Win XP Creates Autorun.inf In Thumbdrive


11 replies to this topic

#1 kelvinchaw

Posted 29 March 2009 - 09:38 AM

Hello. First of all, my apologies to DaChew, for I didn't read the rules when I used another thread for posting.

So here's my problem: I got this rootkit/malware from my thumbdrive from another infected computer. So now, my win XP creates "Autorun.inf" file and a "RECYCLER" folder in my thumbdrive everytime I plugged it in. I could not see these files from my win XP, and could only detect them when I booted up my Ubuntu and looked into my thumbdrive.

Another symptom is that, I couldn't access any of the Antivirus websites (AVG, NOD32...) and Microsoft sites as well.

Any suggestions on how to go about this? Thanks!


#2 DaChew

Posted 29 March 2009 - 09:56 AM

I am relatively inexperienced with rootkits like the one you posted

Let's start over from the beginning

Please download Malwarebytes Anti-Malware (v1.34) and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

As an advanced user, feel free to improvise, like renaming installers or executables to get them to work.
Chewy

No. Try not. Do... or do not. There is no try.

#3 kelvinchaw (Topic Starter)

Posted 29 March 2009 - 10:10 AM

OK. I've installed it and done the removal process, and restarted the comp as well. Note that I wasn't able to update my MBAM. Also, I still can't connect to any of the Antivirus and Microsoft sites.

Here's the log dump:

Malwarebytes' Anti-Malware 1.35
Database version: 1904
Windows 5.1.2600 Service Pack 2

3/29/2009 8:00:38 PM
mbam-log-2009-03-29 (20-00-38).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 104933
Time elapsed: 13 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#4 DaChew

Posted 29 March 2009 - 10:33 AM

Run rootrepeal

http://rootrepeal.googlepages.com/

Use the report tab and scan button

Check drivers and files
Chewy

#5 kelvinchaw (Topic Starter)

Posted 29 March 2009 - 10:58 AM

ROOTREPEAL © AD, 2007-2008
==================================================
Scan Time: 2009/03/29 23:53
Program Version: Version 1.2.3.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xABFF4000 Size: 98304 File Visible: No
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA5C2000 Size: 8192 File Visible: No
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA9C1C000 Size: 45056 File Visible: No
Status: -

Hidden/Locked Files
-------------------
Path: D:\Personal\C2500L Camera\C2500l~1.pdf
Status: Allocation size mismatch (API: 282624, Raw: 1286144)

#6 DaChew

Posted 29 March 2009 - 11:05 AM

Would you do the remaining 3 next?
Chewy

#7 kelvinchaw (Topic Starter)

Posted 29 March 2009 - 11:10 AM

No problem. Here's the other four.

ROOTREPEAL © AD, 2007-2008
==================================================
Scan Time: 2009/03/30 00:08
Program Version: Version 1.2.3.0
Windows Version: Windows XP SP2
==================================================

Hidden Services
-------------------
Service Name: cldfj
Image Path: %SystemRoot%\system32\svchost.exe -k netsvcs

#8 DaChew

Posted 29 March 2009 - 11:29 AM

Service Name: cldfj
Image Path: %SystemRoot%\system32\svchost.exe -k netsvcs

There she is again

I'll need to consult with this one.
Chewy

#9 kelvinchaw (Topic Starter)

Posted 29 March 2009 - 11:31 AM

No problem, I'll wait. BTW Thanks for your help.

#10 extremeboy (Malware Response Team)

Posted 29 March 2009 - 12:52 PM

Hello.

I'll explain. I actually haven't seen this one recently. Thanks for bringing this up Da Chew.

The file svchost.exe itself is NOT bad but the service (cldfj) IS bad. It's "abusing" the legitimate file svchost.exe and that is why it's detecting it as a rootkit. That legitimate svchost.exe should not be removed.

If you want to make sure the svchost.exe is not infected, you can upload it to VirusTotal or VirScan below.

VirusTotal Online Scanner or VirSCAN.

Nevertheless, the rootkit service needs to be removed. However, you may wish to format the computer as it's compromised. Information on Rootkit.

Backdoor Threat

IMPORTANT NOTE: Unfortunately, one or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

With Regards,
Extremeboy
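A defender-side check for the two findings in this thread, as an added example that is not from the thread, MBAM or RootRepeal: it parses a constructed Regedit export offline and flags any svchost.exe-hosted service whose name is missing from its Svchost group list, then reads the Hidden\SHOWALL\CheckedValue that MBAM found set to 0. The service name cldfj, the "svchost.exe -k netsvcs" image path and the SHOWALL key come from the posts above; wuauserv, BITS and the ServiceDll path are constructed placeholders.

```python
"""Offline triage of a Regedit 5.00 export for the two findings in this thread.
Added example, not code from the thread or from MBAM/RootRepeal. It flags services
hosted by svchost.exe that are absent from their Svchost group list (cldfj here):
svchost.exe itself is clean, the service entry is what loads the rogue DLL. It also
reads Hidden\\SHOWALL\\CheckedValue, which MBAM found set to 0 (hides hidden files).
"""
import re

SERVICES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
SVCHOST_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost"
SHOWALL_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL"

# Constructed export: wuauserv is a registered netsvcs member, cldfj (name from the
# thread) is not; ServiceDll is a placeholder. netsvcs is hex(7) UTF-16LE "wuauserv\0BITS\0\0".
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
"netsvcs"=hex(7):77,00,75,00,61,00,75,00,73,00,65,00,72,00,76,00,00,00,42,00,\
  49,00,54,00,53,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k netsvcs"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cldfj]
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k netsvcs"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cldfj\Parameters]
"ServiceDll"="C:\\WINDOWS\\system32\\PLACEHOLDER.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000
'''

def _decode_value(raw):
    """Turn one Regedit value literal into a Python value."""
    if raw.startswith('"') and raw.endswith('"'):              # REG_SZ, unescape \\ and \"
        return re.sub(r'\\(["\\])', r'\1', raw[1:-1])
    if raw.startswith("dword:"):                               # REG_DWORD, hex digits
        return int(raw[6:], 16)
    m = re.match(r"hex\(([27])\):(.*)$", raw)                  # REG_EXPAND_SZ / REG_MULTI_SZ
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        parts = [p for p in data.decode("utf-16-le").split("\x00") if p]
        return parts[0] if m.group(1) == "2" else parts
    return raw                                                 # other types kept as text

def parse_reg(text):
    """Parse a .reg export into {key: {value_name: value}}."""
    reg, key = {}, None
    for line in re.sub(r"\\\r?\n\s*", "", text).splitlines():  # rejoin '\'-wrapped hex lines
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            reg.setdefault(key, {})
        elif key and line.startswith('"') and "=" in line:
            name, _, raw = line.partition("=")
            reg[key][name[1:-1]] = _decode_value(raw.strip())
    return reg

def svchost_group(image_path):
    """Return the -k group of an svchost-hosted ImagePath, or None for any other host."""
    m = re.search(r"\\svchost\.exe\s+-k\s+(\S+)", image_path or "", re.IGNORECASE)
    return m.group(1) if m else None

def unregistered_svchost_services(reg):
    """svchost-hosted services whose name is missing from their Svchost group (RootRepeal's cldfj)."""
    groups, findings, prefix = reg.get(SVCHOST_KEY, {}), [], SERVICES_KEY + "\\"
    for key, values in reg.items():
        service = key[len(prefix):]
        if not key.startswith(prefix) or "\\" in service:      # direct children of Services only
            continue
        group = svchost_group(values.get("ImagePath"))
        if group is None:
            continue
        if service.lower() not in (m.lower() for m in groups.get(group, [])):
            dll = reg.get(key + "\\Parameters", {}).get("ServiceDll")  # the DLL svchost would load
            findings.append({"service": service, "group": group, "service_dll": dll})
    return findings

def triage(text):
    """Run both checks; CheckedValue 1 is the value MBAM restored, 0 keeps hidden files hidden."""
    reg = parse_reg(text)
    value = reg.get(SHOWALL_KEY, {}).get("CheckedValue")
    return {"rogue_svchost_services": unregistered_svchost_services(reg),
            "showall_checked_value": value, "hidden_files_hijacked": value is not None and value != 1}
```

On a live system the same export is produced with `reg export` of the three keys; a service that is flagged still needs its ServiceDll examined before anything is removed, since the svchost.exe binary itself is not the problem.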

#11 kelvinchaw (Topic Starter)

Posted 30 March 2009 - 01:06 AM

Extremeboy & Chewy,

Thanks so much for your help. I think I'm going to format my Win XP partition as advised. I wouldn't want to clean it and later get paranoid about having something lying around the system undetected. What about the other partitions on my hard drive? Could they be infected as well?

#12 DaChew

Posted 30 March 2009 - 01:23 AM

After formatting and reinstalling, I would immediately scan that partition (data?) with a good resident antivirus and another online one.

Many programs like MBAM are designed for detecting installed malware, not malware installers

I would definitely not trust any archived drivers or executables

The fact that you have a relatively unknown rootkit/backdoor trojan would lead me to exercise extreme caution
Chewy