
Thread: S&D, HJT, TrendMicro AV, RootkitBuster all abort and then are blocked from re-running

  1. #81
    Member
    Join Date: Aug 2009
    Posts: 67

    Figured out why I couldn't delete the RC install (special rights inherited from the parent folder). Cleared the rights and was finally able to delete the files.

    Reran CF and let it install RC again. It installed the files but it's still not updating BOOT.INI. I mentioned that there are several "Access is denied" lines before it starts scanning -- I noticed that after it unpacked the RC files, there was a line "SED: can't read C:\Boot.bak: No such file or directory"

    Here's the log-
    ============================
    ComboFix 09-08-10.06 - Owner 08/14/2009 0:42.14.1 - NTFSx86
    Running from: c:\documents and settings\Owner.YOUR-25A3BD3417\Desktop\COMBOF1X.exe.exe
    AV: Trend Micro Internet Security Pro *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
    FW: Trend Micro Personal Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
    .

    ((((((((((((((((((((((((( Files Created from 2009-07-14 to 2009-08-14 )))))))))))))))))))))))))))))))
    .

    2009-08-11 07:04 . 2009-08-11 07:04 -------- d-----w- c:\program files\ESET
    2009-08-11 06:43 . 2009-08-11 06:43 -------- d-----w- c:\program files\Common Files\Adobe
    2009-08-11 06:42 . 2009-02-12 09:35 38208 ----a-w- c:\documents and settings\Owner.YOUR-25A3BD3417\Application Data\Macromedia\Flash Player\http://www.macromedia.com\bin\airapp...pinstaller.exe
    2009-08-11 06:42 . 2009-08-11 06:42 -------- d-----w- c:\program files\Common Files\Adobe AIR
    2009-08-11 06:42 . 2009-08-11 06:42 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
    2009-08-11 06:41 . 2009-08-11 18:04 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
    2009-08-11 06:41 . 2009-08-11 18:04 -------- d-----w- c:\program files\NOS
    2009-08-10 16:49 . 2009-08-10 16:49 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\Application Data\Malwarebytes
    2009-08-10 16:49 . 2009-08-03 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-08-10 16:49 . 2009-08-10 16:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-08-10 16:49 . 2009-08-03 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-08-10 16:48 . 2009-08-10 16:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-08-08 16:17 . 2009-08-08 16:17 -------- d-----w- c:\documents and settings\Administrator\log
    2009-08-08 08:21 . 2009-08-14 07:37 -------- d-----w- C:\CFIx
    2009-08-06 21:37 . 2009-08-06 21:44 -------- d-s---w- C:\test
    2009-08-06 19:42 . 2009-08-06 19:42 0 ----a-w- C:\settings.dat
    2009-08-06 19:42 . 2009-08-06 19:42 1055676 ----a-w- C:\RootkitBuster2.52.0.1013.zip
    2009-08-06 19:33 . 2009-08-06 21:36 -------- d-----w- C:\Autoruns
    2009-08-06 19:33 . 2009-08-06 19:33 576280 ----a-w- C:\Autoruns.zip
    2009-08-06 19:15 . 2009-08-06 19:15 -------- d-----w- c:\windows\system32\Service
    2009-08-06 19:04 . 2009-08-06 19:04 -------- d-----w- c:\documents and settings\Administrator\Application Data\SupportSoft
    2009-08-06 18:10 . 2009-08-06 18:10 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\Application Data\SupportSoft
    2009-08-06 18:07 . 2009-08-06 18:07 -------- d-----w- c:\program files\tmRemoteProdPID
    2009-08-06 18:07 . 2009-08-06 18:07 -------- d-----w- c:\program files\Common Files\supportsoft
    2009-08-05 18:54 . 2009-08-05 18:54 -------- d-----w- C:\rsit
    2009-08-05 18:52 . 2009-08-08 09:19 -------- d-----w- C:\Pesticide
    2009-08-04 00:49 . 2009-08-08 08:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-08-04 00:49 . 2009-08-04 00:49 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2009-08-02 09:15 . 2009-08-02 09:15 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\.housecall6.6
    2009-08-02 07:50 . 2009-08-02 07:50 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll
    2009-08-02 07:49 . 2009-08-02 07:49 -------- d-----w- c:\windows\ERUNT
    2009-08-01 22:28 . 2009-04-02 23:08 50192 ----a-w- c:\windows\system32\tmactmon.sys
    2009-08-01 22:28 . 2009-04-02 23:08 50192 ----a-w- c:\windows\system32\tmevtmgr.sys
    2009-08-01 22:28 . 2009-04-02 23:08 153104 ----a-w- c:\windows\system32\tmcomm.sys
    2009-08-01 22:10 . 2009-08-01 22:10 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\log
    2009-08-01 19:13 . 2009-08-01 19:13 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Trend Micro
    2009-08-01 19:02 . 2009-08-01 19:02 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\Local Settings\Application Data\Trend Micro
    2009-08-01 18:59 . 2009-08-01 18:59 -------- d-----w- c:\windows\LocalSSL
    2009-08-01 18:59 . 2009-08-01 18:59 -------- d-----w- c:\documents and settings\postgres\Local Settings\Application Data\Trend Micro
    2009-07-25 19:10 . 2009-07-25 19:17 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\Application Data\GetRightToGo
    2009-07-25 06:51 . 2009-08-11 18:30 -------- d-----w- c:\program files\Hero Editor
    2009-07-25 06:51 . 2009-08-11 18:29 249856 ------w- c:\windows\Setup1.exe
    2009-07-25 06:51 . 2009-08-11 18:29 73216 ----a-w- c:\windows\ST6UNST.EXE
    2009-07-25 04:55 . 2009-07-25 05:50 -------- d-----w- c:\program files\Shared
    2009-07-20 17:41 . 2009-07-20 17:42 -------- d-----w- c:\program files\DoylesRoom

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-08-14 02:40 . 2009-07-13 18:43 -------- d-----w- c:\program files\Diablo II
    2009-08-13 23:15 . 2008-03-23 02:51 -------- d-----w- c:\program files\PokerStars
    2009-08-13 16:41 . 2009-07-01 21:37 -------- d-----w- c:\program files\Tiger Gaming
    2009-08-11 06:54 . 2009-02-27 02:03 411368 ----a-w- c:\windows\system32\deploytk.dll
    2009-08-11 06:33 . 2006-11-24 14:59 -------- d-----w- c:\program files\Java
    2009-08-05 22:52 . 2008-11-19 04:52 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\Application Data\Skype
    2009-08-05 15:14 . 2008-11-19 04:58 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\Application Data\skypePM
    2009-08-01 19:22 . 2008-11-06 18:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Trend Micro
    2009-08-01 18:59 . 2006-11-24 15:56 -------- d-----w- c:\program files\Trend Micro
    2009-07-13 20:41 . 2009-07-13 18:55 35715 ----a-w- c:\windows\DIIUnin.dat
    2009-07-13 20:39 . 2009-07-13 19:16 21840 ----atw- c:\windows\system32\SIntfNT.dll
    2009-07-13 20:39 . 2009-07-13 19:16 17212 ----atw- c:\windows\system32\SIntf32.dll
    2009-07-13 20:39 . 2009-07-13 19:16 12067 ----atw- c:\windows\system32\SIntf16.dll
    2009-07-13 18:55 . 2009-07-13 18:55 94208 ----a-w- c:\windows\DIIUnin.exe
    2009-07-13 18:55 . 2009-07-13 18:55 2829 ----a-w- c:\windows\DIIUnin.pif
    2009-07-13 17:26 . 2009-07-13 17:26 -------- d-----w- c:\program files\Poker Pal Pro Edition
    2009-07-13 07:06 . 2009-07-06 00:29 -------- d-----w- c:\program files\Diablo II Shareware
    2009-07-10 16:05 . 2009-07-10 16:04 12692 ----a-w- c:\windows\W3DemoUnin.dat
    2009-07-10 16:04 . 2009-07-10 16:04 2829 ----a-w- c:\windows\W3DemoUnin.pif
    2009-07-10 16:04 . 2009-07-10 16:04 126976 ----a-w- c:\windows\W3DemoUnin.exe
    2009-07-10 16:04 . 2009-07-10 16:04 -------- d-----w- c:\program files\Warcraft III Demo
    2009-07-08 18:28 . 2009-07-08 18:28 -------- d-----w- c:\program files\Gateway
    2009-07-06 00:29 . 2009-07-06 00:29 19143 ----a-w- c:\windows\DIIDUnin.dat
    2009-07-06 00:29 . 2009-07-06 00:29 102400 ----a-w- c:\windows\DIIDUnin.exe
    2009-07-06 00:29 . 2009-07-06 00:29 2829 ----a-w- c:\windows\DIIDUnin.pif
    2009-07-04 09:16 . 2008-04-12 06:03 -------- d-----w- c:\program files\Poker Drill Master
    2009-07-04 08:28 . 2006-11-24 14:56 -------- d-----w- c:\program files\Google
    2009-06-29 16:12 . 2006-11-24 14:33 827392 ----a-w- c:\windows\system32\wininet.dll
    2009-06-29 16:12 . 2006-11-24 14:29 78336 ----a-w- c:\windows\system32\ieencode.dll
    2009-06-29 16:12 . 2006-11-24 14:27 17408 ------w- c:\windows\system32\corpol.dll
    2009-06-26 23:27 . 2009-06-26 23:27 -------- d-----w- c:\program files\PopCap Games
    2009-06-26 03:02 . 2008-07-02 00:19 -------- d-----w- c:\program files\UltimateBet
    2009-06-26 02:10 . 2009-06-26 02:10 -------- d-----w- c:\program files\_uninstallation_info
    2009-06-25 19:47 . 2009-05-26 16:33 -------- d-----w- c:\program files\FullTiltShortcuts
    2009-06-25 19:47 . 2008-11-07 04:32 -------- d-----w- c:\program files\Cake Poker
    2009-06-25 19:46 . 2008-06-28 03:43 -------- d-----w- c:\program files\Full Tilt Poker
    2009-06-25 19:46 . 2006-11-24 14:57 -------- d--h--w- c:\program files\InstallShield Installation Information
    2009-06-24 11:31 . 2009-06-12 04:33 -------- d-----w- c:\program files\Poker Pro Labs
    2009-06-18 09:04 . 2009-05-16 23:54 -------- d-----w- c:\program files\ClubWPT
    2009-06-16 14:36 . 2006-11-24 14:33 119808 ----a-w- c:\windows\system32\t2embed.dll
    2009-06-16 14:36 . 2006-11-24 14:29 81920 ----a-w- c:\windows\system32\fontsub.dll
    2009-06-14 05:54 . 2009-06-14 05:54 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
    2009-06-03 19:09 . 2006-11-24 14:32 1291264 ----a-w- c:\windows\system32\quartz.dll
    2009-05-22 08:02 . 2008-08-14 17:23 225296 ----a-w- c:\windows\system32\drivers\tmxpflt.sys
    2009-05-22 08:00 . 2008-08-14 17:23 36368 ----a-w- c:\windows\system32\drivers\tmpreflt.sys
    2009-05-22 07:45 . 2008-08-14 17:23 1220120 ----a-w- c:\windows\system32\drivers\vsapint.sys
    .

    ((((((((((((((((((((((((((((( SnapShot@2009-08-14_06.10.36 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-08-14 07:29 . 2009-08-14 07:29 16384 c:\windows\temp\Perflib_Perfdata_440.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2008-08-14 497008]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-04-01 995528]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-11 149280]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2008-08-14 497008]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
    backup=c:\windows\pss\BigFix.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Harmony Remote V5.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Harmony Remote V5.lnk
    backup=c:\windows\pss\Logitech Harmony Remote V5.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "ose"=3 (0x3)
    "MskService"=2 (0x2)
    "MpfService"=3 (0x3)
    "mcupdmgr.exe"=3 (0x3)
    "McTskshd.exe"=2 (0x2)
    "McShield"=2 (0x2)
    "McDetect.exe"=2 (0x2)
    "gusvc"=3 (0x3)
    "AOL TopSpeedMonitor"=2 (0x2)
    "AOL ACS"=2 (0x2)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\Logitech\\Harmony Remote\\HarmonyClient.exe"=
    "c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Logitech\\Harmony Remote\\PatchHelper.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Apple\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

    R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-04-02 50192]
    R2 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [2009-04-01 497008]
    R2 tmpreflt;tmpreflt;c:\windows\system32\DRIVERS\tmpreflt.sys [2009-05-22 36368]
    R2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2009-04-01 677128]
    S2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [2008-09-19 65536]
    S2 Security Activity Dashboard Service;Security Activity Dashboard Service;c:\program files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe [2008-08-14 181584]
    S3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\DRIVERS\TM_CFW.sys [2009-03-03 335376]

    .
    Contents of the 'Scheduled Tasks' folder

    2006-11-24 c:\windows\Tasks\ISP signup reminder 1.job
    - c:\windows\system32\OOBE\oobebaln.exe [2006-11-24 00:12]

    2006-11-24 c:\windows\Tasks\ISP signup reminder 2.job
    - c:\windows\system32\OOBE\oobebaln.exe [2006-11-24 00:12]

    2006-11-24 c:\windows\Tasks\ISP signup reminder 3.job
    - c:\windows\system32\OOBE\oobebaln.exe [2006-11-24 00:12]

    2009-08-13 c:\windows\Tasks\User_Feed_Synchronization-{CE9ECDE8-B0C0-4E0C-B2F3-A241CA8C9DE1}.job
    - c:\windows\system32\msfeedssync.exe [2007-08-14 02:36]
    .
    .
    ------- Supplementary Scan -------
    .
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uStart Page = hxxp://www.google.com/
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: {{10F055B8-F443-4adf-948A-EC551E9DBCE4} - c:\documents and settings\Owner.YOUR-25A3BD3417\Start Menu\Programs\UltimateBet\UltimateBet.lnk
    Trusted Zone: weather.gov\radar
    DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-08-14 00:46
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker3"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(3924)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    .
    Completion time: 2009-08-14 0:48
    ComboFix-quarantined-files.txt 2009-08-14 07:47
    ComboFix2.txt 2009-08-13 06:16

    Pre-Run: 60,752,646,144 bytes free
    Post-Run: 60,703,936,512 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

    233 --- E O F --- 2009-08-02 22:01

  2. #82
    Security Expert: Emeritus Blade81
    Join Date: Oct 2006
    Location: Finland
    Posts: 25,288

    Hi,

    I've asked the creator of the tool what could cause the issue. I'll be back with further instructions ASAP.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  3. #83
    Security Expert: Emeritus Blade81
    Join Date: Oct 2006
    Location: Finland
    Posts: 25,288

    Hi,

    Let's give RC installing one more try. Please make sure your antivirus protection is all disabled. If installing still fails and the system runs otherwise without issues then I think we'll leave it not installed.

  4. #84
    Member
    Join Date: Aug 2009
    Posts: 67

    Quote Originally Posted by Blade81:
        Hi,

        Let's give RC installing one more try. . .
    Got it! The infestation had stripped the rights on ATTRIB.EXE. The "access denied" errors were occurring as CF tried to change the SHR attributes on BOOT.INI, and it never created a BOOT.BAK because it couldn't modify BOOT.INI in the first place.

    I re-enabled rights on ATTRIB.EXE, and CF ran without errors, and added an RC launch option to BOOT.INI. BOOT.INI now reads-

    [boot loader]
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

  5. #85
    Member
    Join Date: Aug 2009
    Posts: 67

    err -- I ran CF, and CF added an RC option to BOOT.INI

  6. #86
    Security Expert: Emeritus Blade81
    Join Date: Oct 2006
    Location: Finland
    Posts: 25,288

    Good catch

    Let's optimize boot.ini a bit so that the boot menu appears for less time during bootup.

    Make the contents of boot.ini look like this:
    [boot loader]
    timeout=3
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
    That will make the boot menu appear for 3 seconds.



    Well, congrats, it appears your system is all clean. Are you still noticing any problems? If not, it's time to secure your system to prevent further intrusions.


    THESE STEPS ARE VERY IMPORTANT

    Let's reset system restore
    Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: you will lose all previous restore points, which are likely to be infected. Please note you need Administrator access to clean the restore points.

    1. Turn off System Restore.
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.

    2. Reboot.

    3. Turn ON System Restore.
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    UN-Check *Turn off System Restore*.
    Click Apply, and then click OK.
    NOTE: only do this ONCE, NOT on a regular basis.




    Now let's uninstall ComboFix:
    • Click START then RUN
    • Now copy-paste "c:\documents and settings\Owner.YOUR-25A3BD3417\Desktop\COMBOF1X.exe.exe" /u in the runbox and click OK


    Next we remove all used tools.

    Please download OTC and save it to desktop.
    • Double-click OTC.exe.
    • Click the CleanUp! button.
    • Select Yes when the "Begin cleanup Process?" prompt appears.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes, if not delete it by yourself.


    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.



    UPDATING WINDOWS AND INTERNET EXPLORER

    IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site to get the critical updates.

    If you are running Microsoft Office, or any portion thereof, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.


    Make your Internet Explorer more secure

    This can be done by following these simple instructions:
    From within Internet Explorer click on the Tools menu and then click on Options.
    Click once on the Security tab
    Click once on the Internet icon so it becomes highlighted.
    Click once on the Custom Level button.
    Change the Download signed ActiveX controls to Prompt
    Change the Download unsigned ActiveX controls to Disable
    Change the Initialize and script ActiveX controls not marked as safe to Disable
    Change the Installation of desktop items to Prompt
    Change the Launching programs and files in an IFRAME to Prompt
    Change the Navigate sub-frames across different domains to Prompt
    When all these settings have been made, click on the OK button.
    If it prompts you as to whether or not you want to save the settings, press the Yes button.
    Next press the Apply button and then the OK to exit the Internet Properties page.



    The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.

    • hosts file:
      • Every version of Windows has a hosts file as part of it.
      • In a very basic sense, they are used to locate webpages.
      • We can customize a hosts file so that it blocks certain webpages.
      • However, it can slow down certain computers.
      • This is why using a hosts file is optional!!

      Download it here. Make sure you read the instructions on how to install the hosts file. There is a good tutorial here.
      If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
      1. Click the start button (at the lower left hand corner of your screen)
      2. Click run
      3. In the dialog box, type services.msc
      4. hit enter, then locate dns client
      5. Highlight it, then double-click it.
      6. On the dropdown box, change the setting from automatic to manual.
      7. Click ok



    Just a final reminder for you. I am trying to stress these two points.
    UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
    Make sure all of your security programs are up to date.
    Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.



    Once again, please post and tell me how things are going with your system... problems etc.

    Have a great day,
    Blade

  7. #87
    Member
    Join Date: Aug 2009
    Posts: 67

    I'll proceed with the rest of the cleanup steps. But re:

        That will make boot menu appear for 3 seconds.
    I'm not seeing the boot loader menu during startup. I have to F11 or F8 and "select OS" to get it. Also, if I select the option in MSCONFIG or TrendMicro's TISTOOL utility to have the system restart in safe mode, it doesn't have any effect - it just comes up in normal mode. Maybe another file that's had its access rights stripped?

  8. #88
    Security Expert: Emeritus Blade81
    Join Date: Oct 2006
    Location: Finland
    Posts: 25,288

    Hi,

    When the infection was present, the permissions of those commands you tried may have been altered (just like happened to attrib.exe, for example). It's impossible for me to know what commands were attempted other than those I've instructed here. That's why users shouldn't do anything else than what their helpers instruct them to do. Does msconfig.exe have the right permissions?
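A way to check what post #84 found for ATTRIB.EXE and what Blade81 asks above about msconfig.exe, namely whether the infection left broken permissions on the tools a cleanup depends on. This is an added example, not code from the thread or from any of the tools it mentions. It assumes PowerShell is available on the machine and is run from an elevated prompt; the Windows XP location of msconfig.exe, and the "healthy" criteria it applies (BUILTIN\Administrators and NT AUTHORITY\SYSTEM holding Full Control, and no Deny entries at all), are my assumptions.

```powershell
# Added example, not from the thread. Audits the ACLs and attributes of the
# files the thread says the infection tampered with, so a helper can see at a
# glance why a repair tool gets "Access is denied".
# Assumed paths: attrib.exe in system32 and msconfig.exe in the Windows XP
# location under pchealth\helpctr\binaries; adjust if your layout differs.
$targets = @(
    "$env:SystemRoot\system32\attrib.exe",
    "$env:SystemRoot\pchealth\helpctr\binaries\msconfig.exe",
    "$env:SystemDrive\boot.ini"
)

$fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl

function Test-RepairToolAcl {
    param([string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Missing: $Path"
        return $false
    }

    $item = Get-Item -LiteralPath $Path -Force      # -Force so hidden/system files (boot.ini) are found
    $acl  = Get-Acl -LiteralPath $Path
    Write-Host ""
    Write-Host "== $Path"
    Write-Host "   owner:      $($acl.Owner)"
    Write-Host "   attributes: $($item.Attributes)"   # boot.ini should normally show Hidden, System, ReadOnly

    $adminsFull = $false
    $systemFull = $false
    $denyFound  = $false

    foreach ($ace in $acl.Access) {
        Write-Host ("   {0,-5} {1,-30} {2}" -f $ace.AccessControlType, $ace.IdentityReference, $ace.FileSystemRights)

        # Any Deny entry is the most likely cause of the "Access is denied" lines
        # the thread saw when ComboFix tried to touch BOOT.INI via attrib.exe.
        if ($ace.AccessControlType -eq 'Deny') { $denyFound = $true }

        if ($ace.AccessControlType -eq 'Allow' -and
            (($ace.FileSystemRights -band $fullControl) -eq $fullControl)) {
            switch ($ace.IdentityReference.Value) {
                'BUILTIN\Administrators'   { $adminsFull = $true }
                'NT AUTHORITY\SYSTEM'      { $systemFull = $true }
            }
        }
    }

    $healthy = $adminsFull -and $systemFull -and -not $denyFound
    if (-not $healthy) {
        $reasons = @()
        if (-not $adminsFull) { $reasons += 'Administrators lack Full Control' }
        if (-not $systemFull) { $reasons += 'SYSTEM lacks Full Control' }
        if ($denyFound)       { $reasons += 'explicit Deny entry present' }
        Write-Warning ("   permissions look altered: " + ($reasons -join '; '))
    } else {
        Write-Host "   permissions look normal"
    }
    return $healthy
}

$results = foreach ($t in $targets) { Test-RepairToolAcl -Path $t }
if ($results -contains $false) {
    Write-Warning "One or more files need their permissions restored before re-running repair tools."
}
```

The script only reports; restoring an ACL is a deliberate step for the helper to instruct, as Blade81 says above. Run it again after any permission change to confirm the Deny entries are gone and that Administrators and SYSTEM have Full Control back.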

  9. #89
    Security Expert: Emeritus Blade81
    Join Date: Oct 2006
    Location: Finland
    Posts: 25,288

    Due to inactivity, this thread will now be closed.

    Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread. Please do not add any logs that might have been requested in the closed topic; you would be starting fresh.

    If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.

  10. #90
    Member of Team Spybot tashi
    Join Date: Oct 2005
    Location: USA
    Posts: 30,961

    Blade81.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016
