Infected with ovfst variant of CLB Rootkit



Hi There,

I am trying to remove the ovfst variant of CLB Rootkit from a friend's computer.

I have followed the instructions from Fatdcuk in the following post:

MBAM wont install or will not run., CLB Rootkit driver=TDSS/Seneka/GAOPDX/UAC/ovfst

http://www.malwarebytes.org/forums/index.php?showtopic=12709

After running the scan files option in RootRepeal, there were many many variants of the ovfst file including more than one with the .sys extension.

I followed the instructions exactly, and I only selected the _\system32\drivers\ovfst_ _ _.sys file and right clicked, and selected Wipe File. I rebooted, and then still could not run mbam-setup.exe (it lets me select the installation language, then after clicking OK the install just shuts down). I have a hunch I should have deleted the other ovfst_ _ _.sys files, sorry I can't recall what directories they were in.

Subsequent scans with RootRepeal bring up only one file that is Locked to the Windows API, and this is _\system32\drivers\435bba6.sys. No more occurrences of the ovfst_ _ _.sys file anywhere. I have taken a chance and wiped this, rebooted and I still cannot get mbam-setup.exe to run.

HJTInstall.exe will not execute either, so I cannot post a HiJackThis log.

Original symptoms are USB ports not recognising pen drives. I was unable to copy mbam-setup.exe to this computer even after renaming it to another file name (I got around this by zipping mbam-setup.exe together with randbam.exe, renaming the zip file and copying it across). In either FF or IE I cannot go to malwarebytes.org either by typing the URL into the browser or via a google search, and a google search for "download Malwarebytes" automatically shuts down the browser. I can browse news sites etc download VLC just nothing malware related.

Please help!

Thanks and regards,

Dylan


Hi Dylan and Welcome to the Malwarebytes' forum.

Please download ATF Cleaner by Atribune

  • Close Internet Explorer and any other open browsers
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

If you use Firefox browser

  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Reboot

Next, download this anti-rootkit program to a folder that you create, such as C:\ARK, by choosing the "Download EXE" button on the webpage.

Disable the active protection component of your antivirus by following the directions that apply here:

http://www.bleepingcomputer.com/forums/topic114351.html

Next, please perform a rootkit scan:

  • Double-click the randomly named EXE located in the C:\ARK folder that you just downloaded to run the program.
  • When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.
  • When the scan is finished (a few seconds), click the Rootkit/Malware tab, and then select the Scan button.
  • Leave your system completely idle while this longer scan is in progress.
  • When the scan is done, save the scan log to the Windows clipboard
  • Open Notepad or a similar text editor
  • Paste the clipboard contents into a text file by clicking Edit | Paste or Ctrl+V
  • Exit the Program
  • Save the Scan log as ARK.txt and post it in your next reply. If the log is very long attach it please.

Please download Combofix from one of these locations:

HERE or HERE

I want you to rename Combofix.exe as you download it to a name of your choice such as repel.exe

Notes:

  • It is very important that you save the newly renamed EXE file to your desktop.
  • You must rename Combofix.exe as you download it and not after it is on your computer.
    You may have to modify your browser settings if you use Firefox, so you can rename Combofix.exe as you download it. To do that:
    • Open Firefox
    • Click Tools -> Options -> Main
    • Under the downloads section check the button that says "Always ask me where to save files".
    • Click OK

    • For Internet Explorer:

    • Choose to save, not open the file
    • When prompted - save the file to your desktop, and rename it anything with an .exe extension on the end.

Here is a tutorial that describes how to download, install and run Combofix more thoroughly. Please review it and follow the prompts to install Recovery Console - if you have not done that already:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Very Important! Temporarily disable your antivirus and antimalware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix and even remove onboard components so it is rendered ineffective:

http://www.bleepingcomputer.com/forums/topic114351.html

Also, disable your firewall!

You can enable the Windows firewall in the interim, until the scan is complete.

Note: The above tutorial does not tell you to rename Combofix as I have instructed you to do in the above instructions, so make sure you complete the renaming step before launching Combofix.

Running Combofix

In the event you already have Combofix, please delete it as this is a new version.

  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

1. Double click on the renamed combofix.exe (repel.exe) & follow the prompts.

2. When finished, it will produce a logfile located at C:\ComboFix.txt

3. Post the contents of that log in your next reply with a new hijackthis log.

Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang. Do not proceed with the rest of the fix if you fail to run combofix.

Please post ARK.txt and C:\ComboFix.txt in your next reply.


Hi Negster,

Thanks for the post and the welcome! This is not my first rodeo though :(

OK, I finally got the computer back from my friend to go through the steps in your post.

First step ATF-Cleaner, second step GMER, all good. Please find below the ARK.txt log from GMER. As expected, many instances of the ovfst_ _ _.sys and 4535bba6.sys rootkit files.

GMER 1.0.15.14972 - http://www.gmer.net

Rootkit scan 2009-05-13 18:07:48

Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\drivers\4535bba6.sys ZwCreateEvent [0xF7661D2D]

SSDT \SystemRoot\System32\drivers\4535bba6.sys ZwCreateKey [0xF765FE05]

SSDT \SystemRoot\System32\drivers\4535bba6.sys ZwOpenKey [0xF765FEC5]

---- Kernel code sections - GMER 1.0.15 ----

? C:\WINDOWS\System32\drivers\4535bba6.sys Det g


Hello,

I am in EST time zone = GMT - 5

Your friend's PC is extremely infected.

I will try to salvage it, but normally in a case such as this I would recommend a full reformat and reinstall.

Can you use another medium other than an infected flash drive to transfer files?

Try this to immunize your flash drive:

Create a folder called autorun.inf in the flash drive root.

Click Properties on the folder, and make it unwritable by checking read-only.

Close Properties dialogue.

If you can see the following file, can you get me version info on it by accessing its Properties dialogue, before we delete it:

c:\windows\system32\drivers\bsfocgiw.sys

I am interested in the textual name description of the driver.

Now for your infections.

Download The Avenger by Swandog46:

http://swandog46.geekstogo.com/avenger2/download.php

  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to launch Avenger.
  • Click OK.
  • Make sure that the box next to "Scan for rootkits" is checked and that the box next to Automatically "Disable any rootkits found" is not checked.

Copy and Paste the text in the Code Box into the Avenger's "Input Script here" Box:

Drivers to delete:
bsfocgiw
4535bba6
35a45eedb65b4db1c96b994715a20ae6
ovfsthjlkdwkrirpuxnbmqfoostuqlteppjxvi

Files to delete:
c:\windows\system32\drivers\bsfocgiw.sys
C:\WINDOWS\System32\drivers\4535bba6.sys
c:\cqcsss.exe
c:\xnev.exe
c:\windows\system32\cdcffffacd.dll
c:\recycler\S-1-5-21-7467345691-3870965195-203722230-0388\hd1.exe
c:\windows\system32\wumztitk.dll
c:\windows\system32\olsvycj.dll
c:\windows\system32\wuturoho.dll
c:\windows\system32\wuturoho.exe
c:\windows\system32\lonayemu.dll.vir
c:\windows\system32\35a45eedb65b4db1c96b994715a20ae6.sys
C:\xptfh.exe
C:\wwmeoblk.exe
C:\pdtivk.exe
C:\celkadaa.exe
C:\cqcsss.exe
C:\xnev.exe
C:\kggi.exe
C:\windows\system32\drivers\ovfsthmrmpcbxhdsrtlewvmnexrfxlboyigfvp.sys
c:\windows\system32\00016865.tmp
c:\windows\system32\00031338.tmp
c:\windows\system32\00029344.tmp
c:\windows\system32\00032673.tmp

Folders to delete:
c:\documents and settings\NetworkService\Application Data\jeoduqag
c:\documents and settings\Fredrik\Application Data\jeoduqag

Registry keys to delete:
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cdcffffacd
HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{042f5f91-4de8-46d8-9e9f-7e42859617fe}
HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{91FC7A08-B473-4AEB-B8A8-005E7EE047BA}

Registry values to delete:
HKLM\SYSTEM\CurrentControlSet\Services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List | c:\\xnev.exe

Registry values to replace with dummy:
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon | Taskman
HKLM\SYSTEM\CurrentControlSet\Services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List | <NO NAME>
  • Click the Execute button.
  • You will be prompted with "Are you sure you want to execute the current script?"
  • Click "Yes"
  • You will now be asked "First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?"
  • Click "Yes".
  • Your PC will reboot.
  • After your PC has completed the necessary reboot, a log should automatically open.
  • If the log does not automatically open, then it can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt)
  • Please post the Avenger log in your next reply.

Now, please immediately launch Combofix so I can see if any infectors remain and post back that log, plus the Avenger log.


Hi again Negster,

Thanks for the reply! Shame about the time difference I'm in Europe GMT +1. . . ah well . . .

I have looked at the driver in question via msinfo32 in the System Drivers section. The description of the driver is simply its name, bsfocgiw . . . it is listed as Kernel Driver, its status is started, Start Mode=boot,

I already have used Flash Disinfector on my drive and it created the Read Only autorun.inf folder. However, that Trojan still got through. NOD32 gets it every time I attach it to my computer though.

I am running Avenger now will do ComboFix after and let you know what I found. If there is anything additional I need to do about the bsfocgiw.sys driver please let me know.

Thanks again,

Dylan


Me again - I could download Avenger onto my friend's computer and unzip it to a folder on the desktop, but then I was unable to run it. The opening dialog box flashes up for a split second and is then closed down straight away before I can click OK, obviously by the rootkit. Renaming the .exe file didn't work either :(

If you think it is not worth it going any further please just let me know, and we will do a re-install of XP for my friend. Of course it's an Eee with no optical drive so another set of challenges there as we don't have an external optical drive :)

NOD32 is totally worth paying for! As is MBAM which I have bought and have the threat protection module running. Anyways interestingly enough that Trojan still manages to get back onto the pen drive despite that autorun.inf folder?

Thanks again,

Dylan


Me again AGAIN - also whenever I connect to the internet I notice that 100s of megabytes are being sent and received by the computer even though I'm not browsing and haven't downloaded anything bigger than avenger.zip. Another bad sign that whatever is on there is VERY active. :(:)

I'll be back online to receive your reply tomorrow, please let me know what you think.

Over and out,

Dylan


Just got back.

Since you are able to run Combofix, I will translate the Avenger script into a CFScript.

Then if that is successful in removing the major part of your infection(s), we can use avenger to mop up any remnants,

I have had trouble with that driver I pointed out to you before (properties description one), morphing and respawning when using solely Combofix:

c:\windows\system32\drivers\bsfocgiw.sys

But we should be able to knock out most everything else with Combofix.

I am up for the challenge so let's see how far we can get.

I would physically disconnect the PC from the internet so there is no background data transmission.

It's hard to say what purpose the PC is being used for, but that network activity is not a good sign, as you've correctly surmised.

Be back later with a CFScript.


Hello, as promised here is the CFScript.

We have some more files, folders and registry entries to clean up that we will manually specify for deletion by using a Combofix script.

It is important that you follow the next set of instructions precisely.

Open Notepad by hitting Start -> run, typing notepad into the Open: box, and then clicking OK.

On the Notepad menu, choose "Format" and make sure that Word Wrap is unchecked (disabled).

Copy/paste the text in the code box below into Notepad.

Save this to your desktop as CFScript.txt by selecting File -> Save as.

Very Important! Before completing the next step - disable any security programs you have running ( this can usually be accomplished by right-clicking a security program's system tray icon, and selecting the disable option from the context menu).

KillAll::
Driver::
bsfocgiw
4535bba6
35a45eedb65b4db1c96b994715a20ae6
ovfsthjlkdwkrirpuxnbmqfoostuqlteppjxvi
File::
c:\windows\system32\drivers\bsfocgiw.sys
C:\WINDOWS\System32\drivers\4535bba6.sys
c:\cqcsss.exe
c:\xnev.exe
c:\windows\system32\cdcffffacd.dll
c:\recycler\S-1-5-21-7467345691-3870965195-203722230-0388\hd1.exe
c:\windows\system32\wumztitk.dll
c:\windows\system32\olsvycj.dll
c:\windows\system32\wuturoho.dll
c:\windows\system32\wuturoho.exe
c:\windows\system32\lonayemu.dll.vir
c:\windows\system32\35a45eedb65b4db1c96b994715a20ae6.sys
C:\xptfh.exe
C:\wwmeoblk.exe
C:\pdtivk.exe
C:\celkadaa.exe
C:\cqcsss.exe
C:\xnev.exe
C:\kggi.exe
C:\windows\system32\drivers\ovfsthmrmpcbxhdsrtlewvmnexrfxlboyigfvp.sys
c:\windows\system32\00016865.tmp
c:\windows\system32\00031338.tmp
c:\windows\system32\00029344.tmp
c:\windows\system32\00032673.tmp
Folder::
c:\documents and settings\NetworkService\Application Data\jeoduqag
c:\documents and settings\Fredrik\Application Data\jeoduqag
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cdcffffacd]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{042f5f91-4de8-46d8-9e9f-7e42859617fe}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{91FC7A08-B473-4AEB-B8A8-005E7EE047BA}]
[HKLM\SYSTEM\CurrentControlSet\Services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\xnev.exe"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Taskman"=-
[HKLM\SYSTEM\CurrentControlSet\Services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"<NO NAME>"=-

[Image: CFScriptB-4.gif, showing CFScript.txt being dragged onto the renamed ComboFix executable]

Referring to the picture above, drag CFScript.txt into ComboFix.exe (leper.exe).

This will cause ComboFix to run again.

Please post back the log that opens when it finishes. Re-enable any security programs you had disabled.

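Negster's two posts above give the same removal list first as an Avenger script and then as a CFScript. The converter below is an added example, not code from the thread or from the authors of Avenger or ComboFix; it mechanises the section-by-section translation those two posts show. The mapping is inferred from the thread, not from any tool documentation: the Avenger headers become Driver::, File:: and Folder:: blocks, and the three registry sections become one Registry:: block in which [-KEY] removes a key and "name"=- removes a value. The sample script is a constructed subset of the entries posted above.

```python
"""Translate an Avenger removal script into a ComboFix CFScript.

Added example (not from the thread or either tool's author). The mapping
follows the two scripts Negster posted above: "Drivers to delete:" ->
"Driver::", "Files to delete:" -> "File::", "Folders to delete:" ->
"Folder::", and the three registry sections -> one "Registry::" block in
.reg-style syntax, where [-KEY] removes a key and "name"=- removes a value.
"""

SECTION_TO_CF = {
    "drivers to delete": "Driver::",
    "files to delete": "File::",
    "folders to delete": "Folder::",
}
REGISTRY_SECTIONS = (
    "registry keys to delete",
    "registry values to delete",
    "registry values to replace with dummy",
)


def parse_avenger(text):
    """Split an Avenger script into an ordered list of (section, entries).
    Headers are the fixed Avenger phrases ending in ':'; every non-blank
    line up to the next header is an entry of the current section."""
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = line[:-1].lower() if line.endswith(":") else None
        if header in SECTION_TO_CF or header in REGISTRY_SECTIONS:
            current = (header, [])
            sections.append(current)
        elif current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        else:
            current[1].append(line)
    return sections


def to_cfscript(sections, kill_all=True):
    """Emit CFScript text; registry entries are gathered into one trailing block."""
    out = ["KillAll::"] if kill_all else []
    registry = []
    for name, entries in sections:
        if name in SECTION_TO_CF:
            out.append(SECTION_TO_CF[name])
            out.extend(entries)
        elif name == "registry keys to delete":
            registry.extend(f"[-{key}]" for key in entries)
        else:
            # Avenger value entries look like "KEY | valuename". The thread maps
            # both "delete" and "replace with dummy" to "name"=-, which deletes
            # the value (Avenger's dummy replacement would leave an empty one).
            for entry in entries:
                key, _, value = entry.partition("|")
                registry.append(f"[{key.strip()}]")
                registry.append(f'"{value.strip()}"=-')
    if registry:
        out.append("Registry::")
        out.extend(registry)
    return "\n".join(out) + "\n"


# Constructed sample: a subset of the first Avenger script posted above.
SAMPLE_AVENGER = r"""
Drivers to delete:
bsfocgiw
4535bba6

Files to delete:
c:\windows\system32\drivers\bsfocgiw.sys
C:\WINDOWS\System32\drivers\4535bba6.sys

Registry keys to delete:
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cdcffffacd

Registry values to delete:
HKLM\SYSTEM\CurrentControlSet\Services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List | c:\\xnev.exe

Registry values to replace with dummy:
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon | Taskman
"""

# What to_cfscript(parse_avenger(SAMPLE_AVENGER)) produces.
EXPECTED_CFSCRIPT = r"""KillAll::
Driver::
bsfocgiw
4535bba6
File::
c:\windows\system32\drivers\bsfocgiw.sys
C:\WINDOWS\System32\drivers\4535bba6.sys
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cdcffffacd]
[HKLM\SYSTEM\CurrentControlSet\Services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\xnev.exe"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Taskman"=-
"""
```

Calling to_cfscript(parse_avenger(SAMPLE_AVENGER)) returns EXPECTED_CFSCRIPT, which matches the shape of the CFScript Negster posted. One caveat is flagged in the code: the thread renders Avenger's "replace with dummy" as "name"=-, which deletes the value outright rather than blanking it, so the two scripts are not strictly equivalent for the Taskman and <NO NAME> entries.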

Dearest Negster,

Thanks for the replies and for the script, glad that you are up for the challenge!

All went well, I ran the script using ComboFix (leper.exe). As requested please find below the latest log from ComboFix:

ComboFix 09-05-12.06 - Fredrik 2009-05-15 12:05.3 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.46.1053.18.1015.721 [GMT 2:00]

K


I'm glad things are much better and your mega transmission problems are solved! :P

I think that "fake" Firefox random named folder is associated with that network activity.

Unfortunately, that pesky infected driver I mentioned is still there and so is at least one other infected file.

I am going to give you an Avenger script again and hopefully it will run and clobber it.

Let me go over your Combofix log now to target all remaining entries.

Also, please try to turn on Windows automatic updates and see if that can be done.

Can you see if you can find a zipped Submission folder in this directory:

C:\Qoobox\Quarantine\

Also, can you please post the content of this file:

C:\Qoobox\ComboFix-quarantined-files.txt

MBAM manual updating:

If you encounter any problems while downloading the updates, manually download them from here:

http://malwarebytes.gt500.org/mbam-rules.exe

Then double-click on mbam-rules.exe to install.


Hello, back again! :P

Please see my above post also, with a couple requests for submissions and some commentary.

I want to try deleting the infected driver with an Avenger script. In the event it was damaged by the resident malware, it is probably best to acquire and unzip a fresh copy of the Avenger program before attempting to run the CFScript:

  • Double click on avenger.exe to launch Avenger.
  • Click OK.
  • Make sure that the box next to "Scan for rootkits" is checked and that the box next to Automatically "Disable any rootkits found" is not checked.

Copy and Paste the text in the Code Box into the Avenger's "Input Script here" Box:

Drivers to delete:
zasappes
Legacy_zasappes
BSFOCGIW
Legacy_bsfocgiw
Legacy_35a45eedb65b4db1c96b994715a20ae6
35a45eedb65b4db1c96b994715a20ae6
ovfsthjlkdwkrirpuxnbmqfoostuqlteppjxvi

Files to delete:
c:\windows\system32\inst_e82.exe
c:\windows\system32\xuszdmv.dll
c:\windows\system32\drivers\zasappes.sys

Registry values to replace with dummy:
HKLM\SYSTEM\CurrentControlSet\Services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List | <NO NAME>
  • Click the Execute button.
  • You will be prompted with "Are you sure you want to execute the current script?"
  • Click "Yes"
  • You will now be asked "First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?"
  • Click "Yes".
  • Your PC will reboot.
  • After your PC has completed the necessary reboot, a log should automatically open.
  • If the log does not automatically open, then it can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt)
  • Please post the Avenger log in your next reply.

After Avenger reboots, please immediately launch Combofix (leper.exe) with the following new CFScript and post back that log, too. Even if Avenger was blocked from running like before and you could not run the Avenger script, I want you to still run Combofix again with this new script!

Important: Please disable all security program active protection before running this script and then re-enable afterward!

KillAll::
File::
c:\windows\system32\inst_e82.exe
c:\windows\system32\xuszdmv.dll
c:\windows\system32\drivers\zasappes.sys
Dirlook::
c:\windows\E80F62FF5D3C4A1984099721F2928206.TMP
FileLook::
c:\windows\system32\msln.exe
Driver::
zasappes
Legacy_zasappes
BSFOCGIW
Legacy_BSFOCGIW
Legacy_35a45eedb65b4db1c96b994715a20ae6
Legacy_bsfocgiw
35a45eedb65b4db1c96b994715a20ae6
bsfocgiw
ovfsthjlkdwkrirpuxnbmqfoostuqlteppjxvi

Please post back C:\Combofix.txt

I'd like to investigate the content of this newly created batch file in the CF log, by piping the content to a TXT file and posting back here:

c:\windows\archivo.bat

To do that, open command prompt by clicking start -> run, typing cmd, and then hitting Enter key.

Copy and paste the following (one line) command:

type c:\windows\archivo.bat > "%userprofile%\documents\archivo.txt" && notepad "%userprofile%\documents\archivo.txt"

Please post back the contents of (if short), or attach the file archivo.txt that opens in your documents folder.

So to sum it up I'd like to see the following:

1. C:\Avenger.txt

2. C:\Combofix.txt

3. %userprofile%\documents\archivo.txt

Thanks!


Thanks for the latest posts and scripts Negster! Hopefully we can get this thing licked . . . :P

First up, Windows automatic updates is turned on, no issues there. It was set to download automatically and prompt to install, and I set it to fully automatic with no problems. Last Friday the notebook installed 5 recent updates after we managed to get ComboFix to run with the script you gave me.

Second, there is a zipped Submission folder in this directory:

C:\Qoobox\Quarantine\

Here is the title of that folder: [4]-SUBMIT_2009-05-15_12.05.20.ZIP

Should I do anything with it?

Please find below the content of this file:

C:\Qoobox\ComboFix-quarantined-files.txt

2009-05-15 10:08:43 . 2009-05-15 10:08:43 4,556 ----a-w C:\Qoobox\Quarantine\Registry_backups\Service_ovfsthjlkdwkrirpuxnbmqfoostuqlteppjxvi.reg.dat

2009-05-15 10:08:43 . 2009-05-15 10:08:43 7,168 ----a-w C:\Qoobox\Quarantine\Registry_backups\Service_bsfocgiw.reg.dat

2009-05-15 10:08:42 . 2009-05-15 10:08:42 4,024 ----a-w C:\Qoobox\Quarantine\Registry_backups\Service_35a45eedb65b4db1c96b994715a20ae6.reg.dat

2009-05-15 10:08:42 . 2009-05-15 10:08:42 1,276 ----a-w C:\Qoobox\Quarantine\Registry_backups\Legacy_bsfocgiw.reg.dat

2009-05-15 10:08:42 . 2009-05-15 10:08:42 1,508 ----a-w C:\Qoobox\Quarantine\Registry_backups\Legacy_35a45eedb65b4db1c96b994715a20ae6.reg.dat

2009-05-15 10:06:23 . 2009-05-15 10:06:23 567,467 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\_wumztitk_.dll.zip

2009-05-15 10:06:22 . 2009-05-15 10:06:22 201,975 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\_olsvycj_.dll.zip

2009-05-15 10:06:21 . 2009-05-15 10:06:21 507 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_bsfocgiw_.sys.zip

2009-05-15 10:06:19 . 2009-05-15 10:06:20 244,779 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\_cdcffffacd_.dll.zip

2009-05-15 10:05:47 . 2009-05-15 10:05:48 1,339,806 ----a-w C:\Qoobox\Quarantine\[4]-SUBMIT_2009-05-15_12.05.20.ZIP

2009-05-14 08:58:15 . 2009-05-14 08:58:15 554 ----a-w C:\Qoobox\Quarantine\Registry_backups\Notify-__c004baa1.reg.dat

2009-05-14 08:58:02 . 2009-05-14 08:58:02 134 ----a-w C:\Qoobox\Quarantine\Registry_backups\HKU-Default-Run-A00FE1C7C.exe.reg.dat

2009-05-14 08:57:57 . 2009-05-14 08:57:57 237 ----a-w C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-pidle.reg.dat

2009-05-14 08:57:55 . 2009-05-14 08:57:55 542 ----a-w C:\Qoobox\Quarantine\Registry_backups\BHO-{2b58af08-4cc9-41b5-83d0-2329eb329190}.reg.dat

2009-05-14 08:51:55 . 2009-05-14 08:51:55 149,018 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_4535bba6_.sys.zip

2009-05-14 08:51:26 . 2009-05-14 08:51:26 2,176 ----a-w C:\Qoobox\Quarantine\Registry_backups\Service_ekmmuutd.reg.dat

2009-05-14 08:51:26 . 2009-05-14 08:51:26 74 ----a-w C:\Qoobox\Quarantine\Registry_backups\Service_4535bba6.reg.dat

2009-05-14 08:51:25 . 2009-05-14 08:51:25 1,092 ----a-w C:\Qoobox\Quarantine\Registry_backups\Legacy_ekmmuutd.reg.dat

2009-05-14 08:51:04 . 2009-05-15 10:08:30 6,723 ----a-w C:\Qoobox\Quarantine\Registry_backups\tcpip.reg

2009-05-13 16:15:26 . 2009-05-15 10:06:24 2,641 ----a-w C:\Qoobox\Quarantine\catchme.log

2009-05-13 16:03:11 . 2009-05-13 16:03:11 367 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Fredrik\Application Data\jeoduqag\Profiles\v8wyajyf.default\prefs.js.vir

2009-05-13 15:58:01 . 2009-05-13 15:58:01 367 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\jeoduqag\Profiles\ml2m9ddh.default\prefs.js.vir

2009-05-13 15:38:32 . 2009-05-13 15:38:32 3,512 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\jeoduqag\Profiles\ml2m9ddh.default\pluginreg.dat.vir

2009-05-13 15:38:26 . 2009-05-13 15:38:26 510 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\jeoduqag\Profiles\ml2m9ddh.default\localstore.rdf.vir

2009-05-13 15:38:19 . 2009-05-13 15:58:13 2,048 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\jeoduqag\Profiles\ml2m9ddh.default\webappsstore.sqlite.vir

2009-05-13 15:38:18 . 2009-05-13 15:38:18 4,096 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\jeoduqag\Profiles\ml2m9ddh.default\formhistory.sqlite.vir

2009-05-13 15:38:17 . 2009-05-13 16:02:09 0 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\jeoduqag\Profiles\ml2m9ddh.default\places.sqlite-journal.vir

2009-05-13 15:38:17 . 2009-05-13 15:58:23 131,072 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\jeoduqag\Profiles\ml2m9ddh.default\places.sqlite.vir

2009-05-13 15:38:17 . 2009-05-13 15:38:17 16,384 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\jeoduqag\Profiles\ml2m9ddh.default\key3.db.vir

2009-05-13 15:38:17 . 2009-05-13 15:40:35 65,536 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\jeoduqag\Profiles\ml2m9ddh.default\cert8.db.vir

2009-05-13 15:38:16 . 2009-05-13 15:38:17 16,384 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\jeoduqag\Profiles\ml2m9ddh.default\secmod.db.vir

2009-05-13 15:38:12 . 2009-05-13 16:02:57 2,048 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\jeoduqag\Profiles\ml2m9ddh.default\cookies.sqlite.vir

2009-05-13 15:38:09 . 2009-05-13 15:38:10 2,048 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\jeoduqag\Profiles\ml2m9ddh.default\permissions.sqlite.vir

2009-05-13 15:38:09 . 2009-05-13 15:58:01 127,885 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\jeoduqag\Profiles\ml2m9ddh.default\compreg.dat.vir

2009-05-13 15:38:06 . 2009-05-13 15:58:00 96,155 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\jeoduqag\Profiles\ml2m9ddh.default\xpti.dat.vir

2009-05-13 15:38:06 . 2009-05-13 15:58:00 195 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\jeoduqag\Profiles\ml2m9ddh.default\compatibility.ini.vir

2009-05-13 15:38:06 . 2009-05-13 15:38:06 111 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\jeoduqag\profiles.ini.vir

2009-05-13 15:32:25 . 2009-05-13 15:32:25 3,512 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Fredrik\Application Data\jeoduqag\Profiles\v8wyajyf.default\pluginreg.dat.vir

2009-05-13 15:32:23 . 2009-05-13 15:32:23 510 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Fredrik\Application Data\jeoduqag\Profiles\v8wyajyf.default\localstore.rdf.vir

2009-05-13 15:32:14 . 2009-05-13 16:03:26 2,048 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Fredrik\Application Data\jeoduqag\Profiles\v8wyajyf.default\webappsstore.sqlite.vir

2009-05-13 15:32:13 . 2009-05-13 15:32:13 4,096 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Fredrik\Application Data\jeoduqag\Profiles\v8wyajyf.default\formhistory.sqlite.vir

2009-05-13 15:32:12 . 2009-05-13 16:06:21 0 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Fredrik\Application Data\jeoduqag\Profiles\v8wyajyf.default\places.sqlite-journal.vir

2009-05-13 15:32:12 . 2009-05-13 16:03:33 131,072 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Fredrik\Application Data\jeoduqag\Profiles\v8wyajyf.default\places.sqlite.vir

2009-05-13 15:32:12 . 2009-05-13 15:32:12 16,384 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Fredrik\Application Data\jeoduqag\Profiles\v8wyajyf.default\key3.db.vir

2009-05-13 15:32:12 . 2009-05-13 15:35:31 65,536 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Fredrik\Application Data\jeoduqag\Profiles\v8wyajyf.default\cert8.db.vir

2009-05-13 15:32:11 . 2009-05-13 15:32:12 16,384 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Fredrik\Application Data\jeoduqag\Profiles\v8wyajyf.default\secmod.db.vir

2009-05-13 15:32:09 . 2009-05-13 16:18:24 2,048 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Fredrik\Application Data\jeoduqag\Profiles\v8wyajyf.default\cookies.sqlite.vir

2009-05-13 15:32:06 . 2009-05-13 15:32:07 2,048 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Fredrik\Application Data\jeoduqag\Profiles\v8wyajyf.default\permissions.sqlite.vir

2009-05-13 15:32:06 . 2009-05-13 16:03:11 127,885 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Fredrik\Application Data\jeoduqag\Profiles\v8wyajyf.default\compreg.dat.vir

2009-05-13 15:32:04 . 2009-05-13 16:03:09 96,155 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Fredrik\Application Data\jeoduqag\Profiles\v8wyajyf.default\xpti.dat.vir

2009-05-13 15:32:04 . 2009-05-13 16:03:09 195 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Fredrik\Application Data\jeoduqag\Profiles\v8wyajyf.default\compatibility.ini.vir

2009-05-13 15:32:04 . 2009-05-13 15:32:04 111 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Fredrik\Application Data\jeoduqag\profiles.ini.vir

2009-05-07 14:06:17 . 2009-05-07 14:06:17 135,168 ----a-w C:\Qoobox\Quarantine\C\Program\Jcore\Jcore2.dll.vir

2009-04-29 19:57:33 . 2009-05-07 15:05:06 43 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthkbalifqgfpfbuhhvedivxkppjdxvcvai.dat.vir

2009-04-29 19:56:29 . 2009-04-29 19:56:29 18,944 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthnptxstghnwpmynvdxmcrhbbnmtssposy.dll.vir

2009-04-29 19:56:29 . 2009-04-29 19:56:29 18,432 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthqrfhxninmliwwcrvtyqtmxtwlqgptaau.dll.vir

2009-04-29 19:56:29 . 2009-05-07 15:05:27 29,563 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthrbvpnrterthidectqkfuctfpymestxbk.dat.vir

2009-04-29 19:55:58 . 2009-04-29 19:55:58 60,928 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthqxdstinlnqjonoqyfbyamcpmphemdnbd.dll.vir

2009-04-29 19:53:42 . 2009-04-29 19:53:42 143,872 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\00031338.tmp.vir

2009-04-29 19:53:42 . 2009-04-29 19:53:42 27,648 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\00016865.tmp.vir

2009-04-29 18:15:11 . 2009-04-29 19:39:32 43 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthvfudnqinripibeejvalxbsblfkmxbfpo.dat.vir

2009-04-29 18:14:08 . 2009-04-29 18:14:08 18,944 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthvpqphesutkpvgstuxubqjuyqtwdtpuwi.dll.vir

2009-04-29 18:14:08 . 2009-04-29 18:14:08 18,432 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthgeibpricpoobwwhxvnxteacpktsypets.dll.vir

2009-04-29 18:14:08 . 2009-04-29 19:39:32 6,097 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthpqdwdreeistkjtpeumtnvratnfampxmx.dat.vir

2009-04-29 18:13:38 . 2009-04-29 18:13:38 60,928 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthkiqorjxibcofvcchxjucwptimusspmar.dll.vir

2009-04-29 18:10:09 . 2009-04-29 18:10:09 143,872 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\00032673.tmp.vir

2009-04-29 18:10:09 . 2009-04-29 18:10:09 27,648 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\00029344.tmp.vir

2009-04-29 13:27:09 . 2009-05-13 15:21:04 27,648 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\__c004BAA1.dat.vir

2009-04-29 13:27:08 . 2009-04-29 13:27:08 39,936 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\winglsetup.exe.vir

2009-04-28 21:00:09 . 2009-05-15 10:05:35 39,936 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\35a45eedb65b4db1c96b994715a20ae6.sys.vir

2009-04-28 20:53:35 . 2009-04-28 20:53:04 135,168 ----a-w C:\Qoobox\Quarantine\C\RECYCLER\S-1-5-21-7467345691-3870965195-203722230-0388\hd1.exe.vir

2009-04-28 20:53:15 . 2009-04-28 20:53:16 705 ----a-w C:\Qoobox\Quarantine\C\xptfh.exe.vir

2009-04-28 20:53:13 . 2009-04-28 20:53:15 101,888 ----a-w C:\Qoobox\Quarantine\C\wwmeoblk.exe.vir

2009-04-28 20:53:12 . 2009-05-15 10:05:31 205,824 ----a-w C:\Qoobox\Quarantine\C\pdtivk.exe.vir

2009-04-28 20:53:06 . 2009-05-15 10:05:26 7,680 ----a-w C:\Qoobox\Quarantine\C\celkadaa.exe.vir

2009-04-28 20:53:05 . 2009-05-15 10:05:28 29,696 ----a-w C:\Qoobox\Quarantine\C\cqcsss.exe.vir

2009-04-28 20:53:04 . 2009-05-15 10:05:47 135,168 ----a-w C:\Qoobox\Quarantine\C\xnev.exe.vir

2009-04-28 20:53:02 . 2009-05-15 10:05:30 184,848 ----a-w C:\Qoobox\Quarantine\C\kggi.exe.vir

2009-04-27 22:40:19 . 2009-04-29 17:46:20 43 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthufdkuwvxaocslkxkermfhvltmlufftuu.dat.vir

2009-04-27 22:39:18 . 2009-04-27 22:39:18 18,432 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthkianektaouiscjhgierbgtdkhloevkpe.dll.vir

2009-04-27 22:39:18 . 2009-04-27 22:39:18 18,944 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthuvtchxboisbcnotwmmvsexjyikdnsrcq.dll.vir

2009-04-27 22:39:16 . 2009-04-29 17:46:20 53,884 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthbpqkcmyvrjkcoasnhxwimlsgpykytbkg.dat.vir

2009-04-27 22:39:13 . 2009-04-27 22:39:13 60,928 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthictoycppbamqxptfvxrqudbwakqbayfb.dll.vir

2009-04-27 22:39:13 . 2009-04-27 22:39:13 83,968 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ovfsthmrmpcbxhdsrtlewvmnexrfxlboyigfvp.sys.vir

2009-04-27 22:38:57 . 2009-04-29 19:54:38 56,832 ----a-w C:\Qoobox\Quarantine\C\Documents and Settings\Fredrik\Application Data\pidle\pidle.exe.vir

2009-01-27 22:44:15 . 2009-05-15 10:05:41 87,040 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\lonayemu.dll.vir.vir

2009-01-27 22:44:15 . 2009-05-15 10:05:45 50,688 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\wuturoho.exe.vir

2008-07-17 09:30:47 . 2008-04-15 12:00:00 23,424 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\bsfocgiw.sys.vir

2008-07-17 09:30:47 . 2008-04-15 12:00:00 103,936 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\olsvycj.dll.vir

2008-07-17 09:30:47 . 2009-05-14 08:51:14 143,872 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\wumztitk.dll.vir

2006-05-20 04:28:05 . 2009-05-15 10:06:20 312,847 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\system32\cdcffffacd.dll.vir

And now I'm running the scripts you sent me for Avenger and ComboFix . . . will post those logs shortly!

Thanks for the continuing help,

Dylan


Alrighty! Ran both scripts in (a fresh copy of) avenger.exe and ComboFix. One small hiccup: I didn't disable AVG antivirus properly; I thought I had turned everything off, but it was still running in the background apparently. ComboFix did prompt me about this and disabled AVG by itself, I believe (all in Swedish . . . unfortunately!).

One other thing: the huge activity on the network connection has actually continued; there was only one session on this computer when it abated. In particular the Packets: Sent figure is a huge number; when the computer is idle it is still sending a lot of packets??

As it's much shorter, I'll paste in the archivo.txt information first (had to rename to the Swedish equivalents for documents to make this command run):

@echo off

del C:\WINDOWS\SYSTEM32\drivers\etc\hosts

Please find below the Avenger log, followed by the ComboFix log (no rootkits found by Avenger?). Please let me know what's next! Thanks again . . .

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

No rootkits found!

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\zasappes" not found!

Deletion of driver "zasappes" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\Legacy_zasappes" not found!

Deletion of driver "Legacy_zasappes" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\BSFOCGIW" not found!

Deletion of driver "BSFOCGIW" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\Legacy_bsfocgiw" not found!

Deletion of driver "Legacy_bsfocgiw" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\Legacy_35a45eedb65b4db1c96b994715a20ae6" not found!

Deletion of driver "Legacy_35a45eedb65b4db1c96b994715a20ae6" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\35a45eedb65b4db1c96b994715a20ae6" not found!

Deletion of driver "35a45eedb65b4db1c96b994715a20ae6" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\ovfsthjlkdwkrirpuxnbmqfoostuqlteppjxvi" not found!

Deletion of driver "ovfsthjlkdwkrirpuxnbmqfoostuqlteppjxvi" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

File "c:\windows\system32\inst_e82.exe" deleted successfully.

File "c:\windows\system32\xuszdmv.dll" deleted successfully.

File "c:\windows\system32\drivers\zasappes.sys" deleted successfully.

Error: could not query size of registry value "HKLM\SYSTEM\CurrentControlSet\Services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List|<NO NAME>"

Replacement with dummy of registry value "HKLM\SYSTEM\CurrentControlSet\Services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List|<NO NAME>" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Completed script processing.

*******************

Finished! Terminate.

ComboFix 09-05-17.05 - Fredrik 2009-05-18 15:57.4 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.46.1053.18.1015.622 [GMT 2:00]

K


We managed to kill the malicious driver I was talking about!!

Use Regedit to delete the value data for the following key:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"<NO NAME>"= c:\\cqcsss.exe

Instructions;

Click Start -> Run, type regedit, and hit Enter; the Registry Editor will open.

Expand the Registry tree by clicking the + signs next to the keys I indicate, as follows:

  • Click the "+" sign next to HKEY_LOCAL_MACHINE
  • Click the "+" sign next to Services
  • Click the "+" sign next to System
  • Click the "+" sign next to CurrentControlSet
  • Click the "+" sign next to Services
  • Click the "+" sign next to SharedAccess
  • Click the "+" sign next to Parameters
  • Click the "+" sign next to FirewallPolicy
  • Click the "+" sign next to StandardProfile
  • Click the "+" sign next to AuthorizedApplications
  • Click the "+" sign next to List
  • Double-click the "+" sign next to List
  • Locate the following value in the right pane:
    "<NO NAME>"= c:\\cqcsss.exe
  • If the value name is really "<NO NAME>", then delete the value by right-clicking it and selecting delete.
  • If the value name with value data = c:\\cqcsss.exe is "default", then delete only the value data by doing the following:
    • Double-click the value and a data editor window will open
    • Delete the data "c:\\cqcsss.exe" in the value data field
    • Click OK

Now, I would like to collect some samples from you with the aim of improving malware definitions:

Can you please visit this submission webpage

In the "Link to topic where this file was requested: " box, copy and paste the url to this topic as follows:

http://www.malwarebytes.org/forums/index.php?showtopic=15204

Next, copy and paste the following bolded text into the "Browse to the file you want to submit:" box:

C:\Qoobox\Quarantine\[4]-SUBMIT_2009-05-15_12.05.20.ZIP

In the "Leave any comments, further information about this file, or contact information:"

just input your user name

Then click 'Send File'

Please also submit the following zipped Avenger folder in the same way:

C:\avenger\backup.zip

Thank you!

I am going to review your ComboFix log some more to make sure nothing was missed.

That is troubling about the excessive network activity but so far I have not seen anything else amiss. If it keeps up there are some troubleshooting tools you can download to assess it.

After you submit the samples, I would like you to run a complete system scan with one of the following two scanners (DrWeb or ESET); directions for both are included below. Expect some detections in Qoobox and System Volume Information (they will not be active malware, so don't worry):

Please perform a scan with the ESET online virus scanner:

http://www.eset.com/onlinescan/index.php

  • ESET recommends disabling your resident antivirus's auto-protection feature before beginning the scan to avoid conflicts and system hangs. Please disable your antivirus's guard and any antispyware or HIPS programs you are running.
  • Use Internet Explorer to navigate to the scanner website, because you must approve the installation of an ActiveX add-on to complete the scan.
  • Check the "Yes, I accept the terms of use" box.
  • Click "Start"
  • Check the following two boxes:
    • Enable "Remove found threats"
    • Scan unwanted applications
  • Click the Scan button to begin scanning.
  • When the scan is done the log is automatically saved. To retrieve it:
    • Close the ESET scan window.
    • Now open a run line by clicking Start >> Run...
    • Copy/paste "C:\Program Files\EsetOnlineScanner\log.txt" into the Open box.
    • The scan results will now display in Notepad.
  • Please copy and paste the ESET scan report, found at C:\Program Files\EsetOnlineScanner\log.txt, into your next reply.

Note to Vista users and anyone with restrictive IE security settings: depending on your security settings, you may have to allow cookies and put the ESET website, www.eset.com, into the Trusted Sites zone of Internet Explorer if the scan has problems starting (in Vista this is a necessity, as IE runs in Protected Mode).

To do that, on the Internet Explorer menu click Tools => Internet Options => Security => Trusted Sites => Sites. Then uncheck "Require server verification for all sites in this zone" checkbox at the bottom of the dialog. Add the above www.eset.com url to the list of trusted sites, by inserting it in the blank box and clicking the Add button, then click Close. For cookies, choose the IE7 Privacy tab and add the above eset.com url to the exceptions list for cookie blocking.

______________________________________________

As an alternative to an online antivirus scan, you can run a scan with Dr.Web CureIt!. This scanner is an executable file that is ready to go with no extracting and no updating. It does take a while to scan, so be patient.

1. Please download DrWeb-CureIt by clicking the "Download now!!!" button on the right-side of the page. Save the randomly named executable file to your desktop, but DO NOT perform a scan yet.

2. Next, please reboot your computer in Safe Mode by doing the following:

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, an Advanced Options Menu should appear
  • Select the first option, to run Windows in Safe Mode.

3. Double-click the randomly named executable file to start the program. An "Express Scan of your PC" notice will appear.

4. Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to "cure it".

5. Once the short scan has finished, Click Options --> Change settings

6. Choose the "Scan tab" and UNcheck "Heuristic analysis"

7. Back at the main window, click "Complete Scan"

8. Then click the "Start/Stop Scanning" button (green triangular "play" button on the right), and the scan will start.

9. When done, a message will be displayed at the bottom advising if any threats were found.

10. Click "Yes to all" if it asks if you want to cure/move the file.

11. When the scan has finished, see if you can locate the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".

(This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)

12. Next, in the Dr.Web CureIt menu on top, click File and then choose Save report.

13. Save the DrWeb.csv report to your desktop.

14. Exit Dr.Web Cureit when done.

15. Important! Reboot your computer so any targeted files that were in use can be moved/deleted during reboot.

16. After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report by right-clicking the file and selecting "Open With" -> Notepad.)

In your next reply, please include the following:

  • Dr.Web Log or ESET log
  • A new HJT log
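The regedit step above removes one program from the Windows XP firewall exception list by hand. As an added example (not part of the thread, and not the helper's or Dylan's code), the script below reads a `reg export` of that same AuthorizedApplications\List key and flags entries a practitioner would want to look at: a program stored in the key's default value, a value whose name does not match its path, or an executable sitting in the drive root, a temp directory, a user profile or the Recycler. The .reg export is constructed for the example; only the c:\cqcsss.exe entry mirrors the thread, the Skype and updater.exe entries are invented for contrast, and the `path:scope:Enabled:name` data format is the one XP writes for firewall exceptions.

```python
"""Audit Windows XP firewall exceptions (AuthorizedApplications\\List) from a .reg export.

Added example, not from the forum thread. Each value under
HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\
StandardProfile\\AuthorizedApplications\\List is normally named after the program
path and holds "path:scope:Enabled:name".
"""
import re

# Constructed sample export. Only the cqcsss.exe line mirrors the thread; the
# Skype and updater.exe lines are invented to show a normal and a bad entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
@="c:\\cqcsss.exe:*:Enabled:"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\WINDOWS\\Temp\\updater.exe"="C:\\WINDOWS\\Temp\\updater.exe:*:Enabled:updater"
'''

# One `"name"="data"` or `@="data"` line of a .reg file (backslash escapes allowed).
VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))="(?P<data>(?:[^"\\]|\\.)*)"$')
# Value data split into program path / scope / state / display name.
ENTRY_RE = re.compile(r"^(?P<path>[A-Za-z]:\\[^:]*):(?P<scope>[^:]*):(?P<state>[^:]*):(?P<label>.*)$")

# Illustrative location rules (assumptions for this example, not an official list).
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\windows\\system32\\")
SUSPECT_PREFIXES = ("c:\\windows\\temp\\", "c:\\documents and settings\\", "c:\\recycler\\")


def unescape(s):
    """Undo .reg escaping: \\\\ -> \\ and \\" -> "."""
    return s.replace("\\\\", "\\").replace('\\"', '"')


def parse_reg_values(text):
    """Return [(value_name, data), ...]; the default value is reported as '(Default)'."""
    values = []
    for line in text.splitlines():
        m = VALUE_RE.match(line.strip())
        if m:
            name = "(Default)" if m.group("default") else unescape(m.group("name"))
            values.append((name, unescape(m.group("data"))))
    return values


def classify(value_name, data):
    """Judge one firewall exception; returns a dict with verdict and reasons."""
    m = ENTRY_RE.match(data)
    if not m:
        return {"value": value_name, "path": data, "verdict": "malformed",
                "reasons": ["data is not path:scope:state:name"]}
    path = m.group("path").lower()
    reasons = []
    if value_name == "(Default)":
        reasons.append("stored in the key's default value, not a named entry")
    elif value_name.lower() != path:
        reasons.append("value name does not match the program path")
    if re.fullmatch(r"[a-z]:\\[^\\]+", path):
        reasons.append("executable sits in the drive root")
    if path.startswith(SUSPECT_PREFIXES):
        reasons.append("lives under a temp, profile or recycler directory")
    if reasons:
        verdict = "suspicious"
    elif path.startswith(TRUSTED_PREFIXES):
        verdict = "ok"
    else:
        verdict = "review"
    return {"value": value_name, "path": path, "verdict": verdict, "reasons": reasons}


def audit(reg_text):
    """Classify every exception in a .reg export of the List key."""
    return [classify(name, data) for name, data in parse_reg_values(reg_text)]


if __name__ == "__main__":
    for entry in audit(SAMPLE_REG):
        print("%-10s %s" % (entry["verdict"], entry["path"]))
        for reason in entry["reasons"]:
            print("           - " + reason)
```

On a live machine, export the key with `reg export "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List" fw.reg` and feed the file to `audit()`; an entry rated "suspicious" is a candidate for the manual deletion described above, but confirm what the executable is before removing it.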

Hopefully we are getting there Negster! :P

One area of concern: the suspicious network activity. I have noticed a difference in Swedish in the way this is displayed in the Network Connection Status dialog box; it is displayed as "Byte", which may not correspond to "Packets" in English? If it does, then today, just going onto the MBAM forum, doing the ESET scan and replying to you, a total of 2 317 746 "Bytes" were sent and a huge 25 238 755 were received. On my notebook, where I've been surfing all day, the corresponding numbers are 37,179 Packets sent and 22,768 received.

The regedit was successful. The key looked slightly different in this Swedish Windows; it was more like

<Standard>"= c:\\cqcsss.exe

And also in the value data field there was a "K:enabled" after the above text. I just deleted the entire data field; I trust that was the correct step.

I was honoured to be asked to submit my malware! I submitted the C:\Qoobox\Quarantine\[4]-SUBMIT_2009-05-15_12.05.20.ZIP file with no problem. However, I don't have a C:\avenger\backup.zip file; there isn't an avenger folder at all, I just have avenger.exe on the desktop.

I also have to confess I updated MBAM and ran a full scan last night, and afterwards realised I shouldn't do this unless instructed to. This scan and clean may have deleted the Trojans from the C:\Qoobox\Quarantine folder that you would have been interested in?? Sorry about this if that is in fact the case. Here is that MBAM log in any case, FYI:

Malwarebytes' Anti-Malware 1.36

Database version: 2110

Windows 5.1.2600 Service Pack 3

2009-05-18 17:05:58

mbam-log-2009-05-18 (17-05-57).txt

Scan type: Full Scan (C:\|D:\|)

Objects scanned: 124912

Time elapsed: 34 minute(s), 18 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 1

Files Infected: 25

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prnet (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

C:\Documents and Settings\Fredrik\Application Data\Twain (Trojan.Matcash) -> Quarantined and deleted successfully.

Files Infected:

C:\Qoobox\Quarantine\C\Documents and Settings\Fredrik\Application Data\pidle\pidle.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthkiqorjxibcofvcchxjucwptimusspmar.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\00016865.tmp.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\00029344.tmp.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\00031338.tmp.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\00032673.tmp.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthnptxstghnwpmynvdxmcrhbbnmtssposy.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthqrfhxninmliwwcrvtyqtmxtwlqgptaau.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthqxdstinlnqjonoqyfbyamcpmphemdnbd.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthuvtchxboisbcnotwmmvsexjyikdnsrcq.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthvpqphesutkpvgstuxubqjuyqtwdtpuwi.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\winglsetup.exe.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\__c004BAA1.dat.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthgeibpricpoobwwhxvnxteacpktsypets.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthkianektaouiscjhgierbgtdkhloevkpe.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{457B2514-7950-4E5D-B9DE-A5A440449268}\RP11\A0001280.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{457B2514-7950-4E5D-B9DE-A5A440449268}\RP11\A0001282.dll (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{457B2514-7950-4E5D-B9DE-A5A440449268}\RP11\A0001284.dll (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{457B2514-7950-4E5D-B9DE-A5A440449268}\RP11\A0001285.dll (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{457B2514-7950-4E5D-B9DE-A5A440449268}\RP11\A0001286.dll (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{457B2514-7950-4E5D-B9DE-A5A440449268}\RP11\A0001287.dll (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{457B2514-7950-4E5D-B9DE-A5A440449268}\RP11\A0001288.dll (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{457B2514-7950-4E5D-B9DE-A5A440449268}\RP11\A0001289.dll (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{457B2514-7950-4E5D-B9DE-A5A440449268}\RP11\A0001290.dll (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\jtstapvs.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

I ran the ESET online scanner, and it seems the only threats it found were in the ComboFix Quarantine:

# version=4

# OnlineScanner.ocx=1.0.0.635

# OnlineScannerDLLA.dll=1, 0, 0, 79

# OnlineScannerDLLW.dll=1, 0, 0, 78

# OnlineScannerUninstaller.exe=1, 0, 0, 49

# vers_standard_module=4086 (20090519)

# vers_arch_module=1.064 (20080214)

# vers_adv_heur_module=1.066 (20070917)

# EOSSerial=c2597284e74aea438f5847dfe27672ab

# end=finished

# remove_checked=true

# unwanted_checked=true

# utc_time=2009-05-19 10:20:06

# local_time=2009-05-19 12:20:06 (+0100, V


Hi Dylan,

Thank you for that treasure trove of malware! It is much appreciated. :P

I am not seeing any more malware evident in your logs, and ESET and MBAM are only identifying quarantined malware files, except for this one Vundo DLL that MBAM successfully located and deleted:

C:\WINDOWS\system32\jtstapvs.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

Neither MBAM nor ESET found anything in the Avenger backup.zip, so I am wondering what happened to that archive.

The archivo.bat content is puzzling because it deletes the Windows hosts file.

@echo off

del C:\WINDOWS\SYSTEM32\drivers\etc\hosts

Please open this file in Notepad and then copy and paste the content back in your next reply. If the file is large, attach it.

C:\WINDOWS\SYSTEM32\drivers\etc\hosts

There are two programs you can install to help reduce devious network activity.

1. Download and install SpywareBlaster:

http://www.javacoolsoftware.com/spywareblaster.html

Update it and then enable protection for all unprotected items.

You will have to update the free version manually about once a month by clicking the Updates button.

2. Download and install the MVPS HOSTS file (hosts.zip):

http://www.mvps.org/winhelp2002/hosts.htm

The location to install the hosts file in Windows XP:

C:\WINDOWS\SYSTEM32\DRIVERS\ETC

Download: (146 kb)

http://www.mvps.org/winhelp2002/hosts.zip

How To: Download and Extract the HOSTS file

http://www.mvps.org/winhelp2002/hosts2.htm

HOSTS File - Frequently Asked Questions

http://www.mvps.org/winhelp2002/hostsfaq.htm

To monitor network activity you need the following programs:

1. Download and install TCPView for Windows:

http://technet.microsoft.com/en-us/sysinte...s/bb897437.aspx

2. Download and install Process Explorer for Windows:

http://technet.microsoft.com/en-us/sysinte...s/bb896653.aspx

3. Your firewall program log (to see what processes are maintaining open ports and what remote IPs they are communicating with)

4. A sniffer - packet capture program like Wireshark aka Ethereal:

http://www.wireshark.org/

or even Port Explorer, which can spy on a particular port and capture and record to disk the packets that are transmitted. Port Explorer has a free 30-day trial period and is available here:

http://diamondcs.com.au/portexplorer/

The basic steps to catch transmitting malware in the act are:

1. Use TCPView to inspect which processes have open ports. You can also use Port Explorer to do this; it is a port-to-process mapper that can also capture packets (see below). The processes will be identified by name and PID (process ID).

2. Run Process Explorer in the background to map the svchost processes to the PIDs listed in TCPView or Port Explorer. This way you can identify what services (DLLs) are loaded by any svchost in question. You can also identify which processes are engaged in intensive I/O activity by examining the I/O Read and Write bytes (View -> Select Columns -> Process Performance).

3. Correlate the data in 1 & 2 to see if any of the processes are malicious, or if any of the DLLs loaded by an svchost with network connections are malicious.

Sometimes benign programs running in the background (like Skype) are responsible for network activity, but using the steps above you should be able to narrow down what process or service is at fault.

4. If a malicious process is identified, then you can capture the packets that are being sent and/or received and inspect them with Wireshark or Ethereal. Each packet header contains the source and destination IP addresses, i.e. your computer and the remote computer information is being exchanged with, plus additional data.

Here is a Wireshark/Ethereal tutorial:

http://www.wireshark.org/news/20060714.html

One thing I forgot to mention is that you have a leftover Symantec service running on your computer.

c:\program\Symantec\LiveUpdate\AluSchedulerSvc.exe <== should not be running if AVG8 is your active AV

Go to the Control Panel -> Add/Remove Programs and remove LiveUpdate.

If you can't find it there, you should be able to stop and disable the service from the command prompt by issuing this command:

sc stop "automatic liveupdate scheduler" && sc config "automatic liveupdate scheduler" start= disabled

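The post above asks for the hosts file content because malware commonly plants entries there (and the archivo script earlier in the thread simply deleted the file, which removes the evidence along with the entries). As an added example (not part of the thread, and not the helper's or Dylan's code), here is a small audit that reads a Windows hosts file and separates three kinds of entry: security-vendor domains pinned to any address (a blocklist like the MVPS file never touches those), ordinary sinkhole entries that point a hostname at 127.0.0.1 or 0.0.0.0 (normal for an ad-blocking hosts file), and hostnames redirected to a routable address (pharming). The hosts content and the vendor watch-list are constructed for the example; they are not what was on the machine in the thread.

```python
"""Audit a Windows hosts file for vendor blocking and redirection.

Added example, not from the forum thread. The sample hosts content and the
vendor watch-list are constructed for this example.
"""

# Constructed sample. The first two lines are a clean XP hosts file; the
# doubleclick line is what an MVPS-style blocking entry looks like; the last
# three lines are the kind of tampering that keeps a browser away from
# anti-malware sites or silently moves a site somewhere else.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         ad.doubleclick.net      # MVPS-style blocking entry
127.0.0.1       www.malwarebytes.org malwarebytes.org
127.0.0.1       www.eset.com
10.0.0.5        www.google.com
"""

# Illustrative watch-list (assumption for this example; extend for real use).
SECURITY_DOMAINS = {"malwarebytes.org", "eset.com", "drweb.com", "avg.com",
                    "symantec.com", "microsoft.com"}
# Addresses that make a hostname unreachable rather than redirecting it.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs; comments and blank lines are ignored."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:
            yield ip, name.lower()


def registered_domain(hostname):
    """Crude last-two-labels domain: www.eset.com -> eset.com."""
    labels = hostname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname


def audit_hosts(text):
    """Return a list of findings, one per hostname, with a severity and reason."""
    findings = []
    for ip, name in parse_hosts(text):
        # The loopback entry for localhost is the one line every hosts file should have.
        if name in ("localhost", "localhost.localdomain") and ip in SINKHOLE_ADDRESSES:
            continue
        if registered_domain(name) in SECURITY_DOMAINS:
            findings.append({"host": name, "ip": ip, "severity": "critical",
                             "reason": "security-vendor site pinned in hosts file"})
        elif ip in SINKHOLE_ADDRESSES:
            findings.append({"host": name, "ip": ip, "severity": "info",
                             "reason": "blocked (normal for an ad-blocking hosts file)"})
        else:
            findings.append({"host": name, "ip": ip, "severity": "high",
                             "reason": "redirected to a routable address (pharming)"})
    return findings


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print("%-8s %-16s %-28s %s" % (f["severity"], f["ip"], f["host"], f["reason"]))
```

To run it against the real file, read `C:\WINDOWS\SYSTEM32\drivers\etc\hosts` into a string and pass it to `audit_hosts()`. A large MVPS-style file will produce thousands of "info" lines, which is expected; it is the "critical" and "high" findings that need a look, and the browser symptoms described at the start of the thread are exactly what a "critical" entry would produce.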
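Steps 1 to 3 of the network-monitoring procedure above (list connections per PID, map each PID to its process and, for svchost.exe, to the services it hosts, then correlate) can also be done from command-line output instead of the GUI tools. As an added example (not part of the thread, and not the helper's or Dylan's code), the script below parses constructed `netstat -ano` and `tasklist /svc` output, groups the ESTABLISHED connections by PID, and flags an svchost.exe that hosts a service name outside a small allow-list, a PID that netstat reports but tasklist does not (what a hidden process looks like from user mode), and any process talking to more than two distinct remote hosts. Both command outputs, the allow-list of service names and the service name randsvc01 are constructed for the example; note that tasklist ships with XP Professional and later, so on XP Home the same PID-to-service mapping comes from Process Explorer.

```python
"""Correlate `netstat -ano` with `tasklist /svc` to find which process, and which
services inside an svchost.exe, own the outbound connections.

Added example, not from the forum thread. Both command outputs below are
constructed for this example.
"""
import re
from collections import defaultdict

NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:1045      203.0.113.7:80         ESTABLISHED     1232
  TCP    192.168.1.10:1046      203.0.113.7:80         ESTABLISHED     1232
  TCP    192.168.1.10:1051      198.51.100.22:443      ESTABLISHED     1672
  TCP    192.168.1.10:1060      192.0.2.19:8080        ESTABLISHED     1672
  TCP    192.168.1.10:1061      192.0.2.44:8080        ESTABLISHED     1672
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed: randsvc01 is a made-up service name standing in for an unknown DLL.
TASKLIST_SAMPLE = """\
Image Name                   PID Services
========================= ====== =============================================
System                         4 N/A
svchost.exe                  904 RpcSs
firefox.exe                 1232 N/A
svchost.exe                 1672 BITS, randsvc01
"""

# Illustrative allow-list of services normally hosted by svchost.exe on XP.
# Not exhaustive: check unknown names against the machine's own Services list.
KNOWN_SVCHOST_SERVICES = {"RpcSs", "BITS", "Dnscache", "EventLog", "wuauserv",
                          "LanmanServer", "LanmanWorkstation", "Browser", "SSDPSRV"}


def parse_netstat(text):
    """Yield (proto, local, foreign, state, pid); UDP lines carry no state."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":
            yield parts[0], parts[1], parts[2], parts[3], int(parts[4])
        elif len(parts) == 4 and parts[0] == "UDP":
            yield parts[0], parts[1], parts[2], None, int(parts[3])


TASK_RE = re.compile(r"^(\S+)\s+(\d+)\s+(.*)$")


def parse_tasklist(text):
    """Return {pid: (image_name, [service names])} from `tasklist /svc` output."""
    procs = {}
    for line in text.splitlines():
        m = TASK_RE.match(line.strip())
        if not m:
            continue  # header, separator and blank lines have no PID column
        image, pid, svcs = m.group(1), int(m.group(2)), m.group(3).strip()
        services = [] if svcs == "N/A" else [s.strip() for s in svcs.split(",")]
        procs[pid] = (image, services)
    return procs


def correlate(netstat_text, tasklist_text, max_remote_hosts=2):
    """Group established connections by PID and flag the suspicious owners."""
    procs = parse_tasklist(tasklist_text)
    remote = defaultdict(set)
    for proto, local, foreign, state, pid in parse_netstat(netstat_text):
        if state == "ESTABLISHED":
            remote[pid].add(foreign.rsplit(":", 1)[0])
    report = []
    for pid, hosts in sorted(remote.items()):
        image, services = procs.get(pid, ("<unknown>", []))
        reasons = []
        if image == "<unknown>":
            reasons.append("PID not in tasklist output (hidden process?)")
        if image.lower() == "svchost.exe":
            unknown = [s for s in services if s not in KNOWN_SVCHOST_SERVICES]
            if unknown:
                reasons.append("svchost hosts unrecognised service(s): " + ", ".join(unknown))
        if len(hosts) > max_remote_hosts:
            reasons.append("talks to %d distinct remote hosts" % len(hosts))
        report.append({"pid": pid, "image": image, "services": services,
                       "remote_hosts": sorted(hosts), "reasons": reasons})
    return report


if __name__ == "__main__":
    for r in correlate(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print("PID %d %s %s -> %s" % (r["pid"], r["image"], r["services"], r["remote_hosts"]))
        for reason in r["reasons"]:
            print("    ! " + reason)
```

Run `netstat -ano > net.txt` and `tasklist /svc > tasks.txt` while the connection is busy, then pass both files' contents to `correlate()`. A flagged svchost.exe tells you which service name to look up in the Services list (and which DLL it loads) before reaching for Wireshark, which matches the order of steps the post lays out.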
