
Topic: One Tough Virus Infection will not allow any application to launch


Atech

    Hello, this is a tough one. Early stage of this infection would not allow any exe to launch, nor could I change a name and extension (to com) and get the application to launch. I could not boot to safe mode, Windows Explorer Tools > "Folder Options" was missing, and policies were changed that restricted Windows Installer from installing any new applications. Then the popups: first the system32/cmd.exe, what a cluster *&%$ that was, command windows opening up 5 at a time. Then once you got past that and launched IE, it redirects links to different sites. If I managed to launch a search and used any of these tags: antivirus, antispyware, HJT, the system would reboot. If I open Control Panel I am unable to open "Add or Remove Programs"; I receive this error message: "system32/rundll32.exe" application not found.


    evilfantasy

    Re: One Tough Virus Infection will not allow any application to launch
    « Reply #1 on: July 09, 2009, 04:58:30 PM »
    This looks like a Virut infection but we will have a closer look.

    Disable Spybot's TeaTimer

    While TeaTimer is an excellent tool for the prevention of spyware, it can also interfere with the fixes we need to make. Please disable TeaTimer for now until you are clean.

    1. Right click Spybot in the System Tray (looks like a calendar with a padlock symbol). Choose Exit Spybot S&D Resident
    2. Run Spybot S&D
    3. Go to the Mode menu, and make sure Advanced Mode is selected.
    4. On the left hand side, choose Tools > Resident
    uncheck Resident TeaTimer and OK any prompt and Restart your computer.

    Note:
    If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

    If TeaTimer will not turn off then uninstall Spybot until we are done cleaning.

    ----------

    Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

    Link #1
    Link #2

    **Note:  It is important that it is saved directly to your Desktop

    Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

    Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
     
    Double click combofix.exe & follow the prompts.
    Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)
    When finished ComboFix will produce a log for you.
    Post the ComboFix log in your next reply.

    Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

    Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

    If you have problems with ComboFix usage, see How to use ComboFix

    Atech

      Re: One Tough Virus Infection will not allow any application to launch
      « Reply #2 on: July 09, 2009, 06:26:28 PM »
      OK, got it. Also FYI, I'm unable to use the infected computer online, so everything has to be done via USB drive between the infected computer and the non-infected computer.... Very tough, the infected computer has twice tried to pass a hidden file on the USB drive; I have it in the virus vault.




      evilfantasy

      Re: One Tough Virus Infection will not allow any application to launch
      « Reply #3 on: July 09, 2009, 08:56:45 PM »
      Use this on your flash drive to protect it during and after this process.

      Flash Drive Cleanup

      Insert your flash drive before we begin. Hold down the Shift key when inserting the flash drive until Windows detects it to bypass the autorun feature. This will keep the autorun.inf from executing automatically.

      Please have all your removable storage devices ready for disinfection.

      Download Flash Disinfector by sUBs and save it to your Desktop.
       
      * Double-click Flash_Disinfector.exe to run it.
      * Your desktop and icons may disappear. This is normal.
      * It will do a cleanup of removable storage devices, and write a protected Autorun.inf file to help prevent re-infection.
      * Follow any prompts that may appear.
      * The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
      * Wait until it has finished scanning and then exit the program.
      * There will be no GUI interface or log file produced.
      * Reboot your computer when done.

      Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.

      ----------

      Go to Add or Remove Programs and uninstall:

      • ParetoLogic\DriverCure
      ----------

      Copy this into Notepad and then transfer over the Notepad file to the infected computer.

      Delete these files/folders, as follows:

      1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
      It must be Notepad, not Wordpad.
      2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

      Code:
      KillAll::

      Driver::
      fc98e6536a9f048e41a65f73efc2525e
      cvjser5usjfyigsfhjhswybn4wgss80
      26d261c5
      c1fd68c2
      f609df78
      Viewpoint Manager Service

      Folder::
      c:\program files\Viewpoint
      c:\documents and settings\All Users\Application Data\ParetoLogic
      c:\program files\Common Files\ParetoLogic

      File::
      c:\winnt\system32\drivers\f609df78.sys
      c:\winnt\Tasks\ParetoLogic Registration.job
      c:\winnt\Tasks\ParetoLogic Update Version2.job

      Registry::
      [-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{18B0E5C2-99CB-11CF-AYX5-00401C648513}]

      [-HKLM\~\startupfolder\C:^Documents and Settings^All Users^Application Data^Microsoft^Shortcuts^icwsetup.exe]

      RegLock::
      [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{746ae4e8-aedd-4a3b-9ea8-c9373c1dac12}\progid]

      [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B2C7B2A1-00F3-42BD-F434-00AABA2C8952}\InProcServer32]

      [HKEY_LOCAL_MACHINE\software\Microsoft\Code Store Database\Distribution Units\{205FF73B-CA67-11D5-99DD-444553540000}\Contains]

      [HKEY_LOCAL_MACHINE\software\Microsoft\Code Store Database\Distribution Units\{205FF73B-CA67-11D5-99DD-444553540000}\DownloadInformation]

      [HKEY_LOCAL_MACHINE\software\Microsoft\Code Store Database\Distribution Units\{205FF73B-CA67-11D5-99DD-444553540000}\InstalledVersion]

      3. Go to the Notepad window and click Edit > Paste
      4. Then click File > Save
      5. Name the file CFScript.txt - Save the file to your Desktop
      6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



      ComboFix will begin to execute, just follow the prompts.
      After reboot (in case it asks to reboot), it will produce a log for you.
      Post that log (Combofix.txt) in your next reply.

      Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze

      ----------

      If the Internet connection is still not back try resetting it with this tool.

      Download and run WinSockFix.
      This is a two step process that will Back up the Registry and Reset the Winsock Stack.

      • Double click on WinsockXPFix.exe to open.
      • On the Winsock and TCP Repair Utility  screen, click "ReG-Backup"
      • On the ERDNT Welcome screen, click "OK".
      • On the Backup to: screen, click "OK".
      • On the Folder does not exist question screen click "Yes".
      • You will see a status screen as your registry is being backed up.
      • On the Registry backup is complete! screen, click "OK" and you will go back to the main window.
      • On the Winsock and TCP Repair Utility screen, click "Fix".
      • On the Apply the VB_Winsock fix? screen click "Yes".
      • The screen will display a status message "repair completed please reboot."
      • On the Repair Completed screen click "OK" to reboot your computer.
      • If your computer was not using DHCP, you will need to reconfigure TCP/IP.
      • Hopefully you should have connectivity restored.
      Note: Resetting the Winsock in SP2 might remove third-party LSPs and restore Winsock to the factory default setting. Existing programs that use their own LSPs may need to be reinstalled. Example: Google Desktop Search.

      Atech

        Re: One Tough Virus Infection will not allow any application to launch
        « Reply #4 on: July 09, 2009, 11:46:28 PM »
        This is ComboFix log 2

        ComboFix 09-07-08.04 - Administrator 07/09/2009 21:40.2 - NTFSx86 MINIMAL
        Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.383.241 [GMT -7:00]
        Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
        Command switches used :: f:\scanlogs\CFScript.txt

        WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

        FILE ::
        "c:\winnt\system32\drivers\f609df78.sys"
        "c:\winnt\Tasks\ParetoLogic Registration.job"
        "c:\winnt\Tasks\ParetoLogic Update Version2.job"
        .

        (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
        .

        c:\documents and settings\All Users\Application Data\ParetoLogic
        c:\documents and settings\All Users\Application Data\ParetoLogic\UUS2\DriverCure\Master.xml
        c:\documents and settings\All Users\Application Data\ParetoLogic\UUS2\DriverCure\Patch.xml
        c:\documents and settings\All Users\Application Data\ParetoLogic\UUS2\DriverCure\Temp\Update.exe
        c:\documents and settings\All Users\Application Data\ParetoLogic\UUS2\DriverCure\Update.xml
        c:\documents and settings\All Users\Application Data\ParetoLogic\UUS2\Master.xml
        c:\documents and settings\All Users\Application Data\ParetoLogic\UUS2\Patch.xml
        c:\documents and settings\All Users\Application Data\ParetoLogic\UUS2\Update.xml
        c:\program files\Common Files\ParetoLogic
        c:\program files\Common Files\ParetoLogic\UUS2\Images\Logo.png
        c:\program files\Common Files\ParetoLogic\UUS2\LiteUnzip.dll
        c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe
        c:\program files\Common Files\ParetoLogic\UUS2\ParetoLogicUpdate.chm
        c:\program files\Common Files\ParetoLogic\UUS2\UUS.dll
        c:\program files\Viewpoint
        c:\program files\Viewpoint\Common\ViewpointService.exe
        c:\program files\Viewpoint\Common\VistaBoot.sdll
        c:\program files\Viewpoint\Viewpoint Manager\CPtask.xml
        c:\program files\Viewpoint\Viewpoint Manager\VETScriptInterpreter.dll
        c:\program files\Viewpoint\Viewpoint Manager\ViewCP.cpl
        c:\program files\Viewpoint\Viewpoint Manager\ViewCPData\images\s.gif
        c:\program files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_header_av.gif
        c:\program files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_header_cp.gif
        c:\program files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_header_up.gif
        c:\program files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_inner_bg.gif
        c:\program files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_inner_bottom.gif
        c:\program files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_tab_bg.gif
        c:\program files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_tab1_off.gif
        c:\program files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_tab1_on.gif
        c:\program files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_tab2_off.gif
        c:\program files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_tab2_on.gif
        c:\program files\Viewpoint\Viewpoint Manager\ViewCPData\images\vwpt_logo.gif
        c:\program files\Viewpoint\Viewpoint Manager\ViewCPData\options.ini
        c:\program files\Viewpoint\Viewpoint Manager\ViewCPData\viewpoint.ico
        c:\program files\Viewpoint\Viewpoint Manager\ViewCPData\vmctrl.html
        c:\program files\Viewpoint\Viewpoint Manager\ViewCPexe.exe
        c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
        c:\program files\Viewpoint\Viewpoint Manager\ViewMgrCore.dll
        c:\program files\Viewpoint\Viewpoint Manager\ViewMgrInstaller.exe
        c:\program files\Viewpoint\Viewpoint Media Player\AxMetaStream.dll
        c:\program files\Viewpoint\Viewpoint Media Player\AxMetaStream_.dll
        c:\program files\Viewpoint\Viewpoint Media Player\AxMetaStream_0305000D.dll
        c:\program files\Viewpoint\Viewpoint Media Player\ClassIDs.ini
        c:\program files\Viewpoint\Viewpoint Media Player\ComponentMgr_0305001C.dll
        c:\program files\Viewpoint\Viewpoint Media Player\ComponentRegistry.ini
        c:\program files\Viewpoint\Viewpoint Media Player\Components\AOLUserShell.dll
        c:\program files\Viewpoint\Viewpoint Media Player\Components\Cursors.dll
        c:\program files\Viewpoint\Viewpoint Media Player\Components\DataTracking.dll
        c:\program files\Viewpoint\Viewpoint Media Player\Components\JpegReader.dll
        c:\program files\Viewpoint\Viewpoint Media Player\Components\MTS3Reader.dll
        c:\program files\Viewpoint\Viewpoint Media Player\Components\SceneComponent.dll
        c:\program files\Viewpoint\Viewpoint Media Player\Components\SreeDMMX.dll
        c:\program files\Viewpoint\Viewpoint Media Player\Components\SWFView.dll
        c:\program files\Viewpoint\Viewpoint Media Player\Components\VMgr.dll
        c:\program files\Viewpoint\Viewpoint Media Player\Components\VMPSpeech.dll
        c:\program files\Viewpoint\Viewpoint Media Player\Components\VMPVideo.dll
        c:\program files\Viewpoint\Viewpoint Media Player\Components\VMPVideo2.dll
        c:\program files\Viewpoint\Viewpoint Media Player\Components\WaveletReader.dll
        c:\program files\Viewpoint\Viewpoint Media Player\DownLoadHist.ini
        c:\program files\Viewpoint\Viewpoint Media Player\HostRegistry.ini
        c:\program files\Viewpoint\Viewpoint Media Player\MetaStreamConfig.ini
        c:\program files\Viewpoint\Viewpoint Media Player\MetaStreamID.ini
        c:\program files\Viewpoint\Viewpoint Media Player\MtsAxInstaller.exe
        c:\program files\Viewpoint\Viewpoint Media Player\MTSDownloadSites.txt
        c:\program files\Viewpoint\Viewpoint Media Player\NewComponents\Cursors.dll
        c:\program files\Viewpoint\Viewpoint Media Player\NewComponents\JpegReader.dll
        c:\program files\Viewpoint\Viewpoint Media Player\NewComponents\MTS3Reader.dll
        c:\program files\Viewpoint\Viewpoint Media Player\NewComponents\SreeDMMX.dll
        c:\program files\Viewpoint\Viewpoint Media Player\NewComponents\SWFView.dll
        c:\program files\Viewpoint\Viewpoint Media Player\NewComponents\VMPVideo2.dll
        c:\program files\Viewpoint\Viewpoint Media Player\NewComponents\WaveletReader.dll
        c:\program files\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_01\-1159435808.mtx
        c:\program files\Viewpoint\Viewpoint Media Player\Resources\UpdateVersionList_v2.mtx
        c:\program files\Viewpoint\Viewpoint Toolbar\3.9.0\eula.txt
        c:\program files\Viewpoint\Viewpoint Toolbar\3.9.0\Uninstaller.exe
        c:\program files\Viewpoint\Viewpoint Toolbar\3.9.0\ViewBarBHO.dll
        c:\program files\Viewpoint\Viewpoint Toolbar\3.9.0\ViewBarSystemInfo.dll
        c:\program files\Viewpoint\Viewpoint Toolbar\delB5.tmp\delB6.tmp
        c:\program files\Viewpoint\Viewpoint Toolbar\delB5.tmp\delB7.tmp
        c:\winnt\system32\drivers\f609df78.sys
        c:\winnt\Tasks\ParetoLogic Registration.job
        c:\winnt\Tasks\ParetoLogic Update Version2.job

        .
        (((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
        .

        -------\Legacy_fc98e6536a9f048e41a65f73efc2525e
        -------\Legacy_VIEWPOINT_MANAGER_SERVICE
        -------\Service_26d261c5
        -------\Service_c1fd68c2
        -------\Service_f609df78
        -------\Service_fc98e6536a9f048e41a65f73efc2525e
        -------\Service_Viewpoint Manager Service


        (((((((((((((((((((((((((   Files Created from 2009-06-10 to 2009-07-10  )))))))))))))))))))))))))))))))
        .

        2009-07-09 19:35 . 2009-07-09 19:35   --------   d-----w-   c:\documents and settings\Administrator\Application Data\Sprint
        2009-07-09 19:15 . 2009-07-09 19:15   --------   d-----w-   c:\documents and settings\Bill\Application Data\Sprint
        2009-07-09 19:04 . 2008-10-15 18:58   27072   ----a-w-   c:\winnt\system32\drivers\PCASp50.sys
        2009-07-09 19:03 . 2005-03-15 18:11   17920   ----a-w-   c:\winnt\system32\apintfnt.dll
        2009-07-09 19:03 . 2008-04-13 17:45   17152   ----a-w-   c:\winnt\system32\drivers\usbohci.sys
        2009-07-09 19:03 . 2008-04-13 17:45   17152   ----a-w-   c:\winnt\system32\dllcache\usbohci.sys
        2009-07-09 19:01 . 2007-01-18 17:24   26496   ----a-r-   c:\winnt\system32\drivers\RimSerial.sys
        2009-07-09 18:55 . 2009-07-09 18:55   --------   d-----w-   c:\program files\Common Files\Research in Motion
        2009-07-09 18:55 . 2009-07-09 19:03   --------   d-----w-   c:\program files\Sierra Wireless
        2009-07-09 18:54 . 2009-07-09 19:02   --------   d-----w-   c:\program files\Common Files\Motorola Shared
        2009-07-09 18:54 . 2009-07-09 18:54   --------   d-----w-   c:\program files\Novatel Wireless
        2009-07-09 18:54 . 2009-07-09 18:54   --------   d-----w-   c:\program files\Sprint
        2009-07-09 18:54 . 2009-07-09 18:54   --------   d-----w-   c:\documents and settings\All Users\Application Data\Sprint
        2009-07-09 18:45 . 2009-07-09 18:45   --------   d-----w-   c:\documents and settings\Bill\Application Data\Sierra Wireless
        2009-07-09 17:43 . 2009-07-09 17:48   --------   d-----w-   c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory
        2009-07-09 17:35 . 2009-07-09 17:35   --------   d-----w-   c:\program files\Sierra Wireless Inc
        2009-07-09 17:35 . 2009-07-09 17:35   --------   d-----w-   c:\documents and settings\Administrator\Application Data\Sierra Wireless
        2009-07-08 19:56 . 2009-07-08 19:56   --------   d-----w-   c:\documents and settings\Administrator\Application Data\DriverCure
        2009-07-08 19:55 . 2009-07-10 01:06   117760   ----a-w-   c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
        2009-07-08 19:53 . 2009-07-08 19:53   --------   d-----w-   c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
        2009-07-08 18:45 . 2009-07-09 19:23   117760   ----a-w-   c:\documents and settings\Bill\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
        2009-07-08 18:42 . 2009-07-08 18:42   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
        2009-07-08 18:41 . 2009-07-08 22:30   --------   d-----w-   c:\program files\SUPERAntiSpyware
        2009-07-08 18:41 . 2009-07-08 18:41   --------   d-----w-   c:\documents and settings\Bill\Application Data\SUPERAntiSpyware.com
        2009-07-08 07:38 . 2009-07-08 07:38   --------   d-----w-   c:\documents and settings\Administrator\Application Data\Safer Networking
        2009-07-08 07:37 . 2009-07-08 07:37   --------   d-----w-   c:\program files\Safer Networking
        2009-07-08 07:37 . 2009-07-08 07:37   --------   d-----w-   C:\!KillBox
        2009-07-08 07:34 . 2009-07-08 07:34   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
        2009-07-07 23:04 . 2009-07-07 23:04   94104   ----a-w-   c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
        2009-07-07 21:39 . 2009-07-07 21:39   --------   d-----w-   c:\program files\SDHelper (Spybot - Search & Destroy)
        2009-07-07 21:39 . 2009-07-07 21:39   --------   d-----w-   c:\program files\Misc. Support Library (Spybot - Search & Destroy)
        2009-07-07 21:39 . 2009-07-07 21:39   --------   d-----w-   c:\program files\File Scanner Library (Spybot - Search & Destroy)
        2009-07-07 21:39 . 2009-07-07 21:39   --------   d-----w-   c:\program files\TeaTimer (Spybot - Search & Destroy)
        2009-07-07 21:33 . 2009-07-07 22:56   --------   d-----w-   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
        2009-07-07 21:33 . 2009-07-07 21:48   --------   d-----w-   c:\program files\Spybot - Search & Destroy
        2009-06-20 04:07 . 2009-06-20 04:07   --------   d-s---w-   c:\winnt\system32\%USERPROFILE%
        2009-06-17 05:12 . 2009-06-17 05:12   --------   d-----w-   c:\winnt\system32\Mozilla Shared

        .
        ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
        .
        2009-07-09 23:59 . 2009-06-08 23:32   95436   ----a-w-   c:\winnt\system32\drivers\26d261c5.sys
        2009-07-08 19:57 . 2009-01-30 19:53   --------   d-----w-   c:\documents and settings\All Users\Application Data\DriverCure
        2009-07-08 19:31 . 2009-07-08 19:31   312847   ------w-   c:\winnt\system32\647abd38a58580908918e8a3395fb887.TMP
        2009-07-08 19:02 . 2009-07-08 19:02   312847   ------w-   c:\winnt\system32\f1864ab73dbdccf734bbec48fddfe5cf.TMP
        2009-07-07 21:24 . 2009-07-07 21:24   312847   ------w-   c:\winnt\system32\8aab370f9a360b00da9c3c7d5e63494e.TMP
        2009-07-07 21:05 . 2008-12-27 02:46   --------   d-----w-   c:\program files\CleanUp!
        2009-06-24 01:52 . 2004-08-30 21:40   --------   d-----w-   c:\documents and settings\Pat\Application Data\WeatherBug
        2009-06-18 02:17 . 2007-11-03 23:20   --------   d-----w-   c:\program files\Windows Live Toolbar
        2009-06-09 13:54 . 2009-06-08 20:13   0   ----a-w-   c:\winnt\system32\drivers\c1fd68c2.sys
        .

        (((((((((((((((((((((((((((((   SnapShot@2009-07-10_00.02.19   )))))))))))))))))))))))))))))))))))))))))
        .
        - 1980-01-01 06:00 . 2009-07-09 19:02   58012              c:\winnt\system32\perfc009.dat
        + 1980-01-01 06:00 . 2009-07-10 05:11   58012              c:\winnt\system32\perfc009.dat
        + 1980-01-01 06:00 . 2009-07-10 05:11   391894              c:\winnt\system32\perfh009.dat
        - 1980-01-01 06:00 . 2009-07-09 19:02   391894              c:\winnt\system32\perfh009.dat
        .
        (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
        .
        .
        *Note* empty entries & legit default entries are not shown
        REGEDIT4

        [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-06-23 1830128]
        "ctfmon.exe"="c:\winnt\system32\ctfmon.exe" [2008-04-14 15360]

        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "Sprint SmartView"="c:\program files\Sprint\Sprint SmartView\SprintSV.exe" [2008-10-15 17664]

        [HKLM\~\startupfolder\C:^DOCUME~1^ALLUSE~1^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
        path=c:\docume~1\ALLUSE~1\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
        backup=c:\winnt\pss\Adobe Reader Speed Launch.lnkCommon Startup

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
        "MSIServer"=3 (0x3)
        "wuauserv"=2 (0x2)
        "WMPNetworkSvc"=3 (0x3)
        "WLSetupSvc"=3 (0x3)
        "Viewpoint Manager Service"=2 (0x2)
        "usnjsvc"=3 (0x3)
        "SQLAgent$ALAMODE"=3 (0x3)
        "sopidkc"=2 (0x2)
        "ose"=3 (0x3)
        "MSSQLServerADHelper"=3 (0x3)
        "MSSQL$ALAMODE"=2 (0x2)
        "dhcpsrv"=2 (0x2)
        "dfgdjhse5rjfmkfsderhkldtd576ogd80"=2 (0x2)
        "cvjser5usjfyigsfhjhswybn4wgss80"=2 (0x2)
        "BITS"=3 (0x3)

        [HKEY_LOCAL_MACHINE\software\microsoft\security center]
        "AntiVirusOverride"=dword:00000001
        "FirewallOverride"=dword:00000001

        [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
        "EnableFirewall"= 0 (0x0)

        [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
        "%windir%\\system32\\sessmgr.exe"=
        "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
        "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
        "c:\\Program Files\\Messenger\\msmsgs.exe"=
        "c:\\Program Files\\Sprint\\Sprint SmartView\\SwiApiMux.exe"=

        S1 sasdifsv;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
        S1 saskutil;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 72944]
        S3 ati2mpaa;ati2mpaa;c:\winnt\system32\drivers\ati2mpaa.sys [10/3/2001 8:23 AM 281856]
        S3 PCDRDRV;Pcdr Helper Driver;\??\c:\atf\Qctest\PCDoc\PCDRDRV.sys --> c:\atf\Qctest\PCDoc\PCDRDRV.sys [?]
        S3 sasenum;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]
        S4 MSSQL$ALAMODE;MSSQL$ALAMODE;c:\program files\Microsoft SQL Server\MSSQL$ALAMODE\Binn\sqlservr.exe [5/4/2005 1:04 AM 9158656]
        S4 SQLAgent$ALAMODE;SQLAgent$ALAMODE;c:\program files\Microsoft SQL Server\MSSQL$ALAMODE\Binn\sqlagent.EXE [5/3/2005 10:42 PM 323584]
        .
        Contents of the 'Scheduled Tasks' folder

        2009-07-09 c:\winnt\Tasks\Check Updates for Windows Live Toolbar.job
        - c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 19:20]
        .
        .
        ------- Supplementary Scan -------
        .
        uStart Page = hxxp://msn.com
        DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
        .

        **************************************************************************

        catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
        Rootkit scan 2009-07-09 22:07
        Windows 5.1.2600 Service Pack 3 NTFS

        scanning hidden processes ... 

        scanning hidden autostart entries ...

        scanning hidden files ... 

        scan completed successfully
        hidden files: 0

        **************************************************************************
        .
        Completion time: 2009-07-10 22:17 - machine was rebooted
        ComboFix-quarantined-files.txt  2009-07-10 05:17
        ComboFix2.txt  2009-07-10 00:12

        Pre-Run: 7,628,197,888 bytes free
        Post-Run: 7,593,283,584 bytes free

        237   --- E O F ---   2009-05-17 15:02
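        As an added example (not from this thread, and not ComboFix's own code), a small Python triage script that parses the "Files Created"/"Find3M" entries and the REGEDIT4 loading points of a ComboFix log like the one above, and flags the indicators a removal helper reads such a log for: 8-hex-character driver names under system32\drivers, a zero-byte .sys, a literal %USERPROFILE% directory under system32, and the Security Center / firewall overrides. The sample lines are constructed from the log in this post; the category names and heuristics are my own assumptions, not ComboFix's.

```python
"""Triage helper for ComboFix-style log lines (added example, not ComboFix code).

It parses the 'Files Created' / 'Find3M' entries and the REGEDIT4 loading points
of a log like the one posted above and flags what a removal helper looks for:
hex-named drivers in system32\\drivers, zero-byte .sys files, a literal
environment-variable name used as a directory, and Security Center / firewall
overrides. The category names and heuristics are my own, not ComboFix's.
"""
import re
from dataclasses import dataclass

# One "Files Created"/"Find3M" entry:  created . modified   size   attrs   path
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>-+|\d+)\s+(?P<attrs>[-a-z]{8})\s+(?P<path>.+?)\s*$"
)
# REGEDIT4 value line: "Name"=dword:00000001   or   "Name"= 0 (0x0)
REG_VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"=\s*(?:dword:(?P<hex>[0-9a-fA-F]{8})|(?P<dec>\d+))'
)
# An 8-hex-character driver name under system32\drivers (26d261c5.sys style)
RANDOM_DRIVER_RE = re.compile(r"\\system32\\drivers\\[0-9a-f]{8}\.sys$", re.IGNORECASE)
# A literal environment-variable name used as a directory component
ENV_LITERAL_RE = re.compile(r"\\%[A-Z_]+%($|\\)")


@dataclass
class Finding:
    reason: str
    detail: str


def parse_entry(line):
    """Return a dict for a file/directory entry line, or None if it is not one."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    size = m.group("size")
    return {
        "created": m.group("created"),
        "modified": m.group("modified"),
        "size": None if size.startswith("-") else int(size),  # "--------" = directory
        "attrs": m.group("attrs"),
        "path": m.group("path"),
    }


def triage(lines):
    """Walk log lines and collect Findings; registry values are tied to the last key seen."""
    findings = []
    key = None
    for raw in lines:
        line = raw.strip()
        if line.startswith("[HKEY_") or line.startswith("[HKLM"):
            key = line.strip("[]")
            continue
        rv = REG_VALUE_RE.match(line)
        if rv and key:
            value = int(rv.group("hex"), 16) if rv.group("hex") else int(rv.group("dec"))
            name = rv.group("name")
            if name in ("AntiVirusOverride", "FirewallOverride") and value == 1:
                findings.append(Finding("security-center-override", f"{name}={value} in {key}"))
            elif name == "EnableFirewall" and value == 0:
                findings.append(Finding("firewall-disabled", f"{name}={value} in {key}"))
            continue
        entry = parse_entry(line)
        if entry is None:
            continue
        path = entry["path"]
        if RANDOM_DRIVER_RE.search(path):
            findings.append(Finding("random-name-driver", path))
        if entry["size"] == 0 and path.lower().endswith(".sys"):
            findings.append(Finding("zero-byte-driver", path))
        if ENV_LITERAL_RE.search(path):
            findings.append(Finding("env-var-literal-dir", path))
    return findings


# Constructed sample: a handful of lines taken from the log posted in this thread.
SAMPLE_LOG = r"""
2009-07-09 19:04 . 2008-10-15 18:58   27072   ----a-w-   c:\winnt\system32\drivers\PCASp50.sys
2009-06-20 04:07 . 2009-06-20 04:07   --------   d-s---w-   c:\winnt\system32\%USERPROFILE%
2009-07-09 23:59 . 2009-06-08 23:32   95436   ----a-w-   c:\winnt\system32\drivers\26d261c5.sys
2009-06-09 13:54 . 2009-06-08 20:13   0   ----a-w-   c:\winnt\system32\drivers\c1fd68c2.sys
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""


def triage_sample():
    """Run the triage over the constructed sample above."""
    return triage(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for f in triage_sample():
        print(f"{f.reason:26} {f.detail}")
```

The legitimate PCASp50.sys entry produces no finding, while the two hex-named drivers, the zero-byte c1fd68c2.sys, the %USERPROFILE% folder and the three registry overrides are each reported once.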

        Atech

          Re: One Tough Virus Infection will not allow any application to launch
          « Reply #5 on: July 10, 2009, 12:55:41 AM »
          By the way Thanks for that Tip and utility for the USB flash drive...

          OK, here is the first scan log in normal mode. Also, I am posting for the computer; this one was not allowing any of this type of behavior (logging on to a computer virus/spyware forum).

          Here is the combofix scan log for Normal mode

          ComboFix 09-07-08.04 - Bill 07/09/2009 23:04.3 - NTFSx86
          Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.383.111 [GMT -7:00]
          Running from: c:\documents and settings\Bill\Desktop\ComboFix.exe
          .

          (((((((((((((((((((((((((   Files Created from 2009-06-10 to 2009-07-10  )))))))))))))))))))))))))))))))
          .

          2009-07-09 19:35 . 2009-07-09 19:35   --------   d-----w-   c:\documents and settings\Administrator\Application Data\Sprint
          2009-07-09 19:15 . 2009-07-09 19:15   --------   d-----w-   c:\documents and settings\Bill\Application Data\Sprint
          2009-07-09 19:04 . 2008-10-15 18:58   27072   ----a-w-   c:\winnt\system32\drivers\PCASp50.sys
          2009-07-09 19:03 . 2005-03-15 18:11   17920   ----a-w-   c:\winnt\system32\apintfnt.dll
          2009-07-09 19:03 . 2008-04-13 17:45   17152   ----a-w-   c:\winnt\system32\drivers\usbohci.sys
          2009-07-09 19:03 . 2008-04-13 17:45   17152   ----a-w-   c:\winnt\system32\dllcache\usbohci.sys
          2009-07-09 19:01 . 2007-01-18 17:24   26496   ----a-r-   c:\winnt\system32\drivers\RimSerial.sys
          2009-07-09 18:55 . 2009-07-09 18:55   --------   d-----w-   c:\program files\Common Files\Research in Motion
          2009-07-09 18:55 . 2009-07-09 19:03   --------   d-----w-   c:\program files\Sierra Wireless
          2009-07-09 18:54 . 2009-07-09 19:02   --------   d-----w-   c:\program files\Common Files\Motorola Shared
          2009-07-09 18:54 . 2009-07-09 18:54   --------   d-----w-   c:\program files\Novatel Wireless
          2009-07-09 18:54 . 2009-07-09 18:54   --------   d-----w-   c:\program files\Sprint
          2009-07-09 18:54 . 2009-07-09 18:54   --------   d-----w-   c:\documents and settings\All Users\Application Data\Sprint
          2009-07-09 18:45 . 2009-07-09 18:45   --------   d-----w-   c:\documents and settings\Bill\Application Data\Sierra Wireless
          2009-07-09 17:43 . 2009-07-09 17:48   --------   d-----w-   c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory
          2009-07-09 17:35 . 2009-07-09 17:35   --------   d-----w-   c:\program files\Sierra Wireless Inc
          2009-07-09 17:35 . 2009-07-09 17:35   --------   d-----w-   c:\documents and settings\Administrator\Application Data\Sierra Wireless
          2009-07-08 19:56 . 2009-07-08 19:56   --------   d-----w-   c:\documents and settings\Administrator\Application Data\DriverCure
          2009-07-08 19:55 . 2009-07-10 01:06   117760   ----a-w-   c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
          2009-07-08 19:53 . 2009-07-08 19:53   --------   d-----w-   c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
          2009-07-08 18:45 . 2009-07-09 19:23   117760   ----a-w-   c:\documents and settings\Bill\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
          2009-07-08 18:42 . 2009-07-08 18:42   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
          2009-07-08 18:41 . 2009-07-08 22:30   --------   d-----w-   c:\program files\SUPERAntiSpyware
          2009-07-08 18:41 . 2009-07-08 18:41   --------   d-----w-   c:\documents and settings\Bill\Application Data\SUPERAntiSpyware.com
          2009-07-08 07:38 . 2009-07-08 07:38   --------   d-----w-   c:\documents and settings\Administrator\Application Data\Safer Networking
          2009-07-08 07:37 . 2009-07-08 07:37   --------   d-----w-   c:\program files\Safer Networking
          2009-07-08 07:37 . 2009-07-08 07:37   --------   d-----w-   C:\!KillBox
          2009-07-08 07:34 . 2009-07-08 07:34   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
          2009-07-07 23:04 . 2009-07-07 23:04   94104   ----a-w-   c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
          2009-07-07 21:39 . 2009-07-07 21:39   --------   d-----w-   c:\program files\SDHelper (Spybot - Search & Destroy)
          2009-07-07 21:39 . 2009-07-07 21:39   --------   d-----w-   c:\program files\Misc. Support Library (Spybot - Search & Destroy)
          2009-07-07 21:39 . 2009-07-07 21:39   --------   d-----w-   c:\program files\File Scanner Library (Spybot - Search & Destroy)
          2009-07-07 21:39 . 2009-07-07 21:39   --------   d-----w-   c:\program files\TeaTimer (Spybot - Search & Destroy)
          2009-07-07 21:33 . 2009-07-07 22:56   --------   d-----w-   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
          2009-07-07 21:33 . 2009-07-07 21:48   --------   d-----w-   c:\program files\Spybot - Search & Destroy
          2009-06-20 04:07 . 2009-06-20 04:07   --------   d-s---w-   c:\winnt\system32\%USERPROFILE%
          2009-06-17 05:12 . 2009-06-17 05:12   --------   d-----w-   c:\winnt\system32\Mozilla Shared

          .
          ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
          .
          2009-07-09 23:59 . 2009-06-08 23:32   95436   ----a-w-   c:\winnt\system32\drivers\26d261c5.sys
          2009-07-08 19:57 . 2009-01-30 19:53   --------   d-----w-   c:\documents and settings\All Users\Application Data\DriverCure
          2009-07-08 19:31 . 2009-07-08 19:31   312847   ------w-   c:\winnt\system32\647abd38a58580908918e8a3395fb887.TMP
          2009-07-08 19:02 . 2009-07-08 19:02   312847   ------w-   c:\winnt\system32\f1864ab73dbdccf734bbec48fddfe5cf.TMP
          2009-07-07 21:24 . 2009-07-07 21:24   312847   ------w-   c:\winnt\system32\8aab370f9a360b00da9c3c7d5e63494e.TMP
          2009-07-07 21:05 . 2008-12-27 02:46   --------   d-----w-   c:\program files\CleanUp!
          2009-06-24 01:52 . 2004-08-30 21:40   --------   d-----w-   c:\documents and settings\Pat\Application Data\WeatherBug
          2009-06-18 02:17 . 2007-11-03 23:20   --------   d-----w-   c:\program files\Windows Live Toolbar
          2009-06-09 13:54 . 2009-06-08 20:13   0   ----a-w-   c:\winnt\system32\drivers\c1fd68c2.sys
          .

          (((((((((((((((((((((((((((((   SnapShot@2009-07-10_00.02.19   )))))))))))))))))))))))))))))))))))))))))
          .
          - 1980-01-01 06:00 . 2009-07-09 19:02   58012              c:\winnt\system32\perfc009.dat
          + 1980-01-01 06:00 . 2009-07-10 05:55   58012              c:\winnt\system32\perfc009.dat
          + 1980-01-01 06:00 . 2009-07-10 05:55   391894              c:\winnt\system32\perfh009.dat
          - 1980-01-01 06:00 . 2009-07-09 19:02   391894              c:\winnt\system32\perfh009.dat
          .
          (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
          .
          .
          *Note* empty entries & legit default entries are not shown
          REGEDIT4

          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
          "Sprint SmartView"="c:\program files\Sprint\Sprint SmartView\SprintSV.exe" [2008-10-15 17664]

          [HKLM\~\startupfolder\C:^DOCUME~1^ALLUSE~1^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
          path=c:\docume~1\ALLUSE~1\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
          backup=c:\winnt\pss\Adobe Reader Speed Launch.lnkCommon Startup

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
          "MSIServer"=3 (0x3)
          "wuauserv"=2 (0x2)
          "WMPNetworkSvc"=3 (0x3)
          "WLSetupSvc"=3 (0x3)
          "Viewpoint Manager Service"=2 (0x2)
          "usnjsvc"=3 (0x3)
          "SQLAgent$ALAMODE"=3 (0x3)
          "sopidkc"=2 (0x2)
          "ose"=3 (0x3)
          "MSSQLServerADHelper"=3 (0x3)
          "MSSQL$ALAMODE"=2 (0x2)
          "dhcpsrv"=2 (0x2)
          "dfgdjhse5rjfmkfsderhkldtd576ogd80"=2 (0x2)
          "cvjser5usjfyigsfhjhswybn4wgss80"=2 (0x2)
          "BITS"=3 (0x3)

          [HKEY_LOCAL_MACHINE\software\microsoft\security center]
          "AntiVirusOverride"=dword:00000001
          "FirewallOverride"=dword:00000001

          [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
          "EnableFirewall"= 0 (0x0)

          [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
          "%windir%\\system32\\sessmgr.exe"=
          "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
          "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
          "c:\\Program Files\\Messenger\\msmsgs.exe"=
          "c:\\Program Files\\Sprint\\Sprint SmartView\\SwiApiMux.exe"=

          R3 ati2mpaa;ati2mpaa;c:\winnt\system32\DRIVERS\ati2mpaa.sys [2001-08-17 281856]
          R3 PCDRDRV;Pcdr Helper Driver;c:\atf\Qctest\PCDoc\PCDRDRV.sys

          R3 sasenum;sasenum;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-06-23 7408]
          R4 MSSQL$ALAMODE;MSSQL$ALAMODE;c:\program files\Microsoft SQL Server\MSSQL$ALAMODE\Binn\sqlservr.exe [2008-12-18 9158656]
          R4 SQLAgent$ALAMODE;SQLAgent$ALAMODE;c:\program files\Microsoft SQL Server\MSSQL$ALAMODE\Binn\sqlagent.EXE [2005-05-04 323584]
          S1 sasdifsv;sasdifsv;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-06-23 9968]
          S1 saskutil;saskutil;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-06-23 72944]

          .
          Contents of the 'Scheduled Tasks' folder

          2009-07-09 c:\winnt\Tasks\Check Updates for Windows Live Toolbar.job
          - c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 19:20]
          .
          - - - - ORPHANS REMOVED - - - -

          HKCU-Run-DriverCure - c:\program files\ParetoLogic\DriverCure\DriverCure.exe


          .
          ------- Supplementary Scan -------
          .
          uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
          uInternet Connection Wizard,ShellNext = iexplore
          IE: &Define - c:\program files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
          IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
          IE: Look Up in &Encyclopedia - c:\program files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
          Trusted Zone: aol.com\free
          DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
          .

          **************************************************************************

          catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
          Rootkit scan 2009-07-09 23:18
          Windows 5.1.2600 Service Pack 3 NTFS

          scanning hidden processes ... 

          scanning hidden autostart entries ...

          scanning hidden files ... 

          scan completed successfully
          hidden files: 0

          **************************************************************************
          .
          --------------------- LOCKED REGISTRY KEYS ---------------------

          [HKEY_USERS\S-1-5-21-3563514748-1417066420-3376078148-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{014DA6C1-189F-421A-88CD-07CFE51CFF10}\iexplore]
          @DACL=(02 0000)
          "Type"=dword:00000003
          "Count"=dword:000005c9
          "Time"=hex:d8,07,0c,00,06,00,1b,00,00,00,28,00,05,00,1f,02

          [HKEY_USERS\S-1-5-21-3563514748-1417066420-3376078148-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{014DA6C9-189F-421A-88CD-07CFE51CFF10}\iexplore]
          @DACL=(02 0000)
          "Type"=dword:00000002
          "Count"=dword:00000809
          "Time"=hex:d8,07,0c,00,06,00,1b,00,02,00,2e,00,09,00,e5,00

          [HKEY_USERS\S-1-5-21-3563514748-1417066420-3376078148-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{b2c7b2a1-00f3-42bd-f434-00aaba2c8952}\iexplore]
          @DACL=(02 0000)
          "Type"=dword:00000003
          "Flags"=dword:00000000
          "Count"=dword:000000c7
          "Time"=hex:d9,07,07,00,03,00,08,00,13,00,07,00,02,00,f4,00

          [HKEY_USERS\S-1-5-21-3563514748-1417066420-3376078148-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F919FBD3-A96B-4679-AF26-F551439BB5FD}\iexplore]
          @DACL=(02 0000)
          "Type"=dword:00000001
          "Count"=dword:00000002
          "Time"=hex:d5,07,0a,00,04,00,14,00,03,00,29,00,11,00,0b,03
          "Blocked"=dword:00000002
          .
          --------------------- DLLs Loaded Under Running Processes ---------------------

          - - - - - - - > 'explorer.exe'(1604)
          c:\winnt\system32\WPDShServiceObj.dll
          c:\winnt\system32\PortableDeviceTypes.dll
          c:\winnt\system32\PortableDeviceApi.dll
          .
          Completion time: 2009-07-10 23:29
          ComboFix-quarantined-files.txt  2009-07-10 06:29
          ComboFix2.txt  2009-07-10 05:17
          ComboFix3.txt  2009-07-10 00:12

          Pre-Run: 7,173,222,400 bytes free
          Post-Run: 7,164,768,256 bytes free

          WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
          [boot loader]
          timeout=2
          default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
          [operating systems]
          c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
          multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

          179   --- E O F ---   2009-05-17 15:02
          Who knows whether he shall be a wise man or a fool
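The "Reg Loading Points" section of the ComboFix log above is where a helper looks first, and this one shows three things worth flagging: both Security Center override values set to 1 (which stop Security Center from monitoring antivirus and firewall state, so the user never sees the warning), the standard-profile firewall switched off, and two msconfig\services entries with random-looking names next to legitimate ones. As an added example (not part of this thread and not ComboFix's own code), here is a small Python triage script that parses that REGEDIT4-style section and reports exactly those findings. The sample input is copied from the log above; the random-name rule (24 or more lower-case letters and digits with at least one digit) is an assumption tuned to the two entries here, not a ComboFix rule, and a short name such as sopidkc slips past it.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log (added example)."""
import re

# Excerpt copied from the ComboFix log in this thread; used here as test input.
SAMPLE_LOG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sprint SmartView"="c:\program files\Sprint\Sprint SmartView\SprintSV.exe" [2008-10-15 17664]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MSIServer"=3 (0x3)
"wuauserv"=2 (0x2)
"sopidkc"=2 (0x2)
"dfgdjhse5rjfmkfsderhkldtd576ogd80"=2 (0x2)
"cvjser5usjfyigsfhjhswybn4wgss80"=2 (0x2)
"BITS"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
# Assumption (not a ComboFix rule): 24+ lower-case letters/digits with at least
# one digit. Tuned to the two entries in this log; short names slip past it.
RANDOM_NAME_RE = re.compile(r"^(?=.*\d)[a-z0-9]{24,}$")


def parse_reg_points(text):
    """Return {key_path: {value_name: raw_data}} for a REGEDIT4-style block."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2).strip()
    return keys


def as_int(raw):
    """Decode the two numeric forms ComboFix prints: 'dword:00000001' and '2 (0x2)'."""
    m = re.match(r"dword:([0-9a-fA-F]{8})$", raw)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"(\d+)\s*\(0x[0-9a-fA-F]+\)$", raw)
    if m:
        return int(m.group(1))
    return None


def triage(keys):
    """Return (finding_kind, value_name) pairs worth a second look."""
    findings = []
    for path, values in keys.items():
        low = path.lower()
        if low.endswith("security center"):
            # 1 tells Security Center to stop monitoring that component, so the
            # user never sees the "no antivirus / no firewall" warning.
            for name in ("AntiVirusOverride", "FirewallOverride"):
                if as_int(values.get(name, "")) == 1:
                    findings.append(("security-center-override", name))
        elif low.endswith("firewallpolicy\\standardprofile"):
            if as_int(values.get("EnableFirewall", "")) == 0:
                findings.append(("firewall-disabled", "EnableFirewall"))
        elif low.endswith("msconfig\\services"):
            # Entries here are services unchecked in msconfig; a random-looking
            # name among them is a strong hint of a malware service.
            for name in values:
                if RANDOM_NAME_RE.match(name):
                    findings.append(("random-service-name", name))
    return findings


def cfscript_registry_stanza(findings):
    """Build a ComboFix Registry:: stanza ("name"=- deletes a value) for the
    random-named entries, in the same shape as the CFScript in Reply #6."""
    names = [name for kind, name in findings if kind == "random-service-name"]
    if not names:
        return ""
    lines = ["Registry::",
             r"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]"]
    lines += ['"%s"=-' % name for name in names]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = triage(parse_reg_points(SAMPLE_LOG))
    for kind, name in found:
        print("%-26s %s" % (kind, name))
    print(cfscript_registry_stanza(found))
```

The Registry:: stanza it prints has the same shape as the one in Reply #6 below in this thread, but a generated list is only a starting point: a human still confirms each name before handing it to ComboFix, and the msconfig entries tell you the service was unchecked, not where its binary lives.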

          evilfantasy

          • Malware Removal Specialist
          • Moderator


          • Genius
          • Calm like a bomb
          • Thanked: 493
          • Experience: Experienced
          • OS: Windows 11
          Re: One Tough Virus Infection will not allow any application to launch
          « Reply #6 on: July 10, 2009, 10:45:07 AM »
          Have you been able to get the computer back online yet?

          Delete these files/folders, as follows:

          1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
          It must be Notepad, not Wordpad.
          2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:
          KillAll::

          Registry::
          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
          "Viewpoint Manager Service"=-
          "sopidkc"=-
          "dfgdjhse5rjfmkfsderhkldtd576ogd80"=-
          "cvjser5usjfyigsfhjhswybn4wgss80"=-

          RegLock::
          [HKEY_USERS\S-1-5-21-3563514748-1417066420-3376078148-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{014DA6C1-189F-421A-88CD-07CFE51CFF10}\iexplore]

          [HKEY_USERS\S-1-5-21-3563514748-1417066420-3376078148-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{014DA6C9-189F-421A-88CD-07CFE51CFF10}\iexplore]

          [HKEY_USERS\S-1-5-21-3563514748-1417066420-3376078148-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{b2c7b2a1-00f3-42bd-f434-00aaba2c8952}\iexplore]

          [HKEY_USERS\S-1-5-21-3563514748-1417066420-3376078148-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F919FBD3-A96B-4679-AF26-F551439BB5FD}\iexplore]


          3. Go to the Notepad window and click Edit > Paste
          4. Then click File > Save
          5. Name the file CFScript.txt - Save the file to your Desktop
          6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



          ComboFix will begin to execute, just follow the prompts.
          After reboot (in case it asks to reboot), it will produce a log for you.
          Post that log (Combofix.txt) in your next reply.

          Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze

          Atech

            Topic Starter


            Rookie
          • Think before you act consider the consequences
            Re: One Tough Virus Infection will not allow any application to launch
            « Reply #7 on: July 10, 2009, 01:11:56 PM »
            Yes I was, Please see post #6

            Ok here's how thing went through the night!

I was able to load AVG, and it was able to scan the system.  It found 22 infections and they are in the Virus Vault.  The first log is from that scan.  The second log is from Combofix.  Also, I disabled the AVG resident shield before running Combofix.



            [attachment deleted by admin]

            evilfantasy

            Re: One Tough Virus Infection will not allow any application to launch
            « Reply #8 on: July 10, 2009, 01:34:55 PM »
            AVG only found two new infections. The others were already quarantined by HijackThis and ComboFix.

            It looks like we got everything. How is the computer running now?

            evilfantasy

            Re: One Tough Virus Infection will not allow any application to launch
            « Reply #9 on: July 10, 2009, 01:46:13 PM »
            Also have a look at this. I'm fairly sure we got everything but you might consider some of the information here. Since the virus took away your internet connection then I'm not sure how much information might or might not have been available to any attacker.

            The computer was infected by a trojan, which has Backdoor Functionality. This can give intruders complete control of the computer, logging key strokes, stealing information, etc.

            You are strongly advised to do the following immediately!

            • Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
• Change all of your online passwords -- for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups you belong to.
            • Because of its backdoor functionality, your PC was very likely compromised and there is no way to be sure it can ever again be trusted.
            • Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall.
            .
            To help you make a more informed decision, please read the following articles:
            .
            Should you have any questions, please feel free to ask

            Atech

              Re: One Tough Virus Infection will not allow any application to launch
              « Reply #10 on: July 10, 2009, 01:59:45 PM »
              The computer is running fine... I'm the one that's skeptical ::) Is it really fixed??!!! After all of this!! I'm sure it is...  I now have a new respect for computer forums... I'd like to become a removal specialist!!

              thanks much ComputerHope

              Thank You Evilfantasy.

              Atech 2 B!!!

              Oh NO!!! As I was typing you added another post! I had the disk "D Ban" on the table ready to wipe, but decided to give it a try

              evilfantasy

              Re: One Tough Virus Infection will not allow any application to launch
              « Reply #11 on: July 10, 2009, 02:05:05 PM »
We should do another scan just to be sure. Better safe than sorry...

              A little cleanup first.

              * Click START then RUN
              * Now type Combofix /u in the runbox
              * Make sure there's a space between Combofix and /u
              * Then hit Enter

              * The above procedure will:
              * Delete the following:
              * ComboFix and its associated files and folders.
              * Reset the clock settings.
              * Hide file extensions, if required.
              * Hide System/Hidden files, if required.
              * Set a new, clean Restore Point.

              ----------

              Clean out your temporary internet files and temp files.

              Download TFC by OldTimer to your desktop.

              Double-click TFC.exe to run it.

              Note: If you are running on Vista, right-click on the file and choose Run As Administrator

              TFC will close all programs when run, so make sure you have saved all your work before you begin.

              * Click the Start button to begin the cleaning process.
              * Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
              * Please let TFC run uninterrupted until it is finished.

              Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.

              ----------

BitDefender Online Scanner only works with Internet Explorer! Click here for the latest version of Internet Explorer

              * Scan with the BitDefender Online Scanner
              * Click Start Scanner to begin.
              * Place a check mark next to I agree with the Terms and Conditions then click Start Here
              * Agree to the license and then Install the ActiveX control.
              * Please DO NOT change any of the Scanning Options!
              * Click Start Scan to begin updating the BitDefender Online Scanner. The scan will start once the definitions are up-to-date.

              * This scan can take a while so please be patient and let it complete.

              * Once BitDefender completes the scan:
              * Click-on the Detected Problems tab.
              * Then select Click here to export the scan report



              This will save a file named bdscan.html I would suggest saving it to the desktop so you can easily find it. (take notice of where you save it so you can find it later)
               
              You will have to upload the file online. The forums will not accept HTML.

              Go to File Dropper

              * Click Upload
              * Locate the file and double click it.
              * Copy the link below Share This Link: and post it back here.



              Atech

                Re: One Tough Virus Infection will not allow any application to launch
                « Reply #12 on: July 10, 2009, 03:01:55 PM »
                Virus signatures were not able to load.  I did not do the scan because BitDefender could vouch for the accuracy of the scan :'(

                evilfantasy

                Re: One Tough Virus Infection will not allow any application to launch
                « Reply #13 on: July 10, 2009, 03:05:33 PM »
                Try this one.

                Use the ESET Online Antivirus Scanner

                This scanner requires Internet Explorer

                1. Check the box next to YES, I accept the Terms of Use.
                2. Click Start
                3. When asked, allow the activex control to install
                4. Click Start
                5. Make sure that the option Remove found threats and the option Scan unwanted applications is check marked.
                6. Click Scan
                7. Wait for the scan to finish
                8. Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
                9. Add the C:\Program Files\EsetOnlineScanner\log.txt log into your next reply.

                Atech

                  Re: One Tough Virus Infection will not allow any application to launch
                  « Reply #14 on: July 10, 2009, 03:36:37 PM »
No go!  My suspicions are on the rise.  I use a USB broadband connection to connect to the internet; it just did something unusual.  :o

Also, the system is slowing down after attempting to do on-line scanning??!!

                  Time for another scan log?

                  evilfantasy

                  Re: One Tough Virus Infection will not allow any application to launch
                  « Reply #15 on: July 10, 2009, 04:07:38 PM »
                  This should work.

                  Download DrWeb CureIt & save it to your desktop. Scan with DrWeb-CureIt as follows:

                  • Double-click on drweb-cureit.exe and then click Start
                  • An information notice will appear, click OK.
                  • This starts a short scan that will scan the files currently running in memory.
                  • If you get a prompt to buy the full version just exit out of the window. The scanner will still work without buying the full version
                  • If or when something is found, click the Yes button when it asks you if you want to cure it.
                  • Once the short scan has finished, Click Settings > Change Settings
                  • Under the Scanning tab UNcheck Heuristic analysis and click OK
                  • Back at the main window, select the Complete scan button and then click the Green Arrow Start Scanning button on the right and the scan will start.
                  • Click Yes to all if it asks if you want to cure/move any file(s).
                  • When the scan is done.
                  • In the Dr.Web CureIt menu on top left, click File and choose Save report list.
                  • Save the DrWeb.csv report to your Desktop.
                  • Exit Dr.Web Cureit.
                  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
                  * After reboot, Right-click the Dr.Web log on the desktop and choose Open With > Notepad
                  * Copy and paste that log in the next reply.

                  Atech

                    Re: One Tough Virus Infection will not allow any application to launch
                    « Reply #16 on: July 10, 2009, 04:08:21 PM »
                    Finally got bitdefender to update and ran it.  No problems found!!? ;D ;D

                    I'm going to take a wait-n-see attitude.  If flickers...... D-Bomb the drive!! :o


                    Thanks Again

                    This case is closed!!

                    Atech

                      Re: One Tough Virus Infection will not allow any application to launch
                      « Reply #17 on: July 10, 2009, 04:12:28 PM »
                      Ok Will do

                      Atech

                        Re: One Tough Virus Infection will not allow any application to launch
                        « Reply #18 on: July 11, 2009, 12:18:52 AM »
                        Log Post from Dr.Web

                        RegUBP2b-Administrator.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;
                        Aurora.exe/Setup/WinTOTAL.zip\Utils/GetContent.exe;C:\Documents and Settings\Mister W\Desktop\Aurora.exe/Setup/WinTOTAL.zip;Modification of BackDoor.Generic.983;;
                        Setup/WinTOTAL.zip;C:\Documents and Settings\Mister W\Desktop;Archive contains infected objects;;
                        Aurora.exe;C:\Documents and Settings\Mister W\Desktop;Archive contains infected objects;Moved.;
                        Morph20.exe/data017\data008;C:\Documents and Settings\Xavier\Desktop\Morph20.exe/data017;Adware.Ipinsight;;
                        data017;C:\Documents and Settings\Xavier\Desktop;Archive contains infected objects;;
                        Morph20.exe;C:\Documents and Settings\Xavier\Desktop;Archive contains infected objects;Moved.;
                        Install_AIM.exe\data038;C:\Program Files\AIM\Install_AIM.exe;Adware.Aws;;
                        Install_AIM.exe;C:\Program Files\AIM;Archive contains infected objects;Moved.;
                        A0000534.reg;C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP4;Trojan.StartPage.1505;Deleted.;
                        A0000536.exe/Setup/WinTOTAL.zip\Utils/GetContent.exe;C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP4\A0000536.exe/Setup/WinTOTAL.zip;Modification of BackDoor.Generic.983;;
                        Setup/WinTOTAL.zip;C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP4;Archive contains infected objects;;
                        A0000536.exe;C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP4;Archive contains infected objects;Moved.;
                        A0000537.exe/data017\data008;C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP4\A0000537.exe/data017;Adware.Ipinsight;;
                        data017;C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP4;Archive contains infected objects;;
                        A0000537.exe;C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP4;Archive contains infected objects;Moved.;
                        A0000538.exe\data038;C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP4\A0000538.exe;Adware.Aws;;
                        A0000538.exe;C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP4;Archive contains infected objects;Moved.;
                        aur0149.z_\Utils/GetContent.exe;C:\WIN2000\MODEM\Upgrades\aur0149.z_;Modification of BackDoor.Generic.983;;
                        aur0149.z_;C:\WIN2000\MODEM\Upgrades;Archive contains infected objects;Moved.;
                        GetContent.exe;C:\WIN2000\UTILS;Modification of BackDoor.Generic.983;Moved.;
                        icwsetup.exeCommon Startup;C:\WINNT\pss;Trojan.Inject.5806;Deleted.;
                        mobn.exe\data009;C:\WINNT\system32\mobn.exe;Adware.WildMedia.origin;;
                        mobn.exe;C:\WINNT\system32;Archive contains infected objects;Moved.;
                        mobupd.exe;C:\WINNT\system32;Adware.WildMedia;Moved.;
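The Dr.Web report above is a plain semicolon-separated list, object;directory;verdict;action;, with two details that matter when reading it. Objects found inside an archive appear with an empty action field, and only the outer archive gets "Moved." or "Deleted.", so counting lines overstates what was removed; and several hits sit under System Volume Information\_restore, i.e. inside System Restore snapshots, which is why a cleanup step that sets a fresh restore point matters, since restoring to one of those points would bring the files back. As an added example (not part of this thread and not Dr.Web's own code), the Python below parses lines copied from that report plus one constructed line (evil.exe\payload) that has no container row, groups detections by verdict and action, checks that every inner object is covered by an actioned container, and lists the restore-point hits. The field layout is inferred from the posted log; "Archive contains infected objects" is treated as a container marker rather than a detection.

```python
"""Summarise a Dr.Web CureIt report (added example, not Dr.Web's own code)."""
import re
from collections import Counter

CONTAINER = "Archive contains infected objects"

# Lines copied from the Dr.Web log in this thread, plus one constructed line
# (evil.exe\payload) that has no container row, to show the unresolved case.
SAMPLE_REPORT = r"""RegUBP2b-Administrator.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;
Aurora.exe/Setup/WinTOTAL.zip\Utils/GetContent.exe;C:\Documents and Settings\Mister W\Desktop\Aurora.exe/Setup/WinTOTAL.zip;Modification of BackDoor.Generic.983;;
Setup/WinTOTAL.zip;C:\Documents and Settings\Mister W\Desktop;Archive contains infected objects;;
Aurora.exe;C:\Documents and Settings\Mister W\Desktop;Archive contains infected objects;Moved.;
Install_AIM.exe\data038;C:\Program Files\AIM\Install_AIM.exe;Adware.Aws;;
Install_AIM.exe;C:\Program Files\AIM;Archive contains infected objects;Moved.;
A0000534.reg;C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP4;Trojan.StartPage.1505;Deleted.;
A0000536.exe/Setup/WinTOTAL.zip\Utils/GetContent.exe;C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP4\A0000536.exe/Setup/WinTOTAL.zip;Modification of BackDoor.Generic.983;;
A0000536.exe;C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP4;Archive contains infected objects;Moved.;
GetContent.exe;C:\WIN2000\UTILS;Modification of BackDoor.Generic.983;Moved.;
icwsetup.exeCommon Startup;C:\WINNT\pss;Trojan.Inject.5806;Deleted.;
mobupd.exe;C:\WINNT\system32;Adware.WildMedia;Moved.;
evil.exe\payload;C:\Temp\evil.exe;Trojan.Fake;;
"""


def top_level(obj):
    """Outermost file name of a possibly nested object path (a/b\\c -> a)."""
    return re.split(r"[/\\]", obj, maxsplit=1)[0]


def parse_report(text):
    """Parse 'object;directory;verdict;action;' lines into dicts."""
    rows = []
    for line in text.splitlines():
        parts = line.rstrip().split(";")
        if len(parts) < 4 or not parts[0]:
            continue
        obj, directory, verdict, action = parts[:4]
        rows.append({
            "object": obj,
            "dir": directory,
            "verdict": verdict,
            "action": action or None,   # empty for objects inside an archive
            "in_restore_point":
                "\\system volume information\\_restore" in directory.lower(),
        })
    return rows


def summarize(rows):
    """Group detections, find inner objects whose container was never actioned,
    and list detections that live in System Restore snapshots."""
    actioned = [r for r in rows if r["action"]]
    detections = [r for r in rows if r["verdict"] != CONTAINER]

    def covered(row):
        # An inner object is handled once its outermost archive was moved or
        # deleted; that row carries the archive's own name and parent directory.
        outer = top_level(row["object"])
        return any(a["object"] == outer and row["dir"].startswith(a["dir"])
                   for a in actioned)

    return {
        "verdicts": dict(Counter(r["verdict"] for r in detections)),
        "actions": dict(Counter(r["action"] for r in actioned)),
        "restore_point_hits": sorted({top_level(r["object"])
                                      for r in detections if r["in_restore_point"]}),
        "unresolved": [r["object"] for r in detections
                       if r["action"] is None and not covered(r)],
    }


if __name__ == "__main__":
    result = summarize(parse_report(SAMPLE_REPORT))
    for key, value in result.items():
        print(key, value)
```

Anything in "unresolved" is a detection the scanner reported but never acted on, which is the list to chase before calling a machine clean; on this report only the constructed line lands there, and the two restore-point hits are exactly the ones a fresh restore point leaves behind.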

                        Atech

                          Re: One Tough Virus Infection will not allow any application to launch
                          « Reply #19 on: July 11, 2009, 12:40:13 AM »
System is still buggy, unable to download any system updates from MS update.  I can browse the site but when I tell MS to check the system, I get an error message that I don't have the correct files registered.  Then it seems to register them at 100% but then says it is unable to continue.

                          Atech

                            Re: One Tough Virus Infection will not allow any application to launch
                            « Reply #20 on: July 11, 2009, 02:50:29 AM »
I registered all the dll's associated with Windows Update; when I tried to do a custom or express update, it failed with that message "files unregistered or missing".

                            evilfantasy

                            Re: One Tough Virus Infection will not allow any application to launch
                            « Reply #21 on: July 11, 2009, 10:56:59 AM »
                            Open Malwarebytes' Anti-Malware.
                            • Click the Update tab.
                            • Click Check for Updates
                            • If an update is found, it will download and install.
                            • Click the Scanner tab.
                            • Select "Perform Quick Scan", then click Scan.
• The scan may take some time to finish, so please be patient.
                            • When the scan is complete, click OK, then Show Results to view the results.
                            • Make sure that everything is checked, and click Remove Selected.
                            • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
                            • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
                            • Copy & Paste the entire report in your next reply along with a fresh HijackThis log.
                            Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

                            Atech

                              Topic Starter


                              Re: One Tough Virus Infection will not allow any application to launch
                              « Reply #22 on: July 11, 2009, 05:10:22 PM »
                              ComboFix 09-07-09.07 - Bill 07/11/2009 11:14.5.1 - NTFSx86
                              Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.383.205 [GMT -7:00]
                              Running from: c:\documents and settings\Bill\Desktop\ComboFix.exe
                              AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
                              .

                              (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
                              .

                              c:\documents and settings\All Users\Application Data\Microsoft\Shortcuts

                              .
                              (((((((((((((((((((((((((   Files Created from 2009-06-11 to 2009-07-11  )))))))))))))))))))))))))))))))
                              .

                              2009-07-11 09:29 . 2009-07-11 09:29   --------   d-----w-   c:\winnt\LastGood.Tmp
                              2009-07-10 22:27 . 2009-07-10 22:27   --------   d-----w-   c:\documents and settings\Bill\DoctorWeb
                              2009-07-10 20:36 . 2009-07-10 21:41   --------   d-----w-   c:\winnt\BDOSCAN8
                              2009-07-10 07:16 . 2009-07-10 09:04   --------   d--h--w-   C:\$AVG8.VAULT$
                              2009-07-10 06:48 . 2009-06-26 17:36   1008896   ----a-w-   c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
                              2009-07-10 06:43 . 2009-07-10 06:43   11952   ----a-w-   c:\winnt\system32\avgrsstx.dll
                              2009-07-10 06:43 . 2009-07-10 06:43   335752   ----a-w-   c:\winnt\system32\drivers\avgldx86.sys
                              2009-07-10 06:42 . 2009-07-10 06:42   27784   ----a-w-   c:\winnt\system32\drivers\avgmfx86.sys
                              2009-07-10 06:42 . 2009-07-11 01:20   --------   d-----w-   c:\winnt\system32\drivers\Avg
                              2009-07-10 06:42 . 2009-07-10 06:48   --------   d-----w-   c:\documents and settings\All Users\Application Data\AVG Security Toolbar
                              2009-07-10 06:42 . 2009-07-10 06:42   108552   ----a-w-   c:\winnt\system32\drivers\avgtdix.sys
                              2009-07-10 06:41 . 2009-07-10 06:41   --------   d-----w-   c:\documents and settings\All Users\Application Data\avg8
                              2009-07-09 19:35 . 2009-07-09 19:35   --------   d-----w-   c:\documents and settings\Administrator\Application Data\Sprint
                              2009-07-09 19:15 . 2009-07-09 19:15   --------   d-----w-   c:\documents and settings\Bill\Application Data\Sprint
                              2009-07-09 19:04 . 2008-10-15 18:58   27072   ----a-w-   c:\winnt\system32\drivers\PCASp50.sys
                              2009-07-09 19:03 . 2005-03-15 18:11   17920   ----a-w-   c:\winnt\system32\apintfnt.dll
                              2009-07-09 19:03 . 2008-04-13 17:45   17152   ----a-w-   c:\winnt\system32\drivers\usbohci.sys
                              2009-07-09 19:03 . 2008-04-13 17:45   17152   ----a-w-   c:\winnt\system32\dllcache\usbohci.sys
                              2009-07-09 19:01 . 2007-01-18 17:24   26496   ----a-r-   c:\winnt\system32\drivers\RimSerial.sys
                              2009-07-09 18:55 . 2009-07-09 18:55   --------   d-----w-   c:\program files\Common Files\Research in Motion
                              2009-07-09 18:55 . 2009-07-09 19:03   --------   d-----w-   c:\program files\Sierra Wireless
                              2009-07-09 18:54 . 2009-07-09 19:02   --------   d-----w-   c:\program files\Common Files\Motorola Shared
                              2009-07-09 18:54 . 2009-07-09 18:54   --------   d-----w-   c:\program files\Novatel Wireless
                              2009-07-09 18:54 . 2009-07-09 18:54   --------   d-----w-   c:\program files\Sprint
                              2009-07-09 18:54 . 2009-07-09 18:54   --------   d-----w-   c:\documents and settings\All Users\Application Data\Sprint
                              2009-07-09 18:45 . 2009-07-09 18:45   --------   d-----w-   c:\documents and settings\Bill\Application Data\Sierra Wireless
                              2009-07-09 17:43 . 2009-07-09 17:48   --------   d-----w-   c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory
                              2009-07-09 17:35 . 2009-07-09 17:35   --------   d-----w-   c:\program files\Sierra Wireless Inc
                              2009-07-09 17:35 . 2009-07-09 17:35   --------   d-----w-   c:\documents and settings\Administrator\Application Data\Sierra Wireless
                              2009-07-08 19:56 . 2009-07-08 19:56   --------   d-----w-   c:\documents and settings\Administrator\Application Data\DriverCure
                              2009-07-08 19:55 . 2009-07-10 01:06   117760   ----a-w-   c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
                              2009-07-08 19:53 . 2009-07-08 19:53   --------   d-----w-   c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
                              2009-07-08 18:45 . 2009-07-09 19:23   117760   ----a-w-   c:\documents and settings\Bill\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
                              2009-07-08 18:42 . 2009-07-08 18:42   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
                              2009-07-08 18:41 . 2009-07-08 22:30   --------   d-----w-   c:\program files\SUPERAntiSpyware
                              2009-07-08 18:41 . 2009-07-08 18:41   --------   d-----w-   c:\documents and settings\Bill\Application Data\SUPERAntiSpyware.com
                              2009-07-08 07:38 . 2009-07-08 07:38   --------   d-----w-   c:\documents and settings\Administrator\Application Data\Safer Networking
                              2009-07-08 07:37 . 2009-07-08 07:37   --------   d-----w-   c:\program files\Safer Networking
                              2009-07-08 07:37 . 2009-07-08 07:37   --------   d-----w-   C:\!KillBox
                              2009-07-08 07:34 . 2009-07-08 07:34   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
                              2009-07-07 23:04 . 2009-07-07 23:04   94104   ----a-w-   c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
                              2009-07-07 21:39 . 2009-07-07 21:39   --------   d-----w-   c:\program files\SDHelper (Spybot - Search & Destroy)
                              2009-07-07 21:39 . 2009-07-07 21:39   --------   d-----w-   c:\program files\Misc. Support Library (Spybot - Search & Destroy)
                              2009-07-07 21:39 . 2009-07-07 21:39   --------   d-----w-   c:\program files\File Scanner Library (Spybot - Search & Destroy)
                              2009-07-07 21:39 . 2009-07-07 21:39   --------   d-----w-   c:\program files\TeaTimer (Spybot - Search & Destroy)
                              2009-07-07 21:33 . 2009-07-07 22:56   --------   d-----w-   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
                              2009-07-07 21:33 . 2009-07-07 21:48   --------   d-----w-   c:\program files\Spybot - Search & Destroy
                              2009-06-20 04:07 . 2009-06-20 04:07   --------   d-s---w-   c:\winnt\system32\%USERPROFILE%
                              2009-06-17 05:12 . 2009-06-17 05:12   --------   d-----w-   c:\winnt\system32\Mozilla Shared

                              .
                              ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                              .
                              2009-07-11 06:04 . 2003-07-04 04:21   --------   d-----w-   c:\program files\CLEARview
                              2009-07-11 00:31 . 2004-06-22 22:39   --------   d-----w-   c:\program files\AIM
                              2009-07-08 19:57 . 2009-01-30 19:53   --------   d-----w-   c:\documents and settings\All Users\Application Data\DriverCure
                              2009-07-07 21:05 . 2008-12-27 02:46   --------   d-----w-   c:\program files\CleanUp!
                              2009-06-24 01:52 . 2004-08-30 21:40   --------   d-----w-   c:\documents and settings\Pat\Application Data\WeatherBug
                              2009-06-18 02:17 . 2007-11-03 23:20   --------   d-----w-   c:\program files\Windows Live Toolbar
                              2009-06-09 13:54 . 2009-06-08 20:13   0   ----a-w-   c:\winnt\system32\drivers\c1fd68c2.sys
                              .

                              (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                              .
                              .
                              *Note* empty entries & legit default entries are not shown
                              REGEDIT4

                              [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
                              2009-06-26 17:36   1008896   ----a-w-   c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

                              [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                              "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
                              "ctfmon.exe"="c:\winnt\system32\ctfmon.exe" [2008-04-14 15360]

                              [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                              "Sprint SmartView"="c:\program files\Sprint\Sprint SmartView\SprintSV.exe" [2008-10-15 17664]
                              "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-07-10 1948440]

                              [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
                              2009-07-10 06:43   11952   ----a-w-   c:\winnt\system32\avgrsstx.dll

                              [HKLM\~\startupfolder\C:^DOCUME~1^ALLUSE~1^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
                              path=c:\docume~1\ALLUSE~1\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
                              backup=c:\winnt\pss\Adobe Reader Speed Launch.lnkCommon Startup

                              [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
                              "MSIServer"=3 (0x3)
                              "wuauserv"=2 (0x2)
                              "WMPNetworkSvc"=3 (0x3)
                              "WLSetupSvc"=3 (0x3)
                              "usnjsvc"=3 (0x3)
                              "SQLAgent$ALAMODE"=3 (0x3)
                              "ose"=3 (0x3)
                              "MSSQLServerADHelper"=3 (0x3)
                              "MSSQL$ALAMODE"=2 (0x2)
                              "dhcpsrv"=2 (0x2)
                              "BITS"=3 (0x3)

                              [HKEY_LOCAL_MACHINE\software\microsoft\security center]
                              "AntiVirusOverride"=dword:00000001

                              [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
                              "%windir%\\system32\\sessmgr.exe"=
                              "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
                              "c:\\Program Files\\Messenger\\msmsgs.exe"=
                              "c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
                              "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
                              "c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
                              "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

                              R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\winnt\system32\drivers\avgldx86.sys [7/9/2009 11:43 PM 335752]
                              R1 AvgTdiX;AVG Free8 Network Redirector;c:\winnt\system32\drivers\avgtdix.sys [7/9/2009 11:42 PM 108552]
                              R1 sasdifsv;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
                              R1 saskutil;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 72944]
                              R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/9/2009 11:42 PM 907032]
                              R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/9/2009 11:42 PM 298776]
                              S3 ati2mpaa;ati2mpaa;c:\winnt\system32\drivers\ati2mpaa.sys [10/3/2001 8:23 AM 281856]
                              S3 PCDRDRV;Pcdr Helper Driver;\??\c:\atf\Qctest\PCDoc\PCDRDRV.sys --> c:\atf\Qctest\PCDoc\PCDRDRV.sys [?]
                              S3 sasenum;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]
                              S4 MSSQL$ALAMODE;MSSQL$ALAMODE;c:\program files\Microsoft SQL Server\MSSQL$ALAMODE\Binn\sqlservr.exe [5/4/2005 1:04 AM 9158656]
                              S4 SQLAgent$ALAMODE;SQLAgent$ALAMODE;c:\program files\Microsoft SQL Server\MSSQL$ALAMODE\Binn\sqlagent.EXE [5/3/2005 10:42 PM 323584]
                              .
                              Contents of the 'Scheduled Tasks' folder

                              2009-07-11 c:\winnt\Tasks\Check Updates for Windows Live Toolbar.job
                              - c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 19:20]
                              .
                              .
                              ------- Supplementary Scan -------
                              .
                              uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
                              uInternet Connection Wizard,ShellNext = iexplore
                              IE: &Define - c:\program files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
                              IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
                              IE: Look Up in &Encyclopedia - c:\program files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
                              Trusted Zone: aol.com\free
                              DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
                              .

                              **************************************************************************

                              catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                              Rootkit scan 2009-07-11 11:27
                              Windows 5.1.2600 Service Pack 3 NTFS

                              scanning hidden processes ... 

                              scanning hidden autostart entries ...

                              scanning hidden files ... 

                              scan completed successfully
                              hidden files: 0

                              **************************************************************************
                              .
                              --------------------- DLLs Loaded Under Running Processes ---------------------

                              - - - - - - - > 'explorer.exe'(3856)
                              c:\winnt\system32\WPDShServiceObj.dll
                              c:\winnt\system32\PortableDeviceTypes.dll
                              c:\winnt\system32\PortableDeviceApi.dll
                              .
                              Completion time: 2009-07-11 11:34
                              ComboFix-quarantined-files.txt  2009-07-11 18:33
                              ComboFix2.txt  2009-07-10 18:50

                              Pre-Run: 6,347,952,128 bytes free
                              Post-Run: 6,539,554,816 bytes free

                              160   --- E O F ---   2009-05-17 15:02



                              Malwarebytes' Anti-Malware 1.38
                              Database version: 2411
                              Windows 5.1.2600 Service Pack 3

                              7/11/2009 3:42:47 PM
                              mbam-log-2009-07-11 (15-42-28).txt

                              Scan type: Quick Scan
                              Objects scanned: 124641
                              Time elapsed: 15 minute(s), 52 second(s)

                              Memory Processes Infected: 0
                              Memory Modules Infected: 0
                              Registry Keys Infected: 10
                              Registry Values Infected: 0
                              Registry Data Items Infected: 0
                              Folders Infected: 5
                              Files Infected: 9

                              Memory Processes Infected:
                              (No malicious items detected)

                              Memory Modules Infected:
                              (No malicious items detected)

                              Registry Keys Infected:
                              HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> No action taken.
                              HKEY_CLASSES_ROOT\mmkl.kl.1 (Trojan.BHO) -> No action taken.
                              HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> No action taken.
                              HKEY_CLASSES_ROOT\Interface\{277e1fe0-cf65-11d3-b377-0800460222f0} (Adware.Iwon) -> No action taken.
                              HKEY_CLASSES_ROOT\Interface\{6d54a7c0-c379-11d3-b377-0800460222f0} (Adware.Iwon) -> No action taken.
                              HKEY_CLASSES_ROOT\Typelib\{78429873-f771-11d3-ae1d-0050dac24e8f} (Adware.Iwon) -> No action taken.
                              HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c298fb42-e3e2-11d3-adcd-0050dac24e8f} (Trojan.Downloader) -> No action taken.
                              HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{ca0b9b71-c2af-11d3-b376-0800460222f0} (Adware.Iwon) -> No action taken.
                              HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{d49e9d35-254c-4c6a-9d17-95018d228ff5} (Adware.Starware) -> No action taken.
                              HKEY_LOCAL_MACHINE\SOFTWARE\MySearch (Adware.MyWebSearch) -> No action taken.

                              Registry Values Infected:
                              (No malicious items detected)

                              Registry Data Items Infected:
                              (No malicious items detected)

                              Folders Infected:
                              c:\documents and settings\Pat\Start Menu\Programs\WhenU (Adware.WhenUSave) -> No action taken.
                              C:\Program Files\MySearch (Adware.MyWebSearch) -> No action taken.
                              c:\program files\MySearch\bar (Adware.MyWebSearch) -> No action taken.
                              c:\program files\MySearch\bar\History (Adware.MyWebSearch) -> No action taken.
                              c:\program files\MySearch\bar\Settings (Adware.MyWebSearch) -> No action taken.

                              Files Infected:
                              c:\documents and settings\Pat\start menu\Programs\WhenU\Customer Support.lnk (Adware.WhenUSave) -> No action taken.
                              c:\documents and settings\Pat\start menu\Programs\WhenU\Learn More About WhenU Save.url (Adware.WhenUSave) -> No action taken.
                              c:\documents and settings\Pat\start menu\Programs\WhenU\Learn More About WhenU SaveNow.url (Adware.WhenUSave) -> No action taken.
                              c:\documents and settings\Pat\start menu\Programs\WhenU\Uninstall Instructions.lnk (Adware.WhenUSave) -> No action taken.
                              c:\documents and settings\Pat\start menu\Programs\WhenU\Uninstall.lnk (Adware.WhenUSave) -> No action taken.
                              c:\documents and settings\Pat\start menu\Programs\WhenU\WhenU Help Desk.lnk (Adware.WhenUSave) -> No action taken.
                              c:\documents and settings\Pat\start menu\Programs\WhenU\WhenU.com Website.url (Adware.WhenUSave) -> No action taken.
                              c:\program files\MySearch\bar\History\search (Adware.MyWebSearch) -> No action taken.
                              c:\documents and settings\All Users\Documents\gifnoc.xtx (Trojan.Agent) -> No action taken.


                              Logfile of Trend Micro HijackThis v2.0.2
                              Scan saved at 3:51:53 PM, on 7/11/2009
                              Platform: Windows XP SP3 (WinNT 5.01.2600)
                              MSIE: Internet Explorer v7.00 (7.00.6000.16827)
                              Boot mode: Normal

                              Running processes:
                              C:\WINNT\System32\smss.exe
                              C:\WINNT\system32\winlogon.exe
                              C:\WINNT\system32\services.exe
                              C:\WINNT\system32\lsass.exe
                              C:\WINNT\system32\svchost.exe
                              C:\WINNT\System32\svchost.exe
                              C:\WINNT\system32\spoolsv.exe
                              C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
                              C:\WINNT\System32\nvsvc32.exe
                              C:\WINNT\System32\svchost.exe
                              C:\PROGRA~1\AVG\AVG8\avgemc.exe
                              C:\PROGRA~1\AVG\AVG8\avgrsx.exe
                              C:\PROGRA~1\AVG\AVG8\avgnsx.exe
                              C:\WINNT\Explorer.EXE
                              C:\Program Files\AVG\AVG8\avgcsrvx.exe
                              C:\PROGRA~1\AVG\AVG8\avgtray.exe
                              C:\Program Files\Windows Live\Messenger\msnmsgr.exe
                              C:\WINNT\system32\ctfmon.exe
                              F:\HiJackThis.exe

                              R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
                              R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
                              R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
                              R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
                              R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
                              R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
                              O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
                              O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
                              O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
                              O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
                              O4 - HKLM\..\Run: [Sprint SmartView] "C:\Program Files\Sprint\Sprint SmartView\SprintSV.exe" -a
                              O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
                              O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
                              O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
                              O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
                              O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
                              O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
                              O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
                              O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
                              O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
                              O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
                              O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                              O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                              O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
                              O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
                              O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
                              O20 - Winlogon Notify: avgrsstarter - C:\WINNT\SYSTEM32\avgrsstx.dll
                              O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
                              O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
                              O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
                              O23 - Service: Sprint RcAppSvc (sprintrcappsvc) - PCTEL - C:\Program Files\Sprint\Sprint SmartView\RcAppSvc.exe
                              O24 - Desktop Component 0: (no name) - http://i.a.cnn.net/cnn/.element/img/1.3/video/broadband/player/2.0/broadband_hdr.gif

                              --
                              End of file - 4428 bytes




                              evilfantasy

                              • Malware Removal Specialist
                              • Moderator


                              Re: One Tough Virus Infection will not allow any application to launch
                              « Reply #23 on: July 11, 2009, 06:26:44 PM »
                              Everything in the Malwarebytes log says No action taken.

                              Did you remove those after copying the log?
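The check evilfantasy is doing by eye here (every finding line ending in "No action taken" means MBAM listed the item but never removed it, so the log is the pre-removal one) can be automated before a log is posted. The following is an added example for this thread; it is not code from the forum, from Malwarebytes or from any poster. It parses the section-and-finding layout seen in the MBAM 1.x logs above (a "... Infected:" header followed by lines of the form `item (threat) -> status.`) and reports which findings were left untouched. The sample log embedded in it is constructed for the demo: the entries copy the format of the logs in this thread, with one status deliberately mixed so both outcomes are exercised.

```python
"""Check an MBAM 1.x text log for findings that were reported but not acted on.

Added example, not code from Malwarebytes or from this thread. The log layout
it expects is the one pasted above: a summary block with counts, then one
section per category ("Registry Keys Infected:") whose lines read
"<item> (<threat>) -> <status>."
"""
import re
import sys
from collections import Counter

# One finding line, e.g.
#   HKEY_LOCAL_MACHINE\SOFTWARE\MySearch (Adware.MyWebSearch) -> No action taken.
FINDING_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<status>.+?)\.?$")

# Section headers that introduce finding lines. The summary block repeats the
# same names with a count ("Registry Keys Infected: 10"); the trailing "$"
# right after the colon keeps those summary lines from matching.
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")

STATUS_OK = "Quarantined and deleted successfully"
STATUS_SKIPPED = "No action taken"

# Constructed sample log (same layout as the logs in this thread; statuses mixed
# on purpose so the check has something to flag).
SAMPLE_LOG = """\
Malwarebytes' Anti-Malware 1.38
Database version: 2411

Scan type: Quick Scan
Time elapsed: 15 minute(s), 52 second(s)
Registry Keys Infected: 2
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\\SOFTWARE\\MySearch (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\\mmkl.kl.1 (Trojan.BHO) -> Quarantined and deleted successfully.

Files Infected:
c:\\documents and settings\\All Users\\Documents\\gifnoc.xtx (Trojan.Agent) -> No action taken.
"""


def parse_mbam_log(text):
    """Return one dict per finding: section, item, threat, status."""
    findings = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        # Lines before the first section header belong to the summary block.
        if section is None or line.startswith("(No malicious items detected)"):
            continue
        m = FINDING_RE.match(line)
        if m:
            findings.append({"section": section, **m.groupdict()})
    return findings


def remediation_summary(text):
    """Count findings per status and list those MBAM left untouched."""
    findings = parse_mbam_log(text)
    skipped = [f for f in findings if f["status"] == STATUS_SKIPPED]
    return {
        "total": len(findings),
        "by_status": dict(Counter(f["status"] for f in findings)),
        "skipped": skipped,
        # True only when every listed finding reports the successful-removal status.
        "all_removed": all(f["status"] == STATUS_OK for f in findings),
    }


if __name__ == "__main__":
    # Usage: python mbam_check.py [path to a saved mbam-log-*.txt]
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    report = remediation_summary(text)
    print(f"{report['total']} finding(s): {report['by_status']}")
    for f in report["skipped"]:
        print(f"  NOT REMOVED [{f['section']}] {f['item']} ({f['threat']})")
    print("all removed:", report["all_removed"])
```

Run it against the saved mbam-log-*.txt from the Logs tab; if `all_removed` comes back False, the removal step was skipped (or the wrong log was saved) and the listed items are still present, which is exactly the situation the question above is asking about.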

                              Atech

                                Topic Starter


                                Re: One Tough Virus Infection will not allow any application to launch
                                « Reply #24 on: July 11, 2009, 07:09:36 PM »
                                I must've copied the wrong log to post.  Here is the post-removal log.

                                Malwarebytes' Anti-Malware 1.38
                                Database version: 2411
                                Windows 5.1.2600 Service Pack 3

                                7/11/2009 3:43:29 PM
                                mbam-log-2009-07-11 (15-43-29).txt

                                Scan type: Quick Scan
                                Objects scanned: 124641
                                Time elapsed: 15 minute(s), 52 second(s)

                                Memory Processes Infected: 0
                                Memory Modules Infected: 0
                                Registry Keys Infected: 10
                                Registry Values Infected: 0
                                Registry Data Items Infected: 0
                                Folders Infected: 5
                                Files Infected: 9

                                Memory Processes Infected:
                                (No malicious items detected)

                                Memory Modules Infected:
                                (No malicious items detected)

                                Registry Keys Infected:
                                HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
                                HKEY_CLASSES_ROOT\mmkl.kl.1 (Trojan.BHO) -> Quarantined and deleted successfully.
                                HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
                                HKEY_CLASSES_ROOT\Interface\{277e1fe0-cf65-11d3-b377-0800460222f0} (Adware.Iwon) -> Quarantined and deleted successfully.
                                HKEY_CLASSES_ROOT\Interface\{6d54a7c0-c379-11d3-b377-0800460222f0} (Adware.Iwon) -> Quarantined and deleted successfully.
                                HKEY_CLASSES_ROOT\Typelib\{78429873-f771-11d3-ae1d-0050dac24e8f} (Adware.Iwon) -> Quarantined and deleted successfully.
                                HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c298fb42-e3e2-11d3-adcd-0050dac24e8f} (Trojan.Downloader) -> Quarantined and deleted successfully.
                                HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{ca0b9b71-c2af-11d3-b376-0800460222f0} (Adware.Iwon) -> Quarantined and deleted successfully.
                                HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{d49e9d35-254c-4c6a-9d17-95018d228ff5} (Adware.Starware) -> Quarantined and deleted successfully.
                                HKEY_LOCAL_MACHINE\SOFTWARE\MySearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.

                                Registry Values Infected:
                                (No malicious items detected)

                                Registry Data Items Infected:
                                (No malicious items detected)

                                Folders Infected:
                                c:\documents and settings\Pat\Start Menu\Programs\WhenU (Adware.WhenUSave) -> Quarantined and deleted successfully.
                                C:\Program Files\MySearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
                                c:\program files\MySearch\bar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
                                c:\program files\MySearch\bar\History (Adware.MyWebSearch) -> Quarantined and deleted successfully.
                                c:\program files\MySearch\bar\Settings (Adware.MyWebSearch) -> Quarantined and deleted successfully.

                                Files Infected:
                                c:\documents and settings\Pat\start menu\Programs\WhenU\Customer Support.lnk (Adware.WhenUSave) -> Quarantined and deleted successfully.
                                c:\documents and settings\Pat\start menu\Programs\WhenU\Learn More About WhenU Save.url (Adware.WhenUSave) -> Quarantined and deleted successfully.
                                c:\documents and settings\Pat\start menu\Programs\WhenU\Learn More About WhenU SaveNow.url (Adware.WhenUSave) -> Quarantined and deleted successfully.
                                c:\documents and settings\Pat\start menu\Programs\WhenU\Uninstall Instructions.lnk (Adware.WhenUSave) -> Quarantined and deleted successfully.
                                c:\documents and settings\Pat\start menu\Programs\WhenU\Uninstall.lnk (Adware.WhenUSave) -> Quarantined and deleted successfully.
                                c:\documents and settings\Pat\start menu\Programs\WhenU\WhenU Help Desk.lnk (Adware.WhenUSave) -> Quarantined and deleted successfully.
                                c:\documents and settings\Pat\start menu\Programs\WhenU\WhenU.com Website.url (Adware.WhenUSave) -> Quarantined and deleted successfully.
                                c:\program files\MySearch\bar\History\search (Adware.MyWebSearch) -> Quarantined and deleted successfully.
                                c:\documents and settings\All Users\Documents\gifnoc.xtx (Trojan.Agent) -> Quarantined and deleted successfully.
                                Who knows whether he shall be a wise man or a fool

                                evilfantasy

                                • Malware Removal Specialist
                                • Moderator


                                • Genius
                                • Calm like a bomb
                                • Thanked: 493
                                • Experience: Experienced
                                • OS: Windows 11
                                Re: One Tough Virus Infection will not allow any application to launch
                                « Reply #25 on: July 11, 2009, 07:27:51 PM »
                                Download GMER and save it to your desktop.

                                • Unzip (extract) it to your desktop.
                                • Disconnect from Internet and close all running programs.
                                • There is a small chance this application may crash your computer so save any work you have open.
                                • Double-click gmer.exe to run it.
                                • Let the gmer.sys driver load if asked.
                                • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan... click NO
                                • Click the Rootkit tab.
                                • Make sure all the boxes on the right of the screen are checked, EXCEPT for "Show All".
                                • Then click the Scan button. Wait for the scan to finish.
                                • Once done, click the Copy button.
                                • This will copy the results to the clipboard. Open Notepad and press CTRL + V to paste the log, and save it to your desktop.
                                • Add this log to your next reply.
                                NOTE: If you're having problems with running gmer.exe, try it in Safe Mode. This tool works in Safe Mode whereas many other rootkit revealers do not.
                                ----------

                                Download random's system information tool (RSIT) by random/random and save it to your Desktop.

                                • Double click on RSIT.exe to run.
                                • Click Continue at the disclaimer screen.
                                • Once it has finished, two logs will open.
                                • log.txt (will be maximized) and info.txt (will be minimized)
                                • Please post the contents of both logs in the next reply.

                                Atech

                                  Topic Starter


                                  Rookie
                                • Think before you act consider the consequences
                                  Re: One Tough Virus Infection will not allow any application to launch
                                  « Reply #26 on: July 11, 2009, 11:55:48 PM »
                                  Hello, still with it here... not throwing in the towel!!

                                  Here are the Logs

                                  [attachment deleted by admin]
                                  Who knows whether he shall be a wise man or a fool

                                  evilfantasy

                                  • Malware Removal Specialist
                                  • Moderator


                                  • Genius
                                  • Calm like a bomb
                                  • Thanked: 493
                                  • Experience: Experienced
                                  • OS: Windows 11
                                  Re: One Tough Virus Infection will not allow any application to launch
                                  « Reply #27 on: July 12, 2009, 12:18:18 AM »
                                  Download OTM by OldTimer to your desktop.

                                  Note: If you are running on Vista, right-click on OTM.exe and choose Run As Administrator.

                                  * Save it to your Desktop.
                                  * Double-click OTM.exe to run it.
                                  * Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)

                                  Code:
                                  :Processes
                                  explorer.exe

                                  :services

                                  :reg
                                  [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}]

                                  [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

                                  [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]

                                  [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

                                  [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]

                                  [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\services]

                                  :files

                                  :Commands
                                  [purity]
                                  [emptytemp]
                                  [start explorer]

                                  * Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
                                  * Click the red Moveit! button.
                                  * Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
                                  * Close OTM

                                  Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes.

                                  ----------

                                  Be sure to update SAS if you already have it installed.

                                  Download and install SUPERAntiSpyware Free for Home Users

                                  * Start SUPERAntiSpyware and click Check for updates
                                  If you encounter any problems while downloading the updates, manually download and unzip them from here

                                  * Once the update is finished, on the main screen, click Scan your computer
                                  * Check Perform Complete Scan
                                  * Click Next to start the scan.

                                  * When finished SUPERAntiSpyware will list all the infections found.
                                  * Make sure everything found has a check next to it and press Next
                                  * Then click Finish

                                  - It is possible that the SUPERAntiSpyware asks to reboot the PC in order to delete some files, please do so.
                                   
                                  Locate the SUPERAntiSpyware log as follows:

                                  * Click: Preferences
                                  * Click the Statistics/Logs tab
                                  * Under Scanner Logs, double-click SUPERAntiSpyware Scan Log
                                  * The log will open in your default text editor (such as Notepad)
                                  * Post the SUPERAntiSpyware log in your reply.



                                  Atech

                                    Topic Starter


                                    Rookie
                                  • Think before you act consider the consequences
                                    Re: One Tough Virus Infection will not allow any application to launch
                                    « Reply #28 on: July 12, 2009, 03:18:27 PM »
                                    Is this infection caused by a rootkit?  Is it possible that we need stronger medicine? :||x

                                    [attachment deleted by admin]
                                    Who knows whether he shall be a wise man or a fool

                                    evilfantasy

                                    • Malware Removal Specialist
                                    • Moderator


                                    • Genius
                                    • Calm like a bomb
                                    • Thanked: 493
                                    • Experience: Experienced
                                    • OS: Windows 11
                                    Re: One Tough Virus Infection will not allow any application to launch
                                    « Reply #29 on: July 12, 2009, 05:04:13 PM »
                                    Actually I am not really finding anything else.

                                    Is the computer still slow?

                                    Atech

                                      Topic Starter


                                      Rookie
                                    • Think before you act consider the consequences
                                      Re: One Tough Virus Infection will not allow any application to launch
                                      « Reply #30 on: July 12, 2009, 05:55:32 PM »
                                      Computer is slow at certain tasks, like going to any sites that have a microsoft URL.  Still have major problems with microsoft update.  I did a service pack update, which did give a clue that something is running under stealth.  I've reloaded hundreds of XP systems, and have updated service packs many times.  But this one exhibits one strange behavior: on reboot (after service pack 3 applied) it had three command windows open after windows was completely loaded.  They stayed open about 10 seconds then closed.
                                      Who knows whether he shall be a wise man or a fool

                                      evilfantasy

                                      • Malware Removal Specialist
                                      • Moderator


                                      • Genius
                                      • Calm like a bomb
                                      • Thanked: 493
                                      • Experience: Experienced
                                      • OS: Windows 11
                                      Re: One Tough Virus Infection will not allow any application to launch
                                      « Reply #31 on: July 12, 2009, 06:04:43 PM »
                                      Download Dial-a-Fix by djlizard, save it to the desktop then extract it to its own folder.

                                      • Open the folder and run Dial-a-fix.exe
                                      • 2 windows will open. Close the one in the background labeled Restrictive Policies
                                      • Check the box in section 1, Empty temp folders.
                                      • Check the box in section 2, Fix Windows Installer.
                                      • Check the box in section 3, Fix Windows Update.
                                      • Check the box in section 4, labeled SSL/HTTPS/Cryptography. The 4 boxes under it should be pre-checked
                                      • Check all boxes in section 5, labeled Registration Center.
                                      • Click Go
                                      • OK any error messages if received, but write them down and post them here.
                                      • Restart the computer when done.
                                      Is the problem fixed?

                                      ----------

                                      If not...

                                      Do you have an XP CD?

                                      If so, place it in your CD ROM drive and follow the instructions below:
                                      • Click on Start > Run and type sfc /scannow then press Enter (note the space between sfc and /scannow)
                                      • Let this run undisturbed until the window with the blue progress bar goes away
                                      SFC, which stands for System File Checker, retrieves the correct version of the file from %Systemroot%\System32\Dllcache or the Windows installation source files, and then replaces the incorrect file.

                                      Atech

                                        Topic Starter


                                        Rookie
                                      • Think before you act consider the consequences
                                        Re: One Tough Virus Infection will not allow any application to launch
                                        « Reply #32 on: July 12, 2009, 10:38:23 PM »
                                         :D Dial-a-fix did the job.  Upon reboot, system connected to MS update, downloaded all updates, system installed the updates.  I now have confidence that this system will be able to operate normally.  8)

                                        Thanks for your excellent professional Troubleshooting and Malware extraction techniques!

                                        With High Regards

                                        Atech
                                        Who knows whether he shall be a wise man or a fool

                                        Atech

                                          Topic Starter


                                          Rookie
                                        • Think before you act consider the consequences
                                          Re: One Tough Virus Infection will not allow any application to launch
                                          « Reply #33 on: July 13, 2009, 02:11:32 AM »
                                           ??? Hmmm, just when you thought it was safe to go back into the water! :o

                                          Malwarebytes' Anti-Malware 1.38
                                          Database version: 2411
                                          Windows 5.1.2600 Service Pack 3

                                          7/13/2009 12:51:40 AM
                                          mbam-log-2009-07-13 (00-51-33).txt

                                          Scan type: Full Scan (C:\|F:\|)
                                          Objects scanned: 198453
                                          Time elapsed: 2 hour(s), 7 minute(s), 9 second(s)

                                          Memory Processes Infected: 0
                                          Memory Modules Infected: 0
                                          Registry Keys Infected: 0
                                          Registry Values Infected: 1
                                          Registry Data Items Infected: 0
                                          Folders Infected: 0
                                          Files Infected: 0

                                          Memory Processes Infected:
                                          (No malicious items detected)

                                          Memory Modules Infected:
                                          (No malicious items detected)

                                          Registry Keys Infected:
                                          (No malicious items detected)

                                          Registry Values Infected:
                                          HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegedit (Hijack.Regedit) -> No action taken.

                                          Registry Data Items Infected:
                                          (No malicious items detected)

                                          Folders Infected:
                                          (No malicious items detected)

                                          Files Infected:
                                          (No malicious items detected)
                                          Who knows whether he shall be a wise man or a fool
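The MBAM log in the reply above shows one item left at "No action taken": the DisableRegedit policy value, which is exactly the kind of restriction that keeps a user from opening regedit on an infected XP box. As an added example (not code from this thread, from the forum helper, or from Malwarebytes), the Python script below parses the MBAM 1.x log format, separates remediated findings from the ones still outstanding, and flags registry-value hits whose value name is a known tool-disabling policy. The sample log is constructed from entries posted in this thread, and the policy value names beyond DisableRegedit are an assumption for illustration.

```python
"""Triage a Malwarebytes' Anti-Malware 1.x text log (added example, not MBAM code)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List

# Detail-section headers as MBAM 1.x prints them. The summary lines at the top
# of the log carry a trailing count ("Registry Keys Infected: 1"), so anchoring
# on the colon keeps them from being mistaken for section headers.
SECTION_RE = re.compile(
    r"^(Memory Processes|Memory Modules|Registry Keys|Registry Values|"
    r"Registry Data Items|Folders|Files) Infected:$"
)
# One finding per line: "<path> (<detection name>) -> <action>."
ITEM_RE = re.compile(r"^(?P<path>.+) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")

# Registry values under ...\Policies\System that switch off the tools a user
# needs to investigate a machine. DisableRegedit is the one in this thread's
# log; the other names are well-known siblings (assumption: illustrative only).
RESTRICTION_VALUES = {"disableregedit", "disabletaskmgr", "disablecmd"}


@dataclass
class Finding:
    section: str
    path: str
    name: str
    action: str

    @property
    def remediated(self) -> bool:
        # MBAM writes "Quarantined and deleted successfully." for handled items
        # and "No action taken." when removal was not applied.
        return self.action.lower().startswith("quarantined")

    @property
    def family(self) -> str:
        # "Hijack.Regedit" -> "Hijack", "Adware.MyWebSearch" -> "Adware"
        return self.name.split(".", 1)[0]


def parse_mbam_log(text: str) -> List[Finding]:
    findings: List[Finding] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        if section is None or not line or line.startswith("("):
            continue  # header block, blank line, or "(No malicious items detected)"
        item = ITEM_RE.match(line)
        if item:
            findings.append(Finding(section, item["path"], item["name"], item["action"]))
    return findings


def unremediated(findings: List[Finding]) -> List[Finding]:
    """Items the scan found but did not remove; these need a follow-up."""
    return [f for f in findings if not f.remediated]


def policy_restrictions(findings: List[Finding]) -> List[Finding]:
    """Registry-value hits whose value name is a known tool-disabling policy."""
    return [
        f for f in findings
        if f.section == "Registry Values"
        and f.path.rsplit("\\", 1)[-1].lower() in RESTRICTION_VALUES
    ]


def family_counts(findings: List[Finding]) -> Counter:
    """Rough picture of what kind of infection the scan saw (Adware, Trojan, ...)."""
    return Counter(f.family for f in findings)


# Constructed sample: an abridged MBAM log assembled from entries posted in this thread.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.38
Database version: 2411
Windows 5.1.2600 Service Pack 3

Scan type: Full Scan (C:\|F:\|)
Objects scanned: 198453
Time elapsed: 2 hour(s), 7 minute(s), 9 second(s)

Memory Processes Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\mmkl.kl.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MySearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegedit (Hijack.Regedit) -> No action taken.

Files Infected:
c:\documents and settings\All Users\Documents\gifnoc.xtx (Trojan.Agent) -> Quarantined and deleted successfully.
"""


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    print("families:", dict(family_counts(found)))
    for f in unremediated(found):
        print("STILL PRESENT:", f.section, f.path, f.name)
    for f in policy_restrictions(found):
        print("tool-disabling policy:", f.path)
```

Point it at a saved mbam-log-*.txt instead of SAMPLE_LOG to use it on a real scan. An entry under Policies\System that reads "No action taken" means the restriction that blocks regedit is still in place, so the removal needs to be re-run (or the value removed) before the machine can be called clean.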

                                          Atech

                                            Topic Starter


                                            Rookie
                                          • Think before you act consider the consequences
                                            Re: One Tough Virus Infection will not allow any application to launch
                                            « Reply #34 on: July 13, 2009, 11:10:02 AM »
                                            And there's more

                                            Here's what spynot has to say


                                            Win32.Iroffer.af: [SBI $E19E27B1]  Data (File, nothing done)
                                              C:\WINNT\Client
                                              Properties.size=0
                                              Properties.md5=D41D8CD98F00B204E9800998ECF8427E
                                              Properties.filedate=1065381757
                                              Properties.filedatetext=2003-10-05 12:22:36

                                            Win32.Agent.pz: [SBI $7EC6899E] Settings (Registry value, nothing done)
                                              HKEY_USERS\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Network\UID

                                            Win32.Agent.pz: [SBI $8980C6CD] Settings (Registry value, nothing done)
                                              HKEY_USERS\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Network\UID

                                            MyWay.MyWebSearch: [SBI $D6FC06E2] Class ID (Registry key, nothing done)
                                              HKEY_CLASSES_ROOT\CLSID\{DC250EB2-2928-41c5-89C9-5FF86FEE1691}

                                            WildTangent: [SBI $CC7760FE] Settings (Registry value, nothing done)
                                              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Java VM\ClassPath=...;C:\Program Files\WildTangent\Apps\DRM0301Java.jar...

                                            Microsoft.WindowsSecurityCenter.AntiVirusOverride: [SBI $3604910C] Settings (Registry change, nothing done)
                                              HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride

                                            BonziBuddy: [SBI $0ABCD7B1] Program directory (Directory, nothing done)
                                              C:\Program Files\BonziBuddy\

                                            BonziBuddy: [SBI $EBA31E67] Settings (Registry key, nothing done)
                                              HKEY_USERS\S-1-5-21-3563514748-1417066420-3376078148-1006\Software\VB and VBA Program Settings\BONZIBUDDY

                                            NewtonKnows: [SBI $9F6FF28E] Class ID (Registry key, nothing done)
                                              HKEY_CLASSES_ROOT\CLSID\{6600D22F-083F-11D6-99DE-D172E92EBC2A}

                                            NewtonKnows: [SBI $FA85E989] Interface (Registry key, nothing done)
                                              HKEY_CLASSES_ROOT\Interface\{6600D22C-083F-11D6-99DE-D172E92EBC2A}

                                            NewtonKnows: [SBI $0D7AE83A] Type library (Registry key, nothing done)
                                              HKEY_CLASSES_ROOT\TypeLib\{6600D220-083F-11D6-99DE-D172E92EBC2A}

                                            StarWare: [SBI $A82637BF] Settings (Registry key, nothing done)
                                              HKEY_USERS\.DEFAULT\Software\Starware322

                                            StarWare: [SBI $A82637BF] Settings (Registry key, nothing done)
                                              HKEY_USERS\S-1-5-18\Software\Starware322

                                            StarWare: [SBI $8008440B] Program directory (Directory, nothing done)
                                              C:\WINNT\system32\config\systemprofile\Application Data\Starware322\BrowserSearch\

                                            StarWare: [SBI $157F2D4F] Program directory (Directory, nothing done)
                                              C:\WINNT\system32\config\systemprofile\Application Data\Starware322\Configurator\

                                            StarWare: [SBI $9780440A] Program directory (Directory, nothing done)
                                              C:\WINNT\system32\config\systemprofile\Application Data\Starware322\ErrorSearch\

                                            StarWare: [SBI $76047FA3] Program directory (Directory, nothing done)
                                              C:\WINNT\system32\config\systemprofile\Application Data\Starware322\Layouts\

                                            StarWare: [SBI $E5A2946D] Program directory (Directory, nothing done)
                                              C:\WINNT\system32\config\systemprofile\Application Data\Starware322\Manager\

                                            StarWare: [SBI $3F6D43DB] Program directory (Directory, nothing done)
                                              C:\WINNT\system32\config\systemprofile\Application Data\Starware322\Reference\

                                            StarWare: [SBI $461B2748] Program directory (Directory, nothing done)
                                              C:\WINNT\system32\config\systemprofile\Application Data\Starware322\RelatedSearch\

                                            StarWare: [SBI $D5728ACA] Program directory (Directory, nothing done)
                                              C:\WINNT\system32\config\systemprofile\Application Data\Starware322\Toolbar\

                                            StarWare: [SBI $007CB757] Program directory (Directory, nothing done)
                                              C:\WINNT\system32\config\systemprofile\Application Data\Starware322\ToolbarLogo\

                                            StarWare: [SBI $F5040D20] Program directory (Directory, nothing done)
                                              C:\WINNT\system32\config\systemprofile\Application Data\Starware322\ToolbarSearch\

                                            StarWare: [SBI $6F569955] Program directory (Directory, nothing done)
                                              C:\WINNT\system32\config\systemprofile\Application Data\Starware322\TravelSearch\

                                            StarWare: [SBI $FDA327EC] Program directory (Directory, nothing done)
                                              C:\WINNT\system32\config\systemprofile\Application Data\Starware322\Weather\

                                            StarWare: [SBI $F26334AD]  Web page (File, nothing done)
                                              C:\WINNT\system32\config\systemprofile\Application Data\Starware322\Weather\AlertArchive.xml
                                              Properties.size=112
                                              Properties.md5=895945C70D7AB748FFDA17CA2338D3D2
                                              Properties.filedate=1187326290
                                              Properties.filedatetext=2007-08-16 21:51:30

                                            StarWare: [SBI $A6C3D1ED] Program directory (Directory, nothing done)
                                              C:\WINNT\system32\config\systemprofile\Application Data\Starware322\

                                            StarWare: [SBI $4AFA1DB7] Program directory (Directory, nothing done)
                                              C:\WINNT\system32\config\systemprofile\Application Data\Starware322\Games\

                                            StarWare: [SBI $BF882AFD] Program directory (Directory, nothing done)
                                              C:\WINNT\system32\config\systemprofile\Application Data\Starware322\Games\images\

                                            StarWare: [SBI $37E48ACD] Program directory (Directory, nothing done)
                                              C:\WINNT\system32\config\systemprofile\Application Data\Starware322\Games\images\active\

                                            StarWare: [SBI $4A2FB6EE]  Picture (File, nothing done)
                                              C:\WINNT\system32\config\systemprofile\Application Data\Starware322\Games\images\active\Games0.bmp
                                              Properties.size=1208
                                              Properties.md5=984A8652D52AE5D4F27503FF3F851D76
                                              Properties.filedate=1187326300
                                              Properties.filedatetext=2007-08-16 21:51:39

                                            StarWare: [SBI $465B4952] Program directory (Directory, nothing done)
                                              C:\WINNT\system32\config\systemprofile\Application Data\Starware322\Games\images\default\

                                            StarWare: [SBI $2ABAE699] Program directory (Directory, nothing done)
                                              C:\WINNT\system32\config\systemprofile\Application Data\Starware322\Movies\

                                            StarWare: [SBI $3C8A2EAC] Program directory (Directory, nothing done)
                                              C:\WINNT\system32\config\systemprofile\Application Data\Starware322\Movies\images\

                                            StarWare: [SBI $ACFB606D] Program directory (Directory, nothing done)
                                              C:\WINNT\system32\config\systemprofile\Application Data\Starware322\Movies\images\active\

                                            StarWare: [SBI $9016F550] Program directory (Directory, nothing done)
                                              C:\WINNT\system32\config\systemprofile\Application Data\Starware322\Movies\images\default\

                                            StarWare: [SBI $D7FD12CF] Program directory (Directory, nothing done)
                                              C:\WINNT\system32\config\systemprofile\Application Data\Starware322\Screensavers\

                                            StarWare: [SBI $0C066ECE] Program directory (Directory, nothing done)
                                              C:\WINNT\system32\config\systemprofile\Application Data\Starware322\ScreensaversMarketingSitePager\

                                            StarWare: [SBI $78757AD7] Program directory (Directory, nothing done)
                                              C:\WINNT\system32\config\systemprofile\Application Data\Starware322\ScreensaversMarketingSitePager\images\

                                            StarWare: [SBI $0B99A6BB] Program directory (Directory, nothing done)
                                              C:\WINNT\system32\config\systemprofile\Application Data\Starware322\ScreensaversMarketingSitePager\images\active\

                                            StarWare: [SBI $FF01E077] Program directory (Directory, nothing done)
                                              C:\WINNT\system32\config\systemprofile\Application Data\Starware322\ScreensaversMarketingSitePager\images\default\

                                            Right Media: Tracking cookie (Internet Explorer: Bill) (Cookie, nothing done)
                                             


                                            --- Spybot - Search & Destroy version: 1.6.2  (build: 20090126) ---

                                            2009-01-26 blindman.exe (1.0.0.8)
                                            2009-01-26 SDFiles.exe (1.6.1.7)
                                            2009-01-26 SDMain.exe (1.0.0.6)
                                            2009-01-26 SDShred.exe (1.0.2.5)
                                            2009-01-26 SDUpdate.exe (1.6.0.12)
                                            2009-01-26 SpybotSD.exe (1.6.2.46)
                                            2009-03-05 TeaTimer.exe (1.6.6.32)
                                            2009-07-07 unins000.exe (51.41.0.0)
                                            2009-07-07 unins001.exe (51.49.0.0)
                                            2009-01-26 Update.exe (1.6.0.7)
                                            2009-01-26 advcheck.dll (1.6.2.15)
                                            2007-04-02 aports.dll (2.1.0.0)
                                            2005-05-31 borlndmm.dll (7.0.4.453)
                                            2005-05-31 delphimm.dll (7.0.4.453)
                                            2008-06-14 DelZip179.dll (1.79.11.1)
                                            2009-01-26 SDHelper.dll (1.6.2.14)
                                            2008-06-19 sqlite3.dll
                                            2009-01-26 Tools.dll (2.1.6.10)
                                            2009-01-16 UninsSrv.dll (1.0.0.0)
                                            2005-05-31 UnzDll.dll (1.73.1.1)
                                            2005-05-31 ZipDll.dll (1.73.2.0)
                                            2009-05-19 Includes\Adware.sbi (*)
                                            2009-06-02 Includes\AdwareC.sbi (*)
                                            2009-01-22 Includes\Cookies.sbi (*)
                                            2009-05-19 Includes\Dialer.sbi (*)
                                            2009-06-02 Includes\DialerC.sbi (*)
                                            2009-01-22 Includes\HeavyDuty.sbi (*)
                                            2009-05-26 Includes\Hijackers.sbi (*)
                                            2009-07-07 Includes\HijackersC.sbi (*)
                                            2009-06-23 Includes\Keyloggers.sbi (*)
                                            2009-07-07 Includes\KeyloggersC.sbi (*)
                                            2004-11-29 Includes\LSP.sbi (*)
                                            2009-06-30 Includes\Malware.sbi (*)
                                            2009-07-07 Includes\MalwareC.sbi (*)
                                            2009-03-25 Includes\PUPS.sbi (*)
                                            2009-07-07 Includes\PUPSC.sbi (*)
                                            2009-01-22 Includes\Revision.sbi (*)
                                            2009-01-13 Includes\Security.sbi (*)
                                            2009-06-02 Includes\SecurityC.sbi (*)
                                            2008-06-03 Includes\Spybots.sbi (*)
                                            2008-06-03 Includes\SpybotsC.sbi (*)
                                            2009-04-07 Includes\Spyware.sbi (*)
                                            2009-07-07 Includes\SpywareC.sbi (*)
                                            2009-06-08 Includes\Tracks.uti
                                            2009-07-07 Includes\Trojans.sbi (*)
                                            2009-07-08 Includes\TrojansC.sbi (*)
                                            2008-03-04 Plugins\Chai.dll
                                            2008-03-05 Plugins\Fennel.dll
                                            2008-02-26 Plugins\Mate.dll
                                            2007-12-24 Plugins\TCPIPAddress.dll
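As an added example (not code from the original thread or from Spybot), a small Python parser for the Spybot S&D 1.6 result lines pasted above: it groups findings by threat family and lists the ones Spybot left as "nothing done". The sample log embedded in it is constructed from a few of the entries above.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Matches a Spybot S&D 1.6 result line such as
#   StarWare: [SBI $0C066ECE] Program directory (Directory, nothing done)
#   Right Media: Tracking cookie (Internet Explorer: Bill) (Cookie, nothing done)
ENTRY_RE = re.compile(
    r"^(?P<threat>[^:\[]+?): (?:\[SBI \$(?P<sbi>[0-9A-F]{8})\] )?"
    r"(?P<desc>.+) \((?P<kind>[^,()]+), (?P<action>[^()]+)\)$"
)

@dataclass
class Finding:
    threat: str
    sbi: Optional[str]
    description: str
    kind: str
    action: str
    location: Optional[str] = None  # indented detail line, if any

def parse_spybot_log(text: str) -> List[Finding]:
    """Parse the results section of a Spybot S&D log into Finding records.

    A result line may be followed by an indented line giving the file, directory
    or registry location. Parsing stops at the component version listing that
    starts with '--- Spybot - Search & Destroy version'.
    """
    findings: List[Finding] = []
    for raw in text.splitlines():
        if raw.lstrip().startswith("--- Spybot"):
            break
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            findings.append(Finding(m["threat"], m["sbi"], m["desc"], m["kind"], m["action"]))
        elif findings and raw.startswith(" ") and findings[-1].location is None:
            findings[-1].location = line  # detail line belongs to the preceding entry
    return findings

def summarize(findings: List[Finding]) -> Tuple[Counter, Counter]:
    """Count findings per threat family and per action Spybot took."""
    return Counter(f.threat for f in findings), Counter(f.action for f in findings)

def unresolved(findings: List[Finding]) -> List[Finding]:
    """Findings Spybot reported but did not fix (action 'nothing done')."""
    return [f for f in findings if f.action == "nothing done"]

# Constructed sample: three entries in the format of the log above.
SAMPLE_LOG = r"""
StarWare: [SBI $0C066ECE] Program directory (Directory, nothing done)
  C:\WINNT\system32\config\systemprofile\Application Data\Starware322\ScreensaversMarketingSitePager\

StarWare: [SBI $FF01E077] Program directory (Directory, nothing done)
  C:\WINNT\system32\config\systemprofile\Application Data\Starware322\ScreensaversMarketingSitePager\images\default\

Right Media: Tracking cookie (Internet Explorer: Bill) (Cookie, nothing done)

--- Spybot - Search & Destroy version: 1.6.2  (build: 20090126) ---
2009-01-26 blindman.exe (1.0.0.8)
"""
```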

                                            evilfantasy

                                            Re: One Tough Virus Infection will not allow any application to launch
                                            « Reply #35 on: July 13, 2009, 11:21:20 AM »
                                            Just let SpyBot fix those. They are not a real threat but should be fixed still.

• Click START then RUN
• Now type Combofix /u in the runbox
• Make sure there's a space between Combofix and /u
• Then hit Enter.

The above procedure will:
• Delete: ComboFix and its associated files and folders.
• Reset the clock settings.
• Hide file extensions, if required.
• Hide System/Hidden files, if required.
• Set a new, clean Restore Point.
                                            ----------

Use the Secunia Software Inspector to check for out of date software.
• Click Start Now
• Check the box next to Enable thorough system inspection.
• Click Start
• Allow the scan to finish and scroll down to see if any updates are needed.
• Update anything listed.
                                            ----------

                                            Go to Microsoft Windows Update and get all critical updates.

                                            ----------

                                            I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

                                            SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
                                            * Using SpywareBlaster to protect your computer from Spyware and Malware
                                            * If you don't know what ActiveX controls are, see here

                                            Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

                                            Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

                                            Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.

                                            Atech

                                              Re: One Tough Virus Infection will not allow any application to launch
                                              « Reply #36 on: July 14, 2009, 02:15:26 AM »
Hmm, I've cleaned all of the caches and done all of the suggested items. The system will appear totally clean... for about 3 reboots... then strange things begin to happen. Now mind this, I've totally isolated this system from the internet. So it's not going online and downloading these new infections. There has to be a generator somewhere on the system that starts the process all over again, locking out the registry, infecting exe files, changing system policies. The system has degraded so badly I am no longer able to launch any of the spyware or virus applications loaded. I know how to remedy all of this, but it seems like a futile effort... Are you (or do you know of anyone who is) proficient with IceSword?

Thanks for your thoughts in advance
                                              Atech

                                              evilfantasy

                                              Re: One Tough Virus Infection will not allow any application to launch
                                              « Reply #37 on: July 14, 2009, 09:26:48 AM »
You don't need IceSword; we already ran GMER. Besides, it hasn't been updated in a very long time.

Download Lop S&D by Eric_71 and save it to your Desktop. Lop S&D will only run on Windows XP and Windows Vista.

                                              Disable your antivirus and antimalware programs so they do not interfere with the running of Lop S&D. If needed see: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

                                              Double click LopSD.exe - If you are using Windows Vista, right-click on the LopSD icon and select Run as administrator to perform this scan.

• Choose the language by typing the corresponding letter and press Enter
• Click OK at the informative window
• Type 1 to choose Option 1 (Search), then press Enter
• Wait until the end of the scan
• A report will be generated; post the contents of it in your next reply.

A copy of the report can be found at this location: %systemdrive%\lopR.txt, in most cases C:\lopR.txt

                                              Atech

                                                Re: One Tough Virus Infection will not allow any application to launch
                                                « Reply #38 on: July 19, 2009, 10:47:31 PM »
                                                Hello EF,
I hate it when forum users don't log the final outcome of a problem. That being said, I am here to share the outcome of all our efforts. The system degraded to a state worse than the first case. All of the steps I used to access the registry failed, no exe or com files were able to launch, and I was unable to browse the internet freely. Meaning I could go to any search engine, but was not allowed to open any sites that had to do with viruses, spyware or malware; if I did, the browser closed. I know we gave it our best shot, but this system could not be saved. I imaged the drive and then D-bombed it this evening (a type of low-level reformat) and will do a fresh system install. No data extracted from the old system will be moved forward to the new one, until we better understand what we are dealing with.

                                                Thanks till you are better paid
                                                Atech

                                                evilfantasy

                                                Re: One Tough Virus Infection will not allow any application to launch
                                                « Reply #39 on: July 19, 2009, 11:50:12 PM »
                                                Thanks for letting me know.