Tech Support Forum > Security Center > HijackThis Log Help > Resolved HJT Threads
Post #1 | 03-24-2007, 02:43 PM | strobelfamily (Registered User, Join Date: Mar 2007, OS: winXP)

Rustock.gen! C Thread and Problem

Ok...Hello...I found a thread on this site about the Rustock.gen! C virus and I am willing (although not happy) to read everything from the original thread between Coachkd89 and Ried but before I jump in to doing that...I'm wondering if it will do me much good to read all of the previously posted information or should I just follow Ried's first set of instructions and post my results for analysis?

I know I have this virus, or at least that's what the MS web site tells me every time my system recovers from a re-boot, which is now happening every time I try to install a new antivirus software. Yea!

I originally had problems getting Norton's AntiVirus 2007 to update correctly through their liveupdate site following a new installation from CD that was immediately after a removal of Norton's AntiVirus 2004. I've never successfully completed the update to liveupdate with this software. Now every time I try to load Windows Live OneCare as an alternative AntiVirus my computer reboots.

Any help is greatly appreciated.

Laura
Post #2 | 03-24-2007, 04:02 PM | sUBs (Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy; Join Date: May 2005, OS: XP)

1. Download this file -> http://download.bleepingcomputer.com...a/ComboFix.exe

2. Double click on combofix.exe & follow the prompts.

3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
Post #3 | 03-24-2007, 04:52 PM | strobelfamily (OS: winXP)

"Laura Strobel" - 07-03-24 17:40:59 Service Pack 2
ComboFix 07-03-23 - Running from: "C:\Documents and Settings\Laura Strobel\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\U.exe
C:\setup.exe
C:\WINDOWS\system32\msvcrl.dll
C:\WINDOWS\system32\lzx32.sys


((((((((((((((((((((((((((((((( Files Created from 2007-02-24 to 2007-03-24 ))))))))))))))))))))))))))))))))))


2007-03-24 16:32 <DIR> d-------- C:\DOCUME~1\LAURAS~1\APPLIC~1\Lavasoft
2007-03-24 14:00 <DIR> d-------- C:\{8000D287-0000-0000-2408-7FCE950D2B54}
2007-03-24 14:00 <DIR> d-------- C:\{80005CEC-0000-0000-28B1-C2D718D9259D}
2007-03-24 12:06 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-03-24 11:07 <DIR> d-------- C:\Program Files\Symantec
2007-03-24 11:07 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2007-03-23 20:57 84,992 --a------ C:\WINDOWS\csm.exe
2007-03-23 20:57 81,408 --a------ C:\WINDOWS\installer.exe
2007-03-23 20:57 23,552 --a------ C:\WINDOWS\system32\uvcx.exe
2007-03-22 14:57 <DIR> d-------- C:\MT123


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

Rootkit driver pe386 is present. ... attempting disinfection
pe386 ... driver unloaded successfully. Run ADS scan for remnant driver file

2007-03-24 14:09 -------- d-------- C:\Program Files\Common Files\symantec shared
2007-03-24 12:32 -------- d-------- C:\Program Files\quicktime
2007-03-24 10:22 15946 --a------ C:\WINDOWS\system32\ansirget.dll
2007-02-25 11:02 -------- d-------- C:\DOCUME~1\LAURAS~1\APPLIC~1\yahoo!
2007-02-24 04:50 -------- d-------- C:\Program Files\yahoo!
2007-02-13 15:04 254464 --a------ C:\WINDOWS\system32\logixcrt.dll
2007-02-07 17:11 -------- d--h----- C:\Program Files\installshield installation information
2007-02-07 17:11 -------- d-------- C:\Program Files\google
2007-01-31 12:13 -------- d-------- C:\Program Files\pccloneex
2007-01-30 12:04 -------- d-------- C:\Program Files\the learning company
2007-01-08 20:01 17408 --a------ C:\WINDOWS\system32\corpol.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"PPWebCap"="C:\\PROGRA~1\\ScanSoft\\PAPERP~1\\PPWebCap.exe"
"ATI Launchpad"="\"C:\\Program Files\\ATI Multimedia\\main\\LaunchPd.exe\""
"Yahoo! Pager"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"
"Spyware Doctor"="C:\\PROGRA~1\\SPYWAR~2\\swdoctor.exe /Q"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"OneTouch Monitor"="C:\\PROGRA~1\\VISION~1\\ONETOU~2.EXE"
"IPInSightMonitor 01"="\"C:\\Program Files\\SBC Yahoo!\\Connection Manager\\IP InSight\\IPMon32.exe\""
"SM1BG"="C:\\WINDOWS\\SM1BG.EXE"
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"nwiz"="nwiz.exe /install"
"NVIDIA nForce APU1 Utilities"="NVATray.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"QuickFinder Scheduler"="\"C:\\Program Files\\WordPerfect Office 11\\Programs\\QFSCHD110.EXE\""
"HP Software Update"="\"C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe\""
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"Microsoft Works Update Detection"="C:\\Program Files\\Common Files\\Microsoft Shared\\Works Shared\\WkUFind.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"RegistryMechanic"="C:\\Program Files\\Registry Mechanic\\RegMech.exe /QS"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\DSS]
@="C:\\WINDOWS\\\\BBStore\\DSS\\dssagent.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKCU"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"="NVDESK32.DLL"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"
"Midemres"="{CAC4FC89-105D-4237-AB44-E4A9FF403879}"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
"GURL01"="C:\\WINDOWS\\System32\\gdwfil.dll"
"PHR01"="C:\\WINDOWS\\System32\\usrfil.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0

*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_MCHINJDRV


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\User_Feed_Synchronization-{39709331-3275-44EF-9325-B6A67FD0BC8A}.job


********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-03-24 17:48:57
Post #4 | 03-24-2007, 05:18 PM | sUBs (OS: XP)

Looks good. Your system should be less sluggish now.

What type of antivirus program do you have installed on this machine?


---------------


Open notepad and copy/paste the text in the quotebox below:
(don't forget to copy and paste REGEDIT4)

Quote:
REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\DSS]

[-HKEY_CLASSES_ROOT\CLSID\{CAC4FC89-105D-4237-AB44-E4A9FF403879}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"Midemres"=-

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"GURL01"=-
"PHR01"=-
Save this as fix.reg. Choose to "Save type as - All Files".
It should look like this:
Double click on fix.reg & allow it to merge into the registry.

Reboot the machine before proceeding to the next step


---------------


If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools → Folder Options → View tab.
  • Tick - 'Show hidden files and folders'
  • Untick - 'Hide file extensions for known types'
  • Untick - 'Hide protected operating system files'
  • Click Yes to confirm & then click OK
Locate and delete the following files/folders: (let me know if you fail to find/delete any)
  • C:\WINDOWS\csm.exe
    C:\WINDOWS\installer.exe
    C:\WINDOWS\system32\uvcx.exe
    C:\WINDOWS\\BBStore\DSS\dssagent.exe
    C:\WINDOWS\System32\gdwfil.dll
    C:\WINDOWS\System32\usrfil.dll

-----------


Please take a look inside these folders & tell me what's in them:

* C:\{8000D287-0000-0000-2408-7FCE950D2B54}
* C:\{80005CEC-0000-0000-28B1-C2D718D9259D}
* C:\MT123



-----------


Please download the Suspicious File Packer → http://www.safer-networking.org/files/sfp.zip
Unzip it to the desktop and run it.
Paste the following list of filepaths into the Suspicious File Packer window:

C:\WINDOWS\system32\ansirget.dll
C:\WINDOWS\system32\logixcrt.dll


Allow SFP to pack the files. This will generate a CAB archive on your desktop.
Please submit it to this site → http://www.bleepingcomputer.com/subm....php?channel=4
Please include a link to this topic in the message.


-----------


We shall proceed with the disinfection after your next reply.
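Added example (editor's own Python; not ComboFix output and not code from any post in this thread): a triage pass over the two log sections the analyst worked from in post #3, the 'Files Created' listing and the 'Reg Loading Points' dump. It groups newly created PE files by creation minute (csm.exe, installer.exe and uvcx.exe land in one 20:57 cluster), flags Run-key entries launched from outside Program Files or system32, flags ShellServiceObjectDelayLoad CLSIDs missing from a known-good baseline, and flags any value other than SecurityProviders under the SecurityProviders key. The heuristics, the trusted-directory list and the one-entry SSODL baseline are the editor's assumptions. A flag means "look at this", not "malicious": SM1BG.EXE is flagged only because it runs from the Windows root, and the analyst above left it alone. The embedded sample is an excerpt of the log in post #3.

```python
"""Triage pass over a ComboFix-style log (added example; editor's own code, not
ComboFix's and not from any post in this thread). Reads the 'Files Created' listing
and the 'Reg Loading Points' dump and flags what to look at first. A flag means
'review', not 'malicious'; the heuristics and trusted paths are the editor's own.
"""
import re
from collections import defaultdict

PE_EXT = (".exe", ".dll", ".sys")
# 8.3 short names (PROGRA~1) also appear in these logs, so both spellings are trusted.
TRUSTED_DIRS = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\system32\\")
# SSODL baseline: only the entry already present in this machine's log (UPnPMonitor).
# Replace with a baseline taken from a known-clean XP install (assumption).
KNOWN_SSODL = {"{e57ce738-33e8-4c51-8354-bb4de9d215d1}"}

FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+\S+\s+(.+)$")
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(@|"[^"]+")=(.*)$')

# Excerpt of the ComboFix log in post #3, trimmed to the lines the rules need.
SAMPLE_LOG = r"""
((((( Files Created from 2007-02-24 to 2007-03-24 )))))
2007-03-24 14:00 <DIR> d-------- C:\{8000D287-0000-0000-2408-7FCE950D2B54}
2007-03-23 20:57 84,992 --a------ C:\WINDOWS\csm.exe
2007-03-23 20:57 81,408 --a------ C:\WINDOWS\installer.exe
2007-03-23 20:57 23,552 --a------ C:\WINDOWS\system32\uvcx.exe
2007-03-22 14:57 <DIR> d-------- C:\MT123

((((( Reg Loading Points )))))
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SM1BG"="C:\\WINDOWS\\SM1BG.EXE"
"RegistryMechanic"="C:\\Program Files\\Registry Mechanic\\RegMech.exe /QS"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\DSS]
@="C:\\WINDOWS\\\\BBStore\\DSS\\dssagent.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"
"Midemres"="{CAC4FC89-105D-4237-AB44-E4A9FF403879}"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
"GURL01"="C:\\WINDOWS\\System32\\gdwfil.dll"
"PHR01"="C:\\WINDOWS\\System32\\usrfil.dll"
"""


def exe_path(data):
    """Reduce a .reg-style string value (outer quotes, doubled backslashes, optional
    embedded quotes and arguments) to the bare path of the file it launches."""
    if len(data) >= 2 and data[0] == data[-1] == '"':
        data = data[1:-1]
    s = data.replace("\\\\", "\\").replace('\\"', '"')
    m = re.match(r'^"?([^"]*?\.(?:exe|dll|sys))', s, re.I)
    return m.group(1) if m else s.strip('"')


def triage(log_text):
    by_minute = defaultdict(list)
    run_hits, ssodl_hits, secprov_hits = [], [], []
    key = ""
    for line in (ln.strip() for ln in log_text.splitlines()):
        m = FILE_RE.match(line)
        if m:                                    # 'Files Created' entry
            stamp, size, path = m.groups()
            if size != "<DIR>" and path.lower().endswith(PE_EXT):
                by_minute[stamp].append(path)
            continue
        m = KEY_RE.match(line)
        if m:                                    # registry key header
            key = m.group(1).lower()
            continue
        m = VALUE_RE.match(line)
        if not m or not key:
            continue
        name, data = m.group(1).strip('"'), m.group(2)
        if "\\currentversion\\run" in key:        # Run, RunOnce and their subkeys
            path = exe_path(data)
            if not path.lower().startswith(TRUSTED_DIRS):
                run_hits.append((key, name, path))
        elif key.endswith("shellserviceobjectdelayload"):
            clsid = data.strip('"').lower()
            if clsid not in KNOWN_SSODL:
                ssodl_hits.append((name, clsid))
        elif key.endswith("\\securityproviders") and name != "SecurityProviders":
            secprov_hits.append((name, exe_path(data)))  # key normally holds one value
    # Two or more PE files written in the same minute: a dropper's component set.
    clusters = {k: v for k, v in by_minute.items() if len(v) >= 2}
    return {"file_clusters": clusters, "run": run_hits,
            "ssodl": ssodl_hits, "securityproviders": secprov_hits}


if __name__ == "__main__":
    for section, hits in triage(SAMPLE_LOG).items():
        print(section)
        for hit in (hits.items() if isinstance(hits, dict) else hits):
            print("   ", hit)
```

Run against the excerpt, the rules reproduce the set removed by fix.reg (the DSS Run subkey, Midemres, GURL01 and PHR01) plus the 20:57 file cluster, with no signature involved: on a log like this, location and timing alone pick out the review set.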
Post #5 | 03-24-2007, 05:28 PM | strobelfamily (OS: winXP)

Right now there is absolutely no AntiVirus software on the computer because it (Norton AntiVirus 2007) failed to load and update properly after multiple (8+) attempts to load from CD and 3 online chats with their tech support yesterday. My husband then surfed the internet for about an hour last night and this morning when I attempted to try again I had the problem with the Rustock.gen! C file. I didn't even have a web browser that worked when I first turned the computer on.

Windows said the Rustock.gen! C virus was the problem and so I spent about 3 hours trying to get rid of it before I found this forum. I tried to install Windows Live OneCare as an alternative (like I stated in my original post) and every time I try to install it the computer re-boots.

I am now going to work on the rest of your instructions. I'll post results and other answers in as few minutes as possible.

Thanks,
Laura
Post #6 | 03-24-2007, 05:33 PM | sUBs (OS: XP)

Norton's not my favourite choice of antivirus programs but since you already have it, please try installing it now.

Rustock (pe386) is neutralised. We only need to go after the leftovers.
Post #7 | 03-24-2007, 06:21 PM | strobelfamily (OS: winXP)

Ok...I was successful in the fix.reg instructions and re-booted the machine.

I was able to delete all the files you instructed me to with one exception...
C:\WINDOWS\BBStore\DSS folder was empty so I couldn't delete the dssagent.exe file.

The file contents you asked for is listed below...
c:\{8000D287-0000-0000-2408 (etc). and the other folder with this odd name both contained a DATA.CAB (winzip file) and manifest.ini (configuration file)

C:\MT123 contained....
Folders: Algebra, DataMan, Geometry, Measure, Number, xtras
Files: awiml32.dll, dvd.dll, fontmap.txt, install.log, journal, js32.dll, login.exe, MT123_Reward, MT123LST.txt, MT123icon.ico, Remove.exe, settings.ini, unwise.exe and VCT32161.dll

The CAB archive was submitted successfully and I was told to let you know that.

Lastly I tried to install my Norton (I hate that software too but I hate McAfee even more and haven't heard of a better suggestion) and it tells me that liveupdate is running in the background and it can't complete the install. The odd thing is that the last thing I did yesterday before shutting off the computer (before my husband turned it back on) was to run the Norton Removal Tool. It said that was successful but apparently not.

What is your suggestion for a better virus software? I am so ready to dump Norton.

Thanks,
Laura
Post #8 | 03-24-2007, 06:42 PM | sUBs (OS: XP)

I had a look at the 2 files submitted. Please delete ansirget.dll. The other one is okay.

C:\MT123 appears to be related to some learning software. Probably came in with the same product that installed this other folder - `C:\Program Files\the learning company'. Should be okay to ignore.

The {8000D287-0000-0000-xxxx-xxxxxxxxx} folders are still question marks. From your description, it sounds like some sort of temporary folder created during a software installation.
Both were created on this date - 2007-03-24 14:00. Can you recall what you were doing at that time? Please double-click on those manifest.ini's & post their contents here.


------------


Before any new antivirus programs can be installed on the machine, we shall need to fully remove Norton. Like firewalls, anti-virus programs have conflicts co-existing with each other & may produce undesirable conflicts. Please try the Norton Removal Tool once more. Let's see if it removes it cleanly.


As for recommended AV programs, here's a link to a good & free antivirus program - ActiveVirusShield. It's powered by Kaspersky


If you're seeking to purchase, I would recommend either of these:
  1. Kaspersky - Has a comprehensive scanner but a bit of a resource hog. Recommended only for fast computers.
  2. Nod32 - light on resources & has fastest scanner engine. This is the one I have on my main machine

Both of the above have trial versions which you can try before purchase
Post #9 | 03-24-2007, 08:12 PM | strobelfamily (OS: winXP)

Contents of Manifest.ini files......

[QUARANTINE]
ID={8000D287-0000-0000-2408-7FCE950D2B54}
VERSION=1.2306
RESOURCES=2
[TIMESTAMP]
VALUE=0x1C76E46BBE7F7FA
[INFECTION_INFO]
NAME=Trojan:JS/Loop
THREATID=2147537543
[RESOURCE1]
SCHEMA=file
NAME=\\?\C:\Documents and Settings\Laura Strobel\Desktop\Internet Downloads\HTML Editor\setup.exe
NAMESIZE=93
ATTRIBUTES=32
PHYSPATH=C:\Documents and Settings\Laura Strobel\Desktop\Internet Downloads\HTML Editor\setup.exe
PHYSSIZE=89
[RESOURCE2]
SCHEMA=file
NAME=\\?\C:\Documents and Settings\Laura Strobel\Desktop\Internet Downloads\HTML Editor\1stpage2.zip
NAMESIZE=96
ATTRIBUTES=32
PHYSPATH=C:\Documents and Settings\Laura Strobel\Desktop\Internet Downloads\HTML Editor\1stpage2.zip
PHYSSIZE=92


[QUARANTINE]
ID={80005CEC-0000-0000-28B1-C2D718D9259D}
VERSION=1.2306
RESOURCES=1
[TIMESTAMP]
VALUE=0x1C76E46BBA9FAD6
[INFECTION_INFO]
NAME=TrojanDownloader:Win32/VB.AH
THREATID=2147507436
[RESOURCE1]
SCHEMA=file
NAME=\\?\C:\WINDOWS\syswast.exe
NAMESIZE=27
ATTRIBUTES=32
PHYSPATH=C:\WINDOWS\syswast.exe
PHYSSIZE=23

What I was doing at the time these were created is most likely trying to install the MS OneCare Virus software. Norton wasn't loading properly and still isn't loading properly.

I have run Norton Removal Tool, removed all other references as instructed by their tech support yesterday, reinstalled from their web site and it still won't update the virus definitions through liveupdate.symantecliveupdate.com. I can run the liveupdate on other computers I own so I'm pretty sure the problems still reside in this computer somehow.
Post #10 | 03-24-2007, 08:52 PM | sUBs (OS: XP)

Those are quarantine folders created by MS OneCare. Please delete them.


-----------


Please perform an online scan using Internet Explorer at http://www.kaspersky.com/virusscanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. We only require a report from it.
    It does not provide an option to clean/disinfect.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
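Added example (editor's own Python; not OneCare's code and not from any post in this thread): a reader for the two manifest.ini files posted in #9, showing what a OneCare quarantine record actually encodes and how to check it. The section layout ([QUARANTINE], [TIMESTAMP], [INFECTION_INFO], [RESOURCEn]) is inferred from those two files. Two further assumptions are made and checked against the posted data: TIMESTAMP VALUE is a Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC), and NAMESIZE/PHYSSIZE count the string plus one terminating NUL. Decoded, both timestamps fall at 19:00:47 and 19:00:48 UTC on 2007-03-24, i.e. 14:00 at UTC-5, which matches the creation time of the two {...} folders in the ComboFix log; the UTC-5 offset is an assumption used for display only, since the thread never states the machine's time zone.

```python
"""Reader for OneCare quarantine manifest.ini files (added example; editor's own code,
not OneCare's and not from this thread). Assumptions, checked against the two files
posted in #9: TIMESTAMP VALUE is a Windows FILETIME (100-ns ticks since 1601-01-01
UTC); NAMESIZE/PHYSSIZE are string lengths plus one terminating NUL.
"""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Display offset only (assumption): UTC-5 makes the decoded times match the 14:00
# folder timestamps in the ComboFix log. The thread never states the time zone.
DISPLAY_TZ = timezone(timedelta(hours=-5))

# The two manifest.ini files from post #9, verbatim, concatenated.
SAMPLE_MANIFESTS = r"""
[QUARANTINE]
ID={8000D287-0000-0000-2408-7FCE950D2B54}
VERSION=1.2306
RESOURCES=2
[TIMESTAMP]
VALUE=0x1C76E46BBE7F7FA
[INFECTION_INFO]
NAME=Trojan:JS/Loop
THREATID=2147537543
[RESOURCE1]
SCHEMA=file
NAME=\\?\C:\Documents and Settings\Laura Strobel\Desktop\Internet Downloads\HTML Editor\setup.exe
NAMESIZE=93
ATTRIBUTES=32
PHYSPATH=C:\Documents and Settings\Laura Strobel\Desktop\Internet Downloads\HTML Editor\setup.exe
PHYSSIZE=89
[RESOURCE2]
SCHEMA=file
NAME=\\?\C:\Documents and Settings\Laura Strobel\Desktop\Internet Downloads\HTML Editor\1stpage2.zip
NAMESIZE=96
ATTRIBUTES=32
PHYSPATH=C:\Documents and Settings\Laura Strobel\Desktop\Internet Downloads\HTML Editor\1stpage2.zip
PHYSSIZE=92

[QUARANTINE]
ID={80005CEC-0000-0000-28B1-C2D718D9259D}
VERSION=1.2306
RESOURCES=1
[TIMESTAMP]
VALUE=0x1C76E46BBA9FAD6
[INFECTION_INFO]
NAME=TrojanDownloader:Win32/VB.AH
THREATID=2147507436
[RESOURCE1]
SCHEMA=file
NAME=\\?\C:\WINDOWS\syswast.exe
NAMESIZE=27
ATTRIBUTES=32
PHYSPATH=C:\WINDOWS\syswast.exe
PHYSSIZE=23
"""


def filetime_to_datetime(ticks):
    """FILETIME tick count -> aware UTC datetime (microsecond precision)."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_manifests(text):
    """Split concatenated manifest.ini text into one dict per [QUARANTINE] block."""
    records, cur, section = [], None, None
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if line[0] == "[" and line[-1] == "]":
            section = line[1:-1].upper()
            if section == "QUARANTINE":
                cur = {"resources": []}
                records.append(cur)
            elif section.startswith("RESOURCE") and cur is not None:
                cur["resources"].append({})
            continue
        if cur is None or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        key = key.upper()
        if section == "QUARANTINE" and key == "RESOURCES":
            cur["declared_resources"] = int(value)
        elif section == "TIMESTAMP" and key == "VALUE":
            cur["quarantined_utc"] = filetime_to_datetime(int(value, 16))
        elif section.startswith("RESOURCE") and cur["resources"]:
            cur["resources"][-1][key.lower()] = value   # schema, name, physpath, sizes
        else:
            cur[key.lower()] = value                    # id, version, name, threatid
    return records


def sizes_consistent(rec):
    """Verify the record's own bookkeeping: resource count and NUL-inclusive lengths."""
    if rec.get("declared_resources") != len(rec["resources"]):
        return False
    return all(len(r["name"]) + 1 == int(r["namesize"]) and
               len(r["physpath"]) + 1 == int(r["physsize"]) for r in rec["resources"])


def summarize(rec):
    when = rec["quarantined_utc"].astimezone(DISPLAY_TZ).strftime("%Y-%m-%d %H:%M:%S")
    return f"{when}  {rec['name']}  <-  " + ", ".join(r["physpath"] for r in rec["resources"])


if __name__ == "__main__":
    for rec in parse_manifests(SAMPLE_MANIFESTS):
        print(summarize(rec), "(sizes ok)" if sizes_consistent(rec) else "(size mismatch)")
```

The size check is what makes the FILETIME and NUL assumptions worth stating: both records pass it, and both decode to the same second, so the two folders are one OneCare action that quarantined three files, two of them from a downloaded "HTML Editor" installer and one from C:\WINDOWS.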
Post #11 | 03-24-2007, 11:58 PM | strobelfamily (OS: winXP)

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, March 25, 2007 12:57:55 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 25/03/2007
Kaspersky Anti-Virus database records: 285556
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 91798
Number of viruses found: 5
Number of infected objects: 12 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:13:00

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\AOL\AVP6\Report\eventlog.rpt Object is locked skipped
C:\Documents and Settings\Laura Strobel\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Laura Strobel\Desktop\Internet Downloads\Music\BSINSTALL.exe/WISE0024.BIN/data0001.cab/VVSN.exe Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped
C:\Documents and Settings\Laura Strobel\Desktop\Internet Downloads\Music\BSINSTALL.exe/WISE0024.BIN/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped
C:\Documents and Settings\Laura Strobel\Desktop\Internet Downloads\Music\BSINSTALL.exe/WISE0024.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped
C:\Documents and Settings\Laura Strobel\Desktop\Internet Downloads\Music\BSINSTALL.exe WiseSFX: infected - 3 skipped
C:\Documents and Settings\Laura Strobel\Desktop\Internet Downloads\Music\BSINSTALL.exe WiseSFX Dropper: infected - 3 skipped
C:\Documents and Settings\Laura Strobel\Desktop\Internet Downloads\screensaversinstaller.exe Infected: not-a-virus:AdWare.Win32.Comet.bc skipped
C:\Documents and Settings\Laura Strobel\Local Settings\Application Data\ApplicationHistory\hpqgalry.exe.cf8dd223.ini.inuse Object is locked skipped
C:\Documents and Settings\Laura Strobel\Local Settings\Application Data\HP\Digital Imaging\db\administrativeInfo.dbf Object is locked skipped
C:\Documents and Settings\Laura Strobel\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.cdx Object is locked skipped
C:\Documents and Settings\Laura Strobel\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.dbf Object is locked skipped
C:\Documents and Settings\Laura Strobel\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.cdx Object is locked skipped
C:\Documents and Settings\Laura Strobel\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.dbf Object is locked skipped
C:\Documents and Settings\Laura Strobel\Local Settings\Application Data\HP\Digital Imaging\db\CB_Server_Errors.txt Object is locked skipped
C:\Documents and Settings\Laura Strobel\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.cdx Object is locked skipped
C:\Documents and Settings\Laura Strobel\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.dbf Object is locked skipped
C:\Documents and Settings\Laura Strobel\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.cdx Object is locked skipped
C:\Documents and Settings\Laura Strobel\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.dbf Object is locked skipped
C:\Documents and Settings\Laura Strobel\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.fpt Object is locked skipped
C:\Documents and Settings\Laura Strobel\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.cdx Object is locked skipped
C:\Documents and Settings\Laura Strobel\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.dbf Object is locked skipped
C:\Documents and Settings\Laura Strobel\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.cdx Object is locked skipped
C:\Documents and Settings\Laura Strobel\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.dbf Object is locked skipped
C:\Documents and Settings\Laura Strobel\Local Settings\Application Data\HP\Digital Imaging\db\managedFolderTable.dbf Object is locked skipped
C:\Documents and Settings\Laura Strobel\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.cdx Object is locked skipped
C:\Documents and Settings\Laura Strobel\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.dbf Object is locked skipped
C:\Documents and Settings\Laura Strobel\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.cdx Object is locked skipped
C:\Documents and Settings\Laura Strobel\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.dbf Object is locked skipped
C:\Documents and Settings\Laura Strobel\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.cdx Object is locked skipped
C:\Documents and Settings\Laura Strobel\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.dbf Object is locked skipped
C:\Documents and Settings\Laura Strobel\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Laura Strobel\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Laura Strobel\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Laura Strobel\Local Settings\History\History.IE5\MSHist012007032420070325\index.dat Object is locked skipped
C:\Documents and Settings\Laura Strobel\Local Settings\Temp\hpodvd09.log Object is locked skipped
C:\Documents and Settings\Laura Strobel\Local Settings\Temp\Perflib_Perfdata_634.dat Object is locked skipped
C:\Documents and Settings\Laura Strobel\Local Settings\Temp\~DF35CE.tmp Object is locked skipped
C:\Documents and Settings\Laura Strobel\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Laura Strobel\ntuser.dat Object is locked skipped
C:\Documents and Settings\Laura Strobel\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\HP\hpcoretech\hpcmerr.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{66436E90-B0E5-4F60-8785-39471453B8E8}\RP778\A0166270.dll Infected: Trojan-Spy.Win32.Goldun.ms skipped
C:\System Volume Information\_restore{66436E90-B0E5-4F60-8785-39471453B8E8}\RP778\A0172688.exe Infected: Trojan-Downloader.Win32.Small.cul skipped
C:\System Volume Information\_restore{66436E90-B0E5-4F60-8785-39471453B8E8}\RP778\A0172693.dll Infected: Trojan-Spy.Win32.Goldun.ms skipped
C:\System Volume Information\_restore{66436E90-B0E5-4F60-8785-39471453B8E8}\RP781\A0173609.exe Infected: Trojan-Downloader.Win32.Small.cul skipped
C:\System Volume Information\_restore{66436E90-B0E5-4F60-8785-39471453B8E8}\RP783\change.log Object is locked skipped
C:\WINDOWS\ast_5_main.exe/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.AdWast.a skipped
C:\WINDOWS\ast_5_main.exe WiseSFX: infected - 1 skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{C92234B0-8EEF-4B27-BA47-454D7F4EED33}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.idx Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
Post #12 | 03-25-2007, 12:02 AM | sUBs (OS: XP)

Please delete these:

* C:\Documents and Settings\Laura Strobel\Desktop\Internet Downloads\Music\BSINSTALL.exe
* C:\Documents and Settings\Laura Strobel\Desktop\Internet Downloads\screensaversinstaller.exe
* C:\WINDOWS\ast_5_main.exe


Then clear the infected files from System Restore's cache by doing this...

Go to Start → Run → type control sysdm.cpl,,4 & press Enter
  • Tick on the checkbox - Turn off System Restore on all drives
  • Click Apply
Turn it back 'On' by unticking the same checkbox & click OK


--------------


Have we managed to get rid of Norton yet?
Post #13 | 03-25-2007, 12:15 AM | strobelfamily (OS: winXP)

Ok...that is done.

As far as Norton goes I have run the Norton Removal Tool again but I know there are still remnants of the software in certain places. I did not go and delete everything again after running the removal tool after the last failed attempt. I can do that though if I need to. I just have to delete a lot and reboot 3 or 4 times before it says that it is all gone.
Post #14 | 03-25-2007, 12:24 AM | sUBs (OS: XP)

Best make it a clean removal.

I have seen from past experience where those remnants have rendered a machine unusable. Programs like these sink their hooks deep into the operating system.
Post #15 | 03-25-2007, 01:06 AM | strobelfamily