I ran ComboFix (let me know if the ComboFix log should be attached) and thankfully I was able to log in in normal mode after that. But I can still see some registry settings are infected, and I haven't connected to the internet in normal mode. Please advise how I can remove the virus completely.
Thanks so much for your help.
.
DDS (Ver_11-03-05.01) - NTFSx86 NETWORK
Run by prasad.kanika at 15:43:01.84 on Sat 04/02/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1498 [GMT -5:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Symantec Endpoint Protection *Disabled/Outdated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Microsoft Visual Studio .NET 2003\Common7\IDE\devenv.exe
C:\Documents and Settings\prasad.kanika\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\prasad.kanika\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\prasad.kanika\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\prasad.kanika\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\prasad.kanika\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\prasad.kanika\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\prasad.kanika\My Documents\Downloads\dds.scr
.
============== Pseudo HJT Report ===============
.
uInternet Connection Wizard,ShellNext = ftp://10.200.70.43/
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Google Update] "c:\documents and settings\prasad.kanika\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [DelOEShortcut] c:\windows\scripts\del_oe.vbe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
dRun: [ceNQJDAVBWkpog] c:\documents and settings\all users\application data\ceNQJDAVBWkpog.exe
dRunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"
dRunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat"
dRunOnce: [SWHelper] "c:\windows\system32\macromed\shockwave 10\PostUpdate.exe" 1014020
IE: {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "c:\program files\fiddler\Fiddler.exe"
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: podh01
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} - hxxp://picasaweb.google.com/s/v/66.35/uploader2.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188494398234
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1256652175992
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} - hxxps://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {B6F04826-CF1C-11D2-AA79-0080C79B6CE1} - hxxp://inviewapp.cch.com/rpp/CCHPrintingApp.ocx
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF} - hxxp://orapas01.aspenpubl.com:1533/forms/jinitiator/jinit.exe
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://tx95ra01.wkglobal.net/dana-cached/setup/JuniperSetupSP1.cab
DPF: {E99D3E39-5D92-4360-BA86-2C563B3CFFEB} - hxxp://dev.kluwerlaw.com/MCMSTemplates/CMS/WebAuthor/Client/PlaceholderControlSupport/nrdhtml.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://tx95ra01.wkglobal.net/dana-cached/sc/JuniperSetupClient.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: qrev - {9DE24BAC-FC3C-42c4-9FC4-76B3FAFDBD90} - c:\quest software\toad for oracle 10.6 freeware\RNetPin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\xobni\Skype4COM.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\prasad~1.kan\applic~1\mozilla\firefox\profiles\cbwi7g33.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/cse?cx=partner-pub-3540673482024757:xbhdw8hkfz5&ie=ISO-8859-1&q=&sa=Search
FF - plugin: c:\documents and settings\prasad.kanika\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPJinit13122.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
============= SERVICES / DRIVERS ===============
.
R1 NEOFLTR_650_14951;Juniper Networks TDI Filter Driver (NEOFLTR_650_14951);c:\windows\system32\drivers\NEOFLTR_650_14951.SYS [2010-10-1 85288]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2010-10-19 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2010-10-19 108392]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec antivirus\Rtvscan.exe [2010-10-19 1831024]
S1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2009-9-8 65584]
S1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
S2 MsDtsServer;SQL Server Integration Services;c:\program files\microsoft sql server\90\dts\binn\MsDtsSrvr.exe [2009-8-14 202600]
S2 msftesql$LOCAL2005;SQL Server FullText Search (LOCAL2005);c:\program files\microsoft sql server\mssql.1\mssql\binn\msftesql.exe [2006-8-28 92952]
S2 MSSQL$LOCAL2005;SQL Server (LOCAL2005);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2009-9-6 29180768]
S2 OracleReportServer-Rep60;Oracle Reports Server [Rep60];c:\orant\bin\RWMTS60.EXE [2002-11-26 110592]
S2 WKEndpoint;WK Endpoint;c:\program files\marimba\tuner\Tuner.exe [2007-6-7 36957]
S2 XobniService;XobniService;c:\program files\xobni\XobniService.exe [2009-3-24 45288]
S3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2010-7-12 30432]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2010-7-12 30432]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2010-10-19 23888]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-10-19 102448]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110330.040\NAVENG.SYS [2011-3-31 86136]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110330.040\NAVEX15.SYS [2011-3-31 1393144]
S3 NWDellModem;Dell Wireless Mobile Broadband Modem Driver;c:\windows\system32\drivers\nwdelmdm.sys [2007-7-26 92288]
S3 NWDellPort;Dell Wireless Mobile Broadband Status Port Driver;c:\windows\system32\drivers\nwdelser.sys [2007-7-26 92288]
S3 OracleClientCache80;OracleClientCache80;c:\orant\bin\ONRSD80.EXE [2002-11-26 101136]
S3 OracleReportServer-Oracle;Oracle Reports Server [Oracle];c:\orant\bin\RWMTS60.EXE [2002-11-26 110592]
S3 OracleReportServer-OraRepServer;Oracle Reports Server [OraRepServer];c:\orant\bin\RWMTS60.EXE [2002-11-26 110592]
S3 SQLAgent$LOCAL2005;SQL Server Agent (LOCAL2005);c:\program files\microsoft sql server\mssql.1\mssql\binn\SQLAGENT90.EXE [2007-2-10 344944]
S3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2006-12-2 2805000]
.
