need help!! system security virus gone wrong

bhof · July 8, 2009

hey guys im after some help.....

my computer got infected with the system security virus 2 days ago. It started out with me not being able to do anything,

(taskbar is gone, start button gone, cant open any files at all, no system restore, anything). I rebooted the computer and the same thing again. I then used the mrs laptop to do some research on the virus. i have pretty much done everything recommended on the net but still cant get my comp working. The virus seems to be gone and i can run some programs but i still have no start or taskbar, no net connectivity, and still cant run malwarebytes.

Can some one please help me??? I need my comp asap and dont really want to format my drive. Any help would be greatly appreciated.

here is a log from hijackthis

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 2:33:47 PM, on 7/8/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18241)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Spyware Doctor\pctsAuxs.exe

C:\Program Files\Spyware Doctor\pctsSvc.exe

C:\Program Files\Spyware Doctor\pctsTray.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\DOCUME~1\Homer\LOCALS~1\Temp\b.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R3 - URLSearchHook: (no name) - FBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll

O1 - Hosts: ::1 localhost

O1 - Hosts: 209.44.111.62 antispy.microsoft.com

O1 - Hosts: 209.44.111.62 antiaware-pro.com

O1 - Hosts: 209.44.111.62 www.antiaware-pro.com

O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll

O4 - HKLM\..\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"

O4 - HKLM\..\Run: [net] "C:\WINDOWS\system32\net.net"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"

O4 - HKLM\..\Run: [indexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"

O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun

O4 - HKLM\..\Run: [brMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN

O4 - HKLM\..\Run: [bootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [14774844] C:\Documents and Settings\All Users\Application Data\14774844\14774844.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MalwareRemovalBot] J:\MalwareRemovalBot\MalwareRemovalBot.exe -boot

O4 - HKCU\..\Run: [steam] "C:\Program Files\Steam\Steam.exe" -silent

O4 - HKCU\..\Run: [Cognac] C:\DOCUME~1\Homer\LOCALS~1\Temp\b.exe

O4 - HKUS\S-1-5-21-448539723-838170752-839522115-1002\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')

O4 - HKUS\S-1-5-21-448539723-838170752-839522115-1002\..\Run: [MalwareRemovalBot] J:\MalwareRemovalBot\MalwareRemovalBot.exe -boot (User '?')

O4 - HKUS\S-1-5-21-448539723-838170752-839522115-1002\..\Run: [steam] "C:\Program Files\Steam\Steam.exe" -silent (User '?')

O4 - HKUS\S-1-5-21-448539723-838170752-839522115-1002\..\Run: [Cognac] C:\DOCUME~1\Homer\LOCALS~1\Temp\b.exe (User '?')

O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User '?')

O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201

O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204

O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203

O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)

O20 - AppInit_DLLs: ,C:\DOCUME~1\Homer\LOCALS~1\Temp\2471625755mxx.dll

O23 - Service: Adobe Active File Monitor V7 (AdobeActiveFileMonitor7.0) - Adobe Systems Incorporated - C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Google Update Service (gupdate1c9a1ca569e944e) (gupdate1c9a1ca569e944e) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

O23 - Service: sopidkc Service (sopidkc) - Unknown owner - C:\WINDOWS\system32\sopidkc.exe (file missing)

--

End of file - 8690 bytes

bhof · July 9, 2009

can anyone help me please???

AdvancedSetup · July 9, 2009

STEP 01

With all other applications closed (Taskbar empty), open HijackThis again

and run Do a system scan only and place a check mark on the following items.

R3 - URLSearchHook: (no name) - FBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O1 - Hosts: ::1 localhost

O1 - Hosts: 209.44.111.62 antispy.microsoft.com

O1 - Hosts: 209.44.111.62 antiaware-pro.com

O1 - Hosts: 209.44.111.62 www.antiaware-pro.com

O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Java

bhof · July 9, 2009

Hey mate thanks for that. I will give it a go today and post back my results.

The only problem is that i dont have a task bar and cant click on start to get the run application up. Is there another way to get to it?

Also i cannot access the internet on the computer so im currently using a laptop to read this.

Thanks again for your help.

AdvancedSetup · July 10, 2009

Try pressing CTRL-ESC on the keyboard maybe or the Windows key if you have one of the newer keyboards.

