Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

rootkit attack! [Computer 2] can't run antivirus or antimalware utilities


  • This topic is locked This topic is locked
13 replies to this topic

#1 jsteinpka

jsteinpka

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:05:35 PM

Posted 07 September 2009 - 12:26 AM

Hi,

I was asked to move my topic here by boopme.

Here is the problem:

My PC running XP is infected with something terrible. I hope somebody here can help! Here are the symptoms:

-Firefox will not open
-Internet Explorer has been hijacked and takes me to random pages when I click on Google links
-All of my antivirus programs and spyware programs have now failed.
--AVG would not run a scan, so I tried to uninstall it, and that does not work
--Now I cannot install any other antivirus programs because AVG wont uninstall
--Ad-Aware shuts down when I try to run a scan (ERROR: System error: 1814 has occurred. Description: Could not login to service. Are you running this application as another user?Application terminates) (ERROR 2: Scanner error: 5001 has occurred. Description: Can't start Smart Scan, scanner is busy!)
--Malwarebytes Anti-Malware shuts down when I try to run a scan, and then wont re-open again (i have tried installing, changing the mbam.exe filename, that doesnt work either)
-DDS.scr just freezes up when I try to run it (also when renamed)
-GMER.exe doesn't run either
- _ex-08.exe has infiltrated my system, along with FI.exe, find.exe, and more I'm sure

I was able to run the Kaspersky online scanner, which detected many versions of Trojan-Spy.Win32.Agent.azpj along with several other trojans (but the online scanner does not remove them and I cannot install Kaspersky because AVG wont uninstall

I tried to run RootRepeal and I got as far as clicking all 7 boxes and scanning, then 5 seconds in the scanner closed and wouldn't reopen, or run in safe mode.

Please help me!!

Here is the win32kdiag log:

Log file is located at: C:\Documents and Settings\Owner\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB904706\KB904706

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB915865\KB915865

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB918899\KB918899

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB922760\KB922760

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB925454\KB925454

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB928090\KB928090

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB929338\KB929338

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB937143\KB937143

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB939653\KB939653

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB941568\KB941568

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB942615\KB942615

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB944533\KB944533

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB947864\KB947864

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPED.tmp\ZAPED.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPFB.tmp\ZAPFB.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ftpcache\ftpcache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\inf\ASM\ASM

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\1F3B805BA42A0C233B0158879691FE82\2.1.21022\2.1.21022

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\UserDumps\UserDumps

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\batch\batch

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe

[1] 2008-04-13 20:12:21 744448 C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe ()

[1] 2008-04-13 20:12:21 744448 C:\WINDOWS\ServicePackFiles\i386\helpsvc.exe (Microsoft Corporation)



Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\News\News

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1025\1025

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1028\1028

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1031\1031

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1037\1037

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1041\1041

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1042\1042

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1054\1054

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\2052\2052

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3076\3076

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\appmgmt\MACHINE\MACHINE

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-1843552209-3963088171-3400529718-1006\S-1-5-21-1843552209-3963088171-3400529718-1006

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Google\Google

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Identities\{26D90C04-503D-4597-A8F9-D49FBDB00EFD}\{26D90C04-503D-4597-A8F9-D49FBDB00EFD}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\Credentials

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Crypto\RSA\RSA

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\IdentityCRL\production\production

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\MMC\MMC

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\SampleView\SampleView

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\You've Got Pictures Screensaver\PictureDir\PictureDir

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\Custom Buttons\Enterprise\Enterprise

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\Custom Buttons\Overrides\Overrides

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\Credentials

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Money\15.0\Webcache\Webcache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\OFFICE\OFFICE

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\My Received Files\My Received Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\WINDOWS\system\system

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\dhcp\dhcp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\dumprep.exe

[1] 2008-04-13 20:12:18 10752 C:\WINDOWS\ServicePackFiles\i386\dumprep.exe (Microsoft Corporation)

[1] 2008-04-13 20:12:18 10752 C:\WINDOWS\system32\dumprep.exe ()



Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2008-04-13 20:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 20:11:53 62976 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-13 20:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)



Found mount point : C:\WINDOWS\system32\export\export

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\LogFiles\WUDF\WUDF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\Microsoft\Crypto\RSA\MachineKeys\MachineKeys

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\sample\sample

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wins\wins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\xircom\xircom

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^



Finished!

