Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Win32 Malware and Win32 Trojan


  • This topic is locked This topic is locked
3 replies to this topic

#1 THtweey

THtweey

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:AL
  • Local time:01:54 AM

Posted 27 March 2012 - 11:29 PM

Referred from here: http://www.bleepingcomputer.com/forums/topic447851.html ~ OB

Log files are as follows:

.
DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_30
Run by Tammy at 23:08:53 on 2012-03-27
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.127.11 [GMT -5:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File
BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
Trusted Zone: microsoft.com\*.update
Trusted Zone: microsoft.com\update
Trusted Zone: windowsupdate.com\download
Trusted Zone: womanfreebies.com\www
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1332724265909
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1332724815329
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{B79DB6D5-EF5E-4731-BEA3-3BBE8FFCEF7A} : DhcpNameServer = 192.168.2.1
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
============= SERVICES / DRIVERS ===============
.
S0 cerc6;cerc6; [x]
S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-3-27 20464]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-3-27 40776]
S3 NtApm;NT Apm/Legacy Interface Driver;c:\windows\system32\drivers\NtApm.sys [2001-8-17 9344]
S3 nv3;nv3;c:\windows\system32\drivers\nv3.sys [2012-2-2 198144]
.
=============== Created Last 30 ================
.
2012-03-28 02:31:24 -------- d-----w- c:\program files\AVAST Software
2012-03-28 01:09:33 -------- d-----w- c:\program files\ESET
2012-03-28 00:38:19 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-03-27 20:29:34 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-27 20:29:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-03-27 18:28:36 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-03-27 16:26:14 61440 ----a-w- c:\windows\system32\CleanMem.exe
2012-03-27 16:26:09 -------- d-----w- c:\windows\CleanMem
2012-03-27 16:26:09 -------- d-----w- c:\program files\CleanMem
2012-03-27 04:24:51 -------- d-----w- c:\windows\pss
2012-03-27 02:55:56 -------- d-----w- c:\program files\CCleaner
2012-03-26 19:00:27 274288 ----a-w- c:\windows\system32\mucltui.dll
2012-03-26 19:00:27 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-03-26 03:27:21 -------- d-----w- c:\windows\ie8updates
2012-03-26 03:26:14 602112 ----a-w- c:\windows\system32\dllcache\msfeeds.dll
2012-03-26 03:26:09 55296 ----a-w- c:\windows\system32\dllcache\msfeedsbs.dll
2012-03-26 03:25:58 743424 ----a-w- c:\windows\system32\dllcache\iedvtool.dll
2012-03-26 03:25:47 247808 ----a-w- c:\windows\system32\dllcache\ieproxy.dll
2012-03-26 03:25:47 12800 ----a-w- c:\windows\system32\dllcache\xpshims.dll
2012-03-26 03:25:44 2000384 ----a-w- c:\windows\system32\dllcache\iertutil.dll
2012-03-26 03:24:43 11082240 ----a-w- c:\windows\system32\dllcache\ieframe.dll
2012-03-26 03:06:32 -------- d-----w- c:\program files\Microsoft Download Manager
2012-03-26 01:51:33 272128 ----a-w- c:\windows\system32\drivers\bthport.sys
2012-03-26 01:51:33 272128 ----a-w- c:\windows\system32\dllcache\bthport.sys
2012-03-26 01:45:39 456320 ----a-w- c:\windows\system32\dllcache\mrxsmb.sys
2012-03-26 01:11:06 -------- d-----w- C:\31814500cdd50bded26e
2012-03-26 00:44:11 3072 ----a-w- c:\windows\system32\iacenc.dll
2012-03-26 00:44:11 3072 ----a-w- c:\windows\system32\dllcache\iacenc.dll
2012-03-26 00:37:43 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2012-03-26 00:36:22 -------- d-----w- c:\windows\system32\PreInstall
2012-03-26 00:36:18 -------- d--h--w- c:\windows\$hf_mig$
2012-03-26 00:11:45 -------- d-----w- c:\windows\system32\SoftwareDistribution
2012-03-10 06:00:10 -------- d-----w- c:\windows\system32\appmgmt
2012-03-10 04:44:33 2560 ----a-w- c:\documents and settings\all users\application data\microsoft\usmt\iconlib.dll
2012-03-10 04:09:53 -------- d-----w- c:\documents and settings\tammy\local settings\application data\Identities
2012-03-09 21:30:00 -------- d-----w- c:\windows\system32\wbem\repository\FS
2012-03-09 21:30:00 -------- d-----w- c:\windows\system32\wbem\Repository
2012-03-09 21:29:52 -------- d-----w- C:\d562a5c24b57aed0df56648fdfa8
2012-03-09 21:23:54 -------- d-----w- c:\windows\system32\LogFiles
2012-03-09 14:36:03 -------- d-----w- c:\documents and settings\tammy\application data\Malwarebytes
2012-03-09 14:35:29 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-03-09 13:49:32 -------- d-----w- c:\documents and settings\all users\application data\Norton
2012-03-09 13:49:20 -------- d-----w- c:\documents and settings\all users\application data\NortonInstaller
2012-03-08 17:56:10 -------- d-----w- c:\program files\Awakening - The Dreamless Castle
2012-03-08 17:50:29 -------- d-----w- c:\documents and settings\all users\application data\Big Fish Games
2012-03-08 17:50:09 -------- d-----w- c:\program files\bfgclient
2012-03-08 17:47:29 -------- d-----w- c:\documents and settings\all users\application data\BigFishGamesCache
2012-03-08 17:37:01 -------- d-sh--w- c:\documents and settings\tammy\IECompatCache
2012-03-08 17:33:27 -------- d-sh--w- c:\documents and settings\tammy\PrivacIE
2012-03-08 17:28:10 -------- d-sh--w- c:\documents and settings\tammy\IETldCache
2012-03-08 17:20:10 -------- d--h--w- c:\windows\ie8
2012-03-07 14:51:46 -------- d-----w- c:\documents and settings\tammy\application data\SUPERAntiSpyware.com
2012-03-07 14:49:34 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2012-03-06 22:55:53 -------- d-----w- c:\documents and settings\tammy\local settings\application data\Google
2012-03-06 22:46:14 -------- d-----w- c:\program files\common files\Java(2)
2012-03-06 22:42:31 21728 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-03-06 22:42:25 17632 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-03-06 22:42:21 15072 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-03-06 22:42:20 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-03-06 22:40:07 -------- d-sh--w- c:\documents and settings\tammy\UserData
.
==================== Find3M ====================
.
2012-03-26 01:33:46 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-04 00:04:08 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-02-04 00:04:04 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-02-03 08:22:18 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-01-09 15:20:26 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
.
============= FINISH: 23:11:11.97 ===============


aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-03-27 20:44:34
-----------------------------
20:44:34.228 OS Version: Windows 5.1.2600 Service Pack 3
20:44:34.228 Number of processors: 1 586 0x502
20:44:34.418 ComputerName: TAMMY-B259C05FD UserName: Tammy
20:44:46.906 Initialize success
20:50:08.899 AVAST engine defs: 12032702
20:51:08.075 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
20:51:08.185 Disk 0 Vendor: QUANTUM_FIREBALL_CX13.6A A3F.0B00 Size: 13066MB BusType: 3
20:51:08.275 Disk 0 MBR read successfully
20:51:08.305 Disk 0 MBR scan
20:51:12.341 Disk 0 Windows XP default MBR code
20:51:12.391 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 13060 MB offset 63
20:51:16.306 Disk 0 scanning sectors +26748225
20:51:17.608 Disk 0 scanning C:\WINDOWS\system32\drivers
20:52:03.564 Service scanning
20:52:54.267 Modules scanning
20:53:24.651 Disk 0 trace - called modules:
20:53:24.741 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll intelide.sys PCIIDEX.SYS
20:53:24.781 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x81265030]
20:53:24.901 3 CLASSPNP.SYS[fc4fcfd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x812a8030]
20:53:26.183 AVAST engine scan C:\WINDOWS
20:53:30.469 AVAST engine scan C:\WINDOWS\system32
20:59:51.908 AVAST engine scan C:\WINDOWS\system32\drivers
21:00:20.849 AVAST engine scan C:\Documents and Settings\Tammy
21:01:30.610 File: C:\Documents and Settings\Tammy\Local Settings\Application Data\Google\Update\1.3.21.111\GoogleCrashHandler.exe **INFECTED** Win32:Malware-gen
21:01:31.130 File: C:\Documents and Settings\Tammy\Local Settings\Application Data\Google\Update\1.3.21.111\GoogleUpdate.exe **INFECTED** Win32:Trojan-gen
21:01:38.541 File: C:\Documents and Settings\Tammy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe **INFECTED** Win32:Trojan-gen
21:01:59.822 File: C:\Documents and Settings\Tammy\Local Settings\Temp\_av4_\data\aswar0.dll **INFECTED** Win32:Malware-gen
21:02:01.174 File: C:\Documents and Settings\Tammy\Local Settings\Temp\_av4_\data\updldr0.bin **INFECTED** Win32:Malware-gen
21:04:08.527 AVAST engine scan C:\Documents and Settings\All Users
21:04:28.015 Scan finished successfully
21:05:13.630 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Tammy\My Documents\MBR.dat"
21:05:13.751 The log file has been saved successfully to "C:\Documents and Settings\Tammy\My Documents\aswMBR.txt"

Attached Files


Edited by Orange Blossom, 28 March 2012 - 12:10 AM.


BC AdBot (Login to Remove)

 


#2 THtweey

THtweey
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:AL
  • Local time:01:54 AM

Posted 28 March 2012 - 11:37 AM

Thank you! I won't do anything further until I am directed to do so then.

#3 nasdaq

nasdaq

  • Malware Response Team
  • 38,957 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:54 AM

Posted 31 March 2012 - 08:46 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • alternate download link 2
    • Make sure you are connected to the Internet.
    • Double-click on Download_mbam-setup.exe to install the application.
    • When the installation begins, follow the prompts and do not make any changes to default settings.
    • When installation has finished, make sure you leave both of these checked:[list]
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

Post back with the Malwarebytes Anti-Malware log once it's complete.

===

Third party programs if not up to date can be an open door for an infection

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some Rookit infection may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall
===

Please post the logs and let me know what problem persists.

#4 nasdaq

nasdaq

  • Malware Response Team
  • 38,957 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:54 AM

Posted 06 April 2012 - 09:54 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users