Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Windows Diagnostic Virus (Fake AV infection)


  • This topic is locked This topic is locked
2 replies to this topic

#1 axthos

axthos

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:23 AM

Posted 22 May 2011 - 01:53 PM

Description:
First of all, I hope I'm not being too extensive in my description but I thought I'd write in complete detail about what happened. On Wednesday, May 18th, my laptop got infected with the "Windows Diagnostic" virus via a drive by download. My outdated Norton AV detected the virus' request but suggested to permit the connection, I wasn't paying attention and clicked OK rather than googling the file name to trace it's origin. A few minutes later the standard procedure of this virus commenced. I disconnected the Internet and was able to shut down the laptop, I then turned it on again and the virus continued its procedure.

I used another pc to do some research and that's how I found out about bleepingcomputer.com. I followed the dedicated guide; I downloaded rkill and transfered it to the laptop via a flash drive, unfortunately both the pc and the flash drive had an autorun worm which I managed to delete later on. I renamed Rkill as ieplore.exe but it didn't run in complete accordance to the guide; I manually killed some of the processes I read where typical of the virus (eg. [random].exe), and the laptop was finally stable. I ran an outdated Malwarebytes Antimalware full scan (which lasted 2 hrs). After the reboot the virus started executing once more and I used rkill to stop it. I reconnected the Internet and tried to download the mbam updates to the laptop but I got an error message (program_error_updating (12150, 0, WinHttpQueryHeaders) so again I used the desktop to download the latest version of mbam and its updates and after I scanned and cleaned(?) both the pc and the flash drive off the autorun worm, I transferred the rules file to the laptop. I ran another full scan and 3 hrs later mbam informed of some new infections. The following is a summary of the results of the multiple scans I did using Mbam, some are written by hand because I cannot find the logs but I had written down the information.
----------------------------
18/5/2011
1)Trojan.Downloader - ...\Cryptload115\ocr\filer.net\ocr_by_spider_6\version4.exe (ignored)
2)Keygen (ignored)
3) Hijack.TaskManager(Registry) - HKLM\SOFTW\Microsoft\Windows\CV\Policies\System\DisableTaskMgr - quarantined and deleted

19/5/2011 8:00:10 pm
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogoff (PUM.Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Files Infected:
c:\documents and settings\User\local settings\Temp\bcil.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
c:\documents and settings\User\...\keygen.exe (Malware.Packer.Gen) -> Not selected for removal.
c:\system volume information\_restore{b7dad257-c7e4-4a52-98ae-0589dced9376}\RP1169\A0277962.exe (Rogue.Installer.Gen) -> Quarantined and deleted successfully.

20/5/2011 8:35:13 pm
Files Infected:
c:\documents and settings\User\...\keygen.exe (Malware.Packer.Gen) -> Not selected for removal.
g:\6ruaqx.exe (Spyware.Password) -> Quarantined and deleted successfully. <=#flash drive#
-----------------------------
In between the scans, after some more research I found out about some files, dlls and registry data that are common to this virus and I deleted some of them if I thought they were infected, the odd thing was that I could not use a specific scan with mbam any longer, ie: I was not able to scan a file by choosing mbam form the right click context menu.

At some point a mbam scan came clean so I followed the rest of the guide and was able to make the laptop look pretty much the way it did before the virus. Still, I grew curious of the fact that there were multiple iexplore.exe processes running even though I had deleted rkill and weren't using Internet explorer. Moreover, the Internet connection seemed slower and some sites would take minutes to load.
I checked the firefox connection settings and found out they were changed into using a proxy and I restored them to no proxy. I tried to download XP Service Pack 3 (I use SP2) but I got an error message about volsnap.sys. I repeatedly killed every iexplore process but they reappeared continuously, so I downloaded TDSSKiller but it would not run. I was certain I hadn't got ridden of the virus.
I read somewhere that this virus might hide inside the system restore files and be unaccessible to detection programs, so I disabled and re-enabled the system restore; iexplore.exe hasn't run ever since.

