Virus taking over all anti spyware programs...

[cookie10]

Hello,

First off, thank you for taking the time to solve this. I have a virus on my computer that pops up every now and then on Windows Defender as Renos.js. It won't let me access any anti-spyware programs and has already disallowed access for Malwarebytes, Adware, and PC Doctor. Also, it automatically redirects some webpages and brings up pop ups randomly but rarely. The one thing I was successfully able to run was VIPRE in safe mode command line, and although that found a bunch of things, it was not able to solve the root of this problem at all.

I am unable to open dds.scr. It opens into notepad with gibberish written in it. Is there a specific way to run it?
The virus also shut down gmer.exe part way through the scan. I guess the scan triggered some file. Please let me know how to proceed.

Thanks again!

[Glaswegian]

Hi and welcome to TSF.

My name is Iain and I will be helping you clean your system.

You may wish to Subscribe to this thread (Thread Tools > Subscribe to this thread) so that you are notified when you receive a reply.

Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers or live internet connections when you are following the procedures below.

Note that the fix may take several posts. Please continue to respond to my instructions until I confirm that your logs are clean. Remember that although your symptoms may vanish, this does NOT mean that your system is clean.

If there is anything you don't understand, please ask BEFORE proceeding with the fixes.

Please ensure that you follow the instructions in the order I have them listed.

Please do not install or uninstall any programmes, or run any other scanners or software, unless I specifically ask you to do so. Also please copy and paste logs into the thread, rather than add them as attachments.



Combofix
Download ComboFix from one of these locations:

Link 1
Link 2


and rename it to cook.exe before saving it to your desktop.

Double click on the renamed ComboFix.exe & follow the prompts.

• When finished it will produce a log at C:\ComboFix.txt for you
• Please include the log in your next reply.

[cookie10]

Appreciate the help Ian. I have attached the ComboFix log. One thing though. After it ran, I tried to open any application (IE, Firfox) and tried to open the log and it kept complaining about marked for deletion in registry. I restarted and it all works fine now.


ComboFix 09-10-25.02 - Arjun 10/26/2009 1:12.1.1 - NTFSx86
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.1.1033.18.2046.1270 [GMT -4:00]
Running from: c:\users\Arjun\Desktop\cook.exe
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
SP: VirusScan Enterprise + AntiSpyware Enterprise *disabled* (Updated) {24E45799-D058-4314-AC5D-1B2EE5C3151F}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-918056312-2952985149-2686913973-500
c:\recycler\S-1-5-21-27793569-4117847827-3021538996-1005

Infected copy of c:\windows\system32\cngaudit.dll was found and disinfected
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-09-26 to 2009-10-26 )))))))))))))))))))))))))))))))
.

