backdoor.bot keeps coming back


stu


I've done several scans and this virus keeps coming back. I've searched all over the internet and found a few posts about this, but none that are related to mine (different directories).

This virus seems to only work when I am logged on to MSN; it starts to send random messages to my contacts who are online with a link to a "fake" website.

Here's my scan log:

Malwarebytes' Anti-Malware 1.40

Database version: 2708

Windows 5.1.2600 Service Pack 3

28/08/2009 02:22:46

mbam-log-2009-08-28 (02-22-46).txt

Scan type: Quick Scan

Objects scanned: 87167

Time elapsed: 3 minute(s), 57 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\Files Driver (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


  • Root Admin

Please visit this webpage for instructions for downloading ComboFix to your DESKTOP: how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.

Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.

Additional links to download the tool:

Note:

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.


OK, this is the ComboFix log... how do I get a HijackThis log?

ComboFix 09-08-27.A0 - Stu 28/08/2009 13:10.1.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.2047.1587 [GMT 1:00]

Running from: c:\documents and settings\Stu\Desktop\ComboFix.exe

AV: avast! antivirus 4.8.1351 [VPS 090827-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

c:\documents and settings\Stu\Desktop\[TorrentReactor.to] - VA-Wigan Pier Presents Bounce----.torrent

c:\documents and settings\Stu\Desktop\[TorrentReactor.to] - VA-Wigan Pier Presents Bounce----.torrent

c:\documents and settings\Stu\Desktop\[TorrentReactor.to] - VA-Wigan Pier Presents Bounce-(2CD)(CLARKEY1269UPLOAD).torrent

c:\documents and settings\Stu\Desktop\[TorrentReactor.to] - VA-Wigan Pier Presents Bounce-(2CD)(CLARKEY1269UPLOAD).torrent

c:\program files\WinPCap

c:\program files\WinPCap\daemon_mgm.exe

c:\program files\WinPCap\INSTALL.LOG

c:\program files\WinPCap\NetMonInstaller.exe

c:\program files\WinPCap\npf_mgm.exe

c:\program files\WinPCap\rpcapd.exe

c:\program files\WinPCap\Uninstall.exe

c:\windows\Installer\156e3f2.msp

c:\windows\Installer\156e3f3.msp

c:\windows\Installer\156e3f4.msp

c:\windows\Installer\156e3f5.msp

c:\windows\Installer\156e3f6.msp

c:\windows\Installer\156e3f7.msp

c:\windows\Installer\156e3f8.msp

c:\windows\Installer\156e3f9.msp

c:\windows\Installer\156e3fa.msp

c:\windows\Installer\3dc423.msp

c:\windows\Installer\3dc424.msp

c:\windows\Installer\3dc425.msp

c:\windows\Installer\3dc426.msp

c:\windows\Installer\3dc427.msp

c:\windows\Installer\3dc428.msp

c:\windows\Installer\3dc429.msp

c:\windows\Installer\3dc42a.msp

c:\windows\Installer\3dc42b.msp

c:\windows\system32\drivers\npf.sys

c:\windows\system32\Packet.dll

c:\windows\system32\pthreadVC.dll

c:\windows\system32\tmp66.tmp

c:\windows\system32\tmp67.tmp

c:\windows\system32\WanPacket.dll

c:\windows\system32\wpcap.dll

----- BITS: Possible infected sites -----

hxxp://www.8ballclub.com

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_NPF

((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-28 )))))))))))))))))))))))))))))))

.

2009-08-28 00:43 . 2009-08-03 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-28 00:43 . 2009-08-28 00:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-08-28 00:43 . 2009-08-03 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-08-28 00:32 . 2009-08-28 00:32 -------- d-----w- c:\windows\system32\wbem\Repository

2009-08-28 00:12 . 2009-08-28 00:31 -------- d-----w- c:\documents and settings\Stu\.housecall6.6

2009-08-27 21:19 . 2009-08-27 21:19 -------- d-----w- c:\documents and settings\Stu\Application Data\Malwarebytes

2009-08-27 21:19 . 2009-08-28 00:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes(2)

2009-08-27 21:00 . 2009-08-28 00:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-08-18 14:53 . 2009-08-18 15:03 -------- d-----w- c:\documents and settings\Stu\Application Data\Winamp

2009-08-18 14:53 . 2009-08-18 14:54 -------- d-----w- c:\program files\Winamp

2009-08-16 16:47 . 2009-08-16 18:16 -------- d-----w- c:\program files\TVTool

2009-08-13 19:53 . 2009-08-13 19:53 41872 ----a-w- c:\windows\system32\xfcodec.dll

2009-08-06 18:12 . 2009-08-06 18:12 -------- d-----w- c:\program files\Microsoft ActiveSync

2009-08-06 18:11 . 2009-08-06 18:11 -------- d-----w- c:\windows\ShellNew

2009-08-06 18:08 . 2009-08-06 18:09 -------- d-----w- c:\program files\Microsoft Works

2009-08-06 18:05 . 2009-08-06 18:05 -------- d-----w- c:\program files\Microsoft Works Suite 2002

2009-08-02 12:50 . 2003-01-17 02:59 1984 ----a-w- c:\windows\system32\drivers\papycpu2.sys

2009-08-02 12:50 . 2003-01-17 02:59 1856 ----a-w- c:\windows\system32\drivers\papyjoy.sys

2009-08-02 12:48 . 2009-08-02 12:48 -------- d-----w- C:\Papyrus

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-28 12:02 . 2009-04-06 10:16 -------- d-----w- c:\program files\Xfire

2009-08-28 00:59 . 2009-04-06 10:16 -------- d-----w- c:\documents and settings\Stu\Application Data\Xfire

2009-08-28 00:38 . 2008-04-30 00:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-08-28 00:37 . 2008-09-10 16:07 -------- d-----w- c:\program files\CCleaner

2009-08-28 00:31 . 2008-04-30 00:34 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-08-27 18:29 . 2008-08-09 11:59 1324 ----a-w- c:\windows\system32\d3d9caps.dat

2009-08-27 18:29 . 2008-08-09 11:59 1100 ----a-w- c:\windows\system32\d3d8caps.dat

2009-08-21 14:31 . 2009-01-07 22:57 139072 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys

2009-08-21 14:31 . 2009-01-07 22:57 189672 ----a-w- c:\windows\system32\PnkBstrB.exe

2009-08-20 10:42 . 2008-03-08 01:23 -------- d-----w- c:\program files\Live For Speed

2009-08-17 16:10 . 2003-01-01 05:53 1279456 ----a-w- c:\windows\system32\aswBoot.exe

2009-08-17 16:06 . 2003-01-01 05:53 93392 ----a-w- c:\windows\system32\drivers\aswmon.sys

2009-08-17 16:06 . 2003-01-01 05:53 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2009-08-17 16:05 . 2008-03-30 18:26 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys

2009-08-17 16:05 . 2008-03-30 18:26 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2009-08-17 16:04 . 2003-01-01 05:53 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2009-08-17 16:04 . 2003-01-01 05:53 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2009-08-17 16:03 . 2003-01-01 05:53 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2009-08-17 16:02 . 2003-01-01 05:53 97480 ----a-w- c:\windows\system32\AvastSS.scr

2009-08-16 16:01 . 2008-03-08 12:35 8 ----a-w- c:\windows\system32\nvModes.dat

2009-08-16 15:52 . 2003-01-01 05:03 29296 ----a-w- c:\documents and settings\Stu\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-02 12:48 . 2003-01-01 05:23 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-07-23 14:30 . 2009-07-23 14:30 -------- d-----w- c:\program files\Bohemia Interactive

2009-07-22 16:05 . 2009-01-14 16:44 -------- d-----w- c:\program files\City Interactive

2009-07-20 21:52 . 2008-06-30 16:30 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-07-18 20:26 . 2009-07-18 20:24 -------- d-----w- c:\documents and settings\All Users\Application Data\BigFishGamesCache

2009-07-18 20:24 . 2009-07-18 20:24 -------- d-----w- c:\program files\bfgclient

2009-06-04 20:59 . 2009-01-07 22:57 75064 ----a-w- c:\windows\system32\PnkBstrA.exe

2009-06-03 18:05 . 2009-06-03 18:05 10134 ----a-r- c:\documents and settings\Stu\Application Data\Microsoft\Installer\{7E4B7FD9-4ECE-4298-A910-3160B7918059}\ARPPRODUCTICON.exe

2009-06-03 17:47 . 2009-06-03 17:47 126 ----a-w- c:\documents and settings\Stu\Local Settings\Application Data\fusioncache.dat

2009-06-03 17:43 . 2008-11-03 22:38 22328 ----a-w- c:\documents and settings\Stu\Application Data\PnkBstrK.sys

2009-06-03 17:43 . 2008-11-03 22:38 22328 ----a-w- c:\documents and settings\Stu\Application Data\PnkBstrK.sys

2009-06-03 17:43 . 2008-11-03 22:37 669184 ----a-w- c:\windows\system32\pbsvc.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-02-13 486856]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]

"Start WingMan Profiler"="c:\program files\Logitech\Gaming Software\LWEMon.exe" [2007-09-25 93208]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

"EPSON Stylus C42 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE" [2002-02-19 74240]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-04-30 86016]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-04-30 13750272]

"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2001-08-16 28738]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]

"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2007-04-16 577536]

"SnoopFreeUI"="SnoopFreeUI.exe" - c:\windows\SnoopFreeUI.exe [2008-10-21 221184]

"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-04-30 1657376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Stu\Start Menu\Programs\Startup\

Xfire.lnk - c:\program files\Xfire\Xfire.exe [2009-8-13 3109264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-9-2 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]

2008-05-02 01:42 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk

backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Stu^Start Menu^Programs^Startup^Xfire.lnk]

path=c:\documents and settings\Stu\Start Menu\Programs\Startup\Xfire.lnk

backup=c:\windows\pss\Xfire.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\BitComet\\BitComet.exe"=

"c:\\Program Files\\Xfire\\xfire.exe"=

"c:\\Program Files\\Atari\\Test Drive Unlimited\\TestDriveUnlimited.exe"=

"c:\\Program Files\\BearShare\\Bearshare.exe"=

"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=

"c:\\Program Files\\Live For Speed\\LFS.exe"=

"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=

"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=

"c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=

"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=

"c:\\Program Files\\Live For Speed\\CSR.exe"=

"c:\\WINDOWS\\system32\\PnkBstrA.exe"=

"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

"c:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe"=

"c:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\BitComet\\tools\\CometBrowser.exe"=

"c:\\Program Files\\Foolish Entertainment\\ATC for Battlefield 2\\atcbf2.exe"=

"c:\\Documents and Settings\\Stu\\Local Settings\\Application Data\\Dyyno Receiver\\DPPM.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\Microsoft Games\\Flight Simulator 9\\fs9.exe"=

"c:\\WINDOWS\\system32\\dpnsvr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\EA GAMES\\Battlefield 1942\\BF1942.exe"=

"c:\\Program Files\\EA GAMES\\Battlefield Vietnam\\BfVietnam.exe"=

"c:\\Program Files\\Live For Speed\\LfsRevLimiter.0.9.exe"=

"c:\\Program Files\\PhoenixRC\\phoenixRC.exe"=

"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpctr.exe"=

"c:\\Program Files\\Codemasters\\GRID\\GRID.exe"=

"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=

"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=

"c:\\Program Files\\Bohemia Interactive\\ArmA 2\\arma2.exe"=

"c:\\Papyrus\\NASCAR Racing 2003 Season\\NR2003.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"9330:TCP"= 9330:TCP:BitComet 9330 TCP

"9330:UDP"= 9330:UDP:BitComet 9330 UDP

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [3/30/2008 7:26 PM 114768]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [3/30/2008 7:26 PM 20560]

S3 BTCAMDRV;Mobiola Web Camera driver;c:\windows\system32\drivers\BTCamDrv.sys [6/30/2008 5:59 PM 219264]

S3 PsSdk30;PsSdk30;\??\c:\windows\system32\Drivers\PsSdk30.drv --> c:\windows\system32\Drivers\PsSdk30.drv [?]

S3 s1018bus;Sony Ericsson Device 1018 driver (WDM);c:\windows\system32\drivers\s1018bus.sys [5/12/2009 8:09 PM 86696]

S3 s1018mdfl;Sony Ericsson Device 1018 USB WMC Modem Filter;c:\windows\system32\drivers\s1018mdfl.sys [5/12/2009 8:09 PM 15016]

S3 s1018mdm;Sony Ericsson Device 1018 USB WMC Modem Driver;c:\windows\system32\drivers\s1018mdm.sys [5/12/2009 8:09 PM 114472]

S3 s1018mgmt;Sony Ericsson Device 1018 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s1018mgmt.sys [5/12/2009 8:09 PM 108200]

S3 s1018nd5;Sony Ericsson Device 1018 USB Ethernet Emulation (NDIS);c:\windows\system32\drivers\s1018nd5.sys [5/12/2009 8:09 PM 26024]

S3 s1018obex;Sony Ericsson Device 1018 USB WMC OBEX Interface;c:\windows\system32\drivers\s1018obex.sys [5/12/2009 8:09 PM 104616]

S3 s1018unic;Sony Ericsson Device 1018 USB Ethernet Emulation (WDM);c:\windows\system32\drivers\s1018unic.sys [5/12/2009 8:09 PM 109736]

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

HKLM-Run-NBKeyScan - c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

HKLM-Run-BVRPLiveUpdate - c:\program files\Avanquest update\Engine\Setup.exe

HKLM-Explorer_Run-VNd70NINZU - c:\documents and settings\All Users\Application Data\jsjkrebc\hylibsdg.exe

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.APEHA.ru

uInternet Connection Wizard,ShellNext = iexplore

IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm

IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm

IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm

Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\CoreFTP\pftpns.dll

FF - ProfilePath - c:\documents and settings\Stu\Application Data\Mozilla\Firefox\Profiles\cgqjz4bz.default\

FF - prefs.js: browser.startup.homepage - hxxp://google.co.uk

FF - plugin: c:\documents and settings\Stu\Application Data\Mozilla\Firefox\Profiles\cgqjz4bz.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\npBFHUpdater.dll

FF - plugin: c:\documents and settings\Stu\Application Data\Mozilla\Firefox\Profiles\cgqjz4bz.default\extensions\NPDyyno@dyyno.com\plugins\npDyyno.dll

FF - plugin: c:\program files\Dyyno\Dyyno Player\npvlc.dll

FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-28 13:16

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PsSdk30]

"ImagePath"="\??\c:\windows\system32\Drivers\PsSdk30.drv"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1659004503-1417001333-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{2E093B48-FDB5-FF38-9487-E7EFEFC897F1}*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

"iakfikadjniehiboei"=hex:6a,61,70,6b,6b,65,69,68,65,6d,6d,67,68,6c,6b,62,6c,66,

62,6a,00,ef

"hameomilhcadkipf"=hex:6a,61,70,6b,6b,65,69,68,65,6d,6d,67,68,6c,6b,62,6c,66,

62,6a,00,ef

[HKEY_USERS\S-1-5-21-1659004503-1417001333-725345543-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"??"=hex:f4,a6,b1,44,9e,b1,7a,29,4a,20,b8,61,a9,b4,16,00,99,89,44,ab,6f,9e,3f,

f5,85,8e,31,f5,24,13,ba,82,22,42,30,c2,3e,ae,37,03,3b,05,fd,40,16,f9,8c,4f,\

"??"=hex:59,e5,97,70,47,08,a5,1e,f6,13,83,cc,52,0d,a6,6c

[HKEY_USERS\S-1-5-21-1659004503-1417001333-725345543-1004\Software\SecuROM\License information*]

"datasecu"=hex:41,4d,94,5e,cf,da,b1,4d,13,06,d6,48,80,17,c1,ca,2c,65,68,f2,1d,

32,70,a0,70,93,d5,98,59,87,a7,3c,45,6c,73,fb,57,07,4c,50,27,b6,4a,df,79,00,\

"rkeysecu"=hex:01,a8,a3,d0,1c,32,b3,d5,ab,e9,a0,17,12,71,11,ec

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{2E093B48-FDB5-FF38-9487-E7EFEFC897F1}\InProcServer32*]

"faifkifdppmg"=hex:70,61,70,6b,6e,61,6b,63,6e,68,6d,63,61,67,6f,64,70,6f,63,66,

6c,63,6e,69,66,68,68,62,65,64,65,65,00,00

"naifeipndhnplhdfmpdcacohnmhc"=hex:64,62,70,65,64,6a,65,63,68,69,69,6b,62,66,

61,6b,6d,64,63,64,70,62,66,6e,6e,63,68,6b,6f,6c,6b,6e,6e,67,62,64,69,6d,69,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\a61ad301-8580-f5a9-f042-b648e62ea20]

@Denied: (Full) (AuthenticatedUsers)

@Denied: (Full) (Administrators)

"1ug8f6ku2x9in"=hex:61,61,65,35,32,31,30,34,2d,66,66,63,39,2d,34,32,36,38,2d,

38,33,35,65,2d,37,64,32,61,63,65,37,35,33,64,38,65

"1ba9x06spuo94"=hex:65,00,00,00,f8,00,00,00,9b,0b,ea,fb,73,74,75,32,6b,38,00,

00,00,00,00,00,00,00,00,00,04,21,e5,aa,c9,ff,68,42,83,5e,7d,2a,ce,75,3d,8e,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(716)

c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

c:\program files\common files\logishrd\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(2880)

c:\windows\system32\nview.dll

c:\windows\system32\NVWRSENG.DLL

c:\windows\SnoopFreeDll.dll

c:\program files\Xfire\xfire_toucan_38751.dll

c:\program files\Logitech\SetPoint\GameHook.dll

c:\program files\Logitech\SetPoint\lgscroll.dll

c:\windows\system32\nvwddi.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\nvsvc32.exe

c:\program files\Alwil Software\Avast4\aswUpdSv.exe

c:\program files\Alwil Software\Avast4\ashServ.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\PnkBstrA.exe

c:\windows\system32\PnkBstrB.exe

c:\windows\system32\SnoopFreeSvc.exe

c:\windows\system32\rundll32.exe

c:\windows\system32\rundll32.exe

c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exe

c:\program files\Alwil Software\Avast4\ashMaiSv.exe

c:\program files\Alwil Software\Avast4\ashWebSv.exe

c:\windows\system32\wscntfy.exe

c:\program files\Windows Live\Contacts\wlcomm.exe

.

**************************************************************************

.

Completion time: 2009-08-28 13:21 - machine was rebooted

ComboFix-quarantined-files.txt 2009-08-28 12:21

Pre-Run: 74,035,073,024 bytes free

Post-Run: 73,911,894,016 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

313 --- E O F --- 2008-03-08 01:05

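A defender-side triage of the autostart entries in a ComboFix log such as the one above, as an added example that is not part of the original thread and not code from ComboFix or Malwarebytes. It assumes only the line formats visible in the Reg Loading Points and ORPHANS REMOVED sections; the scoring weights, the looks_generated heuristic and the SAMPLE_LOG lines are this example's own constructions.

```python
"""Triage autostart entries from a ComboFix-style log (added example; not code
from the original posts, ComboFix or Malwarebytes)."""
import re
from dataclasses import dataclass, field

# Constructed sample: a few lines modelled on the ComboFix log above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-04-30 1657376]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
- - - - ORPHANS REMOVED - - - -
HKLM-Run-NBKeyScan - c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
HKLM-Explorer_Run-VNd70NINZU - c:\documents and settings\All Users\Application Data\jsjkrebc\hylibsdg.exe
"""

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
# "Name"="value" [date size]  or  "Name"="file.exe" - c:\resolved\path [date size]
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"'
                      r"(?: - (?P<resolved>.+?))? \[\d{4}-\d{2}-\d{2} \d+\]$")
# HKLM-Run-Name - c:\path\to\target.exe
ORPHAN_RE = re.compile(r"^(?P<key>HK\w+-\w+)-(?P<name>\S+) - (?P<path>.+)$")
# Folders an ordinary XP user can write to; legitimate autostarts rarely live there.
USER_WRITABLE = ("c:\\documents and settings\\", "\\application data\\",
                 "\\local settings\\", "\\temp\\")


@dataclass
class Autostart:
    key: str
    name: str
    path: str
    orphan: bool = False
    reasons: list = field(default_factory=list)
    score: int = 0

    @property
    def verdict(self):
        return "suspicious" if self.score >= 3 else "review" if self.score else "ok"


def looks_generated(token):
    """Crude name test: a long alphanumeric token with digits wedged between letters,
    or with almost no vowels (y counts, so system32 passes). Confirm by hand."""
    t = token.lower()
    if len(t) < 8 or not t.isalnum():
        return False
    if re.search(r"[a-z]\d+[a-z]", t):
        return True
    letters = [c for c in t if c.isalpha()]
    return bool(letters) and sum(c in "aeiouy" for c in letters) / len(letters) < 0.2


def parse_autostarts(text):
    """Collect Run-key values and ORPHANS REMOVED lines into Autostart records."""
    entries, current_key, in_orphans = [], None, False
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("- - - - ORPHANS REMOVED"):
            in_orphans = True
            continue
        m = KEY_RE.match(line)
        if m:
            current_key, in_orphans = m.group(1), False
            continue
        if in_orphans:
            m = ORPHAN_RE.match(line)
            if m:
                entries.append(Autostart(m["key"], m["name"], m["path"], orphan=True))
            continue
        m = VALUE_RE.match(line)
        if m and current_key:
            entries.append(Autostart(current_key, m["name"], m["resolved"] or m["value"]))
    return entries


def triage(entry):
    """Attach weighted reasons to one entry; the weights are this example's own choice."""
    checks = []
    if entry.orphan:
        checks.append((1, "listed under ORPHANS REMOVED (autostart whose target was gone)"))
    if any(marker in entry.path.lower() for marker in USER_WRITABLE):
        checks.append((2, "target lives in a user-writable folder"))
    parts = entry.path.replace("/", "\\").split("\\")
    stem, parent = parts[-1].rsplit(".", 1)[0], (parts[-2] if len(parts) > 1 else "")
    for token in (entry.name, parent, stem):
        if looks_generated(token):
            checks.append((2, f"machine-generated-looking name: {token}"))
    entry.score = sum(weight for weight, _ in checks)
    entry.reasons = [text for _, text in checks]
    return entry


def triage_log(text):
    return [triage(e) for e in parse_autostarts(text)]
```

The orphaned Explorer_Run entry pointing into a randomly named Application Data folder scores highest, while NBKeyScan, orphaned but sitting in Program Files, only earns a review.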

  • Root Admin

STEP 01

Disable the Spybot Tea Timer - DO NOT continue until you've disabled the Tea Timer

Disable Teatimer

First step:

  • Right-click the Spybot icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
  • If you have the new version 1.5, click once on Resident Protection, then right-click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System Tray should now be colorless.
  • If you have Version 1.4, click on Exit Spybot S&D Resident

Second step, for either version:
  • Open Spybot S&D
  • Click Mode, choose Advanced Mode
  • Go to the bottom of the vertical panel on the left, click Tools
  • Then, also in the left panel, click Resident (shows a red/white shield).
  • If your firewall raises a question, say OK
  • In the Resident protection status frame, uncheck the box labeled Resident "Tea-Timer" (Protection of over-all system settings) active
  • OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.

STEP 02

Download but do not yet run ComboFix

If you have a previous version of Combofix.exe, delete it and download a fresh copy.

Download it to your DESKTOP - it MUST run from the Desktop

download.bleepingcomputer.com/sUBs/ComboFix.exe

subs.geekstogo.com/ComboFix.exe

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines

KILLALL::
Driver::
PsSdk30
File::
c:\windows\system32\Drivers\PsSdk30.drv
Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PsSdk30]
RegLock::
[HKEY_USERS\S-1-5-21-1659004503-1417001333-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{2E093B48-FDB5-FF38-9487-E7EFEFC897F1}*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{2E093B48-FDB5-FF38-9487-E7EFEFC897F1}\InProcServer32*]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\a61ad301-8580-f5a9-f042-b648e62ea20]
Regnull::
[HKEY_USERS\S-1-5-21-1659004503-1417001333-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{2E093B48-FDB5-FF38-9487-E7EFEFC897F1}*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{2E093B48-FDB5-FF38-9487-E7EFEFC897F1}\InProcServer32*]

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:

CFScript.gif

  • Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • Disconnect from the Internet.
  • Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  • A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
  • It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed.
  • When the scan completes Notepad will open with your results log open. Do a File, Exit.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post back the Combofix log on your next reply.

STEP 03

Download and install CCleaner

  • CCleaner
  • Double-click on the downloaded file "ccsetup222_slim.exe" and install the application.
  • Keep the default installation folder "C:\Program Files\CCleaner"
  • Click finish when done and close ALL PROGRAMS
  • Start the CCleaner program.
  • Click on Registry and Uncheck Registry Integrity so that it does not run (basically the very top, uncheck it)
  • Click on Options - Advanced and Uncheck "Only delete files in Windows Temp folders older than 48 hours"
  • Click back to Cleaner and under SYSTEM uncheck the Memory Dumps and Windows Log Files
  • Click on Run Cleaner button on the bottom right side of the program.
  • Click OK to any prompts

STEP 04

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must right-click and choose Run As Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to; you MUST run it in normal Windows mode.
  • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then post back the MBAM log and a new Hijackthis log.

Link to post
Share on other sites

OK, I just did another scan with Malwarebytes and it has deleted it completely... but this time the scan results came with more than one virus... maybe this has sorted it out. I've been logged on to MSN for the past few hours now and no messages have been sent to any of my contacts.

Thanks for your help :)


  • Root Admin

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.
