Help removing rootkits TDSS/UAC


  • This topic is locked
18 replies to this topic

#1 migal

Posted 15 March 2009 - 09:49 AM

Chewy on the "Am I Infected?/What do I do?" forum has identified these rootkits on my computer. I have run Dr. Web, ATF Cleaner and Malwarebytes. I am using Windows XP Home SP3. The only browsers I use are Chrome and IE7.

My previous thread on the "Am I Infected?/What do I do?" forum is here: http://www.bleepingcomputer.com/forums/t/210341/anitvirus-360-pop-up-slow-computer-registry-infected-moved/?p=1175876

Following are my DDS.txt contents:


DDS (Ver_09-02-01.01) - NTFSx86
Run by Carmen at 10:33:22.67 on Sun 03/15/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.602 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Carmen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Carmen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Carmen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Carmen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Carmen\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://ca.finance.yahoo.com/p?k=pf_2
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1236517113187
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1236517215765
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
AppInit_DLLs: c:\windows\system32\fedozuta.dll
LSA: Notification Packages = scecli c:\windows\system32\gebokabu.dll

============= SERVICES / DRIVERS ===============

S1 c1a37049;c1a37049;c:\windows\system32\drivers\c1a37049.sys [2009-3-8 0]
S2 gupdate1c9993d5b67a546;Google Update Service (gupdate1c9993d5b67a546);c:\program files\google\update\GoogleUpdate.exe [2009-2-27 133104]
S3 NPF;Netgroup Packet Filter;c:\windows\system32\drivers\npf.sys [2007-7-10 32512]

=============== Created Last 30 ================

2009-03-13 06:44 --d----- c:\docume~1\carmen\applic~1\Malwarebytes
2009-03-13 06:44 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-13 06:44 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-12 17:58 --d----- c:\documents and settings\carmen\DoctorWeb
2009-03-12 17:53 12,989,208 a------- c:\temp\drweb-cureit.exe
2009-03-11 17:36 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-11 17:36 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-08 19:14 --d----- c:\program files\AVG
2009-03-08 19:14 --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-03-08 16:51 0 a------- c:\windows\system32\drivers\c1a37049.sys
2009-03-08 16:51 2 a------- C:\277090770
2009-03-08 04:51 1,835,122 ---sh--- c:\windows\system32\iwahezis.ini
2009-03-08 04:51 141,824 a---h--- c:\windows\system32\bujdms.dll
2009-03-06 05:33 73,728 a------- c:\windows\system32\javacpl.cpl
2009-02-28 11:42 --d----- c:\program files\Sketchpad

==================== Find3M ====================

2009-03-08 16:51 14,336 a------- c:\windows\system32\svchost.exe
2009-03-08 16:51 102,400 a--sh--- c:\windows\system32\suhibuwe.dll
2009-03-08 04:51 141,824 a--sh--- c:\windows\system32\lekefoji.dll
2009-03-06 05:33 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-23 19:43 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2007-03-20 19:25 2,027,029 a------- c:\windows\inf\Rar.exe
2006-06-23 01:48 32,768 a----r-- c:\windows\inf\UpdateUSB.exe

============= FINISH: 10:33:37.39 ===============
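As an added triage example (not part of this thread, of DDS, or of any other tool named here), the following Python script applies the checks a helper makes by eye on a DDS log like the one above: a populated AppInit_DLLs value, an LSA Notification Packages entry beyond the Windows XP default scecli, a zero-byte service or driver image, a zero-byte .sys file in the created-files list, and files under system32 carrying hidden or system attributes. The sample input is constructed from lines in the log above plus benign lines for contrast; the rule names, the regular expressions and the DEFAULT_LSA_PACKAGES allowlist are my own assumptions, not anything DDS itself reports.

```python
import re
from typing import List, Optional, Tuple

Finding = Tuple[str, str]  # (rule name, offending log line)

# Windows XP default value of LSA "Notification Packages". Anything beyond it
# is loaded into lsass.exe at boot, which is why helpers look at this line.
DEFAULT_LSA_PACKAGES = {"scecli"}

# DDS "SERVICES / DRIVERS" line: state name;description;path [date size]
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[(\S+)\s+(\d+)\]$")
# DDS "Created Last 30" / "Find3M" line: date time [<DIR>] [size] attrs path
FILE_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d\s+(?:<DIR>\s+)?(?:([\d,]+)\s+)?([a-z-]{8})\s+(.+)$"
)

# Constructed sample: lines taken from the DDS log posted above, with benign
# entries (Adobe BHO, NVIDIA run key, npf.sys, mbam.sys) kept for contrast.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============

uStart Page = hxxp://ca.finance.yahoo.com/p?k=pf_2
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
AppInit_DLLs: c:\windows\system32\fedozuta.dll
LSA: Notification Packages = scecli c:\windows\system32\gebokabu.dll

============= SERVICES / DRIVERS ===============

S1 c1a37049;c1a37049;c:\windows\system32\drivers\c1a37049.sys [2009-3-8 0]
S2 gupdate1c9993d5b67a546;Google Update Service (gupdate1c9993d5b67a546);c:\program files\google\update\GoogleUpdate.exe [2009-2-27 133104]
S3 NPF;Netgroup Packet Filter;c:\windows\system32\drivers\npf.sys [2007-7-10 32512]

=============== Created Last 30 ================

2009-03-13 06:44 --d----- c:\docume~1\carmen\applic~1\Malwarebytes
2009-03-13 06:44 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-08 16:51 0 a------- c:\windows\system32\drivers\c1a37049.sys
2009-03-08 04:51 1,835,122 ---sh--- c:\windows\system32\iwahezis.ini
2009-03-08 04:51 141,824 a---h--- c:\windows\system32\bujdms.dll

==================== Find3M ====================

2009-03-08 16:51 102,400 a--sh--- c:\windows\system32\suhibuwe.dll
"""


def triage_dds(text: str) -> List[Finding]:
    """Return the log lines that match one of the triage rules, in log order."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Rule 1: every process that loads user32.dll also loads AppInit_DLLs.
        if line.startswith("AppInit_DLLs:") and line.split(":", 1)[1].strip():
            findings.append(("appinit_dll", line))
            continue
        # Rule 2: LSA notification packages beyond the XP default.
        if line.startswith("LSA: Notification Packages"):
            pkgs = line.split("=", 1)[1].split()
            if any(p.lower() not in DEFAULT_LSA_PACKAGES for p in pkgs):
                findings.append(("lsa_notification_package", line))
            continue
        # Rule 3: service/driver whose image is zero bytes, or a kernel-level
        # (S1/R1) driver whose file name is eight hex digits.
        m = SERVICE_RE.match(line)
        if m:
            state, _name, _desc, path, _date, size = m.groups()
            stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if int(size) == 0:
                findings.append(("zero_byte_service_image", line))
            elif state[1] == "1" and re.fullmatch(r"[0-9a-f]{8}", stem):
                findings.append(("hex_named_kernel_driver", line))
            continue
        # Rule 4: zero-byte .sys files and hidden/system files under system32.
        m = FILE_RE.match(line)
        if m:
            size_str, attrs, path = m.groups()  # type: Optional[str], str, str
            lower = path.lower()
            if size_str == "0" and lower.endswith(".sys"):
                findings.append(("zero_byte_driver_file", line))
            elif "\\system32\\" in lower and ("h" in attrs or "s" in attrs):
                findings.append(("hidden_system32_file", line))
    return findings


if __name__ == "__main__":
    for rule, entry in triage_dds(SAMPLE_DDS):
        print(f"{rule:26} {entry}")
```

The script deliberately says nothing about a line it cannot parse; the point is to surface the handful of entries a helper would ask about (the AppInit and LSA loaders, the empty c1a37049.sys driver, the hidden DLLs in system32) rather than to classify anything as malicious by name.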


#2 SifuMike (malware expert, Staff Emeritus)

Posted 16 March 2009 - 11:19 PM

Hello migal,

Download Security Check by screen317 from here or here and save it to your Desktop.
Unzip SecurityCheck.zip and a folder named Security Check should appear.
Open the Security Check folder and double-click Security Check.bat
Follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.



Please post a fresh DDS log so I can see if anything has changed.

Edited by SifuMike, 16 March 2009 - 11:25 PM (typo and spelling).

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!


Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 migal (Topic Starter)

Posted 17 March 2009 - 07:51 AM

Hello SifuMike

My checkup.txt contents.

Results of screen317's Security Check version 0.98.1
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:
``````````````````````````````

Windows Firewall Enabled!
``````````````````````````````
Anti-malware/Other Utilities Check:
``````````````````````````````

Malwarebytes' Anti-Malware
HijackThis 2.0.2
Java™ 6 Update 12
``````````````````````````````
Process Check:
objlist.exe by Laurent
``````````````````````````````

``````````````````````````````
DNS Vulnerability Check:
``````````````````````````````


Scan took 30 seconds.
`````````End of Log```````````




My DDS.txt contents.

DDS (Ver_09-02-01.01) - NTFSx86
Run by Carmen at 8:46:16.70 on Tue 03/17/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.519 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Carmen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Documents and Settings\Carmen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Carmen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Carmen\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://ca.finance.yahoo.com/p?k=pf_2
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1236517113187
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1236517215765
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
AppInit_DLLs: c:\windows\system32\fedozuta.dll
LSA: Notification Packages = scecli c:\windows\system32\gebokabu.dll

============= SERVICES / DRIVERS ===============

S1 c1a37049;c1a37049;c:\windows\system32\drivers\c1a37049.sys [2009-3-8 0]
S2 gupdate1c9993d5b67a546;Google Update Service (gupdate1c9993d5b67a546);c:\program files\google\update\GoogleUpdate.exe [2009-2-27 133104]
S3 NPF;Netgroup Packet Filter;c:\windows\system32\drivers\npf.sys [2007-7-10 32512]

=============== Created Last 30 ================

2009-03-13 06:44 <DIR> --d----- c:\docume~1\carmen\applic~1\Malwarebytes
2009-03-13 06:44 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-13 06:44 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-12 17:58 <DIR> --d----- c:\documents and settings\carmen\DoctorWeb
2009-03-12 17:53 12,989,208 a------- c:\temp\drweb-cureit.exe
2009-03-11 17:36 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-11 17:36 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-08 19:14 <DIR> --d----- c:\program files\AVG
2009-03-08 19:14 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-03-08 16:51 0 a------- c:\windows\system32\drivers\c1a37049.sys
2009-03-08 16:51 2 a------- C:\277090770
2009-03-08 04:51 1,835,122 ---sh--- c:\windows\system32\iwahezis.ini
2009-03-08 04:51 141,824 a---h--- c:\windows\system32\bujdms.dll
2009-03-06 05:33 73,728 a------- c:\windows\system32\javacpl.cpl
2009-02-28 11:42 <DIR> --d----- c:\program files\Sketchpad

==================== Find3M ====================

2009-03-08 16:51 14,336 a------- c:\windows\system32\svchost.exe
2009-03-08 16:51 102,400 a--sh--- c:\windows\system32\suhibuwe.dll
2009-03-08 04:51 141,824 a--sh--- c:\windows\system32\lekefoji.dll
2009-03-06 05:33 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-23 19:43 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2007-03-20 19:25 2,027,029 a------- c:\windows\inf\Rar.exe
2006-06-23 01:48 32,768 a----r-- c:\windows\inf\UpdateUSB.exe

============= FINISH: 8:46:24.82 ===============


#4 SifuMike (malware expert, Staff Emeritus)

Posted 17 March 2009 - 10:02 AM

Hi migal,

I understand that you need help in order to get rid of the malware that is present on your system - But you need to help us first..

I notice that you never scanned with an Antivirus previously before starting this thread - because you don't even have an Antivirus installed :!:
This is somewhat suicidal in today's digital world. :thumbup2:
That's why I want you to install one first!!

Please install Avira Antivirus: http://www.free-av.com/
This is a free Antivirus :!:

Perform a full scan with Avira and let it delete everything it is finding.
Then reboot.
After reboot, open your Avira and select "reports".
There, double-click the report from the full scan you have done. Click the "Report File" button and copy and paste this report in your next reply together with a new DDS log.

Then we'll start from there, because it really makes no sense otherwise that we clean this up manually if an Antivirus scan is not present which should be able to deal with most and prevent further reinfection.

Edited by SifuMike, 17 March 2009 - 10:03 AM.


#5 migal (Topic Starter)

Posted 17 March 2009 - 11:40 AM

My Avira Report file contents.

Avira AntiVir Personal
Report file date: Tuesday, March 17, 2009 12:04

Scanning for 1304949 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 3) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: CC

Version information:
BUILD.DAT : 8.2.0.347 16934 Bytes 3/16/2009 14:45:00
AVSCAN.EXE : 8.1.4.10 315649 Bytes 11/18/2008 14:21:26
AVSCAN.DLL : 8.1.4.0 40705 Bytes 5/26/2008 13:56:40
LUKE.DLL : 8.1.4.5 164097 Bytes 6/12/2008 18:44:19
LUKERES.DLL : 8.1.4.0 12033 Bytes 5/26/2008 13:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 17:30:36
ANTIVIR1.VDF : 7.1.2.12 3336192 Bytes 2/11/2009 17:03:30
ANTIVIR2.VDF : 7.1.2.152 749568 Bytes 3/11/2009 17:03:33
ANTIVIR3.VDF : 7.1.2.182 183296 Bytes 3/17/2009 17:03:34
Engineversion : 8.2.0.116
AEVDF.DLL : 8.1.1.0 106868 Bytes 3/17/2009 17:03:48
AESCRIPT.DLL : 8.1.1.63 364923 Bytes 3/17/2009 17:03:46
AESCN.DLL : 8.1.1.8 127346 Bytes 3/17/2009 17:03:44
AERDL.DLL : 8.1.1.3 438645 Bytes 11/4/2008 19:58:38
AEPACK.DLL : 8.1.3.10 397686 Bytes 3/17/2009 17:03:43
AEOFFICE.DLL : 8.1.0.36 196987 Bytes 3/17/2009 17:03:41
AEHEUR.DLL : 8.1.0.104 1634679 Bytes 3/17/2009 17:03:40
AEHELP.DLL : 8.1.2.2 119158 Bytes 3/17/2009 17:03:37
AEGEN.DLL : 8.1.1.29 336245 Bytes 3/17/2009 17:03:36
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/14/2008 16:05:56
AECORE.DLL : 8.1.6.6 176501 Bytes 3/17/2009 17:03:35
AEBB.DLL : 8.1.0.3 53618 Bytes 10/14/2008 16:05:56
AVWINLL.DLL : 1.0.0.12 15105 Bytes 7/9/2008 14:40:05
AVPREF.DLL : 8.0.2.0 38657 Bytes 5/16/2008 15:28:01
AVREP.DLL : 8.0.0.2 98344 Bytes 7/31/2008 18:02:15
AVREG.DLL : 8.0.0.1 33537 Bytes 5/9/2008 17:26:40
AVARKT.DLL : 1.0.0.23 307457 Bytes 2/12/2008 14:29:23
AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 6/12/2008 18:27:49
SQLITE3.DLL : 3.3.17.1 339968 Bytes 1/22/2008 23:28:02
SMTPLIB.DLL : 1.2.0.23 28929 Bytes 6/12/2008 18:49:40
NETNT.DLL : 8.0.0.1 7937 Bytes 1/25/2008 18:05:10
RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 6/12/2008 19:48:07
RCTEXT.DLL : 8.0.52.0 86273 Bytes 6/27/2008 19:34:37

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:, D:, E:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Tuesday, March 17, 2009 12:04

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'chrome.exe' - '1' Module(s) have been scanned
Scan process 'chrome.exe' - '1' Module(s) have been scanned
Scan process 'chrome.exe' - '1' Module(s) have been scanned
Scan process 'GoogleUpdate.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'devldr32.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
Scan process 'LSSrvc.exe' - '1' Module(s) have been scanned
Scan process 'GoogleUpdate.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
32 processes with 32 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!
Boot sector 'E:\'
[INFO] No virus was found!

Starting to scan the registry.
The registry was scanned ( '46' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\Carmen\Application Data\Sun\Java\Deployment\cache\6.0\32\50c2ce60-3cb1cfe7
[0] Archive type: ZIP
--> Dnnny.class
[DETECTION] Contains recognition pattern of the JAVA/Exploit.Bytverify.5 Java virus
--> Den.class
[DETECTION] Is the TR/Exploit.Bytverify Trojan
[NOTE] The file was deleted!
C:\Documents and Settings\Carmen\DoctorWeb\Quarantine\22.tmp
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was deleted!
C:\Program Files\Trend Micro\HijackThis\backups\backup-20090308-071209-323.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was deleted!
C:\Program Files\Trend Micro\HijackThis\backups\backup-20090308-072925-761.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{1AF38679-DC47-490D-A75A-1BD71187C70B}\RP3\A0000196.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{1AF38679-DC47-490D-A75A-1BD71187C70B}\RP3\A0000197.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was deleted!
C:\WINDOWS\system32\bujdms.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was deleted!
C:\WINDOWS\system32\lekefoji.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was deleted!
C:\WINDOWS\system32\suhibuwe.dll
[0] Archive type: RSRC
--> Object
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
[NOTE] The file was deleted!
Begin scan in 'D:\' <Local Disk>
Begin scan in 'E:\'
E:\System Volume Information\_restore{1AF38679-DC47-490D-A75A-1BD71187C70B}\RP1\A0000047.exe
[DETECTION] Is the TR/Renaz.132289 Trojan
[NOTE] The file was deleted!


End of the scan: Tuesday, March 17, 2009 12:27
Used time: 22:53 Minute(s)

The scan has been done completely.

5200 Scanning directories
151659 Files were scanned
11 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
10 files were deleted
0 files were repaired
0 files were moved to quarantine
0 files were renamed
1 Files cannot be scanned
151647 Files not concerned
857 Archives were scanned
1 Warnings
10 Notes


My DDS.txt contents.


DDS (Ver_09-02-01.01) - NTFSx86
Run by Carmen at 12:36:44.48 on Tue 03/17/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.626 [GMT -5:00]

AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\devldr32.exe
c:\program files\avira\antivir personaledition classic\avcenter.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Carmen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Carmen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Carmen\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://ca.finance.yahoo.com/p?k=pf_2
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1236517113187
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1236517215765
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
AppInit_DLLs: c:\windows\system32\fedozuta.dll
LSA: Notification Packages = scecli c:\windows\system32\gebokabu.dll

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2009-3-17 11840]
R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2009-3-17 68865]
R2 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2009-3-17 151297]
R3 avgntflt;avgntflt;c:\program files\avira\antivir personaledition classic\avgntflt.sys [2009-3-17 52032]
S1 c1a37049;c1a37049;c:\windows\system32\drivers\c1a37049.sys [2009-3-8 0]
S2 gupdate1c9993d5b67a546;Google Update Service (gupdate1c9993d5b67a546);c:\program files\google\update\GoogleUpdate.exe [2009-2-27 133104]
S3 NPF;Netgroup Packet Filter;c:\windows\system32\drivers\npf.sys [2007-7-10 32512]

=============== Created Last 30 ================

2009-03-17 12:02 <DIR> --d----- c:\program files\Avira
2009-03-17 12:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-03-13 06:44 <DIR> --d----- c:\docume~1\carmen\applic~1\Malwarebytes
2009-03-13 06:44 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-13 06:44 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-12 17:58 <DIR> --d----- c:\documents and settings\carmen\DoctorWeb
2009-03-12 17:53 12,989,208 a------- c:\temp\drweb-cureit.exe
2009-03-11 17:36 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-11 17:36 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-08 19:14 <DIR> --d----- c:\program files\AVG
2009-03-08 19:14 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-03-08 16:51 0 a------- c:\windows\system32\drivers\c1a37049.sys
2009-03-08 16:51 2 a------- C:\277090770
2009-03-08 04:51 1,835,122 ---sh--- c:\windows\system32\iwahezis.ini
2009-03-06 05:33 73,728 a------- c:\windows\system32\javacpl.cpl
2009-02-28 11:42 <DIR> --d----- c:\program files\Sketchpad

==================== Find3M ====================

2009-03-08 16:51 14,336 a------- c:\windows\system32\svchost.exe
2009-03-06 05:33 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-23 19:43 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2007-03-20 19:25 2,027,029 a------- c:\windows\inf\Rar.exe
2006-06-23 01:48 32,768 a----r-- c:\windows\inf\UpdateUSB.exe

============= FINISH: 12:37:02.32 ===============


#6 SifuMike (malware expert, Staff Emeritus)

Posted 17 March 2009 - 02:18 PM

Hi migal,

We need to scan for Rootkits with GMER
  • Please download GMER from one of the following mirrors:
  • Close any and all open programs, as this process may crash your computer.
  • Unzip the downloaded file to your desktop.
  • Double-click gmer.exe on your desktop.
  • Allow the gmer.sys driver to load if asked.
  • You may see a warning window. If you do, click No.
  • Click on Scan and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Save and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.
In your next reply, please include the following:
  • GMER's Log


We will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer.
Further, ComboFix logs are not permitted outside the HijackThis forums and then only when requested by a HJT Team member.

You need to disable your Avira AntiVir Antivirus before running ComboFix, as it will prevent it from running.

To disable Avira Antivirus:
Please navigate to the system tray on the bottom right hand corner and look for an open white umbrella on a red background.
  • Right-click it and untick the option AntiVir Guard enable.
  • You should now see a closed, white umbrella on a red background.
You successfully disabled the AntiVir Guard.


Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

Disconnect your internet connection cable from the computer while running ComboFix.

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.

A caution -
Disconnect your internet connection cable from the computer while running ComboFix.
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post the ComboFix log.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 migal

migal
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:02:23 AM

Posted 17 March 2009 - 03:25 PM

Hi SifuMike.

During the ComboFix scan, after completing several stages and before creating the log file (I don't know the exact point), the computer rebooted. Immediately after I logged in, ComboFix generated the log file without my prompting.

My GMER log contents.

GMER 1.0.15.14939 - http://www.gmer.net
Rootkit scan 2009-03-17 16:00:16
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT F7BDC8DC ZwCreateThread
SSDT F7BDC8C8 ZwOpenProcess
SSDT F7BDC8CD ZwOpenThread
SSDT F7BDC8D7 ZwTerminateProcess
SSDT F7BDC8D2 ZwWriteVirtualMemory

---- Registry - GMER 1.0.15 ----

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{2ABBCBEC-3317-7A81-7B8F-3146185A01ED}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{2ABBCBEC-3317-7A81-7B8F-3146185A01ED}@abnaimpndapkdekofcggljioaeigbmfbmc 0x61 0x61 0x00 0x00
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{2ABBCBEC-3317-7A81-7B8F-3146185A01ED}@maebbmdhkddjnchedpjpmljjfb 0x61 0x61 0x00 0x00

---- EOF - GMER 1.0.15 ----

My ComboFix log contents.

ComboFix 09-03-15.01 - Carmen 2009-03-17 16:10:22.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.697 [GMT -5:00]
Running from: c:\documents and settings\Carmen\Desktop\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\npf.sys
c:\windows\system32\iwahezis.ini
c:\windows\system32\Packet.dll
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CTL_W32
-------\Legacy_icf
-------\Legacy_NPF
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2009-02-17 to 2009-03-17 )))))))))))))))))))))))))))))))
.

2009-03-17 12:02 . 2009-03-17 12:02 <DIR> d-------- c:\program files\Avira
2009-03-17 12:02 . 2009-03-17 12:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2009-03-13 06:44 . 2009-03-13 06:44 <DIR> d-------- c:\documents and settings\Carmen\Application Data\Malwarebytes
2009-03-13 06:44 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-13 06:44 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-12 17:58 . 2009-03-12 18:00 <DIR> d-------- c:\documents and settings\Carmen\DoctorWeb
2009-03-12 17:53 . 2009-03-12 17:53 12,989,208 --a------ c:\temp\drweb-cureit.exe
2009-03-11 17:36 . 2009-03-13 06:44 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-11 17:36 . 2009-03-11 17:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-08 19:14 . 2009-03-08 19:14 <DIR> d-------- c:\program files\AVG
2009-03-08 19:14 . 2009-03-11 20:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-03-08 18:35 . 2009-03-11 20:14 <DIR> d-------- c:\documents and settings\Administrator
2009-03-08 16:51 . 2009-03-08 16:51 2 --a------ C:\277090770
2009-03-08 16:51 . 2009-03-08 21:02 0 --a------ c:\windows\system32\drivers\c1a37049.sys
2009-03-06 05:33 . 2009-03-06 05:33 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-02-28 11:42 . 2009-02-28 11:42 <DIR> d-------- c:\program files\Sketchpad

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-17 20:43 --------- d-----w c:\documents and settings\Carmen\Application Data\uTorrent
2009-03-08 23:34 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-03-08 19:00 --------- d-----w c:\program files\Google
2009-03-06 10:33 --------- d-----w c:\program files\Java
2009-02-04 21:43 --------- d-----w c:\program files\MathType
2009-02-04 21:43 --------- d-----w c:\documents and settings\Carmen\Application Data\Design Science
2009-01-31 23:23 --------- d-----w c:\program files\Boilsoft Video Splitter
2009-01-28 18:33 --------- d-----w c:\program files\Ultra Video Splitter
2009-01-28 16:19 --------- d-----w c:\documents and settings\Carmen\Application Data\Shareaza
2009-01-25 22:28 --------- d-----w c:\documents and settings\Carmen\Application Data\ZoomBrowser EX
2009-01-25 12:08 --------- d-----w c:\documents and settings\Carmen\Application Data\vlc
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-18 7561216]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-05-18 86016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-01-21 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\fedozuta.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"e:\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\wscntfy.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Google\\Update\\GoogleUpdate.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=

S1 c1a37049;c1a37049;c:\windows\system32\drivers\c1a37049.sys [2009-03-08 0]
S2 gupdate1c9993d5b67a546;Google Update Service (gupdate1c9993d5b67a546);c:\program files\Google\Update\GoogleUpdate.exe [2009-02-27 133104]
.
Contents of the 'Scheduled Tasks' folder

2009-03-17 c:\windows\Tasks\At1.job
- c:\windows\system32\fgspvcm.dll []

2009-03-17 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-27 19:41]

2009-03-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-448539723-1935655697-725345543-1004.job
- c:\documents and settings\Carmen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-02 16:06]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ca.finance.yahoo.com/p?k=pf_2
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-17 16:12:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-448539723-1935655697-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{2ABBCBEC-3317-7A81-7B8F-3146185A01ED}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"abnaimpndapkdekofcggljioaeigbmfbmc"=hex:61,61,00,00
"maebbmdhkddjnchedpjpmljjfb"=hex:61,61,00,00
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\devldr32.exe
.
**************************************************************************
.
Completion time: 2009-03-17 16:14:38 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-17 21:14:33

Pre-Run: 21,176,180,736 bytes free
Post-Run: 21,114,138,624 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect


#8 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:01:23 AM

Posted 17 March 2009 - 04:11 PM

Hi migal,

You need to disable your Avira AntiVir Antivirus before running ComboFix, as it will prevent it from running.

To disable Avira Antivirus:
Please navigate to the system tray on the bottom right hand corner and look for an open white umbrella on a red background (looks like this: [image])
  • right click it -> untick the option AntiVir Guard enable.
  • You should now see a closed, white umbrella on a red background (looks like this: [image])
You successfully disabled the AntiVir Guard.



Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

File:: 
c:\windows\system32\drivers\c1a37049.sys
C:\277090770
c:\windows\Tasks\At1.job
c:\windows\system32\fedozuta.dll

Registry:: 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""

Driver:: 
c1a37049


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: dragging CFScript.txt onto ComboFix.exe]


This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
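As an added example (not from this thread and not ComboFix's own code), a small Python triage pass over the kind of "Reg Loading Points", driver and "Scheduled Tasks" lines quoted in migal's ComboFix log. It flags the same three persistence points SifuMike's CFScript targets: a populated AppInit_DLLs value, a zero-byte boot-start driver, and an At*.job task that runs a DLL. The sample lines are copied from the log above; the rule names are mine.

```python
import re

# Constructed excerpt: loading-point, driver and scheduled-task lines from the
# ComboFix log posted earlier in this thread, trimmed to the entries that matter.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-18 7561216]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\fedozuta.dll

S1 c1a37049;c1a37049;c:\windows\system32\drivers\c1a37049.sys [2009-03-08 0]
S2 gupdate1c9993d5b67a546;Google Update Service (gupdate1c9993d5b67a546);c:\program files\Google\Update\GoogleUpdate.exe [2009-02-27 133104]

2009-03-17 c:\windows\Tasks\At1.job
- c:\windows\system32\fgspvcm.dll []

2009-03-17 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-27 19:41]
"""

# "AppInit_DLLs"=<value>: empty on a clean XP box; any DLL listed here is loaded
# into every process that links user32.dll, which is why the CFScript blanks it.
APPINIT_RE = re.compile(r'^"AppInit_DLLs"=(.*)$', re.I)
# ComboFix driver/service line: S1 name;display name;path [yyyy-mm-dd size]
SERVICE_RE = re.compile(r'^[SR][0-4]\s+([^;]+);[^;]*;(.+?)\s+\[\S+\s+(\d+)\]$')
# Scheduled-task header: 2009-03-17 c:\windows\Tasks\At1.job
TASK_RE = re.compile(r'^\d{4}-\d{2}-\d{2}\s+.*\\Tasks\\([^\\]+\.job)$', re.I)
# Task target line: - c:\path\target [version/date info, or empty brackets]
TARGET_RE = re.compile(r'^-\s+(\S.*?)\s+\[(.*)\]$')
# Tasks named At<n>.job were created with the "at" command, unusual on a home PC
AT_TASK_RE = re.compile(r'^At\d+\.job$', re.I)


def triage(log_text):
    """Return a list of (rule, detail) findings for a ComboFix log excerpt."""
    findings = []
    pending_task = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = APPINIT_RE.match(line)
        if m:
            value = m.group(1).strip().strip('"')
            if value:  # anything at all in AppInit_DLLs is worth a look
                findings.append(("appinit_dll", value))
            continue
        m = SERVICE_RE.match(line)
        if m:
            _name, path, size = m.groups()
            if int(size) == 0:  # a 0-byte boot-start driver cannot be a real driver
                findings.append(("zero_byte_driver", path))
            continue
        m = TASK_RE.match(line)
        if m:
            pending_task = m.group(1)
            continue
        m = TARGET_RE.match(line)
        if m and pending_task:
            target, info = m.groups()
            # A task whose target is a bare DLL, or which carries no version/date
            # info at all, is not something the OS or a normal installer creates.
            if target.lower().endswith(".dll") or not info.strip():
                findings.append(("task_runs_dll_or_unversioned",
                                 f"{pending_task} -> {target}"))
            if AT_TASK_RE.match(pending_task):
                findings.append(("at_command_task", pending_task))
            pending_task = None
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"{rule:30s} {detail}")
```

Run against the second ComboFix log in this thread (after the CFScript), the same pass returns nothing, which is the quick way to confirm the three entries really went away.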

#9 migal

migal
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:02:23 AM

Posted 17 March 2009 - 04:54 PM

My ComboFix log contents.

ComboFix 09-03-15.01 - Carmen 2009-03-17 17:44:09.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.731 [GMT -5:00]
Running from: c:\documents and settings\Carmen\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Carmen\Desktop\CFScript.txt
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
C:\277090770
c:\windows\system32\drivers\c1a37049.sys
c:\windows\system32\fedozuta.dll
c:\windows\Tasks\At1.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\277090770
c:\windows\system32\drivers\c1a37049.sys
c:\windows\Tasks\At1.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_c1a37049


((((((((((((((((((((((((( Files Created from 2009-02-17 to 2009-03-17 )))))))))))))))))))))))))))))))
.

2009-03-17 12:02 . 2009-03-17 12:02 <DIR> d-------- c:\program files\Avira
2009-03-17 12:02 . 2009-03-17 12:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2009-03-13 06:44 . 2009-03-13 06:44 <DIR> d-------- c:\documents and settings\Carmen\Application Data\Malwarebytes
2009-03-13 06:44 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-13 06:44 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-12 17:58 . 2009-03-12 18:00 <DIR> d-------- c:\documents and settings\Carmen\DoctorWeb
2009-03-12 17:53 . 2009-03-12 17:53 12,989,208 --a------ c:\temp\drweb-cureit.exe
2009-03-11 17:36 . 2009-03-13 06:44 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-11 17:36 . 2009-03-11 17:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-08 19:14 . 2009-03-11 20:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-03-08 18:35 . 2009-03-11 20:14 <DIR> d-------- c:\documents and settings\Administrator
2009-03-06 05:33 . 2009-03-06 05:33 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-02-28 11:42 . 2009-02-28 11:42 <DIR> d-------- c:\program files\Sketchpad

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-17 20:43 --------- d-----w c:\documents and settings\Carmen\Application Data\uTorrent
2009-03-08 23:34 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-03-08 19:00 --------- d-----w c:\program files\Google
2009-03-06 10:33 --------- d-----w c:\program files\Java
2009-02-04 21:43 --------- d-----w c:\program files\MathType
2009-02-04 21:43 --------- d-----w c:\documents and settings\Carmen\Application Data\Design Science
2009-01-31 23:23 --------- d-----w c:\program files\Boilsoft Video Splitter
2009-01-28 18:33 --------- d-----w c:\program files\Ultra Video Splitter
2009-01-28 16:19 --------- d-----w c:\documents and settings\Carmen\Application Data\Shareaza
2009-01-25 22:28 --------- d-----w c:\documents and settings\Carmen\Application Data\ZoomBrowser EX
2009-01-25 12:08 --------- d-----w c:\documents and settings\Carmen\Application Data\vlc
.

((((((((((((((((((((((((((((( SnapShot@2009-03-17_16.13.58.76 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-17 22:45:52 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_5d0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-18 7561216]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-05-18 86016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-01-21 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"e:\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\wscntfy.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Google\\Update\\GoogleUpdate.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=

S2 gupdate1c9993d5b67a546;Google Update Service (gupdate1c9993d5b67a546);c:\program files\Google\Update\GoogleUpdate.exe [2009-02-27 133104]
.
Contents of the 'Scheduled Tasks' folder

2009-03-17 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-27 19:41]

2009-03-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-448539723-1935655697-725345543-1004.job
- c:\documents and settings\Carmen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-02 16:06]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ca.finance.yahoo.com/p?k=pf_2
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-17 17:46:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-448539723-1935655697-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{2ABBCBEC-3317-7A81-7B8F-3146185A01ED}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"abnaimpndapkdekofcggljioaeigbmfbmc"=hex:61,61,00,00
"maebbmdhkddjnchedpjpmljjfb"=hex:61,61,00,00
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\devldr32.exe
.
**************************************************************************
.
Completion time: 2009-03-17 17:48:28 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-17 22:48:21
ComboFix2.txt 2009-03-17 21:14:39

Pre-Run: 21,112,311,808 bytes free
Post-Run: 21,102,682,112 bytes free



My HJT log contents.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:54:03 PM, on 3/17/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Carmen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Carmen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.finance.yahoo.com/p?k=pf_2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Favorites
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1236517113187
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1236517215765
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Google Update Service (gupdate1c9993d5b67a546) (gupdate1c9993d5b67a546) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4772 bytes

#10 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:01:23 AM

Posted 17 March 2009 - 06:43 PM

Hi migal,

So far it looks good. Now we check for lingering malware.

Please disable any running anti-virus program before running Kaspersky Online Scanner.
If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/
Close any open browsers.

Please do a scan with Kaspersky Online Scanner

You can refer to this animation by sundavis.


Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type change the type to Text file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
This scanner will only scan. It does not remove any malware it finds.

Edited by SifuMike, 17 March 2009 - 06:44 PM.
typo


#11 migal

migal
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:02:23 AM

Posted 17 March 2009 - 08:20 PM

Hello SifuMike.

I ran Kaspersky and it did not detect any malware. The scan report was empty.

#12 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:01:23 AM

Posted 17 March 2009 - 09:45 PM

Hi migal,

Please post the Kaspersky log.

Edited by SifuMike, 17 March 2009 - 09:46 PM.


#13 migal

migal
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:02:23 AM

Posted 18 March 2009 - 07:08 AM

My Kaspersky report contents.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, March 18, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, March 18, 2009 10:23:19
Records in database: 1927001
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 53422
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 00:35:29

No malware has been detected. The scan area is clean.

The selected area was scanned.

#14 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:01:23 AM

Posted 18 March 2009 - 07:29 AM

Hi migal,

Everything looks good. How is the computer running?

We still have to do some program clean up.

#15 migal

migal
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:02:23 AM

Posted 18 March 2009 - 08:09 AM

Hi SifuMike,

My computer is running great.



