

new virus


Name: tal
Date: May 19, 2009 at 06:12:50 Pacific
OS: Microsoft Windows XP Home Edition
CPU/Ram: 2.8 GHz / 1021 MB
Product: Intel / D945psn
Subcategory: Viruses
Comment:

Hi,
Yesterday my computer got infected with some new virus. First it corrupted my Spyware Doctor, then Ad-Aware...
I managed to install the avast program, but when I try to run it, it says "not a valid Win32 application".
I managed to install a program called Malwarebytes' Anti-Malware, and these are its results:
Malwarebytes' Anti-Malware 1.34
Database version: 1798
Windows 5.1.2600 Service Pack 3

19/05/2009 14:29:16
mbam-log-2009-05-19 (14-29-16).txt

Scan type: Full Scan (C:\|F:\|)
Objects scanned: 157991
Time elapsed: 39 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sk9ou0s (Rootkit.Bagle) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sk9ou0s (Rootkit.Bagle) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sk9ou0s (Rootkit.Bagle) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srosa (Rootkit.Bagle) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\user\Application Data\m (Trojan.Agent) -> Delete on reboot.

Files Infected:
C:\Documents and Settings\user\Application Data\drivers\srosa2.sys (Rootkit.Bagle) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{40D421F7-39F6-4826-8C93-FD4B4E39246E}\RP654\A0117657.sys (Rootkit.Bagle) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{40D421F7-39F6-4826-8C93-FD4B4E39246E}\RP655\A0117662.sys (Rootkit.Bagle) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\m\data.oct (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\m\list.oct (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\m\srvlist.oct (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\drivers\winupgro.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\mdelk.exe (Trojan.Spammer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wintems.exe (Trojan.Spammer) -> Delete on reboot.
C:\Documents and Settings\user\Application Data\m\flec006.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\user\Application Data\drivers\wfsintwq.sys (Rootkit.Bagle) -> Quarantined and deleted successfully.
but it is still there after reboot.
Any suggestions?
Thanks anyway..
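The MBAM log above, read by a small triage script. This is an added example, not code from this thread or from Malwarebytes: it parses MBAM's result lines ("<item> (<Threat.Family>) -> <action>"), counts detections per threat family, pulls the service names out of the infected registry keys, and lists the items that were only marked "Delete on reboot", which are exactly the ones to check again after the restart. The sample log embedded in it is built from lines quoted in the post.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the lines quoted in the post's MBAM log.
SAMPLE_LOG = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sk9ou0s (Rootkit.Bagle) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srosa (Rootkit.Bagle) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\user\Application Data\m (Trojan.Agent) -> Delete on reboot.

Files Infected:
C:\Documents and Settings\user\Application Data\drivers\srosa2.sys (Rootkit.Bagle) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\drivers\winupgro.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\wintems.exe (Trojan.Spammer) -> Delete on reboot.
"""

# Section headers MBAM writes before each list of results.
SECTION_RE = re.compile(
    r"^(Memory Processes|Memory Modules|Registry Keys|Registry Values|"
    r"Registry Data Items|Folders|Files) Infected:$"
)
# One result line: "<item> (<Threat.Family>) -> <action>."
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[\w.]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Return one dict per result line: section, item, threat, action."""
    entries = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        # Skip the "(No malicious items detected)" filler and anything
        # before the first section header (version banner, scan stats).
        if section is None or line.startswith("("):
            continue
        m = ITEM_RE.match(line)
        if m:
            entries.append({"section": section, **m.groupdict()})
    return entries


def by_threat(entries):
    """Detections per threat family, e.g. {'Rootkit.Bagle': 3, ...}."""
    counts = defaultdict(int)
    for e in entries:
        counts[e["threat"]] += 1
    return dict(counts)


def pending_after_reboot(entries):
    """Items MBAM could only schedule for removal; re-check these after restart."""
    return [e["item"] for e in entries
            if e["action"].lower().startswith("delete on reboot")]


def service_names(entries):
    """Service names from infected ...\\Services\\<name> keys (the driver entries)."""
    names = {e["item"].rsplit("\\", 1)[-1]
             for e in entries
             if e["section"] == "Registry Keys" and "\\Services\\" in e["item"]}
    return sorted(names)


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    print("detections by family:", by_threat(found))
    print("service names to verify:", service_names(found))
    print("pending after reboot:")
    for item in pending_after_reboot(found):
        print("  ", item)
```

The useful output here is the last list: a "Delete on reboot" entry is a promise, not a result, and a driver that reloads before the deferred delete runs (the poster's "still there after reboot") shows up as those same paths and service names surviving a second scan.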






Response Number 1
Name: jdk (by neoark)
Date: May 19, 2009 at 06:19:33 Pacific
Reply:

Hi,
Can you please post your AVZ log:

1) To create the logfile, download AVZ by clicking HERE. Please save this file to your desktop or "My Documents" folder.

2) Next, unpack the file to a new folder using the Compressed (zipped) folders wizard built into Windows XP/Vista, or a zip utility of your choice.

3) Once you have unpacked the contents of the zip archive, please launch the file AVZ.exe by double clicking on it or right clicking and selecting Open.
Note: If you are running Windows Vista, launch AVZ.exe by right clicking and selecting Run as Administrator.

You should now see the main window of the AVZ utility. Please navigate to File->Custom Scripts. Copy the script below by using the keyboard shortcut CTRL+C or the corresponding option via right click.

begin
ExecuteStdScr(3);
RebootWindows(true);
end.

Paste the script into the execution window by using the CTRL+V keyboard shortcut, or the "paste" option via the right click menu. Click on Run to run the script; the PC will reboot. After the reboot, the LOG subfolder is created in the folder with AVZ, with a file called virusinfo_syscure.zip inside. Upload that file to rapidshare.com and paste the link here.

Image Tutorial




Response Number 2
Name: tal
Date: May 19, 2009 at 06:56:45 Pacific
Reply:

hi..
I wasn't sure what script I should paste...
http://rapidshare.com/files/2347706...
I hope this is good..

thank you anyway



Response Number 3
Name: jdk (by neoark)
Date: May 19, 2009 at 07:18:54 Pacific
Reply:

Yes, that was the file:

Run this script in AVZ the same way as before:


begin
  SetAVZGuardStatus(True);
  SearchRootkit(true, true);
  QuarantineFile('C:\Documents and Settings\user\Local Settings\Temp\{D686CA34-CA11-49B1-8B42-2D6B80E68308}\{6164D2E7-986B-42F5-B3A6-64D5E53FB889}\NOVG.EXE','');
  QuarantineFile('C:\WINDOWS\system32\wintems.exe','');
  QuarantineFile('C:\Documents and Settings\user\Application Data\m\flec006.exe','');
  QuarantineFile('C:\Documents and Settings\user\Application Data\drivers\winupgro.exe','');
  QuarantineFile('xlfgspdj.sys','');
  QuarantineFile('C:\DOCUME~1\user\LOCALS~1\Temp\catchme.sys','');
  QuarantineFile('.sys','');
  DeleteFile('.sys');
  DeleteFile('C:\DOCUME~1\user\LOCALS~1\Temp\catchme.sys');
  DeleteFile('xlfgspdj.sys');
  DeleteFile('C:\Documents and Settings\user\Application Data\drivers\winupgro.exe');
  DeleteFile('C:\Documents and Settings\user\Application Data\m\flec006.exe');
  DeleteFile('C:\WINDOWS\system32\wintems.exe');
  DeleteFile('C:\Documents and Settings\user\Local Settings\Temp\{D686CA34-CA11-49B1-8B42-2D6B80E68308}\{6164D2E7-986B-42F5-B3A6-64D5E53FB889}\NOVG.EXE');
  BC_ImportAll;
  ExecuteSysClean;
  BC_Activate;
  RebootWindows(true);
end.

Your computer will reboot. Once it's back, let me know and I will tell you the next steps.




Response Number 4
Name: tal
Date: May 19, 2009 at 07:49:10 Pacific
Reply:

done...



Response Number 5
Name: jdk (by neoark)
Date: May 19, 2009 at 07:53:13 Pacific
Reply:

Attach a Combofix log, please review and follow these instructions carefully.

Download it here -> http://download.bleepingcomputer.co...

Before Saving it to Desktop, please rename it to something like 123.exe to stop malware from disabling it.

Now, please make sure no other programs are running, close all other windows and pause Antivirus/Spyware programs (http://www.bleepingcomputer.com/forums/topic114351.html How-To) until after the scanning and removal process has taken place. It is suggested to uninstall PCTools/ThreatFire and reinstall it once Combofix is finished.

Please double click on the file you downloaded. Follow the onscreen prompts to start the scan. Once the scanning process has started please DO NOT click on the Combofix window or attempt to use your computer as this can cause the scanning process to stall. It may take a while to complete scanning and this is normal.

You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning, do not worry, this is normal and it will be restored after scanning has completed.

Combofix will create a logfile and display it after your computer has rebooted. Usually located in c:\combofix.txt, please attach it to your next post.







Response Number 6
Name: tal
Date: May 19, 2009 at 08:06:15 Pacific
Reply:

ok.. the program is warning me that Spyware Doctor is still active...
because of the virus, Spyware Doctor was blocked and its icon disappeared from the bottom line.. and when I open the program (Spyware Doctor) it says: "unable to connect to Spyware Doctor engine".. and the whole application is disabled.
now.. run Combofix anyway??



Response Number 7
Name: jdk (by neoark)
Date: May 19, 2009 at 08:11:33 Pacific
Reply:

Best way is to uninstall Spyware Doctor temporarily, or try to go to control panel -> administrator tools -> services -> disable the Spyware Doctor service, or press Ctrl+Alt+Del and try to end the Spyware Doctor service. Also refer to http://www.pctools.com/spyware-doct...




Response Number 8
Name: tal
Date: May 19, 2009 at 08:39:44 Pacific
Reply:

I have uninstalled the program as you said... and this is the scan log:
ComboFix 09-05-18.06 - user 05/19/2009 18:23.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1255.972.1037.18.1022.662 [GMT 3:00]
Running from: c:\documents and settings\user\שולחן העבודה\combo-fix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\user\Application Data\drivers\downld
c:\documents and settings\user\Application Data\drivers\downld\101078.exe
c:\documents and settings\user\Application Data\drivers\downld\1024531.exe
c:\documents and settings\user\Application Data\drivers\downld\1025281.exe
c:\documents and settings\user\Application Data\drivers\downld\1025312.exe
c:\documents and settings\user\Application Data\drivers\downld\1051750.exe
c:\documents and settings\user\Application Data\drivers\downld\1053062.exe
c:\documents and settings\user\Application Data\drivers\downld\1053312.exe
c:\documents and settings\user\Application Data\drivers\downld\1054000.exe
c:\documents and settings\user\Application Data\drivers\downld\1054968.exe
c:\documents and settings\user\Application Data\drivers\downld\1055046.exe
c:\documents and settings\user\Application Data\drivers\downld\110062.exe
c:\documents and settings\user\Application Data\drivers\downld\122437.exe
c:\documents and settings\user\Application Data\drivers\downld\128390.exe
c:\documents and settings\user\Application Data\drivers\downld\129375.exe
c:\documents and settings\user\Application Data\drivers\downld\129562.exe
c:\documents and settings\user\Application Data\drivers\downld\130125.exe
c:\documents and settings\user\Application Data\drivers\downld\132109.exe
c:\documents and settings\user\Application Data\drivers\downld\132703.exe
c:\documents and settings\user\Application Data\drivers\downld\147984.exe
c:\documents and settings\user\Application Data\drivers\downld\15013328.exe
c:\documents and settings\user\Application Data\drivers\downld\15013718.exe
c:\documents and settings\user\Application Data\drivers\downld\15013734.exe
c:\documents and settings\user\Application Data\drivers\downld\15026984.exe
c:\documents and settings\user\Application Data\drivers\downld\15029515.exe
c:\documents and settings\user\Application Data\drivers\downld\15036093.exe
c:\documents and settings\user\Application Data\drivers\downld\15038875.exe
c:\documents and settings\user\Application Data\drivers\downld\15040171.exe
c:\documents and settings\user\Application Data\drivers\downld\15040750.exe
c:\documents and settings\user\Application Data\drivers\downld\15055859.exe
c:\documents and settings\user\Application Data\drivers\downld\15058984.exe
c:\documents and settings\user\Application Data\drivers\downld\15060906.exe
c:\documents and settings\user\Application Data\drivers\downld\15076640.exe
c:\documents and settings\user\Application Data\drivers\downld\15077421.exe
c:\documents and settings\user\Application Data\drivers\downld\15077609.exe
c:\documents and settings\user\Application Data\drivers\downld\15083781.exe
c:\documents and settings\user\Application Data\drivers\downld\15165046.exe
c:\documents and settings\user\Application Data\drivers\downld\15166234.exe
c:\documents and settings\user\Application Data\drivers\downld\15167109.exe
c:\documents and settings\user\Application Data\drivers\downld\15200015.exe
c:\documents and settings\user\Application Data\drivers\downld\15201031.exe
c:\documents and settings\user\Application Data\drivers\downld\15201812.exe
c:\documents and settings\user\Application Data\drivers\downld\15208046.exe
c:\documents and settings\user\Application Data\drivers\downld\15209843.exe
c:\documents and settings\user\Application Data\drivers\downld\15209859.exe
c:\documents and settings\user\Application Data\drivers\downld\15213015.exe
c:\documents and settings\user\Application Data\drivers\downld\15213093.exe
c:\documents and settings\user\Application Data\drivers\downld\15243468.exe
c:\documents and settings\user\Application Data\drivers\downld\15244921.exe
c:\documents and settings\user\Application Data\drivers\downld\15245500.exe
c:\documents and settings\user\Application Data\drivers\downld\15247671.exe
c:\documents and settings\user\Application Data\drivers\downld\15278140.exe
c:\documents and settings\user\Application Data\drivers\downld\15452625.exe
c:\documents and settings\user\Application Data\drivers\downld\15453000.exe
c:\documents and settings\user\Application Data\drivers\downld\15520906.exe
c:\documents and settings\user\Application Data\drivers\downld\155250.exe
c:\documents and settings\user\Application Data\drivers\downld\15525187.exe
c:\documents and settings\user\Application Data\drivers\downld\15525484.exe
c:\documents and settings\user\Application Data\drivers\downld\15543609.exe
c:\documents and settings\user\Application Data\drivers\downld\15544343.exe
c:\documents and settings\user\Application Data\drivers\downld\15544375.exe
c:\documents and settings\user\Application Data\drivers\downld\15549468.exe
c:\documents and settings\user\Application Data\drivers\downld\15557265.exe
c:\documents and settings\user\Application Data\drivers\downld\15557578.exe
c:\documents and settings\user\Application Data\drivers\downld\15557703.exe
c:\documents and settings\user\Application Data\drivers\downld\15558296.exe
c:\documents and settings\user\Application Data\drivers\downld\15558312.exe
c:\documents and settings\user\Application Data\drivers\downld\166546.exe
c:\documents and settings\user\Application Data\drivers\downld\204640.exe
c:\documents and settings\user\Application Data\drivers\downld\206218.exe
c:\documents and settings\user\Application Data\drivers\downld\207968.exe
c:\documents and settings\user\Application Data\drivers\downld\215421.exe
c:\documents and settings\user\Application Data\drivers\downld\216703.exe
c:\documents and settings\user\Application Data\drivers\downld\217421.exe
c:\documents and settings\user\Application Data\drivers\downld\285703.exe
c:\documents and settings\user\Application Data\drivers\downld\294375.exe
c:\documents and settings\user\Application Data\drivers\downld\300890.exe
c:\documents and settings\user\Application Data\drivers\downld\305234.exe
c:\documents and settings\user\Application Data\drivers\downld\306812.exe
c:\documents and settings\user\Application Data\drivers\downld\307421.exe
c:\documents and settings\user\Application Data\drivers\downld\309421.exe
c:\documents and settings\user\Application Data\drivers\downld\310359.exe
c:\documents and settings\user\Application Data\drivers\downld\311031.exe
c:\documents and settings\user\Application Data\drivers\downld\314218.exe
c:\documents and settings\user\Application Data\drivers\downld\315171.exe
c:\documents and settings\user\Application Data\drivers\downld\315187.exe
c:\documents and settings\user\Application Data\drivers\downld\317984.exe
c:\documents and settings\user\Application Data\drivers\downld\318781.exe
c:\documents and settings\user\Application Data\drivers\downld\318828.exe
c:\documents and settings\user\Application Data\drivers\downld\325859.exe
c:\documents and settings\user\Application Data\drivers\downld\327765.exe
c:\documents and settings\user\Application Data\drivers\downld\329125.exe
c:\documents and settings\user\Application Data\drivers\downld\329656.exe
c:\documents and settings\user\Application Data\drivers\downld\333796.exe
c:\documents and settings\user\Application Data\drivers\downld\334656.exe
c:\documents and settings\user\Application Data\drivers\downld\334875.exe
c:\documents and settings\user\Application Data\drivers\downld\335171.exe
c:\documents and settings\user\Application Data\drivers\downld\364750.exe
c:\documents and settings\user\Application Data\drivers\downld\365781.exe
c:\documents and settings\user\Application Data\drivers\downld\366000.exe
c:\documents and settings\user\Application Data\drivers\downld\47906.exe
c:\documents and settings\user\Application Data\drivers\downld\490593.exe
c:\documents and settings\user\Application Data\drivers\downld\491250.exe
c:\documents and settings\user\Application Data\drivers\downld\491562.exe
c:\documents and settings\user\Application Data\drivers\downld\514234.exe
c:\documents and settings\user\Application Data\drivers\downld\514609.exe
c:\documents and settings\user\Application Data\drivers\downld\514640.exe
c:\documents and settings\user\Application Data\drivers\downld\53875.exe
c:\documents and settings\user\Application Data\drivers\downld\54125.exe
c:\documents and settings\user\Application Data\drivers\downld\54140.exe
c:\documents and settings\user\Application Data\drivers\downld\54937.exe
c:\documents and settings\user\Application Data\drivers\downld\54968.exe
c:\documents and settings\user\Application Data\drivers\downld\567000.exe
c:\documents and settings\user\Application Data\drivers\downld\568343.exe
c:\documents and settings\user\Application Data\drivers\downld\569062.exe
c:\documents and settings\user\Application Data\drivers\downld\572671.exe
c:\documents and settings\user\Application Data\drivers\downld\576609.exe
c:\documents and settings\user\Application Data\drivers\downld\580078.exe
c:\documents and settings\user\Application Data\drivers\downld\580984.exe
c:\documents and settings\user\Application Data\drivers\downld\581000.exe
c:\documents and settings\user\Application Data\drivers\downld\582296.exe
c:\documents and settings\user\Application Data\drivers\downld\583843.exe
c:\documents and settings\user\Application Data\drivers\downld\584203.exe
c:\documents and settings\user\Application Data\drivers\downld\600703.exe
c:\documents and settings\user\Application Data\drivers\downld\601640.exe
c:\documents and settings\user\Application Data\drivers\downld\601828.exe
c:\documents and settings\user\Application Data\drivers\downld\609343.exe
c:\documents and settings\user\Application Data\drivers\downld\609421.exe
c:\documents and settings\user\Application Data\drivers\downld\610796.exe
c:\documents and settings\user\Application Data\drivers\downld\611093.exe
c:\documents and settings\user\Application Data\drivers\downld\611687.exe
c:\documents and settings\user\Application Data\drivers\downld\612687.exe
c:\documents and settings\user\Application Data\drivers\downld\612843.exe
c:\documents and settings\user\Application Data\drivers\downld\614015.exe
c:\documents and settings\user\Application Data\drivers\downld\614656.exe
c:\documents and settings\user\Application Data\drivers\downld\64890.exe
c:\documents and settings\user\Application Data\drivers\downld\66953.exe
c:\documents and settings\user\Application Data\drivers\downld\68125.exe
c:\documents and settings\user\Application Data\drivers\downld\69109.exe
c:\documents and settings\user\Application Data\drivers\downld\72625.exe
c:\documents and settings\user\Application Data\drivers\downld\73781.exe
c:\documents and settings\user\Application Data\drivers\downld\74390.exe
c:\documents and settings\user\Application Data\drivers\downld\75500.exe
c:\documents and settings\user\Application Data\drivers\downld\75531.exe
c:\documents and settings\user\Application Data\drivers\downld\895109.exe
c:\documents and settings\user\Application Data\drivers\downld\895562.exe
c:\documents and settings\user\Application Data\drivers\downld\90328.exe
c:\documents and settings\user\Application Data\drivers\downld\93140.exe
c:\documents and settings\user\Application Data\drivers\downld\95140.exe
c:\documents and settings\user\Application Data\drivers\downld\982750.exe
c:\documents and settings\user\Application Data\drivers\downld\985265.exe
c:\documents and settings\user\Application Data\drivers\downld\985625.exe
c:\documents and settings\user\Application Data\inst.exe
c:\program files\INSTALL.LOG

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SK9OU0S
-------\Legacy_SROSA


((((((((((((((((((((((((( Files Created from 2009-04-19 to 2009-05-19 )))))))))))))))))))))))))))))))
.

2009-05-19 11:29 . 2009-05-19 13:48 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-05-19 11:29 . 2009-05-19 12:57 -------- d-----w c:\program files\Symantec
2009-05-18 19:34 . 2009-05-18 19:34 -------- d-----w c:\program files\Panda Security
2009-05-18 19:31 . 2009-05-18 19:31 -------- d-----w c:\documents and settings\user\Application Data\Uniblue
2009-05-18 19:31 . 2009-05-18 19:31 -------- d-----w c:\program files\Uniblue
2009-05-18 19:28 . 2009-05-18 19:31 -------- dc-h--w c:\documents and settings\All Users\Application Data\{92E7A367-8E12-4830-AA70-29C32E331A81}
2009-05-18 18:08 . 2009-05-18 18:08 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-05-18 17:21 . 2009-05-18 17:21 -------- d-----w c:\program files\Alwil Software
2009-05-18 16:01 . 2009-05-19 15:24 -------- d--h--w c:\documents and settings\user\Application Data\drivers
2009-05-10 19:28 . 2009-05-10 19:28 -------- d-----w c:\documents and settings\user\Application Data\VitySoft
2009-04-23 12:02 . 2009-04-23 12:02 -------- d-----w c:\program files\iPod
2009-04-23 12:02 . 2009-04-23 12:02 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-23 12:02 . 2009-04-23 12:02 -------- d-----w c:\program files\iTunes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-18 18:28 . 2008-07-31 16:06 -------- d-----w c:\program files\Microsoft IntelliType Pro
2009-05-18 18:08 . 2007-07-24 15:36 -------- d-----w c:\program files\Lavasoft
2009-05-18 15:59 . 2007-08-19 14:05 -------- d-----w c:\program files\Universal Math Solver
2009-05-18 13:12 . 2007-08-31 11:46 -------- d-----w c:\program files\studentMashov
2009-04-15 07:53 . 2006-03-02 12:00 58580 ----a-w c:\windows\system32\perfc00d.dat
2009-04-15 07:53 . 2006-03-02 12:00 311438 ----a-w c:\windows\system32\perfh00d.dat
2009-03-30 20:24 . 2009-03-30 20:24 -------- d-----w c:\program files\Bonjour
2009-03-30 20:23 . 2009-03-30 20:22 -------- d-----w c:\program files\QuickTime
2009-03-30 18:06 . 2009-03-30 18:01 -------- d-----w c:\program files\orange games
2009-03-30 18:01 . 2009-03-30 18:01 -------- d-----w c:\program files\Oberon Media
2009-03-30 18:01 . 2009-03-30 18:01 -------- d-----w c:\program files\Common Files\Oberon Media
2009-03-22 16:59 . 2007-09-11 08:37 50600 ----a-w c:\documents and settings\user\Application Data\GDIPFONTCACHEV1.DAT
2009-03-21 14:52 . 2009-04-04 14:04 -------- d-----w c:\program files\FreeRapid-0.81
2009-03-19 13:32 . 2008-01-29 09:01 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-16 19:16 . 2006-09-28 14:34 50600 ----a-w c:\documents and settings\user\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-06 14:20 . 2006-03-02 12:00 282112 ----a-w c:\windows\system32\pdh.dll
2009-03-05 20:59 . 2008-09-11 14:39 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-03-05 20:59 . 2007-11-12 16:36 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-03-03 00:08 . 2006-03-02 12:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-21 05:25 . 2008-12-31 15:04 691592 ----a-w c:\windows\system32\OGACheckControl.DLL
2009-02-20 17:11 . 2006-03-02 12:00 78336 ----a-w c:\windows\system32\ieencode.dll
2007-03-19 17:13 . 2007-07-25 15:54 6422611 ----a-w c:\program files\frostwire-4.13.1.6.windows.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.exe" [2006-06-15 790528]
"ICQ"="f:\icq 6\ICQ6.5\ICQ.exe" [2009-03-01 172792]
"Uniblue RegistryBooster 2009"="c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe" [2008-08-26 2019624]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\ASUSTeK\ASUSDVD\PDVDServ.exe" [2004-11-02 32768]
"Lexmark X1100 Series"="c:\program files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 57344]
"Hebrew"="c:\program files\הפוך על הפוך\Hebrew.exe" [2004-05-09 753664]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-05-19 81000]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" - c:\windows\system32\HdAShCut.exe [2005-01-07 61952]
"SigmatelSysTrayApp"="sttray.exe" - c:\windows\sttray.exe [2007-05-06 405504]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.exe" [2008-04-14 15360]

c:\documents and settings\user\תפריט התחלה\תוכניות\הפעלה\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
PowerReg Scheduler.exe [2008-12-28 256000]

c:\documents and settings\All Users\תפריט התחלה\תוכניות\הפעלה\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.exe [2001-2-13 83360]
Ralink Wireless Utility.lnk - c:\program files\RALINK\Common\RaUI.exe [2007-7-24 1114112]
Tray Application.lnk - c:\program files\Netex Client\NetexTray.exe [2008-9-30 65536]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"f:\\Program Files\\VirtualDJ\\virtualdj.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"f:\\ICQ 6\\ICQ6.5\\ICQ.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4662:TCP"= 4662:TCP:פורט TPC
"4672:UDP"= 4672:UDP:פורט UPD
"4662:UDP"= 4662:UDP:פורט

R1 pctfw2;pctfw2;c:\windows\system32\drivers\pctfw2.sys [25/10/2008 22:27 160792]
R2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [02/03/2006 15:00 14336]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys --> c:\windows\system32\drivers\pavboot.sys [?]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S1 aswSP;avast! Self Protection; [x]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys --> c:\windows\system32\DRIVERS\aswFsBlk.sys [?]
S3 DADriv1;DADriv1;\??\c:\documents and settings\user\My Documents\תיקיה חדשה\DAK32.sys --> c:\documents and settings\user\My Documents\תיקיה חדשה\DAK32.sys [?]
S3 lg3gbus;LGE KU580 driver (WDM);c:\windows\system32\drivers\lg3gbus.sys [15/03/2009 20:32 83080]
S3 lg3gobex;LGE KU580 USB WMC OBEX Interface;c:\windows\system32\drivers\lg3gobex.sys [15/03/2009 20:32 98568]
S3 pctplsg;pctplsg;\??\c:\windows\system32\drivers\pctplsg.sys --> c:\windows\system32\drivers\pctplsg.sys [?]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-05-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 09:34]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-type32 - c:\program files\Microsoft IntelliType Pro\type32.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.walla.co.il/
uInternet Settings,ProxyOverride = *.local
IE: &יצא ל- Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-19 18:27
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1583254649-2063405725-1787984166-1004\Software\Microsoft\  M*i*c*r*o*s*o*f*t* *M*a*n*a*g*e*m*e*n*t* *C*o*n*s*o*l*e*\Recent File List]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"File1"="c:\\WINDOWS\\system32\\compmgmt.msc"
"File2"="c:\\WINDOWS\\system32\\Com\\comexp.msc"
"File3"="c:\\WINDOWS\\system32\\perfmon.msc"
"File4"="c:\\WINDOWS\\system32\\devmgmt.msc"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(744)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3136)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.exe
c:\windows\system32\LEXPPS.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\SigmaTel\C-Major Audio\WDM\stacsv.exe
c:\program files\c:\program files\Java\jre1.6.0_07\bin\jusched.exe
c:\program files\Lexmark X1100 Series\lxbkbmon.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\WGATray.exe
.
**************************************************************************
.
Completion time: 2009-05-19 18:31 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-19 15:31

Pre-Run: 7,161,159,680 bytes free
Post-Run: 9,362,518,016 bytes free

328 --- E O F --- 2009-05-13 20:38
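The "Reg Loading Points" section of the ComboFix log above, read by an added example script (not ComboFix's code and not part of the thread): it parses the REGEDIT4-style autorun lines and the Security Center value that ComboFix prints, then flags the two things a responder reads that section for first, autoruns that launch from a per-user or temporary directory, and an AntiVirusOverride of 1, which suppresses the Security Center's missing-antivirus warning. The embedded sample is a trimmed copy of the section quoted in the post plus one constructed "Updater" entry (not in the real log) so that the user-writable-path check has something to flag.

```python
import re

# Constructed sample: a trimmed copy of the section quoted in the post, plus
# one made-up "Updater" entry (not from the real log) so the path check fires.
SAMPLE_SECTION = r'''
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Uniblue RegistryBooster 2009"="c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe" [2008-08-26 2019624]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-05-19 81000]
"SigmatelSysTrayApp"="sttray.exe" - c:\windows\sttray.exe [2007-05-06 405504]
"Updater"="c:\documents and settings\user\Application Data\drivers\winupgro.exe" [2009-05-18 40960]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
'''

# [HKEY_...\Run] header line.
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "name"="value" [- resolved path] [date size]; ComboFix adds the resolved
# path when the value is a bare file name found on the PATH.
RUN_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"'
    r'(?: - (?P<resolved>.+?))?'
    r'(?: \[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\])?$'
)
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')

# Directories a legitimate machine-wide autorun has no business launching from.
USER_WRITABLE = ("\\application data\\", "\\temp\\")


def parse_loading_points(text):
    """Return autorun/value entries with the registry key each sits under."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        if key is None:
            continue  # banner lines before the first [key]
        m = DWORD_RE.match(line)
        if m:
            entries.append({"key": key, "name": m.group("name"),
                            "path": None, "dword": int(m.group("hex"), 16)})
            continue
        m = RUN_RE.match(line)
        if m:
            # Prefer the path ComboFix resolved over the bare value.
            entries.append({"key": key, "name": m.group("name"),
                            "path": m.group("resolved") or m.group("value"),
                            "dword": None,
                            "size": int(m.group("size")) if m.group("size") else None})
    return entries


def flag_entries(entries):
    """(name, reason) pairs for the entries a responder should look at first."""
    findings = []
    for e in entries:
        if e["name"].lower() == "antivirusoverride" and e["dword"] == 1:
            findings.append((e["name"],
                             "Security Center antivirus warnings are suppressed"))
        elif e["path"] and any(d in e["path"].lower() for d in USER_WRITABLE):
            findings.append((e["name"],
                             "autorun launches from a user-writable directory: " + e["path"]))
    return findings


if __name__ == "__main__":
    parsed = parse_loading_points(SAMPLE_SECTION)
    print(len(parsed), "loading points parsed")
    for name, reason in flag_entries(parsed):
        print("FLAG", name + ":", reason)
```

On the real log the only hit is AntiVirusOverride; the Run entries left after the cleanup all live under c:\windows or c:\program files, which is the state you want to see before declaring the autoruns clean.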



Response Number 9
Name: jdk (by neoark)
Date: May 19, 2009 at 10:45:01 Pacific
Reply:

1) Run this script in AVZ:


begin
CreateQurantineArchive('c:\quarantine.zip');
end.

2) A file called quarantine.zip should be created in C:\. Then please zip up C:\qoobox\quarantine and upload both it and C:\quarantine.zip to a filehost such as http://rapidshare.com/ Then, Private Message me the Download link to the uploaded file.

3) Lastly, uninstall Combofix by: pause Antivirus/Spyware programs (http://www.bleepingcomputer.com/forums/topic114351.html Programs to disable) > Start > run > type combo-fix /u > ok. Or Start > run > type combo-fix.exe /u > ok.

After I receive your file I will tell you the next step to follow.

--------------------------------------------
To Private Message me Click Here


0

Response Number 10
Name: tal
Date: May 19, 2009 at 11:01:51 Pacific
Reply:

the program: "script executed without errors"...


0

Response Number 11
Name: jdk (by neoark)
Date: May 19, 2009 at 11:10:16 Pacific
Reply:

What do you mean? Please read Response Number 9 carefully.

--------------------------------------------
To Private Message me Click Here


0

Response Number 12
Name: tal
Date: May 19, 2009 at 11:21:59 Pacific
Reply:

when I pasted the script like I did earlier, the program: "script executed without errors"... I uploaded the screen pic to rapidshare...
http://rapidshare.com/files/2348912...


0

Response Number 13
Name: jdk (by neoark)
Date: May 19, 2009 at 11:29:27 Pacific
Reply:

Yes that's it. Go to step 2) of Response Number 9.

--------------------------------------------
To Private Message me Click Here


0

Response Number 14
Name: tal
Date: May 19, 2009 at 11:39:19 Pacific
Reply:

ok ok sorry


0

Response Number 15
Name: jdk (by neoark)
Date: May 19, 2009 at 12:02:26 Pacific
Reply:

Thanks for the files. Also, if you can't do step 3 of Response Number 9, please post a screenshot of the error and what you typed to get that error. While you try Step 3 you can continue with the following:

1) Download and run Kaspersky AVP tool:

http://devbuilds.kaspersky-labs.com...

Once you download and start the tool, select all the objects to be scanned and hit Scan. Fix what it detects and at the end of the scan post a screenshot/log of the detected items that were fixed and those it could not fix.

--------------------------------------------
To Private Message me Click Here


0

Response Number 16
Name: tal
Date: May 19, 2009 at 12:13:46 Pacific
Reply:

I typed both combo-fix /u and combo-fix.exe /u (not together..) and the error appeared.. (I sent the contents earlier in private)


0

Response Number 17
Name: jdk (by neoark)
Date: May 19, 2009 at 12:16:21 Pacific
Reply:

You can try the full path where combo-fix is present c:\documents and settings\user\שולחן העבודה\combo-fix.exe /u. Also continue with Response Number 15 step 1.

--------------------------------------------
To Private Message me Click Here


0

Response Number 18
Name: tal
Date: May 19, 2009 at 12:47:32 Pacific
Reply:

it didn't work either.. is it critical?
however, I started the next step.. but it will take a lot of time.. it works really slowly..


0

Response Number 19
Name: jdk (by neoark)
Date: May 19, 2009 at 18:03:50 Pacific
Reply:

Try: Start > run > type combofix /u > ok. Yes, that scan will take some time depending on the files you have.

--------------------------------------------
To Private Message me Click Here


0

Response Number 20
Name: tal
Date: May 20, 2009 at 05:43:25 Pacific
Reply:

hi..
the combofix uninstalled successfully!
now the scan.. at first, I started the scan and left the computer.. when I was back it had restarted itself (reboot).... now I try again... is there any other recommended software?
thanks a lot!!


0

Response Number 21
Name: jdk (by neoark)
Date: May 20, 2009 at 05:49:14 Pacific
Reply:

There should be a log saved of what happened under Reports; please post that log. One more after you complete this step.

--------------------------------------------
To Private Message me Click Here


0

Response Number 22
Name: tal
Date: May 20, 2009 at 09:31:17 Pacific
Reply:

hi..
this is the last log file.
I can't open it on my computer... I hope this is the right file.
http://rapidshare.com/files/2352391...


0

Response Number 23
Name: jdk (by neoark)
Date: May 20, 2009 at 11:10:42 Pacific
Reply:

I was able to decrypt some of the file; it seems like you are infected with a worm. Did you rescan your computer? Post screenshots of the log, it will be easier (Detected tab).

--------------------------------------------
To Private Message me Click Here


0

Response Number 24
Name: tal
Date: May 20, 2009 at 11:33:19 Pacific
Reply:

The software is running now.. Until now there are no infected files...
but the virus still exists. (I can't run programs like Ad-Aware or avast antivirus)


0

Response Number 25
Name: jdk (by neoark)
Date: May 20, 2009 at 11:40:57 Pacific
Reply:

Once the scan is over, post the scan log. There is a Report button at the bottom with left and right side arrows, which will allow you to go to the last scan and export the scan results as a txt file.

--------------------------------------------
To Private Message me Click Here


0

Response Number 26
Name: tal
Date: May 20, 2009 at 13:04:43 Pacific
Reply:

the computer restarted itself again.. the "scan failed (the task was stopped, no threats detected.."


0

Response Number 27
Name: jdk (by neoark)
Date: May 20, 2009 at 14:00:42 Pacific
Reply:

Try to download/run a new copy of Combofix and see if you still get that error. If you still get that error then it's better to scan from an antivirus boot disc. The worm might be actively replicating and infecting other exe's. You can try the Kaspersky Boot Disc from: ftp://ftp.kaspersky.com/devbuilds/RescueDisk/

--------------------------------------------
To Private Message me Click Here


0

Response Number 28
Name: tal
Date: May 21, 2009 at 06:27:00 Pacific
Reply:

Hi..
I uninstalled the programs that I mentioned earlier (Ad-Aware and avast antivirus) and reinstalled them. Now they work as usual...
it seems like the virus has gone.. is it possible?


0

Response Number 29
Name: jdk (by neoark)
Date: May 21, 2009 at 07:13:31 Pacific
Reply:

How do you know it's gone? Try to pause/stop Avast and Ad-Aware, re-do Response Number 15 and see if it completes without error.

--------------------------------------------
To Private Message me Click Here


0

Response Number 30
Name: cooljoebay
Date: May 21, 2009 at 07:44:31 Pacific
Reply:

Open msconfig, uncheck everything. Open regedit, search (find) the Run and RunOnce folders. Delete everything in those folders. Restart Windows in safe mode with networking. Go to Add/Remove in Control Panel and remove anything you do not need. Restart in safe mode again. Open up Task Manager and see what's running. Go online to the BitDefender online virus scan. You have to use IE for that. If you can get it to run it will wipe out any files that need to be eliminated.

Future. Stay away from spyware eliminator programs, HijackThis, anything with "spyware" in the name, Adaware. They all suck and are broken.

Use Avast updated and another to work alongside it. Steer clear of McAfee and Norton.


0
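The Run/RunOnce check described in the post above, as an added example that is not from any poster or tool in this thread: a PowerShell script that enumerates the four standard Run/RunOnce keys for the machine and the current user, resolves each entry's executable, and prints the entries with review flags (target missing, lives under a user-writable profile directory, Authenticode signature not valid) instead of deleting them, so that a legitimate autostart item such as a printer monitor or audio service is not removed by mistake. It assumes PowerShell 2.0 or later and the XP-era profile path names; the flag names and the path-extraction regex are my own choices.

```powershell
# Added example (not part of the thread): list Run/RunOnce autostart entries for
# review rather than deleting them. Assumes PowerShell 2.0+ and XP-style paths.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-ExecutablePath {
    param([string]$Command)
    # Best-effort recovery of the executable from a Run value (regex is my own).
    if ($Command -match '^"([^"]+)"') { return $Matches[1] }               # "quoted path" args
    if ($Command -match '^(.+?\.(exe|dll|scr|bat|cmd|vbs))(\s|$)') { return $Matches[1] }
    return ($Command -split '\s+')[0]
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip provider metadata (PSPath etc.)
        $exe = Get-ExecutablePath -Command ([string]$p.Value)
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        # Bare names such as rundll32.exe are resolved against System32.
        if ($exe -notmatch '\\') {
            $candidate = Join-Path (Join-Path $env:SystemRoot 'system32') $exe
            if (Test-Path -LiteralPath $candidate) { $exe = $candidate }
        }
        $flags = @()
        $exists = Test-Path -LiteralPath $exe
        if (-not $exists) { $flags += 'target-missing' }
        # Autostarts launched from profile/temp directories deserve a closer look.
        if ($exe -match '\\(Temp|Application Data|AppData|Local Settings)\\') {
            $flags += 'user-writable-location'
        }
        if ($exists) {
            $sig = (Get-AuthenticodeSignature -FilePath $exe).Status
            if ($sig -ne 'Valid') { $flags += "signature:$sig" }
        }
        New-Object PSObject -Property @{
            Key    = $key
            Name   = $p.Name
            Target = $exe
            Flags  = ($flags -join ',')
        }
    }
}
```

Pipe the output to Format-Table or Export-Csv and review it before removing anything; an entry with no flags is not proof it is benign, and a flagged entry is not proof it is malicious, so the flags are a triage aid for deciding what to look at first.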

Response Number 31
Name: tal
Date: May 21, 2009 at 13:04:59 Pacific
Reply:

I ran a full deep scan with avast! Antivirus, and no infected files were found.. is this program reliable??


0

Response Number 32
Name: jdk (by neoark)
Date: May 21, 2009 at 13:34:06 Pacific
Reply:

Not really. Try to do Response Number 15 again (AVP tool part). Make sure you download a new copy again and run a full scan. Uninstall/delete the old copy completely off your system. If avast was able to run, it means even the infected copy of AVP was able to remove most of the virus.

--------------------------------------------
To Private Message me Click Here


0

Response Number 33
Name: tal
Date: May 22, 2009 at 01:37:08 Pacific
Reply:

ok.. I have done it.. the scan completed, no threats detected..


0

Response Number 34
Name: jdk (by neoark)
Date: May 22, 2009 at 04:31:17 Pacific
Reply:

Install, update and run a full scan with SuperAntiSpyware. Attach the scan log, but please don't fix anything yet, until the log is reviewed.

--------------------------------------------
To Private Message me Click Here


0

Response Number 35
Name: tal
Date: May 22, 2009 at 06:24:37 Pacific
Reply:

screen picture: http://rapidshare.com/files/2359568...


0

Response Number 36
Name: jdk (by neoark)
Date: May 22, 2009 at 08:09:52 Pacific
Reply:

Fix what it detected. Now, is your original problem solved? Is the virus gone or is it still getting detected?

--------------------------------------------
To Private Message me Click Here


0

Response Number 37
Name: tal
Date: May 22, 2009 at 08:56:24 Pacific
Reply:

My original problem is solved, all the programs are working as usual (after re-installation...) and I can enter safe mode again.
Thank you very much!!


0

Response Number 38
Name: jdk (by neoark)
Date: May 22, 2009 at 09:08:15 Pacific
Reply:

Also, to give a finishing touch, run these as well: http://onecare.live.com/site/en-Us/... & http://onecare.live.com/site/en-Us/...

--------------------------------------------
To Private Message me Click Here


0

Response Number 39
Name: tal
Date: May 22, 2009 at 09:30:16 Pacific
Reply:

Defragmenting was recommended.. the program is doing it now...


0
