
Trojan.BHO reformatted twice, I am dying inside.....



Hi all, I just can't kill it and it's driving me crazy. I did a clean wipe TWICE but every time it just keeps coming back. Is it hiding in the recovery partition? Am I just retarded? Here are the logs... please help, thanks all.

Malwarebytes' Anti-Malware 1.41

Database version: 3140

Windows 5.1.2600 Service Pack 3

11/10/2009 9:11:21 AM

mbam-log-2009-11-10 (09-11-21).txt

Scan type: Quick Scan

Objects scanned: 91433

Time elapsed: 5 minute(s), 56 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6096e38f-5ac1-4391-8ec4-75dfa92fb32f} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{6096e38f-5ac1-4391-8ec4-75dfa92fb32f} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

TMJT

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:25:12 AM, on 11/10/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0013)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Lenovo\OneKey App\System Repair\UpdateMonitor.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Lenovo\Energy Management\utility.exe

C:\Program Files\Lenovo\Energy Management\Energy Management.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Documents and Settings\Gary\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

C:\Documents and Settings\Gary\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Gary\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Gary\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Gary\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Gary\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Documents and Settings\Gary\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\WINDOWS\system32\NOTEPAD.EXE

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lenovo.live.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://lenovo.live.com/

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\Audio\InstallShield\AzMixerSel.exe

O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice

O4 - HKLM\..\RunOnce: [isDeleteMe] "C:\WINDOWS\system32\cmd.exe" /c "C:\DOCUME~1\Gary\LOCALS~1\Temp\isDel.bat"

O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Gary\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.lenovo.com

O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe

O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

O23 - Service: System Repair Windows Update Monitor (System_Repair_UpdateMonitor) - Lenovo Group Limited - C:\Program Files\Lenovo\OneKey App\System Repair\UpdateMonitor.exe

--

End of file - 4258 bytes


Hi and Welcome to the Malwarebytes' forum.

Please download ATF Cleaner by Atribune

  • Close Internet Explorer and any other open browsers
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

If you use Firefox browser

  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Reboot

Next, download this Antirootkit Program to a folder that you create such as C:\ARK, by choosing the "Download EXE" button on the webpage.

Disable the active protection component of your antivirus by following the directions that apply here:

http://www.bleepingcomputer.com/forums/topic114351.html

Next, please perform a rootkit scan:

  • Double-click the randomly named EXE located in the C:\ARK folder that you just downloaded to run the program.
  • When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.
  • When this "quick" scan is finished (a few seconds), copy the quick scan report to the windows clipboard, save it as ARKQ.txt and paste it in a reply back here
  • Only if the ARK program alerts you to rootkit activity and invites you to complete a complete scan - click the Rootkit/Malware tab,and then select the Scan button.
  • Leave your system completely idle while this longer scan is in progress.
  • When the scan is done, save the scan log to the Windows clipboard
  • Open Notepad or a similar text editor
  • Paste the clipboard contents into a text file by clicking Edit | Paste or Ctl V
  • Exit the Program
  • Save the Scan log as ARK.txt and post it in your next reply. If the log is very long attach it please.

Please download Combofix from one of these locations:

HERE or HERE

I want you to rename Combofix.exe as you download it to a name of your choice such as getout.exe

Notes:

  • It is very important that you save the newly renamed EXE file to your desktop.
  • You must rename Combofix.exe as you download it and not after it is on your computer.
    You may have to modify your browser settings if you use Firefox, so you can rename Combofix.exe as you download it. To do that:
    • Open Firefox
    • Click Tools -> Options -> Main
    • Under the downloads section check the button that says "Always ask me where to save files".
    • Click OK

    • For Internet Explorer:

    • Choose to save, not open the file
    • When prompted - save the file to your desktop, and rename it anything with an .exe extension on the end.

Here is a tutorial that describes how to download, install and run Combofix more thoroughly. Please review it and follow the prompts to install Recovery Console - if you have not done that already:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Very Important! Temporarily disable your antivirus and antimalware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix and even remove onboard components so it is rendered ineffective:

http://www.bleepingcomputer.com/forums/topic114351.html

Note: The above tutorial does not tell you to rename Combofix as I have instructed you to do in the above instructions, so make sure you complete the renaming step before launching Combofix.

Running Combofix

In the event you already have Combofix, please delete it as this is a new version.

  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

1. Double click on the renamed combofix (getout.exe) & follow the prompts.

2. When finished, it will produce a logfile located at C:\ComboFix.txt

3. Post the contents of that log in your next reply with a new hijackthis log.

Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang. Do not proceed with the rest of the fix if you fail to run combofix.

Please post:

1. ARKQ.txt

2. Ark.txt (if full scan was indicated by rootkit activity alert)

3. C:\ComboFix.txt in your next reply.


ComboFix 09-11-09.02 - Gary 11/10/2009 21:15.1.2 - FAT32x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1508 [GMT 8:00]

Running from: c:\documents and settings\Gary\My Documents\Downloads\saucepan.exe

AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\docume~1\Gary\LOCALS~1\Temp\install_flash_player.exe

.

((((((((((((((((((((((((( Files Created from 2009-10-10 to 2009-11-10 )))))))))))))))))))))))))))))))

.

2009-11-10 01:46 . 2009-11-10 01:46 -------- d-----w- c:\documents and settings\Gary\Application Data\Talkback

2009-11-10 01:46 . 2009-11-10 01:46 0 ----a-w- c:\windows\nsreg.dat

2009-11-10 01:46 . 2009-11-10 01:46 -------- d-----w- c:\documents and settings\Gary\Application Data\Thunderbird

2009-11-10 01:46 . 2009-11-10 01:46 -------- d-----w- c:\documents and settings\Gary\Local Settings\Application Data\Thunderbird

2009-11-10 01:45 . 2009-11-10 01:45 -------- d-----w- c:\program files\Mozilla Thunderbird

2009-11-10 01:32 . 2008-04-25 11:41 218624 ----a-w- c:\windows\system32\dllcache\uxtheme.dll

2009-11-10 01:30 . 2009-11-10 01:30 -------- d-----w- c:\program files\7-Zip

2009-11-10 01:16 . 2009-11-10 01:16 -------- d-----w- c:\program files\Trend Micro

2009-11-10 01:03 . 2009-11-10 01:03 -------- d-----w- c:\program files\CCleaner

2009-11-10 00:57 . 2009-11-10 00:57 -------- d-----w- c:\documents and settings\Gary\Application Data\Malwarebytes

2009-11-10 00:57 . 2009-09-10 06:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-11-10 00:57 . 2009-11-10 00:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-11-10 00:57 . 2009-09-10 06:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-11-10 00:57 . 2009-11-10 00:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-11-10 00:51 . 2009-11-10 00:51 -------- d-----w- c:\program files\ESET

2009-11-10 00:51 . 2009-11-10 00:51 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET

2009-11-10 00:31 . 2009-11-10 00:31 -------- d-----w- c:\documents and settings\Gary\Local Settings\Application Data\Temp

2009-11-10 00:30 . 2009-11-10 00:30 -------- d-----w- c:\documents and settings\Gary\Local Settings\Application Data\Google

2009-11-10 00:30 . 2009-11-10 00:30 15912 ----a-w- c:\documents and settings\Gary\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-11-10 00:29 . 2009-11-10 00:30 -------- d-----w- c:\documents and settings\Gary\Local Settings\Application Data\Deployment

2009-11-10 00:28 . 2009-11-10 00:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Windows Live Toolbar

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-29 05:05 . 2009-09-29 05:05 96408 ----a-w- c:\windows\system32\drivers\epfwtdir.sys

2009-09-29 05:02 . 2009-09-29 05:02 108792 ----a-w- c:\windows\system32\drivers\ehdrv.sys

2009-09-29 04:56 . 2009-09-29 04:56 116008 ----a-w- c:\windows\system32\drivers\eamon.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Google Update"="c:\documents and settings\Gary\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-11-10 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AzMixerSel"="c:\program files\Realtek\Audio\InstallShield\AzMixerSel.exe" [2006-07-17 53248]

"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-09-29 2054360]

"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-07-29 16805888]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [9/29/2009 1:02 PM 108792]

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [9/29/2009 1:05 PM 96408]

R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [9/29/2009 1:03 PM 735960]

R2 System_Repair_UpdateMonitor;System Repair Windows Update Monitor;c:\program files\Lenovo\OneKey App\System Repair\UpdateMonitor.exe [9/24/2008 3:32 PM 430080]

R2 tvtumon;tvtumon;c:\windows\system32\drivers\tvtumon.sys [9/24/2008 3:32 PM 47680]

R3 ACPIVPC;Lenovo Virtual Power Controller Driver;c:\windows\system32\drivers\AcpiVpc.sys [9/24/2008 3:59 PM 9472]

R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [9/24/2008 3:07 PM 157696]

S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]

S3 WSVD;WSVD;c:\windows\system32\drivers\WSVD.sys [9/24/2008 3:32 PM 81192]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR

*NewlyCreated* - PROCEXP113

*Deregistered* - mbr

*Deregistered* - PROCEXP113

.

Contents of the 'Scheduled Tasks' folder

2009-11-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3938808188-353137363-1134245293-1005Core.job

- c:\documents and settings\Gary\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-10 00:30]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://lenovo.live.com/

uInternet Connection Wizard,ShellNext = hxxp://lenovo.live.com/

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-11-10 21:21

Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2009-11-10 21:22

ComboFix-quarantined-files.txt 2009-11-10 13:22

Pre-Run: 22,067,527,680 bytes free

Post-Run: 22,052,962,304 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - DAAF5CD6BFD09BA1F814BF9BB2FAC964

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:24:18 PM, on 11/10/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0013)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Lenovo\OneKey App\System Repair\UpdateMonitor.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

C:\Documents and Settings\Gary\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\explorer.exe

C:\Documents and Settings\Gary\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Gary\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Gary\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lenovo.live.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://lenovo.live.com/

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\Audio\InstallShield\AzMixerSel.exe

O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice

O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Gary\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.lenovo.com

O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe

O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

O23 - Service: System Repair Windows Update Monitor (System_Repair_UpdateMonitor) - Lenovo Group Limited - C:\Program Files\Lenovo\OneKey App\System Repair\UpdateMonitor.exe

--

End of file - 3160 bytes


GMER 1.0.15.15163 - http://www.gmer.net

Rootkit quick scan 2009-11-10 21:41:47

Windows 5.1.2600 Service Pack 3

Running: z1hzrt2f.exe; Driver: C:\DOCUME~1\Gary\LOCALS~1\Temp\kgecyfow.sys

---- System - GMER 1.0.15 ----

Code \??\C:\DOCUME~1\Gary\LOCALS~1\Temp\catchme.sys pIofCallDriver

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)

AttachedDevice \FileSystem\Ntfs \Ntfs tvtumon.sys (Windows Update Monitor Driver/Lenovo)

AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)

AttachedDevice \FileSystem\Fastfat \Fat tvtumon.sys (Windows Update Monitor Driver/Lenovo)

AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys (ESET Antivirus Network Redirector/ESET)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

---- Threads - GMER 1.0.15 ----

Thread System [4:376] 895D5930

---- EOF - GMER 1.0.15 ----


GMER 1.0.15.15163 - http://www.gmer.net

Rootkit quick scan 2009-11-10 21:42:47

Windows 5.1.2600 Service Pack 3

Running: z1hzrt2f.exe; Driver: C:\DOCUME~1\Gary\LOCALS~1\Temp\kgecyfow.sys

---- System - GMER 1.0.15 ----

Code \??\C:\DOCUME~1\Gary\LOCALS~1\Temp\catchme.sys pIofCallDriver

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)

AttachedDevice \FileSystem\Ntfs \Ntfs tvtumon.sys (Windows Update Monitor Driver/Lenovo)

AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)

AttachedDevice \FileSystem\Fastfat \Fat tvtumon.sys (Windows Update Monitor Driver/Lenovo)

AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys (ESET Antivirus Network Redirector/ESET)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

---- Threads - GMER 1.0.15 ----

Thread System [4:376] 895D5930

---- EOF - GMER 1.0.15 ----


GMER 1.0.15.15163 - http://www.gmer.net

Rootkit scan 2009-11-10 21:46:48

Windows 5.1.2600 Service Pack 3

Running: z1hzrt2f.exe; Driver: C:\DOCUME~1\Gary\LOCALS~1\Temp\kgecyfow.sys

---- System - GMER 1.0.15 ----

SSDT 895D78A0 ZwAssignProcessToJobObject

SSDT 895D6CB0 ZwOpenProcess

SSDT 895D70D0 ZwOpenThread

SSDT 895D76D0 ZwSuspendProcess

SSDT 895D74F0 ZwSuspendThread

SSDT 895D6EE0 ZwTerminateProcess

SSDT 895D7310 ZwTerminateThread

Code \??\C:\DOCUME~1\Gary\LOCALS~1\Temp\catchme.sys pIofCallDriver

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2C10 8050449C 2 Bytes [A0, 78]

.text ntkrnlpa.exe!ZwCallbackReturn + 2FB8 80504844 2 Bytes [D0, 76]

.text ntkrnlpa.exe!ZwCallbackReturn + 2FC8 80504854 2 Bytes [E0, 6E] {LOOPNZ 0x70}

? C:\DOCUME~1\Gary\LOCALS~1\Temp\catchme.sys The system cannot find the file specified. !

? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1536] kernel32.dll!SetUnhandledExceptionFilter 7C8449FD 4 Bytes [C2, 04, 00, 00]

.text C:\Documents and Settings\Gary\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2724] ntdll.dll!NtCreateFile + 6 7C90D096 4 Bytes [28, 00, 15, 00]

.text C:\Documents and Settings\Gary\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2724] ntdll.dll!NtCreateFile + B 7C90D09B 1 Byte [E2]

.text C:\Documents and Settings\Gary\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2724] ntdll.dll!NtOpenFile + 6 7C90D586 4 Bytes [68, 00, 15, 00]

.text C:\Documents and Settings\Gary\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2724] ntdll.dll!NtOpenFile + B 7C90D58B 1 Byte [E2]

.text C:\Documents and Settings\Gary\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2724] ntdll.dll!NtOpenProcess + 6 7C90D5E6 4 Bytes [A8, 01, 15, 00]

.text C:\Documents and Settings\Gary\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2724] ntdll.dll!NtOpenProcess + B 7C90D5EB 1 Byte [E2]

.text C:\Documents and Settings\Gary\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2724] ntdll.dll!NtOpenProcessToken + 6 7C90D5F6 4 Bytes CALL 7B90EAFC

.text C:\Documents and Settings\Gary\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2724] ntdll.dll!NtOpenProcessToken + B 7C90D5FB 1 Byte [E2]

.text C:\Documents and Settings\Gary\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2724] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D606 4 Bytes [A8, 02, 15, 00]

.text C:\Documents and Settings\Gary\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2724] ntdll.dll!NtOpenProcessTokenEx + B 7C90D60B 1 Byte [E2]

.text C:\Documents and Settings\Gary\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2724] ntdll.dll!NtOpenThread + 6 7C90D646 4 Bytes [68, 01, 15, 00]

.text C:\Documents and Settings\Gary\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2724] ntdll.dll!NtOpenThread + B 7C90D64B 1 Byte [E2]

.text C:\Documents and Settings\Gary\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2724] ntdll.dll!NtOpenThreadToken + 6 7C90D656 4 Bytes [68, 02, 15, 00]

.text C:\Documents and Settings\Gary\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2724] ntdll.dll!NtOpenThreadToken + B 7C90D65B 1 Byte [E2]

.text C:\Documents and Settings\Gary\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2724] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D666 4 Bytes CALL 7B90EB6D

.text C:\Documents and Settings\Gary\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2724] ntdll.dll!NtOpenThreadTokenEx + B 7C90D66B 1 Byte [E2]

.text C:\Documents and Settings\Gary\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2724] ntdll.dll!NtQueryAttributesFile + 6 7C90D6F6 4 Bytes [A8, 00, 15, 00]

.text C:\Documents and Settings\Gary\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2724] ntdll.dll!NtQueryAttributesFile + B 7C90D6FB 1 Byte [E2]

.text C:\Documents and Settings\Gary\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2724] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D796 4 Bytes CALL 7B90EC9B

.text C:\Documents and Settings\Gary\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2724] ntdll.dll!NtQueryFullAttributesFile + B 7C90D79B 1 Byte [E2]

.text C:\Documents and Settings\Gary\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2724] ntdll.dll!NtSetInformationFile + 6 7C90DC46 4 Bytes [28, 01, 15, 00]

.text C:\Documents and Settings\Gary\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2724] ntdll.dll!NtSetInformationFile + B 7C90DC4B 1 Byte [E2]

.text C:\Documents and Settings\Gary\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2724] ntdll.dll!NtSetInformationThread + 6 7C90DC96 4 Bytes [28, 02, 15, 00]

.text C:\Documents and Settings\Gary\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2724] ntdll.dll!NtSetInformationThread + B 7C90DC9B 1 Byte [E2]

.text C:\Documents and Settings\Gary\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3648] ntdll.dll!NtCreateFile + 6 7C90D096 4 Bytes [28, 00, 15, 00]

.text C:\Documents and Settings\Gary\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3648] ntdll.dll!NtCreateFile + B 7C90D09B 1 Byte [E2]

.text C:\Documents and Settings\Gary\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3648] ntdll.dll!NtOpenFile + 6 7C90D586 4 Bytes [68, 00, 15, 00]

.text C:\Documents and Settings\Gary\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3648] ntdll.dll!NtOpenFile + B 7C90D58B 1 Byte [E2]

.text C:\Documents and Settings\Gary\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3648] ntdll.dll!NtOpenProcess + 6 7C90D5E6 4 Bytes [A8, 01, 15, 00]

.text C:\Documents and Settings\Gary\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3648] ntdll.dll!NtOpenProcess + B 7C90D5EB 1 Byte [E2]

.text C:\Documents and Settings\Gary\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3648] ntdll.dll!NtOpenProcessToken + 6 7C90D5F6 4 Bytes CALL 7B90EAFC

.text C:\Documents and Settings\Gary\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3648] ntdll.dll!NtOpenProcessToken + B 7C90D5FB 1 Byte [E2]

.text C:\Documents and Settings\Gary\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3648] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D606 4 Bytes [A8, 02, 15, 00]

.text C:\Documents and Settings\Gary\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3648] ntdll.dll!NtOpenProcessTokenEx + B 7C90D60B 1 Byte [E2]

.text C:\Documents and Settings\Gary\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3648] ntdll.dll!NtOpenThread + 6 7C90D646 4 Bytes [68, 01, 15, 00]

.text C:\Documents and Settings\Gary\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3648] ntdll.dll!NtOpenThread + B 7C90D64B 1 Byte [E2]

.text C:\Documents and Settings\Gary\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3648] ntdll.dll!NtOpenThreadToken + 6 7C90D656 4 Bytes [68, 02, 15, 00]

.text C:\Documents and Settings\Gary\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3648] ntdll.dll!NtOpenThreadToken + B 7C90D65B 1 Byte [E2]

.text C:\Documents and Settings\Gary\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3648] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D666 4 Bytes CALL 7B90EB6D

.text C:\Documents and Settings\Gary\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3648] ntdll.dll!NtOpenThreadTokenEx + B 7C90D66B 1 Byte [E2]

.text C:\Documents and Settings\Gary\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3648] ntdll.dll!NtQueryAttributesFile + 6 7C90D6F6 4 Bytes [A8, 00, 15, 00]

.text C:\Documents and Settings\Gary\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3648] ntdll.dll!NtQueryAttributesFile + B 7C90D6FB 1 Byte [E2]

.text C:\Documents and Settings\Gary\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3648] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D796 4 Bytes CALL 7B90EC9B

.text C:\Documents and Settings\Gary\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3648] ntdll.dll!NtQueryFullAttributesFile + B 7C90D79B 1 Byte [E2]

.text C:\Documents and Settings\Gary\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3648] ntdll.dll!NtSetInformationFile + 6 7C90DC46 4 Bytes [28, 01, 15, 00]

.text C:\Documents and Settings\Gary\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3648] ntdll.dll!NtSetInformationFile + B 7C90DC4B 1 Byte [E2]

.text C:\Documents and Settings\Gary\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3648] ntdll.dll!NtSetInformationThread + 6 7C90DC96 4 Bytes [28, 02, 15, 00]

.text C:\Documents and Settings\Gary\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3648] ntdll.dll!NtSetInformationThread + B 7C90DC9B 1 Byte [E2]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)

AttachedDevice \FileSystem\Ntfs \Ntfs tvtumon.sys (Windows Update Monitor Driver/Lenovo)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys (ESET Antivirus Network Redirector/ESET)

AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)

AttachedDevice \FileSystem\Fastfat \Fat tvtumon.sys (Windows Update Monitor Driver/Lenovo)

---- Threads - GMER 1.0.15 ----

Thread System [4:376] 895D5930

---- EOF - GMER 1.0.15 ----


Those two MBAM detections are registry keys related to Internet Explorer toolbar buttons:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6096e38f-5ac1-4391-8ec4-75dfa92fb32f}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{6096e38f-5ac1-4391-8ec4-75dfa92fb32f}

MBAM did not find any malicious executable files that are loaded by a threat associated with these keys, so I can only assume that the CLSID {6096e38f-5ac1-4391-8ec4-75dfa92fb32f} is what caused these hits.

Therefore, I'm going to have you search your Registry for that CLSID to see if an executable file is referenced by it.

Download RegSearch by Bobbi Flekmann:

http://www.bleepingcomputer.com/files/regsearch.php

1. Extract the contents of the zip file.

2. Double-click the icon for RegSearch.exe to launch the program.

3. In the upper set of boxes enter (copy and paste) in the first box the following text in bold:

6096e38f-5ac1-4391-8ec4-75dfa92fb32f

4. Click OK, and it will search the registry for this CLSID string.

5. After completion Notepad will be opened with all the found instances of the string.

The resulting file is saved in the same location as RegSearch.exe.

Please post those results.

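The check the reply above asks for, as an added example that is not part of the thread and not RegSearch's code: search a registry export for a CLSID and list the files the matching keys point at. An Internet Explorer Extensions key is only the registration of a toolbar button and an Ext\Stats key only holds usage statistics; neither loads anything by itself. What decides whether a hit is live is whether a value such as Exec or Script, or the InprocServer32 default under HKCR\CLSID\{clsid}, names a file that exists on disk. The script below reads a file produced with `reg export HKLM hklm.reg` (repeat for HKCU and HKCR); without an argument it runs on a constructed sample whose button text, paths and DLL name are placeholders, not data from this thread.

```python
"""Search a .reg export for a CLSID and list the files its keys reference.

Added example, not code from the forum thread or from RegSearch.  The
sample export below is constructed; its paths are placeholders.
"""
import re
import sys

# Constructed sample in `reg export` format.  Only the search target is
# taken from the thread; "Example Button", example.exe, icon.ico and
# examplebho.dll are invented for the demonstration.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{6096e38f-5ac1-4391-8ec4-75dfa92fb32f}]
"ButtonText"="Example Button"
"CLSID"="{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}"
"Exec"="C:\\Program Files\\Example\\example.exe"
"Icon"="C:\\Program Files\\Example\\icon.ico"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6096e38f-5ac1-4391-8ec4-75dfa92fb32f}]

[HKEY_CLASSES_ROOT\CLSID\{6096e38f-5ac1-4391-8ec4-75dfa92fb32f}\InprocServer32]
@="C:\\WINDOWS\\system32\\examplebho.dll"
"ThreadingModel"="Apartment"
"""

KEY_RE = re.compile(r"^\[(-?)(.+)\]$")                  # [HKEY_...] or [-HKEY_...]
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')  # "name"=data or @=data
PATH_RE = re.compile(                                    # drive-letter path to a file
    r'[A-Za-z]:\\[^"*?<>|]+?\.(?:exe|dll|ocx|sys|scr|bat|cmd|vbs|js|ico)\b',
    re.IGNORECASE)


def parse_reg(text):
    """Return {key_path: {value_name: raw_data}} for a .reg export.

    A leading '-' on a key (the .reg deletion marker) is dropped, so the
    parser also reads a removal script such as a CFScript Registry:: block.
    """
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(2)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
            keys[current][name] = m.group(2)
    return keys


def unescape(data):
    """Turn a .reg string literal ("C:\\\\dir\\\\x.dll") back into the stored string."""
    if len(data) >= 2 and data[0] == data[-1] == '"':
        return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return data  # dword:/hex: data is left as-is


def find_clsid(keys, clsid):
    """Every key whose path or value data mentions the CLSID (case-insensitive)."""
    needle = clsid.strip("{}").lower()
    return {path: values for path, values in keys.items()
            if needle in path.lower()
            or any(needle in unescape(v).lower() for v in values.values())}


def referenced_files(hits):
    """Sorted file paths stored in the matching keys.  An empty list means
    the CLSID is registered but nothing on disk is loaded through it."""
    files = set()
    for values in hits.values():
        for data in values.values():
            files.update(PATH_RE.findall(unescape(data)))
    return sorted(files)


def main(argv):
    clsid = "{6096e38f-5ac1-4391-8ec4-75dfa92fb32f}"
    if len(argv) > 1:  # a real `reg export` file is UTF-16 with a BOM
        with open(argv[1], encoding="utf-16") as f:
            text = f.read()
    else:
        text = SAMPLE_REG
    hits = find_clsid(parse_reg(text), clsid)
    print(f"{len(hits)} key(s) reference {clsid}:")
    for path in hits:
        print("  " + path)
    print("files referenced:", referenced_files(hits) or "none")


if __name__ == "__main__":
    main(sys.argv)
```

Run it against each exported hive and then check whether every path it prints exists and what signs it; a CLSID whose only hits are Extensions and Ext\Stats keys, with no Exec, Script or InprocServer32 path behind them, is the remnant case the helper describes later in the thread.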

According to your RegSearch results, there are no other registry references for that suspicious CLSID we searched for. Therefore, I don't believe these keys represent anything more than harmless registry remnants at this point.

Still, we can see if Combofix can remove those keys:

Open Notepad by hitting Start -> run, typing notepad into the Open: box, and then clicking OK.

On the Notepad menu, choose "Format" and make sure that Word Wrap is unchecked (disabled).

Copy/paste the text in the code box below into Notepad. Save this to your desktop as CFScript.txt by selecting File -> Save as.

KillAll::

Registry::
[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6096e38f-5ac1-4391-8ec4-75dfa92fb32f}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{6096e38f-5ac1-4391-8ec4-75dfa92fb32f}]

[Image: CFScriptB-4.gif]

Very Important: Disable ALL security program active protection components at this time including any and all antispyware and antivirus monitor/guards you have running!!

Also, disable any task(s) scheduled to run automatically upon reboot, such as chkdsk or any security program scans that you may have scheduled. If Windows is in the middle of updating and it needs to reboot to finish the updating process, allow it to complete that first - before attempting to run Combofix.

Referring to the picture above, drag CFScript.txt into ComboFix.exe (saucepan.exe)

This will cause ComboFix to run again.

Please post back the log that opens (C:\Combofix.txt) when it finishes.


ComboFix 09-11-13.04 - Gary 11/12/2009 15:30.1.2 - FAT32x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1604 [GMT -10:00]

Running from: c:\documents and settings\Gary\My Documents\saucepan.exe

Command switches used :: c:\documents and settings\Gary\My Documents\CFScript.txt

AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

.

((((((((((((((((((((((((( Files Created from 2009-10-13 to 2009-11-13 )))))))))))))))))))))))))))))))

.

2009-11-12 20:17 . 2009-11-12 20:17 -------- d-----w- c:\windows\Driver Cache

2009-11-12 05:02 . 2009-03-06 14:22 284160 ------w- c:\windows\system32\dllcache\pdh.dll

2009-11-12 05:02 . 2009-02-09 12:10 401408 ------w- c:\windows\system32\dllcache\rpcss.dll

2009-11-12 05:02 . 2009-02-06 11:11 110592 ------w- c:\windows\system32\dllcache\services.exe

2009-11-12 05:02 . 2009-02-09 12:10 473600 ------w- c:\windows\system32\dllcache\fastprox.dll

2009-11-12 05:02 . 2009-02-06 10:10 227840 ------w- c:\windows\system32\dllcache\wmiprvse.exe

2009-11-12 05:02 . 2009-02-09 12:10 453120 ------w- c:\windows\system32\dllcache\wmiprvsd.dll

2009-11-12 05:02 . 2009-02-09 12:10 714752 ------w- c:\windows\system32\dllcache\ntdll.dll

2009-11-12 05:02 . 2009-02-09 12:10 617472 ------w- c:\windows\system32\dllcache\advapi32.dll

2009-11-12 04:56 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll

2009-11-12 04:49 . 2008-06-13 11:05 272128 ------w- c:\windows\system32\dllcache\bthport.sys

2009-11-12 04:37 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll

2009-11-12 04:35 . 2008-05-08 14:02 203136 ------w- c:\windows\system32\dllcache\rmcast.sys

2009-11-12 04:35 . 2008-10-24 11:21 455296 ------w- c:\windows\system32\dllcache\mrxsmb.sys

2009-11-12 04:35 . 2008-12-11 10:57 333952 ------w- c:\windows\system32\dllcache\srv.sys

2009-11-12 04:35 . 2008-05-01 14:33 331776 ------w- c:\windows\system32\dllcache\msadce.dll

2009-11-12 04:23 . 2009-11-12 04:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Digsby

2009-11-12 04:21 . 2009-11-12 04:21 -------- d-----w- c:\documents and settings\Gary\Application Data\Digsby

2009-11-12 04:21 . 2009-11-12 04:21 -------- d-----w- c:\documents and settings\Gary\Local Settings\Application Data\Digsby

2009-11-12 04:20 . 2009-11-12 04:20 -------- d-----w- c:\program files\Digsby

2009-11-12 04:20 . 2008-04-11 19:04 691712 ------w- c:\windows\system32\dllcache\inetcomm.dll

2009-11-12 04:17 . 2009-08-04 15:13 2145280 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe

2009-11-12 04:17 . 2009-08-04 14:20 2023936 ------w- c:\windows\system32\dllcache\ntkrpamp.exe

2009-11-12 04:17 . 2009-08-04 14:20 2066048 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe

2009-11-12 04:13 . 2008-10-15 16:34 337408 ------w- c:\windows\system32\dllcache\netapi32.dll

2009-11-12 04:13 . 2008-09-04 17:15 1106944 ------w- c:\windows\system32\dllcache\msxml3.dll

2009-11-12 04:08 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll

2009-11-12 04:07 . 2008-04-21 12:08 215552 ------w- c:\windows\system32\dllcache\wordpad.exe

2009-11-12 04:03 . 2008-12-16 12:30 354304 ------w- c:\windows\system32\dllcache\winhttp.dll

2009-11-11 20:30 . 2009-11-11 20:30 -------- d-----w- c:\documents and settings\Gary\Local Settings\Application Data\Temp

2009-11-11 20:30 . 2009-11-11 20:30 -------- d-----w- c:\documents and settings\Gary\Local Settings\Application Data\Google

2009-11-11 20:29 . 2009-11-11 20:29 15912 ----a-w- c:\documents and settings\Gary\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-11-11 20:29 . 2009-11-11 20:29 -------- d-----w- c:\documents and settings\Gary\Local Settings\Application Data\Deployment

2009-11-11 20:26 . 2008-09-25 02:03 703 ----a-w- c:\windows\system32\config\systemprofile\set_env.bat

2009-11-11 20:26 . 2008-09-25 01:57 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Symantec

2009-11-11 20:26 . 2008-09-25 01:07 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\InstallShield

2009-11-11 20:26 . 2008-09-25 02:03 703 ----a-w- c:\documents and settings\Default User\set_env.bat

2009-11-11 18:17 . 2009-11-11 18:17 -------- d-----w- c:\documents and settings\Gary\Local Settings\Application Data\Opera

2009-11-11 18:16 . 2009-11-11 18:16 -------- d-----w- c:\program files\Opera

2009-11-11 18:00 . 2009-11-11 18:00 -------- d-----w- c:\program files\CCleaner

2009-11-11 17:56 . 2008-04-26 05:41 218624 ----a-w- c:\windows\system32\dllcache\uxtheme.dll

2009-11-11 17:54 . 2009-11-11 17:54 -------- d-----w- c:\program files\7-Zip

2009-11-11 17:22 . 2009-11-11 17:22 -------- d-----w- c:\documents and settings\Gary\Application Data\Talkback

2009-11-11 17:22 . 2009-11-11 17:22 0 ----a-w- c:\windows\nsreg.dat

2009-11-11 17:22 . 2009-11-11 17:22 -------- d-----w- c:\documents and settings\Gary\Local Settings\Application Data\Thunderbird

2009-11-11 17:22 . 2009-11-11 17:22 -------- d-----w- c:\documents and settings\Gary\Application Data\Thunderbird

2009-11-11 17:22 . 2009-11-11 17:22 -------- d-----w- c:\program files\Mozilla Thunderbird

2009-11-11 17:11 . 2009-11-11 17:11 -------- d-----w- c:\documents and settings\Gary\Application Data\Malwarebytes

2009-11-11 17:11 . 2009-09-11 00:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-11-11 17:11 . 2009-11-11 17:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-11-11 17:11 . 2009-09-11 00:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-11-11 17:11 . 2009-11-11 17:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-11-11 17:04 . 2009-11-11 17:04 -------- d-----w- c:\program files\ESET

2009-11-11 17:04 . 2009-11-11 17:04 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-11-11 20:27 . 2009-11-11 20:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Windows Live Toolbar

2009-09-29 23:05 . 2009-09-29 23:05 96408 ----a-w- c:\windows\system32\drivers\epfwtdir.sys

2009-09-29 23:02 . 2009-09-29 23:02 108792 ----a-w- c:\windows\system32\drivers\ehdrv.sys

2009-09-29 22:56 . 2009-09-29 22:56 116008 ----a-w- c:\windows\system32\drivers\eamon.sys

2009-09-11 14:18 . 2004-08-04 22:00 136192 ----a-w- c:\windows\system32\msv1_0.dll

2009-09-04 21:03 . 2004-08-04 22:00 58880 ----a-w- c:\windows\system32\msasn1.dll

2009-08-29 07:36 . 2004-08-04 22:00 832512 ----a-w- c:\windows\system32\wininet.dll

2009-08-29 07:36 . 2004-08-04 22:00 78336 ----a-w- c:\windows\system32\ieencode.dll

2009-08-29 07:36 . 2004-08-04 22:00 17408 ----a-w- c:\windows\system32\corpol.dll

2009-08-26 08:00 . 2004-08-04 22:00 247326 ----a-w- c:\windows\system32\strmdll.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-07-30 16805888]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [9/29/2009 1:02 PM 108792]

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [9/29/2009 1:05 PM 96408]

R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [9/29/2009 1:03 PM 735960]

R2 System_Repair_UpdateMonitor;System Repair Windows Update Monitor;c:\program files\Lenovo\OneKey App\System Repair\UpdateMonitor.exe [9/24/2008 3:32 PM 430080]

R2 tvtumon;tvtumon;c:\windows\system32\drivers\tvtumon.sys [9/24/2008 3:32 PM 47680]

R3 ACPIVPC;Lenovo Virtual Power Controller Driver;c:\windows\system32\drivers\AcpiVpc.sys [9/24/2008 3:59 PM 9472]

R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [9/24/2008 3:07 PM 157696]

S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]

S3 WSVD;WSVD;c:\windows\system32\drivers\WSVD.sys [9/24/2008 3:32 PM 81192]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR

*Deregistered* - mbr

.

Contents of the 'Scheduled Tasks' folder

2009-11-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3392833755-1436563763-3799711605-1005Core.job

- c:\documents and settings\Gary\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-11 20:30]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://lenovo.live.com/

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-11-12 15:38

Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2060)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\mshtml.dll

.

Completion time: 2009-11-12 15:40 - machine was rebooted

ComboFix-quarantined-files.txt 2009-11-13 01:40

Pre-Run: 20,900,069,376 bytes free

Post-Run: 20,866,007,040 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 261BC4DBB68E50EE791B21521601B905


OK, your Combofix log is clean. Now update MBAM and then do a quick scan. Post the MBAM log.

Malwarebytes' Anti-Malware 1.41

Database version: 3158

Windows 5.1.2600 Service Pack 3

11/12/2009 4:29:13 PM

mbam-log-2009-11-12 (16-29-13).txt

Scan type: Quick Scan

Objects scanned: 91435

Time elapsed: 9 minute(s), 25 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


Well, the MBAM log is perfectly clean so we'll finish up now - good job!

If I asked you to download and run an ARK (Antirootkit program), then please uninstall it by doing the following:

  • Delete the contents of the folder C:\ARK
  • Delete the C:\ARK folder

Let's remove Combofix and all its associated files including those in quarantine:

Click start -> run, then copy and paste the following line into the Open box and click OK.

"c:\documents and settings\Gary\My Documents\saucepan.exe" /uninstall

This will do the following:

  • Uninstall Combofix and all its associated files and folders.
  • It will flush your system restore points and create a new restore point.
  • It will rehide your system files and folders
  • Reset your system clock

---

Here are some additional measures you should take to keep your system in good working order and ensure your continued security.

1. Scan your system for outdated versions of commonly used software applications that may also cause your PC to be vulnerable, using the Secunia Online Software Inspector (OSI). This is very important because recent statistics confirm that an overwhelming majority of infections are acquired through application, not Operating System, flaws. Commonly used programs like QuickTime, Java, Adobe Acrobat Reader, iTunes, and many others are commonly targeted today. You can make your computer much more secure if you update to the most current versions of these programs and any others that Secunia alerts you to.

Just click the "Start Scanner" button to get a listing of all outdated and possibly insecure resident programs.

Note: If your firewall prompts you about access, allow it.

2. Keep MBAM as an on demand scanner because I highly recommend it, and the quick scan will find most all active malware in minutes.

3. You can reduce your startups by downloading Malwarebyte's StartUp Lite and saving it to a convenient location. Just double-click StartUpLite.exe. Then, check the options you would like based on the descriptions provided, then select continue. This will free up system resources because nonessential background programs will no longer be running when you start up your computer.

4. Download and install SpywareBlaster:

http://www.javacoolsoftware.com/spywareblaster.html

Update it and then enable protection for all unprotected items.

You will have to update the free version manually about once a month by clicking the Updates button. You can refer to the Calendar of Updates Website to see when SpywareBlaster and other programs that do not autoupdate have new definitions or program updates available.

You should visit the Windows Updates website, and obtain the most current Operating System updates/patches, and Internet Explorer released versions.

The easiest and fastest way to obtain Windows Updates is by clicking Control Panel -> Windows Updates.

However, setting your computer to download and install updates automatically will relieve you of the responsibility of doing this on a continual basis. It is important to periodically check that Windows Updates is functioning properly because many threats disable it as part of their strategy to compromise your system. Windows Updates are released on the second Tuesday of every month.

Finally, please follow the suggestions offered by Tony Klein in "How did I get infected in the first place?", so you can maintain a safe and secure computing environment.

Happy Surfing!


I ran an MBAM full scan after uninstalling Combofix and this came up.

Malwarebytes' Anti-Malware 1.41

Database version: 3158

Windows 5.1.2600 Service Pack 3

11/12/2009 8:47:13 PM

mbam-log-2009-11-12 (20-47-13).txt

Scan type: Full Scan (C:\|D:\|)

Objects scanned: 123544

Time elapsed: 23 minute(s), 32 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\System Volume Information\_restore{F8136B96-1D4C-4145-839F-7B8F940A9052}\RP11\A0005098.sys (Rootkit.Agent) -> Quarantined and deleted successfully.


So I had a hunch I wanted to test out. I did a clean wipe but deleted the Live Toolbar and Explorer 7 using CCleaner, then I ran MBAM.

Malwarebytes' Anti-Malware 1.41

Database version: 3166

Windows 5.1.2600 Service Pack 3

11/13/2009 1:39:07 PM

mbam-log-2009-11-13 (13-39-07).txt

Scan type: Quick Scan

Objects scanned: 91328

Time elapsed: 5 minute(s), 26 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{6096e38f-5ac1-4391-8ec4-75dfa92fb32f} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{6096e38f-5ac1-4391-8ec4-75dfa92fb32f} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

