Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with possible Virtumonde, more than one


  • This topic is locked This topic is locked
7 replies to this topic

#1 andrew087

andrew087

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:06:56 AM

Posted 04 January 2009 - 12:25 PM

I have spoted 3 virtumonde through a malware removal programe, and fort some reason my internet doesnt work. It reads as it is connected but once i press internet explorer or firefox they dont work. Also i have recently had a similar problem and got it fix here but i think in the process lost some files. So i need to remove this malwares, and figure out if i miss plave or lost my files, for example i cant use my camera that comes with the laptop. Also it is running slower than usualy. I would really appreciate all your help as soon as you can, i am working on some projects for work and i cant relly on my computer because of the current situation.

Thank You for listening and here is the logs



DDS (Version 1.1.0) - NTFSx86
Run by Andrew Chiang at 9:08:59.35 on Sun 01/04/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1578 [GMT -8:00]

AV: Norton 360 *On-access scanning enabled* (Updated)
FW: Norton 360 *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Function Key Controller\FKC.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Andrew Chiang\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: NoExplorer - No File
BHO: {1e8a6170-7264-4d0f-beae-d42a53123c75} - c:\program files\common files\symantec shared\coshared\browser\1.5\NppBho.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: NoExplorer - No File
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: Show Norton Toolbar: {90222687-f593-4738-b738-fbee9c7b26df} - c:\program files\common files\symantec shared\coshared\browser\1.5\UIBHO.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [prunnet] "c:\windows\system32\prunnet.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SkyTel] SkyTel.EXE
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [FunctionKeyCtrl] c:\program files\function key controller\FKC.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [Adobe_ID0EYTHM] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [prunnet] "c:\windows\system32\prunnet.exe"
StartupFolder: c:\docume~1\andrew~1\startm~1\programs\startup\stardo~1.lnk - c:\program files\stardock\objectdock\ObjectDock.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\oscust.lnk - c:\windows\system32\oem\OSCust.exe
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\andrew~1\applic~1\mozilla\firefox\profiles\wumlpgj0.default\
FF - plugin: c:\program files\yahoo!\shared\npYState.dll

============= SERVICES / DRIVERS ===============

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-9-9 99376]
R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R4 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2007-1-9 108648]
S3 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2007-1-9 108648]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20081227.002\NAVENG.SYS [2008-12-27 89104]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20081227.002\NAVEX15.SYS [2008-12-27 876112]
S3 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2008-7-12 1251720]

=============== Created Last 30 ================

2009-01-02 09:18 44,766 a------- c:\windows\War3Unin.dat
2009-01-02 09:18 2,829 a------- c:\windows\War3Unin.pif
2009-01-02 09:18 139,264 a------- c:\windows\War3Unin.exe
2009-01-02 09:14 <DIR> --d----- C:\Warcraft III
2008-12-28 01:11 50,176 a------- c:\windows\system32\iiffGYrR.dll.vir
2008-12-28 01:11 35,328 a------- c:\windows\system32\prunnet.exe
2008-12-24 22:30 <DIR> --d----- c:\docume~1\andrew~1\applic~1\Acreon
2008-12-15 22:05 <DIR> --d----- c:\program files\Steam
2008-12-15 22:02 <DIR> --d----- c:\windows\system32\appmgmt
2008-12-10 14:40 <DIR> --d----- c:\documents and settings\all users\Symantec Temporary Files
2008-12-10 11:59 <DIR> --d----- c:\program files\EsetOnlineScanner
2008-12-10 01:41 <DIR> --d----- c:\docume~1\andrew~1\applic~1\Malwarebytes
2008-12-10 01:41 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-10 01:41 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-10 01:41 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-12-10 01:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-12-09 03:53 <DIR> a-dshr-- C:\cmdcons
2008-12-07 22:50 <DIR> --d----- c:\program files\DivX
2008-12-06 18:53 <DIR> --d----- c:\program files\Lavasoft
2008-12-06 18:52 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2008-12-06 18:36 <DIR> --d----- c:\program files\AVG
2008-12-06 18:36 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8

==================== Find3M ====================

2008-11-21 13:47 524,288 a------- c:\windows\system32\DivXsm.exe
2008-11-21 13:47 3,596,288 a------- c:\windows\system32\qt-dx331.dll
2008-11-21 13:47 129,784 -------- c:\windows\system32\pxafs.dll
2008-11-21 13:47 120,056 -------- c:\windows\system32\pxcpyi64.exe
2008-11-21 13:47 118,520 -------- c:\windows\system32\pxinsi64.exe
2008-11-21 13:47 43,528 -------- c:\windows\system32\drivers\PxHelp20.sys
2008-11-21 13:47 9,464 -------- c:\windows\system32\drivers\cdralw2k.sys
2008-11-21 13:47 9,336 -------- c:\windows\system32\drivers\cdr4_xp.sys
2008-11-21 13:46 1,044,480 a------- c:\windows\system32\libdivx.dll
2008-11-21 13:46 200,704 a------- c:\windows\system32\ssldivx.dll
2008-11-21 13:44 161,096 a------- c:\windows\system32\DivXCodecVersionChecker.exe
2008-11-21 13:44 12,288 a------- c:\windows\system32\DivXWMPExtType.dll
2008-10-23 04:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 12:38 826,368 a------- c:\windows\system32\wininet.dll
2008-09-17 09:43 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091720080918\index.dat

============= FINISH: 9:09:18.42 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:04:56 PM

Posted 11 January 2009 - 06:50 AM

Hello Andrew087 and welcome to Bleeping Computer,

Sorry for the delay, but the forum really has been swamped lately.

