Virtumonde - I've got it too

I need some clarification

Hi Shaba,

Open Notepad and copy the contents of the following box to a new file.

Code:

REGEDIT4

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00

Save it as fix.reg (save type: "All files" (*.*)) to your desktop.​

Done

It should look like this ->​

There was a also a file called NTREGOPT created with the icon you provided in addition to the fix.reg file.

Go to Desktop, double-click fix.reg and merge the infomation with the registry.​

When I double-clicked on fix.reg I got a Windows message saying "Windows cannot open this file". I assumed that you really meant I should double click on NTREGOPT and did so. When I did this it went through some registry optimization.

Reboot.

Rerun DDS and post back fresh DDS logs, please.​

I did this.

I await further instructions.
 
No, if I like you to run NTREGOPT, I would have told so :)

So please follow my previous instructions exactly, re-run DDS and post back fresh DDS logs. You will need to save fix.reg as all files (*.*) and include REGEDIT4 to file and .reg to filename or it won't work.
 
Still confused

Shaba,

I'm trying hard to get this right, but I'm running into problems. I'm double clicking on the fix.reg icon. Windows doesn't know what program to use to open the .reg file extension. I'm getting this message - "Windows cannot open this file".

I've attached a screen shot in .jpg format

Do you want me to go to the Program, Run window and type in fix.reg?
 
I see.

So file association is messed up.

Go here, download & run REG File Association Fix.

If it doesn't work, go to start - run - regedit and choose import and import that
REG File Association Fix.
 
dds1

Hi Shaba,

I was able to run fix.reg.
*****************************

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-06-26.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 5/31/2004 6:32:25 PM
System Uptime: 7/17/2009 9:12:00 AM (1 hours ago)

Motherboard: ASUSTeK Computer INC. | | A7N8X-LA
Processor: AMD Athlon(tm) XP 2800+ | Socket A | 2079/166mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 109 GiB total, 81.197 GiB free.
D: is FIXED (FAT32) - 6 GiB total, 0.557 GiB free.
E: is CDROM ()
J: is CDROM ()
K: is Removable
L: is Removable
M: is Removable
N: is Removable
Y: is NetworkDisk (NTFS) - 74 GiB total, 59.876 GiB free.
Z: is NetworkDisk (NTFS) - 74 GiB total, 59.876 GiB free.

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1794: 7/14/2009 12:34:20 PM - Installed BotHunter.
RP1795: 7/14/2009 4:41:16 PM - System Checkpoint
RP1796: 7/15/2009 5:43:46 PM - System Checkpoint
RP1797: 7/17/2009 6:49:08 AM - System Checkpoint

