I've Been Attacked By The Internet Security 2010 Virus

Hello,

I was checking my e-mail two days ago(Jan 26, 2010), and I started getting pop-ups saying that my system may be at risk from a malicious virus, and a systray icon that I couldn't right-click on. I would close the pop-up window and it would re-appear in about three minutes with the same pop-up. It wouldn't let me access my taskmanager, or any systems opperations. After doing some searching I downloaded, "Hijackthis", and was able to close, and delete the virus, or so I thought! I deleted it with the "delete on re-boot" option. When I restarted my system, it would log on, and then immediately log off. I contacted Dell and they said that it seemed to have deleted my "logon file" when I deleted the virus, but dell tecs would not offer anymore help unless I brought it to them for $129. So I tried re-installing my Windows XP home edition, and it wouldn't work. It said that there was a missing file. I tried it again yesterday and it did work but I use a screen reader because I'm blind and when it got to the registration section I had to stop and wait until someone came over to help me. About eight hours later the computer had shut down and when I cut the computer back on, it went to the original windows program, but now it will logon. When it came on my screen reader(Zoomtext 8) would not launch because of an "OSC" problem. I re installed Zoomtext, and it worked. Now Internet Explorer won't work from the desktop, and I can access the desktop properties but I can't change my background image. I have a background that says "YOUR SYSTEM IS INFECTED","System has been stopped due to serious malfunction spyware activity has been detected","It is recommended to use spyware removal tool to prevent data loss do not use computer before all spyware removed". Please help me fix this, and thank you for your time.

Here is a copy of my log


DDS (Ver_09-12-01.01) - NTFSx86
Run by Schmann Thompson at 9:02:03.56 on Thu 01/28/2010
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.152 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\system32\IFXSPMGT.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Broadcom\Security Platform Software\PSDsrvc.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ZoomText 8.1\Zt8.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Schmann Thompson\Local Settings\Temporary Internet Files\Content.IE5\2SOSWCM8\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\winlogon32.exe
BHO: Gamevance: {0ed403e8-470a-4a8a-85a4-d7688cfe39a3} - c:\program files\gamevance\gamevancelib32.dll
BHO: AhIeBho Class: {10384d0e-2bc1-48b6-844b-ad0e9e6d2511} - c:\program files\zoomtext 8.1\ahoi\ah_ie_bho.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Gamevance Text: {beac7dc8-e106-4c6a-931e-5a42e7362883} - c:\program files\gamevance\gvtl.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_C5284CC30AB3000E.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Internet Security 2010] c:\program files\internetsecurity2010\IS2010.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [IfxSecurePlatformIndication] c:\program files\broadcom\security platform software\SpTNA.exe
mRun: [PSDruntime] c:\program files\broadcom\security platform software\PSDrt.EXE
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0\bin\jusched.exe
mRun: [Sony Ericsson PC Suite] "c:\program files\sony ericsson\mobile2\application launcher\Application Launcher.exe" /startoptions
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Gamevance] c:\program files\gamevance\gamevance32.exe a
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [smss32.exe] c:\windows\system32\smss32.exe
mRun: [Xzugi] rundll32.exe "c:\windows\ozumiyap.dll",Startup
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\setpoint.lnk - c:\program files\setpoint\SetPoint.exe
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_803138DCE93649E4.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0\bin\npjpi150.dll
LSP: c:\windows\system32\helper32.dll
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_C5284CC30AB3000E.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: IfxWlxEN - IfxWlxEN.dll
Notify: PSDNtfy - c:\program files\broadcom\security platform software\PSDNtfy.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli rus3d40.dll

============= SERVICES / DRIVERS ===============

R1 Ai2sXP;Ai2sXP;c:\windows\system32\drivers\Ai2sXP.sys [2009-9-21 7168]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-9-21 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-9-21 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-9-21 108552]
R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [2005-3-11 29283]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-9-21 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-9-21 297752]
R2 dmsmbios;dmsmbios;c:\windows\system32\dmsmbios.sys [2001-5-30 16480]

