WiredWX Christian Hobby Weather Tools

SystemTool virus caused hard disk error? Can't start Windows Vista

Hi,
Have never posted on a site like this so here goes...

We have somehow got the SystemTool virus ("you're in danger etc etc") which appeared suddenly on our Dell Inspiron 1545 (running Windows Vista). We have McAfee but that obviously hasn't stopped it.

We have the wallpaper that others describe, etc, and it has disabled the McAfee and also my copy of MalWare MBAM which I still had on my desktop from a few months ago when we had a problem with malware.

It shut down the computer suddenly and when trying to reboot we got the black screen with white text saying "Windows cannot start..." etc etc.
I have tried to reboot in SafeMode (using F8) and we still get "Windows cannot start".

I selected StartUp Repair but I got "StartUp repair cannot repair this computer automatically".

I ran the Advanced Diagnostics, got to Symptom Tree and selected "cannot boot up OS" (or something equivalent to that) - passed most of the tests but in the end got an error message 0F00:1332 and 06 said CorruptVolume (I've noticed a lot of people on these forums seem to get CorruptFile at this point but mine was definitely Corrupt Volume).

I then tried Last Known Good Configuration and this did start the machine so I can see the desktop but I think I'm right in assuming that it's not SafeMode? It's still infected, showing the same wallpaper, fake SystemTool scanner, warnings that your computer is infected etc and I can't run any of the antivirus stuff or perform a scan etc (as I said above). I have been searching online for help and one site said to stop the virus (before removing it) I should right click on the fake client (I don't understand what this is?!) and find the .exe name, then go and rename it. Is this correct? How do I do this?

Basically I am out of my depth and don't know whether I caused more harm by going back into it in Last Known Good Configuration. I am also worried that my hard disk is damaged as googling the error codes I've got so far, it sounds bad!

Can anyone help?! I would really appreciate it. I'm finding that it's a bit mindblowing trying to search other people's posts who've had similar problems, as they are never quite the same as mine and I don't know enough about computers to determine what is relevant to me!
Thanks in advance!
joanne

PS forgot to say, I see that you recommend downloading the OTL program and running this to get an idea of what's going on - but I'm not sure the virus will let me open Internet Explorer - and I'm worried that I'll spread the virus if I open IE. Can I get the OTL onto the computer in another way?

Re: SystemTool virus caused hard disk error? Can't start Windows Vista

Hello.

Please download ComboFix from BleepingComputer.com

Alternate link: GeeksToGo.com


Rename ComboFix.exe to commy.exe before you save it to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here
  • Click Start then copy paste the following command into the search box & hit enter: "%userprofile%\desktop\commy.exe" /stepdel
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. This will not install in Vista. Just continue scanning, and skip the console install.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: SystemTool virus caused hard disk error? Can't start Windows Vista

Hi there

Strange thing happened - when I turned on the computer ready to do what you suggested, it started normally. I didn't get the black screen with "Windows cannot start" message as I had the past several times since the virus appeared. It then opened normally and there is no sign of the pop up boxes and strange binary background wallpaper. Can these viruses lie low and then reappear?? I can't understand where it's "gone"? Is it because I removed my Internet connection?

Anyway I turned off McAfee then tried to run the commy.exe that you suggested. Despite several tries I kept getting an Advanced Search box saying Nothing found. I searched your forum for others having this problem and saw that you often recommend a full scan using Malwarebytes. As I have this installed already from a previous problem, I thought I'd run it while I can (when the virus was apparent, it wouldn't let me open that icon or the McAfee).

Below is the result of that full scan, it said 5 items infected and I clicked "Remove them" - however 2 couldn't be removed.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4862

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.19019

05/03/2011 22:35:06
mbam-log-2011-03-05 (22-35-06).txt

Scan type: Full scan (C:\|E:\|)
Objects scanned: 308583
Time elapsed: 1 hour(s), 20 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gliboce (Trojan.Agent.U) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wfini (Trojan.Agent.U) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Joanne\AppData\Local\Temp\0.6729536779214181.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Users\Joanne\AppData\Local\coecon.dll (Trojan.Agent.U) -> Delete on reboot.
C:\Users\Joanne\AppData\Local\ezidevibeb.dll (Trojan.Agent.U) -> Delete on reboot.

As I type this I am running a full scan using McAfee as I thought I might as well (again, I am surprised I'm able to do this as the virus wouldn't let me the other day!).

Could you please give me an idea of where to go from here? Should I still be trying to run ComboFix or are there other programs I need to run?
Many thanks.

Re: SystemTool virus caused hard disk error? Can't start Windows Vista

Yes please, run Combofix.


Re: SystemTool virus caused hard disk error? Can't start Windows Vista

Hello

I still couldn't get Combofix to work in the way you instructed, i.e. by entering that command into the search box, the Advanced search box just keeps coming up saying not found.
So I just double clicked on the icon and ran it anyway. I now have an error message dialog box saying
Error loading C:\Users\Joanne\AppData\Local\coecon.dll
C:\Users\Joanne\AppData\Local\coecon.dll is not a valid Win32 application.

This box came up many many times. I clicked ok each time but they came up regularly - like every 30secs.

I copied the log below. I see it mentions McAfee - I did try to turn it off but perhaps some elements were still running. (My version didn't correspond to the instructions on the link you posted.) Did this have an impact? Let me know if I need to try harder to turn McAfee off and run Combofix again or anything?

Many thanks.



ComboFix 11-03-05.01 - Joanne 06/03/2011 21:49:56.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2010.759 [GMT 0:00]
Running from: c:\users\Joanne\Desktop\commy.exe.exe
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\hpeCCBA.dll
c:\users\Joanne\AppData\Local\{53E39238-3D35-4DCF-8C23-50505F393202}
c:\users\Joanne\AppData\Local\{53E39238-3D35-4DCF-8C23-50505F393202}\chrome.manifest
c:\users\Joanne\AppData\Local\{53E39238-3D35-4DCF-8C23-50505F393202}\chrome\content\_cfg.js
c:\users\Joanne\AppData\Local\{53E39238-3D35-4DCF-8C23-50505F393202}\chrome\content\overlay.xul
c:\users\Joanne\AppData\Local\{53E39238-3D35-4DCF-8C23-50505F393202}\install.rdf
c:\windows\system32\drivers\tlpiwruh.sys
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\Service_rrhcxik
.
.
((((((((((((((((((((((((( Files Created from 2011-02-06 to 2011-03-06 )))))))))))))))))))))))))))))))
.
.
2011-03-06 21:58 . 2011-03-06 22:02 -------- d-----w- c:\users\Joanne\AppData\Local\temp
2011-03-06 21:58 . 2011-03-06 21:58 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-03-06 21:42 . 2011-03-06 21:43 -------- d-----w- C:\32788R22FWJFW
2011-02-27 00:19 . 2011-03-05 20:40 0 ----a-w- c:\users\Joanne\AppData\Local\Tfumuwonezonuso.bin
2011-02-27 00:16 . 2011-03-05 20:33 -------- d-----w- c:\programdata\oEfAhHk06300
2011-02-25 21:35 . 2011-02-26 22:14 -------- d-----w- c:\users\Joanne\AppData\Roaming\Spotify
2011-02-25 21:35 . 2011-02-26 21:19 -------- d-----w- c:\users\Joanne\AppData\Local\Spotify
2011-02-25 21:35 . 2011-02-25 21:35 -------- d-----w- c:\program files\Spotify
2011-02-23 21:51 . 2011-02-23 21:51 -------- d-----w- C:\found.000
2011-02-09 15:52 . 2010-12-31 13:57 2039808 ----a-w- c:\windows\system32\win32k.sys
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-28 15:55 . 2011-01-12 13:47 413696 ----a-w- c:\windows\system32\odbc32.dll
2010-12-14 14:49 . 2011-01-12 13:47 1169408 ----a-w- c:\windows\system32\sdclt.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-06-10 39408]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2008-12-03 3882312]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2009-09-24 434176]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2009-04-01 217088]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-04-01 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-04-01 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-04-01 150552]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-12-22 3810304]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-05-07 178712]
"Dell Webcam Central"="c:\program files\Dell Webcam\Dell Webcam Central\WebcamDell.exe" [2008-06-03 446635]
"Dell DataSafe Online"="c:\program files\Dell DataSafe Online\DataSafeOnline.exe" [2009-11-13 1807600]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-02-05 128232]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-06-03 206064]
"PhilipsDM\SA1916"="c:\program files\Philips\SA19XX\Philips Device Manager\Bin\LaunchDM.exe" [2008-05-11 47616]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-09-30 1193848]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]
.
c:\users\Joanne\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-2-27 1316192]
TellJack.lnk - c:\program files\TellJack\TellJack.exe [2010-7-6 95232]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-2-27 1316192]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-06-03 13:57 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-08-03 135664]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-10-13 84264]
R3 PCD5SRVC{3F6A8B78-EC003E00-05040104};PCD5SRVC{3F6A8B78-EC003E00-05040104} - PCDR Kernel Mode Service Helper Driver;c:\progra~1\DELLSU~1\HWDiag\bin\PCD5SRVC.pkms [2008-11-04 22904]
R3 s0017bus;Sony Ericsson Device 0017 driver (WDM);c:\windows\system32\DRIVERS\s0017bus.sys [2008-10-21 86824]
R3 s0017mdfl;Sony Ericsson Device 0017 USB WMC Modem Filter;c:\windows\system32\DRIVERS\s0017mdfl.sys [2008-10-21 15016]
R3 s0017mdm;Sony Ericsson Device 0017 USB WMC Modem Driver;c:\windows\system32\DRIVERS\s0017mdm.sys [2008-10-21 114600]
R3 s0017mgmt;Sony Ericsson Device 0017 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\s0017mgmt.sys [2008-10-21 108328]
R3 s0017nd5;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (NDIS);c:\windows\system32\DRIVERS\s0017nd5.sys [2008-10-21 26024]
R3 s0017obex;Sony Ericsson Device 0017 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\s0017obex.sys [2008-10-21 104616]
R3 s0017unic;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (WDM);c:\windows\system32\DRIVERS\s0017unic.sys [2008-10-21 109736]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\DRIVERS\mfenlfk.sys [2010-10-13 64304]
S1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2010-10-13 164840]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_f6ef8056\aestsrv.exe [2009-04-01 81920]
S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2008-12-18 155648]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2010-03-10 271480]
S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2010-03-10 271480]
S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2010-03-10 271480]
S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2010-10-13 188136]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2010-10-13 141792]
S2 OMSI download service;Sony Ericsson OMSI download service;c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe [2009-04-30 90112]
S2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32coinst,serviceStartProc [x]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-10-13 55840]
S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-10-13 313288]
S3 OA009Ufd;Creative Camera OA009 Upper Filter Driver;c:\windows\system32\DRIVERS\OA009Ufd.sys [2008-09-03 144672]
S3 OA009Vid;Creative Camera OA009 Function Driver;c:\windows\system32\DRIVERS\OA009Vid.sys [2008-09-03 269216]
S3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\DRIVERS\seehcri.sys [2008-01-09 27632]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-03 19:12]
.
2011-03-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-03 19:12]
.
2011-03-06 c:\windows\Tasks\User_Feed_Synchronization-{00F8C4CF-C21D-4EDD-B62D-03385217C366}.job
- c:\windows\system32\msfeedssync.exe [2011-02-09 04:47]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bbc.co.uk/news
uInternet Settings,ProxyOverride = *.local
Trusted Zone: internet
Trusted Zone: mcafee.com
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Wfini - c:\users\Joanne\AppData\Local\ezidevibeb.dll
HKCU-Run-Gliboce - c:\users\Joanne\AppData\Local\coecon.dll
HKLM-Run-SysTrayApp - %ProgramFiles%\IDT\WDM\sttray.exe
.
.
.
**************************************************************************
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\PCD5SRVC{3F6A8B78-EC003E00-05040104}]
"ImagePath"="\??\c:\progra~1\DELLSU~1\HWDiag\bin\PCD5SRVC.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a3,1e,f1,7c,6a,62,90,47,af,a7,c7,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a3,1e,f1,7c,6a,62,90,47,af,a7,c7,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(2196)
c:\progra~1\mcafee\sitead~1\saHook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\DriverStore\FileRepository\stwrt.inf_f6ef8056\STacSV.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\windows\system32\rundll32.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\program files\Common Files\McAfee\SystemCore\mfefire.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
.
**************************************************************************
.
Completion time: 2011-03-06 22:09:56 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-06 22:09
.
Pre-Run: 148,525,916,160 bytes free
Post-Run: 148,779,143,168 bytes free
.
- - End Of File - - 921F63ADCC14F25012D8388E4175D96F
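
An added example, not part of the original thread and not code from either tool: a Python cross-check of the two logs posted above, listing Run values that Malwarebytes reported as removed on 05/03 and that ComboFix still listed under ORPHANS REMOVED on 06/03. The excerpts are copied from the posts above; the function names are hypothetical and the regexes are assumptions fitted to the lines shown, not a documented log format.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Excerpts copied from the Malwarebytes and ComboFix logs posted in this thread.
MBAM_LOG = r"""
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gliboce (Trojan.Agent.U) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wfini (Trojan.Agent.U) -> Quarantined and deleted successfully.

Files Infected:
C:\Users\Joanne\AppData\Local\Temp\0.6729536779214181.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Users\Joanne\AppData\Local\coecon.dll (Trojan.Agent.U) -> Delete on reboot.
C:\Users\Joanne\AppData\Local\ezidevibeb.dll (Trojan.Agent.U) -> Delete on reboot.
"""

COMBOFIX_LOG = r"""
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Wfini - c:\users\Joanne\AppData\Local\ezidevibeb.dll
HKCU-Run-Gliboce - c:\users\Joanne\AppData\Local\coecon.dll
HKLM-Run-SysTrayApp - %ProgramFiles%\IDT\WDM\sttray.exe
.
**************************************************************************
"""

HIVES = {"HKEY_CURRENT_USER": "HKCU", "HKEY_LOCAL_MACHINE": "HKLM"}
# Assumed line shapes: "<item> (<detection>) -> <action>." and "<hive>-Run-<value> - <target>"
MBAM_ITEM = re.compile(r"^(?P<item>.+) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")
ORPHAN = re.compile(r"^(?P<hive>HKCU|HKLM)-Run-(?P<value>.+?) - (?P<target>.+)$")


@dataclass
class Finding:
    hive: str
    value: str
    target: str
    registry_action: str          # what Malwarebytes said it did to the Run value
    file_action: Optional[str]    # what Malwarebytes said it did to the target file


def parse_mbam(text):
    """Return {section title: [(item, detection, action), ...]} for the detail sections."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.endswith(":"):
            current = sections.setdefault(line[:-1], [])
            continue
        m = MBAM_ITEM.match(line)
        if m and current is not None:
            current.append((m["item"], m["name"], m["action"]))
    return sections


def parse_orphans(text):
    """Return [(hive, value name, target)] from ComboFix's ORPHANS REMOVED section."""
    orphans, in_section = [], False
    for line in text.splitlines():
        line = line.strip()
        if "ORPHANS REMOVED" in line:
            in_section = True
        elif in_section and line.startswith("*"):
            break  # the row of asterisks starts the next part of the log
        elif in_section:
            m = ORPHAN.match(line)
            if m:
                orphans.append((m["hive"], m["value"], m["target"]))
    return orphans


def recurring_run_values(mbam_text, combofix_text):
    """Run values Malwarebytes reported handling that ComboFix later listed as orphans."""
    mbam = parse_mbam(mbam_text)
    removed = {}
    for key, _detection, action in mbam.get("Registry Values Infected", []):
        hive_name, _, rest = key.partition("\\")
        parent, _, value = rest.rpartition("\\")
        if parent.lower().endswith(r"\currentversion\run"):
            removed[(HIVES.get(hive_name, hive_name), value.lower())] = action
    file_actions = {path.lower(): action
                    for path, _detection, action in mbam.get("Files Infected", [])}
    findings = []
    for hive, value, target in parse_orphans(combofix_text):
        registry_action = removed.get((hive, value.lower()))
        if registry_action is not None:
            findings.append(Finding(hive, value.lower(), target, registry_action,
                                    file_actions.get(target.lower())))
    return sorted(findings, key=lambda f: f.value)


if __name__ == "__main__":
    for f in recurring_run_values(MBAM_LOG, COMBOFIX_LOG):
        print(f"{f.hive} Run\\{f.value} -> {f.target}")
        print(f"  Malwarebytes: value '{f.registry_action}', file '{f.file_action}'")
        print("  ComboFix: value still present, listed as orphan")
```
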

Re: SystemTool virus caused hard disk error? Can't start Windows Vista

Hello.

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    Code:


    File::
    c:\users\Joanne\AppData\Local\Tfumuwonezonuso.bin

    Folder::
    c:\programdata\oEfAhHk06300

  4. Save this as CFScript.txt, in the same location as ComboFix.exe

    [Image: CFScript]

  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


Re: SystemTool virus caused hard disk error? Can't start Windows Vista

Hi,
I have a big problem now - as you suggested I disabled everything that I could in Malwarebytes and in McAfee, but then discovered that almost nothing works now on the laptop because of whatever Combofix did previously.
Everything I try and do (for example, tried to open Notepad to paste your code), or even dragging the txt file onto Combofix as you instructed, I get an error sound and a dialog box with a big red cross, saying
"Illegal operation attempted on a registry key that has been marked for deletion"
So I had to create the text file on another computer and transfer using a memory stick, but still couldn't drag onto Combofix as I got that same error. Can't open any Windows Office programs, etc etc.
Help! What have I done wrong?! Can this be reversed?! Or is this correct? It means I can't do what you instructed and I'm in a worse situation than before in some ways as nothing now works.
Please let me know how I should proceed...

Re: SystemTool virus caused hard disk error? Can't start Windows Vista

It's possible the malware has caused some damage before you came here; usually that results in formatting, as the damage can't always be reversed.

Can you do a last known good config boot again?


Re: SystemTool virus caused hard disk error? Can't start Windows Vista

Well the thing is, I think it was only after I ran Combofix that this happened. For example I could get into McAfee and Malwarebytes to switch them off with no problem. Since I ran ComboFix I can only get into McAfee by selecting "Open as Administrator" for instance. Otherwise I get a similar error.
When I get home later (I am at work right now) I will do a Last Known Good config and see what happens.

Re: SystemTool virus caused hard disk error? Can't start Windows Vista

OK, I have booted in Last Known Good config and things look better. I can open up programs etc.
Do you now want me to run Combo Fix again, or to drag the CFScript.txt onto the Combofix icon, or something else?

Re: SystemTool virus caused hard disk error? Can't start Windows Vista

Hello.

Please download the OTM by OldTimer.

  • Save it to your desktop.
  • Please double-click OTM.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    :files
    c:\users\Joanne\AppData\Local\Tfumuwonezonuso.bin
    c:\programdata\oEfAhHk06300


  • Return to OTMoveIt, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.


Re: SystemTool virus caused hard disk error? Can't start Windows Vista

Hi

Have done this, it didn't produce a long log - just this. Hope this is what you were expecting.

========== FILES ==========
c:\users\Joanne\AppData\Local\Tfumuwonezonuso.bin moved successfully.
c:\programdata\oEfAhHk06300 folder moved successfully.

OTM by OldTimer - Version 3.1.17.2 log created on 03092011_220516

Thanks for your continuing help.

Re: SystemTool virus caused hard disk error? Can't start Windows Vista

Run ESET Online Scan
Please do an online scan with ESET Online Scanner. Please use Internet Explorer as it uses ActiveX.

  • Check (tick) this box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • When prompted to run ActiveX, click Yes.
  • You will be asked to install an ActiveX. Click Install.
  • Once installed, the scanner will be initialized.
  • After the scanner is initialized, click Start.
  • Check (tick) Remove found threats box.
  • Check (tick) Scan unwanted applications.
  • Click on Scan.
  • It will start scanning. Please be patient.
  • Once the scan is done, the log will be saved here: C:\Program Files\esetonlinescanner\log.txt.


Re: SystemTool virus caused hard disk error? Can't start Windows Vista

Hi

My only concern is that since I got this virus I have kept the laptop disconnected from the Internet. I have an old machine I've been downloading the applications onto and then transferring them using a memory stick.
When I was trying to run Combofix you told me to disable all the anti malware and anti virus etc. Are you saying I should re-enable all the antivirus stuff and then connect to the Internet in order to download and run this program? Just want to check before I do it as I am worried about exposing the computer to the Internet again, before it's "fixed".
Thanks.

Re: SystemTool virus caused hard disk error? Can't start Windows Vista

Yes, re-enable all disabled security programs, then run ESET online.

The logs look good now so hopefully it shouldn't be too bad, but let's see what the online scan says.


Re: SystemTool virus caused hard disk error? Can't start Windows Vista

Hello

I have managed to get onto the Internet (it's the first time I've attempted it since I first got the virus and it stopped me scrolling down on a webpage then shut down suddenly...).

However a few things are different. Firstly I got a message saying IE is not your default browser, do I want to make it the default. It always has been before, so either the virus, or one of the programs we've run since, has changed this.
Secondly a whole list of problems came up when the Internet window failed to open on the first couple of attempts.
Window is entitled Problem Reports and Solutions.
I don't know how to post a screen print but some examples of things mentioned are:
epson323504eu[1].exe : Program compatibility problem
Host Process for Windows services:Windows Update Installation problem (x2)
Internet Explorer: Stopped working (x6)
Microsoft Windows Search Filter Host: Stopped working
Windows: Video hardware error

Can you diagnose why all these have happened and how to reverse?
I'm now going to run the scan you recommended.

Re: SystemTool virus caused hard disk error? Can't start Windows Vista
Another indicator that something is wrong with my browser (though I should make clear that it still looks exactly like Internet Explorer). When I tried to download ESET online scan (by the way your link didn't work but I found my way to it) I got this message:

You are trying to launch ESET Online Scanner in a different browser than Internet Explorer. Please agree to the download of ESET Smart Installer - an application which installs and launches ESET Online Scanner in a separate window. At the end of the scan, there will be an option to uninstall ESET Online Scanner and all its components.

To download ESET Smart Installer click the link below.

esetsmartinstaller_enu.exe
After successful installation of ESET Smart Installer is ESET Online Scanner launched in a new window.

Re: SystemTool virus caused hard disk error? Can't start Windows Vista
Hello.
Aside from this online scan, I recommend dropping IE, it's so unstable and unsafe.

At the end I'll recommend some much better and faster browsers.

Did you get a logfile?

............................................................................................

Site Admin / Security Administrator


Re: SystemTool virus caused hard disk error? Can't start Windows Vista
I had to go to bed and leave it running, it was taking so long. When I got up it had restarted the machine. This is the log I found in the location you specified.

I agree that IE seems unstable and unsafe but what about the other problems identified, e.g. the video hardware problem - is this significant and can it be solved?


ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6425
# api_version=3.0.2
# EOSSerial=a2a8e93d4bb21b45a2ff1294e4245095
# end=stopped
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-03-11 10:26:59
# local_time=2011-03-11 10:26:59 (+0000, GMT Standard Time)
# country="United Kingdom"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=5121 16777213 100 75 2981399 28557690 0 0
# compatibility_mode=5892 16776574 100 100 15299219 137411528 0 0
# compatibility_mode=8192 67108863 100 0 3718 3718 0 0
# scanned=160654
# found=0
# cleaned=0
# scan_time=3618
ESETSmartInstaller@High as downloader log:
all ok
esets_scanner_update returned -1 esets_gle=53251
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6425
# api_version=3.0.2
# EOSSerial=a2a8e93d4bb21b45a2ff1294e4245095
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-03-11 11:52:30
# local_time=2011-03-11 11:52:30 (+0000, GMT Standard Time)
# country="United Kingdom"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=5121 16777213 100 75 2985242 28561533 0 0
# compatibility_mode=5892 16776574 100 100 15303062 137415371 0 0
# compatibility_mode=8192 67108863 100 0 7561 7561 0 0
# scanned=187893
# found=4
# cleaned=4
# scan_time=4907
C:\Users\Joanne\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\16\3bb02790-15217a56 multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\Users\Joanne\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\25\45036059-462c4a70 a variant of Java/TrojanDownloader.OpenStream.NBI trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Users\Joanne\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\34\2a6aca2-41bdcc7a multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\Users\Joanne\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\578e1089-741fa0b1 multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
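
Added example (not part of the original thread, and not ESET's own tooling): a small Python triage of the two scanner runs in the log above, showing why the first run's `found=0` cannot be trusted and that every detection sits in the Java deployment cache. The function names `parse_runs` and `triage` are hypothetical, the field layout is inferred from the log as rendered on this page, and the sample input is constructed from it with the user name replaced.

```python
import re

# Constructed sample modelled on the two scanner runs posted above:
# user name replaced, header fields trimmed to the ones the checks use.
SAMPLE_LOG = r"""ESETSmartInstaller@High as downloader log:
all ok
# end=stopped
# scanned=160654
# found=0
# cleaned=0
ESETSmartInstaller@High as downloader log:
all ok
# end=finished
# scanned=187893
# found=4
# cleaned=4
C:\Users\user\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\16\3bb02790-15217a56 multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\Users\user\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\25\45036059-462c4a70 a variant of Java/TrojanDownloader.OpenStream.NBI trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Users\user\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\34\2a6aca2-41bdcc7a multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\Users\user\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\578e1089-741fa0b1 multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
"""

RUN_START = "ESETSmartInstaller@High as downloader log:"
FIELD = re.compile(r"^# ([\w.]+)=(.*)$")
# Assumption: fields are space-separated and the path holds no spaces, as in this log.
DETECTION = re.compile(
    r"^(?P<path>[A-Za-z]:\\\S+) (?P<threat>.+) \((?P<action>[^()]*)\) [0-9A-Fa-f]{32} \w$")
JAVA_CACHE = "\\sun\\java\\deployment\\cache\\"

def parse_runs(text):
    """Split the log into scanner runs, each with header fields and detections."""
    runs = []
    for line in map(str.strip, text.splitlines()):
        if line == RUN_START:
            runs.append({"fields": {}, "detections": []})
        elif not runs:
            continue  # ignore anything before the first run header
        elif m := FIELD.match(line):
            runs[-1]["fields"][m.group(1)] = m.group(2)  # repeated keys: last wins
        elif m := DETECTION.match(line):
            runs[-1]["detections"].append(m.groupdict())
    return runs

def triage(run):
    """Return plain-language findings a helper would act on for one run."""
    fields, dets = run["fields"], run["detections"]
    found, cleaned = int(fields.get("found", 0)), int(fields.get("cleaned", 0))
    findings = []
    if fields.get("end") != "finished":
        findings.append("scan did not finish; its counts are incomplete")
    if found != len(dets):
        findings.append(f"header says found={found} but {len(dets)} detection lines parsed")
    if cleaned < found:
        findings.append(f"{found - cleaned} detection(s) not cleaned")
    in_cache = sum(JAVA_CACHE in d["path"].lower() for d in dets)
    if in_cache:
        findings.append(f"{in_cache} of {len(dets)} detections are in the Java "
                        "deployment cache; check the installed Java version")
    return findings

if __name__ == "__main__":
    for number, run in enumerate(parse_runs(SAMPLE_LOG), start=1):
        print(number, triage(run) or ["nothing to flag"])
```
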

Re: SystemTool virus caused hard disk error? Can't start Windows Vista
Hello.

Okay, nearly done now.

Please download the current version of HijackThis from HERE

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement, press accept and Hijack This will run.
  • When Hijack This opens, click "Open the Misc Tools section"
  • Then select "Open Uninstall Manager"
  • Click on "Save List..." (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.

............................................................................................

Site Admin / Security Administrator


Re: SystemTool virus caused hard disk error? Can't start Windows Vista
Hi there,

The log is below.
One other question, as I paid for McAfee and it still let through this virus, could you recommend another, superior antivirus software?
Thanks!


Adobe AIR
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Advanced Audio FX Engine
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Bonjour
Camera RAW Plug-In for EPSON Creativity Suite
Choice Guard
Cisco EAP-FAST Module
Cisco LEAP Module
Cisco PEAP Module
Citrix ICA Web Client
Compatibility Pack for the 2007 Office system
Dell DataSafe Online
Dell Dock
Dell Edoc Viewer
Dell Getting Started Guide
Dell Support Center (Support Software)
Dell Touchpad
Dell Video Chat
Dell Webcam Central
Dell Wireless WLAN Card Utility
Dell-eBay
EPSON Attach To Email
EPSON File Manager
EPSON S21 Series Printer Uninstall
EPSON Scan Assistant
EPSON Stylus S20 Series Printer Uninstall
ESET Online Scanner v3
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Google Update Helper
GoToAssist 8.0.0.514
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Integrated Webcam Driver (1.00.02.0825)
Intel(R) TV Wizard
Intel® Matrix Storage Manager
iTunes
Java(TM) 6 Update 11
Junk Mail filter update
LimeWire 5.1.3
Live! Cam Avatar Creator
Malwarebytes' Anti-Malware
McAfee SecurityCenter
McAfee Virtual Technician
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Client Profile
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Suite Activation Assistant
Microsoft Office Word MUI (English) 2007
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Works
MSVCRT
Philips SA19XX Device Manager
PowerDVD DX
QuickSet
QuickTime
Roxio Creator Audio
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator DE
Roxio Creator Tools
Roxio Express Labeler 3
Roxio Update Manager
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Skype Toolbars
Skype™ 5.0
Sony Ericsson PC Suite 6.009.00
Spotify
TellJack
TellJack
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Live OneCare safety scanner
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Toolbar
Windows Live Upload Tool
Windows Live Writer

Re: SystemTool virus caused hard disk error? Can't start Windows Vista
Hello.
No antivirus is perfect, and no antivirus can say a file is a virus and block it fully; malware can hide like a perfectly harmless file that someone runs and then finds out it's not what they thought it was.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

    Java(TM) 6 Update 11
    LimeWire 5.1.3

Updating Java:

  • Download the latest version of Java SE Runtime Environment (JRE) 6 Update 24.
  • Click the "Download JRE" button to the right.
  • In the Window that opens, select your platform, check the "agree" box, and click Continue.
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Then from your desktop double-click on jre-6u24-windows-i586.exe that you downloaded to install the newest version.

How is the machine running now?

............................................................................................

Site Admin / Security Administrator


Re: SystemTool virus caused hard disk error? Can't start Windows Vista
Hi there

OK, I've done that.

The machine seems fine. I haven't had any more error messages like the other day (the video hardware issue etc).
One thing though, the machine is a Dell laptop and I now have a pop up asking if I want to upgrade to a new version of Dell Support Center as version 2.0 is no longer available. Also whether I want to download a free copy of Dell DataSafe Local, and an updated Touchpad Driver. Should I? They sound like a good idea but just wanted to check.
Thanks!

Last edited by not_tech_literate on 14th March 2011, 8:26 pm; edited 1 time in total (Reason for editing : I left out a word!)

Re: SystemTool virus caused hard disk error? Can't start Windows Vista
Yeah, they are just drivers for the machine.

............................................................................................

Site Admin / Security Administrator


Re: SystemTool virus caused hard disk error? Can't start Windows Vista
So, what now? Is the computer "cured" do you think? I can't see any signs of the virus in my everyday usage of the machine but is there anywhere else I should check or any other scans I should do?
Many thanks for your help.

Re: SystemTool virus caused hard disk error? Can't start Windows Vista
Also you were going to recommend another browser?

Re: SystemTool virus caused hard disk error? Can't start Windows Vista
If the machine is running as normal, then I'd say you're good to go.

Please read the following information that I have provided, which will help you prevent malicious software in the future. Please keep in mind, malware is a continuous danger on the Internet. It is highly important to stay safe while browsing, to prevent re-infection.

Software recommendations

AntiSpyware

  • SpywareBlaster
    SpywareBlaster is a program that prevents spyware from installing on your computer. A tutorial on using SpywareBlaster may be found here.
  • Spybot - Search & Destroy.
    Spybot - Search & Destroy is a spyware and adware removal program. It also has real-time protection, TeaTimer, to help safeguard your computer against spyware. (The link for Spybot - Search & Destroy contains a tutorial that will help you download, install, and begin using Spybot).

NOTE: Please keep ALL of these programs up-to-date and run them whenever you suspect a problem to prevent malware problems.

Resident Protection help
A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall, and scanning anti-spyware program at a time. Passive protectors such as SpywareBlaster can be run with any of them.

Rogue programs help
There are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:
http://www.spywarewarrior.com/rogue_anti-spyware.htm

Securing your computer

  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • hpHosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. This prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer's loopback address, meaning it will be difficult to infect your computer in the future.

Please consider using an alternate browser
Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScript, can make it even more secure. Opera is another good option.

If you are interested:
Thank you for choosing GeekPolice. Please leave feedback!

............................................................................................

Site Admin / Security Administrator


Re: SystemTool virus caused hard disk error? Can't start Windows Vista
Beelazhur, thank you so much for your help. I am so grateful and pleased that you have "salvaged" my computer from the virus, this site is fantastic and I will be donating.
Keep it up - you are doing amazing work!
Thanks again.
