Thread: Help with some spyware

  1. #21
    Join Date
    Apr 2007
    Posts
    27
    Okay here it is.
    Attached Files

  2. #22
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Ok, I see what it is...give me a bit and I will get back with you on this one.

  3. #23
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    The error is related to the removed Vundo infection. A start up registry entry remains but of course the infection is gone so the file is no longer on the computer but of course the computer doesn't know that and it keeps looking for it.
    Try this first;
    Download RegCleaner
    Run the program.
    When it opens go to the very top and choose Tools, Registry Cleanup, Do Them All.
    The program will then scan the registry for old entries, entries no longer needed, entries for removed programs, etc.
    This will just take a few minutes.
    Once complete it will show you a list of items found you no longer need.
    Then go up to Select, All.
    Checkmarks will be placed in items that will be deleted.
    Then click the Remove Selected Button.
    These items will be removed.
    Close out the program.
    This program DOES make a backup of all items removed so in the rare event something is removed that is incorrect you can put it back.
    Run the program, reboot and see if you still get the error.

  4. #24
    Join Date
    Apr 2007
    Posts
    27
    Ok I've done that, but I still get the error when my computer starts up.

  5. #25
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    I am as dumb as a box of rocks! I never had you run HJT again and do the fixes there.
    Run HJT again and place checkmarks next to the following entries if they still exist;
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\fiobxsax.dll",setvm
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

    O15 - Trusted Zone: http://www.ti.com (Did you add this yourself? If NOT then place a checkmark next to this one too. If you DID add it then leave it.)
    O16 - DPF: {20050325-D35A-4233-926E-2E801AE25949} (NMJPStarter15 Class) - http://www.netmarble.jp/_common/cab/NMStarterJP5.cab

    Once you have placed the checkmarks then click the FIX button.
    Exit HJT.
    Reboot and run one more HJT scan.
    If you still get the error then you may have to go into the Registry manually and remove it.
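
Added example, not part of the original thread: a Python check for the situation described in posts #23 and #25, which parses HijackThis O4 Run lines and reports entries whose target file is no longer on disk. The `exists` callback and the `ON_DISK` set are constructed stand-ins for the real file system; on the affected machine the default `os.path.exists` would be used.

```python
import os
import re

# O4 Run-key lines as HijackThis prints them: O4 - HKLM\..\Run: [Name] command
RUN_RE = re.compile(r'^O4 - (HK\w+)\\\.\.\\(Run\w*): \[([^\]]*)\] (.+)$')
# rundll32 loads the DLL named before the comma; the export name follows it.
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?([^",]+)"?\s*,', re.I)
# Unquoted commands may contain spaces, so cut at the first executable extension.
BARE_RE = re.compile(r'^(.+?\.(?:exe|com|bat|cmd|scr|dll))(?:\s|$)', re.I)


def target_of(command):
    """Return the file a startup command loads, or None if it cannot be parsed."""
    command = command.strip()
    m = RUNDLL_RE.match(command)
    if m:
        return m.group(1)
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else None
    m = BARE_RE.match(command)
    return m.group(1) if m else None


def orphaned_run_entries(log_text, exists=os.path.exists):
    """List (value name, target) for Run entries whose target file is missing."""
    orphans = []
    for line in log_text.splitlines():
        m = RUN_RE.match(line.strip())
        if not m:
            continue
        name, target = m.group(3), target_of(m.group(4))
        if target is None or not exists(target):
            orphans.append((name, target))
    return orphans


# The three Run lines quoted in the post above.
SAMPLE_LOG = r'''
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\fiobxsax.dll",setvm
'''
# Constructed stand-in for the disk: assume only these two files still exist.
ON_DISK = {r'c:\windows\updreg.exe',
           r'c:\program files\common files\microsoft shared\works shared\wkufind.exe'}

if __name__ == '__main__':
    print(orphaned_run_entries(SAMPLE_LOG, lambda p: p.lower() in ON_DISK))
```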

  6. #26
    Join Date
    Apr 2007
    Posts
    27
    Okay that error is gone, thanks for the help. But I think I might have another problem.. there is a hidden folder in my C: drive called Uploads and it's directly in it, C:\Uploads. Inside of it are 15,000 zip folders all named after popular programs/games and other stuff..and they are all just 1 KB. Is this something to just delete or is there something else I need to do?

  7. #27
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Ok, this appears to be a worm.
    WORM_VB.AQ
    This worm also drops the nonmalicious file BSZIP.DLL. It uses the said file to drop its compressed copy, A.ZIP, using ZIP compression.
    This worm creates UPLOADS folder in the root directory, which is usually C:/. It then drops several .ZIP copies of itself using file names of known applications in the created folder.
    Go here Trend Micro HouseCall

    Do their online scan and see if it will fix.
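
Added example, not part of the original thread: a Python triage check for the folder pattern described in posts #26 and #27 (thousands of tiny .zip files with different names). It profiles a folder and flags it when the archives are small and nearly all byte-identical; the thresholds and the sample builder are assumptions made for this example.

```python
import hashlib
import os
import tempfile
from collections import Counter


def summarize_zip_folder(folder, min_files=50, max_size=4096):
    """Profile the .zip files directly inside `folder` (no recursion)."""
    sizes, digests = [], Counter()
    with os.scandir(folder) as entries:
        for entry in entries:
            if not entry.is_file(follow_symlinks=False):
                continue
            if not entry.name.lower().endswith('.zip'):
                continue
            sizes.append(entry.stat(follow_symlinks=False).st_size)
            # Only the first max_size+1 bytes are hashed; larger files fail
            # the size test below anyway, so this keeps the scan cheap.
            with open(entry.path, 'rb') as fh:
                digests[hashlib.sha256(fh.read(max_size + 1)).hexdigest()] += 1
    total = len(sizes)
    largest = max(sizes, default=0)
    top = digests.most_common(1)[0][1] if digests else 0
    return {
        'zip_count': total,
        'distinct_contents': len(digests),
        'largest_bytes': largest,
        # Many small archives, nearly all identical under different names.
        'looks_like_mass_drop': (total >= min_files
                                 and largest <= max_size
                                 and top >= 0.9 * total),
    }


def build_constructed_sample(folder, count=60):
    """Constructed test data: `count` identical tiny files, different names."""
    for i in range(count):
        with open(os.path.join(folder, 'program_%03d.zip' % i), 'wb') as fh:
            fh.write(b'PK\x05\x06' + bytes(18))  # empty-archive record, 22 bytes


if __name__ == '__main__':
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_sample(tmp)
        print(summarize_zip_folder(tmp))
```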

  8. #28
    Join Date
    Apr 2007
    Posts
    27
    Sorry for not posting a reply. I haven't been able to get to the computer at all this week. It seems my brother has downloaded some "game" or something... and unleashed a bunch more spyware on my computer. I tried using Trend Micro HouseCall but it froze during the cleaning process, and then caused Internet Explorer to crash. Should I try it again? And should I start the whole cleaning process over again now?

  9. #29
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    I would begin it all again using PP's link...sorry, but it wasn't clean to begin with and now you figure there is more. So let's start over with the steps in the link, post the requested logs and we will see where things stand.
    Judy

  10. #30
    Join Date
    Apr 2007
    Posts
    27
    Okay, I followed the sticky again. Windows Defender wasn't able to delete anything that it found, I let it run overnight trying to remove the things.. but it didn't make any progress. AVG did delete a few things. My newest log is attached.
    Attached Files
