8 steps followed, please look at logs

Solved
By Corteil
Apr 23, 2010
Topic Status:
Not open for further replies.
  1. Hi,
    had some trouble with my laptop: IE was hijacked and a fake anti-virus program was installed, plus other evil software. Microsoft Security Essentials gives a clean bill of health. I have followed the 8 steps; logs attached.

    Malwarebytes Anti-Malware log

    Malwarebytes' Anti-Malware 1.45
    www.malwarebytes.org

    Database version: 4024

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    23/04/2010 02:56:36
    mbam-log-2010-04-23 (02-56-36).txt

    Scan type: Quick scan
    Objects scanned: 114429
    Time elapsed: 5 minute(s), 2 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 4
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\herjek.config (Malware.Trace) -> Quarantined and deleted successfully.



    GMER log

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-04-23 07:37:34
    Windows 5.1.2600 Service Pack 3
    Running: w6eme5zk.exe; Driver: C:\DOCUME~1\Brian\LOCALS~1\Temp\pfloqpow.sys


    ---- Kernel code sections - GMER 1.0.15 ----

    ? dxdipsrq.sys The system cannot find the file specified. !

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\system32\SearchIndexer.exe[4640] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

    ---- Devices - GMER 1.0.15 ----

    Device \Driver\BTHUSB \Device\000000a4 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
    Device \Driver\BTHUSB \Device\000000a6 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
    Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
    Device 97F00D20
    Device 97EFD7B4

    AttachedDevice fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Roxio)

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0009dd60b8a9
    Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0009dd60b8a9@0023453465b0 0x4B 0xDA 0x3E 0xDB ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0009dd60b8a9@00247ccd6922 0x85 0x2C 0x4C 0x2D ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0009dd60b8a9@00247ce74068 0xB9 0x88 0x2A 0x24 ...
    Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0009dd60b8a9 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0009dd60b8a9@0023453465b0 0x4B 0xDA 0x3E 0xDB ...
    Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0009dd60b8a9@00247ccd6922 0x85 0x2C 0x4C 0x2D ...
    Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0009dd60b8a9@00247ce74068 0xB9 0x88 0x2A 0x24 ...
    Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6089530B-B819-11B3-37CA-9C4BEB185E28}
    Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6089530B-B819-11B3-37CA-9C4BEB185E28}@pafdbebfnjoeibcfbaopbnimbgkmamhj 0x69 0x61 0x65 0x64 ...
    Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6089530B-B819-11B3-37CA-9C4BEB185E28}@oapfdjhcmekiigjabmcefeiadfhioe 0x69 0x61 0x65 0x64 ...

    ---- EOF - GMER 1.0.15 ----

    Both DDS logs, DDS.txt and Attach.txt, are attached because of their size.

    Thank you for your time in looking at this.

    Brian


  2. Corteil

    Corteil Newcomer, in training Topic Starter

    I should have said I am using XP Pro on my laptop.

    Once again, thank you for your time.

    Brian
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Welcome to TechSpot Brian. I'll help with the malware. While I finish checking these logs, please run the following:

    Please download ComboFix from Here and save to your Desktop.

    • [1]. Do NOT rename Combofix unless instructed.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Close any open browsers.
      [4]. Double click combofix.exe & follow the prompts to run.
    • NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
      [5]. If Combofix asks you to install Recovery Console, please allow it.
      [6]. If Combofix asks you to update the program, always allow.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      [7]. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs when you're done with Combofix.

    Run Eset NOD32 Online AntiVirus Scanner HERE
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    Leave those logs for me and I'll see what needs to be removed.
  4. Corteil

    Corteil Newcomer, in training Topic Starter

    new log files

    Bobbye,

    Thank you for your time. I have followed your instructions and have included the ESET log file below and attached the log file from ComboFix.

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=ca7fd5ab76371c4e8c98956071fe3c92
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-04-24 01:58:05
    # local_time=2010-04-24 02:58:05 (+0000, GMT Daylight Time)
    # country="United Kingdom"
    # lang=9
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=1024 16777215 100 0 12489028 12489028 0 0
    # compatibility_mode=5891 16776869 100 100 4787 12305262 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=77541
    # found=1
    # cleaned=0
    # scan_time=5203
    C:\Documents and Settings\Brian\My Documents\Downloads\IPDesignToolSetup\IPDesignToolSetup.exe a variant of Win32/Induc.A virus 00000000000000000000000000000000 I

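A parser for the ESET Online Scanner log.txt posted above, written as an added example (not ESET's code or anything from this thread). Because the scan was run with "Remove found threats" unchecked, the log reports found=1 but cleaned=0; the parser extracts the detection and flags that a separate removal step is still needed. The sample log is constructed from the header fields and detection line shown above, and the path/threat split is a heuristic assumption described in the code.

```python
"""Summarise an ESET Online Scanner log.txt (an added example, not ESET's code).

The instructions above leave "Remove found threats" unchecked, so the log
lists found items without cleaning them; this parser makes that gap explicit.
"""
import re

HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")
DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")

# Constructed sample: header fields and the detection line from the log above.
SAMPLE_LOG = r"""# version=7
# remove_checked=false
# found=1
# cleaned=0
C:\Documents and Settings\Brian\My Documents\Downloads\IPDesignToolSetup\IPDesignToolSetup.exe a variant of Win32/Induc.A virus 00000000000000000000000000000000 I
"""


def split_detection(line):
    """Split a detection line into (path, threat). Assumption: the path ends at
    the last whitespace-delimited token holding a backslash, so a file name that
    itself contains spaces would mis-split; the 32-hex field and flag are dropped."""
    tokens = line.split()
    if len(tokens) > 2 and HEX32.match(tokens[-2]) and len(tokens[-1]) == 1:
        tokens = tokens[:-2]
    path_idx = [i for i, t in enumerate(tokens) if "\\" in t]
    if not path_idx:
        return line, ""
    cut = path_idx[-1] + 1
    return " ".join(tokens[:cut]), " ".join(tokens[cut:])


def parse_eset_log(text):
    """Return counts, detections and whether removal still has to happen."""
    meta, detections = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# ") and "=" in line:
            key, _, value = line[2:].partition("=")
            meta.setdefault(key, value)  # repeated keys keep their first value
        elif DRIVE_PATH.match(line):
            path, threat = split_detection(line)
            detections.append({"path": path, "threat": threat})
    found, cleaned = int(meta.get("found", 0)), int(meta.get("cleaned", 0))
    return {
        "found": found,
        "cleaned": cleaned,
        "detections": detections,
        # Found but not cleaned because the scan ran in report-only mode.
        "needs_followup": found > cleaned and meta.get("remove_checked") == "false",
    }
```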

  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Thank you for your patience Brian. Go ahead and run this while I write the script for Combofix.

    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      :Processes	
      
      :Services
      
      :Reg
      
      :Files  
      C:\Documents and Settings\Brian\My Documents\Downloads\IPDesignToolSetup\IPDesignToolSetup.exe
      
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
  6. Corteil

    Corteil Newcomer, in training Topic Starter

    Once again Bobbye, thank you for your time in helping me with this. Here is the log you requested.

    All processes killed
    ========== PROCESSES ==========
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    C:\Documents and Settings\Brian\My Documents\Downloads\IPDesignToolSetup\IPDesignToolSetup.exe moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: All Users

    User: Brian
    ->Temp folder emptied: 1234064 bytes
    ->Temporary Internet Files folder emptied: 5705052 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 37997953 bytes
    ->Google Chrome cache emptied: 0 bytes
    ->Apple Safari cache emptied: 0 bytes
    ->Flash cache emptied: 434 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 134 bytes

    User: NetworkService
    ->Temp folder emptied: 3622 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 50636248 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 91.00 mb


    OTM by OldTimer - Version 3.1.10.2 log created on 04242010_225802

    Files moved on Reboot...
    C:\Documents and Settings\NetworkService\Local Settings\Temp\SQL.LOG moved successfully.
    File move failed. C:\WINDOWS\temp\SQL.LOG scheduled to be moved on reboot.

    Registry entries deleted on Reboot...


    thanks

    Brian
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Okay, Speedy! How is the system running now? Go ahead with this:

    Custom CFScript

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    c:\windows\system32\drivers\MtxVxd.sys
    c:\windows\system32\Drivers\NvtSp50.sys
    
    Folder::
    c:\program files\ophcrack
    c:\documents and settings\Brian\Local Settings\Application Data\hynyuwaah
    
    Registry::
    RegNull::
    [HKEY_USERS\S-1-5-21-3191962127-1526828786-1711201123-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6089530B-B819-11B3-37CA-9C4BEB185E28}*]
    
    Driver::
    MtxVxd
    NvtSp50
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
    ====================
    And please run a HijackThis scan and leave that log. We're almost through!

    Please download HijackThis HERE.
    • Save it to a permanent folder (such as C:\HJT).
    • Open HijackThis, and select Do a system scan and save a logfile.
    • A Notepad document will open. Please post the contents of that document.
  8. Corteil

    Corteil Newcomer, in training Topic Starter

    There seems to be some improvement. Please find the files you requested attached.

    thanks

    Brian.corteil


  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Please run this:
    Custom CFScript


    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad and copy/paste the text in the code below into it:

    Code:
    File::
    c:\windows\system32\drivers\SBREDrv.sys
    c:\windows\system32\2819083972.dat
    c:\program files\bitcomet\tools\BitCometBHO_1.2.8.7.dll
    c:\program files\bitcomet\BitComet.exe/AddLink.htm
    c:\program files\bitcomet\BitComet.exe/AddVideo.htm
    c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
    c:\Documents and Settings\Brian\Desktop\Desktop\SConfigurator_Generic503.exe
    
    Process::
    c:\windows\ia\command.exe
    c:\windows\ia\KE.vbs
    
    Folder::
    c:\windows\383dvc6k38a40aq9icbxjclw.ini
    c:\program files\bitcomet\BitComet
    
    Registry::
    RegNull::
    [HKEY_USERS\S-1-5-21-3191962127-1526828786-1711201123-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6089530B-B819-11B3-37CA-9C4BEB185E28}*]
    
    Driver::
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
    ====================
    Let me know how the system is doing now.

    At your leisure, consider removing this: Dell Control Point:
    http://dell-controlpoint-connection-manager.software.informer.com/
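A small linter for the CFScript format used in the posts above, written as an added example (not part of this thread or of ComboFix). It parses the "Name::" sections and flags three slips that creep into hand-written scripts: a header written with a single colon, an entry repeated inside a section, and a path pasted with doubled backslashes. The directive names are assumed to be only those shown on this page, and the sample script is constructed from paths on this page with the three mistakes deliberately introduced.

```python
"""Lint a ComboFix CFScript before it is dragged onto ComboFix.exe (an added
example, not part of the thread or of ComboFix). Flags a section header written
with one colon, an entry repeated in a section, and doubled backslashes in a path."""
import re

# Assumption: only the directives shown in the scripts above, not ComboFix's full set.
KNOWN_SECTIONS = {"File", "Folder", "Registry", "RegNull", "Driver", "Process", "Commands"}
HEADER_RE = re.compile(r"^([A-Za-z]+)(::?)$")

# Constructed sample: paths from this page with the three mistakes introduced.
SAMPLE_SCRIPT = r"""File::
c:\windows\system32\drivers\SBREDrv.sys
c:\windows\system32\2819083972.dat
c:\windows\system32\2819083972.dat
c:\\Documents and Settings\\Brian\\Desktop\\Desktop\\SConfigurator_Generic503.exe

Registry::
RegNull:
[HKEY_USERS\S-1-5-21-3191962127-1526828786-1711201123-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6089530B-B819-11B3-37CA-9C4BEB185E28}*]

Driver::
"""


def parse_cfscript(text):
    """Return (sections, problems); sections maps each directive to its cleaned entries."""
    sections, problems, current = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m and m.group(1) in KNOWN_SECTIONS:
            current = m.group(1)
            sections.setdefault(current, [])
            if m.group(2) != "::":
                problems.append(f"line {lineno}: header '{line}' must end with '::'")
            continue
        if current is None:
            problems.append(f"line {lineno}: entry before any section header: {line}")
            continue
        if "\\\\" in line:
            problems.append(f"line {lineno}: doubled backslashes in path: {line}")
            line = line.replace("\\\\", "\\")  # normalise before checking duplicates
        if line.lower() in (e.lower() for e in sections[current]):
            problems.append(f"line {lineno}: duplicate {current}:: entry: {line}")
            continue
        sections[current].append(line)
    return sections, problems
```

Running parse_cfscript(SAMPLE_SCRIPT) reports the duplicate .dat entry, the doubled backslashes and the "RegNull:" header, and returns the cleaned entries per section.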
  10. Corteil

    Corteil Newcomer, in training Topic Starter

    Bobbye, once again thank you for your continued support. I have attached the log file requested and removed Dell Control Point. My laptop seems to be running OK now; it feels normal.


  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    You're very welcome. Glad to help.

    Brian, do you know what this is? 2010-04-26 08:28: C:\AdemTech
    I find information regarding nano- and immunotechnology, but I didn't find anything for a computer system.

    I set up the following to remove the remaining Dell Control Point entries. You don't have to submit the log:
    Custom CFScript


    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad and copy/paste the text in the code below into it:

    Code:
    File::
    c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe
    c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe
    c:\program files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe
    c:\program files\Dell\Dell ControlPoint\Dell.ControlPoint.exe
    c:\program files\Dell\Dell ControlPoint\Connection Manager\Dell.UCM.exe
    
    Folder::
    Registry::
    
    Driver::
    dcpsysmgrsvc
    DellConnectionManager
    USCService
    DellControlPoint
    Dell ControlPoint System Manager
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt .

    If the malware problems have been resolved, you can go ahead with Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
      [IMG]
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.

    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
    • Choose Disk Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Empty the Recycle Bin

    Let me know if I can be of more help in the future.
  12. Corteil

    Corteil Newcomer, in training Topic Starter

    Yes, I know what it is.

    2010-04-26 08:28: C:\AdemTech

    It is a program for programming Honeywell intruder alarm panels. I had to install it on Monday to back up a panel I need to change.

    Brian
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    No problem, just part of my job!
     