Edited by jsteinpka, 07 September 2009 - 07:50 PM.


BC AdBot (Login to Remove)

 


#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:11:35 PM

Posted 08 September 2009 - 06:59 AM

Hi jsteinpka,

Welcome to BC HijackThis forum and sorry for the delay. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Information on A/V control HERE)
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.

#3 jsteinpka

jsteinpka
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:05:35 PM

Posted 08 September 2009 - 05:26 PM

Hi farbar,

Thanks for helping me with my problem!

Here is the combofix log:

ComboFix 09-09-08.02 - Owner 09/08/2009 17:57.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.402 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Application Data\wiaserva.log
c:\recycler\S-1-5-21-1087535184-507964475-1744964814-500
c:\recycler\S-1-5-21-1527782239-542040487-3850490872-500
c:\recycler\S-1-5-21-2070051904-3397552951-3790156412-500
c:\recycler\S-1-5-21-3004327122-2867795071-1980883787-500
c:\recycler\S-1-5-21-3673700948-2227381778-3754872131-500
c:\recycler\S-1-5-21-780100456-819808200-3623492556-500
c:\windows\bdagent .INI
c:\windows\Installer\5a8d1d3.msp
c:\windows\Installer\5a8d212.msp
c:\windows\Installer\6ef0361.msi
c:\windows\kb913800.exe
c:\windows\run.log
c:\windows\system32\bakidkgc.ini
c:\windows\system32\bsswngxm.ini
c:\windows\system32\cJQqAcdd.ini
c:\windows\system32\cJQqAcdd.ini2
c:\windows\system32\drivers\npf.sys
c:\windows\system32\drivers\UACd.sys
c:\windows\system32\ealpdiec.ini
c:\windows\system32\ebstnypa.ini
c:\windows\system32\ednedcor.ini
c:\windows\system32\ejakepif.ini
c:\windows\system32\FijRYJjl.ini
c:\windows\system32\FijRYJjl.ini2
c:\windows\system32\hrociynf.ini
c:\windows\system32\iqxovudt.ini
c:\windows\system32\LVCOMSX .EXE
c:\windows\system32\net.net
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\rqojbibi.ini
c:\windows\system32\tmp.reg
c:\windows\system32\unahvsud.ini
c:\windows\system32\vqbwruaf.ini
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll
c:\windows\system32\wpgfrovv.ini
c:\windows\system32\xIhilUvw.ini
c:\windows\system32\xIhilUvw.ini2
c:\windows\system32\xmreoult.ini
c:\windows\system32\ynrgxbhc.ini
c:\windows\Tasks\aavexxpc.job
D:\Autorun.inf

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\eventlog.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DOMAINSERVICE
-------\Legacy_NPF
-------\Legacy_SYSREST.SYS
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Service_npf


((((((((((((((((((((((((( Files Created from 2009-08-08 to 2009-09-08 )))))))))))))))))))))))))))))))
.

2009-09-07 04:03 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-07 04:03 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-07 04:00 . 2009-09-07 04:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-07 03:33 . 2009-09-07 03:33 -------- d-----w- c:\documents and settings\Owner\DoctorWeb
2009-09-06 13:50 . 2009-09-06 13:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-09-05 02:28 . 2009-09-05 02:28 -------- d-----w- c:\documents and settings\LocalService\Application Data\Talkback
2009-09-05 02:27 . 2009-09-05 02:27 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Mozilla
2009-09-05 02:27 . 2009-09-05 02:27 -------- d-----w- c:\documents and settings\LocalService\Application Data\Trusteer
2009-09-04 01:54 . 2009-09-04 16:36 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2009-09-04 01:53 . 2009-09-04 01:53 -------- d-----w- c:\program files\Common Files\iS3
2009-09-04 01:53 . 2009-09-08 21:51 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-08-27 22:15 . 2008-12-11 12:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-08-27 22:15 . 2009-04-03 14:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-08-27 22:15 . 2008-12-18 15:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-08-27 22:15 . 2009-08-27 22:17 -------- d-----w- c:\program files\Common Files\PC Tools
2009-08-27 22:15 . 2008-12-10 15:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-08-27 22:15 . 2009-08-27 22:15 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-08-23 20:43 . 2009-08-24 16:00 -------- d-----w- c:\documents and settings\All Users\Application Data\13559064

