Resolved HJT Threads Resolved spyware and popup issues.

 
 
Old 11-16-2008, 06:19 AM   #41 (permalink)
Ried
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,580
OS: WinXP and Vista

Re: Programs Restricted/no desktop/Virtumonde

Hi bajanknight,

From the Admin acct, ensure resident AV and any protective programs are disabled.

Open notepad and copy/paste the text in the code box below into it:

Quote:

Fcopy::
c:\windows\SYSTEM32\DLLCACHE\userinit.exe | c:\windows\SYSTEM32\userinit.exe

Driver::
Otx83
TTUQNRGA

Registry::

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Otx83.sys]

Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt. Please post that log for review.


Will Safe Mode load up under Steph acct?
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 11-16-2008, 11:49 AM   #42 (permalink)
bajanknight
Join Date: Nov 2008
Location: Florida
Posts: 34
OS: win xp home sp2

Re: Programs Restricted/no desktop/Virtumonde

The processes which show running in Safemode-Admin taskmanager are:

taskmgr.exe
svchost.exe
svchost.exe
svchost.exe
isass.exe
services.exe
winlogon.exe
csrss.exe
smss.exe
System
System Idle Process SYSTEM

After the gpupdate command and the "Windows can't find /idlist" popup,
explorer.exe is added to the above active processes.


I moved the Combofi xx.exe back to the desktop (executable) as you are instructing me to drag instead of using commands to start it.

Before I forget, should I move ComboFi xx.exe back onto c: before a reboot? As the runonce entry is probably still in the reg.

Combofix begins runs and I see a brief window that indicates
windows cannot find combofix...

then it disappears …
then I prompt Yes for 'Terms'
Combofix continues its process and I then get a “Windows is running in safemode” popup.

Combofix is rebooting itself, do I force into Safemode-Steph or let it try to go into Normal-Steph

Well, it's on the Normal Mode login screen now, what should I do?


On your last post I think you were asking if I was previously able to gain control under Safemode-Steph … and the answer was no. Same response as Normal-Steph with the exception of no wallpaper.
Old 11-16-2008, 12:53 PM   #43 (permalink)
bajanknight

Re: Programs Restricted/no desktop/Virtumonde

I assumed I should try Normal-Steph.

Preparing log report
“Do not run any programs until combofix has finished”
RUNDLL
Error loading C:\Windows\System32 something dll

We have Normal-Steph wallpaper, desktop icons, lower Start/Taskbar, system tray!!!
"Your computer might be at risk" warning from an application in the system tray that might be McAfee.
Combofix is still running so we won't try to stop anything.

Log below:

ComboFix 08-11-14.01 - Administrator 2008-11-16 13:38:06.3 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1803 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFxx.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\SYSTEM32\DLLCACHE\userinit.exe --> c:\windows\SYSTEM32\userinit.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_OTX83
-------\Legacy_TTUQNRGA
-------\Service_Otx83
-------\Service_TTUQNRGA


((((((((((((((((((((((((( Files Created from 2008-10-16 to 2008-11-16 )))))))))))))))))))))))))))))))
.

2008-11-16 14:29 . 1980-08-16 19:00 35,840 --a------ c:\windows\SYSTEM32\__c00387E4.dat
2008-11-16 14:29 . 1980-08-16 19:00 22,291 --a------ c:\windows\SYSTEM32\__c0024348.dat
2008-11-15 23:22 . 2008-11-15 23:36 <DIR> d-------- C:\ComboFix
2008-11-15 21:26 . 2008-11-15 21:27 <DIR> d-------- C:\Old_ComboFix
2008-11-09 23:30 . 2008-11-09 23:30 <DIR> d-------- C:\rsit
2008-11-09 23:26 . 2008-11-09 23:26 <DIR> d-------- c:\program files\Trend Micro
2008-11-08 17:32 . 2008-11-08 17:32 <DIR> d-------- c:\documents and settings\Administrator\Application Data\TrueCrypt
2008-11-08 16:19 . 2008-11-15 21:44 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-08 16:19 . 2008-11-15 21:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-08 15:47 . 2008-11-08 15:47 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-07 22:27 . 2008-11-09 22:54 250 --a------ c:\windows\gmer.ini
2008-11-07 00:23 . 2008-11-07 00:23 <DIR> d-------- c:\program files\CCleaner
2008-11-05 22:41 . 2008-11-05 22:42 <DIR> d-------- c:\windows\ERUNT
2008-11-05 22:35 . 2008-11-16 01:00 <DIR> d-------- C:\SDFix
2008-11-05 22:30 . 2008-11-05 22:30 <DIR> d-------- C:\ClamWinPortable
2008-11-05 22:28 . 2004-08-04 02:56 21,504 --a------ c:\windows\SYSTEM32\hidserv.dll
2008-11-05 22:28 . 2004-08-04 00:58 14,848 --a------ c:\windows\SYSTEM32\DRIVERS\kbdhid.sys
2008-11-05 22:28 . 2001-08-17 13:48 12,160 --a------ c:\windows\SYSTEM32\DRIVERS\mouhid.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-08 21:57 --------- d---a-w c:\program files\Lycos
2008-11-07 05:41 --------- d-----w c:\program files\Canon
2008-11-06 05:27 --------- d-----w c:\documents and settings\All Users\Application Data\mralotun
2008-04-26 12:55 8,704 ----a-w c:\documents and settings\ME!\cftmon.exe
2001-06-20 20:19 40,960 ----a-w c:\program files\ACMonitor_X83.exe
.

((((((((((((((((((((((((((((( snapshot@2008-11-09_22.38.53.85 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-11-06 04:54:51 753,664 ----a-w c:\windows\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-11-16 05:45:32 3,567,616 ----a-w c:\windows\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
- 2008-11-06 04:54:51 8,192 ----a-w c:\windows\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-11-16 05:45:32 8,192 ----a-w c:\windows\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 1980-08-17 00:00:00 22,291 ----a-w c:\windows\SYSTEM32\__c0024348.dat
+ 1980-08-17 00:00:00 35,840 ----a-w c:\windows\SYSTEM32\__c00387E4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2006-10-30 392832]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c0024348]
1980-08-16 19:00 22291 c:\windows\SYSTEM32\__c0024348.dat

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00387E4]
1980-08-16 19:00 35840 c:\windows\SYSTEM32\__c00387E4.dat

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Wireless Lan Utility.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Wireless Lan Utility.lnk
backup=c:\windows\pss\Wireless Lan Utility.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyLinkAdvisor]
--a------ 2006-10-30 11:01 392832 c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2005-05-13 23:20 278528 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE2]
--a------ 2003-05-08 10:00 49152 c:\program files\ScanSoft\OmniPageSE2.0\opwareSE2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-05-21 23:12 98304 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 04:25 144784 c:\program files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2004-03-06 03:47 151597 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
--a------ 2003-06-02 06:00 122880 c:\windows\BCMSMMSG.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R2 IOPort;IOPort;\??\c:\windows\System32\DRIVERS\IOPORT.SYS [1998-11-27 6144]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2007-01-24 24652]
R3 ADM8211;Wireless PC Card;c:\windows\system32\DRIVERS\WLANPCI.sys [2004-06-10 86656]
S2 BulkUsb;Genesys Logic USB Scanner Controller NT 5.0;c:\windows\system32\Drivers\usbscan.sys [2005-07-28 15104]
S2 lxdc_device;lxdc_device;c:\windows\System32\lxdccoms.exe -service []
S3 WLANNDIS5;WLANNDIS5 NDIS Protocol Driver;\??\c:\progra~1\WIRELE~1\WLANNDIS5.SYS [2004-06-10 15872]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{07AA283A-43D7-4CBE-A064-32A21112D94D} - (no file)
HKCU-Run-A00FF81BBF.exe - c:\docume~1\ME!\LOCALS~1\Temp\_A00FF81BBF.exe
HKCU-Run-A00F1DABB4.exe - c:\docume~1\ME!\LOCALS~1\Temp\_A00F1DABB4.exe
HKCU-Run-LiveAntispy - c:\program files\LiveAntispy\LiveAntispy.exe
HKCU-Run-BM03ea4254 - c:\windows\system32\oxvqlkrv.dll
HKCU-Run-tdsfjoys - c:\windows\system32\yhmtenkz.exe
HKCU-Run-Sonic RecordNow! - (no file)



**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-16 14:30:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\TCPSVCS.EXE
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\windows\SYSTEM32\wscntfy.exe
c:\windows\SYSTEM32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-11-16 14:35:07 - machine was rebooted [ME!]
ComboFix-quarantined-files.txt 2008-11-16 19:35:04
ComboFix2.txt 2008-11-16 04:36:08
ComboFix3.txt 2008-11-10 03:39:36

Pre-Run: 63,218,106,368 bytes free
Post-Run: 61,652,594,688 bytes free

128
************* end ***********

I will wait for further instructions at this point
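A defender-side check over the ComboFix log above, as an added example that is not ComboFix's or the forum's code: it parses the Reg Loading Points section and flags the Winlogon Notify entries that carry the marks of this infection (.dat files in system32 with 1980 timestamps and the __c naming) together with the disabled-firewall setting. The sample text is constructed from the entries in this post; the heuristics are the editor's assumptions, not ComboFix's own rules.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the "Reg Loading Points" section of the
# ComboFix log posted in this thread (the two Winlogon Notify entries and the
# disabled-firewall line are the interesting parts).
SAMPLE_LOG = r"""
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2006-10-30 392832]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c0024348]
1980-08-16 19:00 22291 c:\windows\SYSTEM32\__c0024348.dat

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00387E4]
1980-08-16 19:00 35840 c:\windows\SYSTEM32\__c00387E4.dat

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# ComboFix prints a Notify entry as: <date> <time> <size> <path>
NOTIFY_RE = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2} (?P<size>\d+) (?P<path>.+)$")
FIREWALL_RE = re.compile(r'^"EnableFirewall"=\s*(?P<val>\d+)')


@dataclass
class Finding:
    key: str        # registry key the entry lives under
    detail: str     # the value line or file path that triggered the finding
    reasons: list   # human-readable reasons it was flagged


def parse_sections(text):
    """Split a Reg Loading Points dump into (key, [value lines]) pairs."""
    sections, key, lines = [], None, []
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            if key is not None:
                sections.append((key, lines))
            key, lines = m.group("key"), []
        elif line and key is not None:
            lines.append(line)
    if key is not None:
        sections.append((key, lines))
    return sections


def check_notify_entry(line):
    """Return (path, reasons) for a Winlogon Notify entry; reasons is empty if it looks clean."""
    m = NOTIFY_RE.match(line)
    if not m:
        return None, []
    path = m.group("path")
    low = path.lower()
    reasons = []
    if m.group("date").startswith("1980-"):
        reasons.append("implausible 1980 file timestamp")
    if low.endswith(".dat"):
        reasons.append("Notify DLL registered with a .dat extension")
    if re.search(r"\\__c[0-9a-f]+\.", low):
        reasons.append("__c naming pattern seen in this infection")
    return path, reasons


def analyze(text):
    """Return the list of Finding objects for a Reg Loading Points dump."""
    findings = []
    for key, lines in parse_sections(text):
        lkey = key.lower()
        if "\\winlogon\\notify\\" in lkey:
            # ComboFix already hides known-good Notify packages, so every
            # entry printed here deserves a look; the heuristics rank them.
            for line in lines:
                path, reasons = check_notify_entry(line)
                if reasons:
                    findings.append(Finding(key, path, reasons))
        elif lkey.endswith("firewallpolicy\\standardprofile"):
            for line in lines:
                m = FIREWALL_RE.match(line)
                if m and m.group("val") == "0":
                    findings.append(Finding(key, line, ["Windows Firewall disabled"]))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.key}\n    {f.detail}\n    -> {'; '.join(f.reasons)}")
```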
Old 11-16-2008, 01:15 PM   #44 (permalink)
bajanknight

Re: Programs Restricted/no desktop/Virtumonde

Since you had asked for DDS.txt following ComboFix.txt in a prior post, which I was unable to perform due to the lack of booting into Normal mode with desktop control,

I can now run it and here it is:


DDS (Version 1.0) - NTFSx86
Run by ME! at 15:02:20.01 on 2008-11-16
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.1711 [GMT -5:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\ME!\Desktop\dds.scr

============== Psuedo HJT Report ===============

uStart Page = hxxp://www.myspace.com/
mSearch Bar =
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
TB: {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - c:\program files\canon\easy-webprint\Toolband.dll
TB: {40D41A8B-D79B-43D7-99A7-9EE0F344C385} - c:\program files\aim toolbar\AIMBar.dll
uRun: [EasyLinkAdvisor] "c:\program files\linksys easylink advisor\LinksysAgent.exe" /startup
IE: c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
TCP: {777B9D40-F35A-471A-A863-F6E7B3FC9751} = 208.67.220.220,208.67.222.222
TCP: {861BEBB0-E147-491F-B363-309EEC201B53} = 208.67.220.220,208.67.222.222
TCP: {9F1519AE-0148-44FB-9E19-8D4A8112F5C6} = 208.67.220.220,208.67.222.222
Handler: ebk - {1E411CE8-FE8B-4973-B8E0-6EA2CC3C6B06} -
Notify: __c0024348 - c:\windows\system32\__c0024348.dat
Notify: __c00387E4 - c:\windows\system32\__c00387E4.dat
SSODL: UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - c:\windows\system32\upnpui.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R2 IOPort;IOPort;\??\c:\windows\system32\drivers\IOPORT.SYS
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\ViewpointService.exe"
R3 ADM8211;Wireless PC Card;c:\windows\system32\drivers\WLANPCI.sys
S2 BulkUsb;Genesys Logic USB Scanner Controller NT 5.0;c:\windows\system32\drivers\usbscan.sys
S2 lxdc_device;lxdc_device;c:\windows\system32\lxdccoms.exe -service
S3 WLANNDIS5;WLANNDIS5 NDIS Protocol Driver;\??\c:\progra~1\wirele~1\WLANNDIS5.SYS

=============== Created Last 30 ================

2008-11-16 14:29 35,840 a------- c:\windows\system32\__c00387E4.dat
2008-11-16 14:29 22,291 a------- c:\windows\system32\__c0024348.dat
2008-11-15 23:22 161,792 a------- c:\windows\SWREG.exe
2008-11-15 23:22 98,816 a------- c:\windows\sed.exe
2008-11-15 23:22 <DIR> --d----- C:\ComboFix
2008-11-15 21:26 <DIR> --d----- C:\Old_ComboFix
2008-11-09 23:26 <DIR> --d----- c:\program files\Trend Micro
2008-11-09 22:26 <DIR> a-dshr-- C:\cmdcons
2008-11-08 16:19 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2008-11-08 16:19 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2008-11-08 15:47 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2008-11-07 22:27 250 a------- c:\windows\gmer.ini
2008-11-07 01:28 <DIR> --d----- c:\windows\pss
2008-11-07 00:23 <DIR> --d----- c:\program files\CCleaner
2008-11-05 22:41 <DIR> --d----- c:\windows\ERUNT
2008-11-05 22:35 <DIR> --d----- C:\SDFix
2008-11-05 22:30 <DIR> --d----- C:\ClamWinPortable
2008-11-05 22:28 14,848 a------- c:\windows\system32\drivers\kbdhid.sys
2008-11-05 22:28 21,504 a------- c:\windows\system32\hidserv.dll
2008-11-05 22:28 12,160 a------- c:\windows\system32\drivers\mouhid.sys

==================== Find3M ====================

2008-11-08 16:57 <DIR> a-d----- c:\program files\Lycos
2008-11-07 00:41 <DIR> --d----- c:\program files\Canon
2008-11-06 00:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\mralotun
2007-11-20 21:47 <DIR> --d----- c:\docume~1\me!\applic~1\IrfanView
2007-10-19 23:17 <DIR> --d----- c:\docume~1\me!\applic~1\Seekmo
2007-07-05 21:09 <DIR> --d----- c:\docume~1\me!\applic~1\Lexmark Imaging Studio
2007-02-15 22:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Broderbund
2007-01-24 16:31 <DIR> --d----- c:\docume~1\me!\applic~1\Viewpoint
2007-01-24 16:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Viewpoint
2006-07-23 17:54 <DIR> --d----- c:\docume~1\me!\applic~1\ScanSoft
2006-07-23 17:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SSScanWizard
2006-07-23 17:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SSScanAppDataDir
2006-03-23 00:00 <DIR> --d----- c:\docume~1\me!\applic~1\EbkReader
2005-12-25 23:13 <DIR> --d----- c:\docume~1\me!\applic~1\Azureus
2005-12-25 19:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\McAfee.com
2005-09-13 20:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Dell
2005-03-17 18:52 <DIR> --d----- c:\docume~1\me!\applic~1\WeatherBug
2004-10-18 21:37 <DIR> --d----- c:\docume~1\me!\applic~1\Kontiki
2004-06-10 18:54 <DIR> --d----- c:\docume~1\me!\applic~1\Lycos
2004-03-06 03:56 <DIR> --d----- c:\docume~1\me!\applic~1\Jasc Software Inc
2004-03-06 03:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SBSI

============= FINISH: 15:02:29.06 ===============
Old 11-16-2008, 01:50 PM   #45 (permalink)
Ried

Re: Programs Restricted/no desktop/Virtumonde

Good work.

From the Steph account...

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

---------------------------------------------------------------------

Open notepad and copy/paste the text in the code box below into it:

Code:
File::
c:\windows\SYSTEM32\__c00387E4.dat
c:\windows\SYSTEM32\__c0024348.dat
Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt.


--------------------------------------------------------------------

Please run a new scan with gmer.exe. Remember to save the log, but change the extension from .log to .txt so you can attach it to your next reply.

So, include the following in your next reply:

C:\ComboFix.txt
gmer.txt <--attached to post
Update on system behavior


One more question, is your friend intentionally utilizing OpenDNS for internet access?
Old 11-16-2008, 02:45 PM   #46 (permalink)
bajanknight

Re: Programs Restricted/no desktop/Virtumonde

ComboFix 08-11-14.01 - ME! 2008-11-16 16:12:03.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1687 [GMT -5:00]
Running from: c:\documents and settings\ME!\Desktop\ComboFxx.exe
Command switches used :: c:\documents and settings\ME!\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\SYSTEM32\__c0024348.dat
c:\windows\SYSTEM32\__c00387E4.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\ME!\cftmon.exe
c:\windows\SYSTEM32\__c0024348.dat
c:\windows\SYSTEM32\__c00387E4.dat

.
((((((((((((((((((((((((( Files Created from 2008-10-16 to 2008-11-16 )))))))))))))))))))))))))))))))
.

2008-11-15 23:22 . 2008-11-15 23:36 <DIR> d-------- C:\ComboFix
2008-11-15 21:26 . 2008-11-15 21:27 <DIR> d-------- C:\Old_ComboFix
2008-11-09 23:30 . 2008-11-09 23:30 <DIR> d-------- C:\rsit
2008-11-09 23:26 . 2008-11-09 23:26 <DIR> d-------- c:\program files\Trend Micro
2008-11-08 17:32 . 2008-11-08 17:32 <DIR> d-------- c:\documents and settings\Administrator\Application Data\TrueCrypt
2008-11-08 16:19 . 2008-11-15 21:44 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-08 16:19 . 2008-11-15 21:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-08 15:47 . 2008-11-08 15:47 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-07 22:27 . 2008-11-09 22:54 250 --a------ c:\windows\gmer.ini
2008-11-07 00:23 . 2008-11-07 00:23 <DIR> d-------- c:\program files\CCleaner
2008-11-05 22:41 . 2008-11-05 22:42 <DIR> d-------- c:\windows\ERUNT
2008-11-05 22:35 . 2008-11-16 01:00 <DIR> d-------- C:\SDFix
2008-11-05 22:30 . 2008-11-05 22:30 <DIR> d-------- C:\ClamWinPortable
2008-11-05 22:28 . 2004-08-04 02:56 21,504 --a------ c:\windows\SYSTEM32\hidserv.dll
2008-11-05 22:28 . 2004-08-04 00:58 14,848 --a------ c:\windows\SYSTEM32\DRIVERS\kbdhid.sys
2008-11-05 22:28 . 2001-08-17 13:48 12,160 --a------ c:\windows\SYSTEM32\DRIVERS\mouhid.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-08 21:57 --------- d---a-w c:\program files\Lycos
2008-11-07 05:41 --------- d-----w c:\program files\Canon
2008-11-06 05:27 --------- d-----w c:\documents and settings\All Users\Application Data\mralotun
2001-06-20 20:19 40,960 ----a-w c:\program files\ACMonitor_X83.exe
.

((((((((((((((((((((((((((((( snapshot@2008-11-09_22.38.53.85 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-11-06 04:54:51 753,664 ----a-w c:\windows\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-11-16 05:45:32 3,567,616 ----a-w c:\windows\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
- 2008-11-06 04:54:51 8,192 ----a-w c:\windows\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-11-16 05:45:32 8,192 ----a-w c:\windows\ERUNT\SDFIX\Users\00000002\UsrClass.dat
- 2008-04-27 23:09:09 24,576 ----a-w c:\windows\SYSTEM32\userinit.exe
+ 2004-08-04 07:56:57 24,576 ----a-w c:\windows\SYSTEM32\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2006-10-30 392832]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Wireless Lan Utility.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Wireless Lan Utility.lnk
backup=c:\windows\pss\Wireless Lan Utility.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyLinkAdvisor]
--a------ 2006-10-30 11:01 392832 c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2005-05-13 23:20 278528 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE2]
--a------ 2003-05-08 10:00 49152 c:\program files\ScanSoft\OmniPageSE2.0\opwareSE2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-05-21 23:12 98304 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 04:25 144784 c:\program files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2004-03-06 03:47 151597 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
--a------ 2003-06-02 06:00 122880 c:\windows\BCMSMMSG.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R2 IOPort;IOPort;\??\c:\windows\System32\DRIVERS\IOPORT.SYS [1998-11-27 6144]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2007-01-24 24652]
R3 ADM8211;Wireless PC Card;c:\windows\system32\DRIVERS\WLANPCI.sys [2004-06-10 86656]
S2 BulkUsb;Genesys Logic USB Scanner Controller NT 5.0;c:\windows\system32\Drivers\usbscan.sys [2005-07-28 15104]
S2 lxdc_device;lxdc_device;c:\windows\System32\lxdccoms.exe -service []
S3 WLANNDIS5;WLANNDIS5 NDIS Protocol Driver;\??\c:\progra~1\WIRELE~1\WLANNDIS5.SYS [2004-06-10 15872]
.
- - - - ORPHANS REMOVED - - - -

Notify-__c0024348 - c:\windows\system32\__c0024348.dat
Notify-__c00387E4 - c:\windows\system32\__c00387E4.dat



**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-16 16:14:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\TCPSVCS.EXE
c:\windows\SYSTEM32\wscntfy.exe
c:\windows\SYSTEM32\rundll32.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
.
**************************************************************************
.
Completion time: 2008-11-16 16:19:50 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-16 21:19:47
ComboFix2.txt 2008-11-16 19:35:08
ComboFix3.txt 2008-11-16 04:36:08
ComboFix4.txt 2008-11-10 03:39:36

Pre-Run: 61,660,205,056 bytes free
Post-Run: 61,647,704,064 bytes free

115
********* END**********

GMER has scanned and I have attached.

OpenDNS is not something I think is being used intentionally.

Computer is allowing me access to files & folders, but I have not given it Internet access yet. I thought that you might want me to run a virus scan of some sort. I do have ClamWin... should I run it before I step out for a few hours?
Attached Files
File Type: txt gmer.txt (1.2 KB, 2 views)
Old 11-16-2008, 03:33 PM   #47 (permalink)
Ried

Re: Programs Restricted/no desktop/Virtumonde

No, I'd prefer to get a look from an online scanner.

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.
  • Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

----------------------------------------

Run a new scan with dds.scr and post the dds.txt along with the Kaspersky results.

Also--the gmer.txt appears to be the results of the quick scan. Please run it again and let it do a full scan: (takes 15 - 20 minutes)

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click Yes.
  • Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
Old 11-16-2008, 05:49 PM   #48 (permalink)
Ried

Re: Programs Restricted/no desktop/Virtumonde

When you get the chance, would you mind carrying out this next CFScript to upload some samples for analysis?

Disable any active protection programs so they do not interfere.



Open notepad and copy/paste the text in the quotebox below into it:

Quote:

http://www.techsupportforum.com/secu...irtumonde.html

Collect::
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\1112.dat.vir
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\kcbgtcnu.dll.vir
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\oxvqlkrv.dll.vir
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\cnmhypvr.dll.vir
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\ebkp.dll.vir
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\Otx83.sys.vir
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\userinit.exe.vir
Save this as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
  • A browser will open.
  • Simply follow the instructions to copy/paste/send the requested file.

Last edited by Ried; 11-16-2008 at 05:53 PM.
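A sanity check to run over a Collect:: script before dragging it onto ComboFix, added here as an example and not code from the thread or from ComboFix itself: it splits the script into its Name:: sections (the layout seen in the scripts quoted above; the full CFScript grammar is an assumption, not documented here) and flags Collect:: entries that are not .vir copies under C:\Qoobox\Quarantine, so that a live system file is not shipped as a sample by mistake.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample CFScript (not from the thread); the Collect:: and
# Registry:: sections mirror the shape of the scripts posted above.
SAMPLE_SCRIPT = r"""http://thread-url.example.invalid/
Collect::
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\kcbgtcnu.dll.vir
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\Otx83.sys.vir
C:\WINDOWS\SYSTEM32\userinit.exe

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Otx83.sys]
"""

# ComboFix keeps quarantined copies under this tree with a .vir suffix,
# as the paths quoted in the thread show.
QUARANTINE_ROOT = PureWindowsPath(r"C:\Qoobox\Quarantine")


def parse_cfscript(text):
    """Split a CFScript into {section: [entries]}. Headers look like
    'Collect::'; lines before the first header go under 'preamble'."""
    sections, current = {"preamble": []}, "preamble"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = re.fullmatch(r"([A-Za-z]+)::", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        else:
            sections[current].append(line)
    return sections


def check_collect_entries(entries, root=QUARANTINE_ROOT):
    """Return Collect:: entries that do not look like quarantined copies:
    outside the quarantine tree, or lacking the .vir suffix. Such an entry
    would submit a live system file rather than the captured sample."""
    root_parts = [p.lower() for p in root.parts]
    flagged = []
    for entry in entries:
        path = PureWindowsPath(entry)
        head = [p.lower() for p in path.parts[: len(root_parts)]]
        if head != root_parts or path.suffix.lower() != ".vir":
            flagged.append(entry)
    return flagged
```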
Old 11-16-2008, 10:15 PM   #49 (permalink)
I helped the forums.
 
bajanknight
Join Date: Nov 2008
Location: Florida
Posts: 34
OS: win xp home sp2


Re: Programs Restricted/no desktop/Virtumonde

Script sent from my working computer's USB drive.

Quote:
Programs Restricted/no desktop/Virtumonde

Collect::
K:\Samples.7z
After disabling McAfee, the file uploaded successfully.

The GMER log is still coming up short; it stops scanning after a bit and I have to click on the Save button to get it to make a .txt. That gmer.txt is still very short.

I have deleted the executable and re-downloaded a fresh copy and am running again.

Will post shortly.

*** edited to attach final gmer.txt
See Screenshot of when gmer stops scanning.
It never prompts for deepscan
Attached Images
File Type: jpg GmerScreen1.jpg (59.8 KB, 5 views)
Attached Files
File Type: txt gmer.txt (1.2 KB, 2 views)

Last edited by Ried; 11-16-2008 at 10:52 PM.
Old 11-16-2008, 10:52 PM   #50 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried
Join Date: Jan 2005
Location: Ohio
Posts: 26,580
OS: WinXP and Vista


Re: Programs Restricted/no desktop/Virtumonde

After the initial scan, when it stops, don't click Save yet. Click the Scan button. That will trigger the full scan, and given the contents of your very first gmer.txt, I'd really like to see a new full scan.
Old 11-16-2008, 11:23 PM   #51 (permalink)
I helped the forums.
 
bajanknight
Join Date: Nov 2008
Location: Florida
Posts: 34
OS: win xp home sp2


Re: Programs Restricted/no desktop/Virtumonde

After I double click gmer.exe it scans for about 5 seconds and shows nothing within the window pane.

I then select "Scan" and it scans for awhile and gives me a screen like I posted previously.

I then select "Scan" again and it does the same scan over again and shows exactly what it showed before.

It never gives option for a deep scan.

I attached the txt to this post.

Maybe the ClamWin reduced what would have been normally shown?
Attached Files
File Type: txt gmer.txt (1.2 KB, 1 views)
Old 11-16-2008, 11:37 PM   #52 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried
Join Date: Jan 2005
Location: Ohio
Posts: 26,580
OS: WinXP and Vista


Re: Programs Restricted/no desktop/Virtumonde

Alright then, we'll move on.

Now that you can access the necessary files and folders to backup from Steph's account, and given the condition this system was in, I think it would still be prudent of you to go with your original plan of backing up those files and reformatting this system, then reinstall Windows. There's no telling how much file corruption has actually taken place.

Should you/your friend decide to forge ahead with the system as is, then please continue with these final instructions and helpful links:

The following procedure will clear out the backups and quarantines created by the fix. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.

Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK:

ComboFix /u

--------------------------------------------------------------------


To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

McAfee Site Advisor--free version. The folks there check out websites and based on their findings, rate it as Safe, Unknown, Caution, or Bad.

SpywareBlaster 4.0 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.
  • It will block any bad ActiveX from running in Internet Explorer and Firefox if it's listed in their database (which you should update frequently). To view their database and list of restricted sites, launch the program and click on each of the tabs on the main display page.

IESpyAD Zoned Out to block access to malicious websites so you cannot be redirected to them from an infected site or email. This severely impairs attempts to infect your system as it basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.


Update, and scan with your onboard Anti Malware and Anti Virus programs regularly. Without regular updates you will not be protected when new malicious programs are released.


In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well-written articles:

PC Safety and Security--What Do I Need?
Think Prevention


**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

-----------------------------------------------------

Follow the list above and the potential for infection will reduce dramatically.

**Kindly respond one more time and let me know if we may consider this thread resolved.
Old 11-16-2008, 11:43 PM   #53 (permalink)
I helped the forums.
 
bajanknight
Join Date: Nov 2008
Location: Florida
Posts: 34
OS: win xp home sp2


Re: Programs Restricted/no desktop/Virtumonde

Ried,

I will finish up tomorrow and report back.

Thanks

Roger
__________________
The better of two evils.....
Old 11-16-2008, 11:45 PM   #54 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried
Join Date: Jan 2005
Location: Ohio
Posts: 26,580
OS: WinXP and Vista


Re: Programs Restricted/no desktop/Virtumonde

That'll be fine. Until tomorrow, then. : )
Old 11-18-2008, 06:22 PM   #55 (permalink)
I helped the forums.
 
bajanknight
Join Date: Nov 2008
Location: Florida
Posts: 34
OS: win xp home sp2


Re: Programs Restricted/no desktop/Virtumonde

Ried,

Rescue of the important files from the PC has been (mission) accomplished!
I was unable to remove some of the last spyware, Seekmo, from the PC, but I will be doing a fresh reload of the operating system, so it doesn't really matter at this point.

Thank you very much for the time you spent assisting me. I may have had to wait awhile for your help, but it would have taken me weeks (months) to learn how to do what we accomplished together in the course of a few days after we had started.

I will be reading up on prevention so that I can minimize the chances of catching any of these virus malware processes myself. It will also give me the opportunity to recommend to friends good prevention tools so they don't end up like this PC did.

Thanks again for everything!

Roger
Old 11-18-2008, 10:57 PM   #56 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried
Join Date: Jan 2005
Location: Ohio
Posts: 26,580
OS: WinXP and Vista


Re: Programs Restricted/no desktop/Virtumonde

You're quite welcome, Roger. Nice working with you.

Take care.
 


Copyright 2001 - 2009, Tech Support Forum