Need some assistance here...

[virus_go_away]

In all my life I haven't been so stupid. Ever! After my first installation of Windows Vista(about 2 weeks ago) I was so lazy that I thought: "Hey! I have Windows defender! And Windows Firewall! Why should I re-install avast! pro and Zone Alarm pro?" And it went wonderful for two weeks. Untill I was so stupid to do... THAT! I wanted to watch a movie online and was redirected to videomovies.com or something and that redirected me to download HotBar toolbar. Cautious as I've always been I searched on google for : "Is HotBar Toolbar safe?" and came up with an answer at YahooAnswers. The user told that he was using HotBar for about 1 year and nothing wrong happened. So I thought : "Oh, yeah, what the hell? Let's download, install, and then watch that damn movie!" But shortly after install(about 15 seconds) Windows Defender came with a pop-up that said that I had Win32.HotBar and Win32.Zango on my system. I've dealt with Zango before and I simply know what it is capable of! But again, this time it caught me unprepared. Can't download Avast! again(It is trying to block my access to internet and it is really slow) neither ZA. So since I actually have somewhat experience in fighting with viruses I needed a plan(keep in mind I've never dealt with spyware before except for zango). So I immediatly turned my attention to Spybot S&D. As I've used it in the past I am familiar with it so I can use it properly. Seeing that Spybot would only destroy a part of them(Zango keeps downloading them), I also installed Spy Sweeper Trial. After a Full Sweep I got a very unpleasant surprise: Zango brought a guest, virtumonde. Now, in the trial version I can't quarantine the spyware I found and it doesn't either give me the path of it... The thing is that Spybot couldn't delete Zango and idn't detect virtumonde. Now after about 5 minutesc of intense thinking I've decided to take a-squared anti-malware. Fended off some of the trojans and viruses swarming on my computer now, but still can't delete and get me rid completely of Zango and virtumonde.
           Please help me as I am still holding on and I control most of the operating systems but they keep coming. Coming less since I had SpySweeper to become usefull and block Zango's and virtumonde's access to most of their sites, a-squared deleting very much a big part of them and spybot keeping registry entries from being modified .Now I simply need a tool to remove all I have left of the viruses since I cut their access to the sites they were downloading viruses and keeping them from modifying my registry. Overall I am winning this war but my enemies are still holding on and seems only SpySweeper found virtumonde, but I kinda trust iit since it's the second best anti-spyware(paid) in the world. I really need your help since I'm fighting a new enemy and I have little experience with them. And as I've said I can't download avast! again it would take about 3 days  because it's trying to block my access but I'll surely install it after I'm through with this. The situation has persisted for about four days so I am about to think I will never get rid of them and ultimately... REFORMATTING to get rid of them  :'(            :'(

[essexboy]

No requirement to reformat from that information

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

THEN

To ensure that I get all the information this log will need to be uploaded to Mediafire and post the sharing link.

Download OTS  to your Desktop

• Close ALL OTHER PROGRAMS.
  
• Double-click on OTS.exe to start the program.
  
• Check the box that says Scan All Users
  
• Check the box that says 64 bit
  
• Under Additional Scans check the following:
• Reg - Shell Spawning
• File - Lop Check
• File - Purity Scan
• Evnt - EvtViewer (last 10)

• Now click the Run Scan button on the toolbar.
  
• Let it run unhindered until it finishes.
• When the scan is complete Notepad will open with the report file loaded in it.
  
• Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  

[virus_go_away]

First of all... I forgot to mention that I already have installed MBAM and it didn't get me rid of all the viruses... I have a saved report around here somewhere... Uh, oh here it is  :
Malwarebytes' Anti-Malware 1.41
Versiunea bazei de date: 3025
Windows 6.0.6002 Service Pack 2

10/24/2009 7:30:08 PM
mbam-log-2009-10-24 (19-30-08).txt

Tipul scanarii: Scanare rapida
Obiecte scanate: 93056
Timp trecut: 5 minute(s), 59 second(s)

Procese din memorie afectate: 0
Module de memorie afectate: 0
Chei de registri infectate: 49
Valori din registri afectate: 0
Elemente din registri infectate: 0
Foldere infectate: 4
Fisiere infectate: 3

Procese din memorie afectate:
(Nici un element periculos nu a fost detectat)

Module de memorie afectate:
(Nici un element periculos nu a fost detectat)

Chei de registri infectate:
HKEY_CLASSES_ROOT\coresrv.lfgax (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\coresrv.lfgax.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hostie.bho (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hostie.bho.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.hbax (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{e343edfc-1e6c-4cb5-aa29-e9c922641c80} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d8560ac2-21b5-4c1a-bdd4-bd12bc83b082} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{100eb1fd-d03e-47fd-81f3-ee91287f9465} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{100eb1fd-d03e-47fd-81f3-ee91287f9465} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{100eb1fd-d03e-47fd-81f3-ee91287f9465} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{20ea9658-6bc3-4599-a87d-6371fe9295fc} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a16ad1e9-f69a-45af-9462-b1c286708842} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a7cddcdc-beeb-4685-a062-978f5e07ceee} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{a7cddcdc-beeb-4685-a062-978f5e07ceee} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c9ccbb35-d123-4a31-affc-9b2933132116} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.hbax.1 (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.hbinfoband (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.hbinfoband.1 (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.iebutton (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.iebutton.1 (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.iebuttona (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.iebuttona.1 (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.rprtctrl (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.rprtctrl.1 (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{8ad9ad05-36be-4e40-ba62-5422eb0d02fb} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{aebf09e2-0c15-43c8-99bf-928c645d98a0} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{cdca70d8-c6a6-49ee-9bed-7429d6c477a2} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d136987f-e1c4-4ccc-a220-893df03ec5df} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c5428486-50a0-4a02-9d20-520b59a9f9b2} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\shoppingreport (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\coresrv.coreservices (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\coresrv.coreservices.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hbmain.commband (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hbmain.commband.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hbr.hbmain (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hbr.hbmain.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hostol.mailanim (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hostol.mailanim.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hostol.webmailsend (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hostol.webmailsend.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\srv.coreservices (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\srv.coreservices.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\toolbar.htmlmenuui (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\toolbar.htmlmenuui.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\toolbar.toolbarctl (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\toolbar.toolbarctl.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\ShoppingReport (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\ShoppingReport (Adware.ShopperReports) -> Quarantined and deleted successfully.

Valori din registri afectate:
(Nici un element periculos nu a fost detectat)

Elemente din registri infectate:
(Nici un element periculos nu a fost detectat)

Foldere infectate:
C:\ProgramData\2ACA5CC3-0F83-453D-A079-1076FE1A8B65 (Adware.Seekmo) -> Quarantined and deleted successfully.
C:\Program Files\ShoppingReport (Adware.ShopperReports) -> Quarantined and deleted successfully.
C:\Program Files\ShoppingReport\Bin (Adware.ShopperReports) -> Quarantined and deleted successfully.
C:\Program Files\ShoppingReport\Bin\2.6.58 (Adware.ShopperReports) -> Quarantined and deleted successfully.

Fisiere infectate:
C:\Program Files\ShoppingReport\Bin\2.6.58\ShoppingReport.dll (Adware.ShopperReports) -> Quarantined and deleted successfully.
C:\Users\Dante\downloads\setup.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Program Files\ShoppingReport\Uninst.exe (Adware.ShopperReports) -> Quarantined and deleted successfully.

The log's in my language but if you're familiar with them you should realise how it should be. Trust me, this is everything it writes in the log. I'd install OTS(have no idead what it is) but I still didn't finish step 1... I still have some adware left   

[essexboy]

OTS will scan your system and I will then be able to see the elements that the automated antimalware missed, if you could run it and post the log please

[virus_go_away]

The log is incredibly big... About 120000 characters... So I uploaded it to Mediafire.
Link to Folder(main folder in which the file is):http://www.mediafire.com/?sharekey=abcb4591d771ee02d956df2962098fcbe04e75f6e8ebb871
Link to Download: http://www.mediafire.com/download.php?mmhlzwi4mgw
Please tell me if it's not working I never uploaded to a site besides YouTube in the past.

[essexboy]

Looks like you recently updated windows - hence the size

Start OTS. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

Code: [Select]

[Unregister Dlls]
[Registry - Safe List]
< FireFox Plugins [Program Folders] > ->
YY -> npclntax_HotbarSA.dll -> C:\PROGRAM FILES\MOZILLA FIREFOX\plugins\npclntax_HotbarSA.dll
[Files/Folders - Created Within 30 Days]
NY -> 355d8e9.dll -> C:\Windows\System32\355d8e9.dll
[Empty Temp Folders]


The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new OTS log.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

[virus_go_away]

All Processes Killed
[Registry - Safe List]
DllUnregisterServer procedure not found in C:\PROGRAM FILES\MOZILLA FIREFOX\plugins\npclntax_HotbarSA.dll
C:\PROGRAM FILES\MOZILLA FIREFOX\plugins\npclntax_HotbarSA.dll NOT unregistered.
C:\PROGRAM FILES\MOZILLA FIREFOX\plugins\npclntax_HotbarSA.dll moved successfully.
[Files/Folders - Created Within 30 Days]
DllUnregisterServer procedure not found in C:\Windows\System32\355d8e9.dll
C:\Windows\System32\355d8e9.dll NOT unregistered.
C:\Windows\System32\355d8e9.dll moved successfully.
[Empty Temp Folders]
 
 
User: All Users
 
User: Dante
File delete failed. C:\Users\Dante\AppData\Local\Temp\DXF525.tmp\dxupdate.dll scheduled to be deleted on reboot.
File delete failed. C:\Users\Dante\AppData\Local\Temp\DSETUP.dll scheduled to be deleted on reboot.
File delete failed. C:\Users\Dante\AppData\Local\Temp\dsetup32.dll scheduled to be deleted on reboot.
File delete failed. C:\Users\Dante\AppData\Local\Temp\DXSETUP.exe scheduled to be deleted on reboot.
->Temp folder emptied: 227890148 bytes
File delete failed. C:\Users\Dante\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 40253601 bytes
->Java cache emptied: 25738139 bytes
->FireFox cache emptied: 85217431 bytes
 
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: Public
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 27942292 bytes
RecycleBin emptied: 0 bytes
 
Total Files Cleaned = 388.22 mb
 
< End of fix log >
OTS by OldTimer - Version 3.0.23.1 fix logfile created on 10262009_214232

Files\Folders moved on Reboot...
C:\Users\Dante\AppData\Local\Temp\DXF525.tmp\dxupdate.dll moved successfully.
C:\Users\Dante\AppData\Local\Temp\DSETUP.dll moved successfully.
C:\Users\Dante\AppData\Local\Temp\dsetup32.dll moved successfully.
C:\Users\Dante\AppData\Local\Temp\DXSETUP.exe moved successfully.

Registry entries deleted on Reboot...

Huh... From what I see I guess that failed... Or not... I never worked with this program before but if there's one thing I know is that it moved the infected thing to another folder. Spy Sweeper told me that... Anyway it's day 5 of war and it seems they're not giving up... I'm running scan after scan but I don't always find them all... My computer is getting slower and slower with every passing minute... I have to wait for about 3 mins for my browser to open... On it's good days I wouldn't have to wait even 3 seconds. My internet connection is slowing as well... The viruses are accessing more and more sites... Sites that were banned by my firewall no longer work but Spy Sweeper blocks access to suspect sites 24/7
... It's getting worse ad worse... I fear this time I have to reformat and re-install windows... And I even eradicated Vundo... But this time it caught me unprepared. If my computer doesn't make it, and I have to re-install (If I get a blue screen(of death) I will have because I could never escape one of those... Either repair but on most cases reinstall) I thank you for your help 

[essexboy]

OK lets use the big boy, although I am not seeing a great deal on the scans

 Download ComboFix from one of these locations:


Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
• Double click on ComboFix.exe & follow the prompts.
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.  It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.

[virus_go_away]

*clap* *clap* *clap* I was so eager to see a blue screen of death... Why can't there be green screens of life, too? Or yellow screens of happiness? Anyway, let's get down to business, shall we? Here's the log: http://www.mediafire.com/download.php?yguymyjzy3q

It shown me the blue screen of death right when it finished. But I saw where the log file was saved so... I don't know if it's good or bad but that's what I got. If I get rid of them... I think I'm gonna reinstall anyway. My computer is slow because I got about 7 security apps(bisides windows defender and firewall) running... Did it with my own hand. But I really want to see if I can actually beat them . So then, let us proceed. Did I get rid of them?

[essexboy]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Hotbar
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Hotbar\About Hotbar.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Hotbar\Hotbar Customer Support Center.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Hotbar\Hotbar Games!.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Hotbar\Hotbar Videos!.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Hotbar\Reset Cursor.lnk

They were all in your start menu - one area my scans did not look at.  At my count you had something like 6 security drivers loading at start it must have been as slow as molasses running.  But that was all CF found so I reckon you be clean - no sign of rootkits or keyloggers

[virus_go_away]

Well, if it's one thing I learned since I'm fighting viruses: You're never really safe untill you do an avast! boot-time scan. My connection seems to have returned to normal and my speed a little. I think I'd better run a safety check with MBAM and Spybot and if they're both clean I'll install avast! and activate it. Thanks for your help.

[virus_go_away]

There's only one thing left. npcIntax.xpt in mozilla firefox components folder. I think I'm gonna go and kill it . Just delete it...

[essexboy]

Yep that should do it

[virus_go_away]

Well the last scan got out squeaky clean, but the infection left me with holes in my OS... I am getting a bunch of errors with "Access denied", I'm getting also a lot of programs errors... Well, I think I should pay the price and reinstall... Anyway it wasn't such a big deal... I just wanted to make sure that the viruses would not affect my E: and D: drive as I have all my games, movie, music, images, etc. there and I would have been very mad to find out that they are infected... But now they're safe and I'm gonna fix the OS and install avast!(I learned my lesson).

[virus_go_away]

Oh, and thank you very much for your help, it meant a lot to me... Every time I had a problem I found the solution on this forum and I thank you for that!