nighthawk Posted September 26, 2009 ID:133439 Share Posted September 26, 2009 I started this topic and I was told to post logs here, so here they are:Malwarebytes' Anti-Malware 1.41Database version: 2858Windows 5.1.2600 Service Pack 29/26/2009 11:11:49 AMmbam-log-2009-09-26 (11-11-49).txtScan type: Quick ScanObjects scanned: 129791Time elapsed: 9 minute(s), 1 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected)___________________________________Logfile of Trend Micro HijackThis v2.0.2Scan saved at 3:32:26 PM, on 9/25/2009Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exeC:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exeC:\Program Files\Comodo\COMODO Internet Security\cmdagent.exeC:\Program Files\Java\jre6\bin\jqs.exeC:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXEC:\WINDOWS\system32\nvsvc32.exeC:\Program Files\Analog Devices\SoundMAX\SMAgent.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\VMware\VMware Workstation\vmware-authd.exeC:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Trend Micro\HijackThis\terrorista.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dllO2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dllO2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dllO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exeO4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\Comodo\COMODO Internet Security\cfp.exe" -hO4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /minO4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] j:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silentO4 - HKLM\..\RunOnce: [innoSetupRegFile.0000000001] "C:\WINDOWS\is-PQ10B.exe" /REGO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKUS\S-1-5-19\..\RunOnce: [sSS2006] "C:\Program Files\Steganos Security Suite 2006\SSS2006.exe" -firstboot (User 'LOCAL SERVICE')O4 - HKUS\S-1-5-20\..\RunOnce: [sSS2006] "C:\Program Files\Steganos Security Suite 2006\SSS2006.exe" -firstboot (User 'NETWORK SERVICE')O4 - HKUS\S-1-5-21-1801674531-879983540-839522115-1007\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'milos')O4 - HKUS\S-1-5-18\..\RunOnce: [sSS2006] "C:\Program Files\Steganos Security Suite 2006\SSS2006.exe" -firstboot (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\RunOnce: [sSS2006] "C:\Program Files\Steganos Security Suite 2006\SSS2006.exe" -firstboot (User 'Default user')O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htmO8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htmO8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htmO8 - Extra context menu item: E&xport to Microsoft Excel - res://J:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000O8 - Extra context menu item: Translate with &Babylon - res://J:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htmO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - J:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLLO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO17 - HKLM\System\CCS\Services\Tcpip\..\{2AFE39A0-7C71-4953-BC9E-02557DE19A01}: NameServer = 85.222.160.152,217.26.64.131,208.67.222.222,208.67.220.220O17 - HKLM\System\CS1\Services\Tcpip\..\{2AFE39A0-7C71-4953-BC9E-02557DE19A01}: NameServer = 85.222.160.152,217.26.64.131,208.67.222.222,208.67.220.220O17 - HKLM\System\CS2\Services\Tcpip\..\{2AFE39A0-7C71-4953-BC9E-02557DE19A01}: NameServer = 85.222.160.152,217.26.64.131,208.67.222.222,208.67.220.220O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exeO23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exeO23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exeO23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\Comodo\COMODO Internet Security\cmdagent.exeO23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exeO23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exeO23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exeO23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exeO23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exeO23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exeO23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe--End of file - 5955 bytes___________________________Last night I copied these three files to winXP virtual machine and tried to execute .exe file. During that time wireshark was running on gateway machine. Exe file briefly pops up in task manager and then it disappears. I double-clicked it at least 50 times, each time it's the same. There was no network traffic.So, any ideas what is is-PQ10B.exe (no pun intended) and why is it there? Link to post Share on other sites More sharing options...
Staff screen317 Posted September 27, 2009 Staff ID:133740 Share Posted September 27, 2009 Hi and welcome to Malwarebytes.Please go to VirusTotal, and upload the following file for analysis:C:\WINDOWS\is-PQ10B.exePost the results in your reply.After that, download DDS by sUBs and save it to your Desktop.Double-click on the DDS icon and let the scan run. When it has run two logs will be produced, please post the one that is not minimized.-screen317 Link to post Share on other sites More sharing options...
