Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Help - MS Removal Tool Virus - cannot remove


  • Please log in to reply
No replies to this topic

#1 1927city

1927city

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:07:42 AM

Posted 13 April 2011 - 12:44 PM

Hi All

I think I have the MS Removal Tool Virus on 2 pc's - my main pc runs Vista.

I've tried almost everything including:

> Rkill - which now doesn't find anything - although it did initially.
> Malwarebites - which now doesn't find anything - although it did initially.
> CCleaner, Adaware, Spybot & Avast - don't find anything
> I've tried to delete the taskmanager

I can access the internet in safe mode with networking and to a degree in normal start up, but the pc is still infected and not running particularly well.

I also tried running combofix and it generated the report below.

I'm desperate to fix this and really need somebody to talk me through it step by step as I'm not particularly pc literate and been trying to fix this for the past week almost constantly.

Please help!

Thanks

Jon

ComboFix 11-04-12.02 - Jon 13/04/2011 18:28:50.1.2 - x86 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.1789.1321 [GMT 1:00]
Running from: c:\users\Jon\Desktop\ComboFix.exe
AV: avast! antivirus *Enabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
AV: Spyware Doctor with AntiVirus *Disabled/Updated* {2F668A56-D5E0-2DF1-A0AE-CB1284F42AB2}
SP: avast! antivirus *Enabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
SP: Lavasoft Ad-Watch Live! *Enabled/Updated* {61CDFD9D-3CAC-9270-C6FC-52325ACB795B}
SP: Spyware Doctor *Disabled/Updated* {94076BB2-F3DA-227F-9A1E-F060FF73600F}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2011-03-13 to 2011-04-13 )))))))))))))))))))))))))))))))
.
.
2011-04-13 17:34 . 2011-04-13 17:35 -------- d-----w- c:\users\Jon\AppData\Local\temp
2011-04-13 17:34 . 2011-04-13 17:34 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-04-13 17:11 . 2011-04-13 17:11 -------- d-----w- c:\program files\CCleaner
2011-04-13 16:58 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-13 16:58 . 2010-12-20 17:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-13 16:14 . 2011-04-13 16:14 -------- d-----w- c:\programdata\IsolatedStorage
2011-04-12 19:43 . 2010-07-16 13:59 656320 ----a-w- c:\windows\system32\drivers\pctEFA.sys
2011-04-12 19:43 . 2010-07-16 13:59 338880 ----a-w- c:\windows\system32\drivers\pctDS.sys
2011-04-12 19:43 . 2011-01-17 08:10 251560 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2011-04-12 19:43 . 2010-12-16 07:38 103232 ----a-w- c:\windows\system32\drivers\pctwfpfilter.sys
2011-04-12 19:43 . 2010-12-10 15:57 160448 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2011-04-12 19:43 . 2010-12-10 12:24 239168 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2011-04-12 19:43 . 2010-12-16 07:46 70536 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2011-04-12 19:43 . 2011-04-13 11:45 -------- d-----w- c:\program files\PC Tools Security
2011-04-12 19:43 . 2011-04-12 19:51 -------- d-----w- c:\program files\Common Files\PC Tools
2011-04-12 19:43 . 2011-04-12 19:43 -------- d-----w- c:\users\Jon\AppData\Roaming\PC Tools
2011-04-12 19:40 . 2011-04-12 19:43 -------- d-----w- c:\programdata\PC Tools
2011-04-10 19:19 . 2011-04-10 19:19 469256 ----a-w- c:\program files\Common Files\Windows Live\.cache\44e5a68f1cbf7b403\InstallManager_WLE_WLE.exe
2011-04-10 19:19 . 2011-04-10 19:19 6260088 ----a-w- c:\program files\Common Files\Windows Live\.cache\2a894c6f1cbf7b401\Silverlight.4.0.exe
2011-04-10 12:52 . 2011-04-10 19:06 -------- d-----w- c:\users\Jon\AppData\Roaming\uTorrent
2011-04-09 08:42 . 2011-04-09 08:42 -------- d-----w- c:\programdata\WindowsSearch
2011-04-08 07:10 . 2011-03-15 04:05 6792528 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{15CB06C2-3CCA-4B8D-A06B-2D9B6AA77A30}\mpengine.dll
2011-03-25 16:57 . 2011-04-11 19:13 -------- d-----w- c:\users\Jon\AppData\Roaming\SuperNZB
2011-03-25 16:56 . 2011-03-25 16:56 -------- d-----w- c:\program files\SuperNZB
2011-03-23 13:21 . 2011-02-22 14:13 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-03-23 13:21 . 2011-02-22 13:33 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-03-23 13:21 . 2011-02-22 13:33 797696 ----a-w- c:\windows\system32\FntCache.dll
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-04 15:01 . 2011-03-04 15:01 51712 ----a-r- c:\users\Jon\AppData\Roaming\Microsoft\Installer\{78D62D17-D970-42DA-B8CF-5E5576293B33}\Icon78D62D174.exe
2011-03-04 15:01 . 2011-03-04 15:01 51712 ----a-r- c:\users\Jon\AppData\Roaming\Microsoft\Installer\{78D62D17-D970-42DA-B8CF-5E5576293B33}\Icon78D62D173.exe
2011-03-04 15:01 . 2011-03-04 15:01 51712 ----a-r- c:\users\Jon\AppData\Roaming\Microsoft\Installer\{78D62D17-D970-42DA-B8CF-5E5576293B33}\Icon78D62D172.exe
2011-03-04 15:01 . 2011-03-04 15:01 27648 ----a-r- c:\users\Jon\AppData\Roaming\Microsoft\Installer\{78D62D17-D970-42DA-B8CF-5E5576293B33}\Icon78D62D171.exe
2011-02-02 18:11 . 2009-10-09 17:27 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-01-20 16:37 . 2011-02-09 14:19 638336 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2011-01-20 16:08 . 2011-02-09 14:19 478720 ----a-w- c:\windows\system32\dxgi.dll
2011-01-20 16:08 . 2011-02-09 14:19 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2011-01-20 16:08 . 2011-02-09 14:19 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2011-01-20 16:08 . 2011-02-09 14:19 1029120 ----a-w- c:\windows\system32\d3d10.dll
2011-01-20 16:08 . 2011-02-09 14:19 189952 ----a-w- c:\windows\system32\d3d10core.dll
2011-01-20 16:07 . 2011-02-09 14:19 37376 ----a-w- c:\windows\system32\cdd.dll
2011-01-20 16:07 . 2011-02-09 14:19 258048 ----a-w- c:\windows\system32\winspool.drv
2011-01-20 16:07 . 2011-02-09 14:19 586240 ----a-w- c:\windows\system32\stobject.dll
2011-01-20 16:06 . 2011-02-09 14:19 2873344 ----a-w- c:\windows\system32\mf.dll
2011-01-20 16:06 . 2011-02-09 14:19 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2011-01-20 16:04 . 2011-02-09 14:19 209920 ----a-w- c:\windows\system32\mfplat.dll
2011-01-20 16:04 . 2011-02-09 14:19 98816 ----a-w- c:\windows\system32\mfps.dll
2011-01-20 14:28 . 2011-02-09 14:19 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2011-01-20 14:27 . 2011-02-09 14:19 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-01-20 14:26 . 2011-02-09 14:19 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2011-01-20 14:25 . 2011-02-09 14:19 847360 ----a-w- c:\windows\system32\OpcServices.dll
2011-01-20 14:24 . 2011-02-09 14:19 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2011-01-20 14:15 . 2011-02-09 14:19 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
2011-01-20 14:14 . 2011-02-09 14:19 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll
2011-01-20 14:14 . 2011-02-09 14:19 302592 ----a-w- c:\windows\system32\mfmp4src.dll
2011-01-20 14:14 . 2011-02-09 14:19 261632 ----a-w- c:\windows\system32\mfreadwrite.dll
2011-01-20 14:12 . 2011-02-09 14:19 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2011-01-20 14:11 . 2011-02-09 14:19 486400 ----a-w- c:\windows\system32\d3d10level9.dll
2011-01-20 13:47 . 2011-02-09 14:19 683008 ----a-w- c:\windows\system32\d2d1.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-16 3872080]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"RtHDVCpl"="RtHDVCpl.exe" [2008-04-08 6037504]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1348904]
"NDSTray.exe"="NDSTray.exe" [BU]
"Skytel"="Skytel.exe" [2007-11-20 1826816]
"LXCECATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\LXCEtime.dll" [2007-02-22 73728]
"lxcemon.exe"="c:\program files\Lexmark 4300 Series\lxcemon.exe" [2007-05-17 205744]
"EzPrint"="c:\program files\Lexmark 4300 Series\ezprint.exe" [2007-05-17 103344]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-12-20 443728]
.
c:\users\Jon\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2009-9-27 576000]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
