trojan-gen {delphi} in chest, cannot use pc, all in chest!

hi everybody! first, sorry for my bad English…
I have to solve a distance problem and I don’t know how to do it… please help me!
A friend of mine, in Indonesia, bought his first computer only two weeks ago. Yesterday he contacted me to ask for some help with Skype and other software, so I used LogMeIn to go in, check, and help him install some programs (it is a great piece of software; if you haven’t tried it yet, you have to! www.logmein.com )
I saw that he didn’t have an antivirus installed, so I installed one on his PC.
When the installation finished he rebooted the PC to run the first boot-time scan.

Avast found 3 viruses: Win32:Trojan-gen{Delphi}, Win32:Viking-V[Wrm] and Win32:Viking-O-UPK [Wrm]
Most of the files are infected by the first of these.

He put all the infected files in the chest during the boot scan.

Now I have to tell him how to clean it, considering that both my connection and his are very slow Indonesian dial-up, and that he knows absolutely nothing about PCs; I know a little bit more, but not much…

So, if there is anybody among you who can give me some help with this…

The virus also infected the flash disk and the memory card of the camera! So he cannot use the camera either!
What can I tell him to do? Is there a removal tool for this virus?

Thanks to all who have some time to help me

Really, is there nobody who can help me!!! please…

I searched a lot on the internet and found a lot of malware removal tools that maybe can help, but it takes a very long time for me to try them; does anybody know if one of them is useful?
Also, we already tried to scan the PC with ClamWin, and it didn’t find any virus… so the question, maybe stupid, I’m sorry, is: if I ask him to download a malware removal tool, will it find the viruses in the chest afterwards? Because I think not…
And the fact is that we have to clean them; we cannot leave them in the chest (at least this is what I think), because Avast put in the chest C:\Windows, C:\Program Files, H:\ (that is the flash disk), J:\ (that is the memory of the camera) and so on… so it is impossible to use anything!

We already tried to do a system restore but it was not useful…

We also tried to delete from the chest all the files relative to the memory of the camera, take out the memory card, take some pictures and put it again in the PC… but this failed too; it doesn’t let us see the disk…
What can we do?

A Viking infection means, in my eyes, format the PC/hard disk. You can try to use Dr.Web CureIt from freedrweb.com to clean the infected files, but you will not be able to say if they are really 100% clean after trying to cure them.

Many thanks,
and if they stay in the chest?
Or better, if I try to clean with Dr.Web CureIt, what do I have to tell him to do: take the files out of the chest first, or just run it like this?
Any idea for Trojan-gen {Delphi}? It is the most common one on the infected PC…

Right, format! I panicked and didn’t use my brain, how stupid I am. For the memory of the camera and for the flash disk it is the better solution I think, but for the PC? Is it necessary?


I’ve just read a message in this forum from DavidR that says to always give some more information, so here it is:

  • What OS are you using? is it up to date?
    Win XP. I think it is not up to date because, as I just told you, the connection is slow and the PC new; I saw on the infected computer that the updates are currently downloading, at 3%

  • What avast! version and VPS file (virus database) number, e.g. 0436-4 (see about avast!)
    Avast Home, and it is up to date because just after the installation it automatically updated itself

  • What was the virus name, what was the filename, where was it found
    example (C:\windows\system32\infected-filename.xxx)?

So I copy here the file name, location and name of the virus:

000000032.exe D:\recycler\nprotect win32:Trojan-gen{Delphi}
000000033.exe D:\recycler\nprotect win32:Trojan-gen{Delphi}
000000034.exe D:\recycler\nprotect win32:Trojan-gen{Delphi}
000000035.exe D:\recycler\nprotect win32:Trojan-gen{Delphi}
000000036.exe D:\recycler\nprotect win32:Trojan-gen{Delphi}

word file from user D: win32:Trojan-gen{Delphi}
DCIM.exe (this is from memory of camera) I: win32:Trojan-gen{Delphi}
Document and Settings.exe C: win32:Trojan-gen{Delphi}
Documents.exe (This if from flash disk) H: win32:Trojan-gen{Delphi}
hkcmd.exe C:\windows\system32 Win32:Viking-V [Wrm]
hkcmd.exe C:\windows\system32\ReinstallBackups\0000\DriverFiles Win32:Viking-V [Wrm]
igfxdiag.exe C:\windows\system32\ReinstallBackups\0000\DriverFiles Win32:Viking-O-UPK [Wrm]
igfxdiag.exe C:\windows\system32 Win32:Viking-O-UPK [Wrm]
igfxext.exe C:\windows\system32\ReinstallBackups\0000\DriverFiles Win32:Viking-V [Wrm]
igfxext.exe C:\windows\system32 Win32:Viking-V [Wrm]
images.exe D: win32:Trojan-gen{Delphi}
MISC.exe (this also from camera) I: win32:Trojan-gen{Delphi}
My Music.exe C:\Document and Settings\Administrator\My Documents win32:Trojan-gen{Delphi}
My Pictures.exe C:\Document and Settings\Administrator\My Documents win32:Trojan-gen{Delphi}
My Skype received Files.exe C:\Document and Settings\Administrator\My Documents win32:Trojan-gen{Delphi}
Program Files.exe C: win32:Trojan-gen{Delphi}
qwrtaw5pc3ryyxrvcga=.com C:\windows\system32 win32:Trojan-gen{Delphi}
uvdsdgfxnxbjm1j5wvhsd… C:\windows win32:Trojan-gen{Delphi}
VVZkU2RHRlhOWEJqTTFKNVd… C:\Document and Settings\Administrator\Local Settings\Temp win32:Trojan-gen{Delphi}
Windows.exe C: win32:Trojan-gen{Delphi}

  • What actions have you taken to try and resolve the problem?

all the infected files are in the chest
we deleted the temporary files from Internet Explorer
we deleted also the Java temp files
and we ran Disk Cleanup

we tried to delete from the chest the 2 files relative to the memory of the camera, take new pictures and put it again in the PC, but they are all still blocked

now I’m downloading Ad-Aware, but will it be useful or not? Before using it, do we have to take the files out of the chest or not?

many thanks to everybody who can help…

If you are able to restore the infected files with original ones, that would be perfect. You can delete the “win32:Trojan-gen” files. They are not infected, they are the trojans themselves.

Ad-Aware is not useful in this case. Try to scan the PC with CureIt and let us know what it finds.

But can I delete files like Program Files.exe and Windows.exe in C:\ from the chest?
What does it mean that they are the trojans themselves? If I open C:\ I don’t find the folders… (I think because they are in the chest…)

So what do you think, can I format the flash disk and the memory of the camera, and also the data disk D:, and then run Dr.Web CureIt directly without doing anything with the Avast chest?

Can I do a quick format or do I have to do the long one? And is there something I have to know to format the hard drive? (of course, not to format the C drive!)

Thank you very much, I’m in panic and my friend there believes that I can help him but I’m not sure I can… with your help it is much easier…

You can use quick format, but I meant format drive C too! :slight_smile:

The first thing he has to do is make a backup of all his important data (emails, documents etc.). Let Avast and Dr.Web cure everything they find, but remember it is possible that this may crash the Windows installation!

The folders are not in the chest, but the trojans are. This trojan gives itself the name of every folder it finds and also uses the folder icon, so it is difficult to see what’s a folder and what’s the trojan with the same name and icon!
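The folder-mimic trick described in the reply above (an executable carrying a folder’s name and icon, like the Program Files.exe and Windows.exe entries in the Avast list) can be checked for mechanically. The Python script below is an added example, not code from this thread or from any product named in it: it reports executables whose name minus extension matches a sibling folder, which is exactly the pattern in the posted list. The extension set and the sample directory tree are constructed for the example.

```python
import os
import tempfile
from pathlib import Path

# File types Windows runs directly; the thread reports .exe and .com names (list is an assumption)
EXECUTABLE_SUFFIXES = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd"}


def folder_mimics(entries):
    """entries: iterable of (name, is_dir) pairs for the contents of ONE directory.

    Returns the executables whose name without extension equals a sibling folder,
    e.g. 'Program Files.exe' sitting next to 'Program Files'. Windows names are
    case-insensitive, so the comparison is too.
    """
    folder_names = {name.lower() for name, is_dir in entries if is_dir}
    hits = []
    for name, is_dir in entries:
        if is_dir:
            continue
        stem, suffix = os.path.splitext(name)
        if suffix.lower() in EXECUTABLE_SUFFIXES and stem.lower() in folder_names:
            hits.append(name)
    return sorted(hits)


def scan_tree(root):
    """Walk a directory tree (a drive root, a flash disk, a camera card) and return
    every mimic found, as a path relative to root with forward slashes."""
    root = Path(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [(d, True) for d in dirnames] + [(f, False) for f in filenames]
        for name in folder_mimics(entries):
            findings.append((Path(dirpath) / name).relative_to(root).as_posix())
    return sorted(findings)


def build_sample_tree(base):
    """Constructed replica of the names in the thread's Avast list (empty placeholder
    files, not malware). The thread writes 'Document and Settings'; the real folder is
    'Documents and Settings', and the sample uses one spelling for folder and file."""
    base = Path(base)
    my_docs = "Documents and Settings/Administrator/My Documents"
    for d in ["Program Files", "Windows", f"{my_docs}/My Music", f"{my_docs}/My Pictures"]:
        (base / d).mkdir(parents=True, exist_ok=True)
    for f in ["Program Files.exe", "Windows.exe", "Documents and Settings.exe",
              f"{my_docs}/My Music.exe", f"{my_docs}/My Pictures.exe",
              f"{my_docs}/letter.doc", "setup.exe"]:  # the last two are legitimate
        (base / f).touch()


def demo():
    """Build the sample tree in a temporary directory, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for hit in demo():
        print("folder mimic:", hit)
```

Point `scan_tree()` at a drive root or a removable disk (for example `scan_tree("H:\\")`) to get the same kind of list as the Avast report. A hit identifies only the naming pattern; the antivirus detection is what decides whether a file is malicious, and a legitimate program could in principle share a folder’s name.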

This location “000000032.exe D:\recycler\nprotect” is the Norton protected recycle bin, so it would appear that you have remnants of Norton on your system. What Norton product did/do you have?

The windows.exe would appear to be a trojan so there is no repair involved, http://www.liutilities.com/products/wintaskspro/processlibrary/windows/, there are a lot of hits on a google search.

Program files.exe may be an indication of the Brontok worm.

Files in the chest can do no harm there and there is no rush to delete.

Check with the manufacturer’s web site for the flash drive; it may have advice on formatting it, as it uses a different format to your HDD.

Personally I wouldn’t be in a hurry to reformat the hard drive.

Have your friend post ComboFix and HijackThis logs and we’ll see if we can keep it from going that far.

Download ComboFix from Here or Here to your Desktop.
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix’s window while it’s running. That may cause it to stall.

Click here to download HJTsetup.exe

  • Save HJTsetup.exe to your desktop.
  • Double-click on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad.
  • Click on “Edit > Select All” then click on “Edit > Copy” to copy the entire contents of the log.
  • Come back here to this thread and paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

ok, I have the log files of HijackThis and ComboFix before CureIt:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:50:47 AM, on 8/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\PROGRA~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wuauclt.exe
H:\PortableApps\PortableAppsMenu\PortableAppsMenu.exe
H:\Skype\Skype.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM..\Run: [LogMeIn GUI] “C:\Program Files\LogMeIn\x86\LogMeInSystray.exe”
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU..\Run: [Skype] “C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized
O4 - HKCU..\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Utilities\NPROTECT.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\SPEEDD~1\nopdb.exe


End of file - 4690 bytes

continue…
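Reading a HijackThis log by eye, as the helpers in this thread do, comes down to the autostart and service lines and where each image lives. The Python below is an added example, not HijackThis code or anything posted in the thread: it parses the running-process list, the O4 Run-key and startup-folder entries and the O23 services from a constructed excerpt of the log above, then lists the entries a reviewer reads first: images given without a directory, and images started from outside the Windows and Program Files trees (here the programs running from the H: flash disk, the same drive the Avast list shows infected files on). The trusted-root list is an assumption made for the example.

```python
import re

# Trees a stock Windows XP install launches its own software from (assumption for this
# example; the 8.3 short name C:\PROGRA~1 also appears in the thread's log).
TRUSTED_ROOTS = ("c:\\windows", "c:\\program files", "c:\\progra~1")

# O4 lines: "O4 - HKLM\..\Run: [Name] command" or "O4 - Global Startup: file.lnk = path".
# The backslash before ".." is optional because the forum copy of the log dropped it.
_O4 = re.compile(r"^O4 - (?P<where>HKLM\\?\.\.\\Run|HKCU\\?\.\.\\Run|Global Startup): (?P<rest>.*)$")
# Image path inside a command line: the quoted part if quoted, else up to the first executable token.
_IMAGE = re.compile(r'"(?P<q>[^"]+)"|(?P<u>.+?\.(?:exe|com|scr|pif|bat|cmd|dll))(?=\s|$)', re.I)

# Constructed excerpt in HijackThis 2.0.2 layout, built from lines posted in the thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\igfxtray.exe
H:\Skype\Skype.exe

O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Utilities\NPROTECT.EXE
"""


def _image_path(cmd):
    """Return the executable from a command line, dropping arguments such as /nosplash."""
    m = _IMAGE.match(cmd.strip())
    return (m.group("q") or m.group("u")) if m else cmd.strip()


def parse_hjt(text):
    """Return a list of {'section', 'name', 'path'} for running processes, O4 autostarts and O23 services."""
    entries = []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:
                in_processes = False  # a blank line ends the process list
            else:
                entries.append({"section": "process", "name": line.rsplit("\\", 1)[-1], "path": line})
            continue
        m = _O4.match(line)
        if m:
            where, rest = m.group("where"), m.group("rest")
            if where == "Global Startup":
                name, _, cmd = rest.partition(" = ")
            else:
                name, _, cmd = rest.lstrip("[").partition("] ")
            entries.append({"section": "O4 " + where, "name": name, "path": _image_path(cmd)})
            continue
        if line.startswith("O23 - Service: "):
            parts = line[len("O23 - Service: "):].rsplit(" - ", 2)  # name - vendor - path
            if len(parts) == 3:
                entries.append({"section": "O23 Service", "name": parts[0], "path": parts[2]})
    return entries


def review_points(entries, trusted_roots=TRUSTED_ROOTS):
    """What a log reviewer reads first: images given without a directory (Windows resolves
    them by a path search at logon, so which file actually runs depends on the search order)
    and images launched from outside the Windows / Program Files trees, e.g. a removable drive."""
    flagged = []
    for e in entries:
        p = e["path"].lower()
        if "\\" not in p:
            flagged.append((e["section"], e["name"], e["path"], "no directory; resolved by path search"))
        elif not p.startswith(trusted_roots):
            flagged.append((e["section"], e["name"], e["path"], "image outside Windows/Program Files"))
    return flagged


def demo():
    """Parse the constructed excerpt and return the review points."""
    return review_points(parse_hjt(SAMPLE_LOG))


if __name__ == "__main__":
    for section, name, path, why in demo():
        print(f"{section:18} {name:12} {path}  <- {why}")
```

To use it on a real log, read the saved HijackThis file into a string and pass it to `parse_hjt()`; the flags are a reading aid, not a verdict, and an entry like SoundMan with no directory is common for OEM drivers.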

And this is from ComboFix:

ComboFix 07-08-17.2 - “Administrator” 2007-08-23 11:42:15.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.216 [GMT 7:00]

  • Created a new restore point

((((((((((((((((((((((((( Files Created from 2007-07-23 to 2007-08-23 )))))))))))))))))))))))))))))))

2007-08-23 11:41 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-23 09:53 d-------- C:\WINDOWS\LastGood
2007-08-23 09:53 d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Thunderbird
2007-08-22 12:29 d-------- C:\WINDOWS\system32\ActiveScan
2007-08-22 12:18 1,556,480 --a------ C:\DOCUME~1\ADMINI~1\ntuser.dat
2007-08-22 11:44 d-------- C:\WINDOWS\LMI49.tmp
2007-08-21 13:55 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-08-21 13:55 94,416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-08-21 13:55 92,848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-08-21 13:55 783,224 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-08-21 13:55 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-08-21 13:55 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-08-21 13:55 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-08-21 13:55 d-------- C:\Program Files\Alwil Software
2007-08-20 09:26 d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Opera
2007-08-20 09:23 d-------- C:\Program Files\Opera
2007-08-16 15:56 229,376 --ah----- C:\DOCUME~1\LOGMEI~1\ntuser.dat
2007-08-15 16:45 83,552 --a------ C:\WINDOWS\system32\LMIRfsClientNP.dll
2007-08-15 16:45 46,112 --a------ C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
2007-08-15 16:45 26,176 --a------ C:\WINDOWS\system32\LMIport.dll
2007-08-15 16:44 63,040 --a------ C:\WINDOWS\system32\LMIinit.dll
2007-08-15 16:44 d-------- C:\Program Files\LogMeIn
2007-08-15 14:00 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-08-15 14:00 d–h----- C:\WINDOWS$hf_mig$
2007-08-15 14:00 d-------- C:\WINDOWS\system32\PreInstall
2007-08-15 12:01 d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-08-14 10:34 d-------- C:\Program Files\nobrand
2007-08-02 17:00 d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Image Zone Express
2007-08-02 16:49 d—s---- C:\DOCUME~1\LOCALS~1\UserData
2007-08-02 15:08 d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Image Zone Express
2007-08-02 15:02 d—s---- C:\DOCUME~1\ADMINI~1\UserData
2007-08-02 14:55 d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\HP
2007-08-02 14:53 d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\HP
2007-08-02 14:44 d-------- C:\Program Files\Common Files\HP
2007-08-02 14:44 d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\HP
2007-08-02 14:42 d-------- C:\Program Files\Hewlett-Packard
2007-08-02 14:41 d-------- C:\Program Files\Common Files\Hewlett-Packard
2007-08-02 14:39 94,208 --a------ C:\WINDOWS\system32\HPZipt12.dll
2007-08-02 14:39 69,632 --a------ C:\WINDOWS\system32\HPZipm12.exe
2007-08-02 14:39 65,536 --a------ C:\WINDOWS\system32\HPZinw12.exe
2007-08-02 14:39 57,344 --a------ C:\WINDOWS\system32\HPZisn12.dll
2007-08-02 14:39 278,584 --a------ C:\WINDOWS\system32\HPZidr12.dll
2007-08-02 14:39 204,800 --a------ C:\WINDOWS\system32\HPZipr12.dll
2007-08-02 14:35 7,577 --------- C:\WINDOWS\hpomdl08.dat
2007-08-02 14:35 49,664 -ra------ C:\WINDOWS\system32\drivers\HPZid412.sys
2007-08-02 14:35 46,592 --a------ C:\WINDOWS\system32\hpzll43a.dll
2007-08-02 14:35 16,496 -ra------ C:\WINDOWS\system32\drivers\HPZipr12.sys
2007-08-02 14:35 110,019 --a------ C:\WINDOWS\hpoins08.dat
2007-08-02 14:34 614,400 -ra------ C:\WINDOWS\system32\hpotscl2.dll
2007-08-02 14:34 602,112 -ra------ C:\WINDOWS\system32\hpowiax2.dll
2007-08-02 14:34 282,624 -ra------ C:\WINDOWS\system32\HPZc3212.dll
2007-08-02 14:34 254,026 -ra------ C:\WINDOWS\system32\hpovst09.dll
2007-08-02 14:34 21,568 -ra------ C:\WINDOWS\system32\drivers\HPZius12.sys
2007-08-02 14:34 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-08-02 14:31 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-08-01 14:43 86,016 --a------ C:\WINDOWS\system32\mdmxsdk.dll
2007-08-01 14:43 685,056 --a------ C:\WINDOWS\system32\drivers\HSFCXTS2.sys
2007-08-01 14:43 32,285 --a------ C:\WINDOWS\system32\HSFCISP2.dll
2007-08-01 14:43 220,032 --a------ C:\WINDOWS\system32\drivers\HSFBS2S2.sys
2007-08-01 14:43 11,868 --a------ C:\WINDOWS\system32\drivers\mdmxsdk.sys
2007-08-01 14:43 1,041,536 --a------ C:\WINDOWS\system32\drivers\HSFDPSP2.sys
2007-07-29 01:03 d-------- C:\Program Files\HP
2007-07-29 01:02 77,824 -ra------ C:\WINDOWS\system32\hpzids01.dll
2007-07-29 01:02 45,056 --a------ C:\WINDOWS\system32\hpzll3xu.dll
2007-07-28 13:12 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-07-26 21:52 d-------- C:\WINDOWS\Cache
2007-07-26 21:45 d-------- C:\Program Files\iview
2007-07-26 21:42 d–h----- C:\WINDOWS\PIF
2007-07-26 21:24 d-------- C:\Program Files\Skype
2007-07-26 21:24 d-------- C:\Program Files\Common Files\Skype
2007-07-26 21:24 d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Skype
2007-07-26 21:24 d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Skype
2007-07-26 09:16 d-------- C:\WINDOWS\system32\appmgmt

continue…

and the second part…

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-22 18:09 --------- d-------- C:\Program Files\Winamp
2007-07-22 18:08 --------- d–h----- C:\Program Files\InstallShield Installation Information
2007-07-22 18:08 --------- d-------- C:\Program Files\CyberLink
2007-07-22 18:08 --------- d-------- C:\Program Files\Common Files\InstallShield
2007-07-22 18:07 --------- d-------- C:\Program Files\Prolific Publishing, Inc
2007-07-22 17:50 47399 --a------ C:\WINDOWS\BricoPackUninst.cmd
2007-07-22 17:50 218624 --a------ C:\WINDOWS\system32\uxtheme.dll
2007-07-22 17:50 218624 --a------ C:\WINDOWS\system32\dllcache\uxtheme.dll
2007-07-22 17:50 2165 --a------ C:\WINDOWS\BricoPackFoldersDelete.cmd
2007-07-22 17:44 --------- d-------- C:\Program Files\Speed Disk
2007-07-22 17:44 --------- d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Symantec
2007-07-22 17:43 --------- d-------- C:\Program Files\Symantec
2007-07-22 17:43 --------- d-------- C:\Program Files\Norton Utilities
2007-07-22 17:43 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-07-22 17:41 --------- d-------- C:\Program Files\Common Files\ACD Systems
2007-07-22 17:36 --------- d-------- C:\Program Files\Microsoft ActiveSync
2007-07-22 17:26 2722 --a------ C:\WINDOWS\pchealth\helpctr\PackageStore\SkuStore.bin
2007-07-22 17:15 8972 --a------ C:\WINDOWS\pchealth\helpctr\Config\Cntstore.bin
2007-07-22 16:54 0 -rahs---- C:\MSDOS.SYS
2007-07-22 16:54 0 -rahs---- C:\IO.SYS
2007-07-22 16:54 0 --a------ C:\CONFIG.SYS
2007-07-22 16:54 0 --a------ C:\AUTOEXEC.BAT
2007-07-22 16:54 --------- d-------- C:\Program Files\microsoft frontpage
2007-07-22 16:52 --------- d–h----- C:\Program Files\WindowsUpdate
2007-07-22 16:51 --------- d-------- C:\Program Files\Movie Maker
2007-07-22 16:51 --------- d-------- C:\Program Files\Common Files\MSSoap
2007-07-22 16:50 --------- d-------- C:\Program Files\Online Services
2007-07-22 16:50 --------- d-------- C:\Program Files\MSN Gaming Zone
2007-07-22 16:50 --------- d-------- C:\Program Files\Messenger
2007-07-22 16:49 --------- d-------- C:\Program Files\Windows NT
2007-07-22 16:45 --------- d-------- C:\Program Files\Common Files\SpeechEngines
2007-07-22 16:45 --------- d-------- C:\Program Files\Common Files\ODBC
2007-05-25 15:22 24000 --a------ C:\WINDOWS\system32\lmimirr.dll
2007-05-25 15:22 10304 --a------ C:\WINDOWS\system32\lmimirr2.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

Note empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“IgfxTray”=“C:\WINDOWS\system32\igfxtray.exe” [2006-09-13 11:54]
“SoundMan”=“SOUNDMAN.EXE” [2005-02-23 17:13 C:\WINDOWS\SOUNDMAN.EXE]
“HP Software Update”=“C:\Program Files\HP\HP Software Update\HPWuSchd2.exe” [2005-12-15 11:18]
“LogMeIn GUI”=“C:\Program Files\LogMeIn\x86\LogMeInSystray.exe” [2007-04-17 14:03]
“SunJavaUpdateSched”=“C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe” [2004-09-28 20:26]
“avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [2007-07-28 05:03]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“Skype”=“C:\Program Files\Skype\Phone\Skype.exe” [2007-06-08 15:18]
“MSMSGS”=“C:\Program Files\Messenger\msmsgs.exe” [2004-08-04 01:06]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 11:40:44]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
“NoActiveDesktop”=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2007-05-25 15:22 63040 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Norton System Doctor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Norton System Doctor.lnk
backup=C:\WINDOWS\pss\Norton System Doctor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
“C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe”

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe

R2 LMIInfo;LogMeIn Kernel Information Provider;??\C:\Program Files\LogMeIn\x86\RaInfo.sys
R2 LMIRfsDriver;LogMeIn Remote File System Driver;??\C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
R3 lmimirr;lmimirr;C:\WINDOWS\system32\DRIVERS\lmimirr.sys
R3 NPDriver;Norton Unerase Protection Driver;??\C:\WINDOWS\system32\Drivers\NPDRIVER.SYS


catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-23 11:43:26
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully
hidden files: 0


Completion time: 2007-08-23 11:44:05

--- E O F ---

After that he ran CureIt but it didn’t find any virus :-\

We also tried to take the Documents folder of H: out of the Avast quarantine, to scan H: with CureIt, but it didn’t find any virus.
After that we opened H: and Avast blocked it because of the virus and asked to put it again in quarantine…

What file (name and path) is found on H: ? This may be a false positive. The registry loading points that normally show up in ComboFix with this kind of infection are not present. Other than this detection are there any symptoms of infection?

You do need to finish uninstalling Norton, update Java, and consider a third party firewall but this is all I see in your logs.

Isn’t it the time to use RunScanner?

Please download RunScanner (http://www.runscanner.net/download.aspx) and install it.
When the first page comes up select Beginner Mode.
On the next page select Save a binary .Run file (optional).
Then click Start full computer scan at the bottom.
At this time Runscanner.exe may request access to the Internet please allow it to do so.
It will then run for 2 or 3 minutes.
On completion it will ask for a location to save the file and a name.
It will do this for both the .run file and the log.
Call the file test and save to your desktop.
You will see the .run file on your desktop. Please zip that file by right clicking and selecting send to Zip file.
Then upload that as an attachment to your next post.
Along with the log file produced.

I believe it is … :smiley:

hello again friends!

sorry for the delay… I have some news from my friend… really, I don’t know, funny… or… terrible… anyway,
my friend formatted the PC, because, as I told you, it was quite new so he didn’t have important files on it.

He is in Indonesia, so you have to understand it is a completely different world…
He went to the guy that sold him the PC to format it, and asked him to also install Avast so he didn’t have to download it again.
After getting the PC back he contacted me, I went into his PC with LogMeIn, downloaded the update for the program and ran a boot scan…
and…
a lot of Viking viruses were found! Many more than before… all in the system32 folder and in the System Volume Information folder… now they are again in the chest…
I really don’t know what to say… just… can they stay there?
I mean, I think the virus came from the people that formatted the PC, from their flash disk or CD or PC… and now, after he formatted, he has the same problem again, but because now the Trojan-gen {Delphi} was not found he doesn’t have the problem of folders that he cannot use, memory of the camera that he cannot read… so can he just use the PC like this, with the infected files in the chest?

Is it better if we run again the software you told me, to check the log files?
Do we have to run RunScanner?

What problems can the Viking virus cause from the chest?

Thanks to all…

They are safe there and can do no harm.

Yes, please post the avast! log and new ComboFix and HijackThis logs.