Infected with Unknown virus


  • This topic is locked
2 replies to this topic

#1 WillyJ

  • Members
  • 15 posts

Posted 31 July 2010 - 07:40 PM

This was my daughter's laptop computer. She gave it to me to help her get it working.

When she first gave it to me, I was pretty sure it was useless. It would not connect to the internet. It would not run any programs. I tried loading the software tools that are part of the preparation, but dds.scr would not run. It still won't. It just opens Notepad and I just get pages of junk. I was just about to delete the hard drive and reload the operating system, but before I did that I did something that I was not supposed to do. I ran Combofix. I still had it from the last time I cleaned up my other computer. I'm sorry I did this, but I really did not have a choice. At least after running Combofix I am now able to get onto the internet.

I actually had to run Combofix twice. The computer seemed better for a while, but then it started acting crazy again. I had to run it again just so that I could run GMER.

I'm not sure what the virus I have is. At one point I ran Malwarebytes and it said something like NGuy32 or something like that. But I have not been able to repeat that result.

Once again, there is no DDS.txt log because it would not run. But I am pasting the log from the Combofix since I had no choice but to run it. I will also attach the ark.txt file.

ComboFix 10-07-31.01 - Bill 07/31/2010 15:08:44.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.239 [GMT -4:00]
Running from: c:\documents and settings\Bill\Desktop\Clean UP\Special\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Bill\LOCALS~1\Temp\wscsvc32.exe
c:\documents and settings\All Users\Favorites\_favdata.dat
c:\documents and settings\Bill\Desktop\spam001.exe
c:\documents and settings\Bill\Desktop\spam003.exe
c:\documents and settings\Bill\Desktop\troj000.exe
c:\system volume information\_restore{d5fffa500b1b}
c:\system volume information\_restore{d5fffa500b1b}\smss.exe
c:\system volume information\_restore{d5fffa500b1b}\svchost.exe
c:\windows\PRAGMAbvtpetusip
c:\windows\PRAGMAbvtpetusip\pragmabbr.dll
c:\windows\PRAGMAbvtpetusip\PRAGMAc.dll
c:\windows\PRAGMAbvtpetusip\PRAGMAcfg.ini
c:\windows\PRAGMAbvtpetusip\PRAGMAd.sys
c:\windows\PRAGMAbvtpetusip\pragmaserf.dll
c:\windows\PRAGMAbvtpetusip\PRAGMAsrcr.dat
c:\windows\system32\drivers\scov.sys
c:\windows\system32\drivers\xaigqhu.sys

Infected copy of c:\windows\system32\drivers\i8042prt.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
MBR is infected with the Whistler Bootkit !!

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PRAGMABVTPETUSIP
-------\Service_PRAGMAbvtpetusip
-------\Legacy_lhkguudf
-------\Legacy_ynpq
-------\Service_lhkguudf
-------\Service_ynpq


((((((((((((((((((((((((( Files Created from 2010-06-28 to 2010-07-31 )))))))))))))))))))))))))))))))
.

2010-07-31 19:04 . 2010-07-31 19:04 -------- d-----w- C:\Settings
2010-07-31 18:42 . 2010-07-31 18:42 -------- d-----w- c:\documents and settings\Bill\Application Data\SUPERAntiSpyware.com
2010-07-31 18:41 . 2010-07-31 18:41 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-07-20 00:44 . 2010-07-31 18:42 -------- d-----w- c:\program files\SUPERAntiSpyware

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-20 02:53 . 2010-05-11 01:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-05-12 16:57 . 2005-08-06 10:07 40778 ----a-w- c:\windows\system32\nvModes.dat
2008-12-29 02:04 . 2008-12-18 22:03 4267690 ----a-w- c:\program files\12_28_08 073.jpg
1997-07-22 00:30 . 1997-07-22 00:30 1045776 --sha-w- c:\windows\system32\Msjet35.dll
1997-06-23 08:00 . 1997-06-23 08:00 123664 --sha-w- c:\windows\system32\Msjint35.dll
1997-06-23 17:06 . 1997-06-23 17:06 24848 --sha-w- c:\windows\system32\Msjter35.dll
1997-06-23 17:06 . 1997-06-23 17:06 252176 --sha-w- c:\windows\system32\Msrd2x35.dll
1997-06-23 17:06 . 1997-06-23 17:06 287504 --sha-w- c:\windows\system32\Msxbse35.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-05-26 1830128]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-12-01 4636672]
"nwiz"="nwiz.exe" [2004-12-01 921600]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-03-04 606208]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-26 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-15 141608]
"Malwarebytes Anti-Malware (rootkit-scan)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-8-6 24576]
Mobile User VPN.lnk - c:\program files\WatchGuard\Mobile User VPN\SafeCfg.exe [2005-11-1 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 21:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NavLogon]
[BU]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0aswBoot.exe /M:692628075

[HKLM\~\startupfolder\C:^Documents and Settings^Bill^Start Menu^Programs^Startup^Microsoft Office Outlook 2003.lnk]
path=c:\documents and settings\Bill\Start Menu\Programs\Startup\Microsoft Office Outlook 2003.lnk
backup=c:\windows\pss\Microsoft Office Outlook 2003.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
2004-01-07 06:01 110592 ----a-w- c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\WatchGuard\\Mobile User VPN\\IreIKE.exe"=
"c:\program files\WatchGuard\Mobile User VPN\ViewLog.exe"= c:\program files\WatchGuard\Mobile User VPN\ViewLog.exe:127.0.0.1/255.255.255.255:Enabled:ViewLog
"c:\program files\WatchGuard\Mobile User VPN\CmonApp.exe"= c:\program files\WatchGuard\Mobile User VPN\CmonApp.exe:127.0.0.1/255.255.255.255:Enabled:CMonApp
"c:\program files\WatchGuard\Mobile User VPN\vpn.exe"= c:\program files\WatchGuard\Mobile User VPN\vpn.exe:127.0.0.1/255.255.255.255:Enabled:VPN Connection Manager

R2 Crypto;Crypto;c:\windows\system32\drivers\Crypto.sys [11/1/2005 4:04 PM 521786]
R2 IPSECDRV;SafeNet IPSec Plugin;c:\windows\system32\drivers\IpSecDrv.sys [11/1/2005 4:04 PM 119864]
R3 DniVap;SafeNet WAN Miniport (VA);c:\windows\system32\drivers\vap.sys [11/1/2005 4:03 PM 36188]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [8/6/2005 5:57 AM 80384]
S3 isaxbox;isaxbox;c:\windows\system32\isaxbox.sys [8/11/2004 6:00 PM 2304]
S4 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/26/2009 10:05 AM 9968]
S4 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 7408]
S4 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/26/2009 10:05 AM 72944]
.
Contents of the 'Scheduled Tasks' folder

2010-07-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: e-golf.net\morrisparks
DPF: CaptureClient - hxxp://192.168.0.11/CaptureClient.cab
DPF: {ADACAA8F-3595-47FE-9C31-9C7471B9BEC7} - hxxp://www.itis.com.my/atis/sp1/ocxChecker/cab/OCXChecker_8198.cab
.
.
------- File Associations -------
.
.scr=AutoCADScriptFile
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-31 15:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1328)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\documents and settings\Bill\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'Explorer.EXE'(3616)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\system volume information\_restore{d5fffa500b1b}\svchost.exe
c:\system volume information\_restore{d5fffa500b1b}\smss.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\program files\WatchGuard\Mobile User VPN\IreIKE.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\basfipm.exe
c:\program files\Dell\OpenManage\Client\Iap.exe
c:\program files\WatchGuard\Mobile User VPN\IPSecMon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Intel\Wireless\Bin\ZcfgSvc.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
c:\program files\Apoint\Apntex.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-07-31 15:46:02 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-31 19:45
ComboFix2.txt 2010-07-20 03:45

Pre-Run: 20,161,761,280 bytes free
Post-Run: 20,726,243,328 bytes free

- - End Of File - - A7202495FCCBA1BA7D207F786B847CAB

Attached Files

  • ark.txt (7.48 KB)
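
Taken together, the posted log lists the indicators that make this more than a nuisance infection: ComboFix reports the MBR as infected, a legitimate keyboard driver (i8042prt.sys) was patched, executables named smss.exe and svchost.exe were running out of System Volume Information, an HTTP proxy was set to 127.0.0.1:5555 (a loopback proxy with no listener behind it gives exactly the "won't connect to the internet" symptom described in the post), Security Center monitoring was switched off, and the .scr association no longer points at the default scrfile handler, which is the usual reason a renamed-executable tool such as DDS.scr opens as text instead of running. The script below is an added example, not part of the original post and not ComboFix code: it runs a small set of narrow rules over lines constructed from the log above and returns one finding per hit. The rule names are my own.

```python
"""Triage a ComboFix-style log for the indicator classes visible in the log
posted above. Added example, not part of the original post and not ComboFix
code; the rule names are mine and the sample lines are constructed from the
posted log."""
import re
from dataclasses import dataclass

# Constructed sample: lines lifted from the posted log, plus one benign line.
SAMPLE_LOG = """\
c:\\system volume information\\_restore{d5fffa500b1b}\\smss.exe
c:\\windows\\PRAGMAbvtpetusip\\PRAGMAd.sys
Infected copy of c:\\windows\\system32\\drivers\\i8042prt.sys was found and disinfected
MBR is infected with the Whistler Bootkit !!
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring]
"DisableMonitoring"=dword:00000001
uInternet Settings,ProxyServer = http=127.0.0.1:5555
.scr=AutoCADScriptFile
c:\\program files\\iTunes\\iTunesHelper.exe
"""


@dataclass(frozen=True)
class Finding:
    rule: str
    line: str


# (rule name, pattern). Patterns are kept narrow so a clean log yields nothing.
RULES = [
    ("mbr_infected",
     re.compile(r"^MBR is infected", re.I)),
    # A legitimate driver reported as patched/infected.
    ("patched_system_driver",
     re.compile(r"^Infected copy of .*\\drivers\\[^\\]+\.sys was found", re.I)),
    # Nothing legitimate executes out of System Volume Information.
    ("exe_in_system_volume_information",
     re.compile(r"^c:\\system volume information\\.*\.(exe|dll|sys)$", re.I)),
    # An HTTP proxy on loopback with no local proxy software present means
    # traffic is being intercepted, and the machine loses connectivity once
    # the listener is removed.
    ("loopback_proxy",
     re.compile(r"ProxyServer\s*=\s*http=127\.0\.0\.1:\d+", re.I)),
    ("security_center_monitoring_disabled",
     re.compile(r'^"DisableMonitoring"=dword:00000001$', re.I)),
    # .scr normally maps to scrfile; any other handler stops DDS.scr running.
    ("scr_association_hijacked",
     re.compile(r"^\.scr=(?!scrfile$)", re.I)),
    # Driver directory with a random-looking PRAGMA* name directly under
    # c:\windows, as in the posted log.
    ("random_driver_dir_under_windows",
     re.compile(r"^c:\\windows\\PRAGMA[a-z]+\\", re.I)),
]


def triage(log_text: str) -> list:
    """Return one Finding per (line, rule) hit, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(name, line))
    return findings


def rules_hit(log_text: str) -> list:
    """Distinct rule names hit, in first-hit order (handy for a summary)."""
    seen = []
    for f in triage(log_text):
        if f.rule not in seen:
            seen.append(f.rule)
    return seen


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:36s} {f.line}")
```

The rules are deliberately literal to this log's format rather than general-purpose signatures; the point is to turn a wall of log text into a checklist of what still needs confirming (MBR, drivers, proxy, Security Center, file associations) before deciding between further cleanup and a reimage.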



#2 PropagandaPanda

  • Malware Response Team
  • 10,433 posts

Posted 09 August 2010 - 09:37 AM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

Sorry for the delay. Since it's been a while, please take some fresh logs. Delete your old copy of ComboFix and download a new one.

Disable Realtime Protection
Antimalware programs can interfere with ComboFix and other tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

Download and Run ComboFix
Download Combofix by sUBs from any of the links below, and save it to your desktop. If you have already run ComboFix, delete your old copy and download a new one.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.


  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER to your desktop. Note that the file will be randomly named to prevent active malware from stopping the download.
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click the GMER program ******.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.

Download and Run MBRCheck
Please download MBRCheck.exe to your desktop.
  • Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
  • It will open a black window, please do not fix anything (if it gives you an option).
  • Exit that window and it will produce a log (MBRCheck_date_time).
  • Please post that log when you reply.

In your next reply include:
-the ComboFix log
-the GMER scan log

Please also tell me of any changes you have made to your computer since you started your topic.

With Regards,
The Panda
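
The reply asks for an MBRCheck log because ComboFix reported the MBR as infected. The page does not say what MBRCheck compares the sector against, so the following is an added illustration of the kind of check involved, not MBRCheck's or ComboFix's own code: it parses a 512-byte MBR (boot code, disk signature, partition table, 0x55AA signature), hashes the boot code and compares the hash against a baseline set. The sector bytes, the baseline and the "tampered" variant are all constructed for the example.

```python
"""Parse a 512-byte MBR sector and check its boot code against a baseline
hash. Added illustration of the kind of check an MBR-inspection tool makes;
this is not MBRCheck's or ComboFix's own code. All sector bytes below are
constructed sample input."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440           # bytes 0..439: boot code
DISK_SIG_OFF = 440            # 4-byte disk signature, then 2 reserved bytes
PARTITION_TABLE_OFF = 446     # four 16-byte entries
PARTITION_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xAA"  # bytes 510..511

# Constructed sample boot code: the first instructions of a conventional
# BIOS MBR (cli / xor ax,ax / mov ss,ax / mov sp,7C00h ...), padded later.
CLEAN_BOOT_CODE = bytes.fromhex("FA33C08ED0BC007C8BF45007501FFBFC")
# Constructed "infected" variant: a short jump patched in ahead of the
# original prologue, the way a bootkit redirects control to its own loader.
TAMPERED_BOOT_CODE = bytes.fromhex("EB20") + b"\x90" * 30 + CLEAN_BOOT_CODE


def build_sector(boot_code: bytes, disk_sig: int = 0x1234ABCD) -> bytes:
    """Assemble a sector with the given boot code and one bootable NTFS
    partition (type 0x07) starting at LBA 63. Sample input only."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code too long")
    header = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    header += struct.pack("<I", disk_sig) + b"\x00\x00"
    # status, CHS start, type, CHS end, LBA start, sector count
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                        b"\xFE\xFF\xFF", 63, 41_943_040)
    table = entry + b"\x00" * (PARTITION_ENTRY_LEN * 3)
    return header + table + BOOT_SIGNATURE


def parse_mbr(sector: bytes) -> dict:
    """Validate the boot signature and pull out what a triage looks at:
    a hash of the boot code, the disk signature and the partition table."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFF + i * PARTITION_ENTRY_LEN
        status, _, ptype, _, lba, count = struct.unpack_from("<B3sB3sII", sector, off)
        if ptype == 0:
            continue  # empty slot
        partitions.append({"index": i, "bootable": status == 0x80,
                           "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": partitions,
    }


def check_boot_code(sector: bytes, known_good: set) -> tuple:
    """Return (True, digest) when the boot code hash is in the baseline set,
    (False, digest) otherwise. The baseline is whatever you trust: a hash
    taken from the same machine before the incident, or from a clean
    install of the same Windows version."""
    digest = parse_mbr(sector)["boot_code_sha256"]
    return digest in known_good, digest


if __name__ == "__main__":
    clean = build_sector(CLEAN_BOOT_CODE)
    baseline = {parse_mbr(clean)["boot_code_sha256"]}
    for label, code in (("clean", CLEAN_BOOT_CODE), ("tampered", TAMPERED_BOOT_CODE)):
        ok, digest = check_boot_code(build_sector(code), baseline)
        print(f"{label:8s} {'OK' if ok else 'MISMATCH'} {digest[:16]}...")
```

On a live Windows machine the sector is the first 512 bytes of \\.\PhysicalDrive0, opened read-only as Administrator. The caveat that matters in a thread like this one: a bootkit that filters disk reads from kernel mode can hand a clean sector back to a user-mode reader, so a hash taken from inside the infected OS is only as trustworthy as the driver stack it went through. That is one reason a rootkit scanner such as GMER is run alongside the MBR check, and why a read from boot media or from another clean system is the better source of the baseline.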

#3 PropagandaPanda

  • Malware Response Team
  • 10,433 posts

Posted 21 August 2010 - 10:26 AM

Hello.

There had been no reply from the topic starter in 5 days. Due to inactivity, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda



