nothing worked!

[ehajek]

Original thread

help! my computer is infected!

So, I tried doing all the preliminary steps and nothing worked. When I tried uninstalling one of my anti-viruses (spyware doctor) the little icon of security system version 4.51 said that " unins000.exe is infected " and it would not let me uninstall the spyware let alone even open it. Then, when I tried to uninstall limewire the same icon said that " A~NSISu_.exe is infected " and once more would not let me uninstall it or open it.

I decided to go to the next step by getting DDS and running it so I could should you the text and whatnot. But, once I had saved it to my desktop and tried opening it, the system secrurity bug told me that " dds.scr is infected " and would not open it or run it. When I tried the other DDS, the same thing happened. Then, when I saved GMER to my desktop and extracted the files onto my desktop also, once more the icon would not open it or run it saying that " gmer.exe is infected ".

My computer seems to not let me into anything that may lead me to deleting the virus or getting into my system to get my anti-virus to delete it. I cannot even run things that would tell me about my system. This is getting absolutely ridiculous and I'm very hopeless at the momment...

Please help!

[amateur]

Hello and welcome to TSF.

Please try to rename DDS.scr (right click and rename) to DDS.com and see if it will run. If not, try this tool:

• Download RSIT by random/random and save it to your desktop.
• Double click RSIT.exe to start the tool and click Continue at the disclaimer.
• When the scan completes it will open a log named log.txt maximized, and a log named info.txt minimized.
• Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of log.txt here.
  
• Please attach info.txt to your post.

To attach a file to a new post, simply

1. Click the[Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
2. copy and paste the following into the "Upload File from your Computer" box:

   C:\rsit\info.txt
   

3. Click Upload.

================

And for GMER, try this version please:

Download GMER Rootkit Scanner from here to your desktop.

• Double click the exe file. If asked to allow gmer.sys driver to load, please consent .
• If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  
  
  
  Click the image to enlarge it
  
  
  
• In the right panel, you will see several boxes that have been checked. Uncheck the following ...
  • Sections
  • IAT/EAT
  • Drives/Partition other than Systemdrive (typically C:\)
  • Show All (don't miss this one)
• Then click the Scan button & wait for it to finish.
• Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  
• Save it where you can easily find it, such as your desktop, and post it in reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

[ehajek]

its is still not working... nothing will open. for the DDS, it opened briefly but then closed again and would not open. I tried it a couple of times and it is still not working...

[amateur]

Hi,

Are you able to boot into Safe Mode?

1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
Look in here for
more information.

If you're able, try running them in Safe Mode.

If not, please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  
• Double click on ComboFix.exe & follow the prompts.
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

# Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
-----------------------------------
Note: Please make sure that your AntiVirus and AntiSpyware applications are re-enabled. A reboot should have done this.

How to disable your security applications

[ehajek]

When I tried to reboot in safe mode and pessed F8 nothing happened so I tried to do what you said: to try and disable any anti-viruses and anti-spyware applications and run ComboFix anyway. Well, it didn't work as I could not access my anti-viruses and anti-spyware because of the virus. Also, Combo Fix wouldn't open because the virus won't let anything open at all (I can only use the internet... I can't get to any of my configurations or even my Word files). It just keeps saying that everything is infected and that the application could not be executed..

[amateur]

Click the Windows 'Start' button > Select 'Run' - then copy/paste this into the run box & click OK

"%userprofile%\desktop\combofix.exe"

[ehajek]

I copy pasted the link into 'run' and the box which asks me if I want to run or save the program pops up but once I press run nothing happens and the little virus icon on the bottom of my screennext to the time says "application cannot be executed.ComboFix.exe is infected".

[amateur]

Since you have internet access, please try this online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:

• Close any open programs
• Turn off the real time scanner of any existing antivirus program while performing the online scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.

• Click Run at the Security prompt.
• The program will then begin downloading and installing and will also update the database.
• Please be patient as this can take several minutes.
• Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
• Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
• Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
• Click View scan report at the bottom.
• Click the Save Report As... button.
• Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

[ehajek]

I tried doing the scan but then the virus blocked Java so I could not press accept. I decided to try and download Java again to see if it would work but then the Java site said that they encountered a problem when they tried to automatically install java on the computer. When all this was happening the virus kept telling me that the actions were imposible to execute and that everything was "infected". It's as if anything that needs to execute will get blocked except for the internet.

