Bad case of infection, disables most programs

[kielee6166]

A friend of mine had a computer infected about three days ago, and I've been taking a look at it for a couple hours now. It seems pretty severe. Safe mode has been disabled, most programs (MBAM, IE, and pretty much everything else I've tried) do not work, there are multiple incidences of "conime.exe" running and keeping the CPU running at nearly 100%, and there are IE popups and "Bad Image" popups galore. I've been able to get online by using favorites links on windows explorer. However, DDS will not run - it gives that security warning, and when i click "run" it shows up in Task Manager but nothing actually happens. I will attempt GMER shortly after, but I wanted to get this out first since I'm not sure how much longer internet will work on this machine. Thanks in advance.

[kielee6166]

DDS worked after the machine rebooted itself. Here are the logs. However, GMER still refuses to run.

DDS (Ver_09-06-26.01) - NTFSx86
Run by haeme at 16:55:13.98 on 06/28/2009 Sun
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.5.0_12

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = 127.0.0.1
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\drivers\smss.exe
mWinlogon: Taskman=c:\recycler\s-1-5-21-5411729721-4430063652-004700815-6458\wnzip32.exe
uWindows: load=c:\windows\system32\msijmvp.exe
uWindows: run=c:\windows\system32\msxbniqa.exe
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: c:\windows\system32\gsf83iujid.dll: {b2c7b2a1-00f3-42bd-f434-00aaba2c8952} - c:\windows\system32\gsf83iujid.dll
TB: V3: {9e3849d6-41ef-4b2f-86b7-632ef90758e4} - c:\program files\ahnlab\v3\V3Bar.dll
EB: {8F4902B6-6C04-4ade-8052-AA58578A21BD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [AdobeBridge]
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [Twain] c:\documents and settings\haeme\application data\twain\Twain.exe
uRun: [gadcom] "c:\documents and settings\haeme\application data\gadcom\gadcom.exe" 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A
uRun: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [12CFG515-K641-55SF-N66P] c:\recycler\s-1-5-21-0243636035-3055115376-381863306-1556\pqlmq.exe
uRun: [reader_s] c:\documents and settings\haeme\reader_s.exe
uRun: [Windows Network Data Management System Service] "c:\docume~1\haeme\locals~1\temp\298.exe" *
uRun: [A00F52B2E.exe] c:\docume~1\haeme\locals~1\temp\_A00F52B2E.exe
uRun: [<NO NAME>] c:\docume~1\haeme\locals~1\temp\z7kmgg09jc.exe
uRun: [hsf7husjnfg98gi498aejhiugjkdg4] c:\docume~1\haeme\locals~1\temp\z7kmgg09jc.exe
uRun: [kell] c:\program files\manson\liser.exe
uRun: [Windows System Recover!] c:\docume~1\haeme\locals~1\temp\winlogon.exe
uRun: [InetChk] c:\docume~1\haeme\locals~1\temp\ms1246234638.exe work
uRun: [A00F46F7F.exe] c:\docume~1\haeme\locals~1\temp\_A00F46F7F.exe
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Share-to-Web Namespace Daemon] c:\program files\hewlett-packard\hp share-to-web\hpgs2wnd.exe
mRun: [CamMonitor] c:\program files\hewlett-packard\digital imaging\unload\hpqcmon.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
mRun: [PS2] c:\windows\system32\ps2.exe
mRun: [WinampAgent] "c:\program files\winamp\Winampa.exe"
mRun: [AdaptecDirectCD] c:\program files\adaptec\easy cd creator 5\directcd\DirectCD.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [NaverPCGreen] "c:\program files\naver\naverpcgreen\NPCGreenUpgrader.exe" /reboot
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.5.0_12\bin\jusched.exe"
mRun: [sysldtray] c:\windows\ld09.exe
mRun: [18488594] c:\documents and settings\all users\application data\18488594\18488594.exe
mRun: [98498586] c:\documents and settings\all users\application data\98498586\98498586.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [reader_s] c:\windows\system32\reader_s.exe
mRun: [Windows Network Data Management System Service] "c:\docume~1\haeme\locals~1\temp\298.exe" *
mExplorerRun: [exec] c:\windows\system32\msoywmjq.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_12\bin\ssv.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {15C4019C-C917-4905-999A-99B4EC71B7CF} - hxxp://listen.daum.net/52st/DaumMPlayer/DaumMPlayer.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {1CE47888-DD62-482C-9723-4814BB04D45D} - hxxp://pumpeng.musicshake.com/NewDownload/engmusicshake.cab
DPF: {3F68E1C3-39EC-4990-85E3-ABFE61AB86C5} - hxxp://dl.bugsm.co.kr/install/BugsInstaller.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_12-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {AB4ADC0F-2B4B-4B08-8B5C-CA4D6188A180} - hxxp://config.hyosungcdn.com/download/p3xset.cab
DPF: {BCEF5CDE-BAD4-4532-A30B-9D16D502DE69} - hxxp://install.bugs.co.kr/install/BugsInstallerEx.cab
DPF: {BD6BB450-7C69-43B8-96F3-689CAE57AB51} - hxxp://netv.sbs.co.kr/object/player/SBSWebPlayer.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E1CE4482-98E9-48F8-8D0D-EF03BC9E26F3} - hxxp://audition.bugs.co.kr/Game/BugsGameStart.cab
Filter: text/html - {8e4eb415-c5cb-43a4-9a48-a05ee546f231} -
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxsrvc.dll
Notify: __c0099E56 - c:\windows\system32\__c0099E56.dat
AppInit_DLLs: czuzyt.dll ywxbuw.dll vfrsij.dll ysxwqx.dll wjqhpk.dll iztsed.dll,c:\progra~1\manson\liser.dll
SSODL: VKdOqSCxj - {F4C867A1-5E62-CD0B-FE8A-4412C3FA36A2} - c:\windows\system32\sqvhbez.dll
STS: c:\windows\system32\gsf83iujid.dll: {b2c7b2a1-00f3-42bd-f434-00aaba2c8952} - c:\windows\system32\gsf83iujid.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-06-28 16:55 28,160 a------- c:\windows\system32\__c008F74.dat
2009-06-28 16:54 282,624 ----h--- c:\windows\system32\msxbniqa.exe
2009-06-28 16:54 282,624 ----h--- c:\windows\system32\msoywmjq.exe
2009-06-28 16:54 282,624 ----h--- c:\windows\system32\msijmvp.exe
2009-06-28 16:54 282,624 ----h--- c:\windows\system32\msbrky.exe
2009-06-28 16:51 282,624 ----h--- c:\windows\system32\mszjm.exe
2009-06-28 16:51 282,624 ----h--- c:\windows\system32\mswftyrk.exe
2009-06-28 16:51 282,624 ----h--- c:\windows\system32\mstubbmc.exe
2009-06-28 16:51 282,624 ----h--- c:\windows\system32\msutephn.exe
2009-06-28 16:51 282,624 ----h--- c:\windows\system32\msqsgqf.exe
2009-06-28 16:51 282,624 ----h--- c:\windows\system32\msjsi.exe
2009-06-28 16:51 282,624 ----h--- c:\windows\system32\msceq.exe
2009-06-28 16:17 <DIR> --d-h--- c:\windows\system32\3361
2009-06-28 16:16 10 a------- c:\windows\system32\kr_done1
2009-06-28 16:14 28,160 a------- c:\windows\system32\__c00EE894.dat
2009-06-28 16:13 52,225 a------- c:\documents and settings\haeme\reader_s.exe
2009-06-28 15:53 <DIR> --d----- c:\windows\DLL
2009-06-28 15:52 124,928 a------- c:\windows\system32\sopidkc.exe
2009-06-28 15:52 65,536 a------- c:\windows\system32\wiawow32.sys
2009-06-28 15:52 8 a------- c:\windows\system32\comsa32.sys
2009-06-28 15:52 155,648 -------- c:\windows\system32\tpsaxyd.exe
2009-06-28 15:52 46 a------- C:\p2hhr.bat
2009-06-28 15:51 96,768 a------- C:\stfqqym.exe
2009-06-28 15:51 28,160 a------- c:\windows\system32\__c0051217.dat
2009-06-28 15:51 216,042 a------- C:\illhtee.exe
2009-06-28 15:51 24,576 a------- C:\scfsiab.exe
2009-06-28 15:51 39,424 a------- C:\mkvknro.exe
2009-06-28 15:51 7,680 a------- C:\ohhvpdqo.exe
2009-06-28 15:50 86,528 -------- c:\windows\system32\bndmss.exe
2009-06-27 11:56 182,912 ac------ c:\windows\system32\dllcache\ndis.sys
2009-06-27 11:55 94,412 a------- c:\windows\system32\drivers\db034d82.sys
2009-06-27 11:55 96,768 a------- C:\rnntnd.exe
2009-06-27 11:55 28,160 a------- c:\windows\system32\__c00B379.dat
2009-06-27 11:55 211,813 a------- C:\ffxvx.exe
2009-06-27 11:55 39,424 a------- C:\cqblhs.exe
2009-06-27 11:55 52,225 a------- c:\windows\system32\reader_s.exe
2009-06-26 09:01 14,976 a------- c:\windows\system32\iehelper.dll
2009-06-24 14:13 2 ----h--- c:\windows\zaponce52689.dat
2009-06-24 14:12 15,872 ----h--- c:\windows\ld09.exe
2009-06-24 14:12 <DIR> --d----- c:\docume~1\alluse~1\applic~1\98498586
2009-06-24 14:12 <DIR> --d----- c:\docume~1\alluse~1\applic~1\18488594
2009-06-24 14:12 <DIR> --dshr-- c:\program files\Manson
2009-06-24 14:12 168 a------- C:\xcrashdump.dat
2009-06-24 14:11 110,796 a------- c:\windows\system32\drivers\dcfb081a.sys
2009-06-24 14:11 <DIR> --d----- c:\program files\sys
2009-06-24 14:11 96,768 a------- C:\giyghshu.exe
2009-06-24 14:11 211,031 a------- C:\mupwjiav.exe
2009-06-24 14:11 28,160 a------- c:\windows\system32\__c0099E56.dat
2009-06-24 14:10 2 a------- c:\windows\010112010146118114.dat
2009-06-24 14:10 2 a------- C:\-188192864
2009-06-24 14:10 39,424 a------- c:\windows\system32\drivers\smss.exe
2009-06-24 14:10 15,000 a------- c:\windows\system32\gsf83iujid.dll
2009-06-24 14:10 39,424 a------- C:\lrrrcoe.exe
2009-06-24 14:10 304,640 a------- c:\windows\sysguard.exe
2009-06-24 14:10 28,160 ----h--- c:\windows\ld10.exe

