Malwarebytes

Malware bytes freezes and AVG Detects Win32/Heur

6 replies to this topic

#1
cgordon311

    New Member

  • Members
  • 4 posts
I have been having problems with my laptop since June 2009. My kids have gone on inappropriate sites and somehow got viruses. I am no longer receiving most of the unfortunate pop ups dealing with svchost files not working, but the computer is still extremely slow. I also have AVG 8.5 and it is detecting two viruses: win32/Heur.

I have run Malwarebytes 3 times; once at 9 infections, once at 10 infections and once at 11 infections it froze. Each time it froze, it froze in the C:/windows/system32/config folder. I have to restart the computer each time (takes ten minutes but works). Slow start up and shut downs. Out of 56 processes I can only see 9 in Task Manager. And I also see (my web search) like more than 50 times in my start up (viewing that with Advanced System Care Pro).

This is my system information, then the AVG report and finally the HJT log, in the order that I just mentioned.

thanks to anyone who can help out!

AWC System Information Report

Computer System
Computer Name EKAPICA-PC
User Name Eka Pica ( Pee )
Organization
Operating System
OS Name Microsoft® Windows Vista™ Home Basic
OS Version 6.0.6002
ServicePack 2.0
Product ID 89572-OEM-7332166-00029
System Uptime 13/09/2009 1:54:47 AM
Internet Explorer Version 8.0.6001.18783
Microsoft DirectX Version 10.0
OpenGL Version 6.0.6000.16386 (vista_rtm.061101-2205)
Free Physical Memory 1872 MB
Free Page File 3075 MB
Free Virtual Memory 4942 MB
Registry
Maximum Size 682MB
Current Size 25MB
Status OK
Center Processor
CPU Name AMD Athlon™ Processor 2650e
Code Name Model 15, Stepping 2
Manufacturer AuthenticAMD
Current Clock Speed 1600Mhz
Max Clock Speed 1600Mhz
Voltage 1V
External Clock 200Mhz
Serial Number 078BFBFF00070FF2
CPU ID x64 Family 15 Model 127 Stepping 2
Socket Designation Socket M2/S1G1
L2 Cache 512KB

(I am confused about the virus definitions date; it should be June last, but it says March 13 2009)

AVG 8.5 Anti-Virus command line scanner
Copyright © 1992 - 2009 AVG Technologies
Program version 8.0.268, engine 8.0.281
Virus Database: Version 270.11.13/1999 2009-03-13

C:\Boot\BCD Locked file. Not tested.
C:\Boot\BCD.LOG Locked file. Not tested.
C:\Documents and Settings\All Users\Microsoft\Crypto\RSA\MachineKeys\086e0fda99562384c3da6ba1339df19c_5159205d-5a55-452a-9eeb-01370f9a4384 Locked file. Not tested.
C:\Documents and Settings\All Users\Microsoft\Crypto\RSA\MachineKeys\27e27981304cb0906ab79336c67af7a8_5159205d-5a55-452a-9eeb-01370f9a4384 Locked file. Not tested.
C:\Documents and Settings\All Users\Microsoft\Crypto\RSA\MachineKeys\49c6bb42b4031cba43fa527067ba7e7f_5159205d-5a55-452a-9eeb-01370f9a4384 Locked file. Not tested.
C:\Documents and Settings\All Users\Microsoft\Crypto\RSA\MachineKeys\5a3b246ca8cb73540943bd28df03661e_5159205d-5a55-452a-9eeb-01370f9a4384 Locked file. Not tested.
C:\Documents and Settings\All Users\Microsoft\Crypto\RSA\MachineKeys\7953f9c4b91032b4f9f3c8d13ead2293_5159205d-5a55-452a-9eeb-01370f9a4384 Locked file. Not tested.
C:\Documents and Settings\All Users\Microsoft\Crypto\RSA\MachineKeys\acaca67da1c2986b2dbae57266f1e89b_5159205d-5a55-452a-9eeb-01370f9a4384 Locked file. Not tested.
C:\Documents and Settings\Eka Pica ( Pee )\AppData\Local\Microsoft\Windows\UsrClass.dat Locked file. Not tested.
C:\Documents and Settings\Eka Pica ( Pee )\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1 Locked file. Not tested.
C:\Documents and Settings\Eka Pica ( Pee )\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2 Locked file. Not tested.
C:\Documents and Settings\Eka Pica ( Pee )\Desktop\Astrrology\Janus_4.1\Janus4.exe Runtime packed nspack
C:\Documents and Settings\Eka Pica ( Pee )\NTUSER.DAT Locked file. Not tested.
C:\Documents and Settings\Eka Pica ( Pee )\ntuser.dat.LOG1 Locked file. Not tested.
C:\Documents and Settings\Eka Pica ( Pee )\ntuser.dat.LOG2 Locked file. Not tested.
C:\Documents and Settings\JESSE AND IYRELL\AppData\Local\Temp\~DF576D.tmp Locked file. Not tested.
C:\Documents and Settings\JESSE AND IYRELL\AppData\Local\Temp\~DF5776.tmp Locked file. Not tested.
C:\Documents and Settings\JESSE AND IYRELL\AppData\Local\Temp\~DF9A55.tmp Locked file. Not tested.
C:\Documents and Settings\JESSE AND IYRELL\AppData\Local\Temp\~DF9B20.tmp Locked file. Not tested.
C:\Documents and Settings\JESSE AND IYRELL\AppData\Local\Temp\~DF9B69.tmp Locked file. Not tested.
C:\Documents and Settings\JESSE AND IYRELL\AppData\Local\Temp\~DF9BB1.tmp Locked file. Not tested.
C:\Documents and Settings\JESSE AND IYRELL\AppData\Local\Temp\~DF9E5D.tmp Locked file. Not tested.
C:\Documents and Settings\JESSE AND IYRELL\AppData\Local\Temp\~DF9E63.tmp Locked file. Not tested.
C:\Documents and Settings\JESSE AND IYRELL\AppData\Local\Temp\~DFD037.tmp Locked file. Not tested.
C:\pagefile.sys Locked file. Not tested.
C:\Program Files\DivX\DivX Converter\AKGZIK.ddc Virus found Win32/Heur Object was moved to Virus Vault.
C:\Program Files\Janus4\Janus4.exe Runtime packed nspack
C:\System Volume Information\MountPointManagerRemoteDatabase Locked file. Not tested.
C:\System Volume Information\{23ef82f6-8525-11de-962d-001eecdbec26}{3808876b-c176-4e48-b7ae-04046e6cc752} Locked file. Not tested.
C:\System Volume Information\{23ef8309-8525-11de-962d-001eecdbec26}{3808876b-c176-4e48-b7ae-04046e6cc752} Locked file. Not tested.
C:\System Volume Information\{23ef8315-8525-11de-962d-001eecdbec26}{3808876b-c176-4e48-b7ae-04046e6cc752} Locked file. Not tested.
C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752} Locked file. Not tested.
C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat Locked file. Not tested.
C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat Locked file. Not tested.
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT Locked file. Not tested.
C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG1 Locked file. Not tested.
C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG2 Locked file. Not tested.
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT Locked file. Not tested.
C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1 Locked file. Not tested.
C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG2 Locked file. Not tested.
C:\Windows\System32\config\COMPONENTS Locked file. Not tested.
C:\Windows\System32\config\COMPONENTS.LOG1 Locked file. Not tested.
C:\Windows\System32\config\COMPONENTS.LOG2 Locked file. Not tested.
C:\Windows\System32\config\DEFAULT Locked file. Not tested.
C:\Windows\System32\config\DEFAULT.LOG1 Locked file. Not tested.
C:\Windows\System32\config\DEFAULT.LOG2 Locked file. Not tested.
C:\Windows\System32\config\RegBack\COMPONENTS Locked file. Not tested.
C:\Windows\System32\config\RegBack\DEFAULT Locked file. Not tested.
C:\Windows\System32\config\RegBack\SAM Locked file. Not tested.
C:\Windows\System32\config\RegBack\SECURITY Locked file. Not tested.
C:\Windows\System32\config\RegBack\SOFTWARE Locked file. Not tested.
C:\Windows\System32\config\RegBack\SYSTEM Locked file. Not tested.
C:\Windows\System32\config\SAM Locked file. Not tested.
C:\Windows\System32\config\SAM.LOG1 Locked file. Not tested.
C:\Windows\System32\config\SAM.LOG2 Locked file. Not tested.
C:\Windows\System32\config\SECURITY Locked file. Not tested.
C:\Windows\System32\config\SECURITY.LOG1 Locked file. Not tested.
C:\Windows\System32\config\SECURITY.LOG2 Locked file. Not tested.
C:\Windows\System32\config\SOFTWARE Locked file. Not tested.
C:\Windows\System32\config\SOFTWARE.LOG1 Locked file. Not tested.
C:\Windows\System32\config\SOFTWARE.LOG2 Locked file. Not tested.
C:\Windows\System32\config\SYSTEM Locked file. Not tested.
C:\Windows\System32\config\SYSTEM.LOG1 Locked file. Not tested.
C:\Windows\System32\config\SYSTEM.LOG2 Locked file. Not tested.
C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl Locked file. Not tested.
C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl Locked file. Not tested.
C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl Locked file. Not tested.
C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl Locked file. Not tested.
C:\Windows\System32\RMActivate.exe Virus found Win32/Heur
C:\Windows\System32\WUDFHost.exe Virus found Win32/Heur


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:50:02 AM, on 13/09/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\Innovative Solutions\Advanced Uninstaller PRO - Version 9\Monitor.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer.com/rdr.aspx?b=ACAW&a...p;m=aspire_5515
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http;//www.google.ca
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http;//www.google.ca
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.ca
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.ca
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www/google.ca
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: (no name) - {da21bd13-ca22-42e3-a071-98f08f1ca1e7} - (no file)
R3 - URLSearchHook: (no name) - {085FEAA9-36F6-4A6D-9EE7-11951AE89CFC} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: ToggleEN Toolbar - {038cb5c7-48ea-4af9-94e0-a1646542e62b} - C:\Program Files\ToggleEN\tbTogg.dll
R3 - URLSearchHook: (no name) - {2bae58c2-79f9-45d1-a286-81f911301c3a} - (no file)
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: ToggleEN Toolbar - {038cb5c7-48ea-4af9-94e0-a1646542e62b} - C:\Program Files\ToggleEN\tbTogg.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: ToggleEN Toolbar - {038cb5c7-48ea-4af9-94e0-a1646542e62b} - C:\Program Files\ToggleEN\tbTogg.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [Application Layer Gateway] C:\Program Files\Common Files\alg.exe
O4 - HKLM\..\RunOnce: [ N@] N@
O4 - HKLM\..\RunOnce: [İN@] İN@
O4 - HKCU\..\Run: [Advanced Uninstaller PRO Installation Monitor] "C:\Program Files\Innovative Solutions\Advanced Uninstaller PRO - Version 9\Monitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ter8m] RUNDLL32.EXE C:\Windows\TEMP\msxm192z.dll,w (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ter8m] RUNDLL32.EXE C:\Windows\TEMP\msxm192z.dll,w (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - (no file)
O9 - Extra button: (no name) - {925DAB62-F9AC-4221-806A-057BFB1014AA} - (no file)
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O13 - Gopher Prefix:
O15 - Trusted Zone: *.arcsoft.com
O15 - Trusted Zone: http://*.myprintcreations.com
O15 - Trusted Zone: http://*.printcreations.com
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1246311245707
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1246087813403
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,avgrsstx.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe
O23 - Service: AVGIDSAgent - AVG - C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSAgent.exe
O23 - Service: AVGIDSWatcher - AVG - C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: NTI Backup Now 5 Agent Service (BUNAgentSvc) - NewTech Infosystems, Inc. - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe
O23 - Service: Empowering Technology Service (ETService) - Unknown owner - C:\Program Files\Acer\Empowering Technology\Service\ETService.exe
O23 - Service: Google Desktop Manager 5.7.808.7150 (GoogleDesktopManager-080708-050100) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IS360service - Unknown owner - C:\Program Files\IObit\IObit Security 360\IS360srv.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: NTI Backup Now 5 Backup Service (NTIBackupSvc) - NewTech InfoSystems, Inc. - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
O23 - Service: NTI Backup Now 5 Scheduler Service (NTISchedulerSvc) - Unknown owner - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
O23 - Service: sofatnet Service (sofatnet) - Sigma Designs In - C:\Windows\system32\sofatnet.exe

--
End of file - 9873 bytes

Thanks again to anyone who can help!

Correy



#2
Maurice Naggar

    Malware Eradicator

  • Moderators
  • 4,245 posts
  • Gender:Male
  • Location:USA
  • Interests:Security, Windows, Windows Update, malware prevention
Hello cgordon311.

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!
These steps are for member cgordon311 only. If you are a casual viewer, do NOT try this on your system!
If you are not cgordon311 and have a similar problem, do NOT post here; start your own topic


Do not run or start any other programs while these utilities and tools are in use!
Do NOT run any other tools on your own or do any fixes other than what is listed here.
If you have questions, please ask before you do something on your own.
But it is important that you get going on these following steps.

Download and Save to the DESKTOP Win32kDiag from any of the following locations.


Click on Start button. Select Run, and copy-paste the following command (the bolded text) into the "Open" textbox, and click OK.

"%userprofile%\desktop\win32kdiag.exe" -f -r

I do not need the win32kdiag log.

=

Next 1. Go >> Here << and download ERUNT
(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
2. Install ERUNT by following the prompts
(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
3. Start ERUNT
(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
4. Choose a location for the backup
(the default location is C:\WINDOWS\ERDNT which is acceptable).
5. Make sure that at least the first two check boxes are ticked
6. Press OK
7. Press YES to create the folder.

=

Next, Show all files:
  • Click the Start button, and then click Computer.
  • On the Organize menu, click Folder and Search Options.
  • Click the View tab.
  • Locate and uncheck Hide file extensions for known file types.
  • Locate and uncheck Hide protected operating system files (Recommended).
  • Locate and click Show hidden files and folders.
  • Click Apply > OK.

Given that this is a Vista system, for almost all of the following programs and tools you will need to right-click on the program link, shortcut or desktop icon (as appropriate) and then select "Run as Administrator". Please remember that as you go along.

Start HijackThis. Look for these lines and place a checkmark against each of the following, if still present


O4 - HKLM\..\RunOnce: [ N@] N@
O4 - HKLM\..\RunOnce: [İN@] İN@
O4 - HKUS\S-1-5-18\..\Run: [ter8m] RUNDLL32.EXE C:\Windows\TEMP\msxm192z.dll,w (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ter8m] RUNDLL32.EXE C:\Windows\TEMP\msxm192z.dll,w (User 'Default user')
Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer (& or any other window) is closed when you click Fix Checked!


Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • RIGHT click on avenger.exe and select Run as Administrator to start The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below textbox to the clipboard by highlighting it and then pressing Ctrl+C.
    Files to delete:
    C:\Windows\TEMP\msxm192z.dll
    
    Drivers to delete:
    ter8m
    
    Folders to delete:
    C:\recycler
    D:\recycler
    e:\recycler
    f:\recycler
    g:\recycler
    h:\recycler
  • In the Avenger window, click the Paste Script from Clipboard button.
  • Make sure that what appears in Avenger matches exactly what you were asked to copy/paste from the box above.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
  • After your PC has completed the necessary reboots, a log should automatically open. Please copy/paste the contents of c:\avenger.txt into your next reply.
Not all the items will be found; so do not worry. Hopefully enough of the rootkit will be removed so that we can continue forward with more cleaning.
If you get a blue screen abort when it reboots, please write down all the information, STOP codes and description, and then reboot the system again.
=

Next, Take out the trash (temporary files & temporary internet files)
Please download ATF Cleaner by Atribune, saving it to your desktop. It is used to cleanout temporary files & temp areas used by internet browsers.
Start ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
ATF-Cleaner should be run per the above in every user-login account {User Profile}

=


Next: If you have a prior copy of Combofix, delete it now !

Download Combofix from any of the links below, and SAVE it to your Desktop.

Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your Desktop and not run straight away from download **

Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Right-click on Combo-Fix.exe on your Desktop and select "Run as Administrator".
  • A window may open with a warning. Type "1" (and Enter) to start the fix. When the scan completes, Notepad will open with your results log open. Do a File, Exit and answer 'Yes' to save changes.
A caution - Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.
If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light.
If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt.
Note:
Do not mouseclick combofix's window nor run any program while Combofix is running.
That may cause it to stall.
=
Start HijackThis. Do a Scan and Save.

Reply with copies of the C:\Combofix.txt, and the new HJT report.

Be sure to do a Preview prior to pressing Submit because all reports may not fit into 1 single reply. You may have to do more than 1 reply.
Do not use the attachment feature to place any of your reports. Always put them in-line inside the body of reply.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)
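An added example, not from this thread and not code from HijackThis or Malwarebytes: a small Python triage that applies the heuristics behind the four O4 lines Maurice picked out (odd Run/RunOnce value names, a rundll32 call loading a DLL from C:\Windows\TEMP, and autoruns in the SYSTEM/.DEFAULT hives) to sample lines constructed from the HJT log above. The rules and the sample set are my own, and a flag only means "look closer", not a verdict.

```python
"""Triage HijackThis O4 (autorun) lines with simple defender heuristics."""
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample: the four O4 entries the helper asked to fix, three benign
# Vista entries from the same log for contrast, and one non-O4 line.
SAMPLE_HJT_LINES = [
    r"O4 - HKLM\..\RunOnce: [ N@] N@",
    r"O4 - HKLM\..\RunOnce: [İN@] İN@",
    r"O4 - HKCU\..\Run: [Advanced Uninstaller PRO Installation Monitor] "
    r'"C:\Program Files\Innovative Solutions\Advanced Uninstaller PRO - Version 9\Monitor.exe"',
    r"O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')",
    r"O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')",
    r"O4 - HKUS\S-1-5-18\..\Run: [ter8m] RUNDLL32.EXE C:\Windows\TEMP\msxm192z.dll,w (User 'SYSTEM')",
    r"O4 - HKUS\.DEFAULT\..\Run: [ter8m] RUNDLL32.EXE C:\Windows\TEMP\msxm192z.dll,w (User 'Default user')",
    r"O13 - Gopher Prefix:",
]

# O4 line layout: "O4 - <hive>\..\<Run key>: [<value name>] <command> (User '<user>')"
O4_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] "
    r"(?P<command>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)

TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)
# rundll32 followed by the DLL it loads (up to the first comma or space)
RUNDLL_RE = re.compile(r'^"?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^,\s"]+)', re.IGNORECASE)
# Value names legitimate installers tend to use: plain ASCII words
SAFE_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9 ._\-()]*")
# A command that starts with a drive letter or an %ENV% variable
PATH_RE = re.compile(r'^"?(?:[A-Za-z]:\\|%[A-Za-z_()]+%\\)')
# Per-user Run keys of the SYSTEM and .DEFAULT profiles; rarely used by real software
SYSTEM_HIVES = {r"HKUS\S-1-5-18", r"HKUS\.DEFAULT"}


def parse_o4(line: str) -> Optional[Dict[str, str]]:
    """Split an O4 line into hive, key, value name, command and user (or None)."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["user"] = entry["user"] or ""
    return entry


def triage_entry(entry: Dict[str, str]) -> List[str]:
    """Return the heuristic reasons an autorun entry deserves a closer look."""
    name, cmd, hive = entry["name"], entry["command"], entry["hive"]
    reasons: List[str] = []
    if not SAFE_NAME_RE.fullmatch(name):
        reasons.append("value name is blank or uses unusual characters")
    if any(ord(ch) > 126 for ch in name + cmd):
        reasons.append("non-ASCII characters in name or command")
    if TEMP_DIR_RE.search(cmd):
        reasons.append("executes from a Temp directory")
    m = RUNDLL_RE.match(cmd)
    if m and "\\" in m.group("dll") and "\\windows\\system32\\" not in m.group("dll").lower():
        reasons.append("rundll32 loads a DLL from outside System32")
    elif m is None and not PATH_RE.match(cmd):
        reasons.append("command is not a full path")
    if hive.upper() in {h.upper() for h in SYSTEM_HIVES}:
        reasons.append("autorun placed in the SYSTEM/.DEFAULT user hive")
    return reasons


def triage_log(lines: Iterable[str]) -> List[Tuple[str, List[str]]]:
    """Run every O4 line through the heuristics and return only flagged ones."""
    findings: List[Tuple[str, List[str]]] = []
    for line in lines:
        entry = parse_o4(line)
        if entry is None:
            continue
        reasons = triage_entry(entry)
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for flagged_line, why in triage_log(SAMPLE_HJT_LINES):
        print(flagged_line)
        for reason in why:
            print("   -", reason)
```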

#3
cgordon311

    New Member

  • Members
  • 4 posts
Thank you Maurice!

I really appreciate the help. I have done everything you asked step by step until the Avenger part. Unfortunately I cannot boot properly. The first reboot stopped and shut down before login. Then it went a little further but still shut down before login. I tried safe mode once and got as far as seeing all icons, but then again it shut down. Fortunately it is not my home PC I am having this problem with; it is my laptop. I do not blame you or think it is your fault; I am comfortable with troubleshooting and I know that there is always a chance for the unexpected. I do however hope that you can continue advising me on what to do about my new problem. I would like to have the computer up and running this week so my daughter can use it for school.

Thanks again for your time and patience

Correy

#4
cgordon311

    New Member

  • Members
  • 4 posts
Hi Maurice,

I started my laptop today and it actually started with a log file from Avenger.


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows NT 6.0 (build 6002, Service Pack 2)
Sun Sep 13 18:25:53 2009

18:25:53: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: file "c:\windows\Temp\msxm192z.dll" not found!
Deletion of file "c:\windows\Temp\msxm192z.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\ter8m" not found!
Deletion of driver "ter8m" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: folder "c:\recycler" not found!
Deletion of folder "c:\recycler" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: folder "d:\recycler" not found!
Deletion of folder "d:\recycler" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: folder "e:\recycler" not found!
Deletion of folder "e:\recycler" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: could not open folder "f:\recycler"
Deletion of folder "f:\recycler" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: could not open folder "g:\recycler"
Deletion of folder "g:\recycler" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: could not open folder "h:\recycler"
Deletion of folder "h:\recycler" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Completed script processing.

*******************

Finished! Terminate.


After that I went to proceed with the ComboFix instructions; unfortunately it would not work. The error message reads:

!!Alert!! It is NOT SAFE to continue!


The contents of the ComboFix Package has been compromised.
Please download a freshh copy from :

Bleepingcomputer.com/combofix/how-to-use-combofix

Note: You may be infested with a file patching virus "VIRUT"

End of Message




Through a little bit of research I found out that the win32/heur virus is what AVG detects as another name for VIRUT. I also found people saying there is no fix for this virus you must format.


I was wondering if you could give me some feedback on this!


Thanks again for your time and patience

Correy

#5
Maurice Naggar

    Malware Eradicator

  • Moderators
  • 4,245 posts
  • Gender:Male
  • Location:USA
  • Interests:Security, Windows, Windows Update, malware prevention
Hello Correy,

To be very frank, if this system has a Virut infection, the only sane & safe thing is a wipe (wiping the system in total) and reloading Windows fresh. You will lose all your files, folders, documents, etc.
There's no fix for Virut.

Try only one time: Delete the Combofix.exe that you have saved.

Redownload a fresh copy (using another system that is Clean) and put on the desktop.
Then follow my directions as outlined before.

Let us see what Combofix says this time.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#6
cgordon311

    New Member

  • Members
  • 4 posts
Thanks Maurice.

I have tried downloading on a safe PC and I still got the same error message. I had already suspected the Virut virus. Can I ask, will this virus still affect the computer if I format it with a new Vista CD? Also, I have not formatted and installed an operating system since the first Windows XP. Is there anything I should know about installing that you can tell me? I can only assume it will basically be the same. I will try in the morning.

Thanks again for your time and Patience.

Correy

#7
Maurice Naggar

    Malware Eradicator

  • Moderators
  • 4,245 posts
  • Gender:Male
  • Location:USA
  • Interests:Security, Windows, Windows Update, malware prevention
Hello Correy,

Sorry to read that the pc has Virut. It seems you are well aware of the consequences.
Do read this blog post of Miekimoes' about Virut:
http://miekiemoes.blogspot.com/2009/02/vir...s-throwing.html

I highly commend you about deciding to wipe, and then do a clean install of Windows.
Have your Windows o.s. CD/DVD handy, as well as the setup program for your antivirus program.

The windows setup will allow you to delete existing partitions on your HD, repartition and format the drive prior to install. You need to set your pc BIOS to boot from CD/DVD drive, place the Windows setup CD in, and reboot the system to get started.

References for you on clean (new) install of Vista (do NOT even try repair install as that will not clear the infections)
http://www.theeldergeekvista.com/vista_cle...nstallation.htm

5 steps to help protect your new computer before you go online
http://www.microsoft...anced/xppc.mspx

An antivirus program is a must. And always keep it up-to-date.

Ensuring either the Windows built-in firewall is on (if you don't use a 3rd-party one, like Online Armor by Tallemu) or a 3rd-party firewall is also a must.

Other suggestions (after you have new Windows in place):
Download, install, and keep updated Spyware Blaster (free): http://www.javacools...areblaster.html (all Protections should be enabled at all times)

Get and use MVP Mike Burgess' custom hosts file http://mvps.org/winhelp2002/hosts.htm
See the FAQ page http://mvps.org/winh...02/hostsfaq.htm
That would help to keep your browser away from known spyware/malware sites.

Most important though:
On a regular basis, make regular backups of your system to removable media: DVD, USB external hard drive, etc.

Get and make use of imaging-backup utilities and save them to offline media. That way you have something to fall back to if another disaster hits.
Examples of image backup software: Acronis True Image, or the free (for personal use) Macrium Reflect http://www.macrium.com/reflectfree.asp

And needless to say, always stay current with Windows Update.
HTH
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

