Infected by Prunnet.exe/Virtumonde/Vundo Trojans

Forum Guidelines

Read this topic before posting a log.

DO NOT post a ComboFix log unless requested to.

Only members of the HijackThis Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

Infected by Prunnet.exe/Virtumonde/Vundo Trojans, Not sure if they are completely gone

Options

VVG View Member Profile	Jan 10 2009, 06:54 PM Post #1
New Member Group: Members Posts: 10 Joined: 10-January 09 Member No.: 280,945	I recently (about four days ago) go infected by a series of Trojans that I have been battling for the past several days. Initially, I could not update my Norton antivirus program (whenever I tried, it said all of the files were up to date, but the definition file was dated December 14), after reinstalling Norton I could update it, but it would say "scan complete" after scanning only 877 files. When attempting to run McAfee antivirus, half way through my computer would give me a Win32 error, and force a restart of windows. Whenever spybot would run it would find re-occurring instances of Virtumonde and Vundo Trojans, which it would successfully clean, only to find them again after restarting my computer. I ran several online virus scans, one of which gave me a prunnet.exe infection, and the symantec online virus scan pointed out two .dll files as viruses that were created at the time I initially noticed the infection. After manually deleting the two .dll infections and cleanly reinstalling all Norton End-Protection, I was able to update and run all of the programs. Norton caught over 14 trojans and deleted them. My system appeared to have been cleaned and ran well, however, I lost control over the Terminal Services and Remote Procedure Protocol Services (as in the option for startup type as well as start, stop, pause, and resume buttons were greyed out). I was able to regain control over terminal services by forcing a disable in safe mode. However, RPC options are still all greyed out. I also periodically hear my computer make a noise as if an error window pops open, though no window appears, and I noticed the noise corresponds to a second rundll32.exe process starting on my computer (which I then end). My computer is also making a lot of noise as if it is working something, even when I am only using firefox or microsoft word. I'm worried that my computer is still infected with something, and that in time it will just download more viruses and I will have to spend days getting rid of them all over again. Please help!! Thanks! DDS (Ver_09-01-07.01) - NTFSx86 Run by Owner at 18:29:47.62 on Sat 01/10/2009 Internet Explorer: 6.0.2900.5512 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1441 [GMT -5:00] AV: Symantec Endpoint Protection On-access scanning enabled (Updated) FW: Symantec Endpoint Protection enabled ============== Running Processes =============== C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe svchost.exe svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\Program Files\QuickTime\qttask.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\WINDOWS\system32\svchost.exe -k imgsvc C:\Program Files\Mozilla Firefox\firefox.exe C:\Documents and Settings\Owner\Desktop\dds.scr ============== Pseudo HJT Report =============== uInternet Settings,ProxyOverride = .local BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll BHO: {584983AA-F7C8-4DE7-8F32-CA89DCF40E6F} - No File BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll BHO: {d0637c55-da0b-46e9-b6ea-d5ef0da3ff82} - c:\windows\system32\khfEtRJC.dll TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll uRun: [ATI Launchpad] uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe uRun: [<NO NAME>] uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup mRun: [nwiz] nwiz.exe /install mRun: [IntelAudioStudio] "c:\program files\intel audio studio\IntelAudioStudio.exe" TRAY mRun: [NeroCheck] c:\windows\system32\\NeroCheck.exe mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit mRun: [<NO NAME>] mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe" StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{24c67b54-0718-445e-b663-3138d9246bd1}\Icon3E5562ED7.ico IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000 IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll IE: {44226DFF-747E-4edc-B30C-78752E50CD0C} - {44226DFF-747E-4edc-B30C-78752E50CD0C} - c:\program files\ati multimedia\tv\EXPLBAR.DLL IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL AppInit_DLLs: KATRACK.DLL ================= FIREFOX =================== FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\dr8dydl6.default\ FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll FF - HiddenExtension: XUL Cache: {F6CADF43-80E8-403D-91C4-A8393C60F2BF} - c:\windows\system32\config\systemprofile\local settings\application data\{f6cadf43-80e8-403d-91c4-a8393c60f2bf}\ ============= SERVICES / DRIVERS =============== R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-1-8 99376] R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090110.003\NAVENG.SYS [2009-1-10 89104] R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090110.003\NAVEX15.SYS [2009-1-10 876112] R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-7-7 611664] R4 ACEDRV09;ACEDRV09;c:\windows\system32\drivers\ACEDRV09.sys [2007-9-15 110304] R4 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-8-14 108392] R4 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-8-14 108392] R4 mi-raysat_3dsMax2009_32;mental ray 3.6 Satellite for Autodesk 3ds Max 2009 32-bit 32-bit;c:\program files\autodesk\3ds max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe [2008-3-9 65536] R4 SlingAgentService;SlingAgentService;c:\program files\sling media\slingagent\SlingAgentService.exe [2008-12-10 88576] R4 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2008-12-8 2440120] S1 mferkdk;VSCore mferkdk;\??\c:\program files\mcafee\virusscan enterprise\mferkdk.sys --> c:\program files\mcafee\virusscan enterprise\mferkdk.sys [?] S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-11-18 23888] S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344] =============== Created Last 30 ================ 2009-01-08 23:56 <DIR> --d----- C:\VundoFix Backups 2009-01-08 16:25 120 a--sh--- c:\windows\system32\xrsydkwf.ini 2009-01-08 13:52 92,488 a------- c:\windows\system32\drivers\SysPlant.sys 2009-01-08 13:51 123,952 a------- c:\windows\system32\drivers\SYMEVENT.SYS 2009-01-08 13:51 60,800 a------- c:\windows\system32\S32EVNT1.DLL 2009-01-08 13:51 10,563 a------- c:\windows\system32\drivers\SYMEVENT.CAT 2009-01-08 13:51 805 a------- c:\windows\system32\drivers\SYMEVENT.INF 2009-01-08 04:12 143 a------- c:\windows\system32\mcrh.tmp 2009-01-07 23:43 <DIR> --d----- C:\QUARANTINE 2009-01-07 21:31 1,495,552 a------- c:\windows\system32\epoPGPsdk.dll 2009-01-07 21:31 <DIR> --d----- c:\program files\common files\Cisco Systems 2009-01-07 16:23 120 a--sh--- c:\windows\system32\rsqmdasb.ini 2009-01-07 16:22 73,216 a------- c:\windows\system32\ffkuz.dll 2009-01-07 16:06 <DIR> --d----- c:\windows\Internet Logs 2009-01-07 16:04 110,080 a------- c:\windows\system32\drivers\dne2000.sys 2009-01-07 16:04 94,720 a------- c:\windows\system32\dneinobj.dll 2009-01-07 16:04 <DIR> --d----- c:\program files\common files\Deterministic Networks 2009-01-07 16:04 <DIR> --d----- c:\program files\Cisco Systems 2009-01-07 16:04 1,592 a------- c:\windows\VPNInstall.MIF 2009-01-07 16:03 <DIR> --d----- c:\temp\MU_Secure_Download 2009-01-06 22:03 2,206 a------- c:\windows\system32\tmp.reg 2009-01-06 20:10 102,664 a------- c:\windows\system32\drivers\tmcomm.sys 2009-01-06 20:09 <DIR> --d----- c:\documents and settings\owner\.housecall6.6 2009-01-06 17:22 93 a------- c:\windows\wininit.ini 2009-01-06 14:22 0 a------- c:\windows\system32\drivers\seneka.sys 2009-01-06 14:04 59 a------- c:\windows\system32\seneka.dat 2009-01-06 14:04 3 a------- c:\windows\system32\senekadf.dat 2009-01-06 13:59 123,852 a------- c:\windows\system32\senekalog.dat 2009-01-05 19:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Sling Media 2009-01-05 19:54 <DIR> --d----- c:\program files\Sling Media ==================== Find3M ==================== 2008-12-16 14:34 55,024 a------- c:\windows\War3Unin.dat 2008-12-16 14:32 2,829 a------- c:\windows\War3Unin.pif 2008-12-16 14:32 139,264 a------- c:\windows\War3Unin.exe 2008-12-08 21:43 42,312 a------- c:\windows\system32\drivers\WPSDRVnt.sys 2008-12-08 21:43 357,704 a------- c:\windows\system32\sysfer.dll 2008-12-08 21:43 107,848 a------- c:\windows\system32\SymVPN.dll 2008-12-08 21:42 49,480 a------- c:\windows\system32\FwsVpn.dll 2008-11-21 16:47 524,288 a------- c:\windows\system32\DivXsm.exe 2008-11-21 16:47 3,596,288 a------- c:\windows\system32\qt-dx331.dll 2008-11-21 16:46 1,044,480 a------- c:\windows\system32\libdivx.dll 2008-11-21 16:46 200,704 a------- c:\windows\system32\ssldivx.dll 2008-11-21 16:44 161,096 a------- c:\windows\system32\DivXCodecVersionChecker.exe 2008-11-21 16:44 12,288 a------- c:\windows\system32\DivXWMPExtType.dll 2008-11-18 18:17 23,888 a------- c:\windows\system32\drivers\COH_Mon.sys 2008-11-18 18:01 10,537 a------- c:\windows\system32\drivers\coh_mon.cat 2008-11-18 18:01 706 a------- c:\windows\system32\drivers\COH_Mon.inf 2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll 2008-10-15 20:00 666,112 a------- c:\windows\system32\wininet.dll ============= FINISH: 18:30:59.14 =============== Attached File(s)* Attach.txt ( 11.51k ) Number of downloads: 2

JSntgRvr View Member Profile	Jan 10 2009, 09:23 PM Post #2
Distinguished Member Group: HJT Team Posts: 757 Joined: 4-March 06 From: Puerto Rico Member No.: 57,930	Hi, VVG Welcome. Click here to download HJTInstall.exe Save HJTInstall.exe to your desktop. Doubleclick on the HJTInstall.exe icon on your desktop. By default it will install to C:\Program Files\Trend Micro\HijackThis . Click on Install. It will create a HijackThis icon on the desktop. Do not run it yet Please download Malwarebytes' Anti-Malware from Here or Here Double Click mbam-setup.exe to install the application. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish. If an update is found, it will download and install the latest version. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish,so please be patient. When the scan is complete, click OK, then Show Results to view the results. Make sure that everything is checked, and click Remove Selected. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note) The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM. Copy&Paste the entire report in your next reply. Extra Note: If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediatly. Please download ComboFix from Here or Here to your Desktop. Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop Please, never rename Combofix unless instructed. Close any open browsers. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. ----------------------------------------------------------- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Click on this link* to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.* ----------------------------------------------------------- Close any open browsers. WARNING: Combofix will disconnect your machine from the Internet as soon as it starts Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished. If there is no internet connection after running Combofix, then restart your computer to restore back your connection. ----------------------------------------------------------- Double click on combofix.exe & follow the prompts. If you receive a message that Combofix has detected the presence of rootkit activity and needs to reboot, kindly write down on paper the list of files present in the message before continuing, and post it in your next reply. Install the Recovery Console upon request. When finished, it will produce a report for you. Scan with Hijackthis and save the log. Please post the "C:\ComboFix.txt" along with a HijackThis log for further review. Note: Do not mouseclick combofix's window while it's running. That may cause it to stall -------------------- If I have helped you, consider making a donation to help me continue the fight against Malware!

VVG View Member Profile	Jan 10 2009, 10:19 PM Post #3
New Member Group: Members Posts: 10 Joined: 10-January 09 Member No.: 280,945	Hi JSntgRvr, Thank you so much for your help. I really appreciate it. Here is the Malwarebytes log: Malwarebytes' Anti-Malware 1.32 Database version: 1640 Windows 5.1.2600 Service Pack 3 1/10/2009 9:46:00 PM mbam-log-2009-01-10 (21-46-00).txt Scan type: Quick Scan Objects scanned: 56289 Time elapsed: 3 minute(s), 43 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 1 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 7 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully. Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully. C:\WINDOWS\system32\senekadf.dat (Trojan.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\system32\seneka.dat (Trojan.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\system32\senekalog.dat (Trojan.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\system32\drivers\seneka.sys (Trojan.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\system32\serauth1.dll (Trojan.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\system32\serauth2.dll (Trojan.Agent) -> Quarantined and deleted successfully. I'm also attaching the ComboFix.txt and HijackThis log. I wasn't able to install the recovery tool for ComboFix, because when I clicked to install it now, it said that my computer did not have an internet connection. Should I install it now, after ComboFix finished running? Also, I wasn't sure whether I was suppose to once again turn on my antivirus and antimalware programs, so I did prior to going online to post. Thanks again for your help! I am awaiting your reply Attached File(s) hijackthis.log ( 8.56k ) Number of downloads: 6 ComboFix.txt ( 15.4k ) Number of downloads: 6

JSntgRvr View Member Profile	Jan 11 2009, 01:35 AM Post #4
Distinguished Member Group: HJT Team Posts: 757 Joined: 4-March 06 From: Puerto Rico Member No.: 57,930	Hi, VVG Copy the entire contents of the Quote Box below to Notepad. Name the file as CFScript.txt Change the Save as Type to All Files and Save it on the desktop CODE Collect:: c:\windows\system32\ffkuz.dll File:: c:\windows\Tasks\liqwgbfi.job DirLook:: c:\temp\MU_Secure_Download Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report along with a Hijackthis log. Additonally, ComboFix will generate a zipped file on the C:\Qoobox\Quarantine\ called Submit [Date Time].zip Please submit this file to: http://www.bleepingcomputer.com/submit-malware.php?channel=4 Please include a link to this topic in the message. Please do an online scan with Kaspersky WebScanner Kaspersky online scanner uses JAVA tecnology to perform the scan. If you do not have the latest JAVA version, follow the instrutions below under Upgrading Java, to download and install the latest vesion. Read through the requirements and privacy statement and click on Accept button. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run. When the downloads have finished, click on Settings. Make sure the following is checked. Spyware, Adware, Dialers, and other potentially dangerous programs Archives Mail databases Click on My Computer under Scan. Once the scan is complete, it will display the results. Click on View Scan Report. You will see a list of infected items there. Click on Save Report As.... Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Please post this log in your next reply. Upgrading Java: Download the latest version of Java SE Runtime Environment (JRE) 6 Update 11. Click the "Download" button to the right. Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.". Click on Continue. Click on the link to download Windows Offline Installation (jre-6u11-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.. Close any programs you may have running - especially your web browser. Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java. Check any item with Java Runtime Environment (JRE or J2SE) in the name. Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java version. Reboot your computer once all Java components are removed. Then from your desktop double-click on the download to install the newest version.(Vista users, right click on the jre-6u11-windows-i586-p.exe) and select "Run as an Administrator.") -------------------- If I have helped you, consider making a donation to help me continue the fight against Malware!