nighthawk Posted October 4, 2009 Author ID:137711 Share Posted October 4, 2009 DDS (Ver_09-09-24.01) - NTFSx86 Run by ja at 10:05:12.87 on Sun 09/27/2009Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_12============== Pseudo HJT Report ===============uSearch Page = hxxp://www.google.comuSearch Bar = hxxp://www.google.com/iemDefault_Search_URL = hxxp://www.google.com/ieuSearchAssistant = hxxp://www.google.com/ieuSearchURL,(Default) = hxxp://www.google.com/search?q=%smSearchAssistant = hxxp://www.google.com/ieBHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\free download manager\iefdmcks.dllBHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dllBHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dlluRun: [ctfmon.exe] c:\windows\system32\ctfmon.exemRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartupmRun: [smapp] c:\program files\analog devices\soundmax\SMTray.exemRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -hmRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /minmRunOnce: [Malwarebytes' Anti-Malware] j:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silentmRunOnce: [innoSetupRegFile.0000000001] "c:\windows\is-PQ10B.exe" /REGuPolicies-explorer: NoSMHelp = 01000000uPolicies-explorer: NoSMMyDocs = 01000000uPolicies-explorer: NoSMMyPictures = 01000000uPolicies-explorer: NoActiveDesktop = 01000000IE: Download all with Free Download Manager - file://c:\program files\free download manager\dlall.htmIE: Download selected with Free Download Manager - file://c:\program files\free download manager\dlselected.htmIE: Download with Free Download Manager - file://c:\program files\free download manager\dllink.htmIE: E&xport to Microsoft Excel - j:\progra~1\micros~2\office11\EXCEL.EXE/3000IE: Translate with &Babylon - j:\program files\babylon\babylon-pro\utils\BabylonIEPI.dll/Translate.htmIE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exeIE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - j:\progra~1\micros~2\office11\REFIEBAR.DLLDPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cabDPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cabDPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cabDPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cabDPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cabTCP: {2AFE39A0-7C71-4953-BC9E-02557DE19A01} = 85.222.160.152,217.26.64.131,208.67.222.222,208.67.220.220AppInit_DLLs: interceptor.dll================= FIREFOX ===================FF - ProfilePath - FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}============= SERVICES / DRIVERS ============================== Created Last 30 ================2009-09-23 11:14 <DIR> --d----- c:\docume~1\ja\applic~1\Dev-Cpp2009-09-21 23:19 <DIR> --d----- c:\program files\Microsoft SQL Server2009-09-21 23:13 <DIR> --d----- c:\program files\common files\Merge Modules2009-09-02 20:39 10,498 a------- c:\windows\is-PQ10B.msg2009-09-02 20:39 460 a------- c:\windows\is-PQ10B.lst2009-09-02 20:39 687,104 a------- c:\windows\is-PQ10B.exe2009-09-02 12:12 <DIR> --d----- c:\program files\Planetarium0130==================== Find3M ====================2009-09-10 14:54 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys2009-09-10 14:53 19,160 a------- c:\windows\system32\drivers\mbam.sys============= FINISH: 10:05:56.65 =============== Link to post Share on other sites More sharing options...
Staff screen317 Posted October 4, 2009 Staff ID:137955 Share Posted October 4, 2009 What about the first part of my instructions?? Link to post Share on other sites More sharing options...
nighthawk Posted October 4, 2009 Author ID:137994 Share Posted October 4, 2009 Sorryhttp://www.virustotal.com/analisis/5ff1766...bffe-1254688016 Link to post Share on other sites More sharing options...
Staff screen317 Posted October 6, 2009 Staff ID:138654 Share Posted October 6, 2009 Hi,Please visit this webpage for instructions for running ComboFix: http://www.bleepingcomputer.com/combofix/how-to-use-combofixWhen the tool is finished, it will produce a report for you.Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.-screen317 Link to post Share on other sites More sharing options...
nighthawk Posted October 7, 2009 Author ID:139271 Share Posted October 7, 2009 During the scan ComboFix found "Rootkit activity" and required a reboot.ComboFix 09-10-06.04 - ja 10/07/2009 16:45.1.1 - NTFSx86Running from: c:\documents and settings\milos\Desktop\ComboFix.exeWARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!.((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))).c:\recycler\S-1-5-21-1116871056-3922734005-1551252272-1003c:\recycler\S-1-5-21-1202660629-1788223648-839522115-1003Infected copy of c:\windows\system32\drivers\atapi.sys was found and disinfected Kitty ate it .((((((((((((((((((((((((( Files Created from 2009-09-07 to 2009-10-07 ))))))))))))))))))))))))))))))).2009-10-05 21:45 . 1998-09-02 08:28 38160 ----a-w- c:\windows\system32\LMRTREND.dll2009-10-05 21:45 . 1998-08-27 04:51 182032 ----a-w- c:\windows\system32\dxtmsft3.dll2009-10-05 21:45 . 1998-09-02 08:28 63488 ----a-w- c:\windows\system32\unam4ie.exe2009-10-05 21:45 . 