Virus creating a text file at my desktop

An unknown virus is creating a text file on my desktop and is also running processes like cmd.exe, xcopy.exe, reg.exe. The consequences are: it has removed Folder Options, Task Manager, regedit etc. The most irritating part is that it shuts down Windows after some time (not a restart). If I manage to kill processes like cmd.exe (by enabling it from gpedit.msc), then the virus doesn't shut down the PC or doesn't spread if a pen drive is inserted. But when I restart the PC it starts once again.
I have checked the drives by showing hidden system files and folders, where it creates a vbb.exe folder and an autorun.inf file.
I have checked the process through the process viewer from Microsoft, which shows that the cmd.exe process is running under the medeaplayer.exe folder in that process window, which resides in system32\usmt\. I have checked manually and I haven't got any file like that in that usmt folder.

Help me out... plz

Flash Drive Disinfector
Download Flash_Disinfector.exe by sUBs and save it to your desktop.
Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
Wait until it has finished scanning and then exit the program.
Reboot your computer when done.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this; it will help stop the spread of future infection.

Then show us a Hijackthis log.

Open Hijackthis and click "Do a system scan and save a logfile". Please don't fix anything yet.
Please attach the logfile as "Code Snippet".
saakib (Author) Commented:

I am sending here the text file from Hijackthis and a screenshot from Process Explorer where the process responsible for this is marked in black. The process shows its origin at C:\windows\system32\usmt\
but I'm not getting any trace there (no existence of those types of file).

One more thing: I just need to clean my PC; the affected pen drive has been formatted.

Fix these entries in Hijackthis:
O4 - HKLM\..\Run: [ABUGCHECK] C:\WINDOWS\system32\usmt\pos.bat  
O4 - HKLM\..\Run: [VBB] C:\WINDOWS\system32\usmt\mediaplayer.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

And delete these files below:

Also try running these tools and show us the logfiles.
1.  Download SDFix and save it to your desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
*  Instead of Windows loading as normal, a menu with options should appear;
*  Select the first option, to run Windows in Safe Mode, then press "Enter".
*  Choose your usual account.

*  Open the extracted folder and double click "RunThis.bat" to start the script.
*  Type "Y" to begin the script.
*  It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
*  Press any Key and it will restart the PC.
*  Your system will take longer than normal to restart as the fixtool will be running and removing files.
*  When the desktop loads the Fixtool will complete the removal and display "Finished", then press any key to end the script and load your desktop icons.
*  Finally open the SDFix folder on your desktop and copy and attach the contents of the results file "Report.txt" back

2.  Download ComboFix to your Desktop, from either of these locations:

You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
Re-enable all the programs that were disabled during the running of ComboFix.

Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
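
A triage pass over the HijackThis entries quoted in this thread, as an added example that is not part of the original posts or of HijackThis itself: it flags Run-key autostarts that are scripts or live under `system32\usmt`, and `Disable*` policy values such as `DisableRegedit=1`. The heuristics, the function names and the `ExampleUpdater` line are assumptions made for illustration.

```python
import re
from ntpath import splitext  # Windows path rules on any host OS

# Constructed sample: the three entries quoted in this thread plus one
# made-up benign entry (ExampleUpdater) for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ABUGCHECK] C:\WINDOWS\system32\usmt\pos.bat
O4 - HKLM\..\Run: [VBB] C:\WINDOWS\system32\usmt\mediaplayer.exe
O4 - HKLM\..\Run: [ExampleUpdater] "C:\Program Files\Example\updater.exe" /background
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O7_RE = re.compile(r"^O7 - HK\w+\\.+, (?P<value>Disable\w+)=(?P<data>\d+)$")
# Quoted path, or unquoted text up to the first executable-looking extension.
TARGET_RE = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|bat|cmd|vbs|js|scr|com|pif))(?=\s|$)', re.I)

# Assumed heuristics, not HijackThis features: script files launched from a
# Run key, and autostarts living in directories that normally hold none.
SCRIPT_EXTS = {".bat", ".cmd", ".vbs", ".js"}
WATCH_DIRS = ("\\system32\\usmt\\",)

def target_path(cmd):
    """Extract the program path from a Run-key command line."""
    m = TARGET_RE.match(cmd)
    return (m.group(1) or m.group(2)) if m else cmd.split()[0]

def triage(log_text, watch_dirs=WATCH_DIRS):
    """Return [(entry name, [reasons])] for log lines worth a closer look."""
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        m4, m7 = O4_RE.match(line), O7_RE.match(line)
        reasons = []
        if m4:
            path = target_path(m4["cmd"]).lower()
            if splitext(path)[1] in SCRIPT_EXTS:
                reasons.append("script autostart")
            if any(d in path for d in watch_dirs):
                reasons.append("unusual directory")
        elif m7 and int(m7["data"]) != 0:
            reasons.append("policy lockout")
        if reasons:
            findings.append((m4["name"] if m4 else m7["value"], reasons))
    return findings

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LOG):
        print(f"{name}: {', '.join(reasons)}")
```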

saakib (Author) Commented:
Thanks for your prompt reply. Sorry for the late response :-(

FYI: I'm not getting any entry like C:\WINDOWS\system32\usmt\mediaplayer.exe
so what can I do?

Do I need to run those sdfix and combo fix after fixing through Hijackthis? I can't afford to lose data :-( I am afraid that if anything goes wrong after running those I have no other option rather than suicide (lolz.)

saakib (Author) Commented:
I have done the following things:
Fix these entries in Hijackthis:
O4 - HKLM\..\Run: [ABUGCHECK] C:\WINDOWS\system32\usmt\pos.bat  
O4 - HKLM\..\Run: [VBB] C:\WINDOWS\system32\usmt\mediaplayer.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

And delete these files below:
But the problem is that Post.bat is regenerating after restarting the computer, and those three entries are also being re-created in the hijack tool. Plz help.

Fixing entries in Hijackthis alone will not fix the problem, we need to delete those files as well. If you don't want to run SDFix and or Combofix, tell me, is your System Restore turned on?
If so, then try rolling back to a date before this has happened. Try System Restore back to a date before you got infected.

Start > All Programs > Accessories > System Tools > System Restore
then choose a restore point before you got infected and we'll start from there.

saakib (Author) Commented:
Thanks for your reply.
Sorry, I don't have System Restore enabled. I'm not getting the mediaplayer.exe file to delete.
pos.bat is re-created after deletion.
If u can assure me that nothing will happen to my OS after SDFix and ComboFix, I can try :-(
Plz let me know the steps to be taken.

SDFix.exe and Combofix.exe are very reliable tools and I've used them many times and suggested their use many times, but I can not guarantee that things will go as smoothly as always, so you must use these tools at your own risk.

Try deleting those files in Safe Mode,
then run an online scan afterwards. I'm sorry but I can't assure you that everything will be okay as sometimes things can happen when running any scanners.

saakib (Author) Commented:
**Try deleting those files in Safe Mode, the whole folder C:\WINDOWS\system32\usmt **

Did u mean the entire USMT folder... will it be recreated automatically after the OS is restarted??
I don't think that the OS will start properly without this folder and those files inside it.
Could u plz explain.

Sorry, no, not the whole folder... maybe use a third-party tool like Killbox to delete those files at reboot.

saakib (Author) Commented:
OK, I will get back to u... after trying things...

saakib (Author) Commented:
Hey Dear,
Sorry for the late response!! :-(
I have gone through all the procedures regarding sdfix and combo fix... Yahooooooooooo, it seems it's alright now... plz check the attached log files after fixing and let me know if anything further is required to be done...

Thank you very much....:-)

saakib (Author) Commented:
OK, I have got the answer to my question and the full credit goes to "rpggamergirl".
Thanks a lot for your nice support.

Admin, plz close this question, I have got my solution.

Please close the question (if the problem is solved). You don't need the Admins to close it for you; just click on the "Accept this Solution" button in any of my comments that helped you, thanks!

Looking at the logs:
The above files showing in the logs, whether they still exist or already gone.
Check to make sure they're gone, they're hidden so you need to show hidden files and folder first.

It was a flash-drive infection, so you might like to consider running Flash_Disinfector also. The tool creates a harmless "autorun.inf" in each partition to stop further spread of future flash-drive infection.
Download and run this tool and follow the prompts:
