
[Solved] Difficult, very deep virus infection on legitimate Win 7

Discussion in 'Virus and Malware Removal' started by Lokalaskurar, Apr 10, 2011.

Thread Status:
Not open for further replies.
  1. Lokalaskurar Newcomer, in training

    I cannot update Java right now - I currently only have a USB-modem access which does not work on the virus-infected PC for some reason... it used to before the infection.

    Downloading Java on a USB-stick and trying to update it remotely also fails, due to: "Cannot update your Java version due to current Internet-settings."

    Ordinary Wi-Fi Internet-access for this computer will be accessible on Sunday, I will retry then.
  2. Broni Malware Annihilator

    OK. Let me know....
  3. Lokalaskurar Newcomer, in training

    Right, Internet-access back online.

    Visited Java.com, did NOT have the recommended Java version.
    Downloaded latest Java version.

    Installed successfully.

    Unzipped JavaRa to a separate folder (on the desktop).
    Ran JavaRa as administrator.

    Removed older versions successfully, log was generated, not posting it as you did not request it.

    Ran OTL, pasted custom scan/fix, ran OTL.
    OTL ran successfully, prompted to reboot - rebooted PC.

    Log appeared, OTL log:
    (
    All processes killed
    ========== OTL ==========
    Registry value HKEY_USERS\S-1-5-21-2380782889-1397881930-1277805853-1000\Software\Microsoft\Internet Explorer\URLSearchHooks\\{32b29df0-2237-4370-9a29-37cebb730e9b} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{32b29df0-2237-4370-9a29-37cebb730e9b}\ not found.
    Registry value HKEY_USERS\S-1-5-21-2380782889-1397881930-1277805853-1000\Software\Microsoft\Internet Explorer\URLSearchHooks\\{51a86bb3-6602-4c85-92a5-130ee4864f13} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{51a86bb3-6602-4c85-92a5-130ee4864f13}\ not found.
    Registry value HKEY_USERS\S-1-5-21-2380782889-1397881930-1277805853-1000\Software\Microsoft\Internet Explorer\URLSearchHooks\\{c44f9e21-d93f-490c-b41c-b3548bdd19fc} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c44f9e21-d93f-490c-b41c-b3548bdd19fc}\ not found.
    64bit-Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
    Registry value HKEY_USERS\S-1-5-21-2380782889-1397881930-1277805853-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{32B29DF0-2237-4370-9A29-37CEBB730E9B} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{32B29DF0-2237-4370-9A29-37CEBB730E9B}\ not found.
    Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\\W5E7SH31DG deleted successfully.
    Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\W5E7SH31DG not found.
    Registry value HKEY_USERS\S-1-5-21-2380782889-1397881930-1277805853-1000\Software\Microsoft\Windows\CurrentVersion\Run\\RESTART_STICKY_NOTES deleted successfully.
    Registry value HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\RunOnce\\mctadmin deleted successfully.
    Registry value HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\RunOnce\\mctadmin deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2670000A-7350-4f3c-8081-5663EE0C6C49}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2670000A-7350-4f3c-8081-5663EE0C6C49}\ not found.
    64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\http\0x00000001\ deleted successfully.
    64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E1D2BF42-A96B-11d1-9C6B-0000F875AC61}\ not found.
    File {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found not found.
    64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\https\0x00000001\ deleted successfully.
    64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E1D2BF42-A96B-11d1-9C6B-0000F875AC61}\ not found.
    File {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found not found.
    64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\msdaipp\0x00000001\ deleted successfully.
    64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E1D2BF42-A96B-11d1-9C6B-0000F875AC61}\ not found.
    File {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found not found.
    64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avldr\ deleted successfully.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0a1de0d6-52d6-11e0-8dc5-00266c76e510}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0a1de0d6-52d6-11e0-8dc5-00266c76e510}\ not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0a1de0d6-52d6-11e0-8dc5-00266c76e510}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0a1de0d6-52d6-11e0-8dc5-00266c76e510}\ not found.
    File F:\LaunchU3.exe -a not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4e1f1cf2-190a-11e0-92a9-00266c76e510}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4e1f1cf2-190a-11e0-92a9-00266c76e510}\ not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4e1f1cf2-190a-11e0-92a9-00266c76e510}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4e1f1cf2-190a-11e0-92a9-00266c76e510}\ not found.
    H:\LaunchU3.exe moved successfully.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{65d5bcb8-152e-11e0-8941-00266c76e510}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{65d5bcb8-152e-11e0-8941-00266c76e510}\ not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{65d5bcb8-152e-11e0-8941-00266c76e510}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{65d5bcb8-152e-11e0-8941-00266c76e510}\ not found.
    File F:\AutoRun.exe not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{dd78c48f-f4a6-11df-a528-00266c76e510}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{dd78c48f-f4a6-11df-a528-00266c76e510}\ not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{dd78c48f-f4a6-11df-a528-00266c76e510}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{dd78c48f-f4a6-11df-a528-00266c76e510}\ not found.
    File G:\AutoRun.exe not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{dd78c4a2-f4a6-11df-a528-00266c76e510}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{dd78c4a2-f4a6-11df-a528-00266c76e510}\ not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{dd78c4a2-f4a6-11df-a528-00266c76e510}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{dd78c4a2-f4a6-11df-a528-00266c76e510}\ not found.
    File F:\AutoRun.exe not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{dd78c4be-f4a6-11df-a528-00266c76e510}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{dd78c4be-f4a6-11df-a528-00266c76e510}\ not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{dd78c4be-f4a6-11df-a528-00266c76e510}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{dd78c4be-f4a6-11df-a528-00266c76e510}\ not found.
    File F:\AutoRun.exe not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{dd78c4f3-f4a6-11df-a528-00266c76e510}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{dd78c4f3-f4a6-11df-a528-00266c76e510}\ not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{dd78c4f3-f4a6-11df-a528-00266c76e510}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{dd78c4f3-f4a6-11df-a528-00266c76e510}\ not found.
    File F:\AutoRun.exe not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f8517df7-5c89-11e0-9644-00266c76e510}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f8517df7-5c89-11e0-9644-00266c76e510}\ not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f8517df7-5c89-11e0-9644-00266c76e510}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f8517df7-5c89-11e0-9644-00266c76e510}\ not found.
    File F:\AutoRun.exe not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f8517e09-5c89-11e0-9644-00266c76e510}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f8517e09-5c89-11e0-9644-00266c76e510}\ not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f8517e09-5c89-11e0-9644-00266c76e510}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f8517e09-5c89-11e0-9644-00266c76e510}\ not found.
    File F:\AutoRun.exe not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f8517e16-5c89-11e0-9644-00266c76e510}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f8517e16-5c89-11e0-9644-00266c76e510}\ not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f8517e16-5c89-11e0-9644-00266c76e510}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f8517e16-5c89-11e0-9644-00266c76e510}\ not found.
    File F:\AutoRun.exe not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f8517e30-5c89-11e0-9644-00266c76e510}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f8517e30-5c89-11e0-9644-00266c76e510}\ not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f8517e30-5c89-11e0-9644-00266c76e510}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f8517e30-5c89-11e0-9644-00266c76e510}\ not found.
    File F:\AutoRun.exe not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F\ deleted successfully.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F\ not found.
    File F:\AutoRun.exe not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\H\ deleted successfully.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\H\ not found.
    File H:\LaunchU3.exe -a not found.
    File/Folder C:\Windows\SysWow64\*.tmp not found.
    File move failed. C:\Windows\Tasks\bdlfhyt.job scheduled to be moved on reboot.
    Folder C:\Users\CENSORED\AppData\Roaming\Panda Security\ not found.
    ADS C:\ProgramData\Microsoft:zhjHYV3MiNCERxvzx0eQePC7Jui7 deleted successfully.
    ADS C:\ProgramData\TEMP:9D1B94FD deleted successfully.
    ADS C:\ProgramData\TEMP:888AFB86 deleted successfully.
    ADS C:\Program Files (x86)\Common Files\microsoft shared:zBSDMHK5n0l2g3dkhshJ5q deleted successfully.
    ADS C:\ProgramData\TEMP:C4F92751 deleted successfully.
    ADS C:\ProgramData\Microsoft:jhBfLMSgddifzzzMb2 deleted successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: CENSORED
    ->Temp folder emptied: 13182449 bytes
    ->Temporary Internet Files folder emptied: 240443 bytes
    ->Java cache emptied: 2027 bytes
    ->Opera cache emptied: 27995080 bytes
    ->Flash cache emptied: 1353 bytes

    User: Public

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32 (64bit) .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 2956071 bytes
    %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 1424125816 bytes

    Total Files Cleaned = 1 401,00 mb


    [EMPTYFLASH]

    User: All Users

    User: Default
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Flash cache emptied: 0 bytes

    User: CENSORED
    ->Flash cache emptied: 0 bytes

    User: Public

    Total Flash Files Cleaned = 0,00 mb


    OTL by OldTimer - Version 3.2.22.3 log created on 04262011_222739

    Files\Folders moved on Reboot...
    File move failed. C:\Windows\Tasks\bdlfhyt.job scheduled to be moved on reboot.
    C:\Users\CENSORED\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
    File\Folder C:\Windows\temp\klsC12E.tmp not found!

    Registry entries deleted on Reboot...

    )
  4. Broni Malware Annihilator

    How is computer doing at the moment?

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE SecurityCheck may produce some false warning(s), so leave the results reading to me.


    2. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.


    3. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • IMPORTANT! UN-check Remove found threats
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push List of found threats
    • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE. If Eset won't find any threats, it won't produce any log.
  5. Lokalaskurar Newcomer, in training

    The BSOD's have completely disappeared.

    Generic Windows programs like the connection diagnostics, Windows Security Centre and Windows Defender do not work (they do not start/respond).

    Although some programs/functions like the "Activity Handler" (Ctrl+Alt+Delete) do work.

    Programs relying on generic Windows programs do not work either, like the connection manager we use for the USB modem (which relies on the Windows dial-up function/program to work).

    In a nutshell, so to speak.

    Oh, and the Fn-button stopped working ever since the first BSOD.


    Downloaded and ran SecurityCheck.exe
    (
    SecurityCheck report:
    Results of screen317's Security Check version 0.99.7
    Windows 7 (UAC is disabled!) Please note that having it turned on is a real pain in our backside...
    Internet Explorer 8
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Security Center service is not running! This report may not be accurate!
    Kaspersky Anti-Virus 2011
    Panda Antivirus Pro 2011 This is funny, since we tried to uninstall Panda when the PC went BSOD during the uninstall process.
    WMI entry may not exist for antivirus; attempting automatic update.
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Malwarebytes' Anti-Malware
    Java(TM) 6 Update 24
    Out of date Java installed!
    Adobe Flash Player 10.2.152.32
    Adobe Reader 9.4.3 - Svenska
    Out of date Adobe Reader installed!
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    Kaspersky Lab Kaspersky Anti-Virus 2011 avp.exe
    ``````````End of Log````````````
    )

    Downloaded and ran TFC.exe
    It did its job. Rebooted.

    Accessed eset.com/onlinescan.
    (If I would have followed the checklist step-by-step, then things might have been strange, as "Click Start" appears twice)
    Ran the online scanner in Internet Explorer 9.
    Had to 'Install ActiveX Add-On: Online Scanner' - chose to install.
    Un-checked 'Remove found threats', checked 'Scan archives', clicked 'Start'.

    ESET ran for about 3 hours.
    ESETScan:
    (
    C:\Users\CENSORED\AppData\Local\Opera\Opera\temporary_downloads\Steam Cracked Build 06.10.09.rar a variant of Win32/TrojanDownloader.VB.OZA trojan
    C:\Windows\$XNTUninstall643$\xgoir.dll probably a variant of Win32/BHO.EHIZGPZ trojan
    )
  6. Broni Malware Annihilator

    As for Panda....probably some registry leftovers.
    Let's try to remove a couple of entries I can see.

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      
      :Services
      
      :Reg
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
      "{8F66842A-B63E-4B86-85F5-F9D37A3BDC10}" =-
      "{E9637CBC-A784-4E9E-973C-47D05868B7FD}" =-
      
      :Files
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    ===================================================================

    Is the word "Censored" here for real, or is it some bad word, which was replaced by this forum tool:
    C:\Users\CENSORED\AppData\Roaming\Panda Security
    In any case, remove "Panda Security" folder manually, from the above location (if still exists).

    =====================================================================

    1. Update your Java version here: http://www.java.com/en/download/installed.jsp

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    2. Now, we need to remove old Java version and its remnants...

    Download JavaRa to your desktop and unzip it to its own folder
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.

    ====================================================================

    Update Adobe Reader

    You can download it from http://www.adobe.com/products/acrobat/readstep2.html
    After installing the latest Adobe Reader, uninstall all previous versions.
    Note. If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

    Alternatively, you can uninstall Adobe Reader (33.5 MB), download and install Foxit PDF Reader(3.5MB) from HERE.
    It's a much smaller file to download and uses a lot less resources than Adobe Reader.
    Note: When installing FoxitReader, make sure to UN-check any pre-checked toolbar, or any other garbage.

    =======================================================================

    Post new Security check log, when done.
  7. Lokalaskurar Newcomer, in training

    Sorry for the delay, my PC has been a bit iffy lately.

    See this: ;)
    http://www.techspot.com/vb/topic164636.html

    Note that this is not the post infected PC, this is the PC which we use to access TechSpot. So, let's get back to business:


    Ran OTL, pasted code into 'custom scans/fixes'.
    OTL did its job, PC rebooted.

    OTL log:
    (
    All processes killed
    ========== OTL ==========
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\\{8F66842A-B63E-4B86-85F5-F9D37A3BDC10} not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8F66842A-B63E-4B86-85F5-F9D37A3BDC10}\ not found.
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\\{E9637CBC-A784-4E9E-973C-47D05868B7FD} not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E9637CBC-A784-4E9E-973C-47D05868B7FD}\ not found.
    ========== FILES ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: CENSORED
    ->Temp folder emptied: 5691874 bytes
    ->Temporary Internet Files folder emptied: 9399616 bytes
    ->Java cache emptied: 2027 bytes
    ->Opera cache emptied: 53729324 bytes
    ->Flash cache emptied: 1412 bytes

    User: Public

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32 (64bit) .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 192912 bytes
    %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 3241745880 bytes

    Total Files Cleaned = 3*157,00 mb


    [EMPTYFLASH]

    User: All Users

    User: Default
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Flash cache emptied: 0 bytes

    User: CENSORED
    ->Flash cache emptied: 0 bytes

    User: Public

    Total Flash Files Cleaned = 0,00 mb


    OTL by OldTimer - Version 3.2.22.3 log created on 05062011_074208

    Files\Folders moved on Reboot...
    C:\Users\CENSORED\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
    File\Folder C:\Windows\temp\kls8A9C.tmp not found!

    Registry entries deleted on Reboot...

    )

    ============

    The word CENSORED is an alibi, yes. My brother was very keen that his name should not appear on sites he doesn't visit regularly.
    Just treat it like it's his name. ;)

    Removed Panda security folder.
    (Success.)

    ============

    Successfully updated Java to the latest version.
    Ran JavaRa, removed older versions successfully.

    Successfully updated Adobe Reader to the latest version.


    Alright, Doc. Broni; what's our next move?
  8. Broni Malware Annihilator

    Since I don't know what the replacement for the word "Censored" is, remove these two items manually:
    - C:\Users\CENSORED\AppData\Local\Opera\Opera\temporary_downloads\Steam Cracked Build 06.10.09.rar
    - C:\Windows\$XNTUninstall643$\xgoir.dll

    ===================================================================

    Your computer is clean

    1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point, using the following OTL script:

    Run OTL

    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    Code:
    :OTL
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [CLEARALLRESTOREPOINTS]
    [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post resulting log.

    2. Now, we'll remove all the tools we used during our cleaning process

    Clean up with OTL:

    • Double-click OTL.exe to start the program.
    • Close all other programs apart from OTL as this step will require a reboot
    • On the OTL main screen, press the CLEANUP button
    • Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    3. Make sure, Windows Updates are current.

    4. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

    5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

    7. Run Temporary File Cleaner (TFC) weekly.

    8. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

    9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    10. Run defrag at your convenience.

    11. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    12. Please, let me know, how your computer is doing.
  9. Lokalaskurar Newcomer, in training

    I'll just keep this post clean and simple, then ;)

    The first file was removed without a hitch. But the .dll-file did not respond - explorer.exe crashed (locked up for 5 min at first) when 'del' was pressed!

    So I simply removed xgoir.dll using CMD, done and done!

    ================

    Ran OTL, don't know if it was successful though.
    OTL log:
    (
    All processes killed
    ========== OTL ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: CENSORED
    ->Temp folder emptied: 3932160 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Java cache emptied: 0 bytes
    ->Opera cache emptied: 539287 bytes
    ->Flash cache emptied: 611 bytes

    User: Public

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32 (64bit) .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 479240 bytes
    %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 2359350 bytes

    Total Files Cleaned = 7,00 mb


    [EMPTYFLASH]

    User: All Users

    User: Default
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Flash cache emptied: 0 bytes

    User: CENSORED
    ->Flash cache emptied: 0 bytes

    User: Public

    Total Flash Files Cleaned = 0,00 mb

    Error creating restore point.

    OTL by OldTimer - Version 3.2.22.3 log created on 05072011_094803

    Files\Folders moved on Reboot...
    C:\Users\CENSORED\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
    File\Folder C:\Windows\temp\kls8DA9.tmp not found!

    Registry entries deleted on Reboot...

    )

    Steps 3-11 completed.

    How the PC is doing:
    Also,
    Windows Update does not work either. It simply produces an error when trying to update; "There has been an internal error in Windows update!"

    Kaspersky's autorun does not work either - we have to manually start it at every bootup. I think it may be related to the "Generic Windows program no-go".
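The OTL fix logs posted above (in reply 3 and again in reply 9) mix four very different outcomes in one flat list: entries actually deleted, entries that were already gone ("not found"), a file move that had to be deferred to reboot, and, in the last log, "Error creating restore point." The parser below is an added example written for this thread; it is not part of OTL or of the posts. It classifies lines of that shape, lists the deleted registry entries that sat in autostart locations (Run/RunOnce, Winlogon\Notify, URLSearchHooks, Explorer\MountPoints2), and separates out the items that still need a follow-up check. The log text is a constructed sample assembled from line shapes in the posted logs, not a real log file, and the autostart-location list is this example's own assumption.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the shape of the OTL fix logs posted in this thread.
# Not a real log file: a handful of line shapes taken from those posts.
SAMPLE_LOG = r"""All processes killed
========== OTL ==========
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\\W5E7SH31DG deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2670000A-7350-4f3c-8081-5663EE0C6C49}\ not found.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avldr\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F\ deleted successfully.
File F:\AutoRun.exe not found.
H:\LaunchU3.exe moved successfully.
File move failed. C:\Windows\Tasks\bdlfhyt.job scheduled to be moved on reboot.
ADS C:\ProgramData\TEMP:9D1B94FD deleted successfully.
========== COMMANDS ==========
Error creating restore point.
File\Folder C:\Windows\temp\kls8DA9.tmp not found!
OTL by OldTimer - Version 3.2.22.3 log created on 05072011_094803
"""


@dataclass(frozen=True)
class Entry:
    kind: str   # registry_deleted, registry_missing, file_moved, file_missing,
                # file_move_deferred, ads_deleted or error
    path: str   # registry path, file path or stream name; "" for a bare error line
    raw: str    # the original log line


REG_RE = re.compile(
    r"^(?:64bit-)?Registry (?:key|value) (?P<path>.+?) "
    r"(?P<result>deleted successfully|not found)\.$")
ADS_RE = re.compile(r"^ADS (?P<path>.+?) deleted successfully\.$")
MOVE_FAIL_RE = re.compile(
    r"^File move failed\. (?P<path>.+?) scheduled to be moved on reboot\.$")
FILE_RE = re.compile(
    r"^(?:File(?:/Folder|\\Folder)? )?(?P<path>[A-Z]:\\.+?) "
    r"(?P<result>moved successfully|not found)[.!]$")
ERROR_RE = re.compile(r"^Error\b")

# Autostart / persistence locations this example (an assumption of the example,
# not OTL's own classification) reports separately: per-user Run/RunOnce keys,
# Winlogon notification packages, IE URL search hooks and Explorer's
# per-volume MountPoints2 cache, which is where removable-media autorun settings live.
PERSISTENCE_RE = re.compile(
    r"\\CurrentVersion\\Run(?:Once)?\\|Winlogon\\Notify\\|URLSearchHooks\\|"
    r"Explorer\\MountPoints2\\",
    re.IGNORECASE,
)


def classify_line(line):
    """Map one OTL log line to an Entry, or None for headers and other noise."""
    line = line.strip()
    if not line:
        return None
    m = REG_RE.match(line)
    if m:
        kind = "registry_deleted" if m["result"] == "deleted successfully" else "registry_missing"
        return Entry(kind, m["path"], line)
    m = ADS_RE.match(line)
    if m:
        return Entry("ads_deleted", m["path"], line)
    m = MOVE_FAIL_RE.match(line)
    if m:
        return Entry("file_move_deferred", m["path"], line)
    m = FILE_RE.match(line)
    if m:
        kind = "file_moved" if m["result"] == "moved successfully" else "file_missing"
        return Entry(kind, m["path"], line)
    if ERROR_RE.match(line):
        return Entry("error", "", line)
    return None  # section headers, "All processes killed", version stamp, byte totals


def parse_otl_log(text):
    return [e for e in (classify_line(l) for l in text.splitlines()) if e is not None]


def summarize(entries):
    """Counts per outcome kind, so 'not found' no-ops are not mistaken for removals."""
    return dict(Counter(e.kind for e in entries))


def persistence_removed(entries):
    """Deleted registry entries that lived in an autostart location."""
    return [e.path for e in entries
            if e.kind == "registry_deleted" and PERSISTENCE_RE.search(e.path)]


def needs_followup(entries):
    """Work the fix did not finish: deferred moves and explicit error lines."""
    return [e.raw for e in entries if e.kind in ("file_move_deferred", "error")]


if __name__ == "__main__":
    found = parse_otl_log(SAMPLE_LOG)
    print("summary:", summarize(found))
    print("autostart entries removed:", *persistence_removed(found), sep="\n  ")
    print("needs follow-up:", *needs_followup(found), sep="\n  ")
```

Run it on a saved OTL log instead of the sample by reading the file into `parse_otl_log`. The follow-up list is the part worth reading first after a fix: a deferred move means the file was still locked when OTL ran, and an error line such as the restore-point failure in the last log means one of the requested commands did not take effect, which is exactly the kind of detail a flat "deleted successfully" list hides.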
  10. Broni Malware Annihilator

    Well, at this point....

    In this forum, we make sure, your computer is free of malware and your computer is clean :)
    Because access to the malware forum is very limited, your best option is to create a new topic about your current issue in the Windows section.
    You'll get more attention.

    I'd probably suggest Windows repair installation. It looks like some system files are messed up.
  11. Lokalaskurar Newcomer, in training

    Sure! I'll go into the Windows-section.

    We thank you with our greatest of gratitude!

    There is no telling what would've happened should we not have come here looking for help. All in all, we do contribute to a better world, a world without poverty, war and malware. And for that, we both thank you a lot for taking your time.

    :grinthumb :D
  12. Broni Malware Annihilator

    You're very welcome