Nice little problem... Virus? Malware? could use a hand.

I'm not quite sure what exactly I have, But I seem to have gotten a not so nice birthday present today which really ruined my day, I did some searching on some of the things that was going on and one thread I had found was kinda similar to

First the main problem I have is trying to access my c:\ from My computer. When I double click on the c drive I get a nice little message. Windows cannot find 'RECYCLER\S-1-1-78-100032313-100016677-100020924-7262.com'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search. I saw that and I flipped. I managed to get into the c:\ and looked and I guess for starters m auto.run.inf has been... "altered"

Code:

[autorun]
;bovnmgwdqhaokumtsphtttzytiixuhnmpznywsfchfvi
shellexecute="RECYCLER\S-1-1-78-100032313-100016677-100020924-7262.com c:\"
;fntpbwnekowbdzkgnidejydwfvpvxrffecemgftdlvzqwue
shell\Open\command="RECYCLER\S-1-1-78-100032313-100016677-100020924-7262.com c:\"
;rochguuyvrkqlkzueydcwfyorwsirgzbmskxqoajrizsdbotmhjlqmtyimivkjealjsgwtgiinykgzeqfaoewx
shell=Open

So then I did some weird searching and I see things in my C:\RECYCLER folder

S-1-5-21-515967899-602162358-839522115-1005 || It's a Folder

and there was a msdos thing too but it's not there anymore... so ya Then I tried to download spybot and it's pretty much as if something is preventing it from installing...

Error sending Request. The server name or address could not be resolved.

so I cant even install spybot....

I'll also post a hijackthis log, please if anyone could give me a hand it would be greatly appreciated, this wasn't exactly a birthday present I was planning for :'(

Code:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:56:41 PM, on 2/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\ASUS\Six Engine\SixEngine.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Executive Software\Diskeeper Home Edition\DKService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Vash\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [url]http://windowsupdate.microsoft.com/[/url]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [Six Engine] "C:\Program Files\ASUS\Six Engine\SixEngine.exe" -r
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Download All with FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - [url]http://www.srtest.com/srl_bin/sysreqlab_srl.cab[/url]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [url]http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1227318148031[/url]
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper Home Edition\DKService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6963 bytes

 

A quick google (which is where you probably should have started) indicates that this Is probably an "autorun worm"

The resolution is:

Try Flash Disinfector, it is proven to remove autorun worms.
http://www.precisesecurity.com/tools-resources/adware-tools/flash-disinfector/

 

Well I did google, maybe I just didn't search hard enough =/ anyways, thx it worked! I can get into my C:\ now with no issues =D although idk for what reason but I still can't install spybot, keep getting that error message, maybe have any ideas?

Edit - Also it seems to not be doing it for any of the kind of anti-spyware/virus programs, wont connect for install for spybot, wont for the online Kasper, wont for aware SE

 

Why are you trying to do internet installs??????

Common sense says if you can't do a direct install you should download and save the file and run locally.

If you can't save the file and install locally you may have additional problems that need to be fixed.

 

Sorry for not being clear I'll slow down a bit and make sure I get everything right, yes I was doing local installs, the only thing non-local was the Kaspersky Online Scanner. I downloaded Both Spybot and Adware-SE. Adware SE installed but cannot download the updates from their site. Spybot would not install with the auto-update box checked but would without. (After I tried that now) Spybot is not connecting to the site to download updates and the main program of spybot is not even coming up. Also when I was trying to get to the home page of Spybot it is not loading the page. I also had problems connecting to lavasofts page too, I would get redirected to other sites when trying to connect to it as well. (Something like http://results.googleadservices.com/)

(Also, I think Macafee has been detecting a few reoccurring advertising cookies in my "C:\Documents and Settings\Vash\Cookies" folder.)

 

OK, thanks for that. Makes more sense now.

I would guess that you have some malware that is preventing Ad-aware and Spybot from getting updated.

My SOP on this is:

1)Try to get one pass run with Spybot and Ad-aware just to see what they can find.

2)If there's anything left over you might Google to see if there's some specific way to clean it.

I can't read hijack this logs but there are some people who do it all day long.

The last time I had a really nasty spyware attach I spen a few hours reading the Stuff on Andy Manchesta's site and found something that matched. I used his suggestions to get it cleared, and promptly donated some $$$ to his site.

Good luck.

 

hmmm alright I'll give that a try and hope for the best, anyways thanks again.

 

Alls good, did a bit of searching, didn't really help much but was able to use proxies and download the updates manually and install them on my computer, got everything updated to most recent definitions, ran everything removed all the files that they found and restarted. Everything seems to be working now I can update all the things access the sits I couldn't =). Thanks again for the help for my previous problem and I'm glad everything is working great now.