How do I remove this virus that gives me pop-up virus alerts? I did a scan and thought I deleted the problem, but it’s still here!! It won’t let me open programs and keeps opening my IE and going to this site: http://antivirvip.com/shop?abc=cGdpZD0xMyZyPTk0LjA=
I went through a looooong boot-time scan and clicked on #1 to delete something infecting HP/BIN/endprocess or whatever. Should I have deleted or “moved to chest”??? I remember it mentioned win32/kill … so sorry, I’m very inexperienced at removing these things.
Thank you very much. I wish I knew how I got this!!!
Hi.
Download RKill to your desktop from the following link.
http://www.bleepingcomputer.com/download/anti-virus/rkill
When at the download page, click on the Download Now button labeled iExplore.exe download link.
When you are prompted where to save it, please save it on your desktop.
Start >> Run (or Windows key + R)
%UserProfile%\desktop
Enter
You should now see a window that shows all of your desktop icons, including the iExplore.exe program. Now double-click on the iExplore.exe icon.
Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step. If you get a message that RKill is an infection, do not be concerned. This message is just a fake warning.
→ Download Malwarebytes to your Desktop
http://www.malwarebytes.org/
When the file has finished downloading, look on your desktop for mbam-setup.exe and right-click on it and select Rename. Change the name of the program to Explorer.exe .
After you rename mbam-setup.exe to Explorer.exe, install Malwarebytes.
MBAM will run… allow MBAM to delete any malware.
→ Attach here Malwarebytes logs and tell me if there is improvement
============
Then run the DDS tool
Download DDS and save it to your Desktop from here:
http://download.bleepingcomputer.com/sUBs/dds.scr
Double click dds.scr to run the tool.
* When done, DDS will open two (2) logs:
1. DDS.txt
2. Attach.txt
Save both reports to your desktop. Attach DDS.txt back to topic.
Hi… Malwarebytes is asking me if I want to do a quick scan, full scan or flash scan. Which do I choose?
Thank you so much for your help.
There was an improvement after the first step! The log you requested:
Malwarebytes’ Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 6373
Windows 6.0.6001 Service Pack 1
Internet Explorer 8.0.6001.19048
4/16/2011 1:42:46 AM
mbam-log-2011-04-16 (01-42-46).txt
Scan type: Quick scan
Objects scanned: 191258
Time elapsed: 21 minute(s), 52 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qorqcrvh (Trojan.FakeAlertRP.Gen) → Value: qorqcrvh → Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
c:\Users\Coto\AppData\Local\Temp\owancsgdg\yxpkeiexsik.exe (Trojan.FakeAlertRP.Gen) → Quarantined and deleted successfully.
c:\Users\Coto\Desktop\null0.6347648293612181.exe (Trojan.FakeAlertRP.Gen) → Quarantined and deleted successfully.
c:\Users\Coto\AppData\Local\Temp\0.27087142390982055.exe (Trojan.FakeAlertRP.Gen) → Quarantined and deleted successfully.
c:\Users\Coto\AppData\Local\Temp\jar_cache6499899971548804369.tmp (Trojan.FakeAlertRP.Gen) → Quarantined and deleted successfully.
The DDS text is too long to post… what should I do? Divide it up?
DDS (Ver_11-03-05.01) - NTFSx86
Run by Coto at 1:47:38.75 on Sat 04/16/2011
Internet Explorer: 8.0.6001.19048 BrowserJavaVersion: 1.6.0_17
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3006.1678 [GMT -10:00]
.
AV: avast! Internet Security Enabled/Updated {C37D8F93-0602-E43C-40AA-47DAD597F308}
SP: avast! Internet Security Enabled/Updated {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
SP: Windows Defender Enabled/Updated {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Lavasoft Ad-Watch Live! Disabled/Updated {61CDFD9D-3CAC-9270-C6FC-52325ACB795B}
FW: avast! Internet Security Enabled {FB460EB6-4C6D-E564-6BF5-EEEF2B44B473}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Windows\system32\WLANExt.exe
C:\Program Files\Alwil Software\Avast5\afwServ.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\explorer.exe
C:\Windows\system32\notepad.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Malwarebytes’ Anti-Malware\mbam.exe
C:\Users\Coto\AppData\Roaming\Smilebox\SmileboxClient.exe
C:\Users\Coto\AppData\Roaming\Smilebox\SmileboxTray.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Coto\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://co122w.col122.mail.live.com/default.aspx?wa=wsignin1.0
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [SmileboxTray] “c:\users\coto\appdata\roaming\smilebox\SmileboxTray.exe”
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [WAWifiMessage] c:\program files\hewlett-packard\hp wireless assistant\WiFiMsg.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [Adobe Reader Speed Launcher] “c:\program files\adobe\reader 8.0\reader\Reader_sl.exe”
mRun: [avast5] “c:\program files\alwil software\avast5\avastUI.exe” /nogui
mRun: [Malwarebytes’ Anti-Malware (reboot)] “c:\program files\malwarebytes’ anti-malware\mbam.exe” /runcleanupscript
mRunOnce: [Malwarebytes’ Anti-Malware] c:\program files\malwarebytes’ anti-malware\mbamgui.exe /install /silent
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Gold%20Rush%20-%20Treasure%20Hunt/Images/stg_drm.ocx
DPF: {26B2A5DA-BFD6-422F-A89A-28A54C74B12B} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_4/PhotoCenter_ActiveX_Control.cab
DPF: {49232000-16E4-426C-A231-62846947304B} - hxxps://wimpro.cce.hp.com/ChatEntry/downloads/sysinfo.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/resources/VistaMSNPUplden-us.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {A1662FB6-39BE-41BB-ACDC-0448FB1B5817} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_5/PhotoCenter_ActiveX_Control.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Gold%20Rush%20-%20Treasure%20Hunt/Images/armhelper.ocx
DPF: {DEA6994F-3ED5-40BC-B5E3-0FD02411B1B4} - hxxp://www.costcophotocenter.com/upload/activex/v3_0_0_1/PhotoCenter_ActiveX_Control.cab?
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/VistaMSNPUplden-us.cab
DPF: {EFD1E13D-1CB3-4545-B754-CA410FE7734F} - hxxp://www.costcophotocenter.com/upload/activex/v3_0_0_2/PhotoCenter_ActiveX_Control.cab?
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\coto\appdata\roaming\mozilla\firefox\profiles\071cx2w9.default
FF - prefs.js: browser.startup.homepage - hxxp://tvlistings.zap2it.com/tvlistings/ZCGrid.do
FF - plugin: c:\progra~1\palmone\packag~1\NPInstal.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\users\coto\appdata\roaming\move networks\plugins\npqmp071505000010.dll
FF - plugin: c:\users\coto\appdata\roaming\move networks\plugins\npqmp071505000011.dll
FF - plugin: c:\windows\system32\npmirage.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\users\coto\appdata\roaming\Move Networks
.
============= SERVICES / DRIVERS ===============
.
R0 aswNdis;avast! Firewall NDIS Filter Service;c:\windows\system32\drivers\aswNdis.sys [2010-11-16 12112]
R0 aswNdis2;avast! Firewall Core Firewall Service;c:\windows\system32\drivers\aswNdis2.sys [2010-11-16 189904]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-4-25 64160]
R1 aswFW;avast! TDI Firewall driver;c:\windows\system32\drivers\aswFW.sys [2010-11-16 99792]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2010-11-16 357968]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-11-16 294608]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-11-16 17744]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-11-16 51280]
.
=============== Created Last 30 ================
.
2011-04-16 11:43:00 54016 ----a-w- c:\windows\system32\drivers\yokbsaiy.sys
2011-04-16 11:15:08 -------- d-----w- c:\users\coto\appdata\roaming\Malwarebytes
2011-04-16 11:14:49 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-16 11:14:47 -------- d-----w- c:\progra~2\Malwarebytes
2011-04-16 11:14:43 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-16 11:14:43 -------- d-----w- c:\program files\Malwarebytes’ Anti-Malware
2011-04-16 01:06:11 6792528 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{e89811b0-86ee-42cc-97dc-6912d1c11d89}\mpengine.dll
2011-04-15 23:59:11 -------- d-----w- c:\users\coto\appdata\local\Smilebox
2011-04-15 19:28:59 1136640 ----a-w- c:\windows\system32\mfc42.dll
2011-04-15 19:28:58 1161728 ----a-w- c:\windows\system32\mfc42u.dll
2011-04-15 19:28:55 304640 ----a-w- c:\windows\system32\drivers\srv.sys
2011-04-15 19:28:55 146432 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-04-15 19:28:55 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-04-15 19:28:52 86528 ----a-w- c:\windows\system32\dnsrslvr.dll
2011-04-15 19:28:52 25088 ----a-w- c:\windows\system32\dnscacheugc.exe
2011-04-15 19:28:49 2040832 ----a-w- c:\windows\system32\win32k.sys
2011-04-15 19:28:47 738816 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-15 19:28:44 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-04-15 19:28:39 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2011-04-10 05:12:39 -------- d-----w- c:\users\coto\appdata\roaming\Smilebox
.
==================== Find3M ====================
.
2011-02-22 06:21:28 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 06:17:08 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 06:16:53 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-02-22 06:16:40 71680 ----a-w- c:\windows\system32\iesetup.dll
2011-02-22 06:16:40 109056 ----a-w- c:\windows\system32\iesysprep.dll
2011-02-22 05:20:39 385024 ----a-w- c:\windows\system32\html.iec
2011-02-22 04:43:54 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2011-02-22 04:42:38 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-02-16 15:29:56 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-02-16 13:24:56 292864 ----a-w- c:\windows\system32\atmfd.dll
2011-02-03 04:11:20 222080 ------w- c:\windows\system32\MpSigStub.exe
.
============= FINISH: 1:50:42.10 ===============
I hope I did what you needed from me, but I have to go. I’ll check back in the morning.
Thank you very much for your help. What a RELIEF!!!
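The indicators in this thread lend themselves to a small triage script: the rogue's landing-page URL from the first post, the Malwarebytes detections, and the DDS Run entries and "Created Last 30" list above. What follows is an added example, not code from the thread, from Malwarebytes or from DDS. It decodes the base64 `abc=` parameter of the URL (it is simply `pgid=13&r=94.0`, which looks like the campaign or affiliate tag that rogue-AV landing pages typically carry; that reading is an interpretation, not something the thread establishes), parses the posted log lines, and flags persistence and payloads in user-writable locations plus any new kernel driver not on a short allowlist. The allowlist, the path rules and the random-name heuristic are this example's own assumptions and produce reviewer prompts, not verdicts: SmileboxTray is listed only because it autoruns from the user profile, and yokbsaiy.sys only because the thread never accounts for a 54 KB driver with that name appearing at 11:43:00, which, given the GMT -10:00 header, is the minute the 1:42 AM Malwarebytes scan finished. The sample log lines are copied from the posts above, with the `->` separator MBAM writes (the forum rendered it as an arrow).

```python
"""Triage of the indicators posted in this thread (added example).

Not code from the thread, Malwarebytes or DDS. The sample lines are copied
from the logs above; the path/name heuristics and the driver allowlist are
this example's own assumptions, meant as reviewer prompts, not verdicts.
"""
import base64
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample input, copied from the MBAM and DDS logs posted above.
MBAM_LOG = r"""
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qorqcrvh (Trojan.FakeAlertRP.Gen) -> Value: qorqcrvh -> Quarantined and deleted successfully.
Files Infected:
c:\Users\Coto\AppData\Local\Temp\owancsgdg\yxpkeiexsik.exe (Trojan.FakeAlertRP.Gen) -> Quarantined and deleted successfully.
c:\Users\Coto\Desktop\null0.6347648293612181.exe (Trojan.FakeAlertRP.Gen) -> Quarantined and deleted successfully.
c:\Users\Coto\AppData\Local\Temp\0.27087142390982055.exe (Trojan.FakeAlertRP.Gen) -> Quarantined and deleted successfully.
c:\Users\Coto\AppData\Local\Temp\jar_cache6499899971548804369.tmp (Trojan.FakeAlertRP.Gen) -> Quarantined and deleted successfully.
"""
DDS_LOG = r'''
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [SmileboxTray] "c:\users\coto\appdata\roaming\smilebox\SmileboxTray.exe"
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
2011-04-16 11:43:00 54016 ----a-w- c:\windows\system32\drivers\yokbsaiy.sys
2011-04-16 11:14:49 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-16 11:14:43 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-15 19:28:55 304640 ----a-w- c:\windows\system32\drivers\srv.sys
'''

# Assumption: drivers accounted for by Windows Update or the MBAM install.
KNOWN_DRIVERS = {"mbam.sys", "mbamswissarmy.sys", "srv.sys", "srv2.sys", "srvnet.sys"}

MBAM_LINE = re.compile(r"^(?P<target>.+?) \((?P<det>[^)]+)\) (?:->|→) ")
DDS_RUN = re.compile(r"^[um]Run(?:Once)?: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
DDS_CREATED = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?:\d+|-+) \S+ (?P<path>.+)$")
EXE_IN_CMD = re.compile(r'^"?(?P<exe>[^"]+?\.exe)', re.I)
TEMP_OR_DESKTOP = re.compile(r"\\(?:temp|desktop)\\", re.I)
USER_PROFILE = re.compile(r"^c:\\users\\", re.I)
# File names the rogue used here: a bare random float, optionally prefixed "null".
RANDOM_FLOAT_NAME = re.compile(r"^(?:null)?\d\.\d{8,}\.exe$", re.I)


def decode_tracking_param(url, param="abc"):
    """Decode the base64 query parameter of the rogue's landing-page URL."""
    blob = parse_qs(urlsplit(url).query)[param][0]
    inner = base64.b64decode(blob).decode("ascii")
    return {k: v[0] for k, v in parse_qs(inner).items()}


def name_looks_random(component):
    """Crude reviewer prompt: random-float names, or 7-12 letters containing a
    run of 4+ consonants. Vendor abbreviations (e.g. Avast's asw* drivers)
    also trip this, so it is a hint, never a verdict on its own."""
    if RANDOM_FLOAT_NAME.match(component):
        return True
    stem = component.rsplit(".", 1)[0].lower()
    if not re.fullmatch(r"[a-z]{7,12}", stem):
        return False
    runs = re.findall(r"[b-df-hj-np-tv-z]+", stem)
    return max((len(r) for r in runs), default=0) >= 4


def random_components(path):
    """Path components (directories, file names, value names) that look random."""
    return [p for p in path.split("\\") if name_looks_random(p)]


def parse_mbam(log):
    """Return (target, detection) for every detection line in an MBAM log."""
    return [(m["target"], m["det"]) for m in map(MBAM_LINE.match, log.splitlines()) if m]


def parse_dds_autoruns(log):
    return [(m["name"], m["cmd"]) for m in map(DDS_RUN.match, log.splitlines()) if m]


def parse_dds_created(log):
    return [(m["ts"], m["path"]) for m in map(DDS_CREATED.match, log.splitlines()) if m]


def triage(mbam_log, dds_log):
    """Return (severity, reason, item) findings from both logs."""
    findings = []
    for target, det in parse_mbam(mbam_log):
        low = target.lower()
        if low.startswith("hkey_current_user\\") and "\\run\\" in low:
            findings.append(["high", f"HKCU Run persistence ({det}, removed by MBAM)", target])
        elif TEMP_OR_DESKTOP.search(target):
            findings.append(["high", f"payload in user Temp/Desktop ({det}, removed by MBAM)", target])
    for name, cmd in parse_dds_autoruns(dds_log):
        m = EXE_IN_CMD.match(cmd)
        exe = m["exe"] if m else cmd
        if TEMP_OR_DESKTOP.search(exe):
            findings.append(["high", f"autorun [{name}] still launching from Temp/Desktop", exe])
        elif USER_PROFILE.match(exe):
            findings.append(["review", f"autorun [{name}] runs from the user profile", exe])
    for ts, path in parse_dds_created(dds_log):
        if "\\drivers\\" in path.lower() and path.rsplit("\\", 1)[-1].lower() not in KNOWN_DRIVERS:
            findings.append(["review", f"new kernel driver not in allowlist (created {ts})", path])
    for f in findings:  # annotate anything with a random-looking name
        odd = random_components(f[2])
        if odd:
            f[1] += " [random-looking name: " + ", ".join(odd) + "]"
    return [tuple(f) for f in findings]


if __name__ == "__main__":
    print("rogue URL tracking param:",
          decode_tracking_param("http://antivirvip.com/shop?abc=cGdpZD0xMyZyPTk0LjA="))
    for sev, reason, item in triage(MBAM_LOG, DDS_LOG):
        print(f"{sev:6} {reason}\n       {item}")
```

Run as-is and it prints five "high" findings (the HKCU Run value and the four quarantined files, all in Temp or on the Desktop) and two "review" items (the Smilebox autorun and the unlisted driver). The split between "high" and "review" is the point: location and persistence mechanism give a verdict, a random-looking name only raises a question that the reviewer answers by checking the file against the installed software.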
Pondus, April 16, 2011, 12:27pm
big files can be attached… Lower left corner > additional options > attach
I see you have Ad-Aware installed; this has an integrated Ikarus virus engine, and it may conflict with avast, so I would uninstall it.
Anyway, you did just see that Malwarebytes did what Ad-Aware could not do.
system, April 16, 2011, 8:44pm
I had the same problem as this post and followed the instructions, but I’m lost at this point. * When done, DDS will open two (2) logs:
1. DDS.txt
2. Attach.txt
Save both reports to your desktop. Attach DDS.txt back to topic
Can someone explain? I’m unable to get online on my account due to a “no JavaScript” message.
So did following those steps help? Did you download the DDS and run it? If so, it should’ve scanned your computer and then generated those two reports, which you should “save as” to your desktop, then attach the DDS.txt to your reply as an attachment. I guess the report is to show the support what the problem was; not sure.
big files can be attached… Lower left corner > additional options > attach
I see you have Ad-Aware installed; this has an integrated Ikarus virus engine, and it may conflict with avast, so I would uninstall it.
Anyway, you did just see that Malwarebytes did what Ad-Aware could not do.
Haha, I thought of the same thing, so I wondered if I should uninstall. So after reading your post, I did go and uninstall, LOL. Of course I did NOT have Ad-Aware on when I got the trojan/virus.
Do you have any idea how/where I picked it up? I don’t think I went to any “dodgy” sites right before that…at least no sites I don’t usually visit.
Sorry about waiting…
Carefully follow these instructions.
Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works, please read this guide carefully.
Note: ComboFix must be downloaded to your Desktop.
Temporarily disable your AntiVirus program.
If you are unsure how to do this, please read this instruction.
Run ComboFix.
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt)
Attach the log report (ComboFix.txt) back to the topic.