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-08 22:09 . 2006-08-27 23:51 12 ----a-w- c:\windows\bthservsdp.dat
2009-09-08 21:57 . 2006-08-23 19:54 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\SampleView
2009-09-08 01:55 . 2009-09-08 01:55 688 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg
2009-09-07 04:01 . 2008-04-12 16:18 -------- d-----w- c:\program files\Mozilla Firefox 3 Beta 5
2009-09-06 20:56 . 2006-09-09 22:44 -------- d-----w- c:\program files\isoBuster
2009-09-06 20:54 . 2006-10-07 17:17 -------- d-----w- c:\program files\Black Hawk Down
2009-09-06 15:46 . 2008-11-27 20:07 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-05 02:55 . 2007-10-21 21:20 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-03 00:03 . 2006-08-28 05:15 -------- d-----w- c:\documents and settings\Owner\Application Data\Azureus
2009-08-28 12:32 . 2008-11-27 20:08 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-28 12:32 . 2008-11-27 20:08 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-28 12:32 . 2008-11-27 20:08 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-27 03:38 . 2009-08-27 03:38 784732 ----a-w- c:\windows\system32\xa.tmp
2009-07-29 22:52 . 2009-07-29 22:52 -------- d-----w- c:\documents and settings\Owner\Application Data\Trusteer
2009-07-29 22:52 . 2009-07-29 22:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Trusteer
2009-07-29 22:52 . 2009-07-29 22:52 -------- d-----w- c:\program files\Trusteer
2009-07-20 18:57 . 2009-07-20 18:57 17408 ----a-r- c:\windows\system32\SZIO5.dll
2009-07-20 18:56 . 2009-07-20 18:56 311296 ----a-r- c:\windows\system32\SZBase5.dll
2009-07-20 18:56 . 2009-07-20 18:56 540672 ----a-r- c:\windows\system32\SZComp5.dll
2009-07-09 19:52 . 2009-07-09 19:52 126976 ----a-r- c:\windows\system32\IS3HTUI5.dll
2009-07-09 19:52 . 2009-07-09 19:52 393216 ----a-r- c:\windows\system32\IS3DBA5.dll
2009-07-09 19:51 . 2009-07-09 19:51 385024 ----a-r- c:\windows\system32\IS3UI5.dll
2009-07-09 19:51 . 2009-07-09 19:51 61440 ----a-r- c:\windows\system32\IS3Hks5.dll
2009-07-09 19:51 . 2009-07-09 19:51 23040 ----a-r- c:\windows\system32\IS3XDat5.dll
2009-07-09 19:50 . 2009-07-09 19:50 225280 ----a-r- c:\windows\system32\IS3Win325.dll
2009-07-09 19:50 . 2009-07-09 19:50 94208 ----a-r- c:\windows\system32\IS3Inet5.dll
2009-07-09 19:50 . 2009-07-09 19:50 90112 ----a-r- c:\windows\system32\IS3Svc5.dll
2009-07-09 19:47 . 2009-07-09 19:47 724992 ----a-r- c:\windows\system32\IS3Base5.dll
2009-08-27 22:46 . 2007-09-21 19:31 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2009-08-27 22:46 . 2007-09-21 19:31 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2009-08-27 22:46 . 2007-09-21 19:31 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2009-08-27 22:46 . 2007-09-21 19:31 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2009-08-27 22:46 . 2007-09-21 19:31 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FB266D2C-E4E0-4416-8539-CB6088C53C94}]
2004-08-10 19:00 119296 ----a-w- c:\windows\system32\ozkzndt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-09-18 7204864]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil9b.exe" [2006-11-09 190072]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-28 12:32 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\syfvlybm]
2004-08-10 19:00 119296 ----a-w- c:\windows\system32\ozkzndt.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal2.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddpswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddjswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddtime.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [8/27/2009 06:15 PM 130936]
R0 szkg5;szkg;c:\windows\system32\drivers\SZKG.sys [5/12/2009 02:13 PM 61328]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/27/2008 04:08 PM 335240]
R1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [7/29/2009 06:52 PM 58728]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [7/29/2009 06:52 PM 301928]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [11/27/2008 04:07 PM 297752]
R2 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe -service --> c:\windows\system32\lxddcoms.exe -service [?]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [7/29/2009 06:52 PM 918760]
R3 USBNET_XP;Instant Wireless XP USB Network Adapter ver.2.6 Driver;c:\windows\system32\drivers\netusbxp.sys [8/27/2006 07:39 PM 72576]
S2 lxddCATSCustConnectService;lxddCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxddserv.exe [5/16/2008 10:46 AM 99248]
S3 ctlsb16;Creative SB16/AWE32/AWE64 Driver (WDM);c:\windows\system32\drivers\ctlsb16.sys [11/27/2008 12:27 AM 96256]
S3 rootrepeal2;rootrepeal2;\??\c:\windows\system32\drivers\rootrepeal2.sys --> c:\windows\system32\drivers\rootrepeal2.sys [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe --> c:\program files\Spyware Doctor\pctsAuxs.exe [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
nakqelwi
.
Contents of the 'Scheduled Tasks' folder

2009-09-08 c:\windows\Tasks\At1.job
- c:\windows\system32\ozkzndt.dll [2005-01-09 19:00]

2006-08-23 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2005-01-10 00:12]
.
- - - - ORPHANS REMOVED - - - -

BHO-{7404F611-4861-47DB-A3E5-7883F346D1A5} - c:\windows\system32\ljJYRjiF.dll
BHO-{B6EB502C-A896-42F7-A3F2-76A146E036CD} - c:\windows\system32\ddcAqQJc.dll
BHO-{DE01AC63-8551-4CDD-8EA9-465BBE180C24} - c:\windows\system32\wvUlihIx.dll
Toolbar-SITEguard - (no file)
Notify-WgaLogon - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
mStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\xad9k94g.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - plugin: c:\program files\Mozilla Firefox 3 Beta 5\plugins\npdivx32.dll
FF - plugin: c:\program files\Mozilla Firefox 3 Beta 5\plugins\npnul32.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-08 18:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(864)
c:\program files\Trusteer\Rapport\bin\rooksbas.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\progra~1\MICROS~3\rapimgr.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\windows\system32\lxddcoms.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\program files\Trusteer\Rapport\bin\RapportService.exe
.
**************************************************************************
.
Completion time: 2009-09-08 18:21 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-08 22:21
ComboFix2.txt 2008-11-30 20:54

Pre-Run: 137,222,901,760 bytes free
Post-Run: 137,652,539,392 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

249 --- E O F --- 2009-01-14 08:03

#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:11:35 PM

Posted 08 September 2009 - 05:51 PM

Well done. :(

Your log(s) show that you are using so called peer-to-peer or file-sharing programs. These programs allow to share files between users as the name(s) suggest. In today's world the cyber crime has come to an enormous dimension and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools and thus suggested to be used with intense care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."


Removal Instructions

Please perform the steps fully and in the order they are written.
  • Open notepad and copy/paste the text in the code box below into it:

    http://www.bleepingcomputer.com/forums/t/255759/rootkit-attack-computer-2-cant-run-antivirus-or-antimalware-utilities/
    
    Collect::
    c:\windows\system32\ozkzndt.dll
    Drive::
    nakqelwi
    NetSvc::
    nakqelwi
    AtJob::
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FB266D2C-E4E0-4416-8539-CB6088C53C94}]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\syfvlybm]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "UserFaultCheck"=-

    Save this as CFScript.txt


    Posted Image


    Referring to the picture above, drag CFScript.txt into ComboFix.exe

    When finished, it shall produce a log for you. Please copy and paste that log in your next reply.

    **Important Note**

    When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
    • Ensure you are connected to the internet and click OK on the message box.
  • Download Win32kDiag from any of the following locations and save it On the C drive.We need to run the tool with the following command to fix some malware related changes.

    Click on Start->Run, and copy-paste the following command (the bold text) into the "Open" box, and click OK:

    "C:\win32kdiag.exe" -f -r

    When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

  • We need to scan the system with this special tool.
    • Please download Junction.zip and save it.
    • Unzip it and put junction.exe in the Windows directory (C:\Windows).
    • Go to Start => Run... => Copy and paste the following command in the run box and click OK:

      cmd /c junction -s c:\ >log.txt&log.txt& del log.txt

      A command window opens starting to scan the system. Wait until a log file opens. Copy and paste or attach the content of it.


