Solved: Hijacked by Security Tool
NeonFx (Senior Member with 4,817 posts; Join Date: Oct 2008; Location: California, USA)
30-Oct-2009, 05:05 PM #16
Try using this one instead:

http://www.virustotal.com/
wfd31 (Junior Member with 19 posts; Join Date: Oct 2009; Experience: Intermediate)
30-Oct-2009, 05:40 PM #17
Hi, I can copy the file, but cannot paste it in the file box. When I browse for the file, where do I look? Both programs only allow you to browse for the file.

If I copy what you sent, where do I paste it so I can browse for it.

Thanks
NeonFx
30-Oct-2009, 05:42 PM #18
I'm confused. If you browse for it, are you not seeing it in the Windows > System32 folder?
wfd31
01-Nov-2009, 08:35 PM #19
neonfx,

Sorry for the delay, have been away all weekend.

Finally managed to locate missing file.

Hope the attached virscan is what you are looking for.

WFD31
Attachment Blocked
Attachments in the HJT forum are often designed to solve a specific issue and not meant to be used without instructions specific to your computer. If you want help specific to your computer, please post a HiJackThis Log. If you started this thread, please make sure you are logged in to be able to view attachments.
wfd31
01-Nov-2009, 10:08 PM #20
virscan
Hi, not sure if the original went through.

Here's a second post of the virscan log.
Attachment Blocked
NeonFx
01-Nov-2009, 11:36 PM #21
That didn't work. We'll need a bigger hammer.

1. Please download The Avenger by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Code:
Files to move:
C:\WINDOWS\$NtServicePackUninstall$\ws2_32.dll | C:\WINDOWS\System32\ws2_32.dll

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
5. Please copy/paste the content of c:\avenger.txt into your reply.



After that's done, please scan the same file again at one of the online scanning websites and post the results here.
__________________
Please post the final results, good or bad. Let me know if you won't be responding any longer.
Please don't send me requests for help. Use the forums instead.
wfd31
02-Nov-2009, 04:23 PM #22
recent scans wfd31
File information
File Name : ws2_32.dll
File Size : 82432 byte
File Type : PE32 executable for MS Windows (DLL) (console) Intel 80386 3
MD5 : bee273ec5d9800fb289f412661155b58
SHA1 : 1830a0ad94f76d84bb3267901c4a5046b853b134

Scanner results : 22% Scanner(s) (8/37) found malware!
Time : 2009/11/02 15:04:02 (EST)

Scanner | Engine Ver | Sig Ver | Sig Date | Scan result | Time
a-squared | 4.5.0.8 | 20091103030118 | 2009-11-03 | - | 0.080
AhnLab V3 | 2009.11.03.00 | 2009.11.03 | 2009-11-03 | - | 0.081
AntiVir | 8.2.1.53 | 7.1.6.180 | 2009-11-02 | TR/Patched.HG.35 | 0.481
Antiy | 2.0.18 | 20091102.3201984 | 2009-11-02 | - | 0.017
Arcavir | 2009 | 200911021438 | 2009-11-02 | - | 0.036
Authentium | 5.1.1 | 200911021412 | 2009-11-02 | - | 1.326
AVAST! | 4.7.4 | 091102-0 | 2009-11-02 | Win32:Patched-KW [Trj] | 0.010
AVG | 8.5.288 | 270.14.45/2476 | 2009-11-02 | Win32/Patched | 0.305
BitDefender | 7.81008.4480800 | 7.28711 | 2009-11-03 | Trojan.Patched.EM | 3.943
CA (VET) | 35.1.0 | 7094 | 2009-10-30 | - | 0.079
ClamAV | 0.95.2 | 9975 | 2009-11-03 | - | 0.023
Comodo | 3.12 | 2816 | 2009-11-02 | - | 0.079
CP Secure | 1.3.0.5 | 2009.10.30 | 2009-10-30 | - | 0.002
Dr.Web | 4.44.0.9170 | 2009.11.02 | 2009-11-02 | - | 6.336
F-Prot | 4.4.4.56 | 20091102 | 2009-11-02 | - | 1.317
F-Secure | 7.02.73807 | 2009.11.02.12 | 2009-11-02 | Trojan.Win32.Patched.hg [AVP] | 8.829
Fortinet | 2.81-3.120 | 11.14 | 2009-11-02 | - | 0.079
GData | 19.8695/19.532 | 20091102 | 2009-11-02 | - | 0.079
Ikarus | T3.1.01.72 | 2009.11.02.74417 | 2009-11-02 | Trojan.Win32.Patched | 4.718
JiangMin | 11.0.800 | 2009.11.02 | 2009-11-02 | - | 0.083
Kaspersky | 5.5.10 | 2009.11.02 | 2009-11-02 | Trojan.Win32.Patched.hg | 0.056
KingSoft | 2009.2.5.15 | 2009.11.2.21 | 2009-11-02 | - | 0.087
McAfee | 5.3.00 | 5790 | 2009-11-02 | - | 3.388
Microsoft | 1.5202 | 2009.11.02 | 2009-11-02 | - | 0.080
Norman | 6.01.09 | 6.01.00 | 2009-11-02 | - | 4.007
nProtect | 20091030.01 | 6063347 | 2009-10-30 | - | 0.079
Panda | 9.05.01 | 2009.10.31 | 2009-10-31 | - | 0.079
Quick Heal | 10.00 | 2009.11.02 | 2009-11-02 | - | 0.079
Rising | 20.0 | 21.54.04.00 | 2009-11-02 | - | 0.079
Sophos | 3.00.1 | 4.46 | 2009-11-03 | Mal/WSHack-A | 2.829
Sunbelt | 5482 | 5482 | 2009-11-01 | - | 0.085
Symantec | 1.3.0.24 | 20091031.035 | 2009-10-31 | - | 0.003
The Hacker | 6.5.0.2 | v00058 | 2009-10-31 | - | 0.079
Trend Micro | 8.700-1004 | 6.596.07 | 2009-11-02 | - | 0.030
VBA32 | 3.12.10.11 | 20091102.1420 | 2009-11-02 | - | 1.969
ViRobot | 20091102 | 2009.11.02 | 2009-11-02 | - | 0.080
VirusBuster | 4.5.11.10 | 10.113.5/1998065 | 2009-11-02 | - | 2.422
Result legend: Heuristic / Suspicious / Exact

NOTICE: Results are not 100% accurate and can be reported as a false positive by some scanners when and if malware is found. Please judge these results for yourself.
Attachment Blocked
NeonFx
02-Nov-2009, 04:33 PM #23
I didn't want to have to resort to this but now we have to... Please do the following:


Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop



  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Disabling Security Programs
  • Double click on ComboFix.exe & follow the prompts.

    Note: Combofix will run without the Recovery Console installed.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.



**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you please let me know. An increasing number of infections are spreading using Autoplay and leaving it disabled is a good idea.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
wfd31
02-Nov-2009, 05:10 PM #24
combofix logs
Hi, ComboFix logs attached.

I checked for System Restore after ComboFix, and I still do not have a System Restore function.

wfd31
Attachment Blocked
NeonFx
02-Nov-2009, 05:24 PM #25
This is exactly what I wanted to see

Infected copy of c:\windows\system32\ws2_32.dll was found and disinfected
Restored copy from - c:\system volume information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP155\A0154869.dll


Please do the following:

1. Close any open programs before running the fix.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open Notepad (Start > Programs > Accessories) and copy/paste the text in the codebox below into it:

Code:
KillAll::

FCopy::
c:\windows\system32\dllcache\beep.sys | c:\windows\system32\drivers\beep.sys
c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys | c:\windows\system32\drivers\tcpip.sys
c:\windows\ServicePackFiles\i386\powrprof.dll | c:\windows\system32\powrprof.dll
NOTE: Make sure WordWrap is unchecked in Notepad by clicking on the "Format" menu icon.

Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
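The fixes in posts #21 and #25 both work the same way: the scanners call ws2_32.dll "Patched" because its bytes no longer match the genuine system file, so a clean copy is moved over it from a backup location ($NtServicePackUninstall$, dllcache, or a System Restore point). As an added example that is not part of this thread or of Avenger/ComboFix, here is a read-only Python audit of that situation: it hashes a live file and its candidate backups, flags a match against the SHA-1 from the VirSCAN report above, and, because backup copies can legitimately disagree, proposes the copy that the most backup locations agree on. The demo files, paths and the "constructed IoC" are all made up for the example.

```python
import hashlib
import os
import tempfile
from collections import Counter

# SHA-1 of the flagged ws2_32.dll, copied from the VirSCAN report posted in this thread.
KNOWN_BAD_SHA1 = {"1830a0ad94f76d84bb3267901c4a5046b853b134": "ws2_32.dll Win32/Patched"}


def sha1_of(path):
    """Hash the file in chunks so a large DLL never has to fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_file(live_path, backup_paths, known_bad=KNOWN_BAD_SHA1):
    """Classify one live system file against its on-disk backup copies.

    status: known_bad, matches_backup, differs_from_backups or no_backup.
    restore_from: for a bad/differing file, the backup whose hash the most backup
    locations share (a pre-Service-Pack copy in $NtServicePackUninstall$ may
    legitimately differ from the current one in dllcache).
    """
    live = sha1_of(live_path)
    backups = {p: sha1_of(p) for p in backup_paths if os.path.isfile(p)}
    result = {"live_sha1": live, "status": "no_backup", "restore_from": None}
    if live in known_bad:
        result["status"] = "known_bad"
    elif live in backups.values():
        result["status"] = "matches_backup"
    elif backups:
        result["status"] = "differs_from_backups"
    if result["status"] in ("known_bad", "differs_from_backups"):
        # Never propose a backup that is itself the bad file or a known-bad hash.
        usable = {p: h for p, h in backups.items() if h != live and h not in known_bad}
        if usable:
            best = Counter(usable.values()).most_common(1)[0][0]
            result["restore_from"] = next(p for p in backup_paths if usable.get(p) == best)
    return result


def demo(live_is_known_bad=False):
    """Constructed scenario, not real files: a live ws2_32.dll that differs from two
    agreeing backups. With live_is_known_bad=True its hash is treated as an IoC."""
    root = tempfile.mkdtemp()

    def write(rel, data):
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(data)
        return p

    live = write("System32/ws2_32.dll", b"MZ fake patched dll")
    sp_copy = write("$NtServicePackUninstall$/ws2_32.dll", b"MZ fake clean dll")
    cache_copy = write("System32/dllcache/ws2_32.dll", b"MZ fake clean dll")
    bad = {sha1_of(live): "constructed IoC"} if live_is_known_bad else KNOWN_BAD_SHA1
    return audit_file(live, [sp_copy, cache_copy], known_bad=bad)
```

On a real machine the hashes of the backup copies should also be checked against a trusted source (a known-clean install or vendor catalog) before any copy is made, since a backup location can be infected too.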
wfd31
03-Nov-2009, 03:50 PM #26
Combo Fix latest log
NeonFx,

Here's the latest ComboFix log.

wfd31
Attachment Blocked
NeonFx
03-Nov-2009, 04:06 PM #27
For some reason one of them didn't copy over properly... Let's try it again. Otherwise, how's the computer running?

Please do the following:

1. Close any open programs before running the fix.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open Notepad (Start > Programs > Accessories) and copy/paste the text in the codebox below into it:

Code:
FCopy::
c:\windows\system32\dllcache\powrprof.dll | c:\windows\system32\powrprof.dll
NOTE: Make sure WordWrap is unchecked in Notepad by clicking on the "Format" menu icon.

Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
wfd31
03-Nov-2009, 04:52 PM #28
Latest combo fix log
Hi, eureka!!! System restore has been restored!!

PC appears to function well. Have not tried all aspects of it, however.



Latest ComboFix log attached.

wfd31
Attachment Blocked
NeonFx
03-Nov-2009, 04:59 PM #29
Excellent. Let's run another Kaspersky scan. It should be quicker now that you've downloaded most of the files.

Also, try your computer out and let me know if you spot anything we need to take care of.

Using Internet Explorer or Firefox, visit Kaspersky Online Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.



2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan. Click HERE to see how to disable the most common antivirus programs.

3. Click Run at the Security prompt.


The program will then begin downloading and installing and will also update the database.


Please be patient as this can take quite a long time to download.
  • Once the update is complete, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, adware, dialers, and other riskware
    • Archives
    • E-mail databases

  • Click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View report... at the bottom.
  • Click the Save report... button.

  • Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt to save the file to your desktop so that you may post it in your next reply
wfd31
03-Nov-2009, 10:03 PM #30
Latest KasReport
Good evening.

PC appears to be working well. It also appears to run a lot faster.

Attached is the latest KasReport.

wfd31
Attachment Blocked