Author Topic: new worm?, avast doesn' know it  (Read 57654 times)


Markwest

  • Guest
Re: new worm?, avast doesn' know it
« Reply #60 on: December 27, 2009, 03:54:35 PM »

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-27 14:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\kpgmh]

.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-776561741-1563985344-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:dd,2f,b8,a0,ed,08,93,98,68,aa,98,88,25,98,8a,a9,04,f3,19,18,5a,6d,91,
   2f,a4,33,79,3f,0b,3b,7e,32,64,d8,78,82,ac,11,57,ad,ae,40,c2,cd,1b,6d,96,52,\
"??"=hex:0e,65,6b,66,be,8d,88,91,f8,ed,7e,ad,e7,93,74,57

[HKEY_USERS\S-1-5-21-776561741-1563985344-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:f1,c5,45,e3,96,ce,70,1a,19,5b,29,ca,c2,83,4b,b8,15,6a,83,db,5f,
   b0,36,32,21,a3,e6,13,b7,97,1e,4b,79,f4,84,44,8a,c4,6c,4a,cb,1d,06,d6,e5,b2,\
"rkeysecu"=hex:34,72,c9,c1,56,cb,ba,37,57,df,7e,31,d4,64,3d,47
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(784)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Creative\Shared Files\CTAudSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\OpenOffice.org 2.4\program\soffice.exe
c:\program files\OpenOffice.org 2.4\program\soffice.BIN
c:\program files\Windows Live\Contacts\wlcomm.exe
.
**************************************************************************
.
Completion time: 2009-12-27  14:41:05 - machine was rebooted
ComboFix-quarantined-files.txt  2009-12-27 14:41

Pre-Run: 153,819,316,224 bytes free
Post-Run: 156,370,591,744 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 19C7488F916CA0B7BBFE04BC72EDC125

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: new worm?, avast doesn' know it
« Reply #61 on: December 27, 2009, 07:08:47 PM »
Hi MarkWest,

BitTorrent DNA
You have BitTorrent DNA, a P2P/file sharing program, installed on your computer. P2P applications like it are the largest source of malware we see. You'll be doing yourself a favor by removing it. It's not the program itself that is the problem, but what can be downloaded with it, usually from an unknown source.

References for the risk of these programs can be found in these links:
http://www.microsoft.com/windows/ie/commun...protection.mspx

http://www.internetworldstats.com/articles/art053.htm://http://www.techweb.com/wire/1605005...cles/art053.htm

I would recommend that you uninstall BitTorrent DNA; however, that choice is up to you. If you choose to remove this program, you can do so via Control Panel >> Add or Remove Programs.

If you wish to keep it/them, please do not use it until we are done.

We'll use combofix again but run it differently. After combofix has finished please try going on line to get a tool we will use later.

Please follow all previous instructions regarding security programs.

Open a new Notepad session
  • Click the Start button, click run
  • in the run box type notepad
  • click ok
  • In the notepad, Click "Format" and be certain that Word Wrap is not checked.

  • Copy and paste all the text in the code box below into the Notepad. Do Not copy the word CODE
Code:
File::
c:\windows\Igaqofevinuyoz.bin
c:\windows\Avasub.dat
c:\windows\system32\fjhdyfhsn.bat

FCopy::
c:\windows\system32\dllcache\ctfmon.exe | c:\windows\System32\ctfmon.exe

RootKit::
c:\windows\system32\drivers\kpgmh.sys

Driver::
kpgmh


In the notepad
  • Click File, Save as..., and set the Save in to your Desktop
  • In the filename box, type (including quotation marks) as the filename: "CFScript.txt"
  • Click save
Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown below.

This will start ComboFix again. Close all browser/windows first.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**




.
Next

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield
  • Do not copy the word CODE; please note the script starts with the :
Code:
:filefind
sfcfiles.*
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Please post back with
  • combofix log
  • SystemLook log

How's the computer?

