secureme Posted October 4, 2009 ID:137499 Share Posted October 4, 2009 I have some malware that does not want to go away. I run Malwarebytes (database 2889) and it will find problems, but upon rebooting some stuff comes back. I have also run AdAware, Spybot S&D, and SuperAntispyware (Spybot is the only other program to find anything). The malware is blocking most major antivirus sites, so I cannot update Malwarebytes. I am posting here through a proxy. I have seen svchust.exe, sv2.exe, sv3.exe, 3.tmp, and a few others. Previously, FastNetSrv.exe was running, which I have never seen before. The malware tries to access various sites. Presently, the Windows NT Logon Application keeps trying to access ru.brans.pl (218.93.205.30) on port 65520. Also, msdtc.exe is currently running, and I have never seen this run before. The computer will hang if I try to boot to safe mode.The computer is relatively clean right now, but once I reboot I'm sure most of the malware files will come back. Below is the current HJT log. I can post another once I reboot if desirable.Logfile of Trend Micro HijackThis v2.0.2Scan saved at 6:29:27 PM, on 10/3/2009Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\Ati2evxx.exeC:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exeC:\Program Files\Atguard\iamserv.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\explorer.exeC:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exeC:\PROGRA~1\Atguard\iamapp.exeC:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exeC:\PROGRA~1\Mozilla Firefox\firefox.exeC:\WINDOWS\system32\dllhost.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeO2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dllO2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dllO2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dllO3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dllO4 - HKLM\..\Run: [iAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"O4 - HKLM\..\Run: [intelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" BOOTO4 - HKLM\..\Run: [iamapp] C:\PROGRA~1\Atguard\iamapp.exeO4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exeO4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exeO4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exeO4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /sO4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscriptO4 - HKCU\..\Run: [EPSON Stylus Photo RX595 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICLA.EXE /FU "C:\WINDOWS\TEMP\E_SAA.tmp" /EF "HKCU"O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exeO4 - Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXEO4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exeO6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions presentO8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlO8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlO8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.htmlO8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.htmlO8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlO8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlO8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlO8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlO9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dllO9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO17 - HKLM\System\CCS\Services\Tcpip\..\{B6588A00-61B0-4EDE-9670-D183D7CC566C}: NameServer = 208.67.220.220,67.138.54.100O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dllO23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exeO23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exeO23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exeO23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exeO23 - Service: Admin Works Agent X8 (AWService) - OSA Technologies Inc., An Avocent Company - C:\Program Files\Intel\IDU\awServ.exeO23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXEO23 - Service: fastnetsrv Service (fastnetsrv) - Sigma Designs In - C:\WINDOWS\system32\FastNetSrv.exeO23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exeO23 - Service: WRQ IAM (iamServ) - WRQ, Inc. - C:\Program Files\Atguard\iamserv.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeO23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe--End of file - 6587 bytes Link to post Share on other sites More sharing options...
Staff screen317 Posted October 4, 2009 Staff ID:137551 Share Posted October 4, 2009 Hi and welcome to Malwarebytes.Please visit this webpage for instructions for running ComboFix: http://www.bleepingcomputer.com/combofix/how-to-use-combofixWhen the tool is finished, it will produce a report for you.Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.-screen317 Link to post Share on other sites More sharing options...