#5 jsteinpka

jsteinpka
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:05:35 PM

Posted 08 September 2009 - 07:01 PM

Hi,

Sorry it took so long - scanning is done. Here are the logs:

ComboFix 09-09-08.02 - Owner 09/08/2009 19:00.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.541 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

file zipped: c:\windows\system32\ozkzndt.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\ozkzndt.dll
c:\windows\Tasks\At1.job

.
((((((((((((((((((((((((( Files Created from 2009-08-08 to 2009-09-08 )))))))))))))))))))))))))))))))
.

2009-09-07 04:03 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-07 04:03 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-07 04:00 . 2009-09-07 04:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-07 03:33 . 2009-09-07 03:33 -------- d-----w- c:\documents and settings\Owner\DoctorWeb
2009-09-06 13:50 . 2009-09-06 13:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-09-05 02:28 . 2009-09-05 02:28 -------- d-----w- c:\documents and settings\LocalService\Application Data\Talkback
2009-09-05 02:27 . 2009-09-05 02:27 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Mozilla
2009-09-05 02:27 . 2009-09-05 02:27 -------- d-----w- c:\documents and settings\LocalService\Application Data\Trusteer
2009-09-04 01:54 . 2009-09-04 16:36 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2009-09-04 01:53 . 2009-09-04 01:53 -------- d-----w- c:\program files\Common Files\iS3
2009-09-04 01:53 . 2009-09-08 21:51 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-08-27 22:15 . 2008-12-11 12:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-08-27 22:15 . 2009-04-03 14:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-08-27 22:15 . 2008-12-18 15:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-08-27 22:15 . 2009-08-27 22:17 -------- d-----w- c:\program files\Common Files\PC Tools
2009-08-27 22:15 . 2008-12-10 15:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-08-27 22:15 . 2009-08-27 22:15 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-08-23 20:43 . 2009-08-24 16:00 -------- d-----w- c:\documents and settings\All Users\Application Data\13559064

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-08 22:51 . 2008-04-12 16:18 -------- d-----w- c:\program files\Mozilla Firefox 3 Beta 5
2009-09-08 22:09 . 2006-08-27 23:51 12 ----a-w- c:\windows\bthservsdp.dat
2009-09-08 21:57 . 2006-08-23 19:54 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\SampleView
2009-09-08 01:55 . 2009-09-08 01:55 688 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg
2009-09-06 20:56 . 2006-09-09 22:44 -------- d-----w- c:\program files\isoBuster
2009-09-06 20:54 . 2006-10-07 17:17 -------- d-----w- c:\program files\Black Hawk Down
2009-09-06 15:46 . 2008-11-27 20:07 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-05 02:55 . 2007-10-21 21:20 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-03 00:03 . 2006-08-28 05:15 -------- d-----w- c:\documents and settings\Owner\Application Data\Azureus
2009-08-28 12:32 . 2008-11-27 20:08 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-28 12:32 . 2008-11-27 20:08 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-28 12:32 . 2008-11-27 20:08 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-27 03:38 . 2009-08-27 03:38 784732 ----a-w- c:\windows\system32\xa.tmp
2009-07-29 22:52 . 2009-07-29 22:52 -------- d-----w- c:\documents and settings\Owner\Application Data\Trusteer
2009-07-29 22:52 . 2009-07-29 22:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Trusteer
2009-07-29 22:52 . 2009-07-29 22:52 -------- d-----w- c:\program files\Trusteer
2009-07-20 18:57 . 2009-07-20 18:57 17408 ----a-r- c:\windows\system32\SZIO5.dll
2009-07-20 18:56 . 2009-07-20 18:56 311296 ----a-r- c:\windows\system32\SZBase5.dll
2009-07-20 18:56 . 2009-07-20 18:56 540672 ----a-r- c:\windows\system32\SZComp5.dll
2009-07-09 19:52 . 2009-07-09 19:52 126976 ----a-r- c:\windows\system32\IS3HTUI5.dll
2009-07-09 19:52 . 2009-07-09 19:52 393216 ----a-r- c:\windows\system32\IS3DBA5.dll
2009-07-09 19:51 . 2009-07-09 19:51 385024 ----a-r- c:\windows\system32\IS3UI5.dll
2009-07-09 19:51 . 2009-07-09 19:51 61440 ----a-r- c:\windows\system32\IS3Hks5.dll
2009-07-09 19:51 . 2009-07-09 19:51 23040 ----a-r- c:\windows\system32\IS3XDat5.dll
2009-07-09 19:50 . 2009-07-09 19:50 225280 ----a-r- c:\windows\system32\IS3Win325.dll
2009-07-09 19:50 . 2009-07-09 19:50 94208 ----a-r- c:\windows\system32\IS3Inet5.dll
2009-07-09 19:50 . 2009-07-09 19:50 90112 ----a-r- c:\windows\system32\IS3Svc5.dll
2009-07-09 19:47 . 2009-07-09 19:47 724992 ----a-r- c:\windows\system32\IS3Base5.dll
2009-08-27 22:46 . 2007-09-21 19:31 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2009-08-27 22:46 . 2007-09-21 19:31 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2009-08-27 22:46 . 2007-09-21 19:31 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2009-08-27 22:46 . 2007-09-21 19:31 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2009-08-27 22:46 . 2007-09-21 19:31 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-09-18 7204864]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil9b.exe" [2006-11-09 190072]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-28 12:32 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal2.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddpswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddjswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddtime.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [8/27/2009 06:15 PM 130936]
R0 szkg5;szkg;c:\windows\system32\drivers\SZKG.sys [5/12/2009 02:13 PM 61328]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/27/2008 04:08 PM 335240]
R1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [7/29/2009 06:52 PM 58728]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [7/29/2009 06:52 PM 301928]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [11/27/2008 04:07 PM 297752]
R2 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe -service --> c:\windows\system32\lxddcoms.exe -service [?]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [7/29/2009 06:52 PM 918760]
R3 USBNET_XP;Instant Wireless XP USB Network Adapter ver.2.6 Driver;c:\windows\system32\drivers\netusbxp.sys [8/27/2006 07:39 PM 72576]
S2 lxddCATSCustConnectService;lxddCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxddserv.exe [5/16/2008 10:46 AM 99248]
S3 ctlsb16;Creative SB16/AWE32/AWE64 Driver (WDM);c:\windows\system32\drivers\ctlsb16.sys [11/27/2008 12:27 AM 96256]
S3 rootrepeal2;rootrepeal2;\??\c:\windows\system32\drivers\rootrepeal2.sys --> c:\windows\system32\drivers\rootrepeal2.sys [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe --> c:\program files\Spyware Doctor\pctsAuxs.exe [?]
.
Contents of the 'Scheduled Tasks' folder

