Solve: Laptop infected with W32.Rontokbro@mm?

Answer»

Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:
KillAll::

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\WINDOWS nt\currentversion\winlogon\notify\psfus]

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze.

I did it, here's the latest log:


ComboFix 09-02-19.01 - Adeeba 2009-02-22 18:02:12.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.3581.2540 [GMT -3:00]
Running from: c:\users\Adeeba\Desktop\ComboFix.exe
Command switches used :: c:\users\Adeeba\Desktop\CFScript.txt
AV: Norton Internet Security *On-access scanning disabled* (Updated)
FW: Norton Internet Security *disabled*
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-01-22 to 2009-02-22 )))))))))))))))))))))))))))))))
.

2009-02-22 17:12 . 2009-02-22 17:12  d--------  c:\users\All Users\Malwarebytes
2009-02-22 17:12 . 2009-02-22 17:12  d--------  c:\users\Adeeba\AppData\Roaming\Malwarebytes
2009-02-22 17:12 . 2009-02-22 17:12  d--------  c:\programdata\Malwarebytes
2009-02-22 17:12 . 2009-02-22 17:12  d--------  c:\program files\Malwarebytes' Anti-MALWARE
2009-02-22 17:12 . 2009-02-11 10:19  38,496  --a------  c:\windows\System32\drivers\mbamswissarmy.sys
2009-02-22 17:12 . 2009-02-11 10:19  15,504  --a------  c:\windows\System32\drivers\mbam.sys
2009-02-18 13:35 . 2009-02-18 13:46  d--------  c:\users\Adeeba\AppData\Roaming\Dev-Cpp
2009-02-18 13:34 . 2009-02-18 13:34  d--------  C:\Dev-Cpp
2009-02-18 10:05 . 2008-12-05 01:26  1,244,672  --a------  c:\windows\System32\mcmde.dll
2009-02-18 10:05 . 2008-12-05 01:29  428,032  --a------  c:\windows\System32\EncDec.dll
2009-02-18 10:05 . 2008-12-05 01:28  292,352  --a------  c:\windows\System32\psisdecd.dll
2009-02-18 10:05 . 2008-12-05 01:28  217,088  --a------  c:\windows\System32\psisrndr.ax
2009-02-18 10:05 . 2008-12-05 01:29  177,152  --a------  c:\windows\System32\mpg2splt.ax
2009-02-18 10:05 . 2008-12-05 01:27  80,896  --a------  c:\windows\System32\MSNP.ax
2009-02-18 10:05 . 2008-12-05 01:27  68,608  --a------  c:\windows\System32\Mpeg2Data.ax
2009-02-18 10:05 . 2008-12-05 01:27  57,856  --a------  c:\windows\System32\MSDvbNP.ax
2009-02-11 19:09 . 2009-02-11 19:09  118  --a------  c:\windows\System32\MRT.INI
2009-02-07 23:08 . 2009-02-08 01:10  d--------  c:\windows\BDOSCAN8
2009-01-24 23:09 . 2009-02-12 20:16  d--------  c:\users\Adeeba\random

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-22 20:42  ---------  d-----w  c:\programdata\Symantec
2009-02-22 18:46  ---------  d-----w  c:\programdata\Roxio
2009-02-12 06:00  ---------  d-----w  c:\program files\Windows Mail
2009-02-11 19:15  ---------  d-----w  c:\users\Adeeba\AppData\Roaming\LimeWire
2009-01-21 23:08  ---------  d-----w  c:\programdata\CyberLink
2009-01-15 04:16  52,736  ----a-w  c:\windows\AppPatch\iebrshim.dll
2009-01-08 01:39  27,934  ----a-w  c:\users\All Users\nvModes.dat
2009-01-08 01:39  27,934  ----a-w  c:\programdata\nvModes.dat
2009-01-06 21:35  ---------  d-----w  c:\users\Adeeba\AppData\Roaming\DivX
2009-01-06 21:32  ---------  d-----w  c:\program files\DivX
2009-01-06 21:32  ---------  d-----w  c:\program files\Common Files\PX Storage Engine
2009-01-06 19:23  806  ----a-w  c:\windows\system32\drivers\SYMEVENT.INF
2009-01-06 19:23  124,464  ----a-w  c:\windows\system32\drivers\SYMEVENT.SYS
2009-01-06 19:23  10,635  ----a-w  c:\windows\system32\drivers\SYMEVENT.CAT
2009-01-06 19:23  ---------  d-----w  c:\program files\Symantec
2008-12-29 16:20  ---------  d-----w  c:\users\Guest\AppData\Roaming\vlc
2008-12-10 19:17  174  --sha-w  c:\program files\desktop.ini
2008-10-05 02:37  0  ----a-w  c:\users\Adeeba\AppData\Roaming\wklnhst.dat
2008-09-04 22:00  76  --sh--r  c:\windows\CT4CET.bin
.

((((((((((((((((((((((((((((( [emailprotected]_15.59.16.77 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-02-22 18:55:28  262,144  --sha-w  c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2009-02-22 21:06:22  262,144  --sha-w  c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2009-02-22 18:55:28  262,144  --sha-w  c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2009-02-22 21:06:22  262,144  --sha-w  c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
- 2009-02-22 18:55:12  16,384  --sha-w  c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-02-22 21:06:12  16,384  --sha-w  c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-02-22 18:55:12  32,768  --sha-w  c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-02-22 21:06:12  32,768  --sha-w  c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-02-22 18:55:12  16,384  --sha-w  c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-02-22 21:06:12  16,384  --sha-w  c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-02-22 18:56:53  6,076  ----a-w  c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1626518161-2929080396-116505275-1000_UserData.bin
+ 2009-02-22 20:48:15  6,092  ----a-w  c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1626518161-2929080396-116505275-1000_UserData.bin
- 2009-02-22 18:56:53  72,356  ----a-w  c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-02-22 20:48:15  72,356  ----a-w  c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2009-02-22 17:18:39  43,140  ----a-w  c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-02-22 20:48:14  43,140  ----a-w  c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2007-04-17 01:13  721408  --a------  c:\program files\Fingerprint Reader Suite\farchns.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2007-04-17 01:13  721408  --a------  c:\program files\Fingerprint Reader Suite\farchns.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-09-05 1232896]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2008-10-02 1124352]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-14 206064]
"FactFinder"="c:\program files\Microsoft FactFinder\ff.exe" [2001-06-22 81920]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 7\PCSync2.exe" [2008-06-17 1249280]
"WMPNSCFG"="c:\program files\Windows MEDIA Player\WMPNSCFG.exe" [2006-11-02 201728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-01-25 167936]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2008-03-04 36864]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2008-04-09 166432]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-04-09 13515296]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-04-09 92704]
"NVHotkey"="c:\windows\system32\nvHotkey.dll" [2008-04-09 92704]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-05-16 3444736]
"PSQLLauncher"="c:\program files\Fingerprint Reader Suite\launcher.exe" [2007-04-17 49168]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-12-21 184320]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-10-19 185872]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-14 206064]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"MRT"="c:\windows\system32\MRT.exe" [2009-02-03 21244864]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2008-02-22 1193240]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-09-04 19:12 10536 c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages  REG_MULTI_SZ  scecli psqlpwd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{7B3C4EB0-20B3-4B89-B248-E7810C130E59}"= c:\program files\Dell\MediaDirect\MediaDirect.exe:Dell MediaDirect
"{627A842B-3E8F-4799-8213-1861B640F3D1}"= c:\program files\Dell\MediaDirect\PCMService.exe:CyberLink PowerCinema Resident Program
"{AC91ED12-8024-4F90-8F4A-C628C30B6DD7}"= c:\program files\Dell\MediaDirect\Kernel\DMP\CLBrowserEngine.exe:Cyberlink Media Server Browser Engine
"{0DFC109E-7369-4ADC-9E57-33354C1291D6}"= c:\program files\Dell\MediaDirect\Kernel\DMS\CLMSService.exe:CyberLink Media Server
"{57656B01-03BC-482E-999C-C75AA8FD923B}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{9FFA8897-FF49-48DC-A83A-3C507F856C54}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{3DDA4CA1-59F3-409D-B5A4-A7C6CA5D3558}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{EF8B4C7D-510D-412C-88FF-0C61E0323733}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{1020596F-1992-4F0B-BC16-78FF0BC3340F}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{E5558807-9126-4799-B51D-94498BC8F93D}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{C2D15551-E4C0-49B7-B83F-8A3ACEF8DA08}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{821A94FD-6723-401C-AAE0-1059373787BC}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{602E7440-16D9-4512-A78E-980FE6A2406D}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\ipsdefs\20090212.002\IDSvix86.sys [2009-02-16 270384]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\AEstSrv.exe [2008-09-04 73728]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2008-10-27 149352]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-10-07 99376]
R3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\System32\drivers\OEM02Dev.sys [2008-09-05 235648]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\System32\drivers\OEM02Vfx.sys [2008-09-05 7424]
R3 SYMNDISV;SYMNDISV;c:\windows\System32\drivers\symndisv.sys [2008-06-13 41008]
S3 cmo_bus;Data Modem @ CDMA Composite Device driver (WDM);c:\windows\System32\drivers\cmo_bus.sys [2008-10-05 58352]
S3 cmo_mdfl;Data Modem @ CDMA Filter;c:\windows\System32\drivers\cmo_mdfl.sys [2008-10-05 8304]
S3 cmo_mdm;Data Modem @ CDMA Drivers;c:\windows\System32\drivers\cmo_mdm.sys [2008-10-05 93904]
S3 COH_Mon;COH_Mon;c:\windows\System32\drivers\COH_Mon.sys [2007-05-29 23888]
S4 iaNvStor;Intel(R) Turbo Memory Controller;c:\windows\System32\drivers\iaNvStor.sys [2008-09-05 209408]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fc790409-b5e1-11dd-8c0e-002268995227}]
\shell\AutoRun\command - G:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-01-19 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Adeeba.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-08-26 14:19]

2009-02-22 c:\windows\Tasks\User_Feed_Synchronization-{A17C346D-D918-4BF3-888D-B1FAD8D6E04B}.job
- c:\windows\system32\msfeedssync.exe [2006-11-02 06:45]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
TCP: {8EAB7167-A061-4B3E-95F2-205C02AA3EA6} = 196.3.132.1 196.3.132.4
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-22 18:06:25
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(652)
c:\windows\system32\psqlpwd.dll
c:\program files\Fingerprint Reader Suite\homefus2.dll
c:\program files\Fingerprint Reader Suite\infra.dll

- - - - - - - > 'Explorer.exe'(1952)
c:\program files\Fingerprint Reader Suite\farchns.dll
c:\program files\Fingerprint Reader Suite\infra.dll
c:\program files\Microsoft FactFinder\FFMH.DLL
c:\users\Adeeba\AppData\Local\Temp\catchme.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\audiodg.exe
c:\program files\Fingerprint Reader Suite\upeksvr.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\BCMWLTRY.EXE
c:\windows\System32\wlanext.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\System32\stacsv.exe
c:\windows\System32\rundll32.exe
c:\windows\System32\rundll32.exe
c:\windows\System32\rundll32.exe
c:\combofix\hidec.exe
c:\program files\DellTPad\ApMsgFwd.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\DellTPad\hidfind.exe
c:\program files\DellTPad\ApntEx.exe
c:\windows\ehome\ehmsas.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Fingerprint Reader Suite\psqltray.exe
c:\program files\PC Connectivity Solution\ServiceLayer.exe
c:\program files\PC Connectivity Solution\Transports\NclUSBSrv.exe
c:\program files\Common Files\Nokia\MPAPI\MPAPI3s.exe
c:\program files\PC Connectivity Solution\Transports\NclRSSrv.exe
c:\program files\Dell Support Center\gs_agent\dsc.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\combofix\Catchme.tmp
c:\windows\System32\dllhost.exe
.
**************************************************************************
.
Completion time: 2009-02-22 18:11:25 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-22 21:10:05
ComboFix2.txt 2009-02-22 19:01:42

Pre-Run: 78,872,215,552 bytes free
Post-Run: 78,635,069,440 bytes free

242 --- E O F --- 2009-02-18 17:31:34

thanks

    • Click START then RUN
    • Now type Combofix /u in the runbox
    • Make sure there's a space between Combofix and /u
    • Then hit Enter.

The above procedure will:
    • Delete the following: ComboFix and its associated files and folders.
    • Reset the clock settings.
    • Hide file extensions, if required.
    • Hide System/Hidden files, if required.
    • Set a new, clean Restore Point.

----------

Use the Kaspersky Lab Online Scanner

In Microsoft Windows Vista, you must open the Web browser using the Run as Administrator command. From the Desktop right click the icon to open the browser and choose Run as Administrator.

  • Click on SCAN NOW
  • Click Accept.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded locate the Scan Settings and have it scan My Computer.
  • The scan will take a while, so be patient and let it finish.
When the scan is done, in the Scan is complete window, any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.

To obtain the report:
  • Click on: Save Report As
  • Next, in the Save as prompt, Save in area, select: Desktop.
  • In the File name area use KScan, or something similar.
  • In Save as type: click the drop arrow and select: Text file [*.txt]
  • Then, click: Save


Copy and paste the Kaspersky Online Scanner Report in your next reply.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

I could kick myself for what I've done. I inserted my flash drive (which was the source of the worm) to run Flash Disinfector, but somehow it didn't work, and now I've re-infected the laptop. I even SCANNED the flash drive with Norton Internet Security and it came up clean, I don't understand.

I've already uninstalled ComboFix, but I'll download it again and run it once more. I don't believe it, but I'm back to square one.

Run Flash Disinfector first, then install and run ComboFix.

Hello again

Sorry for the delay in my response. I ran the Windows Malicious Software Removal Tool, and it seems to have worked. All the symptoms of the worm seem to be gone now. I also ran Flash Disinfector for my flash drive on another computer that has XP, since I think maybe it doesn't run properly on Vista. But so far so good.

Thank you immensely for all your help!!


