offsafety

Members
Posts: 20
Reputation: 0 Neutral
  1. Thank you sooo much your help was invaluable. I can't say thank you enough.
  2. Update: I ran Malwarebytes Anti-Malware again this morning. It didn't find anything malicious, but I don't know about the last ComboFix sweep I ran (the one I attached last). At this point I'm not sure if I'm being thorough, paranoid or both.
  3. Hello again! Sorry for the delayed response. I have been doing everything you told me, step by step. I've chosen to use a combination of AVG, COMODO (just the firewall), and of course, Malwarebytes Anti-Malware. I've also run the Startup Lite program, and last night I defragged my C:\ drive. One question though: am I supposed to check and fix all of the results in ComboFix or Malwarebytes? I'm pretty sure I skipped that the last few times I ran them. Guess I was focused on the logs and didn't take notice.
  4. Hi! Here's my combofix log. I'm going to have to ask you to disregard last post about the IE redirecting me. I was under the influence of alcohol and am not 100% sure if I mistyped a url. Google seems to be working fine. combofixlog.txt
  5. Quick update: I notice that IE is still redirecting me to sites other than the ones I'm typing in.
  6. Hello, I'm very sorry. Attached is a current hijackthis log. Things are running much smoother now. The Personal Antivirus is gone. I see no signs of malware, spyware or the such right now. I'm really not sure how to analyze the system better to provide you with a better answer. hijackthis.txt
  7. Again, as requested, the Malwarebytes report, followed by the fresh HijackThis log:

     Malwarebytes' Anti-Malware 1.41
     Database version: 2897
     Windows 5.1.2600 Service Pack 3

     10/2/2009 7:25:03 PM
     mbam-log-2009-10-02 (19-25-03).txt

     Scan type: Quick Scan
     Objects scanned: 129370
     Time elapsed: 5 minute(s), 28 second(s)

     Memory Processes Infected: 1
     Memory Modules Infected: 0
     Registry Keys Infected: 9
     Registry Values Infected: 5
     Registry Data Items Infected: 0
     Folders Infected: 9
     Files Infected: 14

     Memory Processes Infected:
     C:\Program Files\PersonalAV\PAV.exe (Rogue.PersonalAntiVirus) -> Unloaded process successfully.

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     HKEY_CLASSES_ROOT\TypeLib\{497dddb6-6eee-4561-9621-b77dc82c1f84} (Rogue.Ascentive) -> Quarantined and deleted successfully.
     HKEY_CLASSES_ROOT\Interface\{4e980492-027b-47f1-a7ab-ab086dacbb9e} (Rogue.Ascentive) -> Quarantined and deleted successfully.
     HKEY_CLASSES_ROOT\Interface\{5ead8321-fcbb-4c3f-888c-ac373d366c3f} (Rogue.Ascentive) -> Quarantined and deleted successfully.
     HKEY_CLASSES_ROOT\CLSID\{31f3cf6e-a71a-4daa-852b-39ac230940b4} (Rogue.Ascentive) -> Quarantined and deleted successfully.
     HKEY_CLASSES_ROOT\TypeLib\{c24d7016-d00f-41ef-9781-984b6b5ff38f} (Rogue.Ascentive) -> Quarantined and deleted successfully.
     HKEY_CLASSES_ROOT\Interface\{ec88fcd0-2ed5-4d65-9b4c-71d146b43a2e} (Rogue.Ascentive) -> Quarantined and deleted successfully.
     HKEY_CLASSES_ROOT\CLSID\{e532cfb1-5edd-4663-8c22-bcd67b5e5bd4} (Rogue.Ascentive) -> Quarantined and deleted successfully.
     HKEY_LOCAL_MACHINE\SOFTWARE\PC-AntiSpyware (Rogue.PCAntiSpyware) -> Quarantined and deleted successfully.
     HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_PCA-FIREWALL (Rogue.PCAntiSpyware) -> Quarantined and deleted successfully.

     Registry Values Infected:
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\system32\SysRestore.dll (Rogue.Ascentive) -> Quarantined and deleted successfully.
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\system32\ConTest.dll (Rogue.Ascentive) -> Quarantined and deleted successfully.
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\personalav (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.
     HKEY_CURRENT_USER\Environment\avapp (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.
     HKEY_CURRENT_USER\Environment\avuninst (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     C:\Documents and Settings\Elijah\Application Data\PC-Antispyware (Rogue.PCAntiSpyware) -> Quarantined and deleted successfully.
     C:\Documents and Settings\Elijah\Application Data\PC-Antispyware\logs (Rogue.PCAntiSpyware) -> Quarantined and deleted successfully.
     C:\Documents and Settings\Elijah\Application Data\PC-Antispyware\startup (Rogue.PCAntiSpyware) -> Quarantined and deleted successfully.
     C:\Documents and Settings\Glenys\Application Data\PC-Antispyware (Rogue.PCAntiSpyware) -> Quarantined and deleted successfully.
     C:\Documents and Settings\Glenys\Application Data\PC-Antispyware\logs (Rogue.PCAntiSpyware) -> Quarantined and deleted successfully.
     C:\Documents and Settings\Glenys\Application Data\PC-Antispyware\startup (Rogue.PCAntiSpyware) -> Quarantined and deleted successfully.
     C:\Program Files\Common Files\Uninstall\PersonalAV (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.
     C:\Program Files\PersonalAV (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.
     C:\Documents and Settings\All Users\Start Menu\PersonalAV (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.

     Files Infected:
     C:\Documents and Settings\Glenys\Desktop\SpeedScan_setup.exe (Rogue.Installer) -> Quarantined and deleted successfully.
     C:\Downloads\Swap.Magic.exe (Rogue.Installer) -> Quarantined and deleted successfully.
     C:\WINDOWS\system32\SysRestore.dll (Rogue.Ascentive) -> Quarantined and deleted successfully.
     C:\WINDOWS\system32\ConTest.dll (Rogue.Ascentive) -> Quarantined and deleted successfully.
     C:\Documents and Settings\Elijah\Application Data\PC-Antispyware\config.xml (Rogue.PCAntiSpyware) -> Quarantined and deleted successfully.
     C:\Documents and Settings\Elijah\Application Data\PC-Antispyware\Sites.bl (Rogue.PCAntiSpyware) -> Quarantined and deleted successfully.
     C:\Documents and Settings\Glenys\Application Data\PC-Antispyware\config.xml (Rogue.PCAntiSpyware) -> Quarantined and deleted successfully.
     C:\Documents and Settings\Glenys\Application Data\PC-Antispyware\Sites.bl (Rogue.PCAntiSpyware) -> Quarantined and deleted successfully.
     C:\Documents and Settings\Glenys\Application Data\PC-Antispyware\logs\1208113869.log (Rogue.PCAntiSpyware) -> Quarantined and deleted successfully.
     C:\Program Files\Common Files\Uninstall\PersonalAV\Uninstall.lnk (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.
     C:\Program Files\PersonalAV\PAV.exe (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.
     C:\Documents and Settings\All Users\Start Menu\PersonalAV\Personal Antivirus.lnk (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.
     C:\Documents and Settings\All Users\Start Menu\PersonalAV\Uninstall.lnk (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.
     C:\Documents and Settings\Ati\Desktop\Personal Antivirus.lnk (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.

     hijackthislog.txt
  8. Hello, I followed instructions and have noticed improvement on my CPU speed. I still have the "Personal Antivirus" on my system, and it is still saying that I have a Trojan.
  9. Understood. Before I attempt this though, you didn't answer my other question. When you say disable your antivirus, antimalware and software and the sort, do you also mean the programs caused by the viruses, malwares and such?
  10. Good morning (bout 7:25am here). The following is the contents of the Win32kDiag.txt file created after running the exe:

      Running from: C:\Documents and Settings\Ati\Desktop\Win32kDiag.exe
      Log file at : C:\Documents and Settings\Ati\Desktop\Win32kDiag.txt
      WARNING: Could not get backup privileges!
      Searching 'C:\WINDOWS'...
      Finished!
  11. I have downloaded Combofix.exe to my desktop but it won't run. I get an hourglass flicker and nothing more. Also, I wanted to know: when you say to disable the Antivirus/Antispyware/Firewall, does that include the fake antivirus programs like Personal Antivirus or PC AntiSpyware? Also, FYI, my taskbar is frozen for a really long time before it starts to function; don't know if that affects anything. Seems like I'm cleaning this computer a little late. This is sort of new behavior.
  12. Thanks for the quick response. Just so I'm clear: I usually cancel the "personal antivirus" through the task manager and a few other processes I thought were being troublesome. You're saying I should not do this and just run right at startup?