
Is it a virus?


This topic is locked. 21 replies to this topic.

#16 ezooone (Topic Starter, Members, 268 posts, Male, Penang, Malaysia)

Posted 13 June 2010 - 10:57 PM

Hello again Blade.

OK, I can view the hidden file.

Here are the VirusTotal URLs:

c:\windows\system32\winlogon.exe

http://www.virustotal.com/analisis/92275d71e6bdafd0c6694b0d71893f4ea4d0978e63dcbe5a20a78821b6cb7c9d-1275251707

c:\windows\system32\ctfmon.exe

http://www.virustotal.com/analisis/d6389e630dc7cb5cbccff4174ca6b28083a8e364175fe808d9086a483466de50-1275537363

c:\windows\system32\comctl32.dll

http://www.virustotal.com/analisis/97f9414d23854991cf7277691a931986cf1af1d39ad283ccbdd7af268e74214d-1266551587


ComboFix log:

ComboFix 10-06-10.03 - user 06/14/2010 11:26:28.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1980.1464 [GMT 8:00]
Running from: c:\documents and settings\user\Desktop\renamed.exe
Command switches used :: c:\documents and settings\user\Desktop\CFScript.txt.txt
AV: avast! antivirus 4.8.1335 [VPS 100613-2] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\midimap.dll . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2010-05-14 to 2010-06-14 )))))))))))))))))))))))))))))))
.

2010-06-11 03:02 . 2009-02-05 21:06 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-06-11 03:02 . 2009-02-05 21:06 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-06-11 03:02 . 2009-02-05 21:05 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-06-11 03:02 . 2009-02-05 21:08 93296 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-06-11 03:02 . 2009-02-05 21:08 94032 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-06-11 03:02 . 2009-02-05 21:07 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-06-11 03:02 . 2009-02-05 21:07 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-06-11 03:02 . 2009-02-05 21:04 97480 ----a-w- c:\windows\system32\AvastSS.scr
2010-06-11 03:01 . 2009-02-05 21:11 1256296 ----a-w- c:\windows\system32\aswBoot.exe
2010-06-11 02:47 . 2009-09-04 21:03 58880 -c----w- c:\windows\system32\dllcache\msasn1.dll
2010-06-11 02:47 . 2009-11-27 17:11 17920 -c----w- c:\windows\system32\dllcache\msyuv.dll
2010-06-11 02:47 . 2009-11-27 17:11 1291776 -c----w- c:\windows\system32\dllcache\quartz.dll
2010-06-11 02:47 . 2009-07-17 19:01 58880 -c----w- c:\windows\system32\dllcache\atl.dll
2010-06-02 04:12 . 2007-07-27 15:11 26488 ----a-w- c:\windows\system32\spupdsvc.exe
2010-06-02 03:45 . 2009-10-13 10:30 270336 -c----w- c:\windows\system32\dllcache\oakley.dll
2010-06-02 03:45 . 2009-11-27 16:07 8704 -c----w- c:\windows\system32\dllcache\tsbyuv.dll
2010-06-02 03:45 . 2009-11-27 16:07 28672 -c----w- c:\windows\system32\dllcache\msvidc32.dll
2010-06-02 03:45 . 2009-11-27 16:07 84992 -c----w- c:\windows\system32\dllcache\avifil32.dll
2010-06-02 03:45 . 2009-11-27 16:07 48128 -c----w- c:\windows\system32\dllcache\iyuv_32.dll
2010-06-02 03:45 . 2009-11-27 16:07 11264 -c----w- c:\windows\system32\dllcache\msrle32.dll
2010-06-02 03:44 . 2010-01-29 15:01 691712 -c----w- c:\windows\system32\dllcache\inetcomm.dll
2010-06-02 03:44 . 2009-12-16 18:43 343040 -c----w- c:\windows\system32\dllcache\mspaint.exe
2010-06-02 03:44 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll
2010-06-02 03:44 . 2009-09-11 14:13 136704 -c----w- c:\windows\system32\dllcache\msv1_0.dll
2010-06-02 03:44 . 2009-06-25 08:41 56832 -c----w- c:\windows\system32\dllcache\secur32.dll
2010-06-02 03:44 . 2009-06-25 08:41 54272 -c----w- c:\windows\system32\dllcache\wdigest.dll
2010-06-02 03:44 . 2009-06-25 08:41 147456 -c----w- c:\windows\system32\dllcache\schannel.dll
2010-06-02 03:44 . 2009-06-25 08:41 301568 -c----w- c:\windows\system32\dllcache\kerberos.dll
2010-06-02 03:44 . 2009-06-24 10:28 92928 -c----w- c:\windows\system32\dllcache\ksecdd.sys
2010-06-02 03:43 . 2009-12-31 16:50 353792 -c----w- c:\windows\system32\dllcache\srv.sys
2010-06-02 03:43 . 2010-02-16 14:08 2146304 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-06-02 03:43 . 2010-02-16 13:25 2066816 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-06-02 03:43 . 2010-02-16 13:25 2024448 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-06-02 03:42 . 2010-02-24 13:11 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-06-02 03:41 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-06-02 03:38 . 2009-10-15 16:39 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2010-06-02 03:38 . 2009-10-15 16:39 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2010-06-02 03:38 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-06-02 03:33 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2010-06-02 03:32 . 2009-07-31 04:35 1172480 -c----w- c:\windows\system32\dllcache\msxml3.dll
2010-06-02 03:29 . 2009-08-13 15:16 512000 -c----w- c:\windows\system32\dllcache\jscript.dll
2010-06-02 03:25 . 2009-12-24 06:59 177664 -c----w- c:\windows\system32\dllcache\wintrust.dll
2010-06-02 03:25 . 2010-01-13 14:01 86016 -c----w- c:\windows\system32\dllcache\cabview.dll
2010-06-02 03:23 . 2010-06-02 03:23 -------- d-----w- c:\program files\ESET
2010-06-02 03:09 . 2009-08-06 11:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-06-02 03:03 . 2009-10-12 07:21 100736 ----a-w- c:\windows\system32\drivers\ewusbdev.sys
2010-06-02 03:03 . 2010-06-02 03:08 -------- d-----w- c:\program files\Celcom Broadband Manager
2010-05-20 04:24 . 2010-05-20 04:24 -------- d-----w- c:\program files\Alwil Software
2010-05-20 03:55 . 2010-05-20 03:55 -------- d-----w- c:\documents and settings\user\Application Data\Malwarebytes
2010-05-20 03:55 . 2009-01-14 08:11 15504 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-20 03:55 . 2009-01-14 08:11 38496 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-20 03:55 . 2010-05-20 03:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-20 03:55 . 2010-05-20 03:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-14 02:53 . 2010-03-23 14:04 -------- d-----w- c:\program files\WinFlip
2010-06-11 02:56 . 2010-03-23 14:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-06-08 10:02 . 2010-05-02 12:49 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-11 13:41 . 2010-03-22 20:18 -------- d-----w- c:\program files\Mobile Partner
2010-04-22 04:42 . 2010-03-25 11:04 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-04-22 04:38 . 2010-04-22 04:38 1924976 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2010-04-22 04:21 . 2010-04-22 04:21 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-22 04:16 . 2010-03-27 17:14 -------- d-----w- c:\documents and settings\user\Application Data\CBS Interactive
2010-03-27 06:51 . 2010-03-23 14:07 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-03-23 14:35 . 2010-03-23 14:21 68848 ----a-w- c:\documents and settings\user\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-23 14:19 . 2010-03-23 14:19 0 ----a-w- c:\windows\nsreg.dat
2010-03-23 14:05 . 2010-03-23 14:05 21640 ----a-w- c:\windows\system32\emptyregdb.dat
.

------- Sigcheck -------

[-] 2009-07-16 . 3D1ABDC3009D6B7CA7F9E66769C126CA . 568832 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe

[-] 2009-07-16 . EA032FC150B9C6276C98EB3DED3B75C6 . 652800 . . [5.82] . . c:\windows\system32\comctl32.dll

[-] 2009-07-16 . 8C578971B2F1A27B961A99CE5D2EFD7D . 3378176 . . [6.00.2900.5803] . . c:\windows\system32\mshtml.dll

[-] 2009-07-16 . 99C1ACB1B8F0F2CECC56515E502B5120 . 575488 . . [5.1.2600.5512] . . c:\windows\system32\user32.dll

[-] 2009-07-16 . CC2883E0A1EBBBAAE185D811720C66B3 . 757248 . . [6.00.2900.5803] . . c:\windows\system32\wininet.dll

[-] 2009-07-16 . E382F43EEAB770932F2727B65BD888B4 . 1723904 . . [6.00.2900.5512] . . c:\windows\explorer.exe

[-] 2009-07-16 . CBF5945651C96E471B3A004BBDC36864 . 37376 . . [5.1.2600.5512] . . c:\windows\system32\ctfmon.exe
.
((((((((((((((((((((((((((((( SnapShot@2010-06-11_02.52.25 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-06-14 02:53 . 2010-06-14 02:53 16384 c:\windows\temp\Perflib_Perfdata_690.dat
+ 2008-04-14 14:00 . 2010-06-14 02:58 41238 c:\windows\system32\perfc009.dat
- 2008-04-14 14:00 . 2010-06-11 02:47 41238 c:\windows\system32\perfc009.dat
+ 2008-04-14 03:42 . 2009-11-27 17:11 17920 c:\windows\system32\msyuv.dll
+ 2008-04-14 14:00 . 2009-09-04 21:03 58880 c:\windows\system32\msasn1.dll
+ 2008-04-14 14:00 . 2009-07-17 19:01 58880 c:\windows\system32\atl.dll
- 2008-04-14 14:00 . 2008-04-14 14:00 58880 c:\windows\system32\atl.dll
+ 2010-03-23 14:26 . 2010-06-11 02:56 35088 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
- 2010-03-23 14:26 . 2010-06-02 04:15 35088 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
+ 2010-03-23 14:26 . 2010-06-11 02:56 18704 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
- 2010-03-23 14:26 . 2010-06-02 04:15 18704 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
+ 2010-03-23 14:26 . 2010-06-11 02:56 20240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
- 2010-03-23 14:26 . 2010-06-02 04:15 20240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
+ 2010-06-11 02:47 . 2009-11-27 17:11 17920 c:\windows\Driver Cache\i386\msyuv.dll
+ 2010-06-11 14:22 . 2010-06-11 14:22 2186 c:\windows\SoftwareDistribution\EventCache\{6E90D7BE-2E73-41CF-86E6-25C309BEC126}.bin
- 2008-04-14 14:00 . 2010-06-11 02:47 315076 c:\windows\system32\perfh009.dat
+ 2008-04-14 14:00 . 2010-06-14 02:58 315076 c:\windows\system32\perfh009.dat
- 2010-03-23 14:26 . 2010-06-02 04:15 888080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
+ 2010-03-23 14:26 . 2010-06-11 02:56 888080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
- 2010-03-23 14:26 . 2010-06-02 04:15 272648 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
+ 2010-03-23 14:26 . 2010-06-11 02:56 272648 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
+ 2010-03-23 14:26 . 2010-06-11 02:56 922384 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
- 2010-03-23 14:26 . 2010-06-02 04:15 922384 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
+ 2010-03-23 14:26 . 2010-06-11 02:56 845584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
- 2010-03-23 14:26 . 2010-06-02 04:15 845584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
- 2010-03-23 14:26 . 2010-06-02 04:15 217864 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
+ 2010-03-23 14:26 . 2010-06-11 02:56 217864 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
- 2010-03-23 14:26 . 2010-06-02 04:15 184080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
+ 2010-03-23 14:26 . 2010-06-11 02:56 184080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
+ 2010-03-23 14:26 . 2010-06-11 02:56 159504 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
- 2010-03-23 14:26 . 2010-06-02 04:15 159504 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
+ 2009-07-14 22:17 . 2010-04-08 06:03 2113536 c:\windows\system32\WMVCore.dll
+ 2009-07-16 13:02 . 2009-11-27 17:11 1291776 c:\windows\system32\quartz.dll
+ 2009-05-26 08:53 . 2010-04-08 06:03 2113536 c:\windows\system32\dllcache\WMVCore.dll
+ 2010-05-18 15:35 . 2010-05-18 15:35 5023744 c:\windows\Installer\bfc13.msp
- 2010-03-23 14:26 . 2010-06-02 04:15 1172240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
+ 2010-03-23 14:26 . 2010-06-11 02:56 1172240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
+ 2010-03-23 14:26 . 2010-06-11 02:56 1165584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
- 2010-03-23 14:26 . 2010-06-02 04:15 1165584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UberIcon"="c:\program files\UberIcon\UberIcon Manager.exe" [2007-08-17 159744]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-03-25 134656]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-03-25 166912]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-03-25 136192]
"RTHDCPL"="RTHDCPL.EXE" [2008-04-10 16861184]
"WINFLIP"="c:\program files\WinFlip\WinFlip.exe" [2008-05-21 483328]
"VisualTooltip"="c:\program files\Utilities\VisualTooltip\VisualToolTip.exe" [2007-04-25 956928]
"DriveSpace"="c:\program files\Drive Space Indicator\DrvSpace.exe" [2009-04-18 417761]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"PLFSetI"="c:\windows\PLFSetI.exe" [2007-10-23 200704]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-13 110592]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-21 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-01-14 399504]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"UberIcon"="c:\program files\UberIcon\UberIcon Manager.exe" [2007-08-17 159744]

c:\documents and settings\user\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-27 98632]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoShellSearchButto"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [6/11/2010 11:02 AM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [6/11/2010 11:02 AM 20560]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [5/20/2010 11:55 AM 170640]
R3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [6/2/2010 11:03 AM 100736]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [5/20/2010 11:55 AM 15504]
S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [5/11/2010 9:41 PM 114432]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 8:49 PM 227232]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = hxxp://www.yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\bdlsfim7.default\
FF - prefs.js: browser.startup.homepage - hxxp://start.bramjnet.com/vb/
FF - prefs.js: network.proxy.ftp - :8181
FF - prefs.js: network.proxy.gopher - :8181
FF - prefs.js: network.proxy.http - :8181
FF - prefs.js: network.proxy.socks - :8181
FF - prefs.js: network.proxy.ssl - :8181
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-14 11:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(888)
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\COMRes.dll
c:\windows\system32\cscui.dll

- - - - - - - > 'lsass.exe'(944)
c:\windows\system32\wdigest.dll
c:\windows\system32\setupapi.dll

- - - - - - - > 'explorer.exe'(2752)
c:\windows\system32\SHDOCVW.dll
c:\program files\Utilities\VisualTooltip\VisualTooltip.dll
c:\windows\system32\COMRes.dll
c:\windows\System32\cscui.dll
c:\windows\system32\msi.dll
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\NETSHELL.dll
c:\windows\system32\credui.dll
c:\windows\system32\MSVCP60.dll
.
Completion time: 2010-06-14 11:30:21
ComboFix-quarantined-files.txt 2010-06-14 03:30
ComboFix2.txt 2010-06-11 02:53

Pre-Run: 94,550,945,792 bytes free
Post-Run: 94,533,574,656 bytes free

- - End Of File - - C73B96634224EDA591C09F504176DC70


The laptop is back to normal. However, when I plugged in a pendrive, the laptop won't autoplay anymore. Can we make the laptop autoplay again when I insert a pendrive? Another thing is about the keyboard; I already posted the keyboard problem in the External Hardware topic.


#17 Blade ("Strong in the Bleepforce", Site Admin, 12,735 posts, Male, US)

Posted 15 June 2010 - 08:55 AM

Hello.

QUOTE
However, when I plugged in a pendrive, the laptop won't autoplay anymore. Can we make the laptop autoplay again when I insert a pendrive?


Autorun was disabled by Combofix as a security measure. I would recommend you leave it as such. Many modern malware infections have the capability to spread themselves via pen drives using the Autorun system. Pen drive Autorun is almost universally considered to be a serious security risk. If you really want to enable it. . . please reply letting me know.

~Blade

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!


#18 ezooone (Topic Starter, Members, 268 posts, Male, Penang, Malaysia)

Posted 15 June 2010 - 10:33 AM

If I were her, I'd just let it be. My desktop also ran ComboFix last year, and I'm OK with the changes.

Anyway, this is not my laptop, so I think we should enable autorun again, because the owner of this laptop feels that her laptop is not yet perfect. Hehe.



#19 Blade ("Strong in the Bleepforce", Site Admin, 12,735 posts, Male, US)

Posted 17 June 2010 - 11:19 PM

Hello ezooone.

Let's try this.

For getting the autoplay function back, please do the following -

Copy the text below into a Notepad (Go to Start > Run, type Notepad and hit Enter) document:

CODE
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveAutoRun"=dword:00000149
"NoDriveTypeAutoRun"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveAutoRun"=dword:00000149
"NoDriveTypeAutoRun"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun"=dword:00000001

Note: Make sure there is no blank line before REGEDIT4 and one blank line at the end.

Go to File > Save As. Save the file as "Fix.reg" (including the quotes) and save it to your desktop.

From your desktop...double-click on Fix.reg. When asked if you want to merge the file with the registry, click Yes.

Restart your computer.

~Blade

Edited by Blade Zephon, 17 June 2010 - 11:19 PM.

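The Fix.reg file Blade posted above re-enables AutoRun by zeroing NoDriveTypeAutoRun in both hives, which is exactly the setting ComboFix had hardened. The script below is an added example, not Blade's or ComboFix's code: it parses a REGEDIT4 fragment like the one above and decodes what NoDriveTypeAutoRun and NoDriveAutoRun will do once merged, so whoever owns the machine can see which drive types (removable USB sticks included) AutoRun comes back on, and compares against the 0xFF value Microsoft documents in KB967715 for switching AutoRun off on every drive type. The bit meanings come from that Microsoft documentation; the function and constant names are mine, and the FIX_REG sample is simply the thread's own .reg text embedded as a string.

```python
import re

# NoDriveTypeAutoRun bit mask (Microsoft KB967715): a SET bit disables AutoRun
# for that drive type, so 0x00 enables it everywhere and 0xFF disables it everywhere.
DRIVE_TYPE_BITS = {
    0x01: "unknown drive",
    0x04: "removable (USB stick / floppy)",
    0x08: "fixed disk",
    0x10: "network share",
    0x20: "CD/DVD-ROM",
    0x40: "RAM disk",
    0x80: "unrecognised drive type",
}
DISABLE_ALL = 0xFF  # value KB967715 gives for turning AutoRun off completely

# Constructed sample: the fix posted in this thread, as it would be saved to Fix.reg.
FIX_REG = """REGEDIT4

[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer]
"NoDriveAutoRun"=dword:00000149
"NoDriveTypeAutoRun"=dword:00000000
[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer]
"NoDriveAutoRun"=dword:00000149
"NoDriveTypeAutoRun"=dword:00000000
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Cdrom]
"AutoRun"=dword:00000001
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{8})$')


def parse_reg_dwords(text):
    """Map (key path, value name) -> int for every dword entry in a REGEDIT4 fragment."""
    values = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = _DWORD_RE.match(line)
        if m and key is not None:
            values[(key, m.group(1))] = int(m.group(2), 16)
    return values


def autorun_active_types(no_drive_type_autorun):
    """Drive types on which AutoRun still fires for a given NoDriveTypeAutoRun value."""
    return [name for bit, name in DRIVE_TYPE_BITS.items()
            if not no_drive_type_autorun & bit]


def autorun_blocked_letters(no_drive_autorun):
    """NoDriveAutoRun is a per-letter mask: bit 0 = A:, bit 1 = B:, ... bit 25 = Z:."""
    return [chr(ord("A") + i) for i in range(26) if no_drive_autorun & (1 << i)]


def audit(text):
    """Summarise, per registry key, what merging the fragment does to AutoRun."""
    report = {}
    for (key, name), val in parse_reg_dwords(text).items():
        entry = report.setdefault(key, {})
        if name == "NoDriveTypeAutoRun":
            entry["disables_all"] = val == DISABLE_ALL
            entry["active_on"] = autorun_active_types(val)
        elif name == "NoDriveAutoRun":
            entry["blocked_letters"] = autorun_blocked_letters(val)
        elif name == "AutoRun":  # Cdrom service switch: 1 = CD AutoRun on
            entry["cdrom_service_autorun"] = bool(val)
    return report


if __name__ == "__main__":
    for key, entry in audit(FIX_REG).items():
        print(key)
        for field, value in entry.items():
            print(f"  {field}: {value}")
```

Run against the thread's fix, the report shows NoDriveTypeAutoRun = 0 leaves AutoRun active on all seven drive types, removable media included, while NoDriveAutoRun = 0x149 only blocks drive letters A, D, G and I. Reading the .reg text rather than the live registry keeps the check portable; the same functions can be pointed at `reg export` output from a real machine to confirm whether a hardened value such as 0xFF is still in place.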


#20 ezooone (Topic Starter, Members, 268 posts, Male, Penang, Malaysia)

Posted 20 June 2010 - 11:06 PM

Hi Blade,

Thank you very much; the laptop is back to normal now.

Blade, the training school from BleepingComputer is closed right now. If you know any news about the training in the meantime, please PM me.

Anyway, thanks very much Blade.

#21 Blade ("Strong in the Bleepforce", Site Admin, 12,735 posts, Male, US)

Posted 21 June 2010 - 02:36 AM

Hello.

QUOTE
Blade, the training school from BleepingComputer is closed right now.


There are only a limited number of slots, and they fill up quickly when new ones become available. My advice is to check that link at least once a day.

***************************************************
  • Click on Start>Run
  • Now type combofix /Uninstall in the runbox and click OK. Notice the space between the "x" and "/".
  • You will then receive a message letting you know that ComboFix was uninstalled successfully.
This will remove files/folders associated with ComboFix and uninstall it.

***************************************************

Your machine appears to be clean!

If you disabled emulation drivers earlier, you can re-enable them now if you wish:

To re-enable your Emulation drivers, double click DeFogger to run the tool.
  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

Your Emulation drivers are now re-enabled.

***************************************************

I highly recommend that you read through the below set of very helpful suggestions and implement them; they will help protect you from reinfection.
I recommend you regularly visit the Windows Update Site!
  • Lots of Hacking/Trojans use the methods found (plugged by the updates) that have not been stopped by people not updating.
  • By updating your machine, you have one less headache!
  • Update ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish, you can also use automatic updates. This is a good thing to have if you want to be up-to-date all the time, but can also be a bit of an annoyance due to its handling and the sizes of the updates. If you wish to turn on automatic updates, here is a nice little article about turning on automatic updates.
  • Note that it will download them for you, but you still have to actually click install.
  • If you do not want to have automatic updates turned on, or are on dial-up, you can always download updates separately at: http://windowsupdate.microsoft.com.
It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

For a nice list of freeware programs in all categories, please have a look at this thread with freeware products that are regarded as useful by the users of this forum: Commonly Used Freeware Replacements.

Another recommendation is to download HostsMan. It safeguards you with a regularly updated Hosts file that blocks dangerous sites from opening. This adds another bit of safety while surfing the Internet. For installation and setting up, follow these steps:
  1. Double-click the Downloaded installer and install the tool to a location of your choice
  2. Via the Startmenu, navigate to HostsMan and run the program.
    1. Click "Hosts" in the menu
    2. Click "Manage Updates" in the submenu
    3. Out of the three, select at least one of them (I have MVPS Host as my main one)
    4. Click "Add Update." After that you will only need to click on the following button to retrieve updates:
  3. Click the X to exit the program.
Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet

Glad I was able to help, and if there are any other problems related to your computer, please feel free to post them in the appropriate forum. Though we help people with spyware and viruses here at BC, we also help people with other computer problems! Do not forget to tell your friends about us!

~Blade



#22 Blade ("Strong in the Bleepforce", Site Admin, 12,735 posts, Male, US)

Posted 14 July 2010 - 10:26 AM

Since this issue appears to be resolved ... this Topic has been closed.

~Blade





