
Antivirus Live Infection


Oranje


Hi Guys

My laptop has been infected, MBAM does not run, but I have managed to execute HiJackThis and got the log...

Logfile of Trend Micro HijackThis v2.0.3 (BETA)

Scan saved at 21:40:08, on 30/12/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Safe mode

Running processes:

D:\WINDOWS\System32\smss.exe

D:\WINDOWS\system32\winlogon.exe

D:\WINDOWS\system32\services.exe

D:\WINDOWS\system32\lsass.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\system32\ZCfgSvc.exe

D:\WINDOWS\Explorer.exe

D:\WINDOWS\system32\svchost.exe

C:\Program Files\Internet Explorer\Iexplore.exe

D:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.live.com/sphome.aspx

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555

F2 - REG:system.ini: Shell=Explorer.exe rundll32.exe wjqd.rqo avqbc

F2 - REG:system.ini: UserInit=D:\WINDOWS\system32\userinit.exe,D:\WINDOWS\system32\sdra64.exe,

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O4 - HKLM\..\Run: [egui] "D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice

O4 - HKLM\..\Run: [RegistryMonitor1] D:\WINDOWS\system32\qtplugin.exe

O4 - HKLM\..\Run: [ucjgbqeh] D:\Documents and Settings\shah\Local Settings\Application Data\nbwqdf\phycsysguard.exe

O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] D:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [richtx64.exe] D:\DOCUME~1\shah\LOCALS~1\Temp\richtx64.exe

O4 - HKCU\..\Run: [Malware Defense] "D:\Program Files\Malware Defense\mdefense.exe" -noscan

O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [RegistryMonitor1] "D:\WINDOWS\system32\qtplugin.exe"

O4 - HKCU\..\Run: [ucjgbqeh] D:\Documents and Settings\shah\Local Settings\Application Data\nbwqdf\phycsysguard.exe

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')

O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - D:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - D:\WINDOWS\system32\browseui.dll

O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - D:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe

O23 - Service: Eset Service (ekrn) - ESET - D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - D:\Program Files\Intel\NCS\Sync\NetSvc.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe

O23 - Service: SmartLinkService (SLService) - Smart Link - D:\WINDOWS\SYSTEM32\slserv.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--

End of file - 4506 bytes

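Added example, not part of the thread and not HijackThis code: the Python below applies the checks a responder makes by eye on a log like the one above. A Winlogon Shell value that is anything other than Explorer.exe means Winlogon starts extra programs alongside the shell (here rundll32.exe loading wjqd.rqo); a UserInit list that has grown beyond userinit.exe runs the added program at every logon before the desktop appears; a ProxyServer pointing at 127.0.0.1 routes the browser through a listener on the same machine, so a local process sees and can alter its traffic; Run entries living in Temp or Local Settings\Application Data are user-writable locations a legitimate installer seldom uses; and the same binary registered under both HKLM and HKCU survives if only one copy is removed. The sample lines are copied from the HijackThis log above; the rule names and the directory markers are the example's own choices.

```python
"""Flag the autostart tampering visible in a HijackThis-style log.

Added example: not part of the thread and not HijackThis code. It reads text
only and changes nothing on the machine it runs on.
"""
import re
from pathlib import PureWindowsPath

# Sample input: entries copied from the HijackThis log posted above, including
# the benign ESET and ctfmon entries so the rules have something to ignore.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
F2 - REG:system.ini: Shell=Explorer.exe rundll32.exe wjqd.rqo avqbc
F2 - REG:system.ini: UserInit=D:\WINDOWS\system32\userinit.exe,D:\WINDOWS\system32\sdra64.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [egui] "D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [RegistryMonitor1] D:\WINDOWS\system32\qtplugin.exe
O4 - HKLM\..\Run: [ucjgbqeh] D:\Documents and Settings\shah\Local Settings\Application Data\nbwqdf\phycsysguard.exe
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [richtx64.exe] D:\DOCUME~1\shah\LOCALS~1\Temp\richtx64.exe
O4 - HKCU\..\Run: [RegistryMonitor1] "D:\WINDOWS\system32\qtplugin.exe"
O4 - HKCU\..\Run: [ucjgbqeh] D:\Documents and Settings\shah\Local Settings\Application Data\nbwqdf\phycsysguard.exe
O23 - Service: Eset Service (ekrn) - ESET - D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
"""

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^(?P<hive>.+?)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
EXE_RE = re.compile(r'^"?(?P<path>.+?\.exe)', re.I)

# Profile-local directories where a legitimate XP Run entry almost never lives
# (example's own heuristic, not a HijackThis rule).
USER_WRITABLE = ("\\temp\\", "\\local settings\\application data\\")
LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def _expand_short_names(path: str) -> str:
    """Lower-case and undo the two 8.3 short forms that show up in these logs."""
    return (path.lower()
            .replace("\\docume~1\\", "\\documents and settings\\")
            .replace("\\locals~1\\", "\\local settings\\"))


def _is_loopback_proxy(value: str) -> bool:
    # Values look like "http=127.0.0.1:5555" or "proxy:8080", possibly ';'-separated.
    for part in value.split(";"):
        host = part.split("=")[-1].rsplit(":", 1)[0].strip()
        if host in LOOPBACK:
            return True
    return False


def triage(log_text: str):
    """Return a list of (rule, evidence) tuples for the suspicious entries."""
    findings = []
    hives_by_path = {}  # normalised exe path -> set of root hives it is registered under
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")

        if section == "F2" and "Shell=" in body:
            # Winlogon launches everything in this value; anything beyond Explorer.exe is extra.
            value = body.split("Shell=", 1)[1].strip()
            if value.lower() != "explorer.exe":
                findings.append(("winlogon-shell-hijack", value))

        elif section == "F2" and "UserInit=" in body:
            # Each comma-separated program runs at every logon, before the shell.
            for entry in body.split("UserInit=", 1)[1].split(","):
                entry = entry.strip()
                if entry and PureWindowsPath(entry).name.lower() != "userinit.exe":
                    findings.append(("winlogon-userinit-append", entry))

        elif section == "R1" and "ProxyServer" in body:
            value = body.split("=", 1)[1].strip()
            if _is_loopback_proxy(value):
                findings.append(("loopback-proxy", value))

        elif section == "O4":
            rm = RUN_RE.match(body)
            em = EXE_RE.match(rm.group("cmd")) if rm else None
            if not em:
                continue
            path = _expand_short_names(em.group("path"))
            if any(marker in path for marker in USER_WRITABLE):
                findings.append(("run-key-user-writable-dir", f'{rm.group("hive")}: {path}'))
            hives_by_path.setdefault(path, set()).add(rm.group("hive").split("\\")[0])

    # The same binary under HKLM and HKCU: deleting one key leaves the other.
    for path, hives in hives_by_path.items():
        if {"HKLM", "HKCU"} <= hives:
            findings.append(("run-key-duplicated-hklm-hkcu", path))
    return findings


if __name__ == "__main__":
    for rule, evidence in triage(SAMPLE_LOG):
        print(f"{rule:32} {evidence}")
```

Run against the sample it reports eight findings and stays silent on the ESET, ctfmon and Adobe entries. The rules are deliberately narrow: they do not try to tell a bad binary from a good one by name, only to surface the places where this machine's autostart differs from a stock XP installation.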

Hello Oranje

Welcome to Malwarebytes.

=====================

  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Under the Custom Scans and Fixes section, paste in the below in bold

    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    /md5stop
    CREATERESTOREPOINT

  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.

====================

Download the following GMER Rootkit Scanner from Here

  • Download the randomly named EXE file to your Desktop. Remember what its name is since it is randomly named.
  • Double click on the new random named exe file you downloaded and run it. If prompted about the Security Warning and Unknown Publisher go ahead and click on Run
  • It may take a minute to load and become available.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan, click on NO, then use the following settings for a more complete scan.
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED:
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically only C:\ should be checked)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [save..] button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop
  • **Caution** Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries
  • Click OK and quit the GMER program.
  • Note: On Firefox you need to go to Tools/Options/Main then under the Downloads section, click on Always ask me where to save files so that you can choose the name and where to save to, in this case your Desktop.


I have managed to have the system scanned

OTL logfile created on: 31/12/2009 13:54:20 - Run 1

OTL by OldTimer - Version 3.1.20.1 Folder = D:\Documents and Settings\shah\Desktop

Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 6.0.2900.2180)

Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

511.00 Mb Total Physical Memory | 400.00 Mb Available Physical Memory | 78.00% Memory free

1.00 Gb Paging File | 1.00 Gb Available in Paging File | 94.00% Paging File free

Paging file location(s): D:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = D: | %SystemRoot% = D:\WINDOWS | %ProgramFiles% = D:\Program Files

Drive C: | 1.95 Gb Total Space | 0.75 Gb Free Space | 38.59% Space Free | Partition Type: FAT

Drive D: | 51.98 Gb Total Space | 47.66 Gb Free Space | 91.70% Space Free | Partition Type: NTFS

Drive E: | 3.79 Gb Total Space | 3.78 Gb Free Space | 99.81% Space Free | Partition Type: FAT32

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: TOSHIBA-AFFEDFA

Current User Name: shah

Logged in as Administrator.

Current Boot Mode: SafeMode

Scan Mode: Current user

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Minimal

========== Processes (SafeList) ==========

PRC - D:\Documents and Settings\shah\Desktop\OTL.exe (OldTimer Tools)

PRC - D:\WINDOWS\system32\ZCfgSvc.exe (Intel Corporation)

PRC - D:\WINDOWS\explorer.exe (Microsoft Corporation)

PRC - C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

========== Modules (SafeList) ==========

MOD - D:\Documents and Settings\shah\Desktop\OTL.exe (OldTimer Tools)

MOD - D:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll (Microsoft Corporation)

========== Win32 Services (SafeList) ==========

SRV - (EhttpSrv) -- D:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe (ESET)

SRV - (ekrn) -- D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe (ESET)

SRV - (SLService) -- D:\WINDOWS\System32\slserv.exe (Smart Link)

SRV - (NVSvc) -- D:\WINDOWS\system32\nvsvc32.exe (NVIDIA Corporation)

SRV - (ose) -- D:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)

SRV - (NetSvc) -- D:\Program Files\Intel\NCS\Sync\NetSvc.exe (Intel® Corporation)

SRV - (SoundMAX Agent Service (default)) -- D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe (Analog Devices, Inc.)

========== Driver Services (SafeList) ==========

DRV - (kdmtmyv) -- D:\WINDOWS\system32\01.tmp ()

DRV - (hwusbfake) -- D:\WINDOWS\system32\drivers\ewusbfake.sys (Huawei Technologies Co., Ltd.)

DRV - (hwdatacard) -- D:\WINDOWS\system32\drivers\ewusbmdm.sys (Huawei Technologies Co., Ltd.)

DRV - (epfwtdir) -- D:\WINDOWS\system32\drivers\epfwtdir.sys ()

DRV - (easdrv) -- D:\WINDOWS\system32\drivers\easdrv.sys (ESET)

DRV - (eamon) -- D:\WINDOWS\system32\drivers\eamon.sys (ESET)

DRV - (w29n51) Intel® -- D:\WINDOWS\system32\drivers\w29n51.sys (Intel

ark.txt


One or more of the identified infections is a backdoor trojan or rootkit.

This type of infection has the capability to allow a hacker to remotely control your computer, steal critical system information, and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.


Luckily enough I have not been doing any financial stuff while I had been using this laptop; however, I would like to format the machine but I don't have an external drive to use and my laptop doesn't have a CD-ROM.

So at this current time I would like to just remove it; what actions would I have to take?


Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    :OTL
    DRV - (kdmtmyv) -- D:\WINDOWS\system32\01.tmp ()
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555
    O4 - HKLM..\Run: [RegistryMonitor1] D:\WINDOWS\system32\qtplugin.exe ()
    O4 - HKLM..\Run: [ucjgbqeh] D:\Documents and Settings\shah\Local Settings\Application Data\nbwqdf\phycsysguard.exe (tzuk)
    O4 - HKCU..\Run: [Malware Defense] D:\Program Files\Malware Defense\mdefense.exe File not found
    O4 - HKCU..\Run: [RegistryMonitor1] D:\WINDOWS\System32\qtplugin.exe ()
    O4 - HKCU..\Run: [richtx64.exe] D:\DOCUME~1\shah\LOCALS~1\Temp\richtx64.exe File not found
    O4 - HKCU..\Run: [ucjgbqeh] D:\Documents and Settings\shah\Local Settings\Application Data\nbwqdf\phycsysguard.exe (tzuk)
    O20 - HKLM Winlogon: Shell - (rundll32.exe) - File not found
    O20 - HKLM Winlogon: Shell - (wjqd.rqo) - D:\WINDOWS\System32\wjqd.rqo ()
    O20 - HKLM Winlogon: Shell - (avqbc) - File not found
    O20 - HKLM Winlogon: UserInit - (D:\WINDOWS\system32\sdra64.exe) - D:\WINDOWS\system32\sdra64.exe (Hewlett-Packard Development Company, L.P.)
    O33 - MountPoints2\{4cda6880-f0cc-11de-988e-00037a0bb73d}\Shell\AutoRun\command - "" = E:\AutoRun.exe -- File not found
    O33 - MountPoints2\{4cda6882-f0cc-11de-988e-00037a0bb73d}\Shell\AutoRun\command - "" = E:\AutoRun.exe -- File not found
    [2009/12/30 13:05:47 | 00,000,000 | ---D | C] -- D:\Documents and Settings\shah\Local Settings\Application Data\nbwqdf
    [2009/12/29 10:22:20 | 00,000,000 | -HSD | C] -- D:\WINDOWS\System32\lowsec
    [2009/12/31 13:45:09 | 00,000,123 | ---- | M] () -- D:\WINDOWS\System32\srcr.dat
    [2009/12/31 13:30:59 | 00,000,873 | ---- | M] () -- D:\WINDOWS\System32\krl32mainweq.dll
    [2009/12/29 10:21:03 | 00,021,505 | ---- | M] () -- D:\WINDOWS\System32\wjqd.rqo

    :Services
    H8SRTd.sys

    :Reg
    [-HKLM\SYSTEM\ControlSet002\Services\xkhbnp]

    :files
    D:\WINDOWS\system32\udgwg.dll
    D:\WINDOWS\system32\drivers\H8SRTessivwbbne.sys
    D:\WINDOWS\system32\H8SRTnuiqfelmqo.dll

    :Commands
    [emptytemp]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • It will produce a log for you on reboot, please post that log in your next reply.

=================

First temporarily disable any antivirus program or any real time shields that are present:

If you do not know how then you can refer to this link:

http://www.bleepingcomputer.com/forums/topic114351.html

================

Then download ComboFix from any of the links below. You must rename it before saving it. Rename it to kahdah, then save it to your desktop.

Link 1

Link 2

--------------------------------------------------------------------

Double click on kahdah.exe & follow the prompts.

  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt


OTL

All processes killed

========== OTL ==========

Service kdmtmyv stopped successfully!

Service kdmtmyv deleted successfully!

D:\WINDOWS\system32\01.tmp moved successfully.

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\RegistryMonitor1 deleted successfully.

D:\WINDOWS\system32\qtplugin.exe moved successfully.

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ucjgbqeh deleted successfully.

D:\Documents and Settings\shah\Local Settings\Application Data\nbwqdf\phycsysguard.exe moved successfully.

Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\Malware Defense deleted successfully.

Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\RegistryMonitor1 deleted successfully.

File D:\WINDOWS\System32\qtplugin.exe not found.

Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\richtx64.exe deleted successfully.

Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\ucjgbqeh deleted successfully.

File D:\Documents and Settings\shah\Local Settings\Application Data\nbwqdf\phycsysguard.exe not found.

Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell:rundll32.exe deleted successfully.

Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell:wjqd.rqo deleted successfully.

D:\WINDOWS\system32\wjqd.rqo moved successfully.

Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell:avqbc deleted successfully.

Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit:D:\WINDOWS\system32\sdra64.exe deleted successfully.

D:\WINDOWS\system32\sdra64.exe moved successfully.

Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4cda6880-f0cc-11de-988e-00037a0bb73d}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4cda6880-f0cc-11de-988e-00037a0bb73d}\ not found.

File E:\AutoRun.exe not found.

Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4cda6882-f0cc-11de-988e-00037a0bb73d}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4cda6882-f0cc-11de-988e-00037a0bb73d}\ not found.

File E:\AutoRun.exe not found.

D:\Documents and Settings\shah\Local Settings\Application Data\nbwqdf folder moved successfully.

D:\WINDOWS\System32\lowsec folder moved successfully.

D:\WINDOWS\system32\srcr.dat moved successfully.

D:\WINDOWS\system32\krl32mainweq.dll moved successfully.

File D:\WINDOWS\System32\wjqd.rqo not found.

========== SERVICES/DRIVERS ==========

Error: No service named H8SRTd.sys was found to stop!

Unable to stop service H8SRTd.sys!

========== REGISTRY ==========

Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\xkhbnp\ deleted successfully.

========== FILES ==========

D:\WINDOWS\system32\udgwg.dll moved successfully.

File\Folder D:\WINDOWS\system32\drivers\H8SRTessivwbbne.sys not found.

File\Folder D:\WINDOWS\system32\H8SRTnuiqfelmqo.dll not found.

========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator

User: All Users

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

User: shah

->Temp folder emptied: 165306025 bytes

->Temporary Internet Files folder emptied: 198429282 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 0 bytes

%systemroot%\System32 .tmp files removed: 2577 bytes

Windows Temp folder emptied: 52881802 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes

RecycleBin emptied: 0 bytes

Total Files Cleaned = 397.00 mb

OTL by OldTimer - Version 3.1.20.1 log created on 01012010_160239

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

ComboFix

ComboFix 09-12-31.A1 - shah 01/01/2010 16:29:57.1.1 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.511.340 [GMT 0:00]

Running from: d:\documents and settings\shah\Desktop\kahdah.exe

AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

d:\windows\system32\drivers\H8SRTessivwbbne.sys

d:\windows\system32\H8SRTelcmytnowx.dat

d:\windows\system32\H8SRTnuiqfelmqo.dll

d:\windows\system32\H8SRTtijooejpwm.dll

d:\windows\system32\srcr.dat

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_H8SRTd.sys

-------\Legacy_H8SRTd.sys

((((((((((((((((((((((((( Files Created from 2009-12-01 to 2010-01-01 )))))))))))))))))))))))))))))))

.

2010-01-01 16:16 . 2010-01-01 16:16 871 ----a-w- d:\windows\system32\krl32mainweq.dll

2010-01-01 16:02 . 2010-01-01 16:02 -------- d-----w- D:\_OTL

2009-12-30 21:34 . 2009-12-03 16:14 38224 ----a-w- d:\windows\system32\drivers\mbamswissarmy.sys

2009-12-30 21:34 . 2009-12-30 21:42 -------- d-----w- d:\program files\Malwarebytes' Anti-Malware

2009-12-30 21:34 . 2009-12-30 21:34 -------- d-----w- d:\documents and settings\All Users\Application Data\Malwarebytes

2009-12-30 21:34 . 2009-12-03 16:13 19160 ----a-w- d:\windows\system32\drivers\mbam.sys

2009-12-30 21:25 . 2009-12-30 21:25 388096 ----a-r- d:\documents and settings\shah\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe

2009-12-30 21:25 . 2009-12-30 21:25 -------- d-----w- d:\program files\TrendMicro

2009-12-30 13:13 . 2009-12-30 13:13 42752 ----a-w- d:\documents and settings\shah\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-12-24 20:41 . 2009-12-24 20:41 -------- d-----w- d:\documents and settings\shah\Application Data\Birdstep Technology

2009-12-24 20:41 . 2009-12-24 20:41 -------- d-----w- d:\documents and settings\All Users\Application Data\Birdstep Technology

2009-12-24 20:39 . 2009-02-17 19:34 112640 ----a-w- d:\windows\system32\drivers\ewusbnet.sys

2009-12-24 20:39 . 2008-12-30 10:55 102656 ----a-w- d:\windows\system32\drivers\ewusbfake.sys

2009-12-24 20:39 . 2008-12-13 10:26 102400 ----a-w- d:\windows\system32\drivers\ewusbmdm.sys

2009-12-24 20:39 . 2008-04-14 08:36 621056 ----a-w- d:\windows\system32\drivers\mod7700.sys

2009-12-24 20:39 . 2007-08-09 03:13 24448 ----a-w- d:\windows\system32\drivers\ewdcsc.sys

2009-12-24 20:39 . 2009-12-24 20:39 -------- d-----w- d:\program files\Huawei Modems

2009-12-24 20:39 . 2009-12-24 20:39 70667 ----a-w- d:\windows\Huawei ModemsUninstall.exe

2009-12-24 20:39 . 2007-05-28 17:00 10240 ------w- d:\windows\system32\drivers\mdvrmng.sys

2009-12-24 20:39 . 2009-12-24 20:39 -------- d-----w- d:\program files\3 Mobile Broadband

2009-12-24 20:38 . 2004-08-03 22:59 57472 -c--a-w- d:\windows\system32\dllcache\redbook.sys

2009-12-24 20:38 . 2004-08-03 22:59 57472 ----a-w- d:\windows\system32\drivers\redbook.sys

2009-12-20 00:13 . 2004-08-03 23:08 31616 -c--a-w- d:\windows\system32\dllcache\usbccgp.sys

2009-12-20 00:13 . 2004-08-03 23:08 31616 ----a-w- d:\windows\system32\drivers\usbccgp.sys

2009-12-17 21:58 . 2009-12-18 22:42 -------- d-----w- d:\documents and settings\shah\Local Settings\Application Data\Adobe

2009-12-17 21:57 . 2009-12-17 21:57 -------- d-----w- d:\documents and settings\shah\Local Settings\Application Data\ESET

2009-12-16 20:24 . 2009-12-16 20:24 -------- d-s---w- d:\documents and settings\shah\UserData

2009-12-16 20:16 . 2010-01-01 16:37 -------- d-----w- d:\documents and settings\shah\Tracing

2009-12-12 07:41 . 2009-12-12 07:41 -------- d-----w- d:\documents and settings\LocalService\Local Settings\Application Data\ESET

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-12-29 10:23 . 2004-08-03 22:59 95360 ----a-w- d:\windows\system32\drivers\atapi.sys

2009-12-24 20:39 . 2009-11-06 22:46 -------- d--h--w- d:\program files\InstallShield Installation Information

2009-11-08 10:03 . 2009-11-07 16:35 -------- d-----w- d:\program files\Windows Live

2009-11-07 16:36 . 2009-11-07 16:36 -------- d-----w- d:\program files\Microsoft

2009-11-07 16:35 . 2009-11-07 16:35 -------- d-----w- d:\program files\Windows Live SkyDrive

2009-11-07 16:30 . 2009-11-07 16:30 -------- d-----w- d:\program files\Common Files\Windows Live

2009-11-07 13:28 . 2009-11-06 22:28 86327 ----a-w- d:\windows\pchealth\helpctr\OfflineCache\index.dat

2009-11-07 12:57 . 2009-11-07 12:57 -------- d-----w- d:\program files\Atheros

2009-11-07 12:56 . 2009-11-06 22:46 -------- d-----w- d:\program files\Common Files\InstallShield

2009-11-07 12:42 . 2009-11-07 12:42 -------- d-----w- d:\program files\Toshiba

2009-11-06 23:38 . 2009-11-06 23:38 -------- d-----w- d:\program files\ESET

2009-11-06 23:38 . 2009-11-06 23:38 -------- d-----w- d:\documents and settings\All Users\Application Data\ESET

2009-11-06 23:34 . 2009-11-06 23:34 -------- d-----w- d:\program files\Common Files\Adobe

2009-11-06 23:11 . 2009-11-06 23:11 -------- d-----w- d:\program files\Microsoft.NET

2009-11-06 23:10 . 2009-11-06 23:10 -------- d-----w- d:\program files\Microsoft ActiveSync

2009-11-06 22:50 . 2009-11-06 22:49 -------- d-----w- d:\program files\Intel

2009-11-06 22:46 . 2009-11-06 22:46 -------- d-----w- d:\program files\Analog Devices

2009-11-06 22:30 . 2009-11-06 22:30 -------- d-----w- d:\program files\microsoft frontpage

2009-11-06 22:25 . 2009-11-06 22:25 21640 ----a-w- d:\windows\system32\emptyregdb.dat

.

------- Sigcheck -------

[-] 2009-09-17 . 32272BF10467C8ACF1F83138C61D541E . 1580544 . . [5.1.2600.2180] . . d:\windows\system32\sfcfiles.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"msnmsgr"="d:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

"MSMSGS"="d:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"egui"="d:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-08-18 1447168]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="d:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"_nltide_3"="advpack.dll" [2004-08-04 99840]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]

2006-08-03 03:20 188482 ----a-w- d:\windows\system32\LgNotify.dll

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]

path=d:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk

backup=d:\windows\pss\Bluetooth Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2008-01-11 22:16 39792 ----a-w- d:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]

2004-08-04 01:56 15360 ------w- d:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

2004-04-15 15:05 4866048 ----a-w- d:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

2004-04-15 15:05 323584 ----a-w- d:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRONoMgr.exe]

2005-07-07 06:08 135168 ----a-w- d:\program files\Intel\NCS\PROSet\PRONoMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]

2004-08-06 08:27 860160 ----a-w- d:\program files\Analog Devices\SoundMAX\SMax4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]

2004-04-01 10:52 1368064 ----a-w- d:\program files\Analog Devices\SoundMAX\SMax4PNP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZCfgSvc.exe]

2006-08-03 03:19 639040 ----a-w- d:\windows\system32\ZCfgSvc.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"d:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"d:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"d:\\Program Files\\Messenger\\msmsgs.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"6393:TCP"= 6393:TCP:yqdtcj

R1 epfwtdir;epfwtdir;d:\windows\system32\drivers\epfwtdir.sys [18/08/2008 09:27 34312]

R2 ekrn;Eset Service;d:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [21/12/2007 04:21 468224]

R3 WacomPen;Wacom Serial Pen HID Driver;d:\windows\system32\drivers\wacompen.sys [06/11/2009 22:19 13568]

S2 xkhbnp;Security Boot;d:\windows\system32\svchost.exe -k netsvcs [06/11/2009 22:06 14336]

S3 hwusbfake;Huawei DataCard USB Fake;d:\windows\system32\drivers\ewusbfake.sys [24/12/2009 20:39 102656]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

xkhbnp

.

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyOverride = <local>

IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-01-01 16:37

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys intelide.sys PCIIDEX.SYS portcls.sys smwdm.sys ks.sys >>UNKNOWN [0xF3871000]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xf8578fc3

\Driver\ACPI -> ACPI.sys @ 0xf84ebcb8

\Driver\atapi -> atapi.sys @ 0xf845f7b4

IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a1afe

ParseProcedure -> ntoskrnl.exe @ 0x80570a6e

\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a1afe

ParseProcedure -> ntoskrnl.exe @ 0x80570a6e

NDIS: -> SendCompleteHandler -> 0x0

PacketIndicateHandler -> 0x0

SendHandler -> 0x0

user & kernel MBR OK

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1076)

d:\windows\system32\sirenacm.dll

d:\windows\system32\LgNotify.dll

- - - - - - - > 'explorer.exe'(3200)

d:\windows\system32\msi.dll

.

------------------------ Other Running Processes ------------------------

.

d:\windows\system32\nvsvc32.exe

d:\program files\Analog Devices\SoundMAX\SMAgent.exe

d:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2010-01-01 16:40:13 - machine was rebooted

ComboFix-quarantined-files.txt 2010-01-01 16:40

Pre-Run: 51,553,771,520 bytes free

Post-Run: 51,529,019,392 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

C:\="Microsoft Windows"

- - End Of File - - 6CB982A489F0D419F1D487F773CCB09B


1. Please open Notepad

  • Click Start , then Run
  • type in notepad in the Run Box then hit ok.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KILLALL::

FCopy::
D:\WINDOWS\system32\drivers\atapi.sys | D:\WINDOWS\system32\dllcache\atapi.sys

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6393:TCP"=-


Driver::
xkhbnp

File::
d:\windows\system32\krl32mainweq.dll

MIA::
d:\windows\system32\sfcfiles.dll

NetSvc::
xkhbnp

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScriptB-4.gif

5. After reboot, (in case it asks to reboot), please post the following report/log into your next reply:

  • Combofix.txt

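The FCopy:: and MIA:: directives in the script above are an integrity repair rather than a deletion. In the ComboFix log, the Find3M report shows atapi.sys with a modified date of 2009-12-29 against a 2004 creation date and a stock file size, and the Sigcheck section marks sfcfiles.dll as not matching its expected hash. FCopy:: overwrites the live file with the copy Windows keeps in system32\dllcache; MIA:: is for the case where that copy is missing or also bad and the file has to come from outside the machine. The Python below, an added example that is not ComboFix code and not from the thread, makes that decision for a list of protected files against known-good hashes. The hashes and file contents are constructed bytes in a temporary directory, not Windows binaries, and both copies are placed directly under a fake system32 rather than under drivers\ and dllcache\ as on the real box. Two caveats a practitioner would add: take reference hashes from a clean install of the same service pack, never from the suspect machine, and hash the files from a clean boot environment, because a kernel-mode driver that filters disk reads can hand the original bytes back to a scanner running under the infected OS.

```python
"""Classify protected system files against their dllcache copy and a reference hash.

Added example: not ComboFix code and not from the thread. It mirrors the
decision behind the FCopy:: and MIA:: directives in the CFScript above.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Dict, Optional


def sha256_of(path: Path) -> Optional[str]:
    """Hex SHA-256 of a file, or None if it does not exist."""
    if not path.is_file():
        return None
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(live: Path, cache: Path, known_good: str) -> str:
    """Decide what to do with one protected file.

    clean                  live copy matches the reference hash
    restore-from-dllcache  live copy is bad but the dllcache copy is good (FCopy:: case)
    restore-from-media     neither copy matches; the file must come from install media
                           or a clean machine of the same service pack (MIA:: case)
    """
    if sha256_of(live) == known_good:
        return "clean"
    if sha256_of(cache) == known_good:
        return "restore-from-dllcache"
    return "restore-from-media"


def restore_from_cache(live: Path, cache: Path) -> Optional[str]:
    """Overwrite the live file with the dllcache copy and return the new hash."""
    shutil.copy2(cache, live)
    return sha256_of(live)


def audit(system32: Path, reference: Dict[str, str], fix: bool = False) -> Dict[str, str]:
    """Classify every file in `reference`; with fix=True, apply the dllcache restore."""
    results = {}
    for name, digest in reference.items():
        live, cache = system32 / name, system32 / "dllcache" / name
        verdict = classify(live, cache, digest)
        if fix and verdict == "restore-from-dllcache":
            if restore_from_cache(live, cache) == digest:
                verdict = "restored"
        results[name] = verdict
    return results


def demo() -> Dict[str, Dict[str, str]]:
    """Build a constructed system32 tree in a temp dir and audit it twice.

    File contents are made-up bytes, not Windows binaries; the names mirror the
    files handled in the CFScript above.
    """
    with tempfile.TemporaryDirectory() as tmp:
        system32 = Path(tmp) / "system32"
        (system32 / "dllcache").mkdir(parents=True)
        good = {"atapi.sys": b"good atapi", "sfcfiles.dll": b"good sfcfiles",
                "ntoskrnl.exe": b"good kernel"}
        # Reference digests derived from the constructed clean contents.
        reference = {n: hashlib.sha256(b).hexdigest() for n, b in good.items()}
        # atapi.sys: live copy patched, dllcache still intact (FCopy:: fixes it)
        (system32 / "atapi.sys").write_bytes(b"patched atapi")
        (system32 / "dllcache" / "atapi.sys").write_bytes(good["atapi.sys"])
        # sfcfiles.dll: both copies replaced, so dllcache cannot help (MIA:: case)
        (system32 / "sfcfiles.dll").write_bytes(b"patched sfcfiles")
        (system32 / "dllcache" / "sfcfiles.dll").write_bytes(b"patched sfcfiles")
        # ntoskrnl.exe: untouched
        (system32 / "ntoskrnl.exe").write_bytes(good["ntoskrnl.exe"])
        (system32 / "dllcache" / "ntoskrnl.exe").write_bytes(good["ntoskrnl.exe"])
        before = audit(system32, reference)
        after = audit(system32, reference, fix=True)
        return {"before": before, "after": after}


if __name__ == "__main__":
    for stage, verdicts in demo().items():
        for name, verdict in verdicts.items():
            print(f"{stage:7} {name:14} {verdict}")
```

The first audit reports atapi.sys as restorable from dllcache, sfcfiles.dll as needing an outside source and ntoskrnl.exe as clean; the second, run with fix=True, restores atapi.sys and re-verifies it, while sfcfiles.dll stays flagged because a bad dllcache copy is exactly the case a file copy cannot repair.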
