
Help! Nasty rootkit attack.


This topic is locked
22 replies to this topic

#1 Alankate27


Posted 07 September 2009 - 08:33 AM

Hello

Our computer has been infected with a nasty rootkit virus which is making life very difficult indeed. It started with one of those fake security alert problems which was fixed with Malwarebytes, but then all of our antivirus/antimalware software stopped running, or we were prevented from loading them - apparently we suddenly did not have the appropriate permission to run the file!
I have since been getting various error messages every time I turn the computer on, and now cannot do anything on the internet which involves logging on to somewhere e.g. accessing googlemail or ebay for example. Our search function has gone doolally as well, very often redirecting me to somewhere completely unrelated.

I have been following instructions given by Garmanma in the 'Am I Infected?' section. I have been unable to run DDS, and he told me to do the Win32kdiag thing, which I did. I hereby attach the log. Please can someone advise me what to do now?!!!!! I'm getting desperate!

Thanks,
Kate.

Log file is located at: C:\Documents and Settings\Alan\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB939653\KB939653

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB942615\KB942615

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB944533\KB944533

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB947864\KB947864

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1E5.tmp\ZAP1E5.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPC25D.tmp\ZAPC25D.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPC318.tmp\ZAPC318.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPC423.tmp\ZAPC423.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD3.tmp\ZAPD3.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\click4carbonscreensaver\click4carbonscreensaver

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Debug\UserMode\UserMode

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ftpcache\ftpcache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Cbz\Cbz

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Lib\Lib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Wave\Wave

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\mui\mui

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe



I hope that's what was required.
Please let me know what you think.
Kate.

... update ... we are now infected with a 'Total Security' false alert nuisance thing. I can't run Malwarebytes to fix it. I tried downloading and running the 'Microsoft Windows Malicious Software Removal Tool' and it appeared to install ok but then disappeared when I tried to run it - the usual problem.

Help help help please help!

Kate.

Edited by Alankate27, 07 September 2009 - 12:01 PM.
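A small triage script for the Win32kDiag output above, added here as an example and not part of the thread or of the Win32kDiag tool itself. It pairs each "Found mount point" line with its destination, counts how many reparse points share a destination that is not a normal `\??\`-prefixed path, and collects the "Cannot access" entries. The input is a constructed excerpt of the posted log; `SAMPLE_LOG`, `triage` and the other names are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample input: a short excerpt of the Win32kDiag.txt posted in
# this thread (two of the many mount-point pairs plus the "Cannot access" line).
SAMPLE_LOG = r"""
Log file is located at: C:\Documents and Settings\Alan\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\$hf_mig$\KB939653\KB939653

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe
"""

MOUNT_RE = re.compile(r"^Found mount point : (.+)$")
DEST_RE = re.compile(r"^Mount point destination : (.+)$")
DENIED_RE = re.compile(r"^Cannot access: (.+)$")


def parse_win32kdiag(text):
    """Pair each 'Found mount point' line with the destination line that
    follows it; collect 'Cannot access' paths separately."""
    mounts, denied = [], []
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MOUNT_RE.match(line)
        if m:
            pending = m.group(1)
            continue
        m = DEST_RE.match(line)
        if m and pending is not None:
            mounts.append((pending, m.group(1)))
            pending = None
            continue
        m = DENIED_RE.match(line)
        if m:
            denied.append(m.group(1))
    return mounts, denied


def is_suspicious_destination(dest):
    """Junctions and volume mount points created by Windows resolve into the
    NT object namespace under \\??\\ (for example \\??\\Volume{...}\\ or
    \\??\\C:\\...). A bare \\Device\\ name that is not a volume, shared by
    every reparse point under C:\\WINDOWS, is the pattern in the log above."""
    return not dest.startswith("\\??\\")


def triage(text):
    """Summarise a Win32kDiag log: how many mount points were found, which
    destinations look abnormal (with a count of mount points pointing at
    each), and which files the tool could not open."""
    mounts, denied = parse_win32kdiag(text)
    by_dest = Counter(dest for _, dest in mounts)
    suspicious = {d: n for d, n in by_dest.items() if is_suspicious_destination(d)}
    return {
        "mount_points": len(mounts),
        "suspicious_destinations": suspicious,
        "inaccessible": denied,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the full log in the post, every one of the mount points found under C:\WINDOWS is reported under the same single destination, which is the signal a helper reads from this tool's output.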



#2 Buckeye_Sam

Malware Expert

Posted 08 September 2009 - 02:35 PM

Hello! :(
My name is Sam and I will be helping you.

In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.

We need a little more information before we can begin removing this infection.


Download and run a batch file (peek.bat):
  • Download peek.bat from the download link below and save it to your Desktop.
  • Double-click peek.bat to run it. A black Command Prompt window will appear shortly: the program is running.
  • Once it is finished, copy and paste the entire contents of the Log.txt file it creates as a reply to this post.
==========
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 Alankate27

Topic Starter

Posted 09 September 2009 - 10:09 AM

Hi Sam, thanks ever so much for this.

Here is the log:

Volume in drive C has no label.
Volume Serial Number is 845B-E47B

Directory of C:\WINDOWS\$NtServicePackUninstall$

04/08/2004 05:00 180,224 scecli.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

04/08/2004 05:00 407,040 netlogon.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

04/08/2004 05:00 55,808 eventlog.dll
3 File(s) 643,072 bytes

Directory of C:\WINDOWS\ServicePackFiles\i386

14/04/2008 01:12 181,248 scecli.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

14/04/2008 01:12 407,040 netlogon.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

14/04/2008 01:11 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\system32

14/04/2008 01:12 181,248 scecli.dll

Directory of C:\WINDOWS\system32

14/04/2008 01:12 407,040 netlogon.dll

Directory of C:\WINDOWS\system32

14/04/2008 01:11 62,976 eventlog.dll
3 File(s) 651,264 bytes

Total Files Listed:
9 File(s) 1,938,944 bytes
0 Dir(s) 42,818,875,392 bytes free


Please let me know what to do next.

Now (as well as the Total Security bubbles and the SpyBot resident bubbles) we are getting a Windows Security bubble, telling us to click here (little red shield icon) to get an update of security software as Windows has detected spyware. I haven't clicked on it, assuming that this is a spoof message too.

We have had a weird thing happen to our Ebay account; we listed some items for sale while we could still log on this time last week. Ebay last night froze the account and unlisted the items, saying that it looked like someone else had listed them by hijacking our account - so for some reason our computer doesn't look like our computer to Ebay. I have changed our Ebay password by logging on to it at work and they suggested changing our Googlemail password too, so I'm going to do that. Could this be related to all the other horrors?
Is there any danger of secure information becoming accessible to the world wide web?

The Peekbat programme above ran without any difficulty and completed really quickly.

Thanks for your support.
Kate.

#4 Buckeye_Sam

Malware Expert

Posted 09 September 2009 - 01:50 PM

You've got a really nasty rootkit infection and it can be a lot of trouble. Try to minimize the use of your computer as much as you can while we get this cleaned for you. Also try to keep your computer disconnected from the internet as much as possible.



Please follow these steps first:
  • Click on the Start button, then click on Run...
  • In the empty "Open:" box provided, type cmd and press Enter
    • This will launch a Command Prompt window (looks like DOS).
  • Copy the entire blue text below to the clipboard by highlighting all of it and pressing Ctrl+C (or after highlighting, right-click and select Copy).

    copy C:\WINDOWS\ServicePackFiles\i386\eventlog.dll C:\ /y

  • In the Command Prompt window, paste the copied text by right-clicking and selecting Paste.
  • Press Enter. When successful, you should get this message within the Command Prompt: "1 file(s) copied"
    NOTE: If you didn't get this message, stop everything and come back and tell me first. Executing The Avenger script (step #2) won't work if the file copy was not successful.
  • Exit the Command Prompt window.

===============================
Next set of steps...


Please disable your antivirus program.
  • Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below code box to the clipboard by highlighting it and then pressing Ctrl+C.

    Files to move:
    C:\eventlog.dll | C:\WINDOWS\system32\eventlog.dll
  • In the avenger window, click the Paste Script from Clipboard, Posted Image button.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).

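The peek.bat listing in the previous post is what the file-restore steps above act on: system32\eventlog.dll is 62,976 bytes while the Service Pack source copy in ServicePackFiles\i386 (the one the copy command takes) is 56,320 bytes, and scecli.dll and netlogon.dll match. The following script, added here as an example and not part of the thread or of peek.bat, parses that dir-style output and reports the files whose size in a target directory differs from the reference directory. The input is a constructed excerpt of the posted listing; `SAMPLE_LOG`, `parse_dir_listing` and `size_mismatches` are names assumed by this example.

```python
import re
from collections import defaultdict

# Constructed sample input: the peek.bat listing posted above, trimmed to the
# reference directory and system32. The $NtServicePackUninstall$ entries are
# left out on purpose: the 2004-dated files there are the pre-service-pack
# versions, so they are not a valid reference for an SP3 machine.
SAMPLE_LOG = r"""
 Volume in drive C has no label.
 Volume Serial Number is 845B-E47B

 Directory of C:\WINDOWS\ServicePackFiles\i386

14/04/2008 01:12 181,248 scecli.dll

 Directory of C:\WINDOWS\ServicePackFiles\i386

14/04/2008 01:12 407,040 netlogon.dll

 Directory of C:\WINDOWS\ServicePackFiles\i386

14/04/2008 01:11 56,320 eventlog.dll
 3 File(s) 644,608 bytes

 Directory of C:\WINDOWS\system32

14/04/2008 01:12 181,248 scecli.dll

 Directory of C:\WINDOWS\system32

14/04/2008 01:12 407,040 netlogon.dll

 Directory of C:\WINDOWS\system32

14/04/2008 01:11 62,976 eventlog.dll
 3 File(s) 651,264 bytes
"""

DIR_RE = re.compile(r"^Directory of (.+)$")
# dd/mm/yyyy hh:mm <size with thousands separators> <name>
FILE_RE = re.compile(r"^\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2}\s+([\d,]+)\s+(.+)$")


def parse_dir_listing(text):
    """Map each directory (lower-cased) to {filename: size_in_bytes}."""
    listing = defaultdict(dict)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = DIR_RE.match(line)
        if m:
            current = m.group(1).lower()
            continue
        m = FILE_RE.match(line)
        if m and current is not None:
            size = int(m.group(1).replace(",", ""))
            listing[current][m.group(2).lower()] = size
    return dict(listing)


def size_mismatches(listing, target_dir, reference_dir):
    """Return {name: (size_in_target, size_in_reference)} for every file whose
    size differs between the two directories. A file present on only one
    side is reported with None for the missing side rather than skipped."""
    target = listing.get(target_dir.lower(), {})
    reference = listing.get(reference_dir.lower(), {})
    result = {}
    for name in sorted(set(target) | set(reference)):
        t, r = target.get(name), reference.get(name)
        if t != r:
            result[name] = (t, r)
    return result


if __name__ == "__main__":
    found = size_mismatches(parse_dir_listing(SAMPLE_LOG),
                            r"C:\WINDOWS\system32",
                            r"C:\WINDOWS\ServicePackFiles\i386")
    for name, (target_size, ref_size) in found.items():
        print(f"{name}: system32={target_size} reference={ref_size}")
```

A size difference alone does not prove tampering (a later hotfix can legitimately replace a file), so the result is a list of files to verify, not a verdict.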

#5 Alankate27

Topic Starter

Posted 10 September 2009 - 03:51 AM

Hi Sam

I think I did all that correctly, but here is the log:

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "C:\eventlog.dll|C:\WINDOWS\system32\eventlog.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.


It all completed very quickly indeed, and I notice that no rootkit was found; did I do it wrongly? Sorry if I did.

I have noticed that you are replying in the early evening (for us). I am going to switch off now, taking your advice about not using the computer much. I'll log on again this evening to see what to do next.

Thanks for being there!

Kate.

#6 Buckeye_Sam

Malware Expert

Posted 10 September 2009 - 09:38 AM

You did everything correctly! :(
Here's the next set of steps.

Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK.

"%userprofile%\desktop\win32kdiag.exe" -f -r

When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.



========================



Now delete any copy of combofix.exe that you have if you downloaded it previously.

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3


Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.


#7 Alankate27

Topic Starter

Posted 10 September 2009 - 03:16 PM

Hi Sam

I set the diag. thing going, and it was churning out loads of info. The Total Security thing kept popping up along with the Windows Security alert, so I babysat the computer to keep clicking those xes so the programme would run uninterrupted. A good 20, 25 minutes later the screen was suddenly filled with a very badly spelled security alert about infections and spyware. Then I got a blue stop error screen. Here are the codes it gave me:
***STOP: 0x000000F4 (0x00000003, 0x82B1B4B0, 0x82B1B624, 0x805FB046)

I had no choice but to hit the button and switch the computer off.
When it rebooted it told me that it had encountered a problem. I clicked on the technical details of the error report in case this might be useful to you. It said C:\DOCUME~1\Alan\LOCALS~1\Temp\WER13ed.dir001\mini091009.01.dmp
It said: The following files will be included in this error report:
C:\DOCUME~1\Alan\LOCALS~1\Temp\WER13ed.dir001\sysdata.xml

Error signature:
BCcode: F4
BCP1: 00000003
BCP2: 82B1B4B0
BCP3: 82B1B624
BCP4: 805FB046
OSVer: 5_1_2600
SP:3_0 Product 768_1

Will now try to run the diag thing again....


... OK so second time through it finished in about one minute, with not half as much stuff in the log. Unfortunately as soon as I clicked on it, it disappeared and there didn't seem to be anything stored on the desktop to copy for you. Am going to run it again ...


... now you know that I'm a complete fool when it comes to computers. I have just realised that the Win32diag log was in the one created last time I ran it, and obviously it must just update each time. I was expecting a new icon on the desktop each time. Unfortunately that means that the results are lost, as now it just says:

Log file is located at: C:\Documents and Settings\Alan\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...





Finished!

Sorry. Hope I haven't messed things up.

I am going to do the Combofix thing now. I had not downloaded it before, heeding all the warnings about it on the website.


Hooray, it completed successfully. After a reboot and a long think, it produced this log:

ComboFix 09-09-10.01 - Alan 10/09/2009 21:43.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.227 [GMT 1:00]
Running from: c:\documents and settings\Alan\Desktop\Combo-Fix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Alan\Application Data\wiaserva.log
c:\documents and settings\Alan\Desktop\Total Security 2009.lnk
c:\documents and settings\Alan\Start Menu\Programs\Startup\ikowin32.exe
c:\documents and settings\Alan\Start Menu\Programs\Total Security
c:\documents and settings\Alan\Start Menu\Programs\Total Security\Total Security 2009.lnk
c:\documents and settings\Alan\Start Menu\Programs\Windows Antivirus Pro
c:\documents and settings\All Users\Application Data\11785004
c:\documents and settings\All Users\Application Data\11785004\11785004
c:\documents and settings\All Users\Application Data\11785004\11785004.exe
c:\documents and settings\All Users\Application Data\11785004\pc11785004ins
c:\program files\BrowserCtl
c:\program files\BrowserCtl\BrowserCtl.dll
c:\program files\Common Files\Companion Wizard
c:\program files\Windows Antivirus Pro
c:\program files\Windows Antivirus Pro\msvcm80.dll
c:\program files\Windows Antivirus Pro\msvcp80.dll
c:\program files\Windows Antivirus Pro\msvcr80.dll
c:\program files\WinPCap
c:\program files\WinPCap\rpcapd.exe
C:\setuplog.exe
c:\windows\010112010146120114.xe
c:\windows\0101120101464949.xe
c:\windows\0101120101465653.xe
c:\windows\9g2234wesdf3dfgjf23
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\Installer\8b0a0.msi
c:\windows\Installer\9a46.msi
c:\windows\prxid93ps.dat
c:\windows\scorel.dll
c:\windows\services32.dll
c:\windows\system32\{3296E2BB-AD7B-46EB-BF6C-D10D34C470AD}.exe
c:\windows\system32\218538
c:\windows\system32\al.txt
c:\windows\system32\bookls
c:\windows\system32\bookls\dooi.poc
c:\windows\system32\bookls\dooi.poc.lll
c:\windows\system32\bookls\orde.poc
c:\windows\system32\drivers\npf.sys
c:\windows\system32\dz1.txt
c:\windows\system32\inform.dat
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\lowsec\user.ds.lll
c:\windows\system32\p1.txt
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\r24.txt
c:\windows\system32\sblog.txt
c:\windows\system32\sdra64.exe
c:\windows\system32\stera.log
c:\windows\system32\tapi.nfo
c:\windows\system32\WanPacket.dll
c:\windows\system32\wbem\proquota.exe
c:\windows\system32\wpcap.dll
F:\autorun.inf

c:\windows\system32\grpconv.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\grpconv.exe

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_BROWSERCTL
-------\Legacy_BROWSERCTLDRV
-------\Legacy_FOPN
-------\Legacy_FWSVC
-------\Legacy_NPF
-------\Legacy_VSPF
-------\Legacy_VSPF_HK
-------\Legacy_XXXCODEC_ACCELERATION_SERVICE
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
-------\Service_NPF
-------\Service_SfX
-------\Service_XXXCodec Acceleration Service


((((((((((((((((((((((((( Files Created from 2009-08-10 to 2009-09-10 )))))))))))))))))))))))))))))))
.

2009-09-10 20:52 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-09-10 20:52 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-09-10 20:52 . 2008-04-14 00:12 39424 ----a-w- c:\windows\system32\grpconv.exe
2009-09-10 20:52 . 2008-04-14 00:12 39424 ----a-w- c:\windows\system32\dllcache\grpconv.exe
2009-09-10 07:58 . 2009-09-10 07:58 -------- d-----w- c:\documents and settings\Kate\Local Settings\Application Data\{8C552DDD-5325-49A1-A845-D1E460FAA8AB}
2009-09-03 10:49 . 2009-08-03 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-03 10:49 . 2009-09-03 11:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-03 10:49 . 2009-08-03 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-28 08:41 . 2009-08-28 08:41 -------- d-----w- c:\program files\Windows Defender
2009-08-27 20:22 . 2009-08-31 13:13 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-27 17:27 . 2009-08-27 17:27 -------- d-----w- c:\documents and settings\Nieve\Local Settings\Application Data\{FE66F8AA-B68D-45A0-A7E5-86735D2FF029}
2009-08-27 17:23 . 2009-08-27 17:23 -------- d-----w- c:\documents and settings\Eleanor\Local Settings\Application Data\{055C1104-F833-4557-B756-F34C2D5BDFBB}
2009-08-26 20:57 . 2009-09-10 19:22 120 ----a-w- c:\windows\Hxigafekutegefix.dat
2009-08-26 20:57 . 2009-08-26 20:57 -------- d-----w- c:\documents and settings\Alan\Local Settings\Application Data\{DF4B9221-44BC-4D12-A369-D230CEAC12F9}
2009-08-20 11:12 . 2009-08-20 13:14 -------- d-----w- c:\program files\PrivacyCenter
2009-08-19 07:42 . 2009-08-19 07:42 -------- d-----w- c:\documents and settings\Alan\Application Data\Screensaver Factory
2009-08-19 07:17 . 2009-09-10 19:28 -------- d-----w- c:\windows\click4carbonscreensaver
2009-08-19 07:16 . 2009-08-19 07:16 -------- d-----w- c:\program files\Click4Carbon
2009-08-18 16:52 . 2009-08-18 16:52 1 ---h--w- c:\windows\ex23567.dat
2009-08-17 12:57 . 2009-09-10 19:44 -------- d-----w- c:\windows\system32\Dorset Cereals Screen Saver dir
2009-08-16 18:51 . 2009-08-16 18:51 34304 ----a-w- c:\windows\system32\magks32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-10 19:44 . 2005-12-07 12:39 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Symantec
2009-09-10 08:44 . 2008-03-01 19:45 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-09 20:09 . 2006-01-10 15:04 -------- d-----w- c:\program files\Web Publish
2009-09-07 16:48 . 2009-05-22 18:08 -------- d-----w- c:\program files\Yahoo!
2009-09-06 19:31 . 2006-05-26 20:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-06 19:27 . 2008-01-07 13:01 -------- d-----w- c:\documents and settings\Alan\Application Data\uTorrent
2009-09-01 08:32 . 2007-08-30 17:17 -------- d-----w- c:\program files\Common Files\Oberon Media
2009-08-27 19:49 . 2006-05-26 20:29 -------- dc--a-w- c:\program files\Spybot - Search & Destroy1
2009-08-21 23:47 . 2005-10-20 14:11 -------- d-----w- c:\program files\Dell
2009-08-11 17:39 . 2006-01-07 23:50 99984 -c--a-w- c:\documents and settings\Alan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-11 14:39 . 2009-08-11 13:57 -------- d-----w- c:\documents and settings\Alan\Application Data\Nokia
2009-08-11 14:29 . 2008-07-03 17:10 -------- d-----w- c:\program files\Nokia
2009-08-11 14:08 . 2009-08-11 14:08 -------- d-----w- c:\program files\Common Files\PCSuite
2009-08-11 14:08 . 2009-08-11 14:08 -------- d-----w- c:\program files\Common Files\Nokia
2009-08-11 14:06 . 2008-07-03 17:14 -------- d-----w- c:\program files\DIFX
2009-08-11 14:06 . 2009-08-11 14:06 -------- d-----w- c:\program files\PC Connectivity Solution
2009-08-11 14:03 . 2008-07-03 17:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Installations
2009-08-11 13:56 . 2008-07-03 17:35 -------- d-----w- c:\documents and settings\Kate\Application Data\Nokia
2009-08-11 08:24 . 2009-08-11 08:24 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-08-11 08:12 . 2005-12-13 14:49 99984 -c--a-w- c:\documents and settings\Kate\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-05 09:01 . 2004-08-10 11:51 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2004-08-10 11:50 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 22:43 . 2004-08-10 11:51 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-26 16:50 . 2004-08-10 11:51 666624 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 16:50 . 2004-08-10 11:51 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-06-25 08:25 . 2004-08-10 11:51 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-10 11:51 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-10 11:51 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-10 11:51 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2004-08-10 11:51 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-10 11:51 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2004-08-10 11:51 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2004-08-10 11:51 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2004-08-10 11:51 81920 ----a-w- c:\windows\system32\fontsub.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2009-06-25 1414144]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"OSCD_Creator"="c:\dell\MediaExe\PreODM.EXE" [2005-03-18 107520]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"EPSON Stylus Photo RX420 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE" [2004-04-09 98304]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-11 148888]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"Rbopepepajon"="c:\windows\onokahubozerahe.dll" [2008-04-14 172032]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"OSCD_Creator"="c:\dell\MediaExe\PreODM.EXE" [2005-03-18 107520]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
DSLMON.lnk - c:\program files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2006-12-22 962660]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Software Update.lnk - c:\program files\Click4Carbon\ScreenUpdate.exe [2009-8-19 165888]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0stera

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Click4Carbon\\ScreenUpdate.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 19:19 13592]
S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [06/06/2009 12:22 33176]
S3 s115bus;Sony Ericsson Device 115 driver (WDM);c:\windows\system32\drivers\s115bus.sys [23/04/2007 13:54 83208]
S3 s115mdfl;Sony Ericsson Device 115 USB WMC Modem Filter;c:\windows\system32\drivers\s115mdfl.sys [23/04/2007 13:54 15112]
S3 s115mdm;Sony Ericsson Device 115 USB WMC Modem Driver;c:\windows\system32\drivers\s115mdm.sys [23/04/2007 13:54 108680]
S3 s115mgmt;Sony Ericsson Device 115 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s115mgmt.sys [23/04/2007 13:54 100488]
S3 s115obex;Sony Ericsson Device 115 USB WMC OBEX Interface;c:\windows\system32\drivers\s115obex.sys [23/04/2007 13:54 98568]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{2E1A9DE4-ADA0-4501-A46E-6633CDB01654}]
rundll32 magks32.dll,InitO
.
Contents of the 'Scheduled Tasks' folder

2009-09-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
mStart Page = hxxp://www.dell.co.uk/myway
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &eBay Search - c:\program files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
DPF: {BEC796E0-5836-4441-A596-DA5A815EE83E} - hxxp://www.burnsrecyclinginc.com/acc/ANNA_PORN_MPEG.CAB
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-11785004 - c:\documents and settings\All Users\Application Data\11785004\11785004.exe
HKLM-Run-adiras - adiras.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-10 21:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
OSCD_Creator = c:\dell\MediaExe\PreODM.EXE /2?%c: ?- %s?c:\dell\complete.fst?c:\dell\FIST?OSCD_Creator?OSCD_Creator?Common Programs?%s\Dell OS Recovery CD.lnk?c:\dell\MediaExe\ODM.Exe?c:\dell\MediaExe?Dell OS Recovery CD?%s*.*?%s\*.*?%s\%s??????@???????????@???????????????@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(776)
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\program files\ArcSoft\PhotoImpression 5\share\pihook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
c:\program files\PC Connectivity Solution\ServiceLayer.exe
c:\program files\PC Connectivity Solution\Transports\NclUSBSrv.exe
c:\program files\PC Connectivity Solution\Transports\NclRSSrv.exe
.
**************************************************************************
.
Completion time: 2009-09-10 22:01 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-10 21:01

Pre-Run: 44,192,800,768 bytes free
Post-Run: 44,429,053,952 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

273 --- E O F --- 2009-09-10 08:51


The first good news is that Total Security has gone very quiet. Has it gone, or is it just sleeping?!

All is promising so far ... let me know what to do now.
Thanks for your help, Sam.
Can you really understand all that gobbledegook?

Kate.

Edited by Alankate27, 10 September 2009 - 04:09 PM.


#8 Buckeye_Sam
    Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 10 September 2009 - 06:53 PM

The fact that you got Combofix to run and it removed a load of badness is a great sign. :(
We'll follow up with another tool shortly to make sure nothing was left behind.

Now let's see if you can get Malwarebytes up and running.


Please update Malwarebytes and run a full scan.
  • Open Malwarebytes and select the Update tab.
  • Click on the Check for Updates button and allow the program to download the latest updates.
  • Once you have the latest updates, select the Scanner tab.
  • Select "Perform full scan" and click the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#9 Alankate27
  • Topic Starter
  • Members
  • 18 posts

Posted 11 September 2009 - 10:52 AM

Hi Sam.

The news is good. Our computer now seems trouble free and is working better than ever - thank you so much!

When I clicked on MBAM it told me the old message about not having appropriate permission, so I reinstalled it, and then it ran like a dream. It took ages and found several nasties, which I removed. It then wanted a reboot.

On reboot there were a couple of new error messages:

Error loading
magks32.dll
The specified module could not be found.

... and ...

Error loading
C:\WINDOWS\onokahubozerahe.dll
The specified module could not be found.


Also Windows Defender still fell over at that point too.

However, here is the log from MBAM:

Malwarebytes' Anti-Malware 1.41
Database version: 2777
Windows 5.1.2600 Service Pack 3

11/09/2009 10:38:06
mbam-log-2009-09-11 (10-38-05).txt

Scan type: Full Scan (C:\|F:\|)
Objects scanned: 219632
Time elapsed: 1 hour(s), 5 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 12

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\magks32.dll (Password.Stealer) -> Delete on reboot.

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7c7efe99-c71f-48b8-8cc8-ba506ca76a33} (Password.Stealer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7c7efe99-c71f-48b8-8cc8-ba506ca76a33} (Password.Stealer) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rbopepepajon (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\796525 (Trojan.BHO) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\magks32.dll (Password.Stealer) -> Delete on reboot.
C:\Qoobox\Quarantine\C\Documents and Settings\Alan\Start Menu\Programs\Startup\ikowin32.exe.vir (Backdoor.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\11785004\11785004.exe.vir (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\BrowserCtl\BrowserCtl.dll.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\tapi.nfo.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP877\A0147179.exe (Backdoor.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP877\A0147181.exe (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP877\A0147182.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP877\A0147198.nfo (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\0535251103110107106.yux (KoobFace.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\onokahubozerahe.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\ex23567.dat (KoobFace.Trace) -> Quarantined and deleted successfully.


I want to ask too - I see mention in various places on this website about how different antivirus software can actually conflict with each other. Thanks to trying all sorts of things in the run-up to connecting with you, we now have various programmes on our system: MBAM, Ccleaner, Spybot search & destroy, Windows Defender etc. Can you advise me about what to keep and what to uninstall, and what, if anything, we can do to up our security measures so that this sort of attack does not happen again?


Thanks,

Kate.

#10 Buckeye_Sam
    Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 11 September 2009 - 06:23 PM

Conflicts of security programs occur when you have them running in the background, or providing real time protection. This is the reason you never want to have more than one antivirus, because they are always running in the background. But the programs that you mention aren't true antiviruses, so as long as you don't have them running at the same time you won't get any conflicts. I'll touch more on this once we get you cleaned up for sure.

Malwarebytes picked up a few things that surprised me, some of them quite nasty.
Can you run Combofix once more for me and then post that log?


========================================================

#11 Alankate27
  • Topic Starter
  • Members
  • 18 posts

Posted 12 September 2009 - 02:32 AM

Hi Sam
I am so grateful for your advice.

Combofix ran successfully; here is the log:


ComboFix 09-09-11.01 - Alan 12/09/2009 8:12.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.244 [GMT 1:00]
Running from: c:\documents and settings\Alan\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((( Files Created from 2009-08-12 to 2009-09-12 )))))))))))))))))))))))))))))))
.

2009-09-10 20:52 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-09-10 20:52 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-09-10 20:52 . 2008-04-14 00:12 39424 ----a-w- c:\windows\system32\grpconv.exe
2009-09-10 20:52 . 2008-04-14 00:12 39424 ----a-w- c:\windows\system32\dllcache\grpconv.exe
2009-09-10 07:58 . 2009-09-10 07:58 -------- d-----w- c:\documents and settings\Kate\Local Settings\Application Data\{8C552DDD-5325-49A1-A845-D1E460FAA8AB}
2009-09-03 10:49 . 2009-09-10 13:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-03 10:49 . 2009-09-11 08:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-03 10:49 . 2009-09-10 13:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-28 08:41 . 2009-08-28 08:41 -------- d-----w- c:\program files\Windows Defender
2009-08-27 20:22 . 2009-08-31 13:13 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-27 17:27 . 2009-08-27 17:27 -------- d-----w- c:\documents and settings\Nieve\Local Settings\Application Data\{FE66F8AA-B68D-45A0-A7E5-86735D2FF029}
2009-08-27 17:23 . 2009-08-27 17:23 -------- d-----w- c:\documents and settings\Eleanor\Local Settings\Application Data\{055C1104-F833-4557-B756-F34C2D5BDFBB}
2009-08-26 20:57 . 2009-09-11 07:23 120 ----a-w- c:\windows\Hxigafekutegefix.dat
2009-08-26 20:57 . 2009-08-26 20:57 -------- d-----w- c:\documents and settings\Alan\Local Settings\Application Data\{DF4B9221-44BC-4D12-A369-D230CEAC12F9}
2009-08-20 11:12 . 2009-08-20 13:14 -------- d-----w- c:\program files\PrivacyCenter
2009-08-19 07:42 . 2009-08-19 07:42 -------- d-----w- c:\documents and settings\Alan\Application Data\Screensaver Factory
2009-08-19 07:17 . 2009-09-10 19:28 -------- d-----w- c:\windows\click4carbonscreensaver
2009-08-19 07:16 . 2009-08-19 07:16 -------- d-----w- c:\program files\Click4Carbon
2009-08-17 12:57 . 2009-09-10 19:44 -------- d-----w- c:\windows\system32\Dorset Cereals Screen Saver dir

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-10 08:44 . 2008-03-01 19:45 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-09 20:09 . 2006-01-10 15:04 -------- d-----w- c:\program files\Web Publish
2009-09-07 16:48 . 2009-05-22 18:08 -------- d-----w- c:\program files\Yahoo!
2009-09-06 19:31 . 2006-05-26 20:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-06 19:27 . 2008-01-07 13:01 -------- d-----w- c:\documents and settings\Alan\Application Data\uTorrent
2009-09-01 08:32 . 2007-08-30 17:17 -------- d-----w- c:\program files\Common Files\Oberon Media
2009-08-27 19:49 . 2006-05-26 20:29 -------- dc--a-w- c:\program files\Spybot - Search & Destroy1
2009-08-21 23:47 . 2005-10-20 14:11 -------- d-----w- c:\program files\Dell
2009-08-11 17:39 . 2006-01-07 23:50 99984 -c--a-w- c:\documents and settings\Alan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-11 14:39 . 2009-08-11 13:57 -------- d-----w- c:\documents and settings\Alan\Application Data\Nokia
2009-08-11 14:29 . 2008-07-03 17:10 -------- d-----w- c:\program files\Nokia
2009-08-11 14:08 . 2009-08-11 14:08 -------- d-----w- c:\program files\Common Files\PCSuite
2009-08-11 14:08 . 2009-08-11 14:08 -------- d-----w- c:\program files\Common Files\Nokia
2009-08-11 14:06 . 2008-07-03 17:14 -------- d-----w- c:\program files\DIFX
2009-08-11 14:06 . 2009-08-11 14:06 -------- d-----w- c:\program files\PC Connectivity Solution
2009-08-11 14:03 . 2008-07-03 17:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Installations
2009-08-11 13:56 . 2008-07-03 17:35 -------- d-----w- c:\documents and settings\Kate\Application Data\Nokia
2009-08-11 08:24 . 2009-08-11 08:24 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-08-11 08:12 . 2005-12-13 14:49 99984 -c--a-w- c:\documents and settings\Kate\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-05 09:01 . 2004-08-10 11:51 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2004-08-10 11:50 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 22:43 . 2004-08-10 11:51 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-26 16:50 . 2004-08-10 11:51 666624 ------w- c:\windows\system32\wininet.dll
2009-06-26 16:50 . 2004-08-10 11:51 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-06-25 08:25 . 2004-08-10 11:51 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-10 11:51 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-10 11:51 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-10 11:51 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2004-08-10 11:51 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-10 11:51 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2004-08-10 11:51 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2004-08-10 11:51 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2004-08-10 11:51 81920 ----a-w- c:\windows\system32\fontsub.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-09-10_20.56.18 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-06-14 10:14 . 2008-07-08 13:02 17272 c:\windows\system32\spmsg.dll
+ 2004-08-10 11:51 . 2009-08-13 15:16 512000 c:\windows\system32\jscript.dll
- 2004-08-10 11:51 . 2008-05-09 10:53 512000 c:\windows\system32\jscript.dll
+ 2004-08-10 12:02 . 2009-06-21 21:44 153088 c:\windows\system32\dllcache\triedit.dll
- 2004-08-10 12:02 . 2008-04-14 00:12 153088 c:\windows\system32\dllcache\triedit.dll
+ 2008-05-09 10:53 . 2009-08-13 15:16 512000 c:\windows\system32\dllcache\jscript.dll
- 2008-05-09 10:53 . 2008-05-09 10:53 512000 c:\windows\system32\dllcache\jscript.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2009-06-25 1414144]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"OSCD_Creator"="c:\dell\MediaExe\PreODM.EXE" [2005-03-18 107520]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"EPSON Stylus Photo RX420 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE" [2004-04-09 98304]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-11 148888]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
DSLMON.lnk - c:\program files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2006-12-22 962660]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Software Update.lnk - c:\program files\Click4Carbon\ScreenUpdate.exe [2009-8-19 165888]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0stera

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Click4Carbon\\ScreenUpdate.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 19:19 13592]
S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [06/06/2009 12:22 33176]
S3 s115bus;Sony Ericsson Device 115 driver (WDM);c:\windows\system32\drivers\s115bus.sys [23/04/2007 13:54 83208]
S3 s115mdfl;Sony Ericsson Device 115 USB WMC Modem Filter;c:\windows\system32\drivers\s115mdfl.sys [23/04/2007 13:54 15112]
S3 s115mdm;Sony Ericsson Device 115 USB WMC Modem Driver;c:\windows\system32\drivers\s115mdm.sys [23/04/2007 13:54 108680]
S3 s115mgmt;Sony Ericsson Device 115 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s115mgmt.sys [23/04/2007 13:54 100488]
S3 s115obex;Sony Ericsson Device 115 USB WMC OBEX Interface;c:\windows\system32\drivers\s115obex.sys [23/04/2007 13:54 98568]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{2E1A9DE4-ADA0-4501-A46E-6633CDB01654}]
rundll32 magks32.dll,InitO
.
Contents of the 'Scheduled Tasks' folder

2009-09-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
mStart Page = hxxp://www.dell.co.uk/myway
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &eBay Search - c:\program files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
DPF: {BEC796E0-5836-4441-A596-DA5A815EE83E} - hxxp://www.burnsrecyclinginc.com/acc/ANNA_PORN_MPEG.CAB
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-12 08:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3084)
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-09-12 8:26
ComboFix-quarantined-files.txt 2009-09-12 07:26
ComboFix2.txt 2009-09-10 21:01

Pre-Run: 44,191,342,592 bytes free
Post-Run: 44,353,032,192 bytes free

168 --- E O F --- 2009-09-12 06:44


Thanks ever so much,
Kate.
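
A reviewer's note on the two ComboFix logs above, with an added example that is not part of the thread, of ComboFix or of Malwarebytes. Several loading points survived the clean-up and appear unchanged in both the 10 September and the 12 September output: the Internet Explorer proxy set to localhost:7171 (every browser request is routed through a local process, and with nothing listening there the browser simply fails to connect), an Active Setup component that runs rundll32 magks32.dll,InitO (the DLL Malwarebytes classed as Password.Stealer and deleted, which is consistent with the "Error loading magks32.dll" message on reboot: the loader is still present, its payload is not), a firewall exception for svchost.exe under system32\drivers rather than system32, an ActiveX .CAB download from a site that has nothing to do with Windows, and an extra value "stera" after the default autocheck autochk * in BootExecute. The script below is the editor's own heuristic triage of such lines; SAMPLE_LOG is constructed from the entries visible in the posted logs, and SYSTEM_ONLY_BINARIES, TRUSTED_DPF_DOMAINS and the rule names are the editor's assumptions, not anything the tools define.

```python
"""Heuristic triage of persistence-related lines in a ComboFix log.

Added example for this thread: not part of ComboFix, Malwarebytes or
anything the posters ran. The rules are the editor's own; SAMPLE_LOG is
constructed from the entries visible in the posted logs.
"""
import re
from typing import List, Tuple

Finding = Tuple[str, str]  # (rule name, detail)

# Constructed sample in ComboFix's own layout (blank line = end of block).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0stera

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{2E1A9DE4-ADA0-4501-A46E-6633CDB01654}]
rundll32 magks32.dll,InitO

uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
DPF: {BEC796E0-5836-4441-A596-DA5A815EE83E} - hxxp://www.burnsrecyclinginc.com/acc/ANNA_PORN_MPEG.CAB
HKLM-Run-11785004 - c:\documents and settings\All Users\Application Data\11785004\11785004.exe
"""

# Editor's assumptions: binaries that only live directly under %windir%\system32
# on a clean XP box, and hosts an ActiveX .CAB would normally be fetched from.
SYSTEM_ONLY_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}
TRUSTED_DPF_DOMAINS = ("microsoft.com", "windowsupdate.com", "macromedia.com", "adobe.com", "java.com", "sun.com")
DEFAULT_BOOTEXECUTE = "autocheck autochk *"
LOCAL_PROXY_HOSTS = {"localhost", "127.0.0.1"}


def _firewall_path_suspicious(entry: str) -> bool:
    """True when a system-only binary name sits in a firewall exception outside system32."""
    path = entry.replace("\\\\", "\\").lower()  # ComboFix prints doubled backslashes
    parent, _, name = path.rpartition("\\")
    return name in SYSTEM_ONLY_BINARIES and not parent.endswith("\\system32")


def _dpf_suspicious(url: str) -> bool:
    """True for an ActiveX .CAB download from a host outside the trusted list."""
    m = re.match(r"[a-z]+://([^/]+)", url, re.I)  # scheme may be defanged (hxxp)
    host = m.group(1).lower() if m else ""
    trusted = any(host == d or host.endswith("." + d) for d in TRUSTED_DPF_DOMAINS)
    return url.lower().endswith(".cab") and not trusted


def triage(log_text: str) -> List[Finding]:
    """Return (rule, detail) pairs for the lines that deserve a second look."""
    findings: List[Finding] = []
    section = ""  # lower-cased registry key of the current block
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            section = ""
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line.lower()
            continue
        # 1. BootExecute runs before most drivers; anything beyond autochk is odd.
        if line.startswith("BootExecute"):
            values = line.split("REG_MULTI_SZ", 1)[-1].strip().split(r"\0")
            findings += [("bootexecute", v) for v in values if v and v != DEFAULT_BOOTEXECUTE]
            continue
        # 2. Firewall exceptions for a system binary name living outside system32.
        if "authorizedapplications" in section:
            m = re.match(r'"(.+)"=', line)
            if m and _firewall_path_suspicious(m.group(1)):
                findings.append(("firewall-exception", m.group(1)))
            continue
        # 3. Active Setup components re-run for each user at logon; rundll32 of a
        #    DLL is a loader for whatever was dropped alongside it.
        if "active setup" in section:
            m = re.match(r"rundll32\s+(\S+),(\S+)", line, re.I)
            if m:
                findings.append(("active-setup", f"{m.group(1)},{m.group(2)}"))
            continue
        # 4. A proxy on localhost routes every browser request through a local process.
        m = re.match(r"uInternet Settings,ProxyServer\s*=\s*(.+)", line)
        if m:
            for spec in m.group(1).split(";"):
                hostport = spec.split("=")[-1].strip()
                if hostport.rsplit(":", 1)[0].lower() in LOCAL_PROXY_HOSTS:
                    findings.append(("local-proxy", hostport))
            continue
        # 5. Downloaded Program Files: an ActiveX .CAB from an arbitrary site.
        m = re.match(r"DPF:\s*\{[0-9A-Fa-f-]+\}\s*-\s*(\S+)", line)
        if m:
            if _dpf_suspicious(m.group(1)):
                findings.append(("activex-download", m.group(1)))
            continue
        # 6. Run keys named with a long number, as rogue "security" installers use.
        m = re.match(r"HKLM-Run-(\d{6,})\s*-\s*(.+)", line)
        if m:
            findings.append(("numeric-run-key", m.group(2)))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"{rule:20s} {detail}")
```

Run against the sample it reports all six entries listed above; paste a real ComboFix log into `triage()` to get the same list for it. None of these rules proves infection on its own (a corporate proxy on 127.0.0.1 or a vendor's own Active Setup entry are legitimate), which is why the script only ranks lines for a human to check rather than deleting anything.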

#12 Buckeye_Sam
    Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 13 September 2009 - 07:16 AM

Ok, it looks like Malwarebytes did the job. How is your computer behaving now?


========================================================

#13 Alankate27
  • Topic Starter
  • Members
  • 18 posts

Posted 13 September 2009 - 06:06 PM

SOOOOO much better thanks.

What do you advise re. antivirus protection for the future and all those other programmes already loaded - Combo fix, root repeal, avenger etc as well as Spybot etc?

Thanks from a very grateful
Kate.

#14 Buckeye_Sam
    Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 14 September 2009 - 06:52 AM

The first thing you need to do now is install an antivirus program. There's a few very good free programs out there that I can recommend.

http://free.avg.com/download
http://www.avast.com/eng/download-avast-home.html

Now for the other programs, I recommend that you keep Spybot and Malwarebytes, but the other specific tools that I had you download we will need to remove. The Combofix removal process will also remove those other tools for us.


We need to remove Combofix now that we're done with it.
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK


==================



Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - You should disable and re-enable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to disable and re-enable system restore here:

    Windows XP System Restore Guide

    Re-enable system restore with instructions from the tutorial above

  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

:( :(


========================================================

#15 Alankate27
  • Topic Starter
  • Members
  • 18 posts

Posted 28 September 2009 - 03:14 AM

Hi Sam
So I've left it for a couple of weeks to see what appears and how things go. Everything has been running very smoothly and no nasty things have taken hold again, so it would seem that we are virus-free and we are very happy, thank you!
I have made a donation.
Now I am ready to follow all your instructions about removing Combo Fix and downloading those other things.
Thanks so much again, you have been wonderful.
Kate.

Further questions:

... having done that ComboFix uninstall instruction it quickly uninstalled ComboFix but I still have Avenger.zip, Avenger, Rootrepeal, Windiag etc. These don't seem to appear on the list of programmes on the 'Add/Remove Programmes' page of the control panel. Do I just leave them?

Also, along with my initial enquiry to this website when our virus was first becoming apparent, I also posted a question about our CD drive which no longer recognises CDs. The advice at the time was to resolve all our other issues as this may be resolved along with them. It hasn't been - we still can't play/load any sort of CD - any suggestions?

ALSO (sorry) when we set up our computer we set it up with four user names or accounts - one for each member of the family. It was useful to keep all our stuff separate. Ages ago three of us lost the ability to connect to the internet from our own account, and we all have to use 'Alan' (my husband's account) when we want to connect to the web which is most of the time. Any thoughts on how we can restore our own connectivity? It would seem to be a computer problem rather than a router or modem issue; we have changed these a couple of times but we lost our connections at a completely unrelated time, all at the same time.

Any thoughts at all?

Edited by Alankate27, 28 September 2009 - 03:26 AM.
