Infected with atlsystemXXXXXX.exe

Windows XP Professional system is infected with a virus or malware that makes files that start with atlsystem and end with .exe. In between atlsystem and .exe there are random numbers. MalwareBytes detects and says it removes them, but there is some underlying component that isn't removed. The files come back after reboot.

DDS Log Contents:

DDS (Ver_09-02-01.01) - NTFSx86
Run by nreitter at 18:39:59.64 on 2009-02-23
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1439 [GMT -5:00]

AV: eTrust ITM *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\DellTPad\Apoint.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\nreitter\My Documents\Downloads\DDS\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [KADxMain] c:\windows\system32\KADxMain.exe
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [Realtime Monitor] "c:\program files\ca\etrustitm\realmon.exe" -s
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{14fcfe7c-ab86-428a-9d2e-bfb6f5a7aa6e}\Icon3E5562ED7.ico
uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)
uPolicies-explorer: DisablePersonalDirChange = 1 (0x1)
uPolicies-explorer: NoWelcomeScreen = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1235403139892
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1235403130658
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Notification Packages = scecli s t e m 3 2 \ i n o b u . d l

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\nreitter\applic~1\mozilla\firefox\profiles\xw51chwf.default\

============= SERVICES / DRIVERS ===============

R2 eq2soft;Service Eset;c:\windows\system32\svchost.exe -k netsvcs [2004-8-11 14336]
R2 netmantow;Network Connections.;c:\windows\system32\svchost.exe -k netsvcs [2004-8-11 14336]
S2 softyinforwow1;.Freame Micer;c:\windows\system32\svchost.exe -k netsvcs [2004-8-11 14336]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]

============== File Associations ===============

txtfile="c:\windows\system32\nxtepad.exe" "%1"

