
My computer has been affected by this virus, Herss.exe.
I had a new installation of Windows XP recently, as my older Windows crashed, I think.
When I try to open a drive it opens in a new window, and I cannot view hidden files and system files. Also the computer starts a little slower after I log in and applications hang; I cannot access Safe Mode for some reason, or maybe it will load after a long time.

To resolve the issue I ran an MBAM scan; here is the log:

Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 2

11/25/2009 12:50:40 PM
mbam-log-2009-11-25 (12-50-40).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|H:\|)
Objects scanned: 116841
Time elapsed: 48 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\i.cmd (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Program Files\LiveMath\uninst-plugin.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
D:\i.cmd (Spyware.OnlineGames) -> Quarantined and deleted successfully.
E:\i.cmd (Spyware.OnlineGames) -> Quarantined and deleted successfully.

I couldn't complete the scan due to a scheduled electricity outage, so here is the next part:

Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 2

11/25/2009 1:20:19 PM
mbam-log-2009-11-25 (13-20-19).txt

Scan type: Full Scan (E:\|F:\|G:\|H:\|)
Objects scanned: 126343
Time elapsed: 12 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\MADOWN (Worm.Magania) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cdoosoft (Spyware.OnlineGames) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
F:\i.cmd (Spyware.OnlineGames) -> Quarantined and deleted successfully.
G:\i.cmd (Spyware.OnlineGames) -> Quarantined and deleted successfully.
H:\i.cmd (Spyware.OnlineGames) -> Quarantined and deleted successfully.
G:\autorun.inf (SuspectAutorun.Rootdrive.H) -> Quarantined and deleted successfully.
G:\WINDOWS\system32\nmdfgds0.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
G:\WINDOWS\system32\nmdfgds1.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
G:\WINDOWS\system32\olhrwef.exe (Trojan.Agent) -> Quarantined and deleted successfully.
G:\Documents and Settings\Jazzy\Local Settings\Temp\cvasds0.dll (Spyware.OnlineGames) -> Delete on reboot.
G:\Documents and Settings\Jazzy\Local Settings\Temp\cvasds1.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
G:\Documents and Settings\Jazzy\Local Settings\Temp\herss.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
G:\WINDOWS\AhnRpta.exe (Trojan.Backdoor) -> Quarantined and deleted successfully.

Yet the problem remains, so I ran a SUPERAntiSpyware scan; unfortunately I cannot post it because Notepad hangs. Any idea how to get it?

Here is the current HJT scan:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:52:48 PM, on 11/25/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
G:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
G:\WINDOWS\system32\spoolsv.exe
G:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
G:\Program Files\Bonjour\mDNSResponder.exe
G:\Program Files\Symantec AntiVirus\DefWatch.exe
G:\WINDOWS\system32\svchost.exe
G:\Program Files\Symantec AntiVirus\Rtvscan.exe
G:\WINDOWS\Explorer.EXE
G:\WINDOWS\system32\wscntfy.exe
G:\Program Files\Common Files\Symantec Shared\ccApp.exe
G:\PROGRA~1\SYMANT~1\VPTray.exe
G:\Program Files\Common Files\Real\Update_OB\realsched.exe
G:\Program Files\iTunes\iTunesHelper.exe
G:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
G:\Program Files\iPod\bin\iPodService.exe
G:\WINDOWS\system32\wuauclt.exe
G:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [ccApp] "G:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] G:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [IgfxTray] G:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] G:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [TkBellExe] "G:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "G:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "G:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "G:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [SUPERAntiSpyware] G:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [cdoosoft] G:\DOCUME~1\Jazzy\LOCALS~1\Temp\herss.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - G:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - G:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - G:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - G:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - G:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - G:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - G:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - G:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 3768 bytes

Thread stats: 3 Contributors, 43 Replies, 48 Views, 7 Years Discussion Span, Last Post by jazzyjaj.
0

I restarted Windows, so here is the SUPERAntiSpyware scan result:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/25/2009 at 03:33 PM

Application Version : 4.15.1000

Core Rules Database Version : 4310
Trace Rules Database Version: 2175

Scan type       : Complete Scan
Total Scan Time : 01:40:21

Memory items scanned      : 324
Memory threats detected   : 2
Registry items scanned    : 3247
Registry threats detected : 8
File items scanned        : 115352
File threats detected     : 13

Trojan.Dropper/Gen-NV
    G:\DOCUME~1\JAZZY\LOCALS~1\TEMP\CVASDS0.DLL
    G:\DOCUME~1\JAZZY\LOCALS~1\TEMP\CVASDS0.DLL
    [cdoosoft] G:\DOCUME~1\JAZZY\LOCALS~1\TEMP\HERSS.EXE
    G:\DOCUME~1\JAZZY\LOCALS~1\TEMP\HERSS.EXE
    C:\YUDALD.BAT
    D:\YUDALD.BAT
    E:\YUDALD.BAT
    F:\YUDALD.BAT
    G:\DOCUMENTS AND SETTINGS\JAZZY\LOCAL SETTINGS\TEMP\CVASDS0.DLL
    G:\DOCUMENTS AND SETTINGS\JAZZY\LOCAL SETTINGS\TEMP\HERSS.EXE
    G:\YUDALD.BAT
    H:\YUDALD.BAT

Adware.Vundo Variant
    G:\WINDOWS\SYSTEM32\SOFTQQ0.DLL
    G:\WINDOWS\SYSTEM32\SOFTQQ0.DLL

Trojan.Sino-PWS/Gen
    HKLM\Software\Classes\CLSID\{B03A4BE6-5E5A-483E-B9B3-C484D4B20B72}
    HKCR\CLSID\{B03A4BE6-5E5A-483E-B9B3-C484D4B20B72}
    HKCR\CLSID\{B03A4BE6-5E5A-483E-B9B3-C484D4B20B72}\InprocServer32
    HKCR\CLSID\{B03A4BE6-5E5A-483E-B9B3-C484D4B20B72}\InprocServer32#ThreadingModel
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{B03A4BE6-5E5A-483E-B9B3-C484D4B20B72}
    HKCR\CLSID\{B03A4BE6-5E5A-483E-B9B3-C484D4B20B72}

Adware.Tracking Cookie
    G:\Documents and Settings\Jazzy\Cookies\jazzy@doubleclick[1].txt

Trojan.Dropper/Sys-NV
    HKU\S-1-5-21-1409082233-299502267-1801674531-1005\Software\Microsoft\Windows\CurrentVersion\Run#cdoosoft [ G:\DOCUME~1\Jazzy\LOCALS~1\Temp\herss.exe ]

Adware.Spyware Labs
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{72E251DF-77AB-4FC4-85DD-07293F019B5D}\RP123\A0654921.RBF

Notes if jholland1964 is to look after this one:

Hey, how are you?
This computer is another computer, so it has nothing to do with my older posts.
I have not yet run combofix.exe, although I thought about it but then remembered you.

Edited by Nick Evan: Fixed formatting

0

Please update MBA-M then do another full scan. Remove what is found, then reboot the computer.
Post its log and a new HijackThis log please.

0

I updated MBA-M, then ran another full scan; here is the result:

Malwarebytes' Anti-Malware 1.41
Database version: 3228
Windows 5.1.2600 Service Pack 2

11/25/2009 7:11:41 PM
mbam-log-2009-11-25 (19-11-41).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|H:\|)
Objects scanned: 235814
Time elapsed: 59 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\NOD32KVBIT (Trojan.Frethog) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\MADOWN (Worm.Magania) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cdoosoft (Spyware.OnlineGames) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
D:\Nero v7.0 Premium\nero7keygen.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
G:\Documents and Settings\Jazzy\Local Settings\Temp\cvasds1.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.

The HJT log immediately after reboot is:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:14:43 PM, on 11/25/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
G:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
G:\WINDOWS\system32\spoolsv.exe
G:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
G:\Program Files\Bonjour\mDNSResponder.exe
G:\Program Files\Symantec AntiVirus\DefWatch.exe
G:\WINDOWS\system32\svchost.exe
G:\Program Files\Symantec AntiVirus\Rtvscan.exe
G:\WINDOWS\Explorer.EXE
G:\WINDOWS\system32\wscntfy.exe
G:\Program Files\Common Files\Symantec Shared\ccApp.exe
G:\PROGRA~1\SYMANT~1\VPTray.exe
G:\Program Files\Common Files\Real\Update_OB\realsched.exe
G:\Program Files\iTunes\iTunesHelper.exe
G:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
G:\Program Files\Symantec AntiVirus\DoScan.exe
G:\Program Files\iPod\bin\iPodService.exe
G:\WINDOWS\system32\wuauclt.exe
G:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [ccApp] "G:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] G:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [IgfxTray] G:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] G:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [TkBellExe] "G:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "G:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "G:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "G:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [SUPERAntiSpyware] G:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - G:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - G:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - G:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - G:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - G:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - G:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - G:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - G:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 3744 bytes

But when I tried to open the hard drive it still opened in another window, so I ran HJT again, and here is the result:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:16:30 PM, on 11/25/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
G:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
G:\WINDOWS\system32\spoolsv.exe
G:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
G:\Program Files\Bonjour\mDNSResponder.exe
G:\Program Files\Symantec AntiVirus\DefWatch.exe
G:\WINDOWS\system32\svchost.exe
G:\Program Files\Symantec AntiVirus\Rtvscan.exe
G:\WINDOWS\Explorer.EXE
G:\WINDOWS\system32\wscntfy.exe
G:\Program Files\Common Files\Symantec Shared\ccApp.exe
G:\PROGRA~1\SYMANT~1\VPTray.exe
G:\Program Files\Common Files\Real\Update_OB\realsched.exe
G:\Program Files\iTunes\iTunesHelper.exe
G:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
G:\Program Files\iPod\bin\iPodService.exe
G:\WINDOWS\system32\wuauclt.exe
G:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [ccApp] "G:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] G:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [IgfxTray] G:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] G:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [TkBellExe] "G:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "G:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "G:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "G:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [SUPERAntiSpyware] G:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [cdoosoft] G:\DOCUME~1\Jazzy\LOCALS~1\Temp\herss.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - G:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - G:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - G:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - G:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - G:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - G:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - G:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - G:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 3768 bytes

The herss.exe was back.
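As an added example (not code from the thread, from HijackThis or from Malwarebytes), the following Python parses the O4 autostart lines from the HijackThis logs above and flags the [cdoosoft] entry the way a helper reading the log would, on the assumption that a Run entry launching from a user Temp directory or from a drive root deserves a closer look. The sample lines are the ones posted in the thread; the rule set itself is an assumption.

```python
"""Triage of HijackThis O4 autostart lines.

Added example; it is not part of the original thread, of HijackThis or of
Malwarebytes.  It flags Run entries whose target lives in a user Temp
directory or directly in a drive root, which is how the [cdoosoft] ->
herss.exe entry stands out from the legitimate ccApp/iTunes/Symantec
entries.  Sample lines are copied from the thread; the rules are assumed.
"""
import re
from dataclasses import dataclass, field

# O4 - HKCU\..\Run: [cdoosoft] G:\DOCUME~1\Jazzy\LOCALS~1\Temp\herss.exe
O4_RE = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>\w+): '
    r'\[(?P<name>[^\]]*)\] (?P<cmd>.*)$'
)
# First executable-looking token of the command line.  HijackThis prints
# unquoted paths containing spaces (G:\Program Files\...\x.exe), so a plain
# split on whitespace would truncate them.
EXE_RE = re.compile(
    r'^"?(?P<path>[^"]*?\.(?:exe|dll|scr|cmd|bat|com|pif))\b', re.IGNORECASE
)


@dataclass
class Autostart:
    hive: str
    key: str
    name: str
    command: str
    path: str
    findings: list = field(default_factory=list)


def parse_o4(line):
    """Return an Autostart for a registry-based O4 line, else None.

    Startup-folder forms ("O4 - Startup: ...") are intentionally not handled.
    """
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group('cmd')
    exe = EXE_RE.match(cmd)
    path = exe.group('path') if exe else cmd
    return Autostart(m.group('hive'), m.group('key'), m.group('name'), cmd, path)


def assess(entry):
    """Attach plain-language findings to an entry; returns it for chaining."""
    p = entry.path.lower()
    parts = [x for x in p.split('\\') if x]
    # Both the 8.3 form (LOCALS~1\Temp) and the long form (Local Settings\Temp)
    # carry a bare 'temp' component, so no short-name expansion is needed.
    if 'temp' in parts or 'tmp' in parts:
        entry.findings.append('runs from a Temp directory')
    # A drive letter followed directly by a file name, e.g. G:\ngp8l.exe.
    if re.fullmatch(r'[a-z]:\\[^\\]+', p):
        entry.findings.append('runs from a drive root')
    return entry


def triage(log_text):
    """Parse every registry O4 line of a HijackThis log; return flagged entries."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry is not None and assess(entry).findings:
            flagged.append(entry)
    return flagged


# Constructed sample: O4/O9 lines copied from the 7:16:30 PM log in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "G:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] G:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TkBellExe] "G:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "G:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [SUPERAntiSpyware] G:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [cdoosoft] G:\DOCUME~1\Jazzy\LOCALS~1\Temp\herss.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
"""

if __name__ == '__main__':
    for e in triage(SAMPLE_LOG):
        print(f'{e.hive}\\{e.key} [{e.name}] -> {e.path}: {"; ".join(e.findings)}')
```

Run against the sample it reports only the cdoosoft entry; the flag is a triage hint, not a verdict, so a flagged path still has to be checked before anything is fixed in HijackThis.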

0

I think my SUPERAntiSpyware is part of the problem now, as I think it is the application that is hanging again and again.
Should I uninstall it?

0

It is probably having problems trying to remove something.

==

Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program

============

Download DDS from the following location:

DDS Tool

Save dds.scr to the desktop

Disable any script-blocking programs and then double-click on the DDS.scr icon to start the program. If you did not disable a script-blocker that may be part of your antimalware program, you may receive a warning from your antimalware product asking if you would like DDS.scr to run. Please allow it to do so.

Once you double-click the icon a Windows security warning may also appear asking if you are sure you would like to run the program. Click on the Run button to start DDS. If no warning appeared, then you should just continue.

DDS will now display a small black window providing information as to what DDS is doing on your computer.

DDS will now start scanning your computer and compiling a variety of information about what programs are starting on your computer, what files have been recently created, and the general configuration of your computer. When DDS has finished scanning, all of this information will be compiled and be displayed in two Notepad windows named dds.txt and attach.txt.

You will then be shown a small box giving instructions as to what you should do with these files. Feel free to close this message box by pressing the OK button.

We now need to save the two log files that were created. First click on the DDS.txt window, click on the File menu and then select the Save As... menu option.

Save DDS.txt to the desktop. Now click on the Attach.txt Notepad window and save that to the desktop also.

Copy the contents of the DDS.txt log and paste it into your reply here.
Attach the attach.txt log to your reply using the Reply to Thread button, then the Manage Attachments button.

Edited by crunchie: n/a

0

I was able to do both tasks as you said;
however, when I ran ATF Cleaner I did not get the option for Firefox, which I think is because I never installed it on this new Windows, and the one I installed from my previous Windows is what I am running.

The DDS log is:


DDS (Ver_09-11-24.02) - NTFSx86
Run by Jazzy at 8:42:50.45 on Thu 11/26/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1668 [GMT 5:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

G:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
G:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
G:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
G:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
G:\WINDOWS\system32\spoolsv.exe
G:\WINDOWS\Explorer.EXE
G:\Program Files\Common Files\Symantec Shared\ccApp.exe
G:\PROGRA~1\SYMANT~1\VPTray.exe
G:\Program Files\Common Files\Real\Update_OB\realsched.exe
G:\Program Files\iTunes\iTunesHelper.exe
G:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
G:\Program Files\Bonjour\mDNSResponder.exe
G:\Program Files\Symantec AntiVirus\DefWatch.exe
G:\WINDOWS\system32\svchost.exe -k imgsvc
G:\Program Files\Symantec AntiVirus\Rtvscan.exe
G:\Program Files\iPod\bin\iPodService.exe
G:\WINDOWS\system32\wscntfy.exe
G:\Documents and Settings\Jazzy\Desktop\dds.scr

============== Pseudo HJT Report ===============

uRun: [SUPERAntiSpyware] g:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [cdoosoft] g:\docume~1\jazzy\locals~1\temp\herss.exe
mRun: [ccApp] "g:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] g:\progra~1\symant~1\VPTray.exe
mRun: [IgfxTray] g:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] g:\windows\system32\hkcmd.exe
mRun: [TkBellExe] "g:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "g:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "g:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "g:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - g:\program files\messenger\msmsgs.exe
Notify: !SASWinLogon - g:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxsrvc.dll
Notify: NavLogon - g:\windows\system32\NavLogon.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - g:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;g:\program files\superantispyware\sasdifsv.sys [2008-5-28 8944]
R1 SASKUTIL;SASKUTIL;g:\program files\superantispyware\SASKUTIL.SYS [2008-5-28 55024]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;g:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-10-18 112688]
R3 SASENUM;SASENUM;g:\program files\superantispyware\SASENUM.SYS [2008-5-28 7408]
S3 SavRoam;SAVRoam;g:\program files\symantec antivirus\SavRoam.exe [2007-10-7 116664]

=============== Created Last 30 ================

2009-11-25 10:48:32 0 d-----w- g:\program files\Trend Micro
2009-11-25 08:37:41 0 d-----w- g:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-11-25 08:37:38 0 d-----w- g:\program files\SUPERAntiSpyware
2009-11-25 08:37:38 0 d-----w- g:\docume~1\jazzy\applic~1\SUPERAntiSpyware.com
2009-11-25 08:37:26 0 d-----w- g:\program files\common files\Wise Installation Wizard
2009-11-25 08:35:16 57 --sh--r- G:\autorun.inf
2009-11-25 06:48:57 693760 ----a-w- g:\windows\isRS-000.tmp
2009-11-25 06:33:56 0 d-----w- g:\program files\ConvertHelper
2009-11-25 06:28:57 0 d-----w- g:\docume~1\jazzy\applic~1\Malwarebytes
2009-11-25 06:28:51 38224 ----a-w- g:\windows\system32\drivers\mbamswissarmy.sys
2009-11-25 06:28:48 19160 ----a-w- g:\windows\system32\drivers\mbam.sys
2009-11-25 06:28:48 0 d-----w- g:\program files\Malwarebytes' Anti-Malware
2009-11-25 06:28:48 0 d-----w- g:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-25 06:25:14 116090 --sh--r- G:\ngp8l.exe
2009-11-25 06:20:47 0 d-----w- g:\windows\FLV Player
2009-11-24 10:33:51 5632 ----a-w- g:\windows\system32\ptpusb.dll
2009-11-24 10:33:49 159232 ----a-w- g:\windows\system32\ptpusd.dll
2009-11-24 10:33:48 15104 -c--a-w- g:\windows\system32\dllcache\usbscan.sys
2009-11-24 10:33:48 15104 ----a-w- g:\windows\system32\drivers\usbscan.sys
2009-11-24 06:26:39 0 d-----w- g:\documents and settings\jazzy\dwhelper
2009-11-23 13:42:27 0 d-----w- g:\program files\uTorrent
2009-11-23 13:17:21 0 d-----w- g:\program files\iPod
2009-11-23 13:17:13 0 d-----w- g:\program files\iTunes
2009-11-23 13:17:05 0 d-----w- g:\program files\Bonjour
2009-11-23 13:16:01 30464 ----a-w- g:\windows\system32\drivers\usbaapl.sys
2009-11-23 13:10:58 0 d-----w- g:\windows\system32\appmgmt
2009-11-22 15:54:38 0 d-----w- g:\program files\common files\xing shared
2009-11-22 15:54:03 0 d-----w- g:\program files\common files\Real
2009-11-22 08:30:06 3495784 ----a-w- g:\windows\system32\d3dx9_33.dll
2009-11-22 07:13:51 163840 ----a-w- g:\windows\system32\igfxres.dll
2009-11-22 06:32:55 0 ----a-w- g:\windows\vpc32.INI
2009-11-22 04:39:33 0 d--h--w- g:\windows\PIF

==================== Find3M ====================

2009-11-22 15:54:07 348160 ----a-w- g:\windows\system32\msvcr71.dll

============= FINISH: 8:43:01.37 ===============

Just for my knowledge, why did you ask to attach the file when I could have pasted it?

0

Just for my knowledge, why did you ask to attach the file when I could have pasted it?

That is a good question :). Logs can be overly long and contain information that one does not want to advertise :).

==

Download Avenger by Swandog and unzip it to your Desktop.

Note: This program must be run from an account with Administrator privileges.


  • Open the Avenger folder and double click Avenger.exe to launch the programme.
  • Copy the text in the code box below and paste it into the "Input script here:" box.

Files to delete:
G:\ngp8l.exe
g:\docume~1\jazzy\locals~1\temp\herss.exe

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

  • Ensure the following:
      • Scan for Rootkits is checked.
      • Automatically disable any rootkits found is Unchecked.
  • Press the Execute key.
  • Avenger will now process the script you've pasted (this may involve more than one re-boot); when finished it will produce a log file.
  • Post the log back here please. (It can also be found at C:\avenger.txt.)


==

Run ATF cleaner again. Run Hijackthis and post a new log.

Let me know how the pc is.

0

Here is the avenger log:

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at G:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "G:\ngp8l.exe" deleted successfully.

Error: file "g:\docume~1\jazzy\locals~1\temp\herss.exe" not found!
Deletion of file "g:\docume~1\jazzy\locals~1\temp\herss.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.

Here is the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:52:38 AM, on 11/26/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
G:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
G:\WINDOWS\system32\spoolsv.exe
G:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
G:\Program Files\Bonjour\mDNSResponder.exe
G:\Program Files\Symantec AntiVirus\DefWatch.exe
G:\WINDOWS\system32\svchost.exe
G:\Program Files\Symantec AntiVirus\Rtvscan.exe
G:\WINDOWS\Explorer.EXE
G:\Program Files\Common Files\Symantec Shared\ccApp.exe
G:\PROGRA~1\SYMANT~1\VPTray.exe
G:\Program Files\Common Files\Real\Update_OB\realsched.exe
G:\Program Files\iTunes\iTunesHelper.exe
G:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
G:\Program Files\Symantec AntiVirus\DoScan.exe
G:\WINDOWS\system32\wscntfy.exe
G:\Program Files\iPod\bin\iPodService.exe
G:\WINDOWS\system32\wuauclt.exe
G:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [ccApp] "G:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] G:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [IgfxTray] G:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] G:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [TkBellExe] "G:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "G:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "G:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "G:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [SUPERAntiSpyware] G:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [cdoosoft] G:\DOCUME~1\Jazzy\LOCALS~1\Temp\herss.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - G:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - G:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - G:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - G:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - G:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - G:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - G:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - G:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 3817 bytes

I ran ATF; it hardly deleted anything.
The PC still starts slow and the drive opening still has the same problem.
Also please note that when I restart the PC it does not load all the drives and my DVD drive; this used to happen before, but not always as it does now. However, if I shut down the PC and then start it again, it loads all the drives.
I have two hard drives; the OS drive opens up all the time, but the other HD and DVD do not open unless a complete shutdown takes place.


0

Ok. Close all your browser windows, run Hijackthis and do a scan. Put a tick in the box to the left of the following entry;

O4 - HKCU\..\Run: [cdoosoft] G:\DOCUME~1\Jazzy\LOCALS~1\Temp\herss.exe

then click 'Fix checked.'

==

Update MBA-M and run a full scan and remove what is found.

==

If you have Combofix on your pc, please do the following;


  • Click START then RUN
  • Now type Combofix /uninstall in the runbox and click OK. Note the space between the X and the /, it needs to be there.

==

Please download ComboFix by sUBs from HERE or HERE

  • You must download it to and run it from your Desktop
  • Physically disconnect from the internet.
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
  • Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Run Combofix ONCE only!!

0

Ok. Close all your browser windows, run Hijackthis and do a scan. Put a tick in the box to the left of the following entry;

O4 - HKCU\..\Run: [cdoosoft] G:\DOCUME~1\Jazzy\LOCALS~1\Temp\herss.exe

then click 'Fix checked.'

Done as requested

Update MBA-M and run a full scan and remove what is found.

Done as requested, here is the log:

Malwarebytes' Anti-Malware 1.41
Database version: 3235
Windows 5.1.2600 Service Pack 2

11/26/2009 2:14:32 PM
mbam-log-2009-11-26 (14-14-32).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|H:\|)
Objects scanned: 232024
Time elapsed: 58 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\MADOWN (Worm.Magania) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
G:\Documents and Settings\Jazzy\Local Settings\Temp\cvasds1.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.

==
crunchie wrote:
If you have Combofix on your pc, please do the following;
I did not have combofix previously.

==
crunchie wrote:
Please download ComboFix by sUBs from http://download.bleepingcomputer.com/sUBs/ComboFix.exe or http://www.forospyware.com/sUBs/ComboFix.exe

  • You must download it to and run it from your Desktop
  • Physically disconnect from the internet.
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
  • Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Run Combofix ONCE only!!

Done as requested, here is the log:
ComboFix 09-11-25.05 - Jazzy 11/26/2009 14:25.1.1 - x86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.2046.1657 [GMT 5:00]
Running from: g:\documents and settings\Jazzy\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
C:\ngp8l.exe
C:\wfx062.exe
D:\autorun.inf
D:\ngp8l.exe
D:\wfx062.exe
E:\Autorun.inf
E:\ngp8l.exe
E:\wfx062.exe
F:\autorun.inf
F:\ngp8l.exe
F:\wfx062.exe
G:\autorun.inf
G:\ngp8l.exe
g:\recycler\S-1-5-21-2681017343-3660946461-3242847100-1004
g:\recycler\S-1-5-21-2681017343-3660946461-3242847100-1007
G:\wfx062.exe
H:\autorun.inf
H:\ngp8l.exe
H:\wfx062.exe

g:\windows\system32\drivers\AGP440.sys . . . is infected!!

.
(((((((((((((((((((((((((   Files Created from 2009-10-26 to 2009-11-26  )))))))))))))))))))))))))))))))
.

2009-11-25 10:48 . 2009-11-25 10:48 --------    d-----w-    g:\program files\Trend Micro
2009-11-25 08:37 . 2009-11-25 08:37 --------    d-----w-    g:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-11-25 08:37 . 2009-11-25 08:37 --------    d-----w-    g:\program files\SUPERAntiSpyware
2009-11-25 08:37 . 2009-11-25 08:37 --------    d-----w-    g:\documents and settings\Jazzy\Application Data\SUPERAntiSpyware.com
2009-11-25 08:37 . 2009-11-25 08:37 --------    d-----w-    g:\program files\Common Files\Wise Installation Wizard
2009-11-25 06:47 . 2009-11-25 06:47 4045528 ----a-w-    g:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-11-25 06:42 . 2009-11-25 06:42 --------    d-----w-    g:\documents and settings\Jazzy\Application Data\Apple Computer
2009-11-25 06:40 . 2009-11-25 06:40 12328   ----a-w-    g:\documents and settings\Jazzy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-25 06:33 . 2009-11-25 06:34 --------    d-----w-    g:\program files\ConvertHelper
2009-11-25 06:28 . 2009-11-25 06:28 --------    d-----w-    g:\documents and settings\Jazzy\Application Data\Malwarebytes
2009-11-25 06:28 . 2009-09-10 09:54 38224   ----a-w-    g:\windows\system32\drivers\mbamswissarmy.sys
2009-11-25 06:28 . 2009-11-25 06:49 --------    d-----w-    g:\program files\Malwarebytes' Anti-Malware
2009-11-25 06:28 . 2009-11-25 06:28 --------    d-----w-    g:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-25 06:28 . 2009-09-10 09:53 19160   ----a-w-    g:\windows\system32\drivers\mbam.sys
2009-11-25 06:20 . 2009-11-25 06:20 --------    d-----w-    g:\windows\FLV Player
2009-11-25 06:20 . 2009-11-25 06:20 --------    d-----w-    g:\program files\FLV Player
2009-11-24 10:33 . 2001-08-17 17:36 5632    ----a-w-    g:\windows\system32\ptpusb.dll
2009-11-24 10:33 . 2004-08-03 19:56 159232  ----a-w-    g:\windows\system32\ptpusd.dll
2009-11-24 10:33 . 2004-08-03 17:58 15104   -c--a-w-    g:\windows\system32\dllcache\usbscan.sys
2009-11-24 10:33 . 2004-08-03 17:58 15104   ----a-w-    g:\windows\system32\drivers\usbscan.sys
2009-11-24 06:26 . 2009-11-24 06:26 --------    d-----w-    g:\documents and settings\Jazzy\dwhelper
2009-11-24 06:11 . 2009-11-24 06:11 --------    d-----w-    g:\documents and settings\Jazzy\Local Settings\Application Data\Apple Computer
2009-11-23 13:42 . 2009-11-23 13:42 --------    d-----w-    g:\program files\uTorrent
2009-11-23 13:42 . 2009-11-24 16:19 --------    d-----w-    g:\documents and settings\Khurram\Application Data\uTorrent
2009-11-22 17:13 . 2009-11-22 17:13 --------    d-----w-    g:\documents and settings\Khurram\Application Data\vlc
2009-11-22 15:54 . 2009-11-22 15:54 --------    d-----w-    g:\program files\Common Files\xing shared
2009-11-22 15:54 . 2009-11-22 15:54 --------    d-----w-    g:\program files\Real
2009-11-22 15:54 . 2009-11-22 15:54 --------    d-----w-    g:\program files\Common Files\Real
2009-11-22 15:45 . 2009-11-22 15:45 --------    d-----w-    g:\documents and settings\Jazzy\Application Data\vlc
2009-11-22 15:35 . 2009-11-22 15:35 --------    d-----w-    g:\documents and settings\Jazzy\Local Settings\Application Data\Mozilla
2009-11-22 10:21 . 2009-11-22 10:21 12328   ----a-w-    g:\documents and settings\Khurram\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-22 10:14 . 2009-11-22 10:14 --------    d-----w-    g:\documents and settings\Khurram\Local Settings\Application Data\Mozilla
2009-11-22 10:13 . 2009-11-24 13:07 --------    d-----w-    g:\documents and settings\Khurram\Application Data\Orbit
2009-11-22 08:30 . 2007-03-13 00:42 3495784 ----a-w-    g:\windows\system32\d3dx9_33.dll
2009-11-22 07:13 . 2004-11-02 03:58 163840  ----a-w-    g:\windows\system32\igfxres.dll
2009-11-22 04:39 . 2009-11-22 04:39 --------    d--h--w-    g:\windows\PIF

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-26 09:20 . 2008-10-18 10:54 --------    d-----w-    g:\program files\Symantec AntiVirus
2009-11-25 06:48 . 2009-11-25 06:48 693760  ----a-w-    g:\windows\isRS-000.tmp
2009-11-25 06:21 . 2009-11-22 15:32 --------    d-----w-    g:\documents and settings\Jazzy\Application Data\Orbit
2009-11-23 13:17 . 2009-11-23 13:17 --------    d-----w-    g:\documents and settings\Khurram\Application Data\Apple Computer
2009-11-23 13:17 . 2009-11-23 13:17 --------    d-----w-    g:\program files\iTunes
2009-11-23 13:17 . 2009-11-23 13:17 --------    d-----w-    g:\program files\iPod
2009-11-23 13:17 . 2009-11-23 13:16 --------    d-----w-    g:\documents and settings\All Users\Application Data\Apple Computer
2009-11-23 13:17 . 2009-11-23 13:17 --------    d-----w-    g:\program files\Bonjour
2009-11-23 13:16 . 2009-11-23 13:16 --------    d-----w-    g:\program files\QuickTime
2009-11-23 13:16 . 2009-11-23 13:16 --------    d-----w-    g:\program files\Apple Software Update
2009-11-23 13:15 . 2009-11-23 13:15 --------    d-----w-    g:\program files\Common Files\Apple
2009-11-23 13:15 . 2009-11-23 13:15 --------    d-----w-    g:\documents and settings\All Users\Application Data\Apple
2009-11-22 15:54 . 2008-10-18 10:52 348160  ----a-w-    g:\windows\system32\msvcr71.dll
2009-11-22 07:13 . 2008-10-18 14:26 --------    d-----w-    g:\program files\Common Files\InstallShield
.

------- Sigcheck -------

[-] 2004-08-03 18:07 . 0B98421AA81DF881D000CFC552D10342 . 42368 . . [------] . . g:\windows\system32\drivers\AGP440.SYS
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="g:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-05-29 52840]
"vptray"="g:\progra~1\SYMANT~1\VPTray.exe" [2007-10-07 125368]
"IgfxTray"="g:\windows\system32\igfxtray.exe" [2004-11-02 155648]
"HotKeysCmds"="g:\windows\system32\hkcmd.exe" [2004-11-02 126976]
"TkBellExe"="g:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-11-22 198160]
"QuickTime Task"="g:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"iTunesHelper"="g:\program files\iTunes\iTunesHelper.exe" [2008-06-02 267048]
"Malwarebytes Anti-Malware (reboot)"="g:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "g:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 08:41    294912  ----a-w-    g:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DC++\\DCPlusPlus.exe"=
"g:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"g:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"g:\\Program Files\\iTunes\\iTunes.exe"=
"g:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=

R1 SASDIFSV;SASDIFSV;g:\program files\SUPERAntiSpyware\sasdifsv.sys [5/28/2008 10:33 AM 8944]
R1 SASKUTIL;SASKUTIL;g:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/28/2008 10:33 AM 55024]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;g:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [10/18/2008 3:54 PM 112688]
S3 SASENUM;SASENUM;g:\program files\SUPERAntiSpyware\SASENUM.SYS [5/28/2008 10:33 AM 7408]
S3 SavRoam;SAVRoam;g:\program files\Symantec AntiVirus\SavRoam.exe [10/7/2007 8:48 PM 116664]
.
- - - - ORPHANS REMOVED - - - -

AddRemove-RealPlayer 12.0 - g:\program files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|12.0



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-26 14:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ... 

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(684)
g:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-11-26 14:31
ComboFix-quarantined-files.txt  2009-11-26 09:31
ComboFix2.txt  2008-06-16 07:26

Pre-Run: 14,226,993,152 bytes free
Post-Run: 14,376,767,488 bytes free

- - End Of File - - 0DD240D52322C3D5D7C486F30AFA8E36

However, please note that since you mentioned to physically disconnect from the internet, I did not install the recovery console, although I have it on my CD.

Here is the HJT log after all this:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:46:07 PM, on 11/26/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
G:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
G:\WINDOWS\system32\spoolsv.exe
G:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
G:\Program Files\Bonjour\mDNSResponder.exe
G:\Program Files\Symantec AntiVirus\DefWatch.exe
G:\WINDOWS\system32\svchost.exe
G:\Program Files\Symantec AntiVirus\Rtvscan.exe
G:\WINDOWS\Explorer.EXE
G:\Program Files\Common Files\Symantec Shared\ccApp.exe
G:\WINDOWS\system32\wscntfy.exe
G:\PROGRA~1\SYMANT~1\VPTray.exe
G:\Program Files\Common Files\Real\Update_OB\realsched.exe
G:\Program Files\iTunes\iTunesHelper.exe
G:\Program Files\Symantec AntiVirus\DoScan.exe
G:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
G:\WINDOWS\system32\wuauclt.exe
G:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [ccApp] "G:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] G:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [IgfxTray] G:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] G:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [TkBellExe] "G:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "G:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "G:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "G:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - G:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - G:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - G:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - G:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - G:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - G:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - G:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - G:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 3989 bytes


0

The computer appears to be running fine right now; the hard drive opens normally and I can edit the folder view options. However, I have a few questions:
1. How do I remove my old installation of WinXP on the C: drive?
2. Why, on restart, does my PC load only my primary hard drive, and how do I fix it?
3. How did I get infected with this virus? I think it could still be on my USB, so how do I get rid of that?
4. I notice that there is an Internet Explorer icon on my desktop which was not there previously. I only use Firefox; do you think it is a virus?

0

I will try to answer your questions later, as I am in a hurry to go out :).
In the meantime, please go to Jotti's or to VirusTotal and have this file scanned. Post the results back here.

g:\windows\system32\drivers\AGP440.sys

0

I took the scan on Jotti's; here is the result:
Filename: AGP440.SYS
Status:
Scan finished. 0 out of 21 scanners reported malware.
http://virusscan.jotti.org/en/scanresult/e7e2e9536ea369c6e556fb6fff320499a8a6068c

I have a hunch this file relates to my graphics card.
Here's another story: something went wrong with my graphics card in my new WinXP and it won't load properly; in fact, when Windows starts the screen goes black, after which I switched back to my built-in graphics card, which works fine. I thought that my graphics card was at fault.

0
g:\windows\system32\drivers\AGP440.sys . . . is infected!!

Combofix reckons the file is infected. You might be able to download the file here; http://www.dll-files-download.com/A/2008-01-12/846.html
Ideally, you would want to boot from another drive and replace the file that way.

==

You should be able to replace the XP on the other drive by formatting it.

Download Flash_Disinfector.exe by sUBs and save it to your desktop.

  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.


Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that is plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.

When done remove any Startup RUN value by downloading and using Autoruns.
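As an added example (not part of the thread, and not Flash_Disinfector's or Autoruns' own code), the PowerShell script below audits the three persistence spots this infection used: a file named autorun.inf at each drive root, the Explorer SHOWALL\CheckedValue hijack seen in the MBAM log, and HKCU Run entries that launch from a Temp folder like the [cdoosoft] entry in the HJT log. It assumes Windows PowerShell is installed on the machine and run from an administrative prompt; it only reports by default, and with -Protect it creates the same hidden autorun.inf placeholder folder the post describes.

```powershell
# Added defensive audit script (not from the thread). Assumes Windows PowerShell
# (v2 or later) and an administrative prompt. Reports findings only; with
# -Protect it creates the hidden autorun.inf folder that blocks a worm from
# writing its own autorun.inf file at the drive root.
param([switch]$Protect)

$findings = @()

# 1. autorun.inf at the root of every filesystem drive.
#    A *file* named autorun.inf is what the worm dropped on C: through H:;
#    a *folder* with that name is the protective placeholder.
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $root = $drive.Root
    $path = Join-Path $root 'autorun.inf'
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $findings += "SUSPICIOUS  $path is a file (worm-style autorun)"
        # Show which executables it would launch, without running anything.
        Get-Content -LiteralPath $path |
            Where-Object { $_ -match '^\s*(open|shellexecute|shell\\)' } |
            ForEach-Object { $findings += "            -> $_" }
    } elseif (Test-Path -LiteralPath $path -PathType Container) {
        $findings += "OK          $path is a folder (protected)"
    } else {
        $findings += "UNPROTECTED $root has no autorun.inf placeholder"
        if ($Protect) {
            $dir = New-Item -ItemType Directory -Path $path -Force
            $dir.Attributes = 'Hidden, System, ReadOnly'
            $findings += "            created hidden placeholder folder at $path"
        }
    }
}

# 2. Explorer "Show hidden files" hijack: CheckedValue must be 1 for the
#    Folder Options radio button to work (the log showed it forced to 0).
$showAll = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$checked = (Get-ItemProperty -Path $showAll -Name CheckedValue -ErrorAction SilentlyContinue).CheckedValue
if ($checked -ne 1) {
    $findings += "SUSPICIOUS  SHOWALL\CheckedValue is '$checked' (expected 1); hidden files cannot be shown"
}

# 3. Per-user Run entries that start something from a Temp folder.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }        # skip PowerShell's own metadata
        if ($p.Value -match '\\Temp\\') {
            $findings += "SUSPICIOUS  HKCU Run [$($p.Name)] = $($p.Value)"
        }
    }
}

$findings
```

Anything flagged SUSPICIOUS is what a fresh MBAM scan or the Autoruns step in the post would be expected to remove; the script itself deletes nothing.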

0

The links for the dll and Flash Disinfector are not correct, as they give a "page not found" error.
As for the other application you told me about, I don't get what value to remove.
Sorry!

0

I replaced the file. It's difficult to say how the PC performance is after that, but things appear normal to me. However, I tried to boot in safe mode and it got stuck after loading agp440.sys, and then the flashing message of SPTD.sys.
I think previously it used to get stuck at mup.sys, which is before agp440.sys, so maybe there is another driver corrupt as well.
Also I haven't tried my graphics card yet; do you think I can give it a try?


0

Are your graphics drivers up-to-date? That would be my next move. See if you can boot into safe mode after updating.
Let me know if your graphics card works ok.

0

The computer appears to be running fine right now the hard drive open normally

what about my drives not loading on reboot

You made it appear that all was well.

Please explain exactly the problem. Which drives are they? What is on them?

0

I have two hard drives and one DVD drive.
On restart, only one hard drive (the primary drive with Windows) opens, and the other hard drive and the DVD drive do not load.
The hard drive with Windows installed has three partitions while the other one has four.
Although things work normally if the computer is shut down completely.

0

If I understand correctly, when you restart windows, the other hard drive and DVD drive do not show in the drive list?
Have you tried uninstalling the drives, then reboot and have them re-detected?
Not sure what else to suggest for you.

0

Yes, exactly, this is the problem.
I haven't tried it yet; I thought it was too risky to do without advice or supervision.
Do you think I should try what you suggested, and can you be more clear about the process?
Also, do you think it's again a problem with my motherboard, and that by now it has gone old?

0

Go in to the Device Manager and under disc drives and also DVD drives, locate the drives that are giving problems and double click on them.
Go to the driver Tab and select 'uninstall' driver.
When you start your computer, the drive should be re-detected.

0

I tried, but no result.
On restart it still does not recognize those drives.
