
Malware & Rootkit Infection? Don't know what I have..


2 replies to this topic

#1 a_chameleon

a_chameleon

  • Members
  • 1 posts
  • OFFLINE
  • Local time:06:44 PM

Posted 07 June 2010 - 10:04 PM

{OS: XP Home Edition}

Hello Staff, Moderators, All..

I am having the same problem that Cian7197 is having.
This is my 1st rootkit encounter.
  • The IP addresses trying to attack via svchost.exe include some of the ones Cian7197 notes,
    but also a host more.
  • I keep getting a JIT Script debugger request.
    Every time I debug, MS Script Editor reports the file being debugged is
    "[XXXX] svchost.exe Script program"
  • If it's of any value, AVG found (4) infections in c:\System Volume Information, but apparently
    AVG couldn't clean them, or (wild guess) this malware installs a script that re-inserts the
    whatever-it-is inside System Volume Info., because I cannot restore the machine to a pre-infection date.
    In fact, System Restore didn't/doesn't work at all.
  • I installed Norton AV, (which was how I learned of the intrusion attempts); it detected
    "Spyware.CometCursor" inside c:\System Volume Information.
    Norton AV has apparently cleaned that up.
{+} _____________________ DDS.txt ____________________ {+}



DDS (Ver_10-03-17.01) - NTFSx86
Run by Cheri at 20:20:05.34 on Mon 06/07/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.418 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Norton AntiVirus *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\lxctcoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\Engine\17.7.0.12\ccSvcHst.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Norton AntiVirus\Engine\17.7.0.12\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe
C:\Program Files\Lexmark 5400 Series\lxctmon.exe
C:\Program Files\Lexmark 5400 Series\ezprint.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Cheri\Desktop\Rootkit Killer\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mWinlogon: Userinit=c:\windows\system32\Userinit.exe
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\17.7.0.12\IPSBHO.DLL
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
mRun: [Linksys Wireless Manager] "c:\program files\linksys\linksys wireless manager\LinksysWirelessManager.exe" /cm /min /lcid 1033
mRun: [lxctmon.exe] "c:\program files\lexmark 5400 series\lxctmon.exe"
mRun: [Lexmark 5400 Series Fax Server] "c:\program files\lexmark 5400 series\fm3032.exe" /s
mRun: [EzPrint] "c:\program files\lexmark 5400 series\ezprint.exe"
mRun: [LXCTCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCTtime.dll,_RunDLLEntry@16
StartupFolder: c:\docume~1\cheri\startm~1\programs\startup\taskmg~1.lnk - c:\windows\system32\taskmgr.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} - hxxp://tools.ebayimg.com/pm/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nav\1107000.00c\symds.sys [2010-6-5 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1107000.00c\symefa.sys [2010-6-5 173104]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-5-6 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-5-6 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-5-6 242896]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.0.0.136\definitions\bashdefs\20100429.001\BHDrvx86.sys [2010-4-29 537136]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nav\1107000.00c\cchpx86.sys [2010-6-5 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nav\1107000.00c\ironx86.sys [2010-6-5 116784]
R2 NAV;Norton AntiVirus;c:\program files\norton antivirus\engine\17.7.0.12\ccsvchst.exe [2010-6-5 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-6-5 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.0.0.136\definitions\ipsdefs\20100528.003\IDSXpx86.sys [2010-5-28 331640]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.0.0.136\definitions\virusdefs\20100607.006\NAVENG.SYS [2010-6-7 85552]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.0.0.136\definitions\virusdefs\20100607.006\NAVEX15.SYS [2010-6-7 1347504]
S3 WUSB54GCv3;Compact Wireless-G USB Network Adapter;c:\windows\system32\drivers\WUSB54GCv3.sys [2010-5-4 627072]
S4 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-5-6 308064]

=============== Created Last 30 ================

2010-06-07 21:57:08 0 d-----w- c:\program files\MSECache
2010-06-06 00:25:45 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-06-06 00:25:45 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-06-06 00:25:45 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-06-06 00:25:45 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-06-06 00:25:45 0 d-----w- c:\program files\Symantec
2010-06-06 00:25:45 0 d-----w- c:\program files\common files\Symantec Shared
2010-06-06 00:24:13 0 d-----w- c:\windows\system32\drivers\NAV
2010-06-06 00:24:10 0 d-----w- c:\program files\Norton AntiVirus
2010-06-06 00:09:13 0 d-----w- c:\docume~1\alluse~1\applic~1\Norton
2010-06-06 00:02:28 0 d-----w- c:\program files\NortonInstaller
2010-06-06 00:02:28 0 d-----w- c:\docume~1\alluse~1\applic~1\NortonInstaller
2010-06-05 00:35:00 0 d-----w- c:\windows\system32\wbem\Repository
2010-06-01 12:22:35 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-06-01 12:22:35 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-05-27 12:10:15 3255 ----a-w- c:\windows\system32\wbem\Outlook_01cafd9590f65e60.mof
2010-05-15 17:03:30 3840 ----a-w- c:\windows\system32\drivers\BANTExt.sys
2010-05-15 17:03:30 0 d-----w- c:\program files\Belarc
2010-05-15 16:37:44 60416 ----a-w- c:\windows\ALCFDRTM.VER
2010-05-15 16:37:44 60416 ----a-w- c:\windows\ALCFDRTM.EXE
2010-05-15 16:37:44 146650 ----a-w- c:\windows\system32\BuzzingBee.wav
2010-05-15 16:37:44 125690 ----a-w- c:\windows\system32\LoopyMusic.wav
2010-05-15 16:37:43 0 d-----w- c:\windows\system32\Lang
2010-05-15 16:19:34 1048 ------w- c:\windows\system32\drivers\alcxinit.dat
2010-05-15 15:47:26 0 d-----w- c:\program files\Windows Media Connect 2
2010-05-15 15:46:05 0 d-----w- c:\windows\system32\LogFiles
2010-05-14 23:52:38 692224 ----a-w- c:\windows\system32\lxctdrs.dll
2010-05-14 23:42:48 458752 ----a-w- c:\windows\system32\lxctutil.dll
2010-05-14 23:42:46 667648 ----a-w- c:\windows\system32\lxctcomc.dll
2010-05-14 23:42:46 376832 ----a-w- c:\windows\system32\lxctcfg.exe
2010-05-14 23:42:15 0 d-----w- C:\drivers
2010-05-14 23:37:39 0 d-----w- c:\docume~1\cheri\applic~1\NoteTab Light
2010-05-14 23:37:10 0 d-----w- c:\docume~1\cheri\applic~1\5400 Series
2010-05-14 23:31:37 0 d-----w- c:\program files\lx_cats
2010-05-14 23:21:36 40960 ----a-w- c:\windows\system32\lxctvs.dll
2010-05-14 23:17:26 528384 ----a-w- c:\windows\system32\lxctcoms.exe
2010-05-14 23:17:17 421888 ----a-w- c:\windows\system32\lxctcomm.dll
2010-05-14 23:16:13 335872 ----a-w- c:\windows\system32\lxctcoin.dll
2010-05-14 22:09:34 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2010-05-14 22:09:34 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2010-05-14 22:09:10 87040 -c--a-w- c:\windows\system32\dllcache\wiafbdrv.dll
2010-05-14 22:09:10 87040 ----a-w- c:\windows\system32\wiafbdrv.dll
2010-05-14 22:07:53 65536 ----a-w- c:\windows\system32\lxctcaps.dll
2010-05-14 21:59:53 61440 ----a-w- c:\windows\system32\lxctcnv4.dll
2010-05-14 21:55:01 40960 ----a-w- c:\windows\system32\lxctpmon.dll
2010-05-14 21:55:01 32768 ----a-w- c:\windows\system32\LXCTFXPU.DLL
2010-05-14 21:55:01 12288 ----a-w- c:\windows\system32\lxctpmrc.dll
2010-05-14 21:55:00 98345 ----a-w- c:\windows\system32\IMHOST32.DLL
2010-05-14 21:55:00 98304 ----a-w- c:\windows\system32\IM31XPNG.DEL
2010-05-14 21:55:00 69632 ----a-w- c:\windows\system32\IM31XTIF.DEL
2010-05-14 21:55:00 49152 ----a-w- c:\windows\system32\IM31IMG.DIL
2010-05-14 21:55:00 339968 ----a-w- c:\windows\system32\IMGMAN32.DLL
2010-05-14 21:54:46 0 d-----w- c:\docume~1\alluse~1\applic~1\5400 Series
2010-05-14 21:34:14 0 d-----w- c:\program files\Lexmark Toolbar
2010-05-14 21:32:49 0 d-----w- c:\program files\Lexmark 5400 Series
2010-05-14 21:15:25 274432 ----a-w- c:\windows\system32\LXCTinst.dll
2010-05-14 21:15:23 409600 ----a-w- c:\windows\system32\lxctinpa.dll
2010-05-14 21:15:22 393216 ----a-w- c:\windows\system32\lxctiesc.dll
2010-05-14 21:09:58 86016 ----a-w- c:\windows\system32\lxctcub.dll
2010-05-14 21:09:57 73728 ----a-w- c:\windows\system32\lxctcu.dll
2010-05-14 21:09:57 36864 ----a-w- c:\windows\system32\lxctcur.dll
2010-05-14 21:00:30 77824 ----a-w- c:\windows\system32\LXCTcfg.dll
2010-05-14 21:00:30 2180 ----a-w- c:\windows\system32\lxct.loc
2010-05-14 21:00:30 21342 ----a-w- c:\windows\system32\LexFiles.ulf
2010-05-14 21:00:17 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2010-05-14 21:00:17 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys

==================== Find3M ====================

2010-06-02 14:00:44 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-05-06 13:29:44 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-05-06 13:29:33 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-11 12:38:54 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38:51 17408 ------w- c:\windows\system32\corpol.dll

============= FINISH: 20:21:20.21 ===============

{+} __________________END of DDS.txt ____________________ {+}

I hope I've done everything correctly..

TIA for any help & advice!

Edited by a_chameleon, 07 June 2010 - 10:07 PM.
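A small triage helper for reading a DDS.txt like the one above, added here as an example and not part of the original post or of the DDS tool. It splits the log into its "=====" sections and pulls out three things a helper on this forum looks at first: running-process entries that DDS printed without a directory path (the bare `svchost.exe` lines), AV products whose on-access scanning is reported disabled, and any `Hosts:` redirections. The sample log embedded in the script is constructed for this example and only loosely mirrors the post's log; the function names and the section titles it matches on are assumptions based on the log format shown above.

```python
"""Triage helper for a DDS.txt log (added example, not from the forum post or DDS).

DDS prints one line per running process; an entry with no drive or directory,
such as a bare "svchost.exe", means DDS could not resolve the image path, which
is worth a closer look when several appear. The "AV:" lines record whether
on-access scanning is enabled, and "Hosts:" lines show local redirections.
"""
import re
from collections import defaultdict

# Constructed sample, loosely modelled on the log in the post (not a real capture).
SAMPLE_DDS = """\
DDS (Ver_10-03-17.01) - NTFSx86
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Norton AntiVirus *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

============== Running Processes ===============

C:\\WINDOWS\\system32\\svchost -k DcomLaunch
svchost.exe
C:\\WINDOWS\\System32\\svchost.exe -k netsvcs
svchost.exe
C:\\WINDOWS\\system32\\spoolsv.exe
C:\\WINDOWS\\Explorer.EXE

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
Hosts: 127.0.0.1 www.spywareinfo.com

============= FINISH: 20:21:20.21 ===============
"""

# Section headers look like "===== Name =====" (assumed from the log layout).
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
AV_RE = re.compile(r"AV:\s*(.+?)\s*\*On-access scanning (enabled|disabled)\*")
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_sections(text):
    """Return {section name: [non-empty lines]}; lines before the first header go under 'Header'."""
    sections = defaultdict(list)
    current = "Header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = SECTION_RE.match(line)
        if match:
            current = match.group(1)
            continue
        sections[current].append(line)
    return dict(sections)


def unpathed_processes(sections):
    """Image names in 'Running Processes' that DDS listed without a drive/directory."""
    found = []
    for line in sections.get("Running Processes", []):
        image = line.split()[0]          # drop "-k netsvcs"-style arguments
        if not DRIVE_PATH_RE.match(image):
            found.append(image)
    return found


def disabled_av_products(sections):
    """AV products whose 'AV:' line reports on-access scanning disabled."""
    return [
        m.group(1)
        for line in sections.get("Header", [])
        if (m := AV_RE.match(line)) and m.group(2) == "disabled"
    ]


def hosts_overrides(sections):
    """(address, hostname) pairs from 'Hosts:' lines in the Pseudo HJT Report."""
    pairs = []
    for line in sections.get("Pseudo HJT Report", []):
        if line.startswith("Hosts:"):
            parts = line.split()
            if len(parts) >= 3:
                pairs.append((parts[1], parts[2]))
    return pairs


def triage(text):
    """Run all three checks over a DDS.txt body and return the findings."""
    sections = parse_sections(text)
    return {
        "unpathed_processes": unpathed_processes(sections),
        "disabled_av": disabled_av_products(sections),
        "hosts_overrides": hosts_overrides(sections),
    }


if __name__ == "__main__":
    for name, value in triage(SAMPLE_DDS).items():
        print(f"{name}: {value}")
```

Running it against the constructed sample reports the two unpathed `svchost.exe` entries, Norton AntiVirus as the product with on-access scanning disabled, and the single Hosts redirection. None of these is proof of infection on its own; the helper only surfaces the lines a reviewer would want to read first, and the path-less process entries in particular need checking against the machine itself.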



#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:44 AM

Posted 11 June 2010 - 01:20 PM

Hi a_chameleon,

Welcome to Virus/Trojan/Spyware/Malware Removal forum.

Please update me on the current condition of your computer if the issue is not resolved.

Also run DDS and post a fresh DDS.txt in your reply. No need for the Attach.txt.

#3 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:44 AM

Posted 16 June 2010 - 03:10 PM

This thread will now be closed due to lack of activity.

If you should have a new issue, please start a new topic.
