Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

virtumonde on computer


  • This topic is locked This topic is locked
5 replies to this topic

#1 tiredofmalware

tiredofmalware

  • Members
  • 41 posts
  • OFFLINE
  •  
  • Local time:12:56 AM

Posted 08 January 2009 - 07:17 PM

Hello,

I contract virtumonde on my laptop and have run several programs including spybot, adaware, AVG, SD fix, dr web and had a friend look at the computer. I think he did the most damage. He stopped some services related the the virus file and deleted some of the registry keys whcih appeared to only have the virus. However, since he did that my network devices are not found, my start toolbar is missing and many of my sutomatic service are not running. Even if I try to srtat them I just get an error 1068.. I also can't drag and drop any files or copy and paste any files. they highlight but don;t drag and will not paste... I ran a DDS log the notes are below.




DDS (Ver_09-01-07.01) - NTFSx86
Run by WPotts at 18:57:15.75 on Thu 01/08/2009
Internet Explorer: 7.0.5730.13

============== Pseudo HJT Report ===============


uInternet Settings,ProxyOverride = *.local
BHO: {023B4938-0FE0-45EB-AD51-04ACE04525EF} - No File
BHO: {117F00FD-30D8-4683-880F-F372BA0E9128} - No File
BHO: {27550895-833c-41cc-8c78-5fb1600333ae} - No File
BHO: {482C069E-77C0-4C22-A732-7ED1FEE7743B} - No File
BHO: {8B507386-313D-4B78-8A7F-27E07339491E} - No File
BHO: {A8686CEF-A520-4791-BFFF-08521904877F} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [Uniblue RegistryBooster 2009] c:\program files\uniblue\registrybooster\RegistryBooster.exe /S
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [CARPService] carpserv.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [ShStatEXE] "c:\program files\network associates\virusscan\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [eCopy Scan Inbox Monitor] "c:\program files\ecopy\desktop 9.2\bin\InboxMonitor.exe" -run
mRun: [eDP2eD] "c:\program files\ecopy\desktop 9.2\bin\eDP2eD.exe"
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [IntelZeroConfig] "c:\program files\intel\wifi\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\common files\intel\wirelesscommon\iFrmewrk.exe" /tf Intel Wireless Tray
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: imagistics.com\oraproduction
Trusted Zone: oce.com\self-service
Trusted Zone: oce.com\www.itservicecenter
Trusted Zone: self-service
Trusted Zone: sprintpcs.com\manage
Notify: AtiExtEvent - Ati2evxx.dll
Notify: cbXPiGyV - cbXPiGyV.dll
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\wpotts\applic~1\mozilla\firefox\profiles\gslzswl9.default\
FF - prefs.js: browser.startup.homepage - hxxp://macomb.angellearning.com/frames.aspx|http://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbarff\components\vmAVGConnector.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-01-08 16:59 <DIR> --d----- c:\windows\ERUNT
2009-01-08 16:49 <DIR> --d----- C:\SDFix
2009-01-08 16:06 <DIR> --d----- C:\test
2009-01-07 20:47 <DIR> --d----- c:\documents and settings\wpotts\DoctorWeb
2009-01-07 18:39 708,164 a--sh--- c:\windows\system32\tCMUFfhk.ini2
2009-01-07 18:39 708,164 a--sh--- c:\windows\system32\tCMUFfhk.ini
2009-01-06 14:18 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-01-06 14:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-01-04 21:55 <DIR> --d----- c:\program files\Lavasoft
2009-01-04 21:54 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-01-04 20:22 129,024 a------- c:\windows\system32\goyjhs.dll
2009-01-04 20:22 129,024 a------- c:\windows\system32\xduwofsj.dll
2009-01-03 14:58 <DIR> --d----- c:\program files\AVG
2009-01-03 14:56 143 a------- c:\windows\system32\mcrh.tmp
2009-01-03 11:15 22,016 a------- c:\windows\system32\digeste.dll
2008-12-19 09:08 107,368 a------- c:\windows\system32\GEARAspi.dll
2008-12-19 09:08 15,464 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2008-12-19 09:08 <DIR> --d----- c:\program files\iPod
2008-12-19 09:08 <DIR> --d----- c:\program files\iTunes
2008-12-19 09:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-19 09:08 <DIR> --d----- c:\program files\Bonjour
2008-12-13 21:48 3,632,384 a------- c:\windows\system32\drivers\NETw5x32.sys
2008-12-13 21:48 2,756,608 a------- c:\windows\system32\NETw5r32.dll
2008-12-13 21:48 663,552 a------- c:\windows\system32\NETw5c32.dll
2008-12-13 21:48 <DIR> --d----- c:\program files\common files\Intel
2008-12-13 21:31 23,576 a------- c:\windows\system32\wuapi.dll.mui

==================== Find3M ====================

2008-12-04 20:18 104,417 a------- c:\windows\system32\nvModes.dat
2008-10-23 08:01 283,648 a------- c:\windows\system32\gdi32.dll
2008-10-16 15:38 826,368 a------- c:\windows\system32\wininet.dll
2008-10-16 14:07 208,744 a------- c:\windows\system32\muweb.dll
2007-08-13 09:56 56,912 a------- c:\documents and settings\wpotts\g2mdlhlpx.exe

============= FINISH: 18:58:06.41 ===============

BC AdBot (Login to Remove)

 


#2 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:07:56 AM

Posted 19 January 2009 - 01:39 PM

Hello Tiredofmalware and welcome to Bleeping Computer,

Looks like your friend didn't really make it any better.
Let's see if we can remove the remaining malware, so you can attempt a repair install if necessary. :thumbsup:

Please read [url="http://"http://www.bleepingcomputer.com/combofix/how-to-use-combofix"]this tutorial[/url] carefully to download ComboFix from one of the locations specified, and save it to your Desktop.
Double click the ComboFix icon to run it.
If ComboFix askes you to install the Recovery Console, please do so..
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.
Once the Recovery Console is installed, continue with the malware scan.

Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply. :)

If you have any questions along the way, STOP and ask them before proceeding !!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#3 tiredofmalware

tiredofmalware
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  •  
  • Local time:12:56 AM

Posted 20 January 2009 - 04:24 PM

ComboFix 09-01-19.03 - WPotts 2009-01-20 16:05:37.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1393 [GMT -5:00]
Running from: c:\documents and settings\WPotts\Desktop\ComboFix.exe
AV: AVG Anti-Virus *On-access scanning enabled* (Updated)
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Downloaded Program Files\setup.inf
c:\windows\system32\Cache
c:\windows\system32\mcrh.tmp
c:\windows\system32\tCMUFfhk.ini
c:\windows\system32\tCMUFfhk.ini2
c:\windows\wiaserviv.log

.
((((((((((((((((((((((((( Files Created from 2008-12-20 to 2009-01-20 )))))))))))))))))))))))))))))))
.

2009-01-19 20:57 . 2009-01-19 20:57 <DIR> d-------- C:\VundoFix Backups
2009-01-12 09:13 . 2009-01-20 08:38 <DIR> d-------- c:\windows\system32\CatRoot_bak
2009-01-12 09:12 . 2008-06-13 08:10 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
2009-01-12 09:08 . 2008-08-14 05:00 2,180,352 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2009-01-12 09:08 . 2008-08-14 04:58 2,136,064 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-01-12 09:08 . 2008-08-14 04:22 2,057,728 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-01-12 09:08 . 2008-08-14 04:22 2,015,744 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2009-01-12 09:04 . 2008-10-24 06:10 453,632 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2009-01-10 15:17 . 2009-01-10 15:17 <DIR> d-------- c:\windows\ms
2009-01-10 15:02 . 2004-08-04 07:00 1,875,968 --a--c--- c:\windows\system32\dllcache\msir3jp.lex
2009-01-10 15:01 . 2004-08-04 07:00 13,463,552 --a--c--- c:\windows\system32\dllcache\hwxjpn.dll
2009-01-10 15:00 . 2004-08-04 07:00 1,817,687 --a--c--- c:\windows\system32\dllcache\bckgres.dll
2009-01-10 14:58 . 2009-01-10 14:58 488 -rah----- c:\windows\system32\logonui.exe.manifest
2009-01-10 14:57 . 2004-08-04 07:00 16,384 --a--c--- c:\windows\system32\dllcache\isignup.exe
2009-01-10 14:57 . 2009-01-10 14:57 749 -rah----- c:\windows\WindowsShell.Manifest
2009-01-10 14:57 . 2009-01-10 14:57 749 -rah----- c:\windows\system32\wuaucpl.cpl.manifest
2009-01-10 14:57 . 2009-01-10 14:57 749 -rah----- c:\windows\system32\sapi.cpl.manifest
2009-01-10 14:57 . 2009-01-10 14:57 749 -rah----- c:\windows\system32\nwc.cpl.manifest
2009-01-10 14:57 . 2009-01-10 14:57 749 -rah----- c:\windows\system32\ncpa.cpl.manifest
2009-01-10 14:54 . 2004-08-04 00:56 152,576 --a------ c:\windows\system32\irftp.exe
2009-01-10 14:54 . 2004-08-03 23:00 87,424 --a------ c:\windows\system32\drivers\irda.sys
2009-01-10 14:54 . 2004-08-04 00:56 27,136 --a------ c:\windows\system32\irmon.dll
2009-01-10 14:54 . 2004-08-04 00:56 8,192 --a------ c:\windows\system32\wshirda.dll
2009-01-10 14:44 . 2001-08-17 13:51 19,584 --a------ c:\windows\system32\drivers\rasirda.sys
2009-01-10 14:40 . 2004-08-04 07:00 1,086,058 -ra------ c:\windows\SET15B.tmp
2009-01-10 14:40 . 2004-08-04 07:00 1,042,903 -ra------ c:\windows\SET158.tmp
2009-01-10 14:40 . 2004-08-04 07:00 13,753 -ra------ c:\windows\SET167.tmp
2009-01-10 09:29 . 2009-01-10 09:29 <DIR> d-------- c:\windows\system32\wins
2009-01-08 16:59 . 2009-01-08 16:59 <DIR> d-------- c:\windows\ERUNT
2009-01-08 16:52 . 2009-01-08 16:52 <DIR> d-------- c:\documents and settings\ADMINCGI\DoctorWeb
2009-01-08 16:49 . 2009-01-08 17:19 <DIR> d-------- C:\SDFix
2009-01-08 16:06 . 2009-01-08 16:06 <DIR> d-------- C:\test
2009-01-07 20:47 . 2009-01-07 20:51 <DIR> d-------- c:\documents and settings\WPotts\DoctorWeb
2009-01-07 20:47 . 2009-01-07 20:51 <DIR> d-------- c:\documents and settings\WPotts\DoctorWeb
2009-01-06 14:18 . 2009-01-08 18:24 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-01-06 14:18 . 2009-01-08 18:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-03 14:58 . 2009-01-03 14:58 <DIR> d-------- c:\program files\AVG
2009-01-03 14:55 . 2009-01-08 07:41 8,192 --a------ c:\documents and settings\user1
2009-01-03 14:55 . 2009-01-08 07:41 8,192 --a------ c:\documents and settings\JoUser

