Rasacd.sys infected with Win32/Patched.DX


  • This topic is locked
10 replies to this topic

#1 blue.dreams
Posted 29 June 2010 - 04:42 PM

Hello,

So last Monday my computer (running Windows XP, SP3) got hit with some nasty stuff calling itself the "AV Security Suite Demo." I rebooted into safe mode and ran AVG and MBAM. MBAM removed 8 infections. AVG found one, but couldn't remove it. That's the Win32/Patched.DX. It's noted as white-listed and a critical file. It's located at C:\WINDOWS\system32\drivers\rasacd.sys

After rebooting into normal mode and updating AVG, MBAM, and Spybot, I scanned with all three. AVG and MBAM gave the all-clear, but Spybot removed one infection. I've updated and scanned several times in the last week with all three, and they'd found no infections. Yet ... my PC is still acting weird: slow, volume was messed up (but I fixed it), there are 8 svchost.exe's in my Task Manager, I can't paste from a website text+pics into Word when that used to work just fine.

Mostly I'm worried that the Win32/Patched.DX is still hanging around as AVG apparently did nothing to it since it's white-listed/critical. I'd just like to know if my computer is infected or not and how to clean it.

I have a firewall on and update/scan with AVG, MBAM, Spybot constantly...what else should I be doing in the future to protect my computer?

Some notes on when I was following the prep guide for this post:

--instructions say to dispose of DSS when done with it. Is deleting it from my desktop sufficient? It was not listed under Add/Remove programs.

--when I first opened GMER, it seemed to scan automatically and listed several files. I just continued to follow the guide's instructions.

--I'm guessing GMER finished scanning. There was no flashing of file names at the bottom.

Thank you so much for your selfless and noble (IMO) offer to help!


DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 15:38:53.76 on Tue 06/29/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1534.767 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uWindow Title = Microsoft Internet Explorer provided by Verizon Online
uSearch Bar = hxxp://cgi.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=6.1&bm=ho_search
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Verizon Broadband Toolbar: {4e7bd74f-2b8d-469e-d0fc-e57af4d5fa7d} - c:\progra~1\common~1\verizo~1\sfp\vzbb.dll
TB: Verizon Broadband Toolbar: {4e7bd74f-2b8d-469e-d0fc-e57af4d5fa7d} - c:\progra~1\common~1\verizo~1\sfp\vzbb.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [Motive SmartBridge] c:\progra~1\verizo~1\smartb~1\MotiveSB.exe
mRun: [NeroCheck] c:\windows\system32\\NeroCheck.exe
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [Ulead Video@Home Scheduling Wizard] c:\program files\ulead systems\ulead video@home 2.0\monitor.exe
mRun: [emMON] emMON.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\verizo~1.lnk - c:\program files\verizon online\bin\matcli.exe
StartupFolder: c:\docume~1\all

Please forgive the multiple (like 27!) posts. I'm *mortified*. Firefox said the connection was reset when I clicked "Post New Topic" and to "Try Again." So I kept trying again.

I'd delete the extra posts if I could. If a mod could please do that, I'd appreciate it. (I've PMed one to request this.) Very, very sorry.

Also, my DDS log was cut off somehow! Here's the rest:

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1265964774812
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: bevimahu.dll c:\windows\system32\jahujihi.dll c:\windows\system32\basukavu.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: pihuzomul - {aa9aaa69-2176-45d1-9655-0fa3e2d3e6b1} - c:\windows\system32\jahujihi.dll
SSODL: saboleloy - {15a4d199-9581-469d-a4fa-22f3593c5c02} - c:\windows\system32\basukavu.dll
STS: gahurihor: {aa9aaa69-2176-45d1-9655-0fa3e2d3e6b1} - c:\windows\system32\jahujihi.dll
STS: tokatiluy: {15a4d199-9581-469d-a4fa-22f3593c5c02} - c:\windows\system32\basukavu.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\97xu6jao.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-2-2 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-2-2 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-2-2 242896]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-3-15 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-15 308064]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

=============== Created Last 30 ================

2010-06-29 19:35:54 0 ----a-w- c:\documents and settings\owner\defogger_reenable
2010-06-15 08:42:50 393 ----a-w- c:\windows\NJCOM.INI
2010-06-15 08:42:39 0 d-----w- c:\docume~1\owner\applic~1\NJStar
2010-06-15 08:42:31 0 d-----w- c:\program files\NJStar Communicator

==================== Find3M ====================

2010-06-02 12:45:01 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-05-08 13:16:49 34464 ---ha-w- c:\windows\system32\mlfcache.dat

============= FINISH: 15:40:53.95 ===============

Edited by boopme, 29 June 2010 - 06:05 PM.

#2 Farbar
Posted 30 June 2010 - 05:16 AM

Hi blue.dreams,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. In case of making changes I shall assume my assistance is not needed any more.

We are going to run this special tool.
  • Please download TDSSKiller.exe and save it to your desktop.
  • Run TDSSKiller.exe.
  • When it has finished, press any key to continue.
  • Let it reboot if needed and tell me whether it needed a reboot.
  • It also writes a txt file to the C:\ directory (like TDSSKiller.2.3.2.0_Date_Time_log.txt). Please attach it to your reply.


#3 blue.dreams
Posted 30 June 2010 - 02:56 PM

Thank you very much for your time and assistance, farbar!

TDSSKiller did instruct me to reboot. I tried to reboot. My computer hung/froze at "Saving Your Settings." After a long time hoping it would un-freeze, I did what I believe is called a hard reboot -- I turned the computer off by the button on the tower. After several seconds, I then turned it back on.

Attaching the log.

Many thanks!


#4 Farbar
Posted 30 June 2010 - 03:42 PM

Thanks for the feedback. The rootkit is taken care of.
  1. Open your Malwarebytes' Anti-Malware.
    • First update it, to do that under the Update tab press "Check for Updates".
    • Under Scanner tab select "Perform Quick Scan", then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


  2. Please run DDS and post a fresh DDS.txt to your reply. No need for the Attach.txt


#5 blue.dreams
Posted 30 June 2010 - 08:49 PM

"Show Results" did not come up when I clicked "OK" after MBAM finished. But the MBAM and DDS logs follow. I am so grateful for your assistance! May I ask a question, too? Do I need to worry that this infection presents a backdoor threat?

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4262

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/30/2010 9:40:56 PM
mbam-log-2010-06-30 (21-40-56).txt

Scan type: Quick scan
Objects scanned: 132318
Time elapsed: 16 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 21:45:43.23 on Wed 06/30/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1534.831 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Ulead Systems\Ulead Video@Home 2.0\monitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\~mad's 2.7.10~\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uWindow Title = Microsoft Internet Explorer provided by Verizon Online
uSearch Bar = hxxp://cgi.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=6.1&bm=ho_search
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Verizon Broadband Toolbar: {4e7bd74f-2b8d-469e-d0fc-e57af4d5fa7d} - c:\progra~1\common~1\verizo~1\sfp\vzbb.dll
TB: Verizon Broadband Toolbar: {4e7bd74f-2b8d-469e-d0fc-e57af4d5fa7d} - c:\progra~1\common~1\verizo~1\sfp\vzbb.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [Motive SmartBridge] c:\progra~1\verizo~1\smartb~1\MotiveSB.exe
mRun: [NeroCheck] c:\windows\system32\\NeroCheck.exe
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [Ulead Video@Home Scheduling Wizard] c:\program files\ulead systems\ulead video@home 2.0\monitor.exe
mRun: [emMON] emMON.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\verizo~1.lnk - c:\program files\verizon online\bin\matcli.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1265964774812
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: bevimahu.dll c:\windows\system32\jahujihi.dll c:\windows\system32\basukavu.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: pihuzomul - {aa9aaa69-2176-45d1-9655-0fa3e2d3e6b1} - c:\windows\system32\jahujihi.dll
SSODL: saboleloy - {15a4d199-9581-469d-a4fa-22f3593c5c02} - c:\windows\system32\basukavu.dll
STS: gahurihor: {aa9aaa69-2176-45d1-9655-0fa3e2d3e6b1} - c:\windows\system32\jahujihi.dll
STS: tokatiluy: {15a4d199-9581-469d-a4fa-22f3593c5c02} - c:\windows\system32\basukavu.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\97xu6jao.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-2-2 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-2-2 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-2-2 242896]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-3-15 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-15 308064]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

=============== Created Last 30 ================

2010-06-29 19:35:54 0 ----a-w- c:\documents and settings\owner\defogger_reenable
2010-06-15 08:42:50 393 ----a-w- c:\windows\NJCOM.INI
2010-06-15 08:42:39 0 d-----w- c:\docume~1\owner\applic~1\NJStar
2010-06-15 08:42:31 0 d-----w- c:\program files\NJStar Communicator

==================== Find3M ====================

2010-06-30 19:48:25 8832 ----a-w- c:\windows\system32\drivers\rasacd.sys
2010-06-02 12:45:01 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-05-08 13:16:49 34464 ---ha-w- c:\windows\system32\mlfcache.dat

============= FINISH: 21:46:35.73 ===============


#6 Farbar
Posted 01 July 2010 - 11:07 AM

To answer your question, the rootkit has backdoor potential, but I have not seen cases where there is great harm. I don't think you should worry about it. But it is better to be safe than sorry. We will do an extra check.
  1. Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box (without the word CODE) into a new file:


    CODE
    @ECHO OFF
    REM Remove the per-user Internet Explorer proxy the malware set (ProxyServer = http=127.0.0.1:5555)
    Reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /f
    Reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /f
    REM Reset the WinHTTP (system-wide) proxy to direct access
    proxycfg -d

    • Go to the File menu at the top of the Notepad and select Save as.
    • Select Save in: desktop
    • Fill in File name: fix.bat
    • Save as type: All file types (*.*)
    • Click save.
    • Close the Notepad.
    • Locate fix.bat on the desktop. It should look like this:
    • Double-click to run it.
    • A window flashes, this is normal.

  2. I'd like us to scan your machine with ESET OnlineScan
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESET OnlineScan
    • Click the button.
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      • Click on to download the ESET Smart Installer. Save it to your desktop.
      • Double click on the icon on your desktop.
    • Check
    • Click the button.
    • Accept any security warnings from your browser.
    • Check
    • Push the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push
    • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • Push the button.
    • Push

    A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt


#7 blue.dreams
Posted 02 July 2010 - 01:34 PM

farbar, you're my hero

The fix.bat indeed fixed a problem my computer still had. Before the problem was fixed, when I tried to paste from the Web, Microsoft Word would access 127.0.0.1 and images wouldn't paste. Now after the fix, Word is accessing 72.something that's a long number, and I can paste from the Web again.

Since I'm not a computer expert by any means, could you please explain what that problem was and how fix.bat fixed it? I hope it wasn't a backdoor.

Also, ESET said "No threats found."

Thank you!

#8 Farbar
Posted 02 July 2010 - 01:51 PM

Great.

The problem was that the malware had added a proxy setting through 127.0.0.1 (that is, the local host) to a domain. So Internet Explorer had to go through that particular domain to get to the internet unless there was another setting to overrule it. We removed the settings and set it back to the default LAN settings. This was not a backdoor.

It looks good.
  1. You may delete any tool or log we used from your computer.

  2. First set a new Restore Point, then remove the old Restore Points to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools cannot access it to delete these bad files, which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll back" to a clean working state.

    To set a new restore point:
    • Go to Start > Programs > Accessories > System Tools and click "System Restore".
    • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.

    To remove the old restore points:
    • Go to Start > Run then type: Cleanmgr in the box and click "OK".
    • You get a window to select the drive to clean, the default is already set to (C:) drive. Click OK.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
    • Click OK and Yes.

  3. I recommend installing this small application for safe surfing: Javacools' SpywareBlaster
    SpywareBlaster will add a large list of programs and sites into your Internet Explorer and Firefox settings and that will protect you from running and downloading known malicious programs.
    • Download and install it.
    • Update it manually by clicking on Updates in the left pane and then Check for Updates.
    • Then enable all the protections by clicking on Protection Status on the left pane. Then click on Enable All Protection.
    • The free version doesn't have an automatic update. Update it once every two or three weeks and enable all protection again.

Happy Surfing blue.dreams.
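The check below is an added example, not part of this thread and not code from DDS or from Farbar. It reads DDS "Pseudo HJT Report" lines the way the helper did above: a per-user proxy pointed at loopback (the HKCU ProxyServer value fix.bat deleted), AppInit_DLLs entries, Hosts redirects of security sites, and recently written kernel drivers such as rasacd.sys. The sample input is constructed from the logs posted in this thread; the Finding/triage names are hypothetical.

```python
"""Triage DDS "Pseudo HJT Report" lines for the indicators worked through in this thread.

Hypothetical helper (not part of DDS or of the thread). It flags a per-user
WinINet proxy pointed at loopback (the HKCU ProxyServer value fix.bat deleted),
AppInit_DLLs entries (DLLs loaded into every user32-linked process), Hosts
redirects of security sites, and recently written kernel drivers such as
rasacd.sys. Sample input is constructed from the logs posted above.
"""
import re
from dataclasses import dataclass

LOOPBACK = re.compile(r"^(127(\.\d{1,3}){3}|localhost|::1)$", re.I)
DRIVER_LINE = re.compile(
    r"^(\d{4}-\d\d-\d\d) \d\d:\d\d:\d\d \d+ \S+ (c:\\windows\\system32\\drivers\\\S+\.sys)$", re.I)


@dataclass(frozen=True)
class Finding:
    kind: str    # loopback-proxy | appinit-dll | hosts-redirect | recent-driver
    detail: str


def parse_proxy_server(value: str) -> dict:
    """WinINet ProxyServer: 'host:port' or 'http=h:p;https=h:p' -> {scheme: 'host:port'}."""
    value = value.strip()
    if "=" not in value:
        return {"*": value}
    out = {}
    for part in value.split(";"):
        scheme, sep, hostport = part.partition("=")
        if sep:
            out[scheme.strip().lower()] = hostport.strip()
    return out


def host_of(hostport: str) -> str:
    """Strip a trailing :port; a bracketed IPv6 literal keeps its address."""
    m = re.match(r"^\[?([^\]]+?)\]?(?::\d+)?$", hostport)
    return m.group(1) if m else hostport


def triage(report: str, known_appinit=()) -> list:
    """Return a Finding for every suspicious line; known_appinit lists DLL names you trust."""
    known = {k.lower() for k in known_appinit}
    findings = []
    for raw in report.splitlines():
        line = raw.strip()
        if "Internet Settings,ProxyServer" in line:
            _, _, value = line.partition("=")           # first '=' separates key from value
            for scheme, hostport in parse_proxy_server(value).items():
                if LOOPBACK.match(host_of(hostport)):
                    findings.append(Finding("loopback-proxy", f"{scheme} -> {hostport}"))
        elif line.startswith("AppInit_DLLs:"):
            for dll in line.split(":", 1)[1].split():    # paths keep their own 'c:' intact
                if dll.lower().rsplit("\\", 1)[-1] not in known:
                    findings.append(Finding("appinit-dll", dll))
        elif line.startswith("Hosts:"):
            parts = line.split(":", 1)[1].split()
            if len(parts) == 2 and parts[1].lower() != "localhost":
                findings.append(Finding("hosts-redirect", f"{parts[1]} -> {parts[0]}"))
        else:
            m = DRIVER_LINE.match(line)                  # Created Last 30 / Find3M driver entries
            if m:
                findings.append(Finding("recent-driver", f"{m.group(1)} {m.group(2).lower()}"))
    return findings


# Constructed sample: a subset of the DDS report posted in this thread.
SAMPLE_REPORT = r"""
uStart Page = about:blank
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
AppInit_DLLs: bevimahu.dll c:\windows\system32\jahujihi.dll c:\windows\system32\basukavu.dll
Hosts: 127.0.0.1 www.spywareinfo.com
==================== Find3M ====================
2010-06-30 19:48:25 8832 ----a-w- c:\windows\system32\drivers\rasacd.sys
2010-06-02 12:45:01 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-05-08 13:16:49 34464 ---ha-w- c:\windows\system32\mlfcache.dat
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"{f.kind:15} {f.detail}")
```

Recently changed drivers are listed for review rather than judged: the legitimate AVG driver shows up beside rasacd.sys, and it is the analyst who decides which of them belong.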

#9 blue.dreams
Posted 02 July 2010 - 05:38 PM

I'm so grateful for your patience and help -- and recommendation of SpywareBlaster. Thanks for fighting the good fight!

I definitely want to free you up to help others like you've helped me. I just have one more question, but please feel free to ignore it since I've taken up a lot of your time. The other stuff that infected my computer at the same time as the Win32/Patched.DX (but that MBAM and Spybot removed) was:
Rogue.AntivirusSuite.Gen
Rogue.AntivirusSuite
Trojan.Fraudpack
Trojan.Alureon
Fraud.Sysguard

If any of those have backdoor potential, did the steps you had me do take care of any possible backdoor vulnerability? I'm trying to decide whether I need to change my passwords, stop online banking, or consider this machine "clean" for sensitive data.

I really can't thank you enough

#10 Farbar
Posted 02 July 2010 - 06:13 PM

You are most welcome blue.dreams.

All of the software you are mentioning is so-called rogue software, except one. They claim your system is infected and ask you to run a scan or buy the software, when they themselves are actually the malware.

The rootkit we removed and Trojan.Alureon have backdoor potential. So you may take any action, even if it is just a precaution. Better safe than sorry.

But since you use your computer for online banking, I recommend you purchase a paid antivirus like Kaspersky or ESET Nod32. AVG used to be good once but has degraded lately.

I hope I have answered your question.



#11 Farbar
Posted 06 July 2010 - 05:55 PM



This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.