Thanks

Markwest

  • Guest
Re: new worm?, avast doesn' know it
« Reply #62 on: December 27, 2009, 08:05:00 PM »
i didn't realize i had any bittorrent stuff on that computer and do not want it either, if i cannot find it in the add remove what else can be done to remove it, so far the computer is still coming up with the same errors from avast that it has found a malware file, i am generally leaving the computer off until you post a thing for me to do on it, not wanting the infection to spread further, i am currently working on my old clean computer and will switch back to my sick machine soon to run the current plans you have to help it

edit: i will probably grab the systemlook file on here and copying it over via flashdrive i still do not want to put that computer online in case it infects it more
« Last Edit: December 27, 2009, 08:10:30 PM by Markwest »

Markwest

  • Guest
Re: new worm?, avast doesn' know it
« Reply #63 on: December 27, 2009, 10:07:05 PM »
bad news my laptop has died on me, i'm down to one machine other than my sick machine now it may take a lot longer to fix now since i'm having to switch wires to get between the sick and clean old machine constantly

emantoyaks

  • Guest
Re: new worm?, avast doesn' know it
« Reply #64 on: December 28, 2009, 01:39:38 AM »
try Spyware Terminator hope they can help you....

Download links:
http://filehippo.com/download_spyware_terminator/download/f3711407582ea0bf0f62323b4502c9d4/

Offline oldman

Re: new worm?, avast doesn' know it
« Reply #65 on: December 28, 2009, 02:00:54 AM »
Hi MarkWest,

Run the combofix CFScript I posted and the infected computer should go on line just fine. Make sure you use copy and paste to create the CFScript, we don't need a typo when we are this close.

Thanks

Markwest

  • Guest
Re: new worm?, avast doesn' know it
« Reply #66 on: December 28, 2009, 03:51:12 PM »
well avast did something really weird, even though it was disabled it popped up saying it found an infected file (the same one as usual) during the combo fix scan, thought i'd mention that here comes the logs

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 14:30 on 28/12/2009 by Mark (Administrator - Elevation successful)

========== filefind ==========

Searching for "sfcfiles.*"
C:\WINDOWS\system32\sfcfiles.dll   --a--- 1589248 bytes   [17:35 19/12/2007]   [17:35 19/12/2007] 3702A9C76696A70323330FD3879A5408

-=End Of File=-

ComboFix 09-12-26.01 - Mark 28/12/2009  14:12:09.2.4 - x86
Microsoft Windows XP Professional  5.1.2600.2.1252.44.1033.18.3327.2941 [GMT 0:00]
Running from: c:\documents and settings\Mark\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Mark\Desktop\CFscript.txt
AV: avast! antivirus 4.8.1368 [VPS 091225-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FILE ::
"c:\windows\Avasub.dat"
"c:\windows\Igaqofevinuyoz.bin"
"c:\windows\system32\fjhdyfhsn.bat"
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Avasub.dat
c:\windows\Igaqofevinuyoz.bin
c:\windows\system32\fjhdyfhsn.bat

.
--------------- FCopy ---------------

c:\windows\system32\dllcache\ctfmon.exe --> c:\windows\System32\ctfmon.exe
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_KPGMH
-------\Service_kpgmh


(((((((((((((((((((((((((   Files Created from 2009-11-28 to 2009-12-28  )))))))))))))))))))))))))))))))
.

2009-12-28 14:12 . 2007-07-27 11:00   15360   -c--a-w-   c:\windows\system32\dllcache\ctfmon.exe
2009-12-28 14:12 . 2007-07-27 11:00   15360   ----a-w-   c:\windows\system32\ctfmon.exe
2009-12-26 09:30 . 2009-12-26 09:30   --------   d-----w-   c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-12-26 02:24 . 2009-12-26 02:24   52224   ----a-w-   c:\documents and settings\Mark\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2009-12-26 02:20 . 2009-12-26 02:24   117760   ----a-w-   c:\documents and settings\Mark\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-26 02:19 . 2009-12-26 02:19   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-12-26 02:18 . 2009-12-26 02:18   --------   d-----w-   c:\program files\SUPERAntiSpyware
2009-12-26 02:18 . 2009-12-26 02:18   --------   d-----w-   c:\documents and settings\Mark\Application Data\SUPERAntiSpyware.com
2009-12-26 02:17 . 2009-12-26 02:13   2386270   ----a-w-   C:\MGtools.exe
2009-12-26 01:48 . 2009-12-26 01:47   411368   ----a-w-   c:\windows\system32\deploytk.dll
2009-12-26 01:47 . 2009-12-26 01:47   --------   d-----w-   c:\program files\Java
2009-12-25 13:52 . 2009-12-25 13:52   --------   d-----w-   c:\documents and settings\Mark\.kde
2009-12-25 09:45 . 2009-12-25 09:45   4844295   ----a-w-   c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-16 21:46 . 2009-09-04 17:44   515416   ----a-w-   c:\windows\system32\XAudio2_5.dll
2009-12-16 21:46 . 2009-09-04 17:44   238936   ----a-w-   c:\windows\system32\xactengine3_5.dll
2009-12-16 21:46 . 2009-09-04 17:29   1974616   ----a-w-   c:\windows\system32\D3DCompiler_42.dll
2009-12-16 21:46 . 2009-09-04 17:29   5501792   ----a-w-   c:\windows\system32\d3dcsx_42.dll
2009-12-16 21:46 . 2009-09-04 17:29   235344   ----a-w-   c:\windows\system32\d3dx11_42.dll
2009-12-16 21:45 . 2009-12-16 21:46   --------   d--h--w-   c:\windows\msdownld.tmp
2009-12-09 15:38 . 2009-12-09 15:38   --------   d-----w-   c:\program files\Microsoft
2009-12-04 05:32 . 2009-09-04 17:29   453456   ----a-w-   c:\windows\system32\d3dx10_42.dll
2009-12-04 05:32 . 2009-09-04 17:29   1892184   ----a-w-   c:\windows\system32\D3DX9_42.dll
2009-12-02 23:21 . 2009-12-02 23:21   --------   d-----w-   c:\documents and settings\Mark\Local Settings\Application Data\Thunderbird
2009-12-02 23:21 . 2009-12-02 23:21   --------   d-----w-   c:\documents and settings\Mark\Application Data\Thunderbird
2009-12-02 23:09 . 2009-12-02 23:09   --------   d-----w-   c:\documents and settings\LocalService\Local Settings\Application Data\GNU
2009-12-02 23:09 . 2009-12-02 23:09   --------   d-----w-   c:\documents and settings\LocalService\Application Data\gnupg
2009-12-02 23:09 . 2009-12-02 23:09   --------   d-----w-   c:\documents and settings\Mark\Application Data\gnupg
2009-12-02 23:09 . 2009-12-02 23:09   --------   d-----w-   c:\documents and settings\All Users\Application Data\GNU
2009-12-02 23:09 . 2009-12-02 23:09   --------   d-----w-   c:\program files\GNU

Markwest

  • Guest
Re: new worm?, avast doesn' know it
« Reply #67 on: December 28, 2009, 03:51:44 PM »

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-28 14:25 . 2009-02-20 09:52   --------   d-----w-   c:\program files\Steam
2009-12-28 14:24 . 2008-05-07 16:19   --------   d-----w-   c:\documents and settings\Mark\Application Data\OpenOffice.org2
2009-12-26 02:18 . 2008-05-18 11:04   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
2009-12-26 02:05 . 2008-08-04 05:26   --------   d-----w-   c:\program files\EA Games
2009-12-26 02:03 . 2009-02-20 04:33   --------   d-----w-   c:\program files\Konami
2009-12-26 02:00 . 2008-04-26 03:44   --------   d-----w-   c:\program files\THQ
2009-12-26 02:00 . 2008-09-04 13:02   --------   d-----w-   c:\program files\Three Rings Design
2009-12-25 09:45 . 2008-12-15 23:26   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2009-12-25 03:34 . 2009-09-24 02:54   --------   d-----w-   c:\program files\Pando Networks
2009-12-24 17:13 . 2008-06-11 16:29   --------   d-----w-   c:\program files\mIRC
2009-12-21 04:14 . 2008-05-07 16:20   1   ----a-w-   c:\documents and settings\Mark\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2009-12-20 11:52 . 2008-05-18 11:04   --------   d-----w-   c:\program files\AGEIA Technologies
2009-12-18 23:13 . 2008-12-09 03:13   --------   d-----w-   c:\program files\World of Warcraft
2009-12-10 10:33 . 2008-04-25 13:50   --------   d-----w-   c:\documents and settings\Mark\Application Data\.purple
2009-12-04 06:11 . 2008-10-29 11:04   104   ----a-w-   c:\windows\popcinfot.dat
2009-12-03 16:14 . 2008-12-15 23:26   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 16:13 . 2008-12-15 23:26   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
2009-11-30 03:11 . 2009-11-22 21:06   --------   d-----w-   c:\program files\FantasyGrounds
2009-11-27 14:16 . 2008-04-25 15:47   --------   d-----w-   c:\documents and settings\Mark\Application Data\gtk-2.0
2009-11-24 23:54 . 2008-12-15 02:08   1280480   ----a-w-   c:\windows\system32\aswBoot.exe
2009-11-24 23:51 . 2008-12-15 02:08   93424   ----a-w-   c:\windows\system32\drivers\aswmon.sys
2009-11-24 23:50 . 2008-12-15 02:08   94160   ----a-w-   c:\windows\system32\drivers\aswmon2.sys
2009-11-24 23:50 . 2008-12-15 02:08   114768   ----a-w-   c:\windows\system32\drivers\aswSP.sys
2009-11-24 23:50 . 2008-12-15 02:08   20560   ----a-w-   c:\windows\system32\drivers\aswFsBlk.sys
2009-11-24 23:49 . 2008-12-15 02:08   48560   ----a-w-   c:\windows\system32\drivers\aswTdi.sys
2009-11-24 23:48 . 2008-12-15 02:08   23120   ----a-w-   c:\windows\system32\drivers\aswRdr.sys
2009-11-24 23:47 . 2008-12-15 02:08   27408   ----a-w-   c:\windows\system32\drivers\aavmker4.sys
2009-11-24 23:47 . 2008-12-15 02:08   97480   ----a-w-   c:\windows\system32\AvastSS.scr
2009-11-22 21:12 . 2009-11-22 21:12   --------   d-----w-   c:\program files\LogMeIn Hamachi
2009-11-22 21:12 . 2009-04-29 23:42   --------   d-----w-   c:\documents and settings\Mark\Application Data\Hamachi
2009-11-19 22:36 . 2008-11-19 16:41   --------   d-----w-   c:\program files\ooVoo
2009-11-06 10:59 . 2009-11-06 10:59   15406728   ----a-w-   c:\windows\system32\xlive.dll
2009-11-06 10:59 . 2009-11-06 10:59   13642888   ----a-w-   c:\windows\system32\xlivefnt.dll
2009-11-06 04:09 . 2009-11-06 04:09   --------   d-----w-   c:\documents and settings\All Users\Application Data\BioWare
2009-11-03 10:28 . 2009-11-03 10:28   --------   d-----w-   c:\documents and settings\Mark\Application Data\runic games
2009-11-01 16:51 . 2009-11-01 16:48   --------   d-----w-   c:\documents and settings\Mark\Application Data\Red Alert 3 Uprising
2009-10-29 19:34 . 2009-10-29 04:59   --------   d-----w-   c:\documents and settings\All Users\Application Data\NOS
2009-10-29 04:59 . 2009-10-29 04:59   1925024   ----a-w-   c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
.

------- Sigcheck -------

[-] 2007-12-19 . 3702A9C76696A70323330FD3879A5408 . 1589248 . . [5.1.2600.3186] . . c:\windows\system32\sfcfiles.dll
.
(((((((((((((((((((((((((((((   SnapShot@2009-12-27_14.35.32   )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-12-27 19:47 . 2009-12-27 19:47   16384              c:\windows\Temp\Perflib_Perfdata_6e8.dat
+ 2009-12-28 14:23 . 2009-12-28 14:23   16384              c:\windows\Temp\Perflib_Perfdata_654.dat
+ 2009-12-28 14:23 . 2009-12-28 14:23   16384              c:\windows\Temp\Perflib_Perfdata_52c.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Veoh"="c:\program files\Veoh Networks\Veoh\VeohClient.exe" [2008-08-13 3660848]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-09-03 3342336]
"oovoo.exe"="c:\program files\ooVoo\oovoo.exe" [2009-10-12 17507000]
"Steam"="c:\program files\steam\steam.exe" [2009-10-24 1217808]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2009-02-24 3558136]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-02-10 1937408]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-12-16 2002160]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2007-07-27 15360]

Markwest

  • Guest
Re: new worm?, avast doesn' know it
« Reply #68 on: December 28, 2009, 03:52:19 PM »

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"nwiz"="nwiz.exe" [2007-12-05 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"CTHelper"="CTHELPER.EXE" [2008-02-20 19456]
"CTxfiHlp"="CTXFIHLP.EXE" [2008-02-20 19968]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2003-01-27 376912]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-03 36352]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-26 149280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2007-07-27 53760]

c:\documents and settings\Mark\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-1-21 393216]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 14:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

Markwest

  • Guest
Re: new worm?, avast doesn' know it
« Reply #69 on: December 28, 2009, 03:52:44 PM »

