matthewc

trojan keeps returning after reboot


Hi,

Our home computer was hit with viruses a few days ago and thanks to Malwarebytes a lot of things have been cleaned up. However, there is one trojan that keeps resurfacing after the computer is booted up...

Malwarebytes' Anti-Malware 1.30

Database version: 1397

Windows 5.1.2600 Service Pack 3

11/14/2008 5:14:12 AM

mbam-log-2008-11-14 (05-14-12).txt

Scan type: Quick Scan

Objects scanned: 48255

Time elapsed: 5 minute(s), 10 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

;*******************************************************************************

ANALYSIS: 2008-11-14 05:45:58

PROTECTIONS: 2

MALWARE: 10

SUSPECTS: 0

;*******************************************************************************

PROTECTIONS

Description Version Active Updated

;===============================================================================

Symantec Antivirus Corporate Edition 8.0 No Yes

Norton Antivirus Edition 7.5 No No

;===============================================================================

MALWARE

Id Description Type Active Severity Disinfectable Disinfected Location

;===============================================================================

00003805 adware/ezula Adware No 0 Yes No hkey_classes_root\typelib\{e0d3b292-a0b0-4640-975c-2f882e039f52}

00003805 adware/ezula Adware No 0 Yes No hkey_local_machine\software\classes\typelib\{e0d3b292-a0b0-4640-975c-2f882e039f52}

00003805 adware/ezula Adware No 0 Yes No HKEY_CLASSES_ROOT\Interface\{6CDC3337-01F7-4A79-A4AF-0B19303CC0BE}

00003805 adware/ezula Adware No 0 Yes No HKEY_CLASSES_ROOT\Interface\{10D7DB96-56DC-4617-8EAB-EC506ABE6C7E}

00020302 adware/ncase Adware No 0 Yes No hkey_current_user\software\microsoft\internet explorer\main\search page_bak

00020302 adware/ncase Adware No 0 Yes No hkey_local_machine\software\180solutions

00020302 adware/ncase Adware No 0 Yes No hkey_current_user\software\microsoft\internet explorer\main\search bar_bak

00020942 adware/exact.bargainbuddy Adware No 0 Yes No HKEY_CLASSES_ROOT\Interface\{C6906A23-4717-4E1F-B6FD-F06EBED11357}

00020942 adware/exact.bargainbuddy Adware No 0 Yes No HKEY_CLASSES_ROOT\Interface\{8EEE58D5-130E-4CBD-9C83-35A0564E1357}

00020942 adware/exact.bargainbuddy Adware No 0 Yes No HKEY_CLASSES_ROOT\Interface\{8EEE58D5-130E-4CBD-9C83-35A0564E2468}

00020942 adware/exact.bargainbuddy Adware No 0 Yes No HKEY_CLASSES_ROOT\Interface\{C6906A23-4717-4E1F-B6FD-F06EBED12468}

00024383 spyware/clearsearch Spyware No 1 Yes No HKEY_CLASSES_ROOT\Interface\{0f2a4adc-dabf-4980-8db4-19f67d7b1f95}

00035917 adware/ist.sidefind Adware No 0 Yes No hkey_local_machine\software\microsoft\windows\currentversion\uninstall\tsl installer

00039204 adware/cws Adware No 0 Yes No hkey_current_user\software\microsoft\internet explorer\main\start page_bak

00039209 adware/virtualbouncer Adware No 0 Yes No hkey_classes_root\swrt01.rt

00039209 adware/virtualbouncer Adware No 0 Yes No HKEY_CLASSES_ROOT\TypeLib\{e0d3b292-a0b0-4640-975c-2f882e039f52}

00039209 adware/virtualbouncer Adware No 0 Yes No hkey_local_machine\software\classes\swrt01.rt

00039209 adware/virtualbouncer Adware No 0 Yes No HKEY_CLASSES_ROOT\TypeLib\{d0c29a75-7146-4737-98ee-bc4d7cf44af9}

00039209 adware/virtualbouncer Adware No 0 Yes No HKEY_LOCAL_MACHINE\software\classes\CLSID\{d52433a9-a44c-43ab-a013-24b3c756dd2b}

00039209 adware/virtualbouncer Adware No 0 Yes No hkey_classes_root\clsid\{d52433a9-a44c-43ab-a013-24b3c756dd2b}

00039209 adware/virtualbouncer Adware No 0 Yes No hkey_classes_root\clsid\{8940e505-72c6-44de-be85-1d746780efbf}

00039209 adware/virtualbouncer Adware No 0 Yes No hkey_classes_root\clsid\{417386c3-8d4a-4611-9b91-e57e89d603ac}

00039209 adware/virtualbouncer Adware No 0 Yes No HKEY_LOCAL_MACHINE\software\classes\CLSID\{417386c3-8d4a-4611-9b91-e57e89d603ac}

00039209 adware/virtualbouncer Adware No 0 Yes No HKEY_CLASSES_ROOT\Interface\{795398d0-dc2f-4118-a69c-592273ba9c2b}

00039209 adware/virtualbouncer Adware No 0 Yes No HKEY_CLASSES_ROOT\TypeLib\{5e594162-60a9-487d-84b8-dbdd716cb862}

00039209 adware/virtualbouncer Adware No 0 Yes No HKEY_CLASSES_ROOT\Interface\{10d7db96-56dc-4617-8eab-ec506abe6c7e}

00039209 adware/virtualbouncer Adware No 0 Yes No HKEY_CLASSES_ROOT\Interface\{b288f21c-a144-4ca2-9b70-8afa1fae4b06}

00039209 adware/virtualbouncer Adware No 0 Yes No HKEY_CLASSES_ROOT\Interface\{6cdc3337-01f7-4a79-a4af-0b19303cc0be}

00039209 adware/virtualbouncer Adware No 0 Yes No HKEY_LOCAL_MACHINE\software\classes\CLSID\{8940e505-72c6-44de-be85-1d746780efbf}

00039209 adware/virtualbouncer Adware No 0 Yes No HKEY_CLASSES_ROOT\Interface\{6e0ed53c-9908-49ed-b055-7cb31b162577}

00039209 adware/virtualbouncer Adware No 0 Yes No HKEY_CLASSES_ROOT\Interface\{9bcdd51b-4a7b-446c-8452-d32d38004582}

00039209 adware/virtualbouncer Adware No 0 Yes No HKEY_CLASSES_ROOT\Interface\{a986f4db-792e-4571-8974-0bb6e024766f}

00039209 adware/virtualbouncer Adware No 0 Yes No HKEY_CLASSES_ROOT\Interface\{bccab53d-0895-40c3-a942-a03538ce227a}

00039209 adware/virtualbouncer Adware No 0 Yes No HKEY_CLASSES_ROOT\Interface\{49db48ff-02b5-4645-b676-94a4df1aa026}

00039209 adware/virtualbouncer Adware No 0 Yes No HKEY_CLASSES_ROOT\Interface\{d7eac2d8-2d52-4010-a4ad-dfdf60c1706c}

00039209 adware/virtualbouncer Adware No 0 Yes No HKEY_CLASSES_ROOT\Interface\{c0f88e9e-dceb-4655-968a-ae508a677c39}

00039209 adware/virtualbouncer Adware No 0 Yes No HKEY_CLASSES_ROOT\Interface\{830d3aed-2fa9-454f-b266-d931862bbf34}

00039209 adware/virtualbouncer Adware No 0 Yes No HKEY_CLASSES_ROOT\Interface\{8c53bd8e-b12d-4c8f-ad0e-c9ddc39d1273}

00041904 adware/sidesearch Adware No 0 Yes No hkey_local_machine\software\lycos

00043761 adware/addestroyer Adware No 0 Yes No HKEY_CLASSES_ROOT\Interface\{B288F21C-A144-4CA2-9B70-8AFA1FAE4B06}

00043761 adware/addestroyer Adware No 0 Yes No HKEY_CLASSES_ROOT\Interface\{795398D0-DC2F-4118-A69C-592273BA9C2B}

00043761 adware/addestroyer Adware No 0 Yes No HKEY_CLASSES_ROOT\Interface\{B288F21C-A144-4CA2-9B70-8AFA1FAE4B06}

00043761 adware/addestroyer Adware No 0 Yes No hkey_classes_root\swlad1.swlad

00043761 adware/addestroyer Adware No 0 Yes No hkey_classes_root\popoops2.popoops

00043761 adware/addestroyer Adware No 0 Yes No hkey_local_machine\software\classes\swlad1.swlad

00043761 adware/addestroyer Adware No 0 Yes No hkey_local_machine\software\classes\popoops2.popoops

00043761 adware/addestroyer Adware No 0 Yes No HKEY_CLASSES_ROOT\Interface\{795398D0-DC2F-4118-A69C-592273BA9C2B}

00046761 adware/xupiter Adware No 0 Yes No HKEY_CLASSES_ROOT\TypeLib\{805AF2C8-98C7-4F3C-A7C9-25EBF27567F3}

;===============================================================================

SUSPECTS

Sent Location s

;===============================================================================

;===============================================================================

VULNERABILITIES

Id Severity Description s

;===============================================================================

;===============================================================================

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 5:47:32 AM, on 11/14/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe

C:\WINDOWS\system32\cba\pds.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

C:\WINDOWS\system32\devldr32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\cba\xfr.exe

C:\WINDOWS\system32\MsgSys.EXE

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://news.google.com/

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [iMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [imjpmig] C:\IME\IMJP\imjpmig.exe /RemAdvDef /AIMEREG /Migration /SetPreload

O4 - HKLM\..\Run: [imekrmig] C:\IME\IMKR\imekrmig.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\Netscape\Communicator\Program\AIM\aim.exe (file missing)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Intel File Transfer - Intel


Yes, this is a bit of a nasty one. Please try this and let me know if you have trouble running it.

Please download the following scanning tool: GMER

  • Open the zip file and copy the file gmer.exe to your Desktop.
  • Double click on gmer.exe and run it.
  • It may take a minute to load and become available.
  • Do not make any changes. Click on the SCAN button and DO NOT use the computer while it's scanning.
  • Once the scan is done, click on the SAVE button, browse to your Desktop and save the file as GMER.LOG.
  • Zip up the GMER.LOG file, save it as gmerlog.zip and attach it to your reply post.
  • DO NOT directly post this log into a reply. You MUST attach it as a .ZIP file.
  • Click OK and quit the GMER program.


Hi, thanks for your help. Here's the gmerlog.


gmerlog.zip


Hello Matthewc,

I have had a chance to examine your GMER log, and it seems you are indeed infected with a RootKit.TDSS variant.

If you can, please visit here and follow the instructions.

http://www.gmer.net/faq.php

Just in case you can't access it via the website URL, here's the IP:

http://204.152.184.145/faq.php

Replace rootkit.rustok with tdss; the instructions are the same regardless of the particular variant we're dealing with. :blink:


Hi,

I deleted the tdss service in gmer. I was wondering if I should also remove the module and other associated registry files, but haven't taken any of that action yet.

Thank you for your quick responses!

Attached is the GMER log, post-deletion.

(quoting Raid's reply of Nov 15 2008, 12:50 AM, post 34946)

gmerlog.zip


Yes, you need to remove everything related to TDSS in the GMER log.

---- Modules - GMER 1.0.14 ----

Module \systemroot\system32\drivers\TDSSmhct.sys (*** hidden *** ) BA7A6000-BA7B8000 (73728 bytes)

That one too, please. :blink:

Once this is done, we should be able to bring MBAM online and finish up.


Hi folks,

Removing the modules and other associated files in GMER wasn't as straightforward as deleting the service. All I could do was dump the module (and to be honest I had no idea what that meant or did). For the registry values there don't seem to be many options in GMER. Any advice on that?

Thank you, I appreciate the help.


Well, if you've killed off the service and Malwarebytes runs, please go to the UPDATE tab, update the program and run a Quick Scan. Choose FIX SELECTED if anything is found, fix it and reboot the computer.

Then run a HJT scan and save the log and post back both please.


Earlier in the afternoon, after I deleted the rootkit service in gmer, I ran mbam in safe mode and this is what it picked up:

Malwarebytes' Anti-Malware 1.30

Database version: 1401

Windows 5.1.2600 Service Pack 3

11/15/2008 4:42:45 PM

mbam-log-2008-11-15 (16-42-45).txt

Scan type: Quick Scan

Objects scanned: 47202

Time elapsed: 8 minute(s), 39 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 8

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\TDSScfum.dll (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\TDSSnrsr.dll (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\TDSSofxh.dll (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\TDSSriqp.dll (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\Documents and Settings\taro\Local Settings\Temp\TDSS8d23.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Documents and Settings\taro\Local Settings\Temp\TDSS8daf.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\TDSSfxwp.dll (Rootkit.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\TDSStkdv.log (Trojan.TDSS) -> Quarantined and deleted successfully.

After doing that things seem to be back to normal. Here are my most recent mbam and hjt logs:

Malwarebytes' Anti-Malware 1.30

Database version: 1401

Windows 5.1.2600 Service Pack 3

11/16/2008 1:22:42 AM

mbam-log-2008-11-16 (01-22-42).txt

Scan type: Quick Scan

Objects scanned: 48381

Time elapsed: 7 minute(s), 22 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:58:16 AM, on 11/16/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe

C:\WINDOWS\system32\rundll32.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe

C:\WINDOWS\system32\cba\pds.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

C:\WINDOWS\system32\devldr32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\cba\xfr.exe

C:\WINDOWS\system32\MsgSys.EXE

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://news.google.com/

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [iMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [imjpmig] C:\IME\IMJP\imjpmig.exe /RemAdvDef /AIMEREG /Migration /SetPreload

O4 - HKLM\..\Run: [imekrmig] C:\IME\IMKR\imekrmig.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\Netscape\Communicator\Program\AIM\aim.exe (file missing)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Intel File Transfer - Intel
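As an added example (not code from the thread or from Malwarebytes), here is a small parser for the MBAM 1.x log format posted above that compares successive scans and flags detections that return after being quarantined, which is the symptom this thread opened with. The sample logs are constructed and abbreviated from the ones posted here; the "rescan after reboot" log is invented to model that symptom.

```python
"""Parse Malwarebytes' Anti-Malware 1.x text logs and flag detections that
come back after being quarantined. Added example, not the thread's own code."""
import re
from dataclasses import dataclass

# Section headings of the MBAM 1.x log, exactly as they appear in the posted logs.
SECTIONS = (
    "Memory Processes Infected", "Memory Modules Infected",
    "Registry Keys Infected", "Registry Values Infected",
    "Registry Data Items Infected", "Folders Infected", "Files Infected",
)
# One detection line: "<item> (<threat name>) -> <action>".
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+)$")


@dataclass(frozen=True)
class Detection:
    section: str  # which "... Infected:" block the line came from
    item: str     # registry key, file path, folder, process or module
    name: str     # MBAM threat name, e.g. Trojan.TDSS
    action: str   # what MBAM did, e.g. "Quarantined and deleted successfully."


def parse_mbam_log(text):
    """Return (header, detections) for one log; header maps key -> value."""
    header, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        # Detail blocks are headed "Registry Keys Infected:" with no count.
        if line.endswith(":") and line[:-1] in SECTIONS:
            section = line[:-1]
            continue
        if section is None:
            # Summary part: "Database version: 1397", "Files Infected: 8", ...
            key, sep, value = line.partition(": ")
            if sep:
                header[key] = value
            continue
        m = DETECTION_RE.match(line)
        if m:
            detections.append(Detection(section, m["item"], m["name"], m["action"]))
    return header, detections


def recurring_detections(logs):
    """For logs in chronological order, return (first_seen, seen_again, det) for
    every item reported again after an earlier scan had already removed it.
    Paths are compared case-insensitively, as Windows treats them."""
    first_seen, recurring = {}, []
    for idx, text in enumerate(logs):
        for det in parse_mbam_log(text)[1]:
            key = (det.section, det.item.lower())
            if key in first_seen:
                recurring.append((first_seen[key], idx, det))
            else:
                first_seen[key] = idx
    return recurring


def assess(logs):
    """Plain-language reading of a series of scans."""
    back = recurring_detections(logs)
    if not back:
        return "no detection recurred across scans"
    names = ", ".join(sorted({d.name for _, _, d in back}))
    return (f"{len(back)} item(s) ({names}) came back after being quarantined; "
            "something the scanner cannot see, such as a hidden driver or "
            "service, is probably recreating them, so run a rootkit scanner "
            "(the thread uses GMER) before rescanning")


# Constructed sample, abbreviated from the 11/14 log posted in the thread.
SCAN_1 = r"""Malwarebytes' Anti-Malware 1.30
Database version: 1397
11/14/2008 5:14:12 AM
Registry Keys Infected: 2
Files Infected: 0

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
Files Infected:
(No malicious items detected)
"""
# Constructed: a rescan after reboot finding the same keys, as the OP reported.
SCAN_2 = SCAN_1.replace("5:14:12 AM", "9:40:03 PM")
# Constructed, abbreviated from the 11/15 safe-mode scan run after the service was removed.
SCAN_3 = r"""Malwarebytes' Anti-Malware 1.30
Database version: 1401
11/15/2008 4:42:45 PM
Registry Keys Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\TDSScfum.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSfxwp.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    print(assess([SCAN_1, SCAN_2, SCAN_3]))
```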


Sweet... I suspected once we neutered the rootkit we could get his friends.

Go ahead and reboot into normal mode, update MBAM, scan again, post its log and let us know how your computer is acting.


Things are looking good for now. Is there anything else I should look out for? Again, thanks for your help. You guys are great!

Malwarebytes' Anti-Malware 1.30

Database version: 1403

Windows 5.1.2600 Service Pack 3

11/16/2008 9:37:08 PM

mbam-log-2008-11-16 (21-37-08).txt

Scan type: Quick Scan

Objects scanned: 48386

Time elapsed: 4 minute(s), 49 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:37:48 PM, on 11/16/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe

C:\WINDOWS\system32\rundll32.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe

C:\WINDOWS\system32\cba\pds.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

C:\WINDOWS\system32\devldr32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\cba\xfr.exe

C:\WINDOWS\system32\MsgSys.EXE

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://news.google.com/

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [iMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [imjpmig] C:\IME\IMJP\imjpmig.exe /RemAdvDef /AIMEREG /Migration /SetPreload

O4 - HKLM\..\Run: [imekrmig] C:\IME\IMKR\imekrmig.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\Netscape\Communicator\Program\AIM\aim.exe (file missing)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Intel File Transfer - Intel
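Reading an autorun listing like the HijackThis log above by hand is tedious, so here is an added example (my own code, not from the thread, HijackThis or Malwarebytes) that parses O4, O9 and O23 lines in the format shown and attaches the review flags a responder checks first: targets marked missing, autoruns launched from user-writable folders, a system-binary name living outside System32, and services with no publisher. The sample log is constructed; the "updater" entry in it is a made-up suspicious line, not something from this machine's log.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample in the format of the HijackThis log quoted above.
# The "updater" line is a made-up suspicious entry for illustration only.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\User\Local Settings\Temp\svchost.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\Netscape\Communicator\Program\AIM\aim.exe (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
"""


@dataclass
class Entry:
    section: str                 # HijackThis section: O4, O9 or O23
    name: str                    # value name, button caption or service name
    command: str                 # command line / image path as logged
    location: str = ""           # hive\..\Run, Global Startup, Service (owner)
    flags: List[str] = field(default_factory=list)


RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.+?)\] (.*)$")
STARTUP_RE = re.compile(r"^O4 - Global Startup: (.+?) = (.*)$")
BUTTON_RE = re.compile(r"^O9 - Extra button: (.+?) - \{[0-9A-Fa-f-]+\} - (.*)$")
SERVICE_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.*)$")

# Folders an ordinary user can write to; autoruns launched from here deserve a look.
USER_WRITABLE = ("\\temp\\", "\\local settings\\", "\\application data\\")


def executable_path(command: str) -> str:
    """Extract the launched image from a Run/Service command line."""
    command = command.strip()
    if command.startswith('"'):                      # quoted path: take up to the closing quote
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.+?\.exe)(?:\s|$)", command, re.IGNORECASE)
    if m:                                            # unquoted path: stop at the first .exe token
        return m.group(1)
    return command.split()[0] if command else ""


def parse_hjt(text: str) -> List[Entry]:
    """Turn O4/O9/O23 log lines into Entry records; other sections are ignored."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := RUN_RE.match(line):
            entries.append(Entry("O4", m.group(3), m.group(4), f"{m.group(1)}\\..\\{m.group(2)}"))
        elif m := STARTUP_RE.match(line):
            entries.append(Entry("O4", m.group(1), m.group(2), "Global Startup"))
        elif m := BUTTON_RE.match(line):
            entries.append(Entry("O9", m.group(1), m.group(2), "IE extra button"))
        elif m := SERVICE_RE.match(line):
            entries.append(Entry("O23", m.group(1), m.group(3), f"Service ({m.group(2)})"))
    return entries


def triage(entries: List[Entry]) -> List[Entry]:
    """Attach review flags in place and return only the entries that got one."""
    for e in entries:
        e.flags = []                                 # idempotent on repeated calls
        path = executable_path(e.command).lower()
        if "(file missing)" in e.command.lower():
            e.flags.append("orphaned: target file missing")
        if any(marker in path for marker in USER_WRITABLE):
            e.flags.append("launches from a user-writable folder")
        if path.endswith("svchost.exe") and "\\system32\\" not in path:
            e.flags.append("system binary name outside System32")
        if e.section == "O23" and "unknown owner" in e.location.lower():
            e.flags.append("service with no publisher; verify the file signature")
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in triage(parse_hjt(SAMPLE_HJT_LOG)):
        print(f"{e.section} [{e.name}] {e.location}: {'; '.join(e.flags)}")
```

Run it against a saved log with `parse_hjt(open("hijackthis.log").read())`; the flags are prompts for a human look, not verdicts, and a clean entry such as the Symantec `vptray` Run value produces no flag at all. The walrus operator requires Python 3.8 or newer.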


Hello Matt,

Not sure what happened as I could swear that I posted back to you last night but the post is not here.

Anyways... Please uninstall Adobe Reader 7 from Add/Remove in Control Panel, as well as all old versions of Java. They used different names at different times, so look from top to bottom in Add/Remove and remove all versions older than 6 Update 10.

Here is the typical canned message I use for the Java.

Update Java Runtime

You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, and also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment (JRE) 6 Update 10.

  • Go to http://java.sun.com/javase/downloads/index.jsp
  • Go to Java Runtime Environment (JRE) 6 Update 10 about halfway down the page and click on the Download button.
  • In the Platform box choose Windows.
  • Check the box to Accept License Agreement and click Continue.
  • Click on Windows Offline Installation, click on the link under it which says "jre-6u10-windows-i586-p.exe" and save the downloaded file to your desktop.
  • Go to Start => Control Panel => Add or Remove Programs
  • Uninstall all old versions of Java (Java 3 Runtime Environment, JRE or JSE), etc...
  • Browse to C:\Program Files\Java and remove the JAVA folder.
  • Once ALL older versions are removed you will no longer need to remove them in the future. This update includes a new method of updating that will update the files in place. So with the next version 11 update it will actually update 10 instead of a new installation.
  • Install the new version by running the newly-downloaded file with the Java icon which will be on your desktop, and follow the on-screen instructions.
  • Reboot your computer.

After you've updated both of those programs let me know if the computer is still running well with no Malware issues and I'll provide you some information on helping to keep the computer clean.


Hi,

I updated to Adobe Reader 9 and followed your instructions for Java 6u10.

As far as I can tell the system seems to be running smoothly and is free of any viruses/malware.

Thank you very much!


Great, that's good news. I'll close this thread now then, and if you do have further issues please post again, but please review the information below that can help you keep your system clean.

At this time your system appears to be clean. Nothing else in the logs indicates that you are still infected.

Now that you appear to be clean, please follow these simple steps in order to keep your computer clean and secure:

Disable and Enable System Restore - Windows XP

This is a good time to clear your existing system restore points and establish a new clean restore point:

Turn off System Restore

  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
  • Reboot.

Turn ON System Restore

  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Un-check *Turn off System Restore*.
  • Click Apply, and then click OK.

This will remove all restore points except the new one you just created.

Here are some free programs I recommend that could help you improve your computer's security.

Spybot Search and Destroy

Download it from here. Just choose a mirror and off you go.

Find the tutorial on how to use Spybot properly here.

Install SpyWare Blaster

Download it from here.

Find the tutorial on how to use Spyware Blaster here.

Install WinPatrol

Download it from here.

You can find information about how WinPatrol works here.

Install FireTrust SiteHound

You can find information and download it from here.

Install hpHosts

Download it from here.

hpHosts is a community managed and maintained hosts file that adds an additional layer of protection against access to ad, tracking and malicious websites. It prevents your computer from connecting to these untrusted sites by redirecting them to 127.0.0.1, which is your own local computer.

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

You can use one of these sites to check if any updates are needed for your PC.

Visit Microsoft often to get the latest updates for your computer.

The Windows firewall is not sufficient to protect your system. It doesn't monitor outgoing traffic, and this is a must.

I recommend Online Armor Free.

A little outdated but good reading on how to prevent Malware.

Keep safe online and happy surfing.

Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.

The fixes and advice in this thread are for this machine only. Do not apply them to your machine unless you Fully Understand how these programs work and what you're doing. Please start a thread of your own and someone will be happy to help you; just follow the Pre-HijackThis instructions found here before posting: Pre-HJT Post Instructions

Also don't forget that we offer FREE assistance with General PC questions and repair here: PC Help

If you're pleased with the product Malwarebytes and the service provided you, please let your friends, family, and co-workers know. http://www.malwarebytes.org
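The hpHosts recommendation above rests on one mechanism: a name mapped to 127.0.0.1 in the hosts file never leaves the machine. The flip side is that the same file can be edited by malware to point a legitimate name at some other reachable address, which is the first thing to check when updates or security sites stop working. As an added example (my own code, not from the post, hpHosts or any tool it names), this Python checker parses a hosts file and separates names sinkholed to a loopback or unspecified address from names redirected to a real address. The sample hosts content, its names and its addresses are all constructed.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed hosts file for illustration: the default localhost line, two
# hpHosts-style block entries, and one redirect to an outside address.
# Every name and address here is made up (.test names, documentation IP range).
SAMPLE_HOSTS = """\
# hosts file (constructed sample)
127.0.0.1       localhost
127.0.0.1       ads.example-tracker.test     # sinkholed: never leaves this machine
0.0.0.0         malware.example-bad.test     # 0.0.0.0 is the other common sinkhole value
203.0.113.7     update.example-vendor.test   # NOT a block: traffic goes to a real host
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs, one per hostname, with comments stripped."""
    pairs: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop trailing or whole-line comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:                        # an address with no names is not a mapping
            continue
        address, names = parts[0], parts[1:]
        for name in names:                        # one line may map several names
            pairs.append((address, name.lower()))
    return pairs


def is_sinkhole(address: str) -> bool:
    """True when the address keeps traffic on the local machine (loopback or 0.0.0.0)."""
    try:
        addr = ipaddress.ip_address(address)
    except ValueError:                            # malformed address: treat as not a sinkhole
        return False
    return addr.is_loopback or addr.is_unspecified


def classify_hosts(text: str) -> Dict[str, List[str]]:
    """Separate names that are blocked from names that are redirected elsewhere."""
    result: Dict[str, List[str]] = {"blocked": [], "redirected": []}
    for address, name in parse_hosts(text):
        if name == "localhost":                   # the one loopback mapping every hosts file has
            continue
        if is_sinkhole(address):
            result["blocked"].append(name)
        else:
            # A name pointed at a reachable address is a redirect, not a block.
            # That is how a tampered hosts file diverts update or security-vendor
            # traffic, so these are the entries to review by hand.
            result["redirected"].append(f"{name} -> {address}")
    return result


if __name__ == "__main__":
    summary = classify_hosts(SAMPLE_HOSTS)
    print("blocked:   ", summary["blocked"])
    print("redirected:", summary["redirected"])
```

On Windows XP the file lives at C:\WINDOWS\system32\drivers\etc\hosts; feed its contents to `classify_hosts` and expect the "redirected" list to be empty on a machine that only uses a block list. Anything in that list is a hand-edited or malware-edited mapping that deserves an explanation.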