=============== File Associations ===============
.
exefile="c:\documents and settings\networkservice\local settings\application data\wqc.exe" -a "%1" %*
.
=============== Created Last 30 ================
.
2011-04-02 19:16:42 -------- d-sha-r- C:\cmdcons
2011-04-02 19:15:12 4224 ---ha-w- c:\windows\system32\beep.sys
2011-04-02 19:15:12 118272 ----a-w- c:\windows\system32\drivers\8823E8.tmp
2011-04-02 19:14:54 544768 ----a-w- c:\docume~1\alluse~1\applic~1\ceNQJDAVBWkpog.exe
2011-04-02 19:09:19 98816 ----a-w- c:\windows\sed.exe
2011-04-02 19:09:19 89088 ----a-w- c:\windows\MBR.exe
2011-04-02 19:09:19 256512 ----a-w- c:\windows\PEV.exe
2011-04-02 19:09:19 161792 ----a-w- c:\windows\SWREG.exe
2011-04-02 18:52:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-02 16:38:51 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-04-02 16:38:51 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-02 04:58:27 789834 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2011-04-02 04:40:40 -------- d-----w- c:\docume~1\harith~1.tad\locals~1\applic~1\VS Revo Group
2011-04-02 04:35:07 -------- d-----w- c:\program files\VS Revo Group
2011-03-31 03:44:41 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-31 03:44:37 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-31 01:13:59 -------- d-----w- C:\Windows Repair
2011-03-30 15:54:57 -------- d-----w- c:\docume~1\harith~1.tad\applic~1\CoreFTP
2011-03-30 11:13:48 -------- d--h--w- c:\windows\PIF
2011-03-29 14:16:00 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10
2011-03-29 01:48:28 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
2011-03-28 17:00:40 -------- d-----w- c:\program files\ESET
2011-03-26 12:41:41 0 ----a-w- c:\windows\Rwutifukin.bin
2011-03-26 12:39:54 149504 --sha-r- c:\windows\system32\CONFIGF.dll
2011-03-21 16:05:08 -------- d-----w- C:\Quest Software
2011-03-18 19:31:32 -------- d-----w- c:\documents and settings\prasad.kanika\Oracle
2011-03-18 19:29:02 -------- d-----w- c:\docume~1\harith~1.tad\applic~1\Quest Software
2011-03-14 16:44:14 -------- d-----w- c:\docume~1\harith~1.tad\locals~1\applic~1\Temp
2011-03-14 16:44:07 -------- d-----w- c:\docume~1\harith~1.tad\locals~1\applic~1\Google
2011-03-14 16:43:53 -------- d-----w- c:\docume~1\harith~1.tad\locals~1\applic~1\Deployment
2011-03-07 15:32:36 -------- d-----w- c:\docume~1\harith~1.tad\applic~1\CAD-KAS
2011-03-07 15:31:07 -------- d-----w- c:\docume~1\harith~1.tad\applic~1\GetRightToGo
.
==================== Find3M ====================
.
2011-03-07 15:32:16 75776 ---ha-w- c:\windows\cadkasdeinst01e.exe
2011-02-09 13:53:52 270848 ---ha-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ---ha-w- c:\windows\system32\encdec.dll
2011-02-02 07:58:35 2067456 ---ha-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ---ha-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ---ha-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ---ha-w- c:\windows\system32\atmfd.dll
.
============= FINISH: 15:45:14.51 ===============
Attached is the ComboFix log from when I ran it.
It says c:\windows\regedit.exe . . . is infected!!
Please help me in removing the virus.
Thank you
EDIT: Posts merged ~BP
Attached File(s):
- ark.log (16.68K)
- Attach.txt (34.18K)
- Combofix_log.txt (58.97K)
This post has been edited by Budapest: 03 April 2011 - 04:17 PM