Author Topic: Here is a tool that might help identify whats on your machine  (Read 109625 times)

Offline Ronny

  • Retired - Product Translator
  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 13541
  • Retired - Volunteer Moderator
Re: Here is a tool that might help identify whats on your machine
« Reply #45 on: July 22, 2010, 01:57:10 PM »
Can you please attach the file to the post then?
You can click > Additional Options and attach it there; please check the list of allowed extensions.
Retired - Volunteer Moderator
Any concerns? Please send me a PM or review the Forum Policy -  update Jan 3rd 2013!

Offline baddog941

  • Newbie
  • *
  • Posts: 5
Re: Here is a tool that might help identify whats on your machine
« Reply #46 on: July 22, 2010, 02:19:54 PM »
Here's the psc-exam.txt file, generated and moved to a safe PC via sneakernet.


[attachment deleted by admin]

Offline Ronny

Re: Here is a tool that might help identify whats on your machine
« Reply #47 on: July 22, 2010, 03:08:54 PM »
Can you also post a screenshot of those connections?
You can view them, and their process, under Firewall -> View Active Connections.

Offline Ronny

Re: Here is a tool that might help identify whats on your machine
« Reply #48 on: July 22, 2010, 03:16:16 PM »
This looks suspicious

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run:
                   Ssusi: rundll32.exe "C:\WINDOWS\ofetamuxudipota.dll",Startup

The first line is the registry location; the second is a command to start malware, is my guess.

I'd also advise doing a rootkit scan with GMER (www.gmer.net) and reading this post here:
https://forums.comodo.com/virusmalware-removal-assistance/what-to-do-if-youre-infected-experience-rev3-t41380.0.html

Offline baddog941

Re: Here is a tool that might help identify whats on your machine
« Reply #49 on: July 22, 2010, 03:43:23 PM »
Thanks a bunch, I'm on it and will try all your suggestions. I just googled that .dll and your post was the only hit...

Offline Ronny

Re: Here is a tool that might help identify whats on your machine
« Reply #50 on: July 22, 2010, 04:03:22 PM »
Probably a randomly generated one... It's very suspicious.

I'd quarantine the file and upload it to www.virustotal.com to see what they make of it.
It can help you find other leads to this infection.

Offline brucine

  • Comodo's Hero
  • *****
  • Posts: 1533
Re: Here is a tool that might help identify whats on your machine
« Reply #51 on: July 22, 2010, 04:28:13 PM »
Quote
ofetamuxudipota.dll

The random alternating vowel/consonant designation is often very typical of the Vundo/Virtumonde family.

In such an event, you should find not a single, but several such dll files when browsing system32, while temp files are systematically infected upon each reboot and unusual exe files are also present under system32.

Such a situation, like every similar infection, needs the "remedy" tools to be run from a non-running partition: if there is no other solution, booting into the GUI administrator account might be enough if a non-privileged account was the one infected, but most often one will need to boot into safe mode or from an external boot device (live BartPE, Linux, or DOS USB/CD) in order to run MBAM and sometimes specific tools (VundoFix...).

Even together, such tools are most often not enough to get rid of the malware, and before rebooting into the GUI, one often needs to manually delete the parasite exe, dll, temp files, malware sys, and registry autorun keys.

If one has the nasty idea of keeping Windows Restore enabled, it should of course be disabled beforehand and its files deleted.
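
The two observations above, Ronny's reading of the Run key (rundll32.exe loading a DLL with a nonsense name) and brucine's note that Vundo-style names alternate vowels and consonants, can be turned into a quick triage filter over a psc-exam.txt report. The script below is an added example and is not part of the thread, the psc-exam tool, or Comodo's software. It assumes the report format matches the two-line excerpt quoted above (a key line ending in ":" followed by indented "Name: command" lines); the sample report is constructed for the example, with only the Ssusi line taken from the thread and the HKCU entry, the NvCplDaemon entry and the name kaxoluwezovuli made up. The vowel/consonant rule is a heuristic that produces leads, not verdicts: some legitimate names also alternate, so a hit should still be checked on VirusTotal as Ronny suggests.

```python
import ntpath
import re

# Constructed sample in the style of the psc-exam.txt excerpt quoted in this
# thread. Only the Ssusi line comes from the thread; the rest is invented.
SAMPLE_REPORT = r"""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run:
                   Ssusi: rundll32.exe "C:\WINDOWS\ofetamuxudipota.dll",Startup
                   NvCplDaemon: rundll32.exe C:\WINDOWS\system32\NvCpl.dll,NvStartup
                   CFP: "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run:
                   Bafi: rundll32.exe "C:\WINDOWS\system32\kaxoluwezovuli.dll",s
"""

VOWELS = set("aeiou")
# rundll32[.exe] followed by an optionally quoted module path, up to the
# entry-point comma or closing quote.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+)', re.IGNORECASE)


def alternation_ratio(stem: str) -> float:
    """Fraction of adjacent letter pairs that switch between vowel and consonant."""
    if len(stem) < 2:
        return 0.0
    flips = sum(1 for a, b in zip(stem, stem[1:]) if (a in VOWELS) != (b in VOWELS))
    return flips / (len(stem) - 1)


def looks_random(filename: str, min_len: int = 8, threshold: float = 0.9) -> bool:
    """Heuristic for the Vundo-style names brucine describes: an all-letter stem
    of min_len+ characters that alternates vowel/consonant almost perfectly.
    Legitimate Windows DLL names (shell32, NvCpl, ...) rarely fit this."""
    stem = ntpath.splitext(ntpath.basename(filename))[0].lower()
    return stem.isalpha() and len(stem) >= min_len and alternation_ratio(stem) >= threshold


def parse_run_entries(report: str):
    """Yield (key, value_name, command) for each entry under an 'HK...:' header.
    The format is assumed from the excerpt in the thread."""
    key = None
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.upper().startswith("HK") and line.endswith(":"):
            key = line[:-1]
            continue
        if key is None or ": " not in line:
            continue
        name, command = line.split(": ", 1)
        yield key, name, command


def rundll32_module(command: str):
    """Return the DLL path a rundll32 command loads, or None for other commands."""
    m = RUNDLL_RE.search(command)
    return m.group(1) if m else None


def suspicious_run_entries(report: str):
    """Flag autorun entries where rundll32 loads a DLL with a random-looking name."""
    hits = []
    for key, name, command in parse_run_entries(report):
        module = rundll32_module(command)
        if module and looks_random(module):
            hits.append({"key": key, "value": name, "dll": module,
                         "reason": "rundll32 loads a DLL with a random-looking name"})
    return hits


if __name__ == "__main__":
    for hit in suspicious_run_entries(SAMPLE_REPORT):
        print(f"{hit['key']}\\{hit['value']} -> {hit['dll']}  ({hit['reason']})")
```

Run against the sample, the Ssusi and Bafi entries are flagged and the NVIDIA and Comodo entries are not. The same looks_random() test can be applied to a directory listing of system32 to spot the extra DLLs brucine says accompany such an infection.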

Offline baddog941

Re: Here is a tool that might help identify whats on your machine
« Reply #52 on: July 23, 2010, 07:08:21 PM »
I changed the extension on the ofetamuxudipota.dll file to .xxx and deleted the registry entry. It has settled down a lot but I'm still seeing 70+ outbound connections with the system idling without a browser or any apps open. Will upload to virustotal.com. Still wonder what it is and why Malwarebytes and SuperAntispyware didn't flag it.
thanks a bunch for your suggestions.

Offline xj6guy

  • Newbie
  • *
  • Posts: 4
Re: Here is a tool that might help identify whats on your machine
« Reply #53 on: October 12, 2010, 09:45:14 AM »
Here's my report, let me know please.

[attachment deleted by admin]

Offline Ronny

Re: Here is a tool that might help identify whats on your machine
« Reply #54 on: October 12, 2010, 09:59:55 AM »
Hi xj6guy,

Can you please explain what the symptoms are and why you think you're infected?

Offline nmcraft

  • Newbie
  • *
  • Posts: 8
Re: Here is a tool that might help identify whats on your machine
« Reply #55 on: October 12, 2010, 10:14:28 AM »
Here is the psc-exam file.

[attachment deleted by admin]

Offline Ronny

Re: Here is a tool that might help identify whats on your machine
« Reply #56 on: October 12, 2010, 10:37:35 AM »
Hi nmcraft,

Same question to you as to xj6guy, please post your symptoms and whatever else can help understand what the problem is...

It looks like both of you are running this service:
NetTcpPortSharing: "c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe"

Are you aware of any "Port sharing" service you have installed on purpose?

Offline xj6guy

Re: Here is a tool that might help identify whats on your machine
« Reply #57 on: October 12, 2010, 10:42:33 AM »
Quote
Hi xj6guy,

Can you please explain what the symptoms are and why you think you're infected?

I have trouble installing things because it won't let me access certain registry files. Also, as to the question below, no, I do not know of any port sharing. Is there a way to turn it off? I need a program that will restore my registry while not affecting anything else. For one thing, I cannot update my Adobe Reader.

Offline Ronny

  • Retired - Product Translator
  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 13541
  • Retired - Volunteer Moderator
Re: Here is a tool that might help identify whats on your machine
« Reply #58 on: October 12, 2010, 10:47:00 AM »
I just noticed that the port sharing thingy is also active on my machine, so it's probably default .NET related.

What "certain" registry keys, what is the error message you get, and with what tool are you accessing them?

Did you use any registry cleaning/tweaking tools to "clean up" or make other changes to the registry, and do you have a restore point or a backup of those changes?

What is the error message Adobe Reader gives during install?

Offline nmcraft

Re: Here is a tool that might help identify whats on your machine
« Reply #59 on: October 13, 2010, 01:28:10 PM »
Quote
Hi nmcraft,

Same question to you as to xj6guy, please post your symptoms and whatever else can help understand what the problem is...

It looks like both of you are running this service:
NetTcpPortSharing: "c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe"

Are you aware of any "Port sharing" service you have installed on purpose?


I can't update my Comodo AV database (automatic); it always says to check my internet connection. Maybe because my ISP is unstable now, but I wonder why I can update other AV databases (Avira and Norton 360 v4).

Using XP SP3. Using TuneUp Utilities 2010 to tweak.

« Last Edit: October 13, 2010, 01:35:21 PM by nmcraft »

 
