
Windows Safemode Virus

 
0
 

Hi,
My computer has received a virus which, upon booting up, comes up with a boot error and goes into a fake 'safe mode'. I am unable to access anything from that screen except a fake virus scanner that requires purchasing before use.

I have however found an unsafe way to access the desktop by plugging in my iPod and going onto it through a scanner wizard box that pops up after it is plugged in. I know this is dangerous as it poses a threat to my iPod but it is the only way I am able to access my computer.
From there I have managed to run MBA-M which is able to detect the problem but fails upon fixing it, and after restarting it returns to the virus screen.
I have looked at other posts and tried similar things with rkill etc. but to no avail.
I'd appreciate any help given (if you can!) :P

 
0
 

We have to see at least a log from MBA-M. Using your iPod is doing nothing but putting it at risk. Personally I would never use it again on another computer until it is wiped clean.

 
0
 

Ok I will post the log but is there another way to gain access to my desktop without doing it with my iPod?

 
0
 

Try pressing F8 before Windows begins to load, then select safe mode with networking. Your computer will need to be wired to your router as wireless will not work.

 
0
 

I hate to say it but I've already tried that and it freezes on the same screen as before, not allowing me any access.

Here is the log from rkill:

Rkill was running on 14/04/2011 at 9:21:38.
Operating system: Microsoft Windows XP

Processes terminated by rkill or while it was running:

C:\documents and settings\All users\Application data\450968.exe
C:\WINDOWS\system32\drwtsn32.exe
xe

Rkill completed on 14/04/2011 at 9:21:52.

 
0
 

It did remove the 'windows safemode' virus but after 30 seconds or so it came back, and the screen remained the same fake black background.

 
0
 

Here is the MBA-M log:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6352

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

14/04/2011 10:21:38
mbam-log-2011-04-14 (10-21-38).txt

Scan type: Full scan (A:\|C:\|)
Objects scanned: 195036
Time elapsed: 39 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\all users\application data\1794968.exe (Rogue.FakeHDD) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\21250.exe (Rogue.FakeHDD) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\450968.exe (Rogue.FakeHDD) -> Quarantined and deleted successfully.

 
0
 
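The MBA-M log above is the first artefact in this thread that actually names the infection (three Rogue.FakeHDD binaries dropped side by side in All Users\Application Data, plus a DisableTaskMgr policy hijack). The following is an added example, not code from the thread or from Malwarebytes: a small parser for this log format that cross-checks the summary counts against the listed detail lines, flags registry policy tampering for post-reboot verification, and points out directories holding several detected files, which is the pattern behind "it came back after 30 seconds". The line layout it assumes is exactly the one shown in the thread; the sample input is copied from that log and trimmed.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Sample input: summary and detection sections of the first MBA-M log in this
# thread, trimmed to the lines the parser cares about.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6352

Scan type: Full scan (A:\|C:\|)
Objects scanned: 195036

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 3

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\all users\application data\1794968.exe (Rogue.FakeHDD) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\21250.exe (Rogue.FakeHDD) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\450968.exe (Rogue.FakeHDD) -> Quarantined and deleted successfully.
"""

COUNT_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<n>\d+)$")
HEADER_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# "<item> (<family>) -> <details...> -> <action>"; the item itself never contains parentheses.
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+)$")
DBVER_RE = re.compile(r"^Database version: (?P<v>\d+)$")


@dataclass
class Detection:
    section: str
    item: str
    family: str
    action: str


@dataclass
class Report:
    database_version: Optional[int] = None
    counts: Dict[str, int] = field(default_factory=dict)
    detections: List[Detection] = field(default_factory=list)


def parse_mbam_log(text: str) -> Report:
    """Parse the summary counts and the per-section detection lines of an MBA-M 1.x log."""
    report = Report()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DBVER_RE.match(line)
        if m:
            report.database_version = int(m.group("v"))
            continue
        m = COUNT_RE.match(line)
        if m:
            report.counts[m.group("section")] = int(m.group("n"))
            continue
        m = HEADER_RE.match(line)
        if m:
            section = m.group("section")
            continue
        if section is None or line.startswith("(No malicious items"):
            continue
        m = DETECTION_RE.match(line)
        if m:
            # The action is the last "->" segment; registry items carry a Bad/Good pair before it.
            action = m.group("rest").split(" -> ")[-1]
            report.detections.append(Detection(section, m.group("item"), m.group("family"), action))
    return report


def counts_match(report: Report) -> bool:
    """Cross-check each section's declared total against the detail lines actually listed."""
    return all(sum(1 for d in report.detections if d.section == section) == declared
               for section, declared in report.counts.items())


def unresolved(report: Report) -> List[Detection]:
    """Detections whose action is anything other than a successful quarantine-and-delete."""
    return [d for d in report.detections if not d.action.startswith("Quarantined and deleted")]


def policy_tampering(report: Report) -> List[str]:
    """Registry data items under a ...\\Policies\\... key (DisableTaskMgr here): worth
    re-checking after the reboot, since a still-running dropper can set them again."""
    return [d.item for d in report.detections
            if d.section == "Registry Data Items Infected" and "\\Policies\\" in d.item]


def shared_directories(report: Report) -> Dict[str, int]:
    """Directories holding more than one detected file; several rogue binaries in one
    folder suggests a dropper that re-creates them, so a reboot-then-rescan is needed."""
    per_dir: Dict[str, int] = {}
    for d in report.detections:
        if d.section != "Files Infected":
            continue
        directory = d.item.rsplit("\\", 1)[0].lower()
        per_dir[directory] = per_dir.get(directory, 0) + 1
    return {k: v for k, v in per_dir.items() if v > 1}


if __name__ == "__main__":
    rep = parse_mbam_log(SAMPLE_LOG)
    print("database", rep.database_version, "counts consistent:", counts_match(rep))
    print("policy items:", policy_tampering(rep))
    print("directories with several detections:", shared_directories(rep))
    print("unresolved:", unresolved(rep))
```

Run against a log where the counts and the detail lines disagree, or where an action reads anything but "Quarantined and deleted successfully", the checks surface exactly the situations the helper later asks about: detections that never actually completed and files that reappear after a reboot.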

rkill doesn't remove viruses, it merely stops the virus processes from running so that other tools can then be run. That is why you don't reboot after running it. Rebooting allows the process to begin again.
You run MBA-M and then run DDS scanner and post both logs by copy/pasting them.

 
0
 

I rebooted after running MBA-M not rkill as you said to do in another post. My computer doesn't have DDS installed, do you know where I can download it from?

 
0
 

I rebooted after running MBA-M not rkill as you said to do in another post. My computer doesn't have DDS installed, do you know where I can download it from?

Have you read the Read Me sticky as instructed at the top of the page before creating your thread? The required tools are there.
Read me before posting a request for assistance

 
0
 

No, it's ok, I found the proper download myself on mybleepingcomputer.

here is the DDS log:

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Administrator at 16:00:29.09 on 14/04/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.54 [GMT 1:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\system32\userinit.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.exe
C:\Program Files\Belkin\F5D7050v3\Belkinwcui.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Documents and Settings\All Users\Application Data\10672500.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\Administrator\My Documents\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.6209.1142\swg.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [F5D7050v3] c:\program files\belkin\f5d7050v3\Belkinwcui.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\symant~1.lnk - c:\program files\microsoft office\office\1033\OLFSNT40.EXE
uPolicies-system: DisableTaskMgr = 1 (0x1)
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: igfxcui - igfxsrvc.dll
.
============= SERVICES / DRIVERS ===============
.
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-15 136176]
S3 dsiarhwprog;dsiarhwprog;c:\windows\system32\drivers\dsiarhwprog.sys [2010-1-25 29184]
.
=============== Created Last 30 ================
.
2011-04-14 14:27:42 672256 ----a-w- c:\docume~1\alluse~1\applic~1\10672500.exe
2011-04-14 10:58:30 672256 ----a-w- c:\docume~1\alluse~1\applic~1\21546.exe
.
==================== Find3M ====================
.
2011-03-09 18:59:17 695808 ----a-w- c:\docume~1\alluse~1\applic~1\tOUlQpxPNN.dll
2011-02-23 14:14:14 21504 ----a-w- c:\windows\jestertb.dll
2011-02-02 13:31:16 499712 ----a-w- c:\windows\system32\msvcp71.dll
1998-12-08 18:53:54 99840 ----a-w- c:\program files\common files\IRAABOUT.DLL
1998-12-08 18:53:54 70144 ----a-w- c:\program files\common files\IRAMDMTR.DLL
1998-12-08 18:53:54 48640 ----a-w- c:\program files\common files\IRALPTTR.DLL
1998-12-08 18:53:54 31744 ----a-w- c:\program files\common files\IRAWEBTR.DLL
1998-12-08 18:53:54 186368 ----a-w- c:\program files\common files\IRAREG.DLL
1998-12-08 18:53:54 17920 ----a-w- c:\program files\common files\IRASRIAL.DLL
.
============= FINISH: 16:01:14.53 ===============

 
0
 

And the second log? Attach.txt. If you had followed our instructions as requested you would have seen that we need both logs and need both copy/pasted.

 
0
 

If you looked before, you will be able to see the log from MBA-M. If you want me to repost it that's fine but it's already there.

 
0
 

If you looked before, you will be able to see the log from MBA-M. If you want me to repost it that's fine but it's already there.

And if YOU had read my instructions,

run DDS scanner and post both logs by copy/pasting them.

and also the instructions in the Read Me First sticky as requested you would have seen three times that the DDS scanner produces TWO logs and we want to see them both. You have only posted ONE. I need the other one.
Since you have refused to read my instructions and also the Read Me Sticky now at least twice, the first time when you created your thread and the second time when I asked you to read it, I will post exactly what it says about the use of the DDS scanner.

Please submit a DDS ScanLog along with your post. Be sure to follow the instructions below carefully!
    • If your AV has a script blocker, please disable it
    • DoubleClick on dds.scr to run the tool
    • A command box will open, displaying added information for your reading pleasure while DDS completes its scan.
    • Upon completion, a Dialog Box should open instructing you to save and post the TWO resulting logs (DDS.txt & Attach.txt).
    • Copy&Paste both the DDS.txt and the DDS Attach.txt into your post for assistance.

What is it about the lines in red that you do not understand? The DDS Scanner produces TWO logs, one labeled DDS.txt and the other DDS Attach.txt. We need to see both logs. That is the second log I was referring to when I made my request.
I can give you no more instructions until I see that log, and I will tell you now, your computer is still grossly infected, but I cannot give you any more tools to run until I see that Attach.txt log produced by the DDS scanner. Please copy/paste it, DO NOT ATTACH it.

 
-1
 

I knew it produces two logs, I thought that the second log you spoke of was the one for MBA-M. I'm sorry that I'm so stupid not to have read the sticky carefully, nobody is perfect. Yeah I may not be a computer whizz like you, but your purpose is to help not insult. I will post the second log below:
.
DDS (Ver_11-03-05.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 29/01/2008 16:09:55
System Uptime: 14/04/2011 12:29:50 (4 hours ago)
.
Motherboard: Dell Computer Corp. | | 0R6019
Processor: Intel(R) Pentium(R) 4 CPU 2.80GHz | Microprocessor | 2793/800mhz
Processor: Intel(R) Pentium(R) 4 CPU 2.80GHz | Microprocessor | 2793/800mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 37 GiB total, 14.264 GiB free.
D: is CDROM (CDFS)
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP54: 14/01/2011 20:47:28 - System Checkpoint
RP55: 15/01/2011 21:05:52 - System Checkpoint
RP56: 18/01/2011 17:12:08 - System Checkpoint
RP57: 20/01/2011 18:35:09 - System Checkpoint
RP58: 22/01/2011 19:49:31 - System Checkpoint
RP59: 23/01/2011 18:42:24 - Software Distribution Service 3.0
RP60: 25/01/2011 20:51:06 - System Checkpoint
RP61: 25/01/2011 22:34:35 - Software Distribution Service 3.0
RP62: 27/01/2011 07:55:39 - System Checkpoint
RP63: 28/01/2011 17:34:23 - System Checkpoint
RP64: 29/01/2011 18:01:35 - Installed Windows XP WgaNotify.
RP65: 29/01/2011 18:11:40 - Installed Windows Media Player 11
RP66: 30/01/2011 19:22:24 - System Checkpoint
RP67: 04/02/2011 20:07:09 - System Checkpoint
RP68: 05/02/2011 21:47:48 - System Checkpoint
RP69: 07/02/2011 21:19:37 - System Checkpoint
RP70: 08/02/2011 22:34:32 - Software Distribution Service 3.0
RP71: 09/02/2011 22:48:54 - System Checkpoint
RP72: 12/02/2011 16:58:07 - System Checkpoint
RP73: 16/02/2011 18:52:11 - System Checkpoint
RP74: 17/02/2011 21:45:27 - System Checkpoint
RP75: 18/02/2011 21:50:10 - System Checkpoint
RP76: 20/02/2011 22:21:21 - System Checkpoint
RP77: 24/02/2011 13:10:40 - System Checkpoint
RP78: 25/02/2011 16:53:35 - System Checkpoint
RP79: 27/02/2011 16:26:09 - System Checkpoint
RP80: 28/02/2011 17:28:57 - System Checkpoint
RP81: 28/02/2011 20:19:00 - Software Distribution Service 3.0
RP82: 05/03/2011 18:21:21 - System Checkpoint
RP83: 06/03/2011 20:02:35 - System Checkpoint
RP84: 09/03/2011 07:33:36 - System Checkpoint
RP85: 11/03/2011 19:14:37 - Software Distribution Service 3.0
RP86: 14/03/2011 07:33:46 - System Checkpoint
RP87: 15/03/2011 21:58:47 - System Checkpoint
RP88: 18/03/2011 18:36:14 - System Checkpoint
RP89: 19/03/2011 20:03:22 - System Checkpoint
RP90: 22/03/2011 07:12:49 - System Checkpoint
RP91: 27/03/2011 10:08:12 - System Checkpoint
RP92: 29/03/2011 07:47:41 - System Checkpoint
RP93: 01/04/2011 16:53:32 - System Checkpoint
RP94: 04/04/2011 07:19:19 - System Checkpoint
RP95: 05/04/2011 07:28:01 - System Checkpoint
RP96: 06/04/2011 18:24:44 - System Checkpoint
RP97: 07/04/2011 21:34:27 - System Checkpoint
RP98: 13/04/2011 17:35:33 - Software Distribution Service 3.0
RP99: 13/04/2011 17:39:08 - Software Distribution Service 3.0
.
==== Installed Programs ======================
.
Action Replay DSi Code Manager
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 6.0.1
Adobe Shockwave Player 11.5
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Belkin 54Mbps Wireless Network Adapter
Bonjour
Dungeon Keeper 2
Electronic Arts Product Registration
Google Toolbar for Internet Explorer
Google Update Helper
Harry Potter and the Prisoner of Azkaban(TM)
Harry Potter II
Harry Potter TM
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB976002-v5)
Hotfix for Windows XP (KB981793)
Intel(R) Extreme Graphics 2 Driver
Intel(R) PRO Network Adapters and Drivers
InterActual Player
InterVideo WinDVD
iTunes
Java Auto Updater
Java(TM) 6 Update 21
LiveReg (Symantec Corporation)
LiveUpdate 1.80 (Symantec Corporation)
Logical Journey of the Zoombinis
Malwarebytes' Anti-Malware
Microsoft Age of Empires Gold
Microsoft Age of Empires II
Microsoft Office 2000 Premium
Microsoft Silverlight
Morrowind
MSN
MSN Toolbar
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
Nero Suite
QuickTime
Samsung Master
Samsung USB Driver
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB944338-v2)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971032)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981350)
Security Update for Windows XP (KB982381)
Shockwave
SoundMAX
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows XP (KB898461)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 8
Windows XP Service Pack 3
.
==== Event Viewer Messages From Past Week ========
.
14/04/2011 09:38:48, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
13/04/2011 18:51:34, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: PCIIde
.
==== End Of File ===========================

 
0
 

I didn't mean my comments as an insult. But we ask that our instructions be read and when those instructions aren't read and followed then it makes cleaning doubly difficult. Our DDS instructions clearly say to post both logs as do the instructions found on the download page from bleepingcomputer.

Now please do the following:
Please download ComboFix by sUBs from

http://www.bleepingcomputer.com/download/anti-virus/combofix

Please note that the BleepingComputer.com download link will expire in 10 minutes after you click it so if you don’t click within ten minutes after reaching the page you will need to refresh the page.

You must download it to and run it from your Desktop
• Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
• Double click combofix.exe & follow the prompts.
• When ComboFix has finished running, you will see a screen stating that it is preparing the log report
• This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and telling you the programs log file, or report, will be located at C:\ComboFix.txt.
• Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Run Combofix ONCE only!!

 
0
 

Have you been able to run combofix?

 
0
 

Yes I have managed to run it eventually! I think it has done what it's supposed to but I'm no expert. What would you like me to do now?
Sorry about the delay, been away from home for a couple of days.

I'll post the log below:

ComboFix 11-04-18.03 - Administrator 19/04/2011 14:07:08.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.293 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\Application Data\Yvaxny
c:\documents and settings\Administrator\Application Data\Yvaxny\ikzoi.gex
c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\Proposal.rtf
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\All Users\Application Data\10672500.exe
c:\documents and settings\All Users\Application Data\21546.exe
c:\documents and settings\All Users\Application Data\tOUlQpxPNN.dll
c:\windows\jestertb.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-03-19 to 2011-04-19 )))))))))))))))))))))))))))))))
.
.
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-02 13:31 . 2011-02-02 13:31 499712 ----a-w- c:\windows\system32\msvcp71.dll
1998-12-08 18:53 . 1998-12-08 18:53 99840 ----a-w- c:\program files\Common Files\IRAABOUT.DLL
1998-12-08 18:53 . 1998-12-08 18:53 70144 ----a-w- c:\program files\Common Files\IRAMDMTR.DLL
1998-12-08 18:53 . 1998-12-08 18:53 48640 ----a-w- c:\program files\Common Files\IRALPTTR.DLL
1998-12-08 18:53 . 1998-12-08 18:53 31744 ----a-w- c:\program files\Common Files\IRAWEBTR.DLL
1998-12-08 18:53 . 1998-12-08 18:53 186368 ----a-w- c:\program files\Common Files\IRAREG.DLL
1998-12-08 18:53 . 1998-12-08 18:53 17920 ----a-w- c:\program files\Common Files\IRASRIAL.DLL
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-05-15 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]
"F5D7050v3"="c:\program files\Belkin\F5D7050v3\Belkinwcui.exe" [2007-10-30 1654784]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-11-17 421160]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-12 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
Symantec Fax Starter Edition Port.lnk - c:\program files\Microsoft Office\Office\1033\OLFSNT40.EXE [1998-12-23 45568]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Bullfrog\\Dungeon Keeper 2\\DKII.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bullfrog\\Dungeon Keeper 2\\DKII.icd"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
.
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [15/05/2010 13:33 136176]
S3 dsiarhwprog;dsiarhwprog;c:\windows\system32\drivers\dsiarhwprog.sys [25/01/2010 15:09 29184]
.
Contents of the 'Scheduled Tasks' folder
.
2010-11-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 11:50]
.
2011-04-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-15 12:33]
.
2011-04-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-15 12:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-19 14:12
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1454471165-448539723-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,00,3e,3e,1e,b5,58,a8,49,ba,9b,10,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,00,3e,3e,1e,b5,58,a8,49,ba,9b,10,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2011-04-19 14:16:05
ComboFix-quarantined-files.txt 2011-04-19 13:16
.
Pre-Run: 15,183,388,672 bytes free
Post-Run: 16,312,971,264 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 4251CFE7582E72B023103774FE9B52AD

 
0
 

Good! Now Update Malwarebytes' Anti-Malware (MBA-M) and run a Full Scan with it. Have it Remove everything found and Reboot the computer. A Reboot is very important as the removals are completed early in the boot process.
Once this is completed then post back here with the new MBA-M log.
Judy

 
0
 

Ok I updated and ran Malwarebytes, the log is below.
After restarting, my computer started up properly for the first time since the virus and everything to do with the virus has gone! I don't know if I need to do anything else but thank you so much for your help, everything is working normally! My internet is a little slower than before but I don't think it's because of my computer.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6399

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

19/04/2011 15:28:57
mbam-log-2011-04-19 (15-28-56).txt

Scan type: Full scan (A:\|C:\|)
Objects scanned: 182240
Time elapsed: 32 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
