Can't Delete From System Volume Information

mchahn

Someone (my wife) downloaded something (a virus) onto her laptop running XP home. Now there are the usual **** icons on the desktop and windows popping up all over the place pretending to be virus scanners. It is not a subtle infection. Unfortuantely the CD drive is busted and I can't run my recovery disk to wipe things. I don't think the laptop is worth paying for repair so I'd like to salvage the current system if possible.

I went into safe mode and ran a manual bitdefender scan. It found many problems and couldn't delete four files. I manually deleted two of the four, but the other two are in the "system volume information" folder and XP won't let me open that folder.

This is the part of the manual scan log containing the two bad files:

<AffectedItem itemType ="File" path="C:\System Volume Information\_restore{AA6C8498-140E-441D-9DDE-0826BE9E5F33}\RP230\A0046968.exe=](ZIP Sfx o)=]7.exe" threatType="virus" threatName="BehavesLike:Trojan.Downloader" action="none" finalStatus= "infected" error= "infected archive"/>

<AffectedItem itemType ="File" path="C:\System Volume Information\_restore{AA6C8498-140E-441D-9DDE-0826BE9E5F33}\RP232\A0048056.exe=](ZIP Sfx o)=]7.exe" threatType="virus" threatName="BehavesLike:Trojan.Downloader" action="none" finalStatus= "infected" error= "infected archive"/>

Here is my HJT log Can someone tell me what do now?

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 5:00:39 PM, on 9/4/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Boot mode: Safe mode

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://toshibadirect.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://toshibadirect.com/

O1 - Hosts: 64.78.20.51 EXVBE012-2

O1 - Hosts: 64.78.20.51 EXVBE012-2.exch012.intermedia.net

O1 - Hosts: 64.78.20.14 DC012-1.exch012.intermedia.net

O1 - Hosts: 64.78.20.15 DC012-2.exch012.intermedia.net

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)

O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll

O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe

O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe

O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe

O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe

O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe

O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run

O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [iVPServiceMgr] C:\toshiba\ivp\ism\ivpsvmgr.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Device Detector] DevDetect.exe -autorun

O4 - HKLM\..\Run: [\VIE85.exe] C:\Windows\System32\VIE85.exe

O4 - HKLM\..\Run: [\VIE86.exe] C:\Windows\System32\VIE86.exe

O4 - HKLM\..\Run: [\VIE87.exe] C:\Windows\System32\VIE87.exe

O4 - HKLM\..\Run: [\VIE88.exe] C:\Windows\System32\VIE88.exe

O4 - HKLM\..\Run: [Antivirus] C:\Program Files\MSA\MSA.exe

O4 - HKLM\..\Run: [\VIE89.exe] C:\Windows\System32\VIE89.exe

O4 - HKLM\..\Run: [\VIE2.exe] C:\Windows\System32\VIE2.exe

O4 - HKLM\..\Run: [\VIE1.exe] C:\Windows\System32\VIE1.exe

O4 - HKLM\..\Run: [\VIE3.exe] C:\Windows\System32\VIE3.exe

O4 - HKLM\..\Run: [\VIE4.exe] C:\Windows\System32\VIE4.exe

O4 - HKLM\..\Run: [\VIEA5.exe] C:\Windows\System32\VIEA5.exe

O4 - HKLM\..\Run: [\VIEA6.exe] C:\Windows\System32\VIEA6.exe

O4 - HKLM\..\Run: [\VIEA7.exe] C:\Windows\System32\VIEA7.exe

O4 - HKLM\..\Run: [\VIEA8.exe] C:\Windows\System32\VIEA8.exe

O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Internet Security 2008\APVXDWIN.EXE" /s

O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"

O4 - HKLM\..\Run: [bitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"

O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe

O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe

O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com

O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan.com/cabs/nanoinst.cab

O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe

O23 - Service: BitDefender Arrakis Server (Arrakis3) - BitDefender S.R.L. http://www.bitdefender.com - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe

O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe

O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\Ivp\Swupdate\swupdtmr.exe

O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe

--

End of file - 7481 bytes

Niels

Hello Mark Hahn,

Please do this in safe mode:

Click on start,right click on my computer choose properties,high light the system restore tab,check the option Disable System Restore (on all stations) confirm it. Wait a few seconds that depends how many restore points that are created. I recommend that you temporary disable system restore to prevent that your restore points got infected.

