
Unable to delete rootkits.


  • This topic is locked
36 replies to this topic

#1 fordp82
  • Members
  • 19 posts

Posted 07 June 2010 - 05:32 AM

Hi Malware Expert Helper,
All of a sudden, I started facing the following problems:
1) Gross slowing.
2) Programs don't end.
3) Laptop shuts down and restarts very often.
4) Malwarebytes Anti-Malware runs only in safe mode.
5) I can work only in safe mode.
6) Spybot S&D doesn't open, nor does BitDefender.

The antimalware finds a lot of trojans, worms and registry errors each time but is unable to delete them.
Even if I manually delete suspected files, they reappear again next time or so.

A few particulars about the infection:
1) I find a lot of kernel mode driver managers in my Documents and Settings/user/Temp section almost always.
2) Most of them are dated 2/2/2010.
3) A few files keep on entering the startup: c:/windows/system32/cicytivo.exe and dumprep.exe and userini.exe.

I have downloaded ComboFix but not opened it yet.

Hope you can help me out.




DDS (Ver_10-03-17.01) - FAT32x86 NETWORK
Run by Shree at 1:54:13.17 on Mon 06/07/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.246.24 [GMT 5.5:30]

AV: Bitdefender Antivirus *On-access scanning enabled* (Outdated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: McAfee VirusScan *On-access scanning disabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\LivePerson\Expert\LPExpertMessenger.exe
C:\Program Files\Program Files\Program Files\Mozilla Firefox\firefox.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\raca.exe
"C:\WINDOWS\system32\svchost.exe"
C:\Documents and Settings\Shree\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.in/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: the blinkx toolbar: {f08555b0-9cc3-11d2-aa8e-000000000567} - c:\program files\blinkx remote toolbar\the_blinkx_shook.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe
mWinlogon: Taskman=c:\documents and settings\shree\application data\tnzbrg.exe
uWinlogon: Shell=c:\documents and settings\shree\application data\tnzbrg.exe,explorer.exe,c:\documents and settings\shree\application data\cift.exe
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - No File
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [beru] c:\windows\system32\cicytivo.exe
dRun: [beru] c:\documents and settings\localservice\application data\microsoft\cicytivo.exe
StartupFolder: c:\ism300\docume~1\programs\startup\livepe~1.lnk - c:\program files\liveperson\expert\LPExpertMessenger.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\ism300\documents and settings\programs\imvu\Run IMVU.lnk
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F}
Trusted Zone: moove.com
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} -
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {B07E9C85-1B8E-45A6-8BAF-8732769019E2} = 208.67.220.220,208.67.222.222
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
LSA: Authentication Packages = msv1_0 nwprovau
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\shree\applic~1\mozilla\firefox\profiles\pckd3ori.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2452476&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Games Bar 3 Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.in/
FF - prefs.js: keyword.URL - hxxp://recovery.alexa.com/helper/?aid=WzOkb1RVf700Um&plugin=alxf-1.51&reason=keyword&location=
FF - component: c:\documents and settings\shree\application data\mozilla\firefox\profiles\pckd3ori.default\extensions\{63365e63-f107-47df-a4ae-9e889a10eb36}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\shree\application data\mozilla\firefox\profiles\pckd3ori.default\extensions\{63365e63-f107-47df-a4ae-9e889a10eb36}\components\RadioWMPCore.dll
FF - component: c:\documents and settings\shree\application data\mozilla\firefox\profiles\pckd3ori.default\extensions\{9c0ce3e8-2eb9-44e2-9ad5-d3b87be68fd8}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\shree\application data\mozilla\firefox\profiles\pckd3ori.default\extensions\{9c0ce3e8-2eb9-44e2-9ad5-d3b87be68fd8}\components\RadioWMPCore.dll
FF - plugin: c:\documents and settings\shree\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\shree\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\program files\program files\mozilla firefox\plugins\np_blinkx_plugin.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\program files\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\program files\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\program files\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\program files\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\program files\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\program files\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\program files\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\program files\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\program files\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\program files\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\program files\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\program files\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\program files\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\program files\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\program files\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\program files\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\program files\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\program files\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\program files\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\program files\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\program files\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\program files\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\program files\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\program files\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\program files\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\program files\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\program files\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\program files\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\program files\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\program files\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\program files\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\program files\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\program files\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\program files\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\program files\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\program files\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\program files\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\program files\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\program files\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2010-06-06 20:20:12 0 ----a-w- c:\documents and settings\shree\defogger_reenable
2010-06-06 19:17:20 332800 ----a-w- c:\windows\system32\raca.exe
2010-06-06 15:56:19 0 d-----w- c:\windows\LastGood.Tmp
2010-06-06 14:31:32 0 d-sh--w- C:\FOUND.008
2010-06-05 20:55:57 332800 ----a-w- c:\windows\system32\cicytivo.exe
2010-06-05 20:41:11 332800 ----a-w- c:\windows\system32\routumysaqu.exe
2010-06-05 20:26:58 0 d-sh--w- C:\FOUND.007
2010-06-05 19:28:03 54016 ----a-w- c:\windows\system32\drivers\oqllt.sys
2010-06-05 18:43:49 332800 ----a-w- c:\windows\system32\rozapoofa.exe
2010-06-05 18:42:39 332800 ----a-w- c:\windows\system32\fousygonny.exe
2010-06-04 18:37:24 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-06-04 14:51:20 0 d-sh--w- C:\FOUND.006
2010-06-04 11:06:07 0 d-----w- c:\docume~1\shree\applic~1\Malwarebytes
2010-06-04 11:05:56 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-04 11:05:47 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-06-04 11:05:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-04 11:05:42 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-04 10:32:00 157184 --sh--r- c:\docume~1\shree\applic~1\tnzbrg.exe
2010-06-04 10:23:05 136192 ----a-w- c:\windows\system32\drivers\nqcbunxr.sys
2010-06-04 10:00:48 0 d-sh--w- C:\FOUND.005
2010-06-03 18:16:14 0 d-sh--w- C:\FOUND.004
2010-06-03 18:08:20 0 d-sh--w- C:\FOUND.003
2010-06-03 17:15:42 0 d-sh--w- C:\FOUND.002
2010-06-03 15:57:12 0 d-sh--w- C:\FOUND.001
2010-06-02 19:51:05 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-06-02 19:35:22 0 d-----w- c:\program files\SpywareBlaster
2010-06-02 18:48:58 0 d-----w- c:\docume~1\shree\applic~1\Bitdefender
2010-06-02 18:48:09 0 d-----w- c:\program files\Softwin
2010-06-02 18:48:09 0 d-----w- c:\docume~1\alluse~1\applic~1\BitDefender
2010-06-02 18:44:30 0 d-sh--w- C:\FOUND.000
2010-06-02 18:35:02 0 d-----w- c:\program files\common files\Softwin
2010-06-01 19:24:48 40128 ----a-w- c:\windows\system32\drivers\rprgjrjz.sys
2010-05-30 15:48:46 125952 --sh--r- c:\docume~1\shree\applic~1\cift.exe
2010-05-18 20:34:41 0 d-----w- c:\windows\system32\Adobe

==================== Find3M ====================

2010-06-06 19:07:12 14528 ----a-w- c:\windows\system32\drivers\audstub.sys
2010-06-06 15:59:40 81984 ----a-w- c:\windows\system32\bdod.bin
2010-04-26 19:06:00 90112 ----a-w- c:\windows\DUMP53ec.tmp
2008-11-25 17:39:40 152 --sh--r- c:\windows\system32\3668029F6B.dll

============= FINISH: 1:55:19.93 ===============
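As an added example (not part of this thread, and not code from DDS, ComboFix or any tool named here), a small Python triage script for the two DDS sections a helper reads first, the "Pseudo HJT Report" and "Created Last 30". It flags the patterns visible in the log above: Winlogon Shell/Taskman values pointing into a user profile, several freshly created executables that share one exact byte size, hidden+system+read-only (--sh--r-) files under Application Data, and Run entries that launch one of those recent files. The sample log is a constructed excerpt of the lines posted above; the section headers and line layouts are assumed to follow the DDS output exactly as shown here.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the DDS output posted above. Raw string: the
# backslashes are literal Windows path separators exactly as DDS prints them.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============
mWinlogon: Userinit=c:\windows\system32\userinit.exe
mWinlogon: Taskman=c:\documents and settings\shree\application data\tnzbrg.exe
uWinlogon: Shell=c:\documents and settings\shree\application data\tnzbrg.exe,explorer.exe,c:\documents and settings\shree\application data\cift.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [beru] c:\windows\system32\cicytivo.exe
dRun: [beru] c:\documents and settings\localservice\application data\microsoft\cicytivo.exe
=============== Created Last 30 ================
2010-06-06 19:17:20 332800 ----a-w- c:\windows\system32\raca.exe
2010-06-05 20:55:57 332800 ----a-w- c:\windows\system32\cicytivo.exe
2010-06-05 20:41:11 332800 ----a-w- c:\windows\system32\routumysaqu.exe
2010-06-05 19:28:03 54016 ----a-w- c:\windows\system32\drivers\oqllt.sys
2010-06-04 11:05:42 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-04 10:32:00 157184 --sh--r- c:\docume~1\shree\applic~1\tnzbrg.exe
2010-05-30 15:48:46 125952 --sh--r- c:\docume~1\shree\applic~1\cift.exe
==================== Find3M ====================
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
WINLOGON_RE = re.compile(r"^[umd]Winlogon:\s*(\w+)=(.*)$")
RUN_RE = re.compile(r'^([umd])Run:\s*\[(.*?)\]\s*"?([^"]+?\.exe)"?', re.IGNORECASE)
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\d+) (\S{8}) (.+)$")

# Stock Windows XP values; anything else in these keys deserves a look.
EXPECTED_WINLOGON = {
    "shell": {"explorer.exe"},
    "userinit": {r"c:\windows\system32\userinit.exe"},
}

def parse_sections(text):
    """Split DDS output on its '===== Name =====' headers into {name: [lines]}."""
    sections, current = defaultdict(list), "header"
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1)
        elif line.strip():
            sections[current].append(line.rstrip())
    return sections

def check_winlogon(lines):
    """Shell/Userinit must hold only the stock values; Taskman is normally absent."""
    findings = []
    for m in filter(None, map(WINLOGON_RE.match, lines)):
        key, value = m.group(1).lower(), m.group(2).strip().lower()
        if key == "taskman":
            findings.append(("winlogon", key, value))
        elif key in EXPECTED_WINLOGON:
            findings += [("winlogon", key, p.strip()) for p in value.split(",")
                         if p.strip() and p.strip() not in EXPECTED_WINLOGON[key]]
    return findings

def parse_created(lines):
    """(size, attrs, path) for each file line; directories ('d' attr) are skipped."""
    return [(int(m.group(3)), m.group(4), m.group(5).lower())
            for m in filter(None, map(CREATED_RE.match, lines))
            if not m.group(4).startswith("d")]

def check_created(entries):
    """Several new .exe files of one exact size under random names usually come from
    one dropper; hidden+system+read-only (--sh--r-) user files are another tell."""
    findings, by_size = [], defaultdict(list)
    for size, attrs, path in entries:
        if path.endswith(".exe"):
            by_size[size].append(path)
        if all(flag in attrs for flag in "shr"):
            findings.append(("hidden-system", attrs, path))
    for size, paths in by_size.items():
        if len(paths) > 1:
            findings.extend(("size-clone", str(size), p) for p in paths)
    return findings

def check_run(lines, entries):
    """Flag Run entries that launch a recently created file or point into a user profile.
    DDS mixes 8.3 (docume~1) and long paths, so files are matched by name only."""
    recent = {path.rsplit("\\", 1)[-1] for _, _, path in entries}
    findings = []
    for m in filter(None, map(RUN_RE.match, lines)):
        hive, name, target = m.group(1), m.group(2), m.group(3).strip().lower()
        reasons = []
        if target.rsplit("\\", 1)[-1] in recent:
            reasons.append("created recently")
        if "documents and settings" in target or "docume~1" in target:
            reasons.append("user-profile path")
        if reasons:
            findings.append(("run", f"{hive}Run [{name}]: {', '.join(reasons)}", target))
    return findings

def triage(text):
    """Return (kind, detail, path) findings for a DDS log."""
    sections = parse_sections(text)
    hjt = sections.get("Pseudo HJT Report", [])
    entries = parse_created(sections.get("Created Last 30", []))
    return check_winlogon(hjt) + check_created(entries) + check_run(hjt, entries)
```

Running `triage(SAMPLE_DDS)` on the excerpt reports the Taskman and Shell hijacks, the two --sh--r- files, the three 332800-byte clones in system32, and both [beru] Run entries, while the legitimate Malwarebytes entries produce nothing.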



#2 sempai (noypi)
  • Malware Response Team
  • 5,288 posts
  • Gender: Male
  • Location: 3 stars and a sun

Posted 10 June 2010 - 06:19 AM

Hello and welcome to Bleeping Computer.

*Please Subscribe to this Thread to get immediate notification of replies. See HERE

*It is important not to make any further changes or run any other tools/updates unless instructed to. This may hinder the cleaning process of your machine.

*Please be patient, all Bleeping Computer helpers are volunteers and have lives outside this forum.

*You must reply within 5 days otherwise this topic will be closed.



=======================================



Your log shows 3 anti-virus programs, but only 1 is showing in the installed program list. Is BitDefender Free Edition v10 your current anti-virus program? AVG and McAfee are also showing in your logs.

I do not recommend that you have more than one anti-virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti-virus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti-virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.



Let's first settle this issue before we proceed because they may interfere with our tools and possibly cause some problems.


Thanks,
~Semp


~Semp

You can help me continue the fight against malware by making a donation. Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support; post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators)


#3 fordp82
  • Topic Starter
  • Members
  • 19 posts

Posted 10 June 2010 - 08:23 AM

Hey Semp,
Thanks for taking an interest in my malware issues.

1) AVG and McAfee, I deleted them a long time ago.
I'll have to look if they have left any traces and delete them.
But I am sure that neither of these was actively running.

I downloaded BitDefender after I started having trouble.
(There was no antivirus on my lap when the problems started appearing.)

But I have deleted it now as it was freezing every single time I ran it.

So, currently there is only Malwarebytes Anti-Malware on my lap and it doesn't provide real-time protection.

The manner in which my lap is behaving and the reappearance of a lot of suspected files in folders and the startup menu (which MBAM shows but can't remove) points towards infection, I feel.

If you feel the need, should I post the log of MBAM as well?

I am looking forward to your next advice.
Till then, I'll delete any traces of AVG and McAfee.

And again, thanks for looking into my bug issues.

Bye,
Fordp82.


#4 sempai (noypi)
  • Malware Response Team
  • 5,288 posts

Posted 10 June 2010 - 09:00 AM

Hi,

Please download and run their removal tools:

avg => http://www.avg.com/kr-en/download-tools
mcafee => http://service.mcafee.com/FAQDocument.aspx...amp;id=TS100507
Bitdefender => http://kb.bitdefender.com/KB333-en--How-to...itDefender.html


You need to have an Anti Virus program:

Avast is a good and free Anti Virus program. Download Avast here => http://www.avast.com/eng/avast_4_home.html


==================================


Please delete your copy of ComboFix and run a new copy.

Download Combofix (by Subs) from any of the links below, make sure that you save it to your desktop.
Link 1
Link 2

  • It's important to temporarily disable your anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. See HERE
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
*It's strongly recommended to have this pre-installed on your machine before doing any malware removal.
*The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
*This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures. If you did not have it installed, you will see the prompt below. Choose YES.


  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Important notes:
  1. Leave your computer alone while ComboFix is running.
  2. ComboFix will restart your computer if malware is found; allow it to do so.
  3. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  4. Please do not mouse-click ComboFix's window while it's running because it may cause it to stall.
  5. ComboFix SHOULD NOT be used unless requested by a forum helper. See HERE.





~Semp



#5 fordp82
  • Topic Starter
  • Members
  • 19 posts

Posted 10 June 2010 - 01:19 PM

Hey,
Two problems:
I used the AVG 32-bit remover to remove all components of AVG.
I also ran a search for AVG and deleted everything that was found.
Then I disabled Windows Firewall.

Finally, when I ran ComboFix,
it gave a warning message that it has detected AVG real-time protection to be on and it would be harmful to run ComboFix under these circumstances.

I tried this twice, but the same warning continues.

Can we do something about this or should I continue despite the warning?

And secondly, the lap runs sluggishly and erratically in normal mode. Besides, it could restart any time.
Is it OK if I run ComboFix in safe mode? This would be a lot easier for me.

Bye.
Fordp82


#6 sempai (noypi)
  • Malware Response Team
  • 5,288 posts

Posted 10 June 2010 - 05:43 PM

Hi Fordp82,

Please run ComboFix in safe mode, and you can ignore the AVG message if it still alerts you even in safe mode.

Also, please monitor ComboFix while it is running; if it restarts your PC, make sure to restart it again in safe mode to complete the process.


Thanks,
~Semp



#7 fordp82
  • Topic Starter
  • Members
  • 19 posts

Posted 11 June 2010 - 01:08 AM

Hi again Sempai,
I ran Combo in safe mode in spite of the repeated warnings of AVG running.

The Combo rebooted immediately on scanning because it detected rootkit activity.
The scanning was done in safe mode; just the final boot-up was in normal mode.
I'll post the log in about 2 and a half hours. (I am posting from my phone now due to net problems.)
See ya,
Good day Sempai.

#8 fordp82
  • Topic Starter
  • Members
  • 19 posts

Posted 11 June 2010 - 03:23 AM

Hey there,
Here's the ComboFix log.

ComboFix 10-06-10.03 - Shree 06/11/2010 10:46:31.1.1 - FAT32x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.246.54 [GMT 5.5:30]
Running from: c:\documents and settings\Shree\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: McAfee VirusScan *On-access scanning disabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
.
/wow section - STAGE 32
The system cannot execute the specified program.
The system cannot execute the specified program.
The system cannot execute the specified program.
The system cannot execute the specified program.
The system cannot execute the specified program.
The system cannot execute the specified program.
The system cannot execute the specified program.
The system cannot execute the specified program.
The system cannot execute the specified program.
The system cannot execute the specified program.
The system cannot execute the specified program.
The system cannot execute the specified program.
The system cannot execute the specified program.
The system cannot execute the specified program.
The system cannot execute the specified program.
The system cannot execute the specified program.
The system cannot execute the specified program.
The system cannot execute the specified program.
The system cannot execute the specified program.
The system cannot execute the specified program.


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\common.data
c:\documents and settings\LocalService\Application Data\Microsoft\cicytivo.exe
c:\documents and settings\LocalService\Application Data\Microsoft\routumysaqu.exe
c:\documents and settings\Shree\Application Data\cift.exe
c:\documents and settings\Shree\Application Data\tnzbrg.exe
c:\documents and settings\Shree\Application Data\wiaservg.log
c:\documents and settings\Shree\ese.exe
c:\documents and settings\Shree\inqynne.exe
c:\documents and settings\Shree\Local Settings\Application Data\Bron.tok.A10.em.bin
c:\documents and settings\Shree\Local Settings\Application Data\Kosong.Bron.Tok.txt
c:\documents and settings\Shree\oashdihasidhasuidhiasdhiashdiuasdhasd
c:\documents and settings\Shree\qncpj.exe
c:\documents and settings\shree\wuaucldt.exe
c:\windows\system32\Drivers\oqllt.sys
c:\windows\system32\wbem\grpconv.exe
c:\windows\system32\wuaucldt.exe
F:\AUTORUN.INF
c:\documents and settings\Shree\secupdat.dat . . . . failed to delete
c:\windows\system32\secupdat.dat . . . . failed to delete

Infected copy of c:\windows\system32\drivers\cdrom.sys was found and disinfected
Restored copy from - c:\windows\SoftwareDistribution\Download\385cb67dda0ffd4dea8c0d990dc65796\backup\cdrom.sys

c:\windows\system32\grpconv.exe was missing
Restored copy from - c:\windows\SoftwareDistribution\Download\385cb67dda0ffd4dea8c0d990dc65796\backup\grpconv.exe

Infected copy of c:\windows\system32\drivers\ndis.sys was found and disinfected
Restored copy from - c:\windows\SoftwareDistribution\Download\385cb67dda0ffd4dea8c0d990dc65796\backup\ndis.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ICF
-------\Legacy_ig91o1rto
-------\Service_ig91o1rto


((((((((((((((((((((((((( Files Created from 2010-05-11 to 2010-06-11 )))))))))))))))))))))))))))))))
.

2010-06-11 05:25 . 2010-06-05 18:42 332800 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\routumysaqu.exe
2010-06-11 05:22 . 2004-08-03 17:26 39424 ----a-w- c:\windows\system32\grpconv.exe
2010-06-10 16:55 . 2010-06-10 16:55 -------- d-----w- c:\windows\ServicePackFiles
2010-06-08 19:45 . 2010-06-08 19:45 -------- d-----w- c:\program files\MSXML 4.0
2010-06-07 19:14 . 2010-06-07 19:14 93464 ----a-w- c:\documents and settings\Shree\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-07 19:12 . 2010-06-07 19:12 -------- d-----w- C:\FOUND.009
2010-06-06 19:17 . 2010-06-07 10:17 332800 ----a-w- c:\windows\system32\raca.exe
2010-06-06 14:31 . 2010-06-06 14:31 -------- d-----w- C:\FOUND.008
2010-06-05 20:41 . 2010-06-07 10:17 332800 ----a-w- c:\windows\system32\routumysaqu.exe
2010-06-05 20:26 . 2010-06-05 20:26 -------- d-----w- C:\FOUND.007
2010-06-05 18:43 . 2010-06-05 18:42 332800 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\cicytivo.exe
2010-06-05 18:42 . 2010-06-05 18:42 332800 ----a-w- c:\windows\system32\fousygonny.exe
2010-06-04 18:37 . 2010-06-04 18:37 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-06-04 14:51 . 2010-06-04 14:51 -------- d-----w- C:\FOUND.006
2010-06-04 11:06 . 2010-06-04 11:06 -------- d-----w- c:\documents and settings\Shree\Application Data\Malwarebytes
2010-06-04 11:05 . 2010-04-29 10:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-04 11:05 . 2010-06-04 11:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-04 11:05 . 2010-06-04 11:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-04 11:05 . 2010-04-29 10:09 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-04 10:00 . 2010-06-04 10:00 -------- d-----w- C:\FOUND.005
2010-06-03 18:16 . 2010-06-03 18:16 -------- d-----w- C:\FOUND.004
2010-06-03 18:13 . 2004-08-03 17:26 25600 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2010-06-03 18:08 . 2010-06-03 18:08 -------- d-----w- C:\FOUND.003
2010-06-03 17:15 . 2010-06-03 17:15 -------- d-----w- C:\FOUND.002
2010-06-03 15:57 . 2010-06-03 15:57 -------- d-----w- C:\FOUND.001
2010-06-02 19:51 . 2010-06-02 19:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-06-02 19:35 . 2010-06-02 19:35 -------- d-----w- c:\program files\SpywareBlaster
2010-06-02 18:44 . 2010-06-02 18:44 -------- d-----w- C:\FOUND.000
2010-06-02 18:35 . 2010-06-02 18:35 -------- d-----w- c:\program files\Common Files\Softwin
2010-05-18 20:34 . 2010-05-18 20:34 -------- d-----w- c:\windows\system32\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-07 19:31 . 2008-07-10 12:09 81984 ----a-w- c:\windows\system32\bdod.bin
2010-06-06 19:07 . 2007-05-22 00:40 14528 ----a-w- c:\windows\system32\drivers\audstub.sys
2010-04-26 19:06 . 2009-02-28 16:16 90112 ----a-w- c:\windows\DUMP53ec.tmp
2010-03-24 10:42 . 2010-04-04 17:53 52224 ----a-w- c:\documents and settings\Shree\Application Data\Mozilla\Firefox\Profiles\pckd3ori.default\extensions\{63365e63-f107-47df-a4ae-9e889a10eb36}\components\FFExternalAlert.dll
2010-03-24 10:42 . 2010-04-04 17:53 101376 ----a-w- c:\documents and settings\Shree\Application Data\Mozilla\Firefox\Profiles\pckd3ori.default\extensions\{63365e63-f107-47df-a4ae-9e889a10eb36}\components\RadioWMPCore.dll
2010-03-24 09:41 . 2010-04-01 19:04 52224 ----a-w- c:\documents and settings\Shree\Application Data\Mozilla\Firefox\Profiles\pckd3ori.default\extensions\{9c0ce3e8-2eb9-44e2-9ad5-d3b87be68fd8}\components\FFExternalAlert.dll
2010-03-24 09:41 . 2010-04-01 19:04 101376 ----a-w- c:\documents and settings\Shree\Application Data\Mozilla\Firefox\Profiles\pckd3ori.default\extensions\{9c0ce3e8-2eb9-44e2-9ad5-d3b87be68fd8}\components\RadioWMPCore.dll
2008-11-25 17:39 . 2008-11-22 22:10 152 --sh--r- c:\windows\system32\3668029F6B.dll
.

------- Sigcheck -------

[-] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\SoftwareDistribution\Download\663e7188bbb3d768555f5280d384ddab\sp3qfe\tcpip.sys
[-] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\SoftwareDistribution\Download\663e7188bbb3d768555f5280d384ddab\sp3gdr\tcpip.sys
[-] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\SoftwareDistribution\Download\663e7188bbb3d768555f5280d384ddab\sp2gdr\tcpip.sys
[-] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\SoftwareDistribution\Download\663e7188bbb3d768555f5280d384ddab\sp2qfe\tcpip.sys
[-] 2007-10-30 . D1E0A099360A7AC279D883B057AB58A5 . 360064 . . [5.1.2600.3244] . . c:\windows\system32\drivers\tcpip.sys
[7] 2007-10-30 . 90CAFF4B094573449A0872A0F919B178 . 360064 . . [5.1.2600.3244] . . c:\windows\system32\dllcache\tcpip.sys
[7] 2007-10-30 . 64798ECFA43D78C7178375FCDD16D8C8 . 360832 . . [5.1.2600.3244] . . c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[7] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys

[7] 2004-08-03 . 24232996A38C0B0CF151C2140AE29FC8 . 15360 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\ctfmon.exe
[7] 2004-08-03 . 24232996A38C0B0CF151C2140AE29FC8 . 15360 . . [5.1.2600.2180] . . c:\windows\SoftwareDistribution\Download\385cb67dda0ffd4dea8c0d990dc65796\backup\ctfmon.exe

c:\windows\System32\ctfmon.exe ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{F08555B0-9CC3-11D2-AA8E-000000000567}"= "c:\program files\blinkx Remote Toolbar\the_blinkx_shook.dll" [2009-09-16 42240]

[HKEY_CLASSES_ROOT\clsid\{f08555b0-9cc3-11d2-aa8e-000000000567}]
[HKEY_CLASSES_ROOT\SearchHook.SrchHook.1]
[HKEY_CLASSES_ROOT\TypeLib\{F08555A1-9CC3-11D2-AA8E-000000000567}]
[HKEY_CLASSES_ROOT\SearchHook.SrchHook]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"beru"="c:\documents and settings\LocalService\Application Data\Microsoft\cicytivo.exe" [2010-06-05 332800]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rprgjrjz.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Program Files\\Program Files\\Safari\\Safari.exe"=
"d:\\Program Files\\Phone\\Skype.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Documents and Settings\\Shree\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Documents and Settings\\Shree\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Program Files\\Java\\JRE6\\BIN\\java.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\MSPUB.EXE"=
"c:\\Program Files\\Program Files\\Program Files\\uTorrent\\uTorrent.exe"=

R0 rprgjrjz;rprgjrjz;c:\windows\system32\Drivers\rprgjrjz.sys --> c:\windows\system32\Drivers\rprgjrjz.sys [?]
R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);c:\windows\system32\drivers\RMSPPPOE.SYS [10/3/2002 12:09 AM 31504]
S0 ngspeb;ngspeb;c:\windows\system32\drivers\payei.sys --> c:\windows\system32\drivers\payei.sys [?]
S2 bwfjqbb;Windows Monitor;c:\windows\system32\svchost.exe -k netsvcs [8/3/2004 10:56 PM 14336]
S2 CableFlta;CableFlta;\??\c:\windows\System32\DRIVERS\CableFlta.sys --> c:\windows\System32\DRIVERS\CableFlta.sys [?]
S2 CableFltb;CableFltb;\??\c:\windows\System32\DRIVERS\CableFltb.sys --> c:\windows\System32\DRIVERS\CableFltb.sys [?]
S2 CableFlte;CableFlte;\??\c:\windows\System32\DRIVERS\CableFlte.sys --> c:\windows\System32\DRIVERS\CableFlte.sys [?]
S2 CableFltf;CableFltf;\??\c:\windows\System32\DRIVERS\CableFltf.sys --> c:\windows\System32\DRIVERS\CableFltf.sys [?]
S2 CableFltg;CableFltg;\??\c:\windows\System32\DRIVERS\CableFltg.sys --> c:\windows\System32\DRIVERS\CableFltg.sys [?]
S2 CableFlti;CableFlti;\??\c:\windows\System32\DRIVERS\CableFlti.sys --> c:\windows\System32\DRIVERS\CableFlti.sys [?]
S2 CableFltk;CableFltk;\??\c:\windows\System32\DRIVERS\CableFltk.sys --> c:\windows\System32\DRIVERS\CableFltk.sys [?]
S2 CableFlto;CableFlto;\??\c:\windows\System32\DRIVERS\CableFlto.sys --> c:\windows\System32\DRIVERS\CableFlto.sys [?]
S2 CableFltp;CableFltp;\??\c:\windows\System32\DRIVERS\CableFltp.sys --> c:\windows\System32\DRIVERS\CableFltp.sys [?]
S2 CableFltq;CableFltq;\??\c:\windows\System32\DRIVERS\CableFltq.sys --> c:\windows\System32\DRIVERS\CableFltq.sys [?]
S2 CableFltr;CableFltr;\??\c:\windows\System32\DRIVERS\CableFltr.sys --> c:\windows\System32\DRIVERS\CableFltr.sys [?]
S2 CableFltu;CableFltu;\??\c:\windows\System32\DRIVERS\CableFltu.sys --> c:\windows\System32\DRIVERS\CableFltu.sys [?]
S2 CableFlty;CableFlty;\??\c:\windows\System32\DRIVERS\CableFlty.sys --> c:\windows\System32\DRIVERS\CableFlty.sys [?]
S2 hprnkzjo;hprnkzjo; [x]
S2 ig91o1rto;SigmaTel Audio Service;c:\documents and settings\LocalService\Application Data\Microsoft\routumysaqu.exe [6/11/2010 10:55 AM 332800]
S2 ipfuklmj;ipfuklmj; [x]
S2 nqcbunxr;nqcbunxr; [x]
S2 rnr2feu9xy79oaoi;Crypkey License;c:\windows\system32\rozapoofa.exe --> c:\windows\system32\rozapoofa.exe [?]
S2 sbbotdi;sbbotdi;\??\c:\progra~1\SPEEDB~1\sbbotdi.sys --> c:\progra~1\SPEEDB~1\sbbotdi.sys [?]
S2 VideoAcceleratorService;VideoAcceleratorService;c:\progra~1\SPEEDB~1\VideoAcceleratorService.exe -start -scm --> c:\progra~1\SPEEDB~1\VideoAcceleratorService.exe -start -scm [?]
S2 X4HS32Ex;X4HS32Ex;\??\c:\program files\Indiagames GoD\X4HS32Ex.Sys --> c:\program files\Indiagames GoD\X4HS32Ex.Sys [?]
S3 CableFlt;Quick Heal Network Protection Service;c:\windows\system32\DRIVERS\CableFlt.sys --> c:\windows\system32\DRIVERS\CableFlt.sys [?]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [7/31/2009 3:17 AM 136704]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [7/31/2009 3:17 AM 8320]
S3 ViaUsbEtsDriver;VIA Telecom USB ETS Driver;c:\windows\system32\drivers\ViaUsbEts.sys [10/5/2009 11:11 AM 43520]
S3 ViaUsbModemDriver;Via Telecom USB Modem Driver;c:\windows\system32\drivers\ViaUsbModem.sys [10/5/2009 11:11 AM 107264]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
bwfjqbb
.
Contents of the 'Scheduled Tasks' folder

2010-06-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1417001333-308236825-1801674531-1003Core1cac68b3161318c.job
- c:\documents and settings\Shree\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-26 19:28]

2010-05-18 c:\windows\Tasks\Install.job
- c:\windows\system32\Adobe\Shockwave 11\nssstub.exe [2010-05-18 20:35]

2010-06-11 c:\windows\Tasks\User_Feed_Synchronization-{3DAEC182-3599-430F-8894-346DB198445F}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 13:06]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.in/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\ism300\Documents and Settings\Programs\IMVU\Run IMVU.lnk
Trusted Zone: moove.com
TCP: {B07E9C85-1B8E-45A6-8BAF-8732769019E2} = 208.67.220.220,208.67.222.222
FF - ProfilePath - c:\documents and settings\Shree\Application Data\Mozilla\Firefox\Profiles\pckd3ori.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2452476&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Games Bar 3 Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.in/
FF - prefs.js: keyword.URL - hxxp://recovery.alexa.com/helper/?aid=WzOkb1RVf700Um&plugin=alxf-1.51&reason=keyword&location=
FF - component: c:\documents and settings\Shree\Application Data\Mozilla\Firefox\Profiles\pckd3ori.default\extensions\{63365e63-f107-47df-a4ae-9e889a10eb36}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\Shree\Application Data\Mozilla\Firefox\Profiles\pckd3ori.default\extensions\{63365e63-f107-47df-a4ae-9e889a10eb36}\components\RadioWMPCore.dll
FF - component: c:\documents and settings\Shree\Application Data\Mozilla\Firefox\Profiles\pckd3ori.default\extensions\{9c0ce3e8-2eb9-44e2-9ad5-d3b87be68fd8}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\Shree\Application Data\Mozilla\Firefox\Profiles\pckd3ori.default\extensions\{9c0ce3e8-2eb9-44e2-9ad5-d3b87be68fd8}\components\RadioWMPCore.dll
FF - plugin: c:\documents and settings\Shree\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Shree\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Program Files\Program Files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Program Files\Program Files\Mozilla Firefox\plugins\np_blinkx_plugin.dll

---- FIREFOX POLICIES ----
c:\program files\Program Files\Program Files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Program Files\Program Files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Program Files\Program Files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Program Files\Program Files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Program Files\Program Files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Program Files\Program Files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Program Files\Program Files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Program Files\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Program Files\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Program Files\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-syncman - c:\documents and settings\shree\wuaucldt.exe
HKLM-Run-beru - c:\windows\system32\cicytivo.exe
HKLM-Run-syncman - c:\windows\system32\wuaucldt.exe
SafeBoot-bgxnqoos
SafeBoot-hprnkzjo
SafeBoot-ipfuklmj
SafeBoot-nljdrjro
SafeBoot-nqcbunxr
SafeBoot-sbpnmnzr
AddRemove-Nokia PC Internet Access - c:\documents and settings\All Users\Application Data\Installations\{39833F8D-0389-43A3-BDED-1C272E1703EA}\Installer.exe
AddRemove-{3F92ABBB-6BBF-11D5-B229-002078017FBF} - c:\program files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe
AddRemove-uTorrent - c:\program files\uTorrent\uTorrent.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-11 10:55
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\bwfjqbb]
"ServiceDll"="c:\windows\system32\fvzobzwn.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1417001333-308236825-1801674531-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1400)
c:\windows\system32\igfxsrvc.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\documents and settings\LocalService\Application Data\Microsoft\raca.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\WgaTray.exe
.
**************************************************************************
.
Completion time: 2010-06-11 10:59:09 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-11 05:29

Pre-Run: 5,334,941,696 bytes free
Post-Run: 5,219,647,488 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 2ACFE5C8B31C6D41F5F9C0CCDA383888


I ran a Malwarebytes quick scan and it still reported 8 infections.

Thanks once again.
Bye
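
The log above is what the helper has to read by hand: Sigcheck `[-]` lines (a driver whose hash matches no known-good copy), `R0`/`S2` entries whose image file ComboFix cannot find (`[?]`, `[x]`), a service whose image sits under a user profile, service names that look like keyboard noise, and protections switched off in the registry. The script below is an added example, not a BleepingComputer or ComboFix tool; it runs those checks over a constructed subset of the lines quoted from this log. The rules themselves (no-vowel names, profile paths, missing images) are heuristics assumed here, and the `Finding` class, `triage` and `looks_random` are names chosen for the example.

```python
"""Triage the service, Sigcheck and registry lines of a ComboFix log.

Added example for this thread, not a BleepingComputer or ComboFix tool. The
rules are heuristics assumed here: a driver/service whose image file is gone,
one whose image lives under a user profile, a random-looking service name, a
Sigcheck "[-]" hash mismatch, and protections switched off in the registry.
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of lines copied from the ComboFix log above.
SAMPLE_LOG = r"""
[-] 2007-10-30 . D1E0A099360A7AC279D883B057AB58A5 . 360064 . . [5.1.2600.3244] . . c:\windows\system32\drivers\tcpip.sys
[7] 2007-10-30 . 90CAFF4B094573449A0872A0F919B178 . 360064 . . [5.1.2600.3244] . . c:\windows\system32\dllcache\tcpip.sys
R0 rprgjrjz;rprgjrjz;c:\windows\system32\Drivers\rprgjrjz.sys --> c:\windows\system32\Drivers\rprgjrjz.sys [?]
R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);c:\windows\system32\drivers\RMSPPPOE.SYS [10/3/2002 12:09 AM 31504]
S2 bwfjqbb;Windows Monitor;c:\windows\system32\svchost.exe -k netsvcs [8/3/2004 10:56 PM 14336]
S2 hprnkzjo;hprnkzjo; [x]
S2 ig91o1rto;SigmaTel Audio Service;c:\documents and settings\LocalService\Application Data\Microsoft\routumysaqu.exe [6/11/2010 10:55 AM 332800]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [7/31/2009 3:17 AM 136704]
"DisableMonitoring"=dword:00000001
"EnableFirewall"= 0 (0x0)
"""


@dataclass(frozen=True)
class Finding:
    name: str     # service name, file path or registry value
    reason: str


# "R0 name;display;image [timestamp]" or "S2 name;display; [x]"
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.*)$")
VOWELS = set("aeiou")


def looks_random(name: str) -> bool:
    """Names like rprgjrjz or bwfjqbb: five or more letters and no vowel at all."""
    letters = [c for c in name.lower() if c.isalpha()]
    return len(letters) >= 5 and not any(c in VOWELS for c in letters)


def triage(log_text: str) -> list:
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Sigcheck: "[-]" means the file's hash matched no known-good copy, so the
        # driver on disk (tcpip.sys here) is patched; "[7]" copies are clean references.
        if line.startswith("[-] "):
            findings.append(Finding(line.split(" . . ")[-1].strip(), "Sigcheck: hash mismatch"))
            continue
        m = SERVICE_RE.match(line)
        if m:
            start, name, _display, image = m.groups()
            image_l = image.lower().strip()
            if not image_l or image_l.endswith("[?]") or image_l.endswith("[x]"):
                # "[?]"/"[x]": ComboFix could not find the image file. A rootkit
                # driver hides its own file; a leftover service points at nothing.
                findings.append(Finding(name, f"{start} service: image file not found"))
            elif "documents and settings" in image_l:
                findings.append(Finding(name, f"{start} service: image under a user profile"))
            if looks_random(name):
                # For svchost -k netsvcs services the payload is in the ServiceDll
                # value, which ComboFix prints separately; the name is the tell here.
                findings.append(Finding(name, f"{start} service: random-looking name"))
            continue
        if re.match(r'^"EnableFirewall"\s*=\s*0\b', line):
            findings.append(Finding("EnableFirewall", "Windows Firewall disabled in registry"))
        elif re.match(r'^"DisableMonitoring"\s*=\s*dword:0*1$', line):
            findings.append(Finding("DisableMonitoring", "Security Center AV monitoring disabled"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason:45} {f.name}")
```

Run against the sample it flags `rprgjrjz` twice (missing file and random name), `bwfjqbb` (random name hosted by svchost), `hprnkzjo` (no image), `ig91o1rto` (image in LocalService's profile), the patched `tcpip.sys`, and the two disabled protections, while the Nokia and PPPoE drivers pass. The no-vowel rule is deliberately strict to keep false positives down; a legitimate driver with a terse name would still need a human look, which is what the helper does in the posts that follow.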



#9 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:06:21 AM

Posted 11 June 2010 - 05:52 AM

Hi,

I am currently creating a fix for you.

Are you using, or did you use, "Quick Heal Network Protection"?


Thanks,
~Semp

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I haven't replied within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#10 fordp82

fordp82
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:03:51 AM

Posted 11 June 2010 - 06:37 AM

Hi Semp,
I have to say that I highly appreciate your help, guidance and precise direction.

No, I don't remember using Quick Heal on this laptop.
See ya,
Fordp82

#11 sempai

Posted 11 June 2010 - 06:38 AM

Alright, give me a minute to complete and post the fix for you.

~Semp



#12 sempai

Posted 11 June 2010 - 06:48 AM

Hi,


P2P Warning:
Your log(s) show that you are using so called peer-to-peer or file-sharing programmes (in your case uTorrent).

These programmes allow users to share files with one another, as the name suggests. In today's world cybercrime has reached an enormous scale, and any means is used to infect personal computers in order to make use of their stored data or machine power for further propagation of malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and they are thus best used with great care. Some further reading on this subject, via the included links, is as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes copyright law in many countries around the world, and you put yourself at risk of being indicted by organisations watching over the rights of the authors of such files (e.g. the RIAA for music files, or the MPAA for movie files in the USA) or by the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."




==========================================



One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterward. Let me know what you decide to do.



==========================================



Please follow the next instructions only if you do not wish to reformat:


1. Backup Your Registry with ERUNT
  • Please download ERUNT.
  • Follow the detailed instructions HERE on how to install and run ERUNT.
  • Make sure that you have successfully installed and run ERUNT before proceeding with the next instruction.



2. We need to execute a ComboFix script. (Tutorials on how to disable your antivirus and anti-malware programs can be found HERE.)
1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open Notepad and copy/paste the text in the code box below into it:

CODE
KillAll::

FCopy::  
c:\windows\system32\dllcache\tcpip.sys | c:\windows\SoftwareDistribution\Download\663e7188bbb3d768555f5280d384ddab\sp3qfe\tcpip.sys
c:\windows\system32\dllcache\tcpip.sys | c:\windows\SoftwareDistribution\Download\663e7188bbb3d768555f5280d384ddab\sp3gdr\tcpip.sys
c:\windows\system32\dllcache\tcpip.sys | c:\windows\SoftwareDistribution\Download\663e7188bbb3d768555f5280d384ddab\sp2gdr\tcpip.sys
c:\windows\system32\dllcache\tcpip.sys | c:\windows\SoftwareDistribution\Download\663e7188bbb3d768555f5280d384ddab\sp2qfe\tcpip.sys
c:\windows\system32\dllcache\tcpip.sys | c:\windows\system32\drivers\tcpip.sys
c:\windows\system32\dllcache\ctfmon.exe | c:\windows\System32\ctfmon.exe


File::
c:\documents and settings\Shree\secupdat.dat
c:\windows\system32\secupdat.dat
c:\documents and settings\LocalService\Application Data\Microsoft\routumysaqu.exe
c:\windows\system32\raca.exe
c:\windows\system32\routumysaqu.exe
c:\documents and settings\LocalService\Application Data\Microsoft\cicytivo.exe
c:\windows\system32\fousygonny.exe
c:\windows\system32\bdod.bin
c:\windows\system32\3668029F6B.dll
c:\windows\system32\Drivers\rprgjrjz.sys
c:\windows\system32\drivers\payei.sys
c:\windows\system32\fvzobzwn.dll
c:\windows\system32\rozapoofa.exe
c:\windows\System32\DRIVERS\CableFlta.sys
c:\windows\System32\DRIVERS\CableFltb.sys
c:\windows\System32\DRIVERS\CableFlte.sys
c:\windows\System32\DRIVERS\CableFltf.sys
c:\windows\System32\DRIVERS\CableFltg.sys
c:\windows\System32\DRIVERS\CableFlti.sys
c:\windows\System32\DRIVERS\CableFltk.sys
c:\windows\System32\DRIVERS\CableFlto.sys
c:\windows\System32\DRIVERS\CableFltp.sys
c:\windows\System32\DRIVERS\CableFltq.sys
c:\windows\System32\DRIVERS\CableFltr.sys
c:\windows\System32\DRIVERS\CableFltu.sys
c:\windows\System32\DRIVERS\CableFlty.sys
c:\windows\system32\DRIVERS\CableFlt.sys


Folder::
c:\program files\Common Files\Softwin

Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\bwfjqbb]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rprgjrjz.sys]
[-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001

Driver::
rprgjrjz
ngspeb
bwfjqbb
hprnkzjo
ipfuklmj
nqcbunxr
rnr2feu9xy79oaoi
ig91o1rto
CableFlta
CableFltb
CableFlte
CableFltf
CableFltg
CableFlti
CableFltk
CableFlto
CableFltp
CableFltq
CableFltr
CableFltu
CableFlty
CableFlt

NetSvc::
bwfjqbb

SecCenter::
{17DDD097-36FF-435F-9E1B-52D74245D6BF}
{84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}


4. Save this as CFScript.txt, in the same location as ComboFix.exe

5. Referring to the picture above, drag CFScript into ComboFix.exe

6. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

~Semp



#13 fordp82 (Topic Starter)

Posted 11 June 2010 - 12:59 PM

Hi Semp,
I realize that the threat is a major one.
I think I'll reformat and reinstall Windows.
Do you mean to say that even after doing that, my computer might still not be safe? And I shouldn't do any purchasing or bank dealings from it?

Also, while reformatting, can I back up and save some music and stuff? Or should I preferably let it go?

Another thing: do I need to reset my broadband router, which was wirelessly connected to the laptop?

Many thanks for the clear and necessary guidelines.
I couldn't have handled this confidently without your valuable help.
Bye.
Fordp82

#14 sempai

Posted 11 June 2010 - 07:19 PM

Hi fordp82,

QUOTE
Do you mean to say that even after doing that, my computer might still not be safe? And i shouldn't do any purchasing or bank dealings from it?

QUOTE
We can still clean this machine but I can't guarantee that it will be 100% secure afterward. Let me know what you decide to do.

I meant that after we finish removing the malware manually, a reformat is a good choice and will ensure that all the malware is wiped out; you can do all your usual activities after the reformat. But I would still advise you to change all your offline and online passwords.


QUOTE
Also, while reformatting, can i back up and save some music and stuff?or should i let it go preferably?

It would be wise for you to back up any files and folders that you don't want to lose before reformatting.

Do not back up any programs/applications/installers like .exe, .scr, .htm, .html, .xml, .zip/.rar files...
The reason for this is that these files may also be infected. If you restore them after the reinstallation of the OS, they will surely reinfect you.


QUOTE
Another thing-do i need to reset my broadband router which was wirelessly connected to the lap?

I didn't see any router hijacking in your log, but doing that will not do any harm.


Regards,
~Semp


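The backup advice in the post above is a deny-list of extensions. A practitioner would add one more check before copying anything off a machine where executables were dropped under random names: look at the first bytes of each file, because a PE renamed to `track.mp3` passes an extension filter untouched. The script below is an added example written for this thread, not software from BleepingComputer; the extension list is the post's, while the magic-byte table, the sample file headers, and the names `backup_verdict` and `plan_backup` are assumptions of the example.

```python
"""Pick what to copy off an infected XP machine before the reformat.

Added example for this thread, not from BleepingComputer. The extension
deny-list is the one given in the post above; the magic-byte check is an
assumption added here so that an executable renamed to look like music or a
photo is refused as well, since extension filtering alone would let it through.
"""
import os

DENY_EXT = {".exe", ".scr", ".htm", ".html", ".xml", ".zip", ".rar"}
# First bytes of the file types the deny-list is about: PE executables ("MZ"),
# ZIP-based archives and RAR archives. Checked regardless of the file name.
DENY_MAGIC = {b"MZ": "PE executable", b"PK\x03\x04": "ZIP archive", b"Rar!": "RAR archive"}


def backup_verdict(filename: str, head: bytes):
    """Return (safe_to_copy, reason) for one file, given its name and first bytes."""
    ext = os.path.splitext(filename)[1].lower()
    if ext in DENY_EXT:
        return False, f"extension {ext} is on the deny-list"
    for magic, kind in DENY_MAGIC.items():
        if head.startswith(magic):
            return False, f"content is a {kind} despite extension {ext or '(none)'}"
    return True, "ok"


def plan_backup(files):
    """files: iterable of (name, first bytes). Returns (keep, skip) lists of (name, reason)."""
    keep, skip = [], []
    for name, head in files:
        ok, why = backup_verdict(name, head)
        (keep if ok else skip).append((name, why))
    return keep, skip


# Constructed sample: names and leading bytes, not files from the user's machine.
SAMPLE_FILES = [
    ("holiday.jpg", b"\xff\xd8\xff\xe0"),
    ("song.mp3", b"ID3\x03\x00"),
    ("notes.txt", b"shopping list"),
    ("setup.exe", b"MZ\x90\x00"),
    ("track.mp3", b"MZ\x90\x00"),      # executable renamed to pass as music
    ("photos.zip", b"PK\x03\x04"),
]

if __name__ == "__main__":
    keep, skip = plan_backup(SAMPLE_FILES)
    for name, why in keep + skip:
        print(f"{'COPY' if why == 'ok' else 'SKIP':4} {name}: {why}")
```

On a real disk the `head` argument is the first eight bytes read from each file in binary mode, walked from the user's profile with `os.walk`. The decision is conservative on purpose: a data file that happens to be an Office 2007 document is a ZIP underneath and would be skipped too, which is the safer error on a box with an active backdoor.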

#15 fordp82 (Topic Starter)

Posted 12 June 2010 - 12:28 AM

Hi Semp, I'll go ahead with the reformatting.
And I'll reset the router settings.
Thanks for all the systematic effort put in by you.
Good luck for the future.
Regards,
Fordp82.




