
Infected With Win32/Alureon.FV


This topic is locked
38 replies to this topic

#1 Tom Ketch

Tom Ketch

  • Members
  • 35 posts
  • OFFLINE
  • Local time:12:27 PM

Posted 20 March 2013 - 11:07 AM

Stemmed from an attempt to install Microsoft Security Essentials, leading to Microsoft Installer not working. All the normal attempts at activating via MSIexec/regserver and reinstallation did not work.

 

Ran Microsoft Security Scanner which found and removed Java/Blacole.FK, JAVA/CVE-2010-8040, JAVA/CVE-2011-3544, JAVA/CVE-2012-0507, and JAVA/CVE-2012-1723.

 

Afterward, still unable to get MSE to install.

 

This morning I ran the newest version of MS Safety Scanner, which found the following:

Malware                           Results

Trojan:Win32/Alureon.FV           Partially removed, manual steps required

Exploit:Java/CVE-2013-0422        Removed

Trojan:JS/Iframe.BC               Removed

Trojan:Win32/FakeSysdef           Removed

 

I'm assuming from the results message that there is stuff left to do and that this virus might not be gone. Attempted Kaspersky TDSSKiller on advice from your site. It scanned 316 objects and found no threats.

 

Still can't get Microsoft Installer to work:

 

DDS:

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 10.17.2
Run by TK at 9:41:05 on 2013-03-20
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3327.1945 [GMT -6:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
============== Running Processes ================
.
I:\WINDOWS\system32\Ati2evxx.exe
I:\WINDOWS\system32\Ati2evxx.exe
I:\WINDOWS\system32\spoolsv.exe
i:\program files\idt\5902xp_6033v_012208\wdm\STacSV.exe
I:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
I:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe
I:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
I:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
I:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
I:\Program Files\Java\jre7\bin\jqs.exe
I:\Program Files\Common Files\LightScribe\LSSrvc.exe
I:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
I:\Program Files\Microsoft SQL Server\MSSQL$ALAMODE\Binn\sqlservr.exe
i:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
i:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
I:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
I:\WINDOWS\system32\SearchIndexer.exe
I:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
I:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
I:\WINDOWS\System32\alg.exe
I:\WINDOWS\Explorer.EXE
I:\Program Files\IDT\WDM\sttray.exe
I:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
I:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
I:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
I:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
I:\Program Files\a la mode\Sched\eSched.exe
I:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe
I:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
I:\Program Files\QuickTime\QTTask.exe
I:\Program Files\Common Files\Java\Java Update\jusched.exe
I:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
I:\WINDOWS\system32\ctfmon.exe
I:\Program Files\AnVir Task Manager\anvir.exe
I:\Program Files\Windows Desktop Search\WindowsSearch.exe
I:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
I:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
I:\WINDOWS\system32\dllhost.exe
I:\WINDOWS\system32\msdtc.exe
I:\Program Files\Microsoft\BingBar\7.1.361.0\SeaPort.exe
I:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
i:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
I:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrobat.exe
I:\Program Files\ATC\Trader 3.5\Trader.exe
I:\DATA\TK_Trader\OECTest_Mark77\TK_OECTest.exe
I:\WINDOWS\system32\ntvdm.exe
I:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
I:\Program Files\Microsoft Office\Office12\EXCEL.EXE
I:\WINDOWS\System32\vssvc.exe
I:\WINDOWS\system32\dllhost.exe
I:\Program Files\Internet Explorer\iexplore.exe
I:\Program Files\Internet Explorer\iexplore.exe
I:\Program Files\Microsoft Office\Office12\WINWORD.EXE
I:\Program Files\Internet Explorer\iexplore.exe
I:\WINDOWS\system32\SearchProtocolHost.exe
I:\WINDOWS\system32\SearchFilterHost.exe
I:\WINDOWS\system32\wbem\wmiprvse.exe
I:\WINDOWS\system32\svchost.exe -k DcomLaunch
I:\WINDOWS\system32\svchost.exe -k rpcss
I:\WINDOWS\System32\svchost.exe -k netsvcs
I:\WINDOWS\system32\svchost.exe -k NetworkService
I:\WINDOWS\system32\svchost.exe -k LocalService
I:\WINDOWS\system32\svchost.exe -k LocalService
I:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uURLSearchHooks: YouTube Downloader Toolbar: {F3FEE66E-E034-436a-86E4-9690573BEE8A} - i:\program files\youtube downloader toolbar\ie\5.4\youtubedownloaderToolbarIE.dll
uURLSearchHooks: NetAssistant: {E38FA08E-F56A-4169-ABF5-5C71E3C153A1} - i:\program files\freeze.com\netassistant\NetAssistant.dll
uURLSearchHooks: YTNavAssistPlugin Class: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - i:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478D38-C3F9-4efb-9B51-7695ECA05670} - i:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - i:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Bing Bar Helper: {1dad3af3-ef2f-4f64-ac4b-11789189fcb6} - i:\program files\microsoft\bingbar\7.1.361.0\BingExt.dll
BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -
BHO: BetterLinks: {6921710F-6AC6-4113-8AE6-82A1660EBB09} - i:\program files\betterlinks\BetterLinks.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - i:\program files\java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - i:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - i:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - i:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - i:\program files\google\googletoolbarnotifier\5.7.8313.1002\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - i:\program files\java\jre7\bin\jp2ssv.dll
BHO: NetAssistant: {E38FA08E-F56A-4169-ABF5-5C71E3C153A1} - i:\program files\freeze.com\netassistant\NetAssistant.dll
BHO: YouTube Downloader Toolbar: {F3FEE66E-E034-436a-86E4-9690573BEE8A} - i:\program files\youtube downloader toolbar\ie\5.4\youtubedownloaderToolbarIE.dll
BHO: SingleInstance Class: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - i:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - i:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - i:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - i:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - i:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: YouTube Downloader Toolbar: {F3FEE66E-E034-436a-86E4-9690573BEE8A} - i:\program files\youtube downloader toolbar\ie\5.4\youtubedownloaderToolbarIE.dll
TB: Bing Bar: {eec0f710-38b5-4aba-99bf-ec87564a4e13} -
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - i:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: Adobe PDF: {182EC0BE-5110-49C8-A062-BEB1D02A220B} - i:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [LightScribe Control Panel] i:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [ctfmon.exe] i:\windows\system32\ctfmon.exe
uRun: [AnVir Task Manager] "i:\program files\anvir task manager\anvir.exe" Minimized
uRun: [swg] "i:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [SysTrayApp] i:\program files\idt\wdm\sttray.exe
mRun: [StartCCC] "i:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [Acrobat Assistant 8.0] "i:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [TrueImageMonitor.exe] i:\program files\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [Acronis Scheduler2 Service] "i:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [The Assistant] "i:\program files\a la mode\sched\eSched.exe"
mRun: [EEventManager] i:\progra~1\epsons~1\eventm~1\EEventManager.exe
mRun: [APSDaemon] "i:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [Carbonite Backup] i:\program files\carbonite\carbonite backup\CarboniteUI.exe
mRun: [QuickTime Task] "i:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "i:\program files\common files\java\java update\jusched.exe"
dRun: [DWQueuedReporting] "i:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: i:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - i:\program files\windows desktop search\WindowsSearch.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: Append to existing PDF - i:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - i:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - i:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - i:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - i:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - i:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - i:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - i:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - i:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - i:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - i:\program files\messenger\msmsgs.exe
.
INFO: HKLM has more than 50 listed domains.
   If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/_layouts/ClientBin/ieawsdc32.cab
DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://www.sitecheck.com/upload/ImageUploader5.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1363114587156
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1363114820296
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {A7DB6550-3269-11D4-8C30-0001023CA9DC} - hxxps://vault.alamode.com/cab/vfd.cab
DPF: {CD27EEF6-55B8-4F24-99C5-E1191D814445} - file:///I:/a%20la%20mode/WinTOTAL/Content/cabs/alaWeb5.CAB
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{292C0DC0-0F05-4161-8E7C-537F0F07C632} : DHCPNameServer = 75.75.75.75 75.75.76.76
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - i:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - i:\program files\windows desktop search\MSNLNamespaceMgr.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "i:\program files\common files\lightscribe\LSRunOnce.exe"
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "i:\program files\google\chrome\application\25.0.1364.172\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
================= FIREFOX ===================
.
FF - ProfilePath - i:\documents and settings\tk\application data\mozilla\firefox\profiles\dtr2auh1.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=CYB4DF&PC=CYB4&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=937811&p=
FF - component: i:\program files\microsoft\search enhancement pack\search helper\firefoxextension\searchhelperextension\components\SEPsearchhelperff.dll
FF - component: i:\program files\msn toolbar\platform\5.0.1423.0\firefox\components\DomBridge.dll
FF - plugin: i:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: i:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: i:\program files\microsoft\office live\npOLW.dll
FF - plugin: i:\program files\msn toolbar\platform\5.0.1423.0\npwinext.dll
FF - plugin: i:\program files\windows live\photo gallery\NPWLPG.dll
.
============= SERVICES / DRIVERS ===============
.
R0 tdrpman258;Acronis Try&Decide and Restore Points filter (build 258);i:\windows\system32\drivers\tdrpm258.sys [2010-12-1 911680]
R2 afcdpsrv;Acronis Nonstop Backup service;i:\program files\common files\acronis\cdp\afcdpsrv.exe [2010-12-1 2480048]
R2 IntuitUpdateServiceV4;Intuit Update Service v4;i:\program files\common files\intuit\update service v4\IntuitUpdateService.exe [2012-8-23 13672]
R2 MSSQL$ALAMODE;MSSQL$ALAMODE;i:\program files\microsoft sql server\mssql$alamode\binn\sqlservr.exe [2005-5-4 9158656]
R3 afcdp;afcdp;i:\windows\system32\drivers\afcdp.sys [2010-12-1 160704]
R3 BBUpdate;BBUpdate;i:\program files\microsoft\bingbar\7.1.361.0\SeaPort.EXE [2012-2-10 240408]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;i:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S1 MpFilter;Microsoft Malware Protection Driver;i:\windows\system32\drivers\mpfilter.sys --> i:\windows\system32\drivers\MpFilter.sys [?]
S1 MpKsl24b0fa41;MpKsl24b0fa41;\??\i:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{9e09e290-b022-4892-bc8e-5163078df532}\mpksl24b0fa41.sys --> i:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{9e09e290-b022-4892-bc8e-5163078df532}\MpKsl24b0fa41.sys [?]
S1 MpKsl6d31ba17;MpKsl6d31ba17;\??\i:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{93a7e235-7347-4e91-8a65-fa2b673a98bb}\mpksl6d31ba17.sys --> i:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{93a7e235-7347-4e91-8a65-fa2b673a98bb}\MpKsl6d31ba17.sys [?]
S1 MpKsl7bbc14b1;MpKsl7bbc14b1;\??\i:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{18a97571-1972-4c70-963e-b021151c9695}\mpksl7bbc14b1.sys --> i:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{18a97571-1972-4c70-963e-b021151c9695}\MpKsl7bbc14b1.sys [?]
S2 BBSvc;BingBar Service;i:\program files\microsoft\bingbar\7.1.361.0\BBSvc.EXE [2012-2-10 193816]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;i:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 Application Updater;Application Updater;i:\program files\application updater\ApplicationUpdater.exe [2012-4-12 784792]
S3 CFcatchme;CFcatchme;\??\i:\docume~1\tk\locals~1\temp\cfcatchme.sys --> i:\docume~1\tk\locals~1\temp\CFcatchme.sys [?]
S3 PLTurbh;Prolific turbo filter driver for hdd;i:\windows\system32\drivers\plturbh.sys [2010-3-21 16384]
S3 PLTurbo;Prolific turbo filter driver for odd;i:\windows\system32\drivers\plturbo.sys [2010-3-21 16640]
S3 SQLAgent$ALAMODE;SQLAgent$ALAMODE;i:\program files\microsoft sql server\mssql$alamode\binn\sqlagent.EXE [2005-5-3 323584]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;i:\program files\microsoft sql server\100\shared\sqladhlp.exe [2009-7-22 47128]
S4 RsFx0103;RsFx0103 Driver;i:\windows\system32\drivers\RsFx0103.sys [2009-3-30 239336]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);i:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2010-9-17 370008]
.
=============== File Associations ===============
.
FileExt: .scr: AutoCADScript=i:\windows\NOTEPAD.EXE "%1"
.
=============== Created Last 30 ================
.
2013-03-12 19:01:58 12928 -c----w- i:\windows\system32\dllcache\usb8023x.sys
2013-03-11 20:25:07 -------- d-----w- i:\documents and settings\tk\local settings\application data\Sun
2013-03-10 16:02:03 143872 ----a-w- i:\windows\system32\javacpl.cpl
2013-03-10 16:02:02 861088 ----a-w- i:\windows\system32\npDeployJava1.dll
2013-03-10 16:01:45 94112 ----a-w- i:\windows\system32\WindowsAccessBridge.dll
2013-03-10 09:16:34 -------- d-----w- i:\windows\system32\wbem\repository\FS
2013-03-10 09:16:34 -------- d-----w- i:\windows\system32\wbem\Repository
2013-03-10 08:49:56 -------- d-----w- i:\windows\system32\CatRoot2
2013-03-10 02:13:41 -------- d-----w- i:\documents and settings\tk\application data\ElevatedDiagnostics
2013-03-10 01:24:59 2538 ----a-w- I:\FixitRegBackup.reg
.
==================== Find3M  ====================
.
2013-03-13 02:10:40 693976 ----a-w- i:\windows\system32\FlashPlayerApp.exe
2013-03-13 02:10:39 73432 ----a-w- i:\windows\system32\FlashPlayerCPLApp.cpl
2013-03-10 16:01:26 782240 ----a-w- i:\windows\system32\deployJava1.dll
2013-02-12 00:32:23 12928 ----a-w- i:\windows\system32\drivers\usb8023.sys
2013-02-05 20:05:47 916480 ----a-w- i:\windows\system32\wininet.dll
2013-02-05 20:05:46 43520 ----a-w- i:\windows\system32\licmgr10.dll
2013-02-05 20:05:46 1469440 ------w- i:\windows\system32\inetcpl.cpl
2013-02-05 05:53:57 385024 ----a-w- i:\windows\system32\html.iec
2013-01-26 03:55:44 552448 ----a-w- i:\windows\system32\oleaut32.dll
2013-01-07 01:19:45 2148864 ----a-w- i:\windows\system32\ntoskrnl.exe
2013-01-07 00:37:01 2027520 ----a-w- i:\windows\system32\ntkrnlpa.exe
2013-01-04 01:20:00 1867264 ----a-w- i:\windows\system32\win32k.sys
2013-01-02 06:49:10 148992 ----a-w- i:\windows\system32\mpg2splt.ax
2013-01-02 06:49:10 1292288 ----a-w- i:\windows\system32\quartz.dll
.
============= FINISH:  9:41:24.79 ===============
 

 

Attach:

Attached Files
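As an added illustration (not part of the thread, and not a DDS or BleepingComputer tool): a small Python triage script that parses a few constructed lines in the shape of the DDS output above and flags what a helper looks for first. It reports a service or driver registration whose `-->` redirect ends in `[?]` rather than a date and size (which I read as DDS being unable to find the file), a driver loaded from a temp directory, and one AV product registered under two Security Center GUIDs, as with the two Security Essentials lines above. The R/S prefixes are taken to mean running/stopped and the `[?]` reading is my assumption; the sample lines are constructed, not the full log.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of DDS output (a few lines modelled on the
# log above, not the full log).
SAMPLE_DDS = r"""
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
R0 tdrpman258;Acronis Try&Decide and Restore Points filter (build 258);i:\windows\system32\drivers\tdrpm258.sys [2010-12-1 911680]
S1 MpFilter;Microsoft Malware Protection Driver;i:\windows\system32\drivers\mpfilter.sys --> i:\windows\system32\drivers\MpFilter.sys [?]
S3 CFcatchme;CFcatchme;\??\i:\docume~1\tk\locals~1\temp\cfcatchme.sys --> i:\docume~1\tk\locals~1\temp\CFcatchme.sys [?]
S3 PLTurbh;Prolific turbo filter driver for hdd;i:\windows\system32\drivers\plturbh.sys [2010-3-21 16384]
"""

# "AV: <product> *<status>* {<GUID>}"  (Security Center registration)
AV_RE = re.compile(r"^AV: (?P<product>.+?) \*(?P<status>[^*]+)\* \{(?P<guid>[0-9A-Fa-f-]+)\}$")
# "<R|S><n> <name>;<description>;<path>[ --> <resolved path>] [<date size>|?]"
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.*?) \[(?P<info>[^\]]*)\]$"
)


def parse_dds(text):
    """Return (av_entries, service_entries) parsed from DDS-style text."""
    av, services = [], []
    for line in text.splitlines():
        line = line.strip()
        m = AV_RE.match(line)
        if m:
            av.append(m.groupdict())
            continue
        m = SERVICE_RE.match(line)
        if m:
            entry = m.groupdict()
            # "a --> b" is DDS resolving the registry path to the file it looked for;
            # keep the resolved form.  R = running, S = stopped (assumed DDS notation).
            entry["resolved"] = entry["path"].split(" --> ")[-1]
            entry["running"] = entry["start"].startswith("R")
            services.append(entry)
    return av, services


def triage(text):
    """Flag the three patterns a first pass over a DDS log usually cares about."""
    av, services = parse_dds(text)
    findings = {"missing_file": [], "temp_location": [], "duplicate_av": {}}
    for s in services:
        # "[?]" instead of "[date size]": DDS could not stat the file the
        # registration points at (assumption: file gone or hidden).
        if s["info"].strip() == "?":
            findings["missing_file"].append(s["name"])
        # Kernel drivers normally live under system32\drivers; a temp directory
        # is worth a question whatever the name says.
        if "\\temp\\" in s["resolved"].lower():
            findings["temp_location"].append(s["name"])
    by_product = defaultdict(list)
    for a in av:
        by_product[a["product"]].append(a["guid"])
    # One product under two GUIDs is the stale-registration case the thread hits.
    findings["duplicate_av"] = {p: g for p, g in by_product.items() if len(g) > 1}
    return findings


if __name__ == "__main__":
    for category, items in triage(SAMPLE_DDS).items():
        print(f"{category}: {items}")
```

On the constructed sample the script lists MpFilter and CFcatchme as registrations with no file behind them, CFcatchme as the one living in a temp directory, and Security Essentials as registered twice. That is a starting list of questions for the helper, not a verdict: the MpKsl*/MpFilter entries in the real log belong to Security Essentials, and the duplicate registration is what the later SecCenter:: script in this thread is aimed at.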





#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,202 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:27 PM

Posted 21 March 2013 - 09:37 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===
Please download ComboFix from one of these locations:
Link 1
Link 2
IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some Rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.
  • **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
whatnext.png
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall.

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program, all you need to do is restart the computer to reset the registry.
===

Third party programs, if not up to date, can be the cause of infiltration and infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Search and delete the AdWare, PUP (Potentially Unwanted Program) installed on your computer.

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on the Delete tab and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Rn].txt (n is a number).
  • Please post the logs and let me know what problem persists.


#3 Tom Ketch

Tom Ketch
  • Topic Starter
  • Members
  • 35 posts
  • OFFLINE
  • Local time:12:27 PM

Posted 21 March 2013 - 11:50 AM

Followed your last instructions: ComboFix produced a warning that "Microsoft Security Essentials" was installed and should be disabled before continuing. However, I don't believe it to be installed and I couldn't find it either through msconfig startup or from the control panel security settings.

 

Proceeded anyway and ComboFix immediately found the ZeroAccess Rootkit and rebooted with successful completion.

 

Also loaded AdwCleaner.

 

Results: "combofix.txt" and "adwclearnerS1.txt" are attached.

 

Haven't tried to update MS Security essentials again.  Should I?

 

Getting a security alert message: "You are about to leave a secure internet connection. It will be possible for others to view information you send" --- "Do you want to continue?" every time I go to another page. I've disabled the message.

 

Thanks,

 

 

Attached Files



#4 Tom Ketch

Tom Ketch
  • Topic Starter
  • Members
  • 35 posts
  • OFFLINE
  • Local time:12:27 PM

Posted 21 March 2013 - 12:20 PM

BTW:

 

Didn't include the info from checkup.txt; here it is:

 

Results of screen317's Security Check version 0.99.61 
 Windows XP Service Pack 3 x86  
 Internet Explorer 8 
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled! 
Microsoft Security Essentials  
 Antivirus up to date! (On Access scanning disabled!)
`````````Anti-malware/Other Utilities Check:`````````
 Java 7 Update 17 
 Adobe Flash Player 10 Flash Player out of Date!
 Mozilla Firefox (3.6) Firefox out of Date! 
 Google Chrome 25.0.1364.152 
 Google Chrome 25.0.1364.172 
````````Process Check: objlist.exe by Laurent```````` 
`````````````````System Health check`````````````````
 Total Fragmentation on Drive I:: 10%
````````````````````End of Log``````````````````````
 



#5 nasdaq

nasdaq

  • Malware Response Team
  • 39,202 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:27 PM

Posted 21 March 2013 - 01:33 PM

 
Open notepad and copy/paste the text in the quote box below into it:
 
Folder::
i:\program files\Application Updater
 
Driver::
MpKsl24b0fa41
MpKsl6d31ba17
MpKsl7bbc14b1
CFcatchme
 
ClearJavaCache::
 
 
Save this as CFScript.txt on your desktop.
 
CFScriptB-4.gif
 
Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.
===
Critical vulnerabilities have been identified in old versions of Adobe Flash Player; please get the latest version.
 
Adobe has released security updates for Adobe Flash Player 11.6.602.171 and earlier versions for Windows, Adobe Flash Player 11.2.202.273 and earlier versions for Macintosh, and Adobe Flash Player 11.2.202.273 and earlier versions for Linux. 
 
 
On the top of the page you will be given an opportunity to download the version for your operating system.
Make sure you select appropriate version.
 
You will also have an option to install the Free! McAfee Security Scan Plus. Un-check the box if you are NOT using McAfee's virus protection software.
 
For the users of Internet Explorer download version 11.
===
 
Get the latest version of the Adobe Reader.
Before your download I suggest you uncheck the box on the top right "Yes, install McAfee Security Scan Plus - optional"; this is not required if you are not a McAfee subscriber. While the installation is in progress you can also deny the installation of any other programs that may be suggested.
 
When installed remove your old version of the Reader using the Add/Remove Programs applet if present.
 
"Haven't tried to update MS Security essentials again. Should I?"
I think you should; it's listed at the beginning of the ComboFix log.


#6 Tom Ketch

Tom Ketch
  • Topic Starter
  • Members
  • 35 posts
  • OFFLINE
  • Local time:12:27 PM

Posted 21 March 2013 - 03:48 PM

Done:   

 

ComboFix identified Microsoft Security Essentials and requested me to shut it down. Again, there was no place that it shows up other than ComboFix.

 

It identified the Rootkit 'ZeroAccess', followed by shutdown and reboot.  The log is attached.

 

The problem with the MS Security installation is that the MS installer doesn't work. It's stopped according to MSCONFIG, and things like cmd: 'MSIexec/regserver' give the error message: 'Windows cannot find msiexec/regserver' .....

 

Thanks Again,

 

Attached Files



#7 nasdaq

nasdaq

  • Malware Response Team
  • 39,202 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:27 PM

Posted 22 March 2013 - 07:58 AM

Open notepad and copy/paste the text in the quote box below into it:
 
SecCenter::
{BCF43643-A118-4432-AEDE-D861FCBCFCDF}
{EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
 
 
Save this as CFScript.txt on your desktop.
 
CFScriptB-4.gif
 
Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.
====

 

 
"The problem with the MS Security installation is that the MS installer doesn't work. It's stopped according to MSCONFIG, and things like cmd: 'MSIexec/regserver' give the error message: 'Windows cannot find msiexec/regserver'"

 

 
I would first try and re-register the Windows installer: 
 
1. Quit all Windows programs. 
 
2. Click Start, type Run in the Search box and then press Enter, type msiexec /unregister in the Open box, and then click OK. 
 
3. Click Start, type Run in the Search box and then press Enter, type msiexec /regserver in the Open box, and then click OK. 
 
4. Restart your computer.
 
If the issue still exists, please perform System File Checker by the steps below:
 
From the Start menu, select Run. 
In the Open field, type sfc /scannow (Note: There is a space between sfc and /scannow) 
Select the OK button. 
Follow the prompts throughout the System File Checker process. 
Reboot the computer when System File Checker completes. 
 
Try to reinstall Security Essentials.
 
p.s. If that fails that means that you do not have any virus protection.
 
It is really dangerous to go online without an antivirus. Without one, you are extremely likely to get infected and the consequences could be even worse next time. All of the following are excellent free versions of commercial antiviruses. Be sure to only install one.
If you install AVG it will install Chrome unless you deny it.
AVAST will install the Google Chrome if not already installed. If you do not want to keep it just remove it using the Add/Remove Programs list. 
====
 
The reference by ComboFix to a ZeroAccess could be triggered by some remnant item in the registry.
Let's see what we can find.
 
Please download RogueKiller© by Tigzy from one of the links below and save it to your desktop. 
 
 
Quit all running programs.
 
For Windows XP, double-click to start.
For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.
 
Click Scan to scan the system. 
When the scan completes > Close out the program > Don't Fix anything!
 
Don't run any other options, they're not all bad!!!!!!!
 
Post back the report which should be located on your desktop.
====
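Added example, not from nasdaq's post or from any Microsoft tool: a Python helper that applies the checks behind steps 2 and 3 above to the MSIServer service registration, offline, so the logic can be reasoned about away from the affected PC. It takes the service's ImagePath value, %SystemRoot% and PATH as inputs (the values in the stand-alone run are constructed to mirror this thread: system drive I:, ImagePath ending in /V), checks that the registered executable exists and sits under the real %SystemRoot%\System32, and also spots a command typed as `msiexec/regserver` with no space, which Windows reads as a single program name rather than a program plus a switch. The `gather_live` function reads the real registry value and only runs on Windows; everything else is portable.

```python
import ntpath
import os
import re
import sys

# The two command lines from the steps above, in the form Windows expects.
REGISTER_STEPS = ("msiexec /unregister", "msiexec /regserver")

# ImagePath is "<exe> [args]", optionally with the exe in double quotes.
EXE_RE = re.compile(r'^"?(?P<exe>[^"]+?\.exe)"?(?:\s+(?P<args>.*))?$', re.IGNORECASE)
# "msiexec/regserver" (no space) makes Windows look for a program of that name.
GLUED_SWITCH_RE = re.compile(r"msiexec(?:\.exe)?/", re.IGNORECASE)


def parse_image_path(image_path):
    """Split 'I:\\Windows\\System32\\msiexec.exe /V' into (exe, args);
    returns (None, '') if the value is not an .exe command line."""
    m = EXE_RE.match(image_path.strip())
    if not m:
        return None, ""
    return m.group("exe"), m.group("args") or ""


def diagnose_msiserver(image_path, system_root, path_dirs, exists):
    """Return a list of findings (empty = nothing obviously wrong).

    image_path  -- ImagePath of HKLM\\SYSTEM\\CurrentControlSet\\Services\\MSIServer
    system_root -- %SystemRoot%, e.g. 'I:\\WINDOWS' on the machine in this thread
    path_dirs   -- directories from %PATH%
    exists      -- callable(path) -> bool, injected so the logic runs offline
    """
    findings = []
    exe, _args = parse_image_path(image_path)
    if exe is None:
        return [f"MSIServer ImagePath is not an .exe command line: {image_path!r}"]
    system32 = ntpath.join(system_root, "System32")
    expected = ntpath.join(system32, "msiexec.exe")
    # normcase lowercases and normalises separators, so drive letter and case differences show.
    if ntpath.normcase(exe) != ntpath.normcase(expected):
        findings.append(f"ImagePath runs {exe} but %SystemRoot% implies {expected}; check the drive letter")
    if not exists(exe):
        findings.append(f"ImagePath target is missing: {exe}")
    if ntpath.normcase(system32) not in {ntpath.normcase(d) for d in path_dirs if d}:
        findings.append(f"{system32} is not on PATH, so a bare 'msiexec' will not resolve; use the full path")
    return findings


def check_command(cmd):
    """Explain 'Windows cannot find msiexec/regserver' when the switch is glued to the name."""
    if GLUED_SWITCH_RE.search(cmd):
        return (f"no space before the switch: Windows looks for a program named {cmd.split()[0]!r}; "
                f"the steps above use {REGISTER_STEPS[1]!r}")
    return None


def gather_live():
    """Windows only: read the real MSIServer ImagePath and environment, then diagnose."""
    if sys.platform != "win32":
        return None
    import winreg
    key = r"SYSTEM\CurrentControlSet\Services\MSIServer"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as k:
        image_path = winreg.QueryValueEx(k, "ImagePath")[0]
    return diagnose_msiserver(os.path.expandvars(image_path),
                              os.environ["SystemRoot"],
                              os.environ.get("PATH", "").split(os.pathsep),
                              os.path.exists)


if __name__ == "__main__":
    # Constructed inputs mirroring the thread: system drive I:, ImagePath ending in /V.
    print(diagnose_msiserver(r"I:\Windows\System32\msiexec.exe /V", r"I:\WINDOWS",
                             [r"I:\WINDOWS\system32", r"I:\WINDOWS"], lambda p: True))
    print(check_command("msiexec/regserver"))
    live = gather_live()
    if live is not None:
        print(live)
```

With the thread's values the registration itself comes back clean, which matches what Tom reports from the registry; the remaining finding is the command form, since `msiexec/regserver` without the space is exactly the string the quoted error says Windows cannot find.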


#8 Tom Ketch

Tom Ketch
  • Topic Starter
  • Members
  • 35 posts
  • OFFLINE
  • Local time:12:27 PM

Posted 22 March 2013 - 09:58 AM

Done. Results for ComboFix and RogueKiller attached.

 

ComboFix: Similar results: recommended disabling of MS Security Essentials, which I still don't think I have, required download of MS Win Recovery followed by successful download, found ZeroAccess, rebooted, completed successfully.

 

MSIExec: Windows couldn't find it. Checked the registry for the appropriate installation: under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSIServer --- I:\Windows\System32\msiexec.exe /V, all things are correct and "I:" is the correct drive. Rebooted and attempted MSIExec commands in safe mode with similar unsuccessful results.

 

Installed AVG and rebooted

 

RogueKiller: Results attached.

 

Thanks again



#9 Tom Ketch (Topic Starter)

Posted 22 March 2013 - 10:00 AM

And here are the results from RogueKiller and ComboFix.




#10 Tom Ketch (Topic Starter)

Posted 22 March 2013 - 10:03 AM

Also,  SFC /Scannow required disks that I can't find.



#11 nasdaq (Malware Response Team, Montreal, QC, Canada)

Posted 22 March 2013 - 10:21 AM

You may need to find a copy, check with friends.

ComboFix 13-03-21.02 - TK 03/22/2013 7:32.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2758 [GMT -6:00]
Running from: i:\documents and settings\TK\My Documents\ComboFix.exe
Command switches used :: i:\documents and settings\TK\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

For some unknown reason ComboFix did not remove the Security Essentials entries.

===

Let's try to remove all traces with this tool.
Download Revo Uninstaller and use it to remove any programs whose removal you cannot complete using the Add/Remove Programs list.

http://majorgeeks.com/Revo_Uninstaller_d5706.html
<<<>>>


Run RogueKiller again and click Scan
When the scan completes > click on the Registry tab
Put a check next to all of the items below and uncheck the rest (if found):

[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND


Now click Delete on the right hand column under Options

Post back the report which should be located on your desktop.
===

Did you get any error message when you tried to register and unregister msiexec?

#12 Tom Ketch (Topic Starter)

Posted 22 March 2013 - 10:58 AM

Downloaded Revo Uninstaller. It didn't find MS Security Essentials, so it couldn't remove it.

 

RogueKiller: Deleted items as indicated. Results attached.

 

I get this message when attempting either command in msiexec: 

 

" Windows cannot find 'msiexec/regserver'  [.. or misexec/unregister ]. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search" 

 




#13 nasdaq (Malware Response Team, Montreal, QC, Canada)

Posted 22 March 2013 - 12:39 PM

Make sure you have included a space before /unregister and /regserver.

msiexec /unregister
msiexec /regserver


If you still get the error, let's find out if msiexec.exe is missing.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2


If your operating system is 64 bit download this tool:
SystemLook_x64.exe
  • Double-click SystemLook.exe to run it.
  • Copy and paste the content of the following bold text into the main textfield:
    :filefind
    msiexec.exe
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
  • Note: The log can also be found on your Desktop entitled SystemLook.txt


#14 Tom Ketch (Topic Starter)

Posted 22 March 2013 - 02:06 PM

Thanks, 

 

Turns out the spaces make a difference. Didn't complain about either command. However, got an error upon attempting to install MSE: "Cannot complete the Security Essentials installation. An error has prevented the Security Essentials setup wizard from completing successfully. Please restart your computer and try again. Error code: 0x80007064A"

 

Did as advised with same error as a result.  Uninstalled AVG and attempted again with same result.  

 

SystemLook info:

 

SystemLook 30.07.11 by jpshortstuff
Log created at 12:52 on 22/03/2013 by TK
Administrator - Elevation successful

========== filefind ==========

Searching for "msiexec.exe"
I:\WINDOWS\$NtUninstallKB942288-v3$\msiexec.exe -----c- 78848 bytes [17:20 08/08/2010] [12:00 14/04/2008] 5879D691E842574A20FE63817CB76DF9
I:\WINDOWS\system32\msiexec.exe --a---- 95744 bytes [12:00 14/04/2008] [07:57 19/05/2008] 7F7BC88C8FB6B52989E0E93084B5E678
I:\WINDOWS\system32\dllcache\msiexec.exe --a--c- 95744 bytes [12:00 14/04/2008] [07:57 19/05/2008] 7F7BC88C8FB6B52989E0E93084B5E678

-= EOF =-

 

 

TK
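
The SystemLook output above is a flat text format, and the useful check in it is whether the live msiexec.exe in system32 still matches the Windows File Protection copy in system32\dllcache (the $NtUninstall...$ copy is an older hotfix backup and is expected to differ). As an added example that is not part of this thread or of SystemLook itself, the following Python parses the filefind hits and performs that comparison; the sample log is the one posted above, and the regex and function names are my own.

```python
import re

# Constructed sample: the filefind hits exactly as posted in the thread above.
SAMPLE_LOG = r"""SystemLook 30.07.11 by jpshortstuff

========== filefind ==========

Searching for "msiexec.exe"
I:\WINDOWS\$NtUninstallKB942288-v3$\msiexec.exe -----c- 78848 bytes [17:20 08/08/2010] [12:00 14/04/2008] 5879D691E842574A20FE63817CB76DF9
I:\WINDOWS\system32\msiexec.exe --a---- 95744 bytes [12:00 14/04/2008] [07:57 19/05/2008] 7F7BC88C8FB6B52989E0E93084B5E678
I:\WINDOWS\system32\dllcache\msiexec.exe --a--c- 95744 bytes [12:00 14/04/2008] [07:57 19/05/2008] 7F7BC88C8FB6B52989E0E93084B5E678

-= EOF =-
"""

# One filefind hit: <path> <7 attribute flags> <size> bytes [created] [modified] <MD5>
ENTRY_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<attrs>[-a-z]{7})\s+(?P<size>\d+) bytes"
    r"\s+\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})$"
)

def parse_filefind(log):
    """Return one dict per file hit in a SystemLook :filefind section."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["size"] = int(m.group("size"))
            d["md5"] = m.group("md5").upper()
            entries.append(d)
    return entries

def check_dllcache(entries, filename="msiexec.exe"):
    """Compare the live system32 copy with the WFP dllcache copy by MD5 and size.
    Status is one of: match, mismatch, missing-live, missing-cache."""
    live = cache = None
    for e in entries:
        p = e["path"].lower()
        if p.endswith("\\system32\\dllcache\\" + filename):
            cache = e
        elif p.endswith("\\system32\\" + filename):
            live = e
    if live is None:
        return {"status": "missing-live", "live_md5": None, "cache_md5": None}
    if cache is None:
        return {"status": "missing-cache", "live_md5": live["md5"], "cache_md5": None}
    status = "match" if (live["md5"], live["size"]) == (cache["md5"], cache["size"]) else "mismatch"
    return {"status": status, "live_md5": live["md5"], "cache_md5": cache["md5"]}
```

A "mismatch" result means the binary Windows actually runs no longer matches the protected copy and deserves a closer look; for the log above the result is "match".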



#15 nasdaq (Malware Response Team, Montreal, QC, Canada)

Posted 23 March 2013 - 07:22 AM

Try the fix for XP from this Microsoft site.

http://support.microsoft.com/kb/958055


Edited by nasdaq, 24 March 2013 - 09:00 AM.