1998-08-17 09:21 10240 ----a-w- c:\windows\system32\vidx16.dll2009-10-05 21:45 . 1998-09-02 08:02 194320 ----a-w- c:\windows\system32\qcut.dll2009-10-05 21:45 . 1998-08-17 09:21 11776 ----a-w- c:\windows\system32\mciqtz.drv2009-10-05 21:45 . 2009-10-05 21:45 2272 ----a-w- c:\windows\system32\w95inf16.dll2009-10-05 21:45 . 2009-10-05 21:45 4608 ----a-w- c:\windows\system32\w95inf32.dll2009-10-05 08:45 . 2009-10-05 08:45 -------- d-----w- c:\documents and settings\ja\Application Data\gnupg2009-09-23 09:17 . 2009-09-23 09:55 -------- d-----w- c:\documents and settings\milos\Application Data\Dev-Cpp2009-09-23 09:14 . 2009-09-23 09:23 -------- d-----w- c:\documents and settings\ja\Application Data\Dev-Cpp2009-09-21 21:37 . 2009-09-21 21:37 -------- d-----w- c:\documents and settings\milos\Local Settings\Application Data\Microsoft Help2009-09-21 21:19 . 2009-09-21 21:19 -------- d-----w- c:\program files\Microsoft SQL Server2009-09-21 21:17 . 2009-09-21 21:17 -------- d-----w- c:\documents and settings\ja\Local Settings\Application Data\Microsoft Help2009-09-21 21:13 . 2009-09-21 21:14 -------- d-----w- c:\program files\Common Files\Merge Modules2009-09-21 21:13 . 2009-09-21 21:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help2009-09-21 21:11 . 2009-09-21 21:11 -------- d-----w- c:\program files\Microsoft SDKs2009-09-21 21:09 . 2009-09-21 21:09 157464 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat2009-09-07 21:33 . 2009-09-07 21:33 -------- d-----w- c:\documents and settings\milos\Application Data\KeePass.(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2009-10-07 14:43 . 2007-07-18 10:24 -------- d-----w- c:\documents and settings\LocalService\Application Data\VMware2009-10-05 16:33 . 2008-12-03 14:51 -------- d-----w- c:\documents and settings\milos\Application Data\AIMP2009-10-04 20:58 . 2007-07-18 11:26 -------- d-----w- c:\documents and settings\milos\Application Data\VMware2009-10-02 14:55 . 2009-01-27 16:53 -------- d-----w- c:\documents and settings\milos\Application Data\Free Download Manager2009-09-21 21:37 . 2007-04-17 14:45 69360 ------w- c:\documents and settings\milos\Local Settings\Application Data\GDIPFONTCACHEV1.DAT2009-09-18 20:52 . 2008-12-04 19:39 -------- d-----w- c:\documents and settings\milos\Application Data\codeblocks2009-09-10 12:54 . 2008-12-04 11:35 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys2009-09-10 12:53 . 2008-12-04 11:35 19160 ----a-w- c:\windows\system32\drivers\mbam.sys2009-09-02 18:35 . 2009-09-02 18:35 -------- d-----w- c:\documents and settings\nighthawk\Application Data\Malwarebytes2009-09-02 10:12 . 2009-09-02 10:12 -------- d-----w- c:\program files\Planetarium01302009-08-20 14:04 . 2007-07-14 13:43 -------- d-----w- c:\program files\Google2009-08-12 16:40 . 2009-03-07 20:37 -------- d-----w- c:\documents and settings\gnutella\Application Data\FrostWire.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-04-01 5562368]"Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2002-10-11 98304]"COMODO Internet Security"="c:\program files\Comodo\COMODO Internet Security\cfp.exe" [2009-01-03 1797880]"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]c:\documents and settings\nighthawk\Start Menu\Programs\Startup\Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664][HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]"NoSMHelp"= 01000000"NoSMMyDocs"= 01000000"NoSMMyPictures"= 01000000[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk][HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Privoxy.lnk]backup=c:\windows\pss\Privoxy.lnkCommon Startup[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WordWeb.lnk]backup=c:\windows\pss\WordWeb.lnkCommon Startup[HKLM\~\startupfolder\C:^Documents and Settings^milos^Start Menu^Programs^Startup^Adobe Gamma.lnk]backup=c:\windows\pss\Adobe Gamma.lnkStartupHKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\COMODO Firewall ProHKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Outpost Firewall[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]"OutpostFirewall"=2 (0x2)"SatSrv"=2 (0x2)"Adobe LM Service"=3 (0x3)"KPF4"=2 (0x2)"Alerter"=2 (0x2)[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]"EnableFirewall"= 0 (0x0)[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"c:\\WINDOWS\\system32\\dpnsvr.exe"="c:\\WINDOWS\\system32\\sessmgr.exe"="c:\\Program Files\\Miranda IM\\miranda32.exe"="j:\\program files\\Microsoft Games1\\Rise of Nations\\rise.exe"="d:\\Programi\\radni\\internet\\utorrent.exe"="j:\\program files\\SecondLife\\SLVoice.exe"="c:\\Program Files\\Java\\jre1.6.0_07\\bin\\javaw.exe"="c:\\Program Files\\Java\\jre1.6.0_07\\bin\\java.exe"=[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]"1060:TCP"= 1060:TCP:*:Disabled:torente"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [1/3/2009 12:24 PM 101776]R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [1/3/2009 12:24 PM 31504]S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [8/20/2009 4:02 PM 133104]S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [6/29/2007 2:01 AM 42512]S3 ZSMC0305;A4 TECH PC Camera V;c:\windows\system32\Drivers\usbVM305.sys --> c:\windows\system32\Drivers\usbVM305.sys [?]S4 SatSrv;Steganos AntiTheft;c:\windows\system32\SatSrv.exe --> c:\windows\system32\SatSrv.exe [?].Contents of the 'Scheduled Tasks' folder2009-08-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-20 14:01]..