Require Help --- Infected With Win32.worm.yahlover.a And Other Malware


5 replies to this topic

#1 Krishna Madhav


Posted 08 June 2008 - 11:16 AM

Hi Team ,

My system is currently infected with Win32.worm.yahlover.a and other viruses/trojans.
The system performance is very slow. The Task Manager is disabled, the hidden files option is not showing up, the command prompt is not working, etc.

Also I am not able to run a HijackThis log on my system.

Please help to fix the issue.

Regards
Madhav
------------
------------

Mod. Edit: Merged posts. ~ OB

Hi Team,

I ran the anti-malware, which helped me clean the trojans out of my system.
Here is the DSS log. Please let me know if there are any other infected programs running on my system.

Deckard's System Scanner v20071014.68
Run by Madhav1 on 2008-06-08 22:15:20
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Madhav1.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:15:22 PM, on 6/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\winsersec.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.exe
C:\WINNT\scvhost.exe
C:\WINNT\sdaemon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\winwd.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\scvhost.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
L:\Downloads(2)\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Madhav1.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
F2 - REG:system.ini: Shell=Explorer.exe scvhost.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: MEGAUPLOADTOOLBAR - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Mega Manager IE Click Monitor - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll
O2 - BHO: HttpWatch Basic - {F1F69322-008F-4895-B2BF-AD194219825A} - C:\Program Files\HttpWatch\httpwatchsc.dll
O3 - Toolbar: MEGAUPLOADTOOLBAR - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SDaemon] C:\WINNT\sdaemon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SWd] C:\WINNT\winwd.exe
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Download Link Using Mega Manager... - C:\Program Files\Megaupload\Mega Manager\mm_file.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: HttpWatch Basic - {D103E85B-5D67-42c1-8C83-F01079DBAB26} - C:\Program Files\HttpWatch\httpwatch.dll
O9 - Extra 'Tools' menuitem: HttpWatch Basic - {D103E85B-5D67-42c1-8C83-F01079DBAB26} - C:\Program Files\HttpWatch\httpwatch.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{FA3E0BD9-9279-4F7F-A8F1-291A16E286C9}: NameServer = 218.248.240.24 218.248.240.141
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Web Console 3.0.2 console - Unknown owner - D:\PROGRA~1\Sun\JavaES5\share\WEBCON~1\bin\swc.exe (file missing)
O23 - Service: winser - Unknown owner - C:\WINNT\system32\winsersec.exe

--
End of file - 5011 bytes

-- Files created between 2008-05-08 and 2008-06-08 -----------------------------

2008-06-08 21:59:48 0 d-------- C:\Documents and Settings\Madhav1\Application Data\Malwarebytes
2008-06-08 21:59:46 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-08 21:59:46 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-08 16:55:36 0 d-------- C:\Program Files\RM-X Player V5.2
2008-06-05 07:25:43 0 d-------- C:\Program Files\Greatis
2008-06-04 22:37:33 0 d-------- C:\WINNT\SxsCaPendDel
2008-06-04 13:48:53 104448 -r-hs---- C:\gjn2pjlw.exe
2008-06-04 13:48:28 518656 -----n--- C:\WINNT\system32\scvhost.exe
2008-06-04 13:48:28 518656 -rahs---- C:\WINNT\system32\blastclnnn.exe
2008-06-04 13:48:28 518656 --a------ C:\WINNT\scvhost.exe
2008-06-04 13:48:28 518656 --a------ C:\WINNT\hinhem.scr
2008-05-20 22:29:33 0 d-------- C:\WINNT\system32\appmgmt
2008-05-17 14:15:52 0 dr-h----- C:\Documents and Settings\Madhav1\Recent


-- Find3M Report ---------------------------------------------------------------

2008-06-08 22:03:25 0 d-------- C:\Documents and Settings\Madhav1\Application Data\MegauploadToolbar
2008-06-04 22:37:06 0 d-------- C:\Program Files\BitDefender
2008-05-07 23:53:51 0 d-------- C:\Documents and Settings\Madhav1\Application Data\Adobe
2008-05-01 14:36:56 0 d-------- C:\Program Files\HttpWatch
2008-04-29 11:25:30 92 --a------ C:\WINNT\itlog.dat
2008-04-28 12:24:33 0 d-------- C:\Documents and Settings\Madhav1\Application Data\DivX
2008-04-26 07:33:05 0 d-------- C:\Program Files\Microsoft Silverlight
2008-04-25 23:34:06 0 d-------- C:\Program Files\SDE3.0


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


-- End of Deckard's System Scanner: finished at 2008-06-08 22:15:39 ------------


Regards
Madhav

Edited by Orange Blossom, 08 June 2008 - 01:19 PM.
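The HijackThis log in this post shows, in machine-readable form, the symptoms Madhav describes: an F2 entry where the logon shell is Explorer.exe plus a second executable, an O7 policy entry disabling regedit, Run entries pointing at executables dropped directly into C:\WINNT, and a service of unknown owner in system32. As an added example (not part of HijackThis, ComboFix, or any post in this thread), here is a small Python script that applies those review heuristics to HijackThis-style lines. The sample lines are constructed from the log above; the rules are this example's own review prompts, not HijackThis verdicts, and the O23 check deliberately flags for a human to look at rather than deciding anything.

```python
"""HijackThis-log triage heuristics.

Added example for this thread; it is not part of HijackThis, ComboFix or any
post above. The sample lines are constructed from the first log Madhav posted;
the rules are this example's own review prompts, not HijackThis verdicts.
"""
import re

# Constructed sample: a subset of the posted HijackThis entries, benign ones included.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
F2 - REG:system.ini: Shell=Explorer.exe scvhost.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SDaemon] C:\WINNT\sdaemon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SWd] C:\WINNT\winwd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O17 - HKLM\System\CCS\Services\Tcpip\..\{FA3E0BD9-9279-4F7F-A8F1-291A16E286C9}: NameServer = 218.248.240.24 218.248.240.141
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: winser - Unknown owner - C:\WINNT\system32\winsersec.exe
"""

# "O4 - ..." -> kind "O4", body "..."
LINE_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.+)$")
# An executable sitting directly in the Windows directory rather than system32 or Program Files.
WINROOT_EXE = re.compile(r"^[a-z]:\\(winnt|windows)\\[^\\]+\.(exe|scr|com)$", re.I)


def parse_hjt(text):
    """Split a HijackThis log into (kind, body) tuples; non-entry lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def o4_target(body):
    """Return the executable path of an O4 entry, whose body is '[name] path args'."""
    _, _, rest = body.partition("] ")
    rest = rest.strip()
    if rest.startswith('"'):                     # quoted path, possibly with spaces
        return rest[1:rest.index('"', 1)]
    return rest.split()[0]                       # unquoted: first token is the path


def triage(text):
    """Apply the heuristics; return a list of (kind, reason, original body)."""
    findings = []
    for kind, body in parse_hjt(text):
        if kind == "F2" and "Shell=" in body:
            # The shell value should be Explorer.exe alone; anything appended
            # is launched at every logon.
            extra = [s for s in body.split("Shell=", 1)[1].split()
                     if s.lower() != "explorer.exe"]
            if extra:
                findings.append((kind, "extra shell executable: " + ", ".join(extra), body))
        elif kind == "O7":
            # Policy restrictions (DisableRegedit, DisableTaskMgr, ...) are the
            # symptoms Madhav describes; users rarely set them on themselves.
            findings.append((kind, "policy restriction: " + body.rsplit(", ", 1)[-1], body))
        elif kind == "O4" and WINROOT_EXE.match(o4_target(body)):
            findings.append((kind, "autorun from Windows root: " + o4_target(body), body))
        elif kind == "O17":
            findings.append((kind, "custom DNS servers; confirm they belong to the ISP", body))
        elif kind == "O23" and "Unknown owner" in body and "\\system32\\" in body.lower():
            findings.append((kind, "unknown-owner service in system32", body))
    return findings


if __name__ == "__main__":
    for kind, reason, body in triage(SAMPLE_LOG):
        print(f"[{kind}] {reason}\n      {body}")
```

Run as-is it prints six findings from the sample and stays silent on the Adobe BHO, ctfmon, mobsync and the ATI service; paste a real log into `SAMPLE_LOG` to triage it. Every hit is a prompt to check the file's publisher, hash and creation date, which is exactly what the helper asks for later in this thread.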


#2 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 10 June 2008 - 06:05 AM

Hi and Welcome to the forums.

Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

#3 Krishna Madhav

Krishna Madhav
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  

Posted 10 June 2008 - 11:33 AM

Hi,

PFB the ComboFix log and the HijackThis logs.

ComboFix 08-06-09.7 - Madhav1 2008-06-10 21:50:06.3 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.795 [GMT 5.5:30]
Running from: L:\Downloads(2)\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINNT\scvhost.exe
C:\WINNT\system32\autorun.ini
C:\WINNT\system32\blastclnnn.exe
C:\WINNT\system32\scvhost.exe
C:\WINNT\system32\setting.ini
C:\WINNT\Web\default.htt

.
((((((((((((((((((((((((( Files Created from 2008-05-10 to 2008-06-10 )))))))))))))))))))))))))))))))
.

2008-06-09 10:57 . 2008-06-09 10:57 <DIR> d-------- C:\WINNT\system32\Adobe
2008-06-08 21:59 . 2008-06-08 21:59 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-08 21:59 . 2008-06-08 21:59 <DIR> d-------- C:\Documents and Settings\Madhav1\Application Data\Malwarebytes
2008-06-08 21:59 . 2008-06-08 21:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-08 21:59 . 2008-06-05 16:04 34,296 --a------ C:\WINNT\system32\drivers\mbamcatchme.sys
2008-06-08 21:59 . 2008-06-05 16:04 15,864 --a------ C:\WINNT\system32\drivers\mbam.sys
2008-06-08 16:55 . 2008-06-08 16:57 <DIR> d-------- C:\Program Files\RM-X Player V5.2
2008-06-05 07:26 . C:\WINNT\(2) C:\ComboFix\winstart.bat
2008-06-05 07:25 . 2008-06-05 07:25 <DIR> d-------- C:\Program Files\Greatis
2008-06-05 07:25 . 2003-09-06 15:55 57,556 --a------ C:\WINNT\guard.bmp
2008-06-04 22:37 . 2008-06-08 21:55 <DIR> d-------- C:\WINNT\SxsCaPendDel
2008-06-04 13:48 . 2007-10-29 22:07 518,656 --a------ C:\WINNT\hinhem.scr
2008-06-04 13:48 . 2008-04-01 12:27 104,448 -r-hs---- C:\gjn2pjlw.exe
2008-05-31 10:19 . 2008-06-09 11:38 54,156 --ah----- C:\WINNT\QTFont.qfn
2008-05-31 10:19 . 2008-05-31 10:19 1,409 --a------ C:\WINNT\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-09 14:59 --------- d-----w C:\Documents and Settings\Madhav1\Application Data\MegauploadToolbar
2008-06-04 17:07 --------- d-----w C:\Program Files\BitDefender
2008-05-01 09:06 --------- d-----w C:\Program Files\HttpWatch
2008-04-28 06:54 --------- d-----w C:\Documents and Settings\Madhav1\Application Data\DivX
2008-04-26 02:03 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-04-25 18:04 --------- d-----w C:\Program Files\SDE3.0
2008-01-25 14:48 271 --sh--w C:\Program Files\desktop.ini
2008-01-25 14:48 21,952 ---ha-w C:\Program Files\folder.htt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2004-08-03 22:26 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [2004-08-03 22:26 143360 C:\WINNT\system32\mobsync.exe]
"SDaemon"="C:\WINNT\sdaemon.exe" [2005-04-19 03:27 111104]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-28 22:27 180269]
"SWd"="C:\WINNT\winwd.exe" [2005-04-19 03:26 26624]
"BitDefender Antiphishing Helper"="C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe" [ ]
"BDAgent"="C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [2004-08-03 22:26 214528]
"tscuninstall"="C:\WINNT\system32\tscupgrd.exe" [2004-08-03 20:29 44544]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\option]
UseAlternateShell REG_DWORD 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot]
"AlternateShell"= cmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
--a------ 2007-01-02 02:52 3739648 C:\Program Files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a------ 2006-01-12 15:40 155648 C:\WINNT\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 15:40 155648 C:\WINNT\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 23:13 385024 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
-r------- 2005-10-15 07:21 14864384 C:\WINNT\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDaemon]
--a------ 2005-04-19 03:27 111104 C:\WINNT\sdaemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SWd]
--a------ 2005-04-19 03:26 26624 C:\WINNT\winwd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-01-28 22:27 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 17:43 4670704 C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"18A7898C"=2 (0x2)
"sockd-server1"=3 (0x3)
"proxy-server1"=3 (0x3)
"proxy-admserv404"=3 (0x3)
"MQ3.7UR1_Broker"=2 (0x2)
"https-localhost"=3 (0x3)
"https-admserv70"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

R0 WINSEC;WINSEC;C:\WINNT\system32\drivers\WINSEC.SYS [2005-04-19 03:27]
S0 Partizan;Partizan;C:\WINNT\system32\drivers\Partizan.sys []
S2 Web Console 3.0.2 console;Web Console 3.0.2 console;"D:\PROGRA~1\Sun\JavaES5\share\WEBCON~1\bin\swc.exe" []
S2 winser;winser;C:\WINNT\system32\winsersec.exe [2005-04-14 04:07]
S3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);C:\WINNT\system32\DRIVERS\RMSPPPOE.SYS [2002-10-03 00:09]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-06-10 16:12:06 C:\WINNT\Tasks\At1.job"
- C:\WINNT\system32\blastclnnn.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-10 21:54:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-10 21:57:50
ComboFix-quarantined-files.txt 2008-06-10 16:27:29
ComboFix2.txt 2008-01-29 14:07:42

Pre-Run: 5,099,008,000 bytes free
Post-Run: 5,088,620,544 bytes free

134 --- E O F --- 2008-01-25 17:14:45



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:01, on 2008-06-10
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\winsersec.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\sdaemon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\winwd.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: MEGAUPLOADTOOLBAR - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Mega Manager IE Click Monitor - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll
O2 - BHO: HttpWatch Basic - {F1F69322-008F-4895-B2BF-AD194219825A} - C:\Program Files\HttpWatch\httpwatchsc.dll
O3 - Toolbar: MEGAUPLOADTOOLBAR - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SDaemon] C:\WINNT\sdaemon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SWd] C:\WINNT\winwd.exe
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O8 - Extra context menu item: Download Link Using Mega Manager... - C:\Program Files\Megaupload\Mega Manager\mm_file.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: HttpWatch Basic - {D103E85B-5D67-42c1-8C83-F01079DBAB26} - C:\Program Files\HttpWatch\httpwatch.dll
O9 - Extra 'Tools' menuitem: HttpWatch Basic - {D103E85B-5D67-42c1-8C83-F01079DBAB26} - C:\Program Files\HttpWatch\httpwatch.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Web Console 3.0.2 console - Unknown owner - D:\PROGRA~1\Sun\JavaES5\share\WEBCON~1\bin\swc.exe (file missing)
O23 - Service: winser - Unknown owner - C:\WINNT\system32\winsersec.exe

--
End of file - 4935 bytes


Regards
Madhav
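Two things in the ComboFix log above deserve cross-checking rather than a glance: the Security Center key has all three notify/override values set to 1 (which is why no warning appeared while antivirus was off), and the scheduled task At1.job still points at blastclnnn.exe even though ComboFix lists that file under "Other Deletions". As an added example (not part of ComboFix or of any post in this thread), here is a Python script that parses a ComboFix-style excerpt into its deletion list, REGEDIT4 dump and scheduled tasks, then reports those two conditions. The excerpt is constructed from the posted log; the section markers and line shapes follow what ComboFix prints there, and the checks are this example's own.

```python
"""Cross-check a ComboFix log's registry dump and scheduled tasks.

Added example for this thread; it is not part of ComboFix or of any post above.
The excerpt below is constructed from the ComboFix log Madhav posted; the
checks (Security Center alert suppression, scheduled tasks left pointing at
files ComboFix removed) are this example's own.
"""
import re

SAMPLE_COMBOFIX = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINNT\scvhost.exe
C:\WINNT\system32\blastclnnn.exe
C:\WINNT\system32\scvhost.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SDaemon"="C:\WINNT\sdaemon.exe" [2005-04-19 03:27 111104]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

.
Contents of the 'Scheduled Tasks' folder
"2008-06-10 16:12:06 C:\WINNT\Tasks\At1.job"
- C:\WINNT\system32\blastclnnn.exe
.
"""

SECTION_RE = re.compile(r"^\({5,}\s*(?P<name>.+?)\s*\){5,}$")   # ((( Name )))
KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")                        # [HKEY_...]
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.*)$')      # "name"=value
TASK_RE = re.compile(r'^"\S+ \S+ (?P<job>[A-Za-z]:\\.+\.job)"$')  # "date time path.job"
PATH_RE = re.compile(r"^[A-Za-z]:\\")
DWORD_RE = re.compile(r"^dword:([0-9a-fA-F]+)")

# Values under the Security Center key that silence its warnings when non-zero.
SECURITY_CENTER_FLAGS = {"antivirusdisablenotify", "updatesdisablenotify", "firewalloverride"}


def parse_combofix(text):
    """Return {'deletions': [...], 'registry': {key: {name: value}}, 'tasks': [(job, target)]}."""
    parsed = {"deletions": [], "registry": {}, "tasks": []}
    section, key, job = None, None, None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            section, key = m.group("name"), None
            continue
        if line.startswith("Contents of the 'Scheduled Tasks' folder"):
            section = "Scheduled Tasks"
            continue
        if section == "Other Deletions" and PATH_RE.match(line):
            parsed["deletions"].append(line)
        elif section == "Reg Loading Points":
            k = KEY_RE.match(line)
            v = VALUE_RE.match(line)
            if k:
                key = k.group("key")
                parsed["registry"].setdefault(key, {})
            elif key and v:
                parsed["registry"][key][v.group("name")] = v.group("value")
        elif section == "Scheduled Tasks":
            t = TASK_RE.match(line)
            if t:
                job = t.group("job")                    # remember the .job, target follows
            elif job and line.startswith("- "):
                parsed["tasks"].append((job, line[2:].strip()))
                job = None
    return parsed


def review(parsed):
    """Return (category, message) findings from a parsed ComboFix log."""
    findings = []
    deleted = {p.lower() for p in parsed["deletions"]}
    for key, values in parsed["registry"].items():
        if key.lower().endswith("\\security center"):
            for name, value in values.items():
                d = DWORD_RE.match(value)
                if name.lower() in SECURITY_CENTER_FLAGS and d and int(d.group(1), 16) != 0:
                    findings.append(("security-center", f"{name} set: Security Center warnings are suppressed"))
    for job, target in parsed["tasks"]:
        # A task whose target ComboFix just deleted is an orphan that will keep
        # firing (and failing) until the .job file itself is removed.
        if target.lower() in deleted:
            findings.append(("orphaned-task", f"{job} runs {target}, which ComboFix deleted; remove the task"))
    return findings


if __name__ == "__main__":
    for category, message in review(parse_combofix(SAMPLE_COMBOFIX)):
        print(f"{category}: {message}")
```

On the sample this reports the three Security Center overrides and the orphaned At1.job, which is the item the next reply asks Madhav to delete by hand; after cleanup the three dword values should be reset to 0 so the Security Center warns again if protection lapses.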

#4 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 11 June 2008 - 07:50 AM

Locate and delete this item please--> C:\WINNT\Tasks\At1.job

If you will, upload these files to the site below
http://www.uploadmalware.com

C:\gjn2pjlw.exe
C:\WINNT\system32\winsersec.exe

Also, if you don't mind, scan both files at http://www.virustotal.com and copy the results into the next reply, please.

Is this PC accessed or admined remotely?

Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only
  • Follow the Instruction on the F-Secure page for proper installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy&Paste the entire report in your next reply.


#5 Krishna Madhav

Krishna Madhav
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:07:38 AM

Posted 12 June 2008 - 09:14 PM

Hi,

1. Uploaded the said files to UploadMalware
2. Scanning result in VirusTotal

C:\gjn2pjlw.exe

MD5: d5c820a04efd088d9b73b6fcaed3b87c
First received: 06.11.2008 11:50:02 (CET)
Date: 06.11.2008 11:50:02 (CET) [<1D]
Results: 26/33
Permalink: analisis/26d35dba1a90578377757ccd9d9c14a4




MD5: 62f4fef16963eac06bea0a4e9fa3f726
First received: 12.15.2007 02:41:50 (CET)
Date: 06.11.2008 14:49:36 (CET) [<1D]
Results: 0/32
Permalink: analisis/9545af0f4ce7fe88b3b2dd950c006364


3. The PC is not being accessed/admined remotely. It is a completely stand-alone system.

4. Result of online virus scan.

Scanning Report
Friday, June 13, 2008 05:52:24 - 07:40:00
Computer name: MADHAV
Scanning type: Scan system for malware, rootkits
Target: C:\ D:\ E:\ F:\ G:\ H:\ I:\ J:\ K:\ L:\ N:\


--------------------------------------------------------------------------------

Result: 20 malware found
Trojan-PSW.Win32.OnLineGames (virus)
System
Trojan-PSW.Win32.OnLineGames.aoxd (virus)
C:\GJN2PJLW.EXE
D:\GJN2PJLW.EXE (Renamed & Submitted)
E:\GJN2PJLW.EXE (Renamed & Submitted)
F:\GJN2PJLW.EXE (Renamed & Submitted)
G:\GJN2PJLW.EXE (Renamed & Submitted)
H:\GJN2PJLW.EXE (Renamed & Submitted)
I:\GJN2PJLW.EXE (Renamed & Submitted)
J:\GJN2PJLW.EXE (Renamed & Submitted)
K:\GJN2PJLW.EXE (Renamed & Submitted)
L:\GJN2PJLW.EXE (Renamed & Submitted)
N:\GJN2PJLW.EXE (Renamed & Submitted)
Trojan-PSW.Win32.OnLineGames.oob (virus)
J:\SYSTEM VOLUME INFORMATION\_RESTORE{A655AC54-3B74-4C11-A215-315DFB3AE50E}\RP2\A0000045.INF (Renamed & Submitted)
K:\SYSTEM VOLUME INFORMATION\_RESTORE{A655AC54-3B74-4C11-A215-315DFB3AE50E}\RP2\A0000046.INF (Renamed & Submitted)
L:\SYSTEM VOLUME INFORMATION\_RESTORE{A655AC54-3B74-4C11-A215-315DFB3AE50E}\RP2\A0000047.INF (Renamed & Submitted)
N:\SYSTEM VOLUME INFORMATION\_RESTORE{A655AC54-3B74-4C11-A215-315DFB3AE50E}\RP2\A0000048.INF (Renamed & Submitted)
Virus.Win32.AutoRun.mg (virus)
E:\SYSTEM VOLUME INFORMATION\_RESTORE{A655AC54-3B74-4C11-A215-315DFB3AE50E}\RP2\A0000066.INF (Submitted)
G:\SYSTEM VOLUME INFORMATION\_RESTORE{A655AC54-3B74-4C11-A215-315DFB3AE50E}\RP2\A0000068.INF (Submitted)
H:\SYSTEM VOLUME INFORMATION\_RESTORE{A655AC54-3B74-4C11-A215-315DFB3AE50E}\RP2\A0000069.INF (Submitted)
I:\SYSTEM VOLUME INFORMATION\_RESTORE{A655AC54-3B74-4C11-A215-315DFB3AE50E}\RP2\A0000070.INF (Submitted)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 156823
System: 2999
Not scanned: 6
Actions:
Disinfected: 0
Renamed: 14
Deleted: 0
None: 6
Submitted: 18
Files not scanned:
C:\PAGEFILE.SYS
C:\WINNT\SYSTEM32\CONFIG\DEFAULT
C:\WINNT\SYSTEM32\CONFIG\SAM
C:\WINNT\SYSTEM32\CONFIG\SECURITY
C:\WINNT\SYSTEM32\CONFIG\SOFTWARE
C:\WINNT\SYSTEM32\CONFIG\SYSTEM

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure USS: 2.30.0
F-Secure Hydra: 2.8.8110, 2008-06-12
F-Secure AVP: 7.0.171, 2008-06-12
F-Secure Pegasus: 1.20.0, 2008-04-15
F-Secure Blacklight: 1.0.68
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Use Advanced heuristics

--------------------------------------------------------------------------------


#6 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 13 June 2008 - 05:46 AM

See if you can locate all the files F-Secure renamed

C:\GJN2PJLW.0XE <--- They probably look like that now.
D:\GJN2PJLW.EXE (Renamed & Submitted)
E:\GJN2PJLW.EXE (Renamed & Submitted)
F:\GJN2PJLW.EXE (Renamed & Submitted)
G:\GJN2PJLW.EXE (Renamed & Submitted)
H:\GJN2PJLW.EXE (Renamed & Submitted)
I:\GJN2PJLW.EXE (Renamed & Submitted)
J:\GJN2PJLW.EXE (Renamed & Submitted)
K:\GJN2PJLW.EXE (Renamed & Submitted)
L:\GJN2PJLW.EXE (Renamed & Submitted)
N:\GJN2PJLW.EXE (Renamed & Submitted)

Since it's a Password Stealer, be sure you have changed any logins and passwords from a different, clean computer; no telling what was sent out.

You need to reset System Restore and Clear out all the old infected restore points.
  • Click Start
  • Right-Click "My Computer" and Select Properties.
  • Click on the "System Restore" tab.
  • Place a checkmark in the box for "Turn off System Restore" and Click "Apply."
  • Restart the Computer.
  • Return to System Restore and Uncheck the box for "Turn off System Restore" and Click "Apply."
  • A fresh Restore Point will be created.
Then go to the Secunia Software Inspector and scan your system for outdated or vulnerable software.

Go to start--> run--> type in combofix /u to uninstall ComboFix.

Run one more online scan. Please do an online scan with Kaspersky WebScanner.

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under "Select a target to scan", select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.