TRDCReminder.lnk - c:\program files\TOSHIBA\TRDCReminder\TRDCReminder.exe [2008-3-5 393216]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKLM\~\startupfolder\C:^Users^Jon^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\users\Jon\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-20 23:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-01-31 08:44 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 11:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-12-13 17:16 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\topi]
2007-07-10 08:24 581632 ----a-w- c:\program files\TOSHIBA\Toshiba Online Product Information\TOPI.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Toshiba Registration]
2008-01-11 02:07 574864 ----a-w- c:\program files\TOSHIBA\Registration\ToshibaRegistration.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Toshiba TEMPO]
2008-08-26 14:27 103824 ----a-w- c:\program files\Toshiba TEMPRO\Toshiba.Tempo.UI.TrayApplication.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
R0 pavboot;Panda boot driver;c:\windows\system32\Drivers\pavboot.sys [x]
R0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-11-21 691696]
R1 aswSP;avast! Self Protection; [x]
R1 ShldDrv;Panda File Shield Driver;c:\windows\system32\DRIVERS\ShlDrv51.sys [2009-07-15 41144]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-11-24 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\DRIVERS\aswMonFlt.sys [2009-11-24 53328]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2008-04-16 40960]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-05-01 1029456]
R2 PavProc;Panda Process Protection Driver;c:\windows\system32\DRIVERS\PavProc.sys [2009-07-15 179640]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
R2 TempoMonitoringService;Notebook Performance Tuning Service ;c:\program files\Toshiba TEMPRO\TempoSVC.exe [2008-08-26 99720]
R3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\Jumpstart\jswpsapi.exe [2008-04-16 954368]
R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\PC Tools Security\pctsAuxs.exe [2010-03-15 366840]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-07-03 64160]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-12-10 239168]
S0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [2010-07-16 338880]
S1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\DRIVERS\jswpslwf.sys [2008-04-28 20384]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2006-11-20 7168]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ECACHE
*NewlyCreated* - PXHELP20
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-30 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 19:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://vshare.toolbarhome.com/?hp=df
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSEE&bmod=TSEE
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
FF - ProfilePath - c:\users\Jon\AppData\Roaming\Mozilla\Firefox\Profiles\p7g9u54z.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.cardiffcity-mad.co.uk/
FF - prefs.js: keyword.URL - hxxp://vshare.toolbarhome.com/search.aspx?srch=ku&q=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 54343
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: vShare: vshare@toolbar - %profile%\extensions\vshare@toolbar
.
.
------- File Associations -------
.
.txt=
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-RunOnce-<NO NAME> - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-13 18:35
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCECATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\LXCEtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet004\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2011-04-13 18:36:49
ComboFix-quarantined-files.txt 2011-04-13 17:36
ComboFix2.txt 2011-04-13 12:20
ComboFix3.txt 2011-04-13 12:10
.
Pre-Run: 19,027,046,400 bytes free
Post-Run: 19,058,925,568 bytes free
.
- - End Of File - - 6A41AFCF8D6712E896D8846EB67112A4

BC AdBot (Login to Remove)

 





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users