Solve : Very bad Vundo-variant attack!?

Answer

The computer seems to be working fine, thank you very much!
The Genuine Windows was unable to validate. And the phrase "VIRUS ALERT!" is still in the taskbar next to the clock, which interestingly now reads in 24 hour time.

What is the validation assistant saying?

Is your Windows a paid copy? I don't care if it is or not but I need to know so I can give the right advice.

Post a screenshot of the VIRUS ALERT so I can tell what it is.
How to take a screenshot

  • Open up your Web Browser, or start from the desktop (for desktop screenshots).
  • Look on your keyboard and there should be a button (usually in the top right corner) that reads PrtSc or Print Screen; press that button.
  • Once the PrtSc button is pressed, open up Microsoft Paint:
    • Click Start
    • Click Run
    • Type in MSpaint
    • Press Ok.
  • Once Paint is open, on the Menu bar click Edit > Paste
  • On the menu bar click File > Save as...
  • Under Save as type click the drop arrow and choose Jpeg
  • Choose the save-to location as the Desktop.
  • Then click Save.

Add it as an attachment or host it online and post it in the thread. http://www.screenshots.cc/

----------

To change military time to standard time

Go to Start > Control Panel > Regional and Language Options
Click the Customize button
Select the Time tab
In the Time Format area use the down arrow to select: h:mm:ss tt
Click Apply
Click OK
Click Apply
Click OK

You may need to restart the computer for this to take effect.

I purchased my Windows XP as an upgrade version. The computer was originally bought as a rebuilt with Windows 2000 already installed, so I don't know where that Windows came from.

I can attach the "Failed Validation" screenshot if needed.

[recovering space - attachment deleted by admin]

Let's try to get the clock straightened out.

1. Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below. Do not change anything.

Code:
REGEDIT4

; Restore the default LSA authentication package list (msv1_0 only)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Software Notifier]
"InstallationID"=-

; Reset the desktop colours, wallpaper and screensaver the infection changed
[HKEY_CURRENT_USER\Control Panel\Colors]
"Background"="0 78 152"

[HKEY_CURRENT_USER\Control Panel\Desktop]
"WallpaperStyle"="0"
"TileWallpaper"="0"
"Wallpaper"=" "
"OriginalWallpaper"=""
"ConvertedWallpaper"=-
"SCRNSAVE.EXE"=-

; Remove the rogue autostart entry
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmona"=-

; Re-enable System Restore (service, driver and policy)
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\srservice]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\sr]
"Start"=dword:00000000
"ImagePath"="system32\DRIVERS\sr.sys"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR"=dword:00000000

; Remove the Active Desktop component and wallpaper timestamps
[-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Desktop\General]
"WallpaperFileTime"=-
"WallpaperLocalFileTime"=-

; Remove the policy restrictions that hid the clock, Run, Find, Control Panel, etc.
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispAppearancePage"=-
"NoDispBackgroundPage"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=-
"NoControlPanel"=-
"DisableLocalMachineRun"=-
"DisableLocalMachineRunOnce"=-
"DisableCurrentUserRun"=-
"DisableCurrentUserRunOnce"=-
"NoWindowsUpdate"=-
"NoFind"=-
"NoRun"=-
"HideClock"=-
"NoTrayContextMenu"=-
"NoTrayItemsDisplay"=-
"NoSetFolders"=-
"NoActiveDesktopChanges"=-
"ForceActiveDesktopOn"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=-
"NoControlPanel"=-
"DisableLocalMachineRun"=-
"DisableLocalMachineRunOnce"=-
"DisableCurrentUserRun"=-
"DisableCurrentUserRunOnce"=-
"NoWindowsUpdate"=-
"NoFind"=-
"NoRun"=-
"HideClock"=-
"NoTrayContextMenu"=-
"NoTrayItemsDisplay"=-
"NoSetFolders"=-

; Put the clock back to 12-hour format (the key is "Control Panel", with a space)
[HKEY_CURRENT_USER\Control Panel\International]
"sTimeFormat"="h:mm:ss tt"

Open a new Notepad window. It must be Notepad (do not use a word processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled.
Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and enter (including quotation marks) as the filename: "Fixreg.REG". Exit Notepad.

Double click your new file and agree to the registry merge when asked. You can then delete this new file.

Let me know if this worked.

OK, I had to check a few different places on this one. You have a very new form of malware.

Go HERE to get your Product ID issue straightened out (scroll down a bit). It also has another method for fixing the clock.

Let me know if you have any questions and when you get done post a fresh Hijackthis log so we can see what all needs to be done to finish up.

Also let me know how things are after the fixes are done.

Miekiemoes' blog completed the last few minor repairs. The machine seems to be running fine.
Thank you for all of your time and help. Your breadth of knowledge is staggering.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:28:22 PM, on 5/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Auto EPSON Stylus CX3800 Series on DISH] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P39 "Auto EPSON Stylus CX3800 Series on DISH" /O15 "\\DISH\EPSONSty" /M "Stylus CX3800"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: ConferenceRoom Java Client - http://java.financialchat.com:8000/java/cr.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab
O16 - DPF: {0D859AF0-C75E-11D4-B760-00E0B81077E8} (FileCruiser Class) - http://coop.mlxchange.com/Control/FileCruiser.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {13D448F2-4D80-40BD-B1D7-25A9B7CB1474} (PMSImage Control) - http://24.75.126.108/install/PMSImage.ocx
O16 - DPF: {16FD824B-8E7B-11D2-9855-00802962956C} (Specfile Control) - http://coop.mlxchange.com/Control/Specfile.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {284DAE3C-A691-11D3-AD58-00E0B8107A24} (SISCtrl Class) - http://coop.mlxchange.com/Control/SISC.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3BA3B159-7533-4F96-A2CE-EE5894BBD3D5} (Scanner.SysScanner) - http://i.dell.com/images/global/js/scanner/SYSSCANNER.cab
O16 - DPF: {4063B398-3FC7-433E-B23B-0460CE7EDC27} (MaxisMakinMagicTeleX Control) - http://thesims.ea.com/teleport/makinmagic/MaxisMakinMagicTeleX.cab
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://coop.mlxchange.com/Control/MultiSelectComboBox.cab
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://support.rexplorer.net/iftw_install//iftwclix.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://coop.mlxchange.com/Control/MLXClientUtils.cab
O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://c.ancestry.com/cab/ImageViewer/MFImgVwr.cab
O16 - DPF: {78523E50-56EB-11D3-B739-CAA1986A452F} (LiteGridCtl Class) - http://coop.mlxchange.com/Control/LiteGrid.cab
O16 - DPF: {7A7537FC-5988-11D3-8B33-00104B9E5A4A} (IRCWwwPrint Class) - http://coop.mlxchange.com/Control/IRCWebPrint.cab
O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://ctmls.mlxchange.com/4.2.06.26/Control/IRCSharc.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD42/JSCDL/jre/6u6-b90/jinstall-6u6-windows-i586-jc.cab?AuthParam=1211955591_0bef0b16a370840ba69aa7314db5214e&GroupName=JSC&BHost=javadl.sun.com&FilePath=/ESD42/JSCDL/jre/6u6-b90/jinstall-6u6-windows-i586-jc.cab&File=jinstall-6u6-windows-i586-jc.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {94EB57FE-2720-496C-B33F-D9353C6E23F7} (F-Secure Online Scanner 2.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B151B524-F451-4036-9663-B3944FA710DF} (ExecuteAgent2p Class) - http://www.ct-mls.com/dss/ENUclientPro.cab
O16 - DPF: {B198A72B-B4C3-42B5-B8DA-B364E76429AA} (Cerebus Class) - http://coop.mlxchange.com/Control/WebDog.cab
O16 - DPF: {BC8E0F3E-2A7F-11D4-A0F2-0001022F24B8} (LIte Class) - http://coop.mlxchange.com/Components/OutlookXtract.cab
O16 - DPF: {C7E73900-EF7C-4E63-B36E-E8EEE1CD7DA5} (MPGridControl Class) - http://coop.mlxchange.com/Components/MPGridControl.cab
O16 - DPF: {F060A272-A18A-11D3-B75B-00E0B81077E8} (DropList Class) - http://coop.mlxchange.com/Control/AspCustomCtrls.cab
O23 - SERVICE: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
O24 - Desktop Component 4: (no name) - http://ctmls.mlxchange.com/

--
End of file - 8999 bytes


This was a real head twister. That was a new infection that I haven't seen before.

Looks like we both learned some new tricks today

----------

Run Hijackthis and have it fix this entry unless you set it yourself.

O24 - Desktop Component 4: (no name) - http://ctmls.mlxchange.com/

----------

Final cleanup steps.

Let's clear out the programs we've been using to clean up your computer. They are not suitable for general malware removal and could cause damage if launched accidentally. These steps will also help secure the work you have done.

  • Click START then RUN
  • Now type Combofix /u in the run box
  • Make sure there's a space between Combofix and /u
  • Then hit Enter.

The above procedure will:
  • Delete:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Set a new, clean Restore Point.

Download OTMoveIt2 by OldTimer (OTMoveIt2.exe) and place it on your desktop (unless you already have it installed).

  1. Double click OTMoveIt2.exe to launch it. Vista users: right click and choose Run As Administrator.
  2. Click on the CleanUp! button.
  3. OTMoveIt2 will download a list from the Internet; if your firewall or other defensive programs alert you, allow it access.
  4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
  5. Once complete, exit out of OTMoveIt2.

Set a New Restore Point to prevent possible reinfection from an old one
Setting a new restore point AFTER cleaning your system will enable your computer to roll back to a clean working state if needed.
  • Go to Start > Programs > Accessories > System Tools and click System Restore
  • Choose the radio button marked Create a Restore Point on the first screen, then click Next. Give the Restore Point a name, then click Create.
  • The new restore point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Next go to Start > Run and type Cleanmgr
  • Click OK
  • Click the More Options tab.
  • Click Clean Up in the System Restore section to remove all previous restore points except the newly created clean one.

Now run CCleaner.

Use the Secunia Software Inspector to check for out of date software.
  • Click Start Now
  • Check the box next to Enable thorough system inspection.
  • Click Start
  • Allow the scan to finish and scroll down to see if any updates are needed.
  • Update anything listed.

Here are some great FREE tools to help you keep from getting infected again. These tools use little or no resources so won't slow down your PC.

To prevent unknown applications from being installed on your computer, install WinPatrol 2008.

Another thing I would suggest is installing SiteAdvisor. SiteAdvisor rates sites on business practices and spam.

SpywareBlaster - Secure your Internet Explorer to make it harder for these ActiveX programs to run on your computer. It also stops certain cookies from being added to your computer when running Mozilla based browsers like Firefox.

Using SpywareBlaster to protect your computer from Spyware and Malware

Check out Keeping Yourself Safe On The Web for tips and free tools to keep you safe in the future.

Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.

Let us know if anything else comes up.
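As an added example (not part of this thread, and not code from any of the tools it mentions): a small Python parser for the REGEDIT4 fix file posted earlier, so that a reader can see exactly what a merge would do (which values are deleted, which keys are removed, what the hex(7) multi-string decodes to) before double-clicking a .reg file from a forum. SAMPLE_REG is a constructed excerpt of that file; the parser assumes no backslash-continued hex lines, which holds for the fix in this thread.

```python
import re
# Constructed excerpt of the Fixreg.REG from this thread (same value shapes as the full file)
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmona"=-

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\sr]
"Start"=dword:00000000

[-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"HideClock"=-
"NoRun"=-
"""

def decode_value(raw):
    """Map one REGEDIT4 value literal to (type, value); a bare '-' means delete the value."""
    if raw == "-":
        return ("delete_value", None)
    if raw.startswith('"') and raw.endswith('"'):
        return ("REG_SZ", raw[1:-1].replace('\\\\', '\\').replace('\\"', '"'))
    if raw.startswith("dword:"):
        return ("REG_DWORD", int(raw[len("dword:"):], 16))
    m = re.match(r"hex\((\d+)\):(.*)$", raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        if m.group(1) == "7":  # REG_MULTI_SZ: NUL-separated strings, double-NUL terminated
            return ("REG_MULTI_SZ", [s for s in data.decode("latin-1").split("\x00") if s])
        return ("hex(%s)" % m.group(1), data)
    raise ValueError("unrecognised value literal: %r" % raw)

def parse_reg(text):
    """Return (key, action, name, value) tuples in file order; assumes no '\\'-continued hex lines."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "REGEDIT4":
        raise ValueError("not a REGEDIT4 file")
    ops, key = [], None
    for line in (ln.strip() for ln in lines[1:]):
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.startswith("-"):  # [-KEY] removes the whole key and its subkeys
                ops.append((key[1:], "delete_key", None, None))
                key = None
        elif key is not None and "=" in line:
            name, raw = line.split("=", 1)
            action, value = decode_value(raw)
            ops.append((key, action, name.strip('"'), value))
    return ops
```

Running parse_reg(SAMPLE_REG) shows, for instance, that "Authentication Packages" is reset to the single package msv1_0 and that the ctfmona Run entry is deleted rather than set.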

