
Vundo / Virtumonde (and possibly Windows Enterprise Suite and others) Infection

This topic is locked. 25 replies to this topic.

#16 mbressman (Topic Starter)

Posted 30 December 2009 - 11:59 AM

Here are the results of the GMER scan:



GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2009-12-30 11:58:20
Windows 5.1.2600 Service Pack 3
Running: q7s5z8ul.exe; Driver: C:\DOCUME~1\TBIZZL~1\LOCALS~1\Temp\kwtdipog.sys


---- System - GMER 1.0.15 ----

SSDT F7B42CFE ZwCreateKey
SSDT F7B42CF4 ZwCreateThread
SSDT F7B42D03 ZwDeleteKey
SSDT F7B42D0D ZwDeleteValueKey
SSDT F7B42D12 ZwLoadKey
SSDT F7B42CE0 ZwOpenProcess
SSDT F7B42CE5 ZwOpenThread
SSDT F7B42D1C ZwReplaceKey
SSDT F7B42D17 ZwRestoreKey
SSDT F7B42D08 ZwSetValueKey
SSDT F7B42CEF ZwTerminateProcess

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Fastfat \Fat A97A3D20

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----


#17 Blind Faith (Malware Response Team)

Posted 02 January 2010 - 03:42 AM

Hi mbressman,

A couple of things still present there.

Download ComboFix again to your desktop.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\sp]
[-HKEY_CLASSES_ROOT\CLSID\{96AFBE69-C3B0-4b00-8578-D933D2896EE2}]

Driver::
SPService

NetSvc::
SPService

Save this as CFScript.txt, in the same location as ComboFix.exe


[image: dragging CFScript.txt onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.




Elle
Can you hear it? It's all around!

Do you remember? If you do, then can you forgive?

If I haven't replied in 48 hours, please feel free to send me a PM.

#18 mbressman (Topic Starter)

Posted 02 January 2010 - 10:27 AM

Elle,

Happy New Year!

Here are the results of ComboFix:


ComboFix 10-01-01.02 - T Bizzle 01/02/2010 9:44.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.480 [GMT -5:00]
Running from: c:\documents and settings\T Bizzle\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\T Bizzle\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SPService


((((((((((((((((((((((((( Files Created from 2009-12-02 to 2010-01-02 )))))))))))))))))))))))))))))))
.

2009-12-30 14:11 . 2009-12-30 14:11 -------- d-----w- c:\program files\RealVNC
2009-12-23 01:55 . 2008-04-14 00:11 56320 -c--a-w- c:\windows\system32\dllcache\eventlog.dll
2009-12-23 01:55 . 2008-04-14 00:11 56320 ------w- c:\windows\system32\eventlog.dll
2009-12-12 03:48 . 2009-12-12 03:48 -------- d-----w- c:\program files\CCleaner

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-02 14:40 . 2009-03-11 01:28 -------- d-----w- c:\program files\LogMeIn
2009-12-19 12:44 . 2009-04-29 23:44 -------- d-----w- c:\documents and settings\All Users\Application Data\acccore
2009-12-10 03:11 . 2009-12-10 03:11 382 ----a-w- c:\program files\Shortcut to Program Files.lnk
2009-12-09 21:34 . 2009-11-30 05:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-09 21:12 . 2009-11-24 01:50 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-12-03 21:14 . 2009-11-30 05:41 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 21:13 . 2009-11-30 05:41 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-24 13:37 . 2009-11-24 13:37 -------- d-----w- c:\documents and settings\E Rizzle\Application Data\Malwarebytes
2009-11-24 03:24 . 2007-02-09 15:52 -------- d-----w- c:\program files\Symantec
2009-11-24 01:50 . 2009-11-24 01:50 -------- d-----w- c:\program files\Avira
2009-11-24 01:50 . 2009-11-24 01:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-11-24 01:49 . 2007-02-09 15:52 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-11-24 01:40 . 2007-02-09 16:17 -------- d-----w- c:\program files\Windows Defender
2009-11-24 01:39 . 2007-02-09 15:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-11-24 01:38 . 2007-02-09 15:52 -------- d-----w- c:\program files\Norton SystemWorks
2009-11-23 23:00 . 2009-11-23 23:00 -------- d-----w- c:\documents and settings\T Bizzle\Application Data\TeamViewer
2009-11-23 19:46 . 2009-11-23 19:46 -------- d-----w- c:\documents and settings\T Bizzle\Application Data\Malwarebytes
2009-11-23 19:46 . 2009-11-23 19:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-23 19:42 . 2009-03-11 01:28 83288 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2009-11-23 19:42 . 2009-03-11 01:28 28984 ----a-w- c:\windows\system32\LMIport.dll
2009-11-23 19:42 . 2008-10-17 00:35 11552 ----a-w- c:\windows\system32\lmimirr2.dll
2009-11-23 19:42 . 2008-10-17 00:35 25248 ----a-w- c:\windows\system32\lmimirr.dll
2009-11-23 19:42 . 2009-03-11 01:28 87352 ----a-w- c:\windows\system32\LMIinit.dll
2009-11-23 18:58 . 2007-02-09 16:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-23 18:57 . 2009-11-23 18:55 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-18 16:52 . 2009-11-18 16:52 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-18 16:51 . 2009-11-18 16:51 -------- d-----w- c:\program files\Java
2009-11-18 16:51 . 2009-11-18 16:51 152576 ----a-w- c:\documents and settings\E Rizzle\Application Data\Sun\Java\jre1.6.0_16\lzma.dll
2009-11-08 15:26 . 2007-07-08 22:53 -------- d-----w- c:\documents and settings\T Bizzle\Application Data\uTorrent
2009-11-08 15:05 . 2009-11-02 04:42 -------- d-----w- c:\documents and settings\T Bizzle\Application Data\DVD Flick
2009-11-08 14:56 . 2009-11-02 04:33 -------- d-----w- c:\documents and settings\T Bizzle\Application Data\ImgBurn
2009-11-03 01:42 . 2009-10-02 17:11 195456 ------w- c:\windows\system32\MpSigStub.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2002-07-17 200767]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-24 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-24 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-24 118784]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-6-21 282624]
KODAK Software Updater.lnk - c:\program files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-2-13 16423]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2009-11-23 19:42 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield Vietnam\\BfVietnam.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\utorrent\\utorrent.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Avira\\AntiVir Desktop\\avnotify.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"9458:TCP"= 9458:TCP:*:Disabled:spport
"27623:TCP"= 27623:TCP:*:Disabled:spport
"21897:TCP"= 21897:TCP:*:Disabled:spport
"20491:TCP"= 20491:TCP:*:Disabled:spport
"29466:TCP"= 29466:TCP:*:Disabled:spport
"20432:TCP"= 20432:TCP:*:Disabled:spport
"20926:TCP"= 20926:TCP:*:Disabled:spport
"5900:TCP"= 5900:TCP:VNC

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/23/2009 8:50 PM 108289]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [7/24/2008 5:46 PM 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [3/10/2009 8:28 PM 47640]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [4/29/2009 6:45 PM 24652]
R3 radpms;Driver for RADPMS Device;c:\windows\system32\drivers\radpms.sys [7/24/2008 5:45 PM 12192]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
Contents of the 'Scheduled Tasks' folder

2009-10-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\T Bizzle\Application Data\Mozilla\Firefox\Profiles\zpxc303z.default\
FF - prefs.js: browser.startup.homepage - hxxp://m.www.yahoo.com/
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPFxViewer.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-02 09:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(648)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll

- - - - - - - > 'explorer.exe'(3032)
c:\windows\system32\WININET.dll
c:\docume~1\TBIZZL~1\LOCALS~1\Temp\IadHide5.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\LMIRfsClientNP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\windows\system32\lxczcoms.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\RealVNC\VNC4\WinVNC4.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-01-02 10:06:12 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-02 15:06
ComboFix2.txt 2009-12-23 02:13
ComboFix3.txt 2009-12-19 01:03

Pre-Run: 52,530,114,560 bytes free
Post-Run: 52,549,992,448 bytes free

- - End Of File - - 7E54C86987C7BE93A46182B781CCB7AB

#19 Blind Faith (Malware Response Team)

Posted 02 January 2010 - 01:59 PM

Hi mbressman,

Happy New Year to you too!



Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.




Install and use a firewall with outbound protection
While the firewall built into Windows XP is adequate to protect you from incoming attacks, it will not be much help in alerting you to programs already on your PC attempting to connect to remote servers.
I therefore strongly recommend that you install one of the following free firewalls: Comodo Firewall (remember to uncheck Install Comodo Antivirus) or Zonealarm.
See Bleepingcomputer's excellent tutorial to help using and understanding a firewall here.
Note: You should only have one firewall installed at a time. Having more than one firewall program installed at once is likely to cause conflicts and may well decrease your overall protection as well as seriously impairing the performance of your PC.





#20 mbressman (Topic Starter)

Posted 02 January 2010 - 09:35 PM

Elle,

According to that website, the Kaspersky Online Scanner is not available currently. Is there something different I should try?

Thanks.

#21 Blind Faith (Malware Response Team)

Posted 03 January 2010 - 01:40 PM

Hi mbressman,

Changed link. Sorry.



Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


Don't forget about that firewall!




#22 mbressman (Topic Starter)

Posted 03 January 2010 - 06:11 PM

Elle,

I ran the scan in Firefox, so it used Java instead of ActiveX (I had to download and install Java as per Firefox's request).

Here is the log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Sunday, January 3, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Sunday, January 03, 2010 18:57:58
Records in database: 3364773
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
H:\
I:\
J:\
K:\

Scan statistics:
Objects scanned: 141165
Threats found: 5
Infected objects found: 13
Suspicious objects found: 0
Scan duration: 03:05:12


File name / Threat / Threats count
C:\Program Files\RealVNC\VNC4\WinVNC4.exe/C:\Program Files\RealVNC\VNC4\WinVNC4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.ad 1
C:\Documents and Settings\All Users\Application Data\acccore\sp.dll_ Infected: Trojan-Proxy.Win32.Agent.byn 1
C:\Documents and Settings\T Bizzle\Local Settings\Application Data\Mozilla\Firefox\Profiles\zpxc303z.default\Cache\26EDB3B4d01 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.ad 2
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1DD27172.exe Infected: not-a-virus:FraudTool.Win32.SpyDawn.a 1
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1E314B01.wmf Infected: Exploit.Win32.IMG-WMF.v 1
C:\Program Files\RealVNC\VNC4\vncconfig.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.ad 1
C:\Program Files\RealVNC\VNC4\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.ad 1
C:\System Volume Information\_restore{FFEBDF1F-A6BE-463C-A34E-A09F6BF411D3}\RP1\A0003364.sys Infected: Rootkit.Win32.TDSS.y 1
C:\System Volume Information\_restore{FFEBDF1F-A6BE-463C-A34E-A09F6BF411D3}\RP1\A0004378.sys Infected: Rootkit.Win32.TDSS.y 1
C:\System Volume Information\_restore{FFEBDF1F-A6BE-463C-A34E-A09F6BF411D3}\RP1\A0004758.DLL Infected: Trojan-Proxy.Win32.Agent.byn 1
C:\System Volume Information\_restore{FFEBDF1F-A6BE-463C-A34E-A09F6BF411D3}\RP9\A0009965.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.ad 2

Selected area has been scanned.



It definitely appears as if there are still infections on the machine, so I wasn't sure if I should download and set up a firewall yet. Let me know how you want me to proceed regarding the infections and the firewall software. Thanks again.
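As an added example that is not part of the original thread (nor code from BleepingComputer or Kaspersky), here is a small Python triage of the report above. It groups each detection by where it sits, the way the helper's next reply does: only a live file outside an AV quarantine and outside System Restore needs a manual delete. The category rules and function names are this example's own, and the sample lines are copied from the report.

```python
"""Triage of a Kaspersky Online Scanner 7.0 report like the one posted above.

Added example, not code from the thread, BleepingComputer or Kaspersky. The
category rules are this example's own and mirror the helper's reasoning.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: the "File name / Threat / Threats count" block of the report.
SAMPLE_REPORT = r"""
File name / Threat / Threats count
C:\Program Files\RealVNC\VNC4\WinVNC4.exe/C:\Program Files\RealVNC\VNC4\WinVNC4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.ad 1
C:\Documents and Settings\All Users\Application Data\acccore\sp.dll_ Infected: Trojan-Proxy.Win32.Agent.byn 1
C:\Documents and Settings\T Bizzle\Local Settings\Application Data\Mozilla\Firefox\Profiles\zpxc303z.default\Cache\26EDB3B4d01 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.ad 2
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1DD27172.exe Infected: not-a-virus:FraudTool.Win32.SpyDawn.a 1
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1E314B01.wmf Infected: Exploit.Win32.IMG-WMF.v 1
C:\Program Files\RealVNC\VNC4\vncconfig.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.ad 1
C:\Program Files\RealVNC\VNC4\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.ad 1
C:\System Volume Information\_restore{FFEBDF1F-A6BE-463C-A34E-A09F6BF411D3}\RP1\A0003364.sys Infected: Rootkit.Win32.TDSS.y 1
C:\System Volume Information\_restore{FFEBDF1F-A6BE-463C-A34E-A09F6BF411D3}\RP1\A0004378.sys Infected: Rootkit.Win32.TDSS.y 1
C:\System Volume Information\_restore{FFEBDF1F-A6BE-463C-A34E-A09F6BF411D3}\RP1\A0004758.DLL Infected: Trojan-Proxy.Win32.Agent.byn 1
C:\System Volume Information\_restore{FFEBDF1F-A6BE-463C-A34E-A09F6BF411D3}\RP9\A0009965.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.ad 2

Selected area has been scanned.
"""

# One finding per line: "<path> Infected: <detection name> <count>".
LINE_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")


@dataclass
class Finding:
    path: str
    threat: str
    count: int
    category: str


def categorize(path: str, threat: str) -> str:
    """Location is checked before the verdict: a contained copy needs no manual action."""
    p = path.lower()
    if "\\quarantine\\" in p:
        return "quarantined"    # already held by another AV product's quarantine
    if "\\system volume information\\_restore" in p:
        return "restore-point"  # inactive copy inside System Restore; purge restore points
    if threat.startswith("not-a-virus:"):
        return "tool"           # riskware such as RemoteAdmin; confirm the user installed it
    return "live"               # active file on disk: the item to delete now


def parse_report(text: str) -> List[Finding]:
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # header, blank and statistics lines do not match
            findings.append(Finding(m["path"], m["threat"], int(m["count"]),
                                    categorize(m["path"], m["threat"])))
    return findings


def summarize(text: str) -> Dict[str, int]:
    """Findings per category; 'live' is the manual to-do list."""
    counts = {"live": 0, "restore-point": 0, "quarantined": 0, "tool": 0}
    for f in parse_report(text):
        counts[f.category] += 1
    return counts


def live_paths(text: str) -> List[str]:
    return [f.path for f in parse_report(text) if f.category == "live"]


def infected_objects(text: str) -> int:
    """Sum of per-line counts; should equal the report's 'Infected objects found'."""
    return sum(f.count for f in parse_report(text))


def distinct_threats(text: str) -> int:
    """Number of different detection names; should equal the report's 'Threats found'."""
    return len({f.threat for f in parse_report(text)})


if __name__ == "__main__":
    print(summarize(SAMPLE_REPORT))
    for path in live_paths(SAMPLE_REPORT):
        print("delete now:", path)
```

The two consistency checks reproduce the report's own statistics (13 infected objects, 5 threats), which is a quick way to confirm the parser missed no line.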

#23 Blind Faith (Malware Response Team)

Posted 05 January 2010 - 02:22 PM

Hi mbressman,

Please set your system to show all files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Go to Start->Run->type "explorer" and hit Enter.

Find and delete this file if it's still present.

C:\Documents and Settings\All Users\Application Data\acccore\sp.dll_

Let me know when you have deleted it.





#24 mbressman (Topic Starter)

Posted 05 January 2010 - 04:12 PM

Deleted...

#25 Blind Faith (Malware Response Team)

Posted 06 January 2010 - 06:34 AM

Hi,
Congrats! Your log looks clean.

Remove Combofix now that we're done with it.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in "Combofix /Uninstall" in the runbox and click OK. (Notice the space between the "x" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
  • This will uninstall Combofix and anything associated with it.



Please set your system to hide all hidden files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, uncheck Show hidden files and folders.
Check: Hide file extensions for known file types
Check the Hide protected operating system files (recommended) option.
Click Yes to confirm.



Please also, now that you are clean don't forget about the firewall.

Update your Anti Virus Software - It is imperative that you update your Anti virus software at least once a week (Even more if you wish). If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out.



Visit Microsoft's Windows Update Site Frequently -
* It is important that you visit http://www.windowsupdate.com regularly.
* This will ensure your computer has always the latest security updates available installed on your computer.
* If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Next, I would recommend the download and installation of some or all of the following programs, and the updating of them regularly


Install SUPERAntiSpyware - Install and download SUPERAntiSpyware.
* You should also scan your computer with the program on a regular basis just as you would an anti virus software in conjunction with Spybot.
* Information on installing & using this product can be found here:
* Click here for more info -->SUPERAntiSpyware official site



Install Javacools© SpywareBlaster -
* SpywareBlaster will add a large list of programs and sites to your Internet Explorer and Firefox settings, which will protect you from running and downloading known malicious programs.
* An article on anti-malware products with links for this program and others can be found here:
* Click here for more info -->Computer Safety on line - Anti-Malware

Update all these programs regularly - Make sure you update all the programs I have listed regularly.
Without regular updates you WILL NOT be protected when new malicious programs are released.


If you have any additional questions just ask...



#26 kahdah (Security Colleague)

Posted 10 January 2010 - 07:05 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.
