
Thread: something awful

  1. #11
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    I would like you to go to the following page:

    http://virusscan.jotti.org/

    and upload the following files for scanning.
    Report back with the info.

    c:\windows\system32\VCCLSID.exe
    c:\windows\system32\SrchSTS.exe
    c:\windows\system32\VACFix.exe
    c:\windows\system32\o4Patch.exe
    c:\windows\system32\IEDFix.exe
    c:\windows\system32\IEDFix.C.exe
    c:\windows\system32\404Fix.exe
    c:\windows\system32\dumphive.exe
    c:\windows\system32\WS2Fix.exe

  2. #12
    First one found:

    c:\windows\system32\VACFix.exe

    File: VACFix.exe
    Status:
    INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
    MD5: 81bc780e5fd520838c6a417840127635
    Packers detected:
    PE_PATCH.UPX, UPX

    Norman Virus Control
    Found W32/Smalldrp.APNN


    Still need to scan:

    c:\windows\system32\IEDFix.exe
    c:\windows\system32\IEDFix.C.exe
    c:\windows\system32\404Fix.exe
    c:\windows\system32\dumphive.exe
    c:\windows\system32\WS2Fix.exe

  3. #13
    Next and last positive:

    c:\windows\system32\IEDFix.exe

    File: IEDFix.exe
    Status:
    INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
    MD5: 799a9ea3ffb220780ae3d3c11b08d067
    Packers detected:
    PE_PATCH.UPX, UPX

    A-Squared
    Found Hoax.Win32.Renos.vaoz!A2
    AntiVir
    Found nothing
    ArcaVir
    Found Trojan.Packed.Cryptexe

  4. #14
    Now I'm scared :*(

  5. #15
    First of all, I want you to remove ComboFix.

    Go to Start > Run
    Type in the box:
    combofix /u
    Note: there is a space between the X and the /u.
    Press Enter.


    After that, you need to install a new copy of ComboFix from the original link I gave you.
    Then delete these files/folders, as follows:

    * Open notepad and copy/paste the text in the quote box below into it (all except the word QUOTE):

    File::

    c:\windows\system32\IEDFix.exe
    c:\windows\system32\VACFix.exe

    * Save this as CFScript on the desktop.
    * Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



    * ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it shall produce a log for you. Post that log (Combofix.txt) in your next reply.

    Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to hang.

    In your next post, please attach:
    combofix.txt
    New HijackThis log

  6. #16
    There weren't any links for combofix in our discussion, so I re-downloaded it from bleepingcomputers...

    And for some reason I can't get the HJT log to upload without a .log at the end, so here it is, copied and pasted:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:28:51 AM, on 11/29/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16735)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\DeltaIITray.exe
    C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe
    C:\Program Files\Vidalia Bundle\Tor\tor.exe
    C:\Program Files\CDBurnerXP\NMSAccessU.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
    O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\DeltaIITray.exe
    O4 - HKLM\..\Run: [DeltaIITaskbarApp] C:\WINDOWS\system32\DeltaIITray.exe
    O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [Vidalia] "C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Privoxy.lnk = C:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe
    O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase6662.cab
    O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
    O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 2913 bytes
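    As an added example (not from the thread or from any tool named in it), a small Python parser for the O4 and O23 line shapes in the HijackThis log above, run over a constructed subset of its lines. It pulls out autorun entries and services and flags the two things a helper reviewing such a log looks at first: services listed with no vendor name, and one executable registered under more than one autorun name.

```python
import re

# Constructed sample: a subset of lines in the shape of the HijackThis log
# posted in the thread (not the full log).
SAMPLE_LOG = [
    r'R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank',
    r'O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"',
    r'O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\DeltaIITray.exe',
    r'O4 - HKLM\..\Run: [DeltaIITaskbarApp] C:\WINDOWS\system32\DeltaIITray.exe',
    r'O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe',
    r'O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe',
    r'O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe',
]

# O4 registry Run entries: "O4 - <hive>\..\Run: [<name>] <command>"
RUN_RE = re.compile(r'^O4 - (?P<key>\S+\\Run): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
# O23 services: "O23 - Service: <name> - <owner> - <path>"
SVC_RE = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$')
# Executable part of a command line, quoted or not, up to the first ".exe"
EXE_RE = re.compile(r'^"?(?P<exe>.*?\.exe)', re.IGNORECASE)


def parse_hjt(lines):
    """Return (autorun entries, services) as lists of dicts; other line types are skipped."""
    runs, services = [], []
    for line in lines:
        m = RUN_RE.match(line.strip())
        if m:
            runs.append(m.groupdict())
            continue
        m = SVC_RE.match(line.strip())
        if m:
            services.append(m.groupdict())
    return runs, services


def exe_path(cmd):
    """Lower-cased path of the executable launched by an autorun command line."""
    m = EXE_RE.match(cmd.strip())
    return (m.group('exe') if m else cmd.strip()).lower()


def review(runs, services):
    """Heuristic findings: unknown-owner services and executables with duplicate autorun names."""
    findings = []
    for s in services:
        if s['owner'].lower() == 'unknown owner':
            findings.append(f"unknown-owner service {s['name']}: {s['path']}")
    seen = {}
    for r in runs:
        exe = exe_path(r['cmd'])
        if exe in seen:
            findings.append(f"duplicate autorun for {exe}: [{seen[exe]}] and [{r['name']}]")
        else:
            seen[exe] = r['name']
    return findings
```

    Both findings are prompts for a closer look (vendor lookup, hash check as done with Jotti earlier in the thread), not verdicts.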

  7. #17
    Update Malwarebytes' Anti-Malware and run a FULL scan with it. Remove everything found. Save the log and copy/paste it here. I would really rather have logs copy/pasted rather than uploaded.
    Judy

  8. #18
    Malwarebytes' Anti-Malware 1.30
    Database version: 1437
    Windows 5.1.2600 Service Pack 3

    11/29/2008 9:48:20 PM
    mbam-log-2008-11-29 (21-48-20).txt

    Scan type: Full Scan (C:\|F:\|G:\|H:\|)
    Objects scanned: 105607
    Time elapsed: 32 minute(s), 12 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

  9. #19
    ComboFix removed those files and the MBA-M log shows clean. Now, one thing I just noticed in your log is that you are running TWO firewalls: from the information I could find about
    Kaspersky Internet Security 2009, it includes a firewall, and you are also running Zone Alarm. You should remove Zone Alarm and also be certain you don't have the built-in Windows Firewall turned on too.

  10. #20
    Ah yes, I had Kaspersky's firewall disabled when I installed ZA; it must have re-enabled itself (I think from running combofix?). I'm using a trial of Kaspersky and I'm pretty sure I won't be able to afford to pay when it runs out. Do you think using Kaspersky 6 would be effective enough? I have a few months' license thanks to my Gigabyte MB, and now I don't feel so comfortable going back to AVG. Commodore and Spybot were the two other defenses this infection got past.

    Also, thanks for your help! I really appreciate folks like yourself who help people with these problems...

    phillip

    ...I was wondering if it might be possible to tell what the primary infection(s) might have been, or even where they came from, i.e. internet browsing or downloading an infected executable. I even suspect my original install of nlite was infected from months ago; is this possible?
