Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Popups,something is hiding in my scedli.dll and dumprep.exe


  • This topic is locked This topic is locked
9 replies to this topic

#1 doy

doy

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:03:04 AM

Posted 19 August 2009 - 07:51 PM

I was able to run and save a dds log,and text log. RootRepeal scan stops and disappears after scanning Scecli.dll. RootRepeal.exe will not start again. Comes back with a permission error. I get this same error if I try to delete RootRepeal.exe. I can delete RootRepeal with Sopho scan. Malwarebytes.exe and HiJackthis.exe react the same way.

Sopho Scan Results: C:\windows\system32\scecli.dll
C:\windows\system32\dumprep.exe
C:ProgramFiles\dell\Quickset\NicconfigSvc.exe


DDS (Ver_09-07-30.01) - NTFSx86
Run by Doy at 13:18:02.74 on Wed 08/19/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.582 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Doyle Boyd\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.comcast.net/a/
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-inc&channel=us
uSearch Bar = hxxp://www.google.com/ie
uWindow Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
mDefault_Page_URL = hxxp://www.comcast.net/
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mWindow Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: {27B4851A-3207-45A2-B947-BE8AFE6163AB} - No File
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: {b44a1082-9391-46bc-9fa0-6f4c7c6d54b8} - c:\windows\system32\nuvameje.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [CPMeb999f23] Rundll32.exe "c:\windows\system32\gesiwoha.dll",a
mRun: [wuvekinila] Rundll32.exe "c:\windows\system32\mafolibu.dll",s
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng1.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {E2E2DD38-D088-4134-82B7-F2BA38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11D2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: musicmatch.com\online
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1161034857140
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Notify: igfxcui - igfxdev.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\gesiwoha.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\gesiwoha.dll
LSA: Notification Packages = scecli c:\windows\system32\kenahozi.dll

============= SERVICES / DRIVERS ===============

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2004-12-13 198256]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2004-12-13 165488]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2004-12-13 79472]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\7.tmp --> c:\windows\system32\7.tmp [?]
S3 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-6-22 822424]

=============== Created Last 30 ================

2009-08-18 00:39 <DIR> --d----- C:\H
2009-08-17 23:38 <DIR> --d----- c:\program files\CCleaner
2009-08-16 20:25 2,098 ---sh--- c:\windows\system32\hehataye.exe
2009-08-15 22:30 <DIR> --d----- c:\program files\Sophos
2009-08-14 18:37 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-08-14 18:37 <DIR> --d----- c:\docume~1\doyleb~1\applic~1\SUPERAntiSpyware.com
2009-08-14 18:01 <DIR> --d----- c:\documents and settings\doyle boyd\DoctorWeb
2009-08-14 12:33 <DIR> --d----- C:\HJT
2009-08-14 12:26 <DIR> --d----- c:\docume~1\doyleb~1\applic~1\Malwarebytes
2009-08-14 12:26 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-10 11:21 493,056 a------- c:\windows\system32\CheckDll.dll
2009-08-06 17:01 72,192 a------- c:\windows\system32\drivers\ESQULserv.sys

==================== Find3M ====================

2009-08-19 12:50 50,176 a--sh--- c:\windows\system32\bikuhagu.dll
2009-08-19 12:49 84,480 a--sh--- c:\windows\system32\gesiwoha.dll
2009-08-19 12:49 37,376 a--sh--- c:\windows\system32\muvifedu.dll
2009-08-17 18:59 49,664 a--sh--- c:\windows\system32\nivilivu.dll
2009-08-17 18:58 83,968 a--sh--- c:\windows\system32\yijajeku.dll
2009-08-17 18:58 37,376 a--sh--- c:\windows\system32\hosakaja.dll
2009-07-18 12:05 3,069,440 -------- c:\windows\system32\dllcache\mshtml.dll
2009-07-18 12:05 1,509,888 -------- c:\windows\system32\dllcache\shdocvw.dll
2009-06-26 12:50 666,624 a------- c:\windows\system32\wininet.dll
2009-06-26 12:50 666,624 -------- c:\windows\system32\dllcache\wininet.dll
2009-06-26 12:50 620,032 -------- c:\windows\system32\dllcache\urlmon.dll
2009-06-26 12:50 81,920 a------- c:\windows\system32\ieencode.dll
2009-06-26 12:50 81,920 -------- c:\windows\system32\dllcache\ieencode.dll
2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-16 10:36 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 10:36 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
2009-06-03 15:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-06-03 15:09 1,291,264 -------- c:\windows\system32\dllcache\quartz.dll

============= FINISH: 13:18:11.55 ===============

BC AdBot (Login to Remove)

 


