Old 07-31-2009, 09:55 PM   #1 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 4
OS: Windows XP SP3


trojan horse generic

Hi Guys,

I have a problem and need your help. Appreciate it!

Here's the DDS logfile

DDS (Ver_09-07-30.01) - NTFSx86
Run by Diana at 12:55:11.81 on Sat 01/08/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1200 [GMT 10:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Rainlendar2\Rainlendar2.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Nero\Nero 9\Nero StartSmart\NeroStartSmart.exe
C:\Program Files\Nero\Nero 9\Nero StartSmart\NMDllHost.exe
C:\WINDOWS\TEMP\tor5A.tmp
C:\Program Files\Microsoft Office\Office12\EXCEL.EXE
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Diana\Local Settings\Temporary Internet Files\Content.IE5\FN4GS38S\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://track.moreniche.com/hit.php?w=155970&s=5
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: MJCore class: {d88e1558-7c2d-407a-953a-c044f5607cea} - c:\program files\jcore\Jcore2.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [Rainlendar2] c:\program files\rainlendar2\Rainlendar2.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRunOnce: [CleanSetup] cmd /C rmdir /S /Q "c:\documents and settings\diana\local settings\temp\nro.tmp\"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRun: [pridl] "c:\documents and settings\diana\application data\pridl\pridl.exe" 61A847B5BBF72811329B385672FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
dRun: [cft] c:\documents and settings\diana\application data\cft\cft.exe
dRunOnce: [RunNarrator] Narrator.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\diana\applic~1\mozilla\firefox\profiles\bdvuw5wp.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\program files\mozilla firefox\components\WWShow.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-7-27 335752]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-7-27 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-7-27 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-7-27 298776]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 AtcL002;NDIS Miniport Driver for Atheros L2 Fast Ethernet Controller;c:\windows\system32\drivers\l251x86.sys [2009-7-27 30720]
S2 Nero BackItUp Scheduler 4.0;Nero BackItUp Scheduler 4.0;c:\program files\common files\nero\nero backitup 4\NBService.exe [2009-7-20 935208]

=============== Created Last 30 ================

2009-08-01 12:52 <DIR> --d----- c:\docume~1\diana\applic~1\cft
2009-08-01 12:47 <DIR> --d----- c:\program files\WWShow
2009-08-01 12:42 <DIR> --d----- c:\program files\Jcore
2009-08-01 12:42 71 a------- C:\***** Health.url
2009-08-01 12:41 <DIR> --d----- c:\docume~1\diana\applic~1\pridl
2009-08-01 12:16 <DIR> --d----- c:\program files\Nero
2009-08-01 12:15 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Nero
2009-07-30 22:54 <DIR> --d----- c:\windows\pss
2009-07-29 19:14 594,432 -c------ c:\windows\system32\dllcache\msfeeds.dll
2009-07-29 19:14 55,296 -c------ c:\windows\system32\dllcache\msfeedsbs.dll
2009-07-28 08:16 268,648 a------- c:\windows\system32\mucltui.dll
2009-07-28 08:16 27,496 a------- c:\windows\system32\mucltui.dll.mui
2009-07-28 04:26 57,398 ac------ c:\windows\system32\dllcache\imjpdadm.exe
2009-07-28 04:25 21,504 a------- c:\windows\system32\hidserv.dll
2009-07-28 04:25 57,600 a------- c:\windows\system32\drivers\redbook.sys
2009-07-28 04:24 <DIR> --d----- c:\program files\common files\ODBC
2009-07-28 04:24 <DIR> --d----- c:\program files\common files\SpeechEngines
2009-07-28 04:23 5,632 ac------ c:\windows\system32\dllcache\kbdycc.dll
2009-07-28 04:23 <DIR> --d--r-- c:\documents and settings\all users\Documents
2009-07-28 04:21 1,296,669 ac------ c:\windows\system32\dllcache\SP3.CAT
2009-07-28 04:20 689 a------- c:\windows\system32\$winnt$.inf
2009-07-27 23:39 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Messenger Plus!
2009-07-27 22:42 <DIR> --d----- c:\program files\AVG
2009-07-27 22:42 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-07-27 22:27 <DIR> --d----- c:\docume~1\diana\applic~1\AVG8
2009-07-27 22:01 <DIR> --d----- c:\program files\iPod
2009-07-27 22:01 <DIR> --d----- c:\program files\iTunes
2009-07-27 22:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-07-27 22:01 <DIR> --d----- c:\program files\Bonjour
2009-07-27 21:39 <DIR> --d----- c:\program files\VideoLAN
2009-07-27 21:23 <DIR> --d----- c:\program files\CCleaner
2009-07-27 21:08 <DIR> --dsh--- c:\documents and settings\diana\IECompatCache
2009-07-27 21:08 <DIR> --dsh--- c:\documents and settings\diana\PrivacIE
2009-07-27 21:03 <DIR> --dsh--- c:\documents and settings\diana\IETldCache
2009-07-27 20:53 <DIR> --d----- c:\program files\Messenger Plus! Live
2009-07-27 20:52 <DIR> --d----- c:\documents and settings\diana\Tracing
2009-07-27 20:42 <DIR> --d----- c:\program files\Microsoft
2009-07-27 20:42 <DIR> --d----- c:\program files\Windows Live SkyDrive
2009-07-27 20:37 <DIR> --d----- c:\documents and settings\diana\.rainlendar2
2009-07-27 20:36 <DIR> --d----- c:\program files\Rainlendar2
2009-07-27 19:42 <DIR> --d----- c:\program files\common files\Windows Live
2009-07-27 19:41 <DIR> --d----- c:\program files\Windows Media Connect 2
2009-07-27 19:21 <DIR> --dsh--- c:\documents and settings\diana\UserData
2009-07-27 18:55 <DIR> --d----- c:\program files\Realtek
2009-07-27 18:50 <DIR> --d--r-- c:\program files\Skype
2009-07-27 18:32 <DIR> --dsh--- c:\documents and settings\all users\DRM
2009-07-27 18:32 <DIR> --d-h--- c:\program files\WindowsUpdate
2009-07-27 18:31 <DIR> --d----- c:\program files\common files\MSSoap
2009-07-27 18:30 <DIR> --d----- c:\program files\Online Services
2009-07-27 18:30 <DIR> --d----- c:\program files\Messenger
2009-07-27 18:30 <DIR> --d----- c:\program files\MSN Gaming Zone
2009-07-27 18:29 <DIR> --d----- c:\program files\Windows NT

==================== Find3M ====================

2009-07-29 23:16 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-07-27 22:43 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-07-27 22:43 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-07-27 22:43 335,752 a------- c:\windows\system32\drivers\avgldx86.sys
2009-07-27 18:55 315,392 a------- c:\windows\HideWin.exe
2009-07-27 18:48 410,984 a------- c:\windows\system32\deploytk.dll
2009-07-27 18:30 21,640 a------- c:\windows\system32\emptyregdb.dat
2009-07-09 12:16 2,060,288 a------- c:\windows\system32\usbaaplrc.dll
2009-07-09 12:16 39,424 a------- c:\windows\system32\drivers\usbaapl.sys
2009-07-04 03:09 915,456 a------- c:\windows\system32\wininet.dll
2009-06-17 00:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-17 00:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-10 04:20 323,641 a------- c:\windows\system32\usrdtea.dll
2009-06-10 04:12 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-06-10 04:12 1,847,808 a------- c:\windows\system32\win32k.sys
2009-06-10 04:12 346,112 a------- c:\windows\system32\localspl.dll
2009-06-10 04:10 155,648 a------- c:\windows\system32\wscript.exe
2009-06-10 04:10 90,112 a------- c:\windows\system32\wshext.dll
2009-06-10 04:10 361,600 a------- c:\windows\system32\drivers\tcpip.sys
2009-06-10 04:10 225,856 a------- c:\windows\system32\drivers\tcpip6.sys
2009-06-10 04:10 247,326 a------- c:\windows\system32\strmdll.dll
2009-06-10 04:10 333,952 a------- c:\windows\system32\drivers\srv.sys
2009-06-10 04:10 180,224 a------- c:\windows\system32\scrobj.dll
2009-06-10 04:10 172,032 a------- c:\windows\system32\scrrun.dll
2009-06-10 04:10 203,136 a------- c:\windows\system32\drivers\RMCast.sys
2009-06-10 04:10 144,896 a------- c:\windows\system32\schannel.dll
2009-06-10 04:10 1,307,648 a------- c:\windows\system32\msxml6.dll
2009-06-10 04:09 1,106,944 a------- c:\windows\system32\msxml3.dll
2009-06-10 04:09 245,248 a------- c:\windows\system32\mswsock.dll
2009-06-10 04:09 74,240 a------- c:\windows\system32\mscms.dll
2009-06-10 04:09 455,296 a------- c:\windows\system32\drivers\mrxsmb.sys
2009-06-10 04:09 691,712 a------- c:\windows\system32\inetcomm.dll
2009-06-10 04:09 286,720 a------- c:\windows\system32\gdi32.dll
2009-06-10 04:09 253,952 a------- c:\windows\system32\es.dll
2009-06-10 04:09 155,648 a------- c:\windows\system32\cscript.exe
2009-06-10 04:09 272,128 a------- c:\windows\system32\drivers\bthport.sys
2009-06-10 04:06 138,496 a------- c:\windows\system32\drivers\afd.sys
2009-06-04 05:12 1,291,264 a------- c:\windows\system32\quartz.dll

============= FINISH: 12:55:27.87 ===============
Attached Files
File Type: zip attach.zip (2.8 KB, 2 views)
PCBEEF is offline  
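A first triage pass over the "Pseudo HJT Report" section of a DDS log like the one posted above, as an added example that is not part of the thread and not code from DDS. It flags the entries an analyst reads first: programs started from user-writable folders, BHOs whose DLL is gone, long opaque arguments, and a start page on an unexpected host. The sample lines are copied from the report above; the trusted-host list and the folder heuristics are assumptions of this example.

```python
"""Triage the autorun lines (uStart Page, BHO, uRun/mRun/dRun) of a DDS log."""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: lines in the exact shape DDS emits them, taken from the
# report in the thread (DDS defangs "http" as "hxxp").
SAMPLE_LOG = r"""
uStart Page = hxxp://track.moreniche.com/hit.php?w=155970&s=5
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: MJCore class: {d88e1558-7c2d-407a-953a-c044f5607cea} - c:\program files\jcore\Jcore2.dll
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
dRun: [pridl] "c:\documents and settings\diana\application data\pridl\pridl.exe" 61A847B5BBF72811329B385672FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
dRun: [cft] c:\documents and settings\diana\application data\cft\cft.exe
"""

# Assumed allowlist of start-page hosts that need no review ("" covers about:blank).
TRUSTED_START_HOSTS = {"", "www.google.com", "www.msn.com", "www.bing.com"}

RUN_RE = re.compile(r"^([umd]Run(?:Once)?): \[([^\]]*)\] (.*)$")
BHO_RE = re.compile(r"^BHO: (?:(.+?): )?(\{[0-9A-Fa-f-]{36}\}) - (.*)$")
START_RE = re.compile(r"^([umd])Start Page = (.*)$")
# Folders a non-admin user can write to on XP, long and 8.3 forms (assumed heuristic).
USER_WRITABLE = re.compile(
    r"\\(?:application data|applic~1|local settings|locals~1|windows\\temp|temp)\\",
    re.IGNORECASE,
)
# Image path, quoted or bare, followed by optional arguments.
CMD_RE = re.compile(r'^"?(.*?\.(?:exe|scr|com|bat|cmd|pif|dll))"?(?:\s+(.*))?$', re.IGNORECASE)
HEX_ARG = re.compile(r"^[0-9A-Fa-f]{32,}$")


@dataclass(frozen=True)
class Finding:
    kind: str    # "run", "bho" or "startpage"
    entry: str   # run-key name, BHO CLSID, or start-page scope letter
    target: str  # image path or URL
    reason: str


def split_command(value: str) -> tuple[str, str]:
    """Separate the image path from its arguments; unknown shapes are left whole."""
    m = CMD_RE.match(value.strip())
    if not m:
        return value.strip(), ""
    return m.group(1), (m.group(2) or "").strip()


def triage(log_text: str, trusted_hosts=TRUSTED_START_HOSTS) -> list[Finding]:
    """Return the entries worth a second look, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := RUN_RE.match(line):
            hive, name, value = m.groups()
            path, args = split_command(value)
            if USER_WRITABLE.search(path):
                findings.append(Finding("run", name, path, f"{hive} entry starts from a user-writable folder"))
            if HEX_ARG.match(args):
                findings.append(Finding("run", name, path, f"opaque {len(args)}-char hex argument"))
        elif m := BHO_RE.match(line):
            _desc, clsid, path = m.groups()
            if path.strip().lower() == "no file":
                findings.append(Finding("bho", clsid, path, "BHO registered but its DLL is missing"))
            elif USER_WRITABLE.search(path):
                findings.append(Finding("bho", clsid, path, "BHO loads from a user-writable folder"))
        elif m := START_RE.match(line):
            scope, url = m.groups()
            host = urlparse(url.replace("hxxp", "http", 1)).hostname or ""
            if host not in trusted_hosts:
                findings.append(Finding("startpage", scope, url, f"start page set to {host}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.entry}: {f.reason} -> {f.target}")
```

Entries installed under Program Files with a vendor-looking name, such as the Jcore BHO and the WWShow Firefox component in the report, pass these path heuristics and still need a manual check against the "Created Last 30" section.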

Old 08-04-2009, 07:48 AM   #2 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Jun 2006
Location: USA
Posts: 7,512
OS: XP SP3


Re: trojan horse generic

Hello and welcome to TSF.

Please note that the fixes may require more than one round to properly eradicate. Stay with me until you're given the "all clear", even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions in the order they are presented, and please do no self-fixing or running of scanners unless requested by me or another helper at this forum.

Please also note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

    How to disable AVG

    Please open the AVG 8 Control Center, by right clicking on the AVG 8 icon on task bar.

    * Click on Tools.
    * Select Advanced Settings.
    * In the left hand pane, scroll down to "Resident Shield".
    * In the main pane, deselect the option to "Enable Resident Shield."
    * To re-enable AVG 8 later when done, please select "Enable Resident Shield" again.

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: Please make sure that your AntiVirus and AntiSpyware applications are re-enabled. A reboot should have done

How to disable your security applications
__________________
My services are free. However, you can donate to TSF to help keep it running.




Member of ASAP since 2005
Member of UNITE since 2006
amateur is offline  
Old 08-05-2009, 08:02 AM   #3 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 4
OS: Windows XP SP3


Re: trojan horse generic

Hi thanks for getting back to me.

I get the following message when running combofix even when trying to run it in safe mode.

!! ALERT !! It is NOT SAFE to continue!

The contents of the ComboFix package have been compromised.
Please download a fresh copy from bleeping computer.

Note: You may have been infected with a file patching virus (Virut)

I tried googling and people just seem to recommend formatting and removing all the executables.
PCBEEF is offline  
Old 08-05-2009, 08:18 AM   #4 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Jun 2006
Location: USA
Posts: 7,512
OS: XP SP3


Re: trojan horse generic

Hi,

That doesn't sound good. Let's check some system files for Virut.

Please go to: VirusTotal
  • On the page you'll find a "Browse" button.
  • Next to the browse button you'll see a box to enter text.
  • Please copy/paste the following in BOLD:

    C:\WINDOWS\system32\winlogon.exe

  • Then click the "Send File" button just below.
  • This will scan the file. Please be patient.
  • If the file has been analyzed before, click the "Reanalyse file now" button.
  • Wait until the file is analyzed.
  • Once scanned, save (copy and paste) the results.
  • Please repeat the process for the following files:

    • C:\WINDOWS\SYSTEM32\lsass.exe
    • C:\WINDOWS\explorer.exe

    • Please copy/paste the results in your next reply.
amateur is offline  
Old 08-09-2009, 04:27 AM   #5 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Jun 2006
Location: USA
Posts: 7,512
OS: XP SP3


Re: trojan horse generic

Hi,

Are you still with us? Please note that if I don't hear from you within two days, this thread will be closed.
amateur is offline  
Old 08-11-2009, 05:13 AM   #6 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 4
OS: Windows XP SP3


Re: trojan horse generic

Sorry for the late reply.

I was trying to follow your steps; however, it seems like the site was being blocked somehow. I could access the same web page on a different computer but not the infected one.

I tried booting into safe mode to try again; however, somehow one of the system files was corrupted, I believe it was ntfs.sys. So I decided to just wipe the computer clean and do a format.

I've deleted all the executables from my second partition just in case those were infected and currently haven't had any problems.

What's a good scanner to use to make sure that the rootkit is gone for sure?

PCBEEF is offline  
Old 08-11-2009, 05:45 AM   #7 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Jun 2006
Location: USA
Posts: 7,512
OS: XP SP3


Re: trojan horse generic

Hi,

Thanks for letting me know. With a Virut infection, the best course of action is to reformat and reinstall anyway. I was just trying to confirm that the system was indeed infected with Virut. You will now have a fresh start. However, in case you didn't know, here are some facts about Virut:

Virut is a polymorphic file infector, infecting all the executable files (.exe) and screen saver files (.scr) by way of corrupting them beyond repair. Unfortunately, many experts in the community believe the best approach is to reformat and reinstall. While backing up your files prior to r/r, please make sure that you do not back up any executables, screen savers and compressed files such as zip, rar and cab, and also the htm/html/php files, as they may also contain infected files. The latest variants also infect .jpg, .pdf and .doc files, which makes backing up any personal documents and pictures risky.

There's no tool that can fix this infection at the moment. Some tools claim to disinfect it, but they also end up corrupting the system files in the end, just like Virut itself.

Do not back up to another machine or another internal harddrive, as it may become compromised. Burn to DVD/CD, or to an external drive which has nothing else on it, and which you can format should it happen to become infected from the backups.

Virut is mostly spread via crack and keygen sites. It is also a backdoor trojan. This type of infection allows hackers to remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Here's some further information on this infection:

http://www.microsoft.com/security/en...=Win32%2fVirut
http://vil.nai.com/vil/content/v_143034.htm
http://www.avast.com/eng/win32-virut.html
http://www.symantec.com/security_res...558-99&tabid=1

Quote:
What's a good scanner to use to make sure that the rootkit is gone for sure?
I am not sure which rootkit you're referring to. If you're referring to Virut, you can have your system scanned online with Kaspersky, Panda or Eset. You can also scan individual files at VirusTotal or Jotti.

Happy Surfing and Think Prevention!
amateur is offline  
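The backup rules from the reply above, combined with the per-file check from the earlier VirusTotal instructions, applied to a folder in code. This is an added example, not part of the thread: the extension sets are the ones the reply names, the sample file tree is constructed here, and kept files get a SHA-256 so they can be looked up at VirusTotal by hash rather than uploaded.

```python
"""Plan a pre-reformat backup under the Virut rules: exclude what it infects or
what can carry it, mark what newer variants hit, hash everything else."""
from __future__ import annotations

import hashlib
import tempfile
import zipfile
from pathlib import Path

# Extension policy as stated in the reply.
INFECTABLE = {".exe", ".scr"}                              # infected directly
CONTAINERS = {".zip", ".rar", ".cab", ".htm", ".html", ".php"}  # may contain infected files
RISKY = {".jpg", ".pdf", ".doc"}                            # hit by the latest variants


def classify(path: Path) -> str:
    """'exclude', 'risky' or 'copy' for one file name."""
    ext = path.suffix.lower()
    if ext in INFECTABLE or ext in CONTAINERS:
        return "exclude"
    if ext in RISKY:
        return "risky"
    return "copy"


def zip_members_to_avoid(path: Path) -> list[str]:
    """Members of a zip that would be excluded on their own (why archives are skipped)."""
    try:
        with zipfile.ZipFile(path) as zf:
            return [n for n in zf.namelist() if classify(Path(n)) == "exclude"]
    except zipfile.BadZipFile:
        return ["<unreadable archive>"]


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def plan_backup(root: Path) -> dict[str, dict[str, str]]:
    """Map each category to {relative path: sha256 (copy/risky) or reason (exclude)}."""
    plan: dict[str, dict[str, str]] = {"copy": {}, "risky": {}, "exclude": {}}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        cat = classify(p)
        if cat == "exclude":
            detail = f"{p.suffix.lower()} is on the exclusion list"
            if p.suffix.lower() == ".zip":
                detail += "; contains " + ", ".join(zip_members_to_avoid(p) or ["no executables"])
            plan[cat][rel] = detail
        else:
            plan[cat][rel] = sha256_of(p)
    return plan


def build_sample_tree(root: Path) -> None:
    """Constructed sample: a profile fragment with every category represented."""
    (root / "Documents").mkdir()
    (root / "Documents" / "notes.txt").write_bytes(b"plain text survives\n")
    (root / "Documents" / "thesis.doc").write_bytes(b"\xd0\xcf\x11\xe0 fake doc")
    (root / "Pictures").mkdir()
    (root / "Pictures" / "holiday.jpg").write_bytes(b"\xff\xd8\xff fake jpeg")
    (root / "setup.exe").write_bytes(b"MZ fake executable")
    (root / "index.html").write_bytes(b"<html></html>")
    with zipfile.ZipFile(root / "tools.zip", "w") as zf:
        zf.writestr("readme.txt", "harmless")
        zf.writestr("bin/tool.exe", "MZ fake executable inside archive")


def demo_plan() -> dict[str, dict[str, str]]:
    """Build the constructed tree in a temporary folder and return its plan."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(Path(tmp))
        return plan_backup(Path(tmp))


if __name__ == "__main__":
    for cat, items in demo_plan().items():
        for rel, detail in items.items():
            print(f"{cat:8} {rel}: {detail}")
```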
Old 08-11-2009, 06:15 AM   #8 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 4
OS: Windows XP SP3


Re: trojan horse generic

Thank you so much for your help. I truly appreciate the time and effort you've put in helping me diagnose this problem.

Feel free to close this thread; if I have any problems I'll create another thread.

Cheers.
PCBEEF is offline  
Old 08-11-2009, 06:18 AM   #9 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Jun 2006
Location: USA
Posts: 7,512
OS: XP SP3


Re: trojan horse generic

You're welcome. Stay safe!
amateur is offline  