
Hijacked by ransomware


Bina


My computer got hijacked by ransomware today. A restart with the networking cable detached worked, so I could follow the steps and run the tests. The DDS and MBAM logs are as follows, and the GMER / DDS logs are attached, as requested in the 'What do I do now' topic.

.

DDS (Ver_2011-08-26.01) - FAT32x86

Internet Explorer: 8.0.6001.18702

Run by Bina at 9:39:47 on 2011-08-27

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1326 [GMT 2:00]

.

AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

============== Running Processes ===============

.

D:\AVG\AVG10\avgchsvx.exe

D:\AVG\AVG10\avgrsx.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

D:\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe

C:\Program Files\Google\Update\1.3.21.65\GoogleCrashHandler.exe

D:\AVG\AVG10\avgwdsvc.exe

C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\PSIService.exe

D:\AVG\AVG10\avgnsx.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

D:\AVG\AVG10\avgemcx.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe

C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe

C:\WINDOWS\system32\taskmgr.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\IC\Card Reader Driver v1.9e2\Disk_Monitor.exe

D:\AVG\AVG10\avgtray.exe

D:\FreeMem Standard\freemem.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\rundll32.exe

D:\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe

C:\Documents and Settings\Bina\Application Data\Identities\{AAB16DB0-15B6-11DD-84DD-806D6172696F}\svghost.exe

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

D:\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe

C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe

C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe

C:\WINDOWS\system32\SearchIndexer.exe

D:\iolo\System Mechanic\SMTrayNotify.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = about:blank

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

uInternet Settings,ProxyServer = 74.208.15.170:3128

uInternet Settings,ProxyOverride = <local>

mSearchAssistant = hxxp://www.google.com

uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - d:\avg\avg10\toolbar\IEToolbar.dll

mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - d:\avg\avg10\toolbar\IEToolbar.dll

mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\program files\tvhbhrsr\dkboxeir.exe,

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - d:\avg\avg10\avgssie.dll

BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - d:\avg\avg10\toolbar\IEToolbar.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - d:\avg\avg10\toolbar\IEToolbar.dll

uRun: [FreeMem Pro] "d:\freemem standard\freemem.exe" Startup

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1

uRun: [{AAB16DB0-15B6-11DD-84DD-806D6172696F}] c:\documents and settings\bina\application data\identities\{aab16db0-15b6-11dd-84dd-806d6172696f}\svghost.exe

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [skyTel] SkyTel.EXE

mRun: [Alcmtr] ALCMTR.EXE

mRun: [PinnacleDriverCheck] c:\windows\system32\PSDrvCheck.exe -CheckReg

mRun: [Pinnacle WebUpdater] "d:\program files\pinnacle\shared files\\programs\webupdater\WebUpdater.exe" -s -f=UpdateVersion.xml -url=http://cdn.pinnaclesys.com/SupportFiles

mRun: [Disk Monitor] c:\program files\ic\card reader driver v1.9e2\Disk_Monitor.exe

mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [Malwarebytes Anti-Malware (reboot)] "d:\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

mRun: [nwiz] nwiz.exe /install

mRun: [AVG_TRAY] d:\avg\avg10\avgtray.exe

mRun: [QuickTime Task] "d:\quicktime\qttask.exe" -atboottime

mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVWSzItQUxZTUYtU0xLTFUtQVoyVUItNkdPS0ItSkhGTkg"&"inst=NzctNjE1NjkzMzg2LVQ0LUJBUjlHKzEtVEI5KzItRkwrOS1RSVgxKzQtWDIwMTArMi1GMTBNKzUtTElDKzc3LUZMMTArMS1TUDErMS1TVUQrMS1TMUkrMS1TVTMrMQ"&"prod=90"&"ver=10.0.1325

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

dRun: [4Y3Y0C3AYV3U0JXA] c:\recycle.bi\A96C465EF51.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wddmst~1.lnk - c:\program files\western digital\wd smartware\wd drive manager\WDDMStatus.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wdsmar~1.lnk - c:\program files\western digital\wd smartware\front parlor\WDSmartWare.exe

uPolicies-system: EnableProfileQuota = 1 (0x1)

IE: E&xport to Microsoft Excel - d:\micros~3\office10\EXCEL.EXE/3000

IE: Free YouTube Download - c:\documents and settings\bina\application data\dvdvideosoftiehelpers\youtubedownload.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {E59EB121-F339-4851-A3BA-FE49C35617C2} - d:\icq6.5\ICQ.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - {8C85E2EE-9FD6-11D5-B770-504D54C10000} - d:\visualroute lite edition\vrie.dll

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab

DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab

DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} - hxxp://download.microsoft.com/download/7/4/9/749b0dc5-2175-4d5b-a6dd-9c4bc923683e/Selfhelpcontrol.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1263903114905

DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1209447588312

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 80.69.100.182 80.69.100.230

TCP: Interfaces\{9D5D78FB-1227-48AD-918A-1CC08115B5EA} : DhcpNameServer = 80.69.100.182 80.69.100.230

Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - d:\avg\avg10\toolbar\IEToolbar.dll

Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - d:\avg\avg10\avgpp.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

.

============= SERVICES / DRIVERS ===============

.

