Nothing will run

[Antoniodz95]

Hello. I need help. Right now i am in safe mode and have windows xp 2010 virus. I cannot run mbam even in safe mode and really need help. I have AVG Free registered and did a full scan but it found nothing. Hope you can help me...

[Maurice Naggar]

Hello,

What is the Windows version/edition ?? Always, always state that when posting, especially on a malware problem.

If running on Vista or Windows 7:

Show all files:

• Click the Start button, and then click Computer.
  
• On the Organize menu, click Folder and Search Options.
  
• Click the View tab.
  
• Locate and uncheck Hide file extensions for known file types.
  
• Locate and uncheck Hide protected operating system files (Recommended).
  
• Locate and click Show hidden files and folders.
  
• Click Apply > OK.
  

If running on Windows XP:

Set Windows to show all files and all folders.

On your Desktop, double click My Computer, from the menu options, select tools, then Folder Options, and then select VIEW Tab and look at all of settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under column, Hidden files and folders----choose ( *select* ) Show hidden files and folders.

Next, un-check Hide extensions for known file types.

Next un-check Hide protected operating system files.

Step 2

Download and Save to the DESKTOP Win32kDiag from any of the following locations and save it to your Desktop.

• Download Win32kDiag (Win32kDiag.exe) - #1
  
• Download Win32kDiag (Win32kDiag.exe) - #2
  
• Download Win32kDiag (Win32kDiag.exe) - #3
  

Click on Start button. Select Run, and copy-paste the following command (the bolded text) into the "Open" textbox, and click OK.

"%userprofile%\desktop\win32kdiag.exe" -f -r

Step 3

Download Random's System Information Tool (RSIT) by random/random from here and save it to your desktop.

• Double click on RSIT.exe to run RSIT.
  
• Click Continue at the disclaimer screen.
  
• Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
  

Be sure to Copy and Paste the logs within the body of reply-text box.

Do NOT attach them using the attach option. Do not put the logs enclosed within code or quote boxes.

[Antoniodz95]

info.txt logfile of random's system information tool 1.06 2010-02-21 10:21:41

======Uninstall list======

-->C:\PROGRA~1\Yahoo!\Common\UNYT_W~1.EXE

-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe

-->MsiExec /X{B83FC356-B7C0-441F-8A4D-D71E088E7974}

-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf

[Antoniodz95]

oh and here is the win32kdiag.txt i dont know if you need it but here you go.

Running from: C:\Documents and Settings\Rudy\desktop\win32kdiag.exe

Log file at : C:\Documents and Settings\Rudy\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Finished!

[Maurice Naggar]

Whenever the rogue AV or any other rogue window pops-up, do this to close the rogue window. Repeat as needed.

Use ALT+F4 keys to close those rogue pop-up windows. Press and hold the ALT key & then press F4 key.

That closes the window in the foreground. It does -not- remove the rogue physically nor resolve the main issue.

The file association for running EXE programs has been contaminated. so 2 things:

a) Download to your Desktop FixPolicies.exe, by Bill Castner, MS-MVP, a self-extracting ZIP archive from

>>> here <<<

• Double-click FixPolicies.exe.
  
• Click the "Install" button on the bottom toolbar of the box that will open.
  
• The program will create a new Folder called FixPolicies.
  
• Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
  
• A black box will briefly appear and then close.
  
• This fix may prove temporary.
  Active malware may revert these changes at your next startup.
  You can safely run the utility again.
  

B-- If you continue to not be able to run programs (like the tools I'll have you run later on), do this

Start Task Manager by pressing and holding CTRL+ALT+DEL keys

Task Manager shows up. You would then press ALT+F to get File, then press N to do a New Task Run

You would need to type in the full name of the program.

For example, to start IE browser, type in

iexplore.exe

IF you are not able to download, do them on a clean pc and transfer downloads to the Desktop of this pc.

Please stand by for my next reply.

[Antoniodz95]

Ok i have 1 problem... I do not have access to a clean computer other than the library and i do not have a usb device other then my phone with a usb cable... Can i use that? the Fix did not work the av.exe keeps popping back up. Thanks for the help so far.

[Maurice Naggar]

IF you can manage to download via your cell-phone, do so ---- just be super careful.

I did give you directions on how you'd be able to start Internet Explorer.

You can also, logoff and restart system. Tap F8 right away, and select SAFE Mode with Networking

which would allow internet access !!