==== Installed Programs ======================


7-Zip 3.13
Adobe Acrobat 7.0 Professional
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Default Language CS3
Adobe Device Central CS3
Adobe Dreamweaver CS3
Adobe ExtendScript Toolkit 2
Adobe Extension Manager CS3
Adobe Flash Player 10 Plugin
Adobe Flash Player 9
Adobe Flash Player ActiveX
Adobe Help Viewer CS3
Adobe PDF Library Files
Adobe Reader 8.1.1
Adobe Setup
Adobe SVG Viewer 3.0
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Advanced Port Scanner v1.2
ArcSoft ShowBiz 2
Audacity 1.2.3
AXIS Media Control
B2 Spice A_D v4 Pro
BotHunter
CCleaner (remove only)
Color LaserJet 2600n
Compatibility Pack for the 2007 Office system
Critical Update for Windows Media Player 11 (KB959772)
EAGLE 4.11
ERUNT 1.1j
FileZilla Client 3.2.2.1
Free Solitaire
FreeRIP v2.942
GoToMeeting 4.0.0.320
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
HP OfficeJet Series 700 (Remove Only)
HP Photo & Imaging 3.0
HPIZ Fix2
hpmdtab
HpSdpAppCoreApp
HPSystemDiagnostics
Intel(R) Extreme Graphics Driver
InterVideo WinDVD Player
Java 2 Runtime Environment, SE v1.4.1_02
Java Web Start
Java(TM) 6 Update 13
Java(TM) 6 Update 6
Java(TM) 6 Update 7
KBD
LiveUpdate 2.6 (Symantec Corporation)
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
MDI2PDF 2.4
Memories Disc Creator 2.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Live Meeting 2007
Microsoft Office XP Professional with FrontPage
Microsoft Plus! Digital Media Edition
Microsoft Project 2000 SR-1
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual J# .NET Redistributable Package 1.1
Microsoft Works 7.0
Move Networks Media Player for Internet Explorer
Mozilla Firefox (3.0.11)
Mozilla Thunderbird (1.5)
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 Parser and SDK
Multimedia Card Reader
NVIDIA Drivers
NVIDIA Ethernet Driver
NVIDIA Gart Driver
NVIDIA Windows 2000/XP Display Drivers
Palm Desktop
Pdf995 (installed by TaxCut)
PdfEdit995 (installed by TaxCut)
PhotoGallery
Photosmart 140,240,7200,7600,7700,7900 Series
PrintScreen
PS2
PSShortcutsP
Python 2.2 combined Win32 extensions
Python 2.2.1
QFolder
Quicken 2008
QuickProjects
QuickTime
RealOne Player
RecordNow!
S3Display
S3Gamma2
S3Info2
S3Overlay
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
SigmaTel MSCN Audio Player
SimpleOCR 3.1
SkinsHP1
SkinsHP2
Skype web features
Skype™ 4.1
SPSS 12.0.1 for Windows
Spybot - Search & Destroy
Symantec AntiVirus
TaxCut Deluxe 2005
TaxCut Pennsylvania 2006
TaxCut Pennsylvania 2007
TaxCut Pennsylvania 2008
TaxCut Premium + State + Efile 2008
TaxCut Premium + State 2007
TaxCut Premium 2006
TextPad 5
TrayApp
Trillian
Unload
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
VideoCacheView
VLC media player 0.9.8a
WAV MP3 Converter 2.3 build 679
Waver Version 2.95
WebFldrs XP
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinPcap 4.0.2
Yahoo! Toolbar

==== Event Viewer Messages From Past Week ========

7/17/2009 10:00:00 AM, error: Schedule [7901] - The At11.job command failed to start due to the following error: %%2147942402
7/16/2009 7:00:00 AM, error: Schedule [7901] - The At8.job command failed to start due to the following error: %%2147942402
7/16/2009 4:00:00 PM, error: Schedule [7901] - The At17.job command failed to start due to the following error: %%2147942402
7/16/2009 2:00:00 PM, error: Schedule [7901] - The At15.job command failed to start due to the following error: %%2147942402
7/15/2009 9:00:01 PM, error: Schedule [7901] - The At22.job command failed to start due to the following error: %%2147942402
7/15/2009 8:00:00 PM, error: Schedule [7901] - The At21.job command failed to start due to the following error: %%2147942402
7/15/2009 7:00:00 PM, error: Schedule [7901] - The At20.job command failed to start due to the following error: %%2147942402
7/15/2009 6:00:00 PM, error: Schedule [7901] - The At19.job command failed to start due to the following error: %%2147942402
7/15/2009 5:00:00 PM, error: Schedule [7901] - The At18.job command failed to start due to the following error: %%2147942402
7/15/2009 3:00:00 PM, error: Schedule [7901] - The At16.job command failed to start due to the following error: %%2147942402
7/15/2009 10:00:00 PM, error: Schedule [7901] - The At23.job command failed to start due to the following error: %%2147942402
7/14/2009 12:11:57 AM, error: Dhcp [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 000C6EFEDEBE. The following error occurred: The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
7/13/2009 2:47:38 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
7/12/2009 3:40:47 PM, error: Service Control Manager [7031] - The Symantec AntiVirus service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.
7/12/2009 3:12:44 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\windows\system32\ctfmon.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.5512.
7/12/2009 3:00:57 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: agp440 SISAGP viaagp1
7/11/2009 8:29:01 AM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file ctfmon.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.5512.
7/10/2009 7:11:13 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000034' while processing the file '~efe2.tmp' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
7/10/2009 4:28:55 PM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.

