help with fbi lockout screen virus Please

pjoseph

Member
Just finished, found a total of 3. Does it automatically delete these? Still seeing that popup.

C:\Qoobox\Quarantine\C\Users\pamato\flashplayer.exe.vir
a variant of Win32/Injector.AHJT trojan
C:\Users\pamato\AppData\Local\Apple Computer\Temp\epgeofp.dll
Win32/TrojanDownloader.Tracur.V trojan
Operating memory a variant of Win32/Boaxxe.AW trojan
 

pjoseph

Member
Ran AdwCleaner again and this time I was able to delete without it freezing.
Log below.


# AdwCleaner v2.301 - Logfile created 05/31/2013 at 21:03:34
# Updated 16/05/2013 by Xplode
# Operating system : Windows 7 Professional Service Pack 1 (32 bits)
# User : pamato - ENPUSREML0278
# Boot Mode : Normal
# Running from : C:\Users\pamato\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Folder Deleted : C:\Program Files\adawaretb
Folder Deleted : C:\ProgramData\adawaretb
Folder Deleted : C:\ProgramData\blekko toolbars

***** [Registry] *****

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\Software\adawaretb
Key Deleted : HKLM\Software\Freeze.com
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\063A857434EDED11A893800002C0A966

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.7601.17514

[OK] Registry is clean.

-\\ Google Chrome v [Unable to get version]

File : C:\Users\pamato\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [2229 octets] - [31/05/2013 08:54:19]
AdwCleaner[R2].txt - [2275 octets] - [31/05/2013 09:10:33]
AdwCleaner[R3].txt - [2453 octets] - [31/05/2013 09:26:36]
AdwCleaner[R4].txt - [2303 octets] - [31/05/2013 21:02:34]
AdwCleaner[S1].txt - [398 octets] - [31/05/2013 08:55:42]
AdwCleaner[S2].txt - [325 octets] - [31/05/2013 09:11:59]
AdwCleaner[S3].txt - [325 octets] - [31/05/2013 09:26:26]
AdwCleaner[S4].txt - [2260 octets] - [31/05/2013 21:03:34]

########## EOF - C:\AdwCleaner[S4].txt - [2320 octets] ##########
 

voyagerfan99

Master of Turning Things Off and Back On Again
Staff member
It's late. You'll probably get another response from John in the morning.
 

johnb35

Administrator
Staff member
Just finished, found a total of 3. Does it automatically delete these? Still seeing that popup.

C:\Qoobox\Quarantine\C\Users\pamato\flashplayer.exe.vir
a variant of Win32/Injector.AHJT trojan
C:\Users\pamato\AppData\Local\Apple Computer\Temp\epgeofp.dll
Win32/TrojanDownloader.Tracur.V trojan
Operating memory a variant of Win32/Boaxxe.AW trojan

That's only 2 files, you must have missed copying the last one.

Please delete this file.

C:\Users\pamato\AppData\Local\Apple Computer\Temp\epgeofp.dll

You may have to rerun the Eset scanner to get a new log.
 

pjoseph

Member
Same results as before with the third one listed like this:

Target: Operating Memory
Threat: A variant of Win32/Boaxxe.AW Trojan

I can post a screenshot if that helps any, let me know.
 

johnb35

Administrator
Staff member
Never seen that before. However, have you shut the system down lately? When the system is off, everything is erased out of the memory.
 

johnb35

Administrator
Staff member
The log said it was in your operating memory. Anything in memory is erased when the pc is shut down.
 

pjoseph

Member
OK, I deleted the file last mentioned and shut down the laptop.
Everything seems fine but still getting that popup.

How come when I ran ESET the second time it found the same threats it found the first time around? I thought it would have deleted them the first time I ran it.

Thanks again
 

johnb35

Administrator
Staff member
Because I had you uncheck the option to remove found threats. Since you are still getting the popup, can you provide some IP addresses that it's displaying? Have you installed any new software lately?
 

pjoseph

Member
Looking at Add/Remove Programs, it looks like the following was installed on 5/24/13:
Adobe Reader XI (11.0.03)
Adobe Acrobat X Standard
Adobe Flash player 11 Active X
Adobe AIR

Not sure if these are installed automatically or not because I do not recall installing them.
 