
Infected with Trojans and Rootkits


  • This topic is locked
5 replies to this topic

#1 bcallam

bcallam

  • Members
  • 2 posts
  • OFFLINE
  • Local time:09:08 PM

Posted 24 January 2009 - 01:18 PM

I downloaded a maptool for a video game (risky I know). As soon as I did Symantec Endpoint Protection caught about 13 malicious processes. I ran the full system scan and 'successfully' removed all threats. Rebooted and I picked the same ones up again. I rebooted in safe mode, ran the scan again along with an Ad-Aware scan and a Spy-Bot scan. All cleaning as I went along. Rebooted and still am having problems.

In the text is the DDS file. I tried to do a Kaspersky scan but it wouldn't work with the online scan...
I've also attached a HijackThis log.

Thanks for any help/advice you all can give. I am on XP with all the latest updates installed. I've also got all operating system disks to re-install if necessary.

Thanks,
Brian



DDS (Ver_09-01-19.01) - NTFSx86
Run by Owner at 23:44:00.50 on Fri 01/23/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1535.866 [GMT -5:00]

AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
"C:\Documents and Settings\Owner\Application Data\svchost.exe"
C:\Documents and Settings\Owner\Application Data\_77918b96c0f3e097ec33460f63769808\down\im000.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\csrssc.exe
C:\Program Files\MSN\Toolbar\3.0.0983.0\msntask.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner\My Documents\Downloads\dds.scr
C:\WINDOWS\system32\taskmgr.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://us8.hpwis.com/
uSearch Page = hxxp://srch-us8.hpwis.com/
uDefault_Page_URL = hxxp://us8.hpwis.com/
uDefault_Search_URL = hxxp://srch-us8.hpwis.com/
uSearch Bar = hxxp://srch-us8.hpwis.com/
mSearch Bar = hxxp://srch-us8.hpwis.com/
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
BHO: c:\windows\system32\hgdfeeeh4fdg.dll: {c5bf49a2-94f3-42bd-f434-3604812c8955} - c:\windows\system32\hgdfeeeh4fdg.dll
TB: hp toolkit: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\hp\explorebar\HPTOOLKT.DLL
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0983.0\msneshellx.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: hp toolkit: {8f4902b6-6c04-4ade-8052-aa58578a21bd} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ttool] c:\windows\9129837.exe
uRun: [tezrtsjhfr84iusjfo84f] c:\docume~1\owner\locals~1\temp\csrssc.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [*svchostBoot] "c:\documents and settings\owner\application data\svchost.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quicke~1.lnk - c:\program files\quicken\bagent.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
LSP: SpSubLSP.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} - hxxp://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxsrvc.dll
Notify: OPXPGina - c:\program files\softex\omnipass\opxpgina.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: c:\windows\system32\hgdfeeeh4fdg.dll: {c5bf49a2-94f3-42bd-f434-3604812c8955} - c:\windows\system32\hgdfeeeh4fdg.dll

============= SERVICES / DRIVERS ===============

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-1-23 99376]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090123.003\NAVENG.SYS [2009-1-23 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090123.003\NAVEX15.SYS [2009-1-23 876112]
R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
R4 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-9-26 108392]
R4 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-9-26 108392]
R4 EraserSvc10824;Symantec Eraser Service;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-9-26 108392]
R4 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2008-9-26 2436536]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-10-12 24652]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-9-26 23888]
S3 EraserUtilDrvI7;EraserUtilDrvI7;\??\c:\program files\common files\symantec shared\eengine\eraserutildrvi7.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilDrvI7.sys [?]
S3 new_drv;!!!!;\??\c:\windows\new_drv.sys --> c:\windows\new_drv.sys [?]
S4 mrtRate;mrtRate; [x]

=============== Created Last 30 ================

2009-01-23 23:40 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-01-23 23:40 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-01-23 23:33 <DIR> --d----- c:\program files\Trend Micro
2009-01-23 23:13 46,640 a------- c:\windows\system32\msln.exe
2009-01-23 20:44 9,728 a------- C:\bakpg.exe
2009-01-23 20:44 56,832 a------- c:\windows\system32\gaopdxmymyqlgs.dll
2009-01-23 20:44 71,168 a------- c:\windows\system32\drivers\gaopdxxjexmpjw.sys
2009-01-23 20:44 37,888 a------- C:\avudn.exe
2009-01-23 20:43 108,336 a------- c:\windows\system32\mswinsck.ocx
2009-01-23 20:43 35,840 a------- c:\windows\system32\senekaqipmpdvb.dll
2009-01-23 20:43 15,360 a------- c:\windows\system32\senekabfagxwho.dll
2009-01-23 20:43 217 a------- c:\windows\system32\senekawesrtlmw.dat
2009-01-23 20:43 53,248 a------- c:\windows\system32\drivers\senekaipuyqxsi.sys
2009-01-23 18:34 33 a------- c:\docume~1\owner\applic~1\__t.bin
2009-01-23 18:33 792,381 a------- c:\docume~1\owner\applic~1\svchost.exe
2009-01-23 18:33 <DIR> --d----- c:\docume~1\owner\applic~1\_77918b96c0f3e097ec33460f63769808
2009-01-23 18:33 2 a------- C:\1354475888
2009-01-23 18:32 20,480 a------- C:\jhqlrof.exe
2009-01-23 18:32 15,000 a------- c:\windows\system32\hgdfeeeh4fdg.dll
2009-01-23 18:25 <DIR> --d----- c:\program files\common files\Macrovision Shared
2009-01-17 19:07 <DIR> --d----- c:\documents and settings\owner\.idlerc
2008-12-28 00:13 32,128 ac------ c:\windows\system32\dllcache\usbccgp.sys
2008-12-28 00:13 32,128 a------- c:\windows\system32\drivers\usbccgp.sys
2008-12-28 00:13 10,368 ac------ c:\windows\system32\dllcache\hidusb.sys
2008-12-28 00:13 10,368 a------- c:\windows\system32\drivers\hidusb.sys

==================== Find3M ====================

2009-01-07 21:54 35,742 a------- c:\windows\DIIUnin.dat
2009-01-07 21:53 21,840 a------t c:\windows\system32\SIntfNT.dll
2009-01-07 21:53 17,212 a------t c:\windows\system32\SIntf32.dll
2009-01-07 21:53 12,067 a------t c:\windows\system32\SIntf16.dll
2008-12-22 01:11 94,208 a------- c:\windows\DIIUnin.exe
2008-12-22 01:11 2,829 a------- c:\windows\DIIUnin.pif
2008-12-11 05:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-11-10 05:43 410,984 a------- c:\windows\system32\deploytk.dll
2008-10-28 17:36 823,296 a------- c:\windows\system32\divx_xx0c.dll
2008-10-28 17:36 823,296 a------- c:\windows\system32\divx_xx07.dll
2008-10-28 17:35 815,104 a------- c:\windows\system32\divx_xx0a.dll
2008-10-28 17:35 802,816 a------- c:\windows\system32\divx_xx11.dll
2008-10-28 17:35 684,032 a------- c:\windows\system32\DivX.dll
2008-10-14 19:20 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008101420081015\index.dat

============= FINISH: 23:48:59.70 ===============
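The DDS log above shows the pattern a responder looks for before any cleaning starts: binaries named after core Windows processes running from Application Data and Temp, Run entries pointing at those same files, policies that hide Folder Options and the registry tools, and a driver registered under a nonsense display name. The script below is an added example (not part of this thread and not DDS's own logic) that triages a DDS log by those rules; the embedded excerpt is a constructed subset of the log above, and the flagging rules are heuristics chosen for this example.

```python
import re

# Constructed excerpt of the DDS log posted above, embedded so the script runs offline.
DDS_EXCERPT = r"""
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
"C:\Documents and Settings\Owner\Application Data\svchost.exe"
C:\DOCUME~1\Owner\LOCALS~1\Temp\csrssc.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
============== Pseudo HJT Report ===============
uRun: [ttool] c:\windows\9129837.exe
uRun: [tezrtsjhfr84iusjfo84f] c:\docume~1\owner\locals~1\temp\csrssc.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [*svchostBoot] "c:\documents and settings\owner\application data\svchost.exe"
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
============= SERVICES / DRIVERS ===============
R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
S3 EraserUtilDrvI7;EraserUtilDrvI7;\??\c:\program files\common files\symantec shared\eengine\eraserutildrvi7.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilDrvI7.sys [?]
S3 new_drv;!!!!;\??\c:\windows\new_drv.sys --> c:\windows\new_drv.sys [?]
S4 mrtRate;mrtRate; [x]
"""

# Heuristics (this example's own, not DDS rules): user-writable dirs, core-process lookalikes, numeric exe in %windir%.
USER_WRITABLE = re.compile(r"application data|applic~1|locals~1|local settings|\\temp\\", re.I)
SYSTEM_LOOKALIKE = re.compile(r"\\(svchost|csrss|lsass|winlogon|services|explorer)[^\\]*\.exe\"?$", re.I)
NUMERIC_IN_WINDIR = re.compile(r"\\windows\\\d+\.exe", re.I)
RUN_ENTRY = re.compile(r"^[um]Run: \[(?P<name>[^\]]*)\] (?P<target>.*)$")
POLICY = re.compile(r"^uPolicies-\w+: (NoFolderOptions|DisableRegistryTools) = 1")
SERVICE = re.compile(r"^[RS]\d (?P<svc>[^;]*);(?P<display>[^;]*);(?P<path>.*?)\s*\[(?P<state>[^\]]*)\]$")

def suspicious_path(p):
    """True for a lookalike or Temp binary in a user-writable dir, or a bare numeric exe in the Windows dir."""
    in_user_dir = USER_WRITABLE.search(p) and (SYSTEM_LOOKALIKE.search(p) or re.search(r"\\temp\\", p, re.I))
    return bool(in_user_dir or NUMERIC_IN_WINDIR.search(p))

def triage(log):
    """Return (category, line) pairs for DDS lines an analyst should look at first."""
    hits = []
    for line in filter(None, map(str.strip, log.splitlines())):
        if (line[1:3] == ":\\" or line.startswith('"')) and suspicious_path(line):
            hits.append(("process from user-writable or odd path", line))        # Running Processes
        elif (m := RUN_ENTRY.match(line)) and suspicious_path(m["target"]):
            hits.append(("autorun pointing at a dropped file", line))            # uRun / mRun
        elif POLICY.match(line):
            hits.append(("policy hiding tools from the user", line))             # uPolicies
        elif m := SERVICE.match(line):
            no_name = not re.search(r"[a-z0-9]", m["display"], re.I)            # e.g. display name "!!!!"
            unverifiable = m["state"] == "?" and "program files" not in m["path"].lower()
            if no_name or unverifiable or m["state"] == "x":
                hits.append(("service/driver with missing or unverifiable file", line))
    return hits
```

Run against the full log it should surface nine entries from the excerpt while leaving Chrome, Spybot and the Symantec driver alone; the result is a review list, not a verdict.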

#2 mas_pogi

mas_pogi

    Carpal Tunnel of Love


  • Members
  • 1,473 posts
  • OFFLINE
  • Gender:Male
  • Location:Tokyo, JP
  • Local time:10:08 PM

Posted 25 January 2009 - 09:04 AM

Hello bcallam,

Welcome to Bleeping Computer.

My name is mas_pogi and I will be helping you with your malware problem.
As I am still in training I will be helping you under supervision of our expert teachers, so there may be a delay between posts.

Attention!

Please do not run any other tool until instructed to do so.
Please tell me about any problems that have occurred during the fix.
Please tell me of any other symptoms you may be having as these can help also.
Please try as much as possible not to run anything while executing a fix.
Please reply to this thread, do not start another.




You might want to save this page on your bookmark, so you can find it again when you return.

Firefox: Then click on Done.

IExplorer: Then click on Add.

Stay calm and everything will be just alright.

I will be analyzing your log. I will get back to you with instructions after it is approved.

With Regards,
mas_pogi

#3 bcallam

bcallam
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:09:08 PM

Posted 26 January 2009 - 08:51 AM

thanks mas_pogi

I look forward to hearing back from you.

#4 mas_pogi

mas_pogi

    Carpal Tunnel of Love


  • Members
  • 1,473 posts
  • OFFLINE
  • Gender:Male
  • Location:Tokyo, JP
  • Local time:10:08 PM

Posted 27 January 2009 - 04:30 PM

hi.

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. If you want to proceed, please follow the instructions below:

  • Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop
    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    • Double click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Posted Image


    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt and C:\QooBox\Add-Remove Programs.txt in your next reply.

  • Download GMER from here:
    http://www.gmer.net/files.php

    Unzip it to the desktop.

    Open the program and click on the Rootkit tab.
    Make sure all the boxes on the right of the screen are checked, EXCEPT for 'Show All'.
    Click on Scan.
    When the scan has run click Copy and paste the results (if any) into this thread.

  • Please do a scan with Kaspersky Online Scanner

    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

    Click on the Accept button and install any components it needs.
    • The program will install and then begin downloading the latest definition files.
    • After the files have been downloaded on the left side of the page in the Scan section select My Computer
    • This will start the program and scan your system.
    • The scan will take a while, so be patient and let it run.
    • Once the scan is complete, click on View scan report
    • Now, click on the Save Report as button.
    • Save the file to your desktop.
    • Copy and paste that information in your next post.
In your reply, please post

C:\combofix.txt
C:\QooBox\Add-Remove Programs.txt
Kaspersky scan result
GMER result


Mark

#5 mas_pogi

mas_pogi

    Carpal Tunnel of Love


  • Members
  • 1,473 posts
  • OFFLINE
  • Gender:Male
  • Location:Tokyo, JP
  • Local time:10:08 PM

Posted 29 January 2009 - 06:47 AM

hi.

Do you still need help?

Mark

#6 Carolyn

Carolyn

    Bleepin' kitten


  • Members
  • 2,131 posts
  • OFFLINE
  • Local time:09:08 PM

Posted 02 February 2009 - 10:54 AM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Member of ASAP (Alliance of Security Analysis Professionals)