Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

ESET nod32 - Win32/Spy.Ursnif.A virus


  • Please log in to reply
15 replies to this topic

#1 watz

watz

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:11:21 AM

Posted 29 August 2009 - 08:26 AM

Referred from: http://www.bleepingcomputer.com/forums/t/250692/win32spyursnifa-virus-found-by-eset-nod32/ ~ OB

Per the advice of friendly Computer Masochist, Garmanma I am posting a DDS/HJT log. Thank you.


DDS (Ver_09-07-30.01) - NTFSx86
Run by Amanda M. Watson at 7:59:53.98 on Sat 08/29/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.554 [GMT -4:00]

AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

C:\Program Files\Common Files\Virtual Token\vtserver.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Cobian Backup 8\Cobian.exe
C:\Program Files\Cobian Backup 8\cbInterface.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Amanda M. Watson\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol\aol toolbar 2.0\aoltb.dll
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
mWinlogon: SFCDisable=-99 (0xffffff9d)
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat

7.0\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: AOL Toolbar Launcher: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol\aol toolbar 2.0\aoltb.dll
BHO: Viewpoint Toolbar BHO: {a7327c09-b521-4edb-8509-7d2660c9ec98} - c:\program files\viewpoint\viewpoint

toolbar\ViewBarBHO.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program

files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} -

c:\progra~1\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aol toolbar 2.0\aoltb.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [ibmmessages] c:\program files\ibm\messages by ibm\ibmmessages.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
mRun: [TpShocks] TpShocks.exe
mRun: [TPHOTKEY] c:\progra~1\thinkpad\pkgmgr\hotkey\TPHKMGR.exe
mRun: [ControlCenter] "c:\program files\ibm fingerprint software\ctlcntr.exe" /startup
mRun: [TP4EX] tp4ex.exe
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [UC_Start] c:\program files\ibm\updater\\ucstartup.exe
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ibmmessages] c:\program files\ibm\messages by ibm\\ibmmessages.exe
mRun: [IBMPRC] c:\ibmtools\utils\ibmprc.exe
mRun: [QCWLICON] c:\program files\thinkpad\connectutilities\QCWLICON.EXE
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe
mRun: [HP Software Update] c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop elements 4.0\apdproxy.exe"
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat

7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-us\local\search.html
IE: &Viewpoint Search - c:\program files\viewpoint\viewpoint toolbar\ViewBar.dll/CXTSEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aol toolbar

2.0\aoltb.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} -

c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: bingonet.net\www
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} -

hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} -
DPF: {74E4A24D-5224-4F05-8A41-99445E0FC22B} -

hxxp://aolsvc.aol.com/onlinegames/free-trial-big-island-blends/gamehouseplayer.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} -

hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} -

hxxp://myspace.oberon-media.com/gameshell/games/channel--110343720/lc--en/room--173b264b-186b-4cbc-ad18-0d9ff96e4e5c/online/D

iner_Dash_3/en/ddfotg.1.0.0.37.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} - hxxp://games.myspace.com/Gameshell/GameHost/1.0/OberonGameHost.cab
DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} - hxxp://merope.canisius.edu:8080/symantec/SAV/SAV1014/WebInst/webinst.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: psfus - c:\program files\ibm fingerprint software\psfus.dll
Notify: QConGina - QConGina.dll
Notify: tphotkey - tphklock.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, msansspc.dll
LSA: Notification Packages = scecli pwdmon

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\amanda~1.wat\applic~1\mozilla\firefox\profiles\cqft7k15.default\
FF - prefs.js: browser.search.selectedEngine - Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\mozilla firefox\plugins\npmidas.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npWTHost.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla

firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla

firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla

firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [2005-7-29 59776]
R0 TPDiskPM;TPDiskPM;c:\windows\system32\drivers\TPDiskPM.sys [2005-7-29 14208]
R1 ANC;ANC;c:\windows\system32\drivers\ANC.sys [2005-7-29 11520]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-6-10 34312]
R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.SYS [2005-7-29 2432]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-8-5 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-8-5 74480]
R1 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [2005-7-29 4608]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [2005-7-29 4442]
R2 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2007-10-29 587096]
R2 ekrn;Eset Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2008-6-10 468224]
R2 ibmfilter;ibmfilter;c:\windows\system32\drivers\ibmfilter.sys [2004-12-16 63616]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-1-10

24652]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 TPInput;TPInput;c:\windows\system32\drivers\TPInput.sys [2005-7-29 6016]
S3 QCNDISIF;QCNDISIF;c:\windows\system32\drivers\qcndisif.sys [2005-7-29 12288]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-8-5 7408]

=============== Created Last 30 ================

2009-08-28 06:30 --d----- c:\program files\Cobian Backup 8
2009-08-23 19:32 --d----- c:\documents and settings\amanda m. watson\DoctorWeb
2009-08-22 19:19 --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-08-22 19:18 --d----- c:\program files\SUPERAntiSpyware
2009-08-22 19:18 --d----- c:\docume~1\amanda~1.wat\applic~1\SUPERAntiSpyware.com
2009-08-20 14:10 1,089,593 -------- c:\windows\system32\dllcache\ntprint.cat
2009-08-19 00:30 --d----- c:\windows\system32\XPSViewer
2009-08-19 00:29 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-08-19 00:29 1,676,288 -------- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-19 00:29 597,504 -------- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-19 00:29 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-08-19 00:29 575,488 -------- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-19 00:29 117,760 -------- c:\windows\system32\prntvpt.dll
2009-08-19 00:29 89,088 -------- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-19 00:29 --d----- C:\c4bbeb632ab9e2b45e62379293
2009-08-19 00:29 --d----- c:\windows\SxsCaPendDel
2009-08-19 00:24 221,184 -------- c:\windows\system32\wmpns.dll
2009-08-18 20:36 128,512 -------- c:\windows\system32\dllcache\dhtmled.ocx
2009-08-18 20:36 1,315,328 -------- c:\windows\system32\dllcache\msoe.dll

==================== Find3M ====================

2009-08-05 05:01 204,800 -------- c:\windows\system32\mswebdvd.dll
2009-08-05 05:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-03 13:36 38,160 -------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 13:36 19,096 -------- c:\windows\system32\drivers\mbam.sys
2009-07-19 09:33 3,597,824 -------- c:\windows\system32\dllcache\mshtml.dll
2009-07-19 09:32 6,067,200 -------- c:\windows\system32\dllcache\ieframe.dll
2009-07-17 15:01 58,880 -------- c:\windows\system32\dllcache\atl.dll
2009-07-17 15:01 58,880 -------- c:\windows\system32\atl.dll
2009-07-13 10:08 286,720 -------- c:\windows\system32\wmpdxm.dll
2009-07-13 10:08 286,720 -------- c:\windows\system32\dllcache\wmpdxm.dll
2009-07-13 10:08 5,537,792 -------- c:\windows\system32\dllcache\wmp.dll
2009-06-29 07:07 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-06-29 07:07 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-06-29 04:35 634,632 -------- c:\windows\system32\dllcache\iexplore.exe
2009-06-29 04:33 2,452,872 -------- c:\windows\system32\dllcache\ieapfltr.dat
2009-06-29 04:33 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2009-06-16 10:36 119,808 -------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 10:36 81,920 -------- c:\windows\system32\fontsub.dll
2009-06-16 10:36 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
2009-06-12 08:31 80,896 -------- c:\windows\system32\tlntsess.exe
2009-06-12 08:31 80,896 -------- c:\windows\system32\dllcache\tlntsess.exe
2009-06-12 08:31 76,288 -------- c:\windows\system32\telnet.exe
2009-06-12 08:31 76,288 -------- c:\windows\system32\dllcache\telnet.exe
2009-06-10 10:13 84,992 -------- c:\windows\system32\dllcache\avifil32.dll
2009-06-10 10:13 84,992 -------- c:\windows\system32\avifil32.dll
2009-06-10 09:19 2,066,432 -------- c:\windows\system32\mstscax.dll
2009-06-10 09:19 2,066,432 -------- c:\windows\system32\dllcache\mstscax.dll
2009-06-10 02:14 132,096 -------- c:\windows\system32\wkssvc.dll
2009-06-10 02:14 132,096 -------- c:\windows\system32\dllcache\wkssvc.dll
2009-06-03 15:09 1,291,264 -------- c:\windows\system32\quartz.dll
2009-06-03 15:09 1,291,264 -------- c:\windows\system32\dllcache\quartz.dll
2008-03-26 18:03 0 -------- c:\program files\temp01
2008-10-22 21:39 32,768 ---sh--- c:\windows\system32\config\systemprofile\local

settings\history\history.ie5\mshist012008102320081024\index.dat

============= FINISH: 8:00:08.45 ===============

The DDS/HJT attach log, zipped, has been attached.
Next I'll attach the Rootrepeal log. When I started Rootrepeal an error message came up "error - invalid PE image found!".
I clicked ok and proceeded with the scan.
Here is the log.

ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/08/29 08:22
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF190D000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B94000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB761F000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\RRUbackups
Status: Locked to the Windows API!

Path: \\?\C:\RRUbackups\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRUbackups\Documents and Settings
Status: Invisible to the Windows API!

Path: C:\RRUbackups\hints.dat
Status: Invisible to the Windows API!

Path: C:\RRUbackups\pu.dat
Status: Invisible to the Windows API!

Path: C:\RRUbackups\SAM
Status: Invisible to the Windows API!

Path: C:\RRUbackups\system
Status: Invisible to the Windows API!

Path: C:\RRUbackups\system.dat
Status: Invisible to the Windows API!

Path: \\?\C:\RRUbackups\Documents and Settings\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRUbackups\Documents and Settings\Amanda M. Watson
Status: Invisible to the Windows API!

Path: C:\Program Files\Yahoo! Games\Belle's Beauty Boutique\BellesBeautyBoutique.exe:{F1393A97-96D9-7127-A91C-8A796BF46E22}
Status: Visible to the Windows API, but not on disk.

Path: C:\Program Files\Yahoo! Games\Build-a-lot\BUILDA~1.EXE:{F691653C-7644-C42D-F558-81391E2D83E0}
Status: Visible to the Windows API, but not on disk.

Path: C:\Program Files\Yahoo! Games\BurgerIsland\bi.exe:{96655232-88E2-08A4-F7C9-8F2146EBA811}
Status: Visible to the Windows API, but not on disk.

Path: C:\Program Files\Yahoo! Games\Chocolatier 2 - Secret Ingredients\chocotwo.exe:{FCF8974A-1A2F-C0E3-9F92-DAA93F8B4759}
Status: Visible to the Windows API, but not on disk.

Path: C:\Program Files\Yahoo! Games\Cooking Academy\CookingAcademy.exe:{E97C8A6C-6C52-8BE4-5119-F533A4EC862E}
Status: Visible to the Windows API, but not on disk.

Path: C:\Program Files\Yahoo! Games\Dream Chronicles 2\dream2.exe:{E5DEA355-0BE8-6A7A-ABC6-708B8B57DB4C}
Status: Visible to the Windows API, but not on disk.

Path: C:\Program Files\Yahoo! Games\Jojo's Fashion Show\JojosFashionShow.exe:{ED0AED8E-48C9-7BF4-3EDC-F8093EA6DA95}
Status: Visible to the Windows API, but not on disk.

Path: \\?\C:\RRUbackups\Documents and Settings\Amanda M. Watson\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRUbackups\Documents and Settings\Amanda M. Watson\Application Data
Status: Invisible to the Windows API!

Path: C:\WINDOWS\security\logs\convert.log
Status: Visible to the Windows API, but not on disk.

Path: \\?\C:\RRUbackups\Documents and Settings\Amanda M. Watson\Application Data\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRUbackups\Documents and Settings\Amanda M. Watson\Application Data\Microsoft
Status: Invisible to the Windows API!

Path: \\?\C:\RRUbackups\Documents and Settings\Amanda M. Watson\Application Data\Microsoft\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRUbackups\Documents and Settings\Amanda M. Watson\Application Data\Microsoft\Protect
Status: Invisible to the Windows API!

Path: \\?\C:\RRUbackups\Documents and Settings\Amanda M. Watson\Application Data\Microsoft\Protect\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRUbackups\Documents and Settings\Amanda M. Watson\Application Data\Microsoft\Protect\CREDHIST
Status: Invisible to the Windows API!

Path: C:\RRUbackups\Documents and Settings\Amanda M. Watson\Application Data\Microsoft\Protect\S-1-5-21-3653999601-1449472169-1328970463-1005
Status: Invisible to the Windows API!

Path: \\?\C:\RRUbackups\Documents and Settings\Amanda M. Watson\Application Data\Microsoft\Protect\S-1-5-21-3653999601-1449472169-1328970463-1005\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRUbackups\Documents and Settings\Amanda M. Watson\Application Data\Microsoft\Protect\S-1-5-21-3653999601-1449472169-1328970463-1005\186e176c-3eb5-48a8-95e7-34763df3194b
Status: Invisible to the Windows API!

Path: C:\RRUbackups\Documents and Settings\Amanda M. Watson\Application Data\Microsoft\Protect\S-1-5-21-3653999601-1449472169-1328970463-1005\1e8ef0c4-f878-480e-9249-15514537e95c
Status: Invisible to the Windows API!

Path: C:\RRUbackups\Documents and Settings\Amanda M. Watson\Application Data\Microsoft\Protect\S-1-5-21-3653999601-1449472169-1328970463-1005\48876b3b-2767-4932-97e6-789eef9524b1
Status: Invisible to the Windows API!

Path: C:\RRUbackups\Documents and Settings\Amanda M. Watson\Application Data\Microsoft\Protect\S-1-5-21-3653999601-1449472169-1328970463-1005\4890797e-69fe-4f96-a2ad-c707d109e4bf
Status: Invisible to the Windows API!

Path: C:\RRUbackups\Documents and Settings\Amanda M. Watson\Application Data\Microsoft\Protect\S-1-5-21-3653999601-1449472169-1328970463-1005\57ec0a97-ecb3-4fe7-89c6-c02b3d3ffe01
Status: Invisible to the Windows API!

Path: C:\RRUbackups\Documents and Settings\Amanda M. Watson\Application Data\Microsoft\Protect\S-1-5-21-3653999601-1449472169-1328970463-1005\701b3a11-1c2d-4557-b5dc-91a7ee70c4ad
Status: Invisible to the Windows API!

Path: C:\RRUbackups\Documents and Settings\Amanda M. Watson\Application Data\Microsoft\Protect\S-1-5-21-3653999601-1449472169-1328970463-1005\92618a7e-2dc7-4ab4-9a18-c66825bdb67f
Status: Invisible to the Windows API!

Path: C:\RRUbackups\Documents and Settings\Amanda M. Watson\Application Data\Microsoft\Protect\S-1-5-21-3653999601-1449472169-1328970463-1005\cb41f0a2-0fd9-4084-a132-fac613b71457
Status: Invisible to the Windows API!

Path: C:\RRUbackups\Documents and Settings\Amanda M. Watson\Application Data\Microsoft\Protect\S-1-5-21-3653999601-1449472169-1328970463-1005\d6eef5a4-2f35-44b6-95e6-2e122dfaa81e
Status: Invisible to the Windows API!

