
Malicious rootkits, trojan


  • This topic is locked
28 replies to this topic

#1 Reya

Reya

  • Members
  • 30 posts
  • Gender:Female

Posted 31 December 2011 - 05:14 PM

This computer was a gigantic mess when I got back to it. Ironically, it's the same computer I was cleaning the last time I posted here back in '06 with a couple trojans. It's not mine, I swear. Been overseas for five years and unable to maintain it like it should be.

Anywho. So far the steps I've taken were to remove the 95.p searchhook, a false 'your windows is counterfeit software' bug/virus/pest, and reset the security templates because something prevented access to all anti-malware programs by telling the computer that the administrator wasn't the administrator. A few smaller pieces of malware were taken care of too, at least I can hope. Spybot also removed two things, and CCleaner's been run. Reinstalled AVG on it (recently obtained internet again after quite some time of being offline) and did a full system scan removing (or so AVG says) 40 trojans and viruses. Now I'd like a professional's hand in clearing up what's left of this rootkit, because I'm stepping into waters I haven't charted in five years. I've followed all steps in the Guidelines (twice actually, first before AVG, but these logs are from after AVG). Thank you very much for any assistance you're able to lend, I appreciate and understand the hard work and time you guys put into helping those less computer savvy.

DDS said to zip the attach.txt, but Guidelines say just to send it in text format, so I did that. I have the .zip if you need it.


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Run by Administrator at 15:31:47 on 2011-12-31
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.476 [GMT -6:00]
.
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\Program Files\AVG\AVG2012\avgemcx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
mStart Page = about:blank
mURLSearchHooks: H - No File
mURLSearchHooks: H - No File
mWinlogon: SfcDisable=-99 (0xffffff9d)
uWinlogon: Shell=c:\documents and settings\administrator\local settings\application data\c15d6e18\X
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB: {98279C38-DE4B-4BCF-93C9-8EC26069D6F4} - No File
TB: {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - No File
TB: {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {17F24F6D-0284-4A62-A3B7-FCA9F2084AF4} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [Easy Dock]
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Easy Dock]
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10p_ActiveX.exe -update activex
uPolicies-explorer: NoResolveTrack = 1 (0x1)
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
dPolicies-explorer: NoSMHelp = 1 (0x1)
dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
dPolicies-explorer: NoResolveTrack = 1 (0x1)
dPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
LSP: mswsock.dll
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1303435978687
TCP: DhcpNameServer = 192.168.0.1 205.171.3.25
TCP: Interfaces\{39DC3732-AFD5-4E3F-865C-7AFEC4800A79} : DhcpNameServer = 192.168.0.1 205.171.3.25
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\pvzh86f3.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&q=
FF - component: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\pvzh86f3.default\extensions\engine@conduit.com\components\RadioWMPCoreGecko19.dll
FF - plugin: c:\documents and settings\administrator\local settings\application data\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\dotspot_2k\bar\2.bin\NP2kStub.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPcol400.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPcol500.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
.
---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 16000
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: dom.disable_window_status_change - true
FF - user.js: network.http.max-connections - 32
FF - user.js: network.http.max-connections-per-server - 8
FF - user.js: network.http.max-persistent-connections-per-proxy - 8
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 750
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
FF - user.js: yahoo.homepage.dontask - true
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-7-11 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-9-13 32592]
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [2011-4-21 13496]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-10-7 230608]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-8-8 40016]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-7-11 295248]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-10-12 4433248]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
R3 AR9271;Atheros AR9271 Wireless Network Adapter Service;c:\windows\system32\drivers\athuw.sys [2011-9-11 1723840]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-7-11 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-7-11 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-10-4 16720]
S2 DotSpot_2kService;DotSpotService;c:\progra~1\dotspo~1\bar\2.bin\2kbarsvc.exe [2011-12-11 42504]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\googleupdate.exe /svc --> c:\program files\google\update\GoogleUpdate.exe [?]
S3 dsiarhwprog;dsiarhwprog;c:\windows\system32\drivers\dsiarhwprog.sys [2010-12-22 29184]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\googleupdate.exe /medsvc --> c:\program files\google\update\GoogleUpdate.exe [?]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2011-12-31 27064]
S3 sxuptp;SXUPTP Driver;c:\windows\system32\drivers\sxuptp.sys --> c:\windows\system32\drivers\sxuptp.sys [?]
S4 PD91Agent;PD91Agent;c:\program files\raxco\perfectdisk2008\PD91Agent.exe [2008-12-31 693512]
S4 PD91Engine;PD91Engine;c:\program files\raxco\perfectdisk2008\PD91Engine.exe [2008-12-31 910600]
.
=============== Created Last 30 ================
.
2011-12-31 19:04:24 -------- d--h--w- C:\$AVG
2011-12-31 18:45:48 -------- d-----w- c:\documents and settings\administrator\application data\AVG2012
2011-12-31 18:41:50 -------- d-----w- c:\windows\system32\drivers\AVG
2011-12-31 18:41:50 -------- d-----w- c:\documents and settings\all users\application data\AVG2012
2011-12-31 18:41:22 -------- d-----w- c:\program files\AVG
2011-12-31 15:33:09 -------- d-----w- c:\documents and settings\administrator\local settings\application data\VS Revo Group
2011-12-31 15:33:03 27064 ----a-w- c:\windows\system32\drivers\revoflt.sys
2011-12-31 15:33:01 -------- d-----w- c:\program files\VS Revo Group
2011-12-31 03:55:22 57600 ----a-w- c:\windows\system32\drivers\tskDE.tmp
2011-12-31 03:52:03 -------- d-----w- c:\documents and settings\all users\application data\PC Tools
2011-12-31 01:46:49 -------- d-----w- c:\program files\common files\Wise Installation Wizard
2011-12-31 01:28:49 -------- d-----w- c:\documents and settings\administrator\local settings\application data\visi_coupon
2011-12-31 01:27:45 -------- d-----w- c:\program files\Trend Micro
2011-12-31 01:09:24 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-31 01:01:07 -------- d-----w- c:\documents and settings\administrator\Tracing
2011-12-31 01:00:19 -------- d-----w- c:\program files\Microsoft
2011-12-31 01:00:01 -------- d-----w- c:\program files\Windows Live SkyDrive
2011-12-31 00:50:58 -------- d-----w- c:\program files\common files\Windows Live
2011-12-15 21:27:19 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2011-12-15 21:27:18 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
2011-12-15 00:36:21 -------- d-----w- c:\documents and settings\all users\application data\CenturyLink
2011-12-15 00:33:30 -------- d-----w- c:\program files\Qwest
2011-12-15 00:33:25 -------- d-----w- c:\program files\CenturyLink
2011-12-11 21:15:20 -------- d-sh--w- c:\documents and settings\administrator\local settings\application data\c15d6e18
2011-12-11 13:15:21 -------- d-----w- c:\program files\DotSpot_2k
2011-12-09 22:37:01 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-12-09 22:37:01 -------- d-----w- c:\windows\system32\wbem\Repository
2011-12-06 00:56:38 -------- d--h--w- c:\windows\system32\GroupPolicy
2011-12-06 00:56:38 -------- d-----w- c:\documents and settings\administrator\local settings\application data\ApplicationHistory
2011-12-06 00:56:34 -------- d-----w- c:\program files\The Learning Company
2011-12-06 00:56:26 -------- d-----w- c:\documents and settings\administrator\.swt
2011-12-06 00:56:23 -------- d-----w- c:\program files\uTorrent
2011-12-06 00:56:23 -------- d-----w- c:\program files\Conduit
2011-12-06 00:56:23 -------- d-----w- c:\documents and settings\administrator\local settings\application data\uTorrent
2011-12-05 14:35:18 -------- d--h--w- c:\documents and settings\all users\application data\Common Files
2011-12-05 14:34:40 -------- d-----w- c:\documents and settings\all users\application data\MFAData
.
==================== Find3M ====================
.
2011-12-31 19:05:09 152560 ----a-w- c:\windows\system32\nvsvc32.exe
2011-12-31 04:11:34 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2011-11-05 19:24:10 87608 ----a-w- c:\documents and settings\administrator\application data\inst.exe
2011-11-05 19:24:10 47360 ----a-w- c:\documents and settings\administrator\application data\pcouffin.sys
2011-10-07 12:23:48 230608 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2011-10-04 12:21:42 16720 ----a-w- c:\windows\system32\drivers\AVGIDSShim.sys
.
============= FINISH: 15:32:29.67 ===============

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-12-31 16:14:04
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-5 Hitachi_HDT725025VLA380 rev.V5DOA73A
Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ugrirkod.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xBA594F3C]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xBA594FE4]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xBA595080]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xBA59511C]

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF65A8360, 0x307AC7, 0xE8000020]
? C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[2176] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 01263690 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2792] USER32.dll!GetWindowInfo 7E42C49C 5 Bytes JMP 1045E78C C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2792] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 1045ED49 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

Device \FileSystem\Cdfs \Cdfs B9DC4400

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 malicious Win32:MBRoot code @ sector 488263548

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\$NtUninstallKB20666$\1821982215 0 bytes
File C:\WINDOWS\$NtUninstallKB20666$\3244125720 0 bytes
File C:\WINDOWS\$NtUninstallKB20666$\3244125720\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB20666$\3244125720\L 0 bytes
File C:\WINDOWS\$NtUninstallKB20666$\3244125720\L\ueaiumho 57600 bytes
File C:\WINDOWS\$NtUninstallKB20666$\3244125720\loader.tlb 2632 bytes
File C:\WINDOWS\$NtUninstallKB20666$\3244125720\U 0 bytes
File C:\WINDOWS\$NtUninstallKB20666$\3244125720\U\@00000001 45968 bytes
File C:\WINDOWS\$NtUninstallKB20666$\3244125720\U\@000000c0 3072 bytes
File C:\WINDOWS\$NtUninstallKB20666$\3244125720\U\@000000cb 3072 bytes
File C:\WINDOWS\$NtUninstallKB20666$\3244125720\U\@000000cf 1536 bytes
File C:\WINDOWS\$NtUninstallKB20666$\3244125720\U\@80000000 26112 bytes
File C:\WINDOWS\$NtUninstallKB20666$\3244125720\U\@800000c0 32768 bytes
File C:\WINDOWS\$NtUninstallKB20666$\3244125720\U\@800000cb 24064 bytes
File C:\WINDOWS\$NtUninstallKB20666$\3244125720\U\@800000cf 31744 bytes

---- EOF - GMER 1.0.15 ----


#2 Reya

Reya
  • Topic Starter

  • Members
  • 30 posts
  • Gender:Female

Posted 02 January 2012 - 11:35 AM

Forgive the self-reply, finally got back to the computer to properly attach the text file from DDS.




#3 rigacci

rigacci

    Fiorentino


  • Members
  • 2,604 posts
  • Gender:Male

Posted 06 January 2012 - 08:40 AM

Hello and welcome to the forum.

I apologize for the delay in responding to your request for help but it is very busy here and we can get overwhelmed at times.

If you have since resolved the original problem you were having, we would appreciate you letting us know.

If you still do need our help, please note the following:
  • While working with us, please refrain from running tools or applying updates other than those we suggest while we are cleaning your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received and do not proceed if you need clarification.
  • Please also include a clear description of the problems you're having.
  • If your topic has not been replied to after 5 days, I will assume it has been abandoned and will close it.

Please be patient while I analyze your logs. All of my fixes are checked by higher level forum members before posting.

Thank you.

DR


#4 rigacci

rigacci

    Fiorentino


  • Members
  • 2,604 posts
  • Gender:Male

Posted 06 January 2012 - 03:59 PM

Hi Reya!

Welcome again! Before we start I need to inform you of a couple of things.

IMPORTANT NOTE: One or more of the identified infections is related to the ZeroAccess rootkit. Rootkits, backdoor Trojans, Botnets, and IRCBots are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. Rootkits are used by Trojans to conceal their presence (hide from view) in order to prevent detection of an attacker's software and make removal more difficult. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is sent back to the hacker. To learn more about these types of infections, you can refer to:
What danger is presented by rootkits?

Rootkits and how to combat them

r00tkit Analysis: What Is A Rootkit
If your computer was used for online banking, has credit card information or other sensitive data on it, you should stay disconnected from the Internet until your system is fully cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised and change each password using a clean computer, not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:
How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

What Should I Do If I've Become A Victim Of Identity Theft?

Identity Theft Victims Guide - What to do
Although the infection has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired so you can never be sure that you have completely removed a rootkit. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove rootkits cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:
When should I re-format? How should I reinstall?

Help: I Got Hacked. Now What Do I Do?

Where to draw the line? When to recommend a format and reinstall?

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. If you decide to continue please do this:

P2P WARNING
-------------------
Going over your logs I noticed that you have µTorrent installed.

  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, so they should be used with great care. Some further reading on this subject, along with the included links, is as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."
It is pretty much certain that if you continue to use P2P programs, you will get infected again.

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries around the world and you are putting yourself at risk of being indicted through organisations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

I would recommend that you uninstall µTorrent, however that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.


Viewpoint Manager is considered foistware rather than malware since it is installed without the user's approval but doesn't spy or do anything "bad". You might want to check out these two entries:
Wikipedia on Viewpoint Media Player
Clickz article on Viewpoint Media Player

I suggest you remove the program now. Click on Start>Control Panel>Add or Remove Programs and uninstall the following if they exist: Viewpoint, Viewpoint Manager, Viewpoint Media Player.

Now Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable Security Programs

  • Double click on ComboFix.exe & follow the prompts.

Notes: ComboFix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.


If running XP, Click on YES and allow the Recovery Console to install. If running Vista or 7, click on NO to continue the scanning for malware.


When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy/Paste in your next reply.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. ComboFix disconnects your machine from the internet. The connection is automatically restored before ComboFix completes its run.

Give it at least 20-30 minutes to finish if needed.

Please do not attach the scan results from ComboFix. Use copy/paste.

Also please describe how your computer behaves at the moment.


Thanks.

Dave
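Rigacci's note above describes what a kernel-mode rootkit does (hooks system calls, hides the files it installs, disables security tools), and Reya's DDS and GMER logs in the first post contain exactly the kinds of lines that give such an infection away: a replaced Winlogon shell, a hosts-file entry that blackholes a security site, SSDT hooks, a disk sector flagged as malicious, and files GMER lists as hidden. The Python script below is an added example written for this page; it is not part of this thread, of DDS, GMER or ComboFix, or of any fix the helpers posted. It triages lines in DDS/GMER format and scores them, reporting SSDT hooks attributed to a known security vendor as informational and everything else as a finding. The sample lines are taken from the logs posted above, except the SSDT line naming example.sys, which is a constructed placeholder; the TRUSTED_HOOK_VENDORS allowlist, the rule names and the severity scale are this example's own assumptions.

```python
import re
from collections import Counter

# Constructed sample in the style of a DDS "Pseudo HJT Report" and a GMER scan.
# Every line except the one naming example.sys is taken from the logs posted
# earlier in this thread; that SSDT line is a hypothetical placeholder added so
# that the "hook with no vendor attribution" path is exercised.
SAMPLE_LOG = r"""
mWinlogon: SfcDisable=-99 (0xffffff9d)
uWinlogon: Shell=c:\documents and settings\administrator\local settings\application data\c15d6e18\X
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
Hosts: 127.0.0.1 www.spywareinfo.com
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xBA594F3C]
SSDT \??\C:\WINDOWS\system32\drivers\example.sys ZwQueryDirectoryFile [0xBA590000]
Disk \Device\Harddisk0\DR0 malicious Win32:MBRoot code @ sector 488263548
File C:\WINDOWS\$NtUninstallKB20666$\3244125720\U\@00000001 45968 bytes
"""

# Vendor strings GMER prints inside the parenthesised driver description.
# SSDT hooks attributed to one of these are reported as INFO, not HIGH.
# This allowlist is the example's own assumption; extend it per machine.
TRUSTED_HOOK_VENDORS = ("AVG Technologies", "Microsoft Corporation")

RE_SHELL = re.compile(r"^[umd]Winlogon:\s+Shell=(.+)$")
RE_SFC = re.compile(r"^[umd]Winlogon:\s+SfcDisable=(-?\d+)")
RE_ORPHAN = re.compile(r"^(?:TB|BHO|EB|[umd]URLSearchHooks):.*-\s*No File$")
RE_HOSTS = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)$")
RE_SSDT = re.compile(r"^SSDT\s+(\S+)(?:\s+\((.*)\))?\s+(Zw\w+)\s+\[(0x[0-9A-Fa-f]+)\]")
RE_DISK = re.compile(r"^Disk\s+(\S+)\s+malicious\b")
RE_FILE = re.compile(r"^File\s+(.+?)\s+(\d+)\s+bytes$")


def triage(log_text, trusted_vendors=TRUSTED_HOOK_VENDORS):
    """Return a list of (severity, rule, detail) tuples for one DDS/GMER log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RE_SHELL.match(line)
        if m:
            # The Winlogon shell should be explorer.exe; anything else is
            # started in its place every time a user logs on.
            if m.group(1).strip().lower() != "explorer.exe":
                findings.append(("HIGH", "winlogon-shell",
                                 f"Winlogon Shell replaced by {m.group(1)}"))
            continue
        m = RE_SFC.match(line)
        if m:
            # A non-zero SfcDisable turns off Windows File Protection; some
            # slipstreamed installs set it deliberately, so confirm intent.
            if int(m.group(1)) != 0:
                findings.append(("MEDIUM", "sfc-disabled",
                                 "Windows File Protection disabled via SfcDisable"))
            continue
        if RE_ORPHAN.match(line):
            findings.append(("LOW", "orphan-entry",
                             f"Browser object registered but file missing: {line}"))
            continue
        m = RE_HOSTS.match(line)
        if m:
            target, host = m.groups()
            if target in ("127.0.0.1", "0.0.0.0"):
                findings.append(("MEDIUM", "hosts-block",
                                 f"hosts file blackholes {host}"))
            continue
        m = RE_SSDT.match(line)
        if m:
            path, desc, func, addr = m.groups()
            trusted = desc is not None and any(v in desc for v in trusted_vendors)
            findings.append(("INFO" if trusted else "HIGH", "ssdt-hook",
                             f"{func} hooked at {addr} by {path}"))
            continue
        m = RE_DISK.match(line)
        if m:
            findings.append(("CRITICAL", "mbr-code",
                             f"GMER reports malicious boot-sector code on {m.group(1)}"))
            continue
        m = RE_FILE.match(line)
        if m:
            findings.append(("HIGH", "hidden-file",
                             f"{m.group(1)} ({m.group(2)} bytes) listed by GMER as hidden"))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'CRITICAL': 1, 'HIGH': 3, ...}."""
    return dict(Counter(sev for sev, _, _ in findings))


if __name__ == "__main__":
    for sev, rule, detail in triage(SAMPLE_LOG):
        print(f"[{sev:8}] {rule:15} {detail}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run it on a saved DDS.txt or GMER log by passing the file contents to `triage()`; lines that match no rule (the uRun entry in the sample, for instance) produce nothing, so the output is only the entries a helper would want to look at first. The vendor allowlist is the one judgement call: an SSDT hook is not bad in itself, since anti-virus products install them too, so the script downgrades hooks whose GMER description names a vendor you trust and leaves the rest at HIGH for manual review.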

#5 Reya

Reya
  • Topic Starter

  • Members
  • 30 posts
  • Gender:Female

Posted 06 January 2012 - 10:37 PM

Hey there Dave, thanks so much for taking your time to headbutt this machine with me.

As to the computer's behavior, there are currently two hard drives in use, the Dell (original) and the Compaq. The Dell (which has had all logs given to you) has not been run in about a week unfortunately, but from what I can see in the past five minutes, things are normal and functioning quickly. I run into no problems and from appearances only, the system appears clean. The Compaq will be scanned after the Dell is cleaned so much as we can manage :)

With the owner's permission, Viewpoint and uTorrent were removed via Revo Uninstaller Pro and scanned moderately for remaining traces.

-------------------------

ComboFix 12-01-06.03 - Administrator 01/06/2012 21:19:07.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.644 [GMT -6:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\Application Data\Desktopicon
c:\documents and settings\Administrator\Application Data\inst.exe
c:\documents and settings\Administrator\Application Data\vso_ts_preview.xml
c:\documents and settings\Administrator\Local Settings\Application Data\c15d6e18\U\00000001.@
c:\documents and settings\Administrator\Local Settings\Application Data\c15d6e18\U\000000c0.@
c:\documents and settings\Administrator\Local Settings\Application Data\c15d6e18\U\000000cb.@
c:\documents and settings\Administrator\Local Settings\Application Data\c15d6e18\U\000000cf.@
c:\documents and settings\Administrator\Local Settings\Application Data\c15d6e18\U\80000000.@
c:\documents and settings\Administrator\Local Settings\Application Data\c15d6e18\U\800000c0.@
c:\documents and settings\Administrator\Local Settings\Application Data\c15d6e18\U\800000cb.@
c:\documents and settings\Administrator\Local Settings\Application Data\c15d6e18\U\800000cf.@
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Default User\Application Data\Desktopicon
c:\program files\CouponAlert_2pEI
c:\program files\SelectRebates
c:\program files\SelectRebates\FFToolbar\install.rdf
c:\windows\$NtUninstallKB20666$
c:\windows\$NtUninstallKB20666$\1821982215
c:\windows\$NtUninstallKB20666$\3244125720\@
c:\windows\$NtUninstallKB20666$\3244125720\L\ueaiumho
c:\windows\$NtUninstallKB20666$\3244125720\loader.tlb
c:\windows\$NtUninstallKB20666$\3244125720\U\@00000001
c:\windows\$NtUninstallKB20666$\3244125720\U\@000000c0
c:\windows\$NtUninstallKB20666$\3244125720\U\@000000cb
c:\windows\$NtUninstallKB20666$\3244125720\U\@000000cf
c:\windows\$NtUninstallKB20666$\3244125720\U\@80000000
c:\windows\$NtUninstallKB20666$\3244125720\U\@800000c0
c:\windows\$NtUninstallKB20666$\3244125720\U\@800000cb
c:\windows\$NtUninstallKB20666$\3244125720\U\@800000cf
c:\windows\Dann6032.exe
c:\windows\system32\
c:\windows\system32\drivers\etc\hosts.ics
c:\windows\system32\drivers\etc\lmhosts
c:\windows\system32\msconfig.exe
c:\windows\system32\pthreadVC.dll
F:\Autorun.inf
.
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_NPF
.
.
((((((((((((((((((((((((( Files Created from 2011-12-07 to 2012-01-07 )))))))))))))))))))))))))))))))
.
.
2012-01-07 02:07 . 2012-01-07 02:22 -------- d-----w- C:\ecf01b454a67021e513c232dbf
2012-01-02 20:21 . 2012-01-02 20:22 -------- d-----w- c:\program files\SystemRequirementsLab
2012-01-02 20:21 . 2012-01-02 20:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\SystemRequirementsLab
2011-12-31 19:04 . 2011-12-31 19:04 -------- d-----w- C:\$AVG
2011-12-31 18:45 . 2011-12-31 18:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\AVG2012
2011-12-31 18:41 . 2012-01-07 02:52 -------- d-----w- c:\windows\system32\drivers\AVG
2011-12-31 18:41 . 2011-12-31 19:20 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG2012
2011-12-31 18:41 . 2011-12-31 18:41 -------- d-----w- c:\program files\AVG
2011-12-31 15:33 . 2011-12-31 15:33 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\VS Revo Group
2011-12-31 15:33 . 2009-12-30 16:20 27064 ----a-w- c:\windows\system32\drivers\revoflt.sys
2011-12-31 15:33 . 2011-12-31 15:33 -------- d-----w- c:\program files\VS Revo Group
2011-12-31 03:55 . 2011-12-31 03:55 57600 ----a-w- c:\windows\system32\drivers\tskDE.tmp
2011-12-31 03:52 . 2011-12-31 03:52 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2011-12-31 03:25 . 2011-12-31 03:25 -------- d-----w- c:\program files\7-Zip
2011-12-31 01:46 . 2011-12-31 01:46 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2011-12-31 01:28 . 2011-12-31 01:28 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\visi_coupon
2011-12-31 01:27 . 2011-12-31 01:27 -------- d-----w- c:\program files\Trend Micro
2011-12-31 01:09 . 2011-12-31 01:09 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-31 01:01 . 2012-01-07 02:48 -------- d-----w- c:\documents and settings\Administrator\Tracing
2011-12-31 01:00 . 2011-12-31 01:00 -------- d-----w- c:\program files\Microsoft
2011-12-31 01:00 . 2011-12-31 01:00 -------- d-----w- c:\program files\Windows Live SkyDrive
2011-12-31 00:59 . 2011-12-31 01:00 -------- d-----w- c:\program files\Windows Live
2011-12-31 00:50 . 2011-12-31 00:50 -------- d-----w- c:\program files\Common Files\Windows Live
2011-12-15 21:27 . 2011-12-15 21:27 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-12-15 21:27 . 2011-12-15 21:27 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
2011-12-15 13:23 . 2011-12-15 13:23 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2011-12-15 01:42 . 2011-12-15 01:42 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2011-12-15 00:43 . 2011-12-15 00:43 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-12-15 00:36 . 2011-12-15 00:36 -------- d-----w- c:\documents and settings\All Users\Application Data\CenturyLink
2011-12-15 00:33 . 2011-12-15 00:33 -------- d-----w- c:\program files\Qwest
2011-12-15 00:33 . 2011-12-15 00:33 -------- d-----w- c:\program files\CenturyLink
2011-12-11 21:15 . 2011-12-31 19:05 -------- d-sh--w- c:\documents and settings\Administrator\Local Settings\Application Data\c15d6e18
2011-12-11 13:15 . 2011-12-15 00:40 -------- d-----w- c:\program files\DotSpot_2k
2011-12-09 22:37 . 2011-12-09 22:37 -------- d-----w- c:\windows\system32\wbem\Repository
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-31 19:05 . 2009-04-24 20:40 152560 ----a-w- c:\windows\system32\nvsvc32.exe
2011-12-31 04:11 . 2009-04-24 15:00 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2011-11-05 19:24 . 2011-11-05 19:24 47360 ----a-w- c:\documents and settings\Administrator\Application Data\pcouffin.sys
2011-12-15 21:27 . 2011-05-07 22:53 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
.
.
.
[7] 2009-08-27 . 332EC7562F3AA7364F2D4231C56DA986 . 634648 . . [7.00.6000.21115] . . c:\windows\ie8\iexplore.exe
[7] 2009-06-29 . 02E2754D3E566C11A4934825920C47DD . 634632 . . [7.00.6000.21073] . . c:\windows\ie7updates\KB974455-IE7\iexplore.exe
[7] 2009-04-25 . C0503FD8D163652735C1EE900672A75C . 636088 . . [7.00.6000.21045] . . c:\windows\ie7updates\KB972260-IE7\iexplore.exe
[7] 2009-03-08 . B60DDDD2D63CE41CB8C487FCFBB6419E . 638816 . . [8.00.6001.18702] . . c:\windows\system32\dllcache\iexplore.exe
[7] 2009-02-28 . BCD8E48709BE4A79606F0B6E8E9A6162 . 636088 . . [7.00.6000.21020] . . c:\windows\$hf_mig$\KB963027-IE7\SP3QFE\iexplore.exe
[7] 2009-02-28 . BCD8E48709BE4A79606F0B6E8E9A6162 . 636088 . . [7.00.6000.21020] . . c:\windows\ie7updates\KB969897-IE7\iexplore.exe
[7] 2008-06-05 . 6E0888626E0CAC79F57149814E22DB4D . 625664 . . [7.00.6000.20772] . . c:\windows\ie7updates\KB963027-IE7\iexplore.exe
.
c:\windows\System32\drivers\beep.sys ... is missing !!
c:\windows\System32\wscntfy.exe ... is missing !!
c:\windows\System32\regsvc.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-17 8491008]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2011-12-03 2415456]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2009-03-08 128512]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Canon IJ Status Monitor Canon MX310 series Printer (Copy 2).lnk]
backup=c:\windows\pss\Canon IJ Status Monitor Canon MX310 series Printer (Copy 2).lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^ZooskDesktop.lnk]
backup=c:\windows\pss\ZooskDesktop.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gamevance
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-04 01:43 69632 ----a-w- c:\windows\Alcmtr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
2007-04-04 01:50 1603152 ----a-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
2007-05-15 01:01 644696 ----a-w- c:\program files\Canon\SolutionMenu\CNSLMAIN.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 03:42 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
2007-02-04 19:02 79400 ----a-w- c:\program files\ScanSoft\OmniPageSE4\OpWareSE4.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2009-05-21 21:53 26112 ----a-w- c:\program files\Real\RealPlayer\realplay.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2008-01-09 22:25 16859648 ----a-w- c:\windows\RTHDCPL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2006-10-25 16:03 210472 ----a-w- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WrtMon.exe]
2006-09-20 13:35 20480 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"PD91Engine"=3 (0x3)
"PD91Agent"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"idsvc"=3 (0x3)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Documents and Settings\\Administrator\\Application Data\\Azureus\\tmp\\AZU4655860709073284505.tmp\\Vuze_4.7.0.2b_win32.exe"=
"c:\\Program Files\\DotSpot_2k\\bar\\2.bin\\2kmedint.exe"=
"c:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\msfeedssync.exe"=
"c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=
"c:\\Program Files\\CenturyLink\\Desktop\\CenturyLinkTouchPointAgent.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Safari\\Safari.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Microsoft\\Search Enhancement Pack\\Choice Guard\\CGuard.exe"=
"c:\\Program Files\\Windows Live\\Installer\\wloobe.exe"=
"c:\\WINDOWS\\Driver Cache\\SCAN\\msgr11us.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Yahoo!\\YUpdater\\yupdater.exe"=
"c:\\Program Files\\WinZip\\WINZIP32.EXE"=
"c:\\WINDOWS\\Driver Cache\\SCAN\\7zip-setup.exe"=
"c:\\WINDOWS\\Driver Cache\\SCAN\\sdsetup_revwire207.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [7/11/2011 1:14 AM 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/13/2011 6:30 AM 32592]
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [4/21/2011 8:44 PM 13496]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [10/7/2011 6:23 AM 230608]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [7/11/2011 1:14 AM 295248]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [8/2/2011 6:09 AM 192776]
R3 AR9271;Atheros AR9271 Wireless Network Adapter Service;c:\windows\system32\drivers\athuw.sys [9/11/2011 11:25 AM 1723840]
S2 DotSpot_2kService;DotSpotService;c:\progra~1\DOTSPO~1\bar\2.bin\2kbarsvc.exe [12/11/2011 3:24 PM 42504]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S3 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [10/12/2011 6:25 AM 4433248]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [7/11/2011 1:14 AM 134608]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [7/11/2011 1:14 AM 24272]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [10/4/2011 6:21 AM 16720]
S3 dsiarhwprog;dsiarhwprog;c:\windows\system32\drivers\dsiarhwprog.sys [12/22/2010 8:16 PM 29184]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe /medsvc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [12/31/2011 9:33 AM 27064]
S3 sxuptp;SXUPTP Driver;c:\windows\system32\DRIVERS\sxuptp.sys --> c:\windows\system32\DRIVERS\sxuptp.sys [?]
S4 PD91Agent;PD91Agent;c:\program files\Raxco\PerfectDisk2008\PD91Agent.exe [12/31/2008 12:12 PM 693512]
S4 PD91Engine;PD91Engine;c:\program files\Raxco\PerfectDisk2008\PD91Engine.exe [12/31/2008 12:12 PM 910600]
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 22:57]
.
2011-12-20 c:\windows\Tasks\SmartDefrag_Schedule.job
- c:\program files\IObit\Smart Defrag 2\SmartDefrag.exe [2011-04-22 22:29]
.
2012-01-07 c:\windows\Tasks\SmartDefrag_Startup.job
- c:\program files\IObit\Smart Defrag 2\SmartDefrag.exe [2011-04-22 22:29]
.
2012-01-07 c:\windows\Tasks\User_Feed_Synchronization-{263D8F75-5AE1-4123-9FF0-A0C667478E2C}.job
- c:\windows\system32\msfeedssync.exe [2001-08-23 10:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = about:blank
TCP: DhcpNameServer = 192.168.0.1 205.171.3.25
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\pvzh86f3.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&q=
FF - user.js: browser.cache.memory.capacity - 16000
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: dom.disable_window_status_change - true
FF - user.js: network.http.max-connections - 32
FF - user.js: network.http.max-connections-per-server - 8
FF - user.js: network.http.max-persistent-connections-per-proxy - 8
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 750
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
FF - user.js: yahoo.homepage.dontask - true
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
WebBrowser-{98279C38-DE4B-4BCF-93C9-8EC26069D6F4} - (no file)
WebBrowser-{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - (no file)
WebBrowser-{17F24F6D-0284-4A62-A3B7-FCA9F2084AF4} - (no file)
ShellIconOverlayIdentifiers-{80A7EB51-ABC5-BCAA-ADB3-0E23C1537ACC} - (no file)
HKCU-Run-Easy Dock - (no file)
HKLM-Run-Easy Dock - (no file)
HKU-Default-RunOnce-FlashPlayerUpdate - c:\windows\system32\Macromed\Flash\FlashUtil10p_ActiveX.exe
SafeBoot-26427335.sys
MSConfigStartUp-Advanced SystemCare 3 - c:\program files\IObit\Advanced SystemCare 3\AWC.exe
AddRemove-Announcements 7.0 - c:\windows\Dann6032.exe
AddRemove-UnityWebPlayer - c:\documents and settings\Administrator\Local Settings\Application Data\Unity\WebPlayer\Uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-06 21:28
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1078081533-2077806209-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,84,ca,9c,c4,03,2a,81,49,80,91,8d,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1f,36,af,00,17,11,52,4d,9a,33,d4,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,84,ca,9c,c4,03,2a,81,49,80,91,8d,\
.
[HKEY_USERS\S-1-5-21-1078081533-2077806209-682003330-500\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:d5,3a,7f,db,c4,3e,38,ff,dd,e0,08,07,c5,31,d1,42,6b,d2,98,cb,b2,68,3f,
41,72,f7,ea,01,98,2a,71,55,3f,4b,32,ea,7e,a4,65,fb,27,25,65,8c,a0,cb,c0,bd,\
"??"=hex:c1,c0,39,9d,71,a7,e2,cb,b6,b4,6b,62,95,68,9f,17
.
[HKEY_LOCAL_MACHINE\software\Microsoft\DbgagD\1*]
"value"="?\0b\04\03\064/Ú"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3384)
c:\windows\system32\WININET.dll
c:\docume~1\ADMINI~1\LOCALS~1\Temp\catchme.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\AVG\AVG2012\avgrsx.exe
c:\program files\AVG\AVG2012\avgcsrvx.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\AVG\AVG2012\avgnsx.exe
c:\program files\AVG\AVG2012\avgemcx.exe
.
**************************************************************************
.
Completion time: 2012-01-06 21:31:24 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-07 03:31
.
Pre-Run: 185,822,502,912 bytes free
Post-Run: 186,048,270,336 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 9BE19D20E29082953F4B95CB830BD278


There's the gold for ya. The log says the computer was rebooted, but it actually happened twice. xD What do you think?
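A triage pass over the log above, as an added example (my own Python, not part of this thread and not ComboFix's code). It parses lines in the two layouts ComboFix uses for the "Files Created" section and the firewall AuthorizedApplications list, then applies three review heuristics: a directory whose name is a long run of hex digits, a hidden+system directory created inside a user profile, and a firewall exception for a program living under a temp, cache or profile-data path. The sample input is a handful of lines copied from the log above; the heuristics and the "look closer" reasons are this example's own, not findings anyone in the thread made, and a hit means review, not malware (installer packages and updaters legitimately use some of these locations).

```python
import re
from typing import Dict, List, Tuple

# Sample input: lines copied from the ComboFix log in this thread
# ("Files Created" section and the firewall AuthorizedApplications list).
FILES_CREATED = r"""
2012-01-07 02:07 . 2012-01-07 02:22 -------- d-----w- C:\ecf01b454a67021e513c232dbf
2011-12-31 18:41 . 2011-12-31 18:41 -------- d-----w- c:\program files\AVG
2011-12-31 15:33 . 2009-12-30 16:20 27064 ----a-w- c:\windows\system32\drivers\revoflt.sys
2011-12-15 13:23 . 2011-12-15 13:23 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2011-12-11 21:15 . 2011-12-31 19:05 -------- d-sh--w- c:\documents and settings\Administrator\Local Settings\Application Data\c15d6e18
2011-12-11 13:15 . 2011-12-15 00:40 -------- d-----w- c:\program files\DotSpot_2k
"""

FIREWALL_LIST = r"""
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Documents and Settings\\Administrator\\Application Data\\Azureus\\tmp\\AZU4655860709073284505.tmp\\Vuze_4.7.0.2b_win32.exe"=
"c:\\WINDOWS\\Driver Cache\\SCAN\\sdsetup_revwire207.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
"""

# created . modified  size  attrs  path   (size is "--------" for a directory)
CREATED_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. (\d{4}-\d\d-\d\d \d\d:\d\d)\s+(\S+)\s+(\S{8})\s+(.+)$"
)
FW_RE = re.compile(r'^"(.+)"=$')     # registry-export style line, backslashes doubled

# Review heuristics: this example's own, not ComboFix's.
HEX_NAME = re.compile(r"^[0-9a-f]{8,}$", re.IGNORECASE)
USER_PROFILE = re.compile(r"\\documents and settings\\", re.IGNORECASE)
STAGING_DIR = re.compile(r"\\(temp|tmp|driver cache|application data)\\", re.IGNORECASE)


def review_created(line: str) -> Tuple[str, List[str]]:
    """Parse one 'Files Created' line; return (path, reasons to look closer)."""
    m = CREATED_RE.match(line)
    if not m:
        raise ValueError(f"not a Files Created line: {line!r}")
    _created, _modified, _size, attrs, path = m.groups()
    is_dir = attrs[0] == "d"          # letters as ComboFix prints them: d dir, s system, h hidden, a archive
    name = path.rsplit("\\", 1)[-1]
    reasons: List[str] = []
    if is_dir and HEX_NAME.match(name):
        reasons.append("directory with an all-hex name")
    if is_dir and "s" in attrs and "h" in attrs and USER_PROFILE.search(path):
        reasons.append("hidden+system directory inside a user profile")
    return path, reasons


def review_firewall(line: str) -> Tuple[str, List[str]]:
    """Parse one AuthorizedApplications line; return (path, reasons to look closer)."""
    m = FW_RE.match(line)
    if not m:
        raise ValueError(f"not a firewall list line: {line!r}")
    path = m.group(1).replace("\\\\", "\\")
    reasons: List[str] = []
    if STAGING_DIR.search(path):
        reasons.append("firewall exception for a program in a temp/cache/profile-data location")
    return path, reasons


def triage(files_created: str, firewall_list: str) -> Dict[str, List[str]]:
    """Return {path: reasons} for every entry that trips at least one heuristic."""
    flagged: Dict[str, List[str]] = {}
    for line in files_created.strip().splitlines():
        path, reasons = review_created(line)
        if reasons:
            flagged[path] = reasons
    for line in firewall_list.strip().splitlines():
        path, reasons = review_firewall(line)
        if reasons:
            flagged[path] = reasons
    return flagged


def triage_sample() -> Dict[str, List[str]]:
    """The heuristics run over the lines copied from the log above."""
    return triage(FILES_CREATED, FIREWALL_LIST)


if __name__ == "__main__":
    for path, reasons in triage_sample().items():
        print(path)
        for r in reasons:
            print("   ->", r)
```

Run as a script it prints the four flagged paths with their reasons; to use it on a full log, feed the text between the section banners to triage(). The PrivacIE entry is deliberately not flagged: it is hidden+system, but it sits under the system profile, not a user's.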

#6 rigacci

Posted 07 January 2012 - 12:55 PM

hi Reya.

Great, thanks. I would not worry about the double boot at this time. :thumbup2:


Can you tell me though, is this a work computer with limited access preferred? :whistle:

Or is this a home computer where the user should have total access? (Or have you tightened up the user permissions yourself?)

The answer will tell us whether we need to include some particular directions.

Thanks.

Dave

#7 Reya

Posted 07 January 2012 - 02:04 PM

This is a home computer. I recently had to reset security settings as it would not allow me to access HijackThis and RegSeeker (recently replaced with CCleaner as per my preferences anyway), saying that there were no user rights to open said programs. Internet Explorer, Firefox, and other programs opened with no problems. I'd received secedit.exe and secedit.chm from my boyfriend overseas (miracle worker when systems aren't behaving) and extracted them; those allowed me to reset permissions to open, view and change programs. Everything should have simply reset to default. In short, the User should have all permissions and access. There is only this one administrative account which should have access to all.

Aha! Found the original article- http://support.microsoft.com/kb/313222/

"secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose" was used in the command prompt once the secedit files were in place. Once that was finished, I was able to open computer security programs.

Edited by Reya, 07 January 2012 - 02:36 PM.


#8 rigacci

Posted 07 January 2012 - 09:57 PM

Hi Reya!

A question about the second hard drive. Is it another complete installation of Windows?

If it is a storage drive, you might want to connect that as well, to make sure it is also disinfected.


But for now, we need to first uninstall the Vuze program (another P2P program).

First, click "start" on the taskbar and then click on the "Control Panel" icon.
Please double-click the "Add or Remove Programs" icon.
A list of programs installed will be "populated" this may take a bit of time.
If they exist, uninstall the following by clicking on the following entries and selecting "remove":

Vuze


Then please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    *beep*
    *wscntfy*
    *regsvc*
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt


Now let's check out a file.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the Browse button and navigate to the files listed below in bold, then click Submit. You will only be able to have one file scanned at a time.


C:\ecf01b454a67021e513c232dbf



Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

Thanks.

Dave

#9 Reya

Posted 07 January 2012 - 10:08 PM

SystemLook 30.07.11 by jpshortstuff
Log created at 21:10 on 07/01/2012 by Administrator
Administrator - Elevation successful

========== filefind ==========

Searching for "*beep*"
C:\Program Files\Phantom EFX\ReelDealLive\MiniGames\ExtravaPanda1024\Sounds\EPCountdownBeep.ogg --a---- 5883 bytes [15:58 30/07/2009] [15:58 30/07/2009] EC56672AAD0286D4B0F5ADE422741EEE
C:\Program Files\Phantom EFX\ReelDealLive\Slots\BlackbeardsRevenge\MadMoney\Sounds\MMBeep.ogg --a---- 5381 bytes [13:01 04/08/2008] [13:01 04/08/2008] 75D53D35F9ABDB95FD11CDF2629D84DA
C:\Program Files\Yahoo!\Messenger\Media\misc\beep_bmp.cab --a---- 1357 bytes [23:23 24/04/2009] [08:41 29/08/2011] F494F0CF1AA6CC37705A20FBAE276975
C:\Program Files\Yahoo!\Messenger\Media\misc\beep_mp3.cab --a---- 5891 bytes [23:23 24/04/2009] [08:41 29/08/2011] CA803898892BE55269A205C400B1BCBF
C:\Program Files\Yahoo!\Messenger\Media\RingTones\beep.wav --a---- 11764 bytes [23:23 24/04/2009] [08:41 29/08/2011] A3C490481B099536A6A957ABCF5C5631

Searching for "*wscntfy*"
No files found.

Searching for "*regsvc*"
C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\regsvcs.exe.config --a---- 351 bytes [05:47 24/10/2007] [05:47 24/10/2007] 178538C50E21FB4FCF6B091DB4B254D2
C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\regsvcs.exe.rtm.config --a---- 351 bytes [00:41 09/04/2002] [00:41 09/04/2002] 178538C50E21FB4FCF6B091DB4B254D2
C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\RegSvcs.exe --a---- 12288 bytes [11:25 21/02/2003] [11:25 21/02/2003] DFF482FACFB1EB74718D305CA7FA82A9
C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\regsvcs.exe.config --a---- 353 bytes [00:30 21/02/2003] [00:30 21/02/2003] 7447443B22778BBB3AE40B83BEE03C5D
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe --a---- 32768 bytes [16:17 25/07/2008] [16:17 25/07/2008] 05BB1EE851DC01C8B75B8663E66ABB74
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\regsvcs.exe.config --a---- 181 bytes [05:47 24/10/2007] [05:47 24/10/2007] 0366F988E5EA426D80338070D8FA241B
C:\WINDOWS\Prefetch\REGSVCS.EXE-11A17120.pf --a---- 41420 bytes [09:08 07/01/2012] [09:14 07/01/2012] 5DF20E4D05A8C06F462418EBAA6B084A

-= EOF =-


Jotti automatically selected the single file within your selected folder, browseui.dll
What an amazing resource, thanks for showing me this little treasure. ^^

It seems to be frozen on uploading, please wait. Tried the same in Internet Explorer and it says the file is empty with zero bytes. Trying now with your alternative link.

Edited by Reya, 07 January 2012 - 10:20 PM.


#10 Reya

Posted 07 January 2012 - 10:25 PM

Virustotal continuously loads in Firefox, and reloads in IE with no change whatsoever, just continues asking for the file to be scanned. =/ Testy git, this. Thanks for the hand :)

Oooh, and about the Compaq hard drive: yes, it has a complete installation of Windows XP and belongs in a Compaq tower that currently has an electrical issue I'll be (trying to be) fixing during the week. When I first scanned the Dell with AVG, it found many trojans over there on E: (the Comcrap), so I imagine the endeavor to secure that hard drive will be almost as fun as with this one :crazy:

Edited by Reya, 07 January 2012 - 10:29 PM.


#11 rigacci

Posted 08 January 2012 - 07:43 AM

Hi Reya.

OK, so that install is not in any way involved with this one, no? That is better, so we can do one at a time.

I will get back to you ASAP with your next instructions.

BTW, do you have the original Windows Install CD?

Dave


One other thing. Are you getting error messages about these 3 files?

c:\windows\System32\drivers\beep.sys
c:\windows\System32\wscntfy.exe
c:\windows\System32\regsvc.dll

Edited by rigacci, 08 January 2012 - 08:11 AM.


#12 Reya

Posted 08 January 2012 - 09:38 AM

Unfortunately no cds, for neither of the systems.

No error messages about the files that I've seen.

Thanks again for your time on this Dave :)

#13 rigacci

Posted 08 January 2012 - 10:25 AM

Hi Reya!

Before we run any more cleaning, I just want to be sure of what that suspicious file is.

Please follow the directions below.


Send me a copy of a suspicious file for analysis

1. Please go to here.
2. Where it asks for the "Link to topic where this file was requested" copy and paste in

http://www.bleepingcomputer.com/forums/topic435563.html/page__gopid__2542987

3. Where it says "Browse to the file you want to submit", browse to

C:\ecf01b454a67021e513c232dbf

4. Press the Send File button.

Let me know when that is done and we can go from there.

Thanks.

Dave

#14 Reya

Posted 08 January 2012 - 11:02 AM

I pressed the send button in Firefox and got no response. Tried in internet explorer and got

There was an error uploading your file.

Your file is either 0 bytes or has exceeded the maximum file size of 5MB that we allow to be uploaded.


The file you're trying to investigate is actually a folder that contains "browseui.dll".

#15 rigacci

Posted 08 January 2012 - 04:06 PM

Hi Reya.

Ok, don't worry about that.

For now I would like you to do the following. This should replace those 3 missing files.

Extracting File from WinXPSP3

Please follow these instructions:

(If you already have 7-zip installed on your computer, skip to step 3)

  • Download the 7zip file extractor/compressor from here. Save it to your Desktop.
  • Install 7zip on your computer.
  • Download Windows XP Service Pack 3 Network Installation Package for IT Professionals and Developers from here. Save it to your Desktop.
  • Right-Click on the downloaded SP3 install package
  • In the secondary menu that opens, move the mouse pointer down to 7zip, then choose Extract to (The folder name will be the same name as the SP3 install package)
  • Once the extraction completes, you should have the new folder on your Desktop. Inside that folder should be another folder titled i386.
  • Right-Click on the i386 folder, and click Copy
  • Now Paste the i386 folder into your root directory C:\ (This may take a few minutes)
  • Click Start > Run, then type cmd to open the Command Prompt window, then type cd\ and hit ENTER to get back to c:\
  • Type the following at the c:\

    expand c:\i386\beep.sy_ c:\beep.sys and hit Enter

    expand c:\i386\wscntfy.ex_ c:\wscntfy.exe and hit Enter

    expand c:\i386\regsvc.dl_ c:\regsvc.dll and hit Enter
    (Note the underscore ( _ ) at the end of the file to be expanded and the space between _ and c)
  • Close the command prompt window

Please let me know whether this is successful.

Thanks

Dave

Edited by thcbytes, 08 January 2012 - 04:32 PM.
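The expand commands above inflate compressed .sy_, .ex_ and .dl_ files, and it helps to know what expand.exe is actually undoing. It reads three formats: the SZDD stream from the old COMPRESS.EXE (magic bytes SZDD 88 F0 27 33, LZSS with a 4 KiB ring buffer), its KWAJ successor, and single-file cabinets (magic MSCF); the first bytes of a file tell you which. The following is an added example (my own Python, not Microsoft's code or anything posted in this thread): it identifies the container, reads the SZDD header, which stores the uncompressed size and the last character of the original file name (the character the underscore replaces, so beep.sy_ expands to beep.sys), and implements the SZDD decoder plus a matching greedy encoder so the round trip can be exercised offline. The input is a constructed byte string standing in for a driver, not a real .sy_ file.

```python
import struct
from typing import Tuple

SZDD_MAGIC = b"SZDD\x88\xF0\x27\x33"   # classic COMPRESS.EXE stream (what this example decodes)
KWAJ_MAGIC = b"KWAJ\x88\xF0\x27\xD1"   # later COMPRESS.EXE variant, also read by expand.exe
MSCF_MAGIC = b"MSCF"                   # single-file cabinet, also read by expand.exe
WINDOW = 4096                          # LZSS ring buffer size
START = WINDOW - 16                    # buffer offset the stream starts writing at
MIN_MATCH, MAX_MATCH = 3, 18           # encoded length nibble + 3

def detect_container(data: bytes) -> str:
    for magic, name in ((SZDD_MAGIC, "SZDD"), (KWAJ_MAGIC, "KWAJ"), (MSCF_MAGIC, "MSCF")):
        if data.startswith(magic):
            return name
    return "unknown"

def szdd_header(data: bytes) -> Tuple[str, int]:
    """(last character of the original file name, uncompressed size) from the 14-byte header."""
    if not data.startswith(SZDD_MAGIC) or data[8:9] != b"A":
        raise ValueError("not an SZDD mode-'A' stream")
    missing = chr(data[9]) if data[9] else ""       # stored as 0 when no name was recorded
    (length,) = struct.unpack_from("<I", data, 10)
    return missing, length

def szdd_expand(data: bytes) -> bytes:
    """Decode the body: a flag byte, then 8 items (bit set = literal, bit clear = 2-byte match)."""
    _, length = szdd_header(data)
    window = bytearray(b" " * WINDOW)               # ring buffer starts out filled with spaces
    wpos, out, i = START, bytearray(), 14
    while i < len(data) and len(out) < length:
        flags, i = data[i], i + 1
        for bit in range(8):
            if len(out) >= length or i >= len(data):
                break
            if flags & (1 << bit):
                b, i = data[i], i + 1
                out.append(b)
                window[wpos] = b
                wpos = (wpos + 1) % WINDOW
            else:
                if i + 1 >= len(data):
                    raise ValueError("truncated match")
                mpos = data[i] | ((data[i + 1] & 0xF0) << 4)   # 12-bit buffer offset
                mlen = (data[i + 1] & 0x0F) + MIN_MATCH
                i += 2
                for _ in range(mlen):                  # byte by byte: a match may overlap wpos
                    b = window[mpos]
                    mpos = (mpos + 1) % WINDOW
                    out.append(b)
                    window[wpos] = b
                    wpos = (wpos + 1) % WINDOW
    if len(out) != length:
        raise ValueError(f"stream ended at {len(out)} of {length} bytes")
    return bytes(out)

def _match_len(window: bytearray, wpos: int, cand: int, raw: bytes, i: int) -> int:
    """Longest match at buffer offset cand for raw[i:], exactly as the decoder will see it."""
    n, limit = 0, min(MAX_MATCH, len(raw) - i)
    while n < limit:
        p = (cand + n) % WINDOW
        d = (p - wpos) % WINDOW
        b = raw[i + d] if d < n else window[p]      # slots this match already overwrote hold raw bytes
        if b != raw[i + n]:
            break
        n += 1
    return n

def szdd_compress(raw: bytes, missing_char: str = "") -> bytes:
    """Greedy LZSS encoder producing a stream in the format szdd_expand (and expand.exe) reads."""
    out = bytearray(SZDD_MAGIC + b"A" + bytes([ord(missing_char) if missing_char else 0]))
    out += struct.pack("<I", len(raw))
    window = bytearray(b" " * WINDOW)
    wpos, i = START, 0
    while i < len(raw):
        flags, body = 0, bytearray()
        for bit in range(8):
            if i >= len(raw):
                break
            best_n, best_pos = 0, 0
            for cand in (c for c in range(WINDOW) if window[c] == raw[i]):
                n = _match_len(window, wpos, cand, raw, i)
                if n > best_n:
                    best_n, best_pos = n, cand
            if best_n >= MIN_MATCH:
                body += bytes([best_pos & 0xFF, ((best_pos >> 4) & 0xF0) | (best_n - MIN_MATCH)])
            else:
                flags |= 1 << bit
                best_n = 1
                body.append(raw[i])
            for k in range(best_n):                    # keep the encoder's buffer in step with the decoder's
                window[wpos] = raw[i + k]
                wpos = (wpos + 1) % WINDOW
            i += best_n
        out.append(flags)
        out += body
    return bytes(out)

# Constructed sample standing in for the contents of a .sy_ file (not a real driver).
SAMPLE = b"beep.sys placeholder: " + b"BEEP BEEP BEEP " * 20 + bytes(range(256))

def demo() -> dict:
    blob = szdd_compress(SAMPLE, "s")
    return {"container": detect_container(blob), "header": szdd_header(blob),
            "sizes": (len(blob), len(SAMPLE)), "roundtrip": szdd_expand(blob) == SAMPLE}
```

If detect_container() reports MSCF for a given file the SZDD decoder does not apply: that file is a one-entry cabinet and expand.exe (or any cabinet extractor) is the tool for it. Either way, after expanding, the header's length field is a quick sanity check that the file written to C:\ has the size the package said it would.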




