Virus reappears after removal

[sigtaba]

As I was instructed in a prior forum, I was unable to run Defogger and also GMER Root Kit scanner. The virus will only let me run the DDS. Attached are the results and also the malewarebytes file. Please help.

DDS1.zip

dds2.zip

virus.zip

[extremeboy]

Hello and welcome to Malwarebytes.

I Apologize for the late response.

If you still require assistance, we would like to see the latest state of your system. So, please take a read in this thread on instructions on running the tools and posting the logs for instructions: http://www.malwarebytes.org/forums/index.php?showtopic=9573

In your reply, I would also like to know any symptoms you may still have and how your computer is running at the moment.

Please note that the forum is very busy and if I don't hear from you in five days this thread will be closed.

With Regards,

Extremeboy

[sigtaba]

Hello and welcome to Malwarebytes.

I Apologize for the late response.

If you still require assistance, we would like to see the latest state of your system. So, please take a read in this thread on instructions on running the tools and posting the logs for instructions: http://www.malwarebytes.org/forums/index.php?showtopic=9573

In your reply, I would also like to know any symptoms you may still have and how your computer is running at the moment.

Please note that the forum is very busy and if I don't hear from you in five days this thread will be closed.

With Regards,

Extremeboy

[sigtaba]

As I stated in my message, I was unable to run Defogger and also GMER Root Kit scanner. The virus won't let me run them. The virus will only let me run the DDS. I attached the results and also the malewarebytes file in my prior post. Are you able to help me? Currently when I try to run almost any program a screen pops up stating that "windows can not open this file" and asking me to select a program from a list.

[extremeboy]

Can you then please run DDS again for me so I can see an updated situation of your system and so we can proceed from there.

You're file associations appear to be broken, thus giving you that error. We'll deal with you're problem upon seeing the new DDS logs.

Thanks.

[sigtaba]

Here are the updadted DDS.

Can you then please run DDS again for me so I can see an updated situation of your system and so we can proceed from there.

You're file associations appear to be broken, thus giving you that error. We'll deal with you're problem upon seeing the new DDS logs.

Thanks.

DDS3.txt

DDS4.txt

[extremeboy]

Yes, you're file associations indeed is broken, we need to fix that. When running the tools, rename the extension to something else such as OTM.com and run it since your .exe file associations are broken right now.

Please do the following...

View File extension, Hidden and System files

• Double click the My Computer icon.
  
• In the explorer window that pops-up, select the Tools menu and click Folder Options.
  
• After the new window appears select the View tab.
  
• Put a checkmark in the checkbox labeled Display the Contents of System Folders, if it is not already checked.
  
• Remove the checkmark from the checkbox labeled Hide File Extensions for Known File Types, if it is not already unchecked.
  
• Remove the checkmark from the checkbox labeled Hide Protected Operating System Files, if it is not already unchecked.
  
• Click the Apply button and then the OK button.
  
• Close all the windows.
  

Download and Run OTM

1. Please download OTM by OldTimer and save it to your desktop.
   
2. Double click the icon on your desktop If you are running on Vista, right click on the file and choose Run As Administrator.
   
3. Paste the following code under the area. Do not include the word "Code".
   

   :reg
   [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe]
   @="exefile"
   :Commands
   [CREATERESTOREPOINT]
   [resethosts]
   [emptytemp]

   
   

4. Click the large button.
   
5. If OTM requires are reboot, please allow it to do so.
   
6. Copy/Paste the contents under the line here in your next reply.
   

Note: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Then download this tool to your desktop and run it. Once you have done that see if you can get GMER to run. If not, do the same thing and re-name the extension to something else like GMER.com and try running it.

[sigtaba]

I was able to do everything but I can't open Notepad to paste the results because Notepad won't open like most of the other applications.

[extremeboy]

Attach the logs here then by clicking Add Reply and you should see the Attachments area which you can browse, upload and attach the logs.

Thanks.

[sigtaba]

How do I find the file?

Attach the logs here then by clicking Add Reply and you should see the Attachments area which you can browse, upload and attach the logs.

Thanks.

[sigtaba]

I found the moved files folder but I get this message when I try to upload any of the contents:

Upload failed. You are not permitted to upload this type of file

[sigtaba]

I think I have it now. Notepad opens up when I double click the folder in "Moved Files":

All processes killed

Error: Unable to interpret <reg> in the current context!

