Malware reappears after scan & reboot.

Jakubas · August 29, 2010

My laptop has Windows XP SP2.

The virus disabled task manager, regedit and likes to shut down .exe extensions.

I've got a HijackThis log :

Logfile of HijackThis v1.99.1

Scan saved at 11:00:42 PM, on 8/28/2010

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

c:\program files\idt\gatewayxpv_12\wdm\STacSV.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Prevx\prevx.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Prevx\prevx.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\wpabaln.exe

C:\DOCUME~1\DARKKN~1\USTAWI~1\Temp\winwhtuxk.exe

C:\DOCUME~1\DARKKN~1\USTAWI~1\Temp\Katalog tymczasowy 1 dla RootkitRevealer.zip\RootkitRevealer.exe

C:\DOCUME~1\DARKKN~1\USTAWI~1\Temp\DO.exe

C:\WINDOWS\system32\cmd.exe

C:\WINDOWS\system32\chcp.com

C:\Documents and Settings\Dark Knight\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe

C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: SafeOnline BHO - {69D72956-317C-44bd-B369-8E44D4EF9801} - C:\WINDOWS\system32\PxSecure.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [unHackMe Monitor] C:\Program Files\UnHackMe\hackmon.exe

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll

O23 - Service: CSIScanner - Unknown owner - C:\Program Files\Prevx\prevx.exe" /service (file missing)

O23 - Service: DO - Sysinternals - www.sysinternals.com - C:\DOCUME~1\DARKKN~1\USTAWI~1\Temp\DO.exe

O23 - Service: Audio Service (STacSV) - IDT, Inc. - c:\program files\idt\gatewayxpv_12\wdm\STacSV.exe

Jakubas · August 29, 2010

Here's my malware log:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4495

Windows 5.1.2600 Dodatek Service Pack 2

Internet Explorer 6.0.2900.2180

8/28/2010 11:31:59 PM

mbam-log-2010-08-28 (23-31-59).txt

Scan type: Quick scan

Objects scanned: 118867

Time elapsed: 4 minute(s), 16 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 5

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System \DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System \DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Jakubas · August 29, 2010

Here's a OTS scan log:

Edited August 29, 2010 by Maurice Naggar

Jakubas · August 29, 2010

GMER LOG:

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-08-29 11:13:43

Windows 5.1.2600 Dodatek Service Pack 2

Running: 1v98x46e.exe; Driver: C:\DOCUME~1\DARKKN~1\USTAWI~1\Temp\fwkcifob.sys

---- Kernel code sections - GMER 1.0.15 ----

? C:\WINDOWS\system32\drivers\nhmjfn.sys Nie mo?na odnale?? okre?lonego pliku. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Pando Networks\Media Booster\PMB.exe[1520] kernel32.dll!SetUnhandledExceptionFilter 7C810386 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}

---- EOF - GMER 1.0.15 ----

Maurice Naggar · August 29, 2010

Hello Jakubas,

Can you tell me what is Dodatek?

You will want to print out or copy these instructions to Notepad for offline reference!

If you are a casual viewer, do NOT try this on your system!

If you are not Jakubas and have a similar problem, do NOT post here; start your own topic

Do not run or start any other programs while these utilities and tools are in use!

Do NOT run any other tools on your own or do any fixes other than what is listed here.

If you have questions, please ask before you do something on your own.

But it is important that you get going on these following steps.

=

Close any of your open programs while you run these tools.

Step 1

1. Go >> Here << and download ERUNT

(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)

2. Install ERUNT by following the prompts

(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)

3. Start ERUNT

(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)

4. Choose a location for the backup

(the default location is C:\WINDOWS\ERDNT which is acceptable).

5. Make sure that at least the first two check boxes are ticked

6. Press OK

7. Press YES to create the folder.

Step 2

Set Windows to show all files and all folders.

