desparately seeking assistance to remove trojan virus

[padraig]

last week I received a notice from Malewarebyte's anti-malware software that my system (Windows XP) was infected with a trojan virus. I have run removal no less than 10 times and now it replicates and kills my programs. It has since redirected my IE7 to antivirus software pages.

I cannot rid my computer of this and am in serious need of some very basic support. I'm not stupid, but I sure could use some step by step assistance if anyone has that type of patience.

[Allan]

http://www.computerhope.com/forum/index.php/topic,46313.0.html

[KornmonGrim]

Ok i know a way. Does it tell you the process name? The name of it?
If you know this info please reply and if you wish for me to help please PM me or reply "Help" as in as connect and look for it manually and remove it manually.

[padraig]

Okay,

I have gotten through about 20% of the help forum and have had to switch between my regular log in and running in safe mode because the links on the instructions page will not work. My IE7 browser continues to either get redirected or will not load the webpage.

I completed a scan using SAS but when I pushed the "finish" button it shut down power to my entire PC.

I am sorry but can anyone help?

[SuperDave]

Go to this link to create a Rescue CD or to this site to create a Rescue USB. Carefully follow all the instructions for whichever method you choose. You will need to do this on a clean computer.

[padraig]

I had to use a PC at the public library to burn a recover CD. An hour later I followed the instructions provided on the link but the CD does not boot my PC. I attempted a safe boot, but again it will not read the CD drivem I am using my CrackBerry to send this as the library is closed.
It must be Murphy's Law at work here, as I am out of town this coming week and cannot test any other solutions after tonight.
Thanks!

[SuperDave]

You will probably have to change your BIOS to boot from the CD. Please contact us when you return.

[padraig]

I have tried several times to connectn but whatever has taken over blocks all attempts to load this web page. Blackberry is my only communication on this forum. All attempts to boot from downloaded USB or CD are ignored. Should I reformat?

[SuperDave]

Did you go into your BIOS and change the boot sequence to show your Diskdrive to boot first?

[padraig]

i tried but found nothing to show me how to do this

[SuperDave]

Go here. You will need to change the boot sequence. Set it so your computer boots from the diskdrive(CD-ROM). If you have more than one diskdrive (CD-ROM) select the one where you will place your disk.

[padraig]

well, after many steps I have eliminated the trojan that first attacked my internet connection then infected my anti-virus software...ironic huh?

thanks Super Dave for your patience and guidance. I am contemplating an external harddrive purchase to image my C: just in case.

Cheers,
Padraig

[SuperDave]

Why not go to this link and follow the directions and post the required logs. That way you will be sure your computer is clean.

[padraig]

Thanks Super Dave, I guess that would help others too. I work out of town so weekends are the only time that I have access to this PC. Here are the logs for SAS before and then after, along with the logs for AVG before and after.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/03/2010 at 06:37 PM

Application Version : 4.22.1014

Core Rules Database Version : 4766
Trace Rules Database Version: 2578

Scan type       : Quick Scan
Total Scan Time : 00:06:21

Memory items scanned      : 440
Memory threats detected   : 3
Registry items scanned    : 489
Registry threats detected : 58
File items scanned        : 6752
File threats detected     : 10

Trojan.Dropper/Sys-NV
   C:\WINDOWS\SYSTEM32\DSWAVE32.DLL
   C:\WINDOWS\SYSTEM32\DSWAVE32.DLL
   Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\441d49b854

