Trojan infiltration

Discussion in 'Malware Help (A Specialist Will Reply)' started by dani-alves, Mar 19, 2009.

  1. dani-alves

    dani-alves Private E-2

    Greetings to all

    About several days back, foolish me downloaded an .exe and opened it. Needless to say, it turned out to be a virus. The effects were pretty quick, so I have to call in the heavy cavalry (you guys). I am using Microsoft Windows XP Professional, version 2002 SP 2.

    I could no longer access my windows firewall. Doing so would result in a prompt "Windows firewall settings cannot be displayed because the associated service is not running. Do you want to start the windows firewall/internet connection sharing (ics) service?"

    Also I would get random error prompts, with one being "The application failed to initialize properly (0xc00000017). Click on OK to terminate the application." I can't view videos anymore; every video file I open just shows an algae green screen. My printer has also ceased to function: when I try printing a document, the printer settings page comes up but I don't see the icon for my Canon printer. Running games would reboot my computer; is this due to the virus disabling my video card?

    When I bring up the Task Manager screen, I noticed several reader_s.exe running, and I don't recall seeing it before I ran the dodgy executable file. Also, I can't access the internet with my PC anymore. The Network Connections window (from Control Panel) that used to list my connection type has disappeared. It is a blank screen now. I've tried creating a new broadband connection, but after clicking Done there is still a blank screen.

    I have done all steps listed in the XP cleaning procedure except the ComboFix step. The furthest I got was the screen saying it is scanning for infected files and it won't take more than 10 minutes, but I've waited several hours and it does not progress. If it is necessary I will try getting the ComboFix log, but if so, do I have to start all over in the numerical order listed in the Windows XP procedure, e.g. SuperAntiSpyware followed by Malwarebytes, then ComboFix and lastly MGtools? Or could I just retrieve the log and post it?

    Attached below are the SuperAntiSpyware, Malwarebytes and MGtools logs. Please help; I patiently await advice. Thank you for your time and help.
     

    Attached Files:

    Last edited: Mar 19, 2009
  2. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download
    - Pocket Killbox
    - ExplorerXP

    Using Add or Remove Programs in the Control Panel; uninstall the following:
    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.

    On the page that opens, scroll down to FAH@C:+Program Files+Ubisoft+Far Cry 2+bin+[RAZOR1911][WEB SEED] FAR CRY 2 CRACK - REAL 100% FULLY WORKING+FAH.exe ... right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis, but instead of scanning, click on the 'None of the above, just start the program' button at the bottom of the choices. At the lower right, click on the 'Config' button, and then the 'Misc tools' button ... select 'Delete an NT Service' ... copy/paste the following into the box that opens, and press 'OK':

    FAH@C:+Program Files+Ubisoft+Far Cry 2+bin+[RAZOR1911][WEB SEED] FAR CRY 2 CRACK

    Click on the "Back" Button. Click the 'Scan' button.

    Place a checkmark in the box next to the following lines:
    Code:
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL (file missing)
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click Delete Selected Temp Files
    Then after it deletes the files click the Exit (Save Settings) button.

    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.

      Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open ExplorerXP navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    Now run ATF Cleaner.

    If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    As an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:

    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.

    Download to your Desktop
    - ComboFix by sUBs from >> Geeks2Go <<

    Save as AvoidTDSS.exe during the download. ComboFix must be renamed before you download to your Desktop

    Close ALL windows

    Double click AvoidTDSS.exe follow the prompts

    When finished, the program will produce a log

    Note:
    1. Do not mouseclick combofix's window while it's running. That may cause it to stall!
    2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below log:

    • C:\MGlogs.zip
    • C:\combofix.txt

    Make sure you tell me how things are working now!
     
  3. dani-alves

    dani-alves Private E-2

    Thank you for the reply, Shadow_Puter_Dude. I encountered these problems.


    1. I could not find Opera 9.01 in Add or Remove Programs.


    2. As instructed by you, I tried to delete "FAH@C:+Program Files+Ubisoft+Far Cry 2+bin+[RAZOR1911][WEB SEED] FAR CRY 2 CRACK" using HijackThis. I am sure I copied and pasted correctly. However, attempting to delete an NT service brought up the prompt "FAH@C:+Program Files+Ubisoft+Far Cry 2+bin+[RAZOR1911][WEB SEED] FAR CRY 2 CRACK was not found in the registry. Make sure you entered the name of the service correctly."

    3. No pending file rename operations prompt ( Not a problem but you asked to note it)

    4. I can only access my firewall by clicking the Windows Security Alerts icon in the bottom right corner of the taskbar. Accessing it through Control Panel > Windows Firewall would bring up the same prompt "Windows firewall settings cannot be displayed because the associated service is not running. Do you want to start the windows firewall/internet connection sharing (ics) service?"

    5. I still can't connect to the internet. Under Control Panel > Network Connections, I clicked on Set up a home or small office network in the Network Tasks tab. The Network Setup Wizard screen says "Cannot complete the Network Setup Wizard. The wizard cannot find your network hardware. Before using this wizard, you must first install and configure your network cards, modems, cables and device drivers. For help installing your hardware, see Hardware requirements overview in Help and Support Center. Then, when you are finished installing your network hardware, run this wizard again."

    Attempts to install my Linksys router brought up this error: "Linksys EasyLink Advisor setup wizard requires a wired network adapter to continue, error 312: No wired adapter detected." Continued below:
    "If your computer has a wired network adapter (i.e. Ethernet port), then follow these steps: 1) Enable your wired network adapter. 2) Click Retry to try installing your router again. If your computer does not have a wired network adapter, then contact your computer manufacturer for help."

    Sorry for the lengthy message, but I wanted to add in everything necessary. I can view videos now and I don't get the green screen. Attached below are the relevant logs. Thank you for your patience and time.
     

    Attached Files:

  4. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download
    - Pocket Killbox

    -----------------------------------------------------------

    Copy the contents of the below quote box to Notepad; Save As FixReg.reg to your Desktop; make sure File Type: is set to All Files (*.*).
    Code:
    REGEDIT4
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load]
    "zzz"=-
    "hky"=-
    "cert"=-
    "forwas"=-
    "scrensos"=-
    
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Userinit"="C:\\WINDOWS\\userinit.exe,"
    Close Notepad.

    Locate FixReg.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.

    -----------------------------------------------------------

    Do the following:
    Start -> Run
    type: cmd
    Click 'OK'

    The Command Console will open.

    Enter each of the below commands, followed by pressing the ENTER key after each command. (The commands must be entered exactly as shown.)
    Code:
    del "c:\windows\system32\userinit.exe"
    copy "C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\userinit.exe" "c:\windows\system32\userinit.exe"
    del "c:\windows\system32\svchost.exe"
    copy "C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\svchost.exe" "c:\windows\system32\svchost.exe"
    del "c:\windows\system32\spoolsv.exe"
    copy "C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\spoolsv.exe" "c:\windows\system32\spoolsv.exe"
    del "c:\windows\explorer.exe"
    copy "C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\explorer.exe" "c:\windows\explorer.exe"
    exit
    The Command Console will close.

    -----------------------------------------------------------

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click Delete Selected Temp Files
    Then after it deletes the files click the Exit (Save Settings) button.

    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.

      Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open ExplorerXP navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    Now run ATF Cleaner.

    If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    As an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:

    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.

    -----------------------------------------------------------

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below log:

    • C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  5. dani-alves

    dani-alves Private E-2

    Shadow puter dude

    I screwed up big time. I saved FixReg.reg to my desktop, after which I merged it with the registry. The next step was to run the command console; I typed in del "c:\windows\system32\userinit.exe" but it said unable to locate userinit.exe or something along those lines. I closed the command console and rebooted my computer. Now I am stuck at my desktop startup screen (e.g. Administrator, Guest) where you have to choose a profile and input a password to start Windows. Upon entering my password, initially the line of text below my profile name says "loading your personal settings", after which it changes to "Closing network connections" and it reverts back to the screen where I can type my password again. Rebooting into safe mode does not help either. I am sorry this has to drag on and I sincerely apologize.
     
  6. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Boot to the Windows Recovery Console, log on to your Windows installation.

    At the Command Prompt enter each of the below commands, followed by pressing the ENTER key after each command. (The commands must be entered exactly as shown.)
    Code:
    copy "C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\userinit.exe" "c:\windows\system32\userinit.exe"
    exit
    Your system will reboot, and you should now be able to log on to Windows.
     
  7. dani-alves

    dani-alves Private E-2

    Thank you, Shadow. I am able to log in to my profile now. Just a quick question: you mentioned opening the command console to delete this file "c:\windows\system32\userinit.exe". I am unable to locate this file in my Task Manager processes. However, the rest of the files, svchost, spoolsv and explorer.exe, are there in the processes window. Please advise on my next step. Thank you for your time and patience.
     
  8. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Run everything in the Read ME & Run First, make sure you delete all copies of MGTools and download a new copy of MGTools.

    Let's take a fresh look at everything.
     
  9. dani-alves

    dani-alves Private E-2

    As instructed, these are the new logs. I would like to add that while running MGTools, I got this error. Other than this problem everything ran smoothly. Once again thanks for your patience and time, Shadow. Much appreciated.

    "The application failed to initialize properly (0xc000007b). Click on OK to terminate the application.

    Process DLL.EXE - Application Error The application failed to initialize properly (0xc0000135) Click on any key to terminate"
     

    Attached Files:

  10. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    The installed version of Java on this computer is outdated. Install Java Runtime Environment (JRE) 6u13 available from Sun Microsystems.

    -----------------------------------------------------------

    Using Add or Remove Programs in the Control Panel; uninstall the following:
    -----------------------------------------------------------

    1) I strongly advise you to clean up your Desktop. Remove everything but links to run programs. Do not download and save programs here and definitely do not use it for long term storage. You need to keep ComboFix.exe here for now as we need it, but we will be removing it when we are finished with your cleanup. A cluttered Desktop is malware's playground and it can also cause performance degradation.

    2) Now we need to use ComboFix to remove some stuff.

    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it

    (make sure you scroll all the way down in the code box to get all lines selected):
    Code:
    KILLALL::
    
    FCOPY::
    C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\userinit.exe | C:\WINDOWS\system32\userinit.exe
    C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\userinit.exe | C:\WINDOWS\system32\dllcache\userinit.exe
    C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\svchost.exe | C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\svchost.exe | C:\WINDOWS\system32\dllcache\svchost.exe
    C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\explorer.exe | C:\WINDOWS\system32\explorer.exe
    C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\explorer.exe | C:\WINDOWS\system32\dllcache\explorer.exe
    C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\spoolsv.exe | C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\spoolsv.exe | C:\WINDOWS\system32\dllcache\spoolsv.exe
    
    File::
    c:\windows\DUMP3930.tmp
    c:\windows\DUMP3921.tmp
    c:\windows\DUMP37f8.tmp
    c:\windows\DUMP3fc8.tmp
    c:\windows\DUMP3661.tmp
    c:\windows\DUMP5236.tmp
    c:\windows\DUMP96e1.tmp
    c:\windows\DUMPc0df.tmp
    c:\windows\DUMPc227.tmp
    c:\windows\DUMP9bb3.tmp
    c:\windows\adobe.bat
    c:\windows\_id.dat
    C:\WINDOWS\SYSTEM32\IPV6MONL.DLL
    
    Folder::
    C:\01b61db58cc68a146b15
    C:\ae1245f9dc661b9bcb6b352f34b520
    C:\be5f5ed058b62981632a95ec9f03e9
    C:\ac000338c2bc2455d039098f14
    
    Registry::
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{07884abb-4a35-11db-b2b7-806d6172696f}]
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0933a5bc-5a18-11db-95fb-806d6172696f}]
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0c07f5bb-47e0-11db-b074-806d6172696f}]
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{105f2916-6575-11db-8f15-806d6172696f}]
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{13c37bbb-5b8d-11db-9326-806d6172696f}]
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{23a7b83b-5362-11db-8124-806d6172696f}]
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2776423b-4023-11db-aed3-806d6172696f}]
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{28987c3b-4ac5-11db-87a0-806d6172696f}]
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{297a4ae1-3e39-11db-beb7-806d6172696f}]
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3d8a92bb-65d0-11db-a153-806d6172696f}]
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{404623bb-4b0a-11db-95e2-806d6172696f}]
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{41f530e1-516b-11db-858e-806d6172696f}]
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{453584bc-5de3-11db-b939-806d6172696f}]
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4e8708e2-41ff-11db-bf11-806d6172696f}]
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{54b0ece2-4399-11db-998d-806d6172696f}]
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{68e0bd3b-479a-11db-ac1d-806d6172696f}]
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6b32febb-5b2f-11db-aff5-806d6172696f}]
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6c74f731-3cba-11db-b331-806d6172696f}]
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7993f9e1-496f-11db-a186-806d6172696f}]
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7c5f9c3b-6056-11db-bb3b-806d6172696f}]
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{81161461-4c89-11db-a635-806d6172696f}]
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{82b90615-64ae-11db-af99-806d6172696f}]
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a3da0ebb-5da1-11db-a8fe-806d6172696f}]
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aa1d9d62-40fe-11db-b06a-806d6172696f}]
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b04bedbb-581c-11db-afbd-806d6172696f}]
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c39f786f-63ed-11db-85af-806d6172696f}]
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cb3422e2-4530-11db-ad90-806d6172696f}]
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e15a28bb-59aa-11db-a519-806d6172696f}]
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e538a761-3ffe-11db-83b3-806d6172696f}]
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f6193f62-42c2-11db-8ffb-806d6172696f}]
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fffbd1e2-470a-11db-9402-806d6172696f}]
    [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\FAH@C:+Program Files+Ubisoft+Far Cry 2+bin+[RAZOR1911][WEB SEED] FAR CRY 2 CRACK - REAL 100% FULLY WORKING+FAH.exe]
    [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{73364D99-1240-4dff-B11A-67E448373048}]
    [HKEY_CLASSES_ROOT\CLSID\{73364D99-1240-4DFF-B11A-67E448373048}]
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
      http://farm4.static.flickr.com/3014/3035535531_512f04c6a2_o.gif
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    3) FYI:

    The ComboFix folder should not be renamed since ComboFix and even we would have suspicions about it. Also when you uninstall CF, the folder would not be removed since it does not look for that folder name.

    4) Now Run CCleaner!

    5) Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Combofix.

    6) Let us know of any problems you may have encountered with the above instructions and also let me know how things are running now!
     
  11. dani-alves

    dani-alves Private E-2

    I followed all your instructions successfully. The only problem I encountered was "the application failed to initialize properly, (0xc0000007b). click on ok to terminate the application." while running getlogs.bat. Could you tell me how to reinstall my network card too? Much appreciated, Shadow.

    On a side note, I'll be going overseas for about two weeks and that means I'll be bringing my laptop with me, and the only way I can rectify it is to relay your replies to my brother. But I will try to do as much as I can. Once again, thank you for your time and patience, Mr. Shadow. Logs are attached below.
     

    Attached Files:

  12. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Copy the below code to Notepad; Save As DisableAutoRuns.reg to your Desktop; make sure File Type: is set to All Files (*.*).
    Code:
    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
    @="@SYS:DoesNotExist"
    
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2]
    
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    "HonorAutorunSetting"=dword:00000001
    "NoDriveAutoRun"=dword:03ffffff
    "NoDriveTypeAutoRun"=dword:000000ff
    
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    "HonorAutorunSetting"=dword:00000001
    "NoDriveAutoRun"=dword:03ffffff
    "NoDriveTypeAutoRun"=dword:000000ff
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
    "AutoRun"=dword:00000001
    Locate DisableAutoRuns.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.

    NOTE: KB950582 must be applied before the registry changes made by this patch can take effect.

    Prerequisites to disable Autorun capabilities

    To disable Autorun capabilities, you must install the following updates:


    Note: Windows Vista and Windows Server 2008 systems must have update 950582 (Security bulletin MS08-038) installed to take advantage of the registry key settings that disable Autorun.

    -----------------------------------------------------------

    Download
    - Pocket Killbox

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click Delete Selected Temp Files
    Then after it deletes the files click the Exit (Save Settings) button.

    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.

      Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    REBOOT to Normal Mode.

    -----------------------------------------------------------

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below log:

    • C:\MGlogs.zip

    Make sure you tell me how things are working now!
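Added example (not code from the thread or from any tool it names): a small Python parser for .reg files of the kind posted as FixReg.reg in post 4 and DisableAutoRuns.reg in post 12, plus a decoder for the Autorun policy bits set in the latter. The sample inputs are constructed; the FixReg sample deliberately leaves the winlogon key line without brackets and the path with single backslashes, so the parser shows the Userinit value landing under the previous key and flags both defects.

```python
"""Minimal .reg parser (REGEDIT4 / 5.00) plus an Explorer Autorun policy decoder. Added example."""
import re
from dataclasses import dataclass, field

# Bit positions of NoDriveTypeAutoRun correspond to the Win32 DRIVE_* type codes.
DRIVE_TYPE_BITS = {0: "DRIVE_UNKNOWN", 1: "DRIVE_NO_ROOT_DIR", 2: "DRIVE_REMOVABLE",
                   3: "DRIVE_FIXED", 4: "DRIVE_REMOTE", 5: "DRIVE_CDROM",
                   6: "DRIVE_RAMDISK", 7: "RESERVED"}
HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')  # name=data lines

@dataclass
class RegFile:
    keys: dict = field(default_factory=dict)            # key path -> {name: data}
    deleted_keys: list = field(default_factory=list)    # [-key] sections
    deleted_values: list = field(default_factory=list)  # (key, name) for name=-
    errors: list = field(default_factory=list)          # (line number, message)

def _unescape(s):
    # Resolve the two .reg escapes, \\ and \"; ok is False if a stray backslash was seen.
    out, ok, i = [], True, 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s) and s[i + 1] in '\\"':
            out.append(s[i + 1])
            i += 2
        else:
            ok = ok and s[i] != "\\"
            out.append(s[i])
            i += 1
    return "".join(out), ok

def parse_reg(text):
    """Parse .reg text; malformed lines are recorded in errors, never skipped silently."""
    rf, current = RegFile(), None
    lines = text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        rf.errors.append((1, "missing or unknown .reg header"))
    for n, raw in enumerate(lines[1:], start=2):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.startswith("-"):
                rf.deleted_keys.append(key[1:])
                current = None
            else:
                current = key
                rf.keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:  # e.g. a key path typed without [brackets]
            rf.errors.append((n, "not a [key] line or a name=data line inside a key: " + line))
            continue
        name = "@" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])[0]
        data = m.group(2).strip()
        if data == "-":
            rf.deleted_values.append((current, name))
        elif data.startswith("dword:"):
            rf.keys[current][name] = int(data[6:], 16)
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            value, ok = _unescape(data[1:-1])
            if not ok:
                rf.errors.append((n, "unescaped backslash in string data"))
            rf.keys[current][name] = value
        else:
            rf.errors.append((n, "unsupported data format: " + data))
    return rf

def autorun_policy(rf, key):
    """Decode the Autorun policy values under key (0xFF = every drive type, 0x03FFFFFF = A..Z)."""
    vals = rf.keys.get(key, {})
    honor = vals.get("HonorAutorunSetting") == 1
    types = vals.get("NoDriveTypeAutoRun", 0)
    letters = vals.get("NoDriveAutoRun", 0)
    return {
        "honor_autorun_setting": honor,
        "disabled_drive_types": [DRIVE_TYPE_BITS[b] for b in range(8) if (types >> b) & 1],
        "disabled_drive_letters": [chr(ord("A") + b) for b in range(26) if (letters >> b) & 1],
        "all_autorun_disabled": honor and (types & 0xFF) == 0xFF
        and (letters & 0x03FFFFFF) == 0x03FFFFFF,
    }

# Constructed sample after the thread's FixReg.reg: the winlogon key line is
# deliberately left without brackets and the path keeps single backslashes.
FIXREG_SAMPLE = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load]
"zzz"=-
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon
"Userinit"="C:\WINDOWS\userinit.exe,"'''
# Constructed sample after the thread's DisableAutoRuns.reg (HKLM part only).
AUTORUN_SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"HonorAutorunSetting"=dword:00000001
"NoDriveAutoRun"=dword:03ffffff
"NoDriveTypeAutoRun"=dword:000000ff'''
POLICY_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
```

Running `parse_reg(FIXREG_SAMPLE)` reports lines 4 and 5 as errors and shows the Userinit value stored under the Control Panel\load key, which is why a missing bracket line in a fix file is worth catching before merging.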
     
  13. dani-alves

    dani-alves Private E-2

    Thanks for your response. As usual I got this prompt while running getlogs.bat: "The application failed to initialize properly (0xc000007b). Click on OK to terminate the application."

    There was no PendingFileRenameOperations prompt. I still can't surf the internet. When trying to create a home network I get the same prompt saying that the wizard can't find my network hardware. Please tell me how to reinstall my network card so I can surf the net again!! Log is attached below. Thank you for your persistence, Shadow. Much appreciated.
     

    Attached Files:

    Last edited: Apr 7, 2009
  14. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download GMER

    1. Click-on the "Download Exe" button, this will generate a random name for GMER, accept the default file name and save the file to your Desktop.
    2. Double click the file you just downloaded.
    3. Click the Rootkit tab and then click the Scan button.
    4. IMPORTANT: Do NOT use the computer while the scan is in progress
    5. Do not select the "Show all" checkbox during the scan.
    6. When it finishes, click the Copy button. This will copy the results to your clipboard.
    7. Paste the clipboard into a notepad file and save it to a log (like gmer.log).

    Post the GMER log with your next reply.
     
  15. dani-alves

    dani-alves Private E-2

    Thank you for your prompt reply. I've done as instructed but I got this prompt during the GMER scan: "WARNING !!! GMER has found system modification caused by rootkit activity." Log is attached below. Thank you.
     

    Attached Files:

  16. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    I need some information from your Event logs.

    Start the Event Viewer

    1. Click Start, and then click Control Panel. Click Performance and Maintenance, then click Administrative Tools, and then double-click Computer Management. Or, open the MMC containing the Event Viewer snap-in.
    2. In the console tree, click Event Viewer.
    The Application, Security, and System logs are displayed in the Event Viewer window.

    Look through the Application Event log for this error message:
    "The application failed to initialize properly (0xc000007b). Click on OK to terminate the application."

    Tell me what application is causing the error.
     
  17. dani-alves

    dani-alves Private E-2

    Shadow, I've manually gone through every entry under Application and I have tried using the Find function under View, and I am still unsuccessful in finding the renegade error. Thank you.
     
  18. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download to your desktop OSAM Autorun Manager Portable from http://www2.online-solutions.ru/en/download_file.php?p=131097

    This is a RAR archive and you will need a program like 7-zip, http://downloads.sourceforge.net/sevenzip/7z464.msi to unpack the archive.

    Install 7-zip

    Right click on osam_autorun_manager_portable.rar, select "7-Zip" -> Extract to "osam_autorun_manager_portable"

    Open osam_autorun_manager_portable, double-click osam.exe.

    When OSAM begins to run, click "Next" until you get to "Close" then click on "Close"

    Press the second button in the top menu ("Save Log" button).

    The standard Windows "Save as" dialog will appear.

    You need to save a report in the .log format (not .html).

    Save the log file somewhere you can find it, then attach the log to your reply.
     
  19. dani-alves

    dani-alves Private E-2

    Thanks shadow. Log is attached below.
     

    Attached Files:

  20. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    1. Start OSAM, click "Next" until you get to "Close" then click on "Close".
    2. Click on the "Settings" button in the top menu and then change the value for the "Disable objects using the driver" option to "Always".
    3. Disable the following entries by removing the checkmarks in the checkboxes:
    Code:
    [Common]
    -----( %SystemRoot%\Tasks )-----
    "ADF929549436D8FC.job" - ? - C:\WINDOWS\Tasks\ADF929549436D8FC.job
    
    [Internet Explorer]
    -----( HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser )-----
    <binary data> "ITBarLayout" - ? -   (COM-object registry key not found)
    <binary data> "Megaupload Toolbar" - ? - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL  (File not found)
    <binary data> "{2318C2B1-4965-11D4-9B18-009027A5CD4F}" - ? -   (COM-object registry key not found)
    4. Once you have finished disabling the items, press the "Apply" button.
    5. Press the "Close" button.
    6. Press the "Reboot now" button.

    Once your computer has rebooted.

    Run OSAM.

    When OSAM begins to run, click "Next" until you get to "Close" then click on "Close"

    Press the second button in the top menu ("Save Log" button).

    The standard Windows "Save as" dialog will appear.

    You need to save a report in the .log format (not .html).

    Save the log file somewhere you can find it, then attach the log to your reply.
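    For readers following this thread who want to triage an OSAM log before deciding what to disable: the post above singles out a scheduled task with a random hexadecimal name and three toolbar entries whose target file or COM registry key no longer exists. The script below is an added example, not OSAM's code and not anything from this thread's helpers; it parses the .log layout OSAM writes (section headers in square brackets, a dashed location header, then one entry per line as name, vendor, path and an optional status in parentheses) and sorts entries into live suspects versus dead "orphan" entries. The sample log is constructed from the entries quoted above, and the random-name heuristic is this example's own assumption, not an OSAM rule.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in OSAM's "Save Log" (.log) layout: only the entries
# quoted in the post above, nothing else from the real machine.
SAMPLE_LOG = r"""
[Common]
-----( %SystemRoot%\Tasks )-----
"ADF929549436D8FC.job" - ? - C:\WINDOWS\Tasks\ADF929549436D8FC.job

[Internet Explorer]
-----( HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser )-----
<binary data> "ITBarLayout" - ? -   (COM-object registry key not found)
<binary data> "Megaupload Toolbar" - ? - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL  (File not found)
<binary data> "{2318C2B1-4965-11D4-9B18-009027A5CD4F}" - ? -   (COM-object registry key not found)
"""

SECTION_RE = re.compile(r"^\[(?P<section>[^\]]+)\]$")
LOCATION_RE = re.compile(r"^-{3,}\(\s*(?P<location>.*?)\s*\)-{3,}$")
# "name" - vendor - path  (status); "?" is OSAM's marker for an unknown
# vendor, and the leading "<binary data>" tag is optional.
ENTRY_RE = re.compile(
    r'^(?:<binary data>\s+)?"(?P<name>[^"]*)"\s+-\s+(?P<vendor>.*?)\s+-\s*'
    r"(?P<path>.*?)\s*(?:\((?P<status>[^()]*)\))?\s*$"
)
# Random-looking autorun names such as ADF929549436D8FC.job: a long hex stem
# plus an extension. This is a heuristic assumed by this example, not an OSAM rule.
RANDOM_NAME_RE = re.compile(r"^[0-9A-Fa-f]{8,}\.\w+$")


@dataclass
class AutorunEntry:
    section: str
    location: str
    name: str
    vendor: str
    path: str
    status: Optional[str]
    flags: List[str] = field(default_factory=list)


def parse_osam_log(text: str) -> List[AutorunEntry]:
    """Walk the log line by line, tracking the current [section] and location header."""
    entries: List[AutorunEntry] = []
    section = location = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        m = LOCATION_RE.match(line)
        if m:
            location = m.group("location")
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(AutorunEntry(section, location, m.group("name"),
                                        m.group("vendor"), m.group("path"),
                                        m.group("status")))
    return entries


def classify(entry: AutorunEntry) -> str:
    """Attach triage flags and return a verdict: 'orphan', 'suspicious' or 'review'."""
    entry.flags.clear()
    if entry.status and "not found" in entry.status.lower():
        entry.flags.append("target-missing")   # dead entry: nothing left to run
    if entry.vendor == "?":
        entry.flags.append("vendor-unknown")
    if RANDOM_NAME_RE.match(entry.name):
        entry.flags.append("random-name")
    if entry.location.lower().endswith("\\tasks"):
        entry.flags.append("scheduled-task")
    if "target-missing" in entry.flags:
        return "orphan"
    if "random-name" in entry.flags and "vendor-unknown" in entry.flags:
        return "suspicious"
    return "review"


def triage(text: str) -> Dict[str, List[str]]:
    """Group entry names by verdict so the reviewer sees live suspects first."""
    report: Dict[str, List[str]] = {"suspicious": [], "review": [], "orphan": []}
    for entry in parse_osam_log(text):
        report[classify(entry)].append(entry.name)
    return report


if __name__ == "__main__":
    for verdict, names in triage(SAMPLE_LOG).items():
        print(f"{verdict}: {names}")
```

On the sample above the scheduled task is the only live suspect (unknown vendor, random name, in the Tasks folder), while the three toolbar entries are orphans: still worth disabling so the log stays clean, but they point at nothing that can execute.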
     
  21. dani-alves

    dani-alves Private E-2

    Thanks shadow, those four files were deleted successfully. Log is attached below.
     

    Attached Files:

  22. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    1. Start the OSAM again - you will see the report about deleted entries.
    2. Press the "Settings" button to change the value for "Disable objects using the driver" option back to "For undeletable objects only".
    3. Also you can use the "Jump to file" function to delete the inactive trojan files.
    4. And then use the "Delete from storage" function to delete the disabled items.
    5. Exit OSAM

    -----------------------------------------------------------

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click Delete Selected Temp Files
    Then after it deletes the files click the Exit (Save Settings) button.

    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue..

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.

      Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    -----------------------------------------------------------

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below log:

    • C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  23. dani-alves

    dani-alves Private E-2

    Thanks shadow. I received a pendingfilerenameoperations prompt, followed by "The application failed to initialize properly (0xc000007b). Click on OK to terminate the application." Log is attached below, thank you.
     

    Attached Files:

  24. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    This error, "The application failed to initialize properly (0xc000007b). Click on OK to terminate the application.", may be caused by an entry in the registry. Run a registry cleaner to remove invalid entries in the registry.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combofix folder from combofix (if it exists)
    4. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    5. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    6. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    7. If we had you run Avenger, you can delete all files related to Avenger now.
    8. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    9. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    10. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    11. Go to add/remove programs and uninstall HijackThis.
    12. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    13. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    14. After doing the above, you should work thru the below link:
     
  25. dani-alves

    dani-alves Private E-2

    Thanks a lot shadow, I really appreciate all your valuable time and effort spent. Is my computer free from the malicious files? One more thing, could you please tell me how to restore my network settings, so I could surf the net again.
     
  26. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Click Start -> Run
    Type: cmd.exe
    Click "OK"

    Type the following commands, and then press ENTER after each command.
    Code:
    regsvr32 netshell.dll
    regsvr32 netcfgx.dll
    regsvr32 netman.dll
    Click "OK" when the RegSvr32 dialog box appears for each command.

    Restart the computer

    Network Connections still empty?
     
  27. dani-alves

    dani-alves Private E-2

    Yes sir, empty like the Sahara. The jpegs below depict what I see when I try to add new hardware. Thanks shadow.
     

    Attached Files:

    Last edited: Apr 19, 2009
  28. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    OK, let's try resetting TCP/IP


    Start -> Run
    Type: cmd
    Click 'OK'

    At the command prompt, copy and paste (or type) the following command and then press ENTER:
    Code:
    netsh int ip reset c:\resetlog.txt
    exit
    The Command Console will close.

    Reboot

    Network Connections still empty?
     
  29. dani-alves

    dani-alves Private E-2

    hey shadow, I followed your instructions and I got this message, "Unable to open file for append". Checked network connections screen and it is still empty. Thanks.
     
  30. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    OK, let's try it again; but this time with a slight modification in the commands.

    Start -> Run
    Type: cmd
    Click 'OK'

    At the command prompt, copy and paste (or type) the following command and then press ENTER:
    Code:
    netsh int ip reset resetlog.txt
    exit
    The Command Console will close.

    Reboot
     
  31. dani-alves

    dani-alves Private E-2

    Hey shadow, I tried your instructions but it is still empty. Maybe it's a little late to voice this out, but I uninstalled my ethernet card like two weeks back and I tried installing the driver but nothing happened.
     
  32. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    I strongly suspect that there is a RootKit active and responsible for this.

    Download and install a-squared Free.

    Run a scan and save the log. Do not delete or quarantine anything, I just want to see the log.

    Attach the a-squared Free log.
     
  33. dani-alves

    dani-alves Private E-2

    Sorry shadow, now my computer wont even start. Let me rectify this problem first.
     
  34. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    No problem, I'll be here.
     
  35. dani-alves

    dani-alves Private E-2

    Shadow, I have decided to discard my computer and I will get a new one (this time with an anti-virus program), therefore this thread can be finally closed. I sincerely thank you for your patience and the time that I consumed. HOORAH!!! ;)
     
