
Multiple malware infections



#1 J_Mot

Posted 02 September 2009 - 12:19 PM

I have multiple infections on my laptop running XP SP2. I tried to use MAB but when opening it an error message came up saying "This application has failed to start because the application configuration is incorrect. Reinstalling the application may fix the problem". So I uninstalled MAB and tried reinstalling it. Now I see that was a very bad idea! Now I can't open any .exe file. When I log on to the laptop I get the same error message for rundll32.exe.

Any help would be greatly appreciated!!



#2 J_Mot

Posted 02 September 2009 - 12:26 PM

Should have read MBAM not MAB...fingers too fat to type :(

#3 harrythook

Posted 03 September 2009 - 07:54 AM

Hey J Mot,
will the machine boot up, or is it currently stopping during the boot process?

Veni Vidi Vici
THE FIGHT AGAINST MALWARE

Become a BleepingComputer fan: Facebook

#4 J_Mot

Posted 03 September 2009 - 08:46 AM

Sometimes it will boot, other times it will not.

#5 harrythook

Posted 03 September 2009 - 09:00 AM

Ok J, let's see if you can get this tool to run:
We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Open [image] on your desktop.
  • Click the [image] tab.
  • Click the [image] button.
  • Check all seven boxes: [image]
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the [image] button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.
If you cannot get it loaded, or if it will not run let me know.


#6 J_Mot

Posted 04 September 2009 - 10:12 AM

I could not access the internet from the laptop. I used another PC, downloaded the file and saved it to a flash drive to put on my laptop. Still trying to get it to load. I've tried 3-4 times and have not had any success. I'll continue to try over the weekend and I'll let you know. THANKS

#7 harrythook

Posted 05 September 2009 - 04:46 PM

You can also try to boot the machine into safe mode with networking, see if that will work.

If not, we have other means to deal with this. Just be sure that you describe exactly what happens as you try to complete the instructions.

#8 J_Mot

Posted 09 September 2009 - 07:34 AM

Each time I try to boot up now I get all my icons to come up but can't run any programs. I can move the mouse but can't open any programs. When I move the cursor over the START button I get the 'hour glass'. And now I have a RED X at the bottom right next to the clock. When I open up in SAFE MODE all I get is a black screen, no icons. Now what do I try?

#9 J_Mot

Posted 09 September 2009 - 11:52 AM

Was able to finally run RootRepeal.
Here is what I found:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/09 12:35
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF82AB000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8C45000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rrrr.sys
Image Path: C:\WINDOWS\system32\drivers\rrrr.sys
Address: 0xF7B03000 Size: 49152 File Visible: No Signed: -
Status: -

Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0xF8A0B000 Size: 20480 File Visible: No Signed: -
Status: -

Name: win32k.sys:2
Image Path: C:\WINDOWS\win32k.sys:2
Address: 0xF8873000 Size: 61440 File Visible: No Signed: -
Status: -

Stealth Objects
-------------------
Object: Hidden Module [Name: UACotehbgixng.dll]
Process: svchost.exe (PID: 448) Address: 0x00ce0000 Size: 73728

Object: Hidden Module [Name: UACvoxuwnddlr.dll]
Process: svchost.exe (PID: 448) Address: 0x00950000 Size: 77824

Object: Hidden Module [Name: UACwuhmivmsrp.dll]
Process: svchost.exe (PID: 448) Address: 0x009b0000 Size: 217088

Object: Hidden Module [Name: kbiwkmidmyytsi.dll]
Process: svchost.exe (PID: 448) Address: 0x10000000 Size: 57344

Object: Hidden Module [Name: UACvoxuwnddlr.dll]
Process: Explorer.exe (PID: 972) Address: 0x00c00000 Size: 77824

Object: Hidden Module [Name: kbiwkmymrmsbfa.dll]
Process: Explorer.exe (PID: 972) Address: 0x10000000 Size: 28672

Hidden Services
-------------------
Service Name: kbiwkmxuwqinvp
Image Path: C:\WINDOWS\system32\drivers\kbiwkmkbwqemal.sys

Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACkyfqmojykh.sys

==EOF==
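Reading a RootRepeal report like the one above by hand is error-prone. The Python script below is an added example (not part of this thread, and not RootRepeal's own code): it parses a constructed excerpt modelled on that report and lists what a helper would follow up, namely drivers hidden from the file system, a driver loaded from an NTFS alternate data stream, a module injected into svchost.exe, and a hidden service. The dump_* crash-dump drivers are treated as the expected exception to the "File Visible: No" rule.

```python
"""Triage of a RootRepeal report.  Added example, not code from this thread or
from RootRepeal; the sample is a constructed excerpt modelled on the report
posted above."""
import re

ROOTREPEAL_SAMPLE = r"""
Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF82AB000 Size: 98304 File Visible: No Signed: -

Name: rrrr.sys
Image Path: C:\WINDOWS\system32\drivers\rrrr.sys
Address: 0xF7B03000 Size: 49152 File Visible: No Signed: -

Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0xF8A0B000 Size: 20480 File Visible: No Signed: -

Stealth Objects
-------------------
Object: Hidden Module [Name: UACotehbgixng.dll]
Process: svchost.exe (PID: 448) Address: 0x00ce0000 Size: 73728

Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACkyfqmojykh.sys
"""

# XP's crash-dump helper drivers are in-memory copies without a file of their
# own, so RootRepeal normally lists them as "File Visible: No".  Any other
# driver reported that way is being hidden from the file system.
BENIGN_INVISIBLE = {"dump_atapi.sys", "dump_wmilib.sys"}


def sections(text):
    """Map section title -> lines for a RootRepeal report, where a title is
    the line immediately above a line made only of dashes."""
    lines, out, current = text.splitlines(), {}, None
    for i, line in enumerate(lines):
        nxt = lines[i + 1].strip() if i + 1 < len(lines) else ""
        if line.strip() and nxt and set(nxt) == {"-"}:
            current = line.strip()
            out[current] = []
        elif current and set(line.strip()) != {"-"}:
            out[current].append(line)
    return out


def triage_rootrepeal(text):
    """Return the report entries a helper would follow up, as plain strings."""
    sec, findings = sections(text), []
    for block in "\n".join(sec.get("Drivers", [])).split("\n\n"):
        f = dict(re.findall(r"(Name|Image Path|File Visible): (\S+)", block))
        name, path = f.get("Name"), f.get("Image Path", "")
        if not name:
            continue
        # A ':<n>' suffix names an NTFS alternate data stream: the driver that
        # loaded is a stream attached to win32k.sys, not win32k.sys itself.
        if re.search(r":\d+$", path):
            findings.append(f"driver loaded from alternate data stream: {path}")
        elif f.get("File Visible") == "No" and name.lower() not in BENIGN_INVISIBLE:
            findings.append(f"hidden driver: {name} ({path})")
    stealth = "\n".join(sec.get("Stealth Objects", []))
    for m in re.finditer(r"Hidden Module \[Name: ([^\]]+)\]\s+Process: (\S+) \(PID: (\d+)\)", stealth):
        findings.append(f"hidden module {m[1]} injected into {m[2]} (PID {m[3]})")
    for m in re.finditer(r"Service Name: (\S+)\s+Image Path: (\S+)", "\n".join(sec.get("Hidden Services", []))):
        findings.append(f"hidden service {m[1]} -> {m[2]}")
    return findings


if __name__ == "__main__":
    for finding in triage_rootrepeal(ROOTREPEAL_SAMPLE):
        print("-", finding)
```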

#10 harrythook

Posted 11 September 2009 - 05:40 AM

Hey J Mot,
I moved this over to the malware forum, so we can try to get rid of your problems. Let's start with:
Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


[image]
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[image]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply, along with any symptoms that are present after it runs.

#11 J_Mot

Posted 14 September 2009 - 06:40 PM

Now I can not access the internet from the laptop. I'm on another machine at the moment. Can I save ComboFix to a flash drive and then install it on my laptop?

#12 harrythook

Posted 16 September 2009 - 03:50 AM

Hey J Mot, I missed your post.
Yes, you can copy ComboFix to a CD and see if you can get it loaded onto the machine. If that will not work we will try something else :(

#13 J_Mot

Posted 18 September 2009 - 11:02 AM

I was able to run ComboFix and the problems seem to be gone. Here is the log:

ComboFix 09-09-14.02 - john 09/17/2009 17:09.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.502.315 [GMT -4:00]
Running from: c:\documents and settings\john\Desktop\CF.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\blyuwrjl.exe
c:\documents and settings\All Users\Application Data\10792344
c:\documents and settings\All Users\Application Data\10792344\10792344
c:\documents and settings\All Users\Application Data\10792344\10792344.exe
c:\documents and settings\All Users\Application Data\10792344\pc10792344ins
c:\documents and settings\john\Application Data\Microsoft\Installer\{95DEDA30-F2C2-4B2E-B39D-795E8B426315}\NewShortcut1_95DEDA30F2C24B2EB39D795E8B426315.exe
c:\documents and settings\john\Application Data\Microsoft\Installer\{95DEDA30-F2C2-4B2E-B39D-795E8B426315}\NewShortcut2_95DEDA30F2C24B2EB39D795E8B426315.exe
c:\documents and settings\john\nah_log.dat
C:\emxtqjit.exe
C:\fyblb.exe
C:\osps.exe
c:\program files\AdvancedVirusRemover
c:\program files\AdvancedVirusRemover\PAVRM.exe
C:\pvewnn.exe
c:\windows\braviax.exe
c:\windows\cru629.dat
c:\windows\msa.exe
c:\windows\ppp3.dat
c:\windows\ppp4.dat
c:\windows\run.log
c:\windows\system32\~.exe
c:\windows\system32\41.exe
c:\windows\system32\bennuar.old
c:\windows\system32\bincd32.dat
c:\windows\system32\braviax.exe
c:\windows\system32\config\systemprofile\Desktop\Advanced Virus Remover.lnk
c:\windows\system32\config\systemprofile\Start Menu\Advanced Virus Remover.lnk
c:\windows\system32\cru629.dat
c:\windows\system32\drivers\kbiwkmkbwqemal.sys
c:\windows\system32\drivers\UACkyfqmojykh.sys
c:\windows\system32\gumiviho.dll
c:\windows\system32\guvebosa.dll
c:\windows\system32\images
c:\windows\system32\images\i1.gif
c:\windows\system32\images\i2.gif
c:\windows\system32\images\i3.gif
c:\windows\system32\kbiwkmidmyytsi.dll
c:\windows\system32\kbiwkmkcirftjx.dat
c:\windows\system32\kbiwkmymrmsbfa.dll
c:\windows\system32\kbiwkmyqxtavhx.dat
c:\windows\system32\mojujebu.dll
c:\windows\system32\net.net
c:\windows\system32\nofijoke.exe
c:\windows\system32\pojabese.dll
c:\windows\system32\sohojire.exe
c:\windows\system32\sonhelp.htm
c:\windows\system32\sysnet.dat
c:\windows\system32\tajf83ikdmf.dll
c:\windows\system32\tapi.nfo
c:\windows\system32\UACaposbjqaoa.db
c:\windows\system32\UACcuprqpupkr.dat
c:\windows\system32\uacinit.dll
c:\windows\system32\UACotehbgixng.dll
c:\windows\system32\UACvoxuwnddlr.dll
c:\windows\system32\UACvsrrlcawbw.dll
c:\windows\system32\UACwuhmivmsrp.dll
c:\windows\system32\wekavube.dll
c:\windows\system32\wepekigi.dll
c:\windows\system32\winhelper.dll
c:\windows\system32\winupdate.exe
c:\windows\system32\wisdstr.exe
c:\windows\system32\wobebupi.dll
c:\windows\system32\xa.tmp
c:\windows\system32\yatehaje.dll

Infected copy of c:\windows\system32\drivers\beep.sys was found and disinfected
Restored copy from - c:\i386\beep.sys

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\i386\eventlog.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_kbiwkmxuwqinvp
-------\Legacy_kbiwkmxuwqinvp
-------\Service_UACd.sys
-------\Legacy_UACd.sys
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}


((((((((((((((((((((((((( Files Created from 2009-08-17 to 2009-09-17 )))))))))))))))))))))))))))))))
.

2009-09-14 23:25 . 2009-09-14 23:25 -------- d-----w- c:\program files\zzzz
2009-09-09 16:42 . 2009-09-14 23:11 -------- d-----w- c:\program files\bubbles
2009-09-04 17:47 . 2009-09-04 17:47 -------- d-----w- c:\program files\abam
2009-09-04 14:38 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-04 14:38 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-31 21:15 . 2009-08-31 21:34 29184 ----a-w- c:\windows\system32\dllcache\beep.sys
2009-08-28 17:39 . 2009-08-28 17:39 -------- d-----w- c:\documents and settings\john\Application Data\Logs

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-14 23:00 . 2009-06-14 23:00 89088 --sha-w- c:\windows\system32\pinapuwe.dll
2009-09-04 14:38 . 2009-06-09 15:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-05 09:11 . 2004-08-11 23:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-02 21:28 . 2007-01-31 15:48 -------- d-----w- c:\program files\ClamWin
2009-08-02 20:51 . 2007-01-25 01:35 -------- d-----w- c:\program files\Java
2009-07-17 18:55 . 2004-08-11 23:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2004-08-11 23:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-29 16:12 . 2004-08-11 23:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-11 23:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2004-08-11 23:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-25 18:36 . 2004-08-11 23:00 95744 ----a-w- c:\windows\system32\mqsec.dll
2009-06-25 18:36 . 2004-08-11 23:00 661504 ----a-w- c:\windows\system32\mqqm.dll
2009-06-25 18:36 . 2004-08-11 23:00 517120 ----a-w- c:\windows\system32\mqsnap.dll
2009-06-25 18:36 . 2004-08-11 23:00 48640 ----a-w- c:\windows\system32\mqupgrd.dll
2009-06-25 18:36 . 2004-08-11 23:00 471552 ----a-w- c:\windows\system32\mqutil.dll
2009-06-25 18:36 . 2004-08-11 23:00 47104 ----a-w- c:\windows\system32\mqdscli.dll
2009-06-25 18:36 . 2004-08-11 23:00 225280 ----a-w- c:\windows\system32\mqoa.dll
2009-06-25 18:36 . 2004-08-11 23:00 186880 ----a-w- c:\windows\system32\mqtrig.dll
2009-06-25 18:36 . 2004-08-11 23:00 177152 ----a-w- c:\windows\system32\mqrt.dll
2009-06-25 18:36 . 2004-08-11 23:00 16896 ----a-w- c:\windows\system32\mqise.dll
2009-06-25 18:36 . 2004-08-11 23:00 138240 ----a-w- c:\windows\system32\mqad.dll
2009-06-25 18:36 . 2004-08-11 23:00 123392 ----a-w- c:\windows\system32\mqrtdep.dll
2009-06-22 15:43 . 2009-06-22 15:42 874534 ----a-w- c:\windows\system32\rn.tmp
2009-06-22 11:49 . 2004-08-11 23:00 19968 ----a-w- c:\windows\system32\mqbkup.exe
2009-06-22 11:49 . 2004-08-11 23:00 117248 ----a-w- c:\windows\system32\mqtgsvc.exe
2009-06-22 11:49 . 2004-08-11 23:00 4608 ----a-w- c:\windows\system32\mqsvc.exe
2009-06-22 11:48 . 2004-08-11 23:00 91776 ----a-w- c:\windows\system32\drivers\mqac.sys
2009-06-17 20:40 . 2009-06-17 20:40 25600 --sha-w- c:\windows\system32\howiduga.dll
2009-06-17 20:40 . 2009-06-17 20:40 16384 --sha-w- c:\windows\system32\jehodini.exe
2009-06-17 20:40 . 2009-06-17 20:40 26624 --sha-w- c:\windows\system32\jeyanoyu.exe
2009-06-17 20:40 . 2009-06-17 20:40 28672 --sha-w- c:\windows\system32\kezolape.exe
2009-06-17 20:40 . 2009-06-17 20:40 5120 --sha-w- c:\windows\system32\susalade.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-08-29 395776]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-21 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 83608]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-22 1392640]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-06-29 1032192]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
"ClamWin"="c:\program files\ClamWin\bin\ClamTray.exe" [2009-06-12 86016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]
"gagesozez"="c:\windows\system32\pinapuwe.dll" [2009-09-14 89088]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-24 282624]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-1-24 24576]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{c9ac225c-5b70-4eab-9324-61180d13f82d}"= "c:\windows\system32\pinapuwe.dll" [2009-09-14 89088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"hagubupok"= {c9ac225c-5b70-4eab-9324-61180d13f82d} - c:\windows\system32\pinapuwe.dll [2009-09-14 89088]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rrrr.sys]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe"=

.
Contents of the 'Scheduled Tasks' folder

2008-08-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 19:42]

2009-09-17 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2008-12-29 17:58]

2009-06-03 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2008-12-29 17:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com
.
- - - - ORPHANS REMOVED - - - -

BHO-{2aa9c146-ce98-49bc-959c-f76962b11d3b} - c:\windows\system32\wekavube.dll
HKCU-Run-AV Care - c:\program files\AV Care\AvCare.exe
HKLM-Run-net - c:\windows\system32\net.net
HKLM-Run-vasiporopa - c:\windows\system32\gumiviho.dll
HKLM-Run-10792344 - c:\documents and settings\All Users\Application Data\10792344\10792344.exe
AddRemove-AV Care - c:\program files\AV Care\Uninstall.exe
AddRemove-Win Police Pro - c:\program files\Windows Police Pro\AntiSpyware_Uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-17 17:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2140)
c:\windows\system32\WININET.dll
c:\windows\system32\pinapuwe.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\SmartFTP Client\smarthook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Dell\QuickSet\NicConfigSvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Apoint\ApntEx.exe
c:\program files\Apoint\hidfind.exe
.
**************************************************************************
.
Completion time: 2009-09-17 17:19 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-17 21:19

Pre-Run: 12,243,607,552 bytes free
Post-Run: 12,925,972,480 bytes free

233 --- E O F --- 2009-08-27 16:09




Then ran MBAM and it deleted 21 items. So I ran ComboFix again and here is the log:

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.502.257 [GMT -4:00]
Running from: c:\documents and settings\john\Desktop\CF.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\run.log
c:\windows\system32\xa.tmp

.
((((((((((((((((((((((((( Files Created from 2009-08-17 to 2009-09-17 )))))))))))))))))))))))))))))))
.

2009-09-17 22:18 . 2009-09-17 22:18 -------- d-----w- c:\windows\LastGood
2009-09-14 23:25 . 2009-09-14 23:25 -------- d-----w- c:\program files\zzzz
2009-09-09 16:42 . 2009-09-14 23:11 -------- d-----w- c:\program files\bubbles
2009-09-04 17:47 . 2009-09-04 17:47 -------- d-----w- c:\program files\abam
2009-09-04 14:38 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-04 14:38 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-28 17:39 . 2009-08-28 17:39 -------- d-----w- c:\documents and settings\john\Application Data\Logs

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-04 14:38 . 2009-06-09 15:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-05 09:11 . 2004-08-11 23:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-02 21:28 . 2007-01-31 15:48 -------- d-----w- c:\program files\ClamWin
2009-08-02 20:51 . 2007-01-25 01:35 -------- d-----w- c:\program files\Java
2009-07-17 18:55 . 2004-08-11 23:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2004-08-11 23:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-29 16:12 . 2004-08-11 23:00 827392 ------w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-11 23:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2004-08-11 23:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-25 18:36 . 2004-08-11 23:00 95744 ----a-w- c:\windows\system32\mqsec.dll
2009-06-25 18:36 . 2004-08-11 23:00 661504 ----a-w- c:\windows\system32\mqqm.dll
2009-06-25 18:36 . 2004-08-11 23:00 517120 ----a-w- c:\windows\system32\mqsnap.dll
2009-06-25 18:36 . 2004-08-11 23:00 48640 ----a-w- c:\windows\system32\mqupgrd.dll
2009-06-25 18:36 . 2004-08-11 23:00 471552 ----a-w- c:\windows\system32\mqutil.dll
2009-06-25 18:36 . 2004-08-11 23:00 47104 ----a-w- c:\windows\system32\mqdscli.dll
2009-06-25 18:36 . 2004-08-11 23:00 225280 ----a-w- c:\windows\system32\mqoa.dll
2009-06-25 18:36 . 2004-08-11 23:00 186880 ----a-w- c:\windows\system32\mqtrig.dll
2009-06-25 18:36 . 2004-08-11 23:00 177152 ----a-w- c:\windows\system32\mqrt.dll
2009-06-25 18:36 . 2004-08-11 23:00 16896 ----a-w- c:\windows\system32\mqise.dll
2009-06-25 18:36 . 2004-08-11 23:00 138240 ----a-w- c:\windows\system32\mqad.dll
2009-06-25 18:36 . 2004-08-11 23:00 123392 ----a-w- c:\windows\system32\mqrtdep.dll
2009-06-22 11:49 . 2004-08-11 23:00 19968 ----a-w- c:\windows\system32\mqbkup.exe
2009-06-22 11:49 . 2004-08-11 23:00 117248 ----a-w- c:\windows\system32\mqtgsvc.exe
2009-06-22 11:49 . 2004-08-11 23:00 4608 ----a-w- c:\windows\system32\mqsvc.exe
2009-06-22 11:48 . 2004-08-11 23:00 91776 ----a-w- c:\windows\system32\drivers\mqac.sys
2009-06-17 20:40 . 2009-06-17 20:40 25600 --sha-w- c:\windows\system32\howiduga.dll
2009-06-17 20:40 . 2009-06-17 20:40 16384 --sha-w- c:\windows\system32\jehodini.exe
2009-06-17 20:40 . 2009-06-17 20:40 26624 --sha-w- c:\windows\system32\jeyanoyu.exe
2009-06-17 20:40 . 2009-06-17 20:40 28672 --sha-w- c:\windows\system32\kezolape.exe
2009-06-17 20:40 . 2009-06-17 20:40 5120 --sha-w- c:\windows\system32\susalade.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-09-17_21.17.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-11 23:00 . 2009-09-17 22:16 53838 c:\windows\system32\perfc009.dat
- 2004-08-11 23:00 . 2009-09-17 21:12 53838 c:\windows\system32\perfc009.dat
+ 2009-09-17 21:46 . 2009-09-17 22:10 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-01-31 14:53 . 2009-09-17 20:52 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-01-31 14:53 . 2009-09-17 22:10 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-09-17 21:46 . 2009-09-17 22:10 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2004-08-11 23:00 . 2009-09-17 22:16 382260 c:\windows\system32\perfh009.dat
- 2004-08-11 23:00 . 2009-09-17 21:12 382260 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-08-29 395776]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-21 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 83608]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-22 1392640]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-06-29 1032192]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
"ClamWin"="c:\program files\ClamWin\bin\ClamTray.exe" [2009-06-12 86016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-24 282624]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-1-24 24576]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rrrr.sys]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe"=

.
Contents of the 'Scheduled Tasks' folder

2008-08-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 19:42]

2009-09-17 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2008-12-29 17:58]

2009-06-03 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2008-12-29 17:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-17 18:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(856)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(916)
c:\windows\system32\WININET.dll
.
Completion time: 2009-09-17 18:45
ComboFix-quarantined-files.txt 2009-09-17 22:44
ComboFix2.txt 2009-09-17 21:19

Pre-Run: 12,918,927,360 bytes free
Post-Run: 12,899,209,216 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

144 --- E O F --- 2009-08-27 16:09
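The "Reg Loading Points" section of the first ComboFix log above is where the remaining persistence shows: a DLL in a Run key, the same DLL wired into SharedTaskScheduler and ShellServiceObjectDelayLoad, an extra SafeBoot\Minimal entry, and Security Center and firewall values set so the user gets no warning. The Python script below is an added example, not code from this thread or from ComboFix; it parses a constructed excerpt modelled on that section and flags those entries, including any file that is registered at more than one load point.

```python
"""Triage of the 'Reg Loading Points' section of a ComboFix log.  Added example,
not code from this thread or from ComboFix; the sample is a constructed excerpt
modelled on the log posted above."""
import re
from collections import defaultdict

COMBOFIX_REG_SAMPLE = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
"gagesozez"="c:\windows\system32\pinapuwe.dll" [2009-09-14 89088]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{c9ac225c-5b70-4eab-9324-61180d13f82d}"= "c:\windows\system32\pinapuwe.dll" [2009-09-14 89088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"hagubupok"= {c9ac225c-5b70-4eab-9324-61180d13f82d} - c:\windows\system32\pinapuwe.dll [2009-09-14 89088]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rrrr.sys]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""


def reg_entries(text):
    """Yield (key, name, value) from a REGEDIT4-style dump.  ComboFix appends a
    '[date size]' trailer after paths; it is left in the value for file_path()."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and "=" in line:
            name, _, rest = line.partition("=")
            yield key, name.strip().strip('"'), rest.strip()


def file_path(value):
    """Pull the drive-letter path out of a value such as
    '"c:\\x y\\a.dll" [2009-09-14 89088]' or '{clsid} - c:\\x\\a.dll [...]'."""
    m = re.search(r'"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\.+?)(?= \[|$)', value)
    return (m[1] or m[2]).lower() if m else None


def flag_value(value):
    """'dword:00000001' and '0 (0x0)' both reduce to their leading number."""
    return int(re.sub(r"\D", "", (value.split() or [""])[0]) or 0)


def triage_reg_loading_points(text):
    """Return the findings a helper would act on, as plain strings."""
    findings, load_points = [], defaultdict(set)
    for key, name, value in reg_entries(text):
        klow, nlow, leaf = key.lower(), name.lower(), key.rsplit("\\", 1)[-1]
        path = file_path(value)
        if path:
            load_points[path].add(leaf)
        if klow.endswith("\\currentversion\\run") and path and path.endswith(".dll"):
            findings.append(f"Run entry '{name}' points at a DLL, not a program: {path}")
        elif "\\safeboot\\minimal\\" in klow:
            # ComboFix omits default entries, so anything listed here was added to
            # the set of drivers Windows will still start in Safe Mode.
            findings.append(f"non-default Safe Mode driver entry: {leaf}")
        elif nlow in ("antivirusoverride", "updatesdisablenotify") and flag_value(value) == 1:
            findings.append(f"Security Center warning suppressed: {name}=1")
        elif nlow == "enablefirewall" and flag_value(value) == 0:
            findings.append("Windows Firewall disabled in the standard profile")
    # One file wired into several load points is a persistence pattern worth
    # noting even when each entry on its own looks bland.
    for path, keys in sorted(load_points.items()):
        if len(keys) > 1:
            findings.append(f"{path} registered at {len(keys)} load points: {', '.join(sorted(keys))}")
    return findings


if __name__ == "__main__":
    for finding in triage_reg_loading_points(COMBOFIX_REG_SAMPLE):
        print("-", finding)
```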


#14 J_Mot

Posted 18 September 2009 - 11:03 AM

What type software should I get/use so this doesn't happen again?

THANKS FOR ALL YOUR HELP!!
LOVE THIS PLACE!!


#15 harrythook

Posted 18 September 2009 - 06:25 PM

Hey J Mot,
We are not quite done yet, I have to go over those logs. If you can find the log from MBAM and what it removed it would be helpful.

By the way (off topic) I have a question for you. The name seems really familiar to me, sort of an abbreviated version of a person I used to know. Ever been to Philadelphia?

I should get through the logs sometime tonight or tomorrow and will give some more instructions. Until then let's keep the surfing to a minimum :(

Harry




