
rootkit cleanup



malwarebytes 1.4.1 does not complete cleanup of rootkit.tdss

infection reappears after cleaning and reboot

mbam log (does not show removal - would have required reboot, done multiple times before)

Malwarebytes' Anti-Malware 1.41

Database version: 2830

Windows 5.1.2600 Service Pack 3

9/20/2009 10:17:27 AM

mbam-log-2009-09-20 (10-17-27).txt

Scan type: Quick Scan

Objects scanned: 103496

Time elapsed: 7 minute(s), 41 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

\\?\globalroot\Device\Ide\iaStor0\ohhrvmba\ohhrvmba\tdlwsp.dll (Rootkit.TDSS) -> Delete on reboot.

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

\\?\globalroot\Device\Ide\iaStor0\ohhrvmba\ohhrvmba\tdlwsp.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

HJT log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:23:50 AM, on 9/20/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\cisvc.exe

C:\WINDOWS\System32\CTsvcCDA.exe

C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Documents and Settings\Dad\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\Scriptcl.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O2 - BHO: HttpWatch Basic - {F1F69322-008F-4895-B2BF-AD194219825A} - C:\Program Files\HttpWatch\httpwatchsc.dll

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: HttpWatch Basic - {D103E85B-5D67-42c1-8C83-F01079DBAB26} - C:\Program Files\HttpWatch\httpwatch.dll

O9 - Extra 'Tools' menuitem: HttpWatch Basic - {D103E85B-5D67-42c1-8C83-F01079DBAB26} - C:\Program Files\HttpWatch\httpwatch.dll

O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware player\vsocklib.dll

O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware player\vsocklib.dll

O16 - DPF: 55963676-2F5E-4BAF-AC28-CF26AA587566 - vpnweb.cab

O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB

O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab

O16 - DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} (Scanner.SysScanner) - http://i.dell.com/images/global/js/scanner/SysProExe.cab

O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {D7208880-9B7A-43E1-AABB-8C888A5704F9} (NetCamPlayerWeb11gv2 Control) - http://192.168.1.120/NetCamPlayerWeb11gv2.cab

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe

O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files\WinPcap\rpcapd.exe

--

End of file - 7064 bytes

any help appreciated..

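As an added example (not code from the original thread or from Malwarebytes, HijackThis or ComboFix), a small Python triage script that scans lines in the formats pasted in this thread for the three things the replies turn on: an MBAM detection under a hidden \\?\globalroot device path that could only be scheduled for deletion on reboot, browser add-on entries whose file is gone, and services that msconfig has unchecked. The sample log inside it is constructed from lines in this thread, and the set of services it treats as critical is an assumption of the example.

```python
import re

# Constructed sample: a few lines modelled on the MBAM, HijackThis and
# ComboFix output pasted in this thread (not a complete log).
SAMPLE_LOG = r"""
Memory Modules Infected:
\\?\globalroot\Device\Ide\iaStor0\ohhrvmba\ohhrvmba\tdlwsp.dll (Rootkit.TDSS) -> Delete on reboot.
Files Infected:
\\?\globalroot\Device\Ide\iaStor0\ohhrvmba\ohhrvmba\tdlwsp.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"winmgmt"=2 (0x2)
"Themes"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"LXCDCATS"=rundll32 \3\LXCDtime.dll,_RunDLLEntry@16
"""

# MBAM result line: <path> (<detection name>) -> <action>.
MBAM_LINE = re.compile(r"^(?P<path>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")
# HijackThis / DDS entry whose referenced file no longer exists.
ORPHAN_LINE = re.compile(r"-\s*(?:\(no file\)|no file)\s*$", re.IGNORECASE)
# "<name>"=<start type> entries inside a REGEDIT4-style section.
MSCONFIG_LINE = re.compile(r'^"(?P<name>[^"]+)"=(?P<start>\d+)')
# \\?\globalroot\Device\... paths bypass the drive-letter namespace; MBAM
# reporting the module there is the hidden-device symptom of this thread.
HIDDEN_PREFIX = "\\\\?\\globalroot\\device\\"
# Services a helper will ask about when msconfig has them unchecked.
# Assumption of this example, not a list taken from any of the tools.
CRITICAL_SERVICES = {"winmgmt", "wuauserv", "BITS"}
# SERVICE_AUTO_START / SERVICE_DEMAND_START as stored by msconfig.
START_TYPES = {2: "Automatic", 3: "Manual"}


def parse_mbam_detections(text):
    """Return every MBAM detection line as {path, name, action}."""
    found = []
    for line in text.splitlines():
        m = MBAM_LINE.match(line.strip())
        if m:
            found.append(m.groupdict())
    return found


def is_hidden_device_path(path):
    return path.lower().startswith(HIDDEN_PREFIX)


def orphaned_entries(text):
    """Add-on, toolbar and button entries that point at a missing file."""
    return [line.strip() for line in text.splitlines() if ORPHAN_LINE.search(line)]


def msconfig_disabled_services(text):
    """Services listed under the msconfig\\services key.

    msconfig keeps that key for services it has unchecked; the value is the
    start type it would restore (2 = Automatic, 3 = Manual).
    """
    disabled, in_section = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower().endswith("msconfig\\services]")
            continue
        m = MSCONFIG_LINE.match(line) if in_section else None
        if m:
            disabled[m.group("name")] = int(m.group("start"))
    return disabled


def triage(text):
    """Summarise the indicators the replies in this thread act on."""
    pending = [d["path"] for d in parse_mbam_detections(text)
               if "delete on reboot" in d["action"].lower()
               and is_hidden_device_path(d["path"])]
    disabled = msconfig_disabled_services(text)
    return {
        "reboot_pending_hidden": pending,
        "orphaned_entries": orphaned_entries(text),
        "msconfig_disabled": disabled,
        "critical_disabled": sorted(n for n in disabled if n in CRITICAL_SERVICES),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for path in report["reboot_pending_hidden"]:
        print("hidden-device module still scheduled for reboot deletion:", path)
    for entry in report["orphaned_entries"]:
        print("orphaned add-on entry:", entry)
    for name, start in report["msconfig_disabled"].items():
        flag = " <-- critical" if name in CRITICAL_SERVICES else ""
        print(f"msconfig-disabled service {name} (was {START_TYPES.get(start, start)}){flag}")
```

A "Delete on reboot" entry under a globalroot device path that is back after the reboot is the pattern the opening post describes: the file is held by something that also survives the restart, which is why the helper moves on to GMER and ComboFix rather than re-running the scan.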


I shall require some extra logs from you.

=================================

Downloads and Reports Required:

=================================

Before scanning, make sure all other running programs are closed

There shouldn't be any scheduled antivirus scans running while the scan is being performed.

Do not use your computer for anything else during the scan.

====

DDS:

====


Download DDS and save it to your desktop from here or here or here.

Disable any script blocker, and then double click dds.scr to run the tool.

  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt

  • Save both reports to your desktop.

=====

GMER:

=====


Download GMER Rootkit Scanner from here or here.

  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...say NO.
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and uncheck the Show all box.
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.

**Caution**

Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

===========================

How the logs should be furnished:

===========================

Copy/Paste the contents of 'DDS.txt' to be posted as text to your post

The other two logs ...

* attach.txt

* gmer.txt

... should be zipped/archived before attaching to the post


DDS got errors when run - along the lines of 'not enough main memory to sort' (about 6 times)

DDS (Ver_09-07-30.01) - NTFSx86

Run by Dad at 10:47:36.73 on Tue 09/22/2009

Internet Explorer: 8.0.6001.18702

============== Running Processes ===============

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

mSearchAssistant = hxxp://www.google.com/ie

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll

BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: HttpWatch Basic: {f1f69322-008f-4895-b2bf-ad194219825a} - c:\program files\httpwatch\httpwatchsc.dll

TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File

EB: HttpWatch Basic: {2b4c4770-27fd-4a09-b17d-33ca580965fb} - c:\program files\httpwatch\httpwatch.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto

mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

uPolicies-explorer: NoThemesTab = 0 (0x0)

uPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)

uPolicies-system: NoColorChoice = 0 (0x0)

uPolicies-system: NoSizeChoice = 0 (0x0)

uPolicies-system: NoVisualStyleChoice = 0 (0x0)

uPolicies-system: NoDispSettingsPage = 0 (0x0)

uPolicies-system: NoDispAppearancePage = 0 (0x0)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}

IE: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL

IE: {D103E85B-5D67-42c1-8C83-F01079DBAB26} - {2B4C4770-27FD-4A09-B17D-33CA580965FB} - c:\program files\httpwatch\httpwatch.dll

LSP: c:\program files\vmware\vmware player\vsocklib.dll

DPF: 55963676-2F5E-4BAF-AC28-CF26AA587566 - vpnweb.cab

DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB

DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/d/c/8/dc8362b3-f410-4e7d-b672-209d6bd8fcea/OGAControl.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab

DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://download.ewido.net/ewidoOnlineScan.cab

DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} - hxxp://i.dell.com/images/global/js/scanner/SysProExe.cab

DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab

DPF: {4B48D5DF-9021-45F7-A240-60304302A215} - hxxp://download.microsoft.com/download/b/d/b/bdb4e4ee-63b2-45ff-9d84-33205bf43143/WebCleaner.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab

DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab

DPF: {CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-1_3_1_02-win.cab

DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab

DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {D7208880-9B7A-43E1-AABB-8C888A5704F9} - hxxp://192.168.1.120/NetCamPlayerWeb11gv2.cab

Notify: AtiExtEvent - Ati2evxx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath -

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

============= SERVICES / DRIVERS ===============

=============== Created Last 30 ================

==================== Find3M ====================

2008-08-14 21:13 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008081420080815\index.dat

============= FINISH: 10:49:58.84 ===============

other logs attached

Attach.zip


DDS got errors when run - along the lines of 'not enough main memory to sort' (about 6 times)

That's okay. The rootkit is interfering with memory.

Please do this ...

Open NOTEPAD.exe and copy/paste the text in the quotebox below into it:

@ECHO OFF
DEL %0

Save this as peek.bat. Choose to "Save type as - All Files".

It should look like this: [image: bat_icon.gif]

Double click on peek.bat & allow it to run

Post back to tell me what it says


Hmm ... this gets interesting. The rootkit isn't showing itself. Let's try digging it out using some other means.

Let's try running some variations of the GMER scan.

-----------

Launch GMER and in the right panel, untick all except the following:

  • Modules
  • Processes
  • Libraries
  • Services
  • Show All

Then click the scan button & show me the log it produces.

------------

2nd GMER Scan

At the top of the GMER interface, click the [>>>] button to reveal the hidden tabs.

Select Registry

Then navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services

Highlight the Services button and click the Export button located on the upper right to save a log.

The log is huge and cannot be posted. You need to zip it and attach to the next reply.


Service C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) [DISABLED] winmgmt

Winmgmt is an important service. You shouldn't have disabled it.

--------------

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Download & save ComboFix to your Desktop but don't run it yet

Open NOTEPAD and copy/paste the text in the quotebox below into it:

DRIVER::
Abel
b5f24
vnmcxjkipmpdripx
COLLECT::
C:\WINDOWS\system32\b5f24.sys
C:\Windows\system32\drivers\vnmcxjkipmpdripx.sys

Save this as "CFScript"

[image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt.


I didn't disable winmgmt

McAfee uninstalled at this point

downloaded ComboFix, created script, dragged onto app

got the 'open files security warning' clicked run

never got the CMD window showing 'preparing to run'

got a small gray box with a solid blue bar titled 'combofix'

sat for about 10 minutes, box went away, then got a msg 'windows cannot open nircmd.cfxxe' doesn't know program that created it

thought I'd lost control, so opened Task Manager (it took minutes to open) - system at 100%

no log file created

appreciate the help


'windows cannot open nircmd.cfxxe'

Trouble with some security programs is that despite Owners disabling them, they aren't truly disabled. Only the GUI interface gets silenced but the real meat of the security continues running silently in the background. Please run ComboFix from Safe Mode. If that fails, we shall need to temporarily uninstall McAfee.


ComboFix 09-09-22.01 - Dad 09/22/2009 16:21.1.2 - NTFSx86 NETWORK

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1534.1171 [GMT -4:00]

Running from: c:\documents and settings\Dad\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Dad\Desktop\CFScript.txt

file zipped: c:\windows\system32\b5f24.sys

.

PEV Error: PersonalFolder

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Dad\Application Data\Install.dat

c:\windows\Installer\20b55b8c.msi

c:\windows\run.log

c:\windows\system32\b5f24.sys

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_ABEL

-------\Legacy_B5F24

-------\Service_Abel

-------\Service_b5f24

-------\Service_vnmcxjkipmpdripx

((((((((((((((((((((((((( Files Created from 2009-08-22 to 2009-09-22 )))))))))))))))))))))))))))))))

.

2009-12-15 08:17 . 2009-12-15 08:17 -------- d-----w- c:\windows\system32\XPSViewer

2009-12-15 08:16 . 2009-12-15 08:16 -------- d-----w- c:\program files\Reference Assemblies

2009-12-15 08:15 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll

2009-12-15 08:15 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll

2009-12-15 08:15 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe

2009-12-15 08:15 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll

2009-12-15 08:15 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll

2009-12-15 08:15 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll

2009-12-15 08:15 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll

2009-12-15 08:15 . 2009-12-15 08:16 -------- d-----w- C:\755532b08fbbb7a16e5aafc41fbd

2009-09-18 17:15 . 2009-09-18 17:15 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2009-09-18 16:24 . 2009-09-18 16:31 15 ----a-w- c:\documents and settings\Dad\settings.dat

2009-09-18 15:23 . 2009-09-18 15:23 664 ----a-w- c:\windows\system32\d3d9caps.dat

2009-09-18 02:27 . 2006-11-17 07:06 1495552 ----a-w- c:\windows\system32\epoPGPsdk.dll

2009-09-15 13:13 . 2009-09-15 13:14 -------- d-----w- c:\program files\Wireshark

2009-09-09 09:02 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-12-15 08:17 . 2008-10-30 03:56 -------- d-----w- c:\program files\MSBuild

2009-09-22 19:43 . 2004-07-29 19:06 288 ----a-w- c:\windows\system32\DVCStateBkp-{00000004-00000000-00000002-00001102-00000004-10031102}.dat

2009-09-22 19:43 . 2004-07-29 19:06 288 ----a-w- c:\windows\system32\DVCState-{00000004-00000000-00000002-00001102-00000004-10031102}.dat

2009-09-22 14:40 . 2005-08-15 03:42 -------- d-----w- c:\program files\Network Associates

2009-09-22 14:40 . 2005-08-15 03:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Network Associates

2009-09-18 19:27 . 2004-07-29 18:58 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-09-18 19:18 . 2007-07-17 00:32 -------- d-----w- c:\program files\GoFTP

2009-09-18 18:34 . 2007-03-11 12:32 -------- d-----w- c:\documents and settings\All Users\Application Data\VMware

2009-09-18 18:31 . 2009-06-26 13:07 -------- d-----w- c:\program files\Password Safe

2009-09-18 17:38 . 2007-03-11 12:35 -------- d-----w- c:\documents and settings\LocalService\Application Data\VMware

2009-09-18 13:18 . 2009-01-17 14:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-18 03:16 . 2009-06-23 13:37 89084 ---ha-w- c:\windows\system32\mlfcache.dat

2009-09-18 02:29 . 2008-06-06 19:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater

2009-09-17 16:42 . 2005-08-29 03:07 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-09-16 15:27 . 2004-07-29 19:13 109440 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-09-16 15:20 . 2008-10-30 03:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2009-09-16 15:16 . 2008-10-30 03:57 -------- d-----w- c:\program files\Microsoft Works

2009-09-15 13:52 . 2009-01-15 15:23 -------- d-----w- c:\documents and settings\Dad\Application Data\Wireshark

2009-09-15 13:14 . 2006-01-11 11:21 -------- d-----w- c:\program files\WinPcap

2009-09-10 18:54 . 2009-01-17 14:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-10 18:53 . 2009-01-17 14:24 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-10 07:14 . 2008-02-01 00:53 -------- d-----w- c:\program files\Microsoft Silverlight

2009-08-19 16:48 . 2009-08-19 16:41 -------- d-----w- c:\documents and settings\Dad\Application Data\ArcSoft

2009-08-19 16:41 . 2009-08-19 16:41 -------- d-----w- c:\program files\JMicron

2009-08-19 16:40 . 2009-08-19 16:40 -------- d-----w- c:\program files\ArcSoft

2009-08-12 17:51 . 2009-08-12 17:51 -------- d-----w- c:\program files\MSN Messenger

2009-08-10 18:03 . 2009-08-10 18:02 -------- d-----w- c:\documents and settings\Dad\Application Data\MSN6

2009-08-10 18:02 . 2009-08-10 18:02 -------- d-----w- c:\documents and settings\All Users\Application Data\MSN6

2009-08-10 17:14 . 2009-08-10 17:13 -------- d-----w- c:\program files\SecurID Software Token

2009-08-06 13:56 . 2009-04-02 00:12 -------- d-----w- c:\program files\Cisco Systems

2009-08-06 12:38 . 2009-08-06 12:38 -------- d-----w- c:\program files\Common Files\Deterministic Networks

2009-08-05 10:22 . 2005-09-09 17:34 -------- d-----w- c:\program files\Common Files\Adobe

2009-08-05 09:01 . 2002-12-12 05:14 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-07-17 19:01 . 2004-03-19 22:33 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-14 03:43 . 2005-08-15 03:33 286208 ----a-w- c:\windows\system32\wmpdxm.dll

2009-07-03 17:09 . 2004-02-06 23:05 915456 ----a-w- c:\windows\system32\wininet.dll

2009-06-25 08:25 . 2004-03-30 01:48 730112 ----a-w- c:\windows\system32\lsasrv.dll

2009-06-25 08:25 . 2004-03-30 01:48 147456 ----a-w- c:\windows\system32\schannel.dll

2009-06-25 08:25 . 2004-03-19 22:44 54272 ----a-w- c:\windows\system32\wdigest.dll

2009-06-25 08:25 . 2004-03-19 22:42 56832 ----a-w- c:\windows\system32\secur32.dll

2009-06-25 08:25 . 2004-03-19 22:40 136192 ----a-w- c:\windows\system32\msv1_0.dll

2009-06-25 08:25 . 2004-03-19 22:38 301568 ----a-w- c:\windows\system32\kerberos.dll

2009-02-19 17:23 . 2009-02-21 05:23 44 ---h--w- c:\program files\0eaed41c.tmp

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-14 169984]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Desktop Firewall Tray.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Desktop Firewall Tray.lnk

backup=c:\windows\pss\McAfee Desktop Firewall Tray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TotalMedia Backup Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\TotalMedia Backup Monitor.lnk

backup=c:\windows\pss\TotalMedia Backup Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk

backup=c:\windows\pss\VPN Client.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Dad^Start Menu^Programs^Startup^Adobe Gamma.lnk]

path=c:\documents and settings\Dad\Start Menu\Programs\Startup\Adobe Gamma.lnk

backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Dad^Start Menu^Programs^Startup^JMicron Button Manager.lnk]

path=c:\documents and settings\Dad\Start Menu\Programs\Startup\JMicron Button Manager.lnk

backup=c:\windows\pss\JMicron Button Manager.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Dad^Start Menu^Programs^Startup^Password Safe.lnk]

path=c:\documents and settings\Dad\Start Menu\Programs\Startup\Password Safe.lnk

backup=c:\windows\pss\Password Safe.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"wuauserv"=2 (0x2)

"WMPNetworkSvc"=3 (0x3)

"WmiApSrv"=3 (0x3)

"Wmi"=3 (0x3)

"WmdmPmSN"=3 (0x3)

"WMDM PMSP Service"=2 (0x2)

"winmgmt"=2 (0x2)

"WebClient"=2 (0x2)

"w32time"=2 (0x2)

"VSS"=3 (0x3)

"VMware NAT Service"=2 (0x2)

"VMnetDHCP"=2 (0x2)

"VMAuthdService"=2 (0x2)

"usnjsvc"=3 (0x3)

"UPS"=3 (0x3)

"ufad-ws60"=3 (0x3)

"TrkWks"=2 (0x2)

"Themes"=2 (0x2)

"TermService"=3 (0x3)

"Tenable Nessus"=2 (0x2)

"TapiSrv"=3 (0x3)

"SwPrv"=3 (0x3)

"Spooler"=2 (0x2)

"Schedule"=2 (0x2)

"RSVP"=3 (0x3)

"RemoteRegistry"=2 (0x2)

"RDSessMgr"=3 (0x3)

"RasMan"=3 (0x3)

"RasAuto"=3 (0x3)

"ose"=3 (0x3)

"odserv"=3 (0x3)

"NtmsSvc"=3 (0x3)

"MSDTC"=3 (0x3)

"mnmsrvc"=3 (0x3)

"McTaskManager"=2 (0x2)

"McShield"=2 (0x2)

"McAfeeFramework"=2 (0x2)

"lxcd_device"=3 (0x3)

"ImapiService"=3 (0x3)

"idsvc"=3 (0x3)

"HidServ"=2 (0x2)

"helpsvc"=2 (0x2)

"gusvc"=2 (0x2)

"gupdate1c98c8448629ce6"=2 (0x2)

"FireSvc"=2 (0x2)

"Fax"=2 (0x2)

"CVPND"=2 (0x2)

"CiscoVpnInstallService"=2 (0x2)

"Bonjour Service"=2 (0x2)

"BITS"=2 (0x2)

"Apple Mobile Device"=2 (0x2)

"Adobe LM Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"LXCDCATS"=rundll32 \3\LXCDtime.dll,_RunDLLEntry@16

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\SkillSoft\\jre\\bin\\javaw.exe"=

"c:\\WINDOWS\\SYSTEM32\\lxcdcoms.exe"=

"c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\lxcdPSWX.EXE"=

"c:\\Program Files\\ViaVoice\\Bin\\engine.exe"=

"c:\\Program Files\\ViaVoice\\Bin\\audmig.exe"=

"c:\\Program Files\\ViaVoice\\Bin\\speechbar.exe"=

"c:\\Program Files\\ViaVoice\\Bin\\smart.exe"=

"c:\\Program Files\\ViaVoice\\Bin\\userwiz.exe"=

"c:\\Program Files\\ViaVoice\\Bin\\ewiz.exe"=

"c:\\Program Files\\ViaVoice\\Bin\\vocabexp.exe"=

"c:\\Program Files\\ViaVoice\\Bin\\msaadmn.exe"=

"c:\\Program Files\\ViaVoice\\Bin\\navcentral.exe"=

"c:\\Program Files\\ViaVoice\\Bin\\voicepad.exe"=

"c:\\Program Files\\ViaVoice\\Bin\\vtperdic.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\ViaVoice\\Bin\\whatcanisay.exe"=

"c:\\Program Files\\VMware\\VMware Player\\vmware-authd.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"c:\\Program Files\\MSN Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"135:TCP"= 135:TCP:TCP Port 135

"5000:TCP"= 5000:TCP:TCP Port 5000

"5001:TCP"= 5001:TCP:*:Disabled:TCP Port 5001

"5002:TCP"= 5002:TCP:*:Disabled:TCP Port 5002

"5003:TCP"= 5003:TCP:*:Disabled:TCP Port 5003

"5004:TCP"= 5004:TCP:*:Disabled:TCP Port 5004

"5005:TCP"= 5005:TCP:*:Disabled:TCP Port 5005

"5006:TCP"= 5006:TCP:*:Disabled:TCP Port 5006

"5007:TCP"= 5007:TCP:*:Disabled:TCP Port 5007

"5008:TCP"= 5008:TCP:*:Disabled:TCP Port 5008

"5009:TCP"= 5009:TCP:*:Disabled:TCP Port 5009

"5010:TCP"= 5010:TCP:*:Disabled:TCP Port 5010

"5011:TCP"= 5011:TCP:*:Disabled:TCP Port 5011

"5012:TCP"= 5012:TCP:*:Disabled:TCP Port 5012

"5013:TCP"= 5013:TCP:*:Disabled:TCP Port 5013

"5014:TCP"= 5014:TCP:*:Disabled:TCP Port 5014

"5015:TCP"= 5015:TCP:*:Disabled:TCP Port 5015

"5016:TCP"= 5016:TCP:*:Disabled:TCP Port 5016

"5017:TCP"= 5017:TCP:*:Disabled:TCP Port 5017

"5018:TCP"= 5018:TCP:*:Disabled:TCP Port 5018

"5019:TCP"= 5019:TCP:*:Disabled:TCP Port 5019

"5020:TCP"= 5020:TCP:*:Disabled:TCP Port 5020

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]

"AllowInboundEchoRequest"= 1 (0x1)

R2 vmci;VMware vmci;c:\windows\SYSTEM32\DRIVERS\vmci.sys [9/18/2008 11:06 PM 54960]

S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]

S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [8/1/2008 8:59 AM 31592]

S3 NPF;NetGroup Packet Filter Driver;c:\windows\SYSTEM32\DRIVERS\npf.sys [12/23/2008 11:35 AM 50704]

S3 PsSdk41;PsSdk41;c:\windows\SYSTEM32\DRIVERS\pssdk41.sys [2/13/2009 7:50 AM 36928]

S3 vpnva;Cisco AnyConnect VPN Virtual Miniport Adapter for Windows;c:\windows\system32\DRIVERS\vpnva.sys --> c:\windows\system32\DRIVERS\vpnva.sys [?]

S4 CiscoVpnInstallService;Cisco Systems, Inc. Installer service;c:\docume~1\Dad\LOCALS~1\Temp\INSTAL~1.EXE --> c:\docume~1\Dad\LOCALS~1\Temp\INSTAL~1.EXE [?]

S4 gupdate1c98c8448629ce6;Google Update Service (gupdate1c98c8448629ce6);c:\program files\Google\Update\GoogleUpdate.exe [2/11/2009 4:06 PM 133104]

S4 Tenable Nessus;Tenable Nessus;c:\program files\Tenable\Nessus\nessusd.exe [7/31/2008 5:16 PM 13312]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Contents of the 'Scheduled Tasks' folder

2009-09-15 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-09-18 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-06-06 12:11]

2009-09-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-11 20:06]

2009-09-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-11 20:06]

2009-09-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2777565657-1593043325-674389114-1006Core.job

- c:\documents and settings\Dad\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-05 00:17]

2009-09-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2777565657-1593043325-674389114-1006UA.job

- c:\documents and settings\Dad\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-05 00:17]

2005-08-16 c:\windows\Tasks\ISP signup reminder 1.job

- c:\windows\System32\OOBE\OOBEBALN.EXE [2004-03-19 00:12]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000

LSP: c:\program files\VMware\VMware Player\vsocklib.dll

DPF: 55963676-2F5E-4BAF-AC28-CF26AA587566 - vpnweb.cab

DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://download.ewido.net/ewidoOnlineScan.cab

DPF: {D7208880-9B7A-43E1-AABB-8C888A5704F9} - hxxp://192.168.1.120/NetCamPlayerWeb11gv2.cab

FF - ProfilePath - c:\documents and settings\Dad\Application Data\Mozilla\Firefox\Profiles\rgvkdjc2.default\

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)

AddRemove-{45EBDA59-D33B-433A-956E-B2F236468B56} - c:\progra~1\MUSICM~1\MUSICM~2\unmatch.exe

AddRemove-{F38ADCA4-AF7C-4C73-9021-6F1EA15D15EA} - c:\program files\InstallShield Installation Information\{F38ADCA4-AF7C-4C73-9021-6F1EA15D15EA}\Setup.exeUNINSTALL

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-22 16:46

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"cd042efbbd7f7af1647644e76e06692b"=hex:c8,28,51,af,b0,29,a3,98,96,17,45,30,42,

22,3e,fc,e2,63,26,f1,3f,c8,ff,68,77,0e,00,e4,5c,14,21,fd,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"bca643cdc5c2726b20d2ecedcc62c59b"=hex:71,3b,04,66,8b,46,0d,96,55,74,77,71,df,

db,69,d6,6a,9c,d6,61,af,45,84,18,8a,3b,56,dc,71,f0,a3,41,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"2c81e34222e8052573023a60d06dd016"=hex:25,da,ec,7e,55,20,c9,26,49,0a,e4,e3,c3,

63,ce,b4,ff,7c,85,e0,43,d4,0e,fe,a7,74,2d,4e,ad,58,8a,d9,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,76,9d,fd,98,85,

cf,42,90,86,8c,21,01,be,91,eb,e7,63,33,d5,0d,e2,19,b4,1d,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"caaeda5fd7a9ed7697d9686d4b818472"=hex:e9,02,6c,fa,fb,1d,47,57,06,fb,46,d6,d3,

c5,63,15,f5,1d,4d,73,a8,13,5c,05,0d,07,43,f5,0c,a7,ae,3c,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:df,20,58,62,78,6b,cf,c8,5c,41,3d,d3,65,

79,97,6f,df,20,58,62,78,6b,cf,c8,35,0c,f9,b9,e9,54,4c,f7,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"4d370831d2c43cd13623e232fed27b7b"=hex:31,77,e1,ba,b1,f8,68,02,c8,00,58,ca,d0,

7d,be,07,fb,a7,78,e6,12,2f,9a,ea,e9,a0,6e,16,e9,b4,a9,62,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"1d68fe701cdea33e477eb204b76f993d"=hex:01,3a,48,fc,e8,04,4a,f1,22,b8,1e,65,6f,

62,67,18,01,3a,48,fc,e8,04,4a,f1,09,07,5f,c6,65,0a,aa,4d,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:f6,0f,4e,58,98,5b,89,c9,14,1f,76,7c,92,

45,e8,02,f6,0f,4e,58,98,5b,89,c9,42,0c,5d,27,d4,c6,44,1f,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"f5f62a6129303efb32fbe080bb27835b"=hex:3d,ce,ea,26,2d,45,aa,78,ab,6b,fa,e9,94,

eb,5a,0b,3d,ce,ea,26,2d,45,aa,78,95,97,0a,52,06,61,62,28,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:2a,b7,cc,b5,b9,7f,41,e7,7c,bb,59,da,49,

75,30,54,2a,b7,cc,b5,b9,7f,41,e7,0c,57,26,9d,d6,1e,17,cc,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,3b,4a,02,5b,f2,

a6,ef,f8,6c,43,2d,1e,aa,22,2f,9c,56,d4,58,ee,ee,b5,fc,dd,6c,43,2d,1e,aa,22,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1280)

c:\windows\system32\WININET.dll

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(1344)

c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3832)

c:\windows\system32\WININET.dll

tdlwsp.dll 10000000 36864 \\?\globalroot\Device\Ide\iaStor0\ulptntrd\ulptntrd\tdlwsp.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\SYSTEM32\ati2evxx.exe

c:\windows\SYSTEM32\ati2evxx.exe

c:\windows\SYSTEM32\CTSVCCDA.EXE

c:\program files\Intel\Intel Application Accelerator\IAANTmon.exe

c:\program files\Java\jre6\bin\jqs.exe

.

**************************************************************************

.

Completion time: 2009-09-22 17:00 - machine was rebooted

ComboFix-quarantined-files.txt 2009-09-22 21:00

Pre-Run: 33,150,472,192 bytes free

Post-Run: 33,033,359,360 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

379 --- E O F --- 2009-09-14 18:30


- - - - - - - > 'explorer.exe'(3832)

tdlwsp.dll 10000000 36864 \\?\globalroot\Device\Ide\iaStor0\ulptntrd\ulptntrd\tdlwsp.dll

This entry still prevails. That's no good.

We need to do a search for that file.

Open NOTEPAD.exe and copy/paste the text in the quotebox below into it:

@echo off
REM Search for tdlwsp.dll starting from the system drive with the PEV tool and write the result to Logit.txt
PEV -tf %systemdrive%\tdlwsp.dll >Logit.txt
REM Open the result in the default .txt viewer
Start Logit.txt
REM Remove this batch file once it has run
del %0

Save this as seek.bat. Choose "Save as type - All Files".

It should look like this: [image: bat_icon.gif]

Double click on seek.bat & allow it to run

Post back to tell me what it says

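The entry the helper points at above is a module that explorer.exe has loaded from a `\\?\globalroot\Device\...` object path instead of a normal drive-letter location, which is exactly the kind of line a defender wants pulled out of a long ComboFix log automatically. The following is an added example, not code from this thread or from ComboFix or Malwarebytes: it parses the "DLLs Loaded Under Running Processes" section in the layout shown in the log above and flags any module whose path is not an ordinary drive-letter path. The sample log lines are constructed from the entries quoted in this thread; the module-line layouts it understands (a bare path, or `name loadaddress size path` as ComboFix printed the tdlwsp.dll entry) are taken from the log on this page and are assumed to be the only two forms.

```python
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

# Constructed sample in the layout of the ComboFix "DLLs Loaded Under Running
# Processes" section quoted in this thread (process names and PIDs copied from it).
SAMPLE_LOG = r"""
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1280)
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(1344)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3832)
c:\windows\system32\WININET.dll
tdlwsp.dll 10000000 36864 \\?\globalroot\Device\Ide\iaStor0\ulptntrd\ulptntrd\tdlwsp.dll
c:\windows\system32\ieframe.dll

------------------------ Other Running Processes ------------------------
"""

SECTION_TITLE = "DLLs Loaded Under Running Processes"
# Process header line, e.g.   - - - - - - - > 'explorer.exe'(3832)
PROC_RE = re.compile(r"^(?:-\s)+>\s*'(?P<name>[^']+)'\((?P<pid>\d+)\)")
# Module printed with load address and size (assumed layout, copied from the
# tdlwsp.dll line in the thread):  tdlwsp.dll 10000000 36864 <path>
MOD_WITH_ADDR_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<addr>[0-9A-Fa-f]{8})\s+(?P<size>\d+)\s+(?P<path>.+?)\s*$"
)
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass
class Finding:
    process: str
    pid: int
    path: str
    reason: str


def parse_loaded_modules(log: str) -> Iterator[Tuple[str, int, str]]:
    """Yield (process name, pid, module path) for every module listed in the
    DLLs-loaded section of a ComboFix log. Parsing stops at the next section."""
    in_section = False
    current: Optional[Tuple[str, int]] = None
    for raw in log.splitlines():
        line = raw.strip()
        if not in_section:
            in_section = SECTION_TITLE in line
            continue
        if line.startswith("----"):  # the next "------ ... ------" header
            break
        if not line or line == ".":
            continue
        m = PROC_RE.match(line)
        if m:
            current = (m.group("name"), int(m.group("pid")))
            continue
        if current is None:
            continue
        m = MOD_WITH_ADDR_RE.match(line)
        path = m.group("path") if m else line
        yield current[0], current[1], path


def classify(path: str) -> Optional[str]:
    """Return why a module path looks wrong, or None if it is an ordinary
    drive-letter path."""
    low = path.lower()
    if low.startswith("\\\\?\\globalroot\\") or low.startswith("\\device\\"):
        return "loaded from a globalroot/device object path rather than a drive letter"
    if not DRIVE_PATH_RE.match(path):
        return "module path is not an absolute drive-letter path"
    return None


def find_suspicious_modules(log: str) -> List[Finding]:
    """Collect every loaded module whose path classify() flags."""
    findings: List[Finding] = []
    for proc, pid, path in parse_loaded_modules(log):
        reason = classify(path)
        if reason is not None:
            findings.append(Finding(proc, pid, path, reason))
    return findings


if __name__ == "__main__":
    for f in find_suspicious_modules(SAMPLE_LOG):
        print(f"{f.process}({f.pid}): {f.path}\n    -> {f.reason}")
```

Run against the constructed sample it reports only the explorer.exe entry for tdlwsp.dll; the WININET.dll, Ati2evxx.dll and ieframe.dll lines pass because they live under a drive letter. The path check is deliberately a heuristic on the log text alone: it cannot tell whether a drive-letter file actually exists, so a module that hides itself the way the helper describes later in the thread (memory resident, no file found on disk) still needs the on-host checks the helper asks for.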

Appears that the file is memory resident and self deleting. That's why conventional searches and rootkit scanners won't see it proper. Rather than focus on tdlwsp.dll, we should try looking for the file that loads it. It's possible that one or more of your system files has been hijacked by a malware copy. For that, we need a deeper scan.

Please download RUNSCANNER to your desktop and run it.

  • Select Beginner Mode
  • On the next page select Save a binary .Run file, then click Scan Computer at the top. Runscanner.exe may request access to the Internet through your firewall; please allow it to do so. It will then run for two or three minutes.
  • On completion it will ask for a location to save the file and a name. It will do this for both the .run file and the log.
  • Save the files to your desktop. You will see the .run file on your desktop.
  • Please zip the .run file by right clicking and selecting send to Zip file
  • Then upload that as an attachment in your next post.


That unfortunately didn't pay many dividends. The log for the most part appears to be in good order. I'm not seeing where this tdlwsp.dll is getting dropped from.

I have something for you to test. Please refer to the picture below

[image: rscan.png]

Launch RunScanner again and click on the 'Loaded Modules' tab.

Locate the tdlwsp.dll entry and right click on it to bring up the context menu.

Tell me what happens when you select each of these options:

  • Upload file to VirusTotal
  • Open Location
  • Show file properties

----

I would also like for you to download and run this file > http://download.bleepingcomputer.com/sUBs/SignedFiles.exe

It shall create a report which shall be zipped into a file located at C:\FileScan.zip

Please attach the zipped file to your next reply


Open Location - the path: \\?\globalroot\Device\Ide\iaStor0\ulptntrd\ulptntrd\tdlwsp.dll does not exist or is not a directory

Properties shows Application Extension, size 0 bytes, all attributes unchecked

Not sure what you want on the VirusTotal - large screens are returned

On tdlwsp.dll, 9 of 41 detected it

On wininet.dll, 0 of 41

FileScan attached:

FileScan.zip


not sure what you want on the virustotal - large screens are returned

Please give me the links (urls) to those VT results.

Also kindly scan this file as well - C:\Windows\system32\drivers\iaStor.sys

open location - the path: \\?\globalroot\Device\Ide\iaStor0\ulptntrd\ulptntrd\tdlwsp.dll does not exist or is not a directory

properties shows Application Extension size 0 bytes all attributes unchecked

on tdlwsp.dll 9 of 41 detected it

For a file that purports to be 0 bytes, it would seem strange that 9/41 scanners would deem it as malware. :)


Checking a few hundred files is slow, tedious work, but I have something for you to check out in the meantime.

Earlier on, I had you run ComboFix to remove a malware service.

DRIVER::

b5f24

vnmcxjkipmpdripx

COLLECT::

C:\WINDOWS\system32\b5f24.sys

C:\Windows\system32\drivers\vnmcxjkipmpdripx.sys

Only one file was zipped/removed.

c:\windows\system32\b5f24.sys

ComboFix should have asked for you to upload that file. Did you allow it to do so? If you haven't done so yet, it should be located at C:\Qoobox\Quarantine\[4]Submit@Date_Time.zip

Please submit this file to http://www.bleepingcomputer.com/submit-malware.php?channel=4

-------

I would also like to confirm that those 2 services have not regenerated. Kindly repeat this step:

2nd GMER Scan

At the top of the GMER interface, click the [>>>] button to reveal the hidden tabs.

Select Registry

Then navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services

Highlight the Services button and click the Export button located on the upper right to save a log.

The log is huge and cannot be posted. You need to zip it and attach to the next reply.

[image: Gmer-Registry.png]
