Getpluso.inf - getplusuninstall ocx
#41
14th Sep 2007, 10:54
Member Group

Here is what that Sophos one found:

Area: Windows registry
Description: Hidden registry key
Location: \HKEY_USERS\S-1-5-18\Control Panel\international_combofixbackup
Removable: No
Notes: (no more detail available)

Area: Local hard drives
Description: Unknown hidden file
Location: C:\System Volume Information\_restore{0E27B915-C1A5-4E84-8AE1-EF567BB161FE}\RP25\A0010012.exe
Removable: Yes (but clean up not recommended for this file)
Notes: (no more detail available)

I'm going home for the weekend now (all this is on my work PC!!). Will be back on Monday.
#42
14th Sep 2007, 10:59
Moderator Group

Is it on a network?
#43
14th Sep 2007, 11:02
Member Group

No - stand-alone Internet PC with a static IP address.
#44
14th Sep 2007, 11:08
Moderator Group

I will need the exact (complete) error message to track it down.

Run this online scan: Kaspersky
When the scan is finished, save the results from the scan!
Paste them in the next post.
#45
17th Sep 2007, 04:29
Member Group

Quote:
Originally Posted by evilfantasy
I will need the exact (complete) error message to track it down.

Here's that error message again:

Quote:
Upon rebooting, the following error message appeared: The title of the dialog box was "Advanced INF Install" and the message was "Error: Could not locate INF file: C:\Windows\inf\GETPLUSo.INF". I have to press OK and then Windows continues to load the desktop as normal.
And the results from the Kaspersky scan:

Critical Area Scan:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, September 17, 2007 12:23:39 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.1
Kaspersky Anti-Virus database last update: 17/09/2007
Kaspersky Anti-Virus database records: 419725
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - Critical Areas:
C:\WINDOWS
C:\DOCUME~1\Darren\LOCALS~1\Temp\
Scan Statistics:
Total number of scanned objects: 13859
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 00:11:49
Infected Object Name / Virus Name / Last Action
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\DOCUME~1\Darren\LOCALS~1\Temp\~DF9379.tmp Object is locked skipped
C:\DOCUME~1\Darren\LOCALS~1\Temp\~DF93C3.tmp Object is locked skipped
C:\DOCUME~1\Darren\LOCALS~1\Temp\~DF99F7.tmp Object is locked skipped
C:\DOCUME~1\Darren\LOCALS~1\Temp\~DF9A04.tmp Object is locked skipped
C:\DOCUME~1\Darren\LOCALS~1\Temp\~DFE7FE.tmp Object is locked skipped
C:\DOCUME~1\Darren\LOCALS~1\Temp\~DFE80E.tmp Object is locked skipped
Scan process completed.
#46
17th Sep 2007, 05:41
Member Group

My Computer scan:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, September 17, 2007 1:39:56 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.1
Kaspersky Anti-Virus database last update: 17/09/2007
Kaspersky Anti-Virus database records: 419725
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
Scan Statistics:
Total number of scanned objects: 83608
Number of viruses found: 7
Number of infected objects: 13
Number of suspicious objects: 0
Duration of the scan process: 01:13:16
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Network Associates\BOPDATA\_Date-20070917_Time-114552296_EnterceptExceptions.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\BOPDATA\_Date-20070917_Time-114552296_EnterceptRules.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\Agent_MSG-SUPPORT2.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\PrdMgr_MSG-SUPPORT2.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\AccessProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\BufferOverflowProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\OnAccessScanLog.txt Object is locked skipped
C:\Documents and Settings\Darren\Application Data\Lavasoft\Ad-Aware\logs\AWEVLOG.txt Object is locked skipped
C:\Documents and Settings\Darren\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Darren\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Darren\Desktop\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Darren\Desktop\SmitfraudFix.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Darren\Local Settings\Application Data\Ahead\Nero Home\bl.db Object is locked skipped
C:\Documents and Settings\Darren\Local Settings\Application Data\Ahead\Nero Home\is2.db Object is locked skipped
C:\Documents and Settings\Darren\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Darren\Local Settings\Application Data\Microsoft\Messenger\dazkool@hotmail.com\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped
C:\Documents and Settings\Darren\Local Settings\Application Data\Microsoft\Messenger\dazkool@hotmail.com\SharingMetadata\pending.dat Object is locked skipped
C:\Documents and Settings\Darren\Local Settings\Application Data\Microsoft\Messenger\dazkool@hotmail.com\SharingMetadata\Working\database_2E10_A225_10A1_F3CD\dfsr.db Object is locked skipped
C:\Documents and Settings\Darren\Local Settings\Application Data\Microsoft\Messenger\dazkool@hotmail.com\SharingMetadata\Working\database_2E10_A225_10A1_F3CD\fsr.log Object is locked skipped
C:\Documents and Settings\Darren\Local Settings\Application Data\Microsoft\Messenger\dazkool@hotmail.com\SharingMetadata\Working\database_2E10_A225_10A1_F3CD\fsrtmp.log Object is locked skipped
C:\Documents and Settings\Darren\Local Settings\Application Data\Microsoft\Messenger\dazkool@hotmail.com\SharingMetadata\Working\database_2E10_A225_10A1_F3CD\tmp.edb Object is locked skipped
C:\Documents and Settings\Darren\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Darren\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Darren\Local Settings\Application Data\Microsoft\Windows Live Contacts\dazkool@hotmail.com\real\members.stg Object is locked skipped
C:\Documents and Settings\Darren\Local Settings\Application Data\Microsoft\Windows Live Contacts\dazkool@hotmail.com\shadow\members.stg Object is locked skipped
C:\Documents and Settings\Darren\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Darren\Local Settings\History\History.IE5\MSHist012007091720070918\index.dat Object is locked skipped
C:\Documents and Settings\Darren\Local Settings\Temp\~DF9379.tmp Object is locked skipped
C:\Documents and Settings\Darren\Local Settings\Temp\~DF93C3.tmp Object is locked skipped
C:\Documents and Settings\Darren\Local Settings\Temp\~DF99F7.tmp Object is locked skipped
C:\Documents and Settings\Darren\Local Settings\Temp\~DF9A04.tmp Object is locked skipped
C:\Documents and Settings\Darren\Local Settings\Temp\~DFE7FE.tmp Object is locked skipped
C:\Documents and Settings\Darren\Local Settings\Temp\~DFE80E.tmp Object is locked skipped
C:\Documents and Settings\Darren\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Darren\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Darren\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Darren\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Downloads\DivXPro511Adware.exe/stream/data0019 Infected: not-a-virus:AdWare.Win32.Gator.3202 skipped
C:\Downloads\DivXPro511Adware.exe/stream Infected: not-a-virus:AdWare.Win32.Gator.3202 skipped
C:\Downloads\DivXPro511Adware.exe NSIS: infected - 2 skipped
C:\Downloads\mirc615.exe Infected: Virus.Win32.Virut.p skipped
C:\Downloads\winmx353.exe Infected: Virus.Win32.Virut.p skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{0E27B915-C1A5-4E84-8AE1-EF567BB161FE}\RP21\A0001505.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.fk skipped
C:\System Volume Information\_restore{0E27B915-C1A5-4E84-8AE1-EF567BB161FE}\RP21\A0001505.exe/data0003 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped
C:\System Volume Information\_restore{0E27B915-C1A5-4E84-8AE1-EF567BB161FE}\RP21\A0001505.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{0E27B915-C1A5-4E84-8AE1-EF567BB161FE}\RP33\A0010792.exe Infected: Trojan-Downloader.Win32.Agent.buo skipped
C:\System Volume Information\_restore{0E27B915-C1A5-4E84-8AE1-EF567BB161FE}\RP40\A0011393.dll Infected: not-a-virus:AdWare.Win32.PurityScan.fs skipped
C:\System Volume Information\_restore{0E27B915-C1A5-4E84-8AE1-EF567BB161FE}\RP42\change.log Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
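The two Kaspersky reports above share one line format, so they can be summarised programmatically. The following Python script is an added example, not something posted in the thread: its embedded sample report is constructed from the 'My Computer' scan above, and it parses the infected-object section, groups detections by name, separates real malware from not-a-virus tools, flags hits inside System Restore points, and cross-checks the scanner's own totals against the parsed lines.

```python
"""Summarise a Kaspersky Online Scanner 5.x report like the ones posted above.
The sample below is constructed from the 'My Computer' report in the thread."""
import re
from collections import Counter

SAMPLE_REPORT = r"""Number of viruses found: 7
Number of infected objects: 13
Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\Documents and Settings\Darren\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Darren\Desktop\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Darren\Desktop\SmitfraudFix.zip ZIP: infected - 1 skipped
C:\Downloads\DivXPro511Adware.exe/stream/data0019 Infected: not-a-virus:AdWare.Win32.Gator.3202 skipped
C:\Downloads\DivXPro511Adware.exe/stream Infected: not-a-virus:AdWare.Win32.Gator.3202 skipped
C:\Downloads\DivXPro511Adware.exe NSIS: infected - 2 skipped
C:\Downloads\mirc615.exe Infected: Virus.Win32.Virut.p skipped
C:\Downloads\winmx353.exe Infected: Virus.Win32.Virut.p skipped
C:\System Volume Information\_restore{0E27B915-C1A5-4E84-8AE1-EF567BB161FE}\RP21\A0001505.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.fk skipped
C:\System Volume Information\_restore{0E27B915-C1A5-4E84-8AE1-EF567BB161FE}\RP21\A0001505.exe/data0003 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped
C:\System Volume Information\_restore{0E27B915-C1A5-4E84-8AE1-EF567BB161FE}\RP21\A0001505.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{0E27B915-C1A5-4E84-8AE1-EF567BB161FE}\RP33\A0010792.exe Infected: Trojan-Downloader.Win32.Agent.buo skipped
C:\System Volume Information\_restore{0E27B915-C1A5-4E84-8AE1-EF567BB161FE}\RP40\A0011393.dll Infected: not-a-virus:AdWare.Win32.PurityScan.fs skipped
Scan process completed.
"""

# One regex per line shape: infected object, infected archive container, locked file, counters.
INFECTED = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) (?P<action>\S+)$")
ARCHIVE = re.compile(r"^(?P<path>.+?) (?P<fmt>[A-Z0-9]+): infected - (?P<count>\d+) (?P<action>\S+)$")
LOCKED = re.compile(r"^(?P<path>.+?) Object is locked (?P<action>\S+)$")
STAT = re.compile(r"^Number of (?P<key>viruses found|infected objects): (?P<n>\d+)$")

def parse_report(text):
    """Split a report into its counters, infected objects, infected archives and locked files."""
    out = {"stats": {}, "infected": [], "archives": [], "locked": []}
    for line in text.splitlines():
        line = line.rstrip()
        if m := STAT.match(line):
            out["stats"][m["key"]] = int(m["n"])
        elif m := INFECTED.match(line):
            out["infected"].append((m["path"], m["name"], m["action"]))
        elif m := ARCHIVE.match(line):
            out["archives"].append((m["path"], m["fmt"], int(m["count"]), m["action"]))
        elif m := LOCKED.match(line):
            out["locked"].append(m["path"])
    return out

def summarize(parsed):
    """Group detections by name, split real malware from not-a-virus tools, flag
    hits inside System Restore points and cross-check the scanner's own totals."""
    names = Counter(name for _, name, _ in parsed["infected"])
    real = sorted(n for n in names if not n.startswith("not-a-virus:"))
    restore = sorted({p for p, _, _ in parsed["infected"]
                      if "\\System Volume Information\\_restore" in p})
    stats = parsed["stats"]
    return {"detections": names, "real_malware": real, "restore_point_hits": restore,
            # Kaspersky counts each infected archive container as one more infected object
            "viruses_match": stats.get("viruses found") == len(names),
            "objects_match": stats.get("infected objects")
            == len(parsed["infected"]) + len(parsed["archives"])}
```

Hits under System Volume Information live in restore points, which is why cleanup guides have you purge System Restore after disinfection; the real-malware list is what matters for the actual infection, the not-a-virus entries are tools and adware.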
#47
17th Sep 2007, 11:28
Moderator Group

Hi, I have not forgotten you. I am still trying to pin down what is going on. I think I am getting closer.
Post a new HJT log.
The error that is coming up is due to something that was removed as part of the infection. I believe you were infected by email, or from opening a .pdf document online.

The GETPLUSo.INF: do you know what that is?
#48
17th Sep 2007, 20:26
Member Group

Hi evilfantasy:

If it's ok with you, I would like to try and offer some assistance with this thread?

You know who I am (I'm a mod on another tech site). We spoke the other day via PMs.

Regards Howard.
#49
17th Sep 2007, 20:31
Moderator Group

Howard I know who you are and how you work.

I would love a hand with this one my friend!

Please do, I am sure I can learn from you.

Welcome to TCF
#50
17th Sep 2007, 20:50
Member Group

Ok mate, let's see what we can do to help dazkool out.

dazkool: please do the following.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Go to Add/Remove Programmes in your control panel and uninstall anything to do with (if there):

WinPop

Close control panel.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there):

winpop.exe
w?crtupd.exe (the question mark can be any random letter/number, etc.)
Update.exe

Close task manager.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there):

O4 - HKLM\..\Run: [{10A1F3CD-0A21-2057-0924-03041620002c}] "C:\Program Files\Common Files\{10A1F3CD-0A21-2057-0924-03041620002c}\Update.exe" mc-110-12-0001291

O4 - HKLM\..\RunOnce: [getPlusUninstall_ocx] rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\inf\GETPLUSo.INF, DefaultUninstall

O4 - HKCU\..\Run: [Tpee] "C:\PROGRA~1\COMMON~1\YSTEM3~1\explorer.exe" -vt yazb

O4 - HKCU\..\Run: [Uttkrx] "C:\Program Files\??curity\w?crtupd.exe"

O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories (if there):

C:\Program Files\WinPop (delete the entire folder)
C:\Program Files\??curity (delete the entire folder)
C:\PROGRA~1\COMMON~1\YSTEM3~1 (delete the entire folder; not to be confused with the System folder)
C:\Program Files\Common Files\{10A1F3CD-0A21-2057-0924-03041620002c} (delete the entire folder)
C:\WINDOWS\inf\GETPLUSo.INF

Reboot into normal mode and rehide your protected OS files.

Rename the Hijackthis.exe file to Crusty.exe. This is because some malware can hide from HijackThis.exe. Right click the HijackThis.exe file and choose rename. Click in the title box and press the delete key to clear what's there, type Crusty.exe and press the enter key. Right click the Crusty.exe file and send to desktop (create shortcut).

Please post a fresh HJT log and let us know if you're still having problems.

Regards Howard.