Need help removing 2 Trojans


47 replies to this topic

#1 OFFLINE   Icedrake

    Shazam!

  • Members
  • 1,646 posts
  • Gender:Male
  • Location:United States
  • Interests:Reading, using my computer, astronomy, physics, mathematics, etc.

Posted 20 September 2007 - 07:42 PM

My SpyBot S&D detects this trojan spyware called Vanbot, and every time SpyBot deletes it, the spyware keeps coming back right after it's deleted. Please help! Also, my McAfee anti virus detects this virus every time my PC restarts. It's called something like ZapChast.reg and it's in my registry. Or at least that's where McAfee found the virus. I don't know what to do about this. And I'm not a computer expert either; I pretty much don't know anything about them. PLEASE someone help me remove them!

HiJackThis Logfile
--------------------


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:38:34 PM, on 9/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\avfpmh.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Compaq_Owner\My Documents\My Stuff\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - c:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Microsoft Update Machine] avfpmh.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [Microsoft Update Machine] avfpmh.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...trl.cab?lmi=100
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe

--
End of file - 6434 bytes
Website: www.icedrake.co.cc
YouTube: www.youtube.com/icedrake99
DeviantART: www.icedrake99.deviantart.com
Twitter: www.twitter.com/icedrake99

#2 OFFLINE   AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 21 September 2007 - 12:50 AM

Hi Icedrake, welcome to the forum.

You do have a backdoor infection showing there, which is a serious threat as it allows the attacker to have access to your system using IRC channels. Once we get things cleaned up you will have to change passwords for any sites you have recently accessed, and if you do any banking or paying for goods online it would also be wise to contact the bank to notify them of your situation so they can monitor your account.

Run HijackThis and choose Do A System Scan, then place a check next to these entries:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Microsoft Update Machine] avfpmh.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] avfpmh.exe

Close all open browser and other windows except for HijackThis and press the Fix Checked button.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).

Finally generate a report of the Add/Remove screen entries using HijackThis:
Open Hijackthis, and click the Misc Tools button.
Then click the Open Uninstall Manager... button.
The Add/Remove Programs Manager panel should appear.
In this panel click the Save list button.
Save the uninstall_list.txt file to your desktop and copy and paste the contents back in your next reply.

Please then post back the SDFix log, the Uninstall list and a new HijackThis log, and let us know if you have any problems.

Cheers

Andy

#3 OFFLINE   Icedrake

    Shazam!

  • Members
  • PipPipPipPip
  • 1,646 posts
  • Gender:Male
  • Location:United States
  • Interests:Reading, using my computer, astronomy, physics, mathematics, etc.

Posted 21 September 2007 - 07:57 PM

Hello Andy,
Before I do the removing process, can you please tell me what these files are?
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Microsoft Update Machine] avfpmh.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] avfpmh.exe

Also, I just looked up what ALCXMNTR.EXE is and I found that it's a part of your computer's sound. And I also found some people saying it's a good file and some people saying it's bad!

#4 OFFLINE   AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 21 September 2007 - 08:16 PM

Hi,

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

Browser Helper Object related to Windows Live Messenger; it's missing the path to the file (no file), so it's fine to fix as it's a leftover registry entry from a previously installed program.


O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

Added by Realtek to collect data from customers; not required to start with Windows.

http://www.castlecop...cxmntr_exe.html


O4 - HKLM\..\Run: [Microsoft Update Machine] avfpmh.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] avfpmh.exe

Backdoor infection from the RBot family of trojans.

http://www.ca.com/us/securityadvisor/virus...s.aspx?id=39437

Quote

Once the victim's computer is under control, the overseer is able to instruct Win32.Rbot to attempt to perform malicious operations such as spreading via administrative shares with weak passwords or the DCOM RPC exploit. The backdoor can also be instructed to:

download and execute files from the Internet
retrieve system information such as Operating System details
retrieve CD keys for certain computer games, if present
start a SOCKS proxy
perform denial of service (DoS) attacks
start several other servers: rlogin, http, tftp. The ports used for these are configurable.
log keystrokes
capture video from a webcam, if present
send e-mail
Process Termination
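
As an added illustration (not from the original thread, and not part of HijackThis), the Python script below parses O2 and O4 lines in HijackThis log format and flags the patterns Andy's reply above explains: a BHO whose file is missing, a run entry given as a bare filename, use of the RunServices key, a Microsoft-sounding label attached to an unqualified program, and one executable registered under more than one autostart key. The sample lines are a constructed subset of the log posted in this thread.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v2 log format, modelled on the entries
# discussed in this thread (a subset, not the full log posted above).
SAMPLE_HJT_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Microsoft Update Machine] avfpmh.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] avfpmh.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""

@dataclass
class Finding:
    line: str       # the log line the finding refers to
    rule: str       # why it was flagged
    severity: str   # "low", "medium" or "high"

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
MS_LABEL_RE = re.compile(r"microsoft|windows", re.I)

def executable_of(cmd: str) -> str:
    """Return the program part of an O4 command line (quoted path or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""

def is_unqualified(exe: str) -> bool:
    """True when the entry is a bare filename rather than a full path."""
    return "\\" not in exe and ":" not in exe

def triage(log_text: str) -> list[Finding]:
    """Flag O2/O4 entries that show the patterns discussed in the thread."""
    findings: list[Finding] = []
    run_entries: list[tuple[str, str, str]] = []   # (line, key, exe)
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            if m.group("path").strip().lower() == "(no file)":
                findings.append(Finding(line, "BHO CLSID registered but its DLL is missing "
                                        "(orphaned entry; harmless, safe to fix)", "low"))
            continue
        m = O4_RE.match(line)
        if not m:
            continue
        key, label = m.group("key"), m.group("label")
        exe = executable_of(m.group("cmd"))
        run_entries.append((line, key, exe))
        if key.lower() == "runservices":
            findings.append(Finding(line, "RunServices is a Win9x-era key that XP-era "
                                    "vendor software does not normally use", "high"))
        if is_unqualified(exe) and MS_LABEL_RE.search(label):
            findings.append(Finding(line, "label imitates a Microsoft component but the "
                                    "command is an unqualified filename", "high"))
        elif is_unqualified(exe):
            findings.append(Finding(line, "unqualified filename, resolved through the system "
                                    "search path at logon; check which file actually runs", "medium"))
    # One executable registered under several autostart keys is worth a second look.
    keys_by_exe: dict[str, set[str]] = {}
    for _, key, exe in run_entries:
        keys_by_exe.setdefault(exe.lower(), set()).add(key)
    for line, _, exe in run_entries:
        keys = keys_by_exe[exe.lower()]
        if len(keys) > 1:
            findings.append(Finding(line, f"{exe} is registered under {len(keys)} autostart "
                                    f"keys ({', '.join(sorted(keys))})", "medium"))
    return findings

def count_by_severity(findings: list[Finding]) -> dict[str, int]:
    """Tally findings so a log can be summarised at a glance."""
    counts = {"low": 0, "medium": 0, "high": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts

if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"[{f.severity:6}] {f.rule}\n         {f.line}")
```

Findings are review prompts rather than verdicts: OEM entries such as VTTimer.exe or ALCXMNTR.EXE in the log above are bare filenames too, which is why the thread pairs the log with a lookup of each file.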


#5 OFFLINE   Icedrake

    Shazam!

  • Members
  • PipPipPipPip
  • 1,646 posts
  • Gender:Male
  • Location:United States
  • Interests:Reading, using my computer, astronomy, physics, mathematics, etc.

Posted 21 September 2007 - 08:34 PM

OK, so is ALCXMNTR.EXE a bad program? And do I have to remove it? Because I don't want to lose my sound. :(
I'm really sorry about asking you so many questions; it's just that I've broken 2 computers trying to remove spyware, so I don't want to mess up my new computer. (The one I'm using right now)

#6 OFFLINE   AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 21 September 2007 - 08:42 PM

It's really open to debate. It's added by a legit company so it isn't a trojan, but it's also not required to start with Windows; the Castlecops link explains its use in more detail. I'm not suggesting you delete the file itself, you are just fixing its registry run value so it doesn't start with Windows, but if you wish to leave it then please do and move on to the other steps.

EDIT: I just noticed the extra comments you added to the last post. Fixing that entry will not make you lose your sound, and everything that is fixed with HijackThis is backed up, so you could easily restore it if you wanted to at a later stage using the HijackThis > Misc Tools > Backups feature. If you'd rather not fix it then that is fine as it's not added by malware, but getting rid of that backdoor trojan that is running on your system is important, so please complete the other steps.

Cheers

#7 OFFLINE   Icedrake

    Shazam!

  • Members
  • PipPipPipPip
  • 1,646 posts
  • Gender:Male
  • Location:United States
  • Interests:Reading, using my computer, astronomy, physics, mathematics, etc.

Posted 21 September 2007 - 09:19 PM

I just extracted SDFix to the C drive and my McAfee Virus Found dialog came up. It said that SDFix was a Potentially Unwanted Program, and removed it! What do I do now? Help! :unsure: :(

::::EDIT::::

Actually, McAfee deleted part of SDFix, because the SDFix folder with RunThis.bat is there, with catchme.exe and SDFIX_ReadMe_Online.

#8 OFFLINE   AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 21 September 2007 - 09:45 PM

I like the way McAfee detects a legit tool but doesn't have issues with a backdoor trojan running on your system :blink:

Delete the SDFix.exe and C:\SDFix folder in case it's now been damaged by McAfee. Please then turn off McAfee while you download and run SDFix so it doesn't interfere, then download SDFix again and continue with the safe mode steps. SDFix is my tool so I can assure you it's 100% clean. McAfee will be detecting a file in it named process.exe, which is used to stop any trojan files before the fixtool starts the repairs; if process.exe was added by a trojan then it could be a threat, which is why it's being flagged as a potentially unwanted program, but in this case it's fine to ignore.

If you still have problems let me know

Cheers

#9 OFFLINE   Icedrake

    Shazam!

  • Members
  • PipPipPipPip
  • 1,646 posts
  • Gender:Male
  • Location:United States
  • Interests:Reading, using my computer, astronomy, physics, mathematics, etc.

Posted 21 September 2007 - 10:02 PM

Hello Andy,

I can't fix the computer right now because my parents are going to start using it pretty soon, because they just came home from work, so I'm going to have to fix my computer tomorrow. I will reply to you tomorrow about this!

Also, my McAfee always detects this Trojan called ZapChast.reg and deletes it; but the Trojan always comes back when my computer restarts! I don't know what to do about this.

Ice

#10 OFFLINE   AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 21 September 2007 - 10:22 PM

No problems Ice, we can continue when you're able to.

At least fix those two Microsoft Update Machine O4 entries, as that will stop the backdoor running; it's a serious threat, with it allowing the attacker to have access and control of your system via IRC channels. Although SDFix may not get the file, it will repair any damage the trojan may have caused, such as adding restrictions to prevent you using Windows updates or disabling services like the Firewall and Security Center, so it's worth a run to restore settings to Microsoft's default.

Regarding the McAfee detection for the Zapchast, it's likely related to the active backdoor trojan that's running, so once we get that cleared up the detections from McAfee should stop, but getting information about where it's detecting the file would help if it finds it again.

Cheers

#11 OFFLINE   Icedrake

    Shazam!

  • Members
  • PipPipPipPip
  • 1,646 posts
  • Gender:Male
  • Location:United States
  • Interests:Reading, using my computer, astronomy, physics, mathematics, etc.

Posted 22 September 2007 - 12:18 PM

Hi! If I remove those 2 Windows Update Machine O4 backdoors, will it stop them from coming back if I restart my computer?

Also, I just found out where the ZapChast.reg virus is. Here it is:

Name: C:\a.bat
Detected As: ZapChast.reg

Oh, and whenever my computer starts and loads up everything, after the virus detection message comes up, McAfee starts blocking all these port actions right after my computer starts. And it keeps increasing. Maybe that's McAfee blocking the backdoor from accessing the internet? Also in my task manager, there's this process running that's called avfpmh.exe. Is that the backdoor?

#12 OFFLINE   AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 22 September 2007 - 12:26 PM

Yeah, removing the run values for the trojan will stop it running next time you start the PC. It will not remove the trojan file though, or repair any of the damage it may have caused in other areas, which is where SDFix will come in useful. After that you will need to run an online scan to check for remaining problems, but it's easier to just take it one step at a time for now, so if you can run SDFix and post back its log, and also post back the uninstall list as I mentioned in the earlier post, then we can move on to the next step.

#13 OFFLINE   AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 22 September 2007 - 12:31 PM

Icedrake, on Sep 22 2007, 01:18 PM, said:

Also, i just found out where the ZapChast.reg virus is. Here it is:

Name: C:\a.bat
Detected As: ZapChast.reg

Oh, and whenever my computer starts and loads up everything, after the virus detection message comes up, McAfee starts blocking all these port actions right after my computer starts. And it keeps increasing. Maybe that's McAfee blocking the backdoor from accessing the internet?

Rather than edit your posts to add more info, just add another if there's something extra you wish to add, as it makes it a lot easier for me to follow. The batch file is related to the RBot variant so it's not added by Zapchast. It will stop coming back when you complete the steps I put in my first reply, but if you'd rather not follow the steps then just delete the O4 entries for Microsoft Update Machine, delete the trojan file C:\WINDOWS\system32\avfpmh.exe, delete the C:\a.bat and then run an online scan at Kaspersky http://www.kaspersky.com/virusscanner and save the scan log if you need more help so we can see what it found.

Cheers

#14 OFFLINE   Icedrake

    Shazam!

  • Members
  • PipPipPipPip
  • 1,646 posts
  • Gender:Male
  • Location:United States
  • Interests:Reading, using my computer, astronomy, physics, mathematics, etc.

Posted 22 September 2007 - 12:34 PM

OK, I can't do the Safe Mode stuff right now, but I'm doing a SpyBot S&D scan to see if the backdoor file is still on my computer. If it is, then I'm going to remove it and run SpyBot again to see if the backdoor is still replacing itself. Is that alright?

#15 OFFLINE   Icedrake

    Shazam!

  • Members
  • PipPipPipPip
  • 1,646 posts
  • Gender:Male
  • Location:United States
  • Interests:Reading, using my computer, astronomy, physics, mathematics, etc.

Posted 22 September 2007 - 01:26 PM

Hello Andy,
Just ran a SpyBot S&D scan and it said that SpyBot found no spyware on my computer!!!! Before, it kept finding the backdoor called Vanbot! But now it's not finding Vanbot anymore! (Thanks to you of course) Does that mean that the backdoor is not on my computer anymore?

----EDIT----
Searched my computer for the file avfpmh.exe and I only found 1 file. Here it is:

Name: AVFPMH.EXE-1D836EE7
In Folder: C:\WINDOWS\Prefetch
Size: 27 KB
Type: PF File
Date Modified: 9/19/07

#16 OFFLINE   AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 22 September 2007 - 02:54 PM

Hi Ice,

It's difficult for me to comment or help any more on this topic as I've not seen any logs from your system except for a HijackThis log, so I've no idea if Spybot was finding the same RBot that was showing in your HJT log; it should have really been able to remove it earlier if that was the case, rather than constantly show the same detections each time it was used.

Maybe it was able to delete it after you fixed the O4 entries and stopped it running, but as you didn't post the SDFix log or Kaspersky log I really cannot say if your system is currently clean or not. The prefetch file you found in the search is harmless and will not contain any malicious code, so it's fine to ignore, but if you cannot find the actual .exe file in system32 then maybe it's been removed by Spybot, or maybe it's set with hidden and system attributes, so you can check for it manually if you want:

Click Start. Go to My Computer, then the C:\ drive.
Select the Tools menu from the top bar and click Folder Options. Select the View Tab.
Under the Hidden files and folders heading select "Show hidden files and folders".
UnCheck the "Hide protected operating system files (recommended)" option.

Click Yes to confirm then OK

Set this back once you have checked for the file by opening the same page and pressing the Restore Defaults button then click Apply and OK.

As you posted asking for help but then decided not to follow any of the advice given, there's really nothing more I can do here except repeat the suggestion that you at least run the Kaspersky scanner to check for remaining problems and post back the log if it finds any infected items, as well as a new HijackThis log.

Cheers

Andy

#17 OFFLINE   Icedrake

    Shazam!

  • Members
  • PipPipPipPip
  • 1,646 posts
  • Gender:Male
  • Location:United States
  • Interests:Reading, using my computer, astronomy, physics, mathematics, etc.

Posted 22 September 2007 - 03:54 PM

Hello Andy!

Just ran a Kaspersky online scan and here's the report. Btw, I did the My Computer scan type.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, September 22, 2007 11:50:28 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.1
Kaspersky Anti-Virus database last update: 22/09/2007
Kaspersky Anti-Virus database records: 422171
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: false
Scan Mail Bases: false

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan Statistics:
Total number of scanned objects: 63130
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 00:40:52

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Db\Agent_CHULA.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Db\PrdMgr_CHULA.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\AccessProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\BufferOverflowProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\OnAccessScanLog.txt Object is locked skipped
C:\Documents and Settings\Compaq_Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Compaq_Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\NAILogs\UpdaterUI_CHULA.log Object is locked skipped
C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Compaq_Owner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Compaq_Owner\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\_restore{55AD45FB-8993-4F27-867B-0B74F04FFF84}\RP157\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{AA84956D-EE06-425E-B4B1-2631A19CA78C}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\avfpmh.exe Infected: Backdoor.Win32.Ciadoor.gn skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

#18 OFFLINE   Icedrake

    Shazam!

  • Members
  • PipPipPipPip
  • 1,646 posts
  • Gender:Male
  • Location:United States
  • Interests:Reading, using my computer, astronomy, physics, mathematics, etc.

Posted 22 September 2007 - 03:59 PM

Just did what you said above and I found a file called avfpmh.exe in the system32 folder. Should I delete it?

#19 OFFLINE   AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 22 September 2007 - 04:41 PM

Yes, it needs removing. Before you delete it, though, please visit the link below:

http://www.bleepingcomputer.com/submit-mal....php?channel=27

In the Link to topic where this file was requested: area copy and paste this

http://forum.pirifor...showtopic=12355

In the Browse to the file you want to submit: area, copy and paste this

C:\WINDOWS\system32\avfpmh.exe

Then click Send File. Once it shows

Quote

Your file was successfully submitted. Please let the user helping you know that you have submitted the file.
Then close the Bleeping Computer link,

Then delete the file, and also delete the a.bat on C:\ if it still exists. Once you have done that, set Windows back to hide hidden and system files as explained earlier by pressing the Restore Defaults button.

The a.bat that is created by the IRCBot on C:\, which McAfee kept finding, will create a registry file named 1.reg in your temp folder when it's run. It then merges the reg file to make changes to your system, so it could have disabled protection software, or it could have disabled Windows services, or even added restrictions in other areas of the registry. SDFix would have repaired those changes, but you may as well just delete SDFix now and upload a sample of the file and I'll check it a bit later. Also run CCleaner to clear the contents of the temp folders.

Andy
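
Andy's description of the dropped batch file merging a .reg file gives a defender a concrete artifact to triage. The script below is an added example, not from the thread or from SDFix: it parses a constructed .reg file (a stand-in, since the real 1.reg is not posted here) and reports which entries switch on a policy restriction, set a service's Start value to 4 (disabled), or delete a key outright; the service names and the roles listed for them are assumptions made for the sample.

```python
import re
from dataclasses import dataclass

# Constructed sample .reg file of the kind the thread describes being merged by a
# dropped batch file. It is a stand-in for illustration, not the real 1.reg.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"DisableTaskMgr"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoWindowsUpdate"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000004

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_CURRENT_USER\Software\Example]
"Harmless"="just a string"
"""

@dataclass
class RegFinding:
    key: str
    name: str
    value: object
    note: str

KEY_RE = re.compile(r"^\[(?P<delete>-?)(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?:"(?P<name>[^"]*)"|(?P<default>@))=(?P<data>.*)$')
POLICY_RE = re.compile(r"\\CurrentVersion\\Policies\\", re.I)
SERVICE_RE = re.compile(r"\\CurrentControlSet\\Services\\(?P<svc>[^\\]+)$", re.I)
# Assumed roles for XP services that the thread mentions being disabled.
SERVICE_NOTES = {
    "sharedaccess": "Windows Firewall / Internet Connection Sharing",
    "wscsvc": "Security Center",
    "wuauserv": "Automatic Updates",
}
SERVICE_DISABLED = 4   # Start=4 means the service will not start at all

def parse_data(data: str):
    """Decode the common .reg value encodings: int for dword, str for strings,
    None for the '-' delete marker; other encodings are returned undecoded."""
    data = data.strip()
    if data == "-":
        return None
    if data.lower().startswith("dword:"):
        return int(data[6:], 16)
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return data

def assess_reg(text: str) -> list[RegFinding]:
    """Walk a .reg file and report the changes a defender would want to review."""
    findings: list[RegFinding] = []
    key = ""
    for raw in text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group("key")
            if km.group("delete"):
                findings.append(RegFinding(key, "", None, "whole key deleted"))
            continue
        vm = VALUE_RE.match(line)
        if not vm or not key:
            continue
        name = vm.group("name") if vm.group("name") is not None else "(Default)"
        value = parse_data(vm.group("data"))
        if POLICY_RE.search(key) and isinstance(value, int) and value != 0:
            findings.append(RegFinding(key, name, value,
                                       "policy restriction set to a non-zero value"))
        sm = SERVICE_RE.search(key)
        if sm and name.lower() == "start" and value == SERVICE_DISABLED:
            role = SERVICE_NOTES.get(sm.group("svc").lower(), "role not in table")
            findings.append(RegFinding(key, name, value,
                                       f"service {sm.group('svc')} ({role}) disabled"))
    return findings

if __name__ == "__main__":
    for f in assess_reg(SAMPLE_REG):
        print(f"{f.note}: {f.key}" + (f" -> {f.name}={f.value!r}" if f.name else ""))
```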

#20 OFFLINE   Icedrake

    Shazam!

  • Members
  • PipPipPipPip
  • 1,646 posts
  • Gender:Male
  • Location:United States
  • Interests:Reading, using my computer, astronomy, physics, mathematics, etc.

Posted 22 September 2007 - 04:54 PM

Hello Andy!
Just submitted the info on Bleeping Computer. Deleted avfpmh.exe. But I don't get this part though: "upload a sample of the file and I'll check it a bit later". What do you mean by that? What sample do I have to upload?

Also, I can't delete the a.bat file because McAfee already deleted it when I started my computer this morning. So what do I do about that?