VVG View Member Profile	Jan 11 2009, 01:52 PM Post #5
New Member Group: Members Posts: 10 Joined: 10-January 09 Member No.: 280,945	Hi JSntgRvr, I did as you said. I'm pasting the ComboFix report and the Kaspersky WebScanner results, and attaching the HijackThis Log. In case you were wondering about the MU_Secure_Download file, its on my computer because I used the University of Missouri (MU) to download a fresh copy of Symantec Endpoing. Thanks so much for your help! I'm not deleting any of the files found by Kaspersky, and am awaiting further instructions! One thing that does concern me is that the Kaspersky scanner only scanned some 150,000 files, and I know I have over 300,000 on my computer. I'm not sure if that means anything? ComboFix 09-01-10.02 - Owner 2009-01-11 1:56:53.2 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1474 [GMT -5:00] Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt AV: Symantec Endpoint Protection On-access scanning disabled (Updated) FW: Symantec Endpoint Protection disabled * Created a new restore point FILE :: c:\windows\Tasks\liqwgbfi.job . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\windows\system32\ffkuz.dll c:\windows\Tasks\liqwgbfi.job . ((((((((((((((((((((((((( Files Created from 2008-12-11 to 2009-01-11 ))))))))))))))))))))))))))))))) . 2009-01-10 21:41 . 2009-01-10 21:41 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware 2009-01-10 21:41 . 2009-01-10 21:41 <DIR> d-------- c:\documents and settings\Owner\Application Data\Malwarebytes 2009-01-10 21:41 . 2009-01-10 21:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes 2009-01-10 21:41 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys 2009-01-10 21:41 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys 2009-01-10 21:40 . 2009-01-10 21:40 <DIR> d-------- c:\program files\Trend Micro 2009-01-08 23:56 . 2009-01-08 23:56 <DIR> d-------- C:\VundoFix Backups 2009-01-08 15:30 . 2009-01-08 15:30 <DIR> d---s---- c:\documents and settings\Administrator\UserData 2009-01-08 13:52 . 2008-12-08 21:45 92,488 --a------ c:\windows\system32\drivers\SysPlant.sys 2009-01-08 13:51 . 2009-01-08 13:52 123,952 --a------ c:\windows\system32\drivers\SYMEVENT.SYS 2009-01-08 13:51 . 2009-01-08 13:52 60,800 --a------ c:\windows\system32\S32EVNT1.DLL 2009-01-08 13:51 . 2009-01-08 13:52 10,563 --a------ c:\windows\system32\drivers\SYMEVENT.CAT 2009-01-08 13:51 . 2009-01-08 13:52 805 --a------ c:\windows\system32\drivers\SYMEVENT.INF 2009-01-07 23:43 . 2009-01-09 03:13 <DIR> d-------- C:\QUARANTINE 2009-01-07 21:31 . 2009-01-07 21:31 <DIR> d-------- c:\program files\Common Files\Cisco Systems 2009-01-07 21:31 . 2006-12-19 15:06 1,495,552 --a------ c:\windows\system32\epoPGPsdk.dll 2009-01-07 16:06 . 2009-01-07 16:06 <DIR> d-------- c:\windows\Internet Logs 2009-01-07 16:04 . 2009-01-07 16:04 <DIR> d-------- c:\program files\Common Files\Deterministic Networks 2009-01-07 16:04 . 2009-01-07 16:04 <DIR> d-------- c:\program files\Cisco Systems 2009-01-07 16:04 . 2005-08-18 19:22 110,080 --a------ c:\windows\system32\drivers\dne2000.sys 2009-01-07 16:04 . 2005-08-18 19:22 94,720 --a------ c:\windows\system32\dneinobj.dll 2009-01-07 16:04 . 2009-01-07 16:06 1,592 --a------ c:\windows\VPNInstall.MIF 2009-01-07 16:03 . 2009-01-07 16:19 <DIR> d-------- c:\temp\MU_Secure_Download 2009-01-06 23:12 . 2009-01-08 15:30 <DIR> d-------- c:\documents and settings\Administrator 2009-01-06 20:10 . 2009-01-06 20:09 102,664 --a------ c:\windows\system32\drivers\tmcomm.sys 2009-01-06 20:09 . 2009-01-06 20:10 <DIR> d-------- c:\documents and settings\Owner\.housecall6.6 2009-01-06 17:22 . 2009-01-06 17:22 93 --a------ c:\windows\wininit.ini 2009-01-05 19:55 . 2009-01-05 19:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\Sling Media 2009-01-05 19:54 . 2009-01-05 19:55 <DIR> d-------- c:\program files\Sling Media . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-01-09 08:19 --------- d-----w c:\program files\SPSS 2009-01-08 18:53 --------- d-----w c:\program files\Common Files\Symantec Shared 2009-01-08 18:53 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec 2009-01-08 18:52 --------- d-----w c:\program files\Symantec 2009-01-08 02:26 --------- d-----w c:\program files\Symantec AntiVirus 2009-01-07 09:01 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2009-01-07 08:04 --------- d-----w c:\program files\Spybot - Search & Destroy 2009-01-07 05:51 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft 2009-01-07 05:50 --------- d-----w c:\program files\Lavasoft 2009-01-07 05:50 --------- d-----w c:\program files\Common Files\Wise Installation Wizard 2009-01-07 02:59 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet 2009-01-06 19:12 --------- d-----w c:\documents and settings\Owner\Application Data\dvdcss 2009-01-05 04:56 --------- d-----w c:\program files\DivX 2008-12-16 19:44 --------- d-----w c:\program files\Warcraft III 2008-12-16 19:32 2,829 ----a-w c:\windows\War3Unin.pif 2008-12-16 19:32 139,264 ----a-w c:\windows\War3Unin.exe 2008-12-09 09:07 --------- d-----w c:\program files\Sure Delete 2008-12-09 02:43 42,312 ----a-w c:\windows\system32\drivers\WPSDRVnt.sys 2008-12-09 02:43 357,704 ----a-w c:\windows\system32\sysfer.dll 2008-12-09 02:43 107,848 ----a-w c:\windows\system32\SymVPN.dll 2008-12-09 02:42 49,480 ----a-w c:\windows\system32\FwsVpn.dll 2008-11-27 02:50 --------- d-----w c:\documents and settings\Owner\Application Data\U3 2008-11-21 21:47 524,288 ----a-w c:\windows\system32\DivXsm.exe 2008-11-21 21:47 3,596,288 ----a-w c:\windows\system32\qt-dx331.dll 2008-11-21 21:46 200,704 ----a-w c:\windows\system32\ssldivx.dll 2008-11-21 21:46 1,044,480 ----a-w c:\windows\system32\libdivx.dll 2008-11-21 21:44 161,096 ----a-w c:\windows\system32\DivXCodecVersionChecker.exe 2008-11-21 21:44 12,288 ----a-w c:\windows\system32\DivXWMPExtType.dll 2008-11-18 23:17 23,888 ----a-w c:\windows\system32\drivers\COH_Mon.sys 2008-11-18 23:01 706 ----a-w c:\windows\system32\drivers\COH_Mon.inf 2008-11-18 23:01 10,537 ----a-w c:\windows\system32\drivers\coh_mon.cat 2008-11-12 08:08 --------- d-----w c:\program files\Project64 1.6 2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll 2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll 2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll 2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll 2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll 2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll 2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe 2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll 2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll 2008-10-16 01:00 666,112 ----a-w c:\windows\system32\wininet.dll . (((((((((((((((((((((((((((((((((((((((((((( Look ))))))))))))))))))))))))))))))))))))))))))))))))))))))))) . ---- Directory of c:\temp\MU_Secure_Download ---- 2009-01-06 09:03 65360959 --a------ c:\temp\MU_Secure_Download\SEP_11_M4_x32_Unmanaged.exe 2006-02-20 17:20 10939132 --a------ c:\temp\MU_Secure_Download\CiscoVPNClient4.8.00.exe ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776] "IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2005-04-08 7081984] "NeroCheck"="c:\windows\system32\\NeroCheck.exe" [2001-07-09 155648] "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-11-14 286720] "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-08-14 115560] "nwiz"="nwiz.exe" [2007-12-05 c:\windows\system32\nwiz.exe] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-10-09 113664] VPN Client.lnk - c:\windows\Installer\{24C67B54-0718-445E-B663-3138D9246BD1}\Icon3E5562ED7.ico [2009-01-07 6144] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NavLogon] [BU] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WgaLogon] [BU] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=KATRACK.DLL [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "msacm.l3fhg"= mp3fhg.acm "msacm.divxa32"= divxa32.acm "msacm.ac3filter"= ac3filter.acm [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antvirus] @="" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0] --a------ 2008-01-11 18:54 623992 c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6] --a------ 2007-04-27 16:17 50736 c:\program files\AIM6\aim6.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KeyAccess] --a------ 2006-10-09 13:00 552960 c:\windows\keyacc32.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel] --a------ 2007-06-20 12:49 451872 c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam] --a------ 2008-03-30 23:16 1271032 c:\program files\Steam\steam.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "TabletService"=2 (0x2) "mnmsrvc"=3 (0x3) "iPod Service"=3 (0x3) "Apple Mobile Device"=2 (0x2) [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-] "SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\WINDOWS\\system32\\dpvsetup.exe"= "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= "c:\\Program Files\\BitTornado\\btdownloadgui.exe"= "c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"= "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"= "c:\\WINDOWS\\keyacc32.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"= "c:\\Program Files\\Autodesk\\Backburner\\manager.exe"= "c:\\Program Files\\Autodesk\\Backburner\\server.exe"= "c:\\Program Files\\Autodesk\\3ds Max 2009\\3dsmax.exe"= "c:\\Program Files\\Mozilla Firefox\\firefox.exe"= "c:\\Program Files\\Warcraft III\\Warcraft III.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Skype\\Phone\\Skype.exe"= "c:\\Program Files\\Sling Media\\SlingPlayer\\SlingPlayer.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"= "c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"= "c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"= "c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"= R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-01-08 99376] R4 ACEDRV09;ACEDRV09;c:\windows\system32\drivers\ACEDRV09.sys [2007-09-15 110304] R4 mi-raysat_3dsMax2009_32;mental ray 3.6 Satellite for Autodesk 3ds Max 2009 32-bit 32-bit;c:\program files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe [2008-03-09 65536] R4 SlingAgentService;SlingAgentService;c:\program files\Sling Media\SlingAgent\SlingAgentService.exe [2008-12-10 88576] S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-11-18 23888] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G] \Shell\AutoRun\command - G:\LaunchU3.exe -a [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{160a40a8-9baf-11dc-bfce-00132094ee27}] \Shell\AutoRun\command - F:\LaunchU3.exe -a [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1f65925a-8132-11dd-8038-00132094ee27}] \Shell\AutoRun\command - .\Encryption Tool\MaxtorEncryption.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{37baa650-bb74-11dd-8057-00132094ee27}] \Shell\AutoRun\command - f:\wd_windows_tools\WDSetup.exe [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}] "c:\program files\Common Files\LightScribe\LSRunOnce.exe" . - - - - ORPHANS REMOVED - - - - BHO-{584983AA-F7C8-4DE7-8F32-CA89DCF40E6F} - (no file) BHO-{D0637C55-DA0B-46E9-B6EA-D5EF0DA3FF82} - (no file) . ------- Supplementary Scan ------- . uInternet Settings,ProxyOverride = .local IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\dr8dydl6.default\ FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll . *********************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-01-11 01:57:54 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ********************************************************************** . Completion time: 2009-01-11 1:59:41 ComboFix-quarantined-files.txt 2009-01-11 06:59:39 ComboFix2.txt 2009-01-11 03:06:16 Pre-Run: 169,050,456,064 bytes free Post-Run: 169,038,450,688 bytes free 231 --- E O F --- 2009-01-09 08:00:11 KASPERSKY ONLINE SCANNER 7 REPORT Sunday, January 11, 2009 Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600) Kaspersky Online Scanner 7 version: 7.0.25.0 Program database last update: Sunday, January 11, 2009 06:22:22 Records in database: 1601316 Scan settings Scan using the following database extended Scan archives yes Scan mail databases yes Scan area My Computer C:\ D:\ Scan statistics Files scanned 159358 Threat name 4 Infected objects 4 Suspicious objects 0 Duration of the scan 02:21:56 File name Threat name Threats count C:\Documents and Settings\Owner\.housecall6.6\Quarantine\hgGywVlL.dll.bac_a01380 Infected: Packed.Win32.PolyCrypt.d 1 C:\Documents and Settings\Owner\.housecall6.6\Quarantine\prunnet.exe.bac_a01380 Infected: Trojan.Win32.Agent.bcbh 1 C:\Qoobox\Quarantine\[4]-Submit_2009-01-11@1.56.zip Infected: Trojan-Downloader.Win32.Murlo.vn 1 C:\UBCD4Win\BartPE\PROGRAMS\ultravnc\vnchooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c 1 The selected area was scanned. Attached File(s)** hijackthis2.log ( 8.93k ) Number of downloads: 1

