BleepingComputer.com: Artemis and Vundu infection in win32, etc.

Jump to content

Forum Guidelines

Posted Image Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help


Posted Image Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.


Posted Image DO NOT RUN ComboFix unless requested to.


Posted Image Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.


Posted Image When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.


Posted Image Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.
Page 1 of 1
  • You cannot start a new topic
  • This topic is locked

Artemis and Vundu infection in win32, etc. I understand y'all may know how to remove'em

#1 User is offline   cleveland88 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 5
  • Joined: 29-December 08

Posted 30 December 2008 - 12:28 AM

Howdy!
Mcafee scan shows Artemis and vundu infection in system files. MalwareBytes scan confirms. As these are in mission critical files I'm interested in learning how y'all remove the malware if its possible. This is first trip down this rabbit hole. Probably not the last. any help would be greatly appreciated. Especially if I can learn how its done.
Thanks!
Cleveland



DDS (Version 1.1.0) - NTFSx86
Run by ADMIN_Cleveland at 0:12:47.68 on Tue 12/30/2008
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.587 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\JWPEN.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\ADMIN_Cleveland\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.att.net
BHO: AT&&T Toolbar: {4e7bd74f-2b8d-469e-94be-fd60bb9aae29} - c:\progra~1\atttoo~1\ATTTOO~1.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: AT&&T Toolbar: {4e7bd74f-2b8d-469e-94be-fd60bb9aae29} - c:\progra~1\atttoo~1\ATTTOO~1.DLL
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [prunnet] "c:\windows\system32\prunnet.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
Trusted Zone: turbotax.com
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: neisxl.dll
LSA: Authentication Packages = msv1_0 relog_ap
LSA: Notification Packages = scecli scecli scecli scecli scecli

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admin_~1\applic~1\mozilla\firefox\profiles\xc0egmf8.default\

============= SERVICES / DRIVERS ===============

R0 hypen;Hy Pen;c:\windows\system32\drivers\hypen.sys [2008-4-18 10548]
R1 Cinemsup;Cinemsup;c:\windows\system32\drivers\Cinemsup.sys [2003-12-19 6656]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-10-4 207656]
R2 HWSuperPowerTablet;HWSuperPowerTablet;c:\windows\system32\JWPEN.exe [2008-4-18 225280]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-11-18 358736]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2007-10-4 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-10-4 605512]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-10-4 79240]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-10-4 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-10-4 40488]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-10-4 34152]

=============== Created Last 30 ================

2008-12-28 18:35 1,306,974 ---sh--- c:\windows\system32\eegnfktj.ini
2008-12-28 18:35 90,112 a------- c:\windows\system32\jtkfngee.dll
2008-12-28 18:35 139,264 a------- c:\windows\system32\llfqomrn.dll
2008-12-26 23:45 <DIR> --d----- c:\windows\system32\appmgmt
2008-12-26 23:04 <DIR> --d----- c:\program files\Trend Micro
2008-12-26 19:09 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-26 19:09 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-26 19:09 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-12-26 19:09 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-12-24 22:47 136,192 a------- c:\windows\system32\mgefjpfg.dll
2008-12-24 21:58 136,192 a------- c:\windows\system32\asalaupi.dll
2008-12-24 21:56 1,661,209 ---sh--- c:\windows\system32\ppftfwgq.ini
2008-12-23 22:02 1,661,209 ---sh--- c:\windows\system32\srcenlyi.ini
2008-12-20 21:38 1,661,209 ---sh--- c:\windows\system32\obyapctm.ini
2008-12-04 10:42 <DIR> --d----- c:\documents and settings\admin_cleveland\.netbeans-registration

==================== Find3M ====================

2008-10-23 07:36 286,720 -------- c:\windows\system32\gdi32.dll
2008-10-16 15:38 826,368 -------- c:\windows\system32\wininet.dll
2008-10-16 14:06 268,648 -------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 -------- c:\windows\system32\muweb.dll
2008-10-03 05:02 247,326 -------- c:\windows\system32\strmdll.dll
2008-07-04 22:21 54,134 a------- c:\program files\INSTALL.LOG
2008-01-12 02:30 19,543,005 -------- c:\documents and settings\all users\gwt-windows-1.4.61.zip
2007-08-30 11:22 36,963 a----r-- c:\program files\common files\SM1updtr.dll
2008-08-26 14:12 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082620080827\index.dat

============= FINISH: 0:13:41.23 ===============

Attached File(s)


#2 User is offline   fenzodahl512 

  • Forum Addict
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Members
  • Posts: 6,738
  • Joined: 04-December 07

Posted 05 January 2009 - 04:42 AM

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..

Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.
Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.

If ComboFix asked you to install Recovery Console, please do so.. It will be your best interest..

When finished, it shall produce a log for you. Post that log and a fresh HijackThis log in your next reply..

Note: DO NOT mouseclick combofix's window while its running. That may cause it to stall
Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive

#3 User is offline   cleveland88 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 5
  • Joined: 29-December 08

Posted 06 January 2009 - 12:22 AM

ThankYou.
Here are the logs. Whats it all mean?
Cleveland


DDS (Version 1.1.0) - NTFSx86
Run by ADMIN_Cleveland at 0:15:18.42 on Tue 01/06/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.669 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\JWPEN.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ATTToolbar\FDServer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\ADMIN_Cleveland\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.earthlink.net/
BHO: AT&&T Toolbar: {4e7bd74f-2b8d-469e-94be-fd60bb9aae29} - c:\progra~1\atttoo~1\ATTTOO~1.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: AT&&T Toolbar: {4e7bd74f-2b8d-469e-94be-fd60bb9aae29} - c:\progra~1\atttoo~1\ATTTOO~1.DLL
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
Trusted Zone: turbotax.com
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: neisxl.dll
LSA: Authentication Packages = msv1_0 relog_ap

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admin_~1\applic~1\mozilla\firefox\profiles\xc0egmf8.default\

============= SERVICES / DRIVERS ===============

R0 hypen;Hy Pen;c:\windows\system32\drivers\hypen.sys [2008-4-18 10548]
R1 Cinemsup;Cinemsup;c:\windows\system32\drivers\Cinemsup.sys [2003-12-19 6656]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-10-4 207656]
R2 HWSuperPowerTablet;HWSuperPowerTablet;c:\windows\system32\JWPEN.exe [2008-4-18 225280]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-11-18 358736]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2007-10-4 144704]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-10-4 79240]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-10-4 35240]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-10-4 34152]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-10-4 40488]
S4 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-10-4 605512]

=============== Created Last 30 ================

2009-01-05 23:56 <DIR> a-dshr-- C:\cmdcons
2009-01-05 23:38 161,792 a------- c:\windows\SWREG.exe
2009-01-05 23:38 98,816 a------- c:\windows\sed.exe
2009-01-05 23:38 <DIR> --d----- C:\ComboFix
2008-12-26 23:45 <DIR> --d----- c:\windows\system32\appmgmt
2008-12-26 23:04 <DIR> --d----- c:\program files\Trend Micro
2008-12-26 19:09 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-26 19:09 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-26 19:09 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-12-26 19:09 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================

2008-10-23 07:36 286,720 -------- c:\windows\system32\gdi32.dll
2008-10-16 15:38 826,368 -------- c:\windows\system32\wininet.dll
2008-10-16 14:06 268,648 -------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 -------- c:\windows\system32\muweb.dll
2008-01-12 02:30 19,543,005 -------- c:\documents and settings\all users\gwt-windows-1.4.61.zip
2007-08-30 11:22 36,963 a----r-- c:\program files\common files\SM1updtr.dll
2008-08-26 14:12 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082620080827\index.dat

============= FINISH: 0:15:54.25 ===============

ComboFix 09-01-05.04 - ADMIN_Cleveland 2009-01-05 23:57:34.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.583 [GMT -5:00]
Running from: c:\documents and settings\ADMIN_Cleveland\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *enabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\INSTALL.LOG
c:\windows\system32\drivers\fad.sys
c:\windows\system32\eegnfktj.ini
c:\windows\system32\gdiuqakd.ini
c:\windows\system32\obyapctm.ini
c:\windows\system32\ppftfwgq.ini
c:\windows\system32\srcenlyi.ini

.
((((((((((((((((((((((((( Files Created from 2008-12-06 to 2009-01-06 )))))))))))))))))))))))))))))))
.

2008-12-26 23:04 . 2008-12-26 23:04 <DIR> d-------- c:\program files\Trend Micro
2008-12-26 19:09 . 2008-12-26 19:09 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-26 19:09 . 2008-12-26 19:09 <DIR> d-------- c:\documents and settings\Tiffany.PASSITON-R3RRRD\Application Data\Malwarebytes
2008-12-26 19:09 . 2008-12-26 19:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-26 19:09 . 2008-12-03 19:59 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-26 19:09 . 2008-12-03 19:59 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-21 09:58 . 2008-12-21 09:58 <DIR> d-------- c:\documents and settings\Tiffany.PASSITON-R3RRRD\Application Data\MSN6
2008-12-20 21:32 . 2008-12-26 22:14 <DIR> d-------- c:\documents and settings\Tiffany.PASSITON-R3RRRD\Application Data\ATTTOOLBAR
2008-12-18 09:48 . 2008-12-18 09:48 <DIR> d-------- c:\documents and settings\Cleveland.PASSITON-R3RRRD\workspace
2008-12-06 11:01 . 2008-12-06 11:01 <DIR> d-------- c:\documents and settings\David.PASSITON-R3RRRD\.jagex_cache_32

