Resolved HJT Threads Resolved spyware and popup issues.

 
 
Old 11-15-2008, 09:46 PM   #21 (permalink)
Join Date: Nov 2008
Location: Florida
Posts: 34
OS: win xp home sp2


Re: Programs Restricted/no desktop/Virtumonde

OK, my problem was that I had two folders on my USB drive: one was apparently an older folder and the other contained the newer downloaded copy.

I was inadvertently copying over the older ComboFix.exe.

Now the right one is on the desktop and has processed. During the processing I did have a window pop up saying "Windows is running in safe mode", but the ComboFix script continued seemingly without interruption.

The PC rebooted on its own,
I forced F8 Safemode
Selected Administrator user

Got the regular complete Black screen "Safemode"

CTRL ALT DEL gives me task manager

File Run gpupdate returns desktop, and apparently is allowing ComboFix to finish

Got the Desktop popup window again indicating "Windows is running in Safe Mode, to proceed in safe mode press Yes"

Except I can see & hear that ComboFix is having a buffet of the hard drive, so I figure I will wait until its blue screen in the background indicates it's done before I click Yes to proceed in Safe Mode...

The Log.txt screen has popped up, and my safemode box has disappeared along with my desktop.

I close the Log.txt, press CTRL ALT DEL and run gpupdate, and the desktop returns along with a recurring error box that reads:

/idlist,:428:1356,c:\windows\system32

Windows cannot find /idlist,:428:1356,c:\windows\system32
Make sure you typed ......


ComboFix 08-11-14.01 - Administrator 2008-11-15 23:22:57.2 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1787 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt

FILE ::
c:\windows\SYSTEM32\1112.dat
c:\windows\SYSTEM32\cnmhypvr.dll
c:\windows\system32\Drivers\Otx83.sys
c:\windows\SYSTEM32\ebkp.dll
c:\windows\system32\kcbgtcnu.dll
c:\windows\system32\mlljg.dll
c:\windows\SYSTEM32\oxvqlkrv.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\LiveAntispy
c:\program files\LiveAntispy\LiveAntispy.lic
c:\windows\SYSTEM32\1112.dat
c:\windows\SYSTEM32\cnmhypvr.dll
c:\windows\system32\Drivers\Otx83.sys
c:\windows\SYSTEM32\ebkp.dll
c:\windows\system32\kcbgtcnu.dll
c:\windows\SYSTEM32\oxvqlkrv.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MSISERVER
-------\Service_MSIServer


((((((((((((((((((((((((( Files Created from 2008-10-16 to 2008-11-16 )))))))))))))))))))))))))))))))
.

2008-11-15 21:26 . 2008-11-15 21:27 <DIR> d-------- C:\Old_ComboFix
2008-11-09 23:30 . 2008-11-09 23:30 <DIR> d-------- C:\rsit
2008-11-09 23:26 . 2008-11-09 23:26 <DIR> d-------- c:\program files\Trend Micro
2008-11-08 17:32 . 2008-11-08 17:32 <DIR> d-------- c:\documents and settings\Administrator\Application Data\TrueCrypt
2008-11-08 16:19 . 2008-11-15 21:44 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-08 16:19 . 2008-11-15 21:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-08 15:47 . 2008-11-08 15:47 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-07 22:27 . 2008-11-09 22:54 250 --a------ c:\windows\gmer.ini
2008-11-07 00:23 . 2008-11-07 00:23 <DIR> d-------- c:\program files\CCleaner
2008-11-05 22:41 . 2008-11-05 22:42 <DIR> d-------- c:\windows\ERUNT
2008-11-05 22:35 . 2008-11-07 00:23 <DIR> d-------- C:\SDFix
2008-11-05 22:30 . 2008-11-05 22:30 <DIR> d-------- C:\ClamWinPortable
2008-11-05 22:28 . 2004-08-04 02:56 21,504 --a------ c:\windows\SYSTEM32\hidserv.dll
2008-11-05 22:28 . 2004-08-04 00:58 14,848 --a------ c:\windows\SYSTEM32\DRIVERS\kbdhid.sys
2008-11-05 22:28 . 2001-08-17 13:48 12,160 --a------ c:\windows\SYSTEM32\DRIVERS\mouhid.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-08 21:57 --------- d---a-w c:\program files\Lycos
2008-11-07 05:41 --------- d-----w c:\program files\Canon
2008-11-06 05:27 --------- d-----w c:\documents and settings\All Users\Application Data\mralotun
2001-06-20 20:19 40,960 ----a-w c:\program files\ACMonitor_X83.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Otx83.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Wireless Lan Utility.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Wireless Lan Utility.lnk
backup=c:\windows\pss\Wireless Lan Utility.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyLinkAdvisor]
--a------ 2006-10-30 11:01 392832 c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2005-05-13 23:20 278528 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE2]
--a------ 2003-05-08 10:00 49152 c:\program files\ScanSoft\OmniPageSE2.0\opwareSE2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-05-21 23:12 98304 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 04:25 144784 c:\program files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2004-03-06 03:47 151597 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
--a------ 2003-06-02 06:00 122880 c:\windows\BCMSMMSG.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

S0 Otx83;Otx83;c:\windows\system32\Drivers\Otx83.sys []
S2 BulkUsb;Genesys Logic USB Scanner Controller NT 5.0;c:\windows\system32\Drivers\usbscan.sys [2005-07-28 15104]
S2 IOPort;IOPort;\??\c:\windows\System32\DRIVERS\IOPORT.SYS [1998-11-27 6144]
S2 lxdc_device;lxdc_device;c:\windows\System32\lxdccoms.exe -service []
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2007-01-24 24652]
S3 ADM8211;Wireless PC Card;c:\windows\system32\DRIVERS\WLANPCI.sys [2004-06-10 86656]
S3 TTUQNRGA;TTUQNRGA;c:\docume~1\ADMINI~1\LOCALS~1\Temp\TTUQNRGA.exe []
S3 WLANNDIS5;WLANNDIS5 NDIS Protocol Driver;\??\c:\progra~1\WIRELE~1\WLANNDIS5.SYS [2004-06-10 15872]
.
- - - - ORPHANS REMOVED - - - -

BHO-{A3799CB4-CC4D-4367-AEF0-307D6EF89F7F} - c:\windows\system32\mlljg.dll
BHO-{b4c0d877-5bfc-4dae-b3ab-a80cb4af5d77} - c:\windows\system32\kcbgtcnu.dll
MSConfigStartUp-00d971c8 - c:\windows\system32\cnmhypvr.dll
MSConfigStartUp-BM03ea4254 - c:\windows\system32\oxvqlkrv.dll



**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-15 23:31:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-15 23:36:07 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-16 04:36:04
ComboFix2.txt 2008-11-10 03:39:36

Pre-Run: 63,227,719,680 bytes free
Post-Run: 63,219,433,472 bytes free

bajanknight is offline  
Old 11-15-2008, 10:01 PM   #22 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,580
OS: WinXP and Vista


Re: Programs Restricted/no desktop/Virtumonde

It would have been best not to force ComboFix's reboot back into Safe Mode. Have you tried booting into Normal Mode yet?
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 11-15-2008, 10:07 PM   #23 (permalink)
Re: Programs Restricted/no desktop/Virtumonde

All previous attempts to boot into Normal Mode under the computer's normal user ID have resulted in the desktop wallpaper showing with no icons or Start/Taskbar. Nor would CTRL ALT DEL allow me into Task Manager.
I would have to cycle the power to get out of it.

This may not be the case now?

How would you like me to proceed?
bajanknight is offline  
Old 11-15-2008, 10:11 PM   #24 (permalink)
Re: Programs Restricted/no desktop/Virtumonde

Please boot to Normal Mode and let me know what happens.
Ried is offline  
Old 11-15-2008, 10:16 PM   #25 (permalink)
Re: Programs Restricted/no desktop/Virtumonde

Restart
Selected User
loading personal settings....
I can see the desktop wallpaper but nothing else.
No action on Windows Key
When Ctrl Alt Del, I get:

Task Manager
Task Manager has been disabled by your administrator.
[OK]
bajanknight is offline  
Old 11-15-2008, 10:19 PM   #26 (permalink)
Re: Programs Restricted/no desktop/Virtumonde

I see you have SDFix onboard. Boot into Safe Mode and run SDFix again.

Allow it to reboot into Normal Mode. If all is well, run dds.scr and post the info.txt along with the C:\SDFix\Report.txt



If Normal Mode is still messed up, reboot into Safe Mode and run dds.scr and post the info.txt along with the Report.txt from SDFix.

Last edited by Ried; 11-15-2008 at 10:20 PM.
Ried is offline  
Old 11-15-2008, 10:30 PM   #27 (permalink)
Re: Programs Restricted/no desktop/Virtumonde

SDFix Executable does not exist on the desktop, although its folder is on the c: drive.

Shall I copy the SDFix.EXE over to the desktop again and double click?

**Never mind**, I didn't read far enough into the instructions for the tool. Clicking on the runthis.bat file.

Will reply when it's done.

Last edited by bajanknight; 11-15-2008 at 10:49 PM.
bajanknight is offline  
Old 11-15-2008, 10:51 PM   #28 (permalink)
Re: Programs Restricted/no desktop/Virtumonde

It shouldn't take longer than 30 minutes to complete. I'll still be around. : )
Ried is offline  
Old 11-15-2008, 11:16 PM   #29 (permalink)
Re: Programs Restricted/no desktop/Virtumonde

Rebooting into normal user mode...
Have Wallpaper but nothing else,
Windows key inactive
Task Manager disabled by administrator.

Rebooting into Safe mode,
Run gpupdate to get Desktop
SDFIX is finishing...

running dds.scr
Posting DDS.TXT (not info.txt; that's RSIT).


DDS (Version 1.0) - NTFSx86 MINIMAL
Run by Administrator at 1:01:48.15 on Sun 11/16/2008
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.1789 [GMT -5:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Psuedo HJT Report ===============

uStart Page = hxxp://www.dell4me.com/myway
mSearch Bar =
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
TB: {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - c:\program files\canon\easy-webprint\Toolband.dll
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\npjpi160_05.dll
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
TCP: {777B9D40-F35A-471A-A863-F6E7B3FC9751} = 208.67.220.220,208.67.222.222
TCP: {861BEBB0-E147-491F-B363-309EEC201B53} = 208.67.220.220,208.67.222.222
TCP: {9F1519AE-0148-44FB-9E19-8D4A8112F5C6} = 208.67.220.220,208.67.222.222
Handler: ebk - {1E411CE8-FE8B-4973-B8E0-6EA2CC3C6B06} -
SSODL: UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - c:\windows\system32\upnpui.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

S0 Otx83;Otx83;c:\windows\system32\drivers\Otx83.sys
S2 BulkUsb;Genesys Logic USB Scanner Controller NT 5.0;c:\windows\system32\drivers\usbscan.sys
S2 IOPort;IOPort;\??\c:\windows\system32\drivers\IOPORT.SYS
S2 lxdc_device;lxdc_device;c:\windows\system32\lxdccoms.exe -service
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\ViewpointService.exe"
S3 ADM8211;Wireless PC Card;c:\windows\system32\drivers\WLANPCI.sys
S3 TTUQNRGA;TTUQNRGA;c:\docume~1\admini~1\locals~1\temp\TTUQNRGA.exe
S3 WLANNDIS5;WLANNDIS5 NDIS Protocol Driver;\??\c:\progra~1\wirele~1\WLANNDIS5.SYS

=============== Created Last 30 ================

2008-11-15 23:22 161,792 a------- c:\windows\SWREG.exe
2008-11-15 23:22 98,816 a------- c:\windows\sed.exe
2008-11-15 23:22 <DIR> --d----- C:\ComboFix
2008-11-15 21:26 <DIR> --d----- C:\Old_ComboFix
2008-11-09 23:26 <DIR> --d----- c:\program files\Trend Micro
2008-11-09 22:26 <DIR> a-dshr-- C:\cmdcons
2008-11-08 17:32 <DIR> --d----- c:\docume~1\admini~1\applic~1\TrueCrypt
2008-11-08 16:19 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2008-11-08 16:19 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2008-11-08 15:47 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2008-11-07 22:27 250 a------- c:\windows\gmer.ini
2008-11-07 01:28 <DIR> --d----- c:\windows\pss
2008-11-07 00:23 <DIR> --d----- c:\program files\CCleaner
2008-11-05 22:41 <DIR> --d----- c:\windows\ERUNT
2008-11-05 22:35 <DIR> --d----- C:\SDFix
2008-11-05 22:30 <DIR> --d----- C:\ClamWinPortable
2008-11-05 22:28 14,848 a------- c:\windows\system32\drivers\kbdhid.sys
2008-11-05 22:28 21,504 a------- c:\windows\system32\hidserv.dll
2008-11-05 22:28 12,160 a------- c:\windows\system32\drivers\mouhid.sys

==================== Find3M ====================

2008-11-08 16:57 <DIR> a-d----- c:\program files\Lycos
2008-11-07 00:41 <DIR> --d----- c:\program files\Canon
2008-11-06 00:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\mralotun
2007-02-15 22:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Broderbund
2007-01-24 16:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Viewpoint
2006-07-23 17:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SSScanWizard
2006-07-23 17:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SSScanAppDataDir
2005-12-25 19:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\McAfee.com
2005-09-13 20:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Dell
2004-06-12 13:56 <DIR> --d----- c:\docume~1\admini~1\applic~1\Jasc Software Inc
2004-03-06 03:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SBSI

============= FINISH: 1:02:01.01 ===============

Posting Report.txt


SDFix: Version 1.240
Run by Administrator on Sun 11/16/2008 at 12:48 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-16 00:57:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :



Files with Hidden Attributes :

Fri 29 Feb 2008 1,240,622 ..SH. --- "C:\WINDOWS\SYSTEM32\logxhcco.tmp"
Wed 14 Feb 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Tue 5 Feb 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Thu 15 May 2003 43,008 ...H. --- "C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe"
Tue 22 Jan 2008 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"
Tue 22 Jan 2008 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp"

Finished!
bajanknight is offline  
Old 11-15-2008, 11:38 PM   #30 (permalink)
Re: Programs Restricted/no desktop/Virtumonde

I'd really like to see a scan from Normal Mode. Since you at least have the Start button, see if you can launch explorer.exe from there.

Click Start>Run and copy/paste the following into the Run box and click OK:

C:\Windows\explorer.exe


If that was successful, run a new scan with dds.scr and post the new dds.txt

If the Run command is not working either, please navigate to C:\Qoobox\ and post the contents of the ComboFix-quarantined-files.txt
Ried is offline  
Old 11-15-2008, 11:53 PM   #31 (permalink)
Re: Programs Restricted/no desktop/Virtumonde

I don't have the Start button when attempting to boot into Normal Mode. I have nothing except wallpaper and a dialog box that pops up when I press CTRL ALT DEL that says Task Manager has been disabled by the administrator.

2002-08-29 06:00:00 A------- 4,096 C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\1112.dat.vir
2003-01-30 13:52:48 A------- 12,073 C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\FAD.sys.vir
2004-03-12 17:34:17 A------- 10 C:\Qoobox\Quarantine\C\WINDOWS\smdat32m.sys.vir
2004-03-12 18:05:22 A------- 2,314,017 C:\Qoobox\Quarantine\C\Program Files\Altnet\My Altnet Shares\Bullguard Protection\plugins.cab.cab.vir
2004-03-12 20:25:17 A------- 1,024 C:\Qoobox\Quarantine\C\Program Files\MyWay\myBar\History\search.vir
2004-03-12 20:26:08 A------- 57,203 C:\Qoobox\Quarantine\C\Program Files\MyWay\myBar\Settings\prevcfg.htm.vir
2004-03-13 11:40:50 A------- 2,314,957 C:\Qoobox\Quarantine\C\Program Files\Altnet\My Altnet Shares\Bullguard Protection\plugins.cab.vir
2004-03-14 12:33:26 A------- 79,754 C:\Qoobox\Quarantine\C\Program Files\Altnet\My Altnet Shares\Bullguard Protection\cevakrnl.xmd.cab.vir
2004-03-14 12:34:21 A------- 307 C:\Qoobox\Quarantine\C\Program Files\Altnet\My Altnet Shares\Bullguard Protection\cran.cvd.cab.vir
2004-03-14 12:35:13 A------- 70,406 C:\Qoobox\Quarantine\C\Program Files\Altnet\My Altnet Shares\Bullguard Protection\emalware.ivd.cab.vir
2004-03-14 12:36:05 A------- 147 C:\Qoobox\Quarantine\C\Program Files\Altnet\My Altnet Shares\Bullguard Protection\update.txt.cab.vir
2004-03-15 17:27:03 A------- 14,578 C:\Qoobox\Quarantine\C\Program Files\Altnet\My Altnet Shares\Bullguard Protection\cevakrnl.ivd.cab.vir
2004-03-15 17:27:28 A------- 79,528 C:\Qoobox\Quarantine\C\Program Files\Altnet\My Altnet Shares\Bullguard Protection\cevakrnl.rvd.cab.vir
2004-03-17 13:02:30 A------- 80,595 C:\Qoobox\Quarantine\C\Program Files\Altnet\My Altnet Shares\Bullguard Protection\cevakrnl.cab.vir
2004-03-17 13:08:11 A------- 76,170 C:\Qoobox\Quarantine\C\Program Files\Altnet\My Altnet Shares\Bullguard Protection\emalware.cab.vir
2004-03-17 13:08:47 A------- 1,817 C:\Qoobox\Quarantine\C\Program Files\Altnet\My Altnet Shares\Bullguard Protection\java.cvd.cab.vir
2004-03-17 13:08:54 A------- 30,681 C:\Qoobox\Quarantine\C\Program Files\Altnet\My Altnet Shares\Bullguard Protection\sdx.ivd.cab.vir
2004-03-17 13:09:32 A------- 147 C:\Qoobox\Quarantine\C\Program Files\Altnet\My Altnet Shares\Bullguard Protection\update.cab.vir
2004-03-20 21:11:03 A------- 1,769 C:\Qoobox\Quarantine\C\Program Files\Altnet\My Altnet Shares\Bullguard Protection\java.cab.vir
2004-03-20 21:11:39 A------- 30,461 C:\Qoobox\Quarantine\C\Program Files\Altnet\My Altnet Shares\Bullguard Protection\sdx.cab.vir
2004-03-26 18:03:41 A------- 15,709 C:\Qoobox\Quarantine\C\Program Files\Altnet\My Altnet Shares\Bullguard Protection\zip.xmd.cab.vir
2004-03-29 17:34:50 A------- 1,564 C:\Qoobox\Quarantine\C\Program Files\Altnet\My Altnet Shares\Bullguard Protection\mbox.xmd.cab.vir
2004-03-29 17:34:56 A------- 21,958 C:\Qoobox\Quarantine\C\Program Files\Altnet\My Altnet Shares\Bullguard Protection\mdx_97.ivd.cab.vir
2004-03-30 19:23:15 A------- 16,334 C:\Qoobox\Quarantine\C\Program Files\Altnet\My Altnet Shares\Bullguard Protection\cran.cab.vir
2004-03-30 19:25:54 A------- 3,907 C:\Qoobox\Quarantine\C\Program Files\Altnet\My Altnet Shares\Bullguard Protection\iso.xmd.cab.vir
2004-03-31 21:30:12 A------- 77,525 C:\Qoobox\Quarantine\C\Program Files\Altnet\My Altnet Shares\Bullguard Protection\ve.xmd.cab.vir
2004-04-02 22:23:23 A------- 22,290 C:\Qoobox\Quarantine\C\Program Files\Altnet\My Altnet Shares\Bullguard Protection\mdx_97.cab.vir
2004-04-05 20:14:41 A------- 77,595 C:\Qoobox\Quarantine\C\Program Files\Altnet\My Altnet Shares\Bullguard Protection\ve.cab.vir
2004-04-05 20:15:57 A------- 15,343 C:\Qoobox\Quarantine\C\Program Files\Altnet\My Altnet Shares\Bullguard Protection\zip.cab.vir
2004-04-06 10:59:46 A------- 6,273 C:\Qoobox\Quarantine\C\Program Files\Altnet\My Altnet Shares\Bullguard Protection\mime.xmd.cab.vir
2004-04-06 11:01:11 A------- 4,799 C:\Qoobox\Quarantine\C\Program Files\Altnet\My Altnet Shares\Bullguard Protection\ve.cvd.cab.vir
2004-04-12 17:07:16 A------- 6,347 C:\Qoobox\Quarantine\C\Program Files\Altnet\My Altnet Shares\Bullguard Protection\mime.cab.vir
2004-04-14 17:15:33 A------- 611,349 C:\Qoobox\Quarantine\C\Program Files\Altnet\My Altnet Shares\Bullguard Protection\emalware.cvd.cab.vir
2004-04-14 17:20:37 A------- 57,546 C:\Qoobox\Quarantine\C\Program Files\Altnet\My Altnet Shares\Bullguard Protection\mdx_w95.cvd.cab.vir
2004-04-14 17:20:57 A------- 8,732 C:\Qoobox\Quarantine\C\Program Files\Altnet\My Altnet Shares\Bullguard Protection\mdx_x95.cvd.cab.vir
2004-04-16 16:08:23 A------- 704 C:\Qoobox\Quarantine\C\Program Files\Altnet\My Altnet Shares\Bullguard Protection\rup.cvd.cab.vir
2004-04-16 16:08:37 A------- 66,158 C:\Qoobox\Quarantine\C\Program Files\Altnet\My Altnet Shares\Bullguard Protection\unpack.cvd.cab.vir
2004-04-20 18:57:41 A------- 66,140 C:\Qoobox\Quarantine\C\Program Files\Altnet\My Altnet Shares\Bullguard Protection\unpack.cab.vir
2004-04-20 18:58:30 A------- 45,661 C:\Qoobox\Quarantine\C\Program Files\Altnet\My Altnet Shares\Bullguard Protection\unpack.ivd.cab.vir
2004-04-22 10:48:39 A------- 1,390 C:\Qoobox\Quarantine\C\Program Files\Altnet\My Altnet Shares\Bullguard Protection\dbx.xmd.cab.vir
2004-04-28 15:02:47 A------- 6,418 C:\Qoobox\Quarantine\C\Program Files\Altnet\My Altnet Shares\Bullguard Protection\cran.xmd.cab.vir
2004-04-28 15:04:36 A------- 713 C:\Qoobox\Quarantine\C\Program Files\Altnet\My Altnet Shares\Bullguard Protection\rup.cab.vir
2004-04-29 16:27:08 A------- 12,131 C:\Qoobox\Quarantine\C\Program Files\Altnet\My Altnet Shares\Bullguard Protection\pdf.xmd.cab.vir
2004-05-19 17:01:25 A------- 5,370 C:\Qoobox\Quarantine\C\Program Files\Altnet\My Altnet Shares\Bullguard Protection\pst.xmd.cab.vir
2004-05-20 20:33:40 A------- 10,319 C:\Qoobox\Quarantine\C\Program Files\Altnet\My Altnet Shares\Bullguard Protection\sfx.xmd.cab.vir
2004-06-12 20:24:49 A------- 3,484 C:\Qoobox\Quarantine\C\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Tvm.log.vir
2004-09-29 16:35:15 A------- 18 C:\Qoobox\Quarantine\C\Program Files\MyWay\myBar\Settings\settings.dat.vir
2004-09-29 16:35:15 A------- 56 C:\Qoobox\Quarantine\C\Program Files\MyWay\myBar\Settings\settings.htm.vir
2005-12-25 20:29:48 A------- 62,464 C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\bszip.dll.vir
2006-03-23 00:00:38 A------- 25,088 C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\ebkp.dll.vir
2008-01-01 23:00:22 A------- 86,016 C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\__c008AF55.dat.vir
2008-01-07 22:40:00 A------- 1,391 C:\Qoobox\Quarantine\C\xcrashdump.dat.vir
2008-01-10 20:39:13 A------- 86,016 C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\__c001E284.dat.vir
2008-01-20 17:01:07 A------- 86,016 C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\__c00C322B.dat.vir
2008-01-22 19:34:36 A------- 86,016 C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\__c0048819.dat.vir
2008-01-24 19:34:18 A------- 86,016 C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\__c00C1414.dat.vir
2008-02-04 22:28:03 A------- 86,016 C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\__c007FDDE.dat.vir
2008-02-05 12:21:09 A------- 6,041 C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\gjllm.ini.vir
2008-02-05 12:21:10 A------- 6,041 C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\gjllm.ini2.vir
2008-02-14 20:25:58 A------- 86,016 C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\__c00EEB10.dat.vir
2008-02-17 20:20:13 A------- 143 C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\mcrh.tmp.vir
2008-02-19 22:23:18 A------- 1,244,643 C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\pdtcigyt.ini.vir
2008-02-20 22:26:23 A------- 1,254,899 C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\mqqmctmd.ini.vir

I also have some ClamWin Virus logs that I ran before finding TSF; it did detect and remove some viruses. Let me know if you would like to see them.
Old 11-15-2008, 11:57 PM   #32 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,580
OS: WinXP and Vista


Re: Programs Restricted/no desktop/Virtumonde

Quick question before I give the next set of instructions...

Does Windows load properly into Normal Mode from the Administrator acct?
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 11-16-2008, 12:02 AM   #33 (permalink)
I helped the forums.
 
 
Join Date: Nov 2008
Location: Florida
Posts: 34
OS: win xp home sp2


Re: Programs Restricted/no desktop/Virtumonde

The accounts I have to choose from in Safemode are Administrator and Steph

The accounts I have to choose from in Normal mode are Steph and Guest

The normal mode user is Steph, who I would have to assume has admin rights under normal mode.

I don't think I have tried Safemode user Steph.

Windows does not load normally under Steph
Old 11-16-2008, 12:03 AM   #34 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,580
OS: WinXP and Vista


Re: Programs Restricted/no desktop/Virtumonde

Steph is the acct that will not load, correct?
Old 11-16-2008, 12:04 AM   #35 (permalink)
I helped the forums.
 
 
Join Date: Nov 2008
Location: Florida
Posts: 34
OS: win xp home sp2


Re: Programs Restricted/no desktop/Virtumonde

Correct

I should say that attempting to sign into Steph under normal mode does not give me any control.
Only Desktop wallpaper
Taskmanager disabled

Last edited by bajanknight; 11-16-2008 at 12:07 AM.
Old 11-16-2008, 12:10 AM   #36 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,580
OS: WinXP and Vista


Re: Programs Restricted/no desktop/Virtumonde

Ok, this is what I'd like you to do.

Move or copy ComboFix.exe from the desktop of the Administrator account that you've been running it from, directly to the C: drive.

Next, still from the Administrator acct, click Start>Run and copy/paste the following text in the quote box below, into the Run box and click OK:

Quote:
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v CF /t REG_SZ /d c:\combofix.exe /f


You may see a quick flash of a black box. That is normal.

Now, reboot the system, but boot into Steph's acct. ComboFix should begin to run automatically on that account.

Post the C:\ComboFix.txt
Old 11-16-2008, 12:29 AM   #37 (permalink)
I helped the forums.
 
 
Join Date: Nov 2008
Location: Florida
Posts: 34
OS: win xp home sp2


Re: Programs Restricted/no desktop/Virtumonde

I will assume you meant to attempt to reboot into Normal mode Steph.

After running the Reg change I tried to reboot into Normal mode Steph.

I could not detect Combofix running, nor did I have any more control than previous.

The Combofix.txt header confirms that the last time it ran was from the desktop, so we didn't get a fresh log on c:.

Is there a way to verify that the runonce reg string has actually been added?

regedit works in safemode administrator

------

Or should I try to boot to Safemode Steph?
Old 11-16-2008, 12:37 AM   #38 (permalink)
I helped the forums.
 
 
Join Date: Nov 2008
Location: Florida
Posts: 34
OS: win xp home sp2


Re: Programs Restricted/no desktop/Virtumonde

I see the entry in regedit still, so it got placed, just didn't execute.
Old 11-16-2008, 12:43 AM   #39 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,580
OS: WinXP and Vista


Re: Programs Restricted/no desktop/Virtumonde

Thanks. Please ensure the ComboFix.exe on the C: drive is indeed ComboFix.exe and not a shortcut to Combofix.exe. If it has that little arrow on the icon--it's a shortcut and won't run. The most accurate way to get it to C: from the desktop is to right click it, select 'Send To'>My Documents. Then, from My Documents, single click ComboFix.exe and on the panel to your left, click 'Move' and select C: from that dialog box.

If ComboFix.exe is on C: drive (and not a shortcut), rename ComboFix.exe to ComboFxx.exe and try again.

**edit**

If you rename ComboFix, you'll have to run the reg command again. Replace the combofix.exe portion with combofxx.exe like this:

Quote:
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v CF /t REG_SZ /d c:\combofxx.exe /f

Last edited by Ried; 11-16-2008 at 12:47 AM.
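To make Ried's two instructions above (stage ComboFix at the root of C: under a RunOnce value, then confirm the file is a real executable and that the renamed value actually took) checkable from one Run box, here is an added batch script; it is not from the thread and not ComboFix's own code. It assumes the renamed copy sits at C:\combofxx.exe and uses the value name CF from the posts, and it goes slightly beyond the posts by adding two read-only registry reads for the symptoms reported later in the thread (Task Manager disabled, userinit.exe flashing at logon).

```batch
@echo off
rem Added example (not from the thread): register a renamed ComboFix copy
rem under RunOnce for the next logon and verify each step instead of
rem assuming it worked. Run it from the Administrator account in Safe Mode.
rem ASSUMPTION: the real executable was already moved to C:\combofxx.exe.
setlocal
set "TARGET=C:\combofxx.exe"
set "KEY=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"

rem 1. What sits at C:\ must be the program itself, not a desktop shortcut.
rem    Dragging from the desktop often leaves a .lnk, which RunOnce cannot start.
if exist "%TARGET%.lnk" (
    echo %TARGET%.lnk is a shortcut; move the real executable instead.
    exit /b 1
)
if not exist "%TARGET%" (
    echo %TARGET% not found; move it to C:\ first.
    exit /b 1
)

rem 2. Write the RunOnce value (same command Ried gives, with the renamed file).
reg add "%KEY%" /v CF /t REG_SZ /d "%TARGET%" /f >nul
if errorlevel 1 (
    echo reg add failed; this needs an administrative account.
    exit /b 1
)

rem 3. Answer "is there a way to verify the RunOnce string was added?":
rem    read the value back and require it to contain the expected path.
reg query "%KEY%" /v CF | findstr /i /c:"%TARGET%" >nul
if errorlevel 1 (
    echo RunOnce value CF is missing or wrong; check it in regedit.
    exit /b 1
)
echo RunOnce value CF is set to %TARGET%.

rem 4. Read-only checks for the symptoms mentioned in the thread.
rem    DisableTaskMgr lives in the *logged-on* user's hive (HKCU); from the
rem    Administrator account this shows Administrator's setting, not Steph's.
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr 2>nul
rem    Userinit is machine-wide; on a clean XP it reads
rem    C:\WINDOWS\system32\userinit.exe, (trailing comma included).
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit
endlocal
```

A RunOnce value is deleted by Windows once it fires, so if CF is still present in regedit after rebooting into the affected account, that logon never reached the point where RunOnce entries are processed, which matches the "placed, just didn't execute" observation in the thread.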
Old 11-16-2008, 01:18 AM   #40 (permalink)
I helped the forums.
 
 
Join Date: Nov 2008
Location: Florida
Posts: 34
OS: win xp home sp2


Re: Programs Restricted/no desktop/Virtumonde

I cut and pasted, and double checked c: and it is the executable on the c: drive.

I changed it to combofxx and updated the reg command, and verified it took in the registry.

Rebooted, and still didn't make a difference.
Still no new ComboFix.txt

I tried rebooting to safemode Steph instead of Admin and I see a box come up and disappear very fast. I think it said c:\windows\system32\userinit.exe.

Taskmanager is still disabled
 


Copyright 2001 - 2009, Tech Support Forum