Computer Hijacked today, blocks S&D, blocks this website, corrupts AVG downloads, etc



extinct
2008-08-24, 18:11
This is the worst virus/malware I have ever had and the first time I have had to seek advice for removal.

Here is HJT 2.0.2
StartupList report, 8/24/2008, 11:01:29 AM
StartupList version: 1.52.2
Started from : C:\Program Files\Trend Micro\HijackThis\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
c:\windows\system32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

HijackThis startup scan = C:\Program Files\Trend Micro\HijackThis\HijackThis.exe /startupscan

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Task Scheduler jobs:

Spybot - Search & Destroy - Scheduled Task.job

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx
CODEBASE = http://download.macromedia.com/pub/s...sh/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll

--------------------------------------------------
End of report, 3,089 bytes
Report generated in 0.016 seconds

extinct
2008-08-24, 18:12
Here is the HJT SCAN log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:15 AM, on 8/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
c:\windows\system32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files\Trend Micro\HijackThis\HijackThis.exe /startupscan
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 922 bytes
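A scan log like the one above is just text with a fixed shape (header lines, a "Running processes:" block, then numbered O/R/F/N entries), so it can be parsed and pre-screened before a human reads it. The following is an added example, not code from the poster or from HijackThis: it parses the scan log pasted above (embedded as SAMPLE_LOG, with the "Logfile" header line restored) and applies two of my own triage heuristics, flagging O23 services with no registered owner and O4 autostarts or processes that live outside the usual Windows and Program Files locations. The heuristics are assumptions for illustration, not HijackThis verdicts; a hit means "look closer", not "malware".

```python
"""Triage helper for HijackThis 2.x scan logs.

Added example: not code from the forum post or from HijackThis itself.
SAMPLE_LOG is the scan log the poster pasted; the triage rules below are
my own heuristics (assumptions for illustration), not HijackThis verdicts.
"""
import re
from dataclasses import dataclass, field

SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:15 AM, on 8/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
c:\windows\system32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files\Trend Micro\HijackThis\HijackThis.exe /startupscan
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 922 bytes
"""

ENTRY_RE = re.compile(r"^([ORFN]\d+) - (.*)$")
# O23 lines look like: Service: <display name> (<short name>) - <owner> - <path>
SERVICE_RE = re.compile(r"^Service: (.+?) \((.+?)\) - (.+?) - (.+)$")
# Paths where legitimate XP autostarts rarely live; a hit is worth a look (assumption).
USER_WRITABLE = ("\\temp\\", "\\application data\\", "\\local settings\\", "\\documents and settings\\")
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")


@dataclass
class HjtReport:
    platform: str = ""
    processes: list = field(default_factory=list)   # full paths under "Running processes:"
    entries: list = field(default_factory=list)     # (code, text) tuples, e.g. ("O4", "...")
    findings: list = field(default_factory=list)    # human-readable triage notes


def parse_hjt_log(text):
    """Parse a HijackThis scan log into an HjtReport and run the triage rules on it."""
    report = HjtReport()
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Platform:"):
            report.platform = line.split(":", 1)[1].strip()
        elif line == "Running processes:":
            in_processes = True
        elif in_processes:
            if not line:            # blank line ends the process block
                in_processes = False
            else:
                report.processes.append(line)
        else:
            m = ENTRY_RE.match(line)
            if m:
                report.entries.append((m.group(1), m.group(2)))
    triage(report)
    return report


def triage(report):
    """Append triage notes for entries that a responder would want to verify by hand."""
    for code, text in report.entries:
        low = text.lower()
        if code == "O4" and any(p in low for p in USER_WRITABLE):
            report.findings.append(f"{code} autostart runs from a user-writable path: {text}")
        if code == "O23":
            m = SERVICE_RE.match(text)
            if m and m.group(3) == "Unknown owner":
                report.findings.append(
                    f"O23 service '{m.group(2)}' has no registered owner; verify the binary: {m.group(4)}")
    for proc in report.processes:
        if not proc.lower().startswith(TRUSTED_PREFIXES):
            report.findings.append(f"process outside Windows/Program Files: {proc}")


if __name__ == "__main__":
    r = parse_hjt_log(SAMPLE_LOG)
    print(f"{r.platform}: {len(r.processes)} processes, {len(r.entries)} entries")
    for note in r.findings:
        print("  *", note)
```

On the log above the only note is the Broadcom tray service, which is a legitimate wireless driver component on this machine; the point is that the parser gives a responder a short list to verify rather than a verdict, and the rule set can be extended with the locations and entry types that matter in a given environment.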

extinct
2008-08-24, 18:22
Now, on to what it has done.

First, it changed my desktop picture. The new picture was telling me my computer was infected lol.
Then a window popped up asking to install some kind of "anti virus". It had no cancel button, and could not be moved. Only an "AGREE/INSTALL" lol. I opened task manager and closed it.

So the first thing I do is open Spybot. I run the update; it downloads and tries to connect to 127.0.0.1 for the install... which errors and fails. Thinking it was a fluke I go to Google to find Spybot and re-download...

only to find that it changes all of my Google searches. Even if I copy the link it's a long string of crap that sends me all over the place. So Google fails. I go to download.com and download Spybot from there, only to find the file corrupted. Then I try downloading AVG... Corrupted. Whatever I have corrupts these files if I try to download, from Firefox or IE, I tried both.

So I find the Spybot website and realize it also blocks websites. I can't even come to this forum from the infected computer, it's blocked out. It blocks Trend, Norton, etc...

So to recap:
Corrupts anti-virus downloads
Redirects Google searches
Blocks websites associated with anti-malware
Changed desktop picture
Tried to install fake anti-malware program
ALSO randomly freezes startup? I have to restart several times to get in.
Even safe mode freezes up.


So I come to an uninfected computer and download HJT, make a log, bring the log back to this computer and here I am.
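Two of the symptoms listed above, the update installer trying to reach 127.0.0.1 and security-vendor sites being unreachable from the infected machine only, are what a responder sees when name resolution for those sites has been tampered with locally. A rewritten hosts file is one well-known way that is done; the post does not establish which mechanism was at work on this machine, so treat that as an assumption. The following added example (my code, not the poster's or Spybot's) audits a hosts file, reporting every non-localhost name pinned to a loopback address and every name on a small watch-list that has any hosts override at all. The sample file and the watch-list (built from the vendors named in the thread) are constructed for illustration; on XP the real file is %SystemRoot%\system32\drivers\etc\hosts.

```python
"""Audit a Windows/Unix hosts file for name-resolution hijacks.

Added example: not code from the forum post or from Spybot. SAMPLE_HOSTS is a
constructed file, not the one from the infected machine; WATCH_LIST is an
assumption built from the vendor names mentioned in the thread.
"""
import ipaddress
import sys

# Constructed sample: the two loopback lines mimic the "update connects to
# 127.0.0.1" symptom; the intranet line is a legitimate override for contrast.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.safer-networking.org   # constructed hijack line
127.0.0.1       free.avg.com               # constructed hijack line
10.0.0.5        intranet.example
"""

# Substrings of hostnames a responder would not expect to see overridden (assumption).
WATCH_LIST = ("spybot", "safer-networking", "avg", "trendmicro", "norton", "google")
LOCAL_NAMES = ("localhost", "localhost.localdomain")


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping; comments and blanks are skipped."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower(), n


def audit_hosts(text):
    """Return a list of (line_no, hostname, ip, reason) for entries worth verifying."""
    findings = []
    for ip, name, n in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((n, name, ip, "unparseable address"))
            continue
        if addr.is_loopback and name not in LOCAL_NAMES:
            # Classic symptom: vendor sites "connect" to the machine itself and fail.
            findings.append((n, name, ip, "non-localhost name pinned to loopback"))
        elif any(hint in name for hint in WATCH_LIST):
            # Any override of a watched name, loopback or not, deserves a look.
            findings.append((n, name, ip, "watch-list name overridden in hosts"))
    return findings


if __name__ == "__main__":
    # Usage: python hosts_audit.py [path-to-hosts]; with no path the sample is audited.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for line_no, name, ip, reason in audit_hosts(text):
        print(f"line {line_no}: {name} -> {ip}: {reason}")
```

The loopback rule is deliberately broad: on a client machine almost nothing but localhost belongs on 127.0.0.1, so every other loopback line is listed rather than only those matching the watch-list. Cleaning a tampered file restores resolution but does not remove whatever wrote it, which is why the thread goes on to a full scan and a possible restore.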

extinct
2008-08-24, 18:23
Yes I am planning a full restore, obviously I was just trying to avoid this if possible but can do easily enough. I thought maybe you would have experience with this particular malicious pos

extinct
2008-08-24, 19:17
After some searching I realize I might need to get ComboFix, Malwarebytes, JavaRa, Java runtime, and otscan it. I have downloaded all of these on my good computer (since the infected computer won't connect to those sites) and I just need to run out and buy a blank CD to burn it all so I can bring it over to the infected one...

extinct
2008-08-26, 00:47
Attempted to install recovery console and it pops up with

"combofix has detected rootkit activity and needs to restart your machine"

So I let it do it. And... that's it? I tried again and got the same result. I'm not going to run ComboFix until someone tells me to though.

tashi
2008-09-03, 21:06
Hello extinct,

Because of the volume of posts to your own topic, it would have appeared you were already being assisted. :eek: Volunteer analysts look for topics with no response.

For people waiting who have not resolved their problem, we have a sticky topic:
Post here if still waiting for help in the Malware Forum, (AFTER) FOUR days (http://forums.spybot.info/forumdisplay.php?f=37)

If you still require help, please start a new topic and include a fresh HijackThis log with a link to this thread in your new topic.

Best wishes,