secureme Posted October 4, 2009 Author ID:137577 Share Posted October 4, 2009 Combofix has an error that says: !!ALERT!! It is NOT SAFE to continue! The contents of the ComboFix package has been compromised. Please download a fresh copy from ..."Here is a new HJT log:Logfile of Trend Micro HijackThis v2.0.2Scan saved at 11:59:58 PM, on 10/3/2009Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\Ati2evxx.exeC:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exeC:\Program Files\Atguard\iamserv.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\explorer.exeC:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exeC:\PROGRA~1\Atguard\iamapp.exeC:\PROGRA~1\Mozilla Firefox\firefox.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeO2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dllO2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dllO2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dllO3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dllO4 - HKLM\..\Run: [iAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"O4 - HKLM\..\Run: [intelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" BOOTO4 - HKLM\..\Run: [iamapp] C:\PROGRA~1\Atguard\iamapp.exeO4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exeO4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exeO4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exeO4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /sO4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscriptO4 - HKCU\..\Run: [EPSON Stylus Photo RX595 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICLA.EXE /FU "C:\WINDOWS\TEMP\E_SAA.tmp" /EF "HKCU"O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exeO4 - Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXEO4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exeO6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions presentO8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlO8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlO8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.htmlO8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.htmlO8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlO8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlO8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlO8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlO9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dllO9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO17 - HKLM\System\CCS\Services\Tcpip\..\{B6588A00-61B0-4EDE-9670-D183D7CC566C}: NameServer = 208.67.220.220,67.138.54.100O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dllO23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exeO23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exeO23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exeO23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exeO23 - Service: Admin Works Agent X8 (AWService) - OSA Technologies Inc., An Avocent Company - C:\Program Files\Intel\IDU\awServ.exeO23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXEO23 - Service: fastnetsrv Service (fastnetsrv) - Sigma Designs In - C:\WINDOWS\system32\FastNetSrv.exeO23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exeO23 - Service: WRQ IAM (iamServ) - WRQ, Inc. - C:\Program Files\Atguard\iamserv.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeO23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exeO23 - Service: Net Login (NetLogin) - Unknown owner - C:\WINDOWS\svchost.exeO23 - Service: Net_Login - Unknown owner - C:\WINDOWS\svchust.exe--End of file - 6743 bytesHi and welcome to Malwarebytes.Please visit this webpage for instructions for running ComboFix: http://www.bleepingcomputer.com/combofix/how-to-use-combofixWhen the tool is finished, it will produce a report for you.Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.-screen317 Link to post Share on other sites More sharing options...
Staff screen317 Posted October 4, 2009 Staff ID:137584 Share Posted October 4, 2009 Download a fresh copy and try again.Rename it to secureme.exe before downloading it though. Save it to your Desktop. Then run it as follows:Navigate to Start --> Run, and enter this command:"%userprofile%\desktop\secureme.exe" /killallSee if it runs now.-screen317 Link to post Share on other sites More sharing options...
