Please help! Infected with Win32/Heur and Win32/Tanatos.M [RESOLVE


This topic is locked

#1 Richiiee (Member)

Last night my firewall (Sygate) said there was a program requesting to connect to the internet. I do not remember what it was, but I know it looked like it had something to do with Microsoft or Windows because it was named something along the lines of something Microsoft would call one of their .exe's. So a few hours later, my computer is sluggish. I go to check the Task Manager... and it won't let me! It says "Task Manager has been disabled by your administrator". I AM the admin, so I know something is up. AVG suddenly starts showing me that Win32/Tanatos.M is infecting EVERYTHING! Windows Media Player, Internet Explorer, Google Chrome, VLC Player, RealPlayer, Wordpad, Paint, everything!

I googled a way to access the Task Manager and it gave me a code to run. Tried it, didn't work. Then I realized it actually DOES work, it's just that the virus quickly disables the Task Manager before I can get into it. So I ran the code in Start > Run one more time, and extremely quickly did Ctrl+Alt+Delete before it could disable it and I got in! I found a whole bunch of .exes that I've never seen before, like:

winkqrmmr.exe
winpfkp.exe
noytd.exe
ycln.exe
mvul.exe
rfpav.exe
winpoflfl.exe
winejlpg.exe

I googled them all and for most of them, nothing came up. So now I'm positive it's a virus. AVG keeps going nuts telling me it's infecting everything, and when I click Heal or Remove, it says the healing failed! I try to block it from the network in Sygate... and Sygate won't open! The virus is blocking my firewall from starting. Even tried starting it with Start > Run and the virus automatically closes it in less than a second.

AVG is doing nothing but warning me that it's infecting every single program, and my firewall is useless. Somebody please help me! My computer has become almost unusable! And I have homework to work on...

Thanks.


Oh, and I'm doing an AVG scan right this moment and it's elapsed 12 minutes and it already found 26 threats, and they're all Tanatos and Heur! Help!



Edit: Argh! I think it ended the Explorer.exe task! Now I can't see my taskbar or open any new windows! I rebooted and NOTHING loads. No taskbar, no icons, Task Manager doesn't open. Just showing my wallpaper. Somebody PLEASE help me. I have no computer now! (Typing this on my sister's).


I can't even get into post a HiJackThis log, but I didn't know where else to put this problem - it's urgent.

Edited by Richiiee, 30 October 2008 - 06:48 PM.

#2 Richiiee (Topic Starter)

I just did a full Windows XP repair and nothing has changed. Would somebody please help me?

#3 Richiiee (Topic Starter)

My flash drive was plugged into my computer during all of this and I brought it to school to use it and the school's virus scanner said there was an infected .exe file that I've never heard of! This thing has infected my flash drive and corrupted all the data!

Would somebody PLEASE help me.

#4 Ltangelic (Retired Staff)

Hey Richiiee,

Welcome to GeekstoGo! I'm Ltangelic and I'll be helping you fix your computer problem.

Before we proceed, here are some things that you can take note of so that the cleaning up process will be smoother and more efficient. Do not worry, the points below are not any form of rules; they are just a few pointers that can ensure that you will get the best help from me. :)
  • To ensure that you are informed of the latest replies to your thread, you may like to right click on Options at the top right hand corner of this page and select "Subscribe to this forum". That way, you will be notified via email when a reply was posted to your thread.
  • If you have any doubts or uncertainty about any part of my instructions, feel free to post on here and ask me about them.
  • Please do NOT attempt to run any tools or do any fixing on your own unless I tell you to, this will avoid any confusion that can occur during the cleaning process. Furthermore, fixing malware problems without sufficient knowledge can be dangerous at times and you can mess up your own computer without knowing.
  • Please do not PM me for malware removal assistance; any request for malware removal assistance should be posted in this thread only. The only time you can and should PM me is when I have not been replying to you for several days (usually around 4 days) and you need an explanation. If that's the case, just send me a message on here. :)
  • Please do not start multiple topics (especially when you are already being assisted by a malware staff). All staff are volunteers on here, starting multiple topics will waste the limited resource of manpower we have here at GeekstoGo, and this can further hinder our ability to assist other users. Please be considerate and stick to one thread. If you have not received a single reply to your topic for 3 days or more, feel free to visit here and post a thread in the Waiting Room with a link to your original topic.
I will be back with a fix soon. Thanks for your patience and understanding. :)

#5 Ltangelic (Retired Staff)

Hey Richiiee,

I noticed that you have posted another topic over at BleepingComputer, please do not post multiple topics at multiple forums as it wastes Helpers' time. I have already PMed a staff member over at BC to close your topic. Please only post to this thread from now onwards. Thanks. :)

Now, let's proceed on to fix your computer. Since you can't post a HijackThis log from your computer, let's go on to run a stronger tool.

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Edited by Ltangelic, 31 October 2008 - 07:15 AM.


#6 Richiiee (Topic Starter)

Sorry about the multiple topic posting.

Unfortunately my explorer.exe process won't work and I can't get it to run because I can't get into the task manager. When I boot up, it just shows my desktop with no icons, no taskbar, nothing. Would I be able to plug my hard drive into another computer and access its files from there while booting off another hard drive? There's really nothing I can do on my computer...

Maybe I could burn those files onto a CD on another computer and boot off the CD on my computer...?

#7 Richiiee (Topic Starter)

Okay well I manually moved my hard drive into my sister's computer (she has Spybot S&D and SuperAnti-Spyware). I didn't open any files on my hard drive due to risk of contamination, and I created a restore point for before I installed the hard drive. I'm running on my sister's hard drive with mine as the secondary so I can view its files, as if it were an external hard drive. Does this help? Sorry if this just complicates the issue - I can move it back if you'd like.

#8 Ltangelic (Retired Staff)

Hey Richiiee,

That's a pretty risky move, please go on to run ComboFix on your sister's computer.

Post me the logs when you are done.

Edited by Ltangelic, 01 November 2008 - 05:26 AM.


#9 Richiiee (Topic Starter)

Sorry once again for going off-track of the things you said I should do, but I've come up with another idea of what we could possibly do. I downloaded ComboFix on my sister's computer, but it only scans her hard drive (C), not mine (D). So I found another hard drive in my house and installed a fresh copy of Windows onto it and updated to SP2 and installed AntiVir, SuperAntiSpyware and Sygate Firewall.

I'm thinking maybe I could put my old hard drive with all my data into the computer and use it as a secondary just as I did with my sister's computer, and drag and drop some of my important files onto this new version of Windows. I would only take things I really need, and as few files as possible to decrease the chance of infecting this computer. Also while I'm doing this I would have all 3 of those security programs watching to make sure no virus from my old hard drive sneaks into my new one.

After I take all my important files, I would run ComboFix and make sure nothing on my new hard drive is infected, then post the log for you to check. Then I could just reformat my old hard drive and store it away somewhere or something. (Wouldn't need the old one anymore, this new one is much bigger anyway).


So to sum it up in a nutshell:

1. Install Windows XP w/SP2 and AntiVir/SuperAntiSpyware/Sygate Firewall (Already done)
2. Plug my old hard drive in and take only the files I really need onto this new hard drive
3. Scan this new hard drive with ComboFix to make sure the files I took haven't infected this new hard drive


Is that a good plan?

Edited by Richiiee, 01 November 2008 - 07:14 PM.


#10 Richiiee (Topic Starter)

Alright, I got my important documents onto this new hard drive with a new Windows XP SP2 installed on it. This is the ComboFix log I just ran. Just want to double check to make sure this new system isn't infected with anything I brought from the old hard drive. Thanks again and sorry for all the mixups.

ComboFix 08-11-02.01 - Richie 2008-11-02 13:03:29.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.200 [GMT -5:00]
Running from: C:\Documents and Settings\Richie\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-10-02 to 2008-11-02 )))))))))))))))))))))))))))))))
.

2008-11-02 09:53 . 2008-11-02 10:00 <DIR> d-------- C:\Program Files\a-squared Anti-Malware
2008-11-02 09:45 . 2008-11-02 09:45 <DIR> d-------- C:\Program Files\Java
2008-11-02 09:45 . 2008-11-02 09:45 410,976 --a------ C:\WINDOWS\system32\deploytk.dll
2008-11-02 09:45 . 2008-11-02 09:45 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-11-02 09:26 . 2008-11-02 09:26 0 --a------ C:\WINDOWS\nsreg.dat
2008-11-02 08:18 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-11-02 08:18 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-11-02 08:18 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-11-01 20:28 . 2008-11-02 11:59 <DIR> d-------- C:\Program Files\New Folder
2008-11-01 16:41 . 2004-08-03 22:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-11-01 16:00 . 2008-11-01 16:00 <DIR> d-------- C:\Program Files\Bit Che
2008-11-01 16:00 . 2008-11-01 16:00 <DIR> d-------- C:\Documents and Settings\Richie\Application Data\Convivea
2008-11-01 15:59 . 2008-11-01 15:59 <DIR> d-------- C:\Program Files\eRightSoft
2008-11-01 15:59 . 2008-11-01 15:59 <DIR> d-------- C:\Documents and Settings\Richie\Application Data\vlc
2008-11-01 15:58 . 2008-11-01 15:58 <DIR> d-------- C:\Program Files\VideoLAN
2008-11-01 15:52 . 2008-11-01 15:52 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-11-01 15:51 . 2008-11-01 15:51 <DIR> d-------- C:\Program Files\Real
2008-11-01 15:51 . 2008-11-01 15:52 <DIR> d-------- C:\Program Files\Common Files\Real
2008-11-01 15:49 . 2008-11-01 15:49 <DIR> d-------- C:\Program Files\uTorrent
2008-11-01 15:48 . 2008-11-01 15:50 <DIR> d-------- C:\Documents and Settings\Richie\Application Data\uTorrent
2008-11-01 13:48 . 2008-11-01 13:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-11-01 13:42 . 2008-11-01 13:42 <DIR> d-------- C:\Program Files\Avira
2008-11-01 13:42 . 2008-11-01 13:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-11-01 13:27 . 2003-03-18 16:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2008-11-01 13:27 . 2008-11-01 15:51 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-11-01 13:27 . 2008-11-01 15:51 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2008-11-01 13:08 . 2008-11-01 13:08 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-11-01 12:46 . 2008-11-01 12:46 <DIR> d-------- C:\Program Files\Sygate
2008-11-01 12:46 . 2008-11-01 12:46 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-11-01 12:46 . 2004-10-15 18:32 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2008-11-01 12:46 . 2004-10-15 18:17 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2008-11-01 12:46 . 2004-10-15 18:18 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2008-11-01 12:46 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2008-11-01 12:46 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2008-11-01 12:46 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2008-11-01 12:46 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2008-11-01 12:43 . 2008-11-01 12:54 <DIR> d-------- C:\Documents and Settings\Richie\Contacts
2008-11-01 12:42 . 2008-11-01 12:42 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-11-01 12:35 . 2008-11-01 12:40 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-11-01 12:34 . 2008-11-01 13:12 <DIR> d-------- C:\Program Files\Windows Live
2008-11-01 12:34 . 2008-11-01 12:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-01 16:07 --------- d-----w C:\Program Files\microsoft frontpage
2008-09-15 11:57 1,846,016 ----a-w C:\WINDOWS\system32\win32k.sys
2008-08-20 05:38 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2008-08-14 10:00 2,180,352 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-08-14 09:22 2,057,728 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2006-05-03 09:06 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll
2007-02-21 10:47 31,232 --sh--r C:\WINDOWS\system32\msfDX.dll
2008-03-16 12:30 216,064 --sh--r C:\WINDOWS\system32\nbDX.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="C:\Documents and Settings\Richie\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-11-01 133104]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 2577632]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-11-01 185872]
"SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe" [2008-11-02 136600]
"a-squared"="C:\Program Files\a-squared Anti-Malware\a2guard.exe" [2008-10-19 2782352]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=

R2 JavaQuickStarterService;Java Quick Starter;C:\Program Files\Java\jre6\bin\jqs.exe [2008-11-02 152984]
R3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2004-08-03 327040]
S3 ati2mpaa;ati2mpaa;C:\WINDOWS\system32\DRIVERS\ati2mpaa.sys [2001-08-17 281856]

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-11-02 C:\WINDOWS\Tasks\GoogleUpdateTaskUser.job
- C:\Documents and Settings\Richie\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-01 11:25]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Richie\Application Data\Mozilla\Firefox\Profiles\ohgtz9qa.default\
FF -: plugin - C:\Documents and Settings\Richie\Local Settings\Application Data\Google\Update\1.2.131.25\npGoogleOneClick6.dll
FF -: plugin - C:\Program Files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF -: plugin - C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npdeploytk.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-02 13:06:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\DOCUME~1\Richie\LOCALS~1\Temp\RGI4.tmp

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
Completion time: 2008-11-02 13:07:02
ComboFix-quarantined-files.txt 2008-11-02 18:06:57

Pre-Run: 220,743,458,816 bytes free
Post-Run: 220,766,994,432 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

124 --- E O F --- 2008-11-01 18:04:04


#11 Ltangelic (Retired Staff)

Hey Richiiee,

Sorry for the delay, real life has gotten into me. Thanks for your patience in waiting. :)

Your ComboFix log doesn't look too bad, and you did a great job helping to improve your computer's situation. :) I think just a few more scans will do, hang in there buddy.

Please follow my instructions in the order they were given, and print out a copy of it as you may not have access to the forums during the fix.

1) Uninstall Program

Please go to Add or Remove Programs and remove the following (if present):

uTorrent


Optional Removal (highlighted in green): uTorrent is a P2P program that can compromise your computer's security; it's highly recommended that you remove it.

NEXT

Use Windows Explorer and remove the following (if present):

C:\Program Files\uTorrent

Reboot your computer.

2) Run a scan with Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

3) Run Kaspersky online scan

Please do an online scan with Kaspersky WebScanner

Click on Accept

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Next reply (please include):

Fresh HijackThis log
MBAM scan log
Kaspersky scan log


PS. I will be away from 4th to 5th November, please be patient and I'll get back with a fix as soon as I can, thanks for your understanding. :)

Edited by Ltangelic, 03 November 2008 - 07:59 AM.


#12 Richiiee (Topic Starter)

Okay, Malwarebytes' didn't catch anything.


Malwarebytes' Anti-Malware 1.30
Database version: 1373
Windows 5.1.2600 Service Pack 2

11/7/2008 5:20:28 PM
mbam-log-2008-11-07 (17-20-28).txt

Scan type: Quick Scan
Objects scanned: 44323
Time elapsed: 4 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)





Here's my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:27:19 PM, on 11/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Documents and Settings\Richie\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Richie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Richie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Richie\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 5313 bytes




And for the online scan, it keeps freezing and crashing while it updates before scanning. Any other ideas?

Also, 2 questions:

1. Can I delete ComboFix from my desktop now?
2. Would it be alright to use Malwarebytes' as my permanent anti-malware program rather than a-squared? I trust Malwarebytes' more, it uses less resources and its scans are faster.

#13 Ltangelic (Retired Staff)

Hey Richiiee,

And for the online scan, it keeps freezing and crashing while it updates before scanning. Any other ideas?

Also, 2 questions:

1. Can I delete ComboFix from my desktop now?
2. Would it be alright to use Malwarebytes' as my permanent anti-malware program rather than a-squared? I trust Malwarebytes' more, it uses less resources and its scans are faster.


We'll try another online scan instead of Kaspersky. :wave:

1. I'll ask you to uninstall ComboFix after we clean up this computer, please don't remove it on your own or run it without my supervision.
2. Sure, you can uninstall a-squared Anti-Malware since it is only a trial software. However, Malwarebytes' Anti-Malware can only act as a scanner as it doesn't have real time protection against spyware in its free version. You can keep it as a malware scanner, but I'll recommend you an anti-spyware program with protection after we finish cleaning your computer. :)

One last online scan and we'll be done. :)

1) Run ATF Cleaner

Please download ATF Cleaner by Atribune.
This program is for Windows 98/ME/2K/XP and Vista.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

2) Run an online scan with ESET

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic
3) Fix an entry with HijackThis

Please re-open HijackThis and Do a System Scan Only. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

Now close all windows other than HijackThis, then click Fix Checked. Close HijackThis.

Next reply (please include):

Fresh HijackThis log
ESET online scan results

  • 0

#14
Richiiee

    Member

  • Topic Starter
  • Member
  • 78 posts
Okay here's my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:58:10 AM, on 11/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Documents and Settings\Richie\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Richie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Richie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Richie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Richie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Richie\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/b...lineScanner.cab
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 5448 bytes



And just like the Kaspersky one, the scan didn't complete... it went about 3/4 of the way through the scan (it hadn't detected anything so far), and then it asked me to install ActiveX control again so I clicked yes, and the scan restarted, then it did it again.

Also, AntiVir keeps giving me popups about a trojan, the same trojan that was giving me problems before, I believe.

Posted Image

I tried looking around and unhiding some folders and found what I think might be the folder it's in.

Posted Image

Not really sure though. AntiVir gave me that popup about 5 times in the past hour and I kept clicking "Deny Access", but it kept coming back, so I moved it to Quarantine and it seems to have stopped but I'm pretty sure it's still lurking around. I'm going to run an AntiVir scan right now.
  • 0
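The HijackThis log above is a plain-text format that a defender can triage mechanically before deciding which entries to fix. The following is an added example, not HijackThis code or a Geeks to Go tool: it parses the `R0`/`O2`/`O4`/`O23`-style entry lines, pulls out the CLSID and file path where present, and attaches triage flags. The sample lines are copied from the log posted above; the flag names and the "user-profile-path" heuristic are my own choices. A flag means "look at this", not "this is malware": Google's updater legitimately runs from the user profile, while the unnamed BHO with `(no file)` is exactly the kind of orphaned registry reference the helper asked to have fixed.

```python
"""Triage helper for HijackThis-style logs (added example, not part of HijackThis)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Entry lines look like "O2 - BHO: ..." / "R0 - HKCU\..." / "O23 - Service: ...".
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.+)$")
# Windows path ending in a common executable/library extension; non-greedy so
# trailing command-line arguments (e.g. "-startgui", "/c") are excluded.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"\r\n]*?\.(?:exe|dll|lnk|sys|ocx)", re.IGNORECASE)
CLSID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.IGNORECASE)
# Locations where a persistent autorun or BHO is unusual enough to deserve a second look
# (assumption of this example; legitimate software such as Chrome also lives here).
PROFILE_MARKERS = ("\\documents and settings\\", "\\local settings\\",
                   "\\application data\\", "\\temp\\")

# Constructed sample: entry lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Richie\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
"""


@dataclass
class HjtEntry:
    section: str
    body: str
    clsid: Optional[str] = None
    path: Optional[str] = None
    flags: List[str] = field(default_factory=list)


def parse_entry(line: str) -> Optional[HjtEntry]:
    """Parse one entry line; returns None for headers, blanks and process-list lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    clsid = CLSID_RE.search(body)
    path = PATH_RE.search(body)
    return HjtEntry(m.group("section"), body,
                    clsid.group(0) if clsid else None,
                    path.group(0) if path else None)


def flag_entry(e: HjtEntry) -> List[str]:
    """Attach triage flags in place. A flag means 'review this', not 'this is malicious'."""
    flags: List[str] = []
    low = e.body.lower()
    if "(no file)" in low or "(file missing)" in low:
        flags.append("orphaned")           # registry still points at a file that is gone
    if e.section == "O2" and "(no name)" in low:
        flags.append("unnamed-bho")        # BHOs from real vendors normally carry a name
    if e.section == "O23" and "unknown owner" in low:
        flags.append("unknown-vendor")     # service binary with no recognised publisher
    if e.path and any(mk in e.path.lower() for mk in PROFILE_MARKERS):
        flags.append("user-profile-path")  # autorun from a user-writable location
    e.flags = flags
    return flags


def analyze(log_text: str) -> List[HjtEntry]:
    """Parse and flag every entry line of a HijackThis log, in file order."""
    entries: List[HjtEntry] = []
    for line in log_text.splitlines():
        e = parse_entry(line)
        if e is not None:
            flag_entry(e)
            entries.append(e)
    return entries


def flagged(entries: List[HjtEntry]) -> List[HjtEntry]:
    """Only the entries that picked up at least one triage flag."""
    return [e for e in entries if e.flags]


def section_counts(entries: List[HjtEntry]) -> Dict[str, int]:
    """How many entries of each section type (O2, O4, ...) the log contains."""
    counts: Dict[str, int] = {}
    for e in entries:
        counts[e.section] = counts.get(e.section, 0) + 1
    return counts


if __name__ == "__main__":
    for e in flagged(analyze(SAMPLE_LOG)):
        print(f"{e.section:<4}{', '.join(e.flags):<30}{e.path or e.clsid or e.body}")
```

Run against the sample, the report lists four entries to look at: the unnamed BHO (orphaned and unnamed), the AVG BHO whose DLL is missing (orphaned), the Google updater in the user profile, and the Adobe service with no recognised owner. Only the first two are the kind of dead reference that fixing with HijackThis removes; the other two are reminders to confirm what the file is before acting.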

#15
Ltangelic

    Angel Annihilator of Malware

  • Retired Staff
  • 2,008 posts
Have you done the Eset online scan? If so, please post me the logs as well.
  • 0
