Cleaned out sirefef.dt, combofix says taskman.exe is infected


  • This topic is locked
5 replies to this topic

#1 sgc_meltdown


Posted 21 June 2012 - 12:58 PM

Hi, I need to know if my system is still at risk or if this is just an anomalous message.

Some context:
Nod32 detected sirefef.dt/win32 variant, I cleaned most of it out but one instance remained in svchost.exe which could not be removed by the antivirus.

I googled and found a similar topic in this forum where the use of combofix was required, so downloaded it from the posted link and ran it.

It found an (I'm paraphrasing) 'troublesome rootkit embedded in the tcp-ip stack' at first but it was removed after the first scan, except a log entry about taskman.exe being infected. I ran combofix again, and here are the log results for the second run.

And just for the heck of it I sent taskman.exe to virustotal but none of their scanners picked up anything. So, is my system in the clear yet? :)



ComboFix 12-06-21.02 - Meltdown 06/22/2012 1:43.2.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2651 [GMT 8:00]
Running from: c:\documents and settings\Meltdown\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 5.2 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\TASKMAN.EXE . . . is infected!!
.
.
((((((((((((((((((((((((( Files Created from 2012-05-21 to 2012-06-21 )))))))))))))))))))))))))))))))
.
.
2012-06-21 17:21 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2012-06-21 17:16 . 2008-04-13 18:40 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2012-06-21 17:13 . 2008-04-13 18:41 52352 ----a-w- c:\windows\system32\drivers\Volsnap.sys
2012-06-21 16:25 . 2012-06-21 16:25 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\ESET
2012-06-21 16:23 . 2012-06-21 16:23 -------- d-----w- c:\documents and settings\Meltdown\Local Settings\Application Data\ESET
2012-06-21 16:20 . 2012-06-21 16:20 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2012-06-21 16:19 . 2012-06-21 16:22 -------- d-----w- c:\program files\Nod32
2012-06-21 15:44 . 2012-06-21 15:44 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2012-06-08 22:07 . 2012-06-08 22:07 -------- d-----w- c:\documents and settings\Meltdown\Application Data\capy
2012-05-26 06:39 . 2012-05-26 06:39 -------- d-----w- c:\documents and settings\Meltdown\Local Settings\Application Data\Activision
2012-05-23 06:05 . 2012-05-23 06:05 -------- d-----w- c:\documents and settings\Meltdown\Application Data\com.cipherprime.auditorium
2012-05-22 20:16 . 2012-05-22 20:16 -------- d-----w- c:\documents and settings\Meltdown\Local Settings\Application Data\Freelancer
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-21 15:48 . 2012-04-20 17:14 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-21 15:48 . 2012-04-20 17:14 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-04-03 22:11 . 2012-04-03 22:11 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-04-03 22:11 . 2010-10-23 19:16 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-03-26 21:03 . 2012-03-26 21:03 444952 ----a-w- c:\windows\system32\wrap_oal.dll
2012-03-26 21:03 . 2012-03-26 21:03 109080 ----a-w- c:\windows\system32\OpenAL32.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-06-21_17.23.02 )))))))))))))))))))))))))))))))))))))))))
.
- 2004-08-04 11:00 . 2012-06-21 17:02 82328 c:\windows\system32\perfc009.dat
+ 2004-08-04 11:00 . 2012-06-21 17:27 82328 c:\windows\system32\perfc009.dat
+ 2004-08-04 11:00 . 2012-06-21 17:27 490544 c:\windows\system32\perfh009.dat
- 2004-08-04 11:00 . 2012-06-21 17:02 490544 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2010-10-23 94208]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-13 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-13 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-13 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-13 455168]
"cFosSpeed"="c:\program files\cFosSpeed\cFosSpeed.exe" [2009-02-11 876760]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-05 500208]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-21 406992]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-04-19 98304]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"egui"="c:\program files\Nod32\egui.exe" [2012-03-07 3117344]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2008-04-14 99840]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech SetPoint\SetPoint.exe [2009-10-31 573440]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"HideRunAsVerb"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoSMMyDocs"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"MaxRecentDocs"= 18 (0x12)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"NoSMMyDocs"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"StartMenuLogoff"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"f:\\Games\\Steam\\Steam.exe"=
"f:\\Games\\Civ 4\\Civilization4.exe"=
"f:\\Games\\Civ 4\\Warlords\\Civ4Warlords.exe"=
"f:\\Games\\Civ 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"f:\\Games\\World in Conflict\\wic.exe"=
"f:\\Games\\World in Conflict\\wic_online.exe"=
"f:\\Games\\World in Conflict\\wic_ds.exe"=
"f:\\Games\\Mass Effect 2\\Binaries\\MassEffect2.exe"=
"f:\\Games\\Mass Effect 2\\MassEffect2Launcher.exe"=
"f:\\Games\\Anno 1404\\tools\\AddonWeb.exe"=
"f:\\Games\\Anno 1404\\tools\\Anno4Web.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\Revo Uninstaller Pro\\RevoUninPro.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"f:\\Games\\Bulletstorm\\Binaries\\Win32\\ShippingPC-StormGame.exe"=
"c:\\Program Files\\Charon\\Charon.exe"=
"f:\\Games\\FrozenSynapse\\FrozenSynapse.exe"=
"f:\\Games\\SRow3\\saintsrowthethird.exe"=
"f:\\Games\\Steam\\steamapps\\common\\serious sam hd the first encounter\\Bin\\SamHD.exe"=
"f:\\Games\\Steam\\steamapps\\common\\serious sam hd the first encounter\\Bin\\SamHD_Demo.exe"=
"f:\\Games\\RoL\\legends.exe"=
"f:\\Games\\AZMD\\Binaries\\Win32\\ShippingPC-Bzb2Game.exe"=
"f:\\Games\\Steam\\steamapps\\common\\hoard\\win32\\Reuben.exe"=
"f:\\Games\\Steam\\steamapps\\common\\nation red\\NationRed.exe"=
"f:\\Games\\DS\\DeSmuME.exe"=
"f:\\Games\\EYEDC\\EYE.exe"=
"f:\\Games\\Steam\\steamapps\\common\\ai war fleet command\\AIWar.exe"=
"f:\\Games\\Steam\\steamapps\\common\\dungeons of dredmor\\Dungeons of Dredmor.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
.
R0 phylock;phylock;c:\windows\system32\drivers\phylock.sys [2/25/2012 1:28 AM 21344]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [11/4/2009 2:15 AM 685816]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [3/14/2012 8:40 AM 120152]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [3/14/2012 8:40 AM 104160]
R2 ekrn;ESET Service;c:\program files\Nod32\ekrn.exe [3/7/2012 3:40 PM 913144]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [12/25/2011 2:44 AM 27064]
S3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 1:37 PM 517096]
S3 TBIMount;TBIMount;c:\windows\system32\drivers\TBIMount.sys [2/25/2012 1:28 AM 87648]
S4 PuranDefrag;PuranDefrag;c:\windows\system32\PuranDefragS.exe [2/16/2012 4:41 AM 258048]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
TCP: DhcpNameServer = 218.186.2.16 218.186.1.58 218.186.2.6
FF - ProfilePath - c:\documents and settings\Meltdown\Application Data\Mozilla\Firefox\Profiles\v5lh8hir.default\
FF - prefs.js: browser.search.selectedEngine - Surf Canyon
FF - prefs.js: browser.startup.homepage - hxxp://start.mozilla.org/en-US/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?&q=
FF - prefs.js: network.proxy.ftp - 91.93.37.58
FF - prefs.js: network.proxy.ftp_port - 8080
FF - prefs.js: network.proxy.gopher - 91.93.37.58
FF - prefs.js: network.proxy.gopher_port - 8080
FF - prefs.js: network.proxy.http - 91.93.37.58
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.socks - 91.93.37.58
FF - prefs.js: network.proxy.socks_port - 8080
FF - prefs.js: network.proxy.ssl - 91.93.37.58
FF - prefs.js: network.proxy.ssl_port - 8080
FF - prefs.js: network.proxy.type - 0
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
FF - Ext: Flashblock: {3d7eb24f-2740-49df-8937-200b1cc08f8a} - %profile%\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}
FF - Ext: SmoothWheel (mozdev.org): {5F590AA2-1221-4113-A6F4-A4BB62414FAC} - %profile%\extensions\{5F590AA2-1221-4113-A6F4-A4BB62414FAC}
FF - Ext: SmoothWheel (AMO): {5F590AA2-1221-4113-A6F4-A4BB62414FAC} - %profile%\extensions\{5F590AA2-1221-4113-A6F4-A4BB62414FAC}
FF - Ext: Popup ALT Attribute: {61FD08D8-A2CB-46c0-B36D-3F531AC53C12} - %profile%\extensions\{61FD08D8-A2CB-46c0-B36D-3F531AC53C12}
FF - Ext: FireFTP: {a7c6cf7f-112c-4500-a7ea-39801a327e5f} - %profile%\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
FF - Ext: Locationbar²: locationbar2@design-noir.de - %profile%\extensions\locationbar2@design-noir.de
FF - Ext: Stylish: {46551EC9-40F0-4e47-8E18-8E5CF550CFB8} - %profile%\extensions\{46551EC9-40F0-4e47-8E18-8E5CF550CFB8}
FF - Ext: Fasterfox Lite: FasterFox_Lite@BigRedBrent - %profile%\extensions\FasterFox_Lite@BigRedBrent
FF - Ext: Multiproxy Switch: {BB080420-8088-F650-3D47-13799CCD6159} - %profile%\extensions\{BB080420-8088-F650-3D47-13799CCD6159}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 200000
FF - user.js: content.notify.interval - 100000
FF - user.js: content.switch.threshold - 650000
FF - user.js: nglayout.initialpaint.delay - 300
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-06-22 01:45
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1482476501-1326574676-725345543-500\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
.
[HKEY_USERS\S-1-5-21-1482476501-1326574676-725345543-500\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"??"=hex:f8,15,2b,4a,38,4c,b1,64,f1,38,b6,02,fc,3f,41,cc,e4,34,84,1a,fe,a6,60,
bf,c4,5a,19,f7,6c,62,28,09,16,8a,b6,66,96,78,fb,57,de,6a,8a,ac,d9,e0,48,a1,\
"??"=hex:a1,40,4d,d6,e1,bc,65,31,25,2f,92,55,f3,52,bb,5f
.
[HKEY_USERS\S-1-5-21-1482476501-1326574676-725345543-500\Software\SecuROM\License information*]
"datasecu"=hex:58,c1,c1,05,87,d0,4c,9a,51,d6,f6,63,f4,9a,7d,0c,d1,e3,2c,69,ed,
93,ee,25,38,42,64,bb,20,42,a4,00,56,11,54,e6,7a,0c,fa,54,be,2f,af,d0,9d,35,\
"rkeysecu"=hex:ff,e2,59,82,89,5e,d1,91,3c,ea,82,c4,0c,76,24,45
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1228)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
.
- - - - - - - > 'explorer.exe'(3844)
c:\program files\Logitech SetPoint\GameHook.dll
c:\program files\Logitech SetPoint\lgscroll.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2012-06-22 01:46:08
ComboFix-quarantined-files.txt 2012-06-21 17:46
ComboFix2.txt 2012-06-21 17:24
.
Pre-Run: 696,131,584 bytes free
Post-Run: 683,294,720 bytes free
.
- - End Of File - - 7F651A36CA287BA5DA055D079BF700B9



#2 sgc_meltdown


Posted 21 June 2012 - 05:37 PM

Also, here are my GMER and DDS logs post-ComboFix. Thanks again!

Attached Files



#3 bloopie

  • Malware Response Team

Posted 24 June 2012 - 04:23 PM

Hello sgc_meltdown and welcome to BC!!! :thumbsup:

My name is bloopie and I'll be helping you with your problems as best I can! :thumbup2:

No, your machine is not yet fully cleaned! Please review the following and report back!:

==========

A few things to keep in mind while we are working together:

  • If you have since resolved the original problem you were having, I would appreciate it if you let me know.
  • If you are unsure about any of the steps just post what you can and I will guide you!
  • Please tell me if you have your original Windows CD/DVD available!
  • If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • Upon completing the steps below I will review your topic and do my best to resolve your issues.
  • If you have already posted a DDS log, please do so again, as your situation may have changed.

==========

Step 1:

I see you have run Combofix before I started helping you. Please post that log in addition to the below steps! The log can be found at C:\Qoobox\Combofix2.txt

==========

Step 2:

I need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links.. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results. And attach.txt will be minimized.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

==========

Step 3:

I also need a new log from the GMER anti-rootkit Scanner, please also do the following:

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


==========

What I would like to see in your next reply!

  • The combofix2.txt log
  • The DDS log
  • The minimized attach.txt from the DDS scan
  • The GMER log

Some additional questions:

And just for the heck of it I sent taskman.exe to virustotal but none of their scanners picked up anything. So, is my system in the clear yet? :)

Could you please show me those results? Link the results by right-clicking on the URL of the results page, copy and paste it here.

Did you manually set any proxy servers?
In what part of the world are you located?

bloopie
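As an added example, not part of the original thread or of ComboFix itself, the following Python script reads the two parts of the posted log that prompted bloopie's questions: the "is infected!!" line for TASKMAN.EXE and the Firefox network.proxy.* entries pointing at 91.93.37.58. The sample input is constructed from the log above; the Firefox network.proxy.type values (only 1 means the manual host entries are in use) are standard Firefox semantics.

```python
import re
from typing import Dict, List

# Constructed sample: a few lines in ComboFix's log format, modelled on the
# "Other Deletions" and "Supplementary Scan" sections of the log posted above.
SAMPLE_LOG = """\
c:\\windows\\TASKMAN.EXE . . . is infected!!
FF - prefs.js: browser.startup.homepage - hxxp://start.mozilla.org/en-US/
FF - prefs.js: network.proxy.http - 91.93.37.58
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.socks - 91.93.37.58
FF - prefs.js: network.proxy.socks_port - 8080
FF - prefs.js: network.proxy.type - 0
FF - user.js: nglayout.initialpaint.delay - 300
"""

PREF_RE = re.compile(r"^FF - (?:prefs|user)\.js: (\S+) - (.*)$")
INFECTED_RE = re.compile(r"^(.+?) \. \. \. is infected!!$")
PROXY_HOST_RE = re.compile(r"^network\.proxy\.(http|ssl|ftp|socks|gopher)$")

# Firefox network.proxy.type: only 1 makes the manual network.proxy.* hosts active.
PROXY_TYPES = {"0": "direct (no proxy)", "1": "manual proxy", "2": "PAC script",
               "4": "auto-detect (WPAD)", "5": "system proxy"}


def parse_ff_prefs(log_text: str) -> Dict[str, str]:
    """Collect the 'FF - prefs.js' / 'FF - user.js' entries into a dict."""
    prefs: Dict[str, str] = {}
    for line in log_text.splitlines():
        m = PREF_RE.match(line.strip())
        if m:
            prefs[m.group(1)] = m.group(2).strip()
    return prefs


def infected_files(log_text: str) -> List[str]:
    """Paths ComboFix reported as '... is infected!!'."""
    return [m.group(1) for m in
            (INFECTED_RE.match(l.strip()) for l in log_text.splitlines()) if m]


def proxy_findings(prefs: Dict[str, str]) -> List[str]:
    """Flag manual proxy hosts and state whether Firefox is actually using them."""
    findings: List[str] = []
    hosts = sorted({v for k, v in prefs.items() if PROXY_HOST_RE.match(k)})
    if not hosts:
        return findings
    ptype = prefs.get("network.proxy.type", "unknown")
    mode = PROXY_TYPES.get(ptype, f"unknown type {ptype}")
    state = "ACTIVE" if ptype == "1" else "not active"
    findings.append(f"manual proxy host(s) {', '.join(hosts)} configured; "
                    f"network.proxy.type={ptype} ({mode}) so they are {state}")
    return findings


def triage(log_text: str) -> List[str]:
    """Points a helper would ask the poster about, as a list of strings."""
    report = [f"ComboFix flagged as infected: {p}" for p in infected_files(log_text)]
    report.extend(proxy_findings(parse_ff_prefs(log_text)))
    return report


if __name__ == "__main__":
    for line in triage(SAMPLE_LOG):
        print(line)
```

A proxy that is configured but inactive (type 0, as in this log) still deserves the "did you set this yourself?" question, since the entries survive a later change of proxy mode.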

#4 sgc_meltdown


Posted 24 June 2012 - 07:42 PM

Hello bloopie, thank you very much for your reply, but I think I've solved the problem in the past few days. :) I've kept the required logs though and will follow up if something does turn up. Thanks again!

#5 bloopie

  • Malware Response Team

Posted 24 June 2012 - 08:52 PM

Hi again,

Thank you very much for letting us know!! :thumbsup:

Indeed, if you still have problems please let me/us know!

Best regards,

bloopie

#6 Elise

  • Malware Study Hall Admin

Posted 24 June 2012 - 11:51 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

regards, Elise