P.S.S. I told you Fixpolicies is NOT the cure for your problem. It only restores certain selected defaults, such as allowing the use of Task Manager, and the command prompt. and such. It does NOT kill any malware. It does not delete anything.

Make sure you have read my last reply, and understand it, and have got & run fixpolicies, and understand how to start Task Manager & how to start new Task. You will need to apply that knowledge.

Download The Avenger by Swandog46 from here.

• Unzip/extract it to a folder on your desktop.
  
• Double click on avenger.exe to run The Avenger.
  
• Click OK.
  
• Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  
• Copy all of the text in the below textbox to the clibpboard by highlighting it and then pressing Ctrl+C.
  

  Files to delete:
  C:\Documents and Settings\Rudy\Local Settings\Application Data\av.exe
  
  Drivers to disable:
  AV
  
  Drivers to delete:
  AV

  
  

• In the avenger window, click the Paste Script from Clipboard icon, button.
  
• Make sure that what appears in Avenger matches exactly what you were asked to Copy/Paste from the Code box above.
  
• Click the Execute button.
  
• You will be asked Are you sure you want to execute the current script?.
  
• Click Yes.
  
• You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  
• Click Yes.
  
• Your PC will now be rebooted.
  
• Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  
• If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
  
• After your PC has completed the necessary reboots, a log should automatically open. Please copy/paste the contents of c:\avenger.txt into your next reply.
  

[Antoniodz95]

Wow i got really scared... I couldnt run in safe mode but now i can run regularly in my regular account!!! Here is the log as requested.

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

No rootkits found!

File "C:\Documents and Settings\Rudy\Local Settings\Application Data\av.exe" deleted successfully.

Error: could not open driver "AV"

Disablement of driver "AV" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\AV" not found!

Deletion of driver "AV" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Completed script processing.

*******************

Finished! Terminate.

PS. On restart the computer did cleanup.bat is that good?

[Antoniodz95]

And now a new problem... Internet wont open unless i go to the Internet Explorer folder and right click and then start. Is there any way i can fix it? If i click it on the desktop it ask me what program i want to use to open it.

Wow i cannot find the edit button... Anytime i want to open ANY program it asks what i want to open it with. Any help?

[Maurice Naggar]

you will need to continue starting Internet Explorer as you had done, until such time as we restore the association on your system for running EXE programs. We are not done yet. Please have patience.

On the plus side, we have removed the rogue "AV.exe"

Step 1

1. Go >> Here << and download ERUNT

(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)

2. Install ERUNT by following the prompts

(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)

3. Start ERUNT

(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)

4. Choose a location for the backup

(the default location is C:\WINDOWS\ERDNT which is acceptable).

5. Make sure that at least the first two check boxes are ticked

6. Press OK

7. Press YES to create the folder.

Step 2

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

For directions on how, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Do NOT turn off the firewall

If you have a prior copy of Combofix, delete it now !

Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop as combofix.COM.

Link 1

Link 2

Link 3

* IMPORTANT !!! SAVE AS Combofix.COM to your Desktop

If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  
• Double click on ComboFix.com & follow the prompts.
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

Please watch Combofix as it runs, as you may see messages which require your response, or the pressing of OK button.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

-------------------------------------------------------

A caution - Do not run Combofix more than once.

Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.

If this occurs, please reboot to restore the desktop.

Even when ComboFix appears to be doing nothing, look at your Drive light.

If it is flashing, Combofix is still at work.

=

RE-Enable your AntiVirus and AntiSpyware applications.

Reply with copy of C:\Combofix.txt

[Antoniodz95]

What do i use to open it? Internet explorer just keeps asking me what i want to open it with.

[Maurice Naggar]

Like you did before

go to the Internet Explorer folder and right click and then start

[Antoniodz95]

Yes my internet Explorer is open but let me upload some pictures of my problem.

[Antoniodz95]

ok here you go.

untitled.bmp

help.bmp

[Maurice Naggar]

I don't understand the "upload picture" bit......

Nevertheless....

IF you are at a stopping point ---- nothing else running on this system.

You have FixPolicies. Run it one more time. Keep going if you have a glitch.

Download this file http://www.dougknox.com/xp/fileassoc/xp_exe_fix.zip

courtesy of Doug Knox

Save the ZIP file. Then extract the content. It is a .REG file

Put that somewhere on the problem-system ---- best on the Desktop

Then, RIGHT-Click on xp_exe_fix.reg file

and then select MERGE

Once completed, that will cure the issue of not being able to start EXE programs.

