View Full Version : Computer infected win 32 Trojan SPY (2) HJT w/o word wrap
correctomundo
2009-10-20, 06:08
I have deactivated Tea Timer, ran Erunt and backed up the Registry, and now I am posting my HIJACKTHIS LOG
Thanks I need some help
Correctomundo
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:05:41, on 10/19/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal
Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Yahoo!\Common\YMailAdvisor.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\NETGEAR\WPN111 Configuration Utility\wpn111.exe
C:\Documents and Settings\Gary\Local Settings\Application Data\Autobahn\mlb-nexdef-autobahn.exe
C:\WINDOWS\TEMP\VRT2.tmp
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\FastNetSrv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpHost.exe
C:\WINDOWS\pchealth\helpctr\binaries\HelpCtr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\lsm32.sys
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: Cooliris Plug-In for Internet Explorer - {EAEE5C74-6D0D-4aca-9232-0DA4A7B866BA} - C:\Program Files\PicLensIE\cooliris.dll
O2 - BHO: IEButton Class - {F81D52BF-F2F1-4F49-BF5F-05664E803039} - C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [YMailAdvisor] "C:\Program Files\Yahoo!\Common\YMailAdvisor.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: MLB.TV NexDef Plug-in.lnk = C:\Documents and Settings\Gary\Local Settings\Application Data\Autobahn\mlb-nexdef-autobahn.exe
O4 - Global Startup: NETGEAR WPN111 Smart Wizard.lnk = ?
O9 - Extra button: Launch Cooliris - {3437D640-C91A-458f-89F5-B9095EA4C28B} - C:\Program Files\PicLensIE\cooliris.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\GameClient.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {657BEC11-C6BA-4E6B-A41A-F3C5E648C9FB} (GBSinkCtrl Class) - http://www.golfbuddyglobal.com/GBSync/GBSink.cab
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} (Java Plug-in 1.6.0_05) -
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {EAC139A9-D22D-4C29-8D1C-252BE63750F9} - http://www.cooliris.com/shared/plinstll.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: fastnetsrv Service (fastnetsrv) - Sigma Designs In - C:\WINDOWS\system32\FastNetSrv.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: SlingAgentService - Sling Media Inc. - C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
--
End of file - 10364 bytes
Hello correctomundo
Welcome to Safer Networking.
Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.
Download TFC (http://oldtimer.geekstogo.com/TFC.exe) to your desktop
Close any open windows.
Double click the TFC icon to run the program
TFC will close all open programs itself in order to run,
Click the Start button to begin the process.
Allow TFC to run uninterrupted.
The program should not take long to finish it's job
Once its finished it should automatically reboot your machine,
if it doesn't, manually reboot to ensure a complete clean
Please download RootRepeal one of these locations and save it to your desktop
Here (http://ad13.geekstogo.com/RootRepeal.exe)
Here (http://download.bleepingcomputer.com/rootrepeal/RootRepeal.exe)
Here (http://rootrepeal.psikotick.com/RootRepeal.exe)
Open http://billy-oneal.com/forums/rootRepeal/rootRepealDesktopIcon.png on your desktop.
Click the http://billy-oneal.com/forums/rootRepeal/reportTab.png tab.
Click the http://billy-oneal.com/forums/rootRepeal/btnScan.png button.
Check just these boxes:
http://forums.whatthetech.com/uploads/monthly_08_2009/post-75503-1250480183.gif
Push Ok
Check the box for your main system drive (Usually C:, and press Ok.
Allow RootRepeal to run a scan of your system. This may take some time.
Once the scan completes, push the http://billy-oneal.com/forums/rootRepeal/saveReport.png button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your post.
Please download Malwarebytes' Anti-Malware from Here ( http://www.malwarebytes.org/mbam-download.php) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)
Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
http://forums.whatthetech.com/post_a4255_MBAM.PNG
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected .
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report and also a new HJT log please
correctomundo
2009-10-21, 08:47
I did the TFC
I did Root repeal
I run Malwarebytes' Anti-Malware and I clean was is checked and when I restart the computer it runs the Windows Welcome screen, and then I get a
USERNIT LOGON Error
If I choose to close the computer will hang but I can hit CTRL- Alt _Delete and get into the Help Center and I hit support and click go to Microsoft newsgroup
then I get a desk top and browser
I cannot boot into SAFE Mode
I cannot access the windows recovery console
Please advise
GRR/Correctomundo
correctomundo
2009-10-21, 08:55
I can manipulate files through my Mail attachment mode, I have a back up hard drive.
I think i am missing a rundll file
I have a system recovery windows XP disk
In addition I have a Browser But no desktop
Lost and confused
Gary
Gary, try this
Go to Start> Shut off your Computer> Restart
As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,this will bring up a menu.
Use the Up and Down Arrow Keys to scroll up to Last Known Good
Then press the Enter Key on your Keyboard
Another option
2. A more powerful option
ctrl+Alt+del - to invoke TaskManager
Applications(tab)
New Task - (type)C:\WINDOWS\ServicePackFiles\i386\msconfig.exe
(System Configuration Utility panel should appear)
Select - TOOLS(tab) - Select - System Restore - Press Launch(button)
or type: C:\WINDOWS\system32\restore\rstrui.exe -enter
This should invoke the System Restore Panel from which you can select a prior Restore Point
Can you get into Malwarebytes through task manager Ctrl...Alt...Del ( File>New Task ) go there if you can and copy and paste the log for me to see
correctomundo
2009-10-21, 18:26
Malwarebytes Scan before IREMOVE SELECTED10/21
Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 2
10/21/2009 11:20:16 AM
mbam-log-2009-10-21 (11-20-04)3
Scan type: Quick Scan
Objects scanned: 101294
Time elapsed: 3 minute(s), 25 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\netlogin (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netlogin (Trojan.Agent) -> No action taken.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\BuildW (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\uid (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Ulrn (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Update (Malware.Trace) -> No action taken.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\Temp\cvc36.tmp (Worm.Parite) -> No action taken.
C:\WINDOWS\svchost.exe (Trojan.Agent) -> No action taken.
I am now going to Run Remove selected and see if I scan again before I have to REBOOT to finish the scan
Gary
correctomundo
2009-10-21, 18:44
PLEASE REALIZE I HAVE NOT REBOOTED, I HAVE A DESKTOP , BUT I HAVE NO PRINTERS
SHOULD I SYSTEM RESTORE
I AM AFRAID TO TURN OFF MY COMPUTER
gARY
Ok I have made some progress first Root Repeal
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/10/21 00:01
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================
Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAAC98000 Size: 98304 File Visible: No Signed: -
Status: -
Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B42000 Size: 8192 File Visible: No Signed: -
Status: -
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xAA350000 Size: 49152 File Visible: No Signed: -
Status: -
SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xaace06b8
#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xaace0574
#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xaace0a52
#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xaace014c
#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xaace064e
#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xaace008c
#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xaace00f0
#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xaace076e
#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xaace072e
#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xaace08ae
==EOF==
Next Malwarebytes Final scan before I reboot.
Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 2
10/21/2009 11:27:01 AM
mbam-log-2009-10-21 (11-27-01).txt
Scan type: Quick Scan
Objects scanned: 101294
Time elapsed: 3 minute(s), 25 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\netlogin (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netlogin (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\BuildW (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\uid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Ulrn (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Update (Malware.Trace) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\Temp\cvc36.tmp (Worm.Parite) -> Quarantined and deleted successfully.
C:\WINDOWS\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
NOW THE CURRENT HJT LOG AFTER FINAL MALAWARE SCAN BUT BEFORE REBOOT
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:31:44, on 10/21/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\pchealth\helpctr\binaries\helpctr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpHost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Yahoo!\Common\YMailAdvisor.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\NETGEAR\WPN111 Configuration Utility\wpn111.exe
C:\Documents and Settings\Gary\Local Settings\Application Data\Autobahn\mlb-nexdef-autobahn.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\dwwin.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wmdtc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\FastNetSrv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\lsm32.sys
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: Cooliris Plug-In for Internet Explorer - {EAEE5C74-6D0D-4aca-9232-0DA4A7B866BA} - C:\Program Files\PicLensIE\cooliris.dll
O2 - BHO: IEButton Class - {F81D52BF-F2F1-4F49-BF5F-05664E803039} - C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [YMailAdvisor] "C:\Program Files\Yahoo!\Common\YMailAdvisor.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: MLB.TV NexDef Plug-in.lnk = C:\Documents and Settings\Gary\Local Settings\Application Data\Autobahn\mlb-nexdef-autobahn.exe
O4 - Global Startup: NETGEAR WPN111 Smart Wizard.lnk = ?
O9 - Extra button: Launch Cooliris - {3437D640-C91A-458f-89F5-B9095EA4C28B} - C:\Program Files\PicLensIE\cooliris.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\GameClient.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {657BEC11-C6BA-4E6B-A41A-F3C5E648C9FB} (GBSinkCtrl Class) - http://www.golfbuddyglobal.com/GBSync/GBSink.cab
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} (Java Plug-in 1.6.0_05) -
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {EAC139A9-D22D-4C29-8D1C-252BE63750F9} - http://www.cooliris.com/shared/plinstll.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: fastnetsrv Service (fastnetsrv) - Sigma Designs In - C:\WINDOWS\system32\FastNetSrv.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: SlingAgentService - Sling Media Inc. - C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
--
End of file - 9905 bytes
WAITING TO HEAR FROM YOU
GARY
Gary, do a system restore and we can go from there
correctomundo
2009-10-21, 19:08
All system restore points are gone except when I got infected with the virus
What should I do?
Gary
Gary,
Its best to do a system restore so you can log into windows, we can start the cleanup after your able to reboot.
correctomundo
2009-10-21, 20:00
System restore did not take. I have a blue screen No desktop. I can get into the Task Manager and move around
Next ?
I really appreciate you helping me
I am going to run a Malaware Byte Scan, just to see what happens or there is mo Malaware Program
Next
Gary
Gary,
You backed up your registry with ERUNT, using Task Manager, go to the folder you saved it in and run it.
Backup Your Registry with ERUNT:
Download erunt.zip to your Desktop from here:
http://aumha.org/downloads/erunt.zip
Right-click erunt.zip, select Extract All... and follow the prompts to extract ERUNT to a new folder on your Desktop
Inside the new folder, double-click ERUNT.exe to start the program
OK all the prompts to back up your registry to the default location.Note: to restore your registry, go to the backup folder and start ERDNT.exe
correctomundo
2009-10-21, 21:40
I cannot find ERDNT.exe
I have no search ability
it is not in the ERUNT Program Folder
I also have no notepad
This is frustrating
Gary
Do you have your Windows CD or the Recovery CD that came with your computer, sounds like a System repair is in order
correctomundo
2009-10-22, 00:36
windows XP Product Recovery CD Rom is in my hand
Please advise
Gary
Gary,
I am going to link you to our sister site that will help you do a system repair. After there done post back here with a new HJT log and lets see where we are at.
http://forums.whatthetech.com/Microsoft_Windows_f119.html
correctomundo
2009-10-22, 01:11
What post do I read , what am I going to do?
"how to" with simple Windows task
How to Reformat and Reinstall your Operating System
or something else
Going to dinner be back in 2 hours
Gary
Gary,
The people in that forum are windows experts and they will be better equipped to help you. Just go to that site and register, like this forum its free and then start a new thread asking for someone to help you do a system repair. You can link them to this thread if you wish, I will keep an eye out on that forum and make sure your being helped. Just give them a brief rundown of whats going on and that you want to repair your system. After your done, post back here with a new HJT log and we can start from ground one again and make sure there is no malware present.
Gary,
Are you able to get into Malwarebytes thru task manager ?
If so, go to the Quarantine folder , select these two entries and restore them, there infected but it may get you back into windows and we can deal with them later
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netlogin
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\netlogin
correctomundo
2009-10-22, 03:58
I have a desktop but a very unstable system
I have a control panel also
Gary
correctomundo
2009-10-22, 04:13
I have run ERDNT.exe and restored registry but windows does not load as it used to I had to go to ctl-alt del and load explorer exe from the task manager
so I now have reinfected my computer and have an unstable system
Should we start over with root repeal etc?
or do we go to the other forum?
Gary
Run this program and lets see whats going on. If its malware causing this we can work on cleaning it, if not then a system repair may be needed..
This wont fix anything but I need to see the report
Download random's system information tool (RSIT) by random/random from here (http://images.malwareremoval.com/random/RSIT.exe) and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
correctomundo
2009-10-22, 04:41
cannot find the site or link for rsit.exe it appears to have been declared unstable and compromised
Gary
Try this one
Download Trendmicros Hijackthis (http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe) to your desktop.
Double click it to install
Follow the prompts and by default it will install in C:\Program Files\Trendmicro\Hijackthis\Highjackthis.exe
Open HJT Scan and Save a Log File, it will open in Notepad
Go to Format and make sure Wordwrap is Unchecked
Go to Edit> Select All.....Edit > Copy and Paste the new log into this thread by using the Submit Reply and not start a New Thread.
DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.
correctomundo
2009-10-22, 05:13
new hijack this log 10/21/2009
Thanks again Ken for working with me
Gary
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:08:55, on 10/21/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\FastNetSrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Yahoo!\Common\YMailAdvisor.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\NETGEAR\WPN111 Configuration Utility\wpn111.exe
C:\Documents and Settings\Gary\Local Settings\Application Data\Autobahn\mlb-nexdef-autobahn.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\9129837.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\sv3.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\svchust.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: Cooliris Plug-In for Internet Explorer - {EAEE5C74-6D0D-4aca-9232-0DA4A7B866BA} - C:\Program Files\PicLensIE\cooliris.dll
O2 - BHO: IEButton Class - {F81D52BF-F2F1-4F49-BF5F-05664E803039} - C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [YMailAdvisor] "C:\Program Files\Yahoo!\Common\YMailAdvisor.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ttool] C:\WINDOWS\9129837.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: MLB.TV NexDef Plug-in.lnk = C:\Documents and Settings\Gary\Local Settings\Application Data\Autobahn\mlb-nexdef-autobahn.exe
O4 - Global Startup: NETGEAR WPN111 Smart Wizard.lnk = ?
O9 - Extra button: Launch Cooliris - {3437D640-C91A-458f-89F5-B9095EA4C28B} - C:\Program Files\PicLensIE\cooliris.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\GameClient.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {657BEC11-C6BA-4E6B-A41A-F3C5E648C9FB} (GBSinkCtrl Class) - http://www.golfbuddyglobal.com/GBSync/GBSink.cab
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} (Java Plug-in 1.6.0_05) -
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {EAC139A9-D22D-4C29-8D1C-252BE63750F9} - http://www.cooliris.com/shared/plinstll.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (file missing)
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe (file missing)
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: fastnetsrv Service (fastnetsrv) - Sigma Designs In - C:\WINDOWS\system32\FastNetSrv.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Net Login (NetLogin) - Unknown owner - C:\WINDOWS\svchost.exe
O23 - Service: Net_Login - Unknown owner - C:\WINDOWS\svchust.exe
O23 - Service: SlingAgentService - Sling Media Inc. - C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
--
End of file - 10151 bytes
Good Morning,
You have a very heavily infected computer, thats the reason for the instability.
Download ComboFix from one of these locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
http://img.photobucket.com/albums/v706/ried7/RC1.png
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://img.photobucket.com/albums/v706/ried7/RC2-1.png
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.
*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
correctomundo
2009-10-22, 17:20
Combofix will not run it says go to Bleeping computer (WHICH I DID) and load the current version
also in the warning which says my version is compromised it says my version may be infected with the virus virut
Gary
Gary,
Virut, I was kind of afraid of that. Run this tool and post the report.
Download Dr.Web CureIt (ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe) to the desktop:
Doubleclick the drweb-cureit icon to start the program.
press start
Allow the program to run the initial express scan
This will scan the files currently running in memory. If something is found, click the YES button when it asks you if you want to cure it. This is only a short scan.
Note: A pop up may appear during this phase suggesting you purchase their program - click the X at the top right corner of this pop-up to close it.
Once the short scan has finished, check the Complete scan box on the left side, even if nothing was found on the initial scan.
Then click the small green arrow button on the right under the Dr.Web Antivirus picture to start the complete scan. (This scan will take several hours)
During this complete scan - if Dr.Web finds an infection a window will pop up requesting your attention. Select the Cure button.
Note:(If the file cannot be cured, Dr.Web will automatically delete the file)
Once the scan is complete, on the menu bar, click file and choose report list.
Save the report to your desktop. The report will be called DrWeb.csv
Note:this report will need to be renamed to Dr.Web.txt in order to post it on the forum.
Close Dr.Web Cureit.
Please post the Dr.Web.txt report in your next reply
correctomundo
2009-10-23, 08:00
Ken I rebooted and I am running the program again, it takes awhile as you know but I did not know what to do with the various things that were not eradicated cured or deleted. after you read this log get back to me and tell me if you want me to try to cure,delete or move the other items
thanks
Gary
Process in memory: C:\WINDOWS\System32\svchost.exe:3572;;Win32.Parite.2;Eradicated.;
svchust.exe;c:\windows;Win32.Parite.2;Cured.;
qja1c.tmp;c:\windows\temp;Win32.Parite.2;Deleted.;
RegUBP2b-Gary.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;
svc[1].php;C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\2WHK716G;Win32.Parite.2;Cured.;
svc[2].php;C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\2WHK716G;Win32.Parite.2;Cured.;
svc[4].php;C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\2WHK716G;Win32.Parite.2;Cured.;
svc[5].php;C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\2WHK716G;Win32.Parite.2;Cured.;
svc[6].php;C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\2WHK716G;Win32.Parite.2;Cured.;
svc[7].php;C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\2WHK716G;Win32.Parite.2;Cured.;
svc[1].php;C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\441TC34B;Win32.Parite.2;Cured.;
svc[3].php;C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\441TC34B;Win32.Parite.2;Cured.;
svc[5].php;C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\441TC34B;Win32.Parite.2;Cured.;
svc[6].php;C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\441TC34B;Win32.Parite.2;Cured.;
svc[8].php;C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\441TC34B;Win32.Parite.2;Cured.;
svc[1].php;C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\6042FWHZ;Win32.Parite.2;Cured.;
svc[2].php;C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\6042FWHZ;Win32.Parite.2;Cured.;
svc[5].php;C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\6042FWHZ;Win32.Parite.2;Cured.;
svc[6].php;C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\6042FWHZ;Win32.Parite.2;Cured.;
svc[7].php;C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\6042FWHZ;Win32.Parite.2;Cured.;
svc[10].php;C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\PAN5DU9B;Win32.Parite.2;Cured.;
svc[11].php;C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\PAN5DU9B;Win32.Parite.2;Cured.;
svc[3].php;C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\PAN5DU9B;Win32.Parite.2;Cured.;
svc[4].php;C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\PAN5DU9B;Win32.Parite.2;Cured.;
svc[5].php;C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\PAN5DU9B;Win32.Parite.2;Cured.;
svc[7].php;C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\PAN5DU9B;Win32.Parite.2;Cured.;
svc[8].php;C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\PAN5DU9B;Win32.Parite.2;Cured.;
svc[9].php;C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\PAN5DU9B;Win32.Parite.2;Cured.;
A0005466.exe;C:\System Volume Information\_restore{5E4AC574-7D47-4190-9115-F14BF9D6C1B2}\RP1;Tool.Prockill;;
A0010588.exe;C:\System Volume Information\_restore{5E4AC574-7D47-4190-9115-F14BF9D6C1B2}\RP2;Win32.Parite.2;Cured.;
A0010651.exe;C:\System Volume Information\_restore{5E4AC574-7D47-4190-9115-F14BF9D6C1B2}\RP2;Tool.Prockill;;
A0011002.exe;C:\System Volume Information\_restore{5E4AC574-7D47-4190-9115-F14BF9D6C1B2}\RP3;Win32.Parite.2;Cured.;
A0011009.exe;C:\System Volume Information\_restore{5E4AC574-7D47-4190-9115-F14BF9D6C1B2}\RP3;Win32.Parite.2;Cured.;
A0011398.exe;C:\System Volume Information\_restore{5E4AC574-7D47-4190-9115-F14BF9D6C1B2}\RP3;Tool.Prockill;;
A0011494.exe;C:\System Volume Information\_restore{5E4AC574-7D47-4190-9115-F14BF9D6C1B2}\RP3;Win32.Parite.2;Cured.;
A0011509.exe;C:\System Volume Information\_restore{5E4AC574-7D47-4190-9115-F14BF9D6C1B2}\RP3;Win32.Parite.2;Cured.;
A0012525.exe;C:\System Volume Information\_restore{5E4AC574-7D47-4190-9115-F14BF9D6C1B2}\RP3;Win32.Parite.2;Cured.;
A0012528.exe;C:\System Volume Information\_restore{5E4AC574-7D47-4190-9115-F14BF9D6C1B2}\RP3;Win32.Parite.2;Cured.;
A0013536.exe;C:\System Volume Information\_restore{5E4AC574-7D47-4190-9115-F14BF9D6C1B2}\RP3;Win32.Parite.2;Cured.;
A0013548.exe;C:\System Volume Information\_restore{5E4AC574-7D47-4190-9115-F14BF9D6C1B2}\RP3;Win32.Parite.2;Cured.;
A0013557.exe;C:\System Volume Information\_restore{5E4AC574-7D47-4190-9115-F14BF9D6C1B2}\RP3;Win32.Parite.2;Cured.;
A0013590.exe\32788R22FWJFW\FIND3M.bat;C:\System Volume Information\_restore{5E4AC574-7D47-4190-9115-F14BF9D6C1B2}\RP3\A0013590.exe;Probably BATCH.Virus;;
A0013590.exe;C:\System Volume Information\_restore{5E4AC574-7D47-4190-9115-F14BF9D6C1B2}\RP3;Archive contains infected objects;Moved.;
A0013592.exe;C:\System Volume Information\_restore{5E4AC574-7D47-4190-9115-F14BF9D6C1B2}\RP3;Adware.Cfd;;
A0015536.INS;C:\System Volume Information\_restore{5E4AC574-7D47-4190-9115-F14BF9D6C1B2}\RP3;Probably DLOADER.Trojan;;
A0015547.exe;C:\System Volume Information\_restore{5E4AC574-7D47-4190-9115-F14BF9D6C1B2}\RP3;Win32.Parite.2;Cured.;
A0015548.exe;C:\System Volume Information\_restore{5E4AC574-7D47-4190-9115-F14BF9D6C1B2}\RP3;Win32.Parite.2;Cured.;
A0015549.exe;C:\System Volume Information\_restore{5E4AC574-7D47-4190-9115-F14BF9D6C1B2}\RP3;Win32.Parite.2;Cured.;
A0015553.reg;C:\System Volume Information\_restore{5E4AC574-7D47-4190-9115-F14BF9D6C1B2}\RP4;Trojan.StartPage.1505;Deleted.;
isvchost.exe;C:\WINDOWS;Win32.Parite.2;Cured.;
SC.INS;C:\WINDOWS;Probably DLOADER.Trojan;;
sv2.exe;C:\WINDOWS;Win32.Parite.2;Cured.;
Process.exe;C:\WINDOWS\system32;Tool.Prockill;;
acj8A.tmp;C:\WINDOWS\Temp;Win32.Parite.2;Deleted.;
cha10.tmp;C:\WINDOWS\Temp;Win32.Parite.2;Deleted.;
cra1.tmp;C:\WINDOWS\Temp;Win32.Parite.2;Deleted.;
dca15.tmp;C:\WINDOWS\Temp;Win32.Parite.2;Deleted.;
dzd7E.tmp;C:\WINDOWS\Temp;Win32.Parite.2;Deleted.;
fha16.tmp;C:\WINDOWS\Temp;Win32.Parite.2;Deleted.;
fqd50.tmp;C:\WINDOWS\Temp;Win32.Parite.2;Deleted.;
gnj8E.tmp;C:\WINDOWS\Temp;Win32.Parite.2;Deleted.;
gwa12.tmp;C:\WINDOWS\Temp;Win32.Parite.2;Deleted.;
gzd53.tmp;C:\WINDOWS\Temp;Win32.Parite.2;Deleted.;
jca10.tmp;C:\WINDOWS\Temp;Win32.Parite.2;Deleted.;
jja16.tmp;C:\WINDOWS\Temp;Win32.Parite.2;Deleted.;
kxa13.tmp;C:\WINDOWS\Temp;Win32.Parite.2;Deleted.;
lgd77.tmp;C:\WINDOWS\Temp;Win32.Parite.2;Deleted.;
nha15.tmp;C:\WINDOWS\Temp;Win32.Parite.2;Deleted.;
ona17.tmp;C:\WINDOWS\Temp;Win32.Parite.2;Deleted.;
ona1D.tmp;C:\WINDOWS\Temp;Win32.Parite.2;Deleted.;
owd52.tmp;C:\WINDOWS\Temp;Win32.Parite.2;Deleted.;
qsa1.tmp;C:\WINDOWS\Temp;Win32.Parite.2;Deleted.;
sqj90.tmp;C:\WINDOWS\Temp;Win32.Parite.2;Deleted.;
sxd7D.tmp;C:\WINDOWS\Temp;Win32.Parite.2;Deleted.;
tqa1E.tmp;C:\WINDOWS\Temp;Win32.Parite.2;Deleted.;
tra3.tmp;C:\WINDOWS\Temp;Win32.Parite.2;Deleted.;
ujaA.tmp;C:\WINDOWS\Temp;Win32.Parite.2;Deleted.;
vad4F.tmp;C:\WINDOWS\Temp;Win32.Parite.2;Deleted.;
VRT2.tmp;C:\WINDOWS\Temp;Probably DLOADER.Trojan;;
VRT4.tmp;C:\WINDOWS\Temp;Probably DLOADER.Trojan;;
VRT6.tmp;C:\WINDOWS\Temp;Probably DLOADER.Trojan;;
xaa17.tmp;C:\WINDOWS\Temp;Win32.Parite.2;Deleted.;
xla17.tmp;C:\WINDOWS\Temp;Win32.Parite.2;Deleted.;
yza14.tmp;C:\WINDOWS\Temp;Win32.Parite.2;Deleted.;
zxa14.tmp;C:\WINDOWS\Temp;Win32.Parite.2;Deleted.;
Great, if you had Virut ( which is uncleanable ) Dr Web would have found it
Lets try running Combofix again, drag your current copy to the trash and run it this way renamed. If it still gives you issues than run it in Safemode.
To Enter Safemode
Go to Start> Shut off your Computer> Restart
As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
this will bring up a menu.
Use the Up and Down Arrow Keys to scroll up to Safemode with Networking
Then press the Enter Key on your Keyboard
Tutorial if you need it How to boot into Safemode (http://www.bleepingcomputer.com/tutorials/tutorial61.html)
If it gives you a warning about being infected, its not, run it anyway
Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)
http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif
http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
http://img.photobucket.com/albums/v706/ried7/RC1.png
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://img.photobucket.com/albums/v706/ried7/RC2-1.png
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.
*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
correctomundo
2009-10-23, 16:29
combofix please be aware in order to get it to boot after reboot I did a ctl-alt delete and ran explorer exe through the task manager very quickly as soon as welcome screen came up because my usernit exe is defective
Thanks
Gary
here is the combo fix log
ComboFix 09-10-22.01 - Gary 10/23/2009 8:55.3.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1014.636 [GMT -4:00]
Running from: c:\documents and settings\Gary\desktop\Combo-Fix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\program files\IEToolbar
c:\program files\Protection System
c:\program files\Protection System\uninst.exe
c:\windows\9129837.exe
c:\windows\Fonts\services.exe
c:\windows\Install.txt
c:\windows\isvchost.exe
c:\windows\svchost.exe
c:\windows\system32\1995463.exe
c:\windows\system32\2471582.exe
c:\windows\system32\404Fix.exe
c:\windows\system32\6279718.exe
c:\windows\system32\6to4ex.dll
c:\windows\system32\8.tmp
c:\windows\system32\8377344.exe
c:\windows\system32\certstore.dat
c:\windows\system32\dumphive.exe
c:\windows\system32\F.tmp
c:\windows\system32\FInstall.sys
c:\windows\system32\Iasv32.dll
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\Install.txt
c:\windows\system32\Ipripv32.dll
c:\windows\system32\Irmonv32.dll
c:\windows\system32\msxm192z.dll
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe
c:\windows\TEMP\hba18.tmp
c:\windows\TEMP\mta13187.dll
c:\windows\TEMP\vna1.tmp
----- BITS: Possible infected sites -----
hxxp://updates.swarmcast.net
c:\windows\system32\userinit.exe . . . is infected!!
c:\windows\system32\spoolsv.exe . . . is infected!!
c:\windows\explorer.exe . . . is infected!!
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_6TO4
-------\Legacy_IAS
-------\Service_6to4
-------\Service_Ias
((((((((((((((((((((((((( Files Created from 2009-09-23 to 2009-10-23 )))))))))))))))))))))))))))))))
.
2009-10-23 13:14 . 2009-10-23 13:14 600026 ----a-w- c:\windows\isvchost.exe
2009-10-23 05:09 . 2009-10-23 05:10 2268672 ----a-w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\cooliris-win-iefull-release-1.11.5.29501.en-US.msi
2009-10-23 00:31 . 2009-10-23 03:16 -------- d-----w- c:\documents and settings\Gary\DoctorWeb
2009-10-22 00:58 . 2009-10-22 00:58 152 ----a-w- c:\windows\system32\api.reg
2009-10-22 00:58 . 2009-10-22 01:10 40960 ----a-w- c:\windows\sv3.exe
2009-10-22 00:58 . 2009-10-22 00:58 40960 ----a-w- c:\windows\system32\csrs32.exe
2009-10-22 00:58 . 2009-10-23 12:54 151552 ----a-w- c:\windows\sv2.exe
2009-10-22 00:21 . 2009-10-22 00:21 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Adobe
2009-10-21 18:48 . 2009-10-21 18:48 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Yahoo!
2009-10-21 18:48 . 2009-10-23 12:53 745436 ----a-w- c:\windows\svchust.exe
2009-10-21 18:07 . 2009-10-21 18:07 -------- d-----w- c:\windows\system32\wbem\Repository
2009-10-21 17:08 . 2009-10-23 13:12 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-10-21 17:08 . 2009-10-22 01:09 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Cooliris
2009-10-21 17:08 . 2009-10-21 18:06 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Google
2009-10-21 04:11 . 2009-10-21 04:11 -------- d-----w- c:\documents and settings\Gary\Application Data\Malwarebytes
2009-10-21 04:11 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-21 04:11 . 2009-10-22 00:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-21 04:11 . 2009-10-21 04:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-21 04:11 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-20 08:57 . 2009-10-20 08:57 47104 ----a-w- c:\windows\system32\kadg0.dll
2009-10-20 08:15 . 2009-10-20 09:38 47104 ----a-w- c:\windows\system32\kapg1.dll
2009-10-20 02:03 . 2009-10-21 18:06 -------- d-----w- c:\program files\ERUNT
2009-10-19 23:28 . 2009-09-03 09:17 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-10-19 20:23 . 2009-09-23 12:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-10-19 20:21 . 2009-10-19 20:22 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-10-17 11:30 . 2009-10-17 11:31 -------- d-----w- c:\program files\iTunes
2009-10-17 11:30 . 2009-10-17 11:31 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-10-17 11:28 . 2009-10-17 11:29 -------- d-----w- c:\program files\QuickTime
2009-10-14 00:06 . 2009-10-14 00:06 0 ----a-w- c:\windows\nsreg.dat
2009-10-14 00:06 . 2009-10-14 00:06 -------- d-----w- c:\documents and settings\Gary\Local Settings\Application Data\Mozilla
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-23 13:14 . 2009-10-23 13:14 501072 ----a-w- c:\windows\svchost.exe