You can try in Safe Mode if you really have to.

bhof · July 10, 2009

i have tried to that already but it still wont bring it up. I have tried in safe mode also.

Thanks

bhof · July 10, 2009

Ok i got to the run command by holding the windows key and pressing R.

Did what you said above but when i restarted the comp i got these messages popping up

userinit.exe - application error The instruction at "0x00fc4a49" referenced memory at "0x80000024". The memory could not "read". Click ok to terminate the program

pctstray: pctsTray.exe - application error The instruction at "0x7c934feb" referenced memory at "0x00200070". The memory could not "read". Click ok to terminate the program

pctstray: pctsTray.exe - application error The instruction at "0x7c934fe9" referenced memory at "0x0000f300". The memory could not "read". Click ok to terminate the program

pctstray: pctsTray.exe - application error The instruction at "0x7c934feb" referenced memory at "0x00000000". The memory could not "read". Click ok to terminate the program

pctsTray.exe - application error The instruction at "0x7c934feb" referenced memory at "0xffffffff". The memory could not "read". Click ok to terminate the program

pctsTray.exe - application error The instruction at "0x771544f1" referenced memory at "0x0129c698". The memory could not "read". Click ok to terminate the program

pctsTray.exe - application error The instruction at "0x771544f1" referenced memory at "0x01294f00". The memory could not "read". Click ok to terminate the program

pctsTray.exe - application error The instruction at "0x771544f1" referenced memory at "0x01286690". The memory could not "read". Click ok to terminate the program

There were about another 4 of these errors with different referenced memory locations.

After those messages i got this

Error - Runtime error 216 at 00FC4A49

I wouldnt have a clue what these are?

bhof · July 10, 2009

Ok so i tried to re-install malwarebytes after the process you mentioned above. I ran the setup file off my usb stick and renamed it to winlogon.exe otherwise it wont run. Once it starts install its all good until the end and gets stuck on finishing installation. I left it for a while but it still stays frozen.

I got up the task manager and there is a winlogon.tmp process running which is the setup program. Once i end that process the frozen setup screen goes away.

When i try to run malwarebytes after that it wont run but comes up in the task manager as mbam.exe

I tried to rename the mbam.exe to winlogon.exe but i get this error.

Run-time error '372': Failed to load control 'vbalGrid' from vbalsgrid6.ocx. Your version of vbalsgrid.ocx may be outdated. Make sure you are using the version of the control that was provided with your application.

Ok so now im stuck. Blood viruses.

Any more help would be great. Thanks mate. Also where are you located? Just want to know the time difference so i know when you would most likely to be on here. Thanks again.

AdvancedSetup · July 10, 2009

Copy this over and try to run it. Try rename as well and Safe Mode if needed.

Please visit this webpage for instructions for downloading ComboFix to your

DESKTOP

:

how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

NOTE!!:

You must save and run

ComboFix.exe

on your DESKTOP and not from any other folder.

Also,

DO NOT

click the mouse or launch any other applications while this is running or it may stall the program

Additional links to download the tool:

ComboFix.exe

Note:

The

Windows Recovery Console

will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Click
Yes
to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.
Please post the
C:\ComboFix.txt
along with a
new HijackThis log
so we may continue cleaning the system.

bhof · July 10, 2009

I cant copy anything to the computer. The only way to get any new programs on is run the setup file from my usb stick.

I cant copy and past, or even drag and drop from anywhere on the comp or usb.

I dont know any other way to get combofix onto my desktop, plus it has removed all my network connections and they dont show up to even repair them.

bhof · July 10, 2009

Ok ive got some good news. I put my hard drive in another comp as a slave and ran malwarebytes on it there. The results came back and cleaned up some trojans, and backdoors. I then put it back in my normal comp and now was able to install and run malwarebytes with out any problems. I also got my taskbar and start button back.

Here is 3 log from malwarebytes and i also ran combofix after thats aswell.

1.)

