03-12-2009, 05:50 AM   #1
billermo (Registered User)
Join Date: Aug 2007
Posts: 162
OS: Win XP

Tough little virus

I have a virus on my office machine. This computer was reformatted but the person who did it neglected to put an AV on it, and within a day it was badly infected.

I've installed AVG Free and a few AS programs, but it's blocking most of them from updating, and AVG isn't able to clean out this virus so far. I'm not even sure if this is one infection or a number of them. The first symptom was that IE was being redirected to the virus/spyware's preferred websites.

As per instructions, here is the DDS file:


DDS (Ver_09-02-01.01) - FAT32x86
Run by n at 18:33:41.34 on Thu 03/12/2009
Internet Explorer: 6.0.2900.2180

============== Running Processes ===============


============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: NoExplorer - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uRun: [UniKey] c:\program files\unikey 3.6\UniKeyNT.exe
uRun: [Google Update] "c:\documents and settings\n\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SpywareTerminator] "c:\program files\spyware terminator\SpywareTerminatorShield.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
uPolicies-system: DisableTaskMgr = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\program files\yahoo!\messenger\YahooMessenger.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================


==================== Find3M ====================

2009-03-12 08:57 1,589,248 a------- c:\windows\system32\nwiz.exe
2007-01-16 20:05 168,509 ---shr-- c:\windows\system32\gmqhf.dll

============= FINISH: 18:34:44.25 ===============
Attached Files
File Type: zip Attach.zip (1.8 KB, 4 views)

03-13-2009, 08:35 PM   #2
Billy O'Neal (Analyst, Security Team)
Join Date: Aug 2008
Location: Northfield, Ohio, United States
Posts: 1,690
OS: XPSP3, Vista Ultimate SP1, Ubuntu Server

Re: Tough little virus

Hello, billermo
Welcome to TSF

My name is Billy O'Neal and I will be helping you. (Billy or Bill is fine, if you like.)
Please give me some time to look over your computer's log(s).
Please take note of the following:
  • In the meantime, please refrain from making any changes to your computer.
  • Also, even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way up, only to have the system re-infect itself. :)
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Finally, please reply using the button in the lower left hand corner of your screen.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just put a post here so that I know you're still here. We get a lot of people who simply leave, and if there is no contact for that amount of time I will have to assume you have "vanished" .

We Need to Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

If this tool helped you, please consider a donation to its author:

How to run ComboFix:
  1. Please download ComboFix from one of the following mirrors, and save it to your desktop.
  2. Disable any running Anti-Virus or Anti-Malware programs. This includes Firewalls, Anti-Virus, Spyware Scanners, etc. Any or all of them may interfere with the running of ComboFix.
  3. Double click on your desktop.
  4. Read the disclaimer and accept it (press Yes).
  5. For Windows XP Systems: Install the Recovery Console:
    • If you are using Windows XP and do not already have the Recovery Console installed, please ensure your internet connection is active (if possible), and press Yes. If for some reason your internet is not working, please press No. If you are not using Windows XP, you will not be prompted.
    • When prompted to accept the EULA, press OK.
    • Accept Microsoft's EULA (Press Yes).
    • When you are told that the RC is installed correctly, please press YES to continue scanning for malware.
  6. ComboFix will run. Simply wait for it to finish.
  7. When it finishes, ComboFix will produce a log. Please post that log in your next reply here :)

NOTE: If ComboFix will not run, please rename it to GlobRemover.exe and try again!

In your next reply, please include the following:
  • ComboFix.txt

Billy3
__________________
If I fail to reply for more than 24 hours, please feel free to send me a PM. Don't want you to be overlooked

Not problems like "What is beauty".. 'cause that would fall under the purview of your conundrums of philosophy.....
03-14-2009, 04:51 AM   #3
billermo (Registered User)
Join Date: Aug 2007
Posts: 162
OS: Win XP

Re: Tough little virus

OK I just ran Combofix, so I'm attaching the log here.

Thanks so much for your help.


ComboFix 09-03-13.02 - n 2009-03-14 17:44:55.1 - FAT32x86
Running from: c:\documents and settings\n\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2009-02-14 to 2009-03-14 )))))))))))))))))))))))))))))))
.

2009-03-13 09:11 . 2008-10-16 14:09 31,768 --a------ c:\windows\system32\wucltui.dll.mui
2009-03-13 09:11 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuaucpl.cpl.mui
2009-03-13 09:11 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
2009-03-13 09:11 . 2008-10-16 14:07 18,456 --a------ c:\windows\system32\wuaueng.dll.mui
2009-03-13 08:21 . 2009-03-13 08:21 <DIR> d---s---- c:\documents and settings\n\UserData
2009-03-12 18:32 . 2009-03-12 18:32 <DIR> d--h----- C:\$AVG8.VAULT$
2009-03-12 18:26 . 2009-03-12 18:26 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-03-12 18:26 . 2009-03-12 18:26 325,640 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-03-12 18:26 . 2009-03-12 18:26 107,912 --a------ c:\windows\system32\drivers\avgtdix.sys
2009-03-12 18:26 . 2009-03-12 18:26 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-03-12 18:25 . 2009-03-12 18:25 <DIR> d-------- c:\program files\AVG
2009-03-12 18:25 . 2009-03-12 18:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-03-12 15:55 . 2009-03-12 15:55 <DIR> d-------- c:\documents and settings\n\Application Data\Yahoo!
2009-03-12 15:55 . 2009-03-12 15:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-03-12 15:55 . 2009-03-12 18:25 211 --a------ c:\windows\system32\BIN_STRSBW.SPT
2009-03-12 15:54 . 2009-03-12 15:55 <DIR> d-------- c:\program files\CCleaner
2009-03-12 15:51 . 2009-03-12 15:51 <DIR> d-------- c:\windows\SxsCaPendDel
2009-03-12 10:09 . 2009-03-12 10:09 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-12 10:09 . 2009-03-12 10:09 <DIR> d-------- c:\documents and settings\n\Application Data\Malwarebytes
2009-03-12 10:09 . 2009-03-12 10:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-12 10:09 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-12 10:09 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-12 09:51 . 2009-03-12 09:51 <DIR> d-------- c:\program files\Spyware Terminator
2009-03-12 09:51 . 2009-03-12 09:51 <DIR> d-------- c:\documents and settings\n\Application Data\Spyware Terminator
2009-03-12 09:51 . 2009-03-12 09:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spyware Terminator
2009-03-12 09:51 . 2009-03-12 09:51 142,592 --a------ c:\windows\system32\drivers\sp_rsdrv2.sys
2009-03-12 08:49 . 2009-03-12 08:49 <DIR> d-------- c:\program files\Trend Micro
2009-03-12 07:58 . 2009-03-12 07:58 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-03-12 07:58 . 2009-03-12 07:58 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-03-12 07:58 . 2009-03-12 07:58 <DIR> d-------- c:\documents and settings\n\Application Data\SUPERAntiSpyware.com
2009-03-12 07:58 . 2009-03-12 07:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-03-12 07:56 . 2009-03-12 07:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\TEMP
2009-03-12 07:55 . 2009-03-12 07:55 <DIR> d-------- c:\program files\SpywareBlaster
2009-03-01 14:54 . 2009-03-01 14:54 <DIR> d-------- c:\documents and settings\n\Application Data\U3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-13 05:13 1,519,616 ----a-w c:\windows\system32\nwiz.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UniKey"="c:\program files\Unikey 3.6\UniKeyNT.exe" [2003-01-29 77824]
"Google Update"="c:\documents and settings\n\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-03-11 133104]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-02-17 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-07-20 7110656]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-07-20 86016]
"SpywareTerminator"="c:\progra~1\SPYWAR~2\SpywareTerminatorShield.exe" [2009-03-12 2246144]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-03-12 1932568]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-03-12 18:26 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\D32 Auto Protect]
--a------ 2004-05-22 12:22 221696 c:\program files\D32\VDetect.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2009-03-12 09:13 3334144 c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\WINDOWS\\system32\\wscntfy.exe"=
"c:\\WINDOWS\\system32\\nwiz.exe"=
"c:\\WINDOWS\\system32\\userinit.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\EXCEL.EXE"=
"c:\\Program Files\\AVG\\AVG8\\setup.exe"=
"c:\\Documents and Settings\\n\\Local Settings\\Application Data\\Google\\Update\\GoogleUpdate.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6801:TCP"= 6801:TCP:celhw

R2 hmnqlfxnm;Driver Manager;c:\windows\system32\svchost.exe [2004-08-03 14336]
R3 abp470n5;abp470n5; [x]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-03-12 325640]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-03-12 107912]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-02-17 8944]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-02-17 55024]
S1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2009-03-12 142592]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-03-12 298264]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-02-11 38496]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBAMSWISSARMY
*Deregistered* - AFD
*Deregistered* - AudioSrv
*Deregistered* - audstub
*Deregistered* - avg8wd
*Deregistered* - AvgLdx86
*Deregistered* - AvgMfx86
*Deregistered* - AvgTdiX
*Deregistered* - Beep
*Deregistered* - Browser
*Deregistered* - Cdfs
*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - dmio
*Deregistered* - dmload
*Deregistered* - dmserver
*Deregistered* - Dnscache
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - Fastfat
*Deregistered* - FastUserSwitchingCompatibility
*Deregistered* - Fips
*Deregistered* - FltMgr
*Deregistered* - Ftdisk
*Deregistered* - Gpc
*Deregistered* - helpsvc
*Deregistered* - hmnqlfxnm
*Deregistered* - HTTP
*Deregistered* - HTTPFilter
*Deregistered* - ImapiService
*Deregistered* - IpNat
*Deregistered* - IPSec
*Deregistered* - KSecDD
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LmHosts
*Deregistered* - MBAMSwissArmy
*Deregistered* - mnmdd
*Deregistered* - MountMgr
*Deregistered* - MRxDAV
*Deregistered* - MRxSmb
*Deregistered* - Msfs
*Deregistered* - mssmbios
*Deregistered* - Mup
*Deregistered* - NDIS
*Deregistered* - NdisTapi
*Deregistered* - Ndisuio
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - NetBT
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - Npfs
*Deregistered* - Null
*Deregistered* - NVSvc
*Deregistered* - PartMgr
*Deregistered* - ParVdm
*Deregistered* - PolicyAgent
*Deregistered* - PptpMiniport
*Deregistered* - ProtectedStorage
*Deregistered* - PSched
*Deregistered* - RasAcd
*Deregistered* - Rasl2tp
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - rdpdr
*Deregistered* - RemoteRegistry
*Deregistered* - RpcSs
*Deregistered* - rspndr
*Deregistered* - SamSs
*Deregistered* - SASDIFSV
*Deregistered* - SASENUM
*Deregistered* - SASKUTIL
*Deregistered* - Schedule
*Deregistered* - Secdrv
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - sp_rsdrv2
*Deregistered* - sp_rssrv
*Deregistered* - Spooler
*Deregistered* - sr
*Deregistered* - srservice
*Deregistered* - Srv
*Deregistered* - SSDPSRV
*Deregistered* - swenum
*Deregistered* - Tcpip
*Deregistered* - TermDD
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - Update
*Deregistered* - VgaSave
*Deregistered* - VolSnap
*Deregistered* - W32Time
*Deregistered* - Wanarp
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WZCSVC

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
hmnqlfxnm

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{62441a88-09f0-11de-af9f-000c6ea42f92}]
\Shell\AuTopLay\commanD - G:\bdllsn.cmd
\Shell\AutoRun\command - G:\bdllsn.cmd
\Shell\eXPLore\CoMManD - G:\bdllsn.cmd
\Shell\OpEn\commaNd - G:\bdllsn.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{828e581f-0589-11de-af92-000c6ea42f92}]
\SHELl\AutOPLay\cOMmand - G:\rsok.pif
\SHELl\AutoRun\command - G:\rsok.pif
\SHELl\ExPlORe\ComMand - G:\rsok.pif
\SHELl\open\COmmand - G:\rsok.pif

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eea433a6-032d-11de-af8f-000c6ea42f92}]
\Shell\AutoRun\command - G:\kt9.com
\Shell\open\Command - G:\kt9.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eea433a7-032d-11de-af8f-000c6ea42f92}]
\Shell\AUToPlAy\coMmand - G:\lqhts.exe
\Shell\AutoRun\command - G:\lqhts.exe
\Shell\ExPlORE\COmMand - G:\lqhts.exe
\Shell\opeN\CoMmand - G:\lqhts.exe
.
Contents of the 'Scheduled Tasks' folder

2009-03-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1757981266-839522115-725345543-1003.job
- c:\documents and settings\n\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-03-11 17:41]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-D32 Initiation - c:\program files\D32\D32Ini.exe
MSConfigStartUp-mtd2002Svr - c:\program files\mtd2002\mtdserver.exe
MSConfigStartUp-Device Detector - DevDetect.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-14 17:47:47
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hmnqlfxnm]
"ServiceDll"="c:\windows\system32\gmqhf.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(632)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-03-14 17:50:05
ComboFix-quarantined-files.txt 2009-03-14 10:50:00

Pre-Run: 12,545,941,504 bytes free
Post-Run: 12,663,603,200 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

280
Attached Files
File Type: txt combofix.txt (13.5 KB, 3 views)
03-14-2009, 06:13 PM   #4
Billy O'Neal (Analyst, Security Team)
Join Date: Aug 2008
Location: Northfield, Ohio, United States
Posts: 1,690
OS: XPSP3, Vista Ultimate SP1, Ubuntu Server

Re: Tough little virus

Hello, billermo
We need to re-run ComboFix with some additional directives.
  1. Please disable any running anti-virus programs.
    If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/topic114351.html
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  4. Open notepad and copy/paste the text in the quotebox below into it:
    Code:
    driver::
    hmnqlfxnm
    abp470n5
    netsvc::
    hmnqlfxnm
    file::
    G:\bdllsn.cmd
    G:\lqhts.exe
    G:\kt9.com
    G:\rsok.pif
    registry::
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{62441a88-09f0-11de-af9f-000c6ea42f92}]
    [-HKEY_CLASSES_ROOT\CLSID\{62441a88-09f0-11de-af9f-000c6ea42f92}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{828e581f-0589-11de-af92-000c6ea42f92}]
    [-HKEY_CLASSES_ROOT\CLSID\{828e581f-0589-11de-af92-000c6ea42f92}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eea433a6-032d-11de-af8f-000c6ea42f92}]
    [-HKEY_CLASSES_ROOT\CLSID\{eea433a6-032d-11de-af8f-000c6ea42f92}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eea433a7-032d-11de-af8f-000c6ea42f92}]
    [-HKEY_CLASSES_ROOT\CLSID\{eea433a7-032d-11de-af8f-000c6ea42f92}]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "wuauserv"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UacDisableNotify"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
    "UacDisableNotify"=-
    [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv]
    "Start"=dword:2
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "6801:TCP"=-
  5. Save this as CFScript.txt, in the same location as ComboFix.exe

  6. Referring to the picture above, drag CFScript into ComboFix.exe
  7. When finished, it shall produce a log for you at "C:\ComboFix.txt". Please copy and paste that report here.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

In your next reply, please include the following:
  • ComboFix.txt

Billy3
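The ComboFix log in reply #3 and the CFScript in reply #4 line up almost one-to-one: the mountpoints2 keys whose Shell commands launch files from G: (several with case-mangled subkey names such as AuTopLay and commanD) become the registry:: deletions and the file:: list; the service hmnqlfxnm, hosted by svchost.exe, listed under NetSvcs and backed by gmqhf.dll (which the DDS log in post #1 shows with the system, hidden and read-only attributes), becomes the driver:: and netsvc:: entries; and the opened port 6801/TCP becomes the last registry:: entry. The Python below is an added example, not part of the thread and not ComboFix's own code: it applies those heuristics to a constructed log excerpt assembled from lines in this thread and renders the matching directives. The risky-extension list, the case-mangling test, the svchost/NetSvcs rule and the decision to leave G:\LaunchU3.exe (the U3 launcher some USB drives ship with) marked for review rather than deleted, as the thread's script also left the G key alone, are this example's own assumptions.

```python
"""Triage a ComboFix-style log and derive CFScript directives from the findings.
Added example, not ComboFix's code: SAMPLE_LOG is a constructed excerpt built from
lines in this thread; the heuristics and the script builder are assumptions."""
import re
from collections import namedtuple

SAMPLE_LOG = r"""[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6801:TCP"= 6801:TCP:celhw

R2 hmnqlfxnm;Driver Manager;c:\windows\system32\svchost.exe [2004-08-03 14336]
R3 abp470n5;abp470n5; [x]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-03-12 298264]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
hmnqlfxnm

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{62441a88-09f0-11de-af9f-000c6ea42f92}]
\Shell\AuTopLay\commanD - G:\bdllsn.cmd
\Shell\AutoRun\command - G:\bdllsn.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eea433a6-032d-11de-af8f-000c6ea42f92}]
\Shell\open\Command - G:\kt9.com

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hmnqlfxnm]
"ServiceDll"="c:\windows\system32\gmqhf.dll"
"""

RISKY_EXT = {".cmd", ".pif", ".com", ".bat", ".scr"}
# Canonical Shell subkey names: a segment that matches one case-insensitively but
# is written in none of the exact / all-lower / all-upper forms counts as mangled.
CANON = {"shell": "Shell", "autorun": "AutoRun", "autoplay": "AutoPlay",
         "open": "Open", "explore": "Explore", "command": "Command"}
SERVICE_RE = re.compile(r"^[RS]\d+ ([^;]+);[^;]*;\s*(.*?)\s*\[([^\]]*)\]$")
SHELL_RE = re.compile(r"^\\(\S+) - (.+)$")
GUID_RE = re.compile(r"(\{[0-9a-f-]{36}\})$", re.I)
# kind: mountpoint | service | netsvc | port.  severity "high" goes into the
# script, "review" is left to a human.  key: registry key, service name or port.
Finding = namedtuple("Finding", "kind severity key detail")


def _mangled(seg):
    canon = CANON.get(seg.lower())
    return canon is not None and seg not in (canon, canon.lower(), canon.upper())


def triage(text):
    """One pass over the log; a blank line ends the current registry section."""
    findings, services, netsvcs, dlls = [], [], [], {}
    section, in_netsvcs = "", False
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            section, in_netsvcs = "", False
        elif line.endswith("Svchost - NetSvcs"):
            in_netsvcs = True
        elif in_netsvcs:
            netsvcs.append(line)
        elif line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif "\\mountpoints2\\" in section.lower() and (m := SHELL_RE.match(line)):
            subkey, command = m.groups()
            target = command.split()[0]               # drop arguments such as "-a"
            ext = target[target.rfind("."):].lower() if "." in target else ""
            risky = ext in RISKY_EXT or any(_mangled(s) for s in subkey.split("\\"))
            findings.append(Finding("mountpoint", "high" if risky else "review",
                                    section, target))
        elif section.lower().endswith("globallyopenports\\list"):
            findings.append(Finding("port", "high", section,
                                    line.split("=")[0].strip('"')))
        elif line.startswith('"ServiceDll"'):
            dlls[section.rsplit("\\", 1)[-1]] = line.split("=", 1)[1].strip('"')
        elif m := SERVICE_RE.match(line):
            services.append(m.groups())
    # Service lines precede the NetSvcs list, so judge them after the pass: flag a
    # service whose file is missing ([x]) or one that svchost.exe hosts and the log
    # lists under NetSvcs (a DLL running inside a trusted Windows host process).
    for name, path, stamp in services:
        hosted = path.lower().endswith("\\svchost.exe") and name in netsvcs
        if stamp == "x" or hosted:
            findings.append(Finding("netsvc" if hosted else "service", "high", name,
                                    dlls.get(name, path or "(file missing)")))
    return findings


def build_cfscript(findings):
    """Render the 'high' findings in the directive layout of the thread's CFScript."""
    drivers = [f.key for f in findings if f.kind in ("service", "netsvc")]
    bad = [f for f in findings if f.kind == "mountpoint" and f.severity == "high"]
    keys = list(dict.fromkeys(f.key for f in bad))           # de-duplicate, keep order
    lines = ["driver::", *drivers,
             "netsvc::", *[f.key for f in findings if f.kind == "netsvc"],
             "file::", *dict.fromkeys(f.detail for f in bad), "registry::"]
    for key in keys:
        lines.append(f"[-{key}]")
        if m := GUID_RE.search(key):   # the thread's fix also drops the CLSID twin
            lines.append(f"[-HKEY_CLASSES_ROOT\\CLSID\\{m.group(1)}]")
    for f in findings:
        if f.kind == "port":
            lines += [f"[{f.key}]", f'"{f.detail}"=-']
    return "\n".join(lines)
```

Running triage(SAMPLE_LOG) and then build_cfscript on the result reproduces the driver::, netsvc::, file:: and registry:: blocks of reply #4 for the entries in the excerpt; the entry for the G key comes back as "review" and is left out of the script on purpose. The Security Center, policy and firewall keys that the thread corrected by hand are deliberately not generated here, since whether to reset them is a judgement about the machine rather than something a log line settles.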
03-15-2009, 09:20 PM   #5
billermo (Registered User)
Join Date: Aug 2007
Posts: 162
OS: Win XP

Re: Tough little virus

OK I just ran it. Here is the ComboFix.txt file....
Attached Files
File Type: txt ComboFix.txt (12.4 KB, 6 views)

03-15-2009, 09:27 PM   #6
Billy O'Neal (Analyst, Security Team)
Join Date: Aug 2008
Location: Northfield, Ohio, United States
Posts: 1,690
OS: XPSP3, Vista Ultimate SP1, Ubuntu Server

Re: Tough little virus

Hello, billermo
Infection appears to be taken care of -- however this machine does have a LOT of damage. In particular, the Windows Management Instrumentation service is failing to start -- upon which other major parts of Windows depend.

Please give the WMI repair instructions listed here a shot. Let me know if you run into any problems with those instructions -> http://windowsxp.mvps.org/repairwmi.htm

Billy3
03-15-2009, 09:42 PM   #7
billermo (Registered User)
Join Date: Aug 2007
Posts: 162
OS: Win XP

Re: Tough little virus

I got as far as running the VBS script that diagnoses whatever problems there are. I'll attach that file. I have to admit that it's not clear to me what to do next. I noticed the warning that Windows Firewall was off, so I turned that one back on.

By the way, in layman's terms, what is WMI?

THANKS for helping me get rid of that virus!

03-15-2009, 10:47 PM   #8
Billy O'Neal (Analyst, Security Team)
Join Date: Aug 2008
Location: Northfield, Ohio, United States
Posts: 1,690
OS: XPSP3, Vista Ultimate SP1, Ubuntu Server

Re: Tough little virus

Hello, billermo
We need to execute a Batch File
  1. Go to Start -> Run, and type "notepad" into the box.
  2. Press ok.
  3. Copy and paste the following code into notepad:
    Code:
    WMIDiag CheckConsistency
    shutdown -r -f -t 00
  4. Go to File -> Save
  5. To the right of "Save as Type:" in the bottom of the window, change the ComboBox to "All Files"
  6. Enter fix.bat into the "File name:" box just above the "Save as Type" box.
  7. Double click fix.bat on your desktop.

Billy3
03-16-2009, 04:46 AM   #9
billermo (Registered User)
Join Date: Aug 2007
Posts: 162
OS: Win XP

Re: Tough little virus

OK, I've just done that.

Are there more steps for me to do after this? Was that like the name of the file suggests, a fix to the problem? Or just one step?

Anyway, thanks again!
03-16-2009, 04:55 AM   #10
billermo (Registered User)
Join Date: Aug 2007
Posts: 162
OS: Win XP

Re: Tough little virus

Just in case, I ran the WMI Diagnosis script again.

Here is the new log file it produced.
03-16-2009, 01:25 PM   #11
Billy O'Neal (Analyst, Security Team)
Join Date: Aug 2008
Location: Northfield, Ohio, United States
Posts: 1,690
OS: XPSP3, Vista Ultimate SP1, Ubuntu Server

Re: Tough little virus

Hello, billermo
To be honest -- at this point I'm not entirely sure what the problem is.
You should start another thread over here if you're still having issues:
http://www.techsupportforum.com/micr...ws-xp-support/

They know more about general software diagnosis than I do. I've honestly got no idea how to repair this issue.

Congratulations! You now appear clean!

Are things running okay? Do you have any more questions?

System Still Slow?
You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve performance.
If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware
We Need to Remove ComboFix
  1. Please go to Start -> Run
  2. Enter "ComboFix /u" (without quotes). Note the space between "ComboFix" and "/u", it needs to be there.
  3. Press OK (Or hit enter).
  4. Allow ComboFix to remove itself.

We Need to Clean Up Our Mess
  1. Please download OTCleanIt from one of the following mirrors and save it to your desktop:
  2. Double click the icon.
  3. Push the large "Cleanup" button.
  4. Allow your system to reboot.

Recommendations
Below are some recommendations to lower your chances of (re)infection.
  1. Install Spyware Blaster and update it regularly
    If you wish, the commercial version provides automatic updating.
  2. Install the MVPs hosts file, and update it regularly
    You can use the HostMan host file manager to do this automatically if you wish.
    For more information on the hosts file, and what it can do for you, you can view the Tutorial on the Hosts file
  3. Install an Anti-Spyware program, and update it regularly
    Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
    SUPERAntiSpyware is another good scanner with high detection and removal rates.
    Both programs are free for non-commercial home use but provide a resident and do not nag if you purchase the paid versions.
  4. Keep Windows (and your other Microsoft software) up to date!
    I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

    If you are using Windows XP or earlier
    Visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

    If you are using Windows Vista
    1. Click the "Start Menu" (or Windows Orb)
    2. Click "All Programs"
    3. Click "Windows Update"
    4. On the left, choose "Change Settings"
    5. Ensure that the checkbox "Use Microsoft Update" at the bottom of the window is checked.
    6. Press OK and accept the UAC prompt.
      Note: You shouldn't need to check this checkbox every single time you update, only the first time.
    7. Click "Check for Updates" in the upper left corner.
    8. Follow the instructions to install the latest updates.
    9. Reboot and repeat the "Check for Updates" until there are no more critical updates to install
  5. Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.
  6. Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :(.

Billy3
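The hosts file recommended in reply #11 works by mapping unwanted names to a non-routable address so the browser never reaches them, and editing that same file is one way an infection can stop security tools from updating: the only difference is which names are mapped and where they point. As an added example that is not part of the thread and not the MVPs hosts file or HostMan, the Python below classifies every mapping in a constructed hosts file as an ordinary block (sinkhole address, unremarkable name), a suspicious block (a security or update domain sent to the sinkhole) or a redirection (a name sent to a routable address). The sinkhole set, the protected-suffix list and the sample file are this example's assumptions, and 192.0.2.44 is a documentation address, not a real server.

```python
"""Classify hosts-file entries as blocks, vendor blocks or redirections.
Added example, not from the thread or the MVPs hosts file: SAMPLE_HOSTS, the
sinkhole set and the protected-suffix list are constructed assumptions."""
import ipaddress

SINKHOLES = {"0.0.0.0", "127.0.0.1", "::1"}   # where a blocking hosts file points names
# Domains an infection would want to block or redirect; constructed for the example.
PROTECTED = ("windowsupdate.com", "update.microsoft.com", "avg.com",
             "malwarebytes.org", "superantispyware.com")

SAMPLE_HOSTS = """\
# constructed sample, not a real hosts file
127.0.0.1       localhost
0.0.0.0         ad.doubleclick.net          # ordinary MVPs-style block entry
0.0.0.0         www.some-ad-server.example
192.0.2.44      update.microsoft.com        # routable address: Windows Update redirected
192.0.2.44      www.avg.com free.avg.com
127.0.0.1       www.malwarebytes.org        # a vendor sent to the sinkhole
"""


def _protected(name):
    return any(name == s or name.endswith("." + s) for s in PROTECTED)


def classify(text):
    """Return (severity, verdict, address, name) for every mapping in the file."""
    out = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()     # drop comments, then whitespace-split
        if len(fields) < 2:
            continue
        addr, names = fields[0], [n.lower() for n in fields[1:]]
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            out.append(("review", "malformed", addr, " ".join(names)))
            continue
        for name in names:
            if name == "localhost":
                continue
            if addr in SINKHOLES:
                # Blocking an ad server is the point; blocking a security vendor is not.
                out.append(("high" if _protected(name) else "ok", "blocked", addr, name))
            else:
                # Any mapping to a routable address overrides DNS for that name.
                out.append(("high" if _protected(name) else "review", "redirected", addr, name))
    return out


def suspicious(text):
    """Only the entries that would stop updates or steer a protected name elsewhere."""
    return [f for f in classify(text) if f[0] == "high"]


if __name__ == "__main__":
    for sev, verdict, addr, name in classify(SAMPLE_HOSTS):
        print(f"{sev:6} {verdict:10} {addr:15} {name}")
```

On a real machine the file to read is %SystemRoot%\system32\drivers\etc\hosts; entries marked "ok" are what the MVPs file is supposed to add, anything marked "high" is worth checking before trusting that an update client or scanner is reaching its vendor.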
03-16-2009, 09:49 PM   #12
billermo (Registered User)
Join Date: Aug 2007
Posts: 162
OS: Win XP

Re: Tough little virus

OK thanks.

I successfully removed ComboFix, and went and posted this question about WMI over in that other thread.

Thanks again