2009-10-26 05:22 . 2009-10-26 05:28 -------- d-----w- c:\users\Arjun\AppData\Local\temp
2009-10-26 05:22 . 2009-10-26 05:22 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-10-22 04:28 . 2009-10-22 06:09 0 ----a-w- c:\windows\system32\SBRC.dat
2009-10-22 02:24 . 2009-09-07 18:02 27944 ----a-w- c:\windows\system32\sbbd.exe
2009-10-22 02:24 . 2009-08-05 19:58 93872 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-10-22 02:24 . 2009-10-22 06:09 -------- d-----w- C:\VIPRERESCUE
2009-10-21 06:03 . 2009-10-21 06:03 -------- d-----w- c:\windows\Sun
2009-10-20 22:04 . 2009-10-20 22:09 -------- d-----w- c:\program files\Windows Live Safety Center
2009-10-20 20:58 . 2009-10-26 02:03 0 ----a-r- c:\windows\win32k.sys
2009-10-20 20:45 . 2009-10-23 18:32 -------- d-----w- c:\users\Arjun\AppData\Roaming\Logic Minimizer
2009-10-20 20:45 . 2009-10-20 20:45 -------- d-----w- c:\program files\Logic Minimizer
2009-10-15 01:58 . 2009-08-27 05:17 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-10-15 01:57 . 2009-09-04 11:41 60928 ----a-w- c:\windows\system32\msasn1.dll
2009-10-15 01:57 . 2009-09-14 09:29 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-10-15 01:53 . 2009-05-08 12:53 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL
2009-10-09 01:29 . 2009-10-09 01:29 -------- d-----w- c:\programdata\NCH Swift Sound
2009-10-05 00:50 . 2009-10-05 00:50 -------- d-----w- c:\users\Arjun\Office Genuine Advantage
2009-10-04 20:52 . 2009-05-18 18:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-10-04 20:52 . 2008-04-17 17:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-10-04 20:51 . 2009-10-04 20:51 -------- d-----w- c:\program files\iPod
2009-10-04 20:51 . 2009-10-04 20:52 -------- d-----w- c:\programdata\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-10-04 20:51 . 2009-10-04 20:52 -------- d-----w- c:\program files\iTunes
2009-10-04 20:50 . 2009-10-04 20:50 -------- d-----w- c:\program files\Bonjour
2009-10-04 20:49 . 2009-10-04 20:49 -------- d-----w- c:\program files\QuickTime
2009-10-03 03:22 . 2009-10-01 14:29 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-10-01 07:36 . 2009-10-01 07:38 -------- d-----w- c:\windows\system32\ca-ES
2009-10-01 07:36 . 2009-10-01 07:38 -------- d-----w- c:\windows\system32\eu-ES
2009-10-01 07:36 . 2009-10-01 07:38 -------- d-----w- c:\windows\system32\vi-VN
2009-09-30 21:19 . 2009-09-30 21:26 -------- d-----w- c:\program files\MSECACHE
2009-09-30 20:42 . 2009-09-30 20:42 -------- d-----w- c:\users\Arjun\AppData\Roaming\JAM Software
2009-09-30 20:42 . 2009-09-30 20:42 -------- d-----w- c:\program files\JAM Software
2009-09-30 20:21 . 2009-09-30 20:21 -------- d-----w- c:\windows\system32\EventProviders
2009-09-30 19:46 . 2009-09-30 19:46 518 ----a-w- c:\users\Arjun\AppData\Roaming\iolo\Registry\Last\restore.bat
2009-09-30 17:00 . 2008-12-09 14:59 20392 ----a-w- c:\windows\system32\drivers\elrawdsk.sys
2009-09-30 16:57 . 2009-09-30 16:57 74703 ----a-w- c:\windows\system32\mfc45.dll
2009-09-30 16:56 . 2009-09-30 19:53 -------- d-----w- c:\users\Arjun\AppData\Roaming\iolo
2009-09-30 16:56 . 2009-09-30 19:36 -------- d-----w- c:\programdata\iolo
2009-09-28 03:25 . 2009-09-28 03:32 -------- d-----w- c:\users\Arjun\AppData\Roaming\Trillian
2009-09-27 20:55 . 2009-09-27 20:55 -------- d-----w- c:\program files\Veetle
2009-09-27 02:19 . 1998-10-29 20:45 306688 ----a-w- c:\windows\IsUninst.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-22 01:53 . 2008-10-16 21:33 -------- d-----w- c:\programdata\Lavasoft
2009-10-20 20:34 . 2007-03-26 13:09 -------- d-----w- c:\program files\Java
2009-10-15 07:13 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-10-15 07:03 . 2007-03-23 18:40 -------- d-----w- c:\programdata\Microsoft Help
2009-10-14 01:08 . 2007-03-24 00:41 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-13 22:32 . 2007-08-23 17:09 1356 ----a-w- c:\users\Arjun\AppData\Local\d3d9caps.dat
2009-10-09 01:29 . 2009-07-04 00:12 -------- d-----w- c:\users\Arjun\AppData\Roaming\NCH Swift Sound
2009-10-09 01:28 . 2009-07-04 00:12 -------- d-----w- c:\program files\NCH Swift Sound
2009-10-09 01:04 . 2007-03-23 16:14 -------- d-----w- c:\users\Arjun\AppData\Roaming\Apple Computer
2009-10-09 01:02 . 2007-05-11 04:26 -------- d-----w- c:\users\Arjun\AppData\Roaming\uTorrent
2009-10-05 20:38 . 2008-05-13 15:12 -------- d-----w- c:\users\Arjun\AppData\Roaming\Skype
2009-10-05 20:02 . 2008-05-13 15:13 -------- d-----w- c:\users\Arjun\AppData\Roaming\skypePM
2009-10-04 20:51 . 2007-07-31 21:38 -------- d-----w- c:\program files\Common Files\Apple
2009-10-04 20:46 . 2007-07-31 21:38 -------- d-----w- c:\programdata\Apple
2009-10-01 07:38 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2009-10-01 07:38 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2009-10-01 07:38 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2009-10-01 07:38 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2009-09-30 19:35 . 2008-07-29 19:10 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-09-29 23:22 . 2009-07-06 01:39 -------- d-----w- c:\program files\Digsby
2009-09-28 03:39 . 2007-03-23 22:05 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-27 02:21 . 2009-09-27 02:21 -------- d-----w- c:\program files\OrCAD_Demo
2009-09-25 03:15 . 2009-09-24 22:32 -------- d-----w- c:\program files\Hotspot Shield
2009-09-19 18:26 . 2009-09-19 18:26 -------- d-----w- c:\programdata\HP
2009-09-19 16:22 . 2009-09-19 16:22 -------- d-----w- c:\users\Arjun\AppData\Roaming\StreamTorrent
2009-09-19 16:22 . 2009-09-19 16:22 -------- d-----w- c:\program files\StreamTorrent 1.0
2009-09-15 20:04 . 2009-09-15 20:04 37376 ----a-w- c:\windows\system32\drivers\hssdrv.sys
2009-09-15 20:04 . 2009-09-15 20:04 32768 ----a-w- c:\windows\system32\drivers\taphss.sys
2009-09-10 16:48 . 2009-10-15 01:59 218624 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 04:44 . 2009-03-19 21:48 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-04 16:40 . 2009-09-04 16:40 488960 ----a-w- c:\users\Arjun\AppData\Roaming\Macromedia\Flash Player\http://www.macromedia.com\bin\octosh...070-0-main.dll
2009-09-03 15:50 . 2007-03-23 06:53 99472 ----a-w- c:\users\Arjun\AppData\Local\GDIPFONTCACHEV1.DAT
2009-09-03 15:11 . 2007-03-23 18:49 -------- d-----w- c:\program files\Microsoft Works
2009-08-31 23:08 . 2009-08-31 23:08 -------- d-----w- c:\users\Arjun\AppData\Roaming\TokBox-Desktop.140E496FAF651FC6D79F73D360E855D4667C7B11.1
2009-08-31 23:08 . 2009-08-31 23:08 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-08-31 23:07 . 2009-08-31 23:08 38208 ----a-w- c:\users\Arjun\AppData\Roaming\Macromedia\Flash Player\http://www.macromedia.com\bin\airapp...pinstaller.exe
2009-08-29 23:11 . 2009-08-29 23:11 -------- d-----w- c:\program files\SAMSUNG
2009-08-29 00:27 . 2009-09-02 20:53 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-29 00:14 . 2009-09-02 20:53 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-28 23:42 . 2009-08-28 23:42 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-28 23:42 . 2009-08-28 23:42 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-27 15:10 . 2009-08-27 15:10 319488 ----a-w- c:\users\Arjun\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe
2009-08-27 05:22 . 2009-10-15 01:59 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 05:17 . 2009-10-15 01:59 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-08-27 03:42 . 2009-10-15 01:59 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-08-18 03:33 . 2009-08-18 03:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-14 16:27 . 2009-09-09 20:44 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-08-14 15:53 . 2009-09-09 20:44 17920 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 13:49 . 2009-09-09 20:44 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 13:49 . 2009-09-09 20:44 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 13:49 . 2009-09-09 20:44 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 13:49 . 2009-09-09 20:44 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 13:49 . 2009-09-09 20:44 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 13:49 . 2009-09-09 20:44 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-08-14 13:49 . 2009-09-09 20:44 10240 ----a-w- c:\windows\system32\finger.exe
2009-08-14 13:48 . 2009-09-09 20:44 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2009-08-14 13:48 . 2009-09-09 20:44 105984 ----a-w- c:\windows\system32\netiohlp.dll
2009-08-04 12:34 . 2009-10-15 01:59 3600456 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-08-04 12:34 . 2009-10-15 01:59 3548216 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-03 19:07 . 2009-08-03 19:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 19:07 . 2009-08-03 19:07 322928 ----a-w- c:\windows\system32\OGAAddin.dll
2009-08-03 19:07 . 2009-08-03 19:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
2009-07-31 19:23 . 2009-01-22 17:06 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}]
2009-09-25 03:08 218160 ----a-w- c:\program files\Hotspot Shield\hssie\HssIE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TPKMAPMN"="c:\program files\ThinkPad\Utilities\TpKmapMn.exe" [2007-01-22 63024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"c:\windows\system32\V0400Ext.ax"="c:\windows\system32\V0400Ext.ax" [X]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"PWMTRV"="c:\progra~1\ThinkPad\UTILIT~1\PWMTR32V.DLL" [2008-01-11 558368]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BTVLogEx.DLL" [2008-01-11 214576]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2008-01-24 66928]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-08-14 820520]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-10-03 39792]
"V0400Mon.exe"="c:\windows\V0400Mon.exe" [2007-08-23 28672]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-31 149280]
"TpShocks"="TpShocks.exe" - c:\windows\System32\TpShocks.exe [2007-11-22 181536]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-12-08 23:44 89600 ----a-w- c:\windows\System32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^VPN Client.lnk]
backup=c:\windows\pss\VPN Client.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Arjun^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^CCC.lnk]
backup=c:\windows\pss\CCC.lnk.Startup
backupExtension=.Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AirPort Base Station Agent
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):a2,9c,83,64,6b,42,ca,01