secureme Posted October 4, 2009 Author ID:137636 Share Posted October 4, 2009 Still no luck. I tried running Malwarebytes to remove most of the problems (I did not reboot) first, but that did not help either. Here is the log file from Malwarebytes:Malwarebytes' Anti-Malware 1.41Database version: 2889Windows 5.1.2600 Service Pack 310/4/2009 12:31:09 AMmbam-log-2009-10-04 (00-31-09).txtScan type: Quick ScanObjects scanned: 96491Time elapsed: 3 minute(s), 5 second(s)Memory Processes Infected: 0Memory Modules Infected: 2Registry Keys Infected: 9Registry Values Infected: 6Registry Data Items Infected: 0Folders Infected: 0Files Infected: 12Memory Processes Infected:(No malicious items detected)Memory Modules Infected:c:\WINDOWS\system32\BtwSrv.dll (Trojan.Agent) -> Delete on reboot.c:\WINDOWS\system32\6to4v32.dll (Trojan.Agent) -> Delete on reboot.Registry Keys Infected:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\btwsrv (Trojan.Agent) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\btwsrv (Trojan.Agent) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_BTWSRV (Trojan.Agent) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Net_Login (Trojan.Agent) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\net_login (Trojan.Downloader) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\6to4 (Trojan.Agent) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4 (Trojan.Agent) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\netlogin (Trojan.Agent) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netlogin (Trojan.Agent) -> Quarantined and deleted successfully.Registry Values Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\FirstInstallFlag (Malware.Trace) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\guid (Malware.Trace) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\i (Malware.Trace) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Ulrn (Malware.Trace) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Update (Malware.Trace) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\UpdateNew (Malware.Trace) -> Quarantined and deleted successfully.Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:c:\WINDOWS\system32\BtwSrv.dll (Trojan.Agent) -> Delete on reboot.C:\WINDOWS\Temp\VRT1.tmp (Malware.Tool) -> Quarantined and deleted successfully.C:\WINDOWS\Temp\wkiqornsea.tmp (Rootkit.TDSS) -> Delete on reboot.C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\L9KS7IZZ\w[1].bin (Backdoor.Bot) -> Delete on reboot.C:\WINDOWS\sv3.exe (Trojan.Downloader) -> Quarantined and deleted successfully.C:\WINDOWS\system32\lsm32.sys (Backdoor.Bot) -> Quarantined and deleted successfully.C:\WINDOWS\isvchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.C:\WINDOWS\svchust.exe (Trojan.Downloader) -> Quarantined and deleted successfully.C:\WINDOWS\system32\4.tmp (Trojan.Agent) -> Quarantined and deleted successfully.C:\WINDOWS\system32\6to4v32.dll (Trojan.Agent) -> Delete on reboot.C:\WINDOWS\system32\FInstall.sys (Backdoor.Bot) -> Quarantined and deleted successfully.C:\WINDOWS\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.Download a fresh copy and try again.Rename it to secureme.exe before downloading it though. Save it to your Desktop. Then run it as follows:Navigate to Start --> Run, and enter this command:"%userprofile%\desktop\secureme.exe" /killallSee if it runs now.-screen317 Link to post Share on other sites More sharing options...
Staff screen317 Posted October 4, 2009 Staff ID:137646 Share Posted October 4, 2009 Hi,Keep this computer disconnected from the Internet. Download all required tools from a known, clean computer, and transfer them over via removable media (flash drive, CD, etc.)...It is really dangerous to go online without an antivirus. Without one, you are extremely likely to get infected and the consequences could be even worse next time. All of the following are excellent free antiviruses. Be sure to only install one.avast!AntiVirAVGRun a scan with whichever you choose.Next, download DDS by sUBs and save it to your Desktop.Double-click on the DDS icon and let the scan run. When it has run two logs will be produced, please post the one that is not minimized.-screen317 Link to post Share on other sites More sharing options...
secureme Posted October 4, 2009 Author ID:137695 Share Posted October 4, 2009 AVG found nothing. I am rebooting and will run again. Here is the DDS log:DDS (Ver_09-09-29.01) - NTFSx86 Run by robert at 1:53:37.14 on Sun 10/04/2009Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_07Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2030.1472 [GMT -5:00]AV: AVG 7.5.503 *On-access scanning enabled* (Updated) {41564737-3200-1071-989B-0000E87B4FB1}============== Running Processes ===============C:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\svchost -k DcomLaunchsvchost.exeC:\WINDOWS\System32\svchost.exe -k netsvcssvchost.exeC:\WINDOWS\system32\Ati2evxx.exesvchost.exeC:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exeC:\WINDOWS\system32\svchost.exe -k imgsvcsvchost.exe C:\WINDOWS\TEMP\VRT2.tmpC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\system32\svchost.exe -k netsvcsC:\WINDOWS\explorer.exeC:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exeC:\Program Files\Atguard\iamapp.exeC:\Program