Infected With Rootkit.tncore/trace


  • This topic is locked
13 replies to this topic

#1 Wrathchild

Wrathchild

  • Members
  • 11 posts
  • OFFLINE
  • Local time:05:51 AM

Posted 18 February 2008 - 08:53 AM

I'm helping a friend with a dinosaur of a PC (233MHz processor, 96MB RAM) that somehow runs Windows XP Pro. It's also been running for several months connected to high-speed DSL without any sort of firewall, no anti-spyware software, and an outdated McAfee anti-virus.

The biggest difficulty is getting things to run on this. Spybot S&D and Ad-Aware both found a few things, but couldn't clean them because of insufficient memory. Scanning anything takes hours.

<added>There's also something causing a lot of pop-ups when using Internet Explorer.</added>

What I have been able to do:

<added>Windows had apparently never been patched, so I applied all of the critical security patches that I could without installing SP2.</added>

Installed avast! It found a couple of Trojans, but is reporting clean now.

I also used CCleaner to clean up the registry and also shut down some obvious malware services.

AVG Anti-Spyware found a bunch of adware, but was only partly successful. SuperAnti-Spyware has been more successful.

However, SAS has not yet been able to remove RootKit.TnCore/Trace

Please help!

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:43:02 AM, on 2/18/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\WgaTray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.verizon.net/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon...DSL/tgctlcm.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1203187785108
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O24 - Desktop Component 0: (no name) - http://netmail.verizon.net/webmail/servlet...position=inline
O24 - Desktop Component 1: (no name) - http://netmail.verizon.net/webmail/servlet...position=inline
O24 - Desktop Component 2: (no name) - http://netmail.verizon.net/webmail/servlet...position=inline
O24 - Desktop Component 3: (no name) - http://netmail.verizon.net/webmail/servlet...position=inline
O24 - Desktop Component 4: (no name) - http://netservices.verizon.net/portal/msa/...v_email_off.gif

--
End of file - 4128 bytes

Edited by Wrathchild, 18 February 2008 - 03:32 PM.



#2 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • OFFLINE
  • Location:Ontario
  • Local time:06:51 AM

Posted 21 February 2008 - 03:21 AM

Hi,

Sorry for delay. We have been swamped.

If you still need assistance please do the following:

Download Deckard's System Scanner to your Desktop from one of these links:

http://www.techsupportforum.com/sectools/Deckard/dss.exe
http://deckard.geekstogo.com/dss.exe

Close all applications and windows.
Double-click on dss.exe to run it, and follow the prompts.
When the scan is complete, a text file will open - Main.txt
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of Main.txt here.
A folder, C:\Deckard\System Scanner, will also open. In it will be another text file, Extra.txt.
Please attach Extra.txt to your post.

Note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.

To attach a file to a new post, simply
Click the [Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
copy and paste the following into the "Upload File from your Computer" box:

C:\Deckard\System Scanner\Extra.txt

Click Upload.

What DSS will do:
--create a new System Restore point in Windows XP and Vista.
--clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
--check some important areas of your system and produce a report for your analyst to review.
--System Scanner automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

thanks :thumbsup:
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware

#3 Wrathchild

Wrathchild
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:05:51 AM

Posted 21 February 2008 - 07:04 PM

Sorry for delay. We have been swamped.


I understand completely. Thank you for your help.

Main.txt:


Deckard's System Scanner v20071014.68
Run by Jacquie on 2008-02-21 18:45:52
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
145: 2008-02-21 23:46:16 UTC - RP501 - Deckard's System Scanner Restore Point
144: 2008-02-21 18:58:30 UTC - RP500 - System Checkpoint
143: 2008-02-20 17:58:24 UTC - RP499 - System Checkpoint
142: 2008-02-19 17:57:08 UTC - RP498 - System Checkpoint
141: 2008-02-18 17:10:46 UTC - RP497 - System Checkpoint


-- First Restore Point --
1: 2007-11-30 00:26:23 UTC - RP357 - Shockwave Player


Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 80% (more than 75%).
Total Physical Memory: 96 MiB (512 MiB recommended).


-- HijackThis (run as Jacquie.exe) ---------------------------------------------

logfile has no content; running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-02-21 18:51:01
Platform: Windows XP Service Pack 1 (5.01.2600)
MSIE: Internet Explorer (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Documents and Settings\Jacquie\Application Data\U3\0001577060B1308C\LaunchPad.exe
C:\Documents and Settings\Jacquie\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.verizon.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: (no name) - SITEguard - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon...DSL/tgctlcm.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1203187785108
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O24 - Desktop Component 0: - http://netmail.verizon.net/webmail/servlet...ition=inline
O24 - Desktop Component 1: - http://netmail.verizon.net/webmail/servlet...ition=inline
O24 - Desktop Component 2: - http://netmail.verizon.net/webmail/servlet...ition=inline
O24 - Desktop Component 3: - http://netmail.verizon.net/webmail/servlet...ition=inline
O24 - Desktop Component 4: - http://netservices.verizon.net/portal/msa/...v_email_off.gif

--
End of file - 5697 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080217-014034-238 O2 - BHO: (no name) - {0F3A5030-1694-4B36-A55D-B5158739ED3C} - (no file)
backup-20080217-014034-262 O2 - BHO: (no name) - {6AB5B3F9-579C-4A03-8D28-38702CF10CB3} - (no file)
backup-20080217-014034-706 O2 - BHO: (no name) - {413499C3-762B-55D0-0260-5A00B6BD819C} - C:\WINDOWS\System32\uzepqq.dll (file missing)
backup-20080217-014034-719 O2 - BHO: 0 - {A3C16D8B-B996-450D-76B1-0A4F0B555481} - (no file)
backup-20080217-014034-836 O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
backup-20080217-202011-427 O4 - HKCU\..\Run: [Tela] "C:\WINDOWS\CROSOF~1\attrib.exe" -vt ndrv
backup-20080217-202011-842 O4 - HKCU\..\Run: [Drmupgds] C:\Program Files\Drmupgds\Drmupgds.exe
backup-20080217-202011-859 O4 - HKCU\..\Run: [Icnx] C:\WINDOWS\system32\??crosoft.NET\arpa.exe

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 rndismpp - c:\windows\system32\drivers\rndismpp.sys
R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
R1 SASKUTIL - c:\program files\superantispyware\saskutil.sys
R2 MASPINT - c:\windows\system32\drivers\maspint.sys <Not Verified; MicroStaff Co.,Ltd.; Aspi32 Driver for WinNT>
R3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>

S3 TnIDriver - c:\docume~1\jacquie\locals~1\temp\tnif.tmp (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {D45B1C18-C8FA-11D1-9F77-0000F805F530}
Description: NT Apm/Legacy Interface Node
Device ID: ROOT\NTAPM\0000
Manufacturer: Microsoft
Name: NT Apm/Legacy Interface Node
PNP Device ID: ROOT\NTAPM\0000
Service: NtApm


-- Scheduled Tasks -------------------------------------------------------------

2008-02-20 10:15:34 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-01-21 and 2008-02-21 -----------------------------

2008-02-17 09:32:44 0 d-------- C:\WINDOWS\System32\NtmsData
2008-02-17 07:54:08 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-17 07:53:24 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-02-17 07:53:23 0 d-------- C:\Documents and Settings\Jacquie\Application Data\SUPERAntiSpyware.com
2008-02-17 01:35:06 0 d-------- C:\Program Files\Trend Micro
2008-02-16 23:22:02 0 d-------- C:\Program Files\Alwil Software
2008-02-16 19:58:41 0 dr-h----- C:\Documents and Settings\Jacquie\Recent
2008-02-16 19:19:39 0 d-------- C:\Program Files\CCleaner
2008-02-16 15:48:25 26112 --a------ C:\WINDOWS\System32\xpsp1hfm.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-02-16 15:43:27 46352 --a------ C:\WINDOWS\setdebug.exe <Not Verified; Microsoft Corporation; Microsoft® Windows ® Operating System>
2008-02-16 15:43:26 171280 --a------ C:\WINDOWS\System32\jit.dll <Not Verified; Microsoft Corporation; Microsoft® Windows ® Operating System>
2008-02-16 15:43:25 139536 --a------ C:\WINDOWS\System32\javaee.dll <Not Verified; Microsoft Corporation; Microsoft® Windows ® Operating System>
2008-02-16 15:43:25 6550 --a------ C:\WINDOWS\jautoexp.dat
2008-02-16 15:43:24 313856 --a------ C:\WINDOWS\System32\dx3j.dll <Not Verified; Microsoft Corporation; Microsoft® DirectX for Java>
2008-02-16 15:42:58 113 --a------ C:\WINDOWS\System32\zonedon.reg
2008-02-16 15:42:57 113 --a------ C:\WINDOWS\System32\zonedoff.reg
2008-02-16 15:42:56 171792 --a------ C:\WINDOWS\System32\wjview.exe <Not Verified; Microsoft Corporation; Microsoft® Windows ® Operating System>
2008-02-16 15:42:56 286992 --a------ C:\WINDOWS\System32\vmhelper.dll <Not Verified; Microsoft Corporation; Microsoft® Windows ® Operating System>
2008-02-16 15:42:55 21264 --a------ C:\WINDOWS\System32\msjdbc10.dll <Not Verified; Microsoft Corporation; Microsoft® Windows ® Operating System>
2008-02-16 15:42:52 947472 --a------ C:\WINDOWS\System32\msjava.dll <Not Verified; Microsoft Corporation; Microsoft® Windows ® Operating System>
2008-02-16 15:42:51 154384 --a------ C:\WINDOWS\System32\msawt.dll <Not Verified; Microsoft Corporation; Microsoft® Windows ® Operating System>
2008-02-16 15:42:50 172304 --a------ C:\WINDOWS\System32\jview.exe <Not Verified; Microsoft Corporation; Microsoft® Windows ® Operating System>
2008-02-16 15:42:50 15120 --a------ C:\WINDOWS\System32\jdbgmgr.exe <Not Verified; Microsoft Corporation; Microsoft® Windows ® Operating System>
2008-02-16 15:42:48 404752 --a------ C:\WINDOWS\System32\javart.dll <Not Verified; Microsoft Corporation; Microsoft® Windows ® Operating System>
2008-02-16 15:42:48 63248 --a------ C:\WINDOWS\System32\javaprxy.dll <Not Verified; Microsoft Corporation; Microsoft® Windows ® Operating System>
2008-02-16 15:42:47 187152 --a------ C:\WINDOWS\System32\javacypt.dll <Not Verified; Microsoft Corporation; Microsoft® Windows ® Operating System>
2008-02-16 15:42:39 49424 --a------ C:\WINDOWS\System32\clspack.exe <Not Verified; Microsoft Corporation; Microsoft® Windows ® Operating System>
2008-02-16 14:05:23 0 d-------- C:\WINDOWS\System32\PreInstall
2008-02-16 14:05:06 0 d--h----- C:\WINDOWS\$hf_mig$
2008-02-16 14:04:05 0 d-------- C:\WINDOWS\System32\bits
2008-02-16 13:50:57 0 d-------- C:\WINDOWS\SoftwareDistribution
2008-02-16 13:49:56 0 d-------- C:\Documents and Settings\Jacquie\Application Data\Help
2008-02-16 13:15:38 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-02-14 21:54:55 0 d-------- C:\Documents and Settings\Jacquie\Application Data\Grisoft
2008-02-14 20:31:54 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-10 08:25:28 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-10 07:35:42 0 d-------- C:\3COM
2008-02-08 09:14:51 390144 --a------ C:\WINDOWS\System32\ldrA.exe
2008-02-08 09:14:51 390144 --a------ C:\WINDOWS\System32\ldr9.exe
2008-02-07 19:58:23 390144 --a------ C:\WINDOWS\System32\ldr8.exe
2008-02-07 19:58:23 390144 --a------ C:\WINDOWS\System32\ldr7.exe
2008-02-06 16:39:51 390144 --a------ C:\WINDOWS\System32\ldrC.exe
2008-02-06 16:39:50 390144 --a------ C:\WINDOWS\System32\ldrB.exe
2008-02-06 15:53:17 390144 --a------ C:\WINDOWS\System32\ldr6.exe
2008-02-06 15:53:17 390144 --a------ C:\WINDOWS\System32\ldr5.exe
2008-02-06 13:26:27 390144 --a------ C:\WINDOWS\System32\ldr4.exe
2008-02-06 13:26:27 390144 --a------ C:\WINDOWS\System32\ldr1.exe
2008-02-06 12:39:18 390144 --a------ C:\WINDOWS\System32\ldr3.exe
2008-02-06 12:39:18 390144 --a------ C:\WINDOWS\System32\ldr2.exe
2008-02-06 12:12:40 0 dr------- C:\Documents and Settings\NetworkService\Favorites
2008-02-06 11:59:46 390144 --a------ C:\WINDOWS\System32\ldr31.exe
2008-02-06 11:59:41 390144 --a------ C:\WINDOWS\System32\ldr30.exe
2008-02-06 11:59:06 390144 --a------ C:\WINDOWS\System32\ldr2F.exe
2008-02-06 11:58:45 25600 --a------ C:\Documents and Settings\Jacquie\~tmp1147.exe
2008-02-06 11:55:53 0 d-------- C:\Program Files\Temporary
2008-02-06 11:50:37 86016 --a------ C:\WINDOWS\System32\drivers\rndismpp.sys
2008-02-06 11:50:19 0 d-------- C:\WINDOWS\System32\cz6
2008-02-06 11:50:18 0 d-------- C:\WINDOWS\System32\rp4
2008-02-06 11:50:18 0 d-------- C:\WINDOWS\System32\ps5
2008-02-06 11:50:18 0 d-------- C:\WINDOWS\System32\bm1
2008-02-06 11:50:16 0 d-------- C:\WINDOWS\??crosoft
2008-02-06 11:49:56 0 d-------- C:\Temp
2008-01-21 17:20:06 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft


-- Find3M Report ---------------------------------------------------------------

2008-02-21 18:44:07 0 d-------- C:\Documents and Settings\Jacquie\Application Data\U3
2008-02-17 20:19:48 1397 --a------ C:\Program Files\MyWebSearch.zip
2008-02-17 07:52:36 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-17 01:07:04 0 d-------- C:\Program Files\Common Files
2008-02-16 15:51:31 0 d-------- C:\Program Files\Messenger
2008-02-16 13:52:16 0 d--h----- C:\Program Files\WindowsUpdate
2008-02-14 20:32:07 0 d-------- C:\Program Files\Lavasoft
2008-02-14 20:29:13 0 d-------- C:\Documents and Settings\Jacquie\Application Data\Lavasoft
2008-01-31 15:55:58 0 d-------- C:\Program Files\QuickTime
2008-01-24 11:18:06 0 d-------- C:\Program Files\Common Files\SupportSoft
2008-01-19 19:19:18 0 d-------- C:\Program Files\Google
2008-01-03 12:23:09 0 d-------- C:\Program Files\S4F
2008-01-03 12:20:31 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-12-04 00:34:10 768 --a------ C:\WINDOWS\System32\d3d8caps.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\bak\bak\qttask.exe" [04/21/2007 11:36 PM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [12/04/2007 08:00 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [06/21/2007 02:06 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Exif Launcher.lnk - C:\Program Files\FinePixViewer\QuickDCF.exe [1/9/2002 8:53:14 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 12:01:04 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktop"=0 (0x0)
"ForceActiveDesktopOn"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 01:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0b0b7d60-d731-11dc-ba17-006008c09b4d}]
AutoRun\command- F:\LaunchU3.exe -a




-- End of Deckard's System Scanner: finished at 2008-02-21 18:55:41 ------------

Attached Files



#4 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • OFFLINE
  • Location:Ontario
  • Local time:06:51 AM

Posted 21 February 2008 - 07:34 PM

Hi,

Thanks for the logs.

You have more going on than "RootKit.TnCore/Trace"
Looks like several other downloaders and your QuickTime will need repairs. Possibly other programs.

Please follow instructions on this page for using ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log it makes.

Notes:

--Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

--ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
--Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell me.

Let me know how the machine is running.
There will be more work to do.

Thanks :thumbsup:
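Blender's read of the DSS log above ("several other downloaders", the orphaned TnIDriver entry pointing into a temp folder, the run of identically sized ldr*.exe files) is the kind of triage a log reader does by eye. The script below, an added example that is not part of this thread and not code from HijackThis, DSS or ComboFix, automates those same cues over a constructed sample built from the entry shapes seen in the logs posted here: references to files that no longer exist, binaries loading from a temp directory, drivers the scanner could not verify, path components containing a character that is illegal in a Windows filename (the `??crosoft` lookalike), and groups of distinct files sharing one byte size. Function names and the flagging rules are this example's own.

```python
"""Triage helper for HijackThis / Deckard's System Scanner style logs.

Added example; not code from this thread or from the tools it mentions.
"""
import re
from collections import defaultdict

# Constructed sample: lines shaped like the HijackThis and DSS output posted
# in this thread (paths are copied from those logs).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Icnx] C:\WINDOWS\system32\??crosoft.NET\arpa.exe
O2 - BHO: (no name) - {413499C3-762B-55D0-0260-5A00B6BD819C} - C:\WINDOWS\System32\uzepqq.dll (file missing)
O3 - Toolbar: (no name) - SITEguard - (no file)
S3 TnIDriver - c:\docume~1\jacquie\locals~1\temp\tnif.tmp (file missing)
R2 MASPINT - c:\windows\system32\drivers\maspint.sys <Not Verified; MicroStaff Co.,Ltd.; Aspi32 Driver for WinNT>
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
2008-02-08 09:14:51 390144 --a------ C:\WINDOWS\System32\ldrA.exe
2008-02-08 09:14:51 390144 --a------ C:\WINDOWS\System32\ldr9.exe
2008-02-07 19:58:23 390144 --a------ C:\WINDOWS\System32\ldr8.exe
2008-02-16 15:48:25 26112 --a------ C:\WINDOWS\System32\xpsp1hfm.exe
2008-02-06 11:50:19 0 d-------- C:\WINDOWS\System32\cz6
2008-02-06 11:50:18 0 d-------- C:\WINDOWS\System32\rp4
2008-02-06 11:50:18 0 d-------- C:\WINDOWS\System32\ps5
"""

# DSS "Files created" line: date time size attributes path
FILE_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\d+) (\S+) (.+)$")
# A directory component named temp anywhere in the path (long or 8.3 form)
TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)
# '?' inside a path component: '?' cannot appear in a Windows filename, so the
# log is rendering a character it could not print (a lookalike directory name)
BAD_COMPONENT = re.compile(r"\\[^\\]*\?[^\\]*\\")


def flag_entry(line):
    """Return the reasons an entry deserves a second look (empty list: nothing noted)."""
    reasons = []
    if "(file missing)" in line or "(no file)" in line:
        reasons.append("orphaned entry: the referenced file no longer exists")
    if TEMP_DIR.search(line):
        reasons.append("loads from a temp directory")
    if "<Not Verified;" in line:
        reasons.append("binary has no verifiable signature")
    if BAD_COMPONENT.search(line):
        reasons.append("path component contains a character that is illegal in a filename")
    return reasons


def find_size_clusters(lines, min_count=3):
    """Group file-listing lines by byte size; return sizes shared by min_count or more files.

    Directories (size 0) are skipped, since they would always cluster.
    """
    by_size = defaultdict(list)
    for line in lines:
        m = FILE_LINE.match(line.strip())
        if m and int(m.group(3)) > 0:
            by_size[int(m.group(3))].append(m.group(5))
    return {size: paths for size, paths in by_size.items() if len(paths) >= min_count}


def triage(log_text):
    """Run both checks over a whole log; returns (flagged entries, size clusters)."""
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]
    flagged = []
    for ln in lines:
        reasons = flag_entry(ln)
        if reasons:
            flagged.append((ln, reasons))
    return flagged, find_size_clusters(lines)


if __name__ == "__main__":
    flagged, clusters = triage(SAMPLE_LOG)
    for entry, reasons in flagged:
        print(entry)
        for r in reasons:
            print("    ->", r)
    for size, paths in clusters.items():
        print(f"{len(paths)} distinct files of {size} bytes:", ", ".join(paths))
```

Run it on a saved Main.txt by passing the file's contents to `triage()`. The flags are cues for a human to follow up, not verdicts: a legitimate but poorly packaged driver can also show up as `<Not Verified;`, and an orphaned entry is only a leftover reference, which is why the responders in this thread ask for the full log rather than the flagged lines alone.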

#5 Wrathchild

Wrathchild
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:05:51 AM

Posted 21 February 2008 - 08:16 PM

You have more going on than "RootKit.TnCore/Trace"
Looks like several other downloaders and your QuickTime will need repairs. Possibly other programs.

I'm not surprised.

I haven't seen any browser pop-ups yet.

Here's the log:

ComboFix 08-02-22 - Jacquie 2008-02-21 19:55:04.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.10 [GMT -5:00]
Running from: C:\Documents and Settings\Jacquie\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Jacquie\~tmp1147.exe
C:\Program Files\Temporary
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\isgTi19
C:\Temp\isgTi19\lPig.log
C:\temp\tn3
C:\WINDOWS\crosof~1
C:\WINDOWS\crosof~1\??crosoft\
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\rndismpp.sys
C:\WINDOWS\system32\ldr1.tmp
C:\WINDOWS\system32\ldr2.tmp
C:\WINDOWS\system32\ldr3.tmp
C:\WINDOWS\system32\ldr4.tmp
C:\WINDOWS\system32\ldr5.tmp
C:\WINDOWS\system32\ldr6.tmp
C:\WINDOWS\system32\ldr7.tmp
C:\WINDOWS\system32\ldr8.tmp
C:\WINDOWS\system32\ldr9.tmp
C:\WINDOWS\system32\ldrA.tmp
C:\WINDOWS\system32\ldrB.tmp
C:\WINDOWS\system32\ldrC.tmp
C:\WINDOWS\system32\ldrD.tmp
C:\WINDOWS\system32\ldrE.tmp
C:\WINDOWS\system32\ldrF.tmp
C:\WINDOWS\system32\pac.txt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_RNDISMPP
-------\rndismpp


((((((((((((((((((((((((( Files Created from 2008-01-22 to 2008-02-22 )))))))))))))))))))))))))))))))
.

2008-02-21 18:45 . 2008-02-21 18:45 <DIR> d-------- C:\Deckard
2008-02-21 18:45 . 2008-02-21 18:45 0 --a------ C:\LOGA.tmp
2008-02-19 19:19 . 2008-02-19 19:20 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-18 17:02 . 2001-08-17 22:36 112,640 --a--c--- C:\WINDOWS\system32\dllcache\xrxwiadr.dll
2008-02-18 17:02 . 2001-08-17 22:36 23,040 --a--c--- C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2008-02-18 17:01 . 2001-08-17 22:37 99,865 --a--c--- C:\WINDOWS\system32\dllcache\xlog.exe
2008-02-18 17:01 . 2001-08-17 22:37 27,648 --a--c--- C:\WINDOWS\system32\dllcache\xrxftplt.exe
2008-02-18 17:01 . 2001-08-17 12:49 18,688 --a--c--- C:\WINDOWS\system32\dllcache\wvchntxx.sys
2008-02-18 17:01 . 2001-08-17 22:36 17,408 --a--c--- C:\WINDOWS\system32\dllcache\xrxscnui.dll
2008-02-18 17:01 . 2001-08-17 12:11 16,970 --a--c--- C:\WINDOWS\system32\dllcache\xem336n5.sys
2008-02-18 17:01 . 2001-08-17 12:49 12,160 --a--c--- C:\WINDOWS\system32\dllcache\wsiintxx.sys
2008-02-18 17:01 . 2001-08-17 22:36 7,680 --a--c--- C:\WINDOWS\system32\dllcache\wshirda.dll
2008-02-18 17:01 . 2001-08-17 22:37 4,608 --a--c--- C:\WINDOWS\system32\dllcache\xrxflnch.exe
2008-02-18 17:00 . 2002-08-28 22:59 154,624 --a--c--- C:\WINDOWS\system32\dllcache\wlluc48.sys
2008-02-18 17:00 . 2001-08-17 12:12 34,890 --a--c--- C:\WINDOWS\system32\dllcache\wlandrv2.sys
2008-02-18 17:00 . 2001-08-17 13:58 8,064 --a--c--- C:\WINDOWS\system32\dllcache\wmiacpi.sys
2008-02-18 16:59 . 2001-08-17 13:28 771,581 --a--c--- C:\WINDOWS\system32\dllcache\winacisa.sys
2008-02-18 16:59 . 2001-08-17 13:28 701,386 --a--c--- C:\WINDOWS\system32\dllcache\wdhaalba.sys
2008-02-18 16:59 . 2001-08-17 22:36 87,040 --a--c--- C:\WINDOWS\system32\dllcache\wiafbdrv.dll
2008-02-18 16:59 . 2001-08-17 22:36 53,760 --a--c--- C:\WINDOWS\system32\dllcache\wiamsmud.dll
2008-02-18 16:59 . 2001-08-17 12:10 35,871 --a--c--- C:\WINDOWS\system32\dllcache\wbfirdma.sys
2008-02-18 16:59 . 2001-08-17 14:03 30,208 --a--c--- C:\WINDOWS\system32\dllcache\wceusbsh.sys
2008-02-18 16:59 . 2001-08-17 12:49 23,680 --a--c--- C:\WINDOWS\system32\dllcache\wch7xxnt.sys
2008-02-18 16:57 . 2001-08-17 13:28 794,654 --a--c--- C:\WINDOWS\system32\dllcache\usr1801.sys
2008-02-18 16:56 . 2001-08-17 22:36 525,568 --a--c--- C:\WINDOWS\system32\dllcache\tridxp.dll
2008-02-18 16:55 . 2001-08-17 14:56 440,576 --a--c--- C:\WINDOWS\system32\dllcache\tridkb.dll
2008-02-18 16:54 . 2001-08-17 12:13 37,961 --a--c--- C:\WINDOWS\system32\dllcache\tdk100b.sys
2008-02-18 16:52 . 2001-08-17 12:18 285,760 --a--c--- C:\WINDOWS\system32\dllcache\stlnata.sys
2008-02-18 16:52 . 2001-08-17 22:36 155,648 --a--c--- C:\WINDOWS\system32\dllcache\stlnprop.dll
2008-02-18 16:52 . 2001-08-17 22:36 99,328 --a--c--- C:\WINDOWS\system32\dllcache\srusd.dll
2008-02-18 16:52 . 2001-08-17 22:36 53,248 --a--c--- C:\WINDOWS\system32\dllcache\stlncoin.dll
2008-02-18 16:52 . 2001-08-17 12:11 48,736 --a--c--- C:\WINDOWS\system32\dllcache\srwlnd5.sys
2008-02-18 16:52 . 2001-08-17 22:36 24,660 --a--c--- C:\WINDOWS\system32\dllcache\spxupchk.dll
2008-02-18 16:52 . 2001-08-17 13:51 16,896 --a--c--- C:\WINDOWS\system32\dllcache\stcusb.sys
2008-02-18 16:51 . 2001-08-17 22:36 114,688 --a--c--- C:\WINDOWS\system32\dllcache\sonypi.dll
2008-02-18 16:51 . 2001-08-17 22:36 106,584 --a--c--- C:\WINDOWS\system32\dllcache\spdports.dll
2008-02-18 16:51 . 2001-08-17 13:51 61,824 --a--c--- C:\WINDOWS\system32\dllcache\speed.sys
2008-02-18 16:51 . 2001-08-17 12:51 37,040 --a--c--- C:\WINDOWS\system32\dllcache\sonypi.sys
2008-02-18 16:51 . 2001-08-17 12:51 20,752 --a--c--- C:\WINDOWS\system32\dllcache\sonync.sys
2008-02-18 16:51 . 2001-08-17 14:07 19,072 --a--c--- C:\WINDOWS\system32\dllcache\sparrow.sys
2008-02-18 16:51 . 2001-08-17 13:53 9,600 --a--c--- C:\WINDOWS\system32\dllcache\sonymc.sys
2008-02-18 16:51 . 2001-08-17 13:56 7,552 --a--c--- C:\WINDOWS\system32\dllcache\sonypvu1.sys
2008-02-18 16:51 . 2001-08-17 13:52 7,296 --a--c--- C:\WINDOWS\system32\dllcache\sonyait.sys
2008-02-18 16:51 . 2001-08-17 13:53 7,040 --a--c--- C:\WINDOWS\system32\dllcache\snyaitmc.sys
2008-02-18 16:45 . 2001-08-17 14:56 252,032 --a--c--- C:\WINDOWS\system32\dllcache\sis300iv.dll
2008-02-18 16:44 . 2001-08-17 22:36 495,616 --a--c--- C:\WINDOWS\system32\dllcache\sblfx.dll
2008-02-18 16:43 . 2001-08-17 14:56 245,632 --a--c--- C:\WINDOWS\system32\dllcache\s3savmx.dll
2008-02-18 16:42 . 2001-08-17 13:28 899,146 --a--c--- C:\WINDOWS\system32\dllcache\r2mdkxga.sys
2008-02-18 16:42 . 2001-08-17 13:28 714,762 --a--c--- C:\WINDOWS\system32\dllcache\r2mdmkxx.sys
2008-02-18 16:42 . 2001-08-17 22:36 86,097 --a--c--- C:\WINDOWS\system32\dllcache\reslog32.dll
2008-02-18 16:42 . 2001-08-17 13:50 75,008 --a--c--- C:\WINDOWS\system32\dllcache\rocket.sys
2008-02-18 16:42 . 2001-08-17 22:36 41,472 --a--c--- C:\WINDOWS\system32\dllcache\qvusd.dll
2008-02-18 16:42 . 2001-08-17 12:12 37,563 --a--c--- C:\WINDOWS\system32\dllcache\rlnet5.sys
2008-02-18 16:42 . 2001-08-17 13:51 19,584 --a--c--- C:\WINDOWS\system32\dllcache\rasirda.sys
2008-02-18 16:42 . 2001-08-17 22:36 9,216 --a--c--- C:\WINDOWS\system32\dllcache\rsmgrstr.dll
2008-02-18 16:42 . 2001-08-17 12:19 3,840 --a--c--- C:\WINDOWS\system32\dllcache\rpfun.sys
2008-02-18 16:42 . 2001-08-17 13:53 3,328 --a--c--- C:\WINDOWS\system32\dllcache\qv2kux.sys
2008-02-18 16:40 . 2002-08-29 03:40 252,672 --a--c--- C:\WINDOWS\system32\dllcache\perm3dd.dll
2008-02-18 16:39 . 2001-08-17 14:05 351,616 --a--c--- C:\WINDOWS\system32\dllcache\ovcodek2.sys
2008-02-18 16:38 . 2001-08-17 12:50 198,144 --a--c--- C:\WINDOWS\system32\dllcache\nv3.sys
2008-02-18 16:38 . 2001-08-17 22:36 123,776 --a--c--- C:\WINDOWS\system32\dllcache\nv3.dll
2008-02-18 16:38 . 2001-08-17 12:49 51,552 --a--c--- C:\WINDOWS\system32\dllcache\ntgrip.sys
2008-02-18 16:38 . 2001-08-17 13:51 23,552 --a--c--- C:\WINDOWS\system32\dllcache\nscirda.sys
2008-02-18 16:38 . 2001-08-17 13:53 7,552 --a--c--- C:\WINDOWS\system32\dllcache\nsmmc.sys
2008-02-18 16:37 . 2002-08-28 22:59 132,695 --a--c--- C:\WINDOWS\system32\dllcache\netwlan5.sys
2008-02-18 16:37 . 2001-08-17 12:20 126,080 --a--c--- C:\WINDOWS\system32\dllcache\nm5a2wdm.sys
2008-02-18 16:37 . 2001-08-17 12:20 87,040 --a--c--- C:\WINDOWS\system32\dllcache\nm6wdm.sys
2008-02-18 16:37 . 2001-08-17 12:11 65,278 --a--c--- C:\WINDOWS\system32\dllcache\netflx3.sys
2008-02-18 16:37 . 2001-08-17 22:36 60,480 --a--c--- C:\WINDOWS\system32\dllcache\neo20xx.dll
2008-02-18 16:37 . 2001-08-17 12:50 39,264 --a--c--- C:\WINDOWS\system32\dllcache\neo20xx.sys
2008-02-18 16:37 . 2001-08-17 12:12 32,840 --a--c--- C:\WINDOWS\system32\dllcache\ngrpci.sys
2008-02-18 16:37 . 2001-08-17 13:49 15,872 --a--c--- C:\WINDOWS\system32\dllcache\ne2000.sys
2008-02-18 16:35 . 2001-08-17 14:06 47,616 --a--c--- C:\WINDOWS\system32\dllcache\mstape.sys
2008-02-18 16:35 . 2001-08-17 13:51 20,096 --a--c--- C:\WINDOWS\system32\dllcache\msircomm.sys
2008-02-18 16:35 . 2001-08-17 13:48 12,416 --a--c--- C:\WINDOWS\system32\dllcache\msriffwv.sys
2008-02-18 16:35 . 2001-08-17 14:00 2,944 --a--c--- C:\WINDOWS\system32\dllcache\msmpu401.sys
2008-02-18 16:34 . 2001-08-17 14:06 52,096 --a--c--- C:\WINDOWS\system32\dllcache\msdv.sys
2008-02-18 16:34 . 2001-08-17 22:37 42,496 --a--c--- C:\WINDOWS\system32\dllcache\msdvbnp.ax
2008-02-18 16:34 . 2001-08-17 14:02 35,200 --a--c--- C:\WINDOWS\system32\dllcache\msgame.sys
2008-02-18 16:34 . 2001-08-17 13:48 6,016 --a--c--- C:\WINDOWS\system32\dllcache\msfsio.sys
2008-02-18 16:33 . 2001-08-17 12:50 320,384 --a--c--- C:\WINDOWS\system32\dllcache\mgaum.sys
2008-02-18 16:33 . 2001-08-17 13:52 17,280 --a--c--- C:\WINDOWS\system32\dllcache\mraid35x.sys
2008-02-18 16:33 . 2001-08-17 14:07 14,336 --a--c--- C:\WINDOWS\system32\dllcache\mpe.sys
2008-02-18 16:33 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-02-18 16:33 . 2001-08-17 13:52 6,528 --a--c--- C:\WINDOWS\system32\dllcache\miniqic.sys
2008-02-18 16:31 . 2001-08-17 13:28 727,786 --a--c--- C:\WINDOWS\system32\dllcache\ltck000c.sys
2008-02-18 16:30 . 2001-08-17 22:36 242,176 --a--c--- C:\WINDOWS\system32\dllcache\kdsusd.dll
2008-02-18 16:30 . 2001-08-17 22:36 45,568 --a--c--- C:\WINDOWS\system32\dllcache\kdsui.dll
2008-02-18 16:30 . 2001-08-17 13:48 13,952 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2008-02-18 16:30 . 2001-08-17 22:36 8,704 --a--c--- C:\WINDOWS\system32\dllcache\kbdjpn.dll
2008-02-18 16:30 . 2001-08-17 22:36 8,192 --a--c--- C:\WINDOWS\system32\dllcache\kbdkor.dll
2008-02-18 16:28 . 2001-08-17 22:36 90,200 --a--c--- C:\WINDOWS\system32\dllcache\io8ports.dll
2008-02-18 16:28 . 2001-08-17 12:12 45,632 --a--c--- C:\WINDOWS\system32\dllcache\ip5515.sys
2008-02-18 16:28 . 2001-08-17 13:50 38,784 --a--c--- C:\WINDOWS\system32\dllcache\io8.sys
2008-02-18 16:28 . 2001-08-17 13:52 16,000 --a--c--- C:\WINDOWS\system32\dllcache\ini910u.sys
2008-02-18 16:28 . 2001-08-17 13:47 13,056 --a--c--- C:\WINDOWS\system32\dllcache\inport.sys
2008-02-18 16:25 . 2002-06-25 14:10 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-02-18 16:23 . 2001-08-17 13:28 907,456 --a--c--- C:\WINDOWS\system32\dllcache\hcf_msft.sys
2008-02-18 16:22 . 2001-08-17 14:56 1,733,120 --a--c--- C:\WINDOWS\system32\dllcache\g400d.dll
2008-02-18 16:22 . 2001-08-17 14:56 470,144 --a--c--- C:\WINDOWS\system32\dllcache\g200d.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-21 23:58 --------- d-----w C:\Documents and Settings\Jacquie\Application Data\U3
2008-02-17 12:52 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-15 01:32 --------- d-----w C:\Program Files\Lavasoft
2008-02-15 01:29 --------- d-----w C:\Documents and Settings\Jacquie\Application Data\Lavasoft
2008-01-31 20:55 --------- d-----w C:\Program Files\QuickTime
2008-01-24 16:18 --------- d-----w C:\Program Files\Common Files\SupportSoft
2008-01-21 22:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-20 01:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-01-20 00:19 --------- d-----w C:\Program Files\Google
2008-01-18 04:29 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-17 16:33 389,120 ----a-w C:\WINDOWS\java\GoToAssist_phone__268_en.exe
2008-01-03 17:23 --------- d-----w C:\Program Files\S4F
2008-01-03 17:20 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-14 16:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2006-08-20 18:35 774,144 ----a-w C:\Program Files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\bak\bak\qttask.exe" [2007-04-21 23:36 77824]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00 79224]
"combofix"="C:\WINDOWS\system32\kmd.exe" [2001-08-23 07:00 375808]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Exif Launcher.lnk - C:\Program Files\FinePixViewer\QuickDCF.exe [2002-01-09 20:53:14 200704]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04 83360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktop"= 0 (0x0)
"ForceActiveDesktopOn"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe

R3 AtiBt829;WDM Video Capture For AIW (AtiBt829);C:\WINDOWS\System32\DRIVERS\AtiBt829.sys [2001-08-17 07:49]
R3 atirage;atirage;C:\WINDOWS\System32\DRIVERS\atiragem.sys [2001-08-17 07:48]
R3 ATITVAUDIO;WDM TVAudio (ATITVSnd);C:\WINDOWS\System32\DRIVERS\atitvsnd.sys [2001-08-17 07:49]
R3 ATIXBAR;ATI Video Audio Crossbar (ATIXBar);C:\WINDOWS\System32\DRIVERS\atixbar.sys [2001-08-17 07:49]
R3 wdm_opl3sax;YAMAHA OPL3-SAx Audio Driver (WDM);C:\WINDOWS\System32\drivers\opl3sax.sys [2001-08-17 07:20]
S3 NtApm;NT Apm/Legacy Interface Driver;C:\WINDOWS\System32\DRIVERS\NtApm.sys [2001-08-17 08:47]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-20 15:15:34 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-21 20:06:47
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
.
**************************************************************************
.
Completion time: 2008-02-21 20:12:56 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-22 01:12:43
.
2008-02-16 19:24:21 --- E O F ---

#6 Wrathchild (Topic Starter, Members, 11 posts)

Posted 21 February 2008 - 08:19 PM

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

I followed the instructions to drop the Microsoft file for the Recovery Console onto the ComboFix icon. It seemed to work.

#7 Blender (Malware Response Team, 2,363 posts, Location: Ontario)

Posted 21 February 2008 - 11:57 PM

Hi,

Looking better.

Post the contents of this file please:

C:\CF-RC.txt please.

Also new Hijackthis log.

And a log from this app:

Download FindAWF from here and save it to the desktop:

http://noahdfear.geekstogo.com/FindAWF.exe

Double-click the FindAWF icon.

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 1 then Enter to scan for bak folders
The scan may take a while, please be patient.

When done, a text file, the Find AWF report, is produced that we need to look at.
Post the contents of the log here please.

thanks :thumbsup:
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware

#8 Wrathchild (Topic Starter, Members, 11 posts)

Posted 22 February 2008 - 06:34 PM

No CF-RC.txt in C:\ or elsewhere. I haven't deleted any files. What creates that?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:29:25 PM, on 2/22/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Alwil Software\Avast4\setup\avast.setup
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.verizon.net/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon...DSL/tgctlcm.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1203187785108
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O24 - Desktop Component 0: (no name) - http://netmail.verizon.net/webmail/servlet...position=inline
O24 - Desktop Component 1: (no name) - http://netmail.verizon.net/webmail/servlet...position=inline
O24 - Desktop Component 2: (no name) - http://netmail.verizon.net/webmail/servlet...position=inline
O24 - Desktop Component 3: (no name) - http://netmail.verizon.net/webmail/servlet...position=inline
O24 - Desktop Component 4: (no name) - http://netservices.verizon.net/portal/msa/...v_email_off.gif

--
End of file - 4202 bytes



Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Fri 02/22/2008
The current time is: 18:31:15.76


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\QUICKT~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK\BAK

04/21/2007 11:36 PM 77,824 qttask.exe
1 File(s) 77,824 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

77824 Apr 21 2007 "C:\Program Files\QuickTime\bak\bak\qttask.exe"
77824 Apr 21 2007 "C:\Program Files\QuickTime\bak\bak\qttask.exe"


end of report

#9 Wrathchild (Topic Starter, Members, 11 posts)

Posted 27 February 2008 - 08:09 AM

I don't want to be pushy, but I can see we're tantalizingly close to being done. I'd really like to get this computer back to these people. What else do I need to do?

Edited by Wrathchild, 27 February 2008 - 02:39 PM.


#10 Blender (Malware Response Team, 2,363 posts, Location: Ontario)

Posted 28 February 2008 - 06:53 PM

Hi,

Sorry for delay. I had some internet issues.

No CF-RC.txt in C:\ or elsewhere. I haven't deleted any files. What creates that?


Combofix would have created that if you did install the Recovery Console using Combofix.
It may have been later moved to C:\qoobox.

Copy the following text to a new notepad file.
Save as file name fix.bat as file types: all files and save it to the desktop.

REM Move qttask.exe from the bak\bak folder back to its original QuickTime folder
move "C:\Program Files\QuickTime\bak\bak\qttask.exe" "c:\program files\quicktime"
REM Remove the Run entry that points at the bak\bak copy
reg delete HKLM\software\Microsoft\Windows\currentVersion\Run /v "QuickTime Task" /f

Once saved, right-click the QuickTime icon by the clock and choose "exit".
Then double click fix.bat and let it run.
A "dos" window will pop up and be gone. This is normal.

What we did there was move qttask.exe back to its original location and remove the wrong pointer in the registry for it.
Simply running QuickTime again will re-write the proper registry value.

Now run FindAWF again.
If you get a security prompt, please allow.

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 4 then Enter to reset domain zones

This removes all entries from the domain zones.
When the program returns to the main menu, use the following option:
Press E then Enter to EXIT

Then delete this folder:

C:\Program files\Quicktime\bak

Post fresh hijackthis log please and let me know how system is running.

Thanks and sorry again for the delay.

Blender
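The check the helper performs by eye in the posts above, written out as an added example in Python (not code from this thread, from FindAWF or from HijackThis): it parses the O4 autostart lines of a HijackThis log, flags any entry whose executable sits under a "bak" directory (the AWF pattern visible in the QuickTime Task entry), works out where the file originally lived, and emits the same two-line fix.bat shape the helper posted. The sample log lines are constructed from the HijackThis log in this thread.

```python
import re
from dataclasses import dataclass

# Constructed sample: the O4 lines from the HijackThis log in this thread.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
"""

# HijackThis abbreviates HKLM\Software\Microsoft\Windows\CurrentVersion\Run as HKLM\..\Run
RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
STARTUP_RE = re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.+)$")
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"


@dataclass
class AutostartEntry:
    source: str   # "HKLM\Run", "HKCU\Run" or "Global Startup"
    name: str
    path: str     # executable path with quotes and arguments stripped


def extract_path(cmd: str) -> str:
    """Return just the executable path from an O4 command string."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.exe)(\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def parse_o4_entries(log_text: str) -> list:
    entries = []
    for line in log_text.splitlines():
        m = RUN_RE.match(line.strip())
        if m:
            entries.append(AutostartEntry(m["hive"] + "\\" + m["key"], m["name"], extract_path(m["cmd"])))
            continue
        m = STARTUP_RE.match(line.strip())
        if m:
            entries.append(AutostartEntry("Global Startup", m["name"], extract_path(m["cmd"])))
    return entries


def bak_depth(path: str) -> int:
    """Count directory components named 'bak'; AWF nests the real file under bak\\bak."""
    return sum(1 for part in path.split("\\")[:-1] if part.lower() == "bak")


def original_location(path: str) -> str:
    """Drop every 'bak' component to recover where the executable originally lived."""
    parts = path.split("\\")
    return "\\".join([p for p in parts[:-1] if p.lower() != "bak"] + [parts[-1]])


def find_awf_suspects(log_text: str) -> list:
    """Autostart entries whose executable has been relocated under a bak directory."""
    suspects = []
    for e in parse_o4_entries(log_text):
        if bak_depth(e.path) > 0:
            suspects.append({"name": e.name, "source": e.source,
                             "relocated_path": e.path,
                             "original_path": original_location(e.path)})
    return suspects


def build_fix_bat(suspects: list) -> str:
    """Produce the move + reg delete pair the helper's fix.bat used, per suspect."""
    lines = []
    for s in suspects:
        original_dir = s["original_path"].rsplit("\\", 1)[0]
        lines.append(f'move "{s["relocated_path"]}" "{original_dir}"')
        if s["source"].endswith("\\Run"):
            hive = s["source"].split("\\")[0]
            lines.append(f'reg delete {hive}\\{RUN_KEY} /v "{s["name"]}" /f')
    return "\n".join(lines)


if __name__ == "__main__":
    found = find_awf_suspects(SAMPLE_HJT)
    for s in found:
        print(f'{s["source"]} [{s["name"]}] -> {s["relocated_path"]} (original: {s["original_path"]})')
    print(build_fix_bat(found))
```

The reg delete only removes the stale pointer; as the helper notes, launching the application afterwards rewrites the correct Run value itself.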

#11 Wrathchild (Topic Starter, Members, 11 posts)

Posted 29 February 2008 - 12:06 AM

Sorry for delay.

No problem. I just want to give these people their computer back.

It seems to be running fine.

New HijackThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:03:18 AM, on 2/29/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Alwil Software\Avast4\setup\avast.setup
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.verizon.net/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon...DSL/tgctlcm.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1203187785108
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O24 - Desktop Component 0: (no name) - http://netmail.verizon.net/webmail/servlet...position=inline
O24 - Desktop Component 1: (no name) - http://netmail.verizon.net/webmail/servlet...position=inline
O24 - Desktop Component 2: (no name) - http://netmail.verizon.net/webmail/servlet...position=inline
O24 - Desktop Component 3: (no name) - http://netmail.verizon.net/webmail/servlet...position=inline
O24 - Desktop Component 4: (no name) - http://netservices.verizon.net/portal/msa/...v_email_off.gif

--
End of file - 4107 bytes

#12 Blender (Malware Response Team, 2,363 posts, Location: Ontario)

Posted 29 February 2008 - 03:22 PM

Hi,

Log looks OK.

Click start> run> type combofix /u and hit enter.
Follow the prompts.

This will uninstall Combofix, along with the files & folders it dropped, and remove dss.exe along with the files & folders it dropped.
It will also reset your system restore.
You can delete FindAWF and fix.bat.

Since the HJT log is clean, here is some great information to help you stay clean and safe online:
http://users.telenet.be/bluepatchy/miekiem...prevention.html
http://forums.spywareinfo.com/index.php?sh...mp;#entry549685
http://www.bleepingcomputer.com/forums/topict2520.html

Take care & surf safe!

Blender

#13 Wrathchild (Topic Starter, Members, 11 posts)

Posted 29 February 2008 - 03:49 PM

Thank you SO much. You've been a great help.

#14 Blender (Malware Response Team, 2,363 posts, Location: Ontario)

Posted 01 March 2008 - 07:42 AM

You're very welcome.
Glad we could help.

Take care & surf safe!

Blender

Edited by Blender, 01 March 2008 - 07:43 AM.
