
Trojan horse Patched_c.JEE & Trojan horse Patched_c.JES / Bamital Infection


This topic is locked
29 replies to this topic

#1 S K Y

  • Members
  • 18 posts

Posted 06 October 2010 - 10:50 AM

Hi there!

Like many others lately my laptop has been infected with Bamital Trojan.

Date of infection: 2nd, October 2010
Detected by: AVG 9
Infected Files: Explorer.exe with Trojan horse Patched_c.JEE and Winlogon.exe with Trojan horse Patched_c.JES
AVG Result: "Object is white-listed (critical/system file that should not be removed)"
OS: Windows XP

The only things I can remember leading up to the infection were...

1. My IE browser sometimes opens up different sites on other tabs
2. I had downloaded a part of a movie
3. I updated AVG 9 (even though it was just updated approx 2 days prior)

Attempted Resolutions:

1. I've updated and run Malwarebytes but it couldn't detect the virus.
2. I realised my Google search results are constantly being redirected to dodgy sites so I've run TDSSKiller to remove the malware (but it keeps coming back, not sure if Bamital is responsible for this)

Additional Notes:

1. This is the topic that notified me that I am dealing with the Bamital infection: http://www.bleepingcomputer.com/forums/topic351001.html
2. Users in the topic have suggested the use of the Kaspersky tool to remove the infections but I'm not confident to do it on my own
3. This is my friend's laptop so I don't have a copy of his Windows CD...
4. I cannot close AVG as it keeps detecting the threats over and over

Your help is much appreciated!! Thanks in advance!!



DDS (Ver_10-03-17.01) - NTFSx86
Run by Albert Chung at 22:29:04.35 on Wed 06/10/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.1023.212 [GMT 11:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\vVX6000.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\GreedyTorrent\GTor.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Albert Chung\Desktop\dds.scr

============== Pseudo HJT Report ===============

uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
uRun: [GreedyTorrent] "c:\program files\greedytorrent\GTor.exe" -tray
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [HControl] c:\windows\atk0100\HControl.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [IntelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
mRun: [EOUApp] c:\program files\intel\wireless\bin\EOUWiz.exe
mRun: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [VX6000] c:\windows\vVX6000.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [HP SchedIndexer] c:\program files\hewlett-packard\laserjet 33xx\hppschedindexer.exe
mRun: [HP AutoIndexer] c:\program files\hewlett-packard\laserjet 33xx\hppautoindexer.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [HitmanPro35] "c:\program files\hitman pro 3.5\HitmanPro35.exe" /scan:boot
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
StartupFolder: c:\docume~1\albert~1\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 2.4\program\quickstart.exe
StartupFolder: c:\docume~1\albert~1\startm~1\programs\startup\viikii~1.lnk - c:\program files\viikiidesktopplugin\ViiKiiDesktopPlugin.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hplase~1.lnk - c:\program files\hewlett-packard\laserjet 33xx\hppdirector.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1219839970943
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\albert~1\applic~1\mozilla\firefox\profiles\uqzovwgx.default\
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-9-26 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-9-26 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-9-26 243024]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-9-26 921952]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-9-26 308136]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-2-28 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-5-30 47640]
S0 jkobgnd;jkobgnd; [x]
S0 khqlmxop;khqlmxop;c:\windows\system32\drivers\oopuhnpkpjv.sys [2010-9-22 68224]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg9\toolbar\ToolbarBroker.exe [2010-9-26 431432]
S3 u3kmini;ASUS My Cinema-U3000 Mini;c:\windows\system32\drivers\u3kmini.sys [2008-6-21 350720]
S3 VX6000;Microsoft LifeCam VX-6000;c:\windows\system32\drivers\VX6000Xp.sys [2008-7-11 2383256]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2010-10-06 10:36:08 0 ----a-w- c:\documents and settings\albert chung\defogger_reenable
2010-10-05 18:25:21 54016 ----a-w- c:\windows\system32\drivers\yhygnstw.sys
2010-10-05 17:20:45 77912 ----a-w- c:\windows\system32\drivers\klmdb.sys
2010-10-04 10:59:39 0 d-----w- c:\program files\Cobian Backup 10
2010-10-04 08:08:29 320 ------w- c:\windows\system32\bootdelete.lst
2010-10-04 08:08:29 12872 ------w- c:\windows\system32\bootdelete.exe
2010-10-04 08:02:32 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-10-04 08:02:11 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-10-04 08:02:09 0 d-----w- c:\program files\Hitman Pro 3.5
2010-10-04 04:27:05 0 d-----w- c:\program files\CCleaner
2010-10-03 14:56:25 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-10-02 06:38:33 0 d-sha-r- C:\cmdcons
2010-10-02 06:35:30 98816 ------w- c:\windows\sed.exe
2010-10-02 06:35:30 77312 ------w- c:\windows\MBR.exe
2010-10-02 06:35:30 256512 ------w- c:\windows\PEV.exe
2010-10-02 06:35:30 161792 ------w- c:\windows\SWREG.exe
2010-09-27 13:08:24 145 ------w- c:\docume~1\albert~1\applic~1\hgksfg.bat
2010-09-25 16:15:56 0 d--h--w- c:\windows\PIF
2010-09-25 15:47:32 0 d-----w- C:\$AVG
2010-09-25 14:55:18 12536 ------w- c:\windows\system32\avgrsstx.dll
2010-09-25 14:55:15 243024 ------w- c:\windows\system32\drivers\avgtdix.sys
2010-09-25 14:55:09 216400 ------w- c:\windows\system32\drivers\avgldx86.sys
2010-09-25 14:54:58 0 d-----w- c:\windows\system32\drivers\Avg
2010-09-25 14:54:56 0 d-----w- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2010-09-25 14:05:06 0 d-----w- c:\program files\AVG
2010-09-23 04:23:10 664 ------w- c:\windows\system32\d3d9caps.dat
2010-09-22 11:43:33 68224 ------w- c:\windows\system32\drivers\oopuhnpkpjv.sys
2010-09-20 08:24:44 41984 ------w- c:\windows\system32\drivers\usbaapl.sys
2010-09-20 08:23:20 3062048 ------w- c:\windows\system32\usbaaplrc.dll
2010-09-19 07:46:19 0 d-----w- c:\docume~1\albert~1\applic~1\Malwarebytes
2010-09-19 07:35:48 38224 ------w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-19 07:35:47 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-09-19 07:35:46 20952 ------w- c:\windows\system32\drivers\mbam.sys
2010-09-19 07:35:46 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-19 05:36:03 120 ------w- c:\windows\Wvuhesanuzeh.dat
2010-09-19 05:36:03 0 ------w- c:\windows\Nciruwuq.bin
2010-09-15 12:26:59 0 d-----w- c:\docume~1\albert~1\applic~1\WindSolutions
2010-09-15 12:26:58 0 d-----w- c:\docume~1\alluse~1\applic~1\WindSolutions

==================== Find3M ====================

2010-10-06 08:50:03 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-10-03 14:43:40 52480 ------w- c:\windows\system32\drivers\i8042prt.sys

============= FINISH: 22:29:40.70 ===============
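The DDS "Created Last 30" section above is where the recently dropped drivers (oopuhnpkpjv.sys, yhygnstw.sys) and the batch file hgksfg.bat show up, and what gives them away to a human reader is that their names look machine-generated. The following is an added triage helper, not code from this thread or from the DDS tool: it parses lines in the DDS format and flags base names that have almost no vowels or a long consonant run. The sample lines are copied from the log in the first post, with mbam.sys and hitmanpro35.sys included as benign controls; the thresholds are assumptions chosen for illustration.

```python
import re

# Constructed sample input: lines copied from the DDS "Created Last 30" section
# of the first post, plus benign driver lines (mbam.sys, hitmanpro35.sys) for contrast.
SAMPLE_DDS = r"""
2010-10-05 18:25:21 54016 ----a-w- c:\windows\system32\drivers\yhygnstw.sys
2010-10-05 17:20:45 77912 ----a-w- c:\windows\system32\drivers\klmdb.sys
2010-10-04 08:02:32 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-09-27 13:08:24 145 ------w- c:\docume~1\albert~1\applic~1\hgksfg.bat
2010-09-22 11:43:33 68224 ------w- c:\windows\system32\drivers\oopuhnpkpjv.sys
2010-09-19 07:35:46 20952 ------w- c:\windows\system32\drivers\mbam.sys
2010-09-19 05:36:03 120 ------w- c:\windows\Wvuhesanuzeh.dat
""".strip("\n")

# DDS line layout: <date> <time> <size> <attribute flags> <path>
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+) (?P<attrs>\S{8}) (?P<path>.+)$"
)
VOWELS = set("aeiou")


def parse_dds(text):
    """Parse DDS 'Created Last 30' lines into dicts; lines that don't match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entry = m.groupdict()
        entry["size"] = int(entry["size"])
        entry["name"] = entry["path"].rsplit("\\", 1)[-1]
        entries.append(entry)
    return entries


def looks_random(stem, min_len=5, max_vowel_ratio=0.25, max_consonant_run=4):
    """Heuristic (thresholds are assumptions): an all-letter stem that is either
    nearly vowel-free or contains a long run of consonants. Stems with digits
    (e.g. hitmanpro35) and very short stems (e.g. mbam) are deliberately skipped."""
    s = stem.lower()
    if len(s) < min_len or not s.isalpha():
        return False
    vowel_ratio = sum(c in VOWELS for c in s) / len(s)
    run = longest = 0
    for c in s:
        run = 0 if c in VOWELS else run + 1
        longest = max(longest, run)
    return vowel_ratio < max_vowel_ratio or longest >= max_consonant_run


def triage(text):
    """Return the file names from a DDS listing whose base name looks generated."""
    flagged = []
    for entry in parse_dds(text):
        stem = entry["name"].rsplit(".", 1)[0]
        if looks_random(stem):
            flagged.append(entry["name"])
    return flagged


if __name__ == "__main__":
    for name in triage(SAMPLE_DDS):
        print("review:", name)
```

Two caveats show up in the sample itself. The heuristic also flags klmdb.sys, a short vendor abbreviation from the TDSSKiller run the poster mentions, so a hit means "look at this file" rather than "malicious". It also misses Wvuhesanuzeh.dat, because a pronounceable generated name passes the vowel test; name shape is one triage signal to combine with creation date, location and a signature check, not a verdict on its own.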

#2 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Location: Numpty HQ

Posted 06 October 2010 - 04:35 PM

Good evening.

Take a trip to this webpage for download links and instructions for running Combofix by sUBs.*
  • Please be aware that this tool may require the PC to be rebooted so close any programs you have open before you start.
  • When CF has finished, it will produce a log - C:\ComboFix.txt - copy and paste it into your next reply.
  • Let me know how the PC is behaving.
* There are two points to note from the instructions page:

1) The Recovery Console.

It is recommended that you install this as, in certain circumstances, it may be the difference between a successful repair and a reformat. If you are uncertain as to whether or not you already have the Recovery Console installed, simply run CF and it will prompt you if it does not detect it.
CF will complete some, but not all, of its removal tasks without the installation of the Console so, should you choose not to allow the installation, you may not get the results you hoped for.

2) Disabling your Anti-Virus.

CF has been the victim of false-positive detections on occasion and a resident AV may incorrectly identify and delete part of the tool which won't do it much good. If you don't disable your AV, you may not get the results you hoped for either.

So long, and thanks for all the fish.


#3 S K Y

  • Topic Starter
  • Members
  • 18 posts

Posted 06 October 2010 - 11:07 PM

Hello,

Thanks for the quick response Noviciate!

I don't know if this caused any problems but ComboFix had to reboot before backing up my Windows registry with the message "Combofix has detected rootkit activity and needs to reboot"...but after that everything else went according to the instructions.

*Edit: My Google search results are still redirecting to infected sites (successfully blocked by AVG) and the Bamital trojans are still there.

Here is the log:


ComboFix 10-10-06.02 - Albert Chung 07/10/2010 14:40:43.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.1023.603 [GMT 11:00]
Running from: c:\documents and settings\Albert Chung\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\oopuhnpkpjv.sys . . . is infected!! . . . Failed to find a valid replacement.
c:\windows\system32\winlogon.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2010-09-07 to 2010-10-07 )))))))))))))))))))))))))))))))
.

2010-10-05 18:25 . 2010-10-05 18:25 54016 ----a-w- c:\windows\system32\drivers\yhygnstw.sys
2010-10-05 17:20 . 2010-10-05 17:20 77912 ----a-w- c:\windows\system32\drivers\klmdb.sys
2010-10-04 11:00 . 2010-10-04 11:00 -------- d-----w- c:\documents and settings\Albert Chung\Local Settings\Application Data\Safe mirror
2010-10-04 10:59 . 2010-10-04 11:00 -------- d-----w- c:\program files\Cobian Backup 10
2010-10-04 08:08 . 2010-10-04 08:08 12872 ------w- c:\windows\system32\bootdelete.exe
2010-10-04 08:02 . 2010-10-07 02:40 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-10-04 08:02 . 2010-10-04 08:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-10-04 08:02 . 2010-10-04 08:02 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-10-04 04:27 . 2010-10-04 04:27 -------- d-----w- c:\program files\CCleaner
2010-10-03 14:56 . 2010-06-24 12:21 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-09-27 13:08 . 2010-09-27 13:08 145 ------w- c:\documents and settings\Albert Chung\Application Data\hgksfg.bat
2010-09-25 16:15 . 2010-09-25 16:15 -------- d--h--w- c:\windows\PIF
2010-09-25 15:47 . 2010-09-25 15:47 -------- d-----w- C:\$AVG
2010-09-25 15:15 . 2010-06-30 04:22 2102600 ------w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2010-09-25 14:55 . 2010-09-25 14:55 12536 ------w- c:\windows\system32\avgrsstx.dll
2010-09-25 14:55 . 2010-09-25 14:55 243024 ------w- c:\windows\system32\drivers\avgtdix.sys
2010-09-25 14:55 . 2010-09-25 14:55 216400 ------w- c:\windows\system32\drivers\avgldx86.sys
2010-09-25 14:55 . 2010-09-25 14:55 29584 ------w- c:\windows\system32\drivers\avgmfx86.sys
2010-09-25 14:54 . 2010-10-06 12:59 -------- d-----w- c:\windows\system32\drivers\Avg
2010-09-25 14:54 . 2010-09-25 15:15 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2010-09-25 14:05 . 2010-09-25 14:05 -------- d-----w- c:\program files\AVG
2010-09-23 04:23 . 2010-09-23 04:23 664 ------w- c:\windows\system32\d3d9caps.dat
2010-09-22 11:43 . 2010-09-25 14:21 68224 ----a-w- c:\windows\system32\drivers\oopuhnpkpjv.sys
2010-09-20 08:54 . 2010-09-20 08:54 2714848 ------w- c:\documents and settings\Albert Chung\Application Data\WindSolutions\CopyTransControlCenter\Applications\CopyTrans_Suite_v2.150_EN.exe
2010-09-20 08:54 . 2010-09-20 11:40 -------- d-----w- c:\documents and settings\Albert Chung\Application Data\Apple Computer
2010-09-20 08:24 . 2010-04-19 10:47 41984 ------w- c:\windows\system32\drivers\usbaapl.sys
2010-09-20 08:23 . 2010-04-19 10:47 3062048 ------w- c:\windows\system32\usbaaplrc.dll
2010-09-20 08:15 . 2010-09-20 08:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-09-20 08:15 . 2010-09-20 08:31 -------- d-----w- c:\program files\Common Files\Apple
2010-09-19 07:46 . 2010-09-19 07:46 -------- d-----w- c:\documents and settings\Albert Chung\Application Data\Malwarebytes
2010-09-19 07:35 . 2010-04-29 05:39 38224 ------w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-19 07:35 . 2010-09-19 07:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-09-19 07:35 . 2010-09-19 07:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-19 07:35 . 2010-04-29 05:39 20952 ------w- c:\windows\system32\drivers\mbam.sys
2010-09-19 05:52 . 2010-09-19 05:52 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-09-19 05:36 . 2010-10-02 03:12 120 ------w- c:\windows\Wvuhesanuzeh.dat
2010-09-19 05:36 . 2010-10-01 14:43 0 ------w- c:\windows\Nciruwuq.bin
2010-09-15 13:43 . 2010-09-15 13:43 -------- d-----w- c:\documents and settings\All Users\Application Data\nView_Profiles
2010-09-15 12:32 . 2010-09-15 12:32 6934200 ------w- c:\documents and settings\Albert Chung\Application Data\WindSolutions\CopyTransControlCenter\Applications\CopyTransManager.exe
2010-09-15 12:27 . 2010-09-20 08:54 2714848 ------w- c:\documents and settings\Albert Chung\Application Data\WindSolutions\CopyTransControlCenter\Applications\CopyTransControlCenter.exe
2010-09-15 12:26 . 2010-09-15 12:46 -------- d-----w- c:\documents and settings\Albert Chung\Application Data\WindSolutions
2010-09-15 12:26 . 2010-09-15 12:42 -------- d-----w- c:\documents and settings\All Users\Application Data\WindSolutions

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-07 03:39 . 2008-04-13 13:10 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-10-07 02:39 . 2008-08-28 06:12 -------- d-----w- c:\documents and settings\Albert Chung\Application Data\OpenOffice.org2
2010-10-07 02:38 . 2008-05-30 11:02 -------- d-----w- c:\program files\LogMeIn
2010-10-04 04:02 . 2008-08-27 12:30 -------- d-----w- c:\program files\Microsoft Silverlight
2010-10-03 14:43 . 2008-04-13 13:48 52480 ------w- c:\windows\system32\drivers\i8042prt.sys
2010-09-25 14:52 . 2010-03-29 03:10 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-09-23 11:47 . 2008-05-30 09:54 -------- d-----w- c:\documents and settings\Albert Chung\Application Data\uTorrent
2010-09-06 03:18 . 2008-08-28 06:15 1 ------w- c:\documents and settings\Albert Chung\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2010-08-10 17:35 . 2010-08-10 17:35 -------- d-----w- c:\documents and settings\Albert Chung\Application Data\Windows Live Writer
.

------- Sigcheck -------

[-] 2008-04-13 . CE7B662547807ABED26FA87AEAB88976 . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe

[-] 2008-04-13 . 9637B61019970D30310EB19689344596 . 1033728 . . [6.00.2900.5512] . . c:\windows\explorer.exe
.
((((((((((((((((((((((((((((( SnapShot@2010-10-02_06.54.21 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-10-07 03:39 . 2010-10-07 03:39 16384 c:\windows\Temp\Perflib_Perfdata_3f0.dat
+ 2008-04-13 18:42 . 2010-04-21 13:28 46080 c:\windows\system32\tzchange.exe
- 2008-04-13 18:42 . 2010-01-23 08:11 46080 c:\windows\system32\tzchange.exe
+ 2001-08-23 10:00 . 2010-10-02 16:44 71912 c:\windows\system32\perfc009.dat
- 2001-08-23 10:00 . 2010-05-30 10:16 71912 c:\windows\system32\perfc009.dat
+ 2007-08-13 08:54 . 2010-06-24 12:21 55296 c:\windows\system32\msfeedsbs.dll
- 2007-08-13 08:54 . 2009-12-21 19:14 55296 c:\windows\system32\msfeedsbs.dll
- 2008-04-13 18:41 . 2009-12-21 19:14 25600 c:\windows\system32\jsproxy.dll
+ 2008-04-13 18:41 . 2010-06-24 12:21 25600 c:\windows\system32\jsproxy.dll
+ 2008-04-13 18:41 . 2010-06-17 14:03 80384 c:\windows\system32\iccvid.dll
- 2008-04-13 18:41 . 2008-04-13 18:41 80384 c:\windows\system32\iccvid.dll
+ 2010-01-24 12:07 . 2010-06-24 12:22 12800 c:\windows\system32\dllcache\xpshims.dll
- 2010-01-24 12:07 . 2009-12-21 19:14 12800 c:\windows\system32\dllcache\xpshims.dll
+ 2008-05-30 09:20 . 2010-06-24 12:21 55296 c:\windows\system32\dllcache\msfeedsbs.dll
- 2008-05-30 09:20 . 2009-12-21 19:14 55296 c:\windows\system32\dllcache\msfeedsbs.dll
- 2008-04-13 18:41 . 2009-12-21 19:14 25600 c:\windows\system32\dllcache\jsproxy.dll
+ 2008-04-13 18:41 . 2010-06-24 12:21 25600 c:\windows\system32\dllcache\jsproxy.dll
+ 2008-04-13 18:41 . 2010-01-13 14:01 86016 c:\windows\system32\dllcache\cabview.dll
+ 2008-04-13 18:41 . 2010-03-05 14:37 65536 c:\windows\system32\dllcache\asycfilt.dll
+ 2008-04-13 18:41 . 2010-01-13 14:01 86016 c:\windows\system32\cabview.dll
+ 2008-04-13 18:41 . 2010-03-05 14:37 65536 c:\windows\system32\asycfilt.dll
+ 2010-10-03 19:23 . 2009-12-21 19:14 12800 c:\windows\ie8updates\KB2183461-IE8\xpshims.dll
+ 2010-10-03 19:23 . 2009-12-21 19:14 55296 c:\windows\ie8updates\KB2183461-IE8\msfeedsbs.dll
+ 2010-10-03 19:23 . 2009-12-21 19:14 25600 c:\windows\ie8updates\KB2183461-IE8\jsproxy.dll
+ 2008-04-13 18:42 . 2009-12-24 06:59 177664 c:\windows\system32\wintrust.dll
+ 2008-04-13 18:42 . 2010-06-24 12:22 916480 c:\windows\system32\wininet.dll
- 2008-04-13 18:42 . 2009-12-21 19:14 916480 c:\windows\system32\wininet.dll
- 2008-04-13 18:42 . 2009-03-07 17:33 420352 c:\windows\system32\vbscript.dll
+ 2008-04-13 18:42 . 2010-03-10 06:15 420352 c:\windows\system32\vbscript.dll
+ 2008-04-13 18:42 . 2010-04-16 15:36 406016 c:\windows\system32\usp10.dll
- 2008-04-13 18:42 . 2008-04-13 18:42 406016 c:\windows\system32\usp10.dll
+ 2008-04-13 18:42 . 2010-06-30 12:31 149504 c:\windows\system32\schannel.dll
- 2001-08-23 10:00 . 2010-05-30 10:16 442334 c:\windows\system32\perfh009.dat
+ 2001-08-23 10:00 . 2010-10-02 16:44 442334 c:\windows\system32\perfh009.dat
- 2008-04-13 18:42 . 2009-12-21 19:14 206848 c:\windows\system32\occache.dll
+ 2008-04-13 18:42 . 2010-06-24 12:22 206848 c:\windows\system32\occache.dll
- 2008-04-13 18:42 . 2009-03-07 17:32 611840 c:\windows\system32\mstime.dll
+ 2008-04-13 18:42 . 2010-06-24 12:22 611840 c:\windows\system32\mstime.dll
+ 2007-08-13 08:54 . 2010-06-24 12:21 599040 c:\windows\system32\msfeeds.dll
+ 2008-05-30 08:06 . 2010-06-09 07:43 692736 c:\windows\system32\inetcomm.dll
- 2008-04-13 18:41 . 2009-12-21 19:14 184320 c:\windows\system32\iepeers.dll
+ 2008-04-13 18:41 . 2010-06-24 12:21 184320 c:\windows\system32\iepeers.dll
- 2008-04-13 18:41 . 2009-12-21 19:14 387584 c:\windows\system32\iedkcs32.dll
+ 2008-04-13 18:41 . 2010-06-24 12:21 387584 c:\windows\system32\iedkcs32.dll
- 2008-04-13 18:42 . 2009-12-21 13:19 173056 c:\windows\system32\ie4uinit.exe
+ 2008-04-13 18:42 . 2010-06-23 12:08 173056 c:\windows\system32\ie4uinit.exe
- 2008-05-30 17:58 . 2010-03-29 01:53 120544 c:\windows\system32\FNTCACHE.DAT
+ 2008-05-30 17:58 . 2010-10-04 04:02 120544 c:\windows\system32\FNTCACHE.DAT
+ 2008-04-13 18:42 . 2009-12-24 06:59 177664 c:\windows\system32\dllcache\wintrust.dll
- 2008-04-13 18:42 . 2009-12-21 19:14 916480 c:\windows\system32\dllcache\wininet.dll
+ 2008-04-13 18:42 . 2010-06-24 12:22 916480 c:\windows\system32\dllcache\wininet.dll
+ 2008-04-13 18:42 . 2010-03-10 06:15 420352 c:\windows\system32\dllcache\vbscript.dll
- 2008-04-13 18:42 . 2009-03-07 17:33 420352 c:\windows\system32\dllcache\vbscript.dll
- 2008-04-13 18:42 . 2008-04-13 18:42 406016 c:\windows\system32\dllcache\usp10.dll
+ 2008-04-13 18:42 . 2010-04-16 15:36 406016 c:\windows\system32\dllcache\usp10.dll
+ 2008-04-13 18:42 . 2010-06-30 12:31 149504 c:\windows\system32\dllcache\schannel.dll
- 2008-04-13 18:42 . 2009-12-21 19:14 206848 c:\windows\system32\dllcache\occache.dll
+ 2008-04-13 18:42 . 2010-06-24 12:22 206848 c:\windows\system32\dllcache\occache.dll
+ 2008-04-13 18:42 . 2010-06-24 12:22 611840 c:\windows\system32\dllcache\mstime.dll
- 2008-04-13 18:42 . 2009-03-07 17:32 611840 c:\windows\system32\dllcache\mstime.dll
+ 2008-05-30 09:20 . 2010-06-24 12:21 599040 c:\windows\system32\dllcache\msfeeds.dll
+ 2008-05-30 08:06 . 2010-06-09 07:43 692736 c:\windows\system32\dllcache\inetcomm.dll
+ 2010-01-24 12:07 . 2010-06-24 12:21 247808 c:\windows\system32\dllcache\ieproxy.dll
+ 2008-04-13 18:41 . 2010-06-24 12:21 184320 c:\windows\system32\dllcache\iepeers.dll
- 2008-04-13 18:41 . 2009-12-21 19:14 184320 c:\windows\system32\dllcache\iepeers.dll
- 2008-04-13 18:41 . 2009-12-21 19:14 387584 c:\windows\system32\dllcache\iedkcs32.dll
+ 2008-04-13 18:41 . 2010-06-24 12:21 387584 c:\windows\system32\dllcache\iedkcs32.dll
+ 2008-04-13 18:42 . 2010-06-23 12:08 173056 c:\windows\system32\dllcache\ie4uinit.exe
- 2008-04-13 18:42 . 2009-12-21 13:19 173056 c:\windows\system32\dllcache\ie4uinit.exe
+ 2010-02-24 13:14 . 2010-02-24 13:14 543232 c:\windows\Installer\4abfec.msp
+ 2010-10-03 19:23 . 2009-03-07 17:33 420352 c:\windows\ie8updates\KB981332-IE8\vbscript.dll
+ 2010-10-03 19:23 . 2009-05-26 11:40 382840 c:\windows\ie8updates\KB981332-IE8\spuninst\updspapi.dll
+ 2010-10-03 19:23 . 2009-05-26 11:40 231288 c:\windows\ie8updates\KB981332-IE8\spuninst\spuninst.exe
+ 2010-10-03 19:23 . 2009-12-21 19:14 916480 c:\windows\ie8updates\KB2183461-IE8\wininet.dll
+ 2010-10-03 19:23 . 2010-02-22 14:23 382840 c:\windows\ie8updates\KB2183461-IE8\spuninst\updspapi.dll
+ 2010-10-03 19:23 . 2009-05-26 09:01 231288 c:\windows\ie8updates\KB2183461-IE8\spuninst\spuninst.exe
+ 2010-10-03 19:23 . 2009-12-21 19:14 206848 c:\windows\ie8updates\KB2183461-IE8\occache.dll
+ 2010-10-03 19:23 . 2009-03-07 17:32 611840 c:\windows\ie8updates\KB2183461-IE8\mstime.dll
+ 2010-10-03 19:23 . 2009-12-21 19:14 594432 c:\windows\ie8updates\KB2183461-IE8\msfeeds.dll
+ 2010-10-03 19:23 . 2009-12-21 19:14 246272 c:\windows\ie8updates\KB2183461-IE8\ieproxy.dll
+ 2010-10-03 19:23 . 2009-12-21 19:14 184320 c:\windows\ie8updates\KB2183461-IE8\iepeers.dll
+ 2010-10-03 19:23 . 2009-03-07 17:35 742912 c:\windows\ie8updates\KB2183461-IE8\iedvtool.dll
+ 2010-10-03 19:23 . 2009-12-21 19:14 387584 c:\windows\ie8updates\KB2183461-IE8\iedkcs32.dll
+ 2010-10-03 19:23 . 2009-12-21 13:19 173056 c:\windows\ie8updates\KB2183461-IE8\ie4uinit.exe
+ 2008-04-13 14:00 . 2010-06-23 13:44 1851904 c:\windows\system32\win32k.sys
+ 2008-04-13 18:42 . 2010-06-24 12:22 1210368 c:\windows\system32\urlmon.dll
+ 2008-04-13 18:42 . 2010-07-27 06:30 8462336 c:\windows\system32\shell32.dll
+ 2008-04-13 18:42 . 2010-02-05 18:27 1291776 c:\windows\system32\quartz.dll
- 2008-04-13 18:42 . 2009-11-27 17:11 1291776 c:\windows\system32\quartz.dll
+ 2008-04-13 18:42 . 2010-06-24 12:22 5951488 c:\windows\system32\mshtml.dll
+ 2007-08-13 08:34 . 2010-06-24 12:21 1986560 c:\windows\system32\iertutil.dll
+ 2008-04-13 14:00 . 2010-06-23 13:44 1851904 c:\windows\system32\dllcache\win32k.sys
+ 2008-04-13 18:42 . 2010-06-24 12:22 1210368 c:\windows\system32\dllcache\urlmon.dll
+ 2008-04-13 18:42 . 2010-07-27 06:30 8462336 c:\windows\system32\dllcache\shell32.dll
- 2008-04-13 18:42 . 2009-11-27 17:11 1291776 c:\windows\system32\dllcache\quartz.dll
+ 2008-04-13 18:42 . 2010-02-05 18:27 1291776 c:\windows\system32\dllcache\quartz.dll
+ 2008-05-30 08:06 . 2010-01-29 15:01 1315328 c:\windows\system32\dllcache\msoe.dll
- 2008-05-30 08:06 . 2009-07-10 13:27 1315328 c:\windows\system32\dllcache\msoe.dll
+ 2008-04-13 18:42 . 2010-06-24 12:22 5951488 c:\windows\system32\dllcache\mshtml.dll
- 2008-05-30 08:06 . 2009-10-23 15:28 3558912 c:\windows\system32\dllcache\moviemk.exe
+ 2008-05-30 08:06 . 2010-06-18 13:36 3558912 c:\windows\system32\dllcache\moviemk.exe
+ 2008-05-30 09:20 . 2010-06-24 12:21 1986560 c:\windows\system32\dllcache\iertutil.dll
+ 2010-04-11 11:17 . 2010-04-11 11:17 4210688 c:\windows\Installer\4abff2.msp
+ 2010-04-11 11:17 . 2010-04-11 11:17 2607104 c:\windows\Installer\4abff1.msp
+ 2010-10-03 19:23 . 2009-12-21 19:14 1208832 c:\windows\ie8updates\KB2183461-IE8\urlmon.dll
+ 2010-10-03 19:23 . 2009-12-21 19:14 5942784 c:\windows\ie8updates\KB2183461-IE8\mshtml.dll
+ 2010-10-03 19:23 . 2009-12-21 19:14 1985536 c:\windows\ie8updates\KB2183461-IE8\iertutil.dll
+ 2008-05-30 09:15 . 2010-09-10 03:34 35552200 c:\windows\system32\MRT.exe
+ 2007-08-13 08:54 . 2010-06-24 06:51 11077120 c:\windows\system32\ieframe.dll
+ 2008-05-30 09:20 . 2010-06-24 06:51 11077120 c:\windows\system32\dllcache\ieframe.dll
+ 2010-05-19 02:08 . 2010-05-19 02:08 11408896 c:\windows\Installer\4abfff.msp
+ 2010-10-03 19:21 . 2010-10-03 19:21 15710720 c:\windows\Installer\4abffe.msp
+ 2010-10-03 19:23 . 2009-12-21 19:14 11070464 c:\windows\ie8updates\KB2183461-IE8\ieframe.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-06-30 2102600]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2010-06-30 04:22 2102600 ------w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-06-30 2102600]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-06-30 2102600]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GreedyTorrent"="c:\program files\GreedyTorrent\GTor.exe" [2007-03-08 2526661]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-05-30 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HControl"="c:\windows\ATK0100\HControl.exe" [2005-08-29 102400]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-12-22 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-12-22 688218]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-11-23 7335936]
"nwiz"="nwiz.exe" [2005-11-23 1519616]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-15 385024]
"EOUApp"="c:\program files\Intel\Wireless\Bin\EOUWiz.exe" [2004-10-15 356352]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-08-12 61952]
"SoundMan"="SOUNDMAN.EXE" [2005-09-21 86016]
"AlcWzrd"="ALCWZRD.EXE" [2005-09-21 2807808]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-02-28 63048]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-01-12 275800]
"VX6000"="c:\windows\vVX6000.exe" [2006-12-19 994072]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-11 34672]
"HP SchedIndexer"="c:\program files\Hewlett-Packard\LaserJet 33xx\hppschedindexer.exe" [2002-01-03 94208]
"HP AutoIndexer"="c:\program files\Hewlett-Packard\LaserJet 33xx\hppautoindexer.exe" [2002-01-03 90112]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-10 149280]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-10-05 2067808]
"HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2010-10-04 6305088]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2009-03-07 128512]

c:\documents and settings\Albert Chung\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-1-21 393216]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP LaserJet Director.lnk - c:\program files\Hewlett-Packard\LaserJet 33xx\hppdirector.exe [2009-5-30 204800]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-09-25 14:55 12536 ------w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-10-15 01:27 110592 ------w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2009-10-06 06:08 87352 ------w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\GreedyTorrent\\GTor.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [26/09/2010 1:55 AM 216400]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [26/09/2010 1:55 AM 243024]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [26/09/2010 1:53 AM 921952]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [26/09/2010 1:53 AM 308136]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [28/02/2008 4:31 PM 12856]
S0 jkobgnd;jkobgnd; [x]
S0 khqlmxop;khqlmxop;c:\windows\system32\drivers\oopuhnpkpjv.sys [22/09/2010 10:43 PM 68224]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe [26/09/2010 1:54 AM 431432]
S3 u3kmini;ASUS My Cinema-U3000 Mini;c:\windows\system32\drivers\u3kmini.sys [21/06/2008 8:40 PM 350720]
S3 VX6000;Microsoft LifeCam VX-6000;c:\windows\system32\drivers\VX6000Xp.sys [11/07/2008 7:42 PM 2383256]
.
Contents of the 'Scheduled Tasks' folder

2010-10-07 c:\windows\Tasks\User_Feed_Synchronization-{02AABFD7-D89C-410A-BC7B-E6149799EDD4}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 17:31]
.
.
------- Supplementary Scan -------
.
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
FF - ProfilePath - c:\documents and settings\Albert Chung\Application Data\Mozilla\Firefox\Profiles\uqzovwgx.default\
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-klmdb.sys



Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86F4C03F]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7580f28
\Driver\ACPI -> ACPI.sys @ 0xf73f3cb8
\Driver\atapi -> ntkrnlpa.exe @ 0x8057c2ed
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022
ParseProcedure -> ntkrnlpa.exe @ 0x80577c84
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022
ParseProcedure -> ntkrnlpa.exe @ 0x80577c84
NDIS: Marvell Yukon Gigabit Ethernet 10/100/1000Base-T Adapter, Coppe -> SendCompleteHandler -> 0x86fc9930
PacketIndicateHandler -> NDIS.sys @ 0xf7262a0d
SendHandler -> NDIS.sys @ 0xf7276b40
user & kernel MBR OK
copy of MBR has been found in sector 0x0950E4C1
malicious code @ sector 0x0950E4C4 !
PE file found in sector at 0x0950E4DA !

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1088)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
Completion time: 2010-10-07 14:47:15
ComboFix-quarantined-files.txt 2010-10-07 03:47
ComboFix2.txt 2010-10-02 08:03
ComboFix3.txt 2010-10-02 06:58

Pre-Run: 232,079,360 bytes free
Post-Run: 275,709,952 bytes free

- - End Of File - - 8958C1D9C8D7F3A03D72921C3B137E08

Edited by S K Y, 06 October 2010 - 11:46 PM.
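An added example, not part of S K Y's post or of ComboFix itself: a small POSIX sh/awk script that reads the driver/service block of a ComboFix log like the one above (the `R1 ...;...;...` / `S0 ...;...;...` lines) and prints the entries a responder would look at first: a boot- or system-start driver with no image file on disk, one whose display name merely repeats its service name, or one whose driver file name does not match the service name. The sample lines are copied from the log above; a hit is a prompt to review that entry against the rest of the log, not a verdict.

```shell
#!/bin/sh
# Added example, not from the thread or ComboFix: triage heuristics for the
# driver/service block of a ComboFix log. A hit means "review this entry",
# not "this is malware".

# Sample lines copied from the log above (the R1/R2/S0/S3 block).
SAMPLE_LOG='R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [26/09/2010 1:55 AM 216400]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [28/02/2008 4:31 PM 12856]
S0 jkobgnd;jkobgnd; [x]
S0 khqlmxop;khqlmxop;c:\windows\system32\drivers\oopuhnpkpjv.sys [22/09/2010 10:43 PM 68224]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe [26/09/2010 1:54 AM 431432]'

# triage_services: read ComboFix service lines on stdin and print one
# "REVIEW <state> <service>: <reasons>" line per entry worth a closer look.
# Fields are ';'-separated: "<R|S><start> <service>;<display name>;<image> [<date> <size>]"
# and a missing image is written as "[x]".
triage_services() {
    awk -F';' '
        /^[RS][0-9] / {
            split($1, head, " ")
            start = substr(head[1], 2, 1) + 0   # 0 = boot start, 1 = system start
            name  = substr($1, 4)              # service name (may contain spaces)
            disp  = $2
            path  = $3
            sub(/ \[.*$/, "", path)            # drop the "[date size]" or "[x]" trailer
            reasons = ""
            if (path == "")
                reasons = "no image file on disk"
            if (start <= 1 && path != "") {
                if (disp == name)
                    reasons = reasons (reasons ? "; " : "") "display name just repeats the service name"
                base = path
                sub(/.*\\/, "", base)          # file name after the last backslash
                sub(/\.[^.]*$/, "", base)      # without its extension
                if (tolower(base) != tolower(name))
                    reasons = reasons (reasons ? "; " : "") "driver file " base " does not match service name"
            }
            if (reasons != "")
                printf "REVIEW %s %s: %s\n", head[1], name, reasons
        }'
}

# Run over the sample: the two S0 entries are reported, the AVG and LogMeIn
# entries are not.
printf '%s\n' "$SAMPLE_LOG" | triage_services
```

To run it over a real log, pipe the whole ComboFix text through `triage_services`; lines that do not look like service entries are ignored. The heuristics are deliberately narrow (boot/system-start drivers only) so that ordinary demand-start services with repeated names, like the AVG toolbar broker above, do not add noise.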


#4 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 07 October 2010 - 02:41 PM

Good evening.

The problem is that two of your PC's system files have been infected and it is necessary to replace them to solve the issue. Unfortunately ComboFix wasn't able to find copies on the system and handle this automatically.
Do you have access to another machine running XP that you could acquire copies of files from?

So long, and thanks for all the fish.

#5 S K Y

  • Topic Starter
  • Members
  • 18 posts

Posted 07 October 2010 - 09:41 PM

Hi Noviciate,

I hope you've had a good day.

I don't have immediate access to another computer running XP; however, I have managed to find my own Windows XP CD and I might have a copy of the files stored on my external hard drive from backing up my old computer (I'm not sure if it backed up Windows).

Will the trojans be able to infect my external HD if I plug it into this comp? Or should I plug it into a clean comp and extract the files on a USB?

OR is it easier to use my Windows XP CD? It's not the same CD that installed the Windows on this laptop though, so I'm not sure if this will affect anything.

Looking forward to your reply.

*Edit: I've run AVG again (but didn't delete anything) and it has found winlogon.exe (1084) infected with Trojan horse Patched_c.JES and Explorer.EXE (300) infected with Trojan horse Patched_c.JEE as well. I am not sure where those two extra files came from....

*Edit: I'm so sorry to be a pain, but after AVG detected those two new infections a log popped up saying it'll delete the two new files upon reboot (the two original infected files were left alone). I didn't restart the comp fearing it might affect anything. But overnight the stup!d thing shut down itself for some reason, so when I woke this morning and tried to turn it on, there was only a blank screen after booting. Being desperate, I found people suggesting to load explorer.exe using Task Manager, but my Ctrl+Alt+Del keys didn't bring it up (and never did in the past). I also tried Ctrl+Shift+Esc, rebooting in Safe Mode, rebooting in Last Known Good Configuration and even a repair install using the Windows CD. None of these worked.

I really don't know what to do. Is reformatting my only option left? I would prefer not to as it's not my laptop.
And I understand if you need to refer me to someone else to fix...

Edited by S K Y, 08 October 2010 - 09:00 PM.


#6 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 09 October 2010 - 01:33 PM

Good evening.

I would say that AVG has just borked your installation, which is nice of it! There may be a way to repair the damage, but as I've not specifically tried this on my own system, it will take more time than perhaps you'd like as I'll need to double check everything before I post the instructions - if I can't understand it, there's no point me expecting you to!

Reinstall is quickest and best if you are in a hurry, but I'm happy to work through the repair with you if you'd prefer. It's really down to you to decide how you wish to continue.

If you do want to reinstall Windows, I can guide you through backing-up any important files you have on the system with a boot disk, if necessary.

Let me know what you decide.

So long, and thanks for all the fish.

#7 S K Y

  • Topic Starter
  • Members
  • 18 posts

Posted 10 October 2010 - 09:11 AM

Hi Noviciate,

I hope you're enjoying the weekend!

I would love it if you could help me try and find a way to repair the system as I think reformatting would be my absolute final option.

Thanks so much for continuing to help out and I'm willing to be patient and wait for your instructions.

#8 S K Y

  • Topic Starter
  • Members
  • 18 posts

Posted 11 October 2010 - 03:48 AM

Good evening!

I've got great news!

Tried logging on in Safe Mode again today and I got in! I have no idea what happened and I haven't tried logging in normally because I'm scared everything will go down again. AVG hasn't popped up in Safe Mode so I don't know if the virus is still there. I'm not going to touch anything now until I get instructions from you.

Explorer.exe seems to be functioning normally at the moment but I've got no access to the Internet.


#9 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 11 October 2010 - 01:59 PM

Good evening.

You won't have access to the internet in Safe Mode, only Safe Mode with Networking. As your anti-virus may not work fully in Safe Mode it isn't advisable to use the Networking option to go online as you run the risk of further infection.

Can you check and see if the following file is present:

c:\windows\system32\winlogon.exe

This is the one that I think AVG ate and caused your system to get poorly-sick.

So long, and thanks for all the fish.

#10 S K Y

  • Topic Starter
  • Members
  • 18 posts

Posted 11 October 2010 - 11:13 PM

Good Afternoon,

AVG must have regurgitated it back out because it's there.

#11 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 12 October 2010 - 01:43 PM

Good evening.

Will you try booting into Normal Mode and see what happens.

So long, and thanks for all the fish.

#12 S K Y

  • Topic Starter
  • Members
  • 18 posts

Posted 12 October 2010 - 04:21 PM

Good morning :D

Tried booting into Normal Mode as requested, but the first thing that appeared was the black screen asking me to choose whether I wanted to load Microsoft Windows XP or the Recovery Console. It will give you 30 secs to choose or it will load the highlighted option. I chose Windows XP of course and it booted into the blank screen again.

Then I tried Safe Mode again and thankfully it still works.

#13 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 12 October 2010 - 04:34 PM

Do you have a flash drive that you can use as a home for a small operating system? 125 Mb will be plenty.

So long, and thanks for all the fish.

#14 S K Y

  • Topic Starter
  • Members
  • 18 posts

Posted 12 October 2010 - 05:14 PM

Yep!!

#15 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 13 October 2010 - 02:16 PM

Good evening.

Please read through all the instructions BEFORE you begin and ask any questions that you may have first.
  • Download both this file and this file and save them to your Desktop.
  • Insert your USB flash drive into your PC.
  • Click Start > My Computer, right click your flash drive's icon and select Format > Quick format - this will wipe the contents of the flash drive, so make sure there is nothing of value on there!
  • Double click unetbootin-xpud-windows-version number.exe that you just downloaded and OK any Security Warning that Windows may offer.
  • Select the Diskimage radio button and then click the browse button (the one with three dots on) located on the right side of the textbox field.
  • Browse to and select the xpud-0.9.2.iso file you downloaded above by double clicking it.
  • Verify the correct drive letter is selected for your USB device at the bottom and then click OK.
  • The program will install a little bootable OS onto your flash drive.
  • Once the files have been written to the drive you will be prompted to reboot - this isn't necessary, so just click Exit.
  • Next download the zipped folder that I've attached and extract the two files to your USB - that's explorer.exe and winlogon.exe.

    Getting the PC to run the new OS is a little tricky as the process differs on different machines. If you are lucky, then the F12 method below will work - if it doesn't, let me know and we'll go for a different angle.

  • If it isn't already there, insert the flash drive into the sick PC and then reboot it.
  • You need to select the OS that is on the stick rather than let Windows take charge, so press F12 and choose to boot from the USB drive before Windows starts loading.

  • Follow the prompts and eventually a Welcome to xPUD screen will appear.
  • Click the File icon on the left.
  • The rest will be pretty much what you do with Windows, but with Linux, so it's not very exciting I'm afraid.

  • Open the mnt folder as you would normally.
  • You are going to identify the folder that represents your flash drive - sda1, sda2 etc... will usually be your hard drive(s); sdb1 is likely to be your flash drive.
  • Open the flash drive folder and check that you can see the two files that you unzipped earlier.

  • Note that all the folders in mnt will be visible in the left hand pane once you have opened one, so you can access them from there.

  • Open the folder that corresponds to your hard drive, which is probably sda1, and open the Windows folder which you should see in there.
  • Locate your copy of explorer.exe, right click it and Rename it to oldexplorer.exe.
  • This will disable it, but keep it intact just in case we have further need for it.
  • Now go back to the flash drive folder, right click the clean explorer.exe and Copy it.
  • Now head back to the Windows folder and Paste the new file there.
  • This gives you a clean copy of explorer.exe in the right place for Windows to work properly.

  • Now open the system32 folder that you should see in the Windows folder.
  • Locate your copy of winlogon.exe, right click it and Rename it to oldwinlogon.exe.
  • Again, this will disable it, but keep it intact just in case we have further need for it.
  • Now go back to the flash drive folder, right click the clean winlogon.exe and Copy it.
  • Now head back to the system32 folder and Paste the new file into it.
  • This gives you a clean copy of winlogon.exe in the right place for Windows to work properly.
  • Assuming all went well, you're done.

  • Click the Home icon on the left and Power off the machine.
  • Remove the USB drive and boot your PC into Normal Mode and let me know what happens.

So long, and thanks for all the fish.
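The rename-and-copy part of the procedure above, done from a shell instead of the file manager, as an added example (it is not Noviciate's procedure and not part of xPUD or UNetbootin). It assumes a shell is available in the live environment, that find(1) there supports -iname, and that the hard drive and the flash drive are mounted under /mnt as sda1 and sdb1 style folders, as the post describes. The demo at the bottom builds a throwaway copy of that layout in a temporary directory, so the script can be tried without touching a real disk.

```shell
#!/bin/sh
# Added example, not from the thread: replace explorer.exe and winlogon.exe from a
# mounted flash drive, keeping the originals as old<name> exactly as the post does.
# Assumes a POSIX sh with find(1) supporting -iname, and volumes mounted under $1.

# find_windows_root MNT: print the Windows directory of the first mounted volume
# that has one with a system32 subfolder (case-insensitive; NTFS names vary in case).
find_windows_root() {
    for vol in "$1"/*/; do
        win=$(find "$vol" -maxdepth 1 -type d -iname windows | head -n 1)
        [ -n "$win" ] || continue
        if [ -n "$(find "$win" -maxdepth 1 -type d -iname system32)" ]; then
            printf '%s\n' "$win"
            return 0
        fi
    done
    return 1
}

# replace_system_file DIR NAME CLEAN: rename DIR/NAME to DIR/oldNAME (disabled
# but intact) and copy CLEAN in as DIR/NAME. Refuses if a backup already
# exists, so a second run cannot overwrite the real original with a replacement.
replace_system_file() {
    dir=$1; name=$2; clean=$3
    [ -f "$clean" ] || { echo "clean copy $clean not found" >&2; return 1; }
    if [ -e "$dir/old$name" ]; then
        echo "$dir/old$name already exists, leaving $name alone" >&2; return 1
    fi
    cur=$(find "$dir" -maxdepth 1 -type f -iname "$name" | head -n 1)
    [ -n "$cur" ] || { echo "$name not present in $dir" >&2; return 1; }
    mv "$cur" "$dir/old$name" || return 1
    cp "$clean" "$dir/$name" || return 1
    echo "replaced $cur (original kept as $dir/old$name)"
}

# repair_from_stick MNT STICK: the whole procedure from the post. STICK is the
# mounted flash drive holding the clean explorer.exe and winlogon.exe.
repair_from_stick() {
    winroot=$(find_windows_root "$1") || { echo "no Windows install under $1" >&2; return 1; }
    sys32=$(find "$winroot" -maxdepth 1 -type d -iname system32 | head -n 1)
    replace_system_file "$winroot" explorer.exe "$2/explorer.exe" &&
        replace_system_file "$sys32" winlogon.exe "$2/winlogon.exe"
}

# demo_layout: constructed stand-in for /mnt/sda1 (disk, with patched files) and
# /mnt/sdb1 (stick, with clean copies); prints the temporary mount root.
demo_layout() {
    root=$(mktemp -d)
    mkdir -p "$root/sda1/WINDOWS/system32" "$root/sdb1"
    printf 'patched' > "$root/sda1/WINDOWS/explorer.exe"
    printf 'patched' > "$root/sda1/WINDOWS/system32/winlogon.exe"
    printf 'clean' > "$root/sdb1/explorer.exe"
    printf 'clean' > "$root/sdb1/winlogon.exe"
    printf '%s\n' "$root"
}

MNT=$(demo_layout)
repair_from_stick "$MNT" "$MNT/sdb1"   # prints one "replaced ..." line per file
```

On a real machine the call would be `repair_from_stick /mnt /mnt/sdb1` after confirming that the Windows partition is mounted read-write. The originals are kept as oldexplorer.exe and oldwinlogon.exe, as in the post, and the refusal to run twice means a mistaken second pass cannot replace those backups with the already-swapped copies.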