Malwarebytes' Anti-Malware 1.38

Database version: 2297

Windows 5.1.2600 Service Pack 2

7/3/2009 5:35:48 PM

mbam-log-2009-07-03 (17-35-48).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|J:\|)

Objects scanned: 165097

Time elapsed: 14 minute(s), 46 second(s)

Memory Processes Infected: 1

Memory Modules Infected: 1

Registry Keys Infected: 4

Registry Values Infected: 2

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 5

Memory Processes Infected:

C:\WINDOWS\sysguard.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:

C:\WINDOWS\system32\iehelper.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8567edfa-408c-43e9-b929-4c25c04f5003} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{8567edfa-408c-43e9-b929-4c25c04f5003} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{8567edfa-408c-43e9-b929-4c25c04f5003} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\AvScan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lowriskfiletypes (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysldtray (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\iehelper.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\sysguard.exe (Trojan.Agent) -> Quarantined and deleted successfully.

c:\documents and settings\Homer\local settings\Temp\install[1].exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\ld12.exe (Backdoor.Bot) -> Delete on reboot.

c:\WINDOWS\strt_1246661561.exe (Worm.KoobFace) -> Quarantined and deleted successfully.

2.)

Malwarebytes' Anti-Malware 1.38

Database version: 2366

Windows 5.1.2600 Service Pack 2

7/3/2009 6:08:19 PM

mbam-log-2009-07-03 (18-08-19).txt

Scan type: Full Scan (C:\|)

Objects scanned: 125020

Time elapsed: 9 minute(s), 58 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 8

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 4

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

c:\program files\drv\drv.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\drv (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\drv (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\drv (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\drvdrv (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\drvdrv (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\drvdrv (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_DRVDRV (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_DRV (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\drv (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\documents and settings\Homer\local settings\temporary internet files\Content.IE5\67M5SH61\pdrv[1].exe (Worm.Koobface) -> Quarantined and deleted successfully.

C:\WINDOWS\010112010146118114.dat (Worm.KoobFace) -> Quarantined and deleted successfully.

C:\Program Files\drv\drv.dll (Trojan.Agent) -> Delete on reboot.

C:\Program Files\drv\drv.sys (Trojan.Agent) -> Quarantined and deleted successfully.

3.)

Malwarebytes' Anti-Malware 1.38

Database version: 2402

Windows 5.1.2600 Service Pack 2

7/10/2009 11:29:32 PM

mbam-log-2009-07-10 (23-29-32).txt

Scan type: Full Scan (C:\|D:\|G:\|H:\|I:\|)

Objects scanned: 168269

Time elapsed: 13 minute(s), 56 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 8

Registry Values Infected: 8

Registry Data Items Infected: 0

Folders Infected: 6

Files Infected: 15

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\Typelib\{40196867-19f8-7157-c097-ecaff653c9ad} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Cognac (Rogue.Multiple) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\MalwareRemovalBot (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\ColdWare (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\BuildW (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Ulrn (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Update (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\UpdateNew (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\i (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mso (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\udso (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\uid (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

c:\documents and settings\Administrator\Application Data\MalwareRemovalBot (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

c:\documents and settings\administrator\application data\malwareremovalbot\Log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

c:\documents and settings\administrator\application data\malwareremovalbot\Settings (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

c:\documents and settings\Homer\Application Data\MalwareRemovalBot (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

c:\documents and settings\Homer\application data\malwareremovalbot\Log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

c:\documents and settings\Homer\application data\malwareremovalbot\Settings (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

Files Infected:

c:\documents and settings\administrator\application data\malwareremovalbot\rs.dat (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

c:\documents and settings\administrator\application data\malwareremovalbot\Log\2009 Jul 07 - 11_55_17 PM_640.log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

c:\documents and settings\administrator\application data\malwareremovalbot\Log\2009 Jul 07 - 11_57_39 PM_203.log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

c:\documents and settings\administrator\application data\malwareremovalbot\Log\2009 Jul 08 - 08_29_22 AM_093.log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

c:\documents and settings\administrator\application data\malwareremovalbot\Settings\ScanResults.pie (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

c:\documents and settings\Homer\application data\malwareremovalbot\rs.dat (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

c:\documents and settings\Homer\application data\malwareremovalbot\Log\2009 Jul 07 - 10_05_22 PM_750.log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

c:\documents and settings\Homer\application data\malwareremovalbot\Log\2009 Jul 08 - 11_53_33 AM_531.log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

c:\documents and settings\Homer\application data\malwareremovalbot\Log\2009 Jul 08 - 12_23_46 PM_078.log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

c:\documents and settings\Homer\application data\malwareremovalbot\Log\2009 Jul 08 - 12_46_34 PM_875.log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

c:\documents and settings\Homer\application data\malwareremovalbot\Settings\ScanResults.pie (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\FInstall.sys (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\WINDOWS\Tasks\{783AF354-B514-42d6-970E-3E8BF0A5279C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\wiawow32.sys (Backdoor.Bot) -> Quarantined and deleted successfully.

Then combofix

ComboFix 09-07-09.08 - Homer 07/10/2009 23:51.1.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2943.2533 [GMT -7:00]

Running from: c:\documents and settings\Homer\Desktop\ComboFix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Homer\Application Data\inst.exe

c:\program files\Internet Explorer\ws2help.dll

c:\recycler\S-1-5-21-2000478354-57989841-839522115-1003

c:\windows\Install.txt

c:\windows\kb913800.exe

c:\windows\system32\Install.txt

c:\windows\system32\msconfig.exe

c:\windows\system32\UACbmeuwftoipgekxi.dat

c:\windows\system32\UACfhdspgwcdhmylte.db

c:\windows\system32\uactmp.db

c:\windows\system32\proquota.exe . . . is missing!!

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_MSNCACHE

-------\Service_UACd.sys

((((((((((((((((((((((((( Files Created from 2009-06-11 to 2009-07-11 )))))))))))))))))))))))))))))))

.

2009-07-11 06:54 . 2009-07-11 06:54 -------- d-----w- c:\windows\system32\wbem\snmp

2009-07-11 06:54 . 2009-07-11 06:54 -------- d-----w- c:\windows\srchasst

2009-07-11 06:54 . 2009-07-11 06:54 -------- d-----w- c:\windows\system32\xircom

2009-07-11 06:54 . 2009-07-11 06:54 -------- d-----w- c:\program files\microsoft frontpage

2009-07-10 19:56 . 2009-06-17 18:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-07-10 19:56 . 2009-07-11 06:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-07-10 19:56 . 2009-07-10 19:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-07-10 19:56 . 2009-06-17 18:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-07-08 21:33 . 2009-07-08 21:33 -------- d-----w- c:\program files\Trend Micro

2009-07-08 06:53 . 2008-12-11 15:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys

2009-07-08 06:52 . 2009-03-06 23:45 130424 ----a-w- c:\windows\system32\drivers\PCTCore.sys

2009-07-08 06:52 . 2008-12-18 19:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys

2009-07-08 06:52 . 2009-07-08 06:54 -------- d-----w- c:\program files\Common Files\PC Tools

2009-07-08 06:52 . 2008-12-10 19:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys

2009-07-08 06:52 . 2009-07-11 05:41 -------- d-----w- c:\program files\Spyware Doctor

2009-07-08 06:52 . 2009-07-08 06:52 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools

2009-07-08 06:52 . 2009-07-08 06:52 -------- d-----w- c:\documents and settings\Administrator\Application Data\PC Tools

2009-07-08 05:53 . 2009-07-08 05:53 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\AVG Security Toolbar

2009-07-08 05:53 . 2009-07-08 05:53 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla

2009-07-08 02:55 . 2009-07-08 02:55 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar

2009-07-08 01:48 . 2009-07-08 01:48 -------- d-----w- c:\program files\Chec

2009-07-05 19:59 . 2004-08-04 07:56 21504 ----a-w- c:\windows\system32\drivers\hidserv.dll

2009-07-04 00:18 . 2009-07-04 00:18 -------- d-----w- c:\documents and settings\Homer\Application Data\Malwarebytes

2009-07-03 22:34 . 2009-07-08 05:22 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8

2009-06-23 16:22 . 2009-06-23 16:22 152576 ----a-w- c:\documents and settings\Homer\Application Data\Sun\Java\jre1.6.0_14\lzma.dll

2009-06-16 20:11 . 2009-06-16 20:11 -------- d-----w- c:\program files\iPod

2009-06-16 20:10 . 2009-06-16 20:11 -------- d-----w- c:\program files\QuickTime

2009-06-16 20:05 . 2009-06-16 20:05 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe

2009-06-12 15:56 . 2009-05-07 15:44 344064 ------w- c:\windows\system32\dllcache\localspl.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-07-11 06:44 . 2009-03-10 21:50 -------- d-----w- c:\program files\Google