Error: Unable to interpret <[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe]> in the current context!

Error: Unable to interpret <@="exefile"> in the current context!

========== COMMANDS ==========

Restore point Set: OTM Restore Point (0)

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.

HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator

->Temp folder emptied: 376832 bytes

->Temporary Internet Files folder emptied: 25856125 bytes

->Flash cache emptied: 1320 bytes

User: All Users

User: Chris

->Temp folder emptied: 5622899 bytes

->Temporary Internet Files folder emptied: 202740466 bytes

->Java cache emptied: 5122617 bytes

->FireFox cache emptied: 58808486 bytes

->Flash cache emptied: 19302 bytes

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 32768 bytes

User: LocalService

->Temp folder emptied: 65984 bytes

->Temporary Internet Files folder emptied: 15816694 bytes

User: NetworkService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 4348145 bytes

User: Owner

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 19569 bytes

%systemroot%\System32 .tmp files removed: 2577 bytes

%systemroot%\System32\dllcache .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 216415784 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 34318 bytes

RecycleBin emptied: 250940955 bytes

Total Files Cleaned = 750.00 mb

OTM by OldTimer - Version 3.1.12.0 log created on 05222010_142059

Files moved on Reboot...

File C:\Documents and Settings\Chris\Local Settings\Temp\Temporary Internet Files\Content.IE5\OOAMF4VI\;_ylc=X1MDOTc1NDYxNjgEX3IDMgRjYXRlZ29yeQNJREVOVElGSUVSBGV4dGZyb20DBGZiAzAEZ

nJjb2RlA2NzY195bWFpbGNsBGlzZXh0AzAEaXQDc2hvcnRjdXRzOi91cy9pbnN0YW5jZS9pZGVudGlm[

1

].adNoOp&fr=csc_ymailcl not found!

File C:\Documents and Settings\Chris\Local Settings\Temp\Temporary Internet Files\Content.IE5\OOAMF4VI\AccountOverview-inside;lang=en_US;acct=biz;resid=US;DC=F;bcapp=F;bcpre=F;ver=T;F1=f;F2=f;F3=f;F4

=f;F5=f;F6=f;F7=f;F8=f;F9=f;F10=f;F11=f;F12=f;F13=t;F14=f;F15=f;F16=f;F17=f;[2] not found!

File C:\Documents and Settings\Chris\Local Settings\Temp\Temporary Internet Files\Content.IE5\OOAMF4VI\AccountOverview-inside;lang=en_US;acct=biz;resid=US;DC=F;bcapp=F;bcpre=F;ver=T;F1=f;F2=f;F3=f;F4

=f;F5=f;F6=f;F7=f;F8=t;F9=t;F10=t;F11=t;F12=f;F13=f;F14=f;F15=f;F16=f;F17=f;[2] not found!

File C:\Documents and Settings\Chris\Local Settings\Temp\Temporary Internet Files\Content.IE5\OOAMF4VI\AccountOverview-inside;lang=en_US;acct=biz;resid=US;DC=F;bcapp=F;bcpre=F;ver=T;F1=f;F2=f;F3=f;F4

=f;F5=f;F6=f;F7=f;F8=t;F9=t;F10=t;F11=t;F12=f;F13=f;F14=f;F15=f;F16=f;F17=f;[3] not found!

File C:\Documents and Settings\Chris\Local Settings\Temp\Temporary Internet Files\Content.IE5\OOAMF4VI\ShopsLogout-outside;lang=en_US;acct=;resid=US;DC=F;bcapp=F;bcpre=F;ver=F;F1=f;F2=f;F3=f;F4=f

;F5=f;F6=f;F7=f;F8=t;F9=t;F10=t;F11=t;F12=f;F13=f;F14=f;F15=f;F16=f;F17=f;F18=f;

[

2] not found!

File C:\Documents and Settings\Chris\Local Settings\Temp\Temporary Internet Files\Content.IE5\OOAMF4VI\ShopsLogout-outside;lang=en_US;acct=;resid=US;DC=F;bcapp=F;bcpre=F;ver=F;F1=f;F2=f;F3=f;F4=f

;F5=f;F6=f;F7=f;F8=t;F9=t;F10=t;F11=t;F12=f;F13=f;F14=f;F15=f;F16=f;F17=f;F18=f;

[

3] not found!

