
Win32/Cryptor, Trojan/Sheur.2, downloaders


This topic is locked
12 replies to this topic

#1 Larnek

Posted 01 April 2009 - 03:35 PM

Got some sort of nastiness from a .doc or .pdf file a few days ago. AVG is calling them Win32/Cryptor and Trojan/Sheur.2; I've also had other downloaders, although I've got them gone for right now. System services also seem to have been infected by something that usually has no name on the AVG readout: winlogin.exe, iexplore.exe, svchost.exe, lsass.exe, services.exe. I also have a 3448584324.exe running in my task manager. Note I am in Safe Mode right now. I am unable to get Malwarebytes Anti-Malware to run at all, no matter if I rename it, change the extension, etc. Also, my computer is locked in a dumbed-down mode where I am unable to rename extensions, but I am still able to run cmd and rename through the DOS prompt. Regardless, it hasn't worked. I'm calling in the big guns (i.e. you guys) now because nothing I've got will even run, never mind work. Also, when initially infected I was unable to get anything to work; I would constantly get iexplore.exe errors saying Windows is shutting down this program, send message to Microsoft, blah blah, and it would constantly cycle and appear to restart explorer. I was able to get those out for the most part with AVG in safe mode, but in my past few days of trying my fixes with redownloading and reinstalling AVG and MBAM it would occasionally come back and start the same iexplore crashing again, and would require AVG runs again to remove; unfortunately I don't have those logs. I also have the browser redirect problems I've seen on here numerous times, where searching on Yahoo or Google gets redirected to random pages. But here are the DDS logs as requested to get started.

DDS (Ver_09-03-16.01) - NTFSx86 NETWORK
Run by Administrator at 15:20:46.10 on Wed 04/01/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.1500 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\3448584324.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/ymj/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/ymj/*http://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/ymj/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://www.fulldotfind.com/pubac/ac.php?aid=11&sid=v3058
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: c:\windows\system32\nhser43uhjnefr.dll: {c2ba40a2-74f3-42bd-f434-2604812c8954} - c:\windows\system32\nhser43uhjnefr.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Diagnostic Manager] c:\docume~1\admini~1\locals~1\temp\3448584324.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Ncozer] rundll32.exe "c:\windows\asiyafiseq.dll",e
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRun: [swg] c:\program files\google\googletoolbarnotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {25365FF3-2746-4230-9DA7-163CCA318309} - hxxp://inst.c-wss.com/n031p/EN/install/gtdownlr.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} - hxxp://asp.mathxl.com/wizmodules/testgen/installers/TestGenXInstall.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1175134884750
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {95D88B35-A521-472B-A182-BB1A98356421} - hxxp://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} - hxxp://asp.mathxl.com/books/_Players/MathPlayer.cab
DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.2.1.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: tuvVLeFx - tuvVLeFx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: c:\windows\system32\nhser43uhjnefr.dll: {c2ba40a2-74f3-42bd-f434-2604812c8954} - c:\windows\system32\nhser43uhjnefr.dll
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\tuvVLeFx.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\efcASjiF
LSA: Notification Packages = scecli desten.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\14uui9tq.default\
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\all users\application data\id software\quakelive\npquakezero.dll
FF - plugin: c:\program files\download manager\npfpdlm.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\k-lite codec pack\quicktime\plugins\npqtplugin.dll
FF - plugin: c:\program files\k-lite codec pack\quicktime\plugins\npqtplugin2.dll
FF - plugin: c:\program files\k-lite codec pack\quicktime\plugins\npqtplugin3.dll
FF - plugin: c:\program files\k-lite codec pack\quicktime\plugins\npqtplugin4.dll
FF - plugin: c:\program files\k-lite codec pack\quicktime\plugins\npqtplugin5.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\photosynth\npPhotosynthMozilla.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
FF - HiddenExtension: XUL Cache: {3959A5F6-F70D-43AC-A796-744D1068B9EF} - c:\documents and settings\jason\local settings\application data\{3959A5F6-F70D-43AC-A796-744D1068B9EF}
FF - HiddenExtension: XUL Cache: {A2EA4A74-0069-4A4E-94A7-FA1993452C82} - c:\documents and settings\administrator\local settings\application data\{A2EA4A74-0069-4A4E-94A7-FA1993452C82}

============= SERVICES / DRIVERS ===============

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-31 108552]
S1 85a0414a;85a0414a;c:\windows\system32\drivers\85a0414a.sys --> c:\windows\system32\drivers\85a0414a.sys [?]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-31 325640]
S1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-3-31 27656]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-3-31 908056]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-3-31 298264]
S3 botdrv;botdrv;\??\c:\windows\system32\driver.sys --> c:\windows\system32\driver.sys [?]
S3 restore;restore;\??\c:\windows\system32\drivers\restore.sys --> c:\windows\system32\drivers\restore.sys [?]
S3 s115bus;Sony Ericsson Device 115 driver (WDM);c:\windows\system32\drivers\s115bus.sys [2007-12-31 83208]
S3 s115mdfl;Sony Ericsson Device 115 USB WMC Modem Filter;c:\windows\system32\drivers\s115mdfl.sys [2007-12-31 15112]
S3 s115mdm;Sony Ericsson Device 115 USB WMC Modem Driver;c:\windows\system32\drivers\s115mdm.sys [2007-12-31 108680]
S3 s115mgmt;Sony Ericsson Device 115 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s115mgmt.sys [2007-12-31 100488]
S3 s115obex;Sony Ericsson Device 115 USB WMC OBEX Interface;c:\windows\system32\drivers\s115obex.sys [2007-12-31 98568]

=============== Created Last 30 ================

2009-03-31 21:09 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-03-31 21:08 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-03-31 21:08 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-03-31 21:08 325,640 a------- c:\windows\system32\drivers\avgldx86.sys
2009-03-31 21:08 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-03-29 17:28 28,986 a--sh--- c:\windows\system32\FijSAcfe.ini2
2009-03-29 17:28 28,986 a--sh--- c:\windows\system32\FijSAcfe.ini
2009-03-29 17:27 15,000 a------- c:\windows\system32\nhser43uhjnefr.dll
2009-03-29 17:27 45,056 a------- C:\wtwriam.exe
2009-03-26 18:07 32,272 a------- c:\windows\ATMREG.ATM
2009-03-26 18:07 15,360 a------- c:\windows\system32\ATMsrvc.exe
2009-03-26 18:07 <DIR> --d----- C:\PSFONTS
2009-03-26 18:06 299,520 a------- c:\windows\uninst.exe
2009-03-26 18:06 <DIR> --d----- c:\temp\adobe
2009-03-23 17:29 <DIR> --d----- c:\program files\THQ
2009-03-04 20:02 2,036,576 a------- c:\windows\system32\D3DCompiler_40.dll
2009-03-04 20:02 452,440 a------- c:\windows\system32\d3dx10_40.dll
2009-03-04 20:02 4,379,984 a------- c:\windows\system32\D3DX9_40.dll
2009-03-04 20:02 514,384 a------- c:\windows\system32\XAudio2_3.dll
2009-03-04 20:02 70,992 a------- c:\windows\system32\XAPOFX1_2.dll
2009-03-04 20:02 235,856 a------- c:\windows\system32\xactengine3_3.dll
2009-03-04 20:02 23,376 a------- c:\windows\system32\X3DAudio1_5.dll

==================== Find3M ====================

2009-03-29 17:29 182,912 a------- c:\windows\system32\drivers\ndis.sys
2009-03-26 16:49 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-26 16:49 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-24 22:47 201,816 a------- c:\windows\system32\PnkBstrB.exe
2009-02-14 01:23 70,968 a------- c:\windows\system32\PnkBstrA.exe
2009-02-14 01:20 2,246,144 a------- c:\windows\system32\pbsvc.exe
2009-02-09 05:19 1,846,272 a------- c:\windows\system32\win32k.sys
2009-01-15 19:44 410,984 a------- c:\windows\system32\deploytk.dll

============= FINISH: 15:21:56.84 ===============

Edited by Larnek, 01 April 2009 - 03:36 PM.



#2 Larnek (Topic Starter)

Posted 02 April 2009 - 06:41 PM

After much frustration I went and followed another similar thread and used ComboFix, which removed a rootkit, UACwxdunwmc.sys, among other UAC files in windows\system32, which allowed me to get MBAM running, which in turn allowed me to get SUPERAntiSpyware going. So those logs are definitely too old to use. The latest MBAM scan from today shows nothing. Here are my last couple of logs, though, up until it ran clean. SUPERAntiSpyware hasn't run clean yet, though I haven't run it again after the last MBAM scan, so here is that log. Currently running the Kaspersky Online scan. I realize that some of these logs won't help and you will need another one for assistance; I just wanted to attempt to get interest and help, since I was unable to at first. Firefox is still running pretty crappily, memory hogging way more than I've seen before at about 136,000k and fluctuating wildly. Stuttering graphics are also noted. I haven't tried to play any games or had real time to sit down with it since the clean-up to check other problems, but my browser redirects are apparently gone as of right now. I will update this when the Kaspersky scan completes.


http://www.superantispyware.com

Generated 04/02/2009 at 03:08 AM

Application Version : 4.26.1000

Core Rules Database Version : 3824
Trace Rules Database Version: 1780

Scan type : Complete Scan
Total Scan Time : 00:58:17

Memory items scanned : 416
Memory threats detected : 0
Registry items scanned : 5947
Registry threats detected : 3
File items scanned : 28095
File threats detected : 7

Rogue.Component/Trace
HKLM\Software\Microsoft\28B8AEE4
HKLM\Software\Microsoft\28B8AEE4#28b8aee4
HKLM\Software\Microsoft\28B8AEE4#Version

Adware.Tracking Cookie
C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt
C:\Documents and Settings\Jason\Cookies\jason@www.findstuff[1].txt

BearShare File Sharing Client
C:\PROGRAM FILES\BEARSHARE\BEARSHARE.EXE
C:\PROGRAM FILES\BEARSHARE\CRACK\BEARSHARE.EXE

Rootkit.Agent/Gen-UACFake
C:\SYSTEM VOLUME INFORMATION\_RESTORE{36FF1658-4E16-4DCA-BC37-E87A62B660D1}\RP0\A0000005.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{36FF1658-4E16-4DCA-BC37-E87A62B660D1}\RP0\A0000006.DLL

Trojan.Smitfraud Variant-Gen/Bensorty
C:\SYSTEM VOLUME INFORMATION\_RESTORE{36FF1658-4E16-4DCA-BC37-E87A62B660D1}\RP1\A0000045.DLL


Malwarebytes' Anti-Malware 1.35
Database version: 1931
Windows 5.1.2600 Service Pack 2

4/2/2009 7:38:58 AM
mbam-log-2009-04-02 (07-38-58).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 272331
Time elapsed: 1 hour(s), 32 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\desten.dll (Trojan.Hiloti) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ncozer (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\desten.dll (Trojan.Hiloti) -> Delete on reboot.
C:\wtwriam.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\nhser43uhjnefr.dll.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACcfjdjwyk.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACieecqvuu.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{36FF1658-4E16-4DCA-BC37-E87A62B660D1}\RP0\A0000005.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{36FF1658-4E16-4DCA-BC37-E87A62B660D1}\RP0\A0000006.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{36FF1658-4E16-4DCA-BC37-E87A62B660D1}\RP1\A0000045.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\asiyafiseq.dll (Trojan.Agent) -> Delete on reboot.

Database version: 1931
Windows 5.1.2600 Service Pack 2

4/2/2009 5:32:03 PM
mbam-log-2009-04-02 (17-32-03).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 272330
Time elapsed: 1 hour(s), 13 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ncozer (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Database version: 1931
Windows 5.1.2600 Service Pack 2

4/2/2009 6:24:01 PM
mbam-log-2009-04-02 (18-24-01).txt

Scan type: Quick Scan
Objects scanned: 74341
Time elapsed: 3 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)


#3 KoanYorel (Staff Emeritus)

Posted 08 April 2009 - 06:28 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#4 Larnek (Topic Starter)

Posted 08 April 2009 - 07:29 PM

I've been able to kill off most of my troubles, I think. The computer still kind of acts slow, and IE still crashes occasionally and randomly. It just isn't acting right since the infection. DDS logs here.

DDS (Ver_09-03-16.01) - NTFSx86
Run by Jason at 19:24:29.01 on Wed 04/08/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1263 [GMT -5:00]

AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated)
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\System32\alg.exe
D:\Steam\steam.exe
C:\Documents and Settings\Jason\Local Settings\Temporary Internet Files\Content.IE5\CRW894J8\dds[1].com
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page =
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&fr=yie7c
uWindow Title = Windows Internet Explorer provided by Yahoo!
uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/ymj/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchAssistant =
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn3\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [RegistryMechanic] c:\program files\registry mechanic\RegMech.exe /H
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [QuickTime Task] "c:\program files\k-lite codec pack\quicktime\qttask.exe" -atboottime
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {25365FF3-2746-4230-9DA7-163CCA318309} - hxxp://inst.c-wss.com/n031p/EN/install/gtdownlr.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} - hxxp://asp.mathxl.com/wizmodules/testgen/installers/TestGenXInstall.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1175134884750
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {95D88B35-A521-472B-A182-BB1A98356421} - hxxp://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} - hxxp://asp.mathxl.com/books/_Players/MathPlayer.cab
DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.2.1.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = desten.dll scecli

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-4-1 130424]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2009-4-5 51520]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2009-4-5 38208]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-31 325640]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-3-31 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-31 108552]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2009-4-1 159600]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-3-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-3-23 72944]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-3-31 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-3-31 298264]
R2 YahooAUService;Yahoo! Updater;c:\program files\yahoo!\softwareupdate\YahooAUService.exe [2008-11-9 602392]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2009-4-5 33088]
S1 85a0414a;85a0414a;c:\windows\system32\drivers\85a0414a.sys --> c:\windows\system32\drivers\85a0414a.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-4-2 38496]
S3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [2009-4-1 64392]
S3 s115bus;Sony Ericsson Device 115 driver (WDM);c:\windows\system32\drivers\s115bus.sys [2007-12-31 83208]
S3 s115mdfl;Sony Ericsson Device 115 USB WMC Modem Filter;c:\windows\system32\drivers\s115mdfl.sys [2007-12-31 15112]
S3 s115mdm;Sony Ericsson Device 115 USB WMC Modem Driver;c:\windows\system32\drivers\s115mdm.sys [2007-12-31 108680]
S3 s115mgmt;Sony Ericsson Device 115 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s115mgmt.sys [2007-12-31 100488]
S3 s115obex;Sony Ericsson Device 115 USB WMC OBEX Interface;c:\windows\system32\drivers\s115obex.sys [2007-12-31 98568]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-3-23 7408]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-4-1 348752]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-4-1 1095560]
S3 ThreatFire;ThreatFire;c:\program files\spyware doctor\tfengine\tfservice.exe service --> c:\program files\spyware doctor\tfengine\TFService.exe service [?]

=============== Created Last 30 ================

2009-04-05 14:27 38,208 a------- c:\windows\system32\drivers\TfSysMon.sys
2009-04-05 14:27 33,088 a------- c:\windows\system32\drivers\TfNetMon.sys
2009-04-05 14:27 12,608 a------- c:\windows\system32\drivers\TfKbMon.sys
2009-04-05 14:27 51,520 a------- c:\windows\system32\drivers\TfFsMon.sys
2009-04-05 12:56 940,794 a------- c:\windows\system32\LoopyMusic.wav
2009-04-05 12:56 146,650 a------- c:\windows\system32\BuzzingBee.wav
2009-04-05 12:55 <DIR> --d----- c:\windows\system32\Lang
2009-04-05 08:11 <DIR> --d----- c:\windows\system32\RTCOM
2009-04-04 20:15 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-04-04 17:19 <DIR> --d----- c:\windows\SxsCaPendDel
2009-04-04 16:50 <DIR> --d----- c:\windows\ie8updates
2009-04-04 16:46 105,984 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-04-04 16:27 <DIR> --d----- c:\windows\ServicePackFiles
2009-04-04 15:55 19,569 a------- c:\windows\002972_.tmp
2009-04-04 15:52 685,056 -------- c:\windows\system32\drivers\hsfcxts2.sys
2009-04-04 14:52 18,944 ac------ c:\windows\system32\dllcache\simptcp.dll
2009-04-04 14:52 18,944 a------- c:\windows\system32\simptcp.dll
2009-04-04 13:09 24,576 a------- c:\windows\system32\SET108E.tmp
2009-04-04 13:09 177,152 a------- c:\windows\system32\SET106A.tmp
2009-04-04 13:09 75,776 a------- c:\windows\system32\SET1043.tmp
2009-04-04 13:09 15,872 a------- c:\windows\system32\SET103C.tmp
2009-04-04 13:09 354,304 a------- c:\windows\system32\SET1038.tmp
2009-04-04 13:09 80,896 a------- c:\windows\system32\SET1033.tmp
2009-04-04 13:09 <DIR> --d----- c:\windows\system32\scripting
2009-04-04 13:09 <DIR> --d----- c:\windows\l2schemas
2009-04-04 13:09 <DIR> --d----- c:\windows\system32\en
2009-04-04 13:09 <DIR> --d----- c:\windows\system32\bits
2009-04-04 13:05 584,704 a------- c:\windows\system32\SET24F.tmp
2009-04-04 13:04 19,569 a------- c:\windows\002965_.tmp
2009-04-04 13:01 2,145,280 a------- c:\windows\system32\ntoskrnl.exe
2009-04-04 13:00 <DIR> --d----- c:\windows\EHome
2009-04-03 15:39 <DIR> --d----- c:\docume~1\jason\applic~1\wsInspector
2009-04-03 15:38 <DIR> --d----- c:\program files\Startup Inspector for Windows
2009-04-03 15:35 <DIR> --d----- c:\windows\pss
2009-04-03 15:24 <DIR> --dsh--- c:\documents and settings\jason\IECompatCache
2009-04-03 15:23 <DIR> --dsh--- c:\documents and settings\jason\PrivacIE
2009-04-03 15:21 <DIR> --dsh--- c:\documents and settings\jason\IETldCache
2009-04-03 15:11 <DIR> -cd-h--- c:\windows\ie8
2009-04-03 14:45 <DIR> --d----- c:\docume~1\jason\applic~1\Uniblue
2009-04-02 02:09 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-02 02:09 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-02 02:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-04-02 02:08 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-04-02 02:08 <DIR> --d----- c:\docume~1\jason\applic~1\SUPERAntiSpyware.com
2009-04-02 01:46 <DIR> a-dshr-- C:\cmdcons
2009-04-02 01:45 161,792 a------- c:\windows\SWREG.exe
2009-04-02 01:45 98,816 a------- c:\windows\sed.exe
2009-04-01 19:18 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-04-01 19:17 130,424 a------- c:\windows\system32\drivers\PCTCore.sys
2009-04-01 19:17 73,840 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-04-01 19:17 <DIR> --d----- c:\program files\common files\PC Tools
2009-04-01 19:17 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-04-01 19:17 <DIR> --d----- c:\program files\Spyware Doctor
2009-04-01 19:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-03-31 21:09 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-03-31 21:08 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-03-31 21:08 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-03-31 21:08 325,640 a------- c:\windows\system32\drivers\avgldx86.sys
2009-03-31 21:08 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-03-26 18:07 32,272 a------- c:\windows\ATMREG.ATM
2009-03-26 18:07 15,360 a------- c:\windows\system32\ATMsrvc.exe
2009-03-26 18:07 <DIR> --d----- C:\PSFONTS
2009-03-26 18:06 299,520 a------- c:\windows\uninst.exe
2009-03-26 18:06 <DIR> --d----- c:\temp\adobe
2009-03-23 17:29 <DIR> --d----- c:\program files\THQ

==================== Find3M ====================

2009-04-04 16:31 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-03-08 04:34 914,944 a------- c:\windows\system32\wininet.dll
2009-03-08 04:34 43,008 a------- c:\windows\system32\licmgr10.dll
2009-03-08 04:33 18,944 a------- c:\windows\system32\corpol.dll
2009-03-08 04:33 420,352 a------- c:\windows\system32\vbscript.dll
2009-03-08 04:32 72,704 a------- c:\windows\system32\admparse.dll
2009-03-08 04:32 71,680 a------- c:\windows\system32\iesetup.dll
2009-03-08 04:31 34,816 a------- c:\windows\system32\imgutil.dll
2009-03-08 04:31 48,128 a------- c:\windows\system32\mshtmler.dll
2009-03-08 04:31 45,568 a------- c:\windows\system32\mshta.exe
2009-03-08 04:22 156,160 a------- c:\windows\system32\msls31.dll
2009-02-24 22:47 201,816 a------- c:\windows\system32\PnkBstrB.exe
2009-02-14 01:23 70,968 a------- c:\windows\system32\PnkBstrA.exe
2009-02-14 01:20 22,328 a------- c:\docume~1\jason\applic~1\PnkBstrK.sys
2009-02-14 01:20 2,246,144 a------- c:\windows\system32\pbsvc.exe
2009-02-09 06:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 05:19 1,846,272 -------- c:\windows\system32\_004422_.tmp.dll
2009-01-15 19:44 410,984 a------- c:\windows\system32\deploytk.dll

============= FINISH: 19:25:11.34 ===============


#5 KoanYorel

    Bleepin' Conundrum


  • Staff Emeritus
  • 19,461 posts
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA
  • Local time:01:43 AM

Posted 08 April 2009 - 07:45 PM

Hang on. We'll try to get a Tech to help you in the next day or so. Be patient as we are almost swamped.
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#6 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:01:43 AM

Posted 09 April 2009 - 07:18 AM

Hello.

Let's see what we can do.

Backdoor Threat
I'm sorry to say that your computer was infected with one or more backdoor trojans.

This means that sensitive information could have been stolen. I would advise to change any passwords for any accounts that you have accessed with the infected computer using a clean computer ASAP. If you have used this computer for banking, I would strongly suggest that you report the possible stolen information. Please do not use the computer for any further transactions, or to enter any other information, if at all possible, until it is declared clean.

You may want to read this article on how to handle identity theft.
You may also want to read this article regarding the prevention of identity theft.

This computer can still be cleaned, however, I cannot guarantee that it will be 100% safe even after disinfection.

Please read When Should I Format, How Should I Reinstall.

I will proceed assuming you wish to disinfect. If you want to do a reinstall, reply back saying so.

Download and Run ATFCleaner
Please download ATF Cleaner by Atribune. This program will clear out temporary files and settings. You will likely be logged out of the forum where you are receiving help.
  • Double-click ATF-Cleaner.exe to run the program. If you are using Windows Vista, right click the icon and select Run As Administrator.
  • Under Main Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
Install ERUNT
This tool will create a complete backup of your registry. After every reboot, a new backup is created to ensure we have a safety net after each step. Do not delete these backups until we are finished.

Do not use the NTREGOPT that comes with the installation package.
  • Please download erunt-setup.exe to your desktop.
  • Double click erunt-setup.exe. If you are using Windows Vista, right click the icon and select "Run As Administrator." Follow the prompts and allow ERUNT to be installed with the settings at default. If you do not want a Desktop icon, feel free to uncheck that. When asked if you want to create an ERUNT entry in the startup folder, answer Yes only if you are using Windows XP. You can delete the installation file after use.
  • Erunt will open when the installation is finished. Check all items to be backed up in the default location and click OK.
You can find a complete guide to using the program here:
http://www.larshederer.homepage.t-online.de/erunt/erunt.txt

When we are finished, you may remove ERUNT using Add/Remove Programs.

Download and Run OTMoveIT
  • Please download OTMoveIt3 by OldTimer to your desktop. If you have already used the program, there is no need to download a new one.
  • Double-click OTMoveIt3.exe to run it. If you are running on Vista, right click on the file and choose Run As Administrator.
  • Copy the lines in the codebox below. Do not copy the word "code".
    :services
    85a0414a
    
    :reg
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Notification Packages"=hex(7):"scecli"
    
    :files
    c:\windows\system32\BuzzingBee.wav
    c:\windows\system32\LoopyMusic.wav
    
    :commands
    [emptytemp]
  • Return to OTMoveIt3, right click in the Paste List Of Files/Patterns To Move window (under the yellow bar) and choose Paste.
  • Close all open windows except OTMoveIt.
  • Click the MoveIt! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3.
Note: If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key. Navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest ".log" file present, and copy/paste the contents of that document back here in your next post.

Install From Windows Updates
Whenever a security problem in its software is found, Microsoft will create a patch for it. After the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malware being installed on your computer.

Visit the Microsoft Update Website and follow the on-screen instructions to set up Microsoft Update. Also follow the instructions to update your system. Please reboot and repeat this process until there are no more updates to install.

Follow up with a fresh DDS.txt log please.

With Regards,
The Panda
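
The 85a0414a entry in the DDS services list above (a system-start driver whose image DDS could not find on disk, and the first thing the OTMoveIt script removes) is the kind of line that can be screened mechanically before a helper reads the rest of the log. As an added example, not part of the thread or of the DDS or OTMoveIt tools, this Python parser reads DDS-style service lines and flags such entries; the sample lines are constructed copies in that format, and the hex-style-name heuristic is an assumption of the example, not a DDS rule.

```python
import re
from dataclasses import dataclass

# Constructed sample in the DDS "services" format seen in the thread:
# state letter (R running / S stopped) + start type, then name;display;image path [date size].
SAMPLE_LOG = r"""
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-4-1 130424]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-31 108552]
S1 85a0414a;85a0414a;c:\windows\system32\drivers\85a0414a.sys --> c:\windows\system32\drivers\85a0414a.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-4-2 38496]
"""

LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d) (?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.*?)(?: --> (?P<resolved>.*?))? \[(?P<meta>[^\]]*)\]$"
)

@dataclass
class Service:
    start_type: int      # 0 boot, 1 system, 2 automatic, 3 manual, 4 disabled
    name: str
    display: str
    path: str
    file_missing: bool   # DDS prints "--> path [?]" when the image is not on disk

def parse_dds_services(text: str) -> list[Service]:
    """Parse DDS service lines; anything not in that format is skipped."""
    services = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            services.append(Service(
                start_type=int(m["start"]),
                name=m["name"],
                display=m["display"],
                path=m["resolved"] or m["path"],
                file_missing=m["meta"] == "?",
            ))
    return services

def suspicious(services: list[Service]) -> list[str]:
    """Heuristic triage, not a verdict: early-start drivers with no image, opaque hex-style names."""
    findings = []
    for s in services:
        reasons = []
        if s.file_missing and s.start_type <= 1:
            reasons.append("boot/system-start driver whose image file is missing")
        if s.name == s.display and re.fullmatch(r"(?=.*\d)[0-9a-f]{6,}", s.name):
            reasons.append("opaque hex-style name repeated as display name")
        if reasons:
            findings.append(f"{s.name}: " + "; ".join(reasons))
    return findings
```

Run `suspicious(parse_dds_services(open("dds.txt").read()))` over a real DDS.txt to list the entries worth a closer look; legitimate drivers such as the AVG and PC Tools ones above pass through untouched.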

#7 Larnek

  • Topic Starter

  • Members
  • 11 posts
  • Local time:12:43 AM

Posted 09 April 2009 - 02:43 PM

Well that's kinda what I was thinking. I'm just going to do a fresh format and reinstall. It's been 2 years so it's way past time.

#8 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:01:43 AM

Posted 09 April 2009 - 02:52 PM

Hello Larnek.

That would be a good choice.

Do you have your Windows XP disk?

With Regards,
The Panda

#9 Larnek

  • Topic Starter

  • Members
  • 11 posts
  • Local time:12:43 AM

Posted 09 April 2009 - 02:55 PM

Yeah, but I'm gonna have to mess with Microsoft tech support to get a code for it, I believe. I'm going to be away from the computer for a few hours.

#10 Larnek

  • Topic Starter

  • Members
  • 11 posts
  • Local time:12:43 AM

Posted 09 April 2009 - 05:55 PM

Is there anything in particular I need to be sure to do prior to format in order to clean this thing out?

#11 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:01:43 AM

Posted 10 April 2009 - 05:33 PM

Sorry for the delay.

Mainly, data should be backed up.

Please follow the guide here.

With Regards,
The Panda

#12 Larnek

  • Topic Starter

  • Members
  • 11 posts
  • Local time:12:43 AM

Posted 10 April 2009 - 06:00 PM

K, just wanted to make sure there was nothing that could hide in the boot sector or anything crazy like that. Thanks for your help. I assume you can close the topic now.

#13 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:01:43 AM

Posted 10 April 2009 - 06:52 PM

Welcome.

Windows handles anything close to the boot sector.

Since this issue appears to be resolved, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda



