Infected with Digital Security - Trojan

This topic is locked
14 replies to this topic

#1 CaseyJones79

  • Members
  • 12 posts

Posted 09 May 2010 - 03:20 PM

I am running Windows XP Pro on my HP Pavilion Slimline s7310n PC.

I was infected with the Digital Security Trojan(Virus?) by an infected thumb drive on May 1, 2010.

At first, I was getting all the warnings and pop-ups, etc...and having problems accessing the task manager, but found a few other "removal guides" before this one that showed me how to boot in Safe Mode w/ Networking. I have also deleted some of the files manually, but only SOME of the files listed to remove in the other guide were found. I am no longer using other resources in order to attempt to resolve this issue.

I no longer have the pop-ups and warning messages.

I can access the task manager now. (None of the digprot.exe etc were found once I finally gained access).

Tried MBAM and AVG Free several times, tried both in Safe Mode w/ Networking, Uninstalled, re-DL'd and changed the names of the exe files just to be on the safe side. Both programs seemed to pick up a crap load of infected items...I'd clean the infected items and then reboot (tried this in Safe Mode w/ Networking and just regular reboot just to see if it made a difference). There still seems to be a few related items that show up upon reboot and scanning again.

I have uninstalled (via the Control Panel) AVG Free and all other Anti-virus programs that I could find on my Add/Remove list. The only other Anti- program (other than the ones listed in your Preparation Guide) I have installed (to my knowledge) is MBAM.

I have completed all of the steps in the Preparation Guide.

I am currently running in Safe Mode with Networking.

DDS (Ver_10-03-17.01) - NTFSx86 NETWORK
Run by Pearcy at 12:42:51.32 on Sun 05/09/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.284 [GMT -5:00]

AV: Digital Protection *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
svchost.exe
C:\Documents and Settings\Pearcy\Desktop\DeeDeeEss.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://att.net/
uSearch Page = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uDefault_Page_URL = hxxp://att.net
uWindow Title = Windows Internet Explorer provided by Yahoo!
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Easy Dock] c:\documents and settings\pearcy\my documents\rca easyrip\EZDock.exe
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockwave 11\SwHelper_1151601.exe -Update -1151601 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322; yie8)" -"http://www.primarygames.com/arcade/sports/sewerrun/gamecode.htm"
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [Easy Dock]
mRun: [rysjudvah] c:\windows\system32\rysjudvah.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRun: [mcexecwin] rundll32.exe c:\windows\temp\f23i3qh0.dll, RestoreWindows
dRun: [hsf87sdhfush87fsufhuie3fddf] c:\windows\temp\o2v16xah1c.exe
dRun: [hsf87efjhdsf87f3jfsdi7fhsujfd] c:\windows\temp\cmd.exe
dRun: [apmanager.exe] c:\documents and settings\pearcy\application data\armanager\apmanager.exe silent
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: &Search
IE: Add to AMV/AVI Video Converter... - c:\program files\media player utilities 4.27\amvconverter\grab.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} - c:\program files\yahoo!\common\yucconfig.dll
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: GootkitSSO - {C700C098-9997-42B3-9C26-792CF9618D6F} - c:\windows\system32\msxsltsso.dll
LSA: Authentication Packages = msv1_0 nwprovau
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\pearcy\applic~1\mozilla\firefox\profiles\88pir8ez.default\
FF - plugin: c:\documents and settings\pearcy\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

S1 mferkdk;VSCore mferkdk;\??\c:\program files\mcafee\virusscan enterprise\mferkdk.sys --> c:\program files\mcafee\virusscan enterprise\mferkdk.sys [?]
S2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2008-10-27 104000]
S2 WinAcPci;WinAcPci;c:\windows\system32\drivers\winacpci.sys [2008-10-22 770496]
S3 CSQ200;CSQ driver;c:\windows\system32\drivers\CSQ200.sys [2009-11-24 18816]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;"c:\program files\google\google desktop search\googledesktop.exe" --> c:\program files\google\google desktop search\GoogleDesktop.exe [?]
S4 hqcwbgcl;hqcwbgcl;c:\windows\system32\drivers\rtnq.sys [2010-5-2 54016]
S4 ojbrwuky;ojbrwuky;c:\windows\system32\drivers\kxlm.sys [2010-5-2 54016]
S4 pphvmpx;pphvmpx;c:\windows\system32\drivers\tbyjsqn.sys [2010-5-3 54016]
S4 srybt;srybt;c:\windows\system32\drivers\rekpct.sys [2010-5-2 54016]
S4 wqabooag;wqabooag; [x]
S4 xedov;xedov;c:\windows\system32\drivers\uhtmt.sys [2010-5-2 54016]

=============== Created Last 30 ================

2010-05-09 17:40:47 0 ----a-w- c:\documents and settings\pearcy\defogger_reenable
2010-05-09 17:22:52 42496 ----a-w- c:\windows\system32\msxsltsso.dll
2010-05-09 14:36:58 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-09 14:36:57 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-08 21:06:14 0 d-----w- c:\program files\AVG
2010-05-07 02:18:08 0 d-----w- c:\windows\pss
2010-05-03 21:11:45 578560 ----a-w- c:\windows\system32\emfaoz
2010-05-03 12:47:50 54016 ----a-w- c:\windows\system32\drivers\tbyjsqn.sys
2010-05-03 04:22:26 54016 ----a-w- c:\windows\system32\drivers\uhtmt.sys
2010-05-03 00:59:32 54016 ----a-w- c:\windows\system32\drivers\rtnq.sys
2010-05-02 21:25:20 54016 ----a-w- c:\windows\system32\drivers\rekpct.sys
2010-05-02 21:07:03 54016 ----a-w- c:\windows\system32\drivers\kxlm.sys
2010-05-02 14:38:52 0 d-----w- c:\docume~1\pearcy\applic~1\Malwarebytes
2010-05-02 14:37:01 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-05-02 14:36:58 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-02 14:15:19 0 d-----w- c:\program files\Trend Micro
2010-05-02 13:21:27 578560 ----a-w- c:\windows\system32\tyssmrj
2010-05-02 13:17:30 38 ----a-w- c:\windows\system32\online_{954548a1-eeed-4bfa-aeb6-2e11801330e2}
2010-05-02 13:17:29 38 ----a-w- c:\documents and settings\pearcy\online_{954548a1-eeed-4bfa-aeb6-2e11801330e2}
2010-05-02 13:17:17 38 ----a-w- c:\windows\system32\{954548a1-eeed-4bfa-aeb6-2e11801330e2}
2010-05-02 13:17:17 38 ----a-w- c:\documents and settings\pearcy\{954548a1-eeed-4bfa-aeb6-2e11801330e2}
2010-05-01 17:28:31 147 ----a-w- c:\windows\system32\PRAGMAsrcr.dat
2010-05-01 17:21:59 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll
2010-05-01 17:21:58 210816 -c--a-w- c:\windows\system32\dllcache\ndis.sys
2010-04-22 14:35:59 1656 ----a-w- c:\documents and settings\pearcy\.recently-used.xbel
2010-04-21 12:49:17 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-20 19:21:49 0 d-----w- c:\docume~1\pearcy\applic~1\Office Genuine Advantage

==================== Find3M ====================

2010-05-01 17:21:58 210816 ----a-w- c:\windows\system32\drivers\ndis.sys
2010-05-01 17:21:57 578560 ----a-w- c:\windows\system32\user32.DLL
2010-03-26 02:57:53 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2010-03-19 00:56:09 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-17 14:10:28 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25:04 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll

============= FINISH: 12:44:15.26 ===============


Thank you VERY MUCH in advance for your assistance!

--Casey

Edited by CaseyJones79, 10 May 2010 - 08:00 AM.


#2 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 11 May 2010 - 09:53 AM

Hello and Welcome to Bleepingcomputer

Please note we are very busy, so if I don't hear from you within 5 days the topic will be closed. If you have since resolved your issues I would appreciate it if you would let me know so I can close this topic.


Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed, click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix



#3 CaseyJones79

  • Topic Starter
  • Members
  • 12 posts

Posted 13 May 2010 - 12:05 PM

Thanks a lot for your help, syler!

As ComboFix was finishing up the scan and creating the log, I got a pop-up that was basically forcing me to install something that was labeled as HPProduct assistant...and subsequently an error message that said "The service you are attempting to access is not available. This could be due to a problem with your internet connection..." I tried to close this on the task bar and by clicking the red X, they just kept coming (about 6 times) before they stopped popping up...don't know how crucial or necessary that info is, if it successfully installed, why it was there, what it was, or why it stopped popping up. Just wanted to let you know just in case.

ComboFix 10-05-13.01 - Pearcy 05/13/2010 11:42:04.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.287 [GMT -5:00]
Running from: c:\documents and settings\Pearcy\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\LocalService\Local Settings\Application Data\Windows Server
c:\documents and settings\NetworkService\Local Settings\Application Data\Windows Server
c:\documents and settings\Pearcy\Local Settings\Application Data\Windows Server
c:\documents and settings\Pearcy\Local Settings\Application Data\Windows Server\flags.ini
c:\documents and settings\Pearcy\Local Settings\Application Data\Windows Server\uses32.dat
C:\feed.txt
c:\windows\system32\drivers\kxlm.sys
c:\windows\system32\drivers\rekpct.sys
c:\windows\system32\drivers\rtnq.sys
c:\windows\system32\drivers\tbyjsqn.sys
c:\windows\system32\drivers\uhtmt.sys
c:\windows\system32\hkcmd .exe
c:\windows\system32\igfxpers .exe
c:\windows\system32\igfxtray .exe
c:\windows\system32\msxsltsso.dll
c:\windows\system32\PRAGMAsrcr.dat
c:\windows\system32\rundll32 .exe
c:\windows\system32\Temp
c:\windows\system32\winstartup.log
H:\Autorun.inf
I:\autorun.inf

Infected copy of c:\windows\system32\drivers\atapi.sys was found and disinfected
Restored copy from - Kitty had a snack :p
c:\windows\system32\drivers\ndis.sys . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ND
-------\Legacy_hqcwbgcl
-------\Legacy_ojbrwuky
-------\Legacy_pphvmpx
-------\Legacy_srybt
-------\Legacy_xedov
-------\Service_hqcwbgcl
-------\Service_ojbrwuky
-------\Service_pphvmpx
-------\Service_srybt
-------\Service_xedov


((((((((((((((((((((((((( Files Created from 2010-04-13 to 2010-05-13 )))))))))))))))))))))))))))))))
.

2010-05-09 14:36 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-09 14:36 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-08 21:06 . 2010-05-08 21:06 -------- d-----w- c:\program files\AVG
2010-05-03 15:20 . 2010-05-03 15:20 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-05-03 15:20 . 2010-05-03 15:20 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-05-03 15:20 . 2010-05-03 15:20 -------- d-----w- c:\documents and settings\LocalService\Application Data\Yahoo!
2010-05-03 15:20 . 2010-05-03 15:20 -------- d-----w- c:\documents and settings\LocalService\Application Data\ATTTOOLBAR
2010-05-03 15:19 . 2010-05-08 14:39 -------- d-----w- c:\documents and settings\Pearcy\Local Settings\Application Data\xbeqxyntk
2010-05-03 15:18 . 2010-05-03 15:18 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-05-02 18:53 . 2010-05-02 18:53 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2010-05-02 18:52 . 2010-05-02 18:52 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Yahoo!
2010-05-02 18:52 . 2010-05-03 15:17 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\ATTTOOLBAR
2010-05-02 14:38 . 2010-05-02 14:38 -------- d-----w- c:\documents and settings\Pearcy\Application Data\Malwarebytes
2010-05-02 14:37 . 2010-05-02 14:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-02 14:36 . 2010-05-09 14:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-02 14:15 . 2010-05-02 14:15 -------- d-----w- c:\program files\Trend Micro
2010-05-01 17:21 . 2010-05-13 16:49 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll
2010-05-01 17:21 . 2010-05-01 17:21 210816 -c--a-w- c:\windows\system32\dllcache\ndis.sys
2010-04-21 12:49 . 2010-04-21 12:49 -------- d-----w- c:\program files\Common Files\Java
2010-04-21 12:49 . 2010-04-12 22:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-20 19:22 . 2010-04-20 19:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-04-20 19:21 . 2010-04-20 19:21 -------- d-----w- c:\documents and settings\Pearcy\Application Data\Office Genuine Advantage

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-13 16:49 . 2004-08-04 05:56 578560 ----a-w- c:\windows\system32\user32.dll
2010-05-09 14:13 . 2008-10-30 01:07 -------- d-----w- c:\program files\InstallShield Installation Information
2010-05-09 14:10 . 2008-11-07 04:14 -------- d-----w- c:\program files\ATTToolbar
2010-05-08 22:03 . 2009-06-24 02:08 -------- d-----w- c:\program files\iTunes
2010-05-08 21:38 . 2009-06-24 02:05 -------- d-----w- c:\program files\QuickTime
2010-05-02 18:53 . 2008-10-30 01:08 -------- d-----w- c:\program files\Google
2010-05-02 14:10 . 2008-10-27 18:59 -------- d-----w- c:\program files\McAfee
2010-05-02 14:10 . 2008-10-27 18:59 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-05-01 20:33 . 2008-12-19 01:41 -------- d-----w- c:\program files\Common Files\Adobe
2010-05-01 20:10 . 2010-02-08 18:33 -------- d-----w- c:\program files\Common Files\Akamai
2010-05-01 20:10 . 2010-03-21 15:39 -------- d-----w- c:\program files\NirSoft
2010-05-01 17:21 . 2004-08-04 04:14 210816 ----a-w- c:\windows\system32\drivers\ndis.sys
2010-04-22 14:36 . 2009-05-31 14:42 -------- d-----w- c:\documents and settings\Pearcy\Application Data\gtk-2.0
2010-04-21 12:49 . 2010-04-21 12:49 503808 ----a-w- c:\documents and settings\Pearcy\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4ff0fdcd-n\msvcp71.dll
2010-04-21 12:49 . 2010-04-21 12:49 499712 ----a-w- c:\documents and settings\Pearcy\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4ff0fdcd-n\jmc.dll
2010-04-21 12:49 . 2010-04-21 12:49 348160 ----a-w- c:\documents and settings\Pearcy\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4ff0fdcd-n\msvcr71.dll
2010-04-21 12:49 . 2010-04-21 12:49 61440 ----a-w- c:\documents and settings\Pearcy\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6e74f5f0-n\decora-sse.dll
2010-04-21 12:49 . 2010-04-21 12:49 12800 ----a-w- c:\documents and settings\Pearcy\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6e74f5f0-n\decora-d3d.dll
2010-04-21 12:48 . 2008-11-27 15:02 -------- d-----w- c:\program files\Java
2010-03-26 02:57 . 2010-03-26 02:57 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2010-03-19 00:56 . 2010-03-19 00:56 766 ----a-r- c:\documents and settings\Pearcy\Application Data\Microsoft\Installer\{8B9852AF-B0B0-47B7-9BC5-89A95D77B6C9}\_6FEFF9B68218417F98F549.exe
2010-03-19 00:56 . 2010-03-19 00:56 2550 ----a-r- c:\documents and settings\Pearcy\Application Data\Microsoft\Installer\{8B9852AF-B0B0-47B7-9BC5-89A95D77B6C9}\_F415C0399FE4410351779D.exe
2010-03-19 00:56 . 2010-03-19 00:56 16262 ----a-r- c:\documents and settings\Pearcy\Application Data\Microsoft\Installer\{8B9852AF-B0B0-47B7-9BC5-89A95D77B6C9}\_1F48BFC0B3CDCF73216AEE.exe
2010-03-19 00:56 . 2010-03-19 00:56 1518 ----a-r- c:\documents and settings\Pearcy\Application Data\Microsoft\Installer\{8B9852AF-B0B0-47B7-9BC5-89A95D77B6C9}\_B192F1266B62973E3C6E8D.exe
2010-03-19 00:56 . 2010-03-19 00:56 1078 ----a-r- c:\documents and settings\Pearcy\Application Data\Microsoft\Installer\{8B9852AF-B0B0-47B7-9BC5-89A95D77B6C9}\_AD1A7C3BA8003140ADA4FB.exe
2010-03-19 00:56 . 2010-03-19 00:56 1078 ----a-r- c:\documents and settings\Pearcy\Application Data\Microsoft\Installer\{8B9852AF-B0B0-47B7-9BC5-89A95D77B6C9}\_11661914722A14137C1801.exe
2010-03-19 00:56 . 2010-03-19 00:56 10134 ----a-r- c:\documents and settings\Pearcy\Application Data\Microsoft\Installer\{8B9852AF-B0B0-47B7-9BC5-89A95D77B6C9}\_5A7FE1548DB431F2239A06.exe
2010-03-19 00:56 . 2010-03-19 00:56 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
2010-03-19 00:55 . 2010-03-19 00:55 -------- d-----w- c:\program files\Media Player Utilities 4.27
2010-03-10 15:00 . 2010-03-10 15:00 50354 ----a-w- c:\documents and settings\Pearcy\Application Data\Facebook\uninstall.exe
2010-03-10 06:15 . 2004-08-04 05:56 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-06 05:30 . 2010-03-06 05:30 847040 ----a-w- c:\documents and settings\Pearcy\Application Data\Facebook\axfbootloader.dll
2010-03-06 05:30 . 2010-03-06 05:30 5582848 ----a-w- c:\documents and settings\Pearcy\Application Data\Facebook\npfbplugin_1_0_3.dll
2010-02-25 06:24 . 2004-08-04 05:56 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2004-08-04 04:15 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-17 14:10 . 2004-08-04 04:20 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-03 22:59 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
.
Infected c:\windows\system32\user32.dll hex repaired

c:\program files\Adobe\Reader 9.0\Reader\reader_sl .exe
c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\applesyncnotifier .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\Google\Google Desktop Search\googledesktop .exe
c:\program files\Hp\HP Software Update\hpwuschd2 .exe
c:\program files\iTunes\ituneshelper .exe
c:\program files\Malwarebytes' Anti-Malware\explorer .exe
c:\program files\McAfee\Common Framework\udaterui .exe
c:\program files\QuickTime\qttask .exe
c:\program files\Yahoo!\browser\ybrwicon .exe


------- Sigcheck -------

[-] 2010-05-01 17:21 . !HASH: COULD NOT OPEN FILE !!!!! . 210816 . . [------] . . c:\windows\system32\drivers\ndis.sys
[-] 2010-05-01 17:21 . !HASH: COULD NOT OPEN FILE !!!!! . 210816 . . [------] . . c:\windows\system32\dllcache\ndis.sys
[-] 2008-04-14 05:50 . !HASH: COULD NOT OPEN FILE !!!!! . 182656 . . [------] . . c:\windows\ServicePackFiles\i386\ndis.sys
[-] 2008-04-13 19:20 . !HASH: COULD NOT OPEN FILE !!!!! . 182656 . . [------] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ndis.sys
[-] 2004-08-04 04:14 . !HASH: COULD NOT OPEN FILE !!!!! . 182912 . . [------] . . c:\windows\$NtServicePackUninstall$\ndis.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Easy Dock"="c:\documents and settings\Pearcy\My Documents\RCA easyRip\EZDock.exe" [N/A]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1151601.exe" [2009-07-31 468408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2008-06-18 77824]
"AlcWzrd"="ALCWZRD.EXE" [2008-06-19 2808832]
"Easy Dock"="" [N/A]
"rysjudvah"="c:\windows\System32\rysjudvah.exe" [N/A]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"apmanager.exe"="c:\documents and settings\Pearcy\Application Data\ARManager\apmanager.exe" [N/A]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\Hp\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=rpdll32.dll
"mixer"=rpdll32.dll
"wave1"=rpdll32.dll
"MIDI1"=rpdll32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^Pearcy^Start Menu^Programs^Startup^RCA Detective.lnk]
path=c:\documents and settings\Pearcy\Start Menu\Programs\Startup\RCA Detective.lnk
backup=c:\windows\pss\RCA Detective.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Digital Protection]
c:\program files\Digital Protection\digprot.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
c:\program files\iTunes\iTunesHelper.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Weather]
c:\program files\AWS\WeatherBug\Weather.exe [N/A]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"2098:TCP"= 2098:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface

S2 WinAcPci;WinAcPci;c:\windows\system32\drivers\winacpci.sys [10/22/2008 8:56 AM 770496]
S3 CSQ200;CSQ driver;c:\windows\system32\drivers\CSQ200.sys [11/24/2009 10:01 AM 18816]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;"c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" --> c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [?]
S4 wqabooag;wqabooag; [x]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 09:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2010-05-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://att.net/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
IE: Add to AMV/AVI Video Converter... - c:\program files\Media Player Utilities 4.27\AMVConverter\grab.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Pearcy\Application Data\Mozilla\Firefox\Profiles\88pir8ez.default\
FF - plugin: c:\documents and settings\Pearcy\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
SSODL-GootkitSSO-{44503E15-F582-4A8C-A887-AA082DD94FD5} - c:\windows\System32\msxsltsso.dll
AddRemove-Agere Systems Soft Modem - c:\windows\agrsmdel
AddRemove-CD - DVD Publishing Service - c:\documents and settings\Pearcy\Desktop\Casey's\Kunaki_CD-DVD_Publishing_Service.exe
AddRemove-RCA Detective™_is1 - c:\documents and settings\Pearcy\My Documents\RCA Detective\unins000.exe
AddRemove-RCA easyRip_is1 - c:\documents and settings\Pearcy\My Documents\RCA easyRip\unins000.exe
AddRemove-RCA Updater_is1 - c:\documents and settings\Pearcy\My Documents\RCA Updater\unins000.exe
AddRemove-WinAcPci - c:\windows\WinAcPci\setup -u



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-13 11:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe >>UNKNOWN [0x82D840E0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf85e9f28
\Driver\ACPI -> ACPI.sys @ 0xf845ccb8
\Driver\atapi -> 0x82af03b8
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579014
ParseProcedure -> ntkrnlpa.exe @ 0x80577c76
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579014
ParseProcedure -> ntkrnlpa.exe @ 0x80577c76
NDIS: Intel® PRO/100 VE Network Connection -> SendCompleteHandler -> NDIS.sys @ 0x82cdabb0
PacketIndicateHandler -> NDIS.sys @ 0x82ce7a21
SendHandler -> NDIS.sys @ 0x82cc587b
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x012A18710
malicious code @ sector 0x012A18713 !
PE file found in sector at 0x012A18729 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(704)
c:\windows\system32\WSDLL32.dll

- - - - - - - > 'lsass.exe'(764)
c:\windows\system32\WSDLL32.dll

- - - - - - - > 'explorer.exe'(4676)
c:\windows\system32\WININET.dll
c:\windows\system32\WSDLL32.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\LSI SoftModem\agrsmsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\windows\system32\HPZipm12.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\windows\system32\wscntfy.exe
c:\windows\SOUNDMAN.EXE
c:\windows\ALCWZRD.EXE
c:\windows\system32\msiexec.exe
c:\windows\system32\MsiExec.exe
.
**************************************************************************
.
Completion time: 2010-05-13 11:59:55 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-13 16:59

Pre-Run: 102,048,096,256 bytes free
Post-Run: 102,005,301,248 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 5B42A79361B39A872516DA7E0EE46A97

Edited by CaseyJones79, 13 May 2010 - 12:07 PM.


#4 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 13 May 2010 - 02:16 PM

Hi CaseyJones79,

Thanks for the info, it did help. You have a whole lot of infections there and you need to be aware of the following information.


One or more of the identified infections is a backdoor trojan/Rootkit.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you decide you want to proceed with trying to clean your machine please follow these next steps.



1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

CODE
RenV::
c:\program files\Adobe\Reader 9.0\Reader\reader_sl .exe
c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\applesyncnotifier .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\Google\Google Desktop Search\googledesktop .exe
c:\program files\Hp\HP Software Update\hpwuschd2 .exe
c:\program files\iTunes\ituneshelper .exe
c:\program files\Malwarebytes' Anti-Malware\explorer .exe
c:\program files\McAfee\Common Framework\udaterui .exe
c:\program files\QuickTime\qttask .exe
c:\program files\Yahoo!\browser\ybrwicon .exe
Folder::
c:\documents and settings\Pearcy\Local Settings\Application Data\xbeqxyntk
c:\program files\Digital Protection
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"rysjudvah"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Digital Protection]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"=""
Driver::
wqabooag


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



Please do a scan with ESET OnlineScan

Note: If you run this in a browser other than IE you will be asked to download and install esetsmartinstaller_enu.exe
  • Click the button.
  • Check
  • Click the button.
  • Accept any security warnings from your browser and allow it to install the ActiveX control.
  • Check
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push
  • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the button.
  • Push
Then please post back here with the following logs:
  • Combofix.txt
  • ESET report
Thanks

Edited by syler, 13 May 2010 - 05:58 PM.

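As an added example (PowerShell written for this page, not from the thread, from ComboFix or from its author), here is a triage pass over ComboFix-style log lines that picks out the findings syler's CFScript above acts on: the localhost proxy override, the service entry whose file is gone, the MBR rootkit warning, and DLLs loaded inside winlogon.exe and lsass.exe. The log lines it reads are constructed to mirror the ones posted earlier in the thread; the format assumptions (section header shape, the `[x]` marker) are mine.

```powershell
# Added example, not part of the thread or of ComboFix: triage of ComboFix-style log lines.
# The sample below is constructed to mirror the lines posted earlier in this thread.
$sampleLog = @'
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
S2 WinAcPci;WinAcPci;c:\windows\system32\drivers\winacpci.sys [10/22/2008 8:56 AM 770496]
S4 wqabooag;wqabooag; [x]
Warning: possible MBR rootkit infection !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
- - - - - - - > 'winlogon.exe'(704)
c:\windows\system32\WSDLL32.dll

- - - - - - - > 'lsass.exe'(764)
c:\windows\system32\WSDLL32.dll

- - - - - - - > 'explorer.exe'(4676)
c:\windows\system32\WININET.dll
'@

function Get-ComboFixFindings {
    param([string[]]$Lines)
    $findings = @()
    $currentProcess = $null
    foreach ($line in $Lines) {
        $t = $line.Trim()
        if ($t -eq '') { $currentProcess = $null; continue }

        # An IE proxy pointing at the local host is the traffic-hijack setting that rogue AV
        # installs; the CFScript above clears it with "ProxyServer"="".
        if ($t -match '^[um]Internet Settings,ProxyServer\s*=\s*(.+)$') {
            $proxy = $matches[1]
            if ($proxy -match '127\.0\.0\.1|localhost') {
                $findings += "Proxy hijack: IE proxy is $proxy (clear it unless you set up a local proxy yourself)"
            }
        }
        # Service/driver lines look like "Sx name;display;path [...]"; a trailing "[x]" means the
        # binary is gone but the registry entry survives (the driver the CFScript removes with Driver::).
        elseif ($t -match '^S[0-4]\s+([^;]+);[^;]*;\s*\[x\]$') {
            $findings += "Orphaned service/driver: $($matches[1]) has no file on disk"
        }
        elseif ($t -match 'MBR rootkit infection detected|possible MBR rootkit infection') {
            $findings += "Bootkit: $t"
        }
        # "DLLs Loaded Under Running Processes": a header names the process, the DLLs follow
        # until the next blank line.
        elseif ($t -match '^- - - - - - - > ''([^'']+)''\((\d+)\)$') {
            $currentProcess = $matches[1].ToLower()
        }
        elseif ($currentProcess -and ($currentProcess -eq 'winlogon.exe' -or $currentProcess -eq 'lsass.exe') -and $t -match '\.dll$') {
            $findings += "Review: $t is loaded inside $currentProcess (an unexpected module in these processes is a common injection sign)"
        }
    }
    return $findings
}

$lines = $sampleLog -split "`r?`n"
Get-ComboFixFindings -Lines $lines | ForEach-Object { Write-Output $_ }
```

To run it over a real log, replace `$lines` with `Get-Content C:\ComboFix.txt`; the script only reads text and changes nothing on the machine.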


#5 CaseyJones79

CaseyJones79
  • Topic Starter

  • Members
  • 12 posts

Posted 14 May 2010 - 07:09 AM

syler,

Wow!

You know what? I'm willing to let that old computer go altogether, as it is not worth the risk. I do have an external hard drive full of data that I definitely do not want to lose. What are the odds of saving that device and the data that it contains? Can you advise on this?

Thanks again!

#6 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 14 May 2010 - 04:19 PM

You should scan your external drive for malware; your data on it should be fine. You should run the following tool on another machine to turn off the autoplay feature and do some checks on your external HD, then scan the HD with a few scanners.

Download and Run FlashDisinfector
  • Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden file named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.


Please let me know if you have any other questions.

Edited by syler, 14 May 2010 - 04:20 PM.



#7 CaseyJones79

CaseyJones79
  • Topic Starter

  • Members
  • 12 posts

Posted 14 May 2010 - 05:59 PM

Thanks, syler. Sorry to be a bugaboo, but I would like to get clarification on a couple of things before I proceed...

Will my computer be completely infection free if I reformat and re-install the OS?

I got this infection from an infected USB Flash (thumb) drive...

Was it the simple act of plugging the device into my PC, or specifically that I copied files onto my PC without a proper scan that got me in this predicament? Should I avoid plugging in foreign devices altogether or would a scan from FlashDisinfector have prevented this?

I REALLY do not want to risk getting this thing on my laptop or deal with any similar issues in the future if I can avoid them.

"Knowing is half the battle." -GI Joe

Thanks!



#8 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 16 May 2010 - 01:14 PM

Hello,

QUOTE
Will my computer be completely infection free if I reformat and re-install the OS?


Yes

QUOTE
Was it the simple act of plugging the device into my PC, or specifically that I copied files onto my PC without a proper scan that got me in this predicament?


Malware that spreads via removable devices usually takes advantage of the Windows Autoplay feature, so just plugging the device in will load the malware. FlashDisinfector will disable the Autoplay feature, so when you have run FD you should be OK to plug an external in without any malware loading automatically, although there is still always a slight risk; I would make sure you give the device a good scan with a couple of scanners.




#9 CaseyJones79

CaseyJones79
  • Topic Starter

  • Members
  • 12 posts

Posted 18 May 2010 - 09:19 AM

I tried to run the FlashDisinfector exe on my new laptop (Windows 7)...it wouldn't run. I completely removed all Anti-virus, Anti-spyware, Anti-malware programs off of my machine and tried again. Same thing even after uninstall...I double-click on the FlashDisinfector exe and I get the little "working" circle on the icon like it's gonna run, but then nothing happens.

Is there another tool that I can try?


Any idea why it's not working?


Can I manually disable the Autorun feature in Windows 7 settings?

Thanks again syler, I smell a donation in your future for your great work on this!

Edited by CaseyJones79, 18 May 2010 - 09:22 AM.


#10 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 19 May 2010 - 06:18 AM

Hi,

I don't think Flash disinfector is compatible with Windows 7, however I had a look around about autorun on Win7, and it seems that Microsoft have now seen the security hole in the autorun feature and in Win7 this feature is disabled by default. Having said that, they still allow it for optical devices like CD/DVD drives, and there are some USB drives that can pose as a CD/DVD drive so you should be wary of that; you can see more information on this here.

If you have any more questions about this, then you would be best asking in the Windows 7 forum, as I don't have Win7 so I am not familiar with it.



#11 CaseyJones79

CaseyJones79
  • Topic Starter

  • Members
  • 12 posts

Posted 21 May 2010 - 07:56 AM

QUOTE(syler @ May 19 2010, 06:18 AM)
Hi,

I don't think Flash disinfector is compatible with Windows 7, however I had a look around about autorun on Win7, and it seems that Microsoft have now seen the security hole in the autorun feature and in Win7 this feature is disabled by default. Having said that, they still allow it for optical devices like CD/DVD drives, and there are some USB drives that can pose as a CD/DVD drive so you should be wary of that; you can see more information on this here.

If you have any more questions about this, then you would be best asking in the Windows 7 forum, as I don't have Win7 so I am not familiar with it.



syler,

I downloaded FlashDisinfector on my Windows Vista system. It would not run on that either, it did the same thing...just sort of looked like it was gonna run, but didn't. I disabled the Autoplay feature manually for all media, plugged in my external USB hard drive, and have scanned with McAfee, Malwarebytes, and Spybot S&D...none of these programs found any infection.

For my final scan, I used Webroot AV with Spy Sweeper, which found one security threat...

App/Messen-Gen
mspass.zip

I believe this to be MS Passview, a program I used to recover a lost password some time ago. I am using the free version of Webroot, so I cannot remove this item without either, A) accessing the external directly and deleting it or B) finding a free scanner that will actually find and remove it.

I guess I have two final (hopefully) questions for you...

MS Passview is a legitimate program, right?

Now that I have run these various scans of the external hard drive in question...should I feel secure enough to begin using it again, if not which tool would be the best to scan/destroy any infections?

Thanks again!

Edited by CaseyJones79, 21 May 2010 - 07:58 AM.


#12 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 21 May 2010 - 08:18 AM

Hello,

QUOTE
MS Passview is a legitimate program, right?


I believe this is a legitimate program. It is probably being detected by the heuristics because of what it does, so I think you can consider this to be a false positive.

QUOTE
Now that I have run these various scans of the external hard drive in question...should I feel secure enough to begin using it again, if not which tool would be the best to scan/destroy any infections?


As long as you have disabled the autorun feature on your machines, then any malware that may be there will not be able to run automatically, so you would only have a problem if you ran it yourself. Just make sure that if you find anything on the drive that you are not aware of, you don't run it. You could also try running an online scan on it with ESET; this has good detections and will remove what it finds.

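Syler's points about AutoRun in posts #8, #10 and #12 (malware on removable media launches on its own only through AutoRun, Windows 7 still honours it for optical drives and for USB sticks that pose as one, and with it off the remaining risk is what you launch yourself) can be checked from PowerShell. This is an added example, not FlashDisinfector and not code from the thread; it assumes Microsoft's documented NoDriveTypeAutoRun policy value and must run as administrator to change it.

```powershell
# Added example, not from the thread or from FlashDisinfector: audit and harden AutoRun on a
# Windows machine before plugging in a drive that came from an infected PC.
# Assumes the NoDriveTypeAutoRun policy bitmask documented by Microsoft (0xFF = every drive type).
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-AutoRunState {
    # Returns the bitmask as an int, or $null when no policy is set (Windows then uses its
    # built-in default, which on Windows 7 still honours autorun.inf on CD/DVD class drives).
    $item = Get-ItemProperty -Path $policyKey -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    if ($item) { return [int]$item.NoDriveTypeAutoRun }
    return $null
}

function Disable-AutoRunAllDrives {
    # 0xFF sets every drive-type bit, so AutoRun is ignored for removable, fixed, network,
    # CD/DVD and RAM drives alike; this also covers a USB stick presenting itself as a CD drive.
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    New-ItemProperty -Path $policyKey -Name NoDriveTypeAutoRun -Value 0xFF -PropertyType DWord -Force | Out-Null
}

function Get-SuspiciousRemovableMedia {
    # Lists CD-ROM class devices (DriveType 5), which may really be a USB stick posing as an
    # optical drive, and any attached drive whose root carries an autorun.inf that launches something.
    $report = @()
    foreach ($disk in Get-WmiObject Win32_LogicalDisk) {
        $root = $disk.DeviceID + '\'
        $type = [int]$disk.DriveType   # 2 = removable, 3 = fixed, 5 = CD-ROM
        if ($type -eq 5) {
            $report += "$($disk.DeviceID) presents as CD/DVD ($($disk.VolumeName)); AutoRun applies here unless the policy is set"
        }
        $inf = Join-Path $root 'autorun.inf'
        if (Test-Path $inf -PathType Leaf) {
            # The file is only read here, never executed; open= / shellexecute= are the launch keys.
            $launch = Get-Content $inf -ErrorAction SilentlyContinue | Where-Object { $_ -match '^\s*(open|shellexecute)\s*=' }
            if ($launch) { $report += "$($disk.DeviceID): autorun.inf launches something: $($launch -join '; ')" }
        }
        elseif (Test-Path $inf -PathType Container) {
            # A folder named autorun.inf is the protective placeholder described in the thread.
            $report += "$($disk.DeviceID): autorun.inf is a folder (protective placeholder, harmless)"
        }
    }
    return $report
}

$state = Get-AutoRunState
if ($state -eq $null) { Write-Output 'NoDriveTypeAutoRun not set: Windows default in effect' }
else { Write-Output ('NoDriveTypeAutoRun = 0x{0:X2}' -f $state) }
Get-SuspiciousRemovableMedia | ForEach-Object { Write-Output $_ }
# From an elevated prompt, apply the hardening with:
# Disable-AutoRunAllDrives
```

The audit part is read-only; only Disable-AutoRunAllDrives writes to the registry, and the new value takes effect after a logoff or reboot.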


#13 CaseyJones79

CaseyJones79
  • Topic Starter

  • Members
  • 12 posts

Posted 21 May 2010 - 08:34 AM

QUOTE(syler @ May 21 2010, 08:18 AM)
Hello,

QUOTE
MS Passview is a legitimate program, right?


I believe this is a legitimate program. It is probably being detected by the heuristics because of what it does, so I think you can consider this to be a false positive.

QUOTE
Now that I have run these various scans of the external hard drive in question...should I feel secure enough to begin using it again, if not which tool would be the best to scan/destroy any infections?


As long as you have disabled the autorun feature on your machines, then any malware that may be there will not be able to run automatically, so you would only have a problem if you ran it yourself. Just make sure that if you find anything on the drive that you are not aware of, you don't run it. You could also try running an online scan on it with ESET; this has good detections and will remove what it finds.



Great, I will run a scan with ESET now and post when I'm all set. Thanks.

#14 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 21 May 2010 - 09:35 AM

You're welcome



#15 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 25 May 2010 - 10:08 AM

Since this issue appears resolved ... this Topic is closed. Glad we could help.

If you need this topic reopened, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.





