
Detected White Smoke & Palladium



Already ran Malwarebytes multiple times in Safe Mode, using RKill beforehand. Ran TDSSKiller: it found and cured a rootkit virus. Ran ComboFix after uninstalling AVG. That seems to have helped, but the system is still sluggish, although it is an older system with only 512 MB of memory.

Malwarebytes found WhiteSmoke.PUP as well as Palladium. This guy really messed up his system. Any help would be greatly appreciated. Sorry for running ComboFix before being instructed to; it looks like the system survived anyway. I've included the DDS log and attached attach.txt and ark.txt. Unfortunately I deleted the Malwarebytes log. I can run it again if need be.

Please let me know my next steps.

Thanks in advance,

Dustin

DDS LOG

DDS (Ver_10-12-12.02) - NTFSx86

Run by POS at 15:56:37.56 on Wed 03/02/2011

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.46 [GMT -8:00]

AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\PROGRA~1\AVG\AVG10\avgchsvx.exe

C:\PROGRA~1\AVG\AVG10\avgrsx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\AVG\AVG10\avgwdsvc.exe

C:\Program Files\Executive Software\Diskeeper\DkService.exe

C:\Program Files\FedEx\ShipManager\BIN\FedEx.Gsm.Common.LoggingService.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\FedEx\ShipManager\SQLAnywhere\Bin32\dbsrv11.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Common Files\Dell\EUSW\Support.exe

C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe

C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\AVG\AVG10\avgtray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\AVG\AVG10\avgnsx.exe

C:\Program Files\FedEx\ShipManager\BIN\AdminService.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe

C:\Program Files\internet explorer\iexplore.exe

C:\Program Files\internet explorer\iexplore.exe

C:\Documents and Settings\User\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

uInternet Connection Wizard,ShellNext = iexplore

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File

TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [DwlClient] c:\program files\common files\dell\eusw\Support.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [DiskeeperSystray] "c:\program files\executive software\diskeeper\DkIcon.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe

IE: &Viewpoint Search - c:\program files\viewpoint\viewpoint toolbar\ViewBar.dll/CXTSEARCH.HTML

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

Trusted Zone: bankofamerica.com\www

Trusted Zone: fedex.com\www

Trusted Zone: frame.crazywinnings.com

Trusted Zone: frame.crazywinnings.com

DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab

DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {41F17733-B041-4099-A042-B518BB6A408C} - hxxp://a1540.g.akamai.net/7/1540/52/20060104/qtinstall.info.apple.com/snape/us/win/QuickTimeInstaller.exe

DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1299016249328

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1299016244203

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37999.5327546296

DPF: {A3D93B25-4601-49D2-B3AF-F447C73D561F} - hxxp://12.149.142.91:8080/program/SonySncRz25View.cab

DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab

DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll

Notify: igfxcui - igfxsrvc.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\bez0xesr.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z007&form=ZGAADF&q=

FF - component: c:\program files\avg\avg10\firefox\components\avgssff.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

FF - Ext: AVG Safe Search: {3f963a5b-e555-4543-90e2-c3908898db71} - c:\program files\avg\avg10\Firefox

============= SERVICES / DRIVERS ===============

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]

R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]

R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-12-8 251728]

R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]

R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-12 299984]

R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-1-6 6128720]

R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]

R2 FedExAdminService;FedEx Administration Service;c:\program files\fedex\shipmanager\bin\AdminService.exe [2010-4-16 24576]

R2 FedExLoggingService;FedEx Logging Service;c:\program files\fedex\shipmanager\bin\FedEx.Gsm.Common.LoggingService.exe [2010-4-16 7168]

R2 FedExShipnetDBService;FedEx Shipnet Database Service;c:\program files\fedex\shipmanager\sqlanywhere\bin32\dbsrv11.exe [2010-4-16 130352]

R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-3 123472]

R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-3 30288]

R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-3 26192]

S3 AE1000;Linksys AE1000 Driver;c:\windows\system32\drivers\AE1000XP.sys [2010-10-2 816672]

S3 FedExShipService;FedEx Shipping Engine;c:\program files\fedex\shipmanager\bin\ShipEngineService.exe [2010-4-16 5120]

S3 FedExTransactionService;FedEx Transaction Engine;c:\program files\fedex\shipmanager\bin\TransEngineService.exe [2010-4-16 6656]

=============== Created Last 30 ================

2011-03-02 22:04:03 -------- d-----w- c:\windows\system32\drivers\AVG

2011-03-02 22:02:11 -------- d-----w- c:\program files\AVG

2011-03-02 21:54:15 -------- d-s---w- C:\Combo-Fix19459C

2011-03-02 21:16:33 -------- d-sha-r- C:\cmdcons

2011-03-02 21:10:12 -------- d-----w- C:\Combo-Fix

2011-03-02 16:36:58 -------- d-----w- c:\docume~1\user\applic~1\Registry Mechanic

2011-03-02 01:41:21 -------- d-----w- c:\docume~1\user\applic~1\AVG10

2011-03-02 01:39:14 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files

2011-03-02 01:33:30 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10

2011-03-02 01:28:09 -------- d-----w- c:\docume~1\user\locals~1\applic~1\Apple Computer

2011-03-02 01:28:04 -------- d-----w- c:\docume~1\user\locals~1\applic~1\Apple

2011-03-02 01:22:36 -------- d-----w- c:\program files\CCleaner

2011-03-02 01:22:06 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-03-02 01:22:06 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll

2011-03-02 01:22:05 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-03-02 01:19:31 25048 ----a-w- c:\program files\mozilla firefox\components\browserdirprovider.dll

2011-03-02 01:19:31 140248 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll

2011-03-02 01:19:30 719832 ----a-w- c:\program files\mozilla firefox\mozcpp19.dll

2011-03-02 01:19:30 16856 ----a-w- c:\program files\mozilla firefox\plugin-container.exe

2011-03-01 23:59:25 -------- d-----w- c:\windows\system32\XPSViewer

2011-03-01 23:58:47 89088 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll

2011-03-01 23:58:27 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll

2011-03-01 23:58:27 117760 ------w- c:\windows\system32\prntvpt.dll

2011-03-01 23:58:26 597504 ------w- c:\windows\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe

2011-03-01 23:58:26 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe

2011-03-01 23:58:26 575488 ------w- c:\windows\system32\xpsshhdr.dll

2011-03-01 23:58:26 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll

2011-03-01 23:58:26 1676288 ------w- c:\windows\system32\xpssvcs.dll

2011-03-01 23:58:26 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll

2011-03-01 23:58:26 -------- d-----w- C:\02d0cd5c942597c1bf6828

2011-03-01 23:43:09 -------- d-sh--w- c:\documents and settings\user\IECompatCache

2011-03-01 23:42:14 -------- d-sh--w- c:\documents and settings\user\PrivacIE

2011-03-01 23:39:07 -------- d-sh--w- c:\documents and settings\user\IETldCache

2011-03-01 22:58:51 7680 ------w- c:\windows\system32\dllcache\iecompat.dll

2011-03-01 22:58:30 -------- d-----w- c:\windows\ie8updates

2011-03-01 22:57:58 12800 ------w- c:\windows\system32\dllcache\xpshims.dll

2011-03-01 22:57:54 602112 ------w- c:\windows\system32\dllcache\msfeeds.dll

2011-03-01 22:57:54 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll

2011-03-01 22:57:54 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll

2011-03-01 22:57:54 1991680 ------w- c:\windows\system32\dllcache\iertutil.dll

2011-03-01 22:57:53 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll

2011-03-01 22:57:53 11080704 ------w- c:\windows\system32\dllcache\ieframe.dll

2011-03-01 22:56:01 -------- dc-h--w- c:\windows\ie8

2011-03-01 22:43:12 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2

2011-03-01 22:27:09 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe

2011-03-01 22:26:03 590848 ------w- c:\windows\system32\dllcache\rpcrt4.dll

2011-03-01 22:23:46 974848 ------w- c:\windows\system32\dllcache\mfc42.dll

2011-03-01 22:23:46 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll

2011-03-01 22:23:22 617472 ------w- c:\windows\system32\dllcache\comctl32.dll

2011-03-01 22:22:27 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys

2011-03-01 22:22:21 81920 ------w- c:\windows\system32\dllcache\fontsub.dll

2011-03-01 22:22:21 119808 ------w- c:\windows\system32\dllcache\t2embed.dll

2011-03-01 22:18:02 471552 ------w- c:\windows\system32\dllcache\aclayers.dll

2011-03-01 22:16:21 153088 ------w- c:\windows\system32\dllcache\triedit.dll

2011-03-01 22:12:30 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe

2011-03-01 22:10:53 45568 ------w- c:\windows\system32\dllcache\wab.exe

2011-03-01 22:01:00 274288 ----a-w- c:\windows\system32\mucltui.dll

2011-03-01 22:01:00 16736 ----a-w- c:\windows\system32\mucltui.dll.mui

2011-03-01 21:51:05 15064 ----a-w- c:\windows\system32\wuapi.dll.mui

2011-03-01 21:45:30 -------- d-----w- c:\program files\Executive Software

2011-03-01 21:37:02 12872 ----a-w- c:\windows\system32\bootdelete.exe

2011-03-01 21:32:10 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2011-03-01 21:28:21 -------- d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro

2011-03-01 20:18:32 -------- d-----w- c:\program files\CleanUp!

2011-03-01 00:03:27 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData

==================== Find3M ====================

2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll

2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll

2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys

2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll

2010-12-20 23:59:20 916480 ----a-w- c:\windows\system32\wininet.dll

2010-12-20 23:59:19 43520 ------w- c:\windows\system32\licmgr10.dll

2010-12-20 23:59:19 1469440 ------w- c:\windows\system32\inetcpl.cpl

2010-12-20 22:15:51 81920 ------w- c:\windows\system32\ieencode.dll

2010-12-20 17:26:00 730112 ----a-w- c:\windows\system32\lsasrv.dll

2010-12-20 12:55:26 385024 ------w- c:\windows\system32\html.iec

2010-12-09 15:15:09 718336 ----a-w- c:\windows\system32\ntdll.dll

2010-12-09 14:30:22 33280 ----a-w- c:\windows\system32\csrsrv.dll

2010-12-09 13:38:47 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-12-09 13:07:05 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe

============= FINISH: 16:00:05.17 ===============

Attach.zip

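A small triage helper for the "Pseudo HJT Report" section of a DDS log, added here as an example. It is not part of the original post, of DDS, or of any Malwarebytes tool. It automates three checks a log reviewer does by eye on the report above: Trusted Zone entries that are not on an allowlist of domains the owner actually needs (the allowlist here is an assumption for the example), DPF entries (cached ActiveX installers) fetched from a raw IP address or a non-default port, and toolbar, explorer-bar or BHO entries whose DLL is missing ("No File"). The sample input is constructed from lines quoted from the log above; all function names are the example's own.

```python
"""Triage helper for DDS / HijackThis-style 'Pseudo HJT Report' sections.

Added example, not part of the original post or of DDS itself. Checks:
  1. Trusted Zone entries outside an allowlist of expected domains
  2. DPF (Download Program Files, i.e. cached ActiveX installers) whose
     source URL is a raw IP address or uses a non-default port
  3. TB / EB / BHO entries whose DLL is missing ("No File")
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample: lines copied from the DDS report quoted in the thread.
SAMPLE = r"""
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
Trusted Zone: bankofamerica.com\www
Trusted Zone: fedex.com\www
Trusted Zone: frame.crazywinnings.com
Trusted Zone: frame.crazywinnings.com
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {A3D93B25-4601-49D2-B3AF-F447C73D561F} - hxxp://12.149.142.91:8080/program/SonySncRz25View.cab
"""

# Assumption for this example: the domains the machine's owner legitimately
# needs in IE's Trusted sites zone. A real allowlist comes from the owner.
EXPECTED_TRUSTED = {"bankofamerica.com", "fedex.com"}

ENTRY_RE = re.compile(r"^(?P<kind>[A-Za-z ]+?):\s*(?P<body>.+)$")


def parse_entries(text):
    """Yield (kind, body) for every 'Kind: body' line in the report."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("kind"), m.group("body")


def defang_to_url(s):
    """DDS writes hxxp:// so URLs are not clickable; restore for parsing."""
    return re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)


def trusted_zone_domain(body):
    """'bankofamerica.com\\www' means host www under bankofamerica.com."""
    return body.split("\\", 1)[0].lower()


def suspicious_dpf(url):
    """Return a reason if an ActiveX source URL looks off, else None."""
    parts = urlsplit(defang_to_url(url))
    host = parts.hostname or ""
    try:
        ipaddress.ip_address(host)
        return "ActiveX control downloaded from a raw IP address"
    except ValueError:
        pass
    if parts.port not in (None, 80, 443):
        return f"ActiveX control downloaded from non-default port {parts.port}"
    return None


def triage(text, expected_trusted=EXPECTED_TRUSTED):
    """Return findings as (severity, kind, body, reason) tuples."""
    findings = []
    seen_trusted = set()
    for kind, body in parse_entries(text):
        if kind == "Trusted Zone":
            dom = trusted_zone_domain(body)
            if dom in seen_trusted:
                continue  # duplicate lines are common; report each domain once
            seen_trusted.add(dom)
            if dom not in expected_trusted:
                findings.append((
                    "high", kind, body,
                    "unexpected domain in IE Trusted sites zone (relaxed security settings)",
                ))
        elif kind == "DPF":
            url = body.split(" - ", 1)[-1]  # body is '{CLSID} - hxxp://...'
            reason = suspicious_dpf(url)
            if reason:
                findings.append(("medium", kind, body, reason))
        elif kind in ("TB", "EB", "BHO") and body.endswith("No File"):
            findings.append((
                "low", kind, body,
                "orphaned browser extension entry; DLL missing, clean up the registry key",
            ))
    return findings


if __name__ == "__main__":
    for sev, kind, body, reason in triage(SAMPLE):
        print(f"[{sev:6}] {kind}: {body}\n         -> {reason}")
```

Run against the sample it reports the two orphaned bar entries, the frame.crazywinnings.com Trusted Zone entry (reported once despite appearing twice) and the SonySncRz25View.cab control pulled from 12.149.142.91:8080; the Apple QuickTime control passes. The severities are a triage ordering, not a verdict: an unexpected Trusted Zone domain deserves a look because pages in that zone run with IE's relaxed settings, while a "No File" entry is usually leftover registry debris.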

ESET ONLINE SCANNER LOG

C:\Documents and Settings\NetworkService\Application Data\exqEdC.js JS/TrojanDownloader.Agent.NWG trojan cleaned by deleting - quarantined

C:\Documents and Settings\NetworkService\Application Data\MKHIp.js JS/TrojanDownloader.Agent.NWG trojan cleaned by deleting - quarantined

C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Gummy.class-421ef8d3-25f76842.class Java/Bytverify trojan cleaned by deleting - quarantined

C:\WINDOWS\SYSTEM32\345.js JS/TrojanDownloader.Agent.NWG trojan cleaned by deleting - quarantined

I am still finding infected files. Can anyone help me out?

Thanks,

Dustin


  • Staff

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log. Then grab a fresh copy of TDSSKiller, run it, and post its log. Next, grab a fresh copy of ComboFix, run it, and post its log.

Next, please run the PCPitstop Full Tests here. When the tests are complete, a results page will pop up. Copy and paste the URL of the Results screen and post it here for me.

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