#2 doy

doy
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:03:04 AM

Posted 19 August 2009 - 10:32 PM

GMER 1.0.15.15077 [xesoks5l.exe] - http://www.gmer.net
Rootkit quick scan 2009-08-19 23:26:44
Windows 5.1.2600 Service Pack 3


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

---- EOF - GMER 1.0.15 ----

#3 doy

doy
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:03:04 AM

Posted 19 August 2009 - 10:45 PM

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\{29F8DDC1-9487-49b8-B27E-3E0C3C1298FF}

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\dumprep.exe

[1] 2004-08-10 06:00:00 10752 C:\WINDOWS\$NtServicePackUninstall$\dumprep.exe (Microsoft Corporation)

[1] 2008-04-13 20:12:18 10752 C:\WINDOWS\ServicePackFiles\i386\dumprep.exe (Microsoft Corporation)

[1] 2008-04-13 20:12:18 10752 C:\WINDOWS\system32\dumprep.exe ()



Cannot access: C:\WINDOWS\system32\scecli.dll

[1] 2004-08-10 06:00:00 180224 C:\WINDOWS\$NtServicePackUninstall$\scecli.dll (Microsoft Corporation)

[1] 2008-04-13 20:12:05 181248 C:\WINDOWS\ServicePackFiles\i386\scecli.dll (Microsoft Corporation)

[1] 2008-04-13 20:12:05 60928 C:\WINDOWS\system32\scecli.dll ()

[2] 2008-04-13 20:12:05 181248 C:\WINDOWS\system32\sceclt.dll (Microsoft Corporation)





Finished!

#4 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:03:04 PM

Posted 20 August 2009 - 06:47 AM

Hello my name is Sempai and welcome to Bleeping Computer.

*We apologize for the delay. Forum have been busy.

*I want you to understand that I'm still a trainee here. I will be working with my Coach who will approve all my instructions before posting them to you, so there's a possibility to have some delays in my responses. But the good part is, there are two people reviewing your problem instead of one.

*It is important not to make any further changes or run any other tools unless instructed to. This may hinder the cleaning process of your machine.

*You must reply within 5 days otherwise this topic will be closed.


Your log will be analyzed and you will be instructed on what to do next as soon as possible.


~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#5 doy

doy
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:03:04 AM

Posted 20 August 2009 - 07:48 AM

In advance I want to thank you for your time and help.

#6 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:03:04 PM

Posted 20 August 2009 - 07:55 AM

Hello doy,

My name is Sempai and I will be helping you with your malware problem. :thumbup2:


Some of the identified infections are Rootkit and backdoor trojan.

They are very dangerous because they compromise system integrity by making changes that allow it to by used by the attacker for malicious purposes. Rootkits are used by Trojans to conceal its presence (hide from view) in order to prevent detection of an attacker's software and make removal more difficult. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is send back to the hacker. To learn more about these types of infections, you can refer to:

What danger is presented by rootkits?
Rootkits and how to combat them
r00tkit Analysis: What Is A Rootkit

If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised and change each password using a clean computer, not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connect again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
What Should I Do If I've Become A Victim Of Identity Theft?
Identity Theft Victims Guide - What to do


Although the infection has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired so you can never be sure that you have completely removed a rootkit. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove rootkits cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

When should I re-format? How should I reinstall?
Help: I Got Hacked. Now What Do I Do?
Where to draw the line? When to recommend a format and reinstall?


Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. Some infections are difficult to remove completely because of their morphing characteristics which allows the malware to regenerate itself. Sometimes there is another hidden piece of malware which has not been detected by your security tools that protects malicious files and registry keys (which have been detected) so they cannot be permanently deleted. Disinfection will probably require the use of more powerful tools than we recommend in this forum. Let me know how you wish to proceed.


Please follow the next instructions if you decided that we do the cleaning process:


1. Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2

Posted Image


Posted Image
--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.

  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.



2. If combofix will run succesfuly, please perform another rootrepeal scan and post the log for me. Delete your copy of Rootrepeal and download a new one.
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive.
  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all seven boxes: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

~Semp :)

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#7 doy

doy
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:03:04 AM

Posted 20 August 2009 - 09:17 PM

Thank You for your reply. If I reformat and reload; Is there anything I can save. Documents?
Pictures? Outlook files? Address book?

#8 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:03:04 PM

Posted 21 August 2009 - 08:54 PM

Hello doy,

It would be wise for you to back up any files and folders that you don't want to lose before reformatting. :thumbup2:

You can do the backup and can save all of what you are concerned about:

Documents?
Pictures? Outlook files? Address book?



~Semp

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#9 doy

doy
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:03:04 AM

Posted 22 August 2009 - 12:56 PM

Thank You for your help. Please close out this post.

#10 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:03:04 AM

Posted 23 August 2009 - 08:52 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :thumbup2:

If your the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users