Trojan Infection


100 replies to this topic

#1 DeLuk


Posted 07 February 2007 - 12:51 PM

Greetings to the BC Team. :huh:

Once again I'm found in need of your help. (Damn brother of mine and his careless net surfing at 5 in the morning on a Sunday grrr! :thumbsup: )

Here's the symptoms:

Every time when turning on the computer, it would self-reboot, just before the icons would appear on the desktop.
After self rebooting, the computer would then start normally, the desktop would appear normally etc, and there was a Microsoft Windows message, saying that the system had recovered from a serious error.
Avast resident scanner kept reporting about the file C:\Windows\System32\adir.dll (identified as Win32:Trojan-gen. {Other}).
Sygate firewall kept warning of C:\Windows\System32\taskdir.exe being connected from a remote machine [81.177.26.27] using port 80.
(On a side note, and in regards to firewalls, I noticed afterwards that XP's own firewall was now turned off. My brother told me already that he didn't turn it off manually, so I'm intrigued as to how it got turned off then?...)

Here's the initial HJT log, previous to having done the preliminary cleaning:

Logfile of HijackThis v1.99.1
Scan saved at 15:53:26, on 06-02-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Programas\Alwil Software\Avast4\ashServ.exe
C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\TEMP\1D.tmp
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Programas\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Programas\MessengerPlus! 3\MsgPlus.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programas\Lexmark 2400 Series\lxcrmon.exe
C:\Programas\Lexmark 2400 Series\ezprint.exe
C:\Programas\Java\jre1.6.0\bin\jusched.exe
C:\Programas\Alwil Software\Avast4\setup\avast.setup
C:\Programas\Messenger\msmsgs.exe
C:\Programas\HDD Thermometer\HDD Thermometer.exe
C:\WINDOWS\system32\lxcrcoms.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\WINDOWS\system32\taskdir.exe
C:\Programas\SpywareGuard\sgmain.exe
C:\Programas\SpywareGuard\sgbhp.exe
C:\Programas\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Ficheiros comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Flashget Catch Url Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Programas\FlashGet\jccatch.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Programas\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Programas\FlashGet\getflash.dll
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Programas\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Programas\Creative\SBLive\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [CTStartup] C:\Programas\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Programas\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SmcService] "C:\PROGRA~1\Sygate\SPF\smc.exe" -startgui
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RunDLL32.exe" NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [lxcrmon.exe] "C:\Programas\Lexmark 2400 Series\lxcrmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Programas\Lexmark 2400 Series\ezprint.exe"
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programas\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programas\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Programas\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RSD_HDDThermo] "C:\Programas\HDD Thermometer\HDD Thermometer.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RemoteCenter] C:\Programas\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\system32\taskdir.exe
O4 - Startup: SpywareGuard.lnk = C:\Programas\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programas\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Programas\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Download All with FlashGet - C:\Programas\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Programas\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.iol.pt/
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://creative.com/su/ocx/15016/CTPID.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programas\Ficheiros comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: Macromedia Updater (mmupdate) - Unknown owner - C:\WINDOWS\TEMP\1D.tmp".exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programas\Sygate\SPF\smc.exe

-----

Afterwards I tried to update all malware scanners, but only SpyBot successfully updated, both Ad-Aware and AVG Anti-Spyware failed the update. (I suspect the infection must have something to do with these errors in the updates?...) Luckily though, I had updated them all not so long ago, last Wednesday, when I had run all malware scanners and antivirus for the last time (everything was clean and shiny then... *sigh*).

I cleaned all temp files from both Firefox and IE, and then ran CCleaner to clean all other temp stuff. (Another side note, as when I went to check what was left on C:\Windows\Temp, Avast reported the file tqdlumwr.exe as a virus Win32:Agent-EAD, and so I ran CCleaner again, now having unchecked the option "Only delete files in Windows Temp folders older than 48 hours", so that C:\Windows\Temp would be completely cleaned.)

Then I rebooted into Safe Mode and ran Ad-Aware. Here's what it found (I've removed the MRU's from the log to keep it shorter):

Ad-Aware SE Build 1.06r1
Logfile Created on:terça-feira, 6 de Fevereiro de 2007 16:58:14
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R148 29.01.2007
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
MRU List(TAC index:0):2 total references
Other(TAC index:5):1 total references
SpywareSheriff(TAC index:4):2 total references
Win32.Trojan.MatrixHasYou(TAC index:10):19 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Search for low-risk threats
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Create log file for removal operations
Set : Include alternate data stream details in log file


06-02-2007 16:58:14 - Scan started. (Full System Scan)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 160
ThreadCreationTime : 06-02-2007 16:56:35
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 208
ThreadCreationTime : 06-02-2007 16:56:49
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\SYSTEM32\
ProcessID : 232
ThreadCreationTime : 06-02-2007 16:56:50
BasePriority : High


#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 276
ThreadCreationTime : 06-02-2007 16:56:55
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Sistema operativo Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Aplicação de serviços e controlo
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. Todos os direitos reservados.
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 288
ThreadCreationTime : 06-02-2007 16:56:55
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 444
ThreadCreationTime : 06-02-2007 16:57:00
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 504
ThreadCreationTime : 06-02-2007 16:57:02
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 560
ThreadCreationTime : 06-02-2007 16:57:04
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 780
ThreadCreationTime : 06-02-2007 16:57:27
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Sistema operativo Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Explorador do Windows
InternalName : explorer
LegalCopyright : © Microsoft Corporation. Todos os direitos reservados.
OriginalFilename : EXPLORER.EXE

#:10 [ad-aware.exe]
FilePath : C:\Programas\Lavasoft\Ad-Aware SE Personal\
ProcessID : 880
ThreadCreationTime : 06-02-2007 16:57:57
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 2


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 2


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 2


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 2



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Win32.Trojan.MatrixHasYou Object Recognized!
Type : File
Data : A0012617.dll
TAC Rating : 10
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{8E12C9B1-F7B5-42CA-A78E-C628A7FD5F9F}\RP42\



Win32.Trojan.MatrixHasYou Object Recognized!
Type : File
Data : A0012631.dll
TAC Rating : 10
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{8E12C9B1-F7B5-42CA-A78E-C628A7FD5F9F}\RP42\



Win32.Trojan.MatrixHasYou Object Recognized!
Type : File
Data : A0013648.dll
TAC Rating : 10
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{8E12C9B1-F7B5-42CA-A78E-C628A7FD5F9F}\RP42\



Win32.Trojan.MatrixHasYou Object Recognized!
Type : File
Data : A0014673.dll
TAC Rating : 10
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{8E12C9B1-F7B5-42CA-A78E-C628A7FD5F9F}\RP42\



Win32.Trojan.MatrixHasYou Object Recognized!
Type : File
Data : A0014695.dll
TAC Rating : 10
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{8E12C9B1-F7B5-42CA-A78E-C628A7FD5F9F}\RP42\



Win32.Trojan.MatrixHasYou Object Recognized!
Type : File
Data : A0015701.dll
TAC Rating : 10
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{8E12C9B1-F7B5-42CA-A78E-C628A7FD5F9F}\RP42\



Win32.Trojan.MatrixHasYou Object Recognized!
Type : File
Data : adir.dll
TAC Rating : 10
Category : Malware
Comment :
Object : C:\WINDOWS\system32\



SpywareSheriff Object Recognized!
Type : File
Data : fdsf
TAC Rating : 4
Category : Misc
Comment :
Object : C:\WINDOWS\system32\



SpywareSheriff Object Recognized!
Type : File
Data : z11.exe
TAC Rating : 4
Category : Misc
Comment :
Object : C:\WINDOWS\system32\


Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 11


Deep scanning and examining files (F:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for F:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 11


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 11


Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Win32.Trojan.MatrixHasYou Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment : Removing Active Desktop. Force remove
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\windows\currentversion\policies\activedesktop

Win32.Trojan.MatrixHasYou Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment : Removing key.
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\windows\currentversion\policies\system

Win32.Trojan.MatrixHasYou Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment : Removing key.
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\windows\currentversion\policies\system
Value : DisableTaskMgr

Win32.Trojan.MatrixHasYou Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment : Removing key.
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\desktop\general

Win32.Trojan.MatrixHasYou Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : system\currentcontrolset\services\wincom32

Win32.Trojan.MatrixHasYou Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : system\currentcontrolset\services\wincom32
Value : Start

Win32.Trojan.MatrixHasYou Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : system\currentcontrolset\services\wincom32
Value : ErrorControl

Win32.Trojan.MatrixHasYou Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : system\currentcontrolset\services\wincom32
Value : ImagePath

Win32.Trojan.MatrixHasYou Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : system\currentcontrolset\services\wincom32
Value : DisplayName

Win32.Trojan.MatrixHasYou Object Recognized!
Type : File
Data : taskdir.exe
TAC Rating : 10
Category : Malware
Comment :
Object : C:\WINDOWS\system32\



Win32.Trojan.MatrixHasYou Object Recognized!
Type : File
Data : winsub.xml
TAC Rating : 10
Category : Malware
Comment :
Object : C:\WINDOWS\system32\



Win32.Trojan.MatrixHasYou Object Recognized!
Type : File
Data : svcp.csv
TAC Rating : 10
Category : Malware
Comment :
Object : C:\WINDOWS\system32\



Other Object Recognized!
Type : File
Data : TASKDIR.EXE-02B5617A.pf
TAC Rating : 7
Category : Malware
Comment :
Object : C:\WINDOWS\prefetch\


Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 13
Objects found so far: 24

17:16:22 Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:18:08.315
Objects scanned:145750
Objects identified:23
Objects ignored:0
New critical objects:23

-----

I removed everything found, and then rebooted, again into Safe Mode, next to run SpyBot. Here's the log:

--- Report generated: 2007-02-06 17:31 ---

Smitfraud-C.: Biblioteca (Arquivo, nothing done)
C:\WINDOWS\system32\rpcc.dll

Smitfraud-C.: Executável (Arquivo, nothing done)
C:\WINDOWS\system32\z13.exe

Smitfraud-C.: Executável (Arquivo, nothing done)
C:\WINDOWS\system32\z14.exe

Smitfraud-C.: Executável (Arquivo, nothing done)
C:\WINDOWS\system32\z15.exe

Smitfraud-C.: Configurações de auto-execução (Valor do registo, nothing done)
HKEY_USERS\S-1-5-21-1202660629-1060284298-1708537768-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskdir

Smitfraud-C.: Configurações (Valor do registo, nothing done)
HKEY_USERS\S-1-5-21-1202660629-1060284298-1708537768-1003\WindowsSubVersion

Tibs.vq: Configurações (Valor do registo, nothing done)
HKEY_USERS\S-1-5-21-1202660629-1060284298-1708537768-1003\ColorTable19

Tibs.vq: Configurações (Valor do registo, nothing done)
HKEY_USERS\S-1-5-21-1202660629-1060284298-1708537768-1003\ColorTable20


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

-----

Again I fixed everything found, and again rebooted into Safe Mode, next to run AVG Anti-Spyware. Here's what it found:

---------------------------------------------------------
AVG Anti-Spyware - Relatório de verificação
---------------------------------------------------------

+ Criação: 19:11:10 06-02-2007

+ Resultado da verificação:


C:\WINDOWS\system32\config\systemprofile\Definições locais\Temporary Internet Files\Content.IE5\6GZZWMOD\msits[1].exe -> Downloader.Delf.aeu : Nenhuma ação executada.
C:\WINDOWS\system32\config\systemprofile\Definições locais\Temporary Internet Files\Content.IE5\PKC8GTR8\nldr[1].exe -> Downloader.Small : Nenhuma ação executada.
C:\WINDOWS\system32\sdfff -> Downloader.Small.awa : Nenhuma ação executada.
C:\WINDOWS\system32\wincom32.sys -> Dropper.Agent.bbv : Nenhuma ação executada.
C:\WINDOWS\system32\config\systemprofile\Definições locais\Temporary Internet Files\Content.IE5\6GZZWMOD\inst318ss[1].exe -> Dropper.Agent.ol : Nenhuma ação executada.
C:\System Volume Information\_restore{8E12C9B1-F7B5-42CA-A78E-C628A7FD5F9F}\RP42\A0015729.exe -> Dropper.Delf.va : Nenhuma ação executada.
C:\WINDOWS\system32\cdegfr -> Dropper.Delf.va : Nenhuma ação executada.
C:\WINDOWS\system32\config\systemprofile\Definições locais\Temporary Internet Files\Content.IE5\PBUJLJNR\mirca[1].exe -> Hijacker.Costrat.e : Nenhuma ação executada.
C:\WINDOWS\system32\config\systemprofile\Definições locais\Temporary Internet Files\Content.IE5\PBUJLJNR\dsb[1].exe -> Logger.BZub.gr : Nenhuma ação executada.
C:\WINDOWS\system32\ipv6mons.dll -> Logger.BZub.hg : Nenhuma ação executada.
C:\System Volume Information\_restore{8E12C9B1-F7B5-42CA-A78E-C628A7FD5F9F}\RP42\A0015721.exe -> Not-A-Virus.Hoax.Win32.Renos.gc : Nenhuma ação executada.
C:\WINDOWS\system32\config\systemprofile\Definições locais\Temporary Internet Files\Content.IE5\PKC8GTR8\t100[1].exe -> Trojan.Zapchast.ar : Nenhuma ação executada.
C:\System Volume Information\_restore{8E12C9B1-F7B5-42CA-A78E-C628A7FD5F9F}\RP42\A0015720.dll -> Worm.Banwarum.f : Nenhuma ação executada.
C:\WINDOWS\system32\wmdrtc32.dll -> Worm.Warezov.et : Nenhuma ação executada.

::Fim do relatório

-----

I chose to quarantine everything found and then rebooted, now to Normal Mode, to go online to run Panda ActiveScan. Here's the log:

Incident Status Location

Adware:adware/blazefind Not disinfected Windows Registry
Virus:Trj/Alanchum.QP Disinfected C:\WINDOWS\system32\adirss.exe
Virus:Trj/Alanchum.QM Disinfected C:\WINDOWS\system32\config\systemprofile\Definições locais\Temporary Internet Files\Content.IE5\PBUJLJNR\sev2[1].exe
Virus:Trj/Alanchum.QN Disinfected C:\WINDOWS\system32\game0.exe.exe
Virus:Trj/Alanchum.QP Disinfected C:\WINDOWS\system32\game1.exe
Virus:W32/Nurech.A.worm Disinfected C:\WINDOWS\system32\game3.exe
Virus:W32/Sality.Y Not disinfected C:\WINDOWS\system32\wmdrtc32.dl_[C:\WINDOWS\system32\wmdrtc32.dl_]

-----

I rebooted into Normal Mode again, and now the computer didn't self-reboot any longer, and neither did Avast report about C:\Windows\System32\adir.dll nor Sygate about C:\Windows\System32\taskdir.exe. The files aren't there any longer, either, it seems. (Checking the traffic in the firewall, though, it keeps reporting about this suspicious attempted outgoing traffic to zizza.wuyhahj.biz [208.66.194.9]; this is blocked, however.)

Lastly, and back to Safe Mode, I ran also Avast, just to see what it would still find (but now I chose to take no action on anything of what it found). Here's the log:

C:\Documents and Settings\LocalService\Definições locais\Temporary Internet Files\Content.IE5\SJQ32JSL\abc[1].exe [L] Win32:Tibs-AIE [Trj] (0)
C:\System Volume Information\_restore{8E12C9B1-F7B5-42CA-A78E-C628A7FD5F9F}\RP42\A0015738.dll [L] Win32:BZub-BO [Trj] (0)
C:\System Volume Information\_restore{8E12C9B1-F7B5-42CA-A78E-C628A7FD5F9F}\RP42\A0015740.dll [L] Win32:Sality-AM (0)
C:\System Volume Information\_restore{8E12C9B1-F7B5-42CA-A78E-C628A7FD5F9F}\RP42\A0015769.exe [L] Win32:Tibs-AHY [Trj] (0)
C:\WINDOWS\system32\abc.exe [L] Win32:Tibs-AIE [Trj] (0)

Running a quick scan on C:\Windows\System32 it also reports about the file wmdrtc32.dl_ as a virus Win32:Sality-AO. (No idea why this one wasn't reported in the on-demand scan?...)

-----

And also here's the final HJT log, after doing everything as mentioned above:

Logfile of HijackThis v1.99.1
Scan saved at 15:41:14, on 07-02-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Programas\Alwil Software\Avast4\ashServ.exe
C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\TEMP\1D.tmp
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Programas\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Programas\MessengerPlus! 3\MsgPlus.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programas\Lexmark 2400 Series\lxcrmon.exe
C:\Programas\Lexmark 2400 Series\ezprint.exe
C:\Programas\Java\jre1.6.0\bin\jusched.exe
C:\Programas\Messenger\msmsgs.exe
C:\WINDOWS\system32\lxcrcoms.exe
C:\Programas\HDD Thermometer\HDD Thermometer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\Programas\SpywareGuard\sgmain.exe
C:\Programas\SpywareGuard\sgbhp.exe
C:\Programas\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Ficheiros comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Flashget Catch Url Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Programas\FlashGet\jccatch.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Programas\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Programas\FlashGet\getflash.dll
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Programas\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Programas\Creative\SBLive\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [CTStartup] C:\Programas\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Programas\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SmcService] "C:\PROGRA~1\Sygate\SPF\smc.exe" -startgui
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RunDLL32.exe" NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [lxcrmon.exe] "C:\Programas\Lexmark 2400 Series\lxcrmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Programas\Lexmark 2400 Series\ezprint.exe"
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programas\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programas\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Programas\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RSD_HDDThermo] "C:\Programas\HDD Thermometer\HDD Thermometer.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RemoteCenter] C:\Programas\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - Startup: SpywareGuard.lnk = C:\Programas\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programas\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Programas\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Download All with FlashGet - C:\Programas\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Programas\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.iol.pt/
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://creative.com/su/ocx/15016/CTPID.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programas\Ficheiros comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: Macromedia Updater (mmupdate) - Unknown owner - C:\WINDOWS\TEMP\1D.tmp".exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programas\Sygate\SPF\smc.exe

-----

Although those initial most visible symptoms (computer self rebooting, and Avast reporting about C:\Windows\System32\adir.dll and Sygate about C:\Windows\System32\taskdir.exe) appear to be gone now, I suppose I'm far from being clean from all the infection yet (and with stuff always being found in the System Restore, I guess that, without flushing it as well, I won't be getting anywhere either), thus I truly appreciate your assistance about what steps to take next, in order to hopefully clean up this mess my brother got us into. (Also I would ask, how grave is it, this infection? From what I read around, in other threads where people also complaint about adir.dll and taskdir.exe, I don't think I like the sounds of it... :flowers: I've dealt with Smitfraud quite a few times already, always "courtesy" of my brother, but somehow I feel like I wished it was "only" the Smitfraud popups this time again... I feel my brother messed it up big, this time, didn't he?... :huh: How serious is this infection?... I ask, almost afraid of the answer... :huh: )

Thank you greatly for all possible help. :huh:

Edited by DeLuk, 08 February 2007 - 11:17 AM.



#2 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • Location:Ontario
  • Local time:09:56 PM

Posted 08 February 2007 - 10:52 PM

Hi and welcome.

ewwww :thumbsup:

You are right. You have one heck of a mess and it will take a while to clean.
Just to give you an idea of what is going on: I suspect you have a couple of rootkits, several mailer bots, what look like some backdoors, possibly a keylogger or two, a virus, and pretty much everything in between.

Something I suggest you do for your brother.
Make him his own account & set it to limited.
Then password protect your account and the built-in admin account you see in safe mode.

With him running as a limited user, whatever he foobars the computer up with will be greatly reduced, because unless you are admin you can't do much. User actions (and the malware, if he sets something off) have much less effect.
I'll be suggesting some programs to install to help reduce these chances even more.
If he was looking for cracks/porn you can also tell him that if you catch him doing it again, he no longer has access to your computer. I think he'll think twice before going against your rules. ;)
If only he knew how dangerous these actions are.
So many of these sites lead to massive instant infection just "looking".

One good thing you have going for you is the fact you can get to safe mode.
Sality virus usually trashes that by deleting everything in the registry that lets you load safe mode.

If you use this box for sensitive stuff like online banking, credit card stuff, or any other financial transactions you will need to have your passwords changed for these sites.
Also advise you to contact your banks, credit card companies to alert them so they can watch your accounts.
Don't use this computer to change passwords or access these accounts till it is cleaned up.

Same story goes for your brother or anyone else that uses this computer.


Because of the nature of your infections, in my opinion it would be faster/safer to back up important stuff and do a complete format & re-install if you have the resources to do so.
Not advisable to back up programs because they are infected by Sality. Sality is a file infector as well as a mass mailer worm. Most of your exes will be infected.
Those you will need to get from known good backups or re-downloaded from internet.

If you don't have the resources to redo the system I can try my best to help you clean it but I cannot guarantee it will be the same as before the attack.
By any chance you have another computer we can use to communicate while cleaning this one?
It should go a lot smoother if we can keep it offline because being online it will just keep on downloading junk.
We'll be running in circles.

Let me know whether we'll be cleaning or you can re-install.

Thanks!

ps.

Looking at your AVG scan...
This I take it "Nenhuma ação executada" means "cleaned with backup"?
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?.

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware

#3 DeLuk

DeLuk
  • Topic Starter

  • Members
  • 228 posts
  • Gender:Not Telling
  • Location:Portugal
  • Local time:02:56 AM

Posted 09 February 2007 - 05:13 PM

Hi Blender, and thank you very much for your response. :huh: Though I wished I hadn't read what I just did... Ratz! :huh: Also I sincerely appreciate all your advice in regards to "controlling" my brother, but the fact is that the computer is actually his; I do use it also, but I'm not the owner of it, although I'm the one always concerned in trying my best to keep it secure and in good shape. (My brother doesn't even care whether malware scanners and antivirus are up-to-date or run regularly or not, nah; just whenever there are visible symptoms of infection that "mess" with his routines of gaming and chatting, then he "cares" and tells me to fix it; keeping a safe attitude online has never been much "his thing", for as much as I keep alerting him to the dangers, it's pretty much vain words to him, sadly and to my frustration, because it just makes it look as if all of my own efforts to keep the computer clean and in shape are all in vain just as much. :huh: But as I say, what else can I do but "keep the fight at least on my own"; the computer is his after all, so I can't be the one to "set the rules". :thumbsup: And no, he's no kiddy, he's as much a grown up as I am, on his way to his thirties. *sigh* Damn!)

As for your suggestion, that it would just be safer and faster to just format and re-install, yes, I figured that too, from reading in the other threads... Unfortunately though, I'm not sure I'd have the resources to do this, as this computer has been bought second-hand, and the previous owner kept the XP installation disc. There might be the chance to borrow the XP installation disc from a friend for us to install it in our computer, but then my doubt/fear is whether I'd then have the chance to update it with SP2, now that there's the Windows Genuine Advantage validation?... :flowers: (For instance, now, I only have access to Windows critical updates via the Automatic Updates, but cannot access it via the Windows Update site, since Windows Genuine Advantage tells that our XP isn't genuine; I suppose because the previous owner of this computer must have first registered this copy of XP after installing it in his new computer, and so now ours isn't identified as genuine. So I'm supposing that, if we'd install XP from a friend's disc, again we'd be left with it being identified as not genuine, and I don't know whether even the update to SP2 would be blocked then?...) I'm still strongly considering to give it a try, later on, to re-install everything from scratch, to be on the safe side, but, if possible, maybe I'd first try my chances for a clean up?... I'm only worrying whether this will mean too much trouble and be too time consuming for you?... (Myself, I'm up for anything, be it a 1 day journey, 1 week, 1 month, just whatever, but... it's hard not to feel bad, at least for me it is, for how much I'll be troubling you because of *my* problem...)

I'd have a few questions, though, prior to going on with the clean up. (Pardon all of my ignorance, in these questions, but my knowledge of computer stuff is rather limited...)

1) Regarding the infection of the .exe files, what exactly does it translate to? I mean, how is it detected that an .exe file has been infected? Does it simply not work, does the program simply not open, is that it? Or?... And does the infection of .exe files happen instantly, i.e. are all .exe files infected at once, or does it go on progressively, or, how does the infection actually "work"?...

2) Also, does the file infection by the virus affect exclusively .exe files, is it? Or does it affect other files as well? (This is a personal computer, and luckily there's no sensitive data, nonetheless I myself am particularly concerned about my personal audio and video collection; is there the possibility of any such files getting affected by the virus and get damaged in any way?... Damn! Just now, that I was preparing to save the rest of my files, and also learn about ERUNT for system back ups, and he comes up with this mess... :huh: *sigh*)

3) Then again, and as for the back up of any such files we want to save (if eventually we later decide to go on with formatting and re-installing), should I do it at once, even before cleaning up, or only after then? And also (I'm sorry if this is a too silly question :huh: but I have to ask it) how do I know whether the CD burner program hasn't also been infected already? (If it works, but eventually has been infected already, then chances are that what I get in the end are corrupted CDs, no? :o)

4) And should I just do the saving of the files (i.e. burn the CD's) in Normal Mode (although keeping the computer offline, disconnected from the Internet), or should/can I do it in Safe Mode (and would it make any difference then, would it be safer this way?)? (I suspect this one to be an even sillier question - I don't even know if CD's can be burned/if the CDRW drive works in Safe Mode at all! - but again, I just have to ask, and also again, pardon my ignorance... :))

5) And then, in regards to mailer bots/worms, do these get active independently of whether the e-mail program is run or not, or only if one runs the e-mail program then the mailer bots/worms get active? In other words, do the mailer bots/worms spread even if the e-mail program isn't run, or? (Either way, I haven't used the e-mail program ever since the computer got infected. In fact, even for composing my posts for the forum, I keep doing it in Safe Mode, and only go on Normal Mode and online only when I come to post or check for replies in the forum, as unfortunately no, we don't have an alternative computer to come online and keep this one off. Also I don't know whether this is even advisable, to keep running the computer in Safe Mode, and then if it makes any difference at all in terms of security and in terms of preventing the infection to spread on the computer, but...)

I truly appreciate all your further help, and time and patience, thank you so much already. :)

And as well, I would greatly appreciate any additional suggestions, of other programs to install afterwards, in addition to the ones we have already, in order to help reduce the chances of these infections occurring, yes, I would certainly very much appreciate this! (As I was saying, at least let me keep the fight at least on my own, and let me do it in the best way I can!)

P.S. In regards to your question about the AVG log, "nenhuma acção executada" actually means "no action taken", but that's because the log I posted was the one of the "checking", not the one of the "curing". But as I mentioned then, yes, I did choose to quarantine all items found, so yes, all was "cleaned with back up", yes.

#4 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • Location:Ontario
  • Local time:09:56 PM

Posted 10 February 2007 - 06:41 AM

Hi

Okie....try & clean we will.

Couple notes & answers to your questions. (none are silly btw)

Part of the problem with a non legit windows install is you can't take advantage of all the updates and stuff offered.
You do have sp2 and can get criticals (delivered via automatic update) but cannot take advantage of many specific patches/fixes for specific problems.
Sooner or later you will be forced to "get legal".
If you do try & use a friends CD to install and also their Product Key....you are right. You won't be able to successfully validate and therefore won't get sp2.

Unless you can convince your brother to clean up his surfing habits and learn about computer security you are going to be cleaning this machine forever. And as long as you keep cleaning it, he will be happy to keep on infecting it.
"I'm not worried--brother will fix it".
I'm pretty sure you have better/less stressful things to do with your time.

I will give you some suggestions to help keep a tighter/safer ship. Sure will make your job easier! :thumbsup:

Anyways....Your questions:

1. A virus is a program that will attach part of its "code" to make another program "act different". How the infected program acts depends on what virus it is.
Some are really badly made and cause the program not to work at all. Others may corrupt the files and make the program display weird errors. Others you may not really notice.
Some infect all exes + others, some just certain types of files. Again, it depends on how the virus program was written.

here is some stuff you can read to help you understand this stuff:

http://en.wikipedia.org/wiki/Computer_virus

2.) As far as I know your vid/music collection *should* be fine. We will be running some scanners/cleaners to fix everything possible.
The virus I see did not in my experience do anything malicious to mp3, movies, etc. Pretty much contained itself to exes.
ERUNT is a darn good idea once we get this current mess fixed up.
I love it to death and have already had to use it myself this week. The other day I crashed hard and I couldn't boot.
I had to use the recovery console to use ERUNT to restore the registry backup. Up & running in less than 1/2 hour.

3.) Backing up stuff....
It isn't a bad idea to back up your important stuff to dvds/cds (your video/audio collection)
Since you are not going to put exes on there...should be OK.
Documents should be alright too.
If the burning program itself is infected, it might generate errors trying to run it or freeze/crash while trying to burn a CD.
As precaution though before you use the backed up stuff do run a scan on the CD before you run anything from it..
There are viruses that will put themselves on the CD to autorun as soon as you put cd in but I don't see evidence of this type of infection.
your initial post with logs and stuff gave me pretty darn good idea what is going on. Thumbs up to that! :flowers:

4) Doing as much of the work as possible while offline is a good idea. This way the nasties you are trying to rip out can't call home for more.
A lot of the work we'll be doing in safe mode anyways. Most of the junk doesn't run in safe mode and can be cleaned up easier if it's not running.

5.) Mail bots....
most of these have their own built-in mailing engine. They do not depend on your own email program such as Outlook Express or Outlook, etc to be installed and/or running.
They normally gather email address data stored on the computer (in a lot of cases from temp files gathered from checking hotmail accounts, for example).

----------------------

On to malware destruction!!!

Download Dr.Webs CureIt to your desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Boot to SAFE mode and log into the regular account. No internet.

Double-click the drweb-cureit.exe file and allow it to run the express scan.

This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.

Once the short scan has finished, select the drives that you want to scan.

Select all drives. A red dot shows which drives have been chosen.

Click the green arrow > to the right and the scan will begin.

At the first infection, select 'Yes to all' if it asks if you want to cure/move the file.

When the scan has finished, click the "Select all" toggle button (if available) next to the files found

Then click the green cup icon right below and select Move incurable

This will move any infected files that can't be cured to the %userprofile%\DoctorWeb quarantine folder (in case we need samples).

Then, from the main Dr.Web CureIt menu (top left), click File and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv

Close Dr.Web Cureit and Restart your computer to completely remove any stubborn files in reboot.

Post back with the DrWeb.csv report please. If log is too big to post you can upload it here for me:

http://www.bleepingcomputer.com/submit-mal....php?channel=19

Next:

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt. (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log

Please also do this:

1. Download this file and save it to c:\ :

http://download.bleepingcomputer.com/sUBs/combofix.exe
http://www.techsupportforum.com/sectools/combofix.exe

2. Double click combofix.exe & follow the prompts.
You will temporarily lose desktop while scan is running. Once scan is done desktop will return to normal.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

We will have more work to do.

Let me know how the computer is running at this point.

Thanks!
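Blender's answers 1 and 3 above (a file infector rewrites existing executables while the file names stay the same; scan a backup before running anything from it) suggest a check the thread describes but does not show: an integrity baseline over executables. The following Python script is an added example, not code from the thread or from any of the tools it mentions. It hashes every executable under a directory, stores the baseline as JSON, and on a later run reports executables whose contents changed, appeared, or vanished. The directory, file names and the `demo()` scenario are constructed inline so the script runs offline; the extension list is an assumption about what a PE file infector targets.

```python
"""Executable integrity baseline: find files a file infector has modified.

Added example, not from the thread. A file infector appends or injects
code into existing .exe/.dll files, so their size and hash change while
the name does not. Take a baseline from a known-clean state, keep it off
the machine, and compare later.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# Assumption for this example: extensions a PE file infector usually targets.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".scr", ".sys"}


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large executables need not fit in RAM."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each executable under root (POSIX-style relative path) to size + hash."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in EXECUTABLE_SUFFIXES:
            baseline[p.relative_to(root).as_posix()] = {
                "size": p.stat().st_size,
                "sha256": sha256_of(p),
            }
    return baseline


def save_baseline(baseline: dict, dest: Path) -> None:
    dest.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def compare(root: Path, baseline: dict) -> dict:
    """Report executables that changed, appeared, or disappeared since the baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "missing": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict:
    """Constructed scenario: baseline a clean tree, simulate an infection, compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        (root / "app" / "game.exe").write_bytes(b"MZ" + b"\x00" * 100)
        (root / "app" / "helper.dll").write_bytes(b"MZ" + b"\x01" * 50)
        (root / "notes.txt").write_bytes(b"documents are out of scope")

        baseline_file = root / "baseline.json"  # .json, so not hashed itself
        save_baseline(build_baseline(root), baseline_file)

        # Simulate what a file infector does: append code to an existing
        # executable (name unchanged) and drop a brand-new one.
        with (root / "app" / "game.exe").open("ab") as f:
            f.write(b"\xcc" * 40)
        (root / "app" / "dropper.exe").write_bytes(b"MZ" + b"\x02" * 30)

        return compare(root, load_baseline(baseline_file))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The baseline only means something if it was taken from a clean state and kept where the malware cannot rewrite it (on the backup CD itself, for instance), and the comparison should be run from clean media, because a file infector that has reached the host can alter the interpreter and this script just as easily as any other executable. A changed hash says a file was modified, not by what; a legitimate update changes it too, so treat hits as a list to explain rather than a verdict.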

#5 DeLuk

DeLuk
  • Topic Starter

  • Members
  • 228 posts
  • Gender:Not Telling
  • Location:Portugal
  • Local time:02:56 AM

Posted 11 February 2007 - 04:41 PM

Hi again Blender, and also again thank you so much, for your reply, and all further instructions and answers. :huh:

My brother, well, he's one tough one to convince, it seems; let's say he's an incurable "let-it-be/so-what" computer user (not only concerning Internet); negligent might be the word... But anyways, I'm even more incurable, in keeping my fight against his bad habits, and yes sir I will, I will keep on naggin' him (and naggin' and naggin') about safe online behaviour! (And hopefully by his eighties he'll have learned... :thumbsup: *sigh*)

About Windows being legit, well, the one installed in this computer is legit, I mean, it wasn't installed from any pirate copy or such, but from its own original disc. The only "detail" is that the one who is now the owner of the computer (my brother) isn't the owner of the respective original OS installation disc (the previous owner of the computer, who kept it). My brother was a dumbass not having brought the disc/checked that it was included along with the pack of installation CDs enclosed with the computer, and even dumber for not having gone back and complained/demanded it. (Typical "let-it-be/so-what" of him... *sigh*) Either that, or, if the OS disc not being included with the computer was part of the deal, then that wasn't that much of a good deal either... Well, if anything else, we'll downgrade back to good ol' Win98, which we keep the installation disc from our previous computer which "crashed to death" a few years ago; that should make him learn some! :flowers: I wonder how he'd like playing Counter-Strike on that OS (if at all), ahah!

About SP2, so, considering a re-installation of XP from a friend's disc or whatever isn't much of a solution/option, as so we won't be able to update it with SP2 then, cause of the current Windows Genuine Advantage certification, right? SP2 isn't available/doesn't get installed via Automatic Updates, right? :huh: (SP2 on this XP, I remember to have installed it a long time ago; we have this computer since 4/5 years, it didn't come with SP2 installed when we got it; I think I remember to have installed it via the Windows Update site...)

About virus, yes, I'm aware that the action of a virus depends on what virus it is, yes yes, I know. My question meant to refer to this particular Sality virus which has been identified to be infecting the computer and which you've mentioned earlier. :huh:

About ERUNT, yes, from what I had been reading around (after it's been suggested to me last time I came for help in the HJT forum), I see it's one must-have program which I've been missing. Though, from what I had been reading, from the manual, I think I'm still not very sure of myself about how to properly use/set it :huh: especially coming to how for making it make auto backups on start up, and then have these deleted after a certain time so they won't accumulate indefinitely... But anyways, if/when I'm done with this current issue, I'll try and learn some more about it, do some more re-reading, and if doubts remain, I'll maybe try and post about it in some appropriate section of the forum...

As to my initial post and all the logs, yes, sorry about all those! :huh: But given the symptoms at first, I feared at once that this might be a more serious issue, and so I thought I'd include all logs, of all scanners I had run for the preliminary clean up, instead of just a final HJT log, hoping that, who knows, that might eventually come in handy for a full evaluation of the whole situation. Good that it was helpful after all.

I have now completed all steps as you instructed in your last post. Here are all requested reports:


------------------------------------------------------------------------
------------------------------------------------------------------------


DrWeb CureIt log (I'm pasting from notepad, hope that's ok?...)

abc[1].exe;C:\Documents and Settings\LocalService\Definições locais\Temporary Internet Files\Content.IE5\SJQ32JSL;Trojan.Packed.12;Eliminado.;
SUPPORT.DOT;C:\Programas\Microsoft Office\Office10\Macros;W97M.Draw;Curado.;
A0008393.dll;C:\System Volume Information\_restore{8E12C9B1-F7B5-42CA-A78E-C628A7FD5F9F}\RP39;IRC.Flood;Eliminado.;
A0015703.exe;C:\System Volume Information\_restore{8E12C9B1-F7B5-42CA-A78E-C628A7FD5F9F}\RP42;Trojan.Packed.9;Eliminado.;
A0015722.exe;C:\System Volume Information\_restore{8E12C9B1-F7B5-42CA-A78E-C628A7FD5F9F}\RP42;Trojan.Packed.9;Eliminado.;
A0015731.exe;C:\System Volume Information\_restore{8E12C9B1-F7B5-42CA-A78E-C628A7FD5F9F}\RP42;Trojan.DownLoader.18291;Eliminado.;
A0015738.dll;C:\System Volume Information\_restore{8E12C9B1-F7B5-42CA-A78E-C628A7FD5F9F}\RP42;Trojan.PWS.Tanspy;Eliminado.;
A0015739.sys;C:\System Volume Information\_restore{8E12C9B1-F7B5-42CA-A78E-C628A7FD5F9F}\RP42;BackDoor.Groan;Eliminado.;
A0015740.dll;C:\System Volume Information\_restore{8E12C9B1-F7B5-42CA-A78E-C628A7FD5F9F}\RP42;Win32.Sector.28682;Eliminado.;
A0015766.exe;C:\System Volume Information\_restore{8E12C9B1-F7B5-42CA-A78E-C628A7FD5F9F}\RP42;Trojan.Packed.9;Eliminado.;
A0015767.exe;C:\System Volume Information\_restore{8E12C9B1-F7B5-42CA-A78E-C628A7FD5F9F}\RP42;Trojan.Packed.9;Eliminado.;
A0015768.exe;C:\System Volume Information\_restore{8E12C9B1-F7B5-42CA-A78E-C628A7FD5F9F}\RP42;Trojan.Packed.9;Eliminado.;
A0015769.exe;C:\System Volume Information\_restore{8E12C9B1-F7B5-42CA-A78E-C628A7FD5F9F}\RP42;Trojan.Packed.9;Eliminado.;
abc.exe;C:\WINDOWS\system32;Trojan.Packed.12;Eliminado.;
game2.exe;C:\WINDOWS\system32;Trojan.Packed.9;Eliminado.;
game4.exe;C:\WINDOWS\system32;Trojan.Packed.9;Eliminado.;
game5p.exe.exe;C:\WINDOWS\system32;Trojan.Packed.9;Eliminado.;
lnwin.exe;C:\WINDOWS\system32;Trojan.Packed.9;Eliminado.;
wmdrtc32.dl_;C:\WINDOWS\system32;Win32.Sector.28682;Eliminado.;
zxczxc;C:\WINDOWS\system32;Trojan.DownLoader.18291;Eliminado.;
Furious_calc_Cracked.exe;F:\Vários\Programa Desbloqueio\calc;BackDoor.Seed.11;Incurável.Movido.;

-----

Note: Translating from Portuguese, "eliminado" = "eliminated/deleted", "curado" = "cured", "incurável" = "incurable", "movido" = "moved".

Also, a detail (which was a doubt in the first place); regarding the selection of the drives to scan, in the instructions was written "Select all drives.", I assumed those to be all hard drives?... I selected only the hard drives (anyway the DVD drive, the CDRW drive and the floppy drive, all were empty); I'm not sure I did right, I hope yes?...

Then again, I go on being concerned about items kept being found in System Restore. Should it be flushed? Or still not yet?

I'm also concerned now about that item found on F:; that's from some cellphone's unblocking program of my brother or something; is that something dangerous, or? Should I alert him about this, and should this program just be uninstalled/deleted, or?


------------------------------------------------------------------------
------------------------------------------------------------------------


SDFix log

SDFix: Version 1.64

Run by: q - 11-02-2007 @ 15:14:28.04

Microsoft Windows XP [Versão 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:

Path:


Restoring Windows Registry Entries
Restoring Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINDOWS\Installer\{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}\_SHCT_Sprint.exe.exe - Deleted
C:\WINDOWS\system32\TFTP372 - Deleted
C:\WINDOWS\system32\wincom32.ini - Deleted
C:\WINDOWS\system32\zlbw.dll - Deleted



ADS Check:

C:\WINDOWS\system32
No streams found.

Final Check:

Rootkit PE386 maybe active, Use a Rootkit scanner!

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Programas\\Valve\\Steam\\Steam.exe"="C:\\Programas\\Valve\\Steam\\Steam.exe:*:Enabled:Steam"
"C:\\Programas\\Valve\\Steam\\SteamApps\\brave1978\\counter-strike\\hl.exe"="C:\\Programas\\Valve\\Steam\\SteamApps\\brave1978\\counter-strike\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Programas\\ICQ\\Icq.exe"="C:\\Programas\\ICQ\\Icq.exe:*:Enabled:ICQ"
"C:\\Programas\\Kazaa Lite Resurrection\\kazaalite.kpp"="C:\\Programas\\Kazaa Lite Resurrection\\kazaalite.kpp:*:Enabled:kazaalite"
"C:\\Brave\\eXtreme\\mirc32.exe"="C:\\Brave\\eXtreme\\mirc32.exe:*:Enabled:mIRC"
"C:\\Programas\\The All-Seeing Eye\\eye.exe"="C:\\Programas\\The All-Seeing Eye\\eye.exe:*:Enabled:The All-Seeing Eye"
"C:\\Programas\\Valve\\Steam\\SteamApps\\brave1978wm\\counter-strike\\hl.exe"="C:\\Programas\\Valve\\Steam\\SteamApps\\brave1978wm\\counter-strike\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\WINDOWS\\system32\\rtcshare.exe"="C:\\WINDOWS\\system32\\rtcshare.exe:*:Enabled:Partilha de aplicações RTC"
"C:\\Programas\\NetMeeting\\conf.exe"="C:\\Programas\\NetMeeting\\conf.exe:*:Enabled:Windows® NetMeeting®"
"C:\\Documents and Settings\\q\\Os meus documentos\\Jogos\\C.S 1.6 offline\\CS 1.6\\hl.exe"="C:\\Documents and Settings\\q\\Os meus documentos\\Jogos\\C.S 1.6 offline\\CS 1.6\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Programas\\WS_FTP\\WS_FTP95.exe"="C:\\Programas\\WS_FTP\\WS_FTP95.exe:*:Enabled:WS_FTP 95"
"C:\\Programas\\Valve\\Steam\\SteamApps\\just1986\\counter-strike\\hl.exe"="C:\\Programas\\Valve\\Steam\\SteamApps\\just1986\\counter-strike\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Programas\\Valve\\Steam\\SteamApps\\brave1978wm\\half-life\\hl.exe"="C:\\Programas\\Valve\\Steam\\SteamApps\\brave1978wm\\half-life\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Programas\\Valve\\Steam\\SteamApps\\brave1978wm\\deathmatch classic\\hl.exe"="C:\\Programas\\Valve\\Steam\\SteamApps\\brave1978wm\\deathmatch classic\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Programas\\Valve\\Steam\\SteamApps\\brave1978wm\\ricochet\\hl.exe"="C:\\Programas\\Valve\\Steam\\SteamApps\\brave1978wm\\ricochet\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Programas\\Valve\\Steam\\SteamApps\\brave1978wm\\day of defeat\\hl.exe"="C:\\Programas\\Valve\\Steam\\SteamApps\\brave1978wm\\day of defeat\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Programas\\Valve\\Steam\\SteamApps\\brave1978wm\\team fortress classic\\hl.exe"="C:\\Programas\\Valve\\Steam\\SteamApps\\brave1978wm\\team fortress classic\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Programas\\Yahoo!\\Messenger\\YPager.exe"="C:\\Programas\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Programas\\Yahoo!\\Messenger\\YServer.exe"="C:\\Programas\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Programas\\GameSpy Arcade\\Aphex.exe"="C:\\Programas\\GameSpy Arcade\\Aphex.exe:*:Enabled:GameSpy Arcade"
"C:\\Programas\\Internet Explorer\\iexplore.exe"="C:\\Programas\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Programas\\BitComet\\BitComet.exe"="C:\\Programas\\BitComet\\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client"
"C:\\Programas\\eMule\\emule.exe"="C:\\Programas\\eMule\\emule.exe:*:Enabled:eMule"
"C:\\Programas\\HLSW\\hlsw.exe"="C:\\Programas\\HLSW\\hlsw.exe:*:Enabled:HLSW"
"C:\\Brave\\eXtreme\\mirc.exe"="C:\\Brave\\eXtreme\\mirc.exe:*:Enabled:mIRC"
"E:\\BRAVE\\eXtreme\\mirc32.exe"="E:\\BRAVE\\eXtreme\\mirc32.exe:*:Enabled:mIRC"
"C:\\Programas\\MSN Messenger\\msnmsgr.exe"="C:\\Programas\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"C:\\Programas\\DAP\\DAP.exe"="C:\\Programas\\DAP\\DAP.exe:*:Enabled:Download Accelerator Plus (DAP)"
"C:\\Program Files\\mIRC\\mirc.exe"="C:\\Program Files\\mIRC\\mirc.exe:*:Enabled:mIRC"
"C:\\Brave\\eXtreme\\mIRC\\mirc.exe"="C:\\Brave\\eXtreme\\mIRC\\mirc.exe:*:Enabled:mIRC"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Disabled:Microsoft DirectPlay Voice Test"
"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Disabled:Executar uma DLL como uma aplicação"
"C:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\helpctr.exe"="C:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\helpctr.exe:*:Enabled:Assistência Remota - Windows Messenger e Voz"
"C:\\Programas\\FlashGet\\flashget.exe"="C:\\Programas\\FlashGet\\flashget.exe:*:Enabled:Flashget"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Programas\\MSN Messenger\\msnmsgr.exe"="C:\\Programas\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"


Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip


Checking For Files with Hidden Attributes :

C:\WINDOWS\system32\Tools\AC2K.exe
C:\WINDOWS\system32\Tools\AC98.exe
C:\WINDOWS\system32\Tools\ACL98.exe
C:\WINDOWS\system32\Tools\ACLME.exe
C:\WINDOWS\system32\Tools\All.exe
C:\WINDOWS\system32\Tools\AutoClick.exe
C:\WINDOWS\system32\Tools\Change.exe
C:\WINDOWS\system32\Tools\CheckPath.exe
C:\WINDOWS\system32\Tools\Counter.exe
C:\WINDOWS\system32\Tools\DelDv.exe
C:\WINDOWS\system32\Tools\DeleteFiles.exe
C:\WINDOWS\system32\Tools\DelT2.exe
C:\WINDOWS\system32\Tools\DelT2Dv.exe
C:\WINDOWS\system32\Tools\DelTools.exe
C:\WINDOWS\system32\Tools\LostRun.exe
C:\WINDOWS\system32\Tools\RegClean.exe
C:\WINDOWS\system32\Tools\Regexe.exe
C:\WINDOWS\system32\Tools\Restart.exe
C:\WINDOWS\system32\Tools\RunAP.exe
C:\WINDOWS\system32\Tools\RunRegexe.exe
C:\WINDOWS\system32\Tools\SDW98ME.exe
C:\WINDOWS\system32\Tools\SoundDrv.exe
C:\Documents and Settings\q\Application Data\Microsoft\Office\Shortcut Bar\AmbB.tmp
C:\Documents and Settings\q\Application Data\Microsoft\Office\Shortcut Bar\AmbBh.tmp
C:\Documents and Settings\q\Application Data\Microsoft\Office\Shortcut Bar\AmbBs.tmp
C:\Documents and Settings\q\Application Data\Microsoft\Office\Shortcut Bar\Off8.tmp
C:\Documents and Settings\q\Application Data\Microsoft\Office\Shortcut Bar\Off8h.tmp
C:\Documents and Settings\q\Application Data\Microsoft\Office\Shortcut Bar\Off8s.tmp
C:\Documents and Settings\q\Application Data\Microsoft\Office\Shortcut Bar\Pro2.tmp
C:\Documents and Settings\q\Application Data\Microsoft\Office\Shortcut Bar\Pro2h.tmp
C:\Documents and Settings\q\Application Data\Microsoft\Office\Shortcut Bar\Pro2s.tmp
C:\Documents and Settings\q\Application Data\Microsoft\Office\Shortcut Bar\Qui9h.tmp
C:\Documents and Settings\q\Application Data\Microsoft\Office\Shortcut Bar\Qui9s.tmp

Finished

-----

#6 DeLuk

Posted 11 February 2007 - 04:51 PM

ComboFix log

"q" - 07-02-11 15:29:19 Service Pack 2
ComboFix 07-02-11 - Running from: "C:\"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Programas\INSTALL.LOG
C:\WINDOWS\system32\command.pif
C:\INSTALL.LOG


((((((((((((((((((((((((((((((( Files Created from 2007-01-11 to 2007-02-11 ))))))))))))))))))))))))))))))))))


2007-02-11 15:27 880,702 --a------ C:\combofix.exe
2007-02-11 13:53 <DIR> d-------- C:\SDFix
2007-02-11 11:10 <DIR> d-------- C:\DOCUME~1\q\DoctorWeb


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

Rootkit driver pe386 is present. A rootkit scan is required

2007-02-11 15:28 -------- d-------- C:\Programas\flashget
2007-02-11 15:27 -------- d-------- C:\Programas\mozilla firefox
2007-02-11 15:25 -------- d-------- C:\Programas\lx_cats
2007-02-11 13:55 24 --a------ C:\WINDOWS\system32\dvcstatebkp-{00000000-00000000-0000000b-00001102-00000002-80641102}.dat
2007-02-11 13:55 24 --a------ C:\WINDOWS\system32\dvcstate-{00000000-00000000-0000000b-00001102-00000002-80641102}.dat
2007-02-07 15:43 -------- d-------- C:\Programas\hijackthis
2007-02-06 19:40 -------- d-------- C:\Programas\spywareguard
2007-02-06 19:36 -------- d-------- C:\Programas\messengerplus! 3
2007-02-06 19:36 -------- d-------- C:\Programas\messenger
2007-02-06 19:36 -------- d-------- C:\Programas\lexmark 2400 series
2007-02-06 19:34 -------- d-------- C:\Programas\hdd thermometer
2007-02-04 14:46 -------- d-------- C:\Programas\emule
2007-01-31 19:57 -------- d-------- C:\Programas\spywareblaster
2007-01-15 17:32 689280 --a------ C:\WINDOWS\system32\aswboot.exe
2007-01-15 17:26 23352 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-01-15 17:25 43176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-01-15 17:23 90112 --a------ C:\WINDOWS\system32\avastss.scr
2007-01-09 18:09 -------- d-------- C:\Programas\java
2007-01-09 18:09 -------- d-------- C:\Programas\Ficheiros comuns\java
2007-01-09 18:04 -------- d-------- C:\DOCUME~1\q\Application Data\apple computer
2007-01-09 18:02 -------- d-------- C:\Programas\quicktime
2007-01-09 17:59 -------- d-------- C:\DOCUME~1\q\Application Data\lavasoft
2007-01-09 17:58 -------- d-------- C:\Programas\lavasoft
2007-01-09 17:56 -------- d-------- C:\DOCUME~1\q\Application Data\adobe
2007-01-09 17:55 -------- d-------- C:\Programas\Ficheiros comuns\adobe
2007-01-09 14:34 -------- d--h----- C:\Programas\installshield installation information
2007-01-08 20:40 -------- d-------- C:\Programas\winamp
2007-01-08 20:18 -------- d-------- C:\DOCUME~1\q\Application Data\real
2007-01-08 20:16 -------- d-------- C:\Programas\Ficheiros comuns\xing shared
2007-01-08 20:16 -------- d-------- C:\Programas\Ficheiros comuns\real
2007-01-08 20:15 -------- d-------- C:\Programas\real
2007-01-08 17:17 -------- d-------- C:\Programas\ccleaner
2007-01-05 20:58 3770 --a------ C:\WINDOWS\system32\tmp.reg
2007-01-03 11:36 41904 --a------ C:\DOCUME~1\q\Application Data\gdipfontcachev1.dat
2006-12-26 20:55 -------- d-------- C:\Programas\abbyy finereader 6.0 sprint
2006-12-20 23:56 94424 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2006-12-20 23:56 85952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2006-12-20 23:51 31560 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2006-12-09 01:00 73216 --a------ C:\WINDOWS\st6unst.exe
2006-12-09 01:00 249856 --------- C:\WINDOWS\setup1.exe
2006-12-07 06:40 2362184 --a------ C:\WINDOWS\system32\wmvcore.dll
2006-11-15 11:12 2903 --a------ C:\WINDOWS\mozver.dat


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Programas\\Messenger\\msmsgs.exe\" /background"
"RSD_HDDThermo"="\"C:\\Programas\\HDD Thermometer\\HDD Thermometer.exe\""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Steam"=""
"RemoteCenter"="C:\\Programas\\Creative\\MediaSource\\RemoteControl\\RCMan.EXE"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce\CTStartup]
"CTStartup"="\"C:\\Programas\\Creative\\Splash Screen\\CTEaxSpl.EXE\" /play"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"WINDVDPatch"="CTHELPER.EXE"
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"Jet Detection"="C:\\Programas\\Creative\\SBLive\\PROGRAM\\ADGJDet.exe"
"CTStartup"="C:\\Programas\\Creative\\Splash Screen\\CTEaxSpl.EXE /run"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb05.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"MessengerPlus3"="\"C:\\Programas\\MessengerPlus! 3\\MsgPlus.exe\""
"SmcService"="\"C:\\PROGRA~1\\Sygate\\SPF\\smc.exe\" -startgui"
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"NvCplDaemon"="\"RUNDLL32.EXE\" C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="\"nwiz.exe\" /install"
"NvMediaCenter"="\"RunDLL32.exe\" NvMCTray.dll,NvTaskbarInit"
"lxcrmon.exe"="\"C:\\Programas\\Lexmark 2400 Series\\lxcrmon.exe\""
"EzPrint"="\"C:\\Programas\\Lexmark 2400 Series\\ezprint.exe\""
"LXCRCATS"="rundll32 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\LXCRtime.dll,_RunDLLEntry@16"
"SunJavaUpdateSched"="\"C:\\Programas\\Java\\jre1.6.0\\bin\\jusched.exe\""
"QuickTime Task"="\"C:\\Programas\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
"{81559C35-8464-49F7-BB0E-07A383BEF910}"="SpywareGuard"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0




~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20070107-182407-801
O14 - IERESET.INF: START_PAGE_URL=http://www.iol.pt/
backup-20070102-214602-120
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
backup-20070102-214602-937
O4 - HKLM\..\Run: [KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k
backup-20060516-153137-825
O4 - HKLM\..\Run: [websx] C:\Programas\websx\int310785.exe -auto
backup-20060516-153137-689
O4 - HKLM\..\Run: [User Management Configuration] msumc.exe
backup-20060516-153137-128
R3 - Default URLSearchHook is missing

********************************************************************

catchme 0.1 W2K/XP - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

HKLM\SYSTEM\CurrentControlSet\Services\PerfNetk

HKLM\SYSTEM\CurrentControlSet\Services\PerfOSt

HKLM\SYSTEM\CurrentControlSet\Services\PfModNTc

HKLM\SYSTEM\CurrentControlSet\Services\Processorort

HKLM\SYSTEM\CurrentControlSet\Services\prodrv06r

HKLM\SYSTEM\CurrentControlSet\Services\PSchedtedStorage

HKLM\SYSTEM\CurrentControlSet\Services\ql108020

HKLM\SYSTEM\CurrentControlSet\Services\ql12400

HKLM\SYSTEM\CurrentControlSet\Services\RasAcdbe

HKLM\SYSTEM\CurrentControlSet\Services\RasManp

HKLM\SYSTEM\CurrentControlSet\Services\Rasptioe

HKLM\SYSTEM\CurrentControlSet\Services\Rdbssi

HKLM\SYSTEM\CurrentControlSet\Services\RDPDDD

HKLM\SYSTEM\CurrentControlSet\Services\redbookgr

HKLM\SYSTEM\CurrentControlSet\Services\Rksamplegistry

HKLM\SYSTEM\CurrentControlSet\Services\RpcSscator

HKLM\SYSTEM\CurrentControlSet\Services\RSVPs

HKLM\SYSTEM\CurrentControlSet\Services\Secdrvrt

HKLM\SYSTEM\CurrentControlSet\Services\SENSogon

HKLM\SYSTEM\CurrentControlSet\Services\Serialm

HKLM\SYSTEM\CurrentControlSet\Services\sfmanpy

HKLM\SYSTEM\CurrentControlSet\Services\SimbadWDetection

HKLM\SYSTEM\CurrentControlSet\Services\SLIPIC

HKLM\SYSTEM\CurrentControlSet\Services\SoftFaxice

HKLM\SYSTEM\CurrentControlSet\Services\Spoolerr

HKLM\SYSTEM\CurrentControlSet\Services\srooler

HKLM\SYSTEM\CurrentControlSet\Services\Srvervice

HKLM\SYSTEM\CurrentControlSet\Services\SSKBFDV

HKLM\SYSTEM\CurrentControlSet\Services\swenumip

HKLM\SYSTEM\CurrentControlSet\Services\SwPrvi

HKLM\SYSTEM\CurrentControlSet\Services\swwdv

HKLM\SYSTEM\CurrentControlSet\Services\sym_hix

HKLM\SYSTEM\CurrentControlSet\Services\TapiSrvog

HKLM\SYSTEM\CurrentControlSet\Services\Tcpiprv

HKLM\SYSTEM\CurrentControlSet\Services\TDTCPE

HKLM\SYSTEM\CurrentControlSet\Services\Themesrvice

HKLM\SYSTEM\CurrentControlSet\Services\Tonesvr

HKLM\SYSTEM\CurrentControlSet\Services\TSDDDs

HKLM\SYSTEM\CurrentControlSet\Services\UdfsD

HKLM\SYSTEM\CurrentControlSet\Services\UPSphost

HKLM\SYSTEM\CurrentControlSet\Services\usbccgpo

HKLM\SYSTEM\CurrentControlSet\Services\usbhubi

HKLM\SYSTEM\CurrentControlSet\Services\usbscant

HKLM\SYSTEM\CurrentControlSet\Services\V124TOR

HKLM\SYSTEM\CurrentControlSet\Services\ViaIdee

HKLM\SYSTEM\CurrentControlSet\Services\VSSatant

HKLM\SYSTEM\CurrentControlSet\Services\W3SVCme

HKLM\SYSTEM\CurrentControlSet\Services\WDICAp

HKLM\SYSTEM\CurrentControlSet\Services\wg3nlient

HKLM\SYSTEM\CurrentControlSet\Services\winmgmtf

HKLM\SYSTEM\CurrentControlSet\Services\WmdmPmSNP Service

HKLM\SYSTEM\CurrentControlSet\Services\WmimPmSN

HKLM\SYSTEM\CurrentControlSet\Services\WS2IFSLt

HKLM\SYSTEM\CurrentControlSet\Services\wscsvcL

HKLM\SYSTEM\CurrentControlSet\Services\WZCSVCrv

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTStartup = C:\Programas\Creative\Splash Screen\CTEaxSpl.EXE /run???????h??????s?????\?w? ?w???????w???w4???????.??w4???????4???TA?s4????????&2????w???w????????\???\???????????U??w???w\???\???????(?`??????C@?\???\??????s????\??????s\????&2?A??s?&2??C@?x???`|?w\?????@
LXCRCATS = rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...


scan completed successfully
hidden processes: 0
hidden services: 55
hidden files: 0

********************************************************************

Completion time: 07-02-11 15:31:29

-----

After ComboFix scan finished, there were two messages from SpywareGuard (I did not disable it previously to running the scan, maybe I should have?), both saying that IE's homepage had been changed (initially I had it set to blank). Both times I chose to keep the new value (IE's homepage is now http://www.microsoft.com/isapi/redir.dll?p...amp;ar=msnhome; after all the clean up I'll change it back to blank, no problem here, I guess?).

Also, speaking of IE defaults, I do have one quick doubt that is bugging me, hope it's ok if I ask it here?... But I'll leave that to the end, in any case, when we're done with the cleaning...


------------------------------------------------------------------------
------------------------------------------------------------------------


HJT log

Logfile of HijackThis v1.99.1
Scan saved at 15:51:27, on 11-02-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Programas\Alwil Software\Avast4\ashServ.exe
C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\TEMP\1D.tmp
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Programas\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Programas\MessengerPlus! 3\MsgPlus.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programas\Lexmark 2400 Series\lxcrmon.exe
C:\Programas\Lexmark 2400 Series\ezprint.exe
C:\Programas\Java\jre1.6.0\bin\jusched.exe
C:\Programas\Messenger\msmsgs.exe
C:\Programas\HDD Thermometer\HDD Thermometer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\WINDOWS\system32\lxcrcoms.exe
C:\Programas\SpywareGuard\sgmain.exe
C:\Programas\SpywareGuard\sgbhp.exe
C:\Programas\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Ficheiros comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Flashget Catch Url Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Programas\FlashGet\jccatch.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Programas\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Programas\FlashGet\getflash.dll
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Programas\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Programas\Creative\SBLive\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [CTStartup] C:\Programas\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Programas\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SmcService] "C:\PROGRA~1\Sygate\SPF\smc.exe" -startgui
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RunDLL32.exe" NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [lxcrmon.exe] "C:\Programas\Lexmark 2400 Series\lxcrmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Programas\Lexmark 2400 Series\ezprint.exe"
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programas\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programas\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Programas\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RSD_HDDThermo] "C:\Programas\HDD Thermometer\HDD Thermometer.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RemoteCenter] C:\Programas\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - Startup: SpywareGuard.lnk = C:\Programas\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programas\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Programas\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Download All with FlashGet - C:\Programas\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Programas\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.iol.pt/
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://creative.com/su/ocx/15016/CTPID.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programas\Ficheiros comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: Macromedia Updater (mmupdate) - Unknown owner - C:\WINDOWS\TEMP\1D.tmp".exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programas\Sygate\SPF\smc.exe


------------------------------------------------------------------------
------------------------------------------------------------------------


As for how the computer is running at this point, hmm, it's I guess pretty much the same as before having completed these new fixes and after having completed the preliminary clean up, i.e. in terms of the "behaviour" of the computer, I don't notice anything strange, no visible signs that there's anything wrong; apparently at least all is "behaving" normally... (As I mentioned before, after completing the preliminary clean up, i.e. Ad-Aware/SpyBot/AVG Anti-Spyware/Panda ActiveScan, there were no longer any visible symptoms of infection...) Additionally, after all the new fixes, I ran a quick scan with Avast just on C:\Windows just to check, and nothing came up...

Also, a note, regarding traffic detected by the firewall. After the last time I came to post in the forum, on Friday, each time I turned on the computer to check for replies, I chose to always do it offline (with the modem cable disconnected), and only after the computer finished booting (desktop loaded, antivirus, firewall, etc), then I would connect the cable to the modem and go online. As far as I've noticed, checking the firewall traffic log, on these occasions there was no attempted outgoing traffic to that host which I mentioned before (and which I suppose must be suspicious?), that zizza.wuyhahj.biz [208.66.194.9]. Then again, this last time I rebooted the computer (after all fixes completed), for running HJT for a new log, I decided to do it all "the normal way" again (so that, if there was anything bad to be detected by HJT, it would be), i.e. have the cable connected to the modem to let the computer go online from the start. And this time, checking the firewall traffic log, I could notice (suspicious?) attempted outgoing traffic (which was blocked however) to both www.worldbank.org [192.86.99.140] and www.gamespress.com [64.202.163.76], as well as several attempts of outgoing traffic to host 208.66.194.9 (now it wasn't identified as zizza.wuyhahj.biz for the host name, but the host number is the same as that previous one); I don't know if any of this is a sign of anything (and if of anything bad)?... :thumbsup:

Standing by for the more work to be done. And once more, thank you so greatly, for your assistance! :huh:


P.S. Just wondering, back to viruses, and file infectors (a new silly question :flowers:); isn't there a way/program for detecting if a file/which files (of those which were good ones) have been infected/damaged?... (Also I wonder, is that somehow what Avast's Virus Recovery Data Base is for, to prevent this? I mean, so that, when a system/crucial file which once was a good one gets infected/damaged, it can be replaced by a good backed up copy of it which is kept in Avast's VRDB; is that it? I've never created Avast's VRDB cause I've never been too sure I had understood what it was... :huh:)

P.S. 2) Opening Firefox now, to post in the forum, just got the message that it isn't my default browser; some of the fixes must have changed this setting too, I guess?...

P.S. 3) After about 20 min online, still no outgoing traffic attempt to 208.66.194.9, so far, nothing... (This time again I turned on the computer offline, and only after booting, I connected the modem cable.)

Edited by DeLuk, 11 February 2007 - 05:09 PM.
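
As an added example (my own script, not part of this thread and not a HijackThis feature): a small Python triage pass over a HJT log in the format posted above, flagging the kinds of entries the helpers look at first: processes or services running from a TEMP directory, entries marked (file missing), and autostarts given as a bare filename that Windows resolves through the search path. The sample log is a constructed excerpt of the one in this post.

```python
import re
from collections import Counter

# Constructed excerpt of the HijackThis 1.99.1 log posted in this thread.
SAMPLE_HJT_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 15:51:27, on 11-02-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\TEMP\1D.tmp
C:\Programas\Sygate\SPF\smc.exe

O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Macromedia Updater (mmupdate) - Unknown owner - C:\WINDOWS\TEMP\1D.tmp".exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# A path component named TEMP or TMP anywhere in the path.
TEMP_DIR_RE = re.compile(r"(^|\\)(temp|tmp)(\\|$)", re.IGNORECASE)
FILE_MISSING = "(file missing)"
ENTRY_RE = re.compile(r"^[RFNO]\d+ - ")


def parse_hjt(text):
    """Split a HJT log into the running-process paths and the 'Oxx' entries."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False  # a blank line ends the process block
            continue
        if line.lower() == "running processes:":
            in_procs = True
            continue
        if in_procs:
            processes.append(line)
        elif ENTRY_RE.match(line):
            entries.append(line)
    return processes, entries


def launch_target(entry):
    """Best-effort extraction of the executable an O4/O23-style entry launches."""
    kind = entry.split(" - ", 1)[0]
    if kind == "O4":
        target = entry.split("] ", 1)[-1]   # text after the [name] tag
    else:
        target = entry.rsplit(" - ", 1)[-1]  # last ' - ' separated field
    target = target.replace(FILE_MISSING, "").strip()
    if target.startswith('"'):
        return target[1:].split('"', 1)[0]   # quoted path, drop arguments
    return target.split(" ", 1)[0]           # unquoted path, drop arguments


def triage(text):
    """Return (category, line) findings worth a second look by a human."""
    processes, entries = parse_hjt(text)
    findings = []
    for proc in processes:
        if TEMP_DIR_RE.search(proc):
            findings.append(("process-in-temp", proc))
    for entry in entries:
        kind = entry.split(" - ", 1)[0]
        if FILE_MISSING in entry:
            findings.append(("file-missing", entry))
        if kind in ("O4", "O23"):
            target = launch_target(entry)
            if TEMP_DIR_RE.search(target):
                findings.append(("autostart-in-temp", entry))
            elif kind == "O4" and "\\" not in target:
                # Bare names (CTHELPER.EXE, nwiz.exe) are often legitimate, but
                # they are resolved via the search path, so they merit a check.
                findings.append(("autostart-bare-name", entry))
    return findings


def finding_counts(text):
    """Count findings per category, for a quick summary."""
    return dict(Counter(kind for kind, _ in triage(text)))


if __name__ == "__main__":
    for kind, line in triage(SAMPLE_HJT_LOG):
        print(f"{kind:22} {line}")
    print(finding_counts(SAMPLE_HJT_LOG))
```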


#7 DeLuk

Posted 11 February 2007 - 04:59 PM

Oh dear, both previous posts are rather hard to read, cause of the length of the text, caused by parts of the logs; sorry, I don't know how/if that can be fixed somehow?... :thumbsup: (I did have "wrap text" enabled in notepad...) Sorry again! :flowers:

#8 DeLuk

Posted 11 February 2007 - 05:14 PM

Just to test, I rebooted, now again having the modem cable connected from the start, and what do you know, attempted outgoing traffic to 208.66.194.9 and to zizza.wuyhahj.biz [208.66.194.9] have already been logged by the firewall (and keep being, several attempts). Hmm...

#9 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • OFFLINE
  •  
  • Location:Ontario
  • Local time:09:56 PM

Posted 12 February 2007 - 10:53 AM

Hi

Don't worry too much about the posts being a little borked. I can still read it.

Warnings from your SpywareGuard...
If you want IE to be about:Blank you can change that later. Some of these tools do reset IE settings to default.
This also means if your FF was default browser you can change this back as well.
There may be a few other settings you will need to re-do to put them back to where you had em.

Avast VRDB....
"Millerroy" explains it fairly well here:
http://forums.firingsquad.com/firingsquad/...;message.id=591

I just started with Avast myself so I am in the learning stages of it as well. Sounds like a pretty good idea.

Coupled with ERUNT and your other security software you will have things covered pretty well as long as common sense is used while surfing, downloading, etc is used.

Still have some pretty nasty stuff running around. At least one rootkit. This one is hammering out spam emails and possibly hiding a bunch more crap.
We are not going to make much progress till we rip that bazaa outa there.

Doing the DrWeb scan like you did was correct. If the floppy & CD drives were empty...no need to check em.
We ran DrWeb first to remove remains of Sality so the tools we are working with don't give up the ghost.

System restore.....
We'll leave that till last to flush out. If something goes wrong during the cleanup and you can't boot I'll take an infected restore point over nothing.
Thing is working with the nature of infections you have...never know what is going to happen. I like to work with safety net. :thumbsup:
There is still active junk onboard and a fair bit of work to do yet.

This:

Furious_calc_Cracked.exe;F:\Vários\Programa Desbloqueio\calc;BackDoor.Seed.11;Incurável.Movido.;

I see a fair number of AV programs flag it but I really can't find enough info on the malware to determine what exactly this one does.
Where did your brother get that program?
What does this translate to?:
F:\Vários\Programa Desbloqueio

I see that file has been moved...
Can you zip up and upload this to me?

C:\Documents and settings\q\DoctorWeb\quarantaine <--zip this
C:\SDFix\Backups.zip <--send this also

Upload both files to this site please:

http://www.bleepingcomputer.com/submit-mal....php?channel=20

In the comment section please put the link to this thread.

Okie...on to removing this rootkit.

Download
http://www.uploads.ejvindh.net/rustbfix.exe
And save it to your desktop.

Double click on rustbfix.exe to run the tool.
If a Rustock.b-infection is found, you will shortly hereafter be asked to reboot the computer.
The reboot will probably take quite a while, and perhaps 2 reboots will be needed.
But this will happen automatically. After the reboot 2 logfiles will open (%root%\avenger.txt & %root%\rustbfix\pelog.txt).

Post the content of these logfiles along with a new HijackThis log and a new combofix log.

Will be more work to do.

Thanks
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?.

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware

#10 DeLuk

Posted 12 February 2007 - 04:38 PM

as long as common sense is used while surfing, downloading, etc


Wise words. Common sense - oh if only everyone shared (at least a bit of) that?...

Thanks once more Blender, for the new reply and instructions.

Regarding Furious_calc_Cracked.exe;F:\Vários\Programa Desbloqueio\calc;BackDoor.Seed.11;Incurável.Movido.; and the related program, where my brother got it, well, it must have been on some Internet site, or then some mate sent it to him via MSN or IRC, I can guess it must have been that; but I'll confirm it with him later and let you know for sure.

"F:\Vários\Programa Desbloqueio" translates to "F:\Various\Unblocking Program". But this is, I suppose, just a random folder where the program was located, don't think it's an actual installation folder; I guess it's not a program really installed (as in showing in the Add/Remove Programs list, at least); it must have just been unzipped to the folder where it ran from, or something like that, I suppose. But I'll try to confirm this too with my brother (if he knows about it at all; he's not one for paying much attention to details, as it's no wonder by now). (I'll also ask him if he still has the setup/zip file of this program and, if so, I may also send that to you for further analysis, if you wish. Or I may even just zip the whole directory where that was located, though that's ca. 10 MB... :-S)

Following this post, I'll upload both zips you've requested. (Hope I'll do it right; I've never uploaded an attachment here in the forum...)

And also, here are all the requested logs: (Again, I ran every other scan offline except HJT, which I ran online.)

------------------------------------------------------------
------------------------------------------------------------


Avenger log

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\mhkohksa

*******************

Script file located at: \??\C:\Program Files\qpgvivae.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Driver PE386 unloaded successfully.
Program C:\Rustbfix\2run.bat successfully set up to run once on reboot.

Completed script processing.

*******************

Finished! Terminate.


------------------------------------------------------------
------------------------------------------------------------


Rustbfix pelog log

************************* Rustock.b-fix -- By ejvindh *************************
12-02-2007 17:39:36.44

******************* Pre-run Status of system *******************

Rootkit driver PE386 is found. Starting the unload-procedure....

Rustock.b-ADS attached to the System32-folder:
:lzx32.sys 66088
Total size: 66088 bytes.
Attempting to remove ADS...
system32: deleted 66088 bytes in 1 streams.

Looking for Rustock.b-files in the System32-folder:
No Rustock.b-files found in system32


******************* Post-run Status of system *******************

Rustock.b-driver on the system: NONE!

Rustock.b-ADS attached to the System32-folder:
No System32-ADS found.

Looking for Rustock.b-files in the System32-folder:
No Rustock.b-files found in system32


******************************* End of Logfile ********************************


------------------------------------------------------------
------------------------------------------------------------


HJT log (Although HJT was the last scan I ran, I'm posting its log next and will leave the ComboFix one for a separate individual post to follow, so that only that post gets "borked" eventually...)

Logfile of HijackThis v1.99.1
Scan saved at 18:39:33, on 12-02-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Programas\Alwil Software\Avast4\ashServ.exe
C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\TEMP\1D.tmp
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Programas\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Programas\MessengerPlus! 3\MsgPlus.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programas\Lexmark 2400 Series\lxcrmon.exe
C:\Programas\Lexmark 2400 Series\ezprint.exe
C:\Programas\Java\jre1.6.0\bin\jusched.exe
C:\Programas\Messenger\msmsgs.exe
C:\Programas\HDD Thermometer\HDD Thermometer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\WINDOWS\system32\lxcrcoms.exe
C:\Programas\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Programas\SpywareGuard\sgmain.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programas\SpywareGuard\sgbhp.exe
C:\Programas\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Ficheiros comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Flashget Catch Url Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Programas\FlashGet\jccatch.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Programas\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Programas\FlashGet\getflash.dll
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Programas\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Programas\Creative\SBLive\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [CTStartup] C:\Programas\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Programas\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SmcService] "C:\PROGRA~1\Sygate\SPF\smc.exe" -startgui
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RunDLL32.exe" NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [lxcrmon.exe] "C:\Programas\Lexmark 2400 Series\lxcrmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Programas\Lexmark 2400 Series\ezprint.exe"
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programas\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programas\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Programas\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RSD_HDDThermo] "C:\Programas\HDD Thermometer\HDD Thermometer.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RemoteCenter] C:\Programas\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - Startup: SpywareGuard.lnk = C:\Programas\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programas\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Programas\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Download All with FlashGet - C:\Programas\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Programas\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.iol.pt/
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://creative.com/su/ocx/15016/CTPID.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programas\Ficheiros comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: Macromedia Updater (mmupdate) - Unknown owner - C:\WINDOWS\TEMP\1D.tmp".exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programas\Sygate\SPF\smc.exe


------------------------------------------------------------
------------------------------------------------------------

Once again thank you so much for all your time and help! :thumbsup: Standing by for follow up instructions... (I see ComboFix still displays the same rootkit alert as before which I'm guessing isn't that good news... :-S)

#11 DeLuk

Posted 12 February 2007 - 04:41 PM

(Edit: replaced previous repeated log with new correct one.)

ComboFix log

-----

"q" - 07-02-12 17:48:06 Service Pack 2
ComboFix 07-02-11 - Running from: "C:\"

((((((((((((((((((((((((((((((( Files Created from 2007-01-12 to 2007-02-12 ))))))))))))))))))))))))))))))))))


2007-02-12 17:43 <DIR> d-------- C:\avenger
2007-02-12 17:39 <DIR> d-------- C:\Rustbfix
2007-02-11 15:27 880,702 --a------ C:\combofix.exe
2007-02-11 13:53 <DIR> d-------- C:\SDFix
2007-02-11 11:10 <DIR> d-------- C:\DOCUME~1\q\DoctorWeb


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-02-12 17:48 -------- d-------- C:\Programas\flashget
2007-02-12 17:44 -------- d-------- C:\Programas\lx_cats
2007-02-12 17:41 24 --a------ C:\WINDOWS\system32\dvcstatebkp-{00000000-00000000-0000000b-00001102-00000002-80641102}.dat
2007-02-12 17:41 24 --a------ C:\WINDOWS\system32\dvcstate-{00000000-00000000-0000000b-00001102-00000002-80641102}.dat
2007-02-12 17:32 -------- d-------- C:\Programas\mozilla firefox
2007-02-11 15:51 -------- d-------- C:\Programas\hijackthis
2007-02-06 19:40 -------- d-------- C:\Programas\spywareguard
2007-02-06 19:36 -------- d-------- C:\Programas\messengerplus! 3
2007-02-06 19:36 -------- d-------- C:\Programas\messenger
2007-02-06 19:36 -------- d-------- C:\Programas\lexmark 2400 series
2007-02-06 19:34 -------- d-------- C:\Programas\hdd thermometer
2007-02-04 14:46 -------- d-------- C:\Programas\emule
2007-01-31 19:57 -------- d-------- C:\Programas\spywareblaster
2007-01-15 17:32 689280 --a------ C:\WINDOWS\system32\aswboot.exe
2007-01-15 17:26 23352 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-01-15 17:25 43176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-01-15 17:23 90112 --a------ C:\WINDOWS\system32\avastss.scr
2007-01-09 18:09 -------- d-------- C:\Programas\java
2007-01-09 18:09 -------- d-------- C:\Programas\Ficheiros comuns\java
2007-01-09 18:04 -------- d-------- C:\DOCUME~1\q\Application Data\apple computer
2007-01-09 18:02 -------- d-------- C:\Programas\quicktime
2007-01-09 17:59 -------- d-------- C:\DOCUME~1\q\Application Data\lavasoft
2007-01-09 17:58 -------- d-------- C:\Programas\lavasoft
2007-01-09 17:56 -------- d-------- C:\DOCUME~1\q\Application Data\adobe
2007-01-09 17:55 -------- d-------- C:\Programas\Ficheiros comuns\adobe
2007-01-09 14:34 -------- d--h----- C:\Programas\installshield installation information
2007-01-08 20:40 -------- d-------- C:\Programas\winamp
2007-01-08 20:18 -------- d-------- C:\DOCUME~1\q\Application Data\real
2007-01-08 20:16 -------- d-------- C:\Programas\Ficheiros comuns\xing shared
2007-01-08 20:16 -------- d-------- C:\Programas\Ficheiros comuns\real
2007-01-08 20:15 -------- d-------- C:\Programas\real
2007-01-08 17:17 -------- d-------- C:\Programas\ccleaner
2007-01-05 20:58 3770 --a------ C:\WINDOWS\system32\tmp.reg
2007-01-03 11:36 41904 --a------ C:\DOCUME~1\q\Application Data\gdipfontcachev1.dat
2006-12-26 20:55 -------- d-------- C:\Programas\abbyy finereader 6.0 sprint
2006-12-20 23:56 94424 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2006-12-20 23:56 85952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2006-12-20 23:51 31560 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2006-12-09 01:00 73216 --a------ C:\WINDOWS\st6unst.exe
2006-12-09 01:00 249856 --------- C:\WINDOWS\setup1.exe
2006-12-07 06:40 2362184 --a------ C:\WINDOWS\system32\wmvcore.dll
2006-11-15 11:12 2903 --a------ C:\WINDOWS\mozver.dat


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Programas\\Messenger\\msmsgs.exe\" /background"
"RSD_HDDThermo"="\"C:\\Programas\\HDD Thermometer\\HDD Thermometer.exe\""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Steam"=""
"RemoteCenter"="C:\\Programas\\Creative\\MediaSource\\RemoteControl\\RCMan.EXE"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce\CTStartup]
"CTStartup"="\"C:\\Programas\\Creative\\Splash Screen\\CTEaxSpl.EXE\" /play"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"WINDVDPatch"="CTHELPER.EXE"
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"Jet Detection"="C:\\Programas\\Creative\\SBLive\\PROGRAM\\ADGJDet.exe"
"CTStartup"="C:\\Programas\\Creative\\Splash Screen\\CTEaxSpl.EXE /run"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb05.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"MessengerPlus3"="\"C:\\Programas\\MessengerPlus! 3\\MsgPlus.exe\""
"SmcService"="\"C:\\PROGRA~1\\Sygate\\SPF\\smc.exe\" -startgui"
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"NvCplDaemon"="\"RUNDLL32.EXE\" C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="\"nwiz.exe\" /install"
"NvMediaCenter"="\"RunDLL32.exe\" NvMCTray.dll,NvTaskbarInit"
"lxcrmon.exe"="\"C:\\Programas\\Lexmark 2400 Series\\lxcrmon.exe\""
"EzPrint"="\"C:\\Programas\\Lexmark 2400 Series\\ezprint.exe\""
"LXCRCATS"="rundll32 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\LXCRtime.dll,_RunDLLEntry@16"
"SunJavaUpdateSched"="\"C:\\Programas\\Java\\jre1.6.0\\bin\\jusched.exe\""
"QuickTime Task"="\"C:\\Programas\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
"{81559C35-8464-49F7-BB0E-07A383BEF910}"="SpywareGuard"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0



********************************************************************

catchme 0.1 W2K/XP - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTStartup = C:\Programas\Creative\Splash Screen\CTEaxSpl.EXE /run???????h??????s?????\?w? ?w???????w???w4???????.??w4???????4???TA?s4????????&2????w???w????????\???\???????????U??w???w\???\????????u`??????C@?\???\??????s????\??????s\????&2?A??s?&2??C@?x???`|?w\?????@
LXCRCATS = rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-02-12 17:50:55
C:\ComboFix2.txt ... 07-02-11 15:31

Edited by DeLuk, 13 February 2007 - 04:03 PM.


#12 DeLuk

Posted 12 February 2007 - 07:39 PM

Back about Furious_calc_Cracked.exe, I checked with my brother and, as I was guessing, he did get that from some Internet site. (About the setup/zip file of this program, he doesn't know if he has that anymore...)

Then, and still back about System Restore, just one more basic question, may I? :thumbsup: (Please enlighten me about this detail, as this is what always makes me worry in the end...) Can malicious items stored in System Restore infect the computer (even) if System Restore isn't used for restoring the system? I mean, if System Restore is itself infected, if there is any malicious item stored in it, then, if one uses System Restore to restore the system, I take it as obvious that that action will of course cause the system to become (re)infected (right?). But what in the case of System Restore not being used; may malicious items stored in there still infect the system nonetheless (i.e. independently of System Restore being run or not, after an infection), is there this possibility? (Sorry if this is again one silly doubt too many... :flowers: )

And also, still on the System Restore subject, just a little something else: if a malicious item is found in System Restore by antivirus/malware scanners, if one chooses to delete/eliminate/quarantine it, it does get deleted/eliminated/quarantined, correct? (In other words, System Restore isn't "untouchable" by antivirus/malware scanners; these can/do effectively clean it, if chosen to, right? Or?)

On a side note, I additionally just ran a new full Avast scan, just for checking up, and only one item was found this time:

C:\System Volume Information\_restore{8E12C9B1-F7B5-42CA-A78E-C628A7FD5F9F}\RP42\A0016063.exe [L] Win32:Tibs-AIE [Trj] (0)

(I took no action on it, really just ran a scan to check up.)

Edited by DeLuk, 12 February 2007 - 07:40 PM.


#13 Blender

Posted 13 February 2007 - 04:10 AM

Hi :flowers:

Your rustbfix log and avenger log show it has removed the rustock.b rootkit. :huh:

You got the files I asked for uploaded OK. Thanks. I will look at them shortly.

Thanks for the translation on that folder. Most likely it was unzipped to that location.
I think this is a tool that is supposed to be able to "activate" cell phones or something. Generates codes?
It doesn't look to be a program that would "Install" as in add/remove programs.

Only 2 detections at Virus total for that file:
DrWeb 4.33 02.13.2007 BackDoor.Seed.11
UNA 1.83 02.09.2007 I-Worm.Bagle.av

Looks like it may have been downloaded from a torrent maybe?
I found this: (Your brother may know/remember)
http://www.demonoid.com/files/details/3903...;ref=1152965116

When I attempted to download it my Avast went crazy detecting hackarmy trojan.

Once I finally got it downloaded/unzipped one file in there was same as the one you uploaded.
Same detections.

Regarding system restore....

In many cases antivirus/antispyware apps cannot access System Restore. Windows protects the restore folder so no programs can modify it. You won't even be able to open its folder. So in theory no programs should be able to access it either (except Windows itself).
I guess in theory something nasty could pull infected files from restore and run them (which I won't explain for obvious reasons), but generally files are safe there as long as you don't actually use System Restore to go back to an infected restore point.
I like to leave restore alone till we are done working 'cause I don't want to lose my only backup if something really goes wrong. I am very careful in what I do but I can/do make mistakes, and often the malware involved can throw a huge monkey wrench into the whole deal.
If I have to resort to bringing the system back to an infected state via restore.... so be it. We just try something else.
But without restore we have nothing.

If your AV does detect items there and wants to delete/quarantine them... you can let it. Avast seems to be able to access/deal with restore. They have their own special permissions to deal with these files safely.
Reason I like to flush it anyway is because even if nasty files are gone..... there are corrupt registry keys in there. If you used restore you would end up with corrupted registry items.

And would you quit calling your questions silly?? :thumbsup:
I think they are good questions worth answering.

----------------------------

I'd like to know more about this service:

O23 - Service: Macromedia Updater (mmupdate) - Unknown owner - C:\WINDOWS\TEMP\1D.tmp".exe (file missing)

HijackThis reports the file missing, but I don't think this is so.

Go here:

C:\Windows\temp

See if you can locate these files: 1D.tmp, 1D.tmp".exe

If found please upload them here:

http://www.bleepingcomputer.com/submit-mal....php?channel=20

Just like you did the others.

Some registry info I want.

Click start> run> type: cmd.exe and hit enter.
Copy this line:

regedit /a /e c:\reg1.txt "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mmupdate"

Right click in open cmd window and choose "paste"
Hit enter.
That will get me the registry info I need. Keep the cmd window open.

next:

Type these commands and hit enter after each one:

sc stop mmupdate
sc delete mmupdate


May get error on first one-- if error continue anyways.
Second command should say success.

Close the cmd window & reboot to SAFE mode.

Delete entire contents of:

C:\Windows\Temp

Open Internet options in control panel
Click "Delete files" and check "delete offline content", then OK. This may take a few minutes.

Click start> run> type: cleanmgr and hit enter.
Have ONLY these checked:

Temporary Internet files
Temporary files
Recycle bin

Hit OK to clean. This may take a few minutes.

Reboot back to normal mode.

Please post:

New Hijackthis log
Contents of C:\reg1.txt

I think you posted combofix2.txt. That is the old scan. Can you post combofix.txt please? That is the new one.

Let me know how machine is running.

Thanks! :huh:
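One way to automate the check the helper does by eye on that O23 line (an added example for this thread, not HijackThis code or the helper's own tooling; the log excerpt inside it is constructed in the thread's log format): it flags autorun/service paths under a Temp directory, paths with a stray double quote like 1D.tmp".exe, and services marked "(file missing)" whose path prefix is nevertheless in the Running processes list.

```python
"""Audit HijackThis v1.99 O4/O23 entries for the pattern seen in this thread.

Added example; not HijackThis code. Three defender-side checks on the log
format shown in the thread: a path under a Temp directory, an unbalanced
double quote in the path, and a service HJT reports as "(file missing)"
while the part of the path before the stray quote is a running process.
"""
import re
from dataclasses import dataclass

# Constructed excerpt in HijackThis log format (modelled on the thread's
# log; not the full log).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1 (constructed excerpt)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\TEMP\1D.tmp
C:\WINDOWS\system32\nvsvc32.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - Startup: SpywareGuard.lnk = C:\Programas\SpywareGuard\sgmain.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: Macromedia Updater (mmupdate) - Unknown owner - C:\WINDOWS\TEMP\1D.tmp".exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# O4 lines come as "[name] command" or "something.lnk = target".
O4_RE = re.compile(
    r"^O4 - (?P<loc>.+?): (?:\[(?P<name>[^\]]*)\] (?P<cmd>.+)"
    r"|(?P<lnk>.+?\.lnk) = (?P<target>.+))$")
# O23 lines are "name - owner - path"; an empty owner prints as "name - - path".
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?:(?P<owner>.*?) - |- )(?P<path>.+)$")
MISSING = " (file missing)"
TEMP_RE = re.compile(r"\\(?:temp|tmp)\\", re.IGNORECASE)


@dataclass
class Entry:
    kind: str            # "O4" or "O23"
    name: str
    path: str            # command line / image path exactly as HJT printed it
    file_missing: bool = False


def parse_hjt(text):
    """Return (running_processes, entries, unparsed_lines)."""
    procs, entries, unparsed = set(), [], []
    in_procs = False
    for line in text.splitlines():
        line = line.rstrip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:                      # block ends at the first blank line
            if line:
                procs.add(line.lower())
            else:
                in_procs = False
            continue
        if line.startswith("O23 - "):
            missing = line.endswith(MISSING)
            m = O23_RE.match(line[:-len(MISSING)] if missing else line)
            if m:
                entries.append(Entry("O23", m["name"], m["path"], missing))
            else:
                unparsed.append(line)     # never drop a service silently
        elif line.startswith("O4 - "):
            m = O4_RE.match(line)
            if m:
                entries.append(Entry("O4", m["name"] or m["lnk"],
                                     m["cmd"] or m["target"]))
            else:
                unparsed.append(line)
    return procs, entries, unparsed


def audit(text):
    """Return [(kind, name, path, reasons)] for entries that deserve a look."""
    procs, entries, _ = parse_hjt(text)
    findings = []
    for e in entries:
        reasons = []
        if TEMP_RE.search(e.path):
            reasons.append("runs from a Temp directory")
        if e.path.count('"') % 2 == 1:
            reasons.append("unbalanced quote in path")
            # The text before the stray quote is the file the service most
            # likely points at; HJT's existence check used the mangled path.
            prefix = e.path.split('"', 1)[0].strip().lower()
            if e.file_missing and prefix in procs:
                reasons.append("HJT says file missing, but %s is in "
                               "Running processes" % prefix)
        if reasons:
            findings.append((e.kind, e.name, e.path, reasons))
    return findings


if __name__ == "__main__":
    for kind, name, path, reasons in audit(SAMPLE_LOG):
        print("%s %s -> %s" % (kind, name, path))
        for r in reasons:
            print("    -", r)
```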

#14 DeLuk

Posted 13 February 2007 - 04:21 PM

Hi, and once more thank you, for the prompt reply. :huh:

First off, sorry so much for the mix-up with the ComboFix logs; indeed, ComboFix2.txt was the one I posted. :huh: I guess it was that line at the end, C:\ComboFix2.txt ... 07-02-11 15:31, that led me to assume this would be the file of the new log, so that I didn't even notice the date! *dumb me* I'm so very sorry, again. :huh: I have now edited the respective previous post with the new correct log. (So the rootkit alert was gone already then! Good news after all? :o)

And back about System Restore, thanks so much also for all the further explanations. :) Yes, I know that without restore we have nothing in case one needs to go back, and then an infected system is always better than a completely dead one, yes indeed. Anyways I'll leave worrying about it for last, okie. (And okie, I'll quit calling my questions silly, deal. :huh:)

Then, about Furious_calc_Cracked.exe, yes, as I mentioned previously, that's it, that's a program/part of a program to "unlock/activate" cell phones, exactly. To generate codes, yes, I think that's it. My brother doesn't recall it having been downloaded from that site you pointed to; it must've been from elsewhere, he doesn't know where anymore anyway. (As I was saying before, maybe it's just been some of his mates on MSN or IRC who gave him some download link, as with everything, and he just went there to get the program; I can bet it's been something like this...)

All in all, I have zipped the whole folder "Programa Desbloqueio" and have uploaded it, in case it's useful for anything at all, should you wish to do some further analysis on any of those programs/files in there. There are a few setup files in there, I suppose each for a different program (my brother does actually have 3 of those installed; at least showing here in the Add/Remove Programs list, it's 3; I don't know if that Furious_calc_Cracked.exe actually relates to any of them) or maybe for some crack to those programs or something, I have no idea, but in any case, should you wish to have a look at that stuff... I've uploaded the zip to the temporary hosting service YouSendIt (as it's ca. 8 MB and I didn't know whether I could or even should upload it to the BC database when it is of such a big size, and without having been requested to do so); hope there's no inconvenience in that?... Here's the download link -> http://download.yousendit.com/9594E22D50AC98B1

But so, back on issue, I have now completed the new instructions.

Regarding files 1D.tmp and 1D.tmp".exe, only 1D.tmp existed, 1D.tmp".exe didn't. (I did also perform a search, just for the sake of it, having hidden and system files showing, and 1D.tmp".exe wasn't found anywhere in the computer.) I've just uploaded 1D.tmp (zipped) for you as requested.

Also, a couple of notes about this file 1D.tmp.

At the primary stage of infection (i.e. before even doing the preliminary clean-up/when I first turned on the computer after my brother had infected it), besides Sygate firewall reporting about C:\Windows\System32\taskdir.exe being connected from remote machine [81.177.26.27] using port 80, as I then referred to in my initial post, it also did report about C:\Windows\Temp\1D.tmp attempting to connect to [85.255.119.235] using port 80. (And actually there were two other messages, one about services.exe being contacted from remote machine [218.147.94.166] by port 11271, and the other also about services.exe, then attempting to connect to [84.97.117.74], as well by port 11271.) At the time I did block all these connection attempts at once, and later (those of services.exe didn't show again), as those for both taskdir.exe and 1D.tmp kept appearing each new time the computer was booted, I blocked them permanently (i.e. chose for Sygate firewall to remember my answer so that it wouldn't keep displaying the warning message).

At the time, as I then saw that file being referred to in the HJT log as relating to this supposed Macromedia Updater service, I didn't take it as a possible symptom/something malicious, and thought that might be just a coincidence and that it did just relate to some updating service for any of the Macromedia (now Adobe's) web players we have installed, Flash or Shockwave (I think I recall having set Flash to auto-update when I installed it); which is why I also didn't mention this file and the respective Sygate message in my initial post. And that despite this particular file having actually been created at the very same date and time (04-02-2007 at 05:00) as those other ones, taskdir.exe and adir.dll, which were detected as malicious (when there's some infection, when some file is detected by the antivirus or whatever, one of the first things I always do is to search what additional files have the same creation date/time, just to have an idea/take for reference); but again, I thought that could just be coincidence. Nonetheless I kept this file blocked by the firewall all of the time (as if there was something to be updated on any Macromedia players, so I thought, I didn't want it to be updated in the middle of an infection anyway, but rather afterwards when everything would hopefully be clean again; I always like to make sure that every new thing is installed in a clean environment).

But now with you asking about it, and looking back, I see that maybe none of it was coincidence and this was "one of the nasties" after all, would it be?... :thumbsup: (There are various attempted outgoing traffic reports for this file, every day, in the firewall log, the last one being from today, before the file was now deleted; after that, no more traffic logged to host 85.255.119.235 from any file...)

I also submitted it for analysis at Jotti's Online Malware Scan and a few scanners actually identified something:

BitDefender -> Behaves.Like:Win32.Backdoor (probable variant)
Fortinet -> Bdoor.ACK!tr
VirusBuster -> TrojanUpdater.H
VBA32 -> MalwareScope.Trojan-Proxy.Horst.1

Then again, as I mentioned in my initial post, in the step of running CCleaner, I ran it even having disabled the option to delete only the files which are older than 48 hours in the Windows Temp folders. But this particular file actually didn't get deleted, even then. So I wanted to just test it, now again. (Previously I had saved the file in a zip for sending to you, of course, so that in case it would get deleted this time I would still have your sample.) So I ran CCleaner; first I ran the analyzer, and in the list of files set for deletion there indeed was C:\Windows\Temp\1D.tmp; then I ran the cleaner, yet the file wasn't deleted.

So next I went on with the rest of the new instructions.

Here's what was displayed after performing the command sc stop mmupdate:

SERVICE_NAME: mmupdate
TYPE: 10 WIN32_OWN_PROCESS
STATE: 1 STOPPED
(NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE: 0 (0x0)
SERVICE_EXIT_CODE: 0 (0x0)
CHECKPOINT: 0x0
WAIT_HINT: 0x0

And after performing sc delete mmupdate:

[SC] DeleteService SUCCESS

Next I completed the rest of the steps to do. Only a note, though: when I was going to reboot back to Normal Mode, there was a "Terminate program" message for explorer.exe, showing a progress bar, and after the progress bar completed, it still said "This program is not responding", but a few seconds after that it disappeared and the reboot went on normally. (Maybe I went for the reboot just a moment too early after cleanmgr had finished; maybe that was the reason for that message?...)

Next are both reports you requested, new HJT log and reg1.txt saved from regedit /a /e c:\reg1.txt "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mmupdate".

---------------------------------------------
---------------------------------------------


HJT log (that line referring to that Macromedia Updater service is gone now at least)

-----

Logfile of HijackThis v1.99.1
Scan saved at 16:31:56, on 13-02-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Programas\Alwil Software\Avast4\ashServ.exe
C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Programas\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Programas\MessengerPlus! 3\MsgPlus.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programas\Lexmark 2400 Series\lxcrmon.exe
C:\Programas\Lexmark 2400 Series\ezprint.exe
C:\Programas\Java\jre1.6.0\bin\jusched.exe
C:\Programas\Messenger\msmsgs.exe
C:\Programas\HDD Thermometer\HDD Thermometer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\WINDOWS\system32\lxcrcoms.exe
C:\Programas\SpywareGuard\sgmain.exe
C:\Programas\SpywareGuard\sgbhp.exe
C:\Programas\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Ficheiros comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Flashget Catch Url Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Programas\FlashGet\jccatch.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Programas\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Programas\FlashGet\getflash.dll
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Programas\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Programas\Creative\SBLive\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [CTStartup] C:\Programas\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Programas\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SmcService] "C:\PROGRA~1\Sygate\SPF\smc.exe" -startgui
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RunDLL32.exe" NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [lxcrmon.exe] "C:\Programas\Lexmark 2400 Series\lxcrmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Programas\Lexmark 2400 Series\ezprint.exe"
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programas\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programas\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Programas\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RSD_HDDThermo] "C:\Programas\HDD Thermometer\HDD Thermometer.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RemoteCenter] C:\Programas\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - Startup: SpywareGuard.lnk = C:\Programas\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programas\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Programas\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Download All with FlashGet - C:\Programas\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Programas\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.iol.pt/
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://creative.com/su/ocx/15016/CTPID.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programas\Ficheiros comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programas\Sygate\SPF\smc.exe


---------------------------------------------
---------------------------------------------


reg1.txt

-----

REGEDIT4

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mmupdate]
"Type"=dword:00000010
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):22,43,3a,5c,57,49,4e,44,4f,57,53,5c,54,45,4d,50,5c,31,44,2e,\
74,6d,70,22,20,2f,63,68,65,63,6b,3d,31,64,00
"DisplayName"="Macromedia Updater"
"ObjectName"="LocalSystem"
"Description"="Support of the Macromedia Products update process"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mmupdate\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mmupdate\Enum]
"0"="Root\\LEGACY_MMUPDATE\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001


---------------------------------------------
---------------------------------------------

About how the machine is running at present, well, all looks normal, as before; as far as I notice, there's nothing visibly showing anything going wrong... (Would there be anything specific that I should take notice of?... I don't quite know what exactly to answer to this question, when you ask it... :flowers: As I say, I'm no computer expert, AT ALL, totally on the contrary, so I fear that my eye may not be so sharp as to recognise what should be detected, or even just to know what to look for... :huh: BTW, just to add also that at no time since has any more traffic been logged to that zizza host 208.66.194.9...)


Thank you so very much, one time again, for your assistance! :)


P.S. At this time I have Windows updates ready for transfer. Should I allow those to be downloaded at this point, and when transferred, go on and install? (Or should I rather hold on for any download/update until clean up is all completed and finished?) Please advise.

Edited by DeLuk, 14 February 2007 - 06:37 AM.
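As an added example (my own code, not anything from BleepingComputer or from the helper's tools), here is how the hex(2) ImagePath in the reg1.txt above decodes, together with a check that flags a service like this one; the SAMPLE export is constructed from the quoted key, and the "runs from a temp directory" and extension rules are my own heuristics.

```python
# Added example; SAMPLE is constructed from the reg1.txt quoted above (Start/ImagePath/ObjectName only).
import re

SAMPLE = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mmupdate]
"Start"=dword:00000002
"ImagePath"=hex(2):22,43,3a,5c,57,49,4e,44,4f,57,53,5c,54,45,4d,50,5c,31,44,2e,\
  74,6d,70,22,20,2f,63,68,65,63,6b,3d,31,64,00
"ObjectName"="LocalSystem"
'''

def decode_value(raw, utf16):
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex"):                       # hex(1)/hex(2) = REG_SZ/REG_EXPAND_SZ
        data = bytes(int(b, 16) for b in raw.split(":", 1)[1].split(",") if b)
        if raw.startswith(("hex(1)", "hex(2)")):
            return data.decode("utf-16-le" if utf16 else "cp1252").rstrip("\0")
        return data
    return raw.strip('"')

def parse_reg(text):
    # REGEDIT4 stores strings as ANSI bytes; "Version 5.00" exports use UTF-16LE
    utf16 = text.lstrip().startswith("Windows Registry Editor")
    text = re.sub(r",\\\r?\n\s*", ",", text)        # join backslash-continued hex lines
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif line.startswith('"') and current:
            name, _, raw = line[1:].partition('"=')
            keys[current][name] = decode_value(raw, utf16)
    return keys

def audit_services(reg_text):
    """Flag Services\\<name> keys (not their \\Security/\\Enum subkeys) whose
    binary lives under a Temp directory or is not a .exe/.sys file."""
    findings = []
    for key, vals in parse_reg(reg_text).items():
        if "ImagePath" not in vals or key.count("\\") != 4:
            continue
        p = vals["ImagePath"].strip()               # drop quoting and arguments
        exe = p[1:p.index('"', 1)] if p.startswith('"') else p.split(" ", 1)[0]
        checks = {"runs from a temp directory": "\\temp\\" in exe.lower(),
                  "unusual image extension": not exe.lower().endswith((".exe", ".sys"))}
        if any(checks.values()):
            findings.append({"service": key.rsplit("\\", 1)[1], "exe": exe, "account":
                             vals.get("ObjectName"), "reasons": [r for r, h in checks.items() if h]})
    return findings
```

Running audit_services over a full export of HKLM\System\CurrentControlSet\Services (regedit /e) lists every service whose binary sits under a Temp folder, which is exactly what gave this "Macromedia Updater" away.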


#15 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • OFFLINE
  • Location:Ontario
  • Local time:09:56 PM

Posted 14 February 2007 - 10:20 PM

Hi

Logs look much better.
Thanks for editing that combofix log with the updated one. :flowers:

The lack of malicious traffic you see in your firewall logs tells us we are making progress. :huh:

All these observations you are making are pretty darn good IMO. All helps pinpoint the problems so I can throw the right tools at ya. :thumbsup:

That 1D.tmp might not be deleting cus XP likes to hang onto some temps for 24 hours. Generally speaking this is normal. (since windows really dunno what is good/bad)
Still....I want it gone lol.

See if we can rip it out on reboot.

Open Hijackthis
Click "open misc tools options"
Click "delete a file at reboot"

Paste in this path then click "open":

C:\WINDOWS\TEMP\1D.tmp

You will be prompted to reboot. Go ahead and reboot.

Let me know if that little bazaa is gone.

Out of caution I would like to see another couple logs.

1.) Download Gmer from here:

http://www.gmer.net/gmer.zip

Unzip it.
Disconnect from internet & shut down Antivirus to prevent conflicts.
Shut down also any other unneeded apps including any open browser windows.
The less stuff we got running the less chance of false positives in log.
Double click gmer.exe to run it.
Allow driver to install if asked (gmer.sys)
You may get a warning at program start that there is possible rootkit activity and asking whether you want to run a scan.

Say OK to run scan.
Let the scan finish.
Once done press "copy"
Open notepad> press "ctrl+v" to paste log.
Save log.

Re-enable your antivirus, re-connect to internet & post that log here

Next:

Using Internet Explorer please do an online scan with Kaspersky Online Scanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      • Extended (If available otherwise Standard)
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save report button.
  • Call it Kaspersky.txt
  • Expand the arrow beside "file types" and save as .txt file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
*Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so no conflicts and to speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.

Thanks :huh:
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?.

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware



