
Rootkit.agent and trojan.downloader

I read an informative thread posted by joaquin involving a pesky rootkit.agent and after browsing around I decided to post this - I have rootkit.agent and trojan.downloader that are impossible to get rid of. I ran Malwarebytes a few times; it detects them, but after a reboot these things are never eradicated. Driving me nuts. Is there a particularly efficient way to get rid of this stuff?


Hello rbk! Welcome to Malwarebytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Follow my instructions step by step. If there is a problem somewhere, stop and tell me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms do not mean that everything is okay.
  • Instructions that I give are for your system only!
  • If you don't know or can't understand something, please ask.
  • Do not install or uninstall any software or hardware while we work on it.
  • Keep me informed about any changes.

Please follow these instructions:

http://forums.malwarebytes.org/index.php?showtopic=9573

Post all logs if you can.


Thanks Borislav...much appreciated. Hope it's all here for you...

Here are the logs...

MalwareBytes log:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4278

Windows 5.1.2600 Service Pack 2

Internet Explorer 8.0.6001.18702

7/5/2010 4:40:49 PM

mbam-log-2010-07-05 (16-40-49).txt

Scan type: Quick scan

Objects scanned: 143355

Time elapsed: 37 minute(s), 27 second(s)

Memory Processes Infected: 1

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 3

Memory Processes Infected:

C:\WINDOWS\Temp\BN1.tmp (Trojan.Downloader) -> Failed to unload process.

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\Temp\BN1.tmp (Trojan.Downloader) -> Delete on reboot.

C:\WINDOWS\system32\Drivers\ntndis.sys (Rootkit.Agent) -> Delete on reboot.

C:\WINDOWS\system32\ipsecndis.sys (Rootkit.Agent) -> Delete on reboot.

DDS.txt log:

DDS (Ver_10-03-17.01) - NTFSx86

Run by Eunice Korol at 20:56:03.21 on Mon 07/05/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.302 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

C:\WINDOWS\Explorer.EXE

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\Dell\QuickSet\bak\quickset.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\TELUS eCare\bin\mpbtn.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\TEMP\BN1.tmp

C:\Program Files\Skype\Plugin Manager\skypePM.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Java\jre6\bin\jucheck.exe

C:\Documents and Settings\Eunice Korol\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.mytelus.com/

uDefault_Page_URL = hxxp://www.dell.com/

uWindow Title = Microsoft Internet Explorer provided by TELUS Internet Services

uInternet Settings,ProxyOverride = localhost;*.local

mSearchAssistant = hxxp://search.alot.com/sidebar?pr=asst&client_id=4EED6C3001C878B700FA153D&install_time=26-02-2008:13:36&src_id=11031&tb_version=1.1.0.171&q=Updates&url=http%3A%2F%2Fwww%2Emytelus%2Ecom%2F

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll

BHO: ALOT Toolbar: {5aa2ba46-9913-4dc7-9620-69ab0fa17ae7} - c:\program files\alot\bin\alot.dll

BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: ALOT Toolbar: {5aa2ba46-9913-4dc7-9620-69ab0fa17ae7} - c:\program files\alot\bin\alot.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -

TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File

TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File

EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll

uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

uRun: [skype] "c:\program files\skype\\phone\Skype.exe" /nosplash /minimized

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [<NO NAME>]

mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe

mRun: [Dell QuickSet] c:\program files\dell\quickset\bak\quickset.exe

mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe

mRun: [MMTray] "c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe"

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil9f.exe

StartupFolder: c:\docume~1\eunice~1\startm~1\programs\startup\adobem~1.lnk - c:\program files\adobe media player\Adobe Media Player.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\teluse~1.lnk - c:\program files\telus ecare\bin\matcli.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE

IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office10\EXCEL.EXE/3000

IE: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll

Trusted Zone: doginhispen.com

Trusted Zone: whataboutadog.com

Trusted Zone: whataboutarabit.com

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -

DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} - hxxp://dl.tvunetworks.com/TVUAx.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://javadl.sun.com/webapps/download/AutoDL?BundleId=27986

DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {D4003189-95B1-4A2F-9A87-F2B03665960D} - hxxp://www.vexcast.com/download/vexcast.cab

Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: AtiExtEvent - Ati2evxx.dll

Notify: avgrsstarter - avgrsstx.dll

Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

=============== Created Last 30 ================

2010-07-06 02:43:31 0 d-sh--w- c:\documents and settings\eunice korol\IECompatCache

2010-07-06 02:23:18 0 ----a-w- c:\documents and settings\eunice korol\defogger_reenable

2010-07-05 15:55:03 0 d-----w- c:\docume~1\eunice~1\applic~1\Malwarebytes

2010-07-05 15:54:37 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-07-05 15:54:33 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-07-05 15:54:32 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-07-05 15:54:31 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-10 02:56:30 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll

==================== Find3M ====================

2010-06-27 07:35:37 211072 -c--a-w- c:\windows\system32\drivers\ndis.sys

2010-05-14 21:29:53 40770 ----a-w- c:\docume~1\eunice~1\applic~1\wklnhst.dat

2010-05-05 13:30:57 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe

2010-05-02 05:56:34 1850880 ----a-w- c:\windows\system32\win32k.sys

2010-05-02 05:56:34 1850880 ------w- c:\windows\system32\dllcache\win32k.sys

2010-04-20 05:51:20 285696 ----a-w- c:\windows\system32\atmfd.dll

2010-04-20 05:51:20 285696 ------w- c:\windows\system32\dllcache\atmfd.dll

2010-04-16 14:33:36 3003680 ----a-w- c:\windows\system32\usbaaplrc.dll

2010-04-08 19:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-04-08 19:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe

2008-03-10 02:30:19 192311 --sha-w- c:\windows\system32\lmllm.ini2

============= FINISH: 20:59:50.51 ===============

Attach.zip

ark.zip

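Every detection in the Malwarebytes log above carries the action "Delete on reboot" or "Failed to unload process" rather than a completed removal, which is why the same items are back after each restart. The following is an added example, not code from this thread or from Malwarebytes: a small Python parser for that 1.46 log format that extracts each detection, checks the header counts against the items actually listed, and reports which items the scan never finished removing. The log text embedded in it is constructed to mirror the one posted above.

```python
import re
from collections import Counter

# Constructed sample in the Malwarebytes' Anti-Malware 1.46 log layout,
# mirroring the detections posted in the thread (not a real captured file).
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4278
Windows 5.1.2600 Service Pack 2

Scan type: Quick scan
Objects scanned: 143355
Time elapsed: 37 minute(s), 27 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Files Infected: 3

Memory Processes Infected:
C:\WINDOWS\Temp\BN1.tmp (Trojan.Downloader) -> Failed to unload process.

Memory Modules Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Temp\BN1.tmp (Trojan.Downloader) -> Delete on reboot.
C:\WINDOWS\system32\Drivers\ntndis.sys (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\ipsecndis.sys (Rootkit.Agent) -> Delete on reboot.
"""

# "Files Infected: 3" is a summary count; "Files Infected:" opens a section.
COUNT_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected): (?P<n>\d+)$")
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")
# "<path or key> (<family>) -> <action>." with an optional trailing period.
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")


def classify(action):
    """Map MBAM's action text to removed / deferred / failed / detected."""
    a = action.lower()
    if a.startswith("failed"):
        return "failed"          # e.g. "Failed to unload process"
    if "delete on reboot" in a:
        return "deferred"        # removal postponed; the file was in use
    if "successfully" in a:
        return "removed"         # e.g. "Quarantined and deleted successfully"
    return "detected"


def parse_mbam_log(text):
    """Return {"counts": {section: n}, "detections": [per-item dicts]}."""
    counts, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = COUNT_RE.match(line)
        if m:
            counts[m.group("name")] = int(m.group("n"))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        if section is None or line.startswith("(No malicious"):
            continue
        m = ITEM_RE.match(line)
        if m:
            detections.append({
                "section": section,
                "path": m.group("path"),
                "family": m.group("family"),
                "action": m.group("action"),
                "status": classify(m.group("action")),
            })
    return {"counts": counts, "detections": detections}


def count_mismatches(report):
    """Sections whose declared count differs from the items listed (truncated log)."""
    per_section = Counter(d["section"] for d in report["detections"])
    return {name: (n, per_section.get(name, 0))
            for name, n in report["counts"].items()
            if per_section.get(name, 0) != n}


def unresolved(report):
    """Items the scan did not finish removing, keyed by path -> set of statuses."""
    pending = {}
    for d in report["detections"]:
        if d["status"] in ("deferred", "failed"):
            pending.setdefault(d["path"], set()).add(d["status"])
    return pending


def driver_paths_pending(report):
    """Deferred .sys deletions: a loaded driver that is only 'deleted on reboot'
    can be back before the deferred delete runs, so these need a rootkit tool."""
    return sorted(d["path"] for d in report["detections"]
                  if d["status"] == "deferred" and d["path"].lower().endswith(".sys"))


if __name__ == "__main__":
    rep = parse_mbam_log(SAMPLE_LOG)
    print("detections:", len(rep["detections"]), "mismatches:", count_mismatches(rep))
    for path, statuses in unresolved(rep).items():
        print("NOT REMOVED:", path, sorted(statuses))
    print("drivers pending delete:", driver_paths_pending(rep))
```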

Step 1

I see you are running Teatimer.

I suggest you disable it, because it can interfere with the changes you'll make on your system.

When everything is done and your log is clean again, you can enable it again.

If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

How to disable TeaTimer <== click me for instructions.

After you have disabled TeaTimer, download ResetTeaTimer.exe to your desktop.

Then run ResetTeaTimer.exe.

This will only take a few seconds.

Step 2

Please, uninstall the following applications:

  1. Ad-Aware SE Personal
  2. Adobe Acrobat - Reader 6.0.2 Update
  3. Adobe Reader 6.0.1
  4. LimeWire 4.10.5

You can read how to do this here:

Step 3

I also see you have Viewpoint installed...

Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.


  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player

Step 4

Please go into the Control Panel, Add/Remove and for now remove ALL versions of Java.

Then run this tool to help clean up any leftover Java.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer (or other web browser) before continuing!***

  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location and post it back when you reply.
    Then look for the following Java folders and if found delete them.
    C:\Program Files\Java
    C:\Program Files\Common Files\Java
    C:\Windows\Sun
    C:\Documents and Settings\All Users\Application Data\Java
    C:\Documents and Settings\All Users\Application Data\Sun\Java
    C:\Documents and Settings\username\Application Data\Java
    C:\Documents and Settings\username\Application Data\Sun\Java

Step 5

**Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer. **

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions, and please do not do any fixing on your own or run scanners unless requested by me or another helper.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  • If you are using Firefox, make sure that your download settings are as follows:
    • Open Tools -> Options -> Main tab
    • Set to Always ask me where to Save the files.
  • During the download, rename Combofix to Combo-Fix as follows:
    [images: CF_download_FF.gif, CF_download_rename.gif]
  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------


  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

In your next reply, please include these log(s):

  1. JavaRa log
  2. ComboFix log


JavaRa log -

JavaRa 1.15 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Tue Jul 06 10:03:30 2010

Found and removed: C:\Program Files\Java\j2re1.4.2_03

Found and removed: C:\Documents and Settings\Eunice Korol\Application Data\Sun\Java\jre1.6.0_15

Found and removed: C:\Documents and Settings\Eunice Korol\Application Data\Sun\Java\jre1.6.0_17

Found and removed: C:\Documents and Settings\Eunice Korol\Application Data\Sun\Java\jre1.6.0_18

Found and removed: C:\Documents and Settings\Eunice Korol\Application Data\Sun\Java\jre1.6.0_19

Found and removed: SOFTWARE\Microsoft\Active Setup\Installed Components\{08B0E5C0-4FCB-11CF-AAA5-00401C608500}

JavaRa 1.15 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Tue Jul 06 10:04:15 2010

------------------------------------

Finished reporting.

ComboFix log -

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Eunice Korol\Application Data\alot

c:\documents and settings\Eunice Korol\Application Data\alot\BrowserSearch\BrowserSearch.xml

c:\documents and settings\Eunice Korol\Application Data\alot\BrowserSearch\BrowserSearch.xml.backup

c:\documents and settings\Eunice Korol\Application Data\alot\Button_0\Button_0.xml

c:\documents and settings\Eunice Korol\Application Data\alot\Button_0\Button_0.xml.backup

c:\documents and settings\Eunice Korol\Application Data\alot\Button_1\Button_1.xml

c:\documents and settings\Eunice Korol\Application Data\alot\Button_1\Button_1.xml.backup

c:\documents and settings\Eunice Korol\Application Data\alot\Button_10\Button_10.xml

c:\documents and settings\Eunice Korol\Application Data\alot\Button_10\Button_10.xml.backup

c:\documents and settings\Eunice Korol\Application Data\alot\Button_11\Button_11.xml

c:\documents and settings\Eunice Korol\Application Data\alot\Button_11\Button_11.xml.backup

c:\documents and settings\Eunice Korol\Application Data\alot\Button_2\Button_2.xml

c:\documents and settings\Eunice Korol\Application Data\alot\Button_2\Button_2.xml.backup

c:\documents and settings\Eunice Korol\Application Data\alot\Button_3\Button_3.xml

c:\documents and settings\Eunice Korol\Application Data\alot\Button_3\Button_3.xml.backup

c:\documents and settings\Eunice Korol\Application Data\alot\Button_4\Button_4.xml

c:\documents and settings\Eunice Korol\Application Data\alot\Button_4\Button_4.xml.backup

c:\documents and settings\Eunice Korol\Application Data\alot\Button_5\Button_5.xml

c:\documents and settings\Eunice Korol\Application Data\alot\Button_5\Button_5.xml.backup

c:\documents and settings\Eunice Korol\Application Data\alot\Button_6\Button_6.xml

c:\documents and settings\Eunice Korol\Application Data\alot\Button_6\Button_6.xml.backup

c:\documents and settings\Eunice Korol\Application Data\alot\Button_7\Button_7.xml

c:\documents and settings\Eunice Korol\Application Data\alot\Button_7\Button_7.xml.backup

c:\documents and settings\Eunice Korol\Application Data\alot\Button_8\Button_8.xml

c:\documents and settings\Eunice Korol\Application Data\alot\Button_8\Button_8.xml.backup

c:\documents and settings\Eunice Korol\Application Data\alot\Button_9\Button_9.xml

c:\documents and settings\Eunice Korol\Application Data\alot\Button_9\Button_9.xml.backup

c:\documents and settings\Eunice Korol\Application Data\alot\configurator\configurator.xml

c:\documents and settings\Eunice Korol\Application Data\alot\configurator\configurator.xml.backup

c:\documents and settings\Eunice Korol\Application Data\alot\ErrorSearch\ErrorSearch.xml

c:\documents and settings\Eunice Korol\Application Data\alot\ErrorSearch\ErrorSearch.xml.backup

c:\documents and settings\Eunice Korol\Application Data\alot\postInstallLayout\postInstallLayout.xml

c:\documents and settings\Eunice Korol\Application Data\alot\postInstallLayout\postInstallLayout.xml.backup

c:\documents and settings\Eunice Korol\Application Data\alot\products\products.xml

c:\documents and settings\Eunice Korol\Application Data\alot\products\products.xml.backup

c:\documents and settings\Eunice Korol\Application Data\alot\Resources\Button_0\images\alot_icon_35x16.bmp

c:\documents and settings\Eunice Korol\Application Data\alot\Resources\Button_1\images\alot_search_24x16.bmp

c:\documents and settings\Eunice Korol\Application Data\alot\Resources\Button_2\domains.dat

c:\documents and settings\Eunice Korol\Application Data\alot\Resources\Button_2\images\default_282_alot_map_widget_default.bmp

c:\documents and settings\Eunice Korol\Application Data\alot\Resources\Button_3\images\default_275_alot_maps_maptravel.bmp

c:\documents and settings\Eunice Korol\Application Data\alot\Resources\Button_4\domains.dat

c:\documents and settings\Eunice Korol\Application Data\alot\Resources\Button_4\images\default_283_alot_maps_weather.bmp

c:\documents and settings\Eunice Korol\Application Data\alot\Resources\Button_5\images\default_276_alot_ref_mrkt_world_travel_guides.bmp

c:\documents and settings\Eunice Korol\Application Data\alot\Resources\Shared\domains.dat

c:\documents and settings\Eunice Korol\Application Data\alot\Resources\Shared\images\alot_brand.png

c:\documents and settings\Eunice Korol\Application Data\alot\Resources\Shared\images\widget_bottom.bmp

c:\documents and settings\Eunice Korol\Application Data\alot\Resources\Shared\images\widget_btnclose0.bmp

c:\documents and settings\Eunice Korol\Application Data\alot\Resources\Shared\images\widget_btnclose1.bmp

c:\documents and settings\Eunice Korol\Application Data\alot\Resources\Shared\images\widget_btnmin0.bmp

c:\documents and settings\Eunice Korol\Application Data\alot\Resources\Shared\images\widget_btnmin1.bmp

c:\documents and settings\Eunice Korol\Application Data\alot\Resources\Shared\images\widget_caption.bmp

c:\documents and settings\Eunice Korol\Application Data\alot\TemBC0.tmp

c:\documents and settings\Eunice Korol\Application Data\alot\TimerManager\TimerManager.xml

c:\documents and settings\Eunice Korol\Application Data\alot\TimerManager\TimerManager.xml.backup

c:\documents and settings\Eunice Korol\Application Data\alot\toolbar.xml

c:\documents and settings\Eunice Korol\Application Data\alot\ToolbarSearch\ToolbarSearch.xml

c:\documents and settings\Eunice Korol\Application Data\alot\Updater\Updater.xml

c:\documents and settings\Eunice Korol\Application Data\alot\Updater\Updater.xml.backup

c:\documents and settings\Eunice Korol\My Documents\FIXMAPI.EXE

c:\documents and settings\LocalService\proxy_port

c:\temp\sanR24

c:\windows\jestertb.dll

c:\windows\system32\lmllm.ini

c:\windows\system32\lmllm.ini2

c:\windows\xpsp1hfm.log

Infected copy of c:\windows\system32\drivers\ndis.sys was found and disinfected

Restored copy from - c:\i386\ndis.sys

.

((((((((((((((((((((((((( Files Created from 2010-06-06 to 2010-07-06 )))))))))))))))))))))))))))))))

.

2010-07-06 02:43 . 2010-07-06 02:43 -------- d-sh--w- c:\documents and settings\Eunice Korol\IECompatCache

2010-07-05 19:34 . 2010-07-05 19:34 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\suunaigpf

2010-07-05 15:55 . 2010-07-05 15:55 -------- d-----w- c:\documents and settings\Eunice Korol\Application Data\Malwarebytes

2010-07-05 15:54 . 2010-04-29 21:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-07-05 15:54 . 2010-07-05 15:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-07-05 15:54 . 2010-04-29 21:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-07-05 15:54 . 2010-07-05 19:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-07-02 14:24 . 2010-07-02 14:24 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM

2010-07-02 14:20 . 2010-07-02 14:20 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2010-06-27 22:13 . 2010-06-27 22:13 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2010-06-10 02:56 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-07-06 19:20 . 2006-07-16 19:29 -------- d-----w- c:\documents and settings\Eunice Korol\Application Data\Skype

2010-07-06 15:22 . 2005-04-24 18:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint

2010-07-06 15:08 . 2006-01-20 19:12 -------- d-----w- c:\documents and settings\Eunice Korol\Application Data\Lavasoft

2010-07-06 14:18 . 2009-11-30 18:06 -------- d-----w- c:\documents and settings\Eunice Korol\Application Data\skypePM

2010-07-05 19:37 . 2008-06-24 00:12 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8

2010-06-05 17:56 . 2009-01-16 16:02 -------- d-----w- c:\program files\Microsoft Silverlight

2010-05-23 00:49 . 2010-05-23 00:49 348160 ----a-w- c:\documents and settings\Eunice Korol\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-7edd0ade-n\msvcr71.dll

2010-05-23 00:49 . 2010-05-23 00:49 503808 ----a-w- c:\documents and settings\Eunice Korol\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-7edd0ade-n\msvcp71.dll

2010-05-23 00:49 . 2010-05-23 00:49 499712 ----a-w- c:\documents and settings\Eunice Korol\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-7edd0ade-n\jmc.dll

2010-05-15 01:06 . 2005-06-25 21:45 -------- d-----w- c:\documents and settings\Eunice Korol\Application Data\AdobeUM

2010-05-14 21:29 . 2005-05-11 16:40 40770 ----a-w- c:\documents and settings\Eunice Korol\Application Data\wklnhst.dat

2010-05-08 20:59 . 2007-06-15 04:18 -------- d-----w- c:\program files\iTunes

2010-05-08 19:56 . 2010-05-08 19:56 -------- d-----w- c:\program files\iPod

2010-05-08 18:50 . 2005-12-01 03:01 -------- d-----w- c:\documents and settings\Eunice Korol\Application Data\Apple Computer

2010-05-06 10:41 . 2004-08-10 17:51 916480 ----a-w- c:\windows\system32\wininet.dll

2010-05-02 05:56 . 2004-08-10 17:51 1850880 ----a-w- c:\windows\system32\win32k.sys

2010-04-28 21:45 . 2010-04-28 21:45 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe

2010-04-20 05:51 . 2004-08-10 17:50 285696 ----a-w- c:\windows\system32\atmfd.dll

2010-04-16 14:33 . 2010-05-01 21:00 3003680 ----a-w- c:\windows\system32\usbaaplrc.dll

2010-04-16 14:33 . 2008-07-03 05:22 41472 ----a-w- c:\windows\system32\drivers\usbaapl.sys

2010-04-08 19:20 . 2010-04-08 19:20 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-04-08 19:20 . 2010-04-08 19:20 107808 ----a-w- c:\windows\system32\dns-sd.exe

.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2005-04-24 18:17 . 2004-09-13 21:33 155648 c:\program files\Apoint\bak\Apoint.exe

2006-04-25 01:50 . 2006-04-25 01:50 180269 c:\program files\Common Files\Real\Update_OB\bak\realsched.exe

2005-04-24 18:22 . 2004-10-12 21:54 57344 c:\program files\CyberLink\PowerDVD\bak\DVDLauncher.exe

2005-04-24 18:21 . 2004-04-12 01:15 290816 c:\program files\Dell\Media Experience\bak\PCMService.exe

2005-04-24 18:22 . 2005-02-07 13:43 606208 c:\program files\Dell\QuickSet\bak\quickset.exe

2004-06-18 15:30 . 2004-06-18 15:30 290816 c:\program files\Dell Photo AIO Printer 922\bak\dlbtbmgr.exe

2007-03-15 17:09 . 2007-03-15 17:09 460784 c:\program files\DellSupport\bak\DSAgnt.exe

2005-12-04 17:27 . 2005-05-19 20:55 101888 c:\program files\ESPNRunTime\bak\DIGServices.exe

2004-10-30 19:59 . 2004-10-30 19:59 385024 c:\program files\Intel\Wireless\Bin\bak\ifrmewrk.exe

2007-06-01 22:51 . 2007-06-01 22:51 257088 c:\program files\iTunes\bak\iTunesHelper.exe

2010-04-28 21:06 . 2010-04-28 21:06 142120 c:\program files\iTunes\iTunesHelper.exe

2006-07-26 00:53 . 2005-01-18 23:47 458752 c:\program files\Logitech\Video\bak\ISStart.exe

2006-07-26 00:53 . 2005-01-18 23:37 217088 c:\program files\Logitech\Video\bak\LogiTray.exe

2006-07-26 00:53 . 2005-01-18 23:07 196608 c:\program files\Logitech\Video\bak\ManifestEngine.exe

2005-12-17 17:03 . 2005-03-12 14:25 11776 c:\program files\MUSICMATCH\Musicmatch Jukebox\bak\mimboot.exe

2005-04-24 18:30 . 2005-03-12 14:25 110592 c:\program files\MUSICMATCH\Musicmatch Jukebox\bak\mm_tray.exe

2007-04-27 15:41 . 2007-04-27 15:41 282624 c:\program files\QuickTime\bak\qttask.exe

2010-03-18 03:53 . 2010-03-18 03:53 421888 c:\program files\QuickTime\QTTask.exe

2007-05-16 02:18 . 2007-04-05 21:29 684118 c:\program files\SAMSUNG\FW LiveUpdate\bak\FWManager.exe

2005-06-21 19:36 . 2006-10-20 14:31 393216 c:\program files\TELUS eCare\SmartBridge\bak\MotiveSB.exe

2005-09-07 19:08 . 2005-08-20 01:34 3084288 c:\program files\Yahoo!\Messenger\bak\ypager.exe

2004-10-08 17:52 . 2004-10-08 17:52 221184 c:\windows\system32\bak\LVCOMSX.EXE

2007-05-16 02:08 . 2006-01-12 22:40 155648 c:\windows\system32\bak\NeroCheck.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]

"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2010-04-06 26102056]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [N/A]

"Dell QuickSet"="c:\program files\Dell\QuickSet\bak\quickset.exe" [2005-02-07 606208]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-03-19 2046816]

"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [N/A]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil9f.exe" [N/A]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-4-24 24576]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

TELUS eCare.lnk - c:\program files\TELUS eCare\bin\matcli.exe [2005-6-21 217088]

WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2005-10-19 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-08-17 04:04 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]

2004-09-07 21:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"c:\\Program Files\\MSN Messenger\\livecall.exe"=

"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=

"c:\\Program Files\\SopCast\\SopCast.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/23/2008 6:12 PM 335240]

R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/23/2008 6:12 PM 297752]

S0 bwqcvxor;bwqcvxor; [x]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

vvdsvc REG_MULTI_SZ vvdsvc

.

Contents of the 'Scheduled Tasks' folder

2010-07-01 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 17:50]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.mytelus.com/

uInternet Settings,ProxyOverride = localhost;*.local

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000

Trusted Zone: doginhispen.com

Trusted Zone: whataboutadog.com

Trusted Zone: whataboutarabit.com

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-07-06 13:18

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(980)

c:\windows\system32\Ati2evxx.dll

c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'explorer.exe'(2984)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\program files\Intel\Wireless\Bin\EvtEng.exe

c:\program files\Intel\Wireless\Bin\S24EvMon.exe

c:\program files\Intel\Wireless\Bin\WLKeeper.exe

c:\program files\Intel\Wireless\Bin\ZcfgSvc.exe

c:\windows\system32\Ati2evxx.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\program files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

c:\progra~1\Intel\Wireless\Bin\1XConfig.exe

c:\program files\Intel\Wireless\Bin\RegSrvc.exe

c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

c:\progra~1\AVG\AVG8\avgrsx.exe

c:\windows\system32\wscntfy.exe

c:\program files\Skype\Phone\Skype.exe

c:\program files\TELUS eCare\bin\mpbtn.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\Skype\Plugin Manager\skypePM.exe

.

**************************************************************************

.

Completion time: 2010-07-06 13:31:52 - machine was rebooted

ComboFix-quarantined-files.txt 2010-07-06 19:31

Pre-Run: 2,867,605,504 bytes free

Post-Run: 4,414,451,712 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 02EBAD443F4864576C0F217CDB9A3E86


Open Notepad and copy and paste the text in the code box below into it:

KillAll::

Driver::
bwqcvxor

Folder::
c:\documents and settings\NetworkService\Local Settings\Application Data\suunaigpf
c:\documents and settings\All Users\Application Data\Viewpoint

AWF::
c:\program files\Apoint\bak\Apoint.exe
c:\program files\Common Files\Real\Update_OB\bak\realsched.exe
c:\program files\CyberLink\PowerDVD\bak\DVDLauncher.exe
c:\program files\Dell\Media Experience\bak\PCMService.exe
c:\program files\Dell\QuickSet\bak\quickset.exe
c:\program files\Dell Photo AIO Printer 922\bak\dlbtbmgr.exe
c:\program files\DellSupport\bak\DSAgnt.exe
c:\program files\ESPNRunTime\bak\DIGServices.exe
c:\program files\Intel\Wireless\Bin\bak\ifrmewrk.exe
c:\program files\iTunes\bak\iTunesHelper.exe
c:\program files\iTunes\iTunesHelper.exe
c:\program files\Logitech\Video\bak\ISStart.exe
c:\program files\Logitech\Video\bak\LogiTray.exe
c:\program files\Logitech\Video\bak\ManifestEngine.exe
c:\program files\MUSICMATCH\Musicmatch Jukebox\bak\mimboot.exe
c:\program files\MUSICMATCH\Musicmatch Jukebox\bak\mm_tray.exe
c:\program files\QuickTime\bak\qttask.exe
c:\program files\QuickTime\QTTask.exe
c:\program files\SAMSUNG\FW LiveUpdate\bak\FWManager.exe
c:\program files\TELUS eCare\SmartBridge\bak\MotiveSB.exe
c:\program files\Yahoo!\Messenger\bak\ypager.exe
c:\windows\system32\bak\LVCOMSX.EXE
c:\windows\system32\bak\NeroCheck.exe

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
"vvdsvc"=-

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

(screenshot: CFScriptB-4.gif)

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

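The entries the helper's CFScript targets above (the S0 service with no file behind it, the svchost group that ComboFix lists because it is not a default one, and the autostart files that have a same-name twin under a bak\ folder) can be picked out of a ComboFix log mechanically rather than by eye. The Python below is an added example written for this page; it is not code from the thread, from ComboFix or from Malwarebytes. It assumes only the line shapes visible in the log posted earlier in this thread and runs on a constructed excerpt whose values are copied from that log.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt in the shape of the ComboFix log posted in this thread
# (values copied from it). This whole example is not part of ComboFix or of
# the original posts; it only reads the text a ComboFix run leaves behind.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-04-27 15:41 . 2007-04-27 15:41 282624 c:\program files\QuickTime\bak\qttask.exe
2010-03-18 03:53 . 2010-03-18 03:53 421888 c:\program files\QuickTime\QTTask.exe
2004-10-08 17:52 . 2004-10-08 17:52 221184 c:\windows\system32\bak\LVCOMSX.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-03-19 2046816]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/23/2008 6:12 PM 335240]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/23/2008 6:12 PM 297752]
S0 bwqcvxor;bwqcvxor; [x]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
vvdsvc REG_MULTI_SZ vvdsvc
"""

# "R1 name;display;path [date size]" or, when the image file is gone, "S0 name;display; [x]"
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>[^\[]*)\[(?P<info>[^\]]*)\]\s*$"
)
# ComboFix prints this key only when it holds svchost groups that are not Windows defaults
SVCHOST_KEY = r"[hkey_local_machine\software\microsoft\windows nt\currentversion\svchost]"
MULTI_SZ_RE = re.compile(r"^(?P<group>\S+)\s+REG_MULTI_SZ\s+(?P<members>.*)$")
# AWF section rows: "date time . date time size path"
AWF_FILE_RE = re.compile(r"^\S+ \S+ \. \S+ \S+ (?P<size>\d+) (?P<path>[a-z]:\\.*)$", re.IGNORECASE)
SECTION_RE = re.compile(r"^\(+\s*(?P<title>.+?)\s*\)+$")


@dataclass
class Findings:
    missing_service_files: list = field(default_factory=list)  # (start type, service name)
    svchost_groups: list = field(default_factory=list)         # (group name, members)
    awf_pairs: list = field(default_factory=list)              # (live path, bak path, live size, bak size)


def review_combofix_log(text: str) -> Findings:
    """Walk a ComboFix log and collect the entries a helper would want to look at."""
    found = Findings()
    section = None
    in_svchost = False
    awf_files = {}  # lower-cased path -> (path as printed, size)
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group("title")
            in_svchost = False
            continue
        if line.startswith("["):
            # a registry key line; remember whether we are now under the svchost key
            in_svchost = line.lower() == SVCHOST_KEY
            continue
        if section == "AWF":
            m = AWF_FILE_RE.match(line)
            if m:
                awf_files[m.group("path").lower()] = (m.group("path"), int(m.group("size")))
            continue
        m = SERVICE_RE.match(line)
        if m:
            # "[x]" with an empty path means the service is registered but its file is missing
            if m.group("info").strip() == "x" or not m.group("path").strip():
                found.missing_service_files.append((m.group("start"), m.group("name")))
            continue
        if in_svchost:
            m = MULTI_SZ_RE.match(line)
            if m:
                found.svchost_groups.append((m.group("group"), m.group("members")))
    # pair each copy under a bak\ folder with the live file of the same name beside it
    for key, (bak_path, bak_size) in awf_files.items():
        if "\\bak\\" in key:
            live_key = key.replace("\\bak\\", "\\")
            if live_key in awf_files:
                live_path, live_size = awf_files[live_key]
                found.awf_pairs.append((live_path, bak_path, live_size, bak_size))
    return found


if __name__ == "__main__":
    result = review_combofix_log(SAMPLE_LOG)
    for start, name in result.missing_service_files:
        print(f"service {name} ({start}) has no image file on disk")
    for group, members in result.svchost_groups:
        print(f"non-default svchost group {group}: {members}")
    for live, bak, live_size, bak_size in result.awf_pairs:
        print(f"{live} ({live_size} bytes) has a bak twin {bak} ({bak_size} bytes)")
```

The script only lists entries for a person to review; deciding which of them belong in a CFScript stays with the helper, who knows the machine. Matching is case-insensitive because the log prints the bak copy and the live file with different capitalisation (qttask.exe and QTTask.exe).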

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\Viewpoint

c:\documents and settings\NetworkService\Local Settings\Application Data\suunaigpf

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_bwqcvxor

((((((((((((((((((((((((( Files Created from 2010-06-06 to 2010-07-06 )))))))))))))))))))))))))))))))

.

2010-07-06 02:43 . 2010-07-06 02:43 -------- d-sh--w- c:\documents and settings\Eunice Korol\IECompatCache

2010-07-05 15:55 . 2010-07-05 15:55 -------- d-----w- c:\documents and settings\Eunice Korol\Application Data\Malwarebytes

2010-07-05 15:54 . 2010-04-29 21:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-07-05 15:54 . 2010-07-05 15:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-07-05 15:54 . 2010-04-29 21:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-07-05 15:54 . 2010-07-05 19:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-07-02 14:24 . 2010-07-02 14:24 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM

2010-07-02 14:20 . 2010-07-02 14:20 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2010-06-27 22:13 . 2010-06-27 22:13 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2010-06-10 02:56 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-07-06 21:00 . 2006-07-16 19:29 -------- d-----w- c:\documents and settings\Eunice Korol\Application Data\Skype

2010-07-06 20:56 . 2007-04-13 02:12 -------- d-----w- c:\program files\DellSupport

2010-07-06 20:56 . 2005-12-04 17:27 -------- d-----w- c:\program files\ESPNRunTime

2010-07-06 20:56 . 2005-05-17 17:25 -------- d-----w- c:\program files\Dell Photo AIO Printer 922

2010-07-06 20:56 . 2005-04-24 18:17 -------- d-----w- c:\program files\Apoint

2010-07-06 15:08 . 2006-01-20 19:12 -------- d-----w- c:\documents and settings\Eunice Korol\Application Data\Lavasoft

2010-07-06 14:18 . 2009-11-30 18:06 -------- d-----w- c:\documents and settings\Eunice Korol\Application Data\skypePM

2010-07-05 19:37 . 2008-06-24 00:12 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8

2010-06-05 17:56 . 2009-01-16 16:02 -------- d-----w- c:\program files\Microsoft Silverlight

2010-05-23 00:49 . 2010-05-23 00:49 348160 ----a-w- c:\documents and settings\Eunice Korol\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-7edd0ade-n\msvcr71.dll

2010-05-23 00:49 . 2010-05-23 00:49 503808 ----a-w- c:\documents and settings\Eunice Korol\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-7edd0ade-n\msvcp71.dll

2010-05-23 00:49 . 2010-05-23 00:49 499712 ----a-w- c:\documents and settings\Eunice Korol\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-7edd0ade-n\jmc.dll

2010-05-15 01:06 . 2005-06-25 21:45 -------- d-----w- c:\documents and settings\Eunice Korol\Application Data\AdobeUM

2010-05-14 21:29 . 2005-05-11 16:40 40770 ----a-w- c:\documents and settings\Eunice Korol\Application Data\wklnhst.dat

2010-05-08 20:59 . 2007-06-15 04:18 -------- d-----w- c:\program files\iTunes

2010-05-08 19:56 . 2010-05-08 19:56 -------- d-----w- c:\program files\iPod

2010-05-08 18:50 . 2005-12-01 03:01 -------- d-----w- c:\documents and settings\Eunice Korol\Application Data\Apple Computer

2010-05-06 10:41 . 2004-08-10 17:51 916480 ----a-w- c:\windows\system32\wininet.dll

2010-05-02 05:56 . 2004-08-10 17:51 1850880 ----a-w- c:\windows\system32\win32k.sys

2010-04-28 21:45 . 2010-04-28 21:45 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe

2010-04-20 05:51 . 2004-08-10 17:50 285696 ----a-w- c:\windows\system32\atmfd.dll

2010-04-16 14:33 . 2010-05-01 21:00 3003680 ----a-w- c:\windows\system32\usbaaplrc.dll

2010-04-16 14:33 . 2008-07-03 05:22 41472 ----a-w- c:\windows\system32\drivers\usbaapl.sys

2010-04-08 19:20 . 2010-04-08 19:20 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-04-08 19:20 . 2010-04-08 19:20 107808 ----a-w- c:\windows\system32\dns-sd.exe

.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2007-06-01 22:51 . 2007-06-01 22:51 257088 c:\program files\iTunes\bak\iTunesHelper.exe

2010-04-28 21:06 . 2010-04-28 21:06 142120 c:\program files\iTunes\iTunesHelper.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]

"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2010-04-06 26102056]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [N/A]

"Dell QuickSet"="c:\program files\Dell\QuickSet\bak\quickset.exe" [N/A]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-03-19 2046816]

"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-03-12 110592]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil9f.exe" [N/A]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-4-24 24576]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

TELUS eCare.lnk - c:\program files\TELUS eCare\bin\matcli.exe [2005-6-21 217088]

WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2005-10-19 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-08-17 04:04 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]

2004-09-07 21:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"c:\\Program Files\\MSN Messenger\\livecall.exe"=

"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=

"c:\\Program Files\\SopCast\\SopCast.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/23/2008 6:12 PM 335240]

R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/23/2008 6:12 PM 297752]

.

Contents of the 'Scheduled Tasks' folder

2010-07-01 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 17:50]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.mytelus.com/

uInternet Settings,ProxyOverride = localhost;*.local

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-07-06 14:57

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(992)

c:\windows\system32\Ati2evxx.dll

c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'explorer.exe'(1448)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\program files\Intel\Wireless\Bin\EvtEng.exe

c:\program files\Intel\Wireless\Bin\S24EvMon.exe

c:\program files\Intel\Wireless\Bin\WLKeeper.exe

c:\program files\Intel\Wireless\Bin\ZcfgSvc.exe

c:\windows\system32\Ati2evxx.exe

c:\progra~1\Intel\Wireless\Bin\1XConfig.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\program files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

c:\progra~1\AVG\AVG8\avgrsx.exe

c:\program files\Intel\Wireless\Bin\RegSrvc.exe

c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

c:\windows\system32\wscntfy.exe

c:\program files\Skype\Phone\Skype.exe

c:\program files\TELUS eCare\bin\mpbtn.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\Skype\Plugin Manager\skypePM.exe

.

**************************************************************************

.

Completion time: 2010-07-06 15:10:07 - machine was rebooted

ComboFix-quarantined-files.txt 2010-07-06 21:10

ComboFix2.txt 2010-07-06 19:31

Pre-Run: 4,451,598,336 bytes free

Post-Run: 4,428,951,552 bytes free

- - End Of File - - B6C4107BFD741D6A63283EC29408B8FC


I ran a scan with malwarebytes and it's clean. No rootkit.agent, no trojan.downloader detected, Maniac. :P Now, how do I get the wireless connection working again? I tried to repair it but no wireless networks were found...


1. Please download Dial-A-Fix from one of the following mirrors:

2. Extract the zip file to your desktop.

3. Double click Dial-a-Fix.exe to start the program.

4. Press the green double checkmark box (looks like this: checkmark.png)

5. UNcheck "Empty Temp Folders", as well as "Adjust Time/Date" in the prep section. The prep section should then look like this: (screenshot: toUncheck.png)

6. When the window looks like this, press the GO button in the bottom of the window. (screenshot: mainWindow.png)

7. Exit/Close Dial-A-Fix


First, thank you for all your help in walking me through this, Borislav. It really is appreciated.

This only became a problem after running combofix (and the rest of the steps.) After I tried your latest link it's still giving me this message:

Windows could not finish repairing the problem because the following action cannot be completed: Connecting to the wireless network.

I remain connected with the local area connection just not able to connect wirelessly...


Open Notepad and copy and paste the text in the code box below into it:

DeQuarantine::
C:\Qoobox\Quarantine\C\Documents and Settings\Eunice Korol\My Documents\FIXMAPI.EXE.vir
C:\Qoobox\Quarantine\C\Documents and Settings\LocalService\proxy_port.vir
C:\Qoobox\Quarantine\C\WINDOWS\jestertb.dll.vir

Quit::

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

(screenshot: CFScriptB-4.gif)

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.


C:\Qoobox\Quarantine\C\Documents and Settings\Eunice Korol\My Documents\FIXMAPI.EXE.vir -> C:\Documents and Settings\Eunice Korol\My Documents\FIXMAPI.EXE ( 7440 bytes )

C:\Qoobox\Quarantine\C\Documents and Settings\LocalService\proxy_port.vir -> C:\Documents and Settings\LocalService\proxy_port ( 4 bytes )

C:\Qoobox\Quarantine\C\WINDOWS\jestertb.dll.vir -> C:\WINDOWS\jestertb.dll ( 21504 bytes )


2 weeks later... (Staff)

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