2006-08-23 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2005-01-10 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
mStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\xad9k94g.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - plugin: c:\program files\Mozilla Firefox 3 Beta 5\plugins\npdivx32.dll
FF - plugin: c:\program files\Mozilla Firefox 3 Beta 5\plugins\npnul32.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-08 19:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-09-08 19:12
ComboFix-quarantined-files.txt 2009-09-08 23:12
ComboFix2.txt 2009-09-08 22:21
ComboFix3.txt 2008-11-30 20:54

Pre-Run: 137,686,704,128 bytes free
Post-Run: 137,665,421,312 bytes free

157 --- E O F --- 2009-01-14 08:03
Upload was successful


----------------------------------------------------------------------------


Log file is located at: C:\Documents and Settings\Owner\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe

Attempting to restore permissions of : C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe

[1] 2008-04-13 20:12:21 744448 C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe (Microsoft Corporation)

[1] 2008-04-13 20:12:21 744448 C:\WINDOWS\ServicePackFiles\i386\helpsvc.exe (Microsoft Corporation)



Cannot access: C:\WINDOWS\system32\dumprep.exe

Attempting to restore permissions of : C:\WINDOWS\system32\dumprep.exe

[1] 2008-04-13 20:12:18 10752 C:\WINDOWS\ServicePackFiles\i386\dumprep.exe (Microsoft Corporation)

[1] 2008-04-13 20:12:18 10752 C:\WINDOWS\system32\dumprep.exe (Microsoft Corporation)





Finished!


-----------------------------------------------------------------



Junction v1.05 - Windows junction creator and reparse point viewer
Copyright © 2000-2007 Mark Russinovich
Systems Internals - http://www.sysinternals.com


Failed to open \\?\c:\\hiberfil.sys: The process cannot access the file because it is being used by another process.



Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.


...

...

...

...

...


Failed to open \\?\c:\\Documents and Settings\Owner\Desktop\RootRepeal.exe: Access is denied.



Failed to open \\?\c:\\Documents and Settings\Owner\Desktop\RootRepeal2.exe: Access is denied.


