Topic: Windows Security Alert Trojan??? Critical need help!

    Raident (Topic Starter, Newbie)

    Windows Security Alert Trojan??? Critical need help!
    « on: April 26, 2010, 06:15:46 PM »
    Hey, so today I turned on my computer and I have this awful trojan that doesn't allow me to open any programs for more than 0.2 seconds or do much of anything except get spammed by constant 'Windows Security Alerts' filling up my toolbar and the unavoidable popup "Application cannot be executed. The file _____ is infected. Do you want to activate your antivirus software now?" Also occasional popups to adult sites, which I've never had before....

    The problem seems to be getting worse and worse and I'm in serious need of help. The creator of this thread
    http://www.computerhope.com/forum/index.php/topic,95177.0.html
    seems to have had the same problem as me. But when I get to the step where he was told to run Rkill, I can't get any of them to open. I also can't get the SUPERAntiSpyware or Emsisoft programs to run either to help me get rid of my problem... I've also tried Spybot S&D and Avira to no avail. I've also tried running in Safe Mode (which works) and deleting all my temporary files (not 100% sure if I did it right). I know I'm not supposed to try to fix this by myself, so I'm coming here for your help, please save me!

     http://www.computerhope.com/forum/index.php/topic,46313.0.html

    Dr Jay (Malware Removal Specialist, Moderator emeritus)
    Re: Windows Security Alert Trojan??? Critical need help!
    « Reply #1 on: April 26, 2010, 08:36:08 PM »
    Please reboot to Safe Mode with Networking (tap the F8 key just before Windows starts to load and select the Safe Mode with Networking option from the menu).

    Then, do the following...

    Please visit this webpage for a tutorial on downloading and running ComboFix:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    See the area: Using ComboFix, and when done, post the log back here.
    ~Dr Jay

      Raident (Topic Starter, Newbie)

      Re: Windows Security Alert Trojan??? Critical need help!
      « Reply #2 on: April 28, 2010, 05:23:11 PM »
      Wow!! After using ComboFix the problem seems to be gone! Thank you so much, Dragonmaster.

      ComboFix 10-04-28.03 - David Gardner 04/28/2010  16:10:37.1.1 - x86 NETWORK
      Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1534.1292 [GMT -7:00]
      Running from: c:\documents and settings\David Gardner\My Documents\Downloads\ComboFix.exe
      AV: AntiVir Desktop *On-access scanning enabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

      WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
      .

      (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
      .

      c:\documents and settings\David Gardner\Local Settings\Application Data\ehjqpjokr\ruywfrdtssd.exe
      c:\documents and settings\David Gardner\Local Settings\Application Data\whwqpynyl\reparsjtssd.exe
      c:\program files\AskSearch\bin\DefaultSearch.dll

      .
      (((((((((((((((((((((((((   Files Created from 2010-03-28 to 2010-04-28  )))))))))))))))))))))))))))))))
      .

      2010-04-24 23:57 . 2010-04-28 23:14   --------   d-----w-   c:\documents and settings\David Gardner\Local Settings\Application Data\whwqpynyl
      2010-04-24 23:57 . 2010-04-28 23:14   --------   d-----w-   c:\documents and settings\David Gardner\Local Settings\Application Data\ehjqpjokr

      .
      ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      2010-04-28 23:06 . 2009-05-24 17:32   --------   d-----w-   c:\documents and settings\David Gardner\Application Data\FrostWire
      2010-04-28 22:05 . 2009-05-22 16:30   --------   d-----w-   c:\program files\Steam
      2010-04-27 00:06 . 2009-05-03 00:05   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
      2010-04-26 18:56 . 2009-08-19 01:54   --------   d-----w-   c:\documents and settings\David Gardner\Application Data\vlc
      2010-04-25 00:31 . 2009-09-28 22:18   --------   d-----w-   c:\program files\Heroes of Newerth
      2010-04-11 01:54 . 2009-05-03 00:13   --------   d-----w-   c:\documents and settings\David Gardner\Application Data\uTorrent
      2010-04-09 01:29 . 2009-05-05 00:31   --------   d-----w-   c:\program files\FinePixViewer
      2010-04-05 00:43 . 2009-09-30 22:39   1   ----a-w-   c:\documents and settings\David Gardner\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
      2010-04-01 17:43 . 2009-05-24 17:37   4506256   ----a-w-   c:\documents and settings\David Gardner\Application Data\FrostWire\.NetworkShare\LimeWireWin4.16.6.exe
      2010-03-31 20:13 . 2009-11-22 16:41   --------   d-----w-   c:\documents and settings\David Gardner\Application Data\dvdcss
      2010-03-10 08:02 . 2004-08-04 12:00   417792   ----a-w-   c:\windows\system32\vbscript.dll
      2010-02-26 06:12 . 2004-08-04 12:00   662016   ----a-w-   c:\windows\system32\wininet.dll
      2010-02-26 06:12 . 2004-08-04 12:00   81920   ----a-w-   c:\windows\system32\ieencode.dll
      2010-02-24 12:31 . 2004-08-04 12:00   454016   ----a-w-   c:\windows\system32\drivers\mrxsmb.sys
      2010-02-16 13:19 . 2004-08-04 12:00   2181376   ----a-w-   c:\windows\system32\ntoskrnl.exe
      2010-02-16 12:39 . 2004-08-03 22:59   2058368   ----a-w-   c:\windows\system32\ntkrnlpa.exe
      2010-02-12 04:47 . 2004-08-04 12:00   100864   ----a-w-   c:\windows\system32\6to4svc.dll
      2010-02-11 12:01 . 2004-08-04 12:00   226880   ----a-w-   c:\windows\system32\drivers\tcpip6.sys
      2009-05-01 21:02 . 2009-05-01 21:02   1044480   ----a-w-   c:\program files\mozilla firefox\plugins\libdivx.dll
      2009-05-01 21:02 . 2009-05-01 21:02   200704   ----a-w-   c:\program files\mozilla firefox\plugins\ssldivx.dll
      .

      (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      .
      *Note* empty entries & legit default entries are not shown
      REGEDIT4

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
      "{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-09 279944]

      [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
      [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

      [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
      "{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-09 279944]

      [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
      [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
      "Steam"="c:\program files\Steam\Steam.exe" [2009-11-12 1217808]
      "Google Update"="c:\documents and settings\David Gardner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-06-23 133104]

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
      "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-27 13684736]
      "nwiz"="nwiz.exe" [2009-03-27 1657376]
      "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-27 86016]
      "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
      "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
      "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
      "nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-13 642856]
      "Linksys Wireless Manager"="c:\program files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe" [2009-05-11 1348144]

      c:\documents and settings\David Gardner\Start Menu\Programs\Startup\
      FrostWire On Startup.lnk - c:\program files\FrostWire\FrostWire.exe [2008-9-3 114688]
      OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]

      c:\documents and settings\All Users\Start Menu\Programs\Startup\
      ExifLauncher2.lnk - c:\program files\FinePixViewer\QuickDCF2.exe [2009-5-4 303104]
      NETGEAR WPN111 Smart Wizard.lnk - c:\program files\NETGEAR\WPN111\wpn111.exe [2009-10-21 884838]

      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
      "%windir%\\system32\\sessmgr.exe"=
      "c:\\Program Files\\uTorrent\\uTorrent.exe"=
      "c:\\Program Files\\Warcraft III\\pickup.listchecker.exe"=
      "c:\\Program Files\\FrostWire\\FrostWire.exe"=
      "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
      "c:\\Program Files\\iTunes\\iTunes.exe"=
      "c:\\Program Files\\Messenger\\msmsgs.exe"=
      "c:\\Program Files\\GameSpy Arcade\\Aphex.exe"=
      "c:\\Program Files\\Garena\\Garena.exe"=
      "c:\\Program Files\\World of Warcraft\\WoW-3.2.0-enUS-downloader.exe"=
      "c:\\Program Files\\World of Warcraft\\Launcher.exe"=
      "c:\\Program Files\\Heroes of Newerth\\hon.exe"=

      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
      "3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

      S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [5/2/2009 5:04 PM 108289]
      S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [5/2/2009 12:29 PM 17149]
      S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\DAVIDG~1\LOCALS~1\Temp\KVH6.tmp --> c:\docume~1\DAVIDG~1\LOCALS~1\Temp\KVH6.tmp [?]
      S3 WN111v2;NETGEAR WN111v2 USB2.0 Wireless Card Service;c:\windows\system32\DRIVERS\WN111v2.sys --> c:\windows\system32\DRIVERS\WN111v2.sys [?]
      S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\drivers\WPN111.sys [10/20/2009 6:42 PM 362944]
      .
      Contents of the 'Scheduled Tasks' folder

      2010-04-22 c:\windows\Tasks\AppleSoftwareUpdate.job
      - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

      2010-04-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1757981266-789336058-1801674531-1003Core.job
      - c:\documents and settings\David Gardner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-23 22:15]

      2010-04-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1757981266-789336058-1801674531-1003UA.job
      - c:\documents and settings\David Gardner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-23 22:15]

      2010-04-28 c:\windows\Tasks\WGASetup.job
      - c:\windows\system32\KB905474\wgasetup.exe [2009-05-04 05:18]
      .
      .
      ------- Supplementary Scan -------
      .
      uStart Page = hxxp://www.garena.com/portal/
      uInternet Settings,ProxyOverride = <local>
      uInternet Settings,ProxyServer = http=127.0.0.1:5555
      uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101664&gct=&gc=1&q=%s
      FF - ProfilePath - c:\documents and settings\David Gardner\Application Data\Mozilla\Firefox\Profiles\lez0zr1c.default\
      FF - prefs.js: browser.startup.homepage - hxxp://www.ask.com?gcht=HC&o=101676&l=dis
      FF - plugin: c:\documents and settings\David Gardner\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
      FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

      ---- FIREFOX POLICIES ----
      c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
      c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
      c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
      c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
      .
      - - - - ORPHANS REMOVED - - - -

      HKCU-Run-DriverUpdaterPro - c:\program files\iXi Tools\Driver Updater Pro\DriverUpdaterPro.exe
      HKCU-Run-kegdosnf - c:\documents and settings\David Gardner\Local Settings\Application Data\ehjqpjokr\ruywfrdtssd.exe
      HKCU-Run-wrtjuyvm - c:\documents and settings\David Gardner\Local Settings\Application Data\whwqpynyl\reparsjtssd.exe
      HKLM-Run-kegdosnf - c:\documents and settings\David Gardner\Local Settings\Application Data\ehjqpjokr\ruywfrdtssd.exe
      HKLM-Run-wrtjuyvm - c:\documents and settings\David Gardner\Local Settings\Application Data\whwqpynyl\reparsjtssd.exe



      **************************************************************************

      catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
      Rootkit scan 2010-04-28 16:14
      Windows 5.1.2600 Service Pack 2 NTFS

      scanning hidden processes ... 

      scanning hidden autostart entries ...

      scanning hidden files ... 

      scan completed successfully
      hidden files: 0

      **************************************************************************

      [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GarenaPEngine]
      "ImagePath"="\??\c:\docume~1\DAVIDG~1\LOCALS~1\Temp\KVH6.tmp"
      .
      Completion time: 2010-04-28  16:16:20
      ComboFix-quarantined-files.txt  2010-04-28 23:16

      Pre-Run: 7,408,603,136 bytes free
      Post-Run: 8,300,707,840 bytes free

      - - End Of File - - A44CB82A18CA21E49DFB11B984AF26CF

      Dr Jay (Malware Removal Specialist, Moderator emeritus)
      Re: Windows Security Alert Trojan??? Critical need help!
      « Reply #3 on: April 28, 2010, 07:44:30 PM »
      Not quite gone yet.

      Re-running ComboFix to remove infections:

      • Close any open browsers.
      • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Open Notepad and copy/paste the text in the quote box below into it:
        Quote
        killall::

        Folder::
        c:\documents and settings\David Gardner\Local Settings\Application Data\whwqpynyl
        c:\documents and settings\David Gardner\Local Settings\Application Data\ehjqpjokr

        DDS::
        uInternet Settings,ProxyServer = http=127.0.0.1:5555

        rootkit::
      • Save this as CFScript.txt, in the same location as ComboFix.exe
      • Drag CFScript.txt onto ComboFix.exe
      • When finished, it shall produce a log for you at C:\ComboFix.txt
      • Please post the contents of the log in your next reply.
      ==========================================

      GMER

      Note about this tool:
      • This program may freeze. Do not reboot the computer, unless it has been frozen for over 30 minutes.
      • This program may cause a blue screen of death. If it does, do not scan, and then reply to let me know.
      • No matter what is in the log, please post all the information/contents of the log.
      Please download the GMER Rootkit Scanner. Unzip it to your Desktop.

      Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

      Double-click gmer.exe. The program will begin to run.

      **Caution**
      These types of scans can produce false positives. Do NOT take any action on any
      "<--- ROOTKIT" entries unless advised!

      If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
      • Click NO
      • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
      • Now click the Scan button.
      Once the scan is complete, you may receive another notice about rootkit activity.
      • Click OK.
      • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
      • Save it where you can easily find it, such as your desktop.
      Post the contents of GMER.txt in your next reply along with the ComboFix log. You may have to use two or three posts to get all the information in.
      ~Dr Jay
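The specialist's second script was written by reading the log above by eye: the two orphaned Run entries point at executables with random-looking directory and file names under the user's Local Settings\Application Data (the dropper pattern for this family of rogue "security alert" programs), and the WinINET ProxyServer value routes the browser through 127.0.0.1:5555, a port the malware itself listens on, which is how it injects the adult-site popups and the fake alerts. The following is an added example, not code from the thread or from ComboFix, that applies those same heuristics to lines excerpted from the posted log and emits a CFScript in the shape Dr Jay used. The sample lines are a trimmed copy of the log (treat them as constructed input), the vowel-ratio test for "random-looking" names is a crude stand-in of my own for what an analyst judges by eye, and the severity labels are my assumptions, not ComboFix's.

```python
"""Triage heuristics for a ComboFix log, plus CFScript generation.
Added example; not part of the original forum thread and not ComboFix code."""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a trimmed excerpt of the ComboFix log posted in the thread.
SAMPLE_LOG = [
    r"[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]",
    r'"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]',
    r'"Google Update"="c:\documents and settings\David Gardner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-06-23 133104]',
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]",
    r'"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]',
    r"S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\DAVIDG~1\LOCALS~1\Temp\KVH6.tmp --> c:\docume~1\DAVIDG~1\LOCALS~1\Temp\KVH6.tmp [?]",
    r"uInternet Settings,ProxyOverride = <local>",
    r"uInternet Settings,ProxyServer = http=127.0.0.1:5555",
    r"HKCU-Run-kegdosnf - c:\documents and settings\David Gardner\Local Settings\Application Data\ehjqpjokr\ruywfrdtssd.exe",
    r"HKCU-Run-wrtjuyvm - c:\documents and settings\David Gardner\Local Settings\Application Data\whwqpynyl\reparsjtssd.exe",
    r"HKLM-Run-kegdosnf - c:\documents and settings\David Gardner\Local Settings\Application Data\ehjqpjokr\ruywfrdtssd.exe",
    r"HKLM-Run-wrtjuyvm - c:\documents and settings\David Gardner\Local Settings\Application Data\whwqpynyl\reparsjtssd.exe",
]

# Line shapes used by the ComboFix log: Run values, orphaned Run entries, services, DDS proxy line.
RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"=\s*"(?P<path>[^"]+)"')
ORPHAN = re.compile(r"^(?P<hive>HKCU|HKLM)-Run-(?P<name>\S+) - (?P<path>.+)$")
SERVICE = re.compile(r"^S\d\s+(?P<name>[^;]+);[^;]*;(?P<path>.+?)(?: -->.*)?$")
PROXY = re.compile(r"^uInternet Settings,ProxyServer = (?P<value>.+)$")

# User-writable locations where installers rarely, and droppers usually, put autostarts.
PROFILE_MARKERS = ("\\local settings\\application data\\", "\\application data\\", "\\temp\\")


@dataclass(frozen=True)
class Finding:
    severity: str  # assumed labels: "high" = remove, "review" = inspect before acting
    kind: str      # "autostart", "service" or "proxy"
    path: str      # file path, or the raw proxy value for kind == "proxy"
    note: str


def looks_random(token: str) -> bool:
    """Crude stand-in for an analyst's eye: long, all-lowercase letters, vowel-poor."""
    if not (len(token) >= 8 and token.isalpha() and token.islower()):
        return False
    vowels = sum(ch in "aeiou" for ch in token)
    return vowels / len(token) < 0.25


def in_user_profile(path: str) -> bool:
    low = path.lower()
    return "\\program files\\" not in low and any(m in low for m in PROFILE_MARKERS)


def classify_path(path: str, kind: str) -> Optional[Finding]:
    """Anything starting from the profile gets a look; random dir AND file name there is the dropper pattern."""
    if not in_user_profile(path):
        return None
    parent, filename = ntpath.split(path)
    stem = ntpath.splitext(filename)[0]
    if looks_random(ntpath.basename(parent)) and looks_random(stem):
        return Finding("high", kind, path, "random-named executable under the user profile")
    return Finding("review", kind, path, "runs from a user-writable location (updaters and some game drivers do too)")


def classify_proxy(value: str) -> Finding:
    """ProxyServer may hold 'host:port' or 'http=host:port;https=host:port'; a loopback host is the rogue's hook."""
    hosts = {entry.split("=")[-1].rsplit(":", 1)[0] for entry in value.split(";")}
    if hosts & {"127.0.0.1", "localhost"}:
        return Finding("high", "proxy", value, "browser traffic routed through a local port nothing legitimate listens on")
    return Finding("review", "proxy", value, "proxy configured; confirm the user set it")


def triage(lines: List[str]) -> List[Finding]:
    findings: List[Finding] = []
    seen = set()  # HKCU and HKLM orphans point at the same file; report it once

    def add(f: Optional[Finding]) -> None:
        if f is not None and (f.kind, f.path.lower()) not in seen:
            seen.add((f.kind, f.path.lower()))
            findings.append(f)

    for line in lines:
        line = line.strip()
        m = RUN_VALUE.match(line) or ORPHAN.match(line)
        if m:
            add(classify_path(m.group("path"), "autostart"))
            continue
        m = SERVICE.match(line)
        if m:
            path = m.group("path")
            if path.startswith("\\??\\"):  # NT object-manager prefix on ImagePath
                path = path[4:]
            add(classify_path(path, "service"))
            continue
        m = PROXY.match(line)
        if m:
            add(classify_proxy(m.group("value")))
    return findings


def build_cfscript(findings: List[Finding]) -> str:
    """Emit the directives Dr Jay used: kill processes, delete dropper folders, reset the proxy, rescan."""
    folders: List[str] = []
    dds: List[str] = []
    for f in findings:
        if f.severity != "high":
            continue
        if f.kind == "autostart":
            folder = ntpath.dirname(f.path)
            if folder not in folders:
                folders.append(folder)
        elif f.kind == "proxy":
            dds.append(f"uInternet Settings,ProxyServer = {f.path}")
    return ("killall::\n\nFolder::\n" + "\n".join(folders)
            + "\n\nDDS::\n" + "\n".join(dds) + "\n\nrootkit::\n")


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.kind}: {f.path}  ({f.note})")
    print(build_cfscript(triage(SAMPLE_LOG)))
```

Run as written, it rates the two random-named executables and the loopback proxy "high" and writes a CFScript whose Folder:: and DDS:: sections match the one in the reply above. GoogleUpdate.exe and the GarenaPEngine service, which also start from user-writable paths, come out as "review" only, which is consistent with the specialist's script leaving both alone; the location heuristic on its own would have produced two false positives, and the name test is what separates them.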