Next do the steps I asked for in my prior response ---- to get ERUNT, run it, get Combofix & run it.

Please go slow & careful.

[Antoniodz95]

Ok so heres the ComboFix logfile

ComboFix 10-02-21.01 - Rudy 02/21/2010 12:18:21.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2547 [GMT -8:00]

Running from: c:\documents and settings\Rudy\Desktop\ComboFix.com

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Guest\Local Settings\Application Data\{674505EC-3AD0-43F5-93F8-0D5FD55B12BB}

c:\documents and settings\Guest\Local Settings\Application Data\{674505EC-3AD0-43F5-93F8-0D5FD55B12BB}\chrome.manifest

c:\documents and settings\Guest\Local Settings\Application Data\{674505EC-3AD0-43F5-93F8-0D5FD55B12BB}\chrome\content\_cfg.js

c:\documents and settings\Guest\Local Settings\Application Data\{674505EC-3AD0-43F5-93F8-0D5FD55B12BB}\chrome\content\overlay.xul

c:\documents and settings\Guest\Local Settings\Application Data\{674505EC-3AD0-43F5-93F8-0D5FD55B12BB}\install.rdf

c:\documents and settings\Rudy\Local Settings\Temporary Internet Files\77mya.jpg

c:\documents and settings\Rudy\Local Settings\Temporary Internet Files\AaYkp.jpg

c:\documents and settings\Rudy\Local Settings\Temporary Internet Files\J8NBm1B.jpg

c:\documents and settings\Rudy\Local Settings\Temporary Internet Files\m0150k0.jpg

c:\documents and settings\Rudy\Local Settings\Temporary Internet Files\n10bj0mM.jpg

c:\documents and settings\Rudy\Local Settings\Temporary Internet Files\p0lb1xA05.jpg

c:\documents and settings\Rudy\Local Settings\Temporary Internet Files\XXm5Ba0La.jpg

c:\documents and settings\Rudy\Local Settings\Temporary Internet Files\yAPm7oLA.jpg

c:\windows\system32\AutoRun.inf

.

((((((((((((((((((((((((( Files Created from 2010-01-21 to 2010-02-21 )))))))))))))))))))))))))))))))

.

2010-02-21 20:07 . 2010-02-21 20:08 -------- d-----w- c:\program files\ERUNT

2010-02-21 18:20 . 2010-02-21 18:20 -------- d-----w- c:\program files\trend micro

2010-02-21 18:20 . 2010-02-21 18:21 -------- d-----w- C:\rsit

2010-02-21 16:58 . 2010-02-21 16:58 -------- d-----w- c:\program files\MSXML 4.0

2010-02-21 16:58 . 2010-02-21 16:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Hewlett-Packard

2010-02-21 16:57 . 2010-02-21 16:57 -------- d-----w- c:\program files\Hewlett-Packard

2010-02-21 16:56 . 2010-02-21 16:56 -------- d--h--w- c:\windows\msdownld.tmp

2010-02-21 04:06 . 2007-03-28 22:01 117760 ----a-w- c:\windows\system32\hpzll5ha.dll

2010-02-21 04:06 . 2007-03-28 21:57 274944 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpzpp5ha.dll

2010-02-21 04:06 . 2008-04-14 08:15 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys

2010-02-21 04:06 . 2008-04-14 08:15 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys

2010-02-21 04:04 . 2010-02-21 04:04 -------- d-----w- c:\program files\Common Files\Hewlett-Packard

2010-02-21 04:04 . 2007-03-08 19:20 21568 ----a-w- c:\windows\system32\drivers\HPZius12.sys

2010-02-21 04:04 . 2007-03-08 19:20 16496 ----a-w- c:\windows\system32\drivers\HPZipr12.sys

2010-02-21 04:04 . 2007-03-08 19:20 49920 ----a-w- c:\windows\system32\drivers\HPZid412.sys

2010-02-21 04:04 . 2007-03-31 05:07 267864 ----a-w- c:\windows\system32\hpzids01.dll

2010-02-21 04:04 . 2007-03-18 06:11 303104 ----a-w- c:\windows\system32\hpovst10.dll

2010-02-21 04:04 . 2010-02-21 16:55 -------- dc----w- c:\windows\system32\DRVSTORE

2010-02-21 04:04 . 2007-03-18 06:11 675840 ----a-w- c:\windows\system32\hpowiax3.dll

