Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Resolved HJT Threads: resolved spyware and popup issues.

Old 10-25-2009, 09:32 AM   #1 (permalink)
Taekwonty11 (Registered User)
Join Date: Oct 2009
Posts: 18
OS: Vista

Malware keeps returning

Hello, new to the site and in need of help. A couple of days ago, I turned my computer on and noticed three new desktop icons, all linking to porn sites (youporn, nudetube, etc.).

I ran Ad-Aware Pro and removed everything it found (can no longer remember what), but the icons returned every time I turned my computer back on (my computer doesn't reboot, a different problem though, as it has happened for a while, I think).

Getting angry, I downloaded Malwarebytes Anti-Malware, ran a scan, and got rid of whatever it found (again, no specifics for that day). This, I thought, fixed the problem, but the next day it came back again (not quite 24 hours, but overnight).

I did this again yesterday, and again this morning those icons were back. I ran Malwarebytes and it found 35 items. I saved the log for today. I will post it as a reply to this thread in case it is necessary for the best help possible.

Some more information: when I thought I had got rid of everything yesterday, whenever I turned my computer back on the icons would not come back, but the message "error loading C:\Windows\TEMP\msxm192z.dll The specified module could not be found" did. I have a feeling that if I turned my computer off and on now, this message would come up.

Also, I am aware I have two anti-spyware/malware programs running at once, a big no-no. I did not uninstall one or the other because:
a) I paid for them both. That is, I registered both Ad-Aware and Malwarebytes.
b) I wasn't sure which one is better than the other.

I registered Malwarebytes yesterday and it has IP Protection, and I get constant pop-up messages from it saying it has blocked some random IPs. Probably every ten minutes I get a few.

I hope I supplied enough info; I will answer any questions you have.

DDS (Ver_09-10-24.04) - NTFSx86
Run by Tyler at 10:52:11.93 on Sun 10/25/2009
Internet Explorer: 7.0.6002.18005 BrowserJavaVersion: 1.6.0_10
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2046.730 [GMT -4:00]

AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning disabled* (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\ATK Hotkey\ASLDRSrv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Alienware\Command Center\AlienFusionService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Windows\system32\ifxspmgt.exe
C:\Windows\system32\ifxtcs.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\Windows\system32\spool\DRIVERS\W32X86\3\lxdnserv.exe
C:\Windows\system32\lxdncoms.exe
C:\Windows\system32\IfxPsdSv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\StkCSrv.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Alienware\Command Center\AlienFusionController.exe
C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\ATK Hotkey\Hcontrol.exe
C:\Program Files\ATK Hotkey\MsgTranAgt.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\ATK Hotkey\ATKOSD.exe
C:\Program Files\ATK Hotkey\WDC.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Tyler\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.alienware.com/Mothership?Comp=%ALIENFACTORY_Company%&SysCode=%ALIENFACTORY_SystemCode%&ai=636E3D34363034343526706F3D35373335303841
uDefault_Page_URL = hxxp://www.alienware.com/Mothership?Comp=%ALIENFACTORY_Company%&SysCode=%ALIENFACTORY_SystemCode%&ai=636E3D34363034343526706F3D35373335303841
mStart Page = hxxp://www.alienware.com/mothership
mDefault_Page_URL = hxxp://www.alienware.com/mothership
uInternet Settings,ProxyOverride = *.local
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
uRun: [Sidebar] c:\program files\windows sidebar\SideBar.exe /autoRun
uRun: [ter8m] RUNDLL32.EXE c:\windows\temp\msxm192z.dll,w
mRun: [AlienFX Controller] "c:\program files\alienware\command center\AlienwareAlienFXController.exe"
mRun: [AlienFusion Controller] "c:\program files\alienware\command center\AlienFusionController.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [basicsmssmenu] "c:\program files\seagate\basics\basics status\MaxMenuMgrBasics.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [<NO NAME>]
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Skytel] Skytel.exe
mRun: [iolo Startup] "c:\program files\iolo\common\lib\ioloLManager.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRun: [ter8m] RUNDLL32.EXE c:\windows\temp\msxm192z.dll,w
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} - hxxp://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} - hxxp://messenger.zone.msn.com/binary/WoF.cab57176.cab
DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} - hxxp://messenger.zone.msn.com/binary/Chess.cab57176.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab

================= FIREFOX ===================

FF - ProfilePath - c:\users\tyler\appdata\roaming\mozilla\firefox\profiles\c3njr53l.default\
FF - prefs.js: browser.search.selectedEngine - Search With Everclear
FF - prefs.js: browser.startup.homepage - www.searchwitheverclear.com
FF - component: c:\users\tyler\appdata\roaming\mozilla\firefox\profiles\c3njr53l.default\extensions\{35b675b9-7f34-40df-8f49-5fab6b7e4aef}\components\FFExternalAlert.dll
FF - component: c:\users\tyler\appdata\roaming\mozilla\firefox\profiles\c3njr53l.default\extensions\{81bf1d23-5f17-408d-ac6b-bd6df7caf670}\components\XpcomOpusConnector.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-10-18 64288]
R1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\elrawdsk.sys [2008-9-24 12800]
R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [2007-1-23 39080]
R2 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B};c:\program files\cyberlink\powerdvd\000.fcl [2008-7-20 61424]
R2 AlienFusionService;Alienware Fusion Service;c:\program files\alienware\command center\AlienFusionService.exe [2008-3-5 8192]
R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-7-17 609792]
R2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-7-17 609792]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1170768]
R2 lxdn_device;lxdn_device;c:\windows\system32\lxdncoms.exe -service --> c:\windows\system32\lxdncoms.exe -service [?]
R2 lxdnCATSCustConnectService;lxdnCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdnserv.exe [2007-12-5 98984]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-10-22 269648]
R2 StkSSrv;Syntek AVStream USB2.0 WebCam Service;c:\windows\system32\StkCSrv.exe [2008-3-27 31248]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-7-21 24652]
R3 AVerHybrid;AVerMedia Hybrid Tuner (NTSC/PAL/SECAM/ATSC/FM);c:\windows\system32\drivers\averhbtv.sys [2008-7-11 304640]
R3 itecir;ITECIR Infrared Receiver;c:\windows\system32\drivers\itecir.sys [2008-7-11 47616]
R3 LachesisFltr;Lachesis Mouse Driver;c:\windows\system32\drivers\Lachesis.sys [2008-7-15 12032]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-10-22 19160]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-10-22 38224]
R3 StkCMini;Syntek AVStream USB2.0 2M WebCam;c:\windows\system32\drivers\StkCMini.sys [2008-3-27 1403280]
RUnknown BtwSrv;BtwSrv; [x]
S3 ActionReplayDS;ActionReplayDS;c:\windows\system32\drivers\ActionReplayDS.sys [2009-8-12 29184]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2007-10-10 179712]
S3 t3;SB Xtreme Audio Notebook (Vista);c:\windows\system32\drivers\t3.sys [2008-7-16 401408]
S3 uisp;Freescale USB JW32 driver;c:\windows\system32\drivers\Usbicp.sys [2008-7-15 14592]
S4 nvrd32;NVIDIA nForce RAID Driver;c:\windows\system32\drivers\nvrd32.sys [2008-3-5 132128]
SUnknown fastnetsrv;fastnetsrv; [x]

============== File Associations ===============

JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1

=============== Created Last 30 ================

2009-10-25 14:04:38 40960 ----a-w- c:\windows\system32\1717448.exe
2009-10-25 14:04:27 828 ----a-w- c:\windows\system32\5877955.exe
2009-10-24 17:58:46 40960 ----a-w- c:\windows\system32\2690501.exe
2009-10-24 17:58:34 700 ----a-w- c:\windows\system32\8590662.exe
2009-10-23 16:50:59 0 d-----w- c:\programdata\SUPERAntiSpyware.com
2009-10-23 16:50:48 0 d-----w- c:\users\tyler\appdata\roaming\SUPERAntiSpyware.com
2009-10-23 16:08:15 0 d-----w- c:\program files\RegCleaner
2009-10-23 03:43:42 0 d-----w- c:\windows\system32\InstallShield Installation Information
2009-10-23 01:57:17 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-23 01:57:16 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-23 00:38:42 65536 --sha-w- c:\users\tyler\NTUSER.DAT{d0097e82-bf68-11de-81b2-001fc6509a87}.TM.blf
2009-10-23 00:38:42 524288 --sha-w- c:\users\tyler\NTUSER.DAT{d0097e82-bf68-11de-81b2-001fc6509a87}.TMContainer00000000000000000002.regtrans-ms
2009-10-23 00:38:42 524288 --sha-w- c:\users\tyler\NTUSER.DAT{d0097e82-bf68-11de-81b2-001fc6509a87}.TMContainer00000000000000000001.regtrans-ms
2009-10-23 00:03:06 0 d-----w- c:\users\tyler\appdata\roaming\AVG8
2009-10-22 22:48:15 0 d-----w- c:\users\tyler\appdata\roaming\Malwarebytes
2009-10-22 22:48:03 0 d-----w- c:\programdata\Malwarebytes
2009-10-22 22:48:03 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-19 01:28:14 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-10-19 01:26:47 0 dc-h--w- c:\programdata\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-10-03 01:23:03 22328 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-10-03 01:22:48 103736 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-10-03 01:22:46 66872 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-10-03 00:57:26 0 d-----w- c:\program files\Microsoft Games for Windows - LIVE
2009-10-02 15:44:09 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-09-29 01:43:55 0 d-----w- C:\Temp
2009-09-29 00:39:22 0 d-----w- c:\programdata\PMB Files
2009-09-27 15:41:26 65536 --sha-w- c:\users\tyler\NTUSER.DAT{b6e29a47-ab7b-11de-bf21-806e6f6e6963}.TM.blf
2009-09-27 15:41:26 524288 --sha-w- c:\users\tyler\NTUSER.DAT{b6e29a47-ab7b-11de-bf21-806e6f6e6963}.TMContainer00000000000000000002.regtrans-ms
2009-09-27 15:41:26 524288 --sha-w- c:\users\tyler\NTUSER.DAT{b6e29a47-ab7b-11de-bf21-806e6f6e6963}.TMContainer00000000000000000001.regtrans-ms

==================== Find3M ====================

2009-10-25 14:21:56 99455 ----a-w- c:\programdata\nvModes.dat
2009-10-19 03:53:41 51200 ----a-w- c:\windows\inf\infpub.dat
2009-10-19 03:53:40 143360 ----a-w- c:\windows\inf\infstrng.dat
2009-10-19 03:53:38 143360 ----a-w- c:\windows\inf\infstor.dat
2009-10-03 01:23:03 22328 ----a-w- c:\users\tyler\appdata\roaming\PnkBstrK.sys
2009-09-14 09:29:50 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-09-10 16:48:01 218624 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 11:41:59 60928 ----a-w- c:\windows\system32\msasn1.dll
2009-09-03 09:17:47 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-08-29 00:27:49 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-29 00:14:38 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-28 23:42:52 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-28 23:42:52 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-28 14:29:52 93096 ----a-w- c:\windows\system32\IncContxMenu.dll
2009-08-28 14:29:44 2116008 ----a-w- c:\windows\system32\Incinerator.dll
2009-08-27 13:29:25 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-27 12:40:58 834048 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 19:42:00 30208 ----a-w- c:\windows\system32\iolobtdfg.exe
2009-08-26 19:42:00 12288 ----a-w- c:\windows\system32\smrgdf.exe
2009-08-18 03:33:52 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-14 15:53:34 17920 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 13:49:20 29696 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 13:49:18 37888 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 13:49:18 31232 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 13:49:15 47104 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 13:49:14 39936 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 13:49:14 28672 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-08-14 13:49:13 30208 ----a-w- c:\windows\system32\finger.exe
2009-08-14 13:48:02 105984 ----a-w- c:\windows\system32\netiohlp.dll
2009-08-08 21:47:18 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-08-08 21:30:50 37665 ----a-w- c:\windows\fonts\GlobalUserInterface.CompositeFont
2009-08-04 12:34:19 3600456 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-08-04 12:34:19 3548216 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-03 19:07:42 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 19:07:42 322928 ----a-w- c:\windows\system32\OGAAddin.dll
2009-08-03 19:07:42 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
2009-08-02 04:41:21 54652 ----a-w- c:\windows\fonts\pkmndp.ttf
2009-08-02 04:41:21 20648 ----a-w- c:\windows\fonts\pkmnrs.ttf
2009-08-02 04:41:21 20604 ----a-w- c:\windows\fonts\pkmnem.ttf
2009-08-02 04:41:21 20404 ----a-w- c:\windows\fonts\pkmnfl.ttf
2009-08-02 04:41:21 19644 ----a-w- c:\windows\fonts\pkmnemn.ttf
2009-08-02 04:41:21 18800 ----a-w- c:\windows\fonts\pkmnems.ttf
2008-03-06 18:15:06 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 10:52:52.27 ===============

Log from Malwarebytes this morning:

Malwarebytes' Anti-Malware 1.41
Database version: 3015
Windows 6.0.6002 Service Pack 2

10/25/2009 10:26:05 AM
mbam-log-2009-10-25 (10-26-05).txt

Scan type: Quick Scan
Objects scanned: 100474
Time elapsed: 2 minute(s), 45 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 9
Registry Values Infected: 11
Registry Data Items Infected: 3
Folders Infected: 1
Files Infected: 9

Memory Processes Infected:
C:\Windows\System32\FastNetSrv.exe (Backdoor.Bot) -> Unloaded process successfully.

Memory Modules Infected:
c:\Windows\System32\BtwSrv.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.Exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\fastnetsrv (Backdoor.Refpron) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\btwsrv (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\btwsrv (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\btwsrv (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Protection System (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\fastnetsrv (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\fastnetsrv (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\BuildW (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\FirstInstallFlag (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\guid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\i (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\uid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Ulrn (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Update (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\UpdateNew (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mBt (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\udfa (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mfa (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CLASSES_ROOT\scrfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: ("%1" /S) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: (regedit.exe "%1") -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\Windows\system32\userinit.exe,C:\Windows\system32\drivers\smss.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\Protection System (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.

Files Infected:
C:\Windows\Temp\VRT9701.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Windows\SC.INS (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Program Files\Protection System\mal.db (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
C:\Windows\System32\wmdtc.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\BtwSrv.dll (Trojan.Agent) -> Delete on reboot.
C:\Windows\System32\FInstall.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Windows\sc.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Windows\System32\opeia.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Windows\System32\FastNetSrv.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
Attached Files
File Type: zip attach.zip (5.3 KB, 2 views)

Last edited by Glaswegian; 10-25-2009 at 02:27 PM. Reason: Merged threads to preserve zero posts
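The DDS log above carries several of the indicators a malware-removal helper picks out by eye. As an added example, not part of the original thread or of the DDS tool, the following Python script applies those checks to a DDS-style log: autorun entries whose target lives under a temp directory (the `ter8m` entry loading `msxm192z.dll`), BHO and toolbar entries marked `No File`, `EnableLUA = 0` (UAC switched off by policy), services DDS marks `[x]` (no file on disk), and executables in `system32` created in the last 30 days with purely numeric names. The sample input is an excerpt of the log posted above; the rule names and regular expressions are this example's own.

```python
"""Triage a DDS 'Pseudo HJT Report' for common persistence red flags.

Added example, not part of the original thread or of the DDS tool.  Each rule
below corresponds to a pattern visible in the log posted above.
"""
import re
from typing import Dict, List, Tuple

# Sample input: lines excerpted from the DDS log posted in this thread.
SAMPLE_LOG = r"""
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
uRun: [Sidebar] c:\program files\windows sidebar\SideBar.exe /autoRun
uRun: [ter8m] RUNDLL32.EXE c:\windows\temp\msxm192z.dll,w
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [<NO NAME>]
dRun: [ter8m] RUNDLL32.EXE c:\windows\temp\msxm192z.dll,w
mPolicies-system: EnableLUA = 0 (0x0)
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-10-22 269648]
RUnknown BtwSrv;BtwSrv; [x]
SUnknown fastnetsrv;fastnetsrv; [x]
2009-10-25 14:04:38 40960 ----a-w- c:\windows\system32\1717448.exe
2009-10-25 14:04:27 828 ----a-w- c:\windows\system32\5877955.exe
2009-10-23 01:57:16 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
"""

# uRun / mRun / dRun: [name] command line
RUN_RE = re.compile(r"^(?P<hive>[umd])Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$", re.I)
# BHO or toolbar whose registered DLL is gone
BHO_NO_FILE_RE = re.compile(r"^(?:BHO|TB):.*-\s*No File\s*$", re.I)
# UAC disabled through policy
UAC_OFF_RE = re.compile(r"^mPolicies-system:\s*EnableLUA\s*=\s*0\b", re.I)
# Service line: <start> <name>;<display>;<path> ; DDS writes [x] when the file is absent
SERVICE_RE = re.compile(r"^(?P<start>[RS]\w*)\s+(?P<svc>[^;]+);(?P<display>[^;]*);(?P<path>.*)$")
# "Created Last 30" line: date time size attrs path
CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+\d+\s+\S+\s+(?P<path>.+)$")
TEMP_DIR_RE = re.compile(r"\\(?:temp|tmp)\\", re.I)
NUMERIC_EXE_RE = re.compile(r"\\system32\\\d+\.exe$", re.I)


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (rule, offending line) pairs in log order."""
    findings: List[Tuple[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RUN_RE.match(line)
        if m:
            # Autorun pointing into a temp directory, as the ter8m entry does.
            if TEMP_DIR_RE.search(m.group("cmd")):
                findings.append(("autorun-from-temp", line))
            continue
        if BHO_NO_FILE_RE.match(line):
            findings.append(("browser-addon-no-file", line))
            continue
        if UAC_OFF_RE.match(line):
            findings.append(("uac-disabled", line))
            continue
        m = SERVICE_RE.match(line)
        if m and "[x]" in m.group("path"):
            findings.append(("service-no-file", line))
            continue
        m = CREATED_RE.match(line)
        if m and NUMERIC_EXE_RE.search(m.group("path")):
            findings.append(("numeric-exe-in-system32", line))
    return findings


def summarize(findings: List[Tuple[str, str]]) -> Dict[str, int]:
    """Count findings per rule."""
    counts: Dict[str, int] = {}
    for rule, _ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for rule, line in results:
        print(f"[{rule}] {line}")
    print(summarize(results))
```

Each flag is a lead for a reviewer rather than a verdict; a `No File` BHO, for instance, is often just an uninstall leftover, and a numeric file name on its own proves nothing. The value of the script is that it surfaces the same handful of lines from a 300-line log that an experienced helper would stop on.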
Old 10-26-2009, 12:51 PM   #2 (permalink)
CatByte (Analyst, Security Team)
Join Date: Jan 2009
Location: Canada
Posts: 2,204
OS: XP sp3

Re: Malware keeps returning

Hi,

Please do the following:

Download Combofix from either of the links below but rename it to combo.exe before saving it to your desktop.


Link 1
Link 2


--------------------------------------------------------------------

Double click on the renamed ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.


NOTE: VERY IMPORTANT: You must disable all your security programs prior to running ComboFix or they will interfere.
ASAP & UNITE Member

Last edited by CatByte; 10-26-2009 at 12:52 PM.
Old 10-26-2009, 04:40 PM   #3 (permalink)
Taekwonty11 (Registered User)
Join Date: Oct 2009
Posts: 18
OS: Vista

Re: Malware keeps returning

Hey, tried using the links you gave me for Combofix and I get the message:

"!! ALERT !! It is NOT SAFE to continue!
The contents of the ComboFix package has been compromised.
Please download a fresh copy from:
http://www.bleepingcomputer.com/comb...o-use-combofix

Note: You may be infected with a file patching virus (Virut)"

I shut down Ad-Aware and Malwarebytes.
Old 10-26-2009, 05:26 PM   #4 (permalink)
CatByte (Analyst, Security Team)
Join Date: Jan 2009
Location: Canada
Posts: 2,204
OS: XP sp3

Re: Malware keeps returning

Hi,

We need to confirm the presence of Virut on your machine.

Please do the following:
  • Make sure to use Internet Explorer for this
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:

    c:\windows\system32\userinit.exe
  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.

Please do the same for the following files:
c:\windows\explorer.exe
c:\windows\system32\ctfmon.exe
c:\windows\system32\spoolsv.exe


NEXT


We would be grateful if you could assist us in our research into this infection by providing us with some samples and information from your machine. This will only take a minute or two to complete, and is very simple. If you wish to help us, please do the following:
  • Download VAPrep.bat and save it to your Desktop.
  • Double-click VAPrep.bat to run it. It will only take a moment to complete.
  • When done, please right-click the VAPrep folder which should now be on your Desktop. Select Send To >> Compressed (zipped) Folder.
  • Next, please go to this webpage.
  • Browse to the VAPrep.zip zipped folder you just created.
  • Click Send File.
Once done, you can delete the VAPrep folder and .zip file from your Desktop. Thanks for helping us out.
ASAP & UNITE Member
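The ComboFix alert two posts up and the request above to have `userinit.exe`, `explorer.exe`, `ctfmon.exe` and `spoolsv.exe` scanned rest on the same idea: a file-patching virus changes existing executables in place, so a digest compared against a trusted baseline exposes it, whether the tool is checking its own package or a helper is checking system files. As an added example, not part of the original thread, of ComboFix or of VirSCAN, the following Python script records SHA-256 digests for that file list from a trusted tree and then reports each file as `OK`, `MISMATCH` or `MISSING`. The directory contents are constructed stand-ins so the script runs offline; a real baseline would come from clean install media or a known-clean machine at the same patch level, and the hashes in the VirSCAN report further down are of the suspect file, not a baseline.

```python
"""Verify a set of Windows system binaries against a known-good hash manifest.

Added example, not part of the original thread, of ComboFix or of VirSCAN.
The file list is the one the helper asked to have scanned; the directory
layout and file contents are constructed here so the script runs offline.
"""
import hashlib
import os
import tempfile
from typing import Dict, Iterable

# Files the helper asked to have checked, relative to the Windows directory.
SYSTEM_FILES = [
    r"system32\userinit.exe",
    r"explorer.exe",
    r"system32\ctfmon.exe",
    r"system32\spoolsv.exe",
]


def sha256_of(path: str) -> str:
    """Stream the file through SHA-256 so large binaries need no extra memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def to_local(rel: str) -> str:
    """Manifest paths use Windows separators; map them to the host's separator."""
    return rel.replace("\\", os.sep)


def build_manifest(root: str, rel_paths: Iterable[str]) -> Dict[str, str]:
    """Record digests from a trusted tree; this baseline must be kept read-only."""
    return {rel: sha256_of(os.path.join(root, to_local(rel))) for rel in rel_paths}


def verify(root: str, manifest: Dict[str, str]) -> Dict[str, str]:
    """Compare a live tree to the manifest: OK, MISMATCH or MISSING per file."""
    result: Dict[str, str] = {}
    for rel, expected in manifest.items():
        path = os.path.join(root, to_local(rel))
        if not os.path.isfile(path):
            result[rel] = "MISSING"
        elif sha256_of(path) != expected:
            result[rel] = "MISMATCH"
        else:
            result[rel] = "OK"
    return result


def make_constructed_tree(root: str) -> None:
    """Populate a directory with constructed stand-in contents for SYSTEM_FILES."""
    for rel in SYSTEM_FILES:
        path = os.path.join(root, to_local(rel))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"MZ constructed stand-in for " + rel.encode())


def demo() -> Dict[str, str]:
    """Baseline a clean tree, then alter one file and drop another before verifying."""
    with tempfile.TemporaryDirectory() as root:
        make_constructed_tree(root)
        manifest = build_manifest(root, SYSTEM_FILES)
        # Stand in for an in-place modification of userinit.exe ...
        with open(os.path.join(root, to_local(SYSTEM_FILES[0])), "ab") as fh:
            fh.write(b"\x90")
        # ... and for a file that has been removed.
        os.remove(os.path.join(root, to_local(SYSTEM_FILES[2])))
        return verify(root, manifest)


if __name__ == "__main__":
    for rel, status in demo().items():
        print(f"{status:8} {rel}")
```

A mismatch on a file that Windows Update has not touched since the baseline was taken is the signal worth acting on; a mismatch immediately after a patch cycle calls for refreshing the baseline first, which is why the manifest should record the patch level it was taken at.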
Old 10-26-2009, 05:52 PM   #5 (permalink)
Taekwonty11 (Registered User)
Join Date: Oct 2009
Posts: 18
OS: Vista

Re: Malware keeps returning

I did VAPrep for you.

VirSCAN.org Scanned Report :
Scanned time : 2009/10/26 19:26:22 (EDT)
Scanner results: 51% Scanner(s) (19/37) found malware!
File Name : userinit.exe
File Size : 45056 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 168bb38dfbd71d14c27c3f128085a4eb
SHA1 : 79864c734f9ac5d5f6e16519ab0cdfd50d7de415
Online report : http://virscan.org/report/f1656c4c06...eb94b6b1e.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20091027020148 2009-10-27 4.50 -
AhnLab V3 2009.10.24.00 2009.10.24 2009-10-24 0.98 Win32/Virut.E
AntiVir 8.2.1.44 7.1.6.151 2009-10-26 0.25 W32/Virut.Gen
Antiy 2.0.18 20091026.3088324 2009-10-26 0.12 -
Arcavir 2009 200910261058 2009-10-26 0.05 -
Authentium 5.1.1 200910261248 2009-10-26 1.21 W32/Virut.AI!Generic (Heuristic)
AVAST! 4.7.4 091026-0 2009-10-26 0.01 -
AVG 8.5.288 270.14.33/2461 2009-10-27 0.48 -
BitDefender 7.81008.4461643 7.28582 2009-10-27 4.57 Win32.Virtob.Gen.12
CA (VET) 35.1.0 7083 2009-10-25 7.62 -
ClamAV 0.95.2 9942 2009-10-27 0.01 -
Comodo 3.12 2744 2009-10-26 1.36 -
CP Secure 1.3.0.5 2009.10.26 2009-10-26 0.06 -
Dr.Web 4.44.0.9170 2009.10.26 2009-10-26 6.05 Win32.Virut.56
F-Prot 4.4.4.56 20091026 2009-10-26 1.19 Possible W32/Virut.AI!Generic
F-Secure 7.02.73807 2009.10.26.11 2009-10-26 0.11 Virus.Win32.Virut.ce [AVP]
Fortinet 2.81-3.120 10.990 2009-10-26 0.19 -
GData 19.8595/19.524 20091026 2009-10-26 5.57 Virus.Win32.Virut.ce [Engine:A]
ViRobot 20091026 2009.10.26 2009-10-26 0.43 -
Ikarus T3.1.01.72 2009.10.26.74277 2009-10-26 4.30 -
JiangMin 11.0.800 2009.10.26 2009-10-26 4.17 Win32/Virut.br
Kaspersky 5.5.10 2009.10.26 2009-10-26 0.06 Virus.Win32.Virut.ce
KingSoft 2009.2.5.15 2009.10.26.18 2009-10-26 0.52 Win32.Virut.cr.61440
McAfee 5.3.00 5783 2009-10-26 3.46 New Win32.g3
Microsoft 1.5202 2009.10.27 2009-10-27 6.44 Virus:Win32/Virut.gen!O
Norman 6.01.09 6.01.00 2009-10-26 4.01 W32/Virut.DY
Panda 9.05.01 2009.10.26 2009-10-26 2.59 Suspicious file
Trend Micro 8.700-1004 6.578.05 2009-10-26 0.05 PE_VIRUX.GEN-2
Quick Heal 10.00 2009.10.26 2009-10-26 1.20 W32.Virut.G
Rising 20.0 21.53.04.00 2009-10-26 0.96 Win32.Infected.GEN [Suspicious]
Sophos 3.00.1 4.46 2009-10-27 2.65 -
Sunbelt 5470 5470 2009-10-26 1.70 -
Symantec 1.3.0.24 20091026.007 2009-10-26 0.06 -
nProtect 20091026.02 6018743 2009-10-26 7.45 -
The Hacker 6.5.0.2 v00054 2009-10-26 0.71 -
VBA32 3.12.10.11 20091026.1631 2009-10-26 1.91 -
VirusBuster 4.5.11.10 10.112.80/2014774 2009-10-26 3.04 Win32.Virut.AB.Gen


VirSCAN.org Scanned Report :
Scanned time : 2009/10/26 19:31:21 (EDT)
Scanner results: Scanners did not find malware!
File Name : explorer.exe
File Size : 2926592 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : d07d4c3038f3578ffce1c0237f2a1253
SHA1 : 4b3bd605b63749ff255e048ca6f27aff95aec24a
Online report : http://virscan.org/report/a41b77a312...fb451671f.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20091027020148 2009-10-27 4.35 -
AhnLab V3 2009.10.24.00 2009.10.24 2009-10-24 0.96 -
AntiVir 8.2.1.44 7.1.6.151 2009-10-26 0.24 -
Antiy 2.0.18 20091026.3088324 2009-10-26 0.12 -
Arcavir 2009 200910261058 2009-10-26 0.09 -
Authentium 5.1.1 200910261248 2009-10-26 1.20 -
AVAST! 4.7.4 091026-0 2009-10-26 0.11 -
AVG 8.5.288 270.14.33/2461 2009-10-27 0.35 -
BitDefender 7.81008.4461643 7.28582 2009-10-27 3.98 -
CA (VET) 35.1.0 7083 2009-10-25 8.95 -
ClamAV 0.95.2 9942 2009-10-27 0.34 -
Comodo 3.12 2744 2009-10-26 1.04 -
CP Secure 1.3.0.5 2009.10.26 2009-10-26 0.48 -
Dr.Web 4.44.0.9170 2009.10.26 2009-10-26 6.06 -
F-Prot 4.4.4.56 20091026 2009-10-26 1.18 -
F-Secure 7.02.73807 2009.10.26.11 2009-10-26 8.79 -
Fortinet 2.81-3.120 10.990 2009-10-26 0.30 -
GData 19.8595/19.524 20091026 2009-10-26 5.45 -
ViRobot 20091026 2009.10.26 2009-10-26 0.41 -
Ikarus T3.1.01.72 2009.10.26.74277 2009-10-26 4.31 -
JiangMin 11.0.800 2009.10.26 2009-10-26 4.51 -
Kaspersky 5.5.10 2009.10.26 2009-10-26 0.07 -
KingSoft 2009.2.5.15 2009.10.26.18 2009-10-26 0.60 -
McAfee 5.3.00 5783 2009-10-26 3.38 -
Microsoft 1.5202 2009.10.27 2009-10-27 6.01 -
Norman 6.01.09 6.01.00 2009-10-26 4.01 -
Panda 9.05.01 2009.10.26 2009-10-26 2.07 -
Trend Micro 8.700-1004 6.578.05 2009-10-26 0.03 -
Quick Heal 10.00 2009.10.26 2009-10-26 1.99 -
Rising 20.0 21.53.04.00 2009-10-26 1.10 -
Sophos 3.00.1 4.46 2009-10-27 2.66 -
Sunbelt 5470 5470 2009-10-26 1.54 -
Symantec 1.3.0.24 20091026.007 2009-10-26 0.10 -
nProtect 20091026.02 6018743 2009-10-26 7.40 -
The Hacker 6.5.0.2 v00054 2009-10-26 1.08 -
VBA32 3.12.10.11 20091026.1631 2009-10-26 2.12 -
VirusBuster 4.5.11.10 10.112.80/2014774 2009-10-26 3.12 -


VirSCAN.org Scanned Report :
Scanned time : 2009/10/26 19:33:46 (EDT)
Scanner results: 51% Scanner(s) (19/37) found malware!
File Name : ctfmon.exe
File Size : 28672 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : f17080badb9e1dd4d089810831941f5a
SHA1 : 4d54aacf7c5a4aeb511dad26e9be294383243df6
Online report : http://virscan.org/report/eef05344fa...4ce6ca76a.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20091027020148 2009-10-27 4.18 -
AhnLab V3 2009.10.24.00 2009.10.24 2009-10-24 0.88 Win32/Virut.E
AntiVir 8.2.1.44 7.1.6.151 2009-10-26 0.52 W32/Virut.Gen
Antiy 2.0.18 20091026.3088324 2009-10-26 0.12 -
Arcavir 2009 200910261058 2009-10-26 0.04 -
Authentium 5.1.1 200910262206 2009-10-26 1.21 W32/Virut.AI!Generic (Heuristic)
AVAST! 4.7.4 091026-0 2009-10-26 0.01 -
AVG 8.5.288 270.14.33/2461 2009-10-27 0.47 -
BitDefender 7.81008.4461643 7.28582 2009-10-27 3.86 Win32.Virtob.Gen.12
CA (VET) 35.1.0 7083 2009-10-25 8.65 -
ClamAV 0.95.2 9942 2009-10-27 0.01 -
Comodo 3.12 2744 2009-10-26 1.35 -
CP Secure 1.3.0.5 2009.10.26 2009-10-26 0.05 -
Dr.Web 4.44.0.9170 2009.10.26 2009-10-26 5.98 Win32.Virut.56
F-Prot 4.4.4.56 20091026 2009-10-26 1.23 Possible W32/Virut.AI!Generic
F-Secure 7.02.73807 2009.10.26.11 2009-10-26 0.10 Virus.Win32.Virut.ce [AVP]
Fortinet 2.81-3.120 10.990 2009-10-26 0.21 -
GData 19.8595/19.524 20091026 2009-10-26 5.41 Virus.Win32.Virut.ce [Engine:A]
ViRobot 20091026 2009.10.26 2009-10-26 0.47 -
Ikarus T3.1.01.72 2009.10.26.74277 2009-10-26 4.28 -
JiangMin 11.0.800 2009.10.26 2009-10-26 3.90 Win32/Virut.br
Kaspersky 5.5.10 2009.10.26 2009-10-26 0.06 Virus.Win32.Virut.ce
KingSoft 2009.2.5.15 2009.10.26.18 2009-10-26 0.55 Win32.Virut.cr.61440
McAfee 5.3.00 5783 2009-10-26 3.41 New Win32.g3
Microsoft 1.5202 2009.10.27 2009-10-27 6.51 Virus:Win32/Virut.gen!O
Norman 6.01.09 6.01.00 2009-10-26 4.01 W32/Virut.DY
Panda 9.05.01 2009.10.26 2009-10-26 1.80 Suspicious file
Trend Micro 8.700-1004 6.578.05 2009-10-26 0.05 PE_VIRUX.GEN-2
Quick Heal 10.00 2009.10.26 2009-10-26 1.18 W32.Virut.G
Rising 20.0 21.53.04.00 2009-10-26 1.04 Win32.Infected.GEN [Suspicious]
Sophos 3.00.1 4.46 2009-10-27 2.70 -
Sunbelt 5470 5470 2009-10-26 1.63 -
Symantec 1.3.0.24 20091026.007 2009-10-26 0.05 -
nProtect 20091026.02 6018743 2009-10-26 7.29 -
The Hacker 6.5.0.2 v00054 2009-10-26 0.71 -
VBA32 3.12.10.11 20091026.1631 2009-10-26 1.92 -
VirusBuster 4.5.11.10 10.112.80/2014774 2009-10-26 3.00 Win32.Virut.AB.Gen


VirSCAN.org Scanned Report :
Scanned time : 2009/10/26 19:35:44 (EDT)
Scanner results: Scanners did not find malware!
File Name : spoolsv.exe
File Size : 127488 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 524bfbea40e6e404737ccbc754647a2e
SHA1 : 6c8c94ff9643b766ac3e033ef0b2fd036eb4a341
Online report : http://virscan.org/report/79cc7586bd...421e58907.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20091027020148 2009-10-27 4.13 -
AhnLab V3 2009.10.24.00 2009.10.24 2009-10-24 0.89 -
AntiVir 8.2.1.44 7.1.6.151 2009-10-26 0.38 -
Antiy 2.0.18 20091026.3088324 2009-10-26 0.12 -
Arcavir 2009 200910261058 2009-10-26 0.05 -
Authentium 5.1.1 200910262206 2009-10-26 1.43 -
AVAST! 4.7.4 091026-0 2009-10-26 0.01 -
AVG 8.5.288 270.14.33/2461 2009-10-27 0.33 -
BitDefender 7.81008.4461643 7.28582 2009-10-27 3.85 -
CA (VET) 35.1.0 7083 2009-10-25 6.03 -
ClamAV 0.95.2 9942 2009-10-27 0.03 -
Comodo 3.12 2744 2009-10-26 0.71 -
CP Secure 1.3.0.5 2009.10.26 2009-10-26 0.06 -
Dr.Web 4.44.0.9170 2009.10.26 2009-10-26 6.00 -
F-Prot 4.4.4.56 20091026 2009-10-26 1.95 -
F-Secure 7.02.73807 2009.10.26.11 2009-10-26 0.07 -
Fortinet 2.81-3.120 10.990 2009-10-26 0.26 -
GData 19.8595/19.524 20091026 2009-10-26 6.16 -
ViRobot 20091026 2009.10.26 2009-10-26 0.42 -
Ikarus T3.1.01.72 2009.10.26.74277 2009-10-26 4.25 -
JiangMin 11.0.800 2009.10.26 2009-10-26 6.14 -
Kaspersky 5.5.10 2009.10.26 2009-10-26 0.06 -
KingSoft 2009.2.5.15 2009.10.26.18 2009-10-26 0.67 -
McAfee 5.3.00 5783 2009-10-26 3.48 -
Microsoft 1.5202 2009.10.27 2009-10-27 6.44 -
Norman 6.01.09 6.01.00 2009-10-26 4.00 -
Panda 9.05.01 2009.10.26 2009-10-26 2.20 -
Trend Micro 8.700-1004 6.578.05 2009-10-26 0.03 -
Quick Heal 10.00 2009.10.26 2009-10-26 1.32 -
Rising 20.0 21.53.04.00 2009-10-26 0.87 -
Sophos 3.00.1 4.46 2009-10-27 3.66 -
Sunbelt 5470 5470 2009-10-26 1.64 -
Symantec 1.3.0.24 20091026.007 2009-10-26 0.06 -
nProtect 20091026.02 6018743 2009-10-26 7.76 -
The Hacker 6.5.0.2 v00054 2009-10-26 0.77 -
VBA32 3.12.10.11 20091026.1631 2009-10-26 1.91 -
VirusBuster 4.5.11.10 10.112.80/2014774 2009-10-26 2.46 -
Taekwonty11 is offline  
Old 10-26-2009, 05:54 PM   #6 (permalink)
Analyst, Security Team
 
CatByte's Avatar
 
Join Date: Jan 2009
Location: Canada
Posts: 2,204
OS: XP sp3


Re: Malware keeps returning

Unfortunately I have some very bad news: I am afraid you have the VIRUT FILE INFECTOR.


VIRUT is a polymorphic file infector with some additional features. It spreads all around the drive and infects even files infected by another virus previously.

Unfortunately, the cleaning of this virus is not possible.

The only thing we recommend is to do a full reformat and install.

We have an excellent tutorial on how to reformat here

and for a Vista reformat re-install HERE

We do not recommend trying to save any files from this machine as they could all be infected and will simply re-infect your system again, there is no way of being certain what this infection can do.

It used to be certain documents, pictures etc. could be saved, but not any more. Virut is now known to infect all file formats.

Read more about the VIRUT FILE INFECTOR HERE

If you don't have a Windows Installation Disk (if this came with Windows pre-installed), you may have a Manufacturer restore disk to restore the computer to its original state - this depends on the Manufacturer though. Otherwise, give the Manufacturer a call and ask them to send you a restore disk or Windows installation CD.

Should you have any questions, please feel free to ask.

I am sorry there is nothing more that we can do.


More information:

Quote:
http://free.avg.com/66558
There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus.

http://home.mcafee.com/VirusInfo/Vir...spx?key=143034
W32/Virut.h is a polymorphic, entry point obscuring (EPO) file infector with IRC bot functionality. It can accept commands to download other malware on the compromised machine.
It appends to the end of the last section of executable (PE) files an encrypted copy of its code. The decryptor is polymorphic and can be located either:
Immediately before the encrypted code at the end of the last section
At the end of the code section of the infected host in 'slack-space' (assuming there is any)
At the original entry point of the host (overwriting the original host code)

Miekiemoes, a highly regarded expert in malware removal and an MS-MVP, has an extremely informative blog post about Virut. She only ever recommends a total reformat.

At least this way, you have the best chance of having a clean machine once more.

For future protection read this very well written article Think Prevention.
__________________


ASAP & UNITE Member
CatByte is offline  
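The McAfee description quoted above names three places an entry-point-obscuring infector can put its decryptor. Two of them (appended to the last section, or in the code section's slack space) leave traces in the PE headers that can be checked without signatures. The following is an added example, not code from this thread, from McAfee, or from any scanner listed above; it parses a PE file's section table and entry point and reports those structural symptoms. The function names are the example's own, and the sample images are constructed inline (header-only, no real code).

```python
"""Header-level checks for the entry-point symptoms of appended-code file infectors.

Added example; not code from the forum thread, McAfee or any scanner named above.
It does not identify Virut (that needs signatures or emulation). It reports the
traits the quoted description lists that are visible in the headers: an entry
point inside the last section, an entry point in a code section's alignment
slack, and a last section that is both writable and executable.
"""
import struct

# Section characteristic flags from the PE specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data):
    """Return (AddressOfEntryPoint, list of section dicts); raise ValueError if not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, pe_off + 6)[0]      # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]  # SizeOfOptionalHeader
    opt_off = pe_off + 24                                      # after signature + 20-byte COFF header
    entry = struct.unpack_from("<I", data, opt_off + 16)[0]    # same offset in PE32 and PE32+
    sec_off = opt_off + opt_size
    sections = []
    for i in range(nsec):
        off = sec_off + 40 * i
        name, vsize, va, rawsize = struct.unpack_from("<8sIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]    # Characteristics
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "rawsize": rawsize, "chars": chars})
    return entry, sections


def entry_point_findings(data):
    """Return a list of findings; an empty list means no header-level symptom was seen."""
    entry, sections = parse_pe(data)
    if not sections:
        return ["no section table"]
    ep_idx = None
    for i, s in enumerate(sections):
        if s["va"] <= entry < s["va"] + max(s["vsize"], s["rawsize"]):
            ep_idx = i
            break
    if ep_idx is None:
        return ["entry point lies outside every section"]
    findings = []
    ep, last = sections[ep_idx], sections[-1]
    if len(sections) > 1 and ep_idx == len(sections) - 1:
        findings.append("entry point in last section %s" % ep["name"])
    # Bytes past VirtualSize but inside SizeOfRawData are alignment padding the
    # linker never meant to execute; an entry point there is the "slack-space" case.
    if ep["vsize"] and entry >= ep["va"] + ep["vsize"]:
        findings.append("entry point in alignment slack of %s" % ep["name"])
    if last["chars"] & IMAGE_SCN_MEM_EXECUTE and last["chars"] & IMAGE_SCN_MEM_WRITE:
        findings.append("last section %s is writable and executable" % last["name"])
    return findings


def build_pe(sections, entry_rva):
    """Construct a header-only PE32 image for the demo (constructed sample, no real code).
    sections: iterable of (name, virtual_address, virtual_size, raw_size, characteristics)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew -> right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)                                        # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                  # AddressOfEntryPoint
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.ljust(8, b"\0"), vs, va, rs, 0, 0, 0, 0, 0, ch)
                     for n, va, vs, rs, ch in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

# Constructed samples: a normal layout, one with code appended to a now-RWX last
# section, and one whose entry point was moved into .text's alignment padding.
CLEAN_PE = build_pe([(b".text", 0x1000, 0x800, 0x1000, CODE),
                     (b".data", 0x2000, 0x200, 0x200, DATA)], entry_rva=0x1100)
APPENDED_PE = build_pe([(b".text", 0x1000, 0x800, 0x1000, CODE),
                        (b".rsrc", 0x2000, 0x1400, 0x1400, DATA | IMAGE_SCN_MEM_EXECUTE)],
                       entry_rva=0x3300)
SLACK_PE = build_pe([(b".text", 0x1000, 0x800, 0x1000, CODE),
                     (b".data", 0x2000, 0x200, 0x200, DATA)], entry_rva=0x1900)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_PE), ("appended", APPENDED_PE), ("slack", SLACK_PE)):
        print(label, entry_point_findings(image) or ["no header-level symptoms"])
```

These are triage heuristics, not a verdict: some packers and self-extracting installers legitimately start execution in the last section, and the third placement the quote mentions (the decryptor overwriting the host's original entry-point code) changes no header field at all, which is one reason the thread's advice of a full reformat, rather than file-by-file cleaning, is the sound one.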
Old 10-26-2009, 05:56 PM   #7 (permalink)
Registered User
 
Taekwonty11's Avatar
 
Join Date: Oct 2009
Posts: 18
OS: Vista

My System

Re: Malware keeps returning

NO! Damn. So I will lose EVERYTHING on my computer?!?!?
Taekwonty11 is offline  
Old 10-26-2009, 05:58 PM   #8 (permalink)
Analyst, Security Team
 
CatByte's Avatar
 
Join Date: Jan 2009
Location: Canada
Posts: 2,204
OS: XP sp3


Re: Malware keeps returning

There is no way of knowing what this virus can do. It's very risky to try and save anything.
Some pictures or music files and some documents might be OK but this virus has been known to infect those file types too.

There is no guarantee that any file is free from this virus.
__________________


ASAP & UNITE Member
CatByte is offline  
Old 10-26-2009, 06:04 PM   #9 (permalink)
Registered User
 
Taekwonty11's Avatar
 
Join Date: Oct 2009
Posts: 18
OS: Vista

My System

Re: Malware keeps returning

Honestly, I am just worried about my iTunes. I CANNOT just delete 3000 songs and such. Is there any way to save these?

Update: I just scanned my iTunes library with Malwarebytes and it found nothing. Is it possible that virut has not infected these? I just want to save these. Everything else can be replaced.

Also, I have an Alienware computer and every time I boot my computer up, it says "Press F10 for Alienware respawn" or something like that. It has always said this. What is this? Can it help in any way?

Last edited by Taekwonty11; 10-26-2009 at 06:11 PM.
Taekwonty11 is offline  
Old 10-26-2009, 06:12 PM   #10 (permalink)
Analyst, Security Team
 
CatByte's Avatar
 
Join Date: Jan 2009
Location: Canada
Posts: 2,204
OS: XP sp3


Re: Malware keeps returning

Put them on a separate drive, make sure nothing else is on that drive. Then scan the drive with an online scanner such as Kaspersky (without opening any of the songs).

Kaspersky On-line Scanner

You would be saving them at your own risk. If even one of those songs is infected it will just reinfect your reformatted machine.

If you have used peer2peer or torrents to obtain that music, then that is likely the source of the infection.


I don't believe the respawn will clean this infection. It needs to be a reformat - reinstall
__________________


ASAP & UNITE Member

Last edited by CatByte; 10-26-2009 at 06:14 PM.
CatByte is offline  
Old 10-26-2009, 06:15 PM   #11 (permalink)
Registered User
 
Taekwonty11's Avatar
 
Join Date: Oct 2009
Posts: 18
OS: Vista

My System

Re: Malware keeps returning

Ok, now this gets complicated and I appreciate you sticking with me here. After I found out I had some virus I put a lot of my major folders onto my FreeAgent 500 GB external hard drive just in case. I am guessing these are infected as is my external drive now. What on earth do I do about this now?
Taekwonty11 is offline  
Old 10-26-2009, 06:26 PM   #12 (permalink)
Analyst, Security Team
 
CatByte's Avatar
 
Join Date: Jan 2009
Location: Canada
Posts: 2,204
OS: XP sp3


Re: Malware keeps returning

Format your external drive as well.

It might be more advisable to start a new thread in our Vista forum.

Link back to this topic so they are aware of the seriousness of your infection and ask for advice on how best to reformat and take care of your external drives properly.

The tech experts would be best to help you with this.
__________________


ASAP & UNITE Member

Last edited by CatByte; 10-26-2009 at 06:28 PM.
CatByte is offline  
Old 10-26-2009, 06:29 PM   #13 (permalink)
Registered User
 
Taekwonty11's Avatar
 
Join Date: Oct 2009
Posts: 18
OS: Vista

My System

Re: Malware keeps returning

Alright, I'm at college and we have an Office of Information Technologies. I will go there tomorrow so I make sure I reformat properly, as I have never done it before. Maybe they will also tell me if I can save my iTunes. Honestly, I can't get back everything I would lose there. I appreciate the help CatByte and may God inflict terrible anguish upon those who create such horrible things.
Taekwonty11 is offline  
Old 10-26-2009, 06:47 PM   #14 (permalink)
Analyst, Security Team
 
CatByte's Avatar
 
Join Date: Jan 2009
Location: Canada
Posts: 2,204
OS: XP sp3


Re: Malware keeps returning

Good luck.
__________________


ASAP & UNITE Member
CatByte is offline  
Old 10-26-2009, 07:40 PM   #15 (permalink)
Registered User
 
Taekwonty11's Avatar
 
Join Date: Oct 2009
Posts: 18
OS: Vista

My System

Re: Malware keeps returning

One more quick question, if you please. Since I have synched my iPod since I have had this Virut virus, is my iPod infected too? Because I plan on reformatting and then taking whatever is on my iPod and turning them back into files on my computer, if that makes sense. Can an iPod be infected?
Taekwonty11 is offline  
Old 10-26-2009, 08:01 PM   #16 (permalink)
Analyst, Security Team
 
CatByte's Avatar
 
Join Date: Jan 2009
Location: Canada
Posts: 2,204
OS: XP sp3


Re: Malware keeps returning

If it was synced with an infected file, then yes, it could be infected.

There is really no way of knowing with this infection.

Scan the iPod with the Kaspersky scanner at the same time you are doing your external hard drive; it may be fine.

It may be time consuming to format and load all those songs again. But if it were mine, I wouldn't chance it, and that's what I would do.
__________________


ASAP & UNITE Member
CatByte is offline  
Old 10-28-2009, 07:22 PM   #17 (permalink)
Registered User
 
Taekwonty11's Avatar
 
Join Date: Oct 2009
Posts: 18
OS: Vista

My System

Re: Malware keeps returning

Hey, me again, so I reformatted and everything and now I am clean. My main goal now is to prevent this from EVER happening again.

As I said yesterday I believe my external hard drive is infected (at least I have to treat it as such) and needs to be reformatted. To do this, I believe I need to plug it into my computer. How can I reformat it without it infecting my now clean laptop? I am now running the following protection:

- Avira AntiVir Personal Free Antivirus
- COMODO Firewall
- ThreatFire

With these three layers of protection going, how can I reformat this external HDD without getting infected again?

Thanks!
Taekwonty11 is offline  
Old 10-28-2009, 07:51 PM   #18 (permalink)
Analyst, Security Team
 
CatByte's Avatar
 
Join Date: Jan 2009
Location: Canada
Posts: 2,204
OS: XP sp3


Re: Malware keeps returning

Hi,

It would be best if you posted a new topic in our Vista help forum and let the expert techs there walk you through the best way to go about it; it really isn't my area of expertise.

Be sure to advise them and link to this topic, so they can see they are dealing with a virut infection.
__________________


ASAP & UNITE Member
CatByte is offline  
Copyright 2001 - 2009, Tech Support Forum