
Topic: Cannot remove this virus which started with Win32:JunkPoly [Cryp]


h4cker

    Topic Starter


    Rookie
  • Certifications: List
  • Computer: Specs
  • Experience: Expert
  • OS: Windows 7
Let me explain the story:

This is where it started: I downloaded Alcohol 120% which contained a crack to register the executable. I have avast! running 24/7 as my antivirus/firewall which is the first engine that caught the virus. The virus was hidden as the RAR file was scanned before use. The first virus that was caught was Win32:JunkPoly [Cryp] which you will see in my included log of Avast!. It seems that multiple files that were originally needed/safe to the system were inevitably infected (again as you will see in the log).

I have run SEVERAL scan engines on my own to attempt to remove the virus, to no avail, as I am getting error messages when I open various applications, although I have removed multiple files that were "infected" with the virus.
Note: Debating with the uploader that the file had a virus, I ran it again the exact same way as before to test if Avast! detected the virus again, but nothing was found.

I have done some research on the virus and have read something that suggested it somehow alters the compatibility mode, stating that it prevents some applications from being started, giving the error message I attached, except displaying the titles pertaining to the specific application that I try to start. This error message is displayed when opening several different applications.

This is the history of my case, if you need more info, please let me know.
Thanks for your help.

P.S: I have included the four (4) mandatory logs in the attachment slots and am providing additional logs via filedropper I feel you may find helpful with our quest.
http://www.filedropper.com/avastlog_2
http://www.filedropper.com/applicationerror_1

[attachment deleted by admin]
« Last Edit: February 20, 2009, 02:51:48 PM by h4cker »

h4cker

Re: Cannot remove this virus which started with Win32:JunkPoly [Cryp]
« Reply #1 on: February 17, 2009, 10:56:41 PM »
Is it that I'm not getting any advice because I'm missing something?

evilfantasy

  • Malware Removal Specialist
  • Moderator


  • Genius
  • Calm like a bomb
  • Thanked: 493
  • Experience: Experienced
  • OS: Windows 11
Re: Cannot remove this virus which started with Win32:JunkPoly [Cryp]
« Reply #2 on: February 18, 2009, 11:10:16 AM »
Are you asking to help make the crack work or to remove the malware? Removing all crack is the only way I will help.

Also could you please fix your system specs. It shouldn't be displaying like that. It should be a javascript window that pops up. The way it is is taking up a lot of space unnecessarily.

h4cker

Re: Cannot remove this virus which started with Win32:JunkPoly [Cryp]
« Reply #3 on: February 18, 2009, 12:16:50 PM »
> Are you asking to help make the crack work or to remove the malware? Removing all crack is the only way I will help.
>
> Also could you please fix your system specs. It shouldn't be displaying like that. It should be a javascript window that pops up. The way it is is taking up a lot of space unnecessarily.

I'm asking to get help to remove the malware. The RAR file has already been deleted. Thanks.

evilfantasy

Re: Cannot remove this virus which started with Win32:JunkPoly [Cryp]
« Reply #4 on: February 18, 2009, 12:52:00 PM »
Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

Link #1
Link #2

Note: It is important that it is saved directly to your Desktop.

Close any open web browsers (Firefox, Internet Explorer, etc.) before starting ComboFix.

Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
 
Double click combofix.exe & follow the prompts.
When finished ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

If you have problems with ComboFix usage, see How to use ComboFix

h4cker

Re: Cannot remove this virus which started with Win32:JunkPoly [Cryp]
« Reply #5 on: February 18, 2009, 05:50:59 PM »
Just ran combofix as advised and will reboot the pc. I will not try anything until further instructions are provided. Thanks for the help.
----------------------------------------------------------------------------------------------------------------------
ComboFix 09-02-17.02 - Chris 2009-02-18 18:42:15.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2046.1283 [GMT -6:00]
Running from: c:\documents and settings\Chris\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090217-0] *On-access scanning disabled* (Updated)
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\install.exe
c:\windows\system32\inf\rundll33.exe
c:\windows\xccwinsys.ini

c:\windows\system32\userinit.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

.
(((((((((((((((((((((((((   Files Created from 2009-01-19 to 2009-02-19  )))))))))))))))))))))))))))))))
.

2009-02-17 07:42 . 2009-02-17 07:42   <DIR>   d--------   c:\program files\Belarc
2009-02-17 07:42 . 2008-02-27 12:49   3,840   --a------   c:\windows\system32\drivers\BANTExt.sys
2009-02-16 04:31 . 2008-02-22 05:30   334,792   --a------   c:\windows\system32\_AxShlEx.dll
2009-02-16 04:26 . 2008-10-16 14:06   208,744   --a------   c:\windows\system32\muweb.dll
2009-02-16 03:23 . 2009-02-18 18:42   <DIR>   d--------   c:\windows\system32\inf
2009-02-16 01:06 . 2009-02-16 01:06   <DIR>   d--------   c:\program files\Trend Micro
2009-02-16 00:44 . 2009-02-16 00:44   <DIR>   d--------   c:\program files\IObit
2009-02-16 00:44 . 2009-02-16 00:44   <DIR>   d--------   c:\documents and settings\Chris\Application Data\IObit
2009-02-16 00:35 . 2009-02-16 01:30   <DIR>   d--------   c:\program files\SpywareBlaster
2009-02-16 00:35 . 2005-08-25 19:18   118,784   --a------   c:\windows\system32\MSSTDFMT.DLL
2009-02-16 00:32 . 2009-02-16 18:09   <DIR>   d--------   c:\program files\Spyware Terminator
2009-02-16 00:32 . 2009-02-16 16:43   <DIR>   d--------   c:\documents and settings\Chris\Application Data\Spyware Terminator
2009-02-16 00:32 . 2009-02-16 02:18   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Spyware Terminator
2009-02-16 00:32 . 2009-02-16 00:32   142,592   --a------   c:\windows\system32\drivers\sp_rsdrv2.sys
2009-02-16 00:31 . 2009-02-16 00:31   <DIR>   d--------   c:\program files\SUPERAntiSpyware
2009-02-16 00:31 . 2009-02-16 00:31   <DIR>   d--------   c:\documents and settings\Chris\Application Data\SUPERAntiSpyware.com
2009-02-16 00:31 . 2009-02-16 00:31   <DIR>   d--------   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-02-14 22:23 . 2009-02-14 22:23   <DIR>   d--------   c:\program files\XviD
2009-02-14 22:21 . 2009-02-15 01:00   <DIR>   d--------   c:\program files\Growler Guncam
2009-02-14 22:21 . 2009-02-14 22:21   <DIR>   d--------   c:\program files\Common Files\GC Install
2009-02-14 20:07 . 2009-02-14 20:07   <DIR>   d--------   c:\program files\QuickTime
2009-02-14 18:41 . 2009-02-15 21:50   <DIR>   d--------   c:\windows\SHELLNEW
2009-02-14 03:53 . 2008-04-14 05:15   60,032   --a------   c:\windows\system32\drivers\USBAUDIO.sys
2009-02-13 19:56 . 2009-02-14 23:12   <DIR>   d--------   c:\program files\Steam
2009-02-12 21:24 . 2009-02-12 21:24   <DIR>   d--------   c:\program files\AC3Filter
2009-02-12 21:24 . 2007-08-18 01:54   380,928   --a------   c:\windows\system32\ac3filter.acm
2009-02-12 21:23 . 2009-02-12 21:23   <DIR>   d--------   c:\program files\GNU
2009-02-12 20:46 . 2009-02-12 20:48   <DIR>   d--------   c:\program files\Project64 1.6
2009-02-12 13:01 . 2009-02-12 13:16   <DIR>   d--------   C:\Converted Audio Files
2009-02-12 12:11 . 2009-02-12 12:59   <DIR>   d--------   c:\program files\Acoustica Audio Converter Pro
2009-02-12 12:11 . 2002-11-05 15:16   57,344   --a------   c:\windows\system32\Wnaspint.dll
2009-02-11 05:54 . 2009-02-16 02:29   126   --a------   c:\windows\wininit.ini
2009-02-11 05:53 . 2009-02-11 05:53   <DIR>   d--------   c:\windows\system32\xlive
2009-02-11 00:06 . 2009-02-11 00:24   <DIR>   d--------   c:\program files\City of Heroes
2009-02-11 00:04 . 2009-02-11 00:04   <DIR>   d--------   c:\documents and settings\Chris\Application Data\ID3 renamer
2009-02-10 23:11 . 2009-02-10 23:11   <DIR>   d--------   c:\documents and settings\Chris\Application Data\Thinstall
2009-02-10 13:15 . 2009-02-14 23:16   <DIR>   d--------   c:\program files\Game Cam
2009-02-10 13:15 . 2001-05-11 13:18   420,240   --a------   c:\windows\system32\mpg4c32.dll
2009-02-10 13:15 . 2001-03-26 04:41   245,760   --a------   c:\windows\system32\mp4sds32.ax
2009-02-08 00:01 . 2009-02-08 00:01   <DIR>   d--------   c:\windows\system32\AGEIA
2009-02-08 00:01 . 2009-02-08 00:01   <DIR>   d--------   c:\program files\AGEIA Technologies
2009-02-07 23:31 . 2009-02-07 23:31   <DIR>   d--------   c:\program files\SuperNZB
2009-02-07 23:31 . 2009-02-07 23:34   <DIR>   d--------   c:\documents and settings\Chris\Application Data\SuperNZB
2009-02-07 16:42 . 2009-02-07 16:42   <DIR>   d--------   c:\program files\Alcohol Soft
2009-02-07 11:07 . 2007-03-21 14:49   16,145,408   --a------   c:\windows\RTHDCPL.EXE
2009-02-07 11:07 . 2007-03-23 19:19   9,734,144   --a------   c:\windows\RTLCPL.EXE
2009-02-07 11:07 . 2007-03-26 19:21   4,395,008   --a------   c:\windows\system32\drivers\RtkHDAud.sys
2009-02-07 11:07 . 2006-05-04 16:26   2,827,776   --a------   c:\windows\ALCWZRD.EXE
2009-02-07 11:07 . 2006-10-11 17:42   2,175,488   --a------   c:\windows\MicCal.exe
2009-02-07 11:07 . 2007-03-16 15:06   1,843,200   --a------   c:\windows\SkyTel.exe
2009-02-07 11:07 . 2007-01-16 10:39   1,212,416   --a------   c:\windows\RtlUpd.exe
2009-02-07 11:07 . 2005-09-21 10:25   299,008   --a------   c:\windows\system32\ALSNDMGR.CPL
2009-02-07 11:07 . 2006-08-18 06:58   282,624   --a------   c:\windows\system32\RTSndMgr.CPL
2009-02-07 11:07 . 2006-07-21 16:14   106,496   --a------   c:\windows\SOUNDMAN.EXE
2009-02-07 11:07 . 2005-05-03 18:43   90,112   --a------   c:\windows\ALCMTR.EXE
2009-02-07 03:07 . 2009-02-07 03:07   <DIR>   d--------   C:\1274d59037d484c3402074
2009-02-07 03:06 . 2009-02-07 11:04   <DIR>   d--------   c:\windows\SxsCaPendDel
2009-02-06 02:02 . 2009-02-06 02:02   4,096   --a------   c:\windows\system32\crash
2009-02-05 23:56 . 2009-02-05 23:56   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Trymedia
2009-02-01 21:20 . 2009-02-14 22:06   <DIR>   d--------   c:\program files\Game Cam V2
2009-02-01 14:48 . 2009-02-01 14:48   <DIR>   dr-h-----   c:\documents and settings\Chris\Application Data\SecuROM
2009-02-01 14:48 . 2009-02-11 01:30   <DIR>   d--------   c:\documents and settings\Chris\Application Data\Bioshock
2009-02-01 09:36 . 2009-02-13 11:15   <DIR>   d--------   c:\program files\iArt
2009-02-01 04:32 . 2009-02-15 05:22   <DIR>   d--------   C:\Fraps
2009-01-30 02:32 . 2009-01-30 02:40   <DIR>   d--------   c:\program files\EndItAll
2009-01-30 02:18 . 2009-01-30 03:00   <DIR>   d--------   c:\documents and settings\All Users\Application Data\WinZip
2009-01-30 02:17 . 2009-01-30 02:47   66,048   --a------   c:\documents and settings\Chris\Application Data\keygen.exe
2009-01-30 01:34 . 2009-01-30 01:34   <DIR>   d--------   c:\program files\MediaMonkey
2009-01-29 08:54 . 2009-01-29 08:54   <DIR>   d--------   c:\program files\CDBurnerXP
2009-01-29 08:54 . 2009-01-29 08:54   <DIR>   d--------   c:\documents and settings\Chris\Application Data\Canneverbe_Limited
2009-01-29 05:10 . 2009-01-29 05:10   <DIR>   d--------   C:\$WINDOWS.~BT
2009-01-29 05:10 . 2009-01-29 08:41   38,665   --a------   c:\windows\diagerr.xml
2009-01-29 05:10 . 2009-01-29 08:41   1,905   --a------   c:\windows\diagwrn.xml
2009-01-28 04:46 . 2008-04-14 05:15   26,112   --a------   c:\windows\system32\drivers\usbser.sys
2009-01-28 04:46 . 2008-03-21 13:57   14,640   ---------   c:\windows\system32\spmsgXP_2k3.dll
2009-01-28 04:46 . 2009-01-28 04:46   0   --ah-----   c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-01-28 04:46 . 2009-01-28 04:46   0   --ah-----   c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
2009-01-28 04:41 . 2008-09-15 07:29   1,112,288   --a------   c:\windows\system32\wdfcoinstaller01007.dll
2009-01-28 04:41 . 2008-09-15 07:56   659,968   --a------   c:\windows\system32\nmwcdcocls.dll
2009-01-28 04:41 . 2008-02-01 15:17   138,112   --a------   c:\windows\system32\drivers\nmwcdnsu.sys
2009-01-28 04:41 . 2008-09-15 07:56   22,016   --a------   c:\windows\system32\drivers\ccdcmbo.sys
2009-01-28 04:41 . 2008-09-15 07:56   17,664   --a------   c:\windows\system32\drivers\ccdcmb.sys
2009-01-28 04:41 . 2008-02-01 15:17   8,320   --a------   c:\windows\system32\drivers\nmwcdnsuc.sys
2009-01-28 04:41 . 2008-09-15 07:56   8,064   --a------   c:\windows\system32\drivers\usbser_lowerfltj.sys
2009-01-28 04:41 . 2008-09-15 07:56   8,064   --a------   c:\windows\system32\drivers\usbser_lowerflt.sys
2009-01-28 04:40 . 2009-01-28 04:40   <DIR>   d--------   c:\program files\Common Files\Nokia
2009-01-28 04:39 . 2009-01-28 04:39   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Installations
2009-01-28 03:49 . 2009-01-28 03:49   <DIR>   d--------   c:\documents and settings\Chris\Application Data\NSeries
2009-01-26 04:44 . 2009-01-26 04:44   <DIR>   d--------   c:\documents and settings\Chris\Application Data\IGN_DLM
2009-01-26 04:22 . 2009-01-26 04:22   <DIR>   d--------   c:\program files\Rockstar Games
2009-01-25 17:04 . 2009-01-25 17:04   <DIR>   d--------   c:\program files\Duplicate Cleaner
2009-01-25 17:04 . 2007-09-24 11:04   675,840   --a------   c:\windows\system32\AudioGenie24.ocx
2009-01-25 05:54 . 2009-01-25 05:54   <DIR>   d--------   c:\program files\Mp3tag
2009-01-25 05:54 . 2009-01-25 07:48   <DIR>   d--------   c:\documents and settings\Chris\Application Data\Mp3tag
2009-01-25 05:43 . 2009-01-25 05:43   <DIR>   d--------   c:\documents and settings\Chris\Application Data\AQUATRA
2009-01-25 03:20 . 2009-01-25 12:45   107,888   --a------   c:\windows\system32\CmdLineExt.dll
2009-01-25 02:15 . 2003-08-26 09:54   930,980   --a------   c:\windows\PUNKBUSTER.RTP
2009-01-25 01:31 . 2009-01-25 02:05   <DIR>   d--------   c:\documents and settings\Chris\Application Data\vlc
2009-01-25 01:27 . 2009-01-25 01:27   <DIR>   d--------   c:\program files\VideoLAN
2009-01-24 19:12 . 2009-01-24 19:12   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Nokia
2009-01-24 19:08 . 2009-02-14 04:02   <DIR>   d--------   c:\windows\Downloaded Installations
2009-01-24 19:08 . 2009-01-24 19:24   <DIR>   d--------   c:\documents and settings\Chris\Application Data\Nokia
2009-01-24 19:08 . 2009-01-28 03:40   <DIR>   d--------   c:\documents and settings\All Users\Application Data\PC Suite
2009-01-24 19:05 . 2009-01-24 19:05   <DIR>   d--------   c:\program files\Common Files\PCSuite
2009-01-24 19:05 . 2009-01-24 19:05   <DIR>   d--------   c:\documents and settings\Chris\Application Data\SystemRequirementsLab
2009-01-24 19:03 . 2009-01-24 19:03   <DIR>   d--------   c:\program files\PC Connectivity Solution
2009-01-24 19:03 . 2009-01-28 04:41   <DIR>   d--------   c:\program files\Nokia
2009-01-24 19:03 . 2009-01-24 19:03   <DIR>   d--------   c:\program files\DIFX
2009-01-24 19:03 . 2009-01-24 19:08   <DIR>   d--------   c:\documents and settings\Chris\Application Data\PC Suite
2009-01-24 19:03 . 2008-09-15 07:56   91,136   --a------   c:\windows\system32\nmwcdcls.dll
2009-01-24 11:45 . 2009-02-12 13:06   <DIR>   d--------   c:\documents and settings\Chris\Application Data\foobar2000
2009-01-24 11:43 . 2009-01-24 11:43   <DIR>   d--------   c:\program files\foobar2000
2009-01-23 15:52 . 2009-01-23 15:52   <DIR>   d--------   c:\program files\TagRename
2009-01-23 15:45 . 2009-01-23 15:45   <DIR>   d--------   c:\program files\Bulk Rename Utility
2009-01-23 15:31 . 2009-01-23 15:31   <DIR>   d--------   c:\program files\Empty
2009-01-23 14:58 . 2009-02-17 15:43   <DIR>   d--------   c:\documents and settings\Chris\Application Data\LimeWire
2009-01-23 14:57 . 2009-01-23 14:58   <DIR>   d--------   c:\program files\LimeWire
2009-01-23 13:18 . 2009-02-16 01:41   <DIR>   d--------   c:\program files\Spybot - Search & Destroy
2009-01-23 13:18 . 2009-02-16 02:22   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-23 13:04 . 2009-01-23 13:04   <DIR>   d--------   c:\documents and settings\All Users\Application Data\RoboForm
2009-01-23 12:58 . 2009-01-23 12:58   <DIR>   d--------   c:\program files\Siber Systems
2009-01-23 04:48 . 2009-01-23 05:16   <DIR>   d--------   c:\program files\Music Alarm Clock
2009-01-23 01:11 . 2009-01-23 01:14   <DIR>   d--------   c:\program files\Ycopy
2009-01-23 01:00 . 2009-01-23 01:00   <DIR>   d--------   c:\program files\iTunes
2009-01-23 01:00 . 2009-01-23 01:00   <DIR>   d--------   c:\program files\iPod

.

[attachment deleted by admin]

h4cker

Re: Cannot remove this virus which started with Win32:JunkPoly [Cryp]
« Reply #6 on: February 18, 2009, 05:51:34 PM »
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-19 00:38   ---------   d-----w   c:\documents and settings\Chris\Application Data\.purple
2009-02-18 21:41   ---------   d-----w   c:\program files\Unlocker
2009-02-18 21:31   ---------   d-----w   c:\documents and settings\LocalService\Application Data\SACore
2009-02-17 12:26   ---------   d-----w   c:\program files\Java
2009-02-17 12:23   410,984   ----a-w   c:\windows\system32\deploytk.dll
2009-02-17 08:47   ---------   d-----w   c:\documents and settings\Chris\Application Data\BitTorrent
2009-02-17 05:47   ---------   d--h--w   c:\program files\InstallShield Installation Information
2009-02-16 09:57   ---------   d-----w   c:\program files\ATI Technologies
2009-02-16 07:46   ---------   d-----w   c:\program files\CCleaner
2009-02-16 06:19   ---------   d-----w   c:\program files\Windows Sidebar
2009-02-16 06:19   ---------   d-----w   c:\program files\Windows Media Connect 2
2009-02-16 06:09   ---------   d-----w   c:\program files\Malwarebytes' Anti-Malware
2009-02-16 05:36   ---------   d-----w   c:\program files\Starcraft
2009-02-16 03:50   ---------   d-----w   c:\documents and settings\All Users\Application Data\Microsoft Help
2009-02-15 09:33   201,352   ----a-w   c:\windows\system32\PnkBstrB.exe
2009-02-15 09:33   140,216   ----a-w   c:\windows\system32\drivers\PnkBstrK.sys
2009-02-15 00:26   ---------   d-----w   c:\documents and settings\Chris\Application Data\DNA
2009-02-12 17:49   ---------   d-----w   c:\program files\DNA
2009-02-11 21:55   ---------   d-----w   c:\program files\PeerGuardian2
2009-02-11 16:19   38,496   ----a-w   c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 16:19   15,504   ----a-w   c:\windows\system32\drivers\mbam.sys
2009-02-11 11:31   ---------   d-----w   c:\program files\CallWave
2009-02-11 10:58   ---------   d-----w   c:\program files\Pidgin
2009-02-08 05:51   ---------   d-----w   c:\program files\EA GAMES
2009-02-07 09:02   335,872   ----a-w   c:\windows\HideWin.exe
2009-01-29 17:00   ---------   d-----w   c:\program files\MagicISO
2009-01-29 13:50   ---------   d-----w   c:\program files\Citrix
2009-01-25 00:58   ---------   d-----w   c:\program files\McAfee
2009-01-23 06:52   ---------   d-----w   c:\program files\Common Files\GTK
2009-01-22 08:52   ---------   d-----w   c:\program files\Microsoft Games
2009-01-19 23:42   ---------   d-----w   c:\documents and settings\Chris\Application Data\TeamViewer
2009-01-18 19:04   ---------   d-----w   c:\documents and settings\Chris\Application Data\GRETECH
2009-01-18 18:57   ---------   d-----w   c:\program files\GRETECH
2009-01-17 18:04   ---------   d-----w   c:\program files\Dell
2009-01-16 16:24   3,596,288   ------w   c:\windows\system32\dllcache\mshtml.dll
2009-01-12 23:44   ---------   d-----w   c:\documents and settings\All Users\Application Data\LightScribe
2009-01-12 23:42   ---------   d-----w   c:\program files\Common Files\McAfee
2009-01-12 23:42   ---------   d-----w   c:\documents and settings\All Users\Application Data\SiteAdvisor
2009-01-12 23:42   ---------   d-----w   c:\documents and settings\All Users\Application Data\McAfee
2009-01-12 23:40   ---------   d-----w   c:\program files\Common Files\LightScribe
2009-01-12 17:56   ---------   d-----w   c:\program files\RogueRemover FREE
2009-01-12 17:48   ---------   d-----w   c:\documents and settings\Chris\Application Data\Malwarebytes
2009-01-12 17:48   ---------   d-----w   c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-12 16:10   ---------   d-----w   c:\program files\SlySoft
2009-01-12 01:01   ---------   d-----w   c:\program files\NovaLogic
2009-01-11 08:51   22,328   ----a-w   c:\documents and settings\Chris\Application Data\PnkBstrK.sys
2009-01-11 08:50   682,280   ----a-w   c:\windows\system32\pbsvc.exe
2009-01-11 08:50   66,872   ----a-w   c:\windows\system32\PnkBstrA.exe
2009-01-11 08:43   ---------   d-----w   c:\program files\Activision
2009-01-11 08:41   ---------   d-----w   c:\documents and settings\Chris\Application Data\DAEMON Tools Pro
2009-01-11 02:59   ---------   d-----w   c:\program files\EA SPORTS
2009-01-10 21:32   88,064   ----a-w   c:\windows\ScUnin.exe
2009-01-10 21:30   ---------   d-----w   c:\documents and settings\Chris\Application Data\DAEMON Tools Lite
2009-01-10 21:27   ---------   d-----w   c:\documents and settings\Chris\Application Data\DAEMON Tools
2009-01-10 21:26   ---------   d-----w   c:\program files\DAEMON Tools Lite
2009-01-10 21:26   ---------   d-----w   c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2009-01-10 21:19   717,296   ----a-w   c:\windows\system32\drivers\sptd.sys
2009-01-10 20:28   ---------   d-----w   c:\documents and settings\Chris\Application Data\U3
2009-01-10 19:07   ---------   d-----w   c:\program files\Spearit
2009-01-10 19:07   ---------   d-----w   c:\documents and settings\Chris\Application Data\Spearit
2009-01-10 19:07   ---------   d-----w   c:\documents and settings\All Users\Application Data\Spearit
2009-01-09 13:52   ---------   d-----w   c:\program files\Common Files\Adobe AIR
2009-01-09 13:51   ---------   d-----w   c:\program files\Common Files\Adobe
2009-01-09 13:35   ---------   d-----w   c:\program files\TeamViewer
2009-01-09 11:35   86,016   ----a-w   c:\windows\system32\OpenAL32.dll
2009-01-09 11:35   262,144   ----a-w   c:\windows\system32\wrap_oal.dll
2009-01-08 23:08   ---------   d-----w   c:\program files\Futuremark
2009-01-08 22:21   ---------   d-----w   c:\program files\BitTorrent
2009-01-08 22:00   ---------   d-----w   c:\program files\SystemRequirementsLab
2009-01-08 21:58   ---------   d-----w   c:\program files\Common Files\Futuremark Shared
2009-01-08 19:22   ---------   d-----w   c:\program files\Aspell
2009-01-08 19:05   60,744   ----a-w   c:\documents and settings\Chris\g2mdlhlpx.exe
2009-01-08 18:11   ---------   d-----w   c:\documents and settings\Chris\Application Data\ATI
2009-01-08 18:10   ---------   d-----w   c:\program files\Common Files\ATI Technologies
2009-01-08 18:08   ---------   d-----w   c:\program files\Common Files\InstallShield
2009-01-08 18:01   ---------   d-----w   c:\program files\Intel
2009-01-08 17:46   ---------   d-----w   c:\documents and settings\Chris\Application Data\Talkback
2009-01-08 14:52   ---------   d-----w   c:\program files\Microsoft Silverlight
2009-01-08 14:49   ---------   d-----w   c:\program files\Alwil Software
2009-01-08 14:37   ---------   d-----w   c:\program files\VistaExperience.org
2009-01-08 14:37   ---------   d-----w   c:\program files\Styler
2009-01-08 14:37   ---------   d-----w   c:\documents and settings\Chris\Application Data\Styler
2009-01-08 14:27   ---------   d-----w   c:\program files\Stardock
2009-01-08 14:27   ---------   d-----w   c:\program files\Resource Hacker 3.4.0
2009-01-08 14:27   ---------   d-----w   c:\program files\Kristanix
2009-01-08 14:27   ---------   d-----w   c:\program files\Common Files\Stardock
2009-01-08 14:27   ---------   d-----w   c:\program files\Alky for Applications
2009-01-08 14:26   ---------   d-----w   c:\program files\Common Files\Java
2009-01-08 14:24   ---------   d-----w   c:\program files\Reference Assemblies
2009-01-08 14:24   ---------   d-----w   c:\program files\MSBuild
2009-01-08 14:16   ---------   d-----w   c:\program files\Desktop
2009-01-08 14:15   ---------   d-----w   c:\program files\Microsoft PowerToys
2009-01-08 14:15   ---------   d-----w   c:\program files\LClock
2009-01-08 14:15   ---------   d-----w   c:\program files\HashTab Shell Extension
2009-01-03 11:24   81,920   ----a-w   c:\windows\system32\frapsvid.dll
2008-12-20 23:56   827,904   ----a-w   c:\windows\system32\wininet.dll
2008-12-20 23:56   827,904   ------w   c:\windows\system32\dllcache\wininet.dll
2008-12-19 05:25   634,024   ------w   c:\windows\system32\dllcache\iexplore.exe
2008-12-19 05:24   161,792   ------w   c:\windows\system32\dllcache\ieakui.dll
2008-12-11 10:57   333,952   ------w   c:\windows\system32\dllcache\srv.sys
.

------- Sigcheck -------

2008-04-14 04:42  1050624  97de5aa1ac4cbb18c7d4746b1cbeb432   c:\windows\explorer.exe

2008-04-14 04:42  43008  72e89bf37972d6c06d2043a604fac50e   c:\windows\system32\userinit.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-03-22 1288704]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-12-06 2408448]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-01-23 160592]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-11-22 203720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LClock"="c:\program files\LClock\LClock.exe" [2004-09-19 86016]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" [2006-09-28 77824]
"Start WingMan Profiler"="c:\program files\Logitech\Gaming Software\LWEMon.exe" [2008-04-04 88584]
"NSLauncher"="c:\program files\Nokia\Nokia Software Launcher\NSLauncher.exe" [2007-09-07 3121152]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 434176]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 81920]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-17 148888]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 c:\windows\system32\bthprops.cpl]
"RTHDCPL"="RTHDCPL.EXE" [2007-03-21 c:\windows\RTHDCPL.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]
"nltide_3"="advpack.dll" [2008-12-20 c:\windows\system32\advpack.dll]

c:\documents and settings\Chris\Start Menu\Programs\Startup\
Styler.lnk - c:\documents and settings\Chris\Application Data\Microsoft\Installer\{E9ECF354-2422-4FDB-9ABF-D8ADAC0EF941}\_585b207a.exe [2009-01-08 15086]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
CallWave.lnk - c:\program files\CallWave\IAM.exe [2009-01-08 1940280]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\explorer.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= msaud32_divx.acm
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Advanced SystemCare 3]
--a------ 2009-01-09 15:54 2262352 c:\program files\IObit\Advanced SystemCare 3\AWC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
--a------ 2008-11-22 18:36 203720 c:\program files\Alcohol Soft\Alcohol 120\AxCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
--a------ 2009-01-08 16:21 342848 c:\program files\DNA\btdna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2009-01-06 13:06 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2009-02-17 06:23 148888 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2009-01-15 16:17 1850608 c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Spearit\\Move Me\\MoveMe.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\UnrealTournament\\System\\ThAux.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=
"c:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Red Storm Entertainment\\RavenShield\\system\\ravenshield.exe"=
"c:\\Program Files\\Pidgin\\pidgin.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Teamspeak2_RC2\\server_windows.exe"=
"c:\\Program Files\\EA GAMES\\Command and Conquer Generals\\game.dat"=
"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"c:\\Program Files\\Steam\\steamapps\\[email protected]\\counter-strike\\hl.exe"=
"c:\\Program Files\\CallWave\\IAM.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 Pnp680;SiI 680 ATA Controller;c:\windows\system32\drivers\PnP680.sys [2009-01-08 71720]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-01-08 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-01-08 20560]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-01-12 206096]
R2 TeamViewer4;TeamViewer 4;c:\program files\TeamViewer\Version4\TeamViewer_Service.exe [2009-01-08 185640]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2007-07-20 93696]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2009-01-28 138112]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2009-01-28 8320]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7b7b37d0-f566-11dd-b58b-001bdc00487b}]
\Shell\AutoRun\command - F:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a0a99071-df45-11dd-b56d-001bdc00487b}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a0a99073-df45-11dd-b56d-001bdc00487b}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{D58F39FF-953E-4F45-898F-59F243B9A523}]
RUNDLL32 advpack.dll,LaunchINFSection Sidebar.inf,Register
.
Contents of the 'Scheduled Tasks' folder

2009-02-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
FF - ProfilePath - c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\mxjo42s3.default\
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-18 18:43:43
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-823518204-1957994488-1801674531-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\Clsid]
@Denied: (Full) (LocalSystem)

[HKEY_USERS\S-1-5-21-823518204-1957994488-1801674531-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:1c,02,e7,de,63,2b,14,4f,28,4c,82,db,68,51,da,2a,ff,c2,d4,f2,59,8a,fe,
   ff,32,45,5b,90,25,f8,5c,f1,f5,aa,0c,b5,87,58,02,41,8f,5d,a1,f1,44,ea,e7,38,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50

[HKEY_USERS\S-1-5-21-823518204-1957994488-1801674531-1004\Software\SecuROM\License information*]
"datasecu"=hex:af,e9,c8,10,c7,90,29,dc,57,0e,a2,f3,1b,ab,0b,ef,0b,b9,85,56,b9,
   62,7f,74,57,0e,b1,f8,07,4f,ff,7f,59,3b,ce,29,e1,da,5f,bf,85,6e,94,ab,68,a8,\
"rkeysecu"=hex:8f,4a,b1,21,97,d7,5d,6a,18,7a,44,87,84,2c,89,e6
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1424)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\Bonjour\mdnsNSP.dll
.
Completion time: 2009-02-18 18:44:54
ComboFix-quarantined-files.txt  2009-02-19 00:44:51

Pre-Run: 10,903,908,352 bytes free
Post-Run: 11,011,399,680 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

415   --- E O F ---   2009-02-11 22:12:56
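The ComboFix log above mixes routine entries with a handful that deserve review first: the disabled firewall, the globally open port, the drive AutoRun commands, and the NTDLL code modification. The Python below is an added example, not part of the original post or of ComboFix, that pulls those entries out of log text; the function name, the category labels, and the trimmed sample are assumptions made for illustration.

```python
import re

# Constructed sample: a few lines copied from the ComboFix log above.
SAMPLE_LOG = r'''
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\LaunchU3.exe -a
detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...
'''

SECTION = re.compile(r'^\[(.+)\]$')          # registry key header line
VALUE = re.compile(r'^"([^"]+)"=\s*(.*)$')   # "name"= data

def triage(log_text):
    """Return (category, detail) tuples for entries an analyst should review."""
    findings, section, in_ntdll = [], "", False
    for raw in log_text.splitlines():
        line = raw.strip()
        if in_ntdll:                         # modified export names run until a blank line
            if line:
                findings.append(("ntdll-hook", line))
                continue
            in_ntdll = False
        header = SECTION.match(line)
        if header:
            section = header.group(1).lower()
            continue
        if line.lower().startswith("detected ntdll code modification"):
            in_ntdll = True
            continue
        value = VALUE.match(line)
        if value and section.endswith(r"firewallpolicy\standardprofile"):
            if value.group(1).lower() == "enablefirewall" and value.group(2).split()[:1] == ["0"]:
                findings.append(("firewall-disabled", "standardprofile"))
        elif value and section.endswith(r"globallyopenports\list"):
            findings.append(("open-port", value.group(1)))
        elif "mountpoints2" in section and line.lower().startswith(r"\shell\autorun\command"):
            findings.append(("drive-autorun", line.partition(" - ")[2]))
    return findings

if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:18} {detail}")
```

A finding here is a prompt for review, not a verdict: each entry still has to be checked against what the owner knowingly installed or configured.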

h4cker

Re: Cannot remove this virus which started with Win32:JunkPoly [Cryp]
« Reply #7 on: February 18, 2009, 06:25:53 PM »
After I booted my machine I got a few messages that came up. Sorry about the image, but you will have to zoom in to see it. :-\




http://img25.imageshack.us/my.php?image=virusimagerj5.jpg

evilfantasy

  • Malware Removal Specialist
  • Moderator


  • Genius
  • Calm like a bomb
  • Thanked: 493
  • Experience: Experienced
  • OS: Windows 11
Re: Cannot remove this virus which started with Win32:JunkPoly [Cryp]
« Reply #8 on: February 18, 2009, 06:33:21 PM »
I hate to tell you this but I think this is Virut. See this conversation: http://www.computerhope.com/forum/index.php/topic,77096.0.html

Virut spreads through every .exe, .dll and .scr and other critical files on a computer. It's polymorphic, which means it spreads faster than any antivirus can contain it. 99.99% of the time the only solution is a reformat and reinstall. Virut is so aggressive it even re-infects infected files with itself. It's a computer killer...

All viruses belonging to the Virut family also contain an IRC-based backdoor that provides unauthorized access to infected computers.

In short. There is no solution for this other than a reformat and reinstall.

Download DrWeb CureIt & save it to your desktop. Scan with DrWeb-CureIt as follows:
  • Double-click on drweb-cureit.exe and then click Start
  • An information notice will appear, click OK.
  • This starts a short scan that will scan the files currently running in memory.
  • If you get a prompt to buy the full version just exit out of the window. The scanner will still work without buying the full version
  • If or when something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click Settings > Change Settings
  • Under the Scanning tab UNcheck Heuristic analysis and click OK
  • Back at the main window, select the Complete scan button and then click the Green Arrow Start Scanning button on the right and the scan will start.
    • Click Yes to all if it asks if you want to cure/move any file(s).
  • When the scan is done.
  • In the Dr.Web CureIt menu on top left, click File and choose Save report list.
  • Save the DrWeb.csv report to your Desktop.
  • Exit Dr.Web Cureit.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, Right-click the Dr.Web log on the desktop and choose Open With > Notepad
  • Copy and paste that log in the next reply

h4cker

Re: Cannot remove this virus which started with Win32:JunkPoly [Cryp]
« Reply #9 on: February 18, 2009, 06:54:19 PM »
You are correct. I am running the Dr.Web tool and it has found remnants of the worm in multiple files. I will continue to push forward in an attempt to remove it, as I do not want to re-format without a fight. I will do as advised as a test subject ;).

I will post the log after it has completed.

evilfantasy

Re: Cannot remove this virus which started with Win32:JunkPoly [Cryp]
« Reply #10 on: February 18, 2009, 07:03:36 PM »
You can try but I haven't seen it work yet.

h4cker

Re: Cannot remove this virus which started with Win32:JunkPoly [Cryp]
« Reply #11 on: February 18, 2009, 07:10:32 PM »
I'm sure that you've already thought about it, but hey, maybe not. Install Windows on a separate drive and set up the original drive with the virus as a slave and remove the viruses that way? ???

evilfantasy

Re: Cannot remove this virus which started with Win32:JunkPoly [Cryp]
« Reply #12 on: February 18, 2009, 07:24:32 PM »
Quote
Virut spreads through every .exe, .dll and .scr and other critical files on a computer. It's polymorphic,

You can't contain or isolate it to remove it. It's always spreading to new and already infected files.

Dr Web will show a bunch of files and report them as cured. But it's not the case. It spreads from .vir (files quarantined) back to the recently cured files. A never ending cycle.

h4cker

Re: Cannot remove this virus which started with Win32:JunkPoly [Cryp]
« Reply #13 on: February 18, 2009, 11:23:27 PM »
Understandable. I have an external drive connected to my PC. What is your suggestion to take care of the situation? As I'm sure it has spread to the external, so when I reformat - it may just re-infect the newly installed OS. :-\

BC_Programmer


    Mastermind
  • Typing is no substitute for thinking.
  • Thanked: 1140
    • Yes
    • Yes
    • BC-Programming.com
  • Certifications: List
  • Computer: Specs
  • Experience: Beginner
  • OS: Windows 11
Re: Cannot remove this virus which started with Win32:JunkPoly [Cryp]
« Reply #14 on: February 19, 2009, 02:00:03 AM »
Quote
Understandable. I have an external drive connected to my PC. What is your suggestion to take care of the situation? As I'm sure it has spread to the external, so when I reformat - it may just re-infect the newly installed OS. :-\

Are there any executables on the external?
I was trying to dereference Null Pointers before it was cool.
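One way to answer the question above about executables on the external drive, as an added example that is not from any poster in the thread: this Python inventories files by their PE header rather than by extension and records a SHA-256 for each, so the list can be compared with known-good copies. The function names and the demo tree are assumptions made for illustration.

```python
import hashlib
import os
import struct
import tempfile

def is_pe(path):
    """True if the file has an MZ header whose e_lfanew field points at a PE signature."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(0x40)
            if len(head) < 0x40 or head[:2] != b"MZ":
                return False
            (e_lfanew,) = struct.unpack_from("<I", head, 0x3C)
            fh.seek(e_lfanew)
            return fh.read(4) == b"PE\x00\x00"
    except OSError:
        return False

def sha256(path):
    """Hash the file in 1 MiB chunks so large files do not load into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def inventory(root):
    """Map relative path -> SHA-256 for every PE file under root, whatever its extension."""
    found = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(folder, name)
            if is_pe(full):
                found[os.path.relpath(full, root)] = sha256(full)
    return found

def make_demo_tree():
    """Constructed sample: a minimal PE header, the same bytes renamed, and a text file."""
    root = tempfile.mkdtemp()
    stub = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00"
    samples = (("setup.exe", stub), ("photo.jpg", stub), ("notes.txt", b"MZ is not enough"))
    for name, data in samples:
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root

if __name__ == "__main__":
    for rel, digest in sorted(inventory(make_demo_tree()).items()):
        print(digest, rel)
```

The script only reads file headers and contents; it never executes anything it finds.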