
Projekt 1 virus - deleting files and changing folders permission


  • This topic is locked
3 replies to this topic

#1 psycodyn

psycodyn

  • Members
  • 1 posts
  • OFFLINE
  • Local time:10:06 PM

Posted 18 March 2011 - 09:05 AM

Hello. I have a domain controller (Windows Server 2008 SP2) and yesterday it was infected with the Sality virus, then I used a removal tool from Kaspersky on all my PCs (with the network disabled) to take care of it (http://support.kaspersky.com/downloads/utils/sality_off.zip). Now today the screen "crashed" with a message "Projekt1 got an error", or something like that, then I noticed that many files were deleted and some folder permissions were changed. It used the "HelpUser" account, so I disabled this account.
I want to be sure that they are gone and that I don't have other malicious files.
PS: sorry for my poor English, I am from Brazil.
PS2: GMER doesn't give the option to check/uncheck most of the items you ask for, so I did a default scan (the system is only the C: drive and the Show All option was unchecked).
PS3: GMER didn't find anything; the log was empty.
PS4: I did an online scan of the file that infected my PC with Projekt1; here is the link, I don't know if it helps in any way. http://www.virustotal.com/file-scan/report.html?id=4fa63eaf1b2cffb94390ed29ed3c36b6ae06ef2a1764653f1b0382cdcd22d20f-1300451654

.
DDS (Ver_11-03-05.01) - NTFS_AMD64
Run by Administrator at 10:18:40,26 on 18/03/2011
Internet Explorer: 8.0.6001.18999
Microsoft® Windows Server® 2008 Standard 6.0.6002.2.1252.55.1033.18.8186.4516 [GMT -3:00]
.
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\System32\spoolsv.exe
C:\xampplite\apache\bin\httpd.exe
C:\Windows\system32\svchost.exe -k apphost
C:\Program Files (x86)\Application Updater\ApplicationUpdater.exe
C:\Windows\system32\DFSRs.exe
C:\Windows\system32\dns.exe
C:\Windows\System32\ismserv.exe
C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe
C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe
C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe
C:\Program Files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe
C:\xampplite\apache\bin\httpd.exe
C:\Windows\SYSMSI\SSEE\MSSQL.2005\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe
C:\xampplite\mysql\bin\mysqld.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k regsvc
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
C:\Program Files (x86)\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\dfssvc.exe
C:\Windows\System32\svchost.exe -k tapisrv
C:\Windows\System32\msdtc.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Broadcom\BACS\BacsTray.exe
C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
C:\Program Files (x86)\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe
C:\Program Files (x86)\Firebird\Firebird_1_5\bin\fbguard.exe
C:\Program Files (x86)\Firebird\Firebird_1_5\bin\fbserver.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\LogonUI.exe
C:\Windows\system32\UI0Detect.exe
C:\Program Files (x86)\Openfire\bin\openfire.exe
C:\Program Files (x86)\Openfire\bin\openfired.exe
C:\Windows\system32\rdpclip.exe
C:\Sality_off.exe
C:\Windows\SysWOW64\conime.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\mmc.exe
C:\Users\Administrator\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = res://iesetup.dll/HardAdmin.htm
uDefault_Page_URL = res://iesetup.dll/HardAdmin.htm
uWindow Title = Internet Explorer provided by Dell
mDefault_Page_URL = hxxp://www1.la.dell.com/content/default.aspx?c=la&l=en&s=gen
uURLSearchHooks: pdfforge Toolbar: {b922d405-6d13-4a2b-ae89-08a030da4402} - C:\Program Files (x86)\pdfforge Toolbar\IE\4.1\pdfforgeToolbarIE.dll
mWinlogon: Userinit=userinit.exe
BHO: pdfforge Toolbar: {b922d405-6d13-4a2b-ae89-08a030da4402} - C:\Program Files (x86)\pdfforge Toolbar\IE\4.1\pdfforgeToolbarIE.dll
TB: pdfforge Toolbar: {b922d405-6d13-4a2b-ae89-08a030da4402} - C:\Program Files (x86)\pdfforge Toolbar\IE\4.1\pdfforgeToolbarIE.dll
uRun: [Spark] C:\Program Files (x86)\Spark\Spark.exe
mRun: [Firebird] "C:\Program Files (x86)\Firebird\Firebird_1_5\bin\fbguard.exe" -a
mRun: [<NO NAME>]
mRun: [SearchSettings] "C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe"
mRun: [svchost] C:\Users\helpuser\AppData\Roaming\svchost1.exe
mRun: [WinUpdater] C:\Users\helpuser\AppData\Roaming\WinUpdater.exe.exe
mRunOnce: [GrpConv] grpconv -o
mExplorerRun: [svchost] C:\Users\helpuser\AppData\Roaming\svchost1.exe
StartupFolder: C:\Users\ADMINI~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\_UNINS~1.LNK - C:\Users\Administrator\AppData\Local\Temp\1\_uninst_setup_9.0.0.722_15.03.2011_11-34.exe.bat
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\WDDMST~1.LNK - C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\WDSMAR~1.LNK - C:\Program Files (x86)\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: ShowSuperHidden = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: {C558E5D8-D66B-4D5A-B82F-D1FC6A85627B} = 127.0.0.1
SecurityProviders: credssp.dll, pwdssp.dll
LSA: Notification Packages = scecli RASSFM
mASetup: {3FFBB3EE-8FFE-DF4B-BDDC-CDF8A5CFA4BA} - C:\Users\helpuser\AppData\Roaming\svchost1.exe
mASetup: {A509B1A7-37EF-4b3f-8CFC-4F3A74704073} - %systemroot%\system32\rundll32.exe iesetup.dll,IEHardenAdmin
mASetup: {A509B1A8-37EF-4b3f-8CFC-4F3A74704073} - %systemroot%\system32\rundll32.exe iesetup.dll,IEHardenUser
mRun-x64: [bacstray] C:\Program Files\Broadcom\BACS\BacsTray.exe
mRun-x64: [LogMeIn GUI] "C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe"
.
============= SERVICES / DRIVERS ===============
.
R0 b06bdrv;Broadcom NetXtreme II VBD;C:\Windows\System32\drivers\bxvbda.sys [2008-1-19 474664]
R1 DfsDriver;DFS Namespace Server Filter Driver;C:\Windows\System32\drivers\dfs.sys [2008-1-19 45112]
R2 Apache2.2;Apache2.2;C:\xampplite\apache\bin\httpd.exe [2010-5-5 29416]
R2 Application Updater;Application Updater;C:\Program Files (x86)\Application Updater\ApplicationUpdater.exe [2010-10-22 386560]
R2 DNS;DNS Server;C:\Windows\System32\dns.exe [2009-12-3 639488]
R2 IsmServ;Intersite Messaging;C:\Windows\System32\ismserv.exe [2008-1-19 59392]
R2 kdc;Kerberos Key Distribution Center;C:\Windows\System32\lsass.exe [2009-8-28 11264]
R2 LMIGuardianSvc;LMIGuardianSvc;C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe [2010-9-29 373640]
R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files (x86)\LogMeIn\x64\rainfo.sys [2008-8-11 15928]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\Windows\System32\drivers\LMIRfsDriver.sys [2009-12-17 72216]
R2 MsDtsServer;SQL Server Integration Services;C:\Program Files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe [2005-10-14 195288]
R2 MSSQL$MICROSOFT##SSEE;Windows Internal Database (MICROSOFT##SSEE);C:\Windows\SYSMSI\SSEE\MSSQL.2005\MSSQL\Binn\sqlservr.exe -sMICROSOFT##SSEE --> C:\Windows\SYSMSI\SSEE\MSSQL.2005\MSSQL\Binn\sqlservr.exe -sMICROSOFT##SSEE [?]
R2 WDDMService.exe;WD SmartWare Drive Manager Service;C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [2009-9-4 116224]
R2 WDSmartWareBackgroundService;WD SmartWare Background Service;C:\Program Files (x86)\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [2009-6-16 20480]
R3 l2nd;Broadcom NetXtreme II BXND;C:\Windows\System32\drivers\bxnd60a.sys [2009-8-1 80248]
R3 WDC_SAM;WD SCSI Pass Thru driver;C:\Windows\System32\drivers\wdcsam64.sys [2009-2-13 14464]
RUnknown 95907762;95907762; [x]
RUnknown setup_9.0.0.722_15.03.2011_11-34drv;setup_9.0.0.722_15.03.2011_11-34drv; [x]
S0 sacdrv;sacdrv;C:\Windows\System32\drivers\sacdrv.sys [2008-1-19 103992]
S2 PcounterData;Pcounter Data Server;C:\Windows\System32\PCNTDATA.EXE --> C:\Windows\System32\PCNTDATA.EXE [?]
S2 PcounterPrint;Pcounter Printer Control;C:\Windows\System32\PCOUNTER.EXE --> C:\Windows\System32\PCOUNTER.EXE [?]
S3 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2009-12-3 89920]
S3 FCRegSvc;Microsoft Fibre Channel Platform Registration Service;C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted [2008-1-19 27648]
S3 FontCache;Windows Font Cache Service;C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-19 27648]
S3 NtFrs;File Replication;C:\Windows\System32\ntfrs.exe [2009-12-3 1019392]
S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-19 19968]
S3 RSoPProv;Resultant Set of Policy Provider;C:\Windows\System32\rsopprov.exe [2009-12-3 91648]
S3 sacsvr;Special Administration Console Helper;C:\Windows\System32\svchost.exe -k netsvcs [2008-1-19 27648]
S4 b06diag;Broadcom NetXtreme II Diag Driver;C:\Windows\System32\drivers\bxdiaga.sys [2009-8-1 81920]
S4 BXOIS;Broadcom NetXtreme II Offload iSCSI Driver;C:\Windows\System32\drivers\bxois.sys [2009-8-1 714792]
S4 ebdrv;Broadcom NetXtreme II 10 GigE VBD;C:\Windows\System32\drivers\evbda.sys [2009-8-1 3306024]
S4 ioatdma;Intel® QuickData Technology Device;C:\Windows\System32\drivers\qd260x64.sys [2008-1-19 35328]
S4 storvsc;storvsc;C:\Windows\System32\drivers\storvsc.sys [2008-1-19 28160]
S4 storvsp;Microsoft Virtual Disk Server Driver;C:\Windows\System32\drivers\storvsp.sys [2008-1-19 133120]
S4 Vid;Virtualization Infrastructure Driver;C:\Windows\System32\drivers\Vid.sys [2008-1-19 221696]
S4 vmbus;VMBus;C:\Windows\System32\drivers\vmbus.sys [2008-1-19 243256]
.
=============== File Associations ===============
.
JSEFile=C:\Windows\SysWOW64\WScript.exe "%1" %*
.
=============== Created Last 30 ================
.
2011-03-18 12:51:25 -------- d-----w- C:\bkp
2011-03-15 13:09:33 249856 ----a-w- C:\Sality_off.exe
.
==================== Find3M ====================
.
2010-12-28 16:08:18 466944 ----a-w- C:\Windows\System32\odbc32.dll
2010-12-28 15:55:03 413696 ----a-w- C:\Windows\SysWow64\odbc32.dll
.
============= FINISH: 10:18:53,28 ===============

Edited by psycodyn, 18 March 2011 - 09:07 AM.
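The Pseudo HJT Report in the log above contains the entries a responder would look at first: Run, ExplorerRun and ASetup keys pointing at svchost1.exe and WinUpdater.exe.exe under C:\Users\helpuser\AppData\Roaming, plus EnableLUA = 0 in machine policy. The script below is an added example, not part of the original post or of the DDS tool: it parses the DDS line formats shown in the log and applies a few defender-side heuristics (autostart from a user-writable profile or temp directory, a double file extension, a system-binary lookalike name outside the Windows directory, UAC disabled). The sample input is a constructed subset of the lines from the post; the heuristic names and thresholds are this example's own assumptions, and a hit is a triage lead, not a verdict.

```python
"""Flag suspicious autostart entries in a DDS 'Pseudo HJT Report'.

Added example (not part of the original thread or of the DDS tool).
The heuristics are the editor's assumptions; a hit is a lead for triage.
"""
import re
from typing import List, Optional, Tuple

# Constructed sample: a subset of the Pseudo HJT Report lines from the post.
SAMPLE_LOG = r"""
mRun: [Firebird] "C:\Program Files (x86)\Firebird\Firebird_1_5\bin\fbguard.exe" -a
mRun: [<NO NAME>]
mRun: [svchost] C:\Users\helpuser\AppData\Roaming\svchost1.exe
mRun: [WinUpdater] C:\Users\helpuser\AppData\Roaming\WinUpdater.exe.exe
mExplorerRun: [svchost] C:\Users\helpuser\AppData\Roaming\svchost1.exe
mASetup: {3FFBB3EE-8FFE-DF4B-BDDC-CDF8A5CFA4BA} - C:\Users\helpuser\AppData\Roaming\svchost1.exe
mASetup: {A509B1A7-37EF-4b3f-8CFC-4F3A74704073} - %systemroot%\system32\rundll32.exe iesetup.dll,IEHardenAdmin
mPolicies-system: EnableLUA = 0 (0x0)
mRun-x64: [LogMeIn GUI] "C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe"
"""

# DDS line kinds that describe autostart locations (u = user hive, m = machine hive).
AUTOSTART_KINDS = {"uRun", "mRun", "uRunOnce", "mRunOnce", "uExplorerRun",
                   "mExplorerRun", "mASetup", "uRun-x64", "mRun-x64"}

# Names that malware commonly imitates; legitimate copies live under \Windows\.
LOOKALIKE_STEMS = {"svchost", "lsass", "csrss", "winlogon", "explorer", "services", "smss"}

# A quoted path, or an unquoted drive/%var% path ending in an executable extension.
PATH_RE = re.compile(
    r'"([^"]+)"|((?:[A-Za-z]:|%[^%]+%)\\.*?\.(?:exe|dll|scr|bat|cmd|vbs|js))(?=\s|$)',
    re.IGNORECASE,
)


def extract_path(payload: str) -> Optional[str]:
    """Return the image path from the value part of a Run/ASetup line, if any."""
    m = PATH_RE.search(payload)
    return (m.group(1) or m.group(2)) if m else None


def classify(path: str) -> List[str]:
    """Apply the heuristics to one image path; returns the reasons that fired."""
    reasons: List[str] = []
    low = path.lower()
    if re.search(r"\\users\\[^\\]+\\appdata\\|\\temp\\|%temp%", low):
        reasons.append("runs from a user-writable profile/temp directory")
    name = low.rsplit("\\", 1)[-1]
    if re.search(r"\.[a-z0-9]{2,4}\.(exe|scr|com|bat|cmd)$", name):
        reasons.append("double file extension")
    stem = re.sub(r"\d+$", "", name.rsplit(".", 1)[0])  # svchost1 -> svchost
    if stem in LOOKALIKE_STEMS and "\\windows\\" not in low:
        reasons.append("system-binary lookalike name outside the Windows directory")
    return reasons


def audit_dds_report(text: str) -> List[Tuple[str, List[str]]]:
    """Scan DDS report lines; return (line, reasons) for every line that fired."""
    findings: List[Tuple[str, List[str]]] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^([^:]+): (.*)$", line)
        if not m:
            continue
        kind, payload = m.group(1), m.group(2)
        reasons: List[str] = []
        if kind in AUTOSTART_KINDS:
            # Drop the leading "[name] " or "{guid} - " part of the value.
            payload = re.sub(r"^\[[^\]]*\]\s*|^\{[^}]*\}\s*-\s*", "", payload)
            path = extract_path(payload)
            if path:
                reasons = classify(path)
        elif kind == "mPolicies-system" and re.match(r"EnableLUA = 0\b", payload):
            reasons = ["UAC (EnableLUA) is disabled in machine policy"]
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in audit_dds_report(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("   -", r)
```

Run against the constructed sample, the script flags the four entries that load svchost1.exe or WinUpdater.exe.exe from the helpuser profile and the EnableLUA = 0 policy line, and leaves the Firebird, LogMeIn and rundll32.exe entries alone. The same function can be pointed at a full saved DDS report; entries that fire should be checked against the file's hash and signature before anything is removed.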



#2 oneof4

oneof4

  • Malware Response Team
  • 3,779 posts
  • OFFLINE
  • Gender:Male
  • Location:The Collective
  • Local time:09:06 PM

Posted 25 March 2011 - 12:08 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Please take note:

  • If you have since resolved the original problem you were having, we would appreciate you letting us know.
  • If you are unable to create a log because your computer cannot start up successfully please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • If you are unable to perform the steps we have recommended please try one more time and if unsuccessful alert us of such and we will design an alternate means of obtaining the necessary information.
  • If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.
  • If you have already posted a DDS log, please do so again, as your situation may have changed.
  • Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a log from the RKUnhooker anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Please note that if you are running a 64-bit version of Windows you will not be able to run RKUnhooker and you may skip this step.


Why we request you disable CD Emulation when receiving Malware Removal Advice

Scan With RKUnHooker
  • Please Download Rootkit Unhooker Save it to your desktop.
  • Extract RKUnhooker to your desktop
    Note** it is zipped up in a .rar file - If you do not have a program to unzip this type of file
    you can get a free one from here - http://www.7-zip.org/
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers and Stealth. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
    Copy the entire contents of the report and paste it in a reply here.
Note** You may get this warning:

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


Just ignore it, click Cancel, then Accept.

Best Regards,
oneof4.


#3 oneof4

oneof4

  • Malware Response Team
  • 3,779 posts
  • OFFLINE
  • Gender:Male
  • Location:The Collective
  • Local time:09:06 PM

Posted 29 March 2011 - 08:24 AM

Do you still need help?

Best Regards,
oneof4.


#4 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  • Gender:Male
  • Location:US
  • Local time:09:06 PM

Posted 06 April 2011 - 06:56 AM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.
