Avast Enhanced Protection Mode. Please Help!!!

Hi, my computer has been hit by this scam. Please help!! I downloaded RogueKiller and this is my result:

RogueKiller V5.3.3 [08/18/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRKgmailcom
Feedback: http://www.sur-la-toile.com/discussion-193725-1-BRogueKillerD-Remontees.html

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Shenelle [Admin rights]
Mode: Remove – Date : 08/19/2011 22:06:55

Bad processes: 7
[SVCHOST] svchost.exe – c:\windows\update.tray-7-0\svchost.exe → KILLED [TermProc]
[HJ NAME] svchost.exe – c:\windows\update.5.0\svchost.exe → KILLED [TermProc]
[HJ NAME] svchost.exe – c:\windows\update.2\svchost.exe → KILLED [TermProc]
[SVCHOST] svchost.exe – c:\windows\update.5.0\svchost.exe → KILLED [TermProc]
[SUSP PATH] sysdriver32.exe – c:\windows\sysdriver32.exe → KILLED [TermProc]
[HJ NAME] svchost.exe – c:\windows\update.1\svchost.exe → KILLED [TermProc]
[SVCHOST] svchost.exe – c:\windows\update.2\svchost.exe → KILLED [TermProc]

Registry Entries: 25
[SUSP PATH] HKCU[…]\Run : Spyware Doctor (C:\Documents and Settings\Shenelle\Desktop\sdsetup_aff.exe -min) → DELETED
[SUSP PATH] HKLM[…]\Run : 4023126.exe (“C:\WINDOWS\TEMP\4023126.exe”) → DELETED
[SUSP PATH] HKLM[…]\Run : sysdriver32.exe (“C:\WINDOWS\sysdriver32.exe” rezerv) → DELETED
[SUSP PATH] HKLM[…]\Run : sysdriver32_.exe (“C:\WINDOWS\sysdriver32_.exe” rezerv) → DELETED
[HJ NAME] HKLM[…]\Run : w_distrib.exe (“C:\WINDOWS\update.3\svchost.exe” stand) → DELETED
[SUSP PATH] HKLM[…]\Run : wxpdrv (C:\WINDOWS\services32.exe) → DELETED
[HJ NAME] HKLM[…]\Run : tray_ico0 (C:\WINDOWS\update.tray-7-0\svchost.exe) → DELETED
[SUSP PATH] HKLM[…]\Run : 5612934.exe (“C:\WINDOWS\TEMP\5612934.exe”) → DELETED
[BLACKLIST] HKLM[…]\services : srvbtcclient (C:\WINDOWS\update.5.0\svchost.exe srv) → DELETED
[BLACKLIST] HKLM[…]\services : srviecheck (C:\WINDOWS\update.2\svchost.exe srv) → DELETED
[BLACKLIST] HKLM[…]\services : srvsysdriver32 (C:\WINDOWS\sysdriver32.exe srv) → DELETED
[BLACKLIST] HKLM[…]\services : wxpdrivers (C:\WINDOWS\update.1\svchost.exe srv) → DELETED
[BLACKLIST] HKLM[…]\services : srvbtcclient (C:\WINDOWS\update.5.0\svchost.exe srv) → DELETED
[BLACKLIST] HKLM[…]\services : srviecheck (C:\WINDOWS\update.2\svchost.exe srv) → DELETED
[BLACKLIST] HKLM[…]\services : srvsysdriver32 (C:\WINDOWS\sysdriver32.exe srv) → DELETED
[BLACKLIST] HKLM[…]\services : wxpdrivers (C:\WINDOWS\update.1\svchost.exe srv) → DELETED
[BLACKLIST] HKLM[…]\Root : LEGACY_SRVBTCCLIENT () → DELETED
[BLACKLIST] HKLM[…]\Root : LEGACY_SRVIECHECK () → DELETED
[BLACKLIST] HKLM[…]\Root : LEGACY_SRVSYSDRIVER32 () → DELETED
[BLACKLIST] HKLM[…]\Root : LEGACY_WXPDRIVERS () → DELETED
[HJ] HKLM[…]\System : EnableLUA (0) → REPLACED (1)
[HJ] HKLM[…]\Security Center : AntiVirusDisableNotify (1) → REPLACED (0)
[HJ] HKLM[…]\Security Center : FirewallDisableNotify (1) → REPLACED (0)
[HJ] HKLM[…]\Security Center : UpdatesDisableNotify (1) → REPLACED (0)
[HJ] HKLM[…]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) → REPLACED (0)

Particular Files / Folders:

HOSTS File:
127.0.0.1 localhost
127.0.0.1 facebook.com
127.0.0.1 www.facebook.com
127.0.0.1 af-za.facebook.com
127.0.0.1 az-az.facebook.com
127.0.0.1 id-id.facebook.com
127.0.0.1 ms-my.facebook.com
127.0.0.1 bs-ba.facebook.com
127.0.0.1 ca-es.facebook.com
127.0.0.1 cs-cz.facebook.com
127.0.0.1 cy-gb.facebook.com
127.0.0.1 da-dk.facebook.com
127.0.0.1 de-de.facebook.com
127.0.0.1 et-ee.facebook.com
127.0.0.1 en-gb.facebook.com
127.0.0.1 es-la.facebook.com
127.0.0.1 eo-eo.facebook.com
127.0.0.1 eu-es.facebook.com
127.0.0.1 tl-ph.facebook.com
127.0.0.1 fo-fo.facebook.com
[…]

Finished : << RKreport[1].txt >>
RKreport[1].txt

OTS link:
http://www.mediafire.com/?a25lhlp2q2s5c3l

Thank You!

Hi, I do not know what format you saved that in, as it appeared as a docx?

Let's use another programme that you can attach.

Download OTL to your Desktop

- Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
- Select All Users.
- Under the Custom Scan box, paste this in:

netsvcs
%SYSTEMDRIVE%*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
CREATERESTOREPOINT

- Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
- When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Post both logs.

Hi,

Last night I also caught this virus. I've followed the steps advised with Malwarebytes and the majority of the problem appears to be fixed; the only problem that still persists is that I can't open Facebook. I followed your OTL scan instructions and my logs are as follows:

http://www.mediafire.com/?a3tbwgpr0zdjah9

http://www.mediafire.com/?ai8q3orxz3dkdbv

Thanks :)

T-Bone, a fix topic especially created for you, with the fix in it, will be posted in about 5 minutes, so look out for it.

Hi, sorry about the docx file; I didn't know where the file went, so I had copied and saved it before I closed Notepad.

Here are the logs:

It is spreading like crazy and a lot of people have it, unfortunately. Run Nuke-M, which will stop it: http://www.spywarehelpcenter.com/nuke-m/ Then run an antimalware program and you will get rid of it.

Run OTL

- Under the Custom Scans/Fixes box at the bottom, paste in the following:

:OTL
SRV - [2011/08/19 19:55:45 | 000,382,464 | ---- | M] () [Auto | Running] -- C:\WINDOWS\update.7.1\svchostdriver.exe -- (ddservice)
O2 - BHO: (no name) - {474597C5-AB09-49d6-A4D5-2E8D7341384E} - No CLSID value found.
O3 - HKU\S-1-5-21-1614895754-2000478354-1801674531-1003\..\Toolbar\WebBrowser: (no name) - {32099AAC-C132-4136-9E9A-4E364A424E17} - No CLSID value found.
O4 - HKLM..\Run: [tray_ico] File not found
O4 - HKLM..\Run: [tray_ico1] File not found
O4 - HKLM..\Run: [tray_ico2] File not found
O4 - HKLM..\Run: [tray_ico3] File not found
O4 - HKLM..\Run: [tray_ico4] File not found
O31 - SafeBoot: AlternateShell - services32.exe
[2011/08/19 19:55:48 | 000,000,000 | -H-D | C] -- C:\WINDOWS\update.7.1
[2011/08/09 21:41:40 | 000,000,000 | -H-D | C] -- C:\WINDOWS\update.3
[2011/07/23 19:52:06 | 000,000,000 | ---D | C] -- C:\WINDOWS\ufa
[2011/07/23 19:52:06 | 000,000,000 | ---D | C] -- C:\WINDOWS\phoenix
[2011/07/23 19:19:28 | 000,000,000 | -H-D | C] -- C:\WINDOWS\update.5.0
[2011/07/23 19:15:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\WinRAR
[2011/07/23 19:15:18 | 000,000,000 | -H-D | C] -- C:\WINDOWS\update.2
[2011/07/23 19:12:15 | 000,000,000 | ---D | C] -- C:\WINDOWS\av_ico
[2011/07/23 19:10:24 | 000,000,000 | -H-D | C] -- C:\WINDOWS\update.1
[2011/07/23 19:10:10 | 000,000,000 | -H-D | C] -- C:\WINDOWS\update.tray-7-0-lnk
[2011/07/23 19:10:10 | 000,000,000 | -H-D | C] -- C:\WINDOWS\update.tray-7-0
[2011/07/24 19:53:51 | 000,203,160 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts1.bak
[2011/07/23 19:52:05 | 005,589,370 | ---- | M] () -- C:\WINDOWS\phoenix.rar
[2011/07/23 19:52:05 | 000,246,272 | ---- | M] () -- C:\WINDOWS\unrar.exe
[2011/07/23 19:52:05 | 000,182,617 | ---- | M] () -- C:\WINDOWS\ufa.rar
[2011/07/23 19:52:03 | 001,075,284 | ---- | M] () -- C:\WINDOWS\rpcminer.rar
[2011/07/23 19:15:25 | 000,904,792 | ---- | M] () -- C:\WINDOWS\geoiplist.rar
[2011/07/23 19:13:02 | 000,000,000 | ---- | M] () -- C:\WINDOWS\loader2.exe_ok
[2011/08/19 20:14:42 | 000,003,038 | ---- | C] () -- C:\fix_svchost.bat
[2011/07/23 19:52:05 | 005,589,370 | ---- | C] () -- C:\WINDOWS\phoenix.rar
[2011/07/23 19:52:05 | 000,182,617 | ---- | C] () -- C:\WINDOWS\ufa.rar
[2011/07/23 19:52:03 | 001,075,284 | ---- | C] () -- C:\WINDOWS\rpcminer.rar
[2011/07/23 19:15:26 | 004,636,907 | ---- | C] () -- C:\WINDOWS\geoiplist
[2011/07/23 19:15:25 | 000,904,792 | ---- | C] () -- C:\WINDOWS\geoiplist.rar
[2011/07/23 19:15:25 | 000,246,272 | ---- | C] () -- C:\WINDOWS\unrar.exe
[2011/07/23 19:14:44 | 000,000,245 | ---- | C] () -- C:\WINDOWS\info1
[2011/07/23 19:13:02 | 000,000,000 | ---- | C] () -- C:\WINDOWS\loader2.exe_ok

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]


- Then click the Run Fix button at the top.
- Let the program run unhindered, and reboot the PC when it is done.
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Here is the log after the quick scan:

Could you now update and run Malwarebytes please, posting the resultant log.

You may need to repair Avast.

What problems remain?

Did you want a full scan or a quick scan? I deleted Avast, well, what I could have deleted. This is the log from the quick scan.

Malwarebytes’ Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7525

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/21/2011 9:12:56 AM
mbam-log-2011-08-21 (09-12-56).txt

Scan type: Quick scan
Objects scanned: 174542
Time elapsed: 2 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Should I download it again and re install it?

Yes please - the malware set itself to boot to safe mode, where no AVs are resident, removed it from there and then rebooted.
You may have noticed a reboot to safe mode, a pause, then a reboot to normal mode. It would then stop you accessing safe mode.

This is the bad boy: O31 - SafeBoot: AlternateShell - services32.exe

Once Avast is back up and running, could you let me know what problems remain.

Also, could you zip the following folder and upload it to MediaFire for me to collect:

C:\_OTL
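The three indicator families in this thread (the HOSTS file from the first post that pins every facebook.com name to 127.0.0.1, the RogueKiller process list of svchost.exe copies running out of C:\WINDOWS\update.* folders, and the O31 SafeBoot AlternateShell line the helper singles out here) can each be spotted mechanically from the saved logs. The script below is an added example for this thread, not part of RogueKiller, OTL or Avast; its sample inputs are constructed to mirror the posted logs, it assumes the stock 32-bit XP layout where the only genuine svchost.exe lives in C:\WINDOWS\system32, and it assumes the stock AlternateShell value is cmd.exe.

```python
import re

# Names a HOSTS file may legitimately map to a loopback address.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}

# Assumed: the only legitimate svchost.exe on a 32-bit XP box (default
# %SystemRoot%); anything else with that name is a lookalike.
SYSTEM_SVCHOST = r"c:\windows\system32\svchost.exe"

# Assumed stock value of HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\AlternateShell.
DEFAULT_ALTERNATE_SHELL = "cmd.exe"

# RogueKiller "Bad processes" line: [TAG] name – path → ACTION
ROGUEKILLER_PROC = re.compile(
    r"^\[[^\]]+\]\s+\S+\s+[–-]\s+(?P<path>[A-Za-z]:\\.*?)(?:\s+→.*)?$")
# OTL O31 line that reports the SafeBoot AlternateShell value.
OTL_O31 = re.compile(r"^O31 - SafeBoot: AlternateShell - (?P<shell>\S.*)$")


def hosts_hijacks(hosts_text):
    """Return (ip, hostname) pairs that send a non-local name to loopback."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blanks
        if not line:
            continue
        ip, *names = line.split()
        if ip not in LOOPBACK:
            continue
        for name in names:
            if name.lower() not in LOCAL_NAMES:
                hits.append((ip, name.lower()))
    return hits


def roguekiller_process_paths(log_text):
    """Extract the executable path from each RogueKiller process line."""
    paths = []
    for line in log_text.splitlines():
        m = ROGUEKILLER_PROC.match(line.strip())
        if m:
            paths.append(m.group("path").strip())
    return paths


def rogue_svchost(paths):
    """Return every svchost.exe path that is not the System32 copy."""
    return [p for p in paths
            if p.lower().endswith("\\svchost.exe") and p.lower() != SYSTEM_SVCHOST]


def safeboot_shell_from_otl(otl_text):
    """Return the AlternateShell value OTL reported, or None if absent."""
    for line in otl_text.splitlines():
        m = OTL_O31.match(line.strip())
        if m:
            return m.group("shell").strip()
    return None


def safeboot_shell_tampered(shell):
    """True when AlternateShell no longer points at the stock cmd.exe."""
    return shell is not None and shell.lower() != DEFAULT_ALTERNATE_SHELL


def triage(hosts_text, roguekiller_text, otl_text):
    """Summarise all three indicator families in one dict."""
    shell = safeboot_shell_from_otl(otl_text)
    return {
        "hosts_hijacks": hosts_hijacks(hosts_text),
        "rogue_svchost": rogue_svchost(roguekiller_process_paths(roguekiller_text)),
        "safeboot_shell": shell,
        "safeboot_tampered": safeboot_shell_tampered(shell),
    }


# Constructed samples modelled on the logs posted in the thread.
SAMPLE_HOSTS = """
127.0.0.1 localhost
127.0.0.1 facebook.com
127.0.0.1 www.facebook.com
127.0.0.1 en-gb.facebook.com
::1 localhost
"""
SAMPLE_ROGUEKILLER = r"""
[SVCHOST] svchost.exe – c:\windows\update.tray-7-0\svchost.exe → KILLED [TermProc]
[HJ NAME] svchost.exe – c:\windows\update.5.0\svchost.exe → KILLED [TermProc]
[SUSP PATH] sysdriver32.exe – c:\windows\sysdriver32.exe → KILLED [TermProc]
"""
SAMPLE_OTL = "O31 - SafeBoot: AlternateShell - services32.exe"

if __name__ == "__main__":
    for key, value in triage(SAMPLE_HOSTS, SAMPLE_ROGUEKILLER, SAMPLE_OTL).items():
        print(f"{key}: {value}")
```

The HOSTS check flags any non-local name pointed at loopback, which is exactly how the infection blocked Facebook; a genuine localhost line passes. The svchost check is path-based rather than name-based, because the malware's whole trick was reusing a trusted file name in an untrusted folder, and the AlternateShell check explains why the helper called that O31 line "the bad boy": with it set to services32.exe, booting to safe mode hands the console to the malware instead of cmd.exe.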

Yes please to download Avast and reinstall it again, or yes please to a full scan? The full scan came back the same as the quick scan. Help a non-techie here ???

Sorry I meant reinstall Avast ;D

Hey, can I upload it to MediaFire as a rar file, because it is giving problems uploading as a zip?

Yep, no problem, rar or zip, I don't mind ;D

Hey, sorry about that, I got a bit delayed, but here is the link with the files you wanted.

http://www.mediafire.com/?82qae0o2fqhevmt

Methinks I will have to flash up Firefox to download this.

OK that worked - thank you… Any further problems ?

Nope works like a charm again! Thank you very much for your help again.