Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Help Windows Xp Home Edition


  • This topic is locked This topic is locked
10 replies to this topic

#1 FutureMarine

FutureMarine

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:02:27 AM

Posted 09 June 2008 - 02:26 AM

Hi Everybody.

I recently have ran a program and it basically installed trojans or virus I don't know. Most which I already got rid of. But I guess went delete crazy, and well...it started acting weirdly. When I tried to open System from controlpanel it said something about rundll32.exe. And also, anything that had .exe didn't work right. Like Mozilla Firefox, when I click on it, it asks what program to open it with. But I could access cmd.exe by right-clicking and running as and unchecking protect from virus etc. I found two remaining programs installed by them, it was csrssc.exe and spools.exe; which aren't the ones that windows uses, at least I don't think so.

I deleted spools.exe, it was in the system32 folder, but it wasn't the spoolsv.exe that windows uses so I thought I was good. But still, the darn .exe's wouldn't open right. And during this time I couldn't get into the "Folder Options" and also edit the registry. So trying to think like a smart person, I went ahead and searched alternates for Regedit.exe, but none showed up when I searched "regedit alternatives" on google. So, I thought maybe it renamed it, so I used "dir reg*.exe" on command prompt at the systems32 directory. And I found regedt32.exe and regwiz.exe but no Regedit.exe. I tried to find one, found none. Again trying to think smart, I thought maybe I deleted a process of some sort, so I searched for something to recover files, and stumbled upon combofix and afterwards this site and the combofix tutorial.

I used it, even tho on the top I can see, I guess I'm not qualified to use it...anyways, I got this log :

ComboFix 08-06-08.5 - Owner 2008-06-08 20:10:34.1 - NTFSx86 MINIMAL

Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\winxpsp1_en_hom_bf.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner\Application Data\DriveCleaner 2006 Free
C:\Documents and Settings\Owner\Application Data\DriveCleaner 2006 Free\Logs\update.log
C:\WINDOWS\BM53ed09c1.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\bmf.cs
C:\WINDOWS\system32\bzsqlpa.sys
C:\WINDOWS\system32\ccs.so
C:\WINDOWS\system32\dqsnoonl.ini
C:\WINDOWS\system32\drvtot.dll
C:\WINDOWS\system32\ho.ln
C:\WINDOWS\system32\ko.o
C:\WINDOWS\system32\mn.n
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\ntpl.bin
C:\WINDOWS\system32\nvrsma.dll
C:\WINDOWS\system32\ssqOIBQh.dll
C:\WINDOWS\system32\WDgNqBeg.ini
C:\WINDOWS\system32\WDgNqBeg.ini2
C:\WINDOWS\system32\wtgdsusw.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_bzsqlpa


((((((((((((((((((((((((( Files Created from 2008-05-09 to 2008-06-09 )))))))))))))))))))))))))))))))
.