...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

.
Failed to open \\?\c:\\Program Files\Malwarebytes' Anti-Malware\abcde.com: Access is denied.


..

...

...

...

...

...
Failed to open \\?\c:\\System Volume Information\MountPointManagerRemoteDatabase: Access is denied.




...

...

...

...

...

...

...

...

...

...

...

...

...

...No reparse points found.

#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:11:35 PM

Posted 09 September 2009 - 01:29 AM

We are almost there.
  • Delete the file in bold: c:\windows\system32\xa.tmp

  • Open a notepad (Start > Run and type in Notepad ) make sure the wordwrap under Format menu is not selected.
    Copy and paste the text in code box into it.

    Windows Registry Editor Version 5.00
    
    Registry::
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Connection Wizard]
    "ShellNext"=-
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Connection Wizard]
    "ShellNext"="http://windowsupdate.microsoft.com/"
    "Completed"=hex:01,00.00,00
    • Save the file to the desktop as regfix.reg
    • Make sure the Save as type field says All files.
    • Locate regfix.reg on the desktop and double-click on it and confirm.
    • A window pops up asking if you are sure to add the file to the registry. Click Yes.
    • You get another window popup saying that regfix.reg successfully added to the registry.
    Note: You have to turn off any registry protector software you have in order the changes to be taken place.

  • We need to reset the permissions altered by the malware on some files.
    • Download this tool and save it to the desktop: http://download.bleepingcomputer.com/sUBs/...xes/Inherit.exe
    • Go to Start => Run => Copy and paste the first line of the following lines in the run box and click OK:

      "%userprofile%\desktop\inherit" "c:\Documents and Settings\Owner\Desktop\RootRepeal.exe"
      "%userprofile%\desktop\inherit" "c:\Documents and Settings\Owner\Desktop\RootRepeal2.exe"
      "%userprofile%\desktop\inherit" "c:\Program Files\Malwarebytes' Anti-Malware\abcde.com"

    • If you get a security warning select Run.
    • You will get a "Finish" popup. Click OK.
    • Do the same for the rest of the lines until you have run all the above commands one by one.
  • Open your Malwarebytes' Anti-Malware. Since you have changed the exe name you might not be able to run it with the short cut. In that case you can run the renamed copy, but after updating you will be able to run with the shortcut too.
    • First update it, to do that under the Update tab press "Check for Updates".
    • Under Scanner tab select "Perform Quick Scan", then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.
    Extra Note:
    If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.


  • Let's take a look at the program lists.
    Please go to start => Run => Copy and paste the bold line in the run-box and click OK:

    "C:\Qoobox\Add-Remove Programs.txt"

    A text file opens up, copy and paste the content to your reply.


#7 jsteinpka

jsteinpka
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:05:35 PM

Posted 09 September 2009 - 04:38 PM

Hi,

Thanks again for all the help. Here are the logs:

Malwarebytes' Anti-Malware 1.40
Database version: 2766
Windows 5.1.2600 Service Pack 3

9/9/2009 05:28:35 PM
mbam-log-2009-09-09 (17-28-35).txt

Scan type: Quick Scan
Objects scanned: 99657
Time elapsed: 10 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\fias4051 (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\All Users\Application Data\13559064 (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\All Users\Application Data\13559064\13559064 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\13559064\pc13559064ins (Rogue.Multiple) -> Quarantined and deleted successfully.