2010-02-21 04:04 . 2007-03-18 06:11 569344 ----a-w- c:\windows\system32\hpotscl3.dll

2010-02-21 04:04 . 2007-03-08 19:20 364544 ----a-w- c:\windows\system32\hppldcoi.dll

2010-02-21 04:04 . 2007-03-08 19:20 309760 ----a-w- c:\windows\system32\difxapi.dll

2010-02-21 04:04 . 2010-02-21 04:04 -------- d-----w- c:\program files\HP

2010-02-21 04:02 . 2010-02-21 04:07 122797 ----a-w- c:\windows\hpoins14.dat

2010-02-21 04:02 . 2007-09-21 11:55 1996 ------w- c:\windows\hpomdl14.dat

2010-02-20 22:44 . 2005-05-26 23:34 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll

2010-02-20 22:42 . 2010-02-20 22:44 -------- d-----w- c:\windows\Logs

2010-02-20 20:42 . 2010-02-20 20:42 -------- d-----w- c:\program files\Windows Media Connect 2

2010-02-20 20:42 . 2008-04-14 03:42 221184 ----a-w- c:\windows\system32\wmpns.dll

2010-02-20 20:39 . 2010-02-20 20:41 -------- d-----w- C:\b906b94b06fe8f09838c

2010-02-20 20:39 . 2010-02-20 20:41 -------- d-----w- c:\windows\system32\drivers\UMDF

2010-02-20 20:39 . 2010-02-20 20:39 -------- d-----w- c:\windows\system32\LogFiles

2010-02-19 18:35 . 2010-02-19 18:35 -------- d-----w- c:\documents and settings\Rudy\Application Data\Malwarebytes

2010-02-19 18:35 . 2010-02-21 16:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-02-19 18:35 . 2010-02-19 18:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-02-18 20:06 . 2010-02-18 20:06 -------- d-----w- c:\windows\system32\wbem\Repository

2010-02-17 22:08 . 2010-02-17 22:08 -------- d-----w- c:\documents and settings\Rudy\Application Data\Subversion

2010-01-31 18:08 . 2010-01-31 18:08 -------- d-----w- c:\documents and settings\Guest\Application Data\uTorrent

2010-01-30 14:53 . 2010-02-19 18:58 -------- d-----w- c:\program files\uTorrent

2010-01-30 14:53 . 2010-02-21 16:56 -------- d-----w- c:\documents and settings\Rudy\Application Data\uTorrent

2010-01-30 14:05 . 2010-01-30 14:05 -------- d-sh--w- c:\documents and settings\Rudy\IECompatCache

2010-01-25 22:59 . 2010-01-25 22:59 -------- d-----w- c:\windows\Sun

2010-01-24 20:07 . 2010-01-29 17:16 0 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\Nguzewugonajeroy.bin

2010-01-24 20:07 . 2010-01-30 03:42 120 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\Owabakamodetakob.dat

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-02-21 17:51 . 2009-06-22 01:43 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-02-21 17:04 . 2010-01-13 02:46 -------- d-----w- c:\documents and settings\Rudy\Application Data\LimeWire

2010-02-21 17:03 . 2010-01-02 19:47 -------- d-----w- c:\program files\Steam

2010-02-04 18:01 . 2010-02-20 22:45 74072 ----a-w- c:\windows\system32\XAPOFX1_4.dll

2010-02-04 18:01 . 2010-02-20 22:45 528216 ----a-w- c:\windows\system32\XAudio2_6.dll

2010-02-04 18:01 . 2010-02-20 22:45 238936 ----a-w- c:\windows\system32\xactengine3_6.dll

2010-02-04 18:01 . 2010-02-20 22:45 22360 ----a-w- c:\windows\system32\X3DAudio1_7.dll

2010-01-22 01:13 . 2010-01-22 01:13 12328 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-01-05 18:52 . 2010-01-05 18:52 411368 ----a-w- c:\windows\system32\deploytk.dll

2010-01-05 18:52 . 2010-01-05 18:52 -------- d-----w- c:\program files\Java

2010-01-05 18:52 . 2010-01-05 18:52 152576 ----a-w- c:\documents and settings\Rudy\Application Data\Sun\Java\jre1.6.0_16\lzma.dll

2010-01-04 17:59 . 2010-01-04 14:30 -------- d--h--r- c:\documents and settings\Guest\Application Data\yahoo!

