I think I'm infected with a virus!

Money_Grabber13579

Money_Grabber13579 wrote: »

And did you delete all that stuff as well? Those scans were fairly quick as well. Do you not have many files on your computer? There seems to be very few items being scanned.

Got me again, didn't notice the post about all the stuff being on a USB drive.

aliEnRIK

well something keeps creating this dodgy trojan ~
C:\WINDOWS\SYSTEM32\VCMGCD32.DLL
as both SAS and combofix have deleted 6 of them now!

Also ~ your usb stick is almost certainly going to be infected (Which means your back to square one as soon as you insert it)


Open notepad and copy/paste the text in RED below

File::
c:\windows\system32\khmx0.dll

Driver::
c:\windows\system32\drivers\ lrntmn.sys


Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.




This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.

Download CCLEANER (Make sure you click 'DOWNLOAD LATEST VERSION' ~ make sure YAHOO TOOLBAR is unticked on installation)
http://www.filehippo.com/download_ccleaner/
Run the CLEANER scan (Temp files are infected)
Then run the REGISTRY scan (Backup the registry when it asks)

Then id really suggest a run of KASPERSKY ONLINE SCAN (click to scan 'MY COMPUTER')
http://www.kaspersky.com/kos/eng/partner/default/pages/default/check.html?n=1245225406761
Please post the complete log it creates (This only SCANS it DOESNT delete anything, so we'd need to see anything it finds)

Jas0n_2

Just out of curiousity I ran the Malwarebytes again

Malwarebytes' Anti-Malware 1.38
Database version: 2333
Windows 5.1.2600 Service Pack 2
25/06/2009 17:08:31
mbam-log-2009-06-25 (17-08-31).txt
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 84609
Time elapsed: 5 minute(s), 28 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 5
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\WINDOWS\system32\vcmgcd32.dll (Virus.Sality) -> Delete on reboot.
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\vcmgcd32.dll (Virus.Sality) -> Delete on reboot.
c:\Qoobox\quarantine\C\WINDOWS\system32\vcmgcd32.dll.vir (Virus.Sality) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\drivers\ksi32sk.sys.vir (Rootkit.Agent) -> Quarantined and deleted successfully.
c:\system volume information\_restore{bd51a955-c178-472e-a872-0712038d27ec}\RP14\A0000532.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\vcmgcd32.dl_ (Virus.Sality) -> Quarantined and deleted successfully.

I will do the CFScript thing now

Jas0n_2

files/248556291/log.txt.html for the log of the CFScript and combofix

(rapidshare again )

Right, I'm off to do a scan with kaspersky, or maybe not it says
<H1 id=textSection1 style="FONT: 13pt/15pt verdana; COLOR: black">The page cannot be displayed

The page you are looking for is currently unavailable. The Web site might be experiencing technical difficulties, or you may need to adjust your browser settings.</H1>

Jas0n_2

Thank you all for your help so far but I can't get onto the kaspersky online scanner...

Money_Grabber13579

Jas0n wrote: »

Thank you all for your help so far but I can't get onto the kaspersky online scanner...

Ok I'll try and see if it's working

Money_Grabber13579

If you pick the scanner out of this link:

http://www.kaspersky.co.uk/virusscanner

Does that work? Are you using internet explorer? It should work in that and probably firefox as well.

Jas0n_2

Money_Grabber13579 wrote: »

If you pick the scanner out of this link:


Does that work? Are you using internet explorer? It should work in that and probably firefox as well.

Nope, it says cannot find server, yeah I'm using internet explorer

Money_Grabber13579

Jas0n wrote: »

Nope, it says cannot find server, yeah I'm using internet explorer

Ok, that's probably a sure sign that this virus is still infecting your computer. Other's will be able to help more than I can, however another thing that we could try is Spyware Doctor.

Go here and download just spyware doctor. It can be removed after you're finished with it as it can be a resource hog!

Update and run the fullest scan there is. When I had a tricky virus, this program help to get rid of it. It may not do any good in your case, but anything's worth a try in my book!

Donnie

If there are so few files on the PC, I would just re-install XP.