==== End Of File ===========================
 
Dds1

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-06-26.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 5/31/2004 6:32:25 PM
System Uptime: 7/17/2009 9:12:00 AM (7 hours ago)

Motherboard: ASUSTeK Computer INC. | | A7N8X-LA
Processor: AMD Athlon(tm) XP 2800+ | Socket A | 2079/166mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 109 GiB total, 81.192 GiB free.
D: is FIXED (FAT32) - 6 GiB total, 0.557 GiB free.
E: is CDROM ()
J: is CDROM ()
K: is Removable
L: is Removable
M: is Removable
N: is Removable
Y: is NetworkDisk (NTFS) - 74 GiB total, 59.844 GiB free.
Z: is NetworkDisk (NTFS) - 74 GiB total, 59.844 GiB free.

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1794: 7/14/2009 12:34:20 PM - Installed BotHunter.
RP1795: 7/14/2009 4:41:16 PM - System Checkpoint
RP1796: 7/15/2009 5:43:46 PM - System Checkpoint
RP1797: 7/17/2009 6:49:08 AM - System Checkpoint

==== Installed Programs ======================


7-Zip 3.13
Adobe Acrobat 7.0 Professional
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Default Language CS3
Adobe Device Central CS3
Adobe Dreamweaver CS3
Adobe ExtendScript Toolkit 2
Adobe Extension Manager CS3
Adobe Flash Player 10 Plugin
Adobe Flash Player 9
Adobe Flash Player ActiveX
Adobe Help Viewer CS3
Adobe PDF Library Files
Adobe Reader 8.1.1
Adobe Setup
Adobe SVG Viewer 3.0
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Advanced Port Scanner v1.2
ArcSoft ShowBiz 2
Audacity 1.2.3
AXIS Media Control
B2 Spice A_D v4 Pro
BotHunter
CCleaner (remove only)
Color LaserJet 2600n
Compatibility Pack for the 2007 Office system
Critical Update for Windows Media Player 11 (KB959772)
EAGLE 4.11
ERUNT 1.1j
FileZilla Client 3.2.2.1
Free Solitaire
FreeRIP v2.942
GoToMeeting 4.0.0.320
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
HP OfficeJet Series 700 (Remove Only)
HP Photo & Imaging 3.0
HPIZ Fix2
hpmdtab
HpSdpAppCoreApp
HPSystemDiagnostics
Intel(R) Extreme Graphics Driver
InterVideo WinDVD Player
Java 2 Runtime Environment, SE v1.4.1_02
Java Web Start
Java(TM) 6 Update 13
Java(TM) 6 Update 6
Java(TM) 6 Update 7
KBD
LiveUpdate 2.6 (Symantec Corporation)
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
MDI2PDF 2.4
Memories Disc Creator 2.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Live Meeting 2007
Microsoft Office XP Professional with FrontPage
Microsoft Plus! Digital Media Edition
Microsoft Project 2000 SR-1
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual J# .NET Redistributable Package 1.1
Microsoft Works 7.0
Move Networks Media Player for Internet Explorer
Mozilla Firefox (3.0.11)
Mozilla Thunderbird (1.5)
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 Parser and SDK
Multimedia Card Reader
NVIDIA Drivers
NVIDIA Ethernet Driver
NVIDIA Gart Driver
NVIDIA Windows 2000/XP Display Drivers
Palm Desktop
Pdf995 (installed by TaxCut)
PdfEdit995 (installed by TaxCut)
PhotoGallery
Photosmart 140,240,7200,7600,7700,7900 Series
PrintScreen
PS2
PSShortcutsP
Python 2.2 combined Win32 extensions
Python 2.2.1
QFolder
Quicken 2008
QuickProjects
QuickTime
RealOne Player
RecordNow!
S3Display
S3Gamma2
S3Info2
S3Overlay
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
SigmaTel MSCN Audio Player
SimpleOCR 3.1
SkinsHP1
SkinsHP2
Skype web features
Skype™ 4.1
SPSS 12.0.1 for Windows
Spybot - Search & Destroy
Symantec AntiVirus
TaxCut Deluxe 2005
TaxCut Pennsylvania 2006
TaxCut Pennsylvania 2007
TaxCut Pennsylvania 2008
TaxCut Premium + State + Efile 2008
TaxCut Premium + State 2007
TaxCut Premium 2006
TextPad 5
TrayApp
Trillian
Unload
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
VideoCacheView
VLC media player 0.9.8a
WAV MP3 Converter 2.3 build 679
Waver Version 2.95
WebFldrs XP
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinPcap 4.0.2
Yahoo! Toolbar

==== Event Viewer Messages From Past Week ========

7/17/2009 12:00:00 PM, error: Schedule [7901] - The At13.job command failed to start due to the following error: %%2147942402
7/17/2009 11:00:00 AM, error: Schedule [7901] - The At12.job command failed to start due to the following error: %%2147942402
7/17/2009 10:00:00 AM, error: Schedule [7901] - The At11.job command failed to start due to the following error: %%2147942402
7/17/2009 1:00:00 PM, error: Schedule [7901] - The At14.job command failed to start due to the following error: %%2147942402
7/16/2009 7:00:00 AM, error: Schedule [7901] - The At8.job command failed to start due to the following error: %%2147942402
7/16/2009 4:00:00 PM, error: Schedule [7901] - The At17.job command failed to start due to the following error: %%2147942402
7/16/2009 2:00:00 PM, error: Schedule [7901] - The At15.job command failed to start due to the following error: %%2147942402
7/15/2009 9:00:01 PM, error: Schedule [7901] - The At22.job command failed to start due to the following error: %%2147942402
7/15/2009 8:00:00 PM, error: Schedule [7901] - The At21.job command failed to start due to the following error: %%2147942402
7/15/2009 7:00:00 PM, error: Schedule [7901] - The At20.job command failed to start due to the following error: %%2147942402
7/15/2009 6:00:00 PM, error: Schedule [7901] - The At19.job command failed to start due to the following error: %%2147942402
7/15/2009 5:00:00 PM, error: Schedule [7901] - The At18.job command failed to start due to the following error: %%2147942402
7/15/2009 3:00:00 PM, error: Schedule [7901] - The At16.job command failed to start due to the following error: %%2147942402
7/15/2009 10:00:00 PM, error: Schedule [7901] - The At23.job command failed to start due to the following error: %%2147942402
7/14/2009 12:11:57 AM, error: Dhcp [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 000C6EFEDEBE. The following error occurred: The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
7/13/2009 2:47:38 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
7/12/2009 3:40:47 PM, error: Service Control Manager [7031] - The Symantec AntiVirus service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.
7/12/2009 3:12:44 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\windows\system32\ctfmon.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.5512.
7/12/2009 3:00:57 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: agp440 SISAGP viaagp1
7/11/2009 8:29:01 AM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file ctfmon.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.5512.
7/10/2009 7:11:13 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000034' while processing the file '~efe2.tmp' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
7/10/2009 4:28:55 PM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.

