

Antivirus 2009 Recurring Trojan Horses Problems

Page 2 of 3
  #21  
Old 11-25-2008
TechSpot Guru
 
Location: Lexington NC USA Eastern Time
Member since: Nov 2008, 2,788 posts
Yeah I see them now (new HJT)

Are these the ones you see?

C:\WINDOWS\TEMP\kcstb.exe
C:\WINDOWS\TEMP\xdnu.exe

I am composing more.

Answer above and wait 5 to 7 minutes.
------------------------------------------------------------
OK here you are!

Get Kaspersky_AVP_Tool http://www.majorgeeks.com/Kaspersky_AVP_Tool_d4515.html
IMHO the absolute best, deepest, most thorough virus cleaner on earth.

The price you pay is a long time running. You may want to do it when you go to bed or work!

To make it even slower, boot to safe mode and run it there.

Mike

Last edited by mflynn; 11-25-2008 at 11:57 PM..
  #22  
Old 11-26-2008
Newcomer, in training
 
Member since: Nov 2008, 22 posts
The download link is not working... I have tried from my laptop, which is not infected, and still the link does not work... I will try from my work comp tomorrow.

Please let me know if there is a different link that I can use
  
  #23  
Old 11-26-2008
TS Special Forces
 
Location: Singapore
Member since: Mar 2007, 2,269 posts
Your Combofix log shows a lot of bad files.. Allow me to provide some advice with respect to Combofix...
  1. Open notepad and copy/paste the text in the code box below into it:

    Code:
    File::
    C:\editreg.exe
    C:\rtsdnif.exe
    C:\attrib.exe
    C:\dnif.exe
    c:\documents and settings\Friends\editreg.exe
    c:\documents and settings\Friends\rtsdnif.exe
    c:\documents and settings\Friends\attrib.exe
    c:\documents and settings\Friends\dnif.exe
    c:\documents and settings\editreg.exe
    c:\documents and settings\rtsdnif.exe
    c:\documents and settings\attrib.exe
    c:\documents and settings\dnif.exe
    c:\windows\system32\rrt_is.wav
    c:\windows\system32\rrt_vf.wav
    c:\windows\system32\rrt_tv.wav
    c:\windows\system32\rrt_tn.wav
    C:\windows32.exe
    c:\documents and settings\All Users\Application Data\uhuvadisy.com
    c:\documents and settings\Friends\Application Data\abon.reg
    c:\documents and settings\Friends\Application Data\epybotabo.exe
    c:\documents and settings\Friends\Application Data\tiroquhij.dll
    c:\documents and settings\All Users\Application Data\seke.vbs
    c:\documents and settings\Friends\Application Data\olifolozi.bat
    c:\windows\mipa.exe
    c:\documents and settings\Friends\Application Data\mukiji.vbs
    c:\documents and settings\Friends\Application Data\yqubo.bat
    c:\documents and settings\All Users\Application Data\topyfyqyc.vbs
    c:\windows\Twunk001.MTX
    c:\windows\Twain001.Mtx
    c:\windows\Twunk002.MTX
    c:\program files\bhboiu.txt
    c:\program files\edjebfsi.txt
    c:\program files\ijrzc.txt
    c:\program files\acqpzkiu.txt
    c:\program files\empcglju.txt
    c:\program files\ifvf.txt
    c:\windows\Internet Logs\xDB26.tmp
    c:\windows\Internet Logs\xDB25.tmp
    c:\windows\Internet Logs\xDB24.tmp
    c:\windows\Internet Logs\xDB23.tmp
    c:\windows\Internet Logs\xDB22.tmp
    c:\windows\Internet Logs\xDB21.tmp
    c:\windows\Internet Logs\xDB20.tmp
    c:\windows\Internet Logs\xDB1F.tmp
    c:\windows\Internet Logs\xDB1E.tmp
    c:\windows\Internet Logs\xDB1D.tmp
    Folder::
    C:\backups
    C:\backupreg
    c:\documents and settings\Friends\backups
    c:\documents and settings\Friends\backupreg
    c:\documents and settings\backups
    c:\documents and settings\backupreg
    c:\documents and settings\Friends\.blurb
    Registry::
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{485d6226-86fb-11da-be8b-000c4165416e}]
  2. Save this as "CFScript.txt" on the desktop.
  3. Referring to the image below, drag CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe.

  4. ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it shall produce a log for you. Post that log (Combofix.txt) in your next reply.
    Note: Do not mouse-click Combofix's window while it is running. That may cause your system to hang.

Thereafter, please post a fresh HJT log as well as the resultant ComboFix log from the above instructions as attachments into this thread.
  #24  
Old 11-26-2008
Newcomer, in training
 
Member since: Nov 2008, 22 posts
I have tried the CFScript method; I am attaching both logs, from Combofix and HJT. I still see the trojan files in my Temp folder.

And for Kaspersky, this is the weirdest thing. I cannot access any website on Google that has the Kaspersky download on it. Its homepage does not even load, the link from download.com does not work either, and the link posted here is in the same situation. This is also happening from my laptop.

I checked this from my work computer this afternoon and all the links worked fine. I remotely logged on to my laptop and then desktop and both were still having the same problem of not loading the website.

In any case, I have downloaded Kaspersky from work and will install and run it tonight. I think I have got the worst trojans here.

I have installed the Kaspersky tool. But it's not running. I double-click on it and nothing happens, just like MBAM and SAS were. I have tried renaming it but it doesn't let me... what do I do?
Attached Files
File Type: txt combofix.txt (27.1 KB, 4 views)
File Type: txt hijackthis.txt (11.7 KB, 5 views)

Last edited by momok; 11-27-2008 at 12:33 PM.. Reason: merged; dont double post.
  #25  
Old 11-26-2008
TechSpot Guru
 
Location: Lexington NC USA Eastern Time
Member since: Nov 2008, 2,788 posts
Hi faisal

Just arrived back and saw your post.

Will have more in 6 - 8 minutes.

Mike
  #26  
Old 11-27-2008
Newcomer, in training
 
Member since: Nov 2008, 22 posts
ok thanks,
BTW I have been reading up about Kaspersky... people complain that it's a pain to uninstall and almost behaves like malware itself??
  #27  
Old 11-27-2008
TechSpot Guru
 
Location: Lexington NC USA Eastern Time
Member since: Nov 2008, 2,788 posts
You are about as stubborn as I am. Others would have given up and formatted by now.

I will not give up but please don't format until you check with me.

I think when we fix this one it will be of benefit to many.

OK, disconnect any USB flash drive and remove any CD that is in the drive, and do not reconnect them until fixed.

----------------------------------------------------------------------------------------------------------------------------------
Download OTScanIt: http://download.bleepingcomputer.com...r/OTScanIt.exe
Close all Apps and Browsers

Download and save to the Desktop, double-click it and extract the files to an OTScanIt folder.

If your firewall or other security or malware protections pop up, you should allow OTScanIt to run.

Enter the OTScanit folder and run OTScanit.exe.

In Additional Scans select BotCheck, Disabled MS Config Items and Eventviewer Errors/Warnings

Top Left click Run Scan.

The scan can take some time so allow it time.

When finished, a log will open; save the log and attach its contents back here.
----------------------------------------------------------------------------------------------------------------------------------

Download: http://www.mvps.org/winhelp2002/DelDomains.inf

Right-click and select: Save Target As

To use: right-click and select: Install (no need to restart - there is no on-screen action)

Note: This will remove all entries in the "Trusted Zone" and "Ranges" also. DelDomains was revised (01-16-05) to include the "Enhanced Security Configuration Zones" as some of these newer infections are targeting the "Enhanced" Zone.
----------------------------------------------------------------------------------------------------------------------------------

Select the lines below by dragging with the left mouse button held down, then paste them into an open CMD prompt and hit Enter; ignore any errors for now.
Code:
@echo off
rem Saves IP settings
ipconfig /all >"%USERPROFILE%\Desktop\ipconfig.out"
netsh interface ip delete arpcache
ipconfig /flushdns
ipconfig /release *
ipconfig /renew *
ipconfig /registerdns
nbtstat -RR
rem Saves a log of the current Winsock catalog
netsh winsock show catalog >"%USERPROFILE%\Desktop\lsp.txt"
rem Resets Winsock
netsh winsock reset catalog
rem Winsock catalog after the reset
netsh winsock show catalog >>"%USERPROFILE%\Desktop\lsp.txt"
rem Resets the TCP/IP stack (the log file is a required argument on XP)
netsh int ip reset "%USERPROFILE%\Desktop\tcpreset.txt"
exit
Reboot, see the new icons on the desktop, and paste the contents of lsp.txt and tcpreset.txt back to the thread.
----------------------------------------------------------------------------------------------------------------------------------
D/L Xclean_Micro http://www.xblock.com/download/xclean_micro.exe
No install, just run it. Delete all it finds and decline to reboot on each item found until the program finishes, then reboot.

Xclean will run minimized and will pop up a window if it finds anything. If it finds nothing it will exit.

Please make a note of what it found, if anything, as it has no log.

----------------------------------------------------------------------------------------------------------------------------------
Get and run http://www.prevx.com/freescan.asp
----------------------------------------------------------------------------------------------------------------------------------
These next ones are preventatives that will both keep it from entering from the outside and help us catch it in action.

I have been using ThreatFire for more than a year, it just went from ver 3 to ver 4.

It was designed to co-exist with other Virus scanners.

Additionally, it uses a totally different process to protect. While conventional virus scanners work from definitions, ThreatFire works by recognizing virus/malware activity. It's like looking at it with 2 sets of eyes and from a different angle.

http://www.threatfire.com/Download/
-------------------------------------------------------------------------------------
Get http://www.javacoolsoftware.com/spywareblaster.html

Run SpyBot Scan and use the Immunize function.
http://www.safer-networking.org/en/download/

Install HostsMan, allow it to disable the DNS Client, and select all 4 hosts files and the update.
HostsMan http://www.abelhadigital.com/2008/07...-released.html

Mike

Last edited by mflynn; 11-27-2008 at 12:32 AM..
  #28  
Old 11-27-2008
Newcomer, in training
 
Member since: Nov 2008, 22 posts
Should I run Fix for OTScanIt?
  #29  
Old 11-27-2008
TechSpot Guru
 
Location: Lexington NC USA Eastern Time
Member since: Nov 2008, 2,788 posts
No that is for running scripts that are pasted in.

If needed later I will post a script for you to paste and run.

For now all i need is the log.

Mike
  
  #30  
Old 11-27-2008
Newcomer, in training
 
Member since: Nov 2008, 22 posts
I have done most of the steps except the last three, but I am sure they will not remove the trojan in the temp files. File Assassin kills them but they reappear. I wonder what file I have to delete to stop that.

I will post logs when I get home. I am thinking of finding a way to run Kaspersky AVP, even though there are horror stories of uninstalling it. Oh well, I have already installed it but the AVP does not work and I can't change its name to make it work. Why I believe this will work is that this is the only site that does not work in my IE, Chrome or Firefox. And I can't even get to it from different sites or download any of its software from anywhere unless I bring it on USB.

If only I could find what process creates the temp files.
  #31  
Old 11-27-2008
TechSpot Guru
 
Location: Lexington NC USA Eastern Time
Member since: Nov 2008, 2,788 posts
Hello Faisal

This is an unknown or perhaps new malware. It is not the 2 files that are the problem but the unidentified program that is spawning them.

The last three are the most important now as they all block things from the Internet and some from attempting to get out.

So you did get ThreatFire installed. ThreatFire learns from your approvals and disapprovals; watch closely what it prompts on. Good things like IE or OE you want to approve and remember, so it will not ask you again.

In settings, kick the sensitivity level to max. It will increase the prompts as it increases the security level; approve the good, obvious ones like FF, Opera, Word, Excel and remember them, and you will not see them again. You can Google from TF's prompt for something you do not recognize.

What we want is for TF to notify us of what is creating these files.

Also TF has a Scan so do that also.

The very fact that the AVP tool will not run confirms we have something that is set to specifically prevent the AVP tool from running.

As for uninstalling it later: if it does its job, it's better to leave it than the malware.

Besides I know exactly how to remove it!

Also the OTScanit log may help me identify it.

Mike
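The two posts above make the same point from both sides: the dropped files in Temp are symptoms, and the thing to identify is the process that keeps spawning them. The following PowerShell script is an example added to this page, not code from the thread or from any of the tools it names. It lists every running process whose image lives under the Windows Temp or the user's Temp directory, walks each one's parent chain, and hashes the executables currently sitting in Windows\Temp so they can be looked up or submitted to a vendor. The directory names and the cmdlets used (Get-CimInstance, Get-FileHash) assume a current Windows/PowerShell host; the 2008 XP machines in the thread would have needed a different toolset.

```powershell
# Added example (not from the thread): find processes running from Temp and
# who started them. Assumes Windows PowerShell 4+ (Get-CimInstance, Get-FileHash);
# run from an elevated prompt so other users' process paths are readable.
# Note: in an elevated session $env:TEMP is the administrator's Temp, not the
# victim account's; add that path to $tempRoots by hand if they differ.

$tempRoots = @((Join-Path $env:windir 'Temp'), $env:TEMP) |
    Where-Object { $_ } |
    ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() } |
    Select-Object -Unique

# One WMI query; index by PID so the parent walk is a hashtable lookup.
$allProcs = Get-CimInstance Win32_Process
$byPid = @{}
foreach ($p in $allProcs) { $byPid[[int]$p.ProcessId] = $p }

function Get-ParentChain {
    # Follows ParentProcessId upward. PIDs are recycled, so a "parent" that was
    # created after its child is a reused PID, not the real launcher; stop there.
    param([int]$ProcId, [int]$MaxDepth = 8)
    $chain = @()
    $seen  = @{}
    $cur = $byPid[$ProcId]
    while ($cur -and $chain.Count -lt $MaxDepth) {
        $chain += ('{0} (PID {1})' -f $cur.Name, $cur.ProcessId)
        $seen[[int]$cur.ProcessId] = $true
        $parent = $byPid[[int]$cur.ParentProcessId]
        if (-not $parent -or $seen.ContainsKey([int]$parent.ProcessId)) { break }
        if ($parent.CreationDate -and $cur.CreationDate -and
            $parent.CreationDate -gt $cur.CreationDate) {
            $chain += ('[PID {0} reused; real parent already exited]' -f $parent.ProcessId)
            break
        }
        $cur = $parent
    }
    return ($chain -join ' <- ')
}

function Test-UnderTemp {
    param([string]$Path)
    if (-not $Path) { return $false }
    $lower = $Path.ToLowerInvariant()
    foreach ($root in $tempRoots) {
        if ($lower.StartsWith($root + '\')) { return $true }
    }
    return $false
}

# 1) Running processes whose image is under a Temp directory.
$suspects = foreach ($p in $allProcs) {
    if (Test-UnderTemp $p.ExecutablePath) {
        [pscustomobject]@{
            PID      = $p.ProcessId
            Image    = $p.ExecutablePath
            Started  = $p.CreationDate
            CmdLine  = $p.CommandLine
            Launched = Get-ParentChain -ProcId ([int]$p.ProcessId)
        }
    }
}

# 2) Executables currently sitting in Windows\Temp, with SHA256 hashes for a
#    later lookup or for submission to a vendor.
$tempExes = Get-ChildItem -Path (Join-Path $env:windir 'Temp') -Filter '*.exe' -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Name    = $_.Name
            Created = $_.CreationTime
            Bytes   = $_.Length
            SHA256  = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }

"=== Processes running from Temp ==="
if ($suspects) { $suspects | Format-List } else { "none" }
"=== Executables in $(Join-Path $env:windir 'Temp') ==="
if ($tempExes) { $tempExes | Format-Table -AutoSize } else { "none" }
```

The parent chain is the interesting column: a Temp executable whose chain ends in a legitimate-looking service or in a reused PID points at a persistent launcher rather than at the dropped file itself, which is exactly the "unidentified program that is spawning them" Mike describes. A file-creation watcher (FileSystemWatcher) would tell you when a new file appears but not which process wrote it; attributing a drop to its writer needs Sysmon's file-create event (ID 11) or object-access auditing, which this script does not attempt.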
  #32  
Old 11-28-2008
Newcomer, in training
 
Member since: Nov 2008, 22 posts
This is the OTscanit log.
I am seeing in my temp files that there are about 15-20 trojan files. I am also having a hard time deleting them; File Assassin doesn't do much anymore.
I am not sure what HostsMan is or how to use it. ThreatFire sometimes detects the temp files, quarantines and deletes them, but even that has stopped now. There is simply no detection.

One of the virus detection tools found a trojan file in the Adobe After FX support files by the name adobefx.exe, which was a dummy file as it should not be in the support folder. I deleted it. The crazy trojans started appearing after that.

SpywareBlaster is not working.

The temp/trojan files also appear in the processes when I press Ctrl+Alt+Del, but ending these processes has no effect, and they keep running.

Sorry, the OTScanIt txt file is over 200 KB, hence I had to zip it.
Attached Files
File Type: zip OTScanIt.zip (23.8 KB, 8 views)
  #33  
Old 11-28-2008
TechSpot Guru
 
Location: Lexington NC USA Eastern Time
Member since: Nov 2008, 2,788 posts
Good morning Faisal

Still going through the log; may have found something, but in the meantime:

Do this:

Download RSIT
http://images.malwareremoval.com/random/RSIT.exe

Run it; when finished it will open a log maximized on the screen. Attach the contents of this log back here, then close that log.

Then the 2nd log is minimized, so maximize it and attach it also in a separate post.
These logs will contain an updated HijackThis log also.

Still reading OTScanit logs.

Mike

Last edited by mflynn; 11-28-2008 at 12:56 PM..
  #34  
Old 11-28-2008
Newcomer, in training
 
Member since: Nov 2008, 22 posts
My comp at home has crashed, so I cannot log in remotely to install the above tool, but will do once I go home.

I think I probably have more anti-malware tools than viruses on my machine now.

BTW, would installing any of the Norton virus tools or McAfee help?
  #35  
Old 11-28-2008
TechSpot Guru
 
Location: Lexington NC USA Eastern Time
Member since: Nov 2008, 2,788 posts
OK, update MBAM, SAS, Combofix and SDFix.

Then do this again; I have added to it since you last ran it. But download and extract only, because I want you to run it in Safe Mode:

http://www.techspot.com/vb/post684649-3.html

When it reboots, go back to Safe Mode (do not allow it back to normal yet).

Use File Assassin (copy/paste) to remove the below. It may report "File does not exist" on some or all.

c:\WINDOWS\TEMP\winkmpxqg.exe
c:\WINDOWS\TEMP\wintlkdeq.exe
c:\WINDOWS\TEMP\wintuaq.exe
c:\WINDOWS\TEMP\winoihano.exe
c:\WINDOWS\TEMP\xuncdn.exe
c:\WINDOWS\TEMP\jsvffq.exe
C:\WINDOWS\Temp\winjjcffe.exe
C:\WINDOWS\Temp\iowx.exe

The below line indicates MBAM needed a reboot to finish cleaning something and the file was missing.

Malwarebytes Anti-Malware (reboot) -> %ProgramFiles%\bam\mbam.exe ["C:\Program Files\bam\mbam.exe" /runcleanupscript] -> File not found

So run MBAM, SAS, Combofix and SDFix now in safe mode. If reboots are needed, always boot back to Safe Mode.

After the above have all been run in safe mode, finally, still in safe mode, try the AVP Tool once more.

Then back to normal to test and get me the logs.

Mike

Edit: No, no Norton please.

Last edited by mflynn; 11-28-2008 at 02:07 PM..
  #36  
Old 11-28-2008
Newcomer, in training
 
Member since: Nov 2008, 22 posts
I will get home in the next three hours and try your suggestions.
  #37  
Old 11-29-2008
Newcomer, in training
 
Member since: Nov 2008, 22 posts
OK, now the desktop is really screwed..... Here is what happened:
MBAM would not work; like, it would run the scan but would not be reading any files.... My USB stick, from which I had been loading new files onto the desktop, is not accessible... like I can't open it; I can see it but that's it.
I could not log in to safe mode. Ran SDFix and tried to press R to enter into safe mode; that didn't work,
so then I used msconfig and used boot.ini to set it up to start in safe mode.
I did start in safe mode, then ran MBAM; it found two trojans, one in temp, the other in rootkit... Then I ran SAS; it found about 11 things. Then it crashed. I ran it again halfway and then paused to delete what it found. SAS requested a restart, and since that time the comp does not boot.

Safe mode does not work, normal mode does not... every time it just goes up to the Windows logo and then crashes..... UGHHHH....

I am on my laptop now and guess what, my regedit and Task Manager are locked out. I am guessing from the USB stick I had been using to move programs....

I have tried the regtools.vbs to open permissions but that does not work anymore... gpedit.msc won't work as this is Home Edition.

Please help.... I don't know what to do with the desktop and now the laptop is going to give up too... BTW I checked the temp folder on the laptop; those weird files are not there yet.... Am I the first one in this world to be infected with this virus? Trojan?

Seems like no one even knows about this one.

PS: Just checked; the trojans have appeared in my laptop temp as well..... I am done now...

Last edited by faisalmajeed; 11-29-2008 at 02:42 AM..
  #38  
Old 11-29-2008
TechSpot Guru
 
Location: Lexington NC USA Eastern Time
Member since: Nov 2008, 2,788 posts
Yeah it looks like you may be one of the first.

Lets try to nip this in the bud now!

On Laptop.

Get Flash Drive Disinfector from here http://experi3nc3.wordpress.com/2007...ector-by-subs/ and run it; after cleaning, leave the drive in the computer so the below can check it also.

Then do post #17, followed by MBAM, reboot, SAS, reboot, Combofix, reboot, SDFix.

Post all logs.

Now on the other computer see if in the Boot menu you can select "Last known good configuration".

If it does then boot to safe mode only on the way back up.

Let me know the results.

Mike

Last edited by mflynn; 11-29-2008 at 10:47 AM..
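Post #37 reports regedit and Task Manager locked out on the laptop and suspects the USB stick; post #38 answers with a flash-drive disinfector. The PowerShell script below is an example added to this page, not code from the thread or from Flash Drive Disinfector, and it rests on two assumptions the thread never states: that the lock is the Policies\System registry mechanism (the DisableTaskMgr and DisableRegistryTools values), and that the stick's carrier was an autorun.inf file. It audits both in read-only fashion, and only the explicitly named Remove-ToolLocks function changes anything.

```powershell
# Added example (not from the thread): read-only audit of (a) the policy values
# that disable Task Manager and Registry Editor and (b) autorun.inf on removable
# drives. The thread does not say which mechanism locked the laptop's tools or
# how the USB stick carried the infection; both are assumptions here.
# Nothing is modified unless Remove-ToolLocks is called explicitly.

$policyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)
$lockValues = @('DisableTaskMgr', 'DisableRegistryTools')

function Get-ToolLocks {
    # Returns one record per lock value that is present; Locked = non-zero.
    foreach ($key in $policyKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($name in $lockValues) {
            $value = $props.$name
            if ($null -ne $value) {
                [pscustomobject]@{ Key = $key; Name = $name; Value = $value; Locked = ($value -ne 0) }
            }
        }
    }
}

function Remove-ToolLocks {
    # Deletes the lock values. Supports -WhatIf so it can be rehearsed first.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($lock in (Get-ToolLocks)) {
        if ($PSCmdlet.ShouldProcess("$($lock.Key)\$($lock.Name)", 'Remove value')) {
            Remove-ItemProperty -LiteralPath $lock.Key -Name $lock.Name
        }
    }
}

function Get-RemovableAutorun {
    # DriveType 2 = removable disk. A *folder* named autorun.inf is the
    # protective placeholder some disinfection tools leave behind; a *file*
    # deserves a look, so its first lines are shown.
    Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
        $inf  = Join-Path $_.DeviceID 'autorun.inf'
        $item = Get-Item -LiteralPath $inf -Force -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Drive   = $_.DeviceID
            Present = [bool]$item
            Kind    = if (-not $item) { $null } elseif ($item.PSIsContainer) { 'folder (placeholder)' } else { 'file' }
            Preview = if ($item -and -not $item.PSIsContainer) {
                          (Get-Content -LiteralPath $inf -TotalCount 10 -ErrorAction SilentlyContinue) -join "`n"
                      } else { $null }
        }
    }
}

"=== Task Manager / Registry Editor policy locks ==="
$locks = Get-ToolLocks
if ($locks) { $locks | Format-Table -AutoSize } else { "none set" }
"=== autorun.inf on removable drives ==="
Get-RemovableAutorun | Format-List
# To clear the locks after reviewing the output: Remove-ToolLocks -WhatIf, then Remove-ToolLocks
```

Clearing the policy values restores the tools but does not remove whatever set them; as the thread shows, the values are simply re-applied by the resident component, so the audit is most useful as a before/after check around each cleaning pass. The same applies to the drive scan: an autorun.inf file that reappears after deletion means the stick is being re-seeded by the infected host, which is why Mike asks for the drive to stay unplugged until the machine is clean.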
  #39  
Old 12-01-2008
Newcomer, in training
 
Member since: Nov 2008, 22 posts
I am calling it quits, well not entirely... The desktop is not starting up in any form and the laptop is infected too. SAS and MBAM are useless at this point. The rescans are getting me nowhere.

I am thinking of getting a new comp this evening and installing VMware on it so next time I don't have to deal with this; access the hard drives of my desktop from the new comp to recover data and then format them.

I am thinking of setting up one VMware session just for internet browsing, as the viruses nowadays are infecting video codecs and whatnot. And the main system is where I will store my files.
  #40  
Old 12-01-2008
TechSpot Guru
 
Location: Lexington NC USA Eastern Time
Member since: Nov 2008, 2,788 posts
Sorry to hear that Faisal. You sure tried your heart out.

I wish I could get my hands on your computer with my many special tools; I know I could fix them for you.

But it is hard to do remotely, especially if you get hit by a new one that nothing knows about yet, or get a combo/mix of some really bad ones.

I know what you said about throwing in the towel, but I will leave you with this.

Do a Repair/Overlay install. It keeps all programs and data and just repairs Windows.

The repair may overwrite some malware, but once up the system needs checking again.

Boot from your Windows CD and proceed to install. You will get a prompt to hit R to use the Recovery Console. Do not choose that one; continue until Windows finds an existing installation and offers R to repair the existing installation. Choose this R, and from there it will look like a normal install.

The repair of the existing installation will fix only the Windows folder and keep all your data. Everything should be normal when you get back up.

A link to follow: How to repair Windows XP/2000 if you are unable to boot into Windows

Another one for insight: http://pcsupport.about.com/od/operat...txprepair1.htm

The only issue is your HJT log shows you have SP2. You should use the same SP level you have on the HD or higher.

You can make an SP3 CD by slipstreaming or install SP3 from downloading the full SP3 or from Windows update.

I am going to assume you only have the SP1 or 2 disk.

So here are the steps to slipstream from a working computer with a CD burner; this can be done from Vista.
Download Autostreamer http://majorgeeks.com/download4444.html
then
Download the full SP3 package: http://www.microsoft.com/downloads/d...displaylang=en

Once you have both of the above it is simple.

With your older XP CD in the CD drive, run AutoStreamer and it will ask for the location of the original Windows install CD (any version, SP1 or SP2).

It will ask for the location of the SP3 file and offer to burn to CD.

Doing the Repair install while upgrading to SP3 may make Malware easier to handle.

Thank you for allowing me to help you.

Mike