Author Topic: "Anti Virus" by designte.com has attacked me. Can't clean it up.  (Read 17685 times)


gregory_ellis

  • Guest
"Anti Virus" by designte.com has attacked me. Can't clean it up.

As you requested, I have run MalwareBytes. I also ran OTL (a couple of times). Below my comments are the readouts. A couple of other problems (that I HOPE are related) are this:

CD tray opens sporadically
Can't do a system restore (either in normal or safe mode)
If I put in an XP pro disk, it does not recognize the hard drive.

Thanks for any help you can provide.......

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37527
  • Not a avast user
Re: "Anti Virus" by designte.com has attacked me. Can't clean it up.
« Reply #1 on: January 23, 2011, 08:34:25 PM »
Is this the one you have?

Did you update Malwarebytes before you scanned?
Can you post the scan log?


Remove Antivirus Scan (Uninstall Guide)
http://www.bleepingcomputer.com/virus-removal/remove-antivirus-scan

gregory_ellis

Re: "Anti Virus" by designte.com has attacked me. Can't clean it up.
« Reply #2 on: January 23, 2011, 08:40:13 PM »
I THINK I have it.
I HAVE updated Malwarebytes.

The scan log is too long to post. Is there a way for me to do it?

gregory_ellis

Re: "Anti Virus" by designte.com has attacked me. Can't clean it up.
« Reply #3 on: January 23, 2011, 08:44:25 PM »
Of course I CAN attach it but I sure don't blame you for not wanting to open one of my files.  :)

Offline Pondus

Re: "Anti Virus" by designte.com has attacked me. Can't clean it up.
« Reply #4 on: January 23, 2011, 08:45:11 PM »
lower left corner > additional options > attach

gregory_ellis

Re: "Anti Virus" by designte.com has attacked me. Can't clean it up.
« Reply #5 on: January 23, 2011, 09:01:14 PM »
If you are referring to the OTL scan file, I posted it in my first post but will post it here again followed by the EXTRAS file, which I had to get via a full scan (NOT quick scan).

gregory_ellis

Re: "Anti Virus" by designte.com has attacked me. Can't clean it up.
« Reply #6 on: January 23, 2011, 09:02:06 PM »
And the EXTRA file (One was NOT generated via the Quick Scan option)

Offline Pondus

Re: "Anti Virus" by designte.com has attacked me. Can't clean it up.
« Reply #7 on: January 23, 2011, 09:02:42 PM »
and the Malwarebytes scan log

gregory_ellis

Re: "Anti Virus" by designte.com has attacked me. Can't clean it up.
« Reply #8 on: January 23, 2011, 09:12:07 PM »
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5571

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/22/2011 4:10:25 PM
mbam-log-2011-01-22 (16-10-25).txt

Scan type: Full scan (C:\|D:\|E:\|)
Objects scanned: 505406
Time elapsed: 2 hour(s), 55 minute(s), 47 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
c:\documents and settings\greg ellis.pc139818592325\application data\microsoft\conhost.exe (Trojan.Agent) -> 18300 -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost (Trojan.Agent) -> Value: conhost -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load (Trojan.Agent) -> Value: load -> Delete on reboot.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Load (Trojan.Agent) -> Bad: (C:\DOCUME~1\GREGEL~1.PC1\LOCALS~1\Temp\csrss.exe) Good: () -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\greg ellis\application data\Mozilla\Firefox\Profiles\euby6z0j.default\yoono\yoono_running_commands.log (Trojan.Zbot) -> Quarantined and deleted successfully.
c:\documents and settings\greg ellis.pc139818592325\local settings\Temp\28B.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\greg ellis.pc139818592325\application data\microsoft\conhost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\greg ellis.pc139818592325\local settings\Temp\csrss.exe (Trojan.Agent) -> Delete on reboot.
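Two things in that log are worth reading closely rather than just counting. First, the names: csrss.exe is a genuine Windows process, but only from System32, and conhost.exe did not exist before Windows 7, so on this XP SP3 box (Windows 5.1.2600) a conhost.exe under Application Data\Microsoft cannot be anything but a masquerade. Second, the persistence: besides the usual HKLM\...\CurrentVersion\Run value, the rogue used the "Load" value under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows, a less-known logon autostart that many cleanup checklists miss, and two of the items are marked "Delete on reboot", i.e. they were in use and are still on disk until the machine restarts. The script below is an added example written for this page, not code from Malwarebytes or from anyone in the thread: it parses the detection lines of a Malwarebytes log (the excerpt embedded in it is copied from the post above; the summary counters and empty sections are left out) and flags system-binary names outside System32, executables launched from Temp, autostart registry locations, and items that are only gone after reboot. The name list, the path heuristics and the autostart key list are this example's own choices, not Malwarebytes categories.

```python
import re

# Detection lines copied from the Malwarebytes log posted above (constructed
# excerpt: the summary counters and the empty sections are left out).
SAMPLE_LOG = r"""
Memory Processes Infected:
c:\documents and settings\greg ellis.pc139818592325\application data\microsoft\conhost.exe (Trojan.Agent) -> 18300 -> Unloaded process successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost (Trojan.Agent) -> Value: conhost -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load (Trojan.Agent) -> Value: load -> Delete on reboot.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Load (Trojan.Agent) -> Bad: (C:\DOCUME~1\GREGEL~1.PC1\LOCALS~1\Temp\csrss.exe) Good: () -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\greg ellis\application data\Mozilla\Firefox\Profiles\euby6z0j.default\yoono\yoono_running_commands.log (Trojan.Zbot) -> Quarantined and deleted successfully.
c:\documents and settings\greg ellis.pc139818592325\local settings\Temp\28B.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\greg ellis.pc139818592325\application data\microsoft\conhost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\greg ellis.pc139818592325\local settings\Temp\csrss.exe (Trojan.Agent) -> Delete on reboot.
"""

# One detection line: "<item> (<family>) -> <detail> -> ... -> <action>."
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[\w.]+)\) -> (?P<rest>.+?)\.?$")
# Any drive-letter path ending in .exe inside the item text or a "Bad: (...)" detail.
PATH_RE = re.compile(r"[a-z]:\\[^()]+?\.exe", re.I)

# Windows binary names that malware borrows (this example's own list).  conhost.exe
# is only legitimate on Windows 7 and later; on XP (NT 5.1, as in this log) there is
# no such file at all, so any conhost.exe is suspect regardless of its directory.
SYSTEM_NAMES = {"csrss.exe", "conhost.exe", "svchost.exe", "lsass.exe",
                "winlogon.exe", "smss.exe", "services.exe", "explorer.exe"}
# Registry locations (lower-cased fragments) that run something at logon.
AUTOSTART_KEYS = ("\\currentversion\\run", "\\currentversion\\windows\\load",
                  "\\currentversion\\winlogon")


def parse_mbam_log(text):
    """Return one dict per detection line: section, item, family, detail list, action."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":") and "->" not in line:   # e.g. "Files Infected:"
            section = line[:-1]
            continue
        m = DETECTION_RE.match(line)
        if not m:                                     # counters, "(No malicious items detected)", header
            continue
        parts = [p.strip() for p in m.group("rest").split("->")]
        findings.append({"section": section, "item": m.group("item"),
                         "family": m.group("family"), "detail": parts[:-1],
                         "action": parts[-1]})
    return findings


def exe_paths(finding):
    """Executable paths mentioned by a finding, including the Bad: (...) target of a data item."""
    return PATH_RE.findall(finding["item"] + " " + " ".join(finding["detail"]))


def autostarts(findings):
    """Registry findings that sit in a logon autostart location."""
    return [f for f in findings
            if (f["section"] or "").startswith("Registry")
            and any(k in f["item"].lower() for k in AUTOSTART_KEYS)]


def triage(findings):
    """(finding, reason) pairs that deserve a second look after the scan."""
    notes = []
    for f in findings:
        for path in exe_paths(f):
            low = path.lower()
            name = low.rsplit("\\", 1)[-1]
            if name in SYSTEM_NAMES and "\\windows\\system32\\" not in low:
                notes.append((f, f"{name} outside System32: {path}"))
            if "\\temp\\" in low:
                notes.append((f, f"executable run from a Temp directory: {path}"))
        if f["action"].lower().startswith("delete on reboot"):
            notes.append((f, "still on disk until reboot; re-scan after restarting"))
    return notes


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    for f in autostarts(found):
        print("autostart:", f["item"])
    for f, why in triage(found):
        print(f"{f['family']:<18} {why}")
```

The parser ignores the counter lines and the "(No malicious items detected)" placeholders, so the whole log as posted can be fed to it unchanged; only the detection lines are kept.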

Offline Pondus

Re: "Anti Virus" by designte.com has attacked me. Can't clean it up.
« Reply #9 on: January 23, 2011, 09:14:04 PM »
OK, Essexboy is notified ;)


Probably won't work, but you may try updating and running a quick scan with MBAM again, as there have been some updates released since you scanned.
« Last Edit: January 23, 2011, 09:17:45 PM by Pondus »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: "Anti Virus" by designte.com has attacked me. Can't clean it up.
« Reply #10 on: January 23, 2011, 09:36:58 PM »
Hi, there may be a deeper problem, so I would like you to run an additional programme on completion of the OTL fix.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Quote
    :OTL
    IE - HKU\S-1-5-21-1360784826-3158860248-318043405-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
    IE - HKU\S-1-5-21-1360784826-3158860248-318043405-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
    IE - HKU\S-1-5-21-1360784826-3158860248-318043405-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:63111
    FF - prefs.js..network.proxy.http: "127.0.0.1"
    FF - prefs.js..network.proxy.http_port: 63111
    FF - prefs.js..network.proxy.type: 4
    O3 - HKLM\..\Toolbar: (no name) - {72C9A221-FCFD-4E21-8C9F-E954A4F5C92F} - No CLSID value found.
    O3 - HKU\S-1-5-21-1360784826-3158860248-318043405-1005\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O3 - HKU\S-1-5-21-1360784826-3158860248-318043405-1005\..\Toolbar\WebBrowser: (no name) - {31C7D459-9CC3-44F2-9DCA-FC11795309B4} - No CLSID value found.
    O3 - HKU\S-1-5-21-1360784826-3158860248-318043405-1005\..\Toolbar\WebBrowser: (no name) - {72C9A221-FCFD-4E21-8C9F-E954A4F5C92F} - No CLSID value found.
    O3 - HKU\S-1-5-21-1360784826-3158860248-318043405-1005\..\Toolbar\WebBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
    O3 - HKU\S-1-5-21-1360784826-3158860248-318043405-1005\..\Toolbar\WebBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
    O3 - HKU\S-1-5-21-1360784826-3158860248-318043405-1005\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
    [2011/01/23 07:46:20 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\winrm

    :Files
    ipconfig /flushdns /c

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [EMPTYFLASH]
    [CREATERESTOREPOINT]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN

Please read carefully and follow these steps. 
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
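The three IE lines and three Firefox lines at the top of that OTL fix are the part worth understanding. Both browsers have been pointed at a proxy on 127.0.0.1:63111, a listener run by the rogue on the same machine, which puts it in the path of every HTTP request the browser makes. Once the process behind that listener is gone, the browser is left talking to a proxy that no longer answers, which is why the fix clears the settings instead of only removing the binary. The O3 lines are toolbar registrations whose CLSID no longer resolves to anything: leftovers, not live code. What follows is an added example, not code from OTL, essexboy or anyone else in the thread. It parses those OTL line formats from an embedded excerpt of the fix above and reports a local-proxy hijack in either browser (and the shared port when both use the same listener), plus orphaned toolbar CLSIDs. The regexes are written only from the line shapes visible on this page; OTL's other line types are not handled, and the loopback and "localhost" tests are this example's own definition of "local".

```python
import ipaddress
import re

# OTL lines copied from the fix above (constructed excerpt; SID, port and
# CLSIDs are the ones that appear in the posted fix).
SAMPLE_OTL = r"""
IE - HKU\S-1-5-21-1360784826-3158860248-318043405-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\S-1-5-21-1360784826-3158860248-318043405-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\S-1-5-21-1360784826-3158860248-318043405-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:63111
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 63111
FF - prefs.js..network.proxy.type: 4
O3 - HKLM\..\Toolbar: (no name) - {72C9A221-FCFD-4E21-8C9F-E954A4F5C92F} - No CLSID value found.
O3 - HKU\S-1-5-21-1360784826-3158860248-318043405-1005\..\Toolbar\WebBrowser: (no name) - {31C7D459-9CC3-44F2-9DCA-FC11795309B4} - No CLSID value found.
"""

IE_RE = re.compile(r'^IE - (?P<key>.+?): "(?P<name>[^"]+)" = (?P<value>.*)$')
FF_RE = re.compile(r'^FF - prefs\.js\.\.(?P<name>[\w.]+): (?P<value>.*)$')
O3_RE = re.compile(r'^O3 - (?P<key>.+?): \((?P<name>[^)]*)\) - '
                   r'(?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<note>.*)$')


def parse_otl(text):
    """Collect IE Internet Settings values, Firefox prefs and O3 toolbar entries."""
    ie, ff, toolbars = {}, {}, []
    for raw in text.splitlines():
        line = raw.strip()
        m = IE_RE.match(line)
        if m:
            ie[m.group("name")] = m.group("value").strip()
            continue
        m = FF_RE.match(line)
        if m:
            ff[m.group("name")] = m.group("value").strip().strip('"')
            continue
        m = O3_RE.match(line)
        if m:
            toolbars.append({"key": m.group("key"), "name": m.group("name"),
                             "clsid": m.group("clsid"), "note": m.group("note").rstrip(".")})
    return {"ie": ie, "ff": ff, "toolbars": toolbars}


def ie_proxies(value):
    """Split an IE ProxyServer string ("host:port" or "http=host:port;https=...")
    into (scheme, host, port) tuples; scheme is "all" for the unprefixed form."""
    out = []
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        scheme, _, hostport = entry.rpartition("=")
        host, sep, port = hostport.rpartition(":")
        if not sep:                      # no port given
            host, port = hostport, ""
        out.append((scheme or "all", host, int(port) if port.isdigit() else None))
    return out


def is_local(host):
    """True for a loopback address or the name localhost (this example's definition)."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host.lower() == "localhost"


def proxy_findings(parsed):
    """Human-readable findings for browser proxies that point back at the machine itself."""
    findings = []
    ie = parsed["ie"]
    if ie.get("ProxyEnable") == "1":
        for scheme, host, port in ie_proxies(ie.get("ProxyServer", "")):
            if is_local(host):
                findings.append(f"IE: {scheme} traffic routed through local listener {host}:{port}")
    ff = parsed["ff"]
    host = ff.get("network.proxy.http")
    if host and is_local(host):
        findings.append("Firefox: network.proxy.http points at "
                        f"{host}:{ff.get('network.proxy.http_port', '?')} "
                        f"(network.proxy.type={ff.get('network.proxy.type', 'unset')})")
    return findings


def shared_listener_port(parsed):
    """Port used by both browsers' local proxy settings: one listener hijacking both, or None."""
    ie_ports = {p for _, h, p in ie_proxies(parsed["ie"].get("ProxyServer", "")) if is_local(h)}
    ff_port = parsed["ff"].get("network.proxy.http_port", "")
    return int(ff_port) if ff_port.isdigit() and int(ff_port) in ie_ports else None


def orphan_toolbars(parsed):
    """CLSIDs of toolbar registrations that OTL could not resolve to any class."""
    return [t["clsid"] for t in parsed["toolbars"] if t["note"].startswith("No CLSID value found")]


if __name__ == "__main__":
    parsed = parse_otl(SAMPLE_OTL)
    for line in proxy_findings(parsed):
        print(line)
    print("shared listener port:", shared_listener_port(parsed))
    print("orphaned toolbar CLSIDs:", orphan_toolbars(parsed))
```

On a machine that "cannot get online" after a rogue has been removed, these six settings are the first place to look: an IE ProxyEnable of 1 with a loopback ProxyServer, or a Firefox network.proxy.http of 127.0.0.1, strands the browser even though the malware itself is gone.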

gregory_ellis

Re: "Anti Virus" by designte.com has attacked me. Can't clean it up.
« Reply #11 on: January 23, 2011, 10:59:41 PM »
OK. Starting this now. Thanks.

Wjohnson3

  • Guest
Re: "Anti Virus" by designte.com has attacked me. Can't clean it up.
« Reply #12 on: January 24, 2011, 12:35:55 AM »
I have the same virus. I have tried most items listed in the post except the OTL and custom scan. What is OTL and what else can I do? Thanks in advance for the help.

Offline Pondus

Re: "Anti Virus" by designte.com has attacked me. Can't clean it up.
« Reply #13 on: January 24, 2011, 01:13:17 AM »
Quote
What is otl and what else can I do?
OTL will produce two log files where Essexboy can see what the malware is and where it is located... and then remove it.


if you are going to do it you should start your own topic where you attach the logs
helping multiple users in the same topic will only create chaos as you also may have different needs...
« Last Edit: January 24, 2011, 01:16:22 AM by Pondus »

gregory_ellis

Re: "Anti Virus" by designte.com has attacked me. Can't clean it up.
« Reply #14 on: January 24, 2011, 02:25:29 AM »
Essexboy - I ran OTL (with the code you provided). I kept getting an "access violation address 005CC7ED in module otl.exe - read address of 00000000" UNTIL I removed the ":OTL". Then I got the attached file: