Everything posted by boydcl

  1. Also, one more question - I plugged one of my flash drives into the machine while it was infected, hoping to load the latest MBAM that way. The malware blocked access, so I was never able to transfer anything to or from it, but I'm concerned that bad stuff might have been loaded onto the flash drive automatically... is there a good way to clean it without infecting my whole computer all over again?
  2. Awesome - thank you SO MUCH! I really, really appreciate all the help you've given me in dealing with this.
  3. Followed the steps, MBAM's full scan didn't find any malware. It didn't ask me to reboot afterward, but I did anyway just to follow your steps to the letter. Here's the log:

     Malwarebytes' Anti-Malware 1.36
     Database version: 2095
     Windows 5.1.2600 Service Pack 3

     5/8/2009 1:06:48 PM
     mbam-log-2009-05-08 (13-06-48).txt

     Scan type: Full Scan (C:\|E:\|)
     Objects scanned: 274915
     Time elapsed: 1 hour(s), 10 minute(s), 24 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 0

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     (No malicious items detected)
  4. Here's my ComboFix log. Although I turned off my Avira AntiVir before running it as instructed, it turned itself back on when ComboFix rebooted the machine. I had to tell it to ignore several processes which it identified as malicious (but seemed to actually be ComboFix), and ComboFix seemed to proceed and complete normally in spite of the interruptions. I thought I'd better mention it, just in case.

     ComboFix 09-05-07.06 - Charles Boyd 05/07/2009 21:52.1 - NTFSx86
     Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1697 [GMT -5:00]
     Running from: e:\documents and settings\Charles Boyd\Desktop\ComboFix.exe
     AV: AntiVir Desktop *On-access scanning disabled* (Updated)
     .
     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     C:\xcrashdump.dat
     e:\documents and settings\Charles Boyd\Local Settings\Temporary Internet Files\fbk.sts
     e:\documents and settings\NetworkService\protect.dll
     e:\windows\system32\__c0089764.dat
     e:\windows\system32\drivers\ovfsthjbimoyqxduyeptknxbnegsgdykicsiuy.sys
     e:\windows\system32\evefmpfa.ini
     e:\windows\system32\ovfsthhiykscusxdmsgukdyowyqwntwmhrewpd.dll
     e:\windows\system32\ovfsthpgqsrpidqoqiktnbegcprgpfqlhnekxv.dat
     e:\windows\system32\ovfsthqhxnnlstquojmhhsdsiexnqtsjcwvmey.dat
     e:\windows\system32\ovfsthqswqvflmxdjbqfxbksbrqxrxhxsfafun.dll
     e:\windows\system32\ovfsthtmvkifhxtkiapkfxkbsecxwtyyrrkbpu.dll
     e:\windows\system32\tdrwrtat.ini
     e:\windows\system32\uniq.tll
     e:\windows\system32\win32hlp.cnf
     e:\windows\system32\winglsetup.exe
     e:\windows\system32\zuzogomi.exe
     e:\windows\Temp\1050302926.exe
     e:\windows\Temp\1050459176.exe
     e:\windows\Temp\1118115426.exe
     e:\windows\wiaserviv.log

     Infected copy of e:\windows\system32\userinit.exe was found and disinfected
     Restored copy from - e:\windows\$NtServicePackUninstall$\userinit.exe
     .
     ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     -------\Service_ovfsthmlvslwkfjwqvpabdsecpqrmfolexvalq

     ((((((((((((((((((((((((( Files Created from 2009-04-08 to 2009-05-08 )))))))))))))))))))))))))))))))
     .
     2009-05-08 00:39 . 2009-05-08 00:41 -------- d-----w e:\documents and settings\Charles Boyd\Application Data\InfraRecorder
     2009-05-08 00:39 . 2009-05-08 00:39 -------- d-----w e:\program files\InfraRecorder
     2009-05-07 01:35 . 2009-05-07 01:35 -------- d-----w e:\program files\Trend Micro
     2009-05-07 01:31 . 2009-05-08 00:46 27648 ----a-w e:\windows\system32\lmn_setup.exe
     2009-05-07 01:08 . 2009-03-24 21:08 55640 ----a-w e:\windows\system32\drivers\avgntflt.sys
     2009-05-07 01:08 . 2009-05-07 01:08 -------- d-----w e:\documents and settings\All Users\Application Data\Avira
     2009-05-07 01:08 . 2009-05-07 01:08 -------- d-----w e:\program files\Avira
     2009-05-01 01:32 . 2009-05-01 01:33 -------- d-----w e:\program files\Guild Wars
     2009-04-15 19:12 . 2009-03-06 14:22 284160 -c----w e:\windows\system32\dllcache\pdh.dll
     2009-04-15 19:12 . 2009-02-09 12:10 401408 -c----w e:\windows\system32\dllcache\rpcss.dll
     2009-04-15 19:12 . 2009-02-06 11:11 110592 -c----w e:\windows\system32\dllcache\services.exe
     2009-04-15 19:12 . 2009-02-09 12:10 473600 -c----w e:\windows\system32\dllcache\fastprox.dll
     2009-04-15 19:12 . 2009-02-06 10:10 227840 -c----w e:\windows\system32\dllcache\wmiprvse.exe
     2009-04-15 19:12 . 2009-02-09 12:10 453120 -c----w e:\windows\system32\dllcache\wmiprvsd.dll
     2009-04-15 19:12 . 2009-02-09 12:10 729088 -c----w e:\windows\system32\dllcache\lsasrv.dll
     2009-04-15 19:12 . 2009-02-09 12:10 617472 -c----w e:\windows\system32\dllcache\advapi32.dll
     2009-04-15 19:12 . 2009-02-09 12:10 714752 -c----w e:\windows\system32\dllcache\ntdll.dll
     2009-04-15 19:12 . 2008-05-03 11:55 2560 ------w e:\windows\system32\xpsp4res.dll
     2009-04-15 19:12 . 2008-04-21 12:08 215552 -c----w e:\windows\system32\dllcache\wordpad.exe
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2009-05-08 02:55 . 2008-05-15 13:56 -------- d-----w e:\program files\DNA
     2009-05-06 06:32 . 2008-12-14 20:21 -------- d-----w e:\program files\Malwarebytes' Anti-Malware
     2009-05-03 03:57 . 2008-12-27 18:47 -------- d-----w e:\program files\Steam
     2009-04-29 23:29 . 2008-07-09 00:22 -------- d-----w e:\program files\City of Heroes
     2009-04-06 20:32 . 2008-12-14 20:21 38496 ----a-w e:\windows\system32\drivers\mbamswissarmy.sys
     2009-04-06 20:32 . 2008-12-14 20:21 15504 ----a-w e:\windows\system32\drivers\mbam.sys
     2009-04-01 02:26 . 2009-04-01 02:26 -------- d-----w e:\program files\GOG.com
     2009-03-06 14:22 . 2004-08-04 12:00 284160 ----a-w e:\windows\system32\pdh.dll
     2009-03-03 00:18 . 2004-08-04 12:00 826368 ----a-w e:\windows\system32\wininet.dll
     2009-02-20 18:09 . 2004-08-04 12:00 78336 ----a-w e:\windows\system32\ieencode.dll
     2009-02-09 13:51 . 2008-07-19 04:45 18704 ----a-w e:\documents and settings\Charles Boyd\Application Data\GDIPFONTCACHEV1.DAT
     2009-02-09 12:10 . 2004-08-04 12:00 729088 ----a-w e:\windows\system32\lsasrv.dll
     2009-02-09 12:10 . 2004-08-04 12:00 714752 ----a-w e:\windows\system32\ntdll.dll
     2009-02-09 12:10 . 2004-08-04 12:00 617472 ----a-w e:\windows\system32\advapi32.dll
     2009-02-09 12:10 . 2004-08-04 12:00 401408 ----a-w e:\windows\system32\rpcss.dll
     2009-02-09 11:13 . 2004-08-04 12:00 1846784 ----a-w e:\windows\system32\win32k.sys
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4

     [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "ctfmon.exe"="e:\windows\system32\ctfmon.exe" [2008-04-14 15360]
     "BitTorrent DNA"="e:\program files\DNA\btdna.exe" [2008-12-19 342848]
     "igndlm.exe"="e:\program files\IGN\Download Manager\DLM.exe" [2008-08-01 1103216]

     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "GEST"="m
  5. Awesome - I will do that and then run ComboFix tonight and let you know what happens! Thanks very much!
  6. Sorry, I'm a bit confused - you're saying I am safe to create CD/DVD backups from my infected hard drive for use on a clean hard drive later, but those backups should NOT include documents, music, etc? Or were you just trying to say that if I don't back up things like that now, there's a good chance I'll lose them? Ideally, I'd like to burn my music, word documents, game save files, and image files to DVD for use later. Would it be safe for me to do this now?
  7. Hi, Thanks very much for your response, I'll give ComboFix a shot tonight and post the results. If it is Virut, will I have any hope of recovering anything from the hard drive for later (documents, music, etc) or will any attempt to move stuff over spread the infection? Really appreciate the help!
  8. Hello, I've just registered a new copy of Malwarebytes Anti-Malware after having much success with the free version in past infections. However, my current infection seems to elude it. Every time I run the scan again to make sure all has been removed, it finds newly infected files. I have tried running it both while connected to the internet and with my network cable unplugged, and received similar results. Full scans and Quick Scans deliver different numbers of infected files, but they invariably find more of the same every time I run them, even after following instructions, rebooting to complete deletion, etc. I'm seeing Trojan.Vundo, Trojan.Agent, Trojan.Ertfor, Trojan.Downloader, Worm.Autorun... all kinds of things. I followed the instructions provided in response to my original post on the MBAM general forum and installed Avira AntiVir Personal after running MBAM again, then followed all steps with AntiVir. Three times in a row, it has found the same malware - 'TR/Dropper.Gen' [trojan] - and told me I needed to reboot to remove it. I did so every time, and every time, it finds it again.

     Here is my HijackThis log:

     Logfile of Trend Micro HijackThis v2.0.2
     Scan saved at 8:35:46 PM, on 5/6/2009
     Platform: Windows XP SP3 (WinNT 5.01.2600)
     MSIE: Internet Explorer v7.00 (7.00.6000.16827)
     Boot mode: Normal

     Running processes:
     E:\WINDOWS\System32\smss.exe
     E:\WINDOWS\system32\winlogon.exe
     E:\WINDOWS\system32\services.exe
     E:\WINDOWS\system32\lsass.exe
     E:\WINDOWS\system32\svchost.exe
     E:\WINDOWS\System32\svchost.exe
     E:\WINDOWS\system32\spoolsv.exe
     E:\Program Files\Avira\AntiVir Desktop\avguard.exe
     E:\WINDOWS\Explorer.EXE
     E:\WINDOWS\RTHDCPL.EXE
     E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
     E:\WINDOWS\system32\RUNDLL32.EXE
     E:\Program Files\iTunes\iTunesHelper.exe
     E:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
     E:\Program Files\Avira\AntiVir Desktop\avgnt.exe
     E:\WINDOWS\system32\ctfmon.exe
     E:\Program Files\DNA\btdna.exe
     E:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
     E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
     E:\Program Files\Bonjour\mDNSResponder.exe
     E:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
     E:\WINDOWS\system32\nvsvc32.exe
     E:\WINDOWS\system32\svchost.exe
     E:\Program Files\iPod\bin\iPodService.exe
     E:\Program Files\Avira\AntiVir Desktop\sched.exe
     \?\globalroot\E:\WINDOWS\system32\rundll32.exe
     E:\WINDOWS\System32\svchost.exe
     E:\WINDOWS\system32\wuauclt.exe
     C:\Program Files\Mozilla Firefox\firefox.exe
     E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
     R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
     R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
     O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
     O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
     O4 - HKLM\..\Run: [GEST] m
  9. Hello, I've just registered a new copy of Malwarebytes Anti-Malware after having much success with the free version in past infections. However, my current infection seems to elude it. Every time I run the scan again to make sure all has been removed, it finds newly infected files. I have tried running it both while connected to the internet, and with my network cable unplugged, and received similar results. Full scans and Quick Scans deliver different numbers of infected files, but they invariably find more of the same every time I run them, even after following instructions, rebooting to complete deletion, etc. I'm seeing Trojan.Vundo, Trojan.Agent, Trojan.Ertfor, Trojan.Downloader, Worm.Autorun... all kinds of things. Am I missing a step somewhere?
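The pattern the posts above describe (MBAM reporting the same families again after every quarantine-and-reboot cycle) is easier to triage by diffing successive scan logs than by reading them by eye: an item that comes back at the same path or registry key after it was quarantined points at a loader or persistence entry that is still active, whereas a fresh path each time points at a dropper pulling new files. The Python below is an added example written for this page; it is not code from the thread, from Malwarebytes or from the forum's helpers. It assumes the MBAM 1.x log layout visible in the posts (a summary block of "Section Infected: N" lines followed by detail blocks of "path (Family) -> action." lines, with "(No malicious items detected)" for empty sections); the two sample logs, the file names, the CLSID and the Run value in them are constructed for the example.

```python
import re
from collections import OrderedDict

# Line shapes this parser assumes (modelled on MBAM 1.x logs; the sample
# logs further down are constructed for this example, not taken from the thread):
#   "Files Infected: 0"                              summary count
#   "Files Infected:"                                start of a detail block
#   "<path or registry key> (Family) -> <action>."   one detection
#   "(No malicious items detected)"                  empty detail block
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):\s*(?P<count>\d+)?\s*$")
DETECTION_RE = re.compile(r"^(?P<item>.+?)\s+\((?P<family>[^()]+)\)\s+->\s+(?P<action>.+?)\.?\s*$")


def parse_mbam_log(text):
    """Return (counts, detections) for one log.

    counts maps a summary section name to its integer; detections is a list of
    dicts (section, item, family, action). Items are lower-cased because Windows
    paths and registry keys compare case-insensitively.
    """
    counts, detections, current = OrderedDict(), [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            if m.group("count") is not None:
                counts[m.group("section")] = int(m.group("count"))
                current = None                  # still inside the summary block
            else:
                current = m.group("section")    # a detail block opens here
            continue
        if current is None or line.startswith("(No malicious items"):
            continue
        d = DETECTION_RE.match(line)
        if d:
            detections.append({"section": current, "item": d.group("item").lower(),
                               "family": d.group("family"), "action": d.group("action")})
    return counts, detections


def summary_matches_details(text):
    """True when every summary count equals the number of detail lines listed
    under that section; a mismatch means the pasted log is truncated or edited."""
    counts, detections = parse_mbam_log(text)
    per_section = {}
    for d in detections:
        per_section[d["section"]] = per_section.get(d["section"], 0) + 1
    return all(per_section.get(s, 0) == n for s, n in counts.items())


def family_counts(text):
    """Number of detections per malware family in one log."""
    out = {}
    for d in parse_mbam_log(text)[1]:
        out[d["family"]] = out.get(d["family"], 0) + 1
    return out


def recurring_detections(earlier, later):
    """Detections in the later scan that the earlier scan already reported at the
    same section and path/key. These are the items to investigate for a still-
    running loader or autostart entry rather than simply rescan."""
    seen = {(d["section"], d["item"]) for d in parse_mbam_log(earlier)[1]}
    return [d for d in parse_mbam_log(later)[1] if (d["section"], d["item"]) in seen]


# Constructed sample: a first scan, then a scan after the requested reboot.
SCAN_1 = r"""Malwarebytes' Anti-Malware 1.36
Scan type: Quick Scan

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\sample_bho.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{SAMPLE-CLSID} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sample_loader (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\sample_bho.dll (Trojan.Vundo) -> Delete on reboot.
E:\autorun.inf (Worm.Autorun) -> Quarantined and deleted successfully.
"""

SCAN_2 = r"""Malwarebytes' Anti-Malware 1.36
Scan type: Quick Scan

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{SAMPLE-CLSID} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sample_loader (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\sample_bho.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    for d in recurring_detections(SCAN_1, SCAN_2):
        print(f"recurring after reboot: {d['section']}: {d['item']} [{d['family']}]")
```

Run against the two constructed logs it reports three recurring items (the BHO key, the Run value and the DLL they load), while the autorun.inf entry does not recur. The summary-versus-detail check is worth keeping in any such script: a log pasted into a forum post is often cut off, and a count that no longer matches its detail block tells you the paste, not the machine, is incomplete.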