WiredWX Christian Hobby Weather Tools
Re: virus/spyware/trojan or malware
Hello.
Some of your legit files are patched, do you have your XP disc?


  • Download combofix from here combofix.exe
  • Please disable your local AV (Anti-virus) by right clicking its icon in the tray, and exit it. See HERE for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes

  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: virus/spyware/trojan or malware
WOW- I'm already amazed. The laptop did exactly as you said.

I haven't got the XP disc as it was pre-installed when purchased. I do have recovery disc.
I am reluctant to reboot as I have many family photos on the laptop.

It rebooted normally.
Here is the C:\combofix.txt log in two posts

ComboFix 09-02-07.01 - Ade 2009-02-08 19:42:57.1 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.991.762 [GMT 0:00]
Running from: C:\Documents and Settings\Ade\Desktop\Combo-Fix.exe
FW: eTrust EZ Firewall *enabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Ade\Application Data\inst.exe
C:\WINDOWS\system32\3.tmp
C:\WINDOWS\system32\303374.exe
C:\WINDOWS\system32\4.tmp
C:\WINDOWS\system32\drivers\protect.sys
C:\WINDOWS\system32\TDSSnrsr.dat
C:\WINDOWS\system32\TDSSosvd.dat
C:\WINDOWS\system32\zppavayf.dll
E:\autorun.inf
.
---- Previous Run -------
.
C:\WINDOWS\system32\uniq.tll
C:\WINDOWS\system32\win32hlp.cnf
C:\WINDOWS\system32\zlbw.dll

C:\WINDOWS\system32\userinit.exe . . . is infected!!

C:\WINDOWS\system32\svchost.exe . . . is infected!!

C:\WINDOWS\system32\spoolsv.exe . . . is infected!!

C:\WINDOWS\explorer.exe . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FCI
-------\Legacy_ICF
-------\Legacy_PROTECT
-------\Legacy_TDSSSERV.SYS
-------\Service_Passthru
-------\Service_protect
-------\Service_TDSSserv.sys


((((((((((((((((((((((((( Files Created from 2009-01-08 to 2009-02-08 )))))))))))))))))))))))))))))))
.

2009-02-08 19:47 . 2009-02-08 19:47 67,585 --a------ C:\WINDOWS\system32\1C.tmp
2009-02-08 19:47 . 2009-02-08 19:47 168 --a------ C:\WINDOWS\system32\1B.tmp
2009-02-08 19:47 . 2009-02-08 19:48 0 --a------ C:\WINDOWS\system32\1D.tmp
2009-02-08 19:46 . 2009-02-08 19:46 67 --a------ C:\Ntf16.tmp
2009-02-08 19:46 . 2009-02-08 19:46 67 --a------ C:\Ntf15.tmp
2009-02-08 19:38 . 2009-02-08 19:38 64,512 --a------ C:\WINDOWS\system32\idag.exe
2009-02-08 19:38 . 2009-02-08 19:38 168 --a------ C:\WINDOWS\system32\2.tmp
2009-02-08 15:50 . 2009-02-08 15:51 78,613 --a------ C:\WINDOWS\system32\B8.tmp
2009-02-08 15:50 . 2009-02-08 15:50 67,585 --a------ C:\WINDOWS\system32\B7.tmp
2009-02-08 15:50 . 2009-02-08 15:50 168 --a------ C:\WINDOWS\system32\B6.tmp
2009-02-08 15:48 . 2009-02-08 15:48 67,585 --a------ C:\WINDOWS\system32\B4.tmp
2009-02-08 15:48 . 2009-02-08 15:48 5,613 --a------ C:\WINDOWS\system32\B5.tmp
2009-02-08 15:48 . 2009-02-08 15:48 168 --a------ C:\WINDOWS\system32\B3.tmp
2009-02-08 15:43 . 2009-02-08 15:43 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2009-02-08 15:43 . 2009-01-14 16:11 38,496 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2009-02-08 15:43 . 2009-01-14 16:11 15,504 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2009-02-07 09:49 . 2009-02-07 10:56 d-------- C:\WINDOWS\Internet Logs
2009-02-05 21:29 . 2009-02-05 21:29 d-------- C:\Program Files\CA
2009-02-05 07:13 . 2009-02-05 07:13 66,560 ---h----- C:\WINDOWS\system32\secupdat.dat
2009-02-05 07:13 . 2009-02-05 07:13 32,768 --ah----- C:\Documents and Settings\Ade\aajcv.exe
2009-02-05 07:12 . 2009-02-05 07:12 162,628 --a------ C:\WINDOWS\system32\20.tmp
2009-02-05 07:12 . 2009-02-05 07:12 88 --a------ C:\WINDOWS\system32\1F.tmp
2009-02-05 07:10 . 2009-02-05 07:10 616 --a------ C:\WINDOWS\system32\1E.tmp
2009-02-05 07:09 . 2009-02-05 07:09 162,628 --a------ C:\WINDOWS\system32\1A.tmp
2009-02-05 07:09 . 2009-02-05 07:09 88 --a------ C:\WINDOWS\system32\18.tmp
2009-02-04 20:45 . 2009-02-04 20:45 67 --a------ C:\Ntf14.tmp
2009-02-04 20:45 . 2009-02-04 20:45 67 --a------ C:\Ntf13.tmp
2009-02-04 18:03 . 2009-02-04 18:03 67 --a------ C:\Ntf12.tmp
2009-02-04 18:03 . 2009-02-04 18:03 67 --a------ C:\Ntf11.tmp
2009-02-04 17:50 . 2004-08-04 13:00 96,256 --a------ C:\WINDOWS\system32\atkctr.dll
2009-02-04 17:49 . 2009-02-04 17:49 67 --a------ C:\NtfF.tmp
2009-02-04 17:49 . 2009-02-04 17:49 67 --a------ C:\Ntf10.tmp
2009-02-03 19:42 . 2009-02-03 20:13 1,333,698 --a------ C:\NtfD.tmp
2009-02-03 19:42 . 2009-02-03 19:42 67 --a------ C:\NtfE.tmp
2009-02-03 19:22 . 2009-02-03 19:41 1,135,405 --a------ C:\NtfB.tmp
2009-02-03 19:22 . 2009-02-03 19:22 67 --a------ C:\NtfC.tmp
2009-02-03 18:42 . 2009-02-03 19:21 1,030,621 --a------ C:\Ntf9.tmp
2009-02-03 18:42 . 2009-02-05 16:25 32,768 --a------ C:\WINDOWS\system32\drivers\ati7hkxx.sys
2009-02-03 18:42 . 2009-02-03 18:42 67 --a------ C:\NtfA.tmp
2009-02-03 16:57 . 2009-02-03 18:40 820,981 --a------ C:\Ntf7.tmp
2009-02-03 16:57 . 2009-02-03 16:57 67 --a------ C:\Ntf8.tmp
2009-02-03 16:57 . 2009-02-03 16:57 0 --a------ C:\WINDOWS\system32\10.tmp
2009-02-03 13:55 . 2009-02-03 13:55 67 --a------ C:\Ntf6.tmp
2009-02-03 13:55 . 2009-02-03 13:55 67 --a------ C:\Ntf5.tmp
2009-02-03 13:15 . 2009-02-03 13:15 88,790 --a------ C:\WINDOWS\system32\11.tmp
2009-02-03 13:13 . 2009-02-03 13:14 67 --a------ C:\Ntf4.tmp
2009-02-03 13:13 . 2009-02-03 13:14 67 --a------ C:\Ntf3.tmp
2009-02-03 12:58 . 2009-02-03 12:58 0 --a------ C:\WINDOWS\system32\19.tmp
2009-02-03 12:55 . 2009-02-03 12:56 136,990 --a------ C:\WINDOWS\system32\17.tmp
2009-02-03 12:54 . 2009-02-03 12:55 8,510 --a------ C:\WINDOWS\system32\13.tmp
2009-02-03 06:48 . 2009-02-03 17:36 32,768 --a------ C:\WINDOWS\system32\drivers\ati1chxx.sys
2009-02-02 22:04 . 2009-02-02 22:04 d-------- C:\Program Files\TomTom DesktopSuite
2009-02-02 21:36 . 2009-02-05 07:09 137,280 --a------ C:\WINDOWS\system32\drivers\ethacyss.sys
2009-02-02 21:31 . 2009-02-03 20:17 124 --a------ C:\WINDOWS\adobe.bat
2009-02-02 21:31 . 2009-02-02 21:31 5 --a------ C:\WINDOWS\_id.dat
2009-02-02 21:30 . 2009-02-02 21:30 64,512 --a------ C:\WINDOWS\system32\res2coff.exe
2009-02-02 19:32 . 2009-02-02 19:32 128,306 --a------ C:\WINDOWS\system32\126_av.exe
2009-02-02 19:08 . 2009-02-02 19:08 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-02-02 19:08 . 2009-02-02 19:08 d-------- C:\Documents and Settings\Ade\Application Data\Malwarebytes
2009-02-02 18:58 . 2009-02-02 18:58 0 --a------ C:\WINDOWS\system32\20B.tmp
2009-02-02 17:12 . 2009-02-02 17:12 22,016 --ahs---- C:\WINDOWS\system32\config\systemprofile\protect.dll
2009-02-02 17:11 . 2009-02-05 07:13 d--hs---- C:\WINDOWS\system32\twain32
2009-02-02 17:02 . 2009-02-02 17:02 67 --a------ C:\Ntf2.tmp
2009-02-02 17:02 . 2009-02-02 17:02 67 --a------ C:\Ntf1.tmp
2009-02-02 07:18 . 2009-02-02 07:18 d-------- C:\Program Files\Common Files\Download Manager
2009-02-01 22:43 . 2009-02-01 22:43 61,440 --a------ C:\WINDOWS\system32\chert13-303374.exe
2009-01-18 18:33 . 2009-01-18 18:33 d-------- C:\Documents and Settings\All Users\Application Data\Macrovision
2009-01-18 18:32 . 2009-01-18 18:32 d-------- C:\Program Files\Common Files\Adobe Systems Shared
2009-01-11 21:35 . 2009-01-11 21:35 d-------- C:\Documents and Settings\Ade\Application Data\HandBrake
2009-01-11 21:25 . 2009-01-11 21:25 d-------- C:\Program Files\HandBrake
2009-01-11 21:07 . 2009-01-11 21:07 d-------- C:\Documents and Settings\All Users\Application Data\AVS4YOU
2009-01-11 21:07 . 2009-01-11 21:07 d-------- C:\Documents and Settings\Ade\Application Data\AVS4YOU
2009-01-11 21:05 . 2009-02-04 18:28 d-------- C:\Program Files\Common Files\AVSMedia
2009-01-11 21:05 . 2009-02-04 18:28 d-------- C:\Program Files\AVS4YOU
2009-01-11 21:05 . 2007-02-27 18:36 24,576 --a------ C:\WINDOWS\system32\msxml3a.dll

Last edited by Ade3277 on 8th February 2009, 8:07 pm; edited 1 time in total

Re: virus/spyware/trojan or malware
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-08 19:48 --------- d-----w C:\Documents and Settings\Ade\Application Data\DMCache
2009-02-08 19:47 18,944 ---ha-w C:\WINDOWS\system32\drivers\protect.sys
2009-02-05 21:42 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2009-02-02 19:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2009-02-02 19:09 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2009-02-02 16:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Norton
2009-01-18 18:31 --------- d-----w C:\Program Files\Common Files\Adobe
2009-01-16 20:56 --------- d-----w C:\Program Files\Google
2009-01-14 21:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2009-01-11 21:31 --------- d-----w C:\Program Files\DivX
2009-01-11 21:21 --------- d-----w C:\Documents and Settings\Ade\Application Data\Vso
2009-01-11 20:14 --------- d-----w C:\Program Files\DVDVideoSoft
2009-01-11 20:14 --------- d-----w C:\Program Files\Common Files\DVDVideoSoft
2009-01-06 11:52 --------- d--h--w C:\Program Files\InstallShield Installation Information
2009-01-05 15:39 --------- d-----w C:\Program Files\Bonjour
2009-01-05 15:37 --------- d-----w C:\Program Files\iTunes
2009-01-05 15:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-05 15:36 --------- d-----w C:\Program Files\iPod
2009-01-05 15:36 --------- d-----w C:\Program Files\Common Files\Apple
2009-01-05 15:27 --------- d-----w C:\Program Files\QuickTime
2009-01-05 15:09 --------- d-----w C:\Program Files\Safari
2009-01-05 13:12 --------- d-----w C:\Program Files\Free WMA to MP3 Converter
2009-01-05 11:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\NortonInstaller
2009-01-04 12:05 --------- d-----w C:\Program Files\Ahead
2009-01-04 11:55 --------- d-----w C:\Program Files\Common Files\Nero
2009-01-04 11:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2009-01-03 17:47 10,344 ----a-w C:\WINDOWS\system32\drivers\symlcbrd.sys
2009-01-03 11:05 --------- d-----w C:\Program Files\Common Files\Ahead
2008-12-27 10:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\TomTom
2008-12-27 10:33 --------- d-----w C:\Program Files\TomTom HOME 2
2008-12-27 10:33 --------- d-----w C:\Documents and Settings\Ade\Application Data\TomTom
2008-12-11 10:57 333,952 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-05-23 09:05 47,360 -c--a-w C:\Documents and Settings\Ade\Application Data\pcouffin.sys
2007-01-10 10:42 52,400 -c--a-w C:\Documents and Settings\Ade\Application Data\GDIPFONTCACHEV1.DAT
.

------- Sigcheck -------

2004-08-04 13:00 31744 e9fd36c652215e4d22893485ed1c1573 C:\WINDOWS\$NtServicePackUninstall$\svchost.exe
2008-04-14 00:12 31744 d62497f87012485acd7bc10bcfda6f57 C:\WINDOWS\ServicePackFiles\i386\svchost.exe
2009-02-05 07:12 14336 b6d2734935fc224edca6138f9f958bcd C:\WINDOWS\system32\svchost.exe

2008-04-14 00:12 1051136 0b5e0b75fea14ad060a6bf0eb1aebf9d C:\WINDOWS\explorer.exe
2007-06-13 11:26 1050624 4908b19a9c830a6145766f18471c0131 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
2007-06-13 10:23 1050624 0cd253ded4d3b3d95174bf17fa7cfdbc C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
2004-08-04 13:00 1049600 3351a6e5b389a846b7c2a56e43a1119d C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
2008-04-14 00:12 1051136 5f303aac89951cafc6b753f74529275d C:\WINDOWS\ServicePackFiles\i386\explorer.exe

2004-08-04 13:00 32768 1c511de92cf006f779c33f5b880662ea C:\WINDOWS\$NtServicePackUninstall$\ctfmon.exe
2008-04-14 00:12 32768 3eba43f2baf8902fba14264e2fa20eeb C:\WINDOWS\ServicePackFiles\i386\ctfmon.exe
2008-04-14 00:12 32768 2fe8ef9cc99ed7d5b5fb686131562a7b C:\WINDOWS\system32\ctfmon.exe

2005-06-11 00:17 75264 b77a1fa98288e51383135052d3e7c8cd C:\WINDOWS\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2005-06-10 23:53 75264 dd026ed8d08f17aaf21663ad5006be7b C:\WINDOWS\$NtServicePackUninstall$\spoolsv.exe
2004-08-04 13:00 75264 a80b51046367382a4a11a177fbce1065 C:\WINDOWS\$NtUninstallKB896423$\spoolsv.exe
2008-04-14 00:12 75264 0e53f5810137eda413dee64cd11427ce C:\WINDOWS\ServicePackFiles\i386\spoolsv.exe
2008-04-14 00:12 75264 fbf11f1eda44a70cc3001177212d7737 C:\WINDOWS\system32\spoolsv.exe

2004-08-04 13:00 41984 93432176a24edb23caecbe66f130ca4e C:\WINDOWS\$NtServicePackUninstall$\userinit.exe
2008-04-14 00:12 43520 a842a873acb1c915d7689ff273a50104 C:\WINDOWS\ServicePackFiles\i386\userinit.exe
2009-02-02 07:20 142848 e27a3a0d47f219ce34d3e1692fc7f333 C:\WINDOWS\system32\userinit.exe
2009-02-02 07:20 142848 d441ea8e9119938f356dbf1d960ad6ef C:\WINDOWS\system32\dllcache\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CDBFB8EA-840A-4C3A-9E6D-0511BE8F909D}]
2004-08-04 13:00 96256 --a------ C:\WINDOWS\system32\atkctr.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 00:12 32768]
"EPSON Stylus Photo RX685 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICJE.EXE" [2007-04-13 06:00 199680]
"TomTomHOME.exe"="C:\Program Files\TomTom HOME 2\HOMERunner.exe" [2008-12-09 10:12 234856]
"IDMan"="C:\Program Files\Internet Download Manager\IDMan.exe" [2007-11-21 09:38 2553264]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 15:45 313472]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-17 18:55 68856]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-14 00:12 1712640]
"L08AXLRD_4183064"="C:\Program Files\Microsoft Student\Microsoft Student with Encarta Premium 2008 DVD\EDICT.EXE" [2007-05-21 11:00 351000]
"L08AXLRD_3587278"="C:\Program Files\Microsoft Student\Microsoft Student with Encarta Premium 2008 DVD\EDICT.EXE" [2007-05-21 11:00 351000]
"L08AXLRD_24200738"="C:\Program Files\Microsoft Student\Microsoft Student with Encarta Premium 2008 DVD\EDICT.EXE" [2007-05-21 11:00 351000]
"L08AXLRD_2356017"="C:\Program Files\Microsoft Student\Microsoft Student with Encarta Premium 2008 DVD\EDICT.EXE" [2007-05-21 11:00 351000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZCfgSvc.exe"="C:\WINDOWS\system32\ZCfgSvc.exe" [2004-09-06 05:28 442368]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2002-12-06 08:45 151552]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2002-12-06 16:32 593920]
"PRONoMgr.exe"="C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe" [2004-05-10 03:50 126976]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2004-07-01 13:02 180224]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2004-07-01 12:58 147456]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-02-07 07:40 143360]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-07-01 12:58 147456]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 03:00 132496]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 17:17 180224]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 18:44 86016]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 09:25 6731312]
"Zone Labs Client"="C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe" [2004-10-12 08:33 722192]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2004-02-24 09:55 888832]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 20:24 53248]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-11-04 10:30 434176]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 180224]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" [2007-02-08 00:13 774168]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-11-20 13:20 290088]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 06:00 33648]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-09-17 09:27 52848]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 14:16 111936]
"SMcfg"="smcfg.exe" [2004-11-01 16:55 102400 C:\WINDOWS\SmCfg.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 00:12 110592 C:\WINDOWS\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 00:12 32768]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HotKeyDriver.lnk - C:\Program Files\HotKey_Driver\HotKeyDriver.exe [2005-04-27 12:07:03 2306048]

Re: virus/spyware/trojan or malware
Hello.
Bad news.

Your machine is infected with Virut.
Virut is a file infector, but it wasn't written properly and these infected files may become corrupt. There is nothing we can do now.
Your machine is also compromised, use a clean machine and change any passwords for any online banking, msn, etc.

To help you understand more, please take some time to read the following articles:

What are Remote Access Trojans and why are they dangerous
How do I respond to a possible identity theft and how do I prevent it
When should I do a reformat and reinstallation of my OS
Where to backup your files
How to backup your files in Windows XP
Restoring your backups

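An added example, not part of any post in this thread and not ComboFix's own logic: it parses rows in the format of the "Sigcheck" section of the log above and reports each live system file whose MD5 matches none of the service-pack, hotfix or dllcache copies listed beside it. The svchost, ctfmon and userinit rows are copied from the posted log; the two notepad.exe rows are constructed to show a matching case, and all function names are hypothetical.

```python
import re
from collections import defaultdict
from ntpath import basename  # handles Windows paths on any OS

# One Sigcheck row: date, time, size in bytes, MD5, full path.
ROW = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) (\d+) ([0-9a-f]{32}) ([A-Za-z]:\\.+)$"
)

# Folders where XP keeps service-pack, hotfix-uninstall and
# Windows File Protection (dllcache) copies of system files.
REFERENCE_MARKERS = (
    "\\servicepackfiles\\",
    "\\$ntservicepackuninstall$\\",
    "\\$ntuninstall",
    "\\$hf_mig$\\",
    "\\dllcache\\",
)

# Rows copied from the posted log, except the last two (notepad.exe),
# which are constructed sample data with a made-up MD5.
SAMPLE = r"""
2004-08-04 13:00 31744 e9fd36c652215e4d22893485ed1c1573 C:\WINDOWS\$NtServicePackUninstall$\svchost.exe
2008-04-14 00:12 31744 d62497f87012485acd7bc10bcfda6f57 C:\WINDOWS\ServicePackFiles\i386\svchost.exe
2009-02-05 07:12 14336 b6d2734935fc224edca6138f9f958bcd C:\WINDOWS\system32\svchost.exe
2004-08-04 13:00 32768 1c511de92cf006f779c33f5b880662ea C:\WINDOWS\$NtServicePackUninstall$\ctfmon.exe
2008-04-14 00:12 32768 3eba43f2baf8902fba14264e2fa20eeb C:\WINDOWS\ServicePackFiles\i386\ctfmon.exe
2008-04-14 00:12 32768 2fe8ef9cc99ed7d5b5fb686131562a7b C:\WINDOWS\system32\ctfmon.exe
2004-08-04 13:00 41984 93432176a24edb23caecbe66f130ca4e C:\WINDOWS\$NtServicePackUninstall$\userinit.exe
2008-04-14 00:12 43520 a842a873acb1c915d7689ff273a50104 C:\WINDOWS\ServicePackFiles\i386\userinit.exe
2009-02-02 07:20 142848 e27a3a0d47f219ce34d3e1692fc7f333 C:\WINDOWS\system32\userinit.exe
2009-02-02 07:20 142848 d441ea8e9119938f356dbf1d960ad6ef C:\WINDOWS\system32\dllcache\userinit.exe
2008-04-14 00:12 69120 00000000000000000000000000000001 C:\WINDOWS\ServicePackFiles\i386\notepad.exe
2008-04-14 00:12 69120 00000000000000000000000000000001 C:\WINDOWS\system32\notepad.exe
"""


def parse_sigcheck(text):
    """Return one dict per well-formed Sigcheck row; other lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            date, time, size, md5, path = m.groups()
            rows.append({"modified": f"{date} {time}", "size": int(size),
                         "md5": md5, "path": path})
    return rows


def is_reference(path):
    """True when the path lies in one of the backup/cache folders."""
    lowered = path.lower()
    return any(marker in lowered for marker in REFERENCE_MARKERS)


def review(rows):
    """Compare every live copy with the reference copies of the same file name."""
    by_name = defaultdict(list)
    for row in rows:
        by_name[basename(row["path"]).lower()].append(row)

    findings = {}
    for copies in by_name.values():
        refs = [r for r in copies if is_reference(r["path"])]
        sp = [r for r in refs if "\\servicepackfiles\\" in r["path"].lower()]
        for live in (r for r in copies if not is_reference(r["path"])):
            matched = [r["path"] for r in refs if r["md5"] == live["md5"]]
            findings[live["path"]] = {
                "verdict": "matches-reference" if matched else "no-reference-match",
                "matched": matched,
                # Size difference against the ServicePackFiles copy, if listed.
                "size_delta_vs_sp": live["size"] - sp[0]["size"] if sp else None,
                "modified": live["modified"],
            }
    return findings


if __name__ == "__main__":
    for path, f in review(parse_sigcheck(SAMPLE)).items():
        print(f"{f['verdict']:<20} delta={f['size_delta_vs_sp']!s:>7} "
              f"modified={f['modified']}  {path}")
```

A mismatch is a lead rather than proof, since a later hotfix can legitimately replace the live file, and with a file infector the reference copies can be altered too: in the posted log, `dllcache\userinit.exe` has the same 142848-byte size as the live copy.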

Re: virus/spyware/trojan or malware
And I thought all was going well.
Thank you for your time.
Ade

Re: virus/spyware/trojan or malware
Hi,
I have changed all my passwords via another pc.
The laptop will now not connect to the internet.
Any ideas?
I tried repair for wireless by right clicking the icon in right corner.
I then tried with ethernet connection and still nothing, other than I ran diagnostic from the screen that came up and there was something about winsock and also adapter state not found in registry.
Your help is appreciated.
thanks
Ade

Re: virus/spyware/trojan or malware
Hello.
Until you format (DO NOT back anything up), I can't help you anymore.
Your files are patched and we can't do anything to change it back, only formatting will fix this.


Re: virus/spyware/trojan or malware
Will formatting lose all my family photos?
You mention in brackets "do not back anything up". Can I not save photos and videos of family to disc or external drive?
What does it mean "files are patched"?
Can you explain, what has happened in easy terms for a novice like me.
At the moment I can view my photos and videos but not access the internet.
I played around with the pc and the wireless icon in bottom right hand corner is now connected but internet page or e-mail won't access/connect.
The ethernet connection with wire won't work either.
I know it's a lot of questions but I'm confused.
thanks
Ade

Re: virus/spyware/trojan or malware
I'll try to explain as easy as I can.

When an XP machine logs on to a user account, the userinit file and registry value are called upon, which allows you in.
Userinit is infected by the malware and, as I said, with it not being correctly written, the file may become corrupt. If that happens, you will not be able to log on anymore, and because of the infection, we cannot replace the file. Meaning you will lose EVERYTHING and not get it back.

Photo pictures (bmp,jpg,gif, etc) and video files (avi,mpg,mp4, etc) should be okay, it's .exe files and .scr files that are patched.

Backup your pictures/video (DO NOT backup any .exe/.scr files otherwise you backup the infection too)

Then format.


Re: virus/spyware/trojan or malware
Can we not re-write the userinit file and alter the registry back?
Or is that an impossible task!
You are talking to someone who knows nothing about pc talk,
thanks
Ade

Re: virus/spyware/trojan or malware
Nope, ALL these legit .exe files are patched and cannot be replaced.
Everything (besides formatting) is useless.


Re: virus/spyware/trojan or malware
I mentioned in an earlier post that the card reader I was using to upload the logs appeared to put Spyware Protect 2009 onto this PC I'm using; however, I ran Malwarebytes and I have had no further problems. Would this PC be OK?

Re: virus/spyware/trojan or malware
Nope.
If Virut remains on the PC, you are basically giving the bad guys a new machine to host malware on.
You can never use this machine for stuff like Paypal because it will keylog your passwords.


Re: virus/spyware/trojan or malware
It gets worse and worse. I hope I haven't got two PCs knackered.
I ran HijackThis from my son's PC and the log is below.
Am I posting this correctly?
I would appreciate it if you can see if this one's OK. It's an older PC but good enough for my son's homework, thanks Ade


Logfile of HijackThis v1.99.1
Scan saved at 19:52:00, on 10/02/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICJE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Adrian\My Documents\AntiVirusStuff\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sky.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.sky.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided By Sky Broadband
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [EPSON Stylus Photo RX685 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICJE.EXE /FU "C:\DOCUME~1\Adrian\LOCALS~1\Temp\E_S2.tmp" /EF "HKCU"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com (file missing)
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

Re: virus/spyware/trojan or malware
His machine looks fine.
No HJT signs that you had from the other machine.

You are running an old version of HijackThis, and I ask that you use this new version if needed, because versions below 2.0.2 have a few bugs in them.

Please download the current version of HijackThis from HERE

Re: virus/spyware/trojan or malware
Have downloaded new version.
Do you need to see a log created from the new version or not?

If not, just to let you know I will endeavour to save all family photos and vids from other pc to an external hard drive. Once I've done this I will come back to you, if that's okay, on this post to see what we can do with re-format of the laptop. Hopefully that'll be okay. This may be a couple of days.
PS. You mentioned that .exe and .scr are the ones not to back up. Are these easy to spot? I believe I know what an .exe looks like as it has the extension as that, and they are files that load up programs, but I cannot recall ever seeing a .scr file. Can I save PowerPoint presentations?

Re: virus/spyware/trojan or malware
scr means screensaver, but it's also an executable file.
Powerpoints are .ppt, so they are safe.

Don't need a new log.

Re: virus/spyware/trojan or malware
Thanks for all your help.
I'll certainly mention you to friends.
I'll be back in a couple of days or so,
thanks
Ade

Re: virus/spyware/trojan or malware
Hi,
Before I back up my files, are all .exe files bad, or can I back up ones that run software that I have been using, as long as I know what it is? The reason I ask is I have downloaded a Garmin .exe file I bought for my GPS. Will this now be safe to copy onto external hard drive and use again once laptop has been re-formatted?
thanks
Ade

Re: virus/spyware/trojan or malware
Nope, it's infected.

Re: virus/spyware/trojan or malware
Hi,
more questions.
I have purchased an external hard drive (Western Digital USB type).
I have an issue before I back up my photos and vids. When the hard drive is plugged into laptop it launches software enabling me to sync my files from laptop to the drive.
This is launched by a .exe file.
If I can't run this external hard drive by launching the program, how can I copy my folders to it?
Or is the hard drive safe to run on the laptop?
your thoughts,
thanks
Ade

Re: virus/spyware/trojan or malware
Hello.
The external drive should be okay; the drive's indexing or autoplay isn't run by an exe, it's run by an autorun.inf file that launches it for your machine.

Please download Flash_Disinfector from HERE

  • First, download it to your desktop.
  • Now double-click it to run it, and it will tell you what to do when you open it.
  • It will temporarily kill explorer.exe and your desktop will go blank.
  • Let Flash_Disinfector do its job and it will restart explorer.exe for you.
  • It will make a dummy autorun.inf in the root of every drive.
  • You can now delete Flash_Disinfector.exe.


The drive should be okay now.

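What the autorun.inf mechanism mentioned in the reply above amounts to, as an added example that is not part of the original posts: a small Python parser that lists which commands an autorun.inf would launch and whether each target is a directly executable type such as .exe or .scr. The sample file contents and the extension list are constructed for illustration.

```python
import re

# File types Windows runs directly; .scr (screensaver) is one of them.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".vbs", ".js"}

# autorun.inf keys that name a command to launch from the drive.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)

# Constructed samples for illustration, not copied from any real drive.
VENDOR_SAMPLE = """[autorun]
open=Setup\\Launcher.exe /auto
icon=drive.ico
label=Backup Drive
"""
SUSPECT_SAMPLE = """[AutoRun]
; constructed example
shell\\open\\command="RECYCLER\\holiday photo.scr" -s
shellexecute=readme.txt
"""
EMPTY_SAMPLE = ""


def parse_autorun(text):
    """Return {section: {key: value}} for an INI-style autorun.inf body."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def launch_targets(text):
    """List (key, command, is_executable) for launch entries in [autorun]."""
    findings = []
    for key, value in parse_autorun(text).get("autorun", {}).items():
        if not LAUNCH_KEY.match(key):
            continue                               # icon=, label= and so on
        # The program is the first token; it may be quoted if it has spaces.
        m = re.match(r'"([^"]+)"|(\S+)', value)
        program = (m.group(1) or m.group(2)) if m else ""
        ext = "." + program.rsplit(".", 1)[-1].lower() if "." in program else ""
        findings.append((key, value, ext in EXECUTABLE_EXTS))
    return findings


if __name__ == "__main__":
    for name, sample in [("vendor", VENDOR_SAMPLE), ("suspect", SUSPECT_SAMPLE),
                         ("empty", EMPTY_SAMPLE)]:
        print(name, launch_targets(sample))
```

An autorun.inf with no launch entries yields an empty list, which is the state you want on a drive that should only hold data.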

Re: virus/spyware/trojan or malware
hi,

the above does not work. "The webpage cannot be found".
Was I to download it to my son's pc, whilst the external drive is plugged into his usb port?
Or download via son's pc, copy it to card reader then upload to laptop onto desktop with external hard drive plugged into the laptop usb?
thanks
Ade

Re: virus/spyware/trojan or malware
Hello.
Thank you for letting me know.
F_D has moved, new link here:
http://download.bleepingcomputer.com//sUBs/Flash_Disinfector.exe

Re: virus/spyware/trojan or malware
hi,
got it.
Saved the .exe file to son's pc, put it on card reader to my laptop.
I haven't run it yet, cos I don't know if I should save/back up all the photos now to hard drive or after running it.
Can you advise?
thanks
Ade

Re: virus/spyware/trojan or malware
Run it first, then back up.
F_D will provide protection while you do this.

Re: virus/spyware/trojan or malware
I have run it.
Connected external hard drive and card reader.
Got a box that said, "done".
Now copying photos to hard drive, this could take a while by the looks of things.
As soon as it's done, I'll get back to you,
thanks again,
Ade

Re: virus/spyware/trojan or malware
Hi,
All photos and vids backed up to external hard drive. Hooray!
What can I do now with the nightmare of a laptop?
Thanks
Ade

Re: virus/spyware/trojan or malware
Format it.
Put in your XP setup disc.
Reboot your machine and boot from the disc.

Then format.
Some links with info how to and other stuff here:

http://www.geekpolice.net/virus-spyware-malware-removal-f11/virus-spyware-trojan-or-malware-t6494.htm#40105

Re: virus/spyware/trojan or malware
Hi,
Formatting done.
thanks ever so for your help,
Ade

Re: virus/spyware/trojan or malware
Hi again,
Well I thought things were fine.
I put the recovery disc in the PC, I re-started the laptop, I then got the message to boot from disc and press enter.
I did all this; it took about an hour.
When I start the pc now, I get a black screen with the following.

Microsoft Windows XP Home Edition
Microsoft Recovery Console
Microsoft Windows XP Home Edition

I have to tab up or down and choose one.
If I choose the top one, things appear to run ok (basic software at factory install), however when I go into my computer, c drive, then ades folder, I get message access is denied.

If I choose the second "Microsoft Windows XP Home Edition", I get all the stuff, software, folders, everything as it was but it takes about a minute and then it crashes and goes to a blue screen.
When I restart it the next time, it says the pc has recovered from a serious error.
The laptop used to start on its own and I didn't have to choose anything.
Any ideas?
thanks
Ade

Re: virus/spyware/trojan or malware
I think you got the wrong disc.
Recovery disc is the basic recovery console, it has to be a setup disc, or has the setup files on that disc you have now.

Re: virus/spyware/trojan or malware
I'm sure it's the right disc.
You get all the warning signs that all data will be lost if you go ahead.

Just so as I have this right.
Your previous post says format it, then put in the disc then reboot from disc.

Do I just put the disc in the drive, restart the computer, then when it says "to boot from disc press any key", I press any key?
There is nothing else to do before this or after.
Format means put the disc in. Correct?
thanks
Ade

Re: virus/spyware/trojan or malware
My bad.
Yes, it's probably the right disc then.

The account that this logs onto, is it the admin account?

Re: virus/spyware/trojan or malware
Ahh,
I think I'm getting there.
I could be at this for years to come.

First,
I backed up photos.
How do I back up Microsoft Outlook names, addresses, e-mails?
It's all blank in safe mode and the pc crashes in normal startup.
thanks
Ade

Re: virus/spyware/trojan or malware
Hmm.
To restore backups you mean?

I assume you can just drag/drop files onto the C (or D) drive, but email backups may not appear in Outlook. If you can still read the messages, just keep them on your hard drive (C drive) along with whatever else you have put back.

Re: virus/spyware/trojan or malware
Hi,
I'm an idiot.
I have now re-installed XP.
What I did first time was install a second copy of XP and had a partition.
All gone now, back to factory state.
Anything I should install, tweak or do now?
thanks
Ade

Re: virus/spyware/trojan or malware
Yep.
Turn autoplay off again. You don't need the stick plugged in this time.

Please download Flash_Disinfector from HERE

  • First, download it to your desktop.
  • Now double-click it to run it, and it will tell you what to do when you open it.
  • It will temporarily kill explorer.exe and your desktop will go blank.
  • Let Flash_Disinfector do its job and it will restart explorer.exe for you.
  • It will make a dummy autorun.inf in the root of every drive.
  • You can now delete Flash_Disinfector.exe.


Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/
I also recommend the following add-ons for Firefox; they will help keep you safe from malicious scripts or ActiveX exploits.
https://addons.mozilla.org/en-US/firefox/addon/722
https://addons.mozilla.org/en-US/firefox/addon/1865
https://addons.mozilla.org/en-US/firefox/addon/433

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please consider using this free software program that will check for program updates.
Update Checker

5) Finally, consider maintaining a firewall. Some good free firewalls are Kerio or Outpost.
A tutorial on understanding and using firewalls may be found here.

Please also read Tony Klein's excellent article: How I got Infected in the First Place

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found here.

Hopefully this should take care of your problems! Good luck.

Re: virus/spyware/trojan or malware
I have taken all the advice. I am so pleased with the result. Feedback form has been completed, thanks so much,
Ade

Re: virus/spyware/trojan or malware
Since this issue has been addressed, a "solved" tag will be added and this topic will be closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.

............................................................................................

Please be a GeekPolice fan on Facebook!

Have we helped you? Help us! | Doctor by day, ninja by night.
