Resolved HJT Threads Resolved spyware and popup issues.

 
 
Old 04-10-2009, 10:35 PM   #1 (permalink)
Registered User
 
Join Date: Sep 2004
Posts: 91
OS: Win XP


Worm infection, suspect worm_vb.npm

Hi, I ran ComboFix before I came to the forum. The computer would not boot into Windows using a normal boot. It would hang at the black Windows screen displaying the progress indicator. The progress bar would continue to show progress, but the system was stalled and would not go any further. In the past I had used ComboFix to alleviate infections which wouldn't allow Windows to boot normally. After ComboFix I was able to boot into Windows, but there are still issues. ComboFix found and quarantined an "autorun.inf" file that was executing a file named info.exe. In the "Qoobox" folder the .inf file name was "info.exe folder.htt 480 480". After running ComboFix I then went to the Run command and uninstalled ComboFix by running "ComboFix /u". The machine still stalls from time to time during boot and must be shut down by turning off the power and restarting. I tried to run an online scan using TrendMicro and am not allowed to connect to the step that allows their scanning engine to determine the platform. The browser goes to "Unable to connect...".

I downloaded the utilities you requested in your sticky.
Your assistance would be greatly appreciated.

Logfile and attachment below:


DDS (Ver_09-03-16.01) - NTFSx86
Run by Owner at 20:15:48.26 on Fri 04/10/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.652 [GMT -7:00]

AV: Norton Internet Security *On-access scanning disabled* (Updated)
FW: Norton Internet Security *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\BigFix\BigFix.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\16.5.0.135\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\16.5.0.135\IPSBHO.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\16.5.0.135\coIEPlg.dll
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [CHotkey] zHotkey.exe
mRun: [ShowWnd] ShowWnd.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [SunKistEM] c:\program files\digital media reader\shwiconem.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop elements 4.0\apdproxy.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [USB2Check] RUNDLL32.EXE "c:\windows\system32\PCLECoInst.dll",CheckUSBController
mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bigfix.lnk - c:\program files\bigfix\BigFix.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\interv~1.lnk - c:\program files\intervideo\common\bin\WinCinemaMgr.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1234832712156
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton internet security\engine\16.5.0.135\CoIEPlg.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1005000.087\SymEFA.sys [2009-3-20 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nis\1005000.087\BHDrvx86.sys [2009-3-20 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1005000.087\cchpx86.sys [2009-3-20 482352]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090408.002\IDSXpx86.sys [2009-4-10 276344]
R2 CX88XBAR;AVerMedia AVerTV MPEG Crossbar (Dual-Input);c:\windows\system32\drivers\A88BarBB.sys [2009-2-16 10112]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 Norton Internet Security;Norton Internet Security;c:\program files\norton internet security\engine\16.5.0.135\ccSvcHst.exe [2009-3-20 115560]
R3 CXAVSAUD;AVerMedia AVerTV AvStream Audio Capture;c:\windows\system32\drivers\A88AudBB.sys [2009-2-16 9216]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-2-25 101936]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090410.003\NAVENG.SYS [2009-4-10 89104]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090410.003\NAVEX15.SYS [2009-4-10 876144]

=============== Created Last 30 ================

2009-04-10 15:05 <DIR> --d----- C:\ComboFix
2009-04-10 14:40 <DIR> a-dshr-- C:\cmdcons
2009-03-26 17:37 <DIR> --d----- C:\Temp

==================== Find3M ====================

2009-03-20 16:36 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-03-20 16:36 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-03-20 16:36 7,386 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-03-20 16:36 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-03-12 02:03 36,400 a----r-- c:\windows\system32\drivers\SymIM.sys
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-22 12:59 68,965 a------- c:\windows\hpoins05.dat
2009-02-17 09:15 109,568 -------- c:\windows\system32\pxinsi64.exe
2009-02-17 09:15 108,544 -------- c:\windows\system32\pxcpyi64.exe
2009-02-17 09:15 20,640 -------- c:\windows\system32\drivers\pxhelp20.sys
2009-02-16 20:59 86,811 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-02-16 18:59 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-02-09 04:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-01-19 15:08 524,288 a------- c:\windows\opuc.dll

============= FINISH: 20:16:24.56 ===============
Attached Files
File Type: zip Attach.zip (3.6 KB, 2 views)
Keith_R is offline  

Old 04-11-2009, 12:37 AM   #2 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,968
OS: WinXP and Vista


Re: Worm infection, suspect worm_vb.npm

Post the ComboFix.txt please.

Regarding your continued use of ComboFix on your own, I'd like to draw your attention to this post in our sticky topic.

Quote:
Why we don't ask you to run ComboFix from the onset

As stated by the author of ComboFix:

ComboFix is a very powerful tool which when improperly used may render your machine to a doorstop.

We first need to verify if there's any rootkits present and how they could affect our tools. DDS & GMER are preliminary scans. We use their logs to map our strategy for attack.

With these logs we can determine the infections present & decide whether to deploy ComboFix.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

Last edited by Ried; 04-11-2009 at 12:38 AM.
Ried is offline  
Old 04-11-2009, 08:44 AM   #3 (permalink)
Registered User
 
Join Date: Sep 2004
Posts: 91
OS: Win XP


Re: Worm infection, suspect worm_vb.npm

Thanks for your reply. The only way I could even boot the system was in Safe Mode with Networking, and even then I had no access to the Start button or the Internet. The connection was good, but the browser wasn't being allowed to open. I was able to use the Run command from Task Manager to access Windows Explorer to find my thumb drive to even get to the ComboFix utility. Currently the only way I can access that system is using my Active-undelete boot disc. That's how I was able to give you this ComboFix log file. Since I have been working on this computer I noticed that I now have an additional file on my thumb drive that was revealed by accessing the drive while booted with the boot disc. The file was named "system.exe". I deleted it from the thumb drive. It looks to me as if it became infected from the PC that I'm working on.

ComboFix Logfile:

ComboFix 09-04-04.01 - Administrator 2009-04-10 14:41:49.1 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.789 [GMT -7:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: Norton Internet Security *On-access scanning enabled* (Updated)
FW: Norton Internet Security *enabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-03-10 to 2009-04-10 )))))))))))))))))))))))))))))))
.

2009-03-26 17:37 . 2009-03-26 17:37 <DIR> d-------- C:\Temp
2009-03-10 22:50 . 2009-03-10 22:50 726,008 --a------ c:\documents and settings\Janet\gotomypc_438.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-20 23:36 805 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-03-20 23:36 7,386 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-03-20 23:36 60,808 ----a-w c:\windows\system32\S32EVNT1.DLL
2009-03-20 23:36 124,464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-03-20 23:36 --------- d-----w c:\program files\Symantec
2009-03-12 09:03 36,400 ----a-r c:\windows\system32\drivers\SymIM.sys
2009-03-07 15:31 --------- d-----w c:\documents and settings\All Users\Application Data\espionServerData
2009-03-06 08:13 --------- d-----w c:\documents and settings\Janet\Application Data\U3
2009-02-27 04:57 726,008 ----a-w c:\documents and settings\Janet\gotomypc_437.exe
2009-02-24 04:49 --------- d-----w c:\program files\Microsoft.NET
2009-02-24 04:49 --------- d-----w c:\program files\Microsoft ActiveSync
2009-02-23 02:33 --------- d-----w c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-02-22 19:51 --------- d-----w c:\documents and settings\All Users\Application Data\HP
2009-02-22 19:49 --------- d-----w c:\program files\Common Files\HP
2009-02-22 19:47 --------- d-----w c:\program files\HP
2009-02-22 19:47 --------- d-----w c:\program files\Hewlett-Packard
2009-02-22 19:45 --------- d-----w c:\program files\Common Files\Hewlett-Packard
2009-02-22 04:05 --------- d-----w c:\documents and settings\Janet\Application Data\Apple Computer
2009-02-19 00:16 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-02-19 00:16 --------- d-----w c:\program files\Java
2009-02-17 20:52 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-02-17 20:27 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-02-17 20:25 --------- d-----w c:\program files\Windows Sidebar
2009-02-17 20:25 --------- d-----w c:\program files\Norton Internet Security
2009-02-17 20:25 --------- d-----w c:\documents and settings\All Users\Application Data\Norton
2009-02-17 20:24 --------- d-----w c:\program files\NortonInstaller
2009-02-17 20:24 --------- d-----w c:\documents and settings\All Users\Application Data\NortonInstaller
2009-02-17 16:59 --------- d-----w c:\program files\SystemRequirementsLab
2009-02-17 16:38 --------- d-----w c:\program files\Common Files\Adobe
2009-02-17 16:15 20,640 ------w c:\windows\system32\drivers\pxhelp20.sys
2009-02-17 16:15 109,568 ------w c:\windows\system32\pxinsi64.exe
2009-02-17 16:15 108,544 ------w c:\windows\system32\pxcpyi64.exe
2009-02-17 15:57 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-17 15:57 --------- d-----w c:\program files\InterVideo
2009-02-17 15:57 --------- d-----w c:\program files\InterActual
2009-02-17 15:57 --------- d-----w c:\program files\Common Files\InterVideo
2009-02-17 15:56 --------- d-----w c:\program files\Creative
2009-02-17 15:55 --------- d-----w c:\program files\2BrightSparks
2009-02-17 15:54 --------- d-----w c:\program files\UPHClean
2009-02-17 05:39 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-02-17 05:12 --------- d-----w c:\program files\QuickTime
2009-02-17 05:12 --------- d-----w c:\program files\Apple Software Update
2009-02-17 05:12 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2009-02-17 04:57 --------- d-----w c:\program files\CleanUp!
2009-02-17 04:55 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-17 04:52 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-17 04:17 --------- d-----w c:\program files\Windows Media Connect 2
2009-02-17 04:01 --------- d-----w c:\program files\Reference Assemblies
2009-02-17 04:01 --------- d-----w c:\program files\MSBuild
2009-02-17 02:06 --------- d-----w c:\program files\Alwil Software
2009-02-17 02:02 --------- d-----w c:\program files\NOS
2009-02-17 02:02 --------- d-----w c:\documents and settings\All Users\Application Data\NOS
2009-02-17 01:47 --------- d-----w c:\program files\Common Files\Adobe AIR
2009-02-17 01:40 --------- d-----w c:\program files\BigFix
2009-02-17 01:35 --------- d-----w c:\program files\MSXML 4.0
2009-02-17 01:02 --------- d-----w c:\program files\Common Files\Real
2009-02-17 00:55 --------- d-----w c:\program files\Common Files\aolshare
2009-02-17 00:55 --------- d-----w c:\program files\Common Files\AOL
2009-02-17 00:39 --------- d-----w c:\program files\Digital Media Reader
2009-02-17 00:39 --------- d-----w c:\program files\Common Files\InstallShield
2009-02-17 00:38 --------- d-----w c:\documents and settings\Janet\Application Data\SampleView
2009-02-17 00:38 --------- d-----w c:\documents and settings\Administrator\Application Data\SampleView
2009-02-17 00:36 --------- d-----w c:\program files\Microsoft Picture It! 9
2009-02-17 00:35 --------- d-----w c:\program files\Common Files\Ahead
2009-02-17 00:35 --------- d-----w c:\program files\Ahead
2009-02-17 00:35 --------- d-----w c:\documents and settings\All Users\Application Data\Pure Networks
2009-02-17 00:34 --------- d-----w c:\program files\Pure Networks
2009-02-17 00:34 --------- d-----w c:\program files\Learn2.com
2009-02-17 00:34 --------- d-----w c:\program files\Common Files\Nullsoft
2009-02-17 00:34 --------- d-----w c:\documents and settings\All Users\Application Data\QuickTime
2009-02-17 00:33 --------- d-----w c:\program files\Microsoft Money
2009-02-17 00:32 --------- d-----w c:\program files\MSN Encarta Plus
2009-02-17 00:32 --------- d-----w c:\program files\CyberLink
2009-02-17 00:32 --------- d-----w c:\program files\Common Files\Java
2009-02-17 00:32 --------- d-----w c:\documents and settings\All Users\Application Data\CyberLink
2009-02-17 00:31 --------- d-----w c:\program files\Microsoft Works
2009-02-17 00:29 --------- d-----w c:\program files\Common Files\New Boundary
2009-02-17 00:29 --------- d-----w c:\documents and settings\All Users\Application Data\Prism Deploy
2009-02-17 00:27 --------- d-----w c:\program files\CONEXANT
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2009-01-19 22:08 524,288 ----a-w c:\windows\opuc.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-10-29 4620288]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-07-15 32768]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-10-18 135168]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-09 57344]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2004-10-29 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-18 148888]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
"USB2Check"="c:\windows\system32\PCLECoInst.dll" [2006-11-06 81920]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-07 50688]
"CHotkey"="zHotkey.exe" [2004-05-17 c:\windows\zHotkey.exe]
"ShowWnd"="ShowWnd.exe" [2003-09-19 c:\windows\ShowWnd.exe]
"nwiz"="nwiz.exe" [2008-05-16 c:\windows\system32\nwiz.exe]
"SoundMan"="SOUNDMAN.EXE" [2004-06-18 c:\windows\SOUNDMAN.EXE]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - c:\program files\BigFix\BigFix.exe [2009-02-16 1742384]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 258048]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 53248]
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2009-02-17 237568]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Adobe\\Photoshop Elements 4.0\\AdobePhotoshopElementsMediaServer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1005000.087\SymEFA.sys [2009-03-20 310320]
S1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NIS\1005000.087\BHDrvx86.sys [2009-03-20 258608]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1005000.087\cchpx86.sys [2009-03-20 482352]
S1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090318.001\IDSXpx86.sys [2009-03-23 276344]
S2 CX88XBAR;AVerMedia AVerTV MPEG Crossbar (Dual-Input);c:\windows\system32\drivers\A88BarBB.sys [2009-02-16 10112]
S2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe [2009-03-20 115560]
S3 CXAVSAUD;AVerMedia AVerTV AvStream Audio Capture;c:\windows\system32\drivers\A88AudBB.sys [2009-02-16 9216]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-02-25 101936]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - CX88XBAR
*NewlyCreated* - CXTUNE
*NewlyCreated* - MDMXSDK

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Info.exe folder.htt 480 480
.
Contents of the 'Scheduled Tasks' folder

2009-03-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 13:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.gateway.com/
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-10 14:42:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.5.0.135\diMaster.dll\" /prefetch:1"
.
Completion time: 2009-04-10 14:44:21
ComboFix-quarantined-files.txt 2009-04-10 21:44:02

Pre-Run: 173,650,178,048 bytes free
Post-Run: 174,342,930,432 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

187 --- E O F --- 2009-03-11 00:56:34
Keith_R is offline  
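The ComboFix log above contains the classic footprint of a removable-media worm: a root `D:\Autorun.inf` (deleted), a per-drive `MountPoints2` `\Shell\AutoRun\command` entry still pointing at `D:\Info.exe folder.htt 480 480`, the standard firewall profile with `EnableFirewall` set to 0, and (in the earlier DDS log) the AV and firewall reported as disabled. The following triage script flags exactly those indicators in a ComboFix/DDS-style log. It is an added example, not code from this thread, from ComboFix or from DDS; the rule names, the function names and the `SAMPLE_LOG` lines (constructed to mirror the posted logs) are all assumptions of this example.

```python
"""Triage helper for ComboFix / DDS style logs.

Added example: not code from the thread, from ComboFix or from DDS.
It flags the indicators visible in the logs posted above (a root Autorun.inf,
a per-drive MountPoints2 AutoRun\\command entry, a firewall profile with
EnableFirewall=0, and AV/FW reported as disabled). Rule names, function names
and SAMPLE_LOG are constructed for this example.
"""
import re
from typing import Dict, List

# Constructed sample: lines modelled on the DDS and ComboFix output in the thread.
SAMPLE_LOG = (
    "AV: Norton Internet Security *On-access scanning disabled* (Updated)\n"
    "FW: Norton Internet Security *disabled*\n"
    "D:\\Autorun.inf\n"
    "[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]\n"
    '"EnableFirewall"= 0 (0x0)\n'
    "[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\explorer\\mountpoints2\\D]\n"
    "\\Shell\\AutoRun\\command - D:\\Info.exe folder.htt 480 480\n"
    '"ctfmon.exe"="c:\\windows\\system32\\ctfmon.exe" [2008-04-14 15360]\n'
)

# A registry key header such as [HKLM\...\Run]; remembered so that the value
# lines that follow can be tied back to the key they live under.
_KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# Explorer's per-volume cache of autorun handlers: ...\mountpoints2\<drive letter>
_MOUNTPOINT_KEY = re.compile(r"\\mountpoints2\\(?P<drive>[A-Z])$", re.I)

# (rule name, pattern applied to a stripped line, severity)
RULES = [
    ("protection_disabled", re.compile(r"^(AV|FW):.*\*.*disabled\*", re.I), "medium"),
    ("autorun_inf", re.compile(r"^[A-Z]:\\autorun\.inf$", re.I), "high"),
    ("windows_firewall_off", re.compile(r'^"EnableFirewall"\s*=\s*0\b', re.I), "medium"),
    ("mountpoints2_autorun", re.compile(r"^\\Shell\\AutoRun\\command\s+-\s+(?P<cmd>.+)$", re.I), "high"),
]


def scan_log(text: str) -> List[Dict[str, object]]:
    """Return one finding per matching line, in log order."""
    findings: List[Dict[str, object]] = []
    current_key = ""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        key = _KEY_LINE.match(line)
        if key:
            current_key = key.group("key")
            continue
        for name, pattern, severity in RULES:
            m = pattern.match(line)
            if not m:
                continue
            finding: Dict[str, object] = {
                "line": lineno, "rule": name, "severity": severity, "text": line,
            }
            if name == "mountpoints2_autorun":
                # Tie the handler back to the drive letter in the enclosing key.
                drive = _MOUNTPOINT_KEY.search(current_key)
                finding["drive"] = drive.group("drive").upper() if drive else "?"
                finding["command"] = m.group("cmd").strip()
            findings.append(finding)
    return findings


def highest_severity(findings) -> str:
    """'high', 'medium' or 'none' for an empty finding list."""
    order = {"high": 2, "medium": 1}
    return max((f["severity"] for f in findings), key=order.get, default="none")


def summarize(findings) -> str:
    """Human-readable report, one line per finding."""
    lines = [f"{len(findings)} finding(s), highest severity: {highest_severity(findings)}"]
    for f in findings:
        extra = f"  drive {f['drive']} -> {f['command']}" if "command" in f else ""
        lines.append(f"line {f['line']:>3} [{f['severity']:<6}] {f['rule']}{extra}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(scan_log(SAMPLE_LOG)))
```

The `MountPoints2` rule is the one worth keeping an eye on: Explorer caches the autorun handler for each volume it has seen under that per-user key, so the cached `AutoRun\command` can outlive the `autorun.inf` that created it, which is why a cleanup that only removes the .inf file can leave the drive-letter handler behind.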
Old 04-11-2009, 09:12 AM   #4 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,968
OS: WinXP and Vista


Re: Worm infection, suspect worm_vb.npm

Thanks, Keith.

Quote:
After ComboFix I was able to boot into Windows, ...The machine still stalls from time to time during boot and must be shut down by turning off the power and restarting.
Quote:
Currently the only way I can access that system is using my Active-undelete boot disc.
I'm a bit confused. Would you please tell me the exact state of the system as it stands right now?
Ried is offline  
Old 04-11-2009, 09:32 AM   #5 (permalink)
Registered User
 
Join Date: Sep 2004
Posts: 91
OS: Win XP


Re: Worm infection, suspect worm_vb.npm

Currently, when I boot the computer in normal mode it boots up to the black Windows screen with the progress bar and hangs there. After I ran ComboFix yesterday I was then able to boot all the way into Windows. As I mentioned in my previous post, the only way of even accessing external media was to boot into Safe Mode and use Task Manager to start a new task by using the Windows Run command line to launch explorer.exe to view files on the computer. There was a task bar, but the Start button was not viewable due to the screen resolution in Safe Mode. ComboFix found and quarantined a virus and then I used the command line ComboFix /u to remove the program and Qoobox. All that was yesterday. It was booting fine until late last night, when it started hanging during boot again. It seems like the infection is completely active again. In order to boot the system to a state in which I could view files to send you the log file for ComboFix I had to use a boot disc created from my Active-Undelete software. The Active-Undelete boot disc loads enough Windows files to boot into an environment that allows you to use a different version of Windows Explorer and Internet Surfer software.
Keith_R is offline  
Old 04-11-2009, 09:42 AM   #6 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,968
OS: WinXP and Vista


Re: Worm infection, suspect worm_vb.npm

Thank you.

Download ComboFix again from one of these locations:

Link 1
Link 2
Link 3

While it will run from a USB drive, it's best if you can place it on the machine. Navigate to ComboFix.exe and run it. Post the resultant ComboFix.txt.
Ried is offline  
Old 04-11-2009, 11:03 AM   #7 (permalink)
Registered User
 
Join Date: Sep 2004
Posts: 91
OS: Win XP


Re: Worm infection, suspect worm_vb.npm

Thanks Ried. It took a while, and in order to boot into Windows I had to use the Ultimate Boot Disc to achieve a successful boot into Safe Mode. I was able to run ComboFix from the Administrator's Desktop.

Here's the log file:
ComboFix 09-04-04.01 - Administrator 2009-04-11 9:35:57.2 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.826 [GMT -7:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: Norton Internet Security *On-access scanning disabled* (Updated)
FW: Norton Internet Security *disabled*
.

((((((((((((((((((((((((( Files Created from 2009-03-11 to 2009-04-11 )))))))))))))))))))))))))))))))
.

2009-04-10 18:25 . 2009-04-10 19:10 <DIR> d-------- c:\windows\BDOSCAN8
2009-03-26 17:37 . 2009-03-26 17:37 <DIR> d-------- C:\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-10 22:26 --------- d-----w c:\program files\Java
2009-03-20 23:36 805 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-03-20 23:36 7,386 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-03-20 23:36 60,808 ----a-w c:\windows\system32\S32EVNT1.DLL
2009-03-20 23:36 124,464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-03-20 23:36 --------- d-----w c:\program files\Symantec
2009-03-12 09:03 36,400 ----a-r c:\windows\system32\drivers\SymIM.sys
2009-03-11 05:50 726,008 ----a-w c:\documents and settings\Janet\gotomypc_438.exe
2009-03-09 12:19 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-03-07 15:31 --------- d-----w c:\documents and settings\All Users\Application Data\espionServerData
2009-03-06 08:13 --------- d-----w c:\documents and settings\Janet\Application Data\U3
2009-02-27 04:57 726,008 ----a-w c:\documents and settings\Janet\gotomypc_437.exe
2009-02-24 04:49 --------- d-----w c:\program files\Microsoft.NET
2009-02-24 04:49 --------- d-----w c:\program files\Microsoft ActiveSync
2009-02-23 02:33 --------- d-----w c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-02-22 19:51 --------- d-----w c:\documents and settings\All Users\Application Data\HP
2009-02-22 19:49 --------- d-----w c:\program files\Common Files\HP
2009-02-22 19:47 --------- d-----w c:\program files\HP
2009-02-22 19:47 --------- d-----w c:\program files\Hewlett-Packard
2009-02-22 19:45 --------- d-----w c:\program files\Common Files\Hewlett-Packard
2009-02-22 04:05 --------- d-----w c:\documents and settings\Janet\Application Data\Apple Computer
2009-02-17 20:52 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-02-17 20:27 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-02-17 20:25 --------- d-----w c:\program files\Windows Sidebar
2009-02-17 20:25 --------- d-----w c:\program files\Norton Internet Security
2009-02-17 20:25 --------- d-----w c:\documents and settings\All Users\Application Data\Norton
2009-02-17 20:24 --------- d-----w c:\program files\NortonInstaller
2009-02-17 20:24 --------- d-----w c:\documents and settings\All Users\Application Data\NortonInstaller
2009-02-17 16:59 --------- d-----w c:\program files\SystemRequirementsLab
2009-02-17 16:38 --------- d-----w c:\program files\Common Files\Adobe
2009-02-17 16:15 20,640 ------w c:\windows\system32\drivers\pxhelp20.sys
2009-02-17 16:15 109,568 ------w c:\windows\system32\pxinsi64.exe
2009-02-17 16:15 108,544 ------w c:\windows\system32\pxcpyi64.exe
2009-02-17 15:57 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-17 15:57 --------- d-----w c:\program files\InterVideo
2009-02-17 15:57 --------- d-----w c:\program files\InterActual
2009-02-17 15:57 --------- d-----w c:\program files\Common Files\InterVideo
2009-02-17 15:56 --------- d-----w c:\program files\Creative
2009-02-17 15:55 --------- d-----w c:\program files\2BrightSparks
2009-02-17 15:54 --------- d-----w c:\program files\UPHClean
2009-02-17 05:39 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-02-17 05:12 --------- d-----w c:\program files\QuickTime
2009-02-17 05:12 --------- d-----w c:\program files\Apple Software Update
2009-02-17 05:12 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2009-02-17 04:57 --------- d-----w c:\program files\CleanUp!
2009-02-17 04:55 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-17 04:52 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-17 04:17 --------- d-----w c:\program files\Windows Media Connect 2
2009-02-17 04:01 --------- d-----w c:\program files\Reference Assemblies
2009-02-17 04:01 --------- d-----w c:\program files\MSBuild
2009-02-17 02:06 --------- d-----w c:\program files\Alwil Software
2009-02-17 02:02 --------- d-----w c:\program files\NOS
2009-02-17 02:02 --------- d-----w c:\documents and settings\All Users\Application Data\NOS
2009-02-17 01:47 --------- d-----w c:\program files\Common Files\Adobe AIR
2009-02-17 01:40 --------- d-----w c:\program files\BigFix
2009-02-17 01:35 --------- d-----w c:\program files\MSXML 4.0
2009-02-17 01:02 --------- d-----w c:\program files\Common Files\Real
2009-02-17 00:55 --------- d-----w c:\program files\Common Files\aolshare
2009-02-17 00:55 --------- d-----w c:\program files\Common Files\AOL
2009-02-17 00:39 --------- d-----w c:\program files\Digital Media Reader
2009-02-17 00:39 --------- d-----w c:\program files\Common Files\InstallShield
2009-02-17 00:38 --------- d-----w c:\windows\system32\config\systemprofile\Application Data\SampleView
2009-02-17 00:38 --------- d-----w c:\documents and settings\Janet\Application Data\SampleView
2009-02-17 00:38 --------- d-----w c:\documents and settings\Administrator\Application Data\SampleView
2009-02-17 00:36 --------- d-----w c:\program files\Microsoft Picture It! 9
2009-02-17 00:35 --------- d-----w c:\program files\Common Files\Ahead
2009-02-17 00:35 --------- d-----w c:\program files\Ahead
2009-02-17 00:35 --------- d-----w c:\documents and settings\All Users\Application Data\Pure Networks
2009-02-17 00:34 --------- d-----w c:\windows\system32\config\systemprofile\Application Data\You've Got Pictures Screensaver
2009-02-17 00:34 --------- d-----w c:\program files\Pure Networks
2009-02-17 00:34 --------- d-----w c:\program files\Learn2.com
2009-02-17 00:34 --------- d-----w c:\program files\Common Files\Nullsoft
2009-02-17 00:34 --------- d-----w c:\documents and settings\All Users\Application Data\QuickTime
2009-02-17 00:33 --------- d-----w c:\program files\Microsoft Money
2009-02-17 00:32 --------- d-----w c:\program files\MSN Encarta Plus
2009-02-17 00:32 --------- d-----w c:\program files\CyberLink
2009-02-17 00:32 --------- d-----w c:\program files\Common Files\Java
2009-02-17 00:32 --------- d-----w c:\documents and settings\All Users\Application Data\CyberLink
2009-02-17 00:31 --------- d-----w c:\program files\Microsoft Works
2009-02-17 00:29 --------- d-----w c:\windows\system32\config\systemprofile\Application Data\Symantec
2009-02-17 00:29 --------- d-----w c:\program files\Common Files\New Boundary
2009-02-17 00:29 --------- d-----w c:\documents and settings\All Users\Application Data\Prism Deploy
2009-02-17 00:27 --------- d-----w c:\program files\CONEXANT
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2009-01-19 22:08 524,288 ----a-w c:\windows\opuc.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-10-29 4620288]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-07-15 32768]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-10-18 135168]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-09 57344]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2004-10-29 86016]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
"USB2Check"="c:\windows\system32\PCLECoInst.dll" [2006-11-06 81920]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-07 50688]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"CHotkey"="zHotkey.exe" [2004-05-17 c:\windows\zHotkey.exe]
"ShowWnd"="ShowWnd.exe" [2003-09-19 c:\windows\ShowWnd.exe]
"nwiz"="nwiz.exe" [2008-05-16 c:\windows\system32\nwiz.exe]
"SoundMan"="SOUNDMAN.EXE" [2004-06-18 c:\windows\SOUNDMAN.EXE]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - c:\program files\BigFix\BigFix.exe [2009-02-16 1742384]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 258048]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 53248]
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2009-02-17 237568]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Adobe\\Photoshop Elements 4.0\\AdobePhotoshopElementsMediaServer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1005000.087\SymEFA.sys [2009-03-20 310320]
S1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NIS\1005000.087\BHDrvx86.sys [2009-03-20 258608]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1005000.087\cchpx86.sys [2009-03-20 482352]
S1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090408.002\IDSXpx86.sys [2009-04-10 276344]
S2 CX88XBAR;AVerMedia AVerTV MPEG Crossbar (Dual-Input);c:\windows\system32\drivers\A88BarBB.sys [2009-02-16 10112]
S2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe [2009-03-20 115560]
S3 CXAVSAUD;AVerMedia AVerTV AvStream Audio Capture;c:\windows\system32\drivers\A88AudBB.sys [2009-02-16 9216]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-02-25 101936]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - CX88XBAR
*NewlyCreated* - CXTUNE
*NewlyCreated* - MDMXSDK
.
Contents of the 'Scheduled Tasks' folder

2009-03-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 13:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.gateway.com/
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-11 09:39:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.5.0.135\diMaster.dll\" /prefetch:1"
.
Completion time: 2009-04-11 9:41:39
ComboFix-quarantined-files.txt 2009-04-11 16:41:08
ComboFix2.txt 2009-04-10 21:44:22

Pre-Run: 177,494,667,264 bytes free
Post-Run: 177,474,994,176 bytes free

179 --- E O F --- 2009-04-10 22:29:34
Old 04-11-2009, 09:52 PM   #8 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,968
OS: WinXP and Vista


Re: Worm infection, suspect worm_vb.npm

Hi Keith,

My apologies for the delay, but this isn't going to be easy to diagnose. I've nothing to go on here. The infection you mentioned would not cause the OS not to boot. Something else is going on, or something happened during your attempts to remove it yourself.

What I'd like you to do is boot as though you were going to go into Safe Mode, but choose Last known good config. See if it will boot.

If you've already tried that, or if it still won't boot, what I'd like you to do is to again bring up the F8 menu and select 'Enable Boot Logging'.

Boot it up and let it fail.

Using UltimateBoot, navigate to C:\bootlog.txt. zip that up and attach it in your next reply.
Old 04-12-2009, 10:27 AM   #9 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,968
OS: WinXP and Vista


Re: Worm infection, suspect worm_vb.npm

Yes. Now that the system is functioning again, run this online scan. It can take some time, so please be patient and allow it to run its full course:


**Vista users - right click on the IE icon and run as administrator



Using Internet Explorer or Firefox, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html

1. Click Accept, when prompted to download and install the program files and database of malware definitions.


2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan

3. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.



  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
Old 04-12-2009, 10:28 AM   #10 (permalink)
Registered User
 
Join Date: Sep 2004
Posts: 91
OS: Win XP


Re: Worm infection, suspect worm_vb.npm

Hi Ried, I haven't done anything else except run a couple of online virus scans, which didn't reveal any threats. The scans I ran were Panda ActiveScan and Symantec. Both scans came up empty. I did as you said and booted up using "Last Known Good Config", and the system booted up normally. I assume that the logs I sent are clean. Is it still possible that part of the worm is still lurking and detectable with another utility? BTW, I still can't get the Trend Micro HouseCall scan to run. I'm wondering if it may be something on their end. I'll try it on my other machine.

Thanks

Last edited by Keith_R; 04-12-2009 at 10:30 AM.
Old 04-12-2009, 11:36 AM   #11 (permalink)
Registered User
 
Join Date: Sep 2004
Posts: 91
OS: Win XP


Re: Worm infection, suspect worm_vb.npm

Thanks, I'm running the Kaspersky scan now. We must have been posting at the same time, because my post was after yours. Got a question, though, in regards to Flash_Disinfector. How well does this utility actually work? According to the write-up on the site, it helps to keep infections from getting onto flash drives. Oh, I also tried the Trend HouseCall online scanner on a different PC and got the same "Unable to Open", just like on the infected PC.

Last edited by Keith_R; 04-12-2009 at 11:38 AM.
Old 04-12-2009, 02:45 PM   #12 (permalink)
Registered User
 
Join Date: Sep 2004
Posts: 91
OS: Win XP


Re: Worm infection, suspect worm_vb.npm

Hi Ried,
The online scan with Kaspersky returned the following results. Looks pretty clean. Does this mean that the machine is good to go?

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Sunday, April 12, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Sunday, April 12, 2009 19:59:49
Records in database: 2038355
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\
L:\

Scan statistics:
Files scanned: 79283
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 01:37:27

No malware has been detected. The scan area is clean.

The selected area was scanned.
Old 04-12-2009, 09:08 PM   #13 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,968
OS: WinXP and Vista


Re: Worm infection, suspect worm_vb.npm

As far as the efficacy of Flash_Disinfector - absolutely! Use it on all your personal flash drives as well as your own machine to protect yourself from the broad range of flash infections.


And yes, the scans are coming up clean so it would seem you're good to go. Shall I leave this thread open for a few more days to give you a chance to see if it continues to behave as expected?
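The vector behind this whole thread is an autorun.inf at the root of a drive pointing at a dropped executable (the original post says ComboFix quarantined one that launched info.exe), and Flash_Disinfector's job, as the thread describes it, is to keep such files off flash drives. The following is an added example, not code from the thread and not how ComboFix, Flash_Disinfector or Norton implement anything: it parses the [autorun] section that Windows XP honoured on removable media and reports every key that would run a program. The sample autorun.inf is constructed for illustration; the only detail taken from the thread is the file name info.exe.

```python
"""Find autorun.inf launch targets on a drive root.

Added example for this thread, not code from the original posts and not how
ComboFix, Flash_Disinfector or Norton implement their checks. Windows XP
read [autorun] from the root of removable media and would run the program
named by keys such as open= and shellexecute=, which is how an autorun.inf
worm gets executed when a flash drive is plugged in. SAMPLE_AUTORUN_INF is
constructed for illustration; the only detail taken from the thread is the
file name info.exe that ComboFix quarantined.
"""
import os
import tempfile

# Constructed sample. Worm-dropped files usually set several keys so that
# double-click, AutoPlay and the context menu all lead to the payload.
SAMPLE_AUTORUN_INF = """[AutoRun]
; constructed sample for this example
open=info.exe
shellexecute=info.exe
shell\\open\\Command=info.exe
shell\\explore\\command=info.exe
shell=open
icon=%SystemRoot%\\system32\\shell32.dll,4
"""


def parse_autorun(text):
    """Return {key: value} for the [autorun] section, keys lower-cased.

    Hand-rolled instead of configparser: malicious autorun.inf files often
    carry duplicate keys, stray bytes and odd capitalisation that make
    configparser raise. The last value for a key wins.
    """
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries):
    """Return [(key, target)] for every key that would execute a program."""
    hits = []
    for key, value in entries.items():
        direct = key in ("open", "shellexecute")
        verb = key.startswith("shell\\") and key.endswith("\\command")
        if value and (direct or verb):
            hits.append((key, value))
    return hits


def scan_root(root):
    """Look for autorun.inf (any case) in `root`; return launch targets,
    or None when no such file exists."""
    for name in os.listdir(root):
        if name.lower() == "autorun.inf":
            with open(os.path.join(root, name), "r", errors="replace") as fh:
                return launch_targets(parse_autorun(fh.read()))
    return None


def demo():
    """Write the constructed sample into a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "AUTORUN.INF"), "w") as fh:
            fh.write(SAMPLE_AUTORUN_INF)
        return scan_root(root)


if __name__ == "__main__":
    for key, target in demo():
        print(f"{key} -> {target}")
```

Point scan_root at a real drive root (for example "E:\\" on Windows) to check a flash drive before opening it. The script only reports; it does not remove anything, and it does not do what Flash_Disinfector is generally described as doing, which is to pre-create a protected autorun.inf on each drive so that a worm cannot drop its own. A file that names no program under open, shellexecute or a shell\verb\command key (icon= and label= only) produces an empty list.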
Old 04-12-2009, 10:53 PM   #14 (permalink)
Registered User
 
Join Date: Sep 2004
Posts: 91
OS: Win XP


Re: Worm infection, suspect worm_vb.npm

Thank you, Ried, for your assistance and the advice regarding Flash_Disinfector. Please close this thread and we'll call it resolved. The computer seems to be working great.

Thanks again and have a good day
Old 04-12-2009, 10:56 PM   #15 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,968
OS: WinXP and Vista


Re: Worm infection, suspect worm_vb.npm

You're welcome, Keith. Take care.
Copyright 2001 - 2009, Tech Support Forum