
Author Topic: Questions about Computer Hope's malware removal guide  (Read 11753 times)


myswtsins


    Questions about Computer Hope's malware removal guide
    « on: October 18, 2010, 12:32:42 PM »
    I am following the guide to remove malware, as advised in my other thread. Can I do everything in Safe Mode? Because my computer doesn't work properly in Normal Mode: programs never open (so I can't install SuperAntiSpyware), and most of the time the PC never even starts up past "loading personal settings".

    SuperDave

    • Malware Removal Specialist


    • Genius
    • Thanked: 1020
    • Certifications: List
    • Experience: Expert
    • OS: Windows 10
    Re: Questions about Computer Hope's malware removal guide
    « Reply #1 on: October 22, 2010, 12:14:02 PM »
    Please tell me exactly what happens when you boot in Normal Mode.
    Windows 8 and Windows 10 dual boot with two SSD's

    myswtsins


      Re: Questions about Computer Hope's malware removal guide
      « Reply #2 on: October 22, 2010, 10:07:39 PM »
      I fixed the issue with not being able to get past "loading your personal settings" by pressing F8 and using the Last Known Good Configuration option.

      When in Normal Mode, if I try to open a program (like any anti-virus stuff) I get an hourglass for a second, but it never opens or appears in Task Manager. I have been renaming things to "winlogon" to get past that issue, though.

      Even in Safe Mode now, though, I get repeating svchost.exe errors and fake anti-virus pop-ups (the "your PC is infected" type) almost as soon as it boots up.

      I tried following the removal guide (in Safe Mode), but SuperAntiSpyware is not creating logs (the box IS checked for it to keep logs) and it does not show any items in quarantine. It found 77 items (quick scan) and I chose to quarantine (or remove, whatever it asks you to do) them, and it said they were taken care of, but there is no record of it. I ran a full scan for over 19 hours and when I came back to the PC it was just on the main menu with no options or logs shown.

      I also could not update java.  I do not have the error in front of me because I am using my brother's PC but I will get the exact error a little later.

      SuperDave

      Re: Questions about Computer Hope's malware removal guide
      « Reply #3 on: October 23, 2010, 01:39:16 PM »
      Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialists of this forum, so it may take a bit longer to process your logs.

      1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
      2. The fixes are specific to your problem and should only be used for this issue on this machine.
      3. If you don't know or understand something, please don't hesitate to ask.
      4. Please DO NOT run any other tools or scans while I am helping you.
      5. It is important that you reply to this thread. Do not start a new topic.
      6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
      7. Absence of symptoms does not mean that everything is clear.

      If you can't access the internet with your infected computer, you will have to download any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device, hold the Shift key down for about 10 seconds while inserting it. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back online.

      Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
      Save Rkill to your desktop.

      There are 4 different versions. If one of them won't run then download and try to run the other one.
       
      Vista and Win7 users need to right click Rkill and choose Run as Administrator
       

      You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

      Rkill.exe
      Rkill.com
      Rkill.scr
      Rkill.pif

      Once you've gotten one of them to run then try to immediately run the following.
       
      Now download and Run exeHelper.

      Please download exeHelper from Raktor to your desktop.
      • Double-click on exeHelper.com to run the fix. A black window should pop up; press any key to close it once the fix is completed. A log file named log.txt will be created in the directory where you ran exeHelper.com. Attach the log.txt file to your next message.

        Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).
        **********************************************
        SUPERAntiSpyware

        If you already have SUPERAntiSpyware be sure to check for updates before scanning!


        Download SuperAntispyware Free Edition (SAS)
        * Double-click the icon on your desktop to run the installer.
        * When asked to Update the program definitions, click Yes
        * If you encounter any problems while downloading the updates, manually download and unzip them from here
        * Next click the Preferences button.

        •Under Start-Up Options uncheck Start SUPERAntiSpyware when Windows starts
        * Click the Scanning Control tab.
        * Under Scanner Options make sure only the following are checked:

        •Close browsers before scanning
        •Scan for tracking cookies
        •Terminate memory threats before quarantining
        Please leave the others unchecked

        •Click the Close button to leave the control center screen.

        * On the main screen click Scan your computer
        * On the left check the box for the drive you are scanning.
        * On the right choose Perform Complete Scan
        * Click Next to start the scan. Please be patient while it scans your computer.
        * After the scan is complete a summary box will appear. Click OK
        * Make sure everything in the white box has a check next to it, then click Next
        * It will quarantine what it found and if it asks if you want to reboot, click Yes

        •To retrieve the removal information please do the following:
        •After reboot, double-click the SUPERAntiSpyware icon on your desktop.
        •Click Preferences. Click the Statistics/Logs tab.

        •Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.

        •It will open in your default text editor (preferably Notepad).
        •Save the notepad file to your desktop by clicking (in notepad) File > Save As...

        * Save the log somewhere you can easily find it. (normally the desktop)
        * Click close and close again to exit the program.
        *Copy and Paste the log in your post.
        **************************************
        Please download Malwarebytes Anti-Malware from here.

        Double Click mbam-setup.exe to install the application.
        • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
        • If an update is found, it will download and install the latest version.
        • Once the program has loaded, select "Perform Full Scan", then click Scan.
        • The scan may take some time to finish, so please be patient.
        • When the scan is complete, click OK, then Show Results to view the results.
        • Make sure that everything is checked, and click Remove Selected.
        • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
        • Please save the log to a location you will remember.
        • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
        • Copy and paste the entire report in your next reply.
        Extra Note:

        If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
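The exeHelper step above resets the .exe and .com file associations and the Winlogon userinit/shell values. Rewriting those is a common rogue anti-virus technique: every program launch is routed through the rogue binary, which matches the "hourglass for a second, then nothing" symptom in Reply #2. The following is an added Python example, not code from Rkill, exeHelper or Computer Hope, that reads the output of `reg query` for those keys and flags any value that is not the Windows XP default. On Windows it queries the live registry; elsewhere it runs on the constructed `reg query` sample embedded in it, whose rogue path is hypothetical.

```python
"""Flag the registry values a rogue anti-virus rewrites to keep programs from opening.

Added example for this thread, not code from Rkill or exeHelper. It parses the
text `reg query` prints for the .exe/.com file-association keys and the
Winlogon key and reports any value that differs from the Windows XP default
(the values exeHelper's log says it resets). On Windows it queries the live
registry; elsewhere it runs on the constructed sample below, which is a
hypothetical hijack, not data from the thread.
"""
import re
import subprocess
import sys

# Windows XP defaults; "@" stands for the key's default (unnamed) value.
EXPECTED = {
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": {"@": '"%1" %*'},
    r"HKEY_CLASSES_ROOT\comfile\shell\open\command": {"@": '"%1" %*'},
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon": {
        "Shell": "Explorer.exe",
        "Userinit": r"C:\WINDOWS\system32\userinit.exe,",
    },
}

# reg.exe labels the default value "<NO NAME>" on XP and "(Default)" on later Windows.
_VALUE_RE = re.compile(r"^\s+(<NO NAME>|\(Default\)|\S+)\s+(REG_\w+)\s*(.*)$")

# Constructed sample of `reg query` output showing the typical hijack: every
# .exe launch is routed through the rogue binary first. The path is hypothetical.
SAMPLE_HIJACKED = r"""
! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\exefile\shell\open\command
    <NO NAME>   REG_SZ  "C:\Documents and Settings\user\Local Settings\Application Data\rogue.exe" /START "%1" %*

HKEY_CLASSES_ROOT\comfile\shell\open\command
    <NO NAME>   REG_SZ  "%1" %*

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell       REG_SZ  Explorer.exe
    Userinit    REG_SZ  C:\WINDOWS\system32\userinit.exe,
"""

# The same three keys with their stock XP values (also constructed).
SAMPLE_CLEAN = SAMPLE_HIJACKED.replace(
    r'"C:\Documents and Settings\user\Local Settings\Application Data\rogue.exe" /START ', "")


def parse_reg_query(text):
    """Return {key: {value_name: data}} from `reg query` output.

    Keys and value names are lower-cased; the default value is stored under '@'.
    """
    parsed, key = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip().lower()
            parsed.setdefault(key, {})
            continue
        m = _VALUE_RE.match(line) if key else None
        if m:
            name = m.group(1)
            name = "@" if name in ("<NO NAME>", "(Default)") else name.lower()
            parsed[key][name] = m.group(3).strip()
    return parsed


def find_hijacks(parsed):
    """Return (key, value_name, actual_data) for each expected value that is missing or changed."""
    findings = []
    for key, values in EXPECTED.items():
        actual = parsed.get(key.lower(), {})
        for name, good in values.items():
            got = actual.get(name.lower())
            if got is None or got.lower() != good.lower():
                findings.append((key, name, got))
    return findings


def query_live():
    """Run reg.exe for each key of interest (Windows only) and return the combined output."""
    chunks = []
    for key in EXPECTED:
        short = key.replace("HKEY_CLASSES_ROOT", "HKCR").replace("HKEY_LOCAL_MACHINE", "HKLM")
        proc = subprocess.run(["reg", "query", short], capture_output=True, text=True)
        chunks.append(proc.stdout)
    return "\n".join(chunks)


if __name__ == "__main__":
    text = query_live() if sys.platform == "win32" else SAMPLE_HIJACKED
    hits = find_hijacks(parse_reg_query(text))
    if not hits:
        print("all checked values match the XP defaults")
    for key, name, got in hits:
        print("SUSPECT %s\\%s = %r" % (key, name, got))
```

A missing value is reported as well as a changed one, because a rogue that deletes the exefile default value breaks program launches just as effectively as one that rewrites it. Run the script from a known-good copy of python on removable media, or paste the three `reg query` outputs into it on another machine, since on the infected box the .exe hijack may keep python itself from starting until Rkill has run.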

      myswtsins


        Re: Questions about Computer Hope's malware removal guide
        « Reply #4 on: October 23, 2010, 09:03:20 PM »
        Thanks for helping me SuperDave! Unfortunately I didn't get far. I tried all 4 Rkills without success. The .pif link gave me an error so I was not able to DL that one, but the other 3 all had the same results. After it ran for a while ("rkill terminating known malware...") an application error would pop up that I have never seen before (I get svchost.exe app errors all the time, though):
        "pev.rkexe - Application Error 
        The exception unknown software exception (0xc00000fd) occurred in the application at location 0x5ff19817.

        Click on OK to terminate the program
        Click on CANCEL to debug the program"

        I have clicked OK, clicked the X to close it, and just moved it aside, with no visible effects. When I hit CANCEL I get messages that it is trying to access HKCU files and is blocked. The Rkill program has run for over 2 hours with no change; it just says "Please be patient". Should it take that long?

        SuperDave

        Re: Questions about Computer Hope's malware removal guide
        « Reply #5 on: October 24, 2010, 11:37:08 AM »
        Quote
        should it take that long?
        No. It should only be for a few moments. There are other problems. Did you try running MBAM in Safe Mode? If not, please try that. If it still doesn't work, please try this: You will have to create the disk on a working computer.

        If you can't access the internet with your infected computer, you will have to download any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device, hold the Shift key down for about 10 seconds while inserting it. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back online.
        ***********************************
        We are going to be using a Windows Recovery Environment to help disinfect the system so it may boot again.

        Download the OTLPE Standard REATOGO Windows Recovery Environment.
        Place a blank CD-R disc into your CD burning drive.
        Download OTLPEStd.exe and double-click on it to burn it to a CD using the ISO Burner.
        Reboot your system using the boot CD you just created.

        Note : If you do not know how to set your computer to boot from CD follow the steps here
        Your system should now display a REATOGO-X-PE desktop.
        Double-click on the OTLPE icon.
        When asked "Do you wish to load the remote registry", select Yes
        When asked "Do you wish to load remote user profile(s) for scanning", select Yes
        Ensure the box "Automatically Load All Remaining Users" is checked and press OK
        OTL should now start. Change the following settings:
        Change Drivers to Non-Microsoft
        Press Run Scan to start the scan.
        When finished, the file will be saved  in drive C:\_OTL\MovedFiles
        Copy this file to your USB drive if you do not have internet connection on this system
        Please post the contents of the OTL.txt file in your reply.


        myswtsins


          Re: Questions about Computer Hope's malware removal guide
          « Reply #6 on: October 24, 2010, 06:19:35 PM »
          I tried rkill.exe a couple more times and it worked, so I immediately ran exeHelper (saved the logs) and then SuperAntiSpyware, which is still scanning 20 hrs later; it goes through files really slowly after a little while. Should I still do the Windows Recovery Environment after SAS finishes?

          I am doing all of this in regular mode because you never stated whether I could do it in safe mode, just so you know.  And I am on my brother's computer right now because mine is scanning so I will post the logs when SAS is done.

          SuperDave

          Re: Questions about Computer Hope's malware removal guide
          « Reply #7 on: October 25, 2010, 01:07:48 PM »
          If you can get the scans to run there's no need to do the OTLPE. Just post the logs whenever you can.

          myswtsins


            Re: Questions about Computer Hope's malware removal guide
            « Reply #8 on: November 03, 2010, 08:00:42 PM »
            The SAS scan did the same thing where I come back and it is on the main menu with no log recorded so I moved to trying to run the OTLPE but I am a little confused.  Do you want me to start up with the CD, run the OTLPE scan and then install and run all the other programs (MBAM, SAS...)?

            Also, after clicking the OTLPE icon the pop-ups did not follow your instructions. First it asked me to choose my Windows directory; when I chose Windows (C:) it said it was not Win 2000 or later (I always run XP), so I tried my WinNT folder (I have NEVER used WinNT, it just came with the PC) and it accepted it. I also did not find an option for Drivers - Non-Microsoft. It gave me Drivers - None - Use SafeList - All; I left it on Use SafeList (default) and ran a scan (last one).

            Here are the old logs (I have encountered NEW problems since this though)
            ----
            Rkill
            -----
            This log file is located at F:\rkill.log.
            Please post this only if requested to by the person helping you.
            Otherwise you can close this log when you wish.
            Ran as jen on 10/23/2010 at 22:54:45.


            Services Stopped:


            Processes terminated by Rkill or while it was running:

            Rkill completed on 10/23/2010  at 23:01:07.

            ----
            exehelper
            ----
            exeHelper by Raktor
            Build 20100414
            Run at 23:15:21 on 10/23/10
            Now searching...
            Checking for numerical processes...
            Checking for sysguard processes...
            Checking for bad processes...
            Checking for bad files...
            Checking for bad registry entries...
            Resetting filetype association for .exe
            Resetting filetype association for .com
            Resetting userinit and shell values...
            Resetting policies...
            --Finished--

            ----
            MBAM - ran in safe mode
            ----

            Malwarebytes' Anti-Malware 1.46
            www.malwarebytes.org

            Database version: 4883

            Windows 5.1.2600 Service Pack 3 (Safe Mode)
            Internet Explorer 6.0.2900.5512

            10/19/2010 3:09:20 PM
            mbam-log-2010-10-19 (15-09-20).txt

            Scan type: Quick scan
            Objects scanned: 150440
            Time elapsed: 8 minute(s), 30 second(s)

            Memory Processes Infected: 0
            Memory Modules Infected: 0
            Registry Keys Infected: 0
            Registry Values Infected: 1
            Registry Data Items Infected: 0
            Folders Infected: 0
            Files Infected: 2

            Memory Processes Infected:
            (No malicious items detected)

            Memory Modules Infected:
            (No malicious items detected)

            Registry Keys Infected:
            (No malicious items detected)

            Registry Values Infected:
            HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gkahiwifap (Trojan.Hiloti) -> No action taken.

            Registry Data Items Infected:
            (No malicious items detected)

            Folders Infected:
            (No malicious items detected)

            Files Infected:
            F:\WINDOWS\gizcsckb.dll (Trojan.Hiloti) -> No action taken.
            F:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\WB8BVGUK\setup[1].exe (Trojan.FakeAlert) -> No action taken.


            ----
            SAS - ran in safe mode (definitely did not scan as many files as in normal mode, about half the # of registry files)
            ----

            SUPERAntiSpyware Scan Log
            http://www.superantispyware.com

            Generated 10/26/2010 at 10:51 PM

            Application Version : 4.44.1000

            Core Rules Database Version : 5754
            Trace Rules Database Version: 3566

            Scan type       : Complete Scan
            Total Scan Time : 03:27:12

            Memory items scanned      : 273
            Memory threats detected   : 0
            Registry items scanned    : 7516
            Registry threats detected : 0
            File items scanned        : 269267
            File threats detected     : 9

            Trojan.Agent/Gen-Krazy
               F:\DOCUMENTS AND SETTINGS\JEN\APPLICATION DATA\HOTFIX.EXE
               F:\DOCUMENTS AND SETTINGS\JEN\LOCAL SETTINGS\TEMP\0.5321170746445714.EXE

            Adware.Tracking Cookie
               convoad.technoratimedia.com [ F:\Documents and Settings\jen\Application Data\Macromedia\Flash Player\#SharedObjects\K6WJV3KA ]
               ia.media-imdb.com [ F:\Documents and Settings\jen\Application Data\Macromedia\Flash Player\#SharedObjects\K6WJV3KA ]
               www.naiadsystems.com [ F:\Documents and Settings\jen\Application Data\Macromedia\Flash Player\#SharedObjects\K6WJV3KA ]
               media.mtvnservices.com [ F:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\999866TD ]
               media1.break.com [ F:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\999866TD ]
               objects.tremormedia.com [ F:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\999866TD ]
               secure-us.imrworldwide.com [ F:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\999866TD ]


            ----
            OTLPE
            ----

            OTL logfile created on: 11/3/2010 10:18:43 PM - Run
            OTLPE by OldTimer - Version 3.1.43.0     Folder = X:\Programs\OTLPE
            Microsoft Windows 2000 Service Pack 4 (Version = 5.0.2195) - Type = SYSTEM
            Internet Explorer (Version = 5.00.3700.1000)
            Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
             
            2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 89.00% Memory free
            2.00 Gb Paging File | 2.00 Gb Available in Paging File | 97.00% Paging File free
            Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]
             
            %SystemDrive% = C: | %SystemRoot% = C:\WINNT | %ProgramFiles% = C:\Program Files
            Drive C: | 127.99 Gb Total Space | 97.09 Gb Free Space | 75.85% Space Free | Partition Type: NTFS
            Drive D: | 127.99 Gb Total Space | 10.95 Gb Free Space | 8.55% Space Free | Partition Type: NTFS
            Drive E: | 170.10 Gb Total Space | 4.91 Gb Free Space | 2.89% Space Free | Partition Type: NTFS
            Drive F: | 170.10 Gb Total Space | 141.72 Gb Free Space | 83.32% Space Free | Partition Type: NTFS
            Drive G: | 982.13 Mb Total Space | 349.09 Mb Free Space | 35.54% Space Free | Partition Type: FAT
            Drive X: | 282.52 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
             
            Computer Name: REATOGO | User Name: SYSTEM
            Boot Mode: Normal | Scan Mode: All users
            Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
            Using ControlSet: ControlSet001
             
            ========== Win32 Services (SafeList) ==========
             
            SRV - File not found [Unavailable] --  -- (IAS)
            SRV - [2007/04/20 08:03:02 | 000,411,168 | ---- | M] (Acronis) [Auto] -- C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe -- (AcrSch2Svc)
            SRV - [2003/06/19 12:05:04 | 000,196,706 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINNT\system32\wbem\WinMgmt.exe -- (WinMgmt)
            SRV - [2003/06/19 12:05:04 | 000,147,728 | ---- | M] (VERITAS Software Corp.) [On_Demand] -- C:\WINNT\System32\dmadmin.exe -- (dmadmin)
            SRV - [2003/06/19 12:05:04 | 000,119,568 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINNT\system32\mstask.exe -- (Schedule)
            SRV - [2003/06/19 12:05:04 | 000,094,992 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINNT\system32\FAXSVC.EXE -- (Fax)
            SRV - [2003/06/19 12:05:04 | 000,068,368 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINNT\system32\regsvc.exe -- (RemoteRegistry)
            SRV - [2003/06/19 12:05:04 | 000,022,800 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINNT\system32\utilman.exe -- (UtilMan)
            SRV - [2003/06/19 12:05:04 | 000,019,728 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINNT\system32\hidserv.exe -- (HidServ)
             
             
            ========== Driver Services (SafeList) ==========
             
            DRV - File not found [Kernel | System] --  -- (tga)
            DRV - File not found [Kernel | System] --  -- (sglfb)
            DRV - File not found [Kernel | System] --  -- (PCIDump)
            DRV - File not found [Kernel | On_Demand] -- E:\PciCon.sys -- (PciCon)
            DRV - File not found [Kernel | System] --  -- (lbrtfdc)
            DRV - File not found [Kernel | System] --  -- (Changer)
            DRV - [2007/09/02 18:09:14 | 000,392,320 | ---- | M] (Acronis) [Kernel | Boot] -- C:\WINNT\system32\drivers\timntr.sys -- (timounter)
            DRV - [2007/09/02 18:09:14 | 000,032,768 | ---- | M] (Acronis) [File_System | Auto] -- C:\WINNT\system32\drivers\tifsfilt.sys -- (tifsfilter)
            DRV - [2007/09/02 18:09:13 | 000,120,992 | ---- | M] (Acronis) [Kernel | Boot] -- C:\WINNT\system32\drivers\snapman.sys -- (snapman)
            DRV - [2007/04/13 05:11:08 | 006,704,736 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand] -- C:\WINNT\system32\drivers\nv4_mini.sys -- (nv)
            DRV - [2003/06/19 12:05:04 | 000,369,104 | ---- | M] (VERITAS Software Corp.) [Kernel | Disabled] -- C:\WINNT\system32\drivers\dmboot.sys -- (dmboot)
            DRV - [2003/06/19 12:05:04 | 000,137,936 | ---- | M] (VERITAS Software Corp.) [Kernel | Boot] -- C:\WINNT\system32\drivers\dmio.sys -- (dmio)
            DRV - [2003/06/19 12:05:04 | 000,060,208 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINNT\system32\drivers\parallel.sys -- (Parallel)
            DRV - [2003/06/19 12:05:04 | 000,032,848 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINNT\system32\drivers\uhcd.sys -- (uhcd)
            DRV - [2003/06/19 12:05:04 | 000,027,440 | ---- | M] (Microsoft Corporation) [File_System | Disabled] -- C:\WINNT\System32\drivers\efs.sys -- (EFS)
            DRV - [2003/06/19 12:05:04 | 000,024,784 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINNT\system32\drivers\openhci.sys -- (openhci)
            DRV - [2003/06/19 12:05:04 | 000,007,728 | ---- | M] (Microsoft Corporation) [Kernel | Boot] -- C:\WINNT\System32\drivers\diskperf.sys -- (Diskperf)
            DRV - [2003/06/19 12:05:04 | 000,007,312 | ---- | M] (VERITAS Software Corp.) [Kernel | Boot] -- C:\WINNT\system32\drivers\dmload.sys -- (dmload)
            DRV - [1999/12/07 08:00:00 | 000,021,712 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINNT\system32\drivers\rca.sys -- (RCA)
            DRV - [1999/12/07 08:00:00 | 000,009,680 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINNT\system32\drivers\netdtect.sys -- (NetDetect)
             
             
            ========== Standard Registry (SafeList) ==========
             
             
            ========== Internet Explorer ==========
             
            IE - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.com
            IE - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
             
             
             
            IE - HKU\x_ON_C\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\system32\blank.htm
            IE - HKU\x_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com
             
             
             
            O1 HOSTS File: ([1999/12/07 08:00:00 | 000,000,734 | ---- | M]) - C:\WINNT\system32\drivers\etc\hosts
            O1 - Hosts: 127.0.0.1       localhost
            O3 - HKLM\..\Toolbar: (@msdxmLC.dll,-1@1033,&Radio) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx ()
            O4 - HKLM..\Run: [Acronis Scheduler2 Service] C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe (Acronis)
            O4 - HKLM..\Run: [AcronisTimounterMonitor] C:\Program Files\Maxtor\MaxBlast\TimounterMonitor.exe (Acronis)
            O4 - HKLM..\Run: [Device Detector]  File not found
            O4 - HKLM..\Run: [MaxBlastMonitor.exe] C:\Program Files\Maxtor\MaxBlast\MaxBlastMonitor.exe (Maxtor)
            O4 - HKLM..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe (Ahead Software Gmbh)
            O4 - HKLM..\Run: [NvCplDaemon] C:\WINNT\System32\NvCpl.DLL (NVIDIA Corporation)
            O4 - HKLM..\Run: [NvMediaCenter] C:\WINNT\System32\NvMcTray.DLL (NVIDIA Corporation)
            O4 - HKLM..\Run: [nwiz] C:\WINNT\System32\nwiz.exe ()
            O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
            O7 - HKU\x_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
            O9 - Extra Button: @shdoclc.dll,-866 - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\Web\related.htm ()
            O9 - Extra 'Tools' menuitem : @shdoclc.dll,-864 - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\Web\related.htm ()
            O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINNT\system32\RNR20.DLL (Microsoft Corporation)
            O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
            O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
            O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
            O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
            O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
            O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
            O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
            O16 - DPF: DirectAnimation Java Classes file://C:\WINNT\Java\classes\dajava.cab (Reg Error: Key error.)
            O16 - DPF: Microsoft XML Parser for Java file://C:\WINNT\Java\classes\xmldso.cab (Reg Error: Key error.)
            O18 - Protocol\Handler\vnd.ms.radio {3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} - C:\WINNT\system32\msdxm.ocx ()
            O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINNT\explorer.exe (Microsoft Corporation)
            O20 - Winlogon\Notify\wzcnotif: DllName - wzcdlg.dll - C:\WINNT\System32\wzcdlg.dll (Microsoft Corporation)
            O30 - LSA: Authentication Packages - (relog_ap) - C:\WINNT\System32\relog_ap.dll (Acronis)
            O32 - HKLM CDRom: AutoRun - 1
            O32 - AutoRun File - [2007/09/02 17:33:33 | 000,000,000 | -H-- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
            O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
            O34 - HKLM BootExecute: (autocheck autochk *) -  File not found
            O35 - HKLM\..comfile [open] -- "%1" %*
            O35 - HKLM\..exefile [open] -- "%1" %*
            O37 - HKLM\...com [@ = comfile] -- "%1" %*
            O37 - HKLM\...exe [@ = exefile] -- "%1" %*
             
            ========== Files/Folders - Created Within 30 Days ==========
             
            [1 C:\WINNT\System32\*.tmp files -> C:\WINNT\System32\*.tmp -> ]
            [1 C:\WINNT\*.tmp files -> C:\WINNT\*.tmp -> ]
             
            ========== Files - Modified Within 30 Days ==========
             
            [1 C:\WINNT\System32\*.tmp files -> C:\WINNT\System32\*.tmp -> ]
            [1 C:\WINNT\*.tmp files -> C:\WINNT\*.tmp -> ]
             
            ========== Files Created - No Company Name ==========
             
            [2007/09/02 17:32:47 | 000,021,952 | -H-- | C] () -- C:\Program Files\folder.htt
            [2007/09/02 13:25:32 | 000,004,073 | ---- | C] () -- C:\WINNT\ODBCINST.INI
            [2007/04/13 05:11:14 | 001,662,976 | ---- | C] () -- C:\WINNT\System32\nvwdmcpl.dll
            [2007/04/13 05:11:14 | 001,019,904 | ---- | C] () -- C:\WINNT\System32\nvwimg.dll
            [2007/04/13 05:11:14 | 000,466,944 | ---- | C] () -- C:\WINNT\System32\nvshell.dll
            [2007/04/13 05:11:14 | 000,286,720 | ---- | C] () -- C:\WINNT\System32\nvnt4cpl.dll
            [2007/04/13 05:11:12 | 001,470,464 | ---- | C] () -- C:\WINNT\System32\nview.dll
            [1999/12/07 08:00:00 | 000,176,400 | ---- | C] () -- C:\WINNT\System32\qcut.dll
            [1999/12/07 08:00:00 | 000,033,552 | ---- | C] () -- C:\WINNT\System32\efsadu.dll
            [1999/12/07 08:00:00 | 000,007,265 | ---- | C] () -- C:\WINNT\System32\iasperf.ini
            [1999/12/07 08:00:00 | 000,001,505 | ---- | C] () -- C:\WINNT\System32\faxperf.ini
            [1999/12/07 08:00:00 | 000,000,023 | ---- | C] () -- C:\WINNT\welcome.ini
            [1999/09/25 06:36:24 | 000,088,816 | ---- | C] () -- C:\WINNT\System32\drivers\lvcam.sys
            [1999/09/25 06:36:22 | 000,017,424 | ---- | C] () -- C:\WINNT\System32\drivers\lvsound.sys
             
            ========== LOP Check ==========
             
            [2007/09/08 10:14:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\x\Application Data\ACD Systems
             
            ========== Purity Check ==========
             
             
            < End of report >

            SuperDave

            Re: Questions about Computer Hope's malware removal guide
            « Reply #9 on: November 04, 2010, 12:46:37 PM »
            Please run MBAM again and, this time, let it fix the infections. Then try booting in Normal Mode and run SAS and MBAM again.

            myswtsins


              Re: Questions about Computer Hope's malware removal guide
              « Reply #10 on: November 06, 2010, 02:22:03 PM »
              That's odd because I know I removed them and they did not come up on the next scan (complete, in safe mode), but it did find a svchost.exe infection.  I will post the log soon, as I am trying not to use that PC because new stuff pops up every time I turn it on.  I tried to run the SAS scan in normal mode but it ran for 16+ hrs and then was on the main menu again with no log.

              SuperDave

              Re: Questions about Computer Hope's malware removal guide
              « Reply #11 on: November 06, 2010, 04:16:01 PM »
                Ok. Let's try this:

                Please download ComboFix from BleepingComputer.com

                Alternate link: GeeksToGo.com

                -) Rename ComboFix.exe to commy.exe before you save it to your Desktop.
                -) Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here.
                -) Click Start>Run, then copy and paste the following command into the Run box & click OK: "%userprofile%\desktop\commy.exe" /stepdel
                -) As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
                -) Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

                Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

                Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


                Click on Yes, to continue scanning for malware.
                When finished, it shall produce a log for you.  Please include the contents of C:\ComboFix.txt in your next reply.

                If you have problems with ComboFix usage, see How to use ComboFix


                myswtsins


                  Re: Questions about Computer Hope's malware removal guide
                  « Reply #12 on: November 06, 2010, 09:03:41 PM »
                  I have not done what you asked yet but as I was trying another scan with SAS while waiting for your response I got this pop-up craziness http://s70.photobucket.com/albums/i93/myswtsins/Other/?action=view&current=untitled.jpg.


                  I do have PC doctor spyware on my PC and CA antivirus (comes with my cablevision package), so I know I do have antivirus even though that Windows alert says otherwise.  All those porn & spam icons on my desktop were not there before though.  I didn't want to do ANYthing without your advice, so I took the screen shot and just left everything alone.

                  I also want to let you know that I am trying to clean my PC so I can transfer some files over to an external HD and reformat my PC.  I don't know if that would make any difference in this process.


                  SuperDave

                  Re: Questions about Computer Hope's malware removal guide
                  « Reply #13 on: November 07, 2010, 11:26:15 AM »
                  BTW, that is malware that is causing those pop-ups. Don't click on anything.

                  If you plan to reformat, please follow this advice:

                  Backing up files before formatting

                  If you back up any files, they should be scanned from a clean, properly protected PC before restoring. Also be careful what scanner is used, as some are very poor at detecting and even worse at protecting from this infection. In fact, due to the nature of these new infections, there are probably no tools that will properly protect you from the infection. Be very selective and only back up files you cannot replace, like text documents and personal photos.

                  Do not back up to another machine! It will likely become infected by Virut. Burn to DVD/CD RW's, a flash drive or to an external drive which has nothing else on it and which you can format should it become infected from the backups.

                  I suggest running at least 3 of the below scanners on the backup files. Run the first scan, then reboot before running the second; then reboot after the second before running the third.

                  -) Dr.Web CureIt!
                  -) AVG Win32/Virut Removal Tool
                  -) Symantec W32.Virut Removal Tool
                  -) McAfee Avert Stinger
                  -) Microsoft Windows Malicious Software Removal Tool

                  If you do not know how to perform a fresh install, use this website -> www.windowsreinstall.com/


                  myswtsins


                    Re: Questions about Computer Hope's malware removal guide
                    « Reply #14 on: November 08, 2010, 09:03:07 PM »
                    Sorry, but I just want to make sure I am doing what you ask correctly: you want me to still run the ComboFix and continue to clean my PC before doing the backup, right?