=============== Created Last 30 ================

2010-01-28 12:12:31 0 d-----w- c:\windows\system32\CatRoot_bak
2010-01-27 14:45:05 28288 -c--a-w- c:\windows\system32\dllcache\xjis.nls
2010-01-27 14:43:58 36927 -c--a-w- c:\windows\system32\dllcache\padrs411.dll
2010-01-27 14:42:55 13463552 -c--a-w- c:\windows\system32\dllcache\hwxjpn.dll
2010-01-27 14:41:53 45056 -c--a-w- c:\windows\system32\dllcache\EXCH_aqadmin.dll
2010-01-27 14:39:44 488 ---ha-r- c:\windows\system32\logonui.exe.manifest
2010-01-27 14:39:37 749 ---ha-r- c:\windows\WindowsShell.Manifest
2010-01-27 14:39:37 749 ---ha-r- c:\windows\system32\wuaucpl.cpl.manifest
2010-01-27 14:39:37 749 ---ha-r- c:\windows\system32\sapi.cpl.manifest
2010-01-27 14:39:37 749 ---ha-r- c:\windows\system32\ncpa.cpl.manifest
2010-01-27 14:39:26 0 d-----w- c:\program files\Online Services
2010-01-27 14:39:16 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
2010-01-27 14:38:37 32768 -c--a-w- c:\windows\system32\dllcache\icwdl.dll
2010-01-26 17:32:07 0 d-----w- c:\program files\Trend Micro
2010-01-26 15:15:20 0 ----a-w- c:\windows\system32\15724.exe
2010-01-26 14:55:15 0 ----a-w- c:\windows\system32\19169.exe
2010-01-26 14:35:07 38912 ----a-w- c:\windows\system32\26500.exe
2010-01-26 14:15:06 0 ----a-w- c:\windows\system32\6334.exe
2010-01-26 13:55:04 38912 ----a-w- c:\windows\system32\18467.exe
2010-01-26 13:51:16 0 d-----w- c:\program files\InternetSecurity2010
2010-01-26 13:38:51 0 ----a-w- c:\windows\Mfucanimifi.bin
2010-01-26 13:38:50 120 ----a-w- c:\windows\Lpaqumezimimi.dat
2010-01-26 13:35:02 38912 ----a-w- c:\windows\system32\41.exe
2010-01-26 13:34:37 25088 ----a-w- c:\windows\system32\helper32.dll
2010-01-26 13:34:18 2931 ----a-w- c:\windows\system32\warning.html
2010-01-26 13:30:17 1 ----a-w- C:\s
2010-01-21 17:18:54 33846 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp FLAC Codec.bmp
2010-01-21 17:18:54 3018 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp FLAC Codec.dat
2010-01-20 15:48:29 0 d-----w- c:\program files\Windows Media Connect 2
2010-01-20 15:45:42 0 d-----w- c:\windows\system32\LogFiles

==================== Find3M ====================

2010-01-27 14:38:07 22720 ----a-w- c:\windows\system32\emptyregdb.dat
2010-01-21 17:17:56 522928 ----a-w- c:\windows\system32\SpoonUninstall.exe

============= FINISH: 9:02:57.25 ===============

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.

• Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.
  
  
• Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
  
  
• Please reply to this post so I know you are there.

The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks

I'm here Mole, and thank in advance

Hi slthompson,

Let's try and remove what we can, stop what we can and then hit what we can.

Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).


Then

Download and Run RKill

Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

Link 1
Link 2
Link 3
Link 4

• Before we begin, you should disable your anti-malware softwares you have installed so they do not interfere RKill running as some anti-malware softwares detect RKill as malicious. Please refer to this page if you are not sure how.
• Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
• A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
• Please post the resulting log in your next reply.

Then let's run a powerful remover called Combofix

Please download ComboFix from one of these locations:

• Bleepingcomputer
• ForoSpyware
• GeeksToGo

* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
• Double click on Combofix.exe & follow the prompts.
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Thanks

exehelperlog.txt

exeHelper by Raktor
Build 20091220
Run at 06:52:03 on 02/10/10
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

rkill.log

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as Schmann Thompson on 02/10/2010 at 9:37:46.


Processes terminated by Rkill or while it was running:


C:\Program Files\ZoomText 8.1\Zt8.exe
C:\Documents and Settings\Schmann Thompson\Desktop\rkill.pif


Rkill completed on 02/10/2010 at 9:37:49.

Still waiting for Combofix, slthompson.

Hi,

I have not had a reply from you for 4 days. Can you please tell me if you still need help with your computer as I am unable to help other members with their problems while I have your topic still open. The time taken between posts can also change the situation with your PC making it more difficult to help you.

If you like you can PM me.

Thanks,

m0le

Since this issue appears to be resolved ... this topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.