
Author Topic: One Tough Virus Infection will not allow any application to launch  (Read 17586 times)


Atech

    Topic Starter


    Rookie
  • Think before you act consider the consequences
    Re: One Tough Virus Infection will not allow any application to launch
    « Reply #30 on: July 12, 2009, 05:55:32 PM »
    Computer is slow at certain tasks, like going to any sites that have a Microsoft URL.  Still have major problems with Microsoft Update.  I did a service pack update, which did give a clue that something is running under stealth.  I've reloaded hundreds of XP systems, and have updated service packs many times.  But this one exhibits one strange behavior: on reboot (after Service Pack 3 applied) it had three command windows open after Windows was completely loaded.  They stayed open about 10 seconds then closed.
    Who knows whether he shall be a wise man or a fool

    evilfantasy

    • Malware Removal Specialist
    • Moderator


    • Genius
    • Calm like a bomb
    • Thanked: 493
    • Experience: Experienced
    • OS: Windows 11
    Re: One Tough Virus Infection will not allow any application to launch
    « Reply #31 on: July 12, 2009, 06:04:43 PM »
    Download Dial-a-Fix by djlizard, save it to the desktop then extract it to its own folder.

    • Open the folder and run Dial-a-fix.exe
    • 2 windows will open. Close the one in the background labeled Restrictive Policies
    • Check the box in section 1, Empty temp folders.
    • Check the box in section 2, Fix Windows Installer.
    • Check the box in section 3, Fix Windows Update.
    • Check the box in section 4, labeled SSL/HTTPS/Cryptography. The 4 boxes under it should be pre-checked
    • Check all boxes in section 5, labeled Registration Center.
    • Click Go
    • OK any error messages if received, but write them down and post them here.
    • Restart the computer when done.
    Is the problem fixed?

    ----------

    If not...

    Do you have an XP CD?

    If so, place it in your CD ROM drive and follow the instructions below:
    • Click on Start > Run and type sfc /scannow then press Enter (note the space between sfc and /scannow)
      • Let this run undisturbed until the window with the blue progress bar goes away
    SFC - Which stands for System File Checker, retrieves the correct version of the file from %Systemroot%\System32\Dllcache or the Windows installation source files, and then replaces the incorrect file.

    Atech
      Re: One Tough Virus Infection will not allow any application to launch
      « Reply #32 on: July 12, 2009, 10:38:23 PM »
       :D Dial-a-fix did the job.  Upon reboot, system connected to MS update, downloaded all updates, system installed the updates.  I now have confidence that this system will be able to operate normally.  8)

      Thanks for your excellent professional Troubleshooting and Malware extraction techniques!

      With High Regards

      Atech

      Atech
        Re: One Tough Virus Infection will not allow any application to launch
        « Reply #33 on: July 13, 2009, 02:11:32 AM »
         ??? Hmmm, just when you thought it was safe to go back into the water! :o

        Malwarebytes' Anti-Malware 1.38
        Database version: 2411
        Windows 5.1.2600 Service Pack 3

        7/13/2009 12:51:40 AM
        mbam-log-2009-07-13 (00-51-33).txt

        Scan type: Full Scan (C:\|F:\|)
        Objects scanned: 198453
        Time elapsed: 2 hour(s), 7 minute(s), 9 second(s)

        Memory Processes Infected: 0
        Memory Modules Infected: 0
        Registry Keys Infected: 0
        Registry Values Infected: 1
        Registry Data Items Infected: 0
        Folders Infected: 0
        Files Infected: 0

        Memory Processes Infected:
        (No malicious items detected)

        Memory Modules Infected:
        (No malicious items detected)

        Registry Keys Infected:
        (No malicious items detected)

        Registry Values Infected:
        HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegedit (Hijack.Regedit) -> No action taken.

        Registry Data Items Infected:
        (No malicious items detected)

        Folders Infected:
        (No malicious items detected)

        Files Infected:
        (No malicious items detected)

        Atech
          Re: One Tough Virus Infection will not allow any application to launch
          « Reply #34 on: July 13, 2009, 11:10:02 AM »
          And there's more

          Here's what Spybot has to say


          Win32.Iroffer.af: [SBI $E19E27B1]  Data (File, nothing done)
            C:\WINNT\Client
            Properties.size=0
            Properties.md5=D41D8CD98F00B204E9800998ECF8427E
            Properties.filedate=1065381757
            Properties.filedatetext=2003-10-05 12:22:36

          Win32.Agent.pz: [SBI $7EC6899E] Settings (Registry value, nothing done)
            HKEY_USERS\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Network\UID

          Win32.Agent.pz: [SBI $8980C6CD] Settings (Registry value, nothing done)
            HKEY_USERS\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Network\UID

          MyWay.MyWebSearch: [SBI $D6FC06E2] Class ID (Registry key, nothing done)
            HKEY_CLASSES_ROOT\CLSID\{DC250EB2-2928-41c5-89C9-5FF86FEE1691}

          WildTangent: [SBI $CC7760FE] Settings (Registry value, nothing done)
            HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Java VM\ClassPath=...;C:\Program Files\WildTangent\Apps\DRM0301Java.jar...

          Microsoft.WindowsSecurityCenter.AntiVirusOverride: [SBI $3604910C] Settings (Registry change, nothing done)
            HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride

          BonziBuddy: [SBI $0ABCD7B1] Program directory (Directory, nothing done)
            C:\Program Files\BonziBuddy\

          BonziBuddy: [SBI $EBA31E67] Settings (Registry key, nothing done)
            HKEY_USERS\S-1-5-21-3563514748-1417066420-3376078148-1006\Software\VB and VBA Program Settings\BONZIBUDDY

          NewtonKnows: [SBI $9F6FF28E] Class ID (Registry key, nothing done)
            HKEY_CLASSES_ROOT\CLSID\{6600D22F-083F-11D6-99DE-D172E92EBC2A}

          NewtonKnows: [SBI $FA85E989] Interface (Registry key, nothing done)
            HKEY_CLASSES_ROOT\Interface\{6600D22C-083F-11D6-99DE-D172E92EBC2A}

          NewtonKnows: [SBI $0D7AE83A] Type library (Registry key, nothing done)
            HKEY_CLASSES_ROOT\TypeLib\{6600D220-083F-11D6-99DE-D172E92EBC2A}

          StarWare: [SBI $A82637BF] Settings (Registry key, nothing done)
            HKEY_USERS\.DEFAULT\Software\Starware322

          StarWare: [SBI $A82637BF] Settings (Registry key, nothing done)
            HKEY_USERS\S-1-5-18\Software\Starware322

          StarWare: [SBI $8008440B] Program directory (Directory, nothing done)
            C:\WINNT\system32\config\systemprofile\Application Data\Starware322\BrowserSearch\

          StarWare: [SBI $157F2D4F] Program directory (Directory, nothing done)
            C:\WINNT\system32\config\systemprofile\Application Data\Starware322\Configurator\

          StarWare: [SBI $9780440A] Program directory (Directory, nothing done)
            C:\WINNT\system32\config\systemprofile\Application Data\Starware322\ErrorSearch\

          StarWare: [SBI $76047FA3] Program directory (Directory, nothing done)
            C:\WINNT\system32\config\systemprofile\Application Data\Starware322\Layouts\

          StarWare: [SBI $E5A2946D] Program directory (Directory, nothing done)
            C:\WINNT\system32\config\systemprofile\Application Data\Starware322\Manager\

          StarWare: [SBI $3F6D43DB] Program directory (Directory, nothing done)
            C:\WINNT\system32\config\systemprofile\Application Data\Starware322\Reference\

          StarWare: [SBI $461B2748] Program directory (Directory, nothing done)
            C:\WINNT\system32\config\systemprofile\Application Data\Starware322\RelatedSearch\

          StarWare: [SBI $D5728ACA] Program directory (Directory, nothing done)
            C:\WINNT\system32\config\systemprofile\Application Data\Starware322\Toolbar\

          StarWare: [SBI $007CB757] Program directory (Directory, nothing done)
            C:\WINNT\system32\config\systemprofile\Application Data\Starware322\ToolbarLogo\

          StarWare: [SBI $F5040D20] Program directory (Directory, nothing done)
            C:\WINNT\system32\config\systemprofile\Application Data\Starware322\ToolbarSearch\

          StarWare: [SBI $6F569955] Program directory (Directory, nothing done)
            C:\WINNT\system32\config\systemprofile\Application Data\Starware322\TravelSearch\

          StarWare: [SBI $FDA327EC] Program directory (Directory, nothing done)
            C:\WINNT\system32\config\systemprofile\Application Data\Starware322\Weather\

          StarWare: [SBI $F26334AD]  Web page (File, nothing done)
            C:\WINNT\system32\config\systemprofile\Application Data\Starware322\Weather\AlertArchive.xml
            Properties.size=112
            Properties.md5=895945C70D7AB748FFDA17CA2338D3D2
            Properties.filedate=1187326290
            Properties.filedatetext=2007-08-16 21:51:30

          StarWare: [SBI $A6C3D1ED] Program directory (Directory, nothing done)
            C:\WINNT\system32\config\systemprofile\Application Data\Starware322\

          StarWare: [SBI $4AFA1DB7] Program directory (Directory, nothing done)
            C:\WINNT\system32\config\systemprofile\Application Data\Starware322\Games\

          StarWare: [SBI $BF882AFD] Program directory (Directory, nothing done)
            C:\WINNT\system32\config\systemprofile\Application Data\Starware322\Games\images\

          StarWare: [SBI $37E48ACD] Program directory (Directory, nothing done)
            C:\WINNT\system32\config\systemprofile\Application Data\Starware322\Games\images\active\

          StarWare: [SBI $4A2FB6EE]  Picture (File, nothing done)
            C:\WINNT\system32\config\systemprofile\Application Data\Starware322\Games\images\active\Games0.bmp
            Properties.size=1208
            Properties.md5=984A8652D52AE5D4F27503FF3F851D76
            Properties.filedate=1187326300
            Properties.filedatetext=2007-08-16 21:51:39

          StarWare: [SBI $465B4952] Program directory (Directory, nothing done)
            C:\WINNT\system32\config\systemprofile\Application Data\Starware322\Games\images\default\

          StarWare: [SBI $2ABAE699] Program directory (Directory, nothing done)
            C:\WINNT\system32\config\systemprofile\Application Data\Starware322\Movies\

          StarWare: [SBI $3C8A2EAC] Program directory (Directory, nothing done)
            C:\WINNT\system32\config\systemprofile\Application Data\Starware322\Movies\images\

          StarWare: [SBI $ACFB606D] Program directory (Directory, nothing done)
            C:\WINNT\system32\config\systemprofile\Application Data\Starware322\Movies\images\active\

          StarWare: [SBI $9016F550] Program directory (Directory, nothing done)
            C:\WINNT\system32\config\systemprofile\Application Data\Starware322\Movies\images\default\

          StarWare: [SBI $D7FD12CF] Program directory (Directory, nothing done)
            C:\WINNT\system32\config\systemprofile\Application Data\Starware322\Screensavers\

          StarWare: [SBI $0C066ECE] Program directory (Directory, nothing done)
            C:\WINNT\system32\config\systemprofile\Application Data\Starware322\ScreensaversMarketingSitePager\

          StarWare: [SBI $78757AD7] Program directory (Directory, nothing done)
            C:\WINNT\system32\config\systemprofile\Application Data\Starware322\ScreensaversMarketingSitePager\images\

          StarWare: [SBI $0B99A6BB] Program directory (Directory, nothing done)
            C:\WINNT\system32\config\systemprofile\Application Data\Starware322\ScreensaversMarketingSitePager\images\active\

          StarWare: [SBI $FF01E077] Program directory (Directory, nothing done)
            C:\WINNT\system32\config\systemprofile\Application Data\Starware322\ScreensaversMarketingSitePager\images\default\

          Right Media: Tracking cookie (Internet Explorer: Bill) (Cookie, nothing done)
           


          --- Spybot - Search & Destroy version: 1.6.2  (build: 20090126) ---

          2009-01-26 blindman.exe (1.0.0.8)
          2009-01-26 SDFiles.exe (1.6.1.7)
          2009-01-26 SDMain.exe (1.0.0.6)
          2009-01-26 SDShred.exe (1.0.2.5)
          2009-01-26 SDUpdate.exe (1.6.0.12)
          2009-01-26 SpybotSD.exe (1.6.2.46)
          2009-03-05 TeaTimer.exe (1.6.6.32)
          2009-07-07 unins000.exe (51.41.0.0)
          2009-07-07 unins001.exe (51.49.0.0)
          2009-01-26 Update.exe (1.6.0.7)
          2009-01-26 advcheck.dll (1.6.2.15)
          2007-04-02 aports.dll (2.1.0.0)
          2005-05-31 borlndmm.dll (7.0.4.453)
          2005-05-31 delphimm.dll (7.0.4.453)
          2008-06-14 DelZip179.dll (1.79.11.1)
          2009-01-26 SDHelper.dll (1.6.2.14)
          2008-06-19 sqlite3.dll
          2009-01-26 Tools.dll (2.1.6.10)
          2009-01-16 UninsSrv.dll (1.0.0.0)
          2005-05-31 UnzDll.dll (1.73.1.1)
          2005-05-31 ZipDll.dll (1.73.2.0)
          2009-05-19 Includes\Adware.sbi (*)
          2009-06-02 Includes\AdwareC.sbi (*)
          2009-01-22 Includes\Cookies.sbi (*)
          2009-05-19 Includes\Dialer.sbi (*)
          2009-06-02 Includes\DialerC.sbi (*)
          2009-01-22 Includes\HeavyDuty.sbi (*)
          2009-05-26 Includes\Hijackers.sbi (*)
          2009-07-07 Includes\HijackersC.sbi (*)
          2009-06-23 Includes\Keyloggers.sbi (*)
          2009-07-07 Includes\KeyloggersC.sbi (*)
          2004-11-29 Includes\LSP.sbi (*)
          2009-06-30 Includes\Malware.sbi (*)
          2009-07-07 Includes\MalwareC.sbi (*)
          2009-03-25 Includes\PUPS.sbi (*)
          2009-07-07 Includes\PUPSC.sbi (*)
          2009-01-22 Includes\Revision.sbi (*)
          2009-01-13 Includes\Security.sbi (*)
          2009-06-02 Includes\SecurityC.sbi (*)
          2008-06-03 Includes\Spybots.sbi (*)
          2008-06-03 Includes\SpybotsC.sbi (*)
          2009-04-07 Includes\Spyware.sbi (*)
          2009-07-07 Includes\SpywareC.sbi (*)
          2009-06-08 Includes\Tracks.uti
          2009-07-07 Includes\Trojans.sbi (*)
          2009-07-08 Includes\TrojansC.sbi (*)
          2008-03-04 Plugins\Chai.dll
          2008-03-05 Plugins\Fennel.dll
          2008-02-26 Plugins\Mate.dll
          2007-12-24 Plugins\TCPIPAddress.dll
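The two registry findings in the logs above (MBAM's DisableRegedit under HKCU Policies\System, and Spybot's Security Center AntiVirusOverride) are both policy/override tampering rather than malware files, which is why they matter more than the adware leftovers around them. The script below is an added example for readers, not something posted in this thread and not part of MBAM, Spybot or any other tool mentioned here. It reads those two values, reports whether each is at the Windows default (assumption: absent or 0), optionally removes them with a -Fix switch, and reports the Starware322 directory the Spybot log found under the SYSTEM account's profile. It assumes PowerShell is installed (XP needs v2 as an add-on; later Windows has it) and an elevated prompt for the HKLM part; the check list, the -Fix switch and the output labels are the example's own.

```powershell
# Added example (not from the thread): audit the registry artefacts that the
# MBAM and Spybot logs reported, and optionally undo the two policy/override
# values. Assumes PowerShell v2 or later and an elevated prompt for HKLM.
# Expected clean state is an assumption: value absent, or present and 0.

param([switch]$Fix)

$checks = @(
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'DisableRegedit'
       Note = 'MBAM: Hijack.Regedit - a value of 1 blocks regedit for this user' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center'
       Name = 'AntiVirusOverride'
       Note = 'Spybot: suppresses the Security Center "no antivirus" warning' }
)

foreach ($c in $checks) {
    # Missing key or missing value both come back as $null here.
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        Write-Output ("OK       {0}\{1} not present" -f $c.Path, $c.Name)
        continue
    }
    $v = $item.($c.Name)
    if ($v -eq 0) {
        Write-Output ("OK       {0}\{1} = 0" -f $c.Path, $c.Name)
        continue
    }
    Write-Output ("TAMPERED {0}\{1} = {2}  ({3})" -f $c.Path, $c.Name, $v, $c.Note)
    if ($Fix) {
        Remove-ItemProperty -Path $c.Path -Name $c.Name
        Write-Output ("         removed {0}" -f $c.Name)
    }
}

# The Spybot log listed Starware322 under the SYSTEM account's profile
# (S-1-5-18 / systemprofile), i.e. it was installed by something running as
# LocalSystem. $env:SystemRoot covers the C:\WINNT layout in the log.
# Report the directory; deleting it is left to the operator.
$starware = Join-Path $env:SystemRoot 'system32\config\systemprofile\Application Data\Starware322'
if (Test-Path $starware) {
    Write-Output "LEFTOVER $starware (Spybot: StarWare program directory)"
}
```

Run it once after cleaning and again after each reboot. If DisableRegedit reappears while the machine is kept offline, as Atech reports a few posts down, something still on the disk is re-applying it, and that is what has to be found before the machine can be trusted; removing the value again only treats the symptom.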

          evilfantasy
          Re: One Tough Virus Infection will not allow any application to launch
          « Reply #35 on: July 13, 2009, 11:21:20 AM »
          Just let SpyBot fix those. They are not a real threat but should be fixed still.

          • Click START then RUN
          • Now type Combofix /u in the runbox
          • Make sure there's a space between Combofix and /u
          • Then hit Enter.
          The above procedure will:
          • Delete: ComboFix and its associated files and folders.
          • Reset the clock settings.
          • Hide file extensions, if required.
          • Hide System/Hidden files, if required.
          • Set a new, clean Restore Point.
          ----------

          Use the Secunia Software Inspector to check for out of date software.
          • Click Start Now
          • Check the box next to Enable thorough system inspection.
          • Click Start
          • Allow the scan to finish and scroll down to see if any updates are needed.
          • Update anything listed.
          ----------

          Go to Microsoft Windows Update and get all critical updates.

          ----------

          I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

          SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
          * Using SpywareBlaster to protect your computer from Spyware and Malware
          * If you don't know what ActiveX controls are, see here

          Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

          Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

          Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.

          Atech
            Re: One Tough Virus Infection will not allow any application to launch
            « Reply #36 on: July 14, 2009, 02:15:26 AM »
            Hmm, I've cleaned all of the caches and done all of the suggested items.  The system will appear totally clean... for about 3 reboots... then strange things begin to happen.  Now mind this, I've totally isolated this system from the internet.  So it's not going online and downloading these new infections.  There has to be a generator somewhere on the system that starts the process all over again, locking out the registry, infecting exe files, changing system policies.  The system has degraded so badly I am no longer able to launch any spyware or virus applications loaded.  I know how to remedy all of this, but it seems like a futile effort...  Are you (or do you know of anyone who is) proficient with IceSword?

            Thanks for your thoughts in-advance
            Atech

            evilfantasy
            Re: One Tough Virus Infection will not allow any application to launch
            « Reply #37 on: July 14, 2009, 09:26:48 AM »
            You don't need IceSword, we already ran GMER. Besides, it hasn't been updated in a very long time.

            Download Lop S&D by Eric_71 and save it to your Desktop. Lop S&D will only run on Windows XP and Windows Vista

            Disable your antivirus and antimalware programs so they do not interfere with the running of Lop S&D. If needed see: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

            Double click LopSD.exe - If you are using Windows Vista, right-click on the LopSD icon and select Run as administrator to perform this scan.

            • Choose the language by typing the corresponding letter and press Enter
            • Click OK at the informative window
            • Type 1, to choose Option 1 (Search) then press Enter
            • Wait until the end of the scan
            • A report will be generated, post the contents of it in your next reply.
            A copy of the report can be found at this location: %systemdrive%\lopR.txt, in most cases C:\lopR.txt

            Atech
              Re: One Tough Virus Infection will not allow any application to launch
              « Reply #38 on: July 19, 2009, 10:47:31 PM »
              Hello EF,
              I hate it when forum users don't log the final outcome of a problem. That being said, I am here to share the outcome of all our efforts.  The system degraded to a state worse than the first case. All of the steps I used to access the registry failed, no exe or com files were able to launch, and I was unable to browse the internet freely.  Meaning I could go to any search engine, but was not allowed to open any sites that had to do with virus, spyware, or malware; if I did, the browser closed.  I know we gave it our best shot, but this system could not be saved.  I imaged the drive and then D-bombed it this evening (a type of low level reformat) and will do a fresh system install.  No data extracted from the old system will be moved forward to the new one, until we better understand what we are dealing with.

              Thanks till you are better paid
              Atech

              evilfantasy
              Re: One Tough Virus Infection will not allow any application to launch
              « Reply #39 on: July 19, 2009, 11:50:12 PM »
              Thanks for letting me know.