==================== Find3M ====================

2009-06-27 11:56 182,912 a------- c:\windows\system32\drivers\ndis.sys
2009-02-25 21:34 74,648 a------- c:\docume~1\haeme\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 17:00:44.26 ===============

[kielee6166]

72-hour bump. Hope this doesn't get counted as two bumps...

Also, a note. I will be away camping for a couple days, and as such will not be able to follow whatever directions may be given until I come back on the 4th. But I will follow through on them as soon as I can (also, the computer's owner is watching this thread and may be able to complete the steps on his own), so please don't hesitate to reply

[Ried]

Hello kielee6166, or the owner of this terribly infected system :)

I'd like to try to get that gmer scan. Open Notepad and copy/paste the contents in the code box below, into Notepad.

Quote:

@copy /y gmer.exe gamer.exe
@Start gamer.exe -protect

Save this as owned.bat Choose to "Save type as - All Files"

It should look like this:

Place the batch next to gmer & double click to launch it.


Remember to configure and carry out the scan as follows:

• Extract the contents of the zipped file to desktop.
• Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent .
• If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  
  
  
  Click the image to enlarge it
  
  
  
• In the right panel, you will see several boxes that have been checked. Uncheck the following ...
  • Sections
  • IAT/EAT
  • Drives/Partition other than Systemdrive (typically C:\)
  • Show All (don't miss this one)
• Then click the Scan button & wait for it to finish.
• Once done click on the [Save..] button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  
• Save it where you can easily find it, such as your desktop

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries


Please attach the ark.txt in your next reply

[kielee6166]

Hello Ried, hope you're having a great holiday weekend. Still the original poster here (I normally use my own account, "Baejung92", when posting on this and other TSF forums--you've even helped me out a few times with my own computer ). Just letting you know that the machine's owner left for his own weekend vacation shortly after I did, but I should be ready to follow those instructions and post the log around tomorrow.