2008-06-08 19:18 . 2004-08-04 12:00 33,280 --a------ C:\WINDOWS\system32\rundll32.exe
2008-06-08 19:06 . 2004-08-04 12:00 3,584 --a------ C:\WINDOWS\system32\regedit32.exe
2008-06-08 09:35 . 2008-06-08 09:35 <DIR> d--h----- C:\WINDOWS\PIF
2008-06-08 09:17 . 2008-06-08 09:17 82,944 --a------ C:\WINDOWS\system32\lnoonsqd.dll
2008-06-08 09:14 . 2008-06-08 09:14 96,256 --a------ C:\WINDOWS\system32\mibfjgdn.dll
2008-06-08 09:14 . 2008-06-08 09:14 91,648 --a------ C:\WINDOWS\system32\oklgemvk.dll
2008-06-07 20:59 . 2008-06-07 20:59 82,944 --a------ C:\WINDOWS\system32\wsusdgtw.dll
2008-06-07 20:55 . 2008-06-07 12:34 7,680 --a------ C:\Documents and Settings\LocalService\cftmon.exe
2008-06-07 20:22 . 2008-06-07 20:23 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-06-07 12:39 . 2008-06-07 12:39 281,088 --a------ C:\WINDOWS\system32\geBqNgDW.dll
2008-06-07 12:34 . 2008-06-07 12:34 31,744 --a------ C:\WINDOWS\system32\winkve32.dll
2008-06-07 12:34 . 2008-06-07 12:34 10,000 --a------ C:\WINDOWS\system32\jfiehayd.dll
2008-06-07 12:34 . 2008-06-07 12:34 145 --a------ C:\WINDOWS\system32\winver.bat
2008-06-06 20:30 . 2008-06-06 20:34 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\QQ Games Plugin
2008-06-06 20:26 . 2008-06-06 20:27 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\acccore
2008-06-06 20:22 . 2008-06-06 20:22 <DIR> d-------- C:\Program Files\Tencent
2008-06-06 20:20 . 2008-06-06 22:19 <DIR> d-------- C:\Program Files\AIMTunes
2008-06-06 20:20 . 2008-06-06 20:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-06-06 20:20 . 2008-06-06 20:20 21 --a------ C:\WINDOWS\atid.ini
2008-06-06 20:18 . 2008-06-06 20:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-06-06 20:17 . 2008-06-06 20:27 <DIR> d-------- C:\Program Files\AIM6
2008-06-05 13:48 . 2008-06-05 13:48 713 --a------ C:\Change_files_to_text.bat
2008-06-01 14:05 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-06-01 13:52 . 2008-06-01 13:52 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Sony Setup
2008-05-27 21:03 . 2008-05-27 21:18 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\IMVU
2008-05-27 21:02 . 2008-05-27 21:07 <DIR> d-------- C:\Program Files\IMVU
2008-05-27 19:00 . 2008-06-07 11:09 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-27 19:00 . 2008-05-27 19:00 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-26 10:13 . 2008-05-26 10:13 <DIR> d-------- C:\Program Files\ASCII
2008-05-26 10:13 . 2001-04-11 04:47 80,384 --a------ C:\WINDOWS\gamedelete.exe
2008-05-18 05:26 . 2008-05-18 05:26 265,728 --a------ C:\WINDOWS\system32\MSCOMCTL.oca
2008-05-18 05:26 . 2008-05-18 05:26 28,672 --a------ C:\WINDOWS\system32\ChameleonButton.oca
2008-05-13 21:28 . 2008-05-13 21:28 <DIR> d-------- C:\WINDOWS\2BE9075D2CB6451094A328E72290FC60.TMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-08 21:19 --------- d-----w C:\Program Files\Pure Networks
2008-06-07 03:18 --------- d-----w C:\Program Files\Viewpoint
2008-06-07 03:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-06-07 03:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-06-06 22:00 --------- d-----w C:\Program Files\Norton Security Scan
2008-06-04 23:41 --------- d-----w C:\Program Files\MoparScape
2008-05-31 23:55 7,748 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2008-05-26 17:28 --------- d-----w C:\Program Files\LimeWire
2008-05-19 05:03 --------- d-----w C:\Program Files\Audacity
2008-05-15 00:43 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-15 00:38 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-05-14 04:28 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-07 00:54 --------- d-----w C:\Program Files\Paint.NET
2008-04-30 22:52 --------- d-----w C:\Program Files\Common Files\xing shared
2008-04-30 22:51 --------- d-----w C:\Program Files\Common Files\Real
2008-04-27 03:19 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-18 04:56 --------- d-----w C:\Program Files\SCAR 3.15
2008-04-18 04:03 --------- d-----w C:\Program Files\SCAR 3.13
2008-04-15 00:47 --------- d-----w C:\Documents and Settings\Owner\Application Data\LimeWire
2006-12-02 21:53 890 ----a-w C:\Documents and Settings\Luvas r coo!\Application Data\wklnhst.dat
2006-11-29 15:56 778 ----a-w C:\Documents and Settings\jethro\Application Data\wklnhst.dat
.
Infected C:\WINDOWS\system32\user32.dll hex repaired


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{41B95375-EEC4-4E4E-AA58-077FA86FE4D1}]
2008-06-07 12:39 281088 --a------ C:\WINDOWS\system32\geBqNgDW.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fc0d0042-56d0-4156-bacd-e76685c31eef}]
2008-06-08 09:14 96256 --a------ C:\WINDOWS\system32\mibfjgdn.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nvcpldaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-09-18 09:32 7204864]
"mskagentexe"="C:\PROGRA~1\mcafee\SPAMKI~1\mskagent.exe" [2005-09-26 11:26 110592]
"mcupdateexe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [2005-08-26 15:26 212992]
"mcagentexe"="c:\PROGRA~1\mcafee.com\agent\McAgent.exe" [2005-07-01 20:22 303104]
"50de3a5d"="C:\WINDOWS\system32\lnoonsqd.dll" [2008-06-08 09:17 82944]
"BM53ed09c1"="C:\WINDOWS\system32\oklgemvk.dll" [2008-06-08 09:14 91648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 12:00 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2006-06-18 20:59:36 256000]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
2Wire Wireless Client.lnk - C:\Program Files\2Wire 802.11g Wireless\PRISMCFG.exe [2006-11-14 11:29:23 335979]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]
BigFix.lnk - C:\Program Files\BigFix\bigfix.exe [2006-02-01 02:31:24 2168360]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-01-13 23:32:35 67128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winkve32]
winkve32.dll 2008-06-07 12:34 31744 C:\WINDOWS\system32\winkve32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= C:\PROGRA~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jdgf894jrghoiiskd]
C:\DOCUME~1\Owner\LOCALS~1\Temp\winlogan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jnskdfmf9eldfd]
C:\DOCUME~1\Owner\LOCALS~1\Temp\csrssc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\mcafeefirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\EliteSwitch\\EliteSwitch.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"=
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\Common Files\\AOL\\1138786303\\EE\\AOLServiceHost.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"C:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\2Wire 802.11g Wireless\\PRISMCFG.exe"=
"C:\\Program Files\\2Wire\\2PortalMon.exe"=
"C:\\Program Files\\Covey Inc\\EliteSwitch\\EliteSwitch.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"43594:TCP"= 43594:TCP:Server
"45394:TCP"= 45394:TCP:SmokeyScape


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\autorun.exe
\Shell\readit\command - notepad readme.doc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0fb21758-00f2-11dc-b325-0060b34c793d}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0fb21759-00f2-11dc-b325-0060b34c793d}]
\Shell\AutoRun\command - setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7a388d45-c476-11da-a434-806d6172696f}]
\shell\autorun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7a388d46-c476-11da-a434-806d6172696f}]
\shell\autorun\command - E:\autorun.exe
\shell\readit\command - notepad readme.doc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cc3e7da9-9a4e-11da-831d-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

.
Contents of the 'Scheduled Tasks' folder
"2008-05-26 10:00:00 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
- C:\Program Files\AdwareAlert\AdwareAlert.ex
- C:\Program Files\AdwareAlert
"2008-06-07 18:47:11 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-06 22:00:21 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
"2008-06-08 17:14:50 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
"2008-05-26 10:00:00 C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job"
- C:\Program Files\SpywareBot\SpywareBot.ex
- C:\Program Files\SpywareBot
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-08 20:26:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\dqsnoonl.ini

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\winkve32.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\PRISMSVR.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
**************************************************************************
.
Completion time: 2008-06-08 20:39:17 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-09 03:38:31

Pre-Run: 28,737,531,904 bytes free
Post-Run: 30,995,664,896 bytes free

winxpsp1_en_hom_bf.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

237 --- E O F --- 2008-05-28 04:53:31






And well...after running it, I don't see anymore devices when I go to the Device manger. And I don't see the network connections or even anything about networks, like the thing for me to repair, it ain't there. Also firefox.exe doesn't work, I click on it and it does nothing. Umm...what else, oh right, and when I open internet explorer it says that it can't connect to the internet. Those are so-far what I REALLY need help with. Because, I got no sound, no internet on that computer, this laptop is way tooo slooow for me. If there's anything you guys need more info on, just tell me. Add my MSN Kandymann1@hotmail.com if you guys could.

BC AdBot (Login to Remove)

 


#2 cornzey

cornzey

  • Members
  • 156 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:27 AM

Posted 09 June 2008 - 04:24 AM

Did you back up the files you deleted?

If not check the recycle bin if you just deleted them via windows. If you find the files you deleted restore them so you can start over, hopefully problem free.

However, i'm not an expert on this and it could be an effect of the trojan/virus your infected with or a result of your deleted files.

Hope this helps.

Posted Image

If I'm giving you help and I don't reply within 24 hours PM me with the topic link.



