Infected with Rootkit, Worm, Trojan.


  • This topic is locked
2 replies to this topic

#1 allanq

  • Members
  • 5 posts

Posted 14 April 2009 - 07:43 AM

Hi,
I hope you guys can help me. I have dual boot on my PC, namely Win98SE and WinXP Pro. The infected system is WinXP Pro, as I don't use Win98 that much and only use it with my old scanner, which doesn't run on XP, and as a backup if ever XP had problems. The problems began when some programs suddenly stopped working. Programs affected were CorelDRAW and Tracks Eraser Pro, MS Office, etc. It had different effects; for example, on MS Office all of the shortcuts pointing to MS Office disappeared, but I could still access it directly using Windows Explorer and the program still works, while CorelDRAW doesn't work at all and all of its shortcuts also disappeared. Tracks Eraser Pro keeps launching msiexec when clicked on, so I just uninstalled it. This all started after my nephew visited and downloaded something which I am not sure of, as he likes playing online games. Mostly flash games, though, but he keeps clicking yes on the prompts (he's only 9) which pop up on those websites. I'm not really sure what protection against viruses or spyware this PC has, as my brother is the one who configured & installed mostly everything on it. I however installed an antivirus on Win98 (Avast) which I used to scan the PC. I didn't install one on XP as it may have an antivirus (am not really sure); although I've seen some programs like Norton Utilities & Spyware Doctor, I don't think Spyware Doctor still works (it may have been corrupted) as clicking on it doesn't launch anything. Anyway, here is the result of Avast.

I copied this from the pop-up, but there were other pop-ups which I wasn't able to copy.
File Name: OVFSTH.SYS
Malware name: Win32:Alureon-G (Rtk)
Malware Type: Rootkit

This one I copied from its log file, although I don't think it's complete as the computer hung after it finished scanning.
4/13/09 6:56:24 AM 1239576984 Cool3 4294678011 Sign of "Win32:Tdss-C [Trj]" has been found in "C:\WINDOWS\SYSTEM32\ovfsthcgypulgyxocoixexctysshbeucxnfvcu.dll" file.
4/13/09 6:56:41 AM 1239577001 Cool3 4294678011 Sign of "Win32:Tdss-C [Trj]" has been found in "C:\WINDOWS\SYSTEM32\ovfsthjawylqoxcynuefywjtvqutpxiceivkai.dll" file.
4/13/09 6:56:41 AM 1239577001 Cool3 4294678011 Sign of "Win32:Tdss-C [Trj]" has been found in "C:\WINDOWS\SYSTEM32\ovfsthlgbiemvofqmkfribltclnfxqyhkxsenv.dll" file.
4/13/09 7:22:30 AM 1239578550 Cool3 4294681683 Sign of "Win32:Alureon-G [Rtk]" has been found in "C:\WINDOWS\SYSTEM32\DRIVERS\OVFSTH.SYS" file.

I remember seeing a pop-up that said it had a trojan, but I was not able to write down what file it was. I'm worried that this rootkit thing might somehow steal credit card info, as I pay some of my bills online using PayPal.
I hope you guys can help me.

Btw, here is the DDS log.

DDS (Ver_09-03-16.01) - FAT32x86
Run by Supergwapo at 10:28:17.04 on Mon 04/13/2009
Internet Explorer: 7.0.5730.13

============== Running Processes ===============


============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1;*.local;<local>
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - c:\program files\flashget\jccatch_1.dll
BHO: PCTools Site Guard: {5c8b2a36-3db1-42a4-a3cb-d426709bbfeb} - c:\progra~1\spywar~1\tools\iesdsg.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: PCTools Browser Monitor: {b56a7d7d-6927-48c8-a975-17df180c71ac} - c:\progra~1\spywar~1\tools\iesdpb.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: FlashFXP Helper for Internet Explorer: {e5a1691b-d188-4419-ad02-90002030b8ee} - c:\progra~1\flashfxp\IEFlash.dll
BHO: FlashGet GetFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - c:\program files\flashget\getflash.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: &Save Flash: {4064ea35-578d-4073-a834-c96d82cbcf40} - c:\program files\save flash\SaveFlash.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [SandboxieControl] "c:\program files\sandboxie\SbieCtrl.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [VTTrayp] VTTrayp.exe
mRun: [VTTimer] VTTimer.exe
mRun: [RaidTool] c:\program files\via\raid\raid_tool.exe
mRun: [CARPService] carpserv.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [Flashget] c:\program files\flashget\flashget.exe /min
dRun: [Spyware Doctor] "c:\program files\spyware doctor\swdoctor.exe" /Q
IE: &download all with flashget - c:\program files\flashget\jc_all.htm
IE: &download with flashget - c:\program files\flashget\jc_link.htm
IE: &Save Flash In This Page by Flash Saver - c:\progra~1\flashs~1\save.htm
IE: + Offline &Explorer: Download the link - file://c:\program files\offline explorer enterprise\Add_UrlO.htm
IE: + Offline E&xplorer: Download the current page - file://c:\program files\offline explorer enterprise\Add_AllO.htm
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Download with GetRight - c:\program files\getright\GRdownload.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Open with GetRight Browser - c:\program files\getright\GRbrowse.htm
IE: Save Flash - c:\program files\unh solutions\flash saving plugin\FlashSButton.dll/210
IE: Save Flash By FlashFavorite - c:\progra~1\flashf~1\FFCom.dll/IeMenu.htm
IE: Sothink SWF Catcher - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {09EA1F80-F40A-11D1-B792-444553540001} - c:\progra~1\flashs~1\save.htm
IE: {4335F0BE-9AAF-4023-9929-681B937B814A} - res://c:\progra~1\flashf~1\FFCom.dll/IeMenu.htm
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashget\FlashGet.exe
IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - {A1EDC4A1-940F-48E0-8DFD-E38F1D501021} - c:\progra~1\spywar~1\tools\iesdpb.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mic273~1\office12\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1233214893656
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: IE Component Categories cache daemon: {553858a7-4922-4e7e-b1c1-97140c1c16ef} - c:\windows\system32\ieframe.dll
LSA: Authentication Packages = msv1_0 relog_ap

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\superg~1\applic~1\mozilla\firefox\profiles\akchqqcf.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\documents and settings\supergwapo\application data\mozilla\firefox\profiles\akchqqcf.default\extensions\{fcab6fdd-5585-425b-95c1-5ed856f3fd08}\components\nsCatcher.dll
FF - component: c:\program files\mozilla firefox\components\FFComm.dll

============= SERVICES / DRIVERS ===============


============== File Associations ===============

txtfile\shell\handyhtml\command="c:\program files\silverage software\handyhtml\HandyHTM.exe" /dde

=============== Created Last 30 ================

2009-04-13 09:07 <DIR> --d----- c:\program files\Trend Micro
2009-04-13 09:05 <DIR> --d----- C:\VundoFix Backups
2009-04-13 09:03 4,898 a------- c:\windows\system32\PerfStringBackup.TMP
2009-04-12 16:04 <DIR> --d----- c:\temp\GL.39
2009-04-06 18:48 54,156 a---h--- c:\windows\QTFont.qfn
2009-04-06 18:48 1,409 a------- c:\windows\QTFont.for
2009-04-05 20:59 <DIR> --d----- c:\program files\CoreCodec
2009-04-04 17:59 <DIR> --d----- c:\program files\Combined Community Codec Pack
2009-04-04 17:58 <DIR> --d----- c:\program files\Matroska Pack
2009-04-04 01:36 <DIR> --d----- c:\program files\FlashFXP
2009-04-04 01:36 <DIR> --d----- c:\docume~1\alluse~1\applic~1\FlashFXP
2009-04-03 22:02 105,170 a------- c:\windows\system32\drivers\86a0ceeb.sys
2009-04-03 21:18 105,170 a------- c:\windows\system32\drivers\f7b73236.sys
2009-03-29 03:14 <DIR> --d----- c:\program files\CDisplay
2009-03-27 21:04 850 a------- c:\windows\system32\ProductTweaks.xml
2009-03-27 21:04 385 a------- c:\windows\system32\user_gensett.xml
2009-03-27 09:34 274 a------- c:\windows\system32\BDUpdateV1.xml
2009-03-27 07:59 121 a------- c:\windows\bdagent.INI
2009-03-27 07:48 <DIR> --d----- c:\windows\system32\logs
2009-03-27 07:48 <DIR> --d----- C:\Binaries
2009-03-27 07:48 <DIR> --d----- c:\program files\BitDefender
2009-03-26 22:00 61,491 a------- c:\windows\system32\wbemdisp.TLB
2009-03-26 22:00 <DIR> --d----- c:\program files\KLC
2009-03-26 08:37 21,504 a------- c:\windows\system32\hidserv.dll
2009-03-26 08:37 21,504 a------- c:\windows\system32\dllcache\hidserv.dll
2009-03-26 08:37 14,592 a------- c:\windows\system32\drivers\kbdhid.sys
2009-03-26 08:37 14,592 a------- c:\windows\system32\dllcache\kbdhid.sys
2009-03-20 19:38 737,280 -------- c:\windows\system32\gfpplib1.dll
2009-03-20 19:38 44,150 -------- c:\windows\system32\PrintPro.hlp
2009-03-20 19:38 1,266 -------- c:\windows\system32\PrintPro.cnt
2009-03-20 19:37 <DIR> --d----- c:\program files\Altamira Group
2009-03-18 13:04 0 a------- c:\windows\iPlayer.INI
2009-03-18 04:12 394 a------- c:\windows\capture.ini

==================== Find3M ====================

2009-04-11 11:15 1,032,192 a------- c:\windows\system32\sqlrcmd.dll
2009-04-07 01:11 2,241 a------- c:\windows\panose.bin
2009-03-11 03:45 2,516 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-03-08 17:11 39,936 a------- c:\windows\system32\drivers\CDAC11BA.EXE
2009-02-15 02:07 1,981 a------- c:\windows\win.tmp
2009-02-09 19:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 19:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2009-01-29 18:09 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-01-16 21:35 3,594,752 -------- c:\windows\system32\dllcache\mshtml.dll
2007-01-08 04:26 10,396 a------- c:\program files\uninstal.log
2007-01-08 04:25 13 ----h--- c:\docume~1\alluse~1\applic~1\UYA─31~1.SYS
2007-01-08 04:25 13 ----h--- c:\docume~1\alluse~1\applic~1\sys.sys
2007-01-08 04:25 13 ----h--- c:\docume~1\alluse~1\applic~1\─D3113.SYS
2007-01-08 04:24 75 ---shr-- c:\windows\CT4SET.BIN

============= FINISH: 10:28:44.42 ===============


I've also attached the Attach.txt
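As an added example that is not part of the original post, the following Python parses avast! detection lines in the format quoted above, groups them by detection name and type tag, and reports the filename stem every flagged file shares (here the ovfsth prefix common to the three .dll files and the .sys driver), which is the kind of grouping a responder does when deciding which files belong to one infection. The sample log is constructed from the four lines quoted in the post; the regex is written for that format only.

```python
import os
import re
from collections import defaultdict

# Constructed sample: the four avast! detection lines quoted in the post above.
SAMPLE_LOG = r"""
4/13/09 6:56:24 AM 1239576984 Cool3 4294678011 Sign of "Win32:Tdss-C [Trj]" has been found in "C:\WINDOWS\SYSTEM32\ovfsthcgypulgyxocoixexctysshbeucxnfvcu.dll" file.
4/13/09 6:56:41 AM 1239577001 Cool3 4294678011 Sign of "Win32:Tdss-C [Trj]" has been found in "C:\WINDOWS\SYSTEM32\ovfsthjawylqoxcynuefywjtvqutpxiceivkai.dll" file.
4/13/09 6:56:41 AM 1239577001 Cool3 4294678011 Sign of "Win32:Tdss-C [Trj]" has been found in "C:\WINDOWS\SYSTEM32\ovfsthlgbiemvofqmkfribltclnfxqyhkxsenv.dll" file.
4/13/09 7:22:30 AM 1239578550 Cool3 4294681683 Sign of "Win32:Alureon-G [Rtk]" has been found in "C:\WINDOWS\SYSTEM32\DRIVERS\OVFSTH.SYS" file.
"""

# One line: date, time, epoch seconds, two opaque fields, detection name with its type tag, quoted path.
LINE_RE = re.compile(
    r'^(?P<date>\S+) (?P<time>\S+ [AP]M) (?P<epoch>\d+) \S+ \d+ '
    r'Sign of "(?P<name>[^"\[]+) \[(?P<kind>[A-Za-z]+)\]" '
    r'has been found in "(?P<path>[^"]+)" file\.$'
)

def parse_avast_log(text):
    """Return one dict per detection line; lines that do not match the format are skipped."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        hit = m.groupdict()
        hit["epoch"] = int(hit["epoch"])
        # Windows paths are case-insensitive, so compare basenames in lower case.
        hit["basename"] = hit["path"].rsplit("\\", 1)[-1].lower()
        hits.append(hit)
    return hits

def group_by_family(hits):
    """Map (detection name, type tag) -> list of flagged paths."""
    families = defaultdict(list)
    for hit in hits:
        families[(hit["name"], hit["kind"])].append(hit["path"])
    return dict(families)

def shared_stem(hits):
    """Longest filename prefix (extension dropped) common to every flagged file."""
    stems = [hit["basename"].rsplit(".", 1)[0] for hit in hits]
    return os.path.commonprefix(stems)

if __name__ == "__main__":
    found = parse_avast_log(SAMPLE_LOG)
    print(group_by_family(found))
    print("shared filename stem:", shared_stem(found))
```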


#2 fenzodahl512

  • Members
  • 6,738 posts

Posted 16 April 2009 - 01:14 AM

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them after performing all steps given..

Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.
Link 1
Link 2
Link 3
Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

When finished, it shall produce a log for you. Post that log and a fresh HijackThis log in your next reply..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 fenzodahl512

  • Members
  • 6,738 posts

Posted 21 April 2009 - 10:02 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive
