Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Internet security 2010 & worm 32 netsky


  • This topic is locked This topic is locked
23 replies to this topic

#1 rachelm920

rachelm920

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:East Hartford, Connecticut, USA
  • Local time:05:10 PM

Posted 16 February 2010 - 12:40 AM

I believe there may be more than 1 infection on this machine. When I attempt to run dds I get an error message stating "Application cannot be exected. The file is infected. Please activate your antivirus software." I was able to run the GMER program. The log on message states that the pc is infected with worm 32 netsky...same message as here.

WINXP Home service pack 3
AMD Athlon 64 1ghz
448mb ram
Dell dimension C521 desktop

GMER
CODE
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-16 00:02:44
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\kene\LOCALS~1\Temp\pwtyypow.sys


---- Devices - GMER 1.0.15 ----

Device   -> \Driver\atapi \Device\Harddisk0\DR0                                                                                         84B29618

---- Files - GMER 1.0.15 ----

File    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\CF4HUN2J\httpErrorPagesScripts[1]  7579 bytes
File    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\M9IJO329\info_48[1]                6993 bytes
File    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\O5W94ZM1\bullet[1]                 3169 bytes
File    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\O5W94ZM1\errorPageStrings[1]       850 bytes
File    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\WXSHAHQ1\background_gradient[1]    453 bytes
File    C:\WINDOWS\system32\drivers\atapi.sys                                                                                           suspicious modification

---- EOF - GMER 1.0.15 ----

Please let me know if you would like any other logs. I've attached a cpl screenshots also.


Edited by elise025, 16 February 2010 - 08:24 AM.
Do not move this topic, GMER log suffices

Have a great day!
Rachel

BC AdBot (Login to Remove)

 


#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,706 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:11:10 PM

Posted 19 February 2010 - 11:29 AM

Hi rachelm920,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum and apologies for the delay. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

If the issue is not resolved yet please update me on the current condition of your computer and provide the following logs.

Please download OTL by OldTimer.
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Check the "Scan All Users" checkbox.
  • Check the "Standard Output".
  • Click Run Scan button.
  • Two reports will open, copy and paste them to your reply:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized



#3 rachelm920

rachelm920
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:East Hartford, Connecticut, USA
  • Local time:05:10 PM

Posted 23 February 2010 - 11:12 AM

Thank you for your reply. I did remove some of the malware (20 to be exact) finally by creating a new user account and re-installing malwarebytes from a thumb drive, but there are still some infections. I will download OTL tonight and copy them into another reply tonight.
Have a great day!
Rachel

#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,706 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:11:10 PM

Posted 23 February 2010 - 05:09 PM

How is the current condition of your computer? I can see if there is something suspicious on the log. What I need to know is if you notice something like popups, redirection, malfunction, boot problems, startup issues, update issues, etc.

#5 rachelm920

rachelm920
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:East Hartford, Connecticut, USA
  • Local time:05:10 PM

Posted 23 February 2010 - 11:43 PM

DDS (Ver_09-12-01.01) - NTFSx86
Run by admin at 23:23:57.56 on Tue 02/23/2010
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.446.152 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Documents and Settings\admin\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5070103
uSearch Bar =
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mDefault_Page_URL = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [YBrowser] c:\progra~1\yahoo!\browser\ybrwicon.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [MsgCenterExe] "c:\program files\common files\real\update_ob\RealOneMessageCenter.exe" -osboot
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [sybleepray2] c:\windows\higeorge12.exe
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
dRun: [ygua8e7yhuiesfha876yfauy8fe] c:\windows\temp\r76533w.exe
dRun: [asg984jgkfmgasi8ug98jgkfgfb] c:\windows\temp\mdm.exe
dRun: [efxgkkbx] c:\windows\system32\config\systemprofile\local settings\application data\lrxchk\knoqsysguard.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} - hxxps://disneyblast.go.com/v3/setup/activex/DIGHardwareControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli giwefava.dll

================= FIREFOX ===================

FF - ProfilePath -
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-2-19 333192]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-2-19 28424]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-2-19 360584]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-2-19 285392]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-19 135664]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-1-3 30192]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]