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-2-22 22992]

R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-1-19 32592]

R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-1-7 248656]

R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-3-1 34896]

R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-2-10 297168]

R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;d:\adobe\photoshop elements 7.0\PhotoshopElementsFileAgent.exe [2008-9-16 169312]

R2 AVGIDSAgent;AVGIDSAgent;d:\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-4-18 7398752]

R2 avgwd;AVG WatchDog;d:\avg\avg10\avgwdsvc.exe [2011-2-8 269520]

R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2010-11-24 724664]

R2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2010-11-24 724664]

R2 PortTalk;PortTalk;c:\windows\system32\drivers\ptbtalk.sys [2008-6-13 3567]

R2 SCANDEV;SCANDEV;c:\windows\system32\drivers\Scandev.SYS [2008-6-22 135776]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-10-27 24652]

R2 WDDMService;WD SmartWare Drive Manager;c:\program files\western digital\wd smartware\wd drive manager\WDDMService.exe [2009-11-13 110592]

R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\western digital\wd smartware\front parlor\WDSmartWareBackgroundService.exe [2009-6-16 20480]

R2 WinRing0_1_2_0;WinRing0 driver;c:\windows\system32\drivers\ptbring0.sys [2011-8-26 14416]

R3 3xHybrid;Pinnacle PCTV Stereo service;c:\windows\system32\drivers\3xHybrid.sys [2006-12-18 827008]

R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-3-30 134480]

R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-2-10 24144]

R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-2-10 27216]

S1 e4dade76;e4dade76;c:\windows\system32\drivers\e4dade76.sys --> c:\windows\system32\drivers\e4dade76.sys [?]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-5 135664]

S3 AVG Security Toolbar Service;AVG Security Toolbar Service;d:\avg\avg10\toolbar\ToolbarBroker.exe [2011-5-10 1025352]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-5 135664]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-9-21 41272]

S3 RTL2832U_IRHID;HID Infrared Remote Receiver;c:\windows\system32\drivers\rtl2832u_irhid.sys --> c:\windows\system32\drivers\RTL2832U_IRHID.sys [?]

S3 RTL2832UBDA;REALTEK 2832U BDA Driver;c:\windows\system32\drivers\rtl2832ubda.sys --> c:\windows\system32\drivers\RTL2832UBDA.sys [?]

S3 RTL2832UUSB;REALTEK 2832U USB Driver;c:\windows\system32\drivers\rtl2832uusb.sys --> c:\windows\system32\drivers\RTL2832UUSB.sys [?]

S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2011-7-19 11520]

.

=============== File Associations ===============

.

JSEFile=NOTEPAD.EXE %1

VBEFile=NOTEPAD.EXE %1

VBSFile=NOTEPAD.EXE %1

.

=============== Created Last 30 ================

.

2011-08-27 07:10:04 -------- d-sh--w- C:\FOUND.003

2011-08-26 14:26:53 14416 ----a-w- c:\windows\system32\drivers\ptbring0.sys

2011-08-26 03:17:34 -------- d-----w- C:\TDSSKiller_Quarantine

2011-08-16 18:47:00 -------- d-sh--w- C:\FOUND.002

2011-08-10 18:13:08 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll

2011-08-10 18:13:07 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll

2011-08-10 18:13:07 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll

2011-08-10 18:13:07 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll

2011-08-10 18:13:07 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll

2011-08-10 18:13:07 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll

2011-08-10 18:13:07 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll

2011-08-09 00:51:06 -------- d-sh--w- C:\FOUND.001

2011-08-05 13:27:37 -------- d-----w- c:\documents and settings\bina\application data\Firestorm

2011-08-05 13:27:36 -------- d-----w- c:\documents and settings\bina\local settings\application data\Firestorm

2011-07-30 00:10:28 -------- d-sh--w- C:\FOUND.000

.

==================== Find3M ====================

.

2011-08-10 19:49:06 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-07-17 11:00:48 11488 ----a-w- c:\windows\system32\METAbolt_applet.cpl

2011-07-06 17:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-07-06 17:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-07-05 16:37:00 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx

2011-07-05 16:37:00 69632 ----a-w- c:\windows\system32\QuickTime.qts

.

=================== ROOTKIT ====================

.

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600 Disk: Hitachi_HDS721616PLA380 rev.P22OABEA -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-19

.

device: opened successfully

user: MBR read successfully

.

Disk trace:

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS

1 ntkrnlpa!IofCallDriver[0xE0BBB1A6] -> \Device\Harddisk0\DR0[0xFAD67AB8]

3 CLASSPNP[0xF66C7FD7] -> ntkrnlpa!IofCallDriver[0xE0BBB1A6] -> \Device\Ide\IdeDeviceP2T0L0-6[0xFAD6DB00]

kernel: MBR read successfully

_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [bP+0x0], CH; JL 0x2e; JNZ 0x3a; }

user != kernel MBR !!!

sectors 312581804 (+0): user != kernel

.

============= FINISH: 9:40:42.21 ===============

Malwarebytes' Anti-Malware 1.51.1.1800

www.malwarebytes.org

Database version: 7585

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

27.Aug.11 9:56:40

mbam-log-2011-08-27 (09-56-40).txt

Scan type: Quick scan

Objects scanned: 173015

Time elapsed: 3 minute(s), 11 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\System32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Delete on reboot.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemroot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Delete on reboot.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

attach.zip


  • Staff

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the contents of C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.


  • 3 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
