
Infected by Prunnet.exe/Virtumonde/Vundo Trojans


This topic is locked
14 replies to this topic

#1 VVG (Members)

Posted 10 January 2009 - 06:54 PM

I recently (about four days ago) got infected by a series of Trojans that I have been battling for the past several days. Initially, I could not update my Norton antivirus program (whenever I tried, it said all of the files were up to date, but the definition file was dated December 14); after reinstalling Norton I could update it, but it would say "scan complete" after scanning only 877 files. When attempting to run McAfee antivirus, halfway through my computer would give me a Win32 error and force a restart of Windows. Whenever Spybot would run it would find recurring instances of Virtumonde and Vundo Trojans, which it would successfully clean, only to find them again after restarting my computer. I ran several online virus scans, one of which gave me a prunnet.exe infection, and the Symantec online virus scan pointed out two .dll files as viruses that were created at the time I initially noticed the infection. After manually deleting the two .dll infections and cleanly reinstalling Norton Endpoint Protection, I was able to update and run all of the programs. Norton caught over 14 Trojans and deleted them. My system appeared to have been cleaned and ran well; however, I lost control over the Terminal Services and Remote Procedure Protocol Services (as in the option for startup type as well as the start, stop, pause, and resume buttons were greyed out). I was able to regain control over Terminal Services by forcing a disable in safe mode. However, RPC options are still all greyed out. I also periodically hear my computer make a noise as if an error window pops open, though no window appears, and I noticed the noise corresponds to a second rundll32.exe process starting on my computer (which I then end). My computer is also making a lot of noise as if it is working on something, even when I am only using Firefox or Microsoft Word.
I'm worried that my computer is still infected with something, and that in time it will just download more viruses and I will have to spend days getting rid of them all over again. Please help!!

Thanks!



DDS (Ver_09-01-07.01) - NTFSx86
Run by Owner at 18:29:47.62 on Sat 01/10/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1441 [GMT -5:00]

AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated)
FW: Symantec Endpoint Protection *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {584983AA-F7C8-4DE7-8F32-CA89DCF40E6F} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: {d0637c55-da0b-46e9-b6ea-d5ef0da3ff82} - c:\windows\system32\khfEtRJC.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ATI Launchpad]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [<NO NAME>]
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [IntelAudioStudio] "c:\program files\intel audio studio\IntelAudioStudio.exe" TRAY
mRun: [NeroCheck] c:\windows\system32\\NeroCheck.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [<NO NAME>]
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{24c67b54-0718-445e-b663-3138d9246bd1}\Icon3E5562ED7.ico
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {44226DFF-747E-4edc-B30C-78752E50CD0C} - {44226DFF-747E-4edc-B30C-78752E50CD0C} - c:\program files\ati multimedia\tv\EXPLBAR.DLL
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
AppInit_DLLs: KATRACK.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\dr8dydl6.default\
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: XUL Cache: {F6CADF43-80E8-403D-91C4-A8393C60F2BF} - c:\windows\system32\config\systemprofile\local settings\application data\{f6cadf43-80e8-403d-91c4-a8393c60f2bf}\

============= SERVICES / DRIVERS ===============

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-1-8 99376]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090110.003\NAVENG.SYS [2009-1-10 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090110.003\NAVEX15.SYS [2009-1-10 876112]
R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-7-7 611664]
R4 ACEDRV09;ACEDRV09;c:\windows\system32\drivers\ACEDRV09.sys [2007-9-15 110304]
R4 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-8-14 108392]
R4 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-8-14 108392]
R4 mi-raysat_3dsMax2009_32;mental ray 3.6 Satellite for Autodesk 3ds Max 2009 32-bit 32-bit;c:\program files\autodesk\3ds max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe [2008-3-9 65536]
R4 SlingAgentService;SlingAgentService;c:\program files\sling media\slingagent\SlingAgentService.exe [2008-12-10 88576]
R4 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2008-12-8 2440120]
S1 mferkdk;VSCore mferkdk;\??\c:\program files\mcafee\virusscan enterprise\mferkdk.sys --> c:\program files\mcafee\virusscan enterprise\mferkdk.sys [?]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-11-18 23888]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]

=============== Created Last 30 ================

2009-01-08 23:56 <DIR> --d----- C:\VundoFix Backups
2009-01-08 16:25 120 a--sh--- c:\windows\system32\xrsydkwf.ini
2009-01-08 13:52 92,488 a------- c:\windows\system32\drivers\SysPlant.sys
2009-01-08 13:51 123,952 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-01-08 13:51 60,800 a------- c:\windows\system32\S32EVNT1.DLL
2009-01-08 13:51 10,563 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-01-08 13:51 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-01-08 04:12 143 a------- c:\windows\system32\mcrh.tmp
2009-01-07 23:43 <DIR> --d----- C:\QUARANTINE
2009-01-07 21:31 1,495,552 a------- c:\windows\system32\epoPGPsdk.dll
2009-01-07 21:31 <DIR> --d----- c:\program files\common files\Cisco Systems
2009-01-07 16:23 120 a--sh--- c:\windows\system32\rsqmdasb.ini
2009-01-07 16:22 73,216 a------- c:\windows\system32\ffkuz.dll
2009-01-07 16:06 <DIR> --d----- c:\windows\Internet Logs
2009-01-07 16:04 110,080 a------- c:\windows\system32\drivers\dne2000.sys
2009-01-07 16:04 94,720 a------- c:\windows\system32\dneinobj.dll
2009-01-07 16:04 <DIR> --d----- c:\program files\common files\Deterministic Networks
2009-01-07 16:04 <DIR> --d----- c:\program files\Cisco Systems
2009-01-07 16:04 1,592 a------- c:\windows\VPNInstall.MIF
2009-01-07 16:03 <DIR> --d----- c:\temp\MU_Secure_Download
2009-01-06 22:03 2,206 a------- c:\windows\system32\tmp.reg
2009-01-06 20:10 102,664 a------- c:\windows\system32\drivers\tmcomm.sys
2009-01-06 20:09 <DIR> --d----- c:\documents and settings\owner\.housecall6.6
2009-01-06 17:22 93 a------- c:\windows\wininit.ini
2009-01-06 14:22 0 a------- c:\windows\system32\drivers\seneka.sys
2009-01-06 14:04 59 a------- c:\windows\system32\seneka.dat
2009-01-06 14:04 3 a------- c:\windows\system32\senekadf.dat
2009-01-06 13:59 123,852 a------- c:\windows\system32\senekalog.dat
2009-01-05 19:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Sling Media
2009-01-05 19:54 <DIR> --d----- c:\program files\Sling Media

==================== Find3M ====================

2008-12-16 14:34 55,024 a------- c:\windows\War3Unin.dat
2008-12-16 14:32 2,829 a------- c:\windows\War3Unin.pif
2008-12-16 14:32 139,264 a------- c:\windows\War3Unin.exe
2008-12-08 21:43 42,312 a------- c:\windows\system32\drivers\WPSDRVnt.sys
2008-12-08 21:43 357,704 a------- c:\windows\system32\sysfer.dll
2008-12-08 21:43 107,848 a------- c:\windows\system32\SymVPN.dll
2008-12-08 21:42 49,480 a------- c:\windows\system32\FwsVpn.dll
2008-11-21 16:47 524,288 a------- c:\windows\system32\DivXsm.exe
2008-11-21 16:47 3,596,288 a------- c:\windows\system32\qt-dx331.dll
2008-11-21 16:46 1,044,480 a------- c:\windows\system32\libdivx.dll
2008-11-21 16:46 200,704 a------- c:\windows\system32\ssldivx.dll
2008-11-21 16:44 161,096 a------- c:\windows\system32\DivXCodecVersionChecker.exe
2008-11-21 16:44 12,288 a------- c:\windows\system32\DivXWMPExtType.dll
2008-11-18 18:17 23,888 a------- c:\windows\system32\drivers\COH_Mon.sys
2008-11-18 18:01 10,537 a------- c:\windows\system32\drivers\coh_mon.cat
2008-11-18 18:01 706 a------- c:\windows\system32\drivers\COH_Mon.inf
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-15 20:00 666,112 a------- c:\windows\system32\wininet.dll

============= FINISH: 18:30:59.14 ===============
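The DDS log above is the raw material the helpers work from, and a few of its entries carry the fingerprints of the Vundo/Virtumonde droppers of this period: randomly named .dll/.ini files dropped into system32 (khfEtRJC.dll, xrsydkwf.ini, rsqmdasb.ini, ffkuz.dll), a system+hidden attribute combination on a plain .ini, a 0-byte .sys left in drivers (seneka.sys), a BHO registered with no display name, and a BHO whose CLSID points to "No File". The script below is an added example written for this page; it is not part of VVG's post, of the DDS tool, or of any vendor product. It parses the line shapes DDS printed above and scores them against those indicators. The sample lines are copied from the log in this thread, and the indicator set and the "looks random" vowel-ratio threshold are the example author's own assumptions; hits are review items, not verdicts (legitimate software also uses AppInit_DLLs, for instance).

```python
"""Triage a DDS-style log for Vundo/Virtumonde-era loading-point indicators.

Added example for this thread; it is not part of VVG's post, of the DDS tool,
or of any vendor product. The regular expressions match the line shapes DDS
printed above. The indicator set and the 'looks random' threshold are the
example author's own assumptions, chosen to fit the files named in the log
(khfEtRJC.dll, xrsydkwf.ini, ffkuz.dll, seneka.sys); treat hits as items to
review, not as verdicts.
"""
import re
from collections import defaultdict

# Constructed sample: lines copied from the DDS log posted above.
SAMPLE_LOG = r"""
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {584983AA-F7C8-4DE7-8F32-CA89DCF40E6F} - No File
BHO: {d0637c55-da0b-46e9-b6ea-d5ef0da3ff82} - c:\windows\system32\khfEtRJC.dll
AppInit_DLLs: KATRACK.DLL
2009-01-08 16:25 120 a--sh--- c:\windows\system32\xrsydkwf.ini
2009-01-08 13:52 92,488 a------- c:\windows\system32\drivers\SysPlant.sys
2009-01-07 16:22 73,216 a------- c:\windows\system32\ffkuz.dll
2009-01-06 14:22 0 a------- c:\windows\system32\drivers\seneka.sys
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
"""

# "YYYY-MM-DD HH:MM size attrs path" as printed in the DDS Created Last 30 / Find3M sections.
FILE_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size>[\d,]+|<DIR>) (?P<attrs>[-a-z]{8}) (?P<path>.+)$",
    re.I,
)
# "BHO: <name>: {CLSID} - <path or 'No File'>" as printed in the Pseudo HJT report.
BHO_LINE = re.compile(
    r"^BHO: (?P<name>[^{]*)\{(?P<clsid>[0-9a-f-]{36})\} - (?P<path>.+)$", re.I
)
VOWELS = set("aeiou")


def stem_of(path: str) -> str:
    """File name without directory and extension."""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def looks_random(stem: str) -> bool:
    """Assumed heuristic: 5-8 letters, letters only, fewer than 25% vowels.
    Fits the dropper names in this log (ffkuz, xrsydkwf, khfEtRJC) and spares
    names with digits (gdi32) or a normal vowel ratio (SDHelper)."""
    if not stem.isalpha() or not 5 <= len(stem) <= 8:
        return False
    vowels = sum(1 for c in stem.lower() if c in VOWELS)
    return vowels / len(stem) < 0.25


def triage(log_text: str) -> dict:
    """Return {path_or_key: [reasons]} for every line that trips an indicator."""
    findings = defaultdict(list)
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = BHO_LINE.match(line)
        if m:
            name = m.group("name").strip()
            path = m.group("path").strip()
            missing = path.lower() == "no file"
            key = f"BHO {{{m.group('clsid')}}}" if missing else path
            if missing:
                findings[key].append("BHO points to a missing file (orphaned loading point)")
            else:
                if not name:
                    findings[key].append("BHO registered without a display name")
                if looks_random(stem_of(path)):
                    findings[key].append("random-looking file name")
            continue

        if line.lower().startswith("appinit_dlls:"):
            value = line.split(":", 1)[1].strip()
            if value:
                # Legitimate software uses this key too; it is a review item, not a verdict.
                findings[value].append("loaded via AppInit_DLLs into every GUI process; verify publisher")
            continue

        m = FILE_LINE.match(line)
        if m:
            path = m.group("path").strip()
            attrs = m.group("attrs").lower()
            low = path.lower()
            ext = low.rsplit(".", 1)[-1]
            if "s" in attrs and "h" in attrs and ext in ("dll", "ini", "exe"):
                findings[path].append("system+hidden attributes on a code/data file")
            if ext == "sys" and m.group("size") == "0":
                findings[path].append("zero-byte driver file (remnant left by a dropper)")
            if ext in ("dll", "ini") and "\\drivers\\" not in low and looks_random(stem_of(path)):
                findings[path].append("random-looking file name in system32")
    return dict(findings)


if __name__ == "__main__":
    for key, reasons in triage(SAMPLE_LOG).items():
        print(key)
        for reason in reasons:
            print("   -", reason)
```

Run against the sample, the script flags xrsydkwf.ini, ffkuz.dll, khfEtRJC.dll, the orphaned BHO and seneka.sys, lists KATRACK.DLL for a publisher check, and stays silent on gdi32.dll, SysPlant.sys and SDHelper.dll. The name heuristic is deliberately narrow; widen it only after checking what it does to the legitimate entries in the same log.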


#2 JSntgRvr (Master Surgeon General, Malware Response Team)

Posted 10 January 2009 - 09:23 PM

Hi, VVG :thumbsup:

Welcome.

Click here to download HJTInstall.exe
  • Save HJTInstall.exe to your desktop.
  • Doubleclick on the HJTInstall.exe icon on your desktop.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Do not run it yet
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • If you receive a message that Combofix has detected the presence of rootkit activity and needs to reboot, kindly write down on paper the list of files present in the message before continuing, and post it in your next reply.
  • Install the Recovery Console upon request.
  • When finished, it will produce a report for you.
  • Scan with Hijackthis and save the log.
  • Please post the "C:\ComboFix.txt" along with a HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

No requests for help through private messaging will be attended to.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 VVG (Topic Starter)

Posted 10 January 2009 - 10:19 PM

Hi JSntgRvr,

Thank you so much for your help. I really appreciate it.

Here is the Malwarebytes log:

Malwarebytes' Anti-Malware 1.32
Database version: 1640
Windows 5.1.2600 Service Pack 3

1/10/2009 9:46:00 PM
mbam-log-2009-01-10 (21-46-00).txt

Scan type: Quick Scan
Objects scanned: 56289
Time elapsed: 3 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekadf.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\seneka.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekalog.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\seneka.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\serauth1.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\serauth2.dll (Trojan.Agent) -> Quarantined and deleted successfully.

I'm also attaching the ComboFix.txt and HijackThis log.

I wasn't able to install the recovery tool for ComboFix, because when I clicked to install it, it said that my computer did not have an internet connection. Should I install it now, after ComboFix has finished running? Also, I wasn't sure whether I was supposed to once again turn on my antivirus and antimalware programs, so I did prior to going online to post.

Thanks again for your help! I am awaiting your reply :thumbsup:


#4 JSntgRvr (Master Surgeon General, Malware Response Team)

Posted 11 January 2009 - 01:35 AM

Hi, VVG :thumbsup:
  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop
Collect::
c:\windows\system32\ffkuz.dll
File::
c:\windows\Tasks\liqwgbfi.job
DirLook::
c:\temp\MU_Secure_Download

Once saved, drag CFScript.txt onto ComboFix.exe, and post back the resulting report along with a HijackThis log.

Additionally, ComboFix will generate a zipped file in C:\Qoobox\Quarantine\ called Submit [Date Time].zip

Please submit this file to:

http://www.bleepingcomputer.com/submit-malware.php?channel=4

Please include a link to this topic in the message.

Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses Java technology to perform the scan. If you do not have the latest Java version, follow the instructions below under Upgrading Java to download and install the latest version.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure the following is checked.
    • Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.
Upgrading Java:
  • Download the latest version of Java SE Runtime Environment (JRE) 6 Update 11.
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u11-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version. (Vista users: right-click on jre-6u11-windows-i586-p.exe and select "Run as an Administrator".)



#5 VVG (Topic Starter)

Posted 11 January 2009 - 01:52 PM

Hi JSntgRvr,

I did as you said. I'm pasting the ComboFix report and the Kaspersky WebScanner results, and attaching the HijackThis log. In case you were wondering about the MU_Secure_Download folder, it's on my computer because I used the University of Missouri (MU) to download a fresh copy of Symantec Endpoint. Thanks so much for your help! I'm not deleting any of the files found by Kaspersky, and am awaiting further instructions! One thing that does concern me is that the Kaspersky scanner only scanned some 150,000 files, and I know I have over 300,000 on my computer. I'm not sure if that means anything?

ComboFix 09-01-10.02 - Owner 2009-01-11 1:56:53.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1474 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated)
FW: Symantec Endpoint Protection *disabled*
* Created a new restore point

FILE ::
c:\windows\Tasks\liqwgbfi.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\ffkuz.dll
c:\windows\Tasks\liqwgbfi.job

.
((((((((((((((((((((((((( Files Created from 2008-12-11 to 2009-01-11 )))))))))))))))))))))))))))))))
.

2009-01-10 21:41 . 2009-01-10 21:41 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-10 21:41 . 2009-01-10 21:41 <DIR> d-------- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-01-10 21:41 . 2009-01-10 21:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-10 21:41 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-10 21:41 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-10 21:40 . 2009-01-10 21:40 <DIR> d-------- c:\program files\Trend Micro
2009-01-08 23:56 . 2009-01-08 23:56 <DIR> d-------- C:\VundoFix Backups
2009-01-08 15:30 . 2009-01-08 15:30 <DIR> d---s---- c:\documents and settings\Administrator\UserData
2009-01-08 13:52 . 2008-12-08 21:45 92,488 --a------ c:\windows\system32\drivers\SysPlant.sys
2009-01-08 13:51 . 2009-01-08 13:52 123,952 --a------ c:\windows\system32\drivers\SYMEVENT.SYS
2009-01-08 13:51 . 2009-01-08 13:52 60,800 --a------ c:\windows\system32\S32EVNT1.DLL
2009-01-08 13:51 . 2009-01-08 13:52 10,563 --a------ c:\windows\system32\drivers\SYMEVENT.CAT
2009-01-08 13:51 . 2009-01-08 13:52 805 --a------ c:\windows\system32\drivers\SYMEVENT.INF
2009-01-07 23:43 . 2009-01-09 03:13 <DIR> d-------- C:\QUARANTINE
2009-01-07 21:31 . 2009-01-07 21:31 <DIR> d-------- c:\program files\Common Files\Cisco Systems
2009-01-07 21:31 . 2006-12-19 15:06 1,495,552 --a------ c:\windows\system32\epoPGPsdk.dll
2009-01-07 16:06 . 2009-01-07 16:06 <DIR> d-------- c:\windows\Internet Logs
2009-01-07 16:04 . 2009-01-07 16:04 <DIR> d-------- c:\program files\Common Files\Deterministic Networks
2009-01-07 16:04 . 2009-01-07 16:04 <DIR> d-------- c:\program files\Cisco Systems
2009-01-07 16:04 . 2005-08-18 19:22 110,080 --a------ c:\windows\system32\drivers\dne2000.sys
2009-01-07 16:04 . 2005-08-18 19:22 94,720 --a------ c:\windows\system32\dneinobj.dll
2009-01-07 16:04 . 2009-01-07 16:06 1,592 --a------ c:\windows\VPNInstall.MIF
2009-01-07 16:03 . 2009-01-07 16:19 <DIR> d-------- c:\temp\MU_Secure_Download
2009-01-06 23:12 . 2009-01-08 15:30 <DIR> d-------- c:\documents and settings\Administrator
2009-01-06 20:10 . 2009-01-06 20:09 102,664 --a------ c:\windows\system32\drivers\tmcomm.sys
2009-01-06 20:09 . 2009-01-06 20:10 <DIR> d-------- c:\documents and settings\Owner\.housecall6.6
2009-01-06 17:22 . 2009-01-06 17:22 93 --a------ c:\windows\wininit.ini
2009-01-05 19:55 . 2009-01-05 19:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\Sling Media
2009-01-05 19:54 . 2009-01-05 19:55 <DIR> d-------- c:\program files\Sling Media

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-09 08:19 --------- d-----w c:\program files\SPSS
2009-01-08 18:53 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-08 18:53 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-01-08 18:52 --------- d-----w c:\program files\Symantec
2009-01-08 02:26 --------- d-----w c:\program files\Symantec AntiVirus
2009-01-07 09:01 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-07 08:04 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-07 05:51 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-07 05:50 --------- d-----w c:\program files\Lavasoft
2009-01-07 05:50 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-07 02:59 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2009-01-06 19:12 --------- d-----w c:\documents and settings\Owner\Application Data\dvdcss
2009-01-05 04:56 --------- d-----w c:\program files\DivX
2008-12-16 19:44 --------- d-----w c:\program files\Warcraft III
2008-12-16 19:32 2,829 ----a-w c:\windows\War3Unin.pif
2008-12-16 19:32 139,264 ----a-w c:\windows\War3Unin.exe
2008-12-09 09:07 --------- d-----w c:\program files\Sure Delete
2008-12-09 02:43 42,312 ----a-w c:\windows\system32\drivers\WPSDRVnt.sys
2008-12-09 02:43 357,704 ----a-w c:\windows\system32\sysfer.dll
2008-12-09 02:43 107,848 ----a-w c:\windows\system32\SymVPN.dll
2008-12-09 02:42 49,480 ----a-w c:\windows\system32\FwsVpn.dll
2008-11-27 02:50 --------- d-----w c:\documents and settings\Owner\Application Data\U3
2008-11-21 21:47 524,288 ----a-w c:\windows\system32\DivXsm.exe
2008-11-21 21:47 3,596,288 ----a-w c:\windows\system32\qt-dx331.dll
2008-11-21 21:46 200,704 ----a-w c:\windows\system32\ssldivx.dll
2008-11-21 21:46 1,044,480 ----a-w c:\windows\system32\libdivx.dll
2008-11-21 21:44 161,096 ----a-w c:\windows\system32\DivXCodecVersionChecker.exe
2008-11-21 21:44 12,288 ----a-w c:\windows\system32\DivXWMPExtType.dll
2008-11-18 23:17 23,888 ----a-w c:\windows\system32\drivers\COH_Mon.sys
2008-11-18 23:01 706 ----a-w c:\windows\system32\drivers\COH_Mon.inf
2008-11-18 23:01 10,537 ----a-w c:\windows\system32\drivers\coh_mon.cat
2008-11-12 08:08 --------- d-----w c:\program files\Project64 1.6
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 01:00 666,112 ----a-w c:\windows\system32\wininet.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of c:\temp\MU_Secure_Download ----

2009-01-06 09:03 65360959 --a------ c:\temp\MU_Secure_Download\SEP_11_M4_x32_Unmanaged.exe
2006-02-20 17:20 10939132 --a------ c:\temp\MU_Secure_Download\CiscoVPNClient4.8.00.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2005-04-08 7081984]
"NeroCheck"="c:\windows\system32\\NeroCheck.exe" [2001-07-09 155648]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-11-14 286720]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-08-14 115560]
"nwiz"="nwiz.exe" [2007-12-05 c:\windows\system32\nwiz.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-10-09 113664]
VPN Client.lnk - c:\windows\Installer\{24C67B54-0718-445E-B663-3138D9246BD1}\Icon3E5562ED7.ico [2009-01-07 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NavLogon]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WgaLogon]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=KATRACK.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3fhg"= mp3fhg.acm
"msacm.divxa32"= divxa32.acm
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antvirus]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
--a------ 2008-01-11 18:54 623992 c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2007-04-27 16:17 50736 c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KeyAccess]
--a------ 2006-10-09 13:00 552960 c:\windows\keyacc32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
--a------ 2007-06-20 12:49 451872 c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-03-30 23:16 1271032 c:\program files\Steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"TabletService"=2 (0x2)
"mnmsrvc"=3 (0x3)
"iPod Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\keyacc32.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 2009\\3dsmax.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Sling Media\\SlingPlayer\\SlingPlayer.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-01-08 99376]
R4 ACEDRV09;ACEDRV09;c:\windows\system32\drivers\ACEDRV09.sys [2007-09-15 110304]
R4 mi-raysat_3dsMax2009_32;mental ray 3.6 Satellite for Autodesk 3ds Max 2009 32-bit 32-bit;c:\program files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe [2008-03-09 65536]
R4 SlingAgentService;SlingAgentService;c:\program files\Sling Media\SlingAgent\SlingAgentService.exe [2008-12-10 88576]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-11-18 23888]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{160a40a8-9baf-11dc-bfce-00132094ee27}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1f65925a-8132-11dd-8038-00132094ee27}]
\Shell\AutoRun\command - .\Encryption Tool\MaxtorEncryption.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{37baa650-bb74-11dd-8057-00132094ee27}]
\Shell\AutoRun\command - f:\wd_windows_tools\WDSetup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
- - - - ORPHANS REMOVED - - - -

BHO-{584983AA-F7C8-4DE7-8F32-CA89DCF40E6F} - (no file)
BHO-{D0637C55-DA0B-46E9-B6EA-D5EF0DA3FF82} - (no file)


.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\dr8dydl6.default\
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-11 01:57:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-01-11 1:59:41
ComboFix-quarantined-files.txt 2009-01-11 06:59:39
ComboFix2.txt 2009-01-11 03:06:16

Pre-Run: 169,050,456,064 bytes free
Post-Run: 169,038,450,688 bytes free

231 --- E O F --- 2009-01-09 08:00:11


KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, January 11, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, January 11, 2009 06:22:22
Records in database: 1601316
Scan settings
  Scan using the following database: extended
  Scan archives: yes
  Scan mail databases: yes
  Scan area: My Computer
    C:\
    D:\
Scan statistics
  Files scanned: 159358
  Threat name: 4
  Infected objects: 4
  Suspicious objects: 0
  Duration of the scan: 02:21:56

File name Threat name Threats count
C:\Documents and Settings\Owner\.housecall6.6\Quarantine\hgGywVlL.dll.bac_a01380 Infected: Packed.Win32.PolyCrypt.d 1
C:\Documents and Settings\Owner\.housecall6.6\Quarantine\prunnet.exe.bac_a01380 Infected: Trojan.Win32.Agent.bcbh 1
C:\Qoobox\Quarantine\[4]-Submit_2009-01-11@1.56.zip Infected: Trojan-Downloader.Win32.Murlo.vn 1
C:\UBCD4Win\BartPE\PROGRAMS\ultravnc\vnchooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c 1
The selected area was scanned.


#6 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,700 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:03:35 AM

Posted 11 January 2009 - 04:30 PM

Please download GooredFix and save it to your Desktop. Double-click Goored.exe to run it. Select 1. Find Goored (no fix) by typing 1 and pressing Enter. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt). Note: Do not run Option #2 yet.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif


#7 VVG

VVG
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:02:35 AM

Posted 11 January 2009 - 04:41 PM

Hi JSntgRvr,

Here is the log!

GooredFix v1.8 by jpshortstuff
Log created at 16:40 on 11/01/2009 running Option #1 (Owner)
Firefox version 3.0.4 (en-US)

=====Suspect Goored Entries=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{F6CADF43-80E8-403D-91C4-A8393C60F2BF}"="C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\{F6CADF43-80E8-403D-91C4-A8393C60F2BF}\"

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.4\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.4\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{F6CADF43-80E8-403D-91C4-A8393C60F2BF}"="C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\{F6CADF43-80E8-403D-91C4-A8393C60F2BF}\"
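
The ComboFix and GooredFix logs in this thread are read by eye. The following is an added example, my own code and not part of the thread or of either tool, that turns that reading into a repeatable check. It parses the registry-dump layout both logs share and flags the entries a responder looks at first: a populated AppInit_DLLs value (a DLL loaded into every process that links user32.dll), Security Center monitoring switched off for an antivirus product, a Windows Firewall profile with EnableFirewall set to 0, AutoRun handlers cached under MountPoints2, and a Firefox extension registered machine-wide under HKLM\SOFTWARE\Mozilla\Firefox\extensions from anywhere other than Program Files, which is the Goored entry GooredFix removed above. The sample lines are constructed from excerpts of this thread's logs; the category names, the rule set and the function names are this example's own assumptions. A flag is a review item, not a verdict: KATRACK.DLL may well belong to the KeyAccess client (keyacc32.exe) that also appears in the startup entries, and the MountPoints2 handlers here are U3 and vendor-tool launchers.

```python
"""Flag the registry loading points an analyst checks first in a
ComboFix / GooredFix style log. Added example for this thread; the rule
set, category names and function names are this example's own assumptions."""
import re
from typing import List, Optional, Tuple

# Constructed sample: lines excerpted from the logs posted in this thread,
# in the "[key]" / '"name"=value' layout that ComboFix and GooredFix share.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=KATRACK.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.4\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{F6CADF43-80E8-403D-91C4-A8393C60F2BF}"="C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\{F6CADF43-80E8-403D-91C4-A8393C60F2BF}\"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")                # [HKEY_...\path]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')   # "name"=value
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command\s+-\s+(.+)$", re.IGNORECASE)

Finding = Tuple[str, str]  # (category, detail)


def _clean(value: str) -> str:
    """Drop ComboFix's trailing ' (0x0)' annotation and surrounding quotes."""
    value = re.sub(r"\s*\(0x[0-9a-fA-F]+\)$", "", value.strip())
    return value.strip().strip('"')


def _number(value: str) -> Optional[int]:
    """Parse 'dword:00000001' or a bare decimal; None for anything else."""
    v = value.lower()
    if v.startswith("dword:"):
        return int(v[len("dword:"):], 16)
    return int(v) if v.isdigit() else None


def scan_loading_points(log_text: str) -> List[Finding]:
    """Walk the log once; every value line belongs to the most recent [key]."""
    findings: List[Finding] = []
    key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        lk = key.lower()
        leaf = key.rsplit("\\", 1)[-1]  # last path component, e.g. the profile name

        # MountPoints2 caches the AutoRun command of media that was plugged in;
        # it is a classic USB-worm persistence spot, so list every handler.
        m = AUTORUN_RE.match(line)
        if m and "mountpoints2" in lk:
            findings.append(("autorun-handler", m.group(1)))
            continue

        m = VALUE_RE.match(line)
        if not m:
            continue
        name_raw, value = m.group(1), _clean(m.group(2))
        name = name_raw.lower()

        if lk.endswith("\\windows nt\\currentversion\\windows") and name == "appinit_dlls" and value:
            findings.append(("appinit-dll", value))
        elif "security center\\monitoring" in lk and name == "disablemonitoring" and _number(value) == 1:
            findings.append(("av-monitoring-disabled", leaf))
        elif "firewallpolicy" in lk and name == "enablefirewall" and _number(value) == 0:
            findings.append(("firewall-disabled", leaf))
        elif lk.endswith("\\mozilla\\firefox\\extensions") and not value.lower().startswith("c:\\program files\\"):
            # GooredFix's "Goored" case: an extension registered machine-wide
            # from a profile directory rather than from Program Files.
            findings.append(("firefox-extension-outside-program-files", f"{name_raw} -> {value}"))
    return findings


if __name__ == "__main__":
    for category, detail in scan_loading_points(SAMPLE_LOG):
        print(f"{category:40s} {detail}")
```

Run it as-is to print the flagged entries for the embedded sample, or pass the text of a real ComboFix.txt or Goored.txt to scan_loading_points(). The lines that are not flagged (the ctfmon.exe Run value, the jqs@sun.com extension under Program Files, the Plugins value under the versioned "Mozilla Firefox 3.0.4" key) show that the rules key on the loading mechanism and the location, not on a line merely being present in the log.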

#8 JSntgRvr

Posted 11 January 2009 - 07:06 PM

Please double-click GooredFix.exe on your Desktop to run it.
  • Select "2. Fix Goored" by typing 2 and pressing Enter.
  • Make sure all instances of Firefox are closed at this point.
  • Type y at the prompt and press Enter again.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.



#9 VVG

Posted 11 January 2009 - 07:47 PM

Hi JSntgRvr,

Here is the log:

GooredFix v1.8 by jpshortstuff
Log created at 19:39 on 11/01/2009 running Option #2 (Owner)
Firefox version 3.0.4 (en-US)

=====Goored Deletions=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{F6CADF43-80E8-403D-91C4-A8393C60F2BF}"="C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\{F6CADF43-80E8-403D-91C4-A8393C60F2BF}\"
->Backing up value... Done.
->Deleting value... Done.

C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\{F6CADF43-80E8-403D-91C4-A8393C60F2BF}\
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Failed.
->Delete on reboot... Set.

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.4\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.4\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

=====Reboot=====

#10 JSntgRvr

Posted 11 January 2009 - 09:21 PM

How is the computer doing?



#11 VVG

Posted 11 January 2009 - 09:37 PM

Hi JSntgRvr,

Everything seems to be running smoothly :thumbsup:, Thank you!!

I still do not have the ability to change options in the Remote Procedure Call process under administrative tools, but I don't know if I'm meant to have that option. However, since that last fix, I have not noticed the computer making any noise or starting extra rundll32 processes. Is it okay for me to delete the viruses that are in the different quarantine folders pointed out by the Kaspersky Webscanner?

Thanks again for your help. I'm very glad to have my computer back in working order!

#12 JSntgRvr

Posted 11 January 2009 - 09:57 PM

Hi, VVG :thumbsup:

Let's do some housekeeping.

Open Trend Micro and remove the Quarantined Files.

Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Since the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, as well as the folders created by these tools.

Follow these steps to uninstall Combofix and tools used in the removal of malware
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the x and the /u, it needs to be there.

Create a Restore point (If the above process fails to do so):
  • Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore.
  • In the System Restore dialog box, click Create a restore point, and then click Next.
  • Type a description for your restore point, such as "After Cleanup", then click Create.
The Remote Procedure Call should be set to Automatic and all buttons are greyed by default. Without it most Windows functions won't work, thus it is protected.

How is it set in the computer?



#13 VVG

Posted 11 January 2009 - 10:12 PM

Thanks JSntgRvr,

I have performed all of the steps. The Remote Procedure Call is set to Automatic and everything is greyed out, so everything seems to check out fine. I was a little surprised that this infection happened, as I had Spy-Bot and Symantec running the entire time and did not manually execute any files. Do you have any suggestions on any software I should download to prevent further attacks in the future? (I'm running the default Windows Firewall, so I don't know how effective that is...)

Thanks again. You guys perform a wonderful service, and I'm truly grateful for your help!

#14 JSntgRvr

Posted 12 January 2009 - 03:32 PM

Hi, VVG :thumbsup:

There is no defense against new variants. Only by observing good practices while online will you be able to protect yourself.

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  • AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
  • SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  • ZonedOut + IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • ATF! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
  • Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
  • Recovery Console - Recent trends appear to indicate that future infections will include attacks to the boot sector of the computer. The installation of the Recovery Console in the computer will be our only defense against this threat. For more information and steps to install the Recovery Console see This Article. Should you need assistance in installing the Recovery Console, please do not hesitate to ask.
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein and this one by Miekiemoes.

Best wishes!



#15 JSntgRvr

Posted 18 January 2009 - 04:16 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.





