Thread: Serious Malware issue
View Single Post
Old 07-02-2009, 08:52 AM   #1 (permalink)
richiejain
Registered User
 
Join Date: Jul 2009
Posts: 8
OS: Windows Xp Home


Serious Malware issue
Hey guys , I got stuck up with a big time trojan which could not be detected by Mcafee & spyware doctor..

It was too late by the time, I wanted to resolve the issue, the os was not responding with lots of memory being eaten up and unwanted popups of explorer crashing.

The start bar & the desktop was never seen, even after trying to close explorer.exe and starting a new process using ctrl alt del

Called Acer helpline and they told me i could reformat and resintall windows by using one of their system restore feature called as Acer empowering technology and they promised me the virus would be gone.

But i informed them that as I have only one Single drive whih is not partitioned, wouldnt the virus or trojan affect the restore file to which they replied negatively.

Anyways after the format and reinstall of winxp home edition, everything looked fine until i noticed none of the antivirus sites were opening up on Chrome as well as Internet explorer.

Run Malwarebites and found a trojan which was deleted Trojan.BHO

This is the log of the scan
_____________

Malwarebytes' Anti-Malware 1.38
Database version: 2297
Windows 5.1.2600 Service Pack 3

7/2/2009 4:05:14 PM
mbam-log-2009-07-02 (16-05-14).txt

Scan type: Quick Scan
Objects scanned: 83050
Time elapsed: 7 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Documents and Settings\All Users\Application Data\Partner\partner.dll (Trojan.BHO) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\TypeLib\{86676e13-d6d8-4652-9fcf-f2047f1fb000} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{83ff80f4-8c74-4b80-b5ba-c8ddd434e5c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{83ff80f4-8c74-4b80-b5ba-c8ddd434e5c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83ff80f4-8c74-4b80-b5ba-c8ddd434e5c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\kt_bho.KettleBho (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\All Users\Application Data\Partner\partner.dll (Trojan.BHO) -> Delete on reboot.
__________________________

Here i am pasting the DDS log

_____________________________


DDS (Ver_09-06-26.01) - NTFSx86
Run by Yatish at 18:31:03.40 on Thu 07/02/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1012.486 [GMT 5.5:30]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Documents and Settings\Yatish\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Yatish\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Yatish\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Documents and Settings\Yatish\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Yatish\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Yatish\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
mDefault_Page_URL = hxxp://global.acer.com
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0709&m=aoa150
BHO: {089fd14d-132b-48fc-8861-0048ae113215} - c:\program files\siteadvisor\6172\SiteAdv.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {377c180e-6f0e-4d4c-980f-f45bd3d40cf4} - c:\progra~1\mcafee\msk\mcapbho.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
TB: McAfee SiteAdvisor: {0bf43445-2f28-4351-9252-17fe6e806aa0} - c:\program files\siteadvisor\6172\SiteAdv.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\yatish\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [LaunchApp] Alaunch
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AzMixerSel] c:\program files\realtek\audio\installshield\AzMixerSel.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [SiteAdvisor] c:\program files\siteadvisor\6172\SiteAdv.exe
mRun: [M3000Mnt] Rundll32.exe M3000Rmv.dll ,WinMainRmv /StartStillMnt
mRun: [LManager] c:\progra~1\launch~1\QtZgAcer.EXE
mRun: [eRecoveryService] c:\acer\empowering technology\erecovery\eRAgent.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\interv~1.lnk - c:\program files\intervideo\common\bin\WinCinemaMgr.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
TCP: {AA2F2604-DCA6-420C-BC90-659D50DBED79} = 125.22.47.125,202.56.250.5
Handler: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - c:\program files\siteadvisor\6172\SiteAdv.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2007-7-21 201288]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-6-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-6-23 72944]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-8-16 359248]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2007-7-25 144704]
R3 M3000Srv;Acer Crystal Eye webcam Driver;c:\windows\system32\drivers\M3000KNT.sys [2008-5-5 254976]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-7-25 695624]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2007-7-24 79304]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2007-7-21 35240]
R3 mfesmfk;McAfee Inc.;c:\windows\system32\drivers\mfesmfk.sys [2007-7-21 40488]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-6-23 7408]
S2 llfhwuy;Support Time;c:\windows\system32\svchost.exe -k netsvcs [2008-4-15 14336]
S3 mferkdk;McAfee Inc.;c:\windows\system32\drivers\mferkdk.sys [2007-7-25 33800]
S3 Partner Service;Partner Service;c:\documents and settings\all users\application data\partner\partner.exe [2009-7-3 110576]

=============== Created Last 30 ================

2009-07-02 18:03 <DIR> --d----- c:\program files\Trend Micro
2009-07-02 16:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-07-02 16:03 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-07-02 16:03 <DIR> --d----- c:\docume~1\yatish\applic~1\SUPERAntiSpyware.com
2009-07-02 16:02 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-07-02 15:57 <DIR> --d----- c:\docume~1\yatish\applic~1\Malwarebytes
2009-07-02 15:56 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-02 15:56 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-02 15:56 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-02 15:56 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-02 14:44 <DIR> --d----- c:\program files\i.c.s SMS
2009-07-02 14:40 164,352 a------- c:\windows\system32\unrar.dll
2009-07-02 14:40 <DIR> --d----- c:\program files\K-Lite Codec Pack
2009-07-02 13:57 <DIR> --d----- c:\program files\uTorrent
2009-07-02 13:57 <DIR> --d----- c:\docume~1\yatish\applic~1\uTorrent

==================== Find3M ====================

2008-04-15 08:30 90,520 a--shr-- c:\windows\system32\jktbyy.dll
2008-08-15 23:21 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2009-07-03 01:49 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009070220090703\index.dat
2009-07-03 01:51 16,384 a--sh--- c:\windows\temp\cookies\index.dat
2009-07-03 01:51 16,384 a--sh--- c:\windows\temp\history\history.ie5\index.dat
2009-07-03 01:51 16,384 a--sh--- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 18:31:48.26 ===============
Attached Files
File Type: zip Attach.zip (3.4 KB, 3 views)
richiejain is offline  
Important Information
Join the #1 Tech Support Forum Today - It's Totally Free!

TechSupportForum.com is a leading support website for your computer needs. We offer free, friendly and personalized computer support. Why pay to have your computer fixed when you can do it for free.

Join TechSupportforum.com Today - Click Here