R0 TPDIGIMN;TPDIGIMN;c:\windows\System32\drivers\ApsHM86.sys [10/16/2007 6:32 PM 19504]
R1 ElRawDisk;ElRawDisk;c:\windows\System32\drivers\elrawdsk.sys [9/30/2009 1:00 PM 20392]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\System32\drivers\smiif32.sys [8/30/2006 7:04 PM 13744]
R1 SBRE;SBRE;c:\windows\System32\drivers\SBREDrv.sys [10/21/2009 10:24 PM 93872]
R2 smihlp;SMI Helper Driver (smihlp);c:\program files\Common Files\ThinkVantage Fingerprint Software\Drivers\smihlp.sys [12/8/2006 7:37 PM 11152]
R2 SSPORT;SSPORT;c:\windows\System32\drivers\SSPORT.SYS [3/25/2007 1:29 PM 5120]
R2 TPHKSVC;On Screen Display;c:\program files\Lenovo\HOTKEY\TPHKSVC.exe [12/14/2007 4:37 PM 58224]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [10/30/2007 11:04 PM 24652]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\System32\drivers\b57nd60x.sys [5/2/2007 11:43 AM 179712]
R3 HSXHWICH;HSXHWICH;c:\windows\System32\drivers\HSXHWICH.sys [10/18/2006 11:08 AM 248320]
R3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\System32\drivers\NETw2v32.sys [12/18/2006 2:24 PM 2596352]
S3 PCD5SRVC{DF187064-5DA14001-05040000};PCD5SRVC{DF187064-5DA14001-05040000} - PCDR Kernel Mode Service Helper Driver;c:\progra~1\PCDR5\PCD5SRVC.pkms [12/10/2007 4:20 PM 21280]
S3 VF0400Afx;VF0400 Audio FX;c:\windows\System32\drivers\V0400Afx.sys [8/4/2009 4:31 PM 142656]
S3 VF0400Vfx;VF0400 Video FX;c:\windows\System32\drivers\V0400Vfx.sys [8/4/2009 4:31 PM 7424]
S3 VF0400Vid;Live! Cam Notebook Pro (VF0400);c:\windows\System32\drivers\V0400Vid.sys [8/4/2009 4:31 PM 166720]
S3 VST_DPV;VST_DPV;c:\windows\System32\drivers\VSTDPV3.SYS [11/2/2006 6:25 AM 987648]
S3 VSTHWICH;VSTHWICH;c:\windows\System32\drivers\VSTICH3.SYS [11/2/2006 6:25 AM 242176]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\System32\drivers\WSDPrint.sys [5/27/2008 7:29 PM 16896]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
msiexec /fums {CCA08FFD-3F64-A525-170F-FB2D73CDC661} /qb
.
Contents of the 'Scheduled Tasks' folder

2009-10-25 c:\windows\Tasks\User_Feed_Synchronization-{7CF4358C-A628-4BEE-B507-A7344112B457}.job
- c:\windows\system32\msfeedssync.exe [2009-10-15 03:41]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
FF - ProfilePath - c:\users\Arjun\AppData\Roaming\Mozilla\Firefox\Profiles\5pefy36z.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.washingtonpost.com/
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\users\Arjun\AppData\Roaming\Mozilla\Firefox\Profiles\5pefy36z.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCD5SRVC{DF187064-5DA14001-05040000}]
"ImagePath"="\??\c:\progra~1\PCDR5\PCD5SRVC.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3076422568-2508882760-1115363979-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A930CBE3-4CDA-15B8-30AD-32FFEECFF29B}*]
"iakomckahhjedkkopf"=hex:69,61,66,65,6b,63,62,69,6f,68,66,66,67,6e,67,6f,6c,6b,
00,00
"jaepkbonjnhfbblpeohl"=hex:6a,61,63,65,6c,62,6b,70,62,6c,6c,6b,6a,61,61,6b,6a,
6c,64,70,00,f2

[HKEY_LOCAL_MACHINE\SOFTWARE\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(672)
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Hotspot Shield\bin\openvpnas.exe
c:\program files\Hotspot Shield\HssWPR\hsssrv.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\vstskmgr.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\windows\System32\TPHDEXLG.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Lenovo\System Update\SUService.exe
c:\cook\CF11422.exe
c:\windows\System32\rundll32.exe
c:\program files\McAfee\Common Framework\McTray.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Lenovo\HOTKEY\TPONSCR.exe
c:\program files\Lenovo\Zoom\TpScrex.exe
c:\program files\Synaptics\SynTP\SynTPLpr.exe
c:\program files\iPod\bin\iPodService.exe
c:\cook\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-26 1:35 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-26 05:35

Pre-Run: 1,089,314,816 bytes free
Post-Run: 2,258,554,880 bytes free

- - End Of File - - 3EB8089665ED403E1C31D2E256405701

[cookie10]

Sorry, by works fine I mean that the programs and text file could be opened without the aforementioned error. The computer is still infected though.

[Glaswegian]

Hi again

Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers or live internet connections when you are following the procedures below.


Combofix

• Close any open browsers.
  
• Open notepad and copy/paste the text in the box below into it:

Code:

RegLock::
[HKEY_USERS\S-1-5-21-3076422568-2508882760-1115363979-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A930CBE3-4CDA-15B8-30AD-32FFEECFF29B}*]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

Folder::
c:\program files\Viewpoint

Driver::
Viewpoint Manager Service

Looking at the image below as an example



Save this as CFScript.txt, in the same location as ComboFix.exe




Refering to the picture above, drag CFScript onto ComboFix.exe.

When finished, it will produce a log for you at "C:\ComboFix.txt"

Do not mouseclick combofix's window whilst it's running. This may cause it to stall.

CAUTION! Anyone else thinking of using the above script does so at their own risk - you may end up having to re-install Windows!


Please post the log C:\ComboFix.txt for further review.

[cookie10]

I have attached the log. After running ComboFix, same error occurred as mentioned above and couldn't open firefox or any other application until restart as it complained of a registry key marked for deletion.

[Glaswegian]

Hi again

Can you tell me the exact message you receive – and exactly when it is received?

How is your system running now?


Online Scan

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner.

Click Accept, when prompted to download and install the program files and database of malware definitions.

• Click Run at the Security prompt.
• The program will then begin downloading and installing and will also update the database.
• Please be patient as this can take several minutes.
• Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
• Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
• Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
• Click View scan report at the bottom.
• Click the Save Report As... button.
• Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

This animation will guide you through the process:


**Note**

To optimise scanning time and produce a more sensible report for review:

• Close any open programs.
• Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.


Please post back with the Kaspersky Log.

[cookie10]

Hi,

In response to your questions, my system seems to be better now in that I don't get a renos.js warning from windows defender, and it seems as though anti-spyware programs run.

The exact error I was talking about earlier was immediately after ComboFix was done running. I tried to open Firefox or the log itself or any other application and it complained about a registry key marked for deletion. When I restarted, the error was not there anymore and I was able to proceed normally.

I tried running Kaspersky but after accepting and while the update download is trying to start up, I get the error "Launch of Java application is interrupted! Please establish and uninterrupted internet connection for work with this program." I'm not sure why I get this because Java is loaded and I've already accepted the license and everything.

Thanks.

[cookie10]

In any case, I was finally able to run DDS and have attached the log in case you wanted to take a look.

[Glaswegian]

Hi

OK – we’ll try a different scanner – it’s always a good second check.

Online Scan
Perform an online scan with Panda ActiveScan

• Click on Scan Your PC Now
• A "pop up" window will appear, or a new tab will open.
• Click on Register
• Choose the option you like most, but we recommend the Free Registration.
• Click on Register
• Enter your e-mail address, and create a password.
• Select "I do not want to receive any type of information". (unless you want to receive such information)
• Click on Send
• Confirm registration, and continue by entering your user name and password, then click on Enter
• Select Full Scan, then Click on Scan Now
• Wait for the components to be loaded and installed. Don't close this window or go to another page while it is downloading. You can continue using the Internet by opening another window in your browser.
• If it finds any malware it can disinfect, the Disinfect button will be enabled. Click on Disinfect
• Please ignore the offer to buy the program. Click on Export To
  
• Export the log and save it to your desktop.
• Please attach the contents of that log to your reply.

* Turn off the real time scanner of any existing antivirus program while performing the online scan.

Avast users note:

Please do continue with the online scan at Panda if you receive an alert. It is a false positive from Avast because Panda Antivirus does not encrypt its virus database.

Note that Panda may take several hours to scan your system.


Please note that I will not be back online until Saturday – I’m attending a wedding.

[cookie10]

Log is attached. Thanks!

[Glaswegian]

That was clear.

How are things running now? Still receiving the error message?

[cookie10]

Nope. I think everything is running well now. Thanks a lot for you help!

[Glaswegian]

Hi again

Good to hear. If there are no more problems we’ll just tidy up and I’ll let you go, along with my recommendations for staying safe and secure.


The following procedure will clear out the tools we've used as well as the backups and quarantines created by the fix. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.

Referring to the image below



Click Start > Run and copy/paste, or type the following bold text into the Run box and click OK:


ComboFix /Uninstall



Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:


General Protection
Spyware Blaster to help prevent spyware from installing in the first place.
Spyware Guard to catch and block spyware before it can execute.
Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here.


Ad-aware 2008 Free Edition
Download and install Ad-Aware 2008 Free Edition. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here.



MVPS Hosts File[/b]
The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. Note that if you use a company provided HOSTS file you should not use the MVPS HOSTS file.

Alternate Browsers
Try the following free alternate browsers rather than Internet Explorer
Firefox
Opera
Chrome
Maxthon
Safari

Firewalls
A good firewall will monitor incoming and outgoing traffic. NOTE: Microsoft's Firewall for XP does not monitor outgoing traffic. If you do not have a firewall, here are 3 free ones available for personal use:
Comodo Personal Firewall
Sygate Personal Firewall
ZoneAlarm



Other Protection
Winpatrol - Download and install the free version of Winpatrol. A tutorial for this product is located here:
Using Winpatrol to protect your computer.


Web of Trust
WOT warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

• Green to go
• Yellow for caution
• Red to stop

WOT has an addon available for both Firefox and IE.


ERUNT & NTREGOPT
ERUNT is a programme that will create automatic backups of your Registry. These backups can be used to help restore your system in the event of a serious crash.
NTREGOPT will compact and optimise your Registry, to assist the smooth running of your system.


Additional Reading
In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

PC Safety & Security - What Do I Need?.
Making Internet Explorer Safer.
Think Prevention!

Have a look here if your PC is still running a bit slow
Is your PC running slow...?


Keep clean and safe and enjoy your computing!

Please respond to this thread one more time so we can mark this thread as resolved.

[cookie10]

I have Vista and typed the command 'ComboFix /Uninstall' in the Start -> Search box and I get an error message that says Windows cannot find cook.exe ... make sure you type the name correctly ...

[Glaswegian]

I don't have Vista - is there not a Run/Command box similar to the image in my last post?

[cookie10]

Found it and uninstalled. FYI - In Vista, its under Start -> Accessories -> Run.
Thanks again for all your help.