
Virtumonde free? Symptoms clear; request check of logs



#1 alimo20

Posted 17 February 2009 - 06:14 PM

I was recently infected with Virtumonde. I did most of the cleaning manually using HJT logs and ComboFix.
Please let me know if this system appears clean.
Thank you!


DDS (Ver_09-02-01.01) - NTFSx86
Run by xxxx at 18:07:33.39 on 2009-02-17
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1362 [GMT -5:00]

AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\program files\cscmarimba\tuner\Tuner.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Lotus\Notes\ntmulti.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
C:\Program Files\SupportSoft_AMER_CSCi\bin\sprtsvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\SupportSoft_AMER_CSCi\bin\tgsrvc.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\ISS\issSensors\DesktopProtection\blackice.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\program files\cscmarimba\tuner\lib\minituner.exe
C:\Documents and Settings\aokur\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>;*.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
mRun: [ATIModeChange] Ati2mdxx.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [TPHOTKEY] c:\progra~1\thinkpad\pkgmgr\hotkey\TPHKMGR.exe
mRun: [TpShocks] TpShocks.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [SupportSoft_AMER_CSCi] "c:\program files\supportsoft_amer_csci\bin\sprtcmd.exe" /P SupportSoft_AMER_CSCi
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
dRunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\REALSE~1.LNK -
uPolicies-explorer: GreyMSIAds = 1 (0x1)
mPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
mPolicies-system: LogonType = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
DPF: Sametime MRC 651FP1 - hxxps://amer-st09.amer.csc.com/sametime/stmeetingroomclient/STMeetingRoomClient.cab
DPF: {036F8A56-0BC8-4607-8F98-D3231E6FF5ED} - hxxp://mt202.centra.com/SiteRoots/main/Install/win32/CentraUpdaterAx.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} - hxxps://workplace.amer.csc.com/qp2.cab
DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} - hxxps://amer-ml35.amer.csc.com/iNotes6W.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.3.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229992144015
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8F0DF9DB-AA5A-4ED0-9176-1C4A9C762C59} - hxxps://amer-st09.amer.csc.com/sametime/STMeetingRoomClient/STJNILoader.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Notify: ACNotify - ACNotify.dll
Notify: igfxcui - igfxdev.dll
Notify: tpfnf2 - notifyf2.dll
Notify: tphotkey - abc
LSA: Notification Packages = scecli ACGina

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\aokur\applic~1\mozilla\firefox\profiles\ms5uxzqv.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.csc.com/
FF - component: c:\documents and settings\aokur\application data\mozilla\firefox\profiles\ms5uxzqv.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc.dll
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\documents and settings\aokur\application data\mozilla\firefox\profiles\ms5uxzqv.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp07074039.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - HiddenExtension: XUL Cache: {1C0F67CB-3DF5-454B-B239-8D47954D3FED} - c:\documents and settings\aokur\local settings\application data\{1c0f67cb-3df5-454b-b239-8d47954d3fed}\

============= SERVICES / DRIVERS ===============

P2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\mcshield.exe [2008-7-16 144704]
R0 Shockprf;Shockprf;c:\windows\system32\drivers\ApsX86.sys [2007-3-2 100656]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2007-3-2 19760]
R1 ANC;ANC;c:\windows\system32\drivers\ANC.sys [2007-6-27 11520]
R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.sys [2007-6-27 4224]
R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2008-7-16 31816]
R2 cscmarimba;cscmarimba;c:\program files\cscmarimba\tuner\Tuner.exe [2007-4-25 36953]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\vstskmgr.exe [2008-7-16 54608]
R2 sprtlisten;SupportSoft Listener Service;c:\program files\common files\supportsoft\bin\sprtlisten.exe [2008-10-23 1213728]
R2 sprtsvc_supportsoft_amer_csci;SupportSoft Sprocket Service (supportsoft_amer_csci);c:\program files\supportsoft_amer_csci\bin\sprtsvc.exe [2008-10-23 202016]
R2 tgsrvc_supportsoft_amer_csci;SupportSoft Repair Service (supportsoft_amer_csci);c:\program files\supportsoft_amer_csci\bin\tgsrvc.exe [2008-10-23 148768]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2008-12-16 72936]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2008-12-16 33960]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2008-12-16 174952]
R3 swivsp;AC8xx Virtual Serial Port;c:\windows\system32\drivers\swivspnt.sys [2007-3-26 20352]
S0 black;black;c:\windows\system32\drivers\blackdrv.sys [2005-7-25 229367]
S2 BlackICE;BlackICE;c:\program files\iss\isssensors\desktopprotection\blackd.exe [2005-7-25 847872]
S3 RapFile;RapFile;c:\windows\system32\drivers\RapFile.sys [2005-7-25 36676]
S3 RapNet;RapNet;\??\c:\windows\system32\drivers\rapnet.sys --> c:\windows\system32\drivers\RapNet.sys [?]
S3 xbreader;MaxDrive XBox Driver (xbreader.sys);c:\windows\system32\drivers\xbreader.sys [2001-1-2 19677]
S4 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2008-12-16 103744]

=============== Created Last 30 ================

2009-02-17 16:18 388,608 a------- c:\windows\system32\CF22306.exe
2009-02-17 16:18 <DIR> --d----- C:\ComboFix123
2009-02-13 15:26 99,696 a------- c:\windows\system32\drivers\43b1aa34.sys
2009-02-13 15:26 <DIR> --d----- c:\windows\system32\inf
2009-02-13 14:22 <DIR> --d----- c:\windows\system32\3361
2009-02-13 14:22 99,696 a------- c:\windows\system32\drivers\72a34610.sys
2009-02-13 14:01 <DIR> a-dshr-- C:\cmdcons
2009-02-13 10:32 <DIR> --d----- c:\docume~1\aokur\applic~1\TortoiseSVN
2009-02-12 20:48 <DIR> --d----- C:\Quarantine
2009-02-11 10:39 <DIR> --d----- c:\program files\JXplorer
2009-02-11 10:39 <DIR> --d-h--- c:\documents and settings\aokur\InstallAnywhere
2009-02-09 12:22 <DIR> --d----- c:\program files\GnuWin32
2009-02-09 12:18 91,648 a------- c:\documents and settings\aokur\gzip.exe
2009-02-09 12:01 <DIR> --d----- C:\ant
2009-02-09 11:15 <DIR> --d----- c:\docume~1\aokur\applic~1\Subversion
2009-02-09 10:59 <DIR> --d----- C:\cygwin
2009-02-09 10:48 <DIR> --d----- c:\program files\TortoiseSVN
2009-02-09 10:48 <DIR> --d----- c:\program files\common files\TortoiseOverlays
2009-01-30 14:25 14,848 ac------ c:\windows\system32\dllcache\kbdhid.sys
2009-01-30 14:25 14,848 a------- c:\windows\system32\drivers\kbdhid.sys
2009-01-25 01:28 <DIR> --d----- c:\program files\iPod
2009-01-25 01:28 <DIR> --d----- c:\program files\iTunes
2009-01-25 01:28 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-25 01:27 <DIR> --d----- c:\program files\Bonjour
2009-01-23 15:37 <DIR> --d----- c:\windows\system32\Adobe
2009-01-22 13:34 <DIR> --d----- c:\program files\PeerGuardian2

==================== Find3M ====================

2009-01-07 15:48 410,984 a------- c:\windows\system32\deploytk.dll

============= FINISH: 18:08:19.48 ===============
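A log triage helper, added here and not part of either post, that splits a DDS log into its banner sections and flags the kind of entries a helper would look at first: a hidden Firefox extension, recently created drivers with random eight-hex-character names, and recently created files that share a byte size. The sample log is a constructed excerpt modelled on the one above, and the checks are heuristics, not a verdict on any file.

```python
import re
from collections import defaultdict

# Constructed excerpt in the shape of the DDS log posted above (not the full log).
SAMPLE_LOG = r"""
================= FIREFOX ===================
FF - prefs.js: browser.search.selectedEngine - Google
FF - HiddenExtension: XUL Cache: {1C0F67CB-3DF5-454B-B239-8D47954D3FED} - c:\documents and settings\aokur\local settings\application data\{1c0f67cb-3df5-454b-b239-8d47954d3fed}\
=============== Created Last 30 ================
2009-02-13 15:26 99,696 a------- c:\windows\system32\drivers\43b1aa34.sys
2009-02-13 14:22 <DIR> --d----- c:\windows\system32\3361
2009-02-13 14:22 99,696 a------- c:\windows\system32\drivers\72a34610.sys
2009-01-30 14:25 14,848 a------- c:\windows\system32\drivers\kbdhid.sys
============= FINISH: 18:08:19.48 ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")          # "===== NAME =====" banners
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+(\S+)\s+(.+)$")
RANDOM_SYS_RE = re.compile(r"^[0-9a-f]{8}\.sys$", re.IGNORECASE)  # e.g. 43b1aa34.sys

def split_sections(text):
    """Group the non-blank lines of a DDS log under their banner name."""
    sections, current = defaultdict(list), None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
        elif current and line.strip():
            sections[current].append(line)
    return sections

def triage(text):
    """Return (reason, detail) pairs worth a second look; heuristics only."""
    sections, findings, by_size = split_sections(text), [], defaultdict(list)
    for line in sections.get("FIREFOX", []):
        if line.startswith("FF - HiddenExtension:"):
            findings.append(("hidden Firefox extension", line))
    for line in sections.get("Created Last 30", []):
        m = CREATED_RE.match(line)
        if not m:
            continue
        size, name = m.group(2), m.group(4).rsplit("\\", 1)[-1]
        if RANDOM_SYS_RE.match(name):
            findings.append(("driver with random hex name", line))
        if size != "<DIR>":
            by_size[size].append(name)
    for size, names in by_size.items():
        if len(names) > 1:  # two differently named files of identical size
            findings.append(("same-size files created recently", ", ".join(names)))
    return findings
```

Run `triage(open("dds.txt").read())` on a saved DDS log to get the list of flagged entries; each flag is a starting point for checking the file, not a removal instruction.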

#2 Thunder

Posted 24 February 2009 - 01:13 PM

Hello Alimo20 and welcome to Bleeping Computer,

1. Please download GooredFix and save it to your Desktop.
  • Select "2. Fix Goored" by typing 2 and pressing Enter.
  • Make sure all instances of Firefox are closed at this point.
  • Type y at the prompt and press Enter again.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.

2. Please read this tutorial carefully to download ComboFix from one of the locations specified, and save it to your Desktop.
Double click the ComboFix icon to run it.
If ComboFix asks you to install the Recovery Console, please do so.
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.
Once the Recovery Console is installed, continue with the malware scan.

Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply.

If you have any questions along the way, STOP and ask them before proceeding!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...