Let’s try this now.
STEP 1.
======
Cleaning Files
Navigate to C:\Windows\Prefetch
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.
Navigate to C:\Windows\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.
Example from your MWAV scan
C:\Documents and Settings\Margo\Local Settings\Temp\lf_C2C.tmp infected by "Trojan-Downloader.Win32.Dluca.ci" Virus!
This is very important because your MWAV scan shows the Temp files in the Documents and Settings folders as infected.
Navigate to C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.
Clean out your Temporary Internet files. Proceed like this:
- Quit Internet Explorer and quit any instances of Windows Explorer.
- Click Start, click Control Panel, and then double-click Internet Options.
- On the General tab, click Delete Files under Temporary Internet Files.
- In the Delete Files dialog box, click to select the Delete all offline content check box, and then click OK.
- On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
- Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
- Click OK.
Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.
STEP 2.
======
Delete Files with Killbox
Download Pocket Killbox from http://www.downloads.subratam.org/KillBox.zip and unzip it; save it to your Desktop. DO NOT RUN IT YET.
==========
Double-click on KillBox.exe to launch the program. It is the red circle with a large white X in it.
- Highlight the files in bold RED below and press the Ctrl key and the C key at the same time to copy them to the clipboard.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq25.tmp
C:\promax2.chm
C:\WINDOWS\Downloaded Program Files\btwebcontrol.dll
C:\WINDOWS\Downloaded Program Files\popcaploader.dll
In Killbox click on the File menu and then the Paste from Clipboard item.
In the Full Path of File to Delete field, drop down the arrow and make sure that all of the files are listed.
(Please note that the tool checks your computer for the presence of the files pasted into the box so if files are not present, it is possible that you might not see all files you pasted into the box.)
Click the option to Delete on Reboot
- If not greyed out, click the checkbox for Unregister .dll Before Deleting
- Click End Explorer Shell while Killing File
- Now click on the red button with a white 'X' in the middle to delete the files
- Click Yes when it says all files will be deleted on the next reboot
- Click Yes when it asks if you want to reboot now
(Note: If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just reboot manually)
Note: Killbox will let you know if a file does not exist. If that happens, just continue on.
If you have any issues with this method you can copy and paste the lines one at a time into the Killbox top box. Then click the "Single File" button. Then click the Red X, and for the confirmation message that will appear, you will need to click Yes. A second message will ask "Reboot now?"; you will need to click No until the last one, at which time you click Yes to allow the reboot.
STEP 3.
======
Run the MWAV scan again. Please be sure that you copy the whole box. It looked like some of the bottom was missing from the last post of the MWAV scan.
MWAV Scan
Please download MWAV to a convenient location.
This scan only produces a report, it doesn't clean your system. I will analyze the report and recommend a course of action depending on the results.
This scan might take around 3+ hours to finish when set to scan everything.
Double-click on mwav.exe.
Put a check next to the below items before scanning:
- Memory
- Startup Folders
- Drive - All Local Drives
- Folder - then click "browse" to change the directory to C: (default is C:\Windows)
- Registry
- System Folders
- Services
- Include Sub-Directory
- Scan All Files
Please make sure ALL of these are checked, then press the Scan button. This typically will take hours to complete.
NOTE: Sometimes MWAV will pause and it appears to be finished, but it isn't done. Just let it run until it says it's complete.
On the bottom portion of the window, you will see the lower panel where MWAV is listing "infected items". Please highlight everything in that lower panel, copy it by holding CTRL + C, then paste it here. The whole log will be extremely BIG so there is no way to post the log. I just need the infected items list.
Disable Microsoft AntiSpyware:
We need to disable your Microsoft AntiSpyware Real-time Protection as it may interfere with the fixes that we need to make.
- Open Microsoft AntiSpyware
- Click on Tools, Settings.
- In the left pane, click on Real-time Protection
- Under Startup Options uncheck Enable the Microsoft AntiSpyware Security Agents
- Under Real-time spyware threat protection uncheck Enable real-time spyware threat protection (recommended).
- After you uncheck these, click on the Save button and close Microsoft AntiSpyware.
- Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware.
After all of the fixes are complete it is very important that you enable Real-time Protection again.
Disable Ewido:
Please disable Ewido, as it may interfere with the fix. To disable Ewido:
From the system tray:
- Right-click the system tray icon and uncheck real time protection.
Or from within Ewido: under 'Your security status', if the real time protection is active, deactivate it by clicking 'real time protection' until the status says 'inactive'.
Once your log is clean you can re-enable Ewido.
Please set your system to show all files; please see here if you're unsure how to do this.
Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O4 - HKLM\..\Run: [ms1src] c:\program files\common files\system\ms1src.exe /install
O16 - DPF: {70B410C0-BADA-11D4-8308-0080C8D7ED4A} (GameDesire Bridge) - http://67.15.101.2/g_bin/eng/bridge_2_0_0_14.cab
Click on Fix Checked when finished and exit HijackThis.
Reboot into Safe Mode: please see here if you are not sure how to do this.
Using Windows Explorer, locate the following files/folders, and delete them:
c:\program files\common files\system\ms1src.exe <== file
Exit Explorer, and reboot as normal afterwards.
Post back a fresh HijackThis log and we will take another look.
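As an added example (not part of the original post), a small Python script that pulls only the "infected by" lines out of a full MWAV report, which is what the MWAV step above asks for, and then reports which user profiles have hits inside their Local Settings\Temp folder, the folders Step 1 says to clean for every listed user. The sample report lines are constructed in the format quoted above; the exact line pattern is an assumption about MWAV's output, not taken from its documentation.

```python
import re
from collections import defaultdict

# Assumed MWAV "infected item" line shape, based on the line quoted in the post:
#   C:\path\file.tmp infected by "Detection.Name" Virus!
INFECTED_RE = re.compile(
    r'^(?:File\s+)?(?P<path>[A-Za-z]:\\.*?)\s+infected by\s+"(?P<name>[^"]+)"',
    re.IGNORECASE,
)

# Per-user temp folder in a Windows XP style profile layout (Documents and Settings).
USER_TEMP_RE = re.compile(
    r'^[A-Za-z]:\\Documents and Settings\\(?P<user>[^\\]+)\\Local Settings\\Temp\\',
    re.IGNORECASE,
)

# Constructed sample report (not a real scan): progress lines mixed with hits.
SAMPLE_LOG = """\
Scanning File C:\\WINDOWS\\system32\\kernel32.dll
C:\\Documents and Settings\\Margo\\Local Settings\\Temp\\lf_C2C.tmp infected by "Trojan-Downloader.Win32.Dluca.ci" Virus!
Scanning File C:\\WINDOWS\\Temp\\setup.log
C:\\WINDOWS\\Temp\\abc123.tmp infected by "not-a-virus:AdWare.Win32.Example.a" Virus!
C:\\Documents and Settings\\Guest\\Local Settings\\Temp\\tmp9.exe infected by "Trojan.Win32.Example.b" Virus!
C:\\Documents and Settings\\Margo\\Local Settings\\Temp\\lf_C2D.tmp infected by "Trojan-Downloader.Win32.Dluca.ci" Virus!
"""


def extract_infected(log_text):
    """Return (path, detection name) tuples for every infected-item line, in order."""
    hits = []
    for line in log_text.splitlines():
        m = INFECTED_RE.match(line.strip())
        if m:
            hits.append((m.group("path"), m.group("name")))
    return hits


def users_with_infected_temp(hits):
    """Map each user profile name to the number of hits in its Local Settings\\Temp."""
    counts = defaultdict(int)
    for path, _name in hits:
        m = USER_TEMP_RE.match(path)
        if m:
            counts[m.group("user")] += 1
    return dict(counts)


if __name__ == "__main__":
    found = extract_infected(SAMPLE_LOG)
    for path, name in found:
        print(f"{name}\t{path}")
    print("user Temp folders to clean:", users_with_infected_temp(found))
```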