
Inactive Infected with BankerFox.A and sgtlrattssd.exe

Discussion in 'Malware and Virus Removal Archive' started by Codecutter, 2010/08/04.

Thread Status:
Not open for further replies.
  1. 2010/08/04
    Codecutter

    Codecutter Inactive Thread Starter

    [Inactive] Infected with BankerFox.A and sgtlrattssd.exe

    One of my computers picked up a virus that disabled the task manager. Virus alerts created and difficult to tell which are genuine and which are false.

    A file was downloaded to my user area called sgtlrattssd.exe which was one of the culprits. This is a very nasty piece of work. It seems to disable many executables.

    In normal mode, MalwareBytes anti-malware wouldn't load and execute and AVG seemed *******. Neither found anything in safe mode. Diagnosed binary name from startup qu in safe mode.

    Removed it, then AVG caught another version.

    Computer now running OK, but IE8 won't connect to the Net and the Windows Diagnostic Tool says HTTP, FTP and HTTPS is not available, but it is. Firefox works and I can FTP. So much for this diagnostic tool, but there are still problems with this PC.

    Any suggestions how to nail down this bugger, much appreciated.

    Using 32 bit Win XP Professional, default settings, service pack 3 with AVG free anti virus.


    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Obi-Wan at 18:56:29.46 on Wed 08/04/2010
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.232 [GMT 10:00]

    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    d:\Program Files\Borland\InterBase\bin\ibguard.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\AVG\AVG9\avgnsx.exe
    d:\Program Files\Borland\InterBase\bin\ibserver.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\Program Files\Microsoft IntelliType Pro\itype.exe
    C:\Program Files\MemoryBoost\MemoryBoost.exe
    C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
    C:\PROGRA~1\AVG\AVG9\avgtray.exe
    C:\WINDOWS\system32\wfxsnt40.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    D:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
    D:\Program Files\Symantec\WinFax\WFXCTL32.EXE
    D:\Program Files\WordWeb\wweb32.exe
    D:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Yoda\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uLocal Page = c:\windows\pchealth\helpctr\system\panels\blank.htm
    uStart Page = about:blank
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    mLocal Page = c:\windows\pchealth\helpctr\system\panels\blank.htm
    uInternet Settings,ProxyOverride = <local>
    uInternet Settings,ProxyServer = http=127.0.0.1:5643
    BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - d:\program files\adobe\adobe acrobat 6.0\acrobat\activex\AcroIEHelper.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - d:\program files\adobe\adobe acrobat 6.0\acrobat\AcroIEFavClient.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - d:\program files\adobe\adobe acrobat 6.0\acrobat\AcroIEFavClient.dll
    TB: Foxit Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - d:\program files\adobe\adobe acrobat 6.0\acrobat\AcroIEFavClient.dll
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    uRun: [Multi Reminders] "d:\program files\multi reminders\reminder.exe" -c
    uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\WCESCOMM.EXE"
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
    mRun: [MemoryBoost] "c:\program files\memoryboost\MemoryBoost.exe"
    mRun: [Acronis*True*Image Monitor] "c:\program files\acronis\trueimage\TrueImageMonitor.exe"
    mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
    mRun: [rfagent] "c:\program files\rfa platinum\rfagent.exe"
    mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
    mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [iTunesHelper] "d:\program files\itunes\iTunesHelper.exe"
    mRun: [WinFaxAppPortStarter] wfxsnt40.exe
    StartupFolder: c:\docume~1\yoda\startm~1\programs\startup\micros~1.lnk - d:\program files\microsoft office\office\FINDFAST.EXE
    StartupFolder: c:\docume~1\yoda\startm~1\programs\startup\office~1.lnk - d:\program files\microsoft office\office\OSA.EXE
    StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\acroba~1.lnk - d:\program files\adobe\adobe acrobat 6.0\distillr\acrotray.exe
    StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
    StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\contro~1.lnk - d:\program files\symantec\winfax\WFXCTL32.EXE
    StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\wordweb.lnk - d:\program files\wordweb\wweb32.exe
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {fb5f1910-f110-11d2-bb9e-00c04f795683} - c:\program files\messenger\msmsgs.exe
    IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\inetrepl.dll
    IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\inetrepl.dll
    Trusted Zone: google.com\www
    DPF: {25365FF3-2746-4230-9DA7-163CCA318309} - hxxp://inst.c-wss.com/n031p/EN/install/gtdownlr.cab
    DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.3.5.cab
    DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9602.cab
    DPF: {8ad9c840-044e-11d1-b3e9-00805f499d93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {cafeefac-0016-0000-0013-abcdeffedcba} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {cafeefac-ffff-ffff-ffff-abcdeffedcba} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
    Handler: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} - c:\program files\microsoft activesync\aatp.dll
    WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\cenetflt.dll
    WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\cenetflt.dll
    WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\cenetflt.dll
    WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\cenetflt.dll
    WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\cenetflt.dll
    WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\cenetflt.dll
    Notify: avgrsstarter - avgrsstx.dll
    Notify: igfxcui - igfxsrvc.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: WinFax PRO IShellExecuteHook: {a213b520-c6c2-11d0-af9d-008029e1027e} - d:\program files\symantec\winfax\WfxSeh32.Dll
    SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,
    Hosts: 91.212.127.226 osguardpro.microsoft.com
    Hosts: 91.212.127.226 os-guardpro.com
    Hosts: 91.212.127.226 www.os-guardpro.com

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\yoda\applic~1\mozilla\firefox\profiles\87m4l46o.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - le:en-US:official
    FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101699&gct=&gc=1&q=
    FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
    FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
    FF - plugin: d:\program files\adobe\adobe acrobat 6.0\acrobat\browser\nppdf32.dll
    FF - plugin: d:\program files\itunes\mozilla plugins\npitunes.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

    ============= SERVICES / DRIVERS ===============

    R0 rramdisk;Ramdisk Driver;c:\windows\system32\drivers\rramdisk.sys [2003-12-9 10368]
    R1 avgldx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-12 216400]
    R1 avgmfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-3-12 29584]
    R1 avgtdix;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-12 243024]
    R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-16 308136]
    S1 c4a4c089;c4a4c089;c:\windows\system32\drivers\c4a4c089.sys [2008-7-25 0]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-28 135664]
    S3 c454166f-7b64-4e21-93fb-1a0f3c6f1854;c454166f-7b64-4e21-93fb-1a0f3c6f1854; [x]

    ============== File Associations ===============

    regfile=regedit.exe "%1" %*
    scrfile= "%1" %*

    =============== Created Last 30 ================

    2010-08-04 08:51:16 0 d-----w- C:\Anti_Virus
    2010-07-18 07:40:01 0 d-----w- c:\program files\common files\Motorola Shared
    2010-07-18 07:36:50 9232 ----a-w- c:\documents and settings\yoda\USB_MOT_BRIT.INF
    2010-07-18 07:36:50 5960 ----a-w- c:\documents and settings\yoda\USB_MOT_A1000.INF
    2010-07-18 07:36:46 7194 ----a-w- c:\documents and settings\yoda\1279438606-oem57.inf
    2010-07-18 07:36:46 5877 ----a-w- c:\documents and settings\yoda\1279438606-oem58.inf
    2010-07-18 07:36:46 5798 ----a-w- c:\documents and settings\yoda\1279438606-oem59.inf
    2010-07-18 07:36:46 14286 ----a-w- c:\documents and settings\yoda\1279438606-oem57.PNF
    2010-07-18 07:36:46 12820 ----a-w- c:\documents and settings\yoda\1279438606-oem58.PNF
    2010-07-18 07:36:46 12466 ----a-w- c:\documents and settings\yoda\1279438606-oem59.PNF
    2010-07-18 00:50:33 0 d-----w- c:\program files\Avanquest update
    2010-07-18 00:49:18 24192 ----a-r- c:\windows\system32\drivers\OLD71.tmp
    2010-07-18 00:49:02 26112 -c--a-w- c:\windows\system32\dllcache\usbser.sys
    2010-07-18 00:49:02 26112 ----a-w- c:\windows\system32\drivers\usbser.sys
    2010-07-18 00:47:17 7201 ----a-w- c:\documents and settings\yoda\USBMOT2000.INF
    2010-07-18 00:47:17 6141 ----a-w- c:\documents and settings\yoda\USBMOT2000XP.INF
    2010-07-18 00:47:17 5880 ----a-w- c:\documents and settings\yoda\USB_CMCS_2000.INF
    2010-07-18 00:47:17 25600 ----a-w- c:\documents and settings\yoda\usbsermptxp.sys
    2010-07-18 00:47:17 24192 ----a-w- c:\windows\system32\drivers\usbsermptxp.sys
    2010-07-18 00:47:17 22768 ----a-w- c:\documents and settings\yoda\usbsermpt.sys
    2010-07-18 00:47:14 70690 ----a-w- c:\documents and settings\yoda\1279414034-oem57.PNF
    2010-07-18 00:47:14 54341 ----a-w- c:\documents and settings\yoda\1279414034-oem57.inf
    2010-07-18 00:45:25 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
    2010-07-15 23:31:19 12536 ----a-w- c:\windows\system32\avgrsstx.dll
    2010-07-14 00:56:17 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
    2010-07-10 08:31:51 7680 ----a-w- c:\windows\system32\CNMVS61.DLL
    2010-07-10 08:31:49 116736 ----a-w- c:\windows\system32\CNMLM61.DLL
    2010-07-09 01:47:58 0 d-----w- c:\docume~1\yoda\applic~1\Foxit Software

    ==================== Find3M ====================

    2010-07-18 07:38:21 9232 ----a-w- c:\documents and settings\yoda\mqdmmdfl.sys
    2010-07-18 07:38:21 92064 ----a-w- c:\documents and settings\yoda\mqdmmdm.sys
    2010-07-18 07:38:21 79328 ----a-w- c:\documents and settings\yoda\mqdmserd.sys
    2010-07-18 07:38:21 66656 ----a-w- c:\documents and settings\yoda\mqdmbus.sys
    2010-07-18 07:38:21 6208 ----a-w- c:\documents and settings\yoda\mqdmcmnt.sys
    2010-07-18 07:38:21 5936 ----a-w- c:\documents and settings\yoda\mqdmwhnt.sys
    2010-07-18 07:38:21 4048 ----a-w- c:\documents and settings\yoda\mqdmcr.sys
    2010-07-15 23:31:25 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2010-07-15 23:29:46 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll
    2007-02-27 00:20:32 560 ----a-w- c:\program files\Global.sw
    2003-07-31 02:57:28 1405 ----a-w- c:\program files\INSTALL.LOG
    2002-07-09 11:28:50 271 --sh--w- c:\program files\desktop.ini
    2002-07-09 11:28:50 21952 ---ha-w- c:\program files\folder.htt
    2000-10-16 03:30:56 217088 ----a-w- c:\program files\SpaceMonger.exe
    2008-04-09 23:11:28 16496 --sha-w- c:\windows\system32\config\systemprofile\application data\microsoft\windows nt\diskquota\NTDiskQuotaSidCache.dat
    2008-09-07 03:49:13 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090720080908\index.dat

    ============= FINISH: 18:57:15.04 ===============
     
    Last edited: 2010/08/04
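The "IE can't connect but Firefox can" symptom in the post lines up with three things visible in the DDS log above: an IE proxy setting that points at a loopback port, Hosts entries that pin a microsoft.com-looking name and two other names to one outside IP, and two driver entries whose backing file is empty or missing. The script below is an added triage example written for this page; it is not DDS output, not the forum's removal procedure, and not code from the original post. The sample lines are copied from the log, the line-format regexes are my reading of the DDS "Pseudo HJT Report" and "Services / Drivers" layout, and the three indicator rules are my own heuristics rather than anything the thread states.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the DDS log posted above.
SAMPLE_LOG = r"""
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5643
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
Hosts: 91.212.127.226 osguardpro.microsoft.com
Hosts: 91.212.127.226 os-guardpro.com
Hosts: 91.212.127.226 www.os-guardpro.com
R1 avgtdix;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-12 243024]
S1 c4a4c089;c4a4c089;c:\windows\system32\drivers\c4a4c089.sys [2008-7-25 0]
S3 c454166f-7b64-4e21-93fb-1a0f3c6f1854;c454166f-7b64-4e21-93fb-1a0f3c6f1854; [x]
"""

# Line shapes as they appear in the DDS sections (assumed from the log, not a DDS spec).
PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(.+)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)$")
DRIVER_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s*\[([^\]]*)\]$")

LOOPBACK = ("127.0.0.1", "localhost", "::1")


def find_loopback_proxy(lines):
    """Return (scheme, host, port) for WinINET proxy entries aimed at the local machine.

    IE (and anything else using the system proxy) sends HTTP through this
    address; if no process is listening there, those clients fail while
    programs with their own proxy configuration keep working.
    """
    hits = []
    for line in lines:
        m = PROXY_RE.match(line.strip())
        if not m:
            continue
        for entry in m.group(1).split(";"):
            scheme, _, addr = entry.partition("=")
            if not addr:                     # bare "host:port" applies to all protocols
                scheme, addr = "all", scheme
            host, _, port = addr.rpartition(":")
            if host in LOOPBACK:
                hits.append((scheme, host, int(port) if port.isdigit() else None))
    return hits


def find_hosts_redirects(lines):
    """Group Hosts entries that map a name to a non-loopback IP, keyed by that IP.

    Loopback/blackhole entries (ad-block lists) are ignored. One outside IP
    answering for several names, one of them imitating a vendor domain, is
    the pattern that deserves a look before anything else.
    """
    by_ip = defaultdict(list)
    for line in lines:
        m = HOSTS_RE.match(line.strip())
        if m and not m.group(1).startswith(("127.", "0.0.0.0", "::1")):
            by_ip[m.group(1)].append(m.group(2))
    return dict(by_ip)


def find_suspect_drivers(lines):
    """Flag driver/service entries whose backing file is missing ([x]) or zero bytes."""
    out = []
    for line in lines:
        m = DRIVER_RE.match(line.strip())
        if not m:
            continue
        _start, name, _desc, path, tail = m.groups()
        if tail == "x":
            out.append((name, path, "file not found"))
        elif int(tail.split()[-1]) == 0:
            out.append((name, path, "zero-byte file"))
    return out


def report(text):
    """Run all three checks over a DDS log and return the findings by rule."""
    lines = text.splitlines()
    return {
        "loopback_proxy": find_loopback_proxy(lines),
        "hosts_redirects": find_hosts_redirects(lines),
        "suspect_drivers": find_suspect_drivers(lines),
    }


if __name__ == "__main__":
    for rule, findings in report(SAMPLE_LOG).items():
        print(rule, findings)
```

Run it against a full pasted DDS log (`report(open("dds.txt").read())`) and the output is a short list of items to review, not a verdict: a loopback proxy is also what a legitimate local filtering proxy looks like, so each hit still needs to be matched against a process that is actually listening on that port.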
  2. 2010/08/04
    Admin.

    Admin. Administrator Administrator Staff

    Hi,

    Read this post as indicated at the top of this forum & follow the instructions.
     