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-19 14:08 --------- d-----w c:\program files\QuickTime
2008-12-19 14:08 --------- d-----w c:\program files\iTunes
2008-12-19 14:08 --------- d-----w c:\program files\iPod
2008-12-19 14:08 --------- d-----w c:\program files\Common Files\Apple
2008-12-19 14:08 --------- d-----w c:\program files\Bonjour
2008-12-19 14:08 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-19 14:07 --------- d-----w c:\program files\Apple Software Update
2008-12-19 14:07 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-12-14 02:49 --------- d-----w c:\documents and settings\LocalService\Application Data\Intel
2008-12-14 02:48 --------- d-----w c:\program files\Intel
2008-12-14 02:48 --------- d-----w c:\program files\Common Files\Intel
2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys
2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll
2007-08-13 14:56 56,912 ----a-w c:\documents and settings\WPotts\g2mdlhlpx.exe
2008-04-07 06:59 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-04-07 06:59 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-04-07 06:59 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-04-07 06:59 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-04-07 06:59 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-04-06 1032192]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-01-11 344064]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-01 7561216]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 94208]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UdaterUI.exe" [2007-10-25 136512]
"eCopy Scan Inbox Monitor"="c:\program files\eCopy\Desktop 9.2\Bin\InboxMonitor.exe" [2008-01-29 79112]
"eDP2eD"="c:\program files\eCopy\Desktop 9.2\Bin\eDP2eD.exe" [2008-01-29 144648]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-08-16 236016]
"IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2008-08-20 1368064]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2008-08-20 1191936]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"CARPService"="carpserv.exe" [2002-10-17 c:\windows\system32\carpserv.exe]
"nwiz"="nwiz.exe" [2006-05-01 c:\windows\system32\nwiz.exe]
"NVHotkey"="nvHotkey.dll" [2006-05-01 c:\windows\system32\nvhotkey.dll]
"SigmatelSysTrayApp"="stsystra.exe" [2005-11-16 c:\windows\stsystra.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-03 44544]

c:\documents and settings\WPotts\Start Menu\Programs\Startup\
Desktop Manager.lnk - c:\program files\Research In Motion\BlackBerry\DesktopMgr.exe [2007-11-12 1447184]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2008-06-29 82026]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-05-03 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=AddSuffixes.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\1\0]
"Script"=rights-usoce.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-8915387-33426756-934288641-32643\Scripts\Logon\0\0]
"Script"=mailnew.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-8915387-33426756-934288641-32643\Scripts\Logon\1\0]
"Script"=exConfig.bat