[amateur]

Hi,

I am not very hopeful, but let's try if you can do a system restore to a date before this started.

Start>All Programs>Accessories>SystemTools>System Restore.

If you are not able to navigate,

Open the Task Manager (Ctrl-Alt-Del) and click File > New Task and then type the following command then click OK.

%systemroot%\system32\restore\rstrui.exe

This should open the system restore wizard.

If Task Manager is disabled:

Press the Windows key + R key (or, click Start>Run). That will bring up the Run Window. Type (or copy and paste)

%SystemRoot%\System32\restore\rstrui.exe

[amateur]

Hi,

I have been consulting my colleagues and have received some valuable suggestions.

Let's try these and see if we can get some logs to work with.

Please rename Combofix.exe as Svchost.exe (right click on Combofix.exe and click rename) and see if it runs now. If successful, please post the log it produces.

If not successful, we would like you try a few things and let us know:

1. Please let us know if you can access the Device Manager.

Right click on My Computer>Properties>Hardware>Device Manager.

2. Click Start>Run and type in regedit and click OK. Does that bring up the Registry Editor? Don't do anything there yet, just exit and let us know.

3. Click Start>Run and type in C:\Windows\System32\cmd.exe and click OK. Does that bring up the DOS command window? If successful, just type Exit and press OK and let us know.

If not, try this:

Click Start>Run and type in C:\Windows\System32\command.com and let me know. Don't do anything yet, just type Exit and press enter to exit it and let us know.

[ehajek]

Hi, sorry about the delay. I tried everything you suggested and still nothing will open. I was able to go into safe mode the other day ( I retried as I was getting quite desperate for the computer to run ) but unfortunately when I got into the system to delete the false security system by removing it from the computer once into normal mode, it reappeared. So, still no developments.

[amateur]

Have you seen my post above, post #11?

Quote:

Please rename Combofix.exe as Svchost.exe (right click on Combofix.exe and click rename) and see if it runs now. If successful, please post the log it produces.

If not successful, we would like you try a few things and let us know:

1. Please let us know if you can access the Device Manager.

Right click on My Computer>Properties>Hardware>Device Manager.

2. Click Start>Run and type in regedit and click OK. Does that bring up the Registry Editor? Don't do anything there yet, just exit and let us know.

3. Click Start>Run and type in C:\Windows\System32\cmd.exe and click OK. Does that bring up the DOS command window? If successful, just type Exit and press OK and let us know.

If not, try this:

Click Start>Run and type in C:\Windows\System32\command.com and let me know. Don't do anything yet, just type Exit and press enter to exit it and let us know.

Or, were you not able to access the Device Manager, the Registry Editor or the DOS command window?

If so,

• Please download this tool and save it to your desktop.
• Right click on Fixswen.inf and click Install

Try running Combofix now and post the log it produces.

[amateur]

Hi,

Please skip all previous instructions.

Download this file to your desktop and double click on it. (Many thanks to sUBs, the author of Combofix. )

Combofix should run now. Please follow the previous instructions for running Combofix and post its log.

[ehajek]

yay! it worked! however, i had to run it with my antivirus on because i couldn't turn it off. anyways, it seems to have gotten rid of the security system but i will still post the log it gave me in a post after this. thank you sooo much! :)

[ehajek]

ComboFix 09-05-17.08 - Emilie 21/05/2009 11:04.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.270 [GMT -4:00]
Running from: c:\documents and settings\Emilie\Desktop\Svchost.exe.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\bold.log
c:\documents and settings\Emilie\Start Menu\Programs\System Security
c:\documents and settings\Emilie\Start Menu\Programs\System Security\System Security 2009 Support.lnk
c:\documents and settings\Emilie\Start Menu\Programs\System Security\System Security 2009.lnk
c:\windows\system32\5Br31hOX.exe.a_a
c:\windows\system32\LWDNAv0D.exe.a_a

.
((((((((((((((((((((((((( Files Created from 2009-04-21 to 2009-05-21 )))))))))))))))))))))))))))))))
.