Files\Atguard\iamserv.exeC:\PROGRA~1\Grisoft\AVG7\avgamsvr.exeC:\PROGRA~1\Grisoft\AVG7\avgemc.exeC:\PROGRA~1\Grisoft\AVG7\avgupsvc.exeC:\Program Files\Grisoft\AVG7\avgwb.datM:\dds.pif============== Pseudo HJT Report ===============uStart Page = hxxp://www.google.com/uSearch Page = hxxp://www.google.comuSearch Bar = hxxp://www.google.com/ieuSearchURL,(Default) = hxxp://www.google.com/keyword/%sBHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dllBHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dllBHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dllBHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dllTB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dllEB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dlluRun: [EPSON Stylus Photo RX595 Series] c:\windows\system32\spool\drivers\w32x86\3\e_faticla.exe /fu "c:\windows\temp\E_SAA.tmp" /EF "HKCU"uRun: [AnyDVD] c:\program files\slysoft\anydvd\AnyDVDtray.exemRun: [iAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"mRun: [intelAudioStudio] "c:\program files\intel audio studio\IntelAudioStudio.exe" BOOTmRun: [iamapp] c:\progra~1\atguard\iamapp.exemRun: [igfxTray] c:\windows\system32\igfxtray.exemRun: [HotKeysCmds] c:\windows\system32\hkcmd.exemRun: [Persistence] c:\windows\system32\igfxpers.exemRun: [VirtualCloneDrive] "c:\program files\elaborate bytes\virtualclonedrive\VCDDaemon.exe" /smRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscriptmRun: [AVG7_CC] c:\progra~1\grisoft\avg7\avgcc.exe /STARTUPdRun: [AVG7_Run] c:\progra~1\grisoft\avg7\avgw.exe /RUNONCEStartupFolder: c:\docume~1\robert\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\MSOFFICE.EXEStartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exeuPolicies-explorer: MaxRecentDocs = 11 (0xb)IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.htmlIE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlIE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.htmlIE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.htmlIE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.htmlIE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlIE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.htmlIE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlIE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exeIE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exeIE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dllIE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dllDPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cabDPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cabDPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cabTCP: {B6588A00-61B0-4EDE-9670-D183D7CC566C} = 208.67.220.220,67.138.54.100Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dllNotify: AtiExtEvent - Ati2evxx.dllNotify: igfxcui - igfxdev.dllSEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL================= FIREFOX ===================FF - ProfilePath - c:\docume~1\robert\applic~1\mozilla\firefox\profiles\dbzqu5ja.default\FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}============= SERVICES / DRIVERS ===============R1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2009-10-4 821856]R1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2009-10-4 4224]R1 Avg7RsXP;AVG7 Resident Driver XP;c:\windows\system32\drivers\avg7rsxp.sys [2009-10-4 27776]R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2009-10-4 3968]R1 Iamdrv;Iamdrv;c:\program files\atguard\iamdrv.sys [2007-12-2 102976]R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2006-10-10 5632]R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2007-2-27 32256]R2 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avg7\avgamsvr.exe [2009-10-4 439296]R2 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avg7\avgupsvc.exe [2009-10-4 70144]R2 AVGEMS;AVG E-mail Scanner;c:\progra~1\grisoft\avg7\avgemc.exe [2009-10-4 427008]R2 AvgTdi;AVG Network Redirector;c:\windows\system32\drivers\avgtdi.sys [2009-10-4 4960]R2 iamServ;WRQ IAM;c:\program files\atguard\iamserv.exe [2007-12-2 84480]R2 osaio;osaio;c:\windows\system32\drivers\osaio.sys [2007-12-1 6784]R3 DNSFILT;DNSFILT;c:\program files\atguard\dnsfilt.sys [2007-12-2 4960]R3 FWFILT;FWFILT;c:\program files\atguard\fwfilt.sys [2007-12-2 45632]R3 HTTPFILT;HTTPFILT;c:\program files\atguard\httpfilt.sys [2007-12-2 54848]R3 NDISFILT;NDISFILT;c:\program files\atguard\ndisfilt.sys [2007-12-2 20864]RUnknown BtwSrv;BtwSrv; [x]S2 AWService;Admin Works Agent X8;c:\program files\intel\idu\awServ.exe [2006-12-27 74520]S2 fastnetsrv;fastnetsrv Service;c:\windows\system32\FastNetSrv.exe [2001-8-23 115200]S3 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2007-10-29 587096]S3 isasdk;isasdk;c:\windows\system32\isasdk.sys [2004-8-4 2304]S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2006-2-16 4096]S4 Nasaltr;Nasaltr; [x]SUnknown Net_Login;Net_Login; [x]SUnknown NetLogin;NetLogin; [x]=============== Created Last 30 ================2009-10-04 01:08 <DIR> --d----- c:\docume~1\robert\applic~1\AVG72009-10-04 01:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Grisoft2009-10-04 00:57 <DIR> --d----- c:\docume~1\robert\applic~1\AVG82009-10-03 19:36 116,224 a------- c:\windows\sv2.exe2009-10-03 19:35 361,344 ac------ c:\windows\system32\dllcache\TCPIP.SYS2009-10-03 19:35 361,344 a------- c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL2009-10-03 18:28 <DIR> --d----- c:\program files\Trend Micro2009-10-03 17:33 <DIR> --d-h--- c:\windows\system32\GroupPolicy2009-10-03 17:27 <DIR> --d----- c:\windows\pss2009-10-03 15:55 138 a------- c:\windows\wininit.ini2009-10-02 15:02 <DIR> --d----- c:\docume~1\robert\applic~1\eFax Messenger2009-10-02 15:02 0 a------- c:\windows\system32\eFax_4_4_Port2009-10-02 15:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\eFax Messenger 4.4 Output2009-10-02 15:00 <DIR> --d----- c:\program files\eFax Messenger 4.42009-09-30 17:28 <DIR> --d----- C:\ProgramData2009-09-30 17:28 7,204 a------- c:\windows\system32\ealregsnapshot1.reg2009-09-30 16:54 1,491,992 a------- c:\windows\system32\D3DCompiler_38.dll2009-09-30 16:54 467,984 a------- c:\windows\system32\d3dx10_38.dll2009-09-30 16:54 3,850,760 a------- c:\windows\system32\D3DX9_38.dll2009-09-30 16:54 444,776 a------- c:\windows\system32\d3dx10_35.dll2009-09-30 16:54 1,358,192 a------- c:\windows\system32\D3DCompiler_35.dll2009-09-30 16:54 3,727,720 a------- c:\windows\system32\d3dx9_35.dll2009-09-30 16:54 <DIR> --d----- c:\windows\Logs==================== Find3M ====================2009-10-03 19:35 361,344 a------- c:\windows\system32\drivers\TCPIP.SYS2009-10-02 15:17 2,516 a--sh--- c:\windows\system32\KGyGaAvL.sys2009-09-10 14:54 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys2009-09-10 14:53 19,160 a------- c:\windows\system32\drivers\mbam.sys2009-08-06 15:46 106,767 a------- c:\windows\system32\WinUpdateMan.exe2009-08-06 12:48 36,864 a------- c:\windows\system32\Msdirectx.exe2009-07-21 11:16 120 a------- C:\drmHeader.bin2009-06-03 11:05 8 ---shr-- c:\windows\system32\6FFB8622F8.sys============= FINISH: 1:55:04.03 ===============Hi,Keep this computer disconnected from the Internet. Download all required tools from a known, clean computer, and transfer them over via removable media (flash drive, CD, etc.)...It is really dangerous to go online without an antivirus. Without one, you are extremely likely to get infected and the consequences could be even worse next time. All of the following are excellent free antiviruses. Be sure to only install one.avast!AntiVirAVGRun a scan with whichever you choose.Next, download DDS by sUBs and save it to your Desktop.Double-click on the DDS icon and let the scan run. When it has run two logs will be produced, please post the one that is not minimized.-screen317 Link to post Share on other sites More sharing options...
Staff screen317 Posted October 4, 2009 Staff ID:137703 Share Posted October 4, 2009 I don't know where you found that copy of AVG, but it's an old version. The link I gave points to AVG 8.5, not 7.5...http://free.avg.com/download?prd=afeUninstall your version, get 8.5, then run a scan. Try running ComboFix after that.-screen317 Link to post Share on other sites More sharing options...
secureme Posted October 5, 2009 Author ID:138104 Share Posted October 5, 2009 I used the older AVG because I already had it on a CD, and I could only find the download manager version of the new one. It was updated to the latest defintions. I looked again and did find the new version. First scan resulted in 4000+ files infected. It removed ~1/2 and rebooted. I could no longer load the taskbar, had to use the task manager to run programs. I did a repair install of the OS, but it did not help. I ran the scan again and it found around 2000 and removed all but 150. I tried Combofix but it would not run. It said it was unable to find NircmdB.exe. I then ran Dr. Web scanner and it fixed a few items, and deleted taskmgr.exe (it could not fix). Now I cannot run the task manager.I booted to the Windows CD and taskmgr.exe is in the system32 folder, so I am not sure what is going on. Has the system32 system folder been changed to another location? I still cannot boot to safe mode, and if I boot normally, I cannot figure out a way to run anything. Ideas?I don't know where you found that copy of AVG, but it's an old version. The link I gave points to AVG 8.5, not 7.5...http://free.avg.com/download?prd=afeUninstall your version, get 8.5, then run a scan. Try running ComboFix after that.-screen317 Link to post Share on other sites More sharing options...
