Author Topic: [SOLVED?] please help with malware infestation, hjt log  (Read 13314 times)

0 Members and 1 Guest are viewing this topic.

Offline t l s

  • Sr. Member
  • ****
  • Posts: 248
  • huh?
Re: please help with malware infestation, hjt log
« Reply #15 on: October 24, 2008, 12:07:49 AM »
OK, I'm back.  Here are my last two MBAM logs, as well as a fresh HijackThis log, also a copy of my virus chest contents:
(One of the IT guys at work suggested unimmunizing then repeating the MBAM scan in case the computer might have been immunized after some infection, potentially causing removal problems.)

Malwarebytes' Anti-Malware Logs:

Malwarebytes' Anti-Malware 1.30
Database version: 1306
Windows 5.1.2600 Service Pack 3

10/22/2008 6:36:22 PM
mbam-log-2008-10-22 (18-36-06).txt

Scan type: Full Scan (C:\|)
Objects scanned: 136170
Time elapsed: 42 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\ -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\ -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\ (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\TDSShrxr.dll (Rootkit.Agent) -> No action taken.
C:\WINDOWS\system32\TDSSlxwp.dll (Rootkit.Agent) -> No action taken.
C:\WINDOWS\system32\TDSSnmxh.log (Trojan.TDSS) -> No action taken.
C:\WINDOWS\system32\TDSSoeqh.log (Trojan.TDSS) -> No action taken.
C:\WINDOWS\system32\TDSSoiqh.dll (Rootkit.Agent) -> No action taken.
C:\WINDOWS\system32\TDSSoiqt.dll (Rootkit.Agent) -> No action taken.
C:\WINDOWS\system32\TDSSrhyp.dll (Rootkit.Agent) -> No action taken.
C:\WINDOWS\system32\TDSSrtql.dll (Rootkit.Agent) -> No action taken.
C:\WINDOWS\system32\TDSSxfum.dll (Rootkit.Agent) -> No action taken.
C:\WINDOWS\system32\drivers\TDSSpqlt.sys (Rootkit.Agent) -> No action taken.



Malwarebytes' Anti-Malware 1.30
Database version: 1310
Windows 5.1.2600 Service Pack 3

10/23/2008 4:59:05 PM
mbam-log-2008-10-23 (16-59-05).txt

Scan type: Full Scan (C:\|)
Objects scanned: 136719
Time elapsed: 39 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1a26f07f-0d60-4835-91cf-1e1766a0ec56} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Pentium Dual-Core 2.5 GHz, 250GB HDD, 2 GB RAM, WinXP Pro SP3, reasonable caution/adequate paranoia, Mozy, Firefox, IE8, CCleaner, Avast! Internet Security

Offline t l s

  • Sr. Member
  • ****
  • Posts: 248
  • huh?
Re: please help with malware infestation, hjt log
« Reply #16 on: October 24, 2008, 12:09:07 AM »
New HijackThis log and contents of avast virus chest (image of virus chest attached)

New HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:27:27 PM, on 10/23/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\notepad.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.vtisp.com/start
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.vtisp.com/start
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5061129
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1168211069062
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\5248\SAService.exe (file missing)
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 7088 bytes


(edit:  attached image of avast virus chest contents)
« Last Edit: October 24, 2008, 12:15:26 AM by t l s »
Pentium Dual-Core 2.5 GHz, 250GB HDD, 2 GB RAM, WinXP Pro SP3, reasonable caution/adequate paranoia, Mozy, Firefox, IE8, CCleaner, Avast! Internet Security

Offline polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 31069
  • malware fighter
Re: please help with malware infestation, hjt log
« Reply #17 on: October 24, 2008, 03:56:35 PM »
Hi t l s,

The overal HJT log has no more serious hick-ups as far as I can find.
Then I see only one entry here that should rather be restored and not fixed,

O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file) 
Very safe
This entry was classified from our visitors as good, because SiteAdvisor, see:
http://www.castlecops.com/tk28217-SiteAdv_dll_saIE_dll.html

Why that SiteAdvisor was deleted I can only quess.

Furthermore the computer as is shown from the HJT logfile does not have any active software firewall running, a thing which we encounter a lot lately. On certain false grounds people think they do not need an active firewall anymore, but this is putting them at additional risks, because the built-in MS firewall is only partly active by default.
As far as SiteAdvisor there are other alternatives: using scandoo.com as search engine does more or less the same, and there are other browser better add-ons to use like WOT or finjan (IE and/or firefox),

Then on the Trojan agent, Files Infected:
C:\WINDOWS\system32\ (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\TDSShrxr.dll (Rootkit.Agent) -> No action taken.
C:\WINDOWS\system32\TDSSlxwp.dll (Rootkit.Agent) -> No action taken.
C:\WINDOWS\system32\TDSSnmxh.log (Trojan.TDSS) -> No action taken.
C:\WINDOWS\system32\TDSSoeqh.log (Trojan.TDSS) -> No action taken.
C:\WINDOWS\system32\TDSSoiqh.dll (Rootkit.Agent) -> No action taken.
C:\WINDOWS\system32\TDSSoiqt.dll (Rootkit.Agent) -> No action taken.
C:\WINDOWS\system32\TDSSrhyp.dll (Rootkit.Agent) -> No action taken.
C:\WINDOWS\system32\TDSSrtql.dll (Rootkit.Agent) -> No action taken.
C:\WINDOWS\system32\TDSSxfum.dll (Rootkit.Agent) -> No action taken.
C:\WINDOWS\system32\drivers\TDSSpqlt.sys (Rootkit.Agent) -> No action taken.

Please read here:
http://www.bleepingcomputer.com/forums/topic175337.html

One or more of the identified infections was related to a rootkit component. Rootkits and backdoor Trojan are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypasses security mechanisms and steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If this computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read
http://www.dslreports.com/faq/10451

Although the rootkit was identified and removed (or in the process of being removed), this PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because the rootkit has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:
http://www.dslreports.com/faq/10063
http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx
http://miekiemoes.blogspot.com/2008/06/malware-removal-where-to-draw-line.html

polonus


« Last Edit: October 24, 2008, 04:09:41 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline t l s

  • Sr. Member
  • ****
  • Posts: 248
  • huh?
Re: please help with malware infestation, hjt log
« Reply #18 on: October 25, 2008, 12:18:38 AM »
Thanks, Polonus.  SiteAdvisor was deleted to be re-installed.  It seemed to be behaving a bit strangely, was often disabled.  It seems OK now.  The computer had PC-Cillin Internet Security installed, and kept updated, until it stopped working during this mess; so I uninstalled it and installed avast!  I will be installing a new software firewall soon, after testing on the remains of a laptop I bought at a yard sale and reconstructed.  (That one, too, needs a firewall other than the inadequate Windows "firewall;" I just haven't had time to take a good look at them.  Also, like the infected computer, its most sensitive use is for checking e-mail (Yahoo), so I wasn't in a hurry.  Whatever I install for her must be very user-friendly as well as functional.  I will be trying out PC Tools firewall first, based on what I have read as well as the opinions of a few people I know who are using it.

My daughter changed all of her passwords, as soon as we found out her computer was compromised, using my desktop computer.  That one is not used for any risky surfing, etc., and is more adequately protected.

We are seriously considering wiping the drive clean, formatting and re-installing XP.  Although her computer is not currently used for any critical purposes and contains no sensitive information, that could change in the future.  Most of the important contents of this computer, mainly pictures and her music library, were already backed up, in one form or another.  The music will take longest to restore, although it wasn't downloaded, but copied for portability and transfer to her iPod--so she has the originals.   

We really appreciate all your help, including the additional information and links you have given.
Pentium Dual-Core 2.5 GHz, 250GB HDD, 2 GB RAM, WinXP Pro SP3, reasonable caution/adequate paranoia, Mozy, Firefox, IE8, CCleaner, Avast! Internet Security

Offline polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 31069
  • malware fighter
Re: please help with malware infestation, hjt log
« Reply #19 on: October 25, 2008, 12:32:34 AM »
Hi t l s,

I think your evaluation of the situation is very much like I should have put it. You can postpone the total-recall of that machine to the days where your daughter starts to take after her mum's excellent security attitudes, and I hope that day will come soon.
On the other hand I think you have grasped a couple of additional insights about what cybersecurity is about, and again I say that you have got what it takes to be a real good malware fighter.
Try to contact this nice Belgian Malware Fighter, the lady is Microsoft-MPV, and she might like to welcome you and train you,
http://miekiemoes.blogspot.com/ & http://support.bluemedicine.be/mybb/user-1.html

polonus (malware-fighter)
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40636
  • Dragons by Sasha
    • Malware fixes
Re: please help with malware infestation, hjt log
« Reply #20 on: October 25, 2008, 01:30:18 PM »
miekiemoes is one very clever lady.  I have learnt many things from watching her in action 

Offline t l s

  • Sr. Member
  • ****
  • Posts: 248
  • huh?
Re: please help with malware infestation, hjt log
« Reply #21 on: October 26, 2008, 03:49:32 PM »
Hi t l s,

I think your evaluation of the situation is very much like I should have put it. You can postpone the total-recall of that machine to the days where your daughter starts to take after her mum's excellent security attitudes, and I hope that day will come soon.
On the other hand I think you have grasped a couple of additional insights about what cybersecurity is about, and again I say that you have got what it takes to be a real good malware fighter.
Try to contact this nice Belgian Malware Fighter, the lady is Microsoft-MPV, and she might like to welcome you and train you,
http://miekiemoes.blogspot.com/ & http://support.bluemedicine.be/mybb/user-1.html

polonus (malware-fighter)

Coming from you, polonus, this is as good as being accepted into a "first choice" university.  I fully intend to give it a serious try.  You, and other fine malware fighters here, have helped me to learn many things to protect my computers and those of my family and friends.  We all are accustomed to protecting the physical aspects of our lives, using common sense; with practice, the same approach to venturing into the internet really isn't so difficult.  Common sense is not evenly distributed, however, and no prevention will be absolute.  Living does have its consequences.   :)  For me, learning to minimize the damage some of those consequences can cause would be the next logical step.  It is gratifying to know you think I might be up to the task.

Terry

P.S.  My daughter's laptop seems to be working entirely as it should, with PCTools Firewall Plus now installed.  I have run more scans, including an avast! boot time scan including archives, and have found nothing more.  But I will scan more often than usual for a while, and add one or two I haven't done yet.
Pentium Dual-Core 2.5 GHz, 250GB HDD, 2 GB RAM, WinXP Pro SP3, reasonable caution/adequate paranoia, Mozy, Firefox, IE8, CCleaner, Avast! Internet Security