Some additional info and summarizing points:
  • I searched the Norton AV log to see what happened when the virus was installed and found the name of the file that I mistakenly allowed to download. It was calc[1].exe, with a description as Cluster Analysis and found the following path using Windows search: C\Doc&Settings\User\Temporary Internet Files\Content.IE5\8GERYIDX\calc[1].exe - I have deleted this file!
  • At some point Windows search didn't work normally, I would type for example firefox and it would not give me any results. It is now fixed somehow.
  • I have noticed multiple svchost.exe processes running.
  • I ran RKUnhooker on Friday and showed malware presence, ran it again yesterday: no malware presence.
  • I ran Gmer on Friday and showed the presence of a malware module; I ran it again yesterday but computer crashed and rebooted; the log I've attached is from today.
  • A scan report form a program (I don't remember which one) read about an infection in the system restore file.
  • I uploaded my volsnap.sys file to virustotal and it reported it as modified by malware.
  • I used an external hard drive for back up (as per Preparation Guide's guidelines) which now contains the file 8ng8w.com which I'm pretty sure is the autorun virus but neither mbam identifies it nor it has any effect on the drive.
  • I have manually deleted some files form my temp folder as well as other folders and registry, based on information I found on-line.
  • I have cleared the cache folder.
  • I cannot scan a specific file or folder with mbam, just quick or full scan the entire drive.
  • I had made some modifications to the startup processes which I have now restored.
  • 18538276.exe was an application the virus was using, I've deleted it, its path was C\Doc&Settings\All Users\Application Data\18538276. Norton AV had granted it permission to contact distant servers but I have modified its configuration now.
  • mbam still doesn't update
  • All of a sudden msmsgs.exe process is continuously running even after I kill it.
  • I kept the laptop offline for two days until now. Before that Norton had given me some notifications about servers trying to connect to me, these are the ips I wrote down: 207.99.23.198 and 63.149.98.90

I kindly request your assistance! I've also done the gmer scan but the guide didn't ask to include it so I haven't. Thanks in advance!

One final notice: I have the Greek version of Windows XP so the logs contain some greek words. Here's the list of their translation:
  • dds.txt: Επιφάνεια εργασίας = Desktop
  • dds.txt: Ε&ξαγωγή στο = Extract to (E&xtract to)
  • dds.txt: Υπηρεσία = Service
  • dds.txt: Δεν ήταν δυνατή η προσπέλαση του αρχείου από τη διαδικασία, επειδή χρησιμοποιείται ήδη από κάποια άλλη διαδικασία. = The process cannot access the file because it is being used by another process.
  • attach.txt: Σημείο ελέγχου συστήματος = System CheckPoint
  • ark.txt: Δεν είναι δυνατή η εύρεση του καθορισμένου αρχείου από το σύστημα. = The system cannot find the file specified.
Here's the dds.txt:
I've edited my post because I had forgotten to use defogger. Now that I have, I replaced the dds.txt and the attach as well. I've also added the gmer log.

.
DDS (Ver_11-05-19.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24
Run by User at 23:24:57 on 2011-05-22
Microsoft Windows XP Home Edition 5.1.2600.2.1253.30.1032.18.1014.532 [GMT 3:00]
.
AV: Norton Internet Security 2006 *Enabled/Outdated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Worm Protection *Disabled*
FW: Norton Internet Security 2006 *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Cobian Backup 10\cbVSCService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP2c\RpcAgentSrv.exe
C:\Program Files\Secunia\PSI\PSIA.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Logitech\LWS\Webcam Software\LWS.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Secunia\PSI\sua.exe
C:\Program Files\Logitech\LWS\Webcam Software\CameraHelperShell.exe
C:\Program Files\Secunia\PSI\psi_tray.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\User\Επιφάνεια εργασίας\dds.scr
C:\WINDOWS\system32\WSCRIPT.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: CNavExtBho Class: {a8f38d8d-e480-4d52-b7a2-731bb6995fdd} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
BHO: QUICKfind BHO Object: {c08df07a-3e49-4e25-9ab0-d3882835f153} - c:\progra~1\textware\quickf~1\plugins\IEHelp.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Norton AntiVirus: {c4069e3a-68f1-403e-b40e-20066696354b} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
TB: {ED4BD629-C1B6-4399-8A34-02CCAA921DC9} - No File
uRun: [MSNmaphid] rundll32.exe "c:\documents and settings\user\local settings\application data\usrpathlog\MSNmaphid.dll",eapapiCres WinNetmon2
uRun: [Google Update] "c:\documents and settings\user\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [Start WingMan Profiler]
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
mRun: [RecGuard] c:\windows\sminst\RecGuard.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
mRun: [Cpqset] c:\program files\hewlett-packard\default settings\cpqset.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Sony Ericsson PC Suite] "c:\program files\sony ericsson\mobile2\application launcher\Application Launcher.exe" /startoptions
mRun: [LWS] c:\program files\logitech\lws\webcam software\LWS.exe -hide
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\f2da~1\599a~1\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\f2da~1\599a~1\secuni~1.lnk - c:\program files\secunia\psi\psi_tray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\f2da~1\599a~1\e29f~1.lnk - c:\program files\today\TODAY.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\f2da~1\599a~1\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\f2da~1\599a~1\secuni~1.lnk - c:\program files\secunia\psi\psi_tray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\f2da~1\599a~1\e29f~1.lnk - c:\program files\today\TODAY.EXE
IE: Ε&ξαγωγή στο Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1305915635578
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
TCP: {0A45CBD7-933F-4FA3-ADAA-F6EC151107BE} = 195.170.0.1,196.170.2.2
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 210.249.144.166 we9stun.winning-eleven.net
Hosts: 217.112.88.118 pes6gate-ec.winning-eleven.net
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\user\application data\mozilla\firefox\profiles\4s7uldz0.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/search?q=grammateia+management+master%27s&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:el:official&client=firefox-a
FF - prefs.js: network.proxy.ftp - 63.149.98.90
FF - prefs.js: network.proxy.ftp_port - 80
FF - prefs.js: network.proxy.gopher - 63.149.98.90
FF - prefs.js: network.proxy.gopher_port - 80
FF - prefs.js: network.proxy.http - 207.99.23.198
FF - prefs.js: network.proxy.http_port - 80
FF - prefs.js: network.proxy.socks - 63.149.98.90
FF - prefs.js: network.proxy.socks_port - 80
FF - prefs.js: network.proxy.ssl - 63.149.98.90
FF - prefs.js: network.proxy.ssl_port - 80
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\user\application data\move networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\user\local settings\application data\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\veetle\vlcbroadcast\npvbp.dll
FF - Ext: Greek-EnglishSpelling dictionary: el-en@dictionaries.addons.mozilla.org - %profile%\extensions\el-en@dictionaries.addons.mozilla.org
FF - Ext: English - Greek Spelling dictionary: el-en@dictionaries.addons.mozilla.org - %profile%\extensions\el-en@dictionaries.addons.mozilla.org
FF - Ext: Flashblock: {3d7eb24f-2740-49df-8937-200b1cc08f8a} - %profile%\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}
FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: DownThemAll!: {DDC359D1-844A-42a7-9AA1-88A850A938A8} - %profile%\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
FF - Ext: SkipScreen: SkipScreen@SkipScreen - %profile%\extensions\SkipScreen@SkipScreen
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\user\application data\Move Networks
.
============= SERVICES / DRIVERS ===============
.
R1 SAVRTPEL;SAVRTPEL;c:\program files\norton internet security\norton antivirus\Savrtpel.sys [2005-8-27 53896]
R2 cbVSCService;Cobian Backup 10 Volume Shadow Copy service;c:\program files\cobian backup 10\cbVSCService.exe [2011-5-21 67584]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCEVTMGR.EXE [2005-9-17 191848]
R2 ccProxy;Symantec Network Proxy;c:\program files\common files\symantec shared\CCPROXY.EXE [2005-9-17 202088]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSETMGR.EXE [2005-9-17 169320]
R2 navapsvc;Norton AntiVirus Auto-Protect Service;c:\program files\norton internet security\norton antivirus\NAVAPSVC.EXE [2005-10-7 139888]
R2 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\sisoftware\sisoftware sandra lite xii.sp2c\RpcAgentSrv.exe [2008-6-6 98488]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2011-4-19 993848]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\secunia\psi\sua.exe [2011-4-19 399416]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-1-31 109616]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20080131.004\NAVENG.Sys [2008-1-31 82256]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20080131.004\NavEx15.Sys [2008-1-31 895312]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]
R3 SAVRT;SAVRT;c:\program files\norton internet security\norton antivirus\savrt.sys [2005-8-27 334984]
S2 Cadence License Manager;Cadence License Manager;c:\orcad\license_manager\lmgrd.exe --> c:\orcad\license_manager\lmgrd.exe [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-14 135664]
S3 Boonty Games;Boonty Games;c:\program files\common files\boonty shared\service\Boonty.exe [2009-7-16 69120]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2009-12-30 13224]
S3 gupdatem;Υπηρεσία Google Update (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-3-14 135664]
S3 s115bus;Sony Ericsson Device 115 driver (WDM);c:\windows\system32\drivers\s115bus.sys [2009-12-30 83208]
S3 s115mdfl;Sony Ericsson Device 115 USB WMC Modem Filter;c:\windows\system32\drivers\s115mdfl.sys [2009-12-30 15112]
S3 s115mdm;Sony Ericsson Device 115 USB WMC Modem Driver;c:\windows\system32\drivers\s115mdm.sys [2009-12-30 108680]
S3 s115mgmt;Sony Ericsson Device 115 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s115mgmt.sys [2009-12-30 100488]
S3 s115obex;Sony Ericsson Device 115 USB WMC OBEX Interface;c:\windows\system32\drivers\s115obex.sys [2009-12-30 98568]
S3 s816bus;Sony Ericsson Device 816 driver (WDM);c:\windows\system32\drivers\s816bus.sys [2010-2-24 81832]
S3 s816mdfl;Sony Ericsson Device 816 USB WMC Modem Filter;c:\windows\system32\drivers\s816mdfl.sys [2010-2-24 13864]
S3 s816mdm;Sony Ericsson Device 816 USB WMC Modem Driver;c:\windows\system32\drivers\s816mdm.sys [2010-2-24 107304]
S3 s816mgmt;Sony Ericsson Device 816 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s816mgmt.sys [2010-2-24 99112]
S3 s816nd5;Sony Ericsson Device 816 USB Ethernet Emulation SEMCMR7 (NDIS);c:\windows\system32\drivers\s816nd5.sys [2010-2-24 21928]
S3 s816obex;Sony Ericsson Device 816 USB WMC OBEX Interface;c:\windows\system32\drivers\s816obex.sys [2010-2-24 97320]
S3 s816unic;Sony Ericsson Device 816 USB Ethernet Emulation SEMCMR7 (WDM);c:\windows\system32\drivers\s816unic.sys [2010-2-24 97704]
S3 SAVScan;Symantec AVScan;c:\program files\norton internet security\norton antivirus\SAVScan.exe [2005-8-27 198368]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
S3 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-8-28 1251720]
S3 VCSVADHWSer;Avnex Virtual Audio Device (WDM);c:\windows\system32\drivers\vcsvad.sys [2010-7-1 17792]
.
=============== File Associations ===============
.
inifile=%SystemRoot%\System32\NOTEPAD.EXE %1"
piffile="%1" %*"
.
=============== Created Last 30 ================
.
2011-05-20 23:30:58 -------- d-----w- c:\documents and settings\user\local settings\application data\Safe mirror
2011-05-20 23:30:16 -------- d-----w- c:\program files\Cobian Backup 10
2011-05-20 20:43:30 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2011-05-20 20:17:49 274288 ----a-w- c:\windows\system32\mucltui.dll
2011-05-20 20:17:49 18288 ----a-w- c:\windows\system32\mucltui.dll.mui
2011-05-20 18:13:55 -------- d-----w- c:\documents and settings\user\local settings\application data\Secunia PSI
2011-05-20 18:13:43 -------- d-----w- c:\program files\Secunia
.
==================== Find3M ====================
.
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600
.
CreateFile("\\.\PHYSICALDRIVE0"): Δεν ήταν δυνατή η προσπέλαση του αρχείου από τη διαδικασία, επειδή χρησιμοποιείται ήδη από κάποια άλλη διαδικασία.
device: opened successfully
user: error reading MBR
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x864111ED]<<
_asm { PUSH EBP; MOV EBP, ESP; MOV EAX, [EBP+0x8]; CMP DWORD [EAX+0x2c], 0x7; PUSH EBX; MOV EBX, [EBP+0xc]; PUSH ESI; PUSH EDI; MOV EDI, [EBX+0x60]; JNZ 0xf7; MOV ESI, [EDI+0x4]; MOV EAX, [ESI+0xc]; }
1 ntkrnlpa!IofCallDriver[0x804EF1A0] -> \Device\Harddisk0\DR0[0x86D89AB8]
3 CLASSPNP[0xF765F05B] -> ntkrnlpa!IofCallDriver[0x804EF1A0] -> \Device\00000090[0x86D60A28]
5 ACPI[0xF74D4620] -> ntkrnlpa!IofCallDriver[0x804EF1A0] -> \Device\Ide\IAAStorageDevice-0[0x86D7D030]
kernel: MBR read successfully
_asm { XOR DI, DI; MOV SI, 0x200; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV CX, SI; MOV DS, BX; MOV ES, BX; REP MOVSB ; JMP FAR 0x7a0:0x7a; }
detected disk devices:
detected hooks:
\Driver\iaStor -> 0x864111ed
user != kernel MBR !!!
Warning: possible MBR rootkit infection !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
.
============= FINISH: 23:26:27.79 ===============

Attached File  attach.txt   18.83KB   0 downloads
Attached File  ark.txt   18.87KB   0 downloads

Edited by axthos, 23 May 2011 - 08:27 AM.


BC AdBot (Login to Remove)

 


#2 axthos

axthos
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:23 AM

Posted 25 May 2011 - 05:40 AM

I decided it would be safer to reformat from my recovery partition, so I went on and did that. Downloaded all the updates, including SP3. I guess I got rid of the rootkit, right?
You can close the topic!

#3 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:23 AM

Posted 25 May 2011 - 07:16 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users