
Malicious virus - thwarts AV software; overruns CPU [Solved]

  • This topic is locked

#1
jsmitchell
Member, 18 posts

BACKGROUND

1. Gateway FX400 - Pentium D 2.8 GHz - 1G RAM
2. OS: Windows XP Media Center ver 5.1 (Build 2600.xpsp_sp3_gdr.080814-1236: Service Pack 3)
3. Browser - IE 7.0.5730.13; Firefox - Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.6) Gecko/2009011913 Firefox/3.0.6 (.NET CLR 3.5.30729)
4. Owned by kids who like on-line games, music, videos, etc.
5. System is up to date per Windows Update.


SYMPTOMS

1a. Images in IE disappeared - multimedia "display images" checkbox became unchecked. At first we could recheck it and refresh to see images, even exit IE and return and see images. But upon rebooting the problem reappeared. If the browser remained open for too long, the box became unchecked. Now, the box won't stay checked and we can't see any images.
1b. Could not run Firefox at all; eventually did get it running and can see images, but pop-under ads show even with the no-popup feature activated.

2. Media center disabled - "ehshell.exe - Application error. The application failed to initialize properly (0xc000007b). Click on OK to terminate the application."

3. CPU is constantly at 100%. System is slowed to a crawl. Task Manager shows all these random 4K exe files spawning. Every so often a process fails, generating a dialogue warning box. Eventually the system gets overwhelmed and reboots.

4. Windows Update at first worked but progressively started to choke. Was able to go around this by going to the KB directly and download.

5. Malwarebytes at first ran OK, but now gets to 4848 files checked and chokes, even in safe mode. Spybot works but is ineffective. Tried Vundofix but that found nothing. HJT generates an error and won't create a log.


MANDATORY STEPS FOLLOWED

1. Ran ATF Cleaner - Successful

2. Ran SysRestorePoint - ERROR ("The application failed to initialize properly (0xc000007b). Click on OK to terminate the application.")

3. Ran ERUNT - Successful

4a. Ran Malwarebytes - ERROR (Opens OK, was able after several tries to update the database, hangs somewhere in windows/system32 folder after checking 4848 files; same exact problem in safe mode)
4b. Was able to run Malwarebytes a few days ago and it did complete, generated logs (which I have), but didn't fix the problem

5a. Had run Spybot - ERROR (ran overnight in normal mode, system rebooted before I awoke)
5b. Was able to run Spybot in safe mode yesterday, generate logs (which I have), but didn't fix the problem

6a. HJT runs, scans, then gives the following error:

An unexplained error has occurred at procedure: modMain_CheckOther4Item()
Error #6 - Overflow
Windows version: 7.0.5730.13
MSIE version: 7.0.5730.13
HijackThis version 2.02

HJT appears to run to conclusion, generating a massive list of items (with the watermark of "no suspicious items found"), but no log pops up nor are any save options available. The "Send Log to Trend Micro" button appears to work, but does not show me any log. Notepad works fine.

6b. I am able to generate an "uninstall manager" log via notepad:

7-Zip 4.65
ACDSee
Acoustica Effects Pack
Acoustica Mixcraft 3
Ad-Aware 2007
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe PhotoDeluxe Home Edition 3.1
Adobe Reader 7.0.5 Language Support
Adobe Reader 7.0.9
Adobe Shockwave Player
Adobe® Photoshop® Album Starter Edition 3.2
AIM 6
Aim Plugin for QQ Games
AIM Toolbar 5.0
AIMTunes
Anagram Genius version 9 trial
AOL Coach Version 1.0(Build:20040229.1 en)
AOL Connectivity Services
AOL Instant Messenger
AOL Spyware Protection
AOL Uninstaller (Choose which Products to Remove)
AOL You've Got Pictures Screensaver
Apple Mobile Device Support
Apple Software Update
Aqua Data Studio 4.5
AviSynth 2.5
AVS DVDMenu Editor 1.2.1.19
AVS Video Converter 5.6
AVS Video Tools 5.6
AVS4YOU Software Navigator 1.2
Backyard Baseball 2003
Backyard Football
Bonjour
Camtasia Studio 4
Canon iP1600
Canon Utilities Easy-PhotoPrint
Choice Guard
Cole2k Media - Codec Pack (Standard) 6.0.8
Compatibility Pack for the 2007 Office system
Digital Media Converter 2.63
Digital Media Reader
DivX Content Uploader
DivX Web Player
DMM Uninstall
DVD Shrink 3.2
DX-Ball 1.09
DX-Ball 2
Easy-WebPrint
ERUNT 1.1j
Free Video to iPod Converter version 2.4
Free YouTube to iPod Converter version 2.8
GameSpy Arcade
GdiplusUpgrade
Google Earth
Google Toolbar for Internet Explorer
Google Updater
GSpot Codec Information Appliance
GWCares
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB942288-v3)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB958655)
HP Document Viewer 5.3
HP Driver Diagnostics
HP Imaging Device Functions 5.3
HP Photo Imaging Software
HP Photo Printing Software
HP Photosmart Cameras 4.5
HP Photosmart Essential 3.5
HP Product Detection
HP PSC & OfficeJet 5.3.B
HP Share-to-Web
HP Solution Center & Imaging Support Tools 5.3
Interactive User’s Guide
InterActual Player
iTunes
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.2
Java™ 6 Update 11
Java™ 6 Update 2
Java™ 6 Update 3
Java™ 6 Update 5
Java™ 6 Update 7
Java™ SE Runtime Environment 6 Update 1
K-Lite Mega Codec Pack 1.63
Learn2 Player (Uninstall Only)
LimeWire 5.0.11
Live365 for Media Center
Logitech QuickCam Software
Logitech® Camera Driver
Malwarebytes' Anti-Malware
McAfee Uninstall Wizard
Media Center Extender
Media Center Extender
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Halo Trial
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft MSDN 2005 Express Edition - ENU
Microsoft National Language Support Downlevel APIs
Microsoft Office Basic Edition 2003
Microsoft Office Live Add-in 1.3
Microsoft Office Publisher 2003 Beta
Microsoft Silverlight
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)
Microsoft SQL Server 2005 Tools Express Edition
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual Web Developer 2005 Express Edition - ENU
Microsoft Visual Web Developer 2005 Express Edition - ENU
Microsoft Visual Web Developer 2005 Express Edition - ENU Service Pack 1 (KB926751)
mIRC
Mozilla Firefox (3.0.6)
Mpeg2Decoder 1.3
MSVCRT
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 Parser and SDK
MSXML 6.0 Parser (KB933579)
MTV Overdrive for Media Center
musicshakeENG
Napster
Napster Burn Engine
Nero 7
Nero BurnRights
Netscape Internet Service
Netscape Web Accelerator
NVIDIA Drivers
NVIDIA WDM Drivers
oggcodecs 0.71.0946
Photo Story 3 for Windows
Photo! Editor 1.1
Phun beta 4.11
Pivot Stickfigure Animator
PowerDVD
Professor Franklin
Pure Networks Port Magic
QQ Games
QuickTime
RealPlayer
REXplorer Component Upgrade
Rhapsody Player Engine
ScreensaverMaker TE 2.4
Screenshot Utility
SeaStorm 3D Screensaver (remove only)
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB960715)
Segoe UI
Serif DrawPlus 4.0
Snood Deluxe
Soft Data Fax Modem with SmartCP
Sonic Encoders
Space Plasma 3D Screensaver (remove only)
Spybot - Search & Destroy
Spybot - Search & Destroy 1.5.2.20
Spyware Doctor 6.0
Steam
SwiftSwitch
Switch
TablEdit 2.65
TeamSpeak 2 RC2
Tor 0.1.1.26
TSDisp
Uninstall 1.0.0.0
Update for Windows Media Player 10 (KB910393)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB943729)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update Rollup 2 for Windows XP Media Center Edition 2005
USB Wireless Keyboard Driver
VCW VicMan's Photo Editor 8.1
Ventrilo Client
Videora Xbox360 Converter 0.81
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Virtual Earth 3D (Beta)
Visualizer Photo Resize
WavePad Uninstall
Web Photo Album 1.1
Windows Backup Utility
Windows Defender
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Connect
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Rights Management Client Backwards Compatibility SP2
Windows Rights Management Client with Service Pack 2
Windows Search 4.0
Windows XP Media Center Edition 2005 KB905589
Windows XP Media Center Edition 2005 KB925766
Windows XP Service Pack 3
World of Warcraft
Yahoo! Messenger
Yahoo! SiteBuilder
ZoneAlarm

#2
Transience
Unofficial Music Guru, Retired Staff, 2,448 posts

Hi jsmitchell and welcome to Geeks to Go! I'm Dave and I'll be helping you out.

4b. Was able to run Malwarebytes a few days ago and it did complete, generated logs (which I have), but didn't fix the problem

If you could post the MBAM log for me in your next reply that'd be great, depending on what it found that should give me an idea of where we can go from here.

From your description of HJT's behavior it sounds like it may have been able to run - would you look in the HJT directory (by default C:\Program Files\TrendMicro\HijackThis) to see if there's a notepad in there named hijackthis.log? Even if it gives you an error when running there may be some information there that could be of use.

So I just need whatever log HJT has if there is any and the MBAM log in your next reply.

Cheers,
Dave

#3
jsmitchell
Topic Starter, Member, 18 posts

Dave, great to hear from you.

A few moments ago I got a call from my ISP, Cablevision, that people were using my computer as a spambot. So that's a big clue. I've since disconnected that computer from the net and am transferring files back and forth with a flash drive.

Another clue, which I neglected to mention, was that the first suspicious error was for a file called hpqthb08.exe which is part of HP's Image Zone software. HP has since replaced that software so I uninstalled Image Zone early on but that didn't solve anything. In fact, things might have gotten worse from there. I see that another guy got in serious trouble trying to cure that a while back: http://www.geekstogo...n...ambot&st=15. I'm not saying the two are related, but perhaps that file is a clue to something.

HJT still won't give me a log. The error always occurs at the point of "04 Registry and Start Menu autoruns..." being displayed. Yes, I can see the results. I tried to "ignore" one checked item to see if that feature worked (I could restore it anyhow) but it didn't. Not sure if that means other features have also been disabled.

Here are the Malwarebytes files prior to the program hanging early in the scanning process. After that I've added the spybot log.

=====

Malwarebytes' Anti-Malware 1.34
Database version: 1764
Windows 5.1.2600 Service Pack 3

2/15/2009 1:52:02 PM
mbam-log-2009-02-15 (13-52-02).txt

Scan type: Quick Scan
Objects scanned: 129438
Time elapsed: 27 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 4
Registry Keys Infected: 14
Registry Values Infected: 9
Registry Data Items Infected: 5
Folders Infected: 3
Files Infected: 52

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\crypts.dll (Trojan.Downloader) -> Delete on reboot.
C:\WINDOWS\Ldelu.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\hs78344kjkfd.dll (Trojan.BHO) -> Delete on reboot.
C:\WINDOWS\xccdf16_090131a.dll (Spyware.OnlineGames) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{c5bf49a2-94f3-42bd-f434-3604812c8955} (Trojan.Zlob.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5bf49a2-94f3-42bd-f434-3604812c8955} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c5bf49a2-94f3-42bd-f434-3604812c8955} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\27236f (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\CrucialSoft Ltd (Rogue.MSantispyware2009) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc9ac151 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{c5bf49a2-94f3-42bd-f434-3604812c8955} (Trojan.Zlob.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gyubup (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\trarowal (Trojan.Agent) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\microsoft windows automatic update (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xccinit (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jsf8uiw3jnjgffght (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jsf8uiw3jnjgffght (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Backdoor.Bot) -> Data: c:\windows\system32\twext.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Backdoor.Bot) -> Data: system32\twext.exe -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twext.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\twain_32 (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009 (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\hs78344kjkfd.dll (Trojan.Zlob.H) -> Delete on reboot.
C:\WINDOWS\system32\crypts.dll (Trojan.Downloader) -> Delete on reboot.
C:\WINDOWS\Ldelu.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\UACbenepxya.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACfdctlrpj.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACjbppkdux.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACvpxewfkk.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fccbXrPf.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uqlepjti.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\27236f.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\UACoyroyidq.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dudeeli\Local Settings\Temp\DBE6.tmp (Trojan.Backdoor) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dudeeli\Local Settings\Temp\UACc663.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dudeeli\Local Settings\Temp\3xl5h25.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dudeeli\Local Settings\Temp\d1x.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dudeeli\Local Settings\Temp\porn2.exe (Trojan.Buzus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dudeeli\Local Settings\Temporary Internet Files\Content.IE5\0E0RE9JS\nkuyivi[1].htm (Trojan.TinyDownloader705) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dudeeli\Local Settings\Temporary Internet Files\Content.IE5\4GPZ86JY\pifccddur[1].txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dudeeli\Local Settings\Temporary Internet Files\Content.IE5\PH9LMOPE\surboccgqn[1].htm (Trojan.TinyDownloader705) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dudeeli\Local Settings\Temporary Internet Files\Content.IE5\PH9LMOPE\bluivja[1].htm (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dudeeli\Local Settings\Temporary Internet Files\Content.IE5\PH9LMOPE\upd105320[2] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dudeeli\Local Settings\Temporary Internet Files\Content.IE5\WYOX5T5S\FlashPlayer[1].exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dudeeli\Local Settings\Temporary Internet Files\Content.IE5\YS90Y5EY\nkuyivi[1].htm (Trojan.TinyDownloader705) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dudeeli\Local Settings\Temporary Internet Files\Content.IE5\E9T13WBP\bbsuper0[1].htm (Rootkit.Rustock) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dudeeli\Local Settings\Temporary Internet Files\Content.IE5\E9T13WBP\surboccgqn[1].htm (Trojan.TinyDownloader705) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dudeeli\Local Settings\Temporary Internet Files\Content.IE5\FMALMZJJ\bluivja[1].htm (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dudeeli\Local Settings\Temporary Internet Files\Content.IE5\G1WXMO1E\scijpzqww[1].htm (Trojan.TinyDownloader705) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dudeeli\Local Settings\Temporary Internet Files\Content.IE5\G4V9L28O\bluivja[1].htm (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dudeeli\Local Settings\Temporary Internet Files\Content.IE5\JTFCB9Y5\bbsuper2[1].htm (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\twain_32\local.ds (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\twain_32\user.ds (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\twain_32\user.ds.cla (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\msas2009.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\WINDOWS\abowudehibewa.dll (Trojan.Agent) -> Delete on reboot.
C:\RECYCLER\S-1-5-21-8305313750-3617052089-235155415-0069\mwau.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\cxfagn.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\xyephkl.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\inf\xccefb090131.scr (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\twext.exe (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\inf\rundll33.exe (Spyware.OnlineGames) -> Delete on reboot.
C:\WINDOWS\xccdf16_090131a.dll (Spyware.OnlineGames) -> Delete on reboot.
C:\WINDOWS\xccdf32_090131a.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\system\xccef090131.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\inf\xccdfb16_090131.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\aaaamonb.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\beep.sys (Fake.Beep.Sys) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\awtqpMec.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dudeeli\Local Settings\Temp\matrix31290.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dudeeli\Local Settings\Temp\winlognn.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\UACfmiltqoq.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACxrtoydmk.log (Trojan.Agent) -> Quarantined and deleted successfully.


=====

Malwarebytes' Anti-Malware 1.34
Database version: 1764
Windows 5.1.2600 Service Pack 3

2/15/2009 2:46:52 PM
mbam-log-2009-02-15 (14-46-52).txt

Scan type: Quick Scan
Objects scanned: 128742
Time elapsed: 27 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

=====

Malwarebytes' Anti-Malware 1.34
Database version: 1766
Windows 5.1.2600 Service Pack 3

2/16/2009 5:57:01 PM
mbam-log-2009-02-16 (17-57-01).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 235512
Time elapsed: 2 hour(s), 3 minute(s), 1 second(s)

Memory Processes Infected: 8
Memory Modules Infected: 1
Registry Keys Infected: 21
Registry Values Infected: 3
Registry Data Items Infected: 5
Folders Infected: 7
Files Infected: 35

Memory Processes Infected:
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\msas2009.exe (Rogue.Multiple) -> Unloaded process successfully.
C:\WINDOWS\system32\afisicx.exe (Trojan.Agent) -> Unloaded process successfully.
C:\WINDOWS\system32\mabidwe.exe (Trojan.Agent) -> Unloaded process successfully.
C:\WINDOWS\system32\tdydowkc.exe (Trojan.Agent) -> Unloaded process successfully.
C:\WINDOWS\system32\wsldoekd.exe (Trojan.Agent) -> Unloaded process successfully.
C:\WINDOWS\system32\soxpeca.exe (Backdoor.Bot) -> Unloaded process successfully.
C:\WINDOWS\system32\noytcyr.exe (Backdoor.Bot) -> Unloaded process successfully.
C:\WINDOWS\system32\roytctm.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\xccdf16_090131a.dll (Spyware.OnlineGames) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\afisicx (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\afisicx (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\afisicx (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\mabidwe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\mabidwe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mabidwe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\tdydowkc (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\tdydowkc (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdydowkc (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\wsldoekd (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\wsldoekd (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wsldoekd (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\noytcyr (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\roytctm (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\soxpeca (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\soxpeca (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\soxpeca (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\noytcyr (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\noytcyr (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\roytctm (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\roytctm (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ms antispyware 2009 (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xccinit (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Backdoor.Bot) -> Data: c:\windows\system32\twext.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Backdoor.Bot) -> Data: system32\twext.exe -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twext.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\twain_32 (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\BASE (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\DELETED (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\SAVED (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP102\A0031773.exe (Adware.NetPumper) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\twain_32\local.ds (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\twain_32\user.ds (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\msas2009.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20090216135800390.log (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\afisicx.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mabidwe.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdydowkc.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wsldoekd.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\comsa32.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\3.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\4.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\5.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\6.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\7.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\8.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\9.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\A.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\B.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\C.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\D.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\E.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
\boot.ini (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\inf\xccefb090131.scr (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\soxpeca.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\noytcyr.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\udxfytw.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tpszxyd.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\twext.exe (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\inf\rundll33.exe (Spyware.OnlineGames) -> Delete on reboot.
C:\WINDOWS\xccdf16_090131a.dll (Spyware.OnlineGames) -> Delete on reboot.
C:\WINDOWS\xccdf32_090131a.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\system\xccef090131.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\inf\xccdfb16_090131.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\roytctm.exe (Trojan.Agent) -> Quarantined and deleted successfully.

=====

Malwarebytes' Anti-Malware 1.34
Database version: 1769
Windows 5.1.2600 Service Pack 3

2/17/2009 1:06:25 PM
mbam-log-2009-02-17 (13-06-24).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 256309
Time elapsed: 1 hour(s), 43 minute(s), 59 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 6
Files Infected: 21

Memory Processes Infected:
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\msas2009.exe (Rogue.Multiple) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ms antispyware 2009 (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\BASE (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\DELETED (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\SAVED (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\msas2009.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20090216180242750.log (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20090216183924078.log (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20090216195203421.log (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20090216225325265.log (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20090217001625718.log (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20090217005056140.log (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20090217015500812.log (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\3.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\4.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\5.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\6.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\7.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\8.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\9.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\A.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\B.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\C.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\D.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\E.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\F.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

=====

--- Report generated: 2009-02-19 15:58 ---
Zango: [SBI $97CF1A76] Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Word\Addins\HostOL.MailAnim
Win32.Agent.pz: [SBI $8980C6CD] Settings (Registry value, fixed)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Network\UID
MyWay.MyWebSearch: [SBI $205CC8F2] Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-332015932-3086523362-698477518-1010\Software\FunWebProducts
Microsoft.Windows.Explorer: [SBI $DA080EA7] User settings (Registry change, fixed)
HKEY_USERS\S-1-5-21-332015932-3086523362-698477518-1010\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions
Microsoft.WindowsSecurityCenter.FirewallBypass: [SBI $D80580B5] Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\explorer.exe
Microsoft.WindowsSecurityCenter.FirewallBypass: [SBI $B067B5B7] Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\explorer.exe
Microsoft.WindowsSecurityCenter.FirewallOverride: [SBI $0C94D702] Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride
Microsoft.WindowsSecurityCenter_disabled: [SBI $2E20C9A9] Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Start
Microsoft.WindowsSecurityCenter.RegistryTools: [SBI $D60CD1E3] Settings (Registry change, fixed)
HKEY_USERS\S-1-5-21-332015932-3086523362-698477518-1010\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableRegistryTools
ISearchTechnology.WinButler: [SBI $E7C36CB1] Executable (File, fixed)
C:\Documents and Settings\Dudeeli\Local Settings\Temp\removalfile.bat
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E
PWS.LDPinchIE: [SBI $32D83D62] User settings (Registry value, fixed)
HKEY_USERS\S-1-5-21-332015932-3086523362-698477518-1010\Software\Microsoft\Windows\CurrentVersion\Explorer\idstrf
Refpron: [SBI $F531BF62] Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\m
Refpron: [SBI $CAF76633] Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\udno
Refpron: [SBI $CAF76633] Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\udws
Refpron: [SBI $CAF76633] Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\udaf
Refpron: [SBI $CAF76633] Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\udro
Refpron: [SBI $CAF76633] Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\udtd
Refpron: [SBI $CAF76633] Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\udma
Refpron: [SBI $CAF76633] Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\udso
Win32.Delf.uc: [SBI $88B8013A] Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\??\C:\WINDOWS\system32\winlogon.exe
Win32.Delf.uc: [SBI $14B30E85] Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\??\C:\WINDOWS\system32\winlogon.exe
Win32.Joleee.K: [SBI $39C82568] Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\services\del
Win32.TDSS.rtk: [SBI $1C88479D] Settings (Directory, fixed)
C:\Documents and Settings\NetworkService\Application Data\twain_32\
Virtumonde: [SBI $FD08B4B7] Configuration file (File, fixed)
C:\WINDOWS\system32\WvuCbccf.ini2
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E
Virtumonde: [SBI $2A2DCEAC] Configuration file (File, fixed)
C:\WINDOWS\system32\WvuCbccf.ini
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E
Virtumonde: [SBI $D510A69C] Configuration file (File, fixed)
C:\WINDOWS\system32\yolnroby.ini
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E
Virtumonde: [SBI $1E12D746] User settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-332015932-3086523362-698477518-1010\Software\Microsoft\fias4013
Virtumonde: [SBI $1D86E0B2] Configuration file (File, fixed)
C:\WINDOWS\Tasks\maftvunm.job
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E
LinkSynergy: Tracking cookie (Internet Explorer: Dudeeli) (Cookie, fixed)
Clickbank: Tracking cookie (Internet Explorer: Dudeeli) (Cookie, fixed)
WebTrends live: Tracking cookie (Internet Explorer: Dudeeli) (Cookie, fixed)
DoubleClick: Tracking cookie (Internet Explorer: Dudeeli) (Cookie, fixed)
Right Media: Tracking cookie (Internet Explorer: Dudeeli) (Cookie, fixed)
Statcounter: Tracking cookie (Internet Explorer: Dudeeli) (Cookie, fixed)
MediaPlex: Tracking cookie (Internet Explorer: Dudeeli) (Cookie, fixed)
CasaleMedia: Tracking cookie (Internet Explorer: Dudeeli) (Cookie, fixed)
BurstMedia: Tracking cookie (Internet Explorer: Dudeeli) (Cookie, fixed)
FastClick: Tracking cookie (Internet Explorer: Dudeeli) (Cookie, fixed)
AdRevolver: Tracking cookie (Internet Explorer: Dudeeli) (Cookie, fixed)
Zedo: Tracking cookie (Internet Explorer: Dudeeli) (Cookie, fixed)
MediaPlex: Tracking cookie (Internet Explorer: Dudeeli) (Cookie, fixed)
AdRevolver: Tracking cookie (Internet Explorer: Dudeeli) (Cookie, fixed)
DoubleClick: Tracking cookie (Firefox: Dudeeli (default)) (Cookie, fixed)
CasaleMedia: Tracking cookie (Firefox: Dudeeli (default)) (Cookie, fixed)
MediaPlex: Tracking cookie (Firefox: Dudeeli (default)) (Cookie, fixed)
FastClick: Tracking cookie (Firefox: Dudeeli (default)) (Cookie, fixed)
FastClick: Tracking cookie (Firefox: Dudeeli (default)) (Cookie, fixed)
MediaPlex: Tracking cookie (Firefox: Dudeeli (default)) (Cookie, fixed)
FastClick: Tracking cookie (Firefox: Dudeeli (default)) (Cookie, fixed)
--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---
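The Malwarebytes logs posted above follow a regular line format, so a helper reading several of them can parse rather than eyeball them. The following is an added example, not code from this thread or from Malwarebytes: it reads a constructed log in that same format, reconciles the declared counts with the entries actually listed, pulls out the items the scanner could only mark "Delete on reboot" (these need re-checking after the restart), and extracts whatever was appended to the Winlogon Userinit value beyond userinit.exe.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x log and report what still needs attention."""
import re
from collections import Counter

# Constructed sample in the same format as the logs posted in this thread.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.34
Database version: 1769
Windows 5.1.2600 Service Pack 3

Memory Processes Infected: 0
Registry Data Items Infected: 2
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twext.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\twext.exe (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\afisicx.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\3.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
"""

SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
HEADER_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# "<item> (<category>) -> <detail ... -> > <action>."
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<category>[^()]+)\) -> (?P<rest>.+?)\.?$")
BAD_GOOD_RE = re.compile(r"^Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*)\)$")


def parse_mbam_log(text):
    """Return (declared_counts, entries). Each entry records the section it sat under,
    the item (file path or registry key), the detection category, the detail text
    between category and action (Bad/Good or Data), and the final action taken."""
    declared, entries, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            declared[m["section"]] = int(m["count"])
            continue
        m = HEADER_RE.match(line)
        if m:
            section = m["section"]
            continue
        m = ENTRY_RE.match(line)
        if section is None or not m:
            continue  # banner lines and "(No malicious items detected)"
        parts = [p.strip() for p in m["rest"].split(" -> ")]
        entries.append({
            "section": section,
            "item": m["item"],
            "category": m["category"],
            "detail": " -> ".join(parts[:-1]),
            "action": parts[-1],
        })
    return declared, entries


def count_mismatches(declared, entries):
    """Sections whose declared count differs from the entries parsed; a non-empty
    result means the log was truncated or edited before it was posted."""
    seen = Counter(e["section"] for e in entries)
    return {s: (n, seen.get(s, 0)) for s, n in declared.items() if seen.get(s, 0) != n}


def pending_reboot(entries):
    """Items the scanner could not remove while they were in use. They must be
    re-checked after the restart, since an in-use loader can recreate its companions."""
    return [e["item"] for e in entries if e["action"].lower().startswith("delete on reboot")]


def userinit_extras(entries):
    """Executables appended to Winlogon\\Userinit beyond the legitimate userinit.exe.
    Anything listed there runs at every interactive logon, before the shell starts."""
    extras = []
    for e in entries:
        if not e["item"].lower().endswith(r"\winlogon\userinit"):
            continue
        m = BAD_GOOD_RE.match(e["detail"])
        if not m:
            continue
        for exe in m["bad"].split(","):
            exe = exe.strip()
            if exe and exe.lower().rsplit("\\", 1)[-1] != "userinit.exe":
                extras.append(exe)
    return extras


def by_category(entries):
    """Detection category -> number of items, for a quick read of what was found."""
    return dict(Counter(e["category"] for e in entries))


if __name__ == "__main__":
    declared, entries = parse_mbam_log(SAMPLE_LOG)
    print("categories:", by_category(entries))
    print("pending reboot:", pending_reboot(entries))
    print("Userinit extras:", userinit_extras(entries))
    print("count mismatches:", count_mismatches(declared, entries))
```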

#4
Transience
    Unofficial Music Guru
  • Retired Staff
  • 2,448 posts
Well... looks like we've got a pretty nasty piece of work here. Let's get down to business:

Download Combofix from any of the links below, but at the dialog box that appears asking you where you'd like to save the file, change its name from ComboFix.exe to Combo-Fix.exe. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3

Posted Image

Posted Image
--------------------------------------------------------------------
Notes:
  • Before running ComboFix, you should disable all Antivirus and Antispyware applications so they don't interfere. You can often do this just by right-clicking on the system tray icon and clicking "Disable" or similar. If you need further instructions for how to disable your programs, look here.
  • ComboFix will temporarily disconnect your machine from the internet and change your clock settings; this is normal, and both will be restored before the program terminates.
  • Do not attempt to run any programs or click on ComboFix's window while it is running; just allow it to run uninterrupted aside from okaying any prompts. It may appear to be doing nothing at times; this is normal, don't worry.
Next:
  • Double click on ComboFix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a serious problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Recovery Console, and when prompted, agree to the End-User License Agreement to install it.
* Note: If the Recovery Console is already installed on your computer, ComboFix will ignore the installation routines and continue its malware removal procedures.

Posted Image

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware. The program will scan for malware and then perform various fixes. You may be asked to reboot, okay the prompt and allow your computer to reboot. Log in as normal and allow ComboFix to complete its run without doing anything else.

When it's finished, the program's log will appear in notepad as well as saving itself to C:\ComboFix.txt. Please include the full contents of the log in your next reply.

Next:

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to C:\SDFix

Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat (Vista users please right-click it and select Run as Administrator) to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt in your next reply.
Hopefully both of those will work ok, just need the logs from ComboFix and SDFix in your next reply.

#5
jsmitchell
    Member
  • Topic Starter
  • Member
  • 18 posts
Dave, the computer is now running ComboFix. It successfully created a new restore point, asked about adding the recovery software (I said yes), connected to Microsoft, successfully downloaded it, but when run it gave a quick flashing error about an invalid drive partition. I then said yes to do the scan. Should I still proceed to sdfix when that's done even though the recovery software may not be working properly, or is that now too late to do?

#6
jsmitchell
    Member
  • Topic Starter
  • Member
  • 18 posts
It's been a bumpy ride but I see some progress...

1. Ran Combofix and watched it, on and off, go through about 90 minutes of repairing. At some point when I checked it, it said "Combo fix is preparing to reboot". Task manager showed that the task was still running, so I let it proceed for about 45 minutes before figuring out it wasn't going to reboot on its own.

2. I rebooted to Safe Mode, just in case. Combofix took over, did a few quick things, and said it was preparing a log, don't run anything. As there was disk thrashing for quite a while, I let it go. After another 45 minutes or so, when that stopped, I monitored sed.cfexe until there was no activity for a while, then did a ctrl-break. When asked if I wanted to terminate the batch file I said "no" and apparently that transferred the process to regt.cfexe. When that stopped working, I tried ctrl-break repeatedly to no avail. I ended the process, saw there was a log file (even though notepad never popped up) and copied it to my flash drive (see below).

3. I then initiated the manual process to install the Recovery Console. I got all the way to the end and it failed because the Boot.ini file was missing. I knew that because I always got a message, briefly, upon reboot of "Bad or missing boot.ini. Starting from c:\windows\" which appears to not cause any problems. At one point I created a "standard" boot.ini file according to the Microsoft KB but none of the desktop icons showed up so I rebooted to the dos prompt and deleted it. I'm hoping there's a utility to rebuild it based on my registry. I still need to install the Recovery Console.

4. I ran sdfix and immediately the computer rebooted. I went back to safe mode, so no file, and ran the program again. For a few seconds it said "checking running processes and services" (I think), then rebooted. No log file. I figured it was not to be.

5. The good news is that the CPU is no longer pegged at 100% so the computer seems normal. IE will now display pictures again and seems snappy.

6. The bad news is that even after redownloading and reinstalling Malwarebytes and HJT, they both do not work. Malwarebytes hangs at c:\windows\system32\vga.dll (it used to just hang generically at c:\windows\system32\). HJT still won't pop up a log file. Media Center still gives me an error message.

=====

ComboFix 09-02-19.01 - Dudeeli 2009-02-20 16:51:22.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1021.430 [GMT -5:00]
Running from: C:\Documents and Settings\Dudeeli\Desktop\Combo-Fix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20090217140108812.log
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20090217165357703.log
C:\Documents and Settings\Dudeeli\Local Settings\Temporary Internet Files\fbk.sts
C:\Documents and Settings\Dudeeli\reader_s.exe
C:\Documents and Settings\LocalService\Application Data\twain_32
C:\Documents and Settings\LocalService\Application Data\twain_32\user.ds
C:\windows\Install.txt
C:\windows\system32\8.tmp
C:\windows\system32\9.tmp
C:\windows\system32\A.tmp
C:\windows\system32\bversion.dll
C:\windows\system32\CcEvtSvc.exe
C:\windows\system32\config\systemprofile\reader_s.exe
C:\windows\system32\d3d8caps.dat
C:\windows\system32\drivers\ntndis.sys
C:\windows\system32\E.tmp
C:\windows\system32\fhpatch.dll
C:\windows\system32\fiplock.dll
C:\windows\system32\fzhgix.dll
C:\windows\system32\Install.txt
C:\windows\system32\IPHACTION.dll
C:\windows\system32\iphy.dll
C:\windows\system32\kernel32_check.dll
C:\windows\system32\reader_s.exe
C:\windows\system32\tmp.reg
C:\windows\system32\tmpxccacj0.exe
C:\windows\system32\w.exe
C:\windows\system32\xcchit32.ini
C:\windows\system32\xkkioacx.dll
C:\windows\wiaserviv.log
C:\windows\xccwinsys.ini
C:\xcrashdump.dat
E:\Autorun.inf
C:\windows\system32\IpSvchostF.dll . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AFISICX
-------\Legacy_CCEVTSVC
-------\Legacy_MABIDWE
-------\Legacy_NOYTCYR
-------\Legacy_OREANS32
-------\Legacy_ROYTCTM
-------\Legacy_SOXPECA
-------\Legacy_TDYDOWKC
-------\Legacy_WSLDOEKD
-------\Service_CcEvtSvc
-------\Service_oreans32
-------\Service_restore


((((((((((((((((((((((((( Files Created from 2009-01-20 to 2009-02-20 )))))))))))))))))))))))))))))))
.

2009-02-20 18:49 . 2009-02-20 18:49 0 --------- C:\WINDOWS\system32\IpSvchostF.dll
2009-02-20 10:35 . 2009-02-20 10:35 <DIR> d-------- C:\Program Files\ERUNT
2009-02-20 10:27 . 2009-02-20 10:27 <DIR> d-------- C:\Program Files\7-Zip
2009-02-20 02:12 . 2009-02-20 02:12 <DIR> d-------- C:\VundoFix Backups
2009-02-19 23:03 . 2009-02-19 23:06 164,804 --a------ C:\WINDOWS\system32\75.tmp
2009-02-19 23:03 . 2009-02-19 23:03 88,065 --a------ C:\WINDOWS\system32\72.tmp
2009-02-19 23:03 . 2009-02-19 23:03 24,577 --a------ C:\WINDOWS\system32\6F.tmp
2009-02-19 23:03 . 2009-02-19 23:03 9,216 --a------ C:\WINDOWS\system32\74.tmp
2009-02-19 23:03 . 2009-02-19 23:03 208 --a------ C:\WINDOWS\system32\6D.tmp
2009-02-19 22:36 . 2009-02-19 22:39 162,724 --a------ C:\WINDOWS\system32\71.tmp
2009-02-19 22:36 . 2009-02-19 22:36 88,065 --a------ C:\WINDOWS\system32\6E.tmp
2009-02-19 22:36 . 2009-02-19 22:36 9,216 --a------ C:\WINDOWS\system32\70.tmp
2009-02-19 22:36 . 2009-02-19 22:36 208 --a------ C:\WINDOWS\system32\6A.tmp
2009-02-19 19:34 . 2009-02-19 19:37 164,804 --a------ C:\WINDOWS\system32\6C.tmp
2009-02-19 19:34 . 2009-02-19 19:34 88,065 --a------ C:\WINDOWS\system32\69.tmp
2009-02-19 19:34 . 2009-02-19 19:34 24,577 --a------ C:\WINDOWS\system32\66.tmp
2009-02-19 19:34 . 2009-02-19 19:34 9,216 --a------ C:\WINDOWS\system32\6B.tmp
2009-02-19 19:34 . 2009-02-19 19:34 208 --a------ C:\WINDOWS\system32\62.tmp
2009-02-19 19:29 . 2009-02-19 19:29 <DIR> d-------- C:\Documents and Settings\NetworkService\Tracing
2009-02-19 18:48 . 2009-02-19 18:50 162,724 --a------ C:\WINDOWS\system32\68.tmp
2009-02-19 18:48 . 2009-02-19 18:48 88,065 --a------ C:\WINDOWS\system32\64.tmp
2009-02-19 18:48 . 2009-02-19 18:48 9,216 --a------ C:\WINDOWS\system32\67.tmp
2009-02-19 18:47 . 2009-02-19 18:47 208 --a------ C:\WINDOWS\system32\61.tmp
2009-02-19 17:56 . 2009-02-19 17:56 <DIR> d-------- C:\Program Files\Trend Micro
2009-02-19 17:49 . 2009-02-19 17:49 164,804 --a------ C:\WINDOWS\system32\65.tmp
2009-02-19 17:49 . 2009-02-19 17:49 88,065 --a------ C:\WINDOWS\system32\60.tmp
2009-02-19 17:49 . 2009-02-19 17:49 25,601 --a------ C:\WINDOWS\system32\5F.tmp
2009-02-19 17:49 . 2009-02-19 17:49 9,216 --a------ C:\WINDOWS\system32\63.tmp
2009-02-19 17:49 . 2009-02-19 17:49 208 --a------ C:\WINDOWS\system32\5C.tmp
2009-02-19 17:42 . 2009-02-19 17:45 164,804 --a------ C:\WINDOWS\system32\5E.tmp
2009-02-19 17:42 . 2009-02-19 17:42 88,065 --a------ C:\WINDOWS\system32\5B.tmp
2009-02-19 17:42 . 2009-02-19 17:42 25,601 --a------ C:\WINDOWS\system32\5A.tmp
2009-02-19 17:42 . 2009-02-19 17:42 9,216 --a------ C:\WINDOWS\system32\5D.tmp
2009-02-19 17:42 . 2009-02-19 17:42 208 --a------ C:\WINDOWS\system32\57.tmp
2009-02-19 16:39 . 2009-02-19 16:42 164,132 --a------ C:\WINDOWS\system32\59.tmp
2009-02-19 16:39 . 2009-02-19 16:39 88,065 --a------ C:\WINDOWS\system32\56.tmp
2009-02-19 16:39 . 2009-02-19 16:39 24,577 --a------ C:\WINDOWS\system32\54.tmp
2009-02-19 16:39 . 2009-02-19 16:39 9,216 --a------ C:\WINDOWS\system32\58.tmp
2009-02-19 16:39 . 2009-02-19 16:39 208 --a------ C:\WINDOWS\system32\52.tmp
2009-02-19 16:27 . 2009-02-19 16:27 88,065 --a------ C:\WINDOWS\system32\51.tmp
2009-02-19 16:27 . 2009-02-19 16:27 44,413 --a------ C:\WINDOWS\system32\55.tmp
2009-02-19 16:27 . 2009-02-19 16:27 24,577 --a------ C:\WINDOWS\system32\4E.tmp
2009-02-19 16:27 . 2009-02-19 16:27 9,216 --a------ C:\WINDOWS\system32\53.tmp
2009-02-19 16:27 . 2009-02-19 16:27 208 --a------ C:\WINDOWS\system32\4A.tmp
2009-02-19 10:46 . 2009-02-20 05:50 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Tracing
2009-02-19 09:46 . 2009-02-19 09:46 88,065 --a------ C:\WINDOWS\system32\4D.tmp
2009-02-19 09:46 . 2009-02-19 09:46 9,216 --a------ C:\WINDOWS\system32\4F.tmp
2009-02-19 09:46 . 2009-02-19 09:46 0 --a------ C:\WINDOWS\system32\50.tmp
2009-02-19 09:45 . 2009-02-19 09:46 38,913 --a------ C:\WINDOWS\system32\4C.tmp
2009-02-19 09:45 . 2009-02-19 09:45 208 --a------ C:\WINDOWS\system32\47.tmp
2009-02-19 04:46 . 2009-02-19 04:48 164,036 --a------ C:\WINDOWS\system32\4B.tmp
2009-02-19 04:46 . 2009-02-19 04:46 7,680 --a------ C:\WINDOWS\system32\48.tmp
2009-02-19 04:46 . 2009-02-19 04:46 168 --a------ C:\WINDOWS\system32\46.tmp
2009-02-19 04:41 . 2009-02-19 04:43 164,036 --a------ C:\WINDOWS\system32\49.tmp
2009-02-19 04:40 . 2009-02-19 04:40 24,577 --a------ C:\WINDOWS\system32\44.tmp
2009-02-19 04:40 . 2009-02-19 04:40 7,680 --a------ C:\WINDOWS\system32\45.tmp
2009-02-19 04:40 . 2009-02-19 04:40 168 --a------ C:\WINDOWS\system32\42.tmp
2009-02-19 02:37 . 2009-02-19 02:37 164,132 --a------ C:\WINDOWS\system32\43.tmp
2009-02-19 02:37 . 2009-02-19 02:37 25,601 --a------ C:\WINDOWS\system32\3F.tmp
2009-02-19 02:37 . 2009-02-19 02:37 7,168 --a------ C:\WINDOWS\system32\41.tmp
2009-02-19 02:37 . 2009-02-19 02:37 168 --a------ C:\WINDOWS\system32\3B.tmp
2009-02-19 02:28 . 2009-02-19 02:28 164,132 --a------ C:\WINDOWS\system32\40.tmp
2009-02-19 02:28 . 2009-02-19 02:28 25,601 --a------ C:\WINDOWS\system32\3D.tmp
2009-02-19 02:28 . 2009-02-19 02:28 7,168 --a------ C:\WINDOWS\system32\3E.tmp
2009-02-19 02:27 . 2009-02-19 02:28 168 --a------ C:\WINDOWS\system32\39.tmp
2009-02-19 02:24 . 2009-02-19 02:24 164,132 --a------ C:\WINDOWS\system32\3C.tmp
2009-02-19 02:24 . 2009-02-19 02:24 25,601 --a------ C:\WINDOWS\system32\37.tmp
2009-02-19 02:24 . 2009-02-19 02:24 7,168 --a------ C:\WINDOWS\system32\3A.tmp
2009-02-19 02:24 . 2009-02-19 02:24 168 --a------ C:\WINDOWS\system32\36.tmp
2009-02-19 02:04 . 2009-02-19 02:06 164,132 --a------ C:\WINDOWS\system32\38.tmp
2009-02-19 02:04 . 2009-02-19 02:04 24,577 --a------ C:\WINDOWS\system32\33.tmp
2009-02-19 02:04 . 2009-02-19 02:04 7,168 --a------ C:\WINDOWS\system32\34.tmp
2009-02-19 02:04 . 2009-02-19 02:04 168 --a------ C:\WINDOWS\system32\2E.tmp
2009-02-19 01:52 . 2009-02-19 01:52 163,748 --a------ C:\WINDOWS\system32\35.tmp
2009-02-19 01:52 . 2009-02-19 01:52 7,168 --a------ C:\WINDOWS\system32\31.tmp
2009-02-19 01:52 . 2009-02-19 01:52 168 --a------ C:\WINDOWS\system32\2D.tmp
2009-02-19 01:48 . 2009-02-19 01:48 163,748 --a------ C:\WINDOWS\system32\32.tmp
2009-02-19 01:48 . 2009-02-19 01:48 7,168 --a------ C:\WINDOWS\system32\30.tmp
2009-02-19 01:48 . 2009-02-19 01:48 168 --a------ C:\WINDOWS\system32\29.tmp
2009-02-19 01:18 . 2009-02-19 01:21 163,748 --a------ C:\WINDOWS\system32\2F.tmp
2009-02-19 01:18 . 2009-02-19 01:18 7,168 --a------ C:\WINDOWS\system32\2B.tmp
2009-02-19 01:18 . 2009-02-19 01:18 168 --a------ C:\WINDOWS\system32\27.tmp
2009-02-19 01:18 . 2009-02-20 02:02 128 --a------ C:\WINDOWS\adobe.bat
2009-02-19 01:18 . 2009-02-19 01:21 6 --a------ C:\WINDOWS\_id.dat
2009-02-19 00:50 . 2009-02-19 00:50 84,733 --a------ C:\WINDOWS\system32\2C.tmp
2009-02-19 00:50 . 2009-02-19 00:50 7,168 --a------ C:\WINDOWS\system32\2A.tmp
2009-02-19 00:50 . 2009-02-19 00:50 168 --a------ C:\WINDOWS\system32\26.tmp
2009-02-19 00:32 . 2009-02-19 00:39 211 --a------ C:\boot.yuk
2009-02-18 23:53 . 2009-02-18 23:56 164,132 --a------ C:\WINDOWS\system32\28.tmp
2009-02-18 23:53 . 2009-02-18 23:53 25,601 --a------ C:\WINDOWS\system32\23.tmp
2009-02-18 23:53 . 2009-02-18 23:53 7,168 --a------ C:\WINDOWS\system32\25.tmp
2009-02-18 23:53 . 2009-02-18 23:53 168 --a------ C:\WINDOWS\system32\1F.tmp
2009-02-18 23:34 . 2009-02-18 23:37 164,132 --a------ C:\WINDOWS\system32\24.tmp
2009-02-18 23:34 . 2009-02-18 23:34 25,601 --a------ C:\WINDOWS\system32\21.tmp
2009-02-18 23:34 . 2009-02-18 23:34 7,168 --a------ C:\WINDOWS\system32\22.tmp
2009-02-18 23:34 . 2009-02-18 23:34 168 --a------ C:\WINDOWS\system32\1C.tmp
2009-02-18 23:26 . 2009-02-18 23:26 0 --a------ C:\WINDOWS\system32\1B.tmp
2009-02-18 20:28 . 2009-02-18 20:28 89,053 --a------ C:\WINDOWS\system32\1E.tmp
2009-02-18 20:28 . 2009-02-18 20:28 25,601 --a------ C:\WINDOWS\system32\19.tmp
2009-02-18 20:28 . 2009-02-18 20:28 7,168 --a------ C:\WINDOWS\system32\1A.tmp
2009-02-18 20:28 . 2009-02-18 20:28 168 --a------ C:\WINDOWS\system32\17.tmp
2009-02-18 18:42 . 2009-02-18 18:42 <DIR> d--hs---- C:\Documents and Settings\NetworkService\PrivacIE
2009-02-18 18:41 . 2009-02-18 18:41 0 --a------ C:\WINDOWS\system32\16.tmp
2009-02-18 18:40 . 2009-02-19 23:06 138,432 --a------ C:\WINDOWS\system32\drivers\ethylgmp.sys
2009-02-18 18:38 . 2008-04-13 11:39 142,592 --a------ C:\WINDOWS\system32\drivers\aec.sys.bak
2009-02-18 18:36 . 2009-02-18 18:38 164,036 --a------ C:\WINDOWS\system32\20.tmp
2009-02-18 18:36 . 2009-02-18 18:36 3,072 --a------ C:\WINDOWS\system32\1D.tmp
2009-02-18 18:35 . 2009-02-18 18:35 182,656 --a--c--- C:\WINDOWS\system32\dllcache\ndis.sys
2009-02-18 18:35 . 2009-02-18 18:35 168 --a------ C:\WINDOWS\system32\D.tmp
2009-02-18 18:14 . 2009-02-18 18:16 8,413 --a------ C:\WINDOWS\system32\18.tmp
2009-02-18 18:14 . 2009-02-18 18:14 168 --a------ C:\WINDOWS\system32\C.tmp
2009-02-18 17:45 . 2009-02-18 17:45 <DIR> d--h----- C:\WINDOWS\PIF
2009-02-18 17:38 . 2009-02-18 17:38 0 --a------ C:\WINDOWS\system32\B.tmp
2009-02-18 17:28 . 2009-02-18 17:28 0 --a------ C:\WINDOWS\system32\F.tmp
2009-02-18 17:27 . 2009-02-18 17:27 168 --a------ C:\WINDOWS\system32\7.tmp
2009-02-18 14:19 . 2009-02-18 14:19 114,048 --a------ C:\WINDOWS\system32\drivers\snapman.sys
2009-02-17 16:53 . 2009-02-17 16:53 81,931 --a------ C:\WINDOWS\system32\6.tmp
2009-02-17 16:53 . 2009-02-17 16:53 48 --a------ C:\WINDOWS\system32\5.tmp
2009-02-17 14:01 . 2009-02-17 14:01 81,931 --a------ C:\WINDOWS\system32\4.tmp
2009-02-17 14:01 . 2009-02-17 14:01 48 --a------ C:\WINDOWS\system32\3.tmp
2009-02-17 01:54 . 2009-02-17 01:54 81,931 --a------ C:\WINDOWS\system32\15.tmp
2009-02-17 01:54 . 2009-02-17 01:54 88 --a------ C:\WINDOWS\system32\13.tmp
2009-02-17 01:54 . 2009-02-17 01:54 1 --a------ C:\WINDOWS\system32\14.tmp
2009-02-17 00:50 . 2009-02-17 00:50 81,931 --a------ C:\WINDOWS\system32\12.tmp
2009-02-17 00:50 . 2009-02-17 00:50 1 --a------ C:\WINDOWS\system32\11.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-20 05:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2009-02-19 15:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-19 08:16 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2009-02-18 23:35 182,656 ----a-w C:\windows\system32\drivers\ndis.sys
2009-02-17 15:54 --------- d-----w C:\Program Files\Yahoo!
2009-02-17 04:57 --------- d-----w C:\Program Files\mIRC
2009-02-17 03:05 --------- d-----w C:\Program Files\AIMTunes
2009-02-17 00:18 --------- d-----w C:\Documents and Settings\Dudeeli\Application Data\LimeWire
2009-02-17 00:07 --------- d-----w C:\Program Files\LimeWire
2009-02-16 23:51 --------- d-----w C:\Program Files\MSN Messenger
2009-02-16 23:17 --------- d-----w C:\Program Files\Microsoft SQL Server
2009-02-16 18:24 --------- d-----w C:\Program Files\Common Files\HP
2009-02-16 17:03 --------- d-----w C:\Program Files\Viewpoint
2009-02-16 17:03 --------- d-----w C:\Program Files\AIM6
2009-02-16 16:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2009-02-16 04:20 --------- d-----w C:\Program Files\Java
2009-02-15 21:35 34 ----a-w C:\Documents and Settings\Dudeeli\jagex_runescape_preferences.dat
2009-02-15 19:16 --------- d-----w C:\Program Files\Screenshot Utility
2009-02-15 18:22 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2009-02-11 15:19 38,496 ----a-w C:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 15:19 15,504 ----a-w C:\windows\system32\drivers\mbam.sys
2009-02-09 18:18 6,307,328 ----a-w C:\windows\system32\drivers\nv4_mini.sys
2009-01-17 03:28 --------- d-----w C:\Program Files\Vidalia
2009-01-17 03:17 --------- d-----w C:\Program Files\BigFix
2009-01-16 21:08 --------- d-----w C:\Documents and Settings\Dudeeli\Application Data\Vidalia
2009-01-14 02:17 --------- d-----w C:\Program Files\GameSpy Arcade
2009-01-14 02:15 --------- d-----w C:\Program Files\Microsoft Games
2009-01-11 21:58 --------- d-----w C:\Documents and Settings\Dudeeli\Application Data\teamspeak2
2009-01-06 03:29 --------- d-----w C:\Program Files\iTunes
2009-01-06 03:29 --------- d-----w C:\Program Files\iPod
2009-01-06 03:29 --------- d-----w C:\Program Files\Common Files\Apple
2009-01-06 03:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-06 03:27 --------- d-----w C:\Program Files\QuickTime
2009-01-06 03:27 --------- d-----w C:\Program Files\Bonjour
2004-08-10 19:00 94,784 --sh--w C:\windows\twain.dll
2008-04-14 00:12 50,688 --sh--w C:\windows\twain_32.dll
2004-07-30 04:04 1,216 --sh--w C:\windows\Twunk_16.dll
2004-07-30 04:04 1,216 --sh--w C:\windows\Twunk_32.dll
2008-04-14 00:11 1,028,096 --sha-w C:\windows\system32\mfc42.dll
2008-04-14 00:12 57,344 --sh--w C:\windows\system32\msvcirt.dll
2008-04-14 00:12 413,696 --sha-w C:\windows\system32\msvcp60.dll
2008-04-14 00:12 343,040 --sha-w C:\windows\system32\msvcrt.dll
2008-04-14 00:12 551,936 --sh--w C:\windows\system32\oleaut32.dll
2008-04-14 00:12 84,992 --sha-w C:\windows\system32\olepro32.dll
2008-04-14 00:12 28,672 --sh--w C:\windows\system32\regsvr32.exe
.

------- Sigcheck -------

2004-08-10 14:00 31232 9d254180cfb629da474570f3b6efc39a C:\windows\$NtServicePackUninstall$\svchost.exe
2008-04-13 19:12 31232 f5392de6eb62b080f04aec32fe7fcf8c C:\windows\ServicePackFiles\i386\svchost.exe
2008-04-13 19:12 31744 96af315462b1b55358e4799fdc61a712 C:\windows\system32\svchost.exe

2005-05-25 14:07 359936 63fdfea54eb53de2d863ee454937ce1e C:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
2006-01-13 12:07 360448 5562cc0a47b2aef06d3417b733f3c195 C:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
2006-04-20 07:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 11:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-06-20 06:59 361600 ad978a1b783b5719720cff204b666c8e C:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2007-10-30 12:20 360064 90caff4b094573449a0872a0f919b178 C:\windows\$NtServicePackUninstall$\tcpip.sys
2004-08-10 14:00 359040 9f4b36614a0fc234525ba224957de55c C:\windows\$NtUninstallKB893066$\tcpip.sys
2005-05-25 14:04 359808 88763a98a4c26c409741b4aa162720c9 C:\windows\$NtUninstallKB913446$\tcpip.sys
2006-01-12 21:28 359808 583e063fdc888ca30d05c2724b0d7ef4 C:\windows\$NtUninstallKB917953$\tcpip.sys
2006-04-20 06:51 359808 1dbf125862891817f374f407626967f4 C:\windows\$NtUninstallKB941644$\tcpip.sys
2008-04-13 14:20 361344 93ea8d04ec73a85db02eb8805988f733 C:\windows\$NtUninstallKB951748$\tcpip.sys
2008-04-13 14:20 361344 accf5a9a1ffaa490f33dba1c632b95e1 C:\windows\ServicePackFiles\i386\tcpip.sys
2008-06-20 06:51 361600 9425b72f40257b45d45d24773273dad0 C:\windows\system32\dllcache\tcpip.sys
2008-06-20 06:51 361600 9425b72f40257b45d45d24773273dad0 C:\windows\system32\drivers\tcpip.sys

2004-08-10 14:00 182912 1df7f42665c94b825322fae71721130d C:\windows\$NtServicePackUninstall$\ndis.sys
2008-04-13 14:20 182656 1df7f42665c94b825322fae71721130d C:\windows\ServicePackFiles\i386\ndis.sys
2009-02-18 18:35 213120 1df7f42665c94b825322fae71721130d C:\windows\system32\dllcache\ndis.sys
2009-02-18 18:35 213120 1df7f42665c94b825322fae71721130d C:\windows\system32\drivers\ndis.sys

2008-04-13 19:12 1051136 865e9c942e1cff6f4c34a76d091eccb1 C:\windows\explorer.exe
2007-06-13 06:26 1050112 5f10e89e65848d0d379e0cc64c3ff171 C:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
2007-06-13 05:23 1050624 43eca7054855dfb29f2acdf87227d866 C:\windows\$NtServicePackUninstall$\explorer.exe
2004-08-10 14:00 1049600 370ab819a79c3ac0ca9268cf9bfbe642 C:\windows\$NtUninstallKB938828$\explorer.exe
2008-04-13 19:12 1051136 701e09ef0b3866278023f00086e3968e C:\windows\ServicePackFiles\i386\explorer.exe

2004-08-10 14:00 32768 79d08d81716e91aa3db9d6f0f367aa1f C:\windows\$NtServicePackUninstall$\ctfmon.exe
2008-04-13 19:12 32256 bc6a0c9b88f74888ca747234dc8ed1cb C:\windows\ServicePackFiles\i386\ctfmon.exe
2008-04-13 19:12 32768 72d712dd53409ce44a72812325ce166e C:\windows\system32\ctfmon.exe

2005-06-10 19:17 74752 13de8ea2b9b026a762bc0154b4e46f6b C:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2005-06-10 18:53 74752 49223c5ace2980b86dfab0705643bb03 C:\windows\$NtServicePackUninstall$\spoolsv.exe
2004-08-10 14:00 74752 b26eb32bbedc6a878d739629590cc4f8 C:\windows\$NtUninstallKB896423$\spoolsv.exe
2008-04-13 19:12 74752 8cac0e7dd763d813d86afd0c9448095b C:\windows\ServicePackFiles\i386\spoolsv.exe
2008-04-13 19:12 75264 b6c889a36558c062765140d59f591e96 C:\windows\system32\spoolsv.exe

2004-08-10 14:00 41984 be4f2d62a7a717c453520b9dd39ff3ee C:\windows\$NtServicePackUninstall$\userinit.exe
2008-04-13 19:12 43008 47384634a5ec26f551960871c4735724 C:\windows\ServicePackFiles\i386\userinit.exe
2008-04-13 19:12 43008 f54550e7d248d5e345e414c4159250fb C:\windows\system32\userinit.exe

2006-07-05 05:57 985088 0fdd84928a5dde2510761b7ec76ccec9 C:\windows\$hf_mig$\KB917422\SP2QFE\kernel32.dll
2007-04-16 11:07 986112 09f7cb3687f86edaa4ca081f7ab66c03 C:\windows\$hf_mig$\KB935839\SP2QFE\kernel32.dll
2007-04-16 10:52 984576 a01f9ca902a88f7ced06884174d6419d C:\windows\$NtServicePackUninstall$\kernel32.dll
2004-08-10 14:00 983552 888190e31455fad793312f8d087146eb C:\windows\$NtUninstallKB917422$\kernel32.dll
2006-07-05 05:55 984064 d8db5397de07577c1cb50ba6d23b3ad4 C:\windows\$NtUninstallKB935839$\kernel32.dll
2008-04-13 19:11 989696 c24b983d211c34da8fcc1ac38477971d C:\windows\ServicePackFiles\i386\kernel32.dll
2009-02-15 12:47 989696 1dd4f13d20a14655f7e6b48e9ed97007 C:\windows\system32\kernel32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
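The Sigcheck block in the log above lists the MD5 of the same system file at its live location and in Windows' own backup copies ($NtServicePackUninstall$, $hf_mig$, ServicePackFiles, dllcache). The following Python script is an added example, not part of the posted log, ComboFix or any Kaspersky tool; it does that cross-check mechanically. It treats the copy under ServicePackFiles\i386 as the clean SP3 reference, flags every live copy whose hash differs and reports the size delta, and separately flags names for which one MD5 is listed at several sizes (as ndis.sys is above), which an honestly hashed file cannot produce. The sample input is copied from the log above. A mismatch is a candidate, not a verdict: the live tcpip.sys carries the same 2008-06-20 date as the KB951748 hotfix copy, so that one is most likely a legitimate update, and any flagged file still has to be compared against the hotfix's published hash or have its Authenticode signature checked from a clean system.

```python
"""Cross-check a ComboFix-style Sigcheck listing for tampered system files.

Added example for the thread; not part of the posted log or of any vendor tool.
Each Sigcheck line reads: date time size md5 path. The copy under
ServicePackFiles\\i386 is the reference; copies outside the backup/uninstall
folders are "live". Reports live copies whose MD5 differs from the reference
(with size delta) and names where one MD5 is listed at more than one size.
"""
import re
from collections import defaultdict

LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) (\d+) ([0-9a-fA-F]{32}) (.+)$"
)
# Folders ComboFix lists as backup copies; anything else counts as live.
BACKUP_MARKERS = (
    "\\$hf_mig$\\", "\\$ntservicepackuninstall$\\", "\\$ntuninstall",
    "\\servicepackfiles\\", "\\dllcache\\",
)
REFERENCE_MARKER = "\\servicepackfiles\\i386\\"


def parse_sigcheck(text):
    """Parse Sigcheck lines; headers, blanks and other noise are skipped."""
    rows = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        date, time, size, md5, path = m.groups()
        rows.append({
            "date": date, "time": time, "size": int(size),
            "md5": md5.lower(), "path": path,
            "name": path.rsplit("\\", 1)[-1].lower(),
        })
    return rows


def is_live(path):
    """True for a path outside every known backup/uninstall folder."""
    p = path.lower()
    return not any(marker in p for marker in BACKUP_MARKERS)


def check(rows):
    """Return (mismatches, inconsistent).

    mismatches: {name: {live_md5, ref_md5, live_size, ref_size, delta, path}}
    inconsistent: sorted names where one MD5 is reported at several sizes.
    """
    by_name = defaultdict(list)
    for r in rows:
        by_name[r["name"]].append(r)

    mismatches, inconsistent = {}, []
    for name, group in by_name.items():
        refs = [r for r in group if REFERENCE_MARKER in r["path"].lower()]
        lives = [r for r in group if is_live(r["path"])]
        if refs and lives:
            ref = refs[0]
            for live in lives:
                if live["md5"] != ref["md5"]:
                    mismatches[name] = {
                        "live_md5": live["md5"], "ref_md5": ref["md5"],
                        "live_size": live["size"], "ref_size": ref["size"],
                        "delta": live["size"] - ref["size"],
                        "path": live["path"],
                    }
        # An identical MD5 at different sizes cannot come from honest hashing.
        sizes_per_md5 = defaultdict(set)
        for r in group:
            sizes_per_md5[r["md5"]].add(r["size"])
        if any(len(sizes) > 1 for sizes in sizes_per_md5.values()):
            inconsistent.append(name)
    return mismatches, sorted(inconsistent)


# Subset of the Sigcheck section from the log posted above.
SAMPLE = r"""
2004-08-10 14:00 31232 9d254180cfb629da474570f3b6efc39a C:\windows\$NtServicePackUninstall$\svchost.exe
2008-04-13 19:12 31232 f5392de6eb62b080f04aec32fe7fcf8c C:\windows\ServicePackFiles\i386\svchost.exe
2008-04-13 19:12 31744 96af315462b1b55358e4799fdc61a712 C:\windows\system32\svchost.exe

2008-06-20 06:59 361600 ad978a1b783b5719720cff204b666c8e C:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2008-04-13 14:20 361344 accf5a9a1ffaa490f33dba1c632b95e1 C:\windows\ServicePackFiles\i386\tcpip.sys
2008-06-20 06:51 361600 9425b72f40257b45d45d24773273dad0 C:\windows\system32\dllcache\tcpip.sys
2008-06-20 06:51 361600 9425b72f40257b45d45d24773273dad0 C:\windows\system32\drivers\tcpip.sys

2004-08-10 14:00 182912 1df7f42665c94b825322fae71721130d C:\windows\$NtServicePackUninstall$\ndis.sys
2008-04-13 14:20 182656 1df7f42665c94b825322fae71721130d C:\windows\ServicePackFiles\i386\ndis.sys
2009-02-18 18:35 213120 1df7f42665c94b825322fae71721130d C:\windows\system32\dllcache\ndis.sys
2009-02-18 18:35 213120 1df7f42665c94b825322fae71721130d C:\windows\system32\drivers\ndis.sys

2008-04-13 19:12 1051136 865e9c942e1cff6f4c34a76d091eccb1 C:\windows\explorer.exe
2008-04-13 19:12 1051136 701e09ef0b3866278023f00086e3968e C:\windows\ServicePackFiles\i386\explorer.exe

2008-04-13 19:11 989696 c24b983d211c34da8fcc1ac38477971d C:\windows\ServicePackFiles\i386\kernel32.dll
2009-02-15 12:47 989696 1dd4f13d20a14655f7e6b48e9ed97007 C:\windows\system32\kernel32.dll
"""


def report(text=SAMPLE):
    """Convenience wrapper: parse and check in one call."""
    return check(parse_sigcheck(text))


if __name__ == "__main__":
    mism, incons = report()
    for name, info in sorted(mism.items()):
        print(f"{name}: live {info['live_md5']} != ref {info['ref_md5']} "
              f"(size delta {info['delta']:+d}) at {info['path']}")
    for name in incons:
        print(f"{name}: one MD5 reported at several sizes, re-hash from a clean boot")
```

On the sample the script flags svchost.exe, explorer.exe, kernel32.dll and tcpip.sys as differing from their SP3 copies and ndis.sys as internally inconsistent; hashes taken while the infected kernel driver is loaded are themselves suspect, so the decisive hash should be computed with the disk mounted from a clean system.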

#7 jsmitchell (Topic Starter, Member, 18 posts)
Update: I left the computer alone for a while, off the internet, only to find that the CPU again was pegged at 100%. There were no random files being generated this time, likely because I was not connected to the net. Instead, services.exe was spawned a zillion times, as was svchost.exe. I rebooted into Safe Mode and tried to run SDFix, but got the same result as last time (the system rebooted itself almost immediately). After the reboot, I'm running the only program I have that can run without crashing, Spybot, just to see what it finds overnight.

#8 Transience (Unofficial Music Guru, Retired Staff, 2,448 posts)
Well, I'm not going to beat around the bush here: your PC is very, very badly infected. Depending on the results of this scan, we'll know whether it's feasible to attempt to continue to clean it.

Please click here to download AVP Tool by Kaspersky.
  • Save it to your desktop.
  • Reboot your computer into Safe Mode.

    You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit Enter.

  • Double click the setup file to run it.
  • Click Next to continue.
  • It will by default install it to your desktop folder. Click Next.
  • Hit OK at the prompt for scanning in Safe Mode.
  • It will then open a box. There will be a tab that says Automatic scan.
  • Under Automatic scan make sure these are checked.

  • System Memory
  • Startup Objects
  • Disk Boot Sectors.
  • My Computer.
  • Also any other drives (Removable that you may have)


After that, click on Security level, then choose Customize, then click on the tab that says Heuristic Analyzer, then choose Enable Deep rootkit search, then choose OK.
Then choose OK again and you are back at the main screen.

  • Then click on Scan at the top right-hand corner.
  • It will automatically Neutralize any objects found.
  • If some objects are left un-neutralized, then click the button that says Neutralize all.
  • If it says it cannot be Neutralized, then choose the Delete option when prompted.
  • After that is done, click on the Reports button at the bottom and save it to a file named Kas.
  • Save it somewhere convenient, like your desktop, and post only the detected virus/malware from the report (it will be at the very top, under Detected) in your next reply.

    Note: This tool will self-uninstall when you close it, so please save the log before closing it.



Just need that log in your next reply.

Cheers,
Dave

#9 jsmitchell (Topic Starter, Member, 18 posts)
"If it says it cannot be Neutralized then chooose The delete option when prompted."

Kaspersky is only 1% done -- and it's been over an hour -- and it has already said 185 important files are infected with the win32.virut.ce virus: notepad, explorer, regedit, clipboard, etc. I assume the reason it says none have been neutralized is because it will prompt me at the end. I'm obviously quite hesitant to delete any of these files. In the meantime, the tool says the estimated finish time is six days from now! I thought that would change once the system files were finished being analyzed, but it's past that now.

In the meantime, I found another person with XP SP3 who had the same problem but was able, by persistence, to kill it without reformatting everything and starting over. http://www.bleepingc...hp/t203172.html

However, given that this is the kids' computer, there's nothing of any value on it (their music can be resynced from their iPod, all tools can be redownloaded). Maybe that's the easiest route to go now?

Other important information: The one file that stood out to me was xbl_gen.exe in the documents folder. Apparently that's an XBox Live Points Generator scam program where kids see YouTube videos of it "actually working", so they must then click on something that downloads it. In reality, it's a backdoor trojan that takes control of your computer. People should scan for that file and save themselves lots of trouble. Kaspersky labeled it as backdoor.win32.vb.gtf. Obviously that computer is disconnected from the net.

Now what?

#10 jsmitchell (Topic Starter, Member, 18 posts)
My younger son apparently was befriended by someone on a YouTube channel over time, who then told him to check out the XBox Live Points Generator program that he assured him worked. The fact that they had developed a "relationship" over time must have blinded him into trying it. So that's apparently how the backdoor.win32.vb.gtf software got installed, causing the win32.virut.ce (aka W32/Scribble-A) infection to spread and turning the computer into a spambot.

#11 Transience (Unofficial Music Guru, Retired Staff, 2,448 posts)
Well that's unfortunately the confirmation that I wasn't hoping for.

Here's the deal: win32.virut.ce is what's known as a polymorphic file infector, and if that sounds scary that's because, frankly, it is. The way this rootkit works is by infecting massive numbers of files - critical system files but also largely unimportant files. It injects all of your running processes with the malicious code, including the tools we use to try to remove it, which is what makes it so difficult to catch. The code isn't perfect either, so sometimes it doesn't manage to successfully infect a file, and corrupts it by accident, making it unusable, especially a problem with system files. This infection is the security community's worst nightmare at the moment. There have been some instances such as in that link you posted where when it was caught early enough, with prolonged effort, endless scans, and painstaking attention to detail, the infection was successfully removed from machines. By no means are these cases the majority though.

You can read a little more here at malware expert miekiemoes' blog: Virut and other File infectors - Throwing in the Towel?

From your last post, it sounds like this computer is not indispensable to you. It seems the infection has already had a good length of time to take hold judging by the look of your logs and the ongoing state of that Kaspersky scan, so I think your best bet at this point would be to opt for a reformat. It's the quickest, easiest, safest solution to the infection, rather than spending hours upon hours trying to clean it and still not knowing for sure that you're safe at the end.

I suggest you start to back up all of your valuable data/documents/pictures/movies/songs/etc. Do NOT back up any applications/installers and do NOT back up any .exe/.scr/.htm/.html/.asp/.php/.xml/.zip/.rar files, because these files are likely to be infected. If you back them up and restore them afterwards, they will infect your computer again.

When you're ready, read this link for instructions on how to reformat Windows.

Sorry again to be the bearer of bad news, let me know if you have any question and I will answer them to the best of my ability.

- Dave
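The backup rule in the post above (skip applications and installers and every .exe/.scr/.htm/.html/.asp/.php/.xml/.zip/.rar file, keep the data) is easy to get wrong by hand on a machine with thousands of files, so here is an added example, written for this thread and not a tool from the forum or from any vendor, that applies it as a script. One check the post does not mention is added as an assumption: the first two bytes of every file are sniffed, so a renamed executable (a track02.mp3 that actually starts with the "MZ" header, for instance) is skipped too, because a file infector cares about the format, not the extension. The sample file list and its headers are constructed for the example, modelled on the user profile paths in the logs above; the xbl_gen.exe path is an assumption, the post only says it was in the documents folder.

```python
"""Plan a data-only backup off a Virut-infected Windows machine.

Added example for the thread above, not a forum or vendor tool. Applies the
rule from the post: skip applications/installers and every
.exe/.scr/.htm/.html/.asp/.php/.xml/.zip/.rar file, keep documents, pictures
and music. Assumption added here: files that start with the DOS/PE "MZ"
header are skipped whatever their extension, so renamed executables do not
ride along into the backup.
"""
import os

EXCLUDED_EXT = {".exe", ".scr", ".htm", ".html", ".asp", ".php",
                ".xml", ".zip", ".rar"}
PE_MAGIC = b"MZ"  # first two bytes of every DOS/PE executable


def classify(path, head):
    """Return ("keep", None) or ("skip", reason) for one file.

    `head` is the first bytes of the file (two are enough); None means the
    file could not be read, which is treated as "skip" rather than silently
    dropped from the plan.
    """
    if head is None:
        return "skip", "could not read file"
    ext = os.path.splitext(path)[1].lower()
    if ext in EXCLUDED_EXT:
        return "skip", f"{ext} is on the exclusion list"
    if head[:2] == PE_MAGIC:
        return "skip", f"executable header despite extension {ext or '(none)'}"
    return "keep", None


def plan_backup(entries):
    """entries: iterable of (path, head_bytes). Returns (keep, skip).

    keep is a list of paths to copy; skip is a list of (path, reason).
    """
    keep, skip = [], []
    for path, head in entries:
        verdict, reason = classify(path, head)
        if verdict == "keep":
            keep.append(path)
        else:
            skip.append((path, reason))
    return keep, skip


def walk_tree(root):
    """Yield (path, first two bytes or None) for every file under root.

    Run it from a clean system with the infected disk attached read-only, or
    at worst from Safe Mode; never from the normal desktop of the infected
    machine, where the infector is already resident in every process.
    """
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    yield path, fh.read(2)
            except OSError:
                yield path, None


# Constructed sample (paths modelled on the logs above; headers are made up).
SAMPLE = [
    (r"C:\Documents and Settings\Dudeeli\My Documents\xbl_gen.exe", b"MZ\x90\x00"),
    (r"C:\Documents and Settings\Dudeeli\My Documents\homework.doc", b"\xd0\xcf"),
    (r"C:\Documents and Settings\Dudeeli\My Music\track01.mp3", b"ID3"),
    (r"C:\Documents and Settings\Dudeeli\My Music\track02.mp3", b"MZ\x90"),
    (r"C:\Documents and Settings\Dudeeli\My Pictures\holiday.jpg", b"\xff\xd8"),
    (r"C:\Documents and Settings\Dudeeli\Desktop\index.html", b"<!DO"),
    (r"C:\Documents and Settings\Dudeeli\Desktop\photos.zip", b"PK\x03\x04"),
    (r"C:\Documents and Settings\Dudeeli\Desktop\readme", b"MZ"),
    (r"C:\pagefile.sys", None),
]


if __name__ == "__main__":
    keep, skip = plan_backup(SAMPLE)
    for p in keep:
        print("KEEP", p)
    for p, why in skip:
        print("SKIP", p, "-", why)
```

For a real run, feed `plan_backup(walk_tree(r"D:\Documents and Settings"))` with the infected disk mounted as D: on a clean machine, then copy only the keep list. The extension list is the post's; .doc, .pdf and media files pass through, so the copied data should still be scanned on the rebuilt machine with current definitions before anything is opened.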

#12 jsmitchell (Topic Starter, Member, 18 posts)
I'm told the only way to recover from this effectively is to buy a removable hard drive and bit imaging software (e.g. Acronis). This way you can go back in time to before the infection took place. If you have a post about what is recommended, or a link to an article you trust on this, could you post it here? Your own personal choice for what to buy would be appreciated.

Lastly, you might consider relabeling this topic so others can more easily learn from this experience as, according to the miekiemoes blog post of a few days ago, this is the fate of many to come... sadly.

#13 jsmitchell (Topic Starter, Member, 18 posts)
Dave, I have an even worse problem, possibly, with my work computer, running Vista, which won't even boot. I have NO reason to think there's any relationship between the two, but figured I'd run it by you just in case: http://www.geekstogo...de-t229805.html

#14 Transience (Unofficial Music Guru, Retired Staff, 2,448 posts)

"I'm told the only way to recover from this effectively is to buy a removable hard drive and bit imaging software (e.g. Acronis). This way you can go back in time to before the infection took place"

My expertise is really only in the malware section of dealing with things, I know a limited amount about hardware but there are a great many at this forum better equipped to help you out with that question than myself. I can, however, link you to an excellent post written in the Geeks to Go homepage blog that covers backup solutions, click here to give it a read.

"according to the miekiemoes blog post of a few days ago, this is the fate of many to come... sadly."

Most unfortunately, that is the case. Hopefully within a few weeks the major AV vendors will have added detections for this and the panic will be over.

If you have any more questions about reformatting/backing up etc., let me know, and if I don't have answers for you I'll pass them on to the techs, who will be able to give you more knowledge about them than you could ever want.

- Dave

#15 jsmitchell (Topic Starter, Member, 18 posts)
Dave, I haven't stopped Kaspersky from running. It's 47% done with close to 2000 infected files. What I don't want to risk is doing something that will cause it not to boot at all. Even while infected, I can pick out the data files. If I say Neutralize to all of this, is the program smart enough to know a file can't be neutralized without being corrupted? Because if I corrupt any of the system files, I may be dead, which is worse than infected for the time being. Please advise.