Author Topic: help with a virus  (Read 18901 times)

blu_smiley

    Topic Starter


    Rookie

    Re: help with a virus
    « Reply #30 on: January 01, 2008, 09:20:31 PM »
    When I press F8 the 'advance options' menu doesn't appear..
    Instead it's 'boot device' and asks me to select a drive O__O

    evilfantasy

    • Malware Removal Specialist
    • Moderator


    • Genius
    • Calm like a bomb
    • Thanked: 493
    • Experience: Experienced
    • OS: Windows 11
    Re: help with a virus
    « Reply #31 on: January 01, 2008, 09:43:31 PM »
    OK, just do the combofix log.

    blu_smiley

      Re: help with a virus
      « Reply #32 on: January 01, 2008, 11:17:56 PM »
      combofix log attached

      [file cleanup - saving space - attachment deleted by admin]

      evilfantasy

      Re: help with a virus
      « Reply #33 on: January 01, 2008, 11:33:19 PM »
      Now download The Avenger By Swandog46, and save it to your Desktop.

      • Extract avenger.exe from the Zip file and save it to your desktop
      • Run avenger.exe by double-clicking on it.
      • Check the Input script manually box.
      • Click on the Magnifying Glass Icon which will open a new window titled View/edit script
      • Copy everything in the Quote box below, and paste it in the box that opens:
      Quote
      Files to delete:
      C:\WINDOWS\temp\kimochiz.exe
      C:\WINDOWS\System32\hwclock.exe
      C:\WINDOWS\spdauth.exe

      Note: the above quote was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

      • Now click the 'Done' button.
      • Click on the Green Light and OK the prompt.
      • You will be prompted to restart, click OK at the prompt and your PC should reboot, if not, reboot it yourself.
      • A log file from Avenger will be produced at C:\avenger.txt
      The Avenger will automatically do the following:

      • It will Restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
      • On reboot, it will briefly open a black command window on your desktop, this is normal.
      • After the restart, it creates a log file that should open with the results of Avenger's actions.
        • This log file will be located at C:\avenger.txt
      • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
        • Please attach the C:\avenger.txt in your next post.
        ----------


        Run the BitDefender Online Scanner
        Click I Agree to the license and then select Click here to scan
        DO NOT CHANGE THE OPTIONS TO SHOW ALL FILES SCANNED.
        That will make your logs huge and we don't need to see clean files.

        Once Bitdefender completes the scan:
        Click on the Detected Problems tab.
        Then select Click here to export the scan report

        When the window comes up to save the report, change the Save as type: box to:
        Text (Tab Delimited) (*.txt) and then in the File name box change the name to bdscan, then click Save

        This will save a file named bdscan.txt. I would suggest saving it to the Desktop so you can easily find it.
        (take notice of where you save it so you can find it later)

        This bdscan.txt file will actually contain HTML code that we can easily view later while reviewing your log. All we have to do is rename the file to bdscan.html.

        If you do not follow these steps, you will have an incorrect log or, worse, a log summary, which is useless to us.

        Post the bdscan.txt file as an Attachment.

        ----------

        Next post please add
        avenger log
        bitdefender log
        new hijackthis log

      blu_smiley

        Re: help with a virus
        « Reply #34 on: January 02, 2008, 04:26:00 PM »
        avenger, bdscan and hjt logs attached

        [file cleanup - saving space - attachment deleted by admin]

        evilfantasy

        Re: help with a virus
        « Reply #35 on: January 02, 2008, 05:30:33 PM »
        We need to do some work in the registry to get rid of the TELLCOMA.EXE.

        Backup the registry

        1. Click Start, click Run, type (or copy and then paste) %SystemRoot%\system32\restore\rstrui.exe, and then click OK.
        2. On the Welcome to System Restore page, click Create a restore point, and then click Next.
        3. On the Create a Restore Point page, type a name for the restore point and then click Create.
        4. After the restore point has been created, click Close.
        * Remember or write down the name you give the restore point.

        Kill the tellcoma process
        Open Windows Task Manager by pressing CTRL+ALT+DELETE all at the same time and choose the processes tab.

        In the list of running programs locate the process:
        TELLCOMA.EXE and right click it then choose End task

        Close Task Manager.

        Remove tellcoma from the registry

        1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.

        2. In the left panel, double-click the following:
        HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>Run

        3. In the right panel, locate and delete the entry:
        Microsoft Telecoma Center = "tellcoma.exe"

        4. In the left panel, double-click the following:
        HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>RunServices

        5. In the right panel, locate and delete the entry:
        Microsoft Telecoma Center = "tellcoma.exe"

        6. In the left panel, double-click the following:
        HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Run

        7. In the right panel, locate and delete the entry:
        Microsoft Telecoma Center = "tellcoma.exe"

        8. Leave Registry Editor open.

        Restoring EnableDCOM and RestrictAnonymous Registry Entries


        1. In the left panel, double-click the following:
        HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Ole

        2. In the right panel, locate the entry:
        EnableDCOM = "N"

        3. Right-click on this registry entry and choose Modify. Change the value of this entry to:
        EnableDCOM = "Y"

        4. Close Registry Editor.

        Toggle System Restore to clear infected restore points

        1. Turn off System Restore
        On the Desktop, right-click My Computer.
        Click Properties.
        Click the System Restore tab.
        Check Turn off System Restore.
        Click Apply, and then click OK.

        2. Restart your computer

        3. Turn ON System Restore
        On the Desktop, right-click My Computer.
        Click Properties.
        Click the System Restore tab.
        UN-Check Turn off System Restore.
        Click Apply, and then click OK.

        Run Housecall

        Use the Trend Micro Housecall Scan

        • Click Scan Now. It's Free
        • Read and put a Check next to Yes, I accept the Terms of Use
        • Then click Launch HouseCall. Wait for the Java-Based Housecall Kernel Test.
        • Click Starting Housecall and wait for the updates to finish.
        • Under Scan complete computer for malware, grayware, and vulnerabilities click the Next>> button.
          • It will download the latest scan engine and pattern files. When the definitions have been downloaded, the scan will start.
          • Please wait while HouseCall scans your system…
          • Once the scan is complete, it will take you to the summary page.
        • Under Cleanup options choose Clean all detected infections automatically
        • Click the Clean now>> button.
        • When presented with a notification According to your instructions, all detected infections were cleaned..., click OK
          • The Housecall log is saved to C:\Documents and Settings\UserName\.housecall\log\
          Check for Updates

          Go to www.windowsupdate.microsoft.com and check for any updates.

          Next post
          Housecall log
          New HijackThis log
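
Added example, not part of the original post: a read-only PowerShell check of the three Run keys and the EnableDCOM value named in the steps above, so their state can be recorded before and after the manual edits. It assumes Windows PowerShell 3.0 or later; the function name Get-RunKeyFinding is made up for this example.

```powershell
# Read-only audit of the autostart entry and DCOM value named in the post.
# Nothing is changed here; deletion stays a manual step in Registry Editor.
$valueName = 'Microsoft Telecoma Center'   # value name quoted in the post
$fileName  = 'tellcoma.exe'                # data the post says it points to

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

function Get-RunKeyFinding {               # hypothetical helper name
    param([string]$KeyPath)

    # A key that does not exist is reported, not treated as an error.
    if (-not (Test-Path -LiteralPath $KeyPath)) {
        return [pscustomobject]@{ Key = $KeyPath; Status = 'key absent'; Entry = '' }
    }

    $key  = Get-Item -LiteralPath $KeyPath
    # Match on the value name or on the data, in case only one of them differs.
    $hits = foreach ($name in $key.GetValueNames()) {
        $data = [string]$key.GetValue($name)
        if ($name -eq $valueName -or $data -like "*$fileName*") { "$name = $data" }
    }

    if ($hits) {
        [pscustomobject]@{ Key = $KeyPath; Status = 'ENTRY PRESENT'; Entry = ($hits -join '; ') }
    } else {
        [pscustomobject]@{ Key = $KeyPath; Status = 'no match'; Entry = '' }
    }
}

$findings = $runKeys | ForEach-Object { Get-RunKeyFinding -KeyPath $_ }

# EnableDCOM under HKLM\SOFTWARE\Microsoft\Ole: the post restores it from "N" to "Y".
$ole  = Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Ole' -Name EnableDCOM -ErrorAction SilentlyContinue
$dcom = if ($ole) { [string]$ole.EnableDCOM } else { 'value absent' }
$findings += [pscustomobject]@{
    Key    = 'HKLM:\SOFTWARE\Microsoft\Ole'
    Status = "EnableDCOM = $dcom"
    Entry  = ''
}

$findings | Format-Table -AutoSize -Wrap
```

A result of 'key absent' or 'no match' for all three Run keys means the entry is not there to delete, which is worth recording alongside the logs requested in the post.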



        blu_smiley

          Re: help with a virus
          « Reply #36 on: January 02, 2008, 07:52:58 PM »
          I can't find TELLCOMA.EXE in task manager

          evilfantasy

          Re: help with a virus
          « Reply #37 on: January 02, 2008, 08:07:44 PM »
          Open the registry and see if you can find the entries in there and follow those instructions.


          blu_smiley

            Re: help with a virus
            « Reply #38 on: January 02, 2008, 08:14:02 PM »
            Went to the registry but couldn't find the entries

            evilfantasy

            Re: help with a virus
            « Reply #39 on: January 02, 2008, 08:22:15 PM »
            Post a fresh hijackthis log please.

            blu_smiley

              Re: help with a virus
              « Reply #40 on: January 02, 2008, 08:26:11 PM »
              hjt log attached

              [file cleanup - saving space - attachment deleted by admin]

              evilfantasy

              Re: help with a virus
              « Reply #41 on: January 02, 2008, 08:33:12 PM »
              Post a fresh hijackthis log please.

              Scan saved at 4:25:02 p.m., on 3/01/2008

              I need a NEW hijackthis log.

              blu_smiley

                Re: help with a virus
                « Reply #42 on: January 02, 2008, 08:40:36 PM »
                ^ But that is a new one..
                I scanned it only like 15 minutes ago

                evilfantasy

                Re: help with a virus
                « Reply #43 on: January 02, 2008, 08:49:46 PM »
                Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.

                • Close all applications and windows.
                • Double-click on dss.exe to run it, and follow the prompts.
                • When the scan is complete, two text files will open -
                  • main.txt <- this one will be maximized
                  • and extra.txt <-this one will be minimized
                • Attach the contents of main.txt in your post.
                • Please also attach extra.txt to your post.
                What DSS will do:

                • Create a new System Restore point in Windows XP and Vista.
                • Clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
                • Check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

                blu_smiley

                  Re: help with a virus
                  « Reply #44 on: January 02, 2008, 09:01:02 PM »
                  main and extra txt attached

                  [file cleanup - saving space - attachment deleted by admin]