File C:\Documents and Settings\Chris\Local Settings\Temp\Temporary Internet Files\Content.IE5\I26L2YSW\AccountOverview-inside;lang=en_US;acct=biz;resid=US;DC=F;bcapp=F;bcpre=F;ver=T;F1=f;F2=f;F3=f;F4

=f;F5=f;F6=f;F7=f;F8=f;F9=f;F10=f;F11=f;F12=f;F13=t;F14=f;F15=f;F16=f;F17=f;[2] not found!

File C:\Documents and Settings\Chris\Local Settings\Temp\Temporary Internet Files\Content.IE5\I26L2YSW\AccountOverview-inside;lang=en_US;acct=biz;resid=US;DC=F;bcapp=F;bcpre=F;ver=T;F1=f;F2=f;F3=f;F4

=f;F5=f;F6=f;F7=f;F8=f;F9=f;F10=f;F11=f;F12=f;F13=t;F14=f;F15=f;F16=f;F17=f;[3] not found!

File C:\Documents and Settings\Chris\Local Settings\Temp\Temporary Internet Files\Content.IE5\I26L2YSW\AccountOverview-inside;lang=en_US;acct=biz;resid=US;DC=F;bcapp=F;bcpre=F;ver=T;F1=f;F2=f;F3=f;F4

=f;F5=f;F6=f;F7=f;F8=f;F9=f;F10=f;F11=f;F12=f;F13=t;F14=f;F15=f;F16=f;F17=f;[4] not found!

File C:\Documents and Settings\Chris\Local Settings\Temp\Temporary Internet Files\Content.IE5\I26L2YSW\AccountOverview-inside;lang=en_US;acct=biz;resid=US;DC=F;bcapp=F;bcpre=F;ver=T;F1=f;F2=f;F3=f;F4

=f;F5=f;F6=f;F7=f;F8=f;F9=f;F10=f;F11=f;F12=f;F13=t;F14=f;F15=f;F16=f;F17=f;[5] not found!

File C:\Documents and Settings\Chris\Local Settings\Temp\Temporary Internet Files\Content.IE5\I26L2YSW\AccountOverview-inside;lang=en_US;acct=biz;resid=US;DC=F;bcapp=F;bcpre=F;ver=T;F1=f;F2=f;F3=f;F4

=f;F5=f;F6=f;F7=f;F8=t;F9=t;F10=t;F11=t;F12=f;F13=f;F14=f;F15=f;F16=f;F17=f;[2] not found!

File C:\Documents and Settings\Chris\Local Settings\Temp\Temporary Internet Files\Content.IE5\I26L2YSW\AccountOverview-inside;lang=en_US;acct=biz;resid=US;DC=F;bcapp=F;bcpre=F;ver=T;F1=f;F2=f;F3=f;F4

=f;F5=f;F6=f;F7=f;F8=t;F9=t;F10=t;F11=t;F12=f;F13=f;F14=f;F15=f;F16=f;F17=f;[3] not found!

File C:\Documents and Settings\Chris\Local Settings\Temp\Temporary Internet Files\Content.IE5\I26L2YSW\AccountOverview-inside;lang=en_US;acct=biz;resid=US;DC=F;bcapp=F;bcpre=F;ver=T;F1=f;F2=f;F3=f;F4

=f;F5=f;F6=f;F7=f;F8=t;F9=t;F10=t;F11=t;F12=f;F13=f;F14=f;F15=f;F16=f;F17=f;[4] not found!

File C:\Documents and Settings\Chris\Local Settings\Temp\Temporary Internet Files\Content.IE5\H1EN0HN4\AccountOverview-inside;lang=en_US;acct=biz;resid=US;DC=F;bcapp=F;bcpre=F;ver=T;F1=f;F2=f;F3=f;F4

=f;F5=f;F6=f;F7=f;F8=f;F9=f;F10=f;F11=f;F12=f;F13=t;F14=f;F15=f;F16=f;F17=f;[2] not found!