Path: C:\RRUbackups\Documents and Settings\Amanda M. Watson\Application Data\Microsoft\Protect\S-1-5-21-3653999601-1449472169-1328970463-1005\e140e1cc-52c8-4a70-ad0c-c7d7f9ee09f0
Status: Invisible to the Windows API!

Path: C:\RRUbackups\Documents and Settings\Amanda M. Watson\Application Data\Microsoft\Protect\S-1-5-21-3653999601-1449472169-1328970463-1005\ff4106e1-8ae8-4d37-90b5-f7660698175a
Status: Invisible to the Windows API!

Path: C:\RRUbackups\Documents and Settings\Amanda M. Watson\Application Data\Microsoft\Protect\S-1-5-21-3653999601-1449472169-1328970463-1005\Preferred
Status: Invisible to the Windows API!

Hidden Services
-------------------
Service Name: TDSSserv.sys)
Image Path: C:\WINDOWS\system32\drivers\TDSSmqlt.sys

==EOF==

Thanks for your time and effort. Hopefully y'all can help me get this nastiness off my daughters computer.
Watz

Attached Files


Edited by Orange Blossom, 29 August 2009 - 11:45 PM.


BC AdBot (Login to Remove)

 


#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:10:21 AM

Posted 30 August 2009 - 11:30 AM

Hello! :(
My name is Sam and I will be helping you.

In order to see what's going on with your computer I'll ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.



Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of an Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 watz

watz
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:11:21 AM

Posted 30 August 2009 - 04:06 PM

Good afternoon Sam, Happy to meet you!
Thanks for your time and effort. I have attached the Combofix log file for your investigation. When I opened Internet Explorer to make this post I did not receive the "ESET threat found alert". That's a good sign. Hopefully that's that's the end of the virus. We'll see what happens.
Watz

Edit: Didn't take long for this to come up.


ESET NOD32 Threat found alert

Object: C:\System Volume Information\_restore{5D527826-05...\A0253315.exe
Threat: Win32/Spy.Ursnif.A virus
Comment: Event occurred during an attempt to access the file by the application: C:\WINDOWS\System32\svchost.exe.

Attached Files


Edited by watz, 30 August 2009 - 04:33 PM.


#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:10:21 AM

Posted 31 August 2009 - 11:12 AM

Good sign! The one file it did detect is in your system restore files. Those need to flushed out.


Flush your system restore, this will delete any restore points that you have but it will also make sure that any malware hiding in system restore will be booted off.

Turn off System Restore:
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
Restart your computer, turn it back on and create a restore point.

Create a restore point:
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check Turn off System Restore.
  • Click Apply, and then click OK.


====================



Please update Malwarebytes and run a full scan.
  • Open Malwarebytes and select the Update tab.
  • Click on the Check for Updates button and allow the program to download the latest updates.
  • Once you have the latest updates, select the Scanner tab.
  • Select "Perform full scan" and click the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.



Let me know how your computer is behaving now.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 watz

watz
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:11:21 AM

Posted 31 August 2009 - 07:25 PM

Performed system restore exercise per your directions. updated MBAM and ran full scan. The were no mailicious items found according to MBAM.

But ESET came up with 2 threats found

1st

Object:
C:\Qoobox\Quarantine\C\WINDOWS\System32\winlogon.exe.vir

Threat:
Win32/Spy.Ursnif.A virus

Comment:
Evebt occurred during an attempt to run the by the application: C:\Program Files\Malwarebytes' Anti-Malware\MBAM.exe.

2nd

Object:
C:\WINDOWS\system32\termsrv.dll
Threat and comment are the same as first message.

The computer functions except it gets the threat found alerts when an application or service starts up.
Thanks
watz

here's the log for MBAM
Malwarebytes' Anti-Malware 1.40
Database version: 2723
Windows 5.1.2600 Service Pack 3

8/31/2009 7:22:24 PM
mbam-log-2009-08-31 (19-22-24).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 184145
Time elapsed: 50 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I know it kind of feels like we're chasing our tails on this but I've got a feeling you are getting us closer to eliminating this virus from my daughters computer. Your efforts are much appreciated.

Edited by watz, 31 August 2009 - 07:46 PM.


#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:10:21 AM

Posted 01 September 2009 - 12:27 PM

They don't make it easy to remove this crap any more, that's for sure. :(

The first detection from your antivirus is a file that's already been quarantined by Combofix. So that one doesn't concern me at all. But the other one is somewhat concerning. Normally that's a system file, so I'm not sure if it's infected or just a false positive from nod32. So let's see what we can find out.

Please visit the online Jotti Virus Scanner
  • Click on Browse button.
  • Navigate to the following file and upload it.


    C:\WINDOWS\system32\termsrv.dll


  • Click on the Posted Image button.
    The scanner will check the file with various AV companies.
  • Copy and paste the results box into a reply to this thread.

If Jotti's too busy, try here:
Go here: http://www.virustotal.com/en/virustotalf.html
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#7 watz

watz
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:11:21 AM

Posted 01 September 2009 - 08:44 PM

Ok Jotti scan determined the C:\WINDOWS\system32\termsrv.dll file was empty.
Jotti's malware scan
Language:
File to scan:


Status: File is empty (0 bytes)!
Upload progress:


--------------------------------------------------------------------------------

I went into WINDOWS\system32 folder and put my cursor over the termsrv.dll file and an ESET threat found alert popped up
object: C:\WINDOWS\system32\termsrv.dll
Threat: Win32/Spy.Ursnif.A virus
comment: Event occurred during an attempt to run the file by the application: C:\WINDOWS\Explorer.exe

When I put my cursor over the icon the file information states that the file was created 8/9/2004 at 1:51pm and it's 288KB.
There isn't a description, company or file version listed in the information box. In the properties there is only one tab "general". No version or summary tabs.

There is a file next to it named termsrv.old so I clicked on the properties and all three tabs are there and it looks normal like the termsrv.dll on my good desktop pc. It looks like maybe the good termsrv.dll file was renamed "termsrv.OLD" and replaced with a rogue termsrv.dll file.

I am stuffing my temptations in my back pocket.
Strangely this interests me to no end. I just wonder about the thoughts and brain storming that takes place trying to troubleshoot and repair these operating systems.

Thank you
watz

Edited by watz, 01 September 2009 - 09:04 PM.


#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:10:21 AM

Posted 02 September 2009 - 12:18 PM

I know what you're thinking and you've got the right idea. But first let's confirm that the termsrv.OLD file is clean. Please submit it to Jotti to be scanned. If it comes back clean, rename the infected termsrv.dll to termsrv.dll.vir and then rename the clean file back to termsrv.dll

Once you've renamed the infected file, see if you can then submit it to Jotti.


Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#9 watz

watz
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:11:21 AM

Posted 03 September 2009 - 07:13 AM

Did what you stated. Here is the log for now. I will fill in more explanation later.
(see edit below)

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# iexplore.exe=7.00.6000.16876 (vista_gdr.090625-2339)
# OnlineScanner.ocx=1.0.0.6050
# api_version=3.0.2
# EOSSerial=2661449c939b2243b95cf9572440b49b
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-09-03 12:00:11
# local_time=2009-09-03 08:00:11 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=5889 61 66 100 764188215468750
# compatibility_mode=8196 21 100 100 300660000000
# scanned=88476
# found=2
# cleaned=2
# scan_time=4405
# nod_component=V3 Build:0x30000000
C:\Documents and Settings\Amanda M. Watson\DoctorWeb\Quarantine\DinerDashSetup-dm[1].exe Win32/Adware.Trymedia application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Amanda M. Watson\DoctorWeb\Quarantine\mirrormagicSetup-dm[1].exe Win32/Adware.Trymedia application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

Off to work will add more info later.

edit
I renamed the suspicious file by adding .vir and tried to change the .OLD file to .dll and I got the message that a file already existed with that name and it wouldn't let me continue to rename it. A termsrv.dll had mysteriously appeared and the properties look genuine.
At this point I ran the termsrv.dll.vir thru Jotti and it still came up as an empty file. I ran the termsrv.dll thru Jotti and "nothing found" came up for every scanner. I ran thru twice just to be sure. Then I did the online ESET scanner and the log is posted above. I rebooted and opened IE without any ESET alerts. Unfortunately that's when I had leave for work. Regards until next time.
watz

Edited by watz, 03 September 2009 - 09:46 AM.


#10 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:10:21 AM

Posted 03 September 2009 - 11:41 AM

Ok, see if you just scan that file specifically with Nod32 that's installed on your machine. If necessary just run a complete virus scan and let me know what turns up.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#11 watz

watz
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:11:21 AM

Posted 03 September 2009 - 11:40 PM

I ran a complete scan and here are the two items found to be infected:

C:\Qoobox\Quarantine\C\WINDOWS\system32\winlogon.exe.vir - Win32/Spy.Ursnif.A virus

C:\WINDOWS\system32\termsrv.dll.vir - Win32/Spy.Ursnif.A virus

This ESET Threat found Alert just popped up before I could add this reply.
Object:System Volume Information\_restor{5d527826-05bd...\A0001098.dll
Threat:Win32/Spy.Ursnif.A virus
Comment:Event occurred during an attempt to access the file by the application: C:\WINDOWS\System32\svchost.exe

I scanned the svchost app with Jotti: nothing found
I wanted scan A0001098.dll But I did not know how to browse to System Volume Information

Watz

Ok, I slept on it. Based on what you have told me to do before I decided to eliminate the bad .dll by creating a new restore point.
Then I ran a "Custom scan" with Nod32 targeting termsrv.dll.vir and winlogon.exe.vir. When each Threat found alert came up I clicked delete and Nod32 deleted them each time.
So far so good, no new alerts and it's about 20 minutes. we'll see what happens . . .
Thanks
watz

Edited by watz, 04 September 2009 - 06:37 AM.


#12 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:10:21 AM

Posted 04 September 2009 - 11:29 AM

You got it! Only I'd take it a step further at this point and completely flush out all old restore points since we know they are infected. Then set up a new clean restore point that you can revert back to without concern of reinfection.


Flush your system restore, this will delete any restore points that you have but it will also make sure that any malware hiding in system restore will be booted off.

Turn off System Restore:
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
Restart your computer, turn it back on and create a restore point.

Create a restore point:
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check Turn off System Restore.
  • Click Apply, and then click OK.


Let me know how it goes and if there's anything else I can help you with.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#13 watz

watz
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:11:21 AM

Posted 06 September 2009 - 04:33 AM

Sam

Missiion accomplished! Thank you for your time and expertise and especially your friendly service. A donation is definately in order.
My Daughter used her computer much of yesterday without a problem. Sweet!

Thanks again, watz

#14 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:10:21 AM

Posted 06 September 2009 - 10:36 AM

Glad I could help! :(
There's just a few last steps and then some recommendations for you.



We need to remove Combofix now that we're done with it.
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK

  • Posted Image



==================



Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - You should disable and reenable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to enable and reenable system restore here:

    Windows XP System Restore Guide

    Renable system restore with instructions from tutorial above

  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

:( :)
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#15 watz

watz
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:11:21 AM

Posted 08 September 2009 - 01:17 PM

ComboFix has been removed and steps 1-7 have been read and followed. Step 8 will be followed going forward.
Your directions are fantastic.
I thank you for your attention and professional service.
This is by far the best forum experience I have ever had.
watz

ps. My Daughter loves the way her computer is workng now.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users