
Help, I have been attacked - Virus/Malware!  Need help finding and curing!

Posted on 2009-02-20
Last Modified: 2013-11-22
Help! My PC has been attacked. Yesterday several shortcuts were popping up on my desktop (VIP Casino, Cheap Software, Cheap Pharmacy On-Line, Search On-line, SMS Trap) and then good ol' Spyware Protect 2000 and Windowsclick took over (along with, I am sure, a host of nieces and nephews).

I am currently posting this using my laptop.

Anyway, here is what it has caused:

In IE 6, which I don't use much, windows just pop open over and over and I can't stop them. I have to shut down the computer.

In Mozilla Firefox, my default browser, the following is happening, but not limited to:

1. Slow loads on pages.

2. Unable to access help sites such as mybleepingcomputer.com, Maleware.org, or places used to download such things as ComboFix, Hijack This, etc. The page opens up and says: "Mozilla Firefox cannot open web page".

3. I cannot access certain websites past the login page, such as Experts-Exchange and others. The page times out after entering my username and password. Sometimes when I do click on a site that I am trying to get help from, Windowsclick takes over and redirects me to where they want me to go! Another site that is hijacking me is mobilreads.com... another redirecting site/problem.

And in general:
4. When trying to run ComboFix, Spybot, Ewido anti-spy, Smitfraud, Ad-Aware... the programs will not launch. I DID get ComboFix to run (and have attached my most current log below) only by changing its name. I tried that with the others; however, Spybot still won't launch, Ewido starts and then gives an error message, and Ad-Aware starts and then I get the error message that says: "System Error: 1810 has occurred. Description: Service is not on line. Application Terminates." Then when I try to go to their site for support... SEE #2 above! The Ad-Aware logo stays up on my bottom tool bar and I can't close it... I have to go to Task Manager, which shows it's still running... but it ain't!

5. I ran AVG Anti-Virus overnight and it found a Trojan as follows:
 C:\WINNT\System32|wpv 361235072128.cpx. Says it was a Trojan Horse 5Heur2.RLK. Anyway, it took care of it, but nothing I can see has changed.

6. I noticed in my Task Manager that svchost.exe is running 6 different times and using from 4200k to 19,000k in memory. Also, services.exe (shown just like that... all lower case) is running around 3800k. I know I read somewhere that a virus or something under that name exists, but I can't tell it from the normal services.exe... does any of the above here in number 5 have any bearing?

Below are both my most current Log Files from A.) Hijack This and B.) ComboFix

Any help with this would be greatly appreciated!!!!!

Greg

LOG FILE HIJACK THIS:
 
Logfile of HijackThis v1.99.1
Scan saved at 3:31:42 PM, on 02/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
 
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINNT\explorer.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Mozilla Firefox 3 Beta 5\firefox.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Microsoft Works\MSWorks.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Aware2007.exe
C:\Documents and Settings\Owner\My Documents\Greg\ComputerPrograms\HijackThis.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WinGDI Class - {12c7290a-157b-4f43-b109-97e792c598ed} - C:\WINNT\iehost.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~3\COMCAS~1.DLL
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: BHO - {C9C42510-9B21-41c1-9DCD-8382A2D07C61} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~3\COMCAS~1.DLL
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINNT\system32\GPhotos.scr/200
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.comcastsupport.com/sdcxuser/asp/tgctlsr.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINNT\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
 
END
 
LOG FILE COMBOFIX:
 
"Owner" - 2009-02-20 15:36:06    Service Pack 3  
ComboFix 07-05.27.BV - Running from: "C:\Documents and Settings\Owner\Desktop\"
 
 
(((((((((((((((((((((((((((((((   Files Created from 2009-01-20 to 2009-02-20  ))))))))))))))))))))))))))))))))))
 
 
2009-02-19 22:49	49,152	--a------	C:\WINNT\nircmd.exe
2009-02-19 22:26	1,244	--a------	C:\WINNT\system32\tmp.reg
2009-02-19 21:46	11,254	--a------	C:\WINNT\system32\locate.com
2009-02-19 21:45	<DIR>	d--------	C:\MGtools
2009-02-19 21:38	<DIR>	d--------	C:\Program Files\RogueRemover FREE
2009-02-19 21:35	<DIR>	d--------	C:\Deckard
2009-02-19 16:38	<DIR>	d--------	C:\Program Files\XPPoliceAntivirus
2009-02-19 16:37	15,360	--a------	C:\WINNT\iehost.dll
2009-02-19 16:36	<DIR>	d--hs----	C:\WINNT\system32\twain32
2009-02-19 16:35	21,505	--ah-----	C:\WINNT\system32\digeste.dll
2009-02-19 12:39	<DIR>	d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\ALM
2009-02-19 12:30	<DIR>	d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
2009-02-19 12:09	<DIR>	d--------	C:\Program Files\Common Files\Macrovision Shared
2009-02-16 15:44	815,104	--a------	C:\WINNT\system32\xvidcore.dll
2009-02-16 15:44	180,224	--a------	C:\WINNT\system32\xvidvfw.dll
2009-02-16 15:44	<DIR>	d--------	C:\Program Files\Xvid
2009-02-15 17:42	41,472	--a------	C:\WINNT\Dkilecuguv.dll
2009-02-15 17:36	<DIR>	d--------	C:\Program Files\uTorrent
2009-02-15 17:36	<DIR>	d--------	C:\DOCUME~1\Owner\APPLIC~1\uTorrent
2009-02-09 11:51	111,020	--ah-----	C:\WINNT\system32\mlfcache.dat
2009-02-09 11:36	9,200	---------	C:\WINNT\system32\drivers\cdralw2k.sys
2009-02-09 11:36	9,072	---------	C:\WINNT\system32\drivers\cdr4_xp.sys
2009-02-09 11:35	<DIR>	d--------	C:\WINNT\system32\IOSUBSYS
2009-02-09 11:24	991,232	--a------	C:\WINNT\vuesav32.scr
2009-02-08 18:21	<DIR>	d--h-----	C:\$AVG8.VAULT$
2009-02-08 18:12	325,128	--a------	C:\WINNT\system32\drivers\avgldx86.sys
2009-02-08 18:12	107,272	--a------	C:\WINNT\system32\drivers\avgtdix.sys
2009-02-08 18:12	10,520	--a------	C:\WINNT\system32\avgrsstx.dll
2009-02-08 18:12	<DIR>	d--------	C:\WINNT\system32\drivers\Avg
2009-02-08 18:12	<DIR>	d--------	C:\DOCUME~1\Owner\APPLIC~1\AVGTOOLBAR
2009-02-08 18:11	<DIR>	d--------	C:\Program Files\AVG
2009-02-08 18:11	<DIR>	d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\avg8
2009-02-08 17:09	1,048,576	--a------	C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2009-02-08 17:09	<DIR>	d--------	C:\DOCUME~1\ADMINI~1\APPLIC~1\Symantec
2009-02-08 17:09	<DIR>	d--------	C:\DOCUME~1\ADMINI~1\APPLIC~1\InterTrust
2009-02-08 17:09	<DIR>	d--------	C:\DOCUME~1\ADMINI~1\APPLIC~1\Apple Computer
2009-02-08 13:52	<DIR>	d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee
2009-02-08 12:46	<DIR>	d--------	C:\DOCUME~1\Owner\APPLIC~1\Move Networks
 
 
((((((((((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))))
 
2009-02-20 21:04:22	--------	d-----w	C:\Program Files\Mozilla Firefox 3 Beta 5
2009-02-20 02:12:14	--------	d-----w	C:\DOCUME~1\Owner\APPLIC~1\ComcastToolbar
2009-02-19 05:13:26	--------	d-----w	C:\Program Files\Incomplete
2009-02-19 04:02:32	--------	d-----w	C:\Program Files\LimeWire
2009-02-18 19:26:32	--------	d-----w	C:\DOCUME~1\Owner\APPLIC~1\Arcsoft
2009-02-10 23:26:56	--------	d-----w	C:\DOCUME~1\Owner\APPLIC~1\WeatherBug
2009-02-09 17:35:45	--------	d-----w	C:\Program Files\Google
2009-01-12 19:36:39	60,808	----a-w	C:\WINNT\system32\S32EVNT1.DLL
2009-01-12 19:36:39	124,464	----a-w	C:\WINNT\system32\drivers\SYMEVENT.SYS
2009-01-05 22:33:03	3,751,995	----a-w	C:\WINNT\system32\GPhotos.scr
2009-01-02 03:31:18	--------	d-----w	C:\Program Files\Coupons
2008-12-22 15:51:52	809	----a-w	C:\WINNT\eReg.dat
 
 
((((((((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))
 
 
*Note* empty entries & legit default entries are not shown 
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{12c7290a-157b-4f43-b109-97e792c598ed}=C:\WINNT\iehost.dll [2009-02-19 16:37]
{18DF081C-E8AD-4283-A596-FA578C2EBDC3}=C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2008-06-11 21:33]
{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}=C:\Program Files\AVG\AVG8\avgssie.dll [2009-02-08 18:11]
{4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29}=C:\PROGRA~1\COMCAS~3\COMCAS~1.DLL [2006-11-07 13:21]
{A057A204-BACC-4D26-9990-79A187E2698E}=C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [2009-02-08 18:12]
{AE7CD045-E861-484f-8273-0445EE161910}=C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll [2003-05-15 00:03]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2009-02-08 18:11]
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2008-04-13 18:12]
 
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"SRUUninstall"="C:\WINNT\System32\msiexec.exe" /L*v C:\WINNT\TEMP\SND532unin.txt /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress
"RunNarrator"=Narrator.exe
 
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Symantec NetDriver Warning"=C:\PROGRA~1\SYMNET~1\SNDWarn.exe
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
 
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"=1 (0x1)
"AllowUnhashedWebView"=1 (0x1)
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
avgrsstx.dll
 
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINNT\pss\Adobe Reader Speed Launch.lnkCommon Startup
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Palm\HotSync Manager.lnk
backup=C:\WINNT\pss\HotSync Manager.lnkCommon Startup
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINNT\pss\Microsoft Office.lnkCommon Startup
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
backup=C:\WINNT\pss\Microsoft Works Calendar Reminders.lnkCommon Startup
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkbMonitor.exe.lnk]
backup=C:\WINNT\pss\NkbMonitor.exe.lnkCommon Startup
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
backup=C:\WINNT\pss\WinZip Quick Pick.lnkCommon Startup
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Joost.lnk]
backup=C:\WINNT\pss\Joost.lnkStartup
 
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINNT\system32\ctfmon.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ddoctorv2]
"C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GWMDMMSG]
GWMDMMSG.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GWMDMpi]
C:\WINNT\GWMDMpi.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINNT\System32\hkcmd.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\I&F Viewer toolbar]
"C:\Program Files\Photo Toolkit\ivbar\phototoolkitmem.exe" -start
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINNT\System32\igfxtray.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KEMailKb]
C:\PROGRA~1\MICROI~1\INTERN~1\KEMailKb.EXE
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
Logi_MwX.Exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ltho]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Media Gateway]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\WINNT\$hf_mig$\KB887472\SP2QFE\msmsgs.exe" /background
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Photoshop Image Service]
photoshop2.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PTPRoyUpdater]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PTPUpdater]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]
"C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Weather]
C:\Program Files\AWS\WeatherBug\Weather.exe 1
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Registry Repair Pro]
C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zBrowser Launcher]
C:\Program Files\Logitech\iTouch\iTouch.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zdrinit]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"xmlprov"=3 (0x3)
"WudfSvc"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"WmiApSrv"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"VSS"=3 (0x3)
"UPS"=3 (0x3)
"upnphost"=3 (0x3)
"TermService"=3 (0x3)
"TapiSrv"=3 (0x3)
"SysmonLog"=3 (0x3)
"SwPrv"=3 (0x3)
"SSDPSRV"=3 (0x3)
"SCardSvr"=3 (0x3)
"SAVScan"=2 (0x2)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"NtmsSvc"=3 (0x3)
"NtLmSsp"=3 (0x3)
"Nla"=3 (0x3)
"Netlogon"=3 (0x3)
"napagent"=3 (0x3)
"MSDTC"=3 (0x3)
"mnmsrvc"=3 (0x3)
"LiveUpdate"=3 (0x3)
"ImapiService"=3 (0x3)
"IDriverT"=3 (0x3)
"HTTPFilter"=3 (0x3)
"hkmsvc"=3 (0x3)
"getPlus(R) Helper"=3 (0x3)
"Fax"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
"FastTrakSvc"=2 (0x2)
"EventSystem"=3 (0x3)
"Eventlog"=2 (0x2)
"ERSvc"=2 (0x2)
"EapHost"=3 (0x3)
"Dot3svc"=3 (0x3)
"dmserver"=3 (0x3)
"dmadmin"=3 (0x3)
"CryptSvc"=3 (0x3)
"clr_optimization_v2.0.50727_32"=3 (0x3)
"CiSvc"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"aawservice"=2 (0x2)
"WinDefend"=2 (0x2)
"sprtsvc_ddoctorv2"=2 (0x2)
"SNDSrvc"=3 (0x3)
"gusvc"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs	eaphost
dot3svc	dot3svc
 
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*
napagent
	
*Newly Created Service* - NMSCFG
*Newly Created Service* - NMSSVC
 
Contents of the 'Scheduled Tasks' folder
2008-10-09 01:20:55  C:\WINNT\tasks\AppleSoftwareUpdate.job
2008-10-15 06:47:22  C:\WINNT\tasks\MP Scheduled Scan.job
2005-12-24 21:45:34  C:\WINNT\tasks\XoftSpy.job
 
********************************************************************
 
catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-20 15:41:55
Windows 5.1.2600 Service Pack 3 NTFS
 
scanning hidden processes ...
 
scanning hidden autostart entries ...
 
scanning hidden files ...
 
disk error: C:\WINNT\
 
please note that you need administrator rights to perform deep scan
 
********************************************************************
 
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\UACd.sys]
"imagepath"="\systemroot\system32\drivers\UACwelnnxel.sys"
 
Completion time: 2009-02-20 15:43:27
C:\ComboFix-quarantined-files.txt ... 2009-02-20 15:42
C:\ComboFix2.txt ... 2009-02-20 00:16
C:\ComboFix3.txt ... 2009-02-19 23:12
 
	--- E O F ---

Question by:GiforGOD
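As an added example (not part of the thread or any of the tools mentioned in it), here is a small Python triage script for the HijackThis log format posted above. It answers the author's question 6 by checking that the core system processes run only from system32 and that singleton processes (smss, winlogon, services, lsass) appear exactly once, and it flags orphaned "(no file)" O2/O3 entries, modules dropped straight into the Windows directory (like the iehost.dll BHO in the log), and Winlogon Notify hooks for vendor review. The sample log is constructed from a handful of lines in the posted log plus one fabricated rogue services.exe path to exercise the duplicate/location check.

```python
"""Triage a HijackThis v1.99-style log for common persistence and masquerading signs."""
import re
from collections import Counter

# Windows XP starts these exactly once, and only from %SystemRoot%\system32.
SINGLETON_SYSTEM = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe"}
# These legitimately run several times, but still only from system32.
MULTI_SYSTEM = {"svchost.exe"}
RANK = {"HIGH": 0, "LOW": 1, "INFO": 2}

# Constructed excerpt: lines modelled on the posted log, plus a fabricated
# C:\WINNT\services.exe (NOT from the real log) so the checks have something to catch.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP3 (WinNT 5.01.2600)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\services.exe
C:\Program Files\AVG\AVG8\avgtray.exe

O2 - BHO: WinGDI Class - {12c7290a-157b-4f43-b109-97e792c598ed} - C:\WINNT\iehost.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O20 - Winlogon Notify: avgrsstarter - C:\WINNT\SYSTEM32\avgrsstx.dll
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
"""


def parse_hjt(text):
    """Split a HijackThis log into running-process paths and (code, body) entries."""
    processes, entries = [], []
    in_procs = False
    for line in text.splitlines():
        line = line.strip()
        if line.lower().startswith("running processes:"):
            in_procs = True
            continue
        if not line:
            in_procs = False  # a blank line ends the process list
            continue
        if in_procs:
            processes.append(line)
            continue
        m = re.match(r"^(O\d+|R\d|F\d) - (.*)$", line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return processes, entries


def triage(text):
    """Return findings as (severity, section, detail) tuples, highest severity first."""
    processes, entries = parse_hjt(text)
    findings = []

    # Derive %SystemRoot% from smss.exe, which always lives in system32.
    smss = [p for p in processes if p.lower().endswith("\\smss.exe")]
    sysroot = smss[0].rsplit("\\", 2)[0].lower() if smss else "c:\\windows"
    system32 = sysroot + "\\system32"

    names = Counter()
    for p in processes:
        directory, _, name = p.rpartition("\\")
        name = name.lower()
        names[name] += 1
        if name in SINGLETON_SYSTEM | MULTI_SYSTEM and directory.lower() != system32:
            findings.append(("HIGH", "process",
                             f"{name} running from {directory} (expected {system32})"))
    for name, n in names.items():
        if name in SINGLETON_SYSTEM and n > 1:
            findings.append(("HIGH", "process",
                             f"{name} appears {n} times; only one instance is expected"))

    for code, body in entries:
        module = body.rpartition(" - ")[2].strip()
        if code in ("O2", "O3") and module.lower() == "(no file)":
            findings.append(("LOW", code, f"orphaned entry: {body}"))
            continue
        # A BHO, notify DLL or service binary sitting directly in the Windows
        # directory (not system32 or Program Files) is a classic drop location.
        if code in ("O2", "O20", "O23") and module.rpartition("\\")[0].lower() == sysroot:
            findings.append(("HIGH", code, f"module in Windows root: {module}"))
        if code == "O20":
            findings.append(("INFO", code, f"Winlogon Notify hook, verify vendor: {body}"))

    findings.sort(key=lambda f: (RANK[f[0]], f[1], f[2]))
    return findings


if __name__ == "__main__":
    for severity, section, detail in triage(SAMPLE_LOG):
        print(f"[{severity}] {section}: {detail}")
```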
 
LVL 27

Assisted Solution

by:David-Howard
David-Howard earned 800 total points
ID: 23696963
Prior to running any anti-virus/malware suite disable System Restore. Directions can be found here:
http://support.microsoft.com/kb/310405
If you are unable to view the above link follow these steps.
Click Start, right-click My Computer, and then click Properties.
In the System Properties dialog box, click the System Restore tab.
Click to select the Turn off System Restore check box. Or, click to select the Turn off System Restore on all drives check box.
Click OK.
When you receive the following message, click Yes to confirm that you want to turn off System Restore:
You have chosen to turn off System Restore. If you continue, all existing restore points will be deleted, and you will not be able to track or undo changes to your computer.
Do you want to turn off System Restore?
After a few moments, the System Properties dialog box closes.
Reboot into Safe Mode (F8 at startup) and run your antimalware/antivirus scans.
When you have finished running your scans and the threats have been removed enable System Restore.
Steps to turn on System Restore:
Click Start, right-click My Computer, and then click Properties.
In the System Properties dialog box, click the System Restore tab.
Click to clear the Turn off System Restore check box. Or, click the Turn off System Restore on all drives check box.
Click OK.
After a few moments, the System Properties dialog box closes.
If you can get into Safe Mode and run your scans, ComboFix and another trusted suite (Malwarebytes) should remove the threat.
www.malwarebytes.org
The program is small enough that you can copy it from another system and install it on your own via a thumb drive.
If you can copy Malwarebytes from another location, download HijackThis as well.
http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download
Once you run the utility save the log file.
You can post it for free analysis here or at
www.hijackthis.de
 
LVL 8

Expert Comment

by:Dirtpatch-Jenkins
ID: 23697001
David's recommendations will do the job, but I would suggest that while you're already in safe mode you go ahead and go to Control Panel, Add/Remove Programs and remove anything suspicious or unused.
Also go to Start - Run - type in msconfig, then select the Startup tab and uncheck anything you don't want to run at startup.

Then, when you have a chance, if you don't have one, create a limited user account and use that for your everyday usage.

Good luck to you.
 
LVL 4

Expert Comment

by:brawney
ID: 23697014
I had this happen to me recently as well as to a friend of mine.  I ran various anti-virus products (AVG for example - http://free.avg.com/) and Spy Bot Search and Destroy (http://www.safer-networking.org/en/index.html) - both are free.  This took forever but was able to clean all the junk off the system.

These attacks are so annoying.  It makes the machine unusable.  It is so frustrating.  These people should be castrated.

I got attacked by this virus / malware while running Firefox 3 one day.  I thought FF was less prone to these attacks.  I believe the attacks are coming in via Java applets, not JavaScript, so I have since disabled Java in both FF and IE.  In FF the setting is in Tools - Options - Content (button) and it's a check box named "Enable Java".  Have not had the problem since.  This won't help you clean your system, but it may help you in the future.

Good luck.
 

Expert Comment

by:antang
ID: 23697147
I had a couple of computers (one here at my office and another a friend's) that even after running different anti-virus products (AVG, Ad-Aware, Spy Bot, Clam) and cleaning the systems, they still could not recover the changes they did to browsers and system.

I got an external drive and copied all the user data, formatted the hard drive and reinstalled Windows.  I then made sure Windows was updated and installed anti-virus software, and made sure to scan the files again that I saved to the external drive before copying back to the computer.

You may want to try doing this if you have the time and all your programs that you had installed available.

Good luck,
 

Author Comment

by:GiforGOD
ID: 23697293
Okay, did as David said...disabled System Restore and started back in safe mode. The following occurred:
1. Still could not run Ad-Aware and got new error message: Exception EAccesViolation in module AD-Aware 2007.exe at 001DD084
2. Spybot would not launch.
3. Rogue Remover says I'm clean (won't count on it anymore).
4. Combofix started to run and then said it found a ReTool something or other and wanted to restart the computer....I didn't want to take a chance so I clicked out of it.
5. I ran HiJack This again and have log posted below.
6. I ran AVG and it detected and cleaned 16 infections and have also posted that log below.
7. I went through Control Panel in Safe Mode as Dirtpatch-Jenkins said to, however, didn't see anything there that I didn't recognize.

Here is the log from AVG and the HijackThis log from the scan in Safe Mode.

I now have to log off this computer and re-connect my PC to the internet. I will get back to you and let you know if these things worked, albeit limited in ability to run some of the programs that David suggested.

Back in a bit and thanks so far!
AVG 8.0 Anti-Virus command line scanner
Copyright (c) 1992 - 2008 AVG Technologies
Program version 8.0.228, engine 8.0.237
Virus Database: Version 270.11.1/1962  2009-02-20
 
\\?\globalroot\systemroot\system32\UACmrisqxnv.dll Trojan horse Generic12.BRSC Object was moved to Virus Vault.
C:\WINNT\system32\winlogon.exe (212) Trojan horse Generic12.BRSC Object was moved to Virus Vault.
\\?\globalroot\systemroot\system32\UACmrisqxnv.dll Trojan horse Generic12.BRSC Object was moved to Virus Vault.
C:\WINNT\system32\services.exe (256) Trojan horse Generic12.BRSC Object was moved to Virus Vault.
\\?\globalroot\systemroot\system32\UACmrisqxnv.dll Trojan horse Generic12.BRSC Object was moved to Virus Vault.
C:\WINNT\system32\lsass.exe (268) Trojan horse Generic12.BRSC Object was moved to Virus Vault.
\\?\globalroot\systemroot\system32\UACmrisqxnv.dll Trojan horse Generic12.BRSC Object was moved to Virus Vault.
C:\WINNT\system32\svchost.exe (560) Trojan horse Generic12.BRSC Object was moved to Virus Vault.
\\?\globalroot\systemroot\system32\UACmrisqxnv.dll Trojan horse Generic12.BRSC Object was moved to Virus Vault.
C:\WINNT\explorer.exe (772) Trojan horse Generic12.BRSC Object was moved to Virus Vault.
\\?\globalroot\systemroot\system32\UACmrisqxnv.dll Trojan horse Generic12.BRSC Object was moved to Virus Vault.
C:\Program Files\AVG\AVG8\avgui.exe (1328) Trojan horse Generic12.BRSC Object was moved to Virus Vault.
\\?\globalroot\systemroot\system32\UACmrisqxnv.dll Trojan horse Generic12.BRSC Object was moved to Virus Vault.
C:\Program Files\AVG\AVG8\avgscanx.exe (1308) Trojan horse Generic12.BRSC Object was moved to Virus Vault.
\\?\globalroot\systemroot\system32\UACmrisqxnv.dll Trojan horse Generic12.BRSC Object was moved to Virus Vault.
C:\Program Files\AVG\AVG8\avgcsrvx.exe (1296) Trojan horse Generic12.BRSC Object was moved to Virus Vault.
 
------------------------------------------------------------
Objects scanned     : 146437
Found infections    :   16
Found PUPs          :    0
Healed infections   :   16
Healed PUPs         :    0
Warnings            :    0
------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 4:44:33 PM, on 2/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
 
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\hijackthis\HijackThis.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.gateway.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WinGDI Class - {12c7290a-157b-4f43-b109-97e792c598ed} - C:\WINNT\iehost.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~3\COMCAS~1.DLL
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: BHO - {C9C42510-9B21-41c1-9DCD-8382A2D07C61} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~3\COMCAS~1.DLL
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINNT\system32\GPhotos.scr/200
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.comcastsupport.com/sdcxuser/asp/tgctlsr.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINNT\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe


0
 
LVL 27

Expert Comment

by:David-Howard
ID: 23697369
Okay, your system is hammered. The following entries state that they were moved to a virus vault and are listed as Trojans.
 
\\?\globalroot\systemroot\system32\UACmrisqxnv.dll Trojan horse Generic12.BRSC Object was moved to Virus Vault.
C:\WINNT\system32\winlogon.exe (212) Trojan horse Generic12.BRSC Object was moved to Virus Vault.
\\?\globalroot\systemroot\system32\UACmrisqxnv.dll Trojan horse Generic12.BRSC Object was moved to Virus Vault.
C:\WINNT\system32\services.exe (256) Trojan horse Generic12.BRSC Object was moved to Virus Vault.
\\?\globalroot\systemroot\system32\UACmrisqxnv.dll Trojan horse Generic12.BRSC Object was moved to Virus Vault.
C:\WINNT\system32\lsass.exe (268) Trojan horse Generic12.BRSC Object was moved to Virus Vault.
\\?\globalroot\systemroot\system32\UACmrisqxnv.dll Trojan horse Generic12.BRSC Object was moved to Virus Vault.
C:\WINNT\system32\svchost.exe (560) Trojan horse Generic12.BRSC Object was moved to Virus Vault.
\\?\globalroot\systemroot\system32\UACmrisqxnv.dll Trojan horse Generic12.BRSC Object was moved to Virus Vault.
C:\WINNT\explorer.exe (772) Trojan horse Generic12.BRSC Object was moved to Virus Vault.
\\?\globalroot\systemroot\system32\UACmrisqxnv.dll Trojan horse Generic12.BRSC Object was moved to Virus Vault.
C:\Program Files\AVG\AVG8\avgui.exe (1328) Trojan horse Generic12.BRSC Object was moved to Virus Vault.
\\?\globalroot\systemroot\system32\UACmrisqxnv.dll Trojan horse Generic12.BRSC Object was moved to Virus Vault.
C:\Program Files\AVG\AVG8\avgscanx.exe (1308) Trojan horse Generic12.BRSC Object was moved to Virus Vault.
\\?\globalroot\systemroot\system32\UACmrisqxnv.dll Trojan horse Generic12.BRSC Object was moved to Virus Vault.
C:\Program Files\AVG\AVG8\avgcsrvx.exe (1296) Trojan horse Generic12.BRSC Object was moved to Virus Vault.
--------------------------------------
Unknown application. Remove if you cannot determine its origin.
O2 - BHO: WinGDI Class - {12c7290a-157b-4f43-b109-97e792c598ed} - C:\WINNT\iehost.dll
Unnecessary entries. Can be removed.
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: BHO - {C9C42510-9B21-41c1-9DCD-8382A2D07C61} - (no file)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.comcastsupport.com/sdcxuser/asp/tgctlsr.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
Your log file is clean minus the entries I listed.
Please run Combofix and allow it to finish running.
Restart your computer and test your internet connection.
If it does not work, then click Start ->Settings and Control Panel.
Select Network connections. Locate your connection and right click on it.
In the menu click the Repair option. When the repair process has finished, your connection should be working again. Reboot to test.



0
 

Expert Comment

by:adamant40
ID: 23697399
I have been having really good results running Malwarebytes' Anti-Malware software. It's free, it doesn't add any running tasks, and it has fixed 3 systems that I spent hours on with other utilities. Worth trying
The website is www.malwarebytes.org and you can download it from download.com

http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?part=dl-10804572&subj=dl&tag=button  
0
 
LVL 27

Expert Comment

by:David-Howard
ID: 23697443
Adman,
Thank you for the input but he's tried your suggestions. At this point he's fighting just to get applications to launch.
0
 

Author Comment

by:GiforGOD
ID: 23697450
David and everyone else: Here is where I am at since your last posting David....

Okay, after running AVG in safe mode and getting 16 items cleaned, I then downloaded Malware on my thumbdrive from the connection I have on my laptop. Upon restarting computer, ComboFix came up and ran its scan (a log from it is below). The computer then started up. The system restore was already in the "on" position.

When I went to install the Malware....it wouldn't launch the install...until I changed its name. It then installed but when I went to run it...it wouldn't launch.

I then restarted again in Safe Mode and tried to run the Malware....but it wouldn't run in Safe Mode either.....

Going to reconnect PC and internet, follow David's newest steps and see. I will be back.

Thanks in advance - See Attached Combofix log from last run out of Safe Mode:
ComboFix 08-08-27.06 - Owner 2009-02-20 17:33:44.4 - NTFSx86
 
 
[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.
- REDUCED FUNCTIONALITY MODE -
.
 
(((((((((((((((((((((((((   Files Created from 2009-01-20 to 2009-02-20  )))))))))))))))))))))))))))))))
.
 
2009-02-19 23:29 . 2009-02-19 23:29	262,144	--a------	C:\Documents and Settings\PRC656~1
2009-02-19 23:27 . 2009-02-19 23:27	262,144	--a------	C:\Documents and Settings\PROFIL~4
2009-02-19 22:49 . 2005-11-09 00:26	38,400	--a------	C:\WINNT\system32\moveex.exe
2009-02-19 22:26 . 2009-02-19 22:29	1,244	--a------	C:\WINNT\system32\tmp.reg
2009-02-19 22:01 . 2009-02-19 22:03	<DIR>	d--------	C:\Program Files\Spybot - Search & Destroy
2009-02-19 21:46 . 2005-01-13 21:41	11,254	--a------	C:\WINNT\system32\locate.com
2009-02-19 21:45 . 2009-02-19 21:48	<DIR>	d--------	C:\MGtools
2009-02-19 21:45 . 2009-02-19 21:48	51,086	--a------	C:\MGlogs.zip
2009-02-19 21:38 . 2009-02-19 21:39	<DIR>	d--------	C:\Program Files\RogueRemover FREE
2009-02-19 21:35 . 2009-02-19 21:35	<DIR>	d--------	C:\Deckard
2009-02-19 21:13 . 2009-02-19 21:13	262,144	--a------	C:\Documents and Settings\PROFIL~3
2009-02-19 21:09 . 2009-02-19 21:09	262,144	--a------	C:\Documents and Settings\PROFIL~2
2009-02-19 16:38 . 2009-02-20 02:30	<DIR>	d--------	C:\Program Files\XPPoliceAntivirus
2009-02-19 16:37 . 2009-02-19 16:37	15,360	--a------	C:\WINNT\iehost.dll
2009-02-19 16:36 . 2009-02-19 16:36	<DIR>	d--hs----	C:\WINNT\system32\twain32
2009-02-19 16:36 . 2009-02-19 16:36	21,446	--a------	C:\WINNT\system32\sf.ico
2009-02-19 16:36 . 2009-02-19 16:36	13,942	--a------	C:\WINNT\system32\m3.ico
2009-02-19 16:36 . 2009-02-19 16:36	13,942	--a------	C:\WINNT\system32\c.ico
2009-02-19 16:36 . 2009-02-19 16:36	11,062	--a------	C:\WINNT\system32\p.ico
2009-02-19 16:36 . 2009-02-19 16:36	7,662	--a------	C:\WINNT\system32\m.ico
2009-02-19 16:36 . 2009-02-19 16:36	4,286	--a------	C:\WINNT\system32\s.ico
2009-02-19 16:35 . 2009-02-19 16:35	364,044	--a------	C:\WINNT\system32\wpv091234555431.cpx
2009-02-19 16:35 . 2009-02-19 16:35	21,505	--ah-----	C:\WINNT\system32\digeste.dll
2009-02-19 12:39 . 2009-02-19 12:39	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\ALM
2009-02-19 12:30 . 2009-02-19 12:30	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\FLEXnet
2009-02-19 12:09 . 2009-02-19 12:09	<DIR>	d--------	C:\Program Files\Common Files\Macrovision Shared
2009-02-16 15:44 . 2009-02-16 15:44	<DIR>	d--------	C:\Program Files\Xvid
2009-02-16 15:44 . 2008-12-04 21:42	815,104	--a------	C:\WINNT\system32\xvidcore.dll
2009-02-16 15:44 . 2008-12-04 21:46	180,224	--a------	C:\WINNT\system32\xvidvfw.dll
2009-02-16 15:44 . 2008-12-13 20:01	77,824	--a------	C:\WINNT\system32\xvid.ax
2009-02-15 17:42 . 2009-02-20 00:23	41,472	--a------	C:\WINNT\Dkilecuguv.dll
2009-02-15 17:36 . 2009-02-15 17:36	<DIR>	d--------	C:\Program Files\uTorrent
2009-02-15 17:36 . 2009-02-19 21:37	<DIR>	d--------	C:\Documents and Settings\Owner\Application Data\uTorrent
2009-02-09 11:51 . 2009-02-09 11:51	111,020	--ah-----	C:\WINNT\system32\mlfcache.dat
2009-02-09 11:36 . 2008-07-31 16:17	9,200	---------	C:\WINNT\system32\drivers\cdralw2k.sys
2009-02-09 11:36 . 2008-07-31 16:17	9,072	---------	C:\WINNT\system32\drivers\cdr4_xp.sys
2009-02-09 11:35 . 2009-02-09 11:35	<DIR>	d--------	C:\WINNT\system32\IOSUBSYS
2009-02-09 11:27 . 2009-02-09 11:28	16,826	--ah-----	C:\WINNT\vuepro32.GID
2009-02-09 11:24 . 2003-03-29 09:32	991,232	--a------	C:\WINNT\vuesav32.scr
2009-02-09 11:24 . 2003-03-29 09:32	258,007	--a------	C:\WINNT\vuesav32.hlp
2009-02-09 11:24 . 2009-02-09 11:33	135	--a------	C:\WINNT\vuesav32.ini
2009-02-08 18:21 . 2009-02-20 16:56	<DIR>	d--h-----	C:\$AVG8.VAULT$
2009-02-08 18:12 . 2009-02-20 08:30	<DIR>	d--------	C:\WINNT\system32\drivers\Avg
2009-02-08 18:12 . 2009-02-08 18:15	<DIR>	d--------	C:\Documents and Settings\Owner\Application Data\AVGTOOLBAR
2009-02-08 18:12 . 2009-02-08 18:12	325,128	--a------	C:\WINNT\system32\drivers\avgldx86.sys
2009-02-08 18:12 . 2009-02-08 18:12	107,272	--a------	C:\WINNT\system32\drivers\avgtdix.sys
2009-02-08 18:12 . 2009-02-08 18:12	10,520	--a------	C:\WINNT\system32\avgrsstx.dll
2009-02-08 18:11 . 2009-02-08 18:11	<DIR>	d--------	C:\Program Files\AVG
2009-02-08 18:11 . 2009-02-19 23:29	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\avg8
2009-02-08 18:10 . 2009-02-08 18:12	8,192	--a------	C:\Documents and Settings\PROFIL~1
2009-02-08 17:09 . 2003-04-11 06:31	<DIR>	d--------	C:\Documents and Settings\Administrator\Application Data\Symantec
2009-02-08 17:09 . 2003-04-11 06:27	<DIR>	d--------	C:\Documents and Settings\Administrator\Application Data\InterTrust
2009-02-08 17:09 . 2008-01-28 20:07	<DIR>	d--------	C:\Documents and Settings\Administrator\Application Data\Apple Computer
2009-02-08 17:09 . 2009-02-08 18:12	<DIR>	d--------	C:\Documents and Settings\Administrator
2009-02-08 13:52 . 2009-02-08 14:20	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\McAfee
2009-02-08 12:46 . 2009-02-08 12:48	<DIR>	d--------	C:\Documents and Settings\Owner\Application Data\Move Networks
 
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-20 21:04	---------	d-----w	C:\Program Files\Mozilla Firefox 3 Beta 5
2009-02-20 04:03	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-20 02:12	---------	d-----w	C:\Documents and Settings\Owner\Application Data\ComcastToolbar
2009-02-19 18:20	---------	d-----w	C:\Program Files\Common Files\Adobe
2009-02-19 05:13	---------	d-----w	C:\Program Files\Incomplete
2009-02-19 04:02	---------	d-----w	C:\Program Files\LimeWire
2009-02-18 19:26	---------	d-----w	C:\Documents and Settings\Owner\Application Data\Arcsoft
2009-02-18 19:23	20	---h--w	C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT
2009-02-10 23:26	---------	d-----w	C:\Documents and Settings\Owner\Application Data\WeatherBug
2009-02-09 17:35	---------	d-----w	C:\Program Files\Google
2009-01-17 03:35	3,594,752	----a-w	C:\WINNT\system32\dllcache\mshtml.dll
2009-01-12 19:36	806	----a-w	C:\WINNT\system32\drivers\SYMEVENT.INF
2009-01-12 19:36	60,808	----a-w	C:\WINNT\system32\S32EVNT1.DLL
2009-01-12 19:36	124,464	----a-w	C:\WINNT\system32\drivers\SYMEVENT.SYS
2009-01-12 19:36	10,635	----a-w	C:\WINNT\system32\drivers\SYMEVENT.CAT
2009-01-05 22:33	3,751,995	----a-w	C:\WINNT\system32\GPhotos.scr
2009-01-02 03:31	---------	d-----w	C:\Program Files\Coupons
2008-12-19 09:10	70,656	------w	C:\WINNT\system32\dllcache\ie4uinit.exe
2008-12-19 09:10	13,824	------w	C:\WINNT\system32\dllcache\ieudinit.exe
2008-12-19 05:25	634,024	------w	C:\WINNT\system32\dllcache\iexplore.exe
2008-12-19 05:23	161,792	----a-w	C:\WINNT\system32\dllcache\ieakui.dll
2008-12-11 10:57	333,952	------w	C:\WINNT\system32\dllcache\srv.sys
2004-01-23 02:39	35,942,843	----a-w	C:\Program Files\NIS2004.exe
2008-09-03 20:37	32,768	--sha-w	C:\WINNT\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090320080904\index.dat
.
[code]<pre>
----a-w           579,072 2008-01-22 18:03:54  C:\Program Files\Grisoft\AVG7\avgcc .exe
----a-w           256,576 2008-01-27 01:10:57  C:\Program Files\iTunes\iTunesHelper .exe
</pre>[/code]
 
 
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
 
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{12c7290a-157b-4f43-b109-97e792c598ed}]
2009-02-19 16:37	15360	--a------	C:\WINNT\iehost.dll
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2008-04-13 18:12 15360]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2009-02-08 18:11 1601304]
 
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Symantec NetDriver Warning"="C:\PROGRA~1\SYMNET~1\SNDWarn.exe" [2004-07-13 15:19 95352]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 15:38 39264]
 
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SRUUninstall"="C:\WINNT\System32\msiexec.exe" [2008-04-13 18:12 78848]
"RunNarrator"="Narrator.exe" [2008-04-13 18:12 53760 C:\WINNT\system32\narrator.exe]
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-08 18:12 10520 C:\WINNT\system32\avgrsstx.dll
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I263"= i263_32.drv
"vidc.mpng"= C:\Program Files\VideoEditing\[u]0[/u].947\686\tabdec.dll
"vidc.mvjp"= C:\Program Files\VideoEditing\[u]0[/u].947\686\tabdec.dll
"vidc.444p"= C:\Program Files\VideoEditing\[u]0[/u].947\686\tabdec.dll
 
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders	msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll
 
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINNT\pss\Adobe Reader Speed Launch.lnkCommon Startup
 
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Palm\HotSync Manager.lnk
backup=C:\WINNT\pss\HotSync Manager.lnkCommon Startup
 
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINNT\pss\Microsoft Office.lnkCommon Startup
 
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
backup=C:\WINNT\pss\Microsoft Works Calendar Reminders.lnkCommon Startup
 
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkbMonitor.exe.lnk]
backup=C:\WINNT\pss\NkbMonitor.exe.lnkCommon Startup
 
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
backup=C:\WINNT\pss\WinZip Quick Pick.lnkCommon Startup
 
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Joost.lnk]
backup=C:\WINNT\pss\Joost.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINNT\system32\dumprep 0 -k [X]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ltho
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Media Gateway
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PTPRoyUpdater
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PTPUpdater
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zdrinit
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
--a------ 2007-02-28 23:06 2321600 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 18:12 15360 C:\WINNT\system32\ctfmon.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ddoctorv2]
--a------ 2008-04-24 12:25 202560 C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GWMDMpi]
--a------ 2002-08-06 13:24 53248 C:\WINNT\GWMDMpi.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2003-07-10 03:13 114688 C:\WINNT\system32\hkcmd.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\I&F Viewer toolbar]
--a------ 2006-05-18 17:23 65536 C:\Program Files\Photo Toolkit\IvBar\phototoolkitmem.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2003-07-10 03:25 155648 C:\WINNT\system32\igfxtray.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KEMailKb]
--a------ 2005-08-09 02:27 401408 C:\PROGRA~1\MICROI~1\INTERN~1\KEMailKb.EXE
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 10:21 1694208 C:\WINNT\$hf_mig$\KB887472\SP2QFE\msmsgs.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]
--a------ 2006-10-06 18:10 208941 C:\Program Files\Real\RealPlayer\realplay.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2006-05-03 01:56 36975 C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-10-06 18:10 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
--a------ 2004-11-10 22:15 111816 C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Weather]
--a------ 2006-04-07 15:02 1343488 C:\Program Files\AWS\WeatherBug\Weather.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Registry Repair Pro]
--a------ 2004-11-05 01:17 1372160 C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zBrowser Launcher]
--a------ 2004-03-18 08:33 892928 C:\Program Files\Logitech\iTouch\iTouch.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GWMDMMSG]
--a------ 2002-08-06 13:24 90112 C:\WINNT\GWMDMMSG.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
--------- 2004-03-03 11:50 19968 C:\WINNT\LOGI_MWX.EXE
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Photoshop Image Service]
photoshop2.exe [N/A]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"xmlprov"=3 (0x3)
"WudfSvc"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"WmiApSrv"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"VSS"=3 (0x3)
"UPS"=3 (0x3)
"upnphost"=3 (0x3)
"TermService"=3 (0x3)
"TapiSrv"=3 (0x3)
"SysmonLog"=3 (0x3)
"SwPrv"=3 (0x3)
"SSDPSRV"=3 (0x3)
"SCardSvr"=3 (0x3)
"SAVScan"=2 (0x2)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"NtmsSvc"=3 (0x3)
"NtLmSsp"=3 (0x3)
"Nla"=3 (0x3)
"Netlogon"=3 (0x3)
"napagent"=3 (0x3)
"MSDTC"=3 (0x3)
"mnmsrvc"=3 (0x3)
"LiveUpdate"=3 (0x3)
"ImapiService"=3 (0x3)
"IDriverT"=3 (0x3)
"HTTPFilter"=3 (0x3)
"hkmsvc"=3 (0x3)
"getPlus(R) Helper"=3 (0x3)
"Fax"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
"FastTrakSvc"=2 (0x2)
"EventSystem"=3 (0x3)
"Eventlog"=2 (0x2)
"ERSvc"=2 (0x2)
"EapHost"=3 (0x3)
"Dot3svc"=3 (0x3)
"dmserver"=3 (0x3)
"dmadmin"=3 (0x3)
"CryptSvc"=3 (0x3)
"clr_optimization_v2.0.50727_32"=3 (0x3)
"CiSvc"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"aawservice"=2 (0x2)
"WinDefend"=2 (0x2)
"sprtsvc_ddoctorv2"=2 (0x2)
"SNDSrvc"=3 (0x3)
"gusvc"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
 
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"="1"
"UpdatesDisableNotify"="1"
"AntiVirusOverride"=dword:00000001
 
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
 
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
 
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
 
 
*Newly Created Service* - NMSSVC
.
Contents of the 'Scheduled Tasks' folder
 
2008-10-09 C:\WINNT\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
 
2008-10-15 C:\WINNT\Tasks\MP Scheduled Scan.job
- C:\Program Files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
 
2005-12-24 C:\WINNT\Tasks\XoftSpy.job
- C:\Program Files\XoftSpy\XoftSpy.exe []
.
- - - - ORPHANS REMOVED - - - -
 
BHO-{C9C42510-9B21-41c1-9DCD-8382A2D07C61} - (no file)
 
 
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\p1m658x0.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.foodnetwork.com/
FF -: plugin - C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\p1m658x0.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF -: plugin - C:\Program Files\Google\Picasa3\npPicasa3.dll
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_07\bin\NPJava11.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_07\bin\NPJava12.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_07\bin\NPJava13.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_07\bin\NPJava14.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_07\bin\NPJava32.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_07\bin\NPJPI150_07.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_07\bin\NPOJI610.dll
FF -: plugin - C:\Program Files\Mozilla Firefox 3 Beta 5\plugins\np32dsw.dll
FF -: plugin - C:\Program Files\Mozilla Firefox 3 Beta 5\plugins\npCouponPrinter.dll
FF -: plugin - C:\Program Files\Mozilla Firefox 3 Beta 5\plugins\npnul32.dll
FF -: plugin - C:\Program Files\Mozilla Firefox 3 Beta 5\plugins\nppdf32.dll
FF -: plugin - C:\Program Files\Mozilla Firefox 3 Beta 5\plugins\npqtplugin.dll
FF -: plugin - C:\Program Files\Mozilla Firefox 3 Beta 5\plugins\npqtplugin2.dll
FF -: plugin - C:\Program Files\Mozilla Firefox 3 Beta 5\plugins\npqtplugin3.dll
FF -: plugin - C:\Program Files\Mozilla Firefox 3 Beta 5\plugins\npqtplugin4.dll
FF -: plugin - C:\Program Files\Mozilla Firefox 3 Beta 5\plugins\npqtplugin5.dll
FF -: plugin - C:\Program Files\Yahoo!\Common\npyaxmpb.dll
.
 
**************************************************************************
 
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-20 17:34:42
Windows 5.1.2600 Service Pack 3 NTFS
 
scanning hidden processes ... 
 
scanning hidden autostart entries ...
 
scanning hidden files ... 
 
scan completed successfully
hidden files: 
 
**************************************************************************
 
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UACd.sys]
"imagepath"="\systemroot\system32\drivers\UACwelnnxel.sys"
.
Completion time: 2009-02-20 17:40:19
ComboFix-quarantined-files.txt  2009-02-20 23:40:15
ComboFix2.txt  2009-02-20 21:43:27
 
Pre-Run: 35,990,200,320 bytes free
Post-Run: 35,978,903,552 bytes free
 
315	--- E O F ---	2009-02-12 09:04:36


0
 
LVL 27

Expert Comment

by:David-Howard
ID: 23697510
Okay, we have some progress.
If you are running into brick walls with my latest suggestions then can you log on as a different user? There is no doubt that the system is infected. However, you may have better success under a new profile or one that is not corrupted. Please see if you can log on with a new profile (create one if you must). If you can log on in that manner (Safe Mode) please test your antimalware applications. They may run under that profile vice your current one.
David
0
 
LVL 27

Expert Comment

by:David-Howard
ID: 23697549
It doesn't look like you have the Combofix Recovery Console installed.
Combofix works in reduced mode unless it is installed.
If you didn't have any success with my last post then please install the Recovery Console and scan again.
I am going to be away from this post for about 1.5 hours. I will check back in around 6PM PST.
David
0
 

Author Comment

by:GiforGOD
ID: 23697622
David, I must have run a different ComboFix that I found in safe mode. I have run another along with Hijack This and have posted the logs below.

I deleted those files you suggested from the previous HJ log, have restarted in regular mode under my profile and tested the internet.......again, can't get into some sites (like Experts-Exchange) once I enter my username and pass.
btw, I am on the internet on both my pc and laptop now....you helped me fix an unrelated problem on my laptop...thanks....I'll give some points on that too!


Logfile of HijackThis v1.99.1
Scan saved at 6:21:27 PM, on 02/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
 
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINNT\system32\ctfmon.exe
C:\Documents and Settings\Owner\My Documents\Greg\ComputerPrograms\HijackThis.exe
 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~3\COMCAS~1.DLL
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~3\COMCAS~1.DLL
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINNT\system32\GPhotos.scr/200
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINNT\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
 
***************************
"Owner" - 2009-02-20 18:22:02    Service Pack 3  
ComboFix 07-05.27.BV - Running from: "C:\Documents and Settings\Owner\Desktop\"
 
 
(((((((((((((((((((((((((((((((   Files Created from 2009-01-21 to 2009-02-21  ))))))))))))))))))))))))))))))))))
 
 
2009-02-20 17:45	38,496	--a------	C:\WINNT\system32\drivers\mbamswissarmy.sys
2009-02-20 17:45	15,504	--a------	C:\WINNT\system32\drivers\mbam.sys
2009-02-20 17:45	<DIR>	d--------	C:\Program Files\Malwarebytes' Anti-Malware
2009-02-20 17:45	<DIR>	d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\Malwarebytes
2009-02-19 22:49	28,672	--a------	C:\WINNT\nircmd.exe
2009-02-19 22:26	1,244	--a------	C:\WINNT\system32\tmp.reg
2009-02-19 21:46	11,254	--a------	C:\WINNT\system32\locate.com
2009-02-19 21:45	<DIR>	d--------	C:\MGtools
2009-02-19 21:38	<DIR>	d--------	C:\Program Files\RogueRemover FREE
2009-02-19 21:35	<DIR>	d--------	C:\Deckard
2009-02-19 16:38	<DIR>	d--------	C:\Program Files\XPPoliceAntivirus
2009-02-19 16:36	<DIR>	d--hs----	C:\WINNT\system32\twain32
2009-02-19 16:35	21,505	--ah-----	C:\WINNT\system32\digeste.dll
2009-02-19 12:39	<DIR>	d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\ALM
2009-02-19 12:30	<DIR>	d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
2009-02-19 12:09	<DIR>	d--------	C:\Program Files\Common Files\Macrovision Shared
2009-02-16 15:44	815,104	--a------	C:\WINNT\system32\xvidcore.dll
2009-02-16 15:44	180,224	--a------	C:\WINNT\system32\xvidvfw.dll
2009-02-16 15:44	<DIR>	d--------	C:\Program Files\Xvid
2009-02-15 17:42	41,472	--a------	C:\WINNT\Dkilecuguv.dll
2009-02-15 17:36	<DIR>	d--------	C:\Program Files\uTorrent
2009-02-15 17:36	<DIR>	d--------	C:\DOCUME~1\Owner\APPLIC~1\uTorrent
2009-02-09 11:51	111,020	--ah-----	C:\WINNT\system32\mlfcache.dat
2009-02-09 11:36	9,200	---------	C:\WINNT\system32\drivers\cdralw2k.sys
2009-02-09 11:36	9,072	---------	C:\WINNT\system32\drivers\cdr4_xp.sys
2009-02-09 11:35	<DIR>	d--------	C:\WINNT\system32\IOSUBSYS
2009-02-09 11:24	991,232	--a------	C:\WINNT\vuesav32.scr
2009-02-08 18:21	<DIR>	d--h-----	C:\$AVG8.VAULT$
2009-02-08 18:12	325,128	--a------	C:\WINNT\system32\drivers\avgldx86.sys
2009-02-08 18:12	107,272	--a------	C:\WINNT\system32\drivers\avgtdix.sys
2009-02-08 18:12	10,520	--a------	C:\WINNT\system32\avgrsstx.dll
2009-02-08 18:12	<DIR>	d--------	C:\WINNT\system32\drivers\Avg
2009-02-08 18:12	<DIR>	d--------	C:\DOCUME~1\Owner\APPLIC~1\AVGTOOLBAR
2009-02-08 18:11	<DIR>	d--------	C:\Program Files\AVG
2009-02-08 18:11	<DIR>	d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\avg8
2009-02-08 17:09	1,310,720	--a------	C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2009-02-08 17:09	<DIR>	d--------	C:\DOCUME~1\ADMINI~1\APPLIC~1\Symantec
2009-02-08 17:09	<DIR>	d--------	C:\DOCUME~1\ADMINI~1\APPLIC~1\InterTrust
2009-02-08 17:09	<DIR>	d--------	C:\DOCUME~1\ADMINI~1\APPLIC~1\Apple Computer
2009-02-08 13:52	<DIR>	d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee
2009-02-08 12:46	<DIR>	d--------	C:\DOCUME~1\Owner\APPLIC~1\Move Networks
 
 
((((((((((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))))
 
2009-02-21 00:06:51	--------	d-----w	C:\Program Files\Mozilla Firefox 3 Beta 5
2009-02-20 02:12:14	--------	d-----w	C:\DOCUME~1\Owner\APPLIC~1\ComcastToolbar
2009-02-19 05:13:26	--------	d-----w	C:\Program Files\Incomplete
2009-02-19 04:02:32	--------	d-----w	C:\Program Files\LimeWire
2009-02-18 19:26:32	--------	d-----w	C:\DOCUME~1\Owner\APPLIC~1\Arcsoft
2009-02-10 23:26:56	--------	d-----w	C:\DOCUME~1\Owner\APPLIC~1\WeatherBug
2009-02-09 17:35:45	--------	d-----w	C:\Program Files\Google
2009-01-12 19:36:39	60,808	----a-w	C:\WINNT\system32\S32EVNT1.DLL
2009-01-12 19:36:39	124,464	----a-w	C:\WINNT\system32\drivers\SYMEVENT.SYS
2009-01-05 22:33:03	3,751,995	----a-w	C:\WINNT\system32\GPhotos.scr
2009-01-02 03:31:18	--------	d-----w	C:\Program Files\Coupons
2008-12-22 15:51:52	809	----a-w	C:\WINNT\eReg.dat
 
 
((((((((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))
 
 
*Note* empty entries & legit default entries are not shown 
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{18DF081C-E8AD-4283-A596-FA578C2EBDC3}=C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2008-06-11 21:33]
{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}=C:\Program Files\AVG\AVG8\avgssie.dll [2009-02-08 18:11]
{4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29}=C:\PROGRA~1\COMCAS~3\COMCAS~1.DLL [2006-11-07 13:21]
{A057A204-BACC-4D26-9990-79A187E2698E}=C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [2009-02-08 18:12]
{AE7CD045-E861-484f-8273-0445EE161910}=C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll [2003-05-15 00:03]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2009-02-08 18:11]
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2008-04-13 18:12]
 
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"SRUUninstall"="C:\WINNT\System32\msiexec.exe" /L*v C:\WINNT\TEMP\SND532unin.txt /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress
"RunNarrator"=Narrator.exe
 
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Symantec NetDriver Warning"=C:\PROGRA~1\SYMNET~1\SNDWarn.exe
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
 
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"=1 (0x1)
"AllowUnhashedWebView"=1 (0x1)
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
avgrsstx.dll
 
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINNT\pss\Adobe Reader Speed Launch.lnkCommon Startup
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Palm\HotSync Manager.lnk
backup=C:\WINNT\pss\HotSync Manager.lnkCommon Startup
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINNT\pss\Microsoft Office.lnkCommon Startup
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
backup=C:\WINNT\pss\Microsoft Works Calendar Reminders.lnkCommon Startup
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkbMonitor.exe.lnk]
backup=C:\WINNT\pss\NkbMonitor.exe.lnkCommon Startup
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
backup=C:\WINNT\pss\WinZip Quick Pick.lnkCommon Startup
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Joost.lnk]
backup=C:\WINNT\pss\Joost.lnkStartup
 
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINNT\system32\ctfmon.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ddoctorv2]
"C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GWMDMMSG]
GWMDMMSG.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GWMDMpi]
C:\WINNT\GWMDMpi.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINNT\System32\hkcmd.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\I&F Viewer toolbar]
"C:\Program Files\Photo Toolkit\ivbar\phototoolkitmem.exe" -start
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINNT\System32\igfxtray.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KEMailKb]
C:\PROGRA~1\MICROI~1\INTERN~1\KEMailKb.EXE
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
Logi_MwX.Exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ltho]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Media Gateway]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\WINNT\$hf_mig$\KB887472\SP2QFE\msmsgs.exe" /background
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Photoshop Image Service]
photoshop2.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PTPRoyUpdater]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PTPUpdater]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]
"C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Weather]
C:\Program Files\AWS\WeatherBug\Weather.exe 1
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Registry Repair Pro]
C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zBrowser Launcher]
C:\Program Files\Logitech\iTouch\iTouch.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zdrinit]
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"xmlprov"=3 (0x3)
"WudfSvc"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"WmiApSrv"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"VSS"=3 (0x3)
"UPS"=3 (0x3)
"upnphost"=3 (0x3)
"TermService"=3 (0x3)
"TapiSrv"=3 (0x3)
"SysmonLog"=3 (0x3)
"SwPrv"=3 (0x3)
"SSDPSRV"=3 (0x3)
"SCardSvr"=3 (0x3)
"SAVScan"=2 (0x2)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"NtmsSvc"=3 (0x3)
"NtLmSsp"=3 (0x3)
"Nla"=3 (0x3)
"Netlogon"=3 (0x3)
"napagent"=3 (0x3)
"MSDTC"=3 (0x3)
"mnmsrvc"=3 (0x3)
"LiveUpdate"=3 (0x3)
"ImapiService"=3 (0x3)
"IDriverT"=3 (0x3)
"HTTPFilter"=3 (0x3)
"hkmsvc"=3 (0x3)
"getPlus(R) Helper"=3 (0x3)
"Fax"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
"FastTrakSvc"=2 (0x2)
"EventSystem"=3 (0x3)
"Eventlog"=2 (0x2)
"ERSvc"=2 (0x2)
"EapHost"=3 (0x3)
"Dot3svc"=3 (0x3)
"dmserver"=3 (0x3)
"dmadmin"=3 (0x3)
"CryptSvc"=3 (0x3)
"clr_optimization_v2.0.50727_32"=3 (0x3)
"CiSvc"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"aawservice"=2 (0x2)
"WinDefend"=2 (0x2)
"sprtsvc_ddoctorv2"=2 (0x2)
"SNDSrvc"=3 (0x3)
"gusvc"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs	eaphost
dot3svc	dot3svc
 
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*
napagent
	
*Newly Created Service* - NMSSVC
 
Contents of the 'Scheduled Tasks' folder
2008-10-09 01:20:55  C:\WINNT\tasks\AppleSoftwareUpdate.job
2008-10-15 06:47:22  C:\WINNT\tasks\MP Scheduled Scan.job
2005-12-24 21:45:34  C:\WINNT\tasks\XoftSpy.job
 
********************************************************************
 
catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-20 18:27:43
Windows 5.1.2600 Service Pack 3 NTFS
 
scanning hidden processes ...
 
scanning hidden autostart entries ...
 
scanning hidden files ...
 
disk error: C:\WINNT\
 
please note that you need administrator rights to perform deep scan
 
********************************************************************
 
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\UACd.sys]
"imagepath"="\systemroot\system32\drivers\UACwelnnxel.sys"
 
Completion time: 2009-02-20 18:29:10
C:\ComboFix-quarantined-files.txt ... 2009-02-20 18:28
C:\ComboFix2.txt ... 2009-02-20 17:40
C:\ComboFix3.txt ... 2009-02-20 00:16
 
	--- E O F ---


0
 

Author Comment

by:GiforGOD
ID: 23697684
Okay, I started the computer up under my daughter's old profile. Malware still would not launch. Started Firefox and went to several web sites that I have been having trouble getting past the login page on, Experts-Exchange included, and was still unable to get past it. Note that there are no error messages, the page just won't load and it times out. I can get on other sites such as facebook, my banking, some sites that I pay bills on, etc.

I'm at a loss. Just can't figure it out. Perhaps with those last log files I sent you, you may see something that I don't see.

Thanks in advance and we will keep trying
Greg

0
 
LVL 8

Expert Comment

by:Dirtpatch-Jenkins
ID: 23697767
First thing - from a SAFE computer - log on to any banking sites etc and change your passwords.

You are being attacked with who knows what... maybe a keylogger or anything in there.
0
 

Author Comment

by:GiforGOD
ID: 23697773
I have done that on several that I can get into...thanks...plan to do that on the ones I can't get into once I get this mess fixed.
0
 

Author Comment

by:GiforGOD
ID: 23697826
Problem is.....I can't access any web pages in safe mode, regardless of what profile I am on.....
0
 
LVL 8

Expert Comment

by:Dirtpatch-Jenkins
ID: 23697829
I'm working on getting a bootdisk on my server for you to download; it has recent virus definitions loaded.

Do you have a comp you can download it from and burn to cd?
0
 

Author Comment

by:GiforGOD
ID: 23697866
Yes. Remember, I can only seem to run AVG, ComboFix and Hijack This. All others, such as Ad-Aware, Spybot, and the newly downloaded and installed Malwarebytes Anti-Malware will not launch. Please instruct me on what to do with this bootdisk.....and am I to trust you?!? (J/K)
0
 
LVL 8

Expert Comment

by:Dirtpatch-Jenkins
ID: 23697886
The boot disk is in iso format; burn it to cd, put the cd in the drive and reboot the comp... if you get a boot from cd window, press a button.

It will run from the cd - you will run the virus scan from the menu - it takes a while running from cd -
after the virus scan is complete, highlight all the found viri and right click and set to delete.

You can then run the registry cleaner - same thing just about. Lots faster though.

After it's done take the disk out and reboot.

I am remote controlling my server right now trying to get the file up for you; will put a link in when it's done.

As far as the trusting me part... you've already been over-ridden, what can it hurt? lol.
0
 
LVL 27

Expert Comment

by:David-Howard
ID: 23697903
Greg, can you go to the other system (the one that you can get on the internet with) and try this? It's a small download and it is designed to correct and repair Winsock 2 settings, damaged by buggy or improperly removed Internet software, that result in the loss of Internet access.
It's worth a shot.
http://www.download.com/LSPFix/3000-2085_4-10417026.html
David
0
 
LVL 27

Expert Comment

by:David-Howard
ID: 23697915
Just thinking. About once a month someone posts a question about a system that is absolutely hammered. Looks like it's your turn Greg. No worries. We'll get you through it. If Jenkins can get that antimalware/virus ISO to you that will be huge.
David
0
 

Author Comment

by:GiforGOD
ID: 23697964
David, I am downloading from the link you sent on my PC (the infected one)....please note, I am able to get on the internet.....that's not the problem. It's what I am unable to do on it when I get there. I am going to run the program and will get back with you as soon as it's complete.
Thanks
0
 
LVL 27

Expert Comment

by:David-Howard
ID: 23697969
Great. And I understand about the sites you cannot visit. Good luck!
0
 
LVL 8

Expert Comment

by:Dirtpatch-Jenkins
ID: 23697981
Sorry for the delay - I couldn't find my thumb drive - lol... a friend uploaded it to rapidshare, you can get it here -

http://rapidshare.com/files/200600592/avtbart.rar.html

0
 
LVL 27

Expert Comment

by:David-Howard
ID: 23697982
Greg, just out of curiosity can you locate and then copy/paste your Host file for me?
It's located at:
My Computer > C: (or whatever drive Windows is on) > WINDOWS > system32 > drivers > etc > hosts
Or you can just go to Start and Search For Files and Folders
Then type in Hosts and select Search.
david
0
 

Author Comment

by:GiforGOD
ID: 23697997
David, I just ran the program and am restarting the computer so we will see in a second if that helped at this point.

I wanted to point something out to you....below is a small section of code from ComboFix that I noticed while analyzing it. The entries shown are some things that were created around the hour or so that I began getting those shortcuts popping up on my desktop. None of the items you see in this code are things I downloaded or wanted, let alone installed. Could any of these be causing some problems?
2009-02-19 16:38	<DIR>	d--------	C:\Program Files\XPPoliceAntivirus
2009-02-19 16:36	<DIR>	d--hs----	C:\WINNT\system32\twain32
2009-02-19 16:35	21,505	--ah-----	C:\WINNT\system32\digeste.dll
 
and:
 
2009-02-16 15:44	815,104	--a------	C:\WINNT\system32\xvidcore.dll
2009-02-16 15:44	180,224	--a------	C:\WINNT\system32\xvidvfw.dll
2009-02-16 15:44	<DIR>	d--------	C:\Program Files\Xvid


0
 
LVL 27

Accepted Solution

by:
David-Howard earned 800 total points
ID: 23698013
Outstanding catch Greg.
Remove this file:
XPPoliceAntivirus
You can read about the above file here:
http://www.spywaredetector.net/spyware_encyclopedia/Fake%20Anti%20Spyware.XPPoliceAntivirus.htm
It's fake antivirus.
Remove this file:
digeste.dll
The above file is Trojan.Downloader.Bredolab.
Remove them, reboot and test please.
David

0
 

Author Comment

by:GiforGOD
ID: 23698014
David, I am checking for the Hosts now
0
 
LVL 27

Expert Comment

by:David-Howard
ID: 23698019
Remove this file too.
twain32
David
0
 
LVL 27

Expert Comment

by:David-Howard
ID: 23698022
Safe Mode Greg, make sure you're in Safe Mode when you pull those three files.
David
0
 

Author Comment

by:GiforGOD
ID: 23698026
David, before I "remove" those files, how should I go about that? I've tried uninstalls on these fakes before and made more of a mess...what's your take? (I'm still searching Hosts...what info do you need from that?)
0
 

Author Comment

by:GiforGOD
ID: 23698046
David, there are no Hosts in Windows, System 32, however, after doing Search, I found the following in WINNT:
hosts
hosts.20031227-175815.backup
Imhosts.sam
0
 
LVL 27

Expert Comment

by:David-Howard
ID: 23698056
Do a search for the files I listed and rename their extensions.
As an example:
Locate digeste.dll and rename it to digeste.123
Reboot and test.
Do this one at a time on the three I listed.

0
 
LVL 27

Expert Comment

by:David-Howard
ID: 23698061
You may need to enable Hidden Files.
To see hidden files:
1. On the Tools menu in Windows Explorer, click Folder Options.
2. Click the View tab.
3. Under Hidden files and folders, click Show hidden files and folders.
To access Windows Explorer, click Start, point to All Programs, and then click Windows Explorer.

0
 

Author Comment

by:GiforGOD
ID: 23698072
Okay, I have always had view hidden files, so I will do one at a time and reboot each time. I'll let you know.
Dirtpatch, I haven't forgotten you. I am gonna try these easier routes first and then see what happens.

Thanks guys...hang on
0
 

Author Comment

by:GiforGOD
ID: 23698092
David, how should I delete the XPPolice program in Program Files. And, if there are any other links to it found in the search?
0
 
LVL 27

Expert Comment

by:David-Howard
ID: 23698112
Yes. It's bogus software.
0
 

Author Comment

by:GiforGOD
ID: 23698126
How do I remove it though? Inside the folder there is no .exe file but there are the following:
There are two .dll files, a .dat file, a .cfg file and then a folder with plugins with 3 .dat files and a folder with three .wav files.

How would you go about this? Rename them all or drag the whole XPPoliceAntivirus folder to the trash? It's not in Add and Remove.....
0
 
LVL 27

Expert Comment

by:David-Howard
ID: 23698131
Sorry...I had two things going on at once.
See if you can locate the file here and then rename it.
C:\Program Files\XPPoliceAntivirus\xppolice.exe
To perform manual removal of XP Police Antivirus rogue anti-spyware, you should do the following:

Delete XP Police Antivirus corrupt files:

%Program Files%\XPPoliceAntivirus
%Program Files%\XPPoliceAntivirus\AVCoreFn.dll
%Program Files%\XPPoliceAntivirus\bdconf.cfg
%Program Files%\XPPoliceAntivirus\Core.dll
%Program Files%\XPPoliceAntivirus\setup.dat
%Program Files%\XPPoliceAntivirus\xppolice.exe
%Program Files%\XPPoliceAntivirus\Plugins
%Program Files%\XPPoliceAntivirus\Plugins\ceva_dll.cvd
%Program Files%\XPPoliceAntivirus\Plugins\ceva_emu.cvd
%Program Files%\XPPoliceAntivirus\Plugins\ceva_vfs.cvd
%Program Files%\XPPoliceAntivirus\Plugins\ceva_vfs.ivd
%Program Files%\XPPoliceAntivirus\Plugins\cevakrnl.cvd
%Program Files%\XPPoliceAntivirus\Plugins\cevakrnl.ivd
%Program Files%\XPPoliceAntivirus\Plugins\cevakrnl.rvd
%Program Files%\XPPoliceAntivirus\sounds
%Program Files%\XPPoliceAntivirus\sounds\alert.wav
%Program Files%\XPPoliceAntivirus\sounds\click.wav
%Program Files%\XPPoliceAntivirus\sounds\fire.wav
%UserProfile%\Desktop\XP Police Antivirus.lnk
%UserProfile%\Start Menu\XP Police Antivirus.lnk

Remove XP Police Antivirus registry entries:

HKEY_CURRENT_USER\Software\XP Police Antivirus
0
 
LVL 27

Expert Comment

by:David-Howard
ID: 23698132
To enter the Registry select Start>Run and then type in Regedit
Then drill to HKEY_CURRENT_USER\Software\XP Police Antivirus
Delete this Registry entry.
Reboot and test.

0
 

Author Comment

by:GiforGOD
ID: 23698154
Okay, I have done all that and will now reboot.
0
 

Author Comment

by:GiforGOD
ID: 23698197
Have rebooted....still can't launch Malware Anti-Malware, still can't log in to Experts-Exchange or another site that I use, and some others.

I also noted that when I go to the official Malwarebyte.org site I am redirected to a site that "looks" like it, but it's just a search portal.......that has a header that says Malewarebytes.org...what you need, when you need it....but it's fake.
0
 
LVL 8

Expert Comment

by:Dirtpatch-Jenkins
ID: 23698215
Get the disk image... it's not hard to do. Just boot from the cd, it has a user interface...easy peasy
0
 
LVL 27

Assisted Solution

by:David-Howard
David-Howard earned 800 total points
ID: 23698216
Okay Greg, at this point I'm going to recommend that you download a suite. If you can get there.
I've used it for one year and it works.
http://www.pctools.com/spyware-doctor/?ref=afl_nenextech
You will have to purchase it but the license is for one year.
This is the first time I've recommended a paid-for suite. However, your system seems to be so badly infected that this may be one of about three recourses that we have. The other two are the boot-and-scan ISO that was recommended earlier or an XP Repair (or at the worst an XP Reinstall).
0
 
LVL 27

Expert Comment

by:David-Howard
ID: 23698221
Hey Jenkins. Did you post the link for Greg? I would love to have him download and try your ISO instead of paying for a suite. But I don't see the link for the ISO.
0
 

Author Comment

by:GiforGOD
ID: 23698235
Guys, I work nights at FedEx and have to go in in a few minutes. Please reply to this post as soon as you can.

I will download the info that Jenkins has for me and try it in the morning.
I have Spyware Doctor on my laptop. Don't know if I can get it over to my PC. I think it's a trial version, but have used it before.

Will either of you be on tomorrow?
Thanks SO MUCH for your help so far! I will get back to it as soon as I can. Thanks!!!
0
 
LVL 27

Expert Comment

by:David-Howard
ID: 23698271
I will be around after 1PM and no later than 6PM.
David
0
 
LVL 8

Assisted Solution

by:Dirtpatch-Jenkins
Dirtpatch-Jenkins earned 1200 total points
ID: 23698286
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 23699658

----a-w           579,072 2008-01-22 18:03:54  C:\Program Files\Grisoft\AVG7\avgcc .exe
----a-w           256,576 2008-01-27 01:10:57  C:\Program Files\iTunes\iTunesHelper .exe


The above section of the CF log shows sign of a vundo file infector.

Your Combofix.exe has expired, please update it before running a scan or delete that one you have and download a fresh copy of Combofix.

And the log from AVG shows a file patcher which could be virut or sality. If it's virut, I would usually recommend a reformat as virut infected files are uncleanable, but if the infection has just started you can still remove the infection and just replace all corrupted/deleted files.
Dr Web CureIt does a good job deleting all infected files.

Virut:
http://www.freedrweb.com/

Sality:
http://support.kaspersky.com/viruses/solutions?print=true&qid=208279889
0
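To make the pattern rpggamergirl points at above easier to spot in a long log, here is an added Python example (it is not from this thread and not part of ComboFix) that parses lines in the layout of the ComboFix "Files Created/Modified" section and flags executables whose name has whitespace between the stem and the extension, as in `avgcc .exe`. The first two sample lines are the ones quoted in the post; the remaining sample lines, the list of extensions treated as executable, and the column layout the regex assumes are my own constructions for the demo.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed sample in the layout of a ComboFix "Files Created/Modified"
# section: the first two lines are the ones quoted in the thread, the rest
# are made up for this demo and describe no real system.
SAMPLE_LOG_LINES = [
    r"----a-w           579,072 2008-01-22 18:03:54  C:\Program Files\Grisoft\AVG7\avgcc .exe",
    r"----a-w           256,576 2008-01-27 01:10:57  C:\Program Files\iTunes\iTunesHelper .exe",
    r"----a-w            81,920 2008-02-01 09:00:00  C:\WINDOWS\system32\notepad.exe",
    r"----a-w            12,288 2009-02-19 22:41:10  C:\Documents and Settings\Greg\Local Settings\Temp\svchost .exe",
    r"----a-w             4,096 2009-02-19 22:41:10  C:\Documents and Settings\Greg\Local Settings\Temp\readme .txt",
    "garbage line that does not match",
]

# Assumption: extensions worth flagging when split from the stem (the usual
# PE file types a file infector patches).
EXECUTABLE_EXTENSIONS = {"exe", "dll", "scr", "com", "sys"}


@dataclass
class ComboFixEntry:
    attrs: str          # attribute flags such as ----a-w
    size: int           # size in bytes
    modified: datetime  # timestamp as shown in the log
    path: str           # full Windows path

    @property
    def filename(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


# attrs, size with thousands separators, timestamp, then the path (may contain spaces)
LINE_RE = re.compile(
    r"^(?P<attrs>[-a-z]{7})\s+"
    r"(?P<size>\d[\d,]*)\s+"
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<path>\S.*?)\s*$"
)

# "stem<whitespace>.ext": the whitespace before the dot is the tell.
SPLIT_EXT_RE = re.compile(r"^(?P<stem>.+?)\s+\.(?P<ext>[A-Za-z0-9]{1,4})$")


def parse_combofix_line(line: str) -> Optional[ComboFixEntry]:
    """Parse one log line; return None for lines that are not file entries."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    return ComboFixEntry(
        attrs=m["attrs"],
        size=int(m["size"].replace(",", "")),
        modified=datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        path=m["path"],
    )


def split_extension(filename: str) -> Optional[str]:
    """Return the lower-cased extension if the name reads 'stem .ext', else None."""
    m = SPLIT_EXT_RE.match(filename)
    return m["ext"].lower() if m else None


def flag_suspicious(lines) -> List[ComboFixEntry]:
    """Entries whose executable file name has whitespace before the extension."""
    flagged = []
    for line in lines:
        entry = parse_combofix_line(line)
        if entry and split_extension(entry.filename) in EXECUTABLE_EXTENSIONS:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in flag_suspicious(SAMPLE_LOG_LINES):
        print(f"{e.modified:%Y-%m-%d}  {e.size:>9,}  {e.path}")
```

Running it on the sample prints the two AVG/iTunes entries plus the constructed `svchost .exe` in Temp, and leaves `readme .txt` alone because only executable extensions are in scope. The parsed timestamp is the file's recorded modification time, which is why the function keeps it alongside the path rather than filtering on it.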
 
LVL 3

Expert Comment

by:XChangingIT
ID: 23700004
0
 

Author Comment

by:GiforGOD
ID: 23701467
The cf log indicates dates of January 2008, doesn't it? How would that be affecting me now?

XChangingIT, look further up in post....been there, done that, can't launch it.

Thanks though!

David, Jenkins, I am back on and am going to try the reboot disc once I get it. I'll be in touch.
0
 
LVL 3

Expert Comment

by:XChangingIT
ID: 23701771
Sorry about that!  long post lol

try this...boot in safe mode, rename the malwarebytes install file (to anything) and try to install it then....that should get it to run.
0
 

Author Comment

by:GiforGOD
ID: 23701989
I had to do that initially and it did not work, however, I did not do that in safe mode...would that make a diff?
0
 
LVL 3

Expert Comment

by:XChangingIT
ID: 23702021
yes of course....it doesn't load a lot of startup files, etc...

i would do this IN THIS ORDER (important)

If you are transferring these files from another computer via USB stick make sure you WRITE-PROTECT it..cause the virus you have will most likely jump onto your USB drive and keep infecting your machine.

1) Safe Mode
2) (rename the downloaded file) ComboFix- http://download.bleepingcomputer.com/sUBs/ComboFix.exe
3) (rename the downloaded file) Malwarebytes- http://www.malwarebytes.org/mbam/program/mbam-setup.exe
4) Avast- www.avast.com (boot-time scan)

let me know how you make out.
0
 
LVL 27

Expert Comment

by:David-Howard
ID: 23702090
Were you able to download Spyware Detector Greg?
0
 

Author Comment

by:GiforGOD
ID: 23702196
Xchanging - I have a good copy of combofix. The one you read was an old combofix that I found in Safe Mode and ran...I since posted a log with the newer version.

As for the others, I will download them on my laptop, write protect (although I am not sure how you do that) and put them on my thumb drive. Then you say to install on my infected computer in SAFE mode?

DAVID, I was able to download and run. It is the "Free" version. While it doesn't fix anything in that version, it gives me all the details that I need to delete files, registry keys, etc. Is that okay?

I haven't done Jenkins fix yet cause I downloaded the file and it is 68 megs...unfortunately, my thumb drive is only 60 megs and my laptop doesnt burn CD's. My daughter's does and we are going to do it later. I really want to try that.

Any thoughts on the above?
0
 

Author Comment

by:GiforGOD
ID: 23702200
David, I am currently doing a FULL SCAN with Spyware Doctor. Like I said, on the smart scan, I was able to get good info on some things we hadn't seen before. Now I see in the active log that there are some other things popping up, including another Trojan downloader...man, what a mess!
0
 
LVL 3

Expert Comment

by:XChangingIT
ID: 23702206
yes def in safe mode.

the link i sent you should be the latest version...if you boot in Safe Mode with networking it will ask you if you want to download the latest version if there is a newer one available.

certain USB drives have little switches on them to write protect kinda like an old cassette tape.

Dont forget to rename the files before running them.
0
 

Author Comment

by:GiforGOD
ID: 23702228
Mine is a Lexar...it doesn't have that switch. Can I download the files, put them on the thumb drive and rename them there, before I load them on my PC? Would that be the same?

Also, what do I rename? If I just do the setup file name, is that enough? It seems as if I may need to rename the .exe as well?
0
 
LVL 3

Expert Comment

by:XChangingIT
ID: 23702241
just rename the setup file once you copy them to your computer from the USB drive.  Some will not run if they are only on the thumb drive.

name them anything....a series of numbers, etc...anything.  The setup files only..that should do it.  Leave the extension (.exe)...you can't remove that or the file will not work at all.
0
 
LVL 27

Expert Comment

by:David-Howard
ID: 23702325
Yeah, Greg it sure seems like a mess. Any chance of you just getting your data off of that system and reinstalling XP? There is no telling what is lurking. Keyloggers, etc. If you do any type of banking, etc. on this system your information could very well be at risk.
0
 

Author Comment

by:GiforGOD
ID: 23702351
Wow, that would have to be my last resort. It can be done, and actually can be refreshing at the same time. My fear there is losing something, or not being able to save it like it should be. All my Outlook stuff.....certain programs that have data saved like Family Tree (my wife's project).....I have no problem saving downloaded programs and re-installing them, but I am not so sure about other things. What do you suggest....
0
 

Author Comment

by:GiforGOD
ID: 23702368
Xchanging...the link to ComboFix through bleeping...is invalid. Do you have another?
0
 
LVL 27

Expert Comment

by:David-Howard
ID: 23702416
You can always do a search for *.doc *.jpeg, etc. The * is a wildcard and will search for all files with whatever extension it is attached to. An example of this would be a search for *.doc
That will search for and list all documents (From Word) that reside on the system.
The same would hold true for jpegs, Excel files (*.xls), etc.
Another option would be to copy each profile to removable media (CDR, etc.)
You would simply right click Start, select Explore and then locate say your profile. Right click on Greg (as an example) and select Copy. Then copy that profile to removable media. Repeat as necessary with all profiles.
0
 
LVL 3

Expert Comment

by:XChangingIT
ID: 23702436
That link seems to work fine for me.

Try this.. http://www.forospyware.com/sUBs/ComboFix.exe
0
 

Author Comment

by:GiforGOD
ID: 23702489
David, if I do the Profile copy, then after I reload XP, how do I get the copied profiles back on the clean version?
0
 
LVL 3

Expert Comment

by:XChangingIT
ID: 23702498
"paste" it back into the new installation.

Before you do that I would scan your profile with your antivirus....it's most likely very infected.
0
 
LVL 27

Expert Comment

by:David-Howard
ID: 23702500
You would simply access or open the folder (Profile) and then select what you want to copy (My documents, photos, etc.) If you copy the entire profile it will bring over My Documents, My Favorites, etc. The problem can be when people create folders on C: outside of their profile. Like if your wife created a Family Tree folder on root (C:) it would not automatically copy over. You have to search or look for created folders of this type and manually copy them.
0
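David's two points above, the `*.doc` style search for data files (ID 23702416) and the folders people create on the root of C: that a profile copy misses (ID 23702500), can be scripted. The following is an added Python example, not code from this thread or from any of the tools named in it. It walks a drive for the data extensions listed, skips system and temp folders, copies the hits to a destination while keeping their folder layout, and lists top-level folders that sit outside `Documents and Settings`. The extension list, the skipped folder names and the demo drive it builds in a temporary directory are my own assumptions and constructions; point `find_data_files` at a real drive root and `copy_preserving_layout` at the removable media to use it for real.

```python
import shutil
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List

# The extensions David mentions (*.doc, *.xls, *.jpeg) plus a few siblings.
# Assumption: this list is mine; extend it to whatever the household uses.
# Deliberately no .exe/.dll/.scr: a file infector rides along inside those,
# which is why XChangingIT says to scan the profile before pasting it back.
DATA_EXTENSIONS = {".doc", ".xls", ".jpeg", ".jpg", ".txt", ".pst"}

# Folder names (any level) that hold no user data and may hold infected binaries.
SYSTEM_DIRS = {"windows", "program files", "system volume information",
               "recycler", "temp"}


def find_data_files(root: Path, extensions: Iterable[str] = DATA_EXTENSIONS) -> List[Path]:
    """The *.doc style search: every file under root whose extension is in the
    set, skipping anything that sits inside a system or temp folder."""
    exts = {e.lower() for e in extensions}
    hits = []
    for p in root.rglob("*"):
        if not p.is_file() or p.suffix.lower() not in exts:
            continue
        parents = [part.lower() for part in p.relative_to(root).parts[:-1]]
        if any(part in SYSTEM_DIRS for part in parents):
            continue
        hits.append(p)
    return sorted(hits)


def folders_outside_profiles(root: Path, profiles_dir: str = "Documents and Settings") -> List[Path]:
    """Top-level folders that are neither the profiles folder nor a system
    folder: the 'Family Tree created on C:' case a profile copy would miss."""
    return sorted(p for p in root.iterdir()
                  if p.is_dir() and p.name != profiles_dir
                  and p.name.lower() not in SYSTEM_DIRS)


def copy_preserving_layout(files: Iterable[Path], root: Path, dest: Path) -> List[Path]:
    """Copy each file to dest keeping its path relative to root, so two files
    with the same name in different folders cannot overwrite each other."""
    copied = []
    for f in files:
        target = dest / f.relative_to(root)
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(f, target)  # copy2 keeps the original timestamps
        copied.append(target)
    return copied


def build_demo_drive(drive: Path) -> Path:
    """Constructed stand-in for an XP C: drive; file bodies are placeholders."""
    layout = {
        "Documents and Settings/Greg/My Documents/letter.doc": "letter",
        "Documents and Settings/Greg/My Documents/budget.xls": "budget",
        "Documents and Settings/Greg/Local Settings/Temp/cache.txt": "junk",
        "Family Tree/tree.doc": "project created on the root of C:",
        "WINDOWS/system32/notepad.exe": "MZ...",
        "Program Files/SomeApp/readme.txt": "vendor text",
    }
    for rel, body in layout.items():
        f = drive / Path(rel)
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_text(body)
    return drive


def demo() -> Dict[str, List[str]]:
    """Run the whole salvage against the constructed drive; returns file names."""
    with tempfile.TemporaryDirectory() as tmp:
        drive = build_demo_drive(Path(tmp) / "C")
        media = Path(tmp) / "E"  # stand-in for the removable disc or stick
        files = find_data_files(drive)
        copied = copy_preserving_layout(files, drive, media)
        return {
            "found": [p.name for p in files],
            # only count a copy whose content matches the original
            "copied": [p.name for p in copied
                       if p.read_text() == (drive / p.relative_to(media)).read_text()],
            "outside_profiles": [p.name for p in folders_outside_profiles(drive)],
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On the demo drive the search returns the two documents in Greg's profile and `tree.doc` from the `Family Tree` folder on the root, skips the `.txt` in Temp and under Program Files, never touches `notepad.exe`, and reports `Family Tree` as the one folder a profile-only copy would have left behind.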
 

Author Comment

by:GiforGOD
ID: 23702666
David, I have Jenkins file. When I put it in either my DVD or CD drive, and reboot, windows XP starts up to my profile page. I thought it was supposed to run before windows starts? Do I just start and then run the CD software?
0
 
LVL 27

Expert Comment

by:David-Howard
ID: 23702718
If the XP CD is in your drive on boot watch for Boot from CD message. Hit any key and the XP CD will start to load.
http://support.microsoft.com/kb/316941
0
 

Author Comment

by:GiforGOD
ID: 23702740
Okay, call me stupid, but I am really confused. I burned the file Jenkins had on a CD. I put it in both the CD and DVD drive, however, when I rebooted each time, it went right to the normal start up.

Are you saying that i have to have my original XP reboot disc in?
If I do what you say, and the XP CD starts to load, where does the CD with Jenkins file come into play?

Forgive my ignorance on this one.......
0
 
LVL 8

Expert Comment

by:Dirtpatch-Jenkins
ID: 23702742
You may have to change the boot order in bios... set it to cd/dvd first
0
 
LVL 8

Expert Comment

by:Dirtpatch-Jenkins
ID: 23702746
OH wait a minute... it was a rar file.. compressed,, you need to unrar and then burn the iso file.

do you have nero or a similar burning app?
0
 
LVL 3

Expert Comment

by:XChangingIT
ID: 23702751
First of all, is this 'Jenkins' file your profile??  If so that's only data NOT a bootable CD.

yes you need your Windows XP CD to boot off if you're trying to reinstall Windows after backing up your profile.

0
 
LVL 8

Expert Comment

by:Dirtpatch-Jenkins
ID: 23702754
if you dont have burner software here is a free one...
http://infrarecorder.org/

once you unrar the iso, burn the image(iso) with infrarecorder.

That cd will boot directly
0
 
LVL 8

Expert Comment

by:Dirtpatch-Jenkins
ID: 23702763
XChangingIT, a friend of mine put a bart cd image with up to date virus definitions on rapidshare for him to use. that's what he's talking about.
0
 

Author Comment

by:GiforGOD
ID: 23702830
Ugh....I downloaded the CD burning file. I then extracted the ISO file. When I go to burn it with the CD burning software, I get the following message:

ERROR: Unable to parse project file, it may be corrupt. The XML processor returned: 2

?????
Next question....what do I do if I can't find my friggin XP recovery disc?  I am at a total loss here.
0
 
LVL 3

Expert Comment

by:XChangingIT
ID: 23702837
did you try booting into safe mode and removing the malware??

do you have a Dell?
0
 
LVL 8

Expert Comment

by:Dirtpatch-Jenkins
ID: 23702839
DId the rar file extract with no errors?
0
 

Author Comment

by:GiforGOD
ID: 23702848
Yes, as far as I can tell it did. It shows as "avast! BART CD 2009.iso" in a file on my desktop called Jenkins. But when I try to burn it to a CD, I get that error message.
0
 
LVL 8

Assisted Solution

by:Dirtpatch-Jenkins
Dirtpatch-Jenkins earned 1200 total points
ID: 23702855
heres a link with a short list of burning apps...

http://www.petri.co.il/how_to_write_iso_files_to_cd.htm

if the rar file extracted with no errors then it will burn, i just used the same image this afternoon
0
 

Author Comment

by:GiforGOD
ID: 23702856
Xch, I have a Gateway
0
 

Author Comment

by:GiforGOD
ID: 23702890
Thanks Jenkins....it is now recording. Once finished, what do I do?
0
 

Author Comment

by:GiforGOD
ID: 23702930
Never mind....I rebooted and the Avast is scanning now. I set it on thorough and it is running now. I will run several things on it and then get back to everyone.

I asked the question earlier,......if this doesn't work.....and I can't find my Windows XP recovery disc.....what then????
0
 
LVL 8

Assisted Solution

by:Dirtpatch-Jenkins
Dirtpatch-Jenkins earned 1200 total points
ID: 23702931
put it in the cd and reboot... it will load,, bart CDs take a while,, but once it's loaded it's pretty straightforward.. run the antivirus let it scan,, will take awhile... when it's done right click the stuff it finds and select delete... then run the registry cleaner...
0
 

Author Comment

by:GiforGOD
ID: 23702938
gotcha
0
 
LVL 27

Expert Comment

by:David-Howard
ID: 23703097
If you don't have your OS CD you will need to hit Ebay, etc. and buy one.  You should have an OS cd no matter what the case. It's the only way you can run SFC SCANNOW, a Repair or an OS reload.
0
 
LVL 27

Expert Comment

by:David-Howard
ID: 23703098
Legally.
0
 

Author Comment

by:GiforGOD
ID: 23705169
Okay, here is what took place overnight. I ran the boot disc and the Avast found and deleted the following:
WIN32:Agent-QZQ (Trojan)
WIN32:DNSChanger-VJ (Trojan)
WIN32:Downloader-AVS (Spy)
WIN32: ADWARE-GEN (ASW)
WIN32:Trojano-214 (Trojan)

I then ran the registry cleaner. It was able to perform 6 of 7 functions but couldn't run the second one (Registry File Types) and came up with the error message "Can't Enumerate Subeys"

I finished everything, removed Boot CD and restarted. Tried to get on Experts-Exchange and a couple other sites that I use for my job, and again....no entry once I try to log in. On Facebook, my daughter can get on, however, just trying to launch her friends chat, or to update her profile....the page just bogs down and won't load.

I then tried to download and launch Malwarebytes program. Even renamed it. The program installed, but when I went to launch it....nothing.

I am truly stumped. AVG and AVAST combined have removed over 20 viruses, spyware, or adware and I am faced with the same thing.......What now?
0
 
LVL 8

Assisted Solution

by:Dirtpatch-Jenkins
Dirtpatch-Jenkins earned 1200 total points
ID: 23705208
I cant remember if i had sent you this link yet,,
http://safecomputing.umn.edu/guides/scan_unhackme.html

You could try that... i had a buddy with a NASTY rootkit and followed their advice and was at least able to save his personal files. he decided for a reinstall even though it seemed to have removed everything...which is what i would suggest for you just as soon as you can find/get disks.
0
 

Author Comment

by:GiforGOD
ID: 23705406
Thanks Jenkins, I will try this and will let you know. I think this is my last step, and depending on the outcome, will either save me, or have to re-install. Right now, I am leaving to get some divine intervention. Beats the heck out of me.....Jesus rose from the dead in three days, I can't even get my computer to resurrect in three.......I'll get back to you in a bit. THANKS!!!
0
 

Author Comment

by:GiforGOD
ID: 23706311
JENKINS!!!!!!!!!!!!!!!!!!!!

IT WORKED!!!!!!

I HAVE BEEN FREED FROM THE BONDAGE OF THE TROJAN ARMY!

Everything is working normally now and all the sites that I could not get into or work on are now operating properly, INCLUDING EXPERTS-EXCHANGE which I am accessing on my PC AS WE SPEAK!

I am ever grateful to ALL OF YOU who walked me through this absolute mess:

David, Jenkins, XCHangingIT, your tips, your patience, and most of all, your absolute and amazing EXPERTISE has made my day (and life a lot easier for now).

As I am somewhat new to this, I am not sure how to reward points in a case like this. I am certain that Jenkins last program suggestion could probably not have cleaned me up entirely. I believe that it was a host of suggestions and recommendations that got me through.....so my next questions, and don't be shy, how do I award the points. You are all deserving!
0
 
LVL 8

Expert Comment

by:Dirtpatch-Jenkins
ID: 23706334
My reward is the thanks you've already given... divvy them up as you see fit, it's all good here.

Glad you're back in PC action, keep an alert eye out for anything weird for awhile though, rootkits are sneaky.
0
 

Author Comment

by:GiforGOD
ID: 23706360
Jenkins and David, as I am hoping that I can download and now run several of the programs you all have suggested (i.e. Malware, Hackme, etc.)....what would you suggest I download and/or use on a regular basis to monitor these things. Also, I am using AVG as my anti-virus....and I am not too confident with it. I just downloaded and started using it a week ago, with updates, and all this stuff got through.....any suggestions...after all, you guys are the EXPERTS!
0
 
LVL 8

Expert Comment

by:Dirtpatch-Jenkins
ID: 23706395
Nothing is going to stop everything, but I've had very good success with avast.. free for home use.

A good real time scanner and some safe internet usage will go a far way.

Create a limited user account to use... if you need to install something you can right click and "run as" your admin account.

0
 

Author Closing Comment

by:GiforGOD
ID: 31549453
Amazing help and patience!
0
 

Expert Comment

by:antang
ID: 23711878
GiforGOD, sorry wasn't able to follow the thread over the weekend.  Please make sure to monitor your bank accounts and credit.  I had a co-worker that had his personal infected with same type and right after had his identity stolen.  Apparently his had a keylogger and was able to do purchases using info from his online banking and card purchases.
0
 

Author Comment

by:GiforGOD
ID: 23712063
Thanks for the advice. I have not seen any unusual activity as of yet, however, I did change passwords, etc.
0
