I just reformatted and re-installed XP Home Ed on a new hard drive. I re-installed Avast antivirus and when I rebooted, Avast found several viruses in system 32, the initial virus being Win32:virut. Avast deleted them. When I rebooted and rescanned there were hundreds of viruses in my .exe files. Literally hundreds. I just stopped the machine after Avast had reached several hundred. I have re-formatted and re-installed XP several times, and it keeps coming back. Now when I go to shutdown, my computer won't shut down and just reboots. I try to use MicroTrend or Panda's online scanner and I get kicked out of IE. It just hangs in Firefox or I get error messages. I have Hijack this and I could post a logfile. I've searched this forum's knowledge base and the posts related to win32:virut seem to have solutions that are particular to the circumstance. Any help much appreciated.

Thanks for responding Jabuck, here is the logfile:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:27:17 PM, on 2/15/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\WINDOWS\SOUNDMAN.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://prerelease.trendmicro-europe...
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/active...
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
--
End of file - 3450 bytes

Please download ComboFix to the desktop from one of the following links:
Link 3
Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to hang.)
Please post the log it produces.

OK Jabuck, I was able to download and run ComboFix and it generated a logfile which I've posted below. After running ComboFix both browsers went offline. I rebooted and re-ran ComboFix a couple times before discovering that after running ComboFix I needed to go and repair my network connection. So now here is the current logfile without rebooting afterwards:
ComboFix 08-02-16.2 - Tim 2008-02-16 14:57:33.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.708 [GMT -8:00]
Running from: C:\Documents and Settings\Tim\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-01-16 to 2008-02-16 )))))))))))))))))))))))))))))))
.
2008-02-15 13:42 . 2002-08-29 04:00 375,808 --a------ C:\kmd.exe
2008-02-15 13:36 . 2008-02-15 13:36 <DIR> dr------- C:\Documents and Settings\Tim\Application Data\Brother
2008-02-15 13:33 . 2001-07-21 14:40 3,144 --a--c--- C:\WINDOWS\system32\dllcache\srgb.icm
2008-02-15 13:33 . 2008-02-15 13:36 462 --a------ C:\WINDOWS\BRWMARK.INI
2008-02-15 13:33 . 2008-02-15 13:33 184 --a------ C:\WINDOWS\system32\brsvc01a.bsi
2008-02-15 13:33 . 2008-02-15 13:33 30 --a------ C:\WINDOWS\system32\brss01a.ini
2008-02-15 13:33 . 2008-02-15 13:33 27 --a------ C:\WINDOWS\BRPP2KA.INI
2008-02-15 13:32 . 2002-08-29 01:32 28,160 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-02-15 13:32 . 2002-08-29 01:32 28,160 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-02-15 13:32 . 2002-08-29 01:50 24,960 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-02-15 13:32 . 2002-08-29 01:50 24,960 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-02-15 13:32 . 2002-08-29 01:32 21,760 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-02-15 12:24 . 2008-02-15 12:24 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-15 12:00 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\RkPavProc.sys
2008-02-15 11:41 . 2007-08-01 16:47 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-02-15 11:40 . 2008-02-15 11:40 <DIR> d-------- C:\WINDOWS\system32\HouseCall 6.6
2008-02-15 11:40 . 2008-02-15 11:46 <DIR> d-------- C:\Documents and Settings\Tim\Application Data\HouseCall 6.6
2008-02-15 11:24 . 2008-02-15 11:48 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-15 11:24 . 2008-02-15 11:48 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-15 11:23 . 2008-02-15 12:00 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-15 11:23 . 2008-02-15 11:48 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-15 11:15 . 2008-02-15 11:15 <DIR> d-------- C:\Program Files\CCleaner
2008-02-15 11:10 . 2008-02-15 11:10 <DIR> d---s---- C:\Documents and Settings\Tim\UserData
2008-02-15 11:08 . 2008-02-15 11:08 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-02-15 10:57 . 2008-02-15 10:57 <DIR> d-------- C:\Documents and Settings\Tim\Application Data\Talkback
2008-02-15 10:57 . 2008-02-15 10:57 0 --a------ C:\WINDOWS\nsreg.dat
2008-02-14 22:41 . 2008-02-14 22:46 <DIR> d-------- C:\Folder Vault 2
2008-02-14 22:34 . 2008-02-14 22:41 <DIR> d-------- C:\Projects
2008-02-14 20:44 . 2008-02-14 21:00 <DIR> d-------- C:\Music
2008-02-14 20:23 . 2008-02-14 20:23 <DIR> d-------- C:\Program Files\PowerQuest
2008-02-14 20:10 . 2008-02-14 20:10 13,722 --a------ C:\WINDOWS\system32\wpa.bak
2008-02-14 20:07 . 2008-02-14 20:07 <DIR> d-------- C:\Documents and Settings\Tim\Application Data\ATI
2008-02-14 20:03 . 2004-07-09 04:27 292,864 --a------ C:\WINDOWS\system32\ddraw.dll
2008-02-14 19:57 . 2008-02-14 19:57 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2008-02-14 19:56 . 2008-02-14 20:04 <DIR> d-------- C:\Program Files\ATI Technologies
2008-02-14 19:56 . 2005-07-11 12:12 524,850 -ra------ C:\WINDOWS\system32\drivers\ativcaxx.cpa
2008-02-14 19:56 . 2005-08-05 21:05 516,096 --------- C:\WINDOWS\system32\ati2sgag.exe
2008-02-14 19:56 . 2005-08-03 22:07 307,200 -ra------ C:\WINDOWS\system32\atiiiexx.dll
2008-02-14 19:56 . 2005-06-10 12:59 95,617 -ra------ C:\WINDOWS\system32\atiicdxx.dat
2008-02-14 19:56 . 2005-06-08 11:45 58,560 -ra------ C:\WINDOWS\system32\drivers\ativckxx.vp
2008-02-14 19:56 . 2005-08-03 22:20 21,712 -ra------ C:\WINDOWS\system32\drivers\ativvpxx.vp
2008-02-14 19:56 . 2005-06-06 23:25 5,496 -ra------ C:\WINDOWS\system32\atifglpf.xml
2008-02-14 19:56 . 2005-07-11 12:12 929 -ra------ C:\WINDOWS\system32\drivers\ativcaxx.vp
2008-02-14 19:52 . 2004-09-17 01:37 61,440 -ra------ C:\WINDOWS\system32\vuins32.dll
2008-02-14 19:52 . 2005-03-18 00:39 42,496 -ra------ C:\WINDOWS\system32\drivers\fetnd5bv.sys
2008-02-14 19:50 . 2008-02-14 19:50 <DIR> d-------- C:\Program Files\Realtek Sound Manager
2008-02-14 19:50 . 2008-02-14 19:50 <DIR> d-------- C:\Program Files\Realtek AC97
2008-02-14 19:50 . 2008-02-14 19:50 <DIR> d-------- C:\Program Files\AvRack
2008-02-14 19:49 . 2005-06-02 00:31 294,912 -r------- C:\WINDOWS\alcupd.exe
2008-02-14 19:49 . 2005-06-02 00:43 200,704 -r------- C:\WINDOWS\alcrmv.exe
2008-02-14 19:49 . 2005-05-17 21:38 40,960 -r------- C:\WINDOWS\system32\ChCfg.exe
2008-02-14 19:47 . 2005-04-25 19:22 60,928 -ra------ C:\WINDOWS\system32\drivers\viamraid.sys
2008-02-14 19:47 . 2001-08-17 13:58 35,840 --a------ C:\WINDOWS\system32\drivers\isapnp.sys
2008-02-14 19:47 . 2001-08-17 13:58 35,840 --a--c--- C:\WINDOWS\system32\dllcache\isapnp.sys
2008-02-14 19:47 . 2003-07-01 12:42 27,904 -ra------ C:\WINDOWS\system32\drivers\VIAAGP1.SYS
2008-02-14 19:46 . 2008-02-14 19:47 <DIR> d-------- C:\Program Files\VIA
2008-02-14 19:46 . 2008-02-14 19:46 <DIR> d-------- C:\Program Files\On-line Help Console
2008-02-14 19:46 . 2008-02-14 20:00 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-02-14 19:40 . 2003-08-25 18:06 182,880 --a------ C:\WINDOWS\system32\iuengine.dll
2008-02-14 19:40 . 2003-08-25 18:06 182,880 --a--c--- C:\WINDOWS\system32\dllcache\iuengine.dll
2008-02-14 19:33 . 2008-02-14 19:33 <DIR> d-------- C:\WINDOWS\system32\Tools
2008-02-14 19:33 . 2008-02-14 19:55 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2008-02-14 19:32 . 2004-12-28 21:57 17,505 -ra------ C:\DBI.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-15 02:13 --------- d-----w C:\Program Files\Alwil Software
2008-02-15 02:04 558,142 ----a-w C:\WINDOWS\java\Packages\FZRFJ7J3.ZIP
2008-02-15 02:04 155,995 ----a-w C:\WINDOWS\java\Packages\6PNRHJ5F.ZIP
2008-02-15 02:04 --------- d-----w C:\Program Files\microsoft frontpage
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 15:08 1511453]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 05:00 79224]
"RaidTool"="C:\Program Files\VIA\RAID\raid_tool.exe" [2005-04-25 19:22 589824]
"SoundMan"="SOUNDMAN.EXE" [2005-06-20 05:42 77824 C:\WINDOWS\SOUNDMAN.EXE]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 21:05 344064]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-06 01:07 61440]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
R3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\System32\Drivers\BrScnUsb.sys [2003-12-19 20:15]
R3 Cap713x;Cap713x Video Capture;C:\WINDOWS\System32\DRIVERS\Cap713x.sys [2004-06-10 00:14]
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-16 14:58:17
Windows 5.1.2600 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-02-16 14:58:38
ComboFix2.txt 2008-02-16 22:53:34
ComboFix3.txt 2008-02-16 22:45:24

I see only one suspicious file.
Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore">apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.
Download ATF Cleaner from this link:
ATF Cleaner
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
Run an online scan with Kaspersky from the following link:
Kaspersky Online Scanner
Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component
Click Yes, when prompted to install its ActiveX component.
(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.
Once the files are downloaded click on Next
Click on Scan Settings and configure as follows:
Scan using the following Anti-Virus database:
Extended
Scan Options:
Scan Archives
Scan Mail Base
Click OK and, under select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.
To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.

Hi Jabuck, I did as you suggested with system restore, ATF-Cleaner and Kaspersky's online scanner. One thing, when I went into scan options in Kaspersky, and clicked on Scan Archives and Scan Mail Base, there were two choices above that:
standard - detects viruses, worms, Trojans, rootkits
extended - protect your computer from spyware, adaware, dialers and potentially dangerous software such as remote access utilities, prank programs and jokes. We do not recommend this option to beginners or inexperienced users.
By default it was on the 'extended' choice so I left it.
Here is the report:
---------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, February 16, 2008 8:59:53 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 16/02/2008
Kaspersky Anti-Virus database records: 568431
---------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
Scan Statistics:
Total number of scanned objects: 32439
Number of viruses found: 3
Number of infected objects: 7
Number of suspicious objects: 0
Duration of the scan process: 00:36:20
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\ijshuve9.default\cert8.db Object is locked skipped
C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\ijshuve9.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\ijshuve9.default\history.dat Object is locked skipped
C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\ijshuve9.default\key3.db Object is locked skipped
C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\ijshuve9.default\parent.lock Object is locked skipped
C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\ijshuve9.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\ijshuve9.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Tim\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Tim\Local Settings\Application Data\ApplicationHistory\CLI.exe.c88dbd71.ini.inuse Object is locked skipped
C:\Documents and Settings\Tim\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Tim\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Tim\Local Settings\Application Data\Mozilla\Firefox\Profiles\ijshuve9.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Tim\Local Settings\Application Data\Mozilla\Firefox\Profiles\ijshuve9.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Tim\Local Settings\Application Data\Mozilla\Firefox\Profiles\ijshuve9.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Tim\Local Settings\Application Data\Mozilla\Firefox\Profiles\ijshuve9.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Tim\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Tim\Local Settings\Temp\Perflib_Perfdata_434.dat Object is locked skipped
C:\Documents and Settings\Tim\Local Settings\Temp\Perflib_Perfdata_510.dat Object is locked skipped
C:\Documents and Settings\Tim\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Tim\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Tim\NTUSER.DAT.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\moved\1.exe Infected: Trojan-PSW.Win32.Nilage.beu skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\System Volume Information\_restore{D69A2F88-7742-41A8-B905-39B39BC2ADB0}\RP14\change.log Object is locked skipped
C:\WINDOWS\Debug\oakley.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_608.dat Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
D:\Downloads\IE Cache viewer\IECacheView.exe Infected: not-a-virus:PSWTool.Win32.NetPass.h skipped
D:\Downloads\IE Cache viewer\iecacheview.zip/IECacheView.exe Infected: not-a-virus:PSWTool.Win32.NetPass.h skipped
D:\Downloads\IE Cache viewer\iecacheview.zip ZIP: infected - 1 skipped
D:\Downloads\mIRC\mirc621.exe/stream/data0008 Infected: not-a-virus:Client-IRC.Win32.mIRC.621 skipped
D:\Downloads\mIRC\mirc621.exe/stream Infected: not-a-virus:Client-IRC.Win32.mIRC.621 skipped
D:\Downloads\mIRC\mirc621.exe NSIS: infected - 2 skipped
D:\EDrive\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{D69A2F88-7742-41A8-B905-39B39BC2ADB0}\RP14\change.log Object is locked skipped
Scan process completed.
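To read a report like the one above, it helps to drop the "Object is locked" lines and group what remains by file on disk. The following is an added example, not part of the original thread: the line layout is inferred from the posted report, the function names are hypothetical, and names prefixed `not-a-virus:` are treated as Kaspersky's riskware label rather than as malware verdicts.

```python
"""Triage a Kaspersky Online Scanner report: drop locked-file noise, keep detections."""
import re
from typing import NamedTuple, Optional

# Excerpt of the report posted above: three of the "locked" lines plus every
# detection line. The layout "<path> <status> <last action>" is an assumption
# read off those lines, not a documented format.
SAMPLE_REPORT = r"""
C:\Documents and Settings\Tim\NTUSER.DAT Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\moved\1.exe Infected: Trojan-PSW.Win32.Nilage.beu skipped
D:\Downloads\IE Cache viewer\IECacheView.exe Infected: not-a-virus:PSWTool.Win32.NetPass.h skipped
D:\Downloads\IE Cache viewer\iecacheview.zip/IECacheView.exe Infected: not-a-virus:PSWTool.Win32.NetPass.h skipped
D:\Downloads\IE Cache viewer\iecacheview.zip ZIP: infected - 1 skipped
D:\Downloads\mIRC\mirc621.exe/stream/data0008 Infected: not-a-virus:Client-IRC.Win32.mIRC.621 skipped
D:\Downloads\mIRC\mirc621.exe/stream Infected: not-a-virus:Client-IRC.Win32.mIRC.621 skipped
D:\Downloads\mIRC\mirc621.exe NSIS: infected - 2 skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
"""

# Paths contain spaces, so the status is matched from the right-hand side.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?) "
    r"(?:(?P<locked>Object is locked)"
    r"|Infected: (?P<name>\S+)"
    r"|(?P<container>[A-Z]+): infected - (?P<count>\d+))"
    r" (?P<action>\w+)$"
)


class Entry(NamedTuple):
    path: str
    kind: str             # "locked", "detection" or "container"
    name: Optional[str]   # verdict name, set only for "detection"
    action: str           # last action taken by the scanner


def parse_report(text):
    """Return (entries, unparsed); unparsed lines are kept, never dropped silently."""
    entries, unparsed = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            unparsed.append(line)
            continue
        if m["locked"]:
            kind = "locked"
        elif m["name"]:
            kind = "detection"
        else:
            kind = "container"  # archive/installer summary line, carries no name
        entries.append(Entry(m["path"], kind, m["name"], m["action"]))
    return entries, unparsed


def triage(entries):
    """Summarise detections per file on disk and split malware from riskware."""
    files = {}
    for e in entries:
        if e.kind != "detection":
            continue
        # "archive.zip/inner.exe" is reported inside a container: act on the container.
        top = e.path.split("/", 1)[0]
        info = files.setdefault(top, {"names": set(), "category": "riskware"})
        info["names"].add(e.name)
        if not e.name.startswith("not-a-virus:"):
            info["category"] = "malware"
    return {
        "locked": sum(e.kind == "locked" for e in entries),
        "infected_objects": sum(e.kind != "locked" for e in entries),
        "distinct_names": sorted({e.name for e in entries if e.kind == "detection"}),
        "files": files,
    }


if __name__ == "__main__":
    parsed, leftovers = parse_report(SAMPLE_REPORT)
    summary = triage(parsed)
    print("locked (ignored):", summary["locked"])
    print("infected objects:", summary["infected_objects"])
    print("distinct names  :", len(summary["distinct_names"]))
    for path, info in sorted(summary["files"].items()):
        print(f"{info['category']:8} {path} -> {', '.join(sorted(info['names']))}")
    for line in leftovers:
        print("unparsed:", line)
```

On the excerpt it reports 7 infected objects and 3 distinct names, the same figures as the report's own Scan Statistics.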

Navigate to and delete the contents of this folder, but do not delete the folder itself:
C:\Program Files\Alwil Software\Avast4\DATA\moved
The D: drive is infected, have Avast run a virus scan on the D: drive.
Open Notepad and copy/paste everything between the X's into it and make sure "File::" is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
File::
C:\DBI.exe
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop). If ComboFix does not auto start, click "run".
Post a new ComboFix log and a new Kaspersky log once you finish the above suggestions.

Hi Jabuck, just to let you know I deleted C:\Program Files\Alwil Software\Avast4\DATA\moved
and I started the Avast scan of my D Drive this morning, using the 'thorough' and 'scan archive' options and it's still running now 3 hours and 52,000 files later, about 2/3's of the way through the drive. (no viruses detected yet)
Say my D drive is infected. All of the data on that drive (about 72 Gigs) was transferred there from my backed up data when I formatted and re-installed Win XP. That backed up data is still on my back up drive, which I disconnected when all of this started to happen, for fear that the virus would migrate there. I guess that means then I will also have to scan that data, or can I assume, because that data on D is a clone of my backup, that whatever virus shows up on D will be the same as my backup? Also, because this data on the D drive is backed up, couldn't I reformat the D drive and then just check the backed up data? Or am I accomplishing this now? Just not sure how to proceed with this or maybe I just need to be patient and deal with that when we get there and the time comes...

Hi Jabuck
The Avast scan (4 & 1/2 hrs later) showed 0 infected files. It did show a results of scan window that had the following two entries:
D:\EDrive\Music\Mixes\Sept-songs Unable to scan:The directory name is invalid
D:\EDrive\Music\Pop and Bands\Coldplay - 01 -Politik - simplemp3s.mp3 Unable to scan: The archive is corrupted
Here is the new Combofix log:
ComboFix 08-02-16.2 - Tim 2008-02-17 14:12:47.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.683 [GMT -8:00]
Running from: C:\Documents and Settings\Tim\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Tim\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE
C:\DBI.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\DBI.exe
.
((((((((((((((((((((((((( Files Created from 2008-01-17 to 2008-02-17 )))))))))))))))))))))))))))))))
.
2008-02-16 19:40 . 2008-02-16 19:40 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-16 19:40 . 2008-02-16 19:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-15 13:42 . 2002-08-29 04:00 375,808 --a------ C:\kmd.exe
2008-02-15 13:36 . 2008-02-15 13:36 <DIR> dr------- C:\Documents and Settings\Tim\Application Data\Brother
2008-02-15 13:33 . 2001-07-21 14:40 3,144 --a--c--- C:\WINDOWS\system32\dllcache\srgb.icm
2008-02-15 13:33 . 2008-02-15 13:36 462 --a------ C:\WINDOWS\BRWMARK.INI
2008-02-15 13:33 . 2008-02-15 13:33 184 --a------ C:\WINDOWS\system32\brsvc01a.bsi
2008-02-15 13:33 . 2008-02-15 13:33 30 --a------ C:\WINDOWS\system32\brss01a.ini
2008-02-15 13:33 . 2008-02-15 13:33 27 --a------ C:\WINDOWS\BRPP2KA.INI
2008-02-15 13:32 . 2002-08-29 01:32 28,160 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-02-15 13:32 . 2002-08-29 01:32 28,160 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-02-15 13:32 . 2002-08-29 01:50 24,960 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-02-15 13:32 . 2002-08-29 01:50 24,960 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-02-15 13:32 . 2002-08-29 01:32 21,760 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-02-15 12:24 . 2008-02-15 12:24 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-15 12:00 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\RkPavProc.sys
2008-02-15 11:41 . 2007-08-01 16:47 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-02-15 11:40 . 2008-02-16 19:34 <DIR> d-------- C:\WINDOWS\system32\HouseCall 6.6
2008-02-15 11:24 . 2008-02-15 11:48 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-15 11:24 . 2008-02-15 11:48 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-15 11:15 . 2008-02-15 11:15 <DIR> d-------- C:\Program Files\CCleaner
2008-02-15 11:10 . 2008-02-15 11:10 <DIR> d---s---- C:\Documents and Settings\Tim\UserData
2008-02-15 11:08 . 2008-02-15 11:08 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-02-15 10:57 . 2008-02-15 10:57 <DIR> d-------- C:\Documents and Settings\Tim\Application Data\Talkback
2008-02-15 10:57 . 2008-02-15 10:57 0 --a------ C:\WINDOWS\nsreg.dat
2008-02-14 22:41 . 2008-02-14 22:46 <DIR> d-------- C:\Folder Vault 2
2008-02-14 22:34 . 2008-02-14 22:41 <DIR> d-------- C:\Projects
2008-02-14 20:44 . 2008-02-14 21:00 <DIR> d-------- C:\Music
2008-02-14 20:23 . 2008-02-14 20:23 <DIR> d-------- C:\Program Files\PowerQuest
2008-02-14 20:10 . 2008-02-14 20:10 13,722 --a------ C:\WINDOWS\system32\wpa.bak
2008-02-14 20:07 . 2008-02-14 20:07 <DIR> d-------- C:\Documents and Settings\Tim\Application Data\ATI
2008-02-14 20:03 . 2004-07-09 04:27 292,864 --a------ C:\WINDOWS\system32\ddraw.dll
2008-02-14 19:57 . 2008-02-14 19:57 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2008-02-14 19:56 . 2008-02-14 20:04 <DIR> d-------- C:\Program Files\ATI Technologies
2008-02-14 19:56 . 2005-07-11 12:12 524,850 -ra------ C:\WINDOWS\system32\drivers\ativcaxx.cpa
2008-02-14 19:56 . 2005-08-05 21:05 516,096 --------- C:\WINDOWS\system32\ati2sgag.exe
2008-02-14 19:56 . 2005-08-03 22:07 307,200 -ra------ C:\WINDOWS\system32\atiiiexx.dll
2008-02-14 19:56 . 2005-06-10 12:59 95,617 -ra------ C:\WINDOWS\system32\atiicdxx.dat
2008-02-14 19:56 . 2005-06-08 11:45 58,560 -ra------ C:\WINDOWS\system32\drivers\ativckxx.vp
2008-02-14 19:56 . 2005-08-03 22:20 21,712 -ra------ C:\WINDOWS\system32\drivers\ativvpxx.vp
2008-02-14 19:56 . 2005-06-06 23:25 5,496 -ra------ C:\WINDOWS\system32\atifglpf.xml
2008-02-14 19:56 . 2005-07-11 12:12 929 -ra------ C:\WINDOWS\system32\drivers\ativcaxx.vp
2008-02-14 19:52 . 2004-09-17 01:37 61,440 -ra------ C:\WINDOWS\system32\vuins32.dll
2008-02-14 19:52 . 2005-03-18 00:39 42,496 -ra------ C:\WINDOWS\system32\drivers\fetnd5bv.sys
2008-02-14 19:50 . 2008-02-14 19:50 <DIR> d-------- C:\Program Files\Realtek Sound Manager
2008-02-14 19:50 . 2008-02-14 19:50 <DIR> d-------- C:\Program Files\Realtek AC97
2008-02-14 19:50 . 2008-02-14 19:50 <DIR> d-------- C:\Program Files\AvRack
2008-02-14 19:49 . 2005-06-02 00:31 294,912 -r------- C:\WINDOWS\alcupd.exe
2008-02-14 19:49 . 2005-06-02 00:43 200,704 -r------- C:\WINDOWS\alcrmv.exe
2008-02-14 19:49 . 2005-05-17 21:38 40,960 -r------- C:\WINDOWS\system32\ChCfg.exe
2008-02-14 19:47 . 2005-04-25 19:22 60,928 -ra------ C:\WINDOWS\system32\drivers\viamraid.sys
2008-02-14 19:47 . 2001-08-17 13:58 35,840 --a------ C:\WINDOWS\system32\drivers\isapnp.sys
2008-02-14 19:47 . 2001-08-17 13:58 35,840 --a--c--- C:\WINDOWS\system32\dllcache\isapnp.sys
2008-02-14 19:47 . 2003-07-01 12:42 27,904 -ra------ C:\WINDOWS\system32\drivers\VIAAGP1.SYS
2008-02-14 19:46 . 2008-02-14 19:47 <DIR> d-------- C:\Program Files\VIA
2008-02-14 19:46 . 2008-02-14 19:46 <DIR> d-------- C:\Program Files\On-line Help Console
2008-02-14 19:46 . 2008-02-14 20:00 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-02-14 19:40 . 2003-08-25 18:06 182,880 --a------ C:\WINDOWS\system32\iuengine.dll
2008-02-14 19:40 . 2003-08-25 18:06 182,880 --a--c--- C:\WINDOWS\system32\dllcache\iuengine.dll
2008-02-14 19:33 . 2008-02-14 19:33 <DIR> d-------- C:\WINDOWS\system32\Tools
2008-02-14 19:33 . 2008-02-14 19:55 <DIR> d-------- C:\Program Files\Common Files\InstallShield
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-15 02:13 --------- d-----w C:\Program Files\Alwil Software
2008-02-15 02:04 558,142 ----a-w C:\WINDOWS\java\Packages\FZRFJ7J3.ZIP
2008-02-15 02:04 155,995 ----a-w C:\WINDOWS\java\Packages\6PNRHJ5F.ZIP
2008-02-15 02:04 --------- d-----w C:\Program Files\microsoft frontpage
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 15:08 1511453]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 05:00 79224]
"RaidTool"="C:\Program Files\VIA\RAID\raid_tool.exe" [2005-04-25 19:22 589824]
"SoundMan"="SOUNDMAN.EXE" [2005-06-20 05:42 77824 C:\WINDOWS\SOUNDMAN.EXE]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 21:05 344064]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-06 01:07 61440]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
R3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\System32\Drivers\BrScnUsb.sys [2003-12-19 20:15]
R3 Cap713x;Cap713x Video Capture;C:\WINDOWS\System32\DRIVERS\Cap713x.sys [2004-06-10 00:14]
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-17 14:13:36
Windows 5.1.2600 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-02-17 14:13:59
ComboFix-quarantined-files.txt 2008-02-17 22:13:51
ComboFix2.txt 2008-02-16 22:58:38
ComboFix3.txt 2008-02-16 22:53:34
ComboFix4.txt 2008-02-16 22:45:24

Here is the new Kaspersky log:
---------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, February 17, 2008 2:57:11 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 16/02/2008
Kaspersky Anti-Virus database records: 569531
---------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
Scan Statistics:
Total number of scanned objects: 32698
Number of viruses found: 3
Number of infected objects: 7
Number of suspicious objects: 0
Duration of the scan process: 00:34:50
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Tim\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Tim\Local Settings\Application Data\ApplicationHistory\cli.exe.c88dbd71.ini.inuse Object is locked skipped
C:\Documents and Settings\Tim\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Tim\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Tim\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Tim\Local Settings\History\History.IE5\MSHist012008021720080218\index.dat Object is locked skipped
C:\Documents and Settings\Tim\Local Settings\Temp\Perflib_Perfdata_870.dat Object is locked skipped
C:\Documents and Settings\Tim\Local Settings\Temp\Perflib_Perfdata_8d0.dat Object is locked skipped
C:\Documents and Settings\Tim\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Tim\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Tim\NTUSER.DAT.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\System Volume Information\_restore{D69A2F88-7742-41A8-B905-39B39BC2ADB0}\RP14\A0001653.exe Infected: Trojan-PSW.Win32.Nilage.beu skipped
C:\System Volume Information\_restore{D69A2F88-7742-41A8-B905-39B39BC2ADB0}\RP15\change.log Object is locked skipped
C:\WINDOWS\Debug\oakley.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_5f0.dat Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
D:\Downloads\IE Cache viewer\IECacheView.exe Infected: not-a-virus:PSWTool.Win32.NetPass.h skipped
D:\Downloads\IE Cache viewer\iecacheview.zip/IECacheView.exe Infected: not-a-virus:PSWTool.Win32.NetPass.h skipped
D:\Downloads\IE Cache viewer\iecacheview.zip ZIP: infected - 1 skipped
D:\Downloads\mIRC\mirc621.exe/stream/data0008 Infected: not-a-virus:Client-IRC.Win32.mIRC.621 skipped
D:\Downloads\mIRC\mirc621.exe/stream Infected: not-a-virus:Client-IRC.Win32.mIRC.621 skipped
D:\Downloads\mIRC\mirc621.exe NSIS: infected - 2 skipped
D:\EDrive\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{D69A2F88-7742-41A8-B905-39B39BC2ADB0}\RP15\change.log Object is locked skipped
Scan process completed.

Empty the restore folder. Go to Start > Control Panel > System > System Restore tab > check the box beside "Turn off System Restore" > Apply (takes a minute) > OK. Go back and uncheck the box to turn System Restore back on > Apply > OK.
Download ATF Cleaner from this link:
ATF Cleaner
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
Format the D: drive.
You should be clean after that. Let us know how the computer is operating.

Hey Jabuck
I did the above as you suggested. Afterwards I ran Kaspersky and it came up clean. But then Avast popped up and detected a virus. Ugh! So I decided to reformat my C drive again, do a fresh install, and try again. During the install I reformatted my (now I have 3) partitions. I'm just in the process of downloading all the XP critical updates and I've switched back to AVG. There is a suspicious file in my C drive. Just one lone executable file listed as DBI. I scanned it with AVG and it says no threat. I'll keep ya posted on how this latest install attempt turns out. Into my fourth day now of dealing with this.
Many thanks for all your help.
Tim
