Delete on Reboot(Always)


Recommended Posts

Malwarebytes' Anti-Malware 1.34

Database version: 1800

Windows 5.1.2600 Service Pack 3

2/25/2009 12:27:03 PM

mbam-log-2009-02-25 (12-27-03).txt

Scan type: Quick Scan

Objects scanned: 58433

Time elapsed: 4 minute(s), 31 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 4

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ea4f3845-929b-4e9a-abb0-07d44d83b336} (Trojan.BHO.H) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{ea4f3845-929b-4e9a-abb0-07d44d83b336} (Trojan.BHO.H) -> Delete on reboot.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\ostkl.dll (Trojan.BHO.H) -> Delete on reboot.

C:\Documents and Settings\intes\Local Settings\Temp\vtccmtku.dat (Rootkit.Agent) -> Delete on reboot.

What does this mean.... are they really Trojans?

It keeps on saying Delete on reboot after scans.

But after a reboot, when I scan again, they are still detected... and still there.

Same Log Report over and over again.


Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 2:01:13 PM, on 3/7/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\RunDLL32.exe

C:\WINDOWS\RTHDCPL.EXE

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R3 - URLSearchHook: Yahoo!


  • Root Admin

Please update MBAM and scan again.

YOUR VERSION

Malwarebytes' Anti-Malware 1.34

Database version: 1800

CURRENT VERSION

Malwarebytes' Anti-Malware 1.34

Database version: 1825

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
  • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply
  • If you accidentally close it, the log file is saved here and will be named like this:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then post back the MBAM log and a new Hijackthis log.


MBAM LOG

Malwarebytes' Anti-Malware 1.34

Database version: 1825

Windows 5.1.2600 Service Pack 3

3/7/2009 7:53:40 PM

mbam-log-2009-03-07 (19-53-40).txt

Scan type: Quick Scan

Objects scanned: 59381

Time elapsed: 4 minute(s), 57 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 4

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ea4f3845-929b-4e9a-abb0-07d44d83b336} (Trojan.BHO.H) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{ea4f3845-929b-4e9a-abb0-07d44d83b336} (Trojan.BHO.H) -> Delete on reboot.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\ostkl.dll (Trojan.BHO.H) -> Delete on reboot.

C:\Documents and Settings\intes\Local Settings\Temp\vtccmtku.dat (Rootkit.Agent) -> Delete on reboot.

HiJack This Log

------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:06:11 PM, on 3/7/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\RunDLL32.exe

C:\WINDOWS\RTHDCPL.EXE

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R3 - URLSearchHook: Yahoo!
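The two MBAM logs above are identical apart from the database version, which is the symptom the original poster describes: every item is marked "Delete on reboot", yet the next scan finds all of them again. The following Python is an added example (not Malwarebytes code) that parses two MBAM logs and lists the detections that survived the reboot, so the persistence is visible at a glance instead of by eye; the embedded log text is a constructed excerpt of the two scans quoted in this thread, and the second log is derived from the first because the thread shows them to be the same.

```python
"""Compare two Malwarebytes' Anti-Malware (MBAM) scan logs and report the
detections that were still present after a reboot.  Added example, not MBAM's
own code; the log text below is a constructed excerpt of the two scan logs
pasted in this thread (database 1800 on 2/25 and 1825 on 3/7)."""
import re
from collections import Counter

# One detection line per item, as MBAM writes them:  <item> (<family>) -> <action>.
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")
DB_RE = re.compile(r"^Database version: (?P<db>\d+)$")

LOG_BEFORE = r"""Malwarebytes' Anti-Malware 1.34
Database version: 1800
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ea4f3845-929b-4e9a-abb0-07d44d83b336} (Trojan.BHO.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{ea4f3845-929b-4e9a-abb0-07d44d83b336} (Trojan.BHO.H) -> Delete on reboot.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\ostkl.dll (Trojan.BHO.H) -> Delete on reboot.
C:\Documents and Settings\intes\Local Settings\Temp\vtccmtku.dat (Rootkit.Agent) -> Delete on reboot.
"""

# Second scan, after the reboot and a definitions update: the thread shows the
# same findings again, so the constructed "after" log only differs in DB version.
LOG_AFTER = LOG_BEFORE.replace("Database version: 1800", "Database version: 1825")


def parse_mbam_log(text):
    """Return (database_version, {item: (family, action)}) for one MBAM log."""
    db, hits = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        m = DB_RE.match(line)
        if m:
            db = int(m.group("db"))
            continue
        m = DETECTION_RE.match(line)
        if m:
            # Registry and file paths are case-insensitive; normalise so reruns compare equal.
            hits[m.group("item").lower()] = (m.group("family"), m.group("action"))
    return db, hits


def persisting_detections(before, after):
    """Items reported in both scans.  An item marked 'Delete on reboot' in the
    first log that reappears in the second was not actually removed: either the
    delete never ran or something re-created it after the reboot."""
    _, first = parse_mbam_log(before)
    _, second = parse_mbam_log(after)
    return [(item, second[item][0], second[item][1])
            for item in first if item in second]


def family_summary(before, after):
    """Count persisting items per malware family, e.g. {'Trojan.Agent': 4, ...}."""
    return dict(Counter(family for _, family, _ in persisting_detections(before, after)))


if __name__ == "__main__":
    for item, family, action in persisting_detections(LOG_BEFORE, LOG_AFTER):
        print(f"STILL PRESENT [{family}] {item} (last action: {action})")
    print(family_summary(LOG_BEFORE, LOG_AFTER))
```

Run as-is it lists all eight items from the thread as still present; a second log with no overlapping items yields an empty list, which is what a successful cleanup looks like. A summary by family (three Trojan.BHO.H, four Trojan.Agent, one Rootkit.Agent) is the quickest way to see that the whole set, not just the file, is being restored.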


Ok the MBAM log is identifying that you have a Rootkit Sentinel variant onboard.

There is another element at play that is reloading the whole infection, and hence MBAM is failing to complete the cleanup.

Based on previous encounters with this infection, there is going to be another driver (.sys) file doing the restoration job.

Unfortunately HJT is very limited, so if possible can you use the following diagnostic tool to assist me in catching the culprit.

Download and install Autoruns.

http://technet.microsoft.com/en-us/sysinte...s/bb963902.aspx

When you first run it, it will generate an extensive listing and the word "Ready" will appear in the bottom left of the software GUI.

At this point go to Options and place a check (tick) against Verify Code Signatures and Hide Microsoft & Windows entries. Next press the F5 button to refresh.

Once the software shows Ready status, go to the File option. Select "Export as" and save the output file as Autoruns.txt

Can you please then copy and paste the contents of that text file into your next reply for analysis.

Thanks in advance.


Sorry for the wrong click. The zip file gives an error, but there's another link on the site.

So here it is... the contents of the text file.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

+ AVG8_TRAY AVG Tray Monitor (Verified) AVG Technologies c:\program files\avg\avg8\avgtray.exe

+ nwiz NVIDIA nView Wizard, Version 111.29 (Not verified) NVIDIA Corporation c:\windows\system32\nwiz.exe

+ SunJavaUpdateSched Java Platform SE binary (Verified) Sun Microsystems, Inc. c:\program files\java\jre6\bin\jusched.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup

+ HP Digital Imaging Monitor.lnk HP Digital Imaging Monitor (Not verified) Hewlett-Packard Co. c:\program files\hp\digital imaging\bin\hpqtra08.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

+ SpybotSD TeaTimer System settings protector (Verified) Safer Networking Ltd. c:\program files\spybot - search & destroy\teatimer.exe

+ Uniblue SpeedUpMyPC SpeedUpMyPC (Verified) Uniblue Systems c:\program files\uniblue\speedupmypc 3\speedupmypc.exe

HKLM\SOFTWARE\Classes\Protocols\Handler

+ linkscanner Safe Search pluggable protocol (Verified) AVG Technologies c:\program files\avg\avg8\avgpp.dll

HKCU\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components

+ 0 File not found: About:Home

HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers

+ AVG8 Shell Extension AVG Shell Extension (Verified) AVG Technologies c:\program files\avg\avg8\avgse.dll

+ WinRAR c:\program files\winrar\rarext.dll

+ Yahoo! Mail Yahoo! Mail (Verified) Yahoo! Inc. c:\program files\yahoo!\common\ymmapi.dll

HKLM\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers

+ MBAMShlExt Malwarebytes' Anti-Malware (Verified) Malwarebytes c:\program files\malwarebytes' anti-malware\mbamext.dll

HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers

+ WinRAR c:\program files\winrar\rarext.dll

HKLM\Software\Classes\Directory\Shellex\DragDropHandlers

+ WinRAR c:\program files\winrar\rarext.dll

HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers

+ AVG8 Shell Extension AVG Shell Extension (Verified) AVG Technologies c:\program files\avg\avg8\avgse.dll

+ MBAMShlExt Malwarebytes' Anti-Malware (Verified) Malwarebytes c:\program files\malwarebytes' anti-malware\mbamext.dll

+ WinRAR c:\program files\winrar\rarext.dll

HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers

+ 00nView NVIDIA Desktop Explorer, Version 111.29 (Not verified) NVIDIA Corporation c:\windows\system32\nvshell.dll

+ VDOToolShlExt TBPanelExt Module c:\program files\vdotool\tbpanelext.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

+ AVG8 Shell Extension AVG Shell Extension (Verified) AVG Technologies c:\program files\avg\avg8\avgse.dll

+ Desktop Explorer NVIDIA Desktop Explorer, Version 111.29 (Not verified) NVIDIA Corporation c:\windows\system32\nvshell.dll

+ Desktop Explorer Menu NVIDIA Desktop Explorer, Version 111.29 (Not verified) NVIDIA Corporation c:\windows\system32\nvshell.dll

+ Display Panning CPL Extension File not found: deskpan.dll

+ nView Desktop Context Menu NVIDIA Desktop Explorer, Version 111.29 (Not verified) NVIDIA Corporation c:\windows\system32\nvshell.dll

+ WinRAR shell extension c:\program files\winrar\rarext.dll

+ Yahoo! Mail Yahoo! Mail (Verified) Yahoo! Inc. c:\program files\yahoo!\common\ymmapi.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

+ &Yahoo! Toolbar Helper Yahoo! Toolbar (Verified) Yahoo! Inc. c:\program files\yahoo!\companion\installs\cpn\yt.dll

+ AVG Safe Search Safe Search for Internet Explorer (Verified) AVG Technologies c:\program files\avg\avg8\avgssie.dll

+ AVG Security Toolbar [[[DESCRIPTION]]]----------------------------------------------- (Verified) AVG Technologies c:\program files\avg\avg8\avgtoolbar.dll

+ Java Plug-In 2 SSV Helper Java Platform SE binary (Not verified) Sun Microsystems, Inc. c:\program files\java\jre6\bin\jp2ssv.dll

+ JQSIEStartDetectorImpl Class Java Quick Starter binary (Not verified) Sun Microsystems, Inc. c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

+ Spybot-S&D IE Protection SBSD IE Protection (Verified) Safer Networking Ltd. c:\program files\spybot - search & destroy\sdhelper.dll

+ Yahoo! IE Services Button Yahoo! IE Services (Verified) Yahoo! Inc. c:\program files\yahoo!\common\yiesrvc.dll

+ {EA4F3845-929B-4E9A-ABB0-07D44D83B336} c:\windows\system32\ostkl.dll

HKCU\Software\Microsoft\Internet Explorer\UrlSearchHooks

+ Yahoo!


Hi ya,

+ omkdsmci Universal Serial Bus Camera Driver (Not verified) Microsoft Corporation c:\windows\system32\drivers\omkdsmci.sys

I strongly suspect this to be the culprit for restoring the infection but will need to get my hands on a copy to confirm.

If you are familiar with searching folders for files etc. could you please locate omkdsmci.sys

Please zip it up and upload to a new topic in the following forum.

http://www.malwarebytes.org/forums/index.php?showforum=55

Thanks in advance.
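The pick above rests on the signature column that Autoruns fills in once Verify Code Signatures is enabled: a driver under \system32\drivers that names Microsoft as publisher but shows "(Not verified)", and a BHO entry that is nothing but a CLSID with no description or publisher. Both checks can be scripted. The following Python is an added example, not Sysinternals, Malwarebytes or the poster's code. It assumes the space-collapsed export format as it was pasted in this thread (a real Autoruns text export is tab-separated, and the entry name is taken here as the first token), and the Services location header above the driver line is assumed because the thread quotes only the entry itself; the sample export is constructed from lines quoted in the thread.

```python
"""Triage a whitespace-collapsed Autoruns text export for the two patterns the
helper used in this thread.  Added example, not Sysinternals or Malwarebytes
code.  Assumes the space-collapsed line shape as pasted above (the real export
is tab-separated; entry name = first token).  The Services header line is an
assumption; the thread shows only the driver entry under it."""
import re
from collections import namedtuple

Entry = namedtuple("Entry", "location name description status publisher path")

MISSING_RE = re.compile(r"^\+ (?P<head>.*?) File not found: (?P<path>.*)$")
SIGNED_RE = re.compile(
    r"^\+ (?P<head>.*?) \((?P<status>Verified|Not verified)\) (?P<publisher>.*?) (?P<path>[a-z]:\\.*)$",
    re.IGNORECASE)
UNSIGNED_RE = re.compile(r"^\+ (?P<head>.*?) (?P<path>[a-z]:\\.*)$", re.IGNORECASE)
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.IGNORECASE)

# Constructed sample built from lines quoted in this thread.
AUTORUNS_EXPORT = r"""HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+ AVG8_TRAY AVG Tray Monitor (Verified) AVG Technologies c:\program files\avg\avg8\avgtray.exe
+ nwiz NVIDIA nView Wizard, Version 111.29 (Not verified) NVIDIA Corporation c:\windows\system32\nwiz.exe
HKCU\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components
+ 0 File not found: About:Home
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
+ Spybot-S&D IE Protection SBSD IE Protection (Verified) Safer Networking Ltd. c:\program files\spybot - search & destroy\sdhelper.dll
+ {EA4F3845-929B-4E9A-ABB0-07D44D83B336} c:\windows\system32\ostkl.dll
HKLM\System\CurrentControlSet\Services
+ omkdsmci Universal Serial Bus Camera Driver (Not verified) Microsoft Corporation c:\windows\system32\drivers\omkdsmci.sys
"""


def parse_autoruns(text):
    """Turn the export into Entry records; lines without a leading '+ ' are location headers."""
    entries, location = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line.startswith("+ "):
            location = line  # registry key or folder that hosts the following entries
            continue
        m = MISSING_RE.match(line)
        if m:
            head, status, publisher, path = m.group("head"), "Missing", "", m.group("path")
        else:
            m = SIGNED_RE.match(line)
            if m:
                head, status, publisher, path = (m.group("head"), m.group("status"),
                                                 m.group("publisher"), m.group("path"))
            else:
                m = UNSIGNED_RE.match(line)
                if not m:
                    continue  # unrecognised line shape: skip rather than guess
                head, status, publisher, path = m.group("head"), None, "", m.group("path")
        name, _, description = head.partition(" ")
        entries.append(Entry(location, name, description, status, publisher, path))
    return entries


def triage(entries):
    """Return [(entry_name, reason)] for entries that deserve a closer look."""
    findings = []
    for e in entries:
        path = e.path.lower()
        is_driver = path.endswith(".sys") and "\\drivers\\" in path
        claims_microsoft = "microsoft" in e.publisher.lower()
        if is_driver and claims_microsoft and e.status == "Not verified":
            # A genuine Microsoft driver carries a signature that verifies; a
            # Microsoft publisher string without one is the omkdsmci.sys pattern.
            findings.append((e.name, "driver names Microsoft as publisher but signature did not verify"))
        elif e.status is None and not e.description and GUID_RE.match(e.name) and "\\system32\\" in path:
            # Unsigned, anonymous, CLSID-only module: the ostkl.dll pattern.
            findings.append((e.name, "unsigned GUID-named module with no description or publisher"))
    return findings


if __name__ == "__main__":
    for name, reason in triage(parse_autoruns(AUTORUNS_EXPORT)):
        print(f"REVIEW {name}: {reason}")
```

Note that nwiz.exe is also "(Not verified)" but is not flagged: an unsigned binary from a vendor that commonly ships unsigned tools is lower priority than one that borrows Microsoft's name without Microsoft's signature, which is the distinction the helper drew when picking omkdsmci.sys out of the full listing.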


I will post here the file itself? Can it not cause errors if I remove that file from my PC?

If it's loaded then it will not allow you to delete it by traditional methods, but you will be able to copy & paste it into another location e.g. My Documents and then zip/compress that copy to upload.

The reason I ask for uploading is that if it is the culprit I can then analyse it and update MBAM defs in order to remove it from your PC and any other unfortunate folks that also have it on their PCs.

Also if it's a legit file then you don't want to be removing it....

Thanks in advance.


Hi,

I can confirm that is our culprit and have flagged it as Rootkit.Sentinel

I have forwarded the takedown for it off to MBAM HQ and it should be available in 1 of the updates later today :)

So cleanup will be with you shortly :D


The new Defs are not in that DB.

They will be in 1 of the next 2 updates (1827 or 1828). Not sure which one as I do not update the main DB which feeds updates to all MBAM users.

You will know when they have been added as they will detect and remove the driver that you have uploaded and the rest of the infection will be dead once and for all.