Please download ComboFix from one of the locations below, and save it to your Desktop.

Link
Link
Link

Double click the ComboFix icon to run it.
If ComboFix askes you to install the Recovery Console, please do so..
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.
Once the Recovery Console is installed, continue with the malware scan.

Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply. :thumbsup:

If you have any questions along the way, STOP and ask them before proceeding !!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#3 andrew087

andrew087
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:06:56 AM

Posted 11 January 2009 - 12:50 PM

As long as you guys get to me its alright, i understand that you guys are busy. Here is the log, however because of the malware i have on my computer i cant acces internet, or open up my anti virus to deactivated, so i had to run combofix with norton activated unfortunatly. Also there are more porblems, like i cant put my external hardrive in because it says the power is too much for the plug, that never happen before.

Thank You for all the help, hope to hear from you soon.

ComboFix 09-01-10.03 - Andrew Chiang 2009-01-11 9:33:28.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1560 [GMT -8:00]
Running from: c:\documents and settings\Andrew Chiang\Desktop\ComboFix.exe
AV: Norton 360 *On-access scanning enabled* (Updated)
FW: Norton 360 *enabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\iiffGYrR.dll.vir
c:\windows\system32\prunnet.exe
F:\rthrw.com

.
((((((((((((((((((((((((( Files Created from 2008-12-11 to 2009-01-11 )))))))))))))))))))))))))))))))
.

2009-01-02 09:18 . 2009-01-02 09:24 139,264 --a------ c:\windows\War3Unin.exe
2009-01-02 09:18 . 2009-01-02 09:24 44,766 --a------ c:\windows\War3Unin.dat
2009-01-02 09:18 . 2009-01-02 09:24 2,829 --a------ c:\windows\War3Unin.pif
2009-01-02 09:14 . 2009-01-03 20:48 <DIR> d-------- C:\Warcraft III
2008-12-26 01:50 . 2008-12-26 01:50 <DIR> d-------- c:\documents and settings\Andrew Chiang\Application Data\DivX
2008-12-24 22:30 . 2008-12-24 22:30 <DIR> d-------- c:\documents and settings\Andrew Chiang\Application Data\Acreon
2008-12-15 22:05 . 2008-12-28 07:07 <DIR> d-------- c:\program files\Steam

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-02 17:09 --------- d-----w c:\program files\Warcraft III
2008-12-28 15:06 --------- d-----w c:\documents and settings\Andrew Chiang\Application Data\OpenOffice.org2
2008-12-28 05:58 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-12-25 04:55 --------- d-----w c:\program files\World of Warcraft
2008-12-19 20:56 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-12 09:54 --------- d-----w c:\program files\Yahoo!
2008-12-12 09:54 --------- d-----w c:\documents and settings\Andrew Chiang\Application Data\Yahoo!
2008-12-12 09:54 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2008-12-12 08:47 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2008-12-10 22:15 --------- d-----w c:\program files\EsetOnlineScanner
2008-12-10 09:41 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-12-10 09:41 --------- d-----w c:\documents and settings\Andrew Chiang\Application Data\Malwarebytes
2008-12-10 09:41 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-10 09:38 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-12-10 09:17 --------- d-----w c:\program files\trend micro
2008-12-08 06:50 --------- d-----w c:\program files\DivX
2008-12-07 02:54 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-07 02:53 --------- d-----w c:\program files\Lavasoft
2008-12-07 02:52 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-07 02:36 --------- d-----w c:\program files\AVG
2008-12-04 03:59 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-04 03:59 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-11-29 13:47 --------- d-----w c:\program files\Common Files\Blizzard Entertainment
2008-11-28 21:57 --------- d-----w c:\documents and settings\All Users\Application Data\Blizzard
2008-11-27 19:47 --------- d-----w c:\documents and settings\Andrew Chiang\Application Data\uTorrent
2008-11-22 08:52 --------- d-----w c:\program files\headus UVLayout
2008-11-21 21:47 9,464 ------w c:\windows\system32\drivers\cdralw2k.sys
2008-11-21 21:47 9,336 ------w c:\windows\system32\drivers\cdr4_xp.sys
2008-11-21 21:47 524,288 ----a-w c:\windows\system32\DivXsm.exe
2008-11-21 21:47 43,528 ------w c:\windows\system32\drivers\PxHelp20.sys
2008-11-21 21:47 3,596,288 ----a-w c:\windows\system32\qt-dx331.dll
2008-11-21 21:47 129,784 ------w c:\windows\system32\pxafs.dll
2008-11-21 21:47 120,056 ------w c:\windows\system32\pxcpyi64.exe
2008-11-21 21:47 118,520 ------w c:\windows\system32\pxinsi64.exe
2008-11-21 21:46 200,704 ----a-w c:\windows\system32\ssldivx.dll
2008-11-21 21:46 1,044,480 ----a-w c:\windows\system32\libdivx.dll
2008-11-21 21:44 161,096 ----a-w c:\windows\system32\DivXCodecVersionChecker.exe
2008-11-21 21:44 12,288 ----a-w c:\windows\system32\DivXWMPExtType.dll
2008-11-19 19:01 --------- d-----w c:\documents and settings\Andrew Chiang\Application Data\headus
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 22:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 22:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 22:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-09-17 17:43 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008091720080918\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-04-19 484904]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 139264]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-08-11 794714]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-08-30 8515584]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-08-30 81920]
"FunctionKeyCtrl"="c:\program files\Function Key Controller\FKC.exe" [2006-05-25 49152]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 54832]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 115816]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"Adobe_ID0EYTHM"="c:\progra~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 1884160]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-08-21 185896]
"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2006-06-29 c:\windows\AGRSMMSG.exe]
"nwiz"="nwiz.exe" [2007-08-30 c:\windows\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-01-30 c:\windows\RTHDCPL.exe]

