It disables my firewall
It disables my automatic updates and locks AU to off/disabled; I have to use the Run command to actually activate the DLL to turn on Automatic Updates.
It disables my current antivirus protection (Microsoft Security Essentials).
Then when viewing DeviantART, my Internet window dies, and all its tabs die as well. The first thing I run is MSE; as I am running it, a fake Windows Security Center pops up saying I am infected. Thankfully so far MSE has found and supposedly removed the things it has found. Even on startup it finds the EXACT same things as it found during the scan, two or three items. I have the DDS logs, but sadly when trying to run the GMER scanner, I got hit with the Blue Screen of Death; this virus will not quit, and I've lost more braincells fighting an uphill battle with this thing. I even ran rkill; it says it found and killed a proxy connection, which I never set. It leaves an RK_Proxy reg key on my desktop when done; I merely deleted it, as I never set a proxy, so merging will do little good.
I want this machine cleaned, and the virus properly killed and all my backdoors sealed.
The DDS logs:
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Value customer at 22:49:11.54 on 21-Apr-11
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.391 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Value customer\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://forum.gateworld.net/
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.6209.1142\swg.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.10.115.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1302667142343
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Filter: text/html - {f7a0ea3d-9d9d-4e85-84eb-91f804b2fdb9} -
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
R1 MpKsl73227667;MpKsl73227667;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{861f7a94-d6b8-48e5-b836-4e78b07d525f}\MpKsl73227667.sys [2011-4-21 28752]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-12-25 136176]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-4-8 38224]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-4 14336]
.
=============== Created Last 30 ================
.
2011-04-21 22:02:57 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{861f7a94-d6b8-48e5-b836-4e78b07d525f}\MpKsl73227667.sys
2011-04-21 19:32:02 7071056 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{861f7a94-d6b8-48e5-b836-4e78b07d525f}\mpengine.dll
2011-04-18 23:51:53 -------- d-----w- c:\docume~1\valuec~1\locals~1\applic~1\PCHealth
2011-04-15 19:31:30 10368 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
2011-04-15 19:31:30 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2011-04-13 19:23:45 274288 ----a-w- c:\windows\system32\mucltui.dll
2011-04-13 19:23:45 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2011-04-13 07:52:47 -------- d-----w- c:\docume~1\valuec~1\applic~1\Windows Search
2011-04-13 05:55:37 7071056 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2011-04-13 05:54:38 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-04-13 05:49:37 -------- d-----w- c:\program files\Microsoft Security Client
2011-04-13 04:36:01 -------- d-----w- c:\windows\system32\winrm
2011-04-13 04:35:56 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$
2011-04-13 04:35:29 -------- d-----w- c:\docume~1\valuec~1\applic~1\Windows Desktop Search
2011-04-13 04:33:40 7680 -c----w- c:\windows\system32\dllcache\iecompat.dll
2011-04-09 00:37:42 -------- d-----w- c:\docume~1\valuec~1\applic~1\Malwarebytes
2011-04-09 00:37:33 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-09 00:37:33 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-04-09 00:37:29 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-09 00:37:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-09 00:24:06 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-04-09 00:24:06 -------- d-----w- c:\windows\system32\wbem\Repository
.
==================== Find3M ====================
.
2011-03-07 05:33:50 692736 ------w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ------w- c:\windows\system32\win32k.sys
2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06:29 43520 ------w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06:29 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41:59 385024 ------w- c:\windows\system32\html.iec
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 21:13:36 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53:52 270848 ------w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ------w- c:\windows\system32\encdec.dll
2011-02-08 13:33:55 978944 ------w- c:\windows\system32\mfc42.dll
2011-02-08 13:33:55 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-02 07:58:35 2067456 ------w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ------w- c:\windows\system32\mstsc.exe
.
============= FINISH: 22:50:37.46 ===============
I will also post up the rkill logs when they are requested.
~
DG
PS: I wish to apologise first and foremost for my anger; this virus has driven me through a concrete and steel-reinforced bunker, and I'm actually ready to take this thing to the local computer chop shop for help. But I want to get help here and try to avoid paying money to get this laptop cleaned.
Attached File(s): Attach.txt (24.49K)
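An added check for the symptoms described in the post above (example script, not from the original poster and not part of DDS, rkill or MSE): a read-only audit, typed into cmd.exe on Windows XP, of the four things the post says were tampered with, the firewall, Automatic Updates, the antivirus service and the WinINet proxy, plus the Security Center notification overrides that rogue "Windows Security Center" lookalikes commonly set. The service names, registry paths and value meanings are the standard XP locations; the script name, and the assumption that a value under the Policies hive is what makes AU appear locked, are assumptions for this example. Nothing in it changes the machine.

```batch
@echo off
rem audit-xp-tampering.cmd  (added example, not from the original post)
rem Read-only audit of settings the post reports as disabled or hijacked.
rem Run from cmd.exe as an administrator on Windows XP SP2/SP3.

echo === Windows Firewall (SharedAccess service, StandardProfile policy) ===
sc query SharedAccess | findstr /i "STATE"
rem EnableFirewall 0x0 under the policy key means the firewall is forced off
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v EnableFirewall 2>nul
netsh firewall show state

echo.
echo === Automatic Updates (service start type and the policy lock) ===
sc qc wuauserv | findstr /i "START_TYPE"
sc query wuauserv | findstr /i "STATE"
rem AUOptions 1 = disabled. A value under \Policies\ (assumed here to be the
rem "lock" the post describes) greys the setting out so the GUI cannot clear it.
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v AUOptions 2>nul
reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" 2>nul

echo.
echo === Security Center overrides (a value of 1 silences the real alerts) ===
reg query "HKLM\SOFTWARE\Microsoft\Security Center" 2>nul | findstr /i "DisableNotify Override"
sc query wscsvc | findstr /i "STATE"

echo.
echo === Microsoft Security Essentials service (MsMpSvc) ===
sc qc MsMpSvc | findstr /i "START_TYPE"
sc query MsMpSvc | findstr /i "STATE"

echo.
echo === WinINet proxy for the current user (what rkill flagged) ===
rem ProxyEnable 0x1 with a ProxyServer the user never set, or an AutoConfigURL
rem pointing off the machine, routes IE through the attacker's proxy.
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable 2>nul
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer 2>nul
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v AutoConfigURL 2>nul
```

Compare the output with the post: a START_TYPE of DISABLED on wuauserv or MsMpSvc, an EnableFirewall of 0x0, any AU policy values, and a ProxyEnable of 0x1 are the things a cleanup would need to reverse, and re-checking after each reboot is how to tell whether the persistence MSE keeps finding at startup is still re-applying them.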