Small problem

Discussion in 'Malware Help (A Specialist Will Reply)' started by santa_kerlaus, Feb 5, 2010.

  1. santa_kerlaus

    santa_kerlaus Private E-2

    I recently found I couldn't connect to the sites microsoft.com for updates
    or kaspersky.com or other such sites, so I came to this site and did what
    was said, and I think the problem has been fixed by MBAM:



    Files Infected:
    C:\WINDOWS\system32\H8SRTlktxocogmj.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\vmoyadf.dll*seebelow* (Worm.Autorun) -> Delete on reboot.
    C:\Documents and Settings\All Users\Application Data\sysReserve.ini (Malware.Trace) -> Quarantined and deleted
    successfully.
    C:\WINDOWS\system32\H8SRTrdqpsbiyou.dat (Rootkit.TDSS) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.




    *** So I think it was just a small problem but I'm not sure if it's been totally removed because when I completed the combofix step - the vmoyadf.dll file was still there --> (see at the bottom of this list)

    So I'm just wondering what to do next - is it all finally done, or are there still some problems to fix?



    Also, hats off to whoever wrote the malware removal instructions. :cool
    I printed them off and it's all complete step by step for dummies like me :-o





    ((((((((((((((((((((((((( Files Created from 2010-01-05 to 2010-02-05 )))))))))))))))))))))))))))))))
    .

    2010-02-04 11:10 . 2009-12-30 03:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-02-04 11:10 . 2010-02-04 12:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-02-04 11:10 . 2009-12-30 03:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-02-02 04:23 . 2010-02-02 05:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-02-02 04:23 . 2010-02-02 04:24 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-02-01 06:17 . 2010-02-01 06:17 -------- d-----w- c:\windows\system32\MpEngineStore
    2010-01-24 11:49 . 2010-01-24 11:49 -------- d-----w- c:\documents and settings\All Users\Application Data\nView_Profiles

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-12-29 23:53 . 2009-01-21 01:27 -------- d--h--w- c:\program files\InstallShield Installation Information
    2009-12-29 23:51 . 2009-12-29 23:51 -------- d-----w- c:\program files\NVIDIA Corporation
    2009-12-29 12:26 . 2009-01-21 00:20 15600 ----a-w- c:\windows\gdrv.sys
    2009-12-25 20:24 . 2009-01-21 03:21 -------- d-----w- c:\program files\Google
    2009-12-21 19:14 . 2006-02-28 12:00 916480 ------w- c:\windows\system32\wininet.dll
    2009-12-13 13:10 . 2009-07-03 16:40 -------- d-----w- c:\program files\DivX
    2009-12-13 13:10 . 2009-07-03 16:40 -------- d-----w- c:\program files\Common Files\DivX Shared
    2009-12-11 18:00 . 2009-12-28 07:20 85504 ----a-w- c:\windows\system32\ff_vfw.dll
    2009-12-07 06:41 . 2009-03-08 09:36 -------- d-----w- c:\documents and settings\Owner\Application Data\U3
    2009-11-21 16:36 . 2006-02-28 12:00 470528 ----a-w- c:\windows\AppPatch\aclayers.dll
    2009-11-14 00:49 . 2009-12-13 13:10 9464 ------w- c:\windows\system32\drivers\cdralw2k.sys
    2009-11-14 00:49 . 2009-12-13 13:10 9336 ------w- c:\windows\system32\drivers\cdr4_xp.sys
    2009-11-14 00:49 . 2009-12-13 13:10 43528 ------w- c:\windows\system32\drivers\PxHelp20.sys
    2009-11-14 00:49 . 2009-12-13 13:10 129784 ------w- c:\windows\system32\pxafs.dll
    2009-11-14 00:49 . 2009-12-13 13:10 120056 ------w- c:\windows\system32\pxcpyi64.exe
    2009-11-14 00:49 . 2009-12-13 13:10 118520 ------w- c:\windows\system32\pxinsi64.exe
    2009-11-14 00:47 . 2009-11-14 00:47 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
    2009-11-14 00:47 . 2009-11-14 00:47 856064 ----a-w- c:\windows\system32\divx_xx07.dll
    2009-11-14 00:47 . 2009-11-14 00:47 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
    2009-11-14 00:47 . 2009-11-14 00:47 843776 ----a-w- c:\windows\system32\divx_xx16.dll
    2009-11-14 00:47 . 2009-11-14 00:47 839680 ----a-w- c:\windows\system32\divx_xx11.dll
    2009-11-14 00:47 . 2009-11-14 00:47 696320 ----a-w- c:\windows\system32\DivX.dll
    .


    ------- Sigcheck -------

    [7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
    [7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
    [7] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\system32\dllcache\tcpip.sys
    [-] 2008-06-20 . 01D5EAAFF224415A7FF513E4C882BE30 . 360320 . . [5.1.2600.3394] . . c:\windows\system32\drivers\tcpip.sys
    [7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
    [-] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\tcpip.sys
    [-] 2006-02-28 . 3BB4B08619C111C7BE8BDA07AA0DE6A2 . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
    [7] 2004-08-03 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\ServicePackFiles\i386\tcpip.sys

    [-] 2008-04-14 . 574738F61FCA2935F5265DC4E5691314 . 409088 . . [6.7.2600.5512] . . c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\qmgr.dll
    [-] 2007-03-29 . CC431E6DEAAD867A583EE5E804EE4CF2 . 409600 . . [6.7.2600.3109] . . c:\windows\system32\qmgr.dll
    [-] 2007-03-29 . CC431E6DEAAD867A583EE5E804EE4CF2 . 409600 . . [6.7.2600.3109] . . c:\windows\system32\bits\qmgr.dll
    [-] 2007-03-29 . CC431E6DEAAD867A583EE5E804EE4CF2 . 409600 . . [6.7.2600.3109] . . c:\windows\system32\dllcache\qmgr.dll
    [-] 2007-03-29 . 65E23953D337574E549B1EF34FE0B1DA . 409600 . . [6.7.2600.3109] . . c:\windows\$hf_mig$\KB923845\SP2QFE\qmgr.dll
    [7] 2006-02-28 . 2C69EC7E5A311334D10DD95F338FCCEA . 382464 . . [6.6.2600.2180] . . c:\windows\$NtUninstallKB923845$\qmgr.dll
    [7] 2004-08-03 . 2C69EC7E5A311334D10DD95F338FCCEA . 382464 . . [6.6.2600.2180] . . c:\windows\ServicePackFiles\i386\qmgr.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-08 68856]
    "TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-04-08 251240]
    "PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2009-06-25 1414144]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SkyTel"="SkyTel.EXE" [2007-06-15 1826816]
    "RTHDCPL"="RTHDCPL.EXE" [2007-07-05 16380416]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-31 7634944]
    "nwiz"="nwiz.exe" [2006-10-31 1622016]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-31 86016]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Canon PC1200 iC D600 iR1200G Status Window.LNK - c:\windows\system32\spool\drivers\w32x86\3\CAPM1LAK.EXE [2009-2-6 30208]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "6134:TCP"= 6134:TCP:kzjfcmd

    R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [4/8/2009 9:38 PM 92008]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/13/2009 1:08 PM 133104]
    S2 nmktrwzv;Driver Shell;c:\windows\system32\svchost.exe -k netsvcs [2/28/2006 11:00 PM 14336]
    S2 RHDISK;RHDISK;\??\g:\_rohos\RHDISK.SYS --> g:\_rohos\RHDISK.SYS [?]
    S2 tlujza;Server Monitor;c:\windows\system32\svchost.exe -k netsvcs [2/28/2006 11:00 PM 14336]
    S3 rootrepeal2;rootrepeal2;\??\c:\windows\system32\drivers\rootrepeal2.sys --> c:\windows\system32\drivers\rootrepeal2.sys [?]

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    tlujza
    .
    Contents of the 'Scheduled Tasks' folder

    2010-02-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-07-13 02:07]

    2010-02-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-07-13 02:07]
    .
    .
    ------- Supplementary Scan -------
    .
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uStart Page = hxxp://www.google.com.au/
    uInternet Connection Wizard,ShellNext = iexplore
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-02-05 16:49
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\nmktrwzv]
    "ServiceDll"="c:\windows\system32\vmoyadf.dll"
    --

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\tlujza]
    "ServiceDll"="c:\windows\system32\vmoyadf.dll"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(472)
    c:\windows\system32\ACTIVEDS.dll

    - - - - - - - > 'explorer.exe'(2136)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    .
    Completion time: 2010-02-05 16:51:48
    ComboFix-quarantined-files.txt 2010-02-05 05:51
    ComboFix2.txt 2010-02-05 05:35
     
  2. santa_kerlaus

    santa_kerlaus Private E-2

    small possible malware prob

    sorry if this is my SECOND POST :p I posted about an hour ago
    but I couldn't find it :confused

    Ok, I tried to do the readme steps (because I couldn't access microsoft.com for updates) and MBAM fixed it, but the same file showed up once I finished using ComboFix, and it was still there after a second scan. And I can't go to the next step because RootRepeal froze while initializing and I waited 15 min!


    Here is the MBAM log:
    C:\WINDOWS\system32\H8SRTlktxocogmj.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\vmoyadf.dll*** (Worm.Autorun) -> Delete on reboot.
    C:\Documents and Settings\All Users\Application Data\sysReserve.ini (Malware.Trace) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\H8SRTrdqpsbiyou.dat (Rootkit.TDSS) -> Quarantined and deleted successfully.


    Here are the Combofix excerpts:
    *** is this normal?
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "6134:TCP"= 6134:TCP:kzjfcmd
    ***The following is the same file found by mbam
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\nmktrwzv]
    "ServiceDll"="c:\windows\system32\vmoyadf.dll"
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\tlujza]
    "ServiceDll"="c:\windows\system32\vmoyadf.dll"
    --------------------- DLLs Loaded Under

    thanks for any help guys,
    aaron kerlaus
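As an added example (not part of the thread, and not code from ComboFix, MBAM or any other tool mentioned in it): a small triage script that reads the kind of ComboFix excerpts quoted above and answers the "is this normal?" question from a defender's side. It flags svchost-hosted services whose ServiceDll is not on an allow list or is shared by several differently named services, and it lists every globally open firewall port for review. The sample lines are constructed from the excerpts in the post, the line formats are inferred from them, and the allow list is a constructed, deliberately short stand-in for a real one.

```python
import re
from collections import Counter

# Constructed sample: the service, firewall-exception and ServiceDll lines
# quoted in the post above, plus one ordinary service for contrast.
# This is not a real ComboFix log file.
SAMPLE_LOG = r'''
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/13/2009 1:08 PM 133104]
S2 nmktrwzv;Driver Shell;c:\windows\system32\svchost.exe -k netsvcs [2/28/2006 11:00 PM 14336]
S2 tlujza;Server Monitor;c:\windows\system32\svchost.exe -k netsvcs [2/28/2006 11:00 PM 14336]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6134:TCP"= 6134:TCP:kzjfcmd
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\nmktrwzv]
"ServiceDll"="c:\windows\system32\vmoyadf.dll"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\tlujza]
"ServiceDll"="c:\windows\system32\vmoyadf.dll"
'''

# Line shapes inferred from the excerpts in the thread (assumption: ComboFix
# uses the same formats elsewhere in its log).
SERVICE_RE = re.compile(r'^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s+\[')
KEY_RE = re.compile(r'^\[(.+)\]$')
SERVICEDLL_RE = re.compile(r'^"ServiceDll"="(.+)"$')
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(.*)$')

# Constructed, deliberately short allow list of DLL file names that normally
# back svchost-hosted services; a real triage list would be far longer.
KNOWN_SVCHOST_DLLS = {"wuauserv.dll", "browser.dll", "wkssvc.dll", "srvsvc.dll"}


def parse_log(text):
    """Collect services, per-service ServiceDll values and firewall exceptions."""
    services, service_dlls, open_ports = {}, {}, []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SERVICE_RE.match(line)
        if m:
            state, name, display, image = m.groups()
            services[name.lower()] = {"state": state, "display": display, "image": image}
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)   # registry key for the value lines that follow
            continue
        m = SERVICEDLL_RE.match(line)
        if m and current_key:
            # the last path component of ...\Services\<name> is the service name
            service_name = current_key.rsplit("\\", 1)[-1].lower()
            service_dlls[service_name] = m.group(1).lower()
            continue
        m = PORT_RE.match(line)
        if m and current_key and current_key.lower().endswith("globallyopenports\\list"):
            open_ports.append({"port": int(m.group(1)), "proto": m.group(2), "name": m.group(3)})
    return services, service_dlls, open_ports


def analyze(text):
    """Flag svchost-hosted services with unfamiliar or shared ServiceDlls and
    list every globally open firewall port for manual review."""
    services, service_dlls, open_ports = parse_log(text)
    dll_owners = Counter(service_dlls.values())   # how many services share each DLL
    findings = []
    for name, svc in services.items():
        if "svchost.exe" not in svc["image"].lower():
            continue   # only services that run inside svchost load a ServiceDll
        dll = service_dlls.get(name)
        reasons = []
        if dll is None:
            reasons.append("svchost-hosted service with no ServiceDll recorded")
        else:
            base = dll.rsplit("\\", 1)[-1]
            if base not in KNOWN_SVCHOST_DLLS:
                reasons.append(f"ServiceDll {base} is not on the allow list")
            if dll_owners[dll] > 1:
                reasons.append(f"ServiceDll {base} is shared by {dll_owners[dll]} services")
        if reasons:
            findings.append({"service": name, "dll": dll, "reasons": reasons})
    return {"suspicious_services": findings, "open_ports": open_ports}


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_LOG), indent=2))
```

Run on the sample, the script reports both netsvcs-group services (two services with generic display names pointing at one DLL that nothing on the allow list explains) and the single open-port exception, which is exactly the set of lines the poster was unsure about. The open-port entry is listed rather than judged: a firewall exception is only suspicious in context, so a reviewer still has to check what program the rule name belongs to.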
     
  3. santa_kerlaus

    santa_kerlaus Private E-2

    small malware problem

    I made this same post but with the logs in the message, so I guess it's caught
    in the spam filter. So, my mistake; apologies, I didn't read the intro post.

    My problem is, after going through the readme steps for a minor problem of the windows updates site being blocked, I'm now concerned as a file 'deleted on reboot' by MBAM showed up again in combofix.

    logs are attached this time. :-o feel free to shout at me


    thanks for any help,
    A. Kerlaus

    P.S. I can proceed no further as RootRepeal froze on me "initializing".
    Should I be waiting patiently? I reset the computer after about 10 minutes.
     

    Attached Files:

    Last edited: Feb 5, 2010
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Please do not post any more inline logs. Also remain in one thread.

    You need to attach the logs from SUPERAntiSpyware and MGtools as instructed in the cleaning instructions.

    Also attach the full unedited log from Malwarebytes and not a partial log like you pasted in.
     