2009-07-11 05:52 . 2009-03-03 21:54 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-07-10 18:41 . 2007-08-11 23:47 -------- d-----w- c:\program files\Steam

2009-07-07 23:22 . 2007-12-24 03:31 -------- d-----w- c:\documents and settings\Homer\Application Data\uTorrent

2009-07-05 20:00 . 2009-07-05 20:00 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf

2009-07-05 20:00 . 2009-07-05 20:00 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf

2009-07-05 00:20 . 2007-09-09 05:32 -------- d-----w- c:\documents and settings\Homer\Application Data\CopyToDvd

2009-07-05 00:17 . 2007-09-09 05:32 -------- d-----w- c:\documents and settings\Homer\Application Data\Vso

2009-07-04 00:41 . 2009-03-03 21:51 -------- d-----w- c:\program files\Trojan Remover

2009-07-03 23:00 . 2007-08-25 03:21 -------- d-----w- c:\program files\VSO

2009-06-27 04:14 . 2007-08-11 20:32 25792 ----a-w- c:\documents and settings\Homer\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-06-23 16:23 . 2008-04-03 16:39 -------- d-----w- c:\program files\Java

2009-06-16 20:11 . 2009-04-12 00:45 -------- d-----w- c:\program files\iTunes

2009-06-16 20:11 . 2008-09-23 04:53 -------- d-----w- c:\program files\Common Files\Apple

2009-06-15 06:55 . 2009-02-19 19:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2009-05-28 16:38 . 2009-05-28 16:38 -------- d-----w- c:\program files\MSECache

2009-05-25 21:40 . 2009-05-25 21:40 152576 ----a-w- c:\documents and settings\Homer\Application Data\Sun\Java\jre1.6.0_13\lzma.dll

2009-05-21 18:33 . 2008-11-25 04:36 410984 ----a-w- c:\windows\system32\deploytk.dll

2009-05-12 22:19 . 2009-05-12 22:19 -------- d-----r- c:\documents and settings\Homer\Application Data\Brother

2009-05-09 08:14 . 2009-05-09 08:14 1418120 ----a-w- c:\windows\system32\wdfcoinstaller01005.dll

2009-05-09 08:14 . 2009-05-09 08:14 14736 ----a-w- c:\windows\system32\drivers\nuidfltr.sys

2009-05-07 15:44 . 2004-08-03 17:56 344064 ----a-w- c:\windows\system32\localspl.dll

2009-04-17 10:09 . 2007-05-23 15:13 1847936 ----a-w- c:\windows\system32\win32k.sys

2009-04-15 15:26 . 2007-05-23 15:12 583168 ----a-w- c:\windows\system32\rpcrt4.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-02-01 255528]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-27 413696]

"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-01-30 30248]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]

"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-01-30 46632]

"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-01-26 65536]

"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-03-12 663552]

"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2006-11-17 77824]

"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-16 2879488]

"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-11-14 16270848]

"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2004-08-03 110592]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"HideRunAsVerb"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoResolveTrack"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSMHelp"= 1 (0x1)

"NoResolveTrack"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"15703:TCP"= 15703:TCP:NortonAV

"12722:TCP"= 12722:TCP:NortonAV

"12750:TCP"= 12750:TCP:NortonAV

"18713:TCP"= 18713:TCP:NortonAV

"13750:TCP"= 13750:TCP:NortonAV

"17044:TCP"= 17044:TCP:NortonAV

"12781:TCP"= 12781:TCP:NortonAV

"13323:TCP"= 13323:TCP:NortonAV

"18150:TCP"= 18150:TCP:NortonAV

"17396:TCP"= 17396:TCP:NortonAV

"13473:TCP"= 13473:TCP:NortonAV

"16219:TCP"= 16219:TCP:NortonAV

"15190:TCP"= 15190:TCP:NortonAV

"18641:TCP"= 18641:TCP:NortonAV

"17730:TCP"= 17730:TCP:NortonAV

"15712:TCP"= 15712:TCP:NortonAV

"15037:TCP"= 15037:TCP:NortonAV

"13928:TCP"= 13928:TCP:NortonAV

"14461:TCP"= 14461:TCP:NortonAV

"18371:TCP"= 18371:TCP:NortonAV

"16029:TCP"= 16029:TCP:NortonAV

"12416:TCP"= 12416:TCP:NortonAV

"13943:TCP"= 13943:TCP:NortonAV

"16441:TCP"= 16441:TCP:NortonAV

"12697:TCP"= 12697:TCP:NortonAV

"8085:TCP"= 8085:TCP:drv

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [7/7/2009 11:52 PM 130424]

