[Resolved] Worm.Win32.Netsky ?, Computer is grinding to a halt
maldini
post Feb 6 2010, 09:58 AM
Post #31
Operating System: Windows XP

ESET completed and found 51 infections. Here is the log:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=4b58932cf7757942a92ba7d9a562f339
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-02-06 03:52:58
# local_time=2010-02-06 10:52:58 (-0500, Eastern Standard Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=3586 16764926 0 1 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=108399
# found=51
# cleaned=0
# scan_time=3083
C:\Program Files\BackWeb\BackWeb Client\6.2.3.66\Program\runner.exe probably a variant of Win32/Agent trojan 00000000000000000000000000000000 I
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe probably a variant of Win32/Agent trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Program Files\InternetSecurity2010\IS2010.exe.vir Win32/Adware.AdvancedVirusRemover.B application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\a.exe.vir Win32/TrojanDownloader.FakeAlert.AED trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\hapoyivu.dll.vir a variant of Win32/Kryptik.CBQ trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\helper32.dll.vir Win32/TrojanDownloader.FakeAlert.ASI trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\hujinuya.dll.vir a variant of Win32/Kryptik.CBQ trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\jayodaye.dll.vir a variant of Win32/Kryptik.CBQ trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\kifabibu.dll.vir a variant of Win32/Kryptik.CBQ trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\limepuye.dll.vir a variant of Win32/Kryptik.CBQ trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\noveyobe.dll.vir a variant of Win32/Kryptik.CBQ trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\smss32.exe.vir Win32/TrojanDownloader.FakeAlert.AED trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\tohuzeno.dll.vir a variant of Win32/Kryptik.CBQ trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\warning.html.vir Win32/TrojanDownloader.FakeAlert.AED virus 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\wezahevu.dll.vir a variant of Win32/Kryptik.CBQ trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\winlogon32.exe.vir Win32/TrojanDownloader.FakeAlert.AED trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\yireniye.dll.vir a variant of Win32/Kryptik.CBQ trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\yojonaso.dll.vir a variant of Win32/Kryptik.CBQ trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\yuheduwo.dll.vir a variant of Win32/Kryptik.CBQ trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\zowolage.dll.vir a variant of Win32/Kryptik.CBQ trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir Win32/Olmarik.SJ virus 00000000000000000000000000000000 I
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1610\A0091867.dll a variant of Win32/Kryptik.CBQ trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1611\A0091926.exe Win32/TrojanDownloader.FakeAlert.ATH trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1611\A0091927.exe Win32/TrojanDownloader.FakeAlert.ATH trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1611\A0091934.exe Win32/TrojanDownloader.FakeAlert.AED trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1612\A0091937.exe Win32/TrojanDownloader.FakeAlert.AED trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1612\A0092934.dll a variant of Win32/Kryptik.CBQ trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1612\A0092935.exe Win32/TrojanDownloader.FakeAlert.AED trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1612\A0092940.exe Win32/TrojanDownloader.FakeAlert.AED trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1612\A0093931.dll a variant of Win32/Kryptik.CBQ trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1612\A0093933.dll a variant of Win32/Kryptik.CBQ trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1612\A0093937.exe Win32/TrojanDownloader.FakeAlert.AED trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1612\A0093946.exe Win32/TrojanDownloader.FakeAlert.AED trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1612\A0094016.exe Win32/Adware.AdvancedVirusRemover.B application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1612\A0094023.exe Win32/TrojanDownloader.FakeAlert.AED trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1612\A0094024.dll a variant of Win32/Kryptik.CBQ trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1612\A0094025.dll Win32/TrojanDownloader.FakeAlert.ASI trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1612\A0094026.dll a variant of Win32/Kryptik.CBQ trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1612\A0094028.dll a variant of Win32/Kryptik.CBQ trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1612\A0094029.dll a variant of Win32/Kryptik.CBQ trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1612\A0094030.dll a variant of Win32/Kryptik.CBQ trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1612\A0094032.exe Win32/TrojanDownloader.FakeAlert.AED trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1612\A0094033.dll a variant of Win32/Kryptik.CBQ trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1612\A0094034.exe Win32/TrojanDownloader.FakeAlert.AED trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1612\A0094035.dll a variant of Win32/Kryptik.CBQ trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1612\A0094036.dll a variant of Win32/Kryptik.CBQ trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1612\A0094037.dll a variant of Win32/Kryptik.CBQ trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1612\A0094038.dll a variant of Win32/Kryptik.CBQ trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1617\A0098422.dll a variant of Win32/Kryptik.CBQ trojan 00000000000000000000000000000000 I
C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\Desktop.htt Win32/TrojanDownloader.FakeAlert.AED virus 00000000000000000000000000000000 I
${Memory} probably a variant of Win32/Agent trojan 00000000000000000000000000000000 I
oldman960
post Feb 6 2010, 12:31 PM
Post #32
Operating System: win98se, XP pro

Hi maldini,

That's not as bad as it looks. Besides the 2 adware files, the rest are files we have quarantined or are in old System Restore points. We'll take care of those when we clean up our tools.

Next, double click on OTL.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
  • Do Not copy the word CODE
  • please note the fix starts with the :

CODE
:Reg

:Files
C:\Program Files\BackWeb\BackWeb Client\6.2.3.66\Program\runner.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe

:Commands


Then click the Run Fix button at the top
  • Let the program run unhindered


How is the computer?

Thanks
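The triage oldman960 applies to the scan results above (live files need a fix, hits inside ComboFix's Qoobox quarantine and old System Restore points do not) written out as a small log parser. This is an added example, not code from the thread, ESET or OTL; the sample log is a constructed six-line excerpt in the posted format, and the location rules are assumptions based on the path prefixes seen in the log.

```python
import re
from collections import Counter

# Constructed sample in the format of the ESET Online Scanner log posted above:
# '#' header lines, then one "<path> <detection> <hash> <flag>" row per hit.
SAMPLE_LOG = r"""
# found=6
C:\Program Files\BackWeb\BackWeb Client\6.2.3.66\Program\runner.exe probably a variant of Win32/Agent trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\a.exe.vir Win32/TrojanDownloader.FakeAlert.AED trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir Win32/Olmarik.SJ virus 00000000000000000000000000000000 I
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP1612\A0094016.exe Win32/Adware.AdvancedVirusRemover.B application 00000000000000000000000000000000 I
C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\Desktop.htt Win32/TrojanDownloader.FakeAlert.AED virus 00000000000000000000000000000000 I
${Memory} probably a variant of Win32/Agent trojan 00000000000000000000000000000000 I
"""

# The path is matched lazily; the detection must hold a family name with a slash
# (Win32/Agent) plus a one-word category, so spaces inside paths cannot confuse
# the split (Windows paths use backslashes, so a slash never occurs in them).
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<detection>(?:probably a variant of |a variant of )?\w+/\S+ \w+) "
    r"(?P<hash>[0-9a-fA-F]{32}) (?P<flag>\S+)$"
)

def classify(path: str) -> str:
    """Where the hit lives decides whether any removal step is still needed."""
    p = path.lower()
    if p == "${memory}":
        return "memory"         # in-memory hit, normally a running copy of a live file
    if "\\qoobox\\quarantine\\" in p:
        return "quarantined"    # ComboFix quarantine (.vir copies): already neutralised
    if "\\system volume information\\_restore" in p:
        return "restore_point"  # old System Restore copies, gone once points are flushed
    return "live"               # still in its original location: needs action

def parse_eset_log(text: str) -> list:
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised log line: {line!r}")
        entry = m.groupdict()
        entry["location"] = classify(entry["path"])
        entries.append(entry)
    return entries

def summarize(entries: list) -> dict:
    return dict(Counter(e["location"] for e in entries))

def live_entries(entries: list) -> list:
    """The rows that warrant a removal step (here the OTL :Files fix)."""
    return [e for e in entries if e["location"] == "live"]
```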
maldini
post Feb 6 2010, 12:54 PM
Post #33
Operating System: Windows XP

I ran OTL and here is the log:

========== REGISTRY ==========
========== FILES ==========
C:\Program Files\BackWeb\BackWeb Client\6.2.3.66\Program\runner.exe moved successfully.
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe moved successfully.
========== COMMANDS ==========

OTL by OldTimer - Version 3.1.27.1 log created on 02062010_135132


===========================================================

Overall the computer is running well.

The only items that seem strange to us are as follows:

1) When we close Firefox, the whole screen goes blue for a count of 3 and then the regular desktop slowly appears in the background.

2) When we move the Firefox window, it appears that the window shows up multiple times on the screen for a count of 2 or so before the screen refreshes. It almost appears as if the refresh rate is very slow.

This post has been edited by maldini: Feb 6 2010, 12:56 PM
oldman960
post Feb 8 2010, 12:13 AM
Post #34
Operating System: win98se, XP pro

Hi maldini,

QUOTE
1) when we close Firefox, the whole screen goes blue for a count of 3 and then the regular desktop slowly appears in the background.
Some have fixed that by changing the size of the icon cache. There are other causes also.

You can try this; it won't hurt anything. It's a vbs file, just download it to your desktop, double click it to run it.

Increase Icon Cache (Line 121)
http://www.kellys-korner-xp.com/xp_tweaks.htm

QUOTE
2) When we move the Firefox window, it appears that the windows shows up multiple times on the screen for a count of 2 or so before the screen refreshes. It almost appears as if the refresh rate is very slow.
Possible causes are video ram (lack of) or lots of running processes. I have the same problem on this old underpowered computer.



From your desktop, please delete, if present
  • any notepads/logs that we created
  • GMER.zip
  • GMER.exe (g6kehkqq.exe)
  • SystemLook.exe
  • DDS.scr



Next

Click the Start button, click Run. Copy and paste the following line into the run box and click OK
Combofix /uninstall


Open OTL then click the Clean Up button. You may get prompted by your firewall that OTL wants to contact the internet - allow this. A cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will do some clean up tasks and delete some of the tools you have downloaded plus itself.


I suggest you keep MBAM. Keep MBAM updated and use it regularly.


Updates and upgrades

If you don't have an antivirus program you wish to install, you can download and install one of these free ones.

Avast
Help and support can be found here Avast Forum
AVG
Help and support can be found here AVG Forum
Antivir PersonalEditionClassic
Help and support can be found here Avira Personal Support Forum



You have an older version of Adobe Reader. You can download the current version HERE

You may want to consider Foxit Reader instead. It may be a bit lighter on resources.

Visit their support forum
Foxit Forum

In either case you should uninstall Adobe Reader 6.0 first. Be sure to move any PDF documents to another folder first though.


Some Recommendations and prevention tips

Basic security consists of 1 antivirus program, 1 resident antispyware program, 1 on demand antispyware program and a firewall. Once you get an antivirus program installed just add a firewall and a resident antispyware program.

For an antispyware program with resident (real time) scanning, I suggest

Windows Defender
OR
Winpatrol


* If you are behind a router Windows firewall should be fine. Otherwise a 3rd party firewall with outbound monitoring is recommended.

Click FIREWALL for tips, reviews and links to good, free and paid for firewalls. (Note: Zone Alarm is becoming bloatware, IMO)


You should also use Spyware Blaster to help immunize your computer.

- SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

OR

A guide to understanding and using the hosts file.

Learn how your Hosts file can protect you and how you can protect it.
Besides the Hosts file information, there are links to a very good updated hosts file, a hosts file manager, and some programs that can protect your hosts file.
HOSTS

Please read the info on disabling the DNS Client before installing a custom hosts file.


- Secure your Internet Explorer

From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.


- Keeping your Windows up-to-date is crucial to your computer's security. Please go to the Windows Update Site (using Internet Explorer) and download and install all critical updates on a regular basis.


- Ensure that Automatic Update is turned on so you get all the latest patches.
Click start, control panel, click Security Center.


- Keep your antivirus program updated, as well as any other security programs you have.


- More tips and programs can be found HERE


- You may also want to read this article By Tony Klein
http://www.freedomlist.com/forum/viewtopic.php?t=22879

We will keep this thread open for a couple of days. Please post back if you have any problems or questions. Please post back when you have finished so this thread can be marked "Resolved".

Take care.
maldini
post Feb 8 2010, 07:22 PM
Post #35
Operating System: Windows XP

Hi Oldman,

Thank you VERY much for your time and effort. All instructions were clear and the results are excellent!

I have completed all steps above and you may mark this thread as resolved!

Maldini
oldman960
post Feb 8 2010, 08:28 PM
Post #36
Operating System: win98se, XP pro

Hi maldini,

You are welcome, glad to have been able to help.

Take care.
oldman960
post Feb 12 2010, 01:52 AM
Post #37
Operating System: win98se, XP pro

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