Trojan.Agent/Gen
   C:\WINDOWS\SYSTEM32\12A.TMP
   C:\WINDOWS\SYSTEM32\12A.TMP
   HKU\S-1-5-21-2796421550-788906634-1267632633-1006\SOFTWARE\XML
   HKU\S-1-5-21-2796421550-788906634-1267632633-1006\SOFTWARE\XML#dig15
   HKU\S-1-5-21-2796421550-788906634-1267632633-1006\SOFTWARE\XML#dig4
   HKU\S-1-5-21-2796421550-788906634-1267632633-1006\SOFTWARE\XML#dig5
   HKU\S-1-5-21-2796421550-788906634-1267632633-1006\SOFTWARE\XML#dig20
   HKU\S-1-5-21-2796421550-788906634-1267632633-1006\SOFTWARE\XML#dig25
   HKU\S-1-5-21-2796421550-788906634-1267632633-1006\SOFTWARE\XML#str14
   HKU\S-1-5-21-2796421550-788906634-1267632633-1006\SOFTWARE\XML#dig10
   HKU\S-1-5-21-2796421550-788906634-1267632633-1006\SOFTWARE\XML#str6
   HKU\S-1-5-21-2796421550-788906634-1267632633-1006\SOFTWARE\XML#str7
   HKU\S-1-5-21-2796421550-788906634-1267632633-1006\SOFTWARE\XML#str8
   HKU\S-1-5-21-2796421550-788906634-1267632633-1006\SOFTWARE\XML#str9
   HKU\S-1-5-21-2796421550-788906634-1267632633-1006\SOFTWARE\XML#str10
   HKU\S-1-5-21-2796421550-788906634-1267632633-1006\SOFTWARE\XML#str13
   HKU\S-1-5-21-2796421550-788906634-1267632633-1006\SOFTWARE\XML#str1
   HKU\S-1-5-21-2796421550-788906634-1267632633-1006\SOFTWARE\XML#str2
   HKU\S-1-5-21-2796421550-788906634-1267632633-1006\SOFTWARE\XML#str5
   HKU\S-1-5-21-2796421550-788906634-1267632633-1006\SOFTWARE\XML#dig7
   HKU\S-1-5-21-2796421550-788906634-1267632633-1006\SOFTWARE\XML#dig8
   HKU\S-1-5-21-2796421550-788906634-1267632633-1006\SOFTWARE\XML#dig6
   HKU\S-1-5-21-2796421550-788906634-1267632633-1006\SOFTWARE\XML#str16
   HKU\S-1-5-21-2796421550-788906634-1267632633-1006\SOFTWARE\XML#str17
   HKU\S-1-5-21-2796421550-788906634-1267632633-1006\SOFTWARE\XML#str19
   HKU\S-1-5-21-2796421550-788906634-1267632633-1006\SOFTWARE\XML#dig18
   HKU\S-1-5-21-2796421550-788906634-1267632633-1006\SOFTWARE\XML#dig17
   HKU\S-1-5-21-2796421550-788906634-1267632633-1006\SOFTWARE\XML#str22
   HKU\S-1-5-21-2796421550-788906634-1267632633-1006\SOFTWARE\XML#str23
   HKU\S-1-5-21-2796421550-788906634-1267632633-1006\SOFTWARE\XML#str25
   HKU\S-1-5-21-2796421550-788906634-1267632633-1006\SOFTWARE\XML#str26
   HKU\S-1-5-21-2796421550-788906634-1267632633-1006\SOFTWARE\XML#dig24
   HKU\S-1-5-21-2796421550-788906634-1267632633-1006\SOFTWARE\XML#dig23

Trojan.Agent/Gen-NumTemp
   C:\WINDOWS\SYSTEM32\11.TMP
   C:\WINDOWS\SYSTEM32\11.TMP

Adware.Vundo/Variant-X32[Header]
   HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{015FAB16-B268-4248-9549-7469CB348D20}
   HKCR\CLSID\{015FAB16-B268-4248-9549-7469CB348D20}
   HKCR\CLSID\{015FAB16-B268-4248-9549-7469CB348D20}\InprocServer32
   HKCR\CLSID\{015FAB16-B268-4248-9549-7469CB348D20}\InprocServer32#ThreadingModel
   C:\WINDOWS\SYSTEM32\D3DRM32.DLL
   HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{021548D5-E78F-41F4-9513-C06289008553}
   HKCR\CLSID\{021548D5-E78F-41F4-9513-C06289008553}
   HKCR\CLSID\{021548D5-E78F-41F4-9513-C06289008553}\InprocServer32
   HKCR\CLSID\{021548D5-E78F-41F4-9513-C06289008553}\InprocServer32#ThreadingModel
   C:\WINDOWS\SYSTEM32\DINPUT3232.DLL
   HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02BF562D-B268-4248-9549-7469CB348D20}
   HKCR\CLSID\{02BF562D-B268-4248-9549-7469CB348D20}
   HKCR\CLSID\{02BF562D-B268-4248-9549-7469CB348D20}\InprocServer32
   HKCR\CLSID\{02BF562D-B268-4248-9549-7469CB348D20}\InprocServer32#ThreadingModel
   C:\WINDOWS\SYSTEM32\FONTEXT32.DLL
   HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{042A91AA-E78F-41F4-9513-C06289008553}
   HKCR\CLSID\{042A91AA-E78F-41F4-9513-C06289008553}
   HKCR\CLSID\{042A91AA-E78F-41F4-9513-C06289008553}\InprocServer32
   HKCR\CLSID\{042A91AA-E78F-41F4-9513-C06289008553}\InprocServer32#ThreadingModel
   HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{057EAC5B-B268-4248-9549-7469CB348D20}
   HKCR\CLSID\{057EAC5B-B268-4248-9549-7469CB348D20}
   HKCR\CLSID\{057EAC5B-B268-4248-9549-7469CB348D20}\InprocServer32
   HKCR\CLSID\{057EAC5B-B268-4248-9549-7469CB348D20}\InprocServer32#ThreadingModel
   C:\WINDOWS\SYSTEM32\EAPPPRXY32.DLL
   HKU\S-1-5-21-2796421550-788906634-1267632633-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{015FAB16-B268-4248-9549-7469CB348D20}
   HKU\S-1-5-21-2796421550-788906634-1267632633-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{021548D5-E78F-41F4-9513-C06289008553}
   HKU\S-1-5-21-2796421550-788906634-1267632633-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02BF562D-B268-4248-9549-7469CB348D20}
   HKU\S-1-5-21-2796421550-788906634-1267632633-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{042A91AA-E78F-41F4-9513-C06289008553}
   HKU\S-1-5-21-2796421550-788906634-1267632633-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{057EAC5B-B268-4248-9549-7469CB348D20}

Adware.Tracking Cookie
   C:\Documents and Settings\Patrick\Cookies\patrick@atdmt[2].txt
   C:\Documents and Settings\Patrick\Cookies\patrick@interclick[2].txt
   C:\Documents and Settings\Patrick\Cookies\patrick@doubleclick[2].txt

Trojan.Unclassified/Cognac
   HKU\S-1-5-21-2796421550-788906634-1267632633-1006\Software\Cognac

[padraig]

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/03/2010 at 06:47 PM

Application Version : 4.35.1000

Core Rules Database Version : 4766
Trace Rules Database Version: 2578

Scan type       : Quick Scan
Total Scan Time : 00:02:15

Memory items scanned      : 498
Memory threats detected   : 0
Registry items scanned    : 497
Registry threats detected : 0
File items scanned        : 502
File threats detected     : 31

Trojan.Agent/Gen-FakeAV[LSASS]
   C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\APPLICATION DATA\SYSTEMPROC\LSASS.EXE
   C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\1.TMP

Adware.Tracking Cookie
   C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[2].txt
   C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
   C:\Documents and Settings\Administrator\Cookies\administrator@insightexpressai[1].txt
   C:\Documents and Settings\Administrator\Cookies\administrator@interclick[2].txt
   C:\Documents and Settings\Administrator\Cookies\administrator@admarketplace[1].txt
   C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
   C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
   C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
   C:\Documents and Settings\Administrator\Cookies\administrator@collective-media[1].txt
   C:\Documents and Settings\Administrator\Cookies\administrator@xiti[1].txt
   C:\Documents and Settings\Administrator\Cookies\administrator@imrworldwide[2].txt
   C:\Documents and Settings\Administrator\Cookies\administrator@theclickcheck[2].txt
   C:\Documents and Settings\Administrator\Cookies\administrator@smartadserver[1].txt
   C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
   C:\Documents and Settings\Administrator\Cookies\administrator@adbrite[2].txt
   C:\Documents and Settings\Administrator\Cookies\administrator@tacoda[1].txt
   C:\Documents and Settings\Administrator\Cookies\administrator@invitemedia[2].txt
   C:\Documents and Settings\Administrator\Cookies\administrator@advertising[2].txt
   C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
   C:\Documents and Settings\Administrator\Cookies\administrator@fastclick[1].txt
   C:\Documents and Settings\Administrator\Cookies\administrator@pro-market[1].txt
   C:\Documents and Settings\Administrator\Cookies\administrator@mediaplex[2].txt
   C:\Documents and Settings\Administrator\Cookies\administrator@apmebf[2].txt
   C:\Documents and Settings\Administrator\Cookies\administrator@tribalfusion[2].txt
   C:\Documents and Settings\Administrator\Cookies\administrator@kontera[2].txt
   C:\Documents and Settings\Administrator\Cookies\administrator@linksynergy[2].txt
   C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[1].txt
   C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
   C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt