
Infected with Trojan/ Search redirecter



#1 bakaduin

Posted 06 September 2009 - 12:05 PM

It all started a month or so ago, when all searches on Yahoo, but not Google, would redirect to ads. I ran Malwarebytes but it came up clean, and I lived with the problem. Now Google search isn't working. I also noticed my computer running extremely slow; programs like Firefox were taking 100% CPU usage, and System Restore/Defrag/Chkdsk/Windows file search were all not functioning. I've been able to get System Restore back online, same with file search, and I was able to run a Chkdsk /r through the Windows boot CD. Defrag still says it's unable to start.

I've now run McAfee, Adaware, Spybot, and AVG. They've found various viruses including Sheur2 and Minix32 and "cleaned" them. Rerunning all the programs found no other viruses, but I'm still having the problems.


DDS (Ver_09-07-30.01) - NTFSx86
Run by Me at 12:40:37.98 on Sun 09/06/2009
Internet Explorer: 8.0.6001.18702

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mSearchAssistant = hxxp://www.google.com
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptsn.dll
BHO: {BF56A325-23F2-42AD-F4E4-00AAC39CAA53} - No File
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_06\bin\jusched.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [ClamWin] "c:\program files\clamwin\bin\ClamTray.exe" --logon
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {15B782AF-55D8-11D1-B477-006097098764} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/authorware/awswaxd.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: GoToAssist - c:\program files\citrix\gotoassist\480\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: cru629.datr
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-09-06 10:22 <DIR> --d----- c:\windows\pss
2009-09-06 08:39 <DIR> --d----- c:\windows\system32\NtmsData
2009-09-05 14:57 <DIR> --d----- c:\program files\Trend Micro
2009-09-05 08:32 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-09-05 08:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-09-04 21:48 <DIR> --d----- C:\QUARANTINE
2009-09-04 21:22 <DIR> --d----- c:\program files\common files\McAfee
2009-09-04 18:12 7,396 a------- c:\windows\system32\drivers\pctcore.cat
2009-09-03 21:17 <DIR> --d----- c:\program files\common files\Cisco Systems
2009-09-03 21:13 <DIR> --d----- c:\program files\McAfee
2009-09-03 21:04 <DIR> --d----- c:\windows\Internet Logs
2009-09-03 21:04 125,328 a------- c:\windows\system32\drivers\dne2000.sys
2009-09-03 21:04 106,768 a------- c:\windows\system32\dneinobj.dll
2009-09-03 21:03 <DIR> --d----- c:\program files\common files\Deterministic Networks
2009-09-03 21:03 <DIR> --d----- c:\program files\Cisco Systems
2009-09-03 21:03 1,590 a------- c:\windows\VPNInstall.MIF
2009-09-03 21:03 <DIR> --d----- c:\temp\glvpn5.4.300.temp
2009-09-03 21:03 <DIR> --d----- C:\temp
2009-09-03 18:11 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-09-03 17:19 <DIR> --d----- c:\windows\system32\scripting
2009-09-03 17:19 <DIR> --d----- c:\windows\system32\en
2009-09-03 17:19 <DIR> --d----- c:\windows\l2schemas
2009-09-03 17:19 <DIR> --d----- c:\windows\system32\bits
2009-09-03 17:15 <DIR> --d----- c:\windows\network diagnostic
2009-09-03 17:01 <DIR> --dsh--- c:\documents and settings\me\PrivacIE
2009-09-03 15:54 <DIR> --d----- c:\docume~1\me\applic~1\AVG8
2009-09-03 07:18 <DIR> --dsh--- c:\documents and settings\me\IETldCache
2009-09-03 00:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-09-02 23:41 100,352 -------- c:\windows\system32\dllcache\iecompat.dll
2009-09-02 23:40 <DIR> --d----- c:\windows\ie8updates
2009-09-02 23:40 11,067,392 -------- c:\windows\system32\dllcache\ieframe.dll
2009-09-02 23:40 1,985,536 -------- c:\windows\system32\dllcache\iertutil.dll
2009-09-02 23:40 594,432 -------- c:\windows\system32\dllcache\msfeeds.dll
2009-09-02 23:40 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-09-02 23:40 55,296 -------- c:\windows\system32\dllcache\msfeedsbs.dll
2009-09-02 23:40 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-09-02 23:38 <DIR> -cd-h--- c:\windows\ie8
2009-09-02 17:24 120 a------- c:\windows\Vxobaho.dat
2009-08-31 15:58 <DIR> --d----- c:\program files\ScanScope
2009-08-14 00:06 <DIR> --d----- c:\windows\ServicePackFiles
2009-08-12 23:23 128,512 -------- c:\windows\system32\dllcache\dhtmled.ocx
2009-08-12 23:22 1,315,328 -------- c:\windows\system32\dllcache\msoe.dll
2009-08-12 23:22 2,066,432 -------- c:\windows\system32\dllcache\mstscax.dll

==================== Find3M ====================

2009-09-03 17:23 87,699 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-08-18 18:40 98,304 a------- c:\windows\system32\MILcodec.dll
2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 05:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-19 09:18 5,937,152 -------- c:\windows\system32\dllcache\mshtml.dll
2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-17 15:01 58,880 -------- c:\windows\system32\dllcache\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-13 23:43 10,841,088 -------- c:\windows\system32\dllcache\wmp.dll
2009-07-13 23:43 286,208 -------- c:\windows\system32\dllcache\wmpdxm.dll
2009-07-03 13:09 915,456 a------- c:\windows\system32\wininet.dll
2009-07-03 13:09 915,456 -------- c:\windows\system32\dllcache\wininet.dll
2009-07-03 13:09 1,208,832 -------- c:\windows\system32\dllcache\urlmon.dll
2009-07-03 13:09 206,848 -------- c:\windows\system32\dllcache\occache.dll
2009-07-03 13:09 25,600 -------- c:\windows\system32\dllcache\jsproxy.dll
2009-07-03 13:09 184,320 -------- c:\windows\system32\dllcache\iepeers.dll
2009-07-03 13:09 386,048 -------- c:\windows\system32\dllcache\iedkcs32.dll
2009-07-03 07:01 173,056 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-06-25 04:25 730,112 a------- c:\windows\system32\lsasrv.dll
2009-06-25 04:25 301,568 a------- c:\windows\system32\kerberos.dll
2009-06-25 04:25 147,456 a------- c:\windows\system32\schannel.dll
2009-06-25 04:25 136,192 a------- c:\windows\system32\msv1_0.dll
2009-06-25 04:25 56,832 a------- c:\windows\system32\secur32.dll
2009-06-25 04:25 54,272 a------- c:\windows\system32\wdigest.dll
2009-06-25 04:25 730,112 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-06-25 04:25 301,568 -------- c:\windows\system32\dllcache\kerberos.dll
2009-06-25 04:25 147,456 -------- c:\windows\system32\dllcache\schannel.dll
2009-06-25 04:25 136,192 -------- c:\windows\system32\dllcache\msv1_0.dll
2009-06-25 04:25 56,832 -------- c:\windows\system32\dllcache\secur32.dll
2009-06-25 04:25 54,272 -------- c:\windows\system32\dllcache\wdigest.dll
2009-06-24 07:18 92,928 -------- c:\windows\system32\dllcache\ksecdd.sys
2009-06-22 07:49 117,248 a------- c:\windows\system32\mqtgsvc.exe
2009-06-22 07:49 19,968 a------- c:\windows\system32\mqbkup.exe
2009-06-22 07:49 117,248 -------- c:\windows\system32\dllcache\mqtgsvc.exe
2009-06-22 07:49 19,968 -------- c:\windows\system32\dllcache\mqbkup.exe
2009-06-22 07:49 4,608 a------- c:\windows\system32\mqsvc.exe
2009-06-22 07:49 4,608 -------- c:\windows\system32\dllcache\mqsvc.exe
2009-06-22 07:48 91,776 -------- c:\windows\system32\dllcache\mqac.sys
2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-16 10:36 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 10:36 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
2009-06-12 08:31 80,896 a------- c:\windows\system32\tlntsess.exe
2009-06-12 08:31 80,896 -------- c:\windows\system32\dllcache\tlntsess.exe
2009-06-12 08:31 76,288 a------- c:\windows\system32\telnet.exe
2009-06-12 08:31 76,288 -------- c:\windows\system32\dllcache\telnet.exe
2009-06-10 10:13 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 10:13 84,992 -------- c:\windows\system32\dllcache\avifil32.dll
2009-06-10 09:19 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-06-10 02:14 132,096 a------- c:\windows\system32\wkssvc.dll
2009-06-10 02:14 132,096 -------- c:\windows\system32\dllcache\wkssvc.dll
2008-03-26 15:20 60,968 a------- c:\documents and settings\me\GoToAssistDownloadHelper.exe

============= FINISH: 12:44:44.82 ===============
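As an added example (editor's code, not part of this thread and not part of DDS), here is a small triage script that reads DDS "Pseudo HJT Report" lines like the ones in the log above and flags the entries a helper looks at first: the lockdown policies in the default hive, the populated AppInit_DLLs value, and the orphaned browser add-ons. The sample input is constructed from a subset of the lines in this post.

```python
"""Triage of a DDS 'Pseudo HJT Report' section.

Editor's example, not code from the thread or from DDS. It scans DDS-style
lines and reports the entries worth a second look: policies that hide the
user's repair tools, a populated AppInit_DLLs value, and add-ons whose file
is missing.
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the lines from the DDS log in post #1.
SAMPLE_DDS = """\
uStart Page = hxxp://www.google.com
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\\program files\\mcafee\\virusscan enterprise\\scriptsn.dll
BHO: {BF56A325-23F2-42AD-F4E4-00AAC39CAA53} - No File
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
uRun: [ctfmon.exe] c:\\windows\\system32\\ctfmon.exe
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
AppInit_DLLs: cru629.datr
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\\windows\\system32\\WPDShServiceObj.dll
"""

# Policy values that take away the tools a user needs to inspect or repair the box.
LOCKDOWN_POLICIES = {"DisableTaskMgr", "DisableRegistryTools", "NoFolderOptions"}


@dataclass
class Finding:
    severity: str   # "high" or "medium"
    line: str
    reason: str


# "dPolicies-<hive>: <Name> = <value> (0x..)"  -- d = HKEY_USERS\.default in DDS output
POLICY_RE = re.compile(r"^dPolicies-(\w+):\s*(\w+)\s*=\s*(\d+)")
# Browser Helper Objects, toolbars and explorer bars
ADDON_RE = re.compile(r"^(BHO|TB|EB):\s*(.*)$")
APPINIT_RE = re.compile(r"^AppInit_DLLs:\s*(.+)$")


def triage_dds(text: str) -> list[Finding]:
    """Return the suspicious entries found in a DDS pseudo-HJT section."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = POLICY_RE.match(line)
        if m and m.group(2) in LOCKDOWN_POLICIES and m.group(3) != "0":
            findings.append(Finding("high", line, f"{m.group(2)} policy set in default hive"))
            continue
        m = APPINIT_RE.match(line)
        if m:
            # AppInit_DLLs is loaded into every process that links user32.dll;
            # a value that is not a known vendor DLL is a classic persistence point.
            findings.append(Finding("high", line, f"AppInit_DLLs loads {m.group(1).strip()}"))
            continue
        m = ADDON_RE.match(line)
        if m and m.group(2).endswith("No File"):
            # Orphaned CLSID: harmless by itself, usually left behind after a removal.
            findings.append(Finding("medium", line, f"orphaned {m.group(1)} entry (No File)"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity so a helper can see the shape at a glance."""
    return {sev: sum(1 for f in findings if f.severity == sev) for sev in ("high", "medium")}


if __name__ == "__main__":
    results = triage_dds(SAMPLE_DDS)
    for f in results:
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
    print(summarize(results))
```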

#2 thewall (Malware Response Team)

Posted 06 September 2009 - 12:16 PM

Hello bakaduin :( Welcome to the BC HijackThis Log and Analysis forum. I will be assisting you in cleaning up your system.

I ask that you refrain from running tools other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

Please perform the following:

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instructions can be found HERE
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Please do not post any logs as an attachment unless asked to do so.

Thanks,
thewall
If I have helped you then please consider donating so I can continue the fight against malware.
All donations go directly to the helper.

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#3 bakaduin (Topic Starter)

Posted 06 September 2009 - 05:37 PM

ComboFix 09-09-06.02 - Me 09/06/2009 18:24.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.731 [GMT -4:00]
Running from: c:\documents and settings\Me\Desktop\ComboFix.exe
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\fad.sys
c:\windows\system32\drivers\SKYNETqhowxnms.sys
c:\windows\system32\SKYNETmxepxmpc.dat
c:\windows\system32\SKYNETnsfvxtju.dll
c:\windows\system32\SKYNETqxfuqbje.dat
c:\windows\system32\SKYNETtnkfybwu.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SKYNETmurubxke
-------\Legacy_SKYNETmurubxke


((((((((((((((((((((((((( Files Created from 2009-08-06 to 2009-09-06 )))))))))))))))))))))))))))))))
.

2009-09-06 12:39 . 2009-09-06 12:39 -------- d-----w- c:\windows\system32\NtmsData
2009-09-06 05:05 . 2009-09-06 05:05 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-09-05 19:20 . 2009-09-05 19:20 -------- d-----w- c:\documents and settings\Me\Local Settings\Application Data\Google
2009-09-05 18:57 . 2009-09-05 18:57 -------- d-----w- c:\program files\Trend Micro
2009-09-05 12:32 . 2009-09-05 12:34 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-05 12:32 . 2009-09-05 12:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-05 01:48 . 2009-09-05 18:49 -------- d-----w- C:\QUARANTINE
2009-09-05 01:22 . 2009-09-05 01:22 -------- d-----w- c:\program files\Common Files\McAfee
2009-09-04 23:57 . 2009-09-04 23:57 -------- d-----w- c:\program files\Alwil Software
2009-09-04 22:11 . 2009-09-04 22:36 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-04 20:27 . 2009-09-04 22:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-09-04 01:17 . 2009-09-04 01:17 -------- d-----w- c:\program files\Common Files\Cisco Systems
2009-09-04 01:17 . 2009-09-05 01:23 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-09-04 01:13 . 2009-09-05 01:22 -------- d-----w- c:\program files\McAfee
2009-09-04 01:04 . 2009-09-04 01:04 -------- d-----w- c:\windows\Internet Logs
2009-09-04 01:04 . 2008-03-29 21:36 106768 ----a-w- c:\windows\system32\dneinobj.dll
2009-09-04 01:04 . 2008-03-29 21:36 125328 ----a-w- c:\windows\system32\drivers\dne2000.sys
2009-09-04 01:03 . 2009-09-04 01:03 -------- d-----w- c:\program files\Common Files\Deterministic Networks
2009-09-04 01:03 . 2009-09-04 01:03 -------- d-----w- c:\program files\Cisco Systems
2009-09-04 01:03 . 2009-09-04 01:03 -------- d-----w- c:\temp\glvpn5.4.300.temp
2009-09-04 01:03 . 2009-09-04 01:03 -------- d-----w- C:\temp
2009-09-03 22:30 . 2009-09-03 22:30 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-09-03 22:11 . 2009-09-03 22:11 -------- d--h--w- C:\$AVG8.VAULT$
2009-09-03 21:19 . 2009-09-03 21:19 -------- d-----w- c:\windows\system32\scripting
2009-09-03 21:19 . 2009-09-03 21:19 -------- d-----w- c:\windows\system32\en
2009-09-03 21:19 . 2009-09-03 21:19 -------- d-----w- c:\windows\l2schemas
2009-09-03 21:19 . 2009-09-03 21:19 -------- d-----w- c:\windows\system32\bits
2009-09-03 21:01 . 2009-09-03 21:01 -------- d-sh--w- c:\documents and settings\Me\PrivacIE
2009-09-03 19:54 . 2009-09-03 19:54 -------- d-----w- c:\documents and settings\Me\Application Data\AVG8
2009-09-03 11:53 . 2009-09-03 11:53 -------- d-----w- c:\documents and settings\Me\Local Settings\Application Data\Thunderbird
2009-09-03 11:53 . 2009-09-03 11:53 -------- d-----w- c:\documents and settings\Me\Application Data\Thunderbird
2009-09-03 11:19 . 2009-09-03 11:19 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-09-03 11:18 . 2009-09-03 11:18 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-09-03 11:18 . 2009-09-03 11:18 -------- d-sh--w- c:\documents and settings\Me\IETldCache
2009-09-03 04:27 . 2009-09-04 00:48 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-03 03:41 . 2009-08-07 08:48 100352 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-09-03 03:40 . 2009-09-03 03:41 -------- d-----w- c:\windows\ie8updates
2009-09-03 03:40 . 2009-07-19 22:48 11067392 ------w- c:\windows\system32\dllcache\ieframe.dll
2009-09-03 03:40 . 2009-07-03 17:09 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-09-03 03:40 . 2009-07-03 17:09 594432 ------w- c:\windows\system32\dllcache\msfeeds.dll
2009-09-03 03:40 . 2009-07-03 17:09 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-09-03 03:40 . 2009-07-03 17:09 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2009-09-03 03:40 . 2009-07-03 17:09 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-09-03 03:38 . 2009-09-03 03:40 -------- dc-h--w- c:\windows\ie8
2009-09-02 21:24 . 2009-09-02 21:24 120 ----a-w- c:\windows\Vxobaho.dat
2009-09-02 11:45 . 2009-09-02 11:45 -------- d-----w- c:\documents and settings\Me\Local Settings\Application Data\{2A6AE858-4DB6-4F53-A017-E2A96ED359DF}
2009-08-31 19:58 . 2009-03-20 11:53 44544 ------w- c:\windows\system32\GIF89.DLL
2009-08-31 19:58 . 2009-03-20 11:53 40960 ------w- c:\windows\system32\SSubTmr6.dll
2009-08-31 19:58 . 2009-03-20 11:51 947472 ------w- c:\windows\system32\msjava.dll
2009-08-31 19:58 . 2009-03-20 11:50 344064 ------w- c:\windows\system32\agent.exe
2009-08-31 19:58 . 2009-03-20 11:47 665600 ------w- c:\windows\system32\DXDBGrid.dll
2009-08-31 19:58 . 1998-06-18 05:00 89360 ------w- c:\windows\system32\VB5DB.DLL
2009-08-31 19:58 . 2009-03-20 11:52 69632 ----a-w- c:\windows\system32\MilCacheInfo.dll
2009-08-31 19:58 . 2009-03-20 11:51 37280 ------w- c:\windows\system32\license.bin
2009-08-31 19:58 . 2009-08-18 22:40 98304 ----a-w- c:\windows\system32\MILcodec.dll
2009-08-31 19:58 . 2009-03-20 11:52 4509696 ----a-w- c:\windows\system32\mil.dll
2009-08-31 19:58 . 2009-03-20 11:51 24576 ------w- c:\windows\system32\msxml3a.dll
2009-08-31 19:58 . 2009-08-31 20:11 -------- d-----w- c:\program files\ScanScope
2009-08-14 04:06 . 2009-09-03 21:17 -------- d-----w- c:\windows\ServicePackFiles
2009-08-13 03:22 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-08-13 03:22 . 2009-06-10 13:19 2066432 ------w- c:\windows\system32\dllcache\mstscax.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-05 17:20 . 2006-11-10 01:50 23600 ----a-w- c:\documents and settings\Me\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-05 00:53 . 2009-04-10 06:32 -------- d-----w- c:\program files\Panda Security
2009-08-31 19:58 . 2006-11-03 14:44 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-14 10:58 . 2009-09-04 22:12 7396 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-08-05 09:01 . 2004-08-11 23:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 21:00 . 2009-08-03 20:41 -------- d-----w- c:\documents and settings\All Users\Application Data\10002654
2009-07-31 13:55 . 2008-02-17 17:03 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-28 14:56 . 2006-11-03 14:46 -------- d-----w- c:\program files\CyberLink
2009-07-28 14:38 . 2009-07-28 14:38 -------- d-----w- c:\program files\Common Files\Software Update Utility
2009-07-28 14:37 . 2006-11-03 14:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-07-28 14:37 . 2009-07-28 14:37 -------- d-----w- c:\documents and settings\All Users\Application Data\acccore
2009-07-28 14:37 . 2006-12-14 14:22 -------- d-----w- c:\program files\AIM6
2009-07-28 14:36 . 2006-11-10 02:38 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL Downloads
2009-07-17 19:01 . 2004-08-11 23:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-17 01:38 . 2009-07-17 01:38 -------- d-----w- c:\program files\Veetle
2009-07-14 03:43 . 2004-08-11 23:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2004-08-11 23:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-25 18:36 . 2004-08-11 23:00 95744 ----a-w- c:\windows\system32\mqsec.dll
2009-06-25 18:36 . 2004-08-11 23:00 661504 ----a-w- c:\windows\system32\mqqm.dll
2009-06-25 18:36 . 2004-08-11 23:00 517120 ----a-w- c:\windows\system32\mqsnap.dll
2009-06-25 18:36 . 2004-08-11 23:00 48640 ----a-w- c:\windows\system32\mqupgrd.dll
2009-06-25 18:36 . 2004-08-11 23:00 471552 ----a-w- c:\windows\system32\mqutil.dll
2009-06-25 18:36 . 2004-08-11 23:00 47104 ----a-w- c:\windows\system32\mqdscli.dll
2009-06-25 18:36 . 2004-08-11 23:00 225280 ----a-w- c:\windows\system32\mqoa.dll
2009-06-25 18:36 . 2004-08-11 23:00 186880 ----a-w- c:\windows\system32\mqtrig.dll
2009-06-25 18:36 . 2004-08-11 23:00 177152 ----a-w- c:\windows\system32\mqrt.dll
2009-06-25 18:36 . 2004-08-11 23:00 16896 ----a-w- c:\windows\system32\mqise.dll
2009-06-25 18:36 . 2004-08-11 23:00 138240 ----a-w- c:\windows\system32\mqad.dll
2009-06-25 18:36 . 2004-08-11 23:00 123392 ----a-w- c:\windows\system32\mqrtdep.dll
2009-06-25 08:25 . 2004-08-11 23:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-11 23:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-11 23:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-11 23:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2004-08-11 23:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-11 23:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2004-08-11 23:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-22 11:49 . 2004-08-11 23:00 19968 ----a-w- c:\windows\system32\mqbkup.exe
2009-06-22 11:49 . 2004-08-11 23:00 117248 ----a-w- c:\windows\system32\mqtgsvc.exe
2009-06-22 11:49 . 2004-08-11 23:00 4608 ----a-w- c:\windows\system32\mqsvc.exe
2009-06-22 11:48 . 2004-08-11 23:00 91776 ----a-w- c:\windows\system32\drivers\mqac.sys
2009-06-22 10:54 . 2009-06-22 10:54 93 ------w- c:\windows\system32\SKYNET.dat
2009-06-16 14:36 . 2004-08-11 23:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2004-08-11 23:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 12:31 . 2004-08-11 23:00 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2004-08-11 23:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2004-08-11 23:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 13:19 . 2004-08-11 23:11 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2004-08-11 23:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-06-29 1032192]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-11-03 26112]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-12-11 286720]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2009-01-16 136512]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2009-04-30 124240]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2006-11-3 156784]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-11-3 24576]
Gatorlink VPN Client.lnk - c:\windows\Installer\{51FB15F4-AD27-43BC-AD4B-DD0354FB6BBD}\Icon3E5562ED7.ico [2009-9-3 6144]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-03-26 19:18 10792 ----a-w- c:\program files\Citrix\GoToAssist\480\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /p \??\C:\0autocheck autochk *

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=

R2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\EngineServer.exe [4/29/2009 8:07 PM 21256]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2/25/2008 6:28 AM 24652]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [11/3/2006 10:27 AM 87936]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKLM-Run-ClamWin - c:\program files\ClamWin\bin\ClamTray.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-06 18:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1236)
c:\program files\Citrix\GoToAssist\480\G2AWinLogon.dll
c:\windows\System32\BCMLogon.dll
.
Completion time: 2009-09-06 18:35
ComboFix-quarantined-files.txt 2009-09-06 22:34

Pre-Run: 62,830,157,824 bytes free
Post-Run: 63,667,462,144 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

224 --- E O F --- 2009-09-05 12:11

#4 thewall (Malware Response Team)

Posted 06 September 2009 - 06:34 PM

Looks like a good run of CF. Let's check for rootkits one more time with another program:

We need to scan for Rootkits with GMER
  • Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Close any and all open programs, as this process may crash your computer.
  • Double click the downloaded GMER file on your desktop.
  • Allow the gmer.sys driver to load if asked.
  • You may see this window. If you do, click No.
  • Click on Scan and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Save ... and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.


#5 bakaduin

bakaduin
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:03:15 AM

Posted 06 September 2009 - 08:28 PM

GMER 1.0.15.15077 [ogk62m0v.exe] - http://www.gmer.net
Rootkit scan 2009-09-06 21:28:03
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

Code \??\C:\DOCUME~1\Me\LOCALS~1\Temp\catchme.sys pIofCallDriver

---- Kernel code sections - GMER 1.0.15 ----

? Combo-Fix.sys The system cannot find the file specified. !
? C:\DOCUME~1\Me\LOCALS~1\Temp\catchme.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Documents and Settings\Me\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 15, 00]
.text C:\Documents and Settings\Me\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Documents and Settings\Me\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 15, 00]
.text C:\Documents and Settings\Me\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text C:\Documents and Settings\Me\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 15, 00]
.text C:\Documents and Settings\Me\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text C:\Documents and Settings\Me\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90EB1A
.text C:\Documents and Settings\Me\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Documents and Settings\Me\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 15, 00]
.text C:\Documents and Settings\Me\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text C:\Documents and Settings\Me\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 15, 00]
.text C:\Documents and Settings\Me\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text C:\Documents and Settings\Me\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 15, 00]
.text C:\Documents and Settings\Me\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text C:\Documents and Settings\Me\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90EB8B
.text C:\Documents and Settings\Me\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text C:\Documents and Settings\Me\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 15, 00]
.text C:\Documents and Settings\Me\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text C:\Documents and Settings\Me\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90ECB9
.text C:\Documents and Settings\Me\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text C:\Documents and Settings\Me\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 15, 00]
.text C:\Documents and Settings\Me\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text C:\Documents and Settings\Me\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 15, 00]
.text C:\Documents and Settings\Me\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2924] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[844] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] [00EE2BC8] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Zone Labs, LLC)
IAT C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[844] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!UnhandledExceptionFilter] [00EE2CE9] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Zone Labs, LLC)
IAT C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[844] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!TerminateProcess] [00EE2CB8] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Zone Labs, LLC)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Fastfat \Fat A959BD20

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETmurubxke@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETmurubxke@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETmurubxke@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETmurubxke@imagepath \systemroot\system32\drivers\SKYNETqhowxnms.sys
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETmurubxke\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETmurubxke\main@aid 10096
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETmurubxke\main@sid 0
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETmurubxke\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETmurubxke\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETmurubxke\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETmurubxke\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETmurubxke\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETmurubxke\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETmurubxke\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETqhowxnms.sys
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETmurubxke\modules@SKYNETcmd.dll \systemroot\system32\SKYNETnsfvxtju.dll
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETmurubxke\modules@SKYNETlog.dat \systemroot\system32\SKYNETqxfuqbje.dat
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETmurubxke\modules@SKYNETwsp.dll \systemroot\system32\SKYNETtnkfybwu.dll
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETmurubxke\modules@SKYNET.dat \systemroot\system32\SKYNETmxepxmpc.dat

---- EOF - GMER 1.0.15 ----
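The registry section of the GMER log above is the interesting part for a responder: a hidden service with a random-looking name, a "modules" subkey mapping logical names (SKYNETrk.sys, SKYNETcmd.dll, ...) to renamed files under system32, and the "(not active ControlSet)" marker showing the keys live in ControlSet003 rather than the control set Windows booted from. The following parser is an added example for this thread, not GMER's own code and not something the helper posted. It reads the "Reg" lines, groups them by service, and flags a service when its name ends in eight random lowercase letters after a fixed prefix that all of its "modules" entries share. That naming heuristic is an assumption modelled on the posted log, and the sample log below is a constructed excerpt of it with one made-up benign service ("ExampleSvc") added to show that ordinary services are not flagged.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the GMER registry section posted above, plus one
# made-up benign service ("ExampleSvc") that must not be flagged.
SAMPLE_GMER_LOG = r"""
---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETmurubxke@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETmurubxke@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETmurubxke@imagepath \systemroot\system32\drivers\SKYNETqhowxnms.sys
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETmurubxke\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETmurubxke\main@aid 10096
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETmurubxke\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETmurubxke\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETmurubxke\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETqhowxnms.sys
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETmurubxke\modules@SKYNETcmd.dll \systemroot\system32\SKYNETnsfvxtju.dll
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETmurubxke\modules@SKYNETlog.dat \systemroot\system32\SKYNETqxfuqbje.dat
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETmurubxke\modules@SKYNETwsp.dll \systemroot\system32\SKYNETtnkfybwu.dll
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETmurubxke\modules@SKYNET.dat \systemroot\system32\SKYNETmxepxmpc.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\ExampleSvc@start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\ExampleSvc@imagepath \systemroot\system32\drivers\example.sys
"""

# GMER registry lines look like:  Reg <key>[@<value name>] [<data>]
REG_LINE = re.compile(r"^Reg\s+(\S+)(?:\s+(.*))?$")
SERVICE_KEY = re.compile(r"\\(ControlSet\d+|CurrentControlSet)\\Services\\([^\\]+)", re.IGNORECASE)
# Heuristic (assumption): fixed prefix of 3+ letters followed by 8 random lowercase letters,
# as in "SKYNET" + "murubxke" in the posted log.
RANDOM_SUFFIX = re.compile(r"^([A-Za-z]{3,})([a-z]{8})$")


def parse_reg_lines(log_text):
    """Yield (key, value_name, data) for every 'Reg ...' line in a GMER log."""
    for line in log_text.splitlines():
        m = REG_LINE.match(line.strip())
        if not m:
            continue
        target, data = m.group(1), (m.group(2) or "").strip()
        key, _, value_name = target.partition("@")  # value name follows '@', if any
        yield key, value_name, data


def extract_rootkit_indicators(log_text):
    """Group registry lines per service and return those matching the TDSS-style layout."""
    services = defaultdict(lambda: {"values": {}, "modules": {},
                                    "inactive_controlset": False, "control_set": None})
    for key, value_name, data in parse_reg_lines(log_text):
        sm = SERVICE_KEY.search(key)
        if not sm:
            continue
        svc = services[sm.group(2)]
        svc["control_set"] = sm.group(1)
        if "(not active ControlSet)" in data:
            svc["inactive_controlset"] = True  # leftover keys in a control set not booted from
        if not value_name:
            continue
        if key.lower().endswith("\\modules"):
            svc["modules"][value_name] = data   # logical name -> on-disk path
        else:
            svc["values"][value_name.lower()] = data

    findings = {}
    for name, svc in services.items():
        m = RANDOM_SUFFIX.match(name)
        if not m:
            continue
        prefix = m.group(1)
        module_names = list(svc["modules"])
        # Require the "modules" table and the shared prefix before flagging anything.
        if not module_names or not all(mod.startswith(prefix) for mod in module_names):
            continue
        files = {svc["values"].get("imagepath")} | set(svc["modules"].values())
        files.discard(None)
        findings[name] = {
            "prefix": prefix,
            "control_set": svc["control_set"],
            "inactive_controlset": svc["inactive_controlset"],
            "start": svc["values"].get("start"),
            "files": sorted(files),   # every on-disk artefact the service points at
        }
    return findings


if __name__ == "__main__":
    for name, info in extract_rootkit_indicators(SAMPLE_GMER_LOG).items():
        state = "inactive control set" if info["inactive_controlset"] else "ACTIVE control set"
        print(f"{name} (family prefix {info['prefix']}, {info['control_set']}, {state})")
        for path in info["files"]:
            print("   ", path)
```

Run against the posted log the output is one service, SKYNETmurubxke, with five distinct file paths, all in ControlSet003 and marked inactive, which is consistent with the helper's reading that the scan "looks OK": the keys are residue in a control set that is no longer booted, and the Kaspersky report later in the thread finds the corresponding files only inside ComboFix's quarantine folder. A hit in CurrentControlSet would be the result to worry about.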

#6 thewall

thewall

Posted 06 September 2009 - 09:20 PM

That looks OK, let's do a little updating to be rid of some vulnerable areas that can be exploited by Malware:


Please uninstall the older version of Adobe Reader before installing the latest version:

* Click Start
* Control Panel
* Double-click on Add/Remove Programs
* Locate the older version of Adobe Reader and click on Change/Remove to uninstall it
* Click HERE to download the latest version of Adobe Acrobat Reader.
* Select your Windows version and click on Download. If you are using Internet Explorer, you will receive prompts. Allow the installation to be run and it will be installed automatically for you. If you are using other browsers, it will prompt you to save a file. Save this file to your desktop and run it to install the latest version of Adobe Reader.
* Close your Internet browser and open it again.







Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older-version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 16.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u16-windows-i586.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.



When this is completed let me know how everything is running now and if any problems are persisting.

#7 bakaduin

bakaduin
  • Topic Starter

Posted 07 September 2009 - 11:15 AM

Don't know what you did but seems to have really helped! Defrag is now working and when I turned on my computer this morning the Chkdsk I had set to run on start up 3 days ago (and that never did) ran as well. I'm also not getting redirected when I search anymore. Thank you so much for the help!

One question, what is that "SKYNET" from those last two logs you had me post?

#8 thewall

thewall

Posted 07 September 2009 - 11:56 AM

Well that sounds good. :( Always nice to see we are headed in the right direction.

"SKYNET" is a version of the TDSS rootkit; these things show up under various names and we are constantly running into new ones which are causing more and more problems and becoming harder to remove. These things are really mean and, as I just told another poster, the people who write them don't care what damage they do. Their sole aim is to make money in an illegal manner.

I would still like for you to run one last scan. It sometimes takes quite a bit for this one to complete itself but it is very thorough and we don't want to leave anything on the unit which may come back to cause you problems later. It was necessary for the Java update above to be installed so this one would run along with getting the old stuff off of your computer.

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires Java Runtime Environment (JRE) to be installed before scanning for malware, as ActiveX is no longer being used.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Open the Kaspersky WebScanner
    page.
  • Click on the Posted Image button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the Posted Image button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the Posted Image button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the Posted Image button, if you made any changes.
  • Now under the Scan section on the left, select My Computer.
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type change the type to Text file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis if needed.

Edited by thewall, 07 September 2009 - 11:58 AM.


#9 bakaduin

bakaduin
  • Topic Starter

Posted 07 September 2009 - 03:43 PM

Kaspersky:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Monday, September 7, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Monday, September 07, 2009 20:22:58
Records in database: 2757058
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\

Scan statistics:
Objects scanned: 54536
Threats found: 3
Infected objects found: 3
Suspicious objects found: 0
Scan duration: 02:13:04


File name / Threat / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\SKYNETqhowxnms.sys.vir Infected: Rootkit.Win32.TDSS.q 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\SKYNETnsfvxtju.dll.vir Infected: Trojan.Win32.Monder.cpxu 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\SKYNETtnkfybwu.dll.vir Infected: Trojan.Win32.Small.cad 1

Selected area has been scanned.

#10 thewall

thewall

Posted 07 September 2009 - 04:10 PM

No problems there, those will be gone when we uninstall ComboFix. Let me know if everything still seems to be OK and we can probably wrap up.

#11 bakaduin

bakaduin
  • Topic Starter

Posted 07 September 2009 - 06:22 PM

Everything seems good!

#12 thewall

thewall

Posted 07 September 2009 - 08:50 PM

Well then from everything I am seeing you are clean now. :(

A little bit of tool removal and some last suggestions and we can close it up.


We will now uninstall ComboFix:
Go to Start > Run - type in ComboFix /u (case insensitive) >>OK


You can also go ahead and delete both GMER and RootRepeal from your Desktop if you haven't already done so.



Below are some steps to follow in order to dramatically lower the chances of reinfection.
You may have already implemented some of the steps below; however, you should follow any steps that you have not already implemented.
  • Make sure you install all the security updates for Windows, Internet Explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch for it so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC, so keeping up with these patches will help to prevent malicious software being installed on your PC.
    Go here to check for & install updates to Microsoft applications.
    Note: The update process uses ActiveX, so you will need to use Internet Explorer for it, and allow the ActiveX control that it wants to install.
  • Keep your non-Microsoft applications updated as well
    Microsoft isn't the only company whose products can contain security vulnerabilities. To check for other vulnerable programs running on your PC that are in need of an update, you can use the Secunia Software Inspector - I suggest that you run it at least once a month.
  • Make Internet Explorer more secure
    Click Start > Run
    Type Inetcpl.cpl & click OK
    Click on the Security tab
    Click Reset all zones to default level
    Make sure the Internet Zone is selected & Click Custom level
    In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    Next Click OK, then Apply button and then OK to exit the Internet Properties page.
  • Install SpywareBlaster & make sure to update it regularly
    SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
    If you don't know what activex controls are, see here
    You can download SpywareBlaster from here
  • Install the MVPs hosts file, and update it regularly
    You can use the HostMan host file manager to do this automatically if you wish.
    For more information on the hosts file, and what it can do for you, you can view the Tutorial on the Hosts file.
  • Install a-squared Free & update and scan with it regularly
    a-squared free is a product from Emsi Software provided free for private use that can detect and remove a variety of malicious software. You can get it here
    Note: If you have a dialup internet connection, you may also like to install a-squared Anti-Dialer which provides some real time protection against premium rate dialers
  • Finally, this is very important. It is absolutely essential to keep all of your security programs up to date



If you have any other questions or issues feel free to ask as I will be checking back on this topic.



Other than that if there is nothing else I can do for you then I wish you good luck in the future and thank you for using our forum. :(


thewall
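The hosts-file advice above cuts both ways: a blocklist such as the MVPs hosts file maps ad and tracking hosts to 0.0.0.0 so they never resolve, but the same file is also a favourite place for a search redirector to park entries that send google.com or an anti-malware vendor's site to an address the attacker controls. The auditor below is an added example for this thread (not HostMan, not part of the MVPs project) that tells the two apart on a copy of the file: it treats mappings to loopback or 0.0.0.0 as sinkholes and any other mapping of a watched domain as a hijack. The watchlist of domains and the sample hosts file are constructed for the example; 192.0.2.10 is an RFC 5737 documentation address, not a real redirect target. On Windows the live file is %SystemRoot%\System32\drivers\etc\hosts.

```python
import ipaddress

# Constructed sample hosts file. The first two entries are the stock localhost lines,
# the 0.0.0.0 lines are blocklist-style entries like those the MVPs file installs,
# and the last two lines are the kind of hijack a search redirector plants.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0 ads.example.net        # blocklist entry
0.0.0.0 tracker.example.org    # blocklist entry
192.0.2.10      www.google.com search.yahoo.com
192.0.2.10      www.malwarebytes.org
"""

# Constructed watchlist (assumption): domains that should never be overridden locally.
PROTECTED_SUFFIXES = ("google.com", "yahoo.com", "bing.com",
                      "microsoft.com", "malwarebytes.org", "bleepingcomputer.com")


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs, skipping comments, blanks and malformed lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                           # not an address: ignore rather than crash
        for host in parts[1:]:                 # one line may name several hosts
            yield ip, host.lower()


def is_protected(host):
    """True when host equals or is a subdomain of a watched domain."""
    return any(host == s or host.endswith("." + s) for s in PROTECTED_SUFFIXES)


def audit_hosts(text):
    """Classify each mapping: sinkhole (blocked), hijack (watched domain redirected),
    or other_redirect (unknown host pointed at a real address; review manually)."""
    result = {"sinkholes": [], "hijacks": [], "other_redirects": []}
    for ip, host in parse_hosts(text):
        if host == "localhost":
            continue                           # stock entry, not a blocklist line
        if ip.is_loopback or ip.is_unspecified:
            result["sinkholes"].append(host)
        elif is_protected(host):
            result["hijacks"].append((host, str(ip)))
        else:
            result["other_redirects"].append((host, str(ip)))
    return result


if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    print(f"{len(report['sinkholes'])} blocklist entries")
    for host, ip in report["hijacks"]:
        print(f"HIJACK: {host} -> {ip}")
    for host, ip in report["other_redirects"]:
        print(f"review: {host} -> {ip}")
```

A clean machine with the MVPs file installed produces thousands of sinkhole entries and no hijacks; a single hijack line for a search engine or security vendor is exactly the symptom the topic starter described, and it survives browser reinstalls because the browser is not where the redirect lives.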

#13 thewall

thewall

Posted 10 September 2009 - 10:01 AM

Since this issue appears to be resolved ... this Topic has been closed.

If you're the topic starter and need this topic reopened, please contact me via PM with the address of the thread.

Everyone else please begin a New Topic.