Author Topic: VBS:Malware-gen and Win32:Oliga[Trj] in my computer.  (Read 5229 times)


scnd (Guest)
VBS:Malware-gen and Win32:Oliga[Trj] in my computer.
« on: February 23, 2010, 01:43:05 PM »
My mother-in-law recently bought a new computer but it runs Windows XP. We set it up and installed Firefox. Everything ran fine, as a new computer should. But after about a month it started closing Microsoft Office randomly. We didn't pay much attention to this. But then it started freezing, at first very rarely, but now it freezes 5 to 30 minutes after startup. I downloaded Avast and scanned the computer and came up with these results.

C:\autorun.inf (This one is infected with the VBS)

C:\Documents and Settings\HelpAssistant\Configuration local\Temp\ascypp.dll (This one with the Win32)

C:\kn6jhgc.cmd (And also this one with Win32)


The rest of the infection is located here


C:\System Volume Information\_restore{3E71F1C-1251-4E1B-98B0-0CB3DD811B29}\RP12\A0000265.cmd

with the last three digits being different and finishing off with .cmd .inf or .dll like so;

"..."A0000266.inf

"..."A0000652.dll

there are 163 infected files total. They seem to switch randomly between VBS:Malware-gen and Win32:Oliga[Trj]. I have them locked up in the chest but I'm not sure if I should delete them. I'm afraid I might damage something in the process. Can anyone offer advice as to what I should do? I'm not very computer savvy... Thanks.


« Last Edit: February 23, 2010, 01:49:38 PM by scnd »
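
The first post names C:\autorun.inf (flagged as VBS:Malware-gen) and C:\kn6jhgc.cmd at the root of the system drive, which is the layout of an autorun-spreading infection: the .inf tells Windows what to run when the drive is opened, and the .cmd is the payload. The following is an added example, not code from the thread or from Avast, that parses an autorun.inf and reports every directive that would launch a file. The file contents are not shown in the post, so SAMPLE_WORM is a constructed file in the standard [autorun] format that only borrows the kn6jhgc.cmd name; SAMPLE_BENIGN is what a data disc or USB stick normally carries.

```python
"""Check an autorun.inf for directives that launch a program from the drive root.

Added example, not code from the thread. SAMPLE_WORM is a constructed file
in the standard [autorun] format (the real file's contents are not in the
post); SAMPLE_BENIGN is a typical icon/label-only autorun.inf.
"""
import ntpath
import re

# Directives Windows honours to run something on insertion or double-click.
LAUNCH_KEYS = ("open", "shellexecute")
# Extensions that run as code; a .cmd or .vbs is as dangerous as an .exe here.
RUNNABLE = {".exe", ".com", ".cmd", ".bat", ".pif", ".scr",
            ".vbs", ".vbe", ".js", ".jse", ".wsf"}

SAMPLE_WORM = """[autorun]
;gHjR8sd
open=kn6jhgc.cmd
shell\\open\\Command=kn6jhgc.cmd
shell\\explore\\command=kn6jhgc.cmd
shellexecute=kn6jhgc.cmd
icon=%SystemRoot%\\system32\\SHELL32.dll,4
shell=open
"""

SAMPLE_BENIGN = """[autorun]
icon=disk.ico
label=Holiday photos
"""


def parse_autorun(data):
    """Parse autorun.inf text (or raw bytes) into {section: {key: value}}.

    Hand-rolled instead of configparser: infected files are often padded with
    junk or NUL bytes and mix key casing, so lower-case everything and skip
    anything that is not a section header or a key=value pair.
    """
    if isinstance(data, bytes):
        data = data.decode("latin-1").replace("\x00", "")
    sections, current = {}, None
    for raw in data.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def launched_targets(autorun):
    """Yield (directive, file) for every directive that executes a file."""
    for key, value in autorun.items():
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            # Drop surrounding quotes and any trailing arguments.
            m = re.match(r'"([^"]+)"|(\S+)', value)
            if m:
                yield key, m.group(1) or m.group(2)


def assess(data):
    """Return a list of findings; an empty list means nothing launches code."""
    autorun = parse_autorun(data).get("autorun", {})
    findings = [
        f"{directive} runs {target}"
        for directive, target in launched_targets(autorun)
        if ntpath.splitext(target)[1].lower() in RUNNABLE
    ]
    # `shell=<verb>` makes that verb the default action, so a plain double-click
    # on the drive runs shell\<verb>\command instead of opening Explorer.
    verbs = {k.split("\\")[1] for k in autorun
             if k.startswith("shell\\") and k.count("\\") == 2}
    if autorun.get("shell", "").lower() in verbs:
        findings.append(f"default verb redirected to shell\\{autorun['shell']}")
    return findings


if __name__ == "__main__":
    for name, sample in (("worm", SAMPLE_WORM), ("benign", SAMPLE_BENIGN)):
        print(name, assess(sample) or "clean")
```

An autorun.inf sitting at the root of a fixed hard disk, as here, has no legitimate reason to exist at all; the check above is mainly useful for removable media, where an icon/label-only file is normal and any launch directive pointing at a script or executable on the same drive is the thing to quarantine together with its target.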

Pondus
Re: VBS:Malware-gen and Win32:Oliga[Trj] in my computer.
« Reply #1 on: February 23, 2010, 02:03:06 PM »
Win32:Oliga is a harmful trojan that downloads spyware, adware and other malware onto the compromised computer. The trojan is usually spread via questionable pornographic websites, via peer-to-peer programs and spam emails. As soon as Win32:Oliga is active it will install malicious files, contact outlying servers and download further viruses. Win32:Oliga is a critical security risk that can modify the system registry and dramatically slash computer speed.

Common Win32:Oliga malware infection indications:
Reduced Internet and PC performance, slower Windows startup / shutdown
Hijacked browser start page and search results
Corrupt or missing registry files cause Blue Screen of Death errors
Abnormal Oliga processes running in the Windows task list, annoying error beeps from the PC tower speaker
Oliga is difficult to remove manually and recreates itself after removal
Common pop-up blockers can't block irritating adult-related pop-up ads
Changed Windows shortcuts, background picture and desktop tray icons

Common Win32:Oliga behaviors:
Monitors browsing activity and the Windows system to generate matching pop-up advertisements
Installs itself into the system and downloads mischievous trojan and adware bundles via security leaks
Bypasses firewalls and antivirus programs by hiding itself as an authentic system utility and sends confidential info to outlying hackers

Pondus
Re: VBS:Malware-gen and Win32:Oliga[Trj] in my computer.
« Reply #2 on: February 23, 2010, 02:04:25 PM »
Check your computer for Malware with

Malwarebytes Antimalware http://filehippo.com/download_malwarebytes_anti_malware/
after install click UPDATE and run a quick scan, click on REMOVE SELECTED to quarantine anything found

SUPERAntiSpyware http://filehippo.com/download_superantispyware/
Are cookies really spyware and are they dangerous?
http://www.superantispyware.com/supportfaqdisplay.html?faq=26

If anything is found come back and post the scan logs here

scnd (Guest)
Re: VBS:Malware-gen and Win32:Oliga[Trj] in my computer.
« Reply #3 on: February 23, 2010, 03:33:37 PM »
This is the scan log from SUPERAntiSpyware; for some reason I couldn't get Malwarebytes to work. It keeps saying runtime error 0.



SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/23/2010 at 03:19 PM

Application Version : 4.34.1000

Core Rules Database Version : 4611
Trace Rules Database Version: 2423

Scan type       : Complete Scan
Total Scan Time : 00:12:01

Memory items scanned      : 450
Memory threats detected   : 0
Registry items scanned    : 4173
Registry threats detected : 0
File items scanned        : 15261
File threats detected     : 38

Adware.Tracking Cookie
   C:\Documents and Settings\Usuario\Cookies\usuario@smartadserver[2].txt
   C:\Documents and Settings\Usuario\Cookies\usuario@tradedoubler[1].txt
   C:\Documents and Settings\Usuario\Cookies\usuario@questionmarket[2].txt
   C:\Documents and Settings\Usuario\Cookies\usuario@revsci[2].txt
   C:\Documents and Settings\Usuario\Cookies\usuario@msnportal.112.2o7[1].txt
   C:\Documents and Settings\Usuario\Cookies\usuario@ak[2].txt
   C:\Documents and Settings\Usuario\Cookies\usuario@advertising[1].txt
   C:\Documents and Settings\Usuario\Cookies\usuario@weborama[1].txt
   C:\Documents and Settings\Usuario\Cookies\usuario@adtech[1].txt
   C:\Documents and Settings\Usuario\Cookies\usuario@ad.yieldmanager[2].txt
   C:\Documents and Settings\Usuario\Cookies\usuario@cgi-bin[2].txt
   C:\Documents and Settings\Usuario\Cookies\usuario@ecirebajas.solution.weborama[1].txt
   C:\Documents and Settings\Usuario\Cookies\usuario@bluestreak[1].txt
   C:\Documents and Settings\Usuario\Cookies\usuario@tacoda[2].txt
   C:\Documents and Settings\Usuario\Cookies\usuario@at.atwola[2].txt
   C:\Documents and Settings\Usuario\Cookies\usuario@doubleclick[2].txt
   C:\Documents and Settings\Usuario\Cookies\usuario@ad.wsod[2].txt
   C:\Documents and Settings\Usuario\Cookies\usuario@atdmt[1].txt
   C:\Documents and Settings\Usuario\Cookies\usuario@2o7[1].txt
   C:\Documents and Settings\Usuario\Cookies\usuario@content.yieldmanager[2].txt
   C:\Documents and Settings\HelpAssistant\Cookies\usuario@content.yieldmanager[2].txt
   C:\Documents and Settings\HelpAssistant\Cookies\usuario@weborama[1].txt
   C:\Documents and Settings\HelpAssistant\Cookies\usuario@atdmt[1].txt
   C:\Documents and Settings\HelpAssistant\Cookies\usuario@smartadserver[2].txt
   C:\Documents and Settings\HelpAssistant\Cookies\usuario@adtech[1].txt
   C:\Documents and Settings\HelpAssistant\Cookies\usuario@advertising[1].txt
   C:\Documents and Settings\HelpAssistant\Cookies\usuario@msnportal.112.2o7[1].txt
   C:\Documents and Settings\HelpAssistant\Cookies\usuario@questionmarket[2].txt
   C:\Documents and Settings\HelpAssistant\Cookies\usuario@ecirebajas.solution.weborama[1].txt
   C:\Documents and Settings\HelpAssistant\Cookies\usuario@ad.wsod[2].txt
   C:\Documents and Settings\HelpAssistant\Cookies\usuario@tacoda[2].txt
   C:\Documents and Settings\HelpAssistant\Cookies\usuario@tradedoubler[1].txt
   C:\Documents and Settings\HelpAssistant\Cookies\usuario@revsci[2].txt
   C:\Documents and Settings\HelpAssistant\Cookies\usuario@at.atwola[2].txt
   C:\Documents and Settings\HelpAssistant\Cookies\usuario@bluestreak[1].txt
   C:\Documents and Settings\HelpAssistant\Cookies\usuario@doubleclick[2].txt
   C:\Documents and Settings\HelpAssistant\Cookies\usuario@2o7[1].txt
   C:\Documents and Settings\HelpAssistant\Cookies\usuario@ad.yieldmanager[2].txt

scnd (Guest)
Re: VBS:Malware-gen and Win32:Oliga[Trj] in my computer.
« Reply #4 on: February 23, 2010, 04:02:45 PM »
Ah, I managed to get the Malwarebytes to work. Here is the scan log.

Malwarebytes' Anti-Malware 1.44
Database version: 3780
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

2/23/2010 4:01:14 PM
mbam-log-2010-02-23 (16-01-14).txt

Scan type: Full Scan (C:\|)
Objects scanned: 177174
Time elapsed: 11 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 4
Folders Infected: 3
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\HelpAssistant\Datos de programa\MalwareRemovalBot (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Datos de programa\MalwareRemovalBot\Log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Datos de programa\MalwareRemovalBot\Settings (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

Files Infected:
C:\System Volume Information\_restore{3E71F71C-1251-4E1B-98B0-0CB3DD811B29}\RP63\A0059766.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Datos de programa\MalwareRemovalBot\rs.dat (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Datos de programa\MalwareRemovalBot\Log\2010 Feb 20 - 10_43_10 AM_125.log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Datos de programa\MalwareRemovalBot\Log\2010 Feb 20 - 10_56_01 AM_875.log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Datos de programa\MalwareRemovalBot\Settings\ScanResults.pie (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\MalwareRemovalBot Scheduled Scan.job (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
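
The four "Registry Data Items" in the log above are the part worth understanding: the infection set the three Security Center *DisableNotify values to 1 so Windows stops warning that antivirus, firewall or Automatic Updates are off, and set the SHOWALL CheckedValue to 0 so "Show hidden files and folders" cannot be switched on in Folder Options, keeping its dropped files out of sight. The following is an added example, not from the thread and not Malwarebytes' own code, that parses a log in this format, explains each registry item, emits the reg.exe command that re-applies the "Good" value (useful for verifying a cleanup, or if the scanner was not allowed to fix them), and checks that the summary counts match the listed items, which catches a log truncated on paste. SAMPLE_LOG is a constructed excerpt that reproduces the four registry lines, one file line and the matching summary counts from the post; the "reg add" output assumes REG_DWORD, which holds for these four values.

```python
"""Parse a Malwarebytes 1.x log and explain the registry tampering it lists.

Added example; not from the thread and not Malwarebytes' own code. SAMPLE_LOG
is a constructed excerpt in the same format as the log posted above.
"""
import re
from dataclasses import dataclass

SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.44
Database version: 3780

Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 1

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Tasks\MalwareRemovalBot Scheduled Scan.job (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
"""

# What each tampered value buys the malware (value names as they appear in the log).
IMPACT = {
    "AntiVirusDisableNotify": "Security Center no longer warns that antivirus is off or out of date",
    "FirewallDisableNotify": "Security Center no longer warns that the firewall is off",
    "UpdatesDisableNotify": "Security Center no longer warns that Automatic Updates is off",
    "CheckedValue": "'Show hidden files and folders' cannot be turned on, so dropped files stay hidden",
}
HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU",
         "HKEY_USERS": "HKU", "HKEY_CLASSES_ROOT": "HKCR"}

SUMMARY_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected): (?P<n>\d+)$")
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")
BADGOOD_RE = re.compile(r"Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\)")


@dataclass
class RegistryFinding:
    key: str
    value: str
    family: str
    bad: str
    good: str
    action: str

    def impact(self):
        return IMPACT.get(self.value, "no description on file for this value")

    def restore_command(self):
        """reg.exe line that re-applies the Good value (REG_DWORD assumed)."""
        hive, _, subkey = self.key.partition("\\")
        return (f'reg add "{HIVES[hive]}\\{subkey}" /v {self.value} '
                f"/t REG_DWORD /d {self.good} /f")


def parse_registry_line(line):
    """'<key>\\<value> (<family>) -> Bad: (x) Good: (y) -> <action>' -> RegistryFinding."""
    head, badgood, action = line.split(" -> ", 2)
    path, _, family = head.rpartition(" (")
    key, _, value = path.rpartition("\\")
    m = BADGOOD_RE.fullmatch(badgood)
    return RegistryFinding(key, value, family.rstrip(")"), m["bad"], m["good"], action)


def parse_log(text):
    """Return (summary counts, {section: item lines}, registry findings)."""
    counts, sections, findings, current = {}, {}, [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:               # blank line ends the current section
            current = None
            continue
        if m := SUMMARY_RE.match(line):
            counts[m["name"]] = int(m["n"])
        elif m := SECTION_RE.match(line):
            current = m["name"]
            sections[current] = []
        elif current and not line.startswith("(No malicious"):
            sections[current].append(line)
            if current == "Registry Data Items Infected":
                findings.append(parse_registry_line(line))
    return counts, sections, findings


def count_mismatches(counts, sections):
    """Section names whose listed items disagree with the summary count."""
    return [name for name, n in counts.items()
            if name in sections and len(sections[name]) != n]


if __name__ == "__main__":
    counts, sections, findings = parse_log(SAMPLE_LOG)
    for f in findings:
        print(f"{f.value}: {f.bad} -> {f.good}  [{f.family}]  {f.impact()}")
        print("   ", f.restore_command())
    print("count mismatches:", count_mismatches(counts, sections) or "none")
```

The log already says "Quarantined and deleted successfully" for all four, so on this machine the reg add lines are only a way to confirm the values are back to 0/0/0/1 after a reboot; if they flip back, something still running is re-applying them, which is exactly the "recreates itself after removal" behaviour described earlier in the thread.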

pinnacle (Guest)
Re: VBS:Malware-gen and Win32:Oliga[Trj] in my computer.
« Reply #5 on: February 23, 2010, 05:23:34 PM »
If you still have trouble getting these nasties off your PC, then use these tools. One is Hitman Pro, http://www.surfright.nl/en/hitmanpro ; it will detect and remove threats even in its trial mode. The other is Vipre Rescue; no installation to your hard drive is needed, and it is found here: http://live.sunbeltsoftware.com/ . Both are very effective.
« Last Edit: February 23, 2010, 05:25:53 PM by pinnacle »