=============== Created Last 30 ================

2009-02-23 17:18 59,904 a------- c:\windows\system32\atlsystem429956.exe
2009-02-23 17:18 59,904 a------- c:\windows\system32\atlsystem663724.exe
2009-02-23 17:18 59,904 a------- c:\windows\system32\atlsystem882754.exe
2009-02-23 17:18 59,904 a------- c:\windows\system32\atlsystem568713.exe
2009-02-23 17:18 131,072 a------- c:\windows\system32\atlsystem66447.exe
2009-02-23 17:18 122,880 a------- c:\windows\system32\atlsystem34844.exe
2009-02-23 17:18 97,792 a------- c:\windows\system32\atlsystem918628.exe
2009-02-23 15:40 59,904 a------- c:\windows\system32\atlsystem461558.exe
2009-02-23 15:40 59,904 a------- c:\windows\system32\atlsystem896885.exe
2009-02-23 15:40 59,904 a------- c:\windows\system32\atlsystem232131.exe
2009-02-23 15:40 59,904 a------- c:\windows\system32\atlsystem9850.exe
2009-02-23 15:40 131,072 a------- c:\windows\system32\atlsystem653661.exe
2009-02-23 15:40 122,880 a------- c:\windows\system32\atlsystem945467.exe
2009-02-23 15:40 97,792 a------- c:\windows\system32\atlsystem805520.exe
2009-02-23 15:36 86,016 a------- c:\windows\system32\u152395931.dll
2009-02-23 15:36 77,824 a------- c:\windows\system32\u1523630.dll
2009-02-23 15:36 59,904 a------- c:\windows\system32\atlsystem488833.exe
2009-02-23 15:36 59,904 a------- c:\windows\system32\atlsystem407560.exe
2009-02-23 14:54 86,016 a------- c:\windows\system32\u142345755.dll
2009-02-23 14:54 77,824 a------- c:\windows\system32\u142395749.dll
2009-02-23 14:12 86,016 a------- c:\windows\system32\u142370424.dll
2009-02-23 14:12 77,824 a------- c:\windows\system32\u142329818.dll
2009-02-23 14:07 <DIR> a-dshr-- C:\cmdcons
2009-02-23 14:06 161,792 a------- c:\windows\SWREG.exe
2009-02-23 14:06 98,816 a------- c:\windows\sed.exe
2009-02-23 13:39 <DIR> --d----- C:\hjt
2009-02-23 12:40 131,072 a------- c:\windows\system32\atlsystem85617.exe
2009-02-23 12:40 122,880 a------- c:\windows\system32\atlsystem71669.exe
2009-02-23 10:33 <DIR> --d----- c:\windows\pss
2009-02-23 10:32 23,576 a------- c:\windows\system32\wuapi.dll.mui
2009-02-23 10:19 86,016 a------- c:\windows\system32\u10233874.dll
2009-02-23 10:18 77,824 a------- c:\windows\system32\u10237459.dll
2009-02-23 08:21 <DIR> --d----- c:\docume~1\nreitter\applic~1\Malwarebytes
2009-02-23 08:21 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-23 08:21 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-23 08:20 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-23 08:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-23 08:15 86,016 a------- c:\windows\system32\u82357832.dll
2009-02-23 08:15 77,824 a------- c:\windows\system32\u82312528.dll
2009-02-23 06:57 135,168 a------- c:\windows\system32\atlsystem5738.exe
2009-02-22 17:21 86,016 a------- c:\windows\system32\u172275047.dll
2009-02-22 17:21 77,824 a------- c:\windows\system32\u172265645.dll
2009-02-22 17:15 86,016 a------- c:\windows\system32\u172295311.dll
2009-02-22 17:15 77,824 a------- c:\windows\system32\u17229067.dll
2009-02-22 16:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-02-22 16:48 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-02-22 16:48 <DIR> --d----- c:\docume~1\nreitter\applic~1\SUPERAntiSpyware.com
2009-02-22 16:28 86,016 a------- c:\windows\system32\u16221541.dll
2009-02-22 16:28 77,824 a------- c:\windows\system32\u1622040.dll
2009-02-22 15:41 86,016 a------- c:\windows\system32\u152235944.dll
2009-02-22 15:41 77,824 a------- c:\windows\system32\u152248443.dll
2009-02-21 19:06 86,016 a------- c:\windows\system32\u192185922.dll
2009-02-21 19:06 77,824 a------- c:\windows\system32\u192114019.dll
2009-02-21 12:35 65,536 a------- c:\windows\system32\der5609488.dll
2009-02-21 12:35 65,536 a------- c:\windows\system32\der7119346.dll
2009-02-21 12:33 86,016 a------- c:\windows\system32\u122131225.dll
2009-02-21 12:33 77,824 a------- c:\windows\system32\u122135920.dll
2009-02-21 12:32 65,536 a------- c:\windows\system32\der4559674.dll
2009-02-12 15:56 <DIR> --d----- c:\program files\Citrix
2009-02-12 15:56 60,744 a------- c:\documents and settings\nreitter\g2mdlhlpx.exe
2009-02-05 20:41 <DIR> --d----- c:\program files\MJ4120 SERIES
2009-02-05 20:40 <DIR> --d----- c:\program files\CdrPlayBack_MJPEG
2009-02-05 20:39 548,864 a------- c:\windows\system32\J2K_Decode.dll
2009-02-05 20:39 352,256 a------- c:\windows\system32\ijl15.dll
2009-02-05 20:39 327,680 a------- c:\windows\system32\kdu_v45R.dll
2009-02-04 17:08 <DIR> --d----- C:\fc018016df1fe2817d17cc58ff
2009-02-04 17:08 <DIR> --d----- c:\windows\SxsCaPendDel
2009-01-29 15:03 132 a------- c:\windows\ODBC.INI
2009-01-29 10:10 <DIR> --d----- C:\crystalreportviewers12
2009-01-29 10:09 42,847 a------t c:\windows\system32\ISUSMsg.rtf

