Virus has disabled my System Restore

[deadful_melody]

Hello, first time posting on the forums here.

My computer's contracted a nasty virus that has disabled my System Restore, and continually tries to delete my Spybot registry entries (I am running Spybot 1.3).

I think the restore files are still on the recovery partition (it's nearly 4 gig in size), but the restore calendar has only one date, today, when the computer was infected.

I downloaded and ran Hijackthis 2.0.2 (results below). I have not done the Kapersky or installed the Spybot 1.5 because I am unsure if it will conflict with the currently running Spybot 1.3, which keeps popping up messages.

Here is the Hijack this output. The BHO object "atlc.dll" is new and obviously a source of trouble....I see it in the address line of my browser when I get redirected to shopping pages I didn't try to go to.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:31:57 PM, on 11/2/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alias\Maya7.0\docs\wrapper.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Alias\Maya7.0\docs\jre\bin\java.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\S3apphk.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.msn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http:///
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http:///
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\System32\svcpack.exe
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A0ED3DB7-5956-48AF-8979-9B2AD828475A} - C:\WINDOWS\System32\atlc.dll
O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\mldsrngl.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\owinmndt.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: customize__IE.lnk = C:\hp\REGION\customizeIe.wsf
O4 - Global Startup: MsnFixer.lnk = ?
O4 - Global Startup: msupd31582.exe
O4 - Global Startup: msupd39588.exe
O4 - Global Startup: Update_0711_KB010623.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} -
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - http://akamai.downloadv3.com/binaries/IA/ia_XP.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/288e32c81131677...zip/RdxIE2.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {87D1A6EF-8CBC-458A-84B5-0333562418CD} -
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} -
O16 - DPF: {C1C2AC28-5E4B-4228-B7A0-05E986FFCE14} -
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O16 - DPF: {F5131C24-E56D-11CF-B78A-444553540000} (Ikonic Menu Control) - http://activex.microsoft.com/control...b/ikcntrls.cab
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - C:\Program Files\Alias\Maya7.0\docs\wrapper.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 6618 bytes


Any help will be appreciated. Thank you.

[Mr_JAk3]

Hello deadful_melody and welcome to the Forums

One or more of the identified infections is a backdoor trojan

This allows hackers to remotely control your computer, steal critical system information and Download and Execute files

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

I can help you in the cleaning if you don't want to reformat but there is a possibility that we can't get you 100% clean.

Please let us know what you have decided to do in your next post

[deadful_melody]

Thanks for your reply, Mr_JAk3.

I have decided to reformat and reinstall.

At the moment I have no Recovery disk, just the D: partition with the recovery information. However, I do not trust that this is uninfected, since the System Restore files are on the same partition and the virus managed to knock those out of commission. So I have ordered a set of recovery CDs and will have them within the week.

Thanks again for your advice (and the links).

[Mr_JAk3]

Hi

I'll respect your decision to do a clean install. Yes it is best to wait for the CD's just in case.

Some helpful links.

Reformatting Windows XP by wng_z3r0
When should I re-format? How should I reinstall?
Windows XP Clean install

Then there are a couple of things you should do immediately after installing Windows and before surfing the net...

• Install an antivirus and firewall (you should download and have those on a CD or USB drive, all ready to be installed).
  
  These are good (free) firewalls:
  - Kerio
  - Sygate
  - Outpost
  
  These are good (free) antiviruses:
  - Antivir
  - Avast
  - AVG
  
• Get all Windows updates installed!

Please ask me if you have any questions

Then here are a few things that you can do in order to make your fresh computer more secure:

• Use ATF Cleaner
  Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.
  
• Use Ad-Aware
  Download and install Ad-Aware. Update it and scan your computer regularly with it.
  
• Use Ewido
  Update it and scan your computer regularly with it.
  
• Use Spybot S&D
  Download and install Spybot S&D. Update it and scan your computer regularly with it.
  
• Install SpywareBlaster
  SpywareBlaster will prevent spyware from being installed.
  
• Install MVPS Hosts file
  This prevents your computer from connecting to harmful sites.
  
• Use Firefox browser
  Firefox is faster, safer and better browser than Internet Explorer.
  
• Keep your systen up-to-date
  Visit Windows Update regularly.
  
• Keep your antivirus and firewall up-to-date
  Scan your computer regularly with your antivirus.
  
• Read this article by TonyKlein
  So how did I get infected in the first place?