
Author Topic: Laptop infected with W32.Rontokbro@mm  (Read 10339 times)


adeeba222

    Topic Starter


    Rookie

    Laptop infected with W32.Rontokbro@mm
    « on: February 07, 2009, 10:34:23 PM »
    Hello...

    I only got my laptop a few months ago. I have Norton Internet Security. It has detected w32.rontokbro@mm on my computer several times over the past couple of days.

    Every time it does, I apply the recommended actions (i.e. "fix") and restart when prompted, but then it finds the same threat again in minutes. I can't seem to get it to go away.

    I've tried downloading Malwarebytes, but my laptop restarts every time. It also restarts when I try to access certain web pages. I've tried the BitDefender online scan, but it said 'scan failed' twice now. In addition, I tried to disable System Restore, and realized that I couldn't do this. I'm really at a loss here.

    I am a university student and I need my laptop for my schoolwork, so any help would be greatly appreciated.

    Thanks!

    tmclendon1977



      Rookie

    • Tasting the good stuff ...
      Re: Laptop infected with W32.Rontokbro@mm
      « Reply #1 on: February 07, 2009, 11:01:47 PM »
      Hi. I do not know if they will let my post stay or not; but I remember a friend of mine who had that nasty worm virus. Here is a link to Symantec that provides manual instructions to remove the virus. It worked for my friend and he had the exact same virus. I remember because of what this worm virus does with certain words in the window titles.

      http://www.symantec.com/security_response/writeup.jsp?docid=2005-092311-2608-99&tabid=3

      I hope this helps; and if not, I am sure the moderators (or someone) here will get it solved for you. :-)
      _________________________________
      ©1977~2009, Thomas McLendon™
             ® All Rights Reserved ®

      adeeba222


        Re: Laptop infected with W32.Rontokbro@mm
        « Reply #2 on: February 08, 2009, 11:17:10 AM »

        Thanks for your suggestion, I appreciate it, but I can't disable System Restore, which is the first step. But maybe I should try it anyway. Did your friend disable System Restore first?

        Thank you for your help!!

        tmclendon1977



          Re: Laptop infected with W32.Rontokbro@mm
          « Reply #3 on: February 08, 2009, 11:33:45 AM »
          He followed the instructions. The purpose of disabling System Restore is so that it will not create a restore point with the infection in it -- to prevent you from rolling back and landing in the pit of infection.

          I DO NOT recommend it without disabling System Restore, due to the importance of being able to roll back in an emergency.

          However, I have provided you with the information on System Restore and why it is recommended to disable it. The actions you take are on your own accord.

          If you do decide to do it without disabling System Restore -- just always keep in mind to NOT roll back to the current date/time in the restore calendar.

          Maybe someone will read this that has a different method. Either way -- I would feel safe in saying that your System Restore ALREADY has images with the infection. So as a precaution -- I wouldn't roll back anyway -- after the issue is fixed.

          evilfantasy

          • Malware Removal Specialist
          • Moderator


          • Genius
          • Calm like a bomb
          • Thanked: 493
          • Experience: Experienced
          • OS: Windows 11
          Re: Laptop infected with W32.Rontokbro@mm
          « Reply #4 on: February 08, 2009, 02:13:15 PM »
          This is a worm so if you have any flash drives they are likely the source of the infection and need to be cleaned up.

          Flash Drive Cleanup

          Download Flash Disinfector by sUBs and save it to your Desktop.
           
          • Double-click Flash_Disinfector.exe to run it.
          • Your desktop and icons may disappear. This is normal.
          • It will do a cleanup of removable storage devices, and write a protected Autorun.inf file to help prevent re-infection.
          • Follow any prompts that may appear.
          • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
          • Wait until it has finished scanning and then exit the program.
          • There will be no GUI interface or log file produced.
          • Reboot your computer when done.
          Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.

          ----------

          Computer clean up

          Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

          Link #1
          Link #2

          **Note:  It is important that it is saved directly to your Desktop

          Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

          Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
           
          Double click combofix.exe & follow the prompts.
          When finished ComboFix will produce a log for you.
          Post the ComboFix log in your next reply.

          Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

          Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

          If you have problems with ComboFix usage, see How to use ComboFix.

          adeeba222


            Re: Laptop infected with W32.Rontokbro@mm
            « Reply #5 on: February 08, 2009, 07:14:10 PM »

            Hi again,

            I've realized my laptop restarts whenever I try to download any .exe file, so I'm not sure I'll be able to get ComboFix or Flash Disinfector on here. I tried downloading Malwarebytes from several different links, and then just to test I tried to download another .exe file and my laptop kept restarting. Isn't there any other way?

            Thanks for your help!!

            rmr



              Starter

              Re: Laptop infected with W32.Rontokbro@mm
              « Reply #6 on: February 08, 2009, 08:18:15 PM »
              Hi! Why don't you download those files using another computer and transfer them to your computer? ComboFix is a great tool to remove this virus. My friend had the same problem as yours and it worked.

              evilfantasy

              Re: Laptop infected with W32.Rontokbro@mm
              « Reply #7 on: February 09, 2009, 09:16:18 AM »
              Is it when you try to download the file, or when you run the file?

              If it is when you try to run it, right click on the file and re-name it to combofix.com and then try running it.

              adeeba222


                Re: Laptop infected with W32.Rontokbro@mm
                « Reply #8 on: February 21, 2009, 02:54:11 PM »

                Hi again,

                I deeply apologize for not replying sooner; this was the first chance I've had.

                I am quite concerned right now, however. I downloaded and ran ComboFix as instructed. I saw that it had completed about 50 or so stages, then I saw a message in the ComboFix window stating that my system would be rebooted. I allowed it to reboot in normal mode, then was prompted whether to system restore or not. I chose not to. My computer restarted, I logged on, and here I am.

                I don't know where the ComboFix log is, my clock didn't return to normal, and my computer still has symptoms of the worm. My antivirus (Norton Internet Security) is still off.

                What do I do at this point? It doesn't seem to have worked. Where'd I go wrong?

                Thank you for your help!!

                PS: I have Vista, does it make a difference?

                evilfantasy

                Re: Laptop infected with W32.Rontokbro@mm
                « Reply #9 on: February 21, 2009, 03:00:57 PM »
                The log is saved to c:\combofix.txt

                Just find the combofix.txt file in C:\ and post the contents back here.

                adeeba222


                  Re: Laptop infected with W32.Rontokbro@mm
                  « Reply #10 on: February 22, 2009, 03:08:39 AM »

                  It isn't there, I've checked. And I've searched for it, but no log file seems to have been created.

                  I saw that some files were deleted while it was running, but I still have the virus, so maybe ComboFix didn't run properly. Should I run it again? Or would this lead to the same result?


                  evilfantasy

                  Re: Laptop infected with W32.Rontokbro@mm
                  « Reply #11 on: February 22, 2009, 10:15:07 AM »
                  Run it again please.

                  adeeba222


                    Re: Laptop infected with W32.Rontokbro@mm
                    « Reply #12 on: February 22, 2009, 01:07:29 PM »

                    I ran it again, and I think it worked well this time. I didn't see any blue screen on restart or any prompts asking about System Restore, plus my clock went back to normal this time.

                    This is the log file it created:


                    ComboFix 09-02-19.01 - Adeeba 2009-02-22 15:50:20.1 - NTFSx86
                    Microsoft® Windows Vista™ Home Premium   6.0.6000.0.1252.1.1033.18.3581.2486 [GMT -3:00]
                    Running from: c:\users\Adeeba\Desktop\ComboFix.exe
                    AV: Norton Internet Security *On-access scanning disabled* (Updated)
                    FW: Norton Internet Security *disabled*
                     * Created a new restore point
                    .

                    (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
                    .
                    .
                    ---- Previous Run -------
                    .
                    c:\users\Adeeba\AppData\Local\inetinfo.exe
                    c:\users\Adeeba\AppData\Local\lsass.exe
                    c:\users\Adeeba\AppData\Local\services.exe
                    c:\users\Adeeba\AppData\Local\winlogon.exe

                    .
                    (((((((((((((((((((((((((   Files Created from 2009-01-22 to 2009-02-22  )))))))))))))))))))))))))))))))
                    .

                    2009-02-18 13:35 . 2009-02-18 13:46   <DIR>   d--------   c:\users\Adeeba\AppData\Roaming\Dev-Cpp
                    2009-02-18 13:34 . 2009-02-18 13:34   <DIR>   d--------   C:\Dev-Cpp
                    2009-02-18 10:05 . 2008-12-05 01:26   1,244,672   --a------   c:\windows\System32\mcmde.dll
                    2009-02-18 10:05 . 2008-12-05 01:29   428,032   --a------   c:\windows\System32\EncDec.dll
                    2009-02-18 10:05 . 2008-12-05 01:28   292,352   --a------   c:\windows\System32\psisdecd.dll
                    2009-02-18 10:05 . 2008-12-05 01:28   217,088   --a------   c:\windows\System32\psisrndr.ax
                    2009-02-18 10:05 . 2008-12-05 01:29   177,152   --a------   c:\windows\System32\mpg2splt.ax
                    2009-02-18 10:05 . 2008-12-05 01:27   80,896   --a------   c:\windows\System32\MSNP.ax
                    2009-02-18 10:05 . 2008-12-05 01:27   68,608   --a------   c:\windows\System32\Mpeg2Data.ax
                    2009-02-18 10:05 . 2008-12-05 01:27   57,856   --a------   c:\windows\System32\MSDvbNP.ax
                    2009-02-11 19:09 . 2009-02-11 19:09   118   --a------   c:\windows\System32\MRT.INI
                    2009-02-07 23:08 . 2009-02-08 01:10   <DIR>   d--------   c:\windows\BDOSCAN8
                    2009-01-24 23:09 . 2009-02-12 20:16   <DIR>   d--------   c:\users\Adeeba\random

                    .
                    ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                    .
                    2009-02-22 18:46   ---------   d-----w   c:\programdata\Roxio
                    2009-02-22 14:45   ---------   d-----w   c:\programdata\Symantec
                    2009-02-12 06:00   ---------   d-----w   c:\program files\Windows Mail
                    2009-02-11 19:15   ---------   d-----w   c:\users\Adeeba\AppData\Roaming\LimeWire
                    2009-01-21 23:08   ---------   d-----w   c:\programdata\CyberLink
                    2009-01-15 04:16   52,736   ----a-w   c:\windows\AppPatch\iebrshim.dll
                    2009-01-08 01:39   27,934   ----a-w   c:\users\All Users\nvModes.dat
                    2009-01-08 01:39   27,934   ----a-w   c:\programdata\nvModes.dat
                    2009-01-06 21:35   ---------   d-----w   c:\users\Adeeba\AppData\Roaming\DivX
                    2009-01-06 21:32   ---------   d-----w   c:\program files\DivX
                    2009-01-06 21:32   ---------   d-----w   c:\program files\Common Files\PX Storage Engine
                    2009-01-06 19:23   806   ----a-w   c:\windows\system32\drivers\SYMEVENT.INF
                    2009-01-06 19:23   124,464   ----a-w   c:\windows\system32\drivers\SYMEVENT.SYS
                    2009-01-06 19:23   10,635   ----a-w   c:\windows\system32\drivers\SYMEVENT.CAT
                    2009-01-06 19:23   ---------   d-----w   c:\program files\Symantec
                    2008-12-29 16:20   ---------   d-----w   c:\users\Guest\AppData\Roaming\vlc
                    2008-12-10 19:17   174   --sha-w   c:\program files\desktop.ini
                    2008-10-05 02:37   0   ----a-w   c:\users\Adeeba\AppData\Roaming\wklnhst.dat
                    2008-09-04 22:00   76   --sh--r   c:\windows\CT4CET.bin
                    .

                    (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                    .
                    .
                    *Note* empty entries & legit default entries are not shown
                    REGEDIT4

                    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
                    @="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
                    [HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
                    2007-04-17 01:13   721408   --a------   c:\program files\Fingerprint Reader Suite\farchns.dll

                    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
                    @="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
                    [HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
                    2007-04-17 01:13   721408   --a------   c:\program files\Fingerprint Reader Suite\farchns.dll

                    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-09-05 1232896]
                    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
                    "PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2008-10-02 1124352]
                    "DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-14 206064]
                    "FactFinder"="c:\program files\Microsoft FactFinder\ff.exe" [2001-06-22 81920]
                    "Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 7\PCSync2.exe" [2008-06-17 1249280]
                    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]

                    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                    "Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-01-25 167936]
                    "OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2008-03-04 36864]
                    "NvSvc"="c:\windows\system32\nvsvc.dll" [2008-04-09 166432]
                    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-04-09 13515296]
                    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-04-09 92704]
                    "NVHotkey"="c:\windows\system32\nvHotkey.dll" [2008-04-09 92704]
                    "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-05-16 3444736]
                    "PSQLLauncher"="c:\program files\Fingerprint Reader Suite\launcher.exe" [2007-04-17 49168]
                    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
                    "dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
                    "PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-12-21 184320]
                    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
                    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-10-19 185872]
                    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
                    "DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-14 206064]
                    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
                    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
                    "MRT"="c:\windows\system32\MRT.exe" [2009-02-03 21244864]

                    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
                    QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2008-02-22 1193240]

                    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
                    "DisableCAD"= 1 (0x1)

                    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
                    2008-09-04 19:12 10536 c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

                    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
                    2007-04-17 01:04 86528 c:\windows\System32\psqlpwd.dll

                    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
                    Notification Packages   REG_MULTI_SZ      scecli psqlpwd

                    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
                    @="Driver"

                    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
                    "UacDisableNotify"=dword:00000001
                    "InternetSettingsDisableNotify"=dword:00000001
                    "AutoUpdateDisableNotify"=dword:00000001

                    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
                    "DisableMonitoring"=dword:00000001

                    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
                    "DisableMonitoring"=dword:00000001

                    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
                    "DisableMonitoring"=dword:00000001

                    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
                    "EnableFirewall"= 0 (0x0)

                    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
                    "{7B3C4EB0-20B3-4B89-B248-E7810C130E59}"= c:\program files\Dell\MediaDirect\MediaDirect.exe:Dell MediaDirect
                    "{627A842B-3E8F-4799-8213-1861B640F3D1}"= c:\program files\Dell\MediaDirect\PCMService.exe:CyberLink PowerCinema Resident Program
                    "{AC91ED12-8024-4F90-8F4A-C628C30B6DD7}"= c:\program files\Dell\MediaDirect\Kernel\DMP\CLBrowserEngine.exe:Cyberlink Media Server Browser Engine
                    "{0DFC109E-7369-4ADC-9E57-33354C1291D6}"= c:\program files\Dell\MediaDirect\Kernel\DMS\CLMSService.exe:CyberLink Media Server
                    "{57656B01-03BC-482E-999C-C75AA8FD923B}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
                    "{9FFA8897-FF49-48DC-A83A-3C507F856C54}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
                    "{3DDA4CA1-59F3-409D-B5A4-A7C6CA5D3558}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
                    "{EF8B4C7D-510D-412C-88FF-0C61E0323733}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
                    "{1020596F-1992-4F0B-BC16-78FF0BC3340F}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
                    "{E5558807-9126-4799-B51D-94498BC8F93D}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
                    "{C2D15551-E4C0-49B7-B83F-8A3ACEF8DA08}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
                    "{821A94FD-6723-401C-AAE0-1059373787BC}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
                    "{602E7440-16D9-4512-A78E-980FE6A2406D}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

                    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
                    "EnableFirewall"= 0 (0x0)

                    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
                    "DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

                    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
                    "EnableFirewall"= 0 (0x0)

                    R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\ipsdefs\20090212.002\IDSvix86.sys [2009-02-16 270384]
                    R2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\AEstSrv.exe [2008-09-04 73728]
                    R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2008-10-27 149352]
                    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-10-07 99376]
                    R3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\System32\drivers\OEM02Dev.sys [2008-09-05 235648]
                    R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\System32\drivers\OEM02Vfx.sys [2008-09-05 7424]
                    R3 SYMNDISV;SYMNDISV;c:\windows\System32\drivers\symndisv.sys [2008-06-13 41008]
                    S3 cmo_bus;Data Modem @ CDMA Composite Device driver (WDM);c:\windows\System32\drivers\cmo_bus.sys [2008-10-05 58352]
                    S3 cmo_mdfl;Data Modem @ CDMA Filter;c:\windows\System32\drivers\cmo_mdfl.sys [2008-10-05 8304]
                    S3 cmo_mdm;Data Modem @ CDMA Drivers;c:\windows\System32\drivers\cmo_mdm.sys [2008-10-05 93904]
                    S3 COH_Mon;COH_Mon;c:\windows\System32\drivers\COH_Mon.sys [2007-05-29 23888]
                    S4 iaNvStor;Intel(R) Turbo Memory Controller;c:\windows\System32\drivers\iaNvStor.sys [2008-09-05 209408]

                    --- Other Services/Drivers In Memory ---

                    *NewlyCreated* - COMHOST

                    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fc790409-b5e1-11dd-8c0e-002268995227}]
                    \shell\AutoRun\command - G:\LaunchU3.exe -a
                    .
                    Contents of the 'Scheduled Tasks' folder

                    2009-01-19 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Adeeba.job
                    - c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-08-26 14:19]

                    2009-02-22 c:\windows\Tasks\User_Feed_Synchronization-{A17C346D-D918-4BF3-888D-B1FAD8D6E04B}.job
                    - c:\windows\system32\msfeedssync.exe [2006-11-02 06:45]
                    .
                    .
                    ------- Supplementary Scan -------
                    .
                    uInternet Settings,ProxyOverride = *.local
                    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
                    .
                    .
                    ------- File Associations -------
                    .
                    inifile=%SystemRoot%\System32\NOTEPAD.EXE %1"
                    .

                    **************************************************************************

                    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                    Rootkit scan 2009-02-22 15:55:38
                    Windows 6.0.6000  NTFS

                    scanning hidden processes ... 

                    scanning hidden autostart entries ...

                    scanning hidden files ... 


                    **************************************************************************
                    .
                    --------------------- DLLs Loaded Under Running Processes ---------------------

                    - - - - - - - > 'lsass.exe'(656)
                    c:\windows\system32\psqlpwd.dll
                    c:\program files\Fingerprint Reader Suite\homefus2.dll
                    c:\program files\Fingerprint Reader Suite\infra.dll

                    - - - - - - - > 'Explorer.exe'(4144)
                    c:\program files\Fingerprint Reader Suite\farchns.dll
                    c:\program files\Fingerprint Reader Suite\infra.dll
                    c:\program files\Microsoft FactFinder\FFMH.DLL
                    c:\program files\Nokia\Nokia PC Suite 7\phonebrowser.dll
                    c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
                    c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng.nlr
                    c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
                    .
                    ------------------------ Other Running Processes ------------------------
                    .
                    c:\windows\System32\audiodg.exe
                    c:\program files\Fingerprint Reader Suite\upeksvr.exe
                    c:\windows\System32\WLTRYSVC.EXE
                    c:\windows\System32\BCMWLTRY.EXE
                    c:\windows\System32\wlanext.exe
                    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
                    c:\program files\Bonjour\mDNSResponder.exe
                    c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
                    c:\program files\Dell Support Center\bin\sprtsvc.exe
                    c:\windows\System32\stacsv.exe
                    c:\windows\System32\rundll32.exe
                    c:\windows\System32\rundll32.exe
                    c:\windows\System32\rundll32.exe
                    c:\program files\Fingerprint Reader Suite\psqltray.exe
                    c:\windows\ehome\ehmsas.exe
                    c:\program files\DellTPad\ApMsgFwd.exe
                    c:\program files\DellTPad\hidfind.exe
                    c:\program files\DellTPad\ApntEx.exe
                    c:\program files\Windows Media Player\wmpnetwk.exe
                    c:\program files\iPod\bin\iPodService.exe
                    c:\program files\PC Connectivity Solution\ServiceLayer.exe
                    c:\combofix\hidec.exe
                    c:\program files\Common Files\Nokia\MPAPI\MPAPI3s.exe
                    c:\program files\PC Connectivity Solution\Transports\NclUSBSrv.exe
                    c:\program files\PC Connectivity Solution\Transports\NclRSSrv.exe
                    c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
                    c:\combofix\Catchme.tmp
                    .
                    **************************************************************************
                    .
                    Completion time: 2009-02-22 16:01:41 - machine was rebooted [Adeeba]
                    ComboFix-quarantined-files.txt  2009-02-22 18:59:52

                    Pre-Run: 77,157,249,024 bytes free
                    Post-Run: 77,124,923,392 bytes free

                    232   --- E O F ---   2009-02-18 17:31:34





                    So how's that?

                    Thank you immensely for your patience and help!!


                    evilfantasy

                    Re: Laptop infected with W32.Rontokbro@mm
                    « Reply #13 on: February 22, 2009, 01:23:14 PM »
                    Download Malwarebytes' Anti-Malware (MBAM)

                    • Double-click mbam-setup.exe and follow the prompts to install the program.
                    • At the end, be sure a checkmark is placed next to the following:
                      • Update Malwarebytes' Anti-Malware
                      • Launch Malwarebytes' Anti-Malware
                    • Then click Finish.
                    • If an update is found, it will download and install the latest version.
                    • Once the program has loaded, select Perform quick scan, then click Scan.
                    • When the scan is complete, click OK, then Show Results to view the results.
                    • Be sure that everything is checked, and click Remove Selected.
                    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
                    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
                    • Copy and Paste the entire report in your next reply.
                    Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

                      adeeba222


                        Re: Laptop infected with W32.Rontokbro@mm
                        « Reply #14 on: February 22, 2009, 02:35:58 PM »

                        Did what you said, here's the log:


                        Malwarebytes' Anti-Malware 1.34
                        Database version: 1794
                        Windows 6.0.6000

                        22/02/2009 05:36:58 PM
                        mbam-log-2009-02-22 (17-36-58).txt

                        Scan type: Quick Scan
                        Objects scanned: 63522
                        Time elapsed: 2 minute(s), 58 second(s)

                        Memory Processes Infected: 0
                        Memory Modules Infected: 0
                        Registry Keys Infected: 0
                        Registry Values Infected: 0
                        Registry Data Items Infected: 0
                        Folders Infected: 0
                        Files Infected: 6

                        Memory Processes Infected:
                        (No malicious items detected)

                        Memory Modules Infected:
                        (No malicious items detected)

                        Registry Keys Infected:
                        (No malicious items detected)

                        Registry Values Infected:
                        (No malicious items detected)

                        Registry Data Items Infected:
                        (No malicious items detected)

                        Folders Infected:
                        (No malicious items detected)

                        Files Infected:
                        C:\Users\Adeeba\Local Settings\csrss.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
                        C:\Users\Adeeba\Local Settings\Application Data\csrss.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
                        C:\Users\Adeeba\Local Settings\smss.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
                        C:\Users\Adeeba\Local Settings\Application Data\smss.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
                        C:\Users\Adeeba\Local Settings\svchost.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
                        C:\Users\Adeeba\Local Settings\Application Data\svchost.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.



                        thanks
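The six detections above share one pattern: files named csrss.exe, smss.exe and svchost.exe, which Windows only ever runs from %SystemRoot%\System32, sitting in the user's profile. That location mismatch is what the "Heuristics.Reserved.Word" label is pointing at. (On Vista, Local Settings and Local Settings\Application Data are compatibility junctions into AppData\Local, so the six lines most likely describe three files reached by two paths each.) The following is an added example, not code from the thread, from Malwarebytes or from either poster: it parses the "Files Infected:" section of an MBAM log and flags any reserved process name found outside the system directories. The RESERVED_NAMES and SYSTEM_DIRS lists are this example's own assumptions, not Malwarebytes' detection logic, and SAMPLE_LOG is constructed in the layout of the log in Reply #14.

```python
# Added example (not from the thread or from Malwarebytes): flag the
# "reserved process name outside the system directories" masquerade in
# the Files Infected section of a Malwarebytes' Anti-Malware log.
import re
from pathlib import PureWindowsPath

# Assumption of this example: core process names Windows runs from System32 only.
RESERVED_NAMES = {
    "csrss.exe", "smss.exe", "svchost.exe", "lsass.exe",
    "winlogon.exe", "services.exe", "wininit.exe", "spoolsv.exe",
}

# Assumption of this example: directories (lower-cased) where those names belong.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# One detection line:  <path> (<detection name>) -> <action taken>
FILE_LINE = re.compile(r"^(?P<path>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+)$")


def parse_files_infected(log_text):
    """Return [(path, detection, action), ...] from the detail section.

    The summary block also carries a 'Files Infected: N' line, so the
    section header is matched exactly rather than by prefix.
    """
    results, in_section = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Files Infected:":
            in_section = True
            continue
        if not in_section:
            continue
        if not line or line == "(No malicious items detected)":
            break  # blank line or the empty marker closes the section
        m = FILE_LINE.match(line)
        if m:
            results.append((m["path"], m["detection"], m["action"]))
    return results


def is_masquerade(path):
    """True when a reserved process name sits outside the system directories."""
    p = PureWindowsPath(path)
    if p.name.lower() not in RESERVED_NAMES:
        return False
    parent = str(p.parent).lower()
    return not any(parent == d or parent.startswith(d + "\\") for d in SYSTEM_DIRS)


def review(log_text):
    """Attach a masquerade verdict to every detection so a responder can triage."""
    return [
        {"path": path, "detection": det, "action": act, "masquerade": is_masquerade(path)}
        for path, det, act in parse_files_infected(log_text)
    ]


# Constructed sample in the layout of the Reply #14 log (summary, then detail).
SAMPLE_LOG = r"""
Files Infected: 6

Files Infected:
C:\Users\Adeeba\Local Settings\csrss.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
C:\Users\Adeeba\Local Settings\Application Data\csrss.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
C:\Users\Adeeba\Local Settings\smss.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
C:\Users\Adeeba\Local Settings\Application Data\smss.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
C:\Users\Adeeba\Local Settings\svchost.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
C:\Users\Adeeba\Local Settings\Application Data\svchost.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

"""

if __name__ == "__main__":
    for row in review(SAMPLE_LOG):
        flag = "MASQUERADE" if row["masquerade"] else "review"
        print(f"{flag:10} {row['path']}  [{row['detection']}]")
```

The check is deliberately path-based rather than name-based: a svchost.exe in System32 is normal, the same name in a profile directory is not, and that is the distinction a responder reading such a log should be making.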

                        evilfantasy

                        • Malware Removal Specialist
                        • Moderator


                        Re: Laptop infected with W32.Rontokbro@mm
                        « Reply #15 on: February 22, 2009, 02:46:09 PM »
                        Delete these files/folders, as follows:

                        1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
                        It must be Notepad, not Wordpad.
                        2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

                        Code:
                        KillAll::

                        Registry::
                        [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]

                        3. Go to the Notepad window and click Edit > Paste
                        4. Then click File > Save
                        5. Name the file CFScript.txt - Save the file to your Desktop
                        6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



                        ComboFix will begin to execute, just follow the prompts.
                        After reboot (in case it asks to reboot), it will produce a log for you.
                        Post that log (Combofix.txt) in your next reply.

                        Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze

                        adeeba222

                          Topic Starter


                          Rookie

                          Re: Laptop infected with W32.Rontokbro@mm
                          « Reply #16 on: February 22, 2009, 03:14:47 PM »

                          I did it, here's the latest log:


                          ComboFix 09-02-19.01 - Adeeba 2009-02-22 18:02:12.2 - NTFSx86
                          Microsoft® Windows Vista™ Home Premium   6.0.6000.0.1252.1.1033.18.3581.2540 [GMT -3:00]
                          Running from: c:\users\Adeeba\Desktop\ComboFix.exe
                          Command switches used :: c:\users\Adeeba\Desktop\CFScript.txt
                          AV: Norton Internet Security *On-access scanning disabled* (Updated)
                          FW: Norton Internet Security *disabled*
                           * Created a new restore point
                          .

                          (((((((((((((((((((((((((   Files Created from 2009-01-22 to 2009-02-22  )))))))))))))))))))))))))))))))
                          .

                          2009-02-22 17:12 . 2009-02-22 17:12   <DIR>   d--------   c:\users\All Users\Malwarebytes
                          2009-02-22 17:12 . 2009-02-22 17:12   <DIR>   d--------   c:\users\Adeeba\AppData\Roaming\Malwarebytes
                          2009-02-22 17:12 . 2009-02-22 17:12   <DIR>   d--------   c:\programdata\Malwarebytes
                          2009-02-22 17:12 . 2009-02-22 17:12   <DIR>   d--------   c:\program files\Malwarebytes' Anti-Malware
                          2009-02-22 17:12 . 2009-02-11 10:19   38,496   --a------   c:\windows\System32\drivers\mbamswissarmy.sys
                          2009-02-22 17:12 . 2009-02-11 10:19   15,504   --a------   c:\windows\System32\drivers\mbam.sys
                          2009-02-18 13:35 . 2009-02-18 13:46   <DIR>   d--------   c:\users\Adeeba\AppData\Roaming\Dev-Cpp
                          2009-02-18 13:34 . 2009-02-18 13:34   <DIR>   d--------   C:\Dev-Cpp
                          2009-02-18 10:05 . 2008-12-05 01:26   1,244,672   --a------   c:\windows\System32\mcmde.dll
                          2009-02-18 10:05 . 2008-12-05 01:29   428,032   --a------   c:\windows\System32\EncDec.dll
                          2009-02-18 10:05 . 2008-12-05 01:28   292,352   --a------   c:\windows\System32\psisdecd.dll
                          2009-02-18 10:05 . 2008-12-05 01:28   217,088   --a------   c:\windows\System32\psisrndr.ax
                          2009-02-18 10:05 . 2008-12-05 01:29   177,152   --a------   c:\windows\System32\mpg2splt.ax
                          2009-02-18 10:05 . 2008-12-05 01:27   80,896   --a------   c:\windows\System32\MSNP.ax
                          2009-02-18 10:05 . 2008-12-05 01:27   68,608   --a------   c:\windows\System32\Mpeg2Data.ax
                          2009-02-18 10:05 . 2008-12-05 01:27   57,856   --a------   c:\windows\System32\MSDvbNP.ax
                          2009-02-11 19:09 . 2009-02-11 19:09   118   --a------   c:\windows\System32\MRT.INI
                          2009-02-07 23:08 . 2009-02-08 01:10   <DIR>   d--------   c:\windows\BDOSCAN8
                          2009-01-24 23:09 . 2009-02-12 20:16   <DIR>   d--------   c:\users\Adeeba\random

                          .
                          ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                          .
                          2009-02-22 20:42   ---------   d-----w   c:\programdata\Symantec
                          2009-02-22 18:46   ---------   d-----w   c:\programdata\Roxio
                          2009-02-12 06:00   ---------   d-----w   c:\program files\Windows Mail
                          2009-02-11 19:15   ---------   d-----w   c:\users\Adeeba\AppData\Roaming\LimeWire
                          2009-01-21 23:08   ---------   d-----w   c:\programdata\CyberLink
                          2009-01-15 04:16   52,736   ----a-w   c:\windows\AppPatch\iebrshim.dll
                          2009-01-08 01:39   27,934   ----a-w   c:\users\All Users\nvModes.dat
                          2009-01-08 01:39   27,934   ----a-w   c:\programdata\nvModes.dat
                          2009-01-06 21:35   ---------   d-----w   c:\users\Adeeba\AppData\Roaming\DivX
                          2009-01-06 21:32   ---------   d-----w   c:\program files\DivX
                          2009-01-06 21:32   ---------   d-----w   c:\program files\Common Files\PX Storage Engine
                          2009-01-06 19:23   806   ----a-w   c:\windows\system32\drivers\SYMEVENT.INF
                          2009-01-06 19:23   124,464   ----a-w   c:\windows\system32\drivers\SYMEVENT.SYS
                          2009-01-06 19:23   10,635   ----a-w   c:\windows\system32\drivers\SYMEVENT.CAT
                          2009-01-06 19:23   ---------   d-----w   c:\program files\Symantec
                          2008-12-29 16:20   ---------   d-----w   c:\users\Guest\AppData\Roaming\vlc
                          2008-12-10 19:17   174   --sha-w   c:\program files\desktop.ini
                          2008-10-05 02:37   0   ----a-w   c:\users\Adeeba\AppData\Roaming\wklnhst.dat
                          2008-09-04 22:00   76   --sh--r   c:\windows\CT4CET.bin
                          .

                          (((((((((((((((((((((((((((((   SnapShot@2009-02-22_15.59.16.77   )))))))))))))))))))))))))))))))))))))))))
                          .
                          - 2009-02-22 18:55:28   262,144   --sha-w   c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
                          + 2009-02-22 21:06:22   262,144   --sha-w   c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
                          - 2009-02-22 18:55:28   262,144   --sha-w   c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
                          + 2009-02-22 21:06:22   262,144   --sha-w   c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
                          - 2009-02-22 18:55:12   16,384   --sha-w   c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
                          + 2009-02-22 21:06:12   16,384   --sha-w   c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
                          - 2009-02-22 18:55:12   32,768   --sha-w   c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
                          + 2009-02-22 21:06:12   32,768   --sha-w   c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
                          - 2009-02-22 18:55:12   16,384   --sha-w   c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
                          + 2009-02-22 21:06:12   16,384   --sha-w   c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
                          - 2009-02-22 18:56:53   6,076   ----a-w   c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1626518161-2929080396-116505275-1000_UserData.bin
                          + 2009-02-22 20:48:15   6,092   ----a-w   c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1626518161-2929080396-116505275-1000_UserData.bin
                          - 2009-02-22 18:56:53   72,356   ----a-w   c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
                          + 2009-02-22 20:48:15   72,356   ----a-w   c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
                          - 2009-02-22 17:18:39   43,140   ----a-w   c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
                          + 2009-02-22 20:48:14   43,140   ----a-w   c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
                          .
                          (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                          .
                          .
                          *Note* empty entries & legit default entries are not shown
                          REGEDIT4

                          [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
                          @="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
                          [HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
                          2007-04-17 01:13   721408   --a------   c:\program files\Fingerprint Reader Suite\farchns.dll

                          [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
                          @="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
                          [HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
                          2007-04-17 01:13   721408   --a------   c:\program files\Fingerprint Reader Suite\farchns.dll

                          [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                          "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-09-05 1232896]
                          "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
                          "PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2008-10-02 1124352]
                          "DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-14 206064]
                          "FactFinder"="c:\program files\Microsoft FactFinder\ff.exe" [2001-06-22 81920]
                          "Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 7\PCSync2.exe" [2008-06-17 1249280]
                          "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]

                          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                          "Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-01-25 167936]
                          "OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2008-03-04 36864]
                          "NvSvc"="c:\windows\system32\nvsvc.dll" [2008-04-09 166432]
                          "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-04-09 13515296]
                          "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-04-09 92704]
                          "NVHotkey"="c:\windows\system32\nvHotkey.dll" [2008-04-09 92704]
                          "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-05-16 3444736]
                          "PSQLLauncher"="c:\program files\Fingerprint Reader Suite\launcher.exe" [2007-04-17 49168]
                          "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
                          "dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
                          "PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-12-21 184320]
                          "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
                          "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-10-19 185872]
                          "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
                          "DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-14 206064]
                          "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
                          "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
                          "MRT"="c:\windows\system32\MRT.exe" [2009-02-03 21244864]

                          c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
                          QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2008-02-22 1193240]

                          [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
                          "DisableCAD"= 1 (0x1)

                          [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
                          2008-09-04 19:12 10536 c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

                          [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
                          Notification Packages   REG_MULTI_SZ      scecli psqlpwd

                          [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
                          @="Driver"

                          [HKEY_LOCAL_MACHINE\software\microsoft\security center]
                          "UacDisableNotify"=dword:00000001
                          "InternetSettingsDisableNotify"=dword:00000001
                          "AutoUpdateDisableNotify"=dword:00000001

                          [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
                          "DisableMonitoring"=dword:00000001

                          [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
                          "DisableMonitoring"=dword:00000001

                          [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
                          "DisableMonitoring"=dword:00000001

                          [HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
                          "EnableFirewall"= 0 (0x0)

                          [HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
                          "{7B3C4EB0-20B3-4B89-B248-E7810C130E59}"= c:\program files\Dell\MediaDirect\MediaDirect.exe:Dell MediaDirect
                          "{627A842B-3E8F-4799-8213-1861B640F3D1}"= c:\program files\Dell\MediaDirect\PCMService.exe:CyberLink PowerCinema Resident Program
                          "{AC91ED12-8024-4F90-8F4A-C628C30B6DD7}"= c:\program files\Dell\MediaDirect\Kernel\DMP\CLBrowserEngine.exe:Cyberlink Media Server Browser Engine
                          "{0DFC109E-7369-4ADC-9E57-33354C1291D6}"= c:\program files\Dell\MediaDirect\Kernel\DMS\CLMSService.exe:CyberLink Media Server
                          "{57656B01-03BC-482E-999C-C75AA8FD923B}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
                          "{9FFA8897-FF49-48DC-A83A-3C507F856C54}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
                          "{3DDA4CA1-59F3-409D-B5A4-A7C6CA5D3558}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
                          "{EF8B4C7D-510D-412C-88FF-0C61E0323733}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
                          "{1020596F-1992-4F0B-BC16-78FF0BC3340F}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
                          "{E5558807-9126-4799-B51D-94498BC8F93D}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
                          "{C2D15551-E4C0-49B7-B83F-8A3ACEF8DA08}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
                          "{821A94FD-6723-401C-AAE0-1059373787BC}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
                          "{602E7440-16D9-4512-A78E-980FE6A2406D}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

                          [HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
                          "EnableFirewall"= 0 (0x0)

                          [HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
                          "DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

                          [HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
                          "EnableFirewall"= 0 (0x0)

                          R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\ipsdefs\20090212.002\IDSvix86.sys [2009-02-16 270384]
                          R2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\AEstSrv.exe [2008-09-04 73728]
                          R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2008-10-27 149352]
                          R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-10-07 99376]
                          R3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\System32\drivers\OEM02Dev.sys [2008-09-05 235648]
                          R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\System32\drivers\OEM02Vfx.sys [2008-09-05 7424]
                          R3 SYMNDISV;SYMNDISV;c:\windows\System32\drivers\symndisv.sys [2008-06-13 41008]
                          S3 cmo_bus;Data Modem @ CDMA Composite Device driver (WDM);c:\windows\System32\drivers\cmo_bus.sys [2008-10-05 58352]
                          S3 cmo_mdfl;Data Modem @ CDMA Filter;c:\windows\System32\drivers\cmo_mdfl.sys [2008-10-05 8304]
                          S3 cmo_mdm;Data Modem @ CDMA Drivers;c:\windows\System32\drivers\cmo_mdm.sys [2008-10-05 93904]
                          S3 COH_Mon;COH_Mon;c:\windows\System32\drivers\COH_Mon.sys [2007-05-29 23888]
                          S4 iaNvStor;Intel(R) Turbo Memory Controller;c:\windows\System32\drivers\iaNvStor.sys [2008-09-05 209408]

                          --- Other Services/Drivers In Memory ---

                          *NewlyCreated* - COMHOST

                          [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fc790409-b5e1-11dd-8c0e-002268995227}]
                          \shell\AutoRun\command - G:\LaunchU3.exe -a
                          .
                          Contents of the 'Scheduled Tasks' folder

                          2009-01-19 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Adeeba.job
                          - c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-08-26 14:19]

                          2009-02-22 c:\windows\Tasks\User_Feed_Synchronization-{A17C346D-D918-4BF3-888D-B1FAD8D6E04B}.job
                          - c:\windows\system32\msfeedssync.exe [2006-11-02 06:45]
                          .
                          .
                          ------- Supplementary Scan -------
                          .
                          uInternet Settings,ProxyOverride = *.local
                          IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
                          TCP: {8EAB7167-A061-4B3E-95F2-205C02AA3EA6} = 196.3.132.1 196.3.132.4
                          .

                          **************************************************************************

                          catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                          Rootkit scan 2009-02-22 18:06:25
                          Windows 6.0.6000  NTFS

                          scanning hidden processes ... 

                          scanning hidden autostart entries ...

                          scanning hidden files ... 


                          **************************************************************************
                          .
                          --------------------- DLLs Loaded Under Running Processes ---------------------

                          - - - - - - - > 'lsass.exe'(652)
                          c:\windows\system32\psqlpwd.dll
                          c:\program files\Fingerprint Reader Suite\homefus2.dll
                          c:\program files\Fingerprint Reader Suite\infra.dll

                          - - - - - - - > 'Explorer.exe'(1952)
                          c:\program files\Fingerprint Reader Suite\farchns.dll
                          c:\program files\Fingerprint Reader Suite\infra.dll
                          c:\program files\Microsoft FactFinder\FFMH.DLL
                          c:\users\Adeeba\AppData\Local\Temp\catchme.dll
                          .
                          ------------------------ Other Running Processes ------------------------
                          .
                          c:\windows\System32\audiodg.exe
                          c:\program files\Fingerprint Reader Suite\upeksvr.exe
                          c:\windows\System32\WLTRYSVC.EXE
                          c:\windows\System32\BCMWLTRY.EXE
                          c:\windows\System32\wlanext.exe
                          c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
                          c:\program files\Bonjour\mDNSResponder.exe
                          c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
                          c:\program files\Dell Support Center\bin\sprtsvc.exe
                          c:\windows\System32\stacsv.exe
                          c:\windows\System32\rundll32.exe
                          c:\windows\System32\rundll32.exe
                          c:\windows\System32\rundll32.exe
                          c:\combofix\hidec.exe
                          c:\program files\DellTPad\ApMsgFwd.exe
                          c:\program files\Windows Media Player\wmpnetwk.exe
                          c:\program files\DellTPad\hidfind.exe
                          c:\program files\DellTPad\ApntEx.exe
                          c:\windows\ehome\ehmsas.exe
                          c:\program files\iPod\bin\iPodService.exe
                          c:\program files\Fingerprint Reader Suite\psqltray.exe
                          c:\program files\PC Connectivity Solution\ServiceLayer.exe
                          c:\program files\PC Connectivity Solution\Transports\NclUSBSrv.exe
                          c:\program files\Common Files\Nokia\MPAPI\MPAPI3s.exe
                          c:\program files\PC Connectivity Solution\Transports\NclRSSrv.exe
                          c:\program files\Dell Support Center\gs_agent\dsc.exe
                          c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
                          c:\combofix\Catchme.tmp
                          c:\windows\System32\dllhost.exe
                          .
                          **************************************************************************
                          .
                          Completion time: 2009-02-22 18:11:25 - machine was rebooted
                          ComboFix-quarantined-files.txt  2009-02-22 21:10:05
                          ComboFix2.txt  2009-02-22 19:01:42

                          Pre-Run: 78,872,215,552 bytes free
                          Post-Run: 78,635,069,440 bytes free

                          242   --- E O F ---   2009-02-18 17:31:34





                          thanks
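The "Reg Loading Points" part of the ComboFix log above is where a reviewer looks for settings that weaken the machine rather than for the worm itself: Security Center notifications for UAC, Internet settings and Automatic Updates are all switched off, Security Center monitoring is disabled, EnableFirewall is 0 for every Windows Firewall profile, DisableCAD is set, and a mountpoints2 entry records the AutoRun command of a removable drive (the same mechanism by which the flash drive later re-infected the laptop). Some of these commonly have benign explanations on a machine running a third-party suite: Windows Firewall profiles are often off while Norton's own firewall is registered, and vendors set the Monitoring\SymantecAntiVirus and Monitoring\SymantecFirewall DisableMonitoring values themselves. The following is an added example, not ComboFix code and not anything either poster ran: it reads that section of a ComboFix log and lists such findings for triage. SAMPLE is constructed from a subset of the lines in Reply #16; the CHECKS table is this example's own list, not ComboFix's.

```python
# Added example (not from the thread, not ComboFix code): list settings in a
# ComboFix "Reg Loading Points" section that weaken the machine's posture.
import re

# Registry key header as ComboFix prints it: [HKEY_...] or abbreviated [HKLM\~\...]
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# Value line: "Name"=dword:00000001   or   "Name"= 1 (0x1)   or   "Name"="string"
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.+)$')


def _is_one(v):
    return v == 1


def _is_zero(v):
    return v == 0


# (substring of lower-cased key path, value name, predicate on parsed value, finding text)
# This table is the example's own assumption about what is worth a reviewer's attention.
CHECKS = [
    ("security center", "UacDisableNotify", _is_one, "Security Center UAC notifications suppressed"),
    ("security center", "InternetSettingsDisableNotify", _is_one, "Internet settings warnings suppressed"),
    ("security center", "AutoUpdateDisableNotify", _is_one, "Automatic Updates warnings suppressed"),
    ("security center\\monitoring", "DisableMonitoring", _is_one, "Security Center monitoring disabled"),
    ("firewallpolicy", "EnableFirewall", _is_zero, "Windows Firewall profile disabled"),
    ("policies\\system", "DisableCAD", _is_one, "Ctrl+Alt+Del secure logon sequence disabled"),
]


def parse_value(raw):
    """Normalise the value renderings ComboFix uses: dword:XXXXXXXX, 'N (0xN)', or a string."""
    raw = raw.strip()
    m = re.match(r"^dword:([0-9a-fA-F]{8})$", raw)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"^(\d+)\s*\(0x[0-9a-fA-F]+\)$", raw)
    if m:
        return int(m.group(1))
    return raw.strip('"')


def find_weak_settings(log_text):
    """Return [(key, value_name, finding), ...] for every CHECKS hit plus AutoRun commands."""
    findings, key = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            key = km["key"].lower()
            continue
        if key is None:
            continue
        # Removable-drive AutoRun command recorded under mountpoints2; listed, not judged.
        if "mountpoints2" in key and "\\shell\\autorun\\command" in line.lower():
            cmd = line.split(" - ", 1)[-1]
            findings.append((key, "AutoRun", "removable-drive AutoRun command: " + cmd))
            continue
        vm = VALUE_RE.match(line)
        if not vm:
            continue
        value = parse_value(vm["value"])
        for key_part, name, predicate, text in CHECKS:
            if key_part in key and vm["name"].lower() == name.lower() and predicate(value):
                findings.append((key, vm["name"], text))
    return findings


# Constructed sample: a subset of the Reg Loading Points lines from Reply #16.
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fc790409-b5e1-11dd-8c0e-002268995227}]
\shell\AutoRun\command - G:\LaunchU3.exe -a
"""

if __name__ == "__main__":
    for key, name, text in find_weak_settings(SAMPLE):
        print(f"{name:32} {text}\n    at {key}")
```

The output is a triage list, not a verdict: the reviewer still has to decide which entries the installed security suite accounts for and which need to be reverted once the machine is clean.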

                          evilfantasy

                          • Malware Removal Specialist
                          • Moderator


                          Re: Laptop infected with W32.Rontokbro@mm
                          « Reply #17 on: February 22, 2009, 03:22:35 PM »
                            • Click START then RUN
                            • Now type Combofix /u in the runbox
                            • Make sure there's a space between Combofix and /u
                            • Then hit Enter.

                            The above procedure will:
                            • Delete ComboFix and its associated files and folders.
                            • Reset the clock settings.
                            • Hide file extensions, if required.
                            • Hide System/Hidden files, if required.
                            • Set a new, clean Restore Point.

                            ----------

                          Use the Kaspersky Lab Online Scanner

                          In Microsoft Windows Vista, you must open the Web browser using the Run as Administrator command. From the Desktop right click the icon to open the browser and choose Run as Administrator.

                          • Click on SCAN NOW
                          • Click Accept.
                          • The program will then begin downloading the latest definition files.
                          • Once the files have been downloaded locate the Scan Settings and have it scan My Computer.
                          • The scan will take a while, so be patient and let it finish.
                          When the scan is done, in the Scan is complete window, any infection is displayed.
                          There is no option to clean/disinfect, however, we need to analyze the information on the report.

                          To obtain the report:
                          • Click on: Save Report As
                          • Next, in the Save as prompt, Save in area, select: Desktop.
                          • In the File name area use KScan, or something similar.
                          • In Save as type: click the drop arrow and select: Text file [*.txt]
                          • Then, click: Save


                          Copy and paste the Kaspersky Online Scanner Report in your next reply.

                          Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

                          adeeba222

                            Topic Starter


                            Rookie

                            Re: Laptop infected with W32.Rontokbro@mm
                            « Reply #18 on: February 25, 2009, 10:32:48 AM »

                            I could kick myself for what I've done. I inserted my flash drive (which was the source of the worm) to run Flash Disinfector, but somehow it didn't work, and now I've re-infected the laptop. I even scanned the flash drive with Norton Internet Security and it came up clean, I don't understand.

                            I've already uninstalled ComboFix, but I'll download it again and run it once more. I don't believe it, but I'm back to square one.


                            evilfantasy

                            • Malware Removal Specialist
                            • Moderator


                            Re: Laptop infected with W32.Rontokbro@mm
                            « Reply #19 on: February 25, 2009, 12:33:07 PM »
                            Run Flash Disinfector first, then install and run ComboFix.

                            adeeba222

                              Topic Starter


                              Rookie

                              Re: Laptop infected with W32.Rontokbro@mm
                              « Reply #20 on: March 09, 2009, 08:29:29 PM »

                              Hello again

                              Sorry for the delay in my response. I ran the Windows Malicious Software Removal Tool, and it seems to have worked. All the symptoms of the worm seem to be gone now. I also ran Flash Disinfector for my flash drive on another computer that has XP, since I think maybe it doesn't run properly on Vista. But so far so good.

                              Thank you immensely for all your help!!