On your Desktop, double click My Computer, from the menu options, select tools, then Folder Options, and then select VIEW Tab and look at all of settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under column, Hidden files and folders----choose ( *select* ) Show hidden files and folders.

Next, un-check Hide extensions for known file types.

Next un-check Hide protected operating system files.

Step 3

Download to your Desktop FixPolicies.exe, by Bill Castner, MS-MVP, a self-extracting ZIP archive from

>>> here <<<

Double-click FixPolicies.exe.
Click the "Install" button on the bottom toolbar of the box that will open.
The program will create a new Folder called FixPolicies.
Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
A black box will briefly appear and then close.
This fix may prove temporary. Active malware may revert these changes at your next startup. You can safely run the utility again.

Step 4

Important! => Open Notepad > Click on Format > Uncheck Word wrap, if checked. Exit Notepad.

Step 5

Please download Rooter.exe and save to your desktop.

alternate download link

Double-click on Rooter.exe to start the tool. If using Vista, right-click and Run as Administrator...
Click the Scan button to begin.
Once the scan is complete, Notepad will open with a report named Rooter_#.txt (where # is the number assigned to the report).
A folder will be created at the %systemdrive% (usually, C:\Rooter$) where the log will be saved.
Rooter will automatically close. If it doesn't, just press the Close button.
Copy and paste the contents of Rooter_#.txt in your next reply.

Important: Before performing a scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.

Disconnect from the Internet or physically unplug you Internet cable connection.
Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
Temporarily disable your anti-virus and real-time anti-spyware protection.
After starting the scan, do not use the computer until the scan has completed.
When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.

Step 6

Download OTL by OldTimer to your desktop: http://oldtimer.geekstogo.com/OTL.exe

Close all open windows on the Task Bar. Click the icon (for Vista, right click the icon and Run as Administrator) to start the program.
In the lower right corner, checkmark "LOP Check" and checkmark "Purity Check".
Now click Run Scan at Top left and let the program run uninterrupted. It will take about 4 minutes.
It will produce two logs for you, one will pop up called OTL.txt, the other will be saved on your desktop and called Extras.txt.
Exit Notepad. Remember where you've saved these 2 files as we will need both of them shortly!
Exit OTL by clicking the X at top right.

Download Security Check by screen317 and save it to your Desktop: here or here

Run Security Check
Follow the onscreen instructions inside of the command window.
A Notepad document should open automatically called checkup.txt; close Notepad. We will need this log, too, so remember where you've saved it!

If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access the Internet, allow it to do so.

Then copy/paste the following into your post (in order):

the contents of OTL.txt
the contents of Extras.txt
the contents of checkup.txt
the contents of Rooter log

Be sure to do a Preview prior to pressing Submit because all reports may not fit into 1 single reply. You may have to do more than 1 reply.

Do not use the attachment feature to place any of your reports. Always put them in-line inside the body of reply.

Jakubas · August 29, 2010

HAD TO UPLIAD TOO BIG FOR 1 POST

OTL.Txt

Jakubas · August 29, 2010

OTL Extras logfile created on: 8/29/2010 6:32:13 PM - Run 1

OTL by OldTimer - Version 3.2.11.0 Folder = C:\Documents and Settings\Dark Knight\Pulpit

Windows XP Home Edition Dodatek Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 6.0.2900.2180)

Locale: 00000409 | Country: Stany Zjednoczone | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 84.00% Memory free

4.00 Gb Paging File | 4.00 Gb Available in Paging File | 96.00% Paging File free

Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 111.79 Gb Total Space | 104.11 Gb Free Space | 93.13% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

Drive E: | 576.06 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: SKYNET-FBC1CAEC

Current User Name: Dark Knight

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Standard

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]

.html [@ = ChromeHTML] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

exefile [open] -- "%1" %*

htmlfile [edit] -- Reg Error: Key error.

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"FirstRunDisabled" = 1

"AntiVirusOverride" = 1

"FirewallOverride" = 1

"AntiVirusDisableNotify" = 1

"FirewallDisableNotify" = 1

"UpdatesDisableNotify" = 1

"UacDisableNotify" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

"AntiVirusOverride" = 1

"AntiVirusDisableNotify" = 1

"FirewallDisableNotify" = 1

"FirewallOverride" = 1

"UpdatesDisableNotify" = 1

"UacDisableNotify" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall" = 0

"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

"56671:TCP" = 56671:TCP:*:Enabled:Pando Media Booster

"56671:UDP" = 56671:UDP:*:Enabled:Pando Media Booster

"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007

"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"C:\Documents and Settings\Dark Knight\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe" = C:\Documents and Settings\Dark Knight\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe:*:Enabled:ipsec -- (Google Inc.)

"C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" = C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe:*:Enabled:ipsec -- (Malwarebytes Corporation)

"C:\Documents and Settings\Dark Knight\Moje dokumenty\Downloads\OTS.exe" = C:\Documents and Settings\Dark Knight\Moje dokumenty\Downloads\OTS.exe:*:Enabled:ipsec -- (OldTimer Tools)

"C:\Documents and Settings\Dark Knight\Moje dokumenty\Downloads\1v98x46e.exe" = C:\Documents and Settings\Dark Knight\Moje dokumenty\Downloads\1v98x46e.exe:*:Enabled:ipsec -- ()

"C:\Program Files\BitTorrent\BitTorrent.exe" = C:\Program Files\BitTorrent\BitTorrent.exe:*:Enabled:BitTorrent -- (BitTorrent, Inc.)

"C:\Nexon\NEXON_EU_Downloader\NEXON_EU_Downloader_Engine.exe" = [string data over 1000 bytes]

"C:\DOCUME~1\DARKKN~1\USTAWI~1\Temp\winfqlhfq.exe" = C:\DOCUME~1\DARKKN~1\USTAWI~1\Temp\winfqlhfq.exe:*:Enabled:ipsec -- ()

"C:\DOCUME~1\DARKKN~1\USTAWI~1\Temp\winqqoc.exe" = C:\DOCUME~1\DARKKN~1\USTAWI~1\Temp\winqqoc.exe:*:Enabled:ipsec -- File not found

"C:\DOCUME~1\DARKKN~1\USTAWI~1\Temp\tjqg.exe" = C:\DOCUME~1\DARKKN~1\USTAWI~1\Temp\tjqg.exe:*:Enabled:ipsec -- File not found

"C:\DOCUME~1\DARKKN~1\USTAWI~1\Temp\winmnoc.exe" = C:\DOCUME~1\DARKKN~1\USTAWI~1\Temp\winmnoc.exe:*:Enabled:ipsec -- File not found

"C:\DOCUME~1\DARKKN~1\USTAWI~1\Temp\wingeglsw.exe" = C:\DOCUME~1\DARKKN~1\USTAWI~1\Temp\wingeglsw.exe:*:Enabled:ipsec -- File not found

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{350C9415-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP

"{AB3F9176-E74A-4F28-9A09-4F22349B145E}" = livebox tp

"{E3A5A8AB-58F6-45FF-AFCB-C9AE18C05001}" = IDT Audio

"AnVir Task Manager Pro" = AnVir Task Manager Pro

"BitTorrent" = BitTorrent

"CCleaner" = CCleaner

"ERUNT_is1" = ERUNT 1.1j

"Game Booster_is1" = Game Booster

"HDMI" = Intel® Graphics Media Accelerator Driver

"HijackThis" = HijackThis 1.99.1

"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"Google Chrome" = Google Chrome

========== Last 10 Event Log Errors ==========

[ Application Events ]

Error - 8/28/2010 12:43:28 PM | Computer Name = SKYNET-FBC1CAEC | Source = Application Hang | ID = 1002

Description = Aplikacja zawieszajaca explorer.exe, wersja 6.0.2900.2180, modul zawieszenia