Virus/trojan issues (buritos.exe)

Asked by NCTETech

I have two machines that are infected with viruses/trojans. They keep displaying messages that say "Windows is infected with spyware, click here to clean up". It was pointing to a file called "winivstr.exe". TrendMicro OfficeScan 8 is running for AV. It keeps finding a "PAK_Generic.006" infection and names a "karina.dat" file in C:\Windows\system32\. I found this file and a very suspect buritos.exe file. I have deleted them in normal and safe mode, yet they keep returning. I have installed Ad-Aware; it finds nothing when doing a scan. Windows Defender won't run; neither will Spybot. I found the buritos.exe in the registry under HKLM\software\microsoft\windows\currentversion\run\. I deleted it from there as well, but no luck. Can anyone help me get rid of this garbage?
Tags: Anti-Virus Apps, Vulnerabilities, Windows XP

smartsystemsinc
I have the same issue on a box that I am working on. Webroot anti-virus tells me the name is SoftCashier FakeAlert. There are two files attached to it, called c:\windows\buritos.exe and c:\windows\system32\buritos.exe. There is also a reg entry under hkey_local_machine/software/microsoft/windows/currentversion/run; in there is buritos.exe, value buritos.exe.
I have tried lots of different methods to clean with no headway at all.
orangutang
If it's just HKLM\software\microsoft\windows\currentversion\run, you should be able to delete it in safe mode. Also, send us your HijackThis (http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php) log.
SOLUTION by rpggamergirl (members-only content, not shown)
NCTETech (asker)
Orangutang - I tried deleting the registry key in safe mode, but it returned after a reboot.

Rpggamergirl - I also tried ComboFix; even after disabling all AV I could not get it to run (safe or normal mode).

We may have a long, drawn out fix going now. I will post again tomorrow with an update and instructions if this works on our second machine.
SOLUTION by rpggamergirl (members-only content, not shown)
SOLUTION by DafreekPC (members-only content, not shown)
paulmward
McAfee have released an extra.dat that will detect and delete buritos.exe.

I downloaded it from their https://www.webimmune.net site after submitting buritos.exe for inspection.

I've run a full system scan after installing the extra.dat, and the buritos.exe file was deleted along with karina.dat.

The trouble is that after rebooting, the files reappear in the Windows and system32 folders.

I'm off to search again for something that will remove it completely.
cgtyoder
This is very timely - I have a user who got hit with this yesterday from opening a .zip file in spam, purporting to be from UPS.

I can't figure out what is causing buritos.exe to reappear either.  I removed the ntos.exe entry from ...\Winlogon\Userinit, as described above, but there was no c:\windows\system32\ntos.exe to begin with (yes, I have show all files turned on).

Heaps of praise to whoever gets to the bottom of this.
pncookson
I don't know if this will help, but it is how I got rid of this issue, thanks to this thread.

Tried killing processes with Task Manager and then Process Explorer. (Not much luck; the machine locked up a couple of times, so be careful if you're remote.)
Ran Panda online scanner. Found viruses and rootkits; removed viruses, left rootkits. (Google "panda online scanner".)
Then ran AVG rootkit free, removed rootkits.
Saved HijackThis under another name (good tip, thanks), ran it and deleted the obvious.
buritos.exe kept coming back in HijackThis and AVG rootkit.
Saved and ran ComboFix (saved under a different name again, thanks).

I can now start Spybot Search and Destroy, and it's found win32.agent.pz so far, but I can tell the main work is done.

I'll update any other steps I needed to take.

BTW, my customer's infection was through one of those UPS zip files. Went straight through Symantec Corp Edition 10.?. Virus defs were 2-3 days old only.

Hope this helps,

Paul


OK, I finally got ComboFix and HJT to run. Here are the logs from those two, and the problem seems to have gone away. After I removed the string ntos.exe and renamed ComboFix to get it to run, the computer seems to be running fairly well. Let me know what you think.

HijackThis
___________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:38, on 2008-07-23
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHALDCS.EXE
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=0080311
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=0080311
O4 - HKLM\..\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.3.5.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1216824659890
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = station21.local
O17 - HKLM\Software\..\Telephony: DomainName = station21.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = station21.local
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DCS Loader (DCSLoader) - Oki Data Corporation - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHALDCS.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

--
End of file - 3962 bytes



ComboFix
________

ComboFix 08-07-22.4 - Administrator 2008-07-23  8:31:09.2 - NTFSx86 NETWORK
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1779 [GMT -7:00]
Running from: E:\CFixBuritos.exe

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

[color=red]C:\WINDOWS\system32\dllcache\beep.sys[/color]
[color=red]C:\WINDOWS\system32\drivers\beep.sys[/color]
C:\WINDOWS\system32\DelSelf.bat
C:\WINDOWS\system32\dllcache\figaro.sys
C:\WINDOWS\system32\winivstr.exe
.
---- Previous Run -------
.
C:\WINDOWS\system32\DelSelf.bat
C:\WINDOWS\system32\x64
C:\WINDOWS\system32\wsnpoem\audio.dll . . . . failed to delete
C:\WINDOWS\system32\wsnpoem\video.dll . . . . failed to delete

.
(((((((((((((((((((((((((   Files Created from 2008-06-23 to 2008-07-23  )))))))))))))))))))))))))))))))
.

2008-07-23 08:08 . 2008-07-23 08:13      9,216      --a------      C:\WINDOWS\buritos.exe
2008-07-23 08:08 . 2008-07-23 08:13      6,144      --a------      C:\WINDOWS\system32\karina.dat
2008-07-23 08:08 . 2008-07-23 08:13      6,144      --a------      C:\WINDOWS\karina.dat
2008-07-23 08:00 . 2008-07-23 08:07            d--------      C:\WINDOWS\system32\CatRoot_bak
2008-07-23 08:00 . 2008-07-23 08:00            d--------      C:\Program Files\Trend Micro
2008-07-23 08:00 . 2008-07-23 08:00            d--------      C:\43f747590a34eca8eb51c37a
2008-07-22 18:52 . 2008-07-23 07:50            d--------      C:\Documents and Settings\administrator.STATION21\.housecall6.6
2008-07-22 14:37 . 2008-07-22 14:37      3,992      --a------      C:\WINDOWS\system32\tmp.reg
2008-07-22 14:31 . 2008-07-22 14:31            d--------      C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-07-22 13:11 . 2008-07-22 13:11            d--------      C:\Documents and Settings\LocalService\Application Data\Webroot
2008-07-22 13:10 . 2008-07-22 13:10      276      --a------      C:\WINDOWS\system32\MRT.INI
2008-07-22 13:09 . 2008-07-22 13:09            d--------      C:\Program Files\Webroot
2008-07-22 13:09 . 2008-07-22 13:09            d--------      C:\Documents and Settings\All Users\Application Data\Webroot
2008-07-22 13:09 . 2008-07-22 13:09            d--------      C:\Documents and Settings\administrator.STATION21\Application Data\Webroot
2008-07-22 13:09 . 2008-07-13 09:53      1,538,928      --a------      C:\WINDOWS\WRSetup.dll
2008-07-22 13:09 . 2008-07-22 13:09      146      --a------      C:\WINDOWS\ODBC.INI
2008-07-22 13:08 . 2008-06-10 02:32      73,728      --a------      C:\WINDOWS\system32\javacpl.cpl
2008-07-22 13:04 . 2008-07-22 13:04      164      --a------      C:\install.dat
2008-07-22 12:56 . 2008-07-22 12:56            d--------      C:\Documents and Settings\All Users\Application Data\Avg7
2008-07-13 01:03 . 2008-07-13 01:03      166,512      --a------      C:\WINDOWS\system32\drivers\ssidrv.sys
2008-07-13 01:03 . 2008-07-13 01:03      29,808      --a------      C:\WINDOWS\system32\drivers\ssfs0bbc.sys
2008-07-13 01:03 . 2008-07-13 01:03      23,152      --a------      C:\WINDOWS\system32\drivers\sshrmd.sys
2008-07-02 13:26 . 2008-07-02 13:26      173,448      --a------      C:\WINDOWS\system32\wdfproc.dll
2008-07-02 13:26 . 2008-07-02 13:26      103,304      --a------      C:\WINDOWS\system32\drivers\pwipf6.sys

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-23 00:10      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\Google Updater
2008-07-22 20:08      ---------      d-----w      C:\Program Files\Java
2008-06-30 22:40      ---------      d-----w      C:\Documents and Settings\chief.STATION21\Application Data\U3
2008-06-20 10:45      360,320      ----a-w      C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44      138,368      ----a-w      C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52      225,920      ----a-w      C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 13:10      272,128      ------w      C:\WINDOWS\system32\drivers\bthport.sys
2008-05-28 20:49      ---------      d-----w      C:\Program Files\Softland
2008-05-28 19:59      ---------      d-----w      C:\Documents and Settings\chief.STATION21\Application Data\PC-FAX TX
2008-05-28 19:57      ---------      d-----w      C:\Documents and Settings\chief.STATION21\Application Data\ScanSoft
.

(((((((((((((((((((((((((((((   snapshot@2008-07-22_14.04.32.90   )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-22 21:01:11      32,768      ----a-w      C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-07-22 21:42:02      32,768      ----a-w      C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-07-22 21:01:11      32,768      ----a-w      C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-07-22 21:42:02      32,768      ----a-w      C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-07-22 21:01:11      147,456      ----a-w      C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-07-22 21:42:02      147,456      ----a-w      C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-03-21 01:06:36      1,480,232      ------w      C:\WINDOWS\system32\LegitCheckControl.dll
+ 2007-07-31 02:18:34      207,736      ----a-w      C:\WINDOWS\system32\muweb.dll
+ 2008-04-14 12:42:38      7,680      ----a-w      C:\WINDOWS\system32\spdwnwxp.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PPort11reminder"="C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-02-01 13:46 255528]
"MSConfig"="C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2004-08-04 03:00 158208]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ppu54.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Monitor.lnk
backup=C:\WINDOWS\pss\Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrMfcWnd]
--------- 2007-03-05 12:00 630784 C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter3]
--------- 2006-11-07 19:03 65536 C:\Program Files\Brother\ControlCenter3\BrCtrCen.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2007-07-17 11:23 162328 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
--a------ 2007-07-26 16:03 178712 C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2007-07-17 11:23 141848 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
--a------ 2007-01-29 21:10 46632 C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
--a------ 2007-01-29 21:12 30248 C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
--------- 2006-10-20 14:23 118784 C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
--a------ 2007-07-17 11:23 137752 C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
--a------ 2007-09-24 17:12 1036288 C:\Program Files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
--a------ 2008-07-13 09:53 5418864 C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
--a------ 2006-10-25 09:03 210472 C:\Program Files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-10 04:27 144784 C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Webroot Desktop Firewall]
--a------ 2008-07-02 13:26 2401672 C:\Program Files\Webroot\Webroot Desktop Firewall\WDF.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\buritos]
--a------ 2008-07-23 08:13 9216 C:\WINDOWS\buritos.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"stllssvr"=3 (0x3)
"WebrootSpySweeperService"=2 (0x2)
"WDFNet"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:DCOM(135)

R0 ssfs0bbc;ssfs0bbc;C:\WINDOWS\system32\DRIVERS\ssfs0bbc.sys [2008-07-13 01:03]
R1 DLARTL_M;DLARTL_M;C:\WINDOWS\system32\Drivers\DLARTL_M.SYS [2006-08-11 07:35]
R1 pwipf6;pwipf6;C:\WINDOWS\system32\drivers\pwipf6.sys [2008-07-02 13:26]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe [2007-06-20 11:30]
S0 Ppu54;Ppu54;C:\WINDOWS\system32\Drivers\Ppu54.sys []
S4 WDFNet;Webroot Desktop Firewall network service;C:\Program Files\Webroot\Webroot Desktop Firewall\wdfsvc.exe [2008-07-02 13:26]
.
Contents of the 'Scheduled Tasks' folder
"2008-07-22 20:09:27 C:\WINDOWS\Tasks\wrSpySweeperFullSweep.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe%/ScheduleSweep=wrSpySweeperFullSweep
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex
- A:\
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=0080311
R0 -: HKLM-Main,Start Page = hxxp://www.dell.com

O16 -: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.3.5.cab
C:\WINDOWS\Downloaded Program Files\DownloadManagerV2.inf
C:\WINDOWS\Downloaded Program Files\Manager.exe
C:\WINDOWS\Downloaded Program Files\DownloadManagerV2.ocx


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-23 08:34:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\OPHALDCS.EXE
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
.
**************************************************************************
.
Completion time: 2008-07-23  8:36:54 - machine was rebooted [Administrator]
ComboFix-quarantined-files.txt  2008-07-23 15:36:37

Pre-Run: 145,584,771,072 bytes free
Post-Run: 143,414,304,768 bytes free

179      --- E O F ---      2008-07-22 20:10:09



pncookson
Shoot, sorry, forgot.

After running Panda, it pointed out ntos.exe and beep.sys in dllcache, and ntos in system32. I could not delete them, so I removed all permissions from them, including SYSTEM. This seems to stop ntos running. It just seemed to get in the way of ComboFix for beep.sys, and I had to restore it from CD.
paulmward
I have successfully removed this file and related files by doing the following:

1) Turn off System Restore in Windows (http://support.microsoft.com/kb/310405, XP version)
2) Download the free version of AVG Virus Scan from here: http://free.avg.com/ww.download?prd=afe
3) Boot Windows into Safe Mode and install AVG
4) Reboot Windows into normal mode for AVG to load fully
5) Run AVG and perform an update of the database files to the latest version
6) Once the database files have been updated, run a complete scan of all local drives. (This may take a while.)
7) At the end of the process AVG automatically removes/quarantines any infected files and prompts you to reboot.
8) After rebooting into normal mode, the buritos.exe file and related files should not exist

Below are the results of the AVG scan on my infected system which is now clean.

"Scan ""Scan whole computer"" was finished."
"Infections found:";"12"
"Infected objects removed or healed:";"12"
"Not removed or healed:";"0"
"Spyware found:";"0"
"Spyware removed:";"0"
"Not removed:";"0"
"Warnings count:";"319"
"Information count:";"0"
"Scan started:";"23 July 2008, 15:08:06"
"Scan finished:";"23 July 2008, 16:55:14 (1 hour(s) 47 minute(s) 7 second(s))"
"Total object scanned:";"548029"
"User who launched the scan:";"Administrator"

"Infections"
"File";"Infection";"Result"
"C:\Documents and Settings\Administrator.machinename\Local Settings\Temporary Internet Files\Content.IE5\WFPUEAB2\Install[1].exe";"Trojan horse Generic10.ABTV";"Moved to Virus Vault"
"C:\Documents and Settings\username\Local Settings\Temporary Internet Files\OLK22\UPS_INVOICE_978172 (2).zip";"Trojan horse Dropper.Small.BC";"Moved to Virus Vault"
"C:\Documents and Settings\username\Local Settings\Temporary Internet Files\OLK22\UPS_INVOICE_978172 (2).zip:\UPS_INVOICE_978172.exe";"Trojan horse Dropper.Small.BC";"Moved to Virus Vault"
"C:\Documents and Settings\username\Local Settings\Temporary Internet Files\OLK22\UPS_INVOICE_978172.zip";"Trojan horse Dropper.Small.BC";"Moved to Virus Vault"
"C:\Documents and Settings\username\Local Settings\Temporary Internet Files\OLK22\UPS_INVOICE_978172.zip:\UPS_INVOICE_978172.exe";"Trojan horse Dropper.Small.BC";"Moved to Virus Vault"
"C:\WINDOWS\buritos.exe";"Trojan horse Downloader.FraudLoad.C";"Moved to Virus Vault"
"C:\WINDOWS\karina.dat";"Virus found Small";"Moved to Virus Vault"
"C:\WINDOWS\system32\buritos.exe";"Trojan horse Downloader.FraudLoad.C";"Moved to Virus Vault"
"C:\WINDOWS\system32\dllcache\beep.sys";"Trojan horse Agent.3.R";"Moved to Virus Vault"
"C:\WINDOWS\system32\drivers\beep.sys";"Trojan horse Agent.3.R";"Moved to Virus Vault"
"C:\WINDOWS\system32\karina.dat";"Virus found Small";"Moved to Virus Vault"
"C:\WINDOWS\system32\winivstr.exe";"Trojan horse Generic10.ABTV";"Moved to Virus Vault"

Success! After removing the ntos.exe string from Userinit, and renaming and running ComboFix, the virus is no more. Thank you very much for your help.
Oh, and a full sweep with Webroot Spy Sweeper with antivirus.
ASKER CERTIFIED SOLUTION by NCTETech (members-only content, not shown)
NCTETech (asker)
I forgot to mention when you do the Windows Explorer searches (like in step 7), be sure to allow it to look in the system folders and the hidden files and folders.
SOLUTION by Andret2k (members-only content, not shown)
eits2004
Running the current version of ComboFix did the job for me.

Nasty little piece of malware this one.
tcurtispc2
Follow NCTETech 07.23.2008 at 11:53AM CDT, ID: 22071230 steps...

I found the same, focusing on the date of infection and researching the web as I found each portion...
I would skip steps 9 thru 14 though; after number 8, you should be able to run your AV and Spybot, etc. I would download and run ComboFix (run a Google search to find it).

Initially, my client's regular AV wouldn't fire up - but I was able to install AVG Free 8.x and manually add the VDef - to assist and quarantine the buritos.exe each time it recreated itself.

Also, Spybot and HijackThis would not fire up - but I was able to get Spybot's TeaTimer feature to run as I worked (you can set it at time of install/re-install - load its updates manually, etc.).

Turned out that the beep.sys in the d:\Windows\System32\drivers folder was infected (on mine) and kept recreating the buritos.exe, as well as inhibiting Spybot S&D, HijackThis, Windows Defender, Symantec AV, etc. from running (services starting, etc.).

Also, there may be a folder d:\Windows\System32\wsnpoem - delete it and its contents (two DLL files).

After the infected beep.sys is eradicated, your regular tools will work properly (Spybot scan, etc.).

I ran ComboFix as soon as I could - to clean up; it worked well. Of course, I ran Spybot S&D in full scan, as well as SAVCE after a VDef update, etc.

Hats off to NCTETech! Pretty close to being right on up to item 9... wish I would have had that info for my client's workstation.
rpggamergirl
This infection patches Beep.sys; that's why programs won't run.

You haven't deleted those buritos.exe files, have you? If you haven't, then let ComboFix do it.

1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------
File::
C:\WINDOWS\system32\wsnpoem\audio.dll
C:\WINDOWS\system32\wsnpoem\video.dll
C:\WINDOWS\buritos.exe
C:\WINDOWS\system32\karina.dat
C:\WINDOWS\karina.dat

Folder::
C:\WINDOWS\system32\wsnpoem

Driver::
Ppu54

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ppu54.sys]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\buritos]
------------------------------------------------------------------------

3. Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.
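An added audit script, not from any poster in this thread and not part of ComboFix, that checks the persistence points the posts above identify (the Winlogon Userinit value, the Run and msconfig startupreg keys, the dropped files and wsnpoem folder, and both copies of beep.sys); it assumes Windows PowerShell 2.0 or later in an elevated prompt, and it only reports, deleting nothing.

```powershell
# Added audit script for the persistence points named in this thread. It is not from any
# poster and not from ComboFix; it is read-only and reports findings without deleting.
# Assumes Windows PowerShell 2.0 or later, run from an elevated prompt.
$iocPattern = '(?i)\b(buritos|karina|winivstr|ntos)\b'   # names reported in the thread
$findings   = New-Object System.Collections.ArrayList
function Add-Finding([string]$msg) { [void]$findings.Add($msg) }

# 1. Winlogon\Userinit should contain nothing but userinit.exe. Posters found ntos.exe
#    appended here, which is what restarted the infection at every logon.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty -Path $winlogon -Name Userinit -ErrorAction SilentlyContinue).Userinit
foreach ($entry in ("$userinit" -split ',')) {
    $e = $entry.Trim()
    if ($e -and ($e -notlike '*\userinit.exe')) {    # -notlike is case-insensitive
        Add-Finding "Userinit has an extra entry '$e' (full value: '$userinit')"
    }
}

# 2. Run keys, plus the msconfig 'startupreg' backup in which the ComboFix log above still
#    listed a 'buritos' item after the Run value itself had been removed.
$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg'
)
foreach ($key in $autostartKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    # Run keys store each autostart as a value; startupreg stores each one as a subkey.
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if (($p.Name -notlike 'PS*') -and ("$($p.Name) $($p.Value)" -match $iocPattern)) {
            Add-Finding "$key : value '$($p.Name)' = '$($p.Value)'"
        }
    }
    foreach ($sub in @(Get-ChildItem -Path $key -ErrorAction SilentlyContinue)) {
        if ($sub -and ($sub.PSChildName -match $iocPattern)) {
            Add-Finding "$key : subkey '$($sub.PSChildName)'"
        }
    }
}

# 3. Dropped files and the wsnpoem folder, at the exact paths the thread reported.
#    Test-Path sees hidden files, which a default Explorer search does not.
$dropPaths = @(
    "$env:windir\buritos.exe",           "$env:windir\system32\buritos.exe",
    "$env:windir\karina.dat",            "$env:windir\system32\karina.dat",
    "$env:windir\system32\winivstr.exe", "$env:windir\system32\ntos.exe",
    "$env:windir\system32\wsnpoem"
)
foreach ($path in $dropPaths) {
    if (Test-Path -LiteralPath $path) { Add-Finding "present on disk: $path" }
}

# 4. beep.sys in drivers\ and in dllcache\. The thread found both copies replaced, so two
#    copies that merely match each other prove nothing: compare the hashes printed here
#    with the file on the install media or on a known-clean machine at the same service
#    pack. On older Windows, Get-AuthenticodeSignature reports catalog-signed OS files as
#    NotSigned, so there only a HashMismatch status is a firm signal on its own.
$sha = [System.Security.Cryptography.SHA256]::Create()
foreach ($sys in @("$env:windir\system32\drivers\beep.sys", "$env:windir\system32\dllcache\beep.sys")) {
    if (-not (Test-Path -LiteralPath $sys)) { Add-Finding "missing: $sys"; continue }
    try {
        $f    = Get-Item -LiteralPath $sys -Force
        $hash = [System.BitConverter]::ToString($sha.ComputeHash([System.IO.File]::ReadAllBytes($sys))).Replace('-', '')
        $sig  = (Get-AuthenticodeSignature -FilePath $sys).Status
        Write-Output ('{0}  size={1}  modified={2}  signature={3}  sha256={4}' -f $sys, $f.Length, $f.LastWriteTime, $sig, $hash)
        if ("$sig" -eq 'HashMismatch') { Add-Finding "signature does not match file contents: $sys" }
    } catch {
        # pncookson stripped permissions from the infected files, so an unreadable
        # beep.sys is itself worth reporting rather than silently skipping.
        Add-Finding "could not read $sys : $($_.Exception.Message)"
    }
}

if ($findings.Count -eq 0) { Write-Output 'None of the indicators from this thread were found.' }
else {
    Write-Output "$($findings.Count) finding(s):"
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

Run it before and again after the CFScript step so the second run confirms that the Userinit value, the startupreg subkey and the dropped files are all gone rather than recreated at reboot.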
rpggamergirl
It's never a good idea to turn off System Restore while in the process of cleaning the system, as in some rare cases where malware is so vicious and hard to remove you might need one of those restore points. And if System Restore is turned off, then there is nothing to go back to. It's better to have bad restore points than none.
Any viruses in System Restore (if any) are harmless while in that folder.
DafreekPC
OK guys, here is what worked for me for this scenario.
1. Downloaded and extracted SDFix
2. Restarted in safe mode and ran SDFix from its folder on the desktop (if it doesn't extract, just change the name of the file and it will work)
3. Once SDFix finished and I was back in Windows, I installed AVG Free 8 (latest downloadable version from Download.com)
4. Updated and ran a full system scan
All files were deleted after that.
NCTETech (asker)
Ultimately, we found our own solution for the first machine. I am going to award points to the people whose ideas I used on the second machine, as they were a little different.
techmattters
Two good tools to remove this.

-Download F-Prot Antivirus
http://files.f-prot.com/files/windows/fpav-windows-x86-hc-en.msi

-Download TR
http://www.simplysup.com/tremover/download.html
dempsedm
Combofix, what a great tool, I'm glad I found it.  It seems to have worked well, I'm still cleaning up, but I think that tool is pretty awesome!
bilbus
To get your removal programs to run, delete beep.sys... that's the program that's closing your removal apps.
Tonyb28
I am running a "Tiny" machine with an Athlon 64 3500 processor with Windows XP (SP1) originally installed.
When I updated to XP (SP2) and later to SP3 all my screen icons have disappeared along with the task bar.
I can access the programs from "Task Manager/Desktop" and they all seem to work OK; also, SP3 is better at catching bugs and seems to work a little faster than SP2.
However, I would appreciate any assistance to regain my desktop.