c:\documents and settings\Andrew Chiang\Start Menu\Programs\Startup\
Stardock ObjectDock.lnk - c:\program files\Stardock\ObjectDock\ObjectDock.exe [2008-09-19 3450608]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
OSCust.lnk - c:\windows\system32\oem\OSCust.exe [2007-08-17 67072]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"SENTINEL"= snti386.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Andrew Chiang^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Andrew Chiang\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Andrew Chiang^Start Menu^Programs^Startup^OpenOffice.org 2.4.lnk]
path=c:\documents and settings\Andrew Chiang\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk
backup=c:\windows\pss\OpenOffice.org 2.4.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
--a------ 2008-01-11 15:54 623992 c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 18:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
--a------ 2007-02-28 19:06 2321600 c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2008-08-06 07:21 50472 c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-08-08 04:11 490952 c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-10-01 17:57 289576 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-13 16:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2008-07-06 23:34 167936 c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 11:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-12-15 22:05 1410296 c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-08-21 10:59 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 13:43 4670704 c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Autodesk\\Maya2008\\bin\\maya.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-09-09 99376]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2008-11-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 08:34]

2009-01-11 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-02-12 11:54]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-prunnet - c:\windows\system32\prunnet.exe
HKLM-Run-prunnet - c:\windows\system32\prunnet.exe
MSConfigStartUp-CTFMON - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\Andrew Chiang\Application Data\Mozilla\Firefox\Profiles\wumlpgj0.default\
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-11 09:37:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-01-11 9:38:46
ComboFix-quarantined-files.txt 2009-01-11 17:38:44

Pre-Run: 9,358,696,448 bytes free
Post-Run: 9,383,710,720 bytes free

221 --- E O F --- 2008-12-18 11:01:01

#4 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:04:56 PM

Posted 11 January 2009 - 01:30 PM

Hello Andrew,

After removal of that Backdoor Trojan and other malware by ComboFix,
do your problems still persist ?

Your log looks fine now. :thumbsup:

Do you know what external media device was assigned the F: drive letter ?

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#5 andrew087

andrew087
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:06:56 AM

Posted 11 January 2009 - 05:01 PM

well my computer seams to not be able to go on the internet, also i cant opensome programs. It reads the internet but it doesnt connect. I dont know if it got deleted by malware but somethings wrong with it.

#6 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:04:56 PM

Posted 11 January 2009 - 06:05 PM

Hello Andrew,

Have you tried disabeling your Symantec firewall ?
Just in case some incorrect rule slipped in ?

If that doesn't help, try flushing your DNS and see if that helps.

How to flush your DNS Cache

Please open your command prompt. To do that follow the instructions below.
  • Go to Start>>Run>>In the open field type in "cmd" (without the quotes)
  • This will open the Command Prompt, a tutorial on opening the cmd can be found here
  • In the command prompt please type in "ipconfig /flushdns" (without the quotes)
    Note: Please note the space after the g of ipconfig and / of flushdns.
  • Now press enter and you should recieve a message saying something similar to "Successfully flushed the DNS cache"
  • Exit out Command Prompt by typing in "Exit" (without quotes)
How is your computer now?

If that still doesn't work, try running Winsockfix.

Download and Run WinsockFix
  • Download WinsockXPFix and save it to your desktop.
  • Double Click on Posted Image on your desktop.
  • Push the Posted Image button.
  • Allow your system to reboot afterwards.
Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#7 andrew087

andrew087
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:06:56 AM

Posted 13 January 2009 - 12:25 AM

I did as told but it didnt work so i completly restorded my computer, so its working now. Thank You for all your help.

#8 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:04:56 PM

Posted 13 January 2009 - 05:29 AM

OK Andrew,

That's another way of solving the problem. :thumbsup:

Please read this Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks.
To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Please also read Tony Klein's excellent article: How I got Infected in the First Place
and/or Grinlers tutorial on how malware is hidden and installed

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users