Help - Search - Members - Calendar
Full Version: infected with virus
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
chaoshadow102
May 10 2009, 08:02 AM
Everything started loading realllllly slow, then internet wouldnt load anymore (no connection), then something about the ip address, then these random thingys saying theres something wrong keeps popping up, then full screen ads from firefox and explorer kept popping up, then one time when it was turned on, trojan virus alerts from antivirus popped up nonstop and computer froze, then whole comp froze, then couldnt open task manager, then it said everything connected to computer could not be detected, thing popped up saying sound doesnt work/isnt connected correctly.

i used mbam (couldnt update because no internet access) and cleaned some of the viruses but everytime i start the computer, there is a popup for starwindservice.exe and cqcsss.exe every minute. i also used atf cleaner.



here is my hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:43:00 AM, on 5/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\cqcsss.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
c:\lsass.exe
c:\lsass.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.freemov2avi.com/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [17328] C:\cqcsss.exe
O4 - HKUS\.DEFAULT\..\Run: [] C:\WINDOWS\TEMP\g2wfjdu.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Windows Resurections] C:\WINDOWS\TEMP\g2wfjdu.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Diagnostic Manager] C:\WINDOWS\TEMP\827413948.exe (User 'Default user')
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Downloads\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Downloads\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://mypoints.worldwinner.com/games/v47/...GamesLoader.cab
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.0.6.5.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://www.shockwave.com/content/dinerdash...h2.1.0.0.67.cab
O16 - DPF: {6C6FE41A-0DA6-42A1-9AD8-792026B2B2A7} (FreeCell Control) - http://www.worldwinner.com/games/v41/freecell/freecell.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1159855951781
O16 - DPF: {89981B1D-07DA-43C3-9770-06C51E7E5DCE} (NostaleWebStarter Control) - http://game.nostale.com/sso/NostaleWebLauncher.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {AC486D5F-AFDD-45D1-9927-429427C70E01} (MJapanRunDll1 Class) - http://www.mgame.jp/game/mjrun/mjrunmng1a.cab
O16 - DPF: {ADCC68D4-AAEA-4338-817D-1F261D9FB759} (ENetLauncher Control) - http://www.dragongemworld.com/Active_X/ENetLauncher.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} (Logout Class) - http://www.gamengame.com/KALogoutComponent.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: c c:\progra~1\ThunMail\testabd.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AppMgmt - Unknown owner - C:\WINDOWS\TEMP\VRTB.tmp (file missing)
O23 - Service: aswUpdSv - Unknown owner - C:\WINDOWS\TEMP\VRTB.tmp (file missing)
O23 - Service: AudioSrv - Unknown owner - C:\WINDOWS\TEMP\VRTB.tmp (file missing)
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\WINDOWS\TEMP\VRTB.tmp (file missing)
O23 - Service: avast! Antivirus - Unknown owner - C:\WINDOWS\TEMP\VRTB.tmp (file missing)
O23 - Service: avast! Mail Scanner - Unknown owner - C:\WINDOWS\TEMP\VRTB.tmp (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\WINDOWS\TEMP\VRTB.tmp (file missing)
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bonjour Service - Unknown owner - C:\WINDOWS\TEMP\VRTB.tmp (file missing)
O23 - Service: Browser - Unknown owner - C:\WINDOWS\TEMP\VRTB.tmp (file missing)
O23 - Service: CiSvc - Unknown owner - C:\WINDOWS\TEMP\VRTB.tmp (file missing)
O23 - Service: clr_optimization_v2.0.50727_32 - Unknown owner - C:\WINDOWS\TEMP\VRTB.tmp (file missing)