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Firefly Studios\\Stronghold 2\\Stronghold2.exe"=
"c:\\Program Files\\Unreal Tournament 3\\Binaries\\UT3.exe"=
"c:\\Program Files\\Cyanide\\GameCenter\\GameCenter.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Namco Bandai Games\\Warhammer Mark of Chaos\\Warhammer.exe"=
"c:\\Program Files\\Microsoft Games\\Dungeon Siege 2\\DungeonSiege2.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Ntreev\\Grand Chase\\main.exe"=
"c:\\Program Files\\SecondLife\\SLVoice.exe"=
"c:\\Program Files\\Wizards of the Coast\\Magic Online III\\Renamer.exe"=
"c:\\Program Files\\softnyx\\GunboundWC\\GunBound.gme"=
"c:\\Program Files\\ooVoo\\ooVoo.exe"=
"c:\\Program Files\\Outspark\\WindSlayer\\WindSlayer.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\dawn of war 2\\DOW2.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Apprentice\\Appr.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\THQ\\Dawn of War - Soulstorm\\Soulstorm.exe"=
"c:\\Program Files\\Electronic Arts\\The Battle for Middle-earth (tm) II\\game.dat"=
"c:\\Program Files\\Electronic Arts\\The Battle for Middle-earth (tm) II\\patchget.dat"=
"c:\\WINDOWS\\Downloaded Program Files\\PurpleBean.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.1.1.9835-to-3.1.2.9901-enUS-downloader.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\plants vs zombies\\PlantsVsZombies.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.1.2.9901-to-3.1.3.9947-enUS-downloader.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\overlord ii\\Overlord2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\overlord ii\\Config.exe"=
"c:\\Program Files\\Electronic Arts\\BattleForge\\Bootstrapper.exe"=
"c:\\Program Files\\Electronic Arts\\BattleForge\\BattleForge.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\bookworm adventures volume 2\\BookwormAdventuresVol2.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=
"c:\\Program Files\\Cyanide\\Blood Bowl\\Autorun\\Exe\\Autorun.exe"=
"c:\\Program Files\\Cyanide\\Blood Bowl\\BB.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=
"c:\\Program Files\\Turbine\\DDO Unlimited\\dndclient.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=
"c:\\Program Files\\Dragon Age Origins Character Creator\\bin_ship\\DAOCharacterCreator.exe"=
"c:\\Program Files\\Dragon Age Origins Character Creator\\DAOriginsLauncher.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\command and conquer red alert 3 uprising\\RA3EP1.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\dragon age origins\\bin_ship\\daupdatersvc.service.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\zuma's revenge\\ZumasRevenge.exe"=
"c:\\Program Files\\FantasyGrounds\\FantasyGrounds.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\left 4 dead 2\\left4dead2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\dragon age origins\\bin_ship\\DAOrigins.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\dragon age origins\\DAOriginsLauncher.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\torchlight\\Torchlight.exe"=

Markwest

  • Guest
Re: new worm?, avast doesn' know it
« Reply #70 on: December 28, 2009, 03:53:08 PM »

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:TCP"= 443:TCP:ooVoo TCP port 443
"443:UDP"= 443:UDP:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:ooVoo UDP port 37675
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"37676:TCP"= 37676:TCP:ooVoo TCP port 37676
"37676:UDP"= 37676:UDP:ooVoo UDP port 37676
"37677:UDP"= 37677:UDP:ooVoo UDP port 37677

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [15/12/2008 02:08 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [16/12/2009 16:26 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [16/12/2009 16:26 74480]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [15/12/2008 02:08 20560]
R2 DirMngr;DirMngr;c:\program files\GNU\GnuPG\dirmngr.exe [28/09/2009 16:15 242176]
R2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [29/10/2009 12:27 1074568]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [16/12/2009 16:27 7408]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\Steam\SteamApps\common\dragon age origins\bin_ship\daupdatersvc.service.exe [06/11/2009 01:10 25832]
S3 EraserUtilDrv10633;EraserUtilDrv10633;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10633.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10633.sys [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
S3 XDva226;XDva226;\??\c:\windows\system32\XDva226.sys --> c:\windows\system32\XDva226.sys [?]
S3 zgwhsdiag;ZTE WCDMA Handset Diagnostic Port;c:\windows\system32\drivers\zgwhsdiag.sys [28/10/2009 14:45 105216]
S3 zgwhsmdm;ZTE WCDMA Handset USB Modem;c:\windows\system32\drivers\zgwhsmdm.sys [28/10/2009 14:45 105216]
S3 zgwhsnmea;WCDMA Handset NMEA Port;c:\windows\system32\drivers\zgwhsnmea.sys [28/10/2009 14:45 105216]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.virginmedia.com
Trusted Zone: com.tw\asia.msi
Trusted Zone: com.tw\global.msi
Trusted Zone: com.tw\www.msi
DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab
FF - ProfilePath - c:\documents and settings\Mark\Application Data\Mozilla\Firefox\Profiles\tz9chjai.default\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-28 14:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.