After you have done that please do this:

Press the windows button together with r now type msconfig press enter. Go to the startup tab and uncheck the startup items :

that begins with VIE* (*= stands for a random number or numbers).

MSA.exe

Reboot your pc again.

Can you please download combofix you will find it here. Print the following instructions and read them carefully. Please post the output of the scan into your next post.

Kind regards,

Niels

mchahn

Here is the combofix log ....

ComboFix 08-09-05.02 - linda 2008-09-05 19:40:52.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.658 [GMT -7:00]

Running from: C:\Documents and Settings\linda\Desktop\ComboFix.exe

Command switches used :: C:\Documents and Settings\linda\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

* Created a new restore point

* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Documents and Settings\linda\Cookies\linda@a.seenon[1].txt

C:\Documents and Settings\linda\Cookies\linda@imiclk[2].txt

C:\Documents and Settings\linda\Cookies\linda@insightexpressai[2].txt

C:\Documents and Settings\linda\Cookies\linda@my.clearchannelradio[2].txt

C:\Documents and Settings\linda\Cookies\linda@revsci[1].txt

C:\Documents and Settings\linda\Cookies\linda@secure1.healthierwaytogo[2].txt

C:\Documents and Settings\linda\Cookies\linda@turn[1].txt

C:\Documents and Settings\linda\Cookies\linda@www35.vzw[1].txt

C:\Program Files\PCHealthCenter\0.exe

C:\Program Files\PCHealthCenter\0.gif

C:\Program Files\PCHealthCenter\1.gif

C:\Program Files\PCHealthCenter\1.ico

C:\Program Files\PCHealthCenter\2.gif

C:\Program Files\PCHealthCenter\2.ico

C:\Program Files\PCHealthCenter\3.gif

C:\Program Files\PCHealthCenter\5.exe

C:\Program Files\PCHealthCenter\sc.html

.

((((((((((((((((((((((((( Files Created from 2008-08-06 to 2008-09-06 )))))))))))))))))))))))))))))))

.

2008-09-04 17:09 . 2008-09-04 17:09 850 --a------ C:\WINDOWS\system32\ProductTweaks.xml

2008-09-04 17:09 . 2008-09-04 17:09 385 --a------ C:\WINDOWS\system32\user_gensett.xml

2008-09-04 17:00 . 2008-09-04 17:00 <DIR> d-------- C:\Program Files\Trend Micro

2008-09-04 16:51 . 2008-09-04 16:50 7,236 --a------ C:\1220572212_1_02.xml

2008-09-04 16:50 . 2008-09-04 16:50 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\BitDefender

2008-09-04 13:40 . 2008-09-04 13:40 <DIR> d-------- C:\Documents and Settings\linda\Application Data\BitDefender

2008-09-04 13:39 . 2008-09-04 13:39 <DIR> d-------- C:\Program Files\BitDefender

2008-09-04 13:39 . 2008-09-04 13:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BitDefender

2008-09-04 13:37 . 2008-09-04 13:40 <DIR> d-------- C:\Program Files\Common Files\BitDefender

2008-09-04 10:43 . 2008-09-04 10:43 8,627 --a------ C:\WINDOWS\system32\PAV_FOG.OPC

2008-09-04 10:32 . 2008-09-04 10:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\sentinel

2008-09-04 10:28 . 2008-09-04 10:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Backup

2008-09-04 10:26 . 2008-09-04 13:33 <DIR> d-------- C:\Program Files\Common Files\Panda Software