File C:\Documents and Settings\Chris\Local Settings\Temp\Temporary Internet Files\Content.IE5\H1EN0HN4\AccountOverview-inside;lang=en_US;acct=biz;resid=US;DC=F;bcapp=F;bcpre=F;ver=T;F1=f;F2=f;F3=f;F4

=f;F5=f;F6=f;F7=f;F8=f;F9=f;F10=f;F11=f;F12=f;F13=t;F14=f;F15=f;F16=f;F17=f;[3] not found!

File C:\Documents and Settings\Chris\Local Settings\Temp\Temporary Internet Files\Content.IE5\H1EN0HN4\AccountOverview-inside;lang=en_US;acct=biz;resid=US;DC=F;bcapp=F;bcpre=F;ver=T;F1=f;F2=f;F3=f;F4

=f;F5=f;F6=f;F7=f;F8=t;F9=t;F10=t;F11=t;F12=f;F13=f;F14=f;F15=f;F16=f;F17=f;[2] not found!

File C:\Documents and Settings\Chris\Local Settings\Temp\Temporary Internet Files\Content.IE5\H1EN0HN4\AccountOverview-inside;lang=en_US;acct=biz;resid=US;DC=F;bcapp=F;bcpre=F;ver=T;F1=f;F2=f;F3=f;F4

=f;F5=f;F6=f;F7=f;F8=t;F9=t;F10=t;F11=t;F12=f;F13=f;F14=f;F15=f;F16=f;F17=f;[3] not found!

File C:\Documents and Settings\Chris\Local Settings\Temp\Temporary Internet Files\Content.IE5\H1EN0HN4\AccountOverview-inside;lang=en_US;acct=biz;resid=US;DC=F;bcapp=F;bcpre=F;ver=T;F1=f;F2=f;F3=f;F4

=f;F5=f;F6=f;F7=f;F8=t;F9=t;F10=t;F11=t;F12=f;F13=f;F14=f;F15=f;F16=f;F17=f;[4] not found!

File C:\Documents and Settings\Chris\Local Settings\Temp\Temporary Internet Files\Content.IE5\H1EN0HN4\Fym%2Fshowfolder%3Fsearch%3D%26npos%3D6%26next%3D1%26yy%3D16729%26y5beta%3Dyes%26y5beta%3Dyes%26inc%3D25%26order%3Ddown%26sort%3Ddate%26pos%3D5%26view%3Da%26head%3Db%26box%3Dinbox, not found!

File C:\Documents and Settings\Chris\Local Settings\Temp\Temporary Internet Files\Content.IE5\H1EN0HN4\ShopsLogout-outside;lang=en_US;acct=;resid=US;DC=F;bcapp=F;bcpre=F;ver=F;F1=f;F2=f;F3=f;F4=f

;F5=f;F6=f;F7=f;F8=f;F9=f;F10=f;F11=f;F12=f;F13=t;F14=f;F15=f;F16=f;F17=f;F18=f;

[

2] not found!

File C:\Documents and Settings\Chris\Local Settings\Temp\Temporary Internet Files\Content.IE5\H1EN0HN4\ShopsLogout-outside;lang=en_US;acct=;resid=US;DC=F;bcapp=F;bcpre=F;ver=F;F1=f;F2=f;F3=f;F4=f

;F5=f;F6=f;F7=f;F8=t;F9=t;F10=t;F11=t;F12=f;F13=f;F14=f;F15=f;F16=f;F17=f;F18=f;

[

2] not found!

File C:\Documents and Settings\Chris\Local Settings\Temp\Temporary Internet Files\Content.IE5\5F3BW09R\AccountOverview-inside;lang=en_US;acct=biz;resid=US;DC=F;bcapp=F;bcpre=F;ver=T;F1=f;F2=f;F3=f;F4

=f;F5=f;F6=f;F7=f;F8=f;F9=f;F10=f;F11=f;F12=f;F13=t;F14=f;F15=f;F16=f;F17=f;[2] not found!

File C:\Documents and Settings\Chris\Local Settings\Temp\Temporary Internet Files\Content.IE5\5F3BW09R\AccountOverview-inside;lang=en_US;acct=biz;resid=US;DC=F;bcapp=F;bcpre=F;ver=T;F1=f;F2=f;F3=f;F4

=f;F5=f;F6=f;F7=f;F8=f;F9=f;F10=f;F11=f;F12=f;F13=t;F14=f;F15=f;F16=f;F17=f;[3] not found!

File C:\Documents and Settings\Chris\Local Settings\Temp\Temporary Internet Files\Content.IE5\5F3BW09R\AccountOverview-inside;lang=en_US;acct=biz;resid=US;DC=F;bcapp=F;bcpre=F;ver=T;F1=f;F2=f;F3=f;F4

=f;F5=f;F6=f;F7=f;F8=f;F9=f;F10=f;F11=f;F12=f;F13=t;F14=f;F15=f;F16=f;F17=f;[4] not found!

File C:\Documents and Settings\Chris\Local Settings\Temp\Temporary Internet Files\Content.IE5\5F3BW09R\AccountOverview-inside;lang=en_US;acct=biz;resid=US;DC=F;bcapp=F;bcpre=F;ver=T;F1=f;F2=f;F3=f;F4

=f;F5=f;F6=f;F7=f;F8=f;F9=f;F10=f;F11=f;F12=f;F13=t;F14=f;F15=f;F16=f;F17=f;[5] not found!

File C:\Documents and Settings\Chris\Local Settings\Temp\Temporary Internet Files\Content.IE5\5F3BW09R\AccountOverview-inside;lang=en_US;acct=biz;resid=US;DC=F;bcapp=F;bcpre=F;ver=T;F1=f;F2=f;F3=f;F4

=f;F5=f;F6=f;F7=f;F8=f;F9=f;F10=f;F11=f;F12=f;F13=t;F14=f;F15=f;F16=f;F17=f;[6] not found!

File C:\Documents and Settings\Chris\Local Settings\Temp\Temporary Internet Files\Content.IE5\5F3BW09R\AccountOverview-inside;lang=en_US;acct=biz;resid=US;DC=F;bcapp=F;bcpre=F;ver=T;F1=f;F2=f;F3=f;F4

=f;F5=f;F6=f;F7=f;F8=t;F9=t;F10=t;F11=t;F12=f;F13=f;F14=f;F15=f;F16=f;F17=f;[2] not found!

File C:\Documents and Settings\Chris\Local Settings\Temp\Temporary Internet Files\Content.IE5\5F3BW09R\ShopsLogout-outside;lang=en_US;acct=;resid=US;DC=F;bcapp=F;bcpre=F;ver=F;F1=f;F2=f;F3=f;F4=f

;F5=f;F6=f;F7=f;F8=f;F9=f;F10=f;F11=f;F12=f;F13=t;F14=f;F15=f;F16=f;F17=f;F18=f;

[

2] not found!

File C:\Documents and Settings\Chris\Local Settings\Temp\Temporary Internet Files\Content.IE5\5F3BW09R\ShopsLogout-outside;lang=en_US;acct=;resid=US;DC=F;bcapp=F;bcpre=F;ver=F;F1=f;F2=f;F3=f;F4=f

;F5=f;F6=f;F7=f;F8=t;F9=t;F10=t;F11=t;F12=f;F13=f;F14=f;F15=f;F16=f;F17=f;F18=f;

[

2] not found!

C:\Documents and Settings\Chris\Local Settings\Temp\Google Toolbar\GoogleToolbarWelcome.log moved successfully.

C:\Documents and Settings\Chris\Local Settings\Temp\~DF91E8.tmp moved successfully.

C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\X6UGJICK\md[1].htm moved successfully.

C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\TMDVKKI4\180[1].htm moved successfully.

C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\TMDVKKI4\welcome[1].rand=2jpqa4k5s16u4 moved successfully.

C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\KNTR7GSB\iframe[1].htm moved successfully.

C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\9OHFBJLQ\direct=MNW&rn=1274555856765&em=%7B%22site-attribute%22%3A%20%22content%3Dno_expandable%3Bajax_cert_expandable%3BATT_Mail_Portal_Block%22%7D&tgt=_blank&vw=showMessage moved successfully.

File C:\WINDOWS\temp\mcmsc_fIHFRgRCATUJdOX not found!

File C:\WINDOWS\temp\mcmsc_raSv9f3jpGEWdfQ not found!