R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [9/16/2008 1:03 PM 169312]

S2 BootScreen;BootScreen;c:\windows\system32\drivers\vidstub.sys [9/6/2008 12:16 PM 163712]

S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [7/7/2009 11:52 PM 348752]

NETSVCS REQUIRES REPAIRS - current entries shown

msncache

6to4

AppMgmt

AudioSrv

Browser

CryptSvc

DMServer

DHCP

EventSystem

FastUserSwitchingCompatibility

HidServ

Ias

Iprip

Irmon

LanmanServer

LanmanWorkstation

Netman

Nla

NWCWorkstation

Nwsapagent

Rasauto

Rasman

Remoteaccess

Schedule

SENS

Sharedaccess

SRService

Tapisrv

Themes

WZCSVC

Wmi

WmdmPmSp

winmgmt

xmlprov

BITS

wuauserv

ShellHWDetection

WmdmPmSN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

.

Contents of the 'Scheduled Tasks' folder

2009-06-16 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-07-07 c:\windows\Tasks\OGADaily.job

- c:\windows\system32\OGAVerify.exe [2009-01-01 00:04]

2009-07-11 c:\windows\Tasks\OGALogon.job

- c:\windows\system32\OGAVerify.exe [2009-01-01 00:04]

.

- - - - ORPHANS REMOVED - - - -

BHO-{A3BC75A2-1F87-4686-AA43-5347D756017C} - c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

HKLM-Run-NWEReboot - (no file)

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

FF - ProfilePath - c:\documents and settings\Homer\Application Data\Mozilla\Firefox\Profiles\gbcuo58b.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/webhp?hl=en

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-07-10 23:55

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(728)

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1848)

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ati2evxx.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\system32\rundll32.exe

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2009-07-11 23:57 - machine was rebooted

ComboFix-quarantined-files.txt 2009-07-11 06:57

Pre-Run: 16,689,463,296 bytes free

Post-Run: 16,770,150,400 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer

257 --- E O F --- 2009-07-05 20:00

Now what should i do?

Thanks again for your time.

AdvancedSetup · July 10, 2009

First off I see you have another post open for a laptop. Please wait till we're done with this one. Try not to share the network with this computer and the laptop though for now just in case one of them has something that is reaching out and infecting the other.

STEP 01

Please copy/paste the following entries into a new Notepad document and save it to your Desktop as DefaultServices.REG when saving you'll need to select the SAVE AS TYPE and choose ALL FILES to save with the .REG extension. Then double-click on it to run it.

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Alerter]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ALG]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppMgmt]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AudioSrv]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cisvc]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClipSrv]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\COMSysApp]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CryptSvc]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DcomLaunch]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmadmin]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmserver]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ERSvc]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventSystem]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FastUserSwitchingCompatibility]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\helpsvc]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HidServ]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTPFilter]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ImapiService]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LmHosts]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mnmsrvc]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSDTC]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSIServer]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetDDE]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetDDEdsdm]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netman]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Nla]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtLmSsp]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtmsSvc]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PlugPlay]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ProtectedStorage]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasAuto]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RDSessMgr]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcLocator]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RSVP]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SamSs]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SCardSrv]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seclogon]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SENS]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ShellHWDetection]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srservice]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSDPSRV]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\stisvc]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SwPrv]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysmonLog]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TapiSrv]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Themes]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TrkWks]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upnphost]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UPS]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WebClient]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\winmgmt]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmdmPmSN]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wmi]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmiApSrv]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WZCSVC]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xmlprov]
"Start"=dword:00000003

STEP 02

Then download and run the following and reboot your computer.

Please download and run these tools which are designed to restore some standard policy settings. They are not harmful.

VArestorepolicies.INF

Download this INF repair file from here: VArestorepolicies.zip by MS-MVP Miekiemoes
Unzip or open the file VArestorepolicies.zip
Open the folder VArestorepolicies and Right-click the file inside, VArestorepolicies.INF and choose Install

FixPolicies.exe

Download this self-extracting ZIP archive from here: FixPolicies.exe by MS-MVP Bill Castner and save it to your desktop.
Double-click FixPolicies.exe
Click the "Install" button on the bottom toolbar of the box that will open
The program will create a new Folder called FixPolicies
Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd
A black box will briefly appear and then close
These fixes may prove temporary. Active malware may revert these changes on your next startup. You can safely run these utilities again.

STEP 03

Then temporarily disable your Anti-Virus and run this Online AV scanner.

Run Eset NOD32 Online AntiVirus

Note: You will need to use Internet Explorer for this scan.

Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Disable your current Antivirus software. You can usually do this with its Notfication Tray icon near the clock.
Click Start
Make sure that the option "Remove found threats" is Un-checked, and the option "Scan unwanted applications" is checked
Click Scan
Wait for the scan to finish
Re-enable your Anvirisus software.
A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

STEP 04

You're missing this file: c:\windows\system32\proquota.exe so you'll need to get a copy from a clean Windows XP Pro system to copy it over from or you might possibly be able to get it from downloading and installing Service Pack 3 from Microsoft once we're certain the system is clean.

DO NOT install Service Pack 3 or any other software unless asked to while were fixing the computer.

bhof · July 11, 2009

ok mate will give it a go today. cheers

bhof · July 11, 2009

Ok done the above steps and heres the log from Eset.

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=6

# iexplore.exe=8.00.6001.18241 (longhorn_ie8_beta2(wmbla).080822-0214)

# OnlineScanner.ocx=1.0.0.5886

# api_version=3.0.2

# EOSSerial=bffe672cc7511045afdccf60d47215d4

# end=finished

# remove_checked=false

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2009-07-11 10:00:38

# local_time=2009-07-11 03:00:38 (-0800, Pacific Daylight Time)

# country="United States"

# lang=9

# osver=5.1.2600 NT Service Pack 2

# scanned=76445

# found=4

# cleaned=0

# scan_time=1223

C:\Documents and Settings\Homer\Desktop\programs\mp3splitter.exe probably a variant of Win32/TrojanDownloader.Agent trojan 00000000000000000000000000000000 I

D:\MUSIC\Rihanna - Good Girl Gone Bad (Reloaded) (2008)\05 - Shut Up & Drive.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan 00000000000000000000000000000000 I

D:\New Folder\programs\mp3splitter.exe probably a variant of Win32/TrojanDownloader.Agent trojan 00000000000000000000000000000000 I

G:\music\Nero 7.10.1.0 (stew's)\Nero-7.10.1.0_eng_full.exe Win32/Toolbar.AskSBar application 00000000000000000000000000000000 I

AdvancedSetup · July 11, 2009

STEP 01

Please submit the following files to http://www.virustotal.com and if they come back as infected as well then delete them.

C:\Documents and Settings\Homer\Desktop\programs\mp3splitter.exe

D:\MUSIC\Rihanna - Good Girl Gone Bad (Reloaded) (2008)\05 - Shut Up & Drive.mp3

D:\New Folder\programs\mp3splitter.exe

STEP 02

Click on START - RUN and copy / paste the entry below into the run line and click OK

CMD /C NETSH FIREWALL RESET

Click on START - RUN and copy / paste the entry below into the run line and click OK

CMD /C NETSH int ip reset c:\resetlog.txt

STEP 03

Please disable your current Anti-Virus and then delete your current copy of Combofix.exe and dowload a NEW fresh copy and run it again and post back the log.

Additional links to download the tool:

ComboFix.exe

AdvancedSetup · July 12, 2009

Please post a status update on this.

Thanks.

AdvancedSetup · July 14, 2009

Is everything okay? Where did you go?

Please post an update so that I know what's going on.

Thanks.

bhof · July 15, 2009

Hey mate sorry late reply ive been sick with the flu and havent touched my comp.

I deleted those files, they werent needed anyway.

Heres the combofix log

ComboFix 09-07-14.07 - Homer 07/15/2009 14:25.2.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2943.2416 [GMT -7:00]

Running from: c:\documents and settings\Homer\Desktop\ComboFix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\proquota.exe . . . is missing!!

.

((((((((((((((((((((((((( Files Created from 2009-06-15 to 2009-07-15 )))))))))))))))))))))))))))))))

.

2009-07-11 21:35 . 2009-07-11 21:35 -------- d-----w- c:\program files\ESET