Infected - [Help ASAP] - Logs | Many Information Included

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Grily, Aug 25, 2012.

  1. Grily

    Grily Private E-2

    Hello,

    I am currently on a different computer, but my own pc is not working properly.
    I've already requested help on a different forum, but I did not get an answer.

    I need help as soon as possible, because I need my pc for school.

    --

    Note: I did read the Sticky, but I did not follow those steps exactly.
    I tried something else first and I have some logs.

    --

    Some problems I am having:


    • I can't run Windows (XP) in normal mode. If I do this I get the following message:

    Dutch (original message):

    Het systeem wordt door NT AUTHORITY\SYSTEM afgesloten.

    C:\WINDOWS\SYSTEM32\SERVICES.EXE is onverwacht gestopt met statuscode 0.

    English:

    The system is being shut down by NT AUTHORITY\SYSTEM.

    C:\WINDOWS\SYSTEM32\SERVICES.EXE terminated unexpectedly with status code 0.


    --------------------

    • I cannot install windows updates

    I've had this problem for a while already, but I am not sure why.
    Should I try to download and run Windows FixitCenter?


    --------------------

    I have tried the following things already:


    -----

    I scanned my pc with Malwarebytes twice.
    One time 11 hours and one time 10+ hours. I don't know why the scans took so long.

    This did not help.

    -----

    I did a Security Check, I scanned with ESET Online Scanner and with aswMBR.
    Logs are down below.

    I also tried to scan with OTL (OldTimer's List-It), but somehow I couldn't finish the scan with this.

    Something else I tried was scanning with TDSS Killer (Kaspersky).
    It found about 40 threats and I tried to remove all rootkits. I had to reboot the system, but when I did this my pc could not boot at all.

    I restored my pc to the latest working settings. The TDSS Killer did not help.

    -----

    I would also like to say that I have quite some tools on my pc, such as CCleaner, RegCure Pro, RegClean Pro, Driver Detective, Smart Defrag 2, Smart Driver Updater, Advanced SystemCare 5, Process Hacker 2, Spybot Search & Destroy, HitmanPro.

    I use these tools on a regular basis to fix Registry errors, clean temp files, etc.

    -----

    Scan logs:

    SecurityCheck Log
    Code:
     Results of screen317's Security Check version 0.99.46
     Windows XP Service Pack 3 x86
     Internet Explorer 8
    ``Antivirus/Firewall Check:``
     Windows Security Center service is not running! This report may not be accurate!
    Bitdefender Antivirus
     Antivirus up to date!
    ``Anti-malware/Other Utilities Check:``
     Spybot - Search & Destroy
     Malwarebytes Anti-Malware version 1.62.0.1300
     CCleane

     JavaFX 2.1.1
     JavaFX 2.0.3 SDK
     Java(TM) 6 Update 31
     Java(TM) 7 Update 5
     Java(TM) SE Development Kit 7 Update 2
     Java(TM) SE Development Kit 7 Update 3
     Java version out of Date!
     Adobe Flash Player 10 Flash Player out of Date!
     Adobe Flash Player 11.1.102.62
     Adobe Reader X 10.1.3 Adobe Reader out of Date!
     Mozilla Firefox 12.0 Firefox out of Date!
    ``Process Check: objlist.exe by Laurent``
    ``System Health check``
     Total Fragmentation on Drive C::
    ``End of Log``
    
    ESET Online Scanner Log
    Code:
    ESETSmartInstaller@High as downloader log:
    all ok
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6583
    # api_version=3.0.2
    # EOSSerial=94c963d94c8ced43bea0f5fb2bf591fc
    # end=stopped
    # remove_checked=true
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2012-07-04 02:58:02
    # local_time=2012-07-04 04:58:02 (+0100, West Europe (summer time))
    # country="Netherlands"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777175 100 0 7057659 7057659 0 0
    # compatibility_mode=8192 67108863 100 0 118 118 0 0
    # scanned=317361
    # found=3
    # cleaned=3
    # scan_time=7836
    C:\Documents and Settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll	a variant of Win32/Adware.Yontoo.B application (cleaned by deleting - quarantined)	00	C
    C:\Documents and Settings\Gebruiker\Bureaublad\Dark Comet Rat 5.2\DarkComet.exe	a variant of Win32/TrojanDownloader.Small.PDS trojan (cleaned by deleting - quarantined)	00	C
    C:\Documents and Settings\Gebruiker\Bureaublad\Dark Comet Rat 5.2\Celesty Binder\Celesty.exe	a variant of Win32/TrojanDropper.Binder.NBH trojan (cleaned by deleting - quarantined)	00	C
    ESETSmartInstaller@High as downloader log:
    Can not open internet
    [the two lines above repeat once for each further failed download attempt]
    ESETSmartInstaller@High as downloader log:
    all ok
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6583
    # api_version=3.0.2
    # EOSSerial=94c963d94c8ced43bea0f5fb2bf591fc
    # end=finished
    # remove_checked=true
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2012-08-25 11:16:35
    # local_time=2012-08-25 01:16:35 (+0100, West Europe (summer time))
    # country="Netherlands"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 0
    # compatibility_mode=8192 67108863 100 0 4480602 4480602 0 0
    # scanned=579220
    # found=5
    # cleaned=5
    # scan_time=6867
    C:\Documents and Settings\Gebruiker\Mijn documenten\Bureaublad\Dark Comet Rat 5.2\cools?gpj.exe	Win32/TrojanDropper.Binder.NBH trojan (cleaned by deleting - quarantined)	00	C
    C:\Documents and Settings\Gebruiker\Mijn documenten\Bureaublad\Dark Comet Rat 5.2\DarkComet.exe	a variant of Win32/TrojanDownloader.Small.PDS trojan (cleaned by deleting - quarantined)	00	C
    C:\Documents and Settings\Gebruiker\Mijn documenten\Bureaublad\Dark Comet Rat 5.2\design.exe	a variant of Win32/Fynloski.AA trojan (cleaned by deleting - quarantined)	00	C
    C:\Documents and Settings\Gebruiker\Mijn documenten\Bureaublad\Dark Comet Rat 5.2\Celesty Binder\Celesty.exe	a variant of Win32/TrojanDropper.Binder.NBH trojan (cleaned by deleting - quarantined)	00	C
    D:\Documents and Settings\R\My Documents\Downloads\installer_sony_vegas_pro_10_0a_32_bits_English.exe	multiple threats (cleaned by deleting - quarantined)	00	C
    
    aswMBR Log
    Code:
    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-08-24 12:29:37
    --
    12:29:37.703    OS Version: Windows 5.1.2600 Service Pack 3
    12:29:37.703    Number of processors: 2 586 0x604
    12:29:37.703    ComputerName: GEBRUIKE-FDAE3D  UserName: Gebruiker
    12:29:42.796    Initialize success
    12:30:13.140    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
    12:30:13.156    Disk 0 Vendor: ST3160812AS 3.AHL Size: 152627MB BusType: 3
    12:30:13.171    Disk 1  \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP1T0L0-e
    12:30:13.187    Disk 1 Vendor: ST3250823AS 3.01 Size: 238475MB BusType: 3
    12:30:13.218    Disk 0 MBR read successfully
    12:30:13.234    Disk 0 MBR scan
    12:30:13.250    Disk 0 Windows XP default MBR code
    12:30:13.265    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS  152617 MB offset 63
    12:30:13.328    Disk 0 scanning sectors +312560640
    12:30:13.531    Disk 0 scanning C:\WINDOWS\system32\drivers
    12:30:48.968    Service scanning
    12:32:38.500    Modules scanning
    12:33:01.578    Disk 0 trace - called modules:
    12:33:01.687    ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys 
    12:33:01.703    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a7ff030]
    12:33:02.015    3 CLASSPNP.SYS[f7637fd7] -> nt!IofCallDriver -> \Device\007d[0x8a79d9e8]
    12:33:02.328    5 ACPI.sys[f75ad620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a79f940]
    12:33:02.640    Scan finished successfully
    12:47:06.218    Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Gebruiker\Bureaublad\Scan Logs\MBR.dat"
    12:47:06.234    The log file has been saved successfully to "C:\Documents and Settings\Gebruiker\Bureaublad\Scan Logs\aswMBR.txt"
    

    --------------------


    You might've noticed that I have/had DarkCometRat on my pc.
    I installed this myself, so you don't have to worry that someone Ratted me.

    However, I believe I already deleted it, just to be sure.


    --------------------


    I have been trying to fix my pc for the past 30 hours, so I am a little tired. However, I NEED to get this fixed, so if anyone on this forum can help me, please reply as soon as possible.

    Kind regards,
    Grily
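The ESET log above is easier to trust once it is parsed rather than eyeballed: the first run ends with "end=stopped", which means the counters describe an interrupted scan, and the "found"/"cleaned" header values are only believable if they agree with the detection records that follow them. The script below is an added example (not ESET's code and not part of the original post); the line format is taken from the log as pasted on this page, the sample log is constructed for the example with invented paths, and the "unable to clean" action string is an assumption used to show the not-cleaned case.

```python
"""Parse and sanity-check ESET Online Scanner logs of the kind pasted above.

Added example; not ESET's code. Format assumptions (from the log text on this
page): lines beginning '# key=value' form the run header, a new run starts at
each '# version=' line, and each detection is one tab-separated record:
    <path> TAB <detection (action)> TAB <code> TAB <flag>
"""
import re

# Constructed sample in the page's format (two runs, paths invented for the example).
SAMPLE_LOG = "\n".join([
    "ESETSmartInstaller@High as downloader log:",
    "all ok",
    "# version=7",
    "# end=stopped",          # interrupted run: counters may not cover the whole disk
    "# archives_checked=false",
    "# utc_time=2012-07-04 02:58:02",
    "# scanned=317361",
    "# found=3",
    "# cleaned=3",            # claims 3 cleaned, but only 2 records say so (see audit_run)
    "C:\\ProgramData\\Vendor\\_Setupx.dll\ta variant of Win32/Adware.Yontoo.B application (cleaned by deleting - quarantined)\t00\tC",
    "C:\\Users\\u\\Desktop\\tool\\tool.exe\ta variant of Win32/TrojanDownloader.Small.PDS trojan (cleaned by deleting - quarantined)\t00\tC",
    "C:\\Users\\u\\Downloads\\setup.exe\tmultiple threats (unable to clean)\t00\tC",
    "ESETSmartInstaller@High as downloader log:",
    "Can not open internet",
    "ESETSmartInstaller@High as downloader log:",
    "all ok",
    "# version=7",
    "# end=finished",
    "# archives_checked=true",
    "# found=1",
    "# cleaned=1",
    "C:\\Users\\u\\Desktop\\tool\\design.exe\ta variant of Win32/Fynloski.AA trojan (cleaned by deleting - quarantined)\t00\tC",
])

# "<detection name> (<action taken>)" as written by the scanner
VERDICT_RE = re.compile(r"^(?P<name>.*?)\s*\((?P<action>[^()]*)\)$")


def parse_detection(fields):
    """Turn one tab-separated detection record into a dict."""
    path, verdict = fields[0], fields[1] if len(fields) > 1 else ""
    m = VERDICT_RE.match(verdict)
    name, action = (m.group("name"), m.group("action")) if m else (verdict, "")
    return {"path": path, "name": name, "action": action,
            "cleaned": action.startswith("cleaned")}


def parse_eset_log(text):
    """Split a (possibly concatenated) log into runs: header values + detections."""
    runs, run = [], None
    for line in text.splitlines():
        if line.startswith("# version="):
            run = {"header": {}, "detections": []}
            runs.append(run)
        if run is None:                       # downloader chatter before the first run
            continue
        if line.startswith("# ") and "=" in line:
            key, value = line[2:].split("=", 1)
            run["header"].setdefault(key, []).append(value)   # keys may repeat
        elif "\t" in line:
            run["detections"].append(parse_detection(line.split("\t")))
    return runs


def audit_run(run):
    """Return human-readable reasons why this run's result should not be trusted."""
    hdr = run["header"]
    val = lambda key, default="": hdr.get(key, [default])[0]
    dets = run["detections"]
    issues = []
    if val("end") != "finished":
        issues.append("scan did not finish (end=%s); results are partial" % val("end"))
    if val("archives_checked") == "false":
        issues.append("archives were not scanned")
    found, cleaned = int(val("found", "0")), int(val("cleaned", "0"))
    if found != len(dets):
        issues.append("header says found=%d but %d detection records present" % (found, len(dets)))
    really_cleaned = sum(1 for d in dets if d["cleaned"])
    if cleaned != really_cleaned:
        issues.append("header says cleaned=%d but only %d records report a clean action"
                      % (cleaned, really_cleaned))
    return issues


def left_behind(run):
    """Paths the scanner detected but did not clean; these need manual follow-up."""
    return [d["path"] for d in run["detections"] if not d["cleaned"]]


if __name__ == "__main__":
    for n, run in enumerate(parse_eset_log(SAMPLE_LOG), 1):
        print("run %d: %d detections, issues: %s" % (n, len(run["detections"]), audit_run(run) or "none"))
        for path in left_behind(run):
            print("  not cleaned:", path)
```

Run against a real log, the interesting output is the issues list: an interrupted run, a counter that disagrees with the records, or an "archives not scanned" flag each mean the scan has to be repeated before its "cleaned" lines are taken as the end of the story.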
     
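The aswMBR log above reports the partition table it read ("Partition 1 80 (A) 07 HPFS/NTFS NTFS 152617 MB offset 63") and saves the raw sector to MBR.dat. The following added example (not aswMBR's code, not part of the original post) decodes such a 512-byte image and diffs its boot-code area against a baseline copy, which is how a saved MBR.dat is actually useful later: a bootkit has to rewrite the first 440 bytes. The partition-table layout used is the standard MBR layout; the sample image is constructed from the values in the log with placeholder boot code, not a dump of the poster's disk.

```python
"""Decode and baseline-compare a 512-byte MBR image (e.g. the MBR.dat that
aswMBR saved above). Added example; not aswMBR's code. The partition-table
layout (offset 446, four 16-byte entries, 0x55AA signature at 510) is the
standard MBR layout; the sample image below is constructed from the values
in the aswMBR log (active NTFS partition, type 0x07, starting at sector 63,
152617 MB) with placeholder boot code, not a dump of the poster's disk."""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440           # bytes 0..439: boot code; 440..445: disk signature + pad
PARTITION_TYPES = {0x07: "HPFS/NTFS", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
                   0x05: "Extended", 0x0F: "Extended (LBA)", 0x83: "Linux"}
ENTRY_FMT = "<B3xB3xII"       # boot flag, (CHS start), type, (CHS end), start LBA, sector count


def build_mbr(boot_code, partitions):
    """Assemble a 512-byte MBR from boot code and up to four partition dicts."""
    table = b""
    for p in (partitions + [None] * 4)[:4]:
        if p is None:
            table += bytes(16)
        else:
            table += struct.pack(ENTRY_FMT, 0x80 if p["active"] else 0x00,
                                 p["type"], p["start_lba"], p["sectors"])
    return boot_code[:BOOT_CODE_LEN].ljust(BOOT_CODE_LEN, b"\0") + bytes(6) + table + b"\x55\xAA"


def parse_mbr(mbr):
    """Return signature status, a hash of the boot-code area and the used partition entries."""
    if len(mbr) != SECTOR:
        raise ValueError("expected a %d-byte MBR image, got %d bytes" % (SECTOR, len(mbr)))
    signature = struct.unpack_from("<H", mbr, 510)[0]
    parts = []
    for i in range(4):
        flag, ptype, start, count = struct.unpack_from(ENTRY_FMT, mbr, 446 + 16 * i)
        if ptype == 0:
            continue
        parts.append({"index": i + 1, "active": flag == 0x80,
                      "flag_valid": flag in (0x00, 0x80),
                      "type": ptype, "type_name": PARTITION_TYPES.get(ptype, "unknown"),
                      "start_lba": start, "sectors": count,
                      "size_mb": count * SECTOR // (1024 * 1024)})
    return {"signature_ok": signature == 0xAA55,
            "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": parts}


def boot_code_diff(baseline, current):
    """Offsets where the boot-code area changed; an empty list means the code is unchanged.
    Bootkits rewrite this region, so compare a fresh dump against one saved while clean."""
    return [i for i in range(BOOT_CODE_LEN) if baseline[i] != current[i]]


# Constructed sample: one entry matching the aswMBR log's partition line.
XP_PARTITION = {"active": True, "type": 0x07, "start_lba": 63, "sectors": 152617 * 2048}
PLACEHOLDER_BOOT_CODE = b"\xEB\xFE" + bytes(BOOT_CODE_LEN - 2)   # 'jmp $' stub, not real XP code
CLEAN_MBR = build_mbr(PLACEHOLDER_BOOT_CODE, [XP_PARTITION])
TAMPERED_MBR = b"\x33\xC0" + CLEAN_MBR[2:]        # first two boot-code bytes overwritten

if __name__ == "__main__":
    info = parse_mbr(CLEAN_MBR)
    print("signature ok:", info["signature_ok"])
    for p in info["partitions"]:
        print("Partition %d %s type 0x%02X %s %d MB offset %d" % (
            p["index"], "80 (A)" if p["active"] else "00", p["type"],
            p["type_name"], p["size_mb"], p["start_lba"]))
    print("boot code changed at offsets:", boot_code_diff(CLEAN_MBR, TAMPERED_MBR))
```

To use it on a real system, read MBR.dat (or a fresh dump) with open(path, "rb").read() and pass the bytes to parse_mbr and boot_code_diff; a non-empty diff against the baseline, a bad signature, or a partition flag other than 0x00/0x80 is worth a look before trusting the "default MBR code" verdict.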
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

  3. Grily

    Grily Private E-2

    I will follow those steps, but I have one question/note:

    I did some (more) research and I think I am infected with a Sasser worm.
    This problem could also be caused by the fact that I haven't installed any Windows updates (I couldn't) in a long time (I think).

    Therefore, my question before I start the Malware Removal Guide:

    Is there any tool to fix the problem with the Windows Updates?

    If you think this won't fix the problem, please reply and I will start on the removal guide.

    Side note: I have been scanning my pc (with different programs) for the past 30 hours now (20 hours with Malwarebytes and 10 with different tools).

    --

    I already scanned my pc with a Blaster scanner, but that didn't find anything.
    I will now run a Sasser fixer and install a Windows Security Update via their website.

    When I am done with that I'll get back to this thread to see if I should do something else or just follow the steps.
     
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    We can't really help you without seeing the requested logs.
     
  5. Grily

    Grily Private E-2

    All right, thank you. I will get back to you / edit this post when I have scanned everything.
    I will scan everything in Safe Mode. I had problems with something before, but I hope this works out well.
     
  6. Grily

    Grily Private E-2

    Logs are below.
    Malwarebytes could not find any threats and it didn't save any logs.
     

    Attached Files:

  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate these detections:


    • [DNS] HKLM\[...]\ControlSet001\Parameters\Interfaces\{299E8757-53EA-4AB0-B9FC-4F42A75D5016} : NameServer (8.26.56.26,156.154.70.22) -> FOUND
      [DNS] HKLM\[...]\ControlSet003\Parameters\Interfaces\{299E8757-53EA-4AB0-B9FC-4F42A75D5016} : NameServer (8.26.56.26,156.154.70.22) -> FOUND
      [HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
      [HJ NAME] [ON_D:Gast]HKCU[...]\Run : Windows Update (C:\WINDOWS\system32\winlogon\winlogon.exe) -> FOUND
      [BLACKLIST DLL] [ON_D:R]HKCU[...]\Run : FXWD6M2DFK (rundll32.exe C:\DOCUME~1\R\LOCALS~1\Temp\sshnas21.dll,GetHandle) -> FOUND

    Place a checkmark next to each of these items, leave the others unchecked.
    Now press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)
    Do not reboot your computer yet.
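The five RogueKiller lines above are a compact picture of what a post-infection registry looks like: two NameServer values on the TCP/IP interface key, a Run value called "Windows Update" pointing at a winlogon.exe inside a directory that is itself named winlogon (the real binary is directly under system32), and a Run value with a random name that uses rundll32.exe to load a DLL out of a user's Temp folder. The script below is an added example (not RogueKiller's code and not part of any post in this thread) that parses lines in that format and applies those observations as heuristics. The line format is inferred from the five lines on this page; the expected-resolver allow-list (192.168.1.1), the list of core system binary names, the Temp path markers and the random-name rule are all this example's own assumptions, and the third line (the NewStartPanel item) is passed through with the tool's verdict only because none of the heuristics cover it.

```python
"""Triage RogueKiller registry findings like those quoted above. Added example;
not RogueKiller's code. The line format is inferred from the five lines on this
page; the heuristics (expected-resolver allow-list, Temp-resident autostarts,
rundll32 proxying, lookalike paths, random value names) are this example's own
assumptions about what is worth a closer look, not the tool's verdicts."""
import re

# The five detections TimW asked to be deleted, copied from the post above.
SAMPLE_REPORT = [
    r"[DNS] HKLM\[...]\ControlSet001\Parameters\Interfaces\{299E8757-53EA-4AB0-B9FC-4F42A75D5016} : NameServer (8.26.56.26,156.154.70.22) -> FOUND",
    r"[DNS] HKLM\[...]\ControlSet003\Parameters\Interfaces\{299E8757-53EA-4AB0-B9FC-4F42A75D5016} : NameServer (8.26.56.26,156.154.70.22) -> FOUND",
    r"[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND",
    r"[HJ NAME] [ON_D:Gast]HKCU[...]\Run : Windows Update (C:\WINDOWS\system32\winlogon\winlogon.exe) -> FOUND",
    r"[BLACKLIST DLL] [ON_D:R]HKCU[...]\Run : FXWD6M2DFK (rundll32.exe C:\DOCUME~1\R\LOCALS~1\Temp\sshnas21.dll,GetHandle) -> FOUND",
]

LINE_RE = re.compile(
    r"^\[(?P<tag>[^\]]+)\]\s+"            # [DNS], [HJ NAME], [BLACKLIST DLL] ...
    r"(?:\[(?P<context>[^\]]+)\])?"       # optional [ON_D:<user>] marker for offline user hives
    r"(?P<key>\S+?)\s*:\s*"               # registry key, middle elided by the tool as [...]
    r"(?P<name>.*?)\s+\((?P<data>.*)\)"   # value name and its data
    r"\s*->\s*(?P<status>\w+)$")

# Assumptions used by the heuristics below.
SYSTEM_BINARIES = {"winlogon.exe", "services.exe", "lsass.exe", "csrss.exe", "smss.exe", "svchost.exe"}
TEMP_MARKERS = ("\\temp\\", "\\locals~1\\temp\\", "\\appdata\\local\\temp\\")
RANDOM_NAME_RE = re.compile(r"^(?=.*\d)[A-Z0-9]{8,}$")   # e.g. FXWD6M2DFK


def parse_line(line):
    """Parse one 'TAG KEY : NAME (DATA) -> STATUS' line; None if it does not match."""
    m = LINE_RE.match(line.strip().lstrip("•").strip())
    return m.groupdict() if m else None


def launched_file(data):
    """File that an autostart value ultimately loads (the DLL for rundll32 lines)."""
    data = data.strip()
    if data.lower().startswith("rundll32"):
        return data.split(None, 1)[1].split(",")[0].strip().strip('"')
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    return data.split(" ")[0]


def triage(lines, expected_dns):
    """Return one finding per parsed line, with the reasons it looks suspicious."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        tag, key, name, data = rec["tag"], rec["key"], rec["name"], rec["data"]
        reasons = []
        if tag == "DNS" and name == "NameServer":
            rogue = [ip.strip() for ip in data.split(",") if ip.strip() not in expected_dns]
            if rogue:
                reasons.append("resolvers not in the expected set: " + ", ".join(rogue))
        elif key.lower().endswith("\\run"):
            path = launched_file(data)
            low = path.lower()
            pieces = low.split("\\")
            base = pieces[-1]
            parent = pieces[-2] if len(pieces) > 1 else ""
            if any(marker in low for marker in TEMP_MARKERS):
                reasons.append("autostart payload lives in a Temp directory: " + path)
            if "rundll32" in data.lower():
                reasons.append("rundll32 proxy execution of " + path)
            if base in SYSTEM_BINARIES:
                reasons.append("Run value launches a file named after a core system binary: " + base)
            if parent and base.rsplit(".", 1)[0] == parent:
                reasons.append("directory named after the binary (lookalike path): " + path)
            if RANDOM_NAME_RE.match(name):
                reasons.append("random-looking value name: " + name)
        findings.append({"tag": tag, "context": rec["context"], "key": key, "name": name,
                         "data": data, "tool_status": rec["status"],
                         "reasons": reasons, "suspicious": bool(reasons)})
    return findings


if __name__ == "__main__":
    # Constructed allow-list: the resolver the network is supposed to hand out.
    for f in triage(SAMPLE_REPORT, expected_dns={"192.168.1.1"}):
        mark = "!!" if f["suspicious"] else "  "
        print(mark, f["tag"], f["name"], "->", "; ".join(f["reasons"]) or "no heuristic hit")
```

The allow-list is the part that has to come from the operator: pass in whatever resolvers the network is supposed to hand out, and the two NameServer lines stop being flagged only if both addresses are on it.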
     
  8. Grily

    Grily Private E-2

    I scanned (and removed) in Safe Mode (with networking). Here's the RK log.
    My computer is still on (didn't reboot).

    Note: I think it saved a log after scanning and after deleting, not really sure.
    Added 2 logs, just to be sure (they're almost the same).
     

    Attached Files:

  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Re-run RogueKiller and click the Fix DNS button. Attach the new log. I need to consult about another item.
     
  10. Grily

    Grily Private E-2

    RK Logs of DNS Fix are below.

    Hopefully you read this soon: Can I turn off my computer? It has been on for the past 2 days.
     

    Attached Files:

  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Tell me what issues you are still having, if any.

    And yes, reboot your computer.
     
  12. Grily

    Grily Private E-2

    Still the same problem(s) as in my first post.
    Seems like it didn't fix anything.

    I myself thought this problem could be because I don't have the latest Windows updates. I can't install updates.

    Maybe this is a sasser worm?
     
  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please download ComboFix to your desktop. Turn off any AV software you have before you run it. Attach the log when finished.
    Do not do anything while it is running or it may stall the program.
     
  14. Grily

    Grily Private E-2

    For some reason I couldn't turn off my anti-virus (Bitdefender), but the log of combofix is below.
     

    Attached Files:

  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Combo removed a few items. But also reported that you are missing NDProxy.sys.

    You might want to go ahead and try MS Fix It.
     
  16. Grily

    Grily Private E-2

    When I try to run FixIt I get an error.

    "Fix it Center Setup encountered an error.
    An unexpected error has occurred. Please close and try to run Setup again later."

    I am in safe mode with networking.

    --

    Note: I downloaded it on a different pc, on a USB; then from the USB on this pc.

    When I downloaded it on the pc I could just run it.
     
    Last edited: Aug 29, 2012
  17. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Why are you still running in safe mode? What happens if you try running in normal mode?

    Also, go to start / run / and type in services.msc and scroll down to BITS (Background Intelligent Transfer Service) and set it to auto.

    Do you have your Install CD?
     
  18. Grily

    Grily Private E-2

    Because I still have the same problem as in my first post (error).
    All the steps didn't fix it.

    What exactly do you mean with the install cd?

    I also don't see BITS in services.msc
     
  19. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your XP installation CD. Your problems are not malware but rather system issues.
     
  20. Grily

    Grily Private E-2

    I am not sure if I have a CD, but if I re-install XP; will everything be deleted (programs, files, etc.)?
     
  21. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Not if you do a repair install.
     
  22. Grily

    Grily Private E-2

    So the only way to fix this is with a CD?
    I don't know if I have a CD..
     
  23. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let's see if we can't fix the missing BITS service:

    Download the below to your desktop.

    BITS.reg


    • Now please click Start, and type regedit into the search box.
    • You should see a regedit.exe and icon appear in the Programs area of the Start Menu.
    • Right click on regedit.exe and select Run As Administrator
    • Then in the Registry Editor menu click File and select Import.
    • Navigate to the BITS.reg file saved to your Desktop and double click it. Allow it to be added to the registry.


    Reboot.
    Is Windows Update now okay?

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\MGlogs.zip
     
  24. Grily

    Grily Private E-2

    I have uninstalled Windows XP and I installed Windows 7.

    All programs are gone, but so be it.

    (I have a backup of my files).

    School is starting very, very soon, so I need my computer.

    --

    I would like to thank you for all your help.
     
  25. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Good choice!! I think you will like it.

    And you are most welcome. Safe surfing!! :)
     
