I got hit with the Windows Police Pro virus, and it has locked up everything. I can't get into Control Panel, Task Manager, hell, not even the calculator. I have tried every command listed for restarting Task Manager or regedit, but can't get access. I can't even log into safe mode. I don't know what else to try. Now I'm posting on an old computer. I am completely stumped here. I was able to run a virus program that has deleted a lot of viruses, but I am still locked out. Please, any help would be great, thanks.
mike34 0 Newbie Poster
PhilliePhan 171 Central Scrutinizer Team Colleague
-- Do you have a flash drive to transfer tools and scanlogs between computers?
-- Can you get a command prompt on the ill machine?
START > RUN > type cmd > OK
or
START > RUN > type command.com > OK
Let me know.
PP :)
mike34 0 Newbie Poster
yes to both questions
mike34 0 Newbie Poster
Yes, I can get the command prompt and have a flash drive.
PhilliePhan 171 Central Scrutinizer Team Colleague
Allrightythen!
You'll need to put these tools on your flash drive:
• http://ad13.geekstogo.com/Win32kDiag.exe
• http://swandog46.geekstogo.com/avenger.zip
• http://www.bleepingcomputer.com/combofix/how-to-use-combofix
With combofix, what I want you to do, though, is this:
When you download it and it asks you to "Save File As," rename combofix to Combo-Fix and then download it to the working compy and put it on the flash drive.
• FindWPP.zip
• DDS by sUBs
• http://download.sysinternals.com/Files/Junction.zip
• http://www.raktor.net/exeHelper/exeHelper.com
• http://download.bleepingcomputer.com/sUBs/MiniFixes/Inherit.exe
• SysProt Anti-Rootkit
Then, see if you are able to copy these to the desktop:
-- FindWPP.zip
-- Win32kDiag.exe
-- Combo-fix.exe
Let me know how you fare.
PP :)
mike34 0 Newbie Poster
OK, they are there.
PhilliePhan 171 Central Scrutinizer Team Colleague
With the three tools now on the Desktop, try this:
-- See if combofix will run. If not, try RightClick on it and Run As Administrator.
If it runs, let it finish and post the log.
If no combofix, then Extract the FindWPP folder from the FindWPP.ZIP
In the folder you'll find RunThis.bat
Run it and post me the log.
Let me know how you fare.
PP :)
mike34 0 Newbie Poster
OK, doing it now.
mike34 0 Newbie Poster
With both I get a message saying registry edit is disabled by administrator.
PhilliePhan 171 Central Scrutinizer Team Colleague
Open a command prompt and type %userprofile%\desktop\combo-fix.exe /KillAll ENTER
Note there is a space here --> .exe<space>/KillAll
EDIT: Try using command.com to open prompt if that fails.
mike34 0 Newbie Poster
Says combo-fix.exe is not a recognizable command.
PhilliePhan 171 Central Scrutinizer Team Colleague
Is combo-fix.exe on the desktop? You did rename it and it is not combofix (w/out dash)?
Click START > Run > type command.com to open the command prompt and then type:
cd %userprofile%\desktop ENTER
then type
combo-fix.exe /KillAll ENTER (or combofix.exe if not renamed)
It should run - let me know.
PP :)
mike34 0 Newbie Poster
Yeah, it's there. Hang on, I'll try that.
mike34 0 Newbie Poster
Now it says installation files for combofix are corrupted. I cannot get it to install at all.
PhilliePhan 171 Central Scrutinizer Team Colleague
OK - let's try something else for the time being:
RightClick on FindWPP.ZIP and Extract the FindWPP folder from the ZIP to the desktop.
In the FindWPP folder you'll find RunThis.bat
Run it and post me the log.
With any luck, that will work ok...
mike34 0 Newbie Poster
Nope, get a message saying registry editing has been disabled by the administrator. This is making me feel dumb.
PhilliePhan 171 Central Scrutinizer Team Colleague
This is the worst malware I've seen in 6+ years of volunteering in forums . . . and I've seen some doozies!
-- Were you able to extract the FindWPP folder from the ZIP?
If so:
Click START > Run > type command.com to open the command prompt and then type:
cd %userprofile%\desktop\FindWPP ENTER
then type
RunThis.bat ENTER
If that doesn't work:
Click START > Run > type command.com to open the command prompt and then type:
cd %userprofile%\desktop ENTER
then type
Win32kDiag.exe ENTER
If that runs, allow it to run until it finishes (it will say "finished")
Post the log.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
If no joy with any of the above, move Inherit.exe from your flash drive to the Desktop.
Then, drag and drop Win32kDiag.exe onto Inherit.exe on the desktop. After a few seconds, a dialog box should pop up saying "OK"
If that works, try to run Win32kDiag.exe again.
PP :)
mike34 0 Newbie Poster
OK, I'll try that, lol. Told ya this was bad.
PhilliePhan 171 Central Scrutinizer Team Colleague
I've seen a lot of this baddie - It comes in different flavors and different degrees of difficulty.
Most of the compys I see this on have a lot of P2P apps.....
mike34 0 Newbie Poster
Win32kDiag ran, but didn't list anything, just said warning could not get backup privileges, and dragging and dropping onto Inherit did nothing at all.
PhilliePhan 171 Central Scrutinizer Team Colleague
It takes a while to run - Try it again.
Let it run until it says "Finished. Press any key . . . ."
The log will be on the desktop.
PP :)
mike34 0 Newbie Poster
That's what the log said. I'll try to post it for you.
mike34 0 Newbie Poster
Have to go pick up the ole lady from work. I'll be back in a while.
PhilliePhan 171 Central Scrutinizer Team Colleague
No worries - heading out for a bit myself.
-- The win32kdiag log will say "Finished!" at the bottom if it completed.
If not, run it again - let it run while you are away. Should be plenty of time.
PP :)
mike34 0 Newbie Poster
Here is the entire log from Win32kDiag. Don't laugh, lol.
Running from: C:\Documents and Settings\Owner\Desktop\Win32kDiag.exe
Log file at : C:\Documents and Settings\Owner\Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...
Finished!
That's it.
PhilliePhan 171 Central Scrutinizer Team Colleague
Not laughing - that is actually good.
Delete your copy of combofix and download a fresh one and see if it runs. Maybe the last DL really was corrupted?
PP :)
mike34 0 Newbie Poster
Combo-Fix finally ran. Here is the log. Let me know if I'm OK, or if there is still a problem. I am posting this from the infected comp, lol, so I have made some progress.
ComboFix 09-10-22.01 - Owner 10/23/2009 15:54.2.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1534.1034 [GMT -5:00]
Running from: K:\Combo-Fix.exe
AV: Norton AntiVirus 2005 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Worm Protection *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\Windows Police Pro
c:\recycler\S-1-5-21-1410423812-864733819-4253876692-1003
c:\windows\system32\FInstall.sys
c:\windows\system32\Install.txt
c:\windows\system32\schtml
c:\windows\system32\skynet.dat
c:\windows\system32\winhelper.dll
c:\windows\system32\winupdate.exe
c:\windows\system32\yajqpcnyz.dll
c:\windows\TEMP\mta13187.dll
D:\Autorun.inf
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_6TO4
-------\Service_6to4
((((((((((((((((((((((((( Files Created from 2009-09-23 to 2009-10-23 )))))))))))))))))))))))))))))))
.
2009-10-23 19:51 . 2009-10-23 20:01 -------- d-----w- C:\Combo-Fix
2009-10-23 19:28 . 2009-10-23 20:51 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-10-22 00:07 . 2009-10-22 00:07 -------- d-----w- C:\PKBTEMP
2009-10-21 04:50 . 2009-10-21 04:50 -------- d-----w- C:\Virus Removal Tool3
2009-10-21 04:50 . 2008-07-08 19:54 148496 ----a-w- c:\windows\system32\drivers\82378402.sys
2009-10-21 04:25 . 2008-07-08 19:54 148496 ----a-w- c:\windows\system32\drivers\74731399.sys
2009-10-21 04:08 . 2008-07-08 19:54 148496 ----a-w- c:\windows\system32\drivers\53482418.sys
2009-10-20 22:52 . 2008-07-08 19:54 148496 ----a-w- c:\windows\system32\drivers\66422679.sys
2009-10-20 20:25 . 2009-10-23 21:03 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-20 19:57 . 2009-10-20 19:57 -------- d-----w- c:\documents and settings\Owner\Application Data\Sammsoft
2009-10-20 19:57 . 2009-10-20 19:57 -------- d-----w- c:\program files\MemTurbo 4
2009-10-20 19:56 . 2009-10-20 19:56 -------- d-----w- c:\program files\Advanced Registry Optimizer
2009-10-20 19:36 . 2009-10-20 19:36 1152 ----a-w- c:\windows\system32\windrv.sys
2009-10-20 19:36 . 2009-10-20 19:39 -------- d-----w- c:\program files\SpyNoMore
2009-10-20 05:13 . 2009-10-20 05:13 -------- d-----w- C:\temp
2009-10-19 22:11 . 2009-10-23 17:57 0 ----a-w- c:\windows\Egituvovepurifum.bin
2009-10-19 22:11 . 2009-10-19 22:11 120 ----a-w- c:\windows\Xfikocif.dat
2009-10-19 22:11 . 2009-10-19 22:11 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\{F3FC9B77-9787-4438-A46D-310B483E5F58}
2009-10-19 22:08 . 2009-10-20 04:14 58 ----a-w- c:\windows\wp4.dat
2009-10-19 22:08 . 2009-10-20 04:14 3 ----a-w- c:\windows\wp3.dat
2009-10-19 22:08 . 2009-10-20 03:57 577024 ----a-w- c:\windows\system32\plugie.dll
2009-10-19 22:07 . 2009-10-19 22:07 248320 ----a-w- C:\dtacmawh.exe
2009-10-19 22:07 . 2009-10-19 22:07 50688 ----a-w- C:\buxuhto.exe
2009-10-14 17:33 . 2009-10-14 17:33 -------- d-----w- C:\users
2009-10-05 19:49 . 2009-10-05 19:49 -------- d-----w- c:\documents and settings\Owner\Application Data\Acreon
2009-10-05 19:49 . 2009-10-05 20:03 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\._Revolution_
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-23 21:01 . 2009-10-20 20:26 -------- d-----w- c:\program files\Spyware Doctor
2009-09-11 14:18 . 2004-08-26 16:12 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2004-08-26 16:12 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-03 14:45 . 2009-10-20 20:26 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-08-29 07:36 . 2004-08-26 16:12 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2004-08-26 16:11 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2004-08-26 16:11 17408 ------w- c:\windows\system32\corpol.dll
2009-08-26 08:00 . 2004-08-26 16:12 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-25 18:53 . 2009-08-25 18:53 -------- d-----w- c:\program files\Curse
2009-08-25 07:02 . 2009-08-25 07:02 138784 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-08-25 06:46 . 2009-08-25 06:46 -------- d-----w- c:\documents and settings\Owner\Application Data\You've Got Pictures Screensaver
2009-08-05 09:01 . 2004-08-26 16:12 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 15:13 . 2004-08-26 16:12 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2004-08-04 05:59 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{472734EA-242A-422B-ADF8-83D1E48CC825}"= "c:\program files\Spyware Doctor\BDT\PCTBrowserDefender.dll" [2009-10-08 395216]
[HKEY_CLASSES_ROOT\clsid\{472734ea-242a-422b-adf8-83d1e48cc825}]
[HKEY_CLASSES_ROOT\BrowserDefender.BDToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{175B7885-28AB-4D18-8773-7A13A99980A4}]
[HKEY_CLASSES_ROOT\BrowserDefender.BDToolbar]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-16 68856]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]
"CurseClient"="c:\program files\Curse\CurseClient.exe" [2009-06-08 1934336]
"AROReminder"="c:\program files\Advanced Registry Optimizer\ARO.exe" [2008-08-22 2084480]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MCUpdateExe"="c:\progra~1\McAfee.com\Agent\McUpdate.exe" [2004-10-03 184320]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-12-18 98304]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-03 13529088]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2007-08-31 988584]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"MCAgentExe"="c:\progra~1\McAfee.com\Agent\McAgent.exe" [2004-08-18 245760]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-03 86016]
"Launch LGDCore"="c:\program files\Logitech\G-series Software\LGDCore.exe" [2006-03-06 1122304]
"Launch LCDMon"="c:\program files\Logitech\G-series Software\LCDMon.exe" [2006-03-06 497152]
"_AntiSpyware"="c:\program files\McAfee\McAfee AntiSpyware\MssCli.exe" [2004-10-19 114688]
"SNM"="c:\program files\SpyNoMore\SNM.exe" [2009-10-08 1067472]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2009-09-22 1243088]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-05-03 1630208]
c:\documents and settings\Owner\Start Menu\Programs\Startup\
is-EG980.lnk - c:\virus removal tool3\is-EG980\startup.exe [2009-10-20 65536]
is-PF3E8.lnk - c:\documents and settings\Owner\Desktop\Virus Removal Tool\is-PF3E8\startup.exe [2009-10-20 65536]
is-T85FS.lnk - c:\documents and settings\Owner\Desktop\Virus Removal Tool2\is-T85FS\startup.exe [2009-10-20 65536]
is-VGQHM.lnk - c:\documents and settings\Owner\Desktop\Virus Removal Tool1\is-VGQHM\startup.exe [2009-10-20 65536]
MemTurbo.lnk - c:\program files\MemTurbo 4\MemTurbo.exe [2009-10-20 3121760]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - c:\program files\BigFix\BigFix.exe [2006-12-17 1742384]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{F2A0229A-C4CA-4789-B606-973D24DCDD1C}"= "c:\program files\McAfee\McAfee AntiSpyware\MssShell.dll" [2004-10-19 86016]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli inexmprx.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Parallel Arbitrator]
@="Driver Group"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.4.6314-to-2.0.5.6320-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.5.6320-enUS-downloader.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.5.6320-to-2.0.6.6337-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\Repair.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.6.6337-to-2.0.7.6383-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.7.6383-to-2.0.8.6403-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.8.6403-to-2.0.10.6448-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.10.6448-to-2.0.12.6546-enUS-downloader.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccSetMgr.exe"=
"c:\\Program Files\\Norton AntiVirus\\navapsvc.exe"=
"c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=
"c:\\Program Files\\Norton AntiVirus\\IWP\\NPFMntor.exe"=
"c:\\Program Files\\Microsoft IntelliPoint\\ipoint.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"4453:TCP"= 4453:TCP:Ventrilo
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [10/20/2009 3:26 PM 207280]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [10/20/2009 3:26 PM 112592]
R2 BtwSrv;BtwSrv;c:\windows\system32\svchost.exe -k netsvcs [8/26/2004 11:12 AM 14336]
R2 fastnetsrv;fastnetsrv Service;c:\windows\system32\FastNetSrv.exe [8/4/2004 2:00 PM 94720]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [10/20/2009 3:26 PM 358600]
S3 bfastfao;bfastfao;\??\c:\docume~1\Owner\LOCALS~1\Temp\bfastfao.sys --> c:\docume~1\Owner\LOCALS~1\Temp\bfastfao.sys [?]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2/10/2009 9:09 PM 17149]
S3 PID_0920;Logitech QuickCam Express(PID_0920);c:\windows\system32\drivers\LV532AV.SYS [8/8/2009 1:38 AM 152576]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - BTWSRV
*Deregistered* - PCTSDInjDriver32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
BtwSrv
.
Contents of the 'Scheduled Tasks' folder
2009-10-17 c:\windows\Tasks\McAfee AntiSpyware.job
- c:\progra~1\McAfee\MCAFEE~1\McSpy.exe [2004-10-19 09:00]
2009-10-23 c:\windows\Tasks\McAfee.com Update Check (YOUR-9BF74649F1-Owner).job
- c:\progra~1\McAfee.com\Agent\mcupdate.exe [2006-12-18 00:34]
2006-12-18 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2006-12-18 01:26]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: {{5E72AD5A-20DF-4ca4-9B7B-D9717FFDE0C5} - c:\documents and settings\Owner\Start Menu\Programs\Absolute Poker Basic\Absolute Poker Basic.lnk
DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} - hxxp://www.myheritage.com/Genoogle/Components/ActiveX/SearchEngineQuery.dll
.
- - - - ORPHANS REMOVED - - - -
BHO-{A2234B15-23F2-42AD-F4E4-00AAC39C0004} - c:\windows\system32\yajqpcnyz.dll
BHO-{da2da561-7dfe-421f-92d5-fb719a21110c} - lazenuhu.dll
HKLM-Run-Svetokuyepebeham - c:\windows\eqinuhec.dll
HKLM-Run-fesikiyuz - c:\windows\system32\nawafivo.dll
HKLM-Run-behizamelo - dahowoze.dll
SharedTaskScheduler-{183d6915-328c-4dde-99dc-e6cf19b8436c} - c:\windows\system32\nawafivo.dll
SharedTaskScheduler-{A2234B15-23F2-42AD-F4E4-00AAC39C0004} - c:\windows\system32\yajqpcnyz.dll
SSODL-labenikuz-{183d6915-328c-4dde-99dc-e6cf19b8436c} - c:\windows\system32\nawafivo.dll
SafeBoot-AloPar.sys
AddRemove-AOL Toolbar - c:\program files\AOL Toolbar\UNWISE.EXE
AddRemove-CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200014F1 - c:\program files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200014F1\HXFSETUP.EXE
AddRemove-Gamevance - c:\program files\Gamevance\gvun.exe
AddRemove-SystemRequirementsLab - c:\program files\SystemRequirementsLab\Uninstall.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-23 16:03
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-115497888-4204467973-748799179-1003\*! V*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"MachineID"=hex:b6,c5,bd,39,ba,c4,8d,00
[HKEY_USERS\S-1-5-21-115497888-4204467973-748799179-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:59,ed,15,8f,78,72,f9,ba,ea,90,b5,d6,e5,59,5c,8b,35,a6,fe,80,4a,c3,07,
27,9b,2c,08,9e,59,10,23,48,2e,39,27,ff,40,ea,ac,10,87,9a,76,1e,41,37,a0,70,\
"??"=hex:eb,1f,2d,b0,11,61,84,98,d8,d0,2d,fb,cd,d2,c6,97
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(788)
c:\windows\inexmprx.dll
c:\windows\system32\WININET.dll
- - - - - - - > 'explorer.exe'(1840)
c:\windows\system32\WININET.dll
c:\program files\Spyware Doctor\pctgmhk.dll
c:\windows\system32\nview.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\inexmprx.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\combo-fix10925c\CF30493.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee\McAfee AntiSpyware\Msssrv.exe
c:\program files\Norton AntiVirus\navapsvc.exe
c:\program files\Norton AntiVirus\IWP\NPFMntor.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Spyware Doctor\pctsSvc.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wmdtc.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\rundll32.exe
c:\program files\Microsoft IntelliPoint\dpupdchk.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\Rundll32.exe
c:\windows\system32\Rundll32.exe
c:\program files\Logitech\G-series Software\Applets\LCDPop3\LCDPOP3.exe
c:\program files\Logitech\G-series Software\Applets\LCDCountdown\LCDCountdown.exe
c:\program files\Logitech\G-series Software\Applets\LCDMedia.exe
c:\program files\Logitech\G-series Software\Applets\LCDClock.exe
c:\virus removal tool3\is-EG980\is-EG980.exe
c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
c:\windows\system32\lsm32.sys
c:\combo-fix10925c\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-23 16:10 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-23 21:10
Pre-Run: 136,423,444,480 bytes free
Post-Run: 136,324,411,392 bytes free
- - End Of File - - DCF65DC9F77F0F8BFEAF3074F7C47532
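One detail in the log above that a defender would want to notice before calling the machine clean is the LSA entry `Notification Packages REG_MULTI_SZ scecli inexmprx.dll` together with `c:\windows\inexmprx.dll` appearing in the DLL list for `lsass.exe`. A DLL registered as an LSA notification package is loaded into lsass.exe and is called whenever a password is set or changed, so any entry beyond the stock `scecli` deserves review. The script below is an added example, not part of the thread and not a ComboFix feature: it parses the two relevant sections of a ComboFix-style log and flags non-default notification packages and lsass.exe DLLs loaded from outside `system32`. The embedded log excerpt is constructed to mirror the shape of the log above.

```python
import re
from typing import Dict, List

# Constructed excerpt in the shape of a ComboFix log (not the thread's full log);
# the inexmprx.dll entries mirror what the posted log shows.
SAMPLE_LOG = """\
[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\lsa]
Notification Packages REG_MULTI_SZ scecli inexmprx.dll
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(788)
c:\\windows\\inexmprx.dll
c:\\windows\\system32\\WININET.dll
- - - - - - - > 'explorer.exe'(1840)
c:\\windows\\system32\\WININET.dll
c:\\windows\\inexmprx.dll
.
"""

# On Windows XP the only stock LSA notification package is scecli (the
# Security Configuration Engine client); anything else deserves a look.
DEFAULT_NOTIFICATION_PACKAGES = {"scecli"}


def parse_notification_packages(log: str) -> List[str]:
    """Return the LSA 'Notification Packages' values listed in the log."""
    for line in log.splitlines():
        m = re.match(r"Notification Packages\s+REG_MULTI_SZ\s+(.*)", line.strip())
        if m:
            return m.group(1).split()
    return []


def parse_loaded_dlls(log: str) -> Dict[str, List[str]]:
    """Map each process named in the 'DLLs Loaded Under Running Processes'
    section to the DLL paths ComboFix lists beneath it."""
    result: Dict[str, List[str]] = {}
    current = None
    in_section = False
    for line in log.splitlines():
        s = line.strip()
        if "DLLs Loaded Under Running Processes" in s:
            in_section = True
            continue
        if not in_section:
            continue
        if s == ".":  # ComboFix closes a section with a lone dot
            break
        m = re.match(r"- - - - - - - > '([^']+)'\((\d+)\)", s)
        if m:
            current = m.group(1).lower()
            result.setdefault(current, [])
        elif current and s:
            result[current].append(s)
    return result


def flag_findings(log: str) -> List[str]:
    """Return human-readable findings for the two checks described above."""
    findings: List[str] = []
    for pkg in parse_notification_packages(log):
        name = re.sub(r"\.dll$", "", pkg.lower())
        if name not in DEFAULT_NOTIFICATION_PACKAGES:
            findings.append(f"non-default LSA notification package: {pkg}")
    for dll in parse_loaded_dlls(log).get("lsass.exe", []):
        normalized = dll.lower().replace("/", "\\")
        if not normalized.startswith("c:\\windows\\system32\\"):
            findings.append(f"DLL loaded in lsass.exe from outside system32: {dll}")
    return findings


if __name__ == "__main__":
    for finding in flag_findings(SAMPLE_LOG):
        print(finding)
```

The `system32` prefix check is a heuristic, not proof: a legitimately installed package can live elsewhere and a malicious one can be dropped into system32, so the output is a list of entries to investigate (compare hashes, check signatures, check file timestamps against the infection window) rather than a verdict.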
PhilliePhan 171 Central Scrutinizer Team Colleague
Running from: K:\Combo-Fix.exe
There is still a lot to be done - You made some good progress, though.
-- Looks like you ran combofix from the flash drive. That's fine, but now we need to download a fresh copy to the Desktop of the ill machine. I'm just going to copy&paste my standard instructions:
If you already have Combofix on your machine, DELETE it.
Then follow the instructions in the link below to download a fresh copy of Combofix and run it:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
What I want you to do, though, is this:
When you download it and it asks you to "Save File As," rename combofix to Combo-Fix and then download it to your Desktop as that and follow the instructions in the linky very carefully to run it and then post the combofix log for me.
Be sure to install Recovery Console (if you are able to do so) and disable any other security programs or Anti-Virus programs as per the linky before running Combofix!
Post me that log and we'll go from there.
PP :)
mike34 0 Newbie Poster
OK, downloaded it to the infected computer and ran it again. I have full access to everything but wanna be sure that the virus is gone. Here is the second log you asked for.
ComboFix 09-10-23.01 - Owner 10/24/2009 10:49.3.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1534.992 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
AV: Norton AntiVirus 2005 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Worm Protection *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\Install.txt
c:\windows\system32\FInstall.sys
c:\windows\system32\Install.txt
c:\windows\TEMP\mta13187.dll
.
((((((((((((((((((((((((( Files Created from 2009-09-24 to 2009-10-24 )))))))))))))))))))))))))))))))
.
2009-10-23 21:08 . 2009-10-23 21:08 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\{F3FC9B77-9787-4438-A46D-310B483E5F58}
2009-10-23 20:53 . 2009-10-23 21:11 -------- d-----w- C:\Combo-Fix10925C
2009-10-23 19:51 . 2009-10-23 20:01 -------- d-----w- C:\Combo-Fix
2009-10-23 19:28 . 2009-10-23 20:51 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-10-22 00:07 . 2009-10-22 00:07 -------- d-----w- C:\PKBTEMP
2009-10-21 04:50 . 2009-10-21 04:50 -------- d-----w- C:\Virus Removal Tool3
2009-10-21 04:50 . 2008-07-08 19:54 148496 ----a-w- c:\windows\system32\drivers\82378402.sys
2009-10-21 04:25 . 2008-07-08 19:54 148496 ----a-w- c:\windows\system32\drivers\74731399.sys
2009-10-21 04:08 . 2008-07-08 19:54 148496 ----a-w- c:\windows\system32\drivers\53482418.sys
2009-10-20 22:52 . 2008-07-08 19:54 148496 ----a-w- c:\windows\system32\drivers\66422679.sys
2009-10-20 20:25 . 2009-10-24 06:13 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-20 19:57 . 2009-10-20 19:57 -------- d-----w- c:\documents and settings\Owner\Application Data\Sammsoft
2009-10-20 19:57 . 2009-10-20 19:57 -------- d-----w- c:\program files\MemTurbo 4
2009-10-20 19:56 . 2009-10-20 19:56 -------- d-----w- c:\program files\Advanced Registry Optimizer
2009-10-20 19:36 . 2009-10-20 19:36 1152 ----a-w- c:\windows\system32\windrv.sys
2009-10-20 05:13 . 2009-10-20 05:13 -------- d-----w- C:\temp
2009-10-19 22:11 . 2009-10-23 17:57 0 ----a-w- c:\windows\Egituvovepurifum.bin
2009-10-19 22:11 . 2009-10-23 21:08 120 ----a-w- c:\windows\Xfikocif.dat
2009-10-19 22:08 . 2009-10-20 04:14 58 ----a-w- c:\windows\wp4.dat
2009-10-19 22:08 . 2009-10-20 04:14 3 ----a-w- c:\windows\wp3.dat
2009-10-19 22:08 . 2009-10-20 03:57 577024 ----a-w- c:\windows\system32\plugie.dll
2009-10-19 22:07 . 2009-10-19 22:07 248320 ----a-w- C:\dtacmawh.exe
2009-10-19 22:07 . 2009-10-19 22:07 50688 ----a-w- C:\buxuhto.exe
2009-10-14 17:33 . 2009-10-14 17:33 -------- d-----w- C:\users
2009-10-05 19:49 . 2009-10-05 19:49 -------- d-----w- c:\documents and settings\Owner\Application Data\Acreon
2009-10-05 19:49 . 2009-10-05 20:03 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\._Revolution_
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-20 05:10 . 2008-05-01 01:56 -------- d-----w- c:\program files\Windows Media Connect 2
2009-10-13 03:26 . 2006-08-25 01:32 -------- d-----w- c:\program files\World of Warcraft
2009-09-11 14:18 . 2004-08-26 16:12 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2004-08-26 16:12 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2004-08-26 16:12 832512 ------w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2004-08-26 16:11 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2004-08-26 16:11 17408 ------w- c:\windows\system32\corpol.dll
2009-08-26 08:00 . 2004-08-26 16:12 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-25 18:53 . 2009-08-25 18:53 -------- d-----w- c:\program files\Curse
2009-08-25 07:02 . 2009-08-25 07:02 138784 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-08-05 09:01 . 2004-08-26 16:12 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 15:13 . 2004-08-26 16:12 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2004-08-04 05:59 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
.
((((((((((((((((((((((((((((( SnapShot@2009-10-23_21.03.30 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-24 15:57 . 2009-10-24 15:57 16384 c:\windows\temp\Perflib_Perfdata_dec.dat
+ 2009-10-24 15:56 . 2009-10-24 15:56 16384 c:\windows\temp\Perflib_Perfdata_770.dat
+ 2004-08-04 19:00 . 2004-08-04 19:00 93696 c:\windows\system32\FastNetSrv.exe
+ 2004-08-04 19:00 . 2004-08-04 19:00 46592 c:\windows\system32\BtwSrv.dll
+ 2004-08-04 19:00 . 2004-08-04 19:00 131072 c:\windows\system32\wmdtc.exe
+ 2004-08-04 19:00 . 2004-08-04 19:00 131072 c:\windows\system32\opeia.exe
+ 2004-08-26 16:12 . 2008-04-14 00:12 162304 c:\windows\onokeyib.dll
+ 2009-10-24 15:57 . 2009-08-29 07:36 1168384 c:\windows\temp\x1c27014.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-16 68856]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]
"CurseClient"="c:\program files\Curse\CurseClient.exe" [2009-06-08 1934336]
"AROReminder"="c:\program files\Advanced Registry Optimizer\ARO.exe" [2008-08-22 2084480]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MCUpdateExe"="c:\progra~1\McAfee.com\Agent\McUpdate.exe" [2004-10-03 184320]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-12-18 98304]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-03 13529088]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2007-08-31 988584]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"MCAgentExe"="c:\progra~1\McAfee.com\Agent\McAgent.exe" [2004-08-18 245760]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-03 86016]
"Launch LGDCore"="c:\program files\Logitech\G-series Software\LGDCore.exe" [2006-03-06 1122304]
"Launch LCDMon"="c:\program files\Logitech\G-series Software\LCDMon.exe" [2006-03-06 497152]
"_AntiSpyware"="c:\program files\McAfee\McAfee AntiSpyware\MssCli.exe" [2004-10-19 114688]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-05-03 1630208]
c:\documents and settings\Owner\Start Menu\Programs\Startup\
is-EG980.lnk - c:\virus removal tool3\is-EG980\startup.exe [2009-10-20 65536]
is-PF3E8.lnk - c:\documents and settings\Owner\Desktop\Virus Removal Tool\is-PF3E8\startup.exe [2009-10-20 65536]
is-T85FS.lnk - c:\documents and settings\Owner\Desktop\Virus Removal Tool2\is-T85FS\startup.exe [2009-10-20 65536]
is-VGQHM.lnk - c:\documents and settings\Owner\Desktop\Virus Removal Tool1\is-VGQHM\startup.exe [2009-10-20 65536]
MemTurbo.lnk - c:\program files\MemTurbo 4\MemTurbo.exe [2009-10-20 3121760]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - c:\program files\BigFix\BigFix.exe [2006-12-17 1742384]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{F2A0229A-C4CA-4789-B606-973D24DCDD1C}"= "c:\program files\McAfee\McAfee AntiSpyware\MssShell.dll" [2004-10-19 86016]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli inexmprx.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Parallel Arbitrator]
@="Driver Group"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.4.6314-to-2.0.5.6320-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.5.6320-enUS-downloader.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.5.6320-to-2.0.6.6337-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\Repair.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.6.6337-to-2.0.7.6383-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.7.6383-to-2.0.8.6403-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.8.6403-to-2.0.10.6448-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.10.6448-to-2.0.12.6546-enUS-downloader.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccSetMgr.exe"=
"c:\\Program Files\\Norton AntiVirus\\navapsvc.exe"=
"c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=
"c:\\Program Files\\Norton AntiVirus\\IWP\\NPFMntor.exe"=
"c:\\Program Files\\Microsoft IntelliPoint\\ipoint.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"4453:TCP"= 4453:TCP:Ventrilo
R2 BtwSrv;BtwSrv;c:\windows\system32\svchost.exe -k netsvcs [8/26/2004 11:12 AM 14336]
R2 fastnetsrv;fastnetsrv Service;c:\windows\system32\FastNetSrv.exe [8/4/2004 2:00 PM 47104]
S3 bfastfao;bfastfao;\??\c:\docume~1\Owner\LOCALS~1\Temp\bfastfao.sys --> c:\docume~1\Owner\LOCALS~1\Temp\bfastfao.sys [?]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2/10/2009 9:09 PM 17149]
S3 PID_0920;Logitech QuickCam Express(PID_0920);c:\windows\system32\drivers\LV532AV.SYS [8/8/2009 1:38 AM 152576]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - BTWSRV
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
BtwSrv
.
Contents of the 'Scheduled Tasks' folder
2009-10-24 c:\windows\Tasks\McAfee.com Update Check (YOUR-9BF74649F1-Owner).job
- c:\progra~1\McAfee.com\Agent\mcupdate.exe [2006-12-18 00:34]
2006-12-18 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2006-12-18 01:26]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: {{5E72AD5A-20DF-4ca4-9B7B-D9717FFDE0C5} - c:\documents and settings\Owner\Start Menu\Programs\Absolute Poker Basic\Absolute Poker Basic.lnk
DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} - hxxp://www.myheritage.com/Genoogle/Components/ActiveX/SearchEngineQuery.dll
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-SNM - c:\program files\SpyNoMore\SNM.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-24 10:56
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-115497888-4204467973-748799179-1003\*! V*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"MachineID"=hex:b6,c5,bd,39,ba,c4,8d,00
[HKEY_USERS\S-1-5-21-115497888-4204467973-748799179-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:59,ed,15,8f,78,72,f9,ba,ea,90,b5,d6,e5,59,5c,8b,35,a6,fe,80,4a,c3,07,
27,9b,2c,08,9e,59,10,23,48,2e,39,27,ff,40,ea,ac,10,87,9a,76,1e,41,37,a0,70,\
"??"=hex:eb,1f,2d,b0,11,61,84,98,d8,d0,2d,fb,cd,d2,c6,97
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(756)
c:\windows\inexmprx.dll
c:\windows\system32\WININET.dll
- - - - - - - > 'explorer.exe'(2936)
c:\windows\system32\WININET.dll
c:\windows\system32\nview.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\inexmprx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\combo-fix2721c\CF29044.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee\McAfee AntiSpyware\Msssrv.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\rundll32.exe
c:\program files\Microsoft IntelliType Pro\dpupdchk.exe
c:\program files\Norton AntiVirus\navapsvc.exe
c:\program files\Norton AntiVirus\IWP\NPFMntor.exe
c:\program files\Logitech\G-series Software\Applets\LCDCountdown\LCDCountdown.exe
c:\program files\Logitech\G-series Software\Applets\LCDClock.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\windows\system32\opeia.exe
c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
c:\windows\system32\lsm32.sys
c:\combo-fix2721c\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-24 11:01 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-24 16:01
ComboFix2.txt 2009-10-23 21:10
Pre-Run: 136,396,533,760 bytes free
Post-Run: 136,354,582,528 bytes free
- - End Of File - - 37BD30F1DF1598BEEE7B51839DD93147
PhilliePhan 171 Central Scrutinizer Team Colleague
ok, downloaded it to the infected computer and ran it again, I have full access to everything but wanna be sure that the virus is gone, here is the second log you asked for
There are still a lot of baddies showing that combofix will normally remove.
It appears you did not install the recovery console or disable Anti-virus as directed in the "how to run combofix" link.
This is a particularly nasty malware - you really need to do everything exactly and precisely. And, even then, it is sometimes not enough.
Keep the ill computer offline until I can work up the next step - busy weekend ahead of me, but will try to have it posted sometime this evening.
PP :)
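Reading a ComboFix log of this length by eye is error-prone, so here is a small triage script, added as an example and not code from ComboFix, DaniWeb or either poster. It runs over a constructed excerpt modelled on the log above and flags four kinds of entry that are worth a second look on a machine like this one: LSA Notification Packages beyond the XP default `scecli` (every DLL listed there is loaded into lsass.exe at logon), DLLs loaded in lsass.exe from outside `%windir%\system32`, services or drivers whose image lives under a Temp folder, and files that ComboFix reports as newly added since the previous snapshot yet carry a creation timestamp years older than the scan. The last rule is a heuristic and an assumption about the `+` lines (that they list files appearing since the previous snapshot): an old timestamp on a new file can mean timestomping, but a restored backup or a copied installer can look the same, so it is a prompt to inspect, not a verdict. The rule names, `SAMPLE_LOG` and the `stale_years` threshold are all mine.

```python
"""Triage a ComboFix-style log for a few indicators (added example, not ComboFix code).

SAMPLE_LOG is a constructed excerpt modelled on the log in this thread; the
scan date is taken from its 'Completion time' line by the caller.
"""
import re
from datetime import datetime

SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((((  Snapshot@2009-10-23_21.09.48  )))))))))))))))))))))))))))))))))))))))
+ 2009-10-24 15:57 . 2009-10-24 15:57 16384 c:\windows\temp\Perflib_Perfdata_dec.dat
+ 2004-08-04 19:00 . 2004-08-04 19:00 93696 c:\windows\system32\FastNetSrv.exe
+ 2004-08-04 19:00 . 2004-08-04 19:00 131072 c:\windows\system32\opeia.exe
+ 2004-08-26 16:12 . 2008-04-14 00:12 162304 c:\windows\onokeyib.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli inexmprx.dll
R2 fastnetsrv;fastnetsrv Service;c:\windows\system32\FastNetSrv.exe [8/4/2004 2:00 PM 47104]
S3 bfastfao;bfastfao;\??\c:\docume~1\Owner\LOCALS~1\Temp\bfastfao.sys --> c:\docume~1\Owner\LOCALS~1\Temp\bfastfao.sys [?]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2/10/2009 9:09 PM 17149]
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(756)
c:\windows\inexmprx.dll
c:\windows\system32\WININET.dll
- - - - - - - > 'explorer.exe'(2936)
c:\windows\inexmprx.dll
Completion time: 2009-10-24 11:01 - machine was rebooted
"""

# Default content of HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages on XP
DEFAULT_LSA_PACKAGES = {"scecli"}
# '+ <created> . <modified> <size> <path>' lines in the snapshot-diff section
SNAPSHOT_LINE = re.compile(r"^\+ (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. \S+ \S+ \d+ (.+)$")
# 'R2 name;display name;image path [date size]' service/driver lines
SERVICE_LINE = re.compile(r"^[RS]\d [^;]+;[^;]+;(.+?)(?: \[|$)")
# "- - - - - - - > 'lsass.exe'(756)" headers in the loaded-DLL section
PROC_HEADER = re.compile(r"^- - - - - - - > '([^']+)'\(\d+\)$")


def triage(log_text, scan_date, stale_years=2):
    """Return a list of (rule, detail) findings, in the order they appear in the log."""
    findings = []
    current_proc = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Section banners end any per-process DLL listing we were inside.
        if line.startswith(("---", "(((", "***")):
            current_proc = None
            continue
        # Rule 1: extra LSA notification packages get loaded into lsass.exe.
        if line.startswith("Notification Packages"):
            for pkg in line.split()[3:]:
                if pkg.lower() not in DEFAULT_LSA_PACKAGES:
                    findings.append(("lsa_notification_package", pkg))
            continue
        m = PROC_HEADER.match(line)
        if m:
            current_proc = m.group(1).lower()
            continue
        # Rule 2: lsass.exe should only be hosting DLLs from system32.
        if current_proc == "lsass.exe" and line.lower().startswith("c:\\"):
            if not line.lower().startswith("c:\\windows\\system32\\"):
                findings.append(("lsass_dll_outside_system32", line))
            continue
        # Rule 3: a service or driver image under a Temp folder.
        m = SERVICE_LINE.match(line)
        if m:
            if "\\temp\\" in m.group(1).lower():
                findings.append(("service_in_temp", m.group(1)))
            continue
        # Rule 4: newly added file whose creation time is years before the scan
        # (assumption: '+' lines are files that appeared since the previous snapshot).
        m = SNAPSHOT_LINE.match(line)
        if m:
            created = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M")
            if (scan_date - created).days > 365 * stale_years:
                findings.append(("new_file_old_timestamp", m.group(2)))
    return findings


def triage_sample():
    """Run the rules over the constructed excerpt with its own scan date."""
    return triage(SAMPLE_LOG, datetime(2009, 10, 24))


if __name__ == "__main__":
    for rule, detail in triage_sample():
        print(f"{rule:30} {detail}")
```

Each finding is a pointer back into the log, not a removal instruction: the point of running something like this before replying in a thread is to make sure nothing in a 170-line dump is missed, and then to decide case by case, as PP does above, what the right next step is.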