[RatHat]

That was probably because of the virus, and now that we have got rid of (hopefully) it, this will clean any leftovers up and give us a report that identifies any stragglers.

Yes, shut down the programs, you should see their icons in the system tray (bottom right hand corner of your desktop next to the clock), right click on them and choose Exit, or Quit etc.

Then disconnect your computer from the internet and run Combofix. When it has completed, if it did not reboot your machine, reboot manually and reconnect to the internet. Post me the log that will be found at C:\Combofix.txt in your next reply.

[Advertisements]

Hello again!

I have attached the logs for the three scans. When I attached the fix and ran fix in otscan, it made me reboot right away so I did and then opened it again and ran it. That is the log I have attached.

Combofix seemed to have run fine and it did get rid of the message on my desktop. I have also attached a hijack this log.

Thank you again so much!

 hijackthis.log_3_25.txt   9.31KB   107 downloads

 OTScanIt.Txt_3_25.txt   79.75KB   119 downloads

 combofixlog3_25.txt   10.59KB   120 downloads

[GoodDoctor]

Hello again!

I have attached the logs for the three scans. When I attached the fix and ran fix in otscan, it made me reboot right away so I did and then opened it again and ran it. That is the log I have attached.

Combofix seemed to have run fine and it did get rid of the message on my desktop. I have also attached a hijack this log.

Thank you again so much!

 hijackthis.log_3_25.txt   9.31KB   107 downloads

 OTScanIt.Txt_3_25.txt   79.75KB   119 downloads

 combofixlog3_25.txt   10.59KB   120 downloads

[RatHat]

There are a couple of files I would like to check:

Please go to Jotti's malware scan

• Copy and paste the following file path into the "File to upload & scan"box on the top of the page:
  
  
  • C:\WINNT\java\PARTYPokerDir\PARTYPokerDA.dll
• Click on the submit button
• When the scan is complete, highlight all the results and copy them into Notepad
• Save the Notepad file to your desktop as Poker.txt
• Please post the contents in your next reply.

Now do the same with this file:C:\WINNT\system32\diperto3b97-6fe8.sys

[*]Click on the submit button
[*]When the scan is complete, highlight all the results and copy them into Notepad
[*]Save the Notepad file to your desktop as diperto.txt
[*]Please post the contents in your next reply.
[/list]
Regards,
RatHat

[GoodDoctor]

Hello,

Here are the results of the scan for partypoker,

Service load: 0% 100%

File: PARTYPokerDA.dll
Status: OK
MD5: d2c57a6ed4627dbb0783565f7b7bef90
Packers detected: -
Bit9 reports: File not found

Scanner results
Scan taken on 25 Mar 2008 14:57:11 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing



When I tried to scan the second one, it said that the file is 0 bytes and cannot be uploaded due to probably being protected by a firewall or malware.

thanks again,

[RatHat]

Good stuff!

One last scan and I think we'll be done

TrendMicro™ HouseCall Java Scan

• Please go HERE to run the Trend Micro™ HouseCall Scan.
• Click Scan now. It's free!
• Read and put a Check next to Yes I accept the terms of use.
• Click the Launching HouseCall>> button.
• Under Using Java-based HouseCall kernel click the Starting HouseCall>> button.
• You may receive a Security Warning about the TrendMicro Java applet, click YES.
• Under Scan complete computer for malware, grayware, and vulnerabilities click the Next>> button.
• Please be patient while it installs, updates, and scans your system.
• Once the scan is complete, it will take you to the summary page.
• Under Cleanup options, choose clean all detected infections automatically.
• Click the Clean now>> button.
• If anything was found you may be prompted to run the scan again, you can just close the browser window.

If you have problems running the Java Scan, try the Active X scan:


TrendMicro™ HouseCall ActiveX Scan

• Please go HERE to run the Trend Micro™ HouseCall Scan.
• Click Scan now. It's free!
• Read and put a Check next to Yes I accept the terms of use.
• Click the Launching HouseCall>> button.
• Under "Browser plug-in" Installing and using Housecall kernel, click the Starting HouseCall>> button.
• You may receive a prompt to install the ActiveX, click install.
• If you are taken back to the main page, click Launching HouseCall>> button again.
• Under Scan complete computer for malware, grayware, and vulnerabilities click the Next>> button.
• Please be patient while it installs, updates, and scans your system.
• Once the scan is complete, it will take you to the summary page.
• Under Cleanup options, choose clean all detected infections automatically.
• Click the Clean now>> button.
• If anything was found you may be prompted to run the scan again, you can just close the browser window.

Let me know if how it goes, and how your computer is behaving now.

Regards,
Rathat

[GoodDoctor]

I ran the scan,

It found cookies, and then there about 80 or so files named ms07-01 etc, and it says there was an error trying to find information and currently no more information etc.

I clicked of clean now and it says there are unselected files and do you really want to take no action?

What should I do next?

[RatHat]

Click OK, to come out of the Trend Micro scan, then lets do a different scan to make sure there were no errors with Trend Micro:

• Go to http://support.f-sec.../home/ols.shtml
• Scroll to the bottom of the page and click the Start scanning button. A window will pop up.
• Allow the Active X control to be installed on your computer, then click the Accept button
• Click Full System Scan and allow the components to download and the scan to complete.
• If malware is found, check Submit samples to F-Secure then select Automatic cleaning
• When cleaning has finitished, click Show report (this will open an Internet Explorer window containing the report)
• Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post

If Automatic cleaning with Submit samples hangs, click Cancel, then New Scan

• When the cleaning option is presented, Uncheck Submit samples to F-Secure
• Click Automatic cleaning
• When cleaning has finitished, click Show report (this will open an Internet Explorer window containing the report)
• Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post

Notes:

• This scan will only work with Internet Explorer
• You must have administrator rights to run this scan
• This scan can take a while, so please be patient

This may be a pain, but I would like to make 100% sure you are clean, OK.

Regards,
RatHat

[GoodDoctor]

I went to the link and when I tried to download to do the scan, it was trying to download and a message would read in the box Status: Network error : Resuming connection. It would do this 3 times as it tried to do it and then would pop up a message: unable to download neccessary online scanner components - please try again.

Thanks for continuing to try to fix this!

[RatHat]

Could you run OTScanIt and post a new log for me, then I will clear out the files that Trend and F-Secure install, and we can give it another go. If not I will give you an downloadable scan.

Other than this, how is the computer behaving?

Regards,
RatHat

[GoodDoctor]

I have attached the scan.

My computer seems just fine. The link is off the desktop and I have access to my control panel. I have not noticed any issues with it.

Thanks,

 OTScanIt.Txt_3_25__2.txt   86.2KB   105 downloads

[RatHat]

Start OTScanIt.exe Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Registry - Non-Microsoft Only]
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
YN -> {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75}[HKEY_LOCAL_MACHINE] -> http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab[Reg Error: Key does not exist or could not be opened.]
YN -> {9A9307A0-7DA4-4DAF-B042-5009F29E09E1}[HKEY_LOCAL_MACHINE] -> http://acs.pandasoftware.com/activescan/as5free/asinst.cab[ActiveScan Installer Class]
YN -> {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876}[HKEY_LOCAL_MACHINE] -> http://support.f-secure.com/ols/fscax.cab[F-Secure Online Scanner 3.3]
[Files/Folders - Modified Within 30 days]
NY -> imsins.BAK -> %SystemRoot%\imsins.BAK
NY -> 5 C:\Documents and Settings\administrator\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\administrator\Local Settings\Temp\*.tmp
[Extra Files]
C:\WINNT\system32\diperto3b97-6fe8.sys
[Empty Temp Folders]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Save the Notepad file to your Desktop and post the log in your next reply.

Now, could you try the F-Secure scan again and let me know if it runs this time.

Regards,
RatHat

[GoodDoctor]

sorry, same error message.

Is it possibly due to administrator privilages? I am on a networked computer. I do log in under administrator but is this possibly why?

[GoodDoctor]

sorry, I have attached the otscan after the fix.

 OTScanIt.Txt_3_25__3.txt   88.86KB   98 downloads

[RatHat]

OK, I think the best thing to do here seeing as this could be a network issue, is to run DrWeb again, as outlined in post 6.

Post me the results, and a fresh DSS log.

Regards,
RatHat

[GoodDoctor]

I ran the DrWeb scan, it did not find anything under both scans. I wasn't sure again but I did not have the option for clicking on "select drives." Was I to do an express scan the second time or is it supposed to be a complete or custom scan? There was no report list created from the scan.


I have attached the dss scan.

Thank you for your continuing efforts!

 dss_scan_3_25.txt   17.41KB   97 downloads