Everything posted by deacon1959

  1. I am having my daughter read the information you referenced as well. Thank you very much for your help. Cheers,
  2. Thank you very much for your help. Could this infection have happened through something as simple as my daughter clicking the X to close the fake virus warning, when the X was part of the main image and not actually part of the Explorer window? I've tried to get her to use Alt-F4 to close pop-ups, but with the mouse in hand I am sure the "X" is very inviting. Without spending any real time looking, is there any obvious indication of the original problem?
  3. Per your instructions, deleted Viewpoint. Vista does not have a "Run" option under Start, so I opened a cmd window, changed directory to the desktop for the current user and ran ComboFix /Uninstall - it appeared to run correctly. Uninstalled Norton and Malwarebytes, and reinstalled both from original sources. Updated each. Ran a full Malwarebytes scan - 1 hour 45 minutes - the full scan was successful with no findings; previously the full scan would stop after 10-12 minutes. Ran the ESET online scanner. The log file you reference included this information:

     ESETSmartInstaller@High as CAB hook log:
     OnlineScanner.ocx - registred OK

     Also available on the ESET results screen was this information:

     C:\Program Files\The Game Of LIFE PTS\THE GAME OF LIFE - Path to Success.exe  a variant of Win32/ReflexiveArcade application  cleaned by deleting - quarantined
     C:\Users\Heimerl\Desktop\Documents\Documents\Ashleys docs\downloads\TheGameOfLIFEPTSSetup.exe  a variant of Win32/FenomenGame application  cleaned by deleting - quarantined

     Browsing and system use otherwise appear normal. Explorer is not redirected and brings up no fake virus alerts. No fake virus alerts at boot. A registry search finds no av.exe key. Malwarebytes reports no blocked IP addresses. The Norton firewall does not report any updates to the firewall config or any new services attempting outbound connections. As of 3/16, 2:00 pm Central time (U.S.), I see no obvious signs of "contamination".
  4. Per your directions, created the CFScript file and ran ComboFix. Results follow:
     ComboFix 10-03-15.04 - Heimerl 03/15/2010 17:12:26.2.2 - x86 Microsoft
  5. Somewhere on this forum I had seen guidance to reply to the post if I had not seen a response in 2 days regardless. I downloaded ComboFix to my desktop, right-clicked it and ran it as administrator. Log follows:
     ComboFix 10-03-15.02 - Heimerl 03/15/2010 16:34:09.1.2 - x86 Microsoft
  6. It has been an additional 2 full days, for a total of 8 days, or 6 work days, since my initial post. One additional note: I was initially unable to run Malwarebytes because the shortcut on my desktop was calling "mbamgui.exe", but the actual file on my drive was named "mbamgui .exe", with a space before the .exe. I have completed all of the steps according to http://forums.malwarebytes.org/index.php?s...st&p=193288 BUT I have never had the "unable to run a .exe" problem.
  7. It has been 4 full days since filing my initial information and I am updating to refresh my request for help. Norton's virus scan did find a downloader trojan on about March 7 and says it removed it. A subsequent Malwarebytes quick scan found nothing, and a subsequent Malwarebytes full scan stopped as usual with no error message, just the Windows feedback that "Malwarebytes has stopped working". Any feedback is appreciated.
  8. DDS log file:
     DDS (Ver_09-12-01.01) - NTFSx86
     Run by Heimerl at 23:30:31.22 on Thu 03/04/2010
     Internet Explorer: 8.0.6001.18882
     Microsoft
     ark.txt
     Attach.txt
  9. My daughter's laptop. Vista Home Premium. She is using it with admin rights, but is not normally a high-risk user. She showed me the pop-up for Vista Antispy. I showed her how to stop the process via Ctrl/Alt/Del. I downloaded MBAM and it appeared to remove the rogue and the av files. About three days later, she got the pop-ups again. So I bought and registered MBAM, ran it, removed the rogue again, and enabled the Protection Module. I tried to run a full scan, and the full scans do fail - I have been unable to complete a full scan. Another 3 days, and she "says" she has not used the system on the Internet at all, but Antispy is back. I ran MBAM again, and found that the Protection Module was turned off. I turned Enable Protection back on and removed Antispy with a quick scan. Upon reboot my Norton Antivirus blocked installation of a downloader trojan. I then let Norton delete the downloader. I opened MBAM again, and found the Protection Module was turned off again. I have used Defogger and DDS, and have run GMER as suggested elsewhere in this forum. I include the following:

     1. the log of my last run of MBAM that said it "removed" Antispy
     2. my HijackThis log
     3. my GMER log
     4. my Attach and DDS logs

     I have no illusions that my system is clean, so all suggestions are appreciated.

     ============================================
     dirty MBAM log

     Malwarebytes' Anti-Malware 1.44
     Database version: 3807
     Windows 6.0.6002 Service Pack 2
     Internet Explorer 8.0.6001.18882

     3/4/2010 9:17:07 PM
     mbam-log-2010-03-04 (21-17-07).txt

     Scan type: Quick Scan
     Objects scanned: 106857
     Time elapsed: 7 minute(s), 7 second(s)

     Memory Processes Infected: 1
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 6
     Registry Data Items Infected: 2
     Folders Infected: 0
     Files Infected: 9

     Memory Processes Infected:
     C:\Users\Heimerl\AppData\Local\av.exe (Rogue.MultipleAV) -> Unloaded process successfully.

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msnfo32 (Trojan.Inject) -> Quarantined and deleted successfully.
     HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nah_shell (Trojan.Dropper) -> Quarantined and deleted successfully.
     HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\winid (Malware.Trace) -> Quarantined and deleted successfully.
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\taskman (Trojan.Agent) -> Quarantined and deleted successfully.
     HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\asg984jgkfmgasi8ug98jgkfgfb (Trojan.Downloader) -> Quarantined and deleted successfully.
     HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uishf9wuifwuh387fh3wufinhjfdwefe (Trojan.Agent) -> Quarantined and deleted successfully.

     Registry Data Items Infected:
     HKEY_CLASSES_ROOT\.exe\(default) (Hijacked.exeFile) -> Bad: (secfile) Good: (exefile) -> Quarantined and deleted successfully.
     HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (explorer.exe,C:\RECYCLER\S-1-5-21-3604952309-0607771783-554017545-7923\msimfo32.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     C:\Users\Heimerl\AppData\Local\Temp\msnfo32.exe (Trojan.Inject) -> Quarantined and deleted successfully.
     C:\Users\Heimerl\nah_ojbb.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
     C:\RECYCLER\S-1-5-21-3604952309-0607771783-554017545-7923\msimfo32.exe (Trojan.Inject) -> Delete on reboot.
     C:\Windows\Temp\clk1005.nls (Rootkit.Agent) -> Quarantined and deleted successfully.
     C:\Users\Heimerl\AppData\Local\Temp\lwue.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
     C:\Users\Heimerl\AppData\Local\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
     C:\Users\Heimerl\Local Settings\Application Data\av.exe (ROGUE.Win7Antispyware2010) -> Quarantined and deleted successfully.
     C:\Users\Heimerl\AppData\Local\Temp\iexplore.exe (Trojan.Agent) -> Quarantined and deleted successfully.
     C:\Users\Heimerl\AppData\Local\Temp\jisfije9fjoiee.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.

     ===================================================
     HIJACKTHIS log

     Logfile of Trend Micro HijackThis v2.0.3 (BETA)
     Scan saved at 12:28:33 AM, on 3/5/2010
     Platform: Windows Vista SP2 (WinNT 6.00.1906)
     MSIE: Internet Explorer v8.00 (8.00.6001.18882)
     Boot mode: Normal

     Running processes:
     C:\Program Files\Norton 360 Premier Edition\Engine\3.8.0.41\ccSvcHst.exe
     C:\Program Files\Norton PC Checkup\Norton PC Checkup\Engine\2.0.2.506\ccSvcHst.exe
     C:\Windows\system32\taskeng.exe
     C:\Windows\SYSTEM32\WISPTIS.EXE
     C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
     C:\Windows\system32\taskeng.exe
     C:\Windows\system32\Dwm.exe
     C:\Windows\Explorer.EXE
     C:\Windows\system32\WTablet\Wacom_TabletUser.exe
     C:\Program Files\Sony\VAIO Update 3\VAIOUpdt.exe
     C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
     C:\Program Files\Java\jre6\bin\jusched.exe
     C:\Windows\ehome\ehtray.exe
     C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
     C:\Program Files\Logitech\SetPoint\SetPoint.exe
     C:\Program Files\Windows Home Server\WHSTrayApp.exe
     C:\Windows\ehome\ehmsas.exe
     C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
     C:\Program Files\Internet Explorer\iexplore.exe
     C:\Program Files\Internet Explorer\iexplore.exe
     C:\Program Files\Internet Explorer\iexplore.exe
     C:\Windows\system32\Macromed\Flash\FlashUtil10c.exe
     C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
     C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
     C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
     C:\Program Files\Internet Explorer\iexplore.exe
     C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

     R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
     R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
     R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
     R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
     R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;localhost
     R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
     R3 - URLSearchHook: AIM Toolbar Search Class - {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll
     F2 - REG:system.ini: UserInit=C:\Windows\system32\Userinit.exe
     O1 - Hosts:
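The MBAM log in the post above shows the rogue persisting through four separate registry locations: HKCU Run values with random names, the HKLM Winlogon "taskman" value, an HKCU Winlogon "Shell" override pointing into C:\RECYCLER, and the HKCR\.exe default handler changed from exefile to secfile (the classic way a rogue interposes on every .exe launch). A practitioner who has just cleaned a machine like this wants to re-check those exact locations rather than, as in post 3, searching the registry for the string "av.exe". The PowerShell below is an added example for that purpose; it is not something deacon1959 or the forum helper posted. The Expected values are assumptions taken from MBAM's "Good:" entries and a stock Windows install, and the list of user-writable path fragments flagged for review is likewise an assumption drawn from where the log's files lived; adjust both for your own build.

```powershell
# Added example (not from the forum thread): re-check the persistence points that the
# MBAM log above reported as hijacked. Run in an elevated PowerShell session.
# Expected values are assumptions (MBAM's "Good:" entries plus a stock Windows install);
# $null means "this value should not exist at all".

$winlogonHKLM = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$winlogonHKCU = 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

$checks = @(
    @{ Path = $winlogonHKLM; Name = 'Shell';    Expected = 'explorer.exe' },
    @{ Path = $winlogonHKLM; Name = 'Userinit'; Expected = 'C:\Windows\system32\userinit.exe' },
    @{ Path = $winlogonHKLM; Name = 'Taskman';  Expected = $null },   # MBAM: Winlogon\taskman (Trojan.Agent)
    @{ Path = $winlogonHKCU; Name = 'Shell';    Expected = $null },   # MBAM: Hijack.Shell -> C:\RECYCLER\...\msimfo32.exe
    @{ Path = 'Registry::HKEY_CLASSES_ROOT\.exe';                       Name = '(default)'; Expected = 'exefile' },  # MBAM: Bad: (secfile)
    @{ Path = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'; Name = '(default)'; Expected = '"%1" %*' }
)

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when either the key or the value is missing, so callers can
    # distinguish "absent" (good for the $null-expected checks) from "present".
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

foreach ($c in $checks) {
    $actual = Get-RegValue $c.Path $c.Name
    if ($null -eq $c.Expected) {
        $status = if ($null -eq $actual) { 'OK (absent)' } else { 'SUSPICIOUS (should be absent)' }
    } else {
        # Compare case-insensitively and ignore the trailing comma Userinit normally carries.
        $norm = if ($actual) { ([string]$actual).Trim().TrimEnd(',').ToLower() } else { '' }
        $status = if ($norm -eq $c.Expected.ToLower()) { 'OK' } else { 'SUSPICIOUS' }
    }
    '{0,-28} {1}\{2} = [{3}]' -f $status, $c.Path, $c.Name, $actual
}

# Autostart values: every file in the MBAM log above lived under Temp, AppData,
# Local Settings or RECYCLER, so any Run entry launching from those (assumed) user-writable
# locations is flagged for manual review. Legitimate software rarely autostarts from there.
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
foreach ($k in 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
    if (-not (Test-Path -LiteralPath $k)) { continue }
    foreach ($p in (Get-ItemProperty -LiteralPath $k).PSObject.Properties) {
        if ($providerProps -contains $p.Name) { continue }   # skip provider metadata, not real values
        $flag = if ([string]$p.Value -match '(?i)\\(Temp|AppData|Local Settings|RECYCLER)\\') { 'REVIEW' } else { 'ok' }
        '{0,-8} {1}\{2} = {3}' -f $flag, $k, $p.Name, $p.Value
    }
}
```

Run it once after cleanup and again after the next reboot: in the thread the rogue came back twice, and the second run is what tells you whether a dropper that survived (for example the "Delete on reboot" item in C:\RECYCLER) re-created any of these values. A SUSPICIOUS line for HKCR\.exe or Winlogon\Shell should be treated as an active infection, not a leftover.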