==== End Of File ===========================
 
Dds2

DDS (Ver_09-06-26.01) - NTFSx86
Run by Owner at 16:00:34.23 on Fri 07/17/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.959.439 [GMT -4:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Multimedia Card Reader\shwicon2k .exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
uSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost;*.local
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: HP View: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} -
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {8F4902B6-6C04-4ade-8052-AA58578A21BD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [FreeRAM XP] "c:\program files\yourware solutions\freeram xp pro\FreeRAM XP Pro.exe" -win
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Sunkist2k] c:\program files\multimedia card reader\shwicon2k.exe
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\outloo~1.lnk - c:\program files\outlook express\msimn.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: troweprice.com\www3
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} - hxxps://www.windowsonecare.com/install/cli/0.8.0794.48/WinSSWebAgent.CAB
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1126369175812
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38138.8417361111
DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://download.games.yahoo.com/games/popcap/zuma/popcaploader_v5.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxsrvc.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\ar174uw8.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\program files\real\realone player\netscape6\nppl3260.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprjplug.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprpjplug.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-8-26 334984]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-8-26 53896]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-10-4 185968]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-10-4 177776]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2005-11-15 1756912]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-3-13 101936]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090710.003\naveng.sys [2009-7-11 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090710.003\navex15.sys [2009-7-11 876144]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2005-10-4 83568]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2005-11-15 169200]

=============== Created Last 30 ================

2009-07-15 14:26 <DIR> --d----- C:\_OTM
2009-07-13 16:00 <DIR> --d----- c:\documents and settings\owner\.SunDownloadManager
2009-07-13 15:20 <DIR> --d----- c:\program files\Trend Micro
2009-07-13 15:03 <DIR> --d----- c:\docume~1\owner\applic~1\SRI
2009-07-12 14:50 <DIR> --d----- c:\docume~1\owner\applic~1\Malwarebytes
2009-07-12 14:50 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-12 14:50 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-12 14:50 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-12 14:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-11 08:31 179 a------- c:\windows\system\hpsysdrv .DAT
2009-07-10 15:56 <DIR> --d----- c:\temp\FR90PE
2009-07-06 15:21 53,760 ac------ c:\windows\system32\dllcache\vfwwdm32.dll
2009-07-06 15:21 20,992 ac------ c:\windows\system32\dllcache\dshowext.ax
2009-07-06 15:21 53,760 a------- c:\windows\system32\vfwwdm32.dll
2009-07-06 15:21 20,992 a------- c:\windows\system32\dshowext.ax
2009-07-06 15:16 56 a---h--- c:\windows\system32\ezsidmv.dat
2009-07-05 13:41 <DIR> --d----- c:\windows\pss
2009-06-29 20:57 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-06-29 20:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-06-25 16:01 <DIR> --d----- c:\documents and settings\owner\Tracing
2009-06-25 15:56 81,736 a------- c:\windows\system32\lmdimon8.dll
2009-06-25 15:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Applications

==================== Find3M ====================

2009-07-17 09:13 27,660 a------- c:\windows\system32\hkcmd.exe
2009-07-16 14:12 27,660 a------- c:\windows\system32\ctfmon.exe.tmp
2009-05-10 20:49 34,720 a------- c:\docume~1\owner\applic~1\GDIPFONTCACHEV1.DAT
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-06 17:07 60,744 a------- c:\documents and settings\owner\g2mdlhlpx.exe
2009-04-29 00:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-29 00:55 78,336 a------- c:\windows\system32\ieencode.dll
2007-05-03 22:14 839 a------- c:\docume~1\owner\applic~1\waver_2.95.dat
2007-02-03 14:36 439,296 a------- c:\documents and settings\owner\GoToAssist_phone__317_en.exe
2006-12-04 16:30 389,120 a------- c:\documents and settings\owner\remote.exe
2004-01-01 23:43 0 a--sh--- c:\windows\sminst\HPCD.sys
2008-09-13 11:59 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091320080914\index.dat

============= FINISH: 16:01:17.93 ===============
 
Everything is fine!

Shaba,

Thank you for your help. I have a new appreciation for how hard it is to remove viruses. This forum provides an invaluable service.

Noiserider
 
Good :)

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

You can delete fix.reg

Looking over your log, it seems you don't have any evidence of a third party firewall.

As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders. I want you to download a free firewall NOW from one of these excellent vendors:

1) Comodo (Uncheck during installation "Install COMODO Antivirus (Recommended)"!, "Install Comodo SafeSurf..", Make Comodo my default search provider" and "Make Comodo Search my homepage")
2) Online Armor
3) PC Tools
4) Sunbelt/Kerio
5) ZoneAlarm (uncheck ZoneAlarm Spy Blocker during installation if you choose this one)

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.

Next we remove all used tools.

Please download OTCleanIt and save it to desktop.
  • Double-click OTC.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.

Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

  • Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

    You can find instructions on how to enable and re-enable system restore here:

    Windows XP System Restore Guide

Re-enable system restore with instructions from tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.

  • Update your AntiVirus Software and keep your other programs up-to-date Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
    You can use one of these sites to check if any updates are needed for your pc.
    Secunia Software Inspector
    F-secure Health Check
  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  • Install Malwarebytes' Anti-Malware - Malwarebytes''Anti-Malware is a new and powerful anti-malware tool. It is
    totally free but for real-time protection you will have to pay a small one-time fee. Tutorial on installing & using this product can be found below:

    Malwarebytes' Anti-Malware Setup Guide

    Malwarebytes' Anti-Malware Scanning Guide

  • Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety


Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place

Happy surfing and stay clean! :)
 
It's back again

Shaba,

I've got this icon on the takbar that keeps popping up asking me to download and-spyware and AntiMalware says I'm infected again. Help:D:

Malwarebytes' Anti-Malware 1.38
Database version: 2413
Windows 5.1.2600 Service Pack 3

7/19/2009 6:24:51 AM
mbam-log-2009-07-19 (06-24-43).txt

Scan type: Quick Scan
Objects scanned: 96426
Time elapsed: 12 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 2
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\solution.solution (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\TypeLib\{00476c87-a276-49bf-86bc-ff005732430b} (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{892b2785-b0d0-4aa2-ae6a-0ed60b00a979} (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{7957fd21-c584-4476-b26b-4691a7ac4e5d} (Trojan.BHO) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7957fd21-c584-4476-b26b-4691a7ac4e5d} (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\solution.solution.1 (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\AppID\{e81cf86b-f683-422a-b742-3f2427ea9d6a} (Trojan.BHO) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax (Trojan.Downloader) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax (Trojan.FakeAlert) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\l6KC08v3.dll (Trojan.BHO) -> No action taken.
c:\WINDOWS\system32\j0IA32t6.exe.a_a (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\braviax.exe (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\wisdstr.exe (Trojan.FakeAlert) -> No action taken.
 
Well then it just means that you will need to keep infected computer totally offline or cleaning makes no sense as something downloads it back.

Is that possible?
 
I can keep it offline

I have another "healthy" computer where I can communicate with you and keep this one offline as we clean it. The problem will be getting results from the cleaning programs (Malware, dds, etc.) to the "healthy" computer then to you via this thread. Should I just use a thumb drive?
 
That is fine as long as autorun is disabled.

So please hold shift down when inserting thumb drive.

Transfer combofix via thumb drive to infected computer.

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
If you need help to disable your protection programs see here.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.
 
combofix cause Windows reboot

I ran combofix. It says "preparing to run" and then seconds later the PC reboots and I get a MS error report that is shown in the attached jpg file.

I've examined the computer and there is no spyware running and the firewall is disabled - as far as I can tell.
 
Windows Firewall Looks Compromised

Shaba,

I looked at Windows Firewall to see if it was on or off. I wanted to make sure it wasn't causing problems with combofix. I can't turn it on or off. The .jpg image is attached.
 
You must log in or register to reply here.
Back
Top