Help: log of virus removal. Avast caught it but would not remove it

Malwarebytes’ Anti-Malware 1.44
Database version: 3601
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/19/2010 9:31:31 PM
mbam-log-2010-01-19 (21-31-31).txt

Scan type: Quick Scan
Objects scanned: 146144
Time elapsed: 11 minute(s), 25 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 22

Memory Processes Infected:
C:\WINDOWS\freddy81.exe (Trojan.Dropper) → Unloaded process successfully.
C:\WINDOWS\pp14.exe (Worm.KoobFace) → Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\fio32 (Worm.KoobFace) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_FIO32 (Worm.KoobFace) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_FIOO32 (Worm.KoobFace) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SfX (Rootkit.Agent) → Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysfbtray (Trojan.Dropper) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pp (Worm.KoobFace) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysldtray (Worm.KoobFace) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\fioo32 (Worm.KoobFace) → Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\freddy81.exe (Trojan.Dropper) → Quarantined and deleted successfully.
C:\WINDOWS\pp14.exe (Worm.KoobFace) → Quarantined and deleted successfully.
C:\WINDOWS\ld16.exe (Worm.KoobFace) → Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\fio32.sys (Worm.Koobface) → Quarantined and deleted successfully.
C:\Documents and Settings\Cindy\Local Settings\Temporary Internet Files\Content.IE5\JFV41PPB\win_protection_update[1].exe (Rogue.Installer) → Quarantined and deleted successfully.
C:\Documents and Settings\Cindy\Local Settings\Temporary Internet Files\Content.IE5\JFV41PPB\win_protection_update[2].exe (Rogue.Installer) → Quarantined and deleted successfully.
C:\Documents and Settings\Cindy\Local Settings\Temporary Internet Files\Content.IE5\JFV41PPB\setup[1].exe (Worm.KoobFace) → Quarantined and deleted successfully.
C:\Documents and Settings\Cindy\Local Settings\Temporary Internet Files\Content.IE5\KO13RQRV\setup[1].exe (Worm.KoobFace) → Quarantined and deleted successfully.
C:\WINDOWS\rdr_1263940198.exe (Worm.KoobFace) → Quarantined and deleted successfully.
C:\WINDOWS\rdr_1263940198.exe.exe (Worm.KoobFace) → Quarantined and deleted successfully.
C:\WINDOWS\bk20856.dat (KoobFace.Trace) → Quarantined and deleted successfully.
C:\WINDOWS\010112010146114101.xxe (KoobFace.Trace) → Quarantined and deleted successfully.
C:\WINDOWS\bk23567.dat (KoobFace.Trace) → Quarantined and deleted successfully.
C:\WINDOWS\fdgg34353edfgdfdf (KoobFace.Trace) → Quarantined and deleted successfully.
C:\WINDOWS\010112010146101105.rx (Malware.Trace) → Quarantined and deleted successfully.
C:\WINDOWS\fs1235.dat (KoobFace.Trace) → Quarantined and deleted successfully.
C:\WINDOWS\rdr_1263945042.exe (Worm.Koobface) → Quarantined and deleted successfully.
C:\WINDOWS\rdr_1263945043.exe (Worm.Koobface) → Quarantined and deleted successfully.
C:\WINDOWS\rdr_1263945044.exe (Worm.Koobface) → Quarantined and deleted successfully.
C:\WINDOWS\rdr_1263945045.exe (Worm.Koobface) → Quarantined and deleted successfully.
C:\WINDOWS\rdr_1263950922.exe (Worm.Koobface) → Quarantined and deleted successfully.
C:\WINDOWS\rdr_1263950924.exe (Worm.Koobface) → Quarantined and deleted successfully.


It seems that MBAM got it.

Is your computer acting normally, or are you having further problems?


I was infected by Koobface last night. A phony Facebook e-mail said I had to install a Flash plugin to view a picture of myself. I downloaded the exe file and scanned it with Avast, which reported it was clean. Then I ran the exe and got nailed. Avast belatedly reported the infection and cleaned it up only partially. The piece it missed was a Registry entry directing me to a Trojan Horse DNS server, so I was blocked from avast.com and many other security websites.

For the record, Avast should detect this beastie on initial scan, and it should clean up the infected Registry key, which is
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{xxx}.
I hope that this will be fixed soon.
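
Added example, not part of the original posts: a check for the kind of leftover described above, a static DNS server written under `Tcpip\Parameters\Interfaces` that survives after the malware files are removed. It parses saved `reg query ... /s` text and flags any interface whose `NameServer` value lists a resolver outside an expected set. The sample text, interface GUIDs, addresses and expected resolver are all constructed for illustration.

```python
import re

# Constructed sample of the text produced by:
#   reg query "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces" /s
# GUIDs and addresses are invented (203.0.113.0/24 is a documentation range).
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{11111111-2222-3333-4444-555555555555}
    EnableDHCP    REG_DWORD    0x1
    DhcpNameServer    REG_SZ    192.168.1.1
    NameServer    REG_SZ    203.0.113.10,203.0.113.11

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}
    EnableDHCP    REG_DWORD    0x1
    DhcpNameServer    REG_SZ    192.168.1.1
    NameServer    REG_SZ
"""

# Indented "name  REG_TYPE  data" lines; data may be empty.
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s*(.*)$")

def parse_interfaces(text):
    """Return {interface_key_name: {value_name: data}} from reg query text."""
    interfaces, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = interfaces.setdefault(line.rsplit("\\", 1)[-1].strip(), {})
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                current[m.group(1)] = m.group(3).strip()
    return interfaces

def split_servers(data):
    # Resolver lists in these values are comma- or space-separated.
    return [s for s in re.split(r"[,\s]+", data) if s]

def find_dns_overrides(text, expected):
    """Flag interfaces whose static NameServer (which takes precedence over
    DhcpNameServer) contains a resolver outside the expected set."""
    findings = []
    for name, values in parse_interfaces(text).items():
        static = split_servers(values.get("NameServer", ""))
        unexpected = [s for s in static if s not in expected]
        if unexpected:
            findings.append({"interface": name, "static": static,
                             "unexpected": unexpected,
                             "dhcp": split_servers(values.get("DhcpNameServer", ""))})
    return findings

if __name__ == "__main__":
    for f in find_dns_overrides(SAMPLE_REG_QUERY, expected={"192.168.1.1"}):
        print(f"{f['interface']}: static DNS {f['unexpected']} overrides DHCP {f['dhcp']}")
```

An interface with an empty `NameServer` falls back to the DHCP-supplied resolver and is not flagged.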

Check your computer for Malware with

Malwarebytes Antimalware http://filehippo.com/download_malwarebytes_anti_malware/
After install, click UPDATE and run a quick scan, then click REMOVE SELECTED to quarantine anything found.

SUPERAntiSpyware http://filehippo.com/download_superantispyware/
Are cookies really spyware and are they dangerous?
http://www.superantispyware.com/supportfaqdisplay.html?faq=26

If anything is found, come back and post the scan logs here.