Trojan.Dropper and other unidentified problems


This topic is locked
9 replies to this topic

#1 dtimothy
  • Members
  • 44 posts

Posted 24 July 2010 - 01:43 PM

I'm helping somebody with a Dell Optiplex 745 running Windows XP Pro SP3. On about 7/20 the PC began acting flaky. About 3/4 of the time when you start it, it doesn't recognize the keyboard. When you can get it to work, it doesn't work well. About half of the programs that you try to run just do nothing. When you can get something to run it often runs very slowly. There's no obvious pattern in what will run and what won't at any given time. And if you keep trying different programs, eventually the whole PC just locks up. Almost every time on the next startup we would eventually get a pop-up stating that the "Generic Host Process for Win32 Services has encountered a problem and needs to close". This pop-up showed that the faulting App was svchost.exe and the faulting Mod Name was 6to4v32.dll.

Trend Micro antivirus never showed any problems. Finally managed to get Malware Bytes to run and it found and deleted three instances of Trojan.Dropper, including the file 6to4v32.dll. Malware Bytes now shows a clear scan. The Generic Host error is apparently gone but most of the other original problems still remain. There are a couple of other oddities that are probably related to this. I can't boot in safe mode. It starts to boot, gets to the Dell splash screen, starts to load windows, dies and returns to the "select an OS" boot screen. I also can't get to the Windows Update site.

= = = = = = = = = = = = = = = = = = = =

The Malware Bytes log when I first ran it is as follows:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4341

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/23/2010 1:11:52 PM
mbam-log-2010-07-23 (13-11-52).txt

Scan type: Quick scan
Objects scanned: 320678
Time elapsed: 16 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\system32\6to4v32.dll (Trojan.Dropper) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4 (Trojan.Dropper) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\6to4v32.dll (Trojan.Dropper) -> Delete on reboot.

= = = = = = = = = = = = = = = = = = = =

The DDS log is as follows:


DDS (Ver_10-03-17.01) - NTFSx86
Run by tjohnson at 16:33:37.23 on Fri 07/23/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.390 [GMT -4:00]

AV: Trend Micro Client/Server Security Agent Antivirus *On-access scanning enabled* (Updated) {568BBA18-3F2F-4AAA-87FE-B5B447CE35E3}
FW: Trend Micro Personal Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\mnmsrvc.exe
C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
C:\WINDOWS\system32\rundll32.exe
C:\Oracle\ora10g\bin\omtsreco.exe
C:\Program Files\Kyocera\FileUtility\SFUSVC.exe
C:\WINDOWS\system32\slClient.exe
C:\Program Files\Kyocera\FileUtility\nsCatCom.exe
C:\Program Files\UltiDev\Cassini Web Server for ASP.NET 2.0\UltiDevCassinWebServer2a.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Xobni\XobniService.exe
C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Trend Micro\Client Server Security Agent\TmPfw.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\Client Server Security Agent\CNTAoSMgr.exe
C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe
C:\Program Files\Trend Micro\Client Server Security Agent\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kyocera\FileUtility\NsCatCom.exe
C:\Program Files\Trend Micro\Client Server Security Agent\TmProxy.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
F:\Documents\malware\dds.scr

============== Pseudo HJT Report ===============

uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3070822
uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: The Weather Channel Toolbar: {2e5e800e-6ac0-411e-940a-369530a35e43} - c:\windows\system32\TwcToolbarIe7.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [EHSVCClaimsCfg] EHS.VCClaims.RDPRegSetVCClaims.exe
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\client server security agent\pccntmon.exe" -HideWindow
mRun: [OE] c:\program files\trend micro\client server security agent\tmas_oe\TMAS_OEMon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\scanne~1.lnk - c:\program files\kyocera\fileutility\NsCatCom.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {5EB6A98B-F75B-4AC7-821D-BAD2C29D18C2} - hxxps://www3.bcbssc.com/ClickToTalk/download/CVALAX.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5241/mcfscan.cab
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\puresp3.dll
Notify: igfxcui - igfxdev.dll
SSODL: vilorimun - {7197dcfc-b355-42ee-9122-f6d69aa6b364} - c:\windows\system32\radohomi.dll
SSODL: zajujukar - {f7559020-216e-4441-8556-0f340281ff7c} - c:\windows\system32\harunano.dll
SSODL: yowupokif - {d3fd4acd-bbc4-4a99-b9e1-620b5cbc8821} - c:\windows\system32\rilukumi.dll
SSODL: jomatapap - {241aa54d-8390-412c-ba3c-958fc154e04a} - c:\windows\system32\vitirunu.dll
SSODL: jigojepey - {38164193-0cf4-49a8-aa70-f1108ca49248} -
STS: gahurihor: {7197dcfc-b355-42ee-9122-f6d69aa6b364} - c:\windows\system32\radohomi.dll
STS: tokatiluy: {f7559020-216e-4441-8556-0f340281ff7c} - c:\windows\system32\harunano.dll
STS: jugezatag: {d3fd4acd-bbc4-4a99-b9e1-620b5cbc8821} - c:\windows\system32\rilukumi.dll
STS: jugezatag: {241aa54d-8390-412c-ba3c-958fc154e04a} - c:\windows\system32\vitirunu.dll
STS: gahurihor: {38164193-0cf4-49a8-aa70-f1108ca49248} -
LSA: Notification Packages = scecli zijokomo.dll

============= SERVICES / DRIVERS ===============

R2 ASFIPmon;Broadcom ASF IP Monitor;c:\program files\broadcom\asfipmon\AsfIpMon.exe [2006-3-17 65536]
R2 SLClient;ScriptLogic Service;c:\windows\system32\slClient.exe [2007-10-15 527360]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-11-30 50192]
R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\client server security agent\tmxpflt.sys [2009-5-21 230928]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\client server security agent\tmpreflt.sys [2009-5-21 36368]
R2 UltiDev Cassini Web Server for ASP.NET 2.0;UltiDev Cassini Web Server for ASP.NET 2.0;c:\program files\ultidev\cassini web server for asp.net 2.0\UltiDevCassinWebServer2a.exe [2007-2-8 49152]
R2 XobniService;XobniService;c:\program files\xobni\XobniService.exe [2010-3-19 55016]
R3 dsdd;dsdd;c:\windows\system32\drivers\dsvideo.sys [2007-9-6 2111]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2009-3-10 335376]
R3 TmPfw;Trend Micro Client/Server Security Agent Personal Firewall;c:\program files\trend micro\client server security agent\TmPfw.exe [2009-10-1 497008]
R3 TmProxy;Trend Micro Client/Server Security Agent Proxy Service;c:\program files\trend micro\client server security agent\TmProxy.exe [2009-10-1 685320]
S3 A5AGU;D-Link USB Wireless Network Adapter Service;c:\windows\system32\drivers\A5AGU.sys [2006-5-8 347648]
S3 HSFHWCD2;HSFHWCD2;c:\windows\system32\drivers\USR_CD2.sys [2008-11-19 216064]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2005-9-23 2799808]
UnknownUnknown dsload;dsload; [x]

=============== Created Last 30 ================

2010-07-23 15:56:23 0 d-sh--w- c:\documents and settings\tjohnson\IECompatCache
2010-07-23 15:29:37 0 d-----w- c:\docume~1\tjohnson\applic~1\Malwarebytes
2010-07-22 17:59:12 0 d-sh--w- c:\documents and settings\tjohnson\IETldCache

==================== Find3M ====================

2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2009-11-30 15:34:52 16384 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat

============= FINISH: 16:34:53.46 ===============

The other DDS file and the GMER log are attached as requested.

#2 teacup61 (Bleepin' Texan!)
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 24 July 2010 - 06:26 PM

Hello dtimothy,

See if this will run. If it will, it will clear up a whole lot of the problems and we'll go from there.

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

If you have trouble running it the first time, then rename ComboFix.exe to dtimothy.exe and try again.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#3 dtimothy
  • Topic Starter
  • Members
  • 44 posts

Posted 24 July 2010 - 09:26 PM

Hello tea,

So far, so good.

ComboFix ran, apparently very well. While it was running I was notified that ComboFix had detected the presence of rootkit activity and needed to reboot. After the reboot it did its scan and deleted a bunch of files and rebooted again. And eventually it completed and produced a log file.

The good news is that I can now get to the Windows Update site and I can now boot in safe mode. It will take a little more time to see if the keyboard problems and speed issues are also completely gone. So, what do you think? Did this get everything or are there still some hidden loose ends that might need to be cleaned up?

Here's the ComboFix log:

ComboFix 10-07-24.01 - tjohnson 07/24/2010 20:59:42.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.636 [GMT -4:00]
Running from: f:\documents\malware\ComboFix.exe
AV: Trend Micro Client/Server Security Agent Antivirus *On-access scanning enabled* (Updated) {568BBA18-3F2F-4AAA-87FE-B5B447CE35E3}
FW: Trend Micro Personal Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Downloaded Program Files\f3initialsetup1.0.1.0.inf
c:\windows\Downloaded Program Files\Oracle
c:\windows\Downloaded Program Files\Oracle\iMeeting\01c7f0827937683c\cnsproxy.exe
c:\windows\Downloaded Program Files\Oracle\iMeeting\01c7f0827937683c\console.exe
c:\windows\Downloaded Program Files\Oracle\iMeeting\01c7f0827937683c\conuienu.dll
c:\windows\Downloaded Program Files\Oracle\iMeeting\01c7f0827937683c\cubert.dll
c:\windows\Downloaded Program Files\Oracle\iMeeting\01c7f0827937683c\dsdd.dll
c:\windows\Downloaded Program Files\Oracle\iMeeting\01c7f0827937683c\dsdd.in_
c:\windows\Downloaded Program Files\Oracle\iMeeting\01c7f0827937683c\dsengine.dll
c:\windows\Downloaded Program Files\Oracle\iMeeting\01c7f0827937683c\dsgrab.dll
c:\windows\Downloaded Program Files\Oracle\iMeeting\01c7f0827937683c\dshook.dll
c:\windows\Downloaded Program Files\Oracle\iMeeting\01c7f0827937683c\dsload.sys
c:\windows\Downloaded Program Files\Oracle\iMeeting\01c7f0827937683c\dspcube.dll
c:\windows\Downloaded Program Files\Oracle\iMeeting\01c7f0827937683c\dsvideo.sys
c:\windows\Downloaded Program Files\Oracle\iMeeting\01c7f0827937683c\gdihk16.dll
c:\windows\Downloaded Program Files\Oracle\iMeeting\01c7f0827937683c\instctrl.dll
c:\windows\Downloaded Program Files\Oracle\iMeeting\01c7f0827937683c\language.xml
c:\windows\Downloaded Program Files\Oracle\iMeeting\01c7f0827937683c\setup.exe
c:\windows\system\oeminfo.ini
c:\windows\system32\sdra64.exe

Infected copy of c:\windows\system32\drivers\kbdhid.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4


((((((((((((((((((((((((( Files Created from 2010-06-25 to 2010-07-25 )))))))))))))))))))))))))))))))
.

2010-07-23 15:56 . 2010-07-23 15:56 -------- d-sh--w- c:\documents and settings\tjohnson\IECompatCache
2010-07-23 15:29 . 2010-07-23 15:29 -------- d-----w- c:\documents and settings\tjohnson\Application Data\Malwarebytes
2010-07-22 17:59 . 2010-07-22 17:59 -------- d-sh--w- c:\documents and settings\tjohnson\IETldCache
2010-07-15 15:43 . 2010-07-15 15:52 -------- d-----w- c:\documents and settings\billingsupervisor\Application Data\ICAClient

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-23 16:50 . 2009-11-30 15:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-22 21:13 . 2007-08-22 14:46 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-22 21:12 . 2007-08-22 14:46 -------- d-----w- c:\program files\Common Files\InstallShield
2010-07-22 18:00 . 2010-07-22 17:58 83112 ----a-w- c:\documents and settings\tjohnson\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-19 05:32 . 2007-12-03 18:48 -------- d-----w- c:\program files\Coupons
2010-06-17 20:56 . 2010-06-17 20:56 -------- d-----w- c:\program files\The Weather Channel Toolbar
2010-06-17 20:53 . 2010-06-17 20:52 -------- d-----w- c:\program files\Xobni
2010-06-17 20:53 . 2010-06-17 20:52 -------- d-----w- c:\program files\Bing Bar Installer
2010-05-06 10:41 . 2006-02-28 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2006-02-28 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 19:39 . 2009-11-30 15:00 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2009-11-30 15:00 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"EHSVCClaimsCfg"="EHS.VCClaims.RDPRegSetVCClaims.exe" [2008-10-31 20480]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\Client Server Security Agent\pccntmon.exe" [2009-06-02 935208]
"OE"="c:\program files\Trend Micro\Client Server Security Agent\TMAS_OE\TMAS_OEMon.exe" [2009-05-13 492808]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Scanner File Utility.lnk - c:\program files\Kyocera\FileUtility\NsCatCom.exe [2008-3-14 335872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-12 03:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2007-08-22 14:46 227328 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2006-07-21 21:50 86016 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2006-07-21 21:48 98304 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2006-10-20 22:23 118784 ----a-w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2006-07-21 21:47 81920 ----a-w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2006-05-01 13:07 843776 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-09-25 06:11 132496 ----a-w- c:\program files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Synchronization Manager]
2008-04-14 00:12 143360 ----a-w- c:\windows\system32\mobsync.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"nmservice"=2 (0x2)
"nmraapache"=3 (0x3)
"GoogleDesktopManager"=3 (0x3)
"ANIWZCSdService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"56804:TCP"= 56804:TCP:Trend Micro Client/Server Security Agent Listener

R2 ASFIPmon;Broadcom ASF IP Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [3/17/2006 6:25 PM 65536]
R2 SLClient;ScriptLogic Service;c:\windows\system32\slClient.exe [10/15/2007 12:08 PM 527360]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [11/30/2009 10:59 AM 50192]
R2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\Client Server Security Agent\tmxpflt.sys [5/21/2009 9:02 PM 230928]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\Client Server Security Agent\tmpreflt.sys [5/21/2009 9:00 PM 36368]
R2 UltiDev Cassini Web Server for ASP.NET 2.0;UltiDev Cassini Web Server for ASP.NET 2.0;c:\program files\UltiDev\Cassini Web Server for ASP.NET 2.0\UltiDevCassinWebServer2a.exe [2/8/2007 1:06 AM 49152]
R2 XobniService;XobniService;c:\program files\Xobni\XobniService.exe [3/19/2010 6:48 PM 55016]
R3 dsdd;dsdd;c:\windows\system32\drivers\dsvideo.sys [9/6/2007 10:31 AM 2111]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [3/10/2009 5:05 PM 335376]
R3 TmPfw;Trend Micro Client/Server Security Agent Personal Firewall;c:\program files\Trend Micro\Client Server Security Agent\TmPfw.exe [10/1/2009 12:02 PM 497008]
R3 TmProxy;Trend Micro Client/Server Security Agent Proxy Service;c:\program files\Trend Micro\Client Server Security Agent\TmProxy.exe [10/1/2009 12:02 PM 685320]
S3 A5AGU;D-Link USB Wireless Network Adapter Service;c:\windows\system32\drivers\A5AGU.sys [5/8/2006 7:10 PM 347648]
S3 HSFHWCD2;HSFHWCD2;c:\windows\system32\drivers\USR_CD2.sys [11/19/2008 9:36 AM 216064]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [9/23/2005 7:01 AM 2799808]
UnknownUnknown dsload;dsload; [x]

--- Other Services/Drivers In Memory ---

*Deregistered* - dsgrab_01c7f092a4fb872c
.
Contents of the 'Scheduled Tasks' folder

2010-07-15 c:\windows\Tasks\Defrag Wednesday.job
- C:\Defrag.bat [2008-05-13 17:19]

2010-07-24 c:\windows\Tasks\LoadKK.job
- c:\kk\kkrun.bat [2009-06-26 16:06]

2010-07-19 c:\windows\Tasks\Restart Mon & Wed.job
- C:\Restart.bat [2008-05-28 17:20]

2010-07-25 c:\windows\Tasks\User_Feed_Synchronization-{48DCDE7B-ED3F-41A9-8320-E0586E195BEC}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

SharedTaskScheduler-{7197dcfc-b355-42ee-9122-f6d69aa6b364} - c:\windows\system32\radohomi.dll
SharedTaskScheduler-{f7559020-216e-4441-8556-0f340281ff7c} - c:\windows\system32\harunano.dll
SharedTaskScheduler-{d3fd4acd-bbc4-4a99-b9e1-620b5cbc8821} - c:\windows\system32\rilukumi.dll
SharedTaskScheduler-{241aa54d-8390-412c-ba3c-958fc154e04a} - c:\windows\system32\vitirunu.dll
SharedTaskScheduler-{38164193-0cf4-49a8-aa70-f1108ca49248} - (no file)
SSODL-vilorimun-{7197dcfc-b355-42ee-9122-f6d69aa6b364} - c:\windows\system32\radohomi.dll
SSODL-zajujukar-{f7559020-216e-4441-8556-0f340281ff7c} - c:\windows\system32\harunano.dll
SSODL-yowupokif-{d3fd4acd-bbc4-4a99-b9e1-620b5cbc8821} - c:\windows\system32\rilukumi.dll
SSODL-jomatapap-{241aa54d-8390-412c-ba3c-958fc154e04a} - c:\windows\system32\vitirunu.dll
SSODL-jigojepey-{38164193-0cf4-49a8-aa70-f1108ca49248} - (no file)
MSConfigStartUp-ANIWZCS2Service - c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
MSConfigStartUp-kehufehiz - c:\windows\system32\sedetini.dll
MSConfigStartUp-SysWsa32 - c:\windows\system32\wsa32.exe
AddRemove-CrystalVoiceClick-to-Talk - c:\program files\CrystalVoice\Click-to-Talk\V4
AddRemove-imtclient - c:\windows\Downloaded Program Files\Oracle\iMeeting\01c7f0827937683c\setup.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-24 21:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3092)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Trend Micro\Client Server Security Agent\ntrtscan.exe
c:\program files\Kyocera\FileUtility\SFUSVC.exe
c:\program files\RealVNC\VNC4\WinVNC4.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Trend Micro\Client Server Security Agent\tmlisten.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\Trend Micro\BM\TMBMSRV.exe
c:\program files\Trend Micro\Client Server Security Agent\CNTAoSMgr.exe
.
**************************************************************************
.
Completion time: 2010-07-24 21:27:16 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-25 01:27

Pre-Run: 45,811,707,904 bytes free
Post-Run: 46,204,706,816 bytes free

- - End Of File - - D0F5E0B98AD6C129F9447ABFF041E71B

Thanks for helping,

Tim
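Added example, not part of this thread and not code from DDS, ComboFix or Malwarebytes: a small Python triage script that applies, over report lines in the format quoted in post #1 (the DDS "Pseudo HJT Report") and post #3 (the ComboFix "Reg Loading Points" section), the checks a helper makes by eye. It flags SSODL/SharedTaskScheduler (STS) entries whose DLL is missing, DLLs whose names follow the alternating consonant/vowel pattern of the ones in this thread (radohomi.dll, harunano.dll, zijokomo.dll), anything other than scecli in the LSA Notification Packages list, and LoadAppInit_DLLs being enabled. The name heuristic and the sample report below are my own constructions; the sample reuses load-point names and paths quoted in the thread, but it is not a real log.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "line_no kind detail")

VOWELS = set("aeiou")

# Shell load points as DDS prints them, in both spellings seen in the thread:
#   SSODL: vilorimun - {guid} - c:\windows\system32\radohomi.dll
#   STS: gahurihor: {guid} - c:\windows\system32\radohomi.dll
LOADPOINT_RE = re.compile(
    r"^(?P<kind>SSODL|STS):\s+(?P<name>[^\s:]+):?\s+-?\s*"
    r"\{(?P<guid>[0-9a-fA-F-]+)\}\s+-\s*(?P<path>.*)$"
)
# LSA: Notification Packages = scecli <anything else is suspect>
LSA_RE = re.compile(r"^LSA:\s+Notification Packages\s*=\s*(?P<pkgs>.*)$")
# ComboFix "Reg Loading Points" line:  "LoadAppInit_DLLs"=1 (0x1)
APPINIT_RE = re.compile(r'^"LoadAppInit_DLLs"=(?P<val>\d+)')


def looks_pseudo_random(basename):
    """Heuristic of my own (not a DDS or ComboFix rule): flag 6-10 letter names
    that strictly alternate consonant/vowel, the pattern of the DLLs quoted in
    this thread (radohomi, harunano, zijokomo). Genuine system DLLs rarely fit it,
    so a hit is a prompt to look, not a verdict."""
    stem = basename.lower().rsplit(".", 1)[0]
    if not (6 <= len(stem) <= 10) or not stem.isalpha():
        return False
    is_vowel = [c in VOWELS for c in stem]
    return all(is_vowel[i] != is_vowel[i + 1] for i in range(len(is_vowel) - 1))


def triage_report(text):
    """Return a list of Finding for the lines a helper would look at first."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        m = LOADPOINT_RE.match(line)
        if m:
            path = m.group("path").strip()
            if not path or path == "(no file)":
                # Registered load point whose DLL is gone: an orphan that still
                # needs removing (ComboFix lists these under ORPHANS REMOVED).
                findings.append(Finding(line_no, "orphan-loadpoint",
                                        f"{m.group('kind')} {m.group('name')}"))
            else:
                basename = path.replace("/", "\\").rsplit("\\", 1)[-1]
                if looks_pseudo_random(basename):
                    findings.append(Finding(line_no, "random-name-dll", path))
            continue
        m = LSA_RE.match(line)
        if m:
            # Only scecli is expected; any other package is loaded into lsass
            # at boot and is notified of every password change.
            extra = [p for p in m.group("pkgs").split() if p.lower() != "scecli"]
            if extra:
                findings.append(Finding(line_no, "lsa-notification-package",
                                        " ".join(extra)))
            continue
        m = APPINIT_RE.match(line)
        if m and m.group("val") != "0":
            # AppInit_DLLs enabled: every user32-linked process loads the listed DLLs.
            findings.append(Finding(line_no, "appinit-dlls-enabled", line))
    return findings


# Constructed sample modelled on the logs in this thread (not a real log).
SAMPLE_REPORT = r"""uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
Notify: igfxcui - igfxdev.dll
SSODL: vilorimun - {7197dcfc-b355-42ee-9122-f6d69aa6b364} - c:\windows\system32\radohomi.dll
SSODL: jigojepey - {38164193-0cf4-49a8-aa70-f1108ca49248} -
STS: gahurihor: {7197dcfc-b355-42ee-9122-f6d69aa6b364} - c:\windows\system32\radohomi.dll
LSA: Notification Packages = scecli zijokomo.dll
"LoadAppInit_DLLs"=1 (0x1)
"""

if __name__ == "__main__":
    for f in triage_report(SAMPLE_REPORT):
        print(f"line {f.line_no:>2}  {f.kind:<26} {f.detail}")
```

Run against the sample it reports five lines: the two radohomi.dll load points, the jigojepey orphan, zijokomo.dll in the LSA list, and the enabled AppInit_DLLs value; the BHO, Notify and start-page lines pass. Each hit still has to be confirmed by hand (file present, signed, date, what dropped it), which is what the ComboFix run in this thread then does for real.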


#4 teacup61 (Bleepin' Texan!)
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 24 July 2010 - 10:01 PM

Looking good to me too. A few things to do to secure the computer and to be sure it's good now:

c:\program files\Adobe\Reader 8.0 <------this is out of date, which means it's vulnerable to attack. It needs to be updated.

Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Those old versions also take up a ton of space! Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 20 (JDK or JRE)".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u20-windows-i586.exe to install the newest version.
  • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

Now also please have another scan with MBAM and post the report if there is anything to post. You should know better how it's behaving now as well.

Thanks,
tea


#5 dtimothy
  • Topic Starter
  • Members
  • 44 posts

Posted 25 July 2010 - 11:20 AM

Things are still looking good.

Before I had a chance to run MBAM, Trend Micro found and cleaned a threat it named "PE_TDSS.A". According to the Trend Micro web site this signature was added to their system on 7/22. Just my luck to run into it two days before that.

Both Trend Micro and MBAM now show clear scans. Also, now that I've had time to run the PC more I feel confident that the keyboard and performance issues are gone.

I've updated Adobe Reader and Java as you recommended. Is there anything else you think needs to be done? In today's malware environment I don't think you can ever be 100% safe but I feel comfortable that we've done about as much as possible on this event. What do you think?

Thanks,
Tim

#6 dtimothy
  • Topic Starter
  • Members
  • 44 posts

Posted 25 July 2010 - 11:31 AM

Just a quick addition. I took a deeper look at the Trend Micro logs. The PE_TDSS.A threat that it found was in the kbdhid.sys file that ComboFix found and replaced. Trend Micro found two copies of the file, one in a restore file and one in the QooBox folder. So both of these are just leftovers from the cleaning done by ComboFix.

I'd say that this makes things look even better.

Thanks,
Tim

#7 teacup61 (Bleepin' Texan!)
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 25 July 2010 - 12:05 PM

Hi there Tim,

Glad you saw where and what those were. So now please delete ComboFix and its folder C:\Qoobox since we're done and that will be gone too! Set a new Restore Point by creating a new one and that will get rid of the infected one. Then you should have no traces of it at all in the system, and a clean restore point if needed as well.

The rootkit is gone, and you say it's good, so I believe we're done here!

Have a great one,
tea

#8 dtimothy
  • Topic Starter
  • Members
  • 44 posts

Posted 25 July 2010 - 12:23 PM

Thanks very much for your help.

Tim

#9 teacup61 (Bleepin' Texan!)
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 25 July 2010 - 12:28 PM

You're most welcome.

#10 teacup61 (Bleepin' Texan!)
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 02 August 2010 - 08:18 AM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.