Markwest

  • Guest
Re: new worm?, avast doesn' know it
« Reply #71 on: December 28, 2009, 03:53:34 PM »
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-776561741-1563985344-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:dd,2f,b8,a0,ed,08,93,98,68,aa,98,88,25,98,8a,a9,04,f3,19,18,5a,6d,91,
   2f,a4,33,79,3f,0b,3b,7e,32,64,d8,78,82,ac,11,57,ad,ae,40,c2,cd,1b,6d,96,52,\
"??"=hex:0e,65,6b,66,be,8d,88,91,f8,ed,7e,ad,e7,93,74,57

[HKEY_USERS\S-1-5-21-776561741-1563985344-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:f1,c5,45,e3,96,ce,70,1a,19,5b,29,ca,c2,83,4b,b8,15,6a,83,db,5f,
   b0,36,32,21,a3,e6,13,b7,97,1e,4b,79,f4,84,44,8a,c4,6c,4a,cb,1d,06,d6,e5,b2,\
"rkeysecu"=hex:34,72,c9,c1,56,cb,ba,37,57,df,7e,31,d4,64,3d,47
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(772)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(3908)
c:\windows\system32\ctagent.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Creative\Shared Files\CTAudSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\CTHELPER.EXE
c:\windows\system32\CTXFIHLP.EXE
c:\windows\SYSTEM32\CTXFISPI.EXE
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-12-28  14:28:53 - machine was rebooted
ComboFix-quarantined-files.txt  2009-12-28 14:28
ComboFix2.txt  2009-12-27 14:41

Pre-Run: 156,365,512,704 bytes free
Post-Run: 156,329,406,464 bytes free

- - End Of File - - 0C9B4409138C4B5D432B859B7649F647

Offline oldman

Re: new worm?, avast doesn' know it
« Reply #72 on: December 28, 2009, 08:27:39 PM »
Hi MarkWest,

When avast detected the file, you moved it to the chest? Combofix removed the driver so there shouldn't be any more detections now.

Do you have an XP cd?

Have you tried going on line with this computer yet?

Quote
i didn't realize i had any bittorrent stuff on that computer and do not want it either,
Go to add/remove programs and uninstall this program

DNA

We'll take care of its leftovers after you have uninstalled it.


.
We'll use combofix again.

Please follow all previous instructions regarding security programs.

Open a new Notepad session
  • Click the Start button, click run
  • in the run box type notepad
  • click ok
  • In the notepad, Click "Format" and be certain that Word Wrap is not checked.

  • Copy and paste all the text in the code box below into the Notepad. Do Not copy the word CODE
Code:
SRPeek::
c:\windows\system32\sfcfiles.dll

SkipFix::

In the notepad
  • Click File, Save as..., and set the Save in to your Desktop
  • In the filename box, type (including quotation marks) as the filename: "CFScript.txt"
  • Click save
Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown below.

This will start ComboFix again. Close all browser/windows first.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**



.
You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM

  • Click the Update tab
  • Click Check for Updates
  • If an update is found, it will download and install the latest version.
  • The program will close to update and reopen.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Please post back with
  • combofix log
  • MBAM log
How is the computer?

Thanks

Markwest

  • Guest
Re: new worm?, avast doesn' know it
« Reply #73 on: December 28, 2009, 09:00:03 PM »
yes originally i did move it to the chest, no i currently don't have a xp cd here but i can get one here by tomorrow, and no i'm still not going online with my sick computer yet, i think i got rid of bittorrent though ^^ used add remove to drop dna off it,

How close are we do you think, it's a lot harder on me now i'm getting pretty sick irl at the moment from it probably only able to do 1 thing a day at this time cause i think a winter bug has got my body too heh ^_^

Offline oldman

Re: new worm?, avast doesn' know it
« Reply #74 on: December 28, 2009, 09:30:41 PM »
Hi Markwest,

You can go online with the "sick" computer. We have removed everything visible. It is now time to deal directly with the computer and we need to know how it is when used normally.

We have the last instruction I posted to do and one more scan.