Cant get rid of these viruses/trojans

[Ivona]

Service (registry key): VolSnap
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 0
Type: 1
Error Control: 1

Service (registry key): VSS
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Volume Shadow Copy
Description: Manages and implements Volume Shadow Copies used for backup and other purposes. If this service is stopped, shadow copies will be unavailable for backup and the backup may fail. If this service is disabled, any services that explicitly depend on it will fail to start.
Object name: LocalSystem
Image path: %SystemRoot%\System32\vssvc.exe
Image size: 289792
Image MD5: 7A9DB3A67C333BF0BD42E42B8596854B
Control Set: CurrentControlSet
Start: 3
Type: 16
Error Control: 1
Depends On services: RPCSS

Service (registry key): W32Time
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Windows Time
Description: Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

Object name: LocalSystem
Image path: %SystemRoot%\System32\svchost.exe -k netsvcs
Image size: 14336
Image MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
Control Set: CurrentControlSet
Start: 2
Type: 32
Error Control: 1

Service (registry key): W3SVC
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 0
Type: 0
Error Control: 0

Service (registry key): Wanarp
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Remote Access IP ARP Driver
Description: Remote Access IP ARP Driver
Image path: system32\DRIVERS\wanarp.sys
Image size: 34560
Image MD5: E20B95BAEDB550F32DD489265C1DA1F6
Control Set: CurrentControlSet
Start: 3
Type: 1
Error Control: 1

Service (registry key): WDICA
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 3
Type: 1
Error Control: 0

Service (registry key): wdmaud
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Microsoft WINMM WDM Audio Compatibility Driver
Image path: system32\drivers\wdmaud.sys
Image size: 83072
Image MD5: 6768ACF64B18196494413695F0C3A00F
Control Set: CurrentControlSet
Start: 3
Type: 1
Error Control: 1

Service (registry key): WebClient
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: WebClient
Description: Enables Windows-based programs to create, access, and modify Internet-based files. If this service is stopped, these functions will not be available. If this service is disabled, any services that explicitly depend on it will fail to start.
Object name: NT AUTHORITY\LocalService
Image path: %SystemRoot%\system32\svchost.exe -k LocalService
Image size: 14336
Image MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
Control Set: CurrentControlSet
Start: 2
Type: 32
Error Control: 1
Depends On services: MRxDAV

Service (registry key): winmgmt
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Windows Management Instrumentation
Description: Provides a common interface and object model to access management information about operating system, devices, applications and services. If this service is stopped, most Windows-based software will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
Object name: LocalSystem
Image path: %systemroot%\system32\svchost.exe -k netsvcs
Image size: 14336
Image MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
Control Set: CurrentControlSet
Start: 2
Type: 32
Error Control: 0
Depends On services: RPCSS

Service (registry key): Winsock
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 3
Type: 4
Error Control: 1

Service (registry key): WinSock2
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 0
Type: 0
Error Control: 0

Service (registry key): WinTrust
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 0
Type: 0
Error Control: 0

Service (registry key): WLSetupSvc
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Windows Live Setup Service
Description: Windows Live Setup Service
Object name: LocalSystem
Image path: "C:\Program Files\Windows Live\installer\WLSetupSvc.exe"
Image size: 266240
Image MD5: 94A85E956A065E23E0010A6A7826243B
Control Set: CurrentControlSet
Start: 3
Type: 16
Error Control: 1

Service (registry key): WmdmPmSN
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Portable Media Serial Number Service
Description: Retrieves the serial number of any portable media player connected to this computer. If this service is stopped, protected content might not be down loaded to the device.
Object name: LocalSystem
Image path: %SystemRoot%\System32\svchost.exe -k netsvcs
Image size: 14336
Image MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
Control Set: CurrentControlSet
Start: 3
Type: 32
Error Control: 1

Service (registry key): Wmi
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Windows Management Instrumentation Driver Extensions
Description: Provides systems management information to and from drivers.
Object name: LocalSystem
Image path: %SystemRoot%\System32\svchost.exe -k netsvcs
Image size: 14336
Image MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
Control Set: CurrentControlSet
Start: 3
Type: 32
Error Control: 1

Service (registry key): WmiApRpl
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 0
Type: 0
Error Control: 0

Service (registry key): WmiApSrv
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: WMI Performance Adapter
Description: Provides performance library information from WMI HiPerf providers.
Object name: LocalSystem
Image path: C:\WINDOWS\system32\wbem\wmiapsrv.exe
Image size: 126464
Image MD5: E0673F1106E62A68D2257E376079F821
Control Set: CurrentControlSet
Start: 3
Type: 16
Error Control: 1
Depends On services: RPCSS

Service (registry key): WMPNetworkSvc
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Windows Media Player Network Sharing Service
Description: Shares Windows Media Player libraries to other networked players and media devices using Universal Plug and Play
Object name: NT AUTHORITY\NetworkService
Image path: "C:\Program Files\Windows Media Player\WMPNetwk.exe"
Image size: 913408
Image MD5: F74E3D9A7FA9556C3BBB14D4E5E63D3B
Control Set: CurrentControlSet
Start: 3
Type: 16
Error Control: 1
Depends On services: upnphost,http,HTTPFilter

Service (registry key): WpdUsb
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: WpdUsb
Image path: system32\DRIVERS\wpdusb.sys
Image size: 38528
Image MD5: CF4DEF1BF66F06964DC0D91844239104
Control Set: CurrentControlSet
Start: 3
Type: 1
Error Control: 1

Service (registry key): WS2IFSL
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 1
Type: 0
Error Control: 0

Service (registry key): wscsvc
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Security Center
Description: Monitors system security settings and configurations.
Object name: LocalSystem
Image path: %SystemRoot%\System32\svchost.exe -k netsvcs
Image size: 14336
Image MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
Control Set: CurrentControlSet
Start: 2
Type: 32
Error Control: 1
Depends On services: RpcSs,winmgmt

Service (registry key): wuauserv
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Automatic Updates
Description: Enables the download and installation of Windows updates. If this service is disabled, this computer will not be able to use the Automatic Updates feature or the Windows Update Web site.
Object name: LocalSystem
Image path: %systemroot%\system32\svchost.exe -k netsvcs
Image size: 14336
Image MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
Control Set: CurrentControlSet
Start: 2
Type: 32
Error Control: 1

Service (registry key): WudfPf
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Windows Driver Foundation - User-mode Driver Framework Platform Driver
Description: Provide communciation services for UMDF components.
Image path: system32\DRIVERS\WudfPf.sys
Image size: 77568
Image MD5: F15FEAFFFBB3644CCC80C5DA584E6311
Control Set: CurrentControlSet
Start: 0
Type: 1
Error Control: 1

Service (registry key): WudfRd
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Windows Driver Foundation - User-mode Driver Framework Reflector
Description: Reflect device requests to user-mode driver drivers
Image path: system32\DRIVERS\wudfrd.sys
Image size: 82944
Image MD5: 28B524262BCE6DE1F7EF9F510BA3985B
Control Set: CurrentControlSet
Start: 3
Type: 1
Error Control: 1

Service (registry key): WudfSvc
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Windows Driver Foundation - User-mode Driver Framework
Description: Manages user-mode driver host processes
Object name: LocalSystem
Image path: %SystemRoot%\system32\svchost.exe -k WudfServiceGroup
Image size: 14336
Image MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
Control Set: CurrentControlSet
Start: 2
Type: 32
Error Control: 1
Depends On services: PlugPlay

Service (registry key): WZCSVC
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Wireless Zero Configuration
Description: Provides automatic configuration for the 802.11 adapters
Object name: LocalSystem
Image path: %SystemRoot%\System32\svchost.exe -k netsvcs
Image size: 14336
Image MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
Control Set: CurrentControlSet
Start: 3
Type: 32
Error Control: 1
Depends On services: RpcSs,Ndisuio

Service (registry key): xmlprov
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Network Provisioning Service
Description: Manages XML configuration files on a domain basis for automatic network provisioning.
Object name: LocalSystem
Image path: %SystemRoot%\System32\svchost.exe -k netsvcs
Image size: 14336
Image MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
Control Set: CurrentControlSet
Start: 3
Type: 32
Error Control: 1
Depends On services: RpcSs

Service (registry key): yukonwxp
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: NDIS5.1 Miniport Driver for Marvell Yukon Ethernet Controller
Image path: system32\DRIVERS\yk51x86.sys
Image size: 189568
Image MD5: A8D429E2268792638CFFC57552C5E736
Control Set: CurrentControlSet
Start: 3
Type: 1
Error Control: 1

Service (registry key): {5133C90A-E327-43D4-AB00-7122B83FEFB5}
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 0
Type: 0
Error Control: 0

Service (registry key): {7C301516-BC93-4CE8-A2BB-FFF2E5F64591}
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 0
Type: 0
Error Control: 0

Service (registry key): {B6009217-49C5-45EA-945C-81BA61FCCF8F}
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 0
Type: 0
Error Control: 0

Service (registry key): a12uf5xv
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 3
Type: 1
Error Control: 0

 

[Shaba]

Please do this next:

* Open SpyBot.
* Check for problems.
* When the scan completes, right click on the results list, select "Copy results to clipboard".
* Paste (Ctrl+V) those results into a new post.

 

[Ivona]

sry shaba, im a little confused, isnt that what I just did with that huge thing that I had to split up into 4/5 posts? or do you want me to do this again after I fix the problems it already found?


thanks

 

[Shaba]

Sorry missed that post

• Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
• Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  

  :files
  C:\WINDOWS\system32\comsa32.sys
  
  :reg
  [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\m]
  
  [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\udma]
  
  :commands
  [EmptyTemp]
  [reboot]

• Return to OTMoveIt3, right click in the "Paste List of Files/Folders to Move" window (under the yellow bar) and choose Paste.
  
• Click the red Moveit! button.
• Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
• Close OTMoveIt3

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

 

[Shaba]

Sorry missed that post

• Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
• Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  

  :files
  C:\WINDOWS\system32\comsa32.sys
  
  :reg
  [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\m]
  
  [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\udma]
  
  :commands
  [EmptyTemp]
  [reboot]

• Return to OTMoveIt3, right click in the "Paste List of Files/Folders to Move" window (under the yellow bar) and choose Paste.
  
• Click the red Moveit! button.
• Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
• Close OTMoveIt3

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

 

[Ivona]

heres new log

========== FILES ==========
File/Folder C:\WINDOWS\system32\comsa32.sys not found.
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\m\\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\udma\\ not found.
========== COMMANDS ==========
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_5dc.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_7ac.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.7.2 log created on 12192008_143509

Files moved on Reboot...
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File move failed. C:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be moved on reboot.
C:\WINDOWS\temp\Perflib_Perfdata_5dc.dat moved successfully.
File C:\WINDOWS\temp\Perflib_Perfdata_7ac.dat not found!

 

[Shaba]

OK looks like there was none.

Does spybot still find something?

 

[Ivona]

So i've run several scans using different progies over the past day, and all seems good i think...i got a right media tracking cookie on spybot, but cookies are harmless no?

In which case I think im finally clean!!! Thanks so much for your help Shaba, I really appreciate it. Is there any final things I need to do at all?

Thanks again

 

[Shaba]

Yes they are rather harmless.

See here how to prevent them coming.

Still some concerns?

 

[Shaba]

Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.