2010-01-04 00:03 . 2010-01-04 00:02 -------- d-----w- c:\program files\Jnes

2010-01-03 00:51 . 2009-06-22 01:32 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat

2010-01-02 20:27 . 2010-01-02 20:27 12464 ----a-w- c:\windows\system32\avgrsstx.dll

2010-01-02 20:27 . 2010-01-02 20:27 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-01-02 20:27 . 2010-01-02 20:27 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-01-02 20:27 . 2010-01-02 20:27 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2010-01-02 20:27 . 2010-01-02 20:27 -------- d-----w- c:\program files\AVG

2010-01-02 20:27 . 2010-01-02 20:27 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

2009-12-31 16:50 . 2008-04-13 22:45 353792 ----a-w- c:\windows\system32\drivers\srv.sys

2009-12-21 19:14 . 2008-04-14 03:42 916480 ----a-w- c:\windows\system32\wininet.dll

2009-12-16 18:43 . 2009-06-22 01:29 343040 ----a-w- c:\windows\system32\mspaint.exe

2009-12-14 07:08 . 2008-04-14 03:41 33280 ----a-w- c:\windows\system32\csrsrv.dll

2009-12-08 19:26 . 2008-04-13 22:54 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe

2009-12-08 18:43 . 2008-04-14 00:01 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe

2009-12-04 18:22 . 2008-04-13 22:47 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2009-11-27 17:11 . 2008-04-14 05:42 17920 ----a-w- c:\windows\system32\msyuv.dll

2009-11-27 17:11 . 2008-04-14 03:42 1291776 ----a-w- c:\windows\system32\quartz.dll

2009-11-27 16:07 . 2001-08-23 12:00 28672 ----a-w- c:\windows\system32\msvidc32.dll

2009-11-27 16:07 . 2001-08-17 22:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll

2009-11-27 16:07 . 2008-04-14 05:41 48128 ----a-w- c:\windows\system32\iyuv_32.dll

2009-11-27 16:07 . 2008-04-14 03:42 11264 ----a-w- c:\windows\system32\msrle32.dll

2009-11-27 16:07 . 2008-04-14 03:41 84992 ----a-w- c:\windows\system32\avifil32.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Steam"="c:\program files\steam\steam.exe" [2010-02-20 1217872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"nwiz"="nwiz.exe" [2009-06-10 1657376]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-06-10 86016]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-10 13758464]

"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-05 149280]

c:\documents and settings\Rudy\Start Menu\Programs\Startup\

LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2009-12-16 503808]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2010-01-02 20:27 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Steam\\Steam.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

"c:\\Program Files\\Steam\\steamapps\\lor72\\team fortress 2\\hl2.exe"=

"c:\\Program Files\\Steam\\steamapps\\lor72\\source 2007 dedicated server\\srcds.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Steam\\steamapps\\lordavatar95\\garrysmod\\hl2.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [1/2/2010 12:27 PM 333192]

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [1/2/2010 12:27 PM 360584]

R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [1/2/2010 12:27 PM 906520]

R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [1/2/2010 12:27 PM 285392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

getPlusHelper REG_MULTI_SZ getPlusHelper

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08

.

Contents of the 'Scheduled Tasks' folder

2010-02-21 c:\windows\Tasks\WGASetup.job

- c:\windows\system32\KB905474\wgasetup.exe [2010-01-04 06:18]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-02-21 12:27

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2010-02-21 12:28:13

ComboFix-quarantined-files.txt 2010-02-21 20:28

Pre-Run: 96,288,755,712 bytes free

Post-Run: 98,081,968,128 bytes free

- - End Of File - - 3B98F5A4878538D25E2BBFC59C3FBAF6

[Maurice Naggar]

You must remove LimeWire and

[Antoniodz95]

Ok Limewire and

[Maurice Naggar]

Step 1

You have FixPolicies from before. Open Folder called FixPolicies.

and then double-click the file within: Fix_Policies.cmd

This does not remove anything nor delete anything. It restores some functions.

This should be fairly quick run. Keep going with next steps in any event.

Step 2

Download TFC by OldTimer to your desktop

• Please double-click TFC.exe to run it. (Note: If you are running on Vista or Windows 7, right-click on the file and choose Run As Administrator).
  
• It will close all programs when run, so make sure you have saved all your work before you begin.
  
• Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  
• IF prompted to Reboot, reply "Yes".
  

Step 3

Start your MBAM MalwareBytes' Anti-Malware.

Click the Settings Tab. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

When done, click the Scanner tab.

Do a Quick Scan.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Step 4

Scan the system with the Kaspersky Online Scanner

http://www.kaspersky.com/kos/eng/partner/d...kavwebscan.html

Attention: Kaspersky Online Scanner 7.0 may not run successfully while another antivirus program is running. If you have Anti-Virus software installed, please temporarily disable your AV protection before running the Kaspersky Online Scanner. Reenable it after the scan is finished.

During this run, make sure your browser does not block popup windows. Have patience while some screens populate.

Read the Information block presented on the screen, and then press the Accept button.

1) Accept the agreement

2) The necessary files will be downloaded and installed. Please have plenty of patience.

3) After Kaspersky AntiVirus Database is updated, look at the Scan box.

4) Click the My Computer line

5 ) Be infinetely patient, the scan is comprehensive and, unlike other online antivirus scanners, will detect all malwares

6) When the scan is completed there will be an option to Save report as a .txt file. Click that button. Copy and paste the report into your reply.

( To see an animated tutorial-how-to on the scan, see >>this link<<)

Re-enable your antivirus program after Kaspersky has finished.

Kapersky Online Scanner can be uninstalled later on from Add or Remove Programs in the Control Panel, if desired.

Do not be alarmed if Kaspersky tags items that are already in quarantine by MBAM, or ComboFix's Qoobox & quarantine.

Kaspersky is a report only and does not remove files.

Post back with copies of the MBAM scan log &

Kaspersky.txt report.

How is your system now

[Antoniodz95]

Currently doing the Kaspersky update taking forever but other than that my computer is performing like brand new!!! Thank you so much. Here is my MBAM results for now.

Malwarebytes' Anti-Malware 1.44

Database version: 3772

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

2/21/2010 1:18:29 PM

mbam-log-2010-02-21 (13-18-29).txt

Scan type: Quick Scan

Objects scanned: 124813

Time elapsed: 3 minute(s), 18 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

[Maurice Naggar]

Ok, very good. Let the Kaspersky scan run without interruption. Don't use the system for any other task.

After the end of the scan, post the log from Kaspersky for my review.

And do not go away; there will be cleanups afterwards.

You may count yourself as having a very lucky day.

[Antoniodz95]

ok FINALLY done with the kaspersky scan so here you go.

KASPERSKY ONLINE SCANNER 7.0: scan report

Sunday, February 21, 2010

Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Last database update: Sunday, February 21, 2010 20:49:11

Records in database: 3610312

Scan settings

scan using the following database extended

Scan archives yes

Scan e-mail databases yes

Scan area My Computer

A:\

C:\

D:\

Scan statistics

Objects scanned 45251

Threats found 0

Infected objects found 0

Suspicious objects found 0

Scan duration 00:36:43

No threats found. Scanned area is clean.

Selected area has been scanned.

Thank you very much for your help and patience. I hope you have a wonderful week!

[Maurice Naggar]

We are very fortunate to have gotten this far and have got the system back in good shape.

You got a very nasty fake antivirus (rogue) which hosed the standard Windows association for running any executable.

My guess is that it likely arrived from downloading or having peer-to-peer apps, like LimeWire / uTorrent.

Stay away from those apps as if they were the black-death-plague.

secutity updates

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

• Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.
  
• Scroll down to where it says "Java Platform Standard Edition"
  
• Click the "Download" button that is marked Download JRE.
  
• Select the Windows platform from the dropdown menu.
  
• Read the License Agreement and then check the box that says: "Java SE Runtime Environment 6u18 with JavaFX 1 License Agreement . ". Click on Continue.The page will refresh.
  
• Click on the link to download Windows Offline Installation and save the file to your desktop.
  
• Close any programs you may have running - especially your web browser.
  
• Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  
• Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java) in the name.
  
• Click the Remove or Change/Remove button.
  
• Repeat as many times as necessary to remove each Java versions.
  
• Reboot your computer once all Java components are removed.
  
• Then from your desktop double-click on jre-6u18-windows-i586.exe to install the newest version.
  

• After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
  • On the General tab, under Temporary Internet Files, click the Settings button.
    
  • Next, click on the Delete Files button
    
  • There are two options in the window to clear the cache - Leave BOTH Checked
    • Applications and Applets
      Trace and Log Files
      

    [*]Click OK on Delete Temporary Files Window

    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.

