Skynet.exe and Trojan infection


33 replies to this topic

#1 niels103

Posted 05 August 2009 - 10:03 AM

Dear all,

For 2 weeks now I have had a virus/worm on my computer. A friend whose knowledge about computers is a bit more advanced told me it's a Skynet.exe virus/worm.

Problems started when I inserted my USB memory stick into my system. Since that moment the virus has transformed all my folders into .exe 'folders', which allowed me to open the folder once. After that all folders disappeared, and in my Explorer menu the button 'show hidden folders' also disappeared.
The virus takes over the folder name as a .exe file, with 'Microsoft Corporation' shown below the folder name.

In a scan with Avira Antivir some problems arose: explore.exe and svhost.exe

Can anyone help me to solve this problem? I want my folders, and especially my documents, back.

Hoping for a quick reply; I will be at my computer for the next couple of hours.

Niels

Here's my DDS file:


DDS (Ver_09-07-30.01) - NTFSx86
Run by Niels at 17:00:58,73 on wo 05-08-2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.31.1043.18.2046.1657 [GMT 2:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Niels\Bureaublad\dds.scr

============== Pseudo HJT Report ===============

mWinlogon: Shell=c:\windows\explorer.exe "c:\windows\system32\Explorer.exe"
mWinlogon: Userinit=c:\windows\system32\userinit.exe, "c:\documents and settings\niels\application data\Explore.exe"
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [HitmanPro35] "c:\program files\hitman pro 3.5\HitmanPro35[1].exe" /scan:boot
mRunOnce: [Uninstall Adobe Download Manager] "c:\program files\nos\bin\getPlus_HelperSvc.exe" /UninstallGet1noarp
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
uExplorerRun: [WinNT] c:\documents and settings\niels\application data\microsoft\WinNT.com
mExplorerRun: [Graphics] c:\windows\_default .pif
uPolicies-explorer: NoFolderOptions = 1 (0x1)
mPolicies-explorer: NoFolderOptions = 1 (0x1)
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-7-30 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-7-30 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-7-30 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-7-30 55640]
S3 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2009-8-3 66056]

=============== Created Last 30 ================

2009-07-31 03:11 <DIR> --d----- c:\windows\system32\CatRoot_bak
2009-07-31 03:10 272,640 -c------ c:\windows\system32\dllcache\bthport.sys
2009-07-31 03:10 272,640 -------- c:\windows\system32\drivers\bthport.sys
2009-07-31 03:00 <DIR> --d----- c:\windows\system32\PreInstall
2009-07-31 03:00 26,488 a------- c:\windows\system32\spupdsvc.exe
2009-07-30 23:36 3,072 a------- c:\windows\system32\drivers\audstub.sys
2009-07-30 23:35 21,504 a------- c:\windows\system32\hidserv.dll
2009-07-30 23:35 57,856 a------- c:\windows\system32\drivers\redbook.sys
2009-07-30 23:34 76,288 ac------ c:\windows\system32\dllcache\usbui.dll
2009-07-30 23:34 76,288 a------- c:\windows\system32\usbui.dll
2009-07-30 23:33 <DIR> --d----- c:\program files\common files\ODBC
2009-07-30 23:33 <DIR> --d----- c:\program files\common files\SpeechEngines
2009-07-30 23:32 11,264 ac------ c:\windows\system32\dllcache\irenum.sys
2009-07-30 23:32 <DIR> --d-h--- c:\documents and settings\all users\Sjablonen
2009-07-30 23:32 <DIR> --d--r-- c:\documents and settings\all users\Menu Start
2009-07-30 23:32 <DIR> --d--r-- c:\documents and settings\all users\Documenten
2009-07-30 23:32 <DIR> --d----- c:\documents and settings\all users\Favorieten
2009-07-30 23:32 <DIR> --d----- c:\documents and settings\all users\Bureaublad
2009-07-30 23:31 261 a------- c:\windows\system32\$winnt$.inf
2009-07-30 22:54 <DIR> --d----- c:\program files\Hitman Pro 3.5
2009-07-30 22:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Hitman Pro
2009-07-30 22:49 <DIR> --d----- c:\program files\common files\ParetoLogic
2009-07-30 22:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ParetoLogic
2009-07-30 22:26 <DIR> --d----- c:\program files\Avira
2009-07-30 22:26 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-07-30 22:18 <DIR> --d----- c:\program files\SigmaTel
2009-07-30 22:14 <DIR> --d----- c:\program files\ATI Technologies
2009-07-30 22:01 <DIR> --d----- c:\program files\Dell
2009-07-30 21:57 <DIR> --d-hr-- c:\documents and settings\niels\Onlangs geopend
2009-07-30 21:57 <DIR> --d-h--- c:\documents and settings\niels\Sjablonen
2009-07-30 21:57 <DIR> --d-h--- c:\documents and settings\niels\Netwerkprinteromgeving
2009-07-30 21:57 <DIR> --d--r-- c:\documents and settings\niels\Mijn documenten
2009-07-30 21:57 <DIR> --d--r-- c:\documents and settings\niels\Menu Start
2009-07-30 21:57 <DIR> --d--r-- c:\documents and settings\niels\Favorieten
2009-07-30 21:57 <DIR> --d----- c:\documents and settings\niels\Bureaublad
2009-07-30 21:41 <DIR> --dsh--- c:\documents and settings\all users\DRM
2009-07-30 21:41 <DIR> --d-h--- c:\program files\WindowsUpdate
2009-07-30 21:41 <DIR> --d----- c:\program files\Online Services
2009-07-30 21:40 <DIR> --d----- c:\program files\common files\MSSoap
2009-07-30 21:38 <DIR> --d----- c:\program files\Messenger
2009-07-30 21:38 <DIR> --d----- c:\program files\MSN Gaming Zone
2009-07-30 21:38 <DIR> --d----- c:\program files\Windows NT

==================== Find3M ====================

2009-08-01 12:45 364,330 a------- c:\windows\system32\perfh013.dat
2009-08-01 12:45 53,418 a------- c:\windows\system32\perfc013.dat
2009-08-01 03:09 11,904 a------- c:\windows\system32\drivers\hitmanpro35.sys
2009-07-31 21:59 77,423 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-07-30 21:39 21,748 a------- c:\windows\system32\emptyregdb.dat
2009-06-26 18:20 662,528 a------- c:\windows\system32\wininet.dll
2009-06-26 18:20 81,920 a------- c:\windows\system32\ieencode.dll
2009-06-16 16:55 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 16:55 82,432 a------- c:\windows\system32\fontsub.dll
2009-06-03 21:27 1,294,848 a------- c:\windows\system32\quartz.dll
2009-05-07 17:44 345,600 a------- c:\windows\system32\localspl.dll

============= FINISH: 17:01:08,02 ===============
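
An added example, not part of the thread and not a DDS feature: a Python script that reads the persistence lines of the "Pseudo HJT Report" above and flags what a helper looks for by eye. The log already shows the pattern. Winlogon's Shell and Userinit values each carry a second, quoted program after the legitimate one (an Explorer.exe in system32 instead of c:\windows, and an Explore.exe in Application Data), so Winlogon starts the malware at every logon. The Explorer\Run keys launch a .com file from Application Data and a .pif whose name has a space before the extension, and both NoFolderOptions policies are set, which is why the "show hidden folders" option vanished. The sample lines are copied from the posted log; the line format assumed and the heuristics (user-writable paths, launcher extensions, the Explorer\Run key) are my choices for this example.

```python
import re
from typing import List, Tuple

# Sample input: the persistence-related lines copied from the DDS
# "Pseudo HJT Report" posted above, embedded so the script runs offline.
SAMPLE_DDS = r"""
mWinlogon: Shell=c:\windows\explorer.exe "c:\windows\system32\Explorer.exe"
mWinlogon: Userinit=c:\windows\system32\userinit.exe, "c:\documents and settings\niels\application data\Explore.exe"
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
uExplorerRun: [WinNT] c:\documents and settings\niels\application data\microsoft\WinNT.com
mExplorerRun: [Graphics] c:\windows\_default .pif
uPolicies-explorer: NoFolderOptions = 1 (0x1)
mPolicies-explorer: NoFolderOptions = 1 (0x1)
"""

# What Winlogon should launch first; anything after it is an extra program.
EXPECTED_FIRST = {"Shell": "explorer.exe", "Userinit": "userinit.exe"}
# Extensions that run as programs but that installers rarely register.
LAUNCHER_EXTS = (".com", ".pif", ".scr", ".bat", ".cmd")
# Directories a limited XP user can write to (lower-case substrings; my list).
USER_WRITABLE = ("\\application data\\", "\\local settings\\", "\\temp\\")

_WINLOGON = re.compile(r"^[um]Winlogon: (Shell|Userinit)=(.*)$")
_AUTORUN = re.compile(r"^[umd]?(Run|RunOnce|ExplorerRun): \[[^\]]*\] (.*)$")
_POLICY = re.compile(r"^[um]Policies-explorer: NoFolderOptions = (\d+)")
_TOKEN = re.compile(r'"([^"]+)"|([^\s,"]+)')
_PROGRAM = re.compile(r"^(.*?\.(?:exe|com|pif|scr|bat|cmd))(?:\s|$)", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def split_launch_list(value: str) -> List[str]:
    """Winlogon's Shell/Userinit values are comma-separated lists; DDS quotes
    paths that contain spaces. Malware appends its own path after the real one."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(value)]


def program_path(value: str) -> str:
    """First program in a Run value: the quoted part, else everything up to the
    first executable extension (so 'c:\\windows\\_default .pif' keeps its space)."""
    value = value.strip()
    if value.startswith('"'):
        return value[1:value.index('"', 1)]
    match = _PROGRAM.match(value)
    return match.group(1) if match else value.split()[0]


def triage(dds_text: str) -> List[Tuple[str, str]]:
    """Return (log line, reason) pairs for every autostart entry worth a look."""
    findings = []
    for line in dds_text.splitlines():
        line = line.strip()
        if m := _WINLOGON.match(line):
            key, programs = m.group(1), split_launch_list(m.group(2))
            if not programs or basename(programs[0]) != EXPECTED_FIRST[key]:
                findings.append((line, f"Winlogon {key} no longer starts {EXPECTED_FIRST[key]} first"))
            for extra in programs[1:]:
                findings.append((line, f"Winlogon {key} also launches {extra}"))
        elif m := _AUTORUN.match(line):
            key, path = m.group(1), program_path(m.group(2))
            low = path.lower()
            if key == "ExplorerRun":
                findings.append((line, f"Explorer\\Run policy key used, which installers rarely do: {path}"))
            if low.endswith(LAUNCHER_EXTS):
                findings.append((line, f"non-.exe launcher extension: {path}"))
            if any(d in low for d in USER_WRITABLE):
                findings.append((line, f"runs from a user-writable directory: {path}"))
            if basename(path).rsplit(".", 1)[0].endswith(" "):
                findings.append((line, f"space before the extension hides the real type: {path}"))
        elif (m := _POLICY.match(line)) and m.group(1) != "0":
            findings.append((line, "Folder Options menu hidden by policy (NoFolderOptions=1)"))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_DDS):
        print(f"{reason}\n    <- {line}")
```

The two Winlogon findings are the ones that matter most for cleanup order: if the appended Explore.exe / system32\Explorer.exe entries are removed before the files, nothing relaunches the dropper at the next logon; if the files are deleted first, Winlogon reports that it "could not find .../explore.exe" at every start, which is exactly the notice reported later in this thread.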

#2 SifuMike (malware expert)

Posted 14 August 2009 - 01:05 PM

Hello niels103,

Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans.
This can make helping you impossible.


You may have a file infector.

*****************

We need to check for rootkits with RootRepeal:
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive.
  • Open RootRepeal.exe on your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes.
  • Push Ok.
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.
*****************

Download Security Check by screen317 from here or here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt.
Please post the contents of that document.

*****************

Please download Malwarebytes' Anti-Malware from one of these places:
http://download.cnet.com/Malwarebytes-Anti...&tag=button
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/mbam/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Full Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire MBAM report (even if it does not find anything) in your next reply
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

*****************

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires Java Runtime Environment (JRE) to be installed before scanning for malware, as ActiveX is no longer being used.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Open the Kaspersky WebScanner page.
  • Click on the Accept button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the Accept button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the Settings... button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the OK button, if you made any changes.
  • Now under the Scan section on the left, select My Computer.
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report.
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type change the type to Text file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post even if it finds nothing.
You can refer to this animation by sundavis if needed.

#3 niels103 (Topic Starter)

Posted 17 August 2009 - 01:42 PM

Hey SifuMike,

I scanned my system as you told me, with my USB memory stick in my system. Once, my antivirus program (Avira Antivir) popped up while performing the MBAM scan. It found about 25 trojans --> TR/Crypt.CFI.Gen. I disabled my antivirus program and performed the scan once more. It didn't find the trojans that Antivir did find.

ADDITIONAL INFORMATION: Every time I start my computer it gives a notice that it could not find ..../explore.exe
The basic problem is still that I can't make my folders visible.

Hope you can help me soon, I will make a donation to your account.


Here my output of the scans,

ROOTREPEAL

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/17 18:16
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB8037000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBADDC000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB54BA000 Size: 49152 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xbaf6a606

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xbaf6a5fc

#: 063 Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0xbaf6a60b

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0xbaf6a615

#: 098 Function Name: NtLoadKey
Status: Hooked by "<unknown>" at address 0xbaf6a61a

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xbaf6a5e8

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xbaf6a5ed

#: 193 Function Name: NtReplaceKey
Status: Hooked by "<unknown>" at address 0xbaf6a624

#: 204 Function Name: NtRestoreKey
Status: Hooked by "<unknown>" at address 0xbaf6a61f

#: 247 Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0xbaf6a610

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0xbaf6a5f7

==EOF==

SECURITY CHECK

Results of screen317's Security Check version 0.98.8
Windows XP Service Pack 2
Out of date service pack!!
``````````````````````````````
Antivirus/Firewall Check:

Avira AntiVir Personal - Free Antivirus


Avira updated!
``````````````````````````````
Anti-malware/Other Utilities Check:

Adobe Flash Player 10
``````````````````````````````
Process Check:
objlist.exe by Laurent

Avira Antivir avgnt.exe
Avira Antivir avguard.exe


``````````````````````````````
DNS Vulnerability Check:

GREAT! (Very random)

`````````End of Log```````````


MBAM

Malwarebytes' Anti-Malware 1.40
Database version: 2641
Windows 5.1.2600 Service Pack 2

17-8-2009 19:11:33
mbam-log-2009-08-17 (19-11-33).txt

Scan type: Full Scan (C:\|D:\|J:\|)
Objects scanned: 122723
Time elapsed: 15 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


KASPERSKY

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Monday, August 17, 2009
Operating system: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Monday, August 17, 2009 19:17:48
Records in database: 2641960
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan statistics:
Objects scanned: 46481
Threats found: 0
Infected objects found: 0
Suspicious objects found: 0
Scan duration: 00:53:15

No threats found. Scanned area is clean.

Selected area has been scanned.

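
An added example, not from the thread: the RootRepeal log above reports eleven SSDT hooks "by <unknown>", which only means RootRepeal could not map the handler addresses to a module in its driver list. The script below parses the Drivers and SSDT sections, attempts the attribution by address range (none of the three drivers listed covers 0xbaf6a5e8, which is why the owner is unknown), and then clusters the unattributed handlers. All eleven land within 60 bytes of each other at 5-byte steps, i.e. one table of 5-byte jmp stubs inside a single driver, not eleven separate hookers. Process, thread and registry-key functions are a set that host security products of that era commonly hooked for self-protection, but which driver owns these hooks cannot be read from this log; a full kernel module list with base and size would settle it. The sample text is copied from the posted log; the parsing and the clustering gap are my choices.

```python
import re
from functools import reduce
from math import gcd
from typing import Dict, List, Optional, Tuple

# Sample input: the Drivers and SSDT sections of the RootRepeal log posted
# above, embedded so the script runs offline.
SAMPLE_ROOTREPEAL = r"""
Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB8037000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBADDC000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB54BA000 Size: 49152 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xbaf6a606

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xbaf6a5fc

#: 063 Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0xbaf6a60b

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0xbaf6a615

#: 098 Function Name: NtLoadKey
Status: Hooked by "<unknown>" at address 0xbaf6a61a

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xbaf6a5e8

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xbaf6a5ed

#: 193 Function Name: NtReplaceKey
Status: Hooked by "<unknown>" at address 0xbaf6a624

#: 204 Function Name: NtRestoreKey
Status: Hooked by "<unknown>" at address 0xbaf6a61f

#: 247 Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0xbaf6a610

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0xbaf6a5f7
"""

_DRIVER = re.compile(r"Name: (\S+)\nImage Path: [^\n]*\nAddress: (0x[0-9A-Fa-f]+) Size: (\d+)")
_HOOK = re.compile(r'#: (\d+) Function Name: (\w+)\nStatus: Hooked by "([^"]*)" at address (0x[0-9A-Fa-f]+)')

Driver = Tuple[str, int, int]      # name, load base, image size
Hook = Tuple[int, str, str, int]   # SSDT index, function, owner as reported, handler address


def parse_drivers(text: str) -> List[Driver]:
    return [(name, int(base, 16), int(size)) for name, base, size in _DRIVER.findall(text)]


def parse_hooks(text: str) -> List[Hook]:
    return [(int(i), fn, owner, int(addr, 16)) for i, fn, owner, addr in _HOOK.findall(text)]


def owning_driver(addr: int, drivers: List[Driver]) -> Optional[str]:
    """Name of the listed driver whose image range contains addr, if any."""
    for name, base, size in drivers:
        if base <= addr < base + size:
            return name
    return None


def cluster(addrs: List[int], gap: int = 0x1000) -> List[Tuple[int, int, int]]:
    """Group sorted addresses that lie less than `gap` bytes apart: handlers
    packed into one page almost certainly belong to one module."""
    groups: List[List[int]] = []
    for a in sorted(addrs):
        if groups and a - groups[-1][-1] < gap:
            groups[-1].append(a)
        else:
            groups.append([a])
    return [(g[0], g[-1], len(g)) for g in groups]


def analyse(text: str) -> Dict[str, object]:
    drivers, hooks = parse_drivers(text), parse_hooks(text)
    attributed = {fn: owning_driver(addr, drivers) for _, fn, _, addr in hooks}
    unknown = sorted(addr for _, fn, _, addr in hooks if attributed[fn] is None)
    diffs = [b - a for a, b in zip(unknown, unknown[1:])]
    return {
        "drivers": len(drivers),
        "hooks": len(hooks),
        "attributed": {fn: drv for fn, drv in attributed.items() if drv},
        "clusters": cluster(unknown),
        "stride_bytes": reduce(gcd, diffs) if diffs else 0,  # 5 = size of a jmp rel32 stub
    }


if __name__ == "__main__":
    r = analyse(SAMPLE_ROOTREPEAL)
    print(f"{r['hooks']} hooks, {len(r['attributed'])} mapped to the {r['drivers']} drivers listed")
    for lo, hi, n in r["clusters"]:
        print(f"unattributed cluster: {n} handlers in {lo:#x}-{hi:#x} ({hi - lo} bytes), stride {r['stride_bytes']}")
```

The clustering gap of one page is a heuristic: a rootkit that scattered its handlers across several modules would defeat it, but a tight cluster at a fixed stride is strong evidence of one module with a dispatch table, which is the question a helper wants answered before deciding whether the hooks need removal at all.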
#4 SifuMike (malware expert)

Posted 17 August 2009 - 05:59 PM

Hi niels103,

Once my antivirus program (Avira Antivir) popped up while performing the MBAM scan. It found about 25 trojans --> TR/Crypt.CFI.Gen. I disabled my antivirusprogram and performed the scan once more


If it was MBAM that found the trojans, I want to see the MBAM scan log.
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire MBAM report (even if it does not find anything) in your next reply

**************************

We will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer.
Further, ComboFix logs are not permitted outside the HijackThis forums and then only when requested by a HJT Team member.

You need to disable your Avira AntiVir Antivirus before running ComboFix, as it will prevent it from running.

To disable Avira Antivirus:
Please navigate to the system tray on the bottom right hand corner and look for an open white umbrella on a red background.
  • Right-click it, then untick the option AntiVir Guard enable.
  • You should now see a closed white umbrella on a red background.
You have successfully disabled the AntiVir Guard.

Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.
Post the log from ComboFix in your next reply.

A caution - ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you -- please tell me.
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Edited by SifuMike, 18 August 2009 - 01:41 PM.


#5 niels103 (Topic Starter)

Posted 18 August 2009 - 01:06 PM

Hey SifuMike,

I did the ComboFix scan, with Avira and Windows firewall turned off.

It was Avira that found the trojan, not the MBAM.

Here the log of ComboFix, hope you can help me!!!

Greetz

ComboFix 09-08-10.06 - Niels 18-08-2009 19:59.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.31.1043.18.2046.1698 [GMT 2:00]
Started from: c:\documents and settings\Niels\Bureaublad\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

(((((((((((((((((((( Files Created from 2009-07-18 to 2009-08-18 ))))))))))))))))))))))))))))))
.

2009-08-17 17:16 . 2009-08-17 17:16 -------- d-----w- c:\windows\Sun
2009-08-17 17:15 . 2009-08-17 17:15 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-17 17:15 . 2009-08-17 17:15 -------- d-----w- c:\program files\Java
2009-08-17 17:14 . 2009-08-17 17:14 152576 ----a-w- c:\documents and settings\Niels\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-17 16:24 . 2009-08-17 16:24 -------- d-----w- c:\documents and settings\Niels\Application Data\Malwarebytes
2009-08-17 16:24 . 2009-08-03 11:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-17 16:24 . 2009-08-17 16:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-17 16:24 . 2009-08-17 16:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-17 16:24 . 2009-08-03 11:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-17 16:15 . 2009-08-17 16:15 0 ----a-w- c:\documents and settings\Niels\settings.dat
2009-08-14 01:00 . 2009-08-14 01:00 -------- d-----w- c:\windows\ServicePackFiles
2009-08-06 07:01 . 2009-08-06 07:01 -------- d-s---w- c:\documents and settings\Niels\UserData
2009-08-02 22:29 . 2009-08-02 22:29 1962544 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
2009-08-02 22:28 . 2009-08-06 20:10 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-08-02 22:28 . 2009-08-06 20:10 -------- d-----w- c:\program files\NOS
2009-07-31 01:11 . 2009-07-31 01:17 -------- d-----w- c:\windows\system32\CatRoot_bak
2009-07-31 01:10 . 2008-06-14 18:00 272640 -c----w- c:\windows\system32\dllcache\bthport.sys
2009-07-31 01:10 . 2008-06-14 18:00 272640 ------w- c:\windows\system32\drivers\bthport.sys
2009-07-31 01:09 . 2008-10-24 11:10 453632 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2009-07-31 01:09 . 2009-02-09 11:45 2067328 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-07-31 01:09 . 2009-02-09 11:45 2025472 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-07-31 01:09 . 2009-02-09 11:45 2190464 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-07-31 01:09 . 2009-02-09 11:45 2147328 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-07-31 01:00 . 2007-07-27 08:41 26488 ----a-w- c:\windows\system32\spupdsvc.exe

.
((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-18 17:56 . 2009-07-30 20:49 13104 ----a-w- c:\documents and settings\Niels\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-17 16:12 . 2009-07-30 20:54 11904 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2009-08-05 20:28 . 2009-07-30 20:26 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-08-05 09:07 . 2004-08-04 10:00 205312 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-01 10:45 . 2004-08-04 10:00 53418 ----a-w- c:\windows\system32\perfc013.dat
2009-08-01 10:45 . 2004-08-04 10:00 364330 ----a-w- c:\windows\system32\perfh013.dat
2009-07-31 19:59 . 2009-07-30 19:41 77423 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-07-30 21:08 . 2009-07-30 20:49 -------- d-----w- c:\program files\Common Files\ParetoLogic
2009-07-30 21:08 . 2009-07-30 20:49 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2009-07-30 20:55 . 2009-07-30 20:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2009-07-30 20:54 . 2009-07-30 20:54 -------- d-----w- c:\program files\Hitman Pro 3.5
2009-07-30 20:26 . 2009-07-30 20:26 -------- d-----w- c:\program files\Avira
2009-07-30 20:26 . 2009-07-30 20:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-07-30 20:18 . 2009-07-30 20:18 -------- d-----w- c:\program files\SigmaTel
2009-07-30 20:18 . 2009-07-30 20:14 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-30 20:18 . 2009-07-30 20:00 -------- d-----w- c:\program files\Common Files\InstallShield
2009-07-30 20:14 . 2009-07-30 20:14 -------- d-----w- c:\program files\ATI Technologies
2009-07-30 20:03 . 2009-07-30 20:03 -------- d-----w- c:\program files\Intel
2009-07-30 20:01 . 2009-07-30 20:01 -------- d-----w- c:\program files\Dell
2009-07-30 19:42 . 2009-07-30 19:42 -------- d-----w- c:\program files\microsoft frontpage
2009-07-30 19:39 . 2009-07-30 19:39 21748 ----a-w- c:\windows\system32\emptyregdb.dat
2009-07-17 19:01 . 2004-08-04 10:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 00:18 . 2004-08-04 10:00 233472 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-26 16:20 . 2006-03-04 03:35 662528 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 16:20 . 2004-08-04 10:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-06-16 14:55 . 2004-08-04 10:00 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:55 . 2004-08-04 10:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-15 11:33 . 2004-08-04 10:00 79872 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:26 . 2004-08-04 10:00 85504 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:32 . 2004-08-04 10:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-05 07:55 . 2009-07-30 19:38 655872 ----a-w- c:\windows\system32\mstscax.dll
2009-06-03 19:27 . 2004-08-04 10:00 1294848 ----a-w- c:\windows\system32\quartz.dll
.

((((((((((((((((((((((((((((((((((((( Reg Startup Points )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-29 339968]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-17 149280]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-03-22 339968]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [30-7-2009 22:26 108289]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - HTTPFILTER
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

HKLM-Explorer_Run-Graphics - c:\windows\_default .pif
HKCU-Explorer_Run-WinNT - c:\documents and settings\Niels\Application Data\Microsoft\WinNT.com


.
------- Supplementary Scan -------
.
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-18 20:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2208)
c:\windows\system32\msi.dll
.
Completion time: 2009-08-18 20:01
ComboFix-quarantined-files.txt 2009-08-18 18:01

Pre-Run: 13.276.143.616 bytes free
Post-Run: 13.955.260.416 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-NLD.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

143 --- E O F --- 2009-08-14 01:01
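
An added example, not from the thread and not the Flash Disinfector tool: a Python clean-up for the USB-stick behaviour described in the first post, where every folder is hidden and shadowed by an executable of the same name, and the stick carries an autorun.inf so that inserting it restarts the worm on the next machine. It finds the decoy executables by the rule "file stem equals a sibling directory name", moves them to a quarantine folder under a non-executable name, resets the hidden/system attributes of the shadowed folders on Windows (the equivalent of attrib -h -s), and replaces autorun.inf with an empty directory of the same name so a file cannot be written back under that name. The sample stick layout is constructed here for the demo; the folder names and the quarantine location are my assumptions. Run it against a real drive only after taking a copy, and note that it deliberately leaves executables with no matching folder alone.

```python
import ctypes
import os
import shutil
import sys
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

EXEC_EXTS = {".exe", ".com", ".pif", ".scr"}
FILE_ATTRIBUTE_HIDDEN, FILE_ATTRIBUTE_SYSTEM = 0x2, 0x4


def find_folder_impersonators(root: Path) -> List[Path]:
    """Executables whose stem equals the name of a sibling directory
    ('Documenten.exe' beside a hidden 'Documenten'): the worm's folder decoys."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirs = {d.lower() for d in dirnames}
        for name in filenames:
            p = Path(dirpath) / name
            if p.suffix.lower() in EXEC_EXTS and p.stem.lower() in dirs:
                hits.append(p)
    return hits


def unhide(path: Path) -> None:
    """Same effect as 'attrib -h -s'; the attributes exist only on Windows,
    so this is a no-op elsewhere."""
    if sys.platform != "win32":
        return
    k32 = ctypes.windll.kernel32
    k32.GetFileAttributesW.restype = ctypes.c_uint32
    attrs = k32.GetFileAttributesW(str(path))
    if attrs != 0xFFFFFFFF:  # INVALID_FILE_ATTRIBUTES
        k32.SetFileAttributesW(str(path), attrs & ~(FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM))


def neutralise_autorun(root: Path) -> bool:
    """Delete a root autorun.inf file and leave a directory of the same name
    behind: autorun only honours a file, and a file cannot be created while a
    directory holds the name. Returns True if a file was removed."""
    target = root / "autorun.inf"
    removed = False
    if target.is_file():
        target.unlink()
        removed = True
    if not target.exists():
        target.mkdir()
    return removed


def clean_drive(root: Path, quarantine: Path) -> Tuple[List[Path], bool]:
    """Quarantine the decoy executables (renamed so they cannot be double-
    clicked back into life), unhide the folders they shadowed, and neutralise
    autorun.inf. `quarantine` must lie outside `root`."""
    quarantine.mkdir(parents=True, exist_ok=True)
    moved: List[Path] = []
    for exe in find_folder_impersonators(root):
        unhide(exe.with_suffix(""))  # the real folder carries the exe's name
        shutil.move(str(exe), str(quarantine / f"{len(moved):03d}_{exe.name}.quarantined"))
        moved.append(exe)
    return moved, neutralise_autorun(root)


def build_sample_stick(base: Path) -> Path:
    """Constructed sample (not from the thread): a fake USB root laid out the
    way the first post describes, two shadowed folders plus an autorun.inf."""
    stick = base / "stick"
    for name in ("Documenten", "Muziek"):
        (stick / name).mkdir(parents=True)
        (stick / name / "note.txt").write_text("user data that must survive")
        (stick / f"{name}.exe").write_bytes(b"MZ fake worm body")
    (stick / "autorun.inf").write_text("[autorun]\nopen=Documenten.exe\n")
    (stick / "setup.exe").write_bytes(b"MZ unrelated program")  # no sibling folder: left alone
    return stick


def run_demo() -> Dict[str, object]:
    with tempfile.TemporaryDirectory() as tmp:
        stick = build_sample_stick(Path(tmp))
        moved, autorun_removed = clean_drive(stick, Path(tmp) / "quarantine")
        return {
            "quarantined": sorted(p.name for p in moved),
            "autorun_removed": autorun_removed,
            "placeholder_is_dir": (stick / "autorun.inf").is_dir(),
            "setup_left": (stick / "setup.exe").is_file(),
            "data_intact": (stick / "Documenten" / "note.txt").is_file(),
            "remaining": len(find_folder_impersonators(stick)),
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Quarantining rather than deleting keeps a sample for the helper to look at, and the stem-equals-directory rule catches the decoys without a signature, which matters here because three scanners in this thread reported nothing while Avira alone flagged the files.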

#6 SifuMike (malware expert)

Posted 18 August 2009 - 01:45 PM

Hi Niels,

I don't see any Skynet rootkit on this computer.

You need to disable your Avira AntiVir Antivirus before running ComboFix, as it will prevent it from running.

To disable Avira Antivirus:  
Please navigate to the system tray on the bottom right hand corner and look for an open white umbrella on red background (looks to this: Posted Image )
  • right click it-> untick the option AntiVir Guard enable.
  • You should now see a closed, white umbrella on a red background (looks to this: Posted Image )
You successfully disabled the AntiVir Guard.



Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

Registry:: 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply

****************

Your system is infected with a Flash Drive infector

Warning: Any flash / jump drives you have connected to this system since your infection have been compromised by a flash drive infector.
We are going to run a tool as part of the following fix which will disinfect your machine, as well as clean any flash drives connected to the system.
It is advised you connect any flash drives that have been connected to this machine during this time frame to this system for the following fix, in order to disinfect them.

Please let the owners of other machines to which you have connected any flash media or drives know that their machines may now be infected.

We need to remove the Flash Drive infector


What will Flash Disinfector Do
- Clean up junk created by flash malware
- Deletes autorun.inf from every root folder
- Fix damage done to your system
- Creates an autorun.inf folder in the root of your system drives


Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.

The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone.

Please do so and allow the utility to clean up those drives as well.
Wait until it has finished scanning and then exit the program.
Reboot your computer when done.

Note: Flash_Disinfector will create a hidden file named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.

Edited by SifuMike, 18 August 2009 - 01:46 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!


Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
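What the Flash_Disinfector step above comes down to, written out as an added example for this thread (this is not sUBs' tool and not code from any of the posts): on a drive root, check whether autorun.inf is a file (what a flash drive infector drops) or a folder (the protective placeholder the post describes), list which [autorun] entries a file of that kind would launch, and create the placeholder folder only when nothing of that name exists yet. The temporary directories stand in for drive roots and the sample autorun.inf text and its file names are constructed placeholders, not values from this thread.

```python
"""Triage and protect a drive root against an autorun.inf-based flash drive infector.

Added example for this thread; not Flash_Disinfector and not code from the posts.
Temporary directories stand in for drive roots; SAMPLE_AUTORUN is constructed.
"""
import os
import tempfile
from typing import Dict

AUTORUN = "autorun.inf"


def autorun_status(root: str) -> str:
    """Return 'absent', 'folder' (protective placeholder) or 'file' (suspicious)."""
    path = os.path.join(root, AUTORUN)
    if os.path.isdir(path):
        return "folder"
    if os.path.lexists(path):
        return "file"
    return "absent"


def summarize_autorun(text: str) -> Dict[str, str]:
    """Collect key=value entries of the [autorun] section; keys are lower-cased.

    Anything outside [autorun], or not of the form key=value, is skipped rather than
    rejected, so a padded or partly garbled file still yields its entries.
    """
    entries: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries: Dict[str, str]) -> Dict[str, str]:
    """Keep only entries that make Windows run something: open, shellexecute
    and shell\\<verb>\\command. Cosmetic keys such as icon/label are dropped."""
    return {k: v for k, v in entries.items()
            if k in ("open", "shellexecute")
            or (k.startswith("shell\\") and k.endswith("\\command"))}


def protect_root(root: str) -> bool:
    """Create the protective 'autorun.inf' folder.

    Returns True if it was created, False if anything named autorun.inf already
    exists: a file there is an indicator to deal with first, not to overwrite.
    """
    path = os.path.join(root, AUTORUN)
    if os.path.lexists(path):
        return False
    os.mkdir(path)
    return True


# Constructed sample of the kind of file an infector leaves in a drive root.
# The executable names are placeholders, not anything from this thread.
SAMPLE_AUTORUN = """\
[autorun]
; junk line an infector might add
open=RECYCLER\\placeholder_dropper.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
shell\\open\\command=RECYCLER\\placeholder_dropper.exe
shell\\explore\\command=RECYCLER\\placeholder_dropper.exe
[other]
open=ignored.exe
"""


def demo() -> Dict[str, object]:
    """Run the checks on a clean and an 'infected' temporary root; return what each saw."""
    results: Dict[str, object] = {}
    with tempfile.TemporaryDirectory() as clean_root:
        results["clean_before"] = autorun_status(clean_root)
        results["clean_protected"] = protect_root(clean_root)
        results["clean_after"] = autorun_status(clean_root)
        results["clean_protect_again"] = protect_root(clean_root)
    with tempfile.TemporaryDirectory() as infected_root:
        with open(os.path.join(infected_root, AUTORUN), "w") as fh:
            fh.write(SAMPLE_AUTORUN)
        results["infected_status"] = autorun_status(infected_root)
        results["infected_protect"] = protect_root(infected_root)
        with open(os.path.join(infected_root, AUTORUN)) as fh:
            results["infected_targets"] = launch_targets(summarize_autorun(fh.read()))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real stick you would point autorun_status and protect_root at the drive root (for example "E:\\") instead of a temporary directory; the file attributes (hidden/system) that such a dropped autorun.inf usually carries are not checked here, only its presence and contents.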

#7 niels103

niels103
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Netherlands
  • Local time:04:19 PM

Posted 18 August 2009 - 03:34 PM

Hey SifuMike,

I did the ComboFix again, with your new registry line.

Followed by the Flash Disinfector (this took only 10 sec), and I could not find a hidden file on the memory stick.

I still can't see my folder, other than that, everything seems to work normally.

Here is the ComboFix log

ComboFix 09-08-10.06 - Niels 18-08-2009 22:16.2.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.31.1043.18.2046.1690 [GMT 2:00]
Gestart vanuit: c:\documents and settings\Niels\Bureaublad\ComboFix.exe
gebruikte Opdracht switches :: c:\documents and settings\Niels\Bureaublad\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

(((((((((((((((((((( Bestanden Gemaakt van 2009-07-18 to 2009-08-18 ))))))))))))))))))))))))))))))
.

2009-08-17 17:16 . 2009-08-17 17:16 -------- d-----w- c:\windows\Sun
2009-08-17 17:15 . 2009-08-17 17:15 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-17 17:15 . 2009-08-17 17:15 -------- d-----w- c:\program files\Java
2009-08-17 17:14 . 2009-08-17 17:14 152576 ----a-w- c:\documents and settings\Niels\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-17 16:24 . 2009-08-17 16:24 -------- d-----w- c:\documents and settings\Niels\Application Data\Malwarebytes
2009-08-17 16:24 . 2009-08-03 11:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-17 16:24 . 2009-08-17 16:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-17 16:24 . 2009-08-17 16:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-17 16:24 . 2009-08-03 11:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-17 16:15 . 2009-08-17 16:15 0 ----a-w- c:\documents and settings\Niels\settings.dat
2009-08-14 01:00 . 2009-08-14 01:00 -------- d-----w- c:\windows\ServicePackFiles
2009-08-06 07:01 . 2009-08-06 07:01 -------- d-s---w- c:\documents and settings\Niels\UserData
2009-08-02 22:29 . 2009-08-02 22:29 1962544 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
2009-08-02 22:28 . 2009-08-06 20:10 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-08-02 22:28 . 2009-08-06 20:10 -------- d-----w- c:\program files\NOS
2009-07-31 01:11 . 2009-07-31 01:17 -------- d-----w- c:\windows\system32\CatRoot_bak
2009-07-31 01:10 . 2008-06-14 18:00 272640 -c----w- c:\windows\system32\dllcache\bthport.sys
2009-07-31 01:10 . 2008-06-14 18:00 272640 ------w- c:\windows\system32\drivers\bthport.sys
2009-07-31 01:09 . 2008-10-24 11:10 453632 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2009-07-31 01:09 . 2009-02-09 11:45 2067328 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-07-31 01:09 . 2009-02-09 11:45 2025472 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-07-31 01:09 . 2009-02-09 11:45 2190464 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-07-31 01:09 . 2009-02-09 11:45 2147328 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-07-31 01:00 . 2007-07-27 08:41 26488 ----a-w- c:\windows\system32\spupdsvc.exe

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-18 17:56 . 2009-07-30 20:49 13104 ----a-w- c:\documents and settings\Niels\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-17 16:12 . 2009-07-30 20:54 11904 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2009-08-05 20:28 . 2009-07-30 20:26 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-08-05 09:07 . 2004-08-04 10:00 205312 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-01 10:45 . 2004-08-04 10:00 53418 ----a-w- c:\windows\system32\perfc013.dat
2009-08-01 10:45 . 2004-08-04 10:00 364330 ----a-w- c:\windows\system32\perfh013.dat
2009-07-31 19:59 . 2009-07-30 19:41 77423 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-07-30 21:08 . 2009-07-30 20:49 -------- d-----w- c:\program files\Common Files\ParetoLogic
2009-07-30 21:08 . 2009-07-30 20:49 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2009-07-30 20:55 . 2009-07-30 20:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2009-07-30 20:54 . 2009-07-30 20:54 -------- d-----w- c:\program files\Hitman Pro 3.5
2009-07-30 20:26 . 2009-07-30 20:26 -------- d-----w- c:\program files\Avira
2009-07-30 20:26 . 2009-07-30 20:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-07-30 20:18 . 2009-07-30 20:18 -------- d-----w- c:\program files\SigmaTel
2009-07-30 20:18 . 2009-07-30 20:14 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-30 20:18 . 2009-07-30 20:00 -------- d-----w- c:\program files\Common Files\InstallShield
2009-07-30 20:14 . 2009-07-30 20:14 -------- d-----w- c:\program files\ATI Technologies
2009-07-30 20:03 . 2009-07-30 20:03 -------- d-----w- c:\program files\Intel
2009-07-30 20:01 . 2009-07-30 20:01 -------- d-----w- c:\program files\Dell
2009-07-30 19:42 . 2009-07-30 19:42 -------- d-----w- c:\program files\microsoft frontpage
2009-07-30 19:39 . 2009-07-30 19:39 21748 ----a-w- c:\windows\system32\emptyregdb.dat
2009-07-17 19:01 . 2004-08-04 10:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 00:18 . 2004-08-04 10:00 233472 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-26 16:20 . 2006-03-04 03:35 662528 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 16:20 . 2004-08-04 10:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-06-16 14:55 . 2004-08-04 10:00 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:55 . 2004-08-04 10:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-15 11:33 . 2004-08-04 10:00 79872 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:26 . 2004-08-04 10:00 85504 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:32 . 2004-08-04 10:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-05 07:55 . 2009-07-30 19:38 655872 ----a-w- c:\windows\system32\mstscax.dll
2009-06-03 19:27 . 2004-08-04 10:00 1294848 ----a-w- c:\windows\system32\quartz.dll
.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-29 339968]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-17 149280]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-03-22 339968]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [30-7-2009 22:26 108289]

--- Andere Services/Drivers In Geheugen ---

*NewlyCreated* - HTTPFILTER
.
.
------- Bijkomende Scan -------
.
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-18 22:17
Windows 5.1.2600 Service Pack 2 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond
verborgen bestanden: 0

**************************************************************************
.
--------------------- VERGRENDELDE REGISTER SLEUTELS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Geladen Onder Lopende Processen ---------------------

- - - - - - - > 'explorer.exe'(2292)
c:\windows\system32\msi.dll
.
Voltooingstijd: 2009-08-18 22:18
ComboFix-quarantined-files.txt 2009-08-18 20:18
ComboFix2.txt 2009-08-18 18:01

Pre-Run: 13.967.704.064 bytes beschikbaar
Post-Run: 13.958.520.832 bytes beschikbaar

131 --- E O F --- 2009-08-14 01:01



Hope to hear from you soon!

And thanks for helping me in the first place!!!

Niels

#8 SifuMike

Posted 18 August 2009 - 04:21 PM

Hi Niels,

I still can't see my folder, other than that, everything seems to work normally.


What folder can't you see?


Let's check for lingering malware.

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Open the Kaspersky WebScanner page.
  • Click on the Posted Image button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the Posted Image button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the Posted Image ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the Posted Image button, if you made any changes.
  • Now under the Scan section on the left, select My Computer
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type change the type to Text file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post even if it finds nothing.
You can refer to this animation by sundavis if needed.

Edited by SifuMike, 18 August 2009 - 04:23 PM.


#9 niels103

Posted 19 August 2009 - 03:51 PM

Hey SifuMike,

I did a new Kaspersky online scan (with Avira turned off)

My only problem, as far as I can see, is that I still can't see my folders. For example, I have all my music in D:\Niels\Music, but when I click my d:\ partition I can't see any of the folders.
The same with my C:\ partition, I can't see the folder Windows or Program files. When I click C: or D: the only thing I can see are the files directly in that directory. Even with the option 'show hidden folders' turned on.
Even when I want to access my music from Winamp or Media Player, it just doesn't seem to exist. However, I know all my files still exist, since I can see them when the Kaspersky scan runs (in the scan window of Kaspersky).

Hope you understand my problem and can help me,

Here the Kaspersky log:
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Wednesday, August 19, 2009
Operating system: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Wednesday, August 19, 2009 18:38:56
Records in database: 2663167
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan statistics:
Objects scanned: 39551
Threats found: 0
Infected objects found: 0
Suspicious objects found: 0
Scan duration: 00:47:32

No threats found. Scanned area is clean.

Selected area has been scanned.


Seems to be clean?

#10 SifuMike

Posted 19 August 2009 - 05:41 PM

Hi Niels,


Yes, I believe we have you clean. :thumbup2: We just have the program clean up to do.

I still can't see my folders. For example, I have all my music in D:\Niels\Music, but when I click my d:\ partition I can't see any of the folders.
The same with my C:\ partition, I can't see the folder Windows or Program files. When I click C: or D: the only thing I can see are the files directly in that directory. Even with the option 'show hidden folders' turned on.
Even when I want to access my music from Winamp or Media Player, it just doesn't seem to exist. However, I know all my files still exist, since I can see them when the Kaspersky scan runs (in the scan window of Kaspersky).

This sounds like a Windows problem, not a malware problem.

How long has your computer been like this?
Do only some folders not appear?
Or is it all folders not appearing?

Let's see if the files and folders actually exist on the root drive of your computer.

Please download SystemLook from jpshortstuff and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Double-click the SystemLook and copy/paste the following into the box
    :dir
    %systemdrive%
  • Hit the Look button. Let it finish the scan
  • A log will then pop-up to your Desktop. Post the content of the log here in your next reply


#11 niels103

Posted 20 August 2009 - 11:34 AM

Hey SifuMike,

It seems to be that my computer is free of viruses, as I said before, the only problem is that I can't see my folders.

This sounds like a Windows problem, not a malware problem.

How long has your computer been like this?
Do only some folders not appear?
Or is it all folders not appearing?


The disappearance of the folders was the first sign of having a virus. This happened when I inserted my USB memory stick; all my folders on C:\ and D:\ have been hidden since then. I can only access them by opening MS-DOS, so I know they are still there. So, none of my folders are visible. I can only access them from MS-DOS; when I try to access them from other programs, e.g. Adobe Photoshop, Notepad, Excel, Word, Nero etc., I can't see anything.

The virus, skynet.exe, made new folders with the subscript 'Microsoft Corporation', but when I clicked them, a new screen opened with only the folders in it. When I clicked further, the same thing kept happening. When I closed all the new screens the folders were no longer visible.

Hope you are familiar with this problem.

To be short, here is the log of SystemLook

SystemLook v1.0 by jpshortstuff (22.05.09)
Log created at 18:20 on 20/08/2009 by Niels (Administrator - Elevation successful)

========== dir ==========

C: - Parameters: "(none)"

---Files---
AUTOEXEC.BAT --a--- 0 bytes [19:42 30/07/2009] [19:42 30/07/2009]
Boot.bak --a--- 211 bytes [17:59 18/08/2009] [19:37 30/07/2009]
boot.ini -rahs- 281 bytes [21:31 30/07/2009] [17:59 18/08/2009]
Bootfont.bin -rahs- 4952 bytes [10:00 04/08/2004] [10:00 04/08/2004]
cmldr --a--- 261936 bytes [17:59 18/08/2009] [21:00 03/08/2004]
ComboFix.txt --a--- 9243 bytes [20:18 18/08/2009] [20:18 18/08/2009]
CONFIG.SYS --a--- 0 bytes [19:42 30/07/2009] [19:42 30/07/2009]
IO.SYS -rahs- 0 bytes [19:42 30/07/2009] [19:42 30/07/2009]
MSDOS.SYS -rahs- 0 bytes [19:42 30/07/2009] [19:42 30/07/2009]
NTDETECT.COM -rahs- 47564 bytes [10:00 04/08/2004] [10:00 04/08/2004]
ntldr -rahs- 251184 bytes [10:00 04/08/2004] [10:00 04/08/2004]
pagefile.sys --ahs- -1048576000 bytes [21:23 30/07/2009] [16:17 20/08/2009]
rollback.ini --a--- 1558 bytes [20:59 30/07/2009] [20:59 30/07/2009]
RootRepeal report 08-17-09 (18-17-39).txt --a--- 3540 bytes [16:17 17/08/2009] [16:17 17/08/2009]

---Folders---
autorun.inf drahs- [20:22 18/08/2009]
cmdcons drahs- [17:59 18/08/2009]
ComboFix d---s- [20:15 18/08/2009]
DELL d-ahs- [19:42 30/07/2009]
Documents and Settings d-ahs- [21:32 30/07/2009]
drvrtmp d-ahs- [20:17 30/07/2009]
Program Files drahs- [21:33 30/07/2009]
Qoobox d----- [17:58 18/08/2009]
System Volume Information d--hs- [21:27 30/07/2009]
WINDOWS d-ahs- [21:23 30/07/2009]

-=End Of File=-

#12 SifuMike

Posted 20 August 2009 - 01:23 PM

Hi,

Windows XP Service Pack 2
Out of date service pack!!

You need to update your Windows to SP3.



You seem to have many folders missing. You only have 10 folders on your C:\ drive :thumbup2:

---Folders---
autorun.inf drahs- [20:22 18/08/2009]
cmdcons drahs- [17:59 18/08/2009]
ComboFix d---s- [20:15 18/08/2009]
DELL d-ahs- [19:42 30/07/2009]
Documents and Settings d-ahs- [21:32 30/07/2009]
drvrtmp d-ahs- [20:17 30/07/2009]
Program Files drahs- [21:33 30/07/2009]
Qoobox d----- [17:58 18/08/2009]
System Volume Information d--hs- [21:27 30/07/2009]
WINDOWS d-ahs- [21:23 30/07/2009]


I notice that most of your folders have the attributes set as ahs (archive, hidden, system)

R = READ ONLY
H = HIDDEN
S = SYSTEM
A = ARCHIVE


so that explains why you can't see the folders.

Try this, go to
http://www.bleepingcomputer.com/tutorials/...al62.html#winxp
click on Windows XP and Windows 2003 and follow the directions

Let me know what happens.

***********

Let's see if we can find the attributes of your Music folder on the D drive.

Please download SystemLook from jpshortstuff and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Double-click the SystemLook and copy/paste the following into the box
    :folderfind
    D:\Niels\Music
  • Hit the Look button. Let it finish the scan
  • A log will then pop-up to your Desktop. Post the content of the log here in your next reply

Edited by SifuMike, 20 August 2009 - 01:34 PM.

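The attribute check SifuMike does by eye on the SystemLook ':dir' output (the hidden and system flags in the ---Folders--- block) and the attrib fix the linked tutorial applies, as an added example written for this thread; it is not SystemLook's code and not anything the participants posted. It parses the folder lines of a SystemLook ':dir' log, reports every folder carrying both h and s that is not expected to have them, and prints the 'attrib -h -s' lines to review before running them on the affected machine. The BASELINE set of folders that legitimately carry hidden+system on an XP root is this example's assumption (autorun.inf is in it because the Flash_Disinfector step earlier in this thread creates that folder on purpose); the sample log is the one posted in this thread, trimmed to a couple of file lines plus the complete folder block.

```python
"""Flag folders set hidden+system in a SystemLook ':dir' log and draft the attrib fix.

Added example for this thread; not SystemLook's code and not from the posts. The
BASELINE set is an assumption; the sample log is taken from the thread itself.
"""
import re
from typing import Dict, List

# Constructed sample: the ':dir' log posted earlier in this thread, trimmed to two file
# lines plus the complete '---Folders---' block.
SAMPLE_LOG = """\
SystemLook v1.0 by jpshortstuff (22.05.09)
Log created at 18:20 on 20/08/2009 by Niels (Administrator - Elevation successful)

========== dir ==========

C: - Parameters: "(none)"

---Files---
AUTOEXEC.BAT --a--- 0 bytes [19:42 30/07/2009] [19:42 30/07/2009]
boot.ini -rahs- 281 bytes [21:31 30/07/2009] [17:59 18/08/2009]

---Folders---
autorun.inf drahs- [20:22 18/08/2009]
cmdcons drahs- [17:59 18/08/2009]
ComboFix d---s- [20:15 18/08/2009]
DELL d-ahs- [19:42 30/07/2009]
Documents and Settings d-ahs- [21:32 30/07/2009]
drvrtmp d-ahs- [20:17 30/07/2009]
Program Files drahs- [21:33 30/07/2009]
Qoobox d----- [17:58 18/08/2009]
System Volume Information d--hs- [21:27 30/07/2009]
WINDOWS d-ahs- [21:23 30/07/2009]

-=End Of File=-
"""

# Assumption: folders that legitimately carry hidden+system on an XP root. autorun.inf is
# listed because the Flash_Disinfector step in this thread creates it on purpose, and
# cmdcons is the Recovery Console install; extend this for your own system.
BASELINE = {"system volume information", "recycler", "autorun.inf", "cmdcons"}

# A folder line looks like:  <name, may contain spaces> <d r a h s ?> [hh:mm dd/mm/yyyy]
FOLDER_LINE = re.compile(
    r"^(?P<name>.+?)\s+(?P<flags>[d-][r-][a-][h-][s-]\S)\s+\[(?P<stamp>[^\]]+)\]\s*$"
)


def parse_drive(log: str) -> str:
    """Drive letter from the 'C: - Parameters:' header (empty string if absent)."""
    m = re.search(r"^([A-Za-z]): - Parameters:", log, re.MULTILINE)
    return m.group(1).upper() if m else ""


def parse_folders(log: str) -> Dict[str, str]:
    """Map folder name -> attribute string for the '---Folders---' block, in log order."""
    folders: Dict[str, str] = {}
    in_block = False
    for raw in log.splitlines():
        line = raw.strip()
        if line == "---Folders---":
            in_block = True
            continue
        if not in_block:
            continue
        if line.startswith("---") or line.startswith("-=End Of File=-") or line.startswith("=="):
            break  # next section or end of log
        m = FOLDER_LINE.match(line)
        if m:
            folders[m.group("name")] = m.group("flags")
    return folders


def find_hidden_system(folders: Dict[str, str], baseline=BASELINE) -> List[str]:
    """Folders with both 'h' and 's' set that are not expected to carry them."""
    return [name for name, flags in folders.items()
            if "h" in flags and "s" in flags and name.lower() not in baseline]


def attrib_commands(drive: str, names: List[str], recursive: bool = False) -> List[str]:
    """Build 'attrib -h -s' lines that clear only hidden+system, leaving r and a alone.

    recursive=True adds a second line with '/s /d' so the folder's contents and
    subfolders are handled too (the D:\\Niels\\Music case in this thread); keep it off
    until the top-level result has been reviewed.
    """
    cmds = []
    for name in names:
        target = f"{drive}:\\{name}"
        cmds.append(f'attrib -h -s "{target}"')
        if recursive:
            cmds.append(f'attrib -h -s "{target}\\*" /s /d')
    return cmds


if __name__ == "__main__":
    drive = parse_drive(SAMPLE_LOG)
    flagged = find_hidden_system(parse_folders(SAMPLE_LOG))
    print(f"unexpected hidden+system folders on {drive}: {flagged}")
    print("\n".join(attrib_commands(drive, flagged)))
```

The commands are only drafted, not run: a folder that is hidden+system by design but missing from BASELINE would otherwise be unhidden along with the damaged ones, so the list is meant to be read against the log before anything is typed into the affected machine's command prompt.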

#13 niels103

Posted 20 August 2009 - 01:47 PM

Hey SifuMike,

I followed the 'tutorial' that you posted. I can see my folder D:\Niels. But when I double-click it, a new explorer screen opens, and this screen is the same as you get when you open the Search function in the Start menu.

So I can see the folders in the D:\ directory, but when I double-click, I get a search screen. Maybe also useful to know: most of the folders are transparent.

Again, I can access them from the MS-DOS prompt.

Here is the log of SystemLook (even I get this one)

SystemLook v1.0 by jpshortstuff (22.05.09)
Log created at 20:37 on 20/08/2009 by Niels (Administrator - Elevation successful)

========== folderfind ==========

Searching for "D:\Niels\Muziek"
No folders found.

-=End Of File=-

I did also the look for only D:\Niels

SystemLook v1.0 by jpshortstuff (22.05.09)
Log created at 20:44 on 20/08/2009 by Niels (Administrator - Elevation successful)

========== folderfind ==========

Searching for "D:\Niels"
No folders found.

-=End Of File=-

That's weird ain't it?

#14 SifuMike

Posted 20 August 2009 - 01:55 PM

Hi,

Can you check what the file attributes are on that D:\Niels\Muziek folder?
My guess is they are Hidden, System and Archive.

Only do steps 1 thru 4
http://www.febooti.com/products/filetweak/...attributes.html

Don't change the file attributes yet, just tell me what they are for that folder.

Edited by SifuMike, 20 August 2009 - 01:57 PM.


#15 niels103

Posted 20 August 2009 - 04:50 PM

Hi SifuMike,

I checked it, and it says:

read only (normal box, checkmark in the checkbox)
hidden (transparent box, checkmark in the checkbox)

So I can turn the read only box on or off, but I can not check and uncheck the hidden box.

We're getting there, hope your wisdom will reach far enough...

(ps. I will not be able to respond for 36 hours, so no hurry)
