Nasty trojan on my computer Downloader.Zlob.XST

Sandor
2008-11-30, 04:31
I have a nasty virus on my computer - which I tried to get rid of with combofix on my own, it didn't work, I posted on bleepingcomputer and got no help, and so I found this place and maybe someone will help me. Perhaps pskelley, I saw a post of his and he certainly had a lot more useful things to say about the post of his I saw than the guy on bleepingcomputer had for my problem.

This is 3 months old. Yes, 3 months. I have all but given up, but someone suggested I go here. AVG identifies it as Trojan Horse Downloader.Zlob.XST

First there's this iiFwxXQg.dll in windows\system32 that combofix left without fixing but it left a bunch of stuff. Particularly this wpa thing. I can actually delete the iiFwxXQg entries from the registry, but not the wpa ones - and the iiFwxXQg entries are back when the computer is restarted. Also, it did a nice little rude trick on me when I fought with it a couple of times. Now any time I start up windows in regular mode, it insists I have not registered windows with Microsoft and insists I call up microsoft, give them a code and get an activation code again. Then when it's actually running, it very strongly tries to persuade me to connect to the internet (I have that cable firmly uprooted from the back of the computer and it is NOT going back in) - I have a feeling the virus is trying to connect to the internet to download its components that I was able to remove successfully. It doesn't NORMALLY actually TELL me in a popup window that the internet connection is gone and ask me if I want to connect or work in offline mode but it does NOW - it NORMALLY just has a "network cable unplugged" in the bottom right corner. But when I start in windows safe mode, it doesn't require that I reregister windows, it's only normal mode. Here is what the combofix log says. Everything on this list from September 4 through 2 am on September 5 is a part of the virus, and everything on September 10 as well. Everything else is legitimate stuff.

((((((((((((((((((((((((( Files Created from 2008-08-11 to 2008-09-11 )))))))))))))))))))))))))))))))
.

2008-09-10 23:44 . 2008-09-10 23:44 2,364 --a------ C:\WINDOWS\system32\wpa.bak
2008-09-10 23:37 . 2008-09-10 23:44 2,364 --a------ C:\WINDOWS\system32\wpa.dbl
2008-09-05 06:09 . 2008-09-05 06:12 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\uTorrent
2008-09-05 06:02 . 2008-09-05 06:02 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-09-05 06:01 . 2007-10-05 13:57 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Gtek
2008-09-05 06:01 . 2008-09-05 06:01 <DIR> d-------- C:\Documents and Settings\Administrator
2008-09-05 05:56 . 2008-09-05 10:39 6,995 --a------ C:\1.nri
2008-09-05 01:18 . 2008-09-05 01:18 34,176 --a------ C:\WINDOWS\system32\iiFwxXQg.dll
2008-09-05 01:17 . 2008-09-04 19:51 86,016 --a------ C:\WINDOWS\sxmaokgf.exe
2008-09-04 21:59 . 2008-09-04 21:59 264,629 --a------ C:\WINDOWS\version.exe
2008-08-29 10:43 . 2008-08-29 10:43 <DIR> d-------- C:\Program Files\Common Files\Bcgsoft
2008-08-29 10:43 . 2008-08-29 10:43 <DIR> d-------- C:\Documents and Settings\User\Application Data\Global Forex Trading
2008-08-29 10:34 . 2008-08-29 10:34 <DIR> d-------- C:\Program Files\DealBook 360
2008-08-29 10:34 . 2008-08-29 10:34 <DIR> d-------- C:\Documents and Settings\User\Application Data\InstallShield Installation Information
2008-08-18 19:29 . 2008-08-18 19:29 <DIR> d-------- C:\Program Files\Wisdom-soft AutoScreenRecorder Free
2008-08-18 10:47 . 2008-08-18 10:53 9,624,587 --a------ C:\creationistsilliness3.mp4
2008-08-18 10:28 . 2008-08-18 10:45 25,219,690 --a------ C:\creationistsilliness2.mp4
2008-08-18 10:20 . 2008-08-18 10:26 8,898,985 --a------ C:\creationistsilliness1.mp4
2008-08-12 08:43 . 2008-08-12 08:43 <DIR> d-------- C:\Program Files\DVD Decrypter


I know that hijackthis classified that iiFwxXQg.dll process in the same category as winlogon and it was the ONLY thing alongside winlogon. I bought a hard drive enclosure, hoping that I could access the hard drive with my laptop but apparently because it's a multipartition drive it won't work with that. Nor will any of my OLDER (120 MHz era) computers acknowledge the existence of the drive when I try to use it as a slave. Or rather, one of them does - and it refuses to even boot up with it there as a slave.

I got it from an e-book I downloaded with the innocuous title of "asteroids, comets, and meteors" which I got through bittorrent (it tells me the IP, the $#^$# is still seeding it! He's identified as 24.2.115.160:49152
c-24-2-115-160.hsd1.mn.comcast.net Azureus/3110 - do you suppose this could be useful in tracking him down and getting him arrested or something?). I don't know if it's a real book within that or it's just more of the virus or what, but the password generator program is what put the virus on my computer - I know because as soon as I ran it and it told me the password was BOOGER suddenly my computer started telling me "should I allow these changes to the registry" and I kept telling it no. But apparently Spybot teatimer didn't stop all of them, because I certainly never answered yes to any of them but there it was on my computer. Someone please suggest what I should do.

So we're dealing with something teatimer didn't stop and presumably therefore spybot can't do a thing about, I just thought I should point out since this is forums.spybot.info after all.
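
The ComboFix "Files Created" listing quoted in the post above has a fixed line layout, so it can be triaged mechanically. The following Python script is an added example and is not code from the thread, from ComboFix or from Spybot: it parses that section and flags the entries the poster's own description points at, namely new PE files dropped directly under C:\WINDOWS or system32, filenames that look machine-generated (like iiFwxXQg.dll and sxmaokgf.exe), and a rewritten wpa.dbl/wpa.bak (the XP product-activation store, which is consistent with the activation prompt described). The two time windows are taken from the post; the name heuristic, the reason strings and the extension list are assumptions made for illustration, not vendor signatures.

```python
import re
from datetime import datetime

# Layout of one ComboFix "Files Created" line, as in the log quoted in the post:
#   <created> . <modified> <size or <DIR>> <attribute flags> <path>
_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+"
    r"(?P<attrs>[-A-Za-z]{9})\s+"
    r"(?P<path>\S.*)$"
)
_FMT = "%Y-%m-%d %H:%M"

# Assumed heuristics (not from the post or any vendor signature).
PE_EXT = {".exe", ".dll", ".sys", ".scr", ".ocx"}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}
WPA_FILES = {r"c:\windows\system32\wpa.dbl", r"c:\windows\system32\wpa.bak"}

# The two windows the poster attributes to the infection: 4 Sep up to 02:00 on
# 5 Sep, and all of 10 Sep 2008.
INFECTION_WINDOWS = [
    (datetime(2008, 9, 4), datetime(2008, 9, 5, 2, 0)),
    (datetime(2008, 9, 10), datetime(2008, 9, 10, 23, 59)),
]

# Copied from the ComboFix output quoted in the post above.
SAMPLE_LOG = r"""
2008-09-10 23:44 . 2008-09-10 23:44 2,364 --a------ C:\WINDOWS\system32\wpa.bak
2008-09-10 23:37 . 2008-09-10 23:44 2,364 --a------ C:\WINDOWS\system32\wpa.dbl
2008-09-05 06:09 . 2008-09-05 06:12 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\uTorrent
2008-09-05 06:02 . 2008-09-05 06:02 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-09-05 06:01 . 2007-10-05 13:57 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Gtek
2008-09-05 06:01 . 2008-09-05 06:01 <DIR> d-------- C:\Documents and Settings\Administrator
2008-09-05 05:56 . 2008-09-05 10:39 6,995 --a------ C:\1.nri
2008-09-05 01:18 . 2008-09-05 01:18 34,176 --a------ C:\WINDOWS\system32\iiFwxXQg.dll
2008-09-05 01:17 . 2008-09-04 19:51 86,016 --a------ C:\WINDOWS\sxmaokgf.exe
2008-09-04 21:59 . 2008-09-04 21:59 264,629 --a------ C:\WINDOWS\version.exe
2008-08-29 10:43 . 2008-08-29 10:43 <DIR> d-------- C:\Program Files\Common Files\Bcgsoft
2008-08-29 10:43 . 2008-08-29 10:43 <DIR> d-------- C:\Documents and Settings\User\Application Data\Global Forex Trading
2008-08-29 10:34 . 2008-08-29 10:34 <DIR> d-------- C:\Program Files\DealBook 360
2008-08-29 10:34 . 2008-08-29 10:34 <DIR> d-------- C:\Documents and Settings\User\Application Data\InstallShield Installation Information
2008-08-18 19:29 . 2008-08-18 19:29 <DIR> d-------- C:\Program Files\Wisdom-soft AutoScreenRecorder Free
2008-08-18 10:47 . 2008-08-18 10:53 9,624,587 --a------ C:\creationistsilliness3.mp4
2008-08-18 10:28 . 2008-08-18 10:45 25,219,690 --a------ C:\creationistsilliness2.mp4
2008-08-18 10:20 . 2008-08-18 10:26 8,898,985 --a------ C:\creationistsilliness1.mp4
2008-08-12 08:43 . 2008-08-12 08:43 <DIR> d-------- C:\Program Files\DVD Decrypter
"""


def parse_files_created(text):
    """Parse the 'Files Created' section into dicts; lines that do not match are skipped."""
    entries = []
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            continue
        d = m.groupdict()
        is_dir = d["size"] == "<DIR>"
        entries.append({
            "created": datetime.strptime(d["created"], _FMT),
            "modified": datetime.strptime(d["modified"], _FMT),
            "is_dir": is_dir,
            "size": None if is_dir else int(d["size"].replace(",", "")),
            "attrs": d["attrs"],
            "path": d["path"],
        })
    return entries


def looks_generated(stem):
    """Assumed name heuristic: exactly 8 letters that are either vowel-poor or
    switch case mid-word (matches iiFwxXQg and sxmaokgf; 'version' does not)."""
    if len(stem) != 8 or not stem.isalpha():
        return False
    vowel_ratio = sum(c in "aeiou" for c in stem.lower()) / len(stem)
    mixed_case = any(c.isupper() for c in stem[1:]) and any(c.islower() for c in stem)
    return vowel_ratio < 0.3 or mixed_case


def triage(entries, windows=None):
    """Return the entries created inside any of the windows (all entries if
    windows is None) that match a heuristic, oldest first, with their reasons."""
    findings = []
    for e in entries:
        if windows and not any(lo <= e["created"] <= hi for lo, hi in windows):
            continue
        path = e["path"]
        parent, _, name = path.rpartition("\\")
        stem, dot, ext = name.rpartition(".")
        if not dot:
            stem, ext = name, ""
        ext = ("." + ext).lower() if ext else ""
        is_pe = not e["is_dir"] and ext in PE_EXT
        reasons = []
        if is_pe and parent.lower() in SYSTEM_DIRS:
            reasons.append("new executable directly under %WINDIR% or system32")
        if is_pe and looks_generated(stem):
            reasons.append("machine-generated-looking filename")
        if path.lower() in WPA_FILES:
            reasons.append("product-activation store (wpa.dbl/wpa.bak) rewritten")
        if reasons:
            findings.append({"path": path, "created": e["created"], "reasons": reasons})
    return sorted(findings, key=lambda f: f["created"])


def triage_sample():
    """Run the heuristics over the quoted log restricted to the poster's windows."""
    return triage(parse_files_created(SAMPLE_LOG), INFECTION_WINDOWS)


if __name__ == "__main__":
    for finding in triage_sample():
        print(finding["created"].strftime(_FMT), finding["path"])
        for reason in finding["reasons"]:
            print("    -", reason)
```

Run against the quoted log with the poster's two windows, it reports version.exe, sxmaokgf.exe, iiFwxXQg.dll, wpa.dbl and wpa.bak and nothing else; the uTorrent, SUPERAntiSpyware and C:\1.nri entries fall outside the windows and the August entries are ordinary installs and media files. The windows are only a filter on what the poster already attributes to the infection; pass `windows=None` to apply the heuristics to the whole section, and treat the name heuristic as a prompt for a closer look rather than a verdict.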

tashi
2008-11-30, 08:51
I have a nasty virus on my computer - which I tried to get rid of with combofix on my own, it didn't work, I posted on bleepingcomputer and got no help,



... and he certainly had a lot more useful things to say about the post of his I saw than the guy on bleepingcomputer had for my problem.


This is 3 months old. Yes, 3 months. I have all but given up,

Your helper offered sound advice back in September, apparently you chose not to follow it.
http://www.bleepingcomputer.com/forums/topic168346.html (http://www.bleepingcomputer.com/forums/index.php?showtopic=168346&st=0&p=942378&#entry942378)

Oct 17 2007, no follow up.
http://www.bleepingcomputer.com/forums/topic112160.html#entry639912

Our volunteer helpers are at several forums, including BC.

This forum's stickied topics:
Do NOT run 'FIXES' before helpers have analyzed the HJT log (http://forums.spybot.info/showthread.php?t=16806)

P2P programs (http://forums.spybot.info/showpost.php?p=218503&postcount=4)

"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)


Regards.

Sandor
2008-12-01, 02:28
No follow up? The post on Oct 17 2007 at 02:47 PM was the followup. So he posted something after it, am I supposed to keep responding forever? Someone has to get the last word, I see no reason it has to be me. But that was a year ago, a virus that was resolved with combofix right away, problem solved, completely different problem from a year earlier. Has nothing to do with this. The reason you bring it up is obviously only to demonize me.

SO. As for the other thing. Sound advice? I didn't see any sound advice. He asked me to try some antispyware program that wasn't fundamentally different from any others in that it isn't a specific fix for this specific problem but rather something that will merely SCAN for and TRY to remove it on rebooting the computer - except even worse, unlike the numerous other antispyware programs that are floating around out there, this one apparently only works when it's connected to the internet, which he specifically said! From dealing with the virus in 2007, the one which was not this one but I can tell you, was very much like it, THAT one was immune to all those antispyware programs' attempts to reboot and get it before it has time to start. Superantispyware, spyware doctor, search and destroy, etcetera etcetera, one after another promised that it would remove it, and all I had to do was reboot the computer and it would take it out before it could start. And of course they ALL did the same thing, which was to fail, because they couldn't get it early enough. It was the type of process that starts right at the very, very beginning.

And so is this virus. Which is why I know that some generic antispyware program designed to scan for infections that it isn't specifically made to destroy as a sort of jack-of-all-trades-master-of-none isn't going to work. And one that requires the computer be connected to the internet or else it doesn't WORK? I explained that the thing was ACTIVELY vicious and trying to persuade me to connect to the internet. It's not just a trojan. It's a trojan DOWNLOADER. If I give that computer an internet connection, it's going to turn it from a crippled computer to a dead computer faster than I can say "I told you so". Kind of like saying "I'll give you the cure to your cold but first you have to stick your hand in that box filled with malaria carrying mosquitoes" and count to 5. No, I'm not going to connect the computer to the internet and no, I thought that the advice was not sound, it was absolutely dreadful.

Sound advice would be "oh, this is the ????? virus, we see that all the time. Here, run this script in combofix and it will remove it for you." Or "please show us your complete combofix and hijackthis logs and I'll give you the script you need". Or something I can't think of, but isn't the same old thing I tried zillions of times on that first virus in 2007 that didn't work on it and so I can't imagine could possibly work on the SUPER virus now which is even stronger than the one a year ago, a prospective cure which at the same time requires me to take a risk like letting it connect to the internet.

tashi
2008-12-01, 07:46
Hello Sandor,
No follow up? The post on Oct 17 2007 at 02:47 PM was the followup. So he posted something after it, am I supposed to keep responding forever? Someone has to get the last word, I see no reason it has to be me. But that was a year ago, a virus that was resolved with combofix right away, problem solved, completely different problem from a year earlier. Has nothing to do with this. The reason you bring it up is obviously only to demonize me.

Oct 17 2007, 03:06 PM. Last post in that topic and it is relevant because of the history.

Helper:

Click the Show Report button and Copy&Paste the entire report in your next reply.

SO. As for the other thing. Sound advice? I didn't see any sound advice.
<snip>
Sound advice would be "oh, this is the ????? virus, we see that all the time. Here, run this script in combofix and it will remove it for you." Or "please show us your complete combofix and hijackthis logs and I'll give you the script you need". Or something I can't think of, but isn't the same old thing I tried zillions of times on that first virus in 2007 that didn't work on it and so I can't imagine could possibly work on the SUPER virus now which is even stronger than the one a year ago, a prospective cure which at the same time requires me to take a risk like letting it connect to the internet.
As it appears you do not wish to take the advice of trained malware analysts who volunteer their time, there is no reason for you to request assistance.

Good day.