Please help, got stuck with a Trojan and a rootkit

Seeking your professional assistance.
I have a computer running Windows XP SP2 which has been sluggish recently.
I installed Avast Free two days ago, ran a full system scan and
it came up with the following viruses:
C:/RECYCLER/…/80000000.@ [trj]
C:/RECYCLER/…/800000cb.@ [rtk]
…/spywarestrike.exe

I deleted them all and spywarestrike.exe never showed up again,
yet Avast keeps popping up a small window every couple of minutes
(especially when the computer is online) saying it's re-blocked 80000000.@
and 800000cb.@ on a process called svchost.exe and no further action
is required. Only a couple of minutes later and everything recurs.

I've done a lot of searching and found numerous solutions but I've tried none yet.
Finally, I decided to take step-by-step advice from here under your supervision.

For whoever would kindly help me, I'd like him to know that
I've come across this article about ZeroAccess removal at http://malwaretips.com/blogs/zeroaccess-sirefef-virus/
and I was about to proceed through the steps (which seemed very similar to me to the procedure offered everywhere) as it requires no removable media or boot CDs.
I've also checked your procedure for similar problems and have two problems with it:
At the moment, I've run out of removable flash drives (required for Farbar Recovery Scan Tool).
Also I'm having a problem with the lens on my CD-ROM (so I won't be able to burn a CD with OTLPENet.exe).
My computer is running an OEM version of Windows (so apparently I don't have any boot CDs).

That being said, I wonder if someone would help me with the procedure in that article I've found, or modify the procedure stated here to suit me for the moment.
I'd gratefully appreciate any help offered, and I'm sorry for such a long post.

If you are able to boot the computer then there is no need for removable media

Download OTL to your Desktop
Secondary link

• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.

https://dl.dropbox.com/u/73555776/OTL_Main_Tutorial.gif

• Select All Users
• Under the Custom Scan box paste this in

netsvcs
BASESERVICES
%SYSTEMDRIVE%*.exe
/md5start
services.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
dir "%systemdrive%*" /S /A:L /C
CREATERESTOREPOINT

• Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
• When the scan completes, it will open two notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
• Post both logs
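The /md5start … /md5stop block in the custom scan above tells OTL to hash the core Windows binaries that a rootkit is most likely to replace, so that the helper has something to compare against a known-clean reference. The script below is an added example, not OTL's code and not from this thread, that does the same job in Python: it hashes the same file patterns under a directory tree and reports which binaries differ from, are missing from, or were not expected by a baseline. The directory layout, the file contents and the tampering it simulates (one patched binary, one stray copy, one deleted file) are constructed for the demo.

```python
import hashlib
import os
import tempfile
from fnmatch import fnmatch

# Same file patterns the custom scan hashes between /md5start and /md5stop.
CORE_BINARIES = ["services.*", "explorer.exe", "winlogon.exe", "Userinit.exe", "svchost.exe"]


def md5_of(path):
    """MD5 of a file, read in chunks so large binaries do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_core_binaries(system_root, patterns=CORE_BINARIES):
    """Walk system_root and hash every file whose name matches a core-binary pattern.

    Keys are paths relative to system_root written with backslashes, so a copy of
    svchost.exe sitting outside system32 shows up as a separate entry.
    """
    found = {}
    for dirpath, _dirs, files in os.walk(system_root):
        for name in files:
            if any(fnmatch(name.lower(), p.lower()) for p in patterns):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, system_root).replace(os.sep, "\\")
                found[rel] = md5_of(full)
    return found


def compare_with_baseline(observed, baseline):
    """Classify observed hashes against a baseline taken from a known-clean copy.

    modified   -> same path, different hash (possible patched system binary)
    unexpected -> a core file name in a location the baseline never had
    missing    -> a baseline file that is no longer present
    """
    report = {"ok": [], "modified": [], "unexpected": [], "missing": []}
    for rel, digest in sorted(observed.items()):
        if rel not in baseline:
            report["unexpected"].append(rel)
        elif baseline[rel] == digest:
            report["ok"].append(rel)
        else:
            report["modified"].append(rel)
    report["missing"] = sorted(set(baseline) - set(observed))
    return report


def demo():
    """Constructed scenario: take a baseline, tamper with the tree, re-hash and compare."""
    with tempfile.TemporaryDirectory() as root:
        sys32 = os.path.join(root, "system32")
        os.makedirs(sys32)
        # Constructed stand-ins for the real binaries; contents are arbitrary bytes.
        for name, body in {"services.exe": b"clean services image",
                           "winlogon.exe": b"clean winlogon image",
                           "svchost.exe": b"clean svchost image"}.items():
            with open(os.path.join(sys32, name), "wb") as f:
                f.write(body)
        with open(os.path.join(root, "explorer.exe"), "wb") as f:
            f.write(b"clean explorer image")
        baseline = hash_core_binaries(root)

        # Simulated tampering: patched services.exe, a stray svchost.exe copy, winlogon.exe gone.
        with open(os.path.join(sys32, "services.exe"), "wb") as f:
            f.write(b"patched services image")
        stray_dir = os.path.join(root, "Temp")
        os.makedirs(stray_dir)
        with open(os.path.join(stray_dir, "svchost.exe"), "wb") as f:
            f.write(b"stray copy")
        os.remove(os.path.join(sys32, "winlogon.exe"))

        return compare_with_baseline(hash_core_binaries(root), baseline)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(category, paths)
```

The baseline has to come from a trusted clean reference of the same Windows build and service pack; a baseline taken from the suspect machine itself only tells you what changed after that point, which is still useful for spotting reinfection between two scans.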

Thank you essexboy for your reply.
Please forgive my computer illiteracy but what do you mean by being able to boot the computer?
Does it mean removing and reinstalling windows? As I won’t be able to do so for I don’t have a windows CD at all. or you mean rebooting ( restarting)?
Also shall I begin with OTL directly or go through the whole procedure at
http://forum.avast.com/index.php?topic=53253.0
One last thing, I’d like to know your opinion of the procedure stated in the link I posted. Shall I go through it?

Many thanks

One last thing, I'd like to know your opinion of the procedure stated in the link I posted. Shall I go through it?
No as the malware has changed since that was written

By boot the computer I mean are you able to run windows normally (apart from the alerts that is) If so then download OTL from the link I provided and follow the instructions to generate the analysis log. Attach the log to this thread and we will then kill the blighter together :slight_smile:

Thank you Essexboy for your patience and instructions.
I've run OTL as you told me to. But it saved only one log named OTL.txt.
You’ll find it attached.

I've also noticed a few weird things during the scan:

I’ve set all the parameters as shown in the picture in your first post, yet I noticed the “standard registry” option altered to “all” while scanning and then returned to “safelist”.

Also towards the end of the scan, suddenly everything stopped and a black pop-up window opened (seems like a command window) saying C:/ documents and settings/… and disappeared after a few seconds.
Is all of this normal?

once more thank you :slight_smile:

OK killing time

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:Commands
[CREATERESTOREPOINT]

:OTL
SRV - File not found [Auto | Stopped] -- C:\WINDOWS\WW91c3RpbmEgU29saW1hbg\command.exe -- (cmdService)
SRV - [2011/08/09 14:29:52 | 002,051,472 | ---- | M] (Bandoo Media Inc.) [Auto | Running] -- C:\Program Files\Bandoo\Bandoo.exe -- (Bandoo Coordinator)
IE - HKU\S-1-5-21-3433162778-3685698554-67682326-1006\..\SearchScopes\{A2B2E73C-A6EF-4016-A791-ABFEB7E61784}: "URL" = http://www.mysearchresults.com/search?c=2402&t=01&q={searchTerms}
O2 - BHO: (no name) - {7825CFB6-490A-436B-9F26-4A7B5CFC01A9} - No CLSID value found.
O2 - BHO: (BandooIEPlugin Class) - {EB5CEE80-030A-4ED8-8E20-454E9C68380F} - C:\Program Files\Bandoo\Plugins\IE\ieplugin.dll (Bandoo Media Inc.)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - No CLSID value found.
O3 - HKU\S-1-5-21-3433162778-3685698554-67682326-1006\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-3433162778-3685698554-67682326-1006\..\Toolbar\WebBrowser: (no name) - {736B5468-BDAD-41BE-92D0-22AE2DDF7BCB} - No CLSID value found.
O4 - HKU\.DEFAULT..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe File not found
O4 - HKU\.DEFAULT..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe File not found
O4 - HKU\S-1-5-18..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe File not found
O4 - HKU\S-1-5-18..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe File not found
O4 - HKU\S-1-5-21-3433162778-3685698554-67682326-1006..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe File not found
O4 - HKU\S-1-5-21-3433162778-3685698554-67682326-1006..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe File not found
O4 - HKU\S-1-5-21-3433162778-3685698554-67682326-1006..\Run: [Internet Security] C:\Documents and Settings\All Users\Application Data\amsecure.exe File not found
O18 - Protocol\Filter\text/html {2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D} - C:\PROGRA~1\Jalmp\jalmp.dll File not found
O20 - AppInit_DLLs: (c:\progra~1\bandoo\bndhook.dll) - c:\Program Files\Bandoo\BndHook.dll (Discordia Limited)
[2012/01/11 06:26:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Bandoo
[2012/01/11 05:12:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Bandoo(2)
[2008/06/28 08:33:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CA

:Files
C:\Program Files\Bandoo
C:\RECYCLER\S-1-5-18

:Commands
[resethosts]
[emptytemp]
[Reboot]

• Then click the Run Fix button at the top
• Let the program run unhindered, reboot the PC when it is done
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

• Double click on ComboFix.exe & follow the prompts.
• Accept the disclaimer and allow it to update if it asks
• Allow the installation of the recovery console

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

• When finished, it shall produce a log for you.
• Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.
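Every entry in the fix above was picked for a reason the log line itself states: the referenced file is missing ("File not found"), the CLSID no longer resolves, a DLL is pushed into every process through AppInit_DLLs, a search scope points somewhere other than the default, or a path sits under C:\RECYCLER (where the first post's 80000000.@ and 800000cb.@ detections lived). The Python below is an added example, not essexboy's method and not OTL's own logic, that applies those same rules to OTL-style log lines so the recurring categories can be pulled out of a long log. The sample input reuses lines from the fix script above plus one constructed RECYCLER file entry modelled on the first post's detections; the category names are this example's own. A reputation judgement such as removing Bandoo, whose service is present and running, is outside what these rules can decide.

```python
import re
from collections import defaultdict

# Sample OTL entries: lines copied from the fix script in this thread, plus a
# constructed file entry under C:\RECYCLER modelled on the first post's detections.
SAMPLE_LOG = r"""
SRV - File not found [Auto | Stopped] -- C:\WINDOWS\WW91c3RpbmEgU29saW1hbg\command.exe -- (cmdService)
SRV - [2011/08/09 14:29:52 | 002,051,472 | ---- | M] (Bandoo Media Inc.) [Auto | Running] -- C:\Program Files\Bandoo\Bandoo.exe -- (Bandoo Coordinator)
IE - HKU\S-1-5-21-3433162778-3685698554-67682326-1006\..\SearchScopes\{A2B2E73C-A6EF-4016-A791-ABFEB7E61784}: "URL" = http://www.mysearchresults.com/search?c=2402&t=01&q={searchTerms}
O2 - BHO: (no name) - {7825CFB6-490A-436B-9F26-4A7B5CFC01A9} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4 - HKU\S-1-5-21-3433162778-3685698554-67682326-1006..\Run: [Internet Security] C:\Documents and Settings\All Users\Application Data\amsecure.exe File not found
O18 - Protocol\Filter\text/html {2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D} - C:\PROGRA~1\Jalmp\jalmp.dll File not found
O20 - AppInit_DLLs: (c:\progra~1\bandoo\bndhook.dll) - c:\Program Files\Bandoo\BndHook.dll (Discordia Limited)
[2012/01/11 06:26:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Bandoo
[2012/01/10 03:15:00 | 000,024,576 | ---- | M] () -- C:\RECYCLER\S-1-5-18\80000000.@
"""

# A Windows path runs from the drive letter up to the next OTL separator:
# " -- ", " File not found", a vendor " (", a closing ")" or end of line.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?(?= -- | File not found| \(|\)|$)")
URL_RE = re.compile(r'"URL"\s*=\s*(\S+)')
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]+\}")
RECYCLER_RE = re.compile(r"[A-Za-z]:\\RECYCLER\\", re.IGNORECASE)


def classify(line):
    """Return a triage category for one OTL entry, or None when no rule fires.

    Order matters: a RECYCLER path is reported as such even if the file is gone.
    """
    if RECYCLER_RE.search(line):
        return "recycler_payload"      # files parked under the recycle bin folder
    if "File not found" in line:
        return "orphaned_autostart"    # service/Run/filter entry whose target is missing
    if "No CLSID value found" in line:
        return "dangling_clsid"        # BHO or toolbar registration that resolves to nothing
    if line.startswith("O20 - AppInit_DLLs:"):
        return "appinit_hook"          # DLL loaded into every process that links user32
    if line.startswith("IE - ") and "SearchScopes" in line:
        return "search_scope"          # non-default search provider
    return None


def detail(line):
    """Pull the most useful identifier out of an entry: path, else URL, else GUID."""
    for pattern, group in ((PATH_RE, 0), (URL_RE, 1), (GUID_RE, 0)):
        m = pattern.search(line)
        if m:
            return m.group(group)
    return line


def triage(text):
    """Group every flagged entry in an OTL log by category."""
    findings = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        category = classify(line)
        if category:
            findings[category].append(detail(line))
    return dict(findings)


if __name__ == "__main__":
    for category, items in triage(SAMPLE_LOG).items():
        print(category)
        for item in items:
            print("   ", item)
```

The running Bandoo service and the Bandoo data directory produce no finding here, which is the point: these rules only surface entries that are structurally broken or that sit in a known-bad location, and everything else still needs a human who recognises the vendor.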

Fine, I’ll follow your instructions.
Just a few questions:
Would I lose any data or files during or after running this fix? Even if infected?

  1. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

What reboot do you mean? Will I reboot after combofix finishes?

No, all your files will remain intact. Once ComboFix has finished its work it will reboot the computer for you automatically. If you receive errors about programmes being marked for deletion then reboot the computer to clear that.

Ok, thanks. I’ll begin in a few minutes.
I feel lucky to have found someone this helpful.

If you have any questions or are not sure then just ask :slight_smile:

sorry for bothering you every now and then, just wanted to make sure about a few things: :-\

You've deliberately unchecked "all users", "LOP check" and "Purity check" before running the fix? Right?
Also, shall I uncheck them for the quick scan too, or keep them checked as in the very first scan?

One more thing: after running the quick OTL scan, will it be safe to log onto the internet to download ComboFix?
That's because I feel that the trojan becomes activated, or maybe what's called "trying to connect to a certain remote server", whenever I'm online. Just wondering?

HELPPP
I got a frozen screen of my desktop while running ComboFix.
It downloaded the recovery console, created a restore point and said that it was scanning for viruses, which would take no more than 10 minutes.
I left it overnight, slept beside it and woke up to find it all frozen. Even the blinking "-" at the bottom of the command box won't blink anymore.
I tried to MOVE the mouse cursor but it didn't ever respond, yet I made sure that I didn't CLICK on anything.
I've read that ComboFix would lead to unexpected results if run wrongly, so is this the case here?
What shall I do?

Anybody there? Please help me.
It's almost 12 hours since running ComboFix and getting everything frozen like a still picture.
I don't want to take any action with ComboFix without supervision. So please help me as soon as you get to see my posts.

Please have patience, essexboy should be on the forum in a few hours.

I’m waiting and I have no other choice.
I just hope it doesn’t get worse like that.

Can anyone help me?
It’s been 20 hours, yet nobody suggests any sort of solution.
Is it unrepairable? Will I be hung this way forever?
I've no means of contact with Essexboy, and all I could find out is that he's been offline all the time.
I wonder if any administrator could reach him… could anybody respond…?

As Craig said, please be patient.

Alright, I’ll try to be. Thanks for responding anyway.

NP. It shouldn’t take too long.

Hi, reboot the computer using the power button.

Then run a fresh OTL scan so that I can see what remains.