Jump to content

Malware keeps re-appearing


Recommended Posts

Hi, I have been having trouble with malwares on this computer but since I haven't had time in the last few weeks, i couldn't fix them.

3 weeks ago, i got infected witha rogue. I removed the rogue but the rootkit keeps reappearing.

Malwarebytes' Anti-Malware 1.44

Database version: 3639

Windows 5.1.2600 Service Pack 2

Internet Explorer 8.0.6001.18702

26-Jan-10 12:19:22 AM

mbam-log-2010-01-26 (00-19-22).txt

Scan type: Full Scan (C:\|)

Objects scanned: 193174

Time elapsed: 2 hour(s), 0 minute(s), 7 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 3

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\Interface\{988934a4-064b-11d3-bb80-00104b35e7f9} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{a1dd29ed-2598-48e9-9793-64a9cd08ac94} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Typelib\{87ca3845-37fe-414c-81cf-e08a7d0f6779} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\ComboFix\Combo-Fix.sys (Malware.Trace) -> Not selected for removal.

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\bxgti.sys.vir (Rootkit.Agent) -> Quarantined and deleted successfully.

-----------Scan log from 3 weeks ago------------

Malwarebytes' Anti-Malware 1.43

Database version: 3484

Windows 5.1.2600 Service Pack 2

Internet Explorer 8.0.6001.18702

03-Jan-10 1:25:32 AM

mbam-log-2010-01-03 (01-25-32).txt

Scan type: Full Scan (C:\|D:\|)

Objects scanned: 189351

Time elapsed: 1 hour(s), 56 minute(s), 46 second(s)

Memory Processes Infected: 1

Memory Modules Infected: 0

Registry Keys Infected: 5

Registry Values Infected: 5

Registry Data Items Infected: 2

Folders Infected: 2

Files Infected: 14

Memory Processes Infected:

C:\Documents and Settings\Xuenong Chen\Local Settings\Application Data\myaabo\jabnsysguard.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{77fef28e-eb96-44ff-b511-3185dea48697} (Trojan.Cinmus) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b580cf65-e151-49c3-b73f-70b13fca8e86} (Trojan.Cinmus) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\AvScan (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\driwvumf (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\winid (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\asg984jgkfmgasi8ug98jgkfgfb (Trojan.Downloader) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ygua8e7yhuiesfha876yfauy8fe (Trojan.Downloader) -> Delete on reboot.

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

C:\Documents and Settings\Xuenong Chen\Application Data\DriveCleaner 2006 Free (Rogue.DriveCleaner) -> Quarantined and deleted successfully.

C:\Documents and Settings\Xuenong Chen\Application Data\DriveCleaner 2006 Free\Logs (Rogue.DriveCleaner) -> Quarantined and deleted successfully.

Files Infected:

C:\Documents and Settings\Xuenong Chen\Local Settings\Application Data\myaabo\jabnsysguard.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Documents and Settings\Xuenong Chen\funshion\update\FunshionInstall1.5.2.15Beta.exe.fc! (Rogue.FusionCodec) -> Quarantined and deleted successfully.

C:\Documents and Settings\Xuenong Chen\Local Settings\Temp\52bb6ca6.exe (Spyware.Passwords) -> Quarantined and deleted successfully.

C:\Documents and Settings\Xuenong Chen\Local Settings\Temporary Internet Files\Content.IE5\7VHY2L6L\instRLS[1].exe (Spyware.Passwords) -> Quarantined and deleted successfully.

C:\Documents and Settings\Xuenong Chen\Local Settings\Temporary Internet Files\Content.IE5\7VHY2L6L\uwthqe[1].htm (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\Documents and Settings\Xuenong Chen\Local Settings\Temporary Internet Files\Content.IE5\7VHY2L6L\vzbcco[1].htm (Spyware.Passwords) -> Quarantined and deleted successfully.

C:\Documents and Settings\Xuenong Chen\Local Settings\Temporary Internet Files\Content.IE5\7VHY2L6L\wcijgcqd[1].htm (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\kbdsock.dll.vir (Spyware.Passwords) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\mshlps.dll.vir (Spyware.Passwords) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\DRIVERS\bxgti.sys (Rootkit.Agent) -> Delete on reboot.

C:\Documents and Settings\Xuenong Chen\Application Data\DriveCleaner 2006 Free\Logs\update.log (Rogue.DriveCleaner) -> Quarantined and deleted successfully.

C:\Documents and Settings\Xuenong Chen\Local Settings\Temp\lsass.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Xuenong Chen\Local Settings\Temp\jisfije9fjoiee.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\Xuenong Chen\Local Settings\Temp\dfgdgdfgrgdgfdrdfs.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.

-------------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:34:01 AM, on 26-Jan-10

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\brsvc01a.exe

C:\WINDOWS\system32\brss01a.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\WINDOWS\SYSTEM32\Brmfrmps.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Apoint\Apoint.exe

C:\WINDOWS\AGRSMMSG.exe

C:\WINDOWS\System32\keyhook.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\WINDOWS\system32\wfxsnt40.exe

C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Documents and Settings\Xuenong Chen\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll

O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [siS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe

O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

O4 - HKLM\..\Run: [indexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe

O4 - HKLM\..\Run: [setDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe

O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun

O4 - HKLM\..\Run: [Adobe Photo Downloader] C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MoneyAgent] C:\Program Files\Microsoft Money\System\mnyexpr.exe

O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot

O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe

O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe

O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Encarta &Definition - http://encarta.msn.com/encnet/features/dic...kDictionary.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll

O9 - Extra button: (no name) - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - (no file)

O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab

O16 - DPF: {3BA3B159-7533-4F96-A2CE-EE5894BBD3D5} (Scanner.SysScanner) - http://i.dell.com/images/global/js/scanner/SYSSCANNER.cab

O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/support/includes/cabs/si.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O20 - Winlogon Notify: ddcaxwt - ddcaxwt.dll (file missing)

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\SYSTEM32\Brmfrmps.exe

O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe

O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--

End of file - 7305 bytes

so I'm pretty sure the C\WINDOWS\SYSTEM32\DRIVERS\bxgti.sys.vir rootkit is still lurking..I can only detect it with a full scan. I have 2 more logs that show this rootkit from before.

ANy help is greatly appreciated :D

Link to post
Share on other sites

  • Staff

Hi,

so I'm pretty sure the C\WINDOWS\SYSTEM32\DRIVERS\bxgti.sys.vir rootkit is still lurking..I can only detect it with a full scan. I have 2 more logs that show this rootkit from before.

As a matter of fact, it's not, because Malwarebytes detects it here:

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\bxgti.sys.vir (Rootkit.Agent) -> Quarantined and deleted successfully.

You have used Combofix before and Combofix already deleted (moved) that file to its own quarantine folder and that's where malwarebytes was detecting it.

* Go to start > run and copy and paste next command in the field:

ComboFix /Uninstall

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Let me know if you're still having problems.

Link to post
Share on other sites

  • 2 weeks later...
  • Staff

Since there is no feedback anymore, I assume this issue is resolved ... so, this Topic is closed.

If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.