Registry entries deleted on Reboot...

[extremeboy]

The OTM script did not go successfully because you did not copy the full script correctly. You forgot the colon ( : ) before the "reg"

Please run OTM again using the following script like last time. Don't forget the colon this time.

:reg
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe]
@="exefile"
:Commands
[CREATERESTOREPOINT]
[resethosts]
[emptytemp]

Thanks.

[sigtaba]

OK, Here it is:

All processes killed

========== REGISTRY ==========

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe\\@|"exefile" /E : value set successfully!

========== COMMANDS ==========

Restore point Set: OTM Restore Point (0)

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.

HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

->Flash cache emptied: 0 bytes

User: All Users

User: Chris

->Temp folder emptied: 33639 bytes

->Temporary Internet Files folder emptied: 4882333 bytes

->Java cache emptied: 0 bytes

->FireFox cache emptied: 0 bytes

->Flash cache emptied: 405 bytes

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

User: LocalService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

User: Owner

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 0 bytes

%systemroot%\System32 .tmp files removed: 0 bytes

%systemroot%\System32\dllcache .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 664 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes

RecycleBin emptied: 0 bytes

Total Files Cleaned = 5.00 mb

OTM by OldTimer - Version 3.1.12.0 log created on 05242010_152142

Files moved on Reboot...

C:\Documents and Settings\Chris\Local Settings\Temp\Google Toolbar\GoogleToolbarWelcome.log moved successfully.

C:\Documents and Settings\Chris\Local Settings\Temp\~DFC68E.tmp moved successfully.

C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\ZHYLWPHC\CAEZMJSJ.htm moved successfully.

C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\ZHYLWPHC\CAG4OFNN.htm moved successfully.

C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\ZHYLWPHC\CAMFOPI5.htm moved successfully.

C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\ZHYLWPHC\CAO1QR4Z.htm moved successfully.

C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\ZHYLWPHC\CAT7V97L.php%3Fen%3Dcp1252,;ord=1274732391 moved successfully.

C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\ZHYLWPHC\CAWDUZ4H.php%3Fen%3Dcp1252,;ord=1274732400 moved successfully.

C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\JV0ICOYP\CA0123S5.htm moved successfully.

C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\JV0ICOYP\CAB57ZQ8.php%3Fen%3Dcp1252,;ord=1274732383 moved successfully.

C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\JV0ICOYP\CAYPE1SP.htm moved successfully.

C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\JV0ICOYP\iframe[1].htm moved successfully.

C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\JV0ICOYP\index[1].php moved successfully.

C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\IR401KJR\welcome[1].rand=e76epeascvhbc moved successfully.

C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\3NJ2GF8M\CA61K9YH.htm moved successfully.

C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\3NJ2GF8M\CAF5T447.php%3Fen%3Dcp1252,;ord=1274732400 moved successfully.

C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\3NJ2GF8M\CAKD2V01.htm moved successfully.

C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\3NJ2GF8M\CAPF4L1Y.htm moved successfully.

C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\3NJ2GF8M\md[1].htm moved successfully.

Registry entries deleted on Reboot...

[extremeboy]

Does your .exe files work now?

Run this tool and see if it works and if you can now post the logs.

[sigtaba]

I was able to run Defogger and the GMER but after awhile I got this blue screen I have never seen before stating that Windows detected an error and had to shut down. Driver_IRQL_Not_Less_or_ Equal and alot of other verbage and telling me to try to restart and contact the administrator. Should I try again?

[extremeboy]

Try GMER in Safe Mode, if it still doesn't work let me know.

How to Boot into Safe Mode

I suggest you read over the instructions on how to boot into Safe Mode and then print these instructions out or save them in Notepad because you won't have access to this page while in Safe Mode.

Start in Safe Mode Using the F8 method:

• Restart the computer.
  
• As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  
• Use your arrow keys to navigate and highlight Safe Mode.
  
• Hit Enter.
  
• You will now be asked to choose your operating system. Again, use the arrow keys to select Microsoft Windows XP.
  
• Hit Enter.
  

Your computer will proceed to booting into Safe Mode. During the boot process, you may see random code go past your screen. Simply wait for it to pass. Your computer should boot like usually, except with Safe Mode written in the corners of your screen. Your screen may also appear to be a different size because the video drivers are not loaded properly in Safe Mode.

