Need help with Bagle.QH worm

I REALLY NEED HELP!!!

Hi all!

I have been experiencing an extraordinary problem for the last 2 days. I downloaded a cracked installation of a Pocket PC software (I know I did a wrong thing by looking for cracked software!), and then continued with the installation. After a couple of seconds, a box appeared about Black Box Communication and finished its installation before I could do anything. Then after a short while, a blue screen appeared. So, I restarted my laptop (Dell Inspiron 630m) and realized that the USB connection between my Pocket PC and the computer for synchronization was lost. Besides, my wireless internet connection was disconnected as well and I couldn’t connect it. When I tried to search for available networks to rebuild the connection, it showed me a message that you should use another application if you have defined another program for this purpose. Besides, Intel PROSet Wireless started popping up notifications about available networks, which I hadn’t experienced before. I have never used this software. One more thing was about the low performance of my CPU, as my Yahoo Widget was showing it 100% busy.

So, I went for a system scan using my anti-viruses, and realized that both NOD32 and Ad-Aware 2008 that I had were not accessible and received a message that they are not valid system32 applications. Also, the McAfee firewall I had had disappeared from both the icon tray and my Program Files!!!

Therefore, as the virus had got control of my system, I chose to remove the hard drive from the laptop and use an HD enclosure to connect it to another PC for a system scan. I did this and used NOD32 and Ad-Aware 2008 on another laptop to scan my HD. They both found a Win32/Bagle.QH worm in the Srosa.sys file in system32\drivers. Ad-Aware also found another malware in my System Volume Information with a risk of 10 out of 10. So, after I first used NOD32 and deleted the worm, I put the HD back and ran the computer. But I still had the same problems without any change. So, I did the scanning process one more time using Ad-Aware 2008, and after deleting all the worms and malware ran the computer again, and still had the problems. Eventually, I downloaded and installed avast Pro and was hoping for a boot-time scan. But it didn’t happen after restarting the computer, and when I tried to do it manually, the same message as for the other anti-viruses appeared.

So, I don’t know what to do now. Please let me know if you have any idea or have experienced a similar thing before. I am starting to freak out.

PLEASE HELP.

Best Regards,
Sepehr

I have responded in your other topic; check that out and respond in this one for further help.
http://forum.avast.com/index.php?topic=40196.msg338495#msg338495

Many Beagle variants are designed to take out your security software. avast since 4.8 has a self-defence module that is quite effective, but there are some variants that can attack it too.

Hi, let’s see if my tools will work. Depending on the variant I may have to add in an extra step to make this function... but let’s cross that bridge once we get to it.

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3

http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif

http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif


Double click on Combo-Fix.exe & follow the prompts.

- When finished, it will produce a report for you.
- Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.

If this fails, let me know and we will go the extra step.

Thanks for jumping in essexboy.

No probs David, I need to earn my avast keep somehow ;D

Hi,

Essexboy, thanks a lot for your consideration and help. I did what you said and went through the following steps (I’m writing them down to make sure they happened as you expected):

  1. Installing Windows Recovery Console by ComboFix
  2. System reboot as ComboFix detected the presence of rootkit activity
  3. ComboFix asked me if I wanted to update, which I chose not to since I didn’t know if it would affect the process or not
  4. Changing the clock of the system and then restoring it, done by ComboFix
  5. Deleting some files and folders in a couple of stages
  6. Rebooting the system and creating the log file (I didn’t run any program during this time, as ComboFix requested. But Yahoo Widgets, Skype and Real Message Centre started automatically)
  7. Before finishing the process, a line appeared on the blue screen of ComboFix stating: “SED: Can’t read temp0D: No such file or directory”

Here is the ComboFix.txt:

ComboFix 08-11-24.03 - Sepehr 2008-11-25 21:25:01.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1677 [GMT 1:00]
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Sepehr\Application Data\m
c:\documents and settings\Sepehr\Application Data\m\data.oct
c:\documents and settings\Sepehr\Application Data\m\flec006.exe
c:\documents and settings\Sepehr\Application Data\m\list.oct
c:\documents and settings\Sepehr\Application Data\m\shared\1st CD to Mp3 Maker 1.17.zip
c:\documents and settings\Sepehr\Application Data\m\shared\1st_Class_GradeBook_7.2c.zip
c:\documents and settings\Sepehr\Application Data\m\shared\350-001_Downloadable_Exam_Simulator_2.1_Serial.zip
c:\documents and settings\Sepehr\Application Data\m\shared\642-871_Free_Test_Exam_Questions_10.0_[Key].zip
c:\documents and settings\Sepehr\Application Data\m\shared\Active Multimedia SFX library (mp3) 1.0.zip
c:\documents and settings\Sepehr\Application Data\m\shared\AddPicker_E-mail_Collector_2.4.3.14.zip
c:\documents and settings\Sepehr\Application Data\m\shared\Advanced Image Resizer 2.0.22.zip
c:\documents and settings\Sepehr\Application Data\m\shared\ANIXIS_Password_Reset_1.2_Patch.zip
c:\documents and settings\Sepehr\Application Data\m\shared\API Component Pack 1.0.zip
c:\documents and settings\Sepehr\Application Data\m\shared\ArcSoft Video Stabilizer 1.0.9.24.zip
c:\documents and settings\Sepehr\Application Data\m\shared\ArtMoney_SE_7.26.zip
c:\documents and settings\Sepehr\Application Data\m\shared\AutoRunner_2.5.zip
c:\documents and settings\Sepehr\Application Data\m\shared\Autumn Paradise 3D 1.0.zip
c:\documents and settings\Sepehr\Application Data\m\shared\Aztec Encoder SDK ActiveX 1.0.zip
c:\documents and settings\Sepehr\Application Data\m\shared\BabyMouse and BabyBoard Pro 3.5.0.0.zip
c:\documents and settings\Sepehr\Application Data\m\shared\Bid-n-Invoice_Office_Cleaning_2.2.zip
c:\documents and settings\Sepehr\Application Data\m\shared\Black_Ice_TIFF_Printer_Driver_9.9.zip
c:\documents and settings\Sepehr\Application Data\m\shared\Bloch_Wallpaper_Changer_2.0.5.zip
c:\documents and settings\Sepehr\Application Data\m\shared\BookMark Savant 1.0.zip
c:\documents and settings\Sepehr\Application Data\m\shared\Camelot_Font_1.0.zip
c:\documents and settings\Sepehr\Application Data\m\shared\Canvas GIS Mapping Edition 9.0.4.zip
c:\documents and settings\Sepehr\Application Data\m\shared\Catch_the_Sperm_2.0.zip
c:\documents and settings\Sepehr\Application Data\m\shared\Chase 1.0.zip
c:\documents and settings\Sepehr\Application Data\m\shared\Christmas arrives in 1.0.zip
c:\documents and settings\Sepehr\Application Data\m\shared\Classified97 2.0.2.zip
c:\documents and settings\Sepehr\Application Data\m\shared\Crystalfontz 633 WinTest b1.9.zip
c:\documents and settings\Sepehr\Application Data\m\shared\Database_Icon_Collection_1.0.zip
c:\documents and settings\Sepehr\Application Data\m\shared\Deleted_File_Analysis_Utility_2.5.zip
c:\documents and settings\Sepehr\Application Data\m\shared\Destiny_Media_Player_1.61.0.zip
c:\documents and settings\Sepehr\Application Data\m\shared\Disspy_Lite_3.0.zip
c:\documents and settings\Sepehr\Application Data\m\shared\DocuMax_1.03e.zip
c:\documents and settings\Sepehr\Application Data\m\shared\DownUp2U_1.16.zip
c:\documents and settings\Sepehr\Application Data\m\shared\EasyStat 4.0.zip
c:\documents and settings\Sepehr\Application Data\m\shared\eLibrary_1.0.zip
c:\documents and settings\Sepehr\Application Data\m\shared\File Access Manager (FAM) Workstation 3.12.6.zip
c:\documents and settings\Sepehr\Application Data\m\shared\Floppy_Image_2.4_With_Crack.zip
c:\documents and settings\Sepehr\Application Data\m\shared\FoldersReport_1.21.zip
c:\documents and settings\Sepehr\Application Data\m\shared\FontSeeker 01.12.2007.zip
c:\documents and settings\Sepehr\Application Data\m\shared\FontThing_1.4.4.zip
c:\documents and settings\Sepehr\Application Data\m\shared\Friendster1234_toolbar_for_IE_4.5.128.0.zip
c:\documents and settings\Sepehr\Application Data\m\shared\Frontlets_4.04_KeyGen.zip
c:\documents and settings\Sepehr\Application Data\m\shared\Frutakia_1.41.zip
c:\documents and settings\Sepehr\Application Data\m\shared\FTP_Suite_for_REALbasic_4.2_[Key].zip
c:\documents and settings\Sepehr\Application Data\m\shared\GED-GEN 1.7.zip
c:\documents and settings\Sepehr\Application Data\m\shared\GetIcon 1.0.6.zip
c:\documents and settings\Sepehr\Application Data\m\shared\GFI Network Server Monitor 7.0 Build 20070803.zip
c:\documents and settings\Sepehr\Application Data\m\shared\Glow_Ball_(System_Edition)_1.3.zip
c:\documents and settings\Sepehr\Application Data\m\shared\HealthChecK 1.51.zip
c:\documents and settings\Sepehr\Application Data\m\shared\Hide & Protect any Drives 2.5 Build 453 KeyGen.zip
c:\documents and settings\Sepehr\Application Data\m\shared\i-Catcher_Console_2.3.9.zip
c:\documents and settings\Sepehr\Application Data\m\shared\IL TextEdit 1.9.2.zip
c:\documents and settings\Sepehr\Application Data\m\shared\Impossible_Creatures_demo.zip
c:\documents and settings\Sepehr\Application Data\m\shared\InfoExtractor 2.0.zip
c:\documents and settings\Sepehr\Application Data\m\shared\International_Symbols.zip
c:\documents and settings\Sepehr\Application Data\m\shared\Jk-ware_Theater_3.2.zip
c:\documents and settings\Sepehr\Application Data\m\shared\Jupiter 3D Space Tour 1.0.zip
c:\documents and settings\Sepehr\Application Data\m\shared\K700_Remote_Profiler_1.0.8.zip
c:\documents and settings\Sepehr\Application Data\m\shared\Kaspersky.Anti-Virus.v6.0.0.299.FINAL.WinAll-TWK.zip
c:\documents and settings\Sepehr\Application Data\m\shared\Kaspersky.Anti-Virus.v6.0.0.303.Final.Eng.incl.keys.zip
c:\documents and settings\Sepehr\Application Data\m\shared\KeyState 1.0.zip
c:\documents and settings\Sepehr\Application Data\m\shared\Likno Drop Down Menus Trees 1.1.132.zip
c:\documents and settings\Sepehr\Application Data\m\shared\LingvoSoft Picture Dictionary 2007 Polish - Chinese Mandarin Traditional 1.1.20.zip
c:\documents and settings\Sepehr\Application Data\m\shared\LiveCopy_1.8.3.zip
c:\documents and settings\Sepehr\Application Data\m\shared\Lockit 1.0.zip
c:\documents and settings\Sepehr\Application Data\m\shared\Lokad_Sales_Forecasting_for_ASP.Net_1.0.2_Key+Serial.zip
c:\documents and settings\Sepehr\Application Data\m\shared\LP-Calc_1.01.zip
c:\documents and settings\Sepehr\Application Data\m\shared\M2SYS-Biometrics_Suite_4.1.0.zip
c:\documents and settings\Sepehr\Application Data\m\shared\MailRed_3.31.zip
c:\documents and settings\Sepehr\Application Data\m\shared\MainStreetVisibility 2.12.zip
c:\documents and settings\Sepehr\Application Data\m\shared\Master_of_Orion_2.0.zip
c:\documents and settings\Sepehr\Application Data\m\shared\MB5-199 Practice Exam Testing Engine Software 1.0.zip
c:\documents and settings\Sepehr\Application Data\m\shared\MD5_Check_2.1.zip
c:\documents and settings\Sepehr\Application Data\m\shared\MetaTagDummy!1.7.zip
c:\documents and settings\Sepehr\Application Data\m\shared\Midget_1.36 (Patch).zip
c:\documents and settings\Sepehr\Application Data\m\shared\MIDICOPY 1.1.zip
c:\documents and settings\Sepehr\Application Data\m\shared\MP3 Tag Viewer 1.1.2.7.zip
c:\documents and settings\Sepehr\Application Data\m\shared\MuseBook Metronome 1.20 [With Crack].zip
c:\documents and settings\Sepehr\Application Data\m\shared\NetMarks Manager 3.0.1.zip
c:\documents and settings\Sepehr\Application Data\m\shared\Newega_0.7.2.zip

I have to put the rest of the log file in another file due to limitation of characters

Continue

c:\documents and settings\Sepehr\Application Data\m\shared\NFL_Ferret_2006_1.0.zip
c:\documents and settings\Sepehr\Application Data\m\shared\NoTrax_1.4.0.11_(With_Crack).zip
c:\documents and settings\Sepehr\Application Data\m\shared\NR0-013_Practice_Exam_Testing_Engine_Software_1.0_(Patch).zip
c:\documents and settings\Sepehr\Application Data\m\shared\NR0-015_Practice_Exam_Testing_Engine_Software_1.0.zip
c:\documents and settings\Sepehr\Application Data\m\shared\owDiskSpaceExplorer_1.0.0.zip
c:\documents and settings\Sepehr\Application Data\m\shared\Panda-Arroz_Con_Leche-2000-NoGrp.zip
c:\documents and settings\Sepehr\Application Data\m\shared\PDF_Charts_2.0.zip
c:\documents and settings\Sepehr\Application Data\m\shared\PictureBetter 1.1.zip
c:\documents and settings\Sepehr\Application Data\m\shared\Pixel_Patchwork_1.2_KeyGen.zip
c:\documents and settings\Sepehr\Application Data\m\shared\ProChef_Plus_10.0.0_Key+Serial.zip
c:\documents and settings\Sepehr\Application Data\m\shared\Puzzle_1.0.zip
c:\documents and settings\Sepehr\Application Data\m\shared\QRCode_2D_Barcode_ASP.Net_Component_3.0.zip
c:\documents and settings\Sepehr\Application Data\m\shared\Rconfig_3.1.1.zip
c:\documents and settings\Sepehr\Application Data\m\shared\ReadyNotes_1.0.0_build_95.zip
c:\documents and settings\Sepehr\Application Data\m\shared\Recycle Bin Laden 2.1.zip
c:\documents and settings\Sepehr\Application Data\m\shared\Runningman_Phone_List_Database_2.0.06.zip
c:\documents and settings\Sepehr\Application Data\m\shared\Secrets Protector Pro 2006 3.09.zip
c:\documents and settings\Sepehr\Application Data\m\shared\SiteC 2.1 Build 316.zip
c:\documents and settings\Sepehr\Application Data\m\shared\SiteInFile_Compiler_2.03.zip
c:\documents and settings\Sepehr\Application Data\m\shared\Soccer Newz 1.01.zip
c:\documents and settings\Sepehr\Application Data\m\shared\Soldner_Secret_Wars_v28610_patch.zip
c:\documents and settings\Sepehr\Application Data\m\shared\St_Patrick_Leprechaun_Party_Demo_Screensaver_1.0.zip
c:\documents and settings\Sepehr\Application Data\m\shared\Stackz Flashcard Organizer - Dictionary Edition 2005 3.0.zip
c:\documents and settings\Sepehr\Application Data\m\shared\Stellar_Phoenix_Macintosh_-MAC_Data_Recovery_1.zip
c:\documents and settings\Sepehr\Application Data\m\shared\Strip Kittens Screensavers 1.0.zip
c:\documents and settings\Sepehr\Application Data\m\shared\Super Mp3 Splitter 1.3.zip
c:\documents and settings\Sepehr\Application Data\m\shared\Supercrypt 1.0.zip
c:\documents and settings\Sepehr\Application Data\m\shared\System Optimizer And Tweaker 1.2.0.0 [Serial].zip
c:\documents and settings\Sepehr\Application Data\m\shared\Tabby_Cats_Screensaver_1.0.zip
c:\documents and settings\Sepehr\Application Data\m\shared\TagFetch 0.11.zip
c:\documents and settings\Sepehr\Application Data\m\shared\Taj_Mahal_3D_1.0 [KeyGen].zip
c:\documents and settings\Sepehr\Application Data\m\shared\THcalc 1.7.zip
c:\documents and settings\Sepehr\Application Data\m\shared\Theme Calendar–Anything Goes Jokes 1.0.zip
c:\documents and settings\Sepehr\Application Data\m\shared\ThunderStor_2.7.1.zip
c:\documents and settings\Sepehr\Application Data\m\shared\TickerMyMail 3.01.zip
c:\documents and settings\Sepehr\Application Data\m\shared\Together Trailer.zip
c:\documents and settings\Sepehr\Application Data\m\shared\TrayIt! 4.6.5.5.zip
c:\documents and settings\Sepehr\Application Data\m\shared\TuneUp_Utilities_2007_6.0.2311.0_(Crack).zip
c:\documents and settings\Sepehr\Application Data\m\shared\URR_2.1.zip
c:\documents and settings\Sepehr\Application Data\m\shared\VbSms 2.0.zip
c:\documents and settings\Sepehr\Application Data\m\shared\Visual IP Trace 2007 3.0a Build 946.zip
c:\documents and settings\Sepehr\Application Data\m\shared\Webit_1.9.zip
c:\documents and settings\Sepehr\Application Data\m\shared\Whole DVD Converter 3.26.zip
c:\documents and settings\Sepehr\Application Data\m\shared\Withes Tarot 1.0.zip
c:\documents and settings\Sepehr\Application Data\m\shared\WM_Converter_1.1.zip
c:\documents and settings\Sepehr\Application Data\m\shared\xlDEA 2.zip
c:\documents and settings\Sepehr\Application Data\m\shared\Yakity-YakMail_1.7.zip
c:\documents and settings\Sepehr\Application Data\m\shared\Yanoff_1.5.zip
c:\documents and settings\Sepehr\Application Data\m\srvlist.oct
c:\program files\NetWaiting\netWaiting.exe
c:\windows\IE4 Error Log.txt
c:\windows\system32\ban_list.txt
c:\windows\system32\drivers\downld
c:\windows\system32\drivers\downld\178359.exe
c:\windows\system32\drivers\downld\182125.exe
c:\windows\system32\drivers\downld\233625.exe
c:\windows\system32\drivers\downld\242046.exe
c:\windows\system32\drivers\downld\276921.exe
c:\windows\system32\drivers\downld\289937.exe
c:\windows\system32\drivers\downld\327328.exe
c:\windows\system32\drivers\downld\334453.exe
c:\windows\system32\drivers\downld\393906.exe
c:\windows\system32\drivers\downld\432187.exe
c:\windows\system32\drivers\downld\473859.exe
c:\windows\system32\drivers\downld\514000.exe
c:\windows\system32\drivers\srosa.sys
c:\windows\system32\drivers\srosa2.sys
c:\windows\system32\drivers\winfilse.exe
c:\windows\system32\mdelk.exe
c:\windows\system32\wintems.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SROSA
-------\Legacy_SROSA
-------\Legacy_SK9OU0S
-------\Service_sK9Ou0s

((((((((((((((((((((((((( Files Created from 2008-10-25 to 2008-11-25 )))))))))))))))))))))))))))))))
.

2008-11-25 16:01 . 2008-11-25 16:01 d-------- c:\program files\Alwil Software
2008-11-20 17:28 . 2008-11-20 17:28 d-------- c:\program files\AvantGo Connect
2008-11-20 17:28 . 2008-11-20 17:28 2,464 --a------ c:\windows\$_hpcst$.hpc
2008-11-20 17:27 . 2003-12-22 02:28 114,688 --a------ c:\windows\system32\MALSLIB.DLL
2008-11-20 17:27 . 2003-12-22 02:28 104,064 --a------ c:\windows\system32\drivers\wceusbsh.sys
2008-11-20 17:27 . 2003-12-22 02:28 104,064 --a------ c:\windows\system32\dllcache\wceusbsh.sys
2008-11-20 17:27 . 2004-02-03 06:41 77,903 --a------ c:\windows\system32\RAPI.DLL
2008-11-20 17:27 . 2003-12-22 02:28 69,632 --a------ c:\windows\system32\MBLLNK.CPL
2008-11-20 17:27 . 2004-02-03 06:43 65,619 --a------ c:\windows\system32\PMAILEXT.DLL
2008-11-20 17:27 . 2004-02-03 06:43 65,617 --a------ c:\windows\system32\PPVEXP.DLL
2008-11-20 17:27 . 2004-02-03 06:43 57,427 --a------ c:\windows\system32\MSGSTRPC.DLL
2008-11-20 17:27 . 2004-02-03 06:28 57,426 --a------ c:\windows\system32\MOBILEV.ACM
2008-11-20 17:27 . 2004-02-03 06:43 36,946 --a------ c:\windows\system32\PPCLOAD.DLL
2008-11-20 17:27 . 2004-02-03 06:41 24,657 --a------ c:\windows\system32\CEUTIL.DLL
2008-11-20 17:27 . 2004-02-03 06:41 24,656 --a------ c:\windows\system32\UICOM.DLL
2008-11-20 17:26 . 2008-11-20 17:28 2,510 --a------ c:\windows\Microsoft.MIF
2008-11-19 15:25 . 2008-11-19 15:25 d-------- c:\documents and settings\All Users\Application Data\2DBoy
2008-11-19 15:24 . 2008-11-19 15:25 d-------- c:\program files\WorldOfGoo
2008-11-16 13:25 . 2008-11-16 13:25 d-------- c:\program files\Microsoft Silverlight
2008-11-14 20:20 . 2008-11-25 02:43 d-------- c:\program files\LtUcx
2008-11-12 23:10 . 2008-10-24 12:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-12 23:09 . 2008-09-04 18:15 1,106,944 --------- c:\windows\system32\dllcache\msxml3.dll
2008-11-01 03:09 . 2008-11-01 03:09 d-------- c:\documents and settings\Sepehr\Application Data\vlc
2008-10-28 23:45 . 2008-10-28 23:45 d-------- c:\program files\Microsoft
2008-10-28 23:41 . 2008-10-28 23:41 d-------- c:\program files\Common Files\Windows Live
2008-10-28 23:36 . 2008-10-28 23:36 823,296 --a------ c:\windows\system32\divx_xx0c.dll
2008-10-28 23:36 . 2008-10-28 23:36 823,296 --a------ c:\windows\system32\divx_xx07.dll
2008-10-28 23:35 . 2008-10-28 23:35 815,104 --a------ c:\windows\system32\divx_xx0a.dll
2008-10-28 23:35 . 2008-10-28 23:35 802,816 --a------ c:\windows\system32\divx_xx11.dll
2008-10-28 23:35 . 2008-10-28 23:35 684,032 --a------ c:\windows\system32\DivX.dll
2008-10-28 19:14 . 2008-10-28 19:14 d-------- c:\program files\Common Files\xing shared
2008-10-28 17:22 . 2008-11-12 02:07 52 --a------ C:\U&P.psafe3.plk
2008-10-28 16:54 . 2008-10-28 16:54 d-------- c:\program files\Winamp Toolbar
2008-10-25 14:14 . 2008-10-25 14:14 d-------- c:\windows\system32\scripting
2008-10-25 14:14 . 2008-10-25 14:14 d-------- c:\windows\system32\en
2008-10-25 14:14 . 2008-10-25 14:14 d-------- c:\windows\system32\bits
2008-10-25 14:14 . 2008-10-25 14:14 d-------- c:\windows\l2schemas
2008-10-25 14:11 . 2008-10-25 14:11 d-------- c:\windows\ServicePackFiles
2008-10-25 14:03 . 2008-10-25 14:03 d-------- c:\windows\EHome

.

I still have to put the rest of the log file in another file due to limitation of characters

Continue

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-25 20:29 --------- d-----w c:\program files\NetWaiting
2008-11-25 14:58 --------- d-----w c:\documents and settings\Sepehr\Application Data\Skype
2008-11-25 14:56 --------- d-----w c:\program files\ESET
2008-11-25 02:41 --------- d-----w c:\documents and settings\Sepehr\Application Data\Babylon
2008-11-24 09:48 --------- d-----w c:\program files\eMule
2008-11-24 00:17 --------- d-----w c:\program files\Mimosa-Free
2008-11-23 11:53 --------- d-----w c:\documents and settings\Sepehr\Application Data\skypePM
2008-11-23 00:49 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-11-20 21:37 --------- d-----w c:\program files\Microsoft ActiveSync
2008-11-13 11:28 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-11 16:05 --------- d-----w c:\program files\Password Safe
2008-11-08 22:19 --------- d-----w c:\program files\DivX
2008-11-01 17:15 --------- d-----w c:\program files\BitComet
2008-10-28 22:50 --------- d-----w c:\program files\Windows Live
2008-10-28 18:14 --------- d-----w c:\program files\Common Files\Real
2008-10-28 16:24 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2008-10-28 15:55 --------- d-----w c:\program files\Winamp
2008-10-25 18:39 0 ----a-w c:\windows\system32\drivers\lvuvc.hs
2008-10-25 18:39 0 ----a-w c:\windows\system32\drivers\logiflt.iad
2008-10-25 13:46 96,384 ----a-w c:\windows\system32\drivers\sptd5485.sys
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 17:26 --------- d-----w c:\program files\Mozilla Firefox 3 Beta 5
2008-10-12 15:46 --------- d-----w c:\program files\zabkat
2008-10-12 15:26 --------- d-----w c:\program files\YouTube Downloader
2008-10-07 21:31 --------- d-----w c:\program files\VisualSubSync
2008-10-07 16:17 --------- d-----w c:\program files\QuickTime Alternative
2008-10-07 16:17 --------- d-----w c:\program files\Common Files\Apple
2008-10-07 16:16 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-10-07 16:15 --------- d-----w c:\program files\Apple Software Update
2008-10-07 16:15 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2008-10-03 16:29 --------- d-----w c:\program files\isoHunt
2008-10-03 16:29 --------- d-----w c:\program files\Conduit
2008-09-30 18:03 --------- d--h--w c:\program files\InstallShield Installation Information
2008-09-30 18:03 --------- d-----w c:\program files\VK mobile
2008-09-20 08:12 774,144 ----a-w c:\program files\RngInterstitial.dll
2008-09-05 14:56 287,744 ----a-w c:\windows\WLXPGSS.SCR
2008-01-09 00:40 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{a6e4a4eb-d169-4e99-8988-250fcbafe767}"= "c:\program files\isoHunt\tbisoH.dll" [2008-09-15 1784856]

[HKEY_CLASSES_ROOT\clsid\{a6e4a4eb-d169-4e99-8988-250fcbafe767}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a6e4a4eb-d169-4e99-8988-250fcbafe767}]
2008-09-15 05:47 1784856 --a------ c:\program files\isoHunt\tbisoH.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{a6e4a4eb-d169-4e99-8988-250fcbafe767}"= "c:\program files\isoHunt\tbisoH.dll" [2008-09-15 1784856]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{A6E4A4EB-D169-4E99-8988-250FCBAFE767}"= "c:\program files\isoHunt\tbisoH.dll" [2008-09-15 1784856]

[HKEY_CLASSES_ROOT\clsid\{a6e4a4eb-d169-4e99-8988-250fcbafe767}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-15 68856]
"pdfSaver3"="c:\program files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe" [2004-09-05 380928]
"mRouterConfig"="c:\program files\Intuwave\Shared\mRouterRuntime\mRouterConfig.exe" [2006-03-02 290816]
"VoipRaider"="c:\program files\VoipRaider.com\VoipRaider\VoipRaider.exe" [2008-07-29 8995120]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-09-23 21755688]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\WCESCOMM.EXE" [2004-02-03 401491]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShowLOMControl"="1 (0x1)"
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-11-01 94208]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 761947]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-12-15 839680]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2005-12-10 133016]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2008-11-25 139320]
"Network Associates Error Reporting Service"="c:\program files\Common Files\Network Associates\TalkBack\TBMon.exe" [2008-11-25 147514]
"McAfeeFireTray"="c:\program files\Network Associates\McAfee Desktop Firewall for Windows XP\Firetray.exe" [2008-11-25 655420]
"Babylon Client"="c:\program files\Babylon\Babylon-Pro\Babylon.exe" [2006-04-23 2655272]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-04 36352]
"PC Suite for Smartphones"="c:\program files\Sony Ericsson\Mobile4\Application Launcher\Application Launcher.exe" [2007-06-13 528384]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 2178832]
"QuickTime Task"="c:\program files\QuickTime Alternative\qttask.exe" [2008-09-06 413696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-10-28 185872]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-25 81000]
"SigmatelSysTrayApp"="stsystra.exe" [2005-09-09 c:\windows\stsystra.exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 c:\windows\KHALMNPR.Exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2008-08-21 443968]

c:\documents and settings\Sepehr\Start Menu\Programs\Startup
Yahoo! Widgets.lnk - c:\program files\Yahoo!\Widgets\YahooWidgets.exe [2008-03-19 4742184]

c:\documents and settings\All Users\Start Menu\Programs\Startup
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2006-08-12 25214]
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2005-01-14 479232]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-03-30 24576]
HPAiODevice(hp officejet g series) - 1.lnk - c:\program files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe [2002-11-20 151552]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-08-16 91440]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-08-16 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 16:08 110592 c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 01:42 72208 c:\program files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.VQC6"= V2210dec.dll
"Msacm.l3codec"= L3codecp.acm
"MSACM.CEGSM"= mobilev.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

I still have to put the rest of the log file in another file due to limitation of characters

Continue

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"=
"c:\Program Files\eMule\emule.exe"=
"c:\Program Files\Network Associates\Common Framework\FrameworkService.exe"=
"c:\Program Files\BitComet\BitComet.exe"=
"c:\Program Files\SmartFTP Client 2.0\SmartFTP.exe"=
"c:\Program Files\TVUPlayer\TVUPlayer.exe"=
"c:\Program Files\InternetCalls.com\InternetCalls\InternetCalls.exe"=
"c:\Program Files\Google\Google Talk\googletalk.exe"=
"c:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"=
"c:\Program Files\Intuwave\Shared\mRouterRuntime\mRouterRuntime.exe"=
"c:\Program Files\Sony Ericsson\Update Service\ma3platform.exe"=
"c:\Program Files\JustVoip.com\JustVoip\JustVoip.exe"=
"c:\Program Files\VoipRaider.com\VoipRaider\VoipRaider.exe"=
"c:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe"=
"c:\Program Files\SmsDiscount.com\SmsDiscount\SmsDiscount.exe"=
"c:\Program Files\Real\RealPlayer\realplay.exe"=
"c:\Program Files\Mozilla Firefox\firefox.exe"=
"%windir%\Network Diagnostic\xpnetdiag.exe"=
"c:\Program Files\Windows Live\Messenger\wlcsdk.exe"=
"c:\Program Files\Windows Live\Messenger\msnmsgr.exe"=
"c:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"=
"c:\Program Files\Microsoft ActiveSync\WCESMGR.EXE"=
"c:\Program Files\Skype\Phone\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"14395:TCP"= 14395:TCP:BitComet 14395 TCP
"14395:UDP"= 14395:UDP:BitComet 14395 UDP

R3 zebrceb;Sony Ericsson Cable Emulation Bus (WDM);c:\windows\system32\DRIVERS\zebrceb.sys [2008-02-20 62984]
S1 aswSP;avast! Self Protection;
S1 lusbaudio;Logitech USB Microphone;c:\windows\system32\drivers\OVSound2.sys [2006-10-14 25216]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys
S3 CM1083264;C-Media CM108 Like Sound UDAX Interface;c:\windows\system32\drivers\CM108.sys
S3 QCEmerald;Logitech QuickCam Web;c:\windows\system32\DRIVERS\OVCE.sys [2006-10-14 31872]
S3 V2210VID;DigitalCam Pro;c:\windows\system32\DRIVERS\V2210vid.sys [2006-10-03 434368]
S3 zebrbus;Sony Ericsson Composite Device driver;c:\windows\system32\DRIVERS\zebrbus.sys [2008-02-20 83080]
S3 zebrmdfl;Sony Ericsson Modem Filter;c:\windows\system32\DRIVERS\zebrmdfl.sys [2008-02-20 15112]
S3 zebrmdm;Sony Ericsson Port (WDM);c:\windows\system32\DRIVERS\zebrmdm.sys [2008-02-20 108296]
S3 zebrmdmc;Sony Ericsson mRouter Port (WDM);c:\windows\system32\DRIVERS\zebrmdmc.sys [2008-02-20 108424]
S3 zebrsce;Sony Ericsson PC-Connect Port;c:\windows\system32\DRIVERS\zebrsce.sys [2008-02-20 90888]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{86dc50d0-e567-11dc-96af-00166f68347e}]
\Shell\AutoRun\command - g:\wd_windows_tools\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9e388c10-3146-11dc-95b3-001422a30050}]
\Shell\AutoRun\command - G:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ce869c67-8494-11dd-9760-00166f68347e}]
\Shell\AutoRun\command - G:\WDSetup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d190091c-3e9d-11dc-95c5-001422a30050}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-ModemOnHold - c:\program files\NetWaiting\netWaiting.exe
HKCU-Run-Messenger (Yahoo!) - ~c:\program files\Yahoo!\Messenger\YahooMessenger.exe
HKLM-Run-pdfSaver3 - (no file)

.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Sepehr\Application Data\Mozilla\Firefox\Profiles\up1kfb4x.default
FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Acrobat\browser\nppdf32.dll
FF -: plugin - c:\program files\Google\Google Updater\2.4.1399.3742\npCIDetect13.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npracplug.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF -: plugin - c:\program files\Picasa2\npPicasa2.dll
FF -: plugin - c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
FF -: plugin - c:\program files\Yahoo!\Shared\npYState.dll
.


catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-25 21:33:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully
hidden files:


.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(916)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Dell\NicConfigSvc\NicConfigSvc.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Intuwave\Shared\mRouterRuntime\mRouterRuntime.exe
c:\program files\Real\RealPlayer\realplay.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\program files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHSP.exe
c:\program files\Common Files\LogiShrd\KHAL2\KHALMNPR.exe
c:\progra~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
c:\program files\Hewlett-Packard\AiO\Shared\Bin\hposts07.exe
c:\program files\Common Files\Real\Update_OB\RealOneMessageCenter.exe
.


.
Completion time: 2008-11-25 21:43:30 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-25 20:43:26

Pre-Run: 6,990,516,224 bytes free
Post-Run: 8,989,245,440 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

441 --- E O F --- 2008-11-13 11:30:40


About HijackThis.log, I don't know where to find it. It is not located in C:. Let me know where to find it and I will send it to you right away.

So, how do you see the log file? To be honest, I have no good understanding of such files.

Thank you again for your help and the time you are spending on this.

/Sepehr
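The two registry sections at the top of the log excerpt above (the Windows Firewall AuthorizedApplications and GloballyOpenPorts lists, and the MountPoints2 AutoRun commands) are the parts a helper reads most carefully, because they say which programs may accept inbound connections and which executables a plugged-in drive was set to launch. The following script is an added example and is not part of the thread, nor a ComboFix or OTScanIt feature: it parses log lines in that format and flags the items worth a second look. The sample input is assembled from lines posted above plus one constructed firewall entry (a hypothetical `updater.exe` under a temp folder) that does not appear in the real log, added only so the "outside the program directories" check has something to flag.

```python
"""
Added example: review the firewall and MountPoints2 sections of a ComboFix-style log.
Not part of the forum thread or of any tool it mentions.
"""
import re

# Constructed sample input. All lines except the "updater.exe" entry are copied from
# the log excerpt posted in the thread; the updater.exe line is hypothetical.
SAMPLE_LOG = r"""
[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"=
"c:\Program Files\eMule\emule.exe"=
"c:\Program Files\BitComet\BitComet.exe"=
"c:\Program Files\Skype\Phone\Skype.exe"=
"c:\docume~1\Sepehr\locals~1\temp\updater.exe"=

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"14395:TCP"= 14395:TCP:BitComet 14395 TCP
"14395:UDP"= 14395:UDP:BitComet 14395 UDP

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{86dc50d0-e567-11dc-96af-00166f68347e}]
\Shell\AutoRun\command - g:\wd_windows_tools\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d190091c-3e9d-11dc-95c5-001422a30050}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")                      # [HKLM~\...\List]
APP_RE = re.compile(r'^"(.+?)"=')                            # "path\to\app.exe"=
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*(.*)$')         # "14395:TCP"= description
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command - (.+)$")
GUID_RE = re.compile(r"mountpoints2\\\{([0-9a-f-]+)\}", re.IGNORECASE)

# Locations where a firewall exception is unremarkable; anything else gets flagged.
TRUSTED_PREFIXES = ("%windir%\\", "c:\\windows\\", "c:\\program files\\")


def parse_log(text):
    """Collect firewall apps, open ports and per-volume AutoRun commands from the log text."""
    section = ""
    apps, ports, autoruns = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        sec = section.lower()
        if sec.endswith("authorizedapplications\\list"):
            m = APP_RE.match(line)
            if m:
                apps.append(m.group(1))
        elif sec.endswith("globallyopenports\\list"):
            m = PORT_RE.match(line)
            if m:
                ports.append((int(m.group(1)), m.group(2), m.group(3)))
        elif "mountpoints2" in sec:
            m = AUTORUN_RE.match(line)
            if m:
                g = GUID_RE.search(section)
                autoruns.append((g.group(1) if g else section, m.group(1)))
    return {"apps": apps, "ports": ports, "autoruns": autoruns}


def review(parsed):
    """Return (reason, item) pairs for entries a helper would want to look at twice."""
    findings = []
    for app in parsed["apps"]:
        if not app.lower().startswith(TRUSTED_PREFIXES):
            findings.append(("firewall-exception-outside-program-dirs", app))
    for _guid, cmd in parsed["autoruns"]:
        # A command on any drive other than C: was recorded from a removable volume.
        if cmd[:2].upper() != "C:":
            findings.append(("autorun-command-on-removable-drive", cmd))
    for port, proto, desc in parsed["ports"]:
        findings.append(("globally-open-port", f"{port}/{proto} {desc}"))
    return findings


if __name__ == "__main__":
    for reason, item in review(parse_log(SAMPLE_LOG)):
        print(f"{reason:45} {item}")
```

The MountPoints2 entries are worth explaining: they are Explorer's memory of what a specific volume's autorun.inf asked to run, keyed by the volume GUID, so they persist after the drive is unplugged. Seeing `LaunchU3.exe` and `WDSetup.exe` there is consistent with the U3 flash drive and Western Digital disk the user owns; the point of the check is to make the list visible, not to condemn every entry.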

Not bad I could read the sections as you were posting ;D

They look good. I would like to run one more analysis programme to ensure all is gone. This will be a large log, so I will give you an upload link for Mediafire. Avast sometimes moans about this when the GMER section runs.

To ensure that I get all the information, this log will need to be uploaded to Mediafire; then post the sharing link.

Download OTScanit to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

[*]Close ALL OTHER PROGRAMS.
[*]Open the OTScanit folder and double-click on OTScanit.exe to start the program.
[*]Check the box that says Scan All User Accounts
[*]Check the Radio button for Rootkit check YES
[*]Check the Radio buttons for Files/Folders Created Within 90 Days and Files/Folders Modified Within 90 Days
[*]Under Additional Scans check the following:
[*]File - Lop Check
[*]Reg - BotCheck
[*]File - Additional Folder Scans
[*]File - Purity Scan
[*]Evnt - EventViewer Errors/Warnings (last 10)
[*]Now click the Run Scan button on the toolbar.
[*]Let it run unhindered until it finishes.
[*]When the scan is complete Notepad will open with the report file loaded in it.
[*]Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Hi,

I did as you said and here is the link to the file:
http://www.mediafire.com/?sharekey=7e6291957ed157dbd2db6fb9a8902bda

I hope you find the result good. In that case, can I install NOD32 and Adaware again with my McAfee firewall or not?

What about going for Avast Home or even Pro? I will appreciate your suggestions.

/Sepehr

Hi,

I forgot to ask you a question. Since all this happened when I was trying to synchronize a software installation to my Pocket PC, do you think my Pocket PC could have got the virus? If yes, how do you suggest I scan it before any other synchronization?

Please accept my apology if my questions are quite a lot.

/Sepehr

Whilst I look at your log, let's disinfect all your cards and USB drives

1 - Flash Drive Disinfector
Download Flash_Disinfector.exe by sUBs from >here< and save it to your desktop.
[*]Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
[*]The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
[*]Wait until it has finished scanning and then exit the program.
[*]Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder... it will help protect your drives from future infection.

OK the last remnants I believe

Start OTScanit. Copy/Paste the information in the quotebox below into the pane where it says “Paste fix here” and then click the Run Fix button.


[Unregister Dlls]
[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> ShowLOMControl -> []
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\{56CF4856-ECB4-4E46-A897-A378821F97B9} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer ToolBars [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\{56CF4856-ECB4-4E46-A897-A378821F97B9} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\{56CF4856-ECB4-4E46-A897-A378821F97B9} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
[Empty Temp Folders]


The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new Hijackthis log.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
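The Flash_Disinfector note above relies on a filesystem quirk: a folder named autorun.inf in a drive's root stops anything from creating a file of the same name there, so a drive that carries the folder cannot be given an autorun file later. The script below is an added example, not part of the thread or of Flash_Disinfector, showing how to check a drive root for that condition and, when a real autorun.inf file is present, which entries in it would cause Windows to launch a program. The three drive roots it inspects are constructed in a temporary directory, and the autorun.inf content is a constructed sample in the standard [autorun] format.

```python
"""
Added example: classify <drive root>\autorun.inf as absent, a protective folder,
or a real file, and list the launch entries of a real file.
Not part of the forum thread or of Flash_Disinfector.
"""
import tempfile
from pathlib import Path

# Keys in the [autorun] section that name a program to run.
LAUNCH_KEYS = ("open", "shellexecute")

# Constructed sample autorun.inf content (standard format used by U3 and vendor tools).
SAMPLE_AUTORUN = (
    "[autorun]\n"
    "icon=setup.exe,0\n"
    "open=setup.exe\n"
    "shell\\open\\command=setup.exe /quiet\n"
)


def parse_autorun_inf(text):
    """Return (key, value) pairs from [autorun] that would launch something."""
    launches = []
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):          # blank or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        k = key.lower()
        # open=, shellexecute= and shell\<verb>\command= all name a program to run.
        if k in LAUNCH_KEYS or (k.startswith("shell\\") and k.endswith("\\command")):
            launches.append((key, value))
    return launches


def inspect_autorun(drive_root):
    """Classify the autorun.inf entry in a drive root the way a helper checking a cleaned stick would."""
    path = Path(drive_root) / "autorun.inf"
    if not path.exists():
        return {"status": "absent", "launches": []}
    if path.is_dir():
        # The placeholder folder Flash_Disinfector leaves behind: while it exists,
        # no autorun.inf file can be created in this root.
        return {"status": "blocked-by-folder", "launches": []}
    return {"status": "file", "launches": parse_autorun_inf(path.read_text(errors="replace"))}


def demo():
    """Build three constructed drive roots (clean, protected, suspect) and inspect each."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        clean = Path(tmp) / "clean"
        clean.mkdir()
        protected = Path(tmp) / "protected"
        (protected / "autorun.inf").mkdir(parents=True)      # the protective folder
        suspect = Path(tmp) / "suspect"
        suspect.mkdir()
        (suspect / "autorun.inf").write_text(SAMPLE_AUTORUN)  # a real autorun file
        for name, root in (("clean", clean), ("protected", protected), ("suspect", suspect)):
            results[name] = inspect_autorun(root)
    return results


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10} {result['status']:18} {result['launches']}")
```

On a real machine you would call `inspect_autorun("G:\\")` for each removable drive; the "file" status is only a prompt to read the listed commands, since legitimate launchers such as the U3 and WD tools in the log above use exactly the same mechanism.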

Hi,

I did as you said, both about the flash drives and also the fixing action.

Here is a copy of the actions taken:

[Registry - Non-Microsoft Only]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShowLOMControl deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{56CF4856-ECB4-4E46-A897-A378821F97B9} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{56CF4856-ECB4-4E46-A897-A378821F97B9}\ not found.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{56CF4856-ECB4-4E46-A897-A378821F97B9} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{56CF4856-ECB4-4E46-A897-A378821F97B9}\ not found.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{56CF4856-ECB4-4E46-A897-A378821F97B9} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{56CF4856-ECB4-4E46-A897-A378821F97B9}\ not found.
[Empty Temp Folders]
File delete failed. C:\Documents and Settings\Sepehr\Local Settings\temp\Perflib_Perfdata_80c.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Sepehr\Local Settings\temp\~DF950B.tmp scheduled to be deleted on reboot.
User’s Temp folder emptied.
User’s Temporary Internet Files folder emptied.
User’s Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
RecycleBin -> emptied.
< End of fix log >
OTScanIt by OldTimer - Version 1.0.19.0 fix logfile created on 11262008_002834

Files moved on Reboot...
File C:\Documents and Settings\Sepehr\Local Settings\temp\Perflib_Perfdata_80c.dat not found!
C:\Documents and Settings\Sepehr\Local Settings\temp\~DF950B.tmp moved successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat moved successfully.


And about the Hijackthis log, as I said, I don't know where to find it. Can you explain to me where it is, and then I will send it to you here.

About other observations, I just have this red shield as I do not have any Antivirus installed on my pc right now. So, as I asked before, can I now install my previous Antivirus, Antispyware and firewall? (NOD32, Adaware 2008, McAfee).

Besides, after looking for possible wireless networks through the wireless network connection, I get this message that:

“Windows can not configure this wireless connection. IF you have enabled another program to manage this wireless connection, use that software. If you want windows to configure this wireless connection, start the Wireless Zero Configuration (WZC) service.” So, I can use Intel PROSet/Wireless.

Actually, since I do not have any Antivirus active on my PC, I haven't risked using different applications. So, I can say that I haven't been able to observe the performance of the PC that extensively. But, as far as I can see, everything looks fine and the CPU performance is as good as before.

I have to thank you for your big help and appreciate the time you spent.

I look forward to your comments on the result, the location of the HijackThis log and the possibility of installing antiviruses.

/Sepehr

The Hijackthis log should be at c:\program files\trend micro\hijackthis

And yes re-install your AV

Hi again,

Unfortunately I couldn't find any file or folder by this name, since there was no Trend Micro folder. Even more, I used the search tool and it didn't find anything by the name of hijackthis.

Can I trust my computer to be clean now?

/Sepehr

Oops, sorry, I forgot you didn't run that

I would recommend that you now run Malwarebytes to clear any errant registry items

Please download Malwarebytes’ Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
[*]Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
[*]If an update is found, it will download and install the latest version.
[*]Once the program has loaded, select “Perform Quick Scan”, then click Scan.
[*]The scan may take some time to finish,so please be patient.
[*]When the scan is complete, click OK, then Show Results to view the results.
[*]Make sure that everything is checked, and click Remove Selected.
[*]When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
[*]The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

I do not expect that to show much, if it does post back

Otherwise

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so... Download and run this small programme and hit the cleanup button. It will remove all the programmes we have used plus itself. MBAM can be uninstalled via control panel add/remove along with ERUNT. But they may be useful tools to keep.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that

[*]Click Start.
[*]Open My Computer.
[*]Select the Tools menu and click Folder Options.
[*]Select the View Tab.
[*]Under the Hidden files and folders heading select Do not show hidden files and folders.
[*]Click Yes to confirm.
[*]Click OK.

Please download JavaRa to your desktop and unzip it to its own folder

[*]Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
[*]Accept any prompts.
[*]Open JavaRa.exe again and select Search For Updates.
[*]Select Update Using Sun Java’s Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

XP
Now to get you off to a good start we will clean your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:

[*]Select Start > All Programs > Accessories > System tools > System Restore.
[*]On the dialogue box that appears select Create a Restore Point
[*]Click NEXT
[*]Enter a name e.g. Clean
[*]Click CREATE

You now have a clean restore point, to get rid of the bad ones:

[*]Select Start > All Programs > Accessories > System tools > Disk Cleanup.
[*]In the Drop down box that appears select your main drive e.g. C
[*]Click OK
[*]The System will do some calculation and the display a dialogue box with TABS
[*]Select the More Options Tab.
[*]At the bottom will be a system restore box with a CLEANUP button click this
[*]Accept the Warning and select OK again, the program will close and you are done

VISTA
To manually create a new Restore Point
[*]Go to Control Panel and select System and Maintenance
[*]Select System
[*]On the left select Advance System Settings and accept the warning if you get one
[*]Select System Protection Tab
[*]Select Create at the bottom
[*]Type in a name i.e. Clean
[*]Select Create
Now we can purge the infected ones

[*]Go back to the System and Maintenance page
[*]Select Performance Information and Tools
[*]On the left select Open Disk Cleanup
[*]Select Files from all users and accept the warning if you get one
[*]In the drop down box select your main drive i.e. C
[*]For a few moments the system will make some calculations
[*]Select the More Options tab
[*]In the System Restore and Shadow Backups select Clean up
[*]Select Delete on the pop up
[*]Select OK
[*]Select Delete
You are now done

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
[*]SpywareBlaster to help prevent spyware from installing in the first place.
[*]SuperAntispyware Run weekly to keep your system clean

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit
[*]Secunia Software inspector To check your programme update status
[*]Microsoft Windows Update

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?
Keep safe :wave:

Hi,

Thanks again for your complete and step by step explanation. I owe you big time man.

Just before going through all these steps, I want to know if these actions may affect my installed NOD32 and McAfee Desktop Firewall or not.

I will start the process as soon as you reply.

Cheers to you.

No they will have no effect at all apart from finishing off the cleaning