PC infected with Packed.Generic.200

May 17, 2009 at 13:28:55
Specs: Windows XP
My PC is infected with this virus. I tried turning off the system restore, running a scan and turning the system restore back on but the virus is still there. Please help.


#1
May 17, 2009 at 13:34:59
Hi,
Can you please post your AVZ log:

1) To create the logfile, download AVZ by clicking HERE. Please save this file to your desktop or "My Documents" folder.

2) Next, unpack the file to a new folder using the Compressed (zipped) folders wizard built into Windows XP/Vista, or a zip utility of your choice.

3) Once you have unpacked the contents of the zip archive, please launch the file AVZ.exe by double clicking on it or right clicking and selecting Open.
Note: If you are running Windows Vista, launch AVZ.exe by right clicking and selecting Run as Administrator.

You should now see the main window of the AVZ utility. Please navigate to File->Custom Scripts. Copy the script below by using the keyboard shortcut CTRL+C or the corresponding option via right click.

begin
ExecuteStdScr(3);
RebootWindows(true);
end.

Paste the script into the execution window by using CTRL+V keyboard shortcut, or the "paste" option via the right click menu. Click on Run to run the script, the PC will reboot. After the reboot the LOG subfolder is created in the folder with AVZ, with a file called virusinfo_syscure.zip inside. Upload that file to rapidshare.com and paste the link here.

Image Tutorial



#2
May 17, 2009 at 13:50:47


#3
May 17, 2009 at 14:27:28
Run this script in your AVZ the same way as before:


begin
  SetAVZGuardStatus(True);
  SearchRootkit(true, true);
  QuarantineFile('C:\WINDOWS\system32\sdra64.exe','');
  QuarantineFile('C:\WINDOWS\system32\UACknqwltenqwqmslv.dll','');
  QuarantineFile('\\?\globalroot\systemroot\system32\UACknqwltenqwqmslv.dll','');
  DeleteFile('\\?\globalroot\systemroot\system32\UACknqwltenqwqmslv.dll');
  DeleteFile('C:\WINDOWS\system32\UACknqwltenqwqmslv.dll');
  DeleteFile('C:\WINDOWS\system32\sdra64.exe');
  BC_ImportDeletedList;
  ExecuteSysClean;
  BC_Activate;
  RebootWindows(true);
end.

Your computer will reboot. After the reboot, let me know and I will tell you the next steps.



#4
May 17, 2009 at 14:33:37
OK. I ran the script. Right before the PC rebooted, I saw a message "script run with errors". The PC rebooted anyway.


#5
May 17, 2009 at 14:37:49
Try to rerun with this and let me know if you get an error.

begin
  SetAVZGuardStatus(True);
  SearchRootkit(true, true);
  QuarantineFile('C:\WINDOWS\system32\sdra64.exe','');
  QuarantineFile('\\?\globalroot\systemroot\system32\UACknqwltenqwqmslv.dll','');
  DeleteFile('\\?\globalroot\systemroot\system32\UACknqwltenqwqmslv.dll');
  DeleteFile('C:\WINDOWS\system32\sdra64.exe');
  BC_ImportDeletedList;
  ExecuteSysClean;
  BC_Activate;
  RebootWindows(true);
end.




#6
May 17, 2009 at 14:42:14
File executed without errors


#7
May 17, 2009 at 14:44:00
Attach a Combofix log; please review and follow these instructions carefully.

Download it here -> http://download.bleepingcomputer.co...

Before Saving it to Desktop, please rename it to something like 123.exe to stop malware from disabling it.

Now, please make sure no other programs are running, close all other windows and pause Antivirus/Spyware programs (http://www.bleepingcomputer.com/forums/topic114351.html Programs to disable) until after the scanning and removal process has taken place.

Please double click on the file you downloaded. Follow the onscreen prompts to start the scan. Once the scanning process has started please DO NOT click on the Combofix window or attempt to use your computer as this can cause the scanning process to stall. It may take a while to complete scanning and this is normal.

You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning, do not worry, this is normal and it will be restored after scanning has completed.

Combofix will create a logfile and display it after your computer has rebooted. It is usually located at c:\combofix.txt; please attach it to your next post.



#8
May 17, 2009 at 15:06:16
ComboFix 09-05-17.03 - Jenniffer Maldonado 05/17/2009 17:57.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.625 [GMT -5:00]
Running from: c:\documents and settings\Jenniffer Maldonado\Desktop\123.exe
AV: Norton 360 *On-access scanning disabled* (Updated) {A5F1BC7C-EA33-4247-961C-0217208396C4}
FW: Norton 360 *enabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Google\googletoolbar1.dll
c:\windows\system32\drivers\UACitexmoiybwisdot.sys
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\UACardlvmpptwnnaqb.dll
c:\windows\system32\UACflqhooruypdubop.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACitirfuxjtjwaptw.dat
c:\windows\system32\UACiulkkmgbjwapdmm.log
c:\windows\system32\UACknqwltenqwqmslv.dll
c:\windows\system32\UACpruqdqqptvkbwcb.dll
c:\windows\system32\UACsmecitfcypfxyea.log
c:\windows\system32\UACycairqfsvlfqhyl.dll
c:\windows\system32\UACyxqamitmjbohffk.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-04-17 to 2009-05-17 )))))))))))))))))))))))))))))))
.

2009-05-17 22:48 . 2009-05-17 22:49 -------- d-----w C:\32788R22FWJFW.0.tmp
2009-05-17 20:01 . 2009-05-17 20:01 -------- d-----w c:\documents and settings\Jenniffer Maldonado\Local Settings\Application Data\The Weather Channel
2009-05-17 20:01 . 2009-05-17 20:01 -------- d-----w c:\program files\AskBarDis
2009-05-17 18:46 . 2009-05-17 18:46 -------- d-----w c:\documents and settings\Jenniffer Maldonado\Local Settings\Application Data\Deployment
2009-05-16 02:16 . 2009-05-16 02:16 -------- d-----w c:\documents and settings\Jenniffer Maldonado\Option
2009-05-12 13:35 . 2009-05-12 13:35 -------- d-----w c:\windows\Sun
2009-05-11 00:34 . 2009-05-11 00:34 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-26 22:43 . 2009-04-26 22:43 -------- d-----w C:\KA
2009-04-26 22:43 . 1997-05-12 22:53 314368 ----a-w c:\windows\IsUninst.exe
2009-04-26 22:43 . 2009-04-26 22:43 -------- d-----w c:\documents and settings\Jenniffer Maldonado\WINDOWS
2009-04-26 22:30 . 2009-04-26 22:30 -------- d-----w c:\documents and settings\Jenniffer Maldonado\Application Data\Snapfish
2009-04-26 22:20 . 2008-04-14 05:09 5504 -c--a-w c:\windows\system32\dllcache\mstee.sys
2009-04-26 22:20 . 2008-04-14 05:09 5504 ----a-w c:\windows\system32\drivers\MSTEE.sys
2009-04-26 22:17 . 2009-04-26 22:17 -------- d-----w c:\documents and settings\All Users\Application Data\Ulead Systems
2009-04-26 22:14 . 1999-11-10 17:05 86016 ----a-w c:\windows\unvise32qt.exe
2009-04-26 22:13 . 2009-04-26 22:14 -------- d-----w c:\windows\system32\QuickTime
2009-04-26 22:13 . 2009-04-26 22:14 -------- d-----w c:\program files\QuickTime
2009-04-26 22:13 . 2009-05-06 00:41 -------- d-----w c:\documents and settings\All Users\Application Data\QuickTime
2009-04-26 22:12 . 2009-04-26 22:12 -------- d-----w c:\program files\Common Files\Ulead Systems
2009-04-26 22:12 . 2006-11-22 23:13 16024 ------w c:\windows\system32\drivers\iviaspi.sys
2009-04-26 22:12 . 2009-04-26 22:12 -------- d-----w c:\program files\Common Files\Ulead
2009-04-26 22:12 . 2009-04-26 22:12 -------- d-----w c:\program files\InterVideo Information Service
2009-04-26 22:11 . 2009-04-26 22:11 -------- d-----w c:\program files\Common Files\InterVideo
2009-04-26 22:11 . 2009-04-26 22:11 -------- d-----w c:\program files\InterVideo
2009-04-26 22:11 . 2007-10-10 21:31 87312 ----a-w c:\windows\mws.exe
2009-04-26 22:11 . 2009-04-26 22:11 -------- d-----w c:\documents and settings\Jenniffer Maldonado\Application Data\InterVideo
2009-04-26 22:08 . 2004-04-12 19:32 41760 ----a-w c:\windows\system\VFWWDM.DRV
2009-04-26 22:08 . 2007-02-27 02:28 24192 ----a-w c:\windows\system32\drivers\NVTCAMD2.SYS
2009-04-26 22:08 . 2007-02-27 02:28 55808 ----a-w c:\windows\system32\drivers\nvtcam.sys
2009-04-26 22:08 . 2009-04-26 22:08 -------- d-----w c:\program files\SANYO Digital Camera
2009-04-26 20:34 . 2009-04-26 20:34 -------- d-----w c:\documents and settings\Jenniffer Maldonado\Application Data\Hewlett-Packard
2009-04-26 20:24 . 2009-04-26 20:24 -------- d-----w c:\program files\Common Files\Hewlett-Packard
2009-04-26 20:22 . 2009-04-26 20:22 -------- d-----w c:\program files\Hewlett-Packard
2009-04-26 20:21 . 2003-04-22 15:24 16606 ------w c:\windows\hpomdl01.dat
2009-04-26 20:21 . 2009-04-26 20:33 19558 ------w c:\windows\hpoins01.dat
2009-04-26 20:21 . 2009-04-26 20:21 -------- d-----w C:\temp
2009-04-26 20:21 . 2009-04-26 20:21 -------- d-----w c:\temp\HP All-in-One Series Web Release
2009-04-26 00:09 . 2009-04-26 00:09 -------- d-----w c:\documents and settings\Jenniffer Maldonado\Application Data\CyberLink
2009-04-25 18:02 . 2009-04-25 18:02 -------- d-----w c:\program files\Windows Media Connect 2
2009-04-25 17:59 . 2009-04-25 18:00 -------- d-----w c:\windows\system32\drivers\UMDF
2009-04-25 17:59 . 2009-04-25 17:59 -------- d-----w c:\windows\system32\LogFiles
2009-04-25 17:57 . 2009-04-25 17:57 -------- d-----w c:\documents and settings\Jenniffer Maldonado\Application Data\Peachtree
2009-04-25 17:55 . 2008-04-18 23:10 2134016 ----a-w c:\windows\system32\cdintf251.dll
2009-04-25 17:53 . 2009-05-14 00:05 -------- d-----w c:\windows\Crystal
2009-04-25 17:50 . 2009-04-25 17:51 -------- d-----w c:\program files\Business Objects
2009-04-25 17:48 . 2009-05-14 00:02 -------- d-----w C:\pvsw
2009-04-25 17:48 . 2009-05-14 00:02 -------- d-----w c:\program files\Common Files\Pervasive Software Shared
2009-04-25 17:47 . 2009-04-25 17:49 -------- d-----w c:\program files\Sage Software
2009-04-25 17:44 . 2001-01-01 05:00 1060864 ----a-w c:\windows\system32\MFC71.dll
2009-04-25 17:43 . 2009-04-25 17:43 -------- d-----w c:\windows\PeachInst
2009-04-25 17:43 . 2009-04-25 17:43 -------- d-----w C:\Peach2009TrialInstaller
2009-04-20 16:04 . 2009-04-20 16:04 -------- d-----w c:\documents and settings\Jenniffer Maldonado\Local Settings\Application Data\Identities
2009-04-19 18:10 . 2009-05-14 02:21 -------- d-----w c:\documents and settings\Jenniffer Maldonado\Application Data\LimeWire
2009-04-18 14:44 . 2008-06-13 11:05 272128 -c----w c:\windows\system32\dllcache\bthport.sys
2009-04-18 14:44 . 2008-06-13 11:05 272128 ------w c:\windows\system32\drivers\bthport.sys
2009-04-18 14:43 . 2009-05-17 20:34 -------- d-----w c:\program files\Norton Security Scan
2009-04-18 14:42 . 2009-02-06 11:06 2145280 -c----w c:\windows\system32\dllcache\ntkrnlmp.exe
2009-04-18 14:42 . 2009-02-06 11:08 2189056 -c----w c:\windows\system32\dllcache\ntoskrnl.exe
2009-04-18 14:42 . 2009-02-06 10:32 2023936 -c----w c:\windows\system32\dllcache\ntkrpamp.exe
2009-04-18 14:41 . 2008-10-24 11:21 455296 -c----w c:\windows\system32\dllcache\mrxsmb.sys
2009-04-18 14:40 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-17 23:32 . 2009-04-18 14:55 -------- d-----w c:\windows\system32\Adobe
2009-04-17 23:02 . 2009-04-17 23:02 -------- dc----w c:\windows\system32\DRVSTORE
2009-04-17 23:02 . 2009-04-17 23:02 -------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-17 23:00 . 2008-10-29 01:27 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-05-17 22:57 . 2008-10-29 01:06 -------- d-----w c:\program files\Google
2009-05-17 18:46 . 2009-04-17 22:36 66880 ----a-w c:\documents and settings\Jenniffer Maldonado\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-14 00:06 . 2008-10-29 01:37 -------- d--h--w c:\program files\InstallShield Installation Information
2009-05-11 00:34 . 2008-10-29 01:22 -------- d-----w c:\program files\Java
2009-04-25 17:44 . 2008-10-29 01:09 -------- d-----w c:\program files\Common Files\InstallShield
2009-04-21 01:59 . 2008-10-29 01:27 -------- d-----w c:\program files\Norton 360
2009-04-21 00:55 . 2008-10-29 01:26 -------- d-----w c:\program files\Symantec
2009-04-21 00:55 . 2008-10-29 01:26 806 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-04-21 00:55 . 2008-10-29 01:26 60808 ----a-w c:\windows\system32\S32EVNT1.DLL
2009-04-21 00:55 . 2008-10-29 01:26 124464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-04-21 00:55 . 2008-10-29 01:26 10635 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-03-06 14:22 . 2008-04-14 22:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2007-08-14 02:54 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2008-04-14 22:00 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-19 19:03 . 2009-02-19 19:03 579464 ----a-w c:\windows\system32\SymNeti.dll
2009-02-19 19:03 . 2009-02-19 19:03 207240 ----a-w c:\windows\system32\SymRedir.dll
2009-02-19 18:31 . 2009-02-19 18:31 31280 ----a-w c:\windows\system32\drivers\SymIM.sys
2009-02-19 18:31 . 2009-02-19 18:31 41008 ----a-w c:\windows\system32\drivers\symndisv.sys
2009-02-19 18:31 . 2009-02-19 18:31 96560 ----a-w c:\windows\system32\drivers\symfw.sys
2009-02-19 18:31 . 2009-02-19 18:31 38576 ----a-w c:\windows\system32\drivers\symids.sys
2009-02-19 18:31 . 2009-02-19 18:31 37424 ----a-w c:\windows\system32\drivers\symndis.sys
2009-02-19 18:31 . 2009-02-19 18:31 22320 ----a-w c:\windows\system32\drivers\symredrv.sys
2009-02-19 18:31 . 2009-02-19 18:31 184496 ----a-w c:\windows\system32\drivers\symtdi.sys
2009-02-19 18:31 . 2009-02-19 18:31 13616 ----a-w c:\windows\system32\drivers\symdns.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-08-06 20:20 279944 ----a-w c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-08-06 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-08-06 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-02-25 8491008]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-02-25 81920]
"BkupTray"="c:\program files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe" [2008-04-07 34040]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-10-29 24064]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-15 71216]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-09 52256]
"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdatePSTShortCut"="c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2008-09-25 210216]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-11 148888]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton 360\osCheck.exe" [2008-02-25 988512]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2008-07-10 421888]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-04-26 98304]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-02-25 1626112]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-05-16 16862720]

c:\documents and settings\Jenniffer Maldonado\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-8-24 101784]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - c:\program files\BigFix\bigfix.exe [2007-8-16 2342912]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-9 28672]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NewTech Infosystems\\NTI Backup Now 5\\Client\\Agentsvc.exe"=
"c:\\Program Files\\NewTech Infosystems\\NTI Backup Now 5\\BackupSvc.exe"=
"c:\\Program Files\\NewTech Infosystems\\NTI Backup Now 5\\SchedulerSvc.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1583:TCP"= 1583:TCP:Pervasive DBEngine
"3351:TCP"= 3351:TCP:Pervasive DBEngine

R2 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe [3/3/2008 4:11 PM 16384]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2/17/2008 4:37 PM 149352]
R2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [4/7/2008 1:42 AM 50424]
R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [4/4/2008 6:03 AM 131072]
R3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [1/11/2008 11:32 PM 23888]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [4/17/2009 6:04 PM 101936]
S3 GoogleDesktopManager-080708-050100;Google Desktop Manager 5.7.808.7150;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [10/28/2008 8:05 PM 24064]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2009-05-08 c:\windows\Tasks\Norton Security Scan for Jenniffer Maldonado.job
- c:\program files\Norton Security Scan\Nss.exe [2009-03-13 01:20]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-LaunchApp - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&s=0&o=xph&d=0409&m=el1200-06w
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-17 18:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2992)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\VAScanner\comHost.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\nvsvc32.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
.
**************************************************************************
.
Completion time: 2009-05-17 18:03 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-17 23:03

Pre-Run: 59,348,672,512 bytes free
Post-Run: 59,454,201,856 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

247 --- E O F --- 2009-05-13 11:03



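One way to triage a ComboFix log for the indicator families this thread turned up (the random-named UAC* files in system32 that Malwarebytes later labelled Rootkit.TDSS, the lowsec folder, sdra64.exe, the UACd.sys service entry, and Security Center monitoring switched off). This is an added example, not ComboFix, AVZ or the helper's own script; the regexes, family names and severities are my assumptions modelled on the paths and registry entries visible in the log above, and the sample log is constructed:

```python
"""Triage helper for ComboFix-style logs (added example, not ComboFix/AVZ code).

Flags the indicator families seen in this thread's log. Regexes, family names
and severities are assumptions of mine, not vendor signatures.
"""
import re
from collections import Counter
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    line_no: int
    family: str
    severity: str   # "high" = act on it, "review" = legitimate products set this too
    text: str


# File-path rules. Each regex anchors on the end of the line so it matches both
# the bare paths in "Other Deletions" and the timestamped "Files Created" rows.
FILE_RULES = [
    ("tdss_random_name", "high",
     re.compile(r"\\system32\\(?:drivers\\)?UAC[a-z]{8,}\.(?:dll|sys|dat|log)$", re.I)),
    ("tdss_uacinit", "high", re.compile(r"\\system32\\uacinit\.dll$", re.I)),
    ("tdss_service", "high", re.compile(r"Service_UACd\.sys$", re.I)),
    ("lowsec_config", "high",
     re.compile(r"\\system32\\lowsec(?:\\(?:local|user)\.ds)?$", re.I)),
    ("sdra64_dropper", "high", re.compile(r"\\system32\\sdra64\.exe$", re.I)),
]

# Registry rule: "DisableMonitoring"=dword:00000001 only matters under a
# Security Center\Monitoring key, so the parser tracks the current [key].
REG_KEY = re.compile(r"^\[(.+)\]$")
DISABLE_MON = re.compile(r'^"DisableMonitoring"=dword:0*1$', re.I)


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per log line that hits a rule."""
    findings: List[Finding] = []
    current_key = ""
    for line_no, raw in enumerate(log_text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        key_match = REG_KEY.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        if DISABLE_MON.match(line) and "security center\\monitoring" in current_key.lower():
            # AV suites set this under their own subkey so Security Center defers
            # to them; worth a look, not proof of tampering, hence "review".
            findings.append(Finding(line_no, "security_center_monitoring_off", "review", current_key))
            continue
        for family, severity, pattern in FILE_RULES:
            if pattern.search(line):
                findings.append(Finding(line_no, family, severity, line))
                break
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per family, which is the view a responder reads first."""
    return dict(Counter(f.family for f in findings))


# Constructed sample: a cut-down mix of lines in the shape of the log above.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
c:\program files\Google\googletoolbar1.dll
c:\windows\system32\drivers\UACitexmoiybwisdot.sys
c:\windows\system32\lowsec\user.ds
c:\windows\system32\uacinit.dll
c:\windows\system32\sdra64.exe
-------\Service_UACd.sys
2009-05-11 00:34 . 2009-05-11 00:34 410984 ----a-w c:\windows\system32\deploytk.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"""


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for hit in hits:
        print(f"line {hit.line_no:3d} [{hit.severity:6}] {hit.family}: {hit.text}")
    print(summarize(hits))
```

The rules deliberately key on the shape of the names (UAC followed by a long random lowercase string) rather than on the exact file names from this machine, since that family changed its names per infection; benign rows such as deploytk.dll and the ctfmon.exe Run entry pass through untouched.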
#9
May 17, 2009 at 15:42:06
Run this script in AVZ:


begin
SetAVZGuardStatus(True);
SearchRootkit(true, true);
QuarantineFile('C:\32788R22FWJFW.0.tmp\*.*','');
DeleteFileMask('C:\32788R22FWJFW.0.tmp\','*.*',true);
DeleteDirectory('C:\32788R22FWJFW.0.tmp\');
BC_ImportALL;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.

Your computer will reboot. After the reboot follow these steps:

Also upload c:\documents and settings\Jenniffer Maldonado\Local Settings\Application Data\GDIPFONTCACHEV1.DAT to rapidshare and private message me the download link.

1) Run this script in AVZ:


begin
CreateQurantineArchive('c:\quarantine.zip');
end.

2) A file called quarantine.zip should be created in C:\. Then please zip up C:\qoobox\quarantine and upload both it and C:\quarantine.zip to a filehost such as http://rapidshare.com/ Then, Private Message me the Download link to the uploaded file.

3) Lastly, uninstall Combofix by: pause Antivirus/Spyware programs (http://www.bleepingcomputer.com/forums/topic114351.html Programs to disable) > Start > run > type 123 /u > ok. Or Start > run > type 123.exe /u > ok.

4) Also, if you use Windows System Restore, turn it off > reboot and do a full scan with your antivirus. Then turn System Restore back on, if you wish; this is to remove malware from the System Volume Information files. How to turn it off/on: http://support.kaspersky.com/faq/?q... Let me know if your antivirus still detects anything and is unable to get rid of it.

5) Install, update and run a full scan with Malwarebytes' Anti-Malware. Attach the Malwarebytes full scan log, but please don't fix anything yet, until the log is reviewed.



#10
May 17, 2009 at 15:55:07
Here is the link for the first upload:

http://rapidshare.com/files/2341837...

The link for quarantine.zip is:

http://rapidshare.com/files/2341850...



#11
May 17, 2009 at 15:57:14
Here is the C:\qoobox...file:

http://rapidshare.com/files/2341857...



#12
May 17, 2009 at 16:05:58
Is the C:\32788R22FWJFW.0.tmp directory still there or deleted?


#13
May 17, 2009 at 16:29:23
The file is still there. I'm running a scan and the antivirus (Norton) detected and fixed one risk so far, which didn't happen before. Hopefully when the scan is over I'll know the risk. Now I'm waiting for the scan to end to change the system restore and install the Malwarebytes software.


#14
May 17, 2009 at 16:44:50
Alert - Restart required: Risk name: Backdoor.Tidserv.

Do I Reboot the computer?



#15
May 17, 2009 at 16:50:03
Yes. At the end, post the scan log of what gets detected and what it could not fix. After the scan is finished, continue with Response Number 9, part 5.


#16
May 17, 2009 at 17:27:23
Scan is over. 3 risks were found and fixed: Tracking cookie, Backdoor.Tidserv and Packed.Generic.200.

Here is the full scan log (Response 9, Part 5):

Malwarebytes' Anti-Malware 1.36
Database version: 2146
Windows 5.1.2600 Service Pack 3

5/17/2009 8:25:48 PM
mbam-log-2009-05-17 (20-25-18).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 149548
Time elapsed: 24 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\Program Files\Google\googletoolbar1.dll.vir (Trojan.BHO) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\UACitexmoiybwisdot.sys.vir (Rootkit.TDSS) -> No action taken.



#17
May 17, 2009 at 17:29:29
OK, the virus seems removed. You can delete C:\Qoobox\. Also uninstall Combofix. Everything seems good to you?


#18
May 17, 2009 at 17:32:39
Qoobox deleted. Combofix also deleted.


#19
May 17, 2009 at 17:38:58
It looks good so far! May I run a Norton scan again? Just to make sure. At least now I don't have to enter a code every time I want to access a site, nor do I see a pornographic banner every time I access a site, which is great, especially when you have kids at home. Thank you so much for all your help and patience. It sure was a long road to go but everything turned out great.


#20
May 17, 2009 at 17:42:38
No problem, sure, run the scan again. As a matter of fact, don't scan again with Norton; use the Kaspersky/BitDefender online scanner. It will cover all the areas better.