JSntgRvr View Member Profile	Jan 11 2009, 04:30 PM Post #6
Distinguished Member Group: HJT Team Posts: 757 Joined: 4-March 06 From: Puerto Rico Member No.: 57,930	Please download GooredFix and save it to your Desktop. Double-click Goored.exe to run it. Select 1. Find Goored (no fix) by typing 1 and pressing Enter. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt). Note: Do not run Option #2 yet. -------------------- If I have helped you, consider making a donation to help me continue the fight against Malware!

VVG View Member Profile	Jan 11 2009, 04:41 PM Post #7
New Member Group: Members Posts: 10 Joined: 10-January 09 Member No.: 280,945	Hi JSntgRvr, Here is the log! GooredFix v1.8 by jpshortstuff Log created at 16:40 on 11/01/2009 running Option #1 (Owner) Firefox version 3.0.4 (en-US) =====Suspect Goored Entries===== [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions] "{F6CADF43-80E8-403D-91C4-A8393C60F2BF}"="C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\{F6CADF43-80E8-403D-91C4-A8393C60F2BF}\" =====Dumping Registry Values===== [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.4\extensions] "Plugins"="C:\Program Files\Mozilla Firefox\plugins" [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.4\extensions] "Components"="C:\Program Files\Mozilla Firefox\components" [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions] "jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions] "{F6CADF43-80E8-403D-91C4-A8393C60F2BF}"="C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\{F6CADF43-80E8-403D-91C4-A8393C60F2BF}\"

JSntgRvr View Member Profile	Jan 11 2009, 07:06 PM Post #8
Distinguished Member Group: HJT Team Posts: 757 Joined: 4-March 06 From: Puerto Rico Member No.: 57,930	Please double-click GooredFix.exe on your Desktop to run it. Select "2. Fix Goored" by typing 2 and pressing Enter. Make sure all instances of Firefox are closed at this point. Type y at the prompt and press Enter again. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt). Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs. -------------------- If I have helped you, consider making a donation to help me continue the fight against Malware!

VVG View Member Profile	Jan 11 2009, 07:47 PM Post #9
New Member Group: Members Posts: 10 Joined: 10-January 09 Member No.: 280,945	Hi JSntgRvr, Here is the log: GooredFix v1.8 by jpshortstuff Log created at 19:39 on 11/01/2009 running Option #2 (Owner) Firefox version 3.0.4 (en-US) =====Goored Deletions===== [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions] "{F6CADF43-80E8-403D-91C4-A8393C60F2BF}"="C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\{F6CADF43-80E8-403D-91C4-A8393C60F2BF}\" ->Backing up value... Done. ->Deleting value... Done. C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\{F6CADF43-80E8-403D-91C4-A8393C60F2BF}\ ->Backing up folder... Done. ->Emptying folder... Done. ->Deleting folder... Failed. ->Delete on reboot... Set. =====Dumping Registry Values===== [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.4\extensions] "Plugins"="C:\Program Files\Mozilla Firefox\plugins" [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.4\extensions] "Components"="C:\Program Files\Mozilla Firefox\components" [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions] "jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" =====Reboot=====

JSntgRvr View Member Profile	Jan 11 2009, 09:21 PM Post #10
Distinguished Member Group: HJT Team Posts: 757 Joined: 4-March 06 From: Puerto Rico Member No.: 57,930	How is the computer doing? -------------------- If I have helped you, consider making a donation to help me continue the fight against Malware!

