
Same computer, new problem (Trojan.Agent)



Got rid of almost everything with MWB, but this Trojan.Agent has stuck around for a few days. Logs follow. Please advise...

Malwarebytes' Anti-Malware 1.36

Database version: 2069

Windows 5.1.2600 Service Pack 2

5/3/2009 4:09:52 AM

mbam-log-2009-05-03 (04-09-52).txt

Scan type: Quick Scan

Objects scanned: 76329

Time elapsed: 3 minute(s), 38 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

{-----------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 3:53:42 AM, on 5/3/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe

C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\SAVScan.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

C:\Program Files\HPQ\shared\hpqwmi.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe

O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe

O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start

O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe

O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe

O4 - Global Startup: VPN Client.lnk = ?

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [java_sun] Java (Sun)

O11 - Options group: [searching] Search from the Address bar

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\shared\hpqwmi.exe

O23 - Service: Java Quick Starter (javaquickstarterservice) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--

End of file - 6482 bytes

Not sure if it makes a difference, but XP has been repaired to fix the crap the malware from this trojan messed up. Ok, thanks in advance for response!


Hi and Welcome to the Malwarebytes' forum.

Please download ATF Cleaner by Atribune

  • Close Internet Explorer and any other open browsers
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

If you use Firefox browser

  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Reboot

Next, download this Antirootkit Program to a folder that you create such as C:\ARK, by choosing the "Download EXE" button on the webpage.

Disable the active protection component of your antivirus by following the directions that apply here:

http://www.bleepingcomputer.com/forums/topic114351.html

Next, please perform a rootkit scan:

  • Double-click the randomly named EXE located in the C:\ARK folder that you just downloaded to run the program.
  • When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.
  • When the scan is finished (a few seconds), click the Rootkit/Malware tab, and then select the Scan button.
  • Leave your system completely idle while this longer scan is in progress.
  • When the scan is done, save the scan log to the Windows clipboard.
  • Open Notepad or a similar text editor.
  • Paste the clipboard contents into a text file by clicking Edit | Paste or Ctrl+V.
  • Exit the program.
  • Save the scan log as ARK.txt and post it in your next reply. If the log is very long, attach it please.

Please download Combofix from one of these locations:

HERE or HERE

I want you to rename Combofix.exe as you download it to a name of your choice such as resist.exe

Notes:

  • It is very important that you save the newly renamed EXE file to your desktop.
  • You must rename Combofix.exe as you download it and not after it is on your computer.
    You may have to modify your browser settings if you use Firefox, so you can rename Combofix.exe as you download it. To do that:
    • Open Firefox
    • Click Tools -> Options -> Main
    • Under the downloads section check the button that says "Always ask me where to save files".
    • Click OK
  • For Internet Explorer:
    • Choose to save, not open the file
    • When prompted - save the file to your desktop, and rename it anything with an .exe extension on the end.

Here is a tutorial that describes how to download, install and run Combofix more thoroughly. Please review it and follow the prompts to install Recovery Console if you have not done that already:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Very Important! Temporarily disable your antivirus and antimalware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix and even remove onboard components so it is rendered ineffective:

http://www.bleepingcomputer.com/forums/topic114351.html

Also, disable your firewall!

You can enable the Windows firewall in the interim, until the scan is complete.

Note: The above tutorial does not tell you to rename Combofix as I have instructed you to do in the above instructions, so make sure you complete the renaming step before launching Combofix.

Running Combofix

In the event you already have Combofix, please delete it as this is a new version.

  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

1. Double click on the renamed combofix.exe & follow the prompts.

2. When finished, it will produce a logfile located at C:\ComboFix.txt

3. Post the contents of that log in your next reply with a new hijackthis log.

Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang. Do not proceed with the rest of the fix if you fail to run combofix.

Rename "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" -> "C:\Program Files\Malwarebytes' Anti-Malware\newyork.exe"

  • Now, relaunch MBAM by double-clicking newyork.exe in the MBAM folder.
  • Select the Update tab -> Check for Updates
  • After MBAM updates, select the Scanner tab.
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK -> Show Results to view the scan results.
  • Check all items found, and then choose the 'Remove Selected' option to move the selected items to the quarantine.
  • When the scan is done, a log will open in Notepad with the scan results. Please post the results in your next reply.

NOTE: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Please post your antirootkit log (ARK.txt), C:\ComboFix.txt, and a new MBAM log in your next reply.


Hi Pointman,

I have to review your logs, but I want to let you know that you are seriously infected with several rootkits and a patched system file (userinit.exe), which was kindly replaced with a legit, clean copy courtesy of Combofix.

Combofix removed two of the rootkits but Rustock.b remains to be cleaned, plus a lot of other infected malware.

Please do not use your computer for any financial transactions and if you have you should change passwords from a clean, secure computer.

If you have access to another computer, I'd advise you to use that one until this one is cleaned up.

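The first MBAM log flags a "Registry Data Item" (the Winlogon Userinit value), and the reply above says the problem was a patched userinit.exe rather than a changed path. Those are two different checks, and what follows is an added example (not from the thread, and not Malwarebytes' or ComboFix's code) that does both: the Winlogon Userinit and Shell values must carry only their default entries, and the userinit.exe binary must match a known-good hash instead of merely looking like the right path. The registry data, the binary images and the name evil.exe are constructed for the example; on Windows the optional read_live_winlogon() reads the real values with winreg.

```python
"""Added example (not from the thread): the two checks behind a Winlogon
Userinit detection.  1) Userinit/Shell must carry only the default entries;
extra comma-separated entries are a persistence trick.  2) userinit.exe must
match a known-good hash, because a patched binary leaves the registry value
looking clean.  All sample values are constructed; evil.exe is hypothetical."""
import hashlib
import sys

# Windows XP defaults.  The registry stores Userinit as
# "C:\WINDOWS\system32\userinit.exe," (the trailing comma is normal).
WINLOGON_DEFAULTS = {
    "Userinit": ["c:\\windows\\system32\\userinit.exe"],
    "Shell": ["explorer.exe"],
}


def _entries(data):
    """Split a comma-separated Winlogon value into normalized entries."""
    return [e.strip().strip('"').lower() for e in data.split(",") if e.strip()]


def check_winlogon_values(values):
    """values: {value name: data string}.  Returns [(name, reason, data)]."""
    findings = []
    for name, expected in WINLOGON_DEFAULTS.items():
        data = values.get(name, "")
        got = _entries(data)
        if not got:
            findings.append((name, "missing or empty", data))
        elif got != expected:
            findings.append((name, "non-default entries", data))
    return findings


def check_userinit_binary(live_image, dllcache_image, known_good_sha256):
    """Compare the live system32 copy and the dllcache copy against a known-good
    SHA-256 taken from a clean machine with the same service pack.  Timestamps
    are deliberately not used: a patched file can keep its original dates."""
    live_ok = hashlib.sha256(live_image).hexdigest() == known_good_sha256
    cache_ok = hashlib.sha256(dllcache_image).hexdigest() == known_good_sha256
    if live_ok:
        return "clean"
    if cache_ok:
        return "live-patched-dllcache-good"   # restoring from dllcache / SFC is viable
    return "both-untrusted"                   # restore from install media


def read_live_winlogon():
    """Windows only: read the real values with winreg."""
    import winreg
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon")
    return {name: winreg.QueryValueEx(key, name)[0] for name in WINLOGON_DEFAULTS}


# Constructed stand-ins for the binaries (not real PE images).
GOOD_IMAGE = b"MZ" + b"userinit-clean-sp2" * 8
PATCHED_IMAGE = GOOD_IMAGE[:-4] + b"\x90\x90\x90\x90"   # same size, 4 bytes changed
KNOWN_GOOD_SHA256 = hashlib.sha256(GOOD_IMAGE).hexdigest()

if __name__ == "__main__":
    values = read_live_winlogon() if sys.platform == "win32" else {
        "Userinit": "C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\evil.exe,",
        "Shell": "Explorer.exe",
    }
    for finding in check_winlogon_values(values):
        print("Winlogon\\%s: %s -> %r" % finding)
    print("userinit.exe:", check_userinit_binary(PATCHED_IMAGE, GOOD_IMAGE, KNOWN_GOOD_SHA256))
```

The registry check alone would have passed on this machine, since the Userinit data in the MBAM log is the legitimate path; only the hash comparison catches a patched binary that kept its name and location, which is why a tool that "repairs" the registry value without replacing the file does not finish the job.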

I am going to have you launch Combofix with a script that specifically targets your malicious items.

It is important that you follow the next set of instructions precisely.

Open Notepad by hitting Start -> run, typing notepad into the Open: box, and then clicking OK.

On the Notepad menu, choose "Format" and make sure that Word Wrap is unchecked (disabled).

Copy/paste the text in the code box below into Notepad.

Save this to your desktop as CFScript.txt by selecting File -> Save as.

KillAll::
Driver::8371e0d3
File::c:\windows\system32\ejluqmtffutwwzn.exe
rootkit::c:\windows\system32\drivers\8371e0d3.sys

Launching Combofix

  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

[image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript.txt into the renamed ComboFix.exe on your desktop (snoog.exe)

This will cause ComboFix to run.

Please post back the log that opens (C:\Combofix.txt) when it finishes.

Now, relaunch MBAM by double-clicking newyork.exe in the MBAM folder

  • Select the Update tab -> Check for Updates
  • After MBAM updates, select the Scanner tab.
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK -> Show Results to view the scan results.
  • Check all items found, and then choose the 'Remove Selected' option to move the selected items to the quarantine.
  • When the scan is done, a log will open in Notepad with the scan results. Please post the results in your next reply.

ComboFix 09-05-03.1 - Mark 05/04/2009 14:07.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.656 [GMT -4:00]

Running from: c:\documents and settings\Mark\Desktop\snoog.exe

Command switches used :: c:\documents and settings\Mark\Desktop\CFScript.txt

AV: Norton AntiVirus *On-access scanning disabled* (Updated)

FILE ::

c:\windows\system32\ejluqmtffutwwzn.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\drivers\8371e0d3.sys

c:\windows\system32\ejluqmtffutwwzn.exe

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_8371e0d3

((((((((((((((((((((((((( Files Created from 2009-04-04 to 2009-05-04 )))))))))))))))))))))))))))))))

.

2009-05-03 21:34 . 2009-05-03 21:34 38408 ----a-w c:\documents and settings\Mark\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-05-03 07:53 . 2009-05-03 07:53 -------- d-----w c:\program files\Trend Micro

2009-04-30 19:21 . 2009-04-30 19:21 -------- d-----w c:\documents and settings\Mark\Application Data\Malwarebytes

2009-04-29 07:25 . 2009-05-03 18:18 -------- d-----w c:\program files\zMUD

2009-04-29 07:20 . 2009-04-29 07:28 -------- d-----w c:\documents and settings\Mark\Application Data\BitTorrent

2009-04-29 07:11 . 2009-04-29 07:11 -------- d-----w c:\documents and settings\All Users\Application Data\CCP

2009-04-29 07:11 . 2009-04-29 07:11 -------- d-----w c:\documents and settings\Mark\Local Settings\Application Data\CCP

2009-04-29 07:07 . 2009-04-29 07:07 -------- d-----w c:\documents and settings\Mark\Local Settings\Application Data\Mozilla

2009-04-29 07:02 . 2009-04-30 19:53 -------- d-----w c:\documents and settings\Mark

2009-04-29 06:53 . 2004-08-04 12:00 9728 -c--a-w c:\windows\system32\dllcache\rwnh.dll

2009-04-29 06:52 . 2004-08-04 12:00 7680 -c--a-w c:\windows\system32\dllcache\migregdb.exe

2009-04-29 06:51 . 2004-08-04 12:00 42496 -c--a-w c:\windows\system32\dllcache\davcdata.exe

2009-04-29 06:50 . 2004-08-04 12:00 68608 -c--a-w c:\windows\system32\dllcache\isatq.dll

2009-04-29 06:47 . 2004-08-04 12:00 16384 -c--a-w c:\windows\system32\dllcache\isignup.exe

2009-04-29 06:08 . 2004-08-04 12:00 480256 -c--a-w c:\windows\system32\dllcache\cintsetp.exe

2009-04-29 06:08 . 2004-08-04 12:00 198656 -c--a-w c:\windows\system32\dllcache\cintime.dll

2009-04-29 06:08 . 2004-08-04 12:00 173568 -c--a-w c:\windows\system32\dllcache\chtskf.dll

2009-04-29 06:08 . 2004-08-04 12:00 56320 -c--a-w c:\windows\system32\dllcache\chtskdic.dll

2009-04-29 06:08 . 2004-08-04 12:00 97792 -c--a-w c:\windows\system32\dllcache\chtmbx.dll

2009-04-29 06:08 . 2004-08-04 12:00 10240 -c--a-w c:\windows\system32\dllcache\tmigrate.dll

2009-04-29 06:08 . 2004-08-04 12:00 455168 -c--a-w c:\windows\system32\dllcache\tintsetp.exe

2009-04-29 06:08 . 2004-08-04 12:00 44032 -c--a-w c:\windows\system32\dllcache\tintlphr.exe

2009-04-29 06:08 . 2004-08-04 12:00 59392 -c--a-w c:\windows\system32\dllcache\imscinst.exe

2009-04-29 06:08 . 2004-08-04 12:00 67584 -c--a-w c:\windows\system32\dllcache\pmigrate.dll

2009-04-29 06:08 . 2004-08-04 12:00 70144 -c--a-w c:\windows\system32\dllcache\pintlphr.exe

2009-04-29 06:07 . 2004-08-04 12:00 10096640 -c--a-w c:\windows\system32\dllcache\hwxcht.dll

2009-04-29 06:07 . 2004-08-04 12:00 13312 -c--a-w c:\windows\system32\dllcache\irclass.dll

2009-04-29 06:07 . 2004-08-04 12:00 13312 ----a-w c:\windows\system32\irclass.dll

2009-04-29 06:07 . 2004-08-04 12:00 24661 -c--a-w c:\windows\system32\dllcache\spxcoins.dll

2009-04-29 06:07 . 2004-08-04 12:00 24661 ----a-w c:\windows\system32\spxcoins.dll

2009-04-29 06:05 . 2009-04-29 06:05 -------- d-s---w c:\windows\system32\config\systemprofile\History

2009-04-17 14:55 . 2009-04-17 15:18 -------- d-----w c:\documents and settings\Administrator\Application Data\BitTorrent

2009-04-17 14:55 . 2009-04-17 14:55 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\DNA

2009-04-17 14:55 . 2009-04-29 05:43 -------- d-----w c:\program files\DNA

2009-04-17 14:55 . 2009-04-29 05:43 -------- d-----w c:\documents and settings\Administrator\Application Data\DNA

2009-04-17 14:54 . 2009-04-17 14:55 -------- d-----w c:\program files\BitTorrent

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-05-04 18:09 . 2008-12-13 17:31 428 ----a-w c:\windows\Tasks\Symantec NetDetect.job

2009-05-04 18:09 . 2008-12-13 16:27 6 ---ha-w c:\windows\Tasks\SA.DAT

2009-05-04 00:12 . 2009-01-14 18:35 -------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-05-03 23:49 . 2008-12-13 17:30 -------- d-----w c:\program files\Norton AntiVirus

2009-04-30 19:21 . 2009-04-30 19:06 2585 ----a-w c:\windows\Internet Logs\tvDebug.zip

2009-04-29 07:09 . 2008-12-13 17:11 -------- d-----w c:\program files\Java

2009-04-29 06:49 . 2004-08-04 12:00 67 --sha-w c:\windows\Fonts\desktop.ini

2009-04-29 06:46 . 2008-12-13 16:19 23348 ----a-w c:\windows\system32\emptyregdb.dat

2009-04-06 19:32 . 2009-01-14 18:35 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-04-06 19:32 . 2009-01-14 18:35 15504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-04-02 17:36 . 2009-04-02 17:35 -------- d-----w c:\program files\QuickTime

2009-04-02 17:35 . 2009-04-02 17:35 -------- d-----w c:\program files\Apple Software Update

2009-03-14 04:19 . 2008-12-13 17:33 546 ----a-w c:\windows\Tasks\Norton AntiVirus - Scan my computer - Administrator.job

2009-03-13 23:27 . 2009-03-13 22:49 -------- d-----w c:\program files\CCP

2009-03-09 09:19 . 2008-12-17 19:51 410984 ----a-w c:\windows\system32\deploytk.dll

.

((((((((((((((((((((((((((((( SnapShot@2009-05-04_00.03.57 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-05-04 18:10 . 2009-05-04 18:10 16384 c:\windows\temp\Perflib_Perfdata_2d8.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 98394]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 688218]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-12-22 344064]

"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-10-22 229438]

"WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2004-12-08 184320]

"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 290816]

"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2004-12-08 790528]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-09 71328]

"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2008-12-13 95960]

"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]

"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-1-9 113664]

DVD Check.lnk - c:\program files\InterVideo\DVD Check\DVDCheck.exe [2008-12-13 184320]

VPN Client.lnk - c:\windows\Installer\{871DF2BE-41D2-4334-AC33-839AF16FC8FE}\Icon3E5562ED7.ico [2009-2-3 6144]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSetActiveDesktop"= 1 (0x1)

"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"c:\\Program Files\\CCP\\EVE\\bin\\ExeFile.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

"c:\\Program Files\\DNA\\btdna.exe"=

"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5353:TCP"= 5353:TCP:Adobe CSI CS4

.

Contents of the 'Scheduled Tasks' folder

2009-03-14 c:\windows\Tasks\Norton AntiVirus - Scan my computer - Administrator.job

- c:\progra~1\NORTON~1\Navw32.exe [2003-11-24 15:46]

2009-05-04 c:\windows\Tasks\Symantec NetDetect.job

- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2008-12-13 23:38]

.

.

------- Supplementary Scan -------

.

FF - ProfilePath - c:\documents and settings\Mark\Application Data\Mozilla\Firefox\Profiles\4uo5pwhx.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.malwarebytes.org/forums/index.php?showtopic=15027

FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-05-04 14:10

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????8?1?8?8??????? ???B?????????????H<C? ??????

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1204)

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3056)

c:\windows\system32\shdoclc.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ati2evxx.exe

c:\windows\system32\ati2evxx.exe

c:\program files\Common Files\Symantec Shared\CCSETMGR.EXE

c:\program files\Cisco Systems\VPN Client\cvpnd.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

c:\program files\Common Files\Symantec Shared\CCEVTMGR.EXE

c:\program files\Common Files\Symantec Shared\Security Center\SymWSC.exe

c:\windows\system32\wscntfy.exe

c:\program files\HPQ\shared\hpqwmi.exe

.

**************************************************************************

.

Completion time: 2009-05-04 14:14 - machine was rebooted

ComboFix-quarantined-files.txt 2009-05-04 18:14

ComboFix2.txt 2009-05-04 00:09

Pre-Run: 63,479,173,120 bytes free

Post-Run: 63,475,535,872 bytes free

178 --- E O F --- 2009-03-15 23:51

MBAM log -

Malwarebytes' Anti-Malware 1.36

Database version: 2074

Windows 5.1.2600 Service Pack 2

5/4/2009 2:25:19 PM

mbam-log-2009-05-04 (14-25-19).txt

Scan type: Quick Scan

Objects scanned: 75008

Time elapsed: 2 minute(s), 2 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

==============================

Will get back to you after I analyze the above.

In the meantime can you post the contents of this log file please:

C:\Qoobox\ComboFix-quarantined-files.txt


2009-05-04 18:08:18 . 2009-05-04 18:08:18 60,241 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_8371e0d3_.sys.zip

2009-05-04 18:08:07 . 2009-05-04 18:08:07 74 ----a-w C:\Qoobox\Quarantine\Registry_backups\Service_8371e0d3.reg.dat

2009-05-04 18:06:48 . 2009-05-04 18:06:48 0 ----a-w C:\Qoobox\Quarantine\catchme.txt

2009-05-04 00:08:57 . 2009-05-04 00:08:57 469 ----a-w C:\Qoobox\Quarantine\Registry_backups\SharedTaskScheduler-{C2BA40A1-74F3-42BD-F434-12345A2C8953}.reg.dat

2009-05-04 00:08:53 . 2009-05-04 00:08:53 138 ----a-w C:\Qoobox\Quarantine\Registry_backups\HKU-Default-Run-Diagnostic Manager.reg.dat

2009-05-04 00:08:53 . 2009-05-04 00:08:53 138 ----a-w C:\Qoobox\Quarantine\Registry_backups\HKU-Default-Run-uidenhiufgsduiazghs.reg.dat

2009-05-04 00:08:48 . 2009-05-04 00:08:48 456 ----a-w C:\Qoobox\Quarantine\Registry_backups\BHO-{c2ba40a1-74f3-42bd-f434-12345a2c8953}.reg.dat

2009-05-04 00:00:54 . 2009-05-04 00:00:54 800 ----a-w C:\Qoobox\Quarantine\Registry_backups\Legacy_MSDVDR.reg.dat

2009-05-04 00:00:42 . 2009-05-04 18:08:00 8,508 ----a-w C:\Qoobox\Quarantine\Registry_backups\tcpip.reg

2009-05-03 23:53:24 . 2009-05-03 23:53:24 1,845 ----a-w C:\Qoobox\Quarantine\Registry_backups\Service_ovfsthxoinaurke.reg.dat

2009-05-03 23:45:23 . 2009-05-04 18:08:18 357 ----a-w C:\Qoobox\Quarantine\catchme.log

2009-05-03 21:49:14 . 2009-05-03 21:49:14 46 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\p2hhr.bat.vir

2009-05-03 21:48:48 . 2009-05-03 21:48:48 15,000 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\afnoinkdsfe.dll.vir

2009-05-03 21:48:48 . 2009-05-03 21:48:48 17,920 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\ak1.exe.vir

2009-04-29 07:58:55 . 2009-04-29 08:00:21 1,452 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\IE4 Error Log.txt.vir

2009-04-29 07:58:55 . 2009-04-29 08:00:21 101 ----a-w C:\Qoobox\Quarantine\C\xcrashdump.dat.vir

2009-04-29 07:58:13 . 2009-04-29 07:58:13 1 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\uniq.tll.vir

2009-04-17 15:27:11 . 2009-05-03 21:34:43 43 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthxkfnppiyt.dat.vir

2009-04-17 15:16:03 . 2009-04-17 15:16:03 18,432 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthxaydxmnmg.dll.vir

2009-04-17 15:16:03 . 2009-04-17 15:16:03 18,432 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthxekyjckdm.dll.vir

2009-04-17 15:16:02 . 2009-05-03 21:49:14 129,156 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthxdntxilwt.dat.vir

2009-04-17 15:16:00 . 2009-04-17 15:16:00 60,928 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthxmnardoyj.dll.vir

2009-04-17 15:16:00 . 2009-04-17 15:16:00 83,456 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ovfsthxtqdxlwxr.sys.vir

2009-04-17 15:16:00 . 2009-05-04 18:08:52 83,308 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\8371e0d3.sys.vir

2009-04-17 15:15:29 . 2009-04-17 15:15:29 9,728 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\ejluqmtffutwwzn.exe.vir

2004-08-04 12:00:00 . 2009-04-29 07:58:21 104,960 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\userinit.exe.vir

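The quarantine listing in the post above is a fixed-format text file (creation time, last-write time, size, attributes, quarantine path), and it is worth reading mechanically rather than by eye. The following is an added example, not from the thread and not ComboFix's own code, that parses the listing and runs two triage passes over it: files created within seconds of each other usually came from one dropper run, and a shared prefix across otherwise random-looking names marks one family. The lines in SAMPLE_LISTING are a subset copied from the post; the 120-second window, the 7-character prefix and the assumption that ComboFix always appends ".vir" are the example's own.

```python
"""Added example (not from the thread): parse a ComboFix quarantine listing
and group the quarantined files by drop time and by name prefix."""
import re
from collections import defaultdict
from datetime import datetime

# Subset of the listing posted above (copied, not constructed).
SAMPLE_LISTING = r"""
2009-05-04 18:08:18 . 2009-05-04 18:08:18 60,241 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_8371e0d3_.sys.zip
2009-05-04 18:08:07 . 2009-05-04 18:08:07 74 ----a-w C:\Qoobox\Quarantine\Registry_backups\Service_8371e0d3.reg.dat
2009-05-03 21:49:14 . 2009-05-03 21:49:14 46 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\p2hhr.bat.vir
2009-05-03 21:48:48 . 2009-05-03 21:48:48 15,000 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\afnoinkdsfe.dll.vir
2009-05-03 21:48:48 . 2009-05-03 21:48:48 17,920 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\ak1.exe.vir
2009-04-29 07:58:55 . 2009-04-29 08:00:21 1,452 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\IE4 Error Log.txt.vir
2009-04-29 07:58:55 . 2009-04-29 08:00:21 101 ----a-w C:\Qoobox\Quarantine\C\xcrashdump.dat.vir
2009-04-29 07:58:13 . 2009-04-29 07:58:13 1 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\uniq.tll.vir
2009-04-17 15:27:11 . 2009-05-03 21:34:43 43 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthxkfnppiyt.dat.vir
2009-04-17 15:16:03 . 2009-04-17 15:16:03 18,432 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthxaydxmnmg.dll.vir
2009-04-17 15:16:03 . 2009-04-17 15:16:03 18,432 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthxekyjckdm.dll.vir
2009-04-17 15:16:02 . 2009-05-03 21:49:14 129,156 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthxdntxilwt.dat.vir
2009-04-17 15:16:00 . 2009-04-17 15:16:00 60,928 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthxmnardoyj.dll.vir
2009-04-17 15:16:00 . 2009-04-17 15:16:00 83,456 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ovfsthxtqdxlwxr.sys.vir
2009-04-17 15:16:00 . 2009-05-04 18:08:52 83,308 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\8371e0d3.sys.vir
2009-04-17 15:15:29 . 2009-04-17 15:15:29 9,728 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\ejluqmtffutwwzn.exe.vir
2004-08-04 12:00:00 . 2009-04-29 07:58:21 104,960 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\userinit.exe.vir
"""

LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \. "
    r"(?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
    r"(?P<size>[\d,]+) (?P<attrs>\S{7}) (?P<path>.+)$")
QUARANTINE_ROOT = "C:\\Qoobox\\Quarantine\\C\\"   # files only; Registry_backups etc. skipped
TS = "%Y-%m-%d %H:%M:%S"


def _basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_quarantine_listing(text):
    """Return one dict per quarantined file, with its original on-disk path."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or not m.group("path").lower().startswith(QUARANTINE_ROOT.lower()):
            continue
        original = "C:\\" + m.group("path")[len(QUARANTINE_ROOT):]
        if original.lower().endswith(".vir"):
            original = original[:-4]          # assumption: ComboFix appends .vir
        records.append({
            "created": datetime.strptime(m.group("created"), TS),
            "modified": datetime.strptime(m.group("modified"), TS),
            "size": int(m.group("size").replace(",", "")),
            "attrs": m.group("attrs"),
            "path": original,
        })
    return records


def cluster_by_creation(records, window_seconds=120):
    """Group files whose creation times fall within window_seconds of the
    previous file; one group is usually one dropper run."""
    ordered = sorted(records, key=lambda r: r["created"])
    groups, current = [], []
    for rec in ordered:
        if current and (rec["created"] - current[-1]["created"]).total_seconds() > window_seconds:
            groups.append(current)
            current = []
        current.append(rec)
    if current:
        groups.append(current)
    return groups


def name_families(records, prefix_len=7, min_count=3):
    """Map a shared name prefix to the paths that carry it (random suffixes,
    fixed prefix is a common rootkit naming pattern)."""
    fam = defaultdict(list)
    for rec in records:
        stem = _basename(rec["path"]).split(".")[0].lower()
        if len(stem) > prefix_len:
            fam[stem[:prefix_len]].append(rec["path"])
    return {p: sorted(v) for p, v in fam.items() if len(v) >= min_count}


if __name__ == "__main__":
    recs = parse_quarantine_listing(SAMPLE_LISTING)
    for group in cluster_by_creation(recs):
        if len(group) > 1:
            print(group[0]["created"], [_basename(r["path"]) for r in group])
    for prefix, paths in name_families(recs).items():
        print("family %s*: %d files" % (prefix, len(paths)))
```

On the posted listing the largest creation cluster is the seven files written between 15:15:29 and 15:16:03 on 2009-04-17, which contains both items the CFScript targeted (the 8371e0d3.sys driver and ejluqmtffutwwzn.exe) alongside the ovfsthx* components, and the only name family is ovfsthx* with six members. This is triage, not attribution: it tells you which quarantined files belong together and therefore which ones to submit as a set, not what the family is.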

Can you please visit this submission webpage

In the "Link to topic where this file was requested: " box, copy/paste the url to this topic as follows:

http://www.malwarebytes.org/forums/index.p...amp;#entry78412

Next, copy and paste the following bolded text into the "Browse to the file you want to submit:" box:

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_8371e0d3_.sys.zip

Then click 'Send File'

Please repeat submission for these two files, as well:

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\8371e0d3.sys.vir

C:\Qoobox\Quarantine\C\WINDOWS\system32\ejluqmtffutwwzn.exe.vir

-----------

Please perform a scan with the ESET online virus scanner:

http://www.eset.com/onlinescan/index.php

  • ESET recommends disabling your resident antivirus's auto-protection feature before beginning the scan to avoid conflicts and system hangs. Please disable your antivirus's Guard and any antispyware or HIPS programs you are running.
  • Use Internet Explorer to navigate to the scanner website because you must approve the installation of an ActiveX add-on to complete the scan.
  • Check the "Yes, I accept the terms of use" box.
  • Click "Start"
  • Check the following two boxes:
    • enable "Remove found threats"
    • Scan unwanted applications
  • Click the Scan button to begin scanning.
  • When the scan is done the log is automatically saved. To retrieve it:
    • Close the ESET scan window.
    • Now open a run line by clicking Start >> Run...
    • Copy/paste "C:\Program Files\EsetOnlineScanner\log.txt" into the Open box.
    • The scan results will now display in Notepad.
  • Please copy and paste the ESET scan report that can be found in this location, C:\Program Files\EsetOnlineScanner\log.txt, into your next reply.

Note to Vista users and anyone with restrictive IE security settings: Depending on your security settings, you may have to allow cookies and put the ESET website, www.eset.com, into the trusted zone of Internet Explorer if the scan has problems starting (in Vista this is a necessity as IE runs in Protected mode).

To do that, on the Internet Explorer menu click Tools => Internet Options => Security => Trusted Sites => Sites. Then uncheck "Require server verification for all sites in this zone" checkbox at the bottom of the dialog. Add the above www.eset.com url to the list of trusted sites, by inserting it in the blank box and clicking the Add button, then click Close. For cookies, choose the IE7 Privacy tab and add the above eset.com url to the exceptions list for cookie blocking.


# version=4

# OnlineScanner.ocx=1.0.0.635

# OnlineScannerDLLA.dll=1, 0, 0, 79

# OnlineScannerDLLW.dll=1, 0, 0, 78

# OnlineScannerUninstaller.exe=1, 0, 0, 49

# vers_standard_module=4052 (20090504)

# vers_arch_module=1.064 (20080214)

# vers_adv_heur_module=1.066 (20070917)

# EOSSerial=a0b72f277ee29c4f8c6b93052e3d97c1

# end=finished

# remove_checked=true

# unwanted_checked=true

# utc_time=2009-05-04 10:49:13

# local_time=2009-05-04 06:49:13 (-0500, Eastern Standard Time)

# country="United States"

# osver=5.1.2600 NT Service Pack 2

# scanned=356318

# found=9

# scan_time=2576

C:\Documents and Settings\Administrator\My Documents\Downloads\Adobe-Dreamweaver-CS4_Keygen_TrZ\activation Win32/TrojanDropper.VB.NGV trojan (unable to clean - deleted) 00000000000000000000000000000000

C:\Documents and Settings\Administrator\My Documents\Downloads\Adobe-Dreamweaver-CS4_Keygen_TrZ\Adobe Dreamweaver CS4 - Keygen [TrZ]\DreamweaverCS4-KeyGen.exe Win32/TrojanDropper.VB.NGV trojan (unable to clean - deleted) 00000000000000000000000000000000

C:\Qoobox\Quarantine\C\WINDOWS\system32\ejluqmtffutwwzn.exe.vir probably a variant of Win32/TrojanDownloader.Small.EDB trojan (unable to clean - deleted) 00000000000000000000000000000000

C:\Qoobox\Quarantine\C\WINDOWS\system32\userinit.exe.vir Win32/FakeInit.L trojan (unable to clean - deleted) 00000000000000000000000000000000

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ovfsthxtqdxlwxr.sys.vir Win32/Olmarik.HN trojan (unable to clean - deleted) 00000000000000000000000000000000

C:\System Volume Information\_restore{C954225D-6182-42B1-9923-90082051A247}\RP3\A0000005.sys Win32/Olmarik.HN trojan (unable to clean - deleted) 00000000000000000000000000000000

C:\System Volume Information\_restore{C954225D-6182-42B1-9923-90082051A247}\RP3\A0000030.exe Win32/FakeInit.L trojan (unable to clean - deleted) 00000000000000000000000000000000

C:\System Volume Information\_restore{C954225D-6182-42B1-9923-90082051A247}\RP3\A0000031.exe Win32/FakeInit.L trojan (unable to clean - deleted) 00000000000000000000000000000000

C:\System Volume Information\_restore{C954225D-6182-42B1-9923-90082051A247}\RP3\A0000128.exe probably a variant of Win32/TrojanDownloader.Small.EDB trojan (unable to clean - deleted) 00000000000000000000000000000000

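As an added example (not code from this thread or from ESET), here is a Python parser for the log format above: it separates the `# key=value` header from the detection lines and marks each hit as dormant (ComboFix quarantine or System Restore data) or live. The sample log is constructed from three of the lines posted here, with `found` adjusted to match.

```python
import re
from dataclasses import dataclass

# Constructed sample in the ESET Online Scanner log format seen in this thread
# ("# key=value" header lines, then one detection per line; paths as posted).
SAMPLE_LOG = """# version=4
# osver=5.1.2600 NT Service Pack 2
# found=3
C:\\Qoobox\\Quarantine\\C\\WINDOWS\\system32\\userinit.exe.vir Win32/FakeInit.L trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\\System Volume Information\\_restore{C954225D-6182-42B1-9923-90082051A247}\\RP3\\A0000128.exe probably a variant of Win32/TrojanDownloader.Small.EDB trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\\Documents and Settings\\Administrator\\My Documents\\Downloads\\Adobe-Dreamweaver-CS4_Keygen_TrZ\\activation Win32/TrojanDropper.VB.NGV trojan (unable to clean - deleted) 00000000000000000000000000000000
"""

# Anchored on the right (32-hex hash, then "(action)"); on the left the threat name
# is the first token containing a "/" (Win32/...), which never occurs in a Windows path.
DETECTION = re.compile(
    r"^(?P<path>.+?) (?P<threat>(?:probably )?(?:a variant of )?[A-Za-z0-9]+/\S+.*?)"
    r" \((?P<action>[^()]*)\) (?P<hash>[0-9a-fA-F]{32})$"
)
# Dormant data rather than code that can run: ComboFix quarantine, System Restore.
INACTIVE_MARKERS = ("\\qoobox\\quarantine\\", "\\system volume information\\_restore")

@dataclass
class Detection:
    path: str
    threat: str
    action: str
    live: bool  # True when the file sat in a live path, not quarantine/restore data

def parse_eset_log(text: str):
    """Return (header dict, list of Detection) for one ESET online scanner log."""
    header, detections = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# ") and "=" in line:
            key, value = line[2:].split("=", 1)
            header[key] = value
            continue
        m = DETECTION.match(line)
        if m:
            dormant = any(mark in m["path"].lower() for mark in INACTIVE_MARKERS)
            detections.append(Detection(m["path"], m["threat"], m["action"], not dormant))
    return header, detections

def triage(text: str) -> dict:
    """Live-path detections need follow-up; the rest were already neutralised."""
    header, dets = parse_eset_log(text)
    return {"reported": int(header.get("found", 0)), "parsed": len(dets),
            "live": [d.path for d in dets if d.live],
            "dormant": [d.path for d in dets if not d.live]}
```

A mismatch between `reported` and `parsed` means a line did not fit the pattern and should be read by hand.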

Good job! Your computer is clean now. :mellow:

Thank you for the files!

Those threats detected by ESET are inactive in quarantine or in system restore data. We will purge them now.

We have a few steps to finish up now.

Let's remove Combofix and all its associated files including those in quarantine:

Click start -> run, then copy and paste the following line into the Open box and click OK.

"%userprofile%\desktop\snoog.exe" /u

This will do the following:

  • Uninstall Combofix and all its associated files and folders.
  • It will flush your system restore points and create a new restore point.
  • It will rehide your system files and folders
  • Reset your system clock

Delete the contents of the C:\ARK folder and then the folder itself.

Here are some additional measures you should take to keep your system in good working order and ensure your continued security.

1. Scan your system for outdated versions of commonly used software applications that may also cause your PC to be vulnerable, using the Secunia Online Software Inspector (OSI).

Just click the "Start Scanner" button to get a listing of all outdated and possibly insecure resident programs.

Note: If your firewall prompts you about access, allow it.

2. Keep MBAM as an on-demand scanner because I highly recommend it, and the quick scan will find almost all active malware in minutes.

3. You can reduce your startups by downloading Malwarebytes' StartUp Lite and saving it to a convenient location. Just double-click StartUpLite.exe. Then, check the options you would like based on the descriptions provided, then select Continue. This will free up system resources because nonessential background programs will no longer be running when you start up your computer.

Finally, please follow the suggestions offered by Tony Klein in How did I get infected in the first place, so you can maintain a safe and secure computing environment.

Happy Surfing!

-----------
