Solved Hacktool.rootkit!inf


Ved

I have been having trouble with the virus Hacktool.rootkit!inf. My AV is Norton Security Suite. Every time I run the scan the AV detects this virus but unfortunately cannot take any action, with the note that the virus requires manual removal.
For the File Insight my AV shows the following:
Location:
cdrom.sys
Activity:
Infected file: C-Windows.old-Windows-system32-drivers-cdrom.sys (Manual removal required)
Infected file: C-Windows.old-Windows-system32-drivers-wcscd.sys (No fix attempt)
Infected file: C-Windows.old-Windows-system32-dllcache-cdrom.sys (No fix attempt)
Infected file: C-Windows.old-Windows-Temp - cdfss (No fix attempt)
Please suggest if there is anything I can do to completely remove this malware without hurting my system.
Thanks
Ved
 
Please follow these steps in the Preliminary Virus and Malware Removal thread HERE
When you have finished include all of the logs in your next reply for our review.

Please do not use any other cleaning program or scans while I am helping you unless I instruct you to. Do not use a registry cleaner or make any changes in the Registry.
 
I’ve followed the 8 steps and am posting back the results.
Waiting for your further instructions.
Thank You much!
 

Attachments

  • Attach.zip (1.5 KB)
  • DDS.txt (16.3 KB)
  • gmer.log (9.1 KB)
  • mbam-log-2010-05-20 (21-41-05).txt (880 bytes)
Questions:

1. Did you turn off System Restore? There are no System Restore points. This error is related to that:
5/21/2010 1:55:11 PM, Error: volsnap [36] - The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.

2. Have you set up any restrictions through Group Policy?

3. Did you select ask.com for your home page on IE and install the AskCom toolbar intentionally? There are several entries for this>
uStart Page = hxxp://eu.ask.com?o=15446&l=dis
uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll


We discourage the use of ask.com because of adware. I can remove this if you'd like in the script you'll run later.

4. Does your CD player work? Have you previously reinstalled it and/or renamed the .exe file for it?

Please download ComboFix from Here and save to your Desktop.

  • [1]. Do NOT rename Combofix unless instructed.
  • [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • [3]. Close any open browsers.
  • [4]. Double click combofix.exe & follow the prompts to run.
    NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
  • [5]. If Combofix asks you to install Recovery Console, please allow it.
  • [6]. If Combofix asks you to update the program, always allow.
    Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • [7]. A report will be generated after the scan. Please post the C:\ComboFix.txt in your next reply.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs, when you're done with Combofix...
 
1. System restores:
When I originally ran Norton Scan and when it found this virus, I was asked to turn off System Restore points prior to new scan. I did that, and after it I thought I switched the restore points back on. I just checked and Restore point for C: is on, but restore point for D: is off. Should I turn the restore point for D: back on?

2. Restriction through the group policy:
To the best of my knowledge I have never set up any restriction through the group policy; furthermore, I do not exactly know what the group policy is in this context, and thus I do not know how to check the status of same. If crucial, would you please let me know how to check the same?

3. AskCom:
I use Firefox instead of IE. And the home page on Firefox is set to Gmail. I checked the programs in Control Panel and there is no AskCom. Further, I have opened IE, and yes, the home page indeed was set to ask.com; I have removed the Askcom homepage and set the Gmail one.

4.CD:
I use CDplayer frequently to write the files, just checked the play function and it works fine.
I have no recollection of reinstalling the cdplayer recently nor changing anything about it, including .exe files.
How can I check the same if needed?

Before I run Combofix, as you suggested, I will wait for your response regarding the first 3 steps including the CD issue. Please let me know if I need to do anything more regarding the steps above before I install and run Combofix.
Thank You much,
Ved
 
Thank you for the clear explanations. Sometimes we really have to pull info out. You made my job easier!

About System Restore: Years ago, it was thought best to turn off SR if malware was suspected. The reason being to keep malware out of the restore points. As time went on and we had more tools and learned more about getting into a system, we found that occasionally the only way to get in was through System Restore. It became better to have a bad restore point than none at all.

System Restore is the least understood system function that I know of and one of the most important. Unfortunately, there is inconsistency in the directions for this, as you found. But it is best to keep SR turned on and then when a system is clean, we have you set a new, clean restore point and drop the old ones.

System Restore should run on the Local System Drive which is usually C. It depends on what the D drive is, how much 'room' there is to store the restore points.

About Group Policy: Simply put, Group Policy gives you administrative control over users and computers in your network. It's "a set of rules which control the working environment of user accounts and computer accounts." There is information on setting this up in Windows 7, with screenshots to help you, HERE. You should become familiar with it.

About Ask.com: It was showing as the IE Search page, a BHO> Browser Helper Object and also with a Toolbar. It is very pervasive and I suggest you completely remove it. I will have you run HijackThis later and if there are any entries left, I will have you check them for removal.

About the CD Drive: I asked about it because GMER has an entry> C:\Windows.old\Windows\system32\cdplayer.exe.manifest > (size mismatch) 2091520/749 bytes executable. The directory isn't right with the Windows.old, so I may have to look into that.

Go ahead and run Combofix- I'll add the script after that.
 
ComboFix 10-05-24.03 - Buba 05/25/2010 9:13.1.1 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.504.125 [GMT 2:00]
Running from: c:\users\Buba\Downloads\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2010-04-25 to 2010-05-25 )))))))))))))))))))))))))))))))
.

2010-05-25 07:29 . 2010-05-25 07:30 -------- d-----w- c:\users\Buba\AppData\Local\temp
2010-05-25 07:29 . 2010-05-25 07:29 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-05-20 19:02 . 2010-05-20 19:02 -------- d-----w- c:\users\Buba\AppData\Roaming\Malwarebytes
2010-05-20 19:01 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-20 19:01 . 2010-05-20 19:01 -------- d-----w- c:\programdata\Malwarebytes
2010-05-20 19:01 . 2010-05-20 19:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-20 19:01 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-20 18:56 . 2010-05-20 18:56 -------- d-----w- c:\program files\Common Files\Java
2010-05-20 18:55 . 2010-05-20 18:54 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-20 18:54 . 2010-05-20 18:54 -------- d-----w- c:\program files\Java
2010-05-20 18:48 . 2010-05-20 18:48 -------- d-----w- c:\program files\Common Files\Adobe
2010-05-20 09:07 . 2009-05-18 22:17 26600 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-05-20 09:07 . 2008-04-17 21:12 107368 ----a-r- c:\windows\system32\GEARAspi.dll
2010-05-20 09:07 . 2010-05-20 09:07 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-05-20 09:07 . 2010-05-20 09:19 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-05-20 09:07 . 2010-05-20 09:07 -------- d-----w- c:\program files\Symantec
2010-05-20 09:05 . 2010-05-20 11:22 -------- d-----w- c:\windows\system32\drivers\N360
2010-05-20 09:05 . 2010-05-20 09:05 -------- d-----w- c:\program files\Norton Security Suite
2010-05-20 09:04 . 2010-05-20 09:04 -------- d-----w- c:\programdata\NortonInstaller
2010-05-20 09:04 . 2010-05-20 09:04 -------- d-----w- c:\program files\NortonInstaller
2010-05-20 08:51 . 2010-05-20 09:05 -------- d-----w- c:\programdata\Norton
2010-05-17 20:17 . 2010-05-17 20:17 -------- d-----w- c:\users\Default\AppData\Local\Microsoft Help
2010-05-17 16:00 . 2010-02-04 08:01 74072 ----a-w- c:\windows\system32\XAPOFX1_4.dll
2010-05-17 16:00 . 2010-02-04 08:01 528216 ----a-w- c:\windows\system32\XAudio2_6.dll
2010-05-17 16:00 . 2010-02-04 08:01 238936 ----a-w- c:\windows\system32\xactengine3_6.dll
2010-05-17 16:00 . 2010-02-04 08:01 22360 ----a-w- c:\windows\system32\X3DAudio1_7.dll
2010-05-17 16:00 . 2009-09-04 15:44 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2010-05-17 16:00 . 2009-09-04 15:44 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2010-05-17 16:00 . 2009-09-04 15:44 238936 ----a-w- c:\windows\system32\xactengine3_5.dll
2010-05-17 16:00 . 2009-09-04 15:29 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll
2010-05-17 16:00 . 2009-09-04 15:29 5501792 ----a-w- c:\windows\system32\d3dcsx_42.dll
2010-05-17 08:25 . 2006-10-26 17:56 33104 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\msonpppr.dll
2010-05-17 08:25 . 2006-10-26 17:56 32592 ----a-w- c:\windows\system32\msonpmon.dll
2010-05-17 08:23 . 2010-05-17 08:23 -------- d-----w- c:\program files\Microsoft Works
2010-05-17 08:21 . 2010-05-17 08:21 -------- d-----w- c:\windows\PCHEALTH
2010-05-17 08:21 . 2010-05-17 08:21 -------- d-----w- c:\program files\Microsoft.NET
2010-05-17 08:15 . 2010-05-17 08:15 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2010-05-17 08:14 . 2010-05-17 08:14 -------- d-----w- c:\users\Buba\AppData\Local\Microsoft Help
2010-05-17 08:14 . 2010-05-17 20:19 -------- d-----w- c:\programdata\Microsoft Help
2010-05-12 11:42 . 2010-03-04 07:33 740864 ----a-w- c:\windows\system32\inetcomm.dll
2010-05-11 14:19 . 2010-05-11 14:19 -------- d-----w- c:\programdata\eMule
2010-05-11 14:18 . 2010-05-11 14:18 -------- d-----w- C:\Emule
2010-05-11 14:18 . 2010-05-11 14:20 -------- d-----w- c:\users\Buba\AppData\Local\eMule
2010-05-11 14:18 . 2010-05-11 14:18 -------- d-----w- c:\program files\eMule
2010-05-11 13:38 . 2010-05-11 13:38 -------- d-----w- c:\program files\iPod
2010-05-11 13:38 . 2010-05-11 13:39 -------- d-----w- c:\program files\iTunes
2010-05-11 13:34 . 2010-05-11 13:34 -------- d-----w- c:\program files\Bonjour
2010-04-29 07:22 . 2010-05-20 18:50 -------- d-----w- c:\users\Buba\AppData\Local\Adobe
2010-04-28 08:47 . 2009-09-26 05:58 194488 ----a-w- c:\windows\system32\drivers\fvevol.sys
2010-04-28 08:47 . 2009-12-11 07:44 133720 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2010-04-28 08:47 . 2009-12-11 07:38 1037312 ----a-w- c:\windows\system32\lsasrv.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-25 06:55 . 2010-03-25 17:25 -------- d-----w- c:\users\Buba\AppData\Roaming\Skype
2010-05-25 06:54 . 2010-03-25 17:25 -------- d-----w- c:\users\Buba\AppData\Roaming\skypePM
2010-05-20 09:07 . 2010-05-20 09:07 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-05-20 09:07 . 2010-05-20 09:07 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-05-19 16:05 . 2010-03-26 16:19 -------- d-----w- c:\users\Buba\AppData\Roaming\BitTorrent
2010-05-17 10:00 . 2010-03-25 18:03 108824 ----a-w- c:\users\Buba\AppData\Local\GDIPFONTCACHEV1.DAT
2010-05-17 08:22 . 2009-07-14 04:52 -------- d-----w- c:\program files\MSBuild
2010-05-12 18:40 . 2009-07-14 02:37 -------- d-----w- c:\program files\Windows Mail
2010-05-11 13:38 . 2010-04-15 12:33 -------- d-----w- c:\program files\Common Files\Apple
2010-05-11 13:38 . 2010-04-15 12:35 -------- d-----w- c:\programdata\Apple Computer
2010-05-11 13:28 . 2010-05-11 13:28 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2010-05-06 08:36 . 2010-03-25 17:35 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-04-16 09:13 . 2010-04-15 12:40 -------- d-----w- c:\users\Buba\AppData\Roaming\Apple Computer
2010-04-15 12:39 . 2010-04-15 12:38 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-15 12:36 . 2010-04-15 12:35 -------- d-----w- c:\program files\QuickTime
2010-04-15 12:34 . 2010-04-15 12:34 -------- d-----w- c:\program files\Apple Software Update
2010-04-15 12:33 . 2010-04-15 12:33 -------- d-----w- c:\programdata\Apple
2010-04-08 11:20 . 2010-04-08 11:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 11:20 . 2010-04-08 11:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-03-30 20:41 . 2010-03-30 20:31 -------- d-----w- c:\users\Buba\AppData\Roaming\Winamp
2010-03-30 20:33 . 2010-03-30 20:31 -------- d-----w- c:\program files\Winamp
2010-03-30 20:32 . 2010-03-30 20:32 -------- d-----w- c:\program files\Winamp Detect
2010-03-30 20:32 . 2010-03-30 20:32 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2010-03-30 19:46 . 2010-03-30 19:44 -------- d-----r- c:\program files\Skype
2010-03-30 19:44 . 2010-03-30 19:44 -------- d-----w- c:\program files\Common Files\Skype
2010-03-30 19:44 . 2010-03-25 17:25 -------- d-----w- c:\programdata\Skype
2010-03-27 20:11 . 2010-03-27 20:09 -------- d--h--w- c:\program files\Temp
2010-03-27 20:09 . 2010-03-27 20:09 -------- d-----w- c:\program files\Realtek
2010-03-27 20:09 . 2010-03-27 20:09 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-27 20:09 . 2010-03-27 20:09 -------- d-----w- c:\program files\Common Files\InstallShield
2010-03-27 19:49 . 2010-03-27 19:49 23456 ----a-w- c:\windows\system32\drivers\DrvAgent32.sys
2010-03-26 19:22 . 2010-03-26 19:22 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2010-03-26 16:19 . 2010-03-26 16:19 -------- d-----w- c:\program files\BitTorrent
2010-03-25 17:25 . 2010-03-25 17:25 56 ---ha-w- c:\programdata\ezsidmv.dat
2010-03-08 21:33 . 2010-04-14 07:36 427520 ----a-w- c:\windows\system32\vbscript.dll
2010-02-27 12:07 . 2010-04-14 07:36 3954568 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-27 12:07 . 2010-04-14 07:36 3899280 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-27 07:32 . 2010-04-14 07:36 221696 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-02-27 07:32 . 2010-04-14 07:36 95744 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-02-27 07:32 . 2010-04-14 07:36 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-03-09 26100520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-11-17 8092192]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2010-01-13 37888]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-21 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-03-25 133104]
R3 DrvAgent32;DrvAgent32;c:\windows\system32\Drivers\DrvAgent32.sys [2010-03-27 23456]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0401000.020\SYMDS.SYS [2009-10-15 328752]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0401000.020\SYMEFA.SYS [2009-11-26 172592]
S1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20100429.001\BHDrvx86.sys [2010-04-29 537136]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0401000.020\ccHPx86.sys [2010-02-25 501888]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20100518.002\IDSvix86.sys [2010-05-18 344112]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0401000.020\Ironx86.SYS [2010-02-27 116784]
S1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\System32\Drivers\N360\0401000.020\SYMTDIV.SYS [2009-11-22 340016]
S2 N360;Norton Security Suite;c:\program files\Norton Security Suite\Engine\4.1.0.32\ccSvcHst.exe [2010-02-25 126392]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-05-18 102448]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-07-13 139776]
S3 SrvHsfPCI;SrvHsfPCI;c:\windows\system32\DRIVERS\VSTBS23.SYS [2009-07-13 266752]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]

.
Contents of the 'Scheduled Tasks' folder

2010-05-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-25 17:48]

2010-05-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-25 17:48]
.
.
------- Supplementary Scan -------
.
uStart Page = https://www.google.com/accounts/Ser...eic6yu9oa4y3&scc=1&ltmpl=default&ltmplcache=2
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Buba\AppData\Roaming\Mozilla\Firefox\Profiles\vq2a0iwb.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://gmail.com
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - component: c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{00000000-6E41-4FD3-8538-502F5495E5FC} - c:\program files\Ask.com\GenericAskToolbar.dll
BHO-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll
Toolbar-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll



[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\N360]
"ImagePath"="\"c:\program files\Norton Security Suite\Engine\4.1.0.32\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\4.1.0.32\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(540)
c:\windows\system32\cryptnet.dll
.
Completion time: 2010-05-25 09:38:04
ComboFix-quarantined-files.txt 2010-05-25 07:38

Pre-Run: 13,990,621,184 bytes free
Post-Run: 14,000,164,864 bytes free

- - End Of File - - EE2AF1F94AC446377021493A43C073EA
 

Attachments

  • ComboFix.txt (15.7 KB)
Okay, that one is gone.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :filefind
    cdplayer.*
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
==================================
Custom CFScript


  • [1]. Close any open browsers.
  • [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • [3]. Open notepad and copy/paste the text in the code below into it:
Code:
File::

Folder::
DDS:
uStart Page = hxxp://eu.ask.com?o=15446&l=dis
c:\program files\ask.com\GenericAskToolbar.dll
c:\program files\ask.com\GenericAskToolbar.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll

Registry::
Driver::
FCopy::
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
====================
Run Eset NOD32 Online AntiVirus Scanner HERE
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
===================================
P2P or 'file sharing' Warning:
I would like to make you aware of the following:
You have both Bit Torrent and eMule on the system: These are both file sharing programs.

Note: Even if you are using a "safe" P2P program, it is only the program that is safe. I suggest that you uninstall Bit Torrent and eMule for the following reasons:
  • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
  • Malware writers use these programs to include malicious content.
  • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
  • The 'sharing' also includes malware that the shared system has on it.
  • Files that are illegal can be spread through file sharing.

Please read the information on P2P Warning to help you better understand these dangers.

There is much discussion and controversy about downloading or uploading copyrighted material using eMule. If this is monitored by your ISP, it is a possibility that they could close your account. If you decide not to uninstall these programs, please do not use them while I am helping clean the system.
 
SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 12:53 on 26/05/2010 by Buba (Administrator - Elevation successful)

========== filefind ==========

Searching for "cdplayer.*"
C:\Windows.old\Windows\system32\cdplayer.exe.manifest -rah-- 749 bytes [21:53 04/12/2009] [21:53 04/12/2009] 5A5CFF37F1BD0F86B9BDAAD7A9445882

-=End Of File=-

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=d3f8ba2dca31b4429e1d3d1a801dafcf
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-05-26 01:28:12
# local_time=2010-05-26 03:28:12 (+0100, Central Europe Daylight Time)
# country="United States"
# lang=1033
# osver=6.1.7600 NT
# compatibility_mode=768 16777215 100 0 5338534 5338534 0 0
# compatibility_mode=3589 16777213 80 86 519677 38242497 0 0
# compatibility_mode=5893 16776574 100 94 692434 27326793 0 0
# compatibility_mode=8192 67108863 100 0 305 305 0 0
# scanned=118396
# found=7
# cleaned=0
# scan_time=6289
C:\Windows.old\Windows\system32\dllcache\cdrom.sys Win32/Protector.I virus 00000000000000000000000000000000 I
C:\Windows.old\Windows\system32\drivers\cdrom.sys Win32/Protector.I virus 00000000000000000000000000000000 I
C:\Windows.old\Windows\system32\drivers\wcscd.sys Win32/Protector.I virus 00000000000000000000000000000000 I
C:\Windows.old\Windows\Temp\cdfss Win32/Protector.I virus 00000000000000000000000000000000 I
F:\System Volume Information\_restore{73A8B94A-004F-409C-8D7F-CAC68CD91880}\RP111\A0018885.exe a variant of Win32/Kryptik.DCT trojan 00000000000000000000000000000000 I
F:\System Volume Information\_restore{73A8B94A-004F-409C-8D7F-CAC68CD91880}\RP111\A0018886.inf INF/Autorun virus 00000000000000000000000000000000 I
F:\Limewire 1\[iTunes] moonlightning theme(long edition).mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan 00000000000000000000000000000000 I
 

Attachments

  • ComboFix.txt (15.2 KB)
Well, now you've come full circle! Let's see if this keeps it gone:

Please download OTMoveIt by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :Processes	
    
    :Services
    
    :Reg
    
    :Files  
    C:\Windows.old\Windows\system32\dllcache\cdrom.sys 
    C:\Windows.old\Windows\system32\drivers\cdrom.sys 
    C:\Windows.old\Windows\system32\drivers\wcscd.sys 
    C:\Windows.old\Windows\Temp\cdfss 
    F:\Limewire 1\[iTunes] moonlightning theme(long edition).mp3 
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
==========================================
When you attempted to download the mp3 from LimeWire, you were told you needed to get a Codec to play it. When you got that codec, you also got TrojanDownloader.
F:\Limewire 1\[iTunes] moonlightning theme(long edition).mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan
And it's on the D Drive. If this is a flash drive, you will need to disinfect that also.

You probably saw a screen something like this:
wimad.JPG

Courtesy BitDefender
==============================
Win32/Protector.* is a virus that is encrypted to infect a computer without being noticed. Source code is written by a programmer in a high-level language and readable by people but not computers. Win32/Protector can block Internet access and can connect to a remote computer and also download other malware.
============================
After you have run OTMoveIt, I'd like you to do the following, then post the results:

  • Make sure to use Internet Explorer for this
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
    • c:\windows\system32\userinit.exe
  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.
Also scan these:

C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe


Before I have you do any more, I need to see the result of this scan.
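As an added example (not code from this thread, from ESET, or from either poster), here is a small Python triage script for the ESET Online Scanner log posted above: it parses the `# key=value` header and the detection lines, then sorts each hit into the buckets the reply above works through, i.e. stale copies under Windows.old, System Restore snapshots, files on another volume, and anything left on the live system drive. The embedded sample is a constructed abridgement of the thread's log; the handling of a `probably` prefix in threat names is an assumption about ESET's wording.

```python
"""Triage an ESET Online Scanner log: parse the '# key=value' header and the
detection lines, then group hits by where they live (stale Windows.old copy,
System Restore snapshot, another volume, or the live system drive)."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: an abridgement of the ESET log posted in this thread
# (header lines, then one detection per line).
SAMPLE_LOG = r"""
# version=7
# OnlineScannerApp.exe=1.0.0.1
# osver=6.1.7600 NT
# scanned=118396
# found=7
# cleaned=0
# scan_time=6289
C:\Windows.old\Windows\system32\dllcache\cdrom.sys Win32/Protector.I virus 00000000000000000000000000000000 I
C:\Windows.old\Windows\system32\drivers\cdrom.sys Win32/Protector.I virus 00000000000000000000000000000000 I
C:\Windows.old\Windows\system32\drivers\wcscd.sys Win32/Protector.I virus 00000000000000000000000000000000 I
C:\Windows.old\Windows\Temp\cdfss Win32/Protector.I virus 00000000000000000000000000000000 I
F:\System Volume Information\_restore{73A8B94A-004F-409C-8D7F-CAC68CD91880}\RP111\A0018885.exe a variant of Win32/Kryptik.DCT trojan 00000000000000000000000000000000 I
F:\System Volume Information\_restore{73A8B94A-004F-409C-8D7F-CAC68CD91880}\RP111\A0018886.inf INF/Autorun virus 00000000000000000000000000000000 I
F:\Limewire 1\[iTunes] moonlightning theme(long edition).mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan 00000000000000000000000000000000 I
"""

# A detection line is: <path> <threat description> <32-hex-digit hash> <action>.
# Both the path and the threat description may contain spaces, so the split
# relies on Windows paths never containing '/' while ESET family names always
# do (Win32/..., INF/..., WMA/...), optionally prefixed by "a variant of".
# The "probably" prefix is an assumption about ESET's wording.
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?P<threat>(?:probably\s+)?(?:a variant of\s+)?\S*/\S+.*?)\s+"
    r"(?P<hash>[0-9A-Fa-f]{32})\s+(?P<action>\S+)$"
)


@dataclass
class Detection:
    path: str
    threat: str
    hash: str
    action: str
    location: str


def classify(path: str, system_drive: str = "C:") -> str:
    """Bucket a detected path by how much it matters to the running system."""
    upper = path.upper()
    if "\\WINDOWS.OLD\\" in upper:
        return "windows.old"        # leftover pre-upgrade copy, not the live OS
    if "\\SYSTEM VOLUME INFORMATION\\" in upper:
        return "restore_point"      # sits inside a System Restore snapshot
    if not upper.startswith(system_drive.upper()):
        return "other_volume"       # second disk or removable drive
    return "live_system"            # on the system drive: needs attention first


def parse_eset_log(text: str, system_drive: str = "C:"):
    """Return (header dict, list of Detection, list of lines that did not parse)."""
    header, detections, unparsed = {}, [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].strip().partition("=")
            header[key.strip()] = value.strip()   # repeated keys keep the last value
            continue
        m = DETECTION_RE.match(line)
        if m:
            detections.append(Detection(m["path"], m["threat"], m["hash"],
                                        m["action"], classify(m["path"], system_drive)))
        else:
            unparsed.append(line)
    return header, detections, unparsed


def triage(text: str, system_drive: str = "C:") -> dict:
    """Summarise a log and cross-check the parsed count against the 'found=' header."""
    header, detections, unparsed = parse_eset_log(text, system_drive)
    found = int(header.get("found", "0"))
    return {
        "found_in_header": found,
        "parsed": len(detections),
        "consistent": found == len(detections) and not unparsed,
        "by_location": dict(Counter(d.location for d in detections)),
        "live_system": [d.path for d in detections if d.location == "live_system"],
        "threats": sorted({d.threat for d in detections}),
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Run it over a real `C:\Program Files\EsetOnlineScanner\log.txt` by passing the file contents to `triage()`; a non-empty `live_system` list or `consistent: False` is the signal to look closer.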
 
All processes killed
========== PROCESSES ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
C:\Windows.old\Windows\system32\dllcache\cdrom.sys moved successfully.
C:\Windows.old\Windows\system32\drivers\cdrom.sys moved successfully.
C:\Windows.old\Windows\system32\drivers\wcscd.sys moved successfully.
C:\Windows.old\Windows\Temp\cdfss moved successfully.
F:\Limewire 1\[iTunes] moonlightning theme(long edition).mp3 moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Buba
->Temp folder emptied: 1290 bytes
->Temporary Internet Files folder emptied: 33639 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 37712331 bytes
->Google Chrome cache emptied: 5876372 bytes
->Flash cache emptied: 5321 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 42.00 mb


OTM by OldTimer - Version 3.1.12.0 log created on 05272010_091945

- - - - - - -
Question:
Your comment: “…And it's on the D Drive. If this is a flash drive, you will need to disinfect that also…”
To the best of my knowledge, D Drive is not a flash drive but local, if I can call it so. F Drive (Transcend) is a flash drive. Will you guide me through disinfecting those as well?
- - - - - - - -

VirSCAN.org Scanned Report :
Scanned time : 2010/05/27 15:37:54 (CST)
Scanner results: Scanners did not find malware!
File Name : userinit.exe
File Size : 26112 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 6de80f60d7de9ce6b8c2ddfdf79ef175
SHA1 : 8d439a6186ff526403989ac217dfe8e3a2d8bc2c
Online report : http://virscan.org/report/4864d9d2a93cc173b28fa6e04caf3703.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 5.0.0.8 20100527023509 2010-05-27 0.41 -
AhnLab V3 2010.05.27.01 2010.05.27 2010-05-27 1.21 -
AntiVir 8.2.1.242 7.10.7.181 2010-05-26 0.27 -
Antiy 2.0.18 20100525.4450001 2010-05-25 0.02 -
Arcavir 2009 201005261728 2010-05-26 0.03 -
Authentium 5.1.1 201005270049 2010-05-27 1.44 -
AVAST! 4.7.4 100526-1 2010-05-26 0.01 -
AVG 8.5.793 271.1.1/2898 2010-05-27 0.25 -
BitDefender 7.90123.6098002 7.31855 2010-05-27 4.14 -
ClamAV 0.96.1 11085 2010-05-27 0.01 -
Comodo 3.13.579 4942 2010-05-25 0.88 -
CP Secure 1.3.0.5 2010.05.27 2010-05-27 0.04 -
Dr.Web 5.0.2.3300 2010.05.27 2010-05-27 7.62 -
F-Prot 4.4.4.56 20100526 2010-05-26 1.37 -
F-Secure 7.02.73807 2010.05.27.01 2010-05-27 0.05 -
Fortinet 4.1.133 11.984 2010-05-26 0.16 -
GData 21.237/21.79 20100527 2010-05-27 6.92 -
ViRobot 20100525 2010.05.25 2010-05-25 0.36 -
Ikarus T3.1.01.84 2010.05.27.75944 2010-05-27 6.51 -
JiangMin 13.0.900 2010.05.24 2010-05-24 1.20 -
Kaspersky 5.5.10 2010.05.26 2010-05-26 0.09 -
KingSoft 2009.2.5.15 2010.5.27.7 2010-05-27 0.68 -
McAfee 5400.1158 5994 2010-05-26 16.89 -
Microsoft 1.5802 2010.05.27 2010-05-27 8.55 -
Norman 6.04.12 6.04.00 2010-05-26 8.07 -
Panda 9.05.01 2010.05.26 2010-05-26 2.00 -
Trend Micro 9.120-1004 7.202.03 2010-05-26 0.03 -
Quick Heal 10.00 2010.05.27 2010-05-27 1.68 -
Rising 20.0 22.49.03.01 2010-05-27 1.35 -
Sophos 3.07.1 4.53 2010-05-27 3.92 -
Sunbelt 3.9.2424.2 6362 2010-05-26 7.30 -
Symantec 1.3.0.24 20100526.006 2010-05-26 0.06 -
nProtect 20100526.01 8495632 2010-05-26 7.88 -
The Hacker 6.5.2.0 v00287 2010-05-25 0.34 -
VBA32 3.12.12.5 20100526.0824 2010-05-26 2.72 -
VirusBuster 4.5.11.10 10.126.51/2030399 2010-05-26 2.48 -


VirSCAN.org Scanned Report :
Scanned time : 2010/05/27 15:45:40 (CST)
Scanner results: Scanners did not find malware!
File Name : explorer.exe
File Size : 2614272 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 2626fc9755be22f805d3cfa0ce3ee727
SHA1 : d76db4dcd710be9c3314cff94824933847565372
Online report : http://virscan.org/report/c378b27e6b2fe606c8a3a439e3f4d051.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 5.0.0.8 20100527023509 2010-05-27 0.40 -
AhnLab V3 2010.05.27.01 2010.05.27 2010-05-27 1.15 -
AntiVir 8.2.1.242 7.10.7.181 2010-05-26 0.31 -
Antiy 2.0.18 20100525.4450001 2010-05-25 0.02 -
Arcavir 2009 201005261728 2010-05-26 0.14 -
Authentium 5.1.1 201005270049 2010-05-27 3.13 -
AVAST! 4.7.4 100526-1 2010-05-26 0.12 -
AVG 8.5.793 271.1.1/2898 2010-05-27 0.33 -
BitDefender 7.90123.6098002 7.31855 2010-05-27 3.89 -
ClamAV 0.96.1 11085 2010-05-27 0.70 -
Comodo 3.13.579 4942 2010-05-25 1.31 -
CP Secure 1.3.0.5 2010.05.27 2010-05-27 0.49 -
Dr.Web 5.0.2.3300 2010.05.27 2010-05-27 7.84 -
F-Prot 4.4.4.56 20100526 2010-05-26 2.80 -
F-Secure 7.02.73807 2010.05.27.01 2010-05-27 0.12 -
Fortinet 4.1.133 11.984 2010-05-26 0.21 -
GData 21.237/21.79 20100527 2010-05-27 7.09 -
ViRobot 20100525 2010.05.25 2010-05-25 0.37 -
Ikarus T3.1.01.84 2010.05.27.75944 2010-05-27 6.88 -
JiangMin 13.0.900 2010.05.24 2010-05-24 1.19 -
Kaspersky 5.5.10 2010.05.26 2010-05-26 0.09 -
KingSoft 2009.2.5.15 2010.5.27.7 2010-05-27 0.65 -
McAfee 5400.1158 5994 2010-05-26 16.18 -
Microsoft 1.5802 2010.05.27 2010-05-27 6.43 -
Norman 6.04.12 6.04.00 2010-05-26 8.01 -
Panda 9.05.01 2010.05.26 2010-05-26 2.21 -
Trend Micro 9.120-1004 7.202.03 2010-05-26 0.04 -
Quick Heal 10.00 2010.05.27 2010-05-27 2.52 -
Rising 20.0 22.49.03.01 2010-05-27 1.48 -
Sophos 3.07.1 4.53 2010-05-27 3.97 -
Sunbelt 3.9.2424.2 6362 2010-05-26 8.73 -
Symantec 1.3.0.24 20100526.006 2010-05-26 0.14 -
nProtect 20100526.01 8495632 2010-05-26 7.85 -
The Hacker 6.5.2.0 v00287 2010-05-25 0.43 -
VBA32 3.12.12.5 20100526.0824 2010-05-26 3.00 -
VirusBuster 4.5.11.10 10.126.51/2030399 2010-05-26 3.51 -


VirSCAN.org Scanned Report :
Scanned time : 2010/05/27 15:48:49 (CST)
Scanner results: Scanners did not find malware!
File Name : svchost.exe
File Size : 20992 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 54a47f6b5e09a77e61649109c6a08866
SHA1 : 4af001b3c3816b860660cf2de2c0fd3c1dfb4878
Online report : http://virscan.org/report/1cd9b770b8b29ac9982e0858c0d173c1.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 5.0.0.8 20100527023509 2010-05-27 0.49 -
AhnLab V3 2010.05.27.01 2010.05.27 2010-05-27 1.29 -
AntiVir 8.2.1.242 7.10.7.181 2010-05-26 0.26 -
Antiy 2.0.18 20100525.4450001 2010-05-25 0.02 -
Arcavir 2009 201005261728 2010-05-26 0.03 -
Authentium 5.1.1 201005270049 2010-05-27 1.42 -
AVAST! 4.7.4 100526-1 2010-05-26 0.01 -
AVG 8.5.793 271.1.1/2898 2010-05-27 0.29 -
BitDefender 7.90123.6098002 7.31855 2010-05-27 4.13 -
ClamAV 0.96.1 11085 2010-05-27 0.01 -
Comodo 3.13.579 4942 2010-05-25 2.34 -
CP Secure 1.3.0.5 2010.05.27 2010-05-27 0.04 -
Dr.Web 5.0.2.3300 2010.05.27 2010-05-27 7.87 -
F-Prot 4.4.4.56 20100526 2010-05-26 2.00 -
F-Secure 7.02.73807 2010.05.27.01 2010-05-27 0.05 -
Fortinet 4.1.133 11.984 2010-05-26 0.36 -
GData 21.237/21.79 20100527 2010-05-27 7.97 -
ViRobot 20100525 2010.05.25 2010-05-25 0.38 -
Ikarus T3.1.01.84 2010.05.27.75944 2010-05-27 7.00 -
JiangMin 13.0.900 2010.05.24 2010-05-24 1.20 -
Kaspersky 5.5.10 2010.05.26 2010-05-26 0.10 -
KingSoft 2009.2.5.15 2010.5.27.7 2010-05-27 0.64 -
McAfee 5400.1158 5994 2010-05-26 17.49 -
Microsoft 1.5802 2010.05.27 2010-05-27 6.80 -
Norman 6.04.12 6.04.00 2010-05-26 8.01 -
Panda 9.05.01 2010.05.26 2010-05-26 4.03 -
Trend Micro 9.120-1004 7.202.03 2010-05-26 0.04 -
Quick Heal 10.00 2010.05.27 2010-05-27 2.75 -
Rising 20.0 22.49.03.01 2010-05-27 1.27 -
Sophos 3.07.1 4.53 2010-05-27 4.20 -
Sunbelt 3.9.2424.2 6362 2010-05-26 7.12 -
Symantec 1.3.0.24 20100526.006 2010-05-26 0.06 -
nProtect 20100526.01 8495632 2010-05-26 7.95 -
The Hacker 6.5.2.0 v00287 2010-05-25 0.32 -
VBA32 3.12.12.5 20100526.0824 2010-05-26 2.68 -
VirusBuster 4.5.11.10 10.126.51/2030399 2010-05-26 2.35 -
 
Good. That scan lets us know if there is a Virut infection. It's always a good thing to see 'no malware found' in this scan!

We have resolved the problem in your Post #1. Looks like you used the flash drive (F) for the LimeWire download so you know it's infected!

Threat Removal Procedure:

  1. Download Flash_Disinfector and save it to your Desktop.
  2. After downloading, double-click on Flash_Disinfector to run it.
  3. Just follow the prompts and continue until it begins scanning.
     [image: flash-disinfector.jpg]
  4. If asked to insert your flash drive or any removable device, including a USB pen drive or memory stick, please do so.
  5. It will scan removable drives; wait for the scan to finish. Done.

Please download the HijackThis Installer HERE and save to the desktop:
  1. Double-click on HJTInstall.exe to run the program.
  2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
  3. Accept the license agreement by clicking the "I Accept" button.
  4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
  5. Click "Save log" to save the log file and then the log will open in notepad.
  6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

Then repeat the Eset scan. Leave both logs in your next reply.
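The helper's point above is that a clean VirSCAN result on userinit.exe, explorer.exe and svchost.exe rules out a Virut file infection, and the MD5/SHA-1 values in those reports are a useful baseline to keep. The following is an added example by the editor, not code from the thread or from any of the tools it mentions: it re-hashes a binary against a recorded baseline and applies a cheap PE-header heuristic for appended-code file infectors (entry point inside the last section, or a last section that is both writable and executable). The baseline dictionary, the `build_minimal_pe()` sample image and all names are constructed for this example; a heuristic hit means "look closer", not "infected".

```python
"""Added example (not from the thread): re-check a system binary after clean-up by
hashing it against a recorded baseline and applying a PE heuristic for appended-code
file infectors such as Virut.  build_minimal_pe() builds a constructed sample image."""
import hashlib
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
IMAGE_SCN_MEM_READ = 0x40000000


def hash_bytes(data: bytes) -> dict:
    """MD5 and SHA-1, the two digests the VirSCAN reports list per file."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest()}


def parse_pe(data: bytes):
    """Return (entry_point_rva, [(name, virtual_addr, virtual_size, characteristics)])."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    opt_off = pe_off + 24                                      # optional header follows COFF header
    entry = struct.unpack_from("<I", data, opt_off + 16)[0]    # AddressOfEntryPoint
    sections = []
    for i in range(num_sections):
        off = opt_off + opt_size + 40 * i                      # 40-byte IMAGE_SECTION_HEADER
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr = struct.unpack_from("<II", data, off + 8)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append((name, vaddr, vsize, chars))
    return entry, sections


def infector_indicators(data: bytes) -> list:
    """Heuristic only: a hit means 'look closer'; a clean multi-scanner result still counts."""
    entry, sections = parse_pe(data)
    if not sections:
        return ["no section table"]
    name, vaddr, vsize, chars = sections[-1]
    flags = []
    if vaddr <= entry < vaddr + max(vsize, 1):
        flags.append(f"entry point 0x{entry:x} lies in last section {name!r}")
    if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
        flags.append(f"last section {name!r} is writable and executable")
    return flags


def check_against_baseline(data: bytes, baseline: dict) -> dict:
    """Compare a freshly read binary with the digests recorded when it last scanned clean."""
    d = hash_bytes(data)
    return {"md5_match": d["md5"] == baseline.get("md5"),
            "sha1_match": d["sha1"] == baseline.get("sha1"),
            "indicators": infector_indicators(data)}


def check_file(path: str, baseline: dict) -> dict:
    """Same check on a file on disk, e.g. C:\\Windows\\system32\\userinit.exe."""
    with open(path, "rb") as fh:
        return check_against_baseline(fh.read(), baseline)


def build_minimal_pe(entry_rva: int, last_chars: int) -> bytes:
    """Constructed sample: a two-section PE32 header skeleton with no real code,
    just enough for parse_pe() so the checks can be exercised offline."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew -> 0x40
    opt = bytearray(96)                                            # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                          # Magic
    struct.pack_into("<I", opt, 16, entry_rva)                     # AddressOfEntryPoint
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x0102)

    def section(name, vaddr, vsize, chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, vsize, 0, 0, 0, 0, 0, chars)

    text = section(b".text", 0x1000, 0x1000, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    last = section(b".rsrc", 0x2000, 0x1000, last_chars)
    return dos + b"PE\0\0" + coff + bytes(opt) + text + last


if __name__ == "__main__":
    # Baseline recorded while the file scanned clean (constructed here).
    clean = build_minimal_pe(0x1000, IMAGE_SCN_MEM_READ)
    baseline = hash_bytes(clean)
    tampered = build_minimal_pe(0x2010, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE)
    print(check_against_baseline(clean, baseline))
    print(check_against_baseline(tampered, baseline))
```

Hashes catch any change at all, so they are the primary check once a baseline exists; the section heuristic is there for the case where no baseline was recorded before the infection, and it will miss infectors that repack the whole file.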
 
It looks as if I am having some problem running the Flash Disinfector.
I saved the Flash_Disinfector.exe file from the link you provided.
After downloading, I double-clicked on Flash_Disinfector in the Downloads window.
From the User Account Control window I allowed the installed program to make changes.
Then it looks like nothing is happening.
I searched for Flash_Disinfector and found Flash_Disinfector.exe.
I clicked on it and still nothing.
I have tried it a few times with the flash drive connected and not connected; the only visible difference is that when the flash drive or memory stick is connected, a Program Compatibility Assistant window shows up with the message: This program might not have installed correctly, giving the options of Reinstall using recommended settings or This program installed correctly. I tried both, with the same visible effect.
I do not know if the scan starts at all.
 
About the same thing happens when I try to start Flash_Disinfector from the Administrator account: after downloading and double-clicking to run it, an Open File – Security Warning window appears with the message that the publisher could not be verified, and options to run or cancel.
After clicking on run in this window, a new window appears, again with the message that the program might not have installed correctly and the options to reinstall using recommended settings or this program installed correctly.
I tried the option reinstall using recommended settings, and still the same effect.
I have also right-clicked on the Flash Disinfector desktop icon and chosen troubleshoot compatibility:
There I am given two options. Try recommended settings gives the following result:
Windows compatibility mode: Windows XP (SP2), with the option to start the program to make sure that these new settings have fixed the problem, but it still does not want to start.
I am using Windows 7.
Or the option troubleshoot program, with a problem list of different options such as:
Program worked in earlier Windows
Program opens but doesn’t display
Requires additional permission
Don’t see my problem listed: when I click on this it gives different versions of Windows but not 7, and asks on which program it ran earlier.
I don’t know if this is compatible with 7 or if there is some other issue why I can’t start this.
 
Program worked in earlier Windows

Select the Compatibility tab > enter Windows XP for the earlier version.

I'll check later on and see if this program won't work on W7.
 
In Administrator – Flash Disinfector Properties – Compatibility tab,
I entered Windows XP (Service Pack 2 & 3) as well as Vista, but the program still won't run.
 
I don’t know if it scans at all, but I do not think so.
No scanning window or scanning message of any kind appeared at all.
As I don’t know if any scanning window or message usually appears with Flash Disinfector at all, I tried a few times to run Flash Disinfector with and without the flash drive or other removable device connected.
And there was no difference whatsoever, including no appearance of the messages "please plug in / insert".
I did not proceed yet with the HJT, thinking that Flash Disinfector should be completed first.
As I also use the flash drive in question with some other computers, I don’t want to infect them as well.
 
I have checked many forums for comments on this program. It is safe and legitimate:

I've used this program a few months ago to fix the worm auto-run issue when I had tried to open my participation drives but couldn't, so running this fixed the issue, allowing me to open them after the attack. It is still supposed to work on USB drives too. It's not malware, but you would think it was after you run it though. Your screen goes blank, then returns, and the problem is gone.

It appears that some security programs complain about it! Is it possible for you to run your antivirus program on the flash drive?
 
Yes, I was able to run the Norton Security Suite virus scan on F:.
I scanned it from Administrator.
If this tells you anything:
Result: No viruses or spyware detected.
Details:
Files & Directories: 22,625
Registry Entries: 0
Processes & Start-Up Items: 0
Network & Browser Items: 0
Other: 0
Trusted Files: 0
Skipped Files: 2
I ran the scan a second time, as I forgot to save the log, and the second time it scanned 15,651 Files & Directories and skipped 14,692.
I am including this log here:
Category: Scan Results
Date & Time,Risk,Activity,Status,Task Name,Scan Time (d:h:m:s),Total items scanned,Files & Directories,Registry Entries,Processes & Start-Up Items,Network & Browser Items,Other,Trusted Files,Skipped Files,Total Security Risks Detected,Total Security Risks Resolved,Total Security Risks Requiring Attention
5/30/2010 12:28 PM,Info,Custom scan results,Completed,Custom scan,0:00:00:57,"15,651","15,651",0,0,0,0,0,"14,692",0,0,0
 
Were there any numbers for these sections?

Total Security Risks Detected,
Total Security Risks Resolved
Total Security Risks Requiring Attention
 
Are you noting any symptoms of the malware remaining? I'm thinking that I removed the file on the F Drive and the flash is clean.

I'll check HijackThis to see if there are any bad entries remaining:

Download the HijackThis Installer HERE and save to the desktop:
  1. Double-click on HJTInstall.exe to run the program.
  2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
  3. Accept the license agreement by clicking the "I Accept" button.
  4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
  5. Click "Save log" to save the log file and then the log will open in notepad.
  6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

If there are any remaining problems, please let me know now.
 
“…Are you noting any symptoms of the malware remaining? I'm thinking that I removed the file on the F Drive and the flash is clean….”
The Norton Security Suite run automatic scan, with no flash attached, and came across Hacktool.Rootkit!Inf again.
Here are some details that I found in the AV File Insight, if it tells you something:
Wcscd.sys
Infected file: c:\_OTM\movedfiles\05272010_091945\c_windows.old\Windows\system31\drivers\wcscd.sys

Also the computer is tremendously slow, much more than before, with a lot of programs freezing (not responding). I do not know if this is also due to Skype (I turned off automatic start-up, and will see the progress) or Norton Security Suite, as someone complained that this slows down the system, or because of the virus.
In addition, on my desktop, two icons both titled desktop.ini showed up.
--------
The first time I ran HijackThis, I got the following message:
For some reason your system denied write access to the Hosts file. If any hijacked domains are in this file, HijackThis may NOT be able to fix this.
If this happens, you need to edit the file yourself. To do this, click Start, Run and type:
Notepad C:\Windows\System32\drivers\etc\hosts
And press Enter. Find the line(s) HijackThis reports and delete them.
Save the file as ‘hosts’ (with quotes), and reboot.
---------
Then I logged off and logged back in as Administrator, where the computer runs better.
I downloaded HijackThis again.
This time HijackThis worked fine and well.
Here is the log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 4:35:43 PM, on 5/31/2010
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Program Files\Norton Security Suite\Engine\4.1.0.32\ccSvcHst.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Security Suite\Engine\4.1.0.32\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Security Suite\Engine\4.1.0.32\IPSBHO.DLL
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GR469A~1.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security Suite\Engine\4.1.0.32\coIEPlg.dll
O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GRA32A~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton Security Suite (N360) - Symantec Corporation - C:\Program Files\Norton Security Suite\Engine\4.1.0.32\ccSvcHst.exe

--
End of file - 4518 bytes
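The HijackThis log above is what the helper wanted to review for "bad entries", and the message Ved quoted says HijackThis could not write to the hosts file. As an added example by the editor (not code from the thread, from HijackThis or from any tool named in it), the following triage pass pulls the file path out of O2/O4/O23 entries and flags paths in places a legitimate autostart or service rarely lives (Temp, Recycler, Users\Public, the root of a drive), and flags O1 hosts entries that pin a name to anything other than loopback or 0.0.0.0. Three sample lines are taken from the posted log; the HKCU svchost line and both O1 lines are constructed to show what a bad entry would look like. The function names and the suspect-directory list are the editor's choices.

```python
"""Added example (not from the thread): triage of HijackThis-style log lines.
Flags autostart/service paths in throwaway locations and hosts entries that
redirect a name away from loopback.  Constructed sample lines are marked below."""
import ipaddress
import re

# Windows path ending in an executable-type extension, quoted or not.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|sys|bat|cmd|scr))\b', re.I)
# Directories a legitimate Run entry or service rarely runs from (editor's list).
SUSPECT_DIRS = ("\\temp\\", "\\tmp\\", "\\recycler\\", "\\users\\public\\")

SAMPLE_LOG = [
    # lines from the posted HijackThis log
    r'O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll',
    r'O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"',
    r'O23 - Service: Norton Security Suite (N360) - Symantec Corporation - C:\Program Files\Norton Security Suite\Engine\4.1.0.32\ccSvcHst.exe',
    # constructed lines showing what a bad entry would look like
    r'O4 - HKCU\..\Run: [svchost] C:\Users\Buba\AppData\Local\Temp\svchost.exe',
    r'O1 - Hosts: 192.0.2.10 update.example.com',
    r'O1 - Hosts: 127.0.0.1 localhost',
]


def extract_path(entry: str):
    """First Windows executable/DLL/driver path in a log entry, or None."""
    m = PATH_RE.search(entry)
    return m.group(1) if m else None


def suspicious_location(path: str):
    """Reason string if the path is somewhere an autostart should not live."""
    low = path.lower()
    for marker in SUSPECT_DIRS:
        if marker in low:
            return f"runs from a {marker.strip(chr(92)).split(chr(92))[-1]} directory"
    if low.count("\\") == 1:            # e.g. C:\x.exe
        return "runs from the root of a drive"
    return None


def hosts_redirect(entry: str):
    """For 'O1 - Hosts: <ip> <name>' entries, flag anything not loopback/0.0.0.0."""
    m = re.match(r"O1 - Hosts:\s+(\S+)\s+(\S+)", entry)
    if not m:
        return None
    ip, name = m.groups()
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return f"unparseable address {ip!r} for {name}"
    if addr.is_loopback or addr.is_unspecified:   # 127.x / ::1 / 0.0.0.0 are normal
        return None
    return f"{name} is pinned to {ip}"


def triage(lines):
    """Return [{'entry': line, 'reason': why}] for every entry worth a closer look."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not re.match(r"^[RO]\d+ - ", line):     # only R0/R1/O* log entries
            continue
        reason = hosts_redirect(line)
        if reason is None:
            path = extract_path(line)
            if path:
                reason = suspicious_location(path)
        if reason:
            findings.append({"entry": line, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["reason"], "<-", f["entry"])
```

This only narrows the list; a clean-looking path under Program Files can still be a bad file, which is why the helper paired the log review with the VirSCAN checks, and an unresolvable hosts file (as in the message above) has to be edited by hand with the rights HijackThis was denied.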
 