
Thread: Virtumonde

  1. #11
    Junior Member
    Join Date
    Jul 2008
    Posts
    9

    Getting Better

    Phil,

    My PC is running much better. Thank you for your help. I eagerly await your instructions. It is not exhibiting any unusual behavior. Below are the Malwarebytes log and HijackThis log.

    Malwarebytes' Anti-Malware 1.20
    Database version: 960
    Windows 5.1.2600 Service Pack 2

    11:03:04 PM 2008-07-16
    mbam-log-7-16-2008 (23-03-04).txt

    Scan type: Full Scan (C:\|D:\|J:\|L:\|)
    Objects scanned: 166892
    Time elapsed: 1 hour(s), 48 minute(s), 33 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 3
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 1
    Files Infected: 21

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhc91vj0ec51 (Rogue.Multiple) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\rhc91vj0ec51 (Rogue.Multiple) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\downloader.downloaderctrl.1 (Adware.2020search) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008 (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.

    Files Infected:
    C:\QooBox\Quarantine\C\WINDOWS\system32\cxhniwwj.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\QooBox\Quarantine\C\WINDOWS\system32\dfyyaqwy.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\QooBox\Quarantine\C\WINDOWS\system32\eexvuaqc.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\QooBox\Quarantine\C\WINDOWS\system32\iivsnv.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\QooBox\Quarantine\C\WINDOWS\system32\ncmyuc.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\QooBox\Quarantine\C\WINDOWS\system32\phefgseb.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\QooBox\Quarantine\C\WINDOWS\system32\pmnlkiiG.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\QooBox\Quarantine\C\WINDOWS\system32\stssaurp.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\QooBox\Quarantine\C\WINDOWS\system32\sukizd.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\QooBox\Quarantine\C\WINDOWS\system32\vvoofq.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\QooBox\Quarantine\C\WINDOWS\system32\wjpdibli.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\QooBox\Quarantine\C\WINDOWS\system32\wrftft.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\QooBox\Quarantine\C\WINDOWS\system32\wvbfjbuq.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008.lnk (Rogue.AntivirusXP) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Gayle.OFFICEVAIO\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Garron\Application Data\msadcx43.dll (Trojan.Agent) -> Quarantined and deleted successfully.


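As an added example (not part of this thread, and not Malwarebytes' own tooling), here is a small Python parser for the MBAM log layout posted above. It checks the header totals against the item lines actually listed, groups detections by family, and separates out hits whose path points into ComboFix's own quarantine folder (C:\QooBox\Quarantine, with the .vir suffix ComboFix adds), which are already-neutralised copies rather than live files. The sample log is a constructed excerpt in the same layout, and the function names are my own.

```python
import re
from collections import Counter

# Constructed excerpt in the layout of the Malwarebytes' Anti-Malware 1.20 log
# posted above: header totals first, then one section per category holding either
# "(No malicious items detected)" or one "<path> (<detection>) -> <action>." line per hit.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.20
Database version: 960
Windows 5.1.2600 Service Pack 2

Memory Processes Infected: 0
Registry Keys Infected: 2
Folders Infected: 1
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\rhc91vj0ec51 (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\downloader.downloaderctrl.1 (Adware.2020search) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008 (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.

Files Infected:
C:\QooBox\Quarantine\C\WINDOWS\system32\cxhniwwj.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\sukizd.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Garron\Application Data\msadcx43.dll (Trojan.Agent) -> Quarantined and deleted successfully.
"""

SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Split an MBAM log into its header totals and the listed items.

    Returns (summary, items): summary maps section name -> claimed count;
    items is a list of dicts with section, path, detection and action."""
    summary, items, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group("section")] = int(m.group("count"))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        if section is None or line.startswith("(No malicious items"):
            continue
        m = ITEM_RE.match(line)
        if m:
            items.append({"section": section, **m.groupdict()})
    return summary, items


def verify_counts(summary, items):
    """Header total vs. number of item lines actually listed, per section.
    A mismatch means the log was truncated or edited before it was posted."""
    listed = Counter(item["section"] for item in items)
    return {sec: (claimed, listed.get(sec, 0)) for sec, claimed in summary.items()}


def detections_by_family(items):
    """Count hits by the family prefix of the detection name (Trojan.Vundo -> Trojan)."""
    return Counter(item["detection"].split(".", 1)[0] for item in items)


def quarantine_residue(items):
    """Paths already sitting in ComboFix's quarantine folder (QooBox, *.vir suffix)."""
    # Such hits are neutralised copies left behind by an earlier tool, not live
    # infections; they inflate "Files Infected" without indicating an active problem.
    return [i["path"] for i in items
            if "\\qoobox\\quarantine\\" in i["path"].lower() or i["path"].lower().endswith(".vir")]


def report(text):
    """One-shot summary a helper could read back: totals check, families, residue, live hits."""
    summary, items = parse_mbam_log(text)
    residue = set(quarantine_residue(items))
    return {
        "counts": verify_counts(summary, items),
        "families": dict(detections_by_family(items)),
        "quarantine_residue": sorted(residue),
        "live_hits": [i["path"] for i in items if i["path"] not in residue],
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_LOG).items():
        print(key, value)
```

Run against the full log in the post, the residue list would hold the thirteen Trojan.Vundo entries under C:\QooBox\Quarantine, leaving the rogue "Antivirus XP 2008" shortcuts, the two registry keys and msadcx43.dll as the hits that actually touched the live system.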
  2. #12
    Junior Member
    Join Date
    Jul 2008
    Posts
    9


    Quote Originally Posted by pskelley:

    Navigate here:
    C:\WINDOWS\system32\eqwiiysn.tmp <<< delete that file
    C:\WINDOWS\system32\eqwiiysn.ini <<< delete that file
    You may need to unhide files and folders?
    http://www.xtra.co.nz/help/0,,4155-1916458,00.html

    Phil,
    After unhiding system files I couldn't find these files to delete them.

    Thanks,

    Garron

  3. #13
    pskelley (In Memoriam: Always in our heart)
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247


    After unhiding system files I couldn't find these files to delete them.
    OK, let's see if combofix can delete those for us:

    Open notepad and copy/paste the text in the codebox below into it:

    Code:
    File::
    C:\WINDOWS\system32\eqwiiysn.tmp
    C:\WINDOWS\system32\eqwiiysn.ini
    Save this as CFScript



    Referring to the picture above, drag CFScript into ComboFix.exe.

    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  4. #14
    Junior Member
    Join Date
    Jul 2008
    Posts
    9

    Combofix log

    ComboFix 08-07-14.2 - Garron 2008-07-18 4:39:22.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.932 [GMT -4:00]
    Running from: C:\Documents and Settings\Garron\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Garron\Desktop\cfscript.txt

    FILE ::
    C:\WINDOWS\system32\eqwiiysn.ini
    C:\WINDOWS\system32\eqwiiysn.tmp
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\eqwiiysn.ini
    C:\WINDOWS\system32\eqwiiysn.tmp

    .
    ((((((((((((((((((((((((( Files Created from 2008-06-18 to 2008-07-18 )))))))))))))))))))))))))))))))
    .

    2008-07-17 07:43 . 2008-07-17 07:59 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
    2008-07-17 00:32 . 2008-07-17 00:32 <DIR> d-------- C:\WINDOWS\LastGood
    2008-07-16 20:59 . 2008-07-16 20:59 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-07-16 20:59 . 2008-07-16 20:59 <DIR> d-------- C:\Documents and Settings\Garron\Application Data\Malwarebytes
    2008-07-16 20:59 . 2008-07-16 20:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-07-16 20:59 . 2008-07-07 17:35 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
    2008-07-16 20:59 . 2008-07-07 17:35 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-07-12 21:11 . 2008-07-12 21:11 <DIR> d-------- C:\temp\PendMove
    2008-07-12 17:57 . 2008-07-12 20:42 <DIR> d-------- C:\Program Files\Process Explorer
    2008-07-12 17:22 . 2008-07-12 17:23 <DIR> d-------- C:\temp\ListDLLS
    2008-07-12 17:22 . 2008-07-12 17:22 <DIR> d-------- C:\New Folder
    2008-07-10 20:52 . 2008-07-10 20:52 <DIR> d-------- C:\Program Files\Trend Micro
    2008-07-10 18:30 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
    2008-07-09 20:05 . 2008-07-09 20:06 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-07-09 20:05 . 2008-07-10 00:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-07-07 22:10 . 2003-08-15 15:36 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\MSN6
    2008-07-07 22:10 . 2003-08-15 22:03 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AdobeUM
    2008-07-07 22:10 . 2008-07-07 22:10 <DIR> d-------- C:\Documents and Settings\Administrator
    2008-07-07 22:02 . 2008-07-07 22:11 <DIR> d-------- C:\SDAT
    2008-07-07 21:43 . 2008-07-07 21:36 53,689,558 --a------ C:\sdat5333.exe
    2008-07-07 21:01 . 2008-07-07 21:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Citrix
    2008-07-07 20:35 . 2008-07-07 20:35 61,224 --a------ C:\Documents and Settings\Gayle.OFFICEVAIO\GoToAssistDownloadHelper.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-07-18 08:33 --------- d-----w C:\Documents and Settings\Garron\Application Data\SiteAdvisor
    2008-07-17 00:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\EPSON
    2008-07-17 00:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
    2008-07-16 11:09 --------- d-----w C:\Documents and Settings\Garron\Application Data\U3
    2008-07-16 03:13 --------- d-----w C:\Documents and Settings\Garron\Application Data\GoodSync
    2008-07-10 22:31 --------- d-----w C:\Program Files\Java
    2008-07-01 19:50 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-07-01 19:50 --------- d-----w C:\Program Files\Quicken
    2008-06-27 22:15 --------- d-----w C:\Program Files\Common Files\Adobe
    2008-06-27 22:13 --------- d-----w C:\Documents and Settings\Garron\Application Data\AdobeUM
    2008-06-27 19:04 --------- d-----w C:\Program Files\McAfee
    2008-06-27 17:43 --------- d-----w C:\Program Files\Common Files\McAfee
    2008-06-16 02:34 86,048 -c--a-w C:\Documents and Settings\Garron\Application Data\GDIPFONTCACHEV1.DAT
    2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
    2008-06-08 01:57 --------- d-----w C:\Program Files\Siber Systems
    2008-06-05 22:17 86,048 -c--a-w C:\Documents and Settings\Gayle.OFFICEVAIO\Application Data\GDIPFONTCACHEV1.DAT
    2008-05-20 13:07 --------- d-----w C:\Documents and Settings\Garron\Application Data\Juniper Networks
    2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
    2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
    2008-02-29 01:46 64,920 -c--a-w C:\Documents and Settings\Kids.OFFICEVAIO\Application Data\GDIPFONTCACHEV1.DAT
    2008-02-08 19:05 8 --sh--r C:\WINDOWS\system32\8439840EA6.sys
    2008-02-08 19:05 11,270 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
    .

    ((((((((((((((((((((((((((((( snapshot@2008-07-16_ 8.07.22.40 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-07-16 11:34:01 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    + 2008-07-18 07:33:09 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    - 2008-07-16 11:34:01 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2008-07-18 07:33:09 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2007-10-11 18:12:48 1,468,968 ----a-w C:\WINDOWS\system32\LegitCheckControl.dll
    + 2008-03-20 22:06:36 1,480,232 ----a-w C:\WINDOWS\system32\LegitCheckControl.dll
    - 2008-03-09 17:06:20 53,436 ----a-w C:\WINDOWS\system32\perfc009.dat
    + 2008-07-16 11:57:32 53,436 ----a-w C:\WINDOWS\system32\perfc009.dat
    - 2008-03-09 17:06:20 381,692 ----a-w C:\WINDOWS\system32\perfh009.dat
    + 2008-07-16 11:57:33 381,692 ----a-w C:\WINDOWS\system32\perfh009.dat
    - 2008-07-16 11:52:18 16,384 --sha-w C:\WINDOWS\Temp\Cookies\index.dat
    + 2008-07-17 03:44:52 16,384 --sha-w C:\WINDOWS\Temp\Cookies\index.dat
    - 2008-07-16 11:52:18 16,384 --sha-w C:\WINDOWS\Temp\History\History.IE5\index.dat
    + 2008-07-17 03:44:52 16,384 --sha-w C:\WINDOWS\Temp\History\History.IE5\index.dat
    + 2008-07-17 03:45:12 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_200.dat
    + 2008-07-17 04:13:53 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_6a0.dat
    + 2008-07-17 03:44:56 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_ae4.dat
    - 2008-07-16 11:52:18 32,768 --sha-w C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\index.dat
    + 2008-07-17 03:44:52 32,768 --sha-w C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\index.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-02 16:52 68856]
    "ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 04:40 218032]
    "Orb"="C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe" [2007-12-17 21:02 471040]
    "RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2007-06-08 08:46 160832]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-07-16 14:22 4743168]
    "ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [2002-08-20 13:29 40960]
    "ZTgServerSwitch"="c:\program files\support.com\client\bin\tgcmd.exe" [2003-06-23 20:32 1409024]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-07-06 16:01 335872]
    "IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-04-07 03:19 155648]
    "HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-07 03:07 114688]
    "VAIO Recovery"="C:\Windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 01:08 28672]
    "vdrdpup"="C:\WINDOWS\System32\vdrdpup.dll" [2004-05-26 08:46 71680]
    "FD_SAP"="C:\WINDOWS\System32\Drivers\SAP\FD.exe" [2005-01-23 16:07 202240]
    "ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-09-11 04:40 218032]
    "ShopSafe"="C:\Program Files\ShopSafe\ShopSafe.exe" [2006-06-13 13:15 208896]
    "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 04:40 86960]
    "SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [2005-09-27 06:59 81920]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-24 03:24 282624]
    "IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2006-07-07 19:15 600896]
    "AVFX Engine"="C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe" [2006-06-09 01:11 24576]
    "ArcSoft Connection Service"="C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2007-12-12 10:11 72192]
    "CanonSolutionMenu"="C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-14 21:01 644696]
    "CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-03 21:50 1603152]
    "WrtMon.exe"="C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 08:35 20480]
    "itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2007-08-31 12:13 988584]
    "mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 19:12 582992]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
    "nwiz"="nwiz.exe" [2003-07-16 14:22 323584 C:\WINDOWS\system32\nwiz.exe]
    "ATIModeChange"="Ati2mdxx.exe" [2001-09-04 19:24 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
    "AGRSMMSG"="AGRSMMSG.exe" [2004-07-22 14:38 88361 C:\WINDOWS\AGRSMMSG.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2008-02-25 21:23 443968]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2004-08-04 03:56 53760 C:\WINDOWS\system32\narrator.exe]

    C:\Documents and Settings\Gayle.OFFICEVAIO\Start Menu\Programs\Startup\
    D-Link DSM320 Media Server.lnk - C:\Program Files\D-Link Media Server\MediaGUI.exe [2004-09-16 17:05:54 692224]
    PowerReg Scheduler.exe [2006-09-14 14:11:48 256000]

    C:\Documents and Settings\Garron\Start Menu\Programs\Startup\
    D-Link Media Server.lnk - C:\Program Files\D-Link Media Server\MediaGUI.exe [2004-09-16 17:05:54 692224]
    HotSync Manager.lnk - C:\Program Files\Palm\HOTSYNC.EXE [2004-06-09 15:27:34 471040]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]
    Dataviz Messenger.lnk - C:\WINDOWS\DvzCommon\DvzMsgr.exe [2003-07-01 22:16:46 24576]
    Event Reminder.lnk - C:\Program Files\Broderbund\PrintMaster\PMremind.exe [2004-02-23 22:08:01 442368]
    HOTSYNCSHORTCUTNAME.lnk - C:\Program Files\Palm\Hotsync.exe [2004-06-09 15:27:34 471040]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]
    Remocon Driver.lnk - C:\Program Files\sony\usbsircs\usbsircs.exe [2003-12-28 09:21:02 208896]
    Timer Recording Manager.lnk - C:\Program Files\Sony\giga pocket\ReserveModule.exe [2003-12-28 09:21:12 262144]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.dvsd"= C:\PROGRA~1\COMMON~1\SONYSH~1\VideoLib\sonydv.dll
    "MSACM.CEGSM"= mobilev.acm

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=

    R2 ACDaemon;ArcSoft Connect Daemon;C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [2007-12-12 10:11]
    R2 VAIOMediaDBSyncService;VAIO Media DB Sync Service;C:\Program Files\Sony\VAIO Media Integrated Server\GPDBWatcher.exe [2006-02-20 19:33]
    S3 RIOUNIV;Rio universal USB driver;C:\WINDOWS\system32\Drivers\RIOUNIV.sys [2005-01-13 23:48]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\L]
    \Shell\AutoRun\command - L:\LaunchU3.exe -a

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7d29eec3-6c94-11d9-8d9f-000c6ed5ce6c}]
    \Shell\AutoRun\command - PortableRoboForm.exe
    \Shell\Pass2Go\command - PortableRoboForm.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e2d91ae0-3379-11db-8fba-000c6ed5ce6c}]
    \Shell\AutoRun\command - G:\LaunchU3.exe -a

    *Newly Created Service* - CATCHME
    .
    Contents of the 'Scheduled Tasks' folder
    "2008-07-15 05:05:54 C:\WINDOWS\Tasks\McDefragTask.job"
    - c:\program files\mcafee\mqc\QcConsol.exe'
    "2008-02-23 18:22:00 C:\WINDOWS\Tasks\McQcTask.job"
    - c:\program files\mcafee\mqc\QcConsol.exe.8206 0
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-07-18 04:41:42
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    **************************************************************************
    .
    Completion time: 2008-07-18 4:45:16
    ComboFix-quarantined-files.txt 2008-07-18 08:44:12
    ComboFix2.txt 2008-07-16 12:08:09

    Pre-Run: 259,551,232 bytes free
    Post-Run: 241,758,208 bytes free

    189 --- E O F --- 2008-06-27 17:51:44
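
As an added example (not part of this thread, and not ComboFix's own code), here is a Python reader for the "Reg Loading Points" section of the ComboFix log above. It parses the three value shapes that section uses (string values with a trailing [date time size] stamp, dword values, and the "= 0 (0x0)" form), lists the Run-key autostarts, and flags the protection settings the log shows in a weakened state: Security Center AV notifications off, Security Center monitoring off for the McAfee products, and the Windows Firewall standard profile disabled. The sample is a constructed excerpt in the log's layout, and the function names are my own.

```python
import re

# Constructed excerpt in the layout of the "Reg Loading Points" section of the
# ComboFix log posted above (keys in brackets, values in REGEDIT4 style).
SAMPLE_REG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-02 16:52 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2003-07-16 14:22 323584 C:\WINDOWS\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
STR_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"(?: \[(?P<meta>[^\]]*)\])?$')
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<value>[0-9a-fA-F]{8})$')
NUM_RE = re.compile(r'^"(?P<name>[^"]+)"= ?(?P<value>\d+) \((?P<hex>0x[0-9a-fA-F]+)\)$')


def parse_loading_points(text):
    """Return {registry key: {value name: value}}; dword and numeric values become ints."""
    entries, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            entries.setdefault(key, {})
            continue
        if key is None:
            continue
        m = STR_RE.match(line)
        if m:
            entries[key][m.group("name")] = m.group("value")
            continue
        m = DWORD_RE.match(line)
        if m:
            entries[key][m.group("name")] = int(m.group("value"), 16)
            continue
        m = NUM_RE.match(line)
        if m:
            entries[key][m.group("name")] = int(m.group("value"))
    return entries


def run_entries(entries):
    """All autostart programs under Run keys, as (key, value name, command)."""
    return [(key, name, cmd) for key, vals in entries.items()
            if key.lower().endswith("\\run") for name, cmd in vals.items()]


def audit_protection(entries):
    """Protection settings in a weakened state, as (description, registry key)."""
    findings = []
    for key, values in entries.items():
        k = key.lower()
        if k.endswith("\\security center") and values.get("AntiVirusDisableNotify") == 1:
            findings.append(("Security Center AV notifications disabled", key))
        if "\\security center\\monitoring\\" in k and values.get("DisableMonitoring") == 1:
            product = key.rsplit("\\", 1)[-1]
            findings.append(("Security Center monitoring disabled for " + product, key))
        if k.endswith("\\firewallpolicy\\standardprofile") and values.get("EnableFirewall") == 0:
            findings.append(("Windows Firewall disabled (standard profile)", key))
    return findings


if __name__ == "__main__":
    parsed = parse_loading_points(SAMPLE_REG)
    for key, name, cmd in run_entries(parsed):
        print("autostart:", name, "->", cmd)
    for description, key in audit_protection(parsed):
        print("check:", description, "at", key)
```

The findings are prompts to confirm, not proof of tampering: a third-party suite such as the McAfee products in this log routinely sets DisableMonitoring for itself so that Security Center does not double-report, and a suite firewall may be the reason the Windows one is off. What a helper wants from the list is a quick check that each weakened setting is explained by software the owner knowingly installed.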

  5. #15
    pskelley (In Memoriam: Always in our heart)
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247


    If you are not having malware problems, proceed like this.

    Remove combofix from your computer:
    Click START then RUN
    Now type or copy Combofix /u in the runbox and click OK.
    Note the space between the X and the U; it needs to be there.



    Clean infected System Restore files:
    Turn off System Restore.
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.

    Reboot

    Turn ON System Restore:
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    UN-Check *Turn off System Restore*.
    Click Apply, and then click OK.

    Give MBAM another run to make sure we got it all, no need to post a clean scan.

    Some good information for you:
    http://users.telenet.be/bluepatchy/m...wcomputer.html
    http://www.microsoft.com/windowsxp/u...s/mcgill1.mspx

    Here is some great information from experts in this field that will help you stay clean and safe online.
    http://users.telenet.be/bluepatchy/m...revention.html
    http://forums.spybot.info/showthread.php?t=279
    http://russelltexas.com/malware/allclear.htm
    http://forum.malwareremoval.com/viewtopic.php?t=14
    http://www.bleepingcomputer.com/forums/topict2520.html
    http://cybercoyote.org/security/not-admin.shtml

    http://www.malwarecomplaints.info/

    Thanks...pskelley
    Safer Networking Forums
    http://www.spybot.info/en/donate/index.html
    If you are reading this information...thank a teacher,
    If you are reading it in English...thank a soldier.

  6. #16
    Junior Member
    Join Date
    Jul 2008
    Posts
    9

    Thanks

    Malwarebytes came back clean. Thank you very much. You have provided a tremendous service to me and my family. Thanks again.