2009-10-23 13:14 . 2009-10-23 13:14 88576 ----a-w- c:\windows\system32\8.tmp
2009-10-23 13:14 . 2009-10-23 13:14 52 ----a-w- c:\windows\system32\7.tmp
2009-10-23 12:52 . 2009-10-23 12:52 88576 ----a-w- c:\windows\system32\15.tmp
2009-10-23 12:52 . 2009-10-23 12:52 52 ----a-w- c:\windows\system32\14.tmp
2009-10-23 09:01 . 2009-10-23 09:01 88576 ----a-w- c:\windows\system32\193.tmp
2009-10-23 09:01 . 2009-10-23 09:01 52 ----a-w- c:\windows\system32\192.tmp
2009-10-23 08:04 . 2009-10-23 08:04 88576 ----a-w- c:\windows\system32\184.tmp
2009-10-23 08:04 . 2009-10-23 08:04 52 ----a-w- c:\windows\system32\183.tmp
2009-10-23 07:22 . 2009-10-23 07:22 88576 ----a-w- c:\windows\system32\17A.tmp
2009-10-23 07:22 . 2009-10-23 07:22 52 ----a-w- c:\windows\system32\179.tmp
2009-10-23 06:39 . 2009-10-23 06:39 88576 ----a-w- c:\windows\system32\16E.tmp
2009-10-23 06:39 . 2009-10-23 06:39 52 ----a-w- c:\windows\system32\16C.tmp
2009-10-23 05:58 . 2009-10-23 05:58 88576 ----a-w- c:\windows\system32\94.tmp
2009-10-23 05:58 . 2009-10-23 05:58 52 ----a-w- c:\windows\system32\93.tmp
2009-10-23 04:48 . 2009-10-23 04:48 88576 ----a-w- c:\windows\system32\13.tmp
2009-10-23 04:48 . 2009-10-23 04:48 52 ----a-w- c:\windows\system32\B.tmp
2009-10-23 00:44 . 2009-10-23 00:44 88576 ----a-w- c:\windows\system32\11.tmp
2009-10-23 00:44 . 2009-10-23 00:44 52 ----a-w- c:\windows\system32\A.tmp
2009-10-23 00:39 . 2005-11-09 16:46 90112 ----a-w- c:\windows\DUMP66d8.tmp
2009-10-22 02:49 . 2009-10-22 02:49 88576 ----a-w- c:\windows\system32\87.tmp
2009-10-22 02:49 . 2009-10-22 02:49 46080 ----a-w- c:\windows\system32\86.tmp
2009-10-22 02:49 . 2009-10-22 02:49 1 ----a-w- c:\windows\system32\85.tmp
2009-10-22 02:49 . 2009-10-22 02:49 152 ----a-w- c:\windows\system32\84.tmp
2009-10-22 02:15 . 2009-10-22 02:15 88576 ----a-w- c:\windows\system32\6C.tmp
2009-10-22 02:15 . 2009-10-22 02:15 46080 ----a-w- c:\windows\system32\6B.tmp
2009-10-22 02:15 . 2009-10-22 02:15 1 ----a-w- c:\windows\system32\6A.tmp
2009-10-22 02:15 . 2009-10-22 02:15 152 ----a-w- c:\windows\system32\69.tmp
2009-10-22 01:45 . 2009-10-22 01:45 88576 ----a-w- c:\windows\system32\4E.tmp
2009-10-22 01:45 . 2009-10-22 01:45 46080 ----a-w- c:\windows\system32\4D.tmp
2009-10-22 01:45 . 2009-10-22 01:45 1 ----a-w- c:\windows\system32\4C.tmp
2009-10-22 01:45 . 2009-10-22 01:45 152 ----a-w- c:\windows\system32\4B.tmp
2009-10-22 01:08 . 2009-10-22 01:08 1 ----a-w- c:\windows\system32\6.tmp
2009-10-22 01:08 . 2009-10-22 01:08 152 ----a-w- c:\windows\system32\5.tmp
2009-10-22 00:56 . 2009-10-22 00:56 88576 ----a-w- c:\windows\system32\12.tmp
2009-10-22 00:56 . 2009-10-22 00:56 1 ----a-w- c:\windows\system32\10.tmp
2009-10-22 00:56 . 2009-10-22 00:56 152 ----a-w- c:\windows\system32\E.tmp
2009-10-21 18:47 . 2009-10-21 18:47 88576 ----a-w- c:\windows\system32\76.tmp
2009-10-21 18:47 . 2009-10-21 18:47 1 ----a-w- c:\windows\system32\74.tmp
2009-10-21 18:47 . 2009-10-21 18:47 152 ----a-w- c:\windows\system32\73.tmp
2009-10-21 17:55 . 2009-10-21 17:55 88576 ----a-w- c:\windows\system32\4A.tmp
2009-10-21 17:55 . 2009-10-21 17:55 46080 ----a-w- c:\windows\system32\49.tmp
2009-10-21 17:55 . 2009-10-21 17:55 1 ----a-w- c:\windows\system32\48.tmp
2009-10-21 17:55 . 2009-10-21 17:54 152 ----a-w- c:\windows\system32\45.tmp
2009-10-21 17:07 . 2009-10-21 17:07 1 ----a-w- c:\windows\system32\D.tmp
2009-10-21 17:07 . 2009-10-21 17:07 152 ----a-w- c:\windows\system32\C.tmp
2009-10-21 05:59 . 2009-10-21 05:59 88576 ----a-w- c:\windows\system32\35.tmp
2009-10-21 05:59 . 2009-10-21 05:59 52 ----a-w- c:\windows\system32\34.tmp
2009-10-19 19:19 . 2005-11-19 06:07 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-19 05:17 . 2009-10-19 05:17 360320 ----a-w- c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL
2009-10-19 05:17 . 2004-08-04 12:00 360320 ----a-w- c:\windows\system32\drivers\TCPIP.SYS
2009-10-19 04:26 . 2005-11-16 20:43 -------- d-----w- c:\documents and settings\Gary\Application Data\Apple Computer
2009-10-17 11:30 . 2005-11-16 20:41 -------- d-----w- c:\program files\iPod
2009-10-17 11:30 . 2007-10-17 02:54 -------- d-----w- c:\program files\Common Files\Apple
2009-10-15 11:00 . 2005-11-20 04:35 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-14 01:09 . 2005-08-18 16:12 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-14 01:08 . 2008-10-29 01:18 -------- d-----w- c:\program files\Sling Media
2009-10-14 00:36 . 2008-10-28 15:10 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-10-14 00:36 . 2008-12-25 05:39 -------- d-----w- c:\program files\Microsoft Silverlight
.
