It all started with SEP finding Suspicious.Vundo.2...



#1 DaveG_1

DaveG_1

  • Members
  • 1 posts

Posted 11 January 2010 - 06:01 PM

.. and then went to a world all its own like Rootkit.win32.Agent.pp and Trojan.downloader.js.multi.ca and even Network.win32.MyTob.t.

Before I just wipe this whole dayum thing clean and start fresh, could someone please help? Thank you very much for your time.

I'm brand new to this HJT thing, but I installed it and ran it. Then I read the "Read This First" post. Here are the appropriate logs requested. Thank you.



DDS (Ver_09-12-01.01) - NTFSx86 NETWORK
Run by Administrator at 17:37:23.68 on Mon 01/11/2010
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.330 [GMT -5:00]

AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator.DAVE-2003\Desktop\dds.scr

============== Pseudo HJT Report ===============

mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Symantec NetDriver Monitor] c:\progra~1\symnet~1\SNDMon.exe /Enterprise
mRun: [Seagull Drivers] ssdal_nc.exe startup
mRun: [Panasonic Device Monitor Wakeup] c:\program files\panasonic\panasonic-dms\device monitor\DMWakeup.exe
mRun: [Panasonic Application Manager Agent] c:\program files\panasonic\panasonic-dms\panasonic nus\PamDlg.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [<NO NAME>]
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 5.0\distillr\AcroTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\jobsta~1.lnk - c:\program files\panasonic\panasonic-dms\lrecvtrap\LRecvTrap.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\panaso~1.lnk - c:\program files\panasonic\panasonic-dms\port controller\Mfpscdl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{d25122bc-a60e-4663-b602-b01718f12044}\Icon3E5562ED7.ico
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\program files\yahoo!\messenger\YahooMessenger.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {34F12AFD-E9B5-492A-85D2-40FA4535BE83} - hxxp://www.symantec.com/techsupp/activedata/nprdtinf.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1119974976323
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1219261483536
DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} - hxxps://bellmore-noip.dyndns.biz/Remote/msrdp.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {AA299E98-6FB5-409F-99D3-D30D749F4864} - hxxp://support.tconnection.com/inc/kaxRemote.dll
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://bmhc.webex.com/client/v_mywebex-t20/webex/ieatgpc.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/RACtrl.cab
TCP: {427B567A-C4B6-45DD-92CD-99A62ED463E9} = 192.168.2.1,209.244.0.3,209.244.0.4
Notify: PCANotify - PCANotify.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: WinFax PRO IShellExecuteHook: {a213b520-c6c2-11d0-af9d-008029e1027e} - c:\program files\winfax\WfxSeh32.Dll
Hosts: 192.168.2.5 services.successware21.com
Hosts: 192.168.2.4 successdev.successware21.com

============= SERVICES / DRIVERS ===============

R1 RCFOX;SonicWALL IPsec Driver;c:\windows\system32\drivers\RCFOX.SYS [2009-8-19 101528]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-10-17 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-10-17 108392]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec antivirus\Rtvscan.exe [2009-10-17 2477304]
R3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\drivers\rcvpn.sys [2009-8-19 24876]
S0 llwxrem;llwxrem;c:\windows\system32\drivers\iymil.sys --> c:\windows\system32\drivers\iymil.sys [?]
S1 AW_HOST;AW_HOST;c:\windows\system32\drivers\AW_HOST5.sys [2005-11-21 11008]
S2 MSSQL$SW21SQL;SQL Server (SW21SQL);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2009-5-27 29262680]
S2 Panasonic Application Manager Service;Panasonic Application Manager Service;c:\program files\panasonic\panasonic-dms\panasonic nus\PamService.exe [2008-10-15 20480]
S3 awhost32;Symantec pcAnywhere Host Service;c:\program files\symantec\pcanywhere\awhost32.exe [2006-2-14 106496]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2009-10-17 23888]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-1-11 102448]
S3 MSSQL$SW_BETA2TEST;SQL Server (SW_BETA2TEST);"c:\program files\microsoft sql server\mssql.5\mssql\binn\sqlservr.exe" -ssw_beta2test --> c:\program files\microsoft sql server\mssql.5\mssql\binn\sqlservr.exe [?]
S3 MSSQL$SW_BETATEST;SQL Server (SW_BETATEST);"c:\program files\microsoft sql server\mssql.4\mssql\binn\sqlservr.exe" -ssw_betatest --> c:\program files\microsoft sql server\mssql.4\mssql\binn\sqlservr.exe [?]
S3 MSSQL$SW_CERT;SQL Server (SW_CERT);"c:\program files\microsoft sql server\mssql.2\mssql\binn\sqlservr.exe" -ssw_cert --> c:\program files\microsoft sql server\mssql.2\mssql\binn\sqlservr.exe [?]
S3 MSSQL$SW_CURTEST;SQL Server (SW_CURTEST);"c:\program files\microsoft sql server\mssql.3\mssql\binn\sqlservr.exe" -ssw_curtest --> c:\program files\microsoft sql server\mssql.3\mssql\binn\sqlservr.exe [?]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20091231.121\NAVENG.SYS [2010-1-11 84912]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20091231.121\NAVEX15.SYS [2010-1-11 1323568]
S3 SWHttpHeartbeatSvc;Successware21 Http Heartbeat Service;c:\successware\successware21 trial server\httpserver\swhttpaux.exe --> c:\successware\successware21 trial server\httpserver\swhttpaux.exe [?]
S3 SWHttpMessageSvc;Successware21 Http Messaging Service;c:\successware\successware21 trial server\httpserver\swhttpaux.exe --> c:\successware\successware21 trial server\httpserver\swhttpaux.exe [?]
S3 SWHttpSvc;Successware21 Http Server;c:\successware\successware21 trial server\httpserver\swhttpserv.exe --> c:\successware\successware21 trial server\httpserver\SWHttpServ.exe [?]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]

=============== Created Last 30 ================

2010-01-11 22:14:02 0 d-----w- c:\program files\Trend Micro
2010-01-07 04:01:32 0 d-----w- c:\docume~1\admini~1.dav\applic~1\Malwarebytes
2010-01-07 01:25:57 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 01:25:55 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-07 01:25:55 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-07 01:25:55 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-06 17:28:55 106 ----a-w- C:\SYMLogFile

==================== Find3M ====================

2009-10-29 07:46:59 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:46:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46:50 17408 ----a-w- c:\windows\system32\corpol.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-17 16:20:45 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-10-17 13:58:34 89600 ----a-w- c:\windows\system32\atl71.dll
2009-10-17 13:58:34 87368 ----a-w- c:\windows\system32\FwsVpn.dll
2009-10-17 13:58:34 625032 ----a-w- c:\windows\system32\SymNeti.dll
2009-10-17 13:58:34 242056 ----a-w- c:\windows\system32\SymRedir.dll
2009-10-17 13:58:34 107848 ----a-w- c:\windows\system32\SymVPN.dll
2008-08-27 07:10:31 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082720080828\index.dat

============= FINISH: 17:38:07.03 ===============
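The DDS log above is the raw material the helpers work from, and most of the triage is pattern spotting: services or drivers DDS could not stat (the `[?]` stamp), BHO/EB registrations with "No File", and Run entries with no name. The following script is an added example, not part of DDS, HijackThis or this thread; it parses exactly those line formats and turns them into review prompts. Its sample input is a handful of lines copied from the posted log, and it assumes the DDS notation that a leading R/S means running/stopped, that the digit is the Windows start type (0 boot, 1 system, 2 auto, 3 manual, 4 disabled), and that `[?]` replaces the date/size stamp when the image file could not be found. A finding is a prompt to look closer, not a verdict of infection; an unverifiable image is often the leftover of an uninstalled product.

```python
"""Triage the Pseudo HJT and SERVICES / DRIVERS sections of a DDS log.

Added example for this thread; it is not part of DDS, HijackThis or the
BleepingComputer post.  The line formats and the sample lines are copied
from the log posted above.  Each Finding is a prompt for a human reviewer,
not a verdict: an image DDS could not stat may just be an uninstalled
product's leftover service registration.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample: eight lines copied from the posted DDS log.
SAMPLE_LOG = r"""
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [<NO NAME>]
R1 RCFOX;SonicWALL IPsec Driver;c:\windows\system32\drivers\RCFOX.SYS [2009-8-19 101528]
S0 llwxrem;llwxrem;c:\windows\system32\drivers\iymil.sys --> c:\windows\system32\drivers\iymil.sys [?]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]
"""

# Assumption about DDS notation: leading R/S = running/stopped, the digit is
# the Windows start type, and "[?]" replaces the "[date size]" stamp when DDS
# could not stat the image file.
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4]) (?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
STAMP_RE = re.compile(r"^(?P<body>.*) \[(?P<date>\d{4}-\d{1,2}-\d{1,2}) (?P<size>\d+)\]$")
NO_FILE_RE = re.compile(r"^(?P<kind>BHO|TB|EB): (?P<clsid>\{[0-9A-Fa-f-]+\}) - No File$")
RUN_RE = re.compile(r"^(?P<hive>[umd])Run: \[(?P<name>[^\]]*)\](?P<cmd>.*)$")
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "manual", "4": "disabled"}
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass
class ServiceEntry:
    name: str
    display: str
    path: str           # resolved image path (right-hand side of " --> " if present)
    running: bool
    start_type: str
    verified: bool      # False when DDS printed "[?]" instead of a date/size stamp
    size: Optional[int] = None


@dataclass
class Finding:
    severity: str       # "high" | "medium" | "low"
    subject: str
    reason: str


def parse_service(line: str) -> Optional[ServiceEntry]:
    """Parse one SERVICES / DRIVERS line; return None for any other line."""
    m = SERVICE_RE.match(line.strip())
    if m is None:
        return None
    rest = m.group("rest").strip()
    if rest.endswith("[?]"):
        body, verified, size = rest[:-3].strip(), False, None
    else:
        sm = STAMP_RE.match(rest)
        if sm is None:
            return None
        body, verified, size = sm.group("body"), True, int(sm.group("size"))
    return ServiceEntry(
        name=m.group("name"), display=m.group("display"),
        path=body.split(" --> ")[-1],
        running=m.group("state") == "R",
        start_type=START_TYPES[m.group("start")],
        verified=verified, size=size)


def triage(lines: Iterable[str]) -> List[Finding]:
    """Walk the log once and collect review prompts in log order."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        svc = parse_service(line)
        if svc is not None:
            if not svc.verified:
                # A boot/system-start driver with no file on disk deserves the
                # closest look: it loads before most security tooling does.
                severity = "high" if svc.start_type in ("boot", "system") else "medium"
                kind = "driver" if svc.path.lower().endswith(".sys") else "service"
                findings.append(Finding(severity, svc.name,
                    f"{svc.start_type}-start {kind}: image {svc.path} not found on disk"))
            continue
        nf = NO_FILE_RE.match(line)
        if nf is not None:
            findings.append(Finding("low", nf.group("clsid"),
                f"orphaned {nf.group('kind')} registration with no backing file"))
            continue
        run = RUN_RE.match(line)
        if run is not None and (run.group("name") == "<NO NAME>" or not run.group("cmd").strip()):
            findings.append(Finding("low", f"{run.group('hive')}Run",
                "autostart entry with no name or no command"))
    return findings


def report(lines: Iterable[str]) -> List[str]:
    """Findings formatted as text lines, highest severity first."""
    ordered = sorted(triage(lines), key=lambda f: SEVERITY_RANK[f.severity])
    return [f"[{f.severity}] {f.subject}: {f.reason}" for f in ordered]


if __name__ == "__main__":
    for text in report(SAMPLE_LOG.splitlines()):
        print(text)
```

Run it against a full DDS log by passing the file's lines to `report()`; the output is a short list ordered so that an unverifiable boot-start driver comes first and orphaned BHO or Run entries come last. The script deliberately does not name anything as malware: the helper's next steps in a thread like this (a GMER rootkit scan, a fresh MBAM log) are what confirm or clear an entry that the parser only flagged.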

#2 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 16 January 2010 - 09:57 PM

Hello DaveG_1,

Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

We need to scan for Rootkits with GMER
  1. Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  2. Close any and all open programs, as this process may crash your computer.
  3. Double click or on your desktop.
  4. Allow the gmer.sys driver to load if asked.
  5. You may see this window. If you do, click No.
  6. Click on and wait for the scan to finish.
  7. If you see a rootkit warning window, click OK.
  8. Push and save the logfile to your desktop.
  9. Copy and Paste the contents of that file in your next post.

**********************

Download Security Check by screen317 from here or here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt.
Please post the contents of that document.

**********************

Since you already have Malwarebytes' Anti-Malware
* Press the Update tab then press the Check for Updates button.
* Select "Perform Full Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire MBAM report (even if it does not find anything) in your next reply along with a fresh HijackThis log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Edited by SifuMike, 16 January 2010 - 10:03 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!


Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
