
Fake svchost.exe trojan created in windows temp folder


  • This topic is locked
58 replies to this topic

#1 Pajajn


Posted 17 April 2010 - 04:11 PM

Hey all here on BleepingComputer

I need serious help now, or rather it's my dad who needs your help, guys
He came to me yesterday and asked if I could help him remove some virus that he had got on some pdfsource site

When I scanned with several AVs and strong programs listed here, I found nothing :S
Panda online scanner
F-Secure - installed on his computer with the newest database
Combofix
SmitfraudFix
Malwarebytes
Everything, and couldn't manage to succeed in deleting it

The problem is described in another thread here:
In my Windows\temp folder, folders are being created with seemingly random names holding an svchost.exe file

Windows\temp\xxx.tmp\svchost.exe
Angrepp: Trojan downloader
: W32\Renos.gen!C


And another called trojan.generic.3314168 and one with 58-something at the end.

When I kept reading the forum post from 2009 about this problem I saw this:

this virus, as it repeatedly started up, a xxx.tmp/svchost.exe connects to Russian URL 91.212.226.182 (or a few others) and then deletes itself. It's fast enough to be gone by the time antivirus tools like Windows Security Essentials can quarantine it or remove it. They may detect it and report it, BUT it self-deletes before the antivirus tools can do anything. That's why nobody sees an svchost.exe file with or without antivirus tools doing anything about it.

It looks like it just may be waiting for a signal from the Russian URL or the other control locations



This sounds very NOT GOOD in my ears
I'm begging you guys here to give me all the advice I can get, quickly, before something more happens
I've currently unplugged his Internet cable and am on my own network

I scanned with the AVZ Antiviral rootkit detector and came up with this log:

Attention !!! Database was last updated 2009-08-21 it is necessary to update the database (via File - Database update)
AVZ Antiviral Toolkit log; AVZ version is 4.32
Scanning started at 2010-04-18 16:28:44
Database loaded: signatures - 237871, NN profile(s) - 2, malware removal microprograms - 56, signature database released 21.08.2009 14:23
Heuristic microprograms loaded: 374
PVS microprograms loaded: 9
Digital signatures of system files loaded: 135524
Heuristic analyzer mode: Maximum heuristics mode
Malware removal mode: enabled
Windows version is: 5.1.2600, Service Pack 3 ; AVZ is run with administrator rights
System Restore: enabled
1. Searching for Rootkits and other software intercepting API functions
1.1 Searching for user-mode API hooks
Analysis: kernel32.dll, export table found in section .text
Analysis: ntdll.dll, export table found in section .text
Analysis: user32.dll, export table found in section .text
Analysis: advapi32.dll, export table found in section .text
Analysis: ws2_32.dll, export table found in section .text
Analysis: wininet.dll, export table found in section .text
Analysis: rasapi32.dll, export table found in section .text
Analysis: urlmon.dll, export table found in section .text
Analysis: netapi32.dll, export table found in section .text

1.2 Searching for kernel-mode API hooks
Driver loaded successfully
SDT found (RVA=085700)
Kernel ntkrnlpa.exe found in memory at address 804D7000
SDT = 8055C700
KiST = 8050446C (284)
Function NtCreateProcess (2F) intercepted (805D11EA->ED560CD6), hook C:\Program\Telia\Telias sakerhetstjanster\HIPS\drivers\fshs.sys
Function NtCreateProcessEx (30) intercepted (805D1134->ED560CF0), hook C:\Program\Telia\Telias sakerhetstjanster\HIPS\drivers\fshs.sys
Function NtCreateThread (35) intercepted (805D0FD2->ED55FE8C), hook C:\Program\Telia\Telias sakerhetstjanster\HIPS\drivers\fshs.sys
Function NtLoadDriver (61) intercepted (8058413A->ED5601BC), hook C:\Program\Telia\Telias sakerhetstjanster\HIPS\drivers\fshs.sys
Function NtMapViewOfSection (6C) intercepted (805B1FE6->ED55FBCC), hook C:\Program\Telia\Telias sakerhetstjanster\HIPS\drivers\fshs.sys
Function NtOpenSection (7D) intercepted (805AA3B2->ED5605EE), hook C:\Program\Telia\Telias sakerhetstjanster\HIPS\drivers\fshs.sys
Function NtRenameKey (C0) intercepted (806231EA->ED56188C), hook C:\Program\Telia\Telias sakerhetstjanster\HIPS\drivers\fshs.sys
Function NtSetSystemInformation (F0) intercepted (8060F3EC->ED56043E), hook C:\Program\Telia\Telias sakerhetstjanster\HIPS\drivers\fshs.sys
Function NtSuspendProcess (FD) intercepted (805D4A22->ED55FA4C), hook C:\Program\Telia\Telias sakerhetstjanster\HIPS\drivers\fshs.sys
Function NtSuspendThread (FE) intercepted (805D4894->ED55FEC0), hook C:\Program\Telia\Telias sakerhetstjanster\HIPS\drivers\fshs.sys
Function NtSystemDebugControl (FF) intercepted (80617792->ED560042), hook C:\Program\Telia\Telias sakerhetstjanster\HIPS\drivers\fshs.sys
Function NtTerminateProcess (101) intercepted (805D2982->B9761320), hook C:\Program\SUPERAntiSpyware\SASKUTIL.SYS
Function NtTerminateThread (102) intercepted (805D2B7C->ED55FB06), hook C:\Program\Telia\Telias sakerhetstjanster\HIPS\drivers\fshs.sys
Function NtWriteVirtualMemory (115) intercepted (805B4378->ED55FF86), hook C:\Program\Telia\Telias sakerhetstjanster\HIPS\drivers\fshs.sys
Function IoCreateDevice (805758EE) - machine code modification Method of JmpTo. jmp F73A5FFA fsdfw.sys
Functions checked: 284, intercepted: 14, restored: 0
1.3 Checking IDT and SYSENTER
Analyzing CPU 1
Analyzing CPU 2
Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
Checking not performed: extended monitoring driver (AVZPM) is not installed
Driver loaded successfully
1.5 Checking IRP handlers
\driver\tcpip[IRP_MJ_CREATE] = F73A568E -> C:\WINDOWS\system32\Drivers\fsdfw.sys
\driver\tcpip[IRP_MJ_DEVICE_CONTROL] = F73A568E -> C:\WINDOWS\system32\Drivers\fsdfw.sys
\driver\tcpip[IRP_MJ_INTERNAL_DEVICE_CONTROL] = F73A568E -> C:\WINDOWS\system32\Drivers\fsdfw.sys
\driver\tcpip[IRP_MJ_CLEANUP] = F73A568E -> C:\WINDOWS\system32\Drivers\fsdfw.sys

Checking - complete
2. Scanning RAM
Number of processes found: 33
Extended process analysis: 1556 C:\Program\Telia\Telias sakerhetstjanster\Anti-Virus\fsgk32st.exe
[ES]:Program code includes networking-related functionality
[ES]:Application has no visible windows
Extended process analysis: 1580 C:\Program\Telia\Telias sakerhetstjanster\Common\FSMA32.EXE
[ES]:Program code includes networking-related functionality
[ES]:Application has no visible windows
Extended process analysis: 1588 C:\Program\Telia\Telias sakerhetstjanster\Anti-Virus\FSGK32.EXE
[ES]:Program code includes networking-related functionality
[ES]:Application has no visible windows
Extended process analysis: 1648 C:\Program\Telia\Telias sakerhetstjanster\Common\FSHDLL32.EXE
[ES]:Program code includes networking-related functionality
[ES]:Application has no visible windows
[ES]:Loads RASAPI DLL - may use dialing ?
Extended process analysis: 1808 C:\Program\Telia\Supportassistent\bin\sprtsvc.exe
[ES]:Program code includes networking-related functionality
[ES]:Application has no visible windows
[ES]:Registered for automatic startup !!
[ES]:Loads RASAPI DLL - may use dialing ?
Extended process analysis: 1036 C:\Program\Telia\Telias sakerhetstjanster\ORSP Client\fsorsp.exe
[ES]:Program code includes networking-related functionality
[ES]:Application has no visible windows
[ES]:Loads RASAPI DLL - may use dialing ?
Extended process analysis: 1088 C:\Program\Telia\Telias sakerhetstjanster\Anti-Virus\fssm32.exe
[ES]:Program code includes networking-related functionality
[ES]:Application has no visible windows
[ES]:Loads RASAPI DLL - may use dialing ?
Extended process analysis: 1252 C:\Program\Telia\Telias sakerhetstjanster\FWES\Program\fsdfwd.exe
[ES]:Program code includes networking-related functionality
[ES]:Application has no visible windows
[ES]:Loads RASAPI DLL - may use dialing ?
Extended process analysis: 2368 C:\Program\Telia\Telias sakerhetstjanster\Anti-Virus\fsav32.exe
[ES]:Program code includes networking-related functionality
[ES]:Application has no visible windows
Extended process analysis: 4036 C:\Program\Brother\Brmfcmon\BrMfcmon.exe
[ES]:Program code includes networking-related functionality
[ES]:Application has no visible windows
Extended process analysis: 1224 C:\Program\Telia\Supportassistent\bin\sprtcmd.exe
[ES]:Program code includes networking-related functionality
[ES]:Application has no visible windows
[ES]:Loads RASAPI DLL - may use dialing ?
Number of modules loaded: 352
Scanning RAM - complete
3. Scanning disks
4. Checking Winsock Layered Service Provider (SPI/LSP)
LSP Protocol error: Number of protocols 11 doesn't correspond to real 21
Attention ! SPI/LSP errors detected. Number of errors - 1
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
C:\Program\Telia\Supportassistent\bin\sprthook.dll --> Suspicion for Keylogger or Trojan DLL
C:\Program\Telia\Supportassistent\bin\sprthook.dll>>> Behaviour analysis
1. Reacts to events: keyboard, mouse, all events
C:\Program\Telia\Supportassistent\bin\sprthook.dll>>> Neural net: file is 0.00% like a typical keyboard/mouse events interceptor
C:\Program\Telia\Telias sakerhetstjanster\FWES\Program\fsdc32.dll --> Suspicion for Keylogger or Trojan DLL
C:\Program\Telia\Telias sakerhetstjanster\FWES\Program\fsdc32.dll>>> Behaviour analysis

Behaviour typical for keyloggers was not detected
Note: Do NOT delete suspicious files, send them for analysis (see FAQ for more details), because there are lots of useful hooking DLLs
6. Searching for opened TCP/UDP ports used by malicious software
In the database 317 port descriptions
Opened at this PC: 5 TCP ports and 5 UDP ports
Checking - complete; no suspicious ports detected
7. Heuristic system check
Checking - complete
8. Searching for vulnerabilities
>> Services: potentially dangerous service allowed: TermService (Terminal Services)
>> Services: potentially dangerous service allowed: SSDPSRV (SSDP Discovery Service)
>> Services: potentially dangerous service allowed: TlntSvr ()
>> Services: potentially dangerous service allowed: Schedule (Task Scheduler)
>> Services: potentially dangerous service allowed: mnmsrvc (NetMeeting Remote Desktop Sharing)
>> Services: potentially dangerous service allowed: RDSessMgr (Remote Desktop Help Session Manager)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
Checking - complete
9. Troubleshooting wizard
>> HDD autorun is allowed
>>> HDD autorun is allowed - fixed
>> Network drives autorun is allowed
>>> Network drives autorun is allowed - fixed
>> Removable media autorun is allowed
>>> Removable media autorun is allowed - fixed

Checking - complete
Files scanned: 385, extracted from archives: 0, malicious software found 0, suspicions - 0
Scanning finished at 2010-04-18 16:29:39
Time of scanning: 00:00:56
If you have a suspicion on presence of viruses or questions on the suspected objects,
you can address http://virusinfo.info conference

Edited by Pajajn, 18 April 2010 - 10:11 AM.
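The part of the AVZ log above that is worth triaging is section 1.2: every intercepted kernel function is attributed to the module that owns the hook, so the question for each owner is whether it is a product you knowingly installed (here the F-Secure HIPS driver fshs.sys, the F-Secure firewall driver fsdfw.sys and SUPERAntiSpyware's SASKUTIL.SYS). The following is an added example, not code from the thread or from AVZ: it parses the SSDT, inline-patch and IRP-handler lines, groups hooks by owner and reports any owner not on an allowlist. The allowlist and the sample excerpt are constructed; the example_unknown.sys line in it is fictitious and only shows how an unexpected owner is reported.

```python
"""Triage helper for the kernel-hook section of an AVZ log.

Added example, not code from the thread or from AVZ: it parses the
"Function ... intercepted (...), hook <path>" lines, the "machine code
modification ... jmp" line and the IRP-handler lines of the log above,
groups every hook by the module that owns it, and reports modules that are
not on a caller-supplied allowlist of known security products. The
allowlist and the sample log below are constructed for this example.
"""
import re
from collections import defaultdict

# SSDT hook lines, e.g.
#   Function NtCreateProcess (2F) intercepted (805D11EA->ED560CD6), hook C:\...\fshs.sys
SSDT_HOOK = re.compile(
    r"^Function (?P<func>\w+) \((?P<idx>[0-9A-Fa-f]+)\) intercepted "
    r"\((?P<orig>[0-9A-Fa-f]+)->(?P<hook>[0-9A-Fa-f]+)\), hook (?P<module>.+)$"
)
# Inline (code-patch) hook lines, e.g.
#   Function IoCreateDevice (805758EE) - machine code modification Method of JmpTo. jmp F73A5FFA fsdfw.sys
INLINE_HOOK = re.compile(
    r"^Function (?P<func>\w+) \((?P<addr>[0-9A-Fa-f]+)\) - machine code modification "
    r".*\bjmp (?P<target>[0-9A-Fa-f]+) (?P<module>\S+)$"
)
# IRP dispatch-table hook lines, e.g.
#   \driver\tcpip[IRP_MJ_CREATE] = F73A568E -> C:\WINDOWS\system32\Drivers\fsdfw.sys
IRP_HOOK = re.compile(
    r"^\\driver\\(?P<drv>\w+)\[(?P<irp>\w+)\] = (?P<addr>[0-9A-Fa-f]+) -> (?P<module>.+)$"
)


def parse_hooks(log_text):
    """Return (kind, hooked_name, module_path) for every hook line in the log."""
    hooks = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SSDT_HOOK.match(line)
        if m:
            hooks.append(("ssdt", m.group("func"), m.group("module")))
            continue
        m = INLINE_HOOK.match(line)
        if m:
            hooks.append(("inline", m.group("func"), m.group("module")))
            continue
        m = IRP_HOOK.match(line)
        if m:
            hooks.append(("irp", "%s[%s]" % (m.group("drv"), m.group("irp")), m.group("module")))
    return hooks


def module_name(path):
    """Lower-cased file name of a Windows path, so a full path and a bare name compare equal."""
    return path.rsplit("\\", 1)[-1].lower()


def group_by_module(hooks):
    """Map lower-cased module name -> list of (kind, hooked_name) it owns."""
    grouped = defaultdict(list)
    for kind, name, module in hooks:
        grouped[module_name(module)].append((kind, name))
    return dict(grouped)


def unexpected_hookers(hooks, allowlist):
    """Modules that own at least one hook but are not on the allowlist."""
    allowed = {module_name(m) for m in allowlist}
    return sorted(m for m in group_by_module(hooks) if m not in allowed)


# Products visible in the log above. On a real system verify the vendor
# signature of each file instead of trusting the name (assumption: XP paths).
KNOWN_SECURITY_MODULES = ["fshs.sys", "fsdfw.sys", "SASKUTIL.SYS"]

# Constructed excerpt: lines taken from the log above plus one fictitious
# hook owner (example_unknown.sys) to show how an unexpected module is reported.
SAMPLE_LOG = r"""
1.2 Searching for kernel-mode API hooks
Function NtCreateProcess (2F) intercepted (805D11EA->ED560CD6), hook C:\Program\Telia\Telias sakerhetstjanster\HIPS\drivers\fshs.sys
Function NtTerminateProcess (101) intercepted (805D2982->B9761320), hook C:\Program\SUPERAntiSpyware\SASKUTIL.SYS
Function NtWriteVirtualMemory (115) intercepted (805B4378->ED55FF86), hook C:\Program\Telia\Telias sakerhetstjanster\HIPS\drivers\fshs.sys
Function IoCreateDevice (805758EE) - machine code modification Method of JmpTo. jmp F73A5FFA fsdfw.sys
Function NtOpenFile (74) intercepted (80570000->F8000000), hook C:\WINDOWS\system32\drivers\example_unknown.sys
1.5 Checking IRP handlers
\driver\tcpip[IRP_MJ_CREATE] = F73A568E -> C:\WINDOWS\system32\Drivers\fsdfw.sys
\driver\tcpip[IRP_MJ_CLEANUP] = F73A568E -> C:\WINDOWS\system32\Drivers\fsdfw.sys
"""

if __name__ == "__main__":
    found = parse_hooks(SAMPLE_LOG)
    for module, owned in sorted(group_by_module(found).items()):
        print("%-20s %d hook(s): %s" % (module, len(owned), ", ".join(n for _, n in owned)))
    print("not on allowlist:", unexpected_hookers(found, KNOWN_SECURITY_MODULES))
```

Run against the full log above, every one of the 14 intercepted functions and the four IRP handlers lands on one of the three allowlisted modules; an owner you cannot account for is the one to investigate.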




#2 Pajajn


Posted 18 April 2010 - 06:32 AM

Also Known As: W32/Renos.gen!C [F-Secure], Trojan.Pidief.A [Symantec], EXPL_Pidief.B [Trend Micro].
Type: Rootkit/Trojan Downloader
Systems Affected: Windows XP and Internet Explorer 7

W32/generic.3314168 is a backdoor which uses an exploit in Adobe's popular PDF-viewing software "Adobe Reader" and editing suite "Acrobat".
Using round-robin DNS, resolving to five unique IP addresses that rotate on each lookup, the infected system
attempts to exploit the Microsoft ADODB / XML HTTP (MS06-014) vulnerability to download and install a Trojan downloader without end-user interaction.

The trojan file called "iexplorer.exe" is downloaded and run. The site displays a simple page that says the server is "Temporarily busy" and suggests that the user shut down any
"firewall" and antivirus software. It also modifies the computer's hosts file (svchost.exe) with the downloaded fake every 2 minutes, in such a way that accessing the websites of many antivirus vendors is blocked.
Then it changes Internet Explorer's home page and default search engine, and enables browser extensions.
The trojan also changes the Internet security zone settings to enable ActiveX controls.

When having one copy of Internet Explorer running, there should actually be 2 processes "iexplorer.exe" in Task Manager.

When the trojan is running it presents a window every five minutes.
The security issue it warns of is just a hoax (I think), and it only gives you the option "Ok" and then exits.


One site from which users got infected is "www.pdfsource.com"
Files created/replaced during the process:

C:\Windows\Temp\"xxx".tmp/svchost.exe
iexplorer.exe (the fake process, which is the trojan that downloads the infected svchost.exe temp file every 4 minutes)
IEMod.dll
IEGrabber.dll
IEFaker.dll
CertGrabber.dll
PSGrabber.dll


Replacing "windows\system32\drivers\ftdisk.sys"
with the infected file "windows\system32\drivers\fTdisk.sys"

Sometimes also infecting the "atapi.sys" file located in
"windows\system32\"
And adding the infected ".sys" file into
"windows\system32\dllcache\"



This is what I've got after one whole night of research on this strange, terrifying rootkit! :S
I've tested these programs to remove it, but never succeeded....

Combofix downloaded from this forum
SDFix, GMER rootkit scanner, newest, downloaded from this forum
SmitfraudFix downloaded from this forum
Panda online scanner
ESET Smart online scanner
F-Secure newest update (Telia Safe Surfing software)
Malwarebytes Anti-Malware downloaded from this forum
SUPERAntiSpyware downloaded from this forum

The computer first got

Trojan.Gen.3314168

Trojan.Downloader
W32\Renos.gen!C


And finally
Rootkit.Patched.TDSS.Gen

system32\drivers\ftdisk.sys

Not a single one of them could detect or delete this rootkit :SS And that's confusing me a lot :-O
My father and I now seriously need help, as do many others on this forum and around the world, so please take a deep look into this, everyone

Edited by Pajajn, 18 April 2010 - 06:54 AM.
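The post above lists three host artefacts a defender can check for directly: an svchost.exe running from a random-named .tmp folder under Windows\Temp rather than System32, a hosts file rewritten so that antivirus vendor sites no longer resolve, and ftdisk.sys (or atapi.sys) replaced in system32\drivers with a copy also dropped into dllcache. The following is an added example, not code from the thread or from any of the tools it names: three pure checks over data collected from the machine, run here on constructed sample input. The vendor list, the single legitimate svchost location and all sample paths, hosts lines and file bytes are assumptions made for this example.

```python
r"""Host-triage checks for the indicators the post above describes.

Added example, not code from the thread or from any tool it names. It
covers three of the listed indicators: an svchost.exe running from a
*.tmp folder under Windows\Temp instead of System32, hosts-file entries
that redirect anti-virus vendor sites, and a driver in system32\drivers
whose hash differs from the copy in system32\dllcache. The vendor list,
the legitimate svchost location and every sample value below are
constructed assumptions for this example.
"""
import hashlib
import re
from pathlib import PureWindowsPath

# Assumption: 32-bit XP with a single system root; the only legitimate home of
# svchost.exe there is System32 (compared lower-cased, NTFS is case-insensitive).
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32"}

# Assumption: vendors named in this thread; extend the list for real use.
AV_VENDOR_DOMAINS = (
    "f-secure.com", "malwarebytes.org", "pandasecurity.com",
    "eset.com", "superantispyware.com",
)

# "<address> <name> [<name>...] [# comment]" lines of a hosts file.
HOSTS_LINE = re.compile(r"^\s*(?P<addr>[0-9A-Fa-f.:]+)\s+(?P<names>[^#]+)")


def suspicious_svchost(process_paths):
    """Return every svchost.exe image path that does not live in System32."""
    hits = []
    for path in process_paths:
        win = PureWindowsPath(path)
        if win.name.lower() != "svchost.exe":
            continue
        if str(win.parent).lower() not in LEGIT_SVCHOST_DIRS:
            hits.append(path)
    return hits


def hijacked_hosts_entries(hosts_text):
    """Return (address, hostname) for every vendor host mapped in the hosts file.

    Any mapping of a vendor site is reported, whatever the address: the post
    describes a hosts file rewritten so that vendor sites stop resolving.
    """
    found = []
    for line in hosts_text.splitlines():
        m = HOSTS_LINE.match(line)
        if not m:
            continue
        for name in m.group("names").split():
            low = name.lower()
            if any(low == d or low.endswith("." + d) for d in AV_VENDOR_DOMAINS):
                found.append((m.group("addr"), name))
    return found


def driver_mismatches(live_drivers, cached_drivers):
    r"""Names whose system32\drivers bytes hash differently from the dllcache copy.

    Both arguments map a lower-cased file name to file bytes. Two caveats from
    the post: the infection also drops its patched .sys into dllcache, so a
    matching pair proves nothing on its own, and a kernel rootkit can hide the
    patch from reads on the live system, so collect the bytes from offline media.
    """
    def digest(data):
        return hashlib.sha256(data).hexdigest()

    return sorted(
        name for name, data in live_drivers.items()
        if name in cached_drivers and digest(data) != digest(cached_drivers[name])
    )


# ---- constructed sample input, mirroring the patterns in the post ----
SAMPLE_PROCESS_PATHS = [
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\Temp\a1b2.tmp\svchost.exe",   # random-named .tmp folder, as in the post
    r"C:\Program Files\Internet Explorer\iexplore.exe",
]
SAMPLE_HOSTS = """# constructed hosts file
127.0.0.1       localhost
127.0.0.1       www.f-secure.com f-secure.com   # vendor sites pointed at loopback
127.0.0.1       www.malwarebytes.org
"""
SAMPLE_LIVE_DRIVERS = {
    "ftdisk.sys": b"constructed: patched driver image",
    "atapi.sys": b"constructed: untouched driver image",
}
SAMPLE_CACHED_DRIVERS = {
    "ftdisk.sys": b"constructed: original driver image",
    "atapi.sys": b"constructed: untouched driver image",
}

if __name__ == "__main__":
    print("svchost outside System32:", suspicious_svchost(SAMPLE_PROCESS_PATHS))
    print("vendor hosts entries:", hijacked_hosts_entries(SAMPLE_HOSTS))
    print("driver/dllcache mismatches:", driver_mismatches(SAMPLE_LIVE_DRIVERS, SAMPLE_CACHED_DRIVERS))
```

A clean hash comparison between the live driver and its dllcache copy is only meaningful when both were read from offline media, which is also why the moderator below moves this thread towards a DDS log rather than more live scans.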


#3 Pajajn


Posted 18 April 2010 - 12:09 PM

I need fast help with my other computer; I've got F-Secure installed with the newest signature database
My AV came up with an error message telling this

Intrusion:
Rootkit.Patched.TDSS.Gen
Attacked:
C:\windows\system32\drivers\ftdisk.sys


Trojan.Downloader
W32\Renos.gen!C
Attacked:
C:\Windows\temp\"xxx".tmp\svchost.exe

xxx = name changes each time the file is downloaded :S

I've got IE7 and Service Pack 3 installed.
I ran a scan with AVZ Antiviral Toolkit; AVZ version is 4.32



If any one of you could take a look into this and help me get rid of the rootkit trojan I would be so thankful

#4 boopme (Global Moderator)

Posted 18 April 2010 - 03:58 PM

Hello, please do these and post back the MBAM and GMER logs.

TFC by OT
Please download TFC by Old Timer and save it to your desktop.
alternate download link
  • Save any unsaved work. TFC will close ALL open programs including your browser!
  • Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
  • Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
  • Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.


Next run MBAM (MalwareBytes):

Please download Malwarebytes Anti-Malware (v1.45) and save it to your desktop.
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.



#5 Pajajn


Posted 19 April 2010 - 03:47 PM

Hi boopme, thanks for your fast reply.
TFC and Malwarebytes ran without any trouble at all, and didn't catch any infection in the computer.

When I then ran GMER exactly as written (I printed out the instructions), the first scan time was ~2 hours ...

After that, when it was done, I pressed "save" and wrote gmer, and then the whole explorer and GMER program crashed totally; I couldn't do anything, open Task Manager or anything

I then rebooted the computer and started the scan once again. This time the scan ran faster than ever; in about 2 minutes a bunch of code appeared which on the first scan took 2 f*cking hours :|
The whole scan operation was almost frozen in a folder called
Software\Microsoft\Windows\ShellNoRoam\bags\xxx\shell

Where "xxx" was multiple folders that were searched through, called everything from 1060 to 1501.
And then my explorer suddenly crashed again, after searching this folder for about 1 hour and 50 minutes

From 20.00 to 22.43 the second scan ran before it totally crashed, like I said

I've currently turned off the computer and am waiting for a reply once again

#6 boopme (Global Moderator)

Posted 19 April 2010 - 04:09 PM

What operating system is this?

#7 Pajajn (Topic Starter)

Posted 20 April 2010 - 12:43 AM

Oh sorry, my dad's computer is using Windows XP Home Edition 2002, I think it was, & Service Pack 3.
So it was like this:
1. 1st scan: ~2 hours, was slow only in the end, but crashed when it was about to save the log.
2. 2nd scan: ~1 minute to complete every folder, like Program and everything. On the first scan we were able to read what the GMER program scanned through,
but this time it scanned so fast that we didn't catch one single word .. until after 2 hours, when it started going slow on
Software\Microsoft\Windows\ShellNoRoam\bags\"xxx"\shell like I described in the previous reply :/

I'm sorry for my slow replies, but I was in school and then used the whole day I had left for scanning, which led to nothing more than the computer freezing.
Hopefully you can help me and my father when I'm back from school again later today.


#8 boopme (Global Moderator)

Posted 20 April 2010 - 10:12 AM

That's all OK, we are volunteers here so ...
We need a deeper look. Please go here....
Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
Skip GMER and include the explanation you gave here of why it won't run.
Let me know if that went well.

#9 Pajajn (Topic Starter)

Posted 20 April 2010 - 12:39 PM

Hi, yesterday I got this problem with Trojan\Renos gen!C and posted a topic, which is here: http://www.bleepingcomputer.com/forums/topic310756.html

The moderator told me to follow some steps, which I followed exactly as written!
When I disabled the CD emulator, Defogger told me to reboot, which I did.

When I started again, I couldn't get to the desktop :S explorer.exe didn't start at all; instead a system process called svchost.exe with 50% CPU started for about 10 seconds and then disappeared.
The other strange thing was that my keyboard and mouse stopped reacting to movements and keypresses (notice: just in Windows, not in the boot process of Windows).

I now seriously need help. This is not my computer, on which I was told to do the instructions; it's my father's.
And I'm begging for further help, really as fast as possible.

#10 Pajajn (Topic Starter)

Posted 21 April 2010 - 04:11 AM

Hi, my computer crashed after disabling CD emulation with Defogger, and I followed the instructions exactly as you wrote!
Then my keyboard/mouse stopped working. And I can't do anything without them :S

I reset my registry with the Recovery Console and now I am able to succeed with autologin in normal mode.
But as I wrote, I can't move anything, so I need some auto script or something.
Or any advice on how to restore the drivers for my mouse from the Recovery Console.

#11 Pajajn (Topic Starter)

Posted 21 April 2010 - 09:43 AM

Hello everyone

So this is my dad's problem.

He's got Windows XP Service Pack 3 with Internet Explorer 7
Adobe Reader 8

Yesterday his F-Secure came up with several warnings and I was told by a moderator to run Defogger, which is step 1 of 6 listed in your forum help topic.

The warnings contained first:
Trojan.Gen.3314168

Then it keeps telling:
Trojan.Downloader
W32\Renos.gen!C

And finally
Rootkit.Patched.TDSS.Gen

system32\drivers\ftdisk.sys

I disabled the CD emulation software as I was told to do, and rebooted the computer.
At the Windows XP logo screen the transmitter for the mouse and keyboard (USB connected) stopped shining,
and I wasn't able to use the mouse & keyboard anymore.

This is what I have currently done after that:

Replaced and backed up my registry, which includes the following files:
Software
System
Sam
Security
Default

Also replaced these files:
Usbhub.sys
Usbport.sys
Usbehci.sys
i8042prt.sys

Whenever I try to replace the rootkit-infected system file ftdisk.sys I get blue screens on the next startup.

Are there any ideas or solutions for this problem?

#12 Jacee (Malware Response Team)

Posted 21 April 2010 - 09:25 PM

If you can.... follow boopme's reply post to you. Don't try to do anything else, or you may not be able to get the help you need.

Also, don't post any more topics on this subject or to any other 'anti-malware' forums, because we cannot keep track of the advice given and what you've done. It just defeats our help to you.

MS MVP Windows-Security 2006-2016
Member of UNITE, the Unified Network of Instructors and Trusted Eliminators

Admin PC Pitstop


#13 Elise (Malware Study Hall Admin)

Posted 22 April 2010 - 01:41 AM

Hi Pajajn,

Please see if you can follow the steps below. I am moving this topic to the appropriate forum.

OK, this file is big. Print these instructions out so that you know what you are doing.

Two programs to download

First

ISOBurner: this will allow you to burn the OTLPE ISO to a CD and make it bootable. Just install the program; from there on it is fairly automatic. Instructions

Second
  • Download OTLPE.iso and burn it to a CD using ISOBurner. NOTE: This file is 292Mb in size, so it may take some time to download.
  • When downloaded, double-click it and this will open ISOBurner to burn the file to CD.
  • Reboot your system using the boot CD you just created.
    Note: If you do not know how to set your computer to boot from CD, follow the steps here.
  • Your system should now display a REATOGO-X-PE desktop.
  • Double-click on the OTLPE icon.
  • When asked "Do you wish to load the remote registry", select Yes.
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes.
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK.
  • OTL should now start. Change the following settings:
    • Change Drivers to Use Safelist
  • Press Run Scan to start the scan.
  • When finished, the file will be saved on drive C: as C:\OTL.txt.
  • Copy this file to your USB drive if you do not have an internet connection on this system.
  • Please post the contents of the OTL.txt file in your reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

Malware analyst @ Emsisoft


#14 Pajajn (Topic Starter)

Posted 22 April 2010 - 09:34 AM

Okay, here is the log from OTL:

OTL logfile created on: 4/22/2010 5:23:46 PM - Run
OTLPE by OldTimer - Version 3.1.37.2 Folder = X:\Programs\OTLPE
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600) - Type = SYSTEM
Internet Explorer (Version = 6.0.2900.2180)
Locale: 0000041D | Country: Sverige | Language: SVE | Date Format: yyyy-MM-dd

1,022.00 Mb Total Physical Memory | 856.00 Mb Available Physical Memory | 84.00% Memory free
906.00 Mb Paging File | 850.00 Mb Available in Paging File | 94.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program
Drive C: | 149.00 Gb Total Space | 45.10 Gb Free Space | 30.27% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive X: | 276.80 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: REATOGO
Current User Name: SYSTEM
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard
Using ControlSet: ControlSet001

========== Win32 Services (SafeList) ==========


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)
DRV - File not found [Kernel | System] -- -- (PCIDump)
DRV - File not found [Kernel | System] -- -- (lbrtfdc)
DRV - File not found [Kernel | System] -- -- (i2omgmt)
DRV - File not found [Kernel | System] -- -- (Changer)
DRV - [2010/04/20 16:32:20 | 000,125,696 | ---- | M] () [Kernel | Boot] -- C:\WINDOWS\system32\drivers\ftdisk.sys -- (Ftdisk)
DRV - [2010/04/20 12:32:31 | 000,006,656 | ---- | M] () [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\usbuhci.sys -- (usbuhci)
DRV - [2010/04/20 12:32:31 | 000,006,656 | ---- | M] () [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ndproxy.sys -- (NDProxy)
DRV - [2010/04/20 12:32:31 | 000,006,656 | ---- | M] () [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ndiswan.sys -- (NdisWan)
DRV - [2010/04/20 12:32:31 | 000,006,656 | ---- | M] () [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mouhid.sys -- (mouhid)
DRV - [2010/04/20 12:32:31 | 000,006,656 | ---- | M] () [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\modem.sys -- (Modem)
DRV - [2010/04/20 12:32:31 | 000,006,656 | ---- | M] () [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\irenum.sys -- (IRENUM)
DRV - [2010/04/20 12:32:31 | 000,006,656 | ---- | M] () [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ipinip.sys -- (IpInIp)
DRV - [2010/04/20 12:32:31 | 000,006,656 | ---- | M] () [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ipfltdrv.sys -- (IpFilterDriver)
DRV - [2010/04/20 12:32:31 | 000,006,656 | ---- | M] () [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ip6fw.sys -- (Ip6Fw)
DRV - [2010/04/20 12:32:31 | 000,006,656 | ---- | M] () [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\audstub.sys -- (audstub)
DRV - [2010/04/20 12:32:31 | 000,006,656 | ---- | M] () [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\asyncmac.sys -- (AsyncMac)
DRV - [2008/04/13 14:45:37 | 000,059,520 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\usbhub.old -- (usbhub)
DRV - [2008/04/13 14:45:35 | 000,030,208 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\USBEHCI.old -- (usbehci)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
O1 HOSTS File: ([2010/04/17 12:15:04 | 000,000,686 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\HOSTS
O1 - Hosts: 127.0.0.1 localhost
O4 - Startup: C:\Documents and Settings\All Users\Start-meny\Program\Autostart\Status Monitor.lnk = C:\Program\Brother\Brmfcmon\BrMfcWnd.exe (Brother Industries, Ltd.)
O4 - Startup: C:\Documents and Settings\Thomas\Start-meny\Program\Autostart\Adobe Gamma.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\Ägaren_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\LocalService.NT_INSTANS_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\NetworkService.NT_INSTANS_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop Components:0 (Min aktuella startsida) - About:Home
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Sommar.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Sommar.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/02/25 14:25:39 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/04/20 16:45:27 | 000,000,000 | ---D | C] -- C:\WINDOWS\tmp
[2010/04/20 16:22:23 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\NetworkService.NT INSTANS\IETldCache
[2010/04/20 16:09:12 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Ägaren\Mina dokument\Mina bilder
[2010/04/20 16:09:12 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Ägaren\Mina dokument\Min musik
[2010/04/20 16:08:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ägaren\Application Data\Identities
[2010/04/20 16:08:27 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Ägaren\IETldCache
[2010/04/20 16:08:27 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Ägaren\Cookies
[2010/04/20 16:08:25 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\LocalService.NT INSTANS\Cookies
[2010/04/20 16:08:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService.NT INSTANS\Lokala inställningar\Application Data\Microsoft
[2010/04/20 16:08:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ägaren\Application Data\Macromedia
[2010/04/20 16:08:16 | 000,000,000 | --SD | C] -- C:\Documents and Settings\LocalService.NT INSTANS\Application Data\Microsoft
[2010/04/20 16:08:16 | 000,000,000 | --SD | C] -- C:\Documents and Settings\Ägaren\Application Data\Microsoft
[2010/04/20 16:08:16 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Ägaren\SendTo
[2010/04/20 16:08:16 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Ägaren\Recent
[2010/04/20 16:08:16 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Ägaren\Application Data
[2010/04/20 16:08:16 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Ägaren\Start-meny
[2010/04/20 16:08:16 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Ägaren\Mina dokument
[2010/04/20 16:08:16 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Ägaren\Favoriter
[2010/04/20 16:08:16 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Ägaren\Skrivare
[2010/04/20 16:08:16 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Ägaren\Nätverket
[2010/04/20 16:08:16 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Ägaren\Mallar
[2010/04/20 16:08:16 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\LocalService.NT INSTANS\Lokala inställningar
[2010/04/20 16:08:16 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Ägaren\Lokala inställningar
[2010/04/20 16:08:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ägaren\Skrivbord
[2010/04/20 16:08:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ägaren\Lokala inställningar\Application Data\Microsoft
[2010/04/20 16:08:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService.NT INSTANS\Application Data
[2010/04/20 15:59:39 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\NetworkService.NT INSTANS\Cookies
[2010/04/20 15:59:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService.NT INSTANS\Lokala inställningar\Application Data\Microsoft
[2010/04/20 15:59:21 | 000,000,000 | --SD | C] -- C:\Documents and Settings\NetworkService.NT INSTANS\Application Data\Microsoft
[2010/04/20 15:59:21 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\NetworkService.NT INSTANS\Lokala inställningar
[2010/04/20 15:59:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService.NT INSTANS\Application Data
[2010/04/20 12:16:57 | 000,000,000 | ---D | C] -- C:\Program\Microsoft Common
[2010/04/18 09:37:41 | 000,000,000 | ---D | C] -- C:\Program\SUPERAntiSpyware
[2010/04/18 09:37:21 | 000,000,000 | ---D | C] -- C:\Program\Delade filer\Wise Installation Wizard
[2010/04/18 08:05:46 | 000,000,000 | ---D | C] -- C:\Program\Sophos
[2010/04/17 17:24:29 | 000,000,000 | ---D | C] -- C:\Program\ESET
[2010/04/17 16:50:08 | 000,000,000 | ---D | C] -- C:\Program Files
[2010/04/17 13:36:28 | 000,000,000 | ---D | C] -- C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia
[2010/04/17 13:36:25 | 000,000,000 | -HSD | C] -- C:\WINDOWS\system32\config\systemprofile\IETldCache
[2010/04/17 13:36:22 | 000,000,000 | ---D | C] -- C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe
[2010/04/17 13:36:13 | 000,000,000 | -HSD | C] -- C:\WINDOWS\system32\config\systemprofile\PrivacIE
[2010/04/17 13:35:40 | 000,000,000 | -HSD | C] -- C:\WINDOWS\system32\config\systemprofile\Cookies
[2010/04/17 12:17:08 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/04/17 09:46:59 | 000,028,552 | ---- | C] (Panda Security, S.L.) -- C:\WINDOWS\System32\drivers\pavboot.sys
[2010/04/17 09:46:39 | 000,000,000 | ---D | C] -- C:\Program\Panda Security
[2010/04/17 09:13:51 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/04/17 09:13:51 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/04/17 09:13:51 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/04/17 09:13:51 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/04/17 09:13:21 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/04/17 09:11:23 | 000,000,000 | ---D | C] -- C:\Karantän filer Spara
[2010/04/16 15:56:25 | 000,578,560 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\user32.dll
[2010/04/16 15:46:29 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERUNT
[2010/04/16 15:43:08 | 000,000,000 | ---D | C] -- C:\SDFix
[2010/04/16 13:41:10 | 000,293,376 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\browserchoice.exe
[2010/03/31 12:38:08 | 000,000,000 | ---D | C] -- C:\Program\Microsoft Silverlight
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/04/22 17:23:12 | 000,524,288 | -H-- | M] () -- C:\Documents and Settings\Ägaren\NTUSER.DAT
[2010/04/21 15:35:01 | 000,262,144 | -H-- | M] () -- C:\Documents and Settings\NetworkService.NT INSTANS\NTUSER.DAT
[2010/04/21 15:35:01 | 000,262,144 | -H-- | M] () -- C:\Documents and Settings\LocalService.NT INSTANS\NTUSER.DAT
[2010/04/21 15:35:00 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/04/21 15:34:59 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/04/21 15:34:57 | 000,000,192 | -HS- | M] () -- C:\Documents and Settings\Ägaren\ntuser.ini
[2010/04/21 15:34:39 | 000,000,922 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/04/20 16:38:47 | 003,775,066 | -H-- | M] () -- C:\Documents and Settings\Ägaren\Lokala inställningar\Application Data\IconCache.db
[2010/04/20 16:32:20 | 000,125,696 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ftdisk.sys
[2010/04/20 16:32:20 | 000,125,696 | ---- | M] () -- C:\WINDOWS\System32\drivers\ftdisk.sys
[2010/04/20 16:27:00 | 000,000,916 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2010/04/20 16:10:25 | 000,393,330 | ---- | M] () -- C:\WINDOWS\System32\perfh01D.dat
[2010/04/20 16:10:25 | 000,390,252 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/04/20 16:10:25 | 000,066,672 | ---- | M] () -- C:\WINDOWS\System32\perfc01D.dat
[2010/04/20 16:10:25 | 000,056,708 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/04/20 16:10:00 | 000,000,926 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/04/20 16:08:40 | 000,000,717 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/04/20 16:08:19 | 000,000,020 | -HS- | M] () -- C:\Documents and Settings\LocalService.NT INSTANS\ntuser.ini
[2010/04/20 15:59:24 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/04/20 15:59:22 | 000,000,020 | -HS- | M] () -- C:\Documents and Settings\NetworkService.NT INSTANS\ntuser.ini
[2010/04/20 15:59:05 | 000,093,480 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/04/20 12:32:31 | 000,006,656 | ---- | M] () -- C:\WINDOWS\System32\drivers\usbuhci.sys
[2010/04/20 12:32:31 | 000,006,656 | ---- | M] () -- C:\WINDOWS\System32\drivers\nv4_mini.sys
[2010/04/20 12:32:31 | 000,006,656 | ---- | M] () -- C:\WINDOWS\System32\drivers\ndproxy.sys
[2010/04/20 12:32:31 | 000,006,656 | ---- | M] () -- C:\WINDOWS\System32\drivers\ndiswan.sys
[2010/04/20 12:32:31 | 000,006,656 | ---- | M] () -- C:\WINDOWS\System32\drivers\mspqm.sys
[2010/04/20 12:32:31 | 000,006,656 | ---- | M] () -- C:\WINDOWS\System32\drivers\mskssrv.sys
[2010/04/20 12:32:31 | 000,006,656 | ---- | M] () -- C:\WINDOWS\System32\drivers\mouhid.sys
[2010/04/20 12:32:31 | 000,006,656 | ---- | M] () -- C:\WINDOWS\System32\drivers\modem.sys
[2010/04/20 12:32:31 | 000,006,656 | ---- | M] () -- C:\WINDOWS\System32\drivers\irenum.sys
[2010/04/20 12:32:31 | 000,006,656 | ---- | M] () -- C:\WINDOWS\System32\drivers\ipinip.sys
[2010/04/20 12:32:31 | 000,006,656 | ---- | M] () -- C:\WINDOWS\System32\drivers\ipfltdrv.sys
[2010/04/20 12:32:31 | 000,006,656 | ---- | M] () -- C:\WINDOWS\System32\drivers\ip6fw.sys
[2010/04/20 12:32:31 | 000,006,656 | ---- | M] () -- C:\WINDOWS\System32\drivers\audstub.sys
[2010/04/20 12:32:31 | 000,006,656 | ---- | M] () -- C:\WINDOWS\System32\drivers\asyncmac.sys
[2010/04/20 01:59:13 | 000,000,552 | ---- | M] () -- C:\WINDOWS\tasks\Scheduled scanning task.job
[2010/04/18 14:51:30 | 000,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010/04/17 12:15:10 | 000,001,286 | ---- | M] () -- C:\WINDOWS\System32\tmp.reg
[2010/04/17 12:15:04 | 000,000,686 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\HOSTS
[2010/04/17 09:35:24 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/04/17 09:09:44 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2010/04/16 17:55:08 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/04/16 15:56:25 | 000,578,560 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\user32.dll
[2010/03/29 18:46:30 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/03/29 18:45:52 | 000,020,824 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/03/28 06:01:28 | 000,917,770 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/04/20 16:08:20 | 000,000,192 | -HS- | C] () -- C:\Documents and Settings\Ägaren\ntuser.ini
[2010/04/20 16:08:19 | 000,000,020 | -HS- | C] () -- C:\Documents and Settings\LocalService.NT INSTANS\ntuser.ini
[2010/04/20 16:08:16 | 000,106,496 | -H-- | C] () -- C:\Documents and Settings\Ägaren\Ntuser.dat.LOG
[2010/04/20 16:08:16 | 000,008,192 | -H-- | C] () -- C:\Documents and Settings\LocalService.NT INSTANS\Ntuser.dat.LOG
[2010/04/20 16:08:15 | 000,524,288 | -H-- | C] () -- C:\Documents and Settings\Ägaren\NTUSER.DAT
[2010/04/20 16:08:15 | 000,262,144 | -H-- | C] () -- C:\Documents and Settings\LocalService.NT INSTANS\NTUSER.DAT
[2010/04/20 15:59:22 | 000,000,020 | -HS- | C] () -- C:\Documents and Settings\NetworkService.NT INSTANS\ntuser.ini
[2010/04/20 15:59:21 | 000,008,192 | -H-- | C] () -- C:\Documents and Settings\NetworkService.NT INSTANS\Ntuser.dat.LOG
[2010/04/20 15:59:20 | 000,262,144 | -H-- | C] () -- C:\Documents and Settings\NetworkService.NT INSTANS\NTUSER.DAT
[2010/04/17 12:09:53 | 000,001,286 | ---- | C] () -- C:\WINDOWS\System32\tmp.reg
[2010/04/17 09:13:51 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/04/17 09:13:51 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/04/17 09:13:51 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/04/17 09:13:51 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/04/17 09:13:51 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009/11/09 14:42:35 | 000,000,431 | ---- | C] () -- C:\WINDOWS\BRWMARK.INI
[2009/11/09 14:42:35 | 000,000,027 | ---- | C] () -- C:\WINDOWS\BRPP2KA.INI
[2009/11/09 14:36:09 | 000,031,326 | ---- | C] () -- C:\WINDOWS\maxlink.ini
[2009/05/28 05:13:53 | 000,033,920 | ---- | C] () -- C:\WINDOWS\System32\drivers\fsbts.sys
[2009/02/02 16:25:35 | 000,000,112 | ---- | C] () -- C:\WINDOWS\ActiveSkin.INI
[2008/10/27 08:12:13 | 000,000,157 | ---- | C] () -- C:\WINDOWS\lmps.INI
[2008/08/18 14:56:59 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2008/04/12 06:42:49 | 000,056,832 | ---- | C] () -- C:\WINDOWS\System32\Iyvu9_32.dll
[2008/03/26 13:06:11 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2008/02/25 15:18:43 | 000,006,656 | ---- | C] () -- C:\WINDOWS\System32\drivers\audstub.sys
[2008/02/25 15:16:08 | 000,006,656 | ---- | C] () -- C:\WINDOWS\System32\drivers\irenum.sys
[2008/02/25 14:35:29 | 000,006,656 | ---- | C] () -- C:\WINDOWS\System32\drivers\mskssrv.sys
[2008/02/25 14:35:27 | 000,006,656 | ---- | C] () -- C:\WINDOWS\System32\drivers\mspqm.sys
[2007/12/04 20:41:00 | 001,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2007/12/04 20:41:00 | 001,474,560 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2007/12/04 20:41:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2007/12/04 20:41:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2007/12/04 20:41:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2007/12/04 20:41:00 | 000,006,656 | ---- | C] () -- C:\WINDOWS\System32\drivers\nv4_mini.sys
[2004/08/04 08:00:00 | 000,125,696 | ---- | C] () -- C:\WINDOWS\System32\drivers\ftdisk.sys
[2004/08/04 08:00:00 | 000,006,656 | ---- | C] () -- C:\WINDOWS\System32\drivers\usbuhci.sys
[2004/08/04 08:00:00 | 000,006,656 | ---- | C] () -- C:\WINDOWS\System32\drivers\ndproxy.sys
[2004/08/04 08:00:00 | 000,006,656 | ---- | C] () -- C:\WINDOWS\System32\drivers\ndiswan.sys
[2004/08/04 08:00:00 | 000,006,656 | ---- | C] () -- C:\WINDOWS\System32\drivers\ipinip.sys
[2004/08/04 08:00:00 | 000,006,656 | ---- | C] () -- C:\WINDOWS\System32\drivers\ipfltdrv.sys
[2004/08/04 08:00:00 | 000,006,656 | ---- | C] () -- C:\WINDOWS\System32\drivers\ip6fw.sys
[2004/08/04 08:00:00 | 000,006,656 | ---- | C] () -- C:\WINDOWS\System32\drivers\asyncmac.sys
[2004/08/03 21:06:26 | 000,006,656 | ---- | C] () -- C:\WINDOWS\System32\drivers\modem.sys
[2001/09/06 15:55:28 | 000,006,656 | ---- | C] () -- C:\WINDOWS\System32\drivers\mouhid.sys

========== LOP Check ==========

[2010/04/20 01:59:13 | 000,000,552 | ---- | M] () -- C:\WINDOWS\Tasks\Scheduled scanning task.job

========== Purity Check ==========


< End of report >


#15 Elise (Malware Study Hall Admin)

Posted 22 April 2010 - 10:09 AM

Hello again, let's see if we can first get rid of that rootkit once and for all.

Rerun OTLPE, copy/paste the text in the codebox below into the "run scan/fix" field, click None and click Run Scan.

CODE
/md5start
ftdisk.sys
/md5stop

Post me the resulting log (it will be a shorter one).

regards, Elise


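Added example, not OTL's or the forum's own code: a small Python triage script for OTL entries like the ones in the log posted above. It flags the three things Elise's md5 check is about to confirm for ftdisk.sys: a system32 driver whose company field is empty, a dllcache copy of the same file that still reports Microsoft Corporation, and a block of drivers that share one modification second and one size. The sample lines are copied from the log above; the regex and the function names are my own assumptions about OTL's line format.

```python
import re
from collections import defaultdict

# Sample entries, copied from the OTL log posted above (not a full log).
SAMPLE_LOG = r"""
DRV - [2010/04/20 16:32:20 | 000,125,696 | ---- | M] () [Kernel | Boot] -- C:\WINDOWS\system32\drivers\ftdisk.sys -- (Ftdisk)
DRV - [2010/04/20 12:32:31 | 000,006,656 | ---- | M] () [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\usbuhci.sys -- (usbuhci)
DRV - [2010/04/20 12:32:31 | 000,006,656 | ---- | M] () [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ndproxy.sys -- (NDProxy)
DRV - [2010/04/20 12:32:31 | 000,006,656 | ---- | M] () [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mouhid.sys -- (mouhid)
DRV - [2008/04/13 14:45:37 | 000,059,520 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\usbhub.old -- (usbhub)
[2010/04/20 16:32:20 | 000,125,696 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ftdisk.sys
[2010/04/16 15:56:25 | 000,578,560 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\user32.dll
[2010/03/29 18:45:52 | 000,020,824 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
DRV - File not found [Kernel | On_Demand] -- -- (WDICA)
"""

# One OTL entry, in either of the two shapes seen in the log (assumed format):
#   DRV - [ts | size | attrs | M] (Company) [Kernel | Boot] -- path -- (Service)
#         [ts | size | attrs | M] (Company) -- path
OTL_ENTRY = re.compile(
    r"^(?:DRV - )?"
    r"\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>\S{4}) \| (?P<flag>[MC])\] "
    r"\((?P<company>[^)]*)\)"
    r"(?: \[[^\]]*\])?"
    r" -- (?P<path>.+?)"
    r"(?: -- \((?P<service>[^)]*)\))?$"
)


def parse_otl_log(text):
    """Return a dict per line that is a file/driver entry.
    Lines such as 'DRV - File not found ...' carry no path and are skipped."""
    entries = []
    for line in text.splitlines():
        m = OTL_ENTRY.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["size"] = int(e["size"].replace(",", ""))
        e["company"] = e["company"].strip()
        e["name"] = e["path"].rsplit("\\", 1)[-1].lower()
        entries.append(e)
    return entries


def find_unversioned_system_files(entries):
    """Entries under system32 whose company field is empty. Genuine Microsoft
    binaries carry a version resource; a patched driver can keep its original
    size while losing that resource, so size alone proves nothing."""
    return [e for e in entries
            if e["company"] == "" and "\\windows\\system32\\" in e["path"].lower()]


def find_timestamp_clusters(entries, min_count=3):
    """Group entries by (modification timestamp, size); return groups with at
    least min_count members. Unrelated drivers sharing one second and one
    size means something rewrote them together and deserves a look."""
    groups = defaultdict(list)
    for e in entries:
        groups[(e["ts"], e["size"])].append(e)
    return {k: v for k, v in groups.items() if len(v) >= min_count}


def compare_with_dllcache(entries):
    """Pair each live system32 file with its dllcache copy by file name and
    report the ones whose company field differs: {name: (live, cache)}."""
    live, cache = {}, {}
    for e in entries:
        p = e["path"].lower()
        if "\\dllcache\\" in p:
            cache[e["name"]] = e
        elif "\\system32\\" in p:
            live[e["name"]] = e
    return {n: (live[n]["company"], cache[n]["company"])
            for n in live.keys() & cache.keys()
            if live[n]["company"] != cache[n]["company"]}


if __name__ == "__main__":
    found = parse_otl_log(SAMPLE_LOG)
    for e in find_unversioned_system_files(found):
        print("no version info:", e["path"])
    for (ts, size), group in find_timestamp_clusters(found).items():
        print(f"{len(group)} files share {ts} / {size} bytes")
    for name, (live, cache) in compare_with_dllcache(found).items():
        print(f"{name}: live '{live}' vs dllcache '{cache}'")
```

A mismatch between the live file and its dllcache copy only says the two differ; the md5 run Elise asks for is what ties the live file to a known-good hash.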