
malware problem



Hi, I am 100% sure I'm infected with the litinika.dll malware. So, being the usual panic PC user, I searched for a solution here and there and tried some things.

The first thing I tried, though, was ComboFix. I'm not sure what version, but it deleted some stuff and everything seems fine, but after some time it's back. After running ComboFix a few times I gave up, as the problem still persisted.

So I turned to MBAM. But after installing it I had the problems stated in the "Procedures to help resolve issues preventing MBAM from running" (since I didn't know it was the malware that does this before joining here). I simply uninstalled MBAM and tried another solution, which is deleting the quarantine folder of ComboFix; I downloaded the latest version of ComboFix, ran the thing again, and up to now everything looks fine.

So now I have downloaded a new version of MBAM, but I'm not sure whether to install it or not, since I don't know if my PC is free from the malicious programs.

I don't have HJT, and haven't done any other steps but the above. I'm also posting the ComboFix log.

Another burning question I have: is it safe to delete the "quarantine folder" of ComboFix? If I delete it, will the contents in it exploit the feature of the TuneUp utility called "TuneUp Undelete" and come back?

I really am not sure if my system is free or not and am in need of help. Thank you in advance.

ComboFix log:

ComboFix 10-01-23.05 - Mafia 01/24/2010 17:06:12.4.4 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2711 [GMT 8:00]

Running from: c:\documents and settings\Mafia\My Documents\ComboFix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\bebuviza.dll

c:\windows\system32\dezuzara.dll

c:\windows\system32\jikotato.dll

c:\windows\system32\kagavuva.dll

c:\windows\system32\tegavipo.dll

c:\windows\system32\tubiwewa.dll

c:\windows\system32\vojedayu.dll

c:\windows\Tasks\kqbnnvmt.job

c:\windows\Temp\tmp3.tmp

.

((((((((((((((((((((((((( Files Created from 2009-12-24 to 2010-01-24 )))))))))))))))))))))))))))))))

.

2010-01-23 22:50 . 2010-01-23 22:50 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2010-01-22 07:49 . 2010-01-23 21:56 -------- d-----w- c:\documents and settings\Mafia\Application Data\BitComet

2010-01-04 17:16 . 2010-01-07 14:52 -------- d-----w- c:\windows\system32\Hummbird

2010-01-01 18:58 . 2010-01-01 18:58 -------- d-----w- c:\documents and settings\Mafia\Application Data\Braid

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-01-24 09:01 . 2009-05-17 14:19 -------- d-----w- c:\program files\mIRC

2010-01-23 23:16 . 2009-06-15 15:37 -------- d-----w- c:\documents and settings\Mafia\Application Data\uTorrent

2010-01-23 23:02 . 2009-05-17 15:47 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2010-01-23 22:32 . 2009-05-17 16:54 -------- d-----w- c:\documents and settings\Mafia\Application Data\ReGet Software

2010-01-17 20:25 . 2009-05-17 15:33 -------- d-----w- c:\documents and settings\Mafia\Application Data\Free Download Manager

2010-01-01 13:48 . 2009-12-06 11:17 -------- d-----w- c:\documents and settings\Mafia\Application Data\runic games

2009-12-05 10:52 . 2009-05-17 17:09 -------- d-----w- c:\program files\Winamp

2009-12-05 10:07 . 2009-12-05 10:07 67584 ----a-w- c:\windows\system32\xanalyze.dll

2009-12-05 10:07 . 2009-12-05 10:07 19299 ----a-w- c:\windows\system32\SpoonUninstall-dBpowerAMP Music Converter.dat

2009-12-05 10:07 . 2009-05-17 18:44 164352 ----a-w- c:\windows\system32\SpoonUninstall.exe

2009-12-03 17:51 . 2009-12-03 17:51 -------- d-----w- c:\documents and settings\Mafia\Application Data\Malwarebytes

2009-12-03 17:51 . 2009-12-03 17:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

.

------- Sigcheck -------

[-] 2008-07-12 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RTHDCPL"="RTHDCPL.EXE" [2008-07-16 16806400]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-17 148888]

"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-08-12 1657376]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-16 13877248]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-08-16 86016]

"RivaTunerStartupDaemon"="c:\program files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTuner.exe" [2009-08-22 2781184]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"nltide_2"="shell32" [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]

2007-05-15 07:55 1057328 ----a-w- c:\program files\Nero\Nero 7\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2004-10-13 08:04 278528 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

2007-03-01 07:57 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2009-05-18 09:01 98304 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecurDisc]

2007-05-15 07:55 1628208 ----a-w- c:\program files\Nero\Nero 7\InCD\NBHGui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"McAfeeFramework"=2 (0x2)

"TuneUp.ProgramStatisticsSvc"=2 (0x2)

"TuneUp.Defrag"=3 (0x3)

"InCDsrv"=2 (0x2)

"iPodService"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Free Download Manager\\fdm.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\mIRC\\mirc.exe"=

"c:\\Program Files\\ReGet Software\\ReGet Deluxe\\ReGetDx.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Documents and Settings\\Mafia\\My Documents\\TBM\\HTTP Tunnel Genius.exe"=

"c:\\Program Files\\Avira\\AntiVir Desktop\\avgnt.exe"=

R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [5/18/2009 2:01 PM 155136]

R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [5/18/2009 2:01 PM 5248]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [5/18/2009 1:28 AM 108289]

R3 nvoclock;NVIDIA Enthusiasts Platform KDM;c:\windows\system32\drivers\nvoclock.sys [3/9/2009 12:25 PM 38304]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

UxTuneUp

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.manutd.com/

uInternet Settings,ProxyOverride = local

IE: Do&wnload by ReGet Deluxe - c:\program files\Common Files\ReGet Shared\CC_Link.htm

IE: Download A&ll by ReGet Deluxe - c:\program files\Common Files\ReGet Shared\CC_All.htm

IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm

IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm

IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Mafia\Application Data\Mozilla\Firefox\Profiles\sxtgfwq3.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.talksoccer.net/forum/italian-football/

FF - component: c:\documents and settings\Mafia\Application Data\Mozilla\Firefox\Profiles\sxtgfwq3.default\extensions\{93EAA62A-6E42-4891-927A-DFFC6A684F7A}\components\MozillaFFExtension.dll

---- FIREFOX POLICIES ----

FF - user.js: network.http.max-persistent-connections-per-server - 4

FF - user.js: nglayout.initialpaint.delay - 600

FF - user.js: content.notify.interval - 600000

FF - user.js: content.max.tokenizing.time - 1800000

FF - user.js: content.switch.threshold - 600000

.

- - - - ORPHANS REMOVED - - - -

BHO-{e8968037-2846-40ae-b932-d93820f970b4} - tubiwewa.dll

HKLM-Run-futubivez - c:\windows\system32\bebuviza.dll

HKLM-Run-zohohunudo - kagavuva.dll

SharedTaskScheduler-{f80fd5f0-67e4-456c-8c84-408446d834a7} - c:\windows\system32\bebuviza.dll

SSODL-zebapowuh-{f80fd5f0-67e4-456c-8c84-408446d834a7} - c:\windows\system32\bebuviza.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-01-24 17:09

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A32A438]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xb80ecf28

\Driver\ACPI -> ACPI.sys @ 0xb7f59cb8

\Driver\atapi -> 0x8a32a438

IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8

ParseProcedure -> ntkrnlpa.exe @ 0x805827e8

\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8

ParseProcedure -> ntkrnlpa.exe @ 0x805827e8

NDIS: Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller -> SendCompleteHandler -> NDIS.sys @ 0xb7ddfbb0

PacketIndicateHandler -> NDIS.sys @ 0xb7dcea0d

SendHandler -> NDIS.sys @ 0xb7de2b40

Warning: possible MBR rootkit infection !

user & kernel MBR OK

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2492)

c:\windows\system32\wpdshserviceobj.dll

c:\windows\system32\portabledevicetypes.dll

c:\windows\system32\portabledeviceapi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\nvsvc32.exe

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\NVIDIA Corporation\nTune\nTuneService.exe

c:\windows\system32\wscntfy.exe

c:\windows\RTHDCPL.EXE

c:\windows\system32\RUNDLL32.EXE

.

**************************************************************************

.

Completion time: 2010-01-24 17:11:40 - machine was rebooted

ComboFix-quarantined-files.txt 2010-01-24 09:11

Pre-Run: 11,212,943,360 bytes free

Post-Run: 11,187,118,080 bytes free

- - End Of File - - CD15162720A55A302A19A9F71F5B1BBB


  • Root Admin

Please do the following.

STEP 01

Put the CD in (exit out if it auto launches) and then do the following.

Assuming your CD is the D: drive do the following. (if your CD-ROM is not D: then use the correct drive letter)

Click on START - RUN and copy or type exactly the code box below into the run line and then click OK

CMD /K EXPAND D:\I386\SFCFILES.DL_ C:\SFCFILES.DDD

This should produce a message similar to this

Microsoft


Disconnect from the Internet.
It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed.

OK, I'll run the steps. But I'm confused a bit about the Recovery Console thing. Do I download it first and then disconnect from the Internet? Since, if I'm not mistaken, it will require an active connection, right?


  • Root Admin

I assumed from your previous responses that you did not have connectivity to the Internet. I'm sorry if I'm mistaken on that. If you do have connectivity then I would download and install it, but currently with the unsigned files issues it doesn't look like the Windows installer service would run anyways.

For now if you can just try to run the script as shown. Create the new text file with that entry you've already done. Then drag and drop it on top of Combofix again and let it run.


  • Root Admin

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.