VVG View Member Profile	Jan 11 2009, 09:37 PM Post #11
New Member Group: Members Posts: 10 Joined: 10-January 09 Member No.: 280,945	Hi JSntgRvr, Everything seems to be running smoothly , Thank you!! I still do not have the ability to change options in the Remote Procedure Call process under administrative tools, but I don't if I'm meant to have that option. However, since that last fix, I have not noticed the computer making any noise or starting extra rundll32 processes. Is it okay for me to delete the viruses that are in the different quarantine folders pointed out by the Kaspersky Webscanner? Thanks again for your help. I'm glad very glad to have my computer back in working order!

JSntgRvr View Member Profile	Jan 11 2009, 09:57 PM Post #12
Distinguished Member Group: HJT Team Posts: 757 Joined: 4-March 06 From: Puerto Rico Member No.: 57,930	Hi, VVG Lets do some housekeeping. Open TrenMicro and remove the Quarantined Files. Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.) To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account. (Windows XP) 1. Turn off System Restore. On the Desktop, right-click My Computer. Click Properties. Click the System Restore tab. Check Turn off System Restore. Click Apply, and then click OK. 2. Reboot. 3. Turn ON System Restore. On the Desktop, right-click My Computer. Click Properties. Click the System Restore tab. UN-Check Turn off System Restore. Click Apply, and then click OK.. Since the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, as well as the folders created by these tools. Follow these steps to uninstall Combofix and tools used in the removal of malware Click START then RUN Now type Combofix /u in the runbox and click OK. Note the space between the x and the /u, it needs to be there. Create a Restore point (If the above process fails to do so): Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore. In the System Restore dialog box, click Create a restore point, and then click Next. Type a description for your restore point, such as "After Cleanup", then click Create. The Remote Procedure Call should be set to Automatic and all button are greyed by default. Without it most Windows' functions wont work, thus it is protected. How is it set in the computer? -------------------- If I have helped you, consider making a donation to help me continue the fight against Malware!

VVG View Member Profile	Jan 11 2009, 10:12 PM Post #13
New Member Group: Members Posts: 10 Joined: 10-January 09 Member No.: 280,945	Thanks JSntgRvr, I have performed all of the steps. The Remote Procedure Call is set to Automatic and everything is greyed out, so everything seems to check out fine. I was a little surprised that this infection happened, as I had Spy-Bot and Symantec running the entire time and did not manually execute any files. Do you have any suggestions on any software I should download to prevent further attacks in the future? (I'm running the default Windows Firewall, so I don't know how effective that is...) Thanks again. You guys perform a wonderful service, and I'm trully grateful for your help!

JSntgRvr View Member Profile	Jan 12 2009, 03:32 PM Post #14
Distinguished Member Group: HJT Team Posts: 757 Joined: 4-March 06 From: Puerto Rico Member No.: 57,930	Hi, VVG There is no defense against new variants. Only by observing good practices while online you will be able to protect yourself. The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again. Spybot Search & Destroy - Uber powerful tool which can search and annhilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections. AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy compliment each other very well. SpywareBlaster - Great prevention tool to keep nasties from installing on your system. ZonedOut + IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all. ATF! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders. Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there. Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows. Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN) ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed. Recovery Console - Recent trends appear to indicate that future infections will include attacks to the boot sector of the computer. The installation of the Recovery Console in the computer will be our only defense against this threat. For more information and steps to install the Recovery Console see This Article. Should you need assistance in installing the Recovery Console, please do not hesitate to ask. To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein and this one by Miekiemoes. Best wishes! -------------------- If I have helped you, consider making a donation to help me continue the fight against Malware!

JSntgRvr View Member Profile	Jan 18 2009, 04:16 AM Post #15
Distinguished Member Group: HJT Team Posts: 757 Joined: 4-March 06 From: Puerto Rico Member No.: 57,930	Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic. -------------------- If I have helped you, consider making a donation to help me continue the fight against Malware!

« Next Oldest · HijackThis Logs and Virus/Trojan/Spyware/Malware Removal · Next Newest »

1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)

0 Members:

Advertise \| About Us \| Terms of Use \| Privacy Policy \| Contact Us \| Site Map \| Chat \| Tutorials \| Uninstall List \| Virus Removal Guides
Discussion Forums \| The Computer Glossary \| Resources \| RSS Feeds \| Startups \| The File Database \| Malware Removal Guides Archive