Infected with PAKES trojan/rootkit and possibly other unknown malware



#1 Phox (Members)

Posted 13 February 2009 - 04:17 PM

==== Installed Programs ======================

µTorrent
7-Zip 4.65
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Default Language CS3
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Setup
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
Apple Software Update
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
Blender (remove only)
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
Catalyst Control Center HydraVision Full
ccc-core-preinstall
ccc-core-static
ccc-utility
CCC Help English
Choice Guard
Dual-Core Optimizer
Dystopia
Eternal Silence
GoldWave v5.25
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB954550-v5)
Malwarebytes' Anti-Malware
Messenger Plus! Live
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Corporation
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft LifeCam
Microsoft National Language Support Downlevel APIs
Microsoft Silverlight
Mozilla Firefox (3.0.6)
MSVCRT
NVIDIA Drivers
Open Command Prompt Shell Extension (x86-32)
PDF Settings
PowerMenu 1.51
Python 2.6.1
QuickTime
Radeon Omega Drivers v4.8.442 Setup Files and Tools
SecondLifeReleaseCandidate (remove only)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB958687)
Segoe UI
Skins
Skype™ 4.0
Spybot - Search & Destroy
SwarmPlayer (remove only)
Update for Windows XP (KB943729)
Update for Windows XP (KB955839)
VLC media player 0.9.8a
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Internet Explorer 7
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Format 11 runtime

==== End Of File ===========================


DDS (Ver_09-02-01.01) - NTFSx86
Run by Phoxy at 16:08:10.87 on Fri 02/13/2009
Internet Explorer: 7.0.5730.13

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mWinlogon: SfcDisable=-99 (0xffffff9d)
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - d:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
uRun: [SpybotSD TeaTimer] d:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [msnmsgr] "d:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Skype] "d:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [CTHelper] CTHELPER.EXE
mRun: [AtiPTA] atiptaxx.exe
mRun: [amd_dc_opt] d:\program files\amd\dual-core optimizer\amd_dc_opt.exe
mRun: [StartCCC] "d:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [Malwarebytes' Anti-Malware] "d:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRun: [hdllsbdi.exe] d:\windows\hdllsbdi.exe
dRun: [reader_s] d:\documents and settings\phoxy\reader_s.exe
dRun: [ntqvvvxx.exe] d:\windows\ntqvvvxx.exe
uPolicies-explorer: NoSMHelp = 1 (0x1)
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
uPolicies-explorer: NoResolveTrack = 1 (0x1)
uPolicies-explorer: NoInstrumentation = 1 (0x1)
uPolicies-explorer: NoSMMyPictures = 1 (0x1)
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
mPolicies-system: DisableCAD = 1 (0x1)
dPolicies-explorer: NoSMHelp = 1 (0x1)
dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
dPolicies-explorer: NoResolveTrack = 1 (0x1)
dPolicies-explorer: NoInstrumentation = 1 (0x1)
dPolicies-explorer: NoSMMyPictures = 1 (0x1)
dPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - d:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - d:\docume~1\phoxy\applic~1\mozilla\firefox\profiles\a2id2mfi.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: d:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-02-13 16:06 31,744 a---h--- d:\documents and settings\phoxy\smpkuv.exe
2009-02-13 16:06 164,292 a------- d:\windows\system32\A.tmp
2009-02-13 16:06 132 a------- d:\windows\system32\9.tmp
2009-02-13 16:05 31,744 a---h--- d:\documents and settings\phoxy\ufygi.exe
2009-02-13 16:05 53,248 a------- d:\windows\system32\drivers\ndisio.sys
2009-02-13 16:05 137,920 a------- d:\windows\system32\drivers\ethkfltn.sys
2009-02-13 16:05 47,104 a------- d:\windows\system32\reader_s.exe
2009-02-13 16:05 3,584 a------- d:\windows\ntqvvvxx.exe
2009-02-13 16:02 164,292 a------- d:\windows\system32\5.tmp
2009-02-13 16:02 132 a------- d:\windows\system32\4.tmp
2009-02-13 15:47 47,616 a------- d:\documents and settings\phoxy\reader_s.exe
2009-02-13 15:44 132 a------- d:\windows\system32\3.tmp
2009-02-13 15:36 2 a--shrot d:\windows\winstart.bat
2009-02-13 15:36 <DIR> --d----- d:\program files\UnHackMe
2009-02-13 15:13 <DIR> --d----- d:\program files\Trend Micro
2009-02-13 14:18 <DIR> --d----- d:\windows\pss
2009-02-13 14:17 <DIR> --d----- d:\docume~1\phoxy\applic~1\Malwarebytes
2009-02-13 14:17 15,504 a------- d:\windows\system32\drivers\mbam.sys
2009-02-13 14:17 38,496 a------- d:\windows\system32\drivers\mbamswissarmy.sys
2009-02-13 14:17 <DIR> --d----- d:\program files\Malwarebytes' Anti-Malware
2009-02-13 14:17 <DIR> --d----- d:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-13 14:06 182,656 a------- d:\windows\system32\dllcache\ndis.sys
2009-02-13 14:06 67,072 ----h--- d:\windows\system32\secupdat.dat
2009-02-13 00:07 <DIR> --d----- d:\docume~1\phoxy\applic~1\.SwarmPlayer
2009-02-13 00:07 <DIR> --d----- d:\docume~1\phoxy\applic~1\.Tribler
2009-02-13 00:06 <DIR> --d----- d:\program files\SwarmPlayer
2009-02-12 01:29 3,550,592 a------- d:\program files\procexp.exe
2009-02-11 16:56 1,428 a------- d:\windows\system32\drivers\nvphy.bin
2009-02-11 16:51 34,304 a------- d:\windows\system32\drivers\AmdLLD.sys
2009-02-11 16:51 <DIR> --d----- d:\program files\AMD
2009-02-11 16:40 <DIR> --d----- D:\Python26
2009-02-11 16:31 <DIR> --d----- d:\program files\Blender Foundation
2009-02-11 16:10 <DIR> --d----- d:\program files\GoldWave
2009-02-11 15:43 <DIR> --d----- d:\docume~1\phoxy\applic~1\atitray
2009-02-11 14:08 136,272 a------- d:\windows\system32\atmenuxx.hlp
2009-02-11 14:08 40,651 a------- d:\windows\system32\attenuxx.hlp
2009-02-11 14:08 23,224 a------- d:\windows\system32\atfenuxx.hlp
2009-02-11 08:54 614,400 -------- d:\windows\system32\ati2sgag.exe
2009-02-11 08:50 10 a------- d:\windows\WININIT.INI
2009-02-11 08:43 3,227,648 a------- d:\windows\system32\Amdcaldd.dll
2009-02-11 08:43 577,536 a------- d:\windows\system32\ati2cqag.dll
2009-02-11 08:43 48,640 a------- d:\windows\system32\amdpcom32.dll
2009-02-11 08:43 45,056 a------- d:\windows\system32\amdcalrt.dll
2009-02-11 08:43 45,056 a------- d:\windows\system32\amdcalcl.dll
2009-02-10 18:17 <DIR> --d----- d:\docume~1\phoxy\applic~1\Imprudence
2009-02-10 16:11 <DIR> --d----- d:\program files\Bonjour
2009-02-10 16:07 <DIR> --d----- d:\program files\common files\Macrovision Shared
2009-02-10 12:44 <DIR> --d----- D:\ATI
2009-02-10 10:42 <DIR> --d----- d:\docume~1\alluse~1\applic~1\Messenger Plus!
2009-02-10 08:47 <DIR> --d----- d:\program files\VideoLAN
2009-02-10 08:20 <DIR> --d----- d:\program files\uTorrent
2009-02-10 08:20 <DIR> --d----- d:\docume~1\phoxy\applic~1\uTorrent
2009-02-10 08:18 <DIR> --d-h--- d:\windows\PIF
2009-02-10 08:04 1,964,816 a------- d:\windows\system32\drivers\VX3000.sys
2009-02-10 08:04 721,936 a------- d:\windows\vVX3000.exe
2009-02-10 08:04 566,288 a------- d:\windows\system32\LcProxy.ax
2009-02-10 08:04 218,128 a------- d:\windows\vVX3000.dll
2009-02-10 08:04 189,456 a------- d:\windows\system32\cVX3000.dll
2009-02-10 08:04 185,360 a------- d:\windows\system32\LCCoin20.dll
2009-02-10 08:04 111,632 a------- d:\windows\VX3000.dll
2009-02-10 08:04 15,498 a------- d:\windows\VX3000.ini
2009-02-10 08:04 13,023 a------- d:\windows\VX3000.src
2009-02-10 08:04 <DIR> --d----- d:\program files\Microsoft LifeCam
2009-02-10 08:03 316,640 a------- d:\windows\WMSysPr9.prx
2009-02-10 08:03 3,727,720 a------- d:\windows\system32\d3dx9_35.dll
2009-02-10 08:03 <DIR> --d----- d:\windows\system32\DirectX
2009-02-10 08:00 <DIR> --d----- d:\program files\Messenger Plus! Live
2009-02-10 07:40 <DIR> --d----- d:\program files\Windows Live SkyDrive
2009-02-10 07:38 <DIR> --d----- d:\windows\system32\appmgmt
2009-02-10 07:27 <DIR> --d--r-- d:\program files\Skype
2009-02-10 07:17 <DIR> --d----- d:\program files\PowerMenu
2009-02-10 07:10 <DIR> --d----- d:\documents and settings\phoxy\Tracing
2009-02-10 07:08 <DIR> --d----- d:\program files\Microsoft
2009-02-10 07:05 <DIR> --d----- d:\program files\common files\Windows Live
2009-02-10 07:03 5,504 a------- d:\windows\system32\drivers\MSTEE.sys
2009-02-10 07:03 15,232 a------- d:\windows\system32\drivers\MPE.sys
2009-02-10 07:00 171,520 a------- d:\windows\system32\drivers\atinavt2.sys
2009-02-10 07:00 106,496 a------- d:\windows\system32\atinppt2.ax
2009-02-10 07:00 64,352 a------- d:\windows\system32\drivers\ativmc01.cod
2009-02-10 07:00 <DIR> --d----- d:\program files\ATI Technologies
2009-02-10 06:42 <DIR> --d----- d:\program files\Spybot - Search & Destroy
2009-02-10 06:42 <DIR> --d----- d:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-02-10 06:36 4,958,588 a------- d:\windows\{00000001-00000000-00000007-00001102-00000004-10071102}.BAK
2009-02-10 06:35 31,056 a------- d:\windows\system32\BMXStateBkp-{00000001-00000000-00000007-00001102-00000004-10071102}.rfx
2009-02-10 06:35 31,056 a------- d:\windows\system32\BMXState-{00000001-00000000-00000007-00001102-00000004-10071102}.rfx
2009-02-10 06:35 30,528 a------- d:\windows\system32\BMXCtrlState-{00000001-00000000-00000007-00001102-00000004-10071102}.rfx
2009-02-10 06:35 30,528 a------- d:\windows\system32\BMXBkpCtrlState-{00000001-00000000-00000007-00001102-00000004-10071102}.rfx
2009-02-10 06:35 11,564 a------- d:\windows\system32\DVCState-{00000001-00000000-00000007-00001102-00000004-10071102}.rfx
2009-02-09 20:00 <DIR> --d----- d:\windows\system32\XPSViewer
2009-02-09 20:00 614,400 -------- d:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-02-09 20:00 117,760 -------- d:\windows\system32\prntvpt.dll
2009-02-09 20:00 89,088 -------- d:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-02-09 20:00 575,488 -------- d:\windows\system32\xpsshhdr.dll
2009-02-09 20:00 575,488 -------- d:\windows\system32\dllcache\xpsshhdr.dll
2009-02-09 20:00 1,676,288 -------- d:\windows\system32\xpssvcs.dll
2009-02-09 20:00 1,676,288 -------- d:\windows\system32\dllcache\xpssvcs.dll
2009-02-09 19:53 26,488 a------- d:\windows\system32\spupdsvc.exe
2009-02-09 19:46 <DIR> --d----- d:\windows\system32\ReinstallBackups
2009-02-09 19:46 4,958,588 a------- d:\windows\{00000001-00000000-00000007-00001102-00000004-10071102}.CDF
2009-02-09 19:46 86,016 a------- d:\windows\system32\cttele.dll
2009-02-09 19:46 409,600 a------- d:\windows\system32\wrap_oal.dll
2009-02-09 19:46 114,688 a------- d:\windows\system32\OpenAL32.dll
2009-02-09 19:45 <DIR> --d----- d:\windows\system32\data
2009-02-09 19:45 <DIR> --d----- d:\windows\system32\URTTemp
2009-02-09 19:40 333,952 -------- d:\windows\system32\dllcache\srv.sys
2009-02-09 19:40 361,600 -------- d:\windows\system32\dllcache\tcpip.sys
2009-02-09 19:40 245,248 -------- d:\windows\system32\dllcache\mswsock.dll
2009-02-09 19:40 225,856 -------- d:\windows\system32\dllcache\tcpip6.sys
2009-02-09 19:40 147,968 -------- d:\windows\system32\dllcache\dnsapi.dll
2009-02-09 19:40 138,496 -------- d:\windows\system32\dllcache\afd.sys
2009-02-09 19:37 <DIR> --d----- d:\documents and settings\phoxy\Contacts
2009-02-09 19:36 <DIR> --d----- d:\docume~1\phoxy\applic~1\tor
2009-02-09 19:36 22,328 a------- d:\docume~1\phoxy\applic~1\PnkBstrK.sys
2009-02-09 19:36 31,768 a------- d:\windows\system32\wucltui.dll.mui
2009-02-09 19:36 23,576 a------- d:\windows\system32\wuaucpl.cpl.mui
2009-02-09 19:36 23,576 a------- d:\windows\system32\wuapi.dll.mui
2009-02-09 19:36 18,456 a------- d:\windows\system32\wuaueng.dll.mui
2009-02-09 19:36 <DIR> --d----- d:\windows\system32\SoftwareDistribution
2009-02-09 19:35 <DIR> --dsh--- d:\documents and settings\phoxy\UserData
2009-02-09 19:34 <DIR> --d----- d:\documents and settings\Phoxy
2009-02-09 19:32 5,810 a----r-- d:\windows\system32\drivers\ASACPI.sys
2009-02-09 19:32 24,991 a------- d:\windows\Ascd_tmp.ini
2009-02-09 19:32 5,824 a------- d:\windows\system32\drivers\ASUSHWIO.SYS
2009-02-09 19:32 <DIR> --ds---- d:\windows\system32\Microsoft
2009-02-09 19:31 <DIR> --d-h--- d:\windows\$hf_mig$
2009-02-09 19:30 <DIR> --d-h--- d:\program files\WindowsUpdate
2009-02-09 19:30 <DIR> --d----- d:\program files\common files\MSSoap
2009-02-09 19:29 <DIR> --d----- d:\program files\Windows NT
2009-02-09 13:25 <DIR> --d----- d:\program files\common files\ODBC
2009-02-09 13:25 <DIR> --d--r-- d:\documents and settings\all users\Documents

==================== Find3M ====================

2009-02-13 14:06 182,656 a------- d:\windows\system32\drivers\ndis.sys
2009-02-11 16:47 90,112 a------- d:\windows\DUMP255a.tmp
2009-02-11 16:38 90,112 a------- d:\windows\DUMP2480.tmp
2009-02-11 15:39 90,112 a------- d:\windows\DUMP247f.tmp
2009-02-11 13:47 94,208 a------- d:\windows\DUMP2e82.tmp
2009-02-11 13:27 94,208 a------- d:\windows\DUMP3325.tmp
2009-02-11 12:27 94,208 a------- d:\windows\DUMP24be.tmp
2009-02-09 19:29 21,640 a------- d:\windows\system32\emptyregdb.dat
2008-12-13 20:49 2,023,936 a------- d:\windows\system32\ntkrnlpa.exe
2008-12-13 20:49 483,840 a------- d:\windows\system32\wzcsvc.dll
2008-12-13 20:49 52,736 a------- d:\windows\system32\wzcsapi.dll
2008-12-13 20:49 52,224 a------- d:\windows\system32\dmutil.dll
2008-12-13 20:49 35,328 a------- d:\windows\system32\pid.dll
2008-12-13 20:49 23,552 a------- d:\windows\system32\wdmaud.drv
2008-12-13 20:49 20,992 a------- d:\windows\system32\hid.dll
2008-12-13 20:49 15,104 a------- d:\windows\system32\usbscan.sys
2008-12-13 20:49 72,192 a------- d:\windows\system32\dvdplay.exe
2008-12-13 20:49 8,192 a------- d:\windows\system32\streamci.dll
2008-12-13 20:49 5,632 a------- d:\windows\system32\ptpusb.dll
2008-12-13 20:48 218,624 a------- d:\windows\system32\uxtheme.dll
2008-12-13 20:48 140,288 a------- d:\windows\system32\sfc_os.dll
2008-12-13 20:48 990,208 a------- d:\windows\system32\syssetup.dll
2008-12-13 00:40 3,593,216 -------- d:\windows\system32\dllcache\mshtml.dll
2008-12-04 16:52 2,131,968 a------- d:\windows\system32\python26.dll
2008-12-02 22:37 49,480 a------- d:\windows\system32\sirenacm.dll

============= FINISH: 16:08:24.71 ===============

Here are the logs. I ran Spybot and Malwarebytes to attempt a fix before posting here, as well as Autoruns to try to remove the infected files, but I believe the rootkit has added itself to winlogon.exe, as it keeps loading random .tmp files and creating extra svchost.exe processes as soon as I connect to the internet. Windows Firewall is active.

I appreciate any help I can get. A full scan with Malwarebytes revealed Trojan.Agent and Rootkit.Agent, and I also have a file named reader_s.exe that keeps coming back even after I delete it.

Just wanted to mention, I tried posting a gmer log, but it won't run.

Edited by Phox, 13 February 2009 - 08:44 PM.
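One way to triage the autorun and "Created Last 30" sections of a DDS log like the one above, as an added example that is not part of the original post and is not DDS's own code. SAMPLE_LOG is a constructed subset of the posted lines. Every rule is an analyst assumption fitted to what this log shows rather than a vendor signature: files dropped directly in the Windows root or a user profile root, autoruns under the dRun prefix (which DDS uses for the default-user hive), names with almost no vowels, kernel drivers created within a day of the newest entry, a second copy of a flagged autorun's file elsewhere, and a non-zero SfcDisable value under Winlogon (the setting that turns Windows File Protection off). The known-good driver list is something the analyst supplies from the installed-programs section; here it is Malwarebytes' own drivers, installed the same afternoon.

```python
"""Heuristic triage of the autorun and new-file sections of a DDS log.

Added example; not code from the original post or from DDS.  Every rule is an
analyst assumption fitted to the posted log, not a vendor signature.
"""
import re
from datetime import datetime, timedelta

# Constructed sample: a subset of lines copied from the posted DDS log.
SAMPLE_LOG = r"""
mWinlogon: SfcDisable=-99 (0xffffff9d)
uRun: [SpybotSD TeaTimer] d:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [Malwarebytes' Anti-Malware] "d:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRun: [hdllsbdi.exe] d:\windows\hdllsbdi.exe
dRun: [reader_s] d:\documents and settings\phoxy\reader_s.exe
dRun: [ntqvvvxx.exe] d:\windows\ntqvvvxx.exe
2009-02-13 16:06 31,744 a---h--- d:\documents and settings\phoxy\smpkuv.exe
2009-02-13 16:05 53,248 a------- d:\windows\system32\drivers\ndisio.sys
2009-02-13 16:05 137,920 a------- d:\windows\system32\drivers\ethkfltn.sys
2009-02-13 16:05 47,104 a------- d:\windows\system32\reader_s.exe
2009-02-13 14:17 15,504 a------- d:\windows\system32\drivers\mbam.sys
2009-02-11 16:51 34,304 a------- d:\windows\system32\drivers\AmdLLD.sys
2009-02-10 08:04 1,964,816 a------- d:\windows\system32\drivers\VX3000.sys
"""

RUN_RE = re.compile(r"^(?P<hive>[umd])Run: \[(?P<name>[^\]]*)\] (?P<rest>.+)$")
FILE_RE = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
                     r"(?P<size><DIR>|[\d,]+) (?P<attrs>\S{8}) (?P<path>.+)$")
SFC_RE = re.compile(r"^mWinlogon: SfcDisable=(?P<value>-?\d+)")
VOWELS = set("aeiouy")


def extract_path(rest):
    """Path from the text after '[name] ': a quoted path ends at the closing
    quote; an unquoted one ends where a ' /x' or ' -x' switch begins."""
    if rest.startswith('"'):
        end = rest.find('"', 1)
        return rest[1:end] if end > 0 else rest[1:]
    return re.split(r" (?=[/-]\w)", rest, maxsplit=1)[0]


def looks_random(stem):
    """Crude entropy proxy: six or more letters with at most 20% vowels.
    Catches hdllsbdi/ntqvvvxx/smpkuv but also trips on abbreviations such as
    AmdLLD, so it is only ever one contributing reason."""
    letters = [c for c in stem.lower() if c.isalpha()]
    if len(letters) < 6:
        return False
    return sum(c in VOWELS for c in letters) / len(letters) <= 0.2


def unusual_dir(path):
    """Files directly in the Windows root or a user profile root: installers
    use Program Files or system32, droppers frequently do not (assumption)."""
    parts = path.lower().split("\\")
    if len(parts) == 3 and parts[1] == "windows":
        return "file in Windows root"
    if len(parts) == 4 and parts[1] == "documents and settings":
        return "file in user profile root"
    return None


def triage(log_text, window_days=1, known_good_drivers=frozenset()):
    """Return [(item, [reasons]), ...] for entries an analyst should look at.
    known_good_drivers: lower-case .sys names already tied to a legitimate
    install (analyst-supplied, e.g. Malwarebytes' drivers from the same day)."""
    findings, files, flagged_names = [], [], set()
    for line in log_text.splitlines():
        line = line.strip()
        if (m := SFC_RE.match(line)) and int(m.group("value")) != 0:
            findings.append(("SfcDisable=" + m.group("value"),
                             ["Windows File Protection switched off in Winlogon"]))
        elif m := RUN_RE.match(line):
            path = extract_path(m.group("rest"))
            name = path.rsplit("\\", 1)[-1]
            reasons = []
            if where := unusual_dir(path):
                reasons.append(where)
            if looks_random(name.rsplit(".", 1)[0]):
                reasons.append("random-looking file name")
            if m.group("hive") == "d":
                reasons.append("autorun in the .DEFAULT user hive")
            if reasons:
                findings.append((path, reasons))
                flagged_names.add(name.lower())
        elif m := FILE_RE.match(line):
            when = datetime.strptime(m.group("date") + " " + m.group("time"), "%Y-%m-%d %H:%M")
            files.append((when, m.group("path")))
    if not files:
        return findings
    newest = max(when for when, _ in files)
    for when, path in files:
        name = path.rsplit("\\", 1)[-1]
        reasons = []
        if newest - when <= timedelta(days=window_days):
            if name.lower().endswith(".sys") and name.lower() not in known_good_drivers:
                reasons.append("driver created within %d day(s) of the newest entry" % window_days)
            if looks_random(name.rsplit(".", 1)[0]):
                reasons.append("random-looking file name")
        if where := unusual_dir(path):
            reasons.append(where)
        if name.lower() in flagged_names:
            reasons.append("same file name as a flagged autorun")
        if reasons:
            findings.append((path, reasons))
    return findings


if __name__ == "__main__":
    for item, reasons in triage(SAMPLE_LOG, known_good_drivers={"mbam.sys", "mbamswissarmy.sys"}):
        print(item, "->", "; ".join(reasons))
```

The output is a list of leads, not a verdict: the vowel test is deliberately crude and only contributes inside the time window, and the driver rule depends on the analyst feeding it the drivers that the installed-programs section already explains. The name cross-check is there for exactly the behaviour the poster describes: reader_s.exe appears as a dRun entry in the profile root and again as a fresh copy in system32, which is the kind of second copy that restores the file after the first one is deleted.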



#2 extremeboy (Malware Response Team)

Posted 23 February 2009 - 06:26 PM

Hello.

Very nasty infection you have. You may want to consider formatting/reinstalling. If you don't, let me know and we will begin the disinfection process.

Backdoor Threat

IMPORTANT NOTE: Unfortunately, one or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

With Regards,
Extremeboy



