
probably infected with Id08.exe


7 replies to this topic

#1 mariags

  • Members
  • 4 posts

Posted 30 May 2009 - 07:05 PM

Hi

Two days ago, I got a warning from Avast regarding malicious code ...
I didn't pay enough attention to the virus name.
I chose the option "Delete".

After the next boot the Firefox browser didn't work properly: it was trying to connect to the Internet
through a proxy (I think on port 7171).
I reconfigured Firefox to connect directly to the Internet.

I ran Task Manager and I saw something suspicious: Id08.exe
I searched for some info about Id08.exe, and I found you.
I disabled Id08.exe from running at startup (msconfig).

Right now the computer seems to be working properly, but ...
What steps should I follow to remove the malware completely (if possible)?

TIA


DDS (Ver_09-05-14.01) - NTFSx86
Run by tuma at 1:15:07,21 on 31/05/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.2.1252.34.3082.18.2047.1588 [GMT 2:00]

AV: avast! antivirus 4.8.1229 [VPS 081027-1] *On-access scanning enabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Sygate Personal Firewall *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

============== Running Processes ===============

C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Archivos de programa\Sygate\SPF\smc.exe
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\Archivos de programa\Alwil Software\Avast4\aswUpdSv.exe
C:\Archivos de programa\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Java\jre6\bin\jqs.exe
C:\Archivos de programa\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Archivos de programa\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\ARCHIV~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
svchost
D:\archprog\firefox\firefox.exe
C:\Documents and Settings\tuma\Escritorio\dds.scr
C:\WINDOWS\System32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\archivos de programa\acobe\acobat\reader\activex\AcroIEHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\archiv~1\micros~2\office12\GRA8E1~1.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\archivos de programa\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\archivos de programa\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [ATIPTA] "c:\archivos de programa\ati technologies\ati control panel\atiptaxx.exe"
mRun: [SmcService] c:\archiv~1\sygate\spf\smc.exe -startgui
mRun: [avast!] c:\archiv~1\alwils~1\avast4\ashDisp.exe
mRun: [SunJavaUpdateSched] "c:\archivos de programa\java\jre6\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\archiv~1\micros~2\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\archivos de programa\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\archiv~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\archiv~1\micros~2\office12\REFIEBAR.DLL
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
TCP: {038D02D8-71EF-44BB-8FE5-588C9848400C} = 80.58.61.250,80.58.61.254
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\archiv~1\micros~2\office12\GR99D3~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\archiv~1\micros~2\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\tuma\datosd~1\mozilla\firefox\profiles\nd7bbv9c.default\
FF - prefs.js: browser.startup.homepage - www.google.com

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-10-28 78416]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-10-28 20560]
R2 avast! Antivirus;avast! Antivirus;c:\archivos de programa\alwil software\avast4\ashServ.exe [2007-2-16 147640]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\archivos de programa\alwil software\avast4\ashMaiSv.exe [2007-2-16 250040]
S3 avast! Web Scanner;avast! Web Scanner;c:\archivos de programa\alwil software\avast4\ashWebSv.exe [2007-2-16 348344]
S3 DIBLOAD2;Digital TV firmware loader(Type 2);c:\windows\system32\drivers\dgtvload2.sys [2007-2-2 17123]
S3 MODUSB;Digital TV DVB-T USB adapter driver;c:\windows\system32\drivers\dgtvcap.sys [2007-2-2 16312]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-6-29 42512]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;d:\archprog\vs8\common7\ide\remote debugger\x86\msvsmon.exe [2005-9-23 2799808]
S4 vsdatant;vsdatant; [x]

=============== Created Last 30 ================

2009-05-29 17:51 1 a------- c:\windows\9g2234wesdf3dfgjf23
2009-05-29 17:51 2 ----h--- c:\windows\sonce122730.dat
2009-05-27 05:55 14,848 ----h--- c:\windows\ld08.exe

==================== Find3M ====================

2009-04-20 20:22 410,984 a------- c:\windows\system32\deploytk.dll
2009-04-20 20:19 607,640 a------- C:\jre-6u13-windows-i586-p-iftw.exe
2009-03-29 06:53 499,698 a------- c:\windows\system32\perfh00A.dat
2009-03-29 06:53 499,328 a------- c:\windows\system32\perfh0c0.dat
2009-03-29 06:53 93,994 a------- c:\windows\system32\perfc00A.dat
2009-03-29 06:53 93,864 a------- c:\windows\system32\perfc0c0.dat
2009-02-13 00:21 36,864 a------- c:\documents and settings\tuma\sbsrwp.exe
2009-02-13 00:16 36,864 a------- c:\documents and settings\tuma\qnfh4s.exe

============= FINISH: 1:15:36,81 ===============



#2 shelf life

  • Malware Response Team
  • 2,648 posts

Posted 10 June 2009 - 07:58 PM

hi,

Sorry for the delay, no shortage of posters. If you still need help you can reply to my post.

FYI:
Sygate firewall is no longer being developed/updated. I would get another software firewall.

How Can I Reduce My Risk to Malware?


#3 mariags

  • Topic Starter
  • Members
  • 4 posts

Posted 11 June 2009 - 01:19 AM

Computer tries to connect to verringo.cn and some other locations at startup.

Some random errors occur at startup

Still waiting for help.

TIA

#4 shelf life

  • Malware Response Team
  • 2,648 posts

Posted 11 June 2009 - 05:03 PM

hi,

ok, we will start with Malwarebytes. Link and directions:

Please download Malwarebytes' Anti-Malware (MBAM) to your desktop:

http://www.malwarebytes.org/mbam.php

Double-click mbam-setup.exe and follow the prompts to install the program.

Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, select Perform FULL SCAN, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click **Remove Selected.**

**A restart of your computer most likely will be required to remove some items.**

When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt

Please post the MBAM log in your reply.

How Can I Reduce My Risk to Malware?


#5 mariags

  • Topic Starter
  • Members
  • 4 posts

Posted 12 June 2009 - 04:02 PM

Hi,

Malwarebytes scan performed. MBAM log below:

====== log start =======
Malwarebytes' Anti-Malware 1.37
Database version: 2267
Windows 5.1.2600 Service Pack 2

12/06/2009 22:47:43
mbam-log-2009-06-12 (22-47-43).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 331322
Time elapsed: 42 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 5
Folders Infected: 2
Files Infected: 39

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (c:\windows\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\twain_32 (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec (Stolen.data) -> Delete on reboot.

Files Infected:
c:\documents and settings\tuma\configuración local\myrkna.mbf (Trojan.Gumblar) -> Quarantined and deleted successfully.
c:\documents and settings\tuma\configuración local\archivos temporales de internet\Content.IE5\L57C1T3J\g9l8[1].exe (Worm.Autorun) -> Quarantined and deleted successfully.
c:\documents and settings\tuma\configuración local\archivos temporales de internet\Content.IE5\L57C1T3J\nfr[1].exe (Trojan.Proxy) -> Quarantined and deleted successfully.
c:\documents and settings\tuma\configuración local\archivos temporales de internet\Content.IE5\SN45MAX0\pp.10[1].exe (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\documents and settings\tuma\configuración local\archivos temporales de internet\Content.IE5\ZE64D8D9\pipo[1] (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\tuma\configuración local\archivos temporales de internet\Content.IE5\ZE64D8D9\6244[1].exe (Worm.Koobface) -> Quarantined and deleted successfully.
c:\documents and settings\tuma\configuración local\Temp\~TM7.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\system volume information\_restore{40a48602-2ce7-4adc-9a92-89b25f726936}\RP833\A0075185.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\system volume information\_restore{40a48602-2ce7-4adc-9a92-89b25f726936}\RP837\A0076342.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\system volume information\_restore{40a48602-2ce7-4adc-9a92-89b25f726936}\RP837\A0076343.exe (Trojan.Proxy) -> Quarantined and deleted successfully.
c:\system volume information\_restore{40a48602-2ce7-4adc-9a92-89b25f726936}\RP837\A0076344.dll (Worm.Koobface) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\wbem\grpconv.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\wbem\proquota.exe (Trojan.Agent) -> Quarantined and deleted successfully.
d:\archprog\firefox\a.exe (Trojan.Agent) -> Quarantined and deleted successfully.
d:\incomenous\books\nueva carpeta\cadifra.uml.editor.v1.3.1\cadifra.uml.editor.v1.3.1\nfoviewer.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\twain_32\local.ds (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\twain_32\user.ds (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\windows\system32\lowsec\local.ds (Stolen.data) -> Delete on reboot.
c:\windows\system32\lowsec\user.ds (Stolen.data) -> Delete on reboot.
C:\WINDOWS\ld08.exe (Worm.Koobface) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\5rqu2F.syz (Trojan.Agent) -> Delete on reboot.
c:\WINDOWS\system32\Gz1Nh6.syz (Trojan.Agent) -> Delete on reboot.
c:\WINDOWS\system32\jXCVni.syz (Trojan.Agent) -> Delete on reboot.
c:\WINDOWS\system32\rG7V0j.syz (Trojan.Agent) -> Delete on reboot.
c:\WINDOWS\system32\x9QsyS.syz (Trojan.Agent) -> Delete on reboot.
c:\WINDOWS\Temp\wpv151242735314.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\wpv671240213447.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\wpv931243751817.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\twext.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> Delete on reboot.
c:\documents and settings\tuma\Favoritos\Cheap Pharmacy Online.url (Rogue.Link) -> Quarantined and deleted successfully.
c:\documents and settings\tuma\Menú Inicio\Cheap Pharmacy Online.url (Rogue.Link) -> Quarantined and deleted successfully.
c:\documents and settings\tuma\Favoritos\Search Online.url (Rogue.Link) -> Quarantined and deleted successfully.
c:\documents and settings\tuma\Menú Inicio\Search Online.url (Rogue.Link) -> Quarantined and deleted successfully.
c:\documents and settings\tuma\Favoritos\VIP Casino.url (Rogue.Link) -> Quarantined and deleted successfully.
c:\documents and settings\tuma\Menú Inicio\VIP Casino.url (Rogue.Link) -> Quarantined and deleted successfully.
c:\WINDOWS\9g2234wesdf3dfgjf23 (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\WINDOWS\sonce122730.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\documents and settings\tuma\Datos de programa\wiaserva.log (Malware.Trace) -> Quarantined and deleted successfully.
====== log end ===========

TIA
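The two indicators that matter most in the logs above are the Winlogon Userinit value carrying a second program after userinit.exe (post #1, confirmed by the Hijack.Userinit line in post #5) and the MBAM items marked "Delete on reboot", which are not gone until the restart the helper asked for. The parser below is an added example, not code from this thread, from DDS or from Malwarebytes; the sample lines are constructed to mirror the thread's log formats, and the "one program only" rule for Userinit is the baseline MBAM's own Good: (Userinit.exe) entry states.

```python
import re
from collections import Counter

# Constructed sample modelled on the DDS "Pseudo HJT" section quoted in post #1.
SAMPLE_DDS = r"""
uStart Page = about:blank
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
"""

# Constructed sample modelled on the MBAM result lines quoted in post #5.
SAMPLE_MBAM = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (c:\windows\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.
c:\windows\system32\lowsec\user.ds (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\ld08.exe (Worm.Koobface) -> Quarantined and deleted successfully.
"""

USERINIT_RE = re.compile(r"^mWinlogon:\s*Userinit=(.*)$", re.M | re.I)
# item (Classification) -> rest of line; the first " (" on an MBAM line opens the classification.
MBAM_RE = re.compile(r"^(?P<item>.+?) \((?P<class>[\w.]+)\) -> (?P<rest>.+)$", re.M)


def userinit_entries(dds_text):
    """Split the Winlogon Userinit value into its comma-separated programs."""
    m = USERINIT_RE.search(dds_text)
    if not m:
        return []
    return [e.strip() for e in m.group(1).split(",") if e.strip()]


def unexpected_userinit(dds_text):
    """Windows runs only userinit.exe from this value (the trailing comma is stock).
    Any additional program listed here is a persistence hijack candidate."""
    return [e for e in userinit_entries(dds_text)
            if e.lower().rsplit("\\", 1)[-1] != "userinit.exe"]


def summarize_mbam(mbam_text):
    """Count detections per classification and list items still pending a reboot."""
    by_class = Counter()
    pending = []
    for m in MBAM_RE.finditer(mbam_text):
        by_class[m["class"]] += 1
        if "Delete on reboot" in m["rest"]:
            pending.append(m["item"])
    return by_class, pending


if __name__ == "__main__":
    print("Unexpected Userinit entries:", unexpected_userinit(SAMPLE_DDS))
    classes, pending = summarize_mbam(SAMPLE_MBAM)
    print("Detections by class:", dict(classes))
    print("Still pending reboot:", pending)
```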

#6 shelf life

  • Malware Response Team
  • 2,648 posts

Posted 12 June 2009 - 08:04 PM

hi,

ok. good. Must be looking better now on your end? Check MBAM for updates and run it once more for good measure.

How Can I Reduce My Risk to Malware?


#7 mariags

  • Topic Starter
  • Members
  • 4 posts

Posted 14 June 2009 - 11:26 AM

Hi,

Second scan performed successfully.

Additional scans have been performed on removable drives. One file infected, but successfully deleted.

Everything seems to be working properly.

Should I take some further steps?

TIA

#8 shelf life

  • Malware Response Team
  • 2,648 posts

Posted 14 June 2009 - 07:08 PM

hi,

ok, good. You had quite a load, so we will get another look for any more possible malware using ComboFix. There is a guide to read first. Read the guide, download ComboFix to your desktop, disable any AV/anti-malware as explained in the guide, double-click the ComboFix icon and follow the prompts. Post the log in your reply.

the guide:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

How Can I Reduce My Risk to Malware?
