
UAC infection (post-System Security remnant)


  • This topic is locked
7 replies to this topic

#1 Dead CPU Walking

Dead CPU Walking

  • Members
  • 5 posts
  • OFFLINE
  • Local time:03:40 AM

Posted 09 July 2009 - 10:52 PM

I picked up the System Security infection from a website yesterday, stupidly cruising around without AVG enabled. I managed to remove most of it (I think), thanks to the great tools out there, but the UAC rootkit keeps returning. I have used Malwarebytes Anti-Malware, RootRepeal, and GMER to isolate and delete portions of it, but it returns on reboot. It doesn't seem to do much at the moment but reinstall itself, so I don't have any overt symptoms to report. It continues to reappear in Malwarebytes scans though, and I'd still love to get it off there (and any fragments of System Security that might have lingered).

Here are the logs I generated, following on from your instruction thread. I greatly appreciate your help and am grateful there are people like yourselves who dedicate themselves to these good works. Please let me know if I can provide further info, and thank you so much!

--------------------------------------------------------------------------------

DDS (Ver_09-06-26.01) - NTFSx86
Run by Howard Kistler at 23:39:33.81 on Thu 07/09/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.573 [GMT -4:00]

AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated) {804FD2B8-FFA4-00EB-0D24-347CA8A3377C}
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Outdated) {00000000-0000-0000-0000-000000000000}
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated) {804FD0EC-FFA4-00D9-0D24-347CA8A3377C}
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated) {804FD2B8-FFA4-00FC-0D24-347CA8A3377C}
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated) {804FD2B8-FFA4-00D9-0D24-347CA8A3377C}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\Explorer.EXE
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programs\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Programs\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Programs\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Maxtor\Retrospect\retrorun.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\Drivers\WTSRV.EXE
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\Subversion\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\WService.EXE
C:\Programs\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Howard Kistler\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Programs\NETGEAR\WG111T\wlan111t.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Howard Kistler\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Flashget Catch Url Class: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - c:\programs\flashget\jccatch.dll
BHO: {348FE907-249E-4C65-A838-F34A193FE1D1} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: gFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - c:\programs\flashget\getflash.dll
TB: FlashGet: {e0e899ab-f487-11d5-8d29-0050ba6940e3} - c:\programs\flashget\fgiebar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SansaDispatch] c:\documents and settings\howard kistler\application data\sandisk\sansa updater\SansaDispatch.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [MXO Auto Loader] c:\windows\MXOALDR.EXE
mRun: [EPSON PictureMate] c:\windows\system32\spool\drivers\w32x86\3\E_S4I2P1.EXE /P17 "EPSON PictureMate" /O6 "USB001" /M "PictureMate"
mRun: [InCD] c:\program files\ahead\incd\InCD.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [WService] WService.EXE
mRun: [avgnt] "c:\programs\avira\antivir desktop\avgnt.exe" /min
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\docume~1\howard~1\startm~1\programs\startup\netgea~1.lnk - c:\programs\netgear\wg111t\wlan111t.EXE
uPolicies-explorer: NoSMHelp = 01000000
uPolicies-explorer: NoActiveDesktop = 01000000
uPolicies-explorer: NoSMMyPictures = 01000000
IE: &Download All with FlashGet - c:\programs\flashget\jc_all.htm
IE: &Download with FlashGet - c:\programs\flashget\jc_link.htm
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\programs\flashget\flashget.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1116258182518
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1169084296572
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: {9B931409-C8CC-427C-BBED-E4F425A44883} = 66.92.159.2,216.231.41.2
TCP: {DF01FE22-E75B-4411-BE83-099E6A5E0E98} = 66.92.159.2,216.231.41.2
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: c:\docume~1\howard~1\locals~1\temp\690739421833mxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\howard~1\applic~1\mozilla\firefox\profiles\ozpphfn9.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: keyword.URL -
FF - prefs.js: keyword.enabled - false
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPSFDMGR.dll
FF - plugin: c:\programs\realalternative\browser\plugins\nppl3260.dll
FF - plugin: c:\programs\realalternative\browser\plugins\nprpjplug.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [2004-11-19 77312]
R1 avgio;avgio;c:\programs\avira\antivir desktop\avgio.sys [2009-7-8 11608]
R1 SSHDRV79;SSHDRV79;c:\windows\system32\drivers\SSHDRV79.sys [2005-6-26 75264]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\vcd\VCdRom.sys [2001-12-19 8576]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\programs\avira\antivir desktop\sched.exe [2009-7-8 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\programs\avira\antivir desktop\avguard.exe [2009-7-8 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-7-8 55640]
R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2006-8-11 17149]
S3 ATHFMWDL;NETGEAR WG111T bootloader driver;c:\windows\system32\drivers\Athfmwdl.sys [2006-8-11 43392]
S3 GETNDIS;VIA Networking Velocity Family Giga-bit Ethernet Adapter Driver;c:\windows\system32\drivers\getnd5b.sys [2004-11-19 44032]
S3 MADWARE;MadPlayer driver (2000, Xp);c:\windows\system32\drivers\madmidi.sys [2003-4-8 22210]
S3 MayPro;TigerGame SuperJoy Box Pro Filter Service;c:\windows\system32\drivers\Maypro.sys [2008-11-27 12160]
S3 PRSUSB;Sony Reader;c:\windows\system32\drivers\PRSUSB.sys [2006-8-16 18944]

=============== Created Last 30 ================

2009-07-08 20:37 55,640 a------- c:\windows\system32\drivers\avgntflt.sys
2009-07-08 20:37 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-07-08 19:53 <DIR> --d----- c:\docume~1\howard~1\applic~1\Malwarebytes
2009-07-08 19:53 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-08 19:53 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-08 19:53 <DIR> --d----- c:\program files\Malwarebytes Anti-Malware
2009-07-08 19:53 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-05 11:47 <DIR> --d----- C:\Downloads

==================== Find3M ====================

2009-07-08 20:00 744 ----h--- c:\windows\fonts\mlog
2009-05-17 15:24 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-07 11:44 344,064 a------- c:\windows\system32\localspl.dll
2009-04-29 00:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-29 00:55 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-17 05:58 1,846,656 a------- c:\windows\system32\win32k.sys
2009-04-15 11:26 583,168 a------- c:\windows\system32\rpcrt4.dll
2003-06-20 03:05 138,288 a------- c:\windows\inf\usbport.sys
2003-06-20 03:05 49,776 a------- c:\windows\inf\usbhub20.sys
2003-06-20 03:05 24,752 a------- c:\windows\inf\hidclass.sys
2003-06-20 03:05 20,688 a------- c:\windows\inf\usbd.sys
2003-06-20 03:05 19,728 a------- c:\windows\inf\usbehci.sys
2001-09-03 12:21 309,453 a--sh--- c:\windows\rsx.exe
2006-05-03 06:06 163,328 ---shr-- c:\windows\system32\flvDX.dll
2008-02-10 10:19 7,520 a--sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 23:40:01.23 ===============


Edited by Dead CPU Walking, 09 July 2009 - 10:55 PM.



#2 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:03:40 PM

Posted 10 July 2009 - 03:29 AM

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..

Please download ComboFix by sUBs from HERE or HERE or HERE and save it to your Desktop.

During the download, rename Combofix to Combo-Fix as follows:



It is important you rename Combofix during the download, but not after.

**NOTE: If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".

After that, double-click and run Combo-Fix. Let it finish its job and post the log here

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 Dead CPU Walking

Dead CPU Walking
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:03:40 AM

Posted 10 July 2009 - 04:46 PM

Thank you for the quick response! I have run Combofix according to the instructions. On starting it the first time it reported that Avira Classic was running. I couldn't disable Avira enough to get the message to stop, so I uninstalled it (I reinstalled it when Combofix was done). Even uninstalled, Combofix reported it as present, so I think it might have detected an old installation that somehow hadn't been completely cleaned from the system.

Here is the log from the run. I have also run Malwarebytes (no problems found) and RootRepeal (it reports some SSDT changes and a couple suspiciously named drivers with hidden code). Let me know if you want me to send more about what RootRepeal has found.

-------------------------------------------------------------------------------------

ComboFix 09-07-09.08 - Howard Kistler 07/10/2009 17:23.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.667 [GMT -4:00]
Running from: c:\documents and settings\Howard Kistler\Desktop\Combo-Fix.exe
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Outdated) {00000000-0000-0000-0000-000000000000}
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated) {804FD0EC-FFA4-00D9-0D24-347CA8A3377C}
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated) {804FD2B8-FFA4-00D9-0D24-347CA8A3377C}
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated) {804FD2B8-FFA4-00EB-0D24-347CA8A3377C}
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated) {804FD2B8-FFA4-00FC-0D24-347CA8A3377C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\97423116.ini
c:\documents and settings\Howard Kistler\Application Data\.#
c:\windows\Install.txt
c:\windows\irc.txt
c:\windows\system32\wservice.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_PCMSTUB


((((((((((((((((((((((((( Files Created from 2009-06-10 to 2009-07-10 )))))))))))))))))))))))))))))))
.

2009-07-09 00:37 . 2009-03-24 20:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-07-08 23:53 . 2009-07-08 23:53 -------- d-----w- c:\documents and settings\Howard Kistler\Application Data\Malwarebytes
2009-07-08 23:53 . 2009-06-17 15:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-08 23:53 . 2009-07-08 23:53 -------- d-----w- c:\program files\Malwarebytes Anti-Malware
2009-07-08 23:53 . 2009-07-08 23:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-08 23:53 . 2009-06-17 15:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-05 15:47 . 2009-07-05 15:51 -------- d-----w- C:\Downloads

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-10 21:28 . 2005-06-03 14:05 -------- d-----w- c:\documents and settings\Howard Kistler\Application Data\TSVNCache
2009-07-10 21:17 . 2008-02-13 00:50 168864 ----a-w- c:\documents and settings\Howard Kistler\Application Data\Mozilla\Firefox\Profiles\ozpphfn9.default\FlashGot.exe
2009-07-10 20:48 . 2005-05-16 16:17 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-07-09 00:00 . 2009-07-08 23:40 744 ---h--w- c:\windows\Fonts\mlog
2009-07-03 17:41 . 2007-10-14 14:35 -------- d-----w- c:\documents and settings\Howard Kistler\Application Data\FileZilla
2009-06-10 01:00 . 2009-01-20 12:52 541696 ----a-w- c:\documents and settings\Howard Kistler\Application Data\SanDisk\Sansa Updater\SansaUpdater.exe
2009-06-10 00:48 . 2009-01-20 12:52 79872 ----a-w- c:\documents and settings\Howard Kistler\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
2009-06-10 00:38 . 2004-11-19 16:18 176192 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-31 18:22 . 2009-01-01 19:46 1 ----a-w- c:\documents and settings\Howard Kistler\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-05-19 16:48 . 2009-05-19 16:48 18 ----a-w- c:\windows\smrtpnd32.dat
2009-05-17 19:24 . 2009-05-17 19:24 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-17 19:23 . 2005-05-16 20:34 -------- d-----w- c:\program files\Java
2009-05-07 15:44 . 2004-11-19 11:17 344064 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2004-11-19 11:17 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-11-19 11:17 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 09:58 . 2004-11-19 11:17 1846656 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 15:26 . 2004-11-19 11:17 583168 ----a-w- c:\windows\system32\rpcrt4.dll
2005-09-15 22:26 . 2005-05-16 16:16 44153 ----a-w- c:\program files\mozilla firefox\components\inspector.dll
2001-09-03 16:21 . 2001-09-03 16:21 309453 --sha-w- c:\windows\rsx.exe
2006-05-03 10:06 . 2007-01-26 21:53 163328 --sh--r- c:\windows\system32\flvDX.dll
2008-02-10 14:19 . 2006-12-16 17:24 7520 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"SansaDispatch"="c:\documents and settings\Howard Kistler\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe" [2009-06-10 79872]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MXO Auto Loader"="c:\windows\MXOALDR.EXE" [2003-04-07 118784]
"EPSON PictureMate"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2P1.EXE" [2003-09-19 99840]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2006-03-23 1398272]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-17 148888]

c:\documents and settings\Howard Kistler\Start Menu\Programs\Startup\
NETGEAR WG111T Smart Wizard.lnk - c:\programs\NETGEAR\WG111T\wlan111t.EXE [2006-8-11 483412]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 01000000
"NoSMMyPictures"= 01000000

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Poser 4\\Poser.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Jamagic\\Help\\Clickhelp.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Programs\\ULTRAEDIT\\uedit32.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programs\\FlashGet\\flashget.exe"=
"c:\\Programs\\Pidgin\\pidgin.exe"=
"c:\\Program Files\\Corel\\Corel Graphics 11\\Programs\\CorelPP.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6881:TCP"= 6881:TCP:FlashGet

R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [11/19/2004 7:17 AM 77312]
R1 SSHDRV79;SSHDRV79;c:\windows\system32\drivers\SSHDRV79.sys [6/26/2005 12:27 AM 75264]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\VCD\VCdRom.sys [12/19/2001 12:45 PM 8576]
R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [8/11/2006 7:27 PM 17149]
S3 ATHFMWDL;NETGEAR WG111T bootloader driver;c:\windows\system32\drivers\Athfmwdl.sys [8/11/2006 7:27 PM 43392]
S3 GETNDIS;VIA Networking Velocity Family Giga-bit Ethernet Adapter Driver;c:\windows\system32\drivers\getnd5b.sys [11/19/2004 7:18 AM 44032]
S3 MADWARE;MadPlayer driver (2000, Xp);c:\windows\system32\drivers\madmidi.sys [4/8/2003 4:09 PM 22210]
S3 MayPro;TigerGame SuperJoy Box Pro Filter Service;c:\windows\system32\drivers\Maypro.sys [11/27/2008 4:09 PM 12160]
S3 PRSUSB;Sony Reader;c:\windows\system32\drivers\PRSUSB.sys [8/16/2006 7:43 PM 18944]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-WService - WService.EXE


.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: &Download All with FlashGet - c:\programs\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\programs\FlashGet\jc_link.htm
TCP: {9B931409-C8CC-427C-BBED-E4F425A44883} = 66.92.159.2,216.231.41.2
TCP: {DF01FE22-E75B-4411-BE83-099E6A5E0E98} = 66.92.159.2,216.231.41.2
FF - ProfilePath - c:\documents and settings\Howard Kistler\Application Data\Mozilla\Firefox\Profiles\ozpphfn9.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: keyword.URL -
FF - prefs.js: keyword.enabled - false
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPSFDMGR.dll
FF - plugin: c:\programs\RealAlternative\browser\plugins\nppl3260.dll
FF - plugin: c:\programs\RealAlternative\browser\plugins\nprpjplug.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-10 17:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1123561945-2147115177-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(712)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3732)
c:\program files\Subversion\TortoiseSVN\bin\tortoisesvn.dll
c:\program files\Subversion\TortoiseSVN\bin\libdb43.dll
c:\program files\Subversion\TortoiseSVN\bin\intl3_svn.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Ahead\InCD\InCDsrv.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\programs\CDBurnerXP\NMSAccessU.exe
c:\windows\system32\PSIService.exe
c:\program files\Maxtor\Retrospect\retrorun.exe
c:\windows\system32\drivers\WtSrv.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Subversion\TortoiseSVN\bin\TSVNCache.exe
.
**************************************************************************
.
Completion time: 2009-07-10 17:30 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-10 21:30

Pre-Run: 14,785,949,696 bytes free
Post-Run: 14,720,036,864 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

221 --- E O F --- 2009-06-28 02:20

#4 Dead CPU Walking

Dead CPU Walking
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:03:40 AM

Posted 10 July 2009 - 07:08 PM

Sorry to post again, but I wanted to provide these screenshots from RootRepeal. This is the item I have not been able to get rid of. It reinstalls the SSDT hooks shown in the first screenshot every time I reboot. In addition, it creates two fake drivers with gibberish names. These drivers do not exist at the location shown in RootRepeal, or if they do, nothing will reveal them (including a search using the attrib command, or RootRepeal itself). They are recreated with new names on each reboot. The first driver screen shows the fake driver that always has a long name composed of letters and numbers, and so far it always begins with "a". The second driver screen shows the other fake driver, whose name is always four letters long, begins with "s", and has no path defined. I think the first driver is more involved, as it is the one that also appears in the Hidden Code list (last image).

I hope this information helps, and thank you once more!


#5 Dead CPU Walking

Dead CPU Walking
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:03:40 AM

Posted 10 July 2009 - 11:12 PM

Me again. I just found this thread, which addresses the exact problem I mentioned in the previous post:

http://www.bleepingcomputer.com/forums/t/203985/avg-antirootkit-keeps-finding-renamed-sys-file-after-every-reboot/

So it's not a virus at all, it's DaemonTools. Yay! Sounds like my system is probably clean. Please do let me know if you see anything in the Combofix log that looks like a remaining problem, and otherwise thanks again for sparing your time to help me out. It is much appreciated!

#6 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:03:40 PM

Posted 11 July 2009 - 12:08 AM

Yup.. That's not a rootkit.. Just some kind of CD Emulator or Daemon Tools drivers..

Let's do some cleanup...


Please download OTC by OldTimer and save it to Desktop.
  • Make sure you have internet connection..
  • Double-click OTC
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes


Please read these excellent articles written by my friends:
Preventing Malware and Safe Computing by Rorschach112
What makes your machine slow? by Artellos


Also, please read these excellent articles by miekiemoes :
Help! My computer is slow!
How to prevent Malware


Read this great info about safe internet surfing..

http://www.pcpitstop.com/spycheck/safesurfing.asp
http://bluefive.pair.com/practice_safe_surfing.htm




Please reply to this thread once more and tell us about the computer behaviour before we can close this thread :thumbup2:



Have a safe and happy computing day!


Regards
fenzodahl512

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#7 Dead CPU Walking

Dead CPU Walking
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:03:40 AM

Posted 11 July 2009 - 03:03 PM

Run and done, all looks good now. I've deleted Daemon Tools and the first funky hidden driver is gone, though the SSDT hooks and the four-letter-name hidden driver remain. I'm going to hunt down a way to fully purge that from the system. But everything else seems to be running great. By the way, is there a sticky thread for "common false positives" like the one I had with Daemon Tools? That could be a cool thing to have for folks like me who confuse them with actual viruses.

Anyway, thanks again for guiding me through this process, it was a big help and I'm a happy guy now! :thumbup2:

EDIT: Finally got sptd.sys and all its attendant processes removed after another round of battle. Had to purge remnants of StarForce and SecuROM crapware as well from my systems to get a clean bill of health from RootRepeal, but in the end it was worth it. My system is finally my own again. Now to encase it in concrete and never install another program. :)

Edited by Dead CPU Walking, 11 July 2009 - 04:42 PM.
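A defender-side check for the situation described in the posts above (a CD-emulation driver such as SPTD showing up as a hidden, randomly named driver with no file at its path, and the later effort to confirm sptd.sys is really gone). This is an added example, not code from the thread, from RootRepeal or from any other tool named here. It assumes PowerShell 5.1 or later with CIM access, and it assumes the SPTD kernel service is registered under the service name `sptd`, which is general knowledge rather than something the thread states.

```powershell
# Added example: look for leftover SPTD driver remnants and list kernel
# drivers whose binary cannot be found on disk, which is the pattern the
# thread describes (entry present, no file at the reported path).
# Assumptions: PowerShell 5.1+, run from an elevated prompt, and the SPTD
# service name 'sptd' (general knowledge, not taken from the thread).

function Get-SptdRemnants {
    $results = @()

    # SPTD registers as a kernel-mode service; its key survives an
    # incomplete uninstall of Daemon Tools / Alcohol-style CD emulators.
    $svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\sptd'
    if (Test-Path $svcKey) {
        $results += [pscustomobject]@{ Kind = 'RegistryKey'; Item = $svcKey }
    }

    # The driver binary itself lives in the drivers directory.
    $drvFile = Join-Path $env:SystemRoot 'System32\drivers\sptd.sys'
    if (Test-Path $drvFile) {
        $results += [pscustomobject]@{ Kind = 'DriverFile'; Item = $drvFile }
    }

    return $results
}

function ConvertTo-Win32Path {
    # Driver paths in the service database use NT-style prefixes that
    # Test-Path does not understand; normalise them before checking.
    param([string]$PathName)
    if (-not $PathName) { return $null }
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    $p = $p -replace '^System32\\', ($env:SystemRoot + '\System32\')
    return $p
}

function Get-PathlessDrivers {
    # Kernel drivers the OS knows about whose binary is missing or whose
    # entry carries no path at all. Review the output by hand: a hidden
    # CD-emulation driver is one benign cause, a rootkit is another.
    Get-CimInstance Win32_SystemDriver | ForEach-Object {
        $resolved = ConvertTo-Win32Path $_.PathName
        if (-not $resolved -or -not (Test-Path $resolved)) {
            [pscustomobject]@{
                Name      = $_.Name
                State     = $_.State
                StartMode = $_.StartMode
                PathName  = $_.PathName
            }
        }
    }
}

Get-SptdRemnants    | Format-Table -AutoSize
Get-PathlessDrivers | Format-Table -AutoSize
```

If `Get-SptdRemnants` returns nothing and the pathless-driver list is empty, the SPTD cleanup the thread ends with has taken. Entries that remain in the second list need manual review; the thread's own rule of thumb, that a randomly renamed driver reappearing on every reboot points at a CD emulator rather than malware, only holds once the emulator has actually been confirmed installed.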


#8 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:03:40 PM

Posted 12 July 2009 - 02:05 AM

You are very welcome, I'm glad that we could help.

I will now close this topic. If you need this topic to be re-opened, please pm me or Moderators regarding the matter..

If you have any new malware related questions or issues in the future please start a new topic.

Cheers and Happy Computing!

fenzodahl512

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive




