Multiple Virus issues. Cannot remove with Symantec


12 replies to this topic

#1 edjogo2 (Members, 11 posts)

Posted 22 May 2009 - 09:09 PM

Hello. I have a ton of viruses. I don't know what to do. I ran Norton in safe boot and it found 3, but then I restarted my computer and immediately got a virus notification. The viruses that it says I have are called:

pp10.exe - Downloader
870159.dll - Trojan Horse
stonce_12343044286.exe - Trojan Horse
websrvx[1].exe - Trojan Horse
new_drv.sys - Hacktool.Rootkit
load[1].exe - W32.IRCbot
pdfupd.exe - W32.IRCbot
Acr73.tmp - Bloodhound.Exploit.196
nrf[1].exe - W32.Koobface.A
tokutide.exe - Trojan.vundo
Torazusa.dll - Packed.Generic.217

and many many more.

here is the DDS report:


DDS (Ver_09-03-16.01) - NTFSx86
Run by Ed Gomes at 21:46:42.65 on Fri 05/22/2009
Internet Explorer: 8.0.6001.18241
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2039.1152 [GMT -4:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\ALCMTR.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\windows\pp10.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Ed Gomes\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
svchost.exe
C:\WINDOWS\9129837.exe
C:\WINDOWS\system32\SYSDLL.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
svchost.exe "C:\WINDOWS\system32\advapi32x.exe"
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\SYSDLL.exe
C:\Documents and Settings\Ed Gomes\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Ed Gomes\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Ed Gomes\Desktop\virus issue\dds.scr
C:\WINDOWS\system32\igfxsrvc.exe

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171
uURLSearchHooks: Winamp Search Class: {57bca5fa-5dbb-45a2-b558-1755c3f6253b} - c:\program files\winamp toolbar\winamptb.dll
mURLSearchHooks: Winamp Search Class: {57bca5fa-5dbb-45a2-b558-1755c3f6253b} - c:\program files\winamp toolbar\winamptb.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Winamp Toolbar Loader: {25cee8ec-5730-41bc-8b58-22ddc8ab8c20} - c:\program files\winamp toolbar\winamptb.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: 870159 Class: {9e263d08-4127-4b99-9043-4fb044e6fcbc} - c:\windows\system32\870159\870159.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Winamp Toolbar: {ebf2ba02-9094-4c5a-858b-bb198f3d8de2} - c:\program files\winamp toolbar\winamptb.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\ed gomes\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [PhoneDaemon] c:\documents and settings\ed gomes\desktop\iphone_pc_suite\PhoneDaemon.exe
uRun: [AlcoholAutomount] "c:\program files\alcohol soft\alcohol 120\axcmd.exe" /automount
uRun: [ttool] c:\windows\9129837.exe
uRun: [sysdll] SYSDLL
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [90398f75] rundll32.exe "c:\windows\system32\rutejera.dll",b
mRun: [sysldtray] c:\windows\ld08.exe
mRun: [cpm930abce9] Rundll32.exe "c:\windows\system32\lawapuvo.dll",a
mRun: [pp] c:\windows\pp10.exe
mRun: [mokiwaneto] Rundll32.exe "c:\windows\system32\zasovore.dll",s
StartupFolder: c:\docume~1\edgome~1\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-100000000002}\SC_Acrobat.exe
IE: &Winamp Search - c:\documents and settings\all users\application data\winamp toolbar\ietoolbar\resources\en-us\local\search.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: Mp4ikfat - {06E6ED3C-78D0-4FFB-8F74-839A657D32D9} - c:\windows\system32\popagmac.dll
SSODL: ssodl - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - No File
STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - No File
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digiwet.dll
LSA: Notification Packages = scecli c:\windows\system32\vobaruwi.dll

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2004-2-9 301200]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2004-6-9 255096]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2004-6-9 242808]
R2 Nero BackItUp Scheduler 4.0;Nero BackItUp Scheduler 4.0;c:\program files\common files\nero\nero backitup 4\NBService.exe [2008-12-5 935208]
R2 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2004-2-9 37008]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2004-10-6 1275216]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090522.002\naveng.sys [2009-5-22 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090522.002\navex15.sys [2009-5-22 876144]
S2 MSIServerBrowser;Windows Installer MSIServerBrowser;c:\windows\system32\advapi32x.exe srv --> c:\windows\system32\advapi32x.exe srv [?]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2004-6-9 87160]
S3 new_drv;!!!!;\??\c:\windows\new_drv.sys --> c:\windows\new_drv.sys [?]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2004-10-6 173392]

=============== Created Last 30 ================

2009-05-22 20:19 2 ----h--- c:\windows\sto453148.dat
2009-05-22 18:43 <DIR> --d----- c:\program files\Cobian Backup 9
2009-05-22 18:21 <DIR> --dsh--- c:\documents and settings\ed gomes\PrivacIE
2009-05-22 18:17 56,832 a------- c:\windows\9129837.exe
2009-05-22 18:17 28,672 a------- c:\windows\ld08.exe
2009-05-22 18:17 393 a------- c:\windows\st_1242773037.exe
2009-05-22 18:17 392 a------- c:\windows\st_1242791486.exe
2009-05-22 18:17 1 a------- c:\windows\9g2234wesdf3dfgjf23
2009-05-22 18:17 13,824 -------- c:\windows\pp10.exe
2009-05-22 18:03 <DIR> -cd-h--- c:\windows\ie8
2009-05-22 16:00 2 ----h--- c:\windows\sto452730.dat
2009-05-22 16:00 16,896 a------- c:\windows\system32\SYSDLL.exe
2009-05-22 16:00 <DIR> --d----- c:\windows\system32\121973
2009-05-22 06:28 <DIR> --d----- c:\windows\system32\870159
2009-05-19 18:43 <DIR> --d----- c:\program files\Alcohol Soft
2009-05-19 18:43 2 ----h--- c:\windows\sto453250.dat
2009-05-19 18:41 721,904 a------- c:\windows\system32\drivers\sptd.sys
2009-05-18 21:08 32 a--s---- c:\windows\system32\418323888.dat
2009-05-18 21:08 53,248 ---shr-- c:\windows\system32\advapi32x.exe
2009-05-08 01:15 257,536 a------- c:\windows\system32\brofent.dll
2009-05-06 22:18 <DIR> --d----- c:\program files\OpenSSH
2009-05-06 20:12 <DIR> --d----- c:\program files\WinSCP
2009-05-06 20:07 <DIR> --d----- c:\program files\NCH Software
2009-05-06 20:07 <DIR> --d----- c:\program files\NCH Swift Sound
2009-05-05 21:55 <DIR> --d----- c:\program files\Winamp Toolbar
2009-05-05 21:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Winamp Toolbar
2009-05-05 00:15 <DIR> --d----- C:\_OTListIt
2009-05-03 17:04 <DIR> --d----- c:\docume~1\edgome~1\applic~1\Malwarebytes
2009-05-03 17:04 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-05-03 17:04 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-03 17:04 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-03 17:04 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-02 19:07 <DIR> --d----- c:\program files\Trend Micro
2009-05-02 09:13 <DIR> --d----- C:\VundoFix Backups
2009-05-02 09:09 77,464,712 a------- C:\SYM_REGISTRY_BACKUP.reg
2009-04-29 19:19 5,632 a------- c:\windows\system32\ptpusb.dll
2009-04-29 19:19 15,104 ac------ c:\windows\system32\dllcache\usbscan.sys
2009-04-29 19:19 15,104 a------- c:\windows\system32\drivers\usbscan.sys
2009-04-29 19:19 159,232 a------- c:\windows\system32\ptpusd.dll
2009-04-28 19:07 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-04-28 19:07 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-04-28 19:07 <DIR> --d----- c:\program files\iPod
2009-04-28 19:07 <DIR> --d----- c:\program files\iTunes
2009-04-28 19:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-28 19:05 1,900,544 a------- c:\windows\system32\usbaaplrc.dll
2009-04-28 19:05 36,864 a------- c:\windows\system32\drivers\usbaapl.sys
2009-04-27 09:21 <DIR> --d----- c:\program files\MSXML 4.0
2009-04-27 09:18 <DIR> --d----- c:\windows\pss
2009-04-26 19:09 <DIR> --d----- c:\docume~1\alluse~1\applic~1\LightScribe
2009-04-26 18:32 4,767 a------- c:\windows\Irremote.ini
2009-04-26 18:11 <DIR> --d----- c:\program files\Nero
2009-04-26 18:10 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Nero
2009-04-26 11:29 284,160 -c------ c:\windows\system32\dllcache\pdh.dll
2009-04-26 11:29 473,600 -c------ c:\windows\system32\dllcache\fastprox.dll
2009-04-26 11:29 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-26 11:29 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll
2009-04-26 11:29 227,840 -c------ c:\windows\system32\dllcache\wmiprvse.exe
2009-04-26 11:29 110,592 -c------ c:\windows\system32\dllcache\services.exe
2009-04-26 11:29 729,088 -c------ c:\windows\system32\dllcache\lsasrv.dll
2009-04-26 11:29 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll
2009-04-26 11:29 617,472 -c------ c:\windows\system32\dllcache\advapi32.dll
2009-04-26 11:28 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-04-26 11:28 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-26 11:28 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe

==================== Find3M ====================

2009-03-21 10:06 2,478,080 a------- c:\windows\system32\ddekubro.dll
2009-03-21 10:06 1,265,664 a------- c:\windows\system32\chmekpol.dll
2009-03-21 10:06 1,175,552 a------- c:\windows\system32\monupbro.exe
2009-03-21 10:06 1,064,960 a------- c:\windows\system32\popagmac.dll
2009-03-21 10:06 158,350 a------- c:\windows\system32\urimopac32.dll
2009-03-21 10:06 118,784 a------- c:\windows\system32\webidcal.dll
2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-01 01:36 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-02-28 15:37 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-02-28 14:42 319,488 a------- c:\windows\HideWin.exe
2009-02-28 14:22 21,640 a------- c:\windows\system32\emptyregdb.dat

============= FINISH: 21:48:47.37 ===============

Please help.
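The DDS report above already contains most of what a malware-response helper reads off by eye before asking for ComboFix: a browser proxy pointed at localhost:7171, an extra DLL in the LSA Notification Packages, a fifth SecurityProviders entry, three Run keys that load eight-letter DLLs from system32 through rundll32, two services whose binaries DDS could not stat ("[?]", one with the display name "!!!!"), and six files dropped into c:\windows within the same minute. The script below is an added example, not part of this thread, of DDS, or of any tool mentioned here; it turns those checks into rules and runs them over a sample built from lines of the log above. The Windows XP default lists for LSA Notification Packages and SecurityProviders, the "6 to 10 lowercase letters" random-name heuristic, and the three-files-per-minute burst threshold are assumptions, not anything DDS reports.

```python
"""Triage of a DDS log like the one posted above (added example, not from the
thread, from DDS, or from any tool the helper lists).  It encodes what a
malware-response volunteer checks by eye: a proxy pointed at the local host,
extra LSA notification packages and security providers, rundll32 Run entries
that load random-named DLLs from system32, services whose binary DDS could not
stat ("[?]" or the "!!!!" display name), and files dropped in one burst.
Default name lists and the 6-10 letter "random name" heuristic are assumptions."""
import re
from collections import defaultdict

KNOWN_LSA_PACKAGES = {"scecli"}                       # XP default (assumption)
KNOWN_SECURITY_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}

LOCAL_PROXY = re.compile(r"proxyserver\s*=.*?(localhost|127\.0\.0\.1):(\d+)", re.I)
# Vundo-style loader: Rundll32.exe "c:\windows\system32\<random>.dll",<export>
VUNDO_RUN = re.compile(r'rundll32\.exe\s+"?c:\\windows\\system32\\[a-z]{6,10}\.dll"?\s*,\s*\w', re.I)
RANDOM_SYS32_DLL = re.compile(r"c:\\windows\\system32\\[a-z]{6,10}\.dll$", re.I)
# "Created Last 30" row: <date> <HH:MM> <size or <DIR>> <attrs> <path>
CREATED = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(\S+)\s+(\S+)\s+(.+)$")


def triage(report):
    """Return (rule, line) pairs for every persistence entry that looks hijacked."""
    hits = []
    for line in (l.strip() for l in report.splitlines() if l.strip()):
        low = line.lower()
        if LOCAL_PROXY.search(line):                  # browser traffic routed via a local listener
            hits.append(("local-proxy", line))
        elif low.startswith("lsa: notification packages"):
            if set(low.split("=", 1)[1].split()) - KNOWN_LSA_PACKAGES:
                hits.append(("lsa-notification-package", line))   # DLL loaded into lsass.exe
        elif low.startswith("securityproviders:"):
            if {p.strip() for p in low.split(":", 1)[1].split(",")} - KNOWN_SECURITY_PROVIDERS:
                hits.append(("security-provider", line))
        elif low.startswith(("urun:", "mrun:")) and VUNDO_RUN.search(line):
            hits.append(("rundll32-random-dll", line))
        elif low.startswith("ssodl:") and (low.endswith("no file") or RANDOM_SYS32_DLL.search(line)):
            hits.append(("shell-service-object", line))
        elif re.match(r"[rs]\d ", low) and ("[?]" in line or ";!!!!;" in line):
            hits.append(("service-missing-binary", line))
    return hits


def local_proxy(report):
    """(host, port) of a proxy pointed at this machine, or None."""
    m = LOCAL_PROXY.search(report)
    return (m.group(1).lower(), int(m.group(2))) if m else None


def drop_bursts(report, min_files=3):
    """Group created files by minute: a dropper writes its payloads within seconds,
    so several new files sharing one timestamp point at the same installer."""
    by_minute = defaultdict(list)
    for line in report.splitlines():
        m = CREATED.match(line.strip())
        if m and m.group(2) != "<DIR>":
            by_minute[m.group(1)].append(m.group(4))
    return {minute: paths for minute, paths in by_minute.items() if len(paths) >= min_files}


# Sample constructed from lines of the DDS report in the post above.
SAMPLE = r"""
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [90398f75] rundll32.exe "c:\windows\system32\rutejera.dll",b
mRun: [cpm930abce9] Rundll32.exe "c:\windows\system32\lawapuvo.dll",a
mRun: [mokiwaneto] Rundll32.exe "c:\windows\system32\zasovore.dll",s
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: Mp4ikfat - {06E6ED3C-78D0-4FFB-8F74-839A657D32D9} - c:\windows\system32\popagmac.dll
SSODL: ssodl - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - No File
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digiwet.dll
LSA: Notification Packages = scecli c:\windows\system32\vobaruwi.dll
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2004-2-9 301200]
S2 MSIServerBrowser;Windows Installer MSIServerBrowser;c:\windows\system32\advapi32x.exe srv --> c:\windows\system32\advapi32x.exe srv [?]
S3 new_drv;!!!!;\??\c:\windows\new_drv.sys --> c:\windows\new_drv.sys [?]
2009-05-22 20:19 2 ----h--- c:\windows\sto453148.dat
2009-05-22 18:43 <DIR> --d----- c:\program files\Cobian Backup 9
2009-05-22 18:17 56,832 a------- c:\windows\9129837.exe
2009-05-22 18:17 28,672 a------- c:\windows\ld08.exe
2009-05-22 18:17 393 a------- c:\windows\st_1242773037.exe
2009-05-22 18:17 392 a------- c:\windows\st_1242791486.exe
2009-05-22 18:17 1 a------- c:\windows\9g2234wesdf3dfgjf23
2009-05-22 18:17 13,824 -------- c:\windows\pp10.exe
2009-05-22 16:00 2 ----h--- c:\windows\sto452730.dat
2009-05-22 16:00 16,896 a------- c:\windows\system32\SYSDLL.exe
2009-05-22 16:00 <DIR> --d----- c:\windows\system32\121973
2009-05-18 21:08 32 a--s---- c:\windows\system32\418323888.dat
2009-05-18 21:08 53,248 ---shr-- c:\windows\system32\advapi32x.exe
"""

if __name__ == "__main__":
    for rule, line in triage(SAMPLE):
        print(f"{rule:26} {line}")
    print("local proxy:", local_proxy(SAMPLE))
    for minute, paths in drop_bursts(SAMPLE).items():
        print(f"burst at {minute}: {len(paths)} files, e.g. {paths[0]}")
```

Run it against a full DDS log saved from the forum (pass the file contents in place of SAMPLE) and read the hits in two groups: the LSA package, SecurityProviders and SSODL entries are persistence that survives a reboot and the removal of the visible .exe droppers, which is why Symantec kept finding "3 viruses" and the machine kept reinfecting; the burst at 18:17 names the payload set one dropper wrote, so cleaning one of those files without the others is pointless. The random-name heuristic will occasionally flag a legitimate eight-letter DLL, so treat every hit as something to look up, not something to delete.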


#2 Maurice Naggar (Malware Response Team, 1,088 posts; "Eradicator de malware"; USA)

Posted 24 May 2009 - 02:26 AM

Hello edjogo2.

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!
If you are a casual viewer, do NOT try this on your system!
If you are not edjogo2 and have a similar problem, do NOT post here; start your own topic.

Do not run or start any other programs while these utilities and tools are in use!
Do NOT run any other tools on your own or do any fixes other than what is listed here.
If you have questions, please ask before you do something on your own.
But it is important that you get going on these following steps.
=
Close any of your open programs while you run these tools.


Let's have you create a restore point (at this time).
1. Right click the My Computer icon on the Desktop and click on Properties.
2. Click on the System Restore tab.
3. If there is a check mark next to "Turn off System Restore on all drives", then click on the line to clear it.
4. If C is your system drive (as it is in most cases) and you see other drives monitored in the list (like D, E, etc) click on the other drives, press Settings button, and get the other drives turned off.
5. we only want to monitor the drive with Windows o.s.
If you are unable to activate System Restore or if the service is disabled, then.....
from the Start button > RUN option .... type in
services.msc

look for System Restore service
If it is listed as off or inactive, press on the link at top left to Start it.

Next, See and do as outlined here http://bertk.mvps.org/html/createrp.html

After that, also do this:
1. Go >> Here << and download ERUNT
(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
2. Install ERUNT by following the prompts
(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
3. Start ERUNT
(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
4. Choose a location for the backup
(the default location is C:\WINDOWS\ERDNT which is acceptable).
5. Make sure that at least the first two check boxes are ticked
6. Press OK
7. Press YES to create the folder.

=

Set Windows to show all files and all folders.
On your Desktop, double click My Computer, from the menu options, select tools, then Folder Options, and then select VIEW Tab and look at all of settings listed. "CHECK" (turn on) Display the contents of system folders.

Under column, Hidden files and folders----choose ( *select* ) Show hidden files and folders.
Next, un-check Hide extensions for known file types.
Next un-check Hide protected operating system files.

=
Take out the trash (temporary files & temporary internet files)
Please download ATF Cleaner by Atribune, saving it to your desktop. It is used to cleanout temporary files & temp areas used by internet browsers.
Start ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
ATF-Cleaner should be run per the above in every user-login account {User Profile}

=

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

If you have a prior copy of Combofix, delete it now !

Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.

Link 1
Link 2
Link 3


* IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop
If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on Combo-Fix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

Please watch Combofix as it runs, as you may see messages which require your response, or the pressing of OK button.

IF you should see a message like this:
then, be sure to write down fully and also copy that into your next reply here and then await for my response.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
-------------------------------------------------------

A caution - Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.
If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light.
If it is flashing, Combofix is still at work.
=

Please download and run the Trend Micro Sysclean Package on your computer.
NOTE! This scan will probably take a long time to run on your computer so be patient and don't use it while it's scanning.
  • Create a brand new folder to copy these files to.
  • As an example: C:\DCE
  • Then open each of the zipped archive files and copy their contents to C:\DCE
  • Copy the file sysclean.com to the new folder C:\DCE as well.
  • Double-click on the file sysclean.com that is in the C:\DCE folder and follow the on-screen instructions.

    After doing all of this, please post back your results, including the log file sysclean.log that will be left behind by sysclean.
How To Use Compressed (Zipped) Folders in Windows XP
Compress and uncompress files (zip files) in Vista

=
Please download & save Malwarebytes Anti-Malware from
http://www.download.com/Malwarebytes-Anti-..._4-10804572.htm or
http://www.besttechie.net/tools/mbam-setup.exe or
http://malwarebytes.gt500.org/mbam.jsp

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


=
RE-Enable your AntiVirus and AntiSpyware applications.

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference! Perhaps also save the file on your pc.

Close all browsers and all open windows & programs.

1. Please download SmitfraudFix (by S!Ri) and SAVE it to your Desktop.
It's very important that you be using the most recent version (v2.417 as of this post).

2. Reboot into Safe Mode (Restart your computer, then continually tap F8 until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter. More at http://service1.symantec.com/SUPPORT/tsgen...001052409420406.)

3. Once in Safe Mode:
Double click the SmitfraudFix.exe file. It will create a folder named SmitfraudFix on your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Have plenty of patience as a Command prompt window opens. You'll eventually see a message and a "press any key to continue".
Press the space bar or any other key on the keyboard.

4. Select option #2 - Clean by typing 2 and pressing Enter to delete infected files.

5. You will be prompted: "Registry cleaning - Do you want to clean the registry ?" Answer "Yes" by typing Y and pressing Enter in order to remove the desktop background and clean registry keys associated with the infection.

6. The tool will then check if wininet.dll is infected. If prompted to replace the infected file (if found), answer "Yes" by typing Y and pressing Enter.

7. The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

8. A text file will appear onscreen with results from the cleaning process. Please copy/paste the content of that report into your next reply.

The report also may be found at the root of the system drive, usually at C:\rapport.txt

Notes:
  • process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. More on this at http://www.beyondlogic.org/consulting/proc...processutil.htm
  • Running option #2 on a non-infected computer will remove your Desktop background. No need to worry, you were infected.

Reply with a copy of:
  • C:\Combofix.txt
  • sysclean.log
  • the MBAM scan log
  • C:\rapport.txt

Edited by Maurice Naggar, 24 May 2009 - 02:30 AM.

~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#3 edjogo2 (Topic Starter; Members, 11 posts)

Posted 25 May 2009 - 09:01 AM

I am attaching the files that you have requested. Thank you again for your help. If I have missed anything, please let me know. Again, thank you very much.

<Edited to place all reports IN-Line ~ Maurice>
Please do NOT put your logs / reports as attachments ! Always Copy & Paste them & put within main body of reply !


Combofix.txt:
ComboFix 09-05-24.03 - Ed Gomes 05/24/2009 18:25.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2039.451 [GMT -4:00]
Running from: c:\documents and settings\Ed Gomes\Desktop\Combo-Fix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\9129837.exe
c:\windows\ld08.exe
c:\windows\st_1242773037.exe
c:\windows\st_1242791486.exe
c:\windows\system32\121973
c:\windows\system32\121973\121973.dll
c:\windows\system32\SYSDLL.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MSISERVERBROWSER
-------\Service_MSIServerBrowser
-------\Service_new_drv


((((((((((((((((((((((((( Files Created from 2009-04-24 to 2009-05-24 )))))))))))))))))))))))))))))))
.

2009-05-24 21:18 . 2009-05-24 21:18 -------- d-----w c:\program files\ERUNT
2009-05-23 13:55 . 2009-05-23 13:55 -------- d-----w c:\windows\ie8updates
2009-05-23 13:04 . 2009-05-23 13:04 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Symantec
2009-05-23 00:19 . 2009-05-23 00:19 2 ---h--w c:\windows\sto453148.dat
2009-05-22 22:43 . 2009-05-22 22:44 -------- d-----w c:\program files\Cobian Backup 9
2009-05-22 22:21 . 2009-05-22 22:21 -------- d-sh--w c:\documents and settings\Ed Gomes\PrivacIE
2009-05-22 22:03 . 2009-05-22 22:04 -------- dc-h--w c:\windows\ie8
2009-05-22 21:41 . 2009-05-22 21:41 -------- d-----w c:\documents and settings\Ed Gomes\Local Settings\Application Data\Winamp Toolbar
2009-05-22 20:00 . 2009-05-22 20:00 2 ---h--w c:\windows\sto452730.dat
2009-05-22 10:28 . 2009-05-23 01:34 -------- d-----w c:\windows\system32\870159
2009-05-19 22:43 . 2009-05-19 22:43 -------- d-----w c:\program files\Alcohol Soft
2009-05-19 22:43 . 2009-05-19 22:43 2 ---h--w c:\windows\sto453250.dat
2009-05-19 22:41 . 2009-05-19 22:41 721904 ----a-w c:\windows\system32\drivers\sptd.sys
2009-05-19 22:11 . 2009-05-19 22:11 -------- d-----w c:\program files\7-Zip
2009-05-19 01:08 . 2009-05-19 01:08 32 --s-a-w c:\windows\system32\418323888.dat
2009-05-08 05:15 . 2009-05-08 05:15 257536 ----a-w c:\windows\system32\brofent.dll
2009-05-07 02:18 . 2009-05-07 02:18 -------- d-----w c:\program files\OpenSSH
2009-05-07 00:12 . 2009-05-07 00:12 -------- d-----w c:\program files\WinSCP
2009-05-07 00:08 . 2009-05-07 00:08 -------- d-----w c:\documents and settings\All Users\Application Data\NCH Swift Sound
2009-05-07 00:08 . 2009-05-07 00:08 -------- d-----w c:\documents and settings\Ed Gomes\Application Data\NCH Swift Sound
2009-05-07 00:08 . 2009-05-07 00:08 -------- d-----w c:\documents and settings\Ed Gomes\Application Data\Recordpad
2009-05-07 00:07 . 2009-05-07 00:07 -------- d-----w c:\program files\NCH Software
2009-05-07 00:07 . 2009-05-07 00:10 -------- d-----w c:\program files\NCH Swift Sound
2009-05-06 01:55 . 2009-05-06 01:55 -------- d-----w c:\program files\Winamp Toolbar
2009-05-06 01:55 . 2009-05-06 01:55 -------- d-----w c:\documents and settings\All Users\Application Data\Winamp Toolbar
2009-05-05 16:49 . 2009-05-05 16:49 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2009-05-05 12:41 . 2009-05-05 12:41 -------- d-----w c:\documents and settings\Ed Gomes\Local Settings\Application Data\Cranium_Consulting_and_Cu
2009-05-05 04:15 . 2009-05-05 04:15 -------- d-----w C:\_OTListIt
2009-05-03 21:04 . 2009-05-03 21:04 -------- d-----w c:\documents and settings\Ed Gomes\Application Data\Malwarebytes
2009-05-03 21:04 . 2009-04-06 20:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-03 21:04 . 2009-04-06 20:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-03 21:04 . 2009-05-03 21:04 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-03 21:04 . 2009-05-03 21:04 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-02 23:07 . 2009-05-02 23:07 -------- d-----w c:\program files\Trend Micro
2009-05-02 13:13 . 2009-05-02 13:13 -------- d-----w C:\VundoFix Backups
2009-05-02 13:09 . 2009-05-02 13:09 77464712 ----a-w C:\SYM_REGISTRY_BACKUP.reg
2009-04-29 23:19 . 2001-08-18 03:36 5632 ----a-w c:\windows\system32\ptpusb.dll
2009-04-29 23:19 . 2008-04-13 17:45 15104 -c--a-w c:\windows\system32\dllcache\usbscan.sys
2009-04-29 23:19 . 2008-04-13 17:45 15104 ----a-w c:\windows\system32\drivers\usbscan.sys
2009-04-29 23:19 . 2008-04-13 23:12 159232 ----a-w c:\windows\system32\ptpusd.dll
2009-04-28 23:07 . 2009-05-16 20:52 -------- d-----w c:\documents and settings\Ed Gomes\Application Data\Apple Computer
2009-04-28 23:05 . 2009-04-28 23:05 -------- d-----w c:\documents and settings\All Users\Application Data\Apple
2009-04-28 23:05 . 2009-04-28 23:07 -------- d-----w c:\documents and settings\Ed Gomes\Local Settings\Application Data\Apple Computer
2009-04-27 13:21 . 2009-04-27 13:21 -------- d-----w c:\program files\MSXML 4.0
2009-04-26 23:09 . 2009-04-26 23:09 -------- d-----w c:\documents and settings\All Users\Application Data\LightScribe
2009-04-26 23:03 . 2009-04-26 23:16 -------- d-----w c:\documents and settings\Ed Gomes\Application Data\Nero
2009-04-26 22:29 . 2009-04-26 22:29 -------- d-----w c:\program files\Windows Sidebar
2009-04-26 22:11 . 2009-04-26 22:31 -------- d-----w c:\program files\Nero
2009-04-26 22:10 . 2009-04-26 22:20 -------- d-----w c:\documents and settings\All Users\Application Data\Nero
2009-04-26 22:10 . 2009-04-26 22:54 -------- d-----w c:\program files\Common Files\Nero
2009-04-26 22:09 . 2009-04-26 22:09 -------- d-----w c:\program files\Common Files\LightScribe
2009-04-26 15:29 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-26 15:29 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-26 15:29 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-26 15:29 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-26 15:29 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-26 15:29 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-26 15:29 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-26 15:29 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-26 15:29 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-26 15:28 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-26 15:28 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-24 22:31 . 2009-03-01 03:38 -------- d-----w c:\program files\Symantec AntiVirus
2009-05-19 22:42 . 2009-03-01 02:41 -------- d-----w c:\documents and settings\Ed Gomes\Application Data\uTorrent
2009-05-13 07:02 . 2009-02-28 20:53 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-05-06 02:45 . 2009-05-06 01:54 -------- d-----w c:\program files\Winamp
2009-05-06 02:14 . 2009-05-06 01:54 -------- d-----w c:\documents and settings\Ed Gomes\Application Data\Winamp
2009-04-28 23:07 . 2009-04-28 23:07 -------- d-----w c:\program files\iTunes
2009-04-28 23:07 . 2009-04-28 23:07 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-28 23:07 . 2009-04-28 23:07 -------- d-----w c:\program files\iPod
2009-04-28 23:07 . 2009-04-28 23:05 -------- d-----w c:\program files\Common Files\Apple
2009-04-28 23:07 . 2009-04-28 23:06 -------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-04-28 23:07 . 2009-02-28 21:29 -------- d-----w c:\program files\Bonjour
2009-04-28 23:06 . 2009-04-28 23:06 -------- d-----w c:\program files\QuickTime
2009-04-28 23:06 . 2009-04-28 23:06 -------- d-----w c:\program files\Apple Software Update
2009-04-12 03:02 . 2009-04-12 03:02 -------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2009-04-09 22:00 . 2009-04-09 22:00 -------- d-----w c:\program files\Xilisoft
2009-04-09 21:53 . 2009-04-09 21:50 -------- d-----w c:\program files\Common Files\AVSMedia
2009-04-09 21:53 . 2009-04-09 21:50 -------- d-----w c:\program files\AVS4YOU
2009-04-09 21:51 . 2009-04-09 21:51 -------- d-----w c:\documents and settings\Ed Gomes\Application Data\AVS4YOU
2009-04-09 21:51 . 2009-04-09 21:51 -------- d-----w c:\documents and settings\All Users\Application Data\AVS4YOU
2009-04-07 22:34 . 2009-04-07 22:34 -------- d-----w c:\documents and settings\Ed Gomes\Application Data\AdobeUM
2009-04-03 13:46 . 2009-02-28 22:16 -------- d-----w c:\program files\World of Warcraft
2009-04-02 21:29 . 2009-04-02 21:29 75048 ------w c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe
2009-03-28 04:53 . 2009-03-28 04:53 -------- d-----w c:\program files\Microsoft
2009-03-28 04:53 . 2009-03-28 04:53 -------- d-----w c:\program files\Windows Live
2009-03-28 04:53 . 2009-03-28 04:53 -------- d-----w c:\program files\Windows Live SkyDrive
2009-03-28 03:57 . 2009-03-28 03:57 -------- d-----w c:\program files\Common Files\Windows Live
2009-03-26 20:23 . 2009-04-28 23:05 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-03-26 20:23 . 2009-04-28 23:05 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-03-21 14:06 . 2004-08-04 12:00 2478080 ----a-w c:\windows\system32\ddekubro.dll
2009-03-21 14:06 . 2004-08-04 12:00 158350 ----a-w c:\windows\system32\urimopac32.dll
2009-03-21 14:06 . 2004-08-04 12:00 1265664 ----a-w c:\windows\system32\chmekpol.dll
2009-03-21 14:06 . 2004-08-04 12:00 118784 ----a-w c:\windows\system32\webidcal.dll
2009-03-21 14:06 . 2004-08-04 12:00 1175552 ----a-w c:\windows\system32\monupbro.exe
2009-03-21 14:06 . 2004-08-04 12:00 1064960 ----a-w c:\windows\system32\popagmac.dll
2009-03-19 21:32 . 2009-04-28 23:07 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-19 21:32 . 2009-03-19 21:32 23400 ------w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
2009-03-06 14:22 . 2004-08-04 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-01 05:36 . 2009-02-28 20:04 4212 ---ha-w c:\windows\system32\zllictbl.dat
2009-03-01 03:36 . 2009-02-28 20:05 69624 ----a-w c:\documents and settings\Ed Gomes\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-28 19:37 . 2009-02-28 18:24 76487 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-02-28 18:42 . 2009-02-28 18:42 319488 ----a-w c:\windows\HideWin.exe
2009-02-28 18:22 . 2009-02-28 18:22 21640 ----a-w c:\windows\system32\emptyregdb.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Google Update"="c:\documents and settings\Ed Gomes\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-02-28 133104]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2009-04-24 203928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-06-10 66680]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2004-10-06 161096]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-03 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-03 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-03 118784]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" - c:\windows\system32\HdAShCut.exe [2005-01-07 61952]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SoundMan.exe [2008-06-19 77824]
"AlcWzrd"="ALCWZRD.EXE" - c:\windows\alcwzrd.exe [2008-06-19 2808832]

c:\documents and settings\Ed Gomes\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2009-2-28 25214]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Mp4ikfat"= {06E6ED3C-78D0-4FFB-8F74-839A657D32D9} - c:\windows\system32\popagmac.dll [2009-03-21 1064960]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [10/6/2004 7:56 PM 173392]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-05-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-05-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1343024091-1214440339-682003330-1004.job
- c:\documents and settings\Ed Gomes\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-28 21:16]
.
- - - - ORPHANS REMOVED - - - -

BHO-{9E263D08-4127-4B99-9043-4FB044E6FCBC} - c:\windows\system32\870159\870159.dll
HKCU-Run-PhoneDaemon - c:\documents and settings\Ed Gomes\Desktop\iPhone_PC_Suite\PhoneDaemon.exe
HKLM-Run-90398f75 - c:\windows\system32\rutejera.dll
HKLM-Run-cpm930abce9 - c:\windows\system32\lawapuvo.dll
HKLM-Run-mokiwaneto - c:\windows\system32\zasovore.dll
SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171
IE: &Winamp Search - c:\documents and settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-24 18:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3280)
c:\program files\Windows Media Player\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\popagmac.dll
c:\program files\WinSCP\DragExt.dll
c:\windows\system32\chmekpol.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\hnetcfg.dll
c:\program files\Bonjour\mdnsNSP.dll
c:\windows\system32\maxincat\ocxabans\vgadocap.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\system32\searchindexer.exe
c:\program files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\searchfilterhost.exe
.
**************************************************************************
.
Completion time: 2009-05-24 18:36 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-24 22:35

Pre-Run: 163,259,834,368 bytes free
Post-Run: 163,174,207,488 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

280 --- E O F --- 2009-05-23 13:55

Edited by Maurice Naggar, 25 May 2009 - 12:28 PM.
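The ComboFix log above shows three of the classic signs a helper looks for: the Security Center values AntiVirusOverride, AntiVirusDisableNotify and UpdatesDisableNotify all set to 1 (and monitoring for SymantecAntiVirus switched off), a per-user IE proxy pointing at localhost:7171, and an unsigned DLL (popagmac.dll) hooked in through ShellServiceObjectDelayLoad. The following PowerShell script is an added example, not from this thread and not part of ComboFix, DDS or any tool named here: it reads those same loading points and reports anything that looks like the log. It only reads the registry and checks Authenticode signatures; it changes nothing. The helper names Get-ExePath and Test-ValidSignature are my own.

```powershell
# Added example (not from this thread): read-only triage of the loading points the
# ComboFix log above flags. Run in an elevated PowerShell; nothing is changed.
$findings = New-Object System.Collections.ArrayList

function Get-ExePath([string]$cmd) {
    # Pull the executable out of a Run-key command line: a quoted path, or the first token
    if ($cmd -match '^"([^"]+)"') { $exe = $Matches[1] } else { $exe = ($cmd -split ' ')[0] }
    if (-not [System.IO.Path]::IsPathRooted($exe)) {
        # bare names such as SOUNDMAN.EXE are resolved from the Windows directories
        foreach ($dir in @($env:windir, "$env:windir\system32")) {
            $candidate = Join-Path $dir $exe
            if (Test-Path $candidate) { return $candidate }
        }
    }
    return $exe
}

function Test-ValidSignature([string]$path) {
    # $true only for an existing file whose Authenticode signature verifies
    if (-not (Test-Path $path -PathType Leaf)) { return $false }
    return ((Get-AuthenticodeSignature -FilePath $path).Status -eq 'Valid')
}

# 1. Security Center overrides: the log shows all three set to 1, which silences the
#    "no antivirus / no updates" warnings, plus per-product monitoring switched off.
$sc = 'HKLM:\SOFTWARE\Microsoft\Security Center'
foreach ($name in 'AntiVirusOverride', 'AntiVirusDisableNotify', 'UpdatesDisableNotify') {
    $v = (Get-ItemProperty -Path $sc -Name $name -ErrorAction SilentlyContinue).$name
    if ($v -eq 1) { [void]$findings.Add("Security Center: $name = 1 (warning suppressed)") }
}
Get-ChildItem "$sc\Monitoring" -ErrorAction SilentlyContinue | ForEach-Object {
    $dm = (Get-ItemProperty $_.PSPath -Name DisableMonitoring -ErrorAction SilentlyContinue).DisableMonitoring
    if ($dm -eq 1) { [void]$findings.Add("Security Center: monitoring disabled for $($_.PSChildName)") }
}

# 2. Per-user proxy pointing back at the machine (the log shows http=localhost:7171):
#    browser traffic is being routed through a local process.
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -ErrorAction SilentlyContinue
if ($inet.ProxyServer -match 'localhost|127\.0\.0\.1') {
    [void]$findings.Add("IE ProxyServer = $($inet.ProxyServer) (ProxyEnable = $($inet.ProxyEnable))")
}

# 3. ShellServiceObjectDelayLoad: each value is a CLSID whose InprocServer32 DLL Explorer
#    loads at logon (popagmac.dll in the log). Unsigned DLLs here deserve a look.
$ssodl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad' -ErrorAction SilentlyContinue
if ($ssodl) {
    foreach ($prop in @($ssodl.PSObject.Properties)) {
        if ($prop.Name -like 'PS*') { continue }        # PSPath, PSChildName, ... are not registry values
        $server = Get-ItemProperty "HKLM:\SOFTWARE\Classes\CLSID\$($prop.Value)\InprocServer32" -ErrorAction SilentlyContinue
        if (-not $server) { continue }
        $dll = [Environment]::ExpandEnvironmentVariables([string]$server.'(default)')
        if (-not (Test-ValidSignature $dll)) { [void]$findings.Add("SSODL '$($prop.Name)' -> $dll has no valid signature") }
    }
}

# 4. Run keys in both hives: report targets that are missing or not validly signed.
foreach ($hive in 'HKLM', 'HKCU') {
    $run = Get-ItemProperty "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue
    if (-not $run) { continue }
    foreach ($prop in @($run.PSObject.Properties)) {
        if ($prop.Name -like 'PS*') { continue }
        $exe = Get-ExePath ([string]$prop.Value)
        if (-not (Test-Path $exe)) { [void]$findings.Add("$hive Run '$($prop.Name)': target missing ($exe)"); continue }
        if (-not (Test-ValidSignature $exe)) { [void]$findings.Add("$hive Run '$($prop.Name)': not validly signed ($exe)") }
    }
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings | ForEach-Object { "[!] $_" } }
```

An unsigned Run-key target is a weak signal on its own (plenty of legitimate XP-era software shipped unsigned, as several entries in this log do), so treat that list as a review queue; the Security Center overrides and the localhost proxy are the findings that should not appear on a clean machine.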


#4 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • Gender:Male
  • Location:USA
  • Local time:07:32 AM

Posted 25 May 2009 - 12:30 PM

SYSCLEAN log

/--------------------------------------------------------------\
| Trend Micro System Cleaner |
| Copyright 2006-2007, Trend Micro, Inc. |
| http://www.antivirus.com |
\--------------------------------------------------------------/


2009-05-24, 22:34:08, Auto-clean mode specified.
2009-05-24, 22:34:09, Initialized Rootkit Driver version 2.2.0.1004.
2009-05-24, 22:34:09, Running scanner "C:\Documents and Settings\Ed Gomes\Desktop\DCE\TSC.BIN"...
2009-05-24, 22:34:28, Scanner "C:\Documents and Settings\Ed Gomes\Desktop\DCE\TSC.BIN" has finished running.
2009-05-24, 22:34:28, TSC Log:


2009-05-24, 22:34:28, Running scanner "C:\Documents and Settings\Ed Gomes\Desktop\DCE\VSCANTM.BIN"...
2009-05-24, 23:56:17, Scanner "C:\Documents and Settings\Ed Gomes\Desktop\DCE\VSCANTM.BIN" has finished running.
2009-05-24, 23:56:17, VSCANTM Log:

2009-05-24, 23:56:17, Files Detected:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 5/24/2009 22:34:28
VSAPI Engine Version : 8.910-1002
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 145 (401987/401987 Patterns) (2009/05/22) (614500)

Command Line: C:\Documents and Settings\Ed Gomes\Desktop\DCE\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR C:\*.* /P=C:\Documents and Settings\Ed Gomes\Desktop\DCE\lpt$vpn.145

C:\Qoobox\Quarantine\C\WINDOWS\9129837.exe.vir [TSPY_PAPRAS.BN]
C:\Qoobox\Quarantine\C\WINDOWS\ld08.exe.vir [WORM_KOOBFACE.FN]
99662 files have been read.
99662 files have been checked.
99344 files have been scanned.
391765 files have been scanned. (including files in archived)
2 files containing viruses.
Found 2 viruses totally.
Maybe 0 viruses totally.
Stop At: 5/24/2009 23:56:17 1 hour 21 minutes 49 seconds (4908.38 seconds) has elapsed.(49.250 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2009-05-24, 23:56:17, Files Clean:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 5/24/2009 22:34:28
VSAPI Engine Version : 8.910-1002
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 145 (401987/401987 Patterns) (2009/05/22) (614500)

Command Line: C:\Documents and Settings\Ed Gomes\Desktop\DCE\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR C:\*.* /P=C:\Documents and Settings\Ed Gomes\Desktop\DCE\lpt$vpn.145

99662 files have been read.
99662 files have been checked.
99344 files have been scanned.
391765 files have been scanned. (including files in archived)
2 files containing viruses.
Found 2 viruses totally.
Maybe 0 viruses totally.
Stop At: 5/24/2009 23:56:17 1 hour 21 minutes 49 seconds (4908.38 seconds) has elapsed.(49.250 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2009-05-24, 23:56:17, Clean Fail:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 5/24/2009 22:34:28
VSAPI Engine Version : 8.910-1002
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 145 (401987/401987 Patterns) (2009/05/22) (614500)

Command Line: C:\Documents and Settings\Ed Gomes\Desktop\DCE\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR C:\*.* /P=C:\Documents and Settings\Ed Gomes\Desktop\DCE\lpt$vpn.145

99662 files have been read.
99662 files have been checked.
99344 files have been scanned.
391765 files have been scanned. (including files in archived)
2 files containing viruses.
Found 2 viruses totally.
Maybe 0 viruses totally.
Stop At: 5/24/2009 23:56:17 1 hour 21 minutes 49 seconds (4908.38 seconds) has elapsed.(49.250 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2009-05-24, 23:56:17, Running SSAPI scanner ""...
2009-05-24, 23:58:33, SSAPI Log:

SSAPI Scanner Version: 1.0.1003
SSAPI Engine Version: 5.2.1032
SSAPI Pattern Version: 7.73
SSAPI Anti-Rootkit Version: 2.2.0.1004

Spyware Scan Started: 05/24/2009 23:56:21

MBAM log
Malwarebytes' Anti-Malware 1.36
Database version: 2071
Windows 5.1.2600 Service Pack 3

5/25/2009 9:39:39 AM
mbam-log-2009-05-25 (09-39-39).txt

Scan type: Quick Scan
Objects scanned: 81786
Time elapsed: 2 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\9g2234wesdf3dfgjf23 (Trojan.KoobFace) -> Quarantined and deleted successfully.

Rapport.txt
SmitFraudFix v2.417

Scan done at 9:48:35.12, Mon 05/25/2009
Run from C:\Documents and Settings\Ed Gomes\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


hosts

127.0.0.1 localhost

VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files


IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Agent.OMZ.Fix

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


RK


DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{536D5F42-35BB-4863-ABE9-543AC1EA7E93}: DhcpNameServer=12.127.16.67 12.127.17.71
HKLM\SYSTEM\CS2\Services\Tcpip\..\{536D5F42-35BB-4863-ABE9-543AC1EA7E93}: DhcpNameServer=12.127.16.67 12.127.17.71
HKLM\SYSTEM\CS3\Services\Tcpip\..\{536D5F42-35BB-4863-ABE9-543AC1EA7E93}: DhcpNameServer=24.93.41.127 24.93.41.128
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=12.127.16.67 12.127.17.71
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=12.127.16.67 12.127.17.71
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=24.93.41.127 24.93.41.128


Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

"System"=""


RK.2



Registry Cleaning

Registry Cleaning done.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

End
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#5 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • Gender:Male
  • Location:USA
  • Local time:07:32 AM

Posted 25 May 2009 - 01:01 PM

Hello edjogo2,

If you do not already have OTListIt2 on this system (though I think you do), then get it.
Download OTListIt by OldTimer to your desktop: http://oldtimer.geekstogo.com/OTListIt2.exe
  • Please double-click OTListIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy all the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :OTLI
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    
    :files
    c:\windows\sto453148.dat
    c:\windows\sto452730.dat
    c:\windows\sto453250.dat
    c:\windows\system32\418323888.dat
    c:\windows\9129837.exe
    c:\windows\ld08.exe
    c:\windows\st_1242773037.exe
    c:\windows\st_1242791486.exe
    c:\windows\9g2234wesdf3dfgjf23
    c:\windows\pp10.exe
    c:\windows\new_drv.sys 
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [reboot]
  • Return to OTListIt2. Right-click in the "Custom Scans/Fixes" window (under the aqua-blue bar) and choose Paste.
  • Close any browser(s) windows that may be open.
  • Using your mouse, click on the red-lettered button Run Fix.
  • Once you see a message box "Fix complete! Click OK to open the fix log."
    Click the OK button
  • The log will open in Notepad (your default text editor).
  • Save the log. Post a copy of that log in your next reply.
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTListIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Download this INF repair file by MS-MVP Miekiemoes: http://users.telenet.be/bluepatchy/miekiem...orepolicies.zip
Unzip the download. Open the folder VArestorepolicies and Right-click the file inside, VArestorepolicies.INF and choose Install.

Delete the download, the unzipped folder and all contents.

Download to your Desktop FixPolicies.exe, by Bill Castner, MS-MVP, a self-extracting ZIP archive from
>>> here <<<
  • Double-click FixPolicies.exe.
  • Click the "Install" button on the bottom toolbar of the box that will open.
  • The program will create a new Folder called FixPolicies.
  • Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
  • A black box will briefly appear and then close.
  • This fix may prove temporary. Active malware may revert these changes at your next startup. You can safely run the utility again.
Plug in your Flash-thumb-USB drives so that some of the following utilities will find them.
I'm going to have you get and run two utilities.
The first stops automatic use of the AutoRun feature of XP. The second will write to any connected devices a Read-only, System protected Autorun.inf file on all of your hard drives, and all connected removable storage devices.

Download and Install Microsoft's TweakUI:
http://www.microsoft.com/windowsxp/downloa...ppowertoys.mspx
Obtain and install TweakUI (part of the PowerToys for Windows XP package), and then start TweakUI.
Expand the My Computer branch, then the AutoPlay branch, and then select Drives.
Turn off the checkbox next to every drive letter to disable AutoPlay -- except your CD/DVD drive letters.

Download and run "Flash Drive Disinfector" by sUBs. It will do a cleanup of removable storage devices, and write a protected Autorun.inf file to help prevent re-infection.
http://download.bleepingcomputer.com/sUBs/...Disinfector.exe
There is no GUI interface or log file produced.

Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:
  • Double-click on cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
  • Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan tab" and UNcheck "Heuristic analysis"
  • Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
  • Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
  • When done, a message will be displayed at the bottom advising if any viruses were found.
  • Click "Yes to all" if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable". (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
  • Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)
Reply with a copy of the OTListIt2 MovedFiles log
and the DrWeb-CureIt report
and tell me: how is your system now?
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)
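The two AutoRun defences Maurice describes above (switch AutoPlay off for every drive letter, then occupy the Autorun.inf name on each drive with a read-only, system-protected item) can also be done by hand. The PowerShell below is an added example, not TweakUI and not sUBs' Flash Drive Disinfector, and it may differ in detail from what those tools do. It assumes an elevated PowerShell session with the USB drives plugged in; the function name Protect-AutorunInf and the Autorun.inf.suspect rename are my own choices.

```powershell
# Added example (not TweakUI and not sUBs' Flash Drive Disinfector): the two defences
# described above, done by hand. Run in an elevated PowerShell with the USB sticks plugged in.

# 1. Disable AutoRun for every drive type (0xFF = all types) through the documented
#    NoDriveTypeAutoRun policy value, in both hives. TweakUI's per-drive-letter checkboxes
#    edit the sibling NoDriveAutoRun bitmask instead; either one stops the autorun.inf
#    from being acted on.
foreach ($hive in 'HKLM', 'HKCU') {
    $pol = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    if (-not (Test-Path $pol)) { New-Item -Path $pol -Force | Out-Null }
    Set-ItemProperty -Path $pol -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
}

# 2. Occupy the Autorun.inf name on each drive with a read-only, hidden, system FOLDER,
#    so a worm that tries to drop an Autorun.inf FILE there fails. An existing file of that
#    name is moved aside, not deleted, so it can be inspected or submitted.
function Protect-AutorunInf([string]$root) {
    $target = Join-Path $root 'Autorun.inf'
    if (Test-Path $target -PathType Leaf) {
        Move-Item -Path $target -Destination (Join-Path $root 'Autorun.inf.suspect') -Force
    }
    if (-not (Test-Path $target -PathType Container)) {
        New-Item -ItemType Directory -Path $target | Out-Null
    }
    # -Force is needed to get hold of a hidden item; the attribute string converts to FileAttributes
    (Get-Item $target -Force).Attributes = 'ReadOnly, Hidden, System, Directory'
    return $target
}

# Win32_LogicalDisk DriveType: 2 = removable, 3 = local fixed disk
Get-WmiObject Win32_LogicalDisk |
    Where-Object { $_.DriveType -eq 2 -or $_.DriveType -eq 3 } |
    ForEach-Object { 'Protected: ' + (Protect-AutorunInf ($_.DeviceID + '\')) }
```

Two caveats. Windows XP of this era only honoured NoDriveTypeAutoRun fully after Microsoft's KB967715 update, so on an unpatched XP machine the registry change alone is not enough and the Autorun.inf folder trick is what actually does the work. And, as Maurice notes for FixPolicies, active malware can undo registry changes at the next start, so re-check both settings after the cleanup is finished.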

#6 edjogo2

edjogo2
  • Topic Starter

  • Members
  • 11 posts
  • Local time:06:32 AM

Posted 25 May 2009 - 03:42 PM

Hello, here is my OTListIt log:

========== OTLISTIT ==========
Process explorer.exe killed successfully!
========== FILES ==========
c:\windows\sto453148.dat moved successfully.
c:\windows\sto452730.dat moved successfully.
c:\windows\sto453250.dat moved successfully.
c:\windows\system32\418323888.dat moved successfully.
File\Folder c:\windows\9129837.exe not found.
File\Folder c:\windows\ld08.exe not found.
File\Folder c:\windows\st_1242773037.exe not found.
File\Folder c:\windows\st_1242791486.exe not found.
File\Folder c:\windows\9g2234wesdf3dfgjf23 not found.
File\Folder c:\windows\pp10.exe not found.
File\Folder c:\windows\new_drv.sys not found.
========== COMMANDS ==========
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
Network Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
Temp folders emptied.
Explorer started successfully

OTListIt2 by OldTimer - Version 2.0.15.3 log created on 05252009_162603

Files moved on Reboot...

Registry entries deleted on Reboot...


I do appreciate you helping me. When I was following your steps, I got to the step where you told me to "Download and run "Flash Drive Disinfector" by sUBs. It will do a cleanup of removable storage devices, and write a protected Autorun.inf file to help prevent re-infection. http://download.bleepingcomputer.com/sUBs/...Disinfector.exe
There is no GUI interface or log file produced."

When I clicked on the link, my Symantec immediately popped up with 2 virus alerts that said that they were trojan horses:
file names 6.tmp and f_000295

I stopped what I was doing and immediately replied.

#7 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • Gender:Male
  • Location:USA
  • Local time:07:32 AM

Posted 25 May 2009 - 03:55 PM

Let's have you delete all temporary files by using ATF Cleaner and then download the disinfector from the next link below.

A. Please download ATF Cleaner by Atribune, saving it to your desktop. It is used to clean out temporary files & temp areas used by internet browsers.
Start ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
ATF-Cleaner should be run per the above in every user-login account {User Profile}.

=

Temporarily disable your Symantec AV by following the directions here: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

B: Download and SAVE to your Desktop. After, run "Flash Drive Disinfector" by sUBs. It will do a cleanup of removable storage devices, and write a protected Autorun.inf file to help prevent re-infection.
http://download.bleepingcomputer.com/sUBs/...Disinfector.exe
There is no GUI interface or log file produced.

After that, re-enable your Symantec.

Next, do the other things I listed before in my earlier reply.

Edited by Maurice Naggar, 25 May 2009 - 03:57 PM.

~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#8 edjogo2

edjogo2
  • Topic Starter

  • Members
  • 11 posts

Posted 25 May 2009 - 07:48 PM

Hello. I did as you instructed. I downloaded the disinfector and also ran Dr.Web CureIt. Here is the file from Dr.Web CureIt:

popagmac.dll;c:\windows\system32;Probably WIN.MAIL.WORM.Virus;Incurable.Deleted.;
00840000.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.PWS.Haiuy.13;Deleted.;
01B00000.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.PWS.Haiuy.13;Deleted.;
01C40002.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Inject.5512;Deleted.;
01C40004.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Inject.5512;Deleted.;
01F00000.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.PWS.Haiuy.13;Deleted.;
04880000.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Virtumod.based.25;Incurable.Moved.;
04880002.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Virtumod.based.25;Incurable.Moved.;
04880004.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Virtumod.based.25;Incurable.Moved.;
04880006.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Virtumod.based.25;Incurable.Moved.;
04880008.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Virtumod.based.25;Incurable.Moved.;
0488000A.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Virtumod.based.25;Incurable.Moved.;
0488000C.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Virtumod.based.25;Incurable.Moved.;
0488000E.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Virtumod.based.25;Incurable.Moved.;
04880010.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Virtumod.based.25;Incurable.Moved.;
04880012.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Virtumod.based.25;Incurable.Moved.;
04880014.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Virtumod.based.25;Incurable.Moved.;
04880016.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Virtumod.based.25;Incurable.Moved.;
04880018.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Virtumod.based.25;Incurable.Moved.;
0488001A.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Virtumod.based.25;Incurable.Moved.;
0488001C.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Virtumod.based.25;Incurable.Moved.;
0488001E.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Virtumod.based.25;Incurable.Moved.;
04880020.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Virtumod.based.25;Incurable.Moved.;
04880022.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Virtumod.based.25;Incurable.Moved.;
04880024.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Virtumod.based.25;Incurable.Moved.;
05900000.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Win32.HLLW.Facebook.73;Deleted.;
05900001.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;BackDoor.IRC.Bot.114;Deleted.;
05900002.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.PWS.Haiuy.13;Deleted.;
0A640000.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.PWS.Haiuy.13;Deleted.;
0C140000.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Virtumod.based.25;Incurable.Moved.;
0D180000.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.PWS.Haiuy.13;Deleted.;
0D180001.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Inject.5512;Deleted.;
0E780000.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.PWS.Haiuy.13;Deleted.;
0E800000.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Win32.HLLW.Facebook.73;Deleted.;
0F8C0000.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.PWS.Haiuy.13;Deleted.;
0FA00000.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.PWS.Haiuy.13;Deleted.;
0FA00001.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Proxy.5789;Deleted.;
SmitfraudFix.exe\SmitfraudFix\Process.exe;C:\Documents and Settings\Ed Gomes\Desktop\SmitfraudFix.exe;Tool.Prockill;;
SmitfraudFix.exe\SmitfraudFix\restart.exe;C:\Documents and Settings\Ed Gomes\Desktop\SmitfraudFix.exe;Tool.ShutDown.14;;
SmitfraudFix.exe;C:\Documents and Settings\Ed Gomes\Desktop;Archive contains infected objects;Moved.;
01C40002.VBN;"C:\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\All Users\Application Data\Syma";Trojan.Inject.5512;Deleted.;
01C40004.VBN;"C:\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\All Users\Application Data\Syma";Trojan.Inject.5512;Deleted.;
01F00000.VBN;"C:\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\All Users\Application Data\Syma";Trojan.PWS.Haiuy.13;Deleted.;
04880000.VBN;"C:\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\All Users\Application Data\Syma";Trojan.Virtumod.based.25;Incurable.Moved.;
04880002.VBN;"C:\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\All Users\Application Data\Syma";Trojan.Virtumod.based.25;Incurable.Moved.;
04880004.VBN;"C:\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\All Users\Application Data\Syma";Trojan.Virtumod.based.25;Incurable.Moved.;
04880006.VBN;"C:\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\All Users\Application Data\Syma";Trojan.Virtumod.based.25;Incurable.Moved.;
04880008.VBN;"C:\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\All Users\Application Data\Syma";Trojan.Virtumod.based.25;Incurable.Moved.;
0488000A.VBN;"C:\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\All Users\Application Data\Syma";Trojan.Virtumod.based.25;Incurable.Moved.;
0488000C.VBN;"C:\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\All Users\Application Data\Syma";Trojan.Virtumod.based.25;Incurable.Moved.;
0488000E.VBN;"C:\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\All Users\Application Data\Syma";Trojan.Virtumod.based.25;Incurable.Moved.;
04880010.VBN;"C:\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\All Users\Application Data\Syma";Trojan.Virtumod.based.25;Incurable.Moved.;
04880012.VBN;"C:\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\All Users\Application Data\Syma";Trojan.Virtumod.based.25;Incurable.Moved.;
04880014.VBN;"C:\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\All Users\Application Data\Syma";Trojan.Virtumod.based.25;Incurable.Moved.;
04880016.VBN;"C:\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\All Users\Application Data\Syma";Trojan.Virtumod.based.25;Incurable.Moved.;
04880018.VBN;"C:\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\All Users\Application Data\Syma";Trojan.Virtumod.based.25;Incurable.Moved.;
0488001A.VBN;"C:\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\All Users\Application Data\Syma";Trojan.Virtumod.based.25;Incurable.Moved.;
0488001C.VBN;"C:\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\All Users\Application Data\Syma";Trojan.Virtumod.based.25;Incurable.Moved.;
0488001E.VBN;"C:\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\All Users\Application Data\Syma";Trojan.Virtumod.based.25;Incurable.Moved.;
04880020.VBN;"C:\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\All Users\Application Data\Syma";Trojan.Virtumod.based.25;Incurable.Moved.;
04880022.VBN;"C:\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\All Users\Application Data\Syma";Trojan.Virtumod.based.25;Incurable.Moved.;
04880024.VBN;"C:\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\All Users\Application Data\Syma";Trojan.Virtumod.based.25;Incurable.Moved.;
0A640000.VBN;"C:\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\All Users\Application Data\Syma";Trojan.PWS.Haiuy.13;Deleted.;
0C140000.VBN;"C:\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\All Users\Application Data\Syma";Trojan.Virtumod.based.25;Incurable.Moved.;
0D180000.VBN;"C:\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\All Users\Application Data\Syma";Trojan.PWS.Haiuy.13;Deleted.;
0D180001.VBN;"C:\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\All Users\Application Data\Syma";Trojan.Inject.5512;Deleted.;
0E780000.VBN;"C:\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\All Users\Application Data\Syma";Trojan.PWS.Haiuy.13;Deleted.;
0F8C0000.VBN;"C:\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\All Users\Application Data\Syma";Trojan.PWS.Haiuy.13;Deleted.;
0FA00000.VBN;"C:\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\All Users\Application Data\Syma";Trojan.PWS.Haiuy.13;Deleted.;
0FA00001.VBN;"C:\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\All Users\Application Data\Syma";Trojan.Proxy.5789;Deleted.;


I do want you to know that when I rebooted, I got a virus pop up saying that the disinfector was a trojan horse, and it immediately moved it to quarantine.

What should I do?

#9 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • Gender:Male
  • Location:USA

Posted 26 May 2009 - 04:46 PM

Which program "flagged" the disinfector utility? We'll go ahead & proceed to have you do an online scan, see the results, then advise me as to how the system is doing.

Scan the system with the Kaspersky Online Scanner
http://www.kaspersky.com/virusscanner

Attention: Kaspersky Online Scanner 7.0 may not run successfully while another antivirus program is running. If you have Anti-Virus software installed, please temporarily disable your AV protection before running the Kaspersky Online Scanner. Re-enable it after the scan is finished.

During this run, make sure your browser does not block popup windows. Have patience while some screens populate.

1) Click the Kaspersky Online Scanner button. You'll see a popup window.
2) Accept the agreement
3) Accept the installation of the required ActiveX object ( XP SP2-SP3 will show this in the Information Bar )
4) For XP SP2-SP3, click the Install button when prompted
5) The necessary files will be downloaded and installed. Please have plenty of patience.
6) After Kaspersky AntiVirus Database is updated, look at the Scan box.
7) Click the My Computer line
8) Be infinitely patient; the scan is comprehensive and, unlike other online antivirus scanners, will detect all malware.

9) When the scan is completed there will be an option to Save report as a .txt file. Click that button. Copy and paste the report into your reply.

( To see an animated tutorial-how-to on the scan, see >>this link<<)

Re-enable your antivirus program after Kaspersky has finished.
Kaspersky Online Scanner can be uninstalled later on from Add or Remove Programs in the Control Panel, if desired.

Do not be alarmed if Kaspersky tags items that are already in quarantine by MBAM, or SmitFraudFix items, or ComboFix's Qoobox & quarantine.
Kaspersky is a report only and does not remove files.

Post back with copies of the Kaspersky.txt report.
How is your system now?
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#10 edjogo2

edjogo2
  • Topic Starter

  • Members
  • 11 posts

Posted 28 May 2009 - 01:33 PM

The antivirus that I am using right now is Symantec Antivirus Corporate Edition v 9.0.2.1000

The results from Kaspersky Online scan are:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Thursday, May 28, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Thursday, May 28, 2009 13:07:16
Records in database: 2264960
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan statistics:
Files scanned: 103106
Threat name: 8
Infected objects: 72
Suspicious objects: 0
Duration of the scan: 04:19:59


File name / Threat name / Threats count
C:\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01C40002.VBN Infected: Backdoor.Win32.Zdoogu.dn 1
C:\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01C40004.VBN Infected: Backdoor.Win32.Zdoogu.dn 1
C:\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01F00000.VBN Infected: Rootkit.Win32.Agent.ex 1
C:\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04880000.VBN Infected: Trojan.Win32.Stuh.fkb 1
C:\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04880002.VBN Infected: Trojan.Win32.Stuh.fkb 1
C:\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04880004.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04880006.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04880008.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0488000A.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0488000C.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0488000E.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04880010.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04880012.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04880014.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04880016.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04880018.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0488001A.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0488001C.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0488001E.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04880020.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04880022.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04880024.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A640000.VBN Infected: Rootkit.Win32.Agent.ex 1
C:\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C140000.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D180000.VBN Infected: Rootkit.Win32.Agent.ex 1
C:\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D180001.VBN Infected: Backdoor.Win32.Zdoogu.dm 1
C:\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E780000.VBN Infected: Rootkit.Win32.Agent.ex 1
C:\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F8C0000.VBN Infected: Rootkit.Win32.Agent.ex 1
C:\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0FA00000.VBN Infected: Rootkit.Win32.Agent.ex 1
C:\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0FA00001.VBN Infected: Trojan-Proxy.Win32.Agent.bnq 1
C:\Documents and Settings\Ed Gomes\DoctorWeb\Quarantine\04880000.VBN Infected: Trojan.Win32.Stuh.fkb 1
C:\Documents and Settings\Ed Gomes\DoctorWeb\Quarantine\04880001.VBN Infected: Trojan.Win32.Stuh.fkb 1
C:\Documents and Settings\Ed Gomes\DoctorWeb\Quarantine\04880002.VBN Infected: Trojan.Win32.Stuh.fkb 1
C:\Documents and Settings\Ed Gomes\DoctorWeb\Quarantine\04880003.VBN Infected: Trojan.Win32.Stuh.fkb 1
C:\Documents and Settings\Ed Gomes\DoctorWeb\Quarantine\04880004.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\Ed Gomes\DoctorWeb\Quarantine\04880005.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\Ed Gomes\DoctorWeb\Quarantine\04880006.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\Ed Gomes\DoctorWeb\Quarantine\04880007.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\Ed Gomes\DoctorWeb\Quarantine\04880008.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\Ed Gomes\DoctorWeb\Quarantine\04880009.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\Ed Gomes\DoctorWeb\Quarantine\0488000A.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\Ed Gomes\DoctorWeb\Quarantine\0488000C.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\Ed Gomes\DoctorWeb\Quarantine\0488000E.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\Ed Gomes\DoctorWeb\Quarantine\04880010.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\Ed Gomes\DoctorWeb\Quarantine\04880011.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\Ed Gomes\DoctorWeb\Quarantine\04880012.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\Ed Gomes\DoctorWeb\Quarantine\04880013.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\Ed Gomes\DoctorWeb\Quarantine\04880014.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\Ed Gomes\DoctorWeb\Quarantine\04880015.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\Ed Gomes\DoctorWeb\Quarantine\04880016.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\Ed Gomes\DoctorWeb\Quarantine\04880017.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\Ed Gomes\DoctorWeb\Quarantine\04880018.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\Ed Gomes\DoctorWeb\Quarantine\04880019.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\Ed Gomes\DoctorWeb\Quarantine\0488001A.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\Ed Gomes\DoctorWeb\Quarantine\0488001C.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\Ed Gomes\DoctorWeb\Quarantine\0488001E.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\Ed Gomes\DoctorWeb\Quarantine\04880020.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\Ed Gomes\DoctorWeb\Quarantine\04880021.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\Ed Gomes\DoctorWeb\Quarantine\04880022.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\Ed Gomes\DoctorWeb\Quarantine\04880023.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\Ed Gomes\DoctorWeb\Quarantine\04880024.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\Ed Gomes\DoctorWeb\Quarantine\04880025.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\Ed Gomes\DoctorWeb\Quarantine\04880029.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\Ed Gomes\DoctorWeb\Quarantine\04880039.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\Ed Gomes\DoctorWeb\Quarantine\04880049.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\Ed Gomes\DoctorWeb\Quarantine\04880059.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\Ed Gomes\DoctorWeb\Quarantine\04880069.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\Ed Gomes\DoctorWeb\Quarantine\04880079.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\Ed Gomes\DoctorWeb\Quarantine\0C140000.VBN Infected: Packed.Win32.Krap.p 1
C:\Documents and Settings\Ed Gomes\DoctorWeb\Quarantine\0C140001.VBN Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\121973\121973.dll.vir Infected: Trojan-Downloader.Win32.BHO.mip 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\SYSDLL.exe.vir Infected: Trojan.Win32.Agent2.jvx 1

The selected area was scanned.

thanks again for the help.
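One way to do the triage the helper performs on a report like the one above (is each hit a live file, or an object already sitting in some tool's quarantine?), as an added Python example that is not from the thread or any of the tools it mentions. The sample lines are constructed to match the two report formats pasted in this thread; `example_live.dll` is a made-up name, and the quarantine folder names are the ones the thread itself shows.

```python
"""Triage pasted scanner reports: live file or already-quarantined object?

Added example (not from the thread).  Handles the two formats pasted above:
  * Dr.Web CureIt:   name;directory;threat;action;   (directory may be quoted
    and contain ';', as in the backup folder "C 2009-05-22 18;59;48")
  * Kaspersky Online Scanner 7.0:   <path> Infected: <threat> <count>
"""
import csv
import io
import re
from dataclasses import dataclass

# Quarantine folders named in the thread; matched case-insensitively.
QUARANTINE_MARKERS = (
    r"\Symantec AntiVirus Corporate Edition\7.5\Quarantine",
    r"\DoctorWeb\Quarantine",
    r"\Qoobox\Quarantine",
)


@dataclass(frozen=True)
class Hit:
    path: str    # full path of the flagged object
    threat: str  # scanner's detection name
    source: str  # "drweb" or "kaspersky"

    @property
    def quarantined(self) -> bool:
        # .VBN files are Symantec's quarantine containers, so they count even
        # where Dr.Web truncated the directory (the "...\Syma" entries above).
        p = self.path.lower()
        return p.endswith(".vbn") or any(m.lower() in p for m in QUARANTINE_MARKERS)


_KASPERSKY = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")


def parse_kaspersky(line: str):
    """Parse one Kaspersky report line, or return None if it is not one."""
    m = _KASPERSKY.match(line.strip())
    return Hit(m["path"], m["threat"], "kaspersky") if m else None


def parse_drweb(line: str):
    """Parse one Dr.Web CureIt line, or return None if it is not one."""
    # csv handles the quoted directory field that itself contains ';'.
    row = next(csv.reader(io.StringIO(line.strip()), delimiter=";", quotechar='"'))
    if len(row) < 3 or not row[0] or not row[1]:
        return None
    name, directory, threat = row[0], row[1].rstrip("\\"), row[2]
    parts = name.split("\\")
    if len(parts) > 1 and directory.lower().endswith("\\" + parts[0].lower()):
        # Archive member (archive\inner\file): the directory column already
        # names the archive, so do not repeat the archive file name.
        name = "\\".join(parts[1:])
    return Hit(f"{directory}\\{name}", threat, "drweb")


def triage(lines):
    """Split report lines into hits inside a quarantine and hits on live paths."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        hit = parse_kaspersky(line) or parse_drweb(line)
        if hit is not None:
            hits.append(hit)
    return {
        "quarantined": [h for h in hits if h.quarantined],
        "live": [h for h in hits if not h.quarantined],
    }


# Constructed sample mixing both formats; example_live.dll is a made-up name
# standing in for a detection outside any quarantine folder.
SAMPLE_REPORT = r"""
popagmac.dll;c:\windows\system32;Probably WIN.MAIL.WORM.Virus;Incurable.Deleted.;
01C40002.VBN;"C:\Documents and Settings\Ed Gomes\Desktop\back up\C 2009-05-22 18;59;48\Documents and Settings\All Users\Application Data\Syma";Trojan.Inject.5512;Deleted.;
SmitfraudFix.exe\SmitfraudFix\Process.exe;C:\Documents and Settings\Ed Gomes\Desktop\SmitfraudFix.exe;Tool.Prockill;;
C:\Documents and Settings\Ed Gomes\DoctorWeb\Quarantine\04880000.VBN Infected: Trojan.Win32.Stuh.fkb 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\SYSDLL.exe.vir Infected: Trojan.Win32.Agent2.jvx 1
C:\WINDOWS\system32\example_live.dll Infected: Example.Threat 1
"""

if __name__ == "__main__":
    result = triage(SAMPLE_REPORT.splitlines())
    for bucket, hits in result.items():
        print(f"{bucket}: {len(hits)}")
        for h in hits:
            print(f"  [{h.source}] {h.threat}  {h.path}")
```

Anything landing in the "live" bucket is what still needs attention; the "quarantined" bucket is the situation the helper describes, detections that only re-flag another tool's quarantine store.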

#11 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • Gender:Male
  • Location:USA

Posted 30 May 2009 - 07:04 AM

The last scan was very good. All items tagged are already in prior quarantine.
Let's have you run 1 more utility and then we should be ready to wrap this up.

Please download VundoFix to your desktop.
  • Double-click VundoFix.exe to run it. If using Windows Vista be sure to Run As Administrator.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the 'Fix Vundo' button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot. Follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.

Tell me, how is your system now?
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#12 edjogo2

edjogo2
  • Topic Starter

  • Members
  • 11 posts

Posted 30 May 2009 - 01:57 PM

I downloaded the VundoFix file and ran it, but when it was done running, it said that it could not find any infected files.

#13 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • Gender:Male
  • Location:USA

Posted 30 May 2009 - 03:18 PM

You are good to go after these steps.
Clear out the quarantined items in the Symantec AV quarantine: start Symantec, navigate to the quarantine module, and have it remove permanently (delete) the items.

Unless you have purchased Malwarebytes' Anti Malware {MBAM}, you need to un-install it. Go to Control Panel and Add-or-Remove programs.
Look for it and click the line for it. Select Change/Remove to de-install it.
Do the same for Kaspersky online scanner.
OK & Exit out of Control Panel

I see that you are clear of your original issues.
If you have a problem with these steps, or something does not quite work here, do let me know.

The following few steps will remove tools we used; followed by advice on staying safer.

We have to remove Combofix and all its associated folders. By whichever name you named it (you had named it combo-fix), put that name in the RUN box stated just below.
The "/u" in the Run line below is to start Combofix for its cleanup & removal function.
Note the space after x and before the slash mark.
The utility must be removed to prevent any un-intentional or accidental usage, PLUS, to free up much space on your hard disk.
  • Click Start, then click Run.
    In the command box that opens, type or copy/paste combo-fix /u and then click OK.
  • Please double-click OTListIt2.exe to run it.
  • Click on the CleanUp! button. When you do this a text file named cleanup.txt will be downloaded from the internet. If you get a warning from your firewall or other security programs regarding OTListIt2 attempting to contact the internet you should allow it to do so. After the list has been download you'll be asked if you want to Begin cleanup process? Select Yes.
  • This step removes the files, folders, and shortcuts created by the tools I had you download and run.
We are finished here. Best regards.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)
