Hi

A few days ago, my mum was asked by the computer to install an ActiveX plugin to watch a video, while using her computer. Shortly after, she reported that her screen had gone red, showing a warning, and that she was getting lots of warning messages. That's when she alerted me, and asked if I could sort it out.

Symptoms:
- A red desktop background, that was a web background, that would take you somewhere (unknown where, I didn't look)
- 3 desktop shortcuts are created, all leading to the same suspciously-named website. If they are deleted, they are re-created whenever windows restarts (even in safe mode).
- 3 message boxes that pop up:
- - The first is a message saying that Windows had been infected, and click here to sort the problem out. When you click OK (the only button), it takes you to a webpage.
- - The second is accompanied by a small MSIE window that opens in the bottom-right corner of the screen, and has two buttons (OK.Cancel). Click either maximizes the MSIE window, and takes you to a website.
- - The third starts by saying that Trojan.W32.Looksky has been detected, displays some information about the trojan, and asks you (Yes/No) if you want to fix it. Clicking yes opens another website, clicking no just closes the message box.
- There is also a system tray icon that appears, with a balloon popup. The icon is a flashing white cross in red circle, the message is a similar warning to the first message box.
- System performance has not been noticably impeded.
- The program that my mum downloaded which caused all of these problems is called VideoAccessCodecInstall.exe, is 112423 bytes in size, and has checksums ff12795b67b72ba7f9a5c26f4a4a88c7 (MD5) and 7eb68ffbdcd9e3aa52733d1a28ff7c6c25ca3868 (SHA-1).

Steps taken so far:
- Computer has been disconnected from the internet. I am currently posting this from another computer. Files are being transfered across via a USB dongle drive.
- The web object that was causing the red background screen was removed using the Display control panel.
- A virus scan has taken place, using AVG AntiVirus 7.5 Free. I can't remember what it found, but I know that it found and took care of something...
- A scan has been done been done with Spybot Search & Destroy, it found and dealt with Zlob.NewMediaCodec (5 entries, all registry keys - 2 CLSID, 2 Interface, 1 TypeLib), Smitfraud-C (one folder and 3 registry keys - CLSID, BHO, and root class), and some tracking cookies.
- A scan has been done with Ad-Aware SE Personal Edition. It found and dealt with some Adware agents and some tracking cookies. During this scan, the virus checker found something in the System Restore area of the hard drive.
- System Restore has been disabled, and will be re-enabled when the computer is clean.
- A scan has been done with AVG AntiSpyware 7.5 Free in safe mode. It found and dealt with Trojan.AVkill.c, Adware.NewDotNet, and lots of tracking cookies. No log was generated, despite me asking it to generate one before the scan took place.
- A scan has been done using HijackThis. The log is attached below.

HijackThis log

CODE
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:37:09, on 20/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\StartupMonitor.exe
C:\Program Files\ITK\itk.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICAE.EXE
C:\lotus\wordpro\ltsstart.exe
C:\WINDOWS\twain_32\C6U14K\WATCH.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_SICN03.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Frank\Application Data\U3F31946082A1E99E\LaunchPad.exe
C:\clearout\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: MSVPS System - {283A0EE3-2CC1-45AB-8207-B1D7B69C7F83} - C:\WINDOWS\duocore.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [itk] C:\Program Files\ITK\itk.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus DX4400 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICAE.EXE /FU "C:\WINDOWS\TEMP\E_SA6.tmp" /EF "HKCU"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Lotus QuickStart.lnk = C:\lotus\wordpro\ltsstart.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Watch.lnk = C:\WINDOWS\twain_32\C6U14K\WATCH.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_12\bin\npjpi142_12.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_12\bin\npjpi142_12.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{361C0696-14A9-4707-B6C4-B53615239771}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{361C0696-14A9-4707-B6C4-B53615239771}: NameServer = 192.168.0.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{361C0696-14A9-4707-B6C4-B53615239771}: NameServer = 192.168.0.1
O21 - SSODL: wmpenv - {AC071C1B-449A-4CDC-83BE-F4F5579CC24D} - C:\WINDOWS\wmpenv.dll
O21 - SSODL: wmpconf - {1A6038BE-1248-4158-8338-1830DDDC6C8F} - C:\WINDOWS\wmpconf.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

--
End of file - 5280 bytes


Please can you help me remove this from my mum's computer.

PP

Welcome to the forum.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
• Instead of Windows loading as normal, the Advanced Options Menu should appear;
• Select the first option, to run Windows in Safe Mode, then press Enter.
• Choose your usual account.

• Open the extracted SDFix folder and double click RunThis.bat to start the script.
• Type Y to begin the cleanup process.
• It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
• Press any Key and it will restart the PC.
• When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
• Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
  (Report.txt will also be copied to Clipboard ready for posting back on the forum).
• Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

Ok my mums pc is working fine now but it did not save a log file

Go to your c drive. You should see a folder called sdfix. Look and see if the log is there.
Post a new hijackthis log and an sdfix log.