Suspected virtumondo.sdn infection


  • This topic is locked
18 replies to this topic

#1 TylerC

TylerC

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:05:58 PM

Posted 18 May 2010 - 09:43 PM

Hello, and thank you for taking the time to read this topic. I'm posting because I'm 100% certain there's SOME sort of malware on my PC, just not sure exactly WHAT it is. After running Malwarebytes and Spybot, Malwarebytes detected several corrupted/bad files, and removed/quarantined all of them successfully. However, the popups continued, so I ran a Spybot search, and while it only caught one infected file which it quarantined & removed, I noticed the scanner was stuck on "virtumondo.sdn" for quite some time. I did yet another Malwarebytes scan after this (the quick one), and it came up clean. However, I am most definitely getting popups while using search engines, and even sometimes just by opening webpages that I frequently use (and have never caused popups before). Thanks for all the help in advance! PLEASE save me, I've already had to reformat before due to this virus. I'm praying it's a false positive, because this time it's not restricting my access to any files/control panel, but the popups are making me paranoid!

***GMER is currently running, however I have to leave, so I'll be allowing it to run overnight, then returning tomorrow to post results. Any help that CAN be done with what I've posted so far is appreciated.***

DDS (Ver_10-03-17.01) - NTFSx86
Run by Tyler at 21:29:45.95 on Tue 05/18/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1163 [GMT -4:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\JMRaidSetup.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Mozilla Firefox\firefox.exe
c:\program files\avira\antivir desktop\avcenter.exe
C:\Program Files\Avira\AntiVir Desktop\avscan.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Documents and Settings\Tyler\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [ManyCam] "c:\program files\manycam 2.4\ManyCam.exe"
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [JMB36X Configure] c:\windows\system32\JMRaidSetup.exe boot
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [JMB36X IDE Setup] c:\windows\jm\JMInsIDE.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
StartupFolder: c:\docume~1\tyler\startm~1\programs\startup\limewi~1.lnk - c:\program files\limewire\LimeWire.exe
StartupFolder: c:\docume~1\tyler\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\tyler\applic~1\mozilla\firefox\profiles\xg9shucm.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-5-14 218592]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-2-9 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-2-9 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-2-9 267432]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-2-9 60936]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [2008-1-14 21632]
S2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsauxs.exe --> c:\program files\spyware doctor\pctsAuxs.exe [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-2-9 1684736]

=============== Created Last 30 ================

2010-05-19 00:09:21 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-05-19 00:09:21 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-05-14 18:45:01 1089593 -c----w- c:\windows\system32\dllcache\ntprint.cat
2010-05-14 09:52:24 0 d-----w- c:\windows\system32\XPSViewer
2010-05-14 09:51:49 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-05-14 09:51:49 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-05-14 09:51:49 117760 ------w- c:\windows\system32\prntvpt.dll
2010-05-14 09:51:48 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-05-14 09:51:48 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-05-14 09:51:48 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2010-05-14 09:51:48 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-05-14 09:51:48 0 d-----w- C:\e4df20a1d903e0b3c4d675ee7f
2010-05-14 09:00:33 0 d-----w- c:\docume~1\tyler\applic~1\Malwarebytes
2010-05-14 09:00:26 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-14 09:00:25 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-14 08:58:59 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-14 08:58:59 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-05-14 08:45:10 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2010-05-14 08:45:10 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-05-14 08:45:09 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-05-14 08:45:09 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2010-05-14 08:45:09 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2010-05-14 08:45:09 218592 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-05-14 08:45:01 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2010-05-14 08:45:01 63360 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-05-14 08:44:47 0 d-----w- c:\program files\common files\PC Tools
2010-05-14 08:44:47 0 d-----w- c:\docume~1\tyler\applic~1\PC Tools
2010-05-14 08:44:47 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2010-05-14 07:00:22 0 d-----w- C:\3aa90eaca426463a5290c1
2010-05-14 07:00:19 0 d-----w- C:\9b9d91f63a10c433e642b733
2010-05-12 10:02:24 0 d-----w- c:\program files\Call of Duty Game of the Year Edition
2010-05-12 10:01:42 745 ----a-w- c:\windows\CoD.INI
2010-05-12 09:55:57 0 d-----w- c:\windows\system32\NtmsData
2010-05-12 09:50:20 0 d-sh--w- c:\windows\ftpcache
2010-05-05 00:59:09 0 d-----w- c:\program files\common files\Thraex Software
2010-04-30 06:54:49 0 d-----w- c:\docume~1\tyler\applic~1\Mumble
2010-04-30 06:43:55 0 d-----w- c:\program files\Mumble

==================== Find3M ====================

2010-04-26 17:16:48 87608 ----a-w- c:\docume~1\tyler\applic~1\inst.exe
2010-04-26 17:16:47 47360 ----a-w- c:\docume~1\tyler\applic~1\pcouffin.sys
2010-04-13 16:02:42 189480 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-04-13 15:51:44 137544 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-04-13 15:50:09 139152 ----a-w- c:\docume~1\tyler\applic~1\PnkBstrK.sys
2010-04-13 15:49:49 794408 ----a-w- c:\windows\system32\pbsvc.exe
2010-04-13 15:49:49 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-04-08 06:47:55 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-24 03:36:47 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-26 05:43:57 667136 ----a-w- c:\windows\system32\wininet.dll
2010-02-26 05:43:54 81920 ----a-w- c:\windows\system32\ieencode.dll

============= FINISH: 21:30:50.40 ===============
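A triage aid added by the editor, not part of the poster's log and not code from DDS or any BleepingComputer tool: a small Python parser that reads lines shaped like the "Pseudo HJT Report" section above and flags the entries a malware responder would look at first. In this log those are the browser proxy set to 127.0.0.1:5555 and the hosts-file entry sending www.spywareinfo.com to 127.0.0.1. The sample input is constructed: the ProxyServer and Hosts lines copy the log, while the "updater" autostart line (`xkqplrz\inst.exe`) is invented to exercise the third check. The regular expressions are written from the line shapes visible here, not from DDS's source, so they are an assumption about the format.

```python
"""Triage helper for the "Pseudo HJT Report" section of a DDS log (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input. The ProxyServer and Hosts lines copy the poster's
# DDS log; the "updater" autostart line is invented to exercise the third
# check and does not come from the log.
SAMPLE_REPORT = r"""
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [updater] "c:\docume~1\user\applic~1\xkqplrz\inst.exe" /q
Hosts: 127.0.0.1 www.spywareinfo.com
"""


@dataclass(frozen=True)
class Finding:
    category: str  # "proxy", "run" or "hosts"
    detail: str
    line: str      # the report line that produced the finding


# Autostart binaries living under a user profile deserve a second look on XP;
# most installers put theirs under Program Files or %windir%.
PROFILE_HINTS = ("docume~1", "documents and settings", "applic~1",
                 "application data", "local settings", "\\temp\\")

PROXY_RE = re.compile(r"^[umd]?Internet Settings,ProxyServer\s*=\s*(.+)$", re.I)
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)", re.I)
RUN_RE = re.compile(r"^[um]Run:\s*\[([^\]]*)\]\s*(.*)$", re.I)


def is_loopback(host: str) -> bool:
    """True for addresses that resolve to the machine itself."""
    h = host.strip().lower()
    return h.startswith("127.") or h in ("localhost", "::1", "0.0.0.0")


def check_proxy(value: str) -> list[str]:
    """Return a note for every proxy entry that points back at this machine.

    The value is the WinINet ProxyServer string: either "host:port" for all
    protocols or a ";"-separated list of "protocol=host:port" pairs.
    """
    notes = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        proto, sep, addr = part.partition("=")
        if not sep:                      # bare "host:port" applies to every protocol
            proto, addr = "all", proto
        host, _, port = addr.rpartition(":")
        if not host:                     # no port given
            host, port = addr, ""
        if is_loopback(host):
            notes.append(f"{proto} proxy is {host}:{port or '?'}: every browser request "
                         f"passes through a process listening on this machine")
    return notes


def parse_report(text: str) -> list[Finding]:
    """Scan pseudo-HJT lines and return the entries worth a responder's attention."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := PROXY_RE.match(line):
            for note in check_proxy(m.group(1)):
                findings.append(Finding("proxy", note, line))
        elif m := HOSTS_RE.match(line):
            ip, name = m.group(1), m.group(2)
            # DDS only lists non-default hosts entries; a name parked on the
            # loopback address is a site being blocked (here a security forum).
            if name.lower() != "localhost" and is_loopback(ip):
                findings.append(Finding("hosts", f"{name} is sent to {ip}, so the site "
                                        f"cannot be reached from this machine", line))
        elif m := RUN_RE.match(line):
            name, cmd = m.group(1), m.group(2).strip()
            # Take the executable path, which may be quoted when it has spaces.
            exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
            if any(hint in exe.lower() for hint in PROFILE_HINTS):
                findings.append(Finding("run", f"autostart [{name}] runs from a user-profile "
                                        f"path: {exe}", line))
    return findings


if __name__ == "__main__":
    for f in parse_report(SAMPLE_REPORT):
        print(f"[{f.category}] {f.detail}\n    {f.line}")
```

A proxy on 127.0.0.1 means every browser request is handed to whatever process owns that port, which is how injected advertising gets into otherwise clean pages; on XP, `netstat -ano` shows the PID bound to 5555 so it can be matched against the running-process list. Together with a security site parked on the loopback address, that is consistent with the popups the poster describes, but the script is a triage hint that tells a responder where to look, not a verdict on the machine.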



#2 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:58 PM

Posted 19 May 2010 - 04:27 PM

Hi there.

My name is Extremeboy (or EB for short), and I will be helping you with your log.

Please post the GMER log upon completion. If there was an issue or problem trying to perform it, let me know.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 TylerC

TylerC
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:05:58 PM

Posted 19 May 2010 - 07:33 PM

EB-
I'm currently re-running the GMER scan, as apparently leaving it for 18 hours caused it to slow down/lock up when attempting to save :/ Last time I left after it scanned for 2 hours, so I guess I'll be waiting until later tonight to post the logs... I just pray this isn't serious malware and is merely a false positive with a popup generator.

Edit: I have a print screen of the finished scan, however I don't know if that's all you'll need. If it is, let me know and I'll upload it ASAP.

Edited by TylerC, 19 May 2010 - 07:34 PM.


#4 TylerC

TylerC
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:05:58 PM

Posted 19 May 2010 - 10:13 PM

The scan is still going, has been since 8:30... should I be concerned? I have roughly 230 gigs worth of data on my hard drive.

#5 TylerC

TylerC
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:05:58 PM

Posted 20 May 2010 - 02:47 AM

This time the scan completed, however it took 7 hours. Just because I have the best luck ever, the program froze while trying to save results. I have a screenshot of the program after it completed the scan; is this of any help? Also, I'll be unable to scan using GMER again; clearly something with my system doesn't like it too much, and it's far too time consuming.

Edit: For the record, Malwarebytes comes up clean, and I have a print screen of the GMER quick scan it does at the start; if you'd like that, let me know.

Edited by TylerC, 20 May 2010 - 03:16 AM.


#6 TylerC

TylerC
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:05:58 PM

Posted 20 May 2010 - 03:41 PM

Sorry for so many replies before you've even had a chance to get back to my thread... but after a full scan by Malwarebytes and Spybot, Spybot comes up clean (however, during the scanning, when it shows the files that are being scanned, virtumondo.dll and virtumondo.sci pop up for some time; does this mean the file is in my computer or that Spybot is searching for it?), whereas Malwarebytes caught a Trojan.FakeAlert in my System Volume Information... I'm not really too sure where to go from here, and I'm ultra paranoid about getting my passwords/sensitive information stolen, hence all my rapid fire posts, which I apologize for :(

#7 TylerC

TylerC
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:05:58 PM

Posted 20 May 2010 - 07:01 PM

Some sort of help/guidance as to where to go from here would be nice...

#8 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:58 PM

Posted 20 May 2010 - 07:04 PM

Hello TylerC,

I apologize for the delay.

If you could post the Malwarebytes log that would be helpful; however, from what you mentioned it does not seem to be an "active" infection, since you mentioned it is in the System Volume Information. We will make sure.

Let's start off with Combofix and continue from there. Any problems please let me know.

Download and Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without the guidance of an expert.

Download Combofix from any of the links below, and save it to your desktop.
Link 1
Link 2

Please refer to this page for full instructions on how to run ComboFix.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click ComboFix.exe to start the program. Agree to the prompts.
  • When ComboFix is finished, a log report (C:\ComboFix.txt) will open. Post back with it.
Leave your computer alone while ComboFix is running.

ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running, because it may cause it to stall.


#9 TylerC

TylerC
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:05:58 PM

Posted 20 May 2010 - 07:48 PM

ComboFix 10-05-20.07 - Tyler 05/20/2010 20:34:24.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1651 [GMT -4:00]
Running from: c:\documents and settings\Tyler\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Tyler\Application Data\inst.exe

Infected copy of c:\windows\system32\drivers\jraid.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-04-21 to 2010-05-21 )))))))))))))))))))))))))))))))
.

2010-05-20 17:10 . 2010-05-20 17:10 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-19 00:09 . 2010-05-19 00:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-05-19 00:09 . 2010-05-19 00:11 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-05-14 09:52 . 2010-05-14 09:52 -------- d-----w- c:\windows\system32\XPSViewer
2010-05-14 09:52 . 2010-05-14 09:52 -------- d-----w- c:\program files\Reference Assemblies
2010-05-14 09:52 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-05-14 09:51 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-05-14 09:51 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2010-05-14 09:51 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-05-14 09:51 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-05-14 09:51 . 2010-05-14 09:52 -------- d-----w- C:\e4df20a1d903e0b3c4d675ee7f
2010-05-14 09:51 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-05-14 09:51 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-05-14 09:51 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2010-05-14 09:51 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-05-14 09:00 . 2010-05-14 09:00 -------- d-----w- c:\documents and settings\Tyler\Application Data\Malwarebytes
2010-05-14 09:00 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-14 09:00 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-14 08:58 . 2010-05-14 09:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-14 08:58 . 2010-05-14 08:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-14 08:45 . 2010-02-05 13:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-05-14 08:45 . 2010-03-29 14:06 218592 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-05-14 08:45 . 2009-11-23 17:54 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-05-14 08:45 . 2010-04-08 18:29 63360 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-05-14 08:44 . 2010-05-14 08:45 -------- d-----w- c:\program files\Common Files\PC Tools
2010-05-14 08:44 . 2010-05-14 08:44 -------- d-----w- c:\documents and settings\Tyler\Application Data\PC Tools
2010-05-14 08:44 . 2010-05-14 08:44 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-05-14 08:44 . 2010-05-14 08:58 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-14 08:42 . 2010-05-14 08:42 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-05-14 08:36 . 2010-05-14 09:45 -------- d-----w- c:\documents and settings\Tyler\Local Settings\Application Data\lbkhddnjr
2010-05-14 07:34 . 2010-05-14 07:34 -------- d--h--w- c:\documents and settings\Tyler\Application Data\ijjigame
2010-05-14 07:00 . 2010-05-14 07:00 -------- d-----w- C:\3aa90eaca426463a5290c1
2010-05-14 07:00 . 2010-05-14 07:00 -------- d-----w- C:\9b9d91f63a10c433e642b733
2010-05-12 10:02 . 2010-05-15 00:50 -------- d-----w- c:\program files\Call of Duty Game of the Year Edition
2010-05-12 09:55 . 2010-05-20 10:16 -------- d-----w- c:\windows\system32\NtmsData
2010-05-12 09:50 . 2010-05-12 09:50 -------- d-sh--w- c:\windows\ftpcache
2010-05-05 00:59 . 2010-05-05 00:59 -------- d-----w- c:\program files\Common Files\Thraex Software
2010-04-30 06:54 . 2010-05-18 01:24 -------- d-----w- c:\documents and settings\Tyler\Application Data\Mumble
2010-04-30 06:43 . 2010-04-30 06:44 -------- d-----w- c:\program files\Mumble

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-21 00:23 . 2010-03-04 12:16 -------- d-----w- c:\documents and settings\Tyler\Application Data\uTorrent
2010-05-20 23:36 . 2010-02-11 04:52 -------- d-----w- c:\program files\Steam
2010-05-20 07:52 . 2010-02-10 00:16 69616 ----a-w- c:\documents and settings\Tyler\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-18 23:33 . 2010-02-18 10:38 -------- d-----w- c:\documents and settings\Tyler\Application Data\vlc
2010-05-18 04:07 . 2010-02-18 01:37 -------- d-----w- c:\documents and settings\Tyler\Application Data\mIRC
2010-05-18 03:55 . 2010-02-18 01:37 -------- d-----w- c:\program files\mIRC
2010-05-14 22:47 . 2010-02-16 23:34 -------- d-----w- c:\program files\Heroes of Newerth
2010-05-14 09:52 . 2010-02-10 02:21 -------- d-----w- c:\program files\MSBuild
2010-05-14 07:32 . 2010-02-10 00:10 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-12 10:44 . 2010-02-18 14:30 -------- d-----w- c:\program files\CSS Demos
2010-05-12 01:13 . 2010-02-10 02:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-05-10 21:06 . 2010-03-02 08:54 -------- d-----w- c:\program files\Windows Media Connect 2
2010-04-27 09:20 . 2010-04-17 00:21 -------- d-----w- c:\documents and settings\Tyler\Application Data\Skype
2010-04-27 09:07 . 2010-04-17 00:22 -------- d-----w- c:\documents and settings\Tyler\Application Data\skypePM
2010-04-26 17:16 . 2010-03-24 03:36 -------- d-----w- c:\program files\VSO
2010-04-26 17:16 . 2010-03-24 03:36 -------- d-----w- c:\documents and settings\Tyler\Application Data\Vso
2010-04-26 17:16 . 2010-03-24 03:36 47360 ----a-w- c:\documents and settings\Tyler\Application Data\pcouffin.sys
2010-04-26 17:16 . 2010-03-24 03:36 47360 ----a-w- c:\documents and settings\Tyler\Application Data\pcouffin.sys
2010-04-17 00:22 . 2010-04-17 00:22 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-04-17 00:21 . 2010-04-17 00:21 -------- d-----w- c:\program files\Common Files\Skype
2010-04-17 00:21 . 2010-04-17 00:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-04-13 16:02 . 2010-04-08 23:37 189480 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-04-13 15:51 . 2010-04-08 23:38 137544 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-04-13 15:50 . 2010-04-13 15:50 139152 ----a-w- c:\documents and settings\Tyler\Application Data\PnkBstrK.sys
2010-04-13 15:50 . 2010-04-13 15:50 139152 ----a-w- c:\documents and settings\Tyler\Application Data\PnkBstrK.sys
2010-04-13 15:49 . 2010-04-13 15:49 794408 ----a-w- c:\windows\system32\pbsvc.exe
2010-04-13 15:49 . 2010-04-08 23:37 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-04-10 00:29 . 2010-04-10 00:29 503808 ----a-w- c:\documents and settings\Tyler\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-67682138-n\msvcp71.dll
2010-04-10 00:29 . 2010-04-10 00:29 499712 ----a-w- c:\documents and settings\Tyler\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-67682138-n\jmc.dll
2010-04-10 00:29 . 2010-04-10 00:29 348160 ----a-w- c:\documents and settings\Tyler\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-67682138-n\msvcr71.dll
2010-04-10 00:29 . 2010-04-10 00:29 61440 ----a-w- c:\documents and settings\Tyler\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-7d941dbd-n\decora-sse.dll
2010-04-10 00:29 . 2010-04-10 00:29 12800 ----a-w- c:\documents and settings\Tyler\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-7d941dbd-n\decora-d3d.dll
2010-04-09 22:22 . 2010-04-09 21:33 -------- d-----w- c:\documents and settings\Tyler\Application Data\dvdcss
2010-04-09 01:43 . 2010-04-08 23:27 -------- d-----w- c:\program files\Wolfenstein - Enemy Territory
2010-04-08 07:03 . 2010-04-08 07:03 -------- d-----w- c:\documents and settings\Tyler\Application Data\4Media Software Studio
2010-04-08 06:48 . 2010-04-08 06:48 -------- d-----w- c:\program files\Common Files\Java
2010-04-08 06:47 . 2010-04-08 06:48 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-04-08 06:47 . 2010-04-08 06:47 -------- d-----w- c:\program files\Java
2010-04-06 19:48 . 2010-02-10 02:21 -------- d-----w- c:\program files\Microsoft Works
2010-04-02 08:44 . 2010-04-02 08:43 -------- d-----w- c:\documents and settings\Tyler\Application Data\ManyCam
2010-03-26 03:45 . 2010-03-26 03:45 -------- d-----w- c:\documents and settings\Tyler\Application Data\Avira
2010-03-24 04:20 . 2010-03-24 04:20 -------- d-----w- c:\documents and settings\All Users\Application Data\vsosdk
2010-03-24 03:36 . 2010-03-24 03:36 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2010-03-09 11:09 . 2006-02-28 12:00 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-03-01 13:05 . 2010-02-10 01:22 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-02-26 05:43 . 2006-02-28 12:00 667136 ----a-w- c:\windows\system32\wininet.dll
2010-02-26 05:43 . 2006-02-28 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-02-24 13:11 . 2006-02-28 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-03-09 319792]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
"RTHDCPL"="RTHDCPL.EXE" [2009-07-29 18671104]
"JMB36X Configure"="c:\windows\system32\JMRaidSetup.exe" [2006-10-31 1953792]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-01-12 13666408]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-01-12 110696]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"JMB36X IDE Setup"="c:\windows\JM\JMInsIDE.exe" [2006-10-31 36864]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]

c:\documents and settings\Tyler\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\left 4 dead demo\\left4dead.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Heroes of Newerth\\hon.exe"=
"c:\\Program Files\\Steam\\SteamApps\\chapdizzle\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\Steam\\SteamApps\\chapdizzle\\team fortress classic\\hl.exe"=
"c:\\Program Files\\Wolfenstein - Enemy Territory\\ET.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\star wars jedi knight\\JK.EXE"=
"c:\\Program Files\\Steam\\SteamApps\\common\\america's army 3\\Binaries\\AA3Game.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Call of Duty Game of the Year Edition\\CoDMP.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\left 4 dead 2\\left4dead2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\chapdizzle\\counter-strike\\hl.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [5/14/2010 4:45 AM 218592]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2/9/2010 9:22 PM 135336]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [1/14/2008 6:06 AM 21632]
S2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe --> c:\program files\Spyware Doctor\pctsAuxs.exe [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2/9/2010 9:41 PM 1684736]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
FF - ProfilePath - c:\documents and settings\Tyler\Application Data\Mozilla\Firefox\Profiles\xg9shucm.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

BHO-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll
Toolbar-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll
HKCU-Run-ManyCam - c:\program files\ManyCam 2.4\ManyCam.exe
HKCU-Run-Skype - c:\program files\Skype\Phone\Skype.exe
HKLM-Run-nwiz - nwiz.exe
HKLM-Run-ISTray - c:\program files\Spyware Doctor\pctsTray.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-20 20:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-05-20 20:43:26
ComboFix-quarantined-files.txt 2010-05-21 00:43

Pre-Run: 64,421,011,456 bytes free
Post-Run: 72,135,970,816 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 66589DF3B10C654464CD745F18754EFF



**there are 3 malwarebytes logs there, as you can see it starts off very infected, and dwindles to 0. however, even at 0, i'm still getting redirects, haven't fully tested it since combofix was run, as the popups are random**

i also apologize for my impatience, i just really want to get this fixed so i can do some stuff for school that requires use of passwords and personal information, and obviously have to wait until my pc is clean :) i appreciate the help thus far!

Attached Files


Edited by TylerC, 20 May 2010 - 07:50 PM.


#10 TylerC

TylerC
  • Topic Starter

  • Members
  • 17 posts

Posted 20 May 2010 - 08:52 PM

anything else i should be doing? or do the logs look good?

#11 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 20 May 2010 - 09:12 PM

Yup, it's looking good alright. Combofix removed the main infection, your PC should be running better, however it's not 100% clean. It's getting late here and I need to get up early in the morning, please be patient - I'll get back to you tomorrow, as well as the others I'm helping, and review your logs.

Thanks for understanding.
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#12 TylerC

TylerC
  • Topic Starter

  • Members
  • 17 posts

Posted 20 May 2010 - 09:27 PM

QUOTE(extremeboy @ May 20 2010, 10:12 PM)
Yup, it's looking good alright. Combofix removed the main infection, your PC should be running better, however it's not 100% clean. It's getting late here and I need to get up early in the morning, please be patient - I'll get back to you tomorrow, as well as the others I'm helping, and review your logs.

Thanks for understanding.



sounds good. one quick question, however, am i good to login to a few game accounts? nothing with my ss # or anything else super sensitive, but i'd prefer to not have my steam account stolen :P

#13 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 21 May 2010 - 09:57 PM

QUOTE
sounds good. one quick question, however, am i good to login to a few game accounts? nothing with my ss # or anything else super sensitive, but id prefer to not have my steam account stolen

Yes, that should be fine, preferably on a different computer in the meantime.

Run ComboFix with CFScript

We will run ComboFix again. This time, the instructions are slightly different.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:

    CODE
    DDS::
    uInternet Settings,ProxyServer = http=127.0.0.1:5555
    uInternet Settings,ProxyOverride =

    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)

    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouseclick ComboFix's window while it's running. That may cause it to stall.





Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires Java Runtime Environment (JRE) to be installed before scanning for malware, as ActiveX is no longer being used.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Open the Kaspersky WebScanner page.
  • Click on the button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the button, if you made any changes.
  • Now under the Scan section on the left, select My Computer.
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis if needed.

Take a new DDS run afterward and post back with both the DDS and Attach logs in your next reply. Also, let me know how your computer is running and if you have any more problems, issues or symptoms left.

Thanks.

With Regards,
Extremeboy
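The `uInternet Settings,ProxyServer = http=127.0.0.1:5555` line that the CFScript above removes is the setting worth recognising in any DDS/ComboFix log: a proxy pointing at the machine itself means a local process is sitting between the browser and the network. This added example (not code from the thread, ComboFix or DDS) parses that line format together with the firewall-policy entry shown in the log above, flags a loopback proxy and a disabled firewall, and handles the multi-scheme `http=...;https=...` form of ProxyServer as well as the single `host:port` form; the sample excerpt is constructed from the log lines in this thread.

```python
import re

# Constructed excerpt in the format ComboFix prints (values taken from the log above).
SAMPLE_LOG = r"""[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

------- Supplementary Scan -------
.
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
"""

# 'u' = per-user (HKCU) entry, 'm' = machine-wide (HKLM) entry in DDS/ComboFix output.
PROXY_LINE = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(.*)$")
FIREWALL_LINE = re.compile(r'^"EnableFirewall"\s*=\s*(\d+)')
LOOPBACK = re.compile(r"^(127\.\d+\.\d+\.\d+|localhost)$", re.IGNORECASE)


def parse_proxy_servers(value):
    """Split a WinINet ProxyServer value into (scheme, host, port) tuples.
    Accepts 'host:port' (all protocols) and 'http=host:port;https=host:port'."""
    servers = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.rpartition("=")   # scheme is optional
        host, _, port = hostport.rpartition(":")
        servers.append((scheme or "*", host, port))
    return servers


def find_issues(log_text):
    """Return (severity, message) findings for the settings a helper would act on."""
    issues = []
    for line in log_text.splitlines():
        line = line.strip()
        m = PROXY_LINE.match(line)
        if m:
            for scheme, host, port in parse_proxy_servers(m.group(1)):
                if LOOPBACK.match(host):
                    # A proxy on this machine means a local process sits between the
                    # browser and the network: the usual source of the search redirects.
                    issues.append(("high", f"loopback proxy {host}:{port} for {scheme}"))
                else:
                    issues.append(("info", f"proxy {host}:{port} for {scheme}"))
            continue
        m = FIREWALL_LINE.match(line)
        if m and m.group(1) == "0":
            issues.append(("medium", "Windows Firewall disabled in standard profile"))
    return issues
```

Run `find_issues(SAMPLE_LOG)` to see both findings; a log with no ProxyServer line or a corporate proxy on a real host produces only `info` entries or nothing.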

#14 TylerC

TylerC
  • Topic Starter

  • Members
  • 17 posts

Posted 22 May 2010 - 05:57 PM

computer is running better, however the kaspersky log still caught something...i assume this means we're not out of the woods yet?

edit: the internet is definitely running/loading noticeably slower

Attached Files


Edited by TylerC, 22 May 2010 - 06:10 PM.


#15 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 23 May 2010 - 05:30 PM

Kaspersky just detected a quarantine item from Combofix and another file that is related to a program that is not harmful.

The logs look clean to me, is IE slow the only problem you have? I don't see any infections left.

Update your Java however.

Update Java to Version 6 Update 20

Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 20 (JDK or JRE)".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u20-windows-i586.exe to install the newest version.
  • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.




