Windows Police Pro


This topic is locked
8 replies to this topic

#1 daltom1965

daltom1965

  • Members
  • 24 posts
  • Gender:Male

Posted 12 October 2009 - 08:10 PM

Any previous descriptions can be found in the Am I infected forum. I was asked to post 2 logs here and I'm doing so from the infected machine.

XP Home SP 2
Dell 2400
Seriously owned

I am posting in Safe mode with networking; otherwise most exe files are shut down except regedit. Almost like they are laughing because any deleted keys recreate themselves (rootkit!). You can rename to .com with some files. Control panel is worthless.

A few more details:

I will be posting from 2 different systems.

Working Windows modules so far:

Renamed exe files to .com although results vary. Malwarebytes gets slapped and so did the antivirus on the system (Trend Micro Enterprise Officescan)

Regedit

Task Manager

Internet Explorer

Notepad

Everything else gets tagged by the trojan as infected and is shut down

Safe mode with networking is better but I still get a lot of popups wanting me to buy stuff.

oops,

Did not read the posting instructions. Here are the log files pasted in addition to being attached.

----------------


DDS (Ver_09-10-13.01) - NTFSx86
Run by kkelly at 16:41:17.78 on Mon 10/12/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.222 [GMT -5:00]

AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {08937568-6BE8-451D-96F6-8463AED6DE8A}
FW: Trend Micro Personal Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============

C:WINDOWSsystem32svchost -k DcomLaunch
SVCHOST.EXE
C:WINDOWSSystem32svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:WINDOWSsystem32spoolsv.exe
SVCHOST.EXE
C:WINDOWSsvchast.exe
C:Program FilesCommon FilesMicrosoft SharedVS7Debugmdm.exe
C:Program FilesTrend MicroOfficeScan Clientntrtscan.exe
C:Program FilesTrend MicroOfficeScan Clienttmlisten.exe
C:Program FilesTrend MicroOfficeScan ClientTmPfw.exe
C:WINDOWSTEMPZJ3849.EXE
C:Program FilesTrend MicroOfficeScan ClientCNTAoSMgr.exe
C:WINDOWSExplorer.EXE
C:Program FilesMusicmatchMusicmatch Jukeboxmmtask.exe
C:Program FilesJavajre1.6.0_02binjusched.exe
C:WINDOWSsystem32NWTRAY.EXE
C:Program FilesAnalog DevicesCoresmax4pnp.exe
C:Program FilesiTunesiTunesHelper.exe
C:Program FilesGoogleGoogleToolbarNotifierGoogleToolbarNotifier.exe
C:WINDOWSsystem32ctfmon.exe
C:Program FilesAdobeAcrobat 7.0Readerreader_sl.exe
C:Program FilesiPodbiniPodService.exe
C:Program FilesWindows Police ProWindows Police Pro.exe
C:Documents and SettingskkellyDesktopdds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.dell4me.com/mywaybiz
uSearch Bar = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://www.dell4me.com/mywaybiz
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.dell4me.com/mywaybiz
mSearch Bar = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: N/A: {9cb65206-89c4-402c-ba80-02d8c59f9b1d} - c:program filesasktbarsrchastt1.binA5SRCHAS.DLL
mURLSearchHooks: N/A: {9cb65206-89c4-402c-ba80-02d8c59f9b1d} - c:program filesasktbarsrchastt1.binA5SRCHAS.DLL
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:program filesadobeacrobat 7.0activexAcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:program filesjavajre1.6.0_02binssv.dll
BHO: ICQSys (IE PlugIn): {77dc0b63-1535-4ba9-8be8-d59eb676fa02} - c:windowssystem32plugie.dll
BHO: Ask Search Assistant BHO: {9cb65201-89c4-402c-ba80-02d8c59f9b1d} - c:program filesasktbarsrchastt1.binA5SRCHAS.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:program filesgooglegoogle toolbarGoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:program filesgooglegoogletoolbarnotifier5.3.4501.1418swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:program filesgooglegoogle toolbarcomponentfastsearch_B7C5AC242193BB3E.dll
BHO: Ask Toolbar BHO: {fe063db1-4ec0-403e-8dd8-394c54984b2c} - c:program filesasktbarbar1.binASKTBAR.DLL
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
TB: Ask Toolbar: {fe063db9-4ec0-403e-8dd8-394c54984b2c} - c:program filesasktbarbar1.binASKTBAR.DLL
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:program filesgooglegoogle toolbarGoogleToolbar_32.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:windowssystem32Shdocvw.dll
uRun: [DellSupport] "c:program filesdellsupportDSAgnt.exe" /startup
uRun: [ctfmon.exe] c:windowssystem32ctfmon.exe
uRun: [swg] "c:program filesgooglegoogletoolbarnotifierGoogleToolbarNotifier.exe"
mRun: [SoundMAXPnP] c:program filesanalog devicescoresmax4pnp.exe
mRun: [IgfxTray] c:windowssystem32igfxtray.exe
mRun: [HotKeysCmds] c:windowssystem32hkcmd.exe
mRun: [SunJavaUpdateSched] "c:program filesjavajre1.6.0_02binjusched.exe"
mRun: [mmtask] c:program filesmusicmatchmusicmatch jukeboxmmtask.exe
mRun: [RealTray] c:program filesrealrealplayerRealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [NWTRAY] NWTRAY.EXE
mRun: [QuickTime Task] "c:program filesquicktimeqttask.exe" -atboottime
mRun: [NeroFilterCheck] c:program filescommon filesaheadlibNeroCheck.exe
mRun: [Google IME Autoupdater] "c:program filesgooglegoogle pinyinGooglePinyinDaemon.exe"
mRun: [iTunesHelper] "c:program filesitunesiTunesHelper.exe"
mRun: [OfficeScanNT Monitor] "c:program filestrend microofficescan clientpccntmon.exe" -HideWindow
mRun: [durogawak] Rundll32.exe "c:windowssystem32kohajawu.dll",a
dRun: [inixs] c:windowssystem32minix32.exe
StartupFolder: c:docume~1alluse~1startm~1programsstartupadober~1.lnk - c:program filesadobeacrobat 7.0readerreader_sl.exe
StartupFolder: c:docume~1alluse~1startm~1programsstartupmicros~1.lnk - c:program filesmicrosoft officeoffice10OSA.EXE
mPolicies-system: CompatibleRUPSecurity = 1 (0x1)
IE: E&xport to Microsoft Excel - c:progra~1micros~4office10EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:program filesmessengermsmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:program filesjavajre1.6.0_02binssv.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:windowssystem32Shdocvw.dll
DPF: {00134F72-5284-44F7-95A8-52A619F70751} - hxxps://172.16.250.192:4343/officescan/console/html/ClientInstall/WinNTChk.cab
DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} - hxxps://172.16.250.192:4343/officescan/console/html/ClientInstall/setup.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} - hxxps://172.16.250.192:4343/officescan/console/html/root/AtxEnc.cab
DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} - hxxps://172.16.250.192:4343/officescan/console/html/ClientInstall/RemoveCtrl.cab
DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {13AA074D-B036-4411-8FD9-923829859593} = 68.94.156.1,68.94.157.1
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:program filescommon filesmicrosoft sharedweb foldersPKMCDO.DLL
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: c:windowssystem32dolemiju.dll zitosaba.dll c:windowssystem32kohajawu.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:windowssystem32WPDShServiceObj.dll
SSODL: yudumetef - {c68a6db1-ea3c-4b9a-a7d2-d8606956f3cc} - c:windowssystem32kohajawu.dll
SSODL: pakiwegap - {800fdc75-4892-4a51-95ea-3d2e55874b22} - c:windowssystem32kohajawu.dll
SSODL: rehupafoj - {1aaedc71-0add-4a5c-b71b-7a79ab57a805} - c:windowssystem32kohajawu.dll
SSODL: fepuhegut - {c4b960b7-217d-4e5f-a13c-ec261ab5b47f} - c:windowssystem32kohajawu.dll
SSODL: neradubel - {7dbff19f-7b85-4b2d-afc3-dbce0f924e6f} - c:windowssystem32kohajawu.dll
STS: kupuhivus: {c68a6db1-ea3c-4b9a-a7d2-d8606956f3cc} - c:windowssystem32kohajawu.dll
STS: tokatiluy: {800fdc75-4892-4a51-95ea-3d2e55874b22} - c:windowssystem32kohajawu.dll
STS: mujuzedij: {1aaedc71-0add-4a5c-b71b-7a79ab57a805} - c:windowssystem32kohajawu.dll
STS: mujuzedij: {c4b960b7-217d-4e5f-a13c-ec261ab5b47f} - c:windowssystem32kohajawu.dll
STS: mujuzedij: {7dbff19f-7b85-4b2d-afc3-dbce0f924e6f} - c:windowssystem32kohajawu.dll
LSA: Authentication Packages = msv1_0 nwv1_0
LSA: Notification Packages = scecli muzurimo.dll

============= SERVICES / DRIVERS ===============

R2 AntiPol;AntiPol;c:windowssvchast.exe [2009-10-12 422400]
R2 TmFilter;Trend Micro Filter;c:program filestrend microofficescan clienttmxpflt.sys [2009-5-22 225296]
R2 TmPreFilter;Trend Micro PreFilter;c:program filestrend microofficescan clienttmpreflt.sys [2009-5-22 36368]
R3 tmcfw;Trend Micro Common Firewall Service;c:windowssystem32driversTM_CFW.sys [2009-3-18 335888]
R3 TmPfw;OfficeScan NT Firewall;c:program filestrend microofficescan clientTmPfw.exe [2009-3-18 488768]
S3 TmProxy;OfficeScan NT Proxy Service;c:program filestrend microofficescan clientTmProxy.exe [2009-3-18 652552]

============== File Associations ===============

exefile=c:windowssystem32pump.exe "%1" %*

=============== Created Last 30 ================

2009-10-12 15:36 8,192 a------- c:windowssystem32control.com
2009-10-12 13:09 12,160 a------- c:windowssystem32driversmouhid.sys
2009-10-12 13:09 12,160 a------- c:windowssystem32dllcachemouhid.sys
2009-10-12 13:08 9,600 a------- c:windowssystem32drivershidusb.sys
2009-10-12 13:08 9,600 a------- c:windowssystem32dllcachehidusb.sys
2009-10-12 12:44 <DIR> --d----- C:Malware
2009-10-12 12:26 <DIR> --d----- c:docume~1kkellyapplic~1Malwarebytes
2009-10-12 12:26 38,224 a------- c:windowssystem32driversmbamswissarmy.sys
2009-10-12 12:25 19,160 a------- c:windowssystem32driversmbam.sys
2009-10-12 12:25 <DIR> --d----- c:docume~1alluse~1applic~1Malwarebytes
2009-10-12 12:25 <DIR> --d----- c:program filesMalwarebytes' Anti-Malware
2009-10-12 08:37 150 a------- c:windowssystem32tempie.html
2009-10-12 08:31 4 a------- c:windowssystem32bincd32.dat
2009-10-12 08:21 <DIR> --d----- c:windowssystem32schtml
2009-10-12 08:17 422,400 a------- c:windowssvchast.exe
2009-10-12 08:17 58 a------- c:windowswf4.dat
2009-10-12 08:17 2 a------- c:windowswf3.dat
2009-10-12 08:17 652,800 a------- c:windowssystem32plugie.dll
2009-10-12 08:17 36 a------- c:windowssystem32skynet.dat
2009-10-12 08:17 9 a------- c:windowssystem32nuar.old
2009-10-12 08:17 544,768 a------- c:windowssystem32pump.exe
2009-10-12 08:16 <DIR> --d----- c:program filesWindows Police Pro
2009-10-08 08:18 <DIR> --d----- c:docume~1alluse~1applic~122427219
2009-10-08 08:18 614 ---sh--- c:windowssystem32rumepopo.dll
2009-10-07 11:52 614 ---sh--- c:windowssystem32siveraja.dll
2009-10-07 11:51 614 ---sh--- c:windowssystem32bopomija.dll

==================== Find3M ====================

2009-08-21 04:46 450,560 -------- c:windowssystem32dllcachejscript.dll
2009-08-12 11:39 66,168 a------- c:docume~1kkellyapplic~1GDIPFONTCACHEV1.DAT
2009-08-06 19:24 327,896 a------- c:windowssystem32dllcachewucltui.dll
2009-08-06 19:24 209,632 a------- c:windowssystem32dllcachewuweb.dll
2009-08-06 19:24 35,552 a------- c:windowssystem32dllcachewups.dll
2009-08-06 19:24 53,472 a------- c:windowssystem32dllcachewuauclt.exe
2009-08-06 19:24 96,480 a------- c:windowssystem32dllcachecdm.dll
2009-08-06 19:23 575,704 a------- c:windowssystem32dllcachewuapi.dll
2009-08-06 19:23 1,929,952 a------- c:windowssystem32dllcachewuaueng.dll
2009-08-05 04:11 204,800 a------- c:windowssystem32mswebdvd.dll
2009-08-05 04:11 204,800 -------- c:windowssystem32dllcachemswebdvd.dll
2009-07-18 11:20 3,062,272 -------- c:windowssystem32dllcachemshtml.dll
2009-07-18 11:20 1,506,304 -------- c:windowssystem32dllcacheshdocvw.dll
2009-07-17 13:55 58,880 a------- c:windowssystem32atl.dll
2009-07-17 13:55 58,880 -------- c:windowssystem32dllcacheatl.dll
2009-07-12 08:15 38,400 a--sh--- c:windowssystem32dogubina.dll
2009-07-09 08:35 89,088 a--sh--- c:windowssystem32dolemiju.dll
2009-07-07 11:51 26,624 a--sh--- c:windowssystem32fatatezu.dll
2009-07-09 08:35 50,688 a--sh--- c:windowssystem32liwadefi.dll
2009-07-08 08:18 38,400 a--sh--- c:windowssystem32mebokewe.dll
2009-07-09 08:35 50,688 a--sh--- c:windowssystem32meridewa.dll
2009-07-09 08:35 50,688 a--sh--- c:windowssystem32muzurimo.dll
2009-07-09 08:35 1,011,752 a--sh--- c:windowssystem32nozahiti.exe
2009-07-08 08:18 1,011,243 a--sh--- c:windowssystem32tepusiga.exe
2009-07-08 08:18 51,712 a--sh--- c:windowssystem32yupujufo.dll
2009-07-09 08:35 50,688 a--sh--- c:windowssystem32zitosaba.dll

============= FINISH: 16:42:51.73 ===============


ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/10/12 16:49
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:WINDOWSSystem32Driversdump_atapi.sys
Address: 0xEF6B7000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:WINDOWSSystem32Driversdump_WMILIB.SYS
Address: 0xF8A85000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.com.sys
Image Path: C:WINDOWSsystem32driversrootrepeal.com.sys
Address: 0xEEA27000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:hiberfil.sys
Status: Locked to the Windows API!

Path: C:WINDOWSPrefetchROOTREPEAL.COM-0C21E63E.pf
Status: Visible to the Windows API, but not on disk.

Path: C:Documents and SettingskkellyDesktopRootRepeal.exe
Status: Invisible to the Windows API!

Path: C:Documents and SettingskkellyDesktopRootRepeal.com
Status: Visible to the Windows API, but not on disk.

Path: C:Documents and SettingskkellyDesktopsettings.dat
Status: Visible to the Windows API, but not on disk.

Path: C:Documents and SettingskkellyMy DocumentsAttach2.txt
Status: Invisible to the Windows API!

Path: C:Documents and SettingskkellyMy DocumentsAttach.txt
Status: Visible to the Windows API, but not on disk.

Path: C:Documents and SettingskkellyLocal SettingsTemp4.tmp
Status: Invisible to the Windows API!

==EOF==

Thanks

daltom1965



Edited by boopme, 12 October 2009 - 10:08 PM.




#2 daltom1965

daltom1965
  • Topic Starter

  • Members
  • 24 posts
  • Gender:Male

Posted 12 October 2009 - 10:14 PM

Something I said or posted? All of my replies have been deleted. Would really like to know why.

#3 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 12 October 2009 - 11:23 PM

Hello daltom1965,
  • Welcome to Bleeping Computer.
  • Sorry for delayed response. Forums have been really busy.
  • My name is fireman4it and I will be helping you with your Malware problem.
  • As I am still in training I will be helping you under supervision of our expert teachers, so there may be a delay between posts.
Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • Finally, please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.
  • I will be analyzing your log. I will get back to you with instructions after it is approved.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#4 daltom1965

daltom1965
  • Topic Starter

  • Members
  • 24 posts
  • Gender:Male

Posted 13 October 2009 - 06:55 AM

Fireman!

Welcome to the fight!

I will be at work today until around 6pm CDT US time. The system is at my residence as I dare not plug into my office network. I will be checking the forums from time to time today for your suggestions and begin implementing them this afternoon.

Thanks

daltom1965

#5 daltom1965

daltom1965
  • Topic Starter

  • Members
  • 24 posts
  • Gender:Male

Posted 13 October 2009 - 05:23 PM

I have returned home and am ready if you have analyzed the logs

Daltom1965

#6 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 13 October 2009 - 09:18 PM

1.
Ask Toolbar is considered foistware instead of malware since it is installed without users' approval but doesn't spy or do anything "bad". This changed from what we know as stated in the following Articles:

http://www.benedelman.org/spyware/ask-toolbars/
http://vil.nai.com/vil/content/v_185490.htm


I suggest you remove the program now. Click on start > run > and then paste the following into the "open" field: appwiz.cpl and press OK. From within Add or Remove Programs uninstall the following if they exist: Ask Toolbar.

2.
Download to your desktop FixPolicies, a self-extracting ZIP archive.
  • Double-click FixPolicies.exe.
  • Click the Install button on the bottom toolbar of the box that will open.
  • The program will create a new Folder called FixPolicies.
  • Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd
  • A black box will briefly appear and then close.
  • Reboot the computer so the changes can take effect.
3.
Download Combofix from any of the links below. You must rename it 1234.scr before saving it. Save it to your desktop.

Link 1
Link 2



Double click on 1234.scr & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a DDS log so we can continue cleaning the system.


Things to include in your next reply:
Combofix.txt
A new DDS log
ATTACH.txt
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#7 daltom1965

daltom1965
  • Topic Starter

  • Members
  • 24 posts
  • Gender:Male

Posted 13 October 2009 - 10:31 PM

The machine is "clean".

I did a "bad" and went after this thing on my own but really need to share my journey. (please don't consider me a rogue but I've been at this a while)

I used the dds logs to target the random file names and services created.

I created a text file from the log using the file names and locations as a guideline, inserting the del command in front of every entry (risky, I know)

I booted from an XP CD into recovery console and ran the "batch" command referencing the text file. Had to find a location the rootkit would not find the file and delete it. (C:\Windows turned out to be a surprising fit)

Once the batch command deleted the files I rebooted in safe mode and Malwarebytes installed, scanned, and did an amazing job of cleaning up. (It would not even try prior to these actions)

Now I am really in trouble with some of the handlers....I ran combofix without advice but have used it before.

It mopped up the remnants and left me a log I was happy with. After running gmer, dds, and win32diag there seems to be no nasty files. I have connected this system to a honeypot network and have seen no negative results.

I seriously apologize for the time you spent looking at the logs. I agree the ASK bar is a problem. I thought I had it eradicated from my network 6 months ago and found this system still using it.

If you feel my presumptions on this system are premature I would gladly accept a suggestion. (we all have things to learn)

I have log files galore if you want them to better understand what I did and maybe what I have not done.

Best regards and thanks! It is a team effort.

daltom1965
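The triage step described in this post (picking the randomly named files, load points and services out of the DDS log) as an added example; this is not daltom1965's script and not a DDS or BleepingComputer tool. It parses the DDS sections shown in the first post and flags the indicator classes present there: the exefile association hijack, AppInit_DLLs and extra LSA notification packages, a service binary dropped in the Windows root, hidden+system files in system32, and one DLL registered behind several load points. The sample log is constructed from entries in the posted log with the path backslashes restored.

```python
# Triage a DDS log like the one pasted in this thread.  Added example for illustration;
# not a DDS or BleepingComputer tool.  SAMPLE_DDS is constructed from entries in the
# posted log, with the path backslashes that the forum extraction stripped put back.
import re
from collections import defaultdict
from dataclasses import dataclass

SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\officescan client\pccntmon.exe" -HideWindow
mRun: [durogawak] Rundll32.exe "c:\windows\system32\kohajawu.dll",a
AppInit_DLLs: c:\windows\system32\dolemiju.dll zitosaba.dll c:\windows\system32\kohajawu.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: yudumetef - {c68a6db1-ea3c-4b9a-a7d2-d8606956f3cc} - c:\windows\system32\kohajawu.dll
SSODL: pakiwegap - {800fdc75-4892-4a51-95ea-3d2e55874b22} - c:\windows\system32\kohajawu.dll
STS: kupuhivus: {c68a6db1-ea3c-4b9a-a7d2-d8606956f3cc} - c:\windows\system32\kohajawu.dll
LSA: Notification Packages = scecli muzurimo.dll
============= SERVICES / DRIVERS ===============
R2 AntiPol;AntiPol;c:\windows\svchast.exe [2009-10-12 422400]
R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\officescan client\tmxpflt.sys [2009-5-22 225296]
============== File Associations ===============
exefile=c:\windows\system32\pump.exe "%1" %*
=============== Created Last 30 ================
2009-10-12 08:17 544,768 a------- c:\windows\system32\pump.exe
2009-10-08 08:18 614 ---sh--- c:\windows\system32\rumepopo.dll
2009-07-09 08:35 50,688 a--sh--- c:\windows\system32\muzurimo.dll
"""

@dataclass(frozen=True)
class Finding:
    check: str   # which heuristic fired
    detail: str  # the offending log value

EXEFILE_DEFAULT = '"%1" %*'      # stock XP exefile handler: just the target and its args
LSA_EXPECTED = {"scecli"}        # the only Notification Package a standalone XP box ships with
RUN_RE = re.compile(r"^[umd]Run: \[(.+?)\] (.+)$")
LOADPOINT_RE = re.compile(r"^(SSODL|STS): .*?\{[^}]+\} - (.+)$")
SERVICE_RE = re.compile(r"^[RS]\d (\w+);[^;]*;(.+?) \[")
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} (\S+) (\S+) (.+)$")
DLL_RE = re.compile(r'([^"\s,]+\.dll)', re.IGNORECASE)

def triage(dds_text: str) -> list[Finding]:
    """Return the suspicious entries in a DDS log, in log order."""
    findings: list[Finding] = []
    load_points: dict[str, list[str]] = defaultdict(list)  # dll -> places it is loaded from
    for line in (raw.strip() for raw in dds_text.splitlines()):
        if m := RUN_RE.match(line):
            for dll in DLL_RE.findall(m.group(2)):     # rundll32-style launch of a DLL
                load_points[dll.lower()].append(f"Run:{m.group(1)}")
        elif line.startswith("AppInit_DLLs:"):           # loaded into every user32 process
            for dll in line.split(":", 1)[1].split():
                load_points[dll.lower()].append("AppInit_DLLs")
                findings.append(Finding("appinit_dll", dll))
        elif m := LOADPOINT_RE.match(line):              # shell/explorer load points
            load_points[m.group(2).lower()].append(m.group(1))
        elif line.startswith("LSA: Notification Packages ="):
            for pkg in line.split("=", 1)[1].split():
                if pkg.lower() not in LSA_EXPECTED:      # sees every password change in clear
                    findings.append(Finding("lsa_notification_package", pkg))
        elif m := SERVICE_RE.match(line):
            name, path = m.groups()                      # a service binary directly in %WINDIR%
            if re.fullmatch(r"c:\\windows\\[^\\]+", path, re.IGNORECASE):
                findings.append(Finding("service_binary_in_windows_root", f"{name} -> {path}"))
        elif line.lower().startswith("exefile="):
            value = line.split("=", 1)[1].strip()        # a proxy in front of every .exe launch
            if value != EXEFILE_DEFAULT:
                findings.append(Finding("exefile_association_hijack", value))
        elif m := FILE_RE.match(line):
            _size, attrs, path = m.groups()              # hidden+system files dropped in system32
            if "s" in attrs and "h" in attrs and "\\system32\\" in path.lower():
                findings.append(Finding("hidden_system_file", path))
    for dll, where in load_points.items():               # one DLL behind many random-named entries
        if len(where) >= 2:
            findings.append(Finding("dll_with_multiple_load_points", f"{dll} <- {', '.join(where)}"))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"{f.check:32} {f.detail}")
```

The output is a review list, not a deletion list: the poster's approach of feeding every flagged path to `del` is exactly where a false positive (a legitimate SSODL entry such as WPDShServiceObj, which this script deliberately leaves alone) would break the system.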

#8 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 14 October 2009 - 05:02 PM

Congratulations, you're clean!

For a nice list of freeware programmes in all categories, please have a look at this thread with freeware products that are regarded as useful by the users of this forum: Commonly Used Freeware Replacements.
Please also have a look at the following links, giving some advice and suggestions for preventing future infections:

Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
I recommend you regularly visit the Windows Update Site, you were lagging behind on a few of them!
  • Lots of Hacking/Trojans use the methods found (plugged by the updates) that have not been stopped by people not updating.
  • By updating your machine, you have one less headache!
  • Update ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish, you can also use automatic updates. This is a good thing to have if you want to be up-to-date all the time, but can also be a bit of an annoyance due to its handling and the sizes of the updates. If you wish to turn on automatic updates, you will find a nice little article about turning on automatic updates here.
  • Note that it will download them for you, but you still have to actually click install.
  • If you do not want to have automatic updates turned on, or are on dial-up, you can always download updates separately at: http://windowsupdate.microsoft.com.
It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Another recommendation is to download HostMan. It safeguards you with a regularly updated Hosts-file that blocks dangerous sites from opening. This adds another bit of safety while surfing the Internet. For installation and setting up, follow these steps:
  • Double-click the Downloaded installer and install the tool to a location of your choice
  • Via the Startmenu, navigate to HostsMan and run the program.
    • Click "Hosts" in the menu
    • Click "Manage Updates" in the submenu
    • Out of the three, select at least one of the three (I have MVPS Host as my main one)
    • Click "Add Update." After that you will only need to click the update button to retrieve updates.
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.
Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet

Glad I was able to help and if there any other problems related to your computer please feel free to post them in the appropriate forum. Though we help people with spyware and viruses here at BC, we also help people with other computer problems! Do not forget to tell your friends about us!

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#9 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 18 October 2009 - 06:55 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :(

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.



