PC Infected: kbppsysguard.exe


My laptop got hit! I was down for most of the day with a trojan, and I don’t know how it got installed. I just opened a cooking site, leqafa, and then stuff started popping up!

It disabled my antivirus, and every time I opened my task manager, it closed it.

I booted into safe mode (F12) and scanned my PC, and amazingly, neither AVG nor Ad-aware detected it. I booted back into normal mode and then my anti-spyware detected abnormalities in the (…/AppData/Local/…) directory, so I decided to just delete it manually, but I couldn’t do that while the malicious software was running: I couldn’t kill the process, so I was not able to delete the executable.

I booted back into safe mode; it was located under (…/AppData/Local/ywuvh/kbppsysguard.exe) and I deleted it. I deleted everything under the Temp folder, then searched my registry for entries (kbppsysguard) and deleted two. I didn’t empty my recycle bin; I’ll tell you why in a minute.

I restarted my PC and customized my scan settings and included the recycle bin and now it detected it! Weird!!

Anyway it took me almost all day to sort this out but thank GOD I managed to remove that silly infection.

I wasn’t able to browse and that seems weird because I successfully authenticated to the university network and got a public IP, but couldn’t browse … think what could be the problem ….

Checked my proxy settings in all of my browsers and they were configured to localhost (127.0.0.1)! Removed that and I’m happily browsing :D
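The proxy check described above, turned into a small script a defender could run over an exported copy of the browser settings instead of clicking through each browser's dialog. This is an added example, not code from the original post. It parses a `.reg` export of the Windows `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings` key (the real `ProxyEnable`, `ProxyServer` and `AutoConfigURL` values, which Internet Explorer and other system-proxy users read) and a Firefox `prefs.js` (the real `network.proxy.*` prefs), and flags any proxy or PAC URL that points back at the local machine. It goes beyond the single 127.0.0.1 case in the post: it also catches `localhost`, IPv6 loopback (`[::1]`), per-protocol proxy lists and PAC scripts served from `file:` or a loopback address. All sample inputs are constructed for the example.

```python
"""Flag browser/system proxy settings that route traffic through the local machine.

A trojan that hijacks web traffic commonly sets the browser proxy to a service it
runs on 127.0.0.1. Inputs are a .reg export of the Windows Internet Settings key
and a Firefox prefs.js; the samples below are constructed for this example.
"""
import ipaddress
import re

# Constructed sample: a hijacked Internet Settings export (per-protocol loopback proxy).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="http=127.0.0.1:5555;https=127.0.0.1:5555"
'''
# Constructed sample: a legitimate corporate proxy that must not be flagged.
CLEAN_REG = r'''[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="proxy.corp.example:8080"
'''
# Constructed sample: Firefox prefs.js with a manual proxy on the loopback address.
SAMPLE_PREFS = '''user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 5555);
user_pref("network.proxy.ssl", "127.0.0.1");
user_pref("network.proxy.ssl_port", 5555);
'''


def is_loopback_host(host):
    """True for 'localhost' or any IPv4/IPv6 loopback literal (brackets tolerated)."""
    host = host.strip().strip("[]").lower()
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def pac_url_is_local(url):
    """True if a proxy auto-config URL is served from this machine (file: or loopback)."""
    if url.lower().startswith("file:"):
        return True
    m = re.match(r"^[a-z][a-z0-9+.-]*://(\[[^\]]+\]|[^/:?#]+)", url, re.I)
    return bool(m) and is_loopback_host(m.group(1))


def parse_reg_export(text):
    """Minimal .reg parser: {value_name: value} for dword and quoted string values."""
    values = {}
    for line in text.splitlines():
        m = re.match(r'^"([^"]+)"=(.*)$', line.strip())
        if not m:
            continue
        name, raw = m.groups()
        if raw.startswith("dword:"):
            values[name] = int(raw[len("dword:"):], 16)
        elif len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            values[name] = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return values


def proxy_hosts(proxy_server):
    """Split a ProxyServer value ('host:port' or 'http=host:port;https=...') into hosts."""
    hosts = []
    for entry in proxy_server.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        if "=" in entry:                                  # per-protocol form: scheme=host:port
            entry = entry.split("=", 1)[1]
        m = re.match(r"^\[([^\]]+)\](?::\d+)?$", entry)  # bracketed IPv6 literal
        hosts.append(m.group(1) if m else entry.rsplit(":", 1)[0])
    return hosts


def check_windows_proxy(reg_text):
    """Findings for a .reg export of the Internet Settings key (empty list = nothing odd)."""
    v = parse_reg_export(reg_text)
    findings = []
    if v.get("ProxyEnable") == 1:
        for host in proxy_hosts(v.get("ProxyServer", "")):
            if is_loopback_host(host):
                findings.append(f"ProxyServer routes traffic through loopback host {host!r}")
    if v.get("AutoConfigURL") and pac_url_is_local(v["AutoConfigURL"]):
        findings.append(f"AutoConfigURL {v['AutoConfigURL']!r} loads a PAC script from this machine")
    return findings


def check_firefox_prefs(prefs_text):
    """Findings for a Firefox prefs.js: manual proxy on loopback, or a locally served PAC."""
    prefs = {}
    for name, raw in re.findall(r'user_pref\("([^"]+)",\s*(.*?)\);', prefs_text):
        prefs[name] = raw[1:-1] if raw.startswith('"') else (int(raw) if raw.isdigit() else raw)
    findings = []
    if prefs.get("network.proxy.type") == 1:              # 1 = manual proxy configuration
        for key in ("network.proxy.http", "network.proxy.ssl", "network.proxy.socks"):
            if prefs.get(key) and is_loopback_host(prefs[key]):
                findings.append(f"{key} routes traffic through loopback host {prefs[key]!r}")
    elif prefs.get("network.proxy.type") == 2:            # 2 = proxy auto-config (PAC) URL
        url = prefs.get("network.proxy.autoconfig_url", "")
        if url and pac_url_is_local(url):
            findings.append(f"network.proxy.autoconfig_url {url!r} loads a PAC script from this machine")
    return findings


if __name__ == "__main__":
    for label, found in (("Windows sample", check_windows_proxy(SAMPLE_REG)),
                         ("Windows clean", check_windows_proxy(CLEAN_REG)),
                         ("Firefox sample", check_firefox_prefs(SAMPLE_PREFS))):
        print(label, "->", found or "no loopback proxy found")
```

A loopback proxy is not proof of infection on its own (debugging proxies such as Fiddler legitimately use one), so treat a hit as a lead to check which process is listening on that port, and re-run the check after cleanup, since the post shows the setting can outlive the executable that created it.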

  1. #1 by MBH on November 25, 2009 - 8:40 PM

    Just because you don’t see it, doesn’t mean it ain’t there.
    Run this tool (ComboFix): It cleans the computer and fixes whatever the worms broke: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    AVG stinks. After running ComboFix, remove AVG & install Kaspersky.

    It always helps to have a 2nd machine with an antivirus. When one gets infected, hook the disk directly to the 2nd machine & scan away.
    The only bad thing about this is that running the antivirus from a 2nd disk doesn’t fix the problems caused by worms. It has to be run directly on the infected OS.

  2. #2 by 3baid on November 25, 2009 - 8:50 PM

    The proxy setting probably means that the trojan was running a local service to hijack all your browser activities :/

  3. #3 by MBH on November 25, 2009 - 8:59 PM

    Consider the possibility of it having installed a keylogger and got your passwords. Make sure you change them.

  4. #4 by Bloggylife on November 25, 2009 - 9:14 PM

    MBH, 1st Thanks :D then about the keylogger, YUP, I knew this was a possibility so I copied and pasted letters to form what I needed :P But do you mean even after I deleted it, there’s a possibility of residue I missed? I’m running the link you provided. I like AVG, except the shield feature; I’ll give Kaspersky a try, it’s free, right?
    Don’t tell me I need to change them, I can barely remember the ones I have, so I didn’t log in keys while I was infected, but I had saved passwords for some sites! But I’ve already disconnected myself from the Internet so I hope I covered everything … you think I still need to change my passwords …

    3baid, I’m not sure how it all works, but I deleted all related files/registry entries.

  5. #5 by MBH on November 25, 2009 - 9:18 PM

    Kaspersky isn’t free. They offer a trial. A strong free for home-user AV is Avira. Not as good as Kaspersky Internet Security, but good enough.

    New generation worms bring in their cousins when they infect a box, so I wouldn’t be surprised if there are others lurking silently.