------- Sigcheck -------
[-] 2009-10-19 . 073941D59AE065910064B728DEE981EE . 360320 . . [5.1.2600.3394] . . c:\windows\system32\drivers\TCPIP.SYS
[-] 2009-10-19 . 073941D59AE065910064B728DEE981EE . 360320 . . [5.1.2600.3394] . . c:\windows\system32\dllcache\TCPIP.SYS
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\tcpip.sys
[7] 2007-10-30 . 90CAFF4B094573449A0872A0F919B178 . 360064 . . [5.1.2600.3244] . . c:\windows\SoftwareDistribution\Download\146ae5e7b51a37f45e0e5cf03d0d5e3c\sp2gdr\tcpip.sys
[7] 2007-10-30 . 64798ECFA43D78C7178375FCDD16D8C8 . 360832 . . [5.1.2600.3244] . . c:\windows\SoftwareDistribution\Download\146ae5e7b51a37f45e0e5cf03d0d5e3c\sp2qfe\tcpip.sys
[7] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . c:\windows\SoftwareDistribution\Download\556eb98436b65a8c1ffae674c83d197f\sp2qfe\tcpip.sys
[7] 2006-04-20 . 1DBF125862891817F374F407626967F4 . 359808 . . [5.1.2600.2892] . . c:\windows\SoftwareDistribution\Download\556eb98436b65a8c1ffae674c83d197f\sp2gdr\tcpip.sys
[7] 2006-01-13 . 5562CC0A47B2AEF06D3417B733F3C195 . 360448 . . [5.1.2600.2827] . . c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
[7] 2006-01-13 . 583E063FDC888CA30D05C2724B0D7EF4 . 359808 . . [5.1.2600.2827] . . c:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2006-01-13 . 583E063FDC888CA30D05C2724B0D7EF4 . 359808 . . [5.1.2600.2827] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
[7] 2005-05-25 . 63FDFEA54EB53DE2D863EE454937CE1E . 359936 . . [5.1.2600.2685] . . c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
[7] 2005-05-25 . 88763A98A4C26C409741B4AA162720C9 . 359808 . . [5.1.2600.2685] . . c:\windows\$NtUninstallKB913446$\tcpip.sys
[7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB893066$\tcpip.sys
[-] 2008-04-14 . FDEA57347422CEA11001017CDBFF5C54 . 77824 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\spoolsv.exe
[-] 2005-06-11 . 072D265123BA0DE72164650865B597EF . 77824 . . [5.1.2600.2696] . . c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
[-] 2005-06-10 . ABE76286DB60CFE5118D8E4A6B1D181E . 77824 . . [5.1.2600.2696] . . c:\windows\$NtServicePackUninstall$\spoolsv.exe
[-] 2005-06-10 . 3CCE02A058AA7B5BCBD59A735CB0CECD . 77824 . . [5.1.2600.2696] . . c:\windows\system32\spoolsv.exe
[-] 2005-06-10 . 66FA6DED8ED160AADE9589B97E9CC5E1 . 77824 . . [5.1.2600.2696] . . c:\windows\system32\dllcache\spoolsv.exe
[-] 2004-08-04 . C585F5D6532BBA2E7EF8CD519DA49B98 . 77824 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB896423$\spoolsv.exe
[-] 2008-04-14 . EE19B8A150726417906AC7B5C277AE55 . 46080 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\userinit.exe
[-] 2004-08-04 . E77ABA5E9DCB5017177AB85403C426F4 . 44544 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\userinit.exe
[-] 2004-08-04 . 8D313B4492405C23D9DDA67CEC9B25A4 . 44544 . . [5.1.2600.2180] . . c:\windows\system32\userinit.exe
[-] 2004-08-04 . 00E7A8967E3A424D5A7203B796A51A45 . 44544 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\userinit.exe
[-] 2008-04-14 . 9F43812F67EB91B4E48BEA2890F2BD8D . 1053696 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\explorer.exe
[-] 2007-06-13 . 4A80FBD97374B88F42AB1F90928DBEF3 . 1053184 . . [6.00.2900.3156] . . c:\windows\SoftwareDistribution\Download\44d74c37f0595a363bcec5e9229d8564\sp2qfe\explorer.exe
[-] 2007-06-13 . 94F72526C871E3C5F246DC46C1239B93 . 1053184 . . [6.00.2900.3156] . . c:\windows\SoftwareDistribution\Download\44d74c37f0595a363bcec5e9229d8564\sp2gdr\explorer.exe
[-] 2004-08-04 . AABA49DFBCB2B3C7BE79790A857C0C78 . 1052160 . . [6.00.2900.2180] . . c:\windows\explorer.exe
[-] 2004-08-04 . F04ED01CE85FA2CFE95543512F1A8D7E . 1052160 . . [6.00.2900.2180] . . c:\windows\$NtServicePackUninstall$\explorer.exe
[-] 2004-08-04 . 6A66AC311C7394F0C2B6BEA81CBC38EE . 1052160 . . [6.00.2900.2180] . . c:\windows\system32\dllcache\explorer.exe
[-] 2008-04-14 . 6CAFAD84E7732B2EA2F06BB41B1A61A2 . 13824 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\wscntfy.exe
[-] 2004-08-04 . 086228E32B7F28AFC8355DCF531EEFC1 . 13824 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\wscntfy.exe
[-] 2004-08-04 . E5134C7AEABD3C0767A9655EB628F0E1 . 33792 . . [5.1.2600.2180] . . c:\windows\system32\wscntfy.exe
[-] 2004-08-04 . 735BDC8AFF984D0FD8061492180B058F . 13824 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\wscntfy.exe
[-] 2008-04-14 . F1C5863B75EABF8897D46EC3B1EE303F . 15360 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\ctfmon.exe
[-] 2004-08-04 . 08EC683DB46326984FC5819BB6029D2E . 15360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ctfmon.exe
[-] 2004-08-04 . EB6A459C13A043C366043F53CFF6DA5C . 35328 . . [5.1.2600.2180] . . c:\windows\system32\ctfmon.exe
[-] 2004-08-04 . DB3B978AFAE42CEA36D541C22BEA8DD0 . 15360 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\ctfmon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-11 39408]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-05 114688]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-05 135168]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-12-12 217088]
"YMailAdvisor"="c:\program files\Yahoo!\Common\YMailAdvisor.exe" [2008-06-05 125208]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 53248]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 176128]
"IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2005-04-09 7102464]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-02-01 185896]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 438272]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-11 39408]
c:\documents and settings\Gary\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 60928]
MLB.TV NexDef Plug-in.lnk - c:\documents and settings\Gary\Local Settings\Application Data\Autobahn\mlb-nexdef-autobahn.exe [2009-4-1 801032]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
NETGEAR WPN111 Smart Wizard.lnk - c:\program files\NETGEAR\WPN111 Configuration Utility\wpn111.exe [2006-3-19 512000]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\explorer.exe,"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"PicasaNet"="c:\program files\Hello\Hello.exe" -b
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Hello\\Hello.exe"=
"c:\\Program Files\\SkyGolf\\SkyCaddie Desktop\\SkyCaddieDesktop.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [10/19/2009 04:23 PM 64288]
R2 BtwSrv;BtwSrv;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 08:00 AM 14336]
R2 fastnetsrv;fastnetsrv Service;c:\windows\system32\FastNetSrv.exe [8/4/2004 08:00 AM 114688]
R2 Ias;Windows Protected Network;c:\windows\System32\svchost.exe -k netsvcs [8/4/2004 08:00 AM 14336]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 07:17 AM 1170768]
R2 SlingAgentService;SlingAgentService;c:\program files\Sling Media\SlingAgent\SlingAgentService.exe [4/27/2009 06:09 PM 93960]
S1 aswSP;avast! Self Protection; [x]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys --> c:\windows\system32\DRIVERS\aswFsBlk.sys [?]
S2 Net_Login;Net_Login;c:\windows\svchust.exe [10/21/2009 02:48 PM 745436]
S2 NetLogin;Net Login;c:\windows\svchost.exe [10/23/2009 09:14 AM 1168384]
S3 ATHFMWDL;NETGEAR WPN111 Bootloader driver;c:\windows\system32\drivers\athwpn.sys [3/19/2006 09:12 PM 43392]
S3 daqdrv;daqdrv;c:\windows\system32\daqdrv.sys [8/4/2004 08:00 AM 2304]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [3/18/2006 05:43 PM 17149]
S3 getPlusHelper;getPlus(R) Helper;c:\windows\System32\svchost.exe -k getPlusHelper [8/4/2004 08:00 AM 14336]
S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\drivers\WPN111.sys [3/19/2006 09:12 PM 286720]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - 6TO4
*NewlyCreated* - BTWSRV
*NewlyCreated* - IAS
*NewlyCreated* - NETLOGIN
*NewlyCreated* - NET_LOGIN
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
BtwSrv
.
