
Apparent Sasser/Blaster-type infection


  • This topic is locked
13 replies to this topic

#1 Spinne

Spinne

  • Members
  • 7 posts
  • OFFLINE
  • Local time:10:49 AM

Posted 18 May 2011 - 03:17 AM

Greetings, all. I’m trying to resolve what looks like a fairly established malware infestation on a Dell system that used to be mine, but I recently transferred to another room of the house for use by the rest of the family. I thought it was relatively safe, given my own conservative habits online and the updated copies of AVG and ZoneAlarm I’d left on it before the move, but a week or so ago I was told it was taking “much longer” than usual to start up; by my watch it’s about five minutes, with all system tasks markedly slower once it’s running.

Had I still been using the machine, I’d have probably seen the malware files being installed and had a chance to react. In this case, however, I’ve been forced to treat the symptoms: I checked startup processes and didn’t see anything unusual, so I spun up MalwareBytes and got a clean scan. On the off chance I’d missed something I tried a standard ComboFix run…and promptly triggered an "NT Authority" 60-second shutdown timer, claiming lsass.exe had to close due to status code 0.

I’d seen enough at that point to pull the machine’s Ethernet cable and search the shutdown issue from my own computer. While several posts here mention the “shutdown -a” trick from a command prompt to abort an unwanted shutdown, whatever’s in place on this system appears to be locking down all other processes when the timer starts; I can’t Alt-Tab back to Windows, let alone Control-Alt-Delete my way to Task Manager.

The problem is sufficiently well-entrenched to do the same thing after a reboot into Safe Mode, and with Dell’s stock recovery CD not apparently offering a direct boot into Windows off the CD, I’m running short on options. A few other hits mentioned Blaster and Sasser worms in association with the shutdown timer, so I pulled the old Symantec removal tools for each and ran them to see if they’d find anything. No dice, alas.

At this point I’m at something of a stalemate since the computer reportedly wasn’t popping up anything more visible like pop-ups or search redirects, and it can’t currently phone home for further instructions. That said, I’m starting to get complaints about folks not being able to check eBay and Facebook and e-mail unless they come up to use my machine, so...I’d appreciate any advice folks have to offer.

Chris



Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:43:06 PM, on 5/17/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\AVG\AVG10\avgchsvx.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HijackThis.exe
C:\WINDOWS\system32\svchost.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=2071024
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVZOVgtTlNWVkwtTzRCWlEtUUlNQ0wtUVREQ0gtNElKTUg"&"inst=NzctNDc4MTk2MTYyLVQ0LUtWMys3LUJBKzEtWEwrMS1GUDkrNi1CQVI5RysxLVRCOSsyLUZMKzktUUlYMSs0LVgyMDEwKzItRjEwTTEwRCsxLUxJQysyLUZMMTArMQ"&"prod=90"&"ver=10.0.1204
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5812 bytes
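Added example, not part of the original thread and not code from HijackThis itself: a small Python parser for the HijackThis log format above, with a few triage heuristics for the O4 autorun, O23 service, R0/R1 Internet Explorer and F2 UserInit entries. The sample log is constructed, modelled on the one above with two synthetic suspicious lines (an HKCU "svchost" autorun under Temp, and a Search Page pointing at a reserved .test host); the trusted-host list, the process-name list and the rules are assumptions for illustration, not anything the forum's tools do.

```python
import re
from urllib.parse import urlparse

# Constructed sample in HijackThis v2 log format: lines modelled on the log above,
# plus two synthetic entries (the HKCU "svchost" autorun and the hijacked Search
# Page pointing at a reserved .test host) so that every rule has a hit.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.4
Platform: Windows XP SP3 (WinNT 5.01.2600)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.hijack-example.test/?q=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [svchost] C:\Documents and Settings\user\Local Settings\Temp\svchost.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
"""

# Assumed allowlists/denylists for the heuristics; tune them to the environment.
TRUSTED_IE_HOSTS = {"go.microsoft.com", "www.microsoft.com", "www.google.com", "www.msn.com"}
SYSTEM_PROCESS_NAMES = {"svchost", "lsass", "csrss", "smss", "winlogon", "services", "spoolsv"}
USER_WRITABLE_DIRS = ("\\temp\\", "\\local settings\\", "\\application data\\", "\\appdata\\", "\\recycler\\")
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

O4_RE = re.compile(r"^O4 - (\S+?)\\\.\.\\(Run\w*): \[([^\]]*)\] ?(.*)$")
O23_RE = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.*)$")
R_RE = re.compile(r"^(R[013]) - (.*?) = (.*)$")
F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(.*)$", re.IGNORECASE)


def parse_hjt(text):
    """Return a list of (section, fields) for the O4, O23, R0/R1/R3 and F2 lines;
    every other line (header, O2, O9, O16, ...) is ignored by this parser."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            entries.append(("O4", {"hive": m[1], "key": m[2], "name": m[3], "cmd": m[4], "raw": line}))
        elif m := O23_RE.match(line):
            entries.append(("O23", {"name": m[1], "owner": m[2], "path": m[3], "raw": line}))
        elif m := R_RE.match(line):
            entries.append((m[1], {"key": m[2], "value": m[3], "raw": line}))
        elif m := F2_RE.match(line):
            entries.append(("F2", {"userinit": m[1], "raw": line}))
    return entries


def _host(value):
    """Hostname of an IE start/search URL; HJT sometimes logs them without a scheme."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def audit(entries):
    """Apply triage heuristics; returns (rule, raw_line) pairs. These are leads to
    confirm by hand (file signature, vendor, hash), not verdicts."""
    findings = []
    for section, f in entries:
        if section == "O4":
            cmd_l = f["cmd"].lower()
            if any(d in cmd_l for d in USER_WRITABLE_DIRS):
                findings.append(("autorun-from-user-writable-dir", f["raw"]))
            exe = re.search(r'([^\\/"]+)\.exe\b', f["cmd"], re.IGNORECASE)
            if exe and exe[1].lower() in SYSTEM_PROCESS_NAMES and "\\windows\\" not in cmd_l:
                findings.append(("system-process-name-outside-windows-dir", f["raw"]))
        elif section == "O23" and f["owner"].lower() == "unknown owner":
            findings.append(("service-without-vendor-info", f["raw"]))
        elif section in ("R0", "R1", "R3") and f["key"].lower().endswith(("url", "page")):
            if _host(f["value"]) not in TRUSTED_IE_HOSTS:
                findings.append(("ie-setting-points-to-untrusted-host", f["raw"]))
        elif section == "F2":
            if f["userinit"].strip().rstrip(",").lower() != EXPECTED_USERINIT:
                findings.append(("userinit-tampered", f["raw"]))
    return findings


def audit_log(text):
    return audit(parse_hjt(text))


if __name__ == "__main__":
    for rule, raw in audit_log(SAMPLE_LOG):
        print(f"[{rule}] {raw}")
```

Run as-is it reports four hits on the sample. On the real log above the same "service-without-vendor-info" rule would fire on DSBrokerService (the broker under Program Files\DellSupport, a Dell support component), which is the point of calling these leads rather than verdicts: confirm each hit against the file's signature and vendor before anything is removed.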


#2 rigacci

rigacci

    Fiorentino


  • Members
  • 2,604 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:49 AM

Posted 23 May 2011 - 03:49 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Thanks.

DR

#3 Spinne

Spinne
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:10:49 AM

Posted 25 May 2011 - 04:01 AM

Interesting; I don't recall Daemon Tools being on the machine in question. Makes me think I need to ask people some questions. Anyhow, DDS and GMER logs are as follows.

Chris

.
DDS (Ver_11-05-19.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Run by Chris ***** at 17:17:32 on 2011-05-24
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2410 [GMT -8:00]
.
AV: AVG Anti-Virus Free Edition 2011 *Disabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\AVG\AVG10\avgchsvx.exe
svchost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\dds.pif
C:\WINDOWS\system32\WSCRIPT.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {E52BE12D-A44A-4F51-9DC1-34F37A488CC7} - No File
mRun: [nwiz] nwiz.exe /install
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVZOVgtTlNWVkwtTzRCWlEtUUlNQ0wtUVREQ0gtNElKTUg"&"inst=NzctNDc4MTk2MTYyLVQ0LUtWMys3LUJBKzEtWEwrMS1GUDkrNi1CQVI5RysxLVRCOSsyLUZMKzktUUlYMSs0LVgyMDEwKzItRjEwTTEwRCsxLUxJQysyLUZMMTArMQ"&"prod=90"&"ver=10.0.1204
uPolicies-explorer: RestrictRun = 0 (0x0)
mPolicies-explorer: RestrictRun = 0 (0x0)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: intuit.com\ttlc
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\program files\qualcomm\eudora\EuShlExt.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\chris *****\application data\mozilla\firefox\profiles\55vkjsl3.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.cnn.com
FF - plugin: c:\documents and settings\chris *****\application data\mozilla\firefox\profiles\55vkjsl3.default\extensions\npnelaunch@sonicwall.com\plugins\npNELaunch.dll
FF - plugin: c:\documents and settings\chris *****\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\chris *****\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\chris *****\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npitunes.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - plugin: c:\windows\system32\npmirage.dll
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: DownThemAll!: {DDC359D1-844A-42a7-9AA1-88A850A938A8} - %profile%\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
FF - Ext: Redirect Remover: {fe0258ab-4f74-43a1-8781-bcdf340f9ee9} - %profile%\extensions\{fe0258ab-4f74-43a1-8781-bcdf340f9ee9}
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
FF - Ext: NetExtender Launcher : npNELaunch@sonicwall.com - %profile%\extensions\npNELaunch@sonicwall.com
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 251728]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
R1 SASDIFSV;SASDIFSV;c:\docume~1\chrisk~1\locals~1\temp\sas_selfextract\SASDIFSV.SYS [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\docume~1\chrisk~1\locals~1\temp\sas_selfextract\SASKUTIL.SYS [2010-5-10 67656]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-12-29 532224]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-1-6 6128720]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 26192]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-2-22 1691480]
S3 NxDrv;SonicWALL NetExtender Adapter;c:\windows\system32\drivers\NxDrv.sys [2009-10-21 22600]
.
=============== Created Last 30 ================
.
2011-05-16 07:33:34 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2011-05-16 07:33:33 -------- d-----w- c:\documents and settings\chris *****\application data\SUPERAntiSpyware.com
2011-05-01 06:37:57 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-01 06:37:53 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-01 06:37:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-01 04:34:09 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2011-05-01 02:37:36 -------- d-----w- c:\documents and settings\all users\application data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2011-05-01 02:31:43 -------- d-----w- c:\program files\Bonjour
2011-04-29 03:01:58 -------- d-----w- c:\program files\Eric's Ultimate Solitaire
.
==================== Find3M ====================
.
2011-04-07 00:20:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-07 00:20:16 197920 ----a-w- c:\windows\system32\dnssdX.dll
2011-04-07 00:20:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2006-03-21 00:37:52 5689344 ----a-w- c:\program files\mplayerc.exe
.
============= FINISH: 17:18:49.29 ===============

Attached Files

  • Attached File  gmer.log   32.23KB   1 downloads


#4 pwgib

pwgib

  • Malware Response Team
  • 2,958 posts
  • OFFLINE
  • Gender:Male
  • Location:God's Country
  • Local time:09:49 AM

Posted 25 May 2011 - 08:37 AM

Hello Spinne,

I will be handling your log to help you get cleaned up. I apologize for the delay but the forum is very busy and as you can see the logs we ask for are very extensive and take a lot of time to investigate.

Please subscribe to this topic. Click on the Watch Topic button, select Immediate Notification and click on proceed.

Make sure Word Wrap in notepad is turned off. When copying and pasting logs paste them directly in the reply box only attach logs if asked to. Do not wrap logs in codebox or code tags. It makes it very difficult to read and analyze them. Please paste them directly into the reply box.
Do not make any changes to your system until we are through. Fixes are based upon information that is current from your system so any changes can affect our strategy. Please refrain from running any tools we may use without specific instructions.

If your operating system is Windows Vista or Windows 7 it may be necessary to right-click and choose Run as Administrator for any programs we use.

Before we begin please check and follow the instructions on How to Show Hidden Files and Folders in Windows Vista and Windows XP and How to show hidden files in Windows 7

Because the e-mail notification system is not completely reliable, please check your topic once a day for responses.

Please read carefully all directions and instructions. If you are instructed to save a tool to the desktop please save it to the desktop. If you have since resolved the original problem you were having, we would appreciate you letting us know.

When you ran DDS an Attach.txt log should have been generated. Please attach Attach.txt in your next reply. :)

Step 1.

Please download Rootkit Unhooker from one of the following links and save it to your desktop.
Link 1 (.exe file)
Link 2 (zipped file)
Link 3 (.rar file)
In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracting ZIP and RAR compressed files. If you don't have an extraction program, you can download, install and use the free 7-zip utility.

  • Double-click on RKUnhookerLE.exe to start the program.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • Click the Report tab, then click Scan.
  • Check Drivers, Stealth, and uncheck the rest.
  • Click OK.
  • Wait until it's finished and then go to File > Save Report.
  • Save the report to your Desktop.
  • Copy and paste the contents of the report into your next reply.
-- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".


Step 2.

We need to create an OTL Report
  • Please download OTL from the following mirror:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized


In your next reply please include the following:


RKUnhooker log
OTL.txt <-- Will be opened
Extra.txt <-- Will be minimized
Attach.txt (from DDS)



Thanks!!
PW

#5 Spinne

Spinne
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:10:49 AM

Posted 26 May 2011 - 03:27 AM

PW,

Updated logs are all attached. There are bits and pieces that look interesting, like a list of system32 hosts in OTL.txt referencing sites I've never visited; I also saw a few quirky references to sptd.sys here and there. At any rate, it's a lot more data than I've been able to get from the system to date.

Chris

Attached Files



#6 pwgib

pwgib

  • Malware Response Team
  • 2,958 posts
  • OFFLINE
  • Gender:Male
  • Location:God's Country
  • Local time:09:49 AM

Posted 26 May 2011 - 10:43 AM

Hi Spinne,

Please do not attach logs unless asked to. Post them directly into the reply box. :thumbup2:

Did you run TDSSKiller?


a list of system32 hosts in OTL.txt referencing sites I've never visited

Can you give me an example?

I also saw a few quirky references to sptd.sys here and there.

Related to sptd.sys SCSI Pass Through Direct Host from Duplex Secure Ltd.


Step 1.

We need to run an OTL Fix
  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Posted Image textbox.

    :OTL
    O3 - HKU\S-1-5-21-3309716862-2423500340-145317149-1005\..\Toolbar\WebBrowser: (no name) - {E52BE12D-A44A-4F51-9DC1-34F37A488CC7} - No CLSID value found.
    O15 - HKU\S-1-5-21-3309716862-2423500340-145317149-1005\..Trusted Domains: intuit.com ([ttlc] https in Trusted sites)
    @Alternate Data Stream - 85 bytes -> C:\Documents and Settings\All Users\Desktop:$ES_DESCRIPTOR_PBPUV9VK9V89FMRVCL9YERB3CKN64EKC480B9CKNSGKTBRK4RHETVVJVKVVVVV4VM
    @Alternate Data Stream - 85 bytes -> C:\Documents and Settings\All Users\Application Data\Namco 
    
    :reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirstRunDisabled"=-
    
    :commands
    [EmptyTemp]
    [RESETHOSTS]
    
  • Push Posted Image
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click Posted Image.
  • A report will open. Copy and Paste that report in your next reply.

Note: If you are using a custom hosts file you will need to reinstall it when we are through.


Step 2.

Next, if still there please delete the copy of Combofix from your desktop. <----Important

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to our sticky topic How to Disable your Security Applications


    Note - If you have AVG or CA installed, due to recent changes in how these AV's target the tool's internal files, they must be uninstalled before running ComboFix. If you have difficulty uninstalling the AV, download Opswat AppRemover http://www.appremover.com/supported-applications <----Important
    Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note:The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall. If ComboFix will not run in normal mode please try running in safe mode.


Step 3.

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.


Step 4.

Please run a scan with aswMBR next:
Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.


In your next reply please post, (do not attach), the following:

OTLFix report
ComboFix.txt
aswMBR log



Thanks!!
PW
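Added example, not from the original thread and not OTL's own code. It serves two points raised in this thread: the DDS log in post #3 reported "Hosts: 127.0.0.1 www.spywareinfo.com", and the OTL fix above ends with [RESETHOSTS], which wipes the file back to stock. Before resetting it is worth seeing exactly what the hosts file (on XP: %SystemRoot%\system32\drivers\etc\hosts) has been made to do, because the two classic abuses are different: blackholing security-vendor and help sites to loopback or 0.0.0.0 so the victim cannot fetch updates or advice, and pinning a banking, auction or webmail host to a remote address so the user lands on a look-alike. The Python script below parses a hosts file and classifies every non-stock mapping accordingly. The sample file, the list of help-site domains and the rule names are constructed for illustration.

```python
import ipaddress

# Constructed sample hosts file: the stock XP header and localhost line, the entry
# DDS reported in post #3, and synthetic entries (www.avg.com blackholed to 0.0.0.0,
# www.ebay.com pinned to a documentation-range address, one garbage line) for illustration.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       www.spywareinfo.com
0.0.0.0         www.avg.com
203.0.113.10    www.ebay.com   # synthetic: points the site at a foreign address
this is not a hosts line
"""

# Mappings that are normal on a stock system; anything else deserves a look.
STOCK_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Domains malware commonly blackholes to stop the victim fetching help or updates
# (assumed list; extend it with whatever AV and update vendors the host uses).
HELP_DOMAINS = ("spywareinfo.com", "avg.com", "malwarebytes.org", "bleepingcomputer.com",
                "microsoft.com", "windowsupdate.com", "symantec.com")


def parse_hosts(text):
    """Yield (lineno, ip, hostname) for every mapping, or (lineno, None, raw_line)
    for a line that is neither blank, a comment, nor a valid mapping."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        addr, *names = line.split()
        try:
            ip = str(ipaddress.ip_address(addr))
        except ValueError:
            yield lineno, None, raw
            continue
        for name in names:
            yield lineno, ip, name.lower()


def _is_help_domain(name):
    return any(name == d or name.endswith("." + d) for d in HELP_DOMAINS)


def audit_hosts(text):
    """Classify every non-stock mapping. Returns (lineno, rule, ip, name) tuples."""
    findings = []
    for lineno, ip, name in parse_hosts(text):
        if ip is None:
            findings.append((lineno, "malformed-line", None, name))
            continue
        if (ip, name) in STOCK_ENTRIES:
            continue
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_unspecified:
            # Name resolves to nowhere: the host is being blocked.
            rule = "blackholes-help-site" if _is_help_domain(name) else "blackholes-host"
        else:
            # Name resolves somewhere else: the host is being impersonated or proxied.
            rule = "redirects-to-remote-ip"
        findings.append((lineno, rule, ip, name))
    return findings


if __name__ == "__main__":
    for lineno, rule, ip, name in audit_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {rule:24s} {ip or '-':15s} {name}")
```

A deliberately maintained ad-blocking hosts file will produce a long run of "blackholes-host" hits, which is exactly why the OTL note above says a custom hosts file has to be reinstalled after [RESETHOSTS]; the "blackholes-help-site" and "redirects-to-remote-ip" classes are the ones that should never appear on a home machine. Malware sometimes pads the file with hundreds of blank lines so the bad entries sit below what Notepad shows at first glance; the parser skips blank lines, so those entries still surface with their real line numbers.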

#7 Spinne

Spinne
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:10:49 AM

Posted 27 May 2011 - 09:01 PM

PW,

Sorry for the delay on getting back to you; yesterday was pretty hectic, and today was even more so. I've finally been able to run everything, though. ComboFix had AVG issues even after an AVG uninstall and restart, but was able to run successfully once I used AppRemover to sweep latent elements of AVG from the hard drive. Apparently the initial work with RootkitUnhooker and the others cleared the shutdown-timer block I was experiencing before. ComboFix's deletions list doesn't look too long, but I hadn't realized how many temp files (close to a gig) there were on the machine. It's had a lot of bits shifting around as I wipe my files and move in other family members' data, and I didn't vet what they were bringing over very closely.

Did you run TDSSKiller?


Not recently, but it was one of the first things I tried when I was working on this thing solo under the impression it was something simple. Some of the symptoms looked similar, so I figured it was worth a shot as with the Sasser/Blaster worm removal tools.

Can you give me an example?


I don't see sptd.sys referenced too often, but when it is it's reportedly locked. RootkitUnhooker's log from the previous series of apps had:

WARNING: File locked for read access [C:\WINDOWS\system32\drivers\sptd.sys]

Today's work yielded this defogger log:

defogger_disable by jpshortstuff (23.02.10.1)
Log created at 16:28 on 27/05/2011 (Chris *****)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...
Unable to read sptd.sys
SPTD -> Disabled (Service running -> reboot required)


-=E.O.F=-

I uninstalled Daemon Tools because nobody here uses it, so the references could be red herrings. That said, I did a bit of research on the file name, and there's a 2009 hit on Daemon Tools' forum (http://forum.daemon-tools.cc/f19/how-remove-sptd-sys-system-24772/) that suggests picking up an SPTD installer from a firm called DuplexSecure (http://www.duplexsecure.com/en/downloads), then telling it to uninstall. Haven't done that, though.

Anyhow, here's the three requested logs, in the post body rather than attached. While the system's handling a fair deal better already, I haven't yet plugged it back into the net.

Chris



OTL report:

All processes killed
========== OTL ==========
Registry value HKEY_USERS\S-1-5-21-3309716862-2423500340-145317149-1005\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{E52BE12D-A44A-4F51-9DC1-34F37A488CC7} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E52BE12D-A44A-4F51-9DC1-34F37A488CC7}\ not found.
Registry key HKEY_USERS\S-1-5-21-3309716862-2423500340-145317149-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\intuit.com\ttlc\ deleted successfully.
ADS C:\Documents and Settings\All Users\Desktop:$ES_DESCRIPTOR_PBPUV9VK9V89FMRVCL9YERB3CKN64EKC480B9CKNSGKTBRK4RHETVVJVKVVVVV4VM deleted successfully.
Unable to delete ADS C:\Documents and Settings\All Users\Application Data\Namco .
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\FirstRunDisabled deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: All Users

User: Chris *****
->Temp folder emptied: 598724445 bytes
->Temporary Internet Files folder emptied: 43257239 bytes
->Java cache emptied: 74487291 bytes
->FireFox cache emptied: 31813362 bytes
->Flash cache emptied: 2412619 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 375921 bytes
%systemroot%\System32 .tmp files removed: 102417 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 10731075 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 80208780 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 78991 bytes
RecycleBin emptied: 14570278 bytes

Total Files Cleaned = 817.00 mb

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.23.0 log created on 05272011_151134

Files\Folders moved on Reboot...
C:\Documents and Settings\Chris *****\Local Settings\Temp\~DFA5D0.tmp moved successfully.
File\Folder C:\WINDOWS\temp\ZLT01da0.TMP not found!

Registry entries deleted on Reboot...



Combofix.txt:

ComboFix 11-05-27.01 - Chris ***** 05/27/2011 15:52:19.14.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2608 [GMT -8:00]
Running from: c:\documents and settings\Chris *****\Desktop\ComboFix.exe
FW: ZoneAlarm Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Chris *****\Desktop\Internet Explorer.lnk
c:\documents and settings\Chris *****\g2ax_customer_downloadhelper_win32_x86.exe
c:\documents and settings\Chris *****\g2mdlhlpx.exe
c:\documents and settings\Chris *****\Local Settings\Application Data\.#
c:\documents and settings\Chris *****\WINDOWS
c:\windows\system32\Thumbs.db
.
.
((((((((((((((((((((((((( Files Created from 2011-04-28 to 2011-05-28 )))))))))))))))))))))))))))))))
.
.
2011-05-01 04:34 . 2008-04-17 20:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2011-05-01 02:47 . 2011-05-01 02:47 -------- d-----w- c:\documents and settings\LocalService\Application Data\Apple Computer
2011-05-01 02:37 . 2011-05-01 02:38 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2011-05-01 02:31 . 2011-05-01 02:31 -------- d-----w- c:\program files\Bonjour
2011-04-29 03:01 . 2011-04-29 03:02 -------- d-----w- c:\program files\Eric's Ultimate Solitaire
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-07 00:20 . 2011-04-07 00:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-07 00:20 . 2011-04-07 00:20 197920 ----a-w- c:\windows\system32\dnssdX.dll
2011-04-07 00:20 . 2011-04-07 00:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2011-03-07 05:33 . 2004-08-11 22:12 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2004-08-11 22:00 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2004-08-11 22:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2006-03-21 00:37 . 2007-12-26 20:25 5689344 ----a-w- c:\program files\mplayerc.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2007-10-05 1626112]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-05-26 1043968]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-10-05 8491008]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-30 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-14 421160]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Qualcomm\Eudora\EuShlExt.dll" [2006-08-17 86016]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2011-02-25 04:16 136176 ----atw- c:\documents and settings\Chris *****\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2007-10-05 01:14 81920 ----a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-30 01:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2010-02-09 03:45 18790432 ----a-w- c:\windows\RTHDCPL.EXE
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"dscactivate"=c:\dell\dsca.exe 3
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"c:\\Program Files\\Pidgin\\pidgin.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Electronic Arts\\Dead Space\\Dead Space.exe"=
"c:\\Program Files\\Canon\\CAL\\CALMAIN.exe"=
"c:\\WINDOWS\\system32\\nvsvc32.exe"=
"c:\\WINDOWS\\system32\\dllhost.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\bejeweled deluxe\\WinBej.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\beyond good and evil\\CheckApplication.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\dawn of war dark crusade\\darkcrusade.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\red faction\\RedFaction.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\red faction\\RF.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\red faction guerrilla\\rfg_launcher.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\il 2 sturmovik 1946\\il2fb.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\sid meier's civilization iv\\Civilization4.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\lego star wars saga\\LEGOStarWarsSaga.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\gratuitous space battles\\GSB.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [11/4/2009 2:50 PM 691696]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\CHRISK~1\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\CHRISK~1\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\CHRISK~1\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS --> c:\docume~1\CHRISK~1\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2/22/2010 8:57 PM 1691480]
S3 NxDrv;SonicWALL NetExtender Adapter;c:\windows\system32\drivers\NxDrv.sys [10/21/2009 10:27 AM 22600]
.
Contents of the 'Scheduled Tasks' folder
.
2011-02-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3309716862-2423500340-145317149-1005Core.job
- c:\documents and settings\Chris *****\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-02-25 04:16]
.
2009-11-27 c:\windows\Tasks\SyncBack Chris.job
- c:\program files\2BrightSparks\SyncBack\SyncBack.exe [2009-11-27 21:00]
.
2009-11-27 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-22 06:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\Chris *****\Application Data\Mozilla\Firefox\Profiles\55vkjsl3.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.cnn.com
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: DownThemAll!: {DDC359D1-844A-42a7-9AA1-88A850A938A8} - %profile%\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
FF - Ext: Redirect Remover: {fe0258ab-4f74-43a1-8781-bcdf340f9ee9} - %profile%\extensions\{fe0258ab-4f74-43a1-8781-bcdf340f9ee9}
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
FF - Ext: NetExtender Launcher : npNELaunch@sonicwall.com - %profile%\extensions\npNELaunch@sonicwall.com
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-ShockWave V0.95 - c:\program files\EA Games\Command & Conquer Generals Zero Hour\Uinst_shw.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-27 16:03
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3309716862-2423500340-145317149-1005\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:33,6a,2e,88,ef,a2,d9,cd,2c,e5,75,ac,9a,05,46,8d,7f,62,f0,ee,f2,ee,30,
bf,fa,80,c9,bd,72,e9,03,8e,61,b5,05,5a,93,1b,e3,cb,2a,bf,60,a0,ce,53,f7,56,\
"??"=hex:9d,6d,62,c7,7e,94,d3,01,62,72,da,46,cb,d1,2f,38
.
[HKEY_USERS\S-1-5-21-3309716862-2423500340-145317149-1005\Software\SecuROM\License information*]
"datasecu"=hex:ae,d3,77,96,02,84,5d,1a,43,a6,aa,eb,f4,27,57,3d,1c,7d,21,ae,14,
e8,03,6f,6b,ed,1f,61,c4,21,81,2a,d0,c9,fb,4b,6d,40,d3,68,5c,b4,fa,2f,f9,01,\
"rkeysecu"=hex:92,a3,42,62,b8,86,de,01,c5,e4,74,6b,44,6c,0b,58
.
Completion time: 2011-05-27 16:07:20
ComboFix-quarantined-files.txt 2011-05-28 00:07
.
Pre-Run: 144,776,261,632 bytes free
Post-Run: 144,727,949,312 bytes free
.
- - End Of File - - 7DCBE7820E637C35FDDC63D60AB2B07A



aswMBR report:

aswMBR version 0.9.5.256 Copyright© 2011 AVAST Software
Run date: 2011-05-27 16:39:21
-----------------------------
16:39:21.484 OS Version: Windows 5.1.2600 Service Pack 3
16:39:21.484 Number of processors: 2 586 0xF0B
16:39:21.484 ComputerName: ASTRAEA UserName:
16:39:24.421 Initialize success
16:40:32.125 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
16:40:32.125 Disk 0 Vendor: ST3320620AS 3.ADG Size: 305245MB BusType: 3
16:40:32.140 Disk 0 MBR read successfully
16:40:32.156 Disk 0 MBR scan
16:40:32.156 Disk 0 Windows XP default MBR code
16:40:32.156 Disk 0 scanning sectors +625121280
16:40:32.218 Disk 0 scanning C:\WINDOWS\system32\drivers
16:40:43.953 Service scanning
16:40:46.781 Disk 0 trace - called modules:
16:40:46.796 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys
16:40:46.796 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8ac76ab8]
16:40:46.796 3 CLASSPNP.SYS[b80e8fd7] -> nt!IofCallDriver -> \Device\00000066[0x8ad13390]
16:40:46.812 5 ACPI.sys[b7f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8ac7cd98]
16:40:46.812 Scan finished successfully
16:40:59.000 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Chris *****\Desktop\MBR.dat"
16:40:59.031 The log file has been saved successfully to "C:\Documents and Settings\Chris *****\Desktop\aswMBR.txt"
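The ComboFix log above lists "Reg Loading Points": services and drivers in ComboFix's R/S plus start-type notation, followed by the Windows Firewall policy keys. As an added example (not from the thread, ComboFix, or any tool named here), the Python below parses that format and flags what a responder checks first in such a log: boot-start drivers (like the sptd entry), services whose backing file is gone (like the SASDIFSV/SASKUTIL leftovers printed with "-->" and "[?]"), and a firewall profile with EnableFirewall set to 0. The sample log is a constructed excerpt modelled on the posted one; decoding R/S as running/stopped and the digit as the start type is my reading of ComboFix's convention.

```python
"""Triage helper for a ComboFix-style "Reg Loading Points" section.

Added example, not part of the thread or of ComboFix. Parses the
service/driver lines and the firewallpolicy keys and flags the entries
a responder looks at first.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in ComboFix's output format (paths taken from the thread).
SAMPLE_LOG = """\
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]
"EnableFirewall"= 0 (0x0)
.
R0 sptd;sptd;c:\\windows\\system32\\drivers\\sptd.sys [11/4/2009 2:50 PM 691696]
S1 SASDIFSV;SASDIFSV;\\??\\c:\\docume~1\\CHRISK~1\\LOCALS~1\\Temp\\SAS_SelfExtract\\SASDIFSV.SYS --> c:\\docume~1\\CHRISK~1\\LOCALS~1\\Temp\\SAS_SelfExtract\\SASDIFSV.SYS [?]
S3 NxDrv;SonicWALL NetExtender Adapter;c:\\windows\\system32\\drivers\\NxDrv.sys [10/21/2009 10:27 AM 22600]
"""

# Assumed decoding of the digit after R/S (Windows service start types).
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "demand", "4": "disabled"}

# "<R|S><digit> <name>;<display name>;<path and metadata>"
SERVICE_RE = re.compile(r"^([RS])([0-4])\s+([^;]+);([^;]*);(.+)$")
POLICY_RE = re.compile(
    r"^\[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\(\w+)\]$", re.I)
ENABLE_RE = re.compile(r'^"EnableFirewall"\s*=\s*(\d+)')


@dataclass
class Service:
    state: str        # "R" (running) or "S" (stopped), as ComboFix prints it
    start: str        # start type decoded from the digit
    name: str
    display: str
    path: str
    file_found: bool  # False when ComboFix printed "--> <path> [?]"


def parse_service(line: str) -> Optional[Service]:
    """Parse one R/S service line; return None for any other line."""
    m = SERVICE_RE.match(line)
    if not m:
        return None
    state, start, name, display, rest = m.groups()
    if " --> " in rest:
        # ComboFix shows "<image path> --> <resolved path> [?]" for a missing file.
        path = rest.split(" --> ", 1)[1].rsplit(" [", 1)[0]
        found = False
    else:
        # Otherwise the path is followed by "[<date> <time> <size>]".
        path = rest.rsplit(" [", 1)[0]
        found = True
    return Service(state, START_TYPES[start], name, display, path, found)


def parse_firewall(lines: List[str]) -> Dict[str, bool]:
    """Map each firewallpolicy profile key to whether EnableFirewall is non-zero."""
    profiles: Dict[str, bool] = {}
    current = None
    for line in lines:
        m = POLICY_RE.match(line)
        if m:
            current = m.group(1).lower()
            continue
        m = ENABLE_RE.match(line)
        if m and current:
            profiles[current] = m.group(1) != "0"
            current = None
    return profiles


def triage(log_text: str) -> dict:
    """Return parsed services, firewall state and a list of human-readable findings."""
    lines = log_text.splitlines()
    services = [s for s in map(parse_service, lines) if s is not None]
    firewall = parse_firewall(lines)
    findings = []
    for s in services:
        if s.start == "boot":
            findings.append(f"boot-start driver {s.name}: {s.path}")
        if not s.file_found:
            findings.append(f"orphaned service {s.name}: file missing at {s.path}")
    for profile, enabled in firewall.items():
        if not enabled:
            findings.append(f"Windows Firewall disabled for {profile}")
    return {"services": services, "firewall": firewall, "findings": findings}


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG)["findings"]:
        print(finding)
```

On the sample this reports the sptd boot driver, the orphaned SASDIFSV entry and the disabled standard firewall profile; a boot-start driver and a disabled firewall are not malicious in themselves (here sptd belongs to Daemon Tools and ZoneAlarm replaces the Windows firewall), so the output is a checklist to explain, not a verdict.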

#8 pwgib

pwgib

  • Malware Response Team
  • 2,958 posts
  • Gender:Male
  • Location:God's Country

Posted 28 May 2011 - 08:31 AM

Hi Spinne,

Do you know what this is ?

C:\Documents and Settings\Chris *****\Desktop\x130geug.exe

It showed in the OTL report but I don't see it in the Combofix log.


Step 1.

We need to make sure Spybot S&D's "TeaTimer" is disabled

TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.
In order to safeguard your system from problems that can be brought on by a half-finished fix, we need to disable TeaTimer. We can re-enable it when we're done if you like.

  • Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • If prompted with a legal dialog, accept the warning.
  • Click Posted Image and then on "Advanced Mode"
    Posted Image
  • You may be presented with a warning dialog. If so, press Posted Image
  • Click on Posted Image
  • Click on Posted Image
  • Uncheck this checkbox:
    Posted Image
  • Close/Exit Spybot Search and Destroy



Step 2.

Important Note: Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Platform, Standard Edition".
  • Click the "Download JRE" button to the right.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • From the list, select your OS and Platform (32-bit or 64-bit).
  • If a download for an Offline Installation is available, it is recommended to choose that and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Posted Image > Control Panel, double-click on Add/Remove Programs or Programs and Features in Vista/Windows 7 and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u25-windows-i586.exe to install the newest version.
  • If using Windows 7 or Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
  • The McAfee Security Scan Plus tool is installed by default unless you uncheck the McAfee installation box when updating Java.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications but it's not necessary.
To disable the JQS service if you don't want to use it:
  • Go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter.
  • Click Ok and reboot your computer.


Step 3.

I need you to run MBAM.
  • Open MBAM
  • Click on the Update tab before performing a scan. Click on the Check for Updates button. If an update is found, the program will automatically update itself. After the update press the OK button to close that box and continue.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.


Step 4.

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Under scan settings, check Posted Image and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image

Note: If nothing is found no log will be produced.


In your next reply please include the following:


MBAM log
ESET scan results (if any)



Thanks!!
PW

#9 Spinne

Spinne
  • Topic Starter

  • Members
  • 7 posts

Posted 31 May 2011 - 12:47 AM

PW,

Apologies for the delay on getting back to you over the holiday weekend. No worries on x130geug.exe; that's a randomized-name copy of GMER, which I downloaded after ComboFix got locked out of the system.

In fact, no worries at all judging from what I've seen over the last few days. In general the machine's handling better than it was, and the MalwareBytes and ESET logs didn't find much of anything. I plugged the Ethernet cable back in today to run ESET and nothing seemed to explode, so I'm taking that as a good sign.

Chris



MalwareBytes log:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6726

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/30/2011 11:19:26 AM
mbam-log-2011-05-30 (11-19-26).txt

Scan type: Quick scan
Objects scanned: 163375
Time elapsed: 8 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



ESET log:

C:\Documents and Settings\All Users\Documents\Chris *****\Local Settings\Temporary Internet Files\Content.IE5\4OTJAXXK\photo_big[1].htm HTML/TrojanClicker.IFrame.NAC trojan cleaned by deleting - quarantined
C:\Program Files\AIM\Sysfiles\WxBug.EXE Win32/Adware.WBug.A application deleted - quarantined

#10 pwgib

pwgib

  • Malware Response Team
  • 2,958 posts
  • Gender:Male
  • Location:God's Country

Posted 31 May 2011 - 08:27 AM

Hi Spinne,

You now appear to be all clean. :thumbsup:


Step 1.

Please make sure your antivirus is reinstalled/enabled and updated.

New viruses come out every minute, so it is essential that you keep your antivirus program updated and have the latest signatures to provide you with the best possible protection from malicious software.
Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.

If you want to try another antivirus some free Antivirus solutions are Avira Antivir, Avast and Microsoft Security Essentials


Step 2.

This is a small application you may want to keep and use to keep the computer clean.
Download CCleaner from here http://www.ccleaner.com/
  • Run the installer to install the application.
  • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
  • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
  • Click Run Cleaner.
  • Close CCleaner.

    Note: Please don't use the registry cleaner of CCleaner or any other registry cleaner unless you know what you are doing.


We need to do a little house cleaning.

Step 3.


Re-enable emulation

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Re-enable button to enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger might ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

The following two procedures need to be done in the order listed. If you cannot do so please let me know.


Step 4.

Uninstall ComboFix

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

Note the space between the X and the /U.

Please advise if this step is missed for any reason as it performs some important functions.


Step 5.

Please open OTL
  • Double click on the Posted Image icon on your desktop.
  • Click the "Cleanup" checkbox.
  • You will be asked, "Begin Cleanup Process"
  • Select Yes
  • You will be prompted to restart your computer.
You can now uninstall any other programs we may have used and delete any logs that may have been generated.


Step 6.

Here are some steps to follow in order to dramatically lower the chances of reinfection. You may have already implemented some of them, however, by following the rest of them you will reduce the risk of becoming re-infected.

It is critical to stay up to date with the latest upgrades to your Operating System, as this can help prevent future problems. You can find Microsoft updates here

I recommend that you visit the link above and either enable 'Automatic Updates' under Start | Control Panel | Automatic Updates, or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

Make sure you use a firewall. A tutorial on understanding and using firewalls may be found here. For most users the built in Windows Firewall is sufficient. Only use one firewall at a time though.

Install Spyware Blaster and update it regularly
If you wish, the commercial version provides automatic updating.

Malware Byte's Anti Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
SuperAntiSpyware is another good scanner with high detection and removal rates. Both programs are free for non-commercial home use but provide a resident and do not nag if you purchase the paid versions. I personally prefer and highly recommend the licensed version of MBAM.

Please read and follow How did I get infected?, With steps so it does not happen again! as well as How to prevent Malware by Miekiemoes

If you have any questions please do not hesitate to ask.


Any questions? :)


Thanks!!
PW

#11 Spinne

Spinne
  • Topic Starter

  • Members
  • 7 posts

Posted 02 June 2011 - 03:49 AM

PW,

I've successfully completed Steps 1 through 3, but the ComboFix uninstall is apparently being blocked by the replacement copy of AVG I installed to be on the safe side in terms of updates. I've tried to read up on disabling AVG for ComboFix to run, which used to work once upon a time, but apparently the current consensus is that it has to be uninstalled and reinstalled. Just wanted to double-check that before I proceeded.

Chris

#12 pwgib

pwgib

  • Malware Response Team
  • 2,958 posts
  • Gender:Male
  • Location:God's Country

Posted 02 June 2011 - 07:54 AM

Hi Spinne,

Please uninstall AVG then follow the rest of the instructions. :thumbup2:




Thanks!
PW

#13 Spinne

Spinne
  • Topic Starter

  • Members
  • 7 posts

Posted 05 June 2011 - 06:32 AM

PW,

Just finished the AVG uninstall to confirm the ComboFix deletion. It's a bit labor-intensive, given that the AVG dashboard likes to hang around after a standard uninstall, necessitating an Opswat scan and removal to clear the remaining components, but it looks like things are back to normal. Thanks again for your help, especially since I was feeling fairly stonewalled on the rootkit issue...I'll need to do some detective work as to who installed what on the machine, although I have a suspect in mind for at least Daemon Tools.

Chris

#14 pwgib

pwgib

  • Malware Response Team
  • 2,958 posts
  • Gender:Male
  • Location:God's Country

Posted 05 June 2011 - 07:21 AM

Hi Spinne,


Thanks again for your help

You are very welcome. It has been a pleasure working with you. :thumbup2:

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
PW
