changes homepage, spywarealert, What!!!
statbiz (Junior Member, joined Mar 2008, experience: Advanced)
22-Mar-2008, 12:00 PM #1
changes homepage, spywarealert, What!!!
Please help!
I don't know what virus it is, so I ran Windows Live OneCare but it didn't detect anything.
It keeps changing my homepage to: http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2
Then it redirects me to:
http://ucleaner.com/main.php?wmid=60...o4OQ==&lndid=2

Then I change the homepage and it changes right back.
I can search the internet, but I get a "System Alert" at the bottom right corner of my screen with a flashing red X in a circle, saying:

System has detected virus activities, these may impact the performance of your computer. Please use recommended antispyware software to protect your system from parasites on your computer.

A "Windows Security Alert" popup says:

Windows has detected an internet attack attempt... Somebody's trying to infect your PC with spyware or harmful viruses. Run full system scan now to protect your PC from internet attacks, hijacking attempts and spyware! Click here to download spyware remover for total protection.

A "Spyware Alert" popup says:

Worm.Win32.NetSky detected on your machine. This virus is distributed via the internet through email and ActiveX objects. The worm has its own SMTP engine, which means it gathers emails from your local computer and re-distributes itself. In the worst case this worm can allow attackers to access your computer, stealing passwords and personal data. This process should be removed from your system.

Type: virus
System affected: Windows 2000, NT, ME, XP, Vista
Security risk (0-5): 5
Recommendation: Click Yes to remove it from your PC immediately

An Internet Explorer popup window says:

Warning! Serious malicious objects and spyware have been detected on your PC. We highly recommend you scan the system completely and download the latest version of the SpywareIsolator program, which with all its cutting-edge features helps you to protect the PC against spyware and viruses.

Then it opens a window to:
http://spywareisolator.com/landing/scan.php?wmid=abr

Then it opens a fake security control panel page:
http://www.system-defender.com/freew...&lndid=37&p=01

It has also put these on my desktop:
Error Cleaner
Privacy Protector
Spyware&Malware Protection

They must really want me to use their programs!
I ran ComboFix and it took the three so-called virus protection programs off my desktop, got rid of the flashing red X system alert and the popups, and then I was able to change my homepage. So I restarted my computer and now it's all back again. What am I doing wrong?

Here's the log from ComboFix:

D:\Documents and Settings\Static\Desktop\Error Cleaner.url
D:\Documents and Settings\Static\Desktop\Privacy Protector.url
D:\Documents and Settings\Static\Desktop\Spyware&Malware Protection.url
D:\Documents and Settings\Static\Favorites\Error Cleaner.url
D:\Documents and Settings\Static\Favorites\Privacy Protector.url
D:\Documents and Settings\Static\Favorites\Spyware&Malware Protection.url
D:\Program Files\FunWebProducts
D:\Program Files\FunWebProducts\ScreenSaver\Images\020EDE15.urr
D:\Program Files\FunWebProducts\ScreenSaver\Images\02111309.urr
D:\Program Files\FunWebProducts\ScreenSaver\Images\0212F099.dat
D:\Program Files\FunWebProducts\ScreenSaver\Images\0213EE99.dat
D:\Program Files\FunWebProducts\ScreenSaver\Images\02152013.dat
D:\Program Files\FunWebProducts\ScreenSaver\Images\0216E1BF.dat
D:\Program Files\FunWebProducts\ScreenSaver\Images\02181740.dat
D:\Program Files\FunWebProducts\ScreenSaver\Images\021BB3F1.dat
D:\Program Files\FunWebProducts\ScreenSaver\Images\021E1393.dat
D:\Program Files\FunWebProducts\ScreenSaver\Images\0220E9DA.dat
D:\Program Files\FunWebProducts\ScreenSaver\Images\0221A5E5.dat
D:\Program Files\FunWebProducts\ScreenSaver\Images\wrkparam.lst
D:\Program Files\MyWebSearch
D:\Program Files\MyWebSearch\bar\History\search2
D:\Program Files\MyWebSearch\bar\Settings\s_pid.dat
D:\Program Files\MyWebSearch\bar\Settings\setting2.htm
D:\Program Files\MyWebSearch\bar\Settings\settings.dat

.
((((((((((((((((((((((((( Files Created from 2008-02-22 to 2008-03-22 )))))))))))))))))))))))))))))))
.

2008-03-21 18:18 . 2008-03-21 18:18 3,631 --a------ D:\C5.tmp
2008-03-20 10:56 . 2008-03-20 10:57 <DIR> d-------- D:\Program Files\Google
2008-03-19 01:12 . 2007-07-30 19:19 271,224 --a------ D:\WINDOWS\system32\mucltui.dll
2008-03-19 01:12 . 2007-07-30 19:19 30,072 --a------ D:\WINDOWS\system32\mucltui.dll.mui
2008-03-18 10:59 . 2008-03-21 17:42 54,156 --ah----- D:\WINDOWS\QTFont.qfn
2008-03-18 10:59 . 2008-03-18 10:59 1,409 --a------ D:\WINDOWS\QTFont.for
2008-03-18 09:06 . 2007-11-27 22:56 116,416 --a------ D:\WINDOWS\system32\drivers\msfwhlpr.sys
2008-03-18 09:06 . 2007-11-27 22:56 91,328 --a------ D:\WINDOWS\system32\drivers\msfwdrv.sys
2008-03-18 09:05 . 2008-03-18 09:05 <DIR> d-------- D:\WINDOWS\system32\bits
2008-03-18 09:05 . 2007-07-06 15:09 70,928 --a------ D:\WINDOWS\system32\drivers\MpFilter.sys
2008-03-18 09:04 . 2007-03-29 05:56 7,168 -----c--- D:\WINDOWS\system32\dllcache\bitsprx4.dll
2008-03-18 09:04 . 2007-03-29 05:56 7,168 --------- D:\WINDOWS\system32\bitsprx4.dll
2008-03-18 07:41 . 2008-03-18 07:44 <DIR> d-------- D:\WINDOWS\system32\NtmsData
2008-03-18 00:44 . 2008-03-21 16:38 <DIR> d-------- D:\Program Files\Microsoft Windows OneCare Live
2008-03-18 00:09 . 2008-03-18 00:09 <DIR> d-------- D:\Program Files\Windows Defender
2008-03-17 23:35 . 2007-12-06 19:21 6,066,176 -----c--- D:\WINDOWS\system32\dllcache\ieframe.dll
2008-03-17 23:35 . 2007-06-30 20:31 2,455,488 -----c--- D:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-03-17 23:35 . 2007-06-30 20:36 991,232 -----c--- D:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-03-17 23:35 . 2007-12-06 19:21 459,264 -----c--- D:\WINDOWS\system32\dllcache\msfeeds.dll
2008-03-17 23:35 . 2007-12-06 19:21 383,488 -----c--- D:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-03-17 23:35 . 2007-12-06 19:21 267,776 -----c--- D:\WINDOWS\system32\dllcache\iertutil.dll
2008-03-17 23:35 . 2007-12-06 19:21 63,488 -----c--- D:\WINDOWS\system32\dllcache\icardie.dll
2008-03-17 23:35 . 2007-12-06 19:21 52,224 -----c--- D:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-03-17 23:35 . 2007-12-06 04:00 13,824 -----c--- D:\WINDOWS\system32\dllcache\ieudinit.exe
2008-03-17 11:17 . 2008-03-17 08:37 237,568 --a------ D:\WINDOWS\altvxvm.dll
2008-03-17 11:17 . 2008-03-17 08:37 221,184 --a------ D:\WINDOWS\bokpkov.dll
2008-03-09 09:08 . 2008-03-09 09:08 <DIR> d-------- D:\Program Files\HP
2008-03-09 09:08 . 2008-03-09 09:08 <DIR> d-------- D:\Program Files\Common Files\HP
2008-03-09 09:08 . 2008-03-09 09:08 <DIR> d-------- D:\Documents and Settings\Static\Application Data\Image Zone Express
2008-03-07 19:19 . 2004-08-04 00:08 26,624 --a------ D:\WINDOWS\system32\drivers\usbehci.sys
2008-03-07 19:19 . 2004-08-04 00:08 26,624 --a--c--- D:\WINDOWS\system32\dllcache\usbehci.sys
2008-03-07 19:19 . 2004-08-04 01:56 7,168 --a------ D:\WINDOWS\system32\hccoin.dll
2008-03-07 19:19 . 2004-08-04 01:56 7,168 --a--c--- D:\WINDOWS\system32\dllcache\hccoin.dll
2008-03-03 01:42 . 2008-03-03 01:42 <DIR> d-------- D:\Program Files\MySpace
2008-03-03 01:42 . 2008-03-03 01:42 <DIR> d-------- D:\Documents and Settings\Static\Application Data\MySpace
2008-02-23 03:05 . 2001-09-24 10:38 412,672 --a------ D:\WINDOWS\system32\drivers\lvcodek2.dll
2008-02-23 03:05 . 2001-09-24 10:41 200,704 --a------ D:\WINDOWS\system32\LVUI2.dll
2008-02-23 03:05 . 2001-09-24 10:40 172,032 --a------ D:\WINDOWS\system32\lvcodec2.dll
2008-02-23 03:05 . 2001-09-24 10:39 98,304 --a------ D:\WINDOWS\system32\LVComS.exe
2008-02-23 03:05 . 2001-09-24 10:41 69,632 --a------ D:\WINDOWS\system32\LVUI2RC.dll
2008-02-23 03:05 . 2001-09-24 10:38 59,904 --a------ D:\WINDOWS\system32\drivers\lvcam2.dll
2008-02-23 03:05 . 2001-09-24 10:39 57,344 --a------ D:\WINDOWS\system32\LVComC.dll
2008-02-23 03:05 . 2001-09-24 10:38 38,912 --a------ D:\WINDOWS\system32\drivers\lvcd.sys
2008-02-23 03:05 . 2008-02-23 03:05 264 --a------ D:\WINDOWS\_delis32.ini
2008-02-23 02:55 . 2008-02-23 02:55 <DIR> d-------- D:\Program Files\Common Files\Logitech
2008-02-23 02:54 . 2008-02-23 02:54 <DIR> d-------- D:\Program Files\Windows Media Components
2008-02-23 02:51 . 2008-02-23 02:53 <DIR> d-------- D:\Program Files\Logitech

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-18 16:10 --------- d--h--w D:\Program Files\InstallShield Installation Information
2008-03-18 16:10 --------- d-----w D:\Program Files\Philips
2008-03-18 06:54 --------- d-----w D:\Program Files\Yahoo!
2008-03-06 07:09 --------- d-----w D:\Documents and Settings\Static\Application Data\Yahoo!
2008-03-06 07:09 --------- d-----w D:\Documents and Settings\All Users\Application Data\Yahoo!
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WebCamRT.exe"="" []
"ctfmon.exe"="D:\WINDOWS\system32\ctfmon.exe" [2006-02-28 05:00 15360]
"swg"="D:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-03-20 10:57 171448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SbUsb AudCtrl"="sbusbdll.dll" [2005-05-26 18:52 128000 D:\WINDOWS\system32\sbusbdll.dll]
"QuickTime Task"="D:\Program Files\QuickTime\qttask.exe" [2008-01-10 16:27 385024]
"iTunesHelper"="F:\muszik\iTunesHelper.exe" [2008-01-15 04:22 267048]
"Adobe Reader Speed Launcher"="D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"LVCOMS"="D:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE" [2001-09-24 10:39 98304]
"Windows Defender"="D:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"OneCareUI"="D:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe" [2008-01-22 19:43 67112]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="D:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 01:01 437160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"altvxvm"= {4849D093-1839-4D3F-A8F7-6AAA605D760D} - D:\WINDOWS\altvxvm.dll [2008-03-17 08:37 237568]
"bokpkov"= {B59FA3A0-F687-4FE2-8523-83EDEC893C39} - D:\WINDOWS\bokpkov.dll [2008-03-17 08:37 221184]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"F:\\muszik\\iTunes.exe"=
"D:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

S3 sbusb;Sound Blaster USB Audio Driver;D:\WINDOWS\system32\DRIVERS\sbusb.sys [2005-06-10 10:39]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-19 06:07:03 D:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- D:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-21 18:24:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0
jwbirdsong (Senior Member, joined Nov 2002, Denver)
23-Mar-2008, 04:32 AM #2
Combofix is a powerful tool intended by its creator to be used under the direction of an expert, NOT for private use. You should NOT use Combofix unless a Malware Removal Expert has told you to. Improper use of this tool can seriously damage your operating system and may even prevent it from starting again. Please read Combofix's Disclaimer.

Next download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log.
statbiz (Junior Member, joined Mar 2008, experience: Advanced)
23-Mar-2008, 02:53 PM #3
Help, I have a virus (HijackThis)
Please help!!!! I have a virus. I ran Malwarebytes' Anti-Malware and it didn't delete them all.
Can you HijackThis?

Malwarebytes' Anti-Malware 1.09
Database version: 526

Scan type: Quick Scan
Objects scanned: 29261
Time elapsed: 10 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 14
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
D:\WINDOWS\bokpkov.dll (Trojan.FakeAlert) -> Unloaded module successfully.
D:\WINDOWS\altvxvm.dll (Trojan.FakeAlert) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{a4730ebe-43a6-443e-9776-36915d323ad3} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b59fa3a0-f687-4fe2-8523-83edec893c39} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{4849d093-1839-4d3f-a8f7-6aaa605d760d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\etlrlws.bovx (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\etlrlws.ToolBar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VideoPlugin (Trojan.Fakealert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\bokpkov (Trojan.FakeAlert) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\altvxvm (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
D:\WINDOWS\bokpkov.dll (Trojan.FakeAlert) -> Delete on reboot.
D:\WINDOWS\altvxvm.dll (Trojan.FakeAlert) -> Delete on reboot.
D:\Documents and Settings\Static\Desktop\Spyware&Malware Protection.url (Rogue.Link) -> Quarantined and deleted successfully.
D:\Documents and Settings\Static\Desktop\Privacy Protector.url (Rogue.Link) -> Quarantined and deleted successfully.
D:\Documents and Settings\Static\Desktop\Error Cleaner.url (Rogue.Link) -> Quarantined and deleted successfully.
D:\Documents and Settings\Static\Favorites\Error Cleaner.url (Rogue.Link) -> Quarantined and deleted successfully.
D:\Documents and Settings\Static\Favorites\Privacy Protector.url (Rogue.Link) -> Quarantined and deleted successfully.
D:\Documents and Settings\Static\Favorites\Spyware&Malware Protection.url (Rogue.Link) -> Quarantined and deleted successfully.
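As an added illustration (not code from the thread, from ComboFix or from Malwarebytes), the script below triages the two logs posted so far from a defender's point of view. It parses the ComboFix "Reg Loading Points" dump and flags the ShellServiceObjectDelayLoad entries (explorer.exe loads those DLLs at every logon, which is why a cleanup that leaves the value behind is undone at the next restart; the DLLs living in the Windows root rather than system32 is a further signal), the Run value with no file path, and the disabled firewall profile. It also reads an MBAM result list for items still marked "Delete on reboot", i.e. files that were in use and are not gone until the machine restarts. The log formats are inferred from the thread, the sample lines are constructed from it, and the severity labels are this example's own.

```python
"""Triage ComboFix 'Reg Loading Points' and MBAM result lines (added example).

Assumed formats (taken from the logs in this thread, not an official spec):
  [<registry key>]                       starts a key block
  "<name>"=<data> [<date> <size>]        one value under that key
  <item> (<family>) -> <action>          one MBAM result line
"""
import re

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<rest>.*)$')
# Drive-letter path ending in a loadable module, e.g. D:\WINDOWS\altvxvm.dll
PATH_RE = re.compile(r'(?P<path>[A-Za-z]:\\[^\[\]"]+?\.(?:dll|exe|sys))', re.IGNORECASE)
MBAM_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^)]+)\) -> (?P<action>.+)$")

# Constructed sample: trimmed from the ComboFix section in post #1, with the
# forum's line wrap inside "ShellServiceObjectDelayLoad" undone.
COMBOFIX_SAMPLE = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WebCamRT.exe"="" []
"ctfmon.exe"="D:\WINDOWS\system32\ctfmon.exe" [2006-02-28 05:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="D:\Program Files\QuickTime\qttask.exe" [2008-01-10 16:27 385024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"altvxvm"= {4849D093-1839-4D3F-A8F7-6AAA605D760D} - D:\WINDOWS\altvxvm.dll [2008-03-17 08:37 237568]
"bokpkov"= {B59FA3A0-F687-4FE2-8523-83EDEC893C39} - D:\WINDOWS\bokpkov.dll [2008-03-17 08:37 221184]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# Constructed sample: four lines in the shape of the MBAM report in post #3.
MBAM_SAMPLE = r"""
D:\WINDOWS\bokpkov.dll (Trojan.FakeAlert) -> Delete on reboot.
D:\WINDOWS\altvxvm.dll (Trojan.FakeAlert) -> Delete on reboot.
D:\Documents and Settings\Static\Desktop\Error Cleaner.url (Rogue.Link) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
"""


def in_windows_root(path):
    """True for a file directly under the Windows directory (D:\\WINDOWS\\x.dll);
    legitimate shell service objects live in system32, not there."""
    parts = path.split("\\")
    return len(parts) == 3 and parts[1].upper() == "WINDOWS"


def triage_loading_points(text):
    """Return (severity, key, value_name, reason) tuples for a ComboFix dump."""
    findings = []
    key = None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        km = KEY_RE.match(line)
        if km:
            key = km.group("key")
            continue
        vm = VALUE_RE.match(line)
        if not vm or key is None:
            continue
        name, rest = vm.group("name"), vm.group("rest")
        klow = key.lower()
        if klow.endswith("firewallpolicy\\standardprofile") and name == "EnableFirewall":
            if rest.strip().startswith("0"):
                findings.append(("high", key, name, "Windows Firewall disabled in the standard profile"))
            continue
        pm = PATH_RE.search(rest)
        path = pm.group("path") if pm else None
        if "shellserviceobjectdelayload" in klow:
            sev, why = "medium", "SSODL entry: loaded into explorer.exe at every logon"
            if path and in_windows_root(path):
                sev, why = "high", why + "; DLL is in the Windows root, not system32"
            findings.append((sev, key, name, why))
        elif klow.endswith("\\run") and path is None:
            findings.append(("low", key, name, "Run entry with no file path"))
    return findings


def pending_after_reboot(text):
    """Items MBAM could not remove while loaded; they stay on disk until restart."""
    pending = []
    for line in text.splitlines():
        m = MBAM_RE.match(line.strip())
        if m and m.group("action").lower().startswith("delete on reboot"):
            pending.append((m.group("item"), m.group("family")))
    return pending


if __name__ == "__main__":
    for sev, key, name, why in triage_loading_points(COMBOFIX_SAMPLE):
        print(f"[{sev:6}] {name:16} {why}  ({key})")
    for item, family in pending_after_reboot(MBAM_SAMPLE):
        print(f"[reboot] {item} ({family}) is still on disk until the next restart")
```

Run against the constructed samples it reports the two SSODL DLLs and the disabled firewall as high, the empty WebCamRT.exe Run value as low, and both FakeAlert DLLs as pending reboot. The triage is structural (which load point, where the file sits, whether the action completed) rather than signature-based, so it stays useful for a fresh log whose file names differ from the ones in this thread.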
cybertech (Moderator, joined Apr 2002, Washington State)
23-Mar-2008, 03:44 PM #4
statbiz (Junior Member, joined Mar 2008, experience: Advanced)
24-Mar-2008, 03:44 AM #5
Same computer
Yes, it is the same computer. I ran ComboFix, then I was told to run Malwarebytes and to post a HijackThis thread.

Last edited by statbiz : 24-Mar-2008 03:56 AM. Reason: posted two threads for same log by mistake
cybertech (Moderator, joined Apr 2002, Washington State)
24-Mar-2008, 05:52 PM #6
Quote: Originally Posted by statbiz
Yes, it is the same computer. I ran ComboFix, then I was told to run Malwarebytes and to post a HijackThis thread.

OK, what you need to do is reply to this thread instead of starting a new one.

I have merged the two so jwbirdsong can continue to assist you.
jwbirdsong (Senior Member, joined Nov 2002, Denver)
24-Mar-2008, 07:40 PM #7
Quote:
Copy&Paste the entire report in your next reply along with a fresh HijackThis log.

I need to see a fresh HijackThis log also.
statbiz (Junior Member, joined Mar 2008, experience: Advanced)
25-Mar-2008, 02:20 AM #8
Fresh HijackThis log
This is the report that the MBAM log gives me.
Are all the infected files deleted?
jwbirdsong (Senior Member, joined Nov 2002, Denver)
25-Mar-2008, 07:06 AM #9
Quote:
are all the infected files deleted?

Looks like it, but I need another report to make sure. Perhaps you don't have HijackThis on your computer. That's OK, let's do this:

Deckard's System Scanner

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt here.
  5. Please attach extra.txt to your post.
To attach a file to a new post, simply
  • Go to the Attachments section on the post composition page (just below the text entry window), and
  • copy and paste the following into the "Select a file" box:
    C:\Deckard\System Scanner\extra.txt
  • Click Upload.
What DSS will do:
  • create a new System Restore point in Windows XP and Vista.
  • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
  • check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

ALSO post the following please.

Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • Click on the Start Scanning button at bottom of page.
  • Accept the License Agreement and the ActiveX install.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy&Paste the entire report into your post here.
statbiz (Junior Member, joined Mar 2008, experience: Advanced)
26-Mar-2008, 03:57 AM #10
Here's the main.txt from the DSS log.
Attached file: main.txt (11.0 KB, 21 views)
statbiz (Junior Member, joined Mar 2008, experience: Advanced)
26-Mar-2008, 12:21 PM #11
F-Secure scan
Scanning Report
Wednesday, March 26, 2008 01:05:42 - 09:15:47
Computer name: STATICBE-DC7420
Scanning type: Scan system for malware, rootkits
Target: C:\ D:\ E:\ F:\


--------------------------------------------------------------------------------

Result: 1 malware found
Tracking Cookie (spyware)
System

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 40795
System: 2762
Not scanned: 8
Actions:
Disinfected: 0
Renamed: 0
Deleted: 0
None: 1
Submitted: 0
Files not scanned:
D:\HIBERFIL.SYS
D:\PAGEFILE.SYS
D:\WINDOWS\TEMP\TMP00000019886C52E327A8B5ED
D:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
D:\WINDOWS\SYSTEM32\CONFIG\SAM
D:\WINDOWS\SYSTEM32\CONFIG\SECURITY
D:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
D:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure USS: 2.30.0
F-Secure Hydra: 2.8.8110, 2008-03-26
F-Secure AVP: 7.0.171, 2008-03-26
F-Secure Pegasus: 1.20.0, 2008-02-20
F-Secure Blacklight: 1.0.64
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Use Advanced heuristics
jwbirdsong (Senior Member, joined Nov 2002, Denver)
27-Mar-2008, 05:58 AM #12
Logs all look fine. As long as you have no issues not reflected in the logs, it looks like you are good to go.
Time for some housekeeping:
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK
  • When shown the disclaimer, Select "2"

The above procedure will:
  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.

To reduce the potential for spyware infection in the future, I strongly recommend installing SpywareBlaster and SpyWareGuard and IE/Spyad.

SpywareBlaster and SpywareGuard are by JavaCool and both are free programs. SpywareBlaster will prevent spyware from being installed and consumes no system resources. SpywareGuard offers realtime protection from spyware installation attempts.

IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It is free.

More info and download is available at links in the following article by TonyKlein

Make SURE to read How Did I Get Infected in the First Place??
Copyright © 1996 - 2008 TechGuy, Inc. All rights reserved.