11th January 2009
#16
Staff
Join Date: Apr 2003
Location: New Bremen, Ohio U.S.A.
Posts: 12,524
Computer Experience: ~@<*+
Once again, please disable any realtime protection applications. Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as:
Filename: CFScript.txt
Save As Type: All Files (*.*)
Code:
http://www.windowsbbs.com/malware-virus-removal/80304-active-infected-trojan-virus-windows-will-not-boot-anymore.html#post437465
Collect::
c:\windows\system32\drivers\ldznxx.sys
c:\windows\system32\tuvWopnn.dll
c:\windows\system32\stu2.exe
Folder::
c:\program files\tintinyproxyy
c:\windows\system32\994D46E4DC061202
Driver::
bnrgaeki
ezmevcc
flkuzsm
gvrwpn
hgidlvrp
ingzlb
mbrme
mqafxk
qjlg
ttzn
994D46E4DC061202
Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. ComboFix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log here.
Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.
**NOTE - I recommend you allow the Recovery Console to be downloaded and installed if or when prompted.
Please note that I have instructed CFScript to collect some files. This means that when ComboFix finishes, you will be prompted to allow ComboFix to upload a zip file that was created. The zip contains the aforementioned files. Please copy the path shown in the prompt and paste it into the box, then click Send. This will assist the author in adding the files for removal in future updates. Thanks!
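The helper checks by eye that the returned log confirms each item the CFScript asked for. The following Python example is added here (it is not ComboFix's code and not from this thread): it parses the CFScript's `Collect::`, `Folder::` and `Driver::` sections and the "Other Deletions" and "Drivers/Services" sections of the ComboFix log posted in reply, and reports which requested items the log confirms. The embedded script and log excerpt are copied from this thread (trimmed to the relevant lines); the section-parsing rules are an assumption based on the log layout shown here.

```python
import re

# Constructed input: the CFScript posted above (ComboFix puts the thread URL
# on the first line, then "Name::" directive headers with one item per line).
CFSCRIPT = r"""
http://www.windowsbbs.com/malware-virus-removal/80304-active-infected-trojan-virus-windows-will-not-boot-anymore.html#post437465
Collect::
c:\windows\system32\drivers\ldznxx.sys
c:\windows\system32\tuvWopnn.dll
c:\windows\system32\stu2.exe
Folder::
c:\program files\tintinyproxyy
c:\windows\system32\994D46E4DC061202
Driver::
bnrgaeki
ezmevcc
994D46E4DC061202
"""

# Constructed input: a trimmed copy of the relevant sections of the ComboFix
# log posted in reply (the banner lines delimit sections).
COMBOFIX_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\tintinyproxyy
c:\windows\system32\drivers\ldznxx.sys
c:\windows\system32\stu2.exe
c:\windows\system32\tuvWopnn.dll
Infected copy of c:\windows\system32\userinit.exe was found and disinfected
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_994D46E4DC061202
-------\Service_994D46E4DC061202
-------\Service_bnrgaeki
-------\Service_ezmevcc
"""

# A section banner: a run of '(' , the title, a run of ')'.
BANNER_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")


def parse_cfscript(text):
    """Return {directive: [items]}.  Lines before the first 'Name::' header
    (the thread URL) are ignored; blank lines are skipped."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_combofix_log(text):
    """Return {section title: [entries]} for the banner-delimited sections of
    a ComboFix log; the lone '.' filler lines are dropped."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = BANNER_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line not in ("", "."):
            sections[current].append(line)
    return sections


def check_cleanup(script, log):
    """Map every Collect::/Folder:: path and Driver:: service name to True if
    the log confirms ComboFix acted on it.  Paths are compared
    case-insensitively (NTFS is case-insensitive); a driver counts as removed
    when a 'Service_<name>' entry appears under Drivers/Services."""
    deleted = {p.lower() for p in log.get("Other Deletions", [])}
    services = set(log.get("Drivers/Services", []))
    result = {}
    for path in script.get("Collect", []) + script.get("Folder", []):
        result[path] = path.lower() in deleted
    for driver in script.get("Driver", []):
        result[driver] = f"-------\\Service_{driver}" in services
    return result


def verify():
    """Run the check on the embedded script and log."""
    return check_cleanup(parse_cfscript(CFSCRIPT), parse_combofix_log(COMBOFIX_LOG))


if __name__ == "__main__":
    for item, confirmed in verify().items():
        print(("confirmed  " if confirmed else "NOT in log ") + item)
```

Run as-is, the only item the log does not confirm is the folder `c:\windows\system32\994D46E4DC061202`, which never appears under "Other Deletions" in the posted log; the matching `Service_994D46E4DC061202` entry is confirmed. That is exactly the kind of discrepancy worth a second look when reviewing a cleanup log (most often the path simply no longer existed).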
11th January 2009
#17
Member
Join Date: Dec 2008
Posts: 11
Computer Experience: beginner+
Here is the ComboFix log file. I did not receive any prompt to upload a zip file though. I did install the recovery tool.
ComboFix 09-01-10.02 - ryan 2009-01-11 3:38:20.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.261 [GMT -5:00]
Running from: c:\documents and settings\ryan\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\ryan\Desktop\CFScript.txt
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\tintinyproxyy
c:\windows\system32\drivers\ldznxx.sys
c:\windows\system32\stu2.exe
c:\windows\system32\tuvWopnn.dll
Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\$NtServicePackUninstall$\userinit.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_994D46E4DC061202
-------\Service_994D46E4DC061202
-------\Service_bnrgaeki
-------\Service_ezmevcc
-------\Service_flkuzsm
-------\Service_gvrwpn
-------\Service_hgidlvrp
-------\Service_ingzlb
-------\Service_mbrme
-------\Service_mqafxk
-------\Service_qjlg
-------\Service_ttzn
((((((((((((((((((((((((( Files Created from 2008-12-11 to 2009-01-11 )))))))))))))))))))))))))))))))
.
2009-01-11 02:53 . 2008-10-16 14:13 202,776 --a------ c:\windows\system32\wuweb.dll
2009-01-11 02:53 . 2008-10-16 14:13 202,776 --a--c--- c:\windows\system32\dllcache\wuweb.dll
2009-01-11 01:21 . 2009-01-11 01:21 <DIR> d-------- C:\~ErdUserProfile.$$$
2008-12-27 14:33 . 2009-01-11 01:31 <DIR> d-------- c:\program files\Norton Security Scan
2008-12-27 13:54 . 2008-12-27 13:54 <DIR> d-------- c:\documents and settings\LocalService\Application Data\PCToolsSpamMonitorPlus
2008-12-27 13:54 . 2008-12-27 13:54 <DIR> d-------- c:\documents and settings\LocalService\Application Data\PCToolsFirewallPlus
2008-12-27 13:46 . 2009-01-11 01:31 <DIR> d-------- C:\malware
2008-12-25 00:53 . 2008-12-25 00:53 <DIR> d-------- c:\documents and settings\ryan\Application Data\PCToolsSpamMonitorPlus
2008-12-25 00:53 . 2008-12-25 00:53 <DIR> d-------- c:\documents and settings\ryan\Application Data\PCToolsFirewallPlus
2008-12-24 02:35 . 2009-01-11 01:31 <DIR> d-------- c:\program files\PC Tools Internet Security
2008-12-24 02:35 . 2008-12-24 02:35 <DIR> d-------- c:\program files\Common Files\PC Tools
2008-12-24 02:35 . 2008-12-24 02:35 <DIR> d-------- c:\program files\Browser Defender
2008-12-24 02:35 . 2008-12-24 02:35 <DIR> d-------- c:\documents and settings\ryan\Application Data\PC Tools
2008-12-24 02:35 . 2008-12-25 00:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Tools
2008-12-21 21:43 . 2008-12-21 21:43 <DIR> d-------- c:\documents and settings\ryan\Application Data\Malwarebytes
2008-12-21 20:34 . 2008-12-21 20:34 <DIR> d-------- C:\VundoFix Backups
2008-12-21 19:56 . 2008-12-21 19:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2008-12-21 19:53 . 2008-12-21 19:55 <DIR> d-------- C:\New Folder
2008-12-21 19:31 . 2009-01-11 01:44 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-12-21 13:02 . 2008-12-21 13:02 <DIR> d-------- c:\documents and settings\Administrator.GEKO-4XVBHOO2IJ\Application Data\Malwarebytes
2008-12-21 12:48 . 2008-12-21 12:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-20 17:29 . 2008-12-21 12:44 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-19 00:47 . 2008-12-24 01:43 <DIR> d-------- C:\!KillBox
2008-12-16 01:31 . 2008-12-16 01:31 <DIR> d--h----- c:\windows\system32\GroupPolicy
2008-12-16 01:13 . 2008-12-20 06:13 <DIR> d-------- c:\documents and settings\Administrator.GEKO-4XVBHOO2IJ\Application Data\webex
2008-12-16 00:11 . 2009-01-11 03:00 <DIR> d-------- C:\test
2008-12-15 23:38 . 2008-12-15 23:38 268 --ah----- C:\sqmdata00.sqm
2008-12-15 23:38 . 2008-12-15 23:38 244 --ah----- C:\sqmnoopt00.sqm
2008-12-15 23:29 . 2008-12-16 01:00 <DIR> d-------- c:\documents and settings\Administrator.GEKO-4XVBHOO2IJ\Contacts
2008-12-14 20:45 . 2008-12-27 13:41 <DIR> d-------- C:\hijackthis
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-27 19:36 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-27 19:15 --------- d-----w c:\program files\CCleaner
2008-12-24 07:35 --------- d-----w c:\program files\Lavasoft
2008-12-24 07:35 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-24 06:49 --------- d-----w c:\documents and settings\All Users\Application Data\WLInstaller
2008-12-16 07:23 --------- d-----w c:\program files\DivX
2008-12-16 07:19 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-16 07:07 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2008-12-14 21:34 --------- d-----w c:\documents and settings\ryan\Application Data\Skype
2008-12-14 21:09 --------- d-----w c:\documents and settings\ryan\Application Data\skypePM
2008-12-05 03:29 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-05 03:25 --------- d-----w c:\documents and settings\ryan\Application Data\Lavasoft
2008-12-05 02:43 --------- d-----w c:\program files\Common Files\Apple
2008-12-05 02:42 --------- d-----w c:\program files\Symantec
2008-12-05 02:36 --------- d-----w c:\program files\Norton AntiVirus
2008-12-05 02:35 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-11-20 04:44 --------- d-----w c:\program files\BitComet
2008-11-17 22:38 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-17 06:21 --------- d-----w c:\program files\Common Files\Sony Shared
2004-03-11 17:27 40,960 ----a-w c:\program files\Uninstall_CDS.exe
2008-12-16 06:13 27,976 ----a-w c:\program files\mozilla firefox\plugins\atgpcdec.dll
2008-12-16 06:13 126,360 ----a-w c:\program files\mozilla firefox\plugins\atgpcext.dll
2008-12-16 06:13 46,408 ----a-w c:\program files\mozilla firefox\plugins\atmccli.dll
2008-12-16 06:13 98,712 ----a-w c:\program files\mozilla firefox\plugins\ieatgpc.dll
.
((((((((((((((((((((((((((((( snapshot@2009-01-11_ 2.53.05.40 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-04 07:56:57 24,576 -c--a-w c:\windows\system32\dllcache\userinit.exe
- 2008-12-15 05:08:26 8,704 ----a-w c:\windows\system32\userinit.exe
+ 2004-08-04 07:56:57 24,576 ----a-w c:\windows\system32\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-12-10 7311360]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 36040]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-10-01 18:57 289576 c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2005-12-10 03:06 7311360 c:\windows\system32\nvcpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2005-12-10 03:06 86016 c:\windows\system32\nvmctray.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 15:09 413696 c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]
--------- 2002-02-04 22:32 53248 c:\program files\REGSHAVE\REGSHAVE.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-10 03:27 144784 c:\program files\Java\jre1.6.0_07\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 15:45 313472 c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USB Storage Toolbox]
--------- 2005-09-14 20:44 65536 c:\windows\UMStor\Res.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2006-11-03 18:20 866584 c:\program files\Windows Defender\MSASCui.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2005-12-10 03:06 1519616 c:\windows\system32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Symantec Core LC"=2 (0x2)
"SPBBCSvc"=3 (0x3)
"NPFMntor"=2 (0x2)
"navapsvc"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=3 (0x3)
"SBService"=2 (0x2)
"Bonjour Service"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Valve\\Steam\\Steam.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\geko_star\\day of defeat\\hl.exe"=
"c:\\WINDOWS\\system32\\javaw.exe"=
"c:\\Program Files\\BitTorrent\\btdownloadgui.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Java\\jre1.5.0_01\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaw.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\geko_star\\half-life\\hl.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6881:UDP"= 6881:UDP:Azureus
"8317:TCP"= 8317:TCP:BitComet 8317 TCP
"8317:UDP"= 8317:UDP:BitComet 8317 UDP
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 CCCP106;D-Link CIF Webcam;c:\windows\system32\drivers\cccp106.sys [2004-10-17 227200]
--- Other Services/Drivers In Memory ---
*Deregistered* - InCDrec
.
Contents of the 'Scheduled Tasks' folder
2008-12-19 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\system32\cleanmgr.exe [2008-04-13 19:12]
2009-01-11 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
2008-12-27 c:\windows\Tasks\Norton Security Scan for ryan.job
- c:\program files\Norton Security Scan\Nss.exe []
2008-12-22 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe []
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = about:blank
uInternet Settings,ProxyOverride = *.local;<local>
FF - ProfilePath - c:\documents and settings\ryan\Application Data\Mozilla\Firefox\Profiles\nl5xa3gh.default\
FF - prefs.js : browser.search.selectedEngine - Google
FF - prefs.js : browser.startup.homepage - hxxp://handsomeboys.org/
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-11 03:41:32
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Ahead\InCD\InCDsrv.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-01-11 3:43:57 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-11 08:43:49
ComboFix2.txt 2009-01-11 07:54:36
Pre-Run: 18,314,043,392 bytes free
Post-Run: 18,296,668,160 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
227 --- E O F --- 2008-12-12 22:56:37
11th January 2009
#18
Staff
Join Date: Apr 2003
Location: New Bremen, Ohio U.S.A.
Posts: 12,524
Computer Experience: ~@<*+
Please post the contents of C:\Qoobox\ComboFix-quarantined-files.txt
11th January 2009
#19
Member
Join Date: Dec 2008
Posts: 11
Computer Experience: beginner+
Here it is.
2001-08-23 07:00:00 A------- 8,704 C:\Qoobox\Quarantine\C\WINDOWS\system32\userinit.exe.vir
2004-10-18 11:24:42 A------- 5,487 C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat.vir
2004-10-18 11:24:42 A------- 6,412 C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat.vir
2005-12-20 19:27:15 A------- 2,235,149 C:\Qoobox\Quarantine\C\Documents and Settings\ryan\Application Data\Install.dat.vir
2008-12-14 17:04:51 A------- 441 C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSmtvd.dat.vir
2008-12-14 20:11:52 A------- 662,351 C:\Qoobox\Quarantine\C\WINDOWS\system32\fgPooUtv.ini.vir
2008-12-14 20:11:54 A------- 662,351 C:\Qoobox\Quarantine\C\WINDOWS\system32\fgPooUtv.ini2.vir
2008-12-14 20:13:29 A------- 1,649,533 C:\Qoobox\Quarantine\C\WINDOWS\system32\kehartqs.ini.vir
2008-12-15 00:08:34 A------- 26,112 C:\Qoobox\Quarantine\C\WINDOWS\system32\stu2.exe.vir
2008-12-15 23:28:38 A------- 70,144 C:\Qoobox\Quarantine\C\WINDOWS\system32\tuvWopnn.dll.vir
2008-12-15 23:39:45 A------- 1,648,353 C:\Qoobox\Quarantine\C\WINDOWS\system32\ctcxraop.ini.vir
2008-12-24 02:05:21 A------- 61,440 C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ldznxx.sys.vir
2009-01-11 02:03:14 A------- 8,960 C:\Qoobox\Quarantine\C\Program Files\tintinyproxyy\tinyproxy.exe.vir
2009-01-11 02:18:26 A------- 224 C:\Qoobox\Quarantine\catchme.log
2009-01-11 02:18:31 A------- 255 C:\Qoobox\Quarantine\C\autorun.inf.vir
2009-01-11 02:18:31 A------- 30,720 C:\Qoobox\Quarantine\C\resycled\boot.com.vir
2009-01-11 02:18:32 A------- 56,832 C:\Qoobox\Quarantine\C\WINDOWS\system32\msqpdxawvljquh.dll.vir
2009-01-11 02:18:32 A------- 74,240 C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\msqpdxelqncqnn.sys.vir
2009-01-11 02:18:33 A------- 49,152 C:\Qoobox\Quarantine\C\Program Files\Mozilla Firefox\components\iamfamous.dll.vir
2009-01-11 02:19:40 A------- 740 C:\Qoobox\Quarantine\Registry_backups\Service_MSQPDXSERV.SYS.reg.dat
2009-01-11 02:19:40 A------- 1,157 C:\Qoobox\Quarantine\Registry_backups\Service_TDSSSERV.SYS.reg.dat
2009-01-11 02:49:23 A------- 7,757 C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2009-01-11 02:49:31 A------- 942 C:\Qoobox\Quarantine\Registry_backups\Legacy_PLUG_AND_PLAY_(PLUGPLAY)_.reg.dat
2009-01-11 02:49:31 A------- 998 C:\Qoobox\Quarantine\Registry_backups\Legacy_LOGICAL_DISK_MANAGER_(DMSERVER)_.reg.dat
2009-01-11 02:49:31 A------- 3,146 C:\Qoobox\Quarantine\Registry_backups\Service_Plug and Play (PlugPlay) .reg.dat
2009-01-11 02:49:31 A------- 3,168 C:\Qoobox\Quarantine\Registry_backups\Service_Logical Disk Manager (dmserver) .reg.dat
2009-01-11 02:53:09 A------- 94 C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-PowerBar.reg.dat
2009-01-11 02:53:20 A------- 574 C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-AVG8_TRAY.reg.dat
2009-01-11 02:53:20 A------- 610 C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-8c30d3b8.reg.dat
2009-01-11 02:53:21 A------- 578 C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-Cmaudio.reg.dat
2009-01-11 02:53:21 A------- 580 C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-MSFox.reg.dat
2009-01-11 02:53:21 A------- 598 C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-Cognac.reg.dat
2009-01-11 02:53:21 A------- 618 C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-Jnskdfmf9eldfd.reg.dat
2009-01-11 02:53:21 A------- 628 C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-spywareguard.reg.dat
2009-01-11 03:38:17 A------- 97,375 C:\Qoobox\Quarantine\[4]-Submit_2009-01-11@3.38.zip
2009-01-11 03:39:17 A------- 948 C:\Qoobox\Quarantine\Registry_backups\Service_ezmevcc.reg.dat
2009-01-11 03:39:17 A------- 964 C:\Qoobox\Quarantine\Registry_backups\Service_flkuzsm.reg.dat
2009-01-11 03:39:17 A------- 978 C:\Qoobox\Quarantine\Registry_backups\Service_gvrwpn.reg.dat
2009-01-11 03:39:17 A------- 982 C:\Qoobox\Quarantine\Registry_backups\Service_bnrgaeki.reg.dat
2009-01-11 03:39:17 A------- 1,124 C:\Qoobox\Quarantine\Registry_backups\Legacy_994D46E4DC061202.reg.dat
2009-01-11 03:39:17 A------- 2,848 C:\Qoobox\Quarantine\Registry_backups\Service_994D46E4DC061202.reg.dat
2009-01-11 03:39:18 A------- 954 C:\Qoobox\Quarantine\Registry_backups\Service_hgidlvrp.reg.dat
2009-01-11 03:39:18 A------- 966 C:\Qoobox\Quarantine\Registry_backups\Service_qjlg.reg.dat
2009-01-11 03:39:18 A------- 982 C:\Qoobox\Quarantine\Registry_backups\Service_ingzlb.reg.dat
2009-01-11 03:39:18 A------- 996 C:\Qoobox\Quarantine\Registry_backups\Service_ttzn.reg.dat
2009-01-11 03:39:18 A------- 1,006 C:\Qoobox\Quarantine\Registry_backups\Service_mbrme.reg.dat
2009-01-11 03:39:18 A------- 1,006 C:\Qoobox\Quarantine\Registry_backups\Service_mqafxk.reg.dat
11th January 2009
#20
Staff
Join Date: Apr 2003
Location: New Bremen, Ohio U.S.A.
Posts: 12,524
Computer Experience: ~@<*+
Please upload the following file to this submission channel.
C:\Qoobox\Quarantine\[4]-Submit_2009-01-11@3.38.zip
Now let's get an online scan. Do an online scan with Kaspersky Online Scanner.
Click Accept when prompted to download and install the program files and database of malware definitions. Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.
Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
Click View scan report at the bottom.
Click the Save Report As... button.
Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
**Note**
To optimize scanning time and produce a more sensible report for review:
Close any open programs.
Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Post the Kaspersky log here.
11th January 2009
#21
Member
Join Date: Dec 2008
Posts: 11
Computer Experience: beginner+
Here is the new log file.
I am hoping this is a good sign.
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, January 11, 2009 08:50:40
Records in database: 1601660
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
Scan statistics:
Files scanned: 66750
Threat name: 7
Infected objects: 12
Suspicious objects: 0
Duration of the scan: 01:22:30
File name / Threat name / Threats count
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.617 1
C:\Program Files\Norton AntiVirus\Quarantine\420461FF.exe Infected: not-a-virus:AdWare.Win32.HelpExpress 1
C:\Program Files\Norton AntiVirus\Quarantine\46367D49.exe Infected: not-a-virus:AdWare.Win32.WebRebates.c 3
C:\Program Files\Norton AntiVirus\Quarantine\463A2746.exe Infected: not-a-virus:AdWare.Win32.WebRebates.c 3
C:\Qoobox\Quarantine\C\Program Files\tintinyproxyy\tinyproxy.exe.vir Infected: Trojan.Win32.Agent.azgv 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\msqpdxawvljquh.dll.vir Infected: Trojan-PSW.Win32.Agent.lnk 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\userinit.exe.vir Infected: Trojan-Downloader.Win32.Agent.auff 1
C:\Qoobox\Quarantine\[4]-Submit_2009-01-11@3.38.zip Infected: Trojan.Win32.Agent.avvk 1
The selected area was scanned.
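The helper's reading of this report is that every detection is either a copy already sitting in a quarantine folder (ComboFix's `C:\Qoobox\Quarantine` and Norton's quarantine) or a `not-a-virus:` riskware label, so nothing is live on the system. The Python example below is added here (it is not Kaspersky's or the thread's code) and makes that triage explicit: it parses the `<path> Infected: <threat> <count>` lines from the report above, which are embedded as constructed input copied from this post, and buckets each hit as contained, riskware or live. The quarantine folder list and the bucket rules are assumptions drawn from this thread.

```python
import re

# Constructed input: the detection lines from the Kaspersky report above.
KASPERSKY_REPORT = r"""
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.617 1
C:\Program Files\Norton AntiVirus\Quarantine\420461FF.exe Infected: not-a-virus:AdWare.Win32.HelpExpress 1
C:\Program Files\Norton AntiVirus\Quarantine\46367D49.exe Infected: not-a-virus:AdWare.Win32.WebRebates.c 3
C:\Qoobox\Quarantine\C\Program Files\tintinyproxyy\tinyproxy.exe.vir Infected: Trojan.Win32.Agent.azgv 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\msqpdxawvljquh.dll.vir Infected: Trojan-PSW.Win32.Agent.lnk 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\userinit.exe.vir Infected: Trojan-Downloader.Win32.Agent.auff 1
C:\Qoobox\Quarantine\[4]-Submit_2009-01-11@3.38.zip Infected: Trojan.Win32.Agent.avvk 1
The selected area was scanned.
"""

# Folders whose contents are neutralised copies held by a cleanup tool
# (ComboFix's Qoobox and Norton's quarantine, both named in this thread).
QUARANTINE_PREFIXES = (
    "c:\\qoobox\\quarantine\\",
    "c:\\program files\\norton antivirus\\quarantine\\",
)

# "<path> Infected: <threat name> <count>"; the path may contain spaces, so
# it is matched lazily up to the literal " Infected: " marker.
HIT_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")


def parse_report(text):
    """Return [(path, threat, count)] for every detection line; other lines
    (headers, the closing 'The selected area was scanned.') are ignored."""
    hits = []
    for line in text.splitlines():
        m = HIT_RE.match(line.strip())
        if m:
            hits.append((m["path"], m["threat"], int(m["count"])))
    return hits


def classify(path, threat):
    """Bucket a detection:
       contained - inside a quarantine folder, so inert; remove it with the
                   tool that quarantined it rather than by hand
       riskware  - Kaspersky's 'not-a-virus:' prefix marks legitimate software
                   with dual-use potential (mIRC here); a judgement call, not
                   an active infection
       live      - anything else: an active detection that needs action"""
    if path.lower().startswith(QUARANTINE_PREFIXES):
        return "contained"
    if threat.startswith("not-a-virus:"):
        return "riskware"
    return "live"


def triage(text):
    """Return {bucket: [(path, threat)]}; an empty 'live' list is the
    'good sign' the poster was hoping for."""
    buckets = {"live": [], "contained": [], "riskware": []}
    for path, threat, _count in parse_report(text):
        buckets[classify(path, threat)].append((path, threat))
    return buckets


if __name__ == "__main__":
    for bucket, items in triage(KASPERSKY_REPORT).items():
        print(f"{bucket}: {len(items)}")
        for path, threat in items:
            print(f"  {threat:45} {path}")
```

The quarantine check runs before the riskware check on purpose: a quarantined adware sample is "contained" whatever its label, and the only thing left to decide is which tool's quarantine to empty. On this report the live bucket comes out empty, six hits are contained and one (mirc.exe) is riskware.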
11th January 2009
#22
Staff
Join Date: Apr 2003
Location: New Bremen, Ohio U.S.A.
Posts: 12,524
Computer Experience: ~@<*+
Good sign indeed!
Open the Norton interface and remove all files in quarantine.
Click Start>Run and type ComboFix /u then hit Enter to uninstall ComboFix and remove the files it has quarantined. This action will also reset the System Restore points, removing any infected files there as well.
Verify the C:\Qoobox and C:\ComboFix folders were removed, as well as the C:\ComboFix.txt file.
Delete DDS.scr and any other specialized tools you used prior to coming here, e.g. Killbox and the C:\!Killbox folder, VundoFix, etc.
Open MBAM and remove any items quarantined.
Finally, empty the recycle bin.
Let me know how your computer is behaving now.
11th January 2009
#23
Member
Join Date: Dec 2008
Posts: 11
Computer Experience: beginner+
Hello,
So I am back and hopefully virus free.
All of your steps have been followed, and my last request is either a link or a point in the right direction for some tools on firewalls and anti-virus protection.
11th January 2009
#24
Staff
Join Date: Apr 2003
Location: New Bremen, Ohio U.S.A.
Posts: 12,524
Computer Experience: ~@<*+
Good work gekostar! Geri has posted some very helpful information and recommendations regarding future protection in the following link.
An ounce of prevention is worth a pound of cure
Surf safe!