2008-09-03 22:03 . 2008-09-04 13:33 <DIR> d-------- C:\Program Files\Panda Security

2008-09-03 21:18 . 2004-08-10 13:23 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS

2008-09-03 21:18 . 2004-08-10 14:43 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver

2008-09-03 21:18 . 2004-08-10 15:27 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\toshiba

2008-09-03 21:18 . 2004-08-10 15:38 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec

2008-09-03 21:18 . 2004-08-16 13:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterVideo

2008-09-03 21:18 . 2004-08-10 15:34 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust

2008-09-03 21:18 . 2007-06-03 18:58 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AOL

2008-09-03 21:18 . 2008-09-03 21:18 <DIR> d-------- C:\Documents and Settings\Administrator

2008-09-03 19:48 . 2008-08-28 15:57 3,262 --a------ C:\WINDOWS\system32\2.ico

2008-09-03 19:44 . 2008-09-05 19:44 <DIR> d-------- C:\Program Files\PCHealthCenter

2008-09-03 19:44 . 2008-09-05 19:45 <DIR> d-------- C:\Program Files\MSA

2008-09-03 19:44 . 2008-08-28 15:57 3,262 --a------ C:\WINDOWS\system32\1.ico

2008-09-03 19:39 . 2008-09-03 19:39 54,156 --ah----- C:\WINDOWS\QTFont.qfn

2008-09-03 19:39 . 2008-09-03 19:39 1,409 --a------ C:\WINDOWS\QTFont.for

2008-08-14 03:15 . 2008-05-01 07:30 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll

2008-08-12 18:40 . 2008-08-12 18:40 228,672 --a------ C:\WINDOWS\system32\drivers\bdfsfltr.sys

2008-08-12 18:40 . 2008-08-12 18:40 108,864 --a------ C:\WINDOWS\system32\drivers\bdfm.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-09-04 23:46 --------- d-----w C:\Program Files\Spybot - Search & Destroy

2008-09-04 23:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

2008-09-04 23:45 --------- d-----w C:\Program Files\Yahoo!

2008-09-04 17:28 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-08-16 00:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help

2008-07-21 03:41 --------- d-----w C:\Program Files\Flickr Uploadr

2008-07-21 03:41 --------- d-----w C:\Documents and Settings\linda\Application Data\Flickr

2008-07-19 05:26 --------- d--h--w C:\Documents and Settings\All Users\Application Data\CanonBJ

2008-07-19 05:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll

2008-07-19 05:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe

2008-07-19 05:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll

2008-07-19 05:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll

2008-07-19 05:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll

2008-07-19 05:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll

2008-07-19 05:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll

2008-07-19 05:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll

2008-07-19 05:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll

2008-07-19 05:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll

2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll

2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll

2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll

2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-05 65536]

"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-27 68856]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CeEKEY"="C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe" [2004-06-14 638976]

"CeEPOWER"="C:\Program Files\TOSHIBA\Power Management\CePMTray.exe" [2004-08-19 135168]

"TPNF"="C:\Program Files\TOSHIBA\TouchPad\TPTray.exe" [2004-03-14 53248]

"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-04-21 335872]

"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-30 192512]

"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [2004-02-03 1089589]

"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2003-10-20 159744]

"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-11-12 157592]

"IVPServiceMgr"="C:\toshiba\ivp\ism\ivpsvmgr.exe" [2003-10-20 475136]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-18 155648]

"BDAgent"="C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe" [2008-08-14 716800]

"BitDefender Antiphishing Helper"="C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe" [2008-08-10 69632]

"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 158208]

"AGRSMMSG"="AGRSMMSG.exe" [2004-02-20 C:\WINDOWS\agrsmmsg.exe]

"NDSTray.exe"="NDSTray.exe" [bU]

C:\Documents and Settings\linda\Start Menu\Programs\Startup\

Picaboo.lnk - C:\Program Files\Picaboo\Picaboo\PicabooMain.exe [2007-11-08 577536]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2006-12-17 124856]

RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2004-08-10 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.ACDV"= ACDV.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

--a------ 2006-02-23 15:45 278528 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Program Files\\iTunes\\iTunes.exe"=

"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R3 bdfm;BDFM;C:\WINDOWS\system32\drivers\bdfm.sys [2008-08-12 108864]

S3 Arrakis3;BitDefender Arrakis Server;C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe [2008-07-17 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

bdx REG_MULTI_SZ scan

.

Contents of the 'Scheduled Tasks' folder

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-\VIE85.exe - C:\Windows\System32\VIE85.exe

HKCU-Run-\VIE86.exe - C:\Windows\System32\VIE86.exe

HKCU-Run-\VIE87.exe - C:\Windows\System32\VIE87.exe

HKCU-Run-\VIE88.exe - C:\Windows\System32\VIE88.exe

HKCU-Run-\VIE89.exe - C:\Windows\System32\VIE89.exe

HKCU-Run-SpybotSD TeaTimer - C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

HKCU-Run-\VIE2.exe - C:\Windows\System32\VIE2.exe

HKCU-Run-\VIE1.exe - C:\Windows\System32\VIE1.exe

HKCU-Run-\VIE3.exe - C:\Windows\System32\VIE3.exe

HKCU-Run-\VIE4.exe - C:\Windows\System32\VIE4.exe

HKCU-Run-\VIEA5.exe - C:\Windows\System32\VIEA5.exe

HKCU-Run-\VIE5.exe - C:\Windows\System32\VIE5.exe

HKCU-Run-\VIEA4.exe - C:\Windows\System32\VIEA4.exe

HKCU-Run-\VIEA6.exe - C:\Windows\System32\VIEA6.exe

HKCU-Run-\VIEA7.exe - C:\Windows\System32\VIEA7.exe

HKCU-Run-\VIEA8.exe - C:\Windows\System32\VIEA8.exe

HKLM-Run-APVXDWIN - C:\Program Files\Panda Security\Panda Internet Security 2008\APVXDWIN.EXE

HKLM-Run-Device Detector - DevDetect.exe

Notify-WgaLogon - (no file)

MSConfigStartUp-Antivirus - C:\Program Files\MSA\MSA.exe

.

------- Supplementary Scan -------

.

R0 -: HKCU-Main,Start Page = hxxp://my.yahoo.com/

R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

R1 -: HKCU-Internet Connection Wizard,ShellNext = hxxp://toshibadirect.com/

R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s

O8 -: &AOL Toolbar search - C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-09-05 19:46:09

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

C:\WINDOWS\system32\ati2evxx.exe

C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe

C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe

C:\WINDOWS\system32\acs.exe

C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe

C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe

C:\WINDOWS\system32\DVDRAMSV.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Toshiba\Ivp\Swupdate\swupdtmr.exe

C:\Program Files\Toshiba\ConfigFree\NDSTray.exe

C:\Program Files\Apoint2K\ApntEx.exe

C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe

.

**************************************************************************

.

Completion time: 2008-09-05 19:51:59 - machine was rebooted

ComboFix-quarantined-files.txt 2008-09-06 02:51:52

Pre-Run: 46,993,235,968 bytes free

Post-Run: 47,249,580,032 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

208 --- E O F --- 2008-08-16 00:43:20

mchahn

P.S. It appears to be fixed now.

Thanks so much.

Niels

Hello Mark Hahn,

Please do this open wordpad and type this:

Folder::

C:\Program Files\PCHealthCenter

C:\Program Files\MSA

Save the worpad file as CFScript. Now drag and drop the wordpad file you just created on the Combofix program.

See if you still can find VIE entries when you open the windows folder and afterwards the system 32 subfolder.

Kind regards,

Niels