2009-05-19 22:39 . 2009-05-21 14:56 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft
2009-05-18 02:12 . 2008-12-18 16:16 73840 ----a-w c:\windows\system32\drivers\PCTAppEvent.sys
2009-05-18 02:12 . 2009-03-06 20:45 130424 ----a-w c:\windows\system32\drivers\PCTCore.sys
2009-05-18 02:12 . 2009-05-20 16:00 -------- d-----w c:\program files\Common Files\PC Tools
2009-05-18 01:54 . 2009-05-18 01:54 11952 ----a-w c:\windows\system32\avgrsstx.dll
2009-05-18 01:54 . 2009-05-18 01:54 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-05-18 01:54 . 2009-05-18 01:54 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-05-18 01:54 . 2009-05-18 01:54 -------- d-----w c:\windows\system32\drivers\Avg
2009-05-18 01:54 . 2009-05-18 02:02 -------- d-----w c:\documents and settings\Emilie\Application Data\AVGTOOLBAR
2009-05-18 01:54 . 2009-05-18 01:54 -------- d-----w c:\program files\AVG
2009-05-18 01:54 . 2009-05-21 14:55 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-05-18 01:40 . 2009-05-18 01:40 -------- d-----w c:\documents and settings\All Users\Application Data\12037814
2009-05-11 12:52 . 2009-05-11 12:52 -------- d-----w c:\documents and settings\Emilie\Saved Games
2009-05-11 12:52 . 2009-05-11 12:52 -------- d-----w c:\documents and settings\Emilie\Local Settings\Application Data\Oberon Games
2009-05-03 20:57 . 2009-05-20 15:59 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-05-03 20:57 . 2009-05-03 20:57 -------- d-----w c:\program files\Oberon Media
2009-05-03 20:57 . 2009-05-03 20:57 -------- d-----w c:\program files\MSN Games

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-19 23:32 . 2008-10-24 15:49 -------- d-----w c:\program files\LimeWire
2009-05-19 23:30 . 2008-10-24 15:54 -------- d-----w c:\program files\Incomplete
2009-05-18 20:02 . 2009-05-18 20:02 0 ----a-w c:\windows\system32\drivers\is-DDGST.tmp
2009-03-06 14:22 . 2003-03-31 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2003-03-31 12:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2008-02-19 15:14 78336 ----a-w c:\windows\system32\ieencode.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-10-02 20:44 325000 ----a-w c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-10-02 325000]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-10-02 325000]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-04 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"NeroCheck"="c:\windows\system32\\NeroCheck.exe" [2001-07-09 155648]
"Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\SSMMgr.exe" [2008-02-25 536576]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-10-24 136600]
"SSA.exe"="c:\program files\Bell\Sympatico Security Advisor\SSA.exe" [2007-03-27 2061816]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"12037814"="c:\documents and settings\All Users\Application Data\12037814\12037814.exe" [2009-05-18 355365]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-18 1947928]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-12-05 1626112]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-18 01:54 11952 ----a-w c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:TCP"= 443:TCP:HTTPS
"21:TCP"= 21:TCP:FTP
"80:UDP"= 80:UDP:HTTP
"443:UDP"= 443:UDP:HTTPS
"21:UDP"= 21:UDP:FTP
"1834:UDP"= 1834:UDP:Windows Media Format SDK (iexplore.exe)
"1835:UDP"= 1835:UDP:Windows Media Format SDK (iexplore.exe)
"1836:UDP"= 1836:UDP:Windows Media Format SDK (iexplore.exe)

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [17/05/2009 9:54 PM 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [17/05/2009 9:54 PM 108552]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [17/05/2009 9:54 PM 298776]
S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-05-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.lush.ca/shop/english
IE: E&xporter vers Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {930F32F3-E16A-4A7A-80C7-91D8BA0671CB} = 207.164.234.129 207.164.234.193
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-21 11:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-05-21 11:07
ComboFix-quarantined-files.txt 2009-05-21 15:07

Pre-Run: 32,854,331,392 bytes free
Post-Run: 33,273,004,032 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

138 --- E O F --- 2009-05-13 07:01

[sUBs]

You are using an old copy of ComboFix. It gets updated several times a day. Your infection is still present & will reappear in next boot. Please download/run a fresh copy of ComboFix.

[ehajek]

where can I get a fresh copy of combofix? do I click on the link that was sent to me again?

[amateur]

Hi,

Yay!!!!.... finally.

Quote:

thank you sooo much!

The credit is to sUBs, the author of Combofix.


It should ask you if you want to update Combofix when you double click on it. Please allow it. If it doesn't, delete that copy and download a fresh one from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  
• Double click on ComboFix.exe & follow the prompts.

[ehajek]

i tried disabling my antispyware applications by clicking with the right click but i couldn't figure out how to do it. do i have to go into properties?