---------------------------------------


2006 FIFA World Cup ™
ABBYY FineReader 6.0 Sprint
Ad-Aware
Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Reader 7.0.9
AGEIA PhysX v2.5.0
AVG Free 8.5
Azureus
CASHFLOW® 202 THE E-GAME
CASHFLOW® THE E-GAME
Delta Force - Black Hawk Down
Digital Media Reader
DirectVobSub (remove only)
DivX Web Player
Final Draft 7
Google Earth
Guitar Pro 5.0
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 10 (KB910393)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
IsoBuster 1.9.1
J2SE Runtime Environment 5.0 Update 9
Java™ 6 Update 3
K-Lite Codec Pack 2.76 Full
Lexmark 2500 Series
Lexmark Fax Solutions
Logitech Gaming Software
Logitech QuickCam Software
Logitech® Camera Driver
Magic ISO Maker v5.4 (build 0239)
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft ActiveSync
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Digital Image Library 9 - Blocker
Microsoft Digital Image Starter Edition 2006
Microsoft Digital Image Starter Edition 2006 Library
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2006
Microsoft National Language Support Downlevel APIs
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (2.0.0.20)
Mozilla Firefox (3.0.14)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6 Service Pack 2 (KB954459)
Napster Burn Engine
Nero 7 Demo
NVIDIA Drivers
OpenOffice.org 2.3
Personal Financial Statement
QuickTime
Rapport
Realtek AC'97 Audio
Recovery Software Suite Gateway
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB960714)
Soft Data Fax Modem with SmartCP
Sonic Encoders
StampManage 2009
STOPzilla
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB953356)
Update for Windows XP (KB955839)
Update Rollup 2 for Windows XP Media Center Edition 2005
Veoh Web Player Beta
VeohTV BETA
WebFldrs XP
Winamp (remove only)
Windows Backup Utility
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Live installer
Windows Live Mail
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player Firefox Plugin
Windows Mobile® Device Handbook
Windows XP Media Center Edition 2005 KB925766
Windows XP Service Pack 3
WinRAR archiver

#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:11:35 PM

Posted 09 September 2009 - 04:50 PM

  • Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
    • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
    • Look for "Java Runtime Environment (JRE)" JRE 6 Update 16.
    • Click the Download button to the right.
    • Select your Platform: "Windows".
    • Select your Language: "Multi-language".
    • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Click Continue and the page will refresh.
    • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    • Repeat as many times as necessary to remove each Java versions.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u16-windows-i586.exe to install the newest version.
    -- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
    -- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
    -- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


    Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

  • This small application you may want to keep and use to keep the computer clean.
    Download CCleaner from here http://www.ccleaner.com/
    • Run the installer to install the application.
    • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
    • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
    • Click Run Cleaner.
    • Close CCleaner.

      Note: Don't use the CCleaner's registry cleaner unless you know what you are doing.
  • Tell me how is your computer running.


#9 jsteinpka

jsteinpka
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:05:35 PM

Posted 09 September 2009 - 05:36 PM

Hi!

Everything seems to be in working order, how do I know if I'm clean for sure?

#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:11:35 PM

Posted 10 September 2009 - 12:20 AM

how do I know if I'm clean for sure?

The active malware/rogue/rootkit is gone. The logs are showing it. We now go for an extra check as a second opinion.

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
Note: If it find nothing, there will be no log to save.

#11 jsteinpka

jsteinpka
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:05:35 PM

Posted 10 September 2009 - 04:40 PM

Wow... more stuff. Here's the log:


C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\bakidkgc.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\bsswngxm.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\cJQqAcdd.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\cJQqAcdd.ini2.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\ealpdiec.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\ebstnypa.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\ednedcor.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\ejakepif.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\eventlog.dll.vir a variant of Win32/Kryptik.YQ trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\FijRYJjl.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\FijRYJjl.ini2.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\hrociynf.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\iqxovudt.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\net.net.vir Win32/TrojanClicker.Punad.AA trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\rqojbibi.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\unahvsud.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\vqbwruaf.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\wpgfrovv.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\xIhilUvw.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\xIhilUvw.ini2.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\xmreoult.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\ynrgxbhc.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\UACd.sys.vir a variant of Win32/Olmarik.HI trojan cleaned by deleting - quarantined

#12 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:11:35 PM

Posted 10 September 2009 - 04:55 PM

Actually Other than a zipped file in Spybot S&D folder, ESET found nothing but those infected files removed and quarantined by ComboFix (C:\Qoobox\Quarantine is the folder in which Combofix quarantines the removed malware). If you take a look at the ComboFix deleted files you see they are the same found by ESET. When we uninstall Combofix that folder will be emptied.

Go to Start => Run => copy and paste next command in the field then hit enter:

ComboFix /u

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

It makes a clean Restore Point and clears all the old restore points in order to prevent possible reinfection from an old one through system restore.

Remove also the tools we used in the course of disinfection.

***************

Please consult this article by Miekiemoes on How To Prevent Malware.

Happy Surfing !

#13 jsteinpka

jsteinpka
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:05:35 PM

Posted 10 September 2009 - 05:27 PM

Hi,

You are AWESOME! Thank you so much!

#14 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:11:35 PM

Posted 10 September 2009 - 05:34 PM

You are most welcome. :(

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users