Avast Anti-Virus - Zone Alarm Firewall
Stay Protected.


#3 FutureMarine

FutureMarine
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:02:27 AM

Posted 09 June 2008 - 10:09 PM

Hello again.


I got everything back and working. But there's only one problem tho...I open Firefox, and it won't load sites, like Myspace, and google toolbar doesn't work, or any searchng doesn't work.. Any suggestions on how to fix it? I have tried putting the value of the network.dns.Ipv6 to true. And still didn't fix it.

And also, I try it on Internet Explorer and it loads, but at a slower rate. And the pictures don't show for some odd reason. And I'm here using the computer that had the virus on it, but not using Firefox, I'm using a browser that came with a program I use to play Runescape. And it's experiencing the same problem as the Internet Explorer, pictures not loading.

Is there a fix to both of these problems? Get back at me please.

Edited by FutureMarine, 09 June 2008 - 10:17 PM.


#4 FutureMarine

FutureMarine
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:02:27 AM

Posted 10 June 2008 - 09:34 PM

I've tried using SUPERAntispyware. And currently about to use Ad-Aware to scan my computer. I have run the scanner of SSD and SAS and both deleted something called Virtumonde. A quick search on it and I thik that this is what's causing my problems. I've downloaded Vundofix for this. I'll post back again if anything new comes up, please help.

#5 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:05:27 AM

Posted 10 June 2008 - 10:46 PM

Any posts containing CF Logs will be ignored


that what it says at the top of all parts of this subforum

:thumbsup:

Let me save you some time, I fought an infection similar to this that came off limewire

I threw the kitchen sink at it, ran windows as a repair disk twice, without the 6-12 months formal training in a malware school it was way beyond my ability, I did not even try combo fix for that reason

After wasting a couple of days on and off I just threw in the towel and reinstalled windows, my client said don't worry about Limewire anymore.

She and comcast support had fought it for 2 days

The infection is intended to trash your computer if you attempt to remove it

http://www.microsoft.com/technet/community...gmt/sm0504.mspx

Edited by DaChew, 10 June 2008 - 10:50 PM.

Chewy

No. Try not. Do... or do not. There is no try.

#6 FutureMarine

FutureMarine
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:02:27 AM

Posted 11 June 2008 - 02:25 AM

Ugh, that makes me feel good....There's only one problem left and it has got to be the most annoying one. Stupid Vundo variant, keeps coming back.

#7 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:05:27 AM

Posted 11 June 2008 - 08:54 AM

If your infection is slightly older, the newer detection rules in our standard programs might remove that variant, however
some rootkits are almost impossible to find without advanced tools and training
Chewy

No. Try not. Do... or do not. There is no try.

#8 FutureMarine

FutureMarine
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:02:27 AM

Posted 11 June 2008 - 03:30 PM

It's always these two when I run SUPERAntiSpyware. Here's a log of the most recent, and oddly enough after running it and *not* rebooting it let me go to this site. Usually it doesn't do that. Would it be better if I just started a new thread? Or continuing on this one?

#9 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:05:27 AM

Posted 11 June 2008 - 03:43 PM

You need to find and kill the rootkit that's reloading those files after reboot?

Starting a new thread never solves anything

You might use MBAM, sdfix, smitfraud in combination with SAS after disconnecting from the internet and kill the infection

or

Do the HJT preperations and wait for an expert

or reload
Chewy

No. Try not. Do... or do not. There is no try.

#10 FutureMarine

FutureMarine
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:02:27 AM

Posted 11 June 2008 - 07:35 PM

K, so once I've got the preparations for that Hijack stuff done, should I post them here right after?

#11 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,962 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:05:27 AM

Posted 12 June 2008 - 08:50 PM

Hello FutureMarine and welcome to BC :thumbsup:

ComboFix is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert." It is NOT for private use. Please read Combofix's Disclaimer. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

I also see that you have an HJT log posted here: http://www.bleepingcomputer.com/forums/t/151855/re-occuring-adwarevundo-variantrel/ Because you have this log posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your HJT log in the thread titled "Haven't Had A Reply In Five Days?".

To avoid confusion, I am closing this topic. Good luck with your log.

I have edited your HJT topic so it contains the link to this thread.

Orange Blossom :flowers:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users