Multi Infections - Rustock, sopidkc, renos, wiwow, etc


  • This topic is locked
30 replies to this topic

#1 NFecTE

Posted 30 June 2009 - 03:07 PM

Hello. I apologize in advance for having to break the rules already, but I am unable to perform the dds scan. I am unable to start any new programs, exe's, etc. Well, almost unable. I have found a few "loopholes" that will allow me to run HiJackThis and a few others. I have not been able to run ComboFix or the dds scan even with name changes. I've attempted these things in SafeMode, as well.

Now onto a description:
I arrived on what is normally a safe site the other day, an unusual popup occurred but it was adobe pdf reader. Immediately, my avg went off but obviously did not catch half of it. This is my second infection on any computer I've owned in 10yrs. I have removed some things (hopefully not screwing up others). I still am unable to start most programs. When I click a program to start, a black dos window opens up and in the title, it always shows c:\windows\system32\msalsat.exe, then immediately disappears; nothing in the taskbar; no program started; no smile on my face. I have not been able to find anything on this msalsat.exe. When I temporarily deleted it and tried starting a program, no dos box but instead it would ask me what program I wanted to use to open this file. It did this for whatever I tried to open, so I returned msalsat.exe. This way, I'm at least able to open/run a few things by using the right click menu or, for example, to run HiJack, I just right click a notepad file, use Open With, and then HiJackThis. This will not work for everything, however.

It loads a few things whenever I startup or open IE. Those things seem to have stopped now that I was able to shut off the BHO it installed and delete the file. It also affects my anti virus, etc programs and blocks me from my registry.

Here is a list of things I've found through various scans, manual searches, google digging and task manager viewing. (Some I know are bad, some not so sure. Some of these go together, I'm sure, too):
sopidkc.exe
tpsaxyd.exe
tpszxyd.exe
wiwow64.exe
Temp\tmp0_56585441106.bk.ol
Trojan-Spy.Win32.VB.bsr
Trojan.Win32.Koblu.jp
Trojan.Downloader.Win32.DlfBfkg.br
tmp0_189897181397.bk.old
W[2].bin
msalsat.exe
ntvdm.dll
b.exe
c.exe
liser.exe
msa.exe
73.tmp
Backdoor:Win32/Rustock.G
TrojanDownloader:Win32/Renos.DY
TrojanDownloader:Win32/Renos.DZ

I know I'm missing some things there, but that's what y'alls advice and suggested scans will come in. :)

I actually did a Kaspersky scan yesterday, however, it was not finding everything and would probably turn out differently, now. I can scan it again and update it, if you'd like. Otherwise, here's the last Kaspersky scan I did. ***NOTE:*** I just realized the following scan was only of my WINDOWS folder. The reason I did the WINDOWS folder only was because I had just accidentally closed the scanner window after a full scan. It only showed one infection at that time and it was in the windows folder, so I rescanned the windows folder only and I guess I only saved that scan result.

KASPERSKY ONLINE SCANNER 7.0 REPORT
Saturday, June 27, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Saturday, June 27, 2009 07:23:50
Records in database: 2395324


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area Folder
C:\WINDOWS

Scan statistics
Files scanned 25491
Threat name 4
Infected objects 6
Suspicious objects 0
Duration of the scan 01:07:53

File name Threat name Threats count
C:\WINDOWS\system32\3361\services.exe Infected: Trojan-Spy.Win32.VB.bsr 1

C:\WINDOWS\system32\sopidkc.exe Infected: Trojan.Win32.Koblu.jp 1

C:\WINDOWS\system32\tpsaxyd.exe Infected: Trojan-Downloader.Win32.DlfBfkg.bm 1

C:\WINDOWS\system32\tpszxyd.sys Infected: Trojan-Downloader.Win32.DlfBfkg.bn 1

C:\WINDOWS\system32\wiwow64.exe Infected: Trojan-Downloader.Win32.DlfBfkg.bn 1

C:\WINDOWS\Temp\tmp0_56585441106.bk.old Infected: Trojan-Downloader.Win32.DlfBfkg.bn 1

The selected area was scanned.

Edited by NFecTE, 30 June 2009 - 03:09 PM.



#2 myrti

Posted 01 July 2009 - 10:41 AM

Hello and welcome to the BleepingComputer.com!

I will be helping you today. :) Please reply to this thread to let me know that you are still in need of help.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.


Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Please give me some time to research your problem and get back to you,

regards _temp_
If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!


Follow BleepingComputer on: Facebook | Twitter | Google+

#3 NFecTE

Posted 02 July 2009 - 09:04 AM

Still in need and I've done nothing since posting here. Thanks for the reply.

#4 NFecTE

Posted 03 July 2009 - 09:44 AM

Ok. I can no longer wait around. temp, I'm sorry, you've been on at least twice since I've replied. Does it normally take this long? I'm sorry if I'm being impatient, but I have no other easy access to a computer, not to mention my job depends on this "piece". Please, I can no longer wait and must either try another forum, more tests etc, or wipe it altogether. I'll try to wait a bit more after this post as I know you're from Germany and the hours are obviously very different.

#5 myrti

Posted 03 July 2009 - 10:43 AM

Hello NFecTE,

please understand that I am still in training.

For your own protection, I may not offer you any advice without it being checked by more experienced helpers first. This can unfortunately lead to slight delays in the responses. But we are working as hard as possible to help you as quickly as possible.

I understand that this may not be fast enough for you, however you will not get faster replies by asking help at another forum. The backlog of unanswered requests for help is around 1-2 weeks at most of the other boards as well.

I will get back to you as soon as possible. If you should decide to reformat your PC before I get back to you, please let me know.

regards _temp_

#6 myrti

Posted 03 July 2009 - 11:17 AM

Heya NFecTE,

sorry for the wait.

Could you please provide the exact paths for the files you listed above? Without a location these names can point to a multitude of different infections. A path would help to narrow it down. :)

We're going to try to resolve your problem with the executable files, in order to get a better idea of what you are infected with.

We'll see if we can fix your file associations.

Please delete the following file again: c:\windows\system32\msalsat.exe

Afterwards go to Start>Run> type in command.com

This should open a DOS window. In that window please type in the following lines. Please make sure each line is exactly as I have written it and hit Enter on your keyboard before starting on a new line.
ftype exefile="%1" %*
ftype scrfile="%1" /s
assoc .exe=exefile
assoc .scr=scrfile

(please note the blank after ftype and after assoc)
Then please type in Exit to exit out.

This should fix your .exe file associations. To check, please type cmd into the window of Start->Run and tell me if a DOS window opened.

Afterwards please run DDS:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
    DDS.scr
    DDS.pif
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results, click no to the Optional_Scan
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.


Information on A/V control HERE

If the first link does not work, please try the second. If both fail, please post back the Hijackthis log you were able to create earlier.

regards _temp_

#7 NFecTE

Posted 04 July 2009 - 10:52 PM

Hello again. Sorry for my earlier impatience. I deleted the msalsat.exe and tried opening the dos box to no avail. With the msalsat deleted, I only get a "Open With" list when trying to start a command line or just about anything else. Any other options?

I'll try to do a search later for the locations of some of those files I listed previously. At least I can search hidden still. Every time you try to change the folder options to view hidden, as soon as you hit OK, the damn bug changes it back. I can only find msalsat by doing a search. lol

One other thing. Did you find anything on msalsat? Anything definitive? I haven't done a search in a few days, but I know I wasn't finding a thing on it before.

#8 myrti

Posted 05 July 2009 - 10:48 AM

Hi,

ok, please try it this way then:
  • Download the following file: UnHookExec.inf
  • Save it to your Desktop.
  • Rightclick the file and select install.
  • Please reboot
Afterwards please run Combofix:
Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Please rename Combofix.exe to open.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on open.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix


If you can not run open.exe after rebooting, please install UnHookExec.inf again and run open.exe without rebooting.

regards _temp_

Edited by _temp_, 05 July 2009 - 10:48 AM.


#9 NFecTE

Posted 06 July 2009 - 08:20 AM

Can't install the first file "UnHookExec.inf". Much like everything else, as soon as I select "Install", an empty dos window quickly flashes up with the same c:\windows\system32\msalsat.exe in the title bar. This, of course, means I cannot go any further with your last post.

#10 myrti

Posted 07 July 2009 - 10:54 AM

Hi NFecTE,

we still have some other possibilities we might try, let's see if the following works:
  • download the attached zip-file: fixexe.zip

  • If you are able to unzip the content, you should find a file fix_exe.vbs.
    If you're unable to unzip, please tell me so and we'll try to get it to you another way.

  • Run the script to restore the registry keys associated with the exe file type by double-clicking it.

  • If the usual msalsat.exe window opens, please tell me so. If it doesn't open please try running an executable.
regards _temp_

Edited by _temp_, 07 July 2009 - 10:57 AM.


#11 myrti

Posted 07 July 2009 - 01:39 PM

If you can't unzip the zip-file please try the following:

(if you did unzip it successfully, but could not run the vbs script, no need to try these steps)


Go to Start > My Computer
Go to Tools > Folder Options
Click on the View tab
Untick the following:
  • Hide extensions for known file types
  • Hide protected operating system files (Recommended)
You will get a message warning you about showing protected operating system files, click Yes
Make sure this option is selected:
  • Show hidden files and folders
Click Apply and then click OK

Afterwards download the attached fix_exe.txt by doing a right-click on it and selecting Save As.
Once you have the file on your Desktop do a right-click on it and select Rename, rename the file to fix_exe.vbs and try to execute it.

Do you get msalsat.exe?

regards _temp_

Edited by _temp_, 07 July 2009 - 01:41 PM.

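The repair above, like the ftype/assoc commands in post #6, rewrites the .exe file-association keys that the infection had pointed at its own launcher. The following Python check is an added example, not part of the thread or of the helper's fix_exe.vbs: it reads a REGEDIT4-style export of those keys (the format regedit's "Win9x/NT4" export and ComboFix's "Reg Loading Points" section use) and reports any value that is not the Windows default, which is how a defender would confirm the repair held after a reboot. The two sample exports are constructed; the hijacked one models the symptom described in the thread, and its launcher path is illustrative.

```python
"""Check an exported copy of the .exe file-association keys for a hijack.

Added example, not from the thread. Reads REGEDIT4 text and compares the
.exe association with the defaults that `ftype exefile="%1" %*` and
`assoc .exe=exefile` restore.
"""
import re

# Defaults for a healthy Windows XP .exe association. The value name "" is
# the key's default value, written as @ in a .reg file.
EXPECTED = {
    r"HKEY_CLASSES_ROOT\.exe": "exefile",
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": '"%1" %*',
}

# A .reg value line: either @=... for the default value or "name"=...
_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s):
    """Undo .reg string escaping (doubled backslashes, escaped quotes)."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """Parse REGEDIT4 text into {key_path: {value_name: data}}.

    Only REG_SZ values are decoded; other types (hex:, dword:) are kept raw,
    which is enough for the association keys this check looks at.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.upper() == "REGEDIT4" or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if current is None or not m:
            continue
        name = "" if m.group(1) == "@" else _unescape(m.group(2))
        data = m.group(3)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def interposed_launcher(command):
    """Return the program a hijacked open command routes "%1" through, if any.

    A healthy command starts with "%1"; a hijacked one names another program
    first, which is why deleting that program leaves Windows asking
    "Open With" for every .exe, as the poster saw.
    """
    m = re.match(r'^"?(.+?\.exe)"?\s+"%1"', command, re.IGNORECASE)
    return m.group(1) if m else None


def check_exe_association(reg_text):
    """Compare the exported keys with EXPECTED; return a list of findings."""
    keys = parse_reg(reg_text)
    findings = []
    for path, expected in EXPECTED.items():
        actual = keys.get(path, {}).get("")
        if actual is None:
            findings.append(f"{path}: default value missing")
        elif actual != expected:
            msg = f"{path}: got {actual!r}, expected {expected!r}"
            launcher = interposed_launcher(actual)
            if launcher:
                msg += f" (interposed launcher: {launcher})"
            findings.append(msg)
    return findings


# Constructed sample: the defaults a clean XP machine exports.
HEALTHY_EXPORT = r'''REGEDIT4

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''

# Constructed sample modelling the thread's symptom: every .exe is routed
# through a launcher first. The launcher path is illustrative only.
HIJACKED_EXPORT = r'''REGEDIT4

[HKEY_CLASSES_ROOT\.exe]
@="exefile"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="c:\\windows\\system32\\msalsat.exe \"%1\" %*"
'''

if __name__ == "__main__":
    for label, export in (("healthy", HEALTHY_EXPORT), ("hijacked", HIJACKED_EXPORT)):
        print(label, check_exe_association(export) or "OK")
```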

#12 NFecTE

Posted 07 July 2009 - 10:27 PM

Holy hell! That worked! I am still able to unzip with right click. I opened and ran the vb script. I was able to run my .exe normally, it seems so far.

I was considering starting from the beginning now, but I'll go ahead and await your suggestions. Thanks again.

Edited by NFecTE, 07 July 2009 - 10:28 PM.


#13 myrti

Posted 08 July 2009 - 06:41 AM

Heya NFecTE,

glad to hear that worked!

Let's try to make some headway:

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Rename the file to open.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on open.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please post back the log in your next reply.

regards _temp_

#14 NFecTE

Posted 08 July 2009 - 11:57 AM

Well, had problems with ComboFix and AVG. No matter what I did, the Resident Shield process would not stop. I finally uninstalled AVG. That took a couple shots but I got it done. I've been unhappy with the new version since I installed it, anyway. Then, ComboFix complained of a missing file in the WINDOWS folder, regedit.exe. I was able to run regedit after the vbs yesterday, so I was a bit taken aback. I checked the folder and found a regedit.com but no .exe. So, I pulled a regedit.exe from my recovery disc I finally found last night and copied it to my WINDOWS folder and that worked.

I present to you my ComboFix log in all its glory. Finally.

(I couldn't remember if I'm only supposed to upload or post it or both. So, I've done both. I can come back later and delete the copy/paste log if you'd like to shorten this thread.)

===================================================================

ComboFix 09-07-07.A9 - Owner 07/08/2009 12:01.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.766.501 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Manson
c:\windows\Install.txt
c:\windows\regedit.com
c:\windows\system32\3361
c:\windows\system32\3361\mlog
c:\windows\system32\certstore.dat
c:\windows\system32\comsa32.sys
c:\windows\system32\FInstall.sys
c:\windows\system32\launcher.exe
c:\windows\system32\msncache.dll
c:\windows\system32\sopidkc.exe
c:\windows\system32\tpszxyd.sys
c:\windows\system32\wiawow32.sys
c:\windows\TEMP\mta64428.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ASPIMGR
-------\Legacy_IAS
-------\Legacy_MSNCACHE
-------\Legacy_OREANS32
-------\Legacy_SOPIDKC
-------\Service_aspimgr
-------\Service_Ias
-------\Service_msncache
-------\Service_oreans32
-------\Service_sopidkc


((((((((((((((((((((((((( Files Created from 2009-06-08 to 2009-07-08 )))))))))))))))))))))))))))))))
.

2009-07-08 15:53 . 2003-07-16 20:43 134144 ----a-w- c:\windows\REGEDIT.EXE
2009-07-08 15:51 . 2009-07-08 15:52 -------- d-s---w- C:\open
2009-07-08 15:51 . 2008-04-14 00:12 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2009-07-08 15:51 . 2001-08-18 02:36 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2009-07-08 15:51 . 2008-04-14 00:12 18944 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
2009-07-08 15:51 . 2001-08-18 02:37 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe
2009-07-08 15:51 . 2001-08-18 02:37 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe
2009-07-08 15:51 . 2001-08-18 02:37 99865 -c--a-w- c:\windows\system32\dllcache\xlog.exe
2009-07-08 15:49 . 2004-08-04 05:29 33599 -c--a-w- c:\windows\system32\dllcache\watv04nt.sys
2009-07-08 15:48 . 2001-08-17 16:14 123995 -c--a-w- c:\windows\system32\dllcache\tjisdn.sys
2009-07-08 15:47 . 2002-08-29 03:59 63547 -c--a-w- c:\windows\system32\dllcache\sla30nd5.sys
2009-07-08 15:46 . 2001-08-18 02:36 86097 -c--a-w- c:\windows\system32\dllcache\reslog32.dll
2009-07-08 15:45 . 2001-08-17 18:05 48000 -c--a-w- c:\windows\system32\dllcache\ovcam2.sys
2009-07-08 15:44 . 2001-08-17 18:00 2944 -c--a-w- c:\windows\system32\dllcache\msmpu401.sys
2009-07-08 15:43 . 2001-08-17 16:11 25065 -c--a-w- c:\windows\system32\dllcache\lmndis3.sys
2009-07-08 15:42 . 2001-08-18 02:36 372824 -c--a-w- c:\windows\system32\dllcache\iconf32.dll
2009-07-08 15:41 . 2001-08-18 02:36 89088 -c--a-w- c:\windows\system32\dllcache\hpgt33.dll
2009-07-08 15:40 . 2001-08-17 17:53 7296 -c--a-w- c:\windows\system32\dllcache\elmsmc.sys
2009-07-08 15:39 . 2001-08-17 16:19 6912 -c--a-w- c:\windows\system32\dllcache\ctlfacem.sys
2009-07-08 15:38 . 2001-08-17 17:51 13824 -c--a-w- c:\windows\system32\dllcache\bulltlp3.sys
2009-07-08 15:37 . 2001-08-17 17:52 12032 -c--a-w- c:\windows\system32\dllcache\amsint.sys
2009-07-08 15:37 . 2001-08-17 16:11 16969 -c--a-w- c:\windows\system32\dllcache\amb8002.sys
2009-07-08 15:37 . 2001-08-17 17:51 5248 -c--a-w- c:\windows\system32\dllcache\aliide.sys
2009-07-08 15:37 . 2001-08-17 17:49 26624 -c--a-w- c:\windows\system32\dllcache\alifir.sys
2009-07-08 15:37 . 2001-08-17 18:07 56960 -c--a-w- c:\windows\system32\dllcache\aic78xx.sys
2009-07-08 15:37 . 2001-08-17 16:11 27678 -c--a-w- c:\windows\system32\dllcache\ali5261.sys
2009-07-08 15:37 . 2001-08-17 18:07 55168 -c--a-w- c:\windows\system32\dllcache\aic78u2.sys
2009-07-08 15:37 . 2001-08-17 17:52 12800 -c--a-w- c:\windows\system32\dllcache\aha154x.sys
2009-07-05 19:43 . 2009-07-05 19:43 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple Computer
2009-06-29 16:38 . 2009-06-29 17:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\Orbit
2009-06-28 23:02 . 2009-06-29 14:29 -------- d-----w- c:\program files\Windows Live Safety Center
2009-06-28 04:39 . 2009-06-28 04:39 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-06-26 21:00 . 2009-06-26 21:00 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-06-26 18:43 . 2009-06-26 18:43 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-06-26 14:24 . 2009-06-26 14:24 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-06-26 14:12 . 2009-06-26 14:12 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-06-26 14:07 . 2009-06-26 14:07 12288 ----a-w- c:\windows\sr5usw46is4jhserthtksrw81.exe
2009-06-25 02:26 . 2009-06-25 02:26 -------- d-----w- c:\documents and settings\Owner\Application Data\Playrix Entertainment
2009-06-25 00:52 . 2009-06-25 01:11 -------- d-----w- c:\program files\Fishdom H2O Hidden Odyssey
2009-06-25 00:52 . 2009-06-25 00:52 -------- d-----w- c:\windows\Fishdom H2O Hidden Odyssey
2009-06-22 07:53 . 2009-06-22 07:53 314200 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-06-22 07:53 . 2009-06-22 07:53 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll
2009-06-22 07:53 . 2009-06-22 07:53 169312 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-06-22 07:53 . 2009-06-22 07:53 348496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2009-06-22 07:53 . 2009-06-22 07:53 296800 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2009-06-22 07:53 . 2009-06-22 07:53 1630048 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-06-22 07:53 . 2009-06-22 07:53 72704 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\AAWDriverTool.exe
2009-06-22 07:53 . 2009-06-22 07:53 640360 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-06-22 07:53 . 2009-06-22 07:53 561016 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-06-22 07:53 . 2009-06-22 07:53 565096 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-06-22 07:52 . 2009-06-22 07:52 2349384 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-06-22 07:52 . 2009-06-22 07:52 627536 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWWSC.exe
2009-06-22 07:52 . 2009-06-22 07:52 518488 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-06-22 07:52 . 2009-06-22 07:52 1003344 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-06-17 00:47 . 2009-06-17 00:47 -------- d-----w- c:\documents and settings\Owner\Application Data\Total Eclipse
2009-06-12 21:24 . 2007-10-23 13:27 110592 ----a-w- c:\documents and settings\Owner\Application Data\U3\temp\cleanup.exe
2009-06-12 20:48 . 2008-05-02 14:41 3493888 ---ha-w- c:\documents and settings\Owner\Application Data\U3\temp\Launchpad Removal.exe
2009-06-11 21:46 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-06-11 21:46 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-08 15:02 . 2008-07-27 03:28 -------- d-----w- c:\documents and settings\Owner\Application Data\Orbit
2009-07-07 20:52 . 2006-11-19 21:38 -------- d-----w- c:\documents and settings\Owner\Application Data\uTorrent
2009-06-30 16:02 . 2009-02-11 22:12 -------- d-----w- c:\program files\mkv2vob
2009-06-20 02:42 . 2007-08-31 23:34 -------- d-----w- c:\program files\Ancient Tripeaks II
2009-06-12 21:24 . 2009-02-22 00:53 -------- d-----w- c:\documents and settings\Owner\Application Data\U3
2009-06-12 20:10 . 2006-10-11 22:40 -------- d-----w- c:\documents and settings\All Users\Application Data\WildTangent
2009-06-10 02:27 . 2008-07-17 21:12 -------- d-----w- c:\program files\Broadcom
2009-06-10 01:42 . 2005-07-02 19:08 -------- d-----w- c:\program files\Lavasoft
2009-06-10 01:42 . 2005-07-02 19:08 -------- d-----w- c:\documents and settings\Owner\Application Data\Lavasoft
2009-06-08 07:56 . 2009-06-08 07:56 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-06-08 07:56 . 2009-04-27 08:52 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-06-08 07:55 . 2009-06-08 07:55 83808 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2009-06-08 07:55 . 2009-06-08 07:55 212848 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-06-08 07:55 . 2009-06-08 07:55 40288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-06-02 04:02 . 2009-06-02 04:02 -------- d-----w- c:\program files\Isotope244 Graphics
2009-05-28 21:30 . 2008-01-31 22:40 -------- d-----w- c:\program files\TCPOptimizer
2009-05-28 20:16 . 2009-05-28 20:15 139031 ----a-w- c:\program files\14458-utorrent.1d4b.dmp
2009-05-26 06:22 . 2009-05-22 02:55 -------- d-----w- c:\program files\HighGrow
2009-05-21 23:43 . 2006-12-22 07:28 43520 -c--a-w- c:\windows\system32\CmdLineExt03.dll
2009-05-13 05:15 . 2005-04-27 15:54 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-07 15:32 . 2003-07-16 20:32 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-27 07:54 . 2009-04-27 07:54 64160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys
2009-04-17 12:26 . 2003-07-16 20:51 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2005-06-29 07:43 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-03-01 01:09 . 2009-03-01 01:09 572928 ----a-w- c:\program files\hfs.exe
2009-02-09 22:10 . 2006-11-19 21:34 270128 -c--a-w- c:\program files\utorrent.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-14 169984]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0pgdfgsvc C 1\0lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegClean Expert Scheduler

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"StarWindService"=2 (0x2)
"ServiceLayer"=3 (0x3)
"IDriverT"=3 (0x3)
"Adobe LM Service"=3 (0x3)
"LBTServ"=3 (0x3)
"aspimgr"=2 (0x2)
"Lavasoft Ad-Aware Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9420:TCP"= 9420:TCP:RSP
"48208:TCP"= 48208:TCP:*:Disabled:SolidNetworkManager
"48208:UDP"= 48208:UDP:*:Disabled:SolidNetworkManager
"2789:TCP"= 2789:TCP:*:Disabled:SolidNetworkManager
"2789:UDP"= 2789:UDP:*:Disabled:SolidNetworkManager

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R2 SVKP;SVKP;c:\windows\system32\SVKP.sys [5/8/2006 12:34 AM 2368]
S3 AvFlt;Antivirus Filter Driver;c:\windows\system32\drivers\av5flt.sys --> c:\windows\system32\drivers\av5flt.sys [?]
S3 ComFiltr;Panda Anti-Dialer;\??\c:\windows\system32\DRIVERS\COMFiltr.sys --> c:\windows\system32\DRIVERS\COMFiltr.sys [?]
S3 dump_wmimmc;dump_wmimmc;\??\c:\nexon\Mabinogi\GameGuard\dump_wmimmc.sys --> c:\nexon\Mabinogi\GameGuard\dump_wmimmc.sys [?]
S3 jgameenp;jgameenp;\??\c:\docume~1\Owner\LOCALS~1\Temp\jgameenp.sys --> c:\docume~1\Owner\LOCALS~1\Temp\jgameenp.sys [?]
S3 MayPro;TigerGame SuperJoy Box Pro Filter Service;c:\windows\system32\drivers\Maypro.sys [9/11/2005 8:12 PM 11776]
S3 pcidisk;pcidisk;\??\c:\windows\system32\pcidisk.sys --> c:\windows\system32\pcidisk.sys [?]
S3 usb2vcom;DKU-5 Connectivity Adapter Cable;c:\windows\system32\drivers\usb2vcom.sys [11/3/2006 3:37 AM 28704]
S3 XDva020;XDva020;\??\c:\windows\system32\XDva020.sys --> c:\windows\system32\XDva020.sys [?]
S3 XDva030;XDva030;\??\c:\windows\system32\XDva030.sys --> c:\windows\system32\XDva030.sys [?]
S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 3:06 PM 1003344]
S4 sr5usw46is4jhserthtksrw80;sr5usw46is4jhserthtksrw80;c:\windows\sr5usw46is4jhserthtksrw81.exe [6/26/2009 10:07 AM 12288]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-06-29 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 07:53]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-08 12:08
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(812)
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(1772)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 6\PCSCM.dll
c:\program files\Nokia\Nokia PC Suite 6\Lang\PhoneBrowser_eng-us.nlr
c:\program files\Nokia\Nokia PC Suite 6\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-07-08 12:14 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-08 16:14

Pre-Run: 22,962,679,808 bytes free
Post-Run: 23,955,529,728 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

245 --- E O F --- 2009-06-11 21:56


#15 myrti

  • Malware Study Hall Admin
  • 33,680 posts

Posted 09 July 2009 - 06:25 AM

Hi NFecTE,

I actually prefer it when you paste the logs into your answer right away. No need to attach them. :thumbup2: Thanks for asking. :)

Please try to always run an antivirus program on your system. If you have trouble disabling the resident shield please have a look at this thread: temporarily disabling your antivirus program

Do you know the following two files? Did you drop them in C:\program files?

c:\program files\hfs.exe
c:\program files\utorrent.exe


C:\program files should not contain any files and most files found in there are actually dropped by malware, which is why I'm asking.

You seem to be using peer-to-peer or file-sharing programs (in your case uTorrent). These programmes allow users to share files, as the name suggests. In today's world cyber crime has grown to an enormous dimension and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with intense care. Some further readings on this subject, along with the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."
This is why I would like to ask you to refrain from using any of these programs until we have finished cleaning your PC.

There is still some malware left on your PC; please do the following:

Please open notepad and copy/paste the text in the quotebox below into it:

Driver::
sr5usw46is4jhserthtksrw80
jgameenp

Collect::
c:\docume~1\Owner\LOCALS~1\Temp\jgameenp.sys
c:\windows\sr5usw46is4jhserthtksrw81.exe

Save this as CFScript.txt


[Image: CFScript.txt dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
Afterwards run the following two scans to give us a better look at what might still be on your PC:
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
In your next reply please post the logs from Combofix, gmer and both logs from OTL. How is your PC doing now?

regards _temp_
If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help requests via PM, unless I am already helping you. Use the forums!
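The reply above does its triage by eye: two executables sitting directly in c:\program files (where, as myrti notes, no loose files belong), a driver loading out of a Temp directory, and a service with a random-looking name whose binary lives in the Windows root. As an added illustration (example code written for this page, not part of the thread, of ComboFix or of any BleepingComputer tool), here is a small Python reader for ComboFix-style log lines that applies those same indicators automatically. The sample lines are constructed to mirror the layout of the log posted above, and the three rules (Program Files root, Temp path, digit-heavy name) are heuristics chosen for the example, not ComboFix's own logic.

```python
"""Triage reader for ComboFix-style log lines (added example, not ComboFix code).

It parses two kinds of lines from a pasted log, the file-list entries
("2009-03-01 01:09 . 2009-03-01 01:09 572928 ----a-w- c:\\...") and the
service/driver entries ("S4 name;display;path [date size]"), and flags the
indicators the helper in this thread keyed on. The rules are heuristics
chosen for this example: they prompt a closer look, they do not convict.
"""
import re
from typing import List, Tuple

# Constructed sample: lines laid out the way ComboFix prints them.
SAMPLE_LOG = r"""
2009-05-28 21:30 . 2008-01-31 22:40 -------- d-----w- c:\program files\TCPOptimizer
2009-05-28 20:16 . 2009-05-28 20:15 139031 ----a-w- c:\program files\14458-utorrent.1d4b.dmp
2009-03-01 01:09 . 2009-03-01 01:09 572928 ----a-w- c:\program files\hfs.exe
2009-04-15 14:51 . 2005-06-29 07:43 585216 ----a-w- c:\windows\system32\rpcrt4.dll
R2 SVKP;SVKP;c:\windows\system32\SVKP.sys [5/8/2006 12:34 AM 2368]
S3 jgameenp;jgameenp;\??\c:\docume~1\Owner\LOCALS~1\Temp\jgameenp.sys --> c:\docume~1\Owner\LOCALS~1\Temp\jgameenp.sys [?]
S3 MayPro;TigerGame SuperJoy Box Pro Filter Service;c:\windows\system32\drivers\Maypro.sys [9/11/2005 8:12 PM 11776]
S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 3:06 PM 1003344]
S4 sr5usw46is4jhserthtksrw80;sr5usw46is4jhserthtksrw80;c:\windows\sr5usw46is4jhserthtksrw81.exe [6/26/2009 10:07 AM 12288]
"""

# "<created> . <modified> <size|--------> <attrs> <path>"
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
    r"(?P<size>\S+) (?P<attrs>\S+) (?P<path>.+)$"
)
# "<start type> <name>;<display name>;<path> [<date> <size>]"  or  "... --> <path> [?]"
SERVICE_RE = re.compile(r"^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")


def service_binary(rest: str) -> Tuple[str, bool]:
    """Return (binary path, file_missing) from the tail of a service line.

    ComboFix echoes "path --> path [?]" when it could not find the file;
    the "[?]" replaces the usual "[date size]" stamp.
    """
    missing = rest.rstrip().endswith("[?]")
    path = rest.split(" --> ")[0]
    path = re.sub(r"\s*\[[^\]]*\]\s*$", "", path)  # drop "[date size]"
    if path.startswith("\\??\\"):                 # NT object-manager prefix
        path = path[4:]
    return path, missing


def looks_random(name: str) -> bool:
    """Heuristic (example's own): long names with three or more separate digit groups."""
    return len(name) >= 12 and len(re.findall(r"\d+", name)) >= 3


def in_temp_dir(path: str) -> bool:
    return "\\temp\\" in path.lower()


def directly_under(root: str, path: str) -> bool:
    """True when path has exactly one component below root, i.e. a file in root itself."""
    return re.match(r"^" + re.escape(root.lower()) + r"\\[^\\]+$", path.lower()) is not None


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (path, reason) pairs for entries worth a second look."""
    findings: List[Tuple[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = FILE_RE.match(line)
        if m:
            # Directory entries carry a 'd' attribute; only plain files sitting
            # in the Program Files root are the concern raised in the thread.
            if not m.group("attrs").startswith("d") and directly_under("c:\\program files", m.group("path")):
                findings.append((m.group("path"), "file directly under c:\\program files"))
            continue
        m = SERVICE_RE.match(line)
        if not m:
            continue
        name = m.group("name")
        path, _missing = service_binary(m.group("rest"))
        if in_temp_dir(path):
            findings.append((path, f"service '{name}' loads its driver from a Temp directory"))
        if looks_random(name):
            findings.append((path, f"service '{name}' has a random-looking name"))
        if directly_under("c:\\windows", path):
            findings.append((path, f"service '{name}' binary sits in the Windows root, not system32"))
    return findings


if __name__ == "__main__":
    for path, reason in triage(SAMPLE_LOG):
        print(f"{path}\n    {reason}")
```

Run against the sample it reports the two loose files under c:\program files, the jgameenp driver in the Temp folder, and the sr5usw... service twice (random name, binary in the Windows root); the Lavasoft, SVKP and MayPro entries pass. A hit is a prompt to ask the question myrti asks ("do you know these files?"), not a verdict, which is why the script changes nothing on disk.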





