Virus Yet again

[Google]

My computer restarts everytime I start it up right after the BSOD shows up for a few seconds....

I've attatched logs and etc...



[Saving space - attachment deleted by admin]

[Google]

So I am in safe mode right now, since it keeps restarting...

[evilfantasy]

Download ComboFix by sUBs from one of the below links. Be sure top save it to the Desktop.

Link #1
Link #2

**Note:  It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
 
Double click combofix.exe & follow the prompts.
When finished ComboFix will produce a log for you.
Post the ComboFix log and a new HijackThis log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

[Google]

Ok, that combofix did apparently not work in safe mode. So I decided to restore my computer to an earlier date, and now it doesnt restart, but combofix still doesn't work, so heres a new HJT log....

(attatched)

And I had disabled avira AV and comodo firewall. How do I reenable Avira? I m guessing that I just start up comodo firewall to re enable that, but I cant seem to reenable Avira....

[Saving space - attachment deleted by admin]

[evilfantasy]

Please print these instructions as they will be needed later when Internet access is not available.

Download SDFix by AndyManchesta and save it to your desktop.

When using this tool, you must use the Administrator's account or an account with Administrative rights

• Double click SDFix.exe and it will extract the files to %systemdrive%
  
• (this is the drive that contains the Windows Directory, typically C:\SDFix).
  
• DO NOT use it just yet.

Reboot your computer in Safe Mode using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Open the SDFix folder and double click RunThis.bat to start the script.

• Type Y to begin the cleanup process.
  
• It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
• Press any Key and it will restart the PC.
  
• When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  
• Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  
• Copy and paste the contents of the results file Report.txt in your next reply along with a new HijackThis log (from normal boot mode).

[Google]

Oj ,that doens't work either. When I double click on runthis.bat orw hatever its called, it says that it cannot be found....

[evilfantasy]

Download DrWeb CureIt & save it to your desktop.

Scan with DrWeb-CureIt as follows:

• Double-click on drweb-cureit.exe and then click Start.
  
• An Express Scan of your PC notice will appear.
  
• Under Start the Express Scan Now Click OK to start.
  • This is a short scan that will scan the files currently running in memory.
  • If or when something is found, click the Yes button when it asks you if you want to cure it.
• Once the short scan has finished, Click Options > Change settings
  
• Choose the Scan tab and UNcheck Heuristic analysis and click OK
  
• Back at the main window, select the Complete scan button.
  
• Then click the Green Arrow Start Scanning button on the right and the scan will start.
  • Click Yes to all if it asks if you want to cure/move any file(s).
• When the scan is done.
• In the Dr.Web CureIt menu on top left, click File and choose Save report list.
  
• Save the DrWeb.csv report to your Desktop.
  
• Exit Dr.Web Cureit.

• Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.

[/COLOR]

• After reboot, Right-click the Dr.Web log on the desktop and choose Open With > Notepad
  
• Copy and paste that log in the next reply

[Google]

HAHAHAHA this doesn't work either.....Just freezes. Second time I've tried it too....

[evilfantasy]

If this doesn't work I'm not sure what to tell you. Time for a repair install or re-install....

Run this online scan.

This scanner requires Internet Explorer

Use the ESET Nod32 Online Scanner

1. Check the box next to YES, I accept the Terms of Use.
2. Click Start
3. When asked, allow the activex control to install
4. Click Start
5. Make sure that the option Remove found threats and the option Scan unwanted applications is check marked.
6. Click Scan
7. Wait for the scan to finish
8. Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
9. Add the C:\Program Files\EsetOnlineScanner\log.txt log into your next reply.

[Google]

Ok, that didnt work but I got the drwebcureit to work:

psexec.cfexe;C:\32788R22FWJFW;Program.PsExec.171;;
Cheat Engine.exe;C:\Documents and Settings\User\My Documents\CE\Cheat Engine;Trojan.DownLoader.53869;Deleted.;
EmptyProcess.exe;C:\Documents and Settings\User\My Documents\CE\Cheat Engine;Win32.HLLW.Viking.34;Deleted.;
pscan.dll;C:\Documents and Settings\User\My Documents\CE\Cheat Engine;Trojan.Starter.585;Deleted.;
DXwnd.exe;C:\Documents and Settings\User\My Documents\DxWND;Trojan.PWS.Akak.13;Deleted.;
GameMon.des;C:\Program Files\Nexon\MapleStory\GameGuard;Trojan.Packed.650;Deleted.;
Dc105.exe\32788R22FWJFW\psexec.cfexe;C:\RECYCLER\S-1-5-21-1445563323-3637782785-1872043566-1004\Dc105.exe;Program.PsExec.171;;
Dc105.exe;C:\RECYCLER\S-1-5-21-1445563323-3637782785-1872043566-1004;Archive contains infected objects;Moved.;
Dc113.exe\SDFix\apps\Process.exe;C:\RECYCLER\S-1-5-21-1445563323-3637782785-1872043566-1004\Dc113.exe;Tool.Prockill;;
Dc113.exe;C:\RECYCLER\S-1-5-21-1445563323-3637782785-1872043566-1004;Archive contains infected objects;Moved.;
Dc61.exe\data023;C:\RECYCLER\S-1-5-21-1445563323-3637782785-1872043566-1004\Dc61.exe;Trojan.Popuper.7010;;
Dc61.exe;C:\RECYCLER\S-1-5-21-1445563323-3637782785-1872043566-1004;Archive contains infected objects;Moved.;
Dc96.exe;C:\RECYCLER\S-1-5-21-1445563323-3637782785-1872043566-1004;Trojan.DownLoad.5987;Deleted.;
Process.exe;C:\SDFix\apps;Tool.Prockill;;
A0175675.dll;C:\System Volume Information\_restore{BD387D2C-FBB8-431A-A31D-0CEE57379E91}\RP126;Trojan.Popuper.7010;Deleted.;
A0182769.exe\32788R22FWJFW\psexec.cfexe;C:\System Volume Information\_restore{BD387D2C-FBB8-431A-A31D-0CEE57379E91}\RP127\A0182769.exe;Program.PsExec.171;;
A0182769.exe;C:\System Volume Information\_restore{BD387D2C-FBB8-431A-A31D-0CEE57379E91}\RP127;Archive contains infected objects;Moved.;
A0186078.exe;C:\System Volume Information\_restore{BD387D2C-FBB8-431A-A31D-0CEE57379E91}\RP128;Tool.Prockill;;
A0187233.exe;C:\System Volume Information\_restore{BD387D2C-FBB8-431A-A31D-0CEE57379E91}\RP128;Tool.Prockill;;
A0187720.dll;C:\System Volume Information\_restore{BD387D2C-FBB8-431A-A31D-0CEE57379E91}\RP130;Trojan.DownLoad.5987;Deleted.;
A0187721.dll;C:\System Volume Information\_restore{BD387D2C-FBB8-431A-A31D-0CEE57379E91}\RP130;Trojan.Popuper.7010;Deleted.;
stream000\prls;C:\System Volume Information\_restore{BD387D2C-FBB8-431A-A31D-0CEE57379E91}\RP130\A0187722.msi\stream000;Program.ProxyOSS.38;;
stream000\prmrsr;C:\System Volume Information\_restore{BD387D2C-FBB8-431A-A31D-0CEE57379E91}\RP130\A0187722.msi\stream000;Program.ProxyOSS.38;;
stream000;C:\System Volume Information\_restore{BD387D2C-FBB8-431A-A31D-0CEE57379E91}\RP130\A0187722.msi;Archive contains infected objects;;
A0187722.msi;C:\System Volume Information\_restore{BD387D2C-FBB8-431A-A31D-0CEE57379E91}\RP130;Archive contains infected objects;Moved.;
A0189244.des;C:\System Volume Information\_restore{BD387D2C-FBB8-431A-A31D-0CEE57379E91}\RP131;Trojan.Packed.650;Deleted.;
A0189400.exe\32788R22FWJFW\psexec.cfexe;C:\System Volume Information\_restore{BD387D2C-FBB8-431A-A31D-0CEE57379E91}\RP132\A0189400.exe;Program.PsExec.171;;
A0189400.exe;C:\System Volume Information\_restore{BD387D2C-FBB8-431A-A31D-0CEE57379E91}\RP132;Archive contains infected objects;Moved.;
A0189402.exe\SDFix\apps\Process.exe;C:\System Volume Information\_restore{BD387D2C-FBB8-431A-A31D-0CEE57379E91}\RP132\A0189402.exe;Tool.Prockill;;
A0189402.exe;C:\System Volume Information\_restore{BD387D2C-FBB8-431A-A31D-0CEE57379E91}\RP132;Archive contains infected objects;Moved.;
A0189403.exe\data023;C:\System Volume Information\_restore{BD387D2C-FBB8-431A-A31D-0CEE57379E91}\RP132\A0189403.exe;Trojan.Popuper.7010;;
A0189403.exe;C:\System Volume Information\_restore{BD387D2C-FBB8-431A-A31D-0CEE57379E91}\RP132;Archive contains infected objects;Moved.;
A0189404.exe;C:\System Volume Information\_restore{BD387D2C-FBB8-431A-A31D-0CEE57379E91}\RP132;Trojan.DownLoad.5987;Deleted.;
WeatherBug.exe;E:\WINDOWS\system32;Adware.Minibug;;
A0183477.dll;I:\System Volume Information\_restore{BD387D2C-FBB8-431A-A31D-0CEE57379E91}\RP127;Program.InspectorSpy;;
A0183478.dll;I:\System Volume Information\_restore{BD387D2C-FBB8-431A-A31D-0CEE57379E91}\RP127;Trojan.KeyLogger;Deleted.;
A0183480.exe;I:\System Volume Information\_restore{BD387D2C-FBB8-431A-A31D-0CEE57379E91}\RP127;Trojan.KeyLogger;Deleted.;
DXwnd.exe;I:\Program Files\Maplestory;Trojan.PWS.Akak.13;Deleted.;
GameMon.des;I:\Program Files\Maplestory\GameGuard;Trojan.Packed.650;Deleted.;
you can be my superstar.mp3;I:\Program Files\FrostWire\Songs;Trojan.Click.18899;Incurable.Moved.;
T-5745425-Superheist - Two Faced (Check your head up).mp3;I:\Program Files\FrostWire\Incomplete;Trojan.Click.18899;Incurable.Moved.;
EmptyProcess.exe;I:\Cheat Engine;Win32.HLLW.Viking.34;Deleted.;

[evilfantasy]

Try ESET again.

[Google]

Ok, well that worked also:

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3556 (20081026)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=d12f1a432da3a740a61da4e1bdc1b417
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-10-26 10:07:42
# local_time=2008-10-26 03:07:42 (****, ********** Time)
# country="*****"
# osver=5.1.2600 NT Service Pack 2
# scanned=587277
# found=2
# scan_time=16953
C:\Documents and Settings\User\DoctorWeb\Quarantine\T-5745425-Superheist - Two Faced (Check your head up).mp3   a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned)   EDCE69BFB92090AACF5E361955A1FE09
C:\Documents and Settings\User\DoctorWeb\Quarantine\you can be my superstar.mp3   WMA/TrojanDownloader.Wimad.N trojan (unable to clean - deleted)   00000000000000000000000000000000

[evilfantasy]

Looks like everything has been cleaned up.

How is everything now?

[Google]

Seems fine, thanks alot. Anything else I need to do?

[evilfantasy]

Set a New Restore Point to prevent possible reinfection from an old one
Setting a new restore point AFTER cleaning your system will enable your computer to roll-back to a clean working state if needed.

• Go to Start > Programs > Accessories > System Tools and click System Restore
  
• Choose the radio button marked Create a Restore Point on the first screen then click Next Give the Restore Point a name then click Create.
  
• The new restore point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
• Next go to Start > Run and type Cleanmgr
  
• Click OK
  
• Click the More Options Tab.
  
• Click Clean Up in the System Restore section to remove all previous restore points except the newly created clean one.

You can find instructions on how to enable and re-enable system restore here:

Windows XP System Restore Guide or Windows Vista System Restore Guide