Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
07-09-2009, 02:56 PM   #1
Registered User
Join Date: Jul 2009
Posts: 52
OS: Vista Home Premium

Unknown virus; Weird symptoms... TDSS rootkit variant?

Hello all, Here I go posting again.. This time the right way...

I have been helped a little bit before, but the problem still hasn't been resolved (in another forum completely). I was told it's a nasty one - a TDSS rootkit variant, I believe I was told. Seems to have something to do with hidden files like MSDVX or something of the sort. I know my registry is most likely infected, but no clue where to look. Antivirus programs keep detecting the same infections over and over again. I experience a few symptoms:
- Minor slowdowns; computer performance is decent considering my laptop is infected
- I can't uninstall programs, be it by the uninstaller that came with the installed program, or by the control panel (there's no uninstall/change button)
- I can't copy files to a DVD (nothing happens when I hit burn files to a DVD [using autorun options])
- Certain programs won't run unless I change their names to winlogon.exe or something of the sort; MBA-M doesn't run anymore at all, but it did before...
- That's most of it...

Here's a few more details that might be good to know: I'm running Vista Home Premium on an HP Pavilion laptop, I got the virus July 2nd [from malicious software], not an expert with computers...

Now for the DDS.txt log:

DDS (Ver_09-06-26.01) - NTFSx86
Run by User at 10:57:10.46 on 09/07/2009
Internet Explorer: 8.0.6001.18783 BrowserJavaVersion: 1.6.0_13
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.2.1033.18.2813.1894 [GMT -4:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k NetworkService
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_a7e996cd\STacSV.exe
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\Hpservice.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Autodesk\3ds Max 2010\mentalray\satellite\raysat_3dsmax2010_32server.exe
c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
C:\Windows\SMINST\BLService.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\PROGRA~1\SPEEDB~1\VideoAcceleratorService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\PROGRA~1\SPEEDB~1\VideoAcceleratorEngine.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\User\Desktop\TechSupport\dds.scr
C:\Windows\system32\conime.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: HP Print Clips: {053f9267-dc04-4294-a72c-58f732d338c0} - c:\program files\hp\smart web printing\hpswp_framework.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\winlogon.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [OnScreenDisplay] c:\program files\hewlett-packard\hp quicktouch\HPKBDAPP.exe
mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [SpeedBitVideoAccelerator] "c:\program files\speedbit video accelerator\VideoAccelerator.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\user\appdata\roaming\mozilla\firefox\profiles\4a4ha8ci.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R0 Amddfltr;Amd Disk Lower Filter Driver;c:\windows\system32\drivers\Amddfltr.sys [2008-7-28 15416]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-7-5 130936]
R1 hwinterface;hwinterface;c:\windows\system32\drivers\hwinterface.sys [2009-5-26 3026]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-6-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-6-23 72944]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-5-15 176128]
R2 hpsrv;HP Service;c:\windows\system32\hpservice.exe [2008-3-18 24880]
R2 mi-raysat_3dsmax2010_32;mental ray 3.7 Satellite for Autodesk 3ds Max 2010 32-bit 32-bit;c:\program files\autodesk\3ds max 2010\mentalray\satellite\raysat_3dsmax2010_32server.exe [2009-3-12 86016]
R2 Recovery Service for Windows;Recovery Service for Windows;c:\windows\sminst\BLService.exe [2008-5-28 341328]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-7-5 348752]
R2 VideoAcceleratorService;VideoAcceleratorService;c:\progra~1\speedb~1\videoacceleratorservice.exe -start -scm --> c:\progra~1\speedb~1\VideoAcceleratorService.exe -start -scm [?]
R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2008-5-27 193840]
R3 enecir;ENE CIR Receiver;c:\windows\system32\drivers\enecir.sys [2008-1-23 52736]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-6-23 7408]
S4 AESTFilters;AESTFilters;c:\windows\system32\driverstore\filerepository\stwrt.inf_f691e717\AEstSrv.exe [2008-7-28 73728]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2008-7-10 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [2008-7-10 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2008-7-10 369688]

=============== Created Last 30 ================

2009-07-08 19:19 <DIR> --d----- c:\program files\ESET
2009-07-07 00:02 <DIR> --d----- c:\programdata\Norton
2009-07-07 00:02 <DIR> --d----- c:\progra~2\Norton
2009-07-06 23:58 <DIR> --d----- c:\programdata\NortonInstaller
2009-07-06 23:58 <DIR> --d----- c:\progra~2\NortonInstaller
2009-07-06 23:38 <DIR> --d----- c:\users\user\appdata\roaming\GetRightToGo
2009-07-06 23:25 <DIR> --d----- c:\programdata\SUPERAntiSpyware.com
2009-07-06 23:25 <DIR> --d----- c:\progra~2\SUPERAntiSpyware.com
2009-07-06 23:24 <DIR> --d----- c:\users\user\appdata\roaming\SUPERAntiSpyware.com
2009-07-06 23:24 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-07-06 21:41 <DIR> --d----- c:\users\user\appdata\roaming\Malwarebytes
2009-07-06 16:53 691 a------- c:\users\user\appdata\roaming\GetValue.vbs
2009-07-06 16:53 35 a------- c:\users\user\appdata\roaming\SetValue.bat
2009-07-06 15:46 5,450 a------- c:\windows\system32\tmp.reg
2009-07-05 23:02 121 a------- c:\windows\bdagent.INI
2009-07-05 13:32 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-07-05 13:31 130,936 a------- c:\windows\system32\drivers\PCTCore.sys
2009-07-05 13:31 73,840 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-07-05 13:31 <DIR> --d----- c:\program files\common files\PC Tools
2009-07-05 13:31 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-07-05 13:31 <DIR> --d----- c:\programdata\PC Tools
2009-07-05 13:31 <DIR> --d----- c:\program files\Spyware Doctor
2009-07-05 13:31 <DIR> --d----- c:\progra~2\PC Tools
2009-07-05 12:58 <DIR> --d----- c:\programdata\Kaspersky Lab Setup Files
2009-07-05 12:58 <DIR> --d----- c:\progra~2\Kaspersky Lab Setup Files
2009-07-05 09:18 <DIR> --d----- c:\program files\RegSpy
2009-07-04 17:17 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-04 17:17 <DIR> --d----- c:\programdata\Malwarebytes
2009-07-04 17:17 <DIR> --d----- c:\progra~2\Malwarebytes
2009-07-04 17:17 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-04 17:17 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-04 08:50 <DIR> --d----- C:\DVDVideoSoft
2009-07-03 17:25 81,984 a------- c:\windows\system32\bdod.bin
2009-07-03 17:17 850 a------- c:\windows\system32\ProductTweaks.xml
2009-07-03 17:17 385 a------- c:\windows\system32\user_gensett.xml
2009-07-03 17:09 <DIR> --d----- c:\program files\BitDefender
2009-07-03 15:37 2,927,104 a------- c:\windows\WinExplore.exe
2009-07-03 15:13 <DIR> --d----- C:\VundoFix Backups
2009-07-03 12:31 <DIR> --d----- C:\New Folder
2009-07-03 10:18 <DIR> --d----- C:\HijackThis
2009-07-02 23:03 <DIR> --d----- c:\program files\Trend Micro
2009-07-02 22:42 <DIR> --d----- c:\program files\CleanUp!
2009-07-02 22:15 <DIR> --d----- c:\users\user\appdata\roaming\Uniblue
2009-07-02 22:11 <DIR> --d----- c:\programdata\SecTaskMan
2009-07-02 22:11 <DIR> --d----- c:\progra~2\SecTaskMan
2009-07-02 22:11 <DIR> --d----- c:\program files\Security Task Manager
2009-07-02 15:22 <DIR> --d----- c:\program files\Pure Networks
2009-07-02 15:19 24,880 a------- c:\windows\system32\drivers\pnarp.sys
2009-07-02 15:19 26,416 a------- c:\windows\system32\drivers\purendis.sys
2009-07-02 13:17 1,638,912 a------- c:\windows\system32\mshtml.tlb
2009-07-02 13:17 71,680 a------- c:\windows\system32\iesetup.dll
2009-07-02 13:17 915,456 a------- c:\windows\system32\wininet.dll
2009-07-02 13:17 1,469,440 a------- c:\windows\system32\inetcpl.cpl
2009-07-02 12:03 1,753,088 a------- c:\windows\system32\ExGrid.dll
2009-07-02 12:03 <DIR> --d----- c:\program files\common files\eSellerate
2009-07-02 12:03 <DIR> --d----- c:\program files\AnswersThatWork
2009-06-30 23:54 102,400 a------- c:\windows\system32\tsccvid.dll
2009-06-29 22:26 <DIR> --d----- c:\program files\DivX
2009-06-29 16:50 <DIR> --d----- c:\program files\New Folder
2009-06-27 23:49 107,888 a------- c:\windows\system32\CmdLineExt.dll
2009-06-27 23:47 <DIR> --dsh--- c:\windows\ftpcache
2009-06-27 22:30 <DIR> --d----- c:\windows\system32\URTTEMP
2009-06-27 22:28 22,328 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-06-27 22:28 22,328 a------- c:\users\user\appdata\roaming\PnkBstrK.sys
2009-06-27 22:28 103,736 a------- c:\windows\system32\PnkBstrB.exe
2009-06-27 22:28 669,184 a------- c:\windows\system32\pbsvc.exe
2009-06-27 22:28 66,872 a------- c:\windows\system32\PnkBstrA.exe
2009-06-27 22:24 <DIR> --d----- c:\programdata\Media Center Programs
2009-06-27 22:24 <DIR> --d----- c:\progra~2\Media Center Programs
2009-06-27 20:50 <DIR> --d----- c:\programdata\DAEMON Tools Lite
2009-06-27 20:50 <DIR> --d----- c:\progra~2\DAEMON Tools Lite
2009-06-27 20:50 <DIR> --d----- c:\program files\DAEMON Tools Toolbar
2009-06-27 20:50 <DIR> --d----- c:\program files\DAEMON Tools Lite
2009-06-27 20:37 116,736 a------- c:\windows\system32\drivers\mcdbus.sys
2009-06-27 20:05 <DIR> --d----- c:\program files\MagicISO
2009-06-26 08:32 <DIR> --d----- c:\programdata\ATI
2009-06-25 00:38 1,196,032 a------- c:\windows\RtkUpd.exe
2009-06-25 00:38 2,172,416 a------- c:\windows\system32\RtkHDMI.dll
2009-06-25 00:38 694,784 a------- c:\windows\system32\RHDMIExt.dll
2009-06-25 00:38 143,328 a------- c:\windows\system32\drivers\RtHDMIV.sys
2009-06-25 00:37 42 a------- c:\windows\system32\DriverChecker.lie
2009-06-25 00:00 <DIR> --d----- C:\ATI
2009-06-24 23:56 <DIR> --d----- c:\program files\PC Drivers HeadQuarters
2009-06-23 10:57 2,297,552 a------- c:\windows\system32\d3dx9_26.dll
2009-06-23 01:58 <DIR> --d----- c:\users\user\appdata\roaming\Autodesk
2009-06-23 01:55 <DIR> --d----- c:\programdata\Big Fish Games
2009-06-23 01:55 <DIR> --d----- c:\progra~2\Big Fish Games
2009-06-23 01:53 <DIR> --d----- c:\programdata\Trymedia
2009-06-23 01:53 <DIR> --d----- c:\progra~2\Trymedia
2009-06-23 01:52 <DIR> --d----- c:\program files\Peggle
2009-06-23 01:51 <DIR> --d----- c:\programdata\FLEXnet
2009-06-23 01:45 <DIR> --d----- c:\program files\common files\Macrovision Shared
2009-06-23 01:43 <DIR> --d----- c:\program files\common files\Autodesk Shared
2009-06-23 01:41 <DIR> --d----- c:\programdata\Autodesk
2009-06-23 01:38 <DIR> --d----- c:\program files\Autodesk
2009-06-23 01:38 509,448 a------- c:\windows\system32\XAudio2_2.dll
2009-06-23 01:38 68,616 a------- c:\windows\system32\XAPOFX1_1.dll
2009-06-23 01:38 238,088 a------- c:\windows\system32\xactengine3_2.dll
2009-06-23 01:38 1,493,528 a------- c:\windows\system32\D3DCompiler_39.dll
2009-06-23 01:38 467,984 a------- c:\windows\system32\d3dx10_39.dll
2009-06-23 01:38 3,851,784 a------- c:\windows\system32\D3DX9_39.dll
2009-06-23 00:51 <DIR> --d----- c:\programdata\PopCap Games
2009-06-23 00:51 <DIR> --d----- c:\program files\PopCap Games
2009-06-23 00:51 <DIR> --d----- c:\progra~2\PopCap Games
2009-06-22 14:42 721,904 a------- c:\windows\system32\drivers\sptd.sys
2009-06-22 14:42 <DIR> --d----- c:\users\user\appdata\roaming\DAEMON Tools Lite
2009-06-21 23:06 <DIR> --d----- C:\C++ Without Fear
2009-06-20 23:34 <DIR> --d----- C:\C++ 3D Buzz
2009-06-14 22:38 428,544 a------- c:\windows\system32\EncDec.dll
2009-06-14 22:38 293,376 a------- c:\windows\system32\psisdecd.dll
2009-06-14 22:38 217,088 a------- c:\windows\system32\psisrndr.ax
2009-06-14 22:38 177,664 a------- c:\windows\system32\mpg2splt.ax
2009-06-14 22:38 80,896 a------- c:\windows\system32\MSNP.ax
2009-06-13 09:35 1,900,184 a------- c:\programdata\shs_setup_4056-345359.exe
2009-06-13 09:35 1,900,184 a------- c:\progra~2\shs_setup_4056-345359.exe
2009-06-12 18:36 <DIR> --d----- c:\programdata\Adobe Systems
2009-06-12 18:28 <DIR> --d----- c:\program files\common files\Adobe Systems Shared
2009-06-09 19:17 2,033,152 a------- c:\windows\system32\win32k.sys
2009-06-09 19:17 636,928 a------- c:\windows\system32\localspl.dll
2009-06-09 19:17 784,896 a------- c:\windows\system32\rpcrt4.dll

==================== Find3M ====================

2009-07-08 18:13 143,360 a------- c:\windows\inf\infstrng.dat
2009-07-08 18:13 86,016 a------- c:\windows\inf\infstor.dat
2009-07-08 18:13 51,200 a------- c:\windows\inf\infpub.dat
2009-07-04 21:06 8,224 a------- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-07-03 14:22 747,544 a------- c:\windows\system32\perfh00C.dat
2009-07-03 14:22 156,842 a------- c:\windows\system32\perfc00C.dat
2009-06-12 15:37 129,864 a---h--- c:\windows\system32\mlfcache.dat
2009-06-02 11:17 75,776 a------- c:\windows\system32\WS2Fix.exe
2009-05-26 11:50 3,026 a------- c:\windows\system32\drivers\hwinterface.sys
2009-05-24 22:45 17,408 a------- C:\psapi.dll
2009-05-24 22:34 737,280 a------- c:\windows\iun6002.exe
2009-05-16 00:01 4,933,632 a------- c:\windows\system32\drivers\atikmdag.sys
2009-05-15 23:24 442,368 a------- c:\windows\system32\ATIDEMGX.dll
2009-05-15 23:24 335,872 a------- c:\windows\system32\atieclxx.exe
2009-05-15 23:23 176,128 a------- c:\windows\system32\atiesrxx.exe
2009-05-15 23:22 159,744 a------- c:\windows\system32\atitmmxx.dll
2009-05-15 23:22 356,352 a------- c:\windows\system32\atipdlxx.dll
2009-05-15 23:22 278,528 a------- c:\windows\system32\Oemdspif.dll
2009-05-15 23:22 11,776 a------- c:\windows\system32\atimuixx.dll
2009-05-15 23:22 43,520 a------- c:\windows\system32\ati2edxx.dll
2009-05-15 23:19 2,411,008 a------- c:\windows\system32\atidxx32.dll
2009-05-15 23:08 3,064,832 a------- c:\windows\system32\atiumdag.dll
2009-05-15 22:53 2,847,744 a------- c:\windows\system32\atiumdva.dll
2009-05-15 22:42 51,712 a------- c:\windows\system32\atimpc32.dll
2009-05-15 22:42 51,712 a------- c:\windows\system32\amdpcom32.dll
2009-05-15 22:41 172,032 a------- c:\windows\system32\atiadlxx.dll
2009-05-15 22:40 11,376,640 a------- c:\windows\system32\atioglxx.dll
2009-05-15 22:27 53,248 a------- c:\windows\system32\drivers\ati2erec.dll
2009-05-15 22:00 53,248 a------- c:\windows\system32\aticalrt.dll
2009-05-15 22:00 53,248 a------- c:\windows\system32\aticalcl.dll
2009-05-15 21:59 3,174,400 a------- c:\windows\system32\aticaldd.dll
2009-05-10 15:24 34 a------- c:\users\user\jagex_runescape_preferences.dat
2009-05-05 15:33 118,784 a------- c:\windows\system32\atibtmon.exe
2009-04-23 15:04 189,051 a------- c:\windows\system32\atiicdxx.dat
2009-04-14 22:42 2,134,016 a------- c:\windows\system32\python26.dll
2008-08-31 15:54 665,600 a------- c:\windows\inf\drvindex.dat
2008-05-27 21:42 340,236 a------- c:\windows\inf\perflib\040c\perfi.dat
2008-05-27 21:42 340,236 a------- c:\windows\inf\perflib\040c\perfh.dat
2008-05-27 21:42 37,390 a------- c:\windows\inf\perflib\040c\perfd.dat
2008-05-27 21:42 37,390 a------- c:\windows\inf\perflib\040c\perfc.dat
2008-01-20 22:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2009-01-03 23:52 1,004 a--sh--- c:\windows\system32\sys_drv.dat

============= FINISH: 10:58:13.88 ===============


I thank anyone who tries to help in advance, and I understand that you guys have other cases to solve, even though I'm impatient. So take your time, but please hurry :P

Justin
Attached Files
File Type: zip Attach.zip (5.7 KB, 8 views)
JGagne is offline  
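The DDS log above is the kind of thing a helper reads by hand. As an added example (not from the thread, and not a DDS or forum tool), the following Python script parses the two DDS line formats shown above (the SERVICES / DRIVERS entries and the Created Last 30 / Find3M file entries) and pulls out the records a reviewer would check first against the July 2nd infection date the poster gives. The sample log embedded in it is a constructed excerpt modelled on the post's log, and the flagged items are triage cues to verify, not verdicts.

```python
"""Triage helper for DDS.txt-style logs (added example, not part of the thread)."""
import re
from datetime import date

# Constructed sample: a few lines in the shape of the DDS sections in the post,
# not the full log. Backslashes are kept literal via the raw string.
SAMPLE_LOG = r"""
============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-7-5 130936]
R1 hwinterface;hwinterface;c:\windows\system32\drivers\hwinterface.sys [2009-5-26 3026]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]

=============== Created Last 30 ================

2009-07-08 19:19 <DIR> --d----- c:\program files\ESET
2009-07-06 16:53 691 a------- c:\users\user\appdata\roaming\GetValue.vbs
2009-07-03 15:37 2,927,104 a------- c:\windows\WinExplore.exe
2009-07-02 13:17 915,456 a------- c:\windows\system32\wininet.dll
2009-06-27 23:47 <DIR> --dsh--- c:\windows\ftpcache
2009-06-09 19:17 2,033,152 a------- c:\windows\system32\win32k.sys

==================== Find3M ====================

2009-01-03 23:52 1,004 a--sh--- c:\windows\system32\sys_drv.dat
"""

# "YYYY-MM-DD HH:MM <size|<DIR>> <8 attribute flags> <path>"
FILE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>[a-z-]{8}) (?P<path>.+)$"
)
# "R0 name;display name;path [YYYY-M-D size]"  (R = running, S = stopped; digit = start type)
DRIVER_RE = re.compile(
    r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?) \[(?P<date>\d{4}-\d{1,2}-\d{1,2}) (?P<size>\d+)\]$"
)


def _to_date(text):
    """DDS writes dates without zero padding in the driver section ('2009-7-5')."""
    year, month, day = (int(part) for part in text.split("-"))
    return date(year, month, day)


def parse_files(log):
    """File and directory records from the 'Created Last 30' and 'Find3M' sections."""
    records = []
    for line in log.splitlines():
        m = FILE_RE.match(line.strip())
        if not m:
            continue
        attrs = m["attrs"]  # e.g. 'a--sh---': a=archive, d=directory, s=system, h=hidden
        records.append({
            "date": _to_date(m["date"]),
            "path": m["path"].lower(),
            "is_dir": "d" in attrs,
            "hidden": "h" in attrs,
            "system": "s" in attrs,
        })
    return records


def parse_drivers(log):
    """Service/driver records from the 'SERVICES / DRIVERS' section."""
    drivers = []
    for line in log.splitlines():
        m = DRIVER_RE.match(line.strip())
        if not m:
            continue
        drivers.append({
            "start": m["start"],
            "name": m["name"],
            "path": m["path"].lower(),
            "date": _to_date(m["date"]),
        })
    return drivers


def triage(log, infection_date):
    """Entries worth checking first, keyed by the reason they stand out.

    A match here is a cue to verify the file (vendor, signature, hash), not
    proof of infection: legitimate updates and security tools installed after
    the infection date will show up too.
    """
    since = _to_date(infection_date)
    files = parse_files(log)
    drivers = parse_drivers(log)
    return {
        # New files under the Windows directory since the infection began
        "windows_dir_since_infection": sorted(
            f["path"] for f in files
            if f["path"].startswith("c:\\windows\\") and f["date"] >= since
        ),
        # Hidden + system attribute set together is unusual for user-created files
        "hidden_and_system": sorted(
            f["path"] for f in files if f["hidden"] and f["system"]
        ),
        # Boot/system-start drivers (R0/R1) whose file date falls after infection
        "early_start_drivers_since_infection": sorted(
            d["name"] for d in drivers
            if d["start"] in ("R0", "R1") and d["date"] >= since
        ),
    }


if __name__ == "__main__":
    for reason, items in triage(SAMPLE_LOG, "2009-07-02").items():
        print(reason)
        for item in items:
            print("   ", item)
```

On the real log, the same filters would surface entries like WinExplore.exe next to harmless ones like the IE8 wininet.dll update from the same window, which is why each hit still needs a vendor or signature check.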
07-11-2009, 08:13 PM   #2
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
Join Date: Oct 2007
Location: Georgia
Posts: 10,519
OS: XP SP3

Re: Unknown virus; Weird symptoms... TDSS rootkit variant?

Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

One or more of the identified infections is a backdoor trojan.

This type of infection allows hackers to remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Please read this: How Do I Handle Possible Identify Theft, Internet Fraud, and CC Fraud?

------------------------------------------------------

The Installed Programs section of your Attach.txt log seems incomplete. Several programs are missing, Adobe, Mozilla, etc. Also no Windows Updates are showing. Was the log altered in any way?

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

Due to the restrictions on Vista, all tools should be started by Right-Click >>> Run As Administrator

------------------------------------------------------

Download ComboFix and Save it to your Desktop.

* IMPORTANT !!! Save Combo-Fix.exe to your Desktop

------------------------------------------------------
  • Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with our tools.
  • Get help here
  • Double-click on Combo-Fix.exe & follow the prompts.

Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

------------------------------------------------------
Last edited by chemist; 07-11-2009 at 08:26 PM.
chemist is offline  
07-11-2009, 11:07 PM   #3
Registered User
Join Date: Jul 2009
Posts: 52
OS: Vista Home Premium

Re: Unknown virus; Weird symptoms... TDSS rootkit variant?

Wow, lots here. Just to let you know, if you're still on, I'm going to bed, but I'll do everything asked ASAP (most likely July 12th around 11 AM EST time...). As for financial and stuff, I was informed already. Only things I have passwords for are forums, MSN/Hotmail [basically just talk to friends], and Facebook.

As for fixing stuff on my own, I've been told not to do so before as well, so yup, got it.

As for the log, it was NOT altered. Copy-pasted right on. But as I think I mentioned, I can't remove programs using Control Panel. I might not have mentioned, though, that when I ran an uninstaller for AVG [the one that came with the download/install], it said it couldn't uninstall because the program wasn't installed, yet it obviously was. Does this have to do with a threat?

As for Vista, learned about the Admin thing and the renaming programs if necessary trick (winlogon.exe or something of the sort).

As for the patience element, I've had the virus since July 2nd... Obviously if I were that impatient, I would've gone to a shop to fix it :P

ComboFix log will be posted tomorrow, as mentioned above.

Thank you for your help, and I'm sure you'll be hearing lots of thank you's from me.
Justin.
JGagne is offline  
07-12-2009, 08:29 AM   #4
Registered User
Join Date: Jul 2009
Posts: 52
OS: Vista Home Premium

Re: Unknown virus; Weird symptoms... TDSS rootkit variant?

Alright, ran ComboFix... However, I just about dug a hole and buried myself in it.

Here's the story: I turned off System Restore about a week ago to see if the virus was in the folder, but I forgot to turn it back on. Now, I ran ComboFix, it found rootkit activity. As I was writing down the threats (like the prompt had asked), the screensaver went on, causing BSOD. Laptop restarted, so I ran ComboFix again. Computer was restarted by ComboFix. Then, the log popped up. However, the computer froze. I tried using Ctrl+Alt+Del, but an error message popped up saying it couldn't show that screen. I manually turned off the computer, and now, when I turn it back on, it doesn't work. It starts up fine, but once I get to the login screen, it stays black (I can't see the users).

Now I can't get the computer working, let alone paste the log. Save As... wasn't even working. So, what do I do? I can't system restore, Safe Mode doesn't work... Can I use the command prompt somehow? Or am I dead - game over?

Thanks.
JGagne is offline  
07-12-2009, 02:15 PM   #5
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
Join Date: Oct 2007
Location: Georgia
Posts: 10,519
OS: XP SP3

Re: Unknown virus; Weird symptoms... TDSS rootkit variant?

Hello, JGagne.

Quote:
Or am I dead - game over?
Really hard to say without having a log to look at.

Sure wish you hadn't turned off System Restore, as doing that deleted all your restore points.

Let's try Last Known Good Configuration:
  • Restart your computer.
  • After hearing your computer beep once during startup, but before the Windows icon appears, start pressing the F8 key.
  • In some systems, this may be the F5 key.
  • Instead of Windows loading as normal, a menu should appear.
  • Use the up arrow key to highlight Last Known Good Configuration and press 'Enter'.
  • Login on your usual account.
------------------------------------------------------

If that didn't work, try Safe Mode with Command Prompt:
  • Restart your computer.
  • After hearing your computer beep once during startup, but before the Windows icon appears, start pressing the F8 key.
  • In some systems, this may be the F5 key.
  • Instead of Windows loading as normal, a menu should appear.
  • Use the up arrow key to highlight Safe Mode with Command Prompt and press 'Enter'.
  • Login on your usual account.
------------------------------------------------------

For this to work, you may have to right-click the cmd window and choose 'Run as Administrator'.

Type cd \ and press 'Enter'. (Note the space between cd and \)

Type cd \windows and press 'Enter'.

Type explorer.exe and press 'Enter'.

Let me know what happened.

------------------------------------------------------
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
chemist is offline  
Old 07-12-2009, 05:09 PM   #6 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 52
OS: Vista Home Premium


Re: Unknown virus; Weird symptoms... TDSS rootkit variant?

Neither worked. Still only see a black screen. Without logging in, I can't even see the command prompt... Does explorer.exe really affect the login screen? I know it affects the desktop/menu bar, but didn't know about the login screen. You can also name it the Welcome Screen, I guess...

It's not looking too good.

Here's what I'm thinking as options:
- Is there a way I can copy-paste some files/folders from my clean Vista laptop onto a USB, then use F9 from the startup menu (Esc when computer boots) to boot from the USB? Or even a CD/DVD? I've got tons, if that's a possibility. Although, my clean laptop runs Vista Basic, and my infected runs Vista Premium.. Does that matter?
- Just give up completely
- Try restoring to factory default [this should remove infections too, right?] - I've been trying to avoid this one...
- Take it into a computer store (this is if NOTHING works; call me a cheapie :P)

Thanks for trying to help, and for not calling me a total dumbass for disabling System Restore and putting it back on. Even though you, the viewers, and myself all think it...
Justin.
JGagne is offline  
Old 07-12-2009, 08:50 PM   #7 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,519
OS: XP SP3


Re: Unknown virus; Weird symptoms... TDSS rootkit variant?

Hello again, JGagne. Did you ever get to the command prompt?

Quote:
Even though you, the viewers, and myself all think it...
Not at all. And it's not your fault. Many sites on the web wrongly recommend turning off System Restore as a first step. It should only be done when you are sure you are clean.

------------------------------------------------------

Quote:
Is there a way I can copy-paste some files/folders from my clean Vista laptop onto a USB, then use F9 from the startup menu (Esc when computer boots) to boot from the USB? Or even a CD/DVD? I've got tons, if that's a possibility. Although, my clean laptop runs Vista Basic, and my infected runs Vista Premium.. Does that matter?
I don't think so. At least, I don't know how. Not that smart.

Quote:
Just give up completely
There are still options. It appears you don't have the CD for the Vista Premium, correct? You may have the Vista Windows Recovery Environment already installed on your computer.

Whether you have the CD or not, follow the directions here >> http://www.bleepingcomputer.com/tuto...torial147.html

Pay special attention to the instructions under Figure 1. as they pertain to already having the Recovery Environment installed.

Let me know what happens.

------------------------------------------------------
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
chemist is offline  
Old 07-12-2009, 09:04 PM   #8 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 52
OS: Vista Home Premium


Re: Unknown virus; Weird symptoms... TDSS rootkit variant?

Haha cheap BestBuy people.. Installed Vista for 60$ [I didn't pay for it! laptop was a surprise gift], didn't give me the disk, and didn't install the Recovery thing... Luckily, still had a disk from my older laptop. Never did get to the command prompt, but I got to it from the disk.. What do I do in it though? Lol

Thanks
JGagne is offline  
Old 07-12-2009, 09:13 PM   #9 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,519
OS: XP SP3


Re: Unknown virus; Weird symptoms... TDSS rootkit variant?

Hello again, JGagne.

Quote:
but I got to it from the disk.. What do I do in it though? Lol
Did you follow the instructions here? >> http://www.bleepingcomputer.com/tuto...torial147.html

Try the Startup Repair.

------------------------------------------------------
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
chemist is offline  
Old 07-12-2009, 09:15 PM   #10 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 52
OS: Vista Home Premium


Re: Unknown virus; Weird symptoms... TDSS rootkit variant?

Startup Repair is running... I'll let you know what happens; right now it's checking the disk - says it might take over an hour to complete.
JGagne is offline  
Old 07-12-2009, 09:34 PM   #11 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 52
OS: Vista Home Premium


Re: Unknown virus; Weird symptoms... TDSS rootkit variant?

Startup Repair did NOT work... Any other ideas?
JGagne is offline  
Old 07-12-2009, 11:45 PM   #12 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,519
OS: XP SP3


Re: Unknown virus; Weird symptoms... TDSS rootkit variant?

Quote:
didn't give me the disk, and didn't install the Recovery thing
I don't see any other options here. Sorry.

------------------------------------------------------
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
chemist is offline  
Old 07-13-2009, 08:20 AM   #13 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 52
OS: Vista Home Premium


Re: Unknown virus; Weird symptoms... TDSS rootkit variant?

Nothing I can do with the command prompt?

So, my only options are trying to reinstall Vista, return my laptop to factory condition, or spend lots of cash to get it fixed by someone capable?
JGagne is offline  
Old 07-13-2009, 02:52 PM   #14 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 52
OS: Vista Home Premium


Re: Unknown virus; Weird symptoms... TDSS rootkit variant?

Just to be clear, have you given up on me, or will I be helped by someone who knows how to fix my problem? What's going to happen, if you can't help on your own? Am I on my own, or I'll be helped until my issue is resolved?
JGagne is offline  
Old 07-13-2009, 04:17 PM   #15 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,519
OS: XP SP3


Re: Unknown virus; Weird symptoms... TDSS rootkit variant?

Hello again, JGagne. Creating threads on multiple forums or multiple threads in the same forum for the same problem only creates confusion. Orange Blossom scolded you at BC because she didn't know you were already being helped here.

I believe Startup Repair didn't work because you weren't using the right disk. Can you borrow the CD for Vista Premium from someone? Then retry Startup Repair > http://www.bleepingcomputer.com/tuto...torial148.html
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE

Last edited by chemist; 07-13-2009 at 04:21 PM.
chemist is offline  
Old 07-13-2009, 04:22 PM   #16 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 52
OS: Vista Home Premium


Re: Unknown virus; Weird symptoms... TDSS rootkit variant?

Don't know anyone who's got it... I really wish the people from BestBuy would've given me the CD :|

Any other options? If it comes down to having to buy the disk, I'll just get laptop back to factory condition... Or is there anyone else who'd know, on this forum?

Thanks.
JGagne is offline  
Old 07-13-2009, 04:40 PM   #17 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 52
OS: Vista Home Premium


Re: Unknown virus; Weird symptoms... TDSS rootkit variant?

Oh, and maybe you could help me with this one:

Which methods can I use to copy files from one laptop to another? And could I even do that? Like... can I plug one laptop to another via USB cable and access the C: drive in my busted laptop from the working laptop? Even if I can't see the screen on my busted laptop?

Thanks.
JGagne is offline  
Old 07-13-2009, 05:04 PM   #18 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,519
OS: XP SP3


Re: Unknown virus; Weird symptoms... TDSS rootkit variant?

Hello again, JGagne. ComboFix made a backup of your registry before it ran.

This will attempt to restore your computer to before you ran ComboFix.

Use the CD you have to get back to the command prompt in the Recovery Environment.

If you are not at C:\Windows, type cd \windows and press 'Enter'.

Type cd erdnt\subs and press 'Enter'.

Type batch erdnt.con and press 'Enter'.

The ERUNT backups will begin copying.

At the next prompt, type exit and press 'Enter'.

Windows will now begin loading.

Let me know what happened. If Windows loaded normally, post/attach new logs from dds and gmer.

------------------------------------------------------
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
chemist is offline  
Old 07-13-2009, 05:39 PM   #19 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 52
OS: Vista Home Premium


Re: Unknown virus; Weird symptoms... TDSS rootkit variant?

Guess what:

It didn't work -.-
At startup, the directory is X:\sources... When I put in \windows, it becomes X:\windows.
When I type cd erdnt\subs, it says The system cannot find the path specified. When I try cd C:\windows\erdnt\subs, the screen pauses, then returns to X:\windows...
When I simply type cd C:, it returns to X:... Does this have to do with the booting off the CD?
Am I doing something wrong?

Thanks.
JGagne is offline  
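The exchange above (chemist's Recovery Environment steps in post #18 and the X:\ drive-letter trouble in post #19) illustrates a common stumbling block in the Windows Recovery Environment: it boots from a RAM drive lettered X:, and a plain "cd C:\..." changes the remembered directory on C: without actually leaving X:. The following is an added example script, not something from the thread, ComboFix or ERUNT; it assumes the backup lives at <drive>:\Windows\erdnt\subs\erdnt.con as the thread states, probes a range of drive letters for it (the installed Windows can get a letter other than C: under WinRE), switches there with "cd /d", and lists what it found so the restore command from post #18 can be run from the right place.

```batch
@echo off
rem Added example, not from the thread or from ComboFix/ERUNT: locate the
rem ComboFix registry backup from a Windows Recovery Environment prompt.
rem WinRE boots from a RAM drive lettered X:, and "cd C:\..." only changes
rem the remembered directory on C: without leaving X:, which is why the
rem prompt in the thread kept snapping back to X:\windows. "cd /d" (or typing
rem the drive letter alone) switches drives as well.
rem Assumed path: <drive>:\Windows\erdnt\subs\erdnt.con, as the thread gives it.
setlocal
set "BACKUPDRIVE="
rem The installed Windows is usually C: under WinRE, but letters can shift, so probe a range.
for %%D in (C D E F G H) do (
    if not defined BACKUPDRIVE (
        if exist "%%D:\Windows\erdnt\subs\erdnt.con" set "BACKUPDRIVE=%%D"
    )
)
if not defined BACKUPDRIVE (
    echo No ComboFix ERUNT backup found on drives C: through H:.
    echo Use "dir /a <letter>:\Windows" to confirm which letter holds the Windows folder.
    endlocal
    exit /b 1
)
echo ComboFix backup located on %BACKUPDRIVE%:
rem Switch drive and directory in one step; a plain "cd" would leave the prompt on X:.
cd /d "%BACKUPDRIVE%:\Windows\erdnt\subs"
echo Current directory is now: %CD%
echo Backup files present:
dir /b
echo.
echo Next step from this prompt, as given earlier in the thread:
echo     batch erdnt.con
endlocal
exit /b 0
```

Save it to a USB stick, run it from the Recovery Environment command prompt, and it leaves the prompt sitting in the erdnt\subs folder on the correct drive. The same "cd /d" point applies to the manual steps: typing "C:" on its own and then "cd \windows\erdnt\subs" gets to the same place without the script.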
Old 07-13-2009, 05:50 PM   #20 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 52
OS: Vista Home Premium


Re: Unknown virus; Weird symptoms... TDSS rootkit variant?

WOAH!!! Just pulled off a Justin move to the MAX!!!

Fixed the booting.. Here's what my sly self did:

I typed in C:\Windows\notepad.exe;

It worked and opened notepad;

I used Save As...

It opened explorer.exe;

I browsed to the file you mentioned;

I right-clicked hit;

I hit Run As Admin;

IT WORKED!!!

Thanks man! So... DDS and gmer, you said? Fresh start?
JGagne is offline  
Copyright 2001 - 2009, Tech Support Forum