=============== Created Last 30 ================


==================== Find3M ====================

2010-02-20 04:54:04 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-02-20 04:54:04 96512 ----a-w- c:\windows\system32\dllcache\atapi.sys
2010-02-16 02:19:37 28409 ----a-w- c:\windows\system32\9Z0D0EWZB5.dat
2010-01-18 07:08:19 2498 ----a-w- c:\windows\system32\90Z0V6AL0.dat
2006-10-27 06:36:22 176128 -c----w- c:\program files\GoHomePortal.exe
2006-10-27 06:35:58 303104 -c----w- c:\program files\Uninstaller.exe
2006-10-27 06:35:44 180224 -c----w- c:\program files\WCAG.exe
2006-10-27 06:35:39 167936 -c----w- c:\program files\WirelessConsoleApp.exe
2006-10-27 06:35:33 638976 -c----w- c:\program files\WebWorks.exe
2006-10-27 06:34:39 135168 -c----w- c:\program files\WebSec.dll
2006-10-27 06:34:31 364544 -c----w- c:\program files\RGWProv.dll
2006-10-27 06:33:39 266240 -c----w- c:\program files\NetAPI.dll
2006-10-27 06:33:17 139264 -c----w- c:\program files\Endec.dll
2006-10-27 06:24:12 368726 -c----w- c:\program files\PRISMAPI.dll
2006-10-27 06:24:12 208993 -c----w- c:\program files\CardPres.exe
2006-10-27 06:23:54 888832 -c----w- c:\program files\iconv.dll
2006-10-27 06:23:54 872448 -c----w- c:\program files\libeay32.dll
2006-10-27 06:23:54 81920 -c----w- c:\program files\xmltok.dll
2006-10-27 06:23:54 53248 -c----w- c:\program files\zlib.dll
2006-10-27 06:23:54 53248 -c----w- c:\program files\xmlparse.dll
2006-10-27 06:23:54 395264 -c----w- c:\program files\shlwapi.dll
2006-10-27 06:23:54 159744 -c----w- c:\program files\ssleay32.dll

============= FINISH: 23:25:44.00 ===============

Edited by farbar, 24 February 2010 - 01:17 PM.

Have a great day!
Rachel

#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,706 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:11:10 PM

Posted 24 February 2010 - 01:20 PM

Please don't put the logs in the code box. Also post the logs only if instructed to do so.

#7 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,706 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:11:10 PM

Posted 24 February 2010 - 01:21 PM

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,706 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:11:10 PM

Posted 24 February 2010 - 02:15 PM

Please don't miss my previous posts.


Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools. (Information on A/V control HERE)
  • Double click on ComboFix.exe & follow the prompts.
  • You will get a warning about the wrong download sites for ComboFix, click Yes.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.

#9 rachelm920

rachelm920
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:East Hartford, Connecticut, USA
  • Local time:05:10 PM

Posted 24 February 2010 - 02:53 PM

QUOTE(farbar @ Feb 24 2010, 01:21 PM) View Post
Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.


Agreed
Sorry about the code boxes. I will install combo fix tonight and post the log WITHOUT the code tags. smile.gif

Have a great day!
Rachel

#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,706 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:11:10 PM

Posted 24 February 2010 - 03:14 PM

Thanks. smile.gif

#11 rachelm920

rachelm920
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:East Hartford, Connecticut, USA
  • Local time:05:10 PM

Posted 25 February 2010 - 07:45 AM

It took a lot longer than 10 min I let it run over night. Then it restarted and wouldn't log on, I had to cold boot it and it finally logged on and finished. Here is the log:

ComboFix 10-02-24.01 - admin 02/25/2010 0:01.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.446.160 [GMT -5:00]
Running from: c:\documents and settings\admin\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\\uninstaller.exe
c:\program files\sFX
c:\windows\system32\11323.exe
c:\windows\system32\11478.exe
c:\windows\system32\11538.exe
c:\windows\system32\11840.exe
c:\windows\system32\11942.exe
c:\windows\system32\12316.exe
c:\windows\system32\12382.exe
c:\windows\system32\12623.exe
c:\windows\system32\12859.exe
c:\windows\system32\13931.exe
c:\windows\system32\14604.exe
c:\windows\system32\14771.exe
c:\windows\system32\15006.exe
c:\windows\system32\15141.exe
c:\windows\system32\153.exe
c:\windows\system32\15350.exe
c:\windows\system32\15724.exe
c:\windows\system32\15890.exe
c:\windows\system32\16118.exe
c:\windows\system32\16541.exe
c:\windows\system32\16827.exe
c:\windows\system32\16944.exe
c:\windows\system32\17035.exe
c:\windows\system32\17421.exe
c:\windows\system32\17673.exe
c:\windows\system32\1842.exe
c:\windows\system32\18467.exe
c:\windows\system32\1869.exe
c:\windows\system32\18716.exe
c:\windows\system32\18756.exe
c:\windows\system32\19169.exe
c:\windows\system32\19264.exe
c:\windows\system32\19629.exe
c:\windows\system32\19718.exe
c:\windows\system32\19895.exe
c:\windows\system32\19912.exe
c:\windows\system32\19954.exe
c:\windows\system32\20037.exe
c:\windows\system32\2082.exe
c:\windows\system32\21538.exe
c:\windows\system32\21726.exe
c:\windows\system32\22190.exe
c:\windows\system32\22648.exe
c:\windows\system32\22704.exe
c:\windows\system32\22929.exe
c:\windows\system32\23281.exe
c:\windows\system32\23805.exe
c:\windows\system32\23811.exe
c:\windows\system32\24084.exe
c:\windows\system32\24370.exe
c:\windows\system32\24393.exe
c:\windows\system32\24464.exe
c:\windows\system32\24626.exe
c:\windows\system32\25547.exe
c:\windows\system32\25667.exe
c:\windows\system32\26299.exe
c:\windows\system32\26308.exe
c:\windows\system32\26500.exe
c:\windows\system32\26962.exe
c:\windows\system32\27446.exe
c:\windows\system32\27529.exe
c:\windows\system32\27644.exe
c:\windows\system32\28145.exe
c:\windows\system32\28253.exe
c:\windows\system32\28703.exe
c:\windows\system32\288.exe
c:\windows\system32\292.exe
c:\windows\system32\29358.exe
c:\windows\system32\29658.exe
c:\windows\system32\2995.exe
c:\windows\system32\30106.exe
c:\windows\system32\30333.exe
c:\windows\system32\3035.exe
c:\windows\system32\31101.exe
c:\windows\system32\31115.exe
c:\windows\system32\31322.exe
c:\windows\system32\32391.exe
c:\windows\system32\32439.exe
c:\windows\system32\32662.exe
c:\windows\system32\32757.exe
c:\windows\system32\3548.exe
c:\windows\system32\3902.exe
c:\windows\system32\4639.exe
c:\windows\system32\4664.exe
c:\windows\system32\4827.exe
c:\windows\system32\4833.exe
c:\windows\system32\491.exe
c:\windows\system32\4966.exe
c:\windows\system32\5436.exe
c:\windows\system32\5447.exe
c:\windows\system32\5537.exe
c:\windows\system32\5705.exe
c:\windows\system32\6334.exe
c:\windows\system32\6729.exe
c:\windows\system32\6868.exe
c:\windows\system32\7376.exe
c:\windows\system32\7711.exe
c:\windows\system32\778.exe
c:\windows\system32\8723.exe
c:\windows\system32\8942.exe
c:\windows\system32\9040.exe
c:\windows\system32\9741.exe
c:\windows\system32\9894.exe
c:\windows\system32\9961.exe
c:\windows\Tasks\kfeedssq.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SFX
-------\Legacy_SFXDRV
-------\Legacy_SSHNAS


((((((((((((((((((((((((( Files Created from 2010-01-25 to 2010-02-25 )))))))))))))))))))))))))))))))
.

2010-02-25 10:38 . 2010-02-25 10:38 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Identities
2010-02-20 04:34 . 2010-02-20 16:22 -------- d-----w- C:\$AVG
2010-02-20 04:33 . 2010-02-20 04:33 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-02-20 04:33 . 2010-02-20 04:33 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-02-20 04:33 . 2010-02-20 04:33 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-02-20 04:33 . 2010-02-20 04:33 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-02-20 04:33 . 2010-02-25 04:45 -------- d-----w- c:\windows\system32\drivers\Avg
2010-02-20 04:32 . 2010-02-20 04:32 -------- d-----w- c:\program files\AVG
2010-02-20 04:32 . 2010-02-20 04:32 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-02-20 02:56 . 2007-01-04 04:37 65584 ----a-w- c:\documents and settings\admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-20 02:51 . 2010-02-20 02:51 -------- d--h--r- c:\documents and settings\Zahar\Application Data\yahoo!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-25 05:42 . 2004-08-04 03:59 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-02-24 04:02 . 2007-01-23 03:19 -------- d-----w- c:\documents and settings\kene\Application Data\OpenOffice.org2
2010-02-20 04:33 . 2010-02-20 20:21 3777280 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
2010-02-20 04:32 . 2010-02-20 20:21 1260800 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2010-02-20 04:13 . 2008-05-18 17:37 -------- d-----w- c:\program files\Common Files\Apple
2010-02-20 04:12 . 2010-02-20 04:12 -------- d-----w- c:\documents and settings\admin\Application Data\Apple Computer
2010-02-20 04:01 . 2007-01-04 04:24 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2010-02-20 04:01 . 2007-01-04 04:23 -------- d-----w- c:\program files\Common Files\AOL
2010-02-20 03:14 . 2010-02-20 03:14 -------- d-----w- c:\documents and settings\admin\Application Data\Malwarebytes
2010-01-05 10:00 . 2004-08-10 17:51 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2004-08-10 17:51 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2004-08-10 17:50 17408 ----a-w- c:\windows\system32\corpol.dll
2009-12-31 16:50 . 2004-08-10 17:51 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-16 18:43 . 2004-08-10 18:01 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2004-08-10 17:50 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-04 18:22 . 2004-08-10 17:51 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-27 17:11 . 2004-08-10 17:51 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 17:11 . 2004-08-04 05:56 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 16:07 . 2004-08-10 17:51 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07 . 2001-08-18 03:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07 . 2004-08-10 17:51 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:07 . 2004-08-10 17:50 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07 . 2004-08-04 05:56 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2006-10-27 06:36 . 2007-01-13 04:55 176128 -c----w- c:\program files\GoHomePortal.exe
2006-10-27 06:35 . 2007-01-13 04:55 180224 -c----w- c:\program files\WCAG.exe
2006-10-27 06:35 . 2007-01-13 04:55 167936 -c----w- c:\program files\WirelessConsoleApp.exe
2006-10-27 06:35 . 2007-01-13 04:55 638976 -c----w- c:\program files\WebWorks.exe
2006-10-27 06:34 . 2007-01-13 04:55 135168 -c----w- c:\program files\WebSec.dll
2006-10-27 06:34 . 2007-01-13 04:55 364544 -c----w- c:\program files\RGWProv.dll
2006-10-27 06:33 . 2007-01-13 04:55 266240 -c----w- c:\program files\NetAPI.dll
2006-10-27 06:33 . 2007-01-13 04:55 139264 -c----w- c:\program files\Endec.dll
2006-10-27 06:24 . 2007-01-13 04:55 368726 -c----w- c:\program files\PRISMAPI.dll
2006-10-27 06:24 . 2007-01-13 04:55 208993 -c----w- c:\program files\CardPres.exe
2006-10-27 06:23 . 2007-01-13 04:56 81920 -c----w- c:\program files\xmltok.dll
2006-10-27 06:23 . 2007-01-13 04:56 53248 -c----w- c:\program files\zlib.dll
2006-10-27 06:23 . 2007-01-13 04:56 53248 -c----w- c:\program files\xmlparse.dll
2006-10-27 06:23 . 2007-01-13 04:55 395264 -c----w- c:\program files\shlwapi.dll
2006-10-27 06:23 . 2007-01-13 04:55 159744 -c----w- c:\program files\ssleay32.dll
2006-10-27 06:23 . 2007-01-13 04:55 888832 -c----w- c:\program files\iconv.dll
2006-10-27 06:23 . 2007-01-13 04:55 872448 -c----w- c:\program files\libeay32.dll
2009-11-26 02:08 . 2007-09-05 12:55 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-08-29 395776]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-01 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-23 7630848]
"nwiz"="nwiz.exe" [2006-08-23 1617920]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-23 86016]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"SigmatelSysTrayApp"="stsystra.exe" [2006-08-15 282624]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-11-26 30192]
"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]

