
Win32/PEPatch virus & AVG free update problem.


This topic is locked
32 replies to this topic

#1 mike=)).

  • Members
  • 111 posts
  • Gender:Male
  • Location:somewhere near Amsterdam

Posted 01 March 2009 - 02:09 PM

... continuing to attempt to remove a Win32/PEPatch virus and get AVG free antivirus software running properly.

The original topic can be found here:
http://www.bleepingcomputer.com/forums/t/204978/win32pepatch-virus-detected-but-not-removed/

In summary the infection:

Infections
File;"Infection";"Result"
C:\Program Files\COMODO\Firewall\cmdagent.exe (1272);"Virus found Win32/PEPatch";"Infected"
C:\Program Files\COMODO\Firewall\Repair\heur.cav;"Virus found Win32/PEPatch";"Moved to Virus Vault"
C:\Program Files\COMODO\Firewall\SCANNERS\heur.cav;"Virus found Win32/PEPatch";"Infected"
C:\Program Files\COMODO\Firewall\scanners\heur.cav;"Virus found Win32/PEPatch";"Infected"

The AVG problem:
The automatic updater for AVG fails.
Manual updating appears to work, but after completing the required re-boot, and checking the status of the databases, they continue to be out-of-date (17 Feb. 2007). Plus I get an AVG message every few hours: "this system needs a restart" (for the updates to complete installation)

Uninstalling AVG was without success:

Local machine: installation failed
Installation:
Error: Action failed for file avg.snu: creating backup....
Error 0x80070002 %DESTINATION% = "C:\Program Files\AVG\AVG8\avg.snu.install_backup_1", %SOURCE% = "C:\Program Files\AVG\AVG8\avg.snu"


Also, any help in cleaning up of unwanted programs running on the side would be great!!!

Thanks for your help !!!

Michael.

I have run the DDS tool, logs as follows:

DDS (Ver_09-02-01.01) - NTFSx86
Run by test at 19:47:02.20 on Sun 03/01/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.2.1251.7.1033.18.1535.783 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated)
FW: COMODO Firewall *enabled*

============== Running Processes ===============

C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Gene6 FTP Server\G6FTPSERVER.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP2c\RpcAgentSrv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\IIIUploader\IIIU\IIIU.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\Miranda\Miranda IM\miranda32.exe
C:\Documents and Settings\test\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: Adobe PDF Reader Help bij koppelingen: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
BHO: EWPP - No File
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [EPSON Stylus DX8400 Series] c:\windows\system32\spool\drivers\w32x86\3\e_faticee.exe /fu "c:\windows\temp\E_S120.tmp" /EF "HKCU"
mRun: [CTSysVol] c:\program files\creative\sbaudigy2\surround mixer\CTSysVol.exe
mRun: [CTDVDDet] c:\program files\creative\sbaudigy2\dvdaudio\CTDVDDet.EXE
mRun: [CTHelper] CTHELPER.EXE
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [CTStartup] "c:\program files\creative\splash screen\CTEaxSpl.EXE" /run
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [CloneCDTray] "c:\program files\slysoft\clonecd\CloneCDTray.exe" /s
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [COMODO Firewall Pro] "c:\program files\comodo\firewall\cfp.exe" -h
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [COMODO Internet Security] "c:\program files\comodo\firewall\cfp.exe" -h
dRunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32
dRunOnce: [IE7-11] rundll32 advpack.dll,LaunchINFSection NR_IE7en.inf,AfterUserStart
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
mPolicies-explorer: =
IE: E&xporteren naar Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1192314608843
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1192313977562
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs: avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\test\applic~1\mozilla\firefox\profiles\l55ivwdq.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbarff\components\vmAVGConnector.dll
FF - component: c:\program files\mozilla firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar.dll
FF - component: c:\program files\mozilla firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metrics.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-25 97928]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-10-13 26824]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2008-10-10 110992]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2008-10-10 24336]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-9-3 231704]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\firewall\cmdagent.exe [2008-10-10 700152]
R2 G6FTPServer;Gene6 FTP Server;c:\program files\gene6 ftp server\G6FTPServer.exe [2005-4-4 963584]
R2 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\sisoftware\sisoftware sandra lite xii.sp2c\RpcAgentSrv.exe [2008-6-12 98488]
R3 ctgame;Game Port;c:\windows\system32\drivers\ctgame.sys [2007-10-13 10368]
RUnknown SASKUTIL;SASKUTIL; [x]
S3 hitmanpro3;Hitman Pro 3 Support Driver;\??\c:\windows\system32\drivers\hitmanpro3.sys --> c:\windows\system32\drivers\hitmanpro3.sys [?]

=============== Created Last 30 ================

2009-02-22 08:17 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-22 08:17 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-22 08:17 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-21 05:27 --d----- c:\docume~1\alluse~1.win\applic~1\SUPERAntiSpyware.com
2009-02-21 05:27 --d----- c:\program files\SUPERAntiSpyware
2009-02-21 05:27 --d----- c:\docume~1\test\applic~1\SUPERAntiSpyware.com
2009-02-09 00:13 --d----- c:\docume~1\test\applic~1\Malwarebytes

==================== Find3M ====================

2009-02-27 09:38 155,384 a------- c:\windows\system32\guard32.dll
2009-02-27 09:38 110,992 a------- c:\windows\system32\drivers\cmdguard.sys
2009-02-20 01:39 24,336 a------- c:\windows\system32\drivers\cmdhlp.sys
2008-12-28 14:29 410,984 a------- c:\windows\system32\deploytk.dll
2007-10-13 05:57 16,384 a--sh--- c:\windows\system32\config\systemprofile\cookies\index.dat
2007-10-13 05:57 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\index.dat
2007-10-13 05:56 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012007101220071013\index.dat
2007-10-13 05:57 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\index.dat

============= FINISH: 19:48:05.89 ===============


Edited by mike=))., 01 March 2009 - 02:24 PM.



#2 Tomk_

    Malware Eradicator


  • Malware Response Team
  • 686 posts

Posted 11 March 2009 - 04:18 PM

Hi mike=)).,

Welcome to Bleeping Computers

My name is Tomk_. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research, so please be patient and I'd be grateful if you would note the following:
  • I will be working on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, feel free to create a new one.
I apologize for the delay in response. We get overwhelmed at times but we are trying our best to keep up.

You appear to be running a very out-of-date version of AVG anti-virus. It won't get updates because it is no longer supported.

Please uninstall the one you have and choose one of these current free ones (personally, I think AVG is a resource hog so I like Avast or Avira):

1) Antivir PersonalEditionClassic
-Free anti-virus software for Windows.
-Detects and removes more than 50,000 viruses. Free support.
2) avast! 4 Home Edition
-Anti-virus program for Windows.
-The home edition is freeware for noncommercial users
3) AVG Anti-Virus Free Edition
- Free edition of the AVG anti-virus program for Windows.
- Available for single computer use for home and non commercial use.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts.

Your Java is out of date and you have other old versions still on your computer, those old versions are now a security vulnerability:

Please download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer - Version 6 update 12

Then


Please go to Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.


#3 mike=)). (Topic Starter)

  • Members
  • 111 posts
  • Gender:Male
  • Location:somewhere near Amsterdam

Posted 11 March 2009 - 04:58 PM

Hi Tomk_

first a short reply to go thru the preliminaries, and let you know I got and give thanks for your reply!!

I've saved your reply as word doc to my desktop for fast reference.

I cannot un-install AVG. I tried all the usual methods (see previous thread: post #10-11 in this thread: http://www.bleepingcomputer.com/forums/t/204978/win32pepatch-virus-detected-but-not-removed/ ), but none work. I've noticed that it is a resource hog. I do not want two antivirs either. Considering ESET NOD32, which I use on my laptop. Let's try and uninstall AVG first.

I shall update Java asap. Right now, I'm overwhelmed with a lot of work that needs finishing (I run a website and admin a forum, along side a full-time job). Same goes for Kaspersky... might need a few days...

Thanks for your help... bbs

mike=)).

Edited by mike=))., 11 March 2009 - 05:01 PM.


#4 Tomk_

    Malware Eradicator


  • Malware Response Team
  • 686 posts

Posted 11 March 2009 - 05:10 PM

mike=)).,

When you get the chance... Try installing AVG again. If it will re-install, then reboot, and try to uninstall.

#5 mike=)). (Topic Starter)

  • Members
  • 111 posts
  • Gender:Male
  • Location:somewhere near Amsterdam

Posted 17 March 2009 - 01:32 PM

mike=)).,

When you get the chance... Try installing AVG again. If it will re-install, then reboot, and try to uninstall.


That worked!!!

I now have Avast! (which I don't like very much, so may switch to something else later)

I've updated Java too. Need to check that maybe, as I'm not sure the last part went as it should.

Running Kaspersky... that will take ages. I do not intend screening the external hdds unless I really have to. (approx. 2,7 TB will take too long right now). Let me know if that should be done.

Thanks!!

#6 mike=)). (Topic Starter)

  • Members
  • 111 posts
  • Gender:Male
  • Location:somewhere near Amsterdam

Posted 17 March 2009 - 02:05 PM

..ok the scan blocked at about 27 minutes while scanning the file:
CTTranQU.crl in the directory
C:\Program Files\Creative\Media Source

5 suspect objects and 1 threat were detected, but Kaspersky would not display the threats or save a log.

(I turned off Avast! before running the scan)

#7 Tomk_

    Malware Eradicator


  • Malware Response Team
  • 686 posts

Posted 17 March 2009 - 02:26 PM

mike=)).,

It takes forever. I predict it will take at least 2 hours. If it looks like it froze, just let it sit for at least 20 minutes before believing it's not actually working. Odds are, it will continue if you're patient. I've found sometimes, it's best to start it before going to bed and just look for results in the morning. :thumbup2:

#8 mike=)). (Topic Starter)

  • Members
  • 111 posts
  • Gender:Male
  • Location:somewhere near Amsterdam

Posted 18 March 2009 - 11:45 AM

8,5 hours... I left the PC on the whole day while at work.
(glad I didn't add the external HDD's yet).
Not too sure the Java update went ok... need to check that later...

so here ya go....

...and a big question first: Remote Admin, does that mean someone is tampering with my PC?
(I'll PM you why this is important, and may need extra attention)

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, March 18, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, March 18, 2009 00:36:02
Records in database: 1924372
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan statistics:
Files scanned: 335651
Threat name: 6
Infected objects: 14
Suspicious objects: 5
Duration of the scan: 08:23:43


File name / Threat name / Threats count
C:\Documents and Settings\Michael\Local Settings\Application Data\Identities\{21E995C6-8913-4983-AC02-5540682E6690}\Microsoft\Outlook Express\Postvak IN.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 4
C:\Documents and Settings\Michael\Local Settings\Application Data\Identities\{21E995C6-8913-4983-AC02-5540682E6690}\Microsoft\Outlook Express\Postvak UIT.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Program Files\RealVNC\VNC4\vncclipboard.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\Program Files\RealVNC\VNC4\vncconfig.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\Program Files\RealVNC\VNC4\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\Program Files\RealVNC\VNC4\wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
E:\Download manager\fdminst.exe Infected: not-a-virus:AdWare.Win32.NavExcel.h 1
E:\Download manager\fdminst.exe Infected: not-a-virus:AdWare.Win32.NavExcel.m 1
E:\Download manager\fdminst.exe Infected: not-a-virus:AdWare.Win32.NavExcel.r 1
E:\Download manager\fdminst.exe Infected: not-a-virus:AdWare.Win32.NavExcel.t 1
E:\Miranda\Miranda IM\Received Files\812197\RealVNC Enterprise Edition 4.2.5\setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 5
E:\Miranda\Miranda IM\Received Files\812197\RealVNC Enterprise Edition 4.2.5\vnc-E4_2_5-x86_win32_viewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1

The selected area was scanned.

Edited by mike=))., 18 March 2009 - 11:51 AM.


#9 Tomk_

    Malware Eradicator


  • Malware Response Team
  • 686 posts

Posted 18 March 2009 - 06:46 PM

mike=)).,

In this case, the Remote Admin warning is just telling you that if you allow someone to control your computer using your installed VNC program, well... they will be able to control your computer right up to admin rights. I doubt that someone could/would be running VNC on your computer without your knowledge and I hope that you don't take risks with VPN's so this isn't really an issue.

The trickier part of that information is that you have some contaminated files in your Outlook Express folder. These will probably be contaminated emails from (hopefully) someone you don't know. I do not have any way to tell which emails are the culprits. Please go through all of your emails in all of your folders. Delete all that you don't need or recognize. Odds are that the "bad" ones will have either a hyperlink or an attachment. Please do not open any attachments or click on any links unless you know what they are and are positive that they are safe. Once you've done that, please delete all files in your Deleted Items folder.

Please download the OTMoveIt3 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :Processes
    explorer.exe
    
    :Services
    
    :Reg
    
    :Files
    E:\Download manager\fdminst.exe
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


Then please give me another DDS log.
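The triage the helper applies above (a RemoteAdmin tool that is only a problem if the owner did not install it, mailbox detections that mean deleting messages rather than the mailbox file, and adware in a download), written out as an added Python example that is not part of the thread. It parses the "File name / Threat name / Threats count" section in the layout quoted in post #8; the sample lines are constructed from that report and the bucket names are my assumptions.

```python
"""Sort a Kaspersky Online Scanner 7 report into response buckets.

The scanner lists a mail store (.dbx), a legitimate remote-administration tool
tagged "not-a-virus:RemoteAdmin", and adware in one undifferentiated list, yet
each needs a different response. This script parses the report lines and
groups them so the owner can act on each bucket separately.
"""
import re
from collections import defaultdict

# One report line: <path with spaces> <Suspicious|Infected>: <threat> <count>
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<verdict>Suspicious|Infected): (?P<threat>\S+) (?P<count>\d+)$"
)

# Constructed sample in the report's layout (paths taken from the thread).
SAMPLE_REPORT = r"""
File name / Threat name / Threats count
C:\Documents and Settings\Michael\Local Settings\Application Data\Identities\{21E995C6-8913-4983-AC02-5540682E6690}\Microsoft\Outlook Express\Postvak IN.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 4
C:\Program Files\RealVNC\VNC4\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
E:\Download manager\fdminst.exe Infected: not-a-virus:AdWare.Win32.NavExcel.h 1
E:\Download manager\fdminst.exe Infected: not-a-virus:AdWare.Win32.NavExcel.m 1

The selected area was scanned.
"""

# Mail-store containers: a hit inside one points at a message, not at the file.
MAIL_STORE_SUFFIXES = (".dbx", ".pst", ".mbx")


def parse_report(text):
    """Return one dict per detection line; headers and summary lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["count"] = int(d["count"])
            findings.append(d)
    return findings


def classify(finding):
    """Map a finding to the bucket that decides the response (assumed names)."""
    path = finding["path"].lower()
    threat = finding["threat"]
    if path.endswith(MAIL_STORE_SUFFIXES):
        # Delete the offending messages and empty Deleted Items; keep the store.
        return "mail_store"
    if threat.startswith("not-a-virus:RemoteAdmin."):
        # Legitimate remote control; a compromise only if the owner did not install it.
        return "remote_admin"
    if threat.startswith("not-a-virus:AdWare."):
        # Unwanted but not a backdoor; remove the carrier file (fdminst.exe above).
        return "adware"
    return "malware"


def triage(text):
    """Group parsed findings by bucket."""
    buckets = defaultdict(list)
    for f in parse_report(text):
        buckets[classify(f)].append(f)
    return dict(buckets)


def total_threats(text):
    """Sum of the per-file threat counts, which should match the report header."""
    return sum(f["count"] for f in parse_report(text))


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_REPORT).items():
        print(f"[{bucket}]")
        for f in items:
            print(f"  {f['count']}x {f['threat']}  {f['path']}")
```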

#10 mike=)). (Topic Starter)

  • Members
  • 111 posts
  • Gender:Male
  • Location:somewhere near Amsterdam

Posted 19 March 2009 - 01:31 PM

DDS log coming asap

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
E:\Download manager\fdminst.exe moved successfully.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\test\LOCALS~1\Temp\VBE\MSForms.exd scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\test\LOCALS~1\Temp\~DF6B26.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\test\LOCALS~1\Temp\~DFEC13.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\test\LOCALS~1\Temp\~DFEE48.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\test\LOCALS~1\Temp\~DFFB8C.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_444.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_4d0.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_644.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.9.0 log created on 03192009_192302

Files moved on Reboot...
C:\DOCUME~1\test\LOCALS~1\Temp\VBE\MSForms.exd moved successfully.
File C:\DOCUME~1\test\LOCALS~1\Temp\~DF6B26.tmp not found!
File C:\DOCUME~1\test\LOCALS~1\Temp\~DFEC13.tmp not found!
File C:\DOCUME~1\test\LOCALS~1\Temp\~DFEE48.tmp not found!
File C:\DOCUME~1\test\LOCALS~1\Temp\~DFFB8C.tmp not found!
File move failed. C:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be moved on reboot.
File C:\WINDOWS\temp\Perflib_Perfdata_444.dat not found!
File C:\WINDOWS\temp\Perflib_Perfdata_4d0.dat not found!
C:\WINDOWS\temp\Perflib_Perfdata_644.dat moved successfully.

#11 mike=)). (Topic Starter)

  • Members
  • 111 posts
  • Gender:Male
  • Location:somewhere near Amsterdam

Posted 19 March 2009 - 01:44 PM

DDS log attached



#12 Tomk_

    Malware Eradicator


  • Malware Response Team
  • 686 posts

Posted 19 March 2009 - 02:50 PM

mike=)).,

I'd like to run one more scan.

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
4. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
5. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

#13 mike=)). (Topic Starter)

  • Members
  • 111 posts
  • Gender:Male
  • Location:somewhere near Amsterdam

Posted 30 March 2009 - 11:25 AM

Hi Tom,

finally managed to get the Combofix scan plus log done.
(I did not disconnect the external HDD's).
I was not prompted to install the recovery mode, and as the log states, it appears to be missing.
Guessing the line with all the ???????'s is cyrillic, and unsupported by the editor.

the log:

ComboFix 09-03-29.02 - test 2009-03-30 9:27:47.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1251.7.1033.18.1535.942 [GMT 2:00]
Running from: c:\documents and settings\test\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090329-0] *On-access scanning disabled* (Updated)
FW: COMODO Firewall *enabled*
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\test\Application Data\.#
H:\Autorun.inf
I:\Autorun.inf
K:\Autorun.inf
M:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://sunmicro.ht.rd.llnw.net
.
((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-30 )))))))))))))))))))))))))))))))
.

2009-03-19 20:23 . 2009-03-19 20:23 <DIR> d-------- C:\_OTMoveIt
2009-03-12 19:25 . 2009-03-12 19:25 <DIR> d-------- c:\program files\Alwil Software
2009-03-12 19:25 . 2003-03-18 22:20 1,060,864 --a------ c:\windows\system32\MFC71.dll
2009-03-12 00:14 . 2009-03-17 20:14 <DIR> d-------- c:\documents and settings\test\.SunDownloadManager
2009-02-22 09:17 . 2009-02-22 09:17 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-22 09:17 . 2009-02-11 11:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-22 09:17 . 2009-02-11 11:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-21 06:27 . 2009-03-02 18:28 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-02-21 06:27 . 2009-03-01 08:06 <DIR> d-------- c:\documents and settings\test\Application Data\SUPERAntiSpyware.com
2009-02-21 06:27 . 2009-02-21 06:27 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
2009-02-09 01:13 . 2009-02-09 01:13 <DIR> d-------- c:\documents and settings\test\Application Data\Malwarebytes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-18 20:32 --------- d-----w c:\program files\FlashFXP
2009-03-12 16:45 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\avg8
2009-03-11 22:05 --------- d-----w c:\program files\Java
2009-02-27 08:38 155,384 ----a-w c:\windows\system32\guard32.dll
2009-02-27 08:38 110,992 ----a-w c:\windows\system32\drivers\cmdguard.sys
2009-02-20 00:43 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Comodo
2009-02-20 00:39 24,336 ----a-w c:\windows\system32\drivers\cmdhlp.sys
2008-12-28 13:29 410,984 ----a-w c:\windows\system32\deploytk.dll
2005-01-22 16:52 0 -c--a-w c:\documents and settings\Michael\7.dat
2005-01-22 16:52 0 -c--a-w c:\documents and settings\Michael\6.dat
2005-01-22 16:52 0 -c--a-w c:\documents and settings\Michael\4.dat
2005-01-22 16:52 0 -c--a-w c:\documents and settings\Michael\3.dat
2005-01-22 16:52 0 -c--a-w c:\documents and settings\Michael\1.dat
2009-03-26 13:34 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2009-03-26 13:34 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2009-03-26 13:34 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2009-03-26 13:34 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2009-03-26 13:34 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2008-12-05 04:46 0 --sha-w c:\windows\system32\sys_drv.dat
2007-10-13 04:57 16,384 --sha-w c:\windows\system32\config\systemprofile\Cookies\index.dat
2007-10-13 04:57 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
2007-10-13 04:56 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012007101220071013\index.dat
2007-10-13 04:57 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"EPSON Stylus DX8400 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATICEE.EXE" [2007-04-12 182272]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSysVol"="c:\program files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2002-09-11 53248]
"CTDVDDet"="c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2002-08-13 40960]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"CTStartup"="c:\program files\Creative\Splash Screen\CTEaxSpl.EXE" [2002-09-13 49152]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-28 136600]
"CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" [2006-09-28 57344]
"COMODO Firewall Pro"="c:\program files\COMODO\Firewall\cfp.exe" [2009-02-27 1851128]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"COMODO Internet Security"="c:\program files\COMODO\Firewall\cfp.exe" [2009-02-27 1851128]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"CTHelper"="CTHELPER.EXE" [2002-09-03 c:\windows\system32\CTHELPER.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]
"IE7-11"="advpack.dll" [2008-08-26 c:\windows\system32\advpack.dll]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-08-30 110592]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XII.SP2c\\RpcAgentSrv.exe"=
"e:\\Miranda\\Miranda IM\\miranda32.exe"=
"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XII.SP2c\\WNt500x86\\RpcSandraSrv.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-03-12 114768]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2008-10-10 110992]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2008-10-10 24336]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-03-12 20560]
R2 G6FTPServer;Gene6 FTP Server;c:\program files\Gene6 FTP Server\G6FTPServer.exe [2005-04-04 963584]
R2 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\SiSoftware\SiSoftware Sandra Lite XII.SP2c\RpcAgentSrv.exe [2008-06-12 98488]
R3 ctgame;Game Port;c:\windows\system32\drivers\ctgame.sys [2007-10-13 10368]
S3 hitmanpro3;Hitman Pro 3 Support Driver;\??\c:\windows\system32\drivers\hitmanpro3.sys --> c:\windows\system32\drivers\hitmanpro3.sys [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - h:\wd_windows_tools\WDSetup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\Auto\command - setup.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\M]
\Shell\Auto\command - setup.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2b2e41c4-a20c-11dc-b6a5-0001020905ad}]
\Shell\Auto\command - setup.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe
.
.
------- Supplementary Scan -------
.
IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\test\Application Data\Mozilla\Firefox\Profiles\l55ivwdq.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-30 09:34:30
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose, ZwOpenFile

scanning hidden processes ...

? [20784]
? [30044]
scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTStartup = "c:\program files\Creative\Splash Screen\CTEaxSpl.EXE" /run?j??wd???:??w?????????4??????h?@?x??????wD??????sx??s?y??????y??w????@@@????|D@@?????>??w?????;4?H??????|???|???????|L(?s?;4??????/?s????????D???????????????????,????????????+?s@@@?D???`|?w??????@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\ШЂ|яяяяЂ| Фw*]
"3140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(672)
c:\windows\system32\guard32.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(740)
c:\windows\system32\guard32.dll
.
Completion time: 2009-03-30 9:37:10
ComboFix-quarantined-files.txt 2009-03-30 07:37:06
ComboFix2.txt 2008-02-20 03:22:38
ComboFix3.txt 2007-10-04 16:11:39

Pre-Run: 7,495,299,072 bytes free
Post-Run: 7,547,326,464 bytes free

159 --- E O F --- 2008-11-12 14:41:25

Edited by mike=))., 30 March 2009 - 11:50 AM.


#14 Tomk_

  • Malware Eradicator
  • Malware Response Team
  • 686 posts

Posted 30 March 2009 - 01:19 PM

mike=)).,

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "JRE 6 Update 13".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version.
Now to clean out the Java cache:

Go into the Control Panel and double-click the Java icon.
  • Under Temporary Internet Files, click the Settings... button
  • click the Delete Files button.
  • There are two options in the window to clear the cache - leave both checked:
    • Applications and Applets
    • Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Settings
  • Click OK to leave the Java Control Panel.
Please go to http://virusscan.jotti.org, click on Browse, and upload the following file for analysis:

c:\documents and settings\Michael\1.dat <===this file

Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.

COMBOFIX-Script
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    File::
    
    Folder::
    
    Registry::
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\M]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2b2e41c4-a20c-11dc-b6a5-0001020905ad}]
    
    REGNULL::
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\ШЂ|яяяяЂ| Фw*]
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    [screenshot: CFScript.txt being dragged onto ComboFix.exe]
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

How are things running now?
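The CFScript above removes the four MountPoints2 keys by hand. As an added example (not from this thread, from ComboFix or from the helper), the Python script below parses the mountpoints2 block of a ComboFix "Reg Loading Points" section, flags the cached autorun commands that run a bare setup.exe or go through RunDLL32 ShellExec_RunDLL, and emits the Registry:: deletion lines in the same [-KEY] form; the sample log text is constructed to mirror the entries posted here.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, shaped like the mountpoints2 entries in the ComboFix log
# posted in this thread (not a verbatim copy of ComboFix output).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - h:\wd_windows_tools\WDSetup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\Auto\command - setup.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2b2e41c4-a20c-11dc-b6a5-0001020905ad}]
\Shell\Auto\command - setup.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe
"""

# MountPoints2 is where Explorer caches the per-volume Autorun.inf handlers, so a
# planted Autorun.inf on a removable drive survives here as a Shell\...\command.
MOUNTPOINT_KEY = re.compile(
    r"^\[(HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion"
    r"\\explorer\\mountpoints2\\[^\]]+)\]$", re.IGNORECASE)
SHELL_CMD = re.compile(r"^\\Shell\\(\w+)\\command - (.+)$", re.IGNORECASE)


def parse_mountpoints(log_text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Map every MountPoints2 key in the log to its (verb, command) pairs."""
    entries: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for line in log_text.splitlines():
        s = line.strip()
        m = MOUNTPOINT_KEY.match(s)
        if m:
            current = m.group(1)
            entries[current] = []
            continue
        if not s or s.startswith("["):  # blank line or another key ends the block
            current = None
            continue
        m = SHELL_CMD.match(s)
        if m and current is not None:
            entries[current].append((m.group(1), m.group(2).strip()))
    return entries


def flag_autorun_commands(entries):
    """Return (key, verb, command) triples that look like a planted handler:
    a bare executable name resolved against the volume root, or a RunDLL32
    ShellExec_RunDLL launcher wrapping one."""
    flagged = []
    for key, cmds in entries.items():
        for verb, cmd in cmds:
            bare = "\\" not in cmd and ":" not in cmd
            if bare or "shellexec_rundll" in cmd.lower():
                flagged.append((key, verb, cmd))
    return flagged


def build_cfscript(entries) -> str:
    """Emit the Registry:: section of a CFScript that deletes every parsed key,
    using the [-KEY] form the helper's script in this thread uses."""
    return "Registry::\n" + "".join(f"[-{key}]\n" for key in entries)


if __name__ == "__main__":
    parsed = parse_mountpoints(SAMPLE_LOG)
    for key, verb, cmd in flag_autorun_commands(parsed):
        volume = key.rsplit("\\", 1)[1]
        print(f"suspicious: {volume} {verb} -> {cmd}")
    print(build_cfscript(parsed))
```

The H: entry (an absolute path to the drive vendor's own tool) is parsed but not flagged; the helper's script deletes all cached keys regardless, which is what build_cfscript reproduces.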

#15 mike=)).

  • Topic Starter
  • Members
  • 111 posts
  • Gender:Male
  • Location:somewhere near Amsterdam

Posted 31 March 2009 - 07:57 PM

Old versions of Java removed and most recent version installed as per instructions.

Here's the Jotti virusscan report on the c:\documents and settings\Michael\1.dat file:

"The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file"

Note: there are 5-6 similar files 3.dat 6.dat etc at that location.

Here's the new combofix log. There was an indication that it is no longer the most recent version of Combofix.
I'll let you know later how things are running, after sleeping and using it ;)

Thanks, again.

ComboFix 09-03-29.02 - test 2009-04-01 2:40:55.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1251.7.1033.18.1535.1114 [GMT 2:00]
Running from: c:\documents and settings\test\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\test\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090331-0] *On-access scanning disabled* (Updated)
FW: COMODO Firewall *disabled*
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2009-03-01 to 2009-04-01 )))))))))))))))))))))))))))))))
.

2009-04-01 02:26 . 2009-04-01 02:26 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-04-01 02:25 . 2009-04-01 02:25 <DIR> d-------- c:\program files\Java
2009-04-01 02:19 . 2009-04-01 02:19 0 --a------ c:\windows\system32\RENF.tmp
2009-04-01 02:19 . 2009-04-01 02:19 0 --a------ c:\windows\system32\RENE.tmp
2009-04-01 02:19 . 2009-04-01 02:19 0 --a------ c:\windows\system32\REN10.tmp
2009-03-19 20:23 . 2009-03-19 20:23 <DIR> d-------- C:\_OTMoveIt
2009-03-12 19:25 . 2009-03-12 19:25 <DIR> d-------- c:\program files\Alwil Software
2009-03-12 19:25 . 2003-03-18 22:20 1,060,864 --a------ c:\windows\system32\MFC71.dll
2009-03-12 00:14 . 2009-03-17 20:14 <DIR> d-------- c:\documents and settings\test\.SunDownloadManager

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-01 00:26 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-03-18 20:32 --------- d-----w c:\program files\FlashFXP
2009-03-12 16:45 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\avg8
2009-03-02 16:28 --------- d-----w c:\program files\SUPERAntiSpyware
2009-03-01 06:06 --------- d-----w c:\documents and settings\test\Application Data\SUPERAntiSpyware.com
2009-02-27 08:38 155,384 ----a-w c:\windows\system32\guard32.dll
2009-02-27 08:38 110,992 ----a-w c:\windows\system32\drivers\cmdguard.sys
2009-02-22 07:17 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-21 04:27 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
2009-02-20 00:43 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Comodo
2009-02-20 00:39 24,336 ----a-w c:\windows\system32\drivers\cmdhlp.sys
2009-02-11 09:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 09:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-02-08 23:13 --------- d-----w c:\documents and settings\test\Application Data\Malwarebytes
2005-01-22 16:52 0 -c--a-w c:\documents and settings\Michael\7.dat
2005-01-22 16:52 0 -c--a-w c:\documents and settings\Michael\6.dat
2005-01-22 16:52 0 -c--a-w c:\documents and settings\Michael\4.dat
2005-01-22 16:52 0 -c--a-w c:\documents and settings\Michael\3.dat
2005-01-22 16:52 0 -c--a-w c:\documents and settings\Michael\1.dat
2009-03-26 13:34 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2009-03-26 13:34 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2009-03-26 13:34 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2009-03-26 13:34 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2009-03-26 13:34 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2008-12-05 04:46 0 --sha-w c:\windows\system32\sys_drv.dat
2007-10-13 04:57 16,384 --sha-w c:\windows\system32\config\systemprofile\Cookies\index.dat
2007-10-13 04:57 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
2007-10-13 04:56 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012007101220071013\index.dat
2007-10-13 04:57 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"EPSON Stylus DX8400 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATICEE.EXE" [2007-04-12 182272]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSysVol"="c:\program files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2002-09-11 53248]
"CTDVDDet"="c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2002-08-13 40960]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"CTStartup"="c:\program files\Creative\Splash Screen\CTEaxSpl.EXE" [2002-09-13 49152]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" [2006-09-28 57344]
"COMODO Firewall Pro"="c:\program files\COMODO\Firewall\cfp.exe" [2009-02-27 1851128]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"COMODO Internet Security"="c:\program files\COMODO\Firewall\cfp.exe" [2009-02-27 1851128]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-01 148888]
"CTHelper"="CTHELPER.EXE" [2002-09-03 c:\windows\system32\CTHELPER.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]
"IE7-11"="advpack.dll" [2008-08-26 c:\windows\system32\advpack.dll]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-08-30 110592]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XII.SP2c\\RpcAgentSrv.exe"=
"e:\\Miranda\\Miranda IM\\miranda32.exe"=
"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XII.SP2c\\WNt500x86\\RpcSandraSrv.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-03-12 114768]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2008-10-10 110992]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2008-10-10 24336]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-03-12 20560]
R2 G6FTPServer;Gene6 FTP Server;c:\program files\Gene6 FTP Server\G6FTPServer.exe [2005-04-04 963584]
R2 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\SiSoftware\SiSoftware Sandra Lite XII.SP2c\RpcAgentSrv.exe [2008-06-12 98488]
R3 ctgame;Game Port;c:\windows\system32\drivers\ctgame.sys [2007-10-13 10368]
S3 hitmanpro3;Hitman Pro 3 Support Driver;\??\c:\windows\system32\drivers\hitmanpro3.sys --> c:\windows\system32\drivers\hitmanpro3.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - JAVAQUICKSTARTERSERVICE
.
.
------- Supplementary Scan -------
.
IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\test\Application Data\Mozilla\Firefox\Profiles\l55ivwdq.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-01 02:44:45
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTStartup = "c:\program files\Creative\Splash Screen\CTEaxSpl.EXE" /run?j??wd???:??w????????????????h?@?x??????wD??????sx??s????????y??w????@@@????|D@@?????>??w?????94?H??????|???|???????|L(?s?94??????/?s????????D???????????????????,????????????+?s@@@?D???`|?w??????@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\ШЂ|яяяяЂ| Фw*]
"3140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(648)
c:\windows\system32\guard32.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(716)
c:\windows\system32\guard32.dll
.
Completion time: 2009-04-01 2:47:19
ComboFix-quarantined-files.txt 2009-04-01 00:47:15
ComboFix2.txt 2009-03-30 07:37:13
ComboFix3.txt 2008-02-20 03:22:38
ComboFix4.txt 2007-10-04 16:11:39

Pre-Run: 7,407,603,712 bytes free
Post-Run: 7,416,168,448 bytes free

142 --- E O F --- 2008-11-12 14:41:25

Edited by mike=))., 31 March 2009 - 08:01 PM.
