Persistent rootkit/malware infection - initially sdra64.exe


  • This topic is locked
20 replies to this topic

#1 JennieO


Posted 19 March 2010 - 07:01 AM

My computer was recently infected with various malware including sdra64.exe. I ran malwarebytes to clear the infection. Although everything was reported as clear, I ran an ESET online scan today which found malware, but unfortunately it crashed before saving a log. My DDS log is below. I tried to run a GMER scan, but each time I ran GMER my computer restarted itself after a couple of minutes of scanning.

Any help in identifying and removing the problem would be much appreciated.

Many thanks

jennieo



DDS (Ver_10-03-17.01) - NTFSx86
Run by jennieo at 10:17:04.82 on 19/03/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.999 [GMT 0:00]

AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Dynamics CRM\Client\res\Web\bin\Microsoft.Crm.Application.Hoster.exe
C:\Program Files\Avaya\IP Office\Phone Manager\PhoneManager.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Documents and Settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\agent.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\jennieo\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptsn.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [MSCRMStartup] "c:\program files\microsoft dynamics crm\client\res\web\bin\Microsoft.Crm.Application.Hoster.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [amd_dc_opt] c:\program files\amd\dual-core optimizer\amd_dc_opt.exe
mRun: [Adobe_ID0EYTHM] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [<NO NAME>]
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [MSCRM] "c:\program files\microsoft dynamics crm\client\configwizard\CrmForOutlookInstaller.exe" /activateaddin
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\phonem~1.lnk - c:\program files\avaya\ip office\phone manager\PhoneManager.exe
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://vocus.webex.com/client/T27L/webex/ieatgpc.cab
Notify: AtiExtEvent - Ati2evxx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jennieo\applic~1\mozilla\firefox\profiles\shxs59st.default\
FF - prefs.js: browser.startup.homepage - hxxp://biofile/news|http://www.bioregional.com/about%20us/keypeople.htm
FF - component: c:\documents and settings\jennieo\application data\mozilla\firefox\profiles\shxs59st.default\extensions\{fcab6fdd-5585-425b-95c1-5ed856f3fd08}\components\nsCatcher.dll
FF - component: c:\program files\mozilla firefox\components\Scriptff.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-3-18 343920]
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\mcafee\virusscan enterprise\EngineServer.exe [2010-1-6 22816]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2009-9-25 120128]
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2010-1-6 147472]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2010-1-6 66896]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2010-2-15 70728]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-3-18 91832]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-3-18 43288]
S1 mferkdk;VSCore mferkdk;\??\c:\program files\mcafee\virusscan enterprise\mferkdk.sys --> c:\program files\mcafee\virusscan enterprise\mferkdk.sys [?]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-2-15 66600]

=============== Created Last 30 ================

2010-03-19 10:16:00 0 ----a-w- c:\documents and settings\jennieo\defogger_reenable
2010-03-10 14:11:31 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-02-25 16:35:26 0 d-----w- c:\docume~1\jennieo\applic~1\webex

==================== Find3M ====================

2010-01-26 14:34:25 5115824 ----a-w- C:\mbam-setup.exe
2010-01-26 14:31:22 3837089 ----a-w- C:\ComboFix.exe
2010-01-06 20:07:00 70728 ----a-w- c:\windows\system32\mfevtps.exe
2009-06-02 08:33:17 16742799 ----a-w- c:\program files\vlc-0.9.9-win32.exe
2009-05-11 16:51:36 21878064 ----a-w- c:\program files\QuickTimeInstaller.exe
2009-04-24 12:40:57 3929393 ----a-w- c:\program files\FileZilla_3.2.4_win32-setup.exe
2009-04-24 10:10:02 11253034 ----a-w- c:\program files\zrnb.exe
2009-03-26 14:53:40 2777972 ----a-w- c:\program files\wvdownloader.zip

============= FINISH: 10:17:37.40 ===============


#2 m0le


Posted 21 March 2010 - 04:03 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

----------------------------------------------

Please try to run RootRepeal, a similar program to Gmer.

We need to check for rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.

    First Location
    Second Location
    Third Location

  • Open on your desktop.
  • Click the tab.
  • Click the button.
  • Check all seven boxes:
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

m0le is a proud member of UNITE

#3 JennieO


Posted 22 March 2010 - 05:44 AM

Hi M0le,

Thanks for this. Here are my scan results from Root Repeal.

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/03/22 10:06
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAE9AD000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA620000 Size: 8192 File Visible: No Signed: -
Status: -

Name: mrxdav.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mrxdav.sys
Address: 0xAC27B000 Size: 180608 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: rdpdr.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rdpdr.sys
Address: 0xB7716000 Size: 196224 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xAB798000 Size: 49152 File Visible: No Signed: -
Status: -

Name: tcpip.sys
Image Path: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Address: 0xAEB98000 Size: 361600 File Visible: - Signed: -
Status: Hidden from the Windows API!

Hidden/Locked Files
-------------------
Path: c:\documents and settings\jennieo\local settings\temporary internet files\content.word\~wrs2861.tmp
Status: Size mismatch (API: 42972, Raw: 0)

==EOF==

Also, in your message you say that if I don't respond within the following day after a forum post then you will close the topic. I do not have access to a computer on the weekends so this would mean that I will not be able to respond over these days. Can you please bear that in mind?

Many thanks, Jennie



#4 m0le


Posted 22 March 2010 - 01:15 PM

I've noted your weekend absences but my post actually gives 3 days before I bump and then one more day before I close it - so that's 4 days.

The RootRepeal does not track any rootkit activity but sdra.exe is not a nice infection and RootRepeal doesn't pick everything up.

Please run a Combofix scan. I would expect to find very little on this if the infection has been removed, which I suspect is the case.

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Thanks

#5 JennieO


Posted 23 March 2010 - 05:04 AM

Hi M0le,

Here's the combofix log.

Thanks again, Jennie

ComboFix 10-03-22.03 - jennieo 23/03/2010 9:47.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1123 [GMT 0:00]
Running from: c:\documents and settings\jennieo\Desktop\comfix.exe
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Possible infected sites -----

hxxp://biodc02
.
((((((((((((((((((((((((( Files Created from 2010-02-23 to 2010-03-23 )))))))))))))))))))))))))))))))
.

2010-03-19 10:42 . 2010-03-19 10:42 -------- d-----w- c:\program files\ESET
2010-03-10 14:11 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-02-25 16:35 . 2010-02-25 16:35 -------- d-----w- c:\documents and settings\jennieo\Application Data\webex

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-10 14:34 . 2009-11-09 09:20 79488 ----a-w- c:\documents and settings\jennieo\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-02-15 12:06 . 2010-02-15 12:06 -------- d-----w- c:\documents and settings\jennieo\Application Data\McAfee
2010-02-15 12:05 . 2010-02-15 12:05 5268729 ----a-w- c:\documents and settings\All Users\Application Data\McAfee\Common Framework\Current\EPOAGENT3000\Install\0409\FramePkg.exe
2010-02-03 12:33 . 2009-03-18 15:02 57616 ----a-w- c:\documents and settings\Administrator.BIOREG\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-29 16:05 . 2010-01-22 15:06 -------- d-----w- c:\documents and settings\jennieo\Application Data\ntr
2010-01-26 15:00 . 2010-01-26 14:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-26 14:34 . 2010-01-26 14:34 -------- d-----w- c:\documents and settings\jennieo\Application Data\Malwarebytes
2010-01-26 14:34 . 2010-01-26 14:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-26 14:34 . 2010-01-26 14:34 5115824 ----a-w- C:\mbam-setup.exe
2010-01-26 14:31 . 2010-01-26 14:31 3837089 ----a-w- C:\ComboFix.exe
2010-01-25 14:52 . 2009-03-23 12:11 57616 ----a-w- c:\documents and settings\jennieo\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-07 16:07 . 2010-01-26 14:34 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 16:07 . 2010-01-26 14:34 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-06 20:07 . 2010-02-15 16:02 70728 ----a-w- c:\windows\system32\mfevtps.exe
2010-01-06 20:07 . 2010-02-15 16:02 66600 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-01-06 20:07 . 2009-03-18 15:15 75704 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-01-06 20:07 . 2009-03-18 15:15 43288 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-01-06 20:07 . 2009-03-18 15:15 91832 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-01-06 20:07 . 2009-03-18 15:15 64208 ----a-w- c:\windows\system32\drivers\mfetdik.sys
2010-01-06 20:07 . 2009-03-18 15:15 343920 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-06-02 08:33 . 2009-06-02 08:33 16742799 ----a-w- c:\program files\vlc-0.9.9-win32.exe
2009-05-11 16:51 . 2009-05-11 16:51 21878064 ----a-w- c:\program files\QuickTimeInstaller.exe
2009-04-24 12:40 . 2009-04-24 12:40 3929393 ----a-w- c:\program files\FileZilla_3.2.4_win32-setup.exe
2009-04-24 10:10 . 2009-04-24 10:10 11253034 ----a-w- c:\program files\zrnb.exe
2009-03-26 14:53 . 2009-03-26 14:53 2777972 ----a-w- c:\program files\wvdownloader.zip
2010-01-06 20:07 . 2010-02-15 16:02 23864 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSCRMStartup"="c:\program files\Microsoft Dynamics CRM\Client\res\Web\bin\Microsoft.Crm.Application.Hoster.exe" [2009-08-22 104296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-07-16 61440]
"RTHDCPL"="RTHDCPL.EXE" [2008-08-26 16851456]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-03 136600]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2007-07-23 77824]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-11 640376]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-11 413696]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"MSCRM"="c:\program files\Microsoft Dynamics CRM\Client\ConfigWizard\CrmForOutlookInstaller.exe" [2009-08-22 59232]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2009-09-25 136512]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2010-01-06 124240]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
PhoneManager.lnk - c:\program files\Avaya\IP Office\Phone Manager\PhoneManager.exe [2007-5-14 8291840]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 2009\\english\\setup.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Avaya\\IP Office\\Phone Manager\\PhoneManager.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2479:TCP"= 2479:TCP:Services
"8000:TCP"= 8000:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop

R2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\EngineServer.exe [06/01/2010 20:07 22816]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [15/02/2010 16:02 70728]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [15/02/2010 16:02 66600]
.
Contents of the 'Scheduled Tasks' folder

2009-12-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\jennieo\Application Data\Mozilla\Firefox\Profiles\shxs59st.default\
FF - prefs.js: browser.startup.homepage - hxxp://biofile/news|http://www.bioregional.com/about%20us/keypeople.htm
FF - component: c:\documents and settings\jennieo\Application Data\Mozilla\Firefox\Profiles\shxs59st.default\extensions\{FCAB6FDD-5585-425b-95C1-5ED856F3FD08}\components\nsCatcher.dll
FF - component: c:\program files\Mozilla Firefox\components\Scriptff.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-23 09:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(760)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(816)
c:\program files\Bonjour\mdnsNSP.dll
.
Completion time: 2010-03-23 09:56:39
ComboFix-quarantined-files.txt 2010-03-23 09:56

Pre-Run: 75,931,750,400 bytes free
Post-Run: 78,472,646,656 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer

- - End Of File - - 1C329D38342A22934BFB844D03ABEE12

#6 m0le


Posted 23 March 2010 - 12:50 PM

Are you using Remote Desktop?

If not, it looks like we may have a rootkit here.
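The question above comes straight from the firewall-policy blocks in the ComboFix log: a "Remote Desktop" exception on 3389 plus four open TCP ports whose names identify no owning program. The script below, an added example that is not from the thread or from ComboFix, parses those two REGEDIT4-style blocks out of a log and turns each open port into the triage question a helper would ask; the sample text is a constructed copy of that section of the log, and the rules in `triage_ports` (dynamic-range ports and remote-access exceptions get asked about first) are this example's own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample: a copy of the two firewall-policy blocks as the ComboFix
# log in this thread prints them (ComboFix doubles the backslashes inside
# quoted application paths, as REGEDIT4 does).
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Avaya\\IP Office\\Phone Manager\\PhoneManager.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2479:TCP"= 2479:TCP:Services
"8000:TCP"= 8000:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"""


@dataclass(frozen=True)
class OpenPort:
    port: int
    proto: str
    name: str  # the exception's display name as stored in the registry


SECTION_RE = re.compile(r"^\[(?P<key>.+)\]$")
PORT_RE = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=\s*\d+:(?:TCP|UDP):(?P<name>.*)$')
APP_RE = re.compile(r'^"(?P<path>.+)"=\s*$')

# Assumptions behind the triage rules: inbound exceptions in the IANA dynamic
# range are rarely created on purpose, and a remote-access exception only makes
# sense if the machine's owner actually uses that service.
DYNAMIC_PORT_START = 49152
REMOTE_ACCESS_NAMES = {"remote desktop"}


def parse_firewall_policy(log_text):
    """Return (authorized_apps, open_ports) from a ComboFix log's firewall blocks."""
    apps, ports, section = [], [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            key = header.group("key").lower()
            if key.endswith(r"globallyopenports\list"):
                section = "ports"
            elif key.endswith(r"authorizedapplications\list"):
                section = "apps"
            else:
                section = None  # some other registry block; ignore its values
            continue
        if section == "ports":
            m = PORT_RE.match(line)
            if m:
                ports.append(OpenPort(int(m.group("port")), m.group("proto"),
                                      m.group("name").strip()))
        elif section == "apps":
            m = APP_RE.match(line)
            if m:
                # undo the REGEDIT4 doubling of backslashes in the path
                apps.append(m.group("path").replace("\\\\", "\\"))
    return apps, ports


def triage_ports(ports):
    """One finding per open port, phrased as the question to put to the machine's owner."""
    findings = []
    for p in ports:
        label = f"{p.port}/{p.proto} ({p.name})"
        if p.name.lower() in REMOTE_ACCESS_NAMES:
            findings.append(f"{label}: remote-access exception; confirm the user really uses it")
        elif p.port >= DYNAMIC_PORT_START:
            findings.append(f"{label}: inbound exception in the dynamic port range; identify the owner")
        else:
            findings.append(f"{label}: name does not identify an owning program; identify the owner")
    return findings


if __name__ == "__main__":
    apps, ports = parse_firewall_policy(SAMPLE_LOG)
    print("Authorized applications:")
    for a in apps:
        print("  " + a)
    print("Globally open ports:")
    for f in triage_ports(ports):
        print("  " + f)
```

Paste the whole ComboFix log in place of the sample and the parser picks the two blocks out by their key names, so the rest of the log is ignored.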

#7 JennieO


Posted 25 March 2010 - 04:30 AM

Hi M0le, I have had some IT help using remote desk top but I haven't used it myself. Thanks, Jennie

#8 m0le


Posted 25 March 2010 - 12:57 PM

That would account for it then.


Please run MBAM

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.


Now an ESET scan again; these should be clean, clean, clean.

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
NOTE: If no malware is found there will be no option to export the text file as no log will be produced. Let me know if this is the case.

#9 m0le


Posted 27 March 2010 - 08:09 PM

Hi JennieO,

Let me know you are still here by replying when you can.

Thanks

Edited by m0le, 28 March 2010 - 06:48 PM.


#10 m0le


Posted 28 March 2010 - 06:46 PM

Edited

Edited by m0le, 28 March 2010 - 06:48 PM.


#11 JennieO


Posted 29 March 2010 - 08:14 AM

Hi M0le,
It's taking me a while as Internet Explorer crashed while I was doing the second scan. Starting it again now; hopefully it will run all the way through this time. Jennie

#12 JennieO


Posted 29 March 2010 - 10:46 AM

Hi M0le,

I've done both scans now. This is the result from Malwarebytes...

Malwarebytes' Anti-Malware 1.44
Database version: 3640
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

26/01/2010 15:01:13
mbam-log-2010-01-26 (15-01-13).txt

Scan type: Quick Scan
Objects scanned: 172338
Time elapsed: 23 minute(s), 0 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 12
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 4
Files Infected: 50

Memory Processes Infected:
C:\Program Files\RelevantKnowledge\rlvknlg.exe (Spyware.MarketScore) -> Unloaded process successfully.

Memory Modules Infected:
C:\Program Files\RelevantKnowledge\rlls.dll (Spyware.MarketScore) -> Delete on reboot.

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\relevantknowledge (Spyware.MarketScore) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831} (Adware.RelevantKnowledge) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: c:\windows\system32\sdra64.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: system32\sdra64.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\RelevantKnowledge (Spyware.MarketScore) -> Delete on reboot.
C:\Program Files\RelevantKnowledge\components (Spyware.MarketScore) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\RelevantKnowledge (Spyware.MarketScore) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec (Stolen.data) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\sdra64.exe (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\2.tmp (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\3.tmp (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\33.tmp (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\AA.tmp (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\B4.tmp (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BA.tmp (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BB.tmp (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BE.tmp (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BF.tmp (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\C0.tmp (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\C1.tmp (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\C4.tmp (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\C5.tmp (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\C6.tmp (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\C7.tmp (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\CA.tmp (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\CB.tmp (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\CC.tmp (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\CD.tmp (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\16.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\17.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\1A.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\bEkW.exe (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\maom.dll (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\uLAY.dll (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\jennieo\Local Settings\Temp\uLAY.dll (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\jennieo\Local Settings\Temp\bEkW.exe (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\Documents and Settings\jennieo\Local Settings\Temp\maom.dll (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\Temporary Internet Files\Content.IE5\9CSF4P2A\eU230d9c2eHf5074002V0100f070006Rba7fcc95102Tbe59888e204l0409K0804e086318J0b0006010[1] (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\Temporary Internet Files\Content.IE5\ORIRBQ5Q\eHf5074002V0100f070006Rba7fcc95102Tbe5a8397204l0409K81a26b80318J0b0006010[1] (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\Temporary Internet Files\Content.IE5\VXMU9A7X\eU230d9c2eHf5074002V0100f070006Rba4870d3102Tbe59f530204l0409Kfb15b1c6318J0b0006010[1] (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\jennieo\Local Settings\Temporary Internet Files\Content.IE5\9CSF4P2A\eU230d9c2eHf5074002V0100f070006Rba7fcc95102Tbe59888e204l0409K0804e086318J0b0006010[1] (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\jennieo\Local Settings\Temporary Internet Files\Content.IE5\ORIRBQ5Q\eHf5074002V0100f070006Rba7fcc95102Tbe5a8397204l0409K81a26b80318J0b0006010[1] (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\Documents and Settings\jennieo\Local Settings\Temporary Internet Files\Content.IE5\VXMU9A7X\eU230d9c2eHf5074002V0100f070006Rba4870d3102Tbe59f530204l0409Kfb15b1c6318J0b0006010[1] (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\RelevantKnowledge\chrome.manifest (Spyware.MarketScore) -> Quarantined and deleted successfully.
C:\Program Files\RelevantKnowledge\install.rdf (Spyware.MarketScore) -> Quarantined and deleted successfully.
C:\Program Files\RelevantKnowledge\rlls.dll (Spyware.MarketScore) -> Delete on reboot.
C:\Program Files\RelevantKnowledge\rloci.bin (Spyware.MarketScore) -> Quarantined and deleted successfully.
C:\Program Files\RelevantKnowledge\rlph.dll (Spyware.MarketScore) -> Quarantined and deleted successfully.
C:\Program Files\RelevantKnowledge\rlservice.exe (Spyware.MarketScore) -> Quarantined and deleted successfully.
C:\Program Files\RelevantKnowledge\rlvknlg.exe (Spyware.MarketScore) -> Delete on reboot.
C:\Program Files\RelevantKnowledge\rlxf.dll (Spyware.MarketScore) -> Quarantined and deleted successfully.
C:\Program Files\RelevantKnowledge\components\rlxg.dll (Spyware.MarketScore) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\RelevantKnowledge\About RelevantKnowledge.lnk (Spyware.MarketScore) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\RelevantKnowledge\Privacy Policy and User License Agreement.lnk (Spyware.MarketScore) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\RelevantKnowledge\Support.lnk (Spyware.MarketScore) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\RelevantKnowledge\Uninstall Instructions.lnk (Spyware.MarketScore) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Quarantined and deleted successfully.

When I tried to run the ESET scan, Microsoft Explorer crashed before it was finished. I did notice that it had detected one incident of malware before it crashed. I ran it again through to completion just now and it didn't pick anything up.

Thanks Jennie
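The Hijack.Userinit record in the Malwarebytes log above is the security-relevant part of this thread: Zbot persisted by appending sdra64.exe to the Winlogon Userinit value, so every interactive logon started it next to the real userinit.exe. The following is an added example, not code from the thread or from Malwarebytes, that checks a Userinit value string for anything beyond the stock entry and parses the log line format shown above; the function names and the accepted spellings of the stock entry are assumptions.

```python
"""Check a Winlogon Userinit value for extra entries, in the style of the
Hijack.Userinit record in the MBAM log above (added example, not from the thread).

The value is a comma-separated list; a stock Windows XP install carries only
userinit.exe (plus a trailing comma). Anything else launched at every logon
deserves a look, and the Zbot sample in this thread put sdra64.exe there.
"""
import re
from typing import List

# Spellings of the legitimate entry that Windows accepts (assumption: these are
# the forms seen in practice; the bare name resolves from system32).
STOCK_USERINIT = {
    "userinit.exe",
    r"c:\windows\system32\userinit.exe",
    r"%systemroot%\system32\userinit.exe",
}


def split_userinit(value: str) -> List[str]:
    """Split the comma-separated Userinit value into its non-empty entries."""
    return [e.strip() for e in value.split(",") if e.strip()]


def is_stock_userinit(entry: str) -> bool:
    """True if the entry is the legitimate userinit.exe (quotes and case ignored)."""
    return entry.strip().strip('"').lower() in STOCK_USERINIT


def suspicious_userinit_entries(value: str) -> List[str]:
    """Return every Userinit entry that is not the stock userinit.exe."""
    return [e for e in split_userinit(value) if not is_stock_userinit(e)]


def userinit_is_clean(value: str) -> bool:
    """A clean value has the stock entry and nothing else. A value with the stock
    entry missing is also flagged: that breaks logons and is not a default."""
    entries = split_userinit(value)
    return any(is_stock_userinit(e) for e in entries) and not suspicious_userinit_entries(value)


# The Hijack.Userinit line format Malwarebytes wrote in the log above.
_MBAM_HIJACK = re.compile(
    r"\(Hijack\.Userinit\) -> Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\)"
)


def hijack_from_mbam_line(line: str) -> List[str]:
    """Parse an MBAM Hijack.Userinit log line and return the injected entries.
    Lines that are not a Userinit hijack record yield an empty list."""
    m = _MBAM_HIJACK.search(line)
    if not m:
        return []
    return suspicious_userinit_entries(m.group("bad"))


# Constructed sample: the hijack record exactly as it appears in the thread's log.
SAMPLE_LINE = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit "
    r"(Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) "
    r"Good: (Userinit.exe) -> Quarantined and deleted successfully."
)

if __name__ == "__main__":
    print(hijack_from_mbam_line(SAMPLE_LINE))  # → ['C:\\WINDOWS\\system32\\sdra64.exe']
```

On a live XP box the same check applies to the value read from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit; the parsing here only covers the string itself, not the registry read.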


#13 m0le

m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 29 March 2010 - 01:03 PM

ESET may not be able to deal with the amount of infection.

Please run Combofix so it can hoick out anything that's left.

Please download ComboFix from one of these locations:* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#14 JennieO

JennieO
  • Topic Starter

  • Members
  • 10 posts

Posted 30 March 2010 - 04:00 AM

Hi M0le, Here's that log..., thanks Jennie

ComboFix 10-03-29.03 - jennieo 30/03/2010 9:39.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1184 [GMT 1:00]
Running from: c:\documents and settings\jennieo\Desktop\comfix.exe
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.

((((((((((((((((((((((((( Files Created from 2010-02-28 to 2010-03-30 )))))))))))))))))))))))))))))))
.

2010-03-23 09:42 . 2010-03-23 09:56 -------- d-----w- C:\comfix
2010-03-19 10:42 . 2010-03-19 10:42 -------- d-----w- c:\program files\ESET
2010-03-10 14:11 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-26 17:17 . 2010-01-26 14:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-10 14:34 . 2009-11-09 09:20 79488 ----a-w- c:\documents and settings\jennieo\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-02-25 16:35 . 2010-02-25 16:35 -------- d-----w- c:\documents and settings\jennieo\Application Data\webex
2010-02-15 12:06 . 2010-02-15 12:06 -------- d-----w- c:\documents and settings\jennieo\Application Data\McAfee
2010-02-15 12:05 . 2010-02-15 12:05 5268729 ----a-w- c:\documents and settings\All Users\Application Data\McAfee\Common Framework\Current\EPOAGENT3000\Install\0409\FramePkg.exe
2010-02-03 12:33 . 2009-03-18 15:02 57616 ----a-w- c:\documents and settings\Administrator.BIOREG\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-29 16:05 . 2010-01-22 15:06 -------- d-----w- c:\documents and settings\jennieo\Application Data\ntr
2010-01-26 14:34 . 2010-01-26 14:34 5115824 ----a-w- C:\mbam-setup.exe
2010-01-26 14:31 . 2010-01-26 14:31 3837089 ----a-w- C:\ComboFix.exe
2010-01-25 14:52 . 2009-03-23 12:11 57616 ----a-w- c:\documents and settings\jennieo\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-07 16:07 . 2010-01-26 14:34 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 16:07 . 2010-01-26 14:34 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-06 20:07 . 2010-02-15 16:02 70728 ----a-w- c:\windows\system32\mfevtps.exe
2010-01-06 20:07 . 2010-02-15 16:02 66600 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-01-06 20:07 . 2009-03-18 15:15 75704 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-01-06 20:07 . 2009-03-18 15:15 43288 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-01-06 20:07 . 2009-03-18 15:15 91832 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-01-06 20:07 . 2009-03-18 15:15 64208 ----a-w- c:\windows\system32\drivers\mfetdik.sys
2010-01-06 20:07 . 2009-03-18 15:15 343920 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-06-02 08:33 . 2009-06-02 08:33 16742799 ----a-w- c:\program files\vlc-0.9.9-win32.exe
2009-05-11 16:51 . 2009-05-11 16:51 21878064 ----a-w- c:\program files\QuickTimeInstaller.exe
2009-04-24 12:40 . 2009-04-24 12:40 3929393 ----a-w- c:\program files\FileZilla_3.2.4_win32-setup.exe
2009-03-26 14:53 . 2009-03-26 14:53 2777972 ----a-w- c:\program files\wvdownloader.zip
2010-01-06 20:07 . 2010-02-15 16:02 23864 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-03-23_09.55.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-03-30 08:07 . 2010-03-30 08:07 16384 c:\windows\Temp\Perflib_Perfdata_7a4.dat
+ 2007-07-27 12:00 . 2010-03-29 08:13 87898 c:\windows\system32\perfc009.dat
+ 2007-07-27 12:00 . 2010-03-29 08:13 478044 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSCRMStartup"="c:\program files\Microsoft Dynamics CRM\Client\res\Web\bin\Microsoft.Crm.Application.Hoster.exe" [2009-08-22 104296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-07-16 61440]
"RTHDCPL"="RTHDCPL.EXE" [2008-08-26 16851456]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-03 136600]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2007-07-23 77824]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-11 640376]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-11 413696]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"MSCRM"="c:\program files\Microsoft Dynamics CRM\Client\ConfigWizard\CrmForOutlookInstaller.exe" [2009-08-22 59232]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2009-09-25 136512]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2010-01-06 124240]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
PhoneManager.lnk - c:\program files\Avaya\IP Office\Phone Manager\PhoneManager.exe [2007-5-14 8291840]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 2009\\english\\setup.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Avaya\\IP Office\\Phone Manager\\PhoneManager.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2479:TCP"= 2479:TCP:Services
"8000:TCP"= 8000:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop

R2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\EngineServer.exe [06/01/2010 21:07 22816]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [15/02/2010 17:02 70728]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [15/02/2010 17:02 66600]
.
Contents of the 'Scheduled Tasks' folder

2009-12-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\jennieo\Application Data\Mozilla\Firefox\Profiles\shxs59st.default\
FF - prefs.js: browser.startup.homepage - hxxp://biofile/news|http://www.bioregional.com/about%20us/keypeople.htm
FF - component: c:\documents and settings\jennieo\Application Data\Mozilla\Firefox\Profiles\shxs59st.default\extensions\{FCAB6FDD-5585-425b-95C1-5ED856F3FD08}\components\nsCatcher.dll
FF - component: c:\program files\Mozilla Firefox\components\Scriptff.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-30 09:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(760)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(816)
c:\program files\Bonjour\mdnsNSP.dll

- - - - - - - > 'explorer.exe'(2604)
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\program files\McAfee\Common Framework\McTrayLegacySupportPlugin.dll
c:\program files\McAfee\Common Framework\McTrayInterfaceLib.dll
c:\program files\McAfee\Common Framework\McAfeeWin32GUISupportDLL.dll
.
Completion time: 2010-03-30 09:48:12
ComboFix-quarantined-files.txt 2010-03-30 08:48
ComboFix2.txt 2010-03-23 09:56

Pre-Run: 78,308,634,624 bytes free
Post-Run: 78,457,520,128 bytes free

- - End Of File - - E5D5D4B38DD833515A420C030A10CA26


#15 m0le

m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 30 March 2010 - 04:25 PM

That looks fine

A quick scan with the new BitDefender, this should take a minute and you can keep it to do quick scans in the future. Please let me know if the instructions differ from what you are seeing - this is a new tool.

Please run a BitDefender QuickScan
  • Click Start Scanner
  • Click Start Scan

    If you are running Firefox you should accept the installation of the Plug-in and restart Firefox
    If you are running Internet Explorer then allow the ActiveX control to install when prompted.


  • Click Start Scan
  • Check the I ACCEPT box on the EULA and click OK
When the scan has finished, it should take about a minute, click View Log and copy and paste the log into your next reply.