Trojan.Vundo.H


  • This topic is locked
23 replies to this topic

#1 Decoys

Decoys

  • Members
  • 12 posts
  • OFFLINE
  • Local time:03:24 PM

Posted 10 February 2010 - 12:34 PM

Greetings everyone,

I believe I've contracted the Vundo virus. I had some hits on MBAM and ESET Online Scanner, but it doesn't seem that those two can rid this machine of the malware. I've attached, along with the DDS Attach file, both MBAM and ESET logs.


GMER froze my computer (BSOD), and I rebooted. I wasn't very smart and forgot to write down the error. I've looked for the minidump file but it doesn't appear that there is one in C:\windows\minidump.

Awaiting next instructions.

-Decoys




DDS (Ver_09-12-01.01) - NTFSx86
Run by Owner at 11:53:06.46 on Wed 02/10/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_10
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2029.1311 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\Program Files\Rainmeter\Rainmeter.exe
C:\WINDOWS\system32\taskmgr.exe
svchost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\STacSV.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Steam\steam.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: DefaultSearchHook Class: {c94e154b-1459-4a47-966b-4b843befc7db} - c:\program files\asksearch\bin\DefaultSearch.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - c:\program files\daemon tools toolbar\DTToolbar.dll
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [Steam] "c:\program files\steam\steam.exe" -silent
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Google Update] "c:\documents and settings\owner\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [EA Core] c:\program files\electronic arts\eadm\Core.exe -silent
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [AdobeBridge]
uRun: [AIM] j:\aim\aim.exe -cnetwait.odl
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [nwiz] nwiz.exe /install
mRun: [WinSys2] c:\windows\system32\winsys2.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [MP10_EnsureFileVer] c:\windows\inf\unregmp2.exe /EnsureFileVersions
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpbutt~1.lnk - c:\program files\hp\button manager\BM.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\rainme~1.lnk - c:\program files\rainmeter\Rainmeter.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - j:\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1245559460000
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1203356621250
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} - hxxp://messenger.zone.msn.com/binary/Chess.cab57176.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
AppInit_DLLs: raratisa.dll c:\windows\system32\deyegeri.dll zenimoni.dll juropawo.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: kulihubok - {7ba0574e-c1e1-4f73-a18a-2a1b66ebd7e7} - c:\windows\system32\deyegeri.dll
STS: kupuhivus: {7ba0574e-c1e1-4f73-a18a-2a1b66ebd7e7} - c:\windows\system32\deyegeri.dll
LSA: Notification Packages = scecli lidisika.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\a2smo0sm.default\
FF - prefs.js: browser.search.selectedEngine - DAEMON Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\documents and settings\owner\application data\mozilla\firefox\profiles\a2smo0sm.default\extensions\dttoolbar@toolbarnet.com\components\DTToolbarFF.dll
FF - plugin: c:\documents and settings\owner\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\npWebPlayerVideoPluginATL.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XUL Cache: {CD112B50-7F70-4BF6-AE63-072332178799} - c:\documents and settings\owner\local settings\application data\{CD112B50-7F70-4BF6-AE63-072332178799}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-3-31 214664]
R2 mcproxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-3-31 359952]
R2 mcshield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-3-31 144704]
R2 uCamMonitor;CamMonitor;c:\program files\arcsoft\magic-i visual effects 2\uCamMonitor.exe [2009-11-20 104960]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-6-22 24652]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [2007-5-23 547744]
R3 ArcSoftKsUFilter;ArcSoft Magic-I Visual Effect;c:\windows\system32\drivers\ArcSoftKsUFilter.sys [2009-11-20 14336]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-3-31 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-3-31 35272]
S0 dgjf070;dgjf070;\SystemRoot\\SystemRoot\System32\drivers\dgjf070.sys --> \SystemRoot\\SystemRoot\System32\drivers\dgjf070.sys [?]
S1 471ebc6c.sys;471ebc6c.sys;\??\c:\windows\system32\drivers\471ebc6c.sys --> c:\windows\system32\drivers\471ebc6c.sys [?]
S1 d39650e5;d39650e5;c:\windows\system32\drivers\d39650e5.sys --> c:\windows\system32\drivers\d39650e5.sys [?]
S2 gupdate1c98e505f7f7048;Google Update Service (gupdate1c98e505f7f7048);c:\program files\google\update\GoogleUpdate.exe [2009-2-13 133104]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-3-31 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-3-31 40552]
S4 mcsysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-3-31 606736]

=============== Created Last 30 ================

2010-02-09 03:49:09 0 d-s---w- C:\CUMBOFIX
2010-02-08 21:30:58 0 d-----w- c:\program files\ESET
2010-02-07 05:10:43 0 d-----w- c:\program files\Free Video To Audio Converter
2010-02-07 05:04:40 0 d-----w- c:\docume~1\owner\applic~1\AVS4YOU
2010-02-07 05:04:38 0 d-----w- c:\docume~1\alluse~1\applic~1\AVS4YOU
2010-02-07 05:01:34 974848 ----a-w- c:\windows\system32\mfc70.dll
2010-02-07 05:01:34 487424 ----a-w- c:\windows\system32\msvcp70.dll
2010-02-07 05:01:34 24576 ----a-w- c:\windows\system32\msxml3a.dll
2010-02-07 05:01:34 1700352 ----a-w- c:\windows\system32\GdiPlus.dll
2010-02-07 05:01:34 0 d-----w- c:\program files\common files\AVSMedia
2010-02-07 05:01:34 0 d-----w- c:\program files\AVS4YOU
2010-02-07 04:53:38 0 d-----w- c:\docume~1\owner\applic~1\AnvSoft
2010-02-06 15:20:06 0 d-----w- c:\program files\CCleaner
2010-02-06 14:55:45 199 ----a-w- C:\Shortcut to CD Drive.lnk
2010-02-06 13:46:24 0 d-----w- c:\program files\trend micro
2010-01-27 00:18:23 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-27 00:18:21 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-27 00:04:42 0 d-----w- c:\docume~1\owner\applic~1\Malwarebytes
2010-01-27 00:01:34 0 d-----w- C:\Malwarebytes' Anti-Malware
2010-01-26 23:59:44 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-26 23:59:43 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-25 02:10:27 0 d-----w- c:\docume~1\owner\applic~1\runic games
2010-01-25 01:45:30 0 d-----w- c:\program files\Runic Games
2010-01-13 08:02:57 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

==================== Find3M ====================

2009-12-22 05:21:05 667136 ----a-w- c:\windows\system32\wininet.dll
2009-12-22 05:20:58 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-02-23 06:12:43 2713 --sha-w- c:\windows\system32\vekujusi.exe

============= FINISH: 11:53:59.65 ===============


#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:07:24 PM

Posted 16 February 2010 - 09:15 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 Decoys

Decoys
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:03:24 PM

Posted 16 February 2010 - 10:16 PM

Greetings m0le,

I'm here.

-Decoys

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:07:24 PM

Posted 17 February 2010 - 07:44 AM

Hi Decoys,

Yes, Vundo is showing on the log but the majority of it does appear to have been removed. Having said that, we need to clear it all out, so please download and run Combofix, which deals well with this trojan.

Please download ComboFix from one of these locations. IMPORTANT !!! Save ComboFix.exe to your Desktop but rename it Combo-Fix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combo-Fix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Thanks
m0le is a proud member of UNITE
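The indicators m0le is reading off the DDS log in post #1 (the AppInit_DLLs list, the SSODL and STS entries that both point at deyegeri.dll, the extra LSA notification package, the hosts-file redirect and the boot-start drivers DDS could not resolve) can be pulled out mechanically. The Python triage script below is an added example, not part of the thread or of the DDS tool; its sample input is copied from the log above, and the consonant-vowel name heuristic is an assumption drawn from the names in that log.

```python
"""Triage of the pseudo-HJT and SERVICES/DRIVERS lines of a DDS log for the
persistence points Vundo uses.  Added example, not part of the thread or of
the DDS tool; the sample lines are copied from the DDS log posted above."""
import re
from collections import defaultdict

# Constructed sample: lines taken verbatim from the DDS log in post #1 (raw string keeps the backslashes).
SAMPLE_DDS = r"""
uStart Page = about:blank
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
AppInit_DLLs: raratisa.dll c:\windows\system32\deyegeri.dll zenimoni.dll juropawo.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: kulihubok - {7ba0574e-c1e1-4f73-a18a-2a1b66ebd7e7} - c:\windows\system32\deyegeri.dll
STS: kupuhivus: {7ba0574e-c1e1-4f73-a18a-2a1b66ebd7e7} - c:\windows\system32\deyegeri.dll
LSA: Notification Packages = scecli lidisika.dll
Hosts: 127.0.0.1 www.spywareinfo.com
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-3-31 214664]
S0 dgjf070;dgjf070;\SystemRoot\\SystemRoot\System32\drivers\dgjf070.sys --> \SystemRoot\\SystemRoot\System32\drivers\dgjf070.sys [?]
S1 471ebc6c.sys;471ebc6c.sys;\??\c:\windows\system32\drivers\471ebc6c.sys --> c:\windows\system32\drivers\471ebc6c.sys [?]
S1 d39650e5;d39650e5;c:\windows\system32\drivers\d39650e5.sys --> c:\windows\system32\drivers\d39650e5.sys [?]
"""

VOWELS = set("aeiou")
CLSID_RE = re.compile(r"\{[0-9a-fA-F-]{36}\}")
SERVICE_RE = re.compile(r"^([RS][0-4]) ([^;]+);([^;]*);(.*)$")


def basename(path):
    """Last path component, lower-cased (DDS mixes bare names and full paths)."""
    return path.rsplit("\\", 1)[-1].strip().lower()


def looks_generated(name):
    """Assumed heuristic, drawn from the names in this log (raratisa, deyegeri,
    lidisika, kulihubok): 7-10 lowercase letters strictly alternating
    consonant/vowel, consonant first.  Legitimate component names rarely fit."""
    stem = basename(name).rsplit(".", 1)[0]
    if not (7 <= len(stem) <= 10 and stem.isalpha()):
        return False
    return all((ch in VOWELS) == (i % 2 == 1) for i, ch in enumerate(stem))


def triage(dds_text):
    """Return (mechanism, item, reason) findings for the log's persistence points."""
    findings = []
    dll_refs = defaultdict(set)    # dll basename -> mechanisms that reference it
    clsid_refs = defaultdict(set)  # CLSID -> mechanisms that register it
    for raw in dds_text.splitlines():
        line = raw.strip()
        key, _, rest = line.partition(":")
        if key == "AppInit_DLLs":
            # Empty on a clean XP install; each entry is loaded into every process that maps user32.dll.
            for dll in rest.split():
                dll_refs[basename(dll)].add(key)
                findings.append((key, basename(dll), "DLL injected into every user32 process"))
        elif key in ("SSODL", "STS"):
            # Shell service objects and ShellExecute hooks are loaded by explorer.exe at logon.
            name = rest.split("{")[0].strip(" :-")
            path = rest.rsplit(" - ", 1)[-1].strip()
            dll_refs[basename(path)].add(key)
            clsid = CLSID_RE.search(rest)
            if clsid:
                clsid_refs[clsid.group(0).lower()].add(key)
            if looks_generated(name) or looks_generated(path):
                findings.append((key, basename(path), f"generated-looking name '{name}' loaded in explorer.exe"))
        elif key == "LSA":
            # Notification packages run inside lsass.exe; scecli is the stock entry on XP.
            for pkg in rest.partition("=")[2].split():
                if pkg.lower() != "scecli":
                    dll_refs[basename(pkg)].add(key)
                    findings.append((key, basename(pkg), "non-default LSA notification package (runs in lsass.exe)"))
        elif key == "Hosts":
            # DDS prints only non-default hosts entries; here a security site is pinned to loopback.
            ip, _, host = rest.strip().partition(" ")
            findings.append((key, host, f"hosts file maps {host} to {ip}"))
        else:
            svc = SERVICE_RE.match(line)
            if svc and svc.group(1) in ("R0", "R1", "S0", "S1") and line.endswith("[?]"):
                # Boot/system-start driver whose file DDS could not resolve: hidden component pattern.
                findings.append(("DRIVER", svc.group(2), f"{svc.group(1)} start driver with unresolvable file"))
    # One DLL or CLSID wired into several load points is the strongest single signal in this log.
    for dll, mechs in sorted(dll_refs.items()):
        if len(mechs) > 1:
            findings.append(("CORRELATION", dll, "same DLL registered via " + ", ".join(sorted(mechs))))
    for clsid, mechs in sorted(clsid_refs.items()):
        if len(mechs) > 1:
            findings.append(("CORRELATION", clsid, "same CLSID registered via " + ", ".join(sorted(mechs))))
    return findings


if __name__ == "__main__":
    for mechanism, item, reason in triage(SAMPLE_DDS):
        print(f"{mechanism:12} {item:40} {reason}")
```

Run against the sample it reports the four AppInit DLLs, both explorer.exe load points, the lidisika.dll LSA package, the hosts redirect, the three unresolvable drivers, and the fact that deyegeri.dll and CLSID {7ba0574e-...} are each registered through more than one mechanism.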

#5 Decoys

Decoys
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:03:24 PM

Posted 17 February 2010 - 08:18 AM

Hi m0le,

Tried downloading it from all 3 links, renaming it as per your instructions, but every time I try to run the renamed Combofix, a message comes up that says it's not a valid win32 application.

I've tried it in safe mode also, same results.

Perhaps there is some malware monitoring occurring?

-Decoys

#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:07:24 PM

Posted 17 February 2010 - 04:02 PM

No doubt about it: something's stopping Combofix.

Let's try a few tools to ease the path.

Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).


Then

Download and Run RKill

Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

Link 1
Link 2
Link 3
Link 4
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • Please post the resulting log in your next reply.

Now try Combofix again and post the three logs. If Combofix still fails then please post the first two logs.
m0le is a proud member of UNITE

#7 Decoys

Decoys
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:03:24 PM

Posted 17 February 2010 - 10:31 PM

Hi m0le,

Followed your instructions. exeHelper and Rkill in combination seem to have done the trick, so far. Combofix has scanned and is rebooting the machine now (I'm on another computer). I'll post the two other logs, and the Combofix log as soon as it is available.

I'm an amateur malware hunter, and would like to learn how to become more proficient and eventually help others. I've heard about several online Universities, however, it seems none have open classes at this time. Are you aware of any that are currently accepting students?

-Decoys
P.S. I've heard of Rkill before, and I'm familiar with its function, however I haven't heard of exeHelper. How does it aid in the malware hunting?

exeHelper by Raktor
Build 20091220
Run at 21:54:07 on 02/17/10
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--
This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as Owner on 02/17/2010 at 21:55:51.


Processes terminated by Rkill or while it was running:


C:\WINDOWS\system32\RUNDLL32.EXE
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Documents and Settings\Owner\Desktop\rkill.com


Rkill completed on 02/17/2010 at 21:55:55.
#8 Decoys

Decoys
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:03:24 PM

Posted 17 February 2010 - 11:06 PM

ComboFix 10-02-16.03 - Owner 02/17/2010 22:10:53.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2029.1395 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Start Menu\Programs\Startup\Rainmeter.lnk
c:\windows\system32\_005151_.tmp.dll
c:\windows\system32\_005154_.tmp.dll
c:\windows\system32\_005156_.tmp.dll
c:\windows\system32\_005157_.tmp.dll
c:\windows\system32\_005158_.tmp.dll
c:\windows\system32\_005159_.tmp.dll
c:\windows\system32\_005160_.tmp.dll
c:\windows\system32\stacsv.exe
c:\windows\system32\vekujusi.exe
c:\windows\Tasks\fjqpjrom.job
c:\windows\Tasks\lluxwssy.job
c:\windows\Tasks\owypxupj.job

.
((((((((((((((((((((((((( Files Created from 2010-01-18 to 2010-02-18 )))))))))))))))))))))))))))))))
.

2010-02-18 03:05 . 2010-02-18 03:08 -------- d-----w- C:\Combo-Fix
2010-02-11 01:47 . 2010-02-11 01:47 -------- d-----w- C:\VundoFix Backups
2010-02-08 21:30 . 2010-02-08 21:30 -------- d-----w- c:\program files\ESET
2010-02-07 05:10 . 2010-02-07 05:10 -------- d-----w- c:\program files\Free Video To Audio Converter
2010-02-07 05:04 . 2010-02-07 05:04 -------- d-----w- c:\documents and settings\Owner\Application Data\AVS4YOU
2010-02-07 05:04 . 2010-02-07 05:04 -------- d-----w- c:\documents and settings\All Users\Application Data\AVS4YOU
2010-02-07 05:01 . 2010-02-07 05:02 -------- d-----w- c:\program files\AVS4YOU
2010-02-07 05:01 . 2010-02-07 05:02 -------- d-----w- c:\program files\Common Files\AVSMedia
2010-02-07 05:01 . 2008-08-13 16:22 974848 ----a-w- c:\windows\system32\mfc70.dll
2010-02-07 05:01 . 2008-08-13 16:22 487424 ----a-w- c:\windows\system32\msvcp70.dll
2010-02-07 05:01 . 2008-08-13 16:22 1700352 ----a-w- c:\windows\system32\GdiPlus.dll
2010-02-07 05:01 . 2008-08-13 16:22 24576 ----a-w- c:\windows\system32\msxml3a.dll
2010-02-07 04:53 . 2010-02-07 04:53 -------- d-----w- c:\documents and settings\Owner\Application Data\AnvSoft
2010-02-06 15:20 . 2010-02-06 15:20 -------- d-----w- c:\program files\CCleaner
2010-02-06 13:46 . 2010-02-06 15:07 -------- d-----w- c:\program files\trend micro
2010-02-06 13:46 . 2010-02-06 14:48 -------- d-----w- C:\rsit
2010-01-27 00:18 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-27 00:18 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-27 00:04 . 2010-01-27 00:04 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-01-27 00:01 . 2010-02-07 21:29 -------- d-----w- C:\Malwarebytes' Anti-Malware
2010-01-26 23:59 . 2010-01-26 23:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-26 23:59 . 2010-02-07 21:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-25 02:10 . 2010-01-25 02:10 -------- d-----w- c:\documents and settings\Owner\Application Data\runic games

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-18 03:26 . 2008-08-25 08:13 -------- d-----w- c:\program files\Steam
2010-02-18 02:38 . 2009-08-25 16:45 -------- d-----w- c:\documents and settings\Owner\Application Data\vlc
2010-02-18 02:25 . 2009-04-01 01:30 -------- d-----w- c:\program files\McAfee
2010-02-18 01:51 . 2008-08-25 11:31 -------- d-----w- c:\documents and settings\Owner\Application Data\Skype
2010-02-17 22:30 . 2009-02-14 02:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-02-17 17:14 . 2008-09-07 20:59 -------- d-----w- c:\program files\Electronic Arts
2010-02-17 16:47 . 2008-02-18 15:00 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-17 16:18 . 2008-08-30 20:04 -------- d-----w- c:\documents and settings\Owner\Application Data\Azureus
2010-02-17 13:01 . 2008-08-25 11:31 -------- d-----w- c:\documents and settings\Owner\Application Data\skypePM
2010-02-17 02:24 . 2009-10-17 02:11 16 ----a-w- c:\windows\popcinfo.dat
2010-02-16 18:23 . 2009-02-18 01:55 -------- d-----w- c:\program files\MagicISO
2010-02-13 14:00 . 2008-08-26 15:22 -------- d-----w- c:\documents and settings\All Users\Application Data\TrackMania
2010-02-10 20:11 . 2008-08-25 11:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-02-07 05:04 . 2008-02-18 20:00 75848 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-07 05:04 . 2008-02-18 18:03 -------- d-----w- c:\program files\Common Files\Adobe
2010-02-07 04:44 . 2009-12-14 05:14 -------- d-----w- c:\documents and settings\Owner\Application Data\Audacity
2010-02-07 02:36 . 2008-09-01 03:20 -------- d-----w- c:\documents and settings\Owner\Application Data\LimeWire
2010-02-06 15:31 . 2008-02-18 18:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-02 00:22 . 2009-02-14 02:58 -------- d-----w- c:\program files\Google
2010-01-22 09:29 . 2009-08-22 08:06 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-13 09:04 . 2008-05-13 18:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-01-08 11:24 . 2009-09-03 01:35 -------- d-----w- c:\program files\TibiaBot NG
2009-12-23 04:57 . 2008-08-30 20:03 -------- d-----w- c:\program files\Vuze
2009-12-22 05:21 . 2004-08-04 12:00 667136 ----a-w- c:\windows\system32\wininet.dll
2009-12-22 05:20 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-12-22 03:56 . 2009-12-22 03:56 -------- d-----w- c:\program files\Lame for Audacity
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-05-04 149040]
"Steam"="c:\program files\steam\steam.exe" [2009-10-24 1217808]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-04 133104]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"nwiz"="nwiz.exe" [2008-10-07 1630208]
"WinSys2"="c:\windows\system32\winsys2.exe" [2006-04-29 208896]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-09-24 144792]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2007-01-20 200704]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2008-04-11 413696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"MP10_EnsureFileVer"="c:\windows\inf\unregmp2.exe" [2008-04-14 208896]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2009-09-04 158448]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-10-10 203264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Button Manager.lnk - c:\program files\HP\Button Manager\BM.exe [2009-11-20 323584]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcods]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Steam\\steamapps\\zurkuspen15\\team fortress classic\\hl.exe"=
"c:\\Program Files\\TmNationsForever\\TmForever.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\WINDOWS\\system32\\wbem\\unsecapp.exe"=
"c:\\Program Files\\Steam\\steamapps\\zurkuspen15\\garrysmod\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\zurkuspen15\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\Program Files\\McAfee\\MBK\\McAfeeDataBackup.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\McAfee.com\\Agent\\mcagent.exe"=
"c:\\Program Files\\AIM6\\aolsoftware.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead 2\\left4dead2.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [8/9/2009 11:33 PM 721904]
R2 uCamMonitor;CamMonitor;c:\program files\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe [11/20/2009 8:46 PM 104960]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [5/23/2007 3:15 AM 547744]
R3 ArcSoftKsUFilter;ArcSoft Magic-I Visual Effect;c:\windows\system32\drivers\ArcSoftKsUFilter.sys [11/20/2009 8:46 PM 14336]
S0 dgjf070;dgjf070;\SystemRoot\\SystemRoot\System32\drivers\dgjf070.sys --> \SystemRoot\\SystemRoot\System32\drivers\dgjf070.sys [?]
S1 471ebc6c.sys;471ebc6c.sys;\??\c:\windows\System32\drivers\471ebc6c.sys --> c:\windows\System32\drivers\471ebc6c.sys [?]
S1 d39650e5;d39650e5;c:\windows\system32\drivers\d39650e5.sys --> c:\windows\system32\drivers\d39650e5.sys [?]
S2 gupdate1c98e505f7f7048;Google Update Service (gupdate1c98e505f7f7048);c:\program files\Google\Update\GoogleUpdate.exe [2/13/2009 10:00 PM 133104]
.
Contents of the 'Scheduled Tasks' folder

2010-02-18 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-14 00:12]

2010-02-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-14 03:00]

2010-02-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-14 03:00]

2010-02-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3953219801-69340374-1237355300-1003Core.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-04 02:38]

2010-02-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3953219801-69340374-1237355300-1003UA.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-04 02:38]

2010-02-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-04-01 16:22]

2010-02-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-04-01 16:22]

2010-02-18 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-08-23 02:18]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\a2smo0sm.default\
FF - prefs.js: browser.search.selectedEngine - DAEMON Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\a2smo0sm.default\extensions\DTToolbar@toolbarnet.com\components\DTToolbarFF.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: XUL Cache: {CD112B50-7F70-4BF6-AE63-072332178799} - c:\documents and settings\Owner\Local Settings\Application Data\{CD112B50-7F70-4BF6-AE63-072332178799}
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{C94E154B-1459-4A47-966B-4B843BEFC7DB} - c:\program files\AskSearch\bin\DefaultSearch.dll
HKCU-Run-EA Core - c:\program files\Electronic Arts\EADM\Core.exe
HKCU-Run-DAEMON Tools Lite - c:\program files\DAEMON Tools Lite\daemon.exe
HKCU-Run-AdobeBridge - (no file)
HKCU-Run-AIM - j:\aim\aim.exe
SharedTaskScheduler-{7ba0574e-c1e1-4f73-a18a-2a1b66ebd7e7} - c:\windows\system32\deyegeri.dll
SSODL-kulihubok-{7ba0574e-c1e1-4f73-a18a-2a1b66ebd7e7} - c:\windows\system32\deyegeri.dll
SafeBoot-WudfPf
SafeBoot-WudfRd
AddRemove-DAEMON Tools Toolbar - c:\program files\DAEMON Tools Toolbar\uninst.exe
AddRemove-DreamWorks Interactive: Neverhood - c:\program files\DreamWorks Interactive\Neverhood\setup95.exe
AddRemove-EADM - c:\program files\Electronic Arts\EADM\Uninstall.exe
AddRemove-LucasArts' Curse of Monkey Island - c:\program files\LucasArts\Curse\DeIsL1.isu
AddRemove-Runic Games Torchlight - c:\program files\Runic Games\Torchlight\uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-17 22:27
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spcc.sys >>UNKNOWN [0x8AB97938]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba90cf28
\Driver\ACPI -> ACPI.sys @ 0xba666cb8
\Driver\atapi -> atapi.sys @ 0xba5fbb40
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: D-Link WDA-1320 Desktop Adapter -> SendCompleteHandler -> NDIS.sys @ 0xba4eebd4
PacketIndicateHandler -> NDIS.sys @ 0xba4faa21
SendHandler -> NDIS.sys @ 0xba4eed44
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3953219801-69340374-1237355300-1003\Software\SecuROM\License information*]
"datasecu"=hex:0b,77,0c,13,96,46,a0,be,30,a5,07,60,e8,5b,19,68,80,a1,c0,3d,99,
01,47,68,2e,0b,05,a8,45,ec,9f,d7,e5,bb,83,15,51,5a,3c,36,7d,a5,fa,96,7c,be,\
"rkeysecu"=hex:3e,80,9e,c4,40,b4,90,83,87,8e,33,49,64,ac,f8,d9
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(428)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
c:\windows\system32\RUNDLL32.EXE
c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Sigmatel\C-Major Audio\WDM\STacSV.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
.
**************************************************************************
.
Completion time: 2010-02-17 22:40:28 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-18 03:40
ComboFix2.txt 2009-08-22 02:15

Pre-Run: 6,062,804,992 bytes free
Post-Run: 5,993,369,600 bytes free

Current=2 Default=2 Failed=1 LastKnownGood=5 Sets=1,2,3,4,5
- - End Of File - - 604FD8041E8E2AD6C22736A9234723F1


#9 m0le

  • Malware Response Team

Posted 18 February 2010 - 06:37 AM

ExeHelper is a lesser-known program which was designed to remove the most prolific rogue programs but also resets a lot of specific system settings (such as defaults on the registry and admin permissions on file extensions) that this type of threat tends to alter. It is useful to run before Rkill, as Rkill resets settings in the same way but does not remove any malware or remnants, which can still cause tools to falter.

As to the malware training, it is available on 8 UNITE-associated sites and I can't give you a magic key to get in (only a link), but I am aware that Geeks 2 Go have been taking students within the week lately, so they are worth a look.

Link


As to the fix, Combofix removed some nasty files but there are still services/drivers which need to go so we will rerun Combofix (without Rkill or ExeHelper) to target these entries.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
http://www.bleepingcomputer.com/forums/top...ml#entry1635413

Collect::
c:\windows\System32\drivers\dgjf070.sys
c:\windows\System32\drivers\471ebc6c.sys
c:\windows\system32\drivers\d39650e5.sys

Driver::
dgjf070
471ebc6c.sys
d39650e5


Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
m0le is a proud member of UNITE

#10 Decoys

  • Topic Starter
  • Members

Posted 18 February 2010 - 07:58 AM

Hi m0le,

Thanks for the reply. I'll check out Geeks To Go. Which would you advise is the best educational institution for someone such as myself to attend?


As for the Combofix changes, I'll do them as soon as I get back to the trouble computer. However, a question about your instructions.

I've never seen a Combofix script with a weblink in it, is that normal?

QUOTE
http://www.bleepingcomputer.com/forums/top...ml#entry1635413

Collect::
c:\windows\System32\drivers\dgjf070.sys
c:\windows\System32\drivers\471ebc6c.sys
c:\windows\system32\drivers\d39650e5.sys

Driver::
dgjf070
471ebc6c.sys
d39650e5


I'm more familiar with CFScripts that look like this (or something like it):

CODE
KillAll::
RegNull::


But never with a hyperlink in it. Can you explain this please? I'm not doubting it or anything, don't get me wrong. I've just never seen one with a hyperlink in it.

Will post Combofix log as soon as I return to the infected computer.

#11 m0le

  • Malware Response Team

Posted 18 February 2010 - 08:11 AM

The files that I want to delete are also being collected (Collect:: ) because they were not recognised by Combofix. If the files are still present they will be zipped and sent to the developers for analysis. The link just tells the developers which forum/topic the samples came from.

As to who I recommend, I recommend Bleeping Computer first, I learnt here and found the experience a good one. But all the listed sites are excellent and have great training facilities and coaches.

Edited by m0le, 18 February 2010 - 08:11 AM.

m0le is a proud member of UNITE
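The three targets in the CFScript above are exactly the service entries that ComboFix printed with a trailing "[?]" in the log earlier in this thread, meaning it found the service registered but could not find the binary at the path. As an added example (not code from this thread, from m0le, or from ComboFix itself), here is a small Python parser that pulls the service/driver lines out of a ComboFix log, flags the entries whose file is missing, and emits the Collect::/Driver:: sections in the same layout m0le used, so the result can be checked against the posted script. The sample lines are copied from the log above. Two things are assumptions of mine rather than statements on the page: that the system root is c:\windows (which every other path in this log uses) when normalising the \SystemRoot\ and \??\ prefixes, and that the leading R/S letter and digit carry ComboFix's usual meaning (running/stopped, then start type 0 boot to 4 disabled).

```python
import re
from dataclasses import dataclass
from typing import List

# Service/driver lines copied verbatim from the ComboFix log posted earlier in
# this thread (raw string, so backslashes are exactly as ComboFix printed them).
LOG_LINES = r"""
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [8/9/2009 11:33 PM 721904]
R2 uCamMonitor;CamMonitor;c:\program files\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe [11/20/2009 8:46 PM 104960]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [5/23/2007 3:15 AM 547744]
S0 dgjf070;dgjf070;\SystemRoot\\SystemRoot\System32\drivers\dgjf070.sys --> \SystemRoot\\SystemRoot\System32\drivers\dgjf070.sys [?]
S1 471ebc6c.sys;471ebc6c.sys;\??\c:\windows\System32\drivers\471ebc6c.sys --> c:\windows\System32\drivers\471ebc6c.sys [?]
S1 d39650e5;d39650e5;c:\windows\system32\drivers\d39650e5.sys --> c:\windows\system32\drivers\d39650e5.sys [?]
S2 gupdate1c98e505f7f7048;Google Update Service (gupdate1c98e505f7f7048);c:\program files\Google\Update\GoogleUpdate.exe [2/13/2009 10:00 PM 133104]
"""

# ComboFix service line: <R|S><start type> <key name>;<display name>;<image path ...>
# Assumed convention: R = running, S = stopped; 0 boot, 1 system, 2 auto,
# 3 manual, 4 disabled.
LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$"
)


@dataclass
class ServiceEntry:
    state: str          # "R" running or "S" stopped
    start_type: int     # 0 boot .. 4 disabled
    name: str           # Services key name; this is what Driver:: takes
    path: str           # normalised image path; this is what Collect:: takes
    file_missing: bool  # True when ComboFix appended "[?]": no file on disk


def normalise_path(raw: str) -> str:
    """Map the NT-style paths ComboFix prints onto a plain Win32 path.

    Assumption (not stated on the page): the system root is c:\\windows,
    which every other entry in this log uses.
    """
    p = raw.strip()
    if p.startswith("\\??\\"):            # \??\c:\... -> c:\...
        p = p[4:]
    marker = "\\systemroot\\"
    idx = p.lower().rfind(marker)
    if idx != -1:                         # \SystemRoot\\SystemRoot\X -> c:\windows\X
        p = "c:\\windows\\" + p[idx + len(marker):]
    return p


def parse_services(text: str) -> List[ServiceEntry]:
    """Return one ServiceEntry per R*/S* line; other log lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest").strip()
        missing = rest.endswith("[?]")
        # "<registry path> --> <resolved path> [?]" when the binary could not be
        # found, otherwise "<path> [date size]". Take the resolved form.
        if "-->" in rest:
            rest = rest.split("-->", 1)[1]
        image = rest.rsplit(" [", 1)[0]
        entries.append(ServiceEntry(m.group("state"), int(m.group("start")),
                                    m.group("name").strip(),
                                    normalise_path(image), missing))
    return entries


def missing_drivers(entries: List[ServiceEntry]) -> List[ServiceEntry]:
    """Entries whose binary ComboFix could not find: these get a Collect::
    (zip, send, delete) plus a Driver:: (remove the service registration)."""
    return [e for e in entries if e.file_missing]


def build_cfscript(entries: List[ServiceEntry], topic_url: str = "") -> str:
    """Emit Collect::/Driver:: sections in the layout m0le used above.
    topic_url, if given, becomes the first line that tells the developers
    which forum topic the samples came from."""
    targets = missing_drivers(entries)
    out = [topic_url, ""] if topic_url else []
    out.append("Collect::")
    out.extend(e.path for e in targets)
    out.extend(["", "Driver::"])
    out.extend(e.name for e in targets)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(build_cfscript(parse_services(LOG_LINES)), end="")
```

Run on the lines above it reproduces the posted script body: the three "[?]" drivers under Collect:: with the same paths, and the three key names (including the one literally registered as 471ebc6c.sys) under Driver::, while sptd, uCamMonitor, A3AB and the Google updater, whose files ComboFix could see, are left alone.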

#12 Decoys

  • Topic Starter
  • Members

Posted 18 February 2010 - 08:20 AM

QUOTE(m0le @ Feb 18 2010, 08:11 AM)
The files that I want to delete are also being collected (Collect:: ) because they were not recognised by Combofix. If the files are still present they will be zipped and sent to the developers for analysis. The link just tells the developers which forum/topic the samples came from.


Gotcha. So that command zips, sends, AND deletes those files if they are still present? Good to know. I learn something new every day.

QUOTE(m0le @ Feb 18 2010, 08:11 AM)
As to who I recommend, I recommend Bleeping Computer first, I learnt here and found the experience a good one. But all the listed sites are excellent and have great training facilities and coaches.


Thanks for the recommendation. I'll follow up on that with you after repairs here are completed.


Do you ever use RSIT logs?

#13 m0le

  • Malware Response Team

Posted 18 February 2010 - 08:36 AM

Yes, zips, sends and deletes.

I have used RSIT and still do because it has a registry dump as part of its process and DDS doesn't.

However, the developer has stated that it has not been updated for some time and is probably lagging behind DDS and OTL in terms of detection.

Edited by m0le, 18 February 2010 - 08:36 AM.

m0le is a proud member of UNITE

#14 Decoys

  • Topic Starter
  • Members

Posted 18 February 2010 - 08:47 AM

QUOTE(m0le @ Feb 18 2010, 08:36 AM)
Yes, zips, send and deletes. smile.gif


Nifty little tool Combofix is!

QUOTE
I have used RSIT and still do because it has a registry dump as part of its process and DDS doesn't.

However, the developer has stated that it has not been updated for some time and is probably lagging behind DDS and OTL in terms of detection.


RSIT was probably the first source of log information which I became interested in, so I'm most familiar with that. What function does the Registry Dump serve?

Edited by Decoys, 18 February 2010 - 08:51 AM.


#15 m0le

  • Malware Response Team

Posted 18 February 2010 - 08:58 AM

QUOTE(Decoys @ Feb 18 2010, 01:47 PM)
Nifty little tool Combofix is!


If you do make it into a study hall you will see just how excellent Combofix is...


QUOTE
RSIT was probably the first source of log information which I became interested in, so I'm most familiar with that. What function does the Registry Dump serve?


At the moment malware is prevalent in processes, services, drivers, roots and registry. Registry keys which usually get attacked are dumped by RSIT (and OTL to an extent), and though rootkits hide their allies and themselves well from these initial scans, registry keys are often a more visible way of tracking down what's attacked a PC. It can also leave behind remnants which can tell me what infection was in the machine, and that can help with clean-up and repair.
m0le is a proud member of UNITE


