Windows BBS - Security > Malware and Virus Removal
#1 - 2nd August 2009 - Wellies (Member; Join Date: Aug 2009; Posts: 4; Computer Experience: beginner)

[Not curable - Virut] unable to update antivirus software

Hi, well, I've got a bit of trouble here and I'm wondering if you can help. Two days ago my PC showed a few new processes running that I had no idea about. With help from a friend we managed to seemingly get rid of them through SUPERAntiSpyware and Malwarebytes; it seemed that a virus had got into my PC somehow, dropped my firewall and then ripped apart NOD32. Fun, huh? The problem is that I cannot access any antivirus websites to update the antivirus software I have now (SUPERAntiSpyware), or any other, for that fact. I will enclose the two documents you required.

Thank you for any help.


Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 20/03/2007 20:53:02
System Uptime: 08/02/2009 22:33:11 (4201 hours ago)

Motherboard: | | 939NF4G-SATA2
Processor: AMD Athlon(tm) 64 Processor 3500+ | CPUSocket | 2210/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 233 GiB total, 214.637 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E980-E325-11CE-BFC1-08002BE10318}
Description: Floppy disk drive
Device ID: FDC\GENERIC_FLOPPY_DRIVE\5&12C619AD&0&0
Manufacturer: (Standard floppy disk drives)
Name: Floppy disk drive
PNP Device ID: FDC\GENERIC_FLOPPY_DRIVE\5&12C619AD&0&0
Service: flpydisk

==== System Restore Points ===================

RP1: 02/08/2009 12:21:35 - System Checkpoint
RP2: 02/08/2009 13:22:39 - Installed STOPzilla. Available with Windows Installer version 1.2 and later.
RP3: 02/08/2009 14:10:44 - Removed STOPzilla. Available with Windows Installer version 1.2 and later.
RP4: 02/08/2009 14:11:08 - Removed Skype™ 3.8
RP5: 02/08/2009 14:11:51 - Removed Call of Duty(R) 4 - Modern Warfare(TM)
RP6: 02/08/2009 21:35:52 - Installed Panda Antivirus 2007
RP7: 02/08/2009 21:48:35 - Removed Test Drive Unlimited
RP8: 02/08/2009 21:49:32 - Removed Sweex Motion Tracking Webcam
RP9: 02/08/2009 21:49:55 - Removed Samsung New PC Studio
RP10: 02/08/2009 21:55:09 - Removed AGEIA PhysX v7.05.17

==== Installed Programs ======================

Ad-Aware SE Personal
Adobe Flash Player 10 ActiveX
Adobe Flash Player Plugin
Adobe Reader 7.0.5
Adobe Shockwave Player
Apple Software Update
Athlon 64 Processor Driver
Attribute Changer 5.23
AutoUpdate
AVS Update Manager 1.0
AVS Video Converter 6
AVS4YOU Software Navigator 1.3
Belarc Advisor 7.2
BT Broadband Help
Call of Duty(R) 4 - Modern Warfare(TM) 1.2 Patch
Call of Duty(R) 4 - Modern Warfare(TM) 1.3 Patch
Call of Duty(R) 4 - Modern Warfare(TM) 1.4 Patch
Call of Duty(R) 4 - Modern Warfare(TM) 1.5 Multiplayer Patch
Call of Duty(R) 4 - Modern Warfare(TM) 1.6 Patch
Call of Duty(R) 4 - Modern Warfare(TM) 1.7 Patch
Eusing Free Registry Cleaner
EVE-ONLINE (remove only)
Free Download Manager 2.5
Gadwin PrintScreen
Google Toolbar for Firefox
GSC
Hotfix for Windows XP (KB926239)
J2SE Runtime Environment 5.0 Update 5
Logitech GamePanel Software 2.00
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft WinUsb 1.0
MozBackup 1.4.3
Mozilla Firefox (3.0.12)
Mozilla Thunderbird (1.5)
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 Parser and SDK
MSXML4 Parser
NVIDIA Drivers
NVIDIA Photoshop Plug-ins
QuickTime
Real Alternative 1.45
Realtek AC'97 Audio
RegShot 1.7
SAMSUNG Mobile Modem Driver Set
Samsung Mobile phone USB driver Software
SAMSUNG Mobile USB Modem 1.0 Software
SAMSUNG Mobile USB Modem Software
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Microsoft .NET Framework 2.0 (KB922770)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
SUPERAntiSpyware Free Edition
Switch Sound File Converter
System Requirements Lab
TaskSwitchXP
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB929338)
Update for Windows XP (KB931836)
Ventrilo Client
Windows Driver Package - MobileTop (sshpmdm) Modem (02/23/2007 2.5.0.0)
Windows Driver Package - MobileTop (sshpusb) USB (02/23/2007 2.5.0.0)
Windows Live Messenger
Windows Media Format 11 runtime
Windows Media Player 10 Hotfix - KB895316
WinRAR archiver
Xfire (remove only)
Yahoo! Browser Services

==== Event Viewer Messages From Past Week ========

31/07/2009 18:54:57, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC90.CRT. Reference error message: The referenced assembly is not installed on your system. .
31/07/2009 18:54:57, error: SideBySide [59] - Generate Activation Context failed for C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\t1sxdg5m.default\extensions\{35a52c64-8cc6-46c7-a38b-7653c5743163}\components\FFAlert.dll. Reference error message: The operation completed successfully. .
31/07/2009 18:54:57, error: SideBySide [32] - Dependent Assembly Microsoft.VC90.CRT could not be found and Last Error was The referenced assembly is not installed on your system.
02/08/2009 17:44:43, error: Service Control Manager [7000] - The Security Center service failed to start due to the following error: The executable program that this service is configured to run in does not implement the service.
02/08/2009 17:21:17, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
02/08/2009 15:19:29, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AmdK8 BANTExt Fips IPSec MRxSmb NetBIOS NetBT prodrv06 RasAcd Rdbss SASDIFSV SASKUTIL Tcpip
02/08/2009 15:19:29, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
02/08/2009 15:19:29, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
02/08/2009 15:19:29, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
02/08/2009 15:18:33, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
02/08/2009 14:10:09, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the szserver service.
02/08/2009 13:14:06, error: Sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
02/08/2009 09:39:28, error: Dhcp [1002] - The IP address lease 192.168.1.3 for the Network Card with network address 00138F5EE07C has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
01/08/2009 21:57:51, error: Service Control Manager [7000] - The USB-USB Network Bridge service failed to start due to the following error: The system cannot find the file specified.
01/08/2009 21:47:37, error: Dhcp [1002] - The IP address lease 192.168.1.2 for the Network Card with network address 00138F5EE07C has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
01/08/2009 20:43:37, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service usnjsvc with arguments "" in order to run the server: {98AC5C33-EE18-4EC2-BE25-3B16EE8F75F1}

==== End Of File ===========================


DDS (Ver_09-07-30.01) - NTFSx86
Run by Administrator at 23:10:19.53 on 02/08/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.586 [GMT 1:00]


============== Running Processes ===============

C:\windows\system32\svchost -k DcomLaunch
svchost.exe
C:\windows\System32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\windows\Explorer.EXE
C:\windows\system32\spoolsv.exe
C:\windows\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\windows\System32\svchost.exe -k HTTPFilter
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/
uSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uStart Page = hxxp://track.moreniche.com/hit.php?w=155970&s=147
mDefault_Search_URL = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
mSearch Page = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/
mStart Page = hxxp://www.ngohq.com
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
mSearchAssistant = hxxp://www.google.com/ie_rsearch.html
uURLSearchHooks: Yahoo! ¤u¨ã¦C: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\free download manager\iefdm2.dll
BHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll
TB: Yahoo! ¤u¨ã¦C: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Launch LGDCore] "c:\program files\logitech\gamepanel software\g-series software\LGDCore.exe" /SHOWHIDE
mRun: [Launch LCDMon] "c:\program files\logitech\gamepanel software\lcd manager\LCDMon.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [TaskSwitchXP] c:\program files\taskswitchxp\TaskSwitchXP.exe
dRun: [Free Download Manager] c:\program files\free download manager\fdm.exe -autorun
dRunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll"
dRunOnce: [nlhr] RunDll32.exe %SystemRoot%\System32\AdvPack.Dll,LaunchINFSection %SystemRoot%\inf\nlite.inf,C
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
uPolicies-explorer: NoInstrumentation = 1 (0x1)
uPolicies-system: DisableCAD = 1 (0x1)
mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
mPolicies-explorer: MemCheckBoxInRunDlg = 1 (0x1)
mPolicies-explorer: DisableCAD = 1 (0x1)
mPolicies-system: DisableCAD = 1 (0x1)
dPolicies-explorer: NoInstrumentation = 1 (0x1)
dPolicies-explorer: NoSMHelp = 1 (0x1)
IE: Download all with Free Download Manager - file://c:\program files\free download manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\free download manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\free download manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\free download manager\dllink.htm
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949}
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\t1sxdg5m.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://news.bbc.co.uk/weather/forecast/20?&search=machynlleth&itemsPerPage=10&region=uk&area=Machynlleth
FF - component: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\t1sxdg5m.default\extensions\{f592709f-ff4a-4862-b659-4afabda56312}\components\FFExternalAlert.dll
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJPI150_05.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\np32asw.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npagent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-7-28 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-7-28 72944]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-7-28 7408]
S2 PCLinkBridge;USB-USB Network Bridge;c:\windows\system32\drivers\pro2000.sys --> c:\windows\system32\drivers\pro2000.sys [?]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2009-7-14 36608]
S3 NIC2000;USB-USB Network Bridge Adapter;c:\windows\system32\drivers\nic2000.sys --> c:\windows\system32\drivers\NIC2000.sys [?]
S3 SQTECH930B;Sweex Motion Tracking Webcam;c:\windows\system32\drivers\capt930b.sys --> c:\windows\system32\drivers\Capt930b.sys [?]
S3 UCORESYS;UCORESYS;\??\c:\documents and settings\administrator\desktop\afuwin939nf4g-sata2_1.30\ucoresys.sys --> c:\documents and settings\administrator\desktop\afuwin939nf4g-sata2_1.30\UCORESYS.SYS [?]
S3 Usblink;Usblink Driver;c:\windows\system32\drivers\ulink.sys [2007-6-18 37484]

============== File Associations ===============

inffile=c:\windows\system32\NOTEPAD2.EXE %1
inifile=c:\windows\system32\NOTEPAD2.EXE %1

=============== Created Last 30 ================

2009-08-02 22:14 0 a------- c:\windows\system32\7.tmp
2009-08-02 22:03 40 a------- c:\windows\system32\2.tmp
2009-08-02 21:35 <DIR> --d----- c:\program files\Panda Software
2009-08-02 17:22 <DIR> --d----- c:\windows\ERUNT
2009-08-02 17:17 <DIR> --d----- C:\SDFix
2009-08-02 13:27 504 a------- c:\windows\system32\drivers\kgpcpy.cfg
2009-08-02 13:23 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SITEguard
2009-08-02 13:22 <DIR> --d----- c:\program files\common files\iS3
2009-08-02 13:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\STOPzilla!
2009-08-02 12:50 <DIR> --d----- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-08-02 12:50 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-02 12:50 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-02 12:50 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-02 12:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-01 23:55 0 a------- c:\windows\SC.INS
2009-08-01 23:55 360,576 a------- c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL
2009-08-01 23:16 8,256 a------- c:\windows\n
2009-08-01 22:42 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-08-01 22:42 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-08-01 22:42 <DIR> --d----- c:\docume~1\admini~1\applic~1\SUPERAntiSpyware.com
2009-08-01 22:35 <DIR> --d----- c:\docume~1\admini~1\applic~1\Uniblue
2009-08-01 22:23 <DIR> --d----- c:\docume~1\admini~1\applic~1\AVG8
2009-07-30 20:33 <DIR> --d----- c:\program files\NCH Software
2009-07-30 20:32 <DIR> --d----- c:\program files\NCH Swift Sound
2009-07-24 02:57 41,872 a------- c:\windows\system32\xfcodec.dll
2009-07-14 17:43 109,704 a------- c:\windows\system32\drivers\ss_mdm.sys
2009-07-14 17:43 83,592 a------- c:\windows\system32\drivers\ss_bus.sys
2009-07-14 17:43 15,112 a------- c:\windows\system32\drivers\ss_mdfl.sys
2009-07-14 17:43 12,424 a------- c:\windows\system32\drivers\ss_whnt.sys
2009-07-14 17:43 12,424 a------- c:\windows\system32\drivers\ss_wh.sys
2009-07-14 17:43 12,424 a------- c:\windows\system32\drivers\ss_cmnt.sys
2009-07-14 17:43 12,424 a------- c:\windows\system32\drivers\ss_cm.sys
2009-07-14 17:43 <DIR> --d----- c:\windows\system32\Samsung_USB_Drivers
2009-07-14 17:42 253,952 a------- c:\windows\system32\FsUsbExService.Exe
2009-07-14 17:42 110,592 a------- c:\windows\system32\FsUsbExDevice.Dll
2009-07-14 17:42 36,608 a------- c:\windows\system32\FsUsbExDisk.Sys
2009-07-14 17:42 <DIR> --d----- c:\docume~1\admini~1\applic~1\Samsung
2009-07-14 17:42 <DIR> --d----- c:\program files\Samsung
2009-07-13 16:38 <DIR> --d----- c:\program files\Atari
2009-07-09 22:21 1,206,272 a------- c:\windows\system32\PTxSCP.ocx
2009-07-09 22:21 647,168 a------- c:\windows\system32\CDWriterXP.ocx
2009-07-09 22:21 626,688 a------- c:\windows\system32\DVDProX2.dll
2009-07-09 22:21 608,448 a------- c:\windows\system32\comctl32.ocx
2009-07-09 22:21 415,176 a------- c:\windows\system32\COMCT332.OCX
2009-07-09 22:21 380,928 a------- c:\windows\system32\CDRipperX.ocx
2009-07-09 22:21 339,968 a------- c:\windows\system32\MP3EncX.dll
2009-07-09 22:21 233,472 a------- c:\windows\system32\SmartMenuXP.ocx
2009-07-09 22:21 139,264 a------- c:\windows\system32\voltoCDX.dll
2009-07-09 22:21 89,360 a------- c:\windows\system32\VB5DB.DLL
2009-07-09 22:21 40,960 a------- c:\windows\system32\CapacityMeter.ocx
2009-07-09 22:21 28,672 a------- c:\windows\system32\SmartMenuXP.dll

==================== Find3M ====================

2009-08-01 23:55 360,576 a------- c:\windows\system32\drivers\TCPIP.SYS
2009-08-01 22:07 420,352 a------- c:\windows\system32\mstsc.exe
2009-06-02 20:42 103,736 a------- c:\windows\system32\PnkBstrB.exe
2009-06-02 20:37 66,872 a------- c:\windows\system32\PnkBstrA.exe
2009-06-02 20:33 22,328 a------- c:\docume~1\admini~1\applic~1\PnkBstrK.sys

============= FINISH: 23:10:30.67 ===============

#2 - 3rd August 2009 - broni (Malware Analyst; Daly City, CA; Join Date: Aug 2002; Posts: 6,771; Computer Experience: intermediate)

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have ComboFix, this is a new version that I need you to download. It is important that it is saved directly to your desktop.**
  1. Please, never rename ComboFix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all-inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: ComboFix will disconnect your machine from the Internet as soon as it starts.
    • Please do not attempt to re-connect your machine to the Internet until ComboFix has completely finished.
    • If there is no Internet connection after running ComboFix, then restart your computer to restore your connection.
  4. Double-click on combofix.exe and follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.**

Make sure you re-enable your security programs when you're done with ComboFix.

#3 - 3rd August 2009 - Wellies


ComboFix won't run; it reports that it has been compromised and that I have the patching virus "Virut"???

HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:47:58, on 03/08/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\windows\Explorer.EXE
C:\windows\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\windows\system32\svchost.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\windows\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\windows\system32\ms18_word.exe
C:\windows\System32\svchost.exe
C:\windows\System32\reader_s.exe
C:\windows\System32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/c...o/bt_side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/c...rch.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://track.moreniche.com/hit.php?w=155970&s=147
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.clientapps.yahoo.com/c...rch.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/c...o/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/c...rch.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ngohq.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/c...rch.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [ms18_word] C:\windows\system32\ms18_word.exe
O4 - HKLM\..\Run: [reader_s] C:\windows\System32\reader_s.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\windows\system32\shdocvw.dll
O9 - Extra button: WH GBP Casino - {37236812-C1A2-4529-A9CE-CFE04E3DF08A} - http://www.williamhillcasino.com (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: WH GBP Casino - {37236812-C1A2-4529-A9CE-CFE04E3DF08A} - http://www.williamhillcasino.com (file missing) (HKCU)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 6958 bytes


Last edited by Wellies; 3rd August 2009 at 10:54.
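As an added example (written for this page; it is not a tool used by either poster and not part of the thread), here is a small Python triage script for HijackThis O4 autostart lines like the ones in the log above. It parses each line into hive, key, entry name and command, then flags two things an analyst reading such a log looks at first: executables launched from the Windows directory that are not on a baseline list, and RunOnce entries that use a command shell to rewrite files under System32. The baseline set and the value assumed for %SystemRoot% are constructed assumptions for this example; the sample lines are copied in shape from the log above. Flagged entries are candidates for review, not verdicts: a RunOnce that moves a DLL into System32 can just as well be an installer leftover as malware.

```python
import re

# A HijackThis "O4" line: hive, Run/RunOnce key, [entry name], command line and the
# optional "(User '...')" suffix HJT appends for entries under other users' hives.
O4_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run(?:Once)?): "
    r"\[(?P<name>[^\]]+)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)

# Assumption for this example: Windows-directory binaries that are expected in
# Run keys on an XP machine. A real baseline would be built from a clean install.
KNOWN_WINDOWS_BINARIES = {"ctfmon.exe", "rundll32.exe"}

# Assumption: the value of %SystemRoot% (the log itself does not state it).
SYSTEM_ROOT = r"C:\WINDOWS"

# Constructed sample lines, copied in shape from the HijackThis log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [ms18_word] C:\windows\system32\ms18_word.exe
O4 - HKLM\..\Run: [reader_s] C:\windows\System32\reader_s.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
"""


def program_of(cmd):
    """Return the program part of a Run-key command line, quoted or bare."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def parse_o4(line):
    """Parse one O4 line into a dict, or return None for any other line."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    exe = program_of(entry["cmd"])
    # Expand %SystemRoot% case-insensitively; the lambda keeps re.sub from
    # interpreting the backslashes in the replacement text.
    entry["exe"] = re.sub(r"%systemroot%", lambda _: SYSTEM_ROOT, exe, flags=re.I)
    return entry


def in_windows_dir(path):
    """True when the program lives anywhere under the assumed Windows directory."""
    return path.lower().startswith(SYSTEM_ROOT.lower() + "\\")


def triage(lines):
    """Return the entries worth a closer look, each with the reasons it was flagged."""
    findings = []
    for line in lines:
        entry = parse_o4(line)
        if entry is None:
            continue
        exe = entry["exe"]
        base = exe.rsplit("\\", 1)[-1].lower()
        reasons = []
        if in_windows_dir(exe) and base not in KNOWN_WINDOWS_BINARIES:
            reasons.append("unlisted executable started from the Windows directory")
        if base == "cmd.exe" and "system32" in entry["cmd"].lower():
            reasons.append("command shell rewriting files under System32 (may be an installer leftover)")
        if reasons:
            findings.append({"name": entry["name"], "key": entry["key"],
                             "hive": entry["hive"], "exe": exe, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"{f['hive']}\\..\\{f['key']} [{f['name']}] {f['exe']}: {'; '.join(f['reasons'])}")
```

Run over the sample, the script reports the two unlisted System32 executables and the nlsf RunOnce entry; everything else (NVIDIA, Logitech, SUPERAntiSpyware, ctfmon) passes. Feeding it a whole log rather than the sample only requires replacing SAMPLE_LOG with the file's lines, since non-O4 lines are ignored.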
#4 - 3rd August 2009 - broni

Quote:
reports that it has been compromised and i have the patching virus " virut "
Oh boy...

Upload the following files to http://www.virustotal.com/ for a security check:
- explorer.exe located @ C:\Windows
- userinit.exe and svchost.exe located @ C:\Windows\System32
Post the scan results.

Old 3rd August 2009   #5
Wellies (Member)
Join Date: Aug 2009
Posts: 4
Computer Experience: beginner

Quote:
Originally Posted by broni
Oh boy...
Yup... Going to reinstall, I think; it seems to be working on its own at the moment, lol. Thanks guys, your site helped me loads with working out what's up.

Old 3rd August 2009   #6
broni (Malware Analyst)
Join Date: Aug 2002
Location: Daly City, CA
Posts: 6,771
Computer Experience: intermediate

Did you scan those files?
Old 3rd August 2009   #7
Wellies (Member)
Join Date: Aug 2009
Posts: 4
Computer Experience: beginner

Can't access that webpage, and I'm not taking them over to my other PC. So what do I do now?

Also, scanning with SUPERAntiSpyware reboots my PC... lol, what on earth is going on here!!!


Last edited by Wellies; 3rd August 2009 at 23:23.
Old 4th August 2009   #8
broni (Malware Analyst)
Join Date: Aug 2002
Location: Daly City, CA
Posts: 6,771
Computer Experience: intermediate

Well, don't worry about other scans, because if you're infected with Virut, the game is over.
The only thing I need to know is if this IS Virut.
Seeing this entry:
- O4 - HKLM\..\Run: [reader_s] C:\windows\System32\reader_s.exe
I'm 99.9% sure it's Virut.
That said, I can only say I'm 99.9% sure...

You are infected with a polymorphic file infector. This infection can and will infect all the machine's executable files (.exe, .scr, .rar, .zip, .htm, .html). Because there are a number of bugs in its code, it may create executable files that are corrupted beyond repair, resulting in an inoperative machine.

Malware experts say that a Complete Reformat and Reinstall is the only way to clean the infection. This includes All Drives that contain .exe, .scr, .rar, .zip, .htm, .html files.

* Back up all your documents and important items only.
* DO NOT back up any executable files (.exe, .scr, .html or .htm).
* Do NOT back up compressed files (zip/cab/rar) that may contain .exe or .scr files.


I suggest you do the following immediately:

* Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
* From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.
* DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

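The "documents only" backup rule above, as an added example that is not part of the thread: a Python planner that walks a folder and decides, per broni's rules, which files may be copied off the infected machine. Assumptions: rar/cab archives cannot be opened with the standard library, so they are skipped outright; zip archives are opened and skipped if any member is an executable, a web page or a nested archive; the sample profile it builds in a temp directory is constructed.

```python
# Documents-only backup planner applying the thread's rules for a Virut-infected
# machine. Added example, not from the thread; the sample profile is constructed.
import os
import tempfile
import zipfile

INFECTABLE = {".exe", ".scr", ".htm", ".html"}  # types the thread says Virut infects
OPAQUE = {".rar", ".cab"}                        # cannot inspect with stdlib: never copy

def ext_of(name):
    return os.path.splitext(name)[1].lower()

def classify(path):
    """'keep', 'skip-infectable' or 'skip-archive' for one file on disk."""
    ext = ext_of(path)
    if ext in INFECTABLE:
        return "skip-infectable"
    if ext in OPAQUE:
        return "skip-archive"
    if ext == ".zip":
        try:
            with zipfile.ZipFile(path) as zf:
                members = zf.namelist()
        except zipfile.BadZipFile:
            return "skip-archive"  # unreadable archive: do not trust it
        if any(ext_of(m) in INFECTABLE | OPAQUE | {".zip"} for m in members):  # nested zip = risky
            return "skip-archive"
    return "keep"

def plan_backup(root):
    """Map each file under root (relative, '/'-separated) to its backup decision."""
    plan = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            plan[os.path.relpath(full, root).replace(os.sep, "/")] = classify(full)
    return plan

def demo():
    """Build a constructed sample profile in a temp dir and plan its backup."""
    docs = os.path.join(tempfile.mkdtemp(), "My Documents")
    os.makedirs(docs)
    for name, data in (("letter.doc", b"fake doc"), ("setup.exe", b"MZ"),
                       ("page.html", b"<html></html>"), ("old.rar", b"Rar!")):
        with open(os.path.join(docs, name), "wb") as f:
            f.write(data)
    with zipfile.ZipFile(os.path.join(docs, "photos.zip"), "w") as zf:
        zf.writestr("holiday.jpg", b"\xff\xd8")  # only an image inside: keep
    with zipfile.ZipFile(os.path.join(docs, "tools.zip"), "w") as zf:
        zf.writestr("readme.txt", "x")
        zf.writestr("helper.scr", b"MZ")         # a .scr is a PE: skip the whole zip
    return plan_backup(os.path.dirname(docs))
```

Running demo() keeps letter.doc and photos.zip and skips setup.exe, page.html, old.rar and tools.zip.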


