
Win32.TDSS.rtk and Rootkit.Trace and probably others


16 replies to this topic

#1 chakakhan

chakakhan

  • Members
  • 9 posts
  • OFFLINE
  • Local time:04:44 AM

Posted 18 June 2009 - 09:01 PM

Hello. Tried to deal with this myself but I'm stuck. Night before last I had a bunch of tabs open in Firefox and then the window started jumping around, wouldn't let me close it/mouse over it. Then Firefox crashed. A new Windows background appeared with a whole paragraph (badly typed in broken English) stating that my computer was now infected with spyware, but surprisingly with no 'helpful' link for how to 'remove' it. I tried running Spybot SD, but it wouldn't open. Same thing with Malwarebytes. I tried running a Panda Active Scan; it gets to about 8%, then flies through the rest of the hard drive in a few seconds and says I'm "not infected." When I search for anything in Google - either in Firefox or IE (which I normally never use) - almost all of the links redirect me to strange ad sites. I can type addresses into the bar but not use any links from search engines. Computer is running really slow and sometimes the fan sounds like it's going to take off.

I tried running AVG Antivirus and it came up clean. I tried installing and running multiple antivirus/antispyware programs (Avira Antivir, Trendmicro Housecall, Exterminate It!), all of which would find lots of junk, but not get rid of it (always the same problem after a restart). I changed the names of the .exe files for both Spybot SD (added some numbers) and Malwarebytes ('anti failware') and was able to make them work. I updated them both, ran them both, they both keep finding instances of Win32.TDSS.rtk and Rootkit.Trace (along with other stuff) and say that they are deleting them, I can see the deletion happening on reboot, but then I still have the same issues and if I scan again, the same problems come up. I tried looking at an HJT log myself, but couldn't find anything obvious that jumped out at me. I tried using Killbox to manually delete the files that Malwarebytes and Spybot are pointing to, it deleted them on reboot, but the issues are still in place.

Basically I've tried a whole lot of stuff in the past 36 hours and nothing has worked. I'm handing this one over to the experts! Any help would be extremely appreciated!

While I ran the DDS log I got an error message two times stating "Sort Utility encountered a problem and needs to close."??? Anyway, here is the DDS log:

DDS (Ver_09-05-14.01) - NTFSx86
Run by Charles Townsend at 18:15:26.62 on Thu 06/18/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3454.2612 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

G:\WINDOWS\system32\Ati2evxx.exe
G:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
G:\WINDOWS\System32\svchost.exe -k netsvcs
G:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
G:\WINDOWS\system32\spoolsv.exe
svchost.exe
G:\WINDOWS\Explorer.EXE
G:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
G:\Program Files\Java\jre6\bin\jqs.exe
G:\PROGRA~1\AVG\AVG8\avgrsx.exe
G:\Program Files\M-Audio\Ozone\Install\ozinst.exe
G:\WINDOWS\System32\svchost.exe -k imgsvc
G:\WINDOWS\RTHDCPL.EXE
G:\PROGRA~1\AVG\AVG8\avgtray.exe
G:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
G:\Program Files\Brownie\BrstsWnd.exe
G:\WINDOWS\System32\M-AudioTaskBarIcon.exe
G:\WINDOWS\system32\ctfmon.exe
G:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
G:\Program Files\OpenOffice.org 2.4\program\soffice.exe
G:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
G:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
G:\Program Files\Brownie\brpjp04a.exe
G:\Program Files\Mozilla Firefox\firefox.exe
G:\Documents and Settings\Charles Townsend\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://webmail.ucr.edu/
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - g:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - g:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - g:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - g:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - g:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - g:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [CTFMON.EXE] g:\windows\system32\ctfmon.exe
uRun: [<NO NAME>]
uRun: [SpybotSD TeaTimer] g:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AVG8_TRAY] g:\progra~1\avg\avg8\avgtray.exe
mRun: [NeroFilterCheck] g:\windows\system32\NeroCheck.exe
mRun: [Acrobat Assistant 8.0] "g:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [BrStsWnd] g:\program files\brownie\BrstsWnd.exe Autorun
mRun: [M-Audio Taskbar Icon] g:\windows\system32\M-AudioTaskBarIcon.exe
dRun: [CTFMON.EXE] g:\windows\system32\CTFMON.EXE
StartupFolder: g:\docume~1\charle~1\startm~1\programs\startup\openof~1.lnk - g:\program files\openoffice.org 2.4\program\quickstart.exe
IE: Append to existing PDF - g:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - g:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - g:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - g:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - g:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - g:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - g:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - g:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: {1F958B09-6612-7a0e-9223-4C7324C57B23} - g:\program files\webpage capture\Webpage Capture.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - g:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - g:\progra~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://g:\windows\java\classes\xmldso.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1216381608576
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - g:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli g:\windows\system32\fenefezu.dll g:\windows\system32\wuvotifa.dll

================= FIREFOX ===================

FF - ProfilePath - g:\docume~1\charle~1\applic~1\mozilla\firefox\profiles\6nhnclfa.default\
FF - prefs.js: browser.startup.homepage - webmail.ucr.edu
FF - plugin: g:\documents and settings\charles townsend\application data\mozilla\firefox\profiles\6nhnclfa.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;g:\windows\system32\drivers\pavboot.sys [2009-1-1 28544]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;g:\windows\system32\drivers\avgldx86.sys [2008-7-18 325896]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;g:\windows\system32\drivers\avgmfx86.sys [2008-7-18 27784]
R2 avg8wd;AVG Free8 WatchDog;g:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-27 298776]
RUnknown fcvkv;fcvkv; [x]
S3 ma763008;M-Audio Ozone;g:\windows\system32\drivers\MA763008.sys [2009-2-10 63872]
S3 MADFU008;MADFU008;g:\windows\system32\drivers\MADFU008.sys [2009-2-10 14336]
S3 USBNZ1X1;M-Audio Ozone Midi;g:\windows\system32\drivers\usbnz1x1.sys [2009-2-10 22272]

=============== Created Last 30 ================

2009-06-18 13:15 <DIR> --d----- g:\program files\Anti Failware
2009-06-18 11:59 <DIR> --d----- G:\!KillBox
2009-06-17 23:26 1,071,088 a------- g:\windows\system32\MSCOMCTL.OCX
2009-06-17 23:26 118,784 a------- g:\windows\system32\MSSTDFMT.DLL
2009-06-17 23:03 0 a------- g:\windows\ativpsrm.bin
2009-06-17 23:02 593,920 -------- g:\windows\system32\ati2sgag.exe
2009-06-17 22:52 <DIR> --d----- G:\ATI
2009-06-17 21:38 <DIR> --d----- g:\program files\Trend Micro
2009-06-17 20:14 <DIR> --d----- g:\program files\Exterminate It!
2009-06-17 17:00 5,493 a------- g:\windows\wininit.ini
2009-06-17 14:33 55,640 a------- g:\windows\system32\drivers\avgntflt.sys
2009-06-17 14:28 161,792 a------- g:\windows\SWREG.exe
2009-06-17 14:28 155,136 a------- g:\windows\PEV.exe
2009-06-17 14:28 98,816 a------- g:\windows\sed.exe
2009-06-17 14:27 <DIR> --ds---- G:\ComboFix1234
2009-06-17 14:27 389,120 a------- g:\windows\system32\CF31833.exe
2009-06-17 06:34 <DIR> --d----- g:\windows\pss
2009-06-17 05:22 102,664 a------- g:\windows\system32\drivers\tmcomm.sys
2009-06-17 05:22 <DIR> --d----- g:\documents and settings\charles townsend\.housecall6.6
2009-06-03 01:25 <DIR> --d----- g:\docume~1\alluse~1\applic~1\PIXELA
2009-06-03 01:20 <DIR> --d----- g:\program files\PIXELA
2009-05-21 23:09 1,089,593 -c------ g:\windows\system32\dllcache\ntprint.cat
2009-05-21 17:40 <DIR> --d----- g:\program files\Microsoft SQL Server
2009-05-21 17:37 <DIR> --d----- g:\program files\Microsoft Web Designer Tools
2009-05-21 17:34 <DIR> --d----- g:\windows\SxsCaPendDel

==================== Find3M ====================

2009-06-17 11:27 38,160 a------- g:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 11:27 19,096 a------- g:\windows\system32\drivers\mbam.sys
2009-05-08 12:24 325,896 a------- g:\windows\system32\drivers\avgldx86.sys
2009-05-08 12:24 11,952 a------- g:\windows\system32\avgrsstx.dll
2009-05-07 08:32 345,600 a------- g:\windows\system32\localspl.dll
2009-04-28 21:46 666,624 a------- g:\windows\system32\wininet.dll
2009-04-28 21:46 81,920 -------- g:\windows\system32\ieencode.dll
2009-04-17 05:26 1,847,168 a------- g:\windows\system32\win32k.sys
2009-04-15 07:51 585,216 a------- g:\windows\system32\rpcrt4.dll
2008-08-27 18:20 87,608 ac------ g:\docume~1\charle~1\applic~1\inst.exe
2008-08-27 18:20 47,360 ac------ g:\docume~1\charle~1\applic~1\pcouffin.sys

============= FINISH: 18:16:52.93 ===============



#2 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,173 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:07:44 AM

Posted 19 June 2009 - 01:32 AM

Hi, chakakhan

Welcome.

Download This file. Note its name and save it to your root folder, such as G:\.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.

Edited by JSntgRvr, 19 June 2009 - 01:33 AM.

No requests for help through private messaging will be attended to.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 chakakhan

chakakhan
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:04:44 AM

Posted 19 June 2009 - 02:57 PM

Hi, that was a quick reply, thanks so much! I forgot to mention that when all of this first started, it messed with my ATI Catalyst Control Center so that it displayed an error message on startup. I uninstalled Catalyst Control Center and reinstalled just the ATI driver. Don't know if that adds any pieces to the puzzle. Thank you very much for your help. Here is my GMER log:

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-19 12:45:45
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

Code 8A63ECCE ZwEnumerateKey
Code 8A88044E ZwFlushInstructionCache
Code 8AD5E655 IofCallDriver
Code 8A8A6BDD IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCallDriver 804EF1A6 5 Bytes JMP 8AD5E65A
.text ntkrnlpa.exe!IofCompleteRequest 804EF236 5 Bytes JMP 8A8A6BE2
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805B6812 5 Bytes JMP 8A880452
PAGE ntkrnlpa.exe!ZwEnumerateKey 80623FF0 4 Bytes JMP 8A63ECD2

---- User code sections - GMER 1.0.15 ----

.text G:\WINDOWS\Explorer.EXE[208] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00A5000A
.text G:\WINDOWS\RTHDCPL.EXE[540] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 019F000A
.text G:\WINDOWS\system32\ctfmon.exe[568] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0138000A
.text G:\Program Files\Brownie\BrstsWnd.exe[580] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 014E000A
.text G:\WINDOWS\System32\M-AudioTaskBarIcon.exe[592] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 013F000A
.text ...

---- Services - GMER 1.0.15 ----

Service G:\WINDOWS\system32\drivers\SKYNETswyvhtvb.sys (*** hidden *** ) [SYSTEM] SKYNETjkcpxnmj <-- ROOTKIT !!!
Service G:\WINDOWS\system32\drivers\UACuhabgodpskmxjqr.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjkcpxnmj
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjkcpxnmj@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjkcpxnmj@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjkcpxnmj@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjkcpxnmj@imagepath \systemroot\system32\drivers\SKYNETswyvhtvb.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjkcpxnmj\main
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjkcpxnmj\main@aid 10002
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjkcpxnmj\main@sid 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjkcpxnmj\main@cmddelay 7200
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjkcpxnmj\main\delete
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjkcpxnmj\main\injector
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjkcpxnmj\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjkcpxnmj\main\tasks
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjkcpxnmj\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjkcpxnmj\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETswyvhtvb.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjkcpxnmj\modules@SKYNETcmd.dll \systemroot\system32\SKYNETailulbfj.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjkcpxnmj\modules@SKYNETlog.dat \systemroot\system32\SKYNETgalcdqcr.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjkcpxnmj\modules@SKYNETwsp.dll \systemroot\system32\SKYNETnldvhffn.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjkcpxnmj\modules@SKYNET.dat \systemroot\system32\SKYNETypaqitbl.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACuhabgodpskmxjqr.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACuhabgodpskmxjqr.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACdhxmkmlkyxvqtii.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACxiwsvwpaxqmodep.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uaclog \\?\globalroot\systemroot\system32\UACxrtuyaatoypuoym.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacmask \\?\globalroot\systemroot\system32\UACnsocjduwvjwgowx.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACtyojhyafritlmsn.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacmal \\?\globalroot\systemroot\system32\UACnognvexwkmlwmmx.db
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacrem \\?\globalroot\systemroot\system32\UACwhwnrnsccrqdxda.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACamnwmwadekgpgvo.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACproc \\?\globalroot\systemroot\system32\UACyedrsqlcgdappjc.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacurls \\?\globalroot\systemroot\system32\UACdnonotpppkegltf.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacerrors \\?\globalroot\systemroot\system32\UAChjetkhfdlpdfmwg.log
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETjkcpxnmj
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETjkcpxnmj@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETjkcpxnmj@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETjkcpxnmj@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETjkcpxnmj@imagepath \systemroot\system32\drivers\SKYNETswyvhtvb.sys
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETjkcpxnmj\main
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETjkcpxnmj\main@aid 10002
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETjkcpxnmj\main@sid 0
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETjkcpxnmj\main@cmddelay 7200
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETjkcpxnmj\main\delete
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETjkcpxnmj\main\injector
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETjkcpxnmj\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETjkcpxnmj\main\tasks
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETjkcpxnmj\modules
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETjkcpxnmj\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETswyvhtvb.sys
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETjkcpxnmj\modules@SKYNETcmd.dll \systemroot\system32\SKYNETailulbfj.dll
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETjkcpxnmj\modules@SKYNETlog.dat \systemroot\system32\SKYNETgalcdqcr.dat
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETjkcpxnmj\modules@SKYNETwsp.dll \systemroot\system32\SKYNETnldvhffn.dll
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETjkcpxnmj\modules@SKYNET.dat \systemroot\system32\SKYNETypaqitbl.dat
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACuhabgodpskmxjqr.sys
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACuhabgodpskmxjqr.sys
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACdhxmkmlkyxvqtii.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACxiwsvwpaxqmodep.dat
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uaclog \\?\globalroot\systemroot\system32\UACxrtuyaatoypuoym.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacmask \\?\globalroot\systemroot\system32\UACnsocjduwvjwgowx.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACtyojhyafritlmsn.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacmal \\?\globalroot\systemroot\system32\UACnognvexwkmlwmmx.db
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacrem \\?\globalroot\systemroot\system32\UACwhwnrnsccrqdxda.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACamnwmwadekgpgvo.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACproc \\?\globalroot\systemroot\system32\UACyedrsqlcgdappjc.log
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacurls \\?\globalroot\systemroot\system32\UACdnonotpppkegltf.log
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacerrors \\?\globalroot\systemroot\system32\UAChjetkhfdlpdfmwg.log
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs G:\WINDOWS\system32\avgrsstx.dll

---- Files - GMER 1.0.15 ----

File G:\!KillBox\UACuhabgodpskmxjqr.sys 51712 bytes executable
File G:\!KillBox\UACuhabgodpskmxjqr.sys( 1) 51712 bytes executable
File G:\!KillBox\UACuhabgodpskmxjqr.sys( 2) 51712 bytes executable
File G:\Documents and Settings\Charles Townsend\Local Settings\Temp\SKYNETevmuwjxvdu.tmp 5652 bytes
File G:\Documents and Settings\Charles Townsend\Local Settings\Temp\UAC3ddc.tmp 343040 bytes executable
File G:\WINDOWS\system32\drivers\UACqjrvpppynmdcxjb.sys 53760 bytes executable
File G:\WINDOWS\system32\drivers\UACuhabgodpskmxjqr.sys 51712 bytes executable <-- ROOTKIT !!!
File G:\WINDOWS\system32\drivers\SKYNETswyvhtvb.sys 68608 bytes executable <-- ROOTKIT !!!
File G:\WINDOWS\system32\SKYNETailulbfj.dll 43008 bytes executable
File G:\WINDOWS\system32\SKYNETgalcdqcr.dat 56260 bytes
File G:\WINDOWS\system32\SKYNETnldvhffn.dll 19456 bytes executable
File G:\WINDOWS\system32\UACamnwmwadekgpgvo.dll 66560 bytes
File G:\WINDOWS\system32\UACdhxmkmlkyxvqtii.dll 23552 bytes executable
File G:\WINDOWS\system32\UACgrqlfypulkyxbxt.dll 25600 bytes executable
File G:\WINDOWS\system32\UACnognvexwkmlwmmx.db 1110399 bytes
File G:\WINDOWS\system32\UACnsocjduwvjwgowx.dll 17408 bytes executable
File G:\WINDOWS\system32\UACtyojhyafritlmsn.dll 19456 bytes executable
File G:\WINDOWS\system32\UACwhwnrnsccrqdxda.dll 30208 bytes executable
File G:\WINDOWS\system32\UACxiwsvwpaxqmodep.dat 224 bytes
File G:\WINDOWS\system32\UACxrtuyaatoypuoym.dll 19968 bytes executable
File G:\WINDOWS\system32\UACyedrsqlcgdappjc.log 50390 bytes
File G:\WINDOWS\Temp\SKYNETnneeyryexe.tmp 20992 bytes executable
File G:\WINDOWS\Temp\SKYNEToixtytkrtf.tmp 20992 bytes executable
File G:\WINDOWS\Temp\SKYNETpdfxpxhwei.tmp 20992 bytes executable
File G:\WINDOWS\Temp\SKYNETqctrxtfgbq.tmp 20992 bytes executable
File G:\WINDOWS\Temp\SKYNETqfuumdrgkc.tmp 20992 bytes executable
File G:\WINDOWS\Temp\SKYNETqpaxkdlufx.tmp 20992 bytes executable
File G:\WINDOWS\Temp\SKYNETqptrnsideo.tmp 20992 bytes executable
File G:\WINDOWS\Temp\SKYNETqxgnbdqcxq.tmp 20992 bytes executable
File G:\WINDOWS\Temp\SKYNETrvmtvpfpjr.tmp 20992 bytes executable
File G:\WINDOWS\Temp\SKYNETtexnseectq.tmp 20992 bytes executable
File G:\WINDOWS\Temp\SKYNETvbcttedwqe.tmp 20992 bytes executable
File G:\WINDOWS\Temp\SKYNETvcrmibncri.tmp 20992 bytes executable
File G:\WINDOWS\Temp\SKYNETvfppqxxxqu.tmp 20992 bytes executable
File G:\WINDOWS\Temp\SKYNETwpshpfdmxr.tmp 20992 bytes executable
File G:\WINDOWS\Temp\SKYNETxegnwodqph.tmp 20992 bytes executable
File G:\WINDOWS\Temp\SKYNETxtuspvlnrt.tmp 20992 bytes executable
File G:\WINDOWS\Temp\SKYNETyfwossmbci.tmp 20992 bytes executable
File G:\WINDOWS\Temp\UAC5e96.tmp 66560 bytes
File G:\WINDOWS\Temp\SKYNETagbtrsioyt.tmp 20992 bytes executable
File G:\WINDOWS\Temp\SKYNETaxvpfhwfpu.tmp 20992 bytes executable
File G:\WINDOWS\Temp\SKYNETbdddrrpqvs.tmp 20992 bytes executable
File G:\WINDOWS\Temp\SKYNETbwunilmybu.tmp 20992 bytes executable
File G:\WINDOWS\Temp\SKYNETcaxpwsvsos.tmp 20992 bytes executable
File G:\WINDOWS\Temp\SKYNETcxpnwbwuyc.tmp 20992 bytes executable
File G:\WINDOWS\Temp\SKYNETensekxwhos.tmp 20992 bytes executable
File G:\WINDOWS\Temp\SKYNETerqwbuypeq.tmp 20992 bytes executable
File G:\WINDOWS\Temp\SKYNETewtplxpwdi.tmp 20992 bytes executable
File G:\WINDOWS\Temp\SKYNETffvnufgsck.tmp 20992 bytes executable
File G:\WINDOWS\Temp\SKYNETfodumbttpp.tmp 20992 bytes executable
File G:\WINDOWS\Temp\SKYNETgceahnsxnj.tmp 20992 bytes executable
File G:\WINDOWS\Temp\SKYNEThpjkficlnp.tmp 20992 bytes executable
File G:\WINDOWS\Temp\SKYNEThtibpmqjpw.tmp 20992 bytes executable
File G:\WINDOWS\Temp\SKYNETjkpbpkrnsk.tmp 20992 bytes executable
File G:\WINDOWS\Temp\SKYNETkqnicjytlx.tmp 20992 bytes executable
File G:\WINDOWS\Temp\SKYNETmguicngtrx.tmp 20992 bytes executable
File G:\WINDOWS\Temp\SKYNETnbvjthceix.tmp 20992 bytes executable

---- EOF - GMER 1.0.15 ----
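
As an added example (not GMER's code and not posted by anyone in this thread), a Python triage script that parses the section layout of a GMER log like the one above and corroborates each service GMER reports as hidden against the Registry and Files sections. SAMPLE_LOG, the regular expressions and the function names are this example's own; the sample lines are copied from the log posted above.

```python
# Added example, not GMER's own code: parse the sections of a GMER log and
# corroborate each hidden service it reports against the Registry and Files
# sections. SAMPLE_LOG is constructed from lines copied from the log above.
import ntpath  # splits backslash paths correctly on any host OS
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
HOOK_RE = re.compile(
    r"^(?:\.text|PAGE|INIT)\s+(?P<module>[^!\s]+)!(?P<export>\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<n>\d+) Bytes\s+(?P<patch>.+)$")
SERVICE_RE = re.compile(
    r"^Service (?P<image>.+?) \((?P<flags>[^)]*)\) \[(?P<start>[^\]]+)\] "
    r"(?P<name>\S+)(?P<tag>.*)$")
FILE_RE = re.compile(r"^File (?P<path>.+?) (?P<size>\d+) bytes(?P<rest>.*)$")
SERVICES_KEY = "HKLM\\SYSTEM\\CurrentControlSet\\Services\\"
WINDOWS_KEY = "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows"

SAMPLE_LOG = r"""
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!IofCallDriver 804EF1A6 5 Bytes JMP 8AD5E65A
.text ntkrnlpa.exe!IofCompleteRequest 804EF236 5 Bytes JMP 8A8A6BE2
---- Services - GMER 1.0.15 ----
Service G:\WINDOWS\system32\drivers\SKYNETswyvhtvb.sys (*** hidden *** ) [SYSTEM] SKYNETjkcpxnmj <-- ROOTKIT !!!
Service G:\WINDOWS\system32\drivers\UACuhabgodpskmxjqr.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjkcpxnmj@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETjkcpxnmj@imagepath \systemroot\system32\drivers\SKYNETswyvhtvb.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACuhabgodpskmxjqr.sys
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs G:\WINDOWS\system32\avgrsstx.dll
---- Files - GMER 1.0.15 ----
File G:\WINDOWS\system32\drivers\UACuhabgodpskmxjqr.sys 51712 bytes executable <-- ROOTKIT !!!
File G:\WINDOWS\system32\drivers\SKYNETswyvhtvb.sys 68608 bytes executable <-- ROOTKIT !!!
File G:\WINDOWS\system32\SKYNETailulbfj.dll 43008 bytes executable
---- EOF - GMER 1.0.15 ----
"""

def parse_gmer(text):
    """Group the non-blank lines of a GMER log under their section names."""
    sections, current = defaultdict(list), None
    for line in (raw.strip() for raw in text.splitlines()):
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
        elif line and current:
            sections[current].append(line)
    return sections

def kernel_hooks(sections):
    """(module, export, patch) for each inline patch GMER saw on a kernel export."""
    return [(m["module"], m["export"], m["patch"])
            for m in map(HOOK_RE.match, sections.get("Kernel code sections", []))
            if m]

def hidden_services(sections):
    """Services GMER only found by bypassing the service control manager."""
    return [{"name": m["name"], "image": m["image"],
             "flagged": "ROOTKIT" in m["tag"]}
            for m in map(SERVICE_RE.match, sections.get("Services", []))
            if m and "hidden" in m["flags"]]

def registry_values(sections):
    """(key, value name in lower case) -> data for Reg lines carrying a value.
    GMER separates key and value with '@'; keys may contain spaces."""
    values = {}
    for line in sections.get("Registry", []):
        key, sep, rest = line[len("Reg "):].partition("@")
        if sep:
            name, _, data = rest.partition(" ")
            values[(key, name.lower())] = data
    return values

def flagged_files(sections):
    """path -> {size, flagged} for every File line."""
    return {m["path"]: {"size": int(m["size"]), "flagged": "ROOTKIT" in m["rest"]}
            for m in map(FILE_RE.match, sections.get("Files", [])) if m}

def corroborate(sections):
    """A hidden service is confirmed when its registry ImagePath names a driver
    the Files section also tags as ROOTKIT: three independent views agree."""
    reg, files = registry_values(sections), flagged_files(sections)
    report = []
    for svc in hidden_services(sections):
        image = reg.get((SERVICES_KEY + svc["name"], "imagepath"), "")
        base = ntpath.basename(image).lower()
        on_disk = [p for p, f in files.items()
                   if f["flagged"] and ntpath.basename(p).lower() == base]
        report.append({"service": svc["name"], "registry_image": image,
                       "confirmed": bool(image) and bool(on_disk)})
    return report

def triage(text):
    """Everything a responder reads first, as one dictionary."""
    sections = parse_gmer(text)
    return {"kernel_hooks": kernel_hooks(sections),
            "hidden_services": corroborate(sections),
            "appinit_dlls": registry_values(sections).get(
                (WINDOWS_KEY, "appinit_dlls"), "")}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```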

#4 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,173 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:07:44 AM

Posted 19 June 2009 - 10:16 PM

Hi, chakakhan

Seems that you attempted to run Combofix. We will run an application that will hopefully allow Combofix to handle this infection.

Please read and follow all these instructions very carefully

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
Download the enclosed folder. [attachment=23442:XUAC_Fix.zip] Save and extract its contents to the desktop. Once extracted, open the folder and click on the RunMe.bat. The MSDOS window will be displayed and the computer will restart. Upon restart, continue as follows:
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • If you receive a message that Combofix has detected the presence of rootkit activity and needs to reboot, kindly write down on paper the list of files present in the message before continuing, and post it in your next reply.
  • Install the Recovery Console upon request.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouse-click Combofix's window while it's running. That may cause it to stall**

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.

Edited by JSntgRvr, 19 June 2009 - 10:34 PM.



#5 chakakhan

chakakhan
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:04:44 AM

Posted 20 June 2009 - 01:31 AM

Hi JSntgRvr. Thanks again for the quick responses. I followed all of your instructions carefully. Combofix did find rootkit activity, and it restarted the computer. These are the files that it pointed to:

G:\WINDOWS\System32\drivers\SKYNETswyvhtvb.sys
G:\WINDOWS\System32\drivers\UACvipyprtlewbeetkdp.sys
G:\WINDOWS\System32\UACfbpfmjlfwdfwiitvh.dll

After Combofix rebooted and finished running, I saved the log, and re-enabled Spybot SD/TeaTimer and AVG console/Resident Shield. Then I opened Firefox to reply to you and AVG Resident popped up saying it had detected 2 instances of Win32/Cryptor on opening Firefox, one in Firefox, the other in Java. Both were the same:

G:\WINDOWS\System32\UACamnwmwadekgpgvo.dll

AVG quarantined the first instance (Firefox) and deleted the other (from Java).

Here is the Combofix log, and after that a HJT log (from before AVG detected the issue when I started Firefox):

ComboFix 09-06-18.02 - Charles Townsend 06/19/2009 22:50.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3454.3018 [GMT -7:00]
Running from: g:\documents and settings\Charles Townsend\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

g:\windows\system32\dPI19
g:\windows\system32\drivers\SKYNETswyvhtvb.sys
g:\windows\system32\drivers\UACuhabgodpskmxjqr.sys
g:\windows\system32\drivers\UACvipyprtlewbeetkdp.sys
g:\windows\system32\UACdhxmkmlkyxvqtii.dll
g:\windows\system32\UACfbpfmjlfwdfwiitvh.dll
g:\windows\system32\UACnsocjduwvjwgowx.dll
g:\windows\system32\UACtyojhyafritlmsn.dll
g:\windows\system32\UACxiwsvwpaxqmodep.dat
g:\windows\system32\UACxrtuyaatoypuoym.dll
g:\documents and settings\Charles Townsend\Application Data\inst.exe
g:\windows\system32\drivers\SKYNETswyvhtvb.sys
g:\windows\system32\drivers\UACvipyprtlewbeetkdp.sys
g:\windows\system32\SKYNETailulbfj.dll
g:\windows\system32\SKYNETexniduth.dll
g:\windows\system32\SKYNETgalcdqcr.dat
g:\windows\system32\SKYNETnldvhffn.dll
g:\windows\system32\SKYNETqfgqxvun.dat
g:\windows\system32\SKYNETvtmsbpfq.dll
g:\windows\system32\UACfbpfmjlfwdfwiitvh.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Service_SKYNETjkcpxnmj


((((((((((((((((((((((((( Files Created from 2009-05-20 to 2009-06-20 )))))))))))))))))))))))))))))))
.

2009-06-19 18:43 . 2009-06-19 18:43 286208 ----a-w- G:\9c9dhfgn.exe
2009-06-18 20:15 . 2009-06-18 20:16 -------- d-----w- g:\program files\Anti Failware
2009-06-18 18:59 . 2009-06-18 20:33 -------- d-----w- G:\!KillBox
2009-06-18 06:26 . 2005-08-26 02:18 118784 ----a-w- g:\windows\system32\MSSTDFMT.DLL
2009-06-18 06:03 . 2009-06-18 06:03 0 ----a-w- g:\windows\ativpsrm.bin
2009-06-18 06:02 . 2009-01-14 04:05 593920 ------w- g:\windows\system32\ati2sgag.exe
2009-06-18 05:52 . 2009-06-18 05:52 -------- d-----w- G:\ATI
2009-06-18 04:38 . 2009-06-18 04:38 -------- d-----w- g:\program files\Trend Micro
2009-06-18 03:14 . 2009-06-18 06:43 -------- d-----w- g:\program files\Exterminate It!
2009-06-17 21:33 . 2009-03-24 23:08 55640 ----a-w- g:\windows\system32\drivers\avgntflt.sys
2009-06-17 21:27 . 2009-06-17 21:31 -------- d-s---w- G:\ComboFix1234
2009-06-17 12:22 . 2009-06-17 12:22 102664 ----a-w- g:\windows\system32\drivers\tmcomm.sys
2009-06-17 12:22 . 2009-06-17 12:26 -------- d-----w- g:\documents and settings\Charles Townsend\.housecall6.6
2009-06-17 10:28 . 2009-06-20 05:35 66560 ----a-w- g:\windows\system32\UACamnwmwadekgpgvo.dll
2009-06-17 10:28 . 2009-06-17 10:28 30208 ------w- g:\windows\system32\UACwhwnrnsccrqdxda.dll
2009-06-16 06:34 . 2009-06-16 06:34 25600 ------w- g:\windows\system32\UACgrqlfypulkyxbxt.dll
2009-06-16 06:34 . 2009-06-16 06:34 53760 ------w- g:\windows\system32\drivers\UACqjrvpppynmdcxjb.sys
2009-06-03 08:25 . 2009-06-03 08:25 -------- d-----w- g:\documents and settings\All Users\Application Data\PIXELA
2009-06-03 08:20 . 2009-06-03 08:20 -------- d-----w- g:\program files\PIXELA
2009-05-28 07:12 . 2009-05-28 07:12 -------- d-----w- g:\documents and settings\Charles Townsend\Application Data\vlc
2009-05-22 00:40 . 2009-05-22 00:40 -------- d-----w- g:\program files\Microsoft SQL Server
2009-05-22 00:40 . 2009-05-22 00:40 488576 ----a-w- g:\documents and settings\All Users\Application Data\Microsoft\VWDExpress\9.0\1033\ResourceCache.dll
2009-05-22 00:39 . 2009-05-22 00:39 416 ----a-w- g:\documents and settings\All Users\Application Data\Microsoft\MSDN\9.0\1033\ResourceCache.dll
2009-05-22 00:38 . 2009-05-22 00:39 -------- d-----w- g:\program files\Microsoft Visual Studio 9.0
2009-05-22 00:38 . 2009-05-22 00:38 -------- d-----w- g:\program files\Microsoft.NET
2009-05-22 00:37 . 2009-05-22 00:37 -------- d-----w- g:\documents and settings\Charles Townsend\Local Settings\Application Data\Microsoft Help
2009-05-22 00:37 . 2009-05-22 00:40 -------- d-----w- g:\documents and settings\All Users\Application Data\Microsoft Help
2009-05-22 00:37 . 2009-05-22 00:37 -------- d-----w- g:\program files\Microsoft Web Designer Tools
2009-05-22 00:36 . 2009-05-22 00:36 -------- d--h--r- G:\MSOCache
2009-05-22 00:36 . 2009-05-22 00:36 -------- d-----w- g:\program files\Microsoft SDKs
2009-05-22 00:34 . 2009-05-22 01:41 -------- d-----w- g:\windows\SxsCaPendDel

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-20 05:54 . 2008-07-18 22:36 -------- d-----w- g:\documents and settings\Charles Townsend\Application Data\OpenOffice.org2
2009-06-18 23:26 . 2008-07-28 19:21 -------- d-----w- g:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-18 20:09 . 2008-12-02 08:59 -------- d-----w- g:\program files\Malwarebytes' Anti-Malware
2009-06-18 06:46 . 2008-12-30 00:31 3561743 ----a-w- g:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-18 06:45 . 2008-07-18 22:37 1 ----a-w- g:\documents and settings\Charles Townsend\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2009-06-18 05:43 . 2008-07-18 11:19 -------- d-----w- g:\program files\ATI Technologies
2009-06-17 23:03 . 2009-01-01 23:07 -------- d-----w- g:\program files\Spybot - Search & Destroy
2009-06-17 18:27 . 2008-12-02 08:59 38160 ----a-w- g:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 18:27 . 2008-12-02 08:59 19096 ----a-w- g:\windows\system32\drivers\mbam.sys
2009-06-17 12:55 . 2008-12-30 02:19 -------- d-----w- g:\program files\PTGui
2009-06-17 07:20 . 2008-07-27 04:55 -------- d-----w- g:\program files\Mozilla Sunbird
2009-06-11 00:39 . 2008-07-18 12:43 -------- d-----w- g:\documents and settings\Charles Townsend\Application Data\uTorrent
2009-06-03 08:20 . 2008-07-18 11:19 -------- d--h--w- g:\program files\InstallShield Installation Information
2009-06-02 09:39 . 2008-07-18 12:47 -------- d-----w- g:\program files\PeerGuardian2
2009-05-22 03:45 . 2008-11-25 22:30 -------- d-----w- g:\documents and settings\Charles Townsend\Application Data\FileZilla
2009-05-22 01:41 . 2008-07-18 11:38 19304 -c--a-w- g:\documents and settings\Charles Townsend\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-22 00:36 . 2008-12-16 16:11 69400 ----a-w- g:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-05-17 06:21 . 2008-09-28 20:01 -------- d-----w- g:\documents and settings\Charles Townsend\Application Data\Move Networks
2009-05-08 19:24 . 2009-01-28 01:49 11952 ----a-w- g:\windows\system32\avgrsstx.dll
2009-05-08 19:24 . 2008-07-18 22:49 325896 ----a-w- g:\windows\system32\drivers\avgldx86.sys
2009-05-08 19:24 . 2008-07-18 22:49 27784 ----a-w- g:\windows\system32\drivers\avgmfx86.sys
2009-05-08 07:50 . 2009-05-08 07:49 -------- d-----w- g:\program files\Webpage Capture
2009-05-07 15:32 . 2001-08-18 12:00 345600 ----a-w- g:\windows\system32\localspl.dll
2009-05-02 07:32 . 2009-05-02 07:32 -------- d-----w- g:\program files\CDisplayEx
2009-04-29 04:46 . 2001-08-18 12:00 666624 ----a-w- g:\windows\system32\wininet.dll
2009-04-29 04:46 . 2004-08-04 07:56 81920 ------w- g:\windows\system32\ieencode.dll
2009-04-17 12:26 . 2001-08-18 12:00 1847168 ----a-w- g:\windows\system32\win32k.sys
2009-04-15 14:51 . 2001-08-18 12:00 585216 ----a-w- g:\windows\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="g:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SpybotSD TeaTimer"="g:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="g:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-08 1947928]
"NeroFilterCheck"="g:\windows\system32\NeroCheck.exe" [2001-07-10 155648]
"Acrobat Assistant 8.0"="g:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-15 623992]
"BrStsWnd"="g:\program files\Brownie\BrstsWnd.exe" [2008-01-08 864256]
"M-Audio Taskbar Icon"="g:\windows\System32\M-AudioTaskBarIcon.exe" [2005-10-18 91136]
"RTHDCPL"="RTHDCPL.EXE" - g:\windows\RTHDCPL.exe [2007-08-10 16384000]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="g:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

g:\documents and settings\Charles Townsend\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - g:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-1-21 393216]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-08 19:24 11952 ----a-w- g:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=g:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi2"=usbnz1x1.dll
"midi4"=usbnz1x1.dll

[HKLM\~\startupfolder\G:^Documents and Settings^All Users^Start Menu^Programs^Startup^ImageMixer 3 SE Camera Monitor.lnk]
path=g:\documents and settings\All Users\Start Menu\Programs\Startup\ImageMixer 3 SE Camera Monitor.lnk
backup=g:\windows\pss\ImageMixer 3 SE Camera Monitor.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"g:\\Program Files\\uTorrent\\uTorrent.exe"=
"g:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"g:\\Program Files\\M-Audio\\Ozone\\Install\\ozinst.exe"=
"g:\\Program Files\\Common Files\\Macrovision Shared\\FLEXnet Publisher\\FNPLicensingService.exe"=
"g:\\Program Files\\AVG\\AVG8\\avgwdsvc.exe"=
"g:\\WINDOWS\\system32\\spoolsv.exe"=

R0 pavboot;pavboot;g:\windows\system32\drivers\pavboot.sys [1/1/2009 5:32 AM 28544]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;g:\windows\system32\drivers\avgldx86.sys [7/18/2008 3:49 PM 325896]
R2 avg8wd;AVG Free8 WatchDog;g:\progra~1\AVG\AVG8\avgwdsvc.exe [1/27/2009 6:49 PM 298776]
S3 ma763008;M-Audio Ozone;g:\windows\system32\drivers\MA763008.sys [2/10/2009 1:40 AM 63872]
S3 MADFU008;MADFU008;g:\windows\system32\drivers\MADFU008.sys [2/10/2009 1:40 AM 14336]
S3 USBNZ1X1;M-Audio Ozone Midi;g:\windows\system32\drivers\usbnz1x1.sys [2/10/2009 1:40 AM 22272]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
msiexec /fums {A75BF1D0-C7C3-CB55-EE17-3225387FD154} /qb
.
Contents of the 'Scheduled Tasks' folder

2009-06-18 g:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- g:\program files\Spybot - Search & Destroy\Spy6969botSD6969.exe [2009-01-01 22:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://webmail.ucr.edu/
IE: Append to existing PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: {{1F958B09-6612-7a0e-9223-4C7324C57B23} - g:\program files\Webpage Capture\Webpage Capture.exe
DPF: Microsoft XML Parser for Java - file://g:\windows\Java\classes\xmldso.cab
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-19 22:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\æHõwæ*]
"DisplayName"="???\17?\11\09"
"DeviceDesc"="???\17?\11\09"
"ProviderName"="???\11?\17?\11??"
"MFG"="???????"
"ReinstallString"=".10.1000.7"
"DeviceInstanceIds"=multi:"f:\\drivers\\chipset\\driver\\x86_x64\\sbdrv\\smbus\\smbusati.inf\00"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(728)
g:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2340)
g:\windows\system32\WPDShServiceObj.dll
g:\windows\system32\PortableDeviceTypes.dll
g:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
g:\windows\system32\ati2evxx.exe
g:\windows\system32\ati2evxx.exe
g:\program files\Java\jre6\bin\jqs.exe
g:\program files\M-Audio\Ozone\Install\ozinst.exe
g:\program files\AVG\AVG8\avgrsx.exe
g:\windows\system32\wscntfy.exe
g:\program files\OpenOffice.org 2.4\program\soffice.exe
g:\program files\OpenOffice.org 2.4\program\soffice.bin
g:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2009-06-20 22:56 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-20 05:56

Pre-Run: 60,007,555,072 bytes free
Post-Run: 60,022,996,992 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
g:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

217 --- E O F --- 2009-06-10 01:55



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:01:58 PM, on 6/19/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\Ati2evxx.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\system32\Ati2evxx.exe
G:\WINDOWS\system32\spoolsv.exe
G:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
G:\Program Files\Java\jre6\bin\jqs.exe
G:\Program Files\M-Audio\Ozone\Install\ozinst.exe
G:\WINDOWS\System32\svchost.exe
G:\PROGRA~1\AVG\AVG8\avgrsx.exe
G:\WINDOWS\system32\wscntfy.exe
G:\WINDOWS\RTHDCPL.EXE
G:\PROGRA~1\AVG\AVG8\avgtray.exe
G:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
G:\WINDOWS\System32\M-AudioTaskBarIcon.exe
G:\WINDOWS\system32\ctfmon.exe
G:\Program Files\OpenOffice.org 2.4\program\soffice.exe
G:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
G:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
G:\WINDOWS\explorer.exe
G:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmail.ucr.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - G:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - G:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - G:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] G:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] G:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "G:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [BrStsWnd] G:\Program Files\Brownie\BrstsWnd.exe Autorun
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] G:\WINDOWS\System32\M-AudioTaskBarIcon.exe
O4 - HKCU\..\Run: [CTFMON.EXE] G:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] G:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] G:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] G:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 2.4.lnk = G:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O8 - Extra context menu item: Append to existing PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: Webpage Capture - {1F958B09-6612-7a0e-9223-4C7324C57B23} - G:\Program Files\Webpage Capture\Webpage Capture.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - G:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - G:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1216381608576
O20 - AppInit_DLLs: G:\WINDOWS\system32\avgrsstx.dll
O20 - Winlogon Notify: avgrsstarter - G:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - G:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - G:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - G:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - G:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - G:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: M-Audio Ozone Installer (OzoneInstallerService) - Nemesis - G:\Program Files\M-Audio\Ozone\Install\ozinst.exe

--
End of file - 6306 bytes
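The ComboFix log above shows the pattern a responder looks for with this infection: the rootkit's components sit directly in system32 and system32\drivers under randomly generated names with two fixed prefixes (UAC… and SKYNET…), and the "Drivers/Services" section carries the matching Service_UACd.sys and Service_SKYNETjkcpxnmj entries. As an added example, not code from either poster, from BleepingComputer or from the ComboFix author, here is a small Python triage script that applies exactly that naming heuristic to log lines in the ComboFix format. The sample lines are constructed from paths in the log above (two benign entries included so the filter has something to ignore); the regexes, the "six or more letters" threshold and the function names are the editor's assumptions, not a ComboFix or vendor signature.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample in the shape of ComboFix's "Other Deletions", "Files Created" and
# "Drivers/Services" sections; the paths are copied from the log above, and the benign
# entries (avgntflt.sys, win32k.sys) are included so the filter has something to ignore.
SAMPLE_LOG = r"""
g:\windows\system32\drivers\SKYNETswyvhtvb.sys
g:\windows\system32\drivers\UACvipyprtlewbeetkdp.sys
g:\windows\system32\UACfbpfmjlfwdfwiitvh.dll
g:\windows\system32\SKYNETgalcdqcr.dat
2009-06-17 10:28 . 2009-06-20 05:35 66560 ----a-w- g:\windows\system32\UACamnwmwadekgpgvo.dll
2009-06-17 21:33 . 2009-03-24 23:08 55640 ----a-w- g:\windows\system32\drivers\avgntflt.sys
2009-04-17 12:26 . 2001-08-18 12:00 1847168 ----a-w- g:\windows\system32\win32k.sys
-------\Service_UACd.sys
-------\Service_SKYNETjkcpxnmj
"""

# Heuristic taken from the names in the log (an editor's assumption, not a vendor signature):
# fixed prefix UAC or SKYNET, then a run of at least six random letters, saved as a
# .sys/.dll/.dat directly under system32 or system32\drivers.
RANDOM_NAME_RE = re.compile(
    r"(?i)[a-z]:\\windows\\system32\\(?:drivers\\)?(?:UAC|SKYNET)[a-z]{6,}\.(?:sys|dll|dat)$"
)
# Service entries in the "Drivers/Services" section carry the same two prefixes.
SERVICE_RE = re.compile(r"Service_(?P<name>(?:UAC|SKYNET)\w*)")
# ComboFix prints the path last on a line; take everything from the drive letter onward.
PATH_RE = re.compile(r"[A-Za-z]:\\.*$")


def triage_line(line: str) -> Optional[Tuple[str, str]]:
    """Return ("service", name) or ("file", path) when the line carries an indicator, else None."""
    svc = SERVICE_RE.search(line)
    if svc:
        return ("service", svc.group("name"))
    path_match = PATH_RE.search(line)
    if path_match is None:
        return None
    path = path_match.group(0).strip()
    if RANDOM_NAME_RE.search(path):
        return ("file", path)
    return None


def triage_log(text: str) -> List[Tuple[str, str]]:
    """Run triage_line over every non-empty line, preserving log order."""
    hits: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line:
            hit = triage_line(line)
            if hit is not None:
                hits.append(hit)
    return hits


def summarize(hits: List[Tuple[str, str]]) -> dict:
    """Count indicators per prefix so the two name families in the log are reported separately."""
    counts: dict = {}
    for kind, value in hits:
        name = value.rsplit("\\", 1)[-1] if kind == "file" else value
        family = "SKYNET" if name.upper().startswith("SKYNET") else "UAC"
        counts[family] = counts.get(family, 0) + 1
    return counts


if __name__ == "__main__":
    found = triage_log(SAMPLE_LOG)
    for kind, value in found:
        print(f"{kind:8s} {value}")
    print("per family:", summarize(found))
```

Run against the sample, the script flags the five randomly named files and the two service entries and leaves the AVG and Windows files alone. A name-based heuristic like this is only a triage aid: it tells the responder which lines in a log to look at first, and a clean result says nothing about components that use a different naming scheme, which is why the helper in this thread still asks for the files to be collected and submitted for analysis.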

#6 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,173 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 20 June 2009 - 01:53 AM

Hi, chakakhan :thumbup2:
  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop

Collect::
g:\windows\system32\UACamnwmwadekgpgvo.dll
g:\windows\system32\UACwhwnrnsccrqdxda.dll
g:\windows\system32\UACgrqlfypulkyxbxt.dll
g:\windows\system32\drivers\UACqjrvpppynmdcxjb.sys


Posted Image

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report along with a Hijackthis log.

Additionally, when CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
By any chance, did the fix create a Catchme.zip folder on your desktop?

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#7 chakakhan

chakakhan
  • Topic Starter

  • Members
  • 9 posts

Posted 20 June 2009 - 02:53 AM

Hi again JSntgRvr. I started up Firefox to check my email and AVG popped up with "accessed file has warning... found tracking cookie.Revsci detected on open" at:

G:\Documents and Settings\Charles Townsend\Application Data\Mozilla\Firefox\6nhnctfa.default\cookies.sqlite

Anyway, I quarantined it. Then I followed the directions in your last post, ran Combofix with the CFScript file, and submitted the files for analysis. No, there was no catchme.zip folder.

Google searches don't seem to be redirecting any more, and the system sounds and feels more back to normal (yay! :thumbup2: ). Should I run AVG/Malwarebytes/Spybot SD to see what comes up?

Thank you so much!

Here are the latest Combofix and HJT logs:

ComboFix 09-06-18.02 - Charles Townsend 06/20/2009 0:31.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3454.2962 [GMT -7:00]
Running from: g:\documents and settings\Charles Townsend\Desktop\ComboFix.exe
Command switches used :: g:\documents and settings\Charles Townsend\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point

file zipped: g:\windows\system32\drivers\UACqjrvpppynmdcxjb.sys
file zipped: g:\windows\system32\UACgrqlfypulkyxbxt.dll
file zipped: g:\windows\system32\UACwhwnrnsccrqdxda.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

g:\windows\system32\drivers\UACqjrvpppynmdcxjb.sys
g:\windows\system32\UACgrqlfypulkyxbxt.dll
g:\windows\system32\UACwhwnrnsccrqdxda.dll

.
((((((((((((((((((((((((( Files Created from 2009-05-20 to 2009-06-20 )))))))))))))))))))))))))))))))
.

2009-06-19 18:43 . 2009-06-19 18:43 286208 ----a-w- G:\9c9dhfgn.exe
2009-06-18 20:15 . 2009-06-18 20:16 -------- d-----w- g:\program files\Anti Failware
2009-06-18 18:59 . 2009-06-18 20:33 -------- d-----w- G:\!KillBox
2009-06-18 06:26 . 2005-08-26 02:18 118784 ----a-w- g:\windows\system32\MSSTDFMT.DLL
2009-06-18 06:03 . 2009-06-18 06:03 0 ----a-w- g:\windows\ativpsrm.bin
2009-06-18 06:02 . 2009-01-14 04:05 593920 ------w- g:\windows\system32\ati2sgag.exe
2009-06-18 05:52 . 2009-06-18 05:52 -------- d-----w- G:\ATI
2009-06-18 04:38 . 2009-06-18 04:38 -------- d-----w- g:\program files\Trend Micro
2009-06-18 03:14 . 2009-06-18 06:43 -------- d-----w- g:\program files\Exterminate It!
2009-06-17 21:33 . 2009-03-24 23:08 55640 ----a-w- g:\windows\system32\drivers\avgntflt.sys
2009-06-17 21:27 . 2009-06-17 21:31 -------- d-s---w- G:\ComboFix1234
2009-06-17 12:22 . 2009-06-17 12:22 102664 ----a-w- g:\windows\system32\drivers\tmcomm.sys
2009-06-17 12:22 . 2009-06-17 12:26 -------- d-----w- g:\documents and settings\Charles Townsend\.housecall6.6
2009-06-03 08:25 . 2009-06-03 08:25 -------- d-----w- g:\documents and settings\All Users\Application Data\PIXELA
2009-06-03 08:20 . 2009-06-03 08:20 -------- d-----w- g:\program files\PIXELA
2009-05-28 07:12 . 2009-05-28 07:12 -------- d-----w- g:\documents and settings\Charles Townsend\Application Data\vlc
2009-05-22 00:40 . 2009-05-22 00:40 -------- d-----w- g:\program files\Microsoft SQL Server
2009-05-22 00:40 . 2009-05-22 00:40 488576 ----a-w- g:\documents and settings\All Users\Application Data\Microsoft\VWDExpress\9.0\1033\ResourceCache.dll
2009-05-22 00:39 . 2009-05-22 00:39 416 ----a-w- g:\documents and settings\All Users\Application Data\Microsoft\MSDN\9.0\1033\ResourceCache.dll
2009-05-22 00:38 . 2009-05-22 00:39 -------- d-----w- g:\program files\Microsoft Visual Studio 9.0
2009-05-22 00:38 . 2009-05-22 00:38 -------- d-----w- g:\program files\Microsoft.NET
2009-05-22 00:37 . 2009-05-22 00:37 -------- d-----w- g:\documents and settings\Charles Townsend\Local Settings\Application Data\Microsoft Help
2009-05-22 00:37 . 2009-05-22 00:40 -------- d-----w- g:\documents and settings\All Users\Application Data\Microsoft Help
2009-05-22 00:37 . 2009-05-22 00:37 -------- d-----w- g:\program files\Microsoft Web Designer Tools
2009-05-22 00:36 . 2009-05-22 00:36 -------- d--h--r- G:\MSOCache
2009-05-22 00:36 . 2009-05-22 00:36 -------- d-----w- g:\program files\Microsoft SDKs
2009-05-22 00:34 . 2009-05-22 01:41 -------- d-----w- g:\windows\SxsCaPendDel

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-20 07:22 . 2008-07-18 22:36 -------- d-----w- g:\documents and settings\Charles Townsend\Application Data\OpenOffice.org2
2009-06-18 23:26 . 2008-07-28 19:21 -------- d-----w- g:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-18 20:09 . 2008-12-02 08:59 -------- d-----w- g:\program files\Malwarebytes' Anti-Malware
2009-06-18 06:46 . 2008-12-30 00:31 3561743 ----a-w- g:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-18 06:45 . 2008-07-18 22:37 1 ----a-w- g:\documents and settings\Charles Townsend\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2009-06-18 05:43 . 2008-07-18 11:19 -------- d-----w- g:\program files\ATI Technologies
2009-06-17 23:03 . 2009-01-01 23:07 -------- d-----w- g:\program files\Spybot - Search & Destroy
2009-06-17 18:27 . 2008-12-02 08:59 38160 ----a-w- g:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 18:27 . 2008-12-02 08:59 19096 ----a-w- g:\windows\system32\drivers\mbam.sys
2009-06-17 12:55 . 2008-12-30 02:19 -------- d-----w- g:\program files\PTGui
2009-06-17 07:20 . 2008-07-27 04:55 -------- d-----w- g:\program files\Mozilla Sunbird
2009-06-11 00:39 . 2008-07-18 12:43 -------- d-----w- g:\documents and settings\Charles Townsend\Application Data\uTorrent
2009-06-03 08:20 . 2008-07-18 11:19 -------- d--h--w- g:\program files\InstallShield Installation Information
2009-06-02 09:39 . 2008-07-18 12:47 -------- d-----w- g:\program files\PeerGuardian2
2009-05-22 03:45 . 2008-11-25 22:30 -------- d-----w- g:\documents and settings\Charles Townsend\Application Data\FileZilla
2009-05-22 01:41 . 2008-07-18 11:38 19304 -c--a-w- g:\documents and settings\Charles Townsend\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-22 00:36 . 2008-12-16 16:11 69400 ----a-w- g:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-05-17 06:21 . 2008-09-28 20:01 -------- d-----w- g:\documents and settings\Charles Townsend\Application Data\Move Networks
2009-05-08 19:24 . 2009-01-28 01:49 11952 ----a-w- g:\windows\system32\avgrsstx.dll
2009-05-08 19:24 . 2008-07-18 22:49 325896 ----a-w- g:\windows\system32\drivers\avgldx86.sys
2009-05-08 19:24 . 2008-07-18 22:49 27784 ----a-w- g:\windows\system32\drivers\avgmfx86.sys
2009-05-08 07:50 . 2009-05-08 07:49 -------- d-----w- g:\program files\Webpage Capture
2009-05-07 15:32 . 2001-08-18 12:00 345600 ----a-w- g:\windows\system32\localspl.dll
2009-05-02 07:32 . 2009-05-02 07:32 -------- d-----w- g:\program files\CDisplayEx
2009-04-29 04:46 . 2001-08-18 12:00 666624 ----a-w- g:\windows\system32\wininet.dll
2009-04-29 04:46 . 2004-08-04 07:56 81920 ------w- g:\windows\system32\ieencode.dll
2009-04-17 12:26 . 2001-08-18 12:00 1847168 ----a-w- g:\windows\system32\win32k.sys
2009-04-15 14:51 . 2001-08-18 12:00 585216 ----a-w- g:\windows\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-06-20_05.54.42 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-20 07:22 . 2009-06-20 07:22 16384 g:\windows\Temp\Perflib_Perfdata_31c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="g:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SpybotSD TeaTimer"="g:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="g:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-08 1947928]
"NeroFilterCheck"="g:\windows\system32\NeroCheck.exe" [2001-07-10 155648]
"Acrobat Assistant 8.0"="g:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-15 623992]
"BrStsWnd"="g:\program files\Brownie\BrstsWnd.exe" [2008-01-08 864256]
"M-Audio Taskbar Icon"="g:\windows\System32\M-AudioTaskBarIcon.exe" [2005-10-18 91136]
"RTHDCPL"="RTHDCPL.EXE" - g:\windows\RTHDCPL.exe [2007-08-10 16384000]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="g:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

g:\documents and settings\Charles Townsend\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - g:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-1-21 393216]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-08 19:24 11952 ----a-w- g:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=g:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi2"=usbnz1x1.dll
"midi4"=usbnz1x1.dll

[HKLM\~\startupfolder\G:^Documents and Settings^All Users^Start Menu^Programs^Startup^ImageMixer 3 SE Camera Monitor.lnk]
path=g:\documents and settings\All Users\Start Menu\Programs\Startup\ImageMixer 3 SE Camera Monitor.lnk
backup=g:\windows\pss\ImageMixer 3 SE Camera Monitor.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"g:\\Program Files\\uTorrent\\uTorrent.exe"=
"g:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"g:\\Program Files\\M-Audio\\Ozone\\Install\\ozinst.exe"=
"g:\\Program Files\\Common Files\\Macrovision Shared\\FLEXnet Publisher\\FNPLicensingService.exe"=
"g:\\Program Files\\AVG\\AVG8\\avgwdsvc.exe"=
"g:\\WINDOWS\\system32\\spoolsv.exe"=

R0 pavboot;pavboot;g:\windows\system32\drivers\pavboot.sys [1/1/2009 5:32 AM 28544]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;g:\windows\system32\drivers\avgldx86.sys [7/18/2008 3:49 PM 325896]
R2 avg8wd;AVG Free8 WatchDog;g:\progra~1\AVG\AVG8\avgwdsvc.exe [1/27/2009 6:49 PM 298776]
S3 ma763008;M-Audio Ozone;g:\windows\system32\drivers\MA763008.sys [2/10/2009 1:40 AM 63872]
S3 MADFU008;MADFU008;g:\windows\system32\drivers\MADFU008.sys [2/10/2009 1:40 AM 14336]
S3 USBNZ1X1;M-Audio Ozone Midi;g:\windows\system32\drivers\usbnz1x1.sys [2/10/2009 1:40 AM 22272]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
msiexec /fums {A75BF1D0-C7C3-CB55-EE17-3225387FD154} /qb
.
Contents of the 'Scheduled Tasks' folder

2009-06-18 g:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- g:\program files\Spybot - Search & Destroy\Spy6969botSD6969.exe [2009-01-01 22:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://webmail.ucr.edu/
IE: Append to existing PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - g:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: {{1F958B09-6612-7a0e-9223-4C7324C57B23} - g:\program files\Webpage Capture\Webpage Capture.exe
DPF: Microsoft XML Parser for Java - file://g:\windows\Java\classes\xmldso.cab
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-20 00:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\æHõwæ*]
"DisplayName"="???\17?\11\09"
"DeviceDesc"="???\17?\11\09"
"ProviderName"="???\11?\17?\11??"
"MFG"="???????"
"ReinstallString"=".10.1000.7"
"DeviceInstanceIds"=multi:"f:\\drivers\\chipset\\driver\\x86_x64\\sbdrv\\smbus\\smbusati.inf\00"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(724)
g:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-06-20 0:34
ComboFix-quarantined-files.txt 2009-06-20 07:34
ComboFix2.txt 2009-06-20 05:56

Pre-Run: 60,002,816,000 bytes free
Post-Run: 59,988,463,616 bytes free

177 --- E O F --- 2009-06-10 01:55
Upload was successful



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:36:49 AM, on 6/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\Ati2evxx.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\system32\Ati2evxx.exe
G:\WINDOWS\system32\spoolsv.exe
G:\WINDOWS\RTHDCPL.EXE
G:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
G:\WINDOWS\System32\M-AudioTaskBarIcon.exe
G:\WINDOWS\system32\ctfmon.exe
G:\Program Files\OpenOffice.org 2.4\program\soffice.exe
G:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
G:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
G:\Program Files\Java\jre6\bin\jqs.exe
G:\Program Files\M-Audio\Ozone\Install\ozinst.exe
G:\PROGRA~1\AVG\AVG8\avgrsx.exe
G:\WINDOWS\System32\svchost.exe
G:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
G:\WINDOWS\system32\wscntfy.exe
G:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
G:\WINDOWS\explorer.exe
G:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmail.ucr.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - G:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - G:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - G:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] G:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] G:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "G:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [BrStsWnd] G:\Program Files\Brownie\BrstsWnd.exe Autorun
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] G:\WINDOWS\System32\M-AudioTaskBarIcon.exe
O4 - HKCU\..\Run: [CTFMON.EXE] G:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] G:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] G:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] G:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 2.4.lnk = G:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O8 - Extra context menu item: Append to existing PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: Webpage Capture - {1F958B09-6612-7a0e-9223-4C7324C57B23} - G:\Program Files\Webpage Capture\Webpage Capture.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - G:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - G:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1216381608576
O20 - AppInit_DLLs: G:\WINDOWS\system32\avgrsstx.dll
O20 - Winlogon Notify: avgrsstarter - G:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - G:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - G:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - G:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - G:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - G:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: M-Audio Ozone Installer (OzoneInstallerService) - Nemesis - G:\Program Files\M-Audio\Ozone\Install\ozinst.exe

--
End of file - 6329 bytes

#8 chakakhan (Topic Starter)

Posted 20 June 2009 - 03:14 AM

Also, should I be worried that the other computers on my wireless network, or any of my accounts/passwords might be compromised at this point??? :thumbup2:

#9 JSntgRvr (Master Surgeon General, Malware Response Team)

Posted 20 June 2009 - 12:27 PM

Also, should I be worried that the other computers on my wireless network, or any of my accounts/passwords might be compromised at this point??? :thumbup2:

The infection was backdoor Trojan.

These are the most dangerous, and most widespread, type of Trojan. Backdoor Trojans provide the author or ‘master’ of the Trojan with remote ‘administration’ of victim machines. Unlike legitimate remote administration utilities, they install, launch and run invisibly, without the consent or knowledge of the user. Once installed, backdoor Trojans can be instructed to send, receive, execute and delete files, harvest confidential data from the computer, log activity on the computer and more.

If this computer is ever used for on-line banking, I suggest you do the following IMMEDIATELY:
  • Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
  • From a clean computer, change ALL your on-line passwords for email, for banks, financial accounts, PayPal, eBay, on-line companies, any on-line forums or groups you belong to.
Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information. Please refrain from using this computer for online-banking/financial purposes until we give it the all clear. Concerning your network, it should not be affected, but it wouldn't hurt to run GMER to confirm. If a rootkit is found let me know.

Please download ATF Cleaner by Atribune. Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser: click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser: click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

It's normal after running ATF cleaner that the PC will be slower to boot for a few times.

Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses JAVA technology to perform the scan. If you do not have the latest JAVA version, follow the instructions below under Upgrading Java to download and install the latest version.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure the following is checked:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.
Upgrading Java:
  • Download the latest version of Java SE Runtime Environment (JRE), JRE 6 Update 14.
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u14-windows-i586.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version. (Vista users, right-click on the jre-6u14-windows-i586.exe and select "Run as an Administrator.")

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#10 chakakhan (Topic Starter)

Posted 20 June 2009 - 05:34 PM

Hello again. Thanks for the information about my accounts. I've taken the necessary precautions.

The same thing happened with the Revsci tracking cookie when I started up Firefox today - AVG popped up with "accessed file has warning... found tracking cookie.Revsci detected on open" at:

G:\Documents and Settings\Charles Townsend\Application Data\Mozilla\Firefox\6nhnctfa.default\cookies.sqlite

I quarantined it again. Hmmph, anyway, I followed all of your instructions, I updated Java, ran ATF cleaner, then ran a Kaspersky online scan. Here is the Kaspersky log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Saturday, June 20, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Saturday, June 20, 2009 21:19:15
Records in database: 2371636
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\

Scan statistics:
Files scanned: 75825
Threat name: 5
Infected objects: 9
Suspicious objects: 0
Duration of the scan: 02:04:57


File name / Threat name / Threats count
G:\Qoobox\Quarantine\G\WINDOWS\system32\UACnsocjduwvjwgowx.dll.vir Infected: Trojan.Win32.TDSS.adzx 1
G:\Qoobox\Quarantine\G\WINDOWS\system32\UACtyojhyafritlmsn.dll.vir Infected: Trojan.Win32.TDSS.adzz 1
G:\Qoobox\Quarantine\G\WINDOWS\system32\UACxrtuyaatoypuoym.dll.vir Infected: Packed.Win32.Tdss.m 1
G:\Qoobox\Quarantine\[4]-Submit_2009-06-20_00.31.21.zip Infected: Packed.Win32.Tdss.m 1
G:\Qoobox\Quarantine\[4]-Submit_2009-06-20_00.31.21.zip Infected: Trojan.Win32.TDSS.aekg 1
G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP393\A0038318.dll Infected: Trojan.Win32.TDSS.adzx 1
G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP393\A0038319.dll Infected: Trojan.Win32.TDSS.adzz 1
G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP393\A0038320.dll Infected: Packed.Win32.Tdss.m 1
G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP393\A0038428.dll Infected: Trojan.Win32.TDSS.aegg 1

The selected area was scanned.

#11 JSntgRvr (Master Surgeon General, Malware Response Team)

Posted 20 June 2009 - 06:05 PM

Hi, chakakhan :thumbup2:

The ATF cleaner should have removed all temp files including cookies. Cookies represent no threat to your computer.

Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Since the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, as well as the folders created by these tools.

Follow these steps to uninstall Combofix
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the x and the /u, it needs to be there.

Create a Restore point (If the above process fails to do so):
  • Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore.
  • In the System Restore dialog box, click Create a restore point, and then click Next.
  • Type a description for your restore point, such as "After Cleanup", then click Create.
Test the computer and let me know how it is doing.



#12 chakakhan (Topic Starter)

Posted 20 June 2009 - 08:04 PM

Hello JSntgRvr. Thank you for all of your work on this!

I was concerned about the tracking cookie only because AVG kept finding it right when I started Firefox. It seems to have gone away now.

I followed all of your instructions regarding system restore, then I ran some scans.

Things seem to be looking better now, Google searches no longer redirect, the computer is running smoother. I ran AVG and Malwarebytes scans and they both came up clean... but I ran a Spybot SD scan and it found this:

Win32.TDSS.rtk
(SBI $6665A6E1)
G:\WINDOWS\system32\UACyedrsqlcgdappjc.log

What's next?

Thank you again!

#13 JSntgRvr (Master Surgeon General, Malware Response Team)

Posted 20 June 2009 - 11:03 PM

Hello JSntgRvr. Thank you for all of your work on this!

I was concerned about the tracking cookie only because AVG kept finding it right when I started Firefox. It seems to have gone away now.

I followed all of your instructions regarding system restore, then I ran some scans.

Things seem to be looking better now, Google searches no longer redirect, the computer is running smoother. I ran AVG and Malwarebytes scans and they both came up clean... but I ran a Spybot SD scan and it found this:

Win32.TDSS.rtk
(SBI $6665A6E1)
G:\WINDOWS\system32\UACyedrsqlcgdappjc.log

What's next?

Thank you again!

The infection is neutralized, but let's search for any file remnants.

Download the enclosed folder. [attachment=23512:FindIt.zip] Save and extract its contents to the desktop. Once extracted, open the folder and click on the RunMe.bat file. It will take some time to search the system folders. A report will be produced. Post its contents in a reply.

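The Kaspersky report in post #10, the helper's point in post #11 that the remaining hits sit in ComboFix's quarantine and in System Restore snapshots, and the leftover UAC*.log Spybot found in post #12, worked through as an added example (this is not code from the thread or from any of the tools used in it): a small Python triage script that sorts each detection by where it sits, so copies in the Qoobox quarantine and in restore points are told apart from anything still live, and flags the "UAC" plus random-letters file names this TDSS variant used. The UAC* pattern is a heuristic taken only from the names in this thread, and the function names are this example's own.

```python
# Added example for this thread, not a tool used by its participants.
# Sample lines are copied from the Kaspersky report and the Spybot hit above.
import re
from collections import Counter

# Constructed sample input: the "File name / Threat name / Threats count"
# lines from the Kaspersky Online Scanner report in post #10.
KASPERSKY_REPORT = r"""
G:\Qoobox\Quarantine\G\WINDOWS\system32\UACnsocjduwvjwgowx.dll.vir Infected: Trojan.Win32.TDSS.adzx 1
G:\Qoobox\Quarantine\G\WINDOWS\system32\UACtyojhyafritlmsn.dll.vir Infected: Trojan.Win32.TDSS.adzz 1
G:\Qoobox\Quarantine\G\WINDOWS\system32\UACxrtuyaatoypuoym.dll.vir Infected: Packed.Win32.Tdss.m 1
G:\Qoobox\Quarantine\[4]-Submit_2009-06-20_00.31.21.zip Infected: Packed.Win32.Tdss.m 1
G:\Qoobox\Quarantine\[4]-Submit_2009-06-20_00.31.21.zip Infected: Trojan.Win32.TDSS.aekg 1
G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP393\A0038318.dll Infected: Trojan.Win32.TDSS.adzx 1
G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP393\A0038319.dll Infected: Trojan.Win32.TDSS.adzz 1
G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP393\A0038320.dll Infected: Packed.Win32.Tdss.m 1
G:\System Volume Information\_restore{EE239FD8-C6D1-4688-A66E-4CD07BF92278}\RP393\A0038428.dll Infected: Trojan.Win32.TDSS.aegg 1
"""

# The file Spybot still flagged in post #12, after ComboFix had already run.
SPYBOT_HIT = r"G:\WINDOWS\system32\UACyedrsqlcgdappjc.log"

DETECTION_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")

# Heuristic, derived only from the names seen in this thread: this TDSS build
# dropped files named "UAC" plus a run of random lowercase letters into system32.
TDSS_NAME_RE = re.compile(r"^UAC[a-z]{8,}\.(dll|log|dat|sys)$", re.IGNORECASE)


def classify_path(path: str) -> str:
    """Where a detection lives decides what, if anything, still has to be done."""
    lowered = path.lower()
    if "\\qoobox\\quarantine\\" in lowered:
        return "quarantine"     # ComboFix's copy; gone once ComboFix is uninstalled
    if "\\system volume information\\_restore" in lowered:
        return "restore_point"  # Windows snapshot; gone once System Restore is reset
    return "live"               # still on the running system: needs removal


def looks_like_tdss_dropper(path: str) -> bool:
    """True if the file name fits the UAC* pattern; ".vir" is ComboFix's quarantine suffix."""
    name = path.rsplit("\\", 1)[-1]
    if name.lower().endswith(".vir"):
        name = name[:-4]
    return TDSS_NAME_RE.match(name) is not None


def parse_report(text: str) -> list:
    """Turn report lines into dicts; lines that are not detections are skipped."""
    hits = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            hits.append({"path": m["path"], "threat": m["threat"],
                         "count": int(m["count"]), "location": classify_path(m["path"])})
    return hits


def summarize(hits: list) -> dict:
    """Count detections per location and how many carry the UAC* dropper name."""
    by_location = Counter(h["location"] for h in hits)
    return {"total": len(hits),
            "quarantine": by_location["quarantine"],
            "restore_point": by_location["restore_point"],
            "live": by_location["live"],
            "tdss_names": sum(looks_like_tdss_dropper(h["path"]) for h in hits)}


if __name__ == "__main__":
    hits = parse_report(KASPERSKY_REPORT)
    for h in hits:
        print(f"{h['location']:13} {h['threat']:24} {h['path']}")
    print(summarize(hits))
    # The Spybot leftover is neither quarantined nor a snapshot: it is live.
    print("Spybot hit:", classify_path(SPYBOT_HIT), looks_like_tdss_dropper(SPYBOT_HIT))
```

For the report above this yields five quarantine copies, four restore-point copies and nothing live, which is why the helper's next steps were uninstalling ComboFix and resetting System Restore rather than another removal pass.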


#14 chakakhan (Topic Starter)

Posted 21 June 2009 - 05:05 PM

:thumbup2: You're awesome! Yeah, I think everything is clean now. Ran scans again and everything is clean. Thank you so much for all of your help!!! Here is the log from findit:

Entries: 0 (0)
Directories: 0 Files: 0
Bytes: 0 Blocks: 0

Entries: 0 (0)
Directories: 0 Files: 0
Bytes: 0 Blocks: 0

Total Entries: 0 (0)
Total Directories: 0 Files: 0
Total Bytes: 0 Blocks: 0

#15 JSntgRvr (Master Surgeon General, Malware Response Team)

Posted 21 June 2009 - 11:27 PM

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  • AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
  • SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  • ZonedOut + IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • ATF! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • Google Toolbar - Free Google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
  • Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
  • Recovery Console - Recent trends appear to indicate that future infections will include attacks to the boot sector of the computer. The installation of the Recovery Console in the computer will be our only defense against this threat. For more information and steps to install the Recovery Console see This Article. Should you need assistance in installing the Recovery Console, please do not hesitate to ask.
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Miekiemoes.

Best wishes!





