Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Unknown Malware - suspect Rootkit


  • This topic is locked This topic is locked
2 replies to this topic

#1 Argon0

Argon0

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:09:31 PM

Posted 26 May 2010 - 04:41 AM

Good Morning.

Being an IT Pro I should know what I am doing - most of the time. However I foolishly clicked on a video link being sent around by a colleague (we should both know better), subsequently I got similar symptoms to those posted in this thread: http://www.bleepingcomputer.com/forums/t/317367/computer-infected-with-something/ (& subsequently this thread: http://www.bleepingcomputer.com/forums/topic317753.html). I'm pretty sure that I didn't click on the pop-up for Anti-Spyware Soft, but it looks as if some Malware has been installed in any case.... {My biggest concern is that this has spread to other PCs no the network}

My Machine - Windows XP, SP3, latest security patches, and Kaspersky - with 2 or 3 day old db (as of the infection, last Friday).

The most noticeable symptom was that Google Chrome wouldn't go anywhere and just crashed. Then IE and Firefox kept trying to go to "phishing sites" (as detailed in the above link) before crashing (Kaspersky blocked access to the Phishing site, as at least it is doing something right!).

Also PC would not let me launch any programs - kept saying somethign like "Virus found - do you want to launch AntiVirus software" in a standard windows dialogue box. Final symptom was that the machine hung when trying to shut down - just stopped shutting down when it got to a blank blue screen (so System Restore wouldn't work).

Another - possibly related - symptom was that the PC rebooted (black screen - no BSOD) a couple of days before, during a webex session, have since noticed it happen during a GMER run.... (this also happened to another colleague who also thinks he had some malware - he decided to just switch to a new PC, rather than solving....

So I assumed that there was a Malware related problem and started looking around on my machine - used Process Explorer to find some odd programs (started this as soon as booted to GUI, before Malware started up) - asam.exe was one of them, two others - mentioned in the ComboFix log - were also noted as being odd. Renamed them to .old to stop them launching... Was then able to at least do some stuff, launch programs etc...

Chrome still wouldn't work and IE and Firefox still tried to go to phishing sites - sounds like a DNS redirect to me. But nothing odd in /windows/system32/etc/hosts.

Tried SpyBot S&D - it found a couple of tracking cookies - nothing too frightening - but had it remove them in any case.

Tried MalwareBytes - didn't find anything. In retrospect should have tried BitDefender, but didn't get around to it.

So I did a search and came up with several rootkit removers (e.g. Sophos', Trend's, etc...) they either didn't work or didn't find anything. So I tried looking for the sited mentioned in the kaspersky phishins logs:
CODE
detected: Phishing attack     URL: http://clkh71yhks66.com/e0GOg/hf7v9K+x+c2X...Li4BoCUqaices8=
detected: Phishing attack     URL: http://7gafd33ja90a.com/fzh2rpmd7H5JRVo9dm...K2NvbXB1dGVy15x
detected: Phishing attack     URL: http://n1mo661s6cx0.com/fzh2rpmd7H5JRVo9dm...K2NvbXB1dGVy15x
detected: Phishing attack     URL: http://7gafd33ja90a.com/XK72RsXE6R4qi8O4dm...bXkrY29tcHV015x
detected: Phishing attack     URL: http://30xc1cjh91.com/fzh2rpmd7H5JRVo9dmVy...K2NvbXB1dGVy15x
detected: Phishing attack     URL: http://n1mo661s6cx0.com/XK72RsXE6R4qi8O4dm...bXkrY29tcHV015x
detected: malware    URL: http://j00k877x.cc/fzh2rpmd7H5JRVo9dmVyPTM...K2NvbXB1dGVy15x
detected: Phishing attack     URL: http://30xc1cjh91.com/XK72RsXE6R4qi8O4dmVy...bXkrY29tcHV015x
detected: Phishing attack     URL: http://m01n83kjf7.com/fzh2rpmd7H5JRVo9dmVy...K2NvbXB1dGVy15x
detected: malware    URL: http://j00k877x.cc/XK72RsXE6R4qi8O4dmVyPTM...bXkrY29tcHV015x
detected: Phishing attack     URL: http://m01n83kjf7.com/XK72RsXE6R4qi8O4dmVy...bXkrY29tcHV015x
detected: Trojan program Exploit.Java.CVE-2010-0886.a    file: http://zenrope.ru:8080/Applet7.html


