SystemSecurity2009 Fake AV + Unidentified rootkit Installed from vc_red.msi


This topic is locked
2 replies to this topic

#1 drinkytheclown
Posted 16 September 2009 - 09:19 PM

After months of visiting mega sites with no virus software and Orbit Downloader and probably several terabytes of video, I caught an MS Police Pro downloader which I cleaned up in a matter of minutes and was fairly certain I had everything finished.

My assistant came back with a laptop from school with 802.11 and nothing blocking peer-to-peer, and before she could get out of the car, all computers except one without file sharing enabled opened up a browser with System Security 2009 advising me my life could be ruined if my wife found out I was watching porn.

From this point, I think System Security began downloading and preparing a rootkit like I've never seen. I believe this file came in the form of c:\7fc8891230bb502166e3d059b9bcb122\vc_red.msi. I was plugging each DLL coming up and noticed a procedure call to change my boot.ini file to a GIF image with relocated code inside the image, so I got one machine shut down while in the middle of installing the rootkit and booted to safe mode and got a much better look at it while the other computers (XP SP2, SP3 and Vista) all began installing MS update after update.

The first keys that spawned a new OS for each of these computers were Microsoft Visual C++ 2008 Redistributable.

This looked like it replaced nt.dll and every other DLL driver, kernel and user mode, as well as injecting bona fide ones until it could get rid of them. The process opened a 5 gig partition and did a silent install of what basically looks like Windows 95 from the file list and dates, but functions like normal.

Nothing gets blocked, websites or otherwise. Any software runs fine for a few minutes while it's hooked with ctfmon.exe, and pretty soon a 3 meg EXE AV file turns into 30 meg or so with injected DLLs from everywhere. Two process monitor perfdata on the registry and all files to allow you to change anything, and 5 minutes later or so it's back where it was. Some virus/spy/rootkit programs end up listing no problems, but the config files have been altered. It downloaded Windows Defender on its own and uses the def files for itself.

I have now at least 20 or so encrypted and unencrypted bank data files on each computer and notice with an uninfected packet sniffer connections to 50+ computers if you try to open a banking site. The virus deletes, or rather hides, all accounts except for two: a new 'owner' account under Administrator and the SYSTEM account for itself. It installs without using an account by simply querying the registry with a blank account name for a silent install, even if all passwords are in place on all accounts.

It's been downloading and 'updating' files for 2 days now, and every package it updates actually places older files on the computer, all of which are signed with the new system certificates on the downloads. I have entire new directories for a win386 which resembles a 95 or 98 SQL server. Ports are open for RAdmin, telnet, FTP and other access.

The first thing it did after finishing the OS installation was a clean uninstall of the virus program that started it.

It left this log file. If someone runs into this software without the rootkit, here is a clean uninstall from the program itself that has left no noticeable trace...


Registry keys to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\systemsecurity2009
Files to delete:
C:\Documents and Settings\All Users\Application Data\11863124\11863124
C:\Documents and Settings\All Users\Application Data\11863124\11863124.exe
C:\Documents and Settings\All Users\Application Data\11863124\Desktop.ini
C:\Documents and Settings\All Users\Application Data\11863124\pc11863124ins
C:\Documents and Settings\kent\Application Data\MSA\mssadv.exe
C:\Documents and Settings\kent\Application Data\MSA\fff.exe
C:\Documents and Settings\kent\Start Menu\Programs\Total Security\Total Security 2009.lnk
C:\Documents and Settings\kent\Desktop\Total Security 2009.lnk
C:\Documents and Settings\kent\Application Data\MSA\msctrl.exe
C:\Documents and Settings\All Users\Application Data\11863124\11863124
C:\Documents and Settings\All Users\Application Data\11863124\11863124.exe
C:\Documents and Settings\All Users\Application Data\11863124\Desktop.ini
C:\Documents and Settings\All Users\Application Data\11863124\pc11863124ins
C:\Documents and Settings\kent\Application Data\MSA\mssadv.exe
C:\Documents and Settings\kent\Application Data\MSA\fff.exe
C:\Documents and Settings\kent\Start Menu\Programs\Total Security\Total Security 2009.lnk
C:\Documents and Settings\kent\Desktop\Total Security 2009.lnk
C:\Documents and Settings\kent\Application Data\MSA\msctrl.exe
Folders to delete:
C:\Documents and Settings\All Users\Application Data\11863124
C:\Documents and Settings\kent\Start Menu\Programs\Total Security


I was able to view a reinstall script for the main rootkit for a few minutes until the system realized there were 2 copies open and restarted the system. I haven't found it again, but it was used to uninstall and reinstall the rootkit on the machine I shut down. The uninstall code was about 30 pages, and the last 3 lines were the call to open the install package and restart. I'm convinced, looking at the file, the uninstall is still hidden in the computer in the Windows directory b/c the structure of where everything was laid out was pretty simple.

New programs that came with it are:

Microsoft Office Groove
all other Office components have 'MUI' added to the names
Microsoft C++ VTL
Microsoft C++ Redistributable

MSXML 4.0 (3 copies) various versions
MSXML 6.0 SP2

some program called CAPICOM, and security updates for it
VLC media player
Google Toolbar (3 or 4)


Watching through Process Explorer it looks like there's about 10 basic kernel commands and these get hooked with the 500 or so new Windows user programs that downloaded and replaced my Windows directory. My Windows directory honestly looks like it's right out of Windows 95, same commands, same icons, etc.

The only reference I see on this on the internet is VirtumondeFix, which describes a similar super Virtumonde an admin claims to have VNC'ed in for a user and fixed on their home page.


== Verbose logging started: 9/12/2009 4:50:28 Build type: SHIP UNICODE 3.01.4000.4039 Calling process: c:\7fc8891230bb502166e3d059b9bcb122\install.exe ===
MSI (c) (B0:D0) [04:50:29:073]: Resetting cached policy values
MSI (c) (B0:D0) [04:50:29:073]: Machine policy value 'Debug' is 0
MSI (c) (B0:D0) [04:50:29:073]: ******* RunEngine:
******* Product: c:\7fc8891230bb502166e3d059b9bcb122\vc_red.msi
******* Action:
******* CommandLine: **********
MSI (c) (B0:D0) [04:50:29:104]: Client-side and UI is none or basic: Running entire install on the server.
MSI (c) (B0:D0) [04:50:29:104]: Grabbed execution mutex.
MSI (c) (B0:D0) [04:50:30:823]: Cloaking enabled.
MSI (c) (B0:D0) [04:50:30:823]: Attempting to enable all disabled priveleges before calling Install on Server
MSI (c) (B0:D0) [04:50:30:823]: Incrementing counter to disable shutdown. Counter after increment: 0
MSI (s) (80:48) [04:50:30:917]: Grabbed execution mutex.
MSI (s) (80:50) [04:50:30:917]: Resetting cached policy values
MSI (s) (80:50) [04:50:30:917]: Machine policy value 'Debug' is 0
MSI (s) (80:50) [04:50:30:917]: ******* RunEngine:
******* Product: c:\7fc8891230bb502166e3d059b9bcb122\vc_red.msi
******* Action:
******* CommandLine: **********
MSI (s) (80:50) [04:50:30:948]: Machine policy value 'DisableUserInstalls' is 0
MSI (s) (80:50) [04:50:32:277]: File will have security applied from OpCode.
MSI (s) (80:50) [04:50:32:277]: SOFTWARE RESTRICTION POLICY: Verifying package --> 'c:\7fc8891230bb502166e3d059b9bcb122\vc_red.msi' against software restriction policy
MSI (s) (80:50) [04:50:32:277]: SOFTWARE RESTRICTION POLICY: c:\7fc8891230bb502166e3d059b9bcb122\vc_red.msi has a digital signature
MSI (s) (80:50) [04:50:33:589]: SOFTWARE RESTRICTION POLICY: c:\7fc8891230bb502166e3d059b9bcb122\vc_red.msi is permitted to run at the 'unrestricted' authorization level.
MSI (s) (80:50) [04:50:33:589]: End dialog not enabled
MSI (s) (80:50) [04:50:33:589]: Original package ==> c:\7fc8891230bb502166e3d059b9bcb122\vc_red.msi
MSI (s) (80:50) [04:50:33:589]: Package we're running from ==> c:\WINDOWS\Installer\2d5af6.msi
MSI (s) (80:50) [04:50:33:605]: APPCOMPAT: looking for appcompat database entry with ProductCode '{9A25302D-30C0-39D9-BD6F-21E6EC160475}'.
MSI (s) (80:50) [04:50:33:605]: APPCOMPAT: no matching ProductCode found in database.
MSI (s) (80:50) [04:50:33:605]: MSCOREE not loaded loading copy from system32
MSI (s) (80:50) [04:50:33:636]: Machine policy value 'TransformsSecure' is 0
MSI (s) (80:50) [04:50:33:636]: User policy value 'TransformsAtSource' is 0
MSI (s) (80:50) [04:50:33:636]: Machine policy value 'DisablePatch' is 0
MSI (s) (80:50) [04:50:33:636]: Machine policy value 'AllowLockdownPatch' is 0
MSI (s) (80:50) [04:50:33:636]: Machine policy value 'DisableLUAPatching' is 0
MSI (s) (80:50) [04:50:33:636]: Machine policy value 'DisableFlyWeightPatching' is 0
MSI (s) (80:50) [04:50:33:652]: APPCOMPAT: looking for appcompat database entry with ProductCode '{9A25302D-30C0-39D9-BD6F-21E6EC160475}'.
MSI (s) (80:50) [04:50:33:652]: APPCOMPAT: no matching ProductCode found in database.
MSI (s) (80:50) [04:50:33:652]: Transforms are not secure.
MSI (s) (80:50) [04:50:33:652]: Note: 1: 2205 2: 3: Control
MSI (s) (80:50) [04:50:33:652]: Command Line: USING_EXUIH_SILENT=1 REBOOT=ReallySuppress FILESINUSETEXT= LOCPRODUCTNAME=Microsoft Visual C++ 2008 Redistributable CURRENTDIRECTORY=c:\7fc8891230bb502166e3d059b9bcb122 CLIENTUILEVEL=3 CLIENTPROCESSID=2480
MSI (s) (80:50) [04:50:33:652]: PROPERTY CHANGE: Adding PackageCode property. Its value is '{49C9E7C6-4A9F-4E6F-AE93-9E014D1ACA93}'.
MSI (s) (80:50) [04:50:33:667]: Product Code passed to Engine.Initialize: ''
MSI (s) (80:50) [04:50:33:667]: Product Code from property table before transforms: '{9A25302D-30C0-39D9-BD6F-21E6EC160475}'
MSI (s) (80:50) [04:50:33:667]: Product Code from property table after transforms: '{9A25302D-30C0-39D9-BD6F-21E6EC160475}'
MSI (s) (80:50) [04:50:33:667]: Product not registered: beginning first-time install
MSI (s) (80:50) [04:50:33:667]: PROPERTY CHANGE: Adding ProductState property. Its value is '-1'.
MSI (s) (80:50) [04:50:33:667]: Entering CMsiConfigurationManager::SetLastUsedSource.
MSI (s) (80:50) [04:50:33:667]: User policy value 'SearchOrder' is 'nmu'
MSI (s) (80:50) [04:50:33:667]: Adding new sources is allowed.
MSI (s) (80:50) [04:50:33:683]: PROPERTY CHANGE: Adding PackagecodeChanging property. Its value is '1'.
MSI (s) (80:50) [04:50:33:683]: Package name extracted from package path: 'vc_red.msi'
MSI (s) (80:50) [04:50:33:683]: Package to be registered: 'vc_red.msi'
MSI (s) (80:50) [04:50:33:683]: Note: 1: 2262 2: AdminProperties 3: -2147287038
MSI (s) (80:50) [04:50:33:683]: PROPERTY CHANGE: Modifying ALLUSERS property. Its current value is '2'. Its new value: '1'.
MSI (s) (80:50) [04:50:33:683]: Machine policy value 'DisableMsi' is 0
MSI (s) (80:50) [04:50:33:683]: Machine policy value 'AlwaysInstallElevated' is 0
MSI (s) (80:50) [04:50:33:683]: User policy value 'AlwaysInstallElevated' is 0
MSI (s) (80:50) [04:50:33:683]: Product installation will be elevated because user is admin and product is being installed per-machine.
MSI (s) (80:50) [04:50:33:683]: Running product '{9A25302D-30C0-39D9-BD6F-21E6EC160475}' with elevated privileges: Product is assigned.
MSI (s) (80:50) [04:50:33:683]: PROPERTY CHANGE: Adding USING_EXUIH_SILENT property. Its value is '1'.
MSI (s) (80:50) [04:50:33:683]: PROPERTY CHANGE: Modifying REBOOT property. Its current value is 'Suppress'. Its new value: 'ReallySuppress'.
MSI (s) (80:50) [04:50:33:683]: PROPERTY CHANGE: Deleting FILESINUSETEXT property. Its current value is 'The following applications should be closed before continuing the install:'.
MSI (s) (80:50) [04:50:33:683]: PROPERTY CHANGE: Adding LOCPRODUCTNAME property. Its value is 'Microsoft Visual C++ 2008 Redistributable'.
MSI (s) (80:50) [04:50:33:683]: PROPERTY CHANGE: Adding CURRENTDIRECTORY property. Its value is 'c:\7fc8891230bb502166e3d059b9bcb122'.
MSI (s) (80:50) [04:50:33:683]: PROPERTY CHANGE: Adding CLIENTUILEVEL property. Its value is '3'.
MSI (s) (80:50) [04:50:33:683]: PROPERTY CHANGE: Adding CLIENTPROCESSID property. Its value is '2480'.
MSI (s) (80:50) [04:50:33:683]: TRANSFORMS property is now:
MSI (s) (80:50) [04:50:33:683]: PROPERTY CHANGE: Adding VersionDatabase property. Its value is '200'.
MSI (s) (80:50) [04:50:33:699]: SHELL32::SHGetFolderPath returned: C:\Documents and Settings\Owner\Application Data
MSI (s) (80:50) [04:50:33:699]: SHELL32::SHGetFolderPath returned: C:\Documents and Settings\Owner\Favorites
MSI (s) (80:50) [04:50:33:699]: SHELL32::SHGetFolderPath returned: C:\Documents and Settings\Owner\NetHood
MSI (s) (80:50) [04:50:33:699]: SHELL32::SHGetFolderPath returned: C:\Documents and Settings\Owner\My Documents
MSI (s) (80:50) [04:50:33:699]: SHELL32::SHGetFolderPath returned: C:\Documents and Settings\Owner\PrintHood
MSI (s) (80:50) [04:50:33:699]: SHELL32::SHGetFolderPath returned: C:\Documents and Settings\Owner\Recent
MSI (s) (80:50) [04:50:33:699]: SHELL32::SHGetFolderPath returned: C:\Documents and Settings\Owner\SendTo
MSI (s) (80:50) [04:50:33:699]: SHELL32::SHGetFolderPath returned: C:\Documents and Settings\Owner\Templates
MSI (s) (80:50) [04:50:33:699]: SHELL32::SHGetFolderPath returned: C:\Documents and Settings\All Users\Application Data
MSI (s) (80:50) [04:50:33:699]: SHELL32::SHGetFolderPath returned: C:\Documents and Settings\Owner\Local Settings\Application Data
MSI (s) (80:50) [04:50:33:699]: SHELL32::SHGetFolderPath returned: C:\Documents and Settings\Owner\My Documents\My Pictures
MSI (s) (80:50) [04:50:33:730]: SHELL32::SHGetFolderPath returned: C:\Documents and Settings\All Users\Start Menu\Programs\Administrative Tools
MSI (s) (80:50) [04:50:33:730]: SHELL32::SHGetFolderPath returned: C:\Documents and Settings\All Users\Start Menu\Programs\Startup
MSI (s) (80:50) [04:50:33:730]: SHELL32::SHGetFolderPath returned: C:\Documents and Settings\All Users\Start Menu\Programs
MSI (s) (80:50) [04:50:33:730]: SHELL32::SHGetFolderPath returned: C:\Documents and Settings\All Users\Start Menu
MSI (s) (80:50) [04:50:33:730]: SHELL32::SHGetFolderPath returned: C:\Documents and Settings\All Users\Desktop
MSI (s) (80:50) [04:50:33:730]: SHELL32::SHGetFolderPath returned: C:\Documents and Settings\Owner\Start Menu\Programs\Administrative Tools
MSI (s) (80:50) [04:50:33:730]: SHELL32::SHGetFolderPath returned: C:\Documents and Settings\Owner\Start Menu\Programs\Startup
MSI (s) (80:50) [04:50:33:730]: SHELL32::SHGetFolderPath returned: C:\Documents and Settings\Owner\Start Menu\Programs
MSI (s) (80:50) [04:50:33:730]: SHELL32::SHGetFolderPath returned: C:\Documents and Settings\Owner\Start Menu
MSI (s) (80:50) [04:50:33:730]: SHELL32::SHGetFolderPath returned: C:\Documents and Settings\Owner\Desktop
MSI (s) (80:50) [04:50:33:730]: SHELL32::SHGetFolderPath returned: C:\Documents and Settings\All Users\Templates
MSI (s) (80:50) [04:50:33:730]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\Fonts
MSI (s) (80:50) [04:50:33:730]: Note: 1: 2898 2: MS Sans Serif 3: MS Sans Serif 4: 0 5: 16
MSI (s) (80:50) [04:50:33:745]: PROPERTY CHANGE: Adding Privileged property. Its value is '1'.
MSI (s) (80:50) [04:50:33:745]: Note: 1: 1402 2: HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info 3: 2
MSI (s) (80:50) [04:50:33:745]: PROPERTY CHANGE: Adding USERNAME property. Its value is ' '.
MSI (s) (80:50) [04:50:33:745]: Note: 1: 1402 2: HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info 3: 2
MSI (s) (80:50) [04:50:33:745]: PROPERTY CHANGE: Adding DATABASE property. Its value is 'c:\WINDOWS\Installer\2d5af6.msi'.
MSI (s) (80:50) [04:50:33:745]: PROPERTY CHANGE: Adding OriginalDatabase property. Its value is 'c:\7fc8891230bb502166e3d059b9bcb122\vc_red.msi'.
MSI (s) (80:50) [04:50:33:745]: Note: 1: 2205 2: 3: PatchPackage
MSI (s) (80:50) [04:50:33:745]: Machine policy value 'DisableRollback' is 0
MSI (s) (80:50) [04:50:33:745]: User policy value 'DisableRollback' is 0
MSI (s) (80:50) [04:50:33:745]: PROPERTY CHANGE: Adding UILevel property. Its value is '2'.
MSI (s) (80:50) [04:50:33:745]: PROPERTY CHANGE: Adding MsiUISourceResOnly property. Its value is '1'.
=== Logging started: 9/12/2009 4:50:33 ===
MSI (s) (80:50) [04:50:33:745]: PROPERTY CHANGE: Adding ACTION property. Its value is 'INSTALL'.
MSI (s) (80:50) [04:50:33:745]: Doing action: INSTALL
MSI (s) (80:50) [04:50:33:745]: Note: 1: 2205 2: 3: ActionText
MSI (s) (80:50) [04:50:33:792]: Running ExecuteSequence
MSI (s) (80:50) [04:50:33:792]: Skipping action: DDSE_CA_Uninstall_InstallExecuteSequenceStarts_x86 (condition is false)
MSI (s) (80:50) [04:50:33:792]: Doing action: FindRelatedProducts
MSI (s) (80:50) [04:50:33:792]: Note: 1: 2205 2: 3: ActionText
Action start 4:50:33: INSTALL.
Action start 4:50:33: FindRelatedProducts.



Above are a few lines of code from the install package that spawned the rootkit. I have the whole file if it helps anyone else.

Below is my HijackThis log. I ran it in whitelist mode b/c it's rather inconsequential otherwise. There are 3 entries when not in this mode as the rootkit is completely signed and running just like a normal operating system.


Scan saved at 7:31:31 PM, on 9/16/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\hijack this\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aol.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.aol.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
O1 - Hosts: # Copyright © 1993-1999 Microsoft Corp.
O1 - Hosts: #
O1 - Hosts: # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
O1 - Hosts: #
O1 - Hosts: # This file contains the mappings of IP addresses to host names. Each
O1 - Hosts: # entry should be kept on an individual line. The IP address should
O1 - Hosts: # be placed in the first column followed by the corresponding host name.
O1 - Hosts: # The IP address and the host name should be separated by at least one
O1 - Hosts: # space.
O1 - Hosts: #
O1 - Hosts: # Additionally, comments (such as these) may be inserted on individual
O1 - Hosts: # lines or following the machine name denoted by a '#' symbol.
O1 - Hosts: #
O1 - Hosts: # For example:
O1 - Hosts: #
O1 - Hosts: # 102.54.94.97 rhino.acme.com # source server
O1 - Hosts: # 38.25.63.10 x.acme.com # x client host
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: # Start of entries inserted by Spybot - Search & Destroy
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-2293971000-4145922156-724997739-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winrnr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rsvpsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rsvpsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mswsock.dll
O16 - DPF: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: cdl - {3DD53D40-7B8B-11D0-B013-00AA0059CE02} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: file - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ftp - {79EAC9E3-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: gopher - {79EAC9E4-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: https - {79EAC9E5-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ipp - (no CLSID) - (no file)
O18 - Protocol: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: local - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: mailto - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: mhtml - {05300401-BCBC-11D0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll
O18 - Protocol: mk - {79EAC9E6-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: msdaipp - (no CLSID) - (no file)
O18 - Protocol: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll
O18 - Filter: application/octet-stream - {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\system32\mscoree.dll
O18 - Filter: application/x-complus - {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\system32\mscoree.dll
O18 - Filter: application/x-msdownload - {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\system32\mscoree.dll
O18 - Filter: Class Install Handler - {32B533BB-EDAE-11d0-BD5A-00AA00B92AF1} - C:\WINDOWS\system32\urlmon.dll
O18 - Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll
O18 - Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll
O18 - Filter: lzdhtml - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll
O18 - Filter: text/webviewhtml - {733AC4CB-F1A4-11d0-B951-00A0C90312E1} - C:\WINDOWS\system32\SHELL32.dll
O18 - Filter: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - C:\WINDOWS\system32\SHELL32.dll
O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - C:\WINDOWS\system32\SHELL32.dll
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll
O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Application Layer Gateway Service (ALG) - Microsoft Corporation - C:\WINDOWS\System32\alg.exe
O23 - Service: Application Management (AppMgmt) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Microsoft Corporation - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
O23 - Service: Windows Audio (AudioSrv) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Computer Browser (Browser) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Indexing Service (CiSvc) - Microsoft Corporation - C:\WINDOWS\system32\cisvc.exe
O23 - Service: COM+ System Application (COMSysApp) - Microsoft Corporation - C:\WINDOWS\system32\dllhost.exe
O23 - Service: Cryptographic Services (CryptSvc) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: DCOM Server Process Launcher (DcomLaunch) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: DHCP Client (Dhcp) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Microsoft Corp., Veritas Software - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Logical Disk Manager (dmserver) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: DNS Client (Dnscache) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Error Reporting Service (ERSvc) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Event Log (Eventlog) - Microsoft Corporation - C:\WINDOWS\system32\services.exe
O23 - Service: COM+ Event System (EventSystem) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Fast User Switching Compatibility (FastUserSwitchingCompatibility) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Help and Support (helpsvc) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: HID Input Service (HidServ) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: HTTP SSL (HTTPFilter) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Microsoft Corporation - C:\WINDOWS\system32\imapi.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Server (lanmanserver) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Workstation (lanmanworkstation) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: TCP/IP NetBIOS Helper (LmHosts) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Microsoft Office Groove Audit Service - Microsoft Corporation - C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe
O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - Microsoft Corporation - C:\WINDOWS\system32\mnmsrvc.exe
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Microsoft Corporation - C:\WINDOWS\system32\msdtc.exe
O23 - Service: Windows Installer (MSIServer) - Microsoft Corporation - C:\WINDOWS\system32\msiexec.exe
O23 - Service: Network DDE (NetDDE) - Microsoft Corporation - C:\WINDOWS\system32\netdde.exe
O23 - Service: Network DDE DSDM (NetDDEdsdm) - Microsoft Corporation - C:\WINDOWS\system32\netdde.exe
O23 - Service: Net Logon (Netlogon) - Microsoft Corporation - C:\WINDOWS\system32\lsass.exe
O23 - Service: Network Connections (Netman) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Network Location Awareness (NLA) (Nla) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Microsoft Corporation - C:\WINDOWS\system32\lsass.exe
O23 - Service: Removable Storage (NtmsSvc) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Microsoft Office Diagnostics Service (odserv) - Microsoft Corporation - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE
O23 - Service: Office Source Engine (ose) - Microsoft Corporation - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
O23 - Service: Plug and Play (PlugPlay) - Microsoft Corporation - C:\WINDOWS\system32\services.exe
O23 - Service: IPSEC Services (PolicyAgent) - Microsoft Corporation - C:\WINDOWS\system32\lsass.exe
O23 - Service: Protected Storage (ProtectedStorage) - Microsoft Corporation - C:\WINDOWS\system32\lsass.exe
O23 - Service: Remote Access Auto Connection Manager (RasAuto) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Remote Access Connection Manager (RasMan) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Microsoft Corporation - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Routing and Remote Access (RemoteAccess) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Remote Procedure Call (RPC) Locator (RpcLocator) - Microsoft Corporation - C:\WINDOWS\system32\locator.exe
O23 - Service: Remote Procedure Call (RPC) (RpcSs) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: QoS RSVP (RSVP) - Microsoft Corporation - C:\WINDOWS\system32\rsvp.exe
O23 - Service: Security Accounts Manager (SamSs) - Microsoft Corporation - C:\WINDOWS\system32\lsass.exe
O23 - Service: Smart Card (SCardSvr) - Microsoft Corporation - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Task Scheduler (Schedule) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Secondary Logon (seclogon) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: System Event Notification (SENS) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Windows Firewall/Internet Connection Sharing (ICS) (SharedAccess) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Shell Hardware Detection (ShellHWDetection) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Print Spooler (Spooler) - Microsoft Corporation - C:\WINDOWS\system32\spoolsv.exe
O23 - Service: System Restore Service (srservice) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: SSDP Discovery Service (SSDPSRV) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Windows Image Acquisition (WIA) (stisvc) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: MS Software Shadow Copy Provider (SwPrv) - Microsoft Corporation - C:\WINDOWS\system32\dllhost.exe
O23 - Service: Performance Logs and Alerts (SysmonLog) - Microsoft Corporation - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Telephony (TapiSrv) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Terminal Services (TermService) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Themes - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Distributed Link Tracking Client (TrkWks) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Universal Plug and Play Device Host (upnphost) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Uninterruptible Power Supply (UPS) - Microsoft Corporation - C:\WINDOWS\System32\ups.exe
O23 - Service: Volume Shadow Copy (VSS) - Microsoft Corporation - C:\WINDOWS\System32\vssvc.exe
O23 - Service: Windows Time (W32Time) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: WebClient - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Windows Management Instrumentation (winmgmt) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Portable Media Serial Number Service (WmdmPmSN) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: WMI Performance Adapter (WmiApSrv) - Microsoft Corporation - C:\WINDOWS\system32\wbem\wmiapsrv.exe
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Microsoft Corporation - C:\Program Files\Windows Media Player\WMPNetwk.exe
O23 - Service: Security Center (wscsvc) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Automatic Updates (wuauserv) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Windows Driver Foundation - User-mode Driver Framework (WudfSvc) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Wireless Zero Configuration (WZCSVC) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
O23 - Service: Network Provisioning Service (xmlprov) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe

--
End of file - 20239 bytes



Please forgive the long post; this is my first time, and from any search on the internet it appears I have more infections of this at home than are currently in the wild. I also thought it might help others seeing similar resilient strains of Virtumonde on the front page of several sites.
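The O23 section above is the part of a HijackThis log most worth scanning by hand, because a malicious service only has to point at a binary the analyst does not recognise. The script below is an added example (not part of the original post, and not HijackThis code) that parses O23 lines and flags the entries a reviewer would look at first: a binary outside the Windows or Program Files trees, a missing or "Unknown owner" vendor field (the string HijackThis prints when a file carries no version information; treated here as an assumption), a core system binary name such as svchost.exe running from a directory other than system32, and any non-Microsoft vendor for manual verification. The sample log is constructed inline from a few lines of the log above plus one hypothetical masquerading service ("wuauhlp") added to show what a hit looks like.

```python
"""Triage HijackThis O23 (service) lines for entries that merit a closer look."""
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import List, Optional

# One O23 line looks like:
#   O23 - Service: <display name> (<short name>) - <company> - <path>
# The short name is optional ("Themes", "WebClient" have none) and the
# display name itself may contain parentheses ("... (RPC) (RpcSs)"),
# so the display group is non-greedy and the short-name group is optional.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^()]+)\))?"
    r" - (?P<company>.*?) - (?P<path>.+?)\s*$"
)

# Core Windows binaries that legitimately live only in %SystemRoot%\system32.
# A service pointing at one of these names elsewhere is a classic masquerade.
SYSTEM_BINARIES = {
    "svchost.exe", "services.exe", "lsass.exe", "dllhost.exe",
    "spoolsv.exe", "msiexec.exe", "winlogon.exe", "csrss.exe",
}
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")  # assumes a C: system drive
SYSTEM32 = "c:\\windows\\system32"


@dataclass
class Service:
    display: str
    short: Optional[str]
    company: str
    path: str
    reasons: List[str] = field(default_factory=list)


def parse_o23(line: str) -> Optional[Service]:
    """Parse one O23 line; returns None for lines that are not O23 entries."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    return Service(m["display"], m["short"], m["company"].strip(), m["path"].strip())


def assess(svc: Service) -> Service:
    """Attach review reasons to a service; an empty list means nothing stood out."""
    p = svc.path.lower()
    name = PureWindowsPath(p).name
    parent = str(PureWindowsPath(p).parent)
    if not p.startswith(TRUSTED_ROOTS):
        svc.reasons.append("binary outside Windows / Program Files")
    if not svc.company or svc.company.lower() == "unknown owner":
        svc.reasons.append("no vendor information")
    if name in SYSTEM_BINARIES and parent != SYSTEM32:
        svc.reasons.append(f"{name} running from {parent!r}, not system32")
    elif "microsoft" not in svc.company.lower():
        svc.reasons.append("third-party service: verify vendor and file on disk")
    return svc


def triage(log_lines):
    """Return (all parsed services, the subset with at least one reason)."""
    services = [s for s in map(parse_o23, log_lines) if s is not None]
    for s in services:
        assess(s)
    return services, [s for s in services if s.reasons]


# Constructed sample: five lines from the posted log plus one hypothetical entry.
SAMPLE_LOG = [
    r"O23 - Service: Computer Browser (Browser) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe",
    r"O23 - Service: Remote Procedure Call (RPC) (RpcSs) - Microsoft Corporation - C:\WINDOWS\system32\svchost.exe",
    r"O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Microsoft Corp., Veritas Software - C:\WINDOWS\System32\dmadmin.exe",
    r"O23 - Service: Themes - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe",
    r"O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe",
    # Hypothetical masquerade, not from the posted log:
    r"O23 - Service: Windows Update Helper (wuauhlp) - Unknown owner - C:\Documents and Settings\All Users\Application Data\svchost.exe",
]

if __name__ == "__main__":
    _, flagged = triage(SAMPLE_LOG)
    for s in flagged:
        print(f"{s.short or s.display}: {s.path}")
        for r in s.reasons:
            print(f"    - {r}")
```

Run against a full log, the output is a short list of services to check on disk rather than seventy lines to eyeball; the Microsoft entries in system32 drop out, the Java service is listed only as third-party, and the hypothetical wuauhlp entry collects all three strong indicators.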

#2 SpySentinel

  • Members
  • 2,090 posts
  • Gender:Male
  • Location:The United States

Posted 02 October 2009 - 10:38 AM

Hi drinkytheclown,

Welcome to Bleeping Computer. My name is SpySentinel and I will be helping you fix your computer problem.
Sorry for the delay; we have been very busy lately, and I apologize for your wait.


Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:


  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" for further review.
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**
Unified Network of Instructors and Trained Eliminators


My help is always free, but if you can, please help me continue the fight against malware.

#3 SpySentinel

  • Members
  • 2,090 posts
  • Gender:Male
  • Location:The United States

Posted 08 October 2009 - 09:57 PM

Due to lack of feedback this topic has been closed.

If you need this topic reopened, please PM Me or another Moderator with the link to this thread.

Everyone else please start a new topic.