Various infections, WinXP won't boot at all!


25 replies to this topic

#1 Mistral

  • Members
  • 14 posts

Posted 25 October 2010 - 12:29 AM

Hello everyone.

Just found this forum while searching information about "Variant.Hiloti".

So, I was surfing the web Friday night and suddenly caught something really bad. I always run my computer free of antivirus or anti-spyware and all that stuff to keep resource usage as low as possible and RARELY get infected, but when I do, it strikes really hard. I have had all WinXP Pro SP3 updates since 1 or 2 months ago.

First, when that happened, I had a popup calling itself Windows Antivirus (not sure of the name, but it looked like the genuine Microsoft security software, though it wasn't active when it happened). It showed several infections in my TV software, firefox.exe, plugin-container.exe, Windows Live software, iexplore.exe, etc. Couldn't get rid of that window and couldn't turn my computer off for the night, so I just forced the shutdown (by holding the power button a few seconds).

Later, when I tried to look further into the infection, I couldn't boot Windows AT ALL. I was reaching Microsoft's logo and the progress bar was barely doing one "circle", then it was freezing and going back to the RAM check screen and starting all over. I even tried safe mode and it failed at the screen where you can see "Windows is loading [files].*". It also failed. I also deactivated the immediate reboot to see if there was any error message: it gave me a "Windows stopped to prevent any data loss", or something like that (translation may not be accurate). I then decided to check for bootable antivirus and found F-Secure Rescue CD, which is trustworthy software (I used to work with F-Secure online scanner in the past as well as Trend Micro's online scanner for disinfection).

So, after booting onto the CD with F-Secure, I scanned my C: drive and, while I was there, my MBR sector. F-Secure found over 40 infected files. Here's the list it gave me afterwards:

- MBR infected
- Generic.Malware.Sdld![...]
- Gen:Trojan.Heur.TP.@q0@b4@a[...]
- Gen:Variant.Kazy.2165
- Gen:Trojan.RegistryDisabler.dihd[...]
- Gen:Variant.Hiloti.4
- Gen:Variant.Hiloti.1

F-Secure successfully renamed all infected files (it's running from the CD into the computer's RAM - it's running on Linux, so absolutely no interaction with Windows) to *.[extension].virus, which was confirmed by a second scan. After the first scan, I booted my computer on Windows XP's CD and used the repair tool in the installation menu. All system files have been copied again in my Windows installation, I rebooted again and went for the Recovery Console from the CD. From there, I knew my MBR was infected, so I launched a fixmbr and after I did a fixboot to make sure nothing bad would load on Windows boot.
After doing all this, I gave loading Windows a try. First, I tried my usual account. I was on the login screen now. I entered my password, hit Enter and saw what looked like a normal operation to me. Then, the login screen disappeared (which is normal at that point) but a second after that, it went straight back to the RAM check screen. Went back to the login screen to try the Guest account. This one gave me a bluescreen saying the memory is being purged and transferred to the hard drive, or something like that (I'm translating on-the-fly).

I am 99% sure it's not a hardware problem (RAM and all 3 hard drives have been tested and no error showed up - Memtest86+ 4.1 and Western Digital diagnostic software).

I can smell a format and complete reinstallation now, but I'm not giving up so easily. So far, I have failed to boot my computer again (I'm using my laptop if you didn't figure that out yet :P) and if there is any chance to boot my computer again and get rid of the infection, I want to try.

Edit: after writing this post, I tried safe mode. It works, I can use Windows again, but it's pretty limited. While the network is activated, I gave it a go on F-Secure Online scanner, but it doesn't seem to launch. IE, though, doesn't seem to be able to resolve anything. It loaded my home page but nothing after. I remember having issues with F-Secure scanner and Firefox, but that might be fixed by now. Anyway, I can't do anything right now and still hope I can fix this somehow. Normal mode still crashes, by the way. (I noticed dumprep 0 -k with HiJackThis).

Anyway, thanks for any help and sorry for the long explicative post. I can't do anything else for now.


#2 Mistral

  • Topic Starter
  • Members
  • 14 posts

Posted 25 October 2010 - 12:47 PM

Hello!

I just managed to run a scan with DDS and GMER. These two happened to be very helpful, even more than HiJackThis. :) Though GMER crashed the first time, giving me the "memory purge" message again, it succeeded the second time.

So, here are the log files.

From what I can understand from the scan, the virus tries to load itself but is causing a system crash, which does not appear to be its main purpose. Dude, if you want to mess around with viruses, make sure it's actually working the way it's intended or just do not mess with that crap! ><

I believe that removing the hidden service GMER has found would likely fix the crash problem that prevents any chance of booting Windows in normal mode. Though I won't proceed until further notice.

Attached Files



#3 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,751 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 25 October 2010 - 01:09 PM

If you are able to boot in Safe Mode with Networking, get a connection and follow these steps:

Save these instructions as a text file on your desktop.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore your connection.

    -----------------------------------------------------------

    • Copy the entire contents of the Quote Box below to Notepad.
    • Name the file as CFScript.txt
    • Change the Save as Type to All Files
    • and Save it on the desktop

    Driver::
    gfgkdmd

    File ::
    c:\windows\SET127.tmp
    c:\docume~1\mistral\locals~1\applic~1\{C823B944-FE66-4F95-AD98-0370221CD258}
    c:\windows\hexdump.exe.virus
    c:\windows\winamp.exe.virus
    c:\windows\sysedit.exe.virus
    c:\windows\csrss.exe.virus
    c:\windows\svchost.exe.virus
    c:\windows\win.exe.virus
    c:\windows\system32\vi9933.dll.virus
    c:\windows\system32\sis91.dll.virus
    c:\windows\system32\q7105r9.dll.virus
    c:\windows\system32\m0m6np7.dll.virus
    c:\windows\system32\bhmn0f51.dll.virus
    c:\windows\system32\a1yyh8a.dll.virus
    c:\docume~1\mistral\applic~1\19731.bat
    c:\docume~1\mistral\applic~1\hotfix.exe.virus
    c:\windows\SETEC.tmp
    c:\windows\SETE0.tmp
    c:\windows\SETDD.tmp
    c:\windows\Qgudaguwi.bin
    c:\windows\system32\drivers\gfgkdmd.sys
    c:\docume~1\mistral\applic~1\5612ECBF5F8F59279582CADC32531B66


    Posted Image

    Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe.
  • Install the Recovery Console if prompted.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt".
**Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall**

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.

No request for help through private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#4 Mistral

  • Topic Starter
  • Members
  • 14 posts

Posted 25 October 2010 - 03:48 PM

Here's ComboFix's log file. At first, it stalled when attempting to make a restore point. Rebooted, launched again and it started scanning. Left the computer at around Step_35. When I came back, I had the "memory purge" message again and ComboFix finished scanning after the reboot, back in Safe Mode.

Here's the log. Can't seem to be able to upload the file properly.

ComboFix 10-10-24.06 - Mistral 2010-10-25 16:19:25.1.2 - x86 NETWORK
Microsoft Windows XP Professionnel 5.1.2600.2.1252.2.1036.18.2047.1753 [GMT -5:00]
Lancé depuis: c:\documents and settings\Mistral\Mes documents\disinfect\ComboFix.exe
Commutateurs utilisés :: c:\documents and settings\Mistral\Mes documents\disinfect\CFScript.txt
.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Documents\Server\admin.txt
c:\documents and settings\All Users\Documents\Server\server.dat
c:\documents and settings\Mistral\Application Data\hotfix.exe.virus
c:\documents and settings\Mistral\Application Data\inst.exe
c:\documents and settings\Mistral\Local Settings\Application Data\{C823B944-FE66-4F95-AD98-0370221CD258}
c:\documents and settings\Mistral\Local Settings\Application Data\{C823B944-FE66-4F95-AD98-0370221CD258}\chrome.manifest
c:\documents and settings\Mistral\Local Settings\Application Data\{C823B944-FE66-4F95-AD98-0370221CD258}\chrome\content\_cfg.js
c:\documents and settings\Mistral\Local Settings\Application Data\{C823B944-FE66-4F95-AD98-0370221CD258}\chrome\content\overlay.xul
c:\documents and settings\Mistral\Local Settings\Application Data\{C823B944-FE66-4F95-AD98-0370221CD258}\install.rdf
c:\windows\csrss.exe.virus
c:\windows\system32\tmp.reg

.
((((((((((((((((((((((((((((((((((((((( Pilotes/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_GFGKDMD
-------\Service_gfgkdmd


((((((((((((((((((((((((((((( Fichiers créés du 2010-09-25 au 2010-10-25 ))))))))))))))))))))))))))))))))))))
.

2010-10-25 06:12 . 2010-10-25 06:12 -------- d-----w- c:\documents and settings\Administrateur\Local Settings\Application Data\Mozilla
2010-10-25 05:36 . 2010-10-25 05:36 -------- d-----w- c:\documents and settings\Administrateur\Application Data\JGsoft
2010-10-25 01:42 . 2010-10-25 01:42 -------- d-----w- c:\windows\LastGood
2010-10-24 23:41 . 2006-03-02 12:00 10129408 -c--a-w- c:\windows\system32\dllcache\hwxkor.dll
2010-10-24 23:40 . 2006-03-02 12:00 7680 -c--a-w- c:\windows\system32\dllcache\inetmgr.exe
2010-10-24 23:38 . 2006-03-02 12:00 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
2010-10-24 23:38 . 2006-03-02 12:00 16384 ----a-w- c:\program files\Internet Explorer\Connection Wizard\isignup.exe
2010-10-24 23:23 . 2006-03-02 12:00 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2010-10-24 23:23 . 2006-03-02 12:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
2010-10-24 23:23 . 2006-03-02 12:00 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2010-10-24 23:23 . 2006-03-02 12:00 13312 ----a-w- c:\windows\system32\irclass.dll
2010-10-24 23:23 . 2006-03-02 12:00 14573 ----a-r- c:\windows\SET127.tmp
2010-10-24 23:23 . 2006-03-02 12:00 14043 ----a-r- c:\windows\SETEC.tmp
2010-10-24 23:23 . 2006-03-02 12:00 1086058 ----a-r- c:\windows\SETE0.tmp
2010-10-24 23:23 . 2006-03-02 12:00 1013912 ----a-r- c:\windows\SETDD.tmp
2010-10-23 07:25 . 2010-10-23 07:25 0 ----a-w- c:\windows\Qgudaguwi.bin
2010-10-23 07:24 . 2010-10-23 07:24 21636 ---ha-w- c:\windows\hexdump.exe.virus
2010-10-23 07:24 . 2010-10-23 07:24 21636 ---ha-w- c:\windows\winamp.exe.virus
2010-10-23 07:24 . 2010-10-23 07:24 21636 ---ha-w- c:\windows\sysedit.exe.virus
2010-10-23 07:24 . 2010-10-23 07:24 60004 ---ha-w- c:\windows\svchost.exe.virus
2010-10-23 07:24 . 2010-10-23 07:24 60004 ---ha-w- c:\windows\win.exe.virus
2010-10-23 07:24 . 2010-10-23 07:24 30000 ----a-w- c:\windows\system32\vi9933.dll.virus
2010-10-23 07:24 . 2010-10-23 07:24 30000 ----a-w- c:\windows\system32\sis91.dll.virus
2010-10-23 07:24 . 2010-10-23 07:24 30000 ----a-w- c:\windows\system32\q7105r9.dll.virus
2010-10-23 07:24 . 2010-10-23 07:24 30000 ----a-w- c:\windows\system32\m0m6np7.dll.virus
2010-10-23 07:24 . 2010-10-23 07:24 30000 ----a-w- c:\windows\system32\bhmn0f51.dll.virus
2010-10-23 07:24 . 2010-10-23 07:24 30000 ----a-w- c:\windows\system32\a1yyh8a.dll.virus
2010-10-23 07:23 . 2010-10-23 07:23 198 ----a-w- c:\documents and settings\Mistral\Application Data\19731.bat
2010-10-23 07:23 . 2010-10-25 21:22 758272 ----a-w- c:\windows\system32\drivers\gfgkdmd.sys
2010-10-23 07:23 . 2010-10-24 16:40 -------- d-----w- c:\documents and settings\Mistral\Application Data\5612ECBF5F8F59279582CADC32531B66
2010-10-04 20:09 . 2010-10-21 23:04 -------- d-----w- c:\documents and settings\Mistral\Application Data\Mumble
2010-09-30 08:36 . 2010-09-30 08:36 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Microsoft Help
2010-09-30 08:34 . 2010-09-30 08:34 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-09-30 08:27 . 2010-09-30 08:27 -------- d-----w- c:\program files\MSXML 6.0
2010-09-27 21:13 . 2010-09-27 21:13 -------- d-----w- c:\documents and settings\Mistral\Local Settings\Application Data\Deployment

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-21 23:53 . 2008-12-30 19:41 138376 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-10-21 23:53 . 2008-12-30 19:41 202448 ----a-w- c:\windows\system32\PnkBstrB.exe
.

((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools"="d:\daemon tools\daemon.exe" [2007-08-16 167368]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-04 68856]
"Wowhead_Client"="f:\game utilities\WoW\Wrath\3.3\Wowhead_Client.exe" [2010-10-07 410624]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-05-18 843776]
"CTHelper"="CTHELPER.EXE" [2005-06-18 16384]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 19968]
"CMCService"="c:\program files\ATI\Catalyst Media Center\CMCService.exe" [2008-06-06 172032]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-03-03 98304]
"V0230Mon.exe"="c:\windows\V0230Mon.exe" [2006-09-07 32768]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Fichiers communs\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"ATIModeChange"="Ati2mdxx.exe" [2010-03-03 26112]
"SRFirstRun"="srclient.dll" [2006-03-02 67584]

c:\documents and settings\Mistral\Menu D‚marrer\Programmes\D‚marrage\
No-IP DUC.lnk - d:\no-ip\DUC20.exe [2007-1-27 1172992]
TeamSpeak3 Server Beta.lnk - d:\teamspeak 3 server beta\teamspeak3-server_win32\ts3server_win32.exe [2010-5-10 2632960]

c:\documents and settings\All Users\Menu D‚marrer\Programmes\D‚marrage\
ASUS WiFi-AP Solo.lnk - c:\program files\ASUS WiFi-AP Solo\RtWLan.exe [2008-12-29 987136]
Iconize.lnk - d:\iconize\Iconize.exe [2004-8-19 237568]
Wallpaper Master.lnk - d:\wallpaper master\Wallpaper.exe [2010-6-1 321536]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^Mises à jour planifiées de Quicken.lnk]
path=c:\documents and settings\All Users\Menu Démarrer\Programmes\Démarrage\Mises à jour planifiées de Quicken.lnk
backup=c:\windows\pss\Mises à jour planifiées de Quicken.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Mistral^Menu Démarrer^Programmes^Démarrage^RollerCoaster Tycoon 3 Registration.lnk]
path=c:\documents and settings\Mistral\Menu Démarrer\Programmes\Démarrage\RollerCoaster Tycoon 3 Registration.lnk
backup=c:\windows\pss\RollerCoaster Tycoon 3 Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-23 09:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
2005-02-15 21:10 57344 ----a-w- c:\program files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 02:34 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 16:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2005-01-12 08:01 32768 ----a-w- d:\cyberlink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-04-08 01:35 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"d:\\Games\\Steam\\Steam.exe"=
"d:\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"d:\\Games\\Steam\\steamapps\\common\\alien swarm\\swarm.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2008-12-30 685816]
S1 atitray;atitray;d:\ray adams\ATI Tray Tools\atitray.sys [2009-11-25 19232]
S2 gupdate;Service Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 135664]
S3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [2005-11-25 31896]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [2008-12-29 176128]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [2010-07-01 34896]
S3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [2008-12-29 13532]
S3 V0230Vfx;V0230Vfx;c:\windows\system32\drivers\V0230Vfx.sys [2006-03-24 6272]
S3 V0230VID;Live! Cam Video IM Pro;c:\windows\system32\drivers\V0230VID.sys [2006-09-29 500480]
S4 msvsmon80;Débogueur distant Visual Studio 2005;d:\microsoft visual studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2005-12-09 2799808]
.
Contenu du dossier 'Tâches planifiées'

2010-10-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 22:29]

2010-10-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 22:29]
.
.
------- Examen supplémentaire -------
.
uStart Page = hxxp://www.di.fm/calendar/calendar.php?type=month&calendar=8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xporter vers Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\Mistral\Application Data\Mozilla\Firefox\Profiles\81gwpwxo.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/
FF - plugin: c:\documents and settings\Mistral\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\Mistral\Application Data\Mozilla\plugins\np-mswmp.dll
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: d:\adobe\Acrobat 5.0\Reader\Browser\nppdf32.dll
FF - plugin: d:\divx\DivX Player\npDivxPlayerPlugin.dll
FF - plugin: d:\divx\DivX Web Player\npdivx32.dll
FF - plugin: d:\videolan\VLC\npvlc.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- PARAMETRES FIREFOX ----
d:\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
d:\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
d:\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
d:\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
d:\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
d:\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
d:\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
d:\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
d:\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
d:\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
d:\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHELINS SUPPRIMES - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
AddRemove-HijackThis - d:\__trend micro\HijackThis\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-10-25 16:30
Windows 5.1.2600 Service Pack 2 NTFS

Recherche de processus cachés ...

Recherche d'éléments en démarrage automatique cachés ...

Recherche de fichiers cachés ...

Scan terminé avec succès
Fichiers cachés: 0

**************************************************************************
.
--------------------- CLES DE REGISTRE BLOQUEES ---------------------

[HKEY_USERS\S-1-5-21-1214440339-573735546-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:71,9d,55,25,06,b0,e2,dd,c9,15,0a,d4,f0,a5,df,c3,7d,be,1b,f6,45,
56,c3,32,8f,41,2e,ae,dc,dc,40,83,bb,a3,16,95,e4,2e,17,14,82,07,8d,59,5b,25,\
"rkeysecu"=hex:8c,b7,3f,fd,77,dc,63,1a,bc,73,ad,50,1d,86,0d,9d
.
--------------------- DLLs chargées dans les processus actifs ---------------------

- - - - - - - > 'winlogon.exe'(612)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll

- - - - - - - > 'explorer.exe'(1176)
c:\progra~1\FICHIE~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
c:\program files\Fichiers communs\Microsoft Shared\Web Components\10\1036\OWCI10.DLL
c:\progra~1\WINDOW~2\wmpband.dll
.
Heure de fin: 2010-10-25 16:35:22 - La machine a redémarré
ComboFix-quarantined-files.txt 2010-10-25 21:35

Avant-CF: 14 598 148 096 octets libres
Après-CF: 15 261 663 232 octets libres

WindowsXP-KB310994-SP2-Pro-BootDisk-FRA.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professionnel" /noexecute=optin /fastdetect

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 3F3D79C3AC5BF6D8F2668EA655CCEE62


Why is PunkBuster even there?
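The "Fichiers créés" section of the log above is where the infection's footprint is plainest: six files written within the same three minutes on 2010-10-23, differently named files of identical size, hidden attributes on executables under c:\windows, and vowel-free or digit-salted names. The script below is an added example written for this thread (not ComboFix's code or the responder's procedure) that parses lines in that section's format and ranks them by those heuristics; the sample lines are constructed in the log's format, and the thresholds and field names are my own.

```python
"""Triage of a ComboFix "files created" section (added example, not ComboFix code).
Line shape: <created> . <modified> <size or --------> <attrs> <path>
The heuristics are my own and only rank files for a human to look at.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
                     r"(\d+|-{8}) (\S{8}) (.+?)\s*$")
STAMP = "%Y-%m-%d %H:%M"

# Constructed sample in the log's format, modelled on the thread's log; the
# dllcache entry and the directory are clean controls.
SAMPLE = r"""2010-10-24 23:23 . 2006-03-02 12:00 13312 ----a-w- c:\windows\system32\irclass.dll
2010-10-23 07:25 . 2010-10-23 07:25 0 ----a-w- c:\windows\Qgudaguwi.bin
2010-10-23 07:24 . 2010-10-23 07:24 21636 ---ha-w- c:\windows\hexdump.exe.virus
2010-10-23 07:24 . 2010-10-23 07:24 21636 ---ha-w- c:\windows\winamp.exe.virus
2010-10-23 07:24 . 2010-10-23 07:24 30000 ----a-w- c:\windows\system32\vi9933.dll.virus
2010-10-23 07:24 . 2010-10-23 07:24 30000 ----a-w- c:\windows\system32\sis91.dll.virus
2010-10-23 07:23 . 2010-10-25 21:22 758272 ----a-w- c:\windows\system32\drivers\gfgkdmd.sys
2010-10-04 20:09 . 2010-10-21 23:04 -------- d-----w- c:\documents and settings\Mistral\Application Data\Mumble
"""


@dataclass
class Entry:
    created: datetime
    modified: datetime
    size: Optional[int]  # None for directories ("--------")
    attrs: str           # e.g. "---ha-w-": the h means hidden
    path: str

    @property
    def stem(self) -> str:  # name without extension, ignoring the .virus rename
        name = self.path.rsplit("\\", 1)[-1]
        if name.lower().endswith(".virus"):
            name = name[:-6]
        return name.rsplit(".", 1)[0]

    @property
    def written_here(self) -> bool:
        # mtime not older than ctime: new content, not a copy of an old file
        # (the repair install copied files that kept their 2006 mtime)
        return self.modified >= self.created


def parse(text: str) -> List[Entry]:
    entries = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        created, modified, size, attrs, path = m.groups()
        entries.append(Entry(datetime.strptime(created, STAMP), datetime.strptime(modified, STAMP),
                             None if size.startswith("-") else int(size), attrs, path))
    return entries


def looks_random(stem: str) -> bool:
    """Mixes letters and digits, or is nearly vowel-free (vi9933, gfgkdmd)."""
    if len(stem) < 5:
        return False
    letters = sum(c.isalpha() for c in stem)
    digits = sum(c.isdigit() for c in stem)
    if letters and digits:
        return True
    vowels = sum(c in "aeiouy" for c in stem.lower())
    return letters >= 5 and vowels / letters < 0.15


def triage(text: str, gap: timedelta = timedelta(minutes=2), min_burst: int = 3) -> Dict[str, List[str]]:
    """Map each suspicious path to the reasons it was flagged."""
    entries = parse(text)
    reasons: Dict[str, List[str]] = defaultdict(list)
    new = sorted((e for e in entries if e.written_here and e.size is not None), key=lambda e: e.created)
    # 1. Burst: newly written files whose creation times chain within `gap`.
    clusters: List[List[Entry]] = []
    for e in new:
        if clusters and e.created - clusters[-1][-1].created <= gap:
            clusters[-1].append(e)
        else:
            clusters.append([e])
    for group in (g for g in clusters if len(g) >= min_burst):
        for e in group:
            reasons[e.path].append(f"burst: {len(group)} new files from {group[0].created:%Y-%m-%d %H:%M}")
    # 2. Size twins: one payload dropped under several names.
    by_size: Dict[int, List[Entry]] = defaultdict(list)
    for e in (x for x in new if x.size):
        by_size[e.size].append(e)
    for size, group in by_size.items():
        if len({e.stem for e in group}) >= 2:
            for e in group:
                reasons[e.path].append(f"size twin: {len(group)} names share {size} bytes")
    # 3. Hidden attribute under c:\windows; 4. machine-looking names on new files.
    for e in entries:
        if "h" in e.attrs and e.path.lower().startswith("c:\\windows\\"):
            reasons[e.path].append("hidden attribute under c:\\windows")
        if e in new and looks_random(e.stem):
            reasons[e.path].append(f"machine-looking name {e.stem!r}")
    return dict(reasons)
```

On the sample, the dllcache file and the Mumble directory come out clean while all six files from the 07:23-07:25 burst are flagged, the driver on name alone; the SETxx.tmp files of the real log are not flagged because their 2006 mtime marks them as copies made by the repair install.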

#5 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,751 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 25 October 2010 - 04:48 PM

Download the enclosed file. Save it next to Combofix.

Posted Image

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report.



#6 Mistral

  • Topic Starter
  • Members
  • 14 posts

Posted 25 October 2010 - 05:58 PM

Just ran ComboFix again with the new script file and all infected files have apparently been removed from the computer.

Looking further into my Windows folder, all files included in the script are gone, but I found some more with very similar, random-looking names, or almost identical ones.

From the script:

c:\windows\SET127.tmp
c:\windows\SETEC.tmp
c:\windows\SETE0.tmp
c:\windows\SETDD.tmp
c:\windows\Qgudaguwi.bin


From my Windows folder:

C:\WINDOWS\SET29.tmp
C:\WINDOWS\SET3.tmp
C:\WINDOWS\SET4.tmp
C:\WINDOWS\SET8.tmp
C:\WINDOWS\Qwukapoyowukati.dat


I believe they can all be deleted as well. At least, they are temporary files, so it shouldn't do any harm at all... theoretically speaking.

Any further notice?


LOG FILE (still unable to upload the log file itself):

ComboFix 10-10-24.06 - Mistral 2010-10-25 18:36:20.2.2 - x86 NETWORK
Microsoft Windows XP Professionnel 5.1.2600.2.1252.2.1036.18.2047.1631 [GMT -5:00]
Lancé depuis: c:\documents and settings\Mistral\Mes documents\disinfect\ComboFix.exe
Commutateurs utilisés :: c:\documents and settings\Mistral\Mes documents\disinfect\CFScript.txt

FILE ::
"c:\documents and settings\Mistral\Application Data\19731.bat"
"c:\windows\hexdump.exe.virus"
"c:\windows\Qgudaguwi.bin"
"c:\windows\SET127.tmp"
"c:\windows\SETDD.tmp"
"c:\windows\SETE0.tmp"
"c:\windows\SETEC.tmp"
"c:\windows\svchost.exe.virus"
"c:\windows\sysedit.exe.virus"
"c:\windows\system32\a1yyh8a.dll.virus"
"c:\windows\system32\bhmn0f51.dll.virus"
"c:\windows\system32\drivers\gfgkdmd.sys"
"c:\windows\system32\m0m6np7.dll.virus"
"c:\windows\system32\q7105r9.dll.virus"
"c:\windows\system32\sis91.dll.virus"
"c:\windows\system32\vi9933.dll.virus"
"c:\windows\win.exe.virus"
"c:\windows\winamp.exe.virus"
.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Mistral\Application Data\19731.bat
c:\windows\hexdump.exe.virus
c:\windows\Qgudaguwi.bin
c:\windows\SET127.tmp
c:\windows\SETDD.tmp
c:\windows\SETE0.tmp
c:\windows\SETEC.tmp
c:\windows\svchost.exe.virus
c:\windows\sysedit.exe.virus
c:\windows\system32\a1yyh8a.dll.virus
c:\windows\system32\bhmn0f51.dll.virus
c:\windows\system32\drivers\gfgkdmd.sys
c:\windows\system32\m0m6np7.dll.virus
c:\windows\system32\q7105r9.dll.virus
c:\windows\system32\sis91.dll.virus
c:\windows\system32\vi9933.dll.virus
c:\windows\win.exe.virus
c:\windows\winamp.exe.virus

.
((((((((((((((((((((((((((((( Fichiers créés du 2010-09-25 au 2010-10-25 ))))))))))))))))))))))))))))))))))))
.

2010-10-25 06:12 . 2010-10-25 06:12 -------- d-----w- c:\documents and settings\Administrateur\Local Settings\Application Data\Mozilla
2010-10-25 05:36 . 2010-10-25 05:36 -------- d-----w- c:\documents and settings\Administrateur\Application Data\JGsoft
2010-10-25 01:42 . 2010-10-25 01:42 -------- d-----w- c:\windows\LastGood
2010-10-24 23:41 . 2006-03-02 12:00 10129408 -c--a-w- c:\windows\system32\dllcache\hwxkor.dll
2010-10-24 23:40 . 2006-03-02 12:00 7680 -c--a-w- c:\windows\system32\dllcache\inetmgr.exe
2010-10-24 23:38 . 2006-03-02 12:00 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
2010-10-24 23:38 . 2006-03-02 12:00 16384 ----a-w- c:\program files\Internet Explorer\Connection Wizard\isignup.exe
2010-10-24 23:23 . 2006-03-02 12:00 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2010-10-24 23:23 . 2006-03-02 12:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
2010-10-24 23:23 . 2006-03-02 12:00 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2010-10-24 23:23 . 2006-03-02 12:00 13312 ----a-w- c:\windows\system32\irclass.dll
2010-10-23 07:23 . 2010-10-24 16:40 -------- d-----w- c:\documents and settings\Mistral\Application Data\5612ECBF5F8F59279582CADC32531B66
2010-10-04 20:09 . 2010-10-21 23:04 -------- d-----w- c:\documents and settings\Mistral\Application Data\Mumble
2010-09-30 08:36 . 2010-09-30 08:36 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Microsoft Help
2010-09-30 08:34 . 2010-09-30 08:34 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-09-30 08:27 . 2010-09-30 08:27 -------- d-----w- c:\program files\MSXML 6.0
2010-09-27 21:13 . 2010-09-27 21:13 -------- d-----w- c:\documents and settings\Mistral\Local Settings\Application Data\Deployment

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-21 23:53 . 2008-12-30 19:41 138376 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-10-21 23:53 . 2008-12-30 19:41 202448 ----a-w- c:\windows\system32\PnkBstrB.exe
.

((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools"="d:\daemon tools\daemon.exe" [2007-08-16 167368]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-04 68856]
"Wowhead_Client"="f:\game utilities\WoW\Wrath\3.3\Wowhead_Client.exe" [2010-10-07 410624]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-05-18 843776]
"CTHelper"="CTHELPER.EXE" [2005-06-18 16384]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 19968]
"CMCService"="c:\program files\ATI\Catalyst Media Center\CMCService.exe" [2008-06-06 172032]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-03-03 98304]
"V0230Mon.exe"="c:\windows\V0230Mon.exe" [2006-09-07 32768]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Fichiers communs\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"ATIModeChange"="Ati2mdxx.exe" [2010-03-03 26112]
"SRFirstRun"="srclient.dll" [2006-03-02 67584]

c:\documents and settings\Mistral\Menu Démarrer\Programmes\Démarrage\
No-IP DUC.lnk - d:\no-ip\DUC20.exe [2007-1-27 1172992]
TeamSpeak3 Server Beta.lnk - d:\teamspeak 3 server beta\teamspeak3-server_win32\ts3server_win32.exe [2010-5-10 2632960]

c:\documents and settings\All Users\Menu Démarrer\Programmes\Démarrage\
ASUS WiFi-AP Solo.lnk - c:\program files\ASUS WiFi-AP Solo\RtWLan.exe [2008-12-29 987136]
Iconize.lnk - d:\iconize\Iconize.exe [2004-8-19 237568]
Wallpaper Master.lnk - d:\wallpaper master\Wallpaper.exe [2010-6-1 321536]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^Mises à jour planifiées de Quicken.lnk]
path=c:\documents and settings\All Users\Menu Démarrer\Programmes\Démarrage\Mises à jour planifiées de Quicken.lnk
backup=c:\windows\pss\Mises à jour planifiées de Quicken.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Mistral^Menu Démarrer^Programmes^Démarrage^RollerCoaster Tycoon 3 Registration.lnk]
path=c:\documents and settings\Mistral\Menu Démarrer\Programmes\Démarrage\RollerCoaster Tycoon 3 Registration.lnk
backup=c:\windows\pss\RollerCoaster Tycoon 3 Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-23 09:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
2005-02-15 21:10 57344 ----a-w- c:\program files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 02:34 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 16:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2005-01-12 08:01 32768 ----a-w- d:\cyberlink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-04-08 01:35 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"d:\\Games\\Steam\\Steam.exe"=
"d:\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"d:\\Games\\Steam\\steamapps\\common\\alien swarm\\swarm.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2008-12-30 685816]
S1 atitray;atitray;d:\ray adams\ATI Tray Tools\atitray.sys [2009-11-25 19232]
S2 gupdate;Service Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 135664]
S3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [2005-11-25 31896]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [2008-12-29 176128]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [2010-07-01 34896]
S3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [2008-12-29 13532]
S3 V0230Vfx;V0230Vfx;c:\windows\system32\drivers\V0230Vfx.sys [2006-03-24 6272]
S3 V0230VID;Live! Cam Video IM Pro;c:\windows\system32\drivers\V0230VID.sys [2006-09-29 500480]
S4 msvsmon80;Débogueur distant Visual Studio 2005;d:\microsoft visual studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2005-12-09 2799808]
.
Contenu du dossier 'Tâches planifiées'

2010-10-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 22:29]

2010-10-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 22:29]
.
.
------- Examen supplémentaire -------
.
uStart Page = hxxp://www.di.fm/calendar/calendar.php?type=month&calendar=8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xporter vers Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\Mistral\Application Data\Mozilla\Firefox\Profiles\81gwpwxo.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/
FF - plugin: c:\documents and settings\Mistral\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\Mistral\Application Data\Mozilla\plugins\np-mswmp.dll
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: d:\adobe\Acrobat 5.0\Reader\Browser\nppdf32.dll
FF - plugin: d:\divx\DivX Player\npDivxPlayerPlugin.dll
FF - plugin: d:\divx\DivX Web Player\npdivx32.dll
FF - plugin: d:\videolan\VLC\npvlc.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- PARAMETRES FIREFOX ----
d:\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
d:\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
d:\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
d:\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
d:\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
d:\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
d:\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
d:\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
d:\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
d:\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
d:\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************
Recherche de processus cachés ...

Recherche d'éléments en démarrage automatique cachés ...

Recherche de fichiers cachés ...

Scan terminé avec succès
Fichiers cachés:

**************************************************************************
.
--------------------- CLES DE REGISTRE BLOQUEES ---------------------

[HKEY_USERS\S-1-5-21-1214440339-573735546-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:71,9d,55,25,06,b0,e2,dd,c9,15,0a,d4,f0,a5,df,c3,7d,be,1b,f6,45,
56,c3,32,8f,41,2e,ae,dc,dc,40,83,bb,a3,16,95,e4,2e,17,14,82,07,8d,59,5b,25,\
"rkeysecu"=hex:8c,b7,3f,fd,77,dc,63,1a,bc,73,ad,50,1d,86,0d,9d
.
--------------------- DLLs chargées dans les processus actifs ---------------------

- - - - - - - > 'winlogon.exe'(612)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
.
Heure de fin: 2010-10-25 18:39:46
ComboFix-quarantined-files.txt 2010-10-25 23:39
ComboFix2.txt 2010-10-25 21:35

Avant-CF: 15 279 087 616 octets libres
Après-CF: 15 266 660 352 octets libres

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 9E94540F77736BA3D1D70BB65F4316CA


Edited by Mistral, 25 October 2010 - 06:00 PM.


#7 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,751 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:06:32 PM

Posted 25 October 2010 - 06:51 PM

Still in Safe Mode?

Download GMER from Here. Note the file's name and save it to your root folder, such as C:\.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "No", save the log and post back the results.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#8 Mistral

Mistral
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:06:32 PM

Posted 25 October 2010 - 07:48 PM

Yup, since my first post here, I have always been working in safe mode, which was already an improvement from Saturday.

Ok so, as you requested, I scanned everything with GMER, all my drives, all 6 of them. C:, D: and registry came up with something but I think the rest of the file is irrelevant. E:, F: and H: are fine but GMER came up with almost every file from my G: and it's 696GB out of 698GB of total space on that drive. It contains no executable file whatsoever. Only AVI, WMV, MP3, ISO, few DVD, few archives (ZIP, RAR, maybe MPQ, etc). The log file is more than 4500 lines long and 750965 characters long (including spaces) and I believe this forum is limiting message length to 50000 characters.

FIRST PART:

GMER 1.0.15.15477 - http://www.gmer.net
Rootkit scan 2010-10-25 20:25:46
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\Mistral\LOCALS~1\Temp\ffrirpoc.sys


---- System - GMER 1.0.15 ----

INT 0x01 \??\C:\DOCUME~1\Mistral\LOCALS~1\Temp\mbr.sys F7788A72

Code \??\C:\ComboFix\catchme.sys pIofCallDriver

---- Kernel code sections - GMER 1.0.15 ----

? C:\DOCUME~1\Mistral\LOCALS~1\Temp\mbr.sys Le fichier spécifié est introuvable. !
? C:\ComboFix\catchme.sys Le fichier spécifié est introuvable. !

---- User code sections - GMER 1.0.15 ----

.text D:\Mozilla Firefox\plugin-container.exe[1536] USER32.dll!TrackPopupMenu 77D64F16 5 Bytes JMP 10403687 D:\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text D:\Mozilla Firefox\firefox.exe[1888] ntdll.dll!LdrLoadDll 7C9261CA 5 Bytes JMP 004013F0 D:\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 D:\DAEMON Tools\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x9D 0xB7 0x5F 0xF5 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xA4 0x7C 0x68 0x83 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x7F 0xCD 0x2E 0xE2 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xEB 0x2F 0xCE 0x1B ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0x9E 0x99 0x0F 0x33 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0x04 0x09 0xF8 0xAB ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 D:\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x9D 0xB7 0x5F 0xF5 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xFA 0xC9 0x8F 0x0A ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x57 0x2A 0xC9 0xB0 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x59 0xF2 0xA8 0x43 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0x59 0xF2 0xA8 0x43 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0x59 0xF2 0xA8 0x43 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 D:\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x9D 0xB7 0x5F 0xF5 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xA4 0x7C 0x68 0x83 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x7F 0xCD 0x2E 0xE2 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xEB 0x2F 0xCE 0x1B ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0x9E 0x99 0x0F 0x33 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0x04 0x09 0xF8 0xAB ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 D:\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x9D 0xB7 0x5F 0xF5 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xA4 0x7C 0x68 0x83 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x7F 0xCD 0x2E 0xE2 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xEB 0x2F 0xCE 0x1B ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0x9E 0x99 0x0F 0x33 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0x04 0x09 0xF8 0xAB ...

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00 (MBR): rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sectors 488396912 (+255): rootkit-like behavior;



#9 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,751 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:06:32 PM

Posted 25 October 2010 - 09:18 PM

You may be infected with a backdoor trojan. I would suggest you back up your important documents before proceeding.

Some CD Emulators use a hidden driver which can be seen as a rootkit, and can also interfere with a correct read of the state of the machine by our tools.

The following should be uninstalled via the Control Panel:

Daemon Tools and Daemon Tools Lite
Alcohol 120% and 52%
AstroBurn
StarBurn

For a complete uninstall, and so our tools may run unhindered, please also follow the steps on DuplexSecure's page for uninstalling the SPTD driver which these emulators use.

Scroll down to:

Quote:

Q: How can I remove SPTD driver on 32-bit OS?
Follow the instructions.

Quote:

Q: How can I remove SPTD driver on 32-bit OS?

A: To remove SPTD, simply download SPTD setup file "SPTDinst-v162-x86.exe" for Windows 2000/XP/2003/Vista (32-bit) [911,856 bytes] and execute it.

In dialog that appears press "Uninstall" button and then SPTD will remove itself from your Windows installation.


Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.


  • If an infected file is detected, the default action will be Cure, click on Continue.


  • If a suspicious file is detected, the default action will be Skip, click on Continue.


  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.


  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download MBRCheck.exe to your Desktop. Run the application.

If no infection is found, it will produce a report on the desktop. Post that report in your next reply.

If an infection is found, you will be presented with the following dialog:

Enter 'Y' and hit ENTER for more options, or 'N' to exit:


Type N and press Enter. A report will be produced on the desktop. Post that report in your next reply.

Edited by JSntgRvr, 25 October 2010 - 09:21 PM.

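JSntgRvr's point above, that a CD-emulator driver such as SPTD shows up in rootkit scans and muddies the picture, and the GMER "rootkit-like behavior" sector lines in Mistral's previous post, can be triaged mechanically before anyone runs a cleaning tool. The script below is an added example written for this page; it is not ComboFix, GMER or BleepingComputer code. It parses the three line shapes that appear in the logs above (ComboFix service lines, GMER registry lines and GMER disk-sector lines), using sample lines copied from those logs; the EMULATOR_DRIVERS allowlist is an illustrative assumption, not an authoritative list, and the recommendations are the same follow-ups the helper asked for (uninstall the emulator, then confirm the MBR with a dedicated checker).

```python
"""Triage GMER / ComboFix log lines into findings a responder can act on.

Added example for this thread; not code from GMER, ComboFix or the forum.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumption: illustrative allowlist of CD/DVD-emulator drivers that scanners
# routinely report as rootkit-like. Extend it from your own inventory.
EMULATOR_DRIVERS = {"sptd"}

# GMER: "Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;"
GMER_DISK = re.compile(
    r"^Disk\s+(?P<dev>\S+)\s+sectors?\s+(?P<sector>\d+)"
    r"(?:\s+\([^)]*\))?:\s*(?P<desc>.+?);?\s*$"
)
# GMER: "Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\...@p0 D:\..."
GMER_REG = re.compile(r"^Reg\s+(?P<key>\S+)")
SERVICE_IN_KEY = re.compile(r"\\Services\\(?P<svc>[^\\@]+)", re.IGNORECASE)
# ComboFix: "S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2008-12-30 685816]"
COMBOFIX_SVC = re.compile(
    r"^(?P<start>[SR]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)"
    r"\s+\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\]$"
)


@dataclass(frozen=True)
class Finding:
    source: str   # "gmer" or "combofix"
    kind: str     # "mbr_anomaly", "emulator_driver" or "unknown_driver"
    subject: str  # device, registry key or file path the line is about
    note: str     # what to do with it before cleaning anything


def classify_service(name: str, subject: str, source: str) -> Finding:
    """Separate known emulator drivers from drivers that still need checking."""
    if name.lower() in EMULATOR_DRIVERS:
        return Finding(source, "emulator_driver", subject,
                       "CD-emulator driver; uninstall the emulator before "
                       "trusting rootkit results")
    return Finding(source, "unknown_driver", subject,
                   "not on the allowlist; verify with an online file scanner")


def triage_line(line: str) -> Optional[Finding]:
    """Map one log line to a Finding, or None if it is not a tracked shape."""
    line = line.rstrip()
    m = GMER_DISK.match(line)
    if m:
        return Finding("gmer", "mbr_anomaly",
                       f"{m['dev']} sector {m['sector']}",
                       "sector hook reported; confirm with an MBR checker "
                       "before attempting any repair")
    m = GMER_REG.match(line)
    if m:
        s = SERVICE_IN_KEY.search(m["key"])
        return classify_service(s["svc"], m["key"], "gmer") if s else None
    m = COMBOFIX_SVC.match(line)
    if m:
        return classify_service(m["name"], m["path"], "combofix")
    return None


def triage(lines: Iterable[str]) -> List[Finding]:
    """Triage every line, dropping exact duplicate findings."""
    seen, out = set(), []
    for line in lines:
        f = triage_line(line)
        if f is not None and f not in seen:
            seen.add(f)
            out.append(f)
    return out


def summarize(findings: Iterable[Finding]) -> dict:
    """Count findings per kind, e.g. {'mbr_anomaly': 3, ...}."""
    counts: dict = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Sample lines copied from the ComboFix and GMER logs posted in this thread.
SAMPLE_LOG = r"""
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2008-12-30 685816]
S3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [2008-12-29 13532]
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 D:\DAEMON Tools\
Disk \Device\Harddisk0\DR0 sector 00 (MBR): rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sectors 488396912 (+255): rootkit-like behavior;
""".strip().splitlines()

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"[{finding.source}] {finding.kind}: {finding.subject} -> {finding.note}")
    print(summarize(triage(SAMPLE_LOG)))
```

On the sample above the script reports three emulator-driver hits (all SPTD, so they are explained by DAEMON Tools rather than by an infection), one driver it cannot vouch for (SjyPkt.sys, which is exactly the file the helper later sends to an online scanner), and three MBR/sector anomalies that justify the MBRCheck and TDSSKiller steps. The point of keeping the emulator allowlist separate from the sector findings is that removing SPTD clears the registry noise but says nothing about the MBR, so those lines keep their own follow-up.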


#10 Mistral

Mistral
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:06:32 PM

Posted 26 October 2010 - 03:16 PM

Back on disinfection duty today!

SPTD was not found on my computer, as well as Daemon Tools, which is weird actually. I had it running prior to the infection, always, and never uninstalled it. Anyway, it's not critical.

TDSS found only unsigned files and I know most of them, unless infected since, but not likely.

MBR Check didn't find anything either.

Reports are negative sir!

I might try to boot in normal mode really soon.

In the meantime, I'll rerun F-Secure Rescue CD and see if it finds anything again. Will scan C: and MBR only.




#11 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,751 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:06:32 PM

Posted 26 October 2010 - 03:50 PM

Be patient. Running scanners blindfolded may make things worse.

I find no reference for this file:

  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:

    C:\WINDOWS\System32\Drivers\SjyPkt.sys

  • Click on the Upload button
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Right click on a Notepad document and select Paste. That will empty the contents of the Clipboard on the document. Then Copy and Paste the contents of the Notepad document in your next reply.

Edited by JSntgRvr, 26 October 2010 - 03:53 PM.



#12 Mistral

Mistral
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:06:32 PM

Posted 26 October 2010 - 06:49 PM

Scans are negative. The file's details state it's a genuine Windows file, "Sample NDIS 5.0 Protocol Driver" and some guy on VirusTotal said it's part of the Realtek Wireless Driver, which would make sense (P5B Deluxe, having a wireless on-board chip on my motherboard). Already scanned on both VirSCAN and VirusTotal, both had negative results from past upload (though my file has not been tested yet on VirusTotal, I'm #623 in queue).

Second, as I stated earlier, I rescanned my drive and my MBR with F-Secure and all it found was in the ComboFix quarantine folder or some file in Windows and System32 that have not been moved, which I did after without any problem.


Anyway, this one's a tough guy! I recovered from a few Vundo and Virtumonde infections in the past but one (when I first encountered it) with a 3-step disinfection method.

So, theoretically, I should be good for a try in normal mode. I'm getting tired of the safe mode...

Let me know if you have any trick in your bag! Any tool is good for future infection! ;)




#13 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,751 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:06:32 PM

Posted 26 October 2010 - 07:04 PM

I don't see a problem to boot in Normal Mode.

Are you in Safe Mode just because you want to, or is the system not allowing you to do otherwise?



#14 Mistral

Mistral
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:06:32 PM

Posted 26 October 2010 - 07:20 PM

I couldn't because it was crashing right after I entered my password. Haven't tried since but will right about now and keep you up-to-date.

#15 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,751 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:06:32 PM

Posted 26 October 2010 - 07:21 PM

:thumbup2:





