[Not curable - Virut] Need serious help

Status
Not open for further replies.

domino23

I used this thread . . . https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/ to try by myself, but I keep running into constant problems.

Long story short, I knew I was infected when the speed of my comp slowed down, so I found this and started at step one. I even skipped around a little because I started without the internet working correctly, so I ran Malwarebytes and AVG. Found many infections and disinfected them.

So I come back and I get to step 3... My computer will not let me update for ****. Autoupdates... I tried that and it won't respond. I went and downloaded SP3 because I never got it and my regedit won't work anymore, so I figured that would help... but when I tried THAT it stops midway and says it's missing "VBC.EXE".

Please help, I don't know what else to do!
 
Please, complete all steps you can and post all logs you can.
Don't worry about SP3 for now.
 
Yes, but major updates like service packs should be installed only on clean computers.
We clean your computer first, then you'll be free to install SP3.
 
Ok man, I skipped down to step 5 (GMER), downloaded the program and then when I click it I get the message "windows cannot access the specified device, path or file." so no log for that... moving on to the next step.
 
The reason I skipped the Malwarebytes step again is because I already did that before all of this and it takes a long *** time to scan... do you think I should do it again for the log?
 
and here's the DDS scan

DDS (Ver_10-03-17.01) - NTFSx86
Run by D at 16:34:08.32 on Sun 12/05/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_20
AV: AVG Internet Security *On-access scanning enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}

============== Running Processes ===============


============== Pseudo HJT Report ===============

mDefault_Search_URL = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101757&gct=&gc=1&q=
uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101757&gct=&gc=1&q=%s
uURLSearchHooks: DefaultSearchHook Class: {c94e154b-1459-4a47-966b-4b843befc7db} - c:\program files\asksearch\bin\DefaultSearch.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
mRun: [M-Audio Taskbar Icon] c:\windows\system32\DeltaIITray.exe
mRun: [DeltaIITaskbarApp] c:\windows\system32\DeltaIITray.exe
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\d\startm~1\programs\startup\limewi~1.lnk - d:\program files\limewire\LimeWire.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1291610191595
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\d\applic~1\mozilla\firefox\profiles\dsb3wgv5.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101757&gct=&gc=1&q=
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - component: c:\program files\mozilla firefox\extensions\search@searchsettings.com\components\SearchSettingsFF.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\windows\system32\c2mp\npdivx32.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2010-12-06 04:37:14 80 -c--a-w- c:\windows\system32\asr_otqtja
2010-12-06 04:35:28 0 dc-h--w- C:\$AVG
2010-12-06 04:34:09 81 -c--a-w- c:\windows\system32\asr_baxcjb
2010-12-06 04:30:19 0 dc----w- c:\program files\AVG
2010-12-06 04:30:10 0 dc----w- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2010-12-06 04:29:33 0 dc----w- c:\docume~1\alluse~1.win\applic~1\avg9
2010-12-06 04:28:31 15880 -c--a-w- c:\windows\system32\lsdelete.exe
2010-12-06 04:27:52 64288 -c--a-w- c:\windows\system32\drivers\Lbd.sys
2010-12-06 04:27:44 95024 -c--a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-12-06 04:22:41 425984 -c--a-w- c:\windows\system32\AscConTest.dll
2010-12-06 04:22:41 36864 -c--a-w- c:\windows\system32\ascbalon.dll
2010-12-06 04:22:41 307200 -c--a-w- c:\windows\system32\AscSQLite.dll
2010-12-06 04:21:34 0 dc----w- c:\program files\Ascentive
2010-12-06 04:15:21 38224 -c--a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-06 04:15:11 80 -c--a-w- c:\windows\system32\asr_buxqwk
2010-12-06 04:15:04 20952 -c--a-w- c:\windows\system32\drivers\mbam.sys
2010-12-06 04:12:41 73728 -c--a-w- c:\windows\system32\javacpl.cpl
2010-12-06 04:12:38 411368 -c--a-w- c:\windows\system32\deployJava1.dll
2010-12-06 04:12:04 0 dc----w- c:\program files\CCleaner
2010-12-06 04:07:28 0 dc-h--w- c:\docume~1\alluse~1.win\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-12-06 04:04:34 12464 -c--a-w- c:\windows\system32\avgrsstx.dll
2010-12-06 04:04:33 25608 -c--a-w- c:\windows\system32\drivers\AVGIDSxx.sys
2010-12-06 04:04:32 161800 -c--a-w- c:\windows\system32\drivers\avgrkx86.sys
2010-12-06 04:04:31 360584 -c--a-w- c:\windows\system32\drivers\avgtdix.sys
2010-12-06 04:04:22 0 dc----w- c:\docume~1\d\applic~1\Sammsoft
2010-12-06 04:03:44 333192 -c--a-w- c:\windows\system32\drivers\avgldx86.sys
2010-12-06 04:02:57 0 dc----w- c:\windows\system32\drivers\Avg
2010-12-06 04:01:21 50968 -c--a-w- c:\windows\system32\avgfwdx.dll
2010-12-06 04:01:21 30104 -c--a-w- c:\windows\system32\drivers\avgfwdx.sys
2010-12-06 04:00:36 81 -c--a-w- c:\windows\system32\asr_hqqcbu
2010-12-06 03:55:37 0 dc----w- c:\docume~1\d\applic~1\Malwarebytes
2010-12-06 03:51:05 0 dc----w- c:\docume~1\d\applic~1\BitTorrent
2010-12-06 03:42:53 21728 -c--a-w- c:\windows\system32\wucltui.dll.mui
2010-12-06 03:42:50 17632 -c--a-w- c:\windows\system32\wuaueng.dll.mui
2010-12-06 03:42:45 15072 -c--a-w- c:\windows\system32\wuaucpl.cpl.mui
2010-12-06 03:42:42 15064 -c--a-w- c:\windows\system32\wuapi.dll.mui
2010-12-06 00:24:32 0 dc----w- c:\windows\system32\CatRoot_bak
2010-12-06 00:23:50 80 -c--a-w- c:\windows\system32\asr_wkxmyu
2010-12-05 20:56:07 80 -c--a-w- c:\windows\system32\asr_zpxrab
2010-12-05 20:45:24 80 -c--a-w- c:\windows\system32\asr_zirrbj
2010-12-05 20:32:34 80 -c--a-w- c:\windows\system32\asr_itmwql
2010-12-05 20:18:18 80 -c--a-w- c:\windows\system32\asr_kfrrnz
2010-12-05 20:16:36 80 -c--a-w- c:\windows\system32\asr_ahgczv
2010-12-05 20:14:28 80 -c--a-w- c:\windows\system32\asr_gqpwbr
2010-12-05 20:09:34 80 -c--a-w- c:\windows\system32\asr_cezcsa
2010-12-05 20:07:11 80 -c--a-w- c:\windows\system32\asr_gmdytr

==================== Find3M ====================

2010-12-06 00:58:54 60416 -c--a-w- C:\gendel32.exe
2010-12-06 00:20:58 24064 -c--a-w- c:\windows\system32\upnpcont.exe
2010-12-06 00:19:59 84480 -c--a-w- c:\windows\system32\rtcshare.exe
2010-12-06 00:18:59 15360 -c--a-w- c:\windows\system32\lpr.exe
2010-12-06 00:08:47 528384 -c--a-w- c:\windows\system32\DivXsm.exe
2010-12-06 00:07:58 153600 -c--a-w- c:\windows\regedit.exe
2010-12-06 00:07:48 76288 -c--a-w- c:\windows\NOTEPAD.EXE
2010-12-06 00:07:34 306688 -c--a-w- c:\windows\IsUninst.exe
2010-12-06 00:07:28 17920 -c--a-w- c:\windows\hh.exe
2010-12-06 00:07:26 155648 -c--a-w- C:\UNWISE.EXE
2010-12-06 00:07:18 708608 -c--a-w- C:\StubInstaller.exe

============= FINISH: 16:38:14.87 ===============
 
You should run "Quick Scan" only and it doesn't take that long. I need it and both DDS logs.
 
attach.txt


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)


==== Disk Partitions =========================


==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

Ad-Aware
Ad-Aware Email Scanner for Outlook
Adobe Flash Player 10 Plugin
Adobe Photoshop 7.0
Adobe Reader 9.3
Advertising Center
ASIO4ALL
Ask Toolbar
AVG 9.0
AVS Audio Converter version 6.1
AVS Update Manager 1.0
AVS4YOU Software Navigator 1.3
BitTorrent
CCleaner
CD - DVD Publishing Service
Delta
DolbyFiles
Express Burn
FL Studio 9
FLV to MP3 Converter 1.5
Freez FLV to MP3 Converter
FriendBlasterPro
IL Download Manager
ImagXpress
Java Auto Updater
Java(TM) 6 Update 20
LimeWire 5.4.6
Malwarebytes' Anti-Malware
Media Player Codec Pack 3.9.0
Menu Templates - Starter Kit
Microsoft .NET Framework 2.0
Microsoft SQL Server Desktop Engine (SONY_MEDIAMGR)
Microsoft Visual C++ 2005 Redistributable
Movie Templates - Starter Kit
Mozilla Firefox (3.5.8)
MySpace Views Increaser
Nero 9
Nero BurnRights
Nero ControlCenter
Nero CoverDesigner
Nero DiscSpeed
Nero DriveSpeed
Nero InfoTool
Nero Installer
Nero Live
Nero PhotoSnap
Nero Recode
Nero Rescue Agent
Nero ShowTime
Nero StartSmart
Nero Vision
Nero WaveEditor
NeroBurningROM
NeroExpress
NeroLiveGadget
neroxml
PoiZone
Sawer
Sony ACID Pro 6.0
Sony Media Manager 2.2
Sony Noise Reduction Plug-In 2.0h
Sony Sound Forge 9.0
SoundTrax
Syncrosoft's License Control
SyncroSoft Emu (Remove only)
Toxic Biohazard
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebFldrs XP
Winamp
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
WinRAR archiver

==== End Of File ===========================
 
Malwarebytes Log....



Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

12/5/2010 4:01:25 PM
mbam-log-2010-12-05 (16-01-25).txt

Scan type: Quick scan
Objects scanned: 172702
Time elapsed: 1 hour(s), 2 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 6
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_Windows_HOSTS_CONTROLLER (Worm.Kolab) -> No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Windows Hosts Controller (Trojan.Agent) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\intime (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\reup (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\waittokillservicet (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\unwise_.exe (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\unwise_.exe (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:\windows\fonts\unwise_.exe (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
Your log says "No action taken" after each line.
You either posted a log from before fixes, or you didn't apply any fixes.
Please correct it.
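The point the helper makes above, that a Malwarebytes log reading "No action taken" on every line records a scan whose fixes were never applied, is easy to miss when skimming a long log. The following Python script is an added example for this thread, not a Malwarebytes tool and not the helper's own method: it parses the detection lines of an MBAM 1.x text log, lists the items that were not quarantined, and additionally (going beyond what the thread discusses) checks that the per-section counts in the log's summary agree with the items actually listed, which catches a truncated or hand-edited log. The sample logs are constructed for the example, abridged from the ones posted in this thread.

```python
"""Triage helper for Malwarebytes' Anti-Malware 1.x text logs.

Added example for this thread, not a Malwarebytes tool. It parses the
detection lines of an MBAM log, reports which items were left
unremediated, and checks that the summary counts match the items listed,
so a "No action taken" log is caught before it is read as a clean result.
"""
import re
from collections import Counter

# Detection line: "<item> (<classification>) -> <action>."
# Registry data items carry an extra "Bad: (..) Good: (..) -> " segment.
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+?)\.?$")
# Summary line near the top of the log: "Registry Keys Infected: 2"
SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")

REMEDIATED_PREFIX = "quarantined"  # MBAM 1.x wording for a successful fix


def parse_log(log_text):
    """Return (summary_counts, detections) for one MBAM log."""
    summary, detections, section = {}, [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group("section")] = int(m.group("count"))
            continue
        if line.endswith("Infected:"):          # start of a detail section
            section = line[:-1]
            continue
        if section is None or line.startswith("(No malicious items"):
            continue
        m = DETECTION_RE.match(line)
        if not m:
            continue
        # The last "->" segment is the action MBAM took on the item.
        action = m.group("rest").split(" -> ")[-1]
        detections.append({"section": section, "item": m.group("item"),
                           "family": m.group("family"), "action": action})
    return summary, detections


def unremediated(log_text):
    """Detections the scan reported but did not quarantine/delete."""
    _, detections = parse_log(log_text)
    return [d for d in detections
            if not d["action"].lower().startswith(REMEDIATED_PREFIX)]


def count_mismatches(log_text):
    """Sections whose summary count disagrees with the items listed: {section: (claimed, listed)}."""
    summary, detections = parse_log(log_text)
    listed = Counter(d["section"] for d in detections)
    return {s: (n, listed.get(s, 0)) for s, n in summary.items() if listed.get(s, 0) != n}


def triage(log_text):
    """Verdict a helper would want: were fixes applied, and is the log internally consistent?"""
    _, detections = parse_log(log_text)
    left = unremediated(log_text)
    return {"detections": len(detections), "unremediated": len(left),
            "fixes_applied": bool(detections) and not left,
            "count_mismatches": count_mismatches(log_text)}


# Constructed sample, abridged from the first log posted in this thread.
SAMPLE_BEFORE = r"""Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Scan type: Quick scan
Objects scanned: 172702

Memory Processes Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 2
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_Windows_HOSTS_CONTROLLER (Worm.Kolab) -> No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Windows Hosts Controller (Trojan.Agent) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\intime (Malware.Trace) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Files Infected:
(No malicious items detected)
"""

# Constructed: the same scan after the fixes were applied (as in the second log in the thread).
SAMPLE_AFTER = SAMPLE_BEFORE.replace("No action taken", "Quarantined and deleted successfully")
# Constructed: a log with one Registry Keys line missing, so the summary count no longer matches.
SAMPLE_TRUNCATED = "\n".join(l for l in SAMPLE_AFTER.splitlines()
                             if "Windows Hosts Controller (Trojan.Agent)" not in l)

if __name__ == "__main__":
    for name, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER), ("truncated", SAMPLE_TRUNCATED)):
        print(name, triage(text))
```

Run it against a saved `mbam-log-*.txt` by reading the file into `triage()`; a result with `fixes_applied` False is the situation the helper objects to, and a non-empty `count_mismatches` means the posted log is not the complete one the scanner wrote.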
 
new log


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

12/5/2010 4:10:41 PM
mbam-log-2010-12-05 (16-10-41).txt

Scan type: Quick scan
Objects scanned: 172702
Time elapsed: 1 hour(s), 2 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 6
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_Windows_HOSTS_CONTROLLER (Worm.Kolab) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Windows Hosts Controller (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\intime (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\reup (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\waittokillservicet (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\unwise_.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\unwise_.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:\windows\fonts\unwise_.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt"
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure, you re-enable your security programs, when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 