
ive been infected by samok.vbs


  • This topic is locked
2 replies to this topic

#1 raindrain

Posted 01 January 2010 - 05:06 AM

I've been infected by samok.vbs and I can't use the Run command. I already used ComboFix but nothing happens. Please help!

I think I already removed the virus, but I can't open my flash drive; it says "can not find script samok.vbs".

ComboFix 09-12-28.05 - Administrator 01/01/2010 14:14:04.2.2 - x86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.819 [GMT 8:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
AV: avast! antivirus 4.8.1368 [VPS 000000-0] *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((( Files Created from 2009-12-01 to 2010-01-01 )))))))))))))))))))))))))))))))
.

2009-12-31 21:33 . 2009-12-31 21:33 -------- d-----w- c:\windows\system32\wbem\Repository
2009-12-31 21:33 . 2009-12-31 21:33 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory
2009-12-31 21:33 . 2009-12-31 21:33 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Windows Live Writer
2009-12-31 21:33 . 2009-12-31 21:33 -------- d-----w- c:\documents and settings\Administrator\Application Data\InstallShield
2009-12-31 18:55 . 2009-12-31 21:29 -------- d-----w- C:\Qoobox(2)(2)
2009-12-30 19:18 . 2009-12-30 19:18 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Identities
2009-12-28 16:55 . 2009-12-28 16:55 -------- d-----w- c:\program files\AVG
2009-12-25 14:09 . 2009-12-26 17:43 -------- d-----w- C:\myyoutube
2009-12-24 01:04 . 2009-11-24 23:48 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-12-24 01:04 . 2009-11-24 23:49 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-12-24 01:04 . 2009-11-24 23:47 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-12-24 01:04 . 2009-11-24 23:47 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-12-24 01:04 . 2009-11-24 23:50 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-12-24 01:04 . 2009-11-24 23:50 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-12-24 01:04 . 2009-11-24 23:51 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-12-24 01:04 . 2009-11-24 23:50 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-12-24 01:03 . 2009-11-24 23:54 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2009-12-24 01:03 . 2003-03-18 20:20 1060864 ----a-w- c:\windows\system32\MFC71.dll
2009-12-24 01:03 . 2003-03-18 19:14 499712 ----a-w- c:\windows\system32\MSVCP71.dll
2009-12-24 01:03 . 2003-02-21 03:42 348160 ----a-w- c:\windows\system32\MSVCR71.dll
2009-12-24 01:03 . 2009-12-24 01:03 -------- d-----w- c:\program files\Alwil Software
2009-12-23 12:55 . 2009-12-23 12:55 -------- d-----w- c:\program files\Application Updater
2009-12-23 12:38 . 2009-12-23 12:42 -------- d-----w- c:\program files\1-Click YouTube Downloader
2009-12-20 01:09 . 1999-04-02 08:37 33792 ----a-r- c:\windows\NPSExec.exe
2009-12-20 01:08 . 2009-12-20 01:08 -------- d-----w- c:\program files\Electronic Arts
2009-12-20 01:04 . 2009-12-20 01:04 -------- d-----w- c:\program files\Maxis
2009-12-02 22:10 . 2005-02-25 03:35 22752 ----a-w- c:\windows\system32\spupdsvc.exe
2009-12-02 21:54 . 2009-08-06 11:23 215920 ----a-w- c:\windows\system32\muweb.dll
2009-12-02 21:54 . 2009-08-06 11:23 274288 ----a-w- c:\windows\system32\mucltui.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-01 05:40 . 2009-06-24 05:51 -------- d-----w- c:\program files\BitComet
2009-12-31 21:31 . 2009-02-26 16:45 -------- d-----w- c:\program files\Microsoft Works
2009-11-17 04:02 . 2009-11-06 12:54 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files
2009-11-14 07:13 . 2009-11-14 07:13 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Xfire
2009-11-10 04:07 . 2009-11-10 04:07 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-11-07 05:33 . 2009-11-07 05:33 -------- d-----w- c:\program files\Common Files\DirectX
2009-11-06 10:35 . 2009-11-06 10:35 -------- d-----w- c:\program files\Pando Networks
2009-11-04 01:47 . 2009-07-10 02:03 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-11-03 11:42 . 2009-11-03 11:41 1925024 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2009-11-03 11:18 . 2009-01-23 00:32 -------- d-----w- c:\program files\Windows Live
2009-11-03 11:16 . 2009-10-21 10:11 -------- d-----w- c:\program files\Memento
2009-11-03 11:15 . 2009-10-21 10:26 -------- d-----w- c:\program files\Desktop Comics!
2009-10-22 01:53 . 2009-10-22 01:53 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-10-21 10:29 . 2009-10-21 10:26 286720 ------w- c:\windows\Setup1.exe
2009-10-21 10:29 . 2009-10-21 10:26 73216 ----a-w- c:\windows\ST6UNST.EXE
2009-10-20 12:42 . 2009-10-20 12:42 0 ----a-w- c:\windows\nsreg.dat
2009-10-19 05:01 . 2009-06-10 22:33 57848 ----a-w- c:\documents and settings\chaypapillera\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-14 15:19 . 2009-10-14 15:19 32 ----a-w- c:\documents and settings\All Users\Application Data\ezsid.dat
2008-05-07 08:34 . 2009-01-23 00:35 15523560 ----a-w- c:\program files\U1 Setup.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\MpcStar\Codecs\QuickTime\QTSystem\qttask.exe" [2009-07-03 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-14 39792]
"autoMe"="wscript.exe" [2008-05-08 155648]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
SuperHybridEngine.lnk - c:\program files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe [2009-1-23 376832]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-14 17:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe"=
"%windir%\system32\sessmgr.exe"=
"c:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"=
"c:\Program Files\LimeWire\LimeWire.exe"=
"c:\Program Files\BitComet\BitComet.exe"=
"c:\Program Files\Pando Networks\Media Booster\PMB.exe"=
"c:\Program Files\Skype\Phone\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"11597:TCP"= 11597:TCP:BitComet 11597 TCP
"11597:UDP"= 11597:UDP:BitComet 11597 UDP
"56682:TCP"= 56682:TCP:Pando Media Booster
"56682:UDP"= 56682:UDP:Pando Media Booster

S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [7/12/2009 9:08 PM 721904]
S1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [12/24/2009 9:04 AM 114768]
S2 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [12/16/2009 5:38 PM 375296]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/24/2009 9:04 AM 20560]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2/27/2009 12:27 AM 1684736]
S3 RT80x86;Ralink 802.11n Wireless Driver;c:\windows\system32\drivers\rt2860.sys [1/23/2009 8:27 AM 704384]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://eeepc.asus.com/global
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: {F8FF019A-E78E-44C8-A08B-4225BFE9C210} = 203.115.130.72,203.115.130.74
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-01 14:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Atheros Communications Inc.\Atheros Communications Inc. AR8121/AR8113/AR8114 Gigabit/Fast Ethernet Driver]
@DACL=(02 0000)
@SACL=

[HKEY_LOCAL_MACHINE\software\Microsoft\Advanced INF Setup\IEHomePageInfo\RegBackup]
@DACL=(02 0000)
@SACL=

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\SideBySide\Installations\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.5581_x-ww_dfbc4fc4\Codebases]
@DACL=(02 0000)
@SACL=

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\SideBySide\Installations\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.5581_x-ww_dfbc4fc4\Files]
@DACL=(02 0000)
@SACL=

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\SideBySide\Installations\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.5581_x-ww_dfbc4fc4\References]
@DACL=(02 0000)
@SACL=
"U_KB938464"=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\SideBySide\Installations\x86_policy.1.0.Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.5581_x-ww_ed83e624\Codebases]
@DACL=(02 0000)
@SACL=

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\SideBySide\Installations\x86_policy.1.0.Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.5581_x-ww_ed83e624\Files]
@DACL=(02 0000)
@SACL=

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\SideBySide\Installations\x86_policy.1.0.Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.5581_x-ww_ed83e624\References]
@DACL=(02 0000)
@SACL=
"U_KB938464"=""

[HKEY_LOCAL_MACHINE\software\Realtek Semiconductor Corp.\Realtek High Definition Audio Driver]
@DACL=(02 0000)
@SACL=
.
Completion time: 2010-01-01 14:20:44
ComboFix-quarantined-files.txt 2010-01-01 06:20
ComboFix2.txt 2010-01-01 06:11
ComboFix3.txt 2009-12-31 19:33

Pre-Run: 110,560,669,696 bytes free
Post-Run: 110,546,214,912 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 5667066DCB8D63A8EFE1FBCAD1615F7E


EDIT: Since you posted a CF log, I moved your topic back to the HJT forum. Please be patient until a Team member replies to your log ~ Elise

Merge 3 posts. ~ OB

Edited by Orange Blossom, 01 January 2010 - 03:20 PM.
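As an added example (not part of this thread, and not ComboFix's own code), here is a small Python triage pass over a "Reg Loading Points" block in the ComboFix format shown in the log above. It flags autostart entries whose image is a script host such as wscript.exe, or whose image path is not fully qualified, which is exactly what the "autoMe"="wscript.exe" line is; the sample block is constructed from the log with backslashes restored, and the list of script hosts is an assumption of this example.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in ComboFix's Run-key format (taken from the log in this thread).
SAMPLE = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\MpcStar\Codecs\QuickTime\QTSystem\qttask.exe" [2009-07-03 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-14 39792]
"autoMe"="wscript.exe" [2008-05-08 155648]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
'''

# Interpreters that rarely belong in a Run key by themselves (assumed list);
# a VBS worm typically persists by registering one of these.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}

KEY_RE = re.compile(r'^\[(?P<key>HK[^\]]+)\]$')
ENTRY_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<image>[^"]*)"\s*\[(?P<date>[\d-]+)\s+(?P<size>\d+)\]')

def parse_run_entries(text):
    """Yield (key, name, image, date, size) for every value under every [HK...] key."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = ENTRY_RE.match(line)
        if m and key:
            yield key, m.group("name"), m.group("image"), m.group("date"), int(m.group("size"))

def triage(text):
    """Return [(name, image, [reasons])] for entries a responder should look at first."""
    findings = []
    for _key, name, image, _date, _size in parse_run_entries(text):
        reasons = []
        if PureWindowsPath(image).name.lower() in SCRIPT_HOSTS:
            reasons.append("script host registered as autostart")
        # A bare file name is resolved through PATH at logon, so the log does not
        # tell us which binary (or which script argument) actually runs.
        if not re.match(r'^[a-z]:\\', image, re.I) and not image.startswith("%"):
            reasons.append("image path not fully qualified")
        if reasons:
            findings.append((name, image, reasons))
    return findings

if __name__ == "__main__":
    for name, image, reasons in triage(SAMPLE):
        print(f'"{name}"="{image}": ' + "; ".join(reasons))
```

On the block above this reports only the "autoMe" entry, with both reasons; the two vendor entries and the avast! entry resolve to fully qualified, non-interpreter images and are left alone.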


#2 Blade

Posted 10 January 2010 - 11:14 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks, and again, sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM.


#3 extremeboy

Posted 01 February 2010 - 12:28 PM

Hello.

Due to lack of feedback, this topic is now closed.

If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
Extremeboy
Note: Please do not PM me asking for help; instead, please post in the correct forum requesting help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.
