Question

How to remove WORM/Conficker.M from network and cure the symptoms caused by it?

Asked by: gpitd

Hi all,

Does anyone know exactly what this worm does to the system/network? I've been searching online and only found Conficker variants A-E, no information about Conficker.M... and is there any cure for it?
For previous variants of 'Conficker', Microsoft support had suggested the Malicious Software Removal Tool and Windows Update. I have done so but it hasn't solved the issue.

The symptoms are as follows:

1. The system cannot run Windows Update. The following error message appears:
<<Internet Explorer - Security Warning
Windows has found a problem with this file.
Name: wuweb_site.cab?1248750417858
Publisher: Unknown Publisher>>

2. Domain user accounts are constantly being locked out automatically.

Please help. Thanks!
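The second symptom, domain accounts being locked out on their own, is usually easiest to trace from the domain controller's security log: every lockout event names the machine the bad passwords came from. The script below is an added example (not from this thread or any of the tools mentioned in it). It assumes a flat text export of the Windows Server 2003 security event 644 ("User Account Locked Out") with the "Target Account Name" and "Caller Machine Name" fields; the export layout, host names and account names are constructed for the example. It ranks the caller machines and singles out hosts that lock out several different accounts within minutes, which is how an infected workstation looks, as opposed to one user with a stale password.

```python
"""Find the workstations behind a wave of domain account lockouts (added example, not from the thread).

Assumption (constructed): LOCKOUT_EVENTS mimics a flat text export of the
Windows Server 2003 security event 644 ("User Account Locked Out") from a
domain controller; only the two fields used here are kept, and every host and
account name is invented for this example.
"""
import re
from collections import defaultdict
from datetime import datetime

LOCKOUT_EVENTS = """\
2009-07-30 09:12:05 644 Target Account Name: jsmith Caller Machine Name: WS-ACCT-07
2009-07-30 09:12:07 644 Target Account Name: mlee Caller Machine Name: WS-ACCT-07
2009-07-30 09:12:09 644 Target Account Name: admin Caller Machine Name: WS-ACCT-07
2009-07-30 09:30:44 644 Target Account Name: jsmith Caller Machine Name: WS-HR-02
2009-07-30 09:41:12 644 Target Account Name: ksoh Caller Machine Name: WS-ACCT-07
2009-07-30 11:02:50 644 Target Account Name: rtan Caller Machine Name: WS-ACCT-07
"""

EVENT_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) 644 "
    r"Target Account Name: (\S+) Caller Machine Name: (\S+)$"
)


def parse_events(text: str) -> list:
    """Return (timestamp, account, caller machine) for every lockout line."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            stamp = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((stamp, m.group(2), m.group(3)))
    return events


def rank_callers(text: str) -> list:
    """Rank caller machines as (machine, lockouts, distinct accounts), busiest first."""
    per_host = defaultdict(list)
    for _ts, account, host in parse_events(text):
        per_host[host].append(account)
    ranked = [(host, len(accts), len(set(accts))) for host, accts in per_host.items()]
    return sorted(ranked, key=lambda r: (-r[1], -r[2], r[0]))


def burst_hosts(text: str, window_seconds: int = 600, min_accounts: int = 3) -> set:
    """Hosts that locked out at least min_accounts distinct accounts inside one window.

    A forgotten password locks one account; a worm trying a password list against
    every share it can reach locks many accounts from one machine in quick succession.
    """
    per_host = defaultdict(list)
    for ts, account, host in parse_events(text):
        per_host[host].append((ts, account))
    hits = set()
    for host, evs in per_host.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            # distinct accounts locked out within window_seconds of this event
            accounts = {a for ts, a in evs[i:] if (ts - start).total_seconds() <= window_seconds}
            if len(accounts) >= min_accounts:
                hits.add(host)
                break
    return hits


if __name__ == "__main__":
    for host, lockouts, accounts in rank_callers(LOCKOUT_EVENTS):
        print(f"{host}: {lockouts} lockouts across {accounts} accounts")
    print("burst hosts:", sorted(burst_hosts(LOCKOUT_EVENTS)))
```

Run it against a real export and the burst list is the set of machines to pull off the network first; the ranking alone can mislead, since a single user with a stale mapped drive can also rack up a high lockout count for one account.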

This Question has been solved and asker verified.


Asked On: 2009-07-30 at 22:42:36, ID 24615864
Tags: Windows XP
Topics: Latest Threats, Windows XP Operating System
Participating Experts: 3
Points: 500
Comments: 21


Answers

 

by: Jonvee, posted on 2009-07-30 at 23:00:17, ID: 24986614

No mention of Conficker.M, but this package removes Conficker from PCs in a network:

"Remove Downadup(or Conficker) from infected computers":
http://www.bdtools.net/

 

by: xtreminator, posted on 2009-07-31 at 01:03:43, ID: 24987056

The F-Secure removal tool can help with this.

Check the link below:

http://www.f-secure.com/weblog/archives/00001588.html

Download the F-Downadup tool.

Start your computer in safe mode with networking > unplug the network cable,
and run the tool. (Don't forget to read the readme.txt or help file from the tool, which has a special command to disinfect the worm, like f-downadup.exe -d.)

 

by: Jonvee, posted on 2009-08-09 at 14:22:57, ID: 25056040

Hi gpitd,
Have you been able to resolve your problem using the comments above?
Maybe you could update us both please ...

 

by: gpitd, posted on 2009-08-10 at 19:11:07, ID: 25065698

Hi Jonvee and xtreminator,
Thanks for your replies and sorry for my late response. I can remove Conficker.M remotely by using bdtools (network), but not all can be removed remotely; some others I need to remove using the single-PC removal tool... just that it only removes it for a while, then Conficker.M keeps coming back over and over again.
As for the second solution (F-Secure), I'll update you a bit later since I'm still working on it. Thanks!

 


by: Jonvee, posted on 2009-08-11 at 03:22:40, ID: 25067497

OK, thanks. If you are not successful with the second solution (F-Secure), may I suggest you try running ComboFix. Download ComboFix and save it to your Desktop:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Before using ComboFix please disable any realtime Anti-virus, Anti-spyware, Shields, etc. that you may have running.

Also it may be necessary to rename ComboFix.exe to Combo-Fix.exe (for example) before saving it to your desktop. If you have difficulties downloading it, try downloading it on another computer, then onto a USB memory stick (or equivalent). Rename it and connect to all the infected machines, as appropriate.

Double-click "combofix.exe" and follow the prompts.
When it's finished it will have produced a log file, probably at C:\ComboFix.txt.
You could post that log, together with a HijackThis log, in a reply for us.
Please do not mouse-click ComboFix's window while it is running, because it may stall. It is absolutely normal to see a blue screen with a flashing cursor, and this can last for up to 30 minutes.
Ideally ComboFix should be run in normal mode, although it will work in safe mode.

 

by: gpitd, posted on 2009-08-12 at 01:38:12, ID: 25076705

Thanks for the suggestion. I have run ComboFix on one of the infected PCs.
The content of ComboFix.txt is as follows:

ComboFix 09-08-10.06 - latiffahw 12/08/2009 16:03.1.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.44.1033.18.3063.2520 [GMT 8:00]
Running from: c:\documents and settings\latiffahw\Desktop\Combo-Fix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: COMODO Firewall Pro *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\ARK8.tmp
c:\recycler\S-1-5-21-1675229751-1870806962-725480079-500
c:\windows\Installer\1d51dc.msp

.
(((((((((((((((((((((((((   Files Created from 2009-07-12 to 2009-08-12  )))))))))))))))))))))))))))))))
.

2009-07-30 02:45 . 2008-04-13 21:42      1306624      ------w-      c:\windows\system32\msxml6.dll
2009-07-30 02:45 . 2008-04-13 21:42      1306624      ------w-      c:\windows\system32\dllcache\msxml6.dll
2009-07-30 02:45 . 2008-04-13 14:57      79872      ------w-      c:\windows\system32\msxml6r.dll
2009-07-30 02:45 . 2008-04-13 14:57      79872      ------w-      c:\windows\system32\dllcache\msxml6r.dll
2009-07-30 02:43 . 2009-07-30 02:45      --------      d-----w-      c:\windows\ServicePackFiles

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-12 05:20 . 2009-06-16 06:38      --------      d-----w-      c:\program files\Vehicle Fleet Manager
2009-07-30 02:46 . 2005-11-27 12:42      86327      ----a-w-      c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-07-07 01:00 . 2009-07-07 01:00      7680      ----a-w-      c:\documents and settings\latiffahw\Application Data\Thinstall\FramePhotoEditor\4000002f99b702i\FramePhotoEditor.exe
2009-07-02 08:40 . 2009-07-02 08:40      7680      ----a-w-      c:\documents and settings\latiffahw\Application Data\Thinstall\FramePhotoEditor\300000003400002i\dwwin.exe
2009-07-02 08:17 . 2009-07-02 08:17      --------      d-----w-      c:\documents and settings\latiffahw\Application Data\Thinstall
2009-06-26 05:37 . 2009-06-26 01:02      --------      d-----w-      c:\documents and settings\latiffahw\Application Data\MagicEffect Photo
2009-06-26 01:40 . 2009-06-26 01:39      --------      d-----w-      c:\program files\K-Lite Codec Pack
2009-06-26 01:33 . 2009-06-26 01:33      --------      d-----w-      c:\documents and settings\latiffahw\Application Data\GRETECH
2009-06-26 00:23 . 2005-11-27 13:06      --------      d--h--w-      c:\program files\InstallShield Installation Information
2009-06-22 03:40 . 2009-01-21 06:20      60      ----a-w-      c:\windows\wpd99.drv
2009-06-22 03:40 . 2009-01-21 06:20      --------      d-----w-      c:\documents and settings\All Users\Application Data\pdf995
2009-06-18 02:45 . 2009-06-15 08:50      --------      d-----w-      c:\program files\Common Files\Adobe
2009-06-16 06:38 . 2009-06-16 06:38      --------      d-----w-      c:\program files\Vehicle Fleet Manager Data
2009-05-27 23:59 . 2009-02-25 05:23      75096      ----a-w-      c:\windows\system32\drivers\avipbb.sys
2009-05-27 23:59 . 2009-06-04 23:56      401783      ----a-w-      c:\documents and settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\TEMP\AVUPDATE_4a285f1c\validationdir\aepack.dll
2009-05-27 23:59 . 2009-06-04 23:56      180599      ----a-w-      c:\documents and settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\TEMP\AVUPDATE_4a285f1c\validationdir\aecore.dll
2009-05-18 00:00 . 2009-06-04 23:56      389497      ----a-w-      c:\documents and settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\TEMP\AVUPDATE_4a285f1c\validationdir\aescript.dll
2009-05-18 00:00 . 2009-06-04 23:56      127347      ----a-w-      c:\documents and settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\TEMP\AVUPDATE_4a285f1c\validationdir\aescn.dll
2009-05-18 00:00 . 2009-06-04 23:56      1761655      ----a-w-      c:\documents and settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\TEMP\AVUPDATE_4a285f1c\validationdir\aeheur.dll
2009-05-18 00:00 . 2009-06-04 23:56      348532      ----a-w-      c:\documents and settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\TEMP\AVUPDATE_4a285f1c\validationdir\aegen.dll
2008-02-21 06:48 . 2008-02-21 06:48      1689638      ----a-w-      c:\program files\pdemoh.exe
2008-02-21 06:41 . 2008-02-21 06:41      1139254      ----a-w-      c:\program files\wintwins23.exe
2007-08-24 08:14 . 2007-08-24 08:14      4291      ----a-w-      c:\program files\blogsofnote.blogspot[1]
2007-08-13 06:45 . 2007-08-13 06:45      1606064      ----a-w-      c:\program files\googletalk-setup.exe
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2}"= "c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL" [2009-03-07 66912]

[HKEY_CLASSES_ROOT\clsid\{0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
2009-03-07 03:00      66912      ----a-w-      c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"ntiMUI"="c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2005-05-12 45056]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"Acer Empowering Technology Monitor"="c:\windows\system32\SysMonitor.exe" [2006-04-19 49152]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2006-03-17 345088]
"eLockMonitor"="c:\acer\Empowering Technology\eLock\Monitor\LaunchMonitor.exe" [2006-04-22 16384]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2006-04-28 401408]
"AdminWorks Tray"="c:\acer\LANScope Agent\awtray.exe" [2006-04-18 1301504]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-19 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-19 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-19 114688]
"ImageItEncrypt"="c:\windows\system32\ImageItEncrypt.exe" [2005-12-30 40960]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-13 143360]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2006-11-10 249927]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" - c:\windows\system32\HdAShCut.exe [2005-01-08 61952]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-04-24 1448960]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-05-04 16206848]
"SMSERIAL"="sm56hlpr.exe" - c:\windows\sm56hlpr.exe [2005-06-06 544768]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Microsoft Office Outlook 2003.lnk - c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\outicon.exe [2006-10-5 794624]

c:\documents and settings\latiffahw\Start Menu\Programs\Startup\
Microsoft Office Outlook 2003.lnk - c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\outicon.exe [2006-10-5 794624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylockeduserid"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9999:UDP"= 9999:UDP:AdminWorks UDP Port
"2804:TCP"= 2804:TCP:AdminWorks TCP Port
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;c:\windows\system32\eLock2BurnerLockDriver.sys [7/18/2006 9:50 AM 16384]
R2 eLock2FSCTLDriver;eLock2FSCTLDriver;c:\windows\system32\eLock2FSCTLDriver.sys [7/18/2006 9:50 AM 85248]
R2 LockServ;LockServ;c:\acer\Empowering Technology\eLock\LockServ.exe -p --> c:\acer\Empowering Technology\eLock\LockServ.exe -p [?]
S2 jvlrngukc;Microsoft Task;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 1:00 PM 14336]
S2 upocvzmq;Driver Windows;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 1:00 PM 14336]
S3 PortRW;PortRW;c:\windows\system32\drivers\PortRW.sys [8/16/2003 6:57 AM 3456]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
jvlrngukc
upocvzmq
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://global.acer.com/
uInternet Settings,ProxyOverride = 127.0.0.1;localhost;*.local;*.grandperfect.com;172.*;<local>
uInternet Settings,ProxyServer = isa2006.grandperfect.com:8080
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\program files\Microsoft Firewall Client\wspwsp.dll
TCP: {820483FB-23FF-4C81-9947-532726C3BFAF} = 172.17.125.1
FF - ProfilePath - c:\documents and settings\latiffahw\Application Data\Mozilla\Firefox\Profiles\2j2ywd16.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - prefs.js: network.proxy.http - isa2006.grandperfect.com
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAskSBr.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-12 16:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\jvlrngukc]
"ServiceDll"="c:\windows\system32\vvifycbk.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\upocvzmq]
"ServiceDll"="c:\program files\Movie Maker\vvifycbk.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(700)
c:\windows\system32\ac3acm.acm
c:\windows\system32\lameACM.acm
c:\windows\system32\igfxdev.dll
.
Completion time: 2009-08-12 16:10
ComboFix-quarantined-files.txt  2009-08-12 08:10

Pre-Run: 20,335,386,624 bytes free
Post-Run: 25,195,130,880 bytes free

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
169



While the HJT log is as follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:13:00, on 12/08/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Acer\LANScope Agent\awServ.exe
C:\Acer\Empowering Technology\eLock\LockServ.exe
C:\WINDOWS\system32\lyncusb.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\SysMonitor.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\WINDOWS\SkyTel.EXE
C:\Acer\LANScope Agent\awtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Acer\Empowering Technology\eLock\Monitor\LockMon.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = isa2006.grandperfect.com:8080
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [ntiMUI] c:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Acer Empowering Technology Monitor] C:\WINDOWS\system32\SysMonitor.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe 0
O4 - HKLM\..\Run: [eLockMonitor] C:\Acer\Empowering Technology\eLock\Monitor\LaunchMonitor.exe
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [AdminWorks Tray] "C:\Acer\LANScope Agent\awtray.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [ImageItEncrypt] C:\WINDOWS\system32\ImageItEncrypt.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Microsoft Office Outlook 2003.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1160105041411
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1249979063081
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = gp.local
O17 - HKLM\Software\..\Telephony: DomainName = gp.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{820483FB-23FF-4C81-9947-532726C3BFAF}: NameServer = 172.17.125.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = gp.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = gp.local
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = gp.local
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = gp.local
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AdminWorks Agent X6 (AWService) - OSA Technologies Inc., An Avocent Company - C:\Acer\LANScope Agent\awServ.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LockServ - Unknown owner - C:\Acer\Empowering Technology\eLock\LockServ.exe
O23 - Service: Lync USB Auditor Service (LyncUSBServ) - Lync Software Pty Ltd - C:\WINDOWS\system32\lyncusb.exe

--
End of file - 7755 bytes
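The part of the ComboFix log above that deserves the closest look is the pair of svchost-hosted services with random names ("Microsoft Task" and "Driver Windows") whose ServiceDll is the same randomly named DLL, registered once under system32 and once under Program Files. The script below is an added example, not part of this thread and not ComboFix logic. It parses the service, NetSvcs and ServiceDll sections of a ComboFix report (SAMPLE_REPORT is a cut-down copy of the log posted above) and applies a few indicators of its own: a ServiceDll outside system32, one DLL file name shared by several services, and random-looking names as a weaker corroborating signal.

```python
"""Triage svchost-hosted services in a ComboFix report (added example, not from the thread).

Assumption (constructed): SAMPLE_REPORT is a cut-down copy of the service list,
NetSvcs group and ServiceDll entries from the ComboFix log posted above; the
indicators below are this example's own heuristics, not ComboFix logic.
"""
import re
from collections import defaultdict

SAMPLE_REPORT = r"""
R2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;c:\windows\system32\eLock2BurnerLockDriver.sys [7/18/2006 9:50 AM 16384]
S2 jvlrngukc;Microsoft Task;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 1:00 PM 14336]
S2 upocvzmq;Driver Windows;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 1:00 PM 14336]
S3 PortRW;PortRW;c:\windows\system32\drivers\PortRW.sys [8/16/2003 6:57 AM 3456]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
jvlrngukc
upocvzmq

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\jvlrngukc]
"ServiceDll"="c:\windows\system32\vvifycbk.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\upocvzmq]
"ServiceDll"="c:\program files\Movie Maker\vvifycbk.dll"
"""

# "S2 name;display name;image path [date size]" lines from the Reg Loading Points section
SERVICE_LINE = re.compile(r"^([RS]\d) ([^;]+);([^;]+);(.+?) \[", re.MULTILINE)
# "[...\Services\name]" key header followed by its ServiceDll value
SERVICE_DLL = re.compile(r'\\Services\\([^\\\]]+)\]\s*"ServiceDll"="([^"]+)"')

WEAK = "random-looking service name (weak signal on its own)"


def looks_random(name: str) -> bool:
    """Heuristic: worm-generated names are runs of lowercase letters with few vowels.
    Legitimate names such as 'winmgmt' can trip this, so it is only corroboration."""
    if len(name) < 6 or not name.isalpha() or not name.islower():
        return False
    vowels = sum(ch in "aeiou" for ch in name)
    return vowels / len(name) < 0.3


def file_name(path: str) -> str:
    """Lower-cased final path component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def triage(report: str) -> dict:
    """Return {service name: [reasons]} for svchost-hosted services worth a closer look."""
    services = {name: image for _start, name, _display, image in SERVICE_LINE.findall(report)}
    dlls = dict(SERVICE_DLL.findall(report))

    # One DLL file name registered under several service names is itself an indicator
    by_file = defaultdict(list)
    for name, path in dlls.items():
        by_file[file_name(path)].append(name)

    findings = defaultdict(list)
    for name, image in services.items():
        if "svchost.exe" not in image.lower():
            continue  # only svchost-hosted services load a ServiceDll
        if looks_random(name):
            findings[name].append(WEAK)
        dll = dlls.get(name)
        if dll is None:
            continue
        if "\\windows\\system32\\" not in dll.lower():
            findings[name].append("ServiceDll outside system32")
        if looks_random(file_name(dll).rsplit(".", 1)[0]):
            findings[name].append("random-looking ServiceDll file name")
        others = [n for n in by_file[file_name(dll)] if n != name]
        if others:
            findings[name].append("ServiceDll file name shared with " + ", ".join(others))

    # Keep only services backed by at least one strong indicator
    return {n: r for n, r in findings.items() if any(x != WEAK for x in r)}


if __name__ == "__main__":
    for svc, reasons in triage(SAMPLE_REPORT).items():
        print(svc, "->", "; ".join(reasons))
```

On the log above this flags both jvlrngukc and upocvzmq, with the shared vvifycbk.dll as the common thread; a practitioner would then check that both service keys and both copies of the DLL are gone after cleaning, since a leftover copy in the second location is one way the infection returns after a single-PC removal.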

 

2009-06-22 03:40 . 2009-01-21 06:20      60      ----a-w-      c:\windows\wpd99.drv
2009-06-22 03:40 . 2009-01-21 06:20      --------      d-----w-      c:\documents and settings\All Users\Application Data\pdf995
2009-06-18 02:45 . 2009-06-15 08:50      --------      d-----w-      c:\program files\Common Files\Adobe
2009-06-16 06:38 . 2009-06-16 06:38      --------      d-----w-      c:\program files\Vehicle Fleet Manager Data
2009-05-27 23:59 . 2009-02-25 05:23      75096      ----a-w-      c:\windows\system32\drivers\avipbb.sys
2009-05-27 23:59 . 2009-06-04 23:56      401783      ----a-w-      c:\documents and settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\TEMP\AVUPDATE_4a285f1c\validationdir\aepack.dll
2009-05-27 23:59 . 2009-06-04 23:56      180599      ----a-w-      c:\documents and settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\TEMP\AVUPDATE_4a285f1c\validationdir\aecore.dll
2009-05-18 00:00 . 2009-06-04 23:56      389497      ----a-w-      c:\documents and settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\TEMP\AVUPDATE_4a285f1c\validationdir\aescript.dll
2009-05-18 00:00 . 2009-06-04 23:56      127347      ----a-w-      c:\documents and settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\TEMP\AVUPDATE_4a285f1c\validationdir\aescn.dll
2009-05-18 00:00 . 2009-06-04 23:56      1761655      ----a-w-      c:\documents and settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\TEMP\AVUPDATE_4a285f1c\validationdir\aeheur.dll
2009-05-18 00:00 . 2009-06-04 23:56      348532      ----a-w-      c:\documents and settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\TEMP\AVUPDATE_4a285f1c\validationdir\aegen.dll
2008-02-21 06:48 . 2008-02-21 06:48      1689638      ----a-w-      c:\program files\pdemoh.exe
2008-02-21 06:41 . 2008-02-21 06:41      1139254      ----a-w-      c:\program files\wintwins23.exe
2007-08-24 08:14 . 2007-08-24 08:14      4291      ----a-w-      c:\program files\blogsofnote.blogspot[1]
2007-08-13 06:45 . 2007-08-13 06:45      1606064      ----a-w-      c:\program files\googletalk-setup.exe
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2}"= "c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL" [2009-03-07 66912]

[HKEY_CLASSES_ROOT\clsid\{0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
2009-03-07 03:00      66912      ----a-w-      c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"ntiMUI"="c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2005-05-12 45056]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"Acer Empowering Technology Monitor"="c:\windows\system32\SysMonitor.exe" [2006-04-19 49152]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2006-03-17 345088]
"eLockMonitor"="c:\acer\Empowering Technology\eLock\Monitor\LaunchMonitor.exe" [2006-04-22 16384]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2006-04-28 401408]
"AdminWorks Tray"="c:\acer\LANScope Agent\awtray.exe" [2006-04-18 1301504]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-19 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-19 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-19 114688]
"ImageItEncrypt"="c:\windows\system32\ImageItEncrypt.exe" [2005-12-30 40960]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-13 143360]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2006-11-10 249927]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" - c:\windows\system32\HdAShCut.exe [2005-01-08 61952]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-04-24 1448960]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-05-04 16206848]
"SMSERIAL"="sm56hlpr.exe" - c:\windows\sm56hlpr.exe [2005-06-06 544768]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Microsoft Office Outlook 2003.lnk - c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\outicon.exe [2006-10-5 794624]

c:\documents and settings\latiffahw\Start Menu\Programs\Startup\
Microsoft Office Outlook 2003.lnk - c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\outicon.exe [2006-10-5 794624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylockeduserid"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9999:UDP"= 9999:UDP:AdminWorks UDP Port
"2804:TCP"= 2804:TCP:AdminWorks TCP Port
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;c:\windows\system32\eLock2BurnerLockDriver.sys [7/18/2006 9:50 AM 16384]
R2 eLock2FSCTLDriver;eLock2FSCTLDriver;c:\windows\system32\eLock2FSCTLDriver.sys [7/18/2006 9:50 AM 85248]
R2 LockServ;LockServ;c:\acer\Empowering Technology\eLock\LockServ.exe -p --> c:\acer\Empowering Technology\eLock\LockServ.exe -p [?]
S2 jvlrngukc;Microsoft Task;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 1:00 PM 14336]
S2 upocvzmq;Driver Windows;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 1:00 PM 14336]
S3 PortRW;PortRW;c:\windows\system32\drivers\PortRW.sys [8/16/2003 6:57 AM 3456]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
jvlrngukc
upocvzmq
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://global.acer.com/
uInternet Settings,ProxyOverride = 127.0.0.1;localhost;*.local;*.grandperfect.com;172.*;<local>
uInternet Settings,ProxyServer = isa2006.grandperfect.com:8080
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\program files\Microsoft Firewall Client\wspwsp.dll
TCP: {820483FB-23FF-4C81-9947-532726C3BFAF} = 172.17.125.1
FF - ProfilePath - c:\documents and settings\latiffahw\Application Data\Mozilla\Firefox\Profiles\2j2ywd16.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - prefs.js: network.proxy.http - isa2006.grandperfect.com
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAskSBr.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-12 16:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\jvlrngukc]
"ServiceDll"="c:\windows\system32\vvifycbk.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\upocvzmq]
"ServiceDll"="c:\program files\Movie Maker\vvifycbk.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(700)
c:\windows\system32\ac3acm.acm
c:\windows\system32\lameACM.acm
c:\windows\system32\igfxdev.dll
.
Completion time: 2009-08-12 16:10
ComboFix-quarantined-files.txt  2009-08-12 08:10

Pre-Run: 20,335,386,624 bytes free
Post-Run: 25,195,130,880 bytes free

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
169



While the HJT log is as follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:13:00, on 12/08/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Acer\LANScope Agent\awServ.exe
C:\Acer\Empowering Technology\eLock\LockServ.exe
C:\WINDOWS\system32\lyncusb.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\SysMonitor.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\WINDOWS\SkyTel.EXE
C:\Acer\LANScope Agent\awtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Acer\Empowering Technology\eLock\Monitor\LockMon.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = isa2006.grandperfect.com:8080
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [ntiMUI] c:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Acer Empowering Technology Monitor] C:\WINDOWS\system32\SysMonitor.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe 0
O4 - HKLM\..\Run: [eLockMonitor] C:\Acer\Empowering Technology\eLock\Monitor\LaunchMonitor.exe
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [AdminWorks Tray] "C:\Acer\LANScope Agent\awtray.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [ImageItEncrypt] C:\WINDOWS\system32\ImageItEncrypt.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Microsoft Office Outlook 2003.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1160105041411
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1249979063081
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = gp.local
O17 - HKLM\Software\..\Telephony: DomainName = gp.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{820483FB-23FF-4C81-9947-532726C3BFAF}: NameServer = 172.17.125.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = gp.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = gp.local
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = gp.local
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = gp.local
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AdminWorks Agent X6 (AWService) - OSA Technologies Inc., An Avocent Company - C:\Acer\LANScope Agent\awServ.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LockServ - Unknown owner - C:\Acer\Empowering Technology\eLock\LockServ.exe
O23 - Service: Lync USB Auditor Service (LyncUSBServ) - Lync Software Pty Ltd - C:\WINDOWS\system32\lyncusb.exe

--
End of file - 7755 bytes

 

by: Jonvee | Posted on 2009-08-13 at 11:24:34 | ID: 25091286

From your HJT log you can Fix this>
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = isa2006.grandperfect.com:8080

You probably know this IP or Domain (172.17.125.1)? If you don't you can 'fix' it > 
O17 - HKLM\System\CCS\Services\Tcpip\..\{820483FB-23FF-4C81-9947-532726C3BFAF}: NameServer = 172.17.125.1

Working on your CF log but it'll take a while ...

 

by: Jonvee | Posted on 2009-08-14 at 00:37:48 | ID: 25095865

After closer inspection of the CF log I have found what appears to be further infection.
Please run combofix again on that same infected PC, using the following script >>


1. Open Notepad.
2. Copy & paste all text between the lines below, into Notepad window:
=========================================================

File::
c:\windows\system32\vvifycbk.dll
c:\program files\Movie Maker\vvifycbk.dll

Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\jvlrngukc]
"ServiceDll"="c:\windows\system32\vvifycbk.dll"
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\upocvzmq]
"ServiceDll"="c:\program files\Movie Maker\vvifycbk.dll"


==================================================
3. Now Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt just created into ComboFix.exe. This will re-start ComboFix, & hopefully the problem is removed.

5. Finally, please attach the new ComboFix logfile.

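The CFScript above targets the pattern visible in the ComboFix log: two services with random names (jvlrngukc, upocvzmq) were added to the NetSvcs svchost group, and both point their ServiceDll at the same file, vvifycbk.dll, once in system32 and once hidden in the Movie Maker folder. The script below is an added example for this thread, not ComboFix's or HijackThis's own code: it parses those three parts of a ComboFix log (the S2/R2 service lines, the Svchost NetSvcs dump and the ServiceDll registry dump), flags svchost-hosted services that show at least two independent signs of this pattern, and renders the File::/Registry:: block in the layout Jonvee used. Function names are hypothetical, SAMPLE_LOG is constructed after the thread's log rather than a real capture, and the netsvcs baseline is an assumed partial list that should be checked against a known-clean machine.

```python
"""Triage a ComboFix log for svchost-hosted services that load a rogue
ServiceDll and build the CFScript File::/Registry:: block that removes them.

Added example for this thread, not ComboFix's or HijackThis's own code.
Function names are hypothetical; SAMPLE_LOG is constructed after the
entries in the thread's log and is not a real capture.
"""
import re
from collections import Counter
from typing import Dict, List

# Constructed excerpt in ComboFix's log format (service lines, the
# NetSvcs group dump, and the ServiceDll registry dump).
SAMPLE_LOG = r"""
R2 LockServ;LockServ;c:\acer\Empowering Technology\eLock\LockServ.exe -p [?]
S2 jvlrngukc;Microsoft Task;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 1:00 PM 14336]
S2 upocvzmq;Driver Windows;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 1:00 PM 14336]
S3 PortRW;PortRW;c:\windows\system32\drivers\PortRW.sys [8/16/2003 6:57 AM 3456]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
jvlrngukc
upocvzmq
.

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\jvlrngukc]
"ServiceDll"="c:\windows\system32\vvifycbk.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\upocvzmq]
"ServiceDll"="c:\program files\Movie Maker\vvifycbk.dll"
.
"""

# Assumed (partial) baseline of the default Windows XP netsvcs group.
# Verify it against a known-clean machine before relying on it.
NETSVCS_BASELINE = {n.lower() for n in (
    "6to4", "AppMgmt", "AudioSrv", "Browser", "CryptSvc", "DMServer", "DHCP",
    "ERSvc", "EventSystem", "FastUserSwitchingCompatibility", "HidServ",
    "Ias", "Iprip", "Irmon", "LanmanServer", "LanmanWorkstation", "Messenger",
    "Netman", "Nla", "Ntmssvc", "NWCWorkstation", "Nwsapagent", "Rasauto",
    "Rasman", "Remoteaccess", "Schedule", "Seclogon", "SENS", "Sharedaccess",
    "SRService", "Tapisrv", "Themes", "TrkWks", "W32Time", "WZCSVC", "Wmi",
    "WmdmPmSp", "winmgmt", "wuauserv", "BITS", "ShellHWDetection", "helpsvc",
    "uploadmgr", "WmdmPmSN", "xmlprov", "wscsvc",
)}

# "S2 name;display;image [date size]" service lines.
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.*?) \[", re.M)
# "[HKLM\System\ControlSetNNN\Services\name]" followed by its ServiceDll value.
DLL_RE = re.compile(
    r'^\[(HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\([^\]]+))\]\r?\n'
    r'"ServiceDll"="([^"]+)"', re.M)


def parse_services(log: str) -> Dict[str, dict]:
    """Map service name -> start type, display name and image path."""
    return {name: {"start": start, "display": display, "image": image}
            for start, name, display, image in SERVICE_RE.findall(log)}


def parse_netsvcs(log: str) -> List[str]:
    """Service names listed under the 'Svchost - NetSvcs' header."""
    names, collecting = [], False
    for line in log.splitlines():
        if "\\Svchost" in line and "NetSvcs" in line:
            collecting = True
        elif collecting:
            if line.strip() in (".", ""):
                break
            names.append(line.strip())
    return names


def parse_service_dlls(log: str) -> Dict[str, dict]:
    """Map service name -> its registry key and ServiceDll path."""
    return {name: {"key": key, "dll": dll} for key, name, dll in DLL_RE.findall(log)}


def triage(log: str) -> List[dict]:
    """Flag svchost-hosted services showing at least two independent signs of
    the pattern in the thread: added to NetSvcs but unknown to the baseline,
    ServiceDll outside system32, or one DLL file name shared by services."""
    dlls = parse_service_dlls(log)
    in_group = {n.lower() for n in parse_netsvcs(log)}
    dll_users = Counter(v["dll"].rsplit("\\", 1)[-1].lower() for v in dlls.values())
    findings = []
    for name, svc in parse_services(log).items():
        if "svchost.exe -k" not in svc["image"].lower():
            continue  # only svchost-hosted services load a ServiceDll
        entry = dlls.get(name, {"key": "", "dll": ""})
        dll = entry["dll"].lower()
        reasons = []
        if name.lower() in in_group and name.lower() not in NETSVCS_BASELINE:
            reasons.append("in the NetSvcs group but not in the assumed baseline")
        if dll and not dll.startswith("c:\\windows\\system32\\"):
            reasons.append("ServiceDll outside %SystemRoot%\\system32")
        if dll and dll_users[dll.rsplit("\\", 1)[-1]] > 1:
            reasons.append("ServiceDll file name shared with another service")
        if len(reasons) >= 2:
            findings.append({"name": name, "key": entry["key"],
                             "dll": entry["dll"], "reasons": reasons})
    return findings


def build_cfscript(findings: List[dict]) -> str:
    """Render the File:: / Registry:: sections in the CFScript layout used in
    the thread; '[-KEY]' is regedit syntax for deleting a whole key."""
    files = sorted({f["dll"] for f in findings if f["dll"]})
    keys = [f["key"] for f in findings if f["key"]]
    return "\n".join(["File::", *files, "", "Registry::", *(f"[-{k}]" for k in keys), ""])


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for h in hits:
        print(f"{h['name']}: {h['dll']}  <- {'; '.join(h['reasons'])}")
    print(build_cfscript(hits))
```

Requiring two signals keeps single-signal noise down: a legitimate third-party service that is simply missing from the assumed baseline, or one that legitimately keeps its DLL outside system32, is not flagged on its own. The generated script should still be read before it is fed to ComboFix, since the tool deletes what the File:: and Registry:: sections name.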
 

by: gpitd | Posted on 2009-08-17 at 18:21:17 | ID: 25119591

Hi, here's the logfile after I followed the instructions given:

ComboFix 09-08-10.06 - latiffahw 18/08/2009  8:58.2.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3063.2598 [GMT 8:00]
Running from: c:\documents and settings\latiffahw\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\latiffahw\Desktop\CFScript.txt
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: COMODO Firewall Pro *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
"c:\program files\Movie Maker\vvifycbk.dll"
"c:\windows\system32\vvifycbk.dll"
.

(((((((((((((((((((((((((   Files Created from 2009-07-18 to 2009-08-18  )))))))))))))))))))))))))))))))
.

2009-08-12 08:12 . 2009-08-12 08:12      --------      d-----w-      c:\program files\Trend Micro
2009-08-12 07:59 . 2009-08-12 08:10      --------      d-s---w-      C:\Combo-Fix
2009-07-30 02:45 . 2008-04-13 21:42      1306624      ------w-      c:\windows\system32\msxml6.dll
2009-07-30 02:45 . 2008-04-13 21:42      1306624      ------w-      c:\windows\system32\dllcache\msxml6.dll
2009-07-30 02:45 . 2008-04-13 14:57      79872      ------w-      c:\windows\system32\msxml6r.dll
2009-07-30 02:45 . 2008-04-13 14:57      79872      ------w-      c:\windows\system32\dllcache\msxml6r.dll
2009-07-30 02:43 . 2009-07-30 02:45      --------      d-----w-      c:\windows\ServicePackFiles

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-13 00:56 . 2009-06-16 06:38      --------      d-----w-      c:\program files\Vehicle Fleet Manager
2009-07-30 02:46 . 2005-11-27 12:42      86327      ----a-w-      c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-07-07 01:00 . 2009-07-07 01:00      7680      ----a-w-      c:\documents and settings\latiffahw\Application Data\Thinstall\FramePhotoEditor\4000002f99b702i\FramePhotoEditor.exe
2009-07-02 08:40 . 2009-07-02 08:40      7680      ----a-w-      c:\documents and settings\latiffahw\Application Data\Thinstall\FramePhotoEditor\300000003400002i\dwwin.exe
2009-07-02 08:17 . 2009-07-02 08:17      --------      d-----w-      c:\documents and settings\latiffahw\Application Data\Thinstall
2009-06-26 05:37 . 2009-06-26 01:02      --------      d-----w-      c:\documents and settings\latiffahw\Application Data\MagicEffect Photo
2009-06-26 01:40 . 2009-06-26 01:39      --------      d-----w-      c:\program files\K-Lite Codec Pack
2009-06-26 01:33 . 2009-06-26 01:33      --------      d-----w-      c:\documents and settings\latiffahw\Application Data\GRETECH
2009-06-26 00:23 . 2005-11-27 13:06      --------      d--h--w-      c:\program files\InstallShield Installation Information
2009-06-22 03:40 . 2009-01-21 06:20      60      ----a-w-      c:\windows\wpd99.drv
2009-06-22 03:40 . 2009-01-21 06:20      --------      d-----w-      c:\documents and settings\All Users\Application Data\pdf995
2009-05-27 23:59 . 2009-02-25 05:23      75096      ----a-w-      c:\windows\system32\drivers\avipbb.sys
2009-05-27 23:59 . 2009-06-04 23:56      401783      ----a-w-      c:\documents and settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\TEMP\AVUPDATE_4a285f1c\validationdir\aepack.dll
2009-05-27 23:59 . 2009-06-04 23:56      180599      ----a-w-      c:\documents and settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\TEMP\AVUPDATE_4a285f1c\validationdir\aecore.dll
2008-02-21 06:48 . 2008-02-21 06:48      1689638      ----a-w-      c:\program files\pdemoh.exe
2008-02-21 06:41 . 2008-02-21 06:41      1139254      ----a-w-      c:\program files\wintwins23.exe
2007-08-24 08:14 . 2007-08-24 08:14      4291      ----a-w-      c:\program files\blogsofnote.blogspot[1]
2007-08-13 06:45 . 2007-08-13 06:45      1606064      ----a-w-      c:\program files\googletalk-setup.exe
.

(((((((((((((((((((((((((((((   SnapShot@2009-08-12_08.09.04   )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-12 23:54 . 2009-08-12 23:54      16384              c:\windows\temp\Perflib_Perfdata_60c.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2}"= "c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL" [2009-03-07 66912]

[HKEY_CLASSES_ROOT\clsid\{0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
2009-03-07 03:00      66912      ----a-w-      c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"ntiMUI"="c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2005-05-12 45056]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"Acer Empowering Technology Monitor"="c:\windows\system32\SysMonitor.exe" [2006-04-19 49152]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2006-03-17 345088]
"eLockMonitor"="c:\acer\Empowering Technology\eLock\Monitor\LaunchMonitor.exe" [2006-04-22 16384]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2006-04-28 401408]
"AdminWorks Tray"="c:\acer\LANScope Agent\awtray.exe" [2006-04-18 1301504]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-19 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-19 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-19 114688]
"ImageItEncrypt"="c:\windows\system32\ImageItEncrypt.exe" [2005-12-30 40960]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-13 143360]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2006-11-10 249927]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" - c:\windows\system32\HdAShCut.exe [2005-01-08 61952]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-04-24 1448960]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-05-04 16206848]
"SMSERIAL"="sm56hlpr.exe" - c:\windows\sm56hlpr.exe [2005-06-06 544768]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Microsoft Office Outlook 2003.lnk - c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\outicon.exe [2006-10-5 794624]

c:\documents and settings\latiffahw\Start Menu\Programs\Startup\
Microsoft Office Outlook 2003.lnk - c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\outicon.exe [2006-10-5 794624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylockeduserid"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9999:UDP"= 9999:UDP:AdminWorks UDP Port
"2804:TCP"= 2804:TCP:AdminWorks TCP Port
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;c:\windows\system32\eLock2BurnerLockDriver.sys [7/18/2006 9:50 AM 16384]
R2 eLock2FSCTLDriver;eLock2FSCTLDriver;c:\windows\system32\eLock2FSCTLDriver.sys [7/18/2006 9:50 AM 85248]
S3 PortRW;PortRW;c:\windows\system32\drivers\PortRW.sys [8/16/2003 6:57 AM 3456]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
jvlrngukc
upocvzmq
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com.my/
uInternet Connection Wizard,ShellNext = hxxp://global.acer.com/
uInternet Settings,ProxyOverride = 127.0.0.1;localhost;*.local;*.grandperfect.com;172.*;<local>
uInternet Settings,ProxyServer = isa2006.grandperfect.com:8080
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\program files\Microsoft Firewall Client\wspwsp.dll
TCP: {820483FB-23FF-4C81-9947-532726C3BFAF} = 172.17.125.1
FF - ProfilePath - c:\documents and settings\latiffahw\Application Data\Mozilla\Firefox\Profiles\2j2ywd16.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - prefs.js: network.proxy.http - isa2006.grandperfect.com
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAskSBr.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-18 09:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\jvlrngukc]
"ServiceDll"="c:\windows\system32\vvifycbk.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\upocvzmq]
"ServiceDll"="c:\program files\Movie Maker\vvifycbk.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2696)
c:\windows\system32\MSNCHATHOOK.DLL
c:\windows\system32\sysenv.dll
c:\windows\system32\CryptoAPI.dll
c:\windows\system32\MFC71U.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-08-18  9:03
ComboFix-quarantined-files.txt  2009-08-18 01:03
ComboFix2.txt  2009-08-12 08:10

Pre-Run: 25,198,206,976 bytes free
Post-Run: 25,162,502,144 bytes free

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
172

Thanks.

 

by: Jonvee, Posted on 2009-08-19 at 03:25:31, ID: 25131091

Now that you have run ComboFix, could you confirm whether you can now run Windows Update, and whether the Domain User accounts are still being locked out?

If you are still having a problem, it may well be related to the vvifycbk.dll file.  As it's proving difficult to remove, would you try running this additional script on the same infected PC and reporting back, please?


1. Open Notepad.
2. Copy & paste all text between the lines below, into Notepad window:
=========================================================

File::
c:\windows\system32\vvifycbk.dll
c:\program files\Movie Maker\vvifycbk.dll

Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\jvlrngukc]
"ServiceDll"="-

[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\upocvzmq]
"ServiceDll"="-


==================================================
3. Now Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt just created into ComboFix.exe. This will re-start ComboFix.
5. Finally, please attach the new ComboFix logfile.


If that doesn't do the trick, would you like to consider posting your question in more than one zone?  You could click on this link to select "Asking Questions", then see Step 3: Select One or More Zones >
http://www.experts-exchange.com/help.jsp
Here you are able to select or deselect any zone. Most questions can be posted in three zones.
Recommend you try this one first >
http://www.experts-exchange.com/Virus_and_Spyware/HijackThis/

Will continue to monitor and investigate further, & wait for your report back ...
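As an added illustration (not code from this thread, from Experts Exchange or from ComboFix), the script below applies the same reading the expert gave the posted log: it parses the `S2 name;display;image` service lines, the Svchost NetSvcs group list and the `ServiceDll` registry entries from a ComboFix log, then reports NetSvcs members whose DLL sits outside system32, whose DLL file name is shared by another service, or whose name looks random. The sample log is constructed from a few lines in the shape of the one posted above, and the "random name" threshold is an assumption, a weak signal only.

```python
"""Flag suspicious svchost/netsvcs services in a ComboFix log (added example,
not code from this thread or from ComboFix)."""
import re
from collections import defaultdict

# Constructed sample in the shape of the log posted in this thread (a few
# lines, not the whole log). Two netsvcs services with random-looking names
# share one ServiceDll file name in two different directories.
SAMPLE_LOG = r"""
R2 eLock2FSCTLDriver;eLock2FSCTLDriver;c:\windows\system32\eLock2FSCTLDriver.sys [7/18/2006 9:50 AM 85248]
S2 jvlrngukc;Microsoft Task;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 1:00 PM 14336]
S2 upocvzmq;Driver Windows;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 1:00 PM 14336]
S3 PortRW;PortRW;c:\windows\system32\drivers\PortRW.sys [8/16/2003 6:57 AM 3456]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
jvlrngukc
upocvzmq
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\jvlrngukc]
"ServiceDll"="c:\windows\system32\vvifycbk.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\upocvzmq]
"ServiceDll"="c:\program files\Movie Maker\vvifycbk.dll"
.
"""

# 'S2 name;display;image [date size]' lines from the services section.
SERVICE_LINE = re.compile(r"^[RS]\d\s+([^;]+);([^;]*);(.+?)\s+\[", re.M)
# '[HKLM\System\ControlSetNNN\Services\name]' followed by its ServiceDll value.
SERVICE_DLL = re.compile(
    r'^\[HKEY_LOCAL_MACHINE\\System\\[^\\\]]+\\Services\\([^\]]+)\]\n'
    r'"ServiceDll"="([^"]+)"', re.M | re.I)
SYSTEM32 = re.compile(r"^[a-z]:\\windows\\system32\\")

def parse_services(log):
    """Map service name -> (display name, image path or command line)."""
    return {m.group(1): (m.group(2), m.group(3)) for m in SERVICE_LINE.finditer(log)}

def parse_netsvcs(log):
    """Service names listed under the Svchost NetSvcs group."""
    names, in_group = [], False
    for line in log.splitlines():
        if "Svchost" in line and "NetSvcs" in line:
            in_group = True
            continue
        if in_group:
            if line.strip() in ("", "."):
                break
            names.append(line.strip())
    return names

def parse_service_dlls(log):
    """Map service name -> ServiceDll path from the registry dump."""
    return {m.group(1): m.group(2) for m in SERVICE_DLL.finditer(log)}

def looks_random(name):
    """Weak signal (assumed threshold): a long, all-lowercase, consonant-heavy
    name such as jvlrngukc. Mixed-case Windows names like TrkWks or vowel-rich
    ones like wuauserv do not trigger it."""
    if len(name) < 7 or not name.isalpha() or not name.islower():
        return False
    return sum(c in "aeiou" for c in name) / len(name) < 0.3

def find_suspicious_netsvcs(log):
    """Return {service name: [reasons]} for NetSvcs members worth a look."""
    services = parse_services(log)
    dlls = parse_service_dlls(log)
    by_basename = defaultdict(set)
    for svc, path in dlls.items():
        by_basename[path.lower().rsplit("\\", 1)[-1]].add(svc)
    findings = {}
    for name in parse_netsvcs(log):
        reasons = []
        _display, image = services.get(name, ("", ""))
        if "svchost.exe -k netsvcs" not in image.lower():
            # Seen in the first log in this thread: group member, no service line.
            reasons.append("listed in NetSvcs group without a svchost -k netsvcs service line")
        dll = dlls.get(name)
        if dll is None:
            reasons.append("no ServiceDll value found")
        else:
            if not SYSTEM32.match(dll.lower()):
                reasons.append(f"ServiceDll outside system32: {dll}")
            others = by_basename[dll.lower().rsplit("\\", 1)[-1]] - {name}
            if others:
                reasons.append(f"ServiceDll file name shared with: {', '.join(sorted(others))}")
        if looks_random(name):
            reasons.append("random-looking service name")
        if reasons:
            findings[name] = reasons
    return findings

if __name__ == "__main__":
    for svc, why in find_suspicious_netsvcs(SAMPLE_LOG).items():
        print(svc, "->", "; ".join(why))
```

ComboFix hides default NetSvcs entries, so anything this prints is already non-default; the reasons are there to prioritise which entries to check before writing a CFScript like the one above.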

 

by: gpitd, Posted on 2009-08-19 at 23:34:05, ID: 25139751

Hi, the Domain User accounts are still being locked out automatically. After running it a second time with the script you've given, WORM\Conficker.M seems not to be coming back anymore, but another variant of Conficker appeared, which is WORM\Conficker.Z.30. For Windows Update, the previous error message did not appear anymore, but it still cannot go through the update, as the following message appears:
--------------------------------------------------------------------------------------------------------------------------------------------------------
Files required to use Microsoft Update are no longer registered or installed on your computer. To continue:
- Register or reinstall the files for me now (Recommended)
- Let me read about more steps that might be required to solve the problem.

I continued with the first option and the following error occurred:
Error number: 0x8007041D
The website has encountered a problem and cannot display the page you are trying to view.
-----------------------------------------------------------------------------------------------------------------------------------------------------------

Our Active Directory server is also infected with Conficker. Is it safe to run ComboFix on it?

Here is the new ComboFix log from the same infected PC:
============================================================================
ComboFix 09-08-10.06 - latiffahw 20/08/2009 11:27.4.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.44.1033.18.3063.2552 [GMT 8:00]
Running from: c:\documents and settings\latiffahw\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\latiffahw\Desktop\CFScript.txt
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: COMODO Firewall Pro *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.
- REDUCED FUNCTIONALITY MODE -

FILE ::
"c:\program files\Movie Maker\vvifycbk.dll"
"c:\windows\system32\vvifycbk.dll"
.

(((((((((((((((((((((((((   Files Created from 2009-07-20 to 2009-08-20  )))))))))))))))))))))))))))))))
.

2009-07-30 02:45 . 2008-04-13 21:42      1306624      ------w-      c:\windows\system32\msxml6.dll
2009-07-30 02:45 . 2008-04-13 21:42      1306624      ------w-      c:\windows\system32\dllcache\msxml6.dll
2009-07-30 02:45 . 2008-04-13 14:57      79872      ------w-      c:\windows\system32\msxml6r.dll
2009-07-30 02:45 . 2008-04-13 14:57      79872      ------w-      c:\windows\system32\dllcache\msxml6r.dll
2009-07-30 02:43 . 2009-07-30 02:45      --------      d-----w-      c:\windows\ServicePackFiles

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-13 00:56 . 2009-06-16 06:38      --------      d-----w-      c:\program files\Vehicle Fleet Manager
2009-08-12 08:12 . 2009-08-12 08:12      --------      d-----w-      c:\program files\Trend Micro
2009-07-30 02:46 . 2005-11-27 12:42      86327      ----a-w-      c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-07-07 01:00 . 2009-07-07 01:00      7680      ----a-w-      c:\documents and settings\latiffahw\Application Data\Thinstall\FramePhotoEditor\4000002f99b702i\FramePhotoEditor.exe
2009-07-02 08:40 . 2009-07-02 08:40      7680      ----a-w-      c:\documents and settings\latiffahw\Application Data\Thinstall\FramePhotoEditor\300000003400002i\dwwin.exe
2009-07-02 08:17 . 2009-07-02 08:17      --------      d-----w-      c:\documents and settings\latiffahw\Application Data\Thinstall
2009-06-26 05:37 . 2009-06-26 01:02      --------      d-----w-      c:\documents and settings\latiffahw\Application Data\MagicEffect Photo
2009-06-26 01:40 . 2009-06-26 01:39      --------      d-----w-      c:\program files\K-Lite Codec Pack
2009-06-26 01:33 . 2009-06-26 01:33      --------      d-----w-      c:\documents and settings\latiffahw\Application Data\GRETECH
2009-06-26 00:23 . 2005-11-27 13:06      --------      d--h--w-      c:\program files\InstallShield Installation Information
2009-06-22 03:40 . 2009-01-21 06:20      60      ----a-w-      c:\windows\wpd99.drv
2009-06-22 03:40 . 2009-01-21 06:20      --------      d-----w-      c:\documents and settings\All Users\Application Data\pdf995
2009-05-27 23:59 . 2009-02-25 05:23      75096      ----a-w-      c:\windows\system32\drivers\avipbb.sys
2009-05-27 23:59 . 2009-06-04 23:56      401783      ----a-w-      c:\documents and settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\TEMP\AVUPDATE_4a285f1c\validationdir\aepack.dll
2009-05-27 23:59 . 2009-06-04 23:56      180599      ----a-w-      c:\documents and settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\TEMP\AVUPDATE_4a285f1c\validationdir\aecore.dll
2008-02-21 06:48 . 2008-02-21 06:48      1689638      ----a-w-      c:\program files\pdemoh.exe
2008-02-21 06:41 . 2008-02-21 06:41      1139254      ----a-w-      c:\program files\wintwins23.exe
2007-08-24 08:14 . 2007-08-24 08:14      4291      ----a-w-      c:\program files\blogsofnote.blogspot[1]
2007-08-13 06:45 . 2007-08-13 06:45      1606064      ----a-w-      c:\program files\googletalk-setup.exe
.

(((((((((((((((((((((((((((((   SnapShot@2009-08-12_08.09.04   )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-19 23:57 . 2009-08-19 23:57      16384              c:\windows\temp\Perflib_Perfdata_5f8.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2}"= "c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL" [2009-03-07 66912]

[HKEY_CLASSES_ROOT\clsid\{0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
2009-03-07 03:00      66912      ----a-w-      c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"ntiMUI"="c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2005-05-12 45056]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"Acer Empowering Technology Monitor"="c:\windows\system32\SysMonitor.exe" [2006-04-19 49152]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2006-03-17 345088]
"eLockMonitor"="c:\acer\Empowering Technology\eLock\Monitor\LaunchMonitor.exe" [2006-04-22 16384]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2006-04-28 401408]
"AdminWorks Tray"="c:\acer\LANScope Agent\awtray.exe" [2006-04-18 1301504]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-19 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-19 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-19 114688]
"ImageItEncrypt"="c:\windows\system32\ImageItEncrypt.exe" [2005-12-30 40960]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-13 143360]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2006-11-10 249927]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" - c:\windows\system32\HdAShCut.exe [2005-01-08 61952]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-04-24 1448960]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-05-04 16206848]
"SMSERIAL"="sm56hlpr.exe" - c:\windows\sm56hlpr.exe [2005-06-06 544768]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Microsoft Office Outlook 2003.lnk - c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\outicon.exe [2006-10-5 794624]

c:\documents and settings\latiffahw\Start Menu\Programs\Startup\
Microsoft Office Outlook 2003.lnk - c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\outicon.exe [2006-10-5 794624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylockeduserid"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9999:UDP"= 9999:UDP:AdminWorks UDP Port
"2804:TCP"= 2804:TCP:AdminWorks TCP Port
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;c:\windows\system32\eLock2BurnerLockDriver.sys [7/18/2006 9:50 AM 16384]
R2 eLock2FSCTLDriver;eLock2FSCTLDriver;c:\windows\system32\eLock2FSCTLDriver.sys [7/18/2006 9:50 AM 85248]
R2 LockServ;LockServ;c:\acer\Empowering Technology\eLock\LockServ.exe -p --> c:\acer\Empowering Technology\eLock\LockServ.exe -p [?]
S2 jvlrngukc;Microsoft Task;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 1:00 PM 14336]
S2 upocvzmq;Driver Windows;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 1:00 PM 14336]
S3 PortRW;PortRW;c:\windows\system32\drivers\PortRW.sys [8/16/2003 6:57 AM 3456]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
jvlrngukc
upocvzmq
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com.my/
uInternet Connection Wizard,ShellNext = hxxp://global.acer.com/
uInternet Settings,ProxyOverride = 127.0.0.1;localhost;*.local;*.grandperfect.com;172.*;<local>
uInternet Settings,ProxyServer = isa2006.grandperfect.com:8080
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\program files\Microsoft Firewall Client\wspwsp.dll
TCP: {820483FB-23FF-4C81-9947-532726C3BFAF} = 172.17.125.1
FF - ProfilePath - c:\documents and settings\latiffahw\Application Data\Mozilla\Firefox\Profiles\2j2ywd16.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - prefs.js: network.proxy.http - isa2006.grandperfect.com
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAskSBr.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-20 11:27
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\jvlrngukc]
"ServiceDll"="c:\windows\system32\vvifycbk.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\upocvzmq]
"ServiceDll"="c:\program files\Movie Maker\vvifycbk.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3220)
c:\windows\system32\MSNCHATHOOK.DLL
c:\windows\system32\sysenv.dll
c:\windows\system32\CryptoAPI.dll
c:\windows\system32\MFC71U.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-08-20 11:28
ComboFix-quarantined-files.txt  2009-08-20 03:28
ComboFix2.txt  2009-08-20 03:21
ComboFix3.txt  2009-08-18 01:03
ComboFix4.txt  2009-08-12 08:10

Pre-Run: 25,473,261,568 bytes free
Post-Run: 25,451,413,504 bytes free

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
175

=========================================================================

Thanks!

 

"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2006-04-28 401408]
"AdminWorks Tray"="c:\acer\LANScope Agent\awtray.exe" [2006-04-18 1301504]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-19 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-19 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-19 114688]
"ImageItEncrypt"="c:\windows\system32\ImageItEncrypt.exe" [2005-12-30 40960]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-13 143360]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2006-11-10 249927]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" - c:\windows\system32\HdAShCut.exe [2005-01-08 61952]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-04-24 1448960]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-05-04 16206848]
"SMSERIAL"="sm56hlpr.exe" - c:\windows\sm56hlpr.exe [2005-06-06 544768]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Microsoft Office Outlook 2003.lnk - c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\outicon.exe [2006-10-5 794624]

c:\documents and settings\latiffahw\Start Menu\Programs\Startup\
Microsoft Office Outlook 2003.lnk - c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\outicon.exe [2006-10-5 794624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylockeduserid"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9999:UDP"= 9999:UDP:AdminWorks UDP Port
"2804:TCP"= 2804:TCP:AdminWorks TCP Port
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;c:\windows\system32\eLock2BurnerLockDriver.sys [7/18/2006 9:50 AM 16384]
R2 eLock2FSCTLDriver;eLock2FSCTLDriver;c:\windows\system32\eLock2FSCTLDriver.sys [7/18/2006 9:50 AM 85248]
R2 LockServ;LockServ;c:\acer\Empowering Technology\eLock\LockServ.exe -p --> c:\acer\Empowering Technology\eLock\LockServ.exe -p [?]
S2 jvlrngukc;Microsoft Task;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 1:00 PM 14336]
S2 upocvzmq;Driver Windows;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 1:00 PM 14336]
S3 PortRW;PortRW;c:\windows\system32\drivers\PortRW.sys [8/16/2003 6:57 AM 3456]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
jvlrngukc
upocvzmq
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com.my/
uInternet Connection Wizard,ShellNext = hxxp://global.acer.com/
uInternet Settings,ProxyOverride = 127.0.0.1;localhost;*.local;*.grandperfect.com;172.*;<local>
uInternet Settings,ProxyServer = isa2006.grandperfect.com:8080
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\program files\Microsoft Firewall Client\wspwsp.dll
TCP: {820483FB-23FF-4C81-9947-532726C3BFAF} = 172.17.125.1
FF - ProfilePath - c:\documents and settings\latiffahw\Application Data\Mozilla\Firefox\Profiles\2j2ywd16.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - prefs.js: network.proxy.http - isa2006.grandperfect.com
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAskSBr.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-20 11:27
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\jvlrngukc]
"ServiceDll"="c:\windows\system32\vvifycbk.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\upocvzmq]
"ServiceDll"="c:\program files\Movie Maker\vvifycbk.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3220)
c:\windows\system32\MSNCHATHOOK.DLL
c:\windows\system32\sysenv.dll
c:\windows\system32\CryptoAPI.dll
c:\windows\system32\MFC71U.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-08-20 11:28
ComboFix-quarantined-files.txt  2009-08-20 03:28
ComboFix2.txt  2009-08-20 03:21
ComboFix3.txt  2009-08-18 01:03
ComboFix4.txt  2009-08-12 08:10

Pre-Run: 25,473,261,568 bytes free
Post-Run: 25,451,413,504 bytes free

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
175

=========================================================================

Thanks!

 

by: demazter | Posted on 2009-08-19 at 23:45:22 | ID: 25139788

I am not sure what stage you are at, but having had to deal with this virus at a large school, I can tell you the best tool to help with this is this one:
http://www.sophos.com/products/free-tools/conficker-removal-tool.html

Also, if you want to stop it spreading, use a group policy and apply the settings I have attached to disable the Task Scheduler service and remove permissions allowing anyone/anything to create a task.

The policy used is attached; you will need to rename it to .htm.

 

by: Jonvee | Posted on 2009-08-20 at 00:12:14 | ID: 25139896

Hi gpitd, thanks.
An initial check of your ComboFix log seems to show an improvement, but I'll continue to study it ...

Meanwhile, the suggestion from demazter looks promising ..

However, *if* between us we are still unable to clean your infected machine and clean your Active Directory server, may I suggest you still copy this question to the HijackThis forum for additional help; there are some excellent people there, particularly rpggamergirl:
http://www.experts-exchange.com/Virus_and_Spyware/HijackThis/
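As an added example (not from this thread, from ComboFix, or from any of the posters), here is a Python check that scans the service section of the ComboFix log posted above for the pattern a log review like Jonvee's would flag: services with random-looking names hosted under `svchost.exe -k netsvcs` whose ServiceDll sits outside system32 or whose DLL name is registered under more than one service. The XP SP3 netsvcs baseline is an assumption and deliberately partial; the excerpt lines are copied from the log above.

```python
import re
from collections import Counter

# Excerpt of the ComboFix log posted above: service list, then the ServiceDll lookups.
COMBOFIX_EXCERPT = r"""
R2 LockServ;LockServ;c:\acer\Empowering Technology\eLock\LockServ.exe -p --> c:\acer\Empowering Technology\eLock\LockServ.exe -p [?]
S2 jvlrngukc;Microsoft Task;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 1:00 PM 14336]
S2 upocvzmq;Driver Windows;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 1:00 PM 14336]
S3 PortRW;PortRW;c:\windows\system32\drivers\PortRW.sys [8/16/2003 6:57 AM 3456]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\jvlrngukc]
"ServiceDll"="c:\windows\system32\vvifycbk.dll"
--
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\upocvzmq]
"ServiceDll"="c:\program files\Movie Maker\vvifycbk.dll"
"""

# Partial baseline of names XP SP3 itself hosts in netsvcs (assumption: common members, not exhaustive).
XP_NETSVCS_BASELINE = {
    "appmgmt", "audiosrv", "bits", "browser", "cryptsvc", "dmserver", "ersvc", "eventsystem",
    "fastuserswitchingcompatibility", "helpsvc", "hidserv", "lanmanserver", "lanmanworkstation",
    "netman", "nla", "rasauto", "rasman", "remoteaccess", "schedule", "seclogon", "sens",
    "sharedaccess", "shellhwdetection", "srservice", "tapisrv", "themes", "trkwks", "w32time",
    "winmgmt", "wscsvc", "wuauserv", "wzcsvc", "xmlprov",
}

# "R2/S2 name;display name;image path [date size]" lines and the registry ServiceDll pairs.
SERVICE_LINE = re.compile(r"^[RS]\d\s+([^;]+);[^;]*;(.*?)(?:\s+\[[^\]]*\])?$", re.M)
SERVICEDLL = re.compile(r'^\[HKEY_LOCAL_MACHINE\\System\\[^\\]+\\Services\\([^\]]+)\]\r?\n'
                        r'"ServiceDll"="([^"]+)"', re.M | re.I)

def find_suspicious_netsvcs(log_text):
    """Return {service_name: [reasons]} for netsvcs-hosted services that look planted."""
    hosted = {name: path for name, path in SERVICE_LINE.findall(log_text)
              if "svchost.exe -k netsvcs" in path.lower()}
    dlls = {name.lower(): dll for name, dll in SERVICEDLL.findall(log_text)}
    dll_basenames = Counter(d.rsplit("\\", 1)[-1].lower() for d in dlls.values())
    findings = {}
    for name in hosted:
        reasons = []
        if name.lower() not in XP_NETSVCS_BASELINE:
            reasons.append("not a known XP netsvcs member")
        dll = dlls.get(name.lower(), "")
        base = dll.rsplit("\\", 1)[-1].lower()
        if dll and not dll.lower().startswith("c:\\windows\\system32\\"):
            reasons.append("ServiceDll outside system32: " + dll)
        if dll_basenames[base] > 1:
            reasons.append("same DLL name registered under several services")
        if reasons:
            findings[name] = reasons
    return findings
```

Run against the excerpt it flags only `jvlrngukc` and `upocvzmq`; the legitimate `LockServ` and `PortRW` entries are not netsvcs-hosted and are ignored.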

 

by: gpitd | Posted on 2009-08-24 at 19:25:59 | ID: 25174169

demazter: Thanks for the suggestion. We are still running Sophos on some of our machines using the standalone version and saw it can detect and clean the malware. May I ask how the network version works? Can it be run on any machine in the network and clean other PCs from there? I have tried to install it but am not sure how to run the software after that.
Jonvee: I'll post my question to the HijackThis forum as you suggested. Meanwhile we've decided to focus more on curing our servers first. Attached is the HijackThis log from one of our servers, which is also infected, and the screenshot of the log from avast antivirus. Thanks.

 

by: demazter | Posted on 2009-08-25 at 00:30:41 | ID: 25175186

Have you disabled the task scheduler as I suggested in my previous post?
This will stop it from spreading.

 

by: Jonvee | Posted on 2009-08-25 at 00:51:18 | ID: 25175244

This entry can be fixed with HijackThis, as can the entries I've stated below, but they're likely to "regenerate" >>
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = isa2006.grandperfect.com:8080

If you do not know this IP or Domain, you can fix this entry>
O17 - HKLM\System\CCS\Services\Tcpip\..\{91B86ED0-09A5-449C-946C-3BB524EDF553}: NameServer = 172.17.125.1,172.0.0.1

There are also a number of "023 - Servive:  ..... Unknown owner - C:\WINDOWS\system32\xxxxx.exe (file missing)" entries which look suspicious, but hopefully ComboFix can deal with these.

Therefore I recommend you run ComboFix on this server, as well as investigating demazter's suggestion >

 

by: Jonvee | Posted on 2009-08-25 at 00:52:59 | ID: 25175250

Sorry, "023 - Servive"  should read  "023 - Service".