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-06 04:45 --------- d-----w c:\documents and settings\All Users\Application Data\ATTToolbar
2008-12-24 02:45 --------- d-----w c:\documents and settings\ADMIN_Cleveland\Application Data\ATTToolbar
2008-12-19 02:51 --------- d-----w c:\documents and settings\Cleveland.PASSITON-R3RRRD\Application Data\U3
2008-12-04 15:42 --------- d-----w c:\program files\glassfish-v2
2008-11-15 23:07 --------- d-----w c:\program files\McAfee
2008-10-23 12:36 286,720 ------w c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 ------w c:\windows\system32\wininet.dll
2008-10-16 19:13 202,776 ------w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ------w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ------w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ------w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ------w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ------w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ------w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ------w c:\windows\system32\wups.dll
2008-10-16 19:06 268,648 ------w c:\windows\system32\mucltui.dll
2008-10-16 19:06 208,744 ------w c:\windows\system32\muweb.dll
2008-08-02 06:01 0 ------w c:\documents and settings\Tiffany.PASSITON-R3RRRD\jagex_runescape_preferences.dat
2008-01-12 07:30 19,543,005 ------w c:\documents and settings\All Users\gwt-windows-1.4.61.zip
2007-08-30 16:22 36,963 ----a-r c:\program files\Common Files\SM1updtr.dll
2008-12-20 05:01 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-12-20 05:01 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-20 05:01 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-12-20 05:01 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-12-20 05:01 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2008-08-26 19:12 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082620080827\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-06-29 286720]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2008-07-11 641208]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=neisxl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\att-nap\\McciBrowser.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R0 hypen;Hy Pen;c:\windows\system32\drivers\HYPEN.sys [2008-04-18 10548]
R1 Cinemsup;Cinemsup;c:\windows\system32\drivers\cinemsup.sys [2003-12-19 6656]
R4 HWSuperPowerTablet;HWSuperPowerTablet;c:\windows\system32\jwpen.exe [2008-04-18 225280]

--- Other Services/Drivers In Memory ---

*Deregistered* - HYCtl
.
Contents of the 'Scheduled Tasks' folder

2008-12-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

2008-12-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-07-09 17:10]

2009-01-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-07-09 17:10]

2008-12-31 c:\windows\Tasks\Roxio_Backup_initial_07_08.job
- c:\program files\Sonic\Backup MyPC Deluxe 6\System\sbestart.exe [2004-11-30 03:10]

2009-01-06 c:\windows\Tasks\tydindmi.job
- c:\windows\system32\rundll32.exe [2008-04-13 19:12]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-prunnet - c:\windows\system32\prunnet.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.earthlink.net/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
Trusted Zone: *.turbotax.com

O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
FF - ProfilePath - c:\documents and settings\ADMIN_Cleveland\Application Data\Mozilla\Firefox\Profiles\xc0egmf8.default\
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-06 00:02:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(864)
c:\windows\system32\relog_ap.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\brss01a.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
.
**************************************************************************
.
Completion time: 2009-01-06 0:05:04 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-06 05:04:59

Pre-Run: 1,530,486,784 bytes free
Post-Run: 1,907,699,712 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

165 --- E O F --- 2008-12-27 16:27:38

#4 User is offline   fenzodahl512 

  • Forum Addict
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Members
  • Posts: 6,738
  • Joined: 04-December 07

Posted 06 January 2009 - 01:44 AM

Please download the OTMoveIt3 by OldTimer
  • Save it to your Desktop.
  • Please double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Let the Unregister Dll's and Ocx's remain ticked and Zip Files After Moves remain unticked..
  • Copy the codebox contents and paste it to the "Paste List of Files/Folders to Move" window (under the light Yellow bar)

    :files
c:\windows\Tasks\tydindmi.job

:reg
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""


  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



NEXT


Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan
    Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic



Run ComboFix again.. Post these logs in your next reply..

1. OTMoveIt3
2. ESET Online report
3. ComboFix
Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive

#5 User is offline   fenzodahl512 

  • Forum Addict
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Members
  • Posts: 6,738
  • Joined: 04-December 07

Posted 12 January 2009 - 03:14 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic
Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive

Share this topic:


Page 1 of 1
  • You cannot start a new topic
  • This topic is locked

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users