
Help with Vundo / Virtumonde and Other Malware Removal


7 replies to this topic

#1 James2314


Posted 10 March 2009 - 12:12 PM

Hello,
A few weeks ago my computer was attacked by various malware. I asked for help on the "Am I Infected, What do I do?" forum (http://www.bleepingcomputer.com/forums/topic205881.html), but the moderator assisting me suggested that I post here for more advanced help. Currently, the main symptom I detect on the computer is that when I restart in normal mode, I get a "cli.exe" error message (for more detailed symptoms please follow the thread from the link above). I highly suspect that my computer is not fully clean of malware, since each step I took in the process recommended by the moderator led to more detections. Also, I believe that the external USB data storage that I used to back up files may be infected (although I'm not worried about losing any data).

I followed the guide for posting in this forum, and the DDS log is pasted below, and the attach log is attached. Please help, and thanks in advance!


DDS (Ver_09-02-01.01) - NTFSx86 MINIMAL
Run by Invisible Jim at 2:16:58.59 on Tue 03/10/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.804 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Invisible Jim\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = 687474703a2f2f7777772e676f6f676c652e636f6d2f
uSearch Bar = 687474703a2f2f7777772e676f6f676c652e636f6d2f
uSearchMigratedDefaultURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
uDefault_Search_URL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
mSearch Bar = 687474703a2f2f7777772e676f6f676c652e636f6d2f
mSearchMigratedDefaultURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
uSearchAssistant = 687474703a2f2f7777772e676f6f676c652e636f6d2f
mSearchURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
TB: McAfee VirusScan: {ba52b914-b692-46c4-b683-905236f6f655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [VSOCheckTask] "c:\progra~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
mRun: [OASClnt] c:\program files\mcafee.com\vso\oasclnt.exe
mRun: [MCAgentExe] c:\progra~1\mcafee.com\agent\mcagent.exe
mRun: [MCUpdateExe] c:\progra~1\mcafee.com\agent\McUpdate.exe
mRun: [MSKDetectorExe] c:\progra~1\mcafee\spamki~1\MSKDetct.exe /startup
mRun: [MSKAGENTEXE] c:\progra~1\mcafee\spamki~1\MskAgent.exe
mRun: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe
mRun: [MPFExe] c:\progra~1\mcafee.com\person~1\MpfTray.exe
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [EPSON Stylus Photo 960] c:\windows\system32\spool\drivers\w32x86\3\E_S10IC2.EXE /P22 "EPSON Stylus Photo 960" /O5 "LPT1:" /M "Stylus Photo 960"
mRun: [PrintServer Diagnostic] c:\program files\print server\ptp\PSDiagnostic.exe
mRun: [RoxioEngineUtility] "c:\program files\common files\roxio shared\system\EngUtil.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [EPSON Stylus Photo R220 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIAIA.EXE /P30 "EPSON Stylus Photo R220 Series" /O6 "USB001" /M "Stylus Photo R220"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [reader_s] c:\windows\system32\reader_s.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
dRun: [nidle] "c:\documents and settings\invisible jim\application data\nidle\nidle.exe" 61A847B5BBF728103B9D3B466188719AB689201522886B092CBD44BD8689220221DD3257
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
StartupFolder: c:\docume~1\invisi~1\startm~1\programs\startup\yahoo!~1.lnk - c:\program files\yahoo!\yahoo! widget engine\YahooWidgets.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoca~1.lnk - c:\program files\common files\autodesk shared\acstart17.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - {7DD73374-7187-4103-8F29-622AA25E7C40} - c:\program files\mcafee\spamkiller\mcapfbho.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,
LSA: Authentication Packages = msv1_0 c:\windows\system32\efcCrQGV

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\invisi~1\applic~1\mozilla\firefox\profiles\ofgtjyxh.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.nytimes.com/
FF - component: c:\documents and settings\invisible jim\application data\mozilla\firefox\profiles\ofgtjyxh.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc.dll
FF - plugin: c:\program files\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\veetle\vlc\npvlc.dll

============= SERVICES / DRIVERS ===============

R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-7-7 611664]
S1 nugcdnpk;nugcdnpk;\??\c:\windows\system32\drivers\nugcdnpk.sys --> c:\windows\system32\drivers\nugcdnpk.sys [?]
S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-2-17 8944]
S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-2-17 55024]
S2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2004-12-13 165488]
S2 gupdate1c988dd5481ab2;Google Update Service (gupdate1c988dd5481ab2);c:\program files\google\update\GoogleUpdate.exe [2009-2-6 133104]
S2 McDetect.exe;McAfee WSC Integration;c:\program files\mcafee.com\agent\Mcdetect.exe [2006-7-3 147456]
S2 McTskshd.exe;McAfee Task Scheduler;c:\progra~1\mcafee.com\agent\mctskshd.exe [2006-7-3 139264]
S3 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2004-12-13 198256]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2004-12-13 79472]
S3 mcupdmgr.exe;McAfee SecurityCenter Update Manager;c:\progra~1\mcafee.com\agent\mcupdmgr.exe [2006-7-3 266240]
S3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2006-7-3 114464]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-2-17 7408]
S3 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-7-3 822424]

============== File Associations ===============

scrfile="%1" %*

=============== Created Last 30 ================

2009-03-09 01:51 41,600 ac------ c:\windows\system32\dllcache\weitekp9.dll
2009-03-09 01:51 31,232 ac------ c:\windows\system32\dllcache\weitekp9.sys
2009-03-09 01:51 48,256 ac------ c:\windows\system32\dllcache\w32.dll
2009-03-09 01:51 571,392 ac------ c:\windows\system32\dllcache\tintlgnt.ime
2009-03-09 01:51 10,240 ac------ c:\windows\system32\dllcache\tmigrate.dll
2009-03-09 01:51 185,344 ac------ c:\windows\system32\dllcache\thawbrkr.dll
2009-03-09 01:51 21,896 ac------ c:\windows\system32\dllcache\tdipx.sys
2009-03-09 01:51 19,464 ac------ c:\windows\system32\dllcache\tdspx.sys
2009-03-09 01:51 13,192 ac------ c:\windows\system32\dllcache\tdasync.sys
2009-03-09 01:51 101,376 ac------ c:\windows\system32\dllcache\srusbusd.dll
2009-03-09 01:51 7,168 ac------ c:\windows\system32\dllcache\EXCH_snprfdll.dll
2009-03-09 01:49 92,416 ac------ c:\windows\system32\dllcache\mga.sys
2009-03-09 01:48 54,528 ac------ c:\windows\system32\dllcache\cap7146.sys
2009-03-09 01:45 488 a---hr-- c:\windows\system32\logonui.exe.manifest
2009-03-09 01:45 749 a---hr-- c:\windows\WindowsShell.Manifest
2009-03-09 01:45 749 a---hr-- c:\windows\system32\wuaucpl.cpl.manifest
2009-03-09 01:45 749 a---hr-- c:\windows\system32\sapi.cpl.manifest
2009-03-09 01:45 749 a---hr-- c:\windows\system32\ncpa.cpl.manifest
2009-03-09 01:36 24,661 ac------ c:\windows\system32\dllcache\spxcoins.dll
2009-03-09 01:36 13,312 ac------ c:\windows\system32\dllcache\irclass.dll
2009-03-09 01:36 24,661 a------- c:\windows\system32\spxcoins.dll
2009-03-09 01:36 13,312 a------- c:\windows\system32\irclass.dll
2009-03-08 10:40 <DIR> --d----- c:\program files\Jcore
2009-03-08 10:40 0 a------- c:\windows\mqcd.dbt
2009-03-08 10:39 <DIR> --d----- c:\docume~1\invisi~1\applic~1\nidle
2009-03-08 09:39 28,672 a------- c:\windows\system32\kdoqmn.sr
2009-03-08 09:39 32,768 a------- c:\windows\system32\odjan.wa
2009-03-08 09:39 32,768 a------- c:\windows\system32\kei1w.an
2009-03-08 09:39 77,312 a------- c:\windows\system32\rkoq.pxf
2009-03-08 09:39 28,672 a------- c:\windows\system32\doqkm.zt
2009-03-07 00:35 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-03-07 00:35 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-03-07 00:35 <DIR> --d----- c:\docume~1\invisi~1\applic~1\SUPERAntiSpyware.com
2009-03-05 01:33 <DIR> --d----- c:\program files\Online Services
2009-03-05 01:32 32,768 ac------ c:\windows\system32\dllcache\icwdl.dll
2009-03-05 01:21 7,334 ac------ c:\windows\system32\dllcache\wmerrenu.cat
2009-03-05 01:21 22,339 a----r-- c:\windows\SETBE.tmp
2009-03-05 01:21 10,559 a----r-- c:\windows\SETBF.tmp
2009-03-05 01:21 13,753 a----r-- c:\windows\SET8B.tmp
2009-03-05 01:21 1,086,058 a----r-- c:\windows\SET7F.tmp
2009-03-05 01:21 1,042,903 a----r-- c:\windows\SET7C.tmp
2009-03-04 20:09 <DIR> --d----- c:\windows\mui
2009-03-04 20:09 <DIR> --d----- c:\windows\dell
2009-02-27 00:08 <DIR> --d----- c:\windows\system32\MpEngineStore
2009-02-24 21:39 <DIR> --d----- c:\windows\ERUNT
2009-02-24 21:37 <DIR> --d----- C:\SDFix
2009-02-23 23:09 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-23 23:09 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-23 23:09 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-23 01:51 433 a------- c:\windows\xccwinsys.ini
2009-02-23 01:51 <DIR> --d----- c:\windows\system32\inf
2009-02-23 01:43 676,352 a------- c:\windows\system32\rtl60.bpl
2009-02-23 01:29 1,104 a------- c:\windows\ruhzgtzq
2009-02-20 14:24 <DIR> --d----- c:\docume~1\invisi~1\applic~1\Azureus
2009-02-14 12:12 387,580 a------- c:\windows\setupapi.old

==================== Find3M ====================

2009-03-09 01:44 23,428 a------- c:\windows\system32\emptyregdb.dat
2009-02-23 02:55 90,112 a------- c:\windows\DUMP7649.tmp
2008-12-18 15:31 48,396 a------- c:\windows\UninstVeetleTVPlayer.exe

============= FINISH: 2:17:35.21 ===============
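As an added triage example (written for this page, not part of the thread and not code from the DDS tool), the Python below parses a few of the lines from the DDS log above: it decodes the hex-encoded search-provider values that DDS emits, and flags the loading points a helper looks at first (a Run entry in the HKEY_USERS\.DEFAULT hive or under a user-writable directory, an extra LSA authentication package beyond the default msv1_0, and a driver whose image file DDS could not find, shown as "--> path [?]"). The category names and the heuristics are my own, and the sample lines are copied from the log in this post.

```python
import re

# Constructed sample: lines copied from the DDS log posted in this thread.
SAMPLE_DDS = r"""
uStart Page = about:blank
uSearch Page = 687474703a2f2f7777772e676f6f676c652e636f6d2f
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [reader_s] c:\windows\system32\reader_s.exe
dRun: [nidle] "c:\documents and settings\invisible jim\application data\nidle\nidle.exe" 61A847B5BBF728103B9D3B466188719AB689201522886B092CBD44BD8689220221DD3257
LSA: Authentication Packages = msv1_0 c:\windows\system32\efcCrQGV
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-7-7 611664]
S1 nugcdnpk;nugcdnpk;\??\c:\windows\system32\drivers\nugcdnpk.sys --> c:\windows\system32\drivers\nugcdnpk.sys [?]
"""

HEX_VALUE = re.compile(r"^[0-9a-fA-F]+$")
# u*/m* browser keys: "uSearch Page = <hex>", "uStart Page = about:blank", "mSearchURL = <hex>"
BROWSER_KEY = re.compile(r"^([um][A-Za-z_ ]+?)\s*=\s*(\S+)$")
# uRun/mRun/dRun(Once): [name] command   (u = HKCU, m = HKLM, d = HKEY_USERS\.DEFAULT)
RUN_KEY = re.compile(r"^([umd])Run(Once)?: \[([^\]]+)\] (.*)$")
# R#/S# service lines: status, name;display name;image path [date size]
SERVICE = re.compile(r"^[RS]\d (\S+?);(.*?);(.*)$")
# Directories an unprivileged user (and therefore a dropper) can write to.
USER_WRITABLE = ("\\application data\\", "\\local settings\\", "\\temp\\", "recycled\\")
# msv1_0 is the only authentication package present on a default XP install.
DEFAULT_AUTH_PACKAGES = {"msv1_0"}


def decode_dds_value(value):
    """DDS writes browser start/search URLs as a hex string; return the text form.

    Anything that is not even-length hex (for example 'about:blank') is returned unchanged.
    """
    if len(value) % 2 == 0 and HEX_VALUE.match(value):
        try:
            return bytes.fromhex(value).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            pass
    return value


def triage_dds(text):
    """Return (category, detail) findings for the DDS lines a helper would examine first.

    These are review heuristics: a finding means 'look at this', not 'this is malware'.
    """
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue

        m = BROWSER_KEY.match(line)
        if m:
            key, value = m.groups()
            findings.append(("browser-setting", f"{key} = {decode_dds_value(value)}"))
            continue

        m = RUN_KEY.match(line)
        if m:
            hive, _once, name, command = m.groups()
            if hive == "d":
                # HKEY_USERS\.DEFAULT runs for the logon-screen profile; third-party
                # software almost never needs a Run value there.
                findings.append(("default-hive-run", f"[{name}] {command}"))
            if any(marker in command.lower() for marker in USER_WRITABLE):
                findings.append(("run-from-user-writable-path", f"[{name}] {command}"))
            continue

        if line.startswith("LSA: Authentication Packages"):
            packages = line.split("=", 1)[1].split()
            for package in packages:
                if package.lower() not in DEFAULT_AUTH_PACKAGES:
                    # Every listed package is loaded into lsass.exe at boot.
                    findings.append(("extra-lsa-auth-package", package))
            continue

        m = SERVICE.match(line)
        if m and line.endswith("[?]"):
            # DDS prints '--> path [?]' when the registered image file was not found on disk.
            findings.append(("service-image-missing", m.group(1)))
    return findings


if __name__ == "__main__":
    for category, detail in triage_dds(SAMPLE_DDS):
        print(f"{category:30} {detail}")
```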


#2 Jat90


Posted 10 March 2009 - 01:44 PM

Hello, James2314

Welcome to the Bleeping Computer Forums. My name is Jat, and I will be helping you with your situation.

If you do not make a reply in 5 days, we will have to close your topic.


You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.


I need some time to look over your log, I will post back soon.
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#3 Jat90


Posted 10 March 2009 - 05:40 PM

Hello, it looks like we are dealing with a rootkit. Please do the following.

ComboFix

Please download ComboFix from one of these locations (if you already have ComboFix, then delete it and download again) :

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. See this topic to find out how to disable your antivirus and firewall (post #1 and #2).
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

(screenshot: ComboFix Recovery Console prompt)


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

(screenshot: ComboFix message after the Recovery Console is installed)

NOTE**ComboFix was intended to be used under the supervision of a helper, not for general use. This is a powerful tool which can permanently damage your computer.

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#4 James2314


Posted 11 March 2009 - 11:25 AM

Hello.
This is the log ComboFix produced:

ComboFix 09-03-10.01 - Invisible Jim 2009-03-11 1:14:28.4 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.819 [GMT -5:00]
Running from: c:\documents and settings\Invisible Jim\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Install.txt
c:\windows\system32\inf\rundll33.exe
c:\windows\system32\Install.txt
c:\windows\system32\tmp.reg
c:\windows\xccwinsys.ini

c:\windows\system32\userinit.exe . . . is infected!!

c:\windows\system32\svchost.exe . . . is infected!!

c:\windows\system32\spoolsv.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PROTECT


((((((((((((((((((((((((( Files Created from 2009-02-11 to 2009-03-11 )))))))))))))))))))))))))))))))
.

2009-03-09 01:51 . 2004-08-04 05:00 571,392 --a--c--- c:\windows\system32\dllcache\tintlgnt.ime
2009-03-09 01:51 . 2004-08-04 05:00 185,344 --a--c--- c:\windows\system32\dllcache\thawbrkr.dll
2009-03-09 01:51 . 2004-08-04 05:00 101,376 --a--c--- c:\windows\system32\dllcache\srusbusd.dll
2009-03-09 01:51 . 2004-08-04 05:00 48,256 --a--c--- c:\windows\system32\dllcache\w32.dll
2009-03-09 01:51 . 2004-08-04 05:00 41,600 --a--c--- c:\windows\system32\dllcache\weitekp9.dll
2009-03-09 01:51 . 2004-08-04 05:00 31,232 --a--c--- c:\windows\system32\dllcache\weitekp9.sys
2009-03-09 01:51 . 2004-08-04 05:00 21,896 --a--c--- c:\windows\system32\dllcache\tdipx.sys
2009-03-09 01:51 . 2004-08-04 05:00 19,464 --a--c--- c:\windows\system32\dllcache\tdspx.sys
2009-03-09 01:51 . 2004-08-04 05:00 13,192 --a--c--- c:\windows\system32\dllcache\tdasync.sys
2009-03-09 01:51 . 2004-08-04 05:00 10,240 --a--c--- c:\windows\system32\dllcache\tmigrate.dll
2009-03-09 01:51 . 2001-08-17 22:36 7,168 --a--c--- c:\windows\system32\dllcache\EXCH_snprfdll.dll
2009-03-09 01:49 . 2004-08-04 05:00 10,096,640 --a--c--- c:\windows\system32\dllcache\hwxcht.dll
2009-03-09 01:48 . 2004-05-13 00:39 876,653 --a--c--- c:\windows\system32\dllcache\fp4awel.dll
2009-03-09 01:45 . 2009-03-09 01:45 749 -rah----- c:\windows\WindowsShell.Manifest
2009-03-09 01:45 . 2009-03-09 01:45 749 -rah----- c:\windows\system32\wuaucpl.cpl.manifest
2009-03-09 01:45 . 2009-03-09 01:45 749 -rah----- c:\windows\system32\sapi.cpl.manifest
2009-03-09 01:45 . 2009-03-09 01:45 749 -rah----- c:\windows\system32\ncpa.cpl.manifest
2009-03-09 01:45 . 2009-03-09 01:45 488 -rah----- c:\windows\system32\logonui.exe.manifest
2009-03-09 01:36 . 2004-08-04 05:00 24,661 --a------ c:\windows\system32\spxcoins.dll
2009-03-09 01:36 . 2004-08-04 05:00 24,661 --a--c--- c:\windows\system32\dllcache\spxcoins.dll
2009-03-09 01:36 . 2004-08-04 05:00 13,312 --a------ c:\windows\system32\irclass.dll
2009-03-09 01:36 . 2004-08-04 05:00 13,312 --a--c--- c:\windows\system32\dllcache\irclass.dll
2009-03-08 10:40 . 2009-03-09 02:11 <DIR> d-------- c:\program files\Jcore
2009-03-08 10:40 . 2009-03-08 10:40 0 --a------ c:\windows\mqcd.dbt
2009-03-08 10:39 . 2009-03-08 10:39 <DIR> d-------- c:\documents and settings\Invisible Jim\Application Data\nidle
2009-03-08 09:39 . 2009-03-08 09:39 77,312 --a------ c:\windows\system32\rkoq.pxf
2009-03-08 09:39 . 2009-03-08 09:39 32,768 --a------ c:\windows\system32\odjan.wa
2009-03-08 09:39 . 2009-03-08 09:39 32,768 --a------ c:\windows\system32\kei1w.an
2009-03-08 09:39 . 2009-03-08 09:39 28,672 --a------ c:\windows\system32\kdoqmn.sr
2009-03-08 09:39 . 2009-03-08 09:39 28,672 --a------ c:\windows\system32\doqkm.zt
2009-03-07 00:35 . 2009-03-07 00:35 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-03-07 00:35 . 2009-03-07 00:35 <DIR> d-------- c:\documents and settings\Invisible Jim\Application Data\SUPERAntiSpyware.com
2009-03-07 00:35 . 2009-03-07 00:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-03-05 01:47 . 2009-03-05 01:47 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\McAfee.com Personal Firewall
2009-03-05 01:32 . 2004-08-04 05:00 32,768 --a--c--- c:\windows\system32\dllcache\icwdl.dll
2009-03-05 01:21 . 2004-08-04 05:00 1,086,058 -ra------ c:\windows\SET7F.tmp
2009-03-05 01:21 . 2004-08-04 05:00 1,042,903 -ra------ c:\windows\SET7C.tmp
2009-03-05 01:21 . 2006-03-30 05:03 22,339 -ra------ c:\windows\SETBE.tmp
2009-03-05 01:21 . 2004-08-04 05:00 13,753 -ra------ c:\windows\SET8B.tmp
2009-03-05 01:21 . 2005-03-30 12:54 10,559 -ra------ c:\windows\SETBF.tmp
2009-03-05 01:21 . 2004-08-04 05:00 7,334 --a--c--- c:\windows\system32\dllcache\wmerrenu.cat
2009-03-04 20:09 . 2009-03-04 20:09 <DIR> d-------- c:\windows\mui
2009-03-04 20:09 . 2009-03-04 20:09 <DIR> d-------- c:\windows\dell
2009-02-27 00:08 . 2009-02-27 00:08 <DIR> d-------- c:\windows\system32\MpEngineStore
2009-02-24 21:39 . 2009-02-24 21:39 <DIR> d-------- c:\windows\ERUNT
2009-02-24 21:37 . 2009-03-05 02:16 <DIR> d-------- C:\SDFix
2009-02-23 23:09 . 2009-02-23 23:09 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-23 23:09 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-23 23:09 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-23 01:51 . 2009-03-11 01:16 <DIR> d-------- c:\windows\system32\inf
2009-02-23 01:43 . 2002-02-15 14:02 676,352 --a------ c:\windows\system32\rtl60.bpl
2009-02-23 01:29 . 2009-03-05 01:55 1,104 --a------ c:\windows\ruhzgtzq
2009-02-20 14:24 . 2009-02-23 01:25 <DIR> d-------- c:\documents and settings\Invisible Jim\Application Data\Azureus
2009-02-14 12:12 . 2009-03-08 10:42 387,580 --a------ c:\windows\setupapi.old

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-07 05:34 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-06 02:04 --------- d-----w c:\program files\Veetle
2009-02-23 07:55 90,112 ----a-w c:\windows\DUMP7649.tmp
2009-02-23 06:27 --------- d-----w c:\program files\Trillian Pro
2009-02-13 20:30 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-11 03:53 --------- d-----w c:\program files\Google
2009-02-07 18:21 --------- d-----w c:\program files\Flickr Uploadr
2009-01-30 02:37 --------- d-----w c:\program files\Azureus
2008-12-18 20:31 48,396 ----a-w c:\windows\UninstVeetleTVPlayer.exe
.

------- Sigcheck -------

2004-08-04 05:00 31232 3b21f976f7c1445dec9c141c51ff1c04 c:\windows\system32\svchost.exe
2004-08-04 05:00 31744 5e3271d87669ea8b88471ca93957bb28 c:\windows\system32\dllcache\svchost.exe

2004-08-04 05:00 1049088 0a22e760f3eea9e07f3799ae860f8fd4 c:\windows\explorer.exe
2007-06-13 06:26 1050112 45a287a6cbea3e27028c812c53a38d13 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
2004-08-04 05:00 1049088 3c8d15ded80d08c820dfbd65d8063e46 c:\windows\$NtUninstallKB938828$\explorer.exe

2004-08-04 05:00 32256 416d91e0d9de7f63107fd27b8b32b0df c:\windows\system32\ctfmon.exe
2004-08-04 05:00 32256 58cd9761617f0f12cbe29230e123c949 c:\windows\system32\dllcache\ctfmon.exe

2005-06-10 19:17 74752 e6c31bccaaf5770fc938b6c8c45deec5 c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2004-08-04 05:00 75264 3da0b91593bf9316552a8af689daa740 c:\windows\system32\spoolsv.exe

2004-08-04 05:00 128000 0e96fdbed4962bcedf37b3159bddbb59 c:\windows\system32\wuauclt.exe

2004-08-04 05:00 41472 887ea1f53d2db2516e3fd12a149a5216 c:\windows\system32\userinit.exe
2004-08-04 05:00 41984 bfc096e4b84facbc464ab65c296b5148 c:\windows\system32\dllcache\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 32256]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 688198]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 622662]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 782427]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 65536]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 69632]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 270336]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 102400]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-12-13 58992]
"VSOCheckTask"="c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 172032]
"OASClnt"="c:\program files\McAfee.com\VSO\oasclnt.exe" [2005-08-11 73728]
"MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2005-09-22 323584]
"MCUpdateExe"="c:\progra~1\mcafee.com\agent\McUpdate.exe" [2006-01-11 233472]
"MSKDetectorExe"="c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-08-12 1138688]
"MSKAGENTEXE"="c:\progra~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-09-26 131072]
"VirusScan Online"="c:\program files\McAfee.com\VSO\mcvsshld.exe" [2005-08-10 184320]
"MPFExe"="c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-11-11 1005096]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 503808]
"EPSON Stylus Photo 960"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE" [2002-06-30 91648]
"PrintServer Diagnostic"="c:\program files\Print Server\PTP\PSDiagnostic.exe" [2004-11-24 286720]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-01-13 90112]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 229432]
"EPSON Stylus Photo R220 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE" [2005-03-09 118784]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-03-28 434176]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 c:\windows\stsystra.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"nidle"="c:\documents and settings\Invisible Jim\Application Data\nidle\nidle.exe" [2009-03-08 77824]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 61440]

c:\documents and settings\Invisible Jim\Start Menu\Programs\Startup\
Yahoo! Widgets.lnk - c:\program files\Yahoo!\Yahoo! Widget Engine\YahooWidgets.exe [2007-12-11 3767336]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2006-07-08 25214]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-07-08 131072]
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart17.exe [2006-03-05 11000]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-07-03 45056]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.DIVF"= DivX412.dll
"vidc.vp31"= vp31vfw.dll
"VIDC.X264"= x264vfw.dll
"VIDC.3iv2"= 3ivxVfWCodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Ghost 10.0]
--a------ 2005-12-07 16:05 1537696 c:\program files\Norton Ghost\Agent\GhostTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Trillian Pro\\trillian.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-02-17 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-02-17 55024]
S1 nugcdnpk;nugcdnpk;\??\c:\windows\system32\drivers\nugcdnpk.sys --> c:\windows\system32\drivers\nugcdnpk.sys [?]
S2 gupdate1c988dd5481ab2;Google Update Service (gupdate1c988dd5481ab2);c:\program files\Google\Update\GoogleUpdate.exe [2009-02-06 133104]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1052b16c-098e-11dd-8cee-0015c517f841}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(&0)\command - Recycled\ctfmon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{91a3a00f-f177-11dc-8ce5-0015c517f841}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a4449e7f-c326-11dc-8cc6-0015c517f841}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aa25b8f9-784c-11dc-a6d7-0015c517f841}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e1810a24-ea32-11db-a6bc-0015c517f841}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-02-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-03-11 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-06 23:31]

2009-03-11 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (CRISPYMCNIPPLES-Invisible Jim).job
- c:\program files\mcafee.com\vso\mcmnhdlr.exe [2005-07-08 17:18]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-PCMService - c:\program files\Dell\Media Experience\PCMService.exe
HKLM-Run-MSPY2002 - c:\windows\system32\IME\PINTLGNT\ImScInst.exe
HKLM-Run-PHIME2002ASync - c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
HKLM-Run-PHIME2002A - c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
HKLM-Run-reader_s - c:\windows\System32\reader_s.exe
MSConfigStartUp-asc32 - c:\program files\ASC 2.1\asc 2.1.exe
MSConfigStartUp-AUTORUN_VAL - c:\program files\ASC 2.1\asc 2.1.exe


.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
uDefault_Search_URL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
mSearch Bar = 687474703a2f2f7777772e676f6f676c652e636f6d2f
mSearchMigratedDefaultURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
mSearchURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Invisible Jim\Application Data\Mozilla\Firefox\Profiles\ofgtjyxh.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.nytimes.com/
FF - component: c:\documents and settings\Invisible Jim\Application Data\Mozilla\Firefox\Profiles\ofgtjyxh.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - plugin: c:\program files\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-11 01:21:54
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\run\OptionalComponents\MAPI]
@DACL=(02 0000)
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(736)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\drivers\CDAC11BA.EXE
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\EPSON\EBAPI\eEBSvc.exe
c:\program files\Common Files\EPSON\EBAPI\SAgent2.exe
c:\windows\system32\gearsec.exe
c:\program files\McAfee.com\Agent\Mcdetect.exe
c:\progra~1\McAfee.com\Agent\McTskshd.exe
c:\program files\Norton Ghost\Agent\VProSvc.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\progra~1\McAfee.com\VSO\McVSEscn.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\McAfee.com\PERSON~1\MpfService.exe
c:\program files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\windows\system32\msiexec.exe
.
**************************************************************************
.
Completion time: 2009-03-11 1:26:16 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-11 06:26:12

Pre-Run: 7,018,180,608 bytes free
Post-Run: 6,963,879,936 bytes free

287 --- E O F --- 2009-03-08 15:42:29

#5 Jat90

Jat90

  • Members
  • 1,515 posts
  • Gender:Male
  • Location:United Kingdom

Posted 11 March 2009 - 05:39 PM

:thumbup2: VIRUT :)

Your System is infected with Virut!!
Virut is a file infecting virus which is able to modify itself each and every time it runs. In addition, when it infects, sometimes it will destroy the file it tries to latch onto.
For these reasons, you really can't truly fix Virut. You will need to format/reinstall the operating system on this machine.

More information:
http://free.avg.com/66558

There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus.


http://home.mcafee.com/VirusInfo/VirusProf...aspx?key=143034

W32/Virut.h is a polymorphic, entry point obscuring (EPO) file infector with IRC bot functionality. It can accept commands to download other malware on the compromised machine.
It appends to the end of the last section of executable (PE) files an encrypted copy of its code. The decryptor is polymorphic and can be located either:
Immediately before the encrypted code at the end of the last section
At the end of the code section of the infected host in 'slack-space' (assuming there is any)
At the original entry point of the host (overwriting the original host code)

What this means is we cannot proceed with any sort of fix as your legitimate files have already been corrupted and this action is, unfortunately, irreversible. I apologize but there is nothing else I can do or advise to completely clear your machine. You must reformat your pc to rid yourself of this deadly virus.
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#6 James2314

James2314
  • Topic Starter
  • Members
  • 36 posts

Posted 11 March 2009 - 06:59 PM

Oh dear! Well I guess I'll have to reformat then...
How were you able to tell based on the log that it is Virut?
And what steps can I take to ensure that my backup external USB data isn't infected, or if it is, what steps can I take to clean those before I copy them onto a clean, reformatted machine?

#7 Jat90

Jat90

  • Members
  • 1,515 posts
  • Gender:Male
  • Location:United Kingdom

Posted 12 March 2009 - 01:18 PM

The ComboFix log alerted me that legitimate files were infected - typical of the Virut trojan.

Virut will probably not infect your USB drive, as it usually latches to Windows files. It is possible for USB drives to be infected by other malware, however.

The best way is just doing a full scan with a standard scanner (or an online scanner), selecting the USB drive as a target area, and seeing what the scans return.

If you see something being detected then let us know.
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#8 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 12 March 2009 - 09:37 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :thumbup2:

If you're the topic starter and need this topic reopened, please contact me via PM with the address of the thread.

Everyone else please begin a New Topic.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.
