Kollah? - Cannot run any security programs

OK. When I run avenger, this pops up before I can execute: "Error: Failed to open 'C:\cleanup.exe' for reading (error 5: access is denied.)". Here is the avenger report:

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Tue Aug 25 06:15:37 2009

06:12:34: Error: Failed to open 'C:\cleanup.exe' for reading (error 5: access is denied.)
06:15:15: Error: Failed to open 'C:\cleanup.exe' for reading (error 5: access is denied.)


//////////////////////////////////////////


Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "c:\scecli.dll|C:\WINNT\system32\scecli.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.

DDS
ATTACH.TXT


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-07-30.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 7/3/2007 6:46:02 PM
System Uptime: 8/25/2009 6:19:05 AM (0 hours ago)

Motherboard: Dell Inc. | | 0KF623
Processor: Intel(R) Pentium(R) 4 CPU 3.00GHz | Microprocessor | 2992/800mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 144 GiB total, 106.725 GiB free.
D: is Removable
E: is Removable
F: is Removable
G: is Removable
H: is CDROM ()
I: is FIXED (NTFS) - 233 GiB total, 220.286 GiB free.

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================


Abexo Free Registry Cleaner
Ad-Aware
Adobe Flash Player 10 ActiveX
Adobe Reader 7.0.8
AnswerWorks 4.0 Runtime - English
AnswerWorks 5.0 English Runtime
AnswerWorks Runtime
Apple Software Update
AutoCAD 2002
BearShare
BitTorrent
CA Anti-Spam
CA Anti-Spyware
CA Anti-Virus
CA Internet Security Suite
CDBurnerXP
Citrix Presentation Server Client
Conexant D850 56K V.9x DFVc Modem
Corel Paint Shop Pro X
Dell Resource CD
Dell ResourceCD
DNA
High Definition Audio Driver Package - KB835221
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Intel(R) Graphics Media Accelerator Driver
Intel(R) PRO Network Connections Drivers
J2SE Runtime Environment 5.0 Update 11
Java 2 Runtime Environment Standard Edition v1.3.1_16
Java(TM) 6 Update 5
Java(TM) 6 Update 7
KODAK EASYSHARE Gallery Upload ActiveX Control
Lexmark 810 Series
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Office XP Professional with FrontPage
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
PC Pitstop Optimize 1.0t
Power Tab Editor 1.7
PRS-500 USB driver
QuickTime
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB973346)
SigmaTel Audio
SUPERAntiSpyware Free Edition
TurboTax 2008
TurboTax 2008 WinPerFedFormset
TurboTax 2008 WinPerProgramHelp
TurboTax 2008 WinPerReleaseEngine
TurboTax 2008 WinPerTaxSupport
TurboTax 2008 WinPerUserEducation
TurboTax 2008 wrapper
TurboTax 2008 wwiiper
TurboTax Deluxe 2007
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update Rollup 2 for Windows XP Media Center Edition 2005
User Profile Hive Cleanup Service
WebFldrs XP
Winamp (remove only)
WinCleaner Complete PC Care Version 10
Windows Driver Package - Sony Corporation (PRSUSB) USB (08/08/2006 1.0.03.08080)
Windows Genuine Advantage Notifications (KB905474)
Windows Media Format Runtime
Windows XP Media Center Edition 2005 KB908250
Windows XP Service Pack 3
WinZip
Yahoo! Toolbar

==== Event Viewer Messages From Past Week ========

8/23/2009 8:12:14 PM, error: VETMONNT [105] - File infection: A0051464.exe is Win32/Ertfor.AK trojan.
8/23/2009 8:10:55 PM, error: VETMONNT [105] - File infection: A0047704.exe is Win32/Ertfor.AK trojan.
8/23/2009 8:08:39 PM, error: VETMONNT [105] - File infection: A0041304.exe is Win32/Ertfor.AK trojan.
8/22/2009 8:16:40 PM, error: Service Control Manager [7000] - The VET Message Service service failed to start due to the following error: Access is denied.
8/22/2009 8:16:27 PM, error: NetBT [4311] - Initialization failed because the driver device could not be created.

==== End Of File ===========================


DDS
DDS.TXT


DDS (Ver_09-07-30.01) - NTFSx86
Run by NEWXPOWNER at 6:20:43.04 on Tue 08/25/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.133 [GMT -5:00]

AV: CA Anti-Virus *On-access scanning enabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}

============== Running Processes ===============

C:\WINNT\system32\svchost -k DcomLaunch
C:\WINNT\system32\svchost -k rpcss
C:\WINNT\System32\svchost.exe -k netsvcs
C:\WINNT\system32\svchost.exe -k NetworkService
C:\WINNT\system32\svchost.exe -k LocalService
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINNT\Explorer.EXE
C:\WINNT\ehome\ehtray.exe
C:\WINNT\system32\igfxpers.exe
C:\WINNT\stsystra.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\svchost.exe -k LocalService
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINNT\eHome\ehRecvr.exe
C:\WINNT\eHome\ehSched.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINNT\system32\svchost.exe -k LocalService
C:\WINNT\system32\svchost.exe -k imgsvc
C:\Program Files\UPHClean\uphclean.exe
svchost
C:\WINNT\ehome\mcrdsvc.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\WINNT\system32\dllhost.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\WINNT\System32\alg.exe
C:\Documents and Settings\NEWXPOWNER\Desktop\Computer Fix\dds.pif
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\system32\blank.htm
mWinlogon: Userinit=c:\winnt\system32\userinit.exe,c:\winnt\system32\sdra64.exe,
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uRun: [ctfmon.exe] c:\winnt\system32\ctfmon.exe
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [ehTray] c:\winnt\ehome\ehtray.exe
mRun: [IgfxTray] c:\winnt\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\winnt\system32\hkcmd.exe
mRun: [Persistence] c:\winnt\system32\igfxpers.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [cctray] "c:\program files\ca\ca internet security suite\cctray\cctray.exe"
mRun: [QOELOADER] "c:\program files\ca\ca internet security suite\ca anti-spam\qsp-5.1.18.0\QOELoader.exe"
mRun: [CAVRID] "c:\program files\ca\ca internet security suite\ca anti-virus\CAVRID.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [LXBSCATS] rundll32 c:\winnt\system32\spool\drivers\w32x86\3\LXBStime.dll,_RunDLLEntry@16
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
LSP: c:\winnt\system32\VetRedir.dll
Trusted Zone: turbotax.com
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://javadl.sun.com/webapps/download/AutoDL?BundleId=23100
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
LSA: Authentication Packages = msv1_0 c:\winnt\system32\jkkji.dll

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2006-10-10 5632]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2007-2-27 32256]
R1 VET-FILT;VET File System Filter;c:\winnt\system32\drivers\vet-filt.sys [2008-3-29 26376]
R1 VET-REC;VET File System Recognizer;c:\winnt\system32\drivers\vet-rec.sys [2008-3-29 21128]
R1 VETEFILE;VET File Scan Engine;c:\winnt\system32\drivers\vetefile.sys [2008-6-4 880560]
R1 VETFDDNT;VET Floppy Boot Sector Monitor;c:\winnt\system32\drivers\vetfddnt.sys [2008-3-29 21512]
R1 VETMONNT;VET File Monitor;c:\winnt\system32\drivers\vetmonnt.sys [2008-3-29 32264]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R2 CAISafe;CAISafe;c:\program files\ca\ca internet security suite\ca anti-virus\isafe.exe [2008-3-29 144960]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
R2 McrdSvc;Media Center Extender Service;c:\winnt\ehome\mcrdsvc.exe [2005-8-5 99328]
R3 PPCtlPriv;PPCtlPriv;c:\program files\ca\ca internet security suite\ca anti-spyware\PPCtlPriv.exe [2007-8-16 189704]
R3 VETEBOOT;VET Boot Scan Engine;c:\winnt\system32\drivers\veteboot.sys [2008-6-4 108368]
S2 VETMSGNT;VET Message Service;c:\program files\ca\ca internet security suite\ca anti-virus\vetmsg.exe [2008-3-29 242952]
S3 PRSUSB;Sony Reader;c:\winnt\system32\drivers\PRSUSB.sys [2006-8-16 18944]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2006-2-16 4096]

=============== Created Last 30 ================

2009-08-22 20:14 135,168 a------- C:\zip.exe
2009-08-22 20:14 19,286 a------- C:\cleanup.exe
2009-08-22 20:14 574 a------- C:\cleanup.bat
2009-08-10 22:26 <DIR> --d----- c:\winnt\system32\wbem\Repository
2009-08-10 22:25 <DIR> --d----- c:\docume~1\newxpo~1\applic~1\IObit
2009-08-10 22:25 <DIR> --d----- c:\program files\common files\ParetoLogic
2009-08-10 22:25 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\ParetoLogic
2009-08-10 22:25 <DIR> --d-h--- c:\winnt\PIF
2009-08-10 22:25 <DIR> --d----- c:\docume~1\newxpo~1\applic~1\Malwarebytes
2009-08-10 22:23 <DIR> --d----- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-08-10 22:23 <DIR> --d----- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-08-10 22:23 <DIR> --d----- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-08-10 22:23 <DIR> --d----- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-08-09 14:57 <DIR> --d----- c:\program files\IObit
2009-08-09 13:45 580,640 a--sh--- c:\winnt\system32\drivers\fidbox.dat
2009-08-09 13:45 23,328 a--sh--- c:\winnt\system32\drivers\fidbox2.dat
2009-08-09 13:45 9,896 a--sh--- c:\winnt\system32\drivers\fidbox.idx
2009-08-09 13:45 3,236 a--sh--- c:\winnt\system32\drivers\fidbox2.idx
2009-08-09 13:45 1,814 a------- C:\rollback.ini
2009-08-09 13:38 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\ParetoLogic Anti-Virus PLUS
2009-08-09 13:31 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2009-08-09 11:48 <DIR> --d----- c:\winnt\system32\XPSViewer
2009-08-09 11:47 597,504 -c------ c:\winnt\system32\dllcache\printfilterpipelinesvc.exe
2009-08-09 11:47 575,488 -c------ c:\winnt\system32\dllcache\xpsshhdr.dll
2009-08-09 11:47 89,088 -c------ c:\winnt\system32\dllcache\filterpipelineprintproc.dll
2009-08-09 11:47 575,488 -------- c:\winnt\system32\xpsshhdr.dll
2009-08-09 11:47 117,760 -------- c:\winnt\system32\prntvpt.dll
2009-08-09 11:47 1,676,288 -c------ c:\winnt\system32\dllcache\xpssvcs.dll
2009-08-09 11:47 1,676,288 -------- c:\winnt\system32\xpssvcs.dll
2009-08-09 10:55 <DIR> --d----- c:\winnt\system32\CatRoot
2009-08-07 09:44 189,325 a------- c:\winnt\system32\wisdstr.exe
2009-08-07 09:44 75,776 a------- C:\yedfjdy.exe
2009-08-07 09:44 19,456 a------- C:\niawndos.exe
2009-08-07 09:44 19,456 a------- C:\hcel.exe
2009-08-07 09:44 9,728 a------- C:\umoikchf.exe

==================== Find3M ====================

2009-08-10 19:42 2,478 a------- c:\winnt\system32\tmp.reg
2009-07-13 10:08 286,720 a------- c:\winnt\system32\wmpdxm.dll
2009-06-26 11:50 666,624 a------- c:\winnt\system32\wininet.dll
2009-06-26 11:50 81,920 a------- c:\winnt\system32\ieencode.dll
2009-06-16 09:36 119,808 a------- c:\winnt\system32\t2embed.dll
2009-06-16 09:36 81,920 a------- c:\winnt\system32\fontsub.dll
2009-06-03 14:09 1,291,264 a------- c:\winnt\system32\quartz.dll
2008-09-07 10:15 60,200 a------- c:\docume~1\newxpo~1\applic~1\GDIPFONTCACHEV1.DAT
2007-11-25 12:10 307 a------- c:\documents and settings\newxpowner\x.dat
2007-11-25 12:09 266,729 a------- c:\documents and settings\newxpowner\z.dat
2006-01-14 11:42 251 a------- c:\program files\wt3d.ini

============= FINISH: 6:27:54.42 ===============
 
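The DDS report above is read by eye in this thread; the two hooks the cleanup goes after are visible in its Pseudo HJT section: a second entry in Winlogon's Userinit value (sdra64.exe) and a second LSA authentication package (jkkji.dll). The following script is an added example, not code from the thread or from the DDS tool, that encodes those checks and flags freshly created executables sitting directly in the drive root. The sample lines are copied from the posted dds.txt; the set of helper-placed tool files (cleanup.exe, zip.exe) is taken from the "Created Last 30" list above.

```python
"""Triage the persistence hooks in a DDS 'Pseudo HJT Report'.

Added example, not code from the thread or from the DDS tool. The sample lines
are copied from the dds.txt posted above. The checks encode what the helper is
reading off that report by eye: Winlogon's Userinit value must name only
userinit.exe, the LSA Authentication Packages value must name only msv1_0, and
freshly created executables sitting directly in the root of the system drive
deserve a look.
"""
import re

# Constructed sample: the relevant lines from the posted dds.txt, verbatim.
SAMPLE_DDS = r"""
mWinlogon: Userinit=c:\winnt\system32\userinit.exe,c:\winnt\system32\sdra64.exe,
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
LSA: Authentication Packages = msv1_0 c:\winnt\system32\jkkji.dll
2009-08-22 20:14 19,286 a------- C:\cleanup.exe
2009-08-07 09:44 189,325 a------- c:\winnt\system32\wisdstr.exe
2009-08-07 09:44 75,776 a------- C:\yedfjdy.exe
2009-08-07 09:44 19,456 a------- C:\niawndos.exe
"""

# Files the helper put in C:\ for the Avenger cleanup (see "Created Last 30").
HELPER_TOOL_FILES = {"cleanup.exe", "cleanup.bat", "zip.exe"}
# "YYYY-MM-DD HH:MM size attrs path" as printed in the Created Last 30 section.
CREATED_LINE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+[\d,]+\s+\S+\s+(.+)$")
ROOT_EXE = re.compile(r"^[A-Za-z]:\\[^\\]+\.exe$", re.I)


def check_userinit(value: str) -> list[str]:
    """Return Userinit entries other than the stock userinit.exe.

    Winlogon launches every comma-separated path in this value at logon, so a
    second entry is a classic way to start malware before the shell."""
    extras = []
    for entry in (e.strip() for e in value.split(",")):
        if entry and entry.lower().rsplit("\\", 1)[-1] != "userinit.exe":
            extras.append(entry)
    return extras


def check_lsa_packages(value: str) -> list[str]:
    """Return LSA authentication packages other than msv1_0.

    LSASS loads each listed DLL into its own process at boot; an unknown DLL
    here runs as SYSTEM before any user logs on."""
    return [p for p in value.split() if p.lower() != "msv1_0"]


def root_drive_executables(paths) -> list[str]:
    """Return .exe paths sitting directly in a drive root, minus known tools."""
    return [p for p in paths
            if ROOT_EXE.match(p)
            and p.rsplit("\\", 1)[-1].lower() not in HELPER_TOOL_FILES]


def triage(dds_text: str) -> dict[str, list[str]]:
    """Walk a DDS report and collect the findings of the three checks above."""
    findings = {"userinit_extra": [], "lsa_extra": [], "root_executables": []}
    created = []
    for line in dds_text.splitlines():
        if line.startswith("mWinlogon: Userinit="):
            findings["userinit_extra"] = check_userinit(line.split("=", 1)[1])
        elif line.startswith("LSA: Authentication Packages"):
            findings["lsa_extra"] = check_lsa_packages(line.split("=", 1)[1])
        else:
            m = CREATED_LINE.match(line)
            if m:
                created.append(m.group(1).strip())
    findings["root_executables"] = root_drive_executables(created)
    return findings


if __name__ == "__main__":
    for key, hits in triage(SAMPLE_DDS).items():
        print(f"{key}: {hits}")
```

Run against the posted log it reports sdra64.exe under userinit_extra, jkkji.dll under lsa_extra, and yedfjdy.exe and niawndos.exe as root-drive executables; cleanup.exe is skipped because the helper created it, and wisdstr.exe is skipped because it lives in system32, not the drive root.
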
Hi,

Please save this file to your desktop. Click on Start->Run, copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Archive it to a zip file and attach it to your reply.
"%userprofile%\desktop\win32kdiag.exe" -f -r
 
Hi,

Yes, we are making progress :)



IMPORTANT: I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

BearShare
BitTorrent
DNA



I'd like you to read this thread.

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).


After that:


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

  1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
    Remember to re-enable them afterwards.

  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds.txt log.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
 
OK. Here's what I have. The first time I clicked on it, it wanted me to choose what program to use. The second time it came up with something like "can't run......virus". I can't remember what it exactly said. I restarted and it ran. Only thing that came up was something about a rootkit - C:\winnt\system32\sdra64.exe. It restarted and ran fine. I attached the combofix.txt file, but couldn't find the NEW DDS.TXT file you had bolded.
 
OK. Here are the two logs as attachments. Do you know where we stand with this problem? Is it a virus? Malware? Something quite complicated, or is it pretty common? I just want to know where we are at with this process. Thanks for all of your help.
 
Hi,

One of the latest infections is/was present in your system. I won't give any exact estimate of when we'll be finished, but things are going according to plan.


Go Start > Run and copy/paste the following single-line command into the Run box and click OK:

cmd /c PEV -l "%systemdrive%\proquota.exe" >Log.txt&Log.txt&del Log.txt

A Notepad file will open. Post the contents of Log.txt in your next reply.


Open notepad and copy/paste the text in the quotebox below into it:

Code:
Folder::
c:\program files\BearShare
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=-


Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

[image: CFScriptB-4.gif]


Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.



Uninstall old Adobe Reader versions and get the latest one (9.1 + updates 9.1.2 & 9.1.3 for it) here or get Foxit Reader here. Make sure you don't install the toolbar if you choose Foxit Reader! You may also check the free readers introduced here.



Check here to see if your Flash is up-to-date (do it separately with each of your browsers). If not, uninstall vulnerable versions by following instructions here. Fresh version can be obtained here.


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 16.
  • Click the
    Download
    button to the right.
  • Select Windows on platform combobox and check the box that says:
    Accept License Agreement. Click continue.
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u16-windows-i586-p.exe to install the newest version. Uncheck Carbonite online backup trial if it's offered there.



Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here.


Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log.
 
Hi,

Are you familiar with these files:
C:\Documents and Settings\NEWXPOWNER\Application Data\Business Logic\UWC\Backup\J39266.8334409259.WCU
C:\Documents and Settings\NEWXPOWNER\Application Data\Business Logic\UWC\Backup\J39412.9101906019.WCU
C:\Documents and Settings\NEWXPOWNER\Application Data\Business Logic\UWC\Backup\J39418.7573638657.WCU

Open notepad and copy/paste the text in the quotebox below into it:

Code:
FCopy::
C:\WINNT\ServicePackFiles\i386\proquota.exe | c:\windows\system32\proquota.exe
C:\WINNT\ServicePackFiles\i386\proquota.exe | c:\windows\system32\dllcache\proquota.exe
File::
C:\Cory's Stuff\Misc. Files\BearshareSINSTALLOLD.exe
C:\WINDOWS-OLD\default.htm
C:\WINNT\system32\sdra64(10).exe
C:\WINNT\system32\sdra64(11).exe
C:\WINNT\system32\sdra64(12).exe
C:\WINNT\system32\sdra64(13).exe
C:\WINNT\system32\sdra64(14).exe
C:\WINNT\system32\sdra64(15).exe
C:\WINNT\system32\sdra64(16).exe
C:\WINNT\system32\sdra64(2).exe
C:\WINNT\system32\sdra64(3).exe
C:\WINNT\system32\sdra64(4).exe
C:\WINNT\system32\sdra64(5).exe
C:\WINNT\system32\sdra64(6).exe
C:\WINNT\system32\sdra64(7).exe
C:\WINNT\system32\sdra64(8).exe
C:\WINNT\system32\sdra64(9).exe
I:\Cory's Folder\Cory's Stuff\Misc. Files\BearshareSINSTALLOLD.exe


Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

[image: CFScriptB-4.gif]


Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.
 
No, I am not familiar with those documents. I am not aware of what a WCU extension is. Will this change the latest instructions?
 
Hi,

Delete those three .WCU files too. You may need to make hidden files visible to find them:

Show hidden files
-----------------
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.
 
Here you go. Just a note. I ran CA Anti-Spyware last night and Kollah came up again but this time CA was able to quarantine and delete it.

Thanks
 
Hi,

We need to run ComboFix again due to a bug in my script :oops:

Open notepad and copy/paste the text in the quotebox below into it:

Code:
FCopy::
C:\WINNT\ServicePackFiles\i386\proquota.exe | c:\WINNT\system32\proquota.exe
C:\WINNT\ServicePackFiles\i386\proquota.exe | c:\WINNT\system32\dllcache\proquota.exe


Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

[image: CFScriptB-4.gif]


Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log & fresh dds.txt log. Any remaining problems?
 
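The bug the helper owns up to in the post above is a hard-coded system root: the first FCopy:: block wrote to c:\windows\system32 on a machine whose Windows directory is C:\WINNT, as every path in the DDS log shows, so the patched proquota.exe was never replaced where it lives. The following script is an added example, not code from the thread or from ComboFix, that parses the CFScript directives used in this thread (Folder::, Registry::, FCopy::, File::), checks Registry:: lines against regedit's .reg syntax, and verifies that every FCopy:: destination lies under the system root inferred from the DDS Userinit line. The two scripts and the DDS line it is fed are copied from the posts above; ComboFix accepts further directives that this parser does not validate beyond splitting them into blocks.

```python
"""Sanity-check a ComboFix CFScript before dragging it onto ComboFix.exe.

Added example, not code from the thread or from ComboFix. It parses the
directive blocks used in this thread (Folder::, Registry::, FCopy::, File::),
validates Registry:: entries against regedit's .reg syntax, and checks that
every FCopy:: destination lies under the Windows directory the machine really
uses. The first FCopy script posted above targeted c:\windows\system32 on a
system whose Windows directory is C:\WINNT, the mistake corrected afterwards.
"""
import re

# Constructed from the scripts posted above: the helper's first CFScript
# (Folder::/Registry::) merged with the FCopy:: lines that had the wrong root.
BUGGY_SCRIPT = r"""Folder::
c:\program files\BearShare
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=-
FCopy::
C:\WINNT\ServicePackFiles\i386\proquota.exe | c:\windows\system32\proquota.exe
C:\WINNT\ServicePackFiles\i386\proquota.exe | c:\windows\system32\dllcache\proquota.exe
"""

# The corrected FCopy:: block from the later post.
FIXED_SCRIPT = r"""FCopy::
C:\WINNT\ServicePackFiles\i386\proquota.exe | c:\WINNT\system32\proquota.exe
C:\WINNT\ServicePackFiles\i386\proquota.exe | c:\WINNT\system32\dllcache\proquota.exe
"""

# The Userinit line from the posted dds.txt; its first entry reveals %SystemRoot%.
DDS_USERINIT = r"mWinlogon: Userinit=c:\winnt\system32\userinit.exe,c:\winnt\system32\sdra64.exe,"

DIRECTIVE = re.compile(r"^([A-Za-z]+)::$")
REG_KEY = re.compile(r"^\[(HKEY_[A-Z_]+)\\.+\]$")
# "Name"=- deletes a value; "Name"=<data> sets one (regedit .reg syntax).
REG_VALUE = re.compile(r'^"[^"]+"=(-|".*"|dword:[0-9a-fA-F]{8}|hex(\([0-9a-fA-F]+\))?:.*)$')


def parse_cfscript(text: str) -> dict[str, list[str]]:
    """Split a CFScript into {directive: [entry, ...]}, keeping entry order."""
    blocks: dict[str, list[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DIRECTIVE.match(line)
        if m:
            current = m.group(1)
            blocks.setdefault(current, [])
        elif current is None:
            raise ValueError(f"entry before any directive: {line!r}")
        else:
            blocks[current].append(line)
    return blocks


def system_root_from_dds(dds_text: str):
    """Return the Windows directory implied by the DDS Userinit line, or None."""
    for line in dds_text.splitlines():
        if line.startswith("mWinlogon: Userinit="):
            first = line.split("=", 1)[1].split(",")[0].strip()
            m = re.match(r"^([A-Za-z]:\\[^\\]+)\\system32\\userinit\.exe$", first, re.I)
            if m:
                return m.group(1)
    return None


def check_fcopy(blocks, system_root: str) -> list[str]:
    """Flag FCopy:: lines whose destination is not under the real system root."""
    problems = []
    prefix = system_root.lower().rstrip("\\") + "\\"
    for entry in blocks.get("FCopy", []):
        if entry.count("|") != 1:
            problems.append(f"malformed FCopy entry: {entry}")
            continue
        src, dst = (p.strip() for p in entry.split("|"))
        if not dst.lower().startswith(prefix):
            problems.append(f"{dst} is not under {system_root}")
    return problems


def check_registry(blocks) -> list[str]:
    """Flag Registry:: lines that are neither a [key] nor a "name"=... line."""
    return [e for e in blocks.get("Registry", [])
            if not (REG_KEY.match(e) or REG_VALUE.match(e))]


if __name__ == "__main__":
    root = system_root_from_dds(DDS_USERINIT)
    for name, script in (("buggy", BUGGY_SCRIPT), ("fixed", FIXED_SCRIPT)):
        blocks = parse_cfscript(script)
        print(name, "FCopy problems:", check_fcopy(blocks, root))
        print(name, "Registry problems:", check_registry(blocks))
```

Fed the posted DDS line, the check reports both destinations of the first script as outside c:\winnt and passes the corrected script; the Registry:: block passes as written, since `"UpdatesDisableNotify"=-` is the regedit form for deleting a value.
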
I will run tonight. The only problem I have had since the beginning was when I tried to run any spyware, virus or malware programs I would receive this message: "Windows cannot access the specified device, path, or file. You may not have appropriate permissions to access the file." Will I need to uninstall and reinstall to run? I can't delete any of the Spybot files as it says I do not have any rights. I also receive this error if I try to change any of the settings in the CA Antivirus program (not the CA anti-spyware program). Whenever it tries to update these two programs it is unable to install the updated files.
 
In addition to the previous post, one more question. Based upon the problems I have been having, as well as the various procedures I have been going through, has our computer been compromised? Would anyone have been able to access any of our information?
 
Hi,

Do this for every .exe file you get that error:
1. Copy this file to the same folder with problematic .exe file.
2. Drag 'n' drop problematic .exe to this fixer to release its lock.

Based upon the problems I have been having, as well as the various procedures I have been going through, has our computer been compromised? Would anyone have been able to access any of our information?
There's a chance of that. It would be recommended to change your online passwords from another, clean system, just in case.
 