------- Supplementary Scan -------.uSearchURL,(Default) = hxxp://www.google.com/search?q=%sIE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htmIE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htmIE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htmIE: E&xport to Microsoft Excel - j:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000IE: Translate with &Babylon - j:\program files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htmTCP: {2AFE39A0-7C71-4953-BC9E-02557DE19A01} = 85.222.160.152,217.26.64.131,208.67.222.222,208.67.220.220FF - ProfilePath - c:\documents and settings\ja\Application Data\Mozilla\Firefox\Profiles\rso4qa7l.default\FF - prefs.js: browser.search.selectedEngine - GoogleFF - component: c:\documents and settings\ja\Application Data\Mozilla\Firefox\Profiles\rso4qa7l.default\extensions\{3b56bcc7-54e5-44a2-9b44-66c3ef58c13e}\components\nstidy.dllFF - plugin: c:\program files\Opera\program\plugins\nppl3260.dllFF - plugin: c:\program files\Opera\program\plugins\nprpjplug.dll.**************************************************************************catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2009-10-07 16:51Windows 5.1.2600 Service Pack 2 NTFSscanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... c:\documents and settings\ja\Application Data\Mozilla\Firefox\Profiles\rso4qa7l.default\pluginreg.dat.bak 6291 bytesc:\documents and settings\ja\Application Data\Mozilla\Firefox\Profiles\rso4qa7l.default\prefs.js.BAK 4152 bytesscan completed successfullyhidden files: 2**************************************************************************.Completion time: 2009-10-07 16:53ComboFix-quarantined-files.txt 2009-10-07 14:53Pre-Run: 1,982,668,800 bytes freePost-Run: 2,102,419,456 bytes free141==========================================And HijackThis:Logfile of Trend Micro HijackThis v2.0.2Scan saved at 4:55:05 PM, on 10/7/2009Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exeC:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exeC:\Program Files\Comodo\COMODO Internet Security\cmdagent.exeC:\WINDOWS\system32\nvsvc32.exeC:\Program Files\Analog Devices\SoundMAX\SMAgent.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\VMware\VMware Workstation\vmware-authd.exeC:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exeC:\WINDOWS\system32\wscntfy.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\explorer.exeC:\WINDOWS\system32\rundll32.exeC:\Program Files\Trend Micro\HijackThis\terrorista.exeC:\Program Files\Avira\AntiVir PersonalEdition Classic\avwsc.exeR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dllO2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dllO2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dllO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exeO4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\Comodo\COMODO Internet Security\cfp.exe" -hO4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /minO8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htmO8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htmO8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htmO8 - Extra context menu item: E&xport to Microsoft Excel - res://J:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000O8 - Extra context menu item: Translate with &Babylon - res://J:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htmO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - J:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLLO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO17 - HKLM\System\CCS\Services\Tcpip\..\{2AFE39A0-7C71-4953-BC9E-02557DE19A01}: NameServer = 85.222.160.152,217.26.64.131,208.67.222.222,208.67.220.220O17 - HKLM\System\CS1\Services\Tcpip\..\{2AFE39A0-7C71-4953-BC9E-02557DE19A01}: NameServer = 85.222.160.152,217.26.64.131,208.67.222.222,208.67.220.220O17 - HKLM\System\CS2\Services\Tcpip\..\{2AFE39A0-7C71-4953-BC9E-02557DE19A01}: NameServer = 85.222.160.152,217.26.64.131,208.67.222.222,208.67.220.220O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exeO23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exeO23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exeO23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\Comodo\COMODO Internet Security\cmdagent.exeO23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exeO23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exeO23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exeO23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exeO23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exeO23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exeO23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe--End of file - 5423 bytes Link to post Share on other sites More sharing options...
