
Topic: One Tough Virus Infection will not allow any application to launch


evilfantasy

  • Malware Removal Specialist
  • Moderator


  • Genius
  • Calm like a bomb
  • Thanked: 493
  • Experience: Experienced
  • OS: Windows 11
Re: One Tough Virus Infection will not allow any application to launch
« Reply #15 on: July 10, 2009, 04:07:38 PM »
This should work.

Download DrWeb CureIt & save it to your desktop. Scan with DrWeb-CureIt as follows:

  • Double-click on drweb-cureit.exe and then click Start
  • An information notice will appear, click OK.
  • This starts a short scan that will scan the files currently running in memory.
  • If you get a prompt to buy the full version, just exit out of the window. The scanner will still work without buying the full version.
  • If or when something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, click Settings > Change Settings.
  • Under the Scanning tab, UNcheck Heuristic analysis and click OK.
  • Back at the main window, select the Complete scan button and then click the Green Arrow Start Scanning button on the right and the scan will start.
  • Click Yes to all if it asks if you want to cure/move any file(s).
  • When the scan is done, in the Dr.Web CureIt menu on top left, click File and choose Save report list.
  • Save the DrWeb.csv report to your Desktop.
  • Exit Dr.Web CureIt.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, right-click the Dr.Web log on the desktop and choose Open With > Notepad.
  • Copy and paste that log in the next reply.

Atech

    Topic Starter


    Rookie
  • Think before you act consider the consequences
    Re: One Tough Virus Infection will not allow any application to launch
    « Reply #16 on: July 10, 2009, 04:08:21 PM »
    Finally got bitdefender to update and ran it.  No problems found!!? ;D ;D

    I'm going to take a wait-n-see attitude.  If flickers...... D-Bomb the drive!! :o


    Thanks Again

    This case is closed!!
    Who knows whether he shall be a wise man or a fool

    Atech

      « Reply #17 on: July 10, 2009, 04:12:28 PM »
      Ok Will do

      Atech

        « Reply #18 on: July 11, 2009, 12:18:52 AM »
        Log Post from Dr.Web

        RegUBP2b-Administrator.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;
        Aurora.exe/Setup/WinTOTAL.zip\Utils/GetContent.exe;C:\Documents and Settings\Mister W\Desktop\Aurora.exe/Setup/WinTOTAL.zip;Modification of BackDoor.Generic.983;;
        Setup/WinTOTAL.zip;C:\Documents and Settings\Mister W\Desktop;Archive contains infected objects;;
        Aurora.exe;C:\Documents and Settings\Mister W\Desktop;Archive contains infected objects;Moved.;
        Morph20.exe/data017\data008;C:\Documents and Settings\Xavier\Desktop\Morph20.exe/data017;Adware.Ipinsight;;
        data017;C:\Documents and Settings\Xavier\Desktop;Archive contains infected objects;;
        Morph20.exe;C:\Documents and Settings\Xavier\Desktop;Archive contains infected objects;Moved.;
        Install_AIM.exe\data038;C:\Program Files\AIM\Install_AIM.exe;Adware.Aws;;
        Install_AIM.exe;C:\Program Files\AIM;Archive contains infected objects;Moved.;
        A0000534.reg;C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP4;Trojan.StartPage.1505;Deleted.;
        A0000536.exe/Setup/WinTOTAL.zip\Utils/GetContent.exe;C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP4\A0000536.exe/Setup/WinTOTAL.zip;Modification of BackDoor.Generic.983;;
        Setup/WinTOTAL.zip;C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP4;Archive contains infected objects;;
        A0000536.exe;C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP4;Archive contains infected objects;Moved.;
        A0000537.exe/data017\data008;C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP4\A0000537.exe/data017;Adware.Ipinsight;;
        data017;C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP4;Archive contains infected objects;;
        A0000537.exe;C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP4;Archive contains infected objects;Moved.;
        A0000538.exe\data038;C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP4\A0000538.exe;Adware.Aws;;
        A0000538.exe;C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP4;Archive contains infected objects;Moved.;
        aur0149.z_\Utils/GetContent.exe;C:\WIN2000\MODEM\Upgrades\aur0149.z_;Modification of BackDoor.Generic.983;;
        aur0149.z_;C:\WIN2000\MODEM\Upgrades;Archive contains infected objects;Moved.;
        GetContent.exe;C:\WIN2000\UTILS;Modification of BackDoor.Generic.983;Moved.;
        icwsetup.exeCommon Startup;C:\WINNT\pss;Trojan.Inject.5806;Deleted.;
        mobn.exe\data009;C:\WINNT\system32\mobn.exe;Adware.WildMedia.origin;;
        mobn.exe;C:\WINNT\system32;Archive contains infected objects;Moved.;
        mobupd.exe;C:\WINNT\system32;Adware.WildMedia;Moved.;

        Atech

          « Reply #19 on: July 11, 2009, 12:40:13 AM »
          System is still buggy, unable to download any system updates from MS update.  I can browse the site, but when I tell MS to check the system, I get an error message that I don't have the correct files registered.  Then it seems to register them at 100% but then says it is unable to continue.

          Atech

            « Reply #20 on: July 11, 2009, 02:50:29 AM »
            I registered all the DLLs associated with Windows Update. When I tried to do a custom or express update, it fails with that message "files unregistered or missing".

            evilfantasy

            « Reply #21 on: July 11, 2009, 10:56:59 AM »
            Open Malwarebytes' Anti-Malware.
            • Click the Update tab.
            • Click Check for Updates
            • If an update is found, it will download and install.
            • Click the Scanner tab.
            • Select "Perform Quick Scan", then click Scan.
            • The scan may take some time to finish, so please be patient.
            • When the scan is complete, click OK, then Show Results to view the results.
            • Make sure that everything is checked, and click Remove Selected.
            • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
            • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
            • Copy & Paste the entire report in your next reply along with a fresh HijackThis log.
            Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

            Atech

              « Reply #22 on: July 11, 2009, 05:10:22 PM »
              ComboFix 09-07-09.07 - Bill 07/11/2009 11:14.5.1 - NTFSx86
              Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.383.205 [GMT -7:00]
              Running from: c:\documents and settings\Bill\Desktop\ComboFix.exe
              AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
              .

              (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
              .

              c:\documents and settings\All Users\Application Data\Microsoft\Shortcuts

              .
              (((((((((((((((((((((((((   Files Created from 2009-06-11 to 2009-07-11  )))))))))))))))))))))))))))))))
              .

              2009-07-11 09:29 . 2009-07-11 09:29   --------   d-----w-   c:\winnt\LastGood.Tmp
              2009-07-10 22:27 . 2009-07-10 22:27   --------   d-----w-   c:\documents and settings\Bill\DoctorWeb
              2009-07-10 20:36 . 2009-07-10 21:41   --------   d-----w-   c:\winnt\BDOSCAN8
              2009-07-10 07:16 . 2009-07-10 09:04   --------   d--h--w-   C:\$AVG8.VAULT$
              2009-07-10 06:48 . 2009-06-26 17:36   1008896   ----a-w-   c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
              2009-07-10 06:43 . 2009-07-10 06:43   11952   ----a-w-   c:\winnt\system32\avgrsstx.dll
              2009-07-10 06:43 . 2009-07-10 06:43   335752   ----a-w-   c:\winnt\system32\drivers\avgldx86.sys
              2009-07-10 06:42 . 2009-07-10 06:42   27784   ----a-w-   c:\winnt\system32\drivers\avgmfx86.sys
              2009-07-10 06:42 . 2009-07-11 01:20   --------   d-----w-   c:\winnt\system32\drivers\Avg
              2009-07-10 06:42 . 2009-07-10 06:48   --------   d-----w-   c:\documents and settings\All Users\Application Data\AVG Security Toolbar
              2009-07-10 06:42 . 2009-07-10 06:42   108552   ----a-w-   c:\winnt\system32\drivers\avgtdix.sys
              2009-07-10 06:41 . 2009-07-10 06:41   --------   d-----w-   c:\documents and settings\All Users\Application Data\avg8
              2009-07-09 19:35 . 2009-07-09 19:35   --------   d-----w-   c:\documents and settings\Administrator\Application Data\Sprint
              2009-07-09 19:15 . 2009-07-09 19:15   --------   d-----w-   c:\documents and settings\Bill\Application Data\Sprint
              2009-07-09 19:04 . 2008-10-15 18:58   27072   ----a-w-   c:\winnt\system32\drivers\PCASp50.sys
              2009-07-09 19:03 . 2005-03-15 18:11   17920   ----a-w-   c:\winnt\system32\apintfnt.dll
              2009-07-09 19:03 . 2008-04-13 17:45   17152   ----a-w-   c:\winnt\system32\drivers\usbohci.sys
              2009-07-09 19:03 . 2008-04-13 17:45   17152   ----a-w-   c:\winnt\system32\dllcache\usbohci.sys
              2009-07-09 19:01 . 2007-01-18 17:24   26496   ----a-r-   c:\winnt\system32\drivers\RimSerial.sys
              2009-07-09 18:55 . 2009-07-09 18:55   --------   d-----w-   c:\program files\Common Files\Research in Motion
              2009-07-09 18:55 . 2009-07-09 19:03   --------   d-----w-   c:\program files\Sierra Wireless
              2009-07-09 18:54 . 2009-07-09 19:02   --------   d-----w-   c:\program files\Common Files\Motorola Shared
              2009-07-09 18:54 . 2009-07-09 18:54   --------   d-----w-   c:\program files\Novatel Wireless
              2009-07-09 18:54 . 2009-07-09 18:54   --------   d-----w-   c:\program files\Sprint
              2009-07-09 18:54 . 2009-07-09 18:54   --------   d-----w-   c:\documents and settings\All Users\Application Data\Sprint
              2009-07-09 18:45 . 2009-07-09 18:45   --------   d-----w-   c:\documents and settings\Bill\Application Data\Sierra Wireless
              2009-07-09 17:43 . 2009-07-09 17:48   --------   d-----w-   c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory
              2009-07-09 17:35 . 2009-07-09 17:35   --------   d-----w-   c:\program files\Sierra Wireless Inc
              2009-07-09 17:35 . 2009-07-09 17:35   --------   d-----w-   c:\documents and settings\Administrator\Application Data\Sierra Wireless
              2009-07-08 19:56 . 2009-07-08 19:56   --------   d-----w-   c:\documents and settings\Administrator\Application Data\DriverCure
              2009-07-08 19:55 . 2009-07-10 01:06   117760   ----a-w-   c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
              2009-07-08 19:53 . 2009-07-08 19:53   --------   d-----w-   c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
              2009-07-08 18:45 . 2009-07-09 19:23   117760   ----a-w-   c:\documents and settings\Bill\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
              2009-07-08 18:42 . 2009-07-08 18:42   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
              2009-07-08 18:41 . 2009-07-08 22:30   --------   d-----w-   c:\program files\SUPERAntiSpyware
              2009-07-08 18:41 . 2009-07-08 18:41   --------   d-----w-   c:\documents and settings\Bill\Application Data\SUPERAntiSpyware.com
              2009-07-08 07:38 . 2009-07-08 07:38   --------   d-----w-   c:\documents and settings\Administrator\Application Data\Safer Networking
              2009-07-08 07:37 . 2009-07-08 07:37   --------   d-----w-   c:\program files\Safer Networking
              2009-07-08 07:37 . 2009-07-08 07:37   --------   d-----w-   C:\!KillBox
              2009-07-08 07:34 . 2009-07-08 07:34   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
              2009-07-07 23:04 . 2009-07-07 23:04   94104   ----a-w-   c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
              2009-07-07 21:39 . 2009-07-07 21:39   --------   d-----w-   c:\program files\SDHelper (Spybot - Search & Destroy)
              2009-07-07 21:39 . 2009-07-07 21:39   --------   d-----w-   c:\program files\Misc. Support Library (Spybot - Search & Destroy)
              2009-07-07 21:39 . 2009-07-07 21:39   --------   d-----w-   c:\program files\File Scanner Library (Spybot - Search & Destroy)
              2009-07-07 21:39 . 2009-07-07 21:39   --------   d-----w-   c:\program files\TeaTimer (Spybot - Search & Destroy)
              2009-07-07 21:33 . 2009-07-07 22:56   --------   d-----w-   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
              2009-07-07 21:33 . 2009-07-07 21:48   --------   d-----w-   c:\program files\Spybot - Search & Destroy
              2009-06-20 04:07 . 2009-06-20 04:07   --------   d-s---w-   c:\winnt\system32\%USERPROFILE%
              2009-06-17 05:12 . 2009-06-17 05:12   --------   d-----w-   c:\winnt\system32\Mozilla Shared

              .
              ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
              .
              2009-07-11 06:04 . 2003-07-04 04:21   --------   d-----w-   c:\program files\CLEARview
              2009-07-11 00:31 . 2004-06-22 22:39   --------   d-----w-   c:\program files\AIM
              2009-07-08 19:57 . 2009-01-30 19:53   --------   d-----w-   c:\documents and settings\All Users\Application Data\DriverCure
              2009-07-07 21:05 . 2008-12-27 02:46   --------   d-----w-   c:\program files\CleanUp!
              2009-06-24 01:52 . 2004-08-30 21:40   --------   d-----w-   c:\documents and settings\Pat\Application Data\WeatherBug
              2009-06-18 02:17 . 2007-11-03 23:20   --------   d-----w-   c:\program files\Windows Live Toolbar
              2009-06-09 13:54 . 2009-06-08 20:13   0   ----a-w-   c:\winnt\system32\drivers\c1fd68c2.sys
              .

              (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
              .
              .
              *Note* empty entries & legit default entries are not shown
              REGEDIT4

              [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
              2009-06-26 17:36   1008896   ----a-w-   c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

              [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
              "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
              "ctfmon.exe"="c:\winnt\system32\ctfmon.exe" [2008-04-14 15360]

              [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
              "Sprint SmartView"="c:\program files\Sprint\Sprint SmartView\SprintSV.exe" [2008-10-15 17664]
              "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-07-10 1948440]

              [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
              2009-07-10 06:43   11952   ----a-w-   c:\winnt\system32\avgrsstx.dll

              [HKLM\~\startupfolder\C:^DOCUME~1^ALLUSE~1^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
              path=c:\docume~1\ALLUSE~1\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
              backup=c:\winnt\pss\Adobe Reader Speed Launch.lnkCommon Startup

              [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
              "MSIServer"=3 (0x3)
              "wuauserv"=2 (0x2)
              "WMPNetworkSvc"=3 (0x3)
              "WLSetupSvc"=3 (0x3)
              "usnjsvc"=3 (0x3)
              "SQLAgent$ALAMODE"=3 (0x3)
              "ose"=3 (0x3)
              "MSSQLServerADHelper"=3 (0x3)
              "MSSQL$ALAMODE"=2 (0x2)
              "dhcpsrv"=2 (0x2)
              "BITS"=3 (0x3)

              [HKEY_LOCAL_MACHINE\software\microsoft\security center]
              "AntiVirusOverride"=dword:00000001

              [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
              "%windir%\\system32\\sessmgr.exe"=
              "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
              "c:\\Program Files\\Messenger\\msmsgs.exe"=
              "c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
              "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
              "c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
              "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

              R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\winnt\system32\drivers\avgldx86.sys [7/9/2009 11:43 PM 335752]
              R1 AvgTdiX;AVG Free8 Network Redirector;c:\winnt\system32\drivers\avgtdix.sys [7/9/2009 11:42 PM 108552]
              R1 sasdifsv;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
              R1 saskutil;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 72944]
              R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/9/2009 11:42 PM 907032]
              R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/9/2009 11:42 PM 298776]
              S3 ati2mpaa;ati2mpaa;c:\winnt\system32\drivers\ati2mpaa.sys [10/3/2001 8:23 AM 281856]
              S3 PCDRDRV;Pcdr Helper Driver;\??\c:\atf\Qctest\PCDoc\PCDRDRV.sys --> c:\atf\Qctest\PCDoc\PCDRDRV.sys [?]
              S3 sasenum;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]
              S4 MSSQL$ALAMODE;MSSQL$ALAMODE;c:\program files\Microsoft SQL Server\MSSQL$ALAMODE\Binn\sqlservr.exe [5/4/2005 1:04 AM 9158656]
              S4 SQLAgent$ALAMODE;SQLAgent$ALAMODE;c:\program files\Microsoft SQL Server\MSSQL$ALAMODE\Binn\sqlagent.EXE [5/3/2005 10:42 PM 323584]
              .
              Contents of the 'Scheduled Tasks' folder

              2009-07-11 c:\winnt\Tasks\Check Updates for Windows Live Toolbar.job
              - c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 19:20]
              .
              .
              ------- Supplementary Scan -------
              .
              uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
              uInternet Connection Wizard,ShellNext = iexplore
              IE: &Define - c:\program files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
              IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
              IE: Look Up in &Encyclopedia - c:\program files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
              Trusted Zone: aol.com\free
              DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
              .

              **************************************************************************

              catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
              Rootkit scan 2009-07-11 11:27
              Windows 5.1.2600 Service Pack 3 NTFS

              scanning hidden processes ... 

              scanning hidden autostart entries ...

              scanning hidden files ... 

              scan completed successfully
              hidden files: 0

              **************************************************************************
              .
              --------------------- DLLs Loaded Under Running Processes ---------------------

              - - - - - - - > 'explorer.exe'(3856)
              c:\winnt\system32\WPDShServiceObj.dll
              c:\winnt\system32\PortableDeviceTypes.dll
              c:\winnt\system32\PortableDeviceApi.dll
              .
              Completion time: 2009-07-11 11:34
              ComboFix-quarantined-files.txt  2009-07-11 18:33
              ComboFix2.txt  2009-07-10 18:50

              Pre-Run: 6,347,952,128 bytes free
              Post-Run: 6,539,554,816 bytes free

              160   --- E O F ---   2009-05-17 15:02



              Malwarebytes' Anti-Malware 1.38
              Database version: 2411
              Windows 5.1.2600 Service Pack 3

              7/11/2009 3:42:47 PM
              mbam-log-2009-07-11 (15-42-28).txt

              Scan type: Quick Scan
              Objects scanned: 124641
              Time elapsed: 15 minute(s), 52 second(s)

              Memory Processes Infected: 0
              Memory Modules Infected: 0
              Registry Keys Infected: 10
              Registry Values Infected: 0
              Registry Data Items Infected: 0
              Folders Infected: 5
              Files Infected: 9

              Memory Processes Infected:
              (No malicious items detected)

              Memory Modules Infected:
              (No malicious items detected)

              Registry Keys Infected:
              HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> No action taken.
              HKEY_CLASSES_ROOT\mmkl.kl.1 (Trojan.BHO) -> No action taken.
              HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> No action taken.
              HKEY_CLASSES_ROOT\Interface\{277e1fe0-cf65-11d3-b377-0800460222f0} (Adware.Iwon) -> No action taken.
              HKEY_CLASSES_ROOT\Interface\{6d54a7c0-c379-11d3-b377-0800460222f0} (Adware.Iwon) -> No action taken.
              HKEY_CLASSES_ROOT\Typelib\{78429873-f771-11d3-ae1d-0050dac24e8f} (Adware.Iwon) -> No action taken.
              HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c298fb42-e3e2-11d3-adcd-0050dac24e8f} (Trojan.Downloader) -> No action taken.
              HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{ca0b9b71-c2af-11d3-b376-0800460222f0} (Adware.Iwon) -> No action taken.
              HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{d49e9d35-254c-4c6a-9d17-95018d228ff5} (Adware.Starware) -> No action taken.
              HKEY_LOCAL_MACHINE\SOFTWARE\MySearch (Adware.MyWebSearch) -> No action taken.

              Registry Values Infected:
              (No malicious items detected)

              Registry Data Items Infected:
              (No malicious items detected)

              Folders Infected:
              c:\documents and settings\Pat\Start Menu\Programs\WhenU (Adware.WhenUSave) -> No action taken.
              C:\Program Files\MySearch (Adware.MyWebSearch) -> No action taken.
              c:\program files\MySearch\bar (Adware.MyWebSearch) -> No action taken.
              c:\program files\MySearch\bar\History (Adware.MyWebSearch) -> No action taken.
              c:\program files\MySearch\bar\Settings (Adware.MyWebSearch) -> No action taken.

              Files Infected:
              c:\documents and settings\Pat\start menu\Programs\WhenU\Customer Support.lnk (Adware.WhenUSave) -> No action taken.
              c:\documents and settings\Pat\start menu\Programs\WhenU\Learn More About WhenU Save.url (Adware.WhenUSave) -> No action taken.
              c:\documents and settings\Pat\start menu\Programs\WhenU\Learn More About WhenU SaveNow.url (Adware.WhenUSave) -> No action taken.
              c:\documents and settings\Pat\start menu\Programs\WhenU\Uninstall Instructions.lnk (Adware.WhenUSave) -> No action taken.
              c:\documents and settings\Pat\start menu\Programs\WhenU\Uninstall.lnk (Adware.WhenUSave) -> No action taken.
              c:\documents and settings\Pat\start menu\Programs\WhenU\WhenU Help Desk.lnk (Adware.WhenUSave) -> No action taken.
              c:\documents and settings\Pat\start menu\Programs\WhenU\WhenU.com Website.url (Adware.WhenUSave) -> No action taken.
              c:\program files\MySearch\bar\History\search (Adware.MyWebSearch) -> No action taken.
              c:\documents and settings\All Users\Documents\gifnoc.xtx (Trojan.Agent) -> No action taken.


              Logfile of Trend Micro HijackThis v2.0.2
              Scan saved at 3:51:53 PM, on 7/11/2009
              Platform: Windows XP SP3 (WinNT 5.01.2600)
              MSIE: Internet Explorer v7.00 (7.00.6000.16827)
              Boot mode: Normal

              Running processes:
              C:\WINNT\System32\smss.exe
              C:\WINNT\system32\winlogon.exe
              C:\WINNT\system32\services.exe
              C:\WINNT\system32\lsass.exe
              C:\WINNT\system32\svchost.exe
              C:\WINNT\System32\svchost.exe
              C:\WINNT\system32\spoolsv.exe
              C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
              C:\WINNT\System32\nvsvc32.exe
              C:\WINNT\System32\svchost.exe
              C:\PROGRA~1\AVG\AVG8\avgemc.exe
              C:\PROGRA~1\AVG\AVG8\avgrsx.exe
              C:\PROGRA~1\AVG\AVG8\avgnsx.exe
              C:\WINNT\Explorer.EXE
              C:\Program Files\AVG\AVG8\avgcsrvx.exe
              C:\PROGRA~1\AVG\AVG8\avgtray.exe
              C:\Program Files\Windows Live\Messenger\msnmsgr.exe
              C:\WINNT\system32\ctfmon.exe
              F:\HiJackThis.exe

              R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
              R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
              R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
              R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
              R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
              R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
              O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
              O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
              O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
              O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
              O4 - HKLM\..\Run: [Sprint SmartView] "C:\Program Files\Sprint\Sprint SmartView\SprintSV.exe" -a
              O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
              O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
              O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
              O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
              O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
              O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
              O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
              O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
              O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
              O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
              O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
              O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
              O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
              O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
              O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
              O20 - Winlogon Notify: avgrsstarter - C:\WINNT\SYSTEM32\avgrsstx.dll
              O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
              O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
              O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
              O23 - Service: Sprint RcAppSvc (sprintrcappsvc) - PCTEL - C:\Program Files\Sprint\Sprint SmartView\RcAppSvc.exe
              O24 - Desktop Component 0: (no name) - http://i.a.cnn.net/cnn/.element/img/1.3/video/broadband/player/2.0/broadband_hdr.gif

              --
              End of file - 4428 bytes




              evilfantasy

              « Reply #23 on: July 11, 2009, 06:26:44 PM »
              Everything in the Malwarebytes log says No action taken.

              Did you remove those after copying the log?

              Atech

                Topic Starter


                Rookie
              • Think before you act consider the consequences
                Re: One Tough Virus Infection will not allow any application to launch
                « Reply #24 on: July 11, 2009, 07:09:36 PM »
                I must've copied the wrong log to post.  Here is the post-removal log.

                Malwarebytes' Anti-Malware 1.38
                Database version: 2411
                Windows 5.1.2600 Service Pack 3

                7/11/2009 3:43:29 PM
                mbam-log-2009-07-11 (15-43-29).txt

                Scan type: Quick Scan
                Objects scanned: 124641
                Time elapsed: 15 minute(s), 52 second(s)

                Memory Processes Infected: 0
                Memory Modules Infected: 0
                Registry Keys Infected: 10
                Registry Values Infected: 0
                Registry Data Items Infected: 0
                Folders Infected: 5
                Files Infected: 9

                Memory Processes Infected:
                (No malicious items detected)

                Memory Modules Infected:
                (No malicious items detected)

                Registry Keys Infected:
                HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
                HKEY_CLASSES_ROOT\mmkl.kl.1 (Trojan.BHO) -> Quarantined and deleted successfully.
                HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
                HKEY_CLASSES_ROOT\Interface\{277e1fe0-cf65-11d3-b377-0800460222f0} (Adware.Iwon) -> Quarantined and deleted successfully.
                HKEY_CLASSES_ROOT\Interface\{6d54a7c0-c379-11d3-b377-0800460222f0} (Adware.Iwon) -> Quarantined and deleted successfully.
                HKEY_CLASSES_ROOT\Typelib\{78429873-f771-11d3-ae1d-0050dac24e8f} (Adware.Iwon) -> Quarantined and deleted successfully.
                HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c298fb42-e3e2-11d3-adcd-0050dac24e8f} (Trojan.Downloader) -> Quarantined and deleted successfully.
                HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{ca0b9b71-c2af-11d3-b376-0800460222f0} (Adware.Iwon) -> Quarantined and deleted successfully.
                HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{d49e9d35-254c-4c6a-9d17-95018d228ff5} (Adware.Starware) -> Quarantined and deleted successfully.
                HKEY_LOCAL_MACHINE\SOFTWARE\MySearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.

                Registry Values Infected:
                (No malicious items detected)

                Registry Data Items Infected:
                (No malicious items detected)

                Folders Infected:
                c:\documents and settings\Pat\Start Menu\Programs\WhenU (Adware.WhenUSave) -> Quarantined and deleted successfully.
                C:\Program Files\MySearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
                c:\program files\MySearch\bar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
                c:\program files\MySearch\bar\History (Adware.MyWebSearch) -> Quarantined and deleted successfully.
                c:\program files\MySearch\bar\Settings (Adware.MyWebSearch) -> Quarantined and deleted successfully.

                Files Infected:
                c:\documents and settings\Pat\start menu\Programs\WhenU\Customer Support.lnk (Adware.WhenUSave) -> Quarantined and deleted successfully.
                c:\documents and settings\Pat\start menu\Programs\WhenU\Learn More About WhenU Save.url (Adware.WhenUSave) -> Quarantined and deleted successfully.
                c:\documents and settings\Pat\start menu\Programs\WhenU\Learn More About WhenU SaveNow.url (Adware.WhenUSave) -> Quarantined and deleted successfully.
                c:\documents and settings\Pat\start menu\Programs\WhenU\Uninstall Instructions.lnk (Adware.WhenUSave) -> Quarantined and deleted successfully.
                c:\documents and settings\Pat\start menu\Programs\WhenU\Uninstall.lnk (Adware.WhenUSave) -> Quarantined and deleted successfully.
                c:\documents and settings\Pat\start menu\Programs\WhenU\WhenU Help Desk.lnk (Adware.WhenUSave) -> Quarantined and deleted successfully.
                c:\documents and settings\Pat\start menu\Programs\WhenU\WhenU.com Website.url (Adware.WhenUSave) -> Quarantined and deleted successfully.
                c:\program files\MySearch\bar\History\search (Adware.MyWebSearch) -> Quarantined and deleted successfully.
                c:\documents and settings\All Users\Documents\gifnoc.xtx (Trojan.Agent) -> Quarantined and deleted successfully.
                Who knows whether he shall be a wise man or a fool
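
The check asked for in Reply #23, whether a Malwarebytes log shows items actually removed or only "No action taken", can be automated over a log in the layout posted above. This is an added example, not part of any post in the thread; the `audit` function, its result keys and the sample log are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the layout of the Malwarebytes' Anti-Malware 1.38 log
# above: summary counts first, then "<object> (<detection>) -> <action>." items.
SAMPLE_LOG = r"""
Registry Keys Infected: 1
Folders Infected: 1
Files Infected: 2

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\ExampleBar (Adware.Example) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\ExampleBar (Adware.Example) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\ExampleBar\bar.dll (Adware.Example) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\example.tmp (Trojan.Example) -> No action taken.
"""

SUMMARY = re.compile(r"^(?P<cat>[A-Za-z ]+ Infected): (?P<n>\d+)$")
SECTION = re.compile(r"^(?P<cat>[A-Za-z ]+ Infected):$")
ITEM = re.compile(r"^(?P<obj>.+) \((?P<det>[^()]+)\) -> (?P<action>.+?)\.?$")
DONE = "Quarantined and deleted successfully"  # action string seen in the thread's log

def audit(log_text):
    """Return count mismatches and items whose action is not a confirmed removal."""
    declared, items, section = {}, [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := SUMMARY.match(line):
            declared[m["cat"]] = int(m["n"])
        elif m := SECTION.match(line):
            section = m["cat"]            # following item lines belong to this category
        elif section and (m := ITEM.match(line)):
            items.append((section, m["obj"], m["det"], m["action"]))
    listed = Counter(cat for cat, *_ in items)
    # A summary count that disagrees with the listed items suggests a truncated paste.
    mismatched = {c: (n, listed[c]) for c, n in declared.items() if n != listed[c]}
    # Anything other than the success string (e.g. "No action taken") is unconfirmed.
    pending = [(obj, det, act) for _, obj, det, act in items if act != DONE]
    return {"mismatched": mismatched, "pending": pending,
            "clean": not mismatched and not pending}

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```
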

                evilfantasy

                « Reply #25 on: July 11, 2009, 07:27:51 PM »
                Download GMER and save it to your desktop.

                • Unzip (extract) it to your desktop.
                • Disconnect from Internet and close all running programs.
                • There is a small chance this application may crash your computer so save any work you have open.
                • Double-click gmer.exe to run it.
                • Let the gmer.sys driver load if asked.
                • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan... click NO
                • Click the Rootkit tab.
                • Make sure all the boxes on the right of the screen are checked, EXCEPT for "Show All".
                • Then click the Scan button. Wait for the scan to finish.
                • Once done, click the Copy button.
                • This will copy the results to the clipboard. Open Notepad and press CTRL + V to paste the log, and save it to your desktop.
                • Add this log to your next reply.
                NOTE: If you're having problems with running gmer.exe, try it in Safe Mode. This tool works in Safe Mode whereas many other rootkit revealers do not.
                ----------

                Download random's system information tool (RSIT) by random/random from and save it to your Desktop.

                • Double click on RSIT.exe to run.
                • Click Continue at the disclaimer screen.
                • Once it has finished, two logs will open.
                • log.txt will be maximized and info.txt will be minimized
                • Please post the contents of both logs in the next reply.

                Atech

                  « Reply #26 on: July 11, 2009, 11:55:48 PM »
                  Hello, still with it here... not throwing in the towel!!

                  Here are the Logs

                  [attachment deleted by admin]
                  Who knows whether he shall be a wise man or a fool

                  evilfantasy

                  « Reply #27 on: July 12, 2009, 12:18:18 AM »
                  Download OTM by OldTimer to your desktop.

                  Note: If you are running on Vista, right-click on OTM.exe and choose Run As Administrator.

                  * Save it to your Desktop.
                  * Double-click OTM.exe to run it.
                  * Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)

                  Code:
                  :Processes
                  explorer.exe

                  :services

                  :reg
                  [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}]

                  [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

                  [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]

                  [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

                  [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]

                  [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\services]

                  :files

                  :Commands
                  [purity]
                  [emptytemp]
                  [start explorer]

                  * Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
                  * Click the red Moveit! button.
                  * Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
                  * Close OTM

                  Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes.

                  ----------

                  Be sure to update SAS if you already have it installed.

                  Download and install SUPERAntiSpyware Free for Home Users

                  * Start SUPERAntiSpyware and click Check for updates

                  If you encounter any problems while downloading the updates, manually download and unzip them from here

                  * Once the update is finished, on the main screen, click Scan your computer
                  * Check Perform Complete Scan
                  * Click Next to start the scan.

                  * When finished SUPERAntiSpyware will list all the infections found.
                  * Make sure everything found has a check next to it and press Next
                  * Then click Finish

                  - It is possible that the SUPERAntiSpyware asks to reboot the PC in order to delete some files, please do so.
                   
                  Locate the SUPERAntiSpyware log as follows:

                  * Click: Preferences
                  * Click the Statistics/Logs tab
                  * Under Scanner Logs, double-click SUPERAntiSpyware Scan Log
                  * The log will open in your default text editor (such as Notepad)
                  * Post the SUPERAntiSpyware log in your reply.



                  Atech

                    « Reply #28 on: July 12, 2009, 03:18:27 PM »
                    Is this infection caused by a rootkit?  Is it possible that we need stronger medicine? :||x

                    [attachment deleted by admin]
                    Who knows whether he shall be a wise man or a fool

                    evilfantasy

                    « Reply #29 on: July 12, 2009, 05:04:13 PM »
                    Actually I am not really finding anything else.

                    Is the computer still slow?