O23 - Service: CLTNetCnService - Unknown owner - C:\WINDOWS\TEMP\VRTB.tmp (file missing)
O23 - Service: COMSysApp - Unknown owner - C:\WINDOWS\TEMP\VRTB.tmp (file missing)
O23 - Service: CryptSvc - Unknown owner - C:\WINDOWS\TEMP\VRTB.tmp (file missing)
O23 - Service: DcomLaunch - Unknown owner - C:\WINDOWS\TEMP\VRTB.tmp (file missing)
O23 - Service: Dhcp - Unknown owner - C:\WINDOWS\TEMP\VRTB.tmp (file missing)
O23 - Service: dhcpsrv - Unknown owner - C:\WINDOWS\TEMP\VRTB.tmp (file missing)
O23 - Service: dlbt_device - Unknown owner - C:\WINDOWS\TEMP\VRTB.tmp (file missing)
O23 - Service: dmadmin - Unknown owner - C:\WINDOWS\TEMP\VRTB.tmp (file missing)
O23 - Service: dmserver - Unknown owner - C:\WINDOWS\TEMP\VRTB.tmp (file missing)
O23 - Service: Dot3svc - Unknown owner - C:\WINDOWS\TEMP\VRTB.tmp (file missing)
O23 - Service: EapHost - Unknown owner - C:\WINDOWS\TEMP\VRTB.tmp (file missing)
O23 - Service: ERSvc - Unknown owner - C:\WINDOWS\TEMP\VRTB.tmp (file missing)
O23 - Service: Eventlog - Unknown owner - C:\WINDOWS\TEMP\VRTB.tmp (file missing)
O23 - Service: EventSystem - Unknown owner - C:\WINDOWS\TEMP\VRTB.tmp (file missing)
O23 - Service: FastUserSwitchingCompatibility - Unknown owner - C:\WINDOWS\TEMP\VRTB.tmp (file missing)
O23 - Service: helpsvc - Unknown owner - C:\WINDOWS\TEMP\VRTB.tmp (file missing)
O23 - Service: HidServ - Unknown owner - C:\WINDOWS\TEMP\VRTB.tmp (file missing)
O23 - Service: hkmsvc - Unknown owner - C:\WINDOWS\TEMP\VRTB.tmp (file missing)
O23 - Service: HTTPFilter - Unknown owner - C:\WINDOWS\TEMP\VRTB.tmp (file missing)
O23 - Service: ias - Unknown owner - C:\WINDOWS\TEMP\VRTB.tmp (file missing)
O23 - Service: IDriverT - Unknown owner - C:\WINDOWS\TEMP\VRTB.tmp (file missing)
O23 - Service: ImapiService - Unknown owner - C:\WINDOWS\TEMP\VRTB.tmp (file missing)
O23 - Service: iPod Service (ipod service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lanmanserver - Unknown owner - C:\WINDOWS\TEMP\VRTB.tmp (file missing)
O23 - Service: lanmanworkstation - Unknown owner - C:\WINDOWS\TEMP\VRTB.tmp (file missing)
O23 - Service: LVCOMSer - Unknown owner - C:\WINDOWS\TEMP\VRTB.tmp (file missing)
O23 - Service: LVPrcSrv - Unknown owner - C:\WINDOWS\TEMP\VRTB.tmp (file missing)
O23 - Service: LVSrvLauncher - Unknown owner - C:\WINDOWS\TEMP\VRTB.tmp (file missing)
O23 - Service: McciCMService - Unknown owner - C:\WINDOWS\TEMP\VRTB.tmp (file missing)
O23 - Service: MDM - Unknown owner - C:\WINDOWS\TEMP\VRTB.tmp (file missing)
O23 - Service: mnmsrvc - Unknown owner - C:\WINDOWS\TEMP\VRTB.tmp (file missing)
O23 - Service: MSIServer - Unknown owner - C:\WINDOWS\TEMP\VRTB.tmp (file missing)
O23 - Service: msncache - Unknown owner - C:\WINDOWS\TEMP\VRTB.tmp (file missing)
O23 - Service: napagent - Unknown owner - C:\WINDOWS\TEMP\VRTB.tmp (file missing)
O23 - Service: Netlogon - Unknown owner - C:\WINDOWS\TEMP\VRTB.tmp (file missing)
O23 - Service: Netman - Unknown owner - C:\WINDOWS\TEMP\VRTB.tmp (file missing)
O23 - Service: Nla - Unknown owner - C:\WINDOWS\TEMP\VRTB.tmp (file missing)
O23 - Service: NtLmSsp - Unknown owner - C:\WINDOWS\TEMP\VRTB.tmp (file missing)
O23 - Service: NtmsSvc - Unknown owner - C:\WINDOWS\TEMP\VRTB.tmp (file missing)
O23 - Service: ose - Unknown owner - C:\WINDOWS\TEMP\VRTB.tmp (file missing)
O23 - Service: PlugPlay - Unknown owner - C:\WINDOWS\TEMP\VRTB.tmp (file missing)
O23 - Service: PolicyAgent - Unknown owner - C:\WINDOWS\TEMP\VRTB.tmp (file missing)
O23 - Service: ProtectedStorage - Unknown owner - C:\WINDOWS\TEMP\VRTB.tmp (file missing)
O23 - Service: RasAuto - Unknown owner - C:\WINDOWS\TEMP\VRTB.tmp (file missing)
O23 - Service: RasMan - Unknown owner - C:\WINDOWS\TEMP\VRTB.tmp (file missing)
O23 - Service: Remote Network Access (RASNAL) - Unknown owner - C:\WINDOWS\system32\lsnsvc.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9832 bytes






