Malwarebytes

I've got a trojan sending spam

51 replies to this topic

#1
TennisGeek

    New Member

  • Members
  • 35 posts
  • Gender:Male
  • Location:Northeast US
I got a call from my ISP that we have a port open, and that it's sending out spam. I have 3 PCs on my home network, and have isolated the problem to one PC. I removed that one from the network, and the ISP is happy again.

I had some weird things happen, like I couldn't update MBAM, so I couldn't actually do a decent scan. I finally realized this was a problem, reinstalled it, and I could update it. It then found and cleaned a bunch of things. An additional scan indicated no infections.

Attached are the scan results. I still need to install and run Spybot Search & Destroy.

Thanks for your help!

#2
AdvancedSetup

    Forum Deity

  • Administrators
  • 22,572 posts
  • Gender:Male
  • Location:US
Hi and Welcome to Malwarebytes

Give me some time to review your logs and I'll get back to you. In the future please do not attach the logs. Post them directly in your post.

Thanks

#3
AdvancedSetup

Please upload the following files so that we can review them.
C:\WINDOWS\system32\sgjrcpqd.dll
C:\WINDOWS\system32\pexehh.dll
C:\WINDOWS\system32\krveasku.dll


Upload to: uploads.malwarebytes.org

Update TrendMicro™ HijackThis™
You need to download and install the latest version 2.0.2
  • Download HJTInstall.exe to your desktop.
  • Doubleclick HJTInstall.exe to install HijackThis.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • It will create a HijackThis icon on your desktop.
  • Once installed, it will launch HijackThis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad. Include this log in your next reply.
  • You can delete the version of HJT, located here: C:\Documents and Settings\Dad\Desktop\HiJackThis.EXE

#4
TennisGeek


AdvancedSetup, on Oct 15 2008, 03:30 PM, said:

Please upload the following files so that we can review them.
C:\WINDOWS\system32\sgjrcpqd.dll
C:\WINDOWS\system32\pexehh.dll
C:\WINDOWS\system32\krveasku.dll


Upload to: uploads.malwarebytes.org

I could only find the krveasku.dll file. I uploaded it. I also installed HJT 2.02. Here is the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:53:51 PM, on 10/15/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Documents and Settings\Dad\Desktop\HiJackThis.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 3986 bytes


Thanks!

#5
AdvancedSetup

Okay please give us some time to review that file and update MB if needed to remove it properly.

#6
AdvancedSetup

Okay I'm told that this file has been added to MBAM now.

Please start MBAM and go to the UPDATE tab and update the program {it is now at version 1.29}
Then run a Quick Scan and allow it to fix anything found and REBOOT the computer.

After the reboot please run HJT and do a Scan. Then post back both logs.

Thanks.

#7
TennisGeek

I'll run this as soon as I get home from work.

#8
TennisGeek

Here they are. I did the full scan with MBAM.

For the 15 minutes or so that the PC has been running and connected to the internet, there does not seem to be the increase in UDP ports that I'd seen previously (as determined by running netstat -na from the command line).

Malwarebytes' Anti-Malware 1.29
Database version: 1280
Windows 5.1.2600 Service Pack 3

10/17/2008 9:31:52 PM
mbam-log-2008-10-17 (21-31-52).txt

Scan type: Full Scan (C:\|)
Objects scanned: 142660
Time elapsed: 1 hour(s), 6 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\krveasku.dll (Trojan.Vundo) -> Quarantined and deleted successfully.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:43:37 PM, on 10/17/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Dad\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 4301 bytes

#9
AdvancedSetup

The logs look clean. Please run MBAM and update it and do another Quick Scan and a new HJT scan.

Hopefully both scans should come back clean. If MBAM does come back clean this time then please proceed and run another Online PANDA scan and make sure you disable any programs like resident AV that will stop Panda from running.

Then post back the logs and all of them should come back clean. Panda will find cookies, but that's okay; they're not dangerous.

#10
TennisGeek

I'll get this to you tomorrow. I did run the MBAM scan last night. It found Vundo in the file that I sent in (krveasku.dll) and deleted it. I'll run another MBAM scan, the HJT scan and the Panda scan and send the logs.

Gotta go.

#11
TennisGeek

I did an MBAM scan with the latest version (V1.29, database 1291). It found 2 instances of Trojan.Lop.h, which it removed. The PC still opens lots of UDP ports when it is connected to the internet, so I'm afraid to run the Panda scan and leave it attached for the couple of hours that it will take to scan.

I think that I'm figuring out what is going on. I use the DOS command netstat -aon to look at the ports that are open, and tasklist to match the PIDs from both applications. It appears that the multitude of newly opened ports are from PID 4, which translates to the SYSTEM task. I looked in the c:\windows\system32 folder for anything like windows.sys, and I found win32k.sys (1,804 KB). It is dated 15-Sept-08, which is about the time the problems started! I went to one of my other computers, and the same file is dated 14-Apr-08, and is 1,803KB. I have Windows XP SP3 on both systems.

Do you have a way of checking the suspect file if I upload it? Also, I tried to simply transfer the file from the computer that is working fine to the problem PC, but the infected computer tells me that the file is in use and won't let me change it. Do you know how I can copy the known good file to the infected PC?

Attached are the HJT and MBAM logs.

Thanks for your help!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:14:27 PM, on 10/19/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Dad\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exX" -atboottime
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exx" MSRun
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\stumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 3514 bytes



Malwarebytes' Anti-Malware 1.29
Database version: 1291
Windows 5.1.2600 Service Pack 3

10/19/2008 8:06:29 PM
mbam-log-2008-10-19 (20-06-29).txt

Scan type: Quick Scan
Objects scanned: 56378
Time elapsed: 7 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ituneshelper (Trojan.Lop.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sunjavaupdatesched (Trojan.Lop.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#12
AdvancedSetup

You need to be careful about trying to copy over files like that. There are a lot of reasons why file sizes can be different, and that does not mean they're infected.

Please run the following scan and ATTACH the file please. Do not post it directly to the forum. This will help us to determine what files are legitimate on your system or not.

Click on START - RUN and type in SIGVERIF and click OK
This is a Microsoft File Signature Verification program that will check some file status for us.
  • Click on the START button and let it run.
  • It will popup a box when it's done to show the status, you can close that box.
  • Close the File Signature Verification application.
  • Find and attach the file C:\WINDOWS\SIGVERIF.TXT to your reply.
  • DO NOT post the log directly into your reply, attach the file please.

#13
TennisGeek

Please see the attached sigverif.txt file. It says the win32k.sys file is signed. Note that when I click on the properties of this file, the file version is:

5.1.2600.5676 (xpsp_sp3_gdr.080915-1443)

This file has a creation date of 9/15/2008. The version on my other computer from 4/14/2008 has the version

5.1.2600.5512 (xpsp.080413-2105)

(For what it's worth)

Also, below is a copy of running netstat -aon. PID=4 is the system task.

Thanks again for your help.


Microsoft Windows XP [Version 5.1.2600]
© Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Dad>netstat -aon

Active Connections

Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 1300
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 127.0.0.1:1031 0.0.0.0:0 LISTENING 2376
TCP 127.0.0.1:1117 127.0.0.1:1118 ESTABLISHED 3012
TCP 127.0.0.1:1118 127.0.0.1:1117 ESTABLISHED 3012
TCP 127.0.0.1:1146 127.0.0.1:1147 ESTABLISHED 3012
TCP 127.0.0.1:1147 127.0.0.1:1146 ESTABLISHED 3012
TCP 127.0.0.1:10025 0.0.0.0:0 LISTENING 2240
TCP 127.0.0.1:10110 0.0.0.0:0 LISTENING 2240
TCP 192.168.0.108:139 0.0.0.0:0 LISTENING 4
TCP [::]:135 [::]:0 LISTENING 1300
UDP 0.0.0.0:445 *:* 4
UDP 0.0.0.0:500 *:* 1008
UDP 0.0.0.0:1045 *:* 4
UDP 0.0.0.0:1056 *:* 4
UDP 0.0.0.0:1067 *:* 4
UDP 0.0.0.0:1068 *:* 4
UDP 0.0.0.0:1081 *:* 4
UDP 0.0.0.0:1082 *:* 4
UDP 0.0.0.0:1083 *:* 4
UDP 0.0.0.0:1329 *:* 4
UDP 0.0.0.0:1331 *:* 4
UDP 0.0.0.0:1894 *:* 4
UDP 0.0.0.0:1895 *:* 4
UDP 0.0.0.0:1901 *:* 4
UDP 0.0.0.0:1907 *:* 4
UDP 0.0.0.0:1908 *:* 4
UDP 0.0.0.0:1913 *:* 4
UDP 0.0.0.0:1914 *:* 4
UDP 0.0.0.0:1919 *:* 4
UDP 0.0.0.0:1920 *:* 4
UDP 0.0.0.0:1921 *:* 4
UDP 0.0.0.0:1922 *:* 4
UDP 0.0.0.0:1954 *:* 4
UDP 0.0.0.0:1955 *:* 4
UDP 0.0.0.0:1958 *:* 4
UDP 0.0.0.0:1959 *:* 4
UDP 0.0.0.0:3503 *:* 4
UDP 0.0.0.0:3504 *:* 4
UDP 0.0.0.0:3505 *:* 4
UDP 0.0.0.0:3506 *:* 4
UDP 0.0.0.0:3540 *:* 4
UDP 0.0.0.0:3573 *:* 4
UDP 0.0.0.0:3574 *:* 4
UDP 0.0.0.0:3575 *:* 4
UDP 0.0.0.0:3776 *:* 656
UDP 0.0.0.0:4161 *:* 4
UDP 0.0.0.0:4171 *:* 4
UDP 0.0.0.0:4176 *:* 4
UDP 0.0.0.0:4184 *:* 4
UDP 0.0.0.0:4189 *:* 4
UDP 0.0.0.0:4191 *:* 4
UDP 0.0.0.0:4193 *:* 4
UDP 0.0.0.0:4206 *:* 4
UDP 0.0.0.0:4223 *:* 4
UDP 0.0.0.0:4226 *:* 4
UDP 0.0.0.0:4448 *:* 4
UDP 0.0.0.0:4461 *:* 4
UDP 0.0.0.0:4463 *:* 4
UDP 0.0.0.0:4471 *:* 4
UDP 0.0.0.0:4484 *:* 4
UDP 0.0.0.0:4500 *:* 1008
UDP 0.0.0.0:4504 *:* 4
UDP 0.0.0.0:4542 *:* 4
UDP 0.0.0.0:4550 *:* 4
UDP 0.0.0.0:4552 *:* 4
UDP 0.0.0.0:4567 *:* 4
UDP 0.0.0.0:4572 *:* 4
UDP 0.0.0.0:4664 *:* 4
UDP 0.0.0.0:4674 *:* 4
UDP 127.0.0.1:123 *:* 1380
UDP 127.0.0.1:1900 *:* 1884
UDP 192.168.0.108:123 *:* 1380
UDP 192.168.0.108:137 *:* 4
UDP 192.168.0.108:138 *:* 4
UDP 192.168.0.108:1900 *:* 1884

C:\Documents and Settings\Dad>
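The check TennisGeek does by hand in posts #11 and #13 (run netstat -aon, then match the PIDs against tasklist) expressed in Python, as an added example that is not from the thread or from Malwarebytes. The netstat sample is constructed to mirror the shape of the posted dump; the baseline port set for PID 4 and the "noisy" threshold are assumptions chosen for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the column layout `netstat -aon` prints on Windows XP:
# Proto, Local Address, Foreign Address, State (TCP only), PID.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1300
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1117         127.0.0.1:1118         ESTABLISHED     3012
  TCP    192.168.0.108:139      0.0.0.0:0              LISTENING       4
  TCP    [::]:135               [::]:0                 LISTENING       1300
  UDP    0.0.0.0:445            *:*                                    4
  UDP    0.0.0.0:500            *:*                                    1008
  UDP    0.0.0.0:1045           *:*                                    4
  UDP    0.0.0.0:1056           *:*                                    4
  UDP    0.0.0.0:1067           *:*                                    4
  UDP    0.0.0.0:1068           *:*                                    4
  UDP    0.0.0.0:1081           *:*                                    4
  UDP    0.0.0.0:4500           *:*                                    1008
  UDP    127.0.0.1:123          *:*                                    1380
  UDP    192.168.0.108:137      *:*                                    4
  UDP    192.168.0.108:138      *:*                                    4
"""

# Assumed baseline: ports PID 4 (System) normally owns on XP for SMB/NetBIOS.
SYSTEM_BASELINE_PORTS = {137, 138, 139, 445}

# One netstat row; the State column is absent for UDP, hence the optional group.
_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Return (proto, local_ip, local_port, state, pid) tuples, one per socket."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue  # banner, column header, blank line or shell prompt
        proto, local, _foreign, state, pid = m.groups()
        # rpartition keeps bracketed IPv6 addresses such as [::]:135 intact.
        ip, _, port = local.rpartition(":")
        rows.append((proto, ip, int(port), state or "", int(pid)))
    return rows


def sockets_per_pid(rows):
    """Map each PID to a Counter of sockets by protocol (the tasklist join step)."""
    counts = defaultdict(Counter)
    for proto, _ip, _port, _state, pid in rows:
        counts[pid][proto] += 1
    return counts


def unexpected_system_udp_ports(rows):
    """UDP ports bound under PID 4 that fall outside the SMB/NetBIOS baseline.

    PID 4 is the System process, so sockets attributed to it were opened by a
    kernel-mode component rather than a user-mode program; tasklist cannot
    name that component, which is why the manual check in the thread stalls.
    """
    return sorted(port for proto, _ip, port, _state, pid in rows
                  if pid == 4 and proto == "UDP" and port not in SYSTEM_BASELINE_PORTS)


def flag_noisy_pids(rows, threshold=5):
    """PIDs holding at least `threshold` UDP sockets (threshold is an assumption)."""
    counts = sockets_per_pid(rows)
    return sorted(pid for pid, c in counts.items() if c["UDP"] >= threshold)


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    for pid, c in sorted(sockets_per_pid(rows).items()):
        print(f"PID {pid:>5}: TCP={c['TCP']:<3} UDP={c['UDP']:<3}")
    print("Noisy PIDs:", flag_noisy_pids(rows))
    print("PID 4 UDP ports outside baseline:", unexpected_system_udp_ports(rows))
```

On a live machine, feed the captured output of `netstat -aon` to `parse_netstat` instead of the constructed sample; a growing list from `unexpected_system_udp_ports` over repeated captures is the pattern the poster was watching for.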

#14
AdvancedSetup

I do not see an attached file. Please edit your post or make a new post and try to upload the file again.

#15
AdvancedSetup

Still don't see an attached file. Please try again to upload the file.

Thanks.

#16
TennisGeek

Sorry, I didn't check that it was attached. It was too large, so I had to zip it.

#17
TennisGeek

Was anyone able to check the signatures file?

Thanks

#18
AdvancedSetup

Yes I'm reviewing it. The file win32k.sys is signed and valid. Do not see anything else in that log myself so I'll check with someone else and see if they find anything amiss with it and get back to you soon.


win32k.sys 9/15/2008 2:5.1 Signed KB954211.cat Microsoft Windows Component Publisher

#19
AdvancedSetup

Please make sure all your data, documents, images, videos, etc are backed up.
At this point if you are infected then it's something deeper and it may already have control of your system.
DO NOT do any Financial, Banking, etc type work from this computer at least for now until we can track down the cause. It's possible that we may remove some type of infection as we move forward that could also prevent the computer from booting into Windows, that's why the caution of backing up your data.

MBAM 1.30 was released today.
Please start MBAM and go to the UPDATE tab and update the program and do another Quick Scan, fix anything found and Reboot the computer.

Run a new HJT scan and save the log.

Then run these routines

Important!
All of the following instructions must be run on the affected computer. Logs from a different computer will not help me help you. So, if you need to download all of this and then copy it to CD or memory stick and take it to the other computer, please do so. Either way, it's important. The logs have to be made by the computer with the problem.

I need you to follow the instructions provided here Pre- HJT Post Instructions first.

I also need for you to download this program OTListIt.exe to your desktop.
  • Close all applications and windows so that you have nothing open and are at your Desktop
  • Double-click on the OTListIt.exe file to start OTListIt. OK any warning about running OTListIt.
  • Place a checkmark in the Scan All Users checkbox (Leave the 'Use Whitelist' checked' and the 'File Age:' at 30 days)
  • Click the Run Scan button
  • NOTE: Please be patient and let the scan run without using the computer
  • When the scan is complete, a text file (OTListIt.Txt) will open in Notepad (if not, it can be found on your Desktop)
  • In Notepad, click Edit, Select all then Edit, Copy
  • Reply to this topic, click in the topic reply window, and press Ctrl+V to paste the log or Right click paste.
  • Submit your reply and close the Notepad window with OTList.txt
  • Also OTListIt's Extras.txt log file will be minimized in the Taskbar (and located on your Desktop) - click on this and maximize the window
  • In Notepad, click Edit, Select all then Edit, Copy
  • Reply to this topic again, click in the topic reply window, and press Ctrl+V to paste the extras log or Right click paste.
  • NOTE: If the files (OTListIt.txt, Extras.txt) do not appear in your taskbar, just open the files in notepad from your desktop.

Please allow me time to analyze your post. If you don't see a reply from me after 24 hours, feel free to PM me.

Then when that one is finished please run this one.

Please download the following scanning tool. GMER
  • Open the zip file and copy the file gmer.exe to your Desktop.
  • Double click on gmer.exe and run it.
  • It may take a minute to load and become available.
  • Do not make any changes. Click on the SCAN button and DO NOT use the computer while it's scanning.
  • Once the scan is done click on the SAVE button and browse to your Desktop and save the file as GMER.LOG
  • Zip up the GMER.LOG file and save it as gmerlog.zip and attach it to your reply post.
  • DO NOT directly post this log into a reply. You MUST attach it as a .ZIP file.
  • Click OK and quit the GMER program.

How To Use Compressed (Zipped) Folders in Windows XP
Compress and uncompress files (zip files) in Vista

When you're done with these please post back the logs from all of them, in the order they were run.

Thanks.

#20
TennisGeek

Thanks. I'll have to start this tomorrow night. Also, the win32k.sys file date was a red herring. I updated my third pc tonight, and it loaded that file version. Sorry.