Can't Delete From System Volume Information

Someone (my wife) downloaded something (a virus) onto her laptop running XP Home. Now there are the usual **** icons on the desktop and windows popping up all over the place pretending to be virus scanners. It is not a subtle infection. Unfortunately the CD drive is busted and I can't run my recovery disk to wipe things. I don't think the laptop is worth paying for repair, so I'd like to salvage the current system if possible.


I went into safe mode and ran a manual BitDefender scan. It found many problems and couldn't delete four files. I manually deleted two of the four, but the other two are in the "System Volume Information" folder and XP won't let me open that folder.


This is the part of the manual scan log containing the two bad files:


<AffectedItem itemType ="File" path="C:\System Volume Information\_restore{AA6C8498-140E-441D-9DDE-0826BE9E5F33}\RP230\A0046968.exe=](ZIP Sfx o)=]7.exe" threatType="virus" threatName="BehavesLike:Trojan.Downloader" action="none" finalStatus= "infected" error= "infected archive"/>


<AffectedItem itemType ="File" path="C:\System Volume Information\_restore{AA6C8498-140E-441D-9DDE-0826BE9E5F33}\RP232\A0048056.exe=](ZIP Sfx o)=]7.exe" threatType="virus" threatName="BehavesLike:Trojan.Downloader" action="none" finalStatus= "infected" error= "infected archive"/>


Here is my HJT log. Can someone tell me what to do now?


Logfile of Trend Micro HijackThis v2.0.2


Scan saved at 5:00:39 PM, on 9/4/2008


Platform: Windows XP SP2 (WinNT 5.01.2600)


MSIE: Internet Explorer v7.00 (7.00.6000.16705)


Boot mode: Safe mode


Running processes:


C:\WINDOWS\System32\smss.exe


C:\WINDOWS\SYSTEM32\winlogon.exe


C:\WINDOWS\system32\services.exe


C:\WINDOWS\system32\lsass.exe


C:\WINDOWS\system32\svchost.exe


C:\WINDOWS\system32\svchost.exe


C:\WINDOWS\Explorer.EXE


C:\Program Files\Trend Micro\HijackThis\HijackThis.exe


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://toshibadirect.com/


R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157


R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896


R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896


R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157


R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://toshibadirect.com/


O1 - Hosts: 64.78.20.51 EXVBE012-2


O1 - Hosts: 64.78.20.51 EXVBE012-2.exch012.intermedia.net


O1 - Hosts: 64.78.20.14 DC012-1.exch012.intermedia.net


O1 - Hosts: 64.78.20.15 DC012-2.exch012.intermedia.net


O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)


O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx


O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll


O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll


O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll


O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)


O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll


O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe


O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe


O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe


O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe


O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe


O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe


O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe


O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe


O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run


O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033


O4 - HKLM\..\Run: [iVPServiceMgr] C:\toshiba\ivp\ism\ivpsvmgr.exe


O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"


O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime


O4 - HKLM\..\Run: [Device Detector] DevDetect.exe -autorun


O4 - HKLM\..\Run: [\VIE85.exe] C:\Windows\System32\VIE85.exe


O4 - HKLM\..\Run: [\VIE86.exe] C:\Windows\System32\VIE86.exe


O4 - HKLM\..\Run: [\VIE87.exe] C:\Windows\System32\VIE87.exe


O4 - HKLM\..\Run: [\VIE88.exe] C:\Windows\System32\VIE88.exe


O4 - HKLM\..\Run: [Antivirus] C:\Program Files\MSA\MSA.exe


O4 - HKLM\..\Run: [\VIE89.exe] C:\Windows\System32\VIE89.exe


O4 - HKLM\..\Run: [\VIE2.exe] C:\Windows\System32\VIE2.exe


O4 - HKLM\..\Run: [\VIE1.exe] C:\Windows\System32\VIE1.exe


O4 - HKLM\..\Run: [\VIE3.exe] C:\Windows\System32\VIE3.exe


O4 - HKLM\..\Run: [\VIE4.exe] C:\Windows\System32\VIE4.exe


O4 - HKLM\..\Run: [\VIEA5.exe] C:\Windows\System32\VIEA5.exe


O4 - HKLM\..\Run: [\VIEA6.exe] C:\Windows\System32\VIEA6.exe


O4 - HKLM\..\Run: [\VIEA7.exe] C:\Windows\System32\VIEA7.exe


O4 - HKLM\..\Run: [\VIEA8.exe] C:\Windows\System32\VIEA8.exe


O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Internet Security 2008\APVXDWIN.EXE" /s


O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"


O4 - HKLM\..\Run: [bitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"


O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe


O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe


O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background


O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe


O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe


O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML


O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000


O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll


O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll


O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL


O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll


O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe


O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe


O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll


O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com


O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan.com/cabs/nanoinst.cab


O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe


O23 - Service: BitDefender Arrakis Server (Arrakis3) - BitDefender S.R.L. http://www.bitdefender.com - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe


O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe


O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe


O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe


O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe


O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe


O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe


O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\Ivp\Swupdate\swupdtmr.exe


O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe


--


End of file - 7481 bytes
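The following is an added example, not part of the original thread or of HijackThis/BitDefender, that turns the two logs quoted in this post into a small offline triage: it parses the `O4 ... Run:` lines of a HijackThis log, flags the autostarts that match what the thread later identifies as the rogue entries (entry names that begin with a backslash, the `MSA.exe` "Antivirus" entry, and a cluster of numbered `VIE*.exe` files in System32), and parses the BitDefender `<AffectedItem>` lines to show that the two undeletable files live inside restore points (`RP230`, `RP232`) under System Volume Information. The `KNOWN_ROGUE` set and the three-letter cluster key are illustrative heuristics assumed for this example, not a vendor signature set; the cluster rule generalizes the `VIE85`/`VIE86`/`VIEA5` pattern to any run of numbered executables in System32. Sample inputs are copied from the post and embedded so the script runs without the original machine.

```python
import re
from collections import defaultdict

# Constructed sample input: O4 "Run" lines copied from the HijackThis log in the
# post, so the triage below can be run offline. (Added example; not from the thread.)
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [\VIE85.exe] C:\Windows\System32\VIE85.exe
O4 - HKLM\..\Run: [\VIE86.exe] C:\Windows\System32\VIE86.exe
O4 - HKLM\..\Run: [Antivirus] C:\Program Files\MSA\MSA.exe
O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKLM\..\Run: [\VIEA5.exe] C:\Windows\System32\VIEA5.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Constructed sample input: the two BitDefender <AffectedItem> lines from the post.
SAMPLE_BD = r"""
<AffectedItem itemType ="File" path="C:\System Volume Information\_restore{AA6C8498-140E-441D-9DDE-0826BE9E5F33}\RP230\A0046968.exe=](ZIP Sfx o)=]7.exe" threatType="virus" threatName="BehavesLike:Trojan.Downloader" action="none" finalStatus= "infected" error= "infected archive"/>
<AffectedItem itemType ="File" path="C:\System Volume Information\_restore{AA6C8498-140E-441D-9DDE-0826BE9E5F33}\RP232\A0048056.exe=](ZIP Sfx o)=]7.exe" threatType="virus" threatName="BehavesLike:Trojan.Downloader" action="none" finalStatus= "infected" error= "infected archive"/>
"""

O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
RP_RE = re.compile(r'path="[^"]*?\\_restore\{[0-9A-Fa-f-]+\}\\(RP\d+)\\([^"\\]+)"')
# Assumed "known rogue" list for illustration: the executable the helper in this
# thread told the poster to disable. Not a vendor signature set.
KNOWN_ROGUE = {"msa.exe"}


def parse_o4(log_text):
    """Return (hive, entry_name, target_path) for each 'O4 - HK..\\..\\Run:' line."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        hive, name, target = m.groups()
        target = target.strip()
        if target.startswith('"'):
            # Quoted command line: the path is everything up to the closing quote.
            target = target[1:target.index('"', 1)]
        else:
            # Unquoted: keep up to and including the first ".exe" so trailing
            # switches such as "/run" or "-lang 1033" are dropped.
            exe = re.match(r"(.*?\.exe)", target, re.IGNORECASE)
            if exe:
                target = exe.group(1)
        entries.append((hive, name, target))
    return entries


def triage(entries):
    """Return {target_path: [reasons]} for autostarts matching the rogue pattern."""
    flagged = defaultdict(list)
    clusters = defaultdict(list)
    for hive, name, target in entries:
        base = target.rsplit("\\", 1)[-1].lower()
        if name.startswith("\\"):
            flagged[target].append("entry name begins with a backslash")
        if base in KNOWN_ROGUE:
            flagged[target].append("known rogue 'antivirus' executable")
        stem, _, ext = base.rpartition(".")
        # Crude cluster key (assumed heuristic): executables in system32 whose name
        # ends in a digit, grouped by their first three letters, so VIE85, VIE86
        # and VIEA5 all land in the "vie" bucket.
        if "\\system32\\" in target.lower() and ext == "exe" and stem[-1:].isdigit():
            clusters[stem[:3]].append(target)
    for key, targets in clusters.items():
        if len(targets) >= 3:
            for target in targets:
                flagged[target].append(
                    f"one of {len(targets)} numbered '{key}*' executables in system32")
    return dict(flagged)


def restore_point_hits(scan_xml):
    """Map restore point (RPnnn) -> detected file names under System Volume Information."""
    hits = defaultdict(list)
    for rp, fname in RP_RE.findall(scan_xml):
        hits[rp].append(fname)
    return dict(hits)


if __name__ == "__main__":
    for target, reasons in triage(parse_o4(SAMPLE_HJT)).items():
        print(target, "->", "; ".join(reasons))
    for rp, files in restore_point_hits(SAMPLE_BD).items():
        print(rp, files)
```

Running it flags the three `VIE*` targets and `MSA.exe` while leaving the Toshiba, BitDefender and `ctfmon.exe` entries alone, and reports the two scanner hits under `RP230` and `RP232`. The restore-point mapping is the practical point for the original question: files under `System Volume Information\_restore{...}\RPnnn` are copies held by System Restore, which is why the helper's first step is to turn System Restore off (XP discards all restore points when it is disabled) rather than to fight the folder's permissions.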

Comments

  • Niels (edited September 2008)

    Hello Mark Hahn,


    Please do this in safe mode:


    Click on Start, right-click on My Computer, choose Properties, highlight the System Restore tab, check the option Disable System Restore (on all drives) and confirm it. Wait a few seconds; how long depends on how many restore points have been created. I recommend that you temporarily disable System Restore to prevent your restore points from being infected.


    After you have done that please do this:


    Press the Windows key together with R, type msconfig and press Enter. Go to the Startup tab and uncheck the startup items:


    that begin with VIE* (* stands for a random number or numbers).


    MSA.exe


    Reboot your PC again.


    Can you please download ComboFix; you will find it here. Print the following instructions and read them carefully. Please post the output of the scan in your next post.


    Kind regards,


    Niels

  • Here is the ComboFix log ....


    ComboFix 08-09-05.02 - linda 2008-09-05 19:40:52.1 - NTFSx86


    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.658 [GMT -7:00]


    Running from: C:\Documents and Settings\linda\Desktop\ComboFix.exe


    Command switches used :: C:\Documents and Settings\linda\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe


    * Created a new restore point


    * Resident AV is active


    .


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    .


    C:\Documents and Settings\linda\Cookies\linda@a.seenon[1].txt


    C:\Documents and Settings\linda\Cookies\linda@imiclk[2].txt


    C:\Documents and Settings\linda\Cookies\linda@insightexpressai[2].txt


    C:\Documents and Settings\linda\Cookies\linda@my.clearchannelradio[2].txt


    C:\Documents and Settings\linda\Cookies\linda@revsci[1].txt


    C:\Documents and Settings\linda\Cookies\linda@secure1.healthierwaytogo[2].txt


    C:\Documents and Settings\linda\Cookies\linda@turn[1].txt


    C:\Documents and Settings\linda\Cookies\linda@www35.vzw[1].txt


    C:\Program Files\PCHealthCenter\0.exe


    C:\Program Files\PCHealthCenter\0.gif


    C:\Program Files\PCHealthCenter\1.gif


    C:\Program Files\PCHealthCenter\1.ico


    C:\Program Files\PCHealthCenter\2.gif


    C:\Program Files\PCHealthCenter\2.ico


    C:\Program Files\PCHealthCenter\3.gif


    C:\Program Files\PCHealthCenter\5.exe


    C:\Program Files\PCHealthCenter\sc.html


    .


    ((((((((((((((((((((((((( Files Created from 2008-08-06 to 2008-09-06 )))))))))))))))))))))))))))))))


    .


    2008-09-04 17:09 . 2008-09-04 17:09 850 --a------ C:\WINDOWS\system32\ProductTweaks.xml


    2008-09-04 17:09 . 2008-09-04 17:09 385 --a------ C:\WINDOWS\system32\user_gensett.xml


    2008-09-04 17:00 . 2008-09-04 17:00 <DIR> d-------- C:\Program Files\Trend Micro


    2008-09-04 16:51 . 2008-09-04 16:50 7,236 --a------ C:\1220572212_1_02.xml


    2008-09-04 16:50 . 2008-09-04 16:50 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\BitDefender


    2008-09-04 13:40 . 2008-09-04 13:40 <DIR> d-------- C:\Documents and Settings\linda\Application Data\BitDefender


    2008-09-04 13:39 . 2008-09-04 13:39 <DIR> d-------- C:\Program Files\BitDefender


    2008-09-04 13:39 . 2008-09-04 13:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BitDefender


    2008-09-04 13:37 . 2008-09-04 13:40 <DIR> d-------- C:\Program Files\Common Files\BitDefender


    2008-09-04 10:43 . 2008-09-04 10:43 8,627 --a------ C:\WINDOWS\system32\PAV_FOG.OPC


    2008-09-04 10:32 . 2008-09-04 10:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\sentinel


    2008-09-04 10:28 . 2008-09-04 10:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Backup


    2008-09-04 10:26 . 2008-09-04 13:33 <DIR> d-------- C:\Program Files\Common Files\Panda Software


    2008-09-03 22:03 . 2008-09-04 13:33 <DIR> d-------- C:\Program Files\Panda Security


    2008-09-03 21:18 . 2004-08-10 13:23 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS


    2008-09-03 21:18 . 2004-08-10 14:43 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver


    2008-09-03 21:18 . 2004-08-10 15:27 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\toshiba


    2008-09-03 21:18 . 2004-08-10 15:38 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec


    2008-09-03 21:18 . 2004-08-16 13:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterVideo


    2008-09-03 21:18 . 2004-08-10 15:34 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust


    2008-09-03 21:18 . 2007-06-03 18:58 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AOL


    2008-09-03 21:18 . 2008-09-03 21:18 <DIR> d-------- C:\Documents and Settings\Administrator


    2008-09-03 19:48 . 2008-08-28 15:57 3,262 --a------ C:\WINDOWS\system32\2.ico


    2008-09-03 19:44 . 2008-09-05 19:44 <DIR> d-------- C:\Program Files\PCHealthCenter


    2008-09-03 19:44 . 2008-09-05 19:45 <DIR> d-------- C:\Program Files\MSA


    2008-09-03 19:44 . 2008-08-28 15:57 3,262 --a------ C:\WINDOWS\system32\1.ico


    2008-09-03 19:39 . 2008-09-03 19:39 54,156 --ah----- C:\WINDOWS\QTFont.qfn


    2008-09-03 19:39 . 2008-09-03 19:39 1,409 --a------ C:\WINDOWS\QTFont.for


    2008-08-14 03:15 . 2008-05-01 07:30 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll


    2008-08-12 18:40 . 2008-08-12 18:40 228,672 --a------ C:\WINDOWS\system32\drivers\bdfsfltr.sys


    2008-08-12 18:40 . 2008-08-12 18:40 108,864 --a------ C:\WINDOWS\system32\drivers\bdfm.sys


    .


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))


    .


    2008-09-04 23:46 --------- d-----w C:\Program Files\Spybot - Search & Destroy


    2008-09-04 23:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy


    2008-09-04 23:45 --------- d-----w C:\Program Files\Yahoo!


    2008-09-04 17:28 --------- d--h--w C:\Program Files\InstallShield Installation Information


    2008-08-16 00:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help


    2008-07-21 03:41 --------- d-----w C:\Program Files\Flickr Uploadr


    2008-07-21 03:41 --------- d-----w C:\Documents and Settings\linda\Application Data\Flickr


    2008-07-19 05:26 --------- d--h--w C:\Documents and Settings\All Users\Application Data\CanonBJ


    2008-07-19 05:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll


    2008-07-19 05:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe


    2008-07-19 05:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll


    2008-07-19 05:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll


    2008-07-19 05:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll


    2008-07-19 05:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll


    2008-07-19 05:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll


    2008-07-19 05:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll


    2008-07-19 05:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll


    2008-07-19 05:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll


    2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll


    2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll


    2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll


    2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll


    .


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    .


    .


    *Note* empty entries & legit default entries are not shown


    REGEDIT4


    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]


    "TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-05 65536]


    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-27 68856]


    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]


    "CeEKEY"="C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe" [2004-06-14 638976]


    "CeEPOWER"="C:\Program Files\TOSHIBA\Power Management\CePMTray.exe" [2004-08-19 135168]


    "TPNF"="C:\Program Files\TOSHIBA\TouchPad\TPTray.exe" [2004-03-14 53248]


    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-04-21 335872]


    "Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-30 192512]


    "PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [2004-02-03 1089589]


    "Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2003-10-20 159744]


    "DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-11-12 157592]


    "IVPServiceMgr"="C:\toshiba\ivp\ism\ivpsvmgr.exe" [2003-10-20 475136]


    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-18 155648]


    "BDAgent"="C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe" [2008-08-14 716800]


    "BitDefender Antiphishing Helper"="C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe" [2008-08-10 69632]


    "MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 158208]


    "AGRSMMSG"="AGRSMMSG.exe" [2004-02-20 C:\WINDOWS\agrsmmsg.exe]


    "NDSTray.exe"="NDSTray.exe" [bU]


    C:\Documents and Settings\linda\Start Menu\Programs\Startup\


    Picaboo.lnk - C:\Program Files\Picaboo\Picaboo\PicabooMain.exe [2007-11-08 577536]


    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\


    Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2006-12-17 124856]


    RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2004-08-10 155648]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]


    "VIDC.ACDV"= ACDV.dll


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]


    --a------ 2006-02-23 15:45 278528 C:\Program Files\iTunes\iTunesHelper.exe


    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]


    "DisableMonitoring"=dword:00000001


    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]


    "DisableMonitoring"=dword:00000001


    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]


    "DisableMonitoring"=dword:00000001


    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]


    "%windir%\\system32\\sessmgr.exe"=


    "C:\\Program Files\\iTunes\\iTunes.exe"=


    "C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=


    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=


    R3 bdfm;BDFM;C:\WINDOWS\system32\drivers\bdfm.sys [2008-08-12 108864]


    S3 Arrakis3;BitDefender Arrakis Server;C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe [2008-07-17 118784]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]


    bdx REG_MULTI_SZ scan


    .


    Contents of the 'Scheduled Tasks' folder


    .


    - - - - ORPHANS REMOVED - - - -


    HKCU-Run-\VIE85.exe - C:\Windows\System32\VIE85.exe


    HKCU-Run-\VIE86.exe - C:\Windows\System32\VIE86.exe


    HKCU-Run-\VIE87.exe - C:\Windows\System32\VIE87.exe


    HKCU-Run-\VIE88.exe - C:\Windows\System32\VIE88.exe


    HKCU-Run-\VIE89.exe - C:\Windows\System32\VIE89.exe


    HKCU-Run-SpybotSD TeaTimer - C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe


    HKCU-Run-\VIE2.exe - C:\Windows\System32\VIE2.exe


    HKCU-Run-\VIE1.exe - C:\Windows\System32\VIE1.exe


    HKCU-Run-\VIE3.exe - C:\Windows\System32\VIE3.exe


    HKCU-Run-\VIE4.exe - C:\Windows\System32\VIE4.exe


    HKCU-Run-\VIEA5.exe - C:\Windows\System32\VIEA5.exe


    HKCU-Run-\VIE5.exe - C:\Windows\System32\VIE5.exe


    HKCU-Run-\VIEA4.exe - C:\Windows\System32\VIEA4.exe


    HKCU-Run-\VIEA6.exe - C:\Windows\System32\VIEA6.exe


    HKCU-Run-\VIEA7.exe - C:\Windows\System32\VIEA7.exe


    HKCU-Run-\VIEA8.exe - C:\Windows\System32\VIEA8.exe


    HKLM-Run-APVXDWIN - C:\Program Files\Panda Security\Panda Internet Security 2008\APVXDWIN.EXE


    HKLM-Run-Device Detector - DevDetect.exe


    Notify-WgaLogon - (no file)


    MSConfigStartUp-Antivirus - C:\Program Files\MSA\MSA.exe


    .


    ------- Supplementary Scan -------


    .


    R0 -: HKCU-Main,Start Page = hxxp://my.yahoo.com/


    R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8


    R1 -: HKCU-Internet Connection Wizard,ShellNext = hxxp://toshibadirect.com/


    R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s


    O8 -: &AOL Toolbar search - C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML


    O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000


    .


    **************************************************************************


    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net


    Rootkit scan 2008-09-05 19:46:09


    Windows 5.1.2600 Service Pack 2 NTFS


    scanning hidden processes ...


    scanning hidden autostart entries ...


    scanning hidden files ...


    scan completed successfully


    hidden files: 0


    **************************************************************************


    .


    ------------------------ Other Running Processes ------------------------


    .


    C:\WINDOWS\system32\ati2evxx.exe


    C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe


    C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe


    C:\WINDOWS\system32\acs.exe


    C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe


    C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe


    C:\WINDOWS\system32\DVDRAMSV.exe


    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE


    C:\Toshiba\Ivp\Swupdate\swupdtmr.exe


    C:\Program Files\Toshiba\ConfigFree\NDSTray.exe


    C:\Program Files\Apoint2K\ApntEx.exe


    C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe


    .


    **************************************************************************


    .


    Completion time: 2008-09-05 19:51:59 - machine was rebooted


    ComboFix-quarantined-files.txt 2008-09-06 02:51:52


    Pre-Run: 46,993,235,968 bytes free


    Post-Run: 47,249,580,032 bytes free


    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe


    [boot loader]


    timeout=2


    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS


    [operating systems]


    C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons


    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect


    208 --- E O F --- 2008-08-16 00:43:20

  • P.S. It appears to be fixed now.


    Thanks so much.

  • Hello Mark Hahn,


    Please do this: open WordPad and type this:


    Folder::


    C:\Program Files\PCHealthCenter


    C:\Program Files\MSA


    Save the WordPad file as CFScript. Now drag and drop the WordPad file you just created onto the ComboFix program.


    See if you can still find VIE entries when you open the Windows folder and then the System32 subfolder.


    Kind regards,


    Niels