
Infected With Repeated Occurance Of Virtumonde


  • This topic is locked
12 replies to this topic

#1 Ashok_Chandra

Ashok_Chandra

  • Members
  • 31 posts
  • OFFLINE
  • Local time:09:03 AM

Posted 31 January 2008 - 01:42 PM

I have a Virtumonde trojan in my PC. Using the existing PC Tools software, Ad-Aware and Spybot tools, it seems like all the related traces are deleted. However, after browsing a website by opening Internet Explorer and searching for any infections in the PC, the trojan reappears. Despite repeated removals, the trojan is still present in the system. It disguises itself under various file names such as hhxxxgg.dll, etc. under the path "C:\windows\system32", and there are also some files placed in the System Volume Information as well. I'd be grateful for any help any of you can extend. Till now I haven't faced the acute problem of system reboots or slowdown in system performance. Maybe it is the next step if I don't get rid of the trojan at the earliest.

Pasting the log generated by the HijackThis software.

Note: I have checked in the "Add/Remove Programs" and have found that I don't have any version of Java runtime software installed.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:54:53 PM, on 1/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5700.0006)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\DWRCS.EXE
C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
C:\Program Files\CA\eTrustITM\InoRpc.exe
C:\Program Files\CA\eTrustITM\InoRT.exe
C:\Program Files\CA\eTrustITM\InoTask.exe
C:\Program Files\CA\SharedComponents\PPRealtime\bin\ITMRTSVC.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
E:\Program Files\Spyware Doctor\pctsAuxs.exe
E:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\DWRCST.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CA\eTrustITM\realmon.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
E:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\System32\igfxsrvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=552...cid={SUB_CLCID}
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?linkid=54834
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.18.88.88:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.satyam.*;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrustITM\realmon.exe" -s
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [ISTray] "E:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [status] present
O4 - HKLM\..\Policies\Explorer\Run: [winlogon] C:\heap41a\svchost.exe C:\heap41a\std.txt
O4 - HKCU\..\Policies\Explorer\Run: [1] \\ctpadc001\\netlogon\safeimp.vbs
O4 - HKCU\..\Policies\Explorer\Run: [2] \\ctpadc001\netlogon\bcp.exe
O4 - HKCU\..\Policies\Explorer\Run: [3] \\ctpadc001\netlogon\ctp-profile.bat
O4 - HKCU\..\Policies\Explorer\Run: [4] \\ctpadc001\NETLOGON\proxy.vbs
O4 - HKUS\S-1-5-19\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BF17C411-9ADA-4C73-B12C-BD814BDE187F} (ScheduleServices.CtlScheduleServices) - http://slw.satyam.com/SatyamLearningWorld/...uleServices.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.satyam.ad
O17 - HKLM\Software\..\Telephony: DomainName = corp.satyam.ad
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.satyam.ad
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\system32\DWRCS.EXE
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iTechnology iGateway 4.2 (iGateway) - CA, Inc. - C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
O23 - Service: eTrust ITM RPC Service (InoRPC) - CA - C:\Program Files\CA\eTrustITM\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Service (InoRT) - CA - C:\Program Files\CA\eTrustITM\InoRT.exe
O23 - Service: eTrust ITM Job Service (InoTask) - CA - C:\Program Files\CA\eTrustITM\InoTask.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRealtime\bin\ITMRTSVC.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - E:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - E:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 8516 bytes

#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:10:33 PM

Posted 31 January 2008 - 05:18 PM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

Please download ComboFix and save it to your desktop.

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 Ashok_Chandra

Ashok_Chandra
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Local time:09:03 AM

Posted 02 February 2008 - 05:21 AM

Dear Sam,

I'd like to thank you for your response. As suggested in the reply I ran "Combofix.exe" and below is the log generated by the same. Will await further response from you on the interpretation of this log file.

Regards
Ashok.
---------------

ComboFix 08-02.02.5 - AG55749 2008-02-02 15:31:52.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1500 [GMT 5.5:30]
Running from: C:\Documents and Settings\ag55749\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-02 to 2008-02-02 )))))))))))))))))))))))))))))))
.

2008-01-31 23:53 . 2008-01-31 23:53 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-31 21:07 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-01-31 20:35 . 2008-01-31 21:25 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-31 20:35 . 2008-01-31 20:35 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-01-31 20:35 . 2008-01-31 20:35 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-31 20:35 . 2008-01-31 20:35 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-31 14:35 . 2008-02-01 23:03 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-01-31 01:34 . 2008-01-31 09:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-31 00:55 . 2008-02-02 15:34 <DIR> d-------- C:\MDT
2008-01-31 00:55 . 2008-01-31 00:55 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\CyberLink
2008-01-31 00:51 . 2008-01-31 00:51 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-31 00:51 . 2008-01-31 00:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-31 00:23 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-01-31 00:23 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-01-31 00:23 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-01-31 00:00 . 2008-01-31 00:00 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2008-01-29 22:38 . 2008-01-29 22:38 <DIR> d-------- C:\Documents and Settings\ag55749\Application Data\Nero
2008-01-29 22:34 . 2008-01-30 18:38 <DIR> d-------- C:\Program Files\Common Files\Nero
2008-01-29 22:34 . 2008-01-30 18:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-01-26 20:16 . 2008-01-26 20:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2008-01-26 20:16 . 2008-01-26 20:17 <DIR> d-------- C:\Documents and Settings\ag55749\Application Data\CyberLink
2008-01-25 21:31 . 2008-02-02 15:34 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-25 21:31 . 2008-01-25 21:31 <DIR> d-------- C:\Documents and Settings\ag55749\Application Data\PC Tools
2008-01-25 21:31 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-01-25 21:31 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-01-25 21:31 . 2007-12-10 14:53 41,864 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-01-25 21:31 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-01-25 15:48 . 2008-01-25 15:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Dell
2008-01-25 15:48 . 2006-10-20 17:23 44,544 --a------ C:\WINDOWS\system32\msxml4a.dll
2008-01-25 15:47 . 2008-01-25 15:47 <DIR> d-------- C:\Program Files\CyberLink
2008-01-25 15:47 . 2006-10-20 17:23 1,047,552 --a------ C:\WINDOWS\system32\MFC71u.dll
2008-01-25 15:47 . 2006-10-20 17:23 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2008-01-22 17:35 . 2006-10-26 19:58 30,512 --a------ C:\WINDOWS\system32\mdimon.dll
2008-01-22 17:28 . 2008-01-22 17:29 683 --a------ C:\WINDOWS\system32\DWRCCMDError.ini
2008-01-22 17:26 . 2007-10-30 12:42 233,472 --a------ C:\WINDOWS\system32\DWRCSET.dll
2008-01-22 17:26 . 2007-10-30 12:42 225,792 --a------ C:\WINDOWS\system32\DWRCS.EXE
2008-01-22 17:26 . 2007-10-30 12:42 74,240 --a------ C:\WINDOWS\system32\DWRCST.EXE
2008-01-22 17:26 . 2007-10-30 12:42 53,248 --a------ C:\WINDOWS\system32\DWRCK.DLL
2008-01-22 17:26 . 2004-07-01 09:22 714 --a------ C:\WINDOWS\system32\DWRCST.exe.manifest
2008-01-20 19:33 . 2008-01-22 10:50 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-01-12 23:06 . 2008-01-12 23:06 <DIR> d-------- C:\Documents and Settings\ag55749\Application Data\pdf995
2008-01-12 23:06 . 2008-01-12 23:06 28 --a------ C:\WINDOWS\pdf995.ini
2008-01-12 23:04 . 2008-01-12 23:05 <DIR> d-------- C:\Program Files\pdf995
2008-01-12 23:04 . 2008-01-30 22:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\pdf995
2008-01-12 23:04 . 2008-01-12 23:04 249,856 --a------ C:\WINDOWS\system32\pdfmona.dll
2008-01-12 23:04 . 2008-01-12 23:04 51,716 --a------ C:\WINDOWS\system32\pdf995mon.dll
2008-01-12 23:04 . 2008-01-30 22:15 60 --a------ C:\WINDOWS\wpd99.drv
2008-01-11 15:41 . 2008-01-11 15:41 <DIR> d-------- C:\Program Files\MSBuild
2008-01-11 11:02 . 2008-01-04 18:41 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intel
2008-01-09 15:01 . 2008-01-09 15:01 53,248 --a------ C:\WINDOWS\bdoscandel.exe
2008-01-09 15:01 . 2008-01-09 15:01 453 --a------ C:\WINDOWS\bdoscandellang.ini
2008-01-08 22:50 . 2008-01-08 22:50 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-01-08 12:36 . 2007-07-09 18:39 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-01-06 00:02 . 2004-08-03 23:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-01-04 21:12 . 2008-01-04 21:12 <DIR> d-------- C:\Program Files\D-Link DSLs
2008-01-04 19:45 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-01-04 19:45 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-01-04 19:45 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-01-04 19:45 . 2001-08-17 14:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2008-01-04 19:31 . 2008-01-04 18:41 <DIR> d-------- C:\Documents and Settings\ag55749\Application Data\Intel
2008-01-04 19:19 . 2003-03-18 21:20 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2008-01-04 19:19 . 2003-03-18 20:14 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-01-04 19:19 . 2003-02-21 04:42 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2008-01-04 19:17 . 2008-01-04 19:18 <DIR> d-------- C:\Program Files\CA
2008-01-04 19:13 . 2008-01-20 19:33 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-01-04 19:08 . 2008-01-04 19:08 <DIR> d-------- C:\WINDOWS\SchCache
2008-01-04 19:00 . 2008-01-12 20:36 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-01-04 18:54 . 2008-01-04 18:54 <DIR> d-------- C:\Program Files\Microsoft Office Communicator
2008-01-04 18:53 . 2008-01-11 15:41 <DIR> d-------- C:\Program Files\Microsoft Works
2008-01-04 18:49 . 2008-01-11 15:40 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-01-04 18:49 . 2008-01-22 17:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-01-04 18:48 . 2008-01-04 18:48 <DIR> dr-h----- C:\MSOCache
2008-01-04 18:46 . 2008-01-04 18:46 <DIR> d-------- C:\Program Files\SigmaTel
2008-01-04 18:46 . 2008-01-04 18:46 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2008-01-04 18:43 . 2008-01-04 18:43 <DIR> d-------- C:\Program Files\CONEXANT
2008-01-04 18:42 . 2005-12-01 01:40 936,960 --a------ C:\WINDOWS\system32\drivers\HSX_DPV.sys
2008-01-04 18:42 . 2005-12-01 01:40 669,696 --a------ C:\WINDOWS\system32\drivers\HSX_CNXT.sys
2008-01-04 18:42 . 2005-12-01 01:40 192,512 --a------ C:\WINDOWS\system32\drivers\HSXHWAZL.sys
2008-01-04 18:42 . 2005-11-30 23:39 141,497 --a------ C:\WINDOWS\system32\drivers\del1028.cty
2008-01-04 18:42 . 2005-11-15 23:41 114,688 --a------ C:\WINDOWS\system32\Uci32103.dll
2008-01-04 18:41 . 2008-01-04 18:41 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Intel
2008-01-04 18:41 . 2008-01-04 18:41 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Intel
2008-01-04 18:41 . 2008-01-04 18:41 <DIR> d-------- C:\Documents and Settings\Default User\Application Data\Intel
2008-01-04 18:41 . 2008-01-04 18:41 <DIR> d-------- C:\Documents and Settings\admin\Application Data\Intel
2008-01-04 18:41 . 2008-01-04 18:41 319,488 --a------ C:\WINDOWS\system32\AegisI5Installer.exe
2008-01-04 18:41 . 2008-01-04 18:41 21,425 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2008-01-04 18:40 . 2008-01-04 18:40 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Intel
2008-01-04 18:40 . 2008-01-04 18:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Intel
2008-01-04 18:40 . 2006-10-19 09:31 2,732,032 --a------ C:\WINDOWS\system32\NETw3r32.dll
2008-01-04 18:40 . 2006-10-17 11:55 1,711,104 --a------ C:\WINDOWS\system32\drivers\NETw3x32.sys
2008-01-04 18:40 . 2006-10-19 09:30 561,152 --a------ C:\WINDOWS\system32\NETw3c32.dll
2008-01-04 18:38 . 2005-12-13 17:40 135,168 --a------ C:\WINDOWS\system32\igfxres.dll
2008-01-04 18:36 . 2008-01-04 18:36 <DIR> d---s---- C:\WINDOWS\system32\Microsoft
2008-01-04 18:26 . 2008-01-04 18:26 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-01-04 18:25 . 2004-08-04 00:56 2,897,920 --------- C:\WINDOWS\system32\xpsp2res.dll
2008-01-04 18:24 . 2005-06-28 10:21 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-01-04 18:23 . 2008-01-04 18:23 <DIR> d-------- C:\WINDOWS\EHome
2008-01-04 18:11 . 2008-01-25 15:47 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-01-04 18:11 . 2004-08-03 23:07 119,936 --a------ C:\WINDOWS\system32\drivers\pcmcia.sys
2008-01-04 18:09 . 2008-01-04 18:40 <DIR> d-------- C:\Program Files\Intel

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-04 12:23 --------- d-----w C:\Program Files\microsoft frontpage
2007-12-14 06:02 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\System32\igfxtray.exe" [2005-12-13 17:44 98304]
"igfxhkcmd"="C:\WINDOWS\System32\hkcmd.exe" [2005-12-13 17:41 77824]
"igfxpers"="C:\WINDOWS\System32\igfxpers.exe" [2005-12-13 17:45 118784]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-18 18:04 802816]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 17:58 696320]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 17:30 282624 C:\WINDOWS\stsystra.exe]
"Realtime Monitor"="C:\Program Files\CA\eTrustITM\realmon.exe" [2007-01-16 21:27 407632]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"PDVDDXSrv"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 17:23 118784]
"ISTray"="E:\Program Files\Spyware Doctor\pctsTray.exe" [2007-12-10 14:53 1103752]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Communicator"="C:\Program Files\Microsoft Office Communicator\Communicator.exe" [2005-05-12 12:40 4167376]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2008-01-04 18:52:46 106560]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"status"= present

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"1"= \\ctpadc001\\netlogon\safeimp.vbs
"2"= \\ctpadc001\netlogon\bcp.exe
"3"= \\ctpadc001\netlogon\ctp-profile.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=%logonserver%\NETLOGON\AVADMIN.CMD

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\1\0]
"Script"=\\cscadc001\netlogon\lptp-ladmin.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\2\0]
"Script"=%logonserver%\NETLOGON\AVADMIN.CMD

R1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;C:\WINDOWS\system32\DRIVERS\dwvkbd.sys [2007-02-16 03:00]
R3 DwMirror;DwMirror;C:\WINDOWS\system32\DRIVERS\DamewareMini.sys [2007-02-08 03:00]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-02 15:34:56
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\DWRCS.EXE
C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
C:\Program Files\CA\eTrustITM\InoRpc.exe
C:\Program Files\CA\eTrustITM\InoRT.exe
C:\Program Files\CA\eTrustITM\InoTask.exe
C:\Program Files\CA\SharedComponents\PPRealtime\bin\ITMRTSVC.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
E:\Program Files\Spyware Doctor\pctsAuxs.exe
E:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\DWRCST.exe
C:\Program Files\CA\eTrustITM\ppcl.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\CA\eTrustITM\ppcl.exe
C:\WINDOWS\System32\igfxsrvc.exe
C:\WINDOWS\system32\userinit.exe
.
**************************************************************************
.
Completion time: 2008-02-02 15:35:57 - machine was rebooted
.
2008-02-02 06:20:43 --- E O F ---

#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:10:33 PM

Posted 02 February 2008 - 09:05 AM

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.


=================



Flush your System Restore. This will delete any restore points that you have, but it will also make sure that any malware hiding in System Restore will be booted off.

Turn off System Restore:
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
Restart your computer, turn it back on and create a restore point.

Create a restore point:
  • Click Start and point to All Programs.
  • Mouse over Accessories, then System Tools, and select System Restore.
  • In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.
  • Type a description for your new restore point. Something like "After cleanup". Click Create and you're done.


==================



Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under "Select a target to scan", select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#5 Ashok_Chandra

Ashok_Chandra
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Local time:09:03 AM

Posted 03 February 2008 - 08:19 AM

After following further instructions and doing the needful, Kaspersky gave a verdict that my computer is infected and below is the log file generated by the online scanner.

Truly appreciate your help thus far.

KASPERSKY ONLINE SCANNER REPORT
2008-02-03 18:40
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 3/02/2008
Kaspersky Anti-Virus database records: 546327


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\
E:\

Scan Statistics
Total number of scanned objects 27157
Number of viruses found 1
Number of infected objects 2
Number of suspicious objects 0
Duration of the scan process 00:34:00

Infected Object Name Virus Name Last Action
E:\My Documents\Software\Nero\8.2.8.0\Nero-8.2.8.0_eng_update.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped

E:\My Documents\Software\Nero\8.2.8.0\Nero-8.2.8.0_eng_update.exe 7-Zip: infected - 1 skipped

Scan process completed.

#6 Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:10:33 PM

Posted 03 February 2008 - 10:14 AM

That scan doesn't show an active infection on your computer, but you can delete this file just to be safe.

E:\My Documents\Software\Nero\8.2.8.0\Nero-8.2.8.0_eng_update.exe

How is your computer behaving now?
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#7 Ashok_Chandra

  • Topic Starter

  • Members
  • 31 posts
  • Local time:09:03 AM

Posted 03 February 2008 - 11:55 AM

I have deleted all the files and the folder "E:\My Documents\Software\Nero\8.2.8.0\Nero-8.2.8.0_eng_update.exe" and repeated the steps from "Turn off System Restore", and then created a system restore point again. After this I ran the "Kaspersky Online Scanner" and it showed that there was no more malware identified/detected on my computer. I am sending you the log report just in case.

I am assuming that from now on there will not be any recurrence of the Virtumonde trojan problem. I feel that my system is working fast, as it did before.

Please let me know if everything looks alright from the log report and whether I can continue work as usual. Also, I would care for a bit of advice from you on the PC security that I should adopt. Currently, I have eTrust Antivirus software installed, and I have "PC Tools Spyware Doctor" and "Ad-Aware" to help me out with the initial scans. Is there something which I might be missing that'd help make security on my PC a bit better? Please comment.

-----------
KASPERSKY ONLINE SCANNER REPORT
2008-02-03 20:47
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 3/02/2008
Kaspersky Anti-Virus database records: 546374


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\
E:\

Scan Statistics
Total number of scanned objects 27218
Number of viruses found 0
Number of infected objects 0
Number of suspicious objects 0
Duration of the scan process 00:32:35

Infected Object Name Virus Name Last Action
Scan process completed.

#8 Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:10:33 PM

Posted 03 February 2008 - 11:59 PM

Looks good to me! :thumbsup:
You will want to get your recovery console installed. Check this link for info on how to do that.

http://www.bleepingcomputer.com/tutorials/how-to-install-the-windows-xp-recovery-console/


================



And finally, let's get rid of Combofix now that we're done with it.
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK

  • When shown the disclaimer, Select "2"
The above procedure will:
  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.

=================


Here are some steps you can take to prevent reinfection.


Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to enable and reenable system restore here:

    Windows XP System Restore Guide

    Re-enable system restore with instructions from the tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with the program on a regular basis, in conjunction with Spybot, just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

:wacko: :blink:
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================
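An added example, not from the thread or from BleepingComputer, that audits the Internet-zone settings listed in the post above by reading the registry values behind them rather than clicking through the dialog. The mapping of registry value names (URLAction IDs) to the dialog entries is an assumption taken from Microsoft's documentation of the Internet Explorer zone registry entries; check it there before relying on the report.

```powershell
# Added example (not the poster's or the forum's code). Reads the per-user
# Internet zone (Zone 3) settings and compares them with the values the post
# recommends. Assumption: IDs below follow Microsoft's documented zone entries,
# with 0 = Enable, 1 = Prompt, 3 = Disable. A value that is absent from the
# registry means IE is using its built-in default for that setting.
$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

$Recommended = [ordered]@{
    '1001' = @{ Name = 'Download signed ActiveX controls';                          Want = 1 }
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                        Want = 3 }
    '1201' = @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 }
    '1800' = @{ Name = 'Installation of desktop items';                             Want = 1 }
    '1804' = @{ Name = 'Launching programs and files in an IFRAME';                 Want = 1 }
    '1607' = @{ Name = 'Navigate sub-frames across different domains';              Want = 1 }
}
$Label = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Test-InternetZone {
    # One object per setting: what is set now, what the post recommends, and whether they match.
    $props = Get-ItemProperty -Path $ZonePath -ErrorAction Stop
    foreach ($id in $Recommended.Keys) {
        $raw = $props.$id
        $current = if ($null -eq $raw) { $null } else { [int]$raw }
        $shown = if ($null -eq $current) { 'not set (IE default)' }
                 elseif ($Label.ContainsKey($current)) { $Label[$current] }
                 else { "raw $current" }
        [pscustomobject]@{
            Id          = $id
            Setting     = $Recommended[$id].Name
            Current     = $shown
            Recommended = $Label[$Recommended[$id].Want]
            Matches     = ($current -eq $Recommended[$id].Want)
        }
    }
}

$report = Test-InternetZone
$report | Format-Table -AutoSize
$drift = @($report | Where-Object { -not $_.Matches })
if ($drift.Count -gt 0) {
    "Settings not matching the post's recommendation: $($drift.Id -join ', ')"
} else {
    'All listed Internet-zone settings match the post.'
}
```

Running this again after cleanup is a quick way to spot malware or a later install silently loosening the zone settings.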

#9 Ashok_Chandra

Ashok_Chandra
  • Topic Starter

  • Members
  • 31 posts

Posted 04 February 2008 - 11:09 AM

Thanks a lot for your valuable advice. I will ensure the same and strictly adhere to it.

By the way, when I tried uninstalling Combofix as per the steps described, the system is not able to find the file. Possibly because I have moved the location to another drive. And when I tried to copy it back to my desktop and tried the command "Combofix /u", a prompt appeared to "Run" / "Cancel". When I clicked RUN in anticipation that a disclaimer will be shown so as to facilitate me to select 2, then to my surprise the disclaimer did not appear; however, a message popped up on my "PC Tools Spyware Doctor" stating that "Trojan.NirCmd" was detected and that Spyware Doctor has blocked an application attempting to access the file. I have attached a snapshot of the infection in the Word document that I am sending.

Also, in the first snapshot you will find the list of files/folders which showed up when I did a search for "Combofix". Hope this helps to assess whether my computer is again re-infected with another kind of Trojan or if I'm ok.

Also please describe as to how I can uninstall "Combofix"

Best Regards
Ashok




#10 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 05 February 2008 - 08:48 AM

You can just delete the file - combofix.exe

Spyware Doctor and a few other programs will falsely detect combofix as suspicious. It's well documented and not anything to be concerned about. You're ok. :thumbsup:

#11 Ashok_Chandra

Ashok_Chandra
  • Topic Starter

  • Members
  • 31 posts

Posted 06 February 2008 - 01:51 PM

I'm truly grateful for the advice and help I received all along that helped get rid of a problem that was making my life miserable on the net.

I have now understood the problem and the deep menace a lot of innocent users face over the internet and I request you to please accept my modest donation to keep the good cause going. It is in no way a true recognition of the service you are extending to a community on the web which I'm sure is bringing back smiles to a lot of ignorant people like me out there; however, I'd strongly urge you to carry on with this noble cause.

I wish you all the best in your endeavors.

Have a nice day. :thumbsup:

#12 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 06 February 2008 - 10:21 PM

Thank you. Your donation and kind words are both very much appreciated.
I will keep your thread open for a couple weeks just in case you run into any problems.

Take care! :thumbsup:

#13 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 01 March 2008 - 08:02 AM

Now that your problem appears to be resolved, this thread will be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request.
