Old 11-05-2009, 05:03 PM   #1 (permalink)
Registered User
 
Join Date: Nov 2009
Posts: 16
OS: win XP


AV virus

My OS is XP Media Edition. I somehow got a virus that told me that I needed AV care to clean my computer. I attempted to delete it and don't see it anymore, but my web pages keep redirecting. Also, I cannot get to my Task Manager; Windows closes it to protect my computer. Below is my report from my DDS.

DDS (Ver_09-10-26.01) - NTFSx86
Run by Brandon at 12:37:20.10 on Thu 11/05/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.363 [GMT -5:00]

AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe -k netsvc
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\TUProgSt.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Opera\opera.exe
C:\Documents and Settings\Brandon\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = https://one.asburyseminary.edu/home
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - No File
EB: {2AA2FBF8-9C76-4E97-A226-25C5F4AB6358} - No File
uRun: [RIMDeviceManager] "c:\program files\common files\research in motion\rimdevicemanager\RIMDeviceManager.exe" -RunServer
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRunOnce: [RunNarrator] Narrator.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0\bin\npjpi150.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo2.walgreens.com/WalgreensActivia.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://javadl-esd.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553550000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E9B80D94-D8BC-43DE-9138-75605A8D9666} - hxxp://zone.msn.com/bingame/wedd/default/WeddingDash.1.0.0.50.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 nwprovau

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-8-29 206256]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2009-8-29 51488]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2009-8-29 39200]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2009-8-29 159600]
R2 SPService;SPService;c:\windows\system32\svchost.exe -k netsvc [2004-8-10 14336]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [2009-9-29 604488]
R3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [2009-8-29 64392]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2009-8-29 33056]
R3 ThreatFire;ThreatFire;c:\program files\spyware doctor\tfengine\tfservice.exe service --> c:\program files\spyware doctor\tfengine\TFService.exe service [?]
S2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2008-8-25 348752]
S3 getPlusHelper;getPlus(R) Helper;c:\windows\system32\svchost.exe -k getPlusHelper [2004-8-10 14336]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2009-10-21 13:12:08 0 d-----w- c:\docume~1\alluse~1\applic~1\SP
2009-10-20 11:49:33 0 d-----w- c:\program files\Windows Police Pro
2009-10-19 21:30:12 0 d-----w- c:\docume~1\brandon\applic~1\IObit
2009-10-19 21:29:56 0 d-----w- c:\program files\IObit
2009-10-19 00:57:22 0 d-----w- c:\docume~1\brandon\applic~1\Logs
2009-10-15 19:38:21 0 ----a-w- c:\windows\DVM.INI
2009-10-10 01:46:32 0 d-----w- c:\program files\iPod
2009-10-10 01:46:27 0 d-----w- c:\program files\iTunes
2009-10-10 01:46:27 0 d-----w- c:\docume~1\alluse~1\applic~1\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-10-09 11:14:57 3252 ----a-w- c:\windows\system32\wbem\Outlook_01ca48d1bc132dfe.mof
2009-10-08 18:22:52 27496 ----a-w- c:\windows\system32\mucltui.dll.mui
2009-10-08 18:22:52 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-10-08 18:22:52 208744 ----a-w- c:\windows\system32\muweb.dll
2009-10-08 00:02:26 0 d-----w- c:\documents and settings\brandon\Tracing
2009-10-07 23:59:37 0 d-----w- c:\program files\Microsoft
2009-10-07 23:59:04 0 d-----w- c:\program files\Windows Live SkyDrive
2009-10-07 23:55:29 0 d-----w- c:\program files\common files\Windows Live

==================== Find3M ====================

2009-11-03 01:15:45 256 ----a-w- c:\documents and settings\brandon\pool.bin
2009-09-30 02:58:51 36196 ---ha-w- c:\windows\system32\mlfcache.dat
2009-09-29 19:31:56 604488 ----a-w- c:\windows\system32\TUProgSt.exe
2009-09-29 19:31:51 361288 ----a-w- c:\windows\system32\TuneUpDefragService.exe
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08:21 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2008-12-12 16:52:34 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008121220081213\index.dat

============= FINISH: 12:39:14.32 ===============
Attached Files
File Type: zip Attach.zip (21.4 KB, 4 views)
broach is offline  

Old 11-09-2009, 09:21 AM   #2 (permalink)
Analyst, Security Team
 
thewall's Avatar
 
Join Date: Jun 2009
Location: Florida
Posts: 654
OS: Windows XP


Re: AV virus

Hello broach. Welcome to the TSF Virus/Trojan/Spyware Help forum. I will be assisting you in cleaning up your system.


I ask that you refrain from running tools other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.




After 3 days if a topic is not replied to we assume it has been abandoned and it is closed.


Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instruction can be found HERE
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:





Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.












Thanks,



thewall
__________________
thewall is offline  
Old 11-09-2009, 06:15 PM   #3 (permalink)
Registered User
 
Join Date: Nov 2009
Posts: 16
OS: win XP


Re: AV virus

Check


ComboFix 09-11-08.03 - Brandon 11/09/2009 19:48.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.695 [GMT -5:00]
Running from: c:\documents and settings\Brandon\Desktop\ComboFix.exe
AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
* Created a new restore point
.
ADS - system32: deleted 142 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Brandon\Application Data\Logs\scns.log
c:\program files\Windows Police Pro
c:\windows\kb913800.exe

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
c:\windows\system32\taskmgr.exe . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NWCWORKSTATION
-------\Service_NWCWorkstation


((((((((((((((((((((((((( Files Created from 2009-10-10 to 2009-11-10 )))))))))))))))))))))))))))))))
.

2009-11-03 19:19 . 2009-11-03 19:19 -------- d-----w- c:\documents and settings\Brandon\Local Settings\Application Data\Opera
2009-11-03 19:18 . 2009-11-09 21:02 -------- d-----w- c:\program files\Opera
2009-10-27 00:44 . 2009-10-27 00:44 1962544 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
2009-10-27 00:43 . 2009-10-27 00:44 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-10-27 00:43 . 2009-10-27 00:43 -------- d-----w- c:\program files\NOS
2009-10-21 13:12 . 2009-11-03 01:16 -------- d-----w- c:\documents and settings\All Users\Application Data\SP
2009-10-19 21:30 . 2009-10-19 21:30 -------- d-----w- c:\documents and settings\Brandon\Application Data\IObit
2009-10-19 21:29 . 2009-10-19 21:29 -------- d-----w- c:\program files\IObit
2009-10-19 03:19 . 2009-10-19 03:19 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2009-10-19 03:18 . 2009-10-19 03:18 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-10-19 01:09 . 2009-10-19 01:09 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-10-19 00:57 . 2009-11-10 00:53 -------- d-----w- c:\documents and settings\Brandon\Application Data\Logs
2009-10-14 10:39 . 2009-10-14 10:39 -------- d-----w- c:\documents and settings\Brandon\Local Settings\Application Data\PCHealth

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-10 00:56 . 2009-01-05 12:17 256 ----a-w- c:\documents and settings\Brandon\pool.bin
2009-11-09 21:04 . 2008-08-26 01:05 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-09 21:03 . 2008-08-26 01:04 -------- d-----w- c:\program files\Spyware Doctor
2009-10-28 00:57 . 2008-08-29 20:55 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-12 00:55 . 2008-10-25 01:39 -------- d-----w- c:\documents and settings\Brandon\Application Data\Move Networks
2009-10-12 00:49 . 2009-03-26 16:20 -------- d-----w- c:\documents and settings\Brandon\Application Data\uTorrent
2009-10-10 01:49 . 2008-08-31 20:30 -------- d-----w- c:\documents and settings\Brandon\Application Data\Apple Computer
2009-10-10 01:47 . 2009-10-10 01:46 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-10-10 01:47 . 2009-10-10 01:46 -------- d-----w- c:\program files\iTunes
2009-10-10 01:46 . 2009-10-10 01:46 -------- d-----w- c:\program files\iPod
2009-10-10 01:46 . 2008-08-31 20:27 -------- d-----w- c:\program files\Common Files\Apple
2009-10-10 01:43 . 2009-10-10 01:42 -------- d-----w- c:\program files\QuickTime
2009-10-08 00:02 . 2008-08-26 01:05 41360 ----a-w- c:\documents and settings\Brandon\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-07 23:59 . 2009-10-07 23:59 -------- d-----w- c:\program files\Microsoft
2009-10-07 23:59 . 2009-10-07 23:58 -------- d-----w- c:\program files\Windows Live
2009-10-07 23:59 . 2009-10-07 23:59 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-10-07 23:55 . 2009-10-07 23:55 -------- d-----w- c:\program files\Common Files\Windows Live
2009-09-30 03:02 . 2009-09-29 19:28 -------- d-----w- c:\program files\TweakNow RegCleaner
2009-09-30 03:02 . 2009-09-29 19:28 -------- d-----w- c:\documents and settings\Brandon\Application Data\TweakNow RegCleaner
2009-09-30 02:58 . 2009-09-30 02:58 36196 ---ha-w- c:\windows\system32\mlfcache.dat
2009-09-29 21:55 . 2009-09-29 19:30 -------- d-----w- c:\program files\TuneUp Utilities 2009
2009-09-29 21:46 . 2009-03-27 12:33 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2009-09-29 19:31 . 2009-09-29 19:31 604488 ----a-w- c:\windows\system32\TUProgSt.exe
2009-09-29 19:31 . 2009-09-29 19:31 361288 ----a-w- c:\windows\system32\TuneUpDefragService.exe
2009-09-29 19:31 . 2009-09-29 19:31 -------- d-----w- c:\documents and settings\Brandon\Application Data\TuneUp Software
2009-09-29 19:30 . 2009-09-29 19:30 -------- d-----w- c:\documents and settings\All Users\Application Data\TuneUp Software
2009-09-29 19:29 . 2009-09-29 19:29 -------- d-sh--w- c:\documents and settings\All Users\Application Data\{55A29068-F2CE-456C-9148-C869879E2357}
2009-09-21 21:09 . 2009-09-21 21:09 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.1.8\SetupAdmin.exe
2009-09-11 14:18 . 2004-08-10 11:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2004-08-10 11:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-03 21:10 . 2009-08-30 02:22 206256 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-08-29 08:08 . 2006-03-04 03:33 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-28 13:09 . 2009-08-28 13:07 13526617 ----a-w- c:\documents and settings\Brandon\Application Data\Research In Motion\BlackBerry Media Sync\AutoUpdate\Updates\2.0.0.27\BlackBerryMediaSync.exe
2009-08-26 08:00 . 2004-08-10 11:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-18 02:30 . 2009-08-18 02:30 0 ----a-w- c:\windows\nsreg.dat
.

------- Sigcheck -------

Cryptography Services Error !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RIMDeviceManager"="c:\program files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe" [2008-05-12 1422608]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-02 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-01 1392640]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-18 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 696320]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"swg"=c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"igfxtray"=c:\windows\system32\igfxtray.exe
"igfxhkcmd"=c:\windows\system32\hkcmd.exe
"SunJavaUpdateSched"=c:\program files\Java\jre1.5.0\bin\jusched.exe
"ehTray"=c:\windows\ehome\ehtray.exe
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
"SigmatelSysTrayApp"=stsystra.exe
"Media Codec Update Service"=c:\program files\Essentials Codec Pack\WECPUpdate.exe -s

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\svchost.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [8/29/2009 9:22 PM 206256]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [8/29/2009 9:25 PM 51488]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [8/29/2009 9:25 PM 39200]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [8/29/2009 9:22 PM 159600]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [9/29/2009 2:31 PM 604488]
S2 SPService;SPService;c:\windows\system32\svchost.exe -k netsvc [8/10/2004 6:00 AM 14336]
S3 getPlusHelper;getPlus(R) Helper;c:\windows\System32\svchost.exe -k getPlusHelper [8/10/2004 6:00 AM 14336]
S3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [8/29/2009 9:22 PM 64392]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [8/25/2008 8:05 PM 348752]
S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [8/29/2009 9:25 PM 33056]
S3 ThreatFire;ThreatFire;c:\program files\Spyware Doctor\TFEngine\TFService.exe service --> c:\program files\Spyware Doctor\TFEngine\TFService.exe service [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MDMXSDK

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
netsvc REG_MULTI_SZ SPService
getPlusHelper REG_MULTI_SZ getPlusHelper

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2009-11-10 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2009-07-16 14:54]

2009-11-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-11-09 c:\windows\Tasks\User_Feed_Synchronization-{BF24E708-2575-453B-80C0-7E5F05C16496}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = https://one.asburyseminary.edu/home
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
LSP: c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - (no file)
AddRemove-Adobe ConnectNow - c:\documents and settings\Brandon\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\acaddin\acaddin.exe
AddRemove-BitTorrent DNA - c:\program files\DNA\btdna.exe



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(228)
c:\windows\system32\WININET.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\windows\System32\bcmwltry.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
.
**************************************************************************
.
Completion time: 2009-11-10 19:59 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-10 00:59

Pre-Run: 78,360,477,696 bytes free
Post-Run: 78,330,224,640 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - 0C3D1CFFE67F792083ECA3417E90330B
Attached Files
File Type: txt ComboFix.txt (13.4 KB, 2 views)
broach is offline  
Old 11-09-2009, 07:39 PM   #4 (permalink)
Analyst, Security Team
 
thewall's Avatar
 
Join Date: Jun 2009
Location: Florida
Posts: 654
OS: Windows XP


Re: AV virus

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :filefind
    taskmgr.exe
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
__________________
thewall is offline  
Old 11-09-2009, 08:11 PM   #5 (permalink)
Registered User
 
Join Date: Nov 2009
Posts: 16
OS: win XP


Re: AV virus

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 22:09 on 09/11/2009 by Brandon (Administrator - Elevation successful)

========== filefind ==========

Searching for "taskmgr.exe"
C:\WINDOWS\ServicePackFiles\i386\taskmgr.exe ------ 155648 bytes [01:42 18/09/2008] [00:12 14/04/2008] CE44C8372AF0B5FFA35913B9DD3704B1
C:\WINDOWS\system32\taskmgr.exe --a--- 155648 bytes [11:00 10/08/2004] [00:12 14/04/2008] 5AAE9C1E7E7BCFDAF02FE22775FA8668

-=End Of File=-
broach is offline  
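
An added example (not part of the thread, and not SystemLook's own code): Python that parses the two filefind result lines from the log in the post above and flags same-named files whose MD5 values differ even though their size and timestamp match. The column meanings (attributes, size, created, modified, MD5) are assumed from the layout of the log.

```python
import ntpath
import re
from collections import defaultdict

# The two filefind result lines, copied from the SystemLook log in the post above.
SYSTEMLOOK_LOG = r"""
Searching for "taskmgr.exe"
C:\WINDOWS\ServicePackFiles\i386\taskmgr.exe ------ 155648 bytes [01:42 18/09/2008] [00:12 14/04/2008] CE44C8372AF0B5FFA35913B9DD3704B1
C:\WINDOWS\system32\taskmgr.exe --a--- 155648 bytes [11:00 10/08/2004] [00:12 14/04/2008] 5AAE9C1E7E7BCFDAF02FE22775FA8668
"""

# Assumed column layout: path, six attribute flags, size, [created], [modified], MD5.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<attrs>[-a-z]{6})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s*$"
)


def parse_filefind(log):
    """Return one dict per result line; headers and unparseable lines are skipped."""
    entries = []
    for line in log.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        entry = match.groupdict()
        entry["size"] = int(entry["size"])
        entry["md5"] = entry["md5"].upper()
        # ntpath handles Windows paths regardless of the OS running this script.
        entry["name"] = ntpath.basename(entry["path"]).lower()
        entries.append(entry)
    return entries


def find_hash_mismatches(entries):
    """Group copies by file name and report groups with more than one MD5."""
    by_name = defaultdict(list)
    for entry in entries:
        by_name[entry["name"]].append(entry)

    findings = []
    for name, copies in sorted(by_name.items()):
        md5s = {c["md5"] for c in copies}
        if len(copies) < 2 or len(md5s) < 2:
            continue  # a single copy, or all copies identical
        findings.append({
            "name": name,
            "paths": [c["path"] for c in copies],
            "md5s": sorted(md5s),
            # Equal size and modified stamp with unequal hashes means the
            # content differs in a way the directory listing does not show.
            "same_size": len({c["size"] for c in copies}) == 1,
            "same_modified": len({c["modified"] for c in copies}) == 1,
        })
    return findings


if __name__ == "__main__":
    for finding in find_hash_mismatches(parse_filefind(SYSTEMLOOK_LOG)):
        print(f"{finding['name']}: {len(finding['md5s'])} different MD5 values")
        print(f"  same size: {finding['same_size']}, "
              f"same modified stamp: {finding['same_modified']}")
        for path in finding["paths"]:
            print(f"  {path}")
```

A mismatch only shows that the copies differ; deciding which copy, if any, is clean needs a reference hash from trusted media.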
Old 11-09-2009, 09:18 PM   #6 (permalink)
Analyst, Security Team
 
thewall's Avatar
 
Join Date: Jun 2009
Location: Florida
Posts: 654
OS: Windows XP


Re: AV virus

It's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:



Please do a scan with Kaspersky Online Scanner. (Please note: Kaspersky requires Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.)

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Open the Kaspersky WebScanner page.
  • Click on the button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the button, if you made any changes.
  • Now under the Scan section on the left:

    Select My Computer
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type change the type to Text file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis if needed.
__________________
thewall is offline  
Old 11-10-2009, 09:45 AM   #7 (permalink)
Registered User
 
Join Date: Nov 2009
Posts: 16
OS: win XP


Re: AV virus

Check

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, November 10, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, November 10, 2009 11:57:53
Records in database: 3187525
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Objects scanned: 60137
Threats found: 2
Infected objects found: 3
Suspicious objects found: 0
Scan duration: 02:02:41


File name / Threat / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir Infected: Rootkit.Win32.TDSS.u 1
C:\WINDOWS\ServicePackFiles\i386\taskmgr.exe Infected: Virus.Win32.Virut.ce 1
C:\WINDOWS\system32\taskmgr.exe Infected: Virus.Win32.Virut.ce 1

Selected area has been scanned.
broach is offline  
Old 11-10-2009, 02:02 PM   #8 (permalink)
Analyst, Security Team
 
thewall's Avatar
 
Join Date: Jun 2009
Location: Florida
Posts: 654
OS: Windows XP


Re: AV virus

I'll be back with some more instructions but in the meantime I want to get both of these files off of your machine. They are both infected and we don't want them to spread more infections through the machine.


Special ComboFix script made for this computer only

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs including TeaTimer if you have it so they do not interfere with the running of ComboFix. Instructions for doing so are located here

3. Open notepad and copy/paste the text in the quotebox below into it:

Quote:
File::
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\ServicePackFiles\i386\taskmgr.exe

Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
__________________
thewall is offline  
Old 11-10-2009, 05:11 PM   #9 (permalink)
Registered User
 
Join Date: Nov 2009
Posts: 16
OS: win XP


Re: AV virus

Where do I get a ComboFix?
broach is offline  
Old 11-10-2009, 05:16 PM   #10 (permalink)
Registered User
 
Join Date: Nov 2009
Posts: 16
OS: win XP


Re: AV virus

After I used ComboFix last time it disappeared off my desktop.
broach is offline  
Old 11-10-2009, 05:36 PM   #11 (permalink)
Analyst, Security Team
 
thewall's Avatar
 
Join Date: Jun 2009
Location: Florida
Posts: 654
OS: Windows XP


Re: AV virus

That's OK, it was pulled earlier today for a little while until a new version comes out. When it connected to the Internet it received a command to delete itself.


We'll do it manually.



Go to Start > My Computer
Go to Tools > Folder Options
Click on the View tab
Untick the following:
  • Hide extensions for known file types
  • Hide protected operating system files (Recommended)
You will get a message warning you about showing protected operating system files, click Yes
Make sure this option is selected:
  • Show hidden files and folders
Click Apply and then click OK



Use Windows Explorer to find and delete these files:

C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\ServicePackFiles\i386\taskmgr.exe

As an example:
To delete C:\WINDOWS\badfile.dll
Double click the My Computer icon on your Desktop. Or click on the Windows KEY + E.
Double click on Local Disk (C:)
Double click on the Windows folder,
Right click on badfile.dll and then from the menu that appears, click on Delete



Now do the opposite of what you did above to Hide extensions for known file types and
to Hide protected operating system files (Recommended)



Reboot your computer






Next thing to do is I need you to have some other files checked.



Go to http://virusscan.jotti.org
Copy the following line into the white textbox:
C:\WINDOWS\Explorer.EXE
Click Submit.
Please post the results of this scan to this thread.

Do the same for

C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\SYSTEM32\lsass.exe
__________________
thewall is offline  
Old 11-10-2009, 06:05 PM   #12 (permalink)
Registered User
 
Join Date: Nov 2009
Posts: 16
OS: win XP


Re: AV virus

Filename: explorer.exe
Status: Scan finished. 0 out of 21 scanners reported malware.
Scan taken on: Fri 6 Nov 2009 11:37:56 (CET) Permalink

Filename: svchost.exe
Status: Scan finished. 0 out of 21 scanners reported malware.
Scan taken on: Mon 9 Nov 2009 13:03:18 (CET) Permalink

Filename: winlogon.exe
Status: Scan finished. 0 out of 21 scanners reported malware.
Scan taken on: Thu 5 Nov 2009 15:04:42 (CET) Permalink

Filename: lsass.exe
Status: Scan finished. 0 out of 21 scanners reported malware.
Scan taken on: Sat 31 Oct 2009 18:32:16 (CET) Permalink
broach is offline  
Old 11-10-2009, 06:18 PM   #13 (permalink)
Analyst, Security Team
 
thewall's Avatar
 
Join Date: Jun 2009
Location: Florida
Posts: 654
OS: Windows XP


Re: AV virus

Before we proceed further are you still experiencing any other symptoms other than your Task Manager won't work?
__________________
thewall is offline  
Old 11-10-2009, 07:50 PM   #14 (permalink)
Registered User
 
Join Date: Nov 2009
Posts: 16
OS: win XP


Re: AV virus

Actually, I have not experienced any redirects while googling.
broach is offline  
Old 11-10-2009, 08:46 PM   #15 (permalink)
Analyst, Security Team
 
thewall's Avatar
 
Join Date: Jun 2009
Location: Florida
Posts: 654
OS: Windows XP


Re: AV virus

Good, we are making some progress.

I am going to have to get you to rescan those files. The reason is the returns you got were cached. This is where they have already scanned them before. When you do it this time you will see where it says:

Quote:
This file has been scanned before. The results for this previous scan are listed below.

Right below that is a button marked "Scan Again" please rescan each one. If they don't return anything bad on the file you can do like you did last time and just copy what it says. However if you do get a return please right click on the Permalink and copy the link location so you can include it in your next reply. You can paste the link location directly into the window. This is very important because of the virus that was showing on the two files we had you delete. We have to try to rule out the possibility it spread.
__________________
thewall is offline  
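The cached-result check described in post #15, as an added example that is not part of the original thread: it parses results in the layout pasted in posts #12 and #16 and flags any whose scan time predates the upload. The function names, the upload time `SUBMITTED` and the `constructed-sample.exe` entry are assumptions made for this example.

```python
import re
from datetime import datetime

# One result block as pasted in the thread. The trailing "(CET) Permalink"
# is not required, because one pasted result omits it.
BLOCK = re.compile(
    r"Filename:\s*(?P<name>\S+)\s+"
    r"Status:\s*Scan finished\.\s*(?P<hits>\d+) out of \d+ "
    r"scanners reported malware\.\s+"
    r"Scan taken on:\s*\w{3} (?P<when>\d{1,2} \w{3} \d{4} \d{2}:\d{2}:\d{2})"
)

def parse_results(text):
    """Return one dict per pasted result block."""
    return [
        {"name": m["name"], "hits": int(m["hits"]),
         "scanned": datetime.strptime(m["when"], "%d %b %Y %H:%M:%S")}
        for m in BLOCK.finditer(text)
    ]

def triage(results, submitted):
    """Label each result; `submitted` is the upload time on the scanner's clock."""
    verdicts = []
    for r in results:
        if r["hits"] > 0:
            label = "detected"
        elif r["scanned"] < submitted:
            label = "cached, rescan"   # a previous scan, older than this upload
        else:
            label = "clean, fresh"
        verdicts.append((r["name"], label))
    return verdicts

# Two result blocks copied from the thread plus one constructed detection.
SAMPLE = """\
Filename: lsass.exe
Status: Scan finished. 0 out of 21 scanners reported malware.
Scan taken on: Sat 31 Oct 2009 18:32:16 (CET) Permalink

Filename: Explorer.EXE
Status: Scan finished. 0 out of 21 scanners reported malware.
Scan taken on: Thu 12 Nov 2009 02:21:51

Filename: constructed-sample.exe
Status: Scan finished. 3 out of 21 scanners reported malware.
Scan taken on: Thu 12 Nov 2009 02:30:00 (CET) Permalink
"""
SUBMITTED = datetime(2009, 11, 12, 2, 0)  # assumed upload time, scanner clock
```

Calling `triage(parse_results(SAMPLE), SUBMITTED)` labels the 31 Oct result as cached, which is the case post #15 asks to have rescanned.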
Old 11-11-2009, 06:31 PM   #16 (permalink)
Registered User
 
Join Date: Nov 2009
Posts: 16
OS: win XP


Re: AV virus

Filename: Explorer.EXE
Status: Scan finished. 0 out of 21 scanners reported malware.
Scan taken on: Thu 12 Nov 2009 02:21:51

Filename: svchost.exe
Status: Scan finished. 0 out of 21 scanners reported malware.
Scan taken on: Thu 12 Nov 2009 02:24:32 (CET) Permalink

Filename: winlogon.exe
Status: Scan finished. 0 out of 21 scanners reported malware.
Scan taken on: Thu 12 Nov 2009 02:26:52 (CET) Permalink

Filename: lsass.exe
Status: Scan finished. 0 out of 20 scanners reported malware.
Scan taken on: Thu 12 Nov 2009 02:29:27 (CET) Permalink
broach is offline  
Old 11-11-2009, 06:52 PM   #17 (permalink)
Analyst, Security Team
 
thewall's Avatar
 
Join Date: Jun 2009
Location: Florida
Posts: 654
OS: Windows XP


Re: AV virus

That looks good. Seems you might have dodged a very nasty bullet. Do you have your installation CD?
__________________
thewall is offline  
Old 11-11-2009, 07:29 PM   #18 (permalink)
Registered User
 
Join Date: Nov 2009
Posts: 16
OS: win XP


Re: AV virus

I do not
broach is offline  
Old 11-11-2009, 08:13 PM   #19 (permalink)
Analyst, Security Team
 
thewall's Avatar
 
Join Date: Jun 2009
Location: Florida
Posts: 654
OS: Windows XP


Re: AV virus

Using the SystemLook program from post #4 above run the following:

Quote:
:filefind
taskmgr.*
__________________
thewall is offline  
Old 11-11-2009, 08:19 PM   #20 (permalink)
Registered User
 
Join Date: Nov 2009
Posts: 16
OS: win XP


Re: AV virus

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 22:17 on 11/11/2009 by Brandon (Administrator - Elevation successful)

========== filefind ==========

Searching for "taskmgr.* "
No files found.

-=End Of File=-
broach is offline  
 


All times are GMT -7. The time now is 09:40 AM.



Copyright 2001 - 2009, Tech Support Forum