Infected with atlsystemXXXXXX.exe


  • This topic is locked
2 replies to this topic

#1 homecomputeraid

homecomputeraid

  • Members
  • 2 posts
  • OFFLINE
  • Location:Rochester area, New York, USA
  • Local time:07:59 AM

Posted 23 February 2009 - 06:49 PM

Windows XP Professional system is infected with a virus or malware that makes files that start with atlsystem and end with .exe. In between atlsystem and .exe there are random numbers. MalwareBytes detects and says it removes them, but there is some underlying component that isn't removed. The files come back after reboot.

DDS Log Contents:

DDS (Ver_09-02-01.01) - NTFSx86
Run by nreitter at 18:39:59.64 on 2009-02-23
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1439 [GMT -5:00]

AV: eTrust ITM *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\DellTPad\Apoint.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\nreitter\My Documents\Downloads\DDS\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [KADxMain] c:\windows\system32\KADxMain.exe
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [Realtime Monitor] "c:\program files\ca\etrustitm\realmon.exe" -s
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{14fcfe7c-ab86-428a-9d2e-bfb6f5a7aa6e}\Icon3E5562ED7.ico
uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)
uPolicies-explorer: DisablePersonalDirChange = 1 (0x1)
uPolicies-explorer: NoWelcomeScreen = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1235403139892
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1235403130658
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Notification Packages = scecli s t e m 3 2 \ i n o b u . d l

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\nreitter\applic~1\mozilla\firefox\profiles\xw51chwf.default\

============= SERVICES / DRIVERS ===============

R2 eq2soft;Service Eset;c:\windows\system32\svchost.exe -k netsvcs [2004-8-11 14336]
R2 netmantow;Network Connections.;c:\windows\system32\svchost.exe -k netsvcs [2004-8-11 14336]
S2 softyinforwow1;.Freame Micer;c:\windows\system32\svchost.exe -k netsvcs [2004-8-11 14336]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]

============== File Associations ===============

txtfile="c:\windows\system32\nxtepad.exe" "%1"

=============== Created Last 30 ================

2009-02-23 17:18 59,904 a------- c:\windows\system32\atlsystem429956.exe
2009-02-23 17:18 59,904 a------- c:\windows\system32\atlsystem663724.exe
2009-02-23 17:18 59,904 a------- c:\windows\system32\atlsystem882754.exe
2009-02-23 17:18 59,904 a------- c:\windows\system32\atlsystem568713.exe
2009-02-23 17:18 131,072 a------- c:\windows\system32\atlsystem66447.exe
2009-02-23 17:18 122,880 a------- c:\windows\system32\atlsystem34844.exe
2009-02-23 17:18 97,792 a------- c:\windows\system32\atlsystem918628.exe
2009-02-23 15:40 59,904 a------- c:\windows\system32\atlsystem461558.exe
2009-02-23 15:40 59,904 a------- c:\windows\system32\atlsystem896885.exe
2009-02-23 15:40 59,904 a------- c:\windows\system32\atlsystem232131.exe
2009-02-23 15:40 59,904 a------- c:\windows\system32\atlsystem9850.exe
2009-02-23 15:40 131,072 a------- c:\windows\system32\atlsystem653661.exe
2009-02-23 15:40 122,880 a------- c:\windows\system32\atlsystem945467.exe
2009-02-23 15:40 97,792 a------- c:\windows\system32\atlsystem805520.exe
2009-02-23 15:36 86,016 a------- c:\windows\system32\u152395931.dll
2009-02-23 15:36 77,824 a------- c:\windows\system32\u1523630.dll
2009-02-23 15:36 59,904 a------- c:\windows\system32\atlsystem488833.exe
2009-02-23 15:36 59,904 a------- c:\windows\system32\atlsystem407560.exe
2009-02-23 14:54 86,016 a------- c:\windows\system32\u142345755.dll
2009-02-23 14:54 77,824 a------- c:\windows\system32\u142395749.dll
2009-02-23 14:12 86,016 a------- c:\windows\system32\u142370424.dll
2009-02-23 14:12 77,824 a------- c:\windows\system32\u142329818.dll
2009-02-23 14:07 <DIR> a-dshr-- C:\cmdcons
2009-02-23 14:06 161,792 a------- c:\windows\SWREG.exe
2009-02-23 14:06 98,816 a------- c:\windows\sed.exe
2009-02-23 13:39 <DIR> --d----- C:\hjt
2009-02-23 12:40 131,072 a------- c:\windows\system32\atlsystem85617.exe
2009-02-23 12:40 122,880 a------- c:\windows\system32\atlsystem71669.exe
2009-02-23 10:33 <DIR> --d----- c:\windows\pss
2009-02-23 10:32 23,576 a------- c:\windows\system32\wuapi.dll.mui
2009-02-23 10:19 86,016 a------- c:\windows\system32\u10233874.dll
2009-02-23 10:18 77,824 a------- c:\windows\system32\u10237459.dll
2009-02-23 08:21 <DIR> --d----- c:\docume~1\nreitter\applic~1\Malwarebytes
2009-02-23 08:21 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-23 08:21 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-23 08:20 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-23 08:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-23 08:15 86,016 a------- c:\windows\system32\u82357832.dll
2009-02-23 08:15 77,824 a------- c:\windows\system32\u82312528.dll
2009-02-23 06:57 135,168 a------- c:\windows\system32\atlsystem5738.exe
2009-02-22 17:21 86,016 a------- c:\windows\system32\u172275047.dll
2009-02-22 17:21 77,824 a------- c:\windows\system32\u172265645.dll
2009-02-22 17:15 86,016 a------- c:\windows\system32\u172295311.dll
2009-02-22 17:15 77,824 a------- c:\windows\system32\u17229067.dll
2009-02-22 16:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-02-22 16:48 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-02-22 16:48 <DIR> --d----- c:\docume~1\nreitter\applic~1\SUPERAntiSpyware.com
2009-02-22 16:28 86,016 a------- c:\windows\system32\u16221541.dll
2009-02-22 16:28 77,824 a------- c:\windows\system32\u1622040.dll
2009-02-22 15:41 86,016 a------- c:\windows\system32\u152235944.dll
2009-02-22 15:41 77,824 a------- c:\windows\system32\u152248443.dll
2009-02-21 19:06 86,016 a------- c:\windows\system32\u192185922.dll
2009-02-21 19:06 77,824 a------- c:\windows\system32\u192114019.dll
2009-02-21 12:35 65,536 a------- c:\windows\system32\der5609488.dll
2009-02-21 12:35 65,536 a------- c:\windows\system32\der7119346.dll
2009-02-21 12:33 86,016 a------- c:\windows\system32\u122131225.dll
2009-02-21 12:33 77,824 a------- c:\windows\system32\u122135920.dll
2009-02-21 12:32 65,536 a------- c:\windows\system32\der4559674.dll
2009-02-12 15:56 <DIR> --d----- c:\program files\Citrix
2009-02-12 15:56 60,744 a------- c:\documents and settings\nreitter\g2mdlhlpx.exe
2009-02-05 20:41 <DIR> --d----- c:\program files\MJ4120 SERIES
2009-02-05 20:40 <DIR> --d----- c:\program files\CdrPlayBack_MJPEG
2009-02-05 20:39 548,864 a------- c:\windows\system32\J2K_Decode.dll
2009-02-05 20:39 352,256 a------- c:\windows\system32\ijl15.dll
2009-02-05 20:39 327,680 a------- c:\windows\system32\kdu_v45R.dll
2009-02-04 17:08 <DIR> --d----- C:\fc018016df1fe2817d17cc58ff
2009-02-04 17:08 <DIR> --d----- c:\windows\SxsCaPendDel
2009-01-29 15:03 132 a------- c:\windows\ODBC.INI
2009-01-29 10:10 <DIR> --d----- C:\crystalreportviewers12
2009-01-29 10:09 42,847 a------t c:\windows\system32\ISUSMsg.rtf

==================== Find3M ====================

2009-02-23 08:18 81,556 a------- c:\windows\system32\nvModes.dat
2009-01-21 16:53 249,856 -------- c:\windows\Setup1.exe
2009-01-21 16:53 73,216 a------- c:\windows\ST6UNST.EXE
2009-01-16 21:35 3,594,752 -------- c:\windows\system32\dllcache\mshtml.dll
2009-01-06 08:38 35,328 a------- c:\windows\system32\drivers\ax88772.sys
2008-12-26 12:25 123,127 a------- c:\windows\HPHins12.dat
2008-12-25 08:13 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-19 04:10 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 04:10 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-12-19 00:25 634,024 -------- c:\windows\system32\dllcache\iexplore.exe
2008-12-19 00:23 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2008-12-11 05:57 333,952 -------- c:\windows\system32\dllcache\srv.sys

============= FINISH: 18:40:17.27 ===============

Ted LeRoy
MCSE(NT/2000), CCNA, A+
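The DDS "Created Last 30" section above is where the reinfection pattern shows: randomly numbered atlsystem*.exe, u*.dll and der*.dll files land directly in system32 in batches, and although the names change, the file sizes repeat (59,904 / 131,072 / 122,880 / 97,792 for the executables, 86,016 / 77,824 for the DLLs), which is what you expect when the same payloads are re-dropped after each clean-up. The script below is an added example, not part of this thread and not from the DDS tool's author; it parses a handful of lines excerpted from the log, flags the system32 drops whose names fit the pattern described in the post (that naming pattern is specific to this thread, not a general signature), groups them by creation minute so one dropper run is visible as one cluster, and tallies the repeated sizes.

```python
import re
from collections import Counter, defaultdict

# Lines excerpted from the "Created Last 30" section of the DDS log in the post above
# (a handful of the flagged entries plus a few legitimate ones for contrast).
DDS_CREATED = r"""
2009-02-23 17:18 59,904 a------- c:\windows\system32\atlsystem429956.exe
2009-02-23 17:18 131,072 a------- c:\windows\system32\atlsystem66447.exe
2009-02-23 15:36 86,016 a------- c:\windows\system32\u152395931.dll
2009-02-23 15:36 77,824 a------- c:\windows\system32\u1523630.dll
2009-02-23 15:36 59,904 a------- c:\windows\system32\atlsystem488833.exe
2009-02-23 14:07 <DIR> a-dshr-- C:\cmdcons
2009-02-23 08:21 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-21 12:35 65,536 a------- c:\windows\system32\der5609488.dll
2009-02-21 12:33 86,016 a------- c:\windows\system32\u122131225.dll
2009-01-29 15:03 132 a------- c:\windows\ODBC.INI
"""

# One DDS "Created" line: date time size attributes path
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+(\S+)\s+(.+?)\s*$"
)

# Naming pattern seen in this thread's log: a short fixed prefix followed by random digits.
# It is taken from the thread, not a general-purpose malware signature.
SUSPECT_NAME_RE = re.compile(r"^(atlsystem|u|der)\d+\.(exe|dll)$", re.IGNORECASE)


def parse_dds_created(text):
    """Parse DDS 'Created Last 30' lines into dicts; directories get size None."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        stamp, size, attrs, path = m.groups()
        folder, _, name = path.rpartition("\\")
        entries.append({
            "stamp": stamp,
            "size": None if size == "<DIR>" else int(size.replace(",", "")),
            "attrs": attrs,
            "folder": folder,
            "name": name,
        })
    return entries


def flag_suspicious(entries):
    """Keep files dropped directly into system32 whose names match the thread's pattern."""
    return [
        e for e in entries
        if e["size"] is not None
        and e["folder"].lower().endswith(r"\windows\system32")
        and SUSPECT_NAME_RE.match(e["name"])
    ]


def cluster_by_minute(flagged):
    """Group flagged files by creation minute: files dropped together share one dropper run."""
    clusters = defaultdict(list)
    for e in flagged:
        clusters[e["stamp"]].append(e["name"])
    return dict(clusters)


def size_histogram(flagged):
    """Random names but a few fixed sizes point at the same payloads being re-dropped."""
    return Counter(e["size"] for e in flagged)


if __name__ == "__main__":
    flagged = flag_suspicious(parse_dds_created(DDS_CREATED))
    for stamp, names in sorted(cluster_by_minute(flagged).items(), reverse=True):
        print(stamp, ", ".join(names))
    print("repeated sizes:", size_histogram(flagged).most_common())
```

Run against the full log the same way, the clusters line up with the timestamps in the post (12:40, 15:36, 15:40, 17:18 on the 23rd), which is the quickest way to see that Malwarebytes' deletions are being undone by something that is still resident rather than by a one-off infection.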

#2 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:08:59 PM

Posted 25 February 2009 - 02:00 PM

Delete your version of ComboFix and download a fresh one from below, then save it on the Desktop.. but DO NOT run it yet..

Link 1
Link 2
Link 3




NEXT


Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..


1. Please open Notepad
  • If you don't know how, just go to Start >> Run >> copy/paste notepad.exe >> Enter
2. Now copy/paste the entire content of the codebox below into the Notepad window:

http://www.bleepingcomputer.com/forums/t/205983/infected-with-atlsystemxxxxxxexe/

KillAll::

NetSvc::
softyinforwow1
eq2soft
netmantow

Driver::
softyinforwow1
eq2soft
netmantow

Collect::
c:\windows\system32\atlsystem429956.exe
c:\windows\system32\atlsystem663724.exe
c:\windows\system32\atlsystem882754.exe
c:\windows\system32\atlsystem568713.exe
c:\windows\system32\atlsystem66447.exe
c:\windows\system32\atlsystem34844.exe
c:\windows\system32\atlsystem918628.exe
c:\windows\system32\atlsystem461558.exe
c:\windows\system32\atlsystem896885.exe
c:\windows\system32\atlsystem232131.exe
c:\windows\system32\atlsystem9850.exe
c:\windows\system32\atlsystem653661.exe
c:\windows\system32\atlsystem945467.exe
c:\windows\system32\atlsystem805520.exe
c:\windows\system32\u152395931.dll
c:\windows\system32\u1523630.dll
c:\windows\system32\atlsystem488833.exe
c:\windows\system32\atlsystem407560.exe
c:\windows\system32\u142345755.dll
c:\windows\system32\u142395749.dll
c:\windows\system32\u142370424.dll
c:\windows\system32\u142329818.dll
c:\windows\system32\atlsystem85617.exe
c:\windows\system32\atlsystem71669.exe
c:\windows\system32\u10233874.dll
c:\windows\system32\u10237459.dll
c:\windows\system32\u82357832.dll
c:\windows\system32\u82312528.dll
c:\windows\system32\atlsystem5738.exe
c:\windows\system32\u172275047.dll
c:\windows\system32\u172265645.dll
c:\windows\system32\u172295311.dll
c:\windows\system32\u17229067.dll
c:\windows\system32\u16221541.dll
c:\windows\system32\u1622040.dll
c:\windows\system32\u152235944.dll
c:\windows\system32\u152248443.dll
c:\windows\system32\u192185922.dll
c:\windows\system32\u192114019.dll
c:\windows\system32\der5609488.dll
c:\windows\system32\der7119346.dll
c:\windows\system32\u122131225.dll
c:\windows\system32\u122135920.dll
c:\windows\system32\der4559674.dll

Registry::
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.
**Note**

When ComboFix finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
  • Simply follow the instructions to copy/paste/send the requested file.

Edited by fenzodahl512, 25 February 2009 - 02:02 PM.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive
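The Registry:: block in the CFScript above deserves a closer look, because it is the part of the fix that addresses the reinfection rather than the dropped files. The DLLs listed in the LSA "Notification Packages" value are loaded by lsass.exe and are told about every password change, and the DDS log shows that value had been extended with an extra entry. The hex(7) string in the script is a REG_MULTI_SZ written REGEDIT4-style, one byte per character, and it restores the value to just "scecli". The script below is an added example, not from the thread or from ComboFix's author: it decodes that hex(7) value, re-encodes a list the other way, and checks a decoded list against a baseline; the baseline (only scecli on a stand-alone XP workstation) is an assumption for this example, and the tampered package name used to show the check firing is made up.

```python
import re

# The Registry:: fix from the CFScript above, verbatim.
CFSCRIPT_REGISTRY = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
'''

# Assumed baseline: on a stand-alone XP workstation only scecli is expected here.
KNOWN_GOOD = {"scecli"}


def decode_multi_sz(hex7):
    """Decode REGEDIT4-style hex(7) (one byte per character) into a list of strings."""
    data = bytes(int(h, 16) for h in hex7.split(",") if h.strip())
    # Each string is NUL-terminated; the list ends with one more NUL.
    return [p.decode("latin-1") for p in data.split(b"\x00") if p]


def encode_multi_sz(strings):
    """Inverse of decode_multi_sz: the comma-separated byte list a .reg/CFScript carries after 'hex(7):'."""
    data = b"".join(s.encode("latin-1") + b"\x00" for s in strings) + b"\x00"
    return ",".join(f"{b:02x}" for b in data)


def notification_packages_from_script(text):
    """Pull the Notification Packages value out of a Registry:: block and decode it."""
    m = re.search(r'"Notification Packages"=hex\(7\):([0-9a-fA-F,\s]+)', text)
    if not m:
        return None
    return decode_multi_sz(m.group(1))


def unexpected_packages(packages, known_good=KNOWN_GOOD):
    """Entries outside the baseline: each is a DLL lsass will load and hand password changes to."""
    return [p for p in packages if p.lower() not in known_good]


def live_notification_packages():
    """Read the live value on a Windows host (returns None on other platforms)."""
    try:
        import winreg
    except ImportError:
        return None
    key_path = r"SYSTEM\CurrentControlSet\Control\Lsa"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as k:
        value, _ = winreg.QueryValueEx(k, "Notification Packages")
    return list(value)


if __name__ == "__main__":
    restored = notification_packages_from_script(CFSCRIPT_REGISTRY)
    print("script restores:", restored, "unexpected:", unexpected_packages(restored))
    # Constructed tampered value (the second name is made up) to show the check firing.
    tampered = decode_multi_sz(encode_multi_sz(["scecli", "notarealpkg"]))
    print("tampered value:", tampered, "unexpected:", unexpected_packages(tampered))
    live = live_notification_packages()
    if live is not None:
        print("this host:", live, "unexpected:", unexpected_packages(live))
```

On a domain controller the baseline is longer (the DC-specific packages belong there), so adjust KNOWN_GOOD to what the host legitimately runs before trusting the "unexpected" list; the point of the check is that anything in this value which you did not put there is worth explaining.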


#3 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:08:59 PM

Posted 04 March 2009 - 04:57 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive




