
Malwarebytes

Rootkit impossible to remove


15 replies to this topic

#1
HURST

    New Member

  • Members
  • 10 posts
Last week my brother asked for my help because "his laptop wouldn't start" showing a BSOD when you tried to boot.
He hasn't used an AV for more than a year despite my several warnings.

Obviously I performed a MBAM scan and it found 47 infections, most of them "harmless" trojans, but there's a nasty Vundo variant that won't go away. It's there after every reboot.

I performed 4 MBAM scans, both on normal and safe mode. 2 SAS scans (normal and safe). 1 Avira scan. 1 Kaspersky AVP Tool scan. Still there.

I used HijackThis and AVG anti-rootkit. I thought I had beaten this nasty, but MBAM says it's still there.

I waited a few days for new definitions, but still no luck. Last time I tried was 4 days ago. I scanned with MBAM, selected "Remove all selected" and rebooted. After that I scanned again, so I could save 2 logs, so you could maybe see what's going on. Logs are in Spanish, but I think they are very straightforward to understand.

Here is the MBAM log for the 1st scan:

Quote

Malwarebytes' Anti-Malware 1.40
Versión de la Base de Datos: 2769
Windows 5.1.2600 Service Pack 2

09-09-2009 19:01:13
mbam-log-2009-09-09 (19-01-05).txt

Tipo de examen : Examen Rápido
Objetos examinados: 97090
Tiempo transcurrido: 8 minute(s), 43 second(s)

Procesos en Memoria Infectados: 0
Módulos en Memoria Infectados: 0
Claves del Registro Infectadas: 3
Valores del Registro Infectados: 0
Elementos de Datos del Registro Infectados: 2
Carpetas Infectadas: 0
Ficheros Infectados: 4

Procesos en Memoria Infectados:
(No se han detectado elementos maliciosos)

Módulos en Memoria Infectados:
(No se han detectado elementos maliciosos)

Claves del Registro Infectadas:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3f5f2347-2d28-4b1e-84e8-42ba330f5bd6} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\xtivbqie (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{3f5f2347-2d28-4b1e-84e8-42ba330f5bd6} (Trojan.Vundo.H) -> No action taken.

Valores del Registro Infectados:
(No se han detectado elementos maliciosos)

Elementos de Datos del Registro Infectados:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\System32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\System32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> No action taken.

Carpetas Infectadas:
(No se han detectado elementos maliciosos)

Ficheros Infectados:
c:\windows\system32\wacvxeq.dll (Trojan.Vundo.H) -> No action taken.
C:\Documents and Settings\King Valenzuela\update4.exe (Trojan.Inject) -> No action taken.
C:\Documents and Settings\King Valenzuela\update5.exe (Trojan.Inject) -> No action taken.
C:\Documents and Settings\King Valenzuela\Datos de programa\wiaserva.log (Malware.Trace) -> No action taken.


2nd scan log:

Quote

Malwarebytes' Anti-Malware 1.40
Versión de la Base de Datos: 2769
Windows 5.1.2600 Service Pack 2

09-09-2009 19:15:37
mbam-log-2009-09-09 (19-15-25).txt

Tipo de examen : Examen Rápido
Objetos examinados: 97103
Tiempo transcurrido: 8 minute(s), 45 second(s)

Procesos en Memoria Infectados: 0
Módulos en Memoria Infectados: 0
Claves del Registro Infectadas: 3
Valores del Registro Infectados: 0
Elementos de Datos del Registro Infectados: 2
Carpetas Infectadas: 0
Ficheros Infectados: 2

Procesos en Memoria Infectados:
(No se han detectado elementos maliciosos)

Módulos en Memoria Infectados:
(No se han detectado elementos maliciosos)

Claves del Registro Infectadas:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3f5f2347-2d28-4b1e-84e8-42ba330f5bd6} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\xtivbqie (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{3f5f2347-2d28-4b1e-84e8-42ba330f5bd6} (Trojan.Vundo.H) -> No action taken.

Valores del Registro Infectados:
(No se han detectado elementos maliciosos)

Elementos de Datos del Registro Infectados:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\System32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\System32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> No action taken.

Carpetas Infectadas:
(No se han detectado elementos maliciosos)

Ficheros Infectados:
c:\windows\system32\wacvxeq.dll (Trojan.Vundo.H) -> No action taken.
C:\Documents and Settings\King Valenzuela\Datos de programa\wiaserva.log (Malware.Trace) -> No action taken.




HijackThis log:

Quote

Logfile of HijackThis v1.99.1
Scan saved at 19:16:30, on 09-09-2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Archivos de programa\Avira\AntiVir Desktop\sched.exe
C:\Archivos de programa\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Archivos de programa\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Archivos de programa\Atheros\ACU.exe
C:\Archivos de programa\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\VM305_STI.EXE
C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
C:\Archivos de programa\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\DAEMON Tools Lite\daemon.exe
C:\Archivos de programa\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Java\jre1.6.0_03\bin\jucheck.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: Aplicación auxiliar de vínculos de Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Archivos comunes\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {3f5f2347-2d28-4b1e-84e8-42ba330f5bd6} - c:\windows\system32\wacvxeq.dll (file missing)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ATIPTA] "C:\Archivos de programa\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [ACU] "C:\Archivos de programa\Atheros\ACU.exe" -nogui
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [BigDog305] C:\WINDOWS\VM305_STI.EXE VIMICRO USB PC Camera (ZC0305)
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Archivos de programa\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mswin32dll] windowsupdate.exe
O4 - HKLM\..\Run: [avgnt] "C:\Archivos de programa\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\RunServices: [mswin32dll] windowsupdate.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Archivos de programa\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Archivos de programa\DAEMON Tools Lite\daemon.exe" -autorun
O4 - Startup: uecupd32.exe
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARCHIV~1\ARCHIV~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Archivos de programa\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: xtivbqie - wacvxeq.dll (file missing)
O23 - Service: Servicio de configuración de Atheros (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Avira AntiVir Scheduler (antivirschedulerservice) - Avira GmbH - C:\Archivos de programa\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (antivirservice) - Avira GmbH - C:\Archivos de programa\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Servicio de transferencia inteligente en segundo plano (BITS) - Unknown owner - %fystemRoot%\System32\svchost.exe (file missing)
O23 - Service: Canon Camera Access Library 8 (CCALib - Canon Inc. - C:\Archivos de programa\Canon\CAL\CALMAIN.exe
O23 - Service: Actualizaciones automáticas (wuauserv) - Unknown owner - %fystemRoot%\System32\svchost.exe (file missing)



Thanks in advance!
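The two MBAM logs above differ only in the files that were removed; what matters are the entries that come back after "Remove Selected" plus a reboot, and the two ImagePath data items whose %fystemRoot% variable never expands (a service with such a path cannot start, which is why the HijackThis O23 lines show BITS and Automatic Updates as "file missing"). As an added example, not code from the thread or from Malwarebytes, here is a Python parser that diffs two MBAM logs of this layout and flags non-expanding variables; SCAN_1 and SCAN_2 are constructed excerpts of the logs above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed excerpts (not the thread's full logs) in the MBAM 1.40 line layout
# used in the thread: Spanish section headers, then one
# "<item> (<classification>) -> <action>." line per detection. Registry data
# items carry an extra "Bad: (...) Good: (...)" pair before the action.
SCAN_1 = r"""
Claves del Registro Infectadas:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\xtivbqie (Trojan.Vundo.H) -> No action taken.

Elementos de Datos del Registro Infectados:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\System32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> No action taken.

Carpetas Infectadas:
(No se han detectado elementos maliciosos)

Ficheros Infectados:
c:\windows\system32\wacvxeq.dll (Trojan.Vundo.H) -> No action taken.
C:\Documents and Settings\King Valenzuela\update4.exe (Trojan.Inject) -> No action taken.
"""

# Second scan after "Remove Selected" and a reboot: update4.exe is gone, the rest is back.
SCAN_2 = r"""
Claves del Registro Infectadas:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\xtivbqie (Trojan.Vundo.H) -> No action taken.

Elementos de Datos del Registro Infectados:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\System32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> No action taken.

Ficheros Infectados:
C:\windows\system32\wacvxeq.dll (Trojan.Vundo.H) -> No action taken.
"""

# One detection line; the Bad/Good pair is optional (only registry data items have it).
ENTRY = re.compile(
    r"^(?P<item>.+?) \((?P<cls>[A-Za-z0-9.]+)\)"
    r"(?: -> Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\))?"
    r" -> (?P<action>.+?)\.?$"
)

# Environment variables a service ImagePath may legitimately reference on XP (assumed list).
KNOWN_ENV_VARS = {"systemroot", "systemdrive", "windir", "programfiles", "commonprogramfiles"}


@dataclass
class Detection:
    item: str                   # registry key/value/data or file path
    cls: str                    # MBAM classification, e.g. Trojan.Vundo.H
    action: str                 # "No action taken", "Delete on reboot", ...
    bad: Optional[str] = None   # current (hijacked) registry data, if any
    good: Optional[str] = None  # the value MBAM would restore

    def key(self):
        # Paths in the logs vary in case (c:\windows vs C:\windows); normalise them.
        return (self.item.lower(), self.cls)


def parse_mbam_log(text: str) -> List[Detection]:
    """Extract detection lines; headers, counters and 'nothing found' lines do not match."""
    out = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            out.append(Detection(m["item"], m["cls"], m["action"], m["bad"], m["good"]))
    return out


def unknown_env_vars(value: str) -> List[str]:
    """Return %VAR% names Windows would not expand, e.g. 'fystemRoot'.
    A service whose ImagePath uses one cannot start, which is how the BITS and
    wuauserv (Automatic Updates) services in the thread were kept dead."""
    return [v for v in re.findall(r"%([^%\\]+)%", value) if v.lower() not in KNOWN_ENV_VARS]


def persistent_detections(first: List[Detection], second: List[Detection]) -> List[Detection]:
    """Detections reported in both scans, i.e. those that survived removal plus reboot."""
    seen = {d.key() for d in first}
    return [d for d in second if d.key() in seen]


def triage(log1: str, log2: str) -> Dict[str, list]:
    d1, d2 = parse_mbam_log(log1), parse_mbam_log(log2)
    hijacks = [(d.item, unknown_env_vars(d.bad)) for d in d2 if d.bad and unknown_env_vars(d.bad)]
    return {"persistent": persistent_detections(d1, d2), "env_hijacks": hijacks}


if __name__ == "__main__":
    result = triage(SCAN_1, SCAN_2)
    for d in result["persistent"]:
        print(f"still present after reboot: {d.cls:22} {d.item}")
    for item, bogus in result["env_hijacks"]:
        print(f"non-expanding variable {bogus} in {item}")
```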

#2
negster22

    Elite Member

  • Experts
  • 1,130 posts
  • Location:Westchester County, NY
Hi and Welcome to the Malwarebytes' forum.

Please download ATF Cleaner by Atribune
  • Close Internet Explorer and any other open browsers
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Reboot

Next, download this Antirootkit Program to a folder that you create such as C:\ARK.

Disable the active protection component of your antivirus by following the directions that apply here:
http://www.bleepingc...opic114351.html

Next, please perform a rootkit scan:
  • Double-click the randomly named EXE located in the C:\ARK folder that you just downloaded to run the program.
  • When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.
  • When the "quick" scan is finished (a few seconds), copy the quick scan report to the Windows clipboard and paste it in a reply back here.
  • Now, relaunch the ARK program, click the Rootkit/Malware tab, and then select the Scan button.
  • Leave your system completely idle while this longer scan is in progress.
  • When the scan is done, save the scan log to the Windows clipboard
  • Open Notepad or a similar text editor
  • Paste the clipboard contents into a text file by clicking Edit | Paste or Ctl V
  • Exit the Program
  • Save the Scan log as ARK.txt and post it in your next reply. If the log is very long attach it please.
---
Please download Combofix from one of these locations:
HERE or HERE

I want you to rename Combofix.exe as you download it to a name of your choice such as explorer.exe

Notes:
  • It is very important that you save the newly renamed EXE file to your desktop.
  • You must rename Combofix.exe as you download it and not after it is on your computer.

    You may have to modify your browser settings if you use Firefox, so you can rename Combofix.exe as you download it. To do that:
    • Open Firefox
    • Click Tools -> Options -> Main
    • Under the downloads section check the button that says "Always ask me where to save files".
    • Click OK
  • For Internet Explorer:
    • Choose to save, not open the file
    • When prompted - save the file to your desktop, and rename it anything with an .exe extension on the end.
Here is a tutorial that describes how to download, install and run Combofix more thoroughly. Please review it and follow the prompts to install Recovery Console - if you have not done that already:
http://www.bleepingc...to-use-combofix

Very Important! Temporarily disable your Symantec antivirus and antimalware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix and even remove onboard components so it is rendered ineffective:
http://www.bleepingc...opic114351.html

Also, disable your firewall!
You can enable the Windows firewall in the interim, until the scan is complete.

Note: The above tutorial does not tell you to rename Combofix as I have instructed you to do in the above instructions, so make sure you complete the renaming step before launching Combofix.

Running Combofix

In the event you already have Combofix, please delete it as this is a new version.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

1. Double click on the renamed combofix.exe & follow the prompts.
2. When finished, it will produce a log file located at C:\ComboFix.txt
3. Post the contents of that log in your next reply with a new hijackthis log.

Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.

Please post ARK.txt and C:\ComboFix.txt in your next reply.

BTW, a new version of MBAM was released v 1.41

Uninstall MBAM v 1.40

Next, download Malwarebytes' Anti-Malware (MBAM) version 1.41 to your desktop from:

BestTechie.net
http://www.besttechi.../mbam-setup.exe
or
MajorGeeks.com:
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html

Double-click mbam-setup.exe and follow the prompts to install the program. At the end of the install, UNcheck the following two options:
  • Update Malwarebytes' Anti-Malware
  • Launch Malwarebytes' Anti-Malware
  • Click Finish.
  • Close MBAM and rename "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" -> "C:\Program Files\Malwarebytes' Anti-Malware\notepad.exe"
  • Now relaunch MBAM from the Windows Start Menu or by double-clicking notepad.exe in the MBAM folder.
  • Select the Update tab -> Check for Updates
  • After MBAM updates, select the Scanner tab.
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK -> Show Results to view the scan results.
  • Check all items found, and then choose the 'Remove Selected' option to move the selected items to the quarantine.
  • When the scan is done, a log will open in Notepad with the scan results. Please post the results in your next reply.

NOTE: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Please post the MBAM v 1.41 log.

I would like to collect some infected file samples of anything that MBAM is unable to remove so the next definition updates will include complete coverage for those threats. I'll let you know what samples I need and how you can submit them - thanks in advance!
Microsoft MVP - Consumer Security 2006 - 2011

BITS n PC's Blog

#3
HURST

    New Member

  • Members
  • 10 posts
Thanks for the quick response.
I'll perform the steps and post an update when I get back home from work.

#4
HURST

    New Member

  • Members
  • 10 posts
Ok, here is the log from the Gmer "quick" scan.

Quote

GMER 1.0.15.15086 - http://www.gmer.net
Rootkit quick scan 2009-09-14 18:13:38
Windows 5.1.2600 Service Pack 2
Running: gxmiwbj6.exe; Driver: C:\DOCUME~1\KINGVA~1\CONFIG~1\Temp\aujasnkj.sys


---- System - GMER 1.0.15 ----

SSDT spax.sys ZwEnumerateKey [0xF750ECA2]
SSDT spax.sys ZwEnumerateValueKey [0xF750F030]

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 4417c335.sys
Device \FileSystem\Ntfs \Ntfs 84F891F8
Device \Driver\Tcpip \Device\Ip 4417c335.sys
Device \Driver\Tcpip \Device\Tcp 4417c335.sys
Device \Driver\Tcpip \Device\Udp 4417c335.sys
Device \Driver\Tcpip \Device\RawIp 4417c335.sys

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\System32\drivers\4417c335.sys (*** hidden *** ) [SYSTEM] 4417c335 <-- ROOTKIT !!!
Service C:\WINDOWS\System32\drivers\5ba3cbde.sys (*** hidden *** ) [SYSTEM] 5ba3cbde <-- ROOTKIT !!!
Service C:\WINDOWS\System32\drivers\ba1f2c63.sys (*** hidden *** ) [SYSTEM] ba1f2c63 <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----
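The quick-scan log above carries three kinds of findings: SSDT hooks (here by spax.sys), device objects with a module attached to them, and services hidden from the normal Windows APIs. As an added example, not code from the thread or from GMER, here is a Python triage that parses this layout and ranks the hidden drivers that also sit on the NTFS or TCP/IP device stack, which is the set the expert later lists under Driver:: and Collect::; GMER_LOG is a constructed excerpt of the log above.

```python
import re
from typing import Dict, List

# Constructed excerpt in the layout of the GMER 1.0.15 quick-scan log posted in the
# thread: SSDT hook lines, device-attachment lines and hidden-service lines.
GMER_LOG = r"""
---- System - GMER 1.0.15 ----

SSDT spax.sys ZwEnumerateKey [0xF750ECA2]
SSDT spax.sys ZwEnumerateValueKey [0xF750F030]

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 4417c335.sys
Device \FileSystem\Ntfs \Ntfs 84F891F8
Device \Driver\Tcpip \Device\Ip 4417c335.sys
Device \Driver\Tcpip \Device\Tcp 4417c335.sys

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\System32\drivers\4417c335.sys (*** hidden *** ) [SYSTEM] 4417c335 <-- ROOTKIT !!!
Service C:\WINDOWS\System32\drivers\5ba3cbde.sys (*** hidden *** ) [SYSTEM] 5ba3cbde <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----
"""

# "SSDT <module> <Zw function> [0x<address>]": a kernel service table entry redirected into <module>.
SSDT = re.compile(r"^SSDT\s+(?P<module>\S+)\s+(?P<func>Zw\w+)\s+\[0x(?P<addr>[0-9A-Fa-f]+)\]")
# "Device <driver object> <device object> <attached module or bare address>".
DEVICE = re.compile(r"^Device\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+(?P<attached>\S+)$")
# "Service <path> (*** hidden *** ) [<start type>] <service name> <-- ROOTKIT !!!".
HIDDEN = re.compile(
    r"^Service\s+(?P<path>.+?\.sys)\s+\(\*\*\* hidden \*\*\* \)\s+\[(?P<start>\w+)\]\s+(?P<name>\S+)"
)


def parse_gmer(text: str) -> Dict[str, object]:
    hooks: Dict[str, List[str]] = {}      # module -> SSDT entries it hooks
    attached: Dict[str, List[str]] = {}   # module -> device objects it is attached to
    hidden: List[Dict[str, str]] = []     # services invisible to the service control manager
    for line in text.splitlines():
        m = SSDT.match(line)
        if m:
            hooks.setdefault(m["module"], []).append(m["func"])
            continue
        m = DEVICE.match(line)
        if m:
            # A bare hex value (84F891F8) is an unnamed attached object, not a module file.
            if not re.fullmatch(r"[0-9A-Fa-f]+", m["attached"]):
                attached.setdefault(m["attached"], []).append(m["device"])
            continue
        m = HIDDEN.match(line)
        if m:
            hidden.append({"path": m["path"], "name": m["name"], "start": m["start"]})
    return {"ssdt_hooks": hooks, "attached": attached, "hidden_services": hidden}


def prioritise(report: Dict[str, object]) -> List[str]:
    """Hidden drivers that are also attached to the filesystem or TCP/IP stack:
    the ones to hand to the helper (or list under Collect::) first."""
    hidden_modules = {h["path"].rsplit("\\", 1)[-1].lower() for h in report["hidden_services"]}
    return sorted(mod for mod in report["attached"] if mod.lower() in hidden_modules)


if __name__ == "__main__":
    rep = parse_gmer(GMER_LOG)
    for mod, funcs in rep["ssdt_hooks"].items():
        print(f"SSDT hooks by {mod}: {', '.join(funcs)}")
    for mod in prioritise(rep):
        print(f"hidden and attached to {rep['attached'][mod]}: {mod}")
```

Note that sp??.sys hooking only ZwEnumerateKey and ZwEnumerateValueKey is the usual footprint of the SPTD driver installed with DAEMON Tools (present in the HijackThis log above), which is consistent with the expert's script targeting the hidden drivers and leaving spax.sys alone.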


#5
HURST

    New Member

  • Members
  • 10 posts
Here are the 3 logs.

Attached Files



#6
HURST

    New Member

  • Members
  • 10 posts
MBAM 1.41 log:


Quote

Malwarebytes' Anti-Malware 1.41
Versión de la Base de Datos: 2798
Windows 5.1.2600 Service Pack 2

14-09-2009 20:59:49
mbam-log-2009-09-14 (20-59-49).txt

Tipo de examen : Examen Rápido
Objetos examinados: 95732
Tiempo transcurrido: 4 minute(s), 54 second(s)

Procesos en Memoria Infectados: 0
Módulos en Memoria Infectados: 0
Claves del Registro Infectadas: 0
Valores del Registro Infectados: 3
Elementos de Datos del Registro Infectados: 8
Carpetas Infectadas: 0
Ficheros Infectados: 12

Procesos en Memoria Infectados:
(No se han detectado elementos maliciosos)

Módulos en Memoria Infectados:
(No se han detectado elementos maliciosos)

Claves del Registro Infectadas:
(No se han detectado elementos maliciosos)

Valores del Registro Infectados:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Regedit32 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sys32_nov (Trojan.Downloader) -> Quarantined and deleted successfully.

Elementos de Datos del Registro Infectados:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\System32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\System32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.

Carpetas Infectadas:
(No se han detectado elementos maliciosos)

Ficheros Infectados:
C:\WINDOWS\system32\wisdstr.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cru629.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\4417c335.sys (Rootkit.Rustock) -> Delete on reboot.
C:\WINDOWS\system32\drivers\5ba3cbde.sys (Rootkit.Rustock) -> Delete on reboot.
C:\WINDOWS\system32\drivers\ba1f2c63.sys (Rootkit.Rustock) -> Delete on reboot.
C:\WINDOWS\system32\drivers\beep.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\WINDOWS\cru629.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\King Valenzuela\Datos de programa\wiaserva.log (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\braviax.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\dllcache\beep.sys (Fake.Beep.sys) -> Quarantined and deleted successfully.
C:\Documents and Settings\King Valenzuela\oashdihasidhasuidhiasdhiashdiuasdhasd (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\braviax.exe (Trojan.Downloader) -> Quarantined and deleted successfully.


#7
HURST

    New Member

  • Members
  • 10 posts
Performed a 2nd MBAM scan, this is the result:

Quote

Malwarebytes' Anti-Malware 1.41
Versión de la Base de Datos: 2798
Windows 5.1.2600 Service Pack 2

14-09-2009 21:11:56
mbam-log-2009-09-14 (21-11-44).txt

Tipo de examen : Examen Rápido
Objetos examinados: 95816
Tiempo transcurrido: 4 minute(s), 43 second(s)

Procesos en Memoria Infectados: 1
Módulos en Memoria Infectados: 0
Claves del Registro Infectadas: 0
Valores del Registro Infectados: 3
Elementos de Datos del Registro Infectados: 2
Carpetas Infectadas: 0
Ficheros Infectados: 5

Procesos en Memoria Infectados:
C:\WINDOWS\system32\sys32_nov.exe (Trojan.Agent) -> No action taken.

Módulos en Memoria Infectados:
(No se han detectado elementos maliciosos)

Claves del Registro Infectadas:
(No se han detectado elementos maliciosos)

Valores del Registro Infectados:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sys32_nov (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Regedit32 (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sys32_nov (Trojan.Agent) -> No action taken.

Elementos de Datos del Registro Infectados:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\System32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\System32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> No action taken.

Carpetas Infectadas:
(No se han detectado elementos maliciosos)

Ficheros Infectados:
C:\Documents and Settings\King Valenzuela\Datos de programa\wiaserva.log (Malware.Trace) -> No action taken.
C:\Documents and Settings\King Valenzuela\sys32_nov.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\drivers\ba1f2c63.sys (Rootkit.Rustock) -> No action taken.
C:\WINDOWS\system32\sys32_nov.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\temp\wpv421252625374.exe (Trojan.Agent) -> No action taken.


#8
HURST

    New Member

  • Members
  • 10 posts
And a last scan log.
This time I disconnected the internet connection before rebooting and then scanning.

Quote

Malwarebytes' Anti-Malware 1.41
Versión de la Base de Datos: 2798
Windows 5.1.2600 Service Pack 2

14-09-2009 21:30:28
mbam-log-2009-09-14 (21-30-28).txt

Tipo de examen : Examen Rápido
Objetos examinados: 95697
Tiempo transcurrido: 4 minute(s), 13 second(s)

Procesos en Memoria Infectados: 0
Módulos en Memoria Infectados: 0
Claves del Registro Infectadas: 0
Valores del Registro Infectados: 0
Elementos de Datos del Registro Infectados: 2
Carpetas Infectadas: 0
Ficheros Infectados: 1

Procesos en Memoria Infectados:
(No se han detectado elementos maliciosos)

Módulos en Memoria Infectados:
(No se han detectado elementos maliciosos)

Claves del Registro Infectadas:
(No se han detectado elementos maliciosos)

Valores del Registro Infectados:
(No se han detectado elementos maliciosos)

Elementos de Datos del Registro Infectados:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\System32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\System32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.

Carpetas Infectadas:
(No se han detectado elementos maliciosos)

Ficheros Infectados:
C:\Documents and Settings\King Valenzuela\Datos de programa\wiaserva.log (Malware.Trace) -> Quarantined and deleted successfully.


#9
negster22

    Elite Member

  • Experts
  • 1,130 posts
  • Location:Westchester County, NY
OK good job, I'll be with you soon with a script for you to run.

#10
negster22

    Elite Member

  • Experts
  • 1,130 posts
  • Location:Westchester County, NY
Make sure you can view hidden files and folders

You have an infected copy of a Windows system file called beep.sys which we have to replace with a clean version. To that end, I have attached a zipped XP beep.sys file to this reply. You will have to download and extract as follows - making absolutely sure the file is unzipped to the proper folder that I have given you instructions to unzip it to:

1. Download the attached file beep.zip to your root directory C:\
2. Unzip beep.zip to C:\beep.sys
3. Very Important: Using Windows Explorer, verify that the file C:\beep.sys exists before moving on to the next step.

We have some more items to clean up that we will manually specify for deletion by using a Combofix script.

It is important that you follow the next set of instructions precisely.

Open Notepad

On the Notepad menu, choose "Format" and make sure that Word Wrap is unchecked (disabled).

Copy/paste the text in the code box below into Notepad.

Save this to your desktop as CFScript.txt by selecting File -> Save as.

Very Important: Disable ALL security program active protection components at this time including any and all antispyware and antivirus monitor/guards you have running!!

Also, disable any task(s) scheduled to run automatically upon reboot, such as chkdsk, Windows Updates or any scanners. Then re-enable after you get the new Combofix report.

Referring to the picture below, drag CFScript.txt into ComboFix.exe (fixme.exe)
[image: CFScript.txt being dragged onto the renamed ComboFix.exe]

This will cause ComboFix to run again.

Please post back the log that is opens when it finishes.

http://www.malwarebytes.org/forums/index.php?showtopic=24590
KillAll::

Driver::
4417c335
5ba3cbde
ba1f2c63
tqqphaok
7865703b
vvftav
evidence

Fcopy::
C:\beep.sys | C:\WINDOWS\System32\drivers\beep.sys
C:\beep.sys | C:\windows\system32\dllcache\beep.sys

Collect::[75]
C:\WINDOWS\System32\drivers\4417c335.sys
C:\WINDOWS\System32\drivers\5ba3cbde.sys
C:\WINDOWS\System32\drivers\ba1f2c63.sys
C:\WINDOWS\System32\drivers\tqqphaok.sys
C:\WINDOWS\System32\drivers\7865703b.sys
c:\windows\system32\drivers\vvftav.sys

rootkit::
c:\windows\system32\sys32_nov.exe
c:\windows\system32\braviax.exe

File::
c:\documents and settings\Administrador\Menú Inicio\Programas\Inicio\uecupd32.exe
c:\documents and settings\King Valenzuela\Menú Inicio\Programas\Inicio\uecupd32.exe

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000
"FirewallDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
Regedit32=-
sys32_nov=-

DirLook::
C:\LE38

Attached Files



#11
HURST

    New Member

  • Members
  • 10 posts
Here is the log.

Attached Files

  • log.txt (16.73K)


#12
negster22

    Elite Member

  • Experts
  • 1,130 posts
  • Location:Westchester County, NY
How is the computer running now?

Disable active protection.

Please repeat the quick ARK rootkit scan:
  • Double-click the randomly named EXE located in the C:\ARK folder to run the program.
  • When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.
  • When the quick scan is done, save the scan log to the Windows clipboard
  • Open Notepad or a similar text editor
  • Paste the clipboard contents into a text file by clicking Edit | Paste or Ctl V
  • Exit the Program
  • Save the Scan log as ARKQuick.txt and post it in your next reply.
You may now re-enable any active protection you disabled before performing the scan.

---

Did you get a prompt to upload files when Combofix ran and did you respond?

I need you to see if these two files are present. You must have viewing of hidden files and folders enabled:
c:\documents and settings\Administrador\Menú Inicio\Programas\Inicio\uecupd32.exe
c:\documents and settings\King Valenzuela\Menú Inicio\Programas\Inicio\uecupd32.exe


Launch MBAM
  • Update MBAM by clicking the Update tab -> Check for updates
  • Click the Scanner tab and select Perform quick scan, then click Scan.
  • When the scan is complete, click OK -> Show Results to view the scan results.
  • Check all items found, and then choose the 'Remove Selected' option to move the selected items to the quarantine.
  • When the scan is done, a log will open in Notepad with the scan results. Please post the results in your next reply.

NOTE: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Please post back the ArkQuick.txt and the MBAM log, plus answer my questions posed above.

Also IMPORTANT:

Please open a run line (click Start ->Run)

Copy/paste the following bolded text into the Run box and click OK:

C:\Qoobox\ComboFix-quarantined-files.txt

A report should open in Notepad. Please post the contents in your next reply.

#13
HURST

    New Member

  • Members
  • 10 posts
Computer seems to be running fine now.

uecupd32.exe is not in any of the 2 folders.

I wasn't paying attention when Combofix scanned, so I didn't see any prompt to upload files.

MBAM came out clean.

Here are the 3 logs you asked for:

Attached Files



#14
negster22

    Elite Member

  • Experts
  • 1,130 posts
  • Location:Westchester County, NY
While I review your logs, can you do me a favor and submit some files so we can include them in our database.

Can you please visit this submission webpage

In the "Link to topic where this file was requested: " box, copy/paste the url to this topic as follows:
http://www.malwareby...showtopic=24590

Next, copy and paste the following bolded text into the "Browse to the file you want to submit:" box:
C:\Qoobox\Quarantine\[75]-Submit_2009-09-15_23.35.06.zip

Then click 'Send File'

Please do the same for these files:

C:\Qoobox\Quarantine\C\Documents and Settings\King Valenzuela\Menú Inicio\Programas\Inicio\uecupd32.exe.vir

C:\Qoobox\Quarantine\C\qubaisyvtash.exe.vir

C:\Qoobox\Quarantine\C\qtubfgaait.exe.vir

C:\Qoobox\Quarantine\C\WINDOWS\system32\MSSMAG64.dll.vir

C:\Qoobox\Quarantine\C\WINDOWS\jestertb.dll.vir

C:\Qoobox\Quarantine\C\Documents and Settings\King Valenzuela\Escritorio\[Torrentsworld.net] - Greg Iles - Spandau Phoenix prc.torrent .vir

C:\Qoobox\Quarantine\C\Documents and Settings\King Valenzuela\Datos de programa\Microsoft\Clip Organizer\Offic10.MGC.vir

C:\Qoobox\Quarantine\C\Documents and Settings\King Valenzuela\Datos de programa\Microsoft\Clip Organizer\mstore10.mgc.vir


Let me know when that has been done, so I can check if the files were received.

Thanks in advance.

#15
HURST

    New Member

  • Members
  • 10 posts
Just uploaded them.

Thanks for all!

#16
negster22

    Elite Member

  • Experts
  • 1,130 posts
  • Location:Westchester County, NY
Thanks very much, but can I ask you to upload these five zipped driver files as well? I would very much appreciate it!

To make it easier, just create a folder on your desktop and move or copy all the following drivers into it:

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_ba1f2c63_.sys.zip
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_5ba3cbde_.sys.zip
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_4417c335_.sys.zip
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_tqqphaok_.sys.zip
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_sfavlful_.sys.zip


Then zip it up to create drivers.zip

Then go to my submission page here:
http://www.bleepingcomputer.com/submit-mal....php?channel=75

and upload drivers.zip which contains the above five drivers to my malware submission channel please.




