
Had substantial malware that was removed with Malwarebytes 1.24; saved the file on another computer, will post soon. No network services running and will not start manually.

Any thoughts appreciated.

Thanks,

Heavus

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:47, on 2008-08-18
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-2977829087-2574050279-514187110-1006\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

--
End of file - 4392 bytes


Vet,

That system is out of my control, waiting for the final logs from the user. I know after the combofix was run he was clean on his Malwarebytes logs. I have asked him to send but he has not.

MH


Malwarebytes' Anti-Malware 1.24
Database version: 1012
Windows 5.1.2600 Service Pack 2

1:39:48 PM 8/18/2008
mbam-log-8-18-2008 (13-39-48).txt

Scan type: Quick Scan
Objects scanned: 52131
Time elapsed: 20 minute(s), 28 second(s)

Memory Processes Infected: 4
Memory Modules Infected: 1
Registry Keys Infected: 12
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
C:\WINDOWS\SYSTEM32\AFinding.exe (Trojan.Agent) -> Unloaded process successfully.
C:\WINDOWS\SYSTEM32\WServing.exe (Trojan.Agent) -> Unloaded process successfully.
C:\WINDOWS\SYSTEM32\routing.exe (Trojan.Agent) -> Unloaded process successfully.
C:\WINDOWS\SYSTEM32\perfs.exe (Trojan.Downloader) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\SYSTEM32\Proxy.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFinding (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Routing (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WServing (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\afinding (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\afinding (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wserving (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\wserving (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\routing (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\routing (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\perfs (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\perfs (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\perfs (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\comsa32.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\AFinding.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\WServing.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\Proxy.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\routing.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\perfs.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Gary Anderson\Local Settings\Temp\us0105.exe (Trojan.Agent) -> Quarantined and deleted successfully.


That system is out of my control, waiting for the final logs from the user. I know after the combofix was run he was clean on his Malwarebytes logs. I have asked him to send but he has not.

How is it that you once had control of that computer and now you don't? If you are performing the "fix" instructions as a favor for the owner of that computer, why then would you return it before it was cleaned?

I would still prefer that we finish up with one log/thread, per user, before we start on another. If this new user is another friend for which you are also attempting to follow the "fix" instructions, why not just have your friend register here and post the logs himself? We're easy to get along with...and I will certainly do my best to make any instruction as simple as possible to follow.


I don't know what else to tell you. I returned his computer to him upon his request; it was working better than when I got it. It had the rootkit still on it, but he wanted it back. I gave him the instructions as offered here, he did it, I posted it, and that's the last one I received from him. I have asked for more but .... It's his computer and his choice. Sorry.


OK...please post logs that relate to only your computer(s) and recommend to your friends to register here and post their own logs in a new thread. By doing so, at least we can assume the user will continue with us until a successful completion.

The reasoning for this recommendation involves the other forum users who often enough will read through a set of "fix" instructions and apply them to their own systems which may be experiencing similar issues. Regardless of the recommendations to the contrary, users tend to overlook the warnings and follow through with the posted instructions.

This type of scenario is dangerous enough as it is...but having a partially completed log that still contains a rootkit infection is nothing less than a train wreck about to happen. Thanks for understanding!
