Go Back   Tech Support Forum > Security Center > HijackThis Log Help
07-20-2008, 08:38 PM   #1
Registered User
Join Date: Jun 2008
Posts: 16
OS: win xp, service pack II


Infrom.exe Trojan Horses

I apologize for not reading the 5-step rules for posting in my previous post. Hopefully I've satisfied those rules this time around.

My virus scan has been finding the infrom.exe trojan horse on my external hard drive (D:) and local drive (C:).




;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-07-04 07:11:03
PROTECTIONS: 2
MALWARE: 7
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
Symantec Antivirus Corporate Edition 8.0 No Yes
Norton Antivirus Edition 7.5 No No
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00159660 adware/admess Adware No 0 Yes No HKEY_LOCAL_MACHINE\software\classes\CLSID\{9896231A-C487-43A5-8369-6EC9B0A96CC0}
00159660 adware/admess Adware No 0 Yes No hkey_classes_root\clsid\{9896231a-c487-43a5-8369-6ec9b0a96cc0}
00162900 Cookie/MediaTickets TrackingCookie No 0 Yes No C:\!KillBox\owner@kinghost[1].txt
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@apmebf[2].txt
00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@overture[2].txt
00249100 Cookie/Cgi-bin TrackingCookie No 0 Yes No C:\!KillBox\owner@cgi-bin[1].txt
00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\!KillBox\owner@atwola[1].txt
01176994 Bck/VB.XB Virus/Trojan No 0 No No C:\System Volume Information\_restore{1920DD05-C3B3-4337-B7AE-8CBB7597E6CD}\RP26\A0003578.exe[327882R2FWJFW\NirCmdC.cfexe]
01176994 Bck/VB.XB Virus/Trojan No 0 No No C:\System Volume Information\_restore{1920DD05-C3B3-4337-B7AE-8CBB7597E6CD}\RP34\A0005196.exe[327882R2FWJFW\NirCmdC.cfexe]
01176994 Bck/VB.XB Virus/Trojan No 0 No No D:\System Volume Information\_restore{1920DD05-C3B3-4337-B7AE-8CBB7597E6CD}\RP27\A0003621.EXE[327882R2FWJFW\NirCmdC.cfexe]
01176994 Bck/VB.XB Virus/Trojan No 0 No No C:\RECYCLER\S-1-5-21-2918181824-2526188489-1461026583-1003\Dc13.exe[327882R2FWJFW\NirCmdC.cfexe]
;===================================================================================================================================================================================
SUSPECTS
Sent Location
;===================================================================================================================================================================================
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description
;===================================================================================================================================================================================
;===================================================================================================================================================================================





Logfile of HijackThis v1.99.1
Scan saved at 8:36:39 PM, on 7/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe
C:\WINNT\GWHotKey.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\WINNT\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.volcom.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AS00_Gear511] C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe -hide
O4 - HKLM\..\Run: [NotebookHardwareControl] "C:\Program Files\Notebook Hardware Control\nhc.exe" -quiet
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://qtinstall.info.apple.com/qtactivex/QTPlugin.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/p.../PCPitStop.CAB
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1194824712278
O18 - Protocol: x-excid - {9D6CC632-1337-4A33-9214-2DA092E776F4} - c:\WINNT\Downloaded Program Files\mimectl.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINNT\system32\WPDShServiceObj.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
Posted by BrentDemers
07-28-2008, 09:20 PM   #2
Registered User
Join Date: Jun 2008
Posts: 16
OS: win xp, service pack II


Re: Infrom.exe Trojan Horses

Bump... Can you at least tell me why I'm being skipped over? I don't understand.
Posted by BrentDemers
07-29-2008, 01:25 AM   #3
Expert Analyst, Moderator, Security Team
Join Date: Sep 2006
Posts: 1,320
OS: xp


Re: Infrom.exe Trojan Horses

Hello BrentDemers

"external hard drive (D:) and local drive (C:). "
Do you use any USB sticks?

First, delete your old copy of HijackThis.
Please do the following to download and install the latest version of HijackThis v2.0.2:

Download the HijackThis Installer: http://www.trendsecure.com/portal/en...HJTInstall.exe
Save HJTInstall.exe to your desktop.
Double-click on HJTInstall.exe to run the program.
Exit the program, since DSS (mentioned below) will show its log.


Download Deckard's System Scanner (DSS) to your Desktop.
Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. If prompted to let DSS download HijackThis, choose YES.
  4. When the scan is complete, two text files will open: main.txt <- this one will be maximized,
     and extra.txt <- this one will be minimized.
  5. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt in your next reply.
     Please attach extra.txt to your post.
To attach a file to a new post, simply
  1. Click the [Manage Attachments] button under Additional Options > Attach Files on the post composition page, and copy and paste the following into the "Upload File from your Computer" box:
     C:\Deckard\System Scanner\extra.txt
  2. Click Upload.
__________________
Our help is voluntary. But this site needs donations to operate.
Posted by LonnyRJones
07-29-2008, 09:37 PM   #4
Registered User
Join Date: Jun 2008
Posts: 16
OS: win xp, service pack II


Re: Infrom.exe Trojan Horses

I received the trojan from sharing a USB flash drive (if that's what you mean by USB stick).

My external hard drive is infected as well as my main hard drive.

I have Autorun... and I've noticed that there are a lot of missing files from the list... can I just delete those?

Thanks for responding to me.




Deckard's System Scanner v20071014.68
Run by Owner on 2008-07-29 20:44:18
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
58: 2008-07-30 03:45:32 UTC - RP68 - Deckard's System Scanner Restore Point
57: 2008-07-29 03:14:55 UTC - RP67 - System Checkpoint
56: 2008-07-27 23:45:40 UTC - RP66 - System Checkpoint
55: 2008-07-25 03:07:21 UTC - RP65 - System Checkpoint
54: 2008-07-24 03:04:01 UTC - RP64 - Printer Driver doPDF 6 Printer Driver Installed


-- First Restore Point --
1: 2008-05-01 01:18:16 UTC - RP11 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 511 MiB (512 MiB recommended).


-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:52:50 PM, on 7/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe
C:\WINNT\GWHotKey.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.volcom.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AS00_Gear511] C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe -hide
O4 - HKLM\..\Run: [NotebookHardwareControl] "C:\Program Files\Notebook Hardware Control\nhc.exe" -quiet
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://qtinstall.info.apple.com/qtactivex/QTPlugin.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/p.../PCPitStop.CAB
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1194824712278
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

--
End of file - 3607 bytes

-- File Associations -----------------------------------------------------------

.scr - AutoCADScriptFile - shell\open\command - C:\WINNT\NOTEPAD.EXE "%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.2.0.3) - c:\winnt\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.2.0.3>
R2 ASCTRM - c:\winnt\system32\drivers\asctrm.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>
R2 RioPNP - c:\winnt\system32\drivers\riopnp.sys <Not Verified; RioPort.com; >
R3 AWINDIS5 (AWINDIS5 Protocol Driver) - c:\winnt\system32\awindis5.sys <Not Verified; AMBIT Microsystems Corporation.; AMBIT WinDis32 Protocol Driver for Windows>
R3 nhcDriverDevice (Notebook Hardware Control Driver) - c:\winnt\system32\drivers\nhcdriver.sys <Not Verified; pBUS-167 Software - http://www.pbus-167.com; Notebook Hardware Control Driver>
R3 pfc (Padus ASPI Shell) - c:\winnt\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>
R3 WDC_SAM (WD SCSI Pass Thru driver) - c:\winnt\system32\drivers\wdcsam.sys <Not Verified; Western Digital Technologies; WD External Storage>

S1 SASKUTIL - c:\program files\superantispyware\saskutil.sys (file missing)
S3 ATWPKT2 - c:\progra~1\americ~1.0\atwpkt2.sys (file missing)
S3 PCDRDRV (Pcdr Helper Driver) - c:\atf\qctest\pcdoc\pcdrdrv.sys (file missing)
S3 PcdrNt - c:\winnt\system32\drivers\pcdrnt.sys (file missing)
S3 wanatw (WAN Miniport (ATW)) - c:\winnt\system32\drivers\wanatw4.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S4 PACSPTISVR - "c:\program files\common files\sony shared\avlib\pacsptisvr.exe" <Not Verified; ; PACSPTISVR Module>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-07-29 20:52:00 412 --a------ C:\WINNT\Tasks\Symantec NetDetect.job
2008-07-29 20:29:38 418 --ah----- C:\WINNT\Tasks\User_Feed_Synchronization-{BCF09352-0836-419B-957E-F7E0274A374A}.job


-- Files created between 2008-06-29 and 2008-07-29 -----------------------------

2008-07-29 20:42:21 0 d-------- C:\Program Files\Trend Micro
2008-07-23 20:08:40 0 d-------- C:\Documents and Settings\LocalService\Application Data\Softland
2008-07-23 20:02:29 0 d-------- C:\Program Files\Softland
2008-07-07 18:47:51 0 d-------- C:\WINNT\system32\CatRoot_bak
2008-07-07 09:00:52 0 d-------- C:\ie-spyad_zo
2008-07-01 19:50:45 0 d-------- C:\Program Files\Panda Security


-- Find3M Report ---------------------------------------------------------------

2008-06-24 20:26:40 0 d-------- C:\Program Files\Quicken
2008-06-24 20:26:17 0 d-------- C:\Program Files\Common Files
2008-06-24 20:23:34 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-24 20:17:17 0 d-------- C:\Program Files\Common Files\Adaptec Shared
2008-06-12 12:48:40 0 d-------- C:\Program Files\SpywareBlaster
2008-06-12 12:05:59 0 d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-06-12 12:05:04 0 d-------- C:\Program Files\SUPERAntiSpyware


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [05/21/2003 02:21 AM]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [08/22/2002 02:10 PM]
"AS00_Gear511"="C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe" [01/20/2006 02:14 PM]
"NotebookHardwareControl"="C:\Program Files\Notebook Hardware Control\nhc.exe" [05/03/2007 05:33 PM]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [11/14/2001 03:03 PM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [11/14/2001 03:02 PM]
"Multi-function Keyboard"="GWHotKey.exe" [08/28/2001 10:13 AM C:\WINNT\GWHotKey.exe]
"Mouse Suite 98 Daemon"="ICO.EXE" [08/23/2001 11:23 AM C:\WINNT\system32\ico.exe]
"KernelFaultCheck"="C:\WINNT\system32\dumprep 0 -k" []
"GWMDMpi"="C:\WINNT\GWMDMpi.exe" [06/12/2002 04:23 PM]
"GWMDMMSG"="GWMDMMSG.exe" [05/06/2002 01:12 PM C:\WINNT\GWMDMMSG.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [08/04/2004 12:56 AM]
"Aim6"="" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MDM"=2 (0x2)
"ewido security suite control"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"SSScsiSV"=3 (0x3)
"SPTISRV"=3 (0x3)
"SonicStage Back-End Service"=3 (0x3)
"PrismXL"=2 (0x2)
"PACSPTISVR"=3 (0x3)
"MSCSPTISRV"=3 (0x3)
"iPodService"=3 (0x3)
"IDriverT"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)
"AresChatServer"=3 (0x3)




-- End of Deckard's System Scanner: finished at 2008-07-29 20:54:37 ------------
Attached file: extra.txt (14.0 KB)
Posted by BrentDemers
07-30-2008, 01:16 AM   #5
Expert Analyst, Moderator, Security Team
Join Date: Sep 2006
Posts: 1,320
OS: xp


Re: Infrom.exe Trojan Horses

Which missing files are you referring to?
Just because logs say missing doesn't necessarily mean they are.
Let's get back to that later, after cleanup.
When was it you ran ComboFix?
Delete your old copy if still present.
With your external drive and your USB sticks plugged in:

Please visit this webpage for download links, and instructions for running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix


Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  1. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  2. Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.

Please include the following report for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
Posted by LonnyRJones
07-30-2008, 11:48 PM   #6
Registered User
Join Date: Jun 2008
Posts: 16
OS: win xp, service pack II


Re: Infrom.exe Trojan Horses

I used ComboFix about a month ago... but the problem was never corrected.

...I'll remind you of the missing files when you're ready.
Attached file: ComboFix.txt (7.4 KB)
Posted by BrentDemers
07-31-2008, 05:38 AM   #7
Expert Analyst, Moderator, Security Team
Join Date: Sep 2006
Posts: 1,320
OS: xp


Re: Infrom.exe Trojan Horses

ComboFix disables autorun to help with these infections, meaning if you plug a USB stick or CDs in they won't automatically open.
Having said that, I'm not seeing the infection yet.
Is NAV still seeing infrom.exe?
If so I'd like a copy; you might have to temporarily disable NAV.
Submit it here please:
http://www.bleepingcomputer.com/submit-malware.php?
Also submit autorun.inf if it is present in the same location as infrom.
Posted by LonnyRJones
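An added example, not part of the thread and not a tool the analysts used: a small Python script that triages the autorun.inf the analyst asks for above, the way a helper would before trusting a removable drive. It reads the [autorun] section the way Explorer does (only that section, keys case-insensitive, unparseable lines ignored), lists every command the file would launch, and flags the tricks USB worms of this period relied on: a hijacked shell\open\command or custom default verb, an action= string that mimics Explorer's own "Open folder to view files" prompt, launching from RECYCLER-style folders or 8.3 short paths, and junk padding meant to defeat signature scanners. The three sample files are constructed for this example; the infrom.exe name and the autorun\ folder echo this thread, everything else in them is invented.

```python
"""Triage an autorun.inf before trusting a removable drive.

Added example for this thread, not a tool the analysts used. The sample
files are constructed: 'infrom.exe' and the 'autorun' folder echo names
in the thread, everything else is made up.
"""
import re

# Keys whose value Explorer executes on insertion or when the drive is opened.
EXEC_KEYS = ("open", "shellexecute")
SHELL_CMD = re.compile(r"^shell\\([^\\]+)\\command$")
RUNNABLE_EXT = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js", ".wsf")
# Folders a vendor driver disc has no business launching from.
ODD_DIRS = {"recycler", "recycled", "system volume information"}


def parse_autorun(text):
    """Tolerant INI parse of the [autorun] section.

    Explorer ignores other sections, compares keys case-insensitively and
    skips lines it cannot parse, so worms pad the file with junk to break
    signature scanners. Returns (entries, junk_lines); junk is evidence.
    """
    entries, junk = [], []
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun:
            continue
        key, sep, value = line.partition("=")
        if sep:
            entries.append((key.strip().lower(), value.strip()))
        else:
            junk.append(line)
    return entries, junk


def _target(command):
    """First token of a command line, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def triage(text):
    """Return {'commands': [...], 'flags': [...]} for one autorun.inf."""
    entries, junk = parse_autorun(text)
    commands, flags = [], []
    for key, value in entries:
        if key == "shell" and value.lower() != "open":
            flags.append(f"default verb changed to '{value}'")
            continue
        if key == "action" and "open folder" in value.lower():
            flags.append("action text mimics Explorer's own 'Open folder to view files' prompt")
            continue
        m = SHELL_CMD.match(key)
        if key in EXEC_KEYS:
            verb = key
        elif m:
            verb = m.group(1)
            if verb == "open":
                flags.append("shell\\open\\command hijacks the drive's default Open action")
        else:
            continue  # label=, icon= and friends do not run anything
        commands.append(value)
        target = _target(value)
        parts = [p.lower() for p in re.split(r"[\\/]", target)]
        if any(p in ODD_DIRS for p in parts):
            flags.append(f"{verb}: launches from {'/'.join(parts[:-1])}, a system/recycle folder")
        if any("~" in p for p in parts):
            flags.append(f"{verb}: 8.3 short path in '{target}', check the long folder name")
        if not parts[-1].endswith(RUNNABLE_EXT):
            flags.append(f"{verb}: target '{target}' is not a recognised executable type")
        elif not parts[-1].endswith(".exe"):
            flags.append(f"{verb}: target '{target}' is a script or shortcut type")
    if junk:
        flags.append(f"{len(junk)} unparseable line(s) in [autorun] (padding/obfuscation)")
    if len(commands) > 1:
        flags.append(f"{len(commands)} execution entries point at: {sorted(set(commands))}")
    return {"commands": commands, "flags": flags}


# Constructed samples (not captured from the poster's drives).
BENIGN_INF = """[autorun]
open=setup.exe
icon=setup.exe,0
label=Printer Driver CD
"""
SUSPICIOUS_INF = """[autorun]
open=autorun\\infrom.exe
$dh38f!kq
shell\\auto\\command=autorun\\infrom.exe
shell=auto
action=Open folder to view files
icon=%SystemRoot%\\system32\\shell32.dll,4
"""
RECYCLER_INF = """[AutoRun]
shellexecute="RECYCLER\\S-1-5-21-1\\x.exe" /q
"""

if __name__ == "__main__":
    for name, inf in (("benign", BENIGN_INF), ("suspicious", SUSPICIOUS_INF), ("recycler", RECYCLER_INF)):
        report = triage(inf)
        print(f"{name}: runs {report['commands']}")
        for flag in report["flags"]:
            print("  !", flag)
```

Whether Explorer honours the file at all is governed by the NoDriveTypeAutoRun policy value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer; 0xFF disables Autorun for every drive type, which is the state a cleaned machine should end up in regardless of which tool got it there.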
07-31-2008, 08:03 PM   #8
Registered User
Join Date: Jun 2008
Posts: 16
OS: win xp, service pack II


Re: Infrom.exe Trojan Horses

I sent the autorun.inf.vir to the malware submission.

I wasn't able to find infrom.exe; my antivirus is not locating it. When I used ComboFix a month ago with another malware forum, it was fixed, but then came back. I assumed that it was still currently in my system. I don't understand why it's not showing up.

Are you able to see errors that could be slowing down my computer as well?
Posted by BrentDemers
07-31-2008, 10:17 PM   #9
Registered User
Join Date: Jun 2008
Posts: 16
OS: win xp, service pack II


Re: Infrom.exe Trojan Horses

I've also noticed when I restart my computer... the external hard drive (connected by FireWire) must be disconnected to continue with booting up my computer (this was not like this before).

My computer runs very hot. It runs at 85 degrees C, when it used to run at 67 degrees C.
Posted by BrentDemers
07-31-2008, 11:02 PM   #10
Expert Analyst, Moderator, Security Team
Join Date: Sep 2006
Posts: 1,320
OS: xp


Re: Infrom.exe Trojan Horses

To confirm, where is that autorun exactly?
D:, I assume?
And why does it have a .vir extension?
Posted by LonnyRJones
08-01-2008, 04:46 AM   #11
Expert Analyst, Moderator, Security Team
Join Date: Sep 2006
Posts: 1,320
OS: xp


Re: Infrom.exe Trojan Horses

Quote:
    My computer runs very hot. It runs at 85 degrees C, when it used to run at 67 degrees C.
Even 67 is high, I believe.
I suggest you post in the hardware section of the forum and not use the PC except when absolutely necessary.
http://www.techsupportforum.com/hard...ards-bios-cpu/
Posted by LonnyRJones
08-01-2008, 05:37 PM   #12
Registered User
Join Date: Jun 2008
Posts: 16
OS: win xp, service pack II


Re: Infrom.exe Trojan Horses

E:\RUNAUT~1\ (Flash Drive)

and

D:\autorun\ (External Hard Drive)

These are quarantined in the "backup files" right now in my Symantec virus scan... I'm confused about which autorun is which.... I sent the file autorun.inf.vir (C:\QooBox\Quarantine\D\autorun.inf.vir) to the malware submit site. I'm a little lost as to whether that was the right one to send.

My computer has been freezing... where I have to restart, but it won't restart on its own (it gets stuck on the blue Windows screen where it says "Windows is preparing to shut down"). I have to manually hold the power button to un-freeze and restart, then unplug my external hard drive because if it's plugged in it will remain stuck (on the black Windows loading screen right before boot up).

It's never been this bad before... what do you suggest?
Posted by BrentDemers
08-02-2008, 09:05 AM   #13
Registered User
Join Date: Jun 2008
Posts: 16
OS: win xp, service pack II


Re: Infrom.exe Trojan Horses

I've noticed that when my external and flash drives are in, that's when my computer starts to freeze up (especially when I try to access files from these drives). I tried to scan for viruses, but my Symantec virus program can't locate the drives (they don't show up, as if they don't exist).

I'm getting nervous about this because I store everything on my external hard drive.
Posted by BrentDemers
08-02-2008, 10:17 AM   #14
Registered User
Join Date: Jun 2008
Posts: 16
OS: win xp, service pack II


Re: Infrom.exe Trojan Horses

I didn't see the message that you sent. I just got it. I did what you said, but I couldn't do the first part, because I have no access to my external drive (as I mentioned in the previous two posts). I continued on to the fixme.reg file and did that. Nothing seemed to happen. (I have my external hard drive unplugged because it's causing complications, and I need my computer right now.)
Posted by BrentDemers
08-02-2008, 08:33 PM   #15
Expert Analyst, Moderator, Security Team
Join Date: Sep 2006
Posts: 1,320
OS: xp


Re: Infrom.exe Trojan Horses

Please do start a topic in that hardware section ASAP.