And came across the above mentioned forum postings. This lead me to believe it was a problem that combofix could sort out. So I downloaded it and tried to run it [Sorry I know I shouldn't have done this without strict instructions - but just needed to do something]... But it kept failing saying something like "PEV.cfxxe" has encountered an error and closed. Eventually worked out that this was down to DeviceLock (as had disabled both SpyBot and Kaspersky). Got my admin to uninstall that and ran again, this also failed, but ran again in Safe Mode - this time it worked and seems to have got rid of my issue.

However I then decided to raise this on the Forum in any case, at the least to provide help to anyone else suffering...

So followed the guidelines - Defrogger worked, as did dds.scr - this is the output from it:

QUOTE
DDS (Ver_10-03-17.01) - NTFSx86
Run by andyowen at 14:26:15.45 on 25/05/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2400 [GMT 1:00]

AV: Kaspersky Anti-Virus *On-access scanning enabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Anti-Virus *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\iscsiexe.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\avp.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Kaspersky Lab\NetworkAgent 8\klnagent.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\OCS Inventory Agent\ocsservice.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v1.05\bin\tcsd_win32.exe
C:\Program Files\Kaspersky Lab\NetworkAgent 8\klnagent.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\avp.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\system32\mstsc.exe
C:\dloads\Bleeping\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.google.com/ie
uWindow Title = Microsoft Internet Explorer provided by Interactive Prospect Targeting
uStart Page = https://inventory.it.ipt-ltd.co.uk/
uDefault_Page_URL = https://inventory.it.ipt-ltd.co.uk/
uSearch Bar = hxxp://www.google.co.uk/search?q=%s
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride =
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: AutorunsDisabled - No File
BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 8\SnagItBHO.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: IEToolbarEngine.ShowToolbarBHO: {86a3cdaa-9b25-480e-b73f-c2d359b87966} - mscoree.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 8\SnagItIEAddin.dll
TB: KBSearchBar: {691ca8ec-7205-4aa9-bdd6-15493d16f835} - mscoree.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\andyowen\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 6.0 for windows workstations mp4\avp.exe"
StartupFolder: c:\documents and settings\andyowen\start menu\programs\startup\BBC iPlayer Desktop.lnk.disabled
StartupFolder: c:\documents and settings\andyowen\start menu\programs\startup\BUFFALO NAS Navigator.lnk.disabled
StartupFolder: c:\documents and settings\andyowen\start menu\programs\startup\MagicDisc.lnk.disabled
StartupFolder: c:\documents and settings\andyowen\start menu\programs\startup\NAS Scheduler.lnk.disabled
StartupFolder: c:\documents and settings\andyowen\start menu\programs\startup\OpenOffice.org 3.1.lnk.disabled
StartupFolder: c:\docume~1\andyowen\startm~1\programs\startup\autoru~1\powerm~1.lnk - c:\program files\powermenu\PowerMenu.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Google Calendar Sync.lnk.disabled
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Monitor Apache Servers.lnk.disabled
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Service Manager.lnk.disabled
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\SnagIt 8.lnk.disabled
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Windows Search.lnk.disabled
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\epsons~1.lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
uPolicies-explorer: DisablePersonalDirChange = 1 (0x1)
uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)
uPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
uPolicies-system: Wallpaper = \\office.group.iptholdings.com\dfs-root\Universal_documentation\wallpapers\1280x1024_wallpaper_red.jpg
uPolicies-system: WallpaperStyle = 2
IE: Add to Anti-Banner - c:\program files\kaspersky lab\kaspersky anti-virus 6.0 for windows workstations mp4\ie_banner_deny.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky anti-virus 6.0 for windows workstations mp4\scieplgn.dll
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} - hxxp://bq.bp.2020.net/Core/Player/2020PlayerAX_Win32.cab
DPF: {254AA86E-5655-4518-AA87-185D7CC41801} - hxxps://secure.logmeinrescue.com/TechConsole/x86/RescueControl_v451.cab
DPF: {33415AC7-AFFA-4D55-B41C-C64C0D07DFCA} - hxxp://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISWebManager.CAB
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.6.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1236245780993
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {B94C2238-346E-4C5E-9B36-8CC627F35574}
DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://netpremacy.webex.com/client/T27LB/webex/ieatgpc.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
TCP: {BF293F01-15D3-4856-BBBC-C85698582C1F} = 194.168.4.100,10.0.254.7,10.0.254.6,10.0.254.102
Handler: qvp - {4BA78E3D-CA25-4BFF-B8F0-8A3359E4B520} - c:\program files\qlikview\qvprotocol\Qvp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: klogon - c:\windows\system32\klogon.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\andyowen\applic~1\mozilla\firefox\profiles\68l8egco.default\
FF - plugin: c:\documents and settings\andyowen\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\opera\program\plugins\npdrmv2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 stmtpm;STM TPM Service;c:\windows\system32\drivers\stm_tpm.sys [2008-11-21 21664]
R1 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2009-9-1 128016]
R1 klif;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2009-9-21 223760]
R2 AVP;Kaspersky Anti-Virus 6.0;c:\program files\kaspersky lab\kaspersky anti-virus 6.0 for windows workstations mp4\avp.exe [2009-9-22 315736]
R2 klnagent;Kaspersky Lab Network Agent;c:\program files\kaspersky lab\networkagent 8\klnagent.exe [2009-9-18 138792]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-7-24 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-12-17 47640]
R2 MSiSCSI;Microsoft iSCSI Initiator Service;c:\windows\system32\iscsiexe.exe [2008-11-13 103480]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]
R2 OCS INVENTORY;OCS INVENTORY SERVICE;c:\program files\ocs inventory agent\OcsService.exe [2008-10-10 69632]
R2 Opaplpt;Oki Application Parallel Device;c:\windows\system32\drivers\opaplpt.sys [2009-6-16 36896]
R2 vstor2-mntapi10;Vstor2 vix Disk Tools Virtual Storage Driver;c:\program files\vmware\vmware virtual disk development kit\bin\vstor2-mntapi10.sys [2009-11-3 22576]
R2 WIMASvc;Scalable WinINSTALL Master Agent;c:\program files\ondemand\wininstall\bin\WIMASvc.exe [2010-4-15 197952]
R3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [2009-3-28 31896]
R3 iScsiPrt;iScsiPort Driver;c:\windows\system32\drivers\msiscsi.sys [2008-11-13 158264]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [2009-9-3 24848]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2007-5-30 32272]
R3 radpms;Driver for RADPMS Device;c:\windows\system32\drivers\radpms.sys [2008-7-24 12192]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-1 135664]
S2 RsyncShare;RsyncShare;c:\progra~1\rsyncshare\cygrunsrv.exe [2008-12-5 68096]
S3 Apache2.2;Apache2.2;c:\program files\apache software foundation\apache2.2\bin\httpd.exe [2008-12-10 24636]
S3 bmdrvr;Modified Clusters Tracking Driver;c:\windows\system32\drivers\bmdrvr.sys [2009-4-17 27312]
S3 essApache;essApache;c:\progra~1\esa-40~1.3w\apache2\bin\Apache.exe [2009-12-4 24634]
S3 essMysql;essMysql;c:\progra~1\esa-40~1.3w\mysql\bin\mysqld.exe --defaults-file=c:\progra~1\esa-40~1.3w\mysql\my.ini essmysql --> c:\progra~1\esa-40~1.3w\mysql\bin\mysqld.exe --defaults-file=c:\progra~1\esa-40~1.3w\mysql\my.ini essMysql [?]
S3 essTomcat;essTomcat;c:\progra~1\esa-40~1.3w\jakarta-tomcat\bin\tomcat5.exe [2009-12-4 94208]
S3 EST_BusEnum;Network USB Device Bus;c:\windows\system32\drivers\genbus.sys --> c:\windows\system32\drivers\GenBus.sys [?]
S3 EST_Server;Network USB Device;c:\windows\system32\drivers\GenHC.sys [2009-8-25 151552]
S3 EventTracker Agent;EventTracker Agent;c:\program files\prism microsystems\eventtracker\agent\etagent.exe [2009-2-16 88072]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\843.tmp --> c:\windows\system32\843.tmp [?]
S3 NasPmService;NAS PM Service;c:\program files\buffalo\nasnavi\nassvc.exe -service_execute -dcyc=60 -dto=3 -dluc=0 -dmin=1 -dmax=60 -dflc=0 -apc=0 -log=0 -pm=1 -pall=1 -phttp=0 -pbc=0 -ppro=0 -pcyc=0 -pmin=1 -pmax=60 -pflc=0 --> c:\program files\buffalo\nasnavi\nassvc.exe -Service_Execute -dcyc=60 -dto=3 -dluc=0 -dmin=1 -dmax=60 -dflc=0 -apc=0 -log=0 -pm=1 -pall=1 -phttp=0 -pbc=0 -ppro=0 -pcyc=0 -pmin=1 -pmax=60 -pflc=0 [?]
S3 scrutinizer;Scrutinizer Netflow Collector;c:\scruti~1\html\scrut_collector.exe --> c:\scruti~1\html\scrut_collector.exe [?]
S3 scrutinizer_filed;Scrutinizer Filer Service;c:\scruti~1\html\scrut_filer.exe --> c:\scruti~1\html\scrut_filer.exe [?]
S3 sxuptp;SXUPTP Driver;c:\windows\system32\drivers\sxuptp.sys --> c:\windows\system32\drivers\sxuptp.sys [?]
S4 DLServer;DeviceLock Server;c:\program files\devicelock\dlserver.exe --> c:\program files\devicelock\DLServer.exe [?]
S4 EventTracker EventVault;EventTracker EventVault;c:\program files\prism microsystems\eventtracker\evtarmgr.exe [2009-1-2 55304]
S4 EventTracker Receiver;EventTracker Receiver;c:\program files\prism microsystems\eventtracker\evtmgr.exe [2009-2-4 83976]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
S4 NC_Net;NC_Net;c:\program files\montitech\nc_net\NC_Net.exe [2008-6-27 167936]
S4 vmware-converter-agent;VMware vCenter Converter Agent;c:\program files\vmware\vmware vcenter converter standalone\vmware-converter-a.exe [2009-4-17 428592]
S4 vmware-converter-server;VMware vCenter Converter Server;c:\program files\vmware\vmware vcenter converter standalone\vmware-converter.exe [2009-4-17 428592]

=============== Created Last 30 ================

2010-05-25 09:49:18 3698345 ----a-r- C:\Combo-Fix.exe
2010-05-24 16:19:59 0 d-sha-r- C:\cmdcons
2010-05-24 16:16:22 98816 ----a-w- c:\windows\sed.exe
2010-05-24 16:16:22 77312 ----a-w- c:\windows\MBR.exe
2010-05-24 16:16:22 256512 ----a-w- c:\windows\PEV.exe
2010-05-24 16:16:22 161792 ----a-w- c:\windows\SWREG.exe
2010-05-24 14:04:17 0 d-----w- c:\program files\Sophos
2010-05-24 13:41:17 1339288 ----a-w- C:\sar_15_sfx.exe
2010-05-24 13:19:06 0 d-----w- C:\VundoFix Backups
2010-05-24 08:28:07 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-05-24 08:28:07 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-05-21 14:47:42 0 d-----w- c:\windows\pss
2010-05-21 14:30:47 0 d-----w- c:\docume~1\andyowen\applic~1\Malwarebytes
2010-05-21 14:30:26 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-21 14:30:23 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-21 14:30:23 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-21 14:30:23 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-05-21 10:17:13 0 d-----w- c:\docume~1\andyowen\applic~1\webex
2010-05-20 12:35:01 0 d-----w- C:\Zabbix
2010-05-20 08:27:07 0 d-----w- c:\program files\ManageEngine
2010-05-14 15:04:03 20 ----a-w- c:\windows\system32\hnid
2010-05-12 04:17:14 691712 -c----w- c:\windows\system32\dllcache\inetcomm.dll
2010-04-28 16:32:21 0 d-----w- C:\DBs

==================== Find3M ====================

2010-05-25 13:17:18 20176 ----a-w- c:\windows\system32\drivers\sthdae.log
2010-05-14 15:29:09 73140 ----a-w- c:\windows\fonts\Teen.ttf
2010-05-06 10:08:21 97549 ----a-w- c:\windows\system32\drivers\klick.dat
2010-05-06 10:08:21 113933 ----a-w- c:\windows\system32\drivers\klin.dat
2010-03-11 12:38:54 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38:51 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\vbscript.dll
2002-01-20 12:48:00 262144 ----a-w- c:\program files\WinMTR.exe
2007-12-05 16:09:16 1210456 --sha-r- c:\windows\system32\LogParser.dll
2002-02-20 23:00:07 36 --sh--r- c:\windows\system32\watson19.dll
2010-02-04 10:28:29 186911008 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-02-04 10:28:30 3619616 --sha-w- c:\windows\system32\drivers\fidbox2.dat

============= FINISH: 14:27:06.45 ===============



BUT gmer.exe will not complete a scan - the PC seems to reboot someway through the run - I've tried this in Safe Mode, with and without Networking, directly from the Desktop (which is redirected to the network) and from the root of the C: drive. With Kaspersky, devicelock and spybot enabled and disabled.

As mentioned ComboFix did find a Rootkit (I think) and removed it....

Can post the whole of the ComboFix log if required. But I think this is the relevant bit:
QUOTE
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\AndyOwen\LOCALS~1\Temp\install_flash_player.exe
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\AndyOwen\Application Data\Desktopicon
c:\documents and settings\AndyOwen\Application Data\Desktopicon\eBayShortcuts.exe
c:\documents and settings\AndyOwen\g2mdlhlpx.exe
c:\documents and settings\AndyOwen\Local Settings\Application Data\asam.old
c:\documents and settings\AndyOwen\Local Settings\Application Data\syssvc.old
c:\documents and settings\AndyOwen\System
c:\documents and settings\AndyOwen\System\win_qs8.jqx
C:\test.exe
c:\windows\herjek.config
c:\windows\system32\Cache


As it mentions the files I had already identified as odd.

Any thing further I should be doing (I have since run MalwareBytes - found nothing, a full Kaspersky Scan - found nothing).

Regards

Argon0

Edited by Orange Blossom, 26 May 2010 - 01:29 PM.
Changed quote tags to code tags to deactivate links. ~ OB


BC AdBot (Login to Remove)

 


#2 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:09:31 PM

Posted 28 May 2010 - 06:51 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE



Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
regards,
schrauber

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image

#3 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:09:31 PM

Posted 02 June 2010 - 02:07 PM

Due to the lack of feedback, this topic is now closed.
If you need this topic reopened, please PM a staff member and we will reopen it for you (include the address of this thread in your request). This applies to the original topic starter only. Everyone else with similar problems, please start a new topic.
regards,
schrauber

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users