Spybot and Avast executables deleted by...

[Mr_JAk3]

Hi

Yes you may uninstall AVG if you want but it is a good scanner...

Open Notepad and copy the following lines into a new document:

@echo off
sc stop M_HOOK
sc delete M_HOOK

Save the document to your desktop as Remove.bat and filetype: All Files
Go to your desktop and run the file Remove.bat and allow to run it if prompted. A window will open and close, this is normal.

Restart your computer to the safe mode:

• Restart your computer
• Start tapping the F8 key when the computer restarts.
• When the start menu opens, choose Safe mode
• Press Enter. The computer then begins to start in Safe mode.

Go to the My Computer and delete the following folders (if present):
C:\WINDOWS\exefld
C:\Documents and Settings\MILENA\Dati applicazioni\hidires
F:\#Lory\#Documenti\Giochini ed eseguibili\skerzi

Reboot in Normal Mode.

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.

• The program will launch and then begin downloading the latest definition files:
• Once the files have been downloaded click on NEXT
  
• Now click on Scan Settings
• In the scan settings make that the following are selected:
  • Scan using the following Anti-Virus database:
  • Extended (if available otherwise Standard)
  • Scan Options:
  • Scan Archives
    Scan Mail Bases
• Click OK
• Now under select a target to scan:
  • Select My Computer
• This will program will start and scan your system.
• The scan will take a while so be patient and let it run.
• Once the scan is complete it will display if your system has been infected.
  
  • Now click on the Save as Text button:
• Save the file to your desktop.
• Copy and paste that information in your next post along with a fresh HijackThis startuplist

[kiwidesign]

here they are:

-kaspersky log
-hjt startuplist

Yes you may uninstall AVG if you want but it is a good scanner...

yes I think I'll keep it... what about the resident shield?

[Mr_JAk3]

Hi again, it is looking good now
How is the computer running ?

You should be careful on what you download

Delete the following infected files:
D:\MOBILE TOOLS\PC HOME\AGO\ANTISPAM Free\FreeSaverMP3.exe
F:\#Lory\#Documenti\Giochini ed eseguibili\Kissdolls\Games\hentaigame.exe
F:\#Lory\#Files importanti\BSINSTALL.exe
F:\#Lory\#Files importanti\BSINSTALLIT.exe
G:\#Miky\AGSetup0608.exe

And delete the following folders:
F:\#Lory\Themes\logon
F:\#Lory\Themes\stili visivi

The you have infections in the System Restore but that will be easily cleaned.

You don't seem to have a third-party firewall installed. You must install one firewall.
It is possible that you're using the Windows XP firewall. That is of course better than nothing but I recommend that you install a more advanced firewall that gives more protection. Windows firewall doesn't eg protect your computer from inbound threats. This means that any malware on your computer is free to "phone home" for more instructions. Remember to use only one firewall at the same time. I'll give you a few alternatives if you want to install a third-party firewall:

These are good (free) firewalls:

• Sunbelt-Kerio
• ZoneAlarm
• Sygate
• Outpost
• Comodo

You don't have an antivirus on your computer, you must install one antivirus. Otherwise you'll get infected again.

These are good (free) antiviruses:

• AVG
• Antivir
• Avast

Now you can clean AVG's Quarantine:

• Open AVG Anti-Spyware
• Click Infections
• Click Quarantine tab
• Click Select all
• Click Remove finally
• Close the program

You can remove the tools we used.

Then you should update your Java to the latest version (6.0)

• Start
• Control Panel
• Add/Remove Programs
• Delete the old Java, J2SE Runtime Environment 5.0 Update 6
• Download the latest version of Java Runtime Environment (JRE) 6.0.
• Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications."
• Click the "Download" button to the right.
• Check the box that says: "Accept License Agreement."
• The page will refresh.
• Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
• Install it

Now you can make your hidden files hidden again.

• Go to My Computer
• Select the Tools menu and click Folder Options
• Click the View tab.
• Checkmark the "Display the contents of system folders"
• Under the Hidden files and folders select "Show hidden files and folders"
• Check "Hide protected operating system files"
• Click Apply and then the OK and close My Computer.

=============

Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure:

• Clear your system restore
  This will clear the system restore folders from possible malware that was left behind during the cleaning process.
  
• Use ATF Cleaner
  Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.
  
• Use Ad-Aware
  Download and install Ad-Aware. Update it and scan your computer regularly with it.
  
• Use AVG Anti-Spyware
  Update it and scan your computer regularly with it.
  
• Use Spybot S&D
  Download and install Spybot S&D. Update it and scan your computer regularly with it.
  
• Install SpywareBlaster
  SpywareBlaster will prevent spyware from being installed.
  
• Install MVPS Hosts file
  This prevents your computer from connecting to harmful sites.
  
• Use Firefox browser
  Firefox is faster, safer and better browser than Internet Explorer.
  
• Keep your systen up-to-date
  Visit Windows Update regularly.
  
• Keep your antivirus and firewall up-to-date
  Scan your computer regularly with your antivirus.
  
• Read this article by TonyKlein
  So how did I get infected in the first place?
  
• Stand Up and Be Counted !
  The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Stay clean and be safe

[kiwidesign]

first of all BIG thanks Jak3, you're an

You should be careful on what you download

Delete the following infected files:
D:\MOBILE TOOLS\PC HOME\AGO\ANTISPAM Free\FreeSaverMP3.exe
...
G:\#Miky\AGSetup0608.exe

you're right, but I'm not the only using this PC
anyway these all are programs setup, but no one of them is ever been installed..
BSINSTALL is the setup of BearShare, don't know why I kept the installer but I uninstalled that program looong time ago

And delete the following folders:
F:\#Lory\Themes\logon
F:\#Lory\Themes\stili visivi

uhm... all these infected exe are visual styles and logons downloaded time ago from http://themexp.org , i'll delete them...

You don't have an antivirus on your computer, you must install one antivirus. Otherwise you'll get infected again.

uh yeah, Avast4 home is installed! as you read in topic title it was partially deleted by a malware, now I reinstalled it

You don't seem to have a third-party firewall installed. You must install one firewall.

yeah, that's true... I'll install one (I haven't yet because of the worry of slowing down PC performances...). the ones you listed are equivalent? any preference?


about SpywareBlaster and SpywareGuard, they shouldn't have conflict with any av/firewall right?

about Ad-Aware, Spybot, Firefox, I use them regularly... the infection that drove me here has probably caused by a bad file downloaded from eMule... my fault! :(

about ATF Cleaner, I regularly use CCleaner, it seem to be a valid alternative... is it?


last but not least: safe mode boot still not work any idea about?

[Mr_JAk3]

Hi

Downloading custom themes is an easy way the get infected...

Good, antivirus is a must-have.

Well I use ZoneAlarm at the moment, it is very easy to use and here is a good ZoneAlarm guide.

SpywareBlaster wont conflict you AV or eat your memory.

Yes you get best results by using multiple scanners.

Yes CCleaner and ATF Cleaner do the same thing.

Ok the safe mode. Please see these instructios and let me know if you're able to access to the safe mode -> Link

[kiwidesign]

damn, I've been little bit busy these days... I'll check the link soon, thanks

[Mr_JAk3]

Ok good