Here is mbam log:

Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 5.1.2600 Service Pack 3

5/9/2009 7:01:34 PM
mbam-log-2009-05-09 (19-01-34).txt

Scan type: Quick Scan
Objects scanned: 76299
Time elapsed: 5 minute(s), 8 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 3
Registry Keys Infected: 17
Registry Values Infected: 4
Registry Data Items Infected: 11
Folders Infected: 1
Files Infected: 62

Memory Processes Infected:
C:\WINDOWS\system32\sopidkc.exe (Backdoor.Bot) -> Unloaded process successfully.
c:\lsass.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\tegapeba.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\rafahupu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\fuseruve.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d646841b-dc95-4184-a302-7345ce5d20e9} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d646841b-dc95-4184-a302-7345ce5d20e9} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b2ba40a2-74f0-42bd-f434-12345a2c8953} (Trojan.Zlob.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d646841b-dc95-4184-a302-7345ce5d20e9} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f7d09218-46d7-4d3d-9b7f-315204cd0836} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{e63648f7-3933-440e-b4f6-a8584dd7b7eb} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b3fa56cf-b3f9-4328-9802-cfaacea86646} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b3fa56cf-b3f9-4328-9802-cfaacea86646} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{425d2599-af6a-4cdd-8e27-0fad21ea6749} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sopidkc (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sopidkc (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sopidkc (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Weather Services (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{b2ba40a2-74f0-42bd-f434-12345a2c8953} (Trojan.Zlob.H) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls\wxfw.dll (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\rafahupu.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\rafahupu.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Backdoor.Bot) -> Data: c:\windows\system32\ntos.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\wsnpoem (Trojan.Agent) -> Delete on reboot.

Files Infected:
C:\WINDOWS\system32\namiviko.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\okiviman.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ramuzovi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ivozumar.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vasidifu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ufidisav.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vovugesi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\iseguvov.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vutofudi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\idufotuv.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fuseruve.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\drivers\mrxdavv.sys (Rootkit.Agent.H) -> Delete on reboot.
C:\WINDOWS\system32\jksahfo93wjfkd.dll (Trojan.Zlob.H) -> Delete on reboot.
C:\WINDOWS\system32\tegapeba.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\rafahupu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\179223\179223.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vipujizu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yujukumi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wsnpoem\audio.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\wsnpoem\audio.dll.cla (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wsnpoem\video.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\t55ft2688f44.dat (Trojan.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\t55ft2692f44.dat (Trojan.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dll32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ntdll64.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\reader_s.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kwave.sys (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\comsa32.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\1.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\2.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\3.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\4.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\5.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\6.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\7.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\8.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\9.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\A.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\B.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\C.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\D.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\E.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\F.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\azton.mt (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ch4oS Sh4DoW\reader_s.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\FInstall.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sopidkc.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tpszxyd.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\w.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dpcxool64.sys (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\lsass.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\dobojobe.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gelarijo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kejajumo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fakubija.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\warning.gif (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ahtn.htm (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\frmwrk32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ntos.exe (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\ld08.exe (Trojan.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\pp06.exe (Trojan.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\3361\SVCHOST.EXE (Trojan.Agent) -> Quarantined and deleted successfully.



LoPhatPhuud
May 10 2009, 03:56 PM
Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.



**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.
Invision Power Board © 2001-2009 Invision Power Services, Inc.