
Malware disabling admin permissions/program installing + boot.com


  • This topic is locked
2 replies to this topic

#1 Kharski

  • Members
  • 6 posts

Posted 28 December 2008 - 07:37 PM

Hello everyone,
I'll get straight to the point: I've never seen a virus so bad on my computer.

Symptoms (in order observed):
- Slow Windows startup; sometimes it seems to freeze completely.
- Unable to open drives through their icons (but OK if I open a subdirectory and go up, for example) (until action number one, see below).
- Visual glitches everywhere (now gone, by themselves it seems, or maybe after the first operation, see below).
- Unable to install certain programs, namely Symantec Anti-Virus, Kaspersky online and BitDefender online. Sometimes a message "you may not have the administrator privileges" comes along.
- Popups, numerous attacks on different ports, advertising banners on websites replaced by adult/other banners.

Defense:
- Only Zone Labs ZoneAlarm; it has always worked perfectly for me.

Actions:
- Simple deletion of the autorun.inf and boot.com that installed themselves on every drive -> symptoms one and two disappeared.
- Scans by Ad-Aware 2007, Malwarebytes' Anti-Malware, Flash Disinfector and HijackThis -> nothing interesting except maybe "dumprep 0 -k", command "%systemroot%\system32\dumprep 0 -k". I just deleted that from start-up via msconfig.

Computer configuration:
Windows XP Pro SP3, running the latest IE and the latest Firefox.
Dual-boot with GRUB and Ubuntu, but I don't think that matters.

Attached is my HijackThis log, but I think it's clean. Nothing strange in my running processes either. I'm willing to install ComboFix or whatever; just please keep in mind that I'm not a pro formatter and that I have important data on the PC, and,

Thanks a lot for any help :thumbsup:



DDS log:


DDS (Version 1.1.0) - NTFSx86
Run by Kharski at 1:25:01,14 on 29/12/2008
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professionnel 5.1.2600.2.1252.33.1036.18.1527.1013 [GMT 1:00]

FW: ZoneAlarm Firewall *disabled*

============== Running Processes ===============

C:\WINXP\system32\svchost -k DcomLaunch
svchost.exe
C:\WINXP\system32\svchost.exe -k WudfServiceGroup
C:\WINXP\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINXP\system32\spoolsv.exe
C:\WINXP\system32\igfxpers.exe
C:\WINXP\system32\igfxsrvc.exe
C:\WINXP\system32\ctfmon.exe
D:\Program Files\ActiveSync\wcescomm.exe
D:\PROGRA~1\ACTIVE~1\rapimgr.exe
E:\Progs\Webshots\webshots.scr
D:\Program Files\FireFox\firefox.exe
C:\WINXP\explorer.exe
D:\Program Files\ZoneAlarm\zlclient.exe
C:\WINXP\system32\ZoneLabs\vsmon.exe
E:\Progs\Thunderbird\thunderbird.exe
C:\Documents and Settings\Kharski\Bureau\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Aide pour le lien d'Adobe PDF Reader: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\fichiers communs\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - d:\program files\realplayer\rpbrowserrecordplugin.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - e:\progs\roboform\roboform.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - d:\program files\java\bin\ssv.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - e:\progs\roboform\roboform.dll
uRun: [DAEMON Tools Lite] "d:\program files\daemon tools lite\daemon.exe" -autorun
uRun: [ctfmon.exe] c:\winxp\system32\ctfmon.exe
uRun: [H/PC Connection Agent] "d:\program files\activesync\wcescomm.exe"
mRun: [Persistence] c:\winxp\system32\igfxpers.exe
mRun: [IgfxTray] c:\winxp\system32\igfxtray.exe
mRun: [ZoneAlarm Client] "d:\program files\zonealarm\zlclient.exe"
mRun: [Adobe Reader Speed Launcher] "d:\program files\adobereader\reader\Reader_sl.exe"
dRun: [CTFMON.EXE] c:\winxp\system32\CTFMON.EXE
dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
StartupFolder: c:\docume~1\kharski\menudm~1\progra~1\dmarra~1\webshots.lnk - e:\progs\webshots\Launcher.exe
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
uPolicies-explorer: NoSMMyPictures = 1 (0x1)
uPolicies-explorer: NoResolveTrack = 1 (0x1)
dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
dPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
dPolicies-explorer: NoSMMyPictures = 1 (0x1)
dPolicies-explorer: NoResolveTrack = 1 (0x1)
IE: Barre RoboForm - file://e:\progs\roboform\RoboFormComShowToolbar.html
IE: E&xport to Microsoft Excel - e:\progs\office\office11\EXCEL.EXE/3000
IE: Enregistrer le formulaire - file://e:\progs\roboform\RoboFormComSavePass.html
IE: Personnaliser le menu - file://e:\progs\roboform\RoboFormComCustomizeIEMenu.html
IE: Remplir le formulaire - file://e:\progs\roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - e:\progs\roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - e:\progs\roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - e:\progs\roboform\RoboFormComShowToolbar.html
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - d:\program files\java\bin\ssv.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - d:\progra~1\active~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - d:\progra~1\active~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - e:\progs\office\office11\REFIEBAR.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\winxp\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kharski\applic~1\mozilla\firefox\profiles\sdlric09.default\
FF - component: e:\progs\roboform\firefox\components\rfproxy_27.dll
FF - plugin: c:\documents and settings\kharski\application data\mozilla\firefox\profiles\sdlric09.default\extensions\{bb628310-0ab7-11db-9cd8-0800200c9a66}\plugins\nphardwaredetection.dll
FF - plugin: d:\program files\adobereader\reader\browser\nppdf32.dll
FF - plugin: d:\program files\firefox\plugins\NPFxViewer.dll
FF - plugin: d:\program files\java\bin\npjava11.dll
FF - plugin: d:\program files\java\bin\npjava12.dll
FF - plugin: d:\program files\java\bin\npjava13.dll
FF - plugin: d:\program files\java\bin\npjava14.dll
FF - plugin: d:\program files\java\bin\npjava32.dll
FF - plugin: d:\program files\java\bin\npjpi160_07.dll
FF - plugin: d:\program files\java\bin\npoji610.dll
FF - plugin: d:\program files\realplayer\netscape6\nppl3260.dll
FF - plugin: d:\program files\realplayer\netscape6\nprjplug.dll
FF - plugin: d:\program files\realplayer\netscape6\nprpjplug.dll
FF - plugin: d:\program files\touslesdrivers\nphardwaredetection.dll
FF - plugin: e:\progs\quicktime\plugins\npqtplugin.dll
FF - plugin: e:\progs\quicktime\plugins\npqtplugin2.dll
FF - plugin: e:\progs\quicktime\plugins\npqtplugin3.dll
FF - plugin: e:\progs\quicktime\plugins\npqtplugin4.dll
FF - plugin: e:\progs\quicktime\plugins\npqtplugin5.dll
FF - plugin: e:\progs\quicktime\plugins\npqtplugin6.dll
FF - plugin: e:\progs\quicktime\plugins\npqtplugin7.dll

============= SERVICES / DRIVERS ===============

R1 KLIF;KLIF;c:\winxp\system32\drivers\klif.sys [2008-11-24 127768]
R1 mapledxp;mapledxp;c:\winxp\system32\drivers\mapledxp.SYS [2008-9-12 24720]
R1 VBoxDrv;VirtualBox Service;c:\winxp\system32\drivers\VBoxDrv.sys [2008-12-24 100368]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\winxp\system32\drivers\VBoxUSBMon.sys [2008-12-24 41680]
R1 vsdatant;vsdatant;c:\winxp\system32\vsdatant.sys [2008-7-25 394952]
R2 vsmon;TrueVector Internet Monitor;c:\winxp\system32\zonelabs\vsmon.exe -service []
R3 VBoxNetFlt;VBoxNetFlt Service;c:\winxp\system32\drivers\VBoxNetFlt.sys [2008-12-24 81360]
S3 aawservice;Ad-Aware 2007 Service;"d:\program files\adaware\aawservice.exe" [2008-1-4 607576]
S3 BCD2000;Behringer BCD2000 V1.1.1.0;c:\winxp\system32\drivers\BCD2000.SYS [2008-7-26 42400]
S3 BCD2000WDM;Behringer BCD2000WDM V1.1.1.0;c:\winxp\system32\drivers\BCD2000WDM.SYS [2008-7-26 21632]
S3 MADFU;MADFU;c:\winxp\system32\drivers\MADFUXP.sys [2008-11-20 16512]
S3 MAUSBXP;Service for M-Audio Xponent (WDM);c:\winxp\system32\drivers\mausbxp.sys []
S3 MPUSens;MPUSens;c:\winxp\system32\drivers\MPUSens.sys []
S3 PAC207;CIF USB Camera;c:\winxp\system32\drivers\PFC027.SYS [2008-5-6 505984]

=============== Created Last 30 ================

2008-12-29 00:20 <DIR> a-dshr-- C:\autorun.inf
2008-12-28 23:28 <DIR> --d----- c:\docume~1\kharski\applic~1\Malwarebytes
2008-12-28 23:28 15,504 a------- c:\winxp\system32\drivers\mbam.sys
2008-12-28 23:28 38,496 a------- c:\winxp\system32\drivers\mbamswissarmy.sys
2008-12-28 23:28 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-12-28 23:28 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-12-28 17:29 <DIR> --d----- c:\winxp\ime
2008-12-28 16:56 <DIR> --d----- c:\program files\Symantec
2008-12-28 16:56 <DIR> --d----- c:\program files\fichiers communs\Symantec Shared
2008-12-28 16:56 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec
2008-12-28 02:29 233,472 a------- c:\winxp\system32\rex shared library.dll
2008-12-28 02:29 <DIR> --d----- c:\docume~1\kharski\applic~1\Ableton
2008-12-28 02:29 <DIR> --d----- c:\program files\Ableton
2008-12-25 12:41 <DIR> --d-h--- C:\LG3G
2008-12-24 16:26 <DIR> --d----- c:\documents and settings\kharski\.VirtualBox
2008-12-24 16:25 129,552 a------- c:\winxp\system32\VBoxNetFltNotify.dll
2008-12-24 16:25 81,360 a------- c:\winxp\system32\drivers\VBoxNetFlt.sys
2008-12-24 16:25 41,680 a------- c:\winxp\system32\drivers\VBoxUSBMon.sys
2008-12-24 16:25 100,368 a------- c:\winxp\system32\drivers\VBoxDrv.sys
2008-12-22 16:06 <DIR> --d----- C:\windlx
2008-12-22 13:33 <DIR> --d----- c:\program files\fichiers communs\OverDrive Shared
2008-12-21 22:59 <DIR> --d----- c:\docume~1\kharski\applic~1\Dev-Cpp
2008-12-21 16:22 <DIR> --d----- c:\program files\Siber Systems
2008-12-07 22:59 5,936 a------- c:\documents and settings\kharski\mqdmwhnt.sys
2008-12-07 22:59 92,064 a------- c:\documents and settings\kharski\mqdmmdm.sys
2008-12-07 22:59 79,328 a------- c:\documents and settings\kharski\mqdmserd.sys
2008-12-07 22:59 66,656 a------- c:\documents and settings\kharski\mqdmbus.sys
2008-12-07 22:59 25,600 a------- c:\documents and settings\kharski\usbsermptxp.sys
2008-12-07 22:59 22,768 a------- c:\documents and settings\kharski\usbsermpt.sys
2008-12-07 22:59 9,232 a------- c:\documents and settings\kharski\mqdmmdfl.sys
2008-12-07 22:59 6,208 a------- c:\documents and settings\kharski\mqdmcmnt.sys
2008-12-07 22:59 4,048 a------- c:\documents and settings\kharski\mqdmcr.sys
2008-12-05 21:41 83 a------- c:\winxp\wwp.INI
2008-11-30 22:58 <DIR> --d----- c:\docume~1\kharski\applic~1\LG Electronics

==================== Find3M ====================

2008-12-29 00:20 465,130 a------- c:\winxp\system32\perfh00C.dat
2008-12-29 00:20 73,458 a------- c:\winxp\system32\perfc00C.dat
2008-12-28 02:20 2,576,416 a--sh--- c:\winxp\system32\drivers\fidbox.dat
2008-12-28 02:20 38,576 a--sh--- c:\winxp\system32\drivers\fidbox.idx
2008-11-24 20:31 4,212 ----h--- c:\winxp\system32\zllictbl.dat
2008-10-23 14:00 283,648 a------- c:\winxp\system32\gdi32.dll
2008-10-16 21:18 826,368 a------- c:\winxp\system32\wininet.dll
2008-10-03 11:17 247,326 a------- c:\winxp\system32\strmdll.dll
2008-09-30 16:43 1,286,152 a------- c:\winxp\system32\msxml4.dll

============= FINISH: 1:25:21,65 ===============
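As an added illustration (not part of the original post, and not code from any of the tools mentioned in it), the script below models the autorun.inf hijack the post describes. Windows XP reads autorun.inf from the root of a volume and, with AutoPlay/AutoRun enabled, runs whatever the [autorun] section's open=, shellexecute= or shell\<verb>\command= keys point at, so a worm that drops a copy of itself plus such a file on every writable drive gets relaunched each time a drive is opened from Explorer. Keys like icon=, label= and action= only change how the drive is displayed and are harmless on their own. The sample "drives" are constructed in a temporary directory; the boot.com there is a two-byte placeholder, not the poster's file, and the junk line in the first autorun.inf is a constructed example of the padding worms use to trip up strict INI parsers.

```python
import re
import tempfile
from pathlib import Path

# [autorun] keys whose value Windows runs when the volume is opened or AutoPlayed.
EXEC_KEYS = {"open", "shellexecute"}
# shell\<verb>\command=... defines a context-menu (or default) verb that runs a program.
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$")


def parse_autorun(text):
    r"""Return the command strings an autorun.inf would execute, in file order.

    Hand-rolled instead of configparser: worm-dropped autorun.inf files are
    often padded with junk lines that a strict INI parser rejects but that
    Windows simply skips, and keys such as shell\open\command contain
    backslashes that INI libraries do not expect.
    """
    section = None
    commands = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key in EXEC_KEYS or SHELL_CMD_RE.match(key):
            commands.append(value)
    return commands


def program_of(command):
    """Program a command line would launch: the quoted token or the first word."""
    command = command.strip()
    if not command:
        return ""
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0]


def scan_drive_roots(roots):
    """For each drive root, report what its autorun.inf (if any) would launch.

    Returns (root, program, present) tuples; `present` says whether the program,
    resolved relative to the root as Windows does for a bare file name, is there.
    """
    findings = []
    for root in roots:
        root = Path(root)
        inf = root / "autorun.inf"
        if not inf.is_file():
            continue
        # latin-1 decodes every byte, so binary padding cannot abort the read.
        for cmd in parse_autorun(inf.read_text(encoding="latin-1")):
            program = program_of(cmd)
            findings.append((str(root), program, (root / program).is_file()))
    return findings


def build_sample_drives():
    """Create constructed sample 'drives' under a temp dir (not real drive roots)."""
    base = Path(tempfile.mkdtemp(prefix="autorun_demo_"))
    # Drive C: worm-style autorun.inf plus the dropped file it points at.
    c = base / "C"
    c.mkdir()
    (c / "autorun.inf").write_text(
        "[autorun]\n"
        "\x7f\x01 junk padding that Windows ignores\n"  # constructed, not from the post
        "open=boot.com\n"
        "shell\\open\\Command=boot.com\n"
        "shell\\explore\\command=boot.com\n"
        "shell=open\n"
        "action=Open folder to view files\n",
        encoding="latin-1",
    )
    (c / "boot.com").write_bytes(b"MZ")  # placeholder standing in for the dropped binary
    # Drive D: the benign kind of autorun.inf a CD or USB key ships with.
    d = base / "D"
    d.mkdir()
    (d / "autorun.inf").write_text("[autorun]\nicon=setup.ico\nlabel=Photos\n", encoding="latin-1")
    # Drive E: no autorun.inf at all.
    (base / "E").mkdir()
    return base


if __name__ == "__main__":
    demo_base = build_sample_drives()
    for drive_root, prog, present in scan_drive_roots(sorted(demo_base.iterdir())):
        state = "present" if present else "MISSING"
        print(f"{drive_root}: autorun.inf launches {prog!r} ({state} in root)")
```

On a real machine you would pass the actual drive roots (for example `Path("C:\\")`, `Path("D:\\")`, and any USB volumes) instead of the temp directory. Deleting autorun.inf and the file it names from each drive closes the relaunch path, which matches the post's first action, but it does not stop whatever process wrote those files; repeating this check after a reboot is a quick way to see whether they come back.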


#2 Kharski

  • Topic Starter
  • Members
  • 6 posts

Posted 06 January 2009 - 05:01 PM

Problem resolved on http://thespykiller.co.uk/index.php/topic,7548.new.html#new

#3 KoanYorel

    Bleepin' Conundrum

  • Staff Emeritus
  • 19,461 posts
  • Location: 65 miles due East of the "Logic Free Zone", in Md, USA

Posted 08 January 2009 - 12:23 PM

Thanks for informing us.

This thread is closed.
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)



