Pc Totally Hijacked By Viruswebprotect2008.com
#1
Posted 14 June 2008 - 03:13 AM
1. The desktop background was changed to show a bio-hazard symbol on a red background with a message (I can't remember the exact wording) about a security risk and "click here to download security software".
2. Three new shortcut icons were added to the desktop labelled "Error cleaner", "Privacy protector" and "Spyware&Malware Protection". The destination for all of these is "viruswebprotect2008.com". I have deleted these but they have since returned.
3. Internet Explorer continuously pops up and navigates to undesirable sites.
4. Task Manager is disabled (the popup menu that appears when you right click on the system tray has task manager greyed out).
5. Using Ctrl-Alt-Del causes item 3 above to occur.
6. A "Windows Security Alert" pops up regularly warning of a security attack attempt with "Click here to download spyware remover for total protection." Clicking it opens Internet Explorer and an attempt to navigate to "SafeWebNavigate2008.com".
7. A "Spyware Alert" message box also regularly pops up stating that "Worm.Win32.NetBooster has been detected...blah blah blah...Click Yes to remove it from your PC." Clicking Yes has the same effect as item 6 above.
8. A "System Alert" speech bubble regularly appears at the bottom right saying that virus activity has been detected and that I should use the recommended antispy software. Presumably it means the "recommendations" in items 6 and 7 above.
9. A full scan by McAfee found absolutely nothing.
10. The start menu has been seriously restricted. I have the recently used applications list, but that's about it. There is no All Programs, Control Panel, Run, or anything except Printers and "Set Program Access and Defaults" in the right hand column.
11. The time in the system tray has ": VIRUS ALERT" after it.
I am running Windows XP Professional. I have been able to log on as myself (this all originally happened to my wife) with the internet unplugged and was able to start Task Manager before it got disabled.
But I can't do anything! The computer is completely unusable (I'm writing this on another, old one). Please help. How can I fix it? How can I stop it happening again? I'm desperate!
Thanks in advance.
#2
Posted 14 June 2008 - 07:36 AM
-- When using this tool, you must use the Administrator's account or an account with "Administrative rights"
-- Disconnect from the Internet and temporarily disable your anti-virus and any anti-malware real time protection before performing a scan.
When done, the SDFix report log will open in Notepad and automatically be saved in the SDFix folder as Report.txt. Please copy and paste the contents of Report.txt in your next reply. Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
To fix the restrictions put in place by this infection, please open the SDFix folder or download XP_CodecRepair.inf and save it to your desktop.
- RIGHT CLICK on XP_CodecRepair.inf and select Install from the Context menu.
- Note: To download the .inf file, go to File, choose "Save page as" All Files and save XP_CodecRepair.inf to your desktop.
- Then log off or reboot to apply the changes.
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
- Make sure you are connected to the Internet.
- Double-click on Download_mbam-setup.exe to install the application.
- When the installation begins, follow the prompts and do not make any changes to default settings.
- When installation has finished, make sure you leave both of these checked:
- Update Malwarebytes' Anti-Malware
- Launch Malwarebytes' Anti-Malware
- Then click Finish.
- If an update is found, the program will automatically update itself.
- Press the OK button to close that box and continue.
- If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
- Make sure the "Perform Quick Scan" option is selected.
- Then click on the Scan button.
- If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
- The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
- When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
- Click OK to close the message box and continue with the removal process.
- Click on the Show Results button to see a list of any malware that was found.
- Make sure that everything is checked, and click Remove Selected.
- When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
- The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
- Copy and paste the contents of that report in your next reply and exit MBAM.
Go to Start > Control Panel > Display. Click on the "Desktop" tab, then the "Customize Desktop..." button.
Click on the "Web" tab, then under Web Pages, uncheck and delete everything you find (except "My Current Home page").
These are some common malware related entries you may see:
- Security Info
- Warning Message
- Security Desktop
- Warning Homepage
- Privacy Protection
- Desktop Uninstall
Also, make sure the Lock desktop items box is unchecked. Click "Ok", then "Apply" and "Ok".

Member of UNITE, Unified Network of Instructors and Trusted Eliminators
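Editor's added example (not one of the helper's tools, and not code from the original post). The repair steps above, and the "Restoring Windows Registry Values / Time Format / Desktop Components" lines in the SDFix report the poster returns later, all come down to per-user registry values: Explorer and System policy values that grey out Task Manager and strip the Start menu, the sTimeFormat string that puts ": VIRUS ALERT" after the clock, and Active Desktop components that draw the fake warning wallpaper. The Python below parses a `reg export` of HKEY_CURRENT_USER, lists those settings, and emits a repair .reg that removes only what it flagged, so you can read exactly what will change before importing it. Assumptions: the policy value names (DisableTaskMgr, NoControlPanel, NoRun, NoStartMenuMorePrograms and the others listed) are standard Windows names, but the thread does not confirm that this particular rogue set each of them; the English 12-hour default time format; and the embedded export text, which is constructed, not taken from the poster's machine.

```python
import re

# Per-user policy values this kind of rogue sets to lock the shell down.  Standard
# Explorer/System policy names; that this rogue used exactly these is an assumption.
RESTRICTION_VALUES = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System":
        {"DisableTaskMgr", "DisableRegistryTools"},
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer":
        {"NoControlPanel", "NoRun", "NoDesktop", "NoFolderOptions", "NoFind",
         "NoSetFolders", "NoStartMenuMorePrograms"},
}
TIME_KEY = r"HKEY_CURRENT_USER\Control Panel\International"
TIME_FORMAT_CHARS = set("hHmst: .-/")   # anything else is injected literal text
DEFAULT_TIME_FORMAT = "h:mm:ss tt"       # assumption: English 12-hour locale
COMPONENTS_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components"

# Constructed sample export (not from the poster's machine).  A real `reg export`
# file is UTF-16: read it with open(path, encoding="utf-16").read().
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoControlPanel"=dword:00000001
"NoRun"=dword:00000001
"NoStartMenuMorePrograms"=dword:00000001
"NoRecentDocsMenu"=dword:00000000

[HKEY_CURRENT_USER\Control Panel\International]
"sTimeFormat"="h:mm:ss tt: VIRUS ALERT"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"FriendlyName"="Privacy Protection"
"Source"="file:///C:\\WINDOWS\\fake_alert.htm"
"""

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def _unescape(s):
    return s.replace('\\"', '"').replace("\\\\", "\\")

def _decode(raw):
    """dword -> int, quoted string -> str; other types (hex:, hex(2):) stay raw."""
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return _unescape(raw[1:-1])
    return raw

def parse_reg(text):
    """Return {key_path: {value_name: value}} from .reg export text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith((";", "Windows Registry Editor", "REGEDIT4")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _decode(m.group(2))
    return keys

def audit(keys):
    """Return (key, value_name, current_value, action) for every suspect setting."""
    findings = []
    for key, names in RESTRICTION_VALUES.items():
        for name, value in keys.get(key, {}).items():
            if name in names and value not in (0, None):
                findings.append((key, name, value, "delete_value"))
    fmt = keys.get(TIME_KEY, {}).get("sTimeFormat")
    if isinstance(fmt, str) and set(fmt) - TIME_FORMAT_CHARS:
        findings.append((TIME_KEY, "sTimeFormat", fmt, "reset_value"))
    for key, values in keys.items():          # every Active Desktop component except the home page
        if key.startswith(COMPONENTS_KEY + "\\"):
            source = str(values.get("Source", ""))
            if source.lower() != "about:home":
                findings.append((key, "Source", source, "delete_key"))
    return findings

def repair_reg(findings):
    """Build .reg text that deletes the flagged values/keys and resets the clock format."""
    per_key = {}
    for key, name, _, action in findings:
        per_key.setdefault(key, []).append((name, action))
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, items in per_key.items():
        if any(action == "delete_key" for _, action in items):
            lines += [f"[-{key}]", ""]                  # leading '-' deletes the key
            continue
        lines.append(f"[{key}]")
        for name, action in items:
            lines.append(f'"{name}"="{DEFAULT_TIME_FORMAT}"' if action == "reset_value"
                         else f'"{name}"=-')            # '=-' deletes the value
        lines.append("")
    return "\r\n".join(lines)
```

Run `reg export HKCU hkcu.reg` while logged on as the affected account, feed the file in with `open("hkcu.reg", encoding="utf-16").read()`, and import the generated file from that same account, since HKEY_CURRENT_USER resolves to whoever is logged on (each infected profile needs its own pass; the poster's wife's account and his own both had to be dealt with). Do this after the malware binaries are gone: the poster's deleted shortcuts came back on their own, and a rogue that is still running will simply rewrite the values, which is why the helper runs SDFix first and the .inf second. Change DEFAULT_TIME_FORMAT if the account used a 24-hour clock.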
#3
Posted 17 June 2008 - 07:34 AM
I realised that I had my wife's account set up as an administrator, which was really dumb (I'm in I.T., too - I should have locked that down from the start). I have rectified that, although I've now discovered that my son's favourite game (Lego StarWars) won't run unless it's run on an administrator account.
There's still a few things acting a bit funny, such as Outlook Express (though it may just be that it's not running with administrator privileges any more), so I've still got a bit of cleaning up to do, but at least we can use the PC again!
Thanks again for your help.
SDFix Log:
SDFix: Version 1.192
Run by Mark on Sat 14/06/2008 at 23:39
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Checking Services :
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default HomePage Value
Restoring Default Desktop Components Value
Restoring Windows ProductId To Remove Fake Virus Alert
Restoring Time Format To Remove Fake Virus Alert
Rebooting
Checking Files :
Trojan Files Found:
C:\WINDOWS\system32\yayAPGAR.dll - Deleted
C:\Documents and Settings\Mark\Favorites\Error Cleaner.url - Deleted
C:\Documents and Settings\Mark\Favorites\Privacy Protector.url - Deleted
C:\Documents and Settings\Mark\Favorites\Spyware&Malware Protection.url - Deleted
C:\WINDOWS\kvsdpfeaglr.dll - Deleted
C:\WINDOWS\pebgkxwq.exe - Deleted
C:\WINDOWS\rnopbfgt.dll - Deleted
C:\WINDOWS\rtsplgob.dll - Deleted
C:\WINDOWS\xkefqtgs.dll - Deleted
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-14 23:45:31
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"="C:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe:*:Enabled:CyberLink PowerDVD DX"
"C:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"="C:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe:*:Enabled:CyberLink PowerDVD DX Resident Program"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"="C:\\Program Files\\Microsoft LifeCam\\LifeCam.exe:*:Enabled:LifeCam.exe"
"C:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"="C:\\Program Files\\Microsoft LifeCam\\LifeExp.exe:*:Enabled:LifeExp.exe"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"="C:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe:*:Enabled:CyberLink PowerDVD DX"
"C:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"="C:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe:*:Enabled:CyberLink PowerDVD DX Resident Program"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
Remaining Files :
File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes :
Sun 8 Jun 2008 20,487 A.SHR --- "C:\Program Files\McAfee\MQC\MRU.bak"
Sun 8 Jun 2008 265 A.SHR --- "C:\Program Files\McAfee\MQC\qcconf.bak"
Fri 18 Apr 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Finished!
Malwarebytes Log:
Malwarebytes' Anti-Malware 1.17
Database version: 854
12:17:31 AM 15/06/2008
mbam-log-6-15-2008 (00-17-31).txt
Scan type: Quick Scan
Objects scanned: 60176
Time elapsed: 12 minute(s), 26 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 6
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 5
Files Infected: 12
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\WINDOWS\system32\iiffFuVn.dll (Trojan.Vundo) -> Unloaded module successfully.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d978e8a-2b8f-45a9-bbeb-c83da98d00b5} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{6d978e8a-2b8f-45a9-bbeb-c83da98d00b5} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{17f75949-1435-4cbe-950c-15e05b512fb1} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\34c09f45 (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\iifffuvn -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.FakeAlert) -> Data: c:\windows\system32\iifffuvn -> Delete on reboot.
Folders Infected:
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\DELETED (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\SAVED (Rogue.MalWarrior) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\iiffFuVn.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\nVuFffii.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nVuFffii.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\eptb.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Vicky\Local Settings\Temp\winpole32.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Vicky\Local Settings\Temporary Internet Files\Content.IE5\0ITCCUB1\css4[1] (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Vicky\Local Settings\Temporary Internet Files\Content.IE5\ATUNA1IJ\226[1].exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Vicky\Local Settings\Temporary Internet Files\Content.IE5\F5BPAS48\kb456456[1] (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\WinSpywareProtect.exe (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\LOG\20080614204348796.log (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\autorun.inf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
#4
Posted 17 June 2008 - 08:53 AM
Please download ATF Cleaner by Atribune (alternate download link) & save it to your desktop. DO NOT use it yet.
Please download and install SUPERAntiSpyware Free
- Double-click SUPERAntiSpyware.exe and use the default settings for installation.
- An icon will be created on your desktop. Double-click that icon to launch the program.
- If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
- Under the "Configuration and Preferences", click the Preferences... button.
- Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
- Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
- Close browsers before scanning.
- Scan for tracking cookies.
- Terminate memory threats before quarantining.
- Click the "Close" button to leave the control center screen and exit the program.
- Do not run a scan just yet.
Double-click ATF-Cleaner.exe to run the program.
- Under Main "Select Files to Delete" choose: Select All.
- Click the Empty Selected button.
- If you use Firefox browser click Firefox at the top and choose: Select All
- Click the Empty Selected button.
- If you would like to keep your saved passwords, please click No at the prompt.
- If you use Opera browser click Opera at the top and choose: Select All
- Click the Empty Selected button.
- If you would like to keep your saved passwords, please click No at the prompt.
- Click Exit on the Main menu to close the program.
Scan with SUPERAntiSpyware as follows:
- Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
- On the left, make sure you check C:\Fixed Drive.
- On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
- After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
- Make sure everything has a checkmark next to it and click "Next".
- A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
- If asked if you want to reboot, click "Yes" and reboot normally.
- To retrieve the removal information after reboot, launch SUPERAntispyware again.
- Click Preferences, then click the Statistics/Logs tab.
- Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
- If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
- Please copy and paste the Scan Log results in your next reply.
- Click Close to exit the program.

Member of UNITE, Unified Network of Instructors and Trusted Eliminators
#5
Posted 17 June 2008 - 11:32 PM
Thanks again. Here are the logs:
MBAM 1:
Malwarebytes' Anti-Malware 1.17
Database version: 854
11:21:23 AM 18/06/2008
mbam-log-6-18-2008 (11-21-23).txt
Scan type: Quick Scan
Objects scanned: 36989
Time elapsed: 3 minute(s), 22 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\iiffFuVn.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\nVuFffii.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
MBAM 2:
Malwarebytes' Anti-Malware 1.17
Database version: 865
11:29:59 AM 18/06/2008
mbam-log-6-18-2008 (11-29-59).txt
Scan type: Quick Scan
Objects scanned: 37391
Time elapsed: 2 minute(s), 13 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\iiffFuVn.dll (Trojan.Vundo) -> Delete on reboot.
MBAM 3:
Malwarebytes' Anti-Malware 1.17
Database version: 865
11:35:50 AM 18/06/2008
mbam-log-6-18-2008 (11-35-50).txt
Scan type: Quick Scan
Objects scanned: 37302
Time elapsed: 3 minute(s), 20 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\iiffFuVn.dll (Trojan.Vundo) -> Delete on reboot.
SUPERAntiSpyware:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 06/18/2008 at 01:01 PM
Application Version : 4.15.1000
Core Rules Database Version : 3484
Trace Rules Database Version: 1475
Scan type : Complete Scan
Total Scan Time : 01:08:38
Memory items scanned : 159
Memory threats detected : 0
Registry items scanned : 5413
Registry threats detected : 0
File items scanned : 71393
File threats detected : 0
Adware.Tracking Cookie
.serving-sys.com [ C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\x54gkyh8.default\cookies.txt ]
.bs.serving-sys.com [ C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\x54gkyh8.default\cookies.txt ]
.serving-sys.com [ C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\x54gkyh8.default\cookies.txt ]
.serving-sys.com [ C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\x54gkyh8.default\cookies.txt ]
.serving-sys.com [ C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\x54gkyh8.default\cookies.txt ]
.serving-sys.com [ C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\x54gkyh8.default\cookies.txt ]
.serving-sys.com [ C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\x54gkyh8.default\cookies.txt ]
.2o7.net [ C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\x54gkyh8.default\cookies.txt ]
.imrworldwide.com [ C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\x54gkyh8.default\cookies.txt ]
.imrworldwide.com [ C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\x54gkyh8.default\cookies.txt ]
.2o7.net [ C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\x54gkyh8.default\cookies.txt ]
.msnportal.112.2o7.net [ C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\x54gkyh8.default\cookies.txt ]
.atdmt.com [ C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\x54gkyh8.default\cookies.txt ]
.overture.com [ C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\x54gkyh8.default\cookies.txt ]
.doubleclick.net [ C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\x54gkyh8.default\cookies.txt ]
.imrworldwide.com [ C:\Documents and Settings\Vicky.VICKYSPC\Application Data\Mozilla\Firefox\Profiles\ib6mnjp8.default\cookies.txt ]
.msnportal.112.2o7.net [ C:\Documents and Settings\Vicky.VICKYSPC\Application Data\Mozilla\Firefox\Profiles\ib6mnjp8.default\cookies.txt ]
.imrworldwide.com [ C:\Documents and Settings\Vicky.VICKYSPC\Application Data\Mozilla\Firefox\Profiles\ib6mnjp8.default\cookies.txt ]
.atdmt.com [ C:\Documents and Settings\Vicky.VICKYSPC\Application Data\Mozilla\Firefox\Profiles\ib6mnjp8.default\cookies.txt ]
.overture.com [ C:\Documents and Settings\Vicky.VICKYSPC\Application Data\Mozilla\Firefox\Profiles\ib6mnjp8.default\cookies.txt ]
.statse.webtrendslive.com [ C:\Documents and Settings\Vicky.VICKYSPC\Application Data\Mozilla\Firefox\Profiles\ib6mnjp8.default\cookies.txt ]
.tribalfusion.com [ C:\Documents and Settings\Vicky.VICKYSPC\Application Data\Mozilla\Firefox\Profiles\ib6mnjp8.default\cookies.txt ]
MBAM 4:
Malwarebytes' Anti-Malware 1.17
Database version: 867
2:05:54 PM 18/06/2008
mbam-log-6-18-2008 (14-05-54).txt
Scan type: Quick Scan
Objects scanned: 34916
Time elapsed: 2 minute(s), 45 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
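Editor's added example (Python written for this page, not an MBAM feature and not anything the helper or poster supplied). Reading the logs above side by side, C:\WINDOWS\system32\iiffFuVn.dll appears in every scan before the last one with the outcome "Delete on reboot", while everything else is "Quarantined and deleted successfully": the first log shows the same DLL loaded as a memory module and registered under LSA "Authentication Packages", so it is in use at logon and the file delete has to be deferred to the next restart, and each new scan finds it again until that restart actually takes. The parser below turns the 1.x text-log format into header fields and per-section findings, pulls out outcomes that are not a completed removal, and reports any item that recurs across a series of scans. The three sample logs are condensed from the ones posted in this thread (items dropped, wording unchanged).

```python
import re
from collections import defaultdict

SECTIONS = (
    "Memory Processes Infected", "Memory Modules Infected", "Registry Keys Infected",
    "Registry Values Infected", "Registry Data Items Infected", "Folders Infected",
    "Files Infected",
)
# Item line shape: "<item> (<detection name>) -> [Data: <x> -> ]<outcome>."
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+)$")
SUCCESS_OUTCOMES = {"Quarantined and deleted successfully", "Unloaded module successfully"}

def parse_mbam_log(text):
    """Return {"header": {...}, "findings": [...]} from an MBAM 1.x text log."""
    header, findings, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        if line.endswith(":") and line[:-1] in SECTIONS:
            section = line[:-1]
            continue
        if section is None:                       # still in the header block
            key, sep, value = line.partition(":")
            if sep and key[:1].isalpha():         # skips the bare timestamp line
                header[key.strip()] = value.strip()
            continue
        m = ITEM_RE.match(line)
        if not m:
            continue
        parts = m.group("rest").split(" -> ")
        has_data = len(parts) > 1 and parts[0].startswith("Data: ")
        findings.append({
            "section": section, "item": m.group("item"), "family": m.group("family"),
            "data": parts[0][6:] if has_data else None,
            "outcome": parts[-1].rstrip("."),
        })
    return {"header": header, "findings": findings}

def unresolved(log):
    """Findings the scan could not finish removing, e.g. an in-use DLL marked 'Delete on reboot'."""
    return [f for f in log["findings"] if f["outcome"] not in SUCCESS_OUTCOMES]

def persistent_items(logs):
    """Items reported in more than one scan -> [(scan_index, section, outcome), ...]."""
    history = defaultdict(list)
    for idx, log in enumerate(logs):
        for f in log["findings"]:
            history[f["item"].lower()].append((idx, f["section"], f["outcome"]))
    return {i: h for i, h in history.items() if len({s for s, _, _ in h}) > 1}

# Condensed from the logs posted in this thread (first scan from post #3, second and
# the clean fourth scan from post #5); item lists shortened, wording unchanged.
SAMPLE_LOGS = [r"""Malwarebytes' Anti-Malware 1.17
Database version: 854
12:17:31 AM 15/06/2008
Scan type: Quick Scan
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 1
Files Infected: 3

Memory Modules Infected:
C:\WINDOWS\system32\iiffFuVn.dll (Trojan.Vundo) -> Unloaded module successfully.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d978e8a-2b8f-45a9-bbeb-c83da98d00b5} (Trojan.Vundo) -> Delete on reboot.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\34c09f45 (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\iifffuvn -> Delete on reboot.
Files Infected:
C:\WINDOWS\system32\iiffFuVn.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\nVuFffii.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\eptb.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
""", r"""Malwarebytes' Anti-Malware 1.17
Database version: 865
11:29:59 AM 18/06/2008
Files Infected: 1

Files Infected:
C:\WINDOWS\system32\iiffFuVn.dll (Trojan.Vundo) -> Delete on reboot.
""", r"""Malwarebytes' Anti-Malware 1.17
Database version: 867
2:05:54 PM 18/06/2008
Files Infected: 0

Files Infected:
(No malicious items detected)
"""]

if __name__ == "__main__":
    logs = [parse_mbam_log(t) for t in SAMPLE_LOGS]
    for item, hist in persistent_items(logs).items():
        print(item, [f"scan {i + 1}: {o}" for i, _, o in hist])
```

Feed it the Report.txt-style logs from the MBAM Logs tab in the order they were run; an item that keeps coming back as "Delete on reboot" after a genuine restart means the deferred delete is being undone (a rogue re-dropping the file) or the restart never happened, and is the point at which a different tool or safe mode is worth trying rather than another identical quick scan.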
#6
Posted 18 June 2008 - 08:31 AM
If there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory that your tools cannot access to delete these files, they can sometimes reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll back" to a clean working state.
The easiest and safest way to do this is:
- Go to Start > Programs > Accessories > System Tools and click "System Restore".
- Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
- Then use Disk Cleanup to remove all but the most recently created Restore Point.
- Go to Start > Run and type: Cleanmgr
- Click "Ok".
- Click the "More Options" Tab.
- Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

Member of UNITE, Unified Network of Instructors and Trusted Eliminators
#7
Posted 20 June 2008 - 04:03 AM
Thank you once again for all your help, I really appreciate it.
#8
Posted 20 June 2008 - 06:50 AM
To protect yourself against malware and reduce the potential for re-infection, be sure to read:
• "Simple and easy ways to keep your computer safe".
• "How did I get infected?, With steps so it does not happen again!".
• "Best Practices - Internet Safety for 2008".
• "Hardening Windows Security - Part 1 & Part 2".
• "IE Recommended Minimal Security Settings".
• "How to Set Security Options in the Firefox Browser".

Member of UNITE, Unified Network of Instructors and Trusted Eliminators
#9
Posted 27 June 2008 - 12:30 AM
I just got infected by this last night and it was from using a link from a “good” website to download a free microsoft photo editor. Turned out to be our above mentioned villains instead. It has taken over the whole laptop. It changed the desktop (same as described by TooSleepy), removed all of my recovery points in system recovery, removed my control panel and my computer links + the C:/ drive access, and will not uninstall. It is now redirecting to: safewebnavigate2008.com and also uses the domain: 2008antivirusxp.com. This is a damaging virus and adware attack.
It has just devastated me both financially and emotionally. I was just getting everything switched over to my laptop as I will be moving and have the desktop in storage for a time. I work on the Internet and cannot afford this right now. My disc drive has a broken belt, which has been a pain, but I have still been able to use the laptop without issue. Now I cannot even reformat without buying a new disk drive and my laptop is hardly worth buying one for. I’m feeling pretty down right now and I sure hope these people are happy that they just took a single woman that has barely got a roof over her head and put her out of commission. Bravo! How gallant of them.
I'm writing this from my other pc, but not sure how I'm going to work with this one when it is in a storage unit. I did try the SDFix thing. It didn't work at all. I'm just not sure what to do now, but hope that someone can do something to stop these people.
I don't mean to whine but I did need to talk about it to someone that could understand.
#10
Posted 27 June 2008 - 06:04 AM
Sorry to hear about your situation as a result of this infection. If you have an issue or problem you would like to discuss, please start your own topic. Doing that will help to avoid the confusion that often occurs when trying to help two or more members in the same thread with different problems. Even if your problem is similar to the original poster's problem, the solution could be different based on the kind of hardware, software, system requirements, etc. you are using and the presence of other malware. Further, posting for assistance in someone else's topic is not considered proper forum etiquette.
Thanks for your cooperation.

Member of UNITE, Unified Network of Instructors and Trusted Eliminators
#11
Posted 25 August 2008 - 05:20 PM
Just wanted to say thanks for the advice and tools given here. They have worked wonders to fix the same problem for me.
Two bits of advice: I ran the tools first as the Administrator but still found it necessary to run them under the infected user account too. I did these in safe and normal Windows modes. I did a complete scan with Malwarebytes' Anti-Malware to make sure too. Lots of the viruses were in system restore folders as well as desktop etc.
Second, the link to the XP_CodecRepair file above does not work. The same file can be found in the SDFix folder and is called XP_VirusAlert_Repair.inf or W2K_VirusAlert_Repair.inf.
Thanks a million again!
James
#12
Posted 26 August 2008 - 08:13 AM
I'm glad your problem has been resolved. However, it's not a safe practice to be following specific instructions provided to someone else. The same reply I gave to SadLady applies in your case.
Quote
If you need assistance in the future, it's best that you tell us what specific issues YOU are having rather than point to someone else. That's what this forum is for so feel free to start your own topic anytime and someone will assist you with your issues specifically.

Member of UNITE, Unified Network of Instructors and Trusted Eliminators