[Ried]

Hi Baejung92, I remember you.

That'll be fine. I am subscribed so will be notified when you do reply.

[kielee6166]

Hi Ried, running into some more problems. The machine seems to have deteriorated further--I was unable to even launch Notepad, let alone paste the code into it. Attempts to open existing plain text files were unsuccessful.

Some new symptoms: phishing popups that I haven't seen before (warning of a suspended World of Warcraft account, which to my knowledge isn't even installed on the machine), a disabled Task Manager on one user account but working on the other, Internet now not working at all (before, the IE desktop icon was disabled, but I could start it through Favorites on Windows Explorer), and the aforementioned inability to open even basic applications like Notepad.

There is a copy of the Microsoft Malicious Software Removal Tool on the computer that I downloaded initially before (when I was attempting to fix it myself), but I haven't run it yet, nor do I know if it would be safe or effective to do so. I will await further instructions. Thanks.

[Ried]

Will the system boot into Safe Mode? See if you have more control there.

[kielee6166]

Nope, Safe Mode with or without Networking simply fails to boot (gives me the "Windows did not start succesfully" message). I haven't tried with Command Prompt but I assume it will result in the same thing. And Last Known Configuration results in no discernible change.

[Ried]

Okay, let's try it this way. Delete your existing gmer.exe and download it again from here.

Try again to run the scan as outlined in our pre-posting topic:

• In the right panel, you will see several boxes that have been checked. Uncheck the following ...
  • Sections
  • IAT/EAT
  • Drives/Partition other than Systemdrive (typically C:\)
  • Show All (don't miss this one)
• Then click the Scan button & wait for it to finish.
• Once done click on the [Save..] button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  
• Save it where you can easily find it, such as your desktop

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries


Please attach the ark.txt in your next reply

[kielee6166]

The thing is, Internet doesn't work on the infected machine. Would it work to download it on a different computer and move it via USB drive or something?

[Ried]

Yes, absolutely

[kielee6166]

Okay, I will attempt that tomorrow.

[Ried]

Okay, talk to you then.

[kielee6166]

Actually, another question. I am assuming that ComboFix will probably be involved in the disinfection process (if not, go ahead and disregard the question). Since this will also probably require a USB drive to run on the Internet-disabled machine, may I just put ComboFix on it right now as well? Or will this cause problems? I am just reluctant to plug in a drive that may be infected by the other computer back into my own.

[Ried]

Yes, ComboFix will be involved, but not until I see if we have any rootkits involved. Before you plug your usb into this infected computer, download Flash_Disinfector.exe to the desktop of your computer.

Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.

• The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
• Wait until it has finished scanning and then exit the program.
• Reboot your computer when done.

This will help protect you. One of the things it does is disable autorun so if there is an infection, it will not automatically load when you insert your usb stick into your computer.

[kielee6166]

Um, I'm not sure what's happening here... but when I try to download that in Firefox, it says "Firefox can't find the file at http://download.bleepingcomputer.com/sUBs/Flash_Disinfector.exe." and under Internet Explorer, it will download but then say that access is denied and to check if the disk is write-protected or full.

[Ried]

It's working for me. What OS is the computer you're running it on?

[kielee6166]

It's XP. But I think I have an idea why.
Earlier, I copied all the contents of that flash drive (it's an older one) to my desktop, just to back it all up. But what I had forgotten was that at some point, that drive had developed a kink where there would be plenty of room left on it, but I would be unable to put any more data on it. I would have to delete something to make room, but it was never precise how much stuff would have to be deleted. Now I'm wondering if there was some file on that drive causing it, and I unwittingly copied that onto my desktop... I've removed that entire backup folder now, but the problem is still there.

[Ried]

Hmmm. Right click Flash_Disinfector.exe and select Properties. Try clicking 'Unblock'