Hi, I was trying to fix my girlfriend's computer when I found this site. Her computer has been running very slowly for the past few months, and she has been getting a lot of pop-ups and ads along with redirects to ad sites. 2 days ago an alert came up on her taskbar saying "Warning, your computer is infected! Click here, etc. etc." It had a red circle with an X in it, like the symbol Norton uses, but she does not have Norton on her computer. We figured it was some kind of fake spyware thing, but we clicked on it to see if maybe it wasn't. It took us to a website to download AntivirusProXp2009, but we did not download it, as I'm pretty sure it is fake. As soon as this happened the computer started acting very weird, so we disconnected it from the internet, and I have been trying to find out what's wrong since.

The alert still keeps popping up, the desktop wallpaper is gone (sometimes the desktop wallpaper is an ad saying I need to click on it to fix the virus), and ads try to pop up using both Internet Explorer and Firefox. A new administrator account has been created that was never there before, and I am unable to view hidden files or use the Task Manager. I was able to get the Task Manager back using

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f

in Run. When I start the computer up a lot of error windows open: one says init.exe has encountered a problem and needs to close, one says AppleSyncNotifier.exe has failed to start because CoreFoundation.dll was not found, one says there was an error loading nnxlothg.dll, and another says that Data Execution Prevention has closed Windows Logon UI for my protection.

I ran AVG in safe mode and it found and deleted a file called "Win32/Rustock.C", and it said that the boot sector of C, Kernel32.dll, wsock32.dll, user32.dll, shell32.dll, and ntoskcnl.exe had been changed. I hope this is enough information to help identify what the problem is. Thanks for your time.

Here is the HijackThis log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:01:41 PM, on 2/21/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\afisicx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\mabidwe.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\soxpeca.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\inf\rundll33.exe
C:\PROGRA~1\MICROI~1\INTERN~1\KEMailKb.EXE
C:\Program Files\FarStone\GameDrive\VDTask.exe
C:\WINDOWS\vcdplayx.exe
F:\DAEMON Tools\daemon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\DOCUME~1\Becky\LOCALS~1\Temp\winlognn.exe
C:\WINDOWS\system32\frmwrk32.exe
C:\WINDOWS\system32\msrstart.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dumprep.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\DOCUME~1\Becky\LOCALS~1\Temp\i89xts49yn2v.exe
C:\DOCUME~1\Becky\LOCALS~1\Temp\lxi4e5ql3z7.exe
C:\DOCUME~1\Becky\LOCALS~1\Temp\cp71an5iniczf.exe
C:\DOCUME~1\Becky\LOCALS~1\Temp\a61w9j4.exe
C:\DOCUME~1\Becky\LOCALS~1\Temp\b1sqlm2wcioo2.exe
C:\DOCUME~1\Becky\LOCALS~1\Temp\kfmkybysw.exe
C:\DOCUME~1\Becky\LOCALS~1\Temp\p9kgtqqkkgj10.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Qwest\QuickCare\agentui\quickcare.exe
C:\Program Files\Qwest\QuickCare\agentui\quickcare.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Virus Removal\Hijack(GP)This.exe
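One way a responder might triage the "Running processes" section of a log like the one above, written as an added example that is not part of this post and is not HijackThis code. The sample input is an excerpt of the paths from the posted log; the heuristics (executables launched from a Temp directory, names one edit away from a core Windows binary, unknown executables in the Windows root or system32\inf) and the allowlist of system binary names are assumptions chosen for the example, not a complete detection rule set.

```python
import re
from typing import List, Tuple

# Constructed excerpt of the "Running processes" section of the HijackThis log
# posted above, trimmed to a handful of paths so the example stays short.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\afisicx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\inf\rundll33.exe
C:\WINDOWS\vcdplayx.exe
C:\DOCUME~1\Becky\LOCALS~1\Temp\winlognn.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\DOCUME~1\Becky\LOCALS~1\Temp\i89xts49yn2v.exe
"""

# Assumed allowlist of core Windows XP binary names that malware commonly imitates.
# A name one edit away from one of these, without an exact match, is a lookalike.
KNOWN_SYSTEM_BINARIES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "explorer.exe", "rundll32.exe",
    "userinit.exe", "ctfmon.exe", "wscntfy.exe",
}

# A process whose image lives under any "\Temp\" directory is unusual enough to flag.
TEMP_DIR_RE = re.compile(r"\\Temp\\", re.IGNORECASE)
# Executables directly in the Windows root or in system32\inf (a driver-setup folder
# that normally holds no executables) are flagged unless the name is allowlisted.
ODD_SYSTEM_DIR_RE = re.compile(
    r"^[A-Z]:\\WINDOWS\\(?:system32\\inf\\)?[^\\]+\.exe$", re.IGNORECASE
)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches names one typo away from a system binary."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def running_processes(log_text: str) -> List[str]:
    """Return the image paths listed under 'Running processes:' in a HijackThis log."""
    paths, in_section = [], False
    for line in log_text.splitlines():
        line = line.strip()
        if line.lower() == "running processes:":
            in_section = True
            continue
        if in_section:
            if re.match(r"^[A-Z]:\\", line, re.IGNORECASE):
                paths.append(line)
            else:
                break  # a blank line or the next section ends the list
    return paths


def triage(paths: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (path, reasons) for every process that trips at least one heuristic."""
    findings = []
    for path in paths:
        name = path.rsplit("\\", 1)[-1].lower()
        reasons = []
        if TEMP_DIR_RE.search(path):
            reasons.append("runs from a user Temp directory")
        if name not in KNOWN_SYSTEM_BINARIES:
            near = sorted(k for k in KNOWN_SYSTEM_BINARIES if edit_distance(name, k) == 1)
            if near:
                reasons.append(f"name is one edit away from {near[0]}")
            if ODD_SYSTEM_DIR_RE.match(path):
                reasons.append("unknown executable in Windows root or system32\\inf")
        if reasons:
            findings.append((path, reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in triage(running_processes(SAMPLE_LOG)):
        print(path)
        for reason in reasons:
            print("    -", reason)
```

On the excerpt this flags rundll33.exe (lookalike of rundll32.exe, and in system32\inf), vcdplayx.exe (unknown executable in the Windows root), and both Temp-directory processes, with winlognn.exe additionally flagged as a lookalike of winlogon.exe. Name and location heuristics say nothing about random-looking names sitting in system32 itself (afisicx.exe, mabidwe.exe and soxpeca.exe in the full log); those need a file-hash or signature check against a known-good baseline, which is why a log like this is normally reviewed by a person rather than scored automatically.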