
Author Topic: Laptop infected with W32.Rontokbro@mm  (Read 10396 times)


adeeba222

    Topic Starter


    Rookie

    Laptop infected with W32.Rontokbro@mm
    « on: February 07, 2009, 10:34:23 PM »
    Hello...

    I only got my laptop a few months ago. I have Norton Internet Security. It has detected w32.rontokbro@mm on my computer several times over the past couple days.

    Every time it does, I apply the recommended actions (i.e. "fix") and restart when prompted, but then it finds the same threat again in minutes. I can't seem to get it to go away.

    I've tried downloading Malwarebytes, but my laptop restarts every time. It also restarts when I try to access certain web pages. I've tried the BitDefender online scan, but it said 'scan failed' twice now. In addition, I tried to disable System Restore, and realized that I couldn't do this. I'm really at a loss here.

    I am a university student and I need my laptop for my schoolwork, so any help would be greatly appreciated.

    Thanks!

    tmclendon1977



      Rookie

    • Tasting the good stuff ...
      Re: Laptop infected with W32.Rontokbro@mm
      « Reply #1 on: February 07, 2009, 11:01:47 PM »
      Hi. I do not know if they will let my post stay or not, but I remember a friend of mine who had that nasty worm virus. Here is a link to Symantec that provides manual instructions to remove the virus. It worked for my friend and he had the exact same virus. I remember because of what this worm virus does with certain words in the window titles.

      http://www.symantec.com/security_response/writeup.jsp?docid=2005-092311-2608-99&tabid=3

      I hope this helps; and if not, I am sure the moderators (or someone) here will get it solved for you. :-)
      _________________________________
      ©1977~2009, Thomas McLendon™
             ® All Rights Reserved ®

      adeeba222

        Topic Starter


        Rookie

        Re: Laptop infected with W32.Rontokbro@mm
        « Reply #2 on: February 08, 2009, 11:17:10 AM »

        Thanks for your suggestion, I appreciate it, but I can't disable System Restore, which is the first step. But maybe I should try it anyway. Did your friend disable System Restore first?

        thank you for your help!!

        tmclendon1977



          Rookie

        • Tasting the good stuff ...
          Re: Laptop infected with W32.Rontokbro@mm
          « Reply #3 on: February 08, 2009, 11:33:45 AM »
          He followed the instructions.  The purpose of disabling the system restore is so that it will not create a restore point with the infection in it -- to prevent you from rolling back and landing in the pit of infection.

          I DO NOT recommend it without disabling System Restore, due to the importance of being able to roll back in an emergency.

          However, I have provided you with the information on System Restore and why it is recommended to disable it. The actions you take are of your own accord.

          If you do decide to do it without disabling System Restore -- just always keep in mind to NOT roll back to the current date/time in the restore calendar.

          Maybe someone will read this that has a different method. Either way -- I would feel safe in saying that your System Restore ALREADY has images with the infection. So as a precaution -- I wouldn't roll back anyway -- after the issue is fixed.
          _________________________________
          ©1977~2009, Thomas McLendon™
                 ® All Rights Reserved ®

          evilfantasy

          • Malware Removal Specialist
          • Moderator


          • Genius
          • Calm like a bomb
          • Thanked: 493
          • Experience: Experienced
          • OS: Windows 11
          Re: Laptop infected with W32.Rontokbro@mm
          « Reply #4 on: February 08, 2009, 02:13:15 PM »
          This is a worm so if you have any flash drives they are likely the source of the infection and need to be cleaned up.

          Flash Drive Cleanup

          Download Flash Disinfector by sUBs and save it to your Desktop.
           
          • Double-click Flash_Disinfector.exe to run it.
          • Your desktop and icons may disappear. This is normal.
          • It will do a cleanup of removable storage devices, and write a protected Autorun.inf file to help prevent re-infection.
          • Follow any prompts that may appear.
          • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
          • Wait until it has finished scanning and then exit the program.
          • There will be no GUI interface or log file produced.
          • Reboot your computer when done.
          Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.

          ----------

          Computer clean up

          Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

          Link #1
          Link #2

          **Note:  It is important that it is saved directly to your Desktop

          Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

          Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
           
          Double click combofix.exe & follow the prompts.
          When finished ComboFix will produce a log for you.
          Post the ComboFix log in your next reply.

          Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

          Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

          If you have problems with ComboFix usage, see How to use ComboFix
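The Flash Disinfector step above works by occupying the name autorun.inf on each drive root with a protected folder, so a worm that spreads over removable media cannot write its own autorun.inf file there. The checker below is an added example, not part of the thread or of the Flash_Disinfector tool: it classifies a drive root as having no autorun.inf, a protecting folder, or a real file, and for a real file reports which entries would launch something. The function names, the three-state labels and the sample autorun.inf (with its `launcher.exe` placeholder) are all constructed for this example; the demo builds its drive roots in a temporary directory so it runs anywhere.

```python
"""Autorun.inf state check for removable-drive roots (added example)."""
import os
import tempfile

# Constructed sample modelled on the [autorun] format; "launcher.exe" is a
# placeholder, not a file from any real device.
SAMPLE_AUTORUN = """\
[autorun]
; constructed sample, not taken from any real device
open=launcher.exe -a
icon=launcher.exe,0
label=Removable Disk
shell\\open\\command=launcher.exe -a
"""


def parse_autorun(text):
    """Minimal parser for the [autorun] section of an autorun.inf.

    Returns {key: value} with keys lower-cased; other sections, blank lines
    and ';' comment lines are ignored.
    """
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_entries(entries):
    """Keep only the keys that cause something to run: open=, shellexecute=
    and any shell\\...\\command verb. icon= and label= are cosmetic."""
    return {k: v for k, v in entries.items()
            if k in ("open", "shellexecute") or k.startswith("shell\\")}


def classify_drive_root(root):
    """Return ("absent", None), ("folder", None) or ("file", launches)
    depending on what occupies <root>/autorun.inf."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.lexists(path):
        return ("absent", None)
    if os.path.isdir(path):
        return ("folder", None)  # the protecting folder Flash_Disinfector leaves
    with open(path, "r", errors="replace") as fh:
        return ("file", launch_entries(parse_autorun(fh.read())))


def demo():
    """Build three constructed drive roots in a temp dir and classify each."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        roots = {name: os.path.join(tmp, name) for name in ("clean", "protected", "unprotected")}
        for root in roots.values():
            os.makedirs(root)
        os.makedirs(os.path.join(roots["protected"], "autorun.inf"))
        with open(os.path.join(roots["unprotected"], "autorun.inf"), "w") as fh:
            fh.write(SAMPLE_AUTORUN)
        for name, root in roots.items():
            results[name] = classify_drive_root(root)
    return results


if __name__ == "__main__":
    for name, (state, launches) in demo().items():
        print(f"{name}: autorun.inf {state}" + (f", launches {launches}" if launches else ""))
```

On a real machine you would call `classify_drive_root` on each drive letter instead of the temporary roots; a result of `"file"` with non-empty launch entries on a freshly cleaned drive is the signal that the protection is missing and the drive should be re-treated.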

          adeeba222

            Topic Starter


            Rookie

            Re: Laptop infected with W32.Rontokbro@mm
            « Reply #5 on: February 08, 2009, 07:14:10 PM »

            hi again

            I've realized my laptop restarts whenever I try to download any .exe file, so I'm not sure I'll be able to get ComboFix or Flash Disinfector on here. I tried downloading Malwarebytes from several different links, and then just to test I tried to download another .exe file and my laptop kept restarting. Isn't there any other way?

            Thanks for your help!!

            rmr



              Starter

              Re: Laptop infected with W32.Rontokbro@mm
              « Reply #6 on: February 08, 2009, 08:18:15 PM »
              Hi! Why don't you download those files using another computer and transfer them to your computer? ComboFix is a great tool to remove this virus. My friend had the same problem as yours and it worked.

              evilfantasy

              Re: Laptop infected with W32.Rontokbro@mm
              « Reply #7 on: February 09, 2009, 09:16:18 AM »
              Is it when you try to download the file, or when you run the file?

              If it is when you try to run it, right click on the file and re-name it to combofix.com and then try running it.

              adeeba222

                Topic Starter


                Rookie

                Re: Laptop infected with W32.Rontokbro@mm
                « Reply #8 on: February 21, 2009, 02:54:11 PM »

                Hi again

                I deeply apologize for not replying sooner, this was the first chance I've had.

                I am quite concerned right now, however. I downloaded and ran ComboFix as instructed. I saw that it had completed about 50 or so stages, then I saw a message in the ComboFix window stating that my system would be rebooted. I allowed it to reboot in normal mode, then was prompted whether to System Restore or not. I chose not. My computer restarted, I logged on and here I am.

                I don't know where the ComboFix log is, my clock didn't return to normal, and my computer still has symptoms of the worm. My antivirus (Norton Internet Security) is still off.

                What do I do at this point? It doesn't seem to have worked. Where did I go wrong?


                Thank you for your help!!


                PS: I have Vista, does it make a difference?

                evilfantasy

                Re: Laptop infected with W32.Rontokbro@mm
                « Reply #9 on: February 21, 2009, 03:00:57 PM »
                The log saved to c:\combofix.txt

                Just find the combofix.txt file in C:\ and post the contents back here.

                adeeba222

                  Topic Starter


                  Rookie

                  Re: Laptop infected with W32.Rontokbro@mm
                  « Reply #10 on: February 22, 2009, 03:08:39 AM »

                  It isn't there, I've checked. And I've searched for it, but no log file seems to have been created.

                  I saw that some files were deleted while it was running, but I still have the virus, maybe ComboFix didn't run properly. Should I run it again? Or would this lead to the same result?


                  evilfantasy

                  Re: Laptop infected with W32.Rontokbro@mm
                  « Reply #11 on: February 22, 2009, 10:15:07 AM »
                  Run it again please.

                  adeeba222

                    Topic Starter


                    Rookie

                    Re: Laptop infected with W32.Rontokbro@mm
                    « Reply #12 on: February 22, 2009, 01:07:29 PM »

                    I ran it again, I think it worked well this time. I didn't see any blue screen on restart or any prompts asking about System Restore, plus my clock went back to normal this time.

                    This is the log file it created:


                    ComboFix 09-02-19.01 - Adeeba 2009-02-22 15:50:20.1 - NTFSx86
                    Microsoft® Windows Vista™ Home Premium   6.0.6000.0.1252.1.1033.18.3581.2486 [GMT -3:00]
                    Running from: c:\users\Adeeba\Desktop\ComboFix.exe
                    AV: Norton Internet Security *On-access scanning disabled* (Updated)
                    FW: Norton Internet Security *disabled*
                     * Created a new restore point
                    .

                    (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
                    .
                    .
                    ---- Previous Run -------
                    .
                    c:\users\Adeeba\AppData\Local\inetinfo.exe
                    c:\users\Adeeba\AppData\Local\lsass.exe
                    c:\users\Adeeba\AppData\Local\services.exe
                    c:\users\Adeeba\AppData\Local\winlogon.exe

                    .
                    (((((((((((((((((((((((((   Files Created from 2009-01-22 to 2009-02-22  )))))))))))))))))))))))))))))))
                    .

                    2009-02-18 13:35 . 2009-02-18 13:46   <DIR>   d--------   c:\users\Adeeba\AppData\Roaming\Dev-Cpp
                    2009-02-18 13:34 . 2009-02-18 13:34   <DIR>   d--------   C:\Dev-Cpp
                    2009-02-18 10:05 . 2008-12-05 01:26   1,244,672   --a------   c:\windows\System32\mcmde.dll
                    2009-02-18 10:05 . 2008-12-05 01:29   428,032   --a------   c:\windows\System32\EncDec.dll
                    2009-02-18 10:05 . 2008-12-05 01:28   292,352   --a------   c:\windows\System32\psisdecd.dll
                    2009-02-18 10:05 . 2008-12-05 01:28   217,088   --a------   c:\windows\System32\psisrndr.ax
                    2009-02-18 10:05 . 2008-12-05 01:29   177,152   --a------   c:\windows\System32\mpg2splt.ax
                    2009-02-18 10:05 . 2008-12-05 01:27   80,896   --a------   c:\windows\System32\MSNP.ax
                    2009-02-18 10:05 . 2008-12-05 01:27   68,608   --a------   c:\windows\System32\Mpeg2Data.ax
                    2009-02-18 10:05 . 2008-12-05 01:27   57,856   --a------   c:\windows\System32\MSDvbNP.ax
                    2009-02-11 19:09 . 2009-02-11 19:09   118   --a------   c:\windows\System32\MRT.INI
                    2009-02-07 23:08 . 2009-02-08 01:10   <DIR>   d--------   c:\windows\BDOSCAN8
                    2009-01-24 23:09 . 2009-02-12 20:16   <DIR>   d--------   c:\users\Adeeba\random

                    .
                    ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                    .
                    2009-02-22 18:46   ---------   d-----w   c:\programdata\Roxio
                    2009-02-22 14:45   ---------   d-----w   c:\programdata\Symantec
                    2009-02-12 06:00   ---------   d-----w   c:\program files\Windows Mail
                    2009-02-11 19:15   ---------   d-----w   c:\users\Adeeba\AppData\Roaming\LimeWire
                    2009-01-21 23:08   ---------   d-----w   c:\programdata\CyberLink
                    2009-01-15 04:16   52,736   ----a-w   c:\windows\AppPatch\iebrshim.dll
                    2009-01-08 01:39   27,934   ----a-w   c:\users\All Users\nvModes.dat
                    2009-01-08 01:39   27,934   ----a-w   c:\programdata\nvModes.dat
                    2009-01-06 21:35   ---------   d-----w   c:\users\Adeeba\AppData\Roaming\DivX
                    2009-01-06 21:32   ---------   d-----w   c:\program files\DivX
                    2009-01-06 21:32   ---------   d-----w   c:\program files\Common Files\PX Storage Engine
                    2009-01-06 19:23   806   ----a-w   c:\windows\system32\drivers\SYMEVENT.INF
                    2009-01-06 19:23   124,464   ----a-w   c:\windows\system32\drivers\SYMEVENT.SYS
                    2009-01-06 19:23   10,635   ----a-w   c:\windows\system32\drivers\SYMEVENT.CAT
                    2009-01-06 19:23   ---------   d-----w   c:\program files\Symantec
                    2008-12-29 16:20   ---------   d-----w   c:\users\Guest\AppData\Roaming\vlc
                    2008-12-10 19:17   174   --sha-w   c:\program files\desktop.ini
                    2008-10-05 02:37   0   ----a-w   c:\users\Adeeba\AppData\Roaming\wklnhst.dat
                    2008-09-04 22:00   76   --sh--r   c:\windows\CT4CET.bin
                    .

                    (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                    .
                    .
                    *Note* empty entries & legit default entries are not shown
                    REGEDIT4

                    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
                    @="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
                    [HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
                    2007-04-17 01:13   721408   --a------   c:\program files\Fingerprint Reader Suite\farchns.dll

                    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
                    @="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
                    [HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
                    2007-04-17 01:13   721408   --a------   c:\program files\Fingerprint Reader Suite\farchns.dll

                    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-09-05 1232896]
                    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
                    "PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2008-10-02 1124352]
                    "DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-14 206064]
                    "FactFinder"="c:\program files\Microsoft FactFinder\ff.exe" [2001-06-22 81920]
                    "Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 7\PCSync2.exe" [2008-06-17 1249280]
                    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]

                    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                    "Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-01-25 167936]
                    "OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2008-03-04 36864]
                    "NvSvc"="c:\windows\system32\nvsvc.dll" [2008-04-09 166432]
                    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-04-09 13515296]
                    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-04-09 92704]
                    "NVHotkey"="c:\windows\system32\nvHotkey.dll" [2008-04-09 92704]
                    "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-05-16 3444736]
                    "PSQLLauncher"="c:\program files\Fingerprint Reader Suite\launcher.exe" [2007-04-17 49168]
                    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
                    "dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
                    "PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-12-21 184320]
                    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
                    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-10-19 185872]
                    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
                    "DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-14 206064]
                    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
                    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
                    "MRT"="c:\windows\system32\MRT.exe" [2009-02-03 21244864]

                    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
                    QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2008-02-22 1193240]

                    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
                    "DisableCAD"= 1 (0x1)

                    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
                    2008-09-04 19:12 10536 c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

                    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
                    2007-04-17 01:04 86528 c:\windows\System32\psqlpwd.dll

                    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
                    Notification Packages   REG_MULTI_SZ      scecli psqlpwd

                    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
                    @="Driver"

                    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
                    "UacDisableNotify"=dword:00000001
                    "InternetSettingsDisableNotify"=dword:00000001
                    "AutoUpdateDisableNotify"=dword:00000001

                    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
                    "DisableMonitoring"=dword:00000001

                    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
                    "DisableMonitoring"=dword:00000001

                    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
                    "DisableMonitoring"=dword:00000001

                    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
                    "EnableFirewall"= 0 (0x0)

                    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
                    "{7B3C4EB0-20B3-4B89-B248-E7810C130E59}"= c:\program files\Dell\MediaDirect\MediaDirect.exe:Dell MediaDirect
                    "{627A842B-3E8F-4799-8213-1861B640F3D1}"= c:\program files\Dell\MediaDirect\PCMService.exe:CyberLink PowerCinema Resident Program
                    "{AC91ED12-8024-4F90-8F4A-C628C30B6DD7}"= c:\program files\Dell\MediaDirect\Kernel\DMP\CLBrowserEngine.exe:Cyberlink Media Server Browser Engine
                    "{0DFC109E-7369-4ADC-9E57-33354C1291D6}"= c:\program files\Dell\MediaDirect\Kernel\DMS\CLMSService.exe:CyberLink Media Server
                    "{57656B01-03BC-482E-999C-C75AA8FD923B}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
                    "{9FFA8897-FF49-48DC-A83A-3C507F856C54}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
                    "{3DDA4CA1-59F3-409D-B5A4-A7C6CA5D3558}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
                    "{EF8B4C7D-510D-412C-88FF-0C61E0323733}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
                    "{1020596F-1992-4F0B-BC16-78FF0BC3340F}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
                    "{E5558807-9126-4799-B51D-94498BC8F93D}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
                    "{C2D15551-E4C0-49B7-B83F-8A3ACEF8DA08}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
                    "{821A94FD-6723-401C-AAE0-1059373787BC}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
                    "{602E7440-16D9-4512-A78E-980FE6A2406D}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

                    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
                    "EnableFirewall"= 0 (0x0)

                    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
                    "DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

                    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
                    "EnableFirewall"= 0 (0x0)

                    R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\ipsdefs\20090212.002\IDSvix86.sys [2009-02-16 270384]
                    R2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\AEstSrv.exe [2008-09-04 73728]
                    R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2008-10-27 149352]
                    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-10-07 99376]
                    R3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\System32\drivers\OEM02Dev.sys [2008-09-05 235648]
                    R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\System32\drivers\OEM02Vfx.sys [2008-09-05 7424]
                    R3 SYMNDISV;SYMNDISV;c:\windows\System32\drivers\symndisv.sys [2008-06-13 41008]
                    S3 cmo_bus;Data Modem @ CDMA Composite Device driver (WDM);c:\windows\System32\drivers\cmo_bus.sys [2008-10-05 58352]
                    S3 cmo_mdfl;Data Modem @ CDMA Filter;c:\windows\System32\drivers\cmo_mdfl.sys [2008-10-05 8304]
                    S3 cmo_mdm;Data Modem @ CDMA Drivers;c:\windows\System32\drivers\cmo_mdm.sys [2008-10-05 93904]
                    S3 COH_Mon;COH_Mon;c:\windows\System32\drivers\COH_Mon.sys [2007-05-29 23888]
                    S4 iaNvStor;Intel(R) Turbo Memory Controller;c:\windows\System32\drivers\iaNvStor.sys [2008-09-05 209408]

                    --- Other Services/Drivers In Memory ---

                    *NewlyCreated* - COMHOST

                    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fc790409-b5e1-11dd-8c0e-002268995227}]
                    \shell\AutoRun\command - G:\LaunchU3.exe -a
                    .
                    Contents of the 'Scheduled Tasks' folder

                    2009-01-19 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Adeeba.job
                    - c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-08-26 14:19]

                    2009-02-22 c:\windows\Tasks\User_Feed_Synchronization-{A17C346D-D918-4BF3-888D-B1FAD8D6E04B}.job
                    - c:\windows\system32\msfeedssync.exe [2006-11-02 06:45]
                    .
                    .
                    ------- Supplementary Scan -------
                    .
                    uInternet Settings,ProxyOverride = *.local
                    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
                    .
                    .
                    ------- File Associations -------
                    .
                    inifile=%SystemRoot%\System32\NOTEPAD.EXE %1"
                    .

                    **************************************************************************

                    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                    Rootkit scan 2009-02-22 15:55:38
                    Windows 6.0.6000  NTFS

                    scanning hidden processes ... 

                    scanning hidden autostart entries ...

                    scanning hidden files ... 


                    **************************************************************************
                    .
                    --------------------- DLLs Loaded Under Running Processes ---------------------

                    - - - - - - - > 'lsass.exe'(656)
                    c:\windows\system32\psqlpwd.dll
                    c:\program files\Fingerprint Reader Suite\homefus2.dll
                    c:\program files\Fingerprint Reader Suite\infra.dll

                    - - - - - - - > 'Explorer.exe'(4144)
                    c:\program files\Fingerprint Reader Suite\farchns.dll
                    c:\program files\Fingerprint Reader Suite\infra.dll
                    c:\program files\Microsoft FactFinder\FFMH.DLL
                    c:\program files\Nokia\Nokia PC Suite 7\phonebrowser.dll
                    c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
                    c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng.nlr
                    c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
                    .
                    ------------------------ Other Running Processes ------------------------
                    .
                    c:\windows\System32\audiodg.exe
                    c:\program files\Fingerprint Reader Suite\upeksvr.exe
                    c:\windows\System32\WLTRYSVC.EXE
                    c:\windows\System32\BCMWLTRY.EXE
                    c:\windows\System32\wlanext.exe
                    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
                    c:\program files\Bonjour\mDNSResponder.exe
                    c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
                    c:\program files\Dell Support Center\bin\sprtsvc.exe
                    c:\windows\System32\stacsv.exe
                    c:\windows\System32\rundll32.exe
                    c:\windows\System32\rundll32.exe
                    c:\windows\System32\rundll32.exe
                    c:\program files\Fingerprint Reader Suite\psqltray.exe
                    c:\windows\ehome\ehmsas.exe
                    c:\program files\DellTPad\ApMsgFwd.exe
                    c:\program files\DellTPad\hidfind.exe
                    c:\program files\DellTPad\ApntEx.exe
                    c:\program files\Windows Media Player\wmpnetwk.exe
                    c:\program files\iPod\bin\iPodService.exe
                    c:\program files\PC Connectivity Solution\ServiceLayer.exe
                    c:\combofix\hidec.exe
                    c:\program files\Common Files\Nokia\MPAPI\MPAPI3s.exe
                    c:\program files\PC Connectivity Solution\Transports\NclUSBSrv.exe
                    c:\program files\PC Connectivity Solution\Transports\NclRSSrv.exe
                    c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
                    c:\combofix\Catchme.tmp
                    .
                    **************************************************************************
                    .
                    Completion time: 2009-02-22 16:01:41 - machine was rebooted [Adeeba]
                    ComboFix-quarantined-files.txt  2009-02-22 18:59:52

                    Pre-Run: 77,157,249,024 bytes free
                    Post-Run: 77,124,923,392 bytes free

                    232   --- E O F ---   2009-02-18 17:31:34





                    So how's that?


                    Thank you immensely for your patience and help!!


                    evilfantasy

                    Re: Laptop infected with W32.Rontokbro@mm
                    « Reply #13 on: February 22, 2009, 01:23:14 PM »
                    Download Malwarebytes' Anti-Malware (MBAM)

                    • Double-click mbam-setup.exe and follow the prompts to install the program.
                    • At the end, be sure a checkmark is placed next to the following:
                      • Update Malwarebytes' Anti-Malware
                      • Launch Malwarebytes' Anti-Malware
                    • Then click Finish.
                    • If an update is found, it will download and install the latest version.
                    • Once the program has loaded, select Perform quick scan, then click Scan.
                    • When the scan is complete, click OK, then Show Results to view the results.
                    • Be sure that everything is checked, and click Remove Selected.
                    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
                    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
                    • Copy and Paste the entire report in your next reply.
                    Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

                      adeeba222

                        Topic Starter


                        Rookie

                        Re: Laptop infected with W32.Rontokbro@mm
                        « Reply #14 on: February 22, 2009, 02:35:58 PM »

                        Did what you said, here's the log:


                        Malwarebytes' Anti-Malware 1.34
                        Database version: 1794
                        Windows 6.0.6000

                        22/02/2009 05:36:58 PM
                        mbam-log-2009-02-22 (17-36-58).txt

                        Scan type: Quick Scan
                        Objects scanned: 63522
                        Time elapsed: 2 minute(s), 58 second(s)

                        Memory Processes Infected: 0
                        Memory Modules Infected: 0
                        Registry Keys Infected: 0
                        Registry Values Infected: 0
                        Registry Data Items Infected: 0
                        Folders Infected: 0
                        Files Infected: 6

                        Memory Processes Infected:
                        (No malicious items detected)

                        Memory Modules Infected:
                        (No malicious items detected)

                        Registry Keys Infected:
                        (No malicious items detected)

                        Registry Values Infected:
                        (No malicious items detected)

                        Registry Data Items Infected:
                        (No malicious items detected)

                        Folders Infected:
                        (No malicious items detected)

                        Files Infected:
                        C:\Users\Adeeba\Local Settings\csrss.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
                        C:\Users\Adeeba\Local Settings\Application Data\csrss.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
                        C:\Users\Adeeba\Local Settings\smss.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
                        C:\Users\Adeeba\Local Settings\Application Data\smss.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
                        C:\Users\Adeeba\Local Settings\svchost.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
                        C:\Users\Adeeba\Local Settings\Application Data\svchost.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.



                        thanks
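Both logs in this thread show the same pattern: the ComboFix "Previous Run" deletions are files named inetinfo.exe, lsass.exe, services.exe and winlogon.exe sitting in AppData\Local, and MBAM's "Heuristics.Reserved.Word.Exploit" hits are csrss.exe, smss.exe and svchost.exe under Local Settings. Windows only runs those names from its own system directories, so a copy anywhere in a user profile is the tell. The triage script below is an added example, not code from the thread, from ComboFix or from Malwarebytes: it scans log lines for executable paths, flags reserved process names outside the system directories, and groups the hits by directory. The `RESERVED_NAMES` list and `LEGIT_DIR_PREFIXES` are assumptions chosen for this example, and `SAMPLE_LOG` is constructed, modelled on the two logs above.

```python
"""Reserved-process-name triage over ComboFix / MBAM style log lines (added example)."""
import ntpath
import re

# Assumed set of names Windows only runs from its system directories
# (a constructed subset, not any vendor's signature set).
RESERVED_NAMES = {
    "csrss.exe", "smss.exe", "svchost.exe", "lsass.exe",
    "services.exe", "winlogon.exe", "inetinfo.exe",
}

# Assumed legitimate locations for those names (compared lower-case).
LEGIT_DIR_PREFIXES = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\winsxs",
)

# A drive-letter path ending in .exe. The lazy quantifier stops at the first
# ".exe", so directories containing spaces ("Local Settings") are kept whole.
PATH_RE = re.compile(r"[A-Za-z]:\\[^()\r\n]*?\.exe\b", re.IGNORECASE)


def reserved_name_hits(log_lines):
    """Return [(line_no, path), ...] for every .exe path whose basename is a
    reserved process name and whose directory is not a system location."""
    hits = []
    for line_no, line in enumerate(log_lines, start=1):
        for path in PATH_RE.findall(line):
            directory, name = ntpath.split(path)
            if name.lower() not in RESERVED_NAMES:
                continue
            if directory.lower().startswith(LEGIT_DIR_PREFIXES):
                continue  # e.g. c:\windows\System32\svchost.exe is where it belongs
            hits.append((line_no, path))
    return hits


def drop_directories(hits):
    """Group flagged files by directory so the drop locations stand out."""
    grouped = {}
    for _, path in hits:
        directory, name = ntpath.split(path)
        grouped.setdefault(directory, []).append(name)
    return {d: sorted(names) for d, names in grouped.items()}


# Constructed sample modelled on the ComboFix and MBAM output in the thread;
# it mixes worm drops with legitimate system32 entries that must not fire.
SAMPLE_LOG = r"""
---- Previous Run -------
c:\users\Adeeba\AppData\Local\inetinfo.exe
c:\users\Adeeba\AppData\Local\lsass.exe
c:\users\Adeeba\AppData\Local\services.exe
c:\users\Adeeba\AppData\Local\winlogon.exe
"MRT"="c:\windows\system32\MRT.exe" [2009-02-03 21244864]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|
- - - - - - - > 'lsass.exe'(656)
c:\windows\system32\psqlpwd.dll
C:\Users\Adeeba\Local Settings\csrss.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
C:\Users\Adeeba\Local Settings\Application Data\smss.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
c:\windows\System32\svchost.exe -k netsvcs
""".strip().splitlines()


if __name__ == "__main__":
    hits = reserved_name_hits(SAMPLE_LOG)
    for line_no, path in hits:
        print(f"line {line_no}: reserved name outside system dir: {path}")
    for directory, names in drop_directories(hits).items():
        print(f"{directory}: {', '.join(names)}")
```

The same rule explains why the first ComboFix run in this thread was only a partial fix: it removed the AppData\Local copies, but the Local Settings copies survived until MBAM's quick scan, so a log triage that groups hits by directory shows at a glance whether every drop location has been dealt with.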