
Thread: Virtumonde-New Thread-As Per request

  1. #51
    Member

    pciide.sys.vir

    The command line
    copy /y c:\qoobox\quarantine\c\windows\system32\drivers\pciide.sys.vir c:\windows\system32\drivers\pciide.sys
    did not run.

    Message says...
    "Windows cannot find 'copy'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button and then click Search."

    Should there be a ":" after the "c" between quarantine\ & \windows?

  2. #52
    Security Expert: Emeritus Blade81

    No, those paths are correct. Input these commands first to make sure you're in c:\windows\system32:
    c:
    cd\windows\system32
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  3. #53
    Member

    Sorry

    Sorry! My mistake... I did not first enter and run the "cmd.exe" to get to the dos type prompt.

    When I tried again, I now come to the Black dos screen prompt...

    X:\I386\system32>__ (Is the "X:\" because we're booted from the CD?)

    Should I still type...
    c:
    cd windows\system32
    And Then the command line: copy /y...

  4. #54
    Security Expert: Emeritus Blade81

    The command should be runnable from that location too.

  5. #55
    Member

    Ok

    I just ran the command from c:\windows\system32
    1 file copied!

    Shutting down now to try normal restart...

  6. #56
    Member

    Restart

    Removed CD and shut down then back on...

    Black screen with start mode options... I chose Normal

    Windows started ... long welcome screen... then desktop and icons displayed...

    Then two popup warnings...
    TITLE BAR: RUNDLL
    Error loading c:\windows\system32\diahema.dll
    The specified module cannot be found.
    OK

    and...
    TITLE BAR: RUNDLL
    Error loading kodatewe.dll
    The specified module cannot be found.
    OK


    Normal tray icons appeared but...
    AVG Tray Icon has an Exclamation Point (maybe because updates not current?)

    plus a Red Shield with balloon that says...
    "Your computer might be at risk"
    No firewall is turned on
    AVG Anti-Virus Free is turned off
    Click this balloon to fix this problem


    Please Note: The machine is not connected to the network or internet

    I have not clicked on either of the PopUps or the Balloon
    Tom

  7. #57
    Security Expert: Emeritus Blade81

    Hi,

    That sounds normal since we're not finished cleaning yet. The main thing is that the system booted now.

    Please run dds and post its log.

  8. #58
    Member

    Run DDS

    Before running DDS,
    Should I first click the OK on the two RUNDLL popups?
    And should I click the Red Shield Balloon re the firewall warning?
    PLMK
    Tom

  9. #59
    Security Expert: Emeritus Blade81

    You can close those two popups but ignore firewall related thing for now.

  10. #60
    Member

    new DDS log

    Hi Blade,
    Here is the new DDS log... DDS.txt
    PLMK if you want me to post (or attach) the DDS_Attach.txt ???
    Tom


    DDS (Ver_09-10-26.01) - NTFSx86
    Run by Tom McNeal at 2:41:07.46 on Wed 11/25/2009
    Internet Explorer: 7.0.5730.11
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.766.305 [GMT -6:00]

    AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Documents and Settings\Tom McNeal\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.aol.com/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    mSearchAssistant = hxxp://www.google.com/ie
    uURLSearchHooks: H - No File
    uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
    mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: {107563d4-6b90-4055-8501-45cbeb7af0a6} - tevaziva.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
    BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
    TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    uRun: [kfqcaekj] c:\documents and settings\tom mcneal\local settings\application data\ogolyy\lwyesysguard.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [BCMSMMSG] BCMSMMSG.exe
    mRun: [AdaptecDirectCD] c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe
    mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb08.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [HP Software Update] c:\program files\hewlett-packard\hp software update\HPWuSchd.exe
    mRun: [DeviceDiscovery] c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
    mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
    mRun: [kfqcaekj] c:\documents and settings\tom mcneal\local settings\application data\ogolyy\lwyesysguard.exe
    mRun: [11220814] c:\documents and settings\all users\application data\11220814\11220814.exe
    mRun: [jepedonug] Rundll32.exe "c:\windows\system32\diyahema.dll",a
    mRun: [jokimuruha] Rundll32.exe "kodatewe.dll",s
    dRunOnce: [RunNarrator] Narrator.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\lumixs~1.lnk - c:\program files\panasonic\lumixsimpleviewer\PhLeAutoRun.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    Trusted Zone: turbotax.com
    DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
    DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
    DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} - hxxp://protect.microsoft.com/security/protect/wsa/shared/CAB/x86/msSecAdv.cab?1107516386875
    DPF: {55027008-315F-4F45-BBC3-8BE119764741} - hxxp://www.slide.com/uploader/SlideImageUploader.cab
    DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1107516561703
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1230150512703
    DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: {9CA51FD6-A243-4FAF-BC05-EEE2DEFC690E} = 77.74.48.113
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
    Notify: avgrsstarter - avgrsstx.dll
    Notify: igfxcui - igfxsrvc.dll
    SSODL: vuzuwuhif - {68c2902b-c16e-4e9d-a2a2-7c9d461276fa} - c:\windows\system32\dukiyuzu.dll
    SSODL: jumikuwif - {c1359f34-13f0-48d6-8f95-31a84938bde4} - c:\windows\system32\diyahema.dll
    STS: kupuhivus: {68c2902b-c16e-4e9d-a2a2-7c9d461276fa} - c:\windows\system32\dukiyuzu.dll
    STS: kupuhivus: {c1359f34-13f0-48d6-8f95-31a84938bde4} - c:\windows\system32\diyahema.dll
    LSA: Notification Packages = scecli cPRASO.dll kodatewe.dll lofiketo.dll

    ============= SERVICES / DRIVERS ===============

    R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-7-9 327688]
    R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-7-9 298776]
    S2 gupdate1c9e522adc4ffec;Google Update Service (gupdate1c9e522adc4ffec);c:\program files\google\update\GoogleUpdate.exe [2009-6-4 133104]
    S2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
    S2 JEPPDRIVE;Smart Modular JeppDrive USB Driver;c:\windows\system32\drivers\jeppd.sys --> c:\windows\system32\drivers\JeppD.sys [?]

    =============== Created Last 30 ================

    2009-11-25 02:06:09 3328 ----a-w- c:\windows\system32\drivers\pciide.sys
    2009-11-20 22:30:16 187776 ----a-w- c:\windows\system32\drivers\ACPI_2.sys
    2009-11-20 22:24:05 50176 ----a-w- c:\windows\system32\proquota.exe
    2009-11-20 22:24:05 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
    2009-11-20 22:02:13 0 d-sha-r- C:\cmdcons
    2009-11-20 21:54:56 98816 ----a-w- c:\windows\sed.exe
    2009-11-20 21:54:56 77312 ----a-w- c:\windows\MBR.exe
    2009-11-20 21:54:56 260608 ----a-w- c:\windows\PEV.exe
    2009-11-20 21:54:56 161792 ----a-w- c:\windows\SWREG.exe
    2009-11-20 21:54:19 0 d-s---w- C:\ComboFix
    2009-11-17 21:29:33 1209915 --sh--w- c:\windows\system32\savohofu.exe
    2009-11-11 21:00:25 0 d-----w- c:\program files\Trend Micro
    2009-11-10 19:27:54 6456 ---ha-w- c:\windows\system32\virasuza
    2009-11-10 06:45:05 95 ----a-w- c:\windows\wininit.ini
    2009-11-10 02:58:33 52736 ----a-w- C:\luobk.exe
    2009-11-10 02:58:20 0 --sha-w- C:\15226409
    2009-11-06 19:00:51 0 d-----w- C:\spoolerlogs
    2009-11-05 16:01:25 0 d-----w- c:\program files\NZ Software

    ==================== Find3M ====================

    2009-10-21 04:08:54 3598336 ----a-w- c:\windows\system32\dllcache\mshtml.dll
    2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
    2009-09-11 14:18:39 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
    2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
    2009-09-04 21:03:36 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
    2009-08-28 10:28:59 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe
    2009-08-28 10:28:59 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
    2008-12-25 09:07:50 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008122520081226\index.dat

    ============= FINISH: 2:43:23.35 ===============
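Added example (not code from this thread, from DDS or from its author): a small Python triage that reads the Run, SSODL and LSA lines of a DDS "Pseudo HJT Report" such as the one above and shows why the two RUNDLL popups appear after the cleanup steps: the autorun entries still point at diyahema.dll and kodatewe.dll although the files are no longer present. The sample lines are copied from the log, and the set of files assumed to remain on disk is a constructed stand-in.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in DDS "Pseudo HJT Report" format; the entries are copied from the log above.
SAMPLE_DDS = r"""mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [jepedonug] Rundll32.exe "c:\windows\system32\diyahema.dll",a
mRun: [jokimuruha] Rundll32.exe "kodatewe.dll",s
uRun: [kfqcaekj] c:\documents and settings\tom mcneal\local settings\application data\ogolyy\lwyesysguard.exe
SSODL: jumikuwif - {c1359f34-13f0-48d6-8f95-31a84938bde4} - c:\windows\system32\diyahema.dll
LSA: Notification Packages = scecli cPRASO.dll kodatewe.dll lofiketo.dll
"""

# Constructed stand-in for what is still on disk after cleanup: the named DLLs were removed,
# the AVG tray program, the Windows-default scecli package and the guard exe remain.
PRESENT_ON_DISK = {"avgtray.exe", "scecli", "lwyesysguard.exe"}

RUN_RE = re.compile(r'^([um]Run): \[([^\]]+)\] (.*)$')
SSODL_RE = re.compile(r'^SSODL: (\S+) - \{[^}]+\} - (.*)$')
LSA_RE = re.compile(r'^LSA: Notification Packages = (.*)$')
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?([^",]+)', re.IGNORECASE)
IMAGE_RE = re.compile(r'^"?(.+?\.(?:exe|scr|dll))', re.IGNORECASE)

def parse_dds_autoruns(text):
    """Return (kind, name, module) tuples for the Run, SSODL and LSA lines of a DDS report."""
    entries = []
    for line in text.splitlines():
        if m := RUN_RE.match(line):
            kind, name, value = m.groups()
            # For a Rundll32 entry the module that gets loaded is the quoted DLL, not rundll32.
            target = RUNDLL_RE.match(value) or IMAGE_RE.match(value)
            entries.append((kind, name, target.group(1) if target else value))
        elif m := SSODL_RE.match(line):
            entries.append(("SSODL", m.group(1), m.group(2)))
        elif m := LSA_RE.match(line):
            entries.extend(("LSA", pkg, pkg) for pkg in m.group(1).split())
    return entries

def assess(entries, present):
    """Map 'kind:name' to the reasons an entry deserves a look; clean entries are omitted."""
    findings = {}
    for kind, name, module in entries:
        base = PureWindowsPath(module).name.lower()
        flags = []
        if base not in present:
            flags.append("module missing")           # source of the RUNDLL "cannot be found" popups
        if kind != "LSA" and "\\" not in module:
            flags.append("bare filename")            # located via search order, not a fixed path
        if "\\application data\\" in module.lower():
            flags.append("per-user data dir")        # unusual location for a startup program
        if kind == "LSA" and base != "scecli":
            flags.append("non-default LSA package")  # loaded into lsass, sees password changes
        if flags:
            findings[f"{kind}:{name}"] = flags
    return findings
```

Running `assess(parse_dds_autoruns(SAMPLE_DDS), PRESENT_ON_DISK)` leaves the AVG tray entry and scecli unflagged and marks the jepedonug, jokimuruha and SSODL entries as "module missing", which is exactly what the two RUNDLL popups report.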