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\eCopy\\Desktop 9.2\\Bin\\eCopyDesktop.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2007-10-19 58464]
R4 MarimbaProductionClient;MarimbaProductionClient;c:\program files\MarimbaProdClient\Castanet Tuner\Tuner.exe [2007-11-02 36952]
S3 {E2B953A7-195A-44F9-9BA3-3D5F4E32BB55};AIM 3.0 Part 01 Codec Driver CH-7009-B;c:\windows\system32\drivers\wA301b.sys [2004-01-27 33847]
S3 GTICARD;GTICARD;c:\windows\system32\drivers\gticard.sys [2003-02-06 59328]
S3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2004-05-03 80384]
S3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;c:\windows\system32\drivers\ousb2hub.sys [2003-07-23 54272]
S4 ousbehci;NEC PCI to USB Enhanced Host Controller;c:\windows\system32\drivers\ousbehci.sys [2003-07-23 39296]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ENTDRV51
*Deregistered* - uphcleanhlp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\setup.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{023B4938-0FE0-45EB-AD51-04ACE04525EF} - (no file)
BHO-{117F00FD-30D8-4683-880F-F372BA0E9128} - (no file)
BHO-{27550895-833c-41cc-8c78-5fb1600333ae} - (no file)
BHO-{482C069E-77C0-4C22-A732-7ED1FEE7743B} - (no file)
BHO-{8B507386-313D-4B78-8A7F-27E07339491E} - (no file)
BHO-{A8686CEF-A520-4791-BFFF-08521904877F} - (no file)
HKCU-Run-Uniblue RegistryBooster 2009 - c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe
HKCU-Run-SpybotSD TeaTimer - c:\program files\Spybot - Search & Destroy\TeaTimer.exe
Notify-cbXPiGyV - cbXPiGyV.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://ocelinkamerica.oceusa.com
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: oraproduction.imagistics.com
Trusted Zone: self-service.oce.com
Trusted Zone: www.itservicecenter.oce.com
Trusted Zone: *.self-service
Trusted Zone: manage.sprintpcs.com
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {E5168F0C-8591-11D4-BCDF-006008B7FEA4} - hxxp://plato.acad.macomb.edu/Pathways/pway_iis.dll/PWLN/02050119/fullcab/pwlninst.cab
FF - ProfilePath - c:\documents and settings\WPotts\Application Data\Mozilla\Firefox\Profiles\gslzswl9.default\
FF - prefs.js: browser.startup.homepage - hxxp://macomb.angellearning.com/frames.aspx|http://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-20 16:08:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(880)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\netprovcredman.dll

- - - - - - - > 'lsass.exe'(936)
c:\windows\system32\EntApi.dll
.
Completion time: 2009-01-20 16:10:10
ComboFix-quarantined-files.txt 2009-01-20 21:10:07

Pre-Run: 59,539,333,120 bytes free
Post-Run: 59,765,166,080 bytes free

203 --- E O F --- 2009-01-20 13:28:01

#4 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:07:56 AM

Posted 21 January 2009 - 03:54 PM

Hello Tiredofmalware,

Apparently all visible malware is gone now. :thumbsup:

Any idea where these batch and script files come from ? :
AddSuffixes.vbs, rights-usoce.bat, mailnew.vbs and exConfig.bat
Anything you or your friend cooked up ?

Download and unzip Dial-a-Fix to its own folder on your desktop:Open the Dial-a-Fix folder, launch the program by clicking on the blue cog-wheel icon.
First, click the "Policies..." button on the bottom.
If anything is found, make sure it's checked and then, click the "Remove" button and click the "Close" button to close that window.
Now click the green, double check icon (Check all) on the bottom.
Then click on 'GO' at the bottom.
Click "Exit" and restart your pc when Dial-a-Fix has done.
If problems still persist, it might be time to do a systemfile check (Go to Start > Run and type, or copy/padte : sfc /scannow)
Make sure you have a Windows installation CD handy.

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#5 tiredofmalware

tiredofmalware
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  •  
  • Local time:12:56 AM

Posted 21 January 2009 - 07:44 PM

this is actually my work cpu and these scripts are bacth files. We won;t worry about those. Don't want to eye in the sky to know I have been hacking into the cpu. Donation will be coming your way. Thanks for the help bro

#6 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:07:56 AM

Posted 22 January 2009 - 03:54 AM

Glad we could help, Tiredofmalware :thumbsup:

You can remove all used tools and folders created in the process.
To remove ComboFix :
Go to Start > Run, and copy and paste next command in the field:ComboFix /u
Make sure there's a space between Combofix and /u
Then press Enter.
This will uninstall Combofix, delete its related folders and files, restore your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Please read this Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks.
To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Please also read Tony Klein's excellent article: How I got Infected in the First Place
and/or Grinlers tutorial on how malware is hidden and installed

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users