secureme Posted October 5, 2009 Author ID:138106 Share Posted October 5, 2009 I forgot to mention that the virus is Win32.Virut. Link to post Share on other sites More sharing options...
Staff screen317 Posted October 6, 2009 Staff ID:138667 Share Posted October 6, 2009 Hi,I'm afraid I have some very bad news...The infection that you have, Virus.Win32.Virut, is what we call a file-infector.These are particularly malicious, in that they infect all of your legitimate programs.The problem is... the virus is very buggy, so it does not do a good job of infecting your files, so any attempt to disinfect and possibly save your files would be futile, in that, due to the buggy virus, we cannot properly disinfect your files.What I highly recommend now is a reformat and a reinstallation of Windows XP.Please let me know if you are prepared to do so.You may backup and save all files except programs (meaning pictures and documents are okay), because if you backup any applications, they will transfer to your clean system, and you will be reinfected.-screen317 Link to post Share on other sites More sharing options...
secureme Posted October 6, 2009 Author ID:138770 Share Posted October 6, 2009 I'm not sure I'm ready to give up just yet. But either way, at this point I am at a loss as to how to access the system to further attack this or backup files. I cannot boot in safe mode, and when I boot normally, I get only the desktop background. There are no icons, no taskbar, no task manager, right clicking does nothing, Windows key-R will not bring up the run command. I think explorer.exe is not loading or missing (perhaps deleted by AVG). Hi,I'm afraid I have some very bad news...The infection that you have, Virus.Win32.Virut, is what we call a file-infector.These are particularly malicious, in that they infect all of your legitimate programs.The problem is... the virus is very buggy, so it does not do a good job of infecting your files, so any attempt to disinfect and possibly save your files would be futile, in that, due to the buggy virus, we cannot properly disinfect your files.What I highly recommend now is a reformat and a reinstallation of Windows XP.Please let me know if you are prepared to do so.You may backup and save all files except programs (meaning pictures and documents are okay), because if you backup any applications, they will transfer to your clean system, and you will be reinfected.-screen317 Link to post Share on other sites More sharing options...
Staff screen317 Posted October 6, 2009 Staff ID:138918 Share Posted October 6, 2009 I'm not sure I'm ready to give up just yet. But either way, at this point I am at a loss as to how to access the system to further attack this or backup files. I cannot boot in safe mode, and when I boot normally, I get only the desktop background. There are no icons, no taskbar, no task manager, right clicking does nothing, Windows key-R will not bring up the run command. I think explorer.exe is not loading or missingPlease do not take this the wrong way, but I believe you do not fully understand the implications of this virus. Allow me to elaborate..explorer.exe is not missing; it is infected. The virus does a poor job of infecting it though, rendering it inoperable.It infects all .exe (in addition to other file types) files, rendering your system useless at this point, since every time you try to launch a program, the virus is loaded again, causing more havoc and destruction.Please believe me when I say my professional opinion is to format your system, especially since my background taught me to only format as a final last resort.This virus cannot be attacked because of the way it misinfects files. The damage already done has already been witnessed by you.I cannot boot in safe mode, and when I boot normally, I get only the desktop background.Not only that, but usually accompanying the infection are payloads which attempt to steal data; the longer you continue to attempt to use the computer in this state, the more damage will be done. Link to post Share on other sites More sharing options...
Staff screen317 Posted October 25, 2009 Staff ID:148288 Share Posted October 25, 2009 Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread. Thanks! Link to post Share on other sites More sharing options...
Recommended Posts