#1
Registered User
Join Date: Apr 2009
Posts: 3
OS: xp pro
Infected computer needs help
Hi There... I've been working steady over the past several days trying to clean my infected computer using Spybot, Malwarebytes', and my Symantec Antivirus program.
I'm at the point where there appears to be nothing left to clean; however, I'm experiencing continued computer issues:
1. cannot access many online virus scan websites (housecall) as they appear to be blocked
2. firewall continues to be turned off after reboot
3. cannot restore to any past check points
4. and the most noticeable issue - a Logon UI error window appears about ten times during the desktop loading along with accompanying "send error to Microsoft" window.
5. also a message that says NT partition program was closed for security reasons... this is the last bogus window to appear
The speed and performance of the computer appears normal. Here are some of the more noteworthy viruses/malware that were cleaned from the system: Trojan.Vundo.H, Trojan.Zlob.H, Trojan.Pandex, Trojan.TinyDownloader705, lsass.exe (Trojan.Agent), Win32.Joleee.K, windres.exe, w32.Mytob@mm. You're my last hope before I reformat the HD and reinstall XP. Attached are the log files you have requested. Thanks for your well anticipated help... dave
#2
Analyst, Security Team
Re: Infected computer needs help
Howdy there and welcome to TSF Forums
I'm Steve and I will be helping you throughout this fix. Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. It is IMPORTANT that you don't miss a step. Please perform everything in the correct order/sequence.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days from this initial posting then the thread will be closed.

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool: http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

** Can I please ask that all future logs are copied and pasted directly into your reply unless instructed to aid analysis - Thanks **
__________________
If we have helped you then please consider donating. Proud Member of ASAP & UNITE Since 2007
#3
Registered User
Join Date: Apr 2009
Posts: 3
OS: xp pro
Re: Infected computer needs help
Hi Again... I followed all necessary directions regarding ComboFix although I couldn't get access to the Microsoft site to install the Windows Recovery Console. Other than that it went OK. Here is the log report from ComboFix. Thanks...
#4
Analyst, Security Team
Re: Infected computer needs help
Hi daczac
Unfortunately your system is infected with a polymorphic file infector called Virut. Virut is capable of infecting all the machine's executable files (.exe) and screensaver files (.scr). However, the problem is that the virus has a number of bugs in its code, and as a result, it may misinfect a proportion of executable files and therefore the files are corrupted beyond repair.

As of now, security experts suggest that a format and clean install, or destructive recovery if you have an OEM recovery partition, is the best way to clean the infection and it is the best and safest way to return the machine to its normal working state.

Backup all your documents and important items (personal data, work documents, etc) only. DO NOT backup any executable files (software) and screensavers (*.scr). It attempts to infect any accessed .exe or .scr files by appending itself to the executable. Also, avoid backing up compressed files (zip/cab/rar) that have .exe or .scr files inside them. Virut can penetrate and infect .exe files inside compressed files too. Recent variants also modify htm, html, asp and php files.
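A backup-triage helper that applies the rules from the analyst's reply (documents only; no .exe or .scr; no archives containing them; no htm/html/asp/php). This is an added example, not code from the thread or from TSF; it assumes only ZIP archives can be inspected with the standard library, so cab and rar files are skipped outright, and the sample tree it builds (function and file names are mine) is constructed.

```python
"""Backup triage following the analyst's Virut advice (added example, not
code from the thread): copy documents only, never .exe/.scr files, never
archives that contain .exe/.scr entries, and none of the htm/html/asp/php
files that recent variants modify. Assumption: only ZIP archives can be
inspected with the standard library, so cab/rar archives are skipped outright.
"""
from __future__ import annotations

import os
import tempfile
import zipfile
from pathlib import Path

EXECUTABLE_EXT = {".exe", ".scr"}            # what Virut appends itself to
WEB_EXT = {".htm", ".html", ".asp", ".php"}  # what recent variants modify
ARCHIVE_EXT = {".zip", ".cab", ".rar"}       # containers it can hide inside


def classify(path: Path) -> str:
    """Return 'backup' or a 'skip:<reason>' verdict for one file.

    The decision is made on the extension first, so nothing is opened
    unless it is a ZIP archive whose entries must be listed.
    """
    ext = path.suffix.lower()
    if ext in EXECUTABLE_EXT:
        return "skip:executable"
    if ext in WEB_EXT:
        return "skip:web-file"
    if ext in ARCHIVE_EXT:
        if ext != ".zip":
            # No stdlib reader for cab/rar: cannot prove it is clean.
            return "skip:uninspectable-archive"
        try:
            with zipfile.ZipFile(path) as zf:
                for name in zf.namelist():
                    if Path(name).suffix.lower() in EXECUTABLE_EXT:
                        return "skip:archive-contains-executable"
        except zipfile.BadZipFile:
            return "skip:corrupt-archive"
    return "backup"


def triage(root: Path) -> dict[str, str]:
    """Classify every file under root, keyed by '/'-separated relative path."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): classify(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def build_sample_tree(root: Path) -> None:
    """Constructed sample data (not from the thread): documents, inert stubs
    that stand in for executables, a web page and a few archives."""
    (root / "docs").mkdir()
    (root / "docs" / "report.docx").write_text("constructed document")
    (root / "docs" / "photo.jpg").write_bytes(b"\xff\xd8 constructed jpeg")
    (root / "site").mkdir()
    (root / "site" / "index.html").write_text("<html>constructed</html>")
    # 'MZ' prefix only: these stubs are not real binaries.
    (root / "setup.exe").write_bytes(b"MZ constructed stub")
    (root / "saver.scr").write_bytes(b"MZ constructed stub")
    (root / "driver.rar").write_bytes(b"Rar! constructed stub")
    (root / "broken.zip").write_bytes(b"not really a zip file")
    with zipfile.ZipFile(root / "tools.zip", "w") as zf:
        zf.writestr("bin/tool.exe", b"MZ constructed stub")
        zf.writestr("readme.txt", "constructed")
    with zipfile.ZipFile(root / "notes.zip", "w") as zf:
        zf.writestr("notes.txt", "constructed")


def run_demo() -> dict[str, str]:
    """Build the sample tree in a scratch directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return triage(root)


if __name__ == "__main__":
    for rel, verdict in run_demo().items():
        print(f"{verdict:34} {rel}")
```

Anything other than `backup` is left on the infected disk; an uninspectable or corrupt archive is treated as unsafe rather than assumed clean.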
#6
Analyst, Security Team
Re: Infected computer needs help
As this topic is resolved as far as we can go here, I will now discontinue monitoring this thread for replies. Should you require any further assistance please start a new topic in the relevant section of the forum.