
Solved trojan help

Discussion in 'Malware and Virus Removal Archive' started by whopper, 2010/12/18.

  1. 2010/12/18
    whopper (Inactive Thread Starter)
    [Resolved] trojan help

    My computer's ESET NOD32 notified me of a Win32/Rustock trojan in the latest scan. It is located at c:\WINDOWS\system32\drivers\sysnsenddrv.sys.
    I have used TDSSKiller, Windows recovery mode to disable pe386, and deleting from quarantine, with no luck.

    Thanks for the help.

    I will post the logs in more than one post.

    Malwarebytes' Anti-Malware 1.50
    www.malwarebytes.org

    Database version: 5325

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    16/12/2553 17:20:42
    mbam-log-2553-12-16 (17-20-42).txt

    Scan type: Quick scan
    Objects scanned: 134360
    Time elapsed: 3 minute(s), 5 second(s)

    Memory Processes Infected: 1
    Memory Modules Infected: 1
    Registry Keys Infected: 3
    Registry Values Infected: 1
    Registry Data Items Infected: 2
    Folders Infected: 0
    Files Infected: 4

    Memory Processes Infected:
    c:\documents and settings\localservice\local settings\application data\Google\Update\googleupdatebeta.exe (Trojan.Agent) -> 1504 -> Unloaded process successfully.

    Memory Modules Infected:
    c:\WINDOWS\system32\geku.eho (Backdoor.Bot) -> Delete on reboot.

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\GoogleUpdateBeta (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\ididp (Trojan.Sasfis) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\synsend (Trojan.Agent) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run\Java developer Script Browse (Trojan.Agent) -> Value: Java developer Script Browse -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Backdoor.Bot) -> Bad: (geku.eho) Good: () -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe rundll32.exe geku.eho cajhwh) Good: (Explorer.exe) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\WINDOWS\system32\geku.eho (Backdoor.Bot) -> Delete on reboot.
    c:\windows\system32\drivers\str.sys (Rootkit.Agent) -> Delete on reboot.
    c:\documents and settings\localservice\local settings\application data\Google\Update\googleupdatebeta.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\documents and settings\networkservice\local settings\application data\Google\Update\googleupdatebeta.exe (Trojan.Agent) -> Quarantined and deleted successfully.


    MBR following

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Professional
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x000007fc

    Kernel Drivers (total 128):
    0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
    0x806E4000 \WINDOWS\system32\hal.dll
    0xF8B64000 \WINDOWS\system32\KDCOM.DLL
    0xF8A74000 \WINDOWS\system32\BOOTVID.dll
    0xF8664000 xoltsey.sys
    0xF8470000 spwm.sys
    0xF8B66000 \WINDOWS\System32\Drivers\WMILIB.SYS
    0xF8458000 \WINDOWS\System32\Drivers\SCSIPORT.SYS
    0xF842A000 ACPI.sys
    0xF8419000 pci.sys
    0xF8674000 isapnp.sys
    0xF8C2C000 pciide.sys
    0xF88E4000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    0xF8684000 MountMgr.sys
    0xF83FA000 ftdisk.sys
    0xF8B68000 dmload.sys
    0xF83D4000 dmio.sys
    0xF88EC000 PartMgr.sys
    0xF8694000 VolSnap.sys
    0xF83BC000 atapi.sys
    0xF86A4000 disk.sys
    0xF86B4000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    0xF839C000 fltmgr.sys
    0xF8385000 KSecDD.sys
    0xF82F8000 Ntfs.sys
    0xF82CB000 NDIS.sys
    0xF86C4000 uagp35.sys
    0xF82B1000 Mup.sys
    0xF87C4000 \SystemRoot\system32\DRIVERS\intelppm.sys
    0xF817A000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
    0xF8166000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    0xF87D4000 \SystemRoot\system32\DRIVERS\imapi.sys
    0xF87E4000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0xF87F4000 \SystemRoot\system32\DRIVERS\redbook.sys
    0xF8143000 \SystemRoot\system32\DRIVERS\ks.sys
    0xF7D54000 \SystemRoot\system32\drivers\ALCXWDM.SYS
    0xF7D30000 \SystemRoot\system32\drivers\portcls.sys
    0xF8804000 \SystemRoot\system32\drivers\drmk.sys
    0xF895C000 \SystemRoot\system32\DRIVERS\usbohci.sys
    0xF7D0C000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0xF8964000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0xF7C38000 \SystemRoot\System32\Drivers\auw18auk.SYS
    0xF89CC000 \SystemRoot\system32\DRIVERS\fdc.sys
    0xF8814000 \SystemRoot\system32\DRIVERS\serial.sys
    0xF8B5C000 \SystemRoot\system32\DRIVERS\serenum.sys
    0xF7C24000 \SystemRoot\system32\DRIVERS\parport.sys
    0xF8824000 \SystemRoot\system32\DRIVERS\i8042prt.sys
    0xF89D4000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0xF8C99000 \SystemRoot\system32\DRIVERS\audstub.sys
    0xF8834000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0xF8B60000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0xF7C0D000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0xF8844000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0xF8854000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0xF89DC000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0xF7BFC000 \SystemRoot\system32\DRIVERS\psched.sys
    0xF8864000 \SystemRoot\system32\DRIVERS\msgpc.sys
    0xF89EC000 \SystemRoot\system32\DRIVERS\ptilink.sys
    0xF89F4000 \SystemRoot\system32\DRIVERS\raspti.sys
    0xF7BCC000 \SystemRoot\system32\DRIVERS\rdpdr.sys
    0xF8874000 \SystemRoot\system32\DRIVERS\termdd.sys
    0xF89FC000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0xF8B7E000 \SystemRoot\system32\DRIVERS\swenum.sys
    0xF7AA6000 \SystemRoot\system32\DRIVERS\update.sys
    0xF8271000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0xF8884000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xF88C4000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0xF8B80000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0xF8B82000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xF8D14000 \SystemRoot\System32\Drivers\Null.SYS
    0xF8B84000 \SystemRoot\System32\Drivers\Beep.SYS
    0xEBA3F000 \SystemRoot\system32\DRIVERS\ehdrv.sys
    0xF8A1C000 \SystemRoot\System32\drivers\vga.sys
    0xF8B86000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xF8B88000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xF8A24000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xF8A2C000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xF8B24000 \SystemRoot\system32\DRIVERS\rasacd.sys
    0xEBA0C000 \SystemRoot\system32\DRIVERS\ipsec.sys
    0xEB9B3000 \SystemRoot\system32\DRIVERS\tcpip.sys
    0xEB98B000 \SystemRoot\system32\DRIVERS\netbt.sys
    0xEB965000 \SystemRoot\system32\DRIVERS\ipnat.sys
    0xF8704000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0xEB94D000 \SystemRoot\system32\DRIVERS\epfwtdir.sys
    0xBA7DE000 \SystemRoot\System32\drivers\afd.sys
    0xF8714000 \SystemRoot\system32\DRIVERS\netbios.sys
    0xF8724000 \SystemRoot\System32\Drivers\SCDEmu.SYS
    0xBA6C3000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0xBA62B000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0xF8734000 \SystemRoot\System32\Drivers\Fips.SYS
    0xEBA62000 \SystemRoot\system32\DRIVERS\hidusb.sys
    0xF8754000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    0xF8A34000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    0xF8764000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xF8A3C000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
    0xEBA5E000 \SystemRoot\system32\DRIVERS\mouhid.sys
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xBA726000 \SystemRoot\System32\drivers\Dxapi.sys
    0xF8A4C000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xF8D80000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBF012000 \SystemRoot\System32\ati2dvag.dll
    0xBF048000 \SystemRoot\System32\ati2cqag.dll
    0xBF080000 \SystemRoot\System32\ati3duag.dll
    0xBF24E000 \SystemRoot\System32\ativvaxx.dll
    0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
    0xBA429000 \SystemRoot\system32\DRIVERS\eamon.sys
    0xF8A5C000 \SystemRoot\system32\DRIVERS\AegisP.sys
    0xBA75E000 \SystemRoot\system32\DRIVERS\fssfltr_tdi.sys
    0xBA51B000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0xBA74E000 \SystemRoot\system32\DRIVERS\rspndr.sys
    0xF8BCC000 \SystemRoot\System32\Drivers\ParVdm.SYS
    0x81923000 000006F0
    0xBA0F4000 \SystemRoot\system32\drivers\wdmaud.sys
    0xBA231000 \SystemRoot\system32\drivers\sysaudio.sys
    0xBA04E000 \SystemRoot\system32\DRIVERS\srv.sys
    0xBA331000 \SystemRoot\system32\DRIVERS\secdrv.sys
    0xB9A1B000 \SystemRoot\System32\Drivers\HTTP.sys
    0xB9583000 \??\C:\DOCUME~1\JAMESZ~1\LOCALS~1\Temp\pfkcqpob.sys
    0xB94E5000 \SystemRoot\system32\DRIVERS\ar5211.sys
    0xB945C000 \SystemRoot\System32\Drivers\Fastfat.SYS
    0xF8A64000 \??\D:\My Documents\Downloads\SEAL\Seal Online Plus\apf001.sys
    0xF8A6C000 \??\D:\My Documents\Downloads\SEAL\Seal Online Plus\apl001.sys
    0xB943E000 \??\D:\My Documents\Downloads\SEAL\Seal Online Plus\sealt.sys
    0xF8BEA000 \SystemRoot\System32\Drivers\hiber_WMILIB.SYS
    0xB935D000 \SystemRoot\system32\drivers\kmixer.sys
    0x7C900000 \WINDOWS\system32\ntdll.dll
    0x10000000 \Program Files\DAEMON Tools Lite\Engine.dll

    Processes (total 28):
    0 System Idle Process
    4 System
    600 C:\WINDOWS\system32\smss.exe
    648 csrss.exe
    676 C:\WINDOWS\system32\winlogon.exe
    720 C:\WINDOWS\system32\services.exe
    732 C:\WINDOWS\system32\lsass.exe
    896 C:\WINDOWS\system32\svchost.exe
    944 svchost.exe
    984 C:\WINDOWS\system32\svchost.exe
    1092 svchost.exe
    1124 svchost.exe
    1328 C:\WINDOWS\system32\spoolsv.exe
    1412 C:\WINDOWS\system32\acs.exe
    1460 C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
    1516 C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    1940 C:\WINDOWS\explorer.exe
    928 C:\Program Files\Unlocker\UnlockerAssistant.exe
    1020 C:\Program Files\TP-LINK\TWCU\TWCU.exe
    1036 C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
    1064 C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    1172 C:\WINDOWS\system32\ctfmon.exe
    2400 alg.exe
    2340 C:\WINDOWS\system32\svchost.exe
    2496 C:\Program Files\Windows Live\Contacts\wlcomm.exe
    3552 C:\WINDOWS\system32\wuauclt.exe
    3064 C:\Program Files\Maxthon\Maxthon.exe
    3256 C:\Documents and Settings\jamesZeRo\Local Settings\Temporary Internet Files\Content.IE5\LQ5YSNUQ\MBRCheck[1].exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
    \\.\D: --> \\.\PhysicalDrive0 at offset 0x00000008`8b905a00 (NTFS)

    PhysicalDrive0 Model Number: WDCWD800BB-00JHC0, Rev: 05.01C05

    Size Device Name MBR Status
    --------------------------------------------
    74 GB \\.\PhysicalDrive0 Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


    Done!
     
  2. 2010/12/18
    whopper (Inactive Thread Starter)
    I'm sorry, but this is too much trouble. I can't post the GMER log. I will just reinstall. Thanks for your help in the past.
     
  4. 2010/12/18
    broni (Moderator, Malware Analyst)
    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ================================================================

    If you tried the above and still have a problem, skip GMER for now.
     
  5. 2010/12/18
    whopper (Inactive Thread Starter)
    The text that you have entered is too long (1541354 characters). Please shorten it to 55000 characters long.
    The GMER file is too big to post; it runs OK.

    Attach log following:


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-12-12.02)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 8/10/2553 15:50:30
    System Uptime: 17/12/2553 12:11:14 (3 hours ago)

    Motherboard: Gigabyte Technology Co., Ltd. | | GA-8S661FXM-775
    Processor: Intel(R) Pentium(R) 4 CPU 3.06GHz | Socket 775 | 3067/133mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 34 GiB total, 26.262 GiB free.
    D: is FIXED (NTFS) - 39 GiB total, 30.203 GiB free.
    E: is CDROM ()
    F: is Removable
    G: is Removable
    H: is Removable
    I: is Removable
    J: is CDROM ()
    K: is Removable

    ==== Disabled Device Manager Items =============

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: SiS 900 PCI Fast Ethernet Adapter
    Device ID: PCI\VEN_1039&DEV_0900&SUBSYS_E0001458&REV_90\3&61AAA01&0&20
    Manufacturer: SiS
    Name: SiS 900 PCI Fast Ethernet Adapter
    PNP Device ID: PCI\VEN_1039&DEV_0900&SUBSYS_E0001458&REV_90\3&61AAA01&0&20
    Service: SISNIC

    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: PCI Simple Communications Controller
    Device ID: PCI\VEN_11C1&DEV_0620&SUBSYS_062011C1&REV_00\3&61AAA01&0&58
    Manufacturer:
    Name: PCI Simple Communications Controller
    PNP Device ID: PCI\VEN_11C1&DEV_0620&SUBSYS_062011C1&REV_00\3&61AAA01&0&58
    Service:

    ==== System Restore Points ===================

    No restore point in system.

    ==== Installed Programs ======================

    µTorrent
    Adobe Acrobat Reader 3.0
    Advanced SystemCare 3
    ESET NOD32 Antivirus
    Global Operations
    Grand Theft Auto Vice City
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB954708)
    Hotfix for Windows XP (KB961118)
    Junk Mail filter update
    Malwarebytes' Anti-Malware
    Managed DirectX (0901)
    Maxthon Browser (remove only)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Application Error Reporting
    Microsoft Choice Guard
    Microsoft Search Enhancement Pack
    Microsoft Silverlight
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Sync Framework Runtime Native v1.0 (x86)
    Microsoft Sync Framework Services Native v1.0 (x86)
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    MSVCRT
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    Need for Speed Underground 2
    PlayNCLauncher
    PointBlank
    PowerISO
    Realtek AC'97 Audio
    Seal Online Plus v.54
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB2416400)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    Segoe UI
    Skype™ 5.0
    Software Update for Web Folders
    TalesRunner 1.777_20100810
    Talesrunner Launcher 1.0
    TP-LINK Client Installation Program
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 8 (KB2362765)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB961503)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    WebFldrs XP
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 8
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Family Safety
    Windows Live Mail
    Windows Live Messenger
    Windows Live Photo Gallery
    Windows Live Sign-in Assistant
    Windows Live Sync
    Windows Live Toolbar
    Windows Live Upload Tool
    Windows Live Writer
    Windows XP Service Pack 3
    WinRAR archiver
    Your Uninstaller! 2010

    ==== Event Viewer Messages From Past Week ========

    16/12/2553 17:05:54, error: Service Control Manager [7034] - The TP-LINK Configuration Service service terminated unexpectedly. It has done this 1 time(s).
    16/12/2553 17:05:54, error: Service Control Manager [7034] - The SeaPort service terminated unexpectedly. It has done this 1 time(s).
    15/12/2553 18:15:44, error: Service Control Manager [7034] - The Google Update Service service terminated unexpectedly. It has done this 1 time(s).
    11/12/2553 12:36:49, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the ShellHWDetection service.
    10/12/2553 16:34:41, error: Dhcp [1002] - The IP address lease 192.168.1.4 for the Network Card with network address 0019E06DF2F0 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
    10/12/2553 14:20:57, error: Dhcp [1002] - The IP address lease 192.168.1.2 for the Network Card with network address 0019E06DF2F0 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
    10/12/2553 12:20:51, error: Dhcp [1002] - The IP address lease 192.168.1.3 for the Network Card with network address 0019E06DF2F0 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
    10/12/2553 12:07:51, error: Service Control Manager [7028] - The hcmrfa Registry key denied access to SYSTEM account programs so the Service Control Manager took ownership of the Registry key.

    ==== End Of File ===========================

    DDS log following:


    DDS (Ver_10-12-12.02) - NTFSx86
    Run by jamesZeRo at 15:49:16.21 on Fri 12/17/2010
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Professional 5.1.2600.3.874.66.1033.18.511.245 [GMT 7:00]

    AV: ESET NOD32 Antivirus 4.2 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\acs.exe
    C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\WINDOWS\Explorer.exe
    C:\Program Files\Unlocker\UnlockerAssistant.exe
    C:\Program Files\TP-LINK\TWCU\TWCU.exe
    C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
    C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\Windows Live\Contacts\wlcomm.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Maxthon\Maxthon.exe
    C:\Documents and Settings\jamesZeRo\Local Settings\Temporary Internet Files\Content.IE5\7OTTBS7D\dds[1].scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://easynetseek.com
    mWinlogon: Shell=Explorer.exe rundll32.exe cajhwh
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
    TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
    uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
    uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [UnlockerAssistant] c:\program files\unlocker\UnlockerAssistant.exe -H
    mRun: [TWCU] "c:\program files\tp-link\twcu\TWCU.exe" -nogui
    mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1286532665281
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1286532622609
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, myxkbbyh.dll

    ============= SERVICES / DRIVERS ===============

    R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2010-4-7 114984]
    R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2010-4-7 95872]
    R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2010-4-7 810120]
    R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2010-10-11 54752]
    R3 apf001;apf001;d:\my documents\downloads\seal\seal online plus\apf001.sys [2010-8-26 10872]
    S1 synsend;synsend;\??\c:\windows\system32\drivers\synsenddrv.sys --> c:\windows\system32\drivers\synsenddrv.sys [?]
    S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
    S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
    S3 Tseal;Tseal;c:\windows\system32\sealt.sys [2010-10-9 70264]
    SUnknown hcmrfa;hcmrfa; [x]

    =============== Created Last 30 ================

    2010-12-16 10:15:13 -------- d-----w- c:\docume~1\jamesz~1\applic~1\Malwarebytes
    2010-12-16 10:15:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-16 10:15:06 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2010-12-16 10:15:01 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-12-16 10:15:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-12-16 01:34:51 81920 -c----w- c:\windows\system32\dllcache\isign32.dll
    2010-12-16 01:34:08 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
    2010-12-16 01:33:52 45568 -c----w- c:\windows\system32\dllcache\wab.exe
    2010-12-09 08:21:19 -------- d-sh--r- C:\cmdcons
    2010-12-09 08:21:17 -------- d-----w- c:\windows\setup.pss
    2010-12-09 08:20:51 -------- d-----w- c:\windows\setupupd
    2010-12-05 07:27:15 -------- d-----w- C:\Acrobat3
    2010-12-05 07:27:04 298496 ----a-w- c:\windows\uninst.exe
    2010-12-05 07:26:30 306688 ----a-w- c:\windows\IsUninst.exe
    2010-12-05 07:25:44 -------- d-----w- c:\documents and settings\jameszero\WINDOWS
    2010-12-01 12:52:22 -------- d-----w- c:\docume~1\alluse~1\applic~1\PopCap Games
    2010-11-25 11:01:18 12920 ----a-w- c:\windows\system32\apl001.sys
    2010-11-25 11:01:17 10872 ----a-w- c:\windows\system32\apf001.sys
    2010-11-24 04:23:00 -------- d-----w- c:\program files\Managed DirectX (0901)
    2010-11-23 12:29:18 696320 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\iKernel.dll
    2010-11-23 12:29:18 57344 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\ctor.dll
    2010-11-23 12:29:18 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\DotNetInstaller.exe
    2010-11-23 12:29:18 237568 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\iscript.dll
    2010-11-23 12:29:18 155648 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\iuser.dll
    2010-11-23 12:29:13 282756 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\setup.dll
    2010-11-23 12:29:13 163972 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\iGdi.dll
    2010-11-20 12:47:07 -------- d-----w- c:\program files\winMd5Sum

    ==================== Find3M ====================

    2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
    2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-11-06 00:26:58 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec
    2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-10-28 11:11:03 684031 ----a-w- c:\windows\unins000.exe
    2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys
    2010-10-09 05:10:58 70264 ----a-w- c:\windows\system32\sealt.sys

    ============= FINISH: 15:50:12.79 ===============

    Thanks for your help.
     
  6. 2010/12/18
    broni (Moderator, Malware Analyst)
    Split it between 3 replies.
     
  7. 2010/12/18
    whopper (Inactive Thread Starter)
    Hi Broni,

    The GMER text is 1,541,254 characters long. Each post limits me to 55,000. It would take me about 14 posts to finish it. Is there another way?

    Thanks for your help.
     
  8. 2010/12/19
    broni (Moderator, Malware Analyst)
  9. 2010/12/20
    whopper (Inactive Thread Starter)
  10. 2010/12/20
    broni Moderator Malware Analyst
    Let me paste GMER's crucial part....

    ---- Services - GMER 1.0.15 ----

    Service C:\WINDOWS\TEMP\mkkmhr.sys (*** hidden *** ) [AUTO] hcmrfa <-- ROOTKIT !!!

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\Services\hcmrfa
    Reg HKLM\SYSTEM\CurrentControlSet\Services\hcmrfa@ImagePath \??\C:\WINDOWS\TEMP\mkkmhr.sys
    Reg HKLM\SYSTEM\CurrentControlSet\Services\hcmrfa@DisplayName hcmrfa
    Reg HKLM\SYSTEM\CurrentControlSet\Services\hcmrfa@Type 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\hcmrfa@Start 2
    Reg HKLM\SYSTEM\CurrentControlSet\Services\hcmrfa@ErrorControl 0
    Reg HKLM\SYSTEM\CurrentControlSet\Services\hcmrfa@RulesData 0x03 0x00 0x00 0x00 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\hcmrfa@krnl_sleepfreq 0x84 0x03 0x00 0x00
    Reg HKLM\SYSTEM\CurrentControlSet\Services\hcmrfa@krnl_servers_list 0x68 0x74 0x74 0x70 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xBE 0xFE 0xF4 0x5C ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x0C 0x87 0x7D 0x9A ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x07 0x34 0x51 0x0D ...
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xBE 0xFE 0xF4 0x5C ...
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x0C 0x87 0x7D 0x9A ...
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x07 0x34 0x51 0x0D ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo® video 5.10 Compression Filter
    Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo® video 5.10 Compression Filter@FriendlyName Indeo? video 5.10 Compression Filter
    Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo® video 5.10 Compression Filter@CLSID {1F73E9B1-8C3A-11D0-A3BE-00A0C9244436}
    Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo® video 5.10 Compression Filter@FilterData 0x02 0x00 0x00 0x00 ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo® video 5.10 Compression Filter@EncoderType 1
    Reg HKCU\Software\Microsoft\Windows Live\Communications Clients\Shared\1549354084\Groups@@\16\36\0167\16H\16-\16\31\16#\16H\16'\16!\16\a\0162\16\31\16 1

    ---- Files - GMER 1.0.15 ----

    File C:\WINDOWS\system32\drivers\str.sys 33354 bytes
    File C:\WINDOWS\Temp\mkkmhr.sys 48640 bytes executable <-- ROOTKIT !!!

    ---- EOF - GMER 1.0.15 ----
     
  11. 2010/12/20
    broni Moderator Malware Analyst
    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouse-click combofix's window while it's running. That may cause it to stall.
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them, resulting in the tool not working correctly, which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you uninstall AVG first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer to fix the issue.



    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.pif
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  12. 2010/12/21
    whopper Inactive Thread Starter
    The computer is working well, only a couple of glitches now and then. ESET NOD still indicates the win32 rustock trojan... thanks

    ComboFix log following

    ComboFix 10-12-20.02 - jamesZeRo 12/21/2010 15:09:15.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.874.66.1033.18.511.180 [GMT 7:00]
    Running from: c:\documents and settings\jamesZeRo\Desktop\ComboFix.exe
    AV: ESET NOD32 Antivirus 4.2 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\drivers\str.sys
    c:\windows\TEMP\mkkmhr.sys

    c:\windows\system32\calc.exe . . . is infected!!

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_GOOGLEUPDATEBETA
    -------\Legacy_HCMRFA
    -------\Legacy_SYNSEND
    -------\Service_hcmrfa
    -------\Service_synsend


    ((((((((((((((((((((((((( Files Created from 2010-11-21 to 2010-12-21 )))))))))))))))))))))))))))))))
    .

    2010-12-16 10:15 . 2010-12-16 10:15 -------- d-----w- c:\documents and settings\jamesZeRo\Application Data\Malwarebytes
    2010-12-16 10:15 . 2010-12-16 10:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-12-16 10:15 . 2010-11-29 10:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-16 10:15 . 2010-12-16 10:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-12-16 10:15 . 2010-11-29 10:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-12-16 01:34 . 2010-11-18 18:12 81920 -c----w- c:\windows\system32\dllcache\isign32.dll
    2010-12-16 01:34 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
    2010-12-16 01:33 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe
    2010-12-05 07:27 . 2010-12-05 07:27 -------- d-----w- C:\Acrobat3
    2010-12-05 07:27 . 1996-10-21 08:36 298496 ----a-w- c:\windows\uninst.exe
    2010-12-05 07:26 . 1998-10-29 09:45 306688 ----a-w- c:\windows\IsUninst.exe
    2010-12-05 07:25 . 2010-12-05 07:25 -------- d-----w- c:\documents and settings\jamesZeRo\WINDOWS
    2010-12-03 12:37 . 2010-12-03 12:37 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
    2010-12-01 12:52 . 2010-12-01 12:52 -------- d-----w- c:\documents and settings\All Users\Application Data\PopCap Games
    2010-11-25 11:01 . 2010-12-10 07:04 12920 ----a-w- c:\windows\system32\apl001.sys
    2010-11-25 11:01 . 2010-12-10 07:04 10872 ----a-w- c:\windows\system32\apf001.sys
    2010-11-24 04:23 . 2010-11-24 04:23 -------- d-----w- c:\program files\Managed DirectX (0901)
    2010-11-23 12:29 . 2003-02-27 09:12 696320 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iKernel.dll
    2010-11-23 12:29 . 2002-12-05 07:10 155648 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iuser.dll
    2010-11-23 12:29 . 2002-12-02 08:22 5632 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\DotNetInstaller.exe
    2010-11-23 12:29 . 2002-12-02 06:33 57344 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\ctor.dll
    2010-11-23 12:29 . 2002-12-02 06:33 237568 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iscript.dll
    2010-11-23 12:29 . 2010-11-23 12:29 282756 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\setup.dll
    2010-11-23 12:29 . 2010-11-23 12:29 163972 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iGdi.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-11-18 18:12 . 2010-10-08 08:44 81920 ----a-w- c:\windows\system32\isign32.dll
    2010-11-15 07:14 . 2010-11-15 07:14 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
    2010-11-06 00:26 . 2002-12-31 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-11-06 00:26 . 2002-12-31 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-11-06 00:26 . 2002-12-31 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2010-11-03 12:25 . 2002-12-31 12:00 385024 ----a-w- c:\windows\system32\html.iec
    2010-11-02 15:17 . 2002-12-31 12:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
    2010-10-28 13:13 . 2002-12-31 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-10-28 11:11 . 2010-10-09 04:40 684031 ----a-w- c:\windows\unins000.exe
    2010-10-26 13:25 . 2002-12-31 12:00 1853312 ----a-w- c:\windows\system32\win32k.sys
    2010-10-09 05:10 . 2010-10-09 05:10 70264 ----a-w- c:\windows\system32\sealt.sys
    2010-10-08 09:41 . 2010-10-08 09:41 21275 ----a-w- c:\windows\system32\drivers\AegisP.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MsnMsgr "= "c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
    "Skype "= "c:\program files\Skype\Phone\Skype.exe" [2010-10-11 14940040]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "UnlockerAssistant "= "c:\program files\Unlocker\UnlockerAssistant.exe" [2006-09-07 15872]
    "TWCU "= "c:\program files\TP-LINK\TWCU\TWCU.exe" [2006-03-29 364544]
    "egui "= "c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2010-04-07 2145000]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE "= "c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, myxkbbyh.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Program Files\\uTorrent\\uTorrent.exe "=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe "=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe "=
    "d:\\My Documents\\Downloads\\New Folder\\TalesRunner\\trgame.exe "=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe "=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe "=
    "d:\\My Documents\\Downloads\\PB\\PointBlank\\PointBlank.exe "=
    "c:\\Program Files\\EA GAMES\\Need for Speed Underground 2\\speed2.exe "=

    R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [15/11/2553 14:14 691696]
    R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [7/4/2553 21:08 114984]
    R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [7/4/2553 21:09 95872]
    R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [7/4/2553 21:08 810120]
    S3 apf001;apf001;d:\my documents\Downloads\SEAL\Seal Online Plus\apf001.sys [26/8/2553 23:12 10872]
    S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
    S3 Tseal;Tseal;c:\windows\system32\sealt.sys [9/10/2553 12:10 70264]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-12-19 c:\windows\Tasks\AWC Update.job
    - c:\program files\IObit\Advanced SystemCare 3\IObitUpdate.exe [2010-11-08 08:24]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://easynetseek.com
    .
    - - - - ORPHANS REMOVED - - - -

    Toolbar-Locked - (no file)



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-12-21 15:16
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    c:\windows\TEMP\NOD11.tmp 79872 bytes

    scan completed successfully
    hidden files: 1

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
    "ImagePath "= "c:\windows\system32\GameMon.des -service "
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(2188)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\acs.exe
    c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    c:\program files\Skype\Plugin Manager\skypePM.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2010-12-21 15:19:49 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-12-21 08:19

    Pre-Run: 27,997,597,696 bytes free
    Post-Run: 27,968,450,560 bytes free

    - - End Of File - - DD85A93579395137A73F61BB856019D2
     
  13. 2010/12/21
    broni Moderator Malware Analyst
    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    64-bit users go HERE
    • Double-click SystemLook.exe to run it.
    • Vista users: Right-click on SystemLook.exe, click Run As Administrator
    • Copy the content of the following box into the main textfield:
      Code:
      :filefind
      calc.exe
      :reg
      HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
     
  14. 2010/12/22
    whopper Inactive Thread Starter
    I couldn't run it. It says "script required" in an error box.

    thanks
     
  15. 2010/12/22
    broni Moderator Malware Analyst
    Did you copy/paste my script?
     
  16. 2010/12/23
    whopper Inactive Thread Starter
    Duh! Sorry, brain fart.

    SystemLook 04.09.10 by jpshortstuff
    Log created at 17:05 on 23/12/2010 by jamesZeRo
    Administrator - Elevation successful

    ========== filefind ==========

    Searching for "calc.exe "
    C:\WINDOWS\system32\calc.exe --a---- 946448 bytes [08:43 08/10/2010] [12:00 31/12/2002] 006728285A531498449FCB9B4AC8814E

    ========== reg ==========

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders "= "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, myxkbbyh.dll "

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SaslProfiles]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\SCHANNEL]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders\WDigest]


    -= EOF =-
     
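As an added defender-side triage example (not from the thread, and not part of SystemLook, GMER or ComboFix), the two log fragments above can be checked automatically: the SystemLook `:reg` output lists a DLL in `SecurityProviders` that is not among the Windows XP defaults, and the GMER services section earlier in the thread flagged a service that is hidden and loads its driver from the TEMP folder. The sample log text is constructed to mirror those formats, and the XP default provider list is an assumption that should be confirmed against a known-clean machine.

```python
import re

# Assumed default SecurityProviders value for Windows XP SP3.
# Confirm against a known-clean machine before treating it as a baseline.
XP_DEFAULT_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}

# Constructed sample mirroring the SystemLook ":reg" output format.
SYSTEMLOOK_SAMPLE = """
========== reg ==========

[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, myxkbbyh.dll"

[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\securityproviders\\SCHANNEL]
"""

# Constructed sample mirroring the GMER "Services" section format.
GMER_SAMPLE = """
---- Services - GMER 1.0.15 ----

Service C:\\WINDOWS\\TEMP\\mkkmhr.sys (*** hidden *** ) [AUTO] hcmrfa
Service C:\\WINDOWS\\system32\\drivers\\ehdrv.sys [SYSTEM] ehdrv
"""

# Tolerates the stray spaces that forum extraction adds around the quotes.
PROVIDERS_RE = re.compile(r'"SecurityProviders\s*"\s*=\s*"([^"]*)"', re.IGNORECASE)

# Service <image path> [(*** hidden *** )] [<start type>] <service name>
SERVICE_RE = re.compile(
    r"^Service\s+(.+?)\s+(?:(\(\*\*\* hidden \*\*\* \))\s+)?\[(\w+)\]\s+(\S+)\s*$",
    re.MULTILINE,
)


def unexpected_security_providers(log_text, baseline=XP_DEFAULT_PROVIDERS):
    """Return the DLLs listed in SecurityProviders that are not in the baseline.

    Every DLL named here is loaded into LSASS at boot, so an unknown entry is a
    persistence location worth explaining before the machine is declared clean.
    """
    match = PROVIDERS_RE.search(log_text)
    if not match:
        return []
    listed = [p.strip().lower() for p in match.group(1).split(",") if p.strip()]
    return [p for p in listed if p not in baseline]


def suspicious_services(gmer_text):
    """Return (name, image path, reasons) for GMER service entries worth a look.

    Flags services GMER marks as hidden from the service control manager and
    services whose driver image lives under a temp directory.
    """
    findings = []
    for match in SERVICE_RE.finditer(gmer_text):
        path, hidden, _start_type, name = match.groups()
        reasons = []
        if hidden:
            reasons.append("hidden from the service control manager")
        if "\\temp\\" in path.lower():
            reasons.append("driver image lives in a temp directory")
        if reasons:
            findings.append((name, path, reasons))
    return findings


if __name__ == "__main__":
    print("Non-default security providers:", unexpected_security_providers(SYSTEMLOOK_SAMPLE))
    for name, path, reasons in suspicious_services(GMER_SAMPLE):
        print(f"Service {name} -> {path}: {'; '.join(reasons)}")
```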
  17. 2010/12/23
    broni Moderator Malware Analyst
    We have this issue:
    and you don't have any healthy replacement on your computer.

    Do you have Windows XP CD?
     
  18. 2010/12/23
    whopper Inactive Thread Starter
    Yes I do.

    Whatever is easiest. This is my son's computer and he uses it for games and chatting. There is nothing of value on it. So a complete XP re-installation is no problem; in fact, I am getting pretty good at it. I would assume that a complete XP re-installation would solve the problem. Like I said, it seems to work fine except for the odd glitch. I am not sure what this trojan does or if it is something really serious. But like I said, the computer is basically bare, so whatever is easiest to solve the problem. Thanks for your help.
     
  19. 2010/12/23
    broni Moderator Malware Analyst
    If you have the Windows CD, it should be a pretty easy fix.
    In Windows CD, navigate to i386 folder, find calc.ex_ file, copy it to your desktop and unzip it with any unzipping program.
    It'll become calc.exe.

    Now, navigate to c:\windows\system32 folder and rename calc.exe to calc.old.
    Now copy your fresh calc.exe file to c:\windows\system32 folder.

    You may need to do it in Safe Mode.

    When done, post fresh Combofix log.
     
  20. 2010/12/24
    whopper Inactive Thread Starter
    I looked in the system32 folder and only found the calculator file, named calc. Is that the one?

    I unzipped the calc.ex file and it looked like total gibberish, Thai language and numbers and every other BS under the sun. Is that normal?
     
  21. 2010/12/24
    broni Moderator Malware Analyst
    Yes, but Combofix says the file is infected, so we have to replace it.

    There is no reason to open that file.

    All you need to do is to follow instructions from my previous reply.
     