After the boot, you will be asked whether you wish to use system restore, or to continue to Safe Mode. Select OK to choose Safe mode.

Additional instructions on booting into Safe Mode can be found here

[sigtaba]

I ran the GMER is safemode and this is the result:

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-05-29 13:53:54

Windows 5.1.2600 Service Pack 3

Running: 6ysw04ry.exe; Driver: C:\DOCUME~1\Chris\LOCALS~1\Temp\pxtoapog.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Fastfat \Fat B9CE0D20

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

When I ran it in safemode the list that populated on the screen only had 2 items but when I ran it in non-safemode there was a long list. My computer now is running very slow and freezes up alot. I received another blue screen that said "fatal error". I have never seen these blue screens before.

[extremeboy]

Hello.

Can you start off with Combofix for me, any problems let me know.

Download and Run ComboFix

Note to readers of this post other than the starter of this thread:

ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

Download Combofix from any of the links below, and save it to your desktop.

Link 1

Link 2

Please refer to this page for full instructions on how to run ComboFix.

• Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  
• Double click ComboFix.exe to start the program. Agree to the prompts.
  
• When ComboFix is finished, a log report (C:\ComboFix.txt) will open. Post back with it.
  

Leave your computer alone while ComboFix is running.

ComboFix will restart your computer if malware is found; allow it to do so.

Note: Please Do NOT mouseclick combofix's window while its running because it may call it to stall.

[sigtaba]

Attached is the combo fix log

combofix_log.txt

[extremeboy]

Hello again,

Let's continue.

Run ComboFix with CFScript

We will run ComboFix again. This time it will be slightly different from the initial run.

• Close any open browsers.
  
• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  
• Open notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:

  http://forums.malwarebytes.org/index.php?showtopic=50367
  Driver::
  1ecfa6aa
  785b8bb2
  Collect::[68]
  c:\windows\system32\drivers\1ecfa6aa.sys
  c:\windows\system32\drivers\785b8bb2.sys
  c:\windows\qwingsvc.dll
  Registry::
  [-HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]

  Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
  
  

• Refering to the picture above, drag CFScript into ComboFix.exe.
  
• When finished, it shall produce a log for you at "C:\ComboFix.txt"
  
• Please post the contents of the Combofix log in your next reply.
  

Upload Samples by ComboFix

When Combofix finishes running, the ComboFix log will open along with a message box. With the above script, ComboFix captured some files to submit for analysis.

• Important: Ensure you are connected to the internet before clicking OK on the message box.
  
• A blue-screen would appear auto-uploading the zipped file I requested.
  
• After the uploading is done you should see a message near the bottom saying "Upload was Succesfull".
  

**NOTE**

=================

• IF for some reason Combofix fails to upload anything please do the following:
  
• Go to Start >> My Computer > C:\
  
• Then Navigate to the C:\Qoobox\Quarantine folder.
  
• Find the archive zip file called "[68]-Submit_Date_Time.zip"
  
• Simply go to This Channel and upload the submit.zip archive file to me.
  
• Follow the instructions on that page to copy/paste/send the requested file.
  

Let me know how it goes and if the upload went successfully or not in your next reply.

[sigtaba]

Here it is

Combofix2.txt

[extremeboy]

Hello.

That's looking good. Let's get an online scan done.

Run ESET Online Scan

1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
   ESET OnlineScan
   
2. Click the button.
   
3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
   1. 
      
   2. Click on to download the ESET Smart Installer. Save it to your desktop.
      
   3. Double click on the icon on your desktop.
      
      
   4. Check
      
   5. Click the button.
      
   6. Accept any security warnings from your browser.
      
   7. Check
      
   8. Push the Start button.
      
   9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
      
   10. When the scan completes, push
       
   11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
       
   12. Push the button.
       
   13. Push
       
       You can refer to this animation by neomage if needed.

[extremeboy]

Are you still with me?

[sigtaba]

Yes.

I ran the online scan and it came back "no infections found".

Shortly after that I lost my internet connection due to a power outage.

Do you need to see a log file? Is there a way to retrieve it now or do I need to run the scan again?

Are you still with me?