==================== Find3M ====================

2009-02-23 08:18 81,556 a------- c:\windows\system32\nvModes.dat
2009-01-21 16:53 249,856 -------- c:\windows\Setup1.exe
2009-01-21 16:53 73,216 a------- c:\windows\ST6UNST.EXE
2009-01-16 21:35 3,594,752 -------- c:\windows\system32\dllcache\mshtml.dll
2009-01-06 08:38 35,328 a------- c:\windows\system32\drivers\ax88772.sys
2008-12-26 12:25 123,127 a------- c:\windows\HPHins12.dat
2008-12-25 08:13 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-19 04:10 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 04:10 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-12-19 00:25 634,024 -------- c:\windows\system32\dllcache\iexplore.exe
2008-12-19 00:23 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2008-12-11 05:57 333,952 -------- c:\windows\system32\dllcache\srv.sys

============= FINISH: 18:40:17.27 ===============

Delete your version of ComboFix and download a fresh one from below, then save it on the Desktop.. but DO NOT run it yet..

Link 1
Link 2
Link 3

NEXT


Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..


1. Please open Notepad

• If you don't know how, just go to Start >> Run >> copy/paste notepad.exe >> Enter

2. Now copy/paste the entire content of the codebox below into the Notepad window:

http://www.bleepingcomputer.com/forums/t/205983/infected-with-atlsystemxxxxxxexe/

KillAll::

NetSvc::
softyinforwow1
eq2soft
netmantow

Driver::
softyinforwow1
eq2soft
netmantow

Collect::
c:\windows\system32\atlsystem429956.exe
c:\windows\system32\atlsystem663724.exe
c:\windows\system32\atlsystem882754.exe
c:\windows\system32\atlsystem568713.exe
c:\windows\system32\atlsystem66447.exe
c:\windows\system32\atlsystem34844.exe
c:\windows\system32\atlsystem918628.exe
c:\windows\system32\atlsystem461558.exe
c:\windows\system32\atlsystem896885.exe
c:\windows\system32\atlsystem232131.exe
c:\windows\system32\atlsystem9850.exe
c:\windows\system32\atlsystem653661.exe
c:\windows\system32\atlsystem945467.exe
c:\windows\system32\atlsystem805520.exe
c:\windows\system32\u152395931.dll
c:\windows\system32\u1523630.dll
c:\windows\system32\atlsystem488833.exe
c:\windows\system32\atlsystem407560.exe
c:\windows\system32\u142345755.dll
c:\windows\system32\u142395749.dll
c:\windows\system32\u142370424.dll
c:\windows\system32\u142329818.dll
c:\windows\system32\atlsystem85617.exe
c:\windows\system32\atlsystem71669.exe
c:\windows\system32\u10233874.dll
c:\windows\system32\u10237459.dll
c:\windows\system32\u82357832.dll
c:\windows\system32\u82312528.dll
c:\windows\system32\atlsystem5738.exe
c:\windows\system32\u172275047.dll
c:\windows\system32\u172265645.dll
c:\windows\system32\u172295311.dll
c:\windows\system32\u17229067.dll
c:\windows\system32\u16221541.dll
c:\windows\system32\u1622040.dll
c:\windows\system32\u152235944.dll
c:\windows\system32\u152248443.dll
c:\windows\system32\u192185922.dll
c:\windows\system32\u192114019.dll
c:\windows\system32\der5609488.dll
c:\windows\system32\der7119346.dll
c:\windows\system32\u122131225.dll
c:\windows\system32\u122135920.dll
c:\windows\system32\der4559674.dll

Registry::
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.




5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

• Combofix.txt
• A new HijackThis log.

**Note**

When ComboFix finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

• Ensure you are connected to the internet and click OK on the message box.
• Simply follow the instructions to copy/paste/send the requested file.

Edited by fenzodahl512, 25 February 2009 - 02:02 PM.

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic