Hey. First of all, I guess I should apologise for making another thread on this nasty little piece of malware, given that there's a few already on here. But, none of the info in any of them could help me, and I was loath to hijack one of them with my own complaint, so here I am.

I'm running XP, SP2.

I'm writing from my laptop at the moment, as it's virtually shut down my tower PC.

I picked it up a few days ago, and after a good few hours of struggling with it, I've managed to get rid of the annoying popups, and the actual interface is gone too. However, the rootkit and the nasty little trojans that came with it are still on the PC. The task manager no longer shows any programs running that shouldn't be, initially there was "WindowsPolicePro.exe" and "svchast.exe". Having said that, there are two streams of random numbers in there, along the lines of "0.038538587632.exe". These can be closed down by ending the process tree, but doing that seems to have no effect on the computer. To begin with, these were listed as having been started by me, under my user name, but now they're listed as "SYSTEM". I don't know if that means anything or nothing, but it bothers me.

The computer itself has been slowed down by this to such a degree that it's essentially non-functional. It takes almost 10 minutes to boot up. More irritating, however, is that it's now completely unable to open any exe files, at all. Nothing works, Windows just states that I haven't got the permissions to open the file. This includes regedit and msconfig. I can get into My Documents, and My Computer, but I can't open or view any files. Nor can I open my AV, or any anti-spyware. Unfortunately, this also means that I can't provide any logs for HijackThis, or MalwareBytes, for which I apologise. I don't have a flash drive to get them onto the affected PC, either :(.

I also can't get the damn thing into Safe Mode. I don't know if that's down to the virus or not, but as soon as I get into the mode selection screen, my keyboard stops working, and I have to hit the reset button on the front of the tower.

I think that's all the information I can provide, I know it isn't what's mentioned in the sticky at the top of the forum, but I can't conform to that at the moment :(.

I have one more question: As mentioned above, I have no flash drive, but I do have a USB HD that I use to back stuff up from time to time. In the event that I can't fix this, and have to reformat, would it be possible to connect that up and transfer some files onto it before I restart the machine over? Or would the virus just infect the external HD too? I don't even know if it will let me do that in its current state, but it's worth a try, I guess.

Thank you for reading my long essay. Any help at all would be much, much appreciated. Thanks again!


Hello Asezat and welcome to the thrills and spills that are WPP. Unfortunately I was in this same position a couple of weeks ago. I was able to get my system back to normal and I'm no computer specialist, so don't panic.

The thing is, though, from the sound of things your system seems to be reacting differently after your malware removal attempts. You might have made things worse: it seems you have removed the annoying pop-ups, but the system sounds like it's pretty much locked up.

In order for the people here to help you, you will need to explain every step you took to remove the processes so far. The first step is to post logs so we know what's going on, but if you're unable to gain access to those we will need to know how to get you back to that state.

Best of luck, -R1p

The computer itself has been slowed down by this to such a degree that it's essentially non-functional. It takes almost 10 minutes to boot up. More irritating, however, is that it's now completely unable to open any exe files, at all.. . . .

Are you able to access the internet and download files with the ill computer? I know you can't run programs, but can you download them?

I have no flash drive, but I do have a USB HD that I use to back stuff up from time to time. In the event that I can't fix this, and have to reformat, would it be possible to connect that up and transfer some files onto it before I restart the machine over? Or would the virus just infect the external HD too? I don't even know if it will let me do that in it's current state, but it's worth a try, I guess.

There is a good chance that any re-writable media will get infected.
-- Are you able to burn tools onto a CD if I gave you a list of what we need?
-- Why not purchase a cheap flash drive?
-- If it came to it, we could back up your files to your external drive, but you do run the risk of infecting it.

Let me know where you stand.

If you are able to download to the ill machine, please download FindWPP.zip and RightClick on FindWPP.zip and Extract the FindWPP folder to your Desktop.
-- Inside the folder, you'll see RunThis.bat - DoubleClick it and let it run for as long as it takes.
A log should pop up - please post that for me.


-- I should note that, while we could probably make some progress with tools on a CD, a flash drive would allow us more flexibility. Yes, it runs the risk of getting infected, but we can run some tools from it.......

Cheers :)
PP

The thing is, though, from the sound of things your system seems to be reacting differently after your malware removal attempts. You might have made things worse: it seems you have removed the annoying pop-ups, but the system sounds like it's pretty much locked up.

Hey, I'm glad you managed to sort your comp out, at least it gives me a bit of hope for fixing my own. So far, almost everything I've done was immediately after I was infected, before I rebooted. It's pretty simple stuff, all it was was going into the "Windows Police Pro" file in the program files and deleting the actual program in there. After I'd done that, I rebooted to try and get into safe mode, and that was when the real problems hit me. Prior to the reboot, although the system had immediately slowed right down, I hadn't suffered any exe lockout.

I can't get onto any of my browsers, so unfortunately downloading onto the infected PC directly is out of the question for now. What I can do, though, is burn files from here onto a CD and then try running them on the computer, though I don't know if it will let me. If you can give me a list of what to pick up, I'll get right on it.

I'm not sure how to actually get you logs from my main PC onto here, unless one of the tools is an AV, though.

Regarding a flash drive, I've never needed one until now. If you think it's important I'll get a cheap one on Monday (damn Sunday trading laws!), but I'm kind of loath to risk infecting it and possibly spreading the infection, if there's a good chance of that. The same goes for my external HD, really. Having said that, I'll do what has to be done.

Thank you both for your responses :).

Hey, I'm glad you managed to sort your comp out..... After I'd done that, I rebooted to try and get into safe mode, and that was when the real problems hit me. Prior to the reboot, although the system had immediately slowed right down, I hadn't suffered any exe lockout.

This baddie comes in different flavors and different degrees of difficulty. Most often, there is a rootkit component that makes removal a bear.....

What I can do, though, is burn files from here onto a CD and then try running them on the computer, though I don't know if it will let me. If you can give me a list of what to pick up, I'll get right on it.

Great! We can try that - You'll need three CDs. I'll post the list at the bottom of this post.

I'm not sure how to actually get you logs from my main PC onto here, unless one of the tools is an AV, though.

That's where the Flash Drive comes into play. Allows give and take from the ill machine. Plus, we can run combofix from the flash drive...

Regarding a flash drive, I've never needed one until now. If you think it's important I'll get a cheap one on monday (damn sunday trading laws!), but I'm kind of loath to risk infecting it and possibly spreading the infection, if there's a good chance of that. The same goes for my external HD, really. Having said that, I'll do what has to be done.

Well . . they are inexpensive for a few gigs which is all you'll need.
You'll have to do a little "cost/benefit analysis."

Truth be told, I generally recommend a reformat in these cases. 'Course that depends upon a number of factors, the biggest usually being whether a user has their Windows OS Disk.

XXXXXXXXXXXXXXXXXXXXXXXXXXXXX

OK - Here are the tools you'll need - I'm assuming you'll pick up a Flash Drive:

FIRST: Download and Install ImgBurn if you do not already have it on your machine.

THEN: Download the Avira Rescue System.ISO and use ImgBurn to burn the ISO onto a CD.

NEXT: Download Trinity Rescue Kit.ISO and use ImgBurn to burn the ISO to a second CD


FOR THE THIRD CD:
http://ad13.geekstogo.com/Win32kDiag.exe
http://swandog46.geekstogo.com/avenger.zip
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
With combofix, what I want you to do, though, is this:
When you download it and it asks you to "Save File As," rename combofix to Combo-Fix and then download it to working compy and put it on the CD.
FindWPP.zip
DDS by sUBs and save it to your Desktop
http://download.sysinternals.com/Files/Junction.zip
http://www.raktor.net/exeHelper/exeHelper.com
http://download.bleepingcomputer.com/sUBs/MiniFixes/Inherit.exe
SysProt Anti-Rootkit

I know it seems like a lot, but I like to cover all bases..... :)

NEXT: Repeat the step for the third CD and put all those programs on your Flash Drive


Post back when you are all set (or if you have any questions).
I am usually around in the evenings (EST) working on other things but will keep an eye on this thread.

Cheers :)
PP

NEXT: Download Trinity Rescue Kit.ISO and use ImgBurn to burn the ISO to a second CD

In re-acquainting myself with TRK, I realize that I should've added that ideally this should be on a Re-Writable CD, if possible.

PP :)

Ok, well, everything is downloaded, burnt, and I'm ready to go. I believe Trinity is on a re-writable CD/DVD, too.

I do have one slight possible problem, though. I note that both Avira and Trinity say that I might have to go into the BIOS and change the boot order to allow me to boot from the CD. Two and a half to three years back, I had an issue with the PC refusing to start, and a friend advised me to pop the little battery out of the motherboard and then put it back in, which I duly did. It fixed that particular problem, but when I started the PC up again, the start-up sequence had totally changed. It now informs me each time that "BIOS is not installed". It's never been a problem, until now, Windows starts fine, etc, but I'm a little concerned. Will that be an issue?

Thanks!

Ok, well, everything is downloaded, burnt, and I'm ready to go. I believe Trinity is on a re-writable CD/DVD, too.

Great! - Trinity offers 4 AV scanners, but only Clam is onboard. It needs to update and download and rewrite itself. This is a legit option that uses freeware as opposed to pirated software.
(I wish they would add an option for MBAM or combofix to be downloaded and run...)

I do have one slight possible problem, though. I note that both Avira and Trinity say that I might have to go into the BIOS and change the boot order to allow me to boot from the CD. .....Will that be an issue?

I doubt it - that message is not referring to your "system BIOS" - probably looking for a drive controller. Not a big worry at this time.
-- With any luck your compy will detect the CD on startup and offer the option to boot from it. We'll cross that bridge when we come to it.
Those CDs are strictly a last option in the event that nothing else works - Hopefully we'll not have to use them. (they are good to have around, though - hold onto them)

Let's start with the CD with all the tools on it.
-- See if you are able to transfer FindWPP to the ill computer.
RightClick on FindWPP.zip and Extract the FindWPP folder to your Desktop. Hopefully you won't be blocked from doing that.
-- Inside the folder, you'll see RunThis.bat - DoubleClick it and let it run for as long as it takes.

If the log pops up, save it to the Desktop and then copy it to Flash Drive and post it for me.


Even if that step does not work, go ahead and try this as well:

Move Win32kDiag.exe from the CD to the Desktop.
-- DoubleClick on Win32kDiag.exe to run it. Let it run for as long as it needs to.
-- When it says Finished – Press any key to exit, do that to exit the program.
-- You should now have a Win32kDiag.txt on your Desktop. Please copy to flash drive and post the entire log for me and we’ll go from there.
Be sure to let it run until is says "Finished" before posting the log!


-- Are you able to get a command prompt on ill computer?
Either START > Run >type cmd > OK
or
START > Run >type command.com > OK

-- I suspect we are in very different timezones which may slow us a bit. I am on Eastern Standard Time (GMT-4) and generally around in the evenings.

Anyhoo, let me know if those tools could be run and about command prompt.

Best Luck :)
PP

Ok, well, I stuck the third CD into the drive and fired it up, and it let me read the CD. Having said that, before I could start actually extracting and running the programs, it froze up, and I had to restart the computer. When I went to try again, to my surprise, the CD was empty. Apparently I used a re-writable CD, and whatever it is that's on the computer is either deleting whatever's on it, or making it appear as though it has. I haven't tried running them from the flash drive because I'm still worried about infecting my laptop, too.

I had no joy with "cmd", but "command.com" does bring up the DOS prompt, which is encouraging.

Regarding timezones, I'm in the UK so I'm on GMT, and your afternoon is my evening. I would normally be around then, but due to work issues I haven't been recently, unfortunately. I should be tonight, though.

Thanks!

I had no joy with "cmd", but "command.com" does bring up the DOS prompt, which is encouraging.

That should come in handy.

-- Do this: Open a command prompt and type exactly as I have here:
dir /s %windir%\eventlog.dll > "%userprofile%\desktop\logit.txt"
then hit ENTER.

Logit.txt will be on the desktop - I need to see that, however possible.
I just need the various paths to eventlog.dll and the exact size in bytes for each. You'll not need to copy everything.

-- One of the options I was keeping in reserve in the event that nothing else works (nothing could be transferred to the Desktop of ill compy and then run) is to run Combofix directly from the flash drive.

Perhaps we should go ahead and try that? What do you think?
You won't be able to update it, but it should run and make some progress. Let me know if you want to jump ahead and try that.

But before that, give me the eventlog.dll info.

PP :)

I copied that exact command into the prompt, twice, and each time it said "The system cannot find the file specified". Logit.txt did appear, but it was empty.

-- One of the options I was keeping in reserve in the event that nothing else works (nothing could be transferred to the Desktop of ill compy an then run) is to run Combofix directly from the flash drive.

Perhaps we should go ahead and try that? What do you think?
You won't be able to update it, but it should run and make some progress. Let me know if you want to jump ahead and try that.

I'll try whatever you think will work.

I'll try whatever you think will work.

We should probably try burning the tools onto a non-rewritable disk (not the ISOs, just the disk of tools). That way, we can use command line to copy them to desktop. Let me know if that is workable.

I am a little reluctant to try the flash drive just yet - I am fairly certain the malware has replaced the legit eventlog.dll and once we deal with that, we can make some headway with tools on the desktop. We just need to get them on there.


What happens when you type the following command at the prompt:

dir /s %windir%\eventlog.dll

Note it is dir <space> /s <space>%windir%\eventlog.dll

If error there, try:
sc stop "eventlog" ENTER

What happens?

If error there, try:
sc config "eventlog" start= disabled ENTER

What happens?


PP :)
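PP's eventlog.dll check and the two sc commands, gathered into one batch file so the whole result lands in one log. This is an added example, not FindWPP or any other tool listed in the thread; the file name eventlog_check.cmd and the log path are my choices. It needs cmd.exe rather than command.com: for /f, setlocal and the %~z/%~t modifiers are cmd.exe features, so from the 16-bit prompt the thread fell back to it will not run (try starting cmd.exe from that prompt first). One caveat when reading the result: on XP the stock Event Log service also refuses a stop request, and error 1052 is its normal answer to sc stop, so that error by itself does not prove the DLL has been replaced. A copy in an odd directory, or two copies with different sizes or dates, is the evidence worth posting.

```batch
@echo off
REM eventlog_check.cmd -- added example for this thread, not FindWPP or any
REM tool PP listed. Run from cmd.exe; command.com cannot run it.
setlocal enabledelayedexpansion

REM Same destination PP asked for, so the result can go out on the flash drive.
set "LOG=%USERPROFILE%\Desktop\logit.txt"
> "%LOG%" echo eventlog.dll triage  %DATE% %TIME%

REM 1. Every file named eventlog.dll under %windir%, with size and timestamp.
REM    /a makes dir descend into hidden/system directories such as
REM    system32\dllcache, which holds the file-protection reference copy.
>> "%LOG%" echo.
>> "%LOG%" echo [eventlog.dll copies under %windir%]
set "COUNT=0"
for /f "delims=" %%F in ('dir /s /b /a "%windir%\eventlog.dll" 2^>nul') do (
    set /a COUNT+=1
    >> "%LOG%" echo %%~zF bytes  %%~tF  %%F
)
if "!COUNT!"=="0" >> "%LOG%" echo none found

REM 2. Service state and configuration. After "sc config eventlog start= disabled"
REM    and a reboot, STATE should read STOPPED and START_TYPE DISABLED.
>> "%LOG%" echo.
>> "%LOG%" echo [eventlog service]
sc query eventlog | findstr /i "STATE" >> "%LOG%"
sc qc eventlog | findstr /i "START_TYPE BINARY_PATH_NAME" >> "%LOG%"

type "%LOG%"
endlocal
```

Copy logit.txt to the flash drive and post it as-is; the size and timestamp columns are what make the copies comparable against a known-clean XP SP2 machine.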

I'm not sure if I have any non-rewritable CDs at the moment. I actually spent the best part of an hour looking earlier on, because I thought I did.

Of the three commands, the first gives the "system cannot find the file" response.

The second gives "[SC] ControlService FAILED 1052: The requested control is not valid for this service."

The third: "[SC] ChangeServiceConfig SUCCESS".

The third: "[SC] ChangeServiceConfig SUCCESS".

Good - that's what I thought. It can't be stopped, but it can be disabled.

At the prompt, type sc query "eventlog" and tell me what the State is.
If it is still running, we'll need to reboot and then repeat the query to make sure it is not running.
('course, I am assuming this is replaced file - usually it is, but there have been others)

Then, let's try to copy FindWPP and Win32kDiag.exe to the desktop again. If you can't copy and paste, try the copy command.

Assuming external drive is, say, G:\ the command would be:
copy G:\Win32kDiag.exe "%userprofile%\desktop"
copy G:\FindWPP.zip "%userprofile%\desktop"

Obviously, if not G:\ , you'll need to change accordingly.

Let's see how that works.

Sorry about the delay - doing 10 things at once here :)
PP

The state initially was "4 RUNNING", after a reboot it's "1 STOPPED".

I've just tried to copy the files off the CD normally again, the whole thing froze before I even could get into the CD, this time. When I cleared it, Explorer crashed and forced another reboot.

After that reboot, I tried to copy from the CD using the script, and it just says "Incorrect function."

After that reboot, I tried to copy from the CD using the script, and it just says "Incorrect function."

Well . . . crap. It's not making things easy, is it?
-- You did change the source directory to the correct letter (probably D or E:\), right? (sorry - gotta check)

Try to copy them from the flash drive.

If that does not work, let's go ahead and try to run combofix from the flash drive. You'll not be able to update it, but run it anyway - If it runs, post the log.

PP :)

I did initially have the wrong source directory letter >.> but I fixed it before I made the post.

I managed to get the files off the flash drive with no apparent problems, but it won't let me run Win32kDiag. Same error, not the required permissions. I haven't touched FindWPP, though.

I managed to get the files off the flash drive with no apparent problems, but it won't let me run Win32kDiag. Same error, not the required permissions. I haven't touched FindWPP, though.

-- Can you RightClick on it and Run as Administrator?

-- Did you try command prompt?
type %userprofile%\desktop\win32kdiag.exe ENTER

-- Can you RightClick and extract the FindWPP folder from the ZIP to the desktop?

PP :)

I can run Win32kDiag as admin, but it first says that it can't get the desktop directory, and then "error: could not create log file <13>". Then it shuts itself down.

Yep, it let me extract FindWPP.

Yep, it let me extract FindWPP.

OK - Run RunThis.bat in the FindWPP folder and see if it runs. If the log pops up, save it to the desktop. Put it on the re-writable disc to transfer it, if possible.

PP :)

It won't run. It doesn't give me an error message or anything, it just doesn't do anything after I double click it :/.

It won't run. It doesn't give me an error message or anything, it just doesn't do anything after I double click it :/.

-- What about command prompt:
type %userprofile%\desktop\FindWPP\RunThis.bat ENTER

-- See if you are now able to copy combofix to the desktop. Do that, if possible.

PP :)

The command prompt certainly is useful. I gotta learn a bit more about how to play with it, I think.

Microsoft Windows XP [Version 5.1.2600]
21/10/2009
02:02

FindWPP is running from C:\DOCUME~1\GREGRO~1

RUNNING PROCESSES


EXE KEY MODIFIED?


[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\system32\\pump.exe \"%1\" %*"


CHECKING SELECT POLICIES KEYS


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001


LOOKING FOR REPLACED FILES

Looking for cngaudit.dll

Looking for eventlog.dll

Looking for imm32.dll

Looking for logevent.dll

Looking for netlogon.dll

Looking for ntelogon.dll

Looking for qmgr.dll

Looking for rasauto.dll

Looking for scecli.dll

Looking for sceclt.dll

Looking for sfcfiles.dll

LOOKING FOR SUSPICIOUS FILES


SEARCH AND DESTROY KNOWN FILES

Looking for windows Police Pro.exe

No matches found.
Looking for Windows Antivirus Pro.exe

No matches found.
Looking for ~.exe

No matches found.
Looking for bennuar.old

No matches found.
Looking for bincd32.dat

No matches found.
Looking for braviax.exe

No matches found.

No matches found.
Looking for cru629.dat

No matches found.

No matches found.
Looking for dbsinit.exe

No matches found.
Looking for dddesot.dll

No matches found.
Looking for desot.exe

No matches found.
Looking for desote.exe

No matches found.
Looking for ppp3.dat

No matches found.
Looking for ppp4.dat

No matches found.
Looking for qcfbc.wbg

No matches found.
Looking for _scui.cpl

No matches found.
Looking for sysnet.dat

No matches found.
Looking for svchast.exe

No matches found.
Looking for svchasts.exe

No matches found.
Looking for wisdstr.exe

No matches found.
Looking for wispex.html

No matches found.
Looking for wiwow64.exe

No matches found.

EXE KEY STILL MODIFIED?


[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"


SUSPECT REG KEYS

Nothing Found By This Tool!

CHECKING MBAM

No matches found.

ComboFix is on my desktop, too.

The command prompt certainly is useful. I gotta learn a bit more about how to play with it, I think.

Oh yeah - very useful to learn the various commands available to you!

That said, this is odd - that log looks as though my batch only partially ran properly.

At least it was able to change this:

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\system32\\pump.exe \"%1\" %*"

Back to what it is supposed to be:

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"


The rest is odd...

---- Try running Win32kDiag.exe again and see if same error.
If it won't run, try combofix below.
If it does run, post me the log.

ComboFix is on my desktop, too.

See if you can Run Combofix now - let me know.
type %userprofile%\desktop\combo-fix.exe /KillAll ENTER
You may not be able to update it - no worries.

PP :)
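The hijack that FindWPP undid, as a stand-alone check and repair. This is an added example, not FindWPP, ComboFix or any other tool in the thread; the file name exefix.cmd and the backup folder are assumptions. It goes beyond the thread in one way: it checks the .com, .bat and .cmd handlers as well as .exe, since all four share the stock value "%1" %* on XP and a rogue that takes over one is worth checking for the others. ftype, for /f and delayed expansion are cmd.exe built-ins, so it needs cmd.exe; while exefile still points at pump.exe, cmd.exe will not start from Start > Run, but it may start from the command.com prompt, which is the route the thread already used for reg and sc. Keep the exported .reg files: the path in the hijacked value (here C:\WINDOWS\system32\pump.exe) names the component to go after next, and it explains the "no permission to open" message, since every .exe launch was being routed through that file.

```batch
@echo off
REM exefix.cmd -- added example, not one of the tools in the thread.
REM Checks the open handlers for .exe/.com/.bat/.cmd and resets any that
REM differ from the stock value, saving the hijacked key first.
setlocal enabledelayedexpansion

REM Stock XP value for all four types. %% is a literal % inside a batch file.
set "EXPECTED="%%1" %%*"
set "BACKUPDIR=%USERPROFILE%\Desktop\exefix-backup"
if not exist "%BACKUPDIR%" mkdir "%BACKUPDIR%"

for %%K in (exefile comfile batfile cmdfile) do (
    set "CURRENT="
    REM ftype prints "<type>=<command>"; keep everything after the first "=".
    for /f "tokens=1,* delims==" %%A in ('ftype %%K 2^>nul') do set "CURRENT=%%B"
    if "!CURRENT!"=="!EXPECTED!" (
        echo [ok]      %%K  !CURRENT!
    ) else (
        echo [HIJACK]  %%K  !CURRENT!
        REM Evidence first: the hijacked value names the dropper to look at.
        if exist "%BACKUPDIR%\%%K.reg" del "%BACKUPDIR%\%%K.reg"
        reg export "HKCR\%%K\shell\open\command" "%BACKUPDIR%\%%K.reg" >nul
        REM Restore the default: the same change FindWPP made for exefile.
        ftype %%K="%%1" %%* >nul
        echo           reset to !EXPECTED!  - old key saved as %BACKUPDIR%\%%K.reg
    )
)
endlocal
```

A handler that is missing altogether is reported as a hijack too, because ftype then prints nothing and the empty value fails the comparison; resetting it is the right outcome either way. Resetting the association does not remove pump.exe or plugie.dll, it only stops them being invoked for every launch, so the ComboFix or Win32kDiag pass that follows is still needed.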

Here's my Win32kDiag log:

Running from: C:\Documents and Settings\Greg Rolls\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Greg Rolls\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Cannot access: C:\WINDOWS\system32\plugie.dll

[1] 2009-10-15 07:02:22 655360 C:\WINDOWS\system32\plugie.dll ()

Cannot access: C:\WINDOWS\system32\pump.exe

[1] 2009-10-15 07:05:09 541696 C:\WINDOWS\system32\pump.exe ()

Finished!

ComboFix is currently running atm, it's just made me reboot because it found the rootkit, which can only be good!

Having said that.... apparently I don't have Microsoft's system restore kit or something installed, so it says it won't attempt the fix of "some serious infections". Hopefully that won't be a problem.

ComboFix is currently running atm, it's just made me reboot because it found the rootkit, which can only be good!

Having said that.... apparently I don't have Microsoft's system restore kit or something installed, so it says it won't attempt the fix of "some serious infections". Hopefully that won't be a problem.

That's the least of your worries . . LOL!

Actually, the Trinity Rescue Kit and Avira Tool operate much in the same way as the Recovery Console except TRK is Linux.

-- I realized why FindWPP didn't work properly - LOL - command.com prompt. I had a minor "brain cramp."

Let me know how combofix shakes out - keeping my fingers crossed it completes properly..... :)

PP

One ComboFix log:

ComboFix 09-10-19.04 - Greg Rolls 21/10/2009 2:57.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.2047.1554 [GMT 1:00]
Running from: c:\documents and settings\Greg Rolls\Desktop\Combo-Fix.exe
AV: avast! antivirus 4.8.1229 [VPS 090103-0] *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Norton Internet Security *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Greg Rolls\Application Data\.#
c:\documents and settings\Greg Rolls\Application Data\.#\MBX@1088@3741A8.###
c:\documents and settings\Greg Rolls\Application Data\.#\MBX@1088@3741D8.###
c:\documents and settings\Greg Rolls\Application Data\.#\MBX@1088@374208.###
c:\documents and settings\Greg Rolls\Application Data\.#\MBX@F74@3741A8.###
c:\documents and settings\Greg Rolls\Application Data\.#\MBX@F74@3741D8.###
c:\documents and settings\Greg Rolls\Application Data\.#\MBX@F74@374208.###
c:\documents and settings\Greg Rolls\Application Data\0200000063cdd2e6C.manifest
c:\documents and settings\Greg Rolls\Application Data\0200000063cdd2e6O.manifest
c:\documents and settings\Greg Rolls\Application Data\0200000063cdd2e6P.manifest
c:\documents and settings\Greg Rolls\Application Data\0200000063cdd2e6S.manifest
c:\documents and settings\Greg Rolls\Start Menu\Programs\Windows Police Pro
c:\documents and settings\Greg Rolls\Start Menu\Programs\Windows Police Pro\Windows Police Pro.lnk
c:\program files\Mail.Ru\Agent\Mra\dll\newmrasearch.dll
C:\temp.temp
c:\windows\isicawaj.dll
c:\windows\system\oeminfo.ini
c:\windows\system32\0.3258360179300799.exe
c:\windows\system32\images
c:\windows\system32\images\i1.gif
c:\windows\system32\images\i2.gif
c:\windows\system32\images\i3.gif
c:\windows\system32\images\j1.gif
c:\windows\system32\images\j2.gif
c:\windows\system32\images\j3.gif
c:\windows\system32\images\jj1.gif
c:\windows\system32\images\jj2.gif
c:\windows\system32\images\jj3.gif
c:\windows\system32\images\l1.gif
c:\windows\system32\images\l2.gif
c:\windows\system32\images\l3.gif
c:\windows\system32\images\pix.gif
c:\windows\system32\images\t1.gif
c:\windows\system32\images\t2.gif
c:\windows\system32\images\up1.gif
c:\windows\system32\images\up2.gif
c:\windows\system32\images\w1.gif
c:\windows\system32\images\w11.gif
c:\windows\system32\images\w2.gif
c:\windows\system32\images\w3.gif
c:\windows\system32\images\w3.jpg
c:\windows\system32\images\wt1.gif
c:\windows\system32\images\wt2.gif
c:\windows\system32\images\wt3.gif
c:\windows\system32\nuar.old
c:\windows\system32\plUGie.dll
c:\windows\system32\pump.exe
c:\windows\system32\skynet.dat
c:\windows\system32\wispex.html
c:\windows\wf3.dat
c:\windows\wf4.dat
C:\xcrashdump.dat

Infected copy of c:\windows\system32\drivers\vaxscsi.sys was found and disinfected
Restored copy from - Kitty ate it :^)
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ANTIPOL
-------\Legacy_aawserviceAlerter
-------\Service_aawserviceAlerter


((((((((((((((((((((((((( Files Created from 2009-09-21 to 2009-10-21 )))))))))))))))))))))))))))))))
.

2009-10-15 06:32 . 2009-10-08 10:31 149456 ----a-w- c:\windows\SGDetectionTool.dll
2009-10-15 06:32 . 2009-10-08 10:31 165840 ----a-w- c:\windows\PCTBDRes.dll
2009-10-15 06:32 . 2009-10-08 10:31 1636304 ----a-w- c:\windows\PCTBDCore.dll
2009-10-15 06:32 . 2009-10-08 10:31 767952 ----a-w- c:\windows\BDTSupport.dll
2009-10-15 06:32 . 2009-10-02 13:19 1152470 ----a-w- c:\windows\UDB.zip
2009-10-15 06:32 . 2008-11-26 11:08 131 ----a-w- c:\windows\IDB.zip
2009-10-15 06:29 . 2009-09-24 07:55 229304 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-10-15 06:29 . 2009-10-06 15:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-10-15 06:29 . 2009-09-23 15:10 207280 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-10-15 06:29 . 2009-09-03 08:45 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-10-15 06:29 . 2009-10-21 02:09 -------- d-----w- c:\program files\Spyware Doctor
2009-10-15 06:29 . 2009-10-15 06:32 -------- d-----w- c:\program files\Common Files\PC Tools
2009-10-15 06:29 . 2009-10-15 06:29 -------- d-----w- c:\documents and settings\Greg Rolls\Application Data\PC Tools
2009-10-15 06:29 . 2009-10-15 06:29 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-10-15 06:29 . 2009-10-21 02:09 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-15 06:09 . 2009-10-15 06:09 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-10-15 06:03 . 2009-10-20 23:34 0 ----a-w- c:\windows\Ohamozu.bin
2009-10-15 06:03 . 2009-10-15 06:03 120 ----a-w- c:\windows\Sboqomatumoye.dat
2009-10-15 06:03 . 2009-10-15 06:03 -------- d-----w- c:\documents and settings\Greg Rolls\Local Settings\Application Data\{BA329704-D034-4EA0-8960-07CA256C9EA2}
2009-10-15 06:01 . 2009-10-15 06:03 131731 ----a-w- c:\windows\system32\dbsinit.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-21 02:12 . 2005-04-30 11:27 -------- d-----w- c:\program files\Microsoft AntiSpyware
2009-10-21 02:10 . 2005-01-13 15:40 384 ----a-w- c:\windows\system32\DVCStateBkp-{00000000-00000000-00000006-00001102-00000004-20021102}.dat
2009-10-21 02:10 . 2005-01-13 15:40 384 ----a-w- c:\windows\system32\DVCState-{00000000-00000000-00000006-00001102-00000004-20021102}.dat
2009-10-21 01:50 . 2009-04-03 17:16 -------- d-----w- c:\documents and settings\Greg Rolls\Application Data\DNA
2009-10-20 23:51 . 2009-04-03 17:16 -------- d-----w- c:\program files\DNA
2009-10-13 20:00 . 2005-07-06 22:17 -------- d-----w- c:\program files\World of Warcraft
2009-10-12 18:33 . 2009-04-03 17:16 -------- d-----w- c:\documents and settings\Greg Rolls\Application Data\BitTorrent
2009-10-10 00:28 . 2005-05-15 13:16 -------- d-----w- c:\documents and settings\Greg Rolls\Application Data\Skype
2009-10-06 13:45 . 2005-01-27 22:34 -------- d-----w- c:\program files\mIRC
2009-09-16 02:20 . 2009-10-15 06:29 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-09-15 22:05 . 2005-02-05 04:51 28160 ----a-w- c:\documents and settings\Greg Rolls\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-15 22:04 . 2009-09-15 22:04 -------- d-----w- c:\program files\Microsoft
2009-09-15 22:04 . 2009-09-15 22:03 -------- d-----w- c:\program files\Windows Live
2009-09-15 22:04 . 2009-09-15 22:04 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-09-15 22:02 . 2009-09-15 22:02 -------- d-----w- c:\program files\Common Files\Windows Live
2009-09-15 05:20 . 2009-10-15 06:29 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2009-09-15 01:12 . 2009-10-15 06:29 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2009-09-15 00:01 . 2009-10-15 06:29 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2009-08-31 17:32 . 2009-08-31 17:29 -------- d-----w- c:\documents and settings\Greg Rolls\Application Data\Mra
2009-08-31 17:29 . 2009-08-31 17:29 -------- d-----w- c:\program files\Mail.Ru
2009-08-28 09:26 . 2009-08-28 09:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
2009-07-26 15:44 . 2009-07-26 15:44 48448 ----a-w- c:\windows\system32\sirenacm.dll
2002-11-19 15:01 . 2005-03-02 02:29 28672 ----a-w- c:\program files\opera\program\plugins\PlugDef.dll
2004-08-04 12:00 . 2004-08-04 12:00 165988 --sha-r- c:\windows\system32\ptdtaqc.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{472734EA-242A-422B-ADF8-83D1E48CC825}"= "c:\program files\Spyware Doctor\BDT\PCTBrowserDefender.dll" [2009-10-08 395216]

[HKEY_CLASSES_ROOT\clsid\{472734ea-242a-422b-adf8-83d1e48cc825}]
[HKEY_CLASSES_ROOT\BrowserDefender.BDToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{175B7885-28AB-4D18-8773-7A13A99980A4}]
[HKEY_CLASSES_ROOT\BrowserDefender.BDToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteCenter"="c:\program files\Creative\MediaSource\RemoteControl\RCMan.EXE" [2003-10-08 139264]
"AIM"="c:\program files\AIM\aim.exe" [2004-08-10 61440]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2007-08-25 23090984]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 2156368]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-04-03 321344]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-15 339968]
"CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE" [2003-06-18 45056]
"SBDrvDet"="c:\program files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 45056]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2004-09-13 1450096]
"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2005-05-26 100056]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2004-12-20 33792]
"DeadAIM"="c:\program files\AIM\\DeadAIM.ocm" [2004-02-23 144896]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_02\bin\jusched.exe" [2005-03-04 36975]
"gcasServ"="c:\program files\Microsoft AntiSpyware\gcasServ.exe" [2005-02-10 473920]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 368706]
"Motive SmartBridge"="c:\progra~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe" [2003-12-30 380928]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-16 282624]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"wltray.exe"="c:\windows\system32\wltray.exe" [2005-01-29 696422]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-28 185896]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]
"MAgent"="c:\program files\Mail.Ru\Agent\MAgent.exe" [2009-08-31 7975608]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-03-23 58992]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2009-09-22 1243088]
"PtiuPbmd"="ptipbm.dll" - c:\windows\system32\ptipbm.dll [2003-01-15 24576]
"CTHelper"="CTHELPER.EXE" - c:\windows\system32\CTHELPER.EXE [2003-10-06 24576]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2004-06-08 29696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\KEM.exe [2005-1-13 581632]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2005-6-22 118784]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli wiplrax.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^broadband medic.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\broadband medic.lnk
backup=c:\windows\pss\broadband medic.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PalTalk.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PalTalk.lnk
backup=c:\windows\pss\PalTalk.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\Program Files\\KCeasy\\giFT\\giFTl.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1134:TCP"= 1134:TCP:fwoyzic

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [15/10/2009 07:29 207280]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [04/11/2008 21:33 78416]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [04/11/2008 21:33 20560]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [15/10/2009 07:32 112592]
R2 PfDetNT;PfDetNT;c:\windows\system32\drivers\PfModNT.sys [13/01/2005 16:33 15840]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [15/10/2009 07:29 358600]
S2 sekvhtb;Security System;c:\windows\system32\svchost.exe -k netsvcs [04/08/2004 13:00 14336]
S3 iMSPCLOj;iMSPCLOj;\??\c:\docume~1\GREGRO~1\LOCALS~1\Temp\iMSPCLOj.sys --> c:\docume~1\GREGRO~1\LOCALS~1\Temp\iMSPCLOj.sys [?]
S3 rzwrcfbg;rzwrcfbg;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - PCTSDInjDriver32

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
sekvhtb
.
Contents of the 'Scheduled Tasks' folder

2009-10-09 c:\windows\Tasks\Norton AntiVirus - Scan my computer - Greg Rolls.job
- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2004-08-30 11:20]

2009-10-20 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2005-01-13 12:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ntlworld.com/broadband
IE: {{7558B7E5-7B26-4201-BEDB-00D5FF534523} - c:\program files\Mail.Ru\Agent\magent.exe
LSP: c:\program files\Secure Surfing Engine\sselsp.dll
FF - ProfilePath - c:\documents and settings\Greg Rolls\Application Data\Mozilla\Firefox\Profiles\gzs7vvqp.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJPI150_02.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Opera\Program\Plugins\np32dsw.dll
FF - plugin: c:\program files\Opera\Program\Plugins\nppl3260.dll
FF - plugin: c:\program files\Opera\Program\Plugins\nprjplug.dll
FF - plugin: c:\program files\Opera\Program\Plugins\nprpjplug.dll
FF - plugin: c:\windows\system32\C2MP\npdivx32.dll
FF - HiddenExtension: XULRunner: {BA329704-D034-4EA0-8960-07CA256C9EA2} - c:\documents and settings\Greg Rolls\Local Settings\Application Data\{BA329704-D034-4EA0-8960-07CA256C9EA2}
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-SIAPRO7 - c:\program files\Steganos Internet Anonym Pro 7\SIAPRO7.exe
HKLM-Run-Gtigu - c:\windows\isicawaj.dll
HKU-Default-RunOnce-SIAPRO7 - c:\program files\Steganos Internet Anonym Pro 7\SIAPRO7.exe
Notify-20a6ac88448 - c:\windows\System32\hal32.dll
Notify-__c0037439 - c:\windows\system32\__c0037439.dat
AddRemove-Warhammer Online: Age of Reckoning_is1 - c:\warhammer online - age of reckoning\unins000.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-21 03:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\rzwrcfbg]
"ImagePath"="\??\c:\windows\system32\02.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sekvhtb]
"ServiceDll"="c:\windows\system32\ptdtaqc.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(704)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(768)
c:\windows\wiplrax.dll
c:\program files\Secure Surfing Engine\sselsp.dll

- - - - - - - > 'explorer.exe'(4344)
c:\program files\Spyware Doctor\pctgmhk.dll
c:\progra~1\ntl\BROADB~1\SMARTB~1\SBHook.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\wiplrax.dll
c:\windows\system32\ctagent.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Ahead\InCD\InCDsrv.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\System32\bcmwltry.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\combo-fix\CF14267.exe
c:\program files\Microsoft AntiSpyware\gcasDtServ.exe
c:\windows\system32\CTsvcCDA.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
c:\windows\system32\MsPMSPSv.exe
c:\program files\Logitech\SetPoint\KHALMNPR.EXE
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\program files\Spyware Doctor\pctsSvc.exe
c:\program files\Windows Live\Contacts\wlcomm.exe
c:\combo-fix\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-21 3:26 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-21 02:26

Pre-Run: 8,806,871,040 bytes free
Post-Run: 9,052,086,272 bytes free

- - End Of File - - E4F8CE2968366562121878589EB55D56


:)

The machine still doesn't seem right, though :/.
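The log above carries several persistence indicators a helper would check first: the extra DLL in the LSA Notification Packages value (loaded into lsass.exe at boot), a randomly named netsvcs service whose ServiceDll is a system+hidden DLL in system32, two drivers whose images sit in a Temp folder or a .tmp file, and a globally open firewall port. The triage below is an added example, not code from the original post or from ComboFix; the heuristics are ours and the sample lines are constructed from the posted log.

```python
import re

# Constructed sample: the lines from the posted log that the triage keys on.
SAMPLE_LOG = r"""
2004-08-04 12:00 . 2004-08-04 12:00 165988 --sha-r- c:\windows\system32\ptdtaqc.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli wiplrax.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1134:TCP"= 1134:TCP:fwoyzic
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sekvhtb]
"ServiceDll"="c:\windows\system32\ptdtaqc.dll"
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [15/10/2009 07:29 207280]
S2 sekvhtb;Security System;c:\windows\system32\svchost.exe -k netsvcs [04/08/2004 13:00 14336]
S3 iMSPCLOj;iMSPCLOj;\??\c:\docume~1\GREGRO~1\LOCALS~1\Temp\iMSPCLOj.sys --> c:\docume~1\GREGRO~1\LOCALS~1\Temp\iMSPCLOj.sys [?]
S3 rzwrcfbg;rzwrcfbg;\??\c:\windows\system32\02.tmp --> c:\windows\system32\02.tmp [?]
"""

# File-report rows ("date . date size attrs path") and "R0 name;desc;path [..]" service rows.
FILE_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d (?:\d+|-+) (\S{8}) (.+)$")
SERVICE_RE = re.compile(r"^[RS]\d ([^;]+);[^;]*;(.*?) \[")
TEMP_PATH = re.compile(r"\\Temp\\|\.tmp\b", re.I)  # image lives in a temp dir or a .tmp file


def triage(log_text):
    """Return (severity, message) findings for the persistence tricks this log shows."""
    findings, netsvcs, service_dlls, file_attrs, key = [], set(), {}, {}, ""
    for line in log_text.splitlines():
        m = FILE_RE.match(line)
        if m:
            file_attrs[m.group(2).lower()] = m.group(1)  # attribute flags per path
        elif line.startswith("["):
            key = line.strip("[]").lower()
        elif line.startswith("Notification Packages"):
            # XP's default is scecli alone; every extra DLL is loaded into lsass.exe at boot.
            extra = [p for p in line.split()[3:] if p.lower() != "scecli"]
            if extra:
                findings.append(("high", "non-default LSA notification package(s) in lsass.exe: " + ", ".join(extra)))
        elif line.startswith('"') and "globallyopenports" in key:
            findings.append(("review", "globally open firewall port: " + line.strip()))
        elif line.startswith('"ServiceDll"=') and "\\services\\" in key:
            service_dlls[key.rsplit("\\", 1)[1]] = line.split("=", 1)[1].strip('"').lower()
        else:
            m = SERVICE_RE.match(line)
            if m and TEMP_PATH.search(m.group(2)):
                findings.append(("high", "service/driver %s loads from a temp or .tmp path: %s" % m.groups()))
            elif m and "svchost.exe -k netsvcs" in m.group(2).lower():
                netsvcs.add(m.group(1).lower())
    # Cross-check: a netsvcs-hosted service whose DLL carries system+hidden attributes.
    for svc, dll in service_dlls.items():
        if svc in netsvcs:
            msg = "netsvcs service '%s' hosts %s" % (svc, dll)
            if "s" in file_attrs.get(dll, "") and "h" in file_attrs.get(dll, ""):
                msg += " (system+hidden attributes, unusual for a service DLL)"
            findings.append(("high", msg))
    return findings
```

Run against the sample it reports four "high" findings and one "review" entry, and says nothing about the legitimate PCTCore driver; the same function works on a full ComboFix log pasted into `log_text`.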

One ComboFix log:

:)

The machine still doesn't seem right, though :/.

That's not surprising - we are nowhere near finished.... :)

But - you are starting to make good progress!


-- Let's restart eventlog.
Command prompt: type sc config "eventlog" start= auto ENTER
Don't reboot - just leave it for now.


-- Are you able to now download programs to the ill compy?
If so, please do this:

--- Download and run MBAM as per Step #8 in the linky below:
http://www.daniweb.com/forums/thread134865.html
Make sure to remove all it finds and post me the log.

THEN:

--- DELETE your current copy of combofix.
Then follow the instructions in the link below to download a fresh copy of Combofix and run it:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

You should not need to rename it this time and it should be able to install Recovery Console.

Be sure to install Recovery Console (if you are able to do so) and disable any other security programs or Anti-Virus programs as per the linky before running Combofix!

Post me that log as well and we'll see where that leaves us.

Cheers :)
PP

Ok, I've restarted eventlog. But I've got a problem. Currently I'm using the same cable modem for internet on both the laptop and the ill tower PC, just switching the cables and rebooting the modem. At the moment, though, it doesn't want to work and give me internet on the tower. I've got a suspicion that I'll have to reboot for it to work.

I haven't done anything yet, haven't restarted. I could download MBAM on this laptop and transfer it via flash drive, I guess, but I'll just leave the tower ticking over for now.

I haven't done anything yet, haven't restarted. I could download MBAM on this laptop and transfer it via flash drive, I guess, but I'll just leave the tower ticking over for now.

That's a good idea. Do that for MBA-M and run it.
Be sure to have it remove all it finds.

Then, Reboot.

Then see if you can access internet and DL a fresh combofix on ill compy and install recovery console and run combofix.
If no joy, then we'll install recovery console manually. No worries.


How are you holding up? Not too frustrated, I hope....

I will say this - If you have your Windows disk, I would still recommend a reformat after we clean the machine and you are able to pull your important data off somewhat safely. We can probably get it back and running in pretty good shape, but infestations such as this one can leave a system a bit unstable and you can never really trust that the machine is secure.
I do enjoy the challenge posed by a particularly nasty piece of malware, but if it were my machine, that is what I'd do........


Post me that MBAM log and let me know how you fare with the rest.

I'll be home in about 4 hours to check back in.

PP:)
