Stealth Intrusion

Re: Stealth Intrusion

Hello, I completed everything except that the Host.exe opened up with Jasc Paint Shop Photo Album... and it has nothing. Is that supposed to happen? It is asking me what program I want to open it with. Which one should I pick?

Re: Stealth Intrusion

Notepad, please.

When you go to save it again, click File > Save as...

Choose Save as type: All Files

File name: HOSTS

No extension, just that one word. Then, click Save.

Re: Stealth Intrusion

Sorry, I didn't read the rest of your note...

Re: Stealth Intrusion

Cheetah-Anti-Rogue v1.3.1
by DragonMaster Jay

Microsoft Windows XP [Version 5.1.2600]
Date: 02/19/2010 - Time: 17:25:43 - Arch.: x86


-- Malware removal tools check --
Trend Micro HijackThis 2.0.2
Malwarebytes' Anti-Malware


-- Known infection --

C:\DOCUME~1\Valerie\LOCALS~1\Temp\B.tmp (Trj.Sinowal.X)
C:\DOCUME~1\Valerie\LOCALS~1\Temp\5.tmp (Trj.Bredavi-Backdoor)
C:\DOCUME~1\Valerie\LOCALS~1\Temp\8.tmp (HEUR:::Trj.Bredavi-Backdoor)
C:\DOCUME~1\Valerie\LOCALS~1\Temp\9.tmp (HEUR:::Trj.Bredavi-Backdoor)


Extra message: Detection only.


EOF

Re: Stealth Intrusion

Hehe, let me see something, if possible:

Please download Malwarebytes Anti-Malware from Malwarebytes.org.
Alternate link: BleepingComputer.com.
(Note: if you already have the program installed, just follow the directions. No need to re-download or re-install!)

Double Click mbam-setup.exe to install the application.

(Note: if you already have the program installed, open Malwarebytes from the Start Menu or Desktop shortcut, click the Update tab, and click Check for Updates, before doing the scan as instructed below!)

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Re: Stealth Intrusion

I am waiting for the Malware scan to complete and I noticed that I do not have sound in my speakers... I did get a message that wants me to install hardware for Multi Media (?) but I tried to install it and it would not install. Maybe it was because of the problems I was having. Not sure how to get the sound back...

Re: Stealth Intrusion

We'll try to fix that soon, 1 problem at a time. Smile...

Re: Stealth Intrusion

Post the results when ready.

Re: Stealth Intrusion

Below is the log. What should I be doing with my security on my PC? This is the second time this week I've had a virus. Any suggestions? I have Free AVG 9.0. That must not be good enough. Thanks again for all your help!

Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/19/2010 9:08:22 PM
mbam-log-2010-02-19 (21-08-22).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Objects scanned: 199067
Time elapsed: 50 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\Winlogon32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Winlogon86.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
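The three Security Center entries in the log above are the values that silence XP's own "antivirus / firewall / updates are off" warnings, which is why an infection like this one can sit on a machine without the user being told. As an added example (not from the thread, and not Malwarebytes' own code; the function names are mine and the log excerpt is constructed from the lines above), here is a Python parser for this MBAM log format that checks each section's declared count against the items actually listed and pulls out exactly that Security Center tampering:

```python
import re

# Constructed excerpt in the format of the MBAM 1.44 log posted above.
SAMPLE_LOG = r"""Registry Data Items Infected: 3
Files Infected: 2

Registry Keys Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\Winlogon32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Winlogon86.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""

SUMMARY_RE = re.compile(r"^(.+ Infected): (\d+)$")      # "Files Infected: 2"
HEADER_RE = re.compile(r"^(.+ Infected):$")             # "Files Infected:" opens a section
ENTRY_RE = re.compile(r"^(.+?) \(([^()]+)\) -> (.+)$")  # item (detection) -> ...
BAD_RE = re.compile(r"Bad: \(([^)]*)\)")                # only on registry data lines

def parse_mbam_log(text):
    """Return (summary, sections): declared counts, and the entries listed per section."""
    summary, sections, current = {}, {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            current = None                      # a blank line ends the section
        elif m := SUMMARY_RE.match(line):
            summary[m.group(1)] = int(m.group(2))
        elif m := HEADER_RE.match(line):
            current = m.group(1)
            sections[current] = []
        elif current and (m := ENTRY_RE.match(line)):
            item, detection, rest = m.groups()
            bad = BAD_RE.search(rest)           # "Bad: (1) Good: (0)" for registry data
            sections[current].append({
                "item": item, "detection": detection,
                "bad_value": bad.group(1) if bad else None,
                "action": rest.rsplit("-> ", 1)[-1].rstrip("."),
            })
    return summary, sections

def count_mismatches(summary, sections):
    """Sections whose declared count differs from the entries actually listed."""
    return {s: (n, len(sections.get(s, []))) for s, n in summary.items()
            if n != len(sections.get(s, []))}

def security_center_tampering(sections):
    """Security Center *DisableNotify values found set to 1: XP's own warnings silenced."""
    hits = []
    for e in sections.get("Registry Data Items Infected", []):
        key, _, value = e["item"].rpartition("\\")
        if (key.endswith("\\Security Center") and value.endswith("DisableNotify")
                and e["bad_value"] == "1"):
            hits.append(value)
    return hits
```

A count mismatch means the summary and detail blocks came from different runs or the log was truncated when pasted, so ask for the full file from the Logs tab before relying on it.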

Re: Stealth Intrusion

Hmm... seems to be a continuous infection. A backdoor was spotted on the reverse page. Seems pretty bad and hiding from MBAM. Could not hide from my tool.

Please download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please reboot to Safe Mode (tap the F8 key just before Windows starts to load and select the Safe Mode option from the menu).

  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally, paste the contents of the Report.txt back on the forum with a new HijackThis log.

Re: Stealth Intrusion

SDFix: Version 1.240
Run by Valerie on Fri 02/19/2010 at 11:06 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-20 08:47:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20]
"RefCount"=dword:00000002

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\dlcjcoms.exe"="C:\\WINDOWS\\system32\\dlcjcoms.exe:*:Enabled:Dell 964 Server"
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dlcjpswx.exe"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dlcjpswx.exe:*:Enabled:Dell 964 Printer Status"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Intuit\\QuickBooks 2005\\QBDBMgrN.exe"="C:\\Program Files\\Intuit\\QuickBooks 2005\\QBDBMgrN.exe:*:Enabled:QuickBooks 2008 Data Manager"
"C:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"="C:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe:*:Enabled:Windows Live Sync"
"C:\\Program Files\\Common Files\\Intuit\\Update Service\\IntuitUpdateService.exe"="C:\\Program Files\\Common Files\\Intuit\\Update Service\\IntuitUpdateService.exe:LocalSubNet:Disabled:Intuit Update Shared Downloads Server"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"="C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe:*:Enabled:EasyShare"
"C:\\Program Files\\AVG\\AVG8\\avgam.exe"="C:\\Program Files\\AVG\\AVG8\\avgam.exe:*:Enabled:avgam.exe"
"C:\\Program Files\\AVG\\AVG8\\avgdiag.exe"="C:\\Program Files\\AVG\\AVG8\\avgdiag.exe:*:Enabled:avgdiag.exe"
"C:\\Program Files\\AVG\\AVG8\\avgdiagex.exe"="C:\\Program Files\\AVG\\AVG8\\avgdiagex.exe:*:Enabled:avgdiagex.exe"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"="C:\\Program Files\\AVG\\AVG8\\avgnsx.exe:*:Enabled:avgnsx.exe"
"C:\\Program Files\\AVG\\AVG9\\avgam.exe"="C:\\Program Files\\AVG\\AVG9\\avgam.exe:*:Enabled:avgam.exe"
"C:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"="C:\\Program Files\\AVG\\AVG9\\avgdiagex.exe:*:Enabled:avgdiagex.exe"
"C:\\Program Files\\AVG\\AVG9\\avgupd.exe"="C:\\Program Files\\AVG\\AVG9\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\AVG\\AVG9\\avgnsx.exe"="C:\\Program Files\\AVG\\AVG9\\avgnsx.exe:*:Enabled:avgnsx.exe"
"C:\\Documents and Settings\\Valerie\\Application Data\\mjusbsp\\magicJack.exe"="C:\\Documents and Settings\\Valerie\\Application Data\\mjusbsp\\magicJack.exe:*:Enabled:magicJack"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"="C:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe:*:Enabled:Windows Live Sync"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :



Files with Hidden Attributes :

Wed 21 Jan 2004 61,440 ...H. --- "C:\Program Files\MSN\msnupdate!@#@.exe"
Wed 21 Jan 2004 292,864 ...H. --- "C:\Program Files\MSN\txsrvc.dll"
Wed 21 Jan 2004 302,080 ...H. --- "C:\Program Files\MSN\unicows.dll"
Sun 20 Jul 2008 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 17 Feb 2010 49,664 ...H. --- "C:\Documents and Settings\Valerie\My Documents\~WRL2543.tmp"
Tue 14 Oct 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Wed 16 Jan 2008 30,208 ...H. --- "C:\Documents and Settings\Valerie\My Documents\Stationary\~WRL0001.tmp"
Wed 9 Dec 2009 32,256 ...H. --- "C:\Documents and Settings\Valerie\My Documents\Stationary\~WRL4002.tmp"
Sun 26 Apr 2009 266,752 ...H. --- "C:\Documents and Settings\Valerie\Application Data\Microsoft\Templates\~WRL0189.tmp"
Fri 10 Jul 2009 172,544 ...H. --- "C:\Documents and Settings\Valerie\Application Data\Microsoft\Word\~WRL0115.tmp"
Wed 25 Nov 2009 585,728 ...H. --- "C:\Documents and Settings\Valerie\Application Data\Microsoft\Word\~WRL0341.tmp"
Fri 22 Jan 2010 712,192 ...H. --- "C:\Documents and Settings\Valerie\Application Data\Microsoft\Word\~WRL0356.tmp"
Tue 8 Sep 2009 367,104 ...H. --- "C:\Documents and Settings\Valerie\Application Data\Microsoft\Word\~WRL2661.tmp"
Tue 6 Oct 2009 428,032 ...H. --- "C:\Documents and Settings\Valerie\Application Data\Microsoft\Word\~WRL2817.tmp"
Sun 2 Aug 2009 271,872 ...H. --- "C:\Documents and Settings\Valerie\Application Data\Microsoft\Word\~WRL2879.tmp"
Wed 24 Jun 2009 134,656 ...H. --- "C:\Documents and Settings\Valerie\Application Data\Microsoft\Word\~WRL3678.tmp"
Fri 10 Apr 2009 725,296 A..H. --- "C:\Documents and Settings\Valerie\Application Data\mjusbsp\ar00000\install.exe"
Fri 10 Apr 2009 6,327,408 A..H. --- "C:\Documents and Settings\Valerie\Application Data\mjusbsp\in00000\setup.exe"
Fri 10 Apr 2009 725,296 A..H. --- "C:\Documents and Settings\Valerie\Application Data\mjusbsp\Upgrade\install1.exe"
Fri 10 Apr 2009 6,327,408 A..H. --- "C:\Documents and Settings\Valerie\Application Data\mjusbsp\Upgrade\setup1.exe"
Sun 20 Jul 2008 4,348 ...H. --- "C:\Documents and Settings\Valerie\My Documents\My Music\License Backup\drmv1key.bak"
Mon 28 Jul 2008 20 ...H. --- "C:\Documents and Settings\Valerie\My Documents\My Music\License Backup\drmv1lic.bak"
Sun 20 Jul 2008 400 ...H. --- "C:\Documents and Settings\Valerie\My Documents\My Music\License Backup\drmv2key.bak"
Mon 28 Jul 2008 1,536 ...H. --- "C:\Documents and Settings\Valerie\My Documents\My Music\License Backup\drmv2lic.bak"

Finished!
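The "Authorized Application Key Export" in the SDFix report above is the XP firewall exception list, which is where a reviewer looks for binaries that have added themselves. As an added example (not from the thread, and not SDFix's own code; the function names are mine and the excerpt is constructed from the lines above), here is a Python triage script for that export format: it parses each profile's list and flags enabled any-host exceptions outside Windows or Program Files (here the magicJack entry under Application Data, which is only a prompt to confirm the user installed it), malformed values, and the same executable registered from several directories (the AVG8 and AVG9 pairs, typically an old version's exceptions left behind):

```python
import re
from collections import defaultdict

# Constructed excerpt in the format of the SDFix "Authorized Application Key Export" above.
SAMPLE_EXPORT = r"""[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\AVG\\AVG9\\avgupd.exe"="C:\\Program Files\\AVG\\AVG9\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\Common Files\\Intuit\\Update Service\\IntuitUpdateService.exe"="C:\\Program Files\\Common Files\\Intuit\\Update Service\\IntuitUpdateService.exe:LocalSubNet:Disabled:Intuit Update Shared Downloads Server"
"C:\\Documents and Settings\\Valerie\\Application Data\\mjusbsp\\magicJack.exe"="C:\\Documents and Settings\\Valerie\\Application Data\\mjusbsp\\magicJack.exe:*:Enabled:magicJack"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"""

KEY_RE = re.compile(r"^\[(.+)\\authorizedapplications\\list\]$", re.IGNORECASE)
VALUE_RE = re.compile(r'^"(.+?)"="(.+)"$')
# Locations a non-admin user cannot normally write to on XP.
TRUSTED_PREFIXES = ("%windir%\\", "c:\\windows\\", "c:\\program files\\")

def parse_authorized_apps(text):
    """One dict per exception: profile, path, scope, enabled, name (or malformed)."""
    entries, profile = [], None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            profile = m.group(1).rsplit("\\", 1)[-1]   # standardprofile / domainprofile
            continue
        m = VALUE_RE.match(line)
        if not (m and profile):
            continue
        # The .reg export doubles backslashes; the value repeats the path, then
        # scope:Enabled|Disabled:display name.
        path = m.group(1).replace("\\\\", "\\")
        value = m.group(2).replace("\\\\", "\\")
        parts = value[len(path) + 1:].split(":", 2) if value.startswith(path + ":") else []
        if len(parts) != 3:
            entries.append({"profile": profile, "path": path, "malformed": True})
            continue
        scope, state, name = parts
        entries.append({"profile": profile, "path": path, "scope": scope, "name": name,
                        "enabled": state.lower() == "enabled", "malformed": False})
    return entries

def review_findings(entries):
    """(profile, path, reason) tuples a reviewer should look at."""
    findings, by_exe = [], defaultdict(set)
    for e in entries:
        if e["malformed"]:
            findings.append((e["profile"], e["path"], "malformed value"))
            continue
        by_exe[e["path"].rsplit("\\", 1)[-1].lower()].add(e["path"].lower())
        if e["enabled"] and e["scope"] == "*" and not e["path"].lower().startswith(TRUSTED_PREFIXES):
            findings.append((e["profile"], e["path"], "enabled for any host, outside Windows or Program Files"))
    for exe, paths in by_exe.items():
        if len(paths) > 1:   # e.g. an old version's exception left behind after an upgrade
            findings.append(("*", exe, "same executable registered from %d directories" % len(paths)))
    return findings
```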

Re: Stealth Intrusion

We need to do some more diagnostics to make sure your computer is clean.

1. Please download Rooter and Save it to your desktop

  1. Double click it to start the tool.
  2. Click Scan.
  3. Eventually, a Notepad file containing the report will open, also found at C:\Rooter.txt. Post that log in your next reply.



2. Download LockSearch to your desktop

  • A window will pop up, Press 2 and then Enter. A scan will start, let it run uninterrupted. It should only take a few minutes.
  • A log will appear when it is finished; it will also be saved in the same location as LockSearch, which should be on your desktop. Post the contents of the log in your reply.


3. Please download CKScanner by askey127 from here

Save it to your desktop.
  • Doubleclick CKScanner.exe and click Search For Files.
  • After a very short time, when the cursor hourglass disappears, click Save List To File.
  • A message box will verify that the file is saved.
  • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.


4. I request the following logs to be posted in your next reply, please:
-Rooter
-LockSearch
-CKScanner

Thanks. Smile...

Re: Stealth Intrusion

Rooter.exe (v1.0.2) by Eric_71
.
SeDebugPrivilege granted successfully ...
.
Windows XP . (5.1.2600) Service Pack 3
[32_bits] - x86 Family 15 Model 4 Stepping 1, GenuineIntel
.
[wscsvc] (Security Center) RUNNING (state:4)
[SharedAccess] RUNNING (state:4)
Windows Firewall -> Disabled !

.
Internet Explorer 8.0.6001.18702
.
C:\ [Fixed-NTFS] .. ( Total:232 Go - Free:211 Go )
D:\ [CD_Rom]
E:\ [CD_Rom]
F:\ [Removable]
.
Scan : 10:30.40
Path : C:\Documents and Settings\Valerie\Desktop\Rooter.exe
User : Valerie ( Administrator -> YES )
.
----------------------\\ Processes
.
Locked [System Process] (0)
______ System (4)
______ \SystemRoot\System32\smss.exe (892)
______ \??\C:\WINDOWS\system32\csrss.exe (940)
______ \??\C:\WINDOWS\system32\winlogon.exe (964)
______ C:\WINDOWS\system32\services.exe (1008)
______ C:\WINDOWS\system32\lsass.exe (1020)
______ C:\WINDOWS\system32\svchost.exe (1224)
______ C:\WINDOWS\system32\svchost.exe (1312)
______ C:\WINDOWS\System32\svchost.exe (1436)
______ C:\WINDOWS\system32\svchost.exe (1572)
______ C:\WINDOWS\system32\svchost.exe (1684)
______ C:\Program Files\AVG\AVG9\avgchsvx.exe (1772)
______ C:\Program Files\AVG\AVG9\avgrsx.exe (1780)
______ C:\WINDOWS\system32\spoolsv.exe (1908)
Locked AVGIDSAgent.exe (1948)
______ C:\Program Files\AVG\AVG9\avgcsrvx.exe (1984)
______ C:\WINDOWS\Explorer.EXE (620)
______ C:\WINDOWS\system32\svchost.exe (1568)
______ C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe (1624)
Locked avgwdsvc.exe (1676)
Locked avgfws9.exe (1696)
______ C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe (328)
______ C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe (644)
Locked avgam.exe (1516)
______ C:\Program Files\AVG\AVG9\avgnsx.exe (1832)
______ C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE (2528)
______ C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe (2568)
______ C:\WINDOWS\system32\svchost.exe (2764)
______ C:\WINDOWS\system32\WFXSVC.EXE (2792)
______ C:\Program Files\WinFax\WFXMOD32.EXE (2856)
______ C:\WINDOWS\System32\alg.exe (3832)
______ C:\Program Files\AVG\AVG9\avgcsrvx.exe (3704)
______ C:\WINDOWS\System32\svchost.exe (3804)
______ C:\WINDOWS\system32\dllhost.exe (3496)
______ C:\WINDOWS\system32\msdtc.exe (1768)
______ C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe (4024)
______ C:\Program Files\Internet Explorer\IEXPLORE.EXE (3656)
______ C:\Program Files\Internet Explorer\IEXPLORE.EXE (2308)
______ C:\WINDOWS\system32\dlcjcoms.exe (1416)
______ C:\Program Files\AVG\AVG9\avgui.exe (112)
______ C:\Documents and Settings\Valerie\Desktop\Rooter.exe (5992)
.
----------------------\\ Device\Harddisk0\
.
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
.
\Device\Harddisk0\Partition1 --[ MBR ]-- (Start_Offset:32256 | Length:249990902784)
.
----------------------\\ Scheduled Tasks
.
C:\WINDOWS\Tasks\desktop.ini
C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
C:\WINDOWS\Tasks\SA.DAT
C:\WINDOWS\Tasks\User_Feed_Synchronization-{76D70BD6-ADEF-4772-B82F-52AD730EEB58}.job
.
----------------------\\ Registry
.
.
----------------------\\ Files & Folders
.
----------------------\\ Scan completed at 10:31.07
.
C:\Rooter$\Rooter_1.txt - (20/02/2010 | 10:31.07)

LockSearch by jpshortstuff (05.11.09.1)
Log created at 10:32 on 20/02/2010 (Valerie)
Scanning C:\


C:\pagefile.sys
-------------------------

-=E.O.F=-

CKScanner - Additional Security Risks - These are not necessarily bad
c:\documents and settings\valerie\my documents\photoshow print & share\_photoshow\music\rock\crackthesky_mind.swf
c:\documents and settings\valerie\my documents\photoshow print & share\_photoshow\music\rock\crackthesky_mind_image.swf
c:\program files\jasc software inc\paint shop pro studio\bump maps\cracked desert.pspimage
c:\program files\jasc software inc\paint shop pro studio\patterns\cracked paint.pspimage
scanner sequence 3.CA.11
----- EOF -----

Re: Stealth Intrusion

I would say clean.

How is the computer running now?

Re: Stealth Intrusion

It is working Very nice thank you!!!! I personally want to thank you for all your help. You truly are a MASTER!!! I also donated to Geek Police this morning... it is well worth the money. Until we meet again...... A BIG THANKS!!