c:\documents and settings\kene\Start Menu\Programs\Startup\
OpenOffice.org 2.1.lnk - c:\program files\OpenOffice.org 2.1\program\quickstart.exe [2006-11-27 393216]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-02-20 04:33 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2/19/2010 11:33 PM 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2/19/2010 11:33 PM 360584]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2/19/2010 11:32 PM 285392]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/19/2010 10:07 PM 135664]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [1/3/2007 11:28 PM 30192]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 4:06 PM 11520]
.
Contents of the 'Scheduled Tasks' folder

2010-02-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-20 03:07]

2010-02-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-20 03:07]
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5070103
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://www.yahoo.com
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
FF - ProfilePath -
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKLM-Run-MsgCenterExe - c:\program files\Common Files\Real\Update_OB\RealOneMessageCenter.exe
HKLM-Run-sybleepray2 - c:\windows\higeorge12.exe
SafeBoot-mcmscsvc
SafeBoot-MCODS



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-25 07:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x849C9618]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf74cbf28
\Driver\ACPI -> ACPI.sys @ 0xf735ecb8
\Driver\atapi -> atapi.sys @ 0xf7316852
IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x80577c84
\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x80577c84
NDIS: Broadcom 440x 10/100 Integrated Controller -> SendCompleteHandler -> NDIS.sys @ 0xf7221bb0
PacketIndicateHandler -> NDIS.sys @ 0xf722ea21
SendHandler -> NDIS.sys @ 0xf720c87b
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(604)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(672)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3840)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\RealVNC\VNC4\WinVNC4.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\stsystra.exe
c:\progra~1\Yahoo!\browser\ycommon.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
.
**************************************************************************
.
Completion time: 2010-02-25 07:43:45 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-25 12:43

Pre-Run: 27,979,583,488 bytes free
Post-Run: 28,702,662,656 bytes free

- - End Of File - - 8B4A47A00AB6FB814B33A15FCD07830D

Have a great day!
Rachel

#12 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,706 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:11:10 PM

Posted 25 February 2010 - 08:51 AM

Well done. thumbup2.gif

ComboFix removed a lot, but still there is a rootkit we have to deal with.

Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box into a new file:


CODE
@ECHO OFF
copy /y c:\windows\ServicePackFiles\i386\atapi.sys c:\ >log.txt
dir /a /s c:\atapi.* >>log.txt
sc query type= driver group= "SCSI Miniport" >> Log.txt
Start Log.txt

  • Go to the File menu at the top of the Notepad and select Save as.
  • Select Save in: desktop
  • Fill in File name: dirlook.bat
  • Save as type: All file types (*.*)
  • Click save.
  • Close the Notepad.
  • Locate dirlook.bat on the desktop. It should look like this:
  • Double-click to run it.
  • A notepad opens, copy and paste the content (log.txt) to your reply.



#13 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,706 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:11:10 PM

Posted 01 March 2010 - 03:17 PM

Are you still there?

#14 rachelm920

rachelm920
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:East Hartford, Connecticut, USA
  • Local time:05:10 PM

Posted 02 March 2010 - 09:23 AM

Yes sorry very busy weekend... I plan on doing this tonight
Have a great day!
Rachel

#15 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,706 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:11:10 PM

Posted 02 March 2010 - 02:54 PM

thumbup2.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users