
Solved help with Bloodhound.Packed.Jmp and Infostealer.Gampass viruses

Discussion in 'Malware and Virus Removal Archive' started by basketballfreak, 2008/04/01.

  1. 2008/04/06
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Looks great! Click Start>Run and type ComboFix /u then hit Enter to uninstall ComboFix and remove the files it has quarantined. This action will also reset the System Restore points, removing the infected files there as well. The C:\Deckard's folder will also be removed. You can delete any logs that were created/saved too.

    Note - Combofix makes some changes when run to prevent autorun/autoplay of ALL CDs, floppies and USB devices, to assist with malware removal & increase security. If this is an issue or makes it difficult for you to use those devices, please ask how to reset it.

    That should wrap things up. How's the computer behaving now?


    P2P - I see you have P2P software (BitComet, eMule) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may have been a contributor to your recent situation. This page will give you further information.

    Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

    References for the risk of these programs are here,
    here and here.

    I would strongly recommend that you uninstall them, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.
     
  2. 2008/04/06
    basketballfreak

    basketballfreak Inactive Thread Starter

    Joined:
    2008/04/01
    Messages:
    25
    Likes Received:
    0
    hey noah

    thanks very very much for your help, atm pc seems fine (norton not picking up anything yet) i will go run the kaspersky online scan tonight over night and see how it goes in the morning (12:30am here right now and need to get up 6:30 in the morning to goto work >_<)

    any problems i will post back

    ps thinking of ditching norton and giving avast a try...what you think of avast as anti virus??

    once again thanks heaps for all your help, can't thank you enough
     

  4. 2008/04/06
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    I've never used nor tested Avast, though Avast, AVG and Avira are all widely recommended and used freeware.

    Glad I could help. :)
     
  5. 2008/04/06
    basketballfreak

    basketballfreak Inactive Thread Starter

    Joined:
    2008/04/01
    Messages:
    25
    Likes Received:
    0
    hey noah, finished running kaspersky overnight and it still says i have virus :(

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Monday, April 07, 2008 6:42:34 AM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 6/04/2008
    Kaspersky Anti-Virus database records: 686440
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\
    E:\
    F:\
    G:\
    H:\
    I:\
    J:\
    K:\
    M:\
    N:\

    Scan Statistics:
    Total number of scanned objects: 120633
    Number of viruses found: 9
    Number of infected objects: 98
    Number of suspicious objects: 0
    Duration of the scan process: 02:10:15

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\AP11.dll Infected: Trojan-PSW.Win32.OnLineGames.yop skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\AP13.dll Infected: Trojan-PSW.Win32.OnLineGames.yop skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\AP14.dll Infected: Trojan-PSW.Win32.OnLineGames.yop skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\AP17.dll Infected: Trojan-PSW.Win32.OnLineGames.yop skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\AP18.dll Infected: Trojan-PSW.Win32.OnLineGames.yop skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\AP19.dll Infected: Trojan-PSW.Win32.OnLineGames.yxp skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\AP2.dll Infected: Trojan-PSW.Win32.OnLineGames.yop skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\AP21.dll Infected: Trojan-PSW.Win32.OnLineGames.yxg skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\AP22.dll Infected: Worm.Win32.AutoRun.dfg skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\AP25.dll Infected: Trojan-PSW.Win32.OnLineGames.ywz skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\AP26.dll Infected: Trojan-PSW.Win32.OnLineGames.ywz skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\AP27.dll Infected: Worm.Win32.AutoRun.dfg skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\AP28.dll Infected: Trojan-PSW.Win32.OnLineGames.ywz skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\AP29.dll Infected: Trojan-PSW.Win32.OnLineGames.ywz skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\AP3.dll Infected: Trojan-PSW.Win32.OnLineGames.yop skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\AP30.dll Infected: Trojan-PSW.Win32.OnLineGames.ywz skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\AP31.dll Infected: Worm.Win32.AutoRun.dfg skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\AP4.dll Infected: Trojan-PSW.Win32.OnLineGames.yop skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\AP5.dll Infected: Trojan-PSW.Win32.OnLineGames.yop skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\AP6.dll Infected: Trojan-PSW.Win32.OnLineGames.yop skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\AP7.dll Infected: Trojan-PSW.Win32.OnLineGames.yop skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\AP8.dll Infected: Trojan-PSW.Win32.OnLineGames.yop skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\AP9.dll Infected: Trojan-PSW.Win32.OnLineGames.yop skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0FB40000.VBN Infected: Trojan-PSW.Win32.OnLineGames.yop skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0FB40002.VBN Infected: Trojan-PSW.Win32.OnLineGames.yop skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\Tony Liu\Application Data\Microsoft\Internet Explorer\UserData\index.dat Object is locked skipped
    C:\Documents and Settings\Tony Liu\Application Data\Mozilla\Firefox\Profiles\yf5llrry.default\cert8.db Object is locked skipped
    C:\Documents and Settings\Tony Liu\Application Data\Mozilla\Firefox\Profiles\yf5llrry.default\history.dat Object is locked skipped
    C:\Documents and Settings\Tony Liu\Application Data\Mozilla\Firefox\Profiles\yf5llrry.default\key3.db Object is locked skipped
    C:\Documents and Settings\Tony Liu\Application Data\Mozilla\Firefox\Profiles\yf5llrry.default\parent.lock Object is locked skipped
    C:\Documents and Settings\Tony Liu\Application Data\Mozilla\Firefox\Profiles\yf5llrry.default\search.sqlite Object is locked skipped
    C:\Documents and Settings\Tony Liu\Application Data\Mozilla\Firefox\Profiles\yf5llrry.default\urlclassifier2.sqlite Object is locked skipped
    C:\Documents and Settings\Tony Liu\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Tony Liu\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
    C:\Documents and Settings\Tony Liu\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Tony Liu\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Tony Liu\Local Settings\Application Data\Mozilla\Firefox\Profiles\yf5llrry.default\Cache\_CACHE_001_ Object is locked skipped
    C:\Documents and Settings\Tony Liu\Local Settings\Application Data\Mozilla\Firefox\Profiles\yf5llrry.default\Cache\_CACHE_002_ Object is locked skipped
    C:\Documents and Settings\Tony Liu\Local Settings\Application Data\Mozilla\Firefox\Profiles\yf5llrry.default\Cache\_CACHE_003_ Object is locked skipped
    C:\Documents and Settings\Tony Liu\Local Settings\Application Data\Mozilla\Firefox\Profiles\yf5llrry.default\Cache\_CACHE_MAP_ Object is locked skipped
    C:\Documents and Settings\Tony Liu\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Tony Liu\Local Settings\History\History.IE5\MSHist012008040720080408\index.dat Object is locked skipped
    C:\Documents and Settings\Tony Liu\Local Settings\Temp\Perflib_Perfdata_65c.dat Object is locked skipped
    C:\Documents and Settings\Tony Liu\Local Settings\Temp\Perflib_Perfdata_b88.dat Object is locked skipped
    C:\Documents and Settings\Tony Liu\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
    C:\Documents and Settings\Tony Liu\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Tony Liu\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\Tony Liu\ntuser.dat.LOG Object is locked skipped
    C:\Program Files\ASUS\PC Probe II\Pci.tab Object is locked skipped
    C:\QooBox\Quarantine\C\nl.com.vir Infected: Trojan.Win32.Vaklik.yt skipped
    C:\QooBox\Quarantine\C\rjiybg.exe.vir Infected: Trojan-PSW.Win32.OnLineGames.yxb skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\kavo.exe.vir Infected: Trojan.Win32.Vaklik.yt skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\tavo.exe.vir Infected: Trojan.Win32.Vaklik.yu skipped
    C:\QooBox\Quarantine\D\nl.com.vir Infected: Trojan.Win32.Vaklik.yt skipped
    C:\QooBox\Quarantine\D\rjiybg.exe.vir Infected: Trojan-PSW.Win32.OnLineGames.yxb skipped
    C:\QooBox\Quarantine\E\nl.com.vir Infected: Trojan.Win32.Vaklik.yt skipped
    C:\QooBox\Quarantine\E\rjiybg.exe.vir Infected: Trojan-PSW.Win32.OnLineGames.yxb skipped
    C:\QooBox\Quarantine\F\nl.com.vir Infected: Trojan.Win32.Vaklik.yt skipped
    C:\QooBox\Quarantine\F\rjiybg.exe.vir Infected: Trojan-PSW.Win32.OnLineGames.yxb skipped
    C:\QooBox\Quarantine\G\nl.com.vir Infected: Trojan.Win32.Vaklik.yt skipped
    C:\QooBox\Quarantine\G\rjiybg.exe.vir Infected: Trojan-PSW.Win32.OnLineGames.yxb skipped
    C:\QooBox\Quarantine\H\G2\Downloads\DivX\Codecs\DivX Create Bundle 6.2.0.rar.vir/KeyGen.exe Infected: not-a-virus:pSWTool.Win32.GetPass.h skipped
    C:\QooBox\Quarantine\H\G2\Downloads\DivX\Codecs\DivX Create Bundle 6.2.0.rar.vir RAR: infected - 1 skipped
    C:\QooBox\Quarantine\H\nl.com.vir Infected: Trojan.Win32.Vaklik.yt skipped
    C:\QooBox\Quarantine\H\rjiybg.exe.vir Infected: Trojan-PSW.Win32.OnLineGames.yxb skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP1\A0000001.exe Infected: Trojan-PSW.Win32.OnLineGames.yxb skipped
    C:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP1\A0000002.inf Infected: Trojan-PSW.Win32.OnLineGames.yxp skipped
    C:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP2\A0000044.exe Infected: Trojan-PSW.Win32.OnLineGames.yxb skipped
    C:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP2\A0000045.inf Infected: Trojan-PSW.Win32.OnLineGames.yxp skipped
    C:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP2\A0001075.exe Infected: Trojan-PSW.Win32.OnLineGames.yxb skipped
    C:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP2\A0001076.inf Infected: Trojan-PSW.Win32.OnLineGames.yxp skipped
    C:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP2\A0001088.exe Infected: Trojan-PSW.Win32.OnLineGames.yxb skipped
    C:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP3\A0001109.com Infected: Trojan.Win32.Vaklik.yt skipped
    C:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP3\A0001122.exe Infected: Trojan.Win32.Vaklik.yt skipped
    C:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP3\A0001125.exe Infected: Trojan.Win32.Vaklik.yu skipped
    C:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP4\A0001193.com Infected: Trojan.Win32.Vaklik.yt skipped
    C:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP5\A0001276.exe Infected: Trojan-PSW.Win32.OnLineGames.yxb skipped
    C:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP6\change.log Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\EventCache\{1E8A3FAE-4DCB-412F-AEE4-81734FCDECE5}.bin Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\drivers\atapi.sys Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped
    D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    D:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP1\A0000003.exe Infected: Trojan-PSW.Win32.OnLineGames.yxb skipped
    D:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP1\A0000004.inf Infected: Trojan-PSW.Win32.OnLineGames.yxp skipped
    D:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP2\A0000046.exe Infected: Trojan-PSW.Win32.OnLineGames.yxb skipped
    D:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP2\A0000047.inf Infected: Trojan-PSW.Win32.OnLineGames.yxp skipped
    D:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP2\A0001077.exe Infected: Trojan-PSW.Win32.OnLineGames.yxb skipped
    D:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP2\A0001078.inf Infected: Trojan-PSW.Win32.OnLineGames.yxp skipped
    D:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP3\A0001111.com Infected: Trojan.Win32.Vaklik.yt skipped
    D:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP6\A0001495.com Infected: Trojan.Win32.Vaklik.yt skipped
    D:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP6\A0001496.exe Infected: Trojan-PSW.Win32.OnLineGames.yxb skipped
    D:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP6\change.log Object is locked skipped
    E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    E:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP1\A0000005.exe Infected: Trojan-PSW.Win32.OnLineGames.yxb skipped
    E:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP1\A0000006.inf Infected: Trojan-PSW.Win32.OnLineGames.yxp skipped
    E:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP2\A0000048.exe Infected: Trojan-PSW.Win32.OnLineGames.yxb skipped
    E:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP2\A0000049.inf Infected: Trojan-PSW.Win32.OnLineGames.yxp skipped
    E:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP2\A0001079.exe Infected: Trojan-PSW.Win32.OnLineGames.yxb skipped
    E:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP2\A0001080.inf Infected: Trojan-PSW.Win32.OnLineGames.yxp skipped
    E:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP3\A0001113.com Infected: Trojan.Win32.Vaklik.yt skipped
    E:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP6\A0001497.com Infected: Trojan.Win32.Vaklik.yt skipped
    E:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP6\A0001498.exe Infected: Trojan-PSW.Win32.OnLineGames.yxb skipped
    E:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP6\change.log Object is locked skipped
    F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    F:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP1\A0000007.exe Infected: Trojan-PSW.Win32.OnLineGames.yxb skipped
    F:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP1\A0000008.inf Infected: Trojan-PSW.Win32.OnLineGames.yxp skipped
    F:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP2\A0000050.exe Infected: Trojan-PSW.Win32.OnLineGames.yxb skipped
    F:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP2\A0000051.inf Infected: Trojan-PSW.Win32.OnLineGames.yxp skipped
    F:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP2\A0001081.exe Infected: Trojan-PSW.Win32.OnLineGames.yxb skipped
    F:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP2\A0001082.inf Infected: Trojan-PSW.Win32.OnLineGames.yxp skipped
    F:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP3\A0001115.com Infected: Trojan.Win32.Vaklik.yt skipped
    F:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP6\A0001499.com Infected: Trojan.Win32.Vaklik.yt skipped
    F:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP6\A0001500.exe Infected: Trojan-PSW.Win32.OnLineGames.yxb skipped
    F:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP6\change.log Object is locked skipped
    G:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    G:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP1\A0000009.exe Infected: Trojan-PSW.Win32.OnLineGames.yxb skipped
    G:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP1\A0000010.inf Infected: Trojan-PSW.Win32.OnLineGames.yxp skipped
    G:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP2\A0000052.exe Infected: Trojan-PSW.Win32.OnLineGames.yxb skipped
    G:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP2\A0000053.inf Infected: Trojan-PSW.Win32.OnLineGames.yxp skipped
    G:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP2\A0001083.exe Infected: Trojan-PSW.Win32.OnLineGames.yxb skipped
    G:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP2\A0001084.inf Infected: Trojan-PSW.Win32.OnLineGames.yxp skipped
    G:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP3\A0001117.com Infected: Trojan.Win32.Vaklik.yt skipped
    G:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP6\A0001501.com Infected: Trojan.Win32.Vaklik.yt skipped
    G:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP6\A0001502.exe Infected: Trojan-PSW.Win32.OnLineGames.yxb skipped
    G:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP6\change.log Object is locked skipped
    H:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    H:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP1\A0000011.exe Infected: Trojan-PSW.Win32.OnLineGames.yxb skipped
    H:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP1\A0000012.inf Infected: Trojan-PSW.Win32.OnLineGames.yxp skipped
    H:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP2\A0000054.exe Infected: Trojan-PSW.Win32.OnLineGames.yxb skipped
    H:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP2\A0000055.inf Infected: Trojan-PSW.Win32.OnLineGames.yxp skipped
    H:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP2\A0001085.exe Infected: Trojan-PSW.Win32.OnLineGames.yxb skipped
    H:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP2\A0001086.inf Infected: Trojan-PSW.Win32.OnLineGames.yxp skipped
    H:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP3\A0001119.com Infected: Trojan.Win32.Vaklik.yt skipped
    H:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP6\A0001503.com Infected: Trojan.Win32.Vaklik.yt skipped
    H:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP6\A0001504.exe Infected: Trojan-PSW.Win32.OnLineGames.yxb skipped
    H:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP6\change.log Object is locked skipped

    Scan process completed.

    sorry to bother you again

    EDIT: just realised after running ComboFix /u to uninstall combofix and deckard's folder seems to still be there...could that be the reason the scan came back with viruses?
     
    Last edited: 2008/04/06
  6. 2008/04/06
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    It doesn't appear that the combofix /u command uninstalled combofix. Did it give you a message that it was uninstalled? The C:\Qoobox folder is still present, and System Restore has not been reset. That's where the infections are located. ComboFix.exe should have disappeared from the desktop after uninstalling it. Is it still there?

    Oh, and there are still infected items in the Norton Quarantine.

    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp << everything in the APTemp folder
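    The point made in this reply (that the remaining detections sit in ComboFix's C:\QooBox quarantine, in System Restore's _restore folders and in Norton's own quarantine/APTemp folders, not on the live system) is exactly what a helper checks by eye when reading a Kaspersky Online Scanner log. The following script is an added example, not code from the thread or from Kaspersky; it parses the "Infected Object Name / Virus Name / Last Action" table and buckets each hit by where it lives. The location rules and the "live" label are my own assumptions; the sample report embeds a handful of lines copied from the log above plus one constructed live-system line so the script runs offline.

```python
import re
from collections import Counter

# Record shapes found in the Kaspersky Online Scanner results table.
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) (?P<action>\S+)$")
ARCHIVE_RE = re.compile(r"^(?P<path>.+?) (?P<fmt>[A-Z]+): infected - (?P<count>\d+) skipped$")
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")

# Assumed location rules: a hit inside one of these trees is a stored copy,
# not an executing infection. Anything else is reported as "live".
LOCATION_RULES = (
    ("system_restore", re.compile(r"\\System Volume Information\\_restore", re.I)),
    ("combofix_quarantine", re.compile(r"\\QooBox\\Quarantine\\", re.I)),
    ("av_quarantine", re.compile(
        r"\\Norton AntiVirus Corporate Edition\\[^\\]+\\(Quarantine|APTemp)\\", re.I)),
)


def classify_location(path):
    """Return the bucket a detected path belongs to."""
    for label, rx in LOCATION_RULES:
        if rx.search(path):
            return label
    return "live"


def parse_report(text):
    """Parse the results table into records; header lines are ignored."""
    records, in_table = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Infected Object Name"):
            in_table = True
            continue
        if not in_table or not line or line.startswith("Scan process completed"):
            continue
        for status, rx in (("infected", INFECTED_RE), ("archive", ARCHIVE_RE), ("locked", LOCKED_RE)):
            m = rx.match(line)
            if m:
                records.append({
                    "path": m["path"],
                    "name": m.groupdict().get("name"),
                    "status": status,
                    "location": classify_location(m["path"]),
                })
                break
    return records


def summarize(records):
    """Count detections per location and per signature; list anything live."""
    infected = [r for r in records if r["status"] == "infected"]
    return {
        "infected": len(infected),
        "locked": sum(1 for r in records if r["status"] == "locked"),
        "by_location": dict(Counter(r["location"] for r in infected)),
        "by_name": dict(Counter(r["name"] for r in infected)),
        "live": [r["path"] for r in infected if r["location"] == "live"],
    }


# Constructed sample: lines taken from the thread's log plus one made-up live hit.
SAMPLE_REPORT = r"""
Scan Statistics:
Number of infected objects: 6

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\AP11.dll Infected: Trojan-PSW.Win32.OnLineGames.yop skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0FB40000.VBN Infected: Trojan-PSW.Win32.OnLineGames.yop skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\kavo.exe.vir Infected: Trojan.Win32.Vaklik.yt skipped
C:\QooBox\Quarantine\H\G2\Downloads\DivX\Codecs\DivX Create Bundle 6.2.0.rar.vir/KeyGen.exe Infected: not-a-virus:pSWTool.Win32.GetPass.h skipped
C:\QooBox\Quarantine\H\G2\Downloads\DivX\Codecs\DivX Create Bundle 6.2.0.rar.vir RAR: infected - 1 skipped
C:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP1\A0000001.exe Infected: Trojan-PSW.Win32.OnLineGames.yxb skipped
C:\WINDOWS\system32\example_live.exe Infected: Trojan.Constructed.sample skipped

Scan process completed.
"""

if __name__ == "__main__":
    summary = summarize(parse_report(SAMPLE_REPORT))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

    Running it on a pasted log shows at a glance whether the "Number of infected objects" figure is made up of quarantine and restore-point copies (cleared by uninstalling ComboFix, resetting System Restore and emptying the AV quarantine) or whether a "live" path remains that needs further attention. "Object is locked" entries are counted separately because they are files the scanner could not open, not detections.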
     
  7. 2008/04/06
    basketballfreak

    basketballfreak Inactive Thread Starter

    Joined:
    2008/04/01
    Messages:
    25
    Likes Received:
    0
    hey noah,

    yea i didn't get combofix uninstalled message after running the command and combofix appears to still be there, also yea qoobox still there running norton scan as we speak and it quarantined a kavo file from qoobox folder

    so what should i do next?

    also heading out to work soon so might be later today before i reply

    thanks for your help!
     
  8. 2008/04/06
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Copy the following command and paste it on the Run line then hit Enter.

    combofix /u

    Does combofix start and shortly thereafter produce a message?
     
  9. 2008/04/06
    basketballfreak

    basketballfreak Inactive Thread Starter

    Joined:
    2008/04/01
    Messages:
    25
    Likes Received:
    0
    hey noah,

    don't know why but after trying a few times finally after running the command combofix has been uninstalled and no longer on desktop, deckards folder in C drive has disappeared as well

    also you mentioned the files in C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp << everything in the APTemp folder, should i go there and manually delete everything that is in that folder?

    thanks for the help
     
  10. 2008/04/06
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Make sure the C:\Qoobox folder is gone too. ;)

    If you don't see any quarantined items from within the Norton interface, then do try to manually delete the contents of that folder.


    Paste the following command on the Run dialog and hit enter.

    %systemroot%\system32\restore\rstrui.exe

    It should open the System Restore applet.
    Select Restore my computer to an earlier time then click Next.
    The next window will be a calendar. Any bolded date will be an available restore point.
    There should only be one, the one just created by uninstalling ComboFix
    You can then Cancel to exit
    Please verify
     
  11. 2008/04/07
    basketballfreak

    basketballfreak Inactive Thread Starter

    Joined:
    2008/04/01
    Messages:
    25
    Likes Received:
    0
    hi noah, sorry about the late reply, just came home from work

    yeps C:\Qoobox folder is gone, i've manually deleted all files in the APTemp folder and checked only one restore point

    going to run another scan now, will post back results

    thanks!
     
  12. 2008/04/07
    basketballfreak

    basketballfreak Inactive Thread Starter

    Joined:
    2008/04/01
    Messages:
    25
    Likes Received:
    0
    hey noah, just completed the kaspersky scan and here is the log

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Monday, April 07, 2008 8:33:22 PM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 7/04/2008
    Kaspersky Anti-Virus database records: 687938
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\
    E:\
    F:\
    G:\
    H:\
    I:\
    J:\
    K:\
    M:\
    N:\

    Scan Statistics:
    Total number of scanned objects: 119614
    Number of viruses found: 1
    Number of infected objects: 2
    Number of suspicious objects: 0
    Duration of the scan process: 02:12:07

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0FB40000.VBN Infected: Trojan-PSW.Win32.OnLineGames.yop skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0FB40002.VBN Infected: Trojan-PSW.Win32.OnLineGames.yop skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\Tony Liu\Application Data\Microsoft\Internet Explorer\UserData\index.dat Object is locked skipped
    C:\Documents and Settings\Tony Liu\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Tony Liu\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
    C:\Documents and Settings\Tony Liu\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Tony Liu\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Tony Liu\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Tony Liu\Local Settings\History\History.IE5\MSHist012008040720080408\index.dat Object is locked skipped
    C:\Documents and Settings\Tony Liu\Local Settings\Temp\Perflib_Perfdata_848.dat Object is locked skipped
    C:\Documents and Settings\Tony Liu\Local Settings\Temp\Perflib_Perfdata_97c.dat Object is locked skipped
    C:\Documents and Settings\Tony Liu\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
    C:\Documents and Settings\Tony Liu\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Tony Liu\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\Tony Liu\ntuser.dat.LOG Object is locked skipped
    C:\Program Files\ASUS\PC Probe II\Pci.tab Object is locked skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{CD878C19-5AB9-411D-909A-D53246E42B66}\RP7\change.log Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\EventCache\{C8C1C3FB-39C3-4FF3-A954-8F5CC446095D}.bin Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\drivers\atapi.sys Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped
    D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    G:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    H:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

    Scan process completed.

    says 1 virus found and 2 files infected...looks HEAPS better compared to before...just got that last one to go now :p

    thanks!
     
  13. 2008/04/07
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Infected files are in the following location.

    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine

    Everything else still seem to be OK?
     
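    An added example, not code from the thread or from Kaspersky: a small Python triage of the report format above. It separates "Object is locked skipped" entries (files the scanner could not open, such as registry hives and event logs, which are not detections) from "Infected:" entries, and then flags which infected paths sit inside a folder literally named "Quarantine", since those are already-neutralised copies held by another product (here Norton AntiVirus Corporate Edition) rather than live files. The sample input is constructed: four lines are copied from the posted report and the last object line is a made-up path added only to exercise the "infected outside quarantine" branch.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the shape of the Kaspersky Online Scanner report above.
# The first four object lines are from that report; the example_live.dll line
# is a placeholder path invented here, not a real detection from the thread.
SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0FB40000.VBN Infected: Trojan-PSW.Win32.OnLineGames.yop skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0FB40002.VBN Infected: Trojan-PSW.Win32.OnLineGames.yop skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\example_live.dll Infected: Trojan-PSW.Win32.OnLineGames.yop skipped

Scan process completed.
"""

LOCKED_SUFFIX = " Object is locked skipped"
# "<drive>:\<path> Infected: <detection name> <last action>"
INFECTED_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.*?) Infected: (?P<name>\S+) (?P<action>\S+)$")


@dataclass
class Finding:
    path: str
    kind: str              # "locked" (could not be opened) or "infected"
    name: Optional[str]    # detection name, infected objects only
    action: Optional[str]  # scanner's last action, e.g. "skipped"
    in_quarantine: bool    # some path component is literally "Quarantine"


def in_quarantine(path: str) -> bool:
    return any(part.lower() == "quarantine" for part in path.split("\\"))


def parse_report(text: str) -> List[Finding]:
    """Turn the object lines of a report into Finding records; other lines are ignored."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(LOCKED_SUFFIX):
            path = line[: -len(LOCKED_SUFFIX)]
            findings.append(Finding(path, "locked", None, None, in_quarantine(path)))
            continue
        m = INFECTED_RE.match(line)
        if m:
            path = m.group("path")
            findings.append(Finding(path, "infected", m.group("name"),
                                    m.group("action"), in_quarantine(path)))
    return findings


def triage(findings: List[Finding]) -> dict:
    """Split detections into 'already held by another AV's quarantine' and 'needs action'."""
    infected = [f for f in findings if f.kind == "infected"]
    return {
        "locked": sum(1 for f in findings if f.kind == "locked"),
        "infected": len(infected),
        "already_quarantined": [f.path for f in infected if f.in_quarantine],
        "needs_action": [f.path for f in infected if not f.in_quarantine],
        "detections": sorted({f.name for f in infected}),
    }


if __name__ == "__main__":
    for key, value in triage(parse_report(SAMPLE_REPORT)).items():
        print(f"{key}: {value}")
```

    Run against the full report in the post, the two .VBN hits land in "already_quarantined" and "needs_action" is empty, which is the situation noahdfear describes: the only things left are copies already locked away by Norton's quarantine, and deleting them from that folder (or emptying Norton's quarantine from its own console) clears the detections without touching anything live. Note that a quarantine folder is identified here purely by name, so a product that uses a different folder name would need adding to in_quarantine().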
  14. 2008/04/07
    basketballfreak

    basketballfreak Inactive Thread Starter

    Joined:
    2008/04/01
    Messages:
    25
    Likes Received:
    0
    hi noah,

    yea so far nothing is showing yet, so very relieved!

    and in regards to the last few bits of virus, can I just manually delete them from the folder?

    thanks!
     
  15. 2008/04/08
    basketballfreak

    basketballfreak Inactive Thread Starter

    Joined:
    2008/04/01
    Messages:
    25
    Likes Received:
    0
    hi noah, ran another kaspersky scan and it appears all viruses are gone!

    if you don't mind me asking last couple questions:

    could you please guide me to some reading materials (if any) in regards to virus removal, such as what you did with ComboFix etc.

    also, with some of the USB hard drives we have, I ran BitDefender's online scan and after it removed the viruses on the external HDD, now when double-clicking the HDD in "My Computer", instead of just opening up a folder, the "choose your app to open the program" window shows up. Is there a way to fix that? (hope that made sense)

    thanks for all your help!
     
  16. 2008/04/08
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    You can surely try to manually delete that file. ;)

    I've not heard of that problem with an external HD before. Have you restarted the computer since the cleaning? If not, do so and let me know if the problem persists.
     
  17. 2008/04/09
    basketballfreak

    basketballfreak Inactive Thread Starter

    Joined:
    2008/04/01
    Messages:
    25
    Likes Received:
    0
    hi noah,

    I realised that the problem might be due to the fact that there were still viruses left on the external HDDs. When scanning with Kaspersky, the autorun.inf was still there and some files in system information were infected too (I assumed restore points), even after running Flash Disinfector. I did some reading and found a way to get rid of the autorun.inf via a cmd window, and turning off restore points in XP fixed up the files in system information right away, so it appears I am finally completely virus free! Now the external HDDs seem to be working fine too!

    and just regarding the previous post, any reading material you can guide me to in regards to virus removal, especially with using things like ComboFix, would be much appreciated

    thanks once again for all your help and time with my virus problem!
     
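    An added example, not part of the thread, that ties the two external-HDD posts together: the "choose a program" prompt on double-clicking the drive (post 15) and the leftover autorun.inf that turned out to be the cause (post 17). The Python below parses an autorun.inf the way a removal helper would, flags the directives that make Explorer run something on double-click (open=, shellexecute=, shell\<verb>\command=, and shell=, which changes the default verb), extracts the file each one points at, and reports which targets no longer exist on the drive. The samples are constructed here; RECYCLER\recycler.exe is a placeholder name, not an indicator taken from the thread, and scan_drive() is the helper's own name, not a tool the posters used.

```python
import re
from pathlib import Path
from typing import Dict, Iterable, Optional

# Constructed samples, not files from the thread. The RECYCLER\recycler.exe
# name is a placeholder chosen for the example.
MALICIOUS_INF = r"""
[AutoRun]
open=RECYCLER\recycler.exe
shell\open\Command="RECYCLER\recycler.exe"
shell\explore\Command=RECYCLER\recycler.exe
shellexecute=RECYCLER\recycler.exe
shell=open
icon=%SystemRoot%\system32\SHELL32.dll,4
"""

BENIGN_INF = r"""
[autorun]
icon=setup.exe,0
label=Holiday photos
"""

# [autorun] directives that run a program or redirect the double-click action.
# icon= and label= are cosmetic and are not flagged.
EXEC_KEYS = {"open", "shellexecute", "shell"}
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$")


def parse_autorun(text: str) -> Dict[str, str]:
    """key -> value from the [autorun] section, keys lowercased.
    Hand-rolled rather than configparser because autorun.inf files dropped by
    malware often contain junk lines without '=' that configparser rejects."""
    section = None
    pairs: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        pairs[key.strip().lower()] = value.strip()
    return pairs


def target_of(value: str) -> str:
    """The file a command value would launch: first token, surrounding quotes removed."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ""


def assess(text: str, present: Optional[Iterable[str]] = None) -> dict:
    """Flag execution directives; if 'present' (drive-relative paths that exist,
    case-insensitive) is given, also list targets that are no longer there."""
    pairs = parse_autorun(text)
    flagged = {k: v for k, v in pairs.items() if k in EXEC_KEYS or SHELL_CMD_RE.match(k)}
    # shell= names a verb, not a file, so it contributes no target.
    targets = sorted({target_of(v) for k, v in flagged.items() if k != "shell"})
    result = {"auto_exec": bool(flagged), "flagged": flagged, "targets": targets}
    if present is not None:
        have = {p.lower() for p in present}
        result["missing_targets"] = [t for t in targets if t.lower() not in have]
    return result


def scan_drive(root: Path) -> Optional[dict]:
    """Assess <root>\autorun.inf against the files actually on that drive."""
    inf = root / "autorun.inf"
    if not inf.exists():
        return None
    text = inf.read_text(errors="replace")
    found = [t for t in assess(text)["targets"] if (root / t).exists()]
    return assess(text, present=found)


if __name__ == "__main__":
    print(assess(MALICIOUS_INF, present=[]))   # every target missing
    print(assess(BENIGN_INF))                  # nothing flagged
```

    When an AV deletes the worm binary but leaves autorun.inf behind, every flagged target shows up in missing_targets: Explorer still tries the default action the file defines, cannot find the program, and falls back to asking which program to use, which is consistent with what the poster saw and with the fix they found. Removing the file itself from a cmd window usually needs the hidden/system/read-only attributes cleared first (attrib -r -s -h X:\autorun.inf, then del X:\autorun.inf, with X: the drive letter); scan_drive() is read-only and deletes nothing, and it only understands the [autorun] section, so a file that uses the per-architecture [autorun.*] sections would need that added.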
  18. 2008/04/09
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Glad to hear things are working properly again. Your computer is now clean! Geri has posted some very helpful information and recommendations regarding future protection in the following link.

    http://www.windowsbbs.com/showthread.php?t=67958

    Surf safe!


    If you're interested in learning malware removal, there are several schools where you could get training. It does require a considerable amount of time and dedication, and the expectation is that you would use your new skills to help others with malware problems. Let me know if you're interested and I can point you in the right direction.
     
  19. 2008/04/10
    basketballfreak

    basketballfreak Inactive Thread Starter

    Joined:
    2008/04/01
    Messages:
    25
    Likes Received:
    0
    hey noah,

    thanks for the tip. In regards to malware removal I would love to learn, always keen to learn new things; unfortunately I work full time and fairly long hours (~45 hours a week), which is why I was wondering if there was anything to read up on so I can have a look in my (limited) free time

    either way, once again thanks very much for your help and time, will have to buy you a beer if you ever come here down under ;)
     
  20. 2008/04/10
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Your best resource is Google. Browse through the malware forums at various sites, this one included. Much can be learned by watching what others recommend, see what gets removed and how, looking for it and signs of it in previous posts, etc.

    You're very welcome. Glad I could help. :)
     