Author Topic: [Inactive] Can You Help with Spambot Removal?  (Read 2249 times)


Offline joshhemming

  • Bronze Member
  • Posts: 13
[Inactive] Can You Help with Spambot Removal?
« on: May 11, 2012, 11:50:45 AM »
I know you guys and girls are great in helping people remove actual viruses, and I hope you can help me with a new problem:

A few days ago I received an email in my Yahoo Inbox from a friend which only said "hi" in the subject line.  The body just said

"this is crazy check this out hxxp://www.tenews15.net/biz/?news=0721683"

Since I recognized my friend's email address and assumed it was safe, I clicked on the link, and it took me to some web page reporting on Work-at-Home ideas.  The next day, two other friends emailed me, saying they had received the same email from ME, which I didn't send.  

I had my free AVG do a whole-computer scan and it found no threats.  Is there any program I can run to get rid of the Spambot (if that's what I actually HAVE)?  I'm using Windows 7, IE, and a Dell Inspiron desktop.  

« Last Edit: May 14, 2012, 11:09:41 AM by Hoov »



Offline Hoov

  • Malware Removal Mentors
  • Global Moderator
  • Diamond Member
  • Posts: 22698
  • Unwilling part owner of Gov't. Motors and Chrysler
    • Hoov's Personal Site
Re: Can You Help with Spambot Removal?
« Reply #1 on: May 11, 2012, 02:09:49 PM »
Chances are fairly good that you do not have a spambot on your computer. Unless your internet connection is really slow lately.

Do you still have the e-mail that was sent to you? Can you get the e-mail that was sent to your friends? Not just the content, but I need the entire header (the part not normally seen). If everyone still has it, and you let me know which e-mail clients they are using, I can give you instructions on how to get me the headers so we can tell what the problem is.

Consumer Security

If I am helping you and you don't hear from me for 24Hrs, send me a PM Please!

Offline joshhemming

  • Bronze Member
  • Posts: 13
Re: Can You Help with Spambot Removal?
« Reply #2 on: May 11, 2012, 04:26:32 PM »
This is the one I received from my friend (Dave), which I believe infected my Yahoo email:

Hello   Wednesday, May 9, 2012 12:25 PM
From Dave Dudkiewicz Wed May 9 11:25:23 2012
X-Apparently-To:   ***Removed e-mail address - Hoov *** via 98.136.164.230; Wed, 09 May 2012 11:25:24 -0700
Return-Path:   <***Removed e-mail address - Hoov ***>
Received-SPF:   none (domain of yahoo.com does not designate permitted sender hosts)
X-YMailISG:   4R33jgsWLDsVXeT45gtjT3_dWwonYvWfnaZXIcsNmHZEzqo2 .bkYqhAxc2dPYdBCaqHuShrUuVK.DI.pTuMmTIa7w9yz4VU1E.Rwc7WYxT8. Y_bkwpRnudVCvo7LkQUwV5DyLpP7nOLIIUy7SWhxco4mCns4psuQDWgEP9CK MHFLJP32pdO0TLGctYSmkwf199Yc6bXgrIsMBdZ1LuUw2WJHApno7Ew9q65G uoEWOZLnRv2Any6JU929NA.bd96zQsT26zH4GXR39glcntKaeT_KAjSsRxZu _T.V7pht5EGhi3SyTgA6vdx7zNLmsKv_tR3M80E7G9hy9MfOBIZgqv6ZxFg4 J6sppTQAvcXR_wfeznS2kI.HxqQxNDUm8HwLqGjLBWsBmtbjvt34wQbGNCE9 sg3Zd4gNfQLgrPJjt3nwDBXqV_vCMW2WrNXV5RNUkm43E0WnFKU6FsuuACz4 0oLKCy7Qe0ug4bi7f05hWfyuIw14BL5flQ.1zjw2LtpGPQqtSfc.5P7urkwU ik8pGCIcUIsOIsThu.avgXBvrlvBs8yfvymlkL1yl_CpSSBCAzEZOLAXUmiC GbCDSWPjmJ4xCFKU218UvxlUMt8xgsp1vbbpSnKnyL6SlXUlIsVMutD1WSET EpM0r72xwi0DieO_45Sw3tv180MAxRlX.Y2tajqHUuL7GE164VVcCS_A0hQS bBbhzgH11WJ5Gp8HpDTp7iWVCcH8BJi0tzWUpGagnHK.LwQZLRjnK_QdqinI bZmCIEyhiEtv6qfqTHSGrIMdMAJLFggZdDHJ4WvBABNKNUJGUXz99xf5vRXc kTNvsv0yu827j1bEUopJgnb26053olePuQZGPVotKOOmpDVrmCGDBl7I9XCW ooFtpYQ8ehh3hYCb.ovbYqTx5lrEDdghtLssm0c04deoOKrBURKDXbb.mIoi 0RFA_jNm3DJzSxvo3bzOv737290wAFIAnX7VRu2uu.Rhn0t3MYghsqR3llj4 nbXZxcjZB7kZFh2e5uP154NIizuXmdMn4ueBLIt9cjp0Orfcs_Bysb5bJDST N6r.o_t7vPw.1wnLVK3iK9RRujGHo9cIN8uXn65PRLP4CxCsJgQq97rMYvhc Ar59pOfo
X-Originating-IP:   [98.139.91.198]
Authentication-Results:   mta1137.mail.sk1.yahoo.com from=yahoo.com; domainkeys=pass (ok); from=yahoo.com; dkim=pass (ok)
Received:   from 127.0.0.1 (HELO nm10-vm0.bullet.mail.sp2.yahoo.com) (98.139.91.198) by mta1137.mail.sk1.yahoo.com with SMTP; Wed, 09 May 2012 11:25:23 -0700
Received:   from [72.30.22.79] by nm10.bullet.mail.sp2.yahoo.com with NNFMP; 09 May 2012 18:25:23 -0000
Received:   from [98.139.91.49] by tm13.bullet.mail.sp2.yahoo.com with NNFMP; 09 May 2012 18:25:23 -0000
Received:   from [127.0.0.1] by omp1049.mail.sp2.yahoo.com with NNFMP; 09 May 2012 18:25:23 -0000
X-Yahoo-Newman-Property:   ymail-3
X-Yahoo-Newman-Id:   826985.63713.bm@omp1049.mail.sp2.yahoo.com
Received:   (qmail 16642 invoked by uid 60001); 9 May 2012 18:25:23 -0000
DKIM-Signature:   v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1336587923; bh=K6sFUnjLo7NPJMaeBrWyRH03+o8F4QokaDlBvmLsJv8=; h=X-YMail-OSG:Received:X-Mailer:Message-ID:Date:From:Subject:To:MIME-Version:Content-Type; b=a1WxZVgH5fwtJ1jlmdGl2LrsiG/Gj6Yy0Z6lx1ogw61z+dALhoqNgWKJecv90EPw7OxjJbtTGuPE1gI4S8tgMUdjp+j/a5CT0PhYKBLDXbSMvOjFdY5vMPuh23q8S4FMAkkasz61U2Ne5O1mCsuVYSCQhBevTokcqfTvFDyhZb0=
DomainKey-Signature:   a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=X-YMail-OSG:Received:X-Mailer:Message-ID:Date:From:Subject:To:MIME-Version:Content-Type; b=VsCUylIX3T1BT024Jg2mKCc/I1Sk5DByCpEmuO9bozb688C3kXSZ6BVLEL8ICJL50Sx7aZdBkNuxw1ZAM1S6vxuaZPV2K3FHiNoTcVnQFFHxOhZR9JIOXXumxazX9cVQ0yubOLUqu5G57DWVmkaWoCdpwbp65/1/9aJuRAgtmeQ=;
X-YMail-OSG:   .PIC82cVM1mBGe_srU..mY6.f2yacTIknaVMJENn6rmhEil j1Lped4kMBSY_mJFBa30g.yTuAXB0NFZ3RqQJgsNpJVIzPntgHDcDAUyI2v2 5xE6BS06BjKEX.9405zAvQjg_ymQXKXf6y1rUgIncQoOlk3XceeVj6DaA6AT 58VDe15OdoKiQZBM6GMItLbI212k3VeZ5e_l.I.SNS3x3F2ek31L8Jd9hev0 RWfRimYB_H1Rp2bErEEaOLQ8coUcqbrlmovPyu4IlYl6CIo72pCVPidlZsuy Erd9HU1ta0CdzER5eST8kkFtuecnw6Mx0FytQKLLh.93K6fsXswAaxgfts_6 qZH5gbMCfd.w07C9mzKm1bXupBLyUOzSY0dUaliNurbPeObPXi..1AQVfoM8 bm4zHwxo7BzcQ6XmSuHZR.tznRdDExGtLc7ZCpkwe1X5MdI_SJSWUKhx_R3Z rxqwS.0GNnl0rtBHgmuK7hpwx0FV.wtB7d7iS9UNigcufEvq2Z7pIY5uIa3G nDcf93sLzBcEeG2Ey415xuA--
Received:   from [109.226.50.29] by web111508.mail.gq1.yahoo.com via HTTP; Wed, 09 May 2012 11:25:23 PDT
X-Mailer:   YahooMailWebService/0.8.118.349524
Message-ID:   <1336587923.11585.BPMail_high_noncarrier@web111508.mail.gq1.yahoo.com>
Date:   Wed, 9 May 2012 11:25:23 -0700 (PDT)
From:   Dave Dudkiewicz <***Removed e-mail address - Hoov ***>
Subject:   Hello
To:   ***Removed e-mail address - Hoov ***
MIME-Version:   1.0
Content-Type:   text/plain; charset=us-ascii
Content-Length:   77


***********************************************************************************

This is the one another friend (Robert) says he received from ME the following day... at least it's the header of what he emailed me back.  He is using MSN Email:

RE: hi   Thursday, May 10, 2012 11:31 PM
From ROBERT and - or HILDA APLIN Thu May 10 22:31:36 2012
X-Apparently-To:   ***Removed e-mail address - Hoov *** via 98.136.164.225; Thu, 10 May 2012 22:31:37 -0700
Return-Path:   <***Removed e-mail address - Hoov ***>
Received-SPF:   pass (domain of msn.com designates 65.55.116.88 as permitted sender)
X-YMailISG:   fIxeivkWLDvyrYwNDVLXR3XacCZnm4WmU.SPeh.sLSQ9Wt_5 YqX.i7Pi93pz8dXfxq_1LILfQGO7D3cyx95ysGxdbnfs5ZfbQJd88WmdnU7U Lohv5mPS6k9zw8htwOHo4_UYFI29T8C3I05.nFsZVQ1gnJHZYg_1YVFSL181 6z5_Iz0NzJvSYFOFadSZJmrKsA8Wfedlk.SyB_I6EfpZqRb_fQWyyt5q78IL ZkPsq.FOlCAejjN_4Pz1sG4WFcXwSxQXrNDzCfNrATOeV71qUHTFo23QpaRM 3xT562WI02keR2zHkcSIx2JlEveodq7aRfgVVqnwoNH9Aoki1.xedVF0Kx_Z n0qBfS1hFU9.q6qkoRCJV_umjrEI.bcIkTQeCgHjvM2IO8DbHlU.q3AhvvGT sMPtydTYaHvdNqsg9BPgB0QLfpM1zKx8PNmY2WmlfCu93sVAMivhFlzfV4Ex mnWjctSm0_5u4vAXc7WDmvay2f3ZWeeBKfQgO9J_X0h8jzfY0M8dRCXe1Enj 8GuYfsr4abpTiFLsUyb6ktoaGFIrrwcsiIcsrhCCIuOhQTEjqS34dYe_OkSp 07RzHNFdcTRml562eRqNDshSA_ZP_1TmYqKqAtDAzLRqep_QOCJ6ij8gJTpL offtUH9WIHRGoljEefq.cWm_hS1i.WH.5KNz73HMWykrAdsyf6iYJooanOYz UuMxsqkr32_oAMCEj_nwTkwupYAkudcydBkkvaokaUCC280dVv_FwA4B2_aj 3uklnAUMtMjUZqJ3S7fZMifyZKMhvqGRfs34Q4TwrzRLb2S0Ocbowlt7JBGm x_nFVCx4Qj9BsfHjJip1Nva_nwJAmYw_jXQZyNZoWxKTfIhggnXjEi70DHJF qRGG2Dd1hADunqIdDk.5UpaXRDkIxyQfthYSTBIXJ5SCBuSsScdcMHF6FuzI QHzPFuomGLD0HH.T3LE5SU3M_XKe9oYsiHQHTgF8dUr7YJUVgr8NuwFK.Dmd duuhOJ4GDuWiDDynB7ZBeQr.55c5DHQo9W0p37AOv.vUbwP1T1aQ1uA341YO XV8_MeUzenmnGU0wEXnti4oJYgVyjMWcK49CiO95DuoFQloECuOiqsVhprZo P9dR7iX5CcHI86eZ1481lUDK5NEsuqQrxlRCanbRXITVu45m9TeplIrNLunR AVnVu4sTIXFvICVW5qa84JjMRbzXTQ--
X-Originating-IP:   [65.55.116.88]
Authentication-Results:   mta1073.mail.sp2.yahoo.com from=msn.com; domainkeys=neutral (no sig); from=msn.com; dkim=neutral (no sig)
Received:   from 127.0.0.1 (EHLO blu0-omc3-s13.blu0.hotmail.com) (65.55.116.88) by mta1073.mail.sp2.yahoo.com with SMTP; Thu, 10 May 2012 22:31:37 -0700
Received:   from BLU169-W23 ([65.55.116.73]) by blu0-omc3-s13.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675); Thu, 10 May 2012 22:31:36 -0700
Message-ID:   <BLU169-W23C2349186B934E3164AF2BD170@phx.gbl>
Return-Path:   ***Removed e-mail address - Hoov ***
Content-Type:   multipart/alternative; boundary="_5cc0fb21-259a-4182-a4d0-b63a6885513f_"
X-Originating-IP:   [71.210.251.105]
From:   ROBERT and - or HILDA APLIN <***Removed e-mail address - Hoov ***>
To:   Larry Carnes <***Removed e-mail address - Hoov ***>
Subject:   RE: hi
Date:   Thu, 10 May 2012 23:31:36 -0600
Importance:   Normal
In-Reply-To:   <1336699959.73749.BPMail_high_noncarrier@web112710.mail.gq1.yahoo.com>
References:   <1336699959.73749.BPMail_high_noncarrier@web112710.mail.gq1.yahoo.com>
MIME-Version:   1.0
X-OriginalArrivalTime:   11 May 2012 05:31:36.0759 (UTC) FILETIME=[557D3C70:01CD2F37]
Content-Length:   1136

Are you doing this????????

 

> Date: Thu, 10 May 2012 18:32:39 -0700
> From:***Removed e-mail address - Hoov ***
> Subject: hi
> To: ***Removed e-mail address - Hoov ***
>
>
> this is crazy check this out hxxp://www.tenews15.net/biz/?news=0721683

 


« Last Edit: May 11, 2012, 05:49:27 PM by Hoov »

Offline Hoov

  • Malware Removal Mentors
  • Global Moderator
  • Diamond Member
  • Posts: 22698
  • Unwilling part owner of Gov't. Motors and Chrysler
    • Hoov's Personal Site
Re: Can You Help with Spambot Removal?
« Reply #3 on: May 11, 2012, 05:59:51 PM »
Just so that you know, I edited out the e-mail addresses and broke the link in the e-mail. I was going to have you do that, which is why I only asked if they were available. After looking at the headers, there is something hinky about them. We need to run some scans to make sure you are clean.

I am going to send you a private message with some e-mail addresses. Let me know if you know them.


Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
    • Then click Finish.
    MBAM will automatically start and you will be asked to update the program before performing a scan.
    • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
    • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
    On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
    • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
    • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
    • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
    • Click OK to close the message box and continue with the removal process.
    Back at the main Scanner screen:
    • Click on the Show Results button to see a list of any malware that was found.
    • Make sure that everything is checked, and click Remove Selected.
    • When removal is completed, a log report will open in Notepad.
    • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
    • Exit MBAM when done.
    Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


Also please run a DDS scan using these instructions.

We need to see some information about what is happening in your machine.  Please perform the following scan:
  • Download DDS by sUBs from one of the following links.  Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool.  No input is needed, the scan is running.
  • Notepad will open with the results.
  • Please copy and paste both logs into your next response. You may need more than one response.
  • Close the program window, and delete the program from your desktop.
Please note:  You may have to disable any script protection running if the scan fails to run.  After downloading the tool, disconnect from the internet and disable all antivirus protection.  Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

Consumer Security

If I am helping you and you don't hear from me for 24Hrs, send me a PM Please!

Offline joshhemming

  • Bronze Member
  • Posts: 13
Re: [In Progress] Can You Help with Spambot Removal?
« Reply #4 on: May 14, 2012, 10:08:41 AM »
    Malwarebytes Anti-Malware 1.61.0.1400
    www.malwarebytes.org

    Database version: v2012.05.14.04

    Windows 7 x64 NTFS
    Internet Explorer 9.0.8112.16421
    Larry :: LARRY-PC [administrator]

    5/14/2012 9:51:05 AM
    mbam-log-2012-05-14 (09-51-05).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 203164
    Time elapsed: 3 minute(s), 41 second(s)

    Memory Processes Detected: 1
    C:\Windows\svchost.exe (Trojan.Agent) -> 1000 -> Delete on reboot.

    Memory Modules Detected: 1
    C:\Program Files (x86)\I Want This\I Want This.dll (Adware.GamePlayLabs) -> Delete on reboot.

    Registry Keys Detected: 33
    HKCR\CLSID\{11111111-1111-1111-1111-110011221158} (Adware.GamePlayLabs) -> Quarantined and deleted successfully.
    HKCR\TypeLib\{44444444-4444-4444-4444-440044224458} (Adware.GamePlayLabs) -> Quarantined and deleted successfully.
    HKCR\Interface\{55555555-5555-5555-5555-550055225558} (Adware.GamePlayLabs) -> Quarantined and deleted successfully.
    HKCR\CrossriderApp0002258.BHO.1 (Adware.GamePlayLabs) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110011221158} (Adware.GamePlayLabs) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{11111111-1111-1111-1111-110011221158} (Adware.GamePlayLabs) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{11111111-1111-1111-1111-110011221158} (Adware.GamePlayLabs) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{11111111-1111-1111-1111-110011221158} (Adware.GamePlayLabs) -> Quarantined and deleted successfully.
    HKCR\CLSID\{22222222-2222-2222-2222-220022222258} (Adware.GamePlayLab) -> Quarantined and deleted successfully.
    HKCR\CrossriderApp0002258.Sandbox.1 (Adware.GamePlayLab) -> Quarantined and deleted successfully.
    HKCR\CrossriderApp0002258.Sandbox (Adware.GamePlayLab) -> Quarantined and deleted successfully.
    HKCR\CLSID\{33333333-3333-3333-3333-330033223358} (Adware.GamePlayLab) -> Quarantined and deleted successfully.
    HKCR\CrossriderApp0002258.FBApi.1 (Adware.GamePlayLab) -> Quarantined and deleted successfully.
    HKCR\CrossriderApp0002258.FBApi (Adware.GamePlayLab) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{65bcd620-07dd-012f-819f-073cf1b8f7c6} (Adware.GamePlayLab) -> Quarantined and deleted successfully.
    HKCR\CrossriderApp0002258.BHO (Adware.GamePlayLab) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\I Want This (Adware.GamePlayLab) -> Quarantined and deleted successfully.
    HKCR\CrossriderApp0002258.BHO (PUP.CrossFire.Gen) -> Quarantined and deleted successfully.
    HKCR\CrossriderApp0002258.BHO.1 (PUP.CrossFire.Gen) -> Quarantined and deleted successfully.
    HKCR\CrossriderApp0002258.FBApi (PUP.CrossFire.Gen) -> Quarantined and deleted successfully.
    HKCR\CrossriderApp0002258.FBApi.1 (PUP.CrossFire.Gen) -> Quarantined and deleted successfully.
    HKCR\CrossriderApp0002258.Sandbox (PUP.CrossFire.Gen) -> Quarantined and deleted successfully.
    HKCR\CrossriderApp0002258.Sandbox.1 (PUP.CrossFire.Gen) -> Quarantined and deleted successfully.
    HKCU\Software\Cr_Installer\2258 (Adware.GamePlayLab) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Google\Chrome\Extensions\mpfapcdfbbledbojijcbcclmlieaoogk (PUP.GamesPlayLab) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\mpfapcdfbbledbojijcbcclmlieaoogk (PUP.GamesPlayLab) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110011221158} (PUP.GamePlayLab) -> Quarantined and deleted successfully.
    HKCR\CLSID\{11111111-1111-1111-1111-110011221158} (PUP.GamePlayLab) -> Quarantined and deleted successfully.
    HKCR\TypeLib\{44444444-4444-4444-4444-440044224458} (PUP.GamePlayLab) -> Quarantined and deleted successfully.
    HKCR\Interface\{55555555-5555-5555-5555-550055225558} (PUP.GamePlayLab) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{11111111-1111-1111-1111-110011221158} (PUP.GamePlayLab) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{11111111-1111-1111-1111-110011221158} (PUP.GamePlayLab) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{11111111-1111-1111-1111-110011221158} (PUP.GamePlayLab) -> Quarantined and deleted successfully.

    Registry Values Detected: 1
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\I Want This|Publisher (Adware.GamePlayLab) -> Data: 215 Apps -> Quarantined and deleted successfully.

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 5
    C:\Program Files (x86)\I Want This (Adware.GamePlayLab) -> Delete on reboot.
    C:\Users\Larry\Local Settings\Application Data\I Want This (Adware.GamePlayLab) -> Quarantined and deleted successfully.
    C:\Users\Larry\Local Settings\Application Data\I Want This\Chrome (Adware.GamePlayLab) -> Quarantined and deleted successfully.
    C:\Users\Larry\AppData\Local\I Want This (Adware.GamePlayLab) -> Quarantined and deleted successfully.
    C:\Users\Larry\AppData\Local\I Want This\Chrome (Adware.GamePlayLab) -> Quarantined and deleted successfully.

    Files Detected: 15
    C:\Program Files (x86)\I Want This\I Want This.dll (Adware.GamePlayLabs) -> Delete on reboot.
    C:\Users\Larry\AppData\Local\Temp\air3BB9.exe (Adware.GamePlayLabs) -> Quarantined and deleted successfully.
    C:\Users\Larry\Local Settings\Temporary Internet Files\Content.IE5\EX3ET1GM\IWantThis_new[1].exe (Adware.GamePlayLabs) -> Quarantined and deleted successfully.
    C:\Windows\svchost.exe (Trojan.Agent) -> Delete on reboot.
    C:\Windows\Temp\0.5693964449779043 (Exploit.Drop.9) -> Quarantined and deleted successfully.
    C:\Windows\Temp\ms0cfg32.exe (Exploit.Drop.CFG) -> Quarantined and deleted successfully.
    C:\Program Files (x86)\I Want This\I Want This.ini (Adware.GamePlayLab) -> Quarantined and deleted successfully.
    C:\Program Files (x86)\I Want This\I Want This.exe (Adware.GamePlayLab) -> Quarantined and deleted successfully.
    C:\Program Files (x86)\I Want This\I Want This.ico (Adware.GamePlayLab) -> Quarantined and deleted successfully.
    C:\Program Files (x86)\I Want This\I Want ThisGui.exe (Adware.GamePlayLab) -> Quarantined and deleted successfully.
    C:\Program Files (x86)\I Want This\I Want ThisInstaller.log (Adware.GamePlayLab) -> Quarantined and deleted successfully.
    C:\Program Files (x86)\I Want This\Uninstall.exe (Adware.GamePlayLab) -> Quarantined and deleted successfully.
    C:\Users\Larry\Local Settings\Application Data\I Want This\Chrome\I Want This.crx (Adware.GamePlayLab) -> Quarantined and deleted successfully.
    C:\Users\Larry\AppData\Local\I Want This\Chrome\I Want This.crx (Adware.GamePlayLab) -> Quarantined and deleted successfully.
    C:\Program Files (x86)\I Want This\I Want This.dll (PUP.GamePlayLab) -> Delete on reboot.

    (end)
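The log above is the kind of report this thread asks to have posted in full, and the first thing a helper does with it is triage: check that the paste is complete, see what classes of detection are present, and note which items are still waiting on a reboot. The following Python script is an added example, not code from the thread or from Malwarebytes' own tooling. It parses the MBAM detection lines, compares the entries found under each section against that section's declared "Detected: N" count (a truncated paste shows up as a mismatch), tallies detections by family class, lists the items still pending a reboot, and flags files that carry a core system binary's name outside System32/SysWOW64 (the C:\Windows\svchost.exe entry above). The sample log is a constructed, trimmed subset of the posted one, and the list of system-only binary names is an assumption of this example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a trimmed subset of the MBAM log posted in this thread.
SAMPLE_LOG = r"""
Malwarebytes Anti-Malware 1.61.0.1400
Scan type: Quick scan

Memory Processes Detected: 1
C:\Windows\svchost.exe (Trojan.Agent) -> 1000 -> Delete on reboot.

Registry Keys Detected: 2
HKCR\CLSID\{11111111-1111-1111-1111-110011221158} (Adware.GamePlayLabs) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0002258.BHO.1 (PUP.CrossFire.Gen) -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Files Detected: 4
C:\Program Files (x86)\I Want This\I Want This.dll (Adware.GamePlayLabs) -> Delete on reboot.
C:\Windows\svchost.exe (Trojan.Agent) -> Delete on reboot.
C:\Windows\Temp\0.5693964449779043 (Exploit.Drop.9) -> Quarantined and deleted successfully.
C:\Windows\Temp\ms0cfg32.exe (Exploit.Drop.CFG) -> Quarantined and deleted successfully.

(end)
"""

SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+?) Detected: (?P<count>\d+)$")
ENTRY_RE = re.compile(
    r"^(?P<item>.+?) \((?P<family>[A-Za-z0-9_.]+)\) -> "
    r"(?:(?P<pid>\d+) -> )?(?P<action>.+?)\.?$"
)
# Binaries that legitimately live only under System32/SysWOW64 on Windows 7
# (assumed list for this example); the same name elsewhere is a masquerade signal.
SYSTEM_ONLY = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass
class Detection:
    section: str
    item: str
    family: str
    action: str
    pid: Optional[int] = None


def parse_mbam_log(text: str) -> List[Detection]:
    """Turn each '<item> (<family>) -> [<pid> ->] <action>.' line into a Detection,
    tagged with the 'Xxx Detected: N' section it appeared under."""
    section = "unknown"
    found: List[Detection] = []
    for raw in text.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group("section")
            continue
        ent = ENTRY_RE.match(line)
        if ent:
            pid = int(ent.group("pid")) if ent.group("pid") else None
            found.append(Detection(section, ent.group("item"), ent.group("family"),
                                   ent.group("action"), pid))
    return found


def counts_consistent(text: str) -> bool:
    """Every 'Detected: N' header must match the number of entries parsed under it;
    a mismatch usually means a truncated or hand-edited paste."""
    declared: Dict[str, int] = {}
    for raw in text.splitlines():
        m = SECTION_RE.match(raw.strip())
        if m:
            declared[m.group("section")] = int(m.group("count"))
    parsed = Counter(d.section for d in parse_mbam_log(text))
    return all(parsed.get(s, 0) == n for s, n in declared.items())


def masquerade_candidates(dets: List[Detection]) -> List[str]:
    """File paths whose basename is a core system binary but whose directory is not."""
    hits = []
    for d in dets:
        low = d.item.lower()
        name = low.rsplit("\\", 1)[-1]
        if name in SYSTEM_ONLY and not low.startswith(SYSTEM_DIRS):
            hits.append(d.item)
    return list(dict.fromkeys(hits))          # unique, first-seen order


def summarize(dets: List[Detection]) -> Dict[str, object]:
    """Counts per family class, items still pending a reboot, and masquerade hits."""
    by_class = Counter(d.family.split(".")[0] for d in dets)
    reboot = [d.item for d in dets if d.action == "Delete on reboot"]
    return {
        "by_class": dict(by_class),
        "reboot_pending": list(dict.fromkeys(reboot)),
        "masquerades": masquerade_candidates(dets),
    }


if __name__ == "__main__":
    dets = parse_mbam_log(SAMPLE_LOG)
    print("counts consistent:", counts_consistent(SAMPLE_LOG))
    for key, value in summarize(dets).items():
        print(f"{key}: {value}")
```

On the sample, the same svchost.exe path appears once as a running process and once as a file, so the class tally counts it twice; the reboot-pending list is de-duplicated by path because that is the list a helper wants to re-check after the restart the MBAM note asks for.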

Offline joshhemming

  • Bronze Member
  • Posts: 13
Re: [In Progress] Can You Help with Spambot Removal?
« Reply #5 on: May 14, 2012, 10:14:30 AM »
Was any of the things which the Malwarebytes scan removed causing my Yahoo email program to be hacked, and fake emails sent out from my account?  Here's the full header from one a friend received a couple of days ago.  Again, I'm ***Removed e-mail address - Hoov ***:

    Return-Path: <***Removed e-mail address - Hoov ***>
    Received: from nm14-vm0.bullet.mail.sp2.yahoo.com (nm14-vm0.bullet.mail.sp2.yahoo.com [98.139.91.246])
     by mtain-md04.r1000.mx.aol.com (Internet Inbound) with SMTP id 59C82380000A2
     for <***Removed e-mail address - Hoov ***>; Thu, 10 May 2012 21:32:40 -0400 (EDT)
    Received: from [98.139.91.64] by nm14.bullet.mail.sp2.yahoo.com with NNFMP; 11 May 2012 01:32:40 -0000
    Received: from [98.139.91.24] by tm4.bullet.mail.sp2.yahoo.com with NNFMP; 11 May 2012 01:32:40 -0000
    Received: from [127.0.0.1] by omp1024.mail.sp2.yahoo.com with NNFMP; 11 May 2012 01:32:40 -0000
    X-Yahoo-Newman-Property: ymail-3
    X-Yahoo-Newman-Id: 163229.24121.bm@omp1024.mail.sp2.yahoo.com
    Received: (qmail 81487 invoked by uid 60001); 11 May 2012 01:32:39 -0000
    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1336699959; bh=1zNSrbZFoDUsumAG3fwKweE+7TP6dEWASw1XxUpRTOE=; h=X-YMail-OSG:Received:X-Mailer:Message-ID:Date:From:Subject:To:MIME-Version:Content-Type; b=fX2PNSh136rhOc1jV2uQPgZ3NPWxO7EA0NSyt3RbKq9Z5oWxq7bTYpgs/B3lVqqPFQm5L4boYdmBPa20JfE8xwoJvmdI6izX2SdeTJO8iHKXwI19x4Dx1GGr9bAJtzkpfQqe+1TMIGS0DjxyEWTMw6Ha9DghMwxOjasAVgs0R7E=
    DomainKey-Signature:a=rsa-sha1; q=dns; c=nofws;
      s=s1024; d=yahoo.com;
      h=X-YMail-OSG:Received:X-Mailer:Message-ID:Date:From:Subject:To:MIME-Version:Content-Type;
      b=GGavw07z26s0VZflL80Ir8QB+qaKPDaGcu/y4IK/ESPxBFnL/IErnz/uIcrPp03ACTqMQnhknUeNZ1ZbaokUuLpFVvGi9kJ2evx96Cf4SmIFVMX+lSzNqbt9ySxeBJtXHAuIH+uu0KlenkBDgD0TxrRE8EK6Ld1Cp0kJ10vcIUg=;
    X-YMail-OSG: OFq09PcVM1kCGgorOFYgP0kgsWheZp6lyE1HkBZ1zSlFww7
     5QIb0UMK.ZrpbBh9EUGlH7zEUPr6BtPgKgirBQyggkR5nDG6zBaGiOUMxnpb
     9fGHskFKm4bajZkpBuGHhVzdMzVlabAddsPp02v8nHizlDyBBKpM2ajPT9Go
     O28aR2UCXULNQ7BzCSMFA0AtoWwPa0gTYRI0_EgYlk8K_rjIwNsrLy2YmE84
     2QLlLdRNTQeCbaAEHj05Ln7Rgccw1thu0rjQ9dpgn2kcz.swk26OqFPE6W3z
     2ipaeYAVlNDNADjtn7zG9tv2jQgd7affuHsbuiWsQhdw154hH9DySaNWVLXd
     YyzF5MOG_fjWXhDeIZ8WfCcMhMB6XrWLA0TQBOQLcjl4n33OKiSffiW8HfA0
     Ae9pEFlDXIXWv70vFbqPTw8VLZaX0oE7XlWl.trS9eu7v_Y118r3xvK5k83c
     Z2jv7V_cz1AC4.kQmKDaeMXPpMSbIMJZ5mB7vg4gbg4enccO1RuZxsnVLrzL
     jQK5_c1FZSTYCG70HInt712.mjNiGC0BXSzW8mGg1
    Received: from [189.173.0.101] by web112710.mail.gq1.yahoo.com via HTTP; Thu, 10 May 2012 18:32:39 PDT
    X-Mailer: YahooMailWebService/0.8.118.349524
    Message-ID: <1336699959.73749.BPMail_high_noncarrier@web112710.mail.gq1.yahoo.com>
    Date: Thu, 10 May 2012 18:32:39 -0700 (PDT)
    From: "L. C." <***Removed e-mail address - Hoov ***>
    Subject: hi
    To: ***Removed e-mail address - Hoov ***
    MIME-Version: 1.0
    Content-Type: text/plain; charset=us-ascii
    x-aol-global-disposition: S
    X-AOL-REROUTE: YES
    x-aol-sid: 3039ac1d60584fac6c382698
    X-AOL-IP: 98.139.91.246
    X-AOL-SPF: domain : yahoo.com SPF : none

     
« Last Edit: May 14, 2012, 10:58:13 AM by Hoov »
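The full header in this reply is the kind of thing Hoov asked for in Reply #1, and the parts of it that can be read offline are the Received chain and the signature fields. The following Python script is an added example, not code from the thread or from any tool mentioned in it. It unfolds the header, walks the Received hops oldest-first (each relay prepends its own line, so header order is newest-first), marks which hops are the provider's own loopback or private relays, picks out the webmail ("via HTTP") submission hop with its client IP, and checks whether the DKIM d= domain matches the From: domain. The sample header is a constructed, trimmed copy of the one above with the redacted mailboxes replaced by REDACTED@... placeholders and the signature value replaced by PLACEHOLDER; those placeholders are assumptions of this example.

```python
import re
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample: the transport-relevant lines of the spoofed "hi" message
# header quoted in this thread, with redacted mailboxes replaced by placeholders.
SAMPLE_HEADER = """\
Return-Path: <REDACTED@yahoo.com>
Received: from nm14-vm0.bullet.mail.sp2.yahoo.com (nm14-vm0.bullet.mail.sp2.yahoo.com [98.139.91.246])
 by mtain-md04.r1000.mx.aol.com (Internet Inbound) with SMTP id 59C82380000A2
 for <REDACTED@aol.com>; Thu, 10 May 2012 21:32:40 -0400 (EDT)
Received: from [98.139.91.64] by nm14.bullet.mail.sp2.yahoo.com with NNFMP; 11 May 2012 01:32:40 -0000
Received: from [98.139.91.24] by tm4.bullet.mail.sp2.yahoo.com with NNFMP; 11 May 2012 01:32:40 -0000
Received: from [127.0.0.1] by omp1024.mail.sp2.yahoo.com with NNFMP; 11 May 2012 01:32:40 -0000
Received: (qmail 81487 invoked by uid 60001); 11 May 2012 01:32:39 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024;
 h=X-YMail-OSG:Received:X-Mailer:Message-ID:Date:From:Subject:To:MIME-Version:Content-Type;
 b=PLACEHOLDER
Received: from [189.173.0.101] by web112710.mail.gq1.yahoo.com via HTTP; Thu, 10 May 2012 18:32:39 PDT
X-Mailer: YahooMailWebService/0.8.118.349524
Message-ID: <1336699959.73749.BPMail_high_noncarrier@web112710.mail.gq1.yahoo.com>
Date: Thu, 10 May 2012 18:32:39 -0700 (PDT)
From: "L. C." <REDACTED@yahoo.com>
Subject: hi
To: REDACTED@aol.com
X-AOL-SPF: domain : yahoo.com SPF : none
"""

Header = Tuple[str, str]


def parse_headers(raw: str) -> List[Header]:
    """Unfold RFC 5322 header lines; keep order and duplicates (Received repeats)."""
    fields: List[Header] = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and fields:        # folded continuation of previous field
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            fields.append((name.strip().lower(), value.strip()))
    return fields


RECEIVED_RE = re.compile(
    r"\bfrom\s+(?P<frm>.+?)\s+by\s+(?P<by>\S+)"
    r"(?:.*?\s(?:with|via)\s+(?P<proto>[A-Za-z0-9]+))?"
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_chain(headers: List[Header]) -> List[Dict[str, Optional[str]]]:
    """Return hops oldest-first. Each MTA prepends its Received line, so header
    order is newest-first and is reversed here to follow the message's path."""
    hops = []
    for name, value in headers:
        if name != "received":
            continue
        m = RECEIVED_RE.search(value)
        if not m:                               # e.g. the local qmail injection line
            continue
        ip = IP_RE.search(m.group("frm"))
        hops.append({
            "ip": ip.group(1) if ip else None,
            "from": m.group("frm"),
            "by": m.group("by"),
            "proto": m.group("proto"),
        })
    hops.reverse()
    return hops


def webmail_origin(headers: List[Header]) -> Optional[str]:
    """Client IP of the earliest hop that was a webmail (HTTP) submission, if any."""
    for hop in received_chain(headers):
        if hop["proto"] and hop["proto"].upper() == "HTTP" and hop["ip"]:
            return hop["ip"]
    return None


def is_internal(ip: str) -> bool:
    """Loopback/private hops are the provider's own relays, not the submitter."""
    return ipaddress.ip_address(ip).is_private


def dkim_aligned(headers: List[Header]) -> bool:
    """True when the DKIM d= domain matches the From: domain (DMARC-style alignment)."""
    sig = next((v for n, v in headers if n == "dkim-signature"), "")
    frm = next((v for n, v in headers if n == "from"), "")
    d = re.search(r"\bd=([^;\s]+)", sig)
    f = re.search(r"@([A-Za-z0-9.-]+)", frm)
    return bool(d and f and d.group(1).lower() == f.group(1).lower())


if __name__ == "__main__":
    hdrs = parse_headers(SAMPLE_HEADER)
    for i, hop in enumerate(received_chain(hdrs)):
        tag = "internal" if hop["ip"] and is_internal(hop["ip"]) else "external"
        print(f"hop {i}: {hop['ip']} -> {hop['by']} via {hop['proto']} [{tag}]")
    print("webmail submission from:", webmail_origin(hdrs))
    print("DKIM aligned with From:", dkim_aligned(hdrs))
```

On this header the earliest hop is a webmail submission from 189.173.0.101 into web112710.mail.gq1.yahoo.com, and the DKIM signature is aligned with the From: domain, so the message was signed by Yahoo after being submitted through the account's own webmail session rather than having its From: forged elsewhere. That is as far as the header alone goes; the client IP is a data point to keep for an abuse report or account-security review, and the corresponding mitigation is to change the account password and review the account's recent sign-in activity.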

Offline Hoov

  • Malware Removal Mentors
  • Global Moderator
  • Diamond Member
  • Posts: 22698
  • Unwilling part owner of Gov't. Motors and Chrysler
    • Hoov's Personal Site
Re: [In Progress] Can You Help with Spambot Removal?
« Reply #6 on: May 14, 2012, 11:12:53 AM »
First, if you post any more headers, please strip out the private e-mail addresses. Posting e-mail addresses in public is one sure way to get spam. I don't much care if you post your own e-mail address, as it will be your own fault, but I doubt if your friends would like more spam. Also, I really don't need any more headers. As they and you are both using the yahoo servers, there is no way to tell exactly where they came from, without yahoo's cooperation or a search warrant.

Could Malwarebytes' Anti-Malware have removed the problem that caused your e-mail to be spammed from? Possibly. But more likely it just harvested the e-mail addresses. The spam is going thru the yahoo servers so it is fairly impossible to tell if the problem is a utility on your computer doing the spamming, or if it just harvested your e-mail address book and is doing the spamming from outside your computer. You did have a lot of junk on your computer: 2 Trojans and 2 exploits. Between them they can do just about anything. You have lots of PUPs (potentially unwanted programs) and adware. Chances are none of them are responsible, but they could have evolved since last investigated.

I have been doing some research into the emails, and it appears the exploit is JavaScript based, so I would like you to clear your Java cache and then your other browser caches using the two sets of instructions below.

Your scan showed one or more viruses in your Sun Java Runtime Environment (JRE) cache. Delete those by clearing the JRE cache. To clear the Java Runtime Environment (JRE) cache:
  • Click Start > Control Panel.
  • Double-click the Java icon in the control panel. The Java Control Panel appears.
  • Click Settings under Temporary Internet Files. The Temporary Files Settings dialog box appears.
  • Click Delete Files. The Delete Temporary Files dialog box appears. There are three options on this window to clear the cache:
    • Delete Files
    • View Applications
    • View Applets
  • Click OK on the Delete Temporary Files window. Note: this deletes all the downloaded applications and applets from the cache.
  • Click OK on the Temporary Files Settings window.
  • Close the Java Control Panel.
You can view those instructions along with graphics Here



1. Download and scan with CCleaner
When you get to the website, there is a dark grey box on the left side with two tabs along the top. Inside this dark grey box is a light grey box. Below that light grey box is where the download links are. The pay amount is for paid support.
2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours".
3. Then select the items you wish to clean up.
In the Windows tab:
  • Clean all entries in the "Internet Explorer" section except Cookies if you want to keep those.
  • Clean all the entries in the "Windows Explorer" section.
  • Clean all entries in the "System" section.
  • Clean all entries in the "Advanced" section.
  • Clean any others that you choose.
In the Applications tab:
  • Clean all except cookies in the Firefox/Mozilla section if you use it.
  • Clean all in the Opera section if you use it.
  • Clean Sun Java in the Internet section.
  • Clean any others that you choose.
4. Click the "Run Cleaner" button.
5. A pop-up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.




But since you did have a couple of Trojans, I would like you to run a ComboFix scan.

* Anyone other than the originator of this thread, you would be best advised to not run ComboFix without guidance from someone trained in its use. It is a very powerful tool that can cause damage to your computer if used wrong.

Run ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. Also make sure you close all your browsers just before the instructions tell you to start the scanner.

Please include the C:\ComboFix.txt in your next reply for further review.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Consumer Security

If I am helping you and you don't hear from me for 24Hrs, send me a PM Please!

Offline Hoov

  • Malware Removal Mentors
  • Global Moderator
  • Diamond Member
  • Posts: 22698
  • Unwilling part owner of Gov't. Motors and Chrysler
    • Hoov's Personal Site
Re: [In Progress] Can You Help with Spambot Removal?
« Reply #7 on: May 28, 2012, 06:40:31 PM »
joshhemming, do you still need help?

Consumer Security

If I am helping you and you don't hear from me for 24Hrs, send me a PM Please!