Tried following the instructions in "I'm infected -- what do I do now?" thread, with the following results:

1. MBAM log didn't find anything -- attached

2. Defogger: gave an "ok" message, but didn't prompt a reboot and created a defogger_disable file on the desktop

3. DDS logs below and attached

4. GMER did not complete (gave up after 3 tries): got the "blue screen of death" with the error "page_fault_in_nonpaged_area" in file "pxxoykow.sys" (which brings up nothing on Google -- the Windows error report help text is attached and refers to some driver issue)

Please help! I'm not at all knowledgeable about this kind of thing -- Norton seems to classify this as a relatively low risk issue, but everything else I've seen sounds bad to me; plus the PC isn't quite right -- it's not as bad as some others I've seen here, but I'm guessing it's just a matter of time.

Thanks in advance!

----------------

DDS.txt

DDS (Ver_10-03-17.01) - NTFSx86

Run by Admin at 23:01:56.56 on Wed 05/12/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.358 [GMT -4:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

svchost.exe

svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\WINDOWS\system32\brsvc01a.exe

C:\WINDOWS\system32\brss01a.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\MozyHome\mozybackup.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\Program Files\Dell Support Center\bin\sprtsvc.exe

svchost.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe

C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Symantec AntiVirus\DoScan.exe

C:\Program Files\MozyHome\mozystat.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Dell Support Center\gs_agent\dsc.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\Documents and Settings\Admin\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.yahoo.com/

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

mRun: [ehTray] c:\windows\ehome\ehtray.exe

mRun: [intelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"

mRun: [intelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless

mRun: [sigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe

mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [vptray] c:\progra~1\symant~1\VPTray.exe

mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"

mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [blackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mozyho~1.lnk - c:\program files\mozyhome\mozystat.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1219794864437

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

Notify: AtiExtEvent - Ati2evxx.dll

Notify: NavLogon - c:\windows\system32\NavLogon.dll

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]

R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2007-5-29 192104]

R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2007-5-29 169576]

R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]

R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2007-6-6 1821376]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-9-4 102448]

R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100512.005\naveng.sys [2010-5-12 85552]

R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100512.005\navex15.sys [2010-5-12 1347504]

S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2007-6-6 116928]

S3 utqwodiy;AVZ Kernel Driver;c:\windows\system32\drivers\utqwodiy.sys [2010-5-12 7168]

=============== Created Last 30 ================

2010-05-13 02:57:30 0 ----a-w- c:\documents and settings\admin\defogger_reenable

2010-05-13 02:34:26 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-05-13 02:34:23 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-05-13 01:55:55 7168 ----a-w- c:\windows\system32\drivers\utqwodiy.sys

2010-05-10 01:44:20 0 d-----w- c:\docume~1\admin\applic~1\Malwarebytes

2010-05-10 01:44:08 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-05-10 01:44:08 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

==================== Find3M ====================

2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll

2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll

2010-02-16 14:08:49 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-02-16 13:25:04 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe

2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll

2008-08-30 15:24:49 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008083020080831\index.dat

============= FINISH: 23:02:49.00 ===============

Attach.txt

DDS.txt
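Added triage example (not part of the original post, and not a Malwarebytes or DDS tool): a small parser for the two DDS sections that matter most when a rootkit is suspected, "SERVICES / DRIVERS" and "Created Last 30". It cross-references every loaded .sys driver against the recently created files and additionally flags eight-lowercase-letter driver names, which is an assumed heuristic rather than anything the log format defines. The embedded input is an excerpt copied from the DDS output above so the script runs offline; the lone driver it surfaces is the utqwodiy.sys entry whose creation time falls inside the last-30-days window.

```python
import re

# Excerpt copied from the DDS.txt posted above (sections trimmed to the lines
# needed for the demonstration).
DDS_EXCERPT = r"""
============= SERVICES / DRIVERS ===============
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2007-5-29 192104]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100512.005\naveng.sys [2010-5-12 85552]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2007-6-6 116928]
S3 utqwodiy;AVZ Kernel Driver;c:\windows\system32\drivers\utqwodiy.sys [2010-5-12 7168]
=============== Created Last 30 ================
2010-05-13 02:34:26 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-13 02:34:23 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-13 01:55:55 7168 ----a-w- c:\windows\system32\drivers\utqwodiy.sys
2010-05-10 01:44:20 0 d-----w- c:\docume~1\admin\applic~1\Malwarebytes
==================== Find3M ====================
"""

# "R1 name;description;path [yyyy-m-d size]"
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.+?) "
    r"\[(?P<date>\d{4}-\d{1,2}-\d{1,2}) (?P<size>\d+)\]$"
)
# "yyyy-mm-dd hh:mm:ss size attrs path"
CREATED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<size>\d+) (?P<attrs>\S+) (?P<path>.+)$"
)
# Assumed heuristic: TDSS-style droppers often use an 8-letter lowercase name.
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}$")


def parse_dds(text):
    """Return (services, created): service entries and a path->entry map of
    files (not directories) listed under 'Created Last 30'."""
    section = None
    services, created = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("="):
            section = line.strip("= ").lower()   # e.g. "services / drivers"
            continue
        if section == "services / drivers":
            m = SERVICE_RE.match(line)
            if m:
                services.append(m.groupdict())
        elif section == "created last 30":
            m = CREATED_RE.match(line)
            if m and not m.group("attrs").startswith("d"):
                created[m.group("path").lower()] = m.groupdict()
    return services, created


def triage(text):
    """List loaded .sys drivers that were created recently or carry a
    machine-generated-looking file name, with the reason for each."""
    services, created = parse_dds(text)
    findings = []
    for svc in services:
        path = svc["path"].lower()
        if not path.endswith(".sys"):
            continue
        reasons = []
        if path in created:
            reasons.append("driver file created in last 30 days (%s)" % created[path]["ts"])
        stem = path.rsplit("\\", 1)[-1][:-4]
        if RANDOM_NAME_RE.match(stem):
            reasons.append("eight-letter lowercase name looks machine-generated")
        if reasons:
            findings.append({"name": svc["name"], "desc": svc["desc"],
                             "path": svc["path"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(DDS_EXCERPT):
        print("%s (%s) -> %s" % (f["name"], f["path"], "; ".join(f["reasons"])))
```

The output is a starting point for the helper reading the thread, not a verdict: a legitimate scanner driver (mbam.sys here) also shows up under "Created Last 30", which is why only drivers that are actually registered as services are reported, and why the name heuristic is kept separate from the date match.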


Forgot a few attachments:

1. MBAM log

2. Windows error message from the GMER blue screen -- not that it's very helpful

Also, realized that I should have been clearer about what's going on:

- Neither Norton AV nor MBAM detects anything when doing a full (or quick) scan

- However, Norton autoprotect pops up on a regular basis with the message that "auto protect has acted on the risks" -- for some reason, I can't seem to copy the info it's providing, but basically, there are 4 lines (that all look the same to me) that are identified as the backdoor.tidserv!inf threat, filename A0032836.sys, original location C:\system volume information\_restore{a bunch of stuff}\RP624, with action description "clean was partially successful"

- Clicking on the link in the popup window brings you to a page where Norton/Symantec is basically saying it's a low threat (http://securityresponse.symantec.com/security_response/writeup.jsp?docid=2008-111113-1112-99) and says that to remove the threat I need to "restore system files using Recovery Console" -- which is something I've never done and am a little nervous to do (never mind whether or not I have everything needed to use it)

- Finally, I've tried using tdsskiller from Kaspersky as well as Norman TDSS cleaner, and neither found or did anything

Thanks again for any assistance...

P.S.: for some reason, the defogger disable file won't upload, but the contents are:

defogger_disable by jpshortstuff (23.02.10.1)

Log created at 22:57 on 12/05/2010 (Admin)

Checking for autostart values...

HKCU\~\Run values retrieved.

HKLM\~\Run values retrieved.

Checking for services/drivers...

-=E.O.F=-

mbam_log_2010_05_12__22_54_46_.txt

Microsoft_Windows_Error_Reporting.txt


  • Staff

Hi and welcome to Malwarebytes.

I'm afraid I have bad news.

Your logs reveal a backdoor trojan. A backdoor severely compromises system integrity.

A compromised system may allow illicit network connections, disabling of security software, modification of critical system files, and collection and transmission of personally identifiable information without your consent.

I recommend that you disconnect this PC from the Internet immediately, and only reconnect to download any tools that are required. If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. If it were on my PC I would not hesitate for a moment to do so. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

Should you decide not to follow that advice, we will of course do our best to clean the computer of any infections that we can see but, as I already stated, we can in no way guarantee it to be trustworthy.

Should you have any questions, please feel free to ask.

Let me know what you decide.


  • 3 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