nighthawk Posted October 7, 2009 Author ID:139277 Share Posted October 7, 2009 I hate to doublepost, but I don't see an option to edit message.Those is-PQ10B.exe files are now removed.Log says that something was removed, can you tell what kind of malware was that, if it was a keylogger it would be vary bad for me. Link to post Share on other sites More sharing options...
nighthawk Posted October 7, 2009 Author ID:139373 Share Posted October 7, 2009 I've done some work on my own. After scan with ComboFix I noticed that the virtual drive is gone. I used Alcohol 120% (1.9.2.1705) since 2007 without any problem, but after this it became suspicious. This is what VirusTotal says about it's installation file (I took it from a friend who probably got it from torrent network). Installed .exe seems to be clean. Then I ran HijackThis and Combofix on virtual machine with the same OS (winXP SP2), installed from the same CD, before and after the installation of Alcohol 120%. After installation it found a rootkit and required reboot. The same file (atapi.sys) was infected. Here are the logs:HijackThis++++++++++++before++++++++++++++Logfile of Trend Micro HijackThis v2.0.2Scan saved at 8:38:08 PM, on 10/7/2009Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\VMware\VMware Tools\VMwareTray.exeC:\Program Files\VMware\VMware Tools\VMwareUser.exeC:\Program Files\VMware\VMware Tools\VMwareService.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\explorer.exeC:\Documents and Settings\virt1\Desktop\otmica.exeR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://scroogle.org/O4 - HKLM\..\Run: [VMware Tools] C:\Program Files\VMware\VMware Tools\VMwareTray.exeO4 - HKLM\..\Run: [VMware User Process] C:\Program Files\VMware\VMware Tools\VMwareUser.exeO4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /autoO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO17 - HKLM\System\CCS\Services\Tcpip\..\{AA191B09-9081-4731-850A-A7BBF32A76A5}: NameServer = 208.67.222.222,208.67.220.220O23 - Service: DirMngr - Unknown owner - C:\Program Files\GNU\GnuPG\dirmngr.exeO23 - Service: VMware Tools Service (VMTools) - VMware, Inc. - C:\Program Files\VMware\VMware Tools\VMwareService.exe--End of file - 1986 bytes+++++++++++after+++++++++++++Logfile of Trend Micro HijackThis v2.0.2Scan saved at 8:46:43 PM, on 10/7/2009Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\Explorer.EXEC:\Program Files\VMware\VMware Tools\VMwareTray.exeC:\Program Files\VMware\VMware Tools\VMwareUser.exeC:\Program Files\GNU\GnuPG\dirmngr.exeC:\Program Files\VMware\VMware Tools\VMwareService.exeC:\WINDOWS\system32\cmd.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\NOTEPAD.EXEC:\Documents and Settings\virt1\Desktop\otmica.exeR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://scroogle.org/O4 - HKLM\..\Run: [VMware Tools] C:\Program Files\VMware\VMware Tools\VMwareTray.exeO4 - HKLM\..\Run: [VMware User Process] C:\Program Files\VMware\VMware Tools\VMwareUser.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO17 - HKLM\System\CCS\Services\Tcpip\..\{AA191B09-9081-4731-850A-A7BBF32A76A5}: NameServer = 208.67.222.222,208.67.220.220O23 - Service: DirMngr - Unknown owner - C:\Program Files\GNU\GnuPG\dirmngr.exeO23 - Service: VMware Tools Service (VMTools) - VMware, Inc. - C:\Program Files\VMware\VMware Tools\VMwareService.exe--End of file - 2035 bytes==================================Combofixbefore++++++++++++++++ComboFix 09-10-06.04 - virt1 10/07/2009 20:13.1.1 - NTFSx86Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.191.48 [GMT 2:00]Running from: c:\documents and settings\virt1\My Documents\Downloads\ComboFix.exe * Created a new restore pointWARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!.((((((((((((((((((((((((( Files Created from 2009-09-07 to 2009-10-07 ))))))))))))))))))))))))))))))).2009-10-04 12:41 . 2004-08-03 21:08 26496 -c--a-w- c:\windows\system32\dllcache\usbstor.sys2009-10-04 12:39 . 2009-10-04 12:39 -------- d-----w- c:\program files\NMRC2009-10-04 12:35 . 2009-10-04 12:35 -------- d-----w- c:\documents and settings\virt1\Application Data\gtk-2.02009-10-04 12:30 . 2009-10-04 12:30 -------- d-----w- c:\documents and settings\virt1\Local Settings\Application Data\Chromium2009-10-04 12:30 . 2009-10-04 12:30 -------- d-----w- c:\documents and settings\virt1\.kde2009-10-04 12:28 . 2009-10-04 12:28 -------- d-----w- c:\documents and settings\virt1\Local Settings\Application Data\GNU2009-10-04 12:27 . 