    [*]Click OK to leave the Temporary Files Window

Small tweaks for Java runtime, since most all users do not need to load Java at each Windows startup:

Click Advanced Tab. Expand the Miscellaneous item.

UN-check the line Java quick starter

If you want to also un-check the "Check for updates automatically" you may:

Click the Update tab. un-check the line if it is checked.

Press Apply then OK. Close the applet when done.

To test your Java Run-time, you may go to this page http://www.java.com/en/download/help/testvm.xml

When all is well, you should see Java Version: 1.6.0_18 from Sun Microsystems Inc.

Cleanups / removals

Go to Control Panel and Add-or-Remove programs.

Look for Kaspersky Online and click the line for it. Select Change/Remove to de-install it.

OK & Exit out of Control Panel

I see that you are clear of your original issues.

If you have a problem with these steps, or something does not quite work here, do let me know.

The following few steps will remove tools we used; followed by advice on staying safer.

Locate the combofix (red lion icon) on your Desktop c:\documents and settings\Rudy\Desktop\ComboFix.com

Right-click on it, and select RENAME

Rename it to Combofix.EXE

The "/uninstall" in the Run line below is to start Combofix for it's cleanup & removal function.

Note the space after exe and before the slash mark.

The utility must be removed to prevent any un-intentional or accidental usage, PLUS, to free up much space on your hard disk.

• Click Start, then click Run. Then type in

  CMD

  and press Enter-key.
  This will open a command-prompt window.
  In the command box that opens, type or copy/paste
  c:\documents and settings\Rudy\Desktop\ComboFix.exe /uninstall
  and then click OK.
  

IF you run into a hitch removing Combofix, continue forward anyway to the remaining steps.

• Download OTL by OldTimer to your desktop: http://oldtimer.geekstogo.com/OTL.exe
  
• Please double-click OTL.exe to run it.
  
• Click on the CleanUp! button at upper Right corner. When you do this a text file named cleanup.txt will be downloaded from the internet. If you get a warning from your firewall or other security programs regarding OTL attempting to contact the internet you should allow it to do so. After the list has been download you'll be asked if you want to Begin cleanup process? Select Yes.
  
• This step removes the files, folders, and shortcuts created by the tools I had you download and run.
  

• Run Disk Cleanup with the System Restore Cleanup as outlined here by Bert Kinney, MS MVP
  http://bertk.mvps.org/html/diskclean.html
  
• Configure your Antivirus software to check for updates daily, at a time in which you are sure the computer will be on.
  
• Check in at Windows Update and install any Critical Updates offered.
  
• Check on other update issues as well, visit Secunia Online Software Inspector (OSI)
  
• Download and Install Windows Defender by Microsoft (free) if you do not already have it:
  http://www.microsoft.com/downloads/details...A4-F7F14E605A0D
  
• Make certain that Automatic Updates is enabled.
  How to configure and use Automatic Updates in WinXP:
  http://support.microsoft.com/kb/306525
  
• Download, install, and keep updated Spyware Blaster (free): http://www.javacoolsoftware.com/spywareblaster.html (all Protections should be enabled at all times)
  
• I'd recommend that you get and use MVP Mike Burgess' custom hosts file http://mvps.org/winhelp2002/hosts.htm
  See the FAQ page http://mvps.org/winhelp2002/hostsfaq.htm
  That would help to keep your browser away from known spyware/malware sites.
  
• Make regular backups of your system to removable media: DVD, USB external hard drive, etc.
  On some regular schedule, it is a good idea to do an online scan for viruses and malware. Here is a very short list of sites where this may be done:
  Kaspersky Webscan Online Virus Scanner
  ESET Online Scanner
  Panda ActiveScan
  Trend Micro Housecall
  F-Secure Online Scanner
  
• Read Tony Klein's article How Did I Get Infected In The First Place
  
• Never, ever download free games, free tools, smileys, or anything free unless you can be absolutely sure the source is safe !
  

In honor of this recovery, a rare appearance of dancing 'critters

We are finished here. Best regards.

[Antoniodz95]

Perfect. I have downloaded SpywareBlaster and Online Armor as in the link on you previous post. I would like to say thank you for everything you have done and hope i dont have to see you in the future Have a great week.

[Maurice Naggar]

Very well. Stay safe. Glad this was resolved.

The procedures used here were only for this system. If you are a casual viewer and have issues, start your own topic.