Author Topic: XP virus  (Read 17524 times)

Mulreay

XP virus
« on: January 09, 2011, 01:56:47 PM »
OK I have been given a laptop by my parents that is running XP 32-bit Professional. I'm using my Vista laptop for this.
I use Microsoft Security Essentials for both laptops, with Malwarebytes, SAS and I do have Sandboxie on both.

Every 10 mins or so I'm getting a virus alert from MSE but never exactly the same... the one I have just quarantined now is
VirTool:Win32/ceeInject.gen!J

Basically I can no longer update MSE on the XP laptop as it says it's failed and cannot progress.

Quote
Virus & Spyware update failed

MSE wasn't able to check for blah blah

Error code 0x80072efe

Error description: 'Yeah right' nothing


I would tell you the other viruses but the history seems to be deleted every time...
When I try to link to MS through the MSE program it will come back on the web browser saying that
'This has been flagged as a malicious request'

Am I somehow a receiver of a fake version of MSE on this XP laptop?

I have nothing left to give it other than a full uninstall 'if I can' and re-install again.

Thanks in advance as always.  ;)
For when the One Great Scorer comes
To write against your name,
He marks - not that you won or lost,
But how you played the game.

Owner of www.spaceandscience.co.uk and YouTube partner http://www.youtube.com/user/mulreay

Mulreay

Re: XP virus
« Reply #1 on: January 09, 2011, 01:58:21 PM »
The time it took me to post this the same virus has just been flagged again...  ::)

BC_Programmer


Re: XP virus
« Reply #2 on: January 09, 2011, 02:08:42 PM »
Have you actually run Malwarebytes?
I was trying to dereference Null Pointers before it was cool.

Mulreay

Re: XP virus
« Reply #3 on: January 09, 2011, 02:12:14 PM »
Quote
Have you actually run Malwarebytes?

Sorry I was less than clear... yes I have run Malwarebytes... nothing. And SAS with still nothing.

SuperDave

  • Malware Removal Specialist


Re: XP virus
« Reply #4 on: January 09, 2011, 07:36:15 PM »
Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
Hi Mulreay. Let's try this:

Please download ComboFix from BleepingComputer.com

Alternate link: GeeksToGo.com

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here
  • Double click ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you.  Please include the contents of C:\ComboFix.txt in your next reply.

If you have problems with ComboFix usage, see How to use ComboFix
Windows 8 and Windows 10 dual boot with two SSD's

Mulreay

Re: XP virus
« Reply #5 on: January 10, 2011, 11:44:19 AM »
Thanks for the reply. I had some trouble transferring the program to the infected laptop but all done.
When I try to run the program on the laptop it creates a BSOD. Tried twice with same results.
Thanks in advance

SuperDave

Re: XP virus
« Reply #6 on: January 10, 2011, 01:43:07 PM »
Ok. Let's try this:

Delete your copy of ComboFix; download a fresh copy, except before you download it, rename it to blackpudding.bat

Navigate to Start --> Run, and enter the following command exactly as shown:

"%userprofile%\desktop\blackpudding.bat" /killall

See if ComboFix will run now

Mulreay

Re: XP virus
« Reply #7 on: January 10, 2011, 02:07:22 PM »
Thanks for the reply.
Just tried it, followed your instructions fully... ComboFix started, it got to the end of the progress bar as normal and then I was hit with another BSOD.
Thanks in advance.

SuperDave

Re: XP virus
« Reply #8 on: January 11, 2011, 12:00:27 PM »
Download BlueScreenView to your desktop.
Unzip the downloaded file and double click on BlueScreenView.exe to run the program.
When scanning is done, go to EDIT - Select All.
Go to FILE - SAVE Selected Items, and save the report as BSOD.txt.
Open BSOD.txt in Notepad, copy all of the content, and paste it into your next reply.

Mulreay

Re: XP virus
« Reply #9 on: January 11, 2011, 03:49:07 PM »
OK here's all the information.
Quote
==================================================
Dump File         : Mini011011-04.dmp
Crash Time        : 10/01/2011 21:12:26
Bug Check String  : BAD_POOL_HEADER
Bug Check Code    : 0x00000019
Parameter 1       : 0x00000020
Parameter 2       : 0x82792e50
Parameter 3       : 0x82792e60
Parameter 4       : 0x1a020001
Caused By Driver  : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+5c846
File Description  : NT Kernel & System
Product Name      : Microsoft® Windows® Operating System
Company           : Microsoft Corporation
File Version      : 5.1.2600.5973 (xpsp_sp3_gdr.100427-1636)
Processor         : 32-bit
Computer Name     :
Full Path         : C:\WINDOWS\Minidump\Mini011011-04.dmp
Processors Count  : 1
Major Version     : 15
Minor Version     : 2600
Dump File Size    : 98,304
==================================================

==================================================
Dump File         : Mini011011-03.dmp
Crash Time        : 10/01/2011 18:45:29
Bug Check String  : BAD_POOL_HEADER
Bug Check Code    : 0x00000019
Parameter 1       : 0x00000020
Parameter 2       : 0x82c33e78
Parameter 3       : 0x82c33e88
Parameter 4       : 0x1a020001
Caused By Driver  : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+5c846
File Description  : NT Kernel & System
Product Name      : Microsoft® Windows® Operating System
Company           : Microsoft Corporation
File Version      : 5.1.2600.5973 (xpsp_sp3_gdr.100427-1636)
Processor         : 32-bit
Computer Name     :
Full Path         : C:\WINDOWS\Minidump\Mini011011-03.dmp
Processors Count  : 1
Major Version     : 15
Minor Version     : 2600
Dump File Size    : 98,304
==================================================

==================================================
Dump File         : Mini011011-02.dmp
Crash Time        : 10/01/2011 18:40:55
Bug Check String  : BAD_POOL_HEADER
Bug Check Code    : 0x00000019
Parameter 1       : 0x00000020
Parameter 2       : 0x82c47d80
Parameter 3       : 0x82c47d90
Parameter 4       : 0x1a020001
Caused By Driver  : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+5c846
File Description  : NT Kernel & System
Product Name      : Microsoft® Windows® Operating System
Company           : Microsoft Corporation
File Version      : 5.1.2600.5973 (xpsp_sp3_gdr.100427-1636)
Processor         : 32-bit
Computer Name     :
Full Path         : C:\WINDOWS\Minidump\Mini011011-02.dmp
Processors Count  : 1
Major Version     : 15
Minor Version     : 2600
Dump File Size    : 98,304
==================================================

==================================================
Dump File         : Mini011011-01.dmp
Crash Time        : 10/01/2011 18:01:24
Bug Check String  : BAD_POOL_HEADER
Bug Check Code    : 0x00000019
Parameter 1       : 0x00000020
Parameter 2       : 0x82512d98
Parameter 3       : 0x82512da8
Parameter 4       : 0x1a020001
Caused By Driver  : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+5c846
File Description  : NT Kernel & System
Product Name      : Microsoft® Windows® Operating System
Company           : Microsoft Corporation
File Version      : 5.1.2600.5973 (xpsp_sp3_gdr.100427-1636)
Processor         : 32-bit
Computer Name     :
Full Path         : C:\WINDOWS\Minidump\Mini011011-01.dmp
Processors Count  : 1
Major Version     : 15
Minor Version     : 2600
Dump File Size    : 98,304
==================================================


Thanks in advance

SuperDave

Re: XP virus
« Reply #10 on: January 11, 2011, 03:51:19 PM »
SysProt Antirootkit

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

http://sites.google.com/site/sysprotantirootkit/

Unzip it into a folder on your desktop.
  • Double click Sysprot.exe to start the program.
  • Click on the Log tab.
  • In the Write to log box select the following items.
    • Process << Selected
    • Kernel Modules << Selected
    • SSDT << Selected
    • Kernel Hooks << Selected
    • IRP Hooks << NOT Selected
    • Ports << NOT Selected
    • Hidden Files << Selected
  • At the bottom of the page
    • Hidden Objects Only << Selected
  • Click on the Create Log button on the bottom right.
  • After a few seconds a new window should appear.
  • Select Scan Root Drive. Click on the Start button.
  • When it is complete a new window will appear to indicate that the scan is finished.
  • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.

Mulreay

Re: XP virus
« Reply #11 on: January 11, 2011, 04:34:11 PM »
Quote
SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

No Hidden Processes found

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: spvj.sys
Service Name: ---
Module Base: F8623000
Module End: F8716000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\axfkzztj.SYS
Service Name: ---
Module Base: F8055000
Module End: F808E000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: EFC65000
Module End: EFC7D000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Module Base: F8C3B000
Module End: F8C3D000
Hidden: Yes

******************************************************************************************
******************************************************************************************
SSDT:
Function Name: ZwCreateKey
Address: F86240E0
Driver Base: F8623000
Driver End: F8716000
Driver Name: spvj.sys

Function Name: ZwEnumerateKey
Address: F863CDA4
Driver Base: F8623000
Driver End: F8716000
Driver Name: spvj.sys

Function Name: ZwEnumerateValueKey
Address: F863D132
Driver Base: F8623000
Driver End: F8716000
Driver Name: spvj.sys

Function Name: ZwOpenKey
Address: F86240C0
Driver Base: F8623000
Driver End: F8716000
Driver Name: spvj.sys

Function Name: ZwQueryKey
Address: F863D20A
Driver Base: F8623000
Driver End: F8716000
Driver Name: spvj.sys

Function Name: ZwQueryValueKey
Address: F863D08A
Driver Base: F8623000
Driver End: F8716000
Driver Name: spvj.sys

Function Name: ZwSetValueKey
Address: F863D29C
Driver Base: F8623000
Driver End: F8716000
Driver Name: spvj.sys

******************************************************************************************
******************************************************************************************
Kernel Hooks:
Hooked Function: ZwTraceEvent
At Address: 80545B50
Jump To: F8DC0C00
Module Name: _unknown_

Hooked Function: ZwRequestWaitReplyPort
At Address: 80576EC6
Jump To: F8DC0D40
Module Name: _unknown_

Hooked Function: ZwRequestPort
At Address: 805DD6A4
Jump To: F8DC0CA0
Module Name: _unknown_

******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\System Volume Information\MountPointManagerRemoteDatabase
Status: Access denied

Object: C:\System Volume Information\tracking.log
Status: Access denied

Object: C:\System Volume Information\_restore{676E63C1-62B2-4BFE-AC21-50126F8361CA}
Status: Access denied


There you go. That's everything.
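
An added example, not part of the original thread and not SysProt's own code: a small parser for the log layout posted in Reply #11 that works out which listed kernel module each SSDT handler address and each inline-hook jump target falls inside. The sample log is a constructed, shortened excerpt, and the function names and verdict strings are assumptions of this example; because the log was written with "Hidden Objects Only" selected, "listed" means listed in this log.

```python
import re
from collections import defaultdict

# Constructed sample: a shortened excerpt in the layout of the SysProt log above.
SAMPLE_LOG = r"""
Kernel Modules:
Module Name: spvj.sys
Service Name: ---
Module Base: F8623000
Module End: F8716000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: EFC65000
Module End: EFC7D000
Hidden: Yes

******************************
SSDT:
Function Name: ZwSetValueKey
Address: F863D29C
Driver Base: F8623000
Driver End: F8716000
Driver Name: spvj.sys

******************************
Kernel Hooks:
Hooked Function: ZwTraceEvent
At Address: 80545B50
Jump To: F8DC0C00
Module Name: _unknown_
"""

SECTION = re.compile(r"^(Kernel Modules|SSDT|Kernel Hooks):$")

def parse_sysprot(text):
    """Split a SysProt log into {section: [{field: value}, ...]}."""
    out, section, rec = defaultdict(list), None, {}
    for line in [ln.strip() for ln in text.splitlines()] + [""]:
        m = SECTION.match(line)
        if m or not line or set(line) == {"*"}:
            if section and rec:      # header, blank line or star rule ends a record
                out[section].append(rec)
            rec = {}
            section = m.group(1) if m else (None if line else section)  # star rule closes the section
        elif section and ": " in line:
            key, value = line.split(": ", 1)
            rec[key] = value
    return out

def owning_module(addr, modules):
    """Return the listed module whose [base, end) range holds addr, else None."""
    return next((m for m in modules
                 if int(m["Module Base"], 16) <= addr < int(m["Module End"], 16)), None)

def triage(text):
    """Return (kind, function, module, verdict) for every hook in the log."""
    log = parse_sysprot(text)
    mods, findings = log["Kernel Modules"], []
    for e in log["SSDT"]:
        mod = owning_module(int(e["Address"], 16), mods)
        hidden = mod is not None and mod.get("Hidden") == "Yes"
        findings.append(("ssdt", e["Function Name"], e["Driver Name"],
            "handler in hidden module" if hidden else "handler not in a hidden module"))
    for h in log["Kernel Hooks"]:
        mod = owning_module(int(h["Jump To"], 16), mods)
        findings.append(("inline", h["Hooked Function"],
            mod["Module Name"] if mod else h["Module Name"],
            "target in listed module" if mod else "target outside listed modules"))
    return findings

if __name__ == "__main__":
    print(*triage(SAMPLE_LOG), sep="\n")
```

Legitimate drivers install hooks of this kind too, so the output is a list of modules to identify, not a verdict on any of them.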

SuperDave

Re: XP virus
« Reply #12 on: January 12, 2011, 12:27:02 PM »
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • Click the Report button and copy/paste the contents of it into your next reply
Note: It will also create a log in the C:\ directory.

Mulreay

Re: XP virus
« Reply #13 on: January 12, 2011, 02:51:52 PM »
I ran the program but I could not find the logs, there was a mention of a rootkit virus removal. But not sure what to do.
Thanks in advance.

SuperDave

Re: XP virus
« Reply #14 on: January 12, 2011, 07:17:28 PM »
Ok. Please run it again. I would like to see the report/log.