globalroot\systemroot\system32\vsfoceoevocbry.dll


Post by rose6676 on Sun Aug 09, 2009 10:02 am

Hi, can you help me please... this message shows up every time I open a program or file, and at start-up. A few days ago I had a backdoor.tidserv, and I have downloaded Malwarebytes; I think it has gone, as nothing is showing up now for that. I have been running full system scans and nothing has been showing up. I am at a loss, please help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:24:27 PM, on 9/08/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18813)
Boot mode: Normal

Running processes:
C:\Program Files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Windows\WindowsMobile\wmdSync.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Users\Rose\Desktop\winlogon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\IPSBHO.DLL
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\coIEPlg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [EPSON Stylus CX5500 Series] C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATICAP.EXE /FU "C:\Windows\TEMP\E_S3B93.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MSxmlHpr] RUNDLL32.EXE C:\Windows\TEMP\msxm192z.dll,w (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MSxmlHpr] RUNDLL32.EXE C:\Windows\TEMP\msxm192z.dll,w (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - [You must be registered and logged in to see this link.]
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\coIEPlg.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: GEST Service for program management. (GEST Service) - Unknown owner - C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

--
End of file - 7553 bytes


Re: globalroot\systemroot\system32\vsfoceoevocbry.dll

Post by Belahzur on Sun Aug 09, 2009 11:27 am

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.





Re: globalroot\systemroot\system32\vsfoceoevocbry.dll

Post by rose6676 on Sun Aug 09, 2009 12:01 pm

Malwarebytes' Anti-Malware 1.40
Database version: 2584
Windows 6.0.6001 Service Pack 1

9/08/2009 9:24:57 PM
mbam-log-2009-08-09 (21-24-57).txt

Scan type: Quick Scan
Objects scanned: 81716
Time elapsed: 4 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Rose\Desktop\winlogon.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.


Although it found one, the message is still coming up.


Re: globalroot\systemroot\system32\vsfoceoevocbry.dll

Post by Origin on Sun Aug 09, 2009 7:50 pm

Download the GMER rootkit scan from here: [You must be registered and logged in to see this link.]

  1. Unzip it and start GMER.
  2. Click the >>> tab and then click the Scan button.
  3. Once done, click the Copy button.
  4. This will copy the results to your clipboard.
  5. Paste the results in your next reply.
Note:
If you're having problems with running GMER.exe, try it in safe mode. This tool works in safe mode.
You can also try renaming it since some malware blocks GMER.




Re: globalroot\systemroot\system32\vsfoceoevocbry.dll

Post by rose6676 on Tue Aug 11, 2009 9:33 am

Hi Part 1

GMER 1.0.15.15020 [8hw03f7v.exe] - [You must be registered and logged in to see this link.]
Rootkit scan 2009-08-11 18:48:03
Windows 6.0.6001 Service Pack 1


---- System - GMER 1.0.15 ----

Code 8564D2D8 ZwEnumerateKey
Code 856542E0 ZwFlushInstructionCache
Code 856EA576 ZwSaveKey
Code 8564E49E ZwSaveKeyEx
Code 85641355 IofCallDriver
Code 853E2BC6 IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCompleteRequest 82050FE2 5 Bytes JMP 853E2BCB
.text ntkrnlpa.exe!IofCallDriver 820D2F6F 5 Bytes JMP 8564135A
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 821C930B 5 Bytes JMP 856542E4
PAGE ntkrnlpa.exe!ZwEnumerateKey 8221EBA2 5 Bytes JMP 8564D2DC
PAGE ntkrnlpa.exe!ZwSaveKey 8226C523 5 Bytes JMP 856EA57A
PAGE ntkrnlpa.exe!ZwSaveKeyEx 8226C62A 5 Bytes JMP 8564E4A2

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs InCDrec.SYS (InCD File System Recognizer/Nero AG)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat InCDrec.SYS (InCD File System Recognizer/Nero AG)

---- Services - GMER 1.0.15 ----

Service C:\Windows\system32\drivers\vsfocehmietbkm.sys (*** hidden *** ) [SYSTEM] vsfocexxyhdjnf <-- ROOTKIT !!!


Re: globalroot\systemroot\system32\vsfoceoevocbry.dll

Post by rose6676 on Tue Aug 11, 2009 9:33 am

Part 2

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocexxyhdjnf
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocexxyhdjnf@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocexxyhdjnf@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocexxyhdjnf@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocexxyhdjnf@imagepath \systemroot\system32\drivers\vsfocehmietbkm.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocexxyhdjnf\main
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocexxyhdjnf\main@aid 10261
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocexxyhdjnf\main@sid 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocexxyhdjnf\main@cmddelay 14400
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocexxyhdjnf\main\delete
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocexxyhdjnf\main\injector
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocexxyhdjnf\main\injector@* vsfocewsp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocexxyhdjnf\main\tasks
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocexxyhdjnf\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocexxyhdjnf\modules@vsfocerk.sys \systemroot\system32\drivers\vsfocehmietbkm.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocexxyhdjnf\modules@vsfocecmd.dll \systemroot\system32\vsfocefxquwctr.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocexxyhdjnf\modules@vsfocelog.dat \systemroot\system32\vsfocetqyimemb.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocexxyhdjnf\modules@vsfocewsp.dll \systemroot\system32\vsfoceoevocbry.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocexxyhdjnf\modules@vsfoce.dat \systemroot\system32\vsfocersqoveba.dat
Reg HKLM\SYSTEM\ControlSet002\Services\vsfocexxyhdjnf (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\vsfocexxyhdjnf@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\vsfocexxyhdjnf@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\vsfocexxyhdjnf@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\vsfocexxyhdjnf@imagepath \systemroot\system32\drivers\vsfocehmietbkm.sys
Reg HKLM\SYSTEM\ControlSet002\Services\vsfocexxyhdjnf\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\vsfocexxyhdjnf\main@aid 10261
Reg HKLM\SYSTEM\ControlSet002\Services\vsfocexxyhdjnf\main@sid 0
Reg HKLM\SYSTEM\ControlSet002\Services\vsfocexxyhdjnf\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet002\Services\vsfocexxyhdjnf\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\vsfocexxyhdjnf\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\vsfocexxyhdjnf\main\injector@* vsfocewsp.dll
Reg HKLM\SYSTEM\ControlSet002\Services\vsfocexxyhdjnf\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\vsfocexxyhdjnf\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\vsfocexxyhdjnf\modules@vsfocerk.sys \systemroot\system32\drivers\vsfocehmietbkm.sys
Reg HKLM\SYSTEM\ControlSet002\Services\vsfocexxyhdjnf\modules@vsfocecmd.dll \systemroot\system32\vsfocefxquwctr.dll
Reg HKLM\SYSTEM\ControlSet002\Services\vsfocexxyhdjnf\modules@vsfocelog.dat \systemroot\system32\vsfocetqyimemb.dat
Reg HKLM\SYSTEM\ControlSet002\Services\vsfocexxyhdjnf\modules@vsfocewsp.dll \systemroot\system32\vsfoceoevocbry.dll
Reg HKLM\SYSTEM\ControlSet002\Services\vsfocexxyhdjnf\modules@vsfoce.dat \systemroot\system32\vsfocersqoveba.dat
Reg HKLM\SYSTEM\ControlSet003\Services\vsfocexxyhdjnf (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\vsfocexxyhdjnf@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\vsfocexxyhdjnf@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\vsfocexxyhdjnf@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\vsfocexxyhdjnf@imagepath \systemroot\system32\drivers\vsfocehmietbkm.sys
Reg HKLM\SYSTEM\ControlSet003\Services\vsfocexxyhdjnf\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\vsfocexxyhdjnf\main@aid 10261
Reg HKLM\SYSTEM\ControlSet003\Services\vsfocexxyhdjnf\main@sid 0
Reg HKLM\SYSTEM\ControlSet003\Services\vsfocexxyhdjnf\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet003\Services\vsfocexxyhdjnf\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\vsfocexxyhdjnf\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\vsfocexxyhdjnf\main\injector@* vsfocewsp.dll
Reg HKLM\SYSTEM\ControlSet003\Services\vsfocexxyhdjnf\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\vsfocexxyhdjnf\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\vsfocexxyhdjnf\modules@vsfocerk.sys \systemroot\system32\drivers\vsfocehmietbkm.sys
Reg HKLM\SYSTEM\ControlSet003\Services\vsfocexxyhdjnf\modules@vsfocecmd.dll \systemroot\system32\vsfocefxquwctr.dll
Reg HKLM\SYSTEM\ControlSet003\Services\vsfocexxyhdjnf\modules@vsfocelog.dat \systemroot\system32\vsfocetqyimemb.dat
Reg HKLM\SYSTEM\ControlSet003\Services\vsfocexxyhdjnf\modules@vsfocewsp.dll \systemroot\system32\vsfoceoevocbry.dll
Reg HKLM\SYSTEM\ControlSet003\Services\vsfocexxyhdjnf\modules@vsfoce.dat \systemroot\system32\vsfocersqoveba.dat
Reg HKLM\SYSTEM\ControlSet004\Services\vsfocexxyhdjnf (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\vsfocexxyhdjnf@start 1
Reg HKLM\SYSTEM\ControlSet004\Services\vsfocexxyhdjnf@type 1
Reg HKLM\SYSTEM\ControlSet004\Services\vsfocexxyhdjnf@group file system
Reg HKLM\SYSTEM\ControlSet004\Services\vsfocexxyhdjnf@imagepath \systemroot\system32\drivers\vsfocehmietbkm.sys
Reg HKLM\SYSTEM\ControlSet004\Services\vsfocexxyhdjnf\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\vsfocexxyhdjnf\main@aid 10261
Reg HKLM\SYSTEM\ControlSet004\Services\vsfocexxyhdjnf\main@sid 0
Reg HKLM\SYSTEM\ControlSet004\Services\vsfocexxyhdjnf\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet004\Services\vsfocexxyhdjnf\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\vsfocexxyhdjnf\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\vsfocexxyhdjnf\main\injector@* vsfocewsp.dll
Reg HKLM\SYSTEM\ControlSet004\Services\vsfocexxyhdjnf\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\vsfocexxyhdjnf\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\vsfocexxyhdjnf\modules@vsfocerk.sys \systemroot\system32\drivers\vsfocehmietbkm.sys
Reg HKLM\SYSTEM\ControlSet004\Services\vsfocexxyhdjnf\modules@vsfocecmd.dll \systemroot\system32\vsfocefxquwctr.dll
Reg HKLM\SYSTEM\ControlSet004\Services\vsfocexxyhdjnf\modules@vsfocelog.dat \systemroot\system32\vsfocetqyimemb.dat
Reg HKLM\SYSTEM\ControlSet004\Services\vsfocexxyhdjnf\modules@vsfocewsp.dll \systemroot\system32\vsfoceoevocbry.dll
Reg HKLM\SYSTEM\ControlSet004\Services\vsfocexxyhdjnf\modules@vsfoce.dat \systemroot\system32\vsfocersqoveba.dat
Reg HKLM\SYSTEM\ControlSet005\Services\vsfocexxyhdjnf (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\vsfocexxyhdjnf@start 1
Reg HKLM\SYSTEM\ControlSet005\Services\vsfocexxyhdjnf@type 1
Reg HKLM\SYSTEM\ControlSet005\Services\vsfocexxyhdjnf@group file system
Reg HKLM\SYSTEM\ControlSet005\Services\vsfocexxyhdjnf@imagepath \systemroot\system32\drivers\vsfocehmietbkm.sys
Reg HKLM\SYSTEM\ControlSet005\Services\vsfocexxyhdjnf\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\vsfocexxyhdjnf\main@aid 10261


Re: globalroot\systemroot\system32\vsfoceoevocbry.dll

Post by rose6676 on Tue Aug 11, 2009 9:34 am

Part 3

rolSet005\Services\vsfocexxyhdjnf\main@sid 0
Reg HKLM\SYSTEM\ControlSet005\Services\vsfocexxyhdjnf\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet005\Services\vsfocexxyhdjnf\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\vsfocexxyhdjnf\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\vsfocexxyhdjnf\main\injector@* vsfocewsp.dll
Reg HKLM\SYSTEM\ControlSet005\Services\vsfocexxyhdjnf\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\vsfocexxyhdjnf\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\vsfocexxyhdjnf\modules@vsfocerk.sys \systemroot\system32\drivers\vsfocehmietbkm.sys
Reg HKLM\SYSTEM\ControlSet005\Services\vsfocexxyhdjnf\modules@vsfocecmd.dll \systemroot\system32\vsfocefxquwctr.dll
Reg HKLM\SYSTEM\ControlSet005\Services\vsfocexxyhdjnf\modules@vsfocelog.dat \systemroot\system32\vsfocetqyimemb.dat
Reg HKLM\SYSTEM\ControlSet005\Services\vsfocexxyhdjnf\modules@vsfocewsp.dll \systemroot\system32\vsfoceoevocbry.dll
Reg HKLM\SYSTEM\ControlSet005\Services\vsfocexxyhdjnf\modules@vsfoce.dat \systemroot\system32\vsfocersqoveba.dat
Reg HKLM\SYSTEM\ControlSet006\Services\vsfocexxyhdjnf (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\vsfocexxyhdjnf@start 1
Reg HKLM\SYSTEM\ControlSet006\Services\vsfocexxyhdjnf@type 1
Reg HKLM\SYSTEM\ControlSet006\Services\vsfocexxyhdjnf@group file system
Reg HKLM\SYSTEM\ControlSet006\Services\vsfocexxyhdjnf@imagepath \systemroot\system32\drivers\vsfocehmietbkm.sys
Reg HKLM\SYSTEM\ControlSet006\Services\vsfocexxyhdjnf\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\vsfocexxyhdjnf\main@aid 10261
Reg HKLM\SYSTEM\ControlSet006\Services\vsfocexxyhdjnf\main@sid 0
Reg HKLM\SYSTEM\ControlSet006\Services\vsfocexxyhdjnf\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet006\Services\vsfocexxyhdjnf\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\vsfocexxyhdjnf\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\vsfocexxyhdjnf\main\injector@* vsfocewsp.dll
Reg HKLM\SYSTEM\ControlSet006\Services\vsfocexxyhdjnf\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\vsfocexxyhdjnf\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\vsfocexxyhdjnf\modules@vsfocerk.sys \systemroot\system32\drivers\vsfocehmietbkm.sys
Reg HKLM\SYSTEM\ControlSet006\Services\vsfocexxyhdjnf\modules@vsfocecmd.dll \systemroot\system32\vsfocefxquwctr.dll
Reg HKLM\SYSTEM\ControlSet006\Services\vsfocexxyhdjnf\modules@vsfocelog.dat \systemroot\system32\vsfocetqyimemb.dat
Reg HKLM\SYSTEM\ControlSet006\Services\vsfocexxyhdjnf\modules@vsfocewsp.dll \systemroot\system32\vsfoceoevocbry.dll
Reg HKLM\SYSTEM\ControlSet006\Services\vsfocexxyhdjnf\modules@vsfoce.dat \systemroot\system32\vsfocersqoveba.dat
Reg HKLM\SYSTEM\ControlSet007\Services\vsfocexxyhdjnf (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\vsfocexxyhdjnf@start 1
Reg HKLM\SYSTEM\ControlSet007\Services\vsfocexxyhdjnf@type 1
Reg HKLM\SYSTEM\ControlSet007\Services\vsfocexxyhdjnf@group file system
Reg HKLM\SYSTEM\ControlSet007\Services\vsfocexxyhdjnf@imagepath \systemroot\system32\drivers\vsfocehmietbkm.sys
Reg HKLM\SYSTEM\ControlSet007\Services\vsfocexxyhdjnf\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\vsfocexxyhdjnf\main@aid 10261
Reg HKLM\SYSTEM\ControlSet007\Services\vsfocexxyhdjnf\main@sid 0
Reg HKLM\SYSTEM\ControlSet007\Services\vsfocexxyhdjnf\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet007\Services\vsfocexxyhdjnf\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\vsfocexxyhdjnf\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\vsfocexxyhdjnf\main\injector@* vsfocewsp.dll
Reg HKLM\SYSTEM\ControlSet007\Services\vsfocexxyhdjnf\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\vsfocexxyhdjnf\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\vsfocexxyhdjnf\modules@vsfocerk.sys \systemroot\system32\drivers\vsfocehmietbkm.sys
Reg HKLM\SYSTEM\ControlSet007\Services\vsfocexxyhdjnf\modules@vsfocecmd.dll \systemroot\system32\vsfocefxquwctr.dll
Reg HKLM\SYSTEM\ControlSet007\Services\vsfocexxyhdjnf\modules@vsfocelog.dat \systemroot\system32\vsfocetqyimemb.dat
Reg HKLM\SYSTEM\ControlSet007\Services\vsfocexxyhdjnf\modules@vsfocewsp.dll \systemroot\system32\vsfoceoevocbry.dll
Reg HKLM\SYSTEM\ControlSet007\Services\vsfocexxyhdjnf\modules@vsfoce.dat \systemroot\system32\vsfocersqoveba.dat
Reg HKLM\SYSTEM\ControlSet008\Services\vsfocexxyhdjnf (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\vsfocexxyhdjnf@start 1
Reg HKLM\SYSTEM\ControlSet008\Services\vsfocexxyhdjnf@type 1
Reg HKLM\SYSTEM\ControlSet008\Services\vsfocexxyhdjnf@group file system
Reg HKLM\SYSTEM\ControlSet008\Services\vsfocexxyhdjnf@imagepath \systemroot\system32\drivers\vsfocehmietbkm.sys
Reg HKLM\SYSTEM\ControlSet008\Services\vsfocexxyhdjnf\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\vsfocexxyhdjnf\main@aid 10261
Reg HKLM\SYSTEM\ControlSet008\Services\vsfocexxyhdjnf\main@sid 0
Reg HKLM\SYSTEM\ControlSet008\Services\vsfocexxyhdjnf\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet008\Services\vsfocexxyhdjnf\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\vsfocexxyhdjnf\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\vsfocexxyhdjnf\main\injector@* vsfocewsp.dll
Reg HKLM\SYSTEM\ControlSet008\Services\vsfocexxyhdjnf\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\vsfocexxyhdjnf\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\vsfocexxyhdjnf\modules@vsfocerk.sys \systemroot\system32\drivers\vsfocehmietbkm.sys
Reg HKLM\SYSTEM\ControlSet008\Services\vsfocexxyhdjnf\modules@vsfocecmd.dll \systemroot\system32\vsfocefxquwctr.dll
Reg HKLM\SYSTEM\ControlSet008\Services\vsfocexxyhdjnf\modules@vsfocelog.dat \systemroot\system32\vsfocetqyimemb.dat
Reg HKLM\SYSTEM\ControlSet008\Services\vsfocexxyhdjnf\modules@vsfocewsp.dll \systemroot\system32\vsfoceoevocbry.dll
Reg HKLM\SYSTEM\ControlSet008\Services\vsfocexxyhdjnf\modules@vsfoce.dat \systemroot\system32\vsfocersqoveba.dat
Reg HKLM\SYSTEM\ControlSet009\Services\vsfocexxyhdjnf (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet009\Services\vsfocexxyhdjnf@start 1
Reg HKLM\SYSTEM\ControlSet009\Services\vsfocexxyhdjnf@type 1
Reg HKLM\SYSTEM\ControlSet009\Services\vsfocexxyhdjnf@group file system
Reg HKLM\SYSTEM\ControlSet009\Services\vsfocexxyhdjnf@imagepath \systemroot\system32\drivers\vsfocehmietbkm.sys
Reg HKLM\SYSTEM\ControlSet009\Services\vsfocexxyhdjnf\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet009\Services\vsfocexxyhdjnf\main@aid 10261
Reg HKLM\SYSTEM\ControlSet009\Services\vsfocexxyhdjnf\main@sid 0
Reg HKLM\SYSTEM\ControlSet009\Services\vsfocexxyhdjnf\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet009\Services\vsfocexxyhdjnf\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet009\Services\vsfocexxyhdjnf\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet009\Services\vsfocexxyhdjnf\main\injector@* vsfocewsp.dll
Reg HKLM\SYSTEM\ControlSet009\Services\vsfocexxyhdjnf\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet009\Services\vsfocexxyhdjnf\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet009\Services\vsfocexxyhdjnf\modules@vsfocerk.sys \systemroot\system32\drivers\vsfocehmietbkm.sys
Reg HKLM\SYSTEM\ControlSet009\Services\vsfocexxyhdjnf\modules@vsfocecmd.dll \systemroot\system32\vsfocefxquwctr.dll
Reg HKLM\SYSTEM\ControlSet009\Services\vsfocexxyhdjnf\modules@vsfocelog.dat \systemroot\system32\vsfocetqyimemb.dat
Reg HKLM\SYSTEM\ControlSet009\Services\vsfocexxyhdjnf\modules@vsfocewsp.dll \systemroot\system32\vsfoceoevocbry.dll
Reg HKLM\SYSTEM\ControlSet009\Services\vsfocexxyhdjnf\modules@vsfoce.dat \systemroot\system32\vsfocersqoveba.dat


Re: globalroot\systemroot\system32\vsfoceoevocbry.dll

Post by rose6676 on Tue Aug 11, 2009 9:36 am

Part 4

---- Files - GMER 1.0.15 ----

File C:\Users\Rose\AppData\Local\Temp\Low\vsfocecphlwjaqrm.tmp 1654 bytes
File C:\Users\Rose\AppData\Local\Temp\Low\vsfocefmkicakeyn.tmp 196 bytes
File C:\Windows\System32\drivers\vsfocehmietbkm.sys 65536 bytes <-- ROOTKIT !!!
File C:\Windows\System32\vsfocefxquwctr.dll 39936 bytes
File C:\Windows\System32\vsfoceoevocbry.dll 0 bytes
File C:\Windows\System32\vsfocersqoveba.dat 91 bytes
File C:\Windows\System32\vsfocetqyimemb.dat 80707 bytes

---- EOF - GMER 1.0.15 ----


Hope this helps. I had to run GMER in safe mode, and the messages are still appearing... and now the backdoor.tidserv has returned!


Re: globalroot\systemroot\system32\vsfoceoevocbry.dll

Post by Belahzur on Tue Aug 11, 2009 1:35 pm

1. If you are using Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

2. During the download, rename Combofix to Combo-Fix as follows:





3. It is important you rename Combofix during the download, but not after.
4. Please do not rename Combofix to other names, but only to the one indicated.
5. Close any open browsers.
6. We need to disable your local AV (Anti-virus) before running Combofix.

  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse click combofix's window whilst it's running. That may cause it to stall.





Re: globalroot\systemroot\system32\vsfoceoevocbry.dll

Post by rose6676 on Wed Aug 12, 2009 1:35 am

Hi, ComboFix will not run on my computer. I have tried running it as an administrator and in safe mode, but it just freezes up. I have turned off my AV, but it is still not working. Any other suggestions?


Re: globalroot\systemroot\system32\vsfoceoevocbry.dll

Post by Belahzur on Wed Aug 12, 2009 5:22 pm

Hello.

1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.]

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C).


Drivers to disable:
vsfocexxyhdjnf

Drivers to delete:
vsfocexxyhdjnf

Files to delete:
C:\Windows\System32\drivers\vsfocehmietbkm.sys
C:\Windows\System32\vsfocefxquwctr.dll
C:\Windows\System32\vsfoceoevocbry.dll
C:\Windows\System32\vsfocersqoveba.dat
C:\Windows\System32\vsfocetqyimemb.dat

Registry keys to delete:
HKLM\SYSTEM\CurrentControlSet\Services\vsfocexxyhdjnf
HKLM\SYSTEM\ControlSet002\Services\vsfocexxyhdjnf
HKLM\SYSTEM\ControlSet003\Services\vsfocexxyhdjnf
HKLM\SYSTEM\ControlSet004\Services\vsfocexxyhdjnf
HKLM\SYSTEM\ControlSet005\Services\vsfocexxyhdjnf
HKLM\SYSTEM\ControlSet006\Services\vsfocexxyhdjnf
HKLM\SYSTEM\ControlSet007\Services\vsfocexxyhdjnf
HKLM\SYSTEM\ControlSet008\Services\vsfocexxyhdjnf
HKLM\SYSTEM\ControlSet009\Services\vsfocexxyhdjnf

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.




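The GMER log rose6676 posted is what the Avenger script above was derived from: one hidden service, inline JMP hooks on ntkrnlpa.exe exports, and the service's `@imagepath` and `modules@*` values naming the DLL and .dat files on disk. The Python below is an added example, not code from this thread, from GMER or from The Avenger's author; it parses a constructed excerpt of that log, keeps only artefacts belonging to a service GMER flagged as hidden, and renders them in the Avenger script layout the helper used. It assumes `\systemroot` resolves to `C:\Windows`, and the benign `Tcpip` registry line in the sample is constructed to show that unrelated services are left alone.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt modelled on the GMER log posted in this thread; the Tcpip line is
# invented benign noise to show that unrelated service keys are not collected.
SAMPLE_GMER_LOG = r"""---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCompleteRequest 82050FE2 5 Bytes JMP 853E2BCB
.text ntkrnlpa.exe!IofCallDriver 820D2F6F 5 Bytes JMP 8564135A
PAGE ntkrnlpa.exe!ZwEnumerateKey 8221EBA2 5 Bytes JMP 8564D2DC

---- Services - GMER 1.0.15 ----

Service C:\Windows\system32\drivers\vsfocehmietbkm.sys (*** hidden *** ) [SYSTEM] vsfocexxyhdjnf <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocexxyhdjnf
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocexxyhdjnf@imagepath \systemroot\system32\drivers\vsfocehmietbkm.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocexxyhdjnf\modules@vsfocecmd.dll \systemroot\system32\vsfocefxquwctr.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocexxyhdjnf\modules@vsfocewsp.dll \systemroot\system32\vsfoceoevocbry.dll
Reg HKLM\SYSTEM\ControlSet002\Services\vsfocexxyhdjnf (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\vsfocexxyhdjnf\modules@vsfocelog.dat \systemroot\system32\vsfocetqyimemb.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip@Start 1

---- Files - GMER 1.0.15 ----

File C:\Users\Rose\AppData\Local\Temp\Low\vsfocecphlwjaqrm.tmp 1654 bytes
File C:\Windows\System32\drivers\vsfocehmietbkm.sys 65536 bytes <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----
"""

SYSTEM_ROOT = r"C:\Windows"  # assumption: where \systemroot\ resolves on the Vista box in the thread

# Line shapes as they appear in GMER 1.0.15 output
HOOK_RE = re.compile(r"^(\.text|PAGE|INIT)\s+(\S+!\S+)\s+([0-9A-F]{8})\s+\d+ Bytes\s+JMP\s+([0-9A-F]{8})")
HIDDEN_SVC_RE = re.compile(r"^Service\s+(\S+)\s+\(\*\*\* hidden \*\*\* \)\s+\[\w+\]\s+(\S+)")
REG_RE = re.compile(r"^Reg\s+(HKLM\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})\\Services\\([^\\@\s]+))\S*(?:\s+(.*))?$")
FILE_RE = re.compile(r"^File\s+(.+?)\s+\d+ bytes(.*)$")

@dataclass
class Findings:
    hooks: list = field(default_factory=list)            # (section, export, address, jmp target)
    hidden_services: dict = field(default_factory=dict)  # service name -> driver image on disk
    reg_keys: list = field(default_factory=list)         # the service key in every ControlSet
    files: list = field(default_factory=list)            # on-disk components, de-duplicated

def resolve(path):
    """Map GMER's \\systemroot\\... notation to a drive path (relies on SYSTEM_ROOT)."""
    if path.lower().startswith("\\systemroot\\"):
        return SYSTEM_ROOT + path[len("\\systemroot"):]
    return path

def _add_file(f, seen, path):
    if path.lower() not in seen:          # Windows paths are case-insensitive
        seen.add(path.lower())
        f.files.append(path)

def parse_gmer(text):
    f, seen, reg_lines = Findings(), set(), []
    for raw in text.splitlines():
        line = raw.strip()
        if m := HOOK_RE.match(line):
            f.hooks.append(m.groups())
        elif (m := HIDDEN_SVC_RE.match(line)) and "<-- ROOTKIT" in line:
            f.hidden_services[m.group(2)] = m.group(1)
        elif (m := FILE_RE.match(line)) and "<-- ROOTKIT" in m.group(2):
            _add_file(f, seen, m.group(1))
        elif line.startswith("Reg "):
            reg_lines.append(line)        # handled once the hidden service names are known
    for line in reg_lines:
        m = REG_RE.match(line)
        if not m or m.group(2) not in f.hidden_services:
            continue                      # unrelated service (e.g. Tcpip): leave it alone
        key, value = m.group(1), m.group(3) or ""
        if key not in f.reg_keys:
            f.reg_keys.append(key)
        if value.lower().startswith("\\systemroot\\"):   # @imagepath and modules@* values
            _add_file(f, seen, resolve(value))
    return f

def build_avenger_script(f):
    """Render the findings in the layout The Avenger accepts (same headers as the helper's post)."""
    svc = sorted(f.hidden_services)
    blocks = [("Drivers to disable:", svc), ("Drivers to delete:", svc),
              ("Files to delete:", sorted(f.files, key=str.lower)),
              ("Registry keys to delete:", f.reg_keys)]
    return "\n\n".join(h + "\n" + "\n".join(items) for h, items in blocks) + "\n"

if __name__ == "__main__":
    found = parse_gmer(SAMPLE_GMER_LOG)
    print(*(f"inline hook: {e} @ {a} -> JMP {t} [{s}]" for s, e, a, t in found.hooks), build_avenger_script(found), sep="\n")
```

The unflagged Temp\Low file in the sample is deliberately not collected, matching the helper's script, which only removed the driver, its modules and the service keys.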
