
Author Topic: Computer virus


infected

    Topic Starter


    Rookie

    Re: Computer virus
    « Reply #15 on: April 02, 2009, 07:12:51 PM »
    Yay, the Avira AntiVir Rescue System worked. However, it didn't remove or repair anything; it just said it renamed 17 and I had 117 warnings. After I started up my laptop the ComboFix log appeared! I attached it to the post.

    [attachment deleted by admin]

    evilfantasy

    • Malware Removal Specialist
    • Moderator


    • Genius
    • Calm like a bomb
    • Thanked: 493
    • Experience: Experienced
    • OS: Windows 11
    Re: Computer virus
    « Reply #16 on: April 02, 2009, 07:17:01 PM »
    OK, that didn't actually remove what we were trying to remove, so we need Dr.Web.

    Download DrWeb CureIt and save it to your desktop. Scan with DrWeb-CureIt as follows:

    • Double-click on drweb-cureit.exe and then click Start.
    • An information notice will appear; click OK.
    • This starts a short scan of the files currently running in memory.
    • If you get a prompt to buy the full version, just exit out of the window. The scanner will still work without buying the full version.
    • If or when something is found, click the Yes button when it asks if you want to cure it.
    • Once the short scan has finished, click Settings > Change Settings.
    • Under the Scanning tab, UNcheck Heuristic analysis and click OK.
    • Back at the main window, select the Complete scan button and then click the green arrow Start Scanning button on the right; the scan will start.
    • Click Yes to all if it asks if you want to cure/move any file(s).
    • When the scan is done, click File in the Dr.Web CureIt menu on the top left and choose Save report list.
    • Save the DrWeb.csv report to your Desktop.
    • Exit Dr.Web CureIt.
    • Important! Reboot your computer, because files that are in use may only be moved/deleted during the reboot.
    • After the reboot, right-click the Dr.Web log on the desktop and choose Open With > Notepad.
    • Copy and paste that log in the next reply.


      infected

      Re: Computer virus
      « Reply #17 on: April 03, 2009, 04:44:24 AM »
      OK, did that; here's the log.

      ComboFix.exe.XXX/data002\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\Gebruiker\Bureaublad\ComboFix.exe.XXX/data002;Program.PsExec.171;;
      data002;C:\Documents and Settings\Gebruiker\Bureaublad;Archive contains infected objects;;
      ComboFix.exe.XXX;C:\Documents and Settings\Gebruiker\Bureaublad;Container contains infected objects;Moved.;
      Gebruiker.exe.vir;C:\Qoobox\Quarantine\C\Documents and Settings\Gebruiker;Trojan.DownLoad.33158;Deleted.;
      A0135998.dll.XXX;C:\System Volume Information\_restore{227247DB-6E98-434A-B8F6-F95ADA9E61F4}\RP407;Adware.Altnet;Deleted.;
      A0135999.exe.XXX;C:\System Volume Information\_restore{227247DB-6E98-434A-B8F6-F95ADA9E61F4}\RP407;Adware.Altnet;Deleted.;
      A0136001.dll.XXX;C:\System Volume Information\_restore{227247DB-6E98-434A-B8F6-F95ADA9E61F4}\RP407;Adware.Altnet;Deleted.;
      A0136002.dll.XXX;C:\System Volume Information\_restore{227247DB-6E98-434A-B8F6-F95ADA9E61F4}\RP407;Adware.Altnet;Deleted.;
      A0136003.dll.XXX;C:\System Volume Information\_restore{227247DB-6E98-434A-B8F6-F95ADA9E61F4}\RP407;Adware.Altnet;Deleted.;
      A0136004.exe.XXX;C:\System Volume Information\_restore{227247DB-6E98-434A-B8F6-F95ADA9E61F4}\RP407;Adware.Altnet;Deleted.;
      A0136006.dll.XXX;C:\System Volume Information\_restore{227247DB-6E98-434A-B8F6-F95ADA9E61F4}\RP407;Adware.Altnet;Deleted.;
      A0136008.exe.XXX;C:\System Volume Information\_restore{227247DB-6E98-434A-B8F6-F95ADA9E61F4}\RP407;BackDoor.IRC.Sdbot.3762;Deleted.;
      A0137655.exe;C:\System Volume Information\_restore{227247DB-6E98-434A-B8F6-F95ADA9E61F4}\RP410;Trojan.DownLoad.33158;Deleted.;
      A0137677.EXE.XXX;C:\System Volume Information\_restore{227247DB-6E98-434A-B8F6-F95ADA9E61F4}\RP410;Program.PsExec.170;Deleted.;
      PSEXESVC.EXE.XXX;C:\WINDOWS;Program.PsExec.170;Deleted.;
      port135sik.sys.XXX;C:\WINDOWS\system32\drivers;Trojan.NtRootKit.2763;Deleted.;
      securentm.sys.XXX;C:\WINDOWS\system32\drivers;Trojan.NtRootKit.2763;Deleted.;


      Thanks for all the help so far by the way.  :)
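Reading the Dr.Web report above takes a little care: the two Trojan.NtRootKit hits on live .sys files in system32\drivers mean something quite different from the Adware.Altnet copies sitting in a System Restore point, and the Program.PsExec hits are the PsExec tool that ComboFix carries inside itself (the path shows it), a riskware classification rather than an infection. The script below sorts a DrWeb.csv along those lines and lists anything live that Dr.Web detected but took no action on. It is an added example, not part of the thread or of Dr.Web; the record layout (object;path;threat;action; with a trailing ';') is inferred from the log above, and SAMPLE_REPORT is a subset of those lines plus one constructed line, example-unhandled.dll, that carries no action so the follow-up path is exercised.

```python
"""Triage a Dr.Web CureIt! report (DrWeb.csv) by where each hit lives.

Added example, not code from the forum thread or from Dr.Web. The record
layout assumed here (object;path;threat;action; with a trailing ';') is
inferred from the log pasted above; SAMPLE_REPORT copies a subset of those
lines and appends one constructed line ("example-unhandled.dll") with no
action recorded.
"""
import csv
from collections import defaultdict
from dataclasses import dataclass
from io import StringIO

SAMPLE_REPORT = r"""
ComboFix.exe.XXX/data002\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\Gebruiker\Bureaublad\ComboFix.exe.XXX/data002;Program.PsExec.171;;
data002;C:\Documents and Settings\Gebruiker\Bureaublad;Archive contains infected objects;;
ComboFix.exe.XXX;C:\Documents and Settings\Gebruiker\Bureaublad;Container contains infected objects;Moved.;
Gebruiker.exe.vir;C:\Qoobox\Quarantine\C\Documents and Settings\Gebruiker;Trojan.DownLoad.33158;Deleted.;
A0135998.dll.XXX;C:\System Volume Information\_restore{227247DB-6E98-434A-B8F6-F95ADA9E61F4}\RP407;Adware.Altnet;Deleted.;
A0136008.exe.XXX;C:\System Volume Information\_restore{227247DB-6E98-434A-B8F6-F95ADA9E61F4}\RP407;BackDoor.IRC.Sdbot.3762;Deleted.;
A0137677.EXE.XXX;C:\System Volume Information\_restore{227247DB-6E98-434A-B8F6-F95ADA9E61F4}\RP410;Program.PsExec.170;Deleted.;
PSEXESVC.EXE.XXX;C:\WINDOWS;Program.PsExec.170;Deleted.;
port135sik.sys.XXX;C:\WINDOWS\system32\drivers;Trojan.NtRootKit.2763;Deleted.;
securentm.sys.XXX;C:\WINDOWS\system32\drivers;Trojan.NtRootKit.2763;Deleted.;
example-unhandled.dll;C:\WINDOWS\system32;Trojan.Example;;
"""

RESOLVED_ACTIONS = {"Deleted", "Moved", "Cured", "Renamed"}
# Categories whose entries do not need action on the running system.
INERT = {"archive container", "restore-point copy", "combofix quarantine"}


@dataclass(frozen=True)
class Hit:
    obj: str
    path: str
    threat: str
    action: str  # "" when Dr.Web recorded no action for this entry

    @property
    def nested(self) -> bool:
        # Dr.Web uses '/' to step into an archive or container member;
        # the action is recorded on the container line, not the member.
        return "/" in self.obj or "/" in self.path

    @property
    def category(self) -> str:
        p = self.path.lower()
        if "\\system volume information\\_restore" in p:
            return "restore-point copy"   # harmless until System Restore rolls back
        if "\\qoobox\\quarantine" in p:
            return "combofix quarantine"  # already neutralised by ComboFix
        if self.threat.endswith("contains infected objects"):
            return "archive container"    # summary line; members listed separately
        if self.threat.startswith("Program."):
            return "tool/riskware"        # e.g. PsExec shipped inside ComboFix
        if "\\drivers" in p and ".sys" in self.obj.lower():
            return "live kernel driver"   # rootkit component on the running system
        return "live file"


def parse_report(text: str) -> list[Hit]:
    """Parse ';'-separated Dr.Web records; blank or short rows are skipped."""
    hits = []
    for row in csv.reader(StringIO(text), delimiter=";"):
        if len(row) < 4 or not row[0].strip():
            continue
        obj, path, threat, action = (f.strip() for f in row[:4])
        hits.append(Hit(obj, path, threat, action.rstrip(".")))
    return hits


def triage(hits: list[Hit]) -> dict[str, list[Hit]]:
    by_cat = defaultdict(list)
    for h in hits:
        by_cat[h.category].append(h)
    return dict(by_cat)


def unresolved(hits: list[Hit]) -> list[Hit]:
    """Live entries Dr.Web detected but did not act on; these need manual follow-up."""
    return [h for h in hits
            if h.action not in RESOLVED_ACTIONS
            and not h.nested
            and h.category not in INERT]


if __name__ == "__main__":
    hits = parse_report(SAMPLE_REPORT)
    for cat, items in sorted(triage(hits).items()):
        print(f"{cat}: {len(items)}")
    for h in unresolved(hits):
        print("needs follow-up:", h.path + "\\" + h.obj, h.threat)
```

The useful output is the last list: after a cure-and-reboot cycle, anything still printed there is a live object the scanner saw but could not deal with, which is exactly the case that called for a different tool in the next post.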

      evilfantasy

      Re: Computer virus
      « Reply #18 on: April 03, 2009, 10:39:00 AM »
      Now download The Avenger by Swandog46 and save it to your Desktop.
      • Extract avenger.exe from the Zip file and save it to your Desktop
      • Run avenger.exe by double-clicking on it.
      • Do not change any check box options!!
      • Copy everything in the Code box below, and paste it into the Input script here window:
      Code:
      Comment:

      Drivers to disable:
      systemntmi
      ws2_32sik
      acpi32
      fips32cup
      i386si
      ksi32sk
      netsik
      nicsk32

      • Now click the Execute button.
      • Click Yes to the prompt to confirm you want to execute.
      • Click Yes to the "Reboot now?" question that will appear when Avenger finishes running.
      • Your PC should reboot, if not, reboot it yourself.
      • A log file from Avenger will be produced at C:\avenger.txt and it will pop-up for you to view when you login after reboot.
      • Add the Avenger log in your next post.

        infected

        Re: Computer virus
        « Reply #19 on: April 03, 2009, 08:15:15 PM »
        Ok, here it is.

        Logfile of The Avenger Version 2.0, (c) by Swandog46
        http://swandog46.geekstogo.com

        Platform:  Windows XP

        *******************

        Script file opened successfully.
        Script file read successfully.

        Backups directory opened successfully at C:\Avenger

        *******************

        Beginning to process script file:

        Rootkit scan active.
        No rootkits found!

        Driver "systemntmi" disabled successfully.
        Driver "ws2_32sik" disabled successfully.
        Driver "acpi32" disabled successfully.
        Driver "fips32cup" disabled successfully.
        Driver "i386si" disabled successfully.
        Driver "ksi32sk" disabled successfully.
        Driver "netsik" disabled successfully.
        Driver "nicsk32" disabled successfully.

        Completed script processing.

        *******************

        Finished!  Terminate.





        Haven't had any warnings from McAfee in the last day, so that seems pretty positive.

        evilfantasy

        Re: Computer virus
        « Reply #20 on: April 04, 2009, 01:17:41 PM »

        • Run avenger.exe by double-clicking on it.
        • Do not change any check box options!!
        • Copy everything in the Code box below, and paste it into the Input script here window:
        Code:
        Comment:

        Drivers to delete:
        systemntmi
        ws2_32sik
        acpi32
        fips32cup
        i386si
        ksi32sk
        netsik
        nicsk32

        • Now click the Execute button.
        • Click Yes to the prompt to confirm you want to execute.
        • Click Yes to the "Reboot now?" question that will appear when Avenger finishes running.
        • Your PC should reboot, if not, reboot it yourself.
        • A log file from Avenger will be produced at C:\avenger.txt and it will pop-up for you to view when you login after reboot.
        • Add the Avenger log in your next post.

          infected

          Re: Computer virus
          « Reply #21 on: April 04, 2009, 02:16:46 PM »
          Done.

          Logfile of The Avenger Version 2.0, (c) by Swandog46
          http://swandog46.geekstogo.com

          Platform:  Windows XP

          *******************

          Script file opened successfully.
          Script file read successfully.

          Backups directory opened successfully at C:\Avenger

          *******************

          Beginning to process script file:

          Rootkit scan active.
          No rootkits found!

          Driver "systemntmi" deleted successfully.
          Driver "ws2_32sik" deleted successfully.
          Driver "acpi32" deleted successfully.
          Driver "fips32cup" deleted successfully.
          Driver "i386si" deleted successfully.
          Driver "ksi32sk" deleted successfully.
          Driver "netsik" deleted successfully.
          Driver "nicsk32" deleted successfully.

          Completed script processing.

          *******************

          Finished!  Terminate.
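The two Avenger passes above follow the usual order for a driver-based rootkit: first mark the services disabled so they do not load on the next boot, then delete them once nothing is holding them. The script below cross-checks a run against the script it was given, so a driver that Avenger silently skipped does not get lost between the two passes. It is an added example, not Avenger's own code and not part of the thread. It assumes only the script headings shown in the posts (Drivers to disable: / Drivers to delete:, one service name per line) and Avenger's success line, Driver "name" deleted successfully.; any requested driver without such a line is reported as unconfirmed. SAMPLE_SCRIPT and SAMPLE_LOG are copied from the delete pass, with one constructed extra name, examplesik, that the log never mentions. The registry check at the end uses the standard winreg module, runs only on Windows, and is there for the post-reboot verification; it is not exercised by the sample.

```python
"""Cross-check an Avenger run against the script it was given.

Added example, not Avenger's own code or from the forum thread. Assumptions:
the script uses the headings seen in the posts ("Drivers to disable:" /
"Drivers to delete:", one service name per line) and Avenger reports each
success as   Driver "name" disabled|deleted successfully.   Any requested
driver without such a line is treated as unconfirmed. SAMPLE_SCRIPT and
SAMPLE_LOG are copied from the delete pass in the thread; "examplesik" is a
constructed extra entry that the log does not mention.
"""
import re
import sys

SAMPLE_SCRIPT = """
Comment:

Drivers to delete:
systemntmi
ws2_32sik
acpi32
fips32cup
i386si
ksi32sk
netsik
nicsk32
examplesik
"""

SAMPLE_LOG = """
Rootkit scan active.
No rootkits found!

Driver "systemntmi" deleted successfully.
Driver "ws2_32sik" deleted successfully.
Driver "acpi32" deleted successfully.
Driver "fips32cup" deleted successfully.
Driver "i386si" deleted successfully.
Driver "ksi32sk" deleted successfully.
Driver "netsik" deleted successfully.
Driver "nicsk32" deleted successfully.

Completed script processing.
"""

# Script heading -> verb Avenger prints when that action succeeded.
SECTION_VERB = {"drivers to disable:": "disabled", "drivers to delete:": "deleted"}
SUCCESS = re.compile(r'^Driver "(?P<name>[^"]+)" (?P<verb>disabled|deleted) successfully\.$')


def parse_script(text: str) -> dict[str, str]:
    """Map each requested driver name to the verb the log should show for it."""
    expected, verb = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower() in SECTION_VERB:
            verb = SECTION_VERB[line.lower()]
        elif line.endswith(":"):      # Comment: or a section this check does not handle
            verb = None
        elif verb:
            expected[line] = verb
    return expected


def parse_log(text: str) -> dict[str, str]:
    """Driver name -> verb, for every success line Avenger wrote."""
    done = {}
    for raw in text.splitlines():
        m = SUCCESS.match(raw.strip())
        if m:
            done[m.group("name")] = m.group("verb")
    return done


def unconfirmed(script: str, log: str) -> dict[str, str]:
    """Requested drivers the log does not confirm with the matching verb."""
    done = parse_log(log)
    return {name: verb for name, verb in parse_script(script).items()
            if done.get(name) != verb}


def service_key_exists(name: str):
    """Post-reboot check: is HKLM\\SYSTEM\\CurrentControlSet\\Services\\<name> still there?

    Windows only (standard winreg module); returns None on other platforms.
    """
    if sys.platform != "win32":
        return None
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                            "SYSTEM\\CurrentControlSet\\Services\\" + name):
            return True
    except FileNotFoundError:
        return False


if __name__ == "__main__":
    for name, verb in unconfirmed(SAMPLE_SCRIPT, SAMPLE_LOG).items():
        print(f"{name}: not confirmed {verb} by the log")
    for name in parse_script(SAMPLE_SCRIPT):
        print(name, "service key present:", service_key_exists(name))
```

Running the disable-pass script against the delete-pass log (or the other way round) reports every driver, which is the intended behaviour: a driver that was only disabled still has its service key and image on disk, so a "disabled" line must not be read as confirmation of the later delete.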

          evilfantasy

          Re: Computer virus
          « Reply #22 on: April 04, 2009, 05:57:28 PM »
          Run the F-Secure Online Scanner for Viruses, Spyware and RootKits.

          Note: This scanner is for Internet Explorer only!
          • Click on Online Services and then Online Scanner.
          • Accept the License Agreement.
          • Once the ActiveX installs, click Full System Scan.
          • Once the download completes, the scan will begin automatically.
          • The scan will take some time to finish, so please be patient.
          • When the scan completes, click the Automatic cleaning (recommended) button.
          • Click the Show Report button and copy and paste the entire report in your next reply.

            infected

            Re: Computer virus
            « Reply #23 on: April 05, 2009, 05:46:31 AM »
            Scanning Report
            Sunday, April 05, 2009 12:25:20 - 13:29:22
            Computer name: BEDRIJF-B65247C
            Scanning type: Scan system for malware, rootkits
            Target: C:\


            --------------------------------------------------------------------------------

            Result: 0 malware found

            --------------------------------------------------------------------------------

            Statistics
            Scanned:
            Files: 29005
            System: 3443
            Not scanned: 6
            Actions:
            Disinfected: 0
            Renamed: 0
            Deleted: 0
            None: 0
            Submitted: 0
            Files not scanned:
            C:\PAGEFILE.SYS
            C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
            C:\WINDOWS\SYSTEM32\CONFIG\SAM
            C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
            C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
            C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

            --------------------------------------------------------------------------------

            Options
            Scanning engines:
            F-Secure USS: 3.0.0
            F-Secure Hydra: 3.8.9080, 2009-04-03
            F-Secure AVP: 7.0.171, 2009-04-04
            F-Secure Pegasus: 1.20.0, 1970-00-01
            F-Secure Blacklight: 0.0.0
            Scanning options:
            Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
            Use Advanced heuristics

            --------------------------------------------------------------------------------

            evilfantasy

            Re: Computer virus
            « Reply #24 on: April 05, 2009, 02:43:24 PM »
            Looks good. How is the computer running now?

            Let's clear out the programs we've been using to clean up your computer; they are not suitable for general malware removal and could cause damage if launched accidentally. These steps will also help secure the work you have done.

            • Click START then RUN
            • Now type Combofix /u in the run box
            • Make sure there's a space between Combofix and /u
            • Then hit Enter.

            The above procedure will:
            • Delete ComboFix and its associated files and folders.
            • Reset the clock settings.
            • Hide file extensions, if required.
            • Hide System/Hidden files, if required.
            • Set a new, clean Restore Point.

            ----------

            Download OTMoveIt3.exe by OldTimer and place it on your desktop (unless you already have it installed).

            1. Double click OTMoveIt3.exe to launch it.
            Vista users: right click and choose Run As Administrator.
            2. Click on the CleanUp! button.
            3. OTMoveIt3 will download a list from the Internet; if your firewall or other defensive programs alert you, allow it access.
            4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?).
            5. Once complete, exit out of OTMoveIt3.

            ----------

            Use the Secunia Software Inspector to check for out-of-date software.
            • Click Start Now
            • Check the box next to Enable thorough system inspection.
            • Click Start
            • Allow the scan to finish and scroll down to see if any updates are needed.
            • Update anything listed.

            ----------

            Go to Microsoft Windows Update and get all critical updates.

            ----------

            I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

            SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
            * Using SpywareBlaster to protect your computer from Spyware and Malware
            * If you don't know what ActiveX controls are, see here

            Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

            Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.


              infected

              Re: Computer virus
              « Reply #25 on: April 05, 2009, 05:49:24 PM »
              Awesome, thank you very much!!  8)

              evilfantasy

              Re: Computer virus
              « Reply #26 on: April 05, 2009, 08:40:08 PM »
              You're welcome.

              Safe surfing (|