
Solved XP downloader, smitfraud and others...

Discussion in 'Malware and Virus Removal Archive' started by mcseadogs, 2008/03/03.

  1. 2008/03/14
    mcseadogs

    mcseadogs Inactive Thread Starter

    Joined:
    2007/11/15
    Messages:
    81
    Likes Received:
    0
    bad news

    I followed the above steps for a new combofix and the scan is stuck again.
     
  2. 2008/03/14
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    I'm now completely baffled as to why ComboFix is hanging. :confused:

    Let's go another route. First, see if you can delete the following file.

    C:\WINDOWS\system32\rlai.dll

    Then, highlight and copy the contents of the code box below to a blank notepad. Save it to the desktop as:

    Filename: fix.reg
    Save as type: All Files (*.*)

    Code:
    REGEDIT4
    
    ; delete the BHO's COM class registration
    [-HKEY_CLASSES_ROOT\clsid\{e3dcf32c-d76e-494f-92ff-3cf77e5d3a2a}]
    
    ; delete its versioned ProgID
    [-HKEY_CLASSES_ROOT\ekvgsnw.1]
    
    ; delete its type library
    [-HKEY_CLASSES_ROOT\TypeLib\{59D95FC4-8C15-4224-9AE5-43867E8BD69E}]
    
    ; delete its version-independent ProgID
    [-HKEY_CLASSES_ROOT\ekvgsnw]
    
    ; delete the Internet Explorer toolbar value that loads it ("=-" removes the value)
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{E3DCF32C-D76E-494F-92FF-3CF77E5D3A2A}"=-
    
    Double click fix.reg and allow it to merge with the registry.
    Reboot and run dss again, then post the log it produces.
     


  4. 2008/03/17
    mcseadogs

    rlai.dll

    At least the system allows me to reboot it when combofix hangs. I searched for the rlai.dll file and was unable to locate it. I am viewing all files and protected operating system files. Should I go ahead and do the fixreg script still?
    Thanks
     
  5. 2008/03/17
    noahdfear

    Yes, run the reg file then post a new dss log.
     
  6. 2008/03/18
    mcseadogs

    Latest dss scan

    fixreg run and completed successfully. PC rebooted and here is the latest main.txt:
    Deckard's System Scanner v20071014.68
    Run by MED on 2008-03-18 08:30:29
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    Total Physical Memory: 503 MiB (512 MiB recommended).


    -- HijackThis (run as MED.exe) -------------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 08:30, on 2008-03-18
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\Dell\OpenManage\Client\Iap.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\RealVNC\VNC4\WinVNC4.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Documents and Settings\MED\Desktop\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\MED.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
    O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1155928005687
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Google Desktop Manager 5.5.709.30344 (GoogleDesktopManager-093007-112848) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

    --
    End of file - 6811 bytes

    -- Files created between 2008-02-18 and 2008-03-18 -----------------------------

    2008-03-05 09:24:20 68096 --a------ C:\WINDOWS\system32\zip.exe
    2008-03-05 09:24:20 98816 --a------ C:\WINDOWS\system32\sed.exe
    2008-03-05 09:24:20 80412 --a------ C:\WINDOWS\system32\grep.exe
    2008-03-05 09:24:20 73728 --a------ C:\WINDOWS\system32\fdsv.exe <Not Verified; Smallfrogs Studio; >
    2008-03-04 10:28:17 0 d-------- C:\Documents and Settings\MED\Application Data\Malwarebytes
    2008-03-04 10:28:07 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-03-04 10:28:06 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-03-03 10:12:40 0 d-------- C:\Program Files\Trend Micro
    2008-02-29 16:40:13 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-02-29 16:40:12 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
    2008-02-29 15:55:46 0 d-------- C:\WINDOWS\system32\appmgmt
    2008-02-29 09:51:15 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-02-19 14:17:25 0 d-------- C:\WINDOWS\SxsCaPendDel
    2008-02-19 14:04:01 0 d-------- C:\Program Files\Windows Media Connect 2
    2008-02-19 14:02:33 0 d-------- C:\WINDOWS\system32\LogFiles
    2008-02-19 14:02:33 0 d-------- C:\WINDOWS\system32\drivers\UMDF


    -- Find3M Report ---------------------------------------------------------------

    2008-03-18 08:29:07 0 d-------- C:\Program Files\Symantec AntiVirus
    2008-02-29 15:55:44 0 d-------- C:\Program Files\Dell
    2008-02-19 14:18:44 0 d-------- C:\Program Files\Common Files\Adobe


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-04-05 05:22]
    "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-04-05 05:19]
    "Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2005-04-05 05:23]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
    "Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-01-30 10:56]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 15:44]
    "vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2004-03-12 14:18]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Aim6"="" []
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2006-11-08 12:40:53]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
    @="Service"




    -- End of Deckard's System Scanner: finished at 2008-03-18 08:30:54 ------------
     
  7. 2008/03/18
    noahdfear

    Looks good. Poke around in the C:\Qoobox folder and see if wininit.ini and rlai.dll happen to be in there. They will now have .vir extensions if present.

    Run a scan with Kaspersky WebScanner and post the log here if anything is reported infected.

    How's the computer behaving now? Any other issues?
     
  8. 2008/03/19
    mcseadogs

    kaspersky log 031908

    Both those files are present with the .vir folder. Kaspersky seemed to find some additional issues:
    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    2008-03-19 10:29
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 19/03/2008
    Kaspersky Anti-Virus database records: 640079
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\

    Scan Statistics:
    Total number of scanned objects: 32854
    Number of viruses found: 21
    Number of infected objects: 82
    Number of suspicious objects: 0
    Duration of the scan process: 00:32:02

    Infected Object Name / Virus Name / Last Action
    C:\Deckard\System Scanner\20080313074429\backup\WINDOWS\temp\ONE10.tmp\upgrade.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
    C:\Deckard\System Scanner\20080313074429\backup\WINDOWS\temp\ONE10.tmp\upgrade.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
    C:\Deckard\System Scanner\20080313074429\backup\WINDOWS\temp\ONE10.tmp\upgrade.exe/stream Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
    C:\Deckard\System Scanner\20080313074429\backup\WINDOWS\temp\ONE10.tmp\upgrade.exe NSIS: infected - 3 skipped
    C:\Deckard\System Scanner\20080313074429\backup\WINDOWS\temp\ONE15.tmp\upgrade.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
    C:\Deckard\System Scanner\20080313074429\backup\WINDOWS\temp\ONE15.tmp\upgrade.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
    C:\Deckard\System Scanner\20080313074429\backup\WINDOWS\temp\ONE15.tmp\upgrade.exe/stream Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
    C:\Deckard\System Scanner\20080313074429\backup\WINDOWS\temp\ONE15.tmp\upgrade.exe NSIS: infected - 3 skipped
    C:\Deckard\System Scanner\20080313074429\backup\WINDOWS\temp\ONE35C3.tmp\upgrade.exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.OneStep.d skipped
    C:\Deckard\System Scanner\20080313074429\backup\WINDOWS\temp\ONE35C3.tmp\upgrade.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
    C:\Deckard\System Scanner\20080313074429\backup\WINDOWS\temp\ONE35C3.tmp\upgrade.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
    C:\Deckard\System Scanner\20080313074429\backup\WINDOWS\temp\ONE35C3.tmp\upgrade.exe/stream Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
    C:\Deckard\System Scanner\20080313074429\backup\WINDOWS\temp\ONE35C3.tmp\upgrade.exe NSIS: infected - 4 skipped
    C:\Deckard\System Scanner\20080313074429\backup\WINDOWS\temp\ONE4.tmp\upgrade.cab/upgrade.exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.OneStep.f skipped
    C:\Deckard\System Scanner\20080313074429\backup\WINDOWS\temp\ONE4.tmp\upgrade.cab/upgrade.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
    C:\Deckard\System Scanner\20080313074429\backup\WINDOWS\temp\ONE4.tmp\upgrade.cab/upgrade.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.OneStep.g skipped
    C:\Deckard\System Scanner\20080313074429\backup\WINDOWS\temp\ONE4.tmp\upgrade.cab/upgrade.exe/stream Infected: not-a-virus:AdWare.Win32.OneStep.g skipped
    C:\Deckard\System Scanner\20080313074429\backup\WINDOWS\temp\ONE4.tmp\upgrade.cab/upgrade.exe Infected: not-a-virus:AdWare.Win32.OneStep.g skipped
    C:\Deckard\System Scanner\20080313074429\backup\WINDOWS\temp\ONE4.tmp\upgrade.cab CAB: infected - 5 skipped
    C:\Deckard\System Scanner\20080313074429\backup\WINDOWS\temp\ONE43F.tmp\upgrade.exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.OneStep.f skipped
    C:\Deckard\System Scanner\20080313074429\backup\WINDOWS\temp\ONE43F.tmp\upgrade.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
    C:\Deckard\System Scanner\20080313074429\backup\WINDOWS\temp\ONE43F.tmp\upgrade.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.OneStep.g skipped
    C:\Deckard\System Scanner\20080313074429\backup\WINDOWS\temp\ONE43F.tmp\upgrade.exe/stream Infected: not-a-virus:AdWare.Win32.OneStep.g skipped
    C:\Deckard\System Scanner\20080313074429\backup\WINDOWS\temp\ONE43F.tmp\upgrade.exe NSIS: infected - 4 skipped
    C:\Deckard\System Scanner\20080313074429\backup\WINDOWS\temp\ONE4CC.tmp\upgrade.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
    C:\Deckard\System Scanner\20080313074429\backup\WINDOWS\temp\ONE4CC.tmp\upgrade.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
    C:\Deckard\System Scanner\20080313074429\backup\WINDOWS\temp\ONE4CC.tmp\upgrade.exe/stream Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
    C:\Deckard\System Scanner\20080313074429\backup\WINDOWS\temp\ONE4CC.tmp\upgrade.exe NSIS: infected - 3 skipped
    C:\Deckard\System Scanner\20080313074429\backup\WINDOWS\temp\ONE4D74.tmp\upgrade.exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.OneStep.d skipped
    C:\Deckard\System Scanner\20080313074429\backup\WINDOWS\temp\ONE4D74.tmp\upgrade.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
    C:\Deckard\System Scanner\20080313074429\backup\WINDOWS\temp\ONE4D74.tmp\upgrade.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
    C:\Deckard\System Scanner\20080313074429\backup\WINDOWS\temp\ONE4D74.tmp\upgrade.exe/stream Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
    C:\Deckard\System Scanner\20080313074429\backup\WINDOWS\temp\ONE4D74.tmp\upgrade.exe NSIS: infected - 4 skipped
    C:\Deckard\System Scanner\20080313074429\backup\WINDOWS\temp\ONEC7E.tmp\upgrade.exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.OneStep.d skipped
    C:\Deckard\System Scanner\20080313074429\backup\WINDOWS\temp\ONEC7E.tmp\upgrade.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
    C:\Deckard\System Scanner\20080313074429\backup\WINDOWS\temp\ONEC7E.tmp\upgrade.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
    C:\Deckard\System Scanner\20080313074429\backup\WINDOWS\temp\ONEC7E.tmp\upgrade.exe/stream Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
    C:\Deckard\System Scanner\20080313074429\backup\WINDOWS\temp\ONEC7E.tmp\upgrade.exe NSIS: infected - 4 skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DB40000.VBN Infected: not-a-virus:AdWare.Win32.Vapsup.bzz skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DB40001.VBN Infected: not-a-virus:AdWare.Win32.Vapsup.cap skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DB40002.VBN Infected: not-a-virus:AdWare.Win32.Vapsup.bzh skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\MED\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.74771 Infected: Trojan-Downloader.Win32.Agent.jnw skipped
    C:\Documents and Settings\MED\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\MED\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\MED\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\MED\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\MED\Local Settings\History\History.IE5\MSHist012008031920080320\index.dat Object is locked skipped
    C:\Documents and Settings\MED\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\MED\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\MED\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Program Files\filesubmit\oswdvaz118.exe Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
    C:\Program Files\filesubmit\VVSNInst.exe Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
    C:\Program Files\RealVNC\VNC4\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4110 skipped
    C:\Program Files\RealVNC\VNC4\wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\rlai.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.th skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP294\A0014500.exe Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP301\A0014659.exe Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP304\A0014832.exe Infected: not-a-virus:AdWare.Win32.Relevant.b skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP304\A0014833.exe Infected: not-a-virus:AdWare.Win32.Relevant.a skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP304\A0014834.dll Infected: not-a-virus:AdWare.Win32.OneStep.a skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP304\A0014835.exe Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP304\A0014837.dll Infected: not-a-virus:AdWare.Win32.OneStep.d skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP304\A0014838.exe Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP304\A0014849.exe Infected: not-a-virus:AdWare.Win32.RK.n skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP305\snapshot\MFEX-1.DAT Infected: not-a-virus:AdWare.Win32.RK.v skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP306\A0016905.exe Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP306\A0016913.dll Infected: not-a-virus:AdWare.Win32.OneStep.d skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP306\A0016914.exe Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP306\A0016964.exe Infected: not-a-virus:AdWare.Win32.OneStep.g skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP311\snapshot\MFEX-63.DAT Infected: not-a-virus:AdWare.Win32.RK.s skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP312\snapshot\MFEX-63.DAT Infected: not-a-virus:AdWare.Win32.RK.s skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP313\A0017244.exe Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP313\snapshot\MFEX-63.DAT Infected: not-a-virus:AdWare.Win32.RK.s skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP314\snapshot\MFEX-63.DAT Infected: not-a-virus:AdWare.Win32.RK.s skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP315\A0017257.dll Infected: not-a-virus:AdWare.Win32.OneStep.f skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP315\A0017258.exe Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP315\A0017278.dll Infected: not-a-virus:AdWare.Win32.RK.v skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP315\A0017280.exe Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP315\snapshot\MFEX-63.DAT Infected: not-a-virus:AdWare.Win32.RK.s skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP317\A0017333.exe Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP324\A0017634.dll Infected: not-a-virus:AdTool.Win32.WhenU.i skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP324\A0017635.exe Infected: not-a-virus:AdTool.Win32.WhenU.i skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP326\A0017715.exe Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP328\A0019800.exe Infected: not-a-virus:AdWare.Win32.RK.t skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP328\A0019801.dll Infected: not-a-virus:AdWare.Win32.RK.s skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP328\A0019805.dll Infected: not-a-virus:AdWare.Win32.Vapsup.bzn skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP330\A0019809.exe Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP330\A0019812.exe Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP333\A0020005.dll Infected: Trojan-Downloader.Win32.Agent.jnw skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP336\A0020138.dll Infected: not-a-virus:AdWare.Win32.BHO.th skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP346\change.log Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped

    Scan process completed.

    Overall the computer is vastly improved. We are back to the regular background, the screen saver runs, it is actually responsive and can be rebooted easily and programs seem to be running fairly normally.
     
  9. 2008/03/19
    noahdfear

    The KAV scan looks great. Only two files not already in quarantine to remove.

    C:\Program Files\filesubmit\oswdvaz118.exe --> Win32.OneStep.c
    C:\Program Files\filesubmit\VVSNInst.exe --> AdTool.Win32.WhenU.a

    Open MBAM and select the Quarantine tab, then remove all entries.

    Empty all items quarantined by Norton.

    Click Start>Run and type ComboFix /u then hit Enter to uninstall ComboFix and remove the files it has quarantined. This action will also reset the System Restore points, removing the infected files there as well. The C:\Deckard's folder will also be removed. You can delete any logs that were created/saved too.

    Note - Combofix makes some changes when run to prevent autorun/autoplay of ALL CDs, floppies and USB devices, to assist with malware removal & increase security. If this is an issue or makes it difficult for you to use those devices, please ask how to reset it.

    Finally, run ATF Cleaner again to clear temps and empty the recycle bin.

    That should wrap things up. :)
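The triage noahdfear performs on the Kaspersky report above (ignore locked objects, ignore what is already in quarantine, the Deckard backup or System Restore points, and list only what is still live on disk) as an added Python example. This is not code from the thread; the report lines are a constructed excerpt of the log posted above, and treating RemoteAdmin detections (the RealVNC files, which the HijackThis log shows running as an installed service) as a separate review bucket is this example's own assumption.

```python
"""Triage a Kaspersky Online Scanner text report the way the thread does.

Constructed example, not code from the thread: it separates findings that
are already contained (quarantine folders, the Deckard backup, System
Restore points) from files still live on disk, drops locked objects, and
sets aside remote-admin tool detections for manual review.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# A report line is "<path> Infected: <verdict> <action>",
# "<path> Object is locked <action>" or "<path> <TYPE>: infected - <n> <action>".
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?:Infected: (?P<verdict>\S+)"
    r"|(?P<locked>Object is locked)"
    r"|(?P<container>\w+): infected - \d+) "
    r"(?P<action>\w+)$"
)

# Lower-cased path fragments meaning the object is already out of the
# execution path; emptying quarantine / resetting restore points removes it.
CONTAINED_MARKERS = (
    "\\quarantine\\",
    "\\deckard\\system scanner\\",
    "\\system volume information\\_restore",
)

# Constructed excerpt in the shape of the report posted above.
SAMPLE_REPORT = r"""
C:\Deckard\System Scanner\20080313074429\backup\WINDOWS\temp\ONE10.tmp\upgrade.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
C:\Deckard\System Scanner\20080313074429\backup\WINDOWS\temp\ONE10.tmp\upgrade.exe NSIS: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DB40000.VBN Infected: not-a-virus:AdWare.Win32.Vapsup.bzz skipped
C:\Documents and Settings\MED\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.74771 Infected: Trojan-Downloader.Win32.Agent.jnw skipped
C:\Program Files\filesubmit\oswdvaz118.exe Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
C:\Program Files\filesubmit\VVSNInst.exe Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
C:\Program Files\RealVNC\VNC4\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4110 skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\rlai.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.th skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP333\A0020005.dll Infected: Trojan-Downloader.Win32.Agent.jnw skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
"""


@dataclass
class Finding:
    path: str
    status: str             # "infected", "locked" or "container"
    verdict: Optional[str]  # Kaspersky verdict name, None for locked objects


def parse_line(line: str) -> Optional[Finding]:
    """Return a Finding for one report line, or None if it is not a finding."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    if m.group("locked"):
        return Finding(m.group("path"), "locked", None)
    if m.group("container"):
        # Archive/installer summary line ("NSIS: infected - 3"); the streams
        # inside it were already listed one by one.
        return Finding(m.group("path"), "container", None)
    return Finding(m.group("path"), "infected", m.group("verdict"))


def classify(f: Finding) -> str:
    """Bucket a finding as locked, contained, review (admin tool) or live."""
    if f.status == "locked":
        return "locked"
    if any(marker in f.path.lower() for marker in CONTAINED_MARKERS):
        return "contained"
    # Remote-administration tools are reported as "not-a-virus"; whether they
    # belong on the machine is a judgment call, so they get their own bucket.
    if f.verdict and f.verdict.startswith("not-a-virus:RemoteAdmin"):
        return "review"
    return "live"


def triage(report: str) -> Dict[str, List[str]]:
    """Group every finding's path by bucket; 'live' is the list to act on."""
    buckets: Dict[str, List[str]] = {"live": [], "review": [], "contained": [], "locked": []}
    for line in report.splitlines():
        f = parse_line(line)
        if f is not None:
            buckets[classify(f)].append(f.path)
    return buckets


def verdict_names(report: str) -> List[str]:
    """Distinct verdict names across infected (non-container) findings."""
    names = {f.verdict for f in map(parse_line, report.splitlines())
             if f is not None and f.status == "infected" and f.verdict}
    return sorted(names)


if __name__ == "__main__":
    for bucket, paths in triage(SAMPLE_REPORT).items():
        print(f"{bucket}: {len(paths)}")
        for p in paths:
            print("   ", p)
    print("verdicts:", ", ".join(verdict_names(SAMPLE_REPORT)))
```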
     
  10. 2008/03/20
    mcseadogs

    All done!

    Excellent! All steps completed without further issue. If you don't mind sending the info on resetting the combofix changes for the autoplay for CD/USB, that would be great. Thanks again for all the help!
     
  11. 2008/03/22
    noahdfear

    Happy to hear everything is back to normal. I've sent the autorun instructions via PM, though I would much prefer to see it left disabled. The autorun feature is becoming more and more of a method used to spread infections, and disabling the feature is the best form of protection against it.

    Glad I could help! :)
     
  12. 2008/03/24
    mcseadogs

    thanks/autoplay

    Thank you so much. I will save the autoplay reset instructions and keep them as currently configured unless it becomes an issue.
    Thanks again!
     
  13. 2008/03/24
    noahdfear

    You're most welcome. :)
     