Contents of the 'Scheduled Tasks' folder
2009-10-19 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 20:22]
2009-10-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: {657BEC11-C6BA-4E6B-A41A-F3C5E648C9FB} - hxxp://www.golfbuddyglobal.com/GBSync/GBSink.cab
DPF: {EAC139A9-D22D-4C29-8D1C-252BE63750F9} - hxxp://www.cooliris.com/shared/plinstll.cab
FF - ProfilePath - c:\documents and settings\Gary\Application Data\Mozilla\Firefox\Profiles\x3v93ogc.default\
FF - prefs.js: browser.startup.homepage - hxxp://yahoo.com
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-Protection System - c:\program files\Protection System\psystem.exe
HKCU-Run-Security Center - c:\windows\sc.exe
HKLM-Run-avast! - c:\progra~1\ALWILS~1\Avast4\ashDisp.exe
HKU-Default-Run-ttool - c:\windows\9129837.exe
AddRemove-avast! - c:\program files\Alwil Software\Avast4\aswRunDll.exe
AddRemove-{01386D1F-ADE7-43B4-A4E9-312FC5BC726F}_is1 - c:\dj930\flash\Program Files\UnH Solutions\SWF Opener\unins000.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-23 09:12
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
c:\windows\system32\Install.txt 265 bytes
c:\windows\system32\BtwSrv.dllx 45568 bytes executable
c:\windows\system32\7.tmp 52 bytes
c:\windows\system32\8.tmp 88576 bytes executable
scan completed successfully
hidden files: 4
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(644)
c:\program files\Bonjour\mdnsNSP.dll
- - - - - - - > 'explorer.exe'(2632)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\program files\Internet Explorer\IEXPLORE.EXE
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
c:\combo-fix\CF3147.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wmdtc.exe
c:\windows\system32\lsm32.sys
c:\combo-fix\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-23 9:20 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-23 13:20
ComboFix2.txt 2008-11-11 22:19
Pre-Run: 88,781,328,384 bytes free
Post-Run: 88,978,399,232 bytes free
- - End Of File - - 8B26DD0E4BFD3E51088034C55E8D5755
----------------------------------------------------------------------
HIJACK THIS LOG
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:27:42, on 10/23/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Yahoo!\Common\YMailAdvisor.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\NETGEAR\WPN111 Configuration Utility\wpn111.exe
C:\Documents and Settings\Gary\Local Settings\Application Data\Autobahn\mlb-nexdef-autobahn.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wmdtc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\FastNetSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\lsm32.sys
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\explorer.exe,
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: Cooliris Plug-In for Internet Explorer - {EAEE5C74-6D0D-4aca-9232-0DA4A7B866BA} - C:\Program Files\PicLensIE\cooliris.dll
O2 - BHO: IEButton Class - {F81D52BF-F2F1-4F49-BF5F-05664E803039} - C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [YMailAdvisor] "C:\Program Files\Yahoo!\Common\YMailAdvisor.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: MLB.TV NexDef Plug-in.lnk = C:\Documents and Settings\Gary\Local Settings\Application Data\Autobahn\mlb-nexdef-autobahn.exe
O4 - Global Startup: NETGEAR WPN111 Smart Wizard.lnk = ?
O9 - Extra button: Launch Cooliris - {3437D640-C91A-458f-89F5-B9095EA4C28B} - C:\Program Files\PicLensIE\cooliris.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\GameClient.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {657BEC11-C6BA-4E6B-A41A-F3C5E648C9FB} (GBSinkCtrl Class) - http://www.golfbuddyglobal.com/GBSync/GBSink.cab
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} (Java Plug-in 1.6.0_05) -
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {EAC139A9-D22D-4C29-8D1C-252BE63750F9} - http://www.cooliris.com/shared/plinstll.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (file missing)
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe (file missing)
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: fastnetsrv Service (fastnetsrv) - Netopsystems A - C:\WINDOWS\system32\FastNetSrv.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Net Login (NetLogin) - Unknown owner - C:\WINDOWS\svchost.exe
O23 - Service: Net_Login - Unknown owner - C:\WINDOWS\svchust.exe
O23 - Service: SlingAgentService - Sling Media Inc. - C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
--
End of file - 9492 bytes
Hello Gary,
This is most likely one of the heavily infected computers that I have come across in a long time. My gut feeling here are that you would be better off doing a format and reinstall of windows. Not just a system repair but a complete format and a clean install. This is like playing wack a mole, we remove some and other stuff pops up. With the system files that are infected I am still leaning towards Virut
We can try a few more things before we go to a format. Your userinit file is infected so everytime you log on to windows your bringing the infection along with it.
This tool needs to be run from Safemode to be effective so download it to your desktop then boot to Safemode to run it
To Enter Safemode
Go to Start> Shut off your Computer> Restart
As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
this will bring up a menu.
Use the Up and Down Arrow Keys to scroll up to Safemode
Then press the Enter Key on your Keyboard
Tutorial if you need it How to boot into Safemode (http://www.bleepingcomputer.com/tutorials/tutorial61.html)
Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.
Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
Post the log and then run this online virus scanner
Please run this free online virus scanner from ESET (http://www.eset.eu/online-scanner)
Note: You will need to use Internet explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic
Hello Gary,
Been going over your Combofix log and you do have a file or two that are Virut related so forgo the fixes in my previous post. This infection is uncleanable as it infects every exe , scr file on your entire system including backup folders and your programs.
Example
c:\windows\system32\userinit.exe If we where to replace this with the file in your i386 folder we would just be replacing an infected file with another infected one.
The only recourse is to do a complete format of your operating system and a clean install of windows. You even need to delete the partition on your hard drive that hosts the operating system and during the set up process you can create a new one. I am afraid also that most of your stuff is gone , if you backup and save documents and pictures, its possible that there infected as well and you can reinfect yourself by re installing them.
You can read about it here
http://miekiemoes.blogspot.com/2009/02/virut-and-other-file-infectors-throwing.html
Sorry I don't have better news for you. If you need help with the reinstall please let me know and I can link you to a windows site that can help you.
correctomundo
2009-10-23, 22:29
Ken I cannot get into safe mode tell me how to reformat and reinstall windows
Gary
Gary,
You dont need to go to safemode to format and reinstall, what needs to be done is to have your bios set so that you can boot from a CD, then you put the Windows CD in , restart and you can format and reinstall from there. You need to go to this site and post in there forum, tell them your infected with Virut and you need to do a format and reinstall. They can run you through setting the bios and doing the reinstall. This is our sister site and like here its free but you need to sign up for an account and then you can post.
http://forums.whatthetech.com/Microsoft_Windows_f119.html
Good Luck,
Ken