2009-10-04 12:27 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\GNU2009-10-04 12:27 . 2009-10-04 12:27 -------- d-----w- c:\documents and settings\LocalService\Application Data\gnupg2009-10-04 12:27 . 2009-10-07 18:07 -------- d-----w- c:\documents and settings\virt1\Application Data\gnupg2009-10-04 12:27 . 2009-10-04 12:27 -------- d-----w- c:\documents and settings\All Users\Application Data\GNU2009-10-04 12:26 . 2009-10-04 12:26 -------- d-----w- c:\program files\GNU2009-09-28 19:41 . 2009-10-04 12:32 -------- d-----w- c:\program files\PHPLiveEdit 20052009-09-26 18:09 . 2009-09-26 18:09 -------- d-----w- c:\program files\7-Zip2009-09-26 17:45 . 2009-10-07 18:07 -------- d-----w- c:\documents and settings\virt1\Application Data\Tor2009-09-26 17:45 . 2009-09-26 17:46 -------- d-----w- c:\documents and settings\virt1\Application Data\Vidalia2009-09-26 17:45 . 2009-09-26 17:45 -------- d-----w- c:\program files\Vidalia Bundle2009-09-26 17:09 . 2009-09-26 17:09 -------- d--h--w- c:\windows\system32\GroupPolicy2009-09-26 16:51 . 2009-09-26 16:52 -------- d-----w- c:\documents and settings\virt1\Application Data\TrueCrypt2009-09-26 16:51 . 2009-09-26 16:51 235840 ----a-w- c:\windows\system32\drivers\truecrypt.sys2009-09-26 16:51 . 2009-09-26 16:51 -------- d-----w- c:\program files\TrueCrypt.(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))..((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"VMware Tools"="c:\program files\VMware\VMware Tools\VMwareTray.exe" [2006-11-13 56112]"VMware User Process"="c:\program files\VMware\VMware Tools\VMwareUser.exe" [2006-11-13 109360]"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-03 158208][HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Privoxy.lnk]path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Privoxy.lnkbackup=c:\windows\pss\Privoxy.lnkCommon Startup[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"%windir%\\system32\\sessmgr.exe"=R0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [11/13/2006 9:50 PM 17840]R2 hgfs;hgfs;c:\windows\system32\drivers\hgfs.sys [2/2/2008 1:49 PM 85704]R2 VMTools;VMware Tools Service;c:\program files\VMware\VMware Tools\VMwareService.exe [11/13/2006 9:50 PM 142128]R3 vmmouse;VMware Pointing Device;c:\windows\system32\drivers\vmmouse.sys [11/13/2006 9:50 PM 11568]R3 vmx_svga;vmx_svga;c:\windows\system32\drivers\vmx_svga.sys [11/13/2006 9:50 PM 22704]R3 vmxnet;VMware Ethernet Adapter Driver;c:\windows\system32\drivers\vmxnet.sys [11/13/2006 9:50 PM 29488]S2 DirMngr;DirMngr;c:\program files\GNU\GnuPG\dirmngr.exe [9/28/2009 6:15 PM 242176]..------- Supplementary Scan -------.TCP: {AA191B09-9081-4731-850A-A7BBF32A76A5} = 208.67.222.222,208.67.220.220.**************************************************************************catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2009-10-07 20:27Windows 5.1.2600 Service Pack 2 NTFSscanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfullyhidden files: 0**************************************************************************.--------------------- DLLs Loaded Under Running Processes ---------------------- - - - - - - > 'explorer.exe'(1108)c:\program files\VMware\VMware Tools\hook.dllc:\windows\System32\hgfs.dll.Completion time: 2009-10-07 20:32ComboFix-quarantined-files.txt 2009-10-07 18:32Pre-Run: 1,451,847,680 bytes freePost-Run: 1,478,549,504 bytes free79++++++++++++++++++++++++++++++++++++++++++++AfterComboFix 09-10-06.04 - virt1 10/07/2009 21:03.2.1 - NTFSx86Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.191.108 [GMT 2:00]Running from: c:\documents and settings\virt1\Desktop\ComboFix.exeWARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!.((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))).Infected copy of c:\windows\system32\drivers\atapi.sys was found and disinfected Kitty ate it .((((((((((((((((((((((((( Files Created from 2009-09-07 to 2009-10-07 ))))))))))))))))))))))))))))))).2009-10-07 18:40 . 2004-04-30 07:37 160640 ----a-w- c:\windows\system32\drivers\a347bus.sys2009-10-07 18:40 . 2004-04-30 07:33 5248 ----a-w- c:\windows\system32\drivers\a347scsi.sys2009-10-07 18:40 . 2009-10-07 18:40 -------- d-----w- c:\program files\Alcohol Soft2009-10-04 12:41 . 2004-08-03 21:08 26496 -c--a-w- c:\windows\system32\dllcache\usbstor.sys2009-10-04 12:39 . 2009-10-04 12:39 -------- d-----w- c:\program files\NMRC2009-10-04 12:35 . 2009-10-04 12:35 -------- d-----w- c:\documents and settings\virt1\Application Data\gtk-2.02009-10-04 12:30 . 2009-10-04 12:30 -------- d-----w- c:\documents and settings\virt1\Local Settings\Application Data\Chromium2009-10-04 12:30 . 2009-10-04 12:30 -------- d-----w- c:\documents and settings\virt1\.kde2009-10-04 12:28 . 2009-10-04 12:28 -------- d-----w- c:\documents and settings\virt1\Local Settings\Application Data\GNU2009-10-04 12:27 . 2009-10-04 12:27 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\GNU2009-10-04 12:27 . 2009-10-04 12:27 -------- d-----w- c:\documents and settings\LocalService\Application Data\gnupg2009-10-04 12:27 . 2009-10-07 18:07 -------- d-----w- c:\documents and settings\virt1\Application Data\gnupg2009-10-04 12:27 . 2009-10-04 12:27 -------- d-----w- c:\documents and settings\All Users\Application Data\GNU2009-10-04 12:26 . 2009-10-04 12:26 -------- d-----w- c:\program files\GNU2009-09-28 19:41 . 2009-10-04 12:32 -------- d-----w- c:\program files\PHPLiveEdit 20052009-09-26 18:09 . 2009-09-26 18:09 -------- d-----w- c:\program files\7-Zip2009-09-26 17:45 . 2009-10-07 18:07 -------- d-----w- c:\documents and settings\virt1\Application Data\Tor2009-09-26 17:45 . 2009-09-26 17:46 -------- d-----w- c:\documents and settings\virt1\Application Data\Vidalia2009-09-26 17:45 . 2009-09-26 17:45 -------- d-----w- c:\program files\Vidalia Bundle2009-09-26 17:09 . 2009-09-26 17:09 -------- d--h--w- c:\windows\system32\GroupPolicy2009-09-26 16:51 . 2009-09-26 16:52 -------- d-----w- c:\documents and settings\virt1\Application Data\TrueCrypt2009-09-26 16:51 . 2009-09-26 16:51 235840 ----a-w- c:\windows\system32\drivers\truecrypt.sys2009-09-26 16:51 . 2009-09-26 16:51 -------- d-----w- c:\program files\TrueCrypt.(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))..((((((((((((((((((((((((((((( SnapShot@2009-10-07_18.28.01 ))))))))))))))))))))))))))))))))))))))))).+ 2004-08-03 20:59 . 2004-08-03 20:59 95360 c:\windows\system32\dllcache\atapi.sys+ 2009-10-07 18:40 . 2009-10-07 18:40 49152 c:\windows\Installer\{E9F81423-211E-46B6-9AE0-38568BC5CF6F}\IconE9F814236.exe+ 2009-10-07 18:40 . 2009-10-07 18:40 5120 c:\windows\Installer\{E9F81423-211E-46B6-9AE0-38568BC5CF6F}\IconE9F814234.exe+ 2009-10-07 18:40 . 2009-10-07 18:40 958464 c:\windows\Installer\3280b9.msi.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"VMware Tools"="c:\program files\VMware\VMware Tools\VMwareTray.exe" [2006-11-13 56112]"VMware User Process"="c:\program files\VMware\VMware Tools\VMwareUser.exe" [2006-11-13 109360][HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Privoxy.lnk]path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Privoxy.lnkbackup=c:\windows\pss\Privoxy.lnkCommon Startup[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"%windir%\\system32\\sessmgr.exe"=R2 DirMngr;DirMngr;c:\program files\GNU\GnuPG\dirmngr.exe [2009-09-28 242176]S0 vmscsi;vmscsi;c:\windows\system32\DRIVERS\vmscsi.sys [2006-11-13 17840]S2 hgfs;hgfs;c:\windows\system32\DRIVERS\hgfs.sys [2006-11-13 85704]S2 VMTools;VMware Tools Service;c:\program files\VMware\VMware Tools\VMwareService.exe [2006-11-13 142128]S3 vmmouse;VMware Pointing Device;c:\windows\system32\DRIVERS\vmmouse.sys [2006-11-13 11568]S3 vmx_svga;vmx_svga;c:\windows\system32\DRIVERS\vmx_svga.sys [2006-11-13 22704]S3 vmxnet;VMware Ethernet Adapter Driver;c:\windows\system32\DRIVERS\vmxnet.sys [2006-11-13 29488]..------- Supplementary Scan -------.uInternet Connection Wizard,ShellNext = hxxp://scroogle.org/TCP: {AA191B09-9081-4731-850A-A7BBF32A76A5} = 208.67.222.222,208.67.220.220.- - - - ORPHANS REMOVED - - - -AddRemove-HijackThis - c:\documents and settings\virt1\Desktop\HijackThis.exe**************************************************************************catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2009-10-07 21:18Windows 5.1.2600 Service Pack 2 NTFSscanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfullyhidden files: 0**************************************************************************.Completion time: 2009-10-07 21:23ComboFix-quarantined-files.txt 2009-10-07 19:23ComboFix2.txt 2009-10-07 18:32Pre-Run: 1,473,699,840 bytes freePost-Run: 1,471,930,368 bytes free91This doesn't explain is-PQ10B files, I used Alcohol for over two years and they didn't appear, and there were no such files on virtual machine. Link to post Share on other sites More sharing options...
Staff screen317 Posted October 8, 2009 Staff ID:140001 Share Posted October 8, 2009 Edit: Sit tight; I'll be back with you as soon as possible.But why did you run ComboFix from your VM? Link to post Share on other sites More sharing options...
Staff screen317 Posted October 9, 2009 Staff ID:140255 Share Posted October 9, 2009 Hi,Apparently Atapi.sys relates to your IDE drives, and Alcohol should have its own drivers. Reboot and see if the virtual drives return. Link to post Share on other sites More sharing options...
nighthawk Posted October 9, 2009 Author ID:140331 Share Posted October 9, 2009 But why did you run ComboFix from your VM?I wanted to find out more about this infection and I wanted to check the installation of Alcohol that I used on my real machine.Today I repeated the test on clean VM. After Combofix virtual drive was gone, but it was back after reboot, or just after starting Alcohol (no reboot).When I restored clean VM (windows XP SP2 with some services disabled for faster performance, nothing installed) I booted live linux cd and copied original atapi.sys (didn't want to use unlocker) to another drive. After installation of Alcohol i went back to linux and again copied atapi.sys. The I ran ComboFix and again copied atapi.sys. Each time md5 signature of the file was the same, so, in fact atapi.sys was not changed after installation of Alcohol, nor after ComboFix. None of the AV engines on VirusTotal reported anything. So, it looks like the ComboFix gave a false positive, or at least it was wrong about atapi.sys. Drivers installed by Alcohol are also clean.After this I tried (on VM) several Anti Rootkit programs: Rootkit Revealer, BitDefender, AVG, F-Secure BlackLight and gmer. No infection was found, gmer caused BSOD right on start, and after reboot and logging in system was totally unresponsive, I couldn't even start Task Manager (it is so nice when a VM gets busted like this, isn't it).Now I'm scanning my real machine with RR, it will take better part of the day to finish, but so far C: is done and it seems clean. Link to post Share on other sites More sharing options...
nighthawk Posted October 10, 2009 Author ID:141016 Share Posted October 10, 2009 I'm now fairly sure that my machine is clean, so let's get back to the reason why I registered here in the first place.is-PQ10B.exe was found in c:\windows together with .lst and .msg file with the same name, as I said here. I regularly scan my pc with HijackThis, and between two scans I only installed Asynx Planetarium and Microsoft Visual c++ and updated Malwarebytes. My memory is not too good, but time of the creation of is-PQ10B files rougly matches the time of update. Malwarebytes requested system restart after update which I refused, I shut down my pc several hours later. The is-PQ10B.lst points to Malwarebytes. is-PQ10B.exe doesn't seem to be malicious, no AV or AS has identified it as malware and it doesn't attempt to access network.So, I would like (if it is possible) that someone with good knowledge of Malwarebytes (say, someone from development team) confirms that these files belong to Malwarebytes. Link to post Share on other sites More sharing options...
Staff screen317 Posted October 10, 2009 Staff ID:141069 Share Posted October 10, 2009 in fact atapi.sys was not changed after installation of Alcohol,Because it's not an Alcohol related driver; I said that in post 11...So, it looks like the ComboFix gave a false positive, or at least it was wrong about atapi.sys.How do you figure..?I haven't known MBAM to create those files, otherwise there would be many thousands of results on Google from it. Yours and one other case are the only documented ones I can see.Here's an idea:Rename is-PQ10B.lst, is-PQ10B.exe, and is-PQ10B.msg to is-PQ10B.xxx, is-PQ10B.xxxx, and is-PQ10B.xxxxx respectively.Reboot. If the files aren't missed after a while, delete them. Certainly something will prompt you if the files are 'missing,' yet it requires to use those files...-screen317 Link to post Share on other sites More sharing options...
Staff screen317 Posted October 26, 2009 Staff ID:148627 Share Posted October 26, 2009 Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread. Thanks! Link to post Share on other sites More sharing options...
Recommended Posts