
Trojan infection - XP Home - vundo?


25 replies to this topic

#1 kps

Posted 12 April 2009 - 08:35 PM

Specifics: XP Home, Service Pack 2

Hello everyone,

I have a Trojan infection that won't go away.

For many years I had no spyware/trojan problems. Then suddenly, late last week, I had a massive attack with flashing advertisements, browser immediately slowed to a crawl, etc. The computer was totally hijacked. Task Manager was disabled. System restore was locked out. Download.com was blocked. Spybot was blocked from opening. Nightmare.

I'll admit to going into a panic and not really thinking straight. I downloaded practically every known spyware removal tool and just started scanning and removing. Nothing worked until I stumbled across Malware Bytes Anti Malware and ComboFix. Together they ALMOST removed it. ComboFix practically scuttled my network connections but I got them going again. Now I understand the error of my ways. I should have posted something here before wasting time and screwing things up further.

The major symptoms are all gone, but the bug is not. Two reasons I know this:

1) msconfig. Startup tab. There is an item in the list that always comes back after a reboot despite unchecking the box. It has an ugly name:
Item: ojugamewo
Command: rundll32.exe "C:\WINDOWS\ojugamewo.dll", e
Location: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run


2) Malware Bytes Anti Malware finds two entries for malware:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Current\Version\Run\aredizegosuli
- C:\WINDOWS\ojugamewo.dll


When I choose Remove Selected - then reboot, rescan - they are gone. And so is the entry in the msconfig Startup tab.

However, after a very short time, they come back, but with new random names.

I had a hunch this was Vundo, because one of the things ComboFix got rid of was called: Sujegaro.dll, which triggered several Vundo related hits when I googled it.

However, VundoFix fails to find anything at all.

Thanks for any help you can provide.

Kirk S.


#2 boopme

Posted 12 April 2009 - 09:10 PM

Hi, let's try this. Install and update ATF and SAS and MBAM (Malwarebytes). Then disconnect from the internet: unplug your modem's connection to the PC, or unplug the router if wireless, and then run the tools.

Rerun MBAM

Open MBAM in normal mode and click the Update tab, select Check for Updates; when done,
click the Scanner tab, select Quick scan and scan.
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

Now ATF and SAS.
From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to desktop.
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Please ask any needed questions, post the log and let us know how the PC is running now.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 kps

Posted 13 April 2009 - 05:36 PM

I just updated MBAM and ATF Cleaner. However, I tried to install SAS and failed. I get the error message

"The Windows Installer Service could not be accessed. This can occur if you are running Windows in safe mode, or if the Windows Installer is not correctly installed. Contact your support personnel for assistance."

The computer is NOT running in Windows safe mode.

Should I try to rectify this? or proceed without SAS?

Thanks again.

Kirk S.

Edited by kps, 13 April 2009 - 09:04 PM.


#4 kps

Posted 13 April 2009 - 05:46 PM

Sorry. I figured out the SAS thing. Installer Service was not running.

I'll try the rest of this now.

#5 kps

Posted 13 April 2009 - 08:36 PM

Here is the MBAM log from the first step.

Malwarebytes' Anti-Malware 1.36
Database version: 1978
Windows 5.1.2600 Service Pack 2

4/13/2009 7:53:30 PM
mbam-log-2009-04-13 (19-53-30).txt

Scan type: Quick Scan
Objects scanned: 98730
Time elapsed: 4 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aredizegosuli (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\ojugamewo.dll (Trojan.Agent) -> Delete on reboot.

#6 kps

Posted 13 April 2009 - 08:38 PM

Here is the SAS log

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/13/2009 at 09:17 PM

Application Version : 4.26.1000

Core Rules Database Version : 3841
Trace Rules Database Version: 1796

Scan type : Complete Scan
Total Scan Time : 00:57:47

Memory items scanned : 214
Memory threats detected : 0
Registry items scanned : 6482
Registry threats detected : 0
File items scanned : 126039
File threats detected : 2

Adware.SeekSuggest
C:\QOOBOX\QUARANTINE\C\WINDOWS\JESTERTB.DLL.VIR

Trojan.RootKit/Gen
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\UACWYLGYJNV.DLL.VIR

I hope that removes the problem. I'll post again soon to say whether it has come back.

Thanks again.

Kirk S.

#7 boopme

Posted 13 April 2009 - 08:49 PM

Yes, this is looking good. Let me know tomorrow if it's still good and we'll mop up.

Edited by boopme, 13 April 2009 - 08:49 PM.


#8 kps

Posted 13 April 2009 - 09:03 PM

Sadly, that didn't work. The bug is back. This time it is named:

ahihuboz

Any ideas?

#9 boopme

Posted 14 April 2009 - 06:17 PM

Rats, I had a long day here so I couldn't respond earlier.
We'll need to run S!Ri's SmitfraudFix and SDFix.

Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm


Now SDFix:
Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.

#10 kps

Posted 14 April 2009 - 07:33 PM

Hey, no problem. I know how it is.
Thanks for sticking with me on this. I'm from NJ too, by the way.

Below is the SmitFraudFix Log. Next I will do SD Tracker.

--------------------------------

SmitFraudFix v2.408

Scan done at 20:27:27.35, Tue 04/14/2009
Run from C:\Documents and Settings\KPS\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\BRMFRSMG.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\KPS\Desktop\SmitfraudFix\Policies.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\CSCRIPT.EXE

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\KPS


C:\DOCUME~1\KPS\LOCALS~1\Temp


C:\Documents and Settings\KPS\Application Data


Start Menu


C:\DOCUME~1\KPS\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="c:\\windows\\system32\\sujegaru.dll"


Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

RK

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""




DNS

Description: Broadcom NetXtreme 57xx Gigabit Controller - Packet Scheduler Miniport
DNS Server Search Order: 192.168.2.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{A5B9AD13-5476-45BD-953C-D12E91ABF914}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{A5B9AD13-5476-45BD-953C-D12E91ABF914}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{A5B9AD13-5476-45BD-953C-D12E91ABF914}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1


Scanning for wininet.dll infection


End
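As an added example (my own code, not part of this thread or of any of the tools used in it): a small Python triage script that parses .reg-style fragments like the ones in the SmitfraudFix log above and flags the persistence pattern kps described, a Run value that has rundll32 load a DLL from C:\WINDOWS with a one-letter export, plus a non-empty AppInit_DLLs. The sample input is constructed from the names quoted in this thread, and the "generated-looking name" rule is my own heuristic, not a published signature.

```python
r"""Heuristic autostart triage for the Vundo-style persistence in this thread.

Input is a .reg-style export fragment (the format of the SmitfraudFix log
above).  Signals: AppInit_DLLs set at all (the DLL is injected into every
process that loads user32.dll, which lets a deleted Run entry be recreated);
a Run value where rundll32 loads a DLL straight from the Windows directory
with a one-letter export; and file names that look machine-generated
(alternating consonant/vowel strings such as ojugamewo, sujegaru, ahihuboz).
The name rule is an assumption of mine, not a published signature.
"""
import re
from dataclasses import dataclass

VOWELS = set("aeiou")
RUN_KEY = r"\Microsoft\Windows\CurrentVersion\Run"
WINDOWS_KEY = r"\Microsoft\Windows NT\CurrentVersion\Windows"
REG_KEY_RE = re.compile(r"^\[(.+)\]$")
REG_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# rundll32[.exe] "path\to\x.dll",export   (the quotes are optional)
RUNDLL_RE = re.compile(r'^\s*"?rundll32(?:\.exe)?"?\s+"?([^",]+?)"?\s*,\s*(\S*)', re.I)


@dataclass
class Finding:
    key: str
    name: str
    value: str
    reason: str


def unescape(s: str) -> str:
    # .reg data escapes backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text: str) -> list:
    """Return (key, value_name, value_data) triples from a .reg-style fragment."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := REG_KEY_RE.match(line):
            key = m.group(1)
        elif key and (m := REG_VALUE_RE.match(line)):
            entries.append((key, unescape(m.group(1)), unescape(m.group(2))))
    return entries


def basename(path: str) -> str:
    return path.rstrip("\\").rsplit("\\", 1)[-1]


def looks_generated(filename: str) -> bool:
    """Lowercase alphabetic stem whose letters almost always alternate between
    consonant and vowel.  Ordinary words can match too (e.g. 'userinit'), so
    it is only applied to values that already sit in a suspicious location."""
    stem = filename.lower().rsplit(".", 1)[0]
    if not (6 <= len(stem) <= 14) or not stem.isalpha():
        return False
    flips = sum((a in VOWELS) != (b in VOWELS) for a, b in zip(stem, stem[1:]))
    return flips >= len(stem) - 2


def triage(entries) -> list:
    """Apply the signals above to parsed entries and return the findings."""
    out = []
    for key, name, value in entries:
        def flag(why, key=key, name=name, value=value):
            out.append(Finding(key, name, value, why))
        k = key.upper()
        if k.endswith(WINDOWS_KEY.upper()) and name.lower() == "appinit_dlls":
            if value.strip():
                flag("AppInit_DLLs is non-empty")
                if looks_generated(basename(value)):
                    flag("AppInit_DLLs target has a generated-looking name")
        elif k.endswith(RUN_KEY.upper()) and (m := RUNDLL_RE.match(value)):
            dll, export = m.group(1), m.group(2)
            parent = dll.rsplit("\\", 1)[0].lower() if "\\" in dll else ""
            if parent in ("c:\\windows", "%windir%", "%systemroot%"):
                flag("rundll32 loads a DLL from the Windows directory root")
            if len(export) == 1:
                flag("rundll32 export name is a single letter")
            if looks_generated(basename(dll)):
                flag("rundll32 target has a generated-looking name")
    return out


# Constructed sample modelled on the entries quoted in this thread; the
# ctfmon.exe and NvCplDaemon lines are ordinary XP autostarts, for contrast.
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="c:\\windows\\system32\\sujegaru.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ojugamewo"="rundll32.exe \"C:\\WINDOWS\\ojugamewo.dll\",e"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"""


def triage_text(text: str) -> list:
    return triage(parse_reg(text))


if __name__ == "__main__":
    for f in triage_text(SAMPLE):
        print(f"{f.name:12s} {f.reason}: {f.value}")
```

On the constructed sample the two legitimate autostarts produce no findings, while the AppInit_DLLs value and the ojugamewo Run entry are flagged on every rule that applies to them.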

#11 boopme

Posted 14 April 2009 - 08:32 PM

Well, we have a rootkit and some others; we'll wait for SDFix to see where we go next.

Hey, we Jerseys have to stick together. I'm not far away, on the cliffs in Hudson.

#12 kps

Posted 14 April 2009 - 09:00 PM

Cool. I work in Englewood luckily, so I get to stay on the good side of the Hudson. :)

Here is the SDFix log:


SDFix: Version 1.240
Run by Administrator on Tue 04/14/2009 at 09:48 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-14 21:54:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Return to Castle Wolfenstein\\WolfMP.exe"="C:\\Program Files\\Return to Castle Wolfenstein\\WolfMP.exe:*:Enabled:WolfMP"
"C:\\Program Files\\The All-Seeing Eye\\eye.exe"="C:\\Program Files\\The All-Seeing Eye\\eye.exe:*:Enabled:Yahoo! All-Seeing Eye"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Trillian\\trillian.exe"="C:\\Program Files\\Trillian\\trillian.exe:*:Enabled:Trillian"
"C:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"="C:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe:*:Enabled:CoD2MP_s"
"C:\\Program Files\\Quote.com\\QCharts 5.1\\QCharts.exe"="C:\\Program Files\\Quote.com\\QCharts 5.1\\QCharts.exe:*:Enabled:QCharts"
"C:\\Program Files\\Fidelity Investments\\Wealth-Lab Pro\\WealthLab.exe"="C:\\Program Files\\Fidelity Investments\\Wealth-Lab Pro\\WealthLab.exe:*:Enabled:WealthLab"
"C:\\Program Files\\Caribbean Sun Poker\\UA.exe"="C:\\Program Files\\Caribbean Sun Poker\\UA.exe:*:Enabled:UA Application"
"C:\\WINDOWS\\SYSTEM32\\FTP.EXE"="C:\\WINDOWS\\SYSTEM32\\FTP.EXE:*:Enabled:File Transfer Program"
"C:\\WINDOWS\\SYSTEM32\\DPVSETUP.EXE"="C:\\WINDOWS\\SYSTEM32\\DPVSETUP.EXE:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\thinkpipes\\jre\\bin\\javaw.exe"="C:\\Program Files\\thinkpipes\\jre\\bin\\javaw.exe:*:Enabled:Java™ 2 Platform Standard Edition binary"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\WINDOWS\\SYSTEM32\\PnkBstrA.exe"="C:\\WINDOWS\\SYSTEM32\\PnkBstrA.exe:*:Enabled:PnkBstrA"
"C:\\WINDOWS\\SYSTEM32\\PnkBstrB.exe"="C:\\WINDOWS\\SYSTEM32\\PnkBstrB.exe:*:Enabled:PnkBstrB"
"C:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"="C:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe:*:Enabled:Yahoo! Music Jukebox"
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"="C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe:*:Enabled:Call of Duty® 4 - Modern Warfare™ "
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\1125760835\\ee\\aolservicehost.exe"="C:\\Program Files\\Common Files\\AOL\\1125760835\\ee\\aolservicehost.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\trlrm\\RMHSvc.exe"="C:\\WINDOWS\\trlrm\\RMHSvc.exe:*:Enabled:RMHSvc.exe"

Remaining Files :



Files with Hidden Attributes :

Tue 16 Aug 2005 4 A..H. --- "C:\ajspu.sys"
Mon 17 Dec 2007 31 A..H. --- "C:\WINDOWS\uccspecc.sys"
Tue 16 Aug 2005 4 A..H. --- "C:\WINDOWS\ujspa.sys"
Mon 26 Jan 2009 1,740,632 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 26 Jan 2009 5,365,592 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Thu 5 Mar 2009 2,260,480 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Tue 7 Apr 2009 61,440 A.SH. --- "C:\WINDOWS\SYSTEM32\bewijeze.exe"
Tue 7 Apr 2009 23,552 A.SH. --- "C:\WINDOWS\SYSTEM32\lutayesi.exe"
Mon 20 Feb 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 9 Dec 2006 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Fri 12 Nov 2004 37,376 ...H. --- "C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe"
Mon 20 Feb 2006 4,348 ...H. --- "C:\Documents and Settings\KPS\My Documents\My Music\License Backup\drmv1key.bak"
Tue 21 Feb 2006 20 A..H. --- "C:\Documents and Settings\KPS\My Documents\My Music\License Backup\drmv1lic.bak"
Mon 20 Feb 2006 400 A.SH. --- "C:\Documents and Settings\KPS\My Documents\My Music\License Backup\drmv2key.bak"
Tue 7 Jun 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"
Tue 7 Jun 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp"
Sat 11 Jun 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\lock.tmp"
Sat 11 Jun 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch4\lock.tmp"

Finished!

#13 boopme

Posted 14 April 2009 - 10:53 PM

Good. Yeah, I've watched some interesting things on the Hudson these last 10 years.

We need to run Part 2 Cleaning and then a rootkit scan.

S!Ri's SmitfraudFix
You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt


Next Please install RootRepeal

Go HERE, and download RootRepeal.zip to your Desktop.
Tutorial with images, if needed >> L@@K.
Unzip that (7-zip tool if needed) and then click RootRepeal.exe to open the scanner.
Next click on the Report tab, now click on Scan. A Window will open asking what to include in the scan. Check all of the below and then click OK.

Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services


Now you'll be asked which drive to scan. Check C: and click OK again and the scan will start. Please be patient as the scan runs. When the scan has finished, click on Save Report.
Name the log RootRepeal.txt and save it to your Documents folder (it should automatically save it there).
Please copy and paste that into your next reply.

#14 kps

Posted 15 April 2009 - 10:44 PM

Sorry, I didn't get a chance to try this out tonight. I will almost certainly get to it tomorrow. Thanks again.

#15 kps

Posted 16 April 2009 - 09:25 PM

SmitFraudFix v2.408

Scan done at 22:00:25.32, Thu 04/16/2009
Run from C:\Documents and Settings\KPS\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


hosts

127.0.0.1 localhost

VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files


IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Agent.OMZ.Fix

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


RK


DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{A5B9AD13-5476-45BD-953C-D12E91ABF914}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{A5B9AD13-5476-45BD-953C-D12E91ABF914}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{A5B9AD13-5476-45BD-953C-D12E91ABF914}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1


Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

"System"=""


RK.2



Registry Cleaning

Registry Cleaning done.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End



ROOTREPEAL © AD, 2007-2008
==================================================
Scan Time: 2009/04/16 22:10
Program Version: Version 1.2.3.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0xAA89F000 Size: 479232 File Visible: No
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA7A6F000 Size: 45056 File Visible: No
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\SYSTEM32\LogFiles\WUDF\WUDFTrace.etl
Status: Allocation size mismatch (API: 8192, Raw: 4096)

Path: C:\Documents and Settings\KPS\My Documents\OnlineCourses\Physics\8-224Spring-2003\8-224Spring-2003\NR\rdonlyres\Physics\8-224Exploring-Black-Holes--General-Relativity---AstrophysicsSpring2003\7CAA70D8-0F33-41B3-A8AB-D2AF4B15ED85\0\gravitationalforcesnotes3a.pdf
Status: Locked to the Windows API!

Path: C:\Documents and Settings\KPS\My Documents\OnlineCourses\Physics\8-224Spring-2003\8-224Spring-2003\NR\rdonlyres\Physics\8-224Exploring-Black-Holes--General-Relativity---AstrophysicsSpring2003\2839DA66-087E-422D-A2A0-1917D9AB416C\0\03assignwk8b.pdf:Zone.Identifier
Status: Locked to the Windows API!

Path: C:\Documents and Settings\KPS\My Documents\OnlineCourses\Physics\8-224Spring-2003\8-224Spring-2003\NR\rdonlyres\Physics\8-224Exploring-Black-Holes--General-Relativity---AstrophysicsSpring2003\2839DA66-087E-422D-A2A0-1917D9AB416C\0\03assignwk8b.pdf:Zone.Identifier
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\KPS\My Documents\OnlineCourses\Physics\8-224Spring-2003\8-224Spring-2003\NR\rdonlyres\Physics\8-224Exploring-Black-Holes--General-Relativity---AstrophysicsSpring2003\2CA0AB28-6739-430B-82FE-4173182C435C\0\coordsproptime.pdf:Zone.Identifier
Status: Locked to the Windows API!

Path: C:\Documents and Settings\KPS\My Documents\OnlineCourses\Physics\8-224Spring-2003\8-224Spring-2003\NR\rdonlyres\Physics\8-224Exploring-Black-Holes--General-Relativity---AstrophysicsSpring2003\48153E03-1E6D-43D6-A69C-464A51AD68BC\0\03assignwk4n.pdf:Zone.Identifier
Status: Locked to the Windows API!

Path: C:\Documents and Settings\KPS\My Documents\OnlineCourses\Physics\8-224Spring-2003\8-224Spring-2003\NR\rdonlyres\Physics\8-224Exploring-Black-Holes--General-Relativity---AstrophysicsSpring2003\4FEF9A51-937F-4C90-8304-54A6426BBBC4\0\gravitymetricscoordinatesnotes2.pdf
Status: Locked to the Windows API!

Path: C:\Documents and Settings\KPS\My Documents\OnlineCourses\Physics\8-224Spring-2003\8-224Spring-2003\NR\rdonlyres\Physics\8-224Exploring-Black-Holes--General-Relativity---AstrophysicsSpring2003\5FF7190A-D368-49B3-8EAB-7578A2AEC4FA\0\03assignwks1_2.pdf:Zone.Identifier
Status: Locked to the Windows API!

Path: C:\Documents and Settings\KPS\My Documents\OnlineCourses\Physics\8-224Spring-2003\8-224Spring-2003\NR\rdonlyres\Physics\8-224Exploring-Black-Holes--General-Relativity---AstrophysicsSpring2003\5FF7190A-D368-49B3-8EAB-7578A2AEC4FA\0\03assignwks1_2.pdf:Zone.Identifier
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\KPS\My Documents\OnlineCourses\Physics\8-224Spring-2003\8-224Spring-2003\NR\rdonlyres\Physics\8-224Exploring-Black-Holes--General-Relativity---AstrophysicsSpring2003\60352FB7-8BD9-49B3-861A-466A369D1C44\0\03assignwk5p.pdf:Zone.Identifier
Status: Locked to the Windows API!

Path: C:\Documents and Settings\KPS\My Documents\OnlineCourses\Physics\8-224Spring-2003\8-224Spring-2003\NR\rdonlyres\Physics\8-224Exploring-Black-Holes--General-Relativity---AstrophysicsSpring2003\665A79EF-C5D1-46D5-AFCF-5284CA81FF6E\0\8224cosmosa67.pdf:Zone.Identifier
Status: Locked to the Windows API!

Path: C:\Documents and Settings\KPS\My Documents\OnlineCourses\Physics\8-224Spring-2003\8-224Spring-2003\NR\rdonlyres\Physics\8-224Exploring-Black-Holes--General-Relativity---AstrophysicsSpring2003\713581BF-D055-4228-984B-B7EBC725E61D\0\cosmosa67figs.pdf:Zone.Identifier
Status: Locked to the Windows API!

Path: C:\Documents and Settings\KPS\My Documents\OnlineCourses\Physics\8-224Spring-2003\8-224Spring-2003\NR\rdonlyres\Physics\8-224Exploring-Black-Holes--General-Relativity---AstrophysicsSpring2003\78477900-D698-44F6-903B-FE63A1803690\0\midtermexam.pdf:Zone.Identifier
Status: Locked to the Windows API!

Path: C:\Documents and Settings\KPS\My Documents\OnlineCourses\Physics\8-224Spring-2003\8-224Spring-2003\NR\rdonlyres\Physics\8-224Exploring-Black-Holes--General-Relativity---AstrophysicsSpring2003\9DA6328F-11B7-4E1E-AFE6-D7CD821C72F5\0\midtermpreview.pdf:Zone.Identifier
Status: Locked to the Windows API!

Path: C:\Documents and Settings\KPS\My Documents\OnlineCourses\Physics\8-224Spring-2003\8-224Spring-2003\NR\rdonlyres\Physics\8-224Exploring-Black-Holes--General-Relativity---AstrophysicsSpring2003\A9B56C6C-B976-4CEE-929A-DA23AACF8923\0\8224_Sem03GKS2.pdf:Zone.Identifier
Status: Locked to the Windows API!

Path: C:\Documents and Settings\KPS\My Documents\OnlineCourses\Physics\8-224Spring-2003\8-224Spring-2003\NR\rdonlyres\Physics\8-224Exploring-Black-Holes--General-Relativity---AstrophysicsSpring2003\AAB08CB5-8193-4992-A410-A3AF65F8E38C\0\03assignwk6e.pdf:Zone.Identifier
Status: Locked to the Windows API!

Path: C:\Documents and Settings\KPS\My Documents\OnlineCourses\Physics\8-224Spring-2003\8-224Spring-2003\NR\rdonlyres\Physics\8-224Exploring-Black-Holes--General-Relativity---AstrophysicsSpring2003\B4F7260F-36E9-4638-B2B7-9AFF779B9B91\0\8224baganoff_v2.pdf:Zone.Identifier
Status: Locked to the Windows API!

Path: C:\Documents and Settings\KPS\My Documents\OnlineCourses\Physics\8-224Spring-2003\8-224Spring-2003\NR\rdonlyres\Physics\8-224Exploring-Black-Holes--General-Relativity---AstrophysicsSpring2003\B639E8FB-88C6-4F68-887A-BD3F08ABB53D\0\questionsseminar2.pdf:Zone.Identifier
Status: Locked to the Windows API!

Path: C:\Documents and Settings\KPS\My Documents\OnlineCourses\Physics\8-224Spring-2003\8-224Spring-2003\NR\rdonlyres\Physics\8-224Exploring-Black-Holes--General-Relativity---AstrophysicsSpring2003\B76FFDA3-8157-421C-9CB6-3533E8A640BF\0\03assignwk3h.pdf:Zone.Identifier
Status: Locked to the Windows API!

Path: C:\Documents and Settings\KPS\My Documents\OnlineCourses\Physics\8-224Spring-2003\8-224Spring-2003\NR\rdonlyres\Physics\8-224Exploring-Black-Holes--General-Relativity---AstrophysicsSpring2003\BACA8D9D-22D3-4C3C-9B4C-74806523CA84\0\03assignwk7d.pdf:Zone.Identifier
Status: Locked to the Windows API!

SSDT
-------------------
#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x89de83e8



