trojan generic13.atph


Post by jonk on Sat Jun 20, 2009 5:06 pm

I had a system security virus. Wouldn't let me start any applications. I was, at least I believe I was, able to remove the virus by deleting some registry entries and files when I booted in safe mode. However, I then ran AVG in safe mode and it says it still finds generic13.atph. It says that it places it in the vault and will remove it on start up, but it doesn't. I am still having some problems with browsers being hijacked and some weird random audio streaming. Any help would be greatly appreciated, as the only remaining step I can think of would be to reinstall XP.
Thanks.
jon


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:58:48 PM, on 6/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\Rescue and Recovery\UpdateMonitor.exe
C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMLCHK.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\Lenovo\Drag-to-Disc\DrgToDsc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcFnF5.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcFnF5.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\jon & lisa\Desktop\hijackgpthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 82.98.231.89 url.adtrgt.com
O1 - Hosts: 82.98.231.89 googleads2.gdoubleclick.net
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Password Manager Browser Helper Object - {BF468356-BB7E-42D7-9F15-4F3B9BCFCED2} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [LPMailChecker] C:\PROGRA~1\THINKV~1\PrdCtr\LPMLCHK.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] C:\Program Files\Lenovo\Drag-to-Disc\DrgToDsc.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: Append to existing PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: (no name) - {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: Lenovo Password Manager... - {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - [You must be registered and logged in to see this link.]
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: c:\progra~1\Manson\liser.dll
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Power Manager DBC Service - Unknown owner - C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel(R) Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless WiFi Service (S24EventMonitor) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
O23 - Service: TSS Core Service (TSSCoreService) - Lenovo - C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: TVT Windows Update Monitor (TVT_UpdateMonitor) - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\UpdateMonitor.exe

--
End of file - 10660 bytes

jonk
Novice
Posts : 34
Joined : 2009-06-18
OS : xp

Re: trojan generic13.atph

Post by Belahzur on Sat Jun 20, 2009 6:05 pm

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O1 - Hosts: 82.98.231.89 url.adtrgt.com
    O1 - Hosts: 82.98.231.89 googleads2.gdoubleclick.net
    O20 - AppInit_DLLs: c:\progra~1\Manson\liser.dll
    O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)


  • Press "Fix Checked"
  • Close Hijack This.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
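A small triage script, added here as an example and not part of the thread, that applies the same reasoning Belahzur used above to HijackThis-format lines: hosts entries that point a name at a non-loopback address, any populated AppInit_DLLs value, and entries that reference a missing file or run from a Temp directory. The sample lines are copied from the log above plus one constructed, benign loopback hosts entry for contrast; the class and function names are my own.

```python
"""Flag the HijackThis entries an analyst would want to look at first."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: entries copied from the HijackThis log in this thread,
# plus one benign loopback hosts line added for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 82.98.231.89 url.adtrgt.com
O1 - Hosts: 82.98.231.89 googleads2.gdoubleclick.net
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O20 - AppInit_DLLs: c:\progra~1\Manson\liser.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)
O23 - Service: TVT Scheduler - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[ORF]\d+)\s+-\s+(?P<body>.*)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<name>\S+)")
TEMP_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for one HijackThis line, or None if nothing stands out."""
    line = line.strip()
    m = ENTRY_RE.match(line)
    if not m:
        return None
    section, body = m["section"], m["body"]

    # O1: a hosts entry that sends a name somewhere other than loopback is a
    # redirect, not a block; in the log above ad domains go to a third-party IP.
    if section == "O1":
        h = HOSTS_RE.match(body)
        if h and h["ip"] not in LOOPBACK:
            return Finding(section, f"hosts redirects {h['name']} to {h['ip']}", line)
        return None

    # O20 AppInit_DLLs: the value is loaded into every process that maps
    # user32.dll, so a populated entry always needs a look.
    if section == "O20" and body.lower().startswith("appinit_dlls:"):
        if body.split(":", 1)[1].strip():
            return Finding(section, "AppInit_DLLs injects a DLL into every GUI process", line)

    # Generic checks for any section: dangling references and Temp-resident binaries.
    if "(file missing)" in body.lower():
        return Finding(section, "references a file that no longer exists", line)
    if TEMP_RE.search(body):
        return Finding(section, "runs from a temporary directory", line)
    return None


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over every line of a HijackThis log, preserving order."""
    findings = []
    for raw in text.splitlines():
        f = triage_line(raw)
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}\n     {f.line}")
```

On the sample it reports exactly the four lines Belahzur asked to be fixed and stays quiet on the vendor entries around them.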

Re: trojan generic13.atph

Post by jonk on Sat Jun 20, 2009 6:43 pm

First, thanks for the quick reply.
I completed the HijackThis part of the instructions but had problems with the second part. I already have Malwarebytes, but it turns out it doesn't work anymore. I click on it to start it up and nothing happens. I tried to uninstall it with Add/Remove Programs, but that didn't work. I then downloaded the installer again to see if I could install over it, but it hangs when it is extracting files. Finally, I tried to remove it manually, but it says I can't delete mbamext.dll.
Any suggestions?


Re: trojan generic13.atph

Post by Belahzur on Sat Jun 20, 2009 7:57 pm

Hello.

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV. (AVG8)
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes

  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.





Re: trojan generic13.atph

Post by jonk on Sat Jun 20, 2009 8:21 pm

I disabled AVG 8 Resident Shield as instructed and started Combo-Fix, but ComboFix popped up a message saying that AVG was still running, so I started the AVG GUI and it said that there were no active components. I checked the processes that were running and saw avgrsx.exe. I tried to kill this but it won't let me. ComboFix said I could proceed at my own risk, so I chose no. Should I rerun ComboFix and just let it proceed?


Re: trojan generic13.atph

Post by Belahzur on Sun Jun 21, 2009 12:27 am

Can you do the following in Safe Mode with Networking, (as the computer is booting press and hold your "F8 Key" which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press your Enter key.

Note: With some computers if you press and hold a key as the computer is booting you will get a stuck key message. If this occurs, instead of pressing and holding the "F8 key", tap the "F8 key" continuously until you get the startup menu.) Once in the start up menu, select "Safe Mode with Networking", then run Combofix from there.





Re: trojan generic13.atph

Post by jonk on Sun Jun 21, 2009 11:23 pm

I tried running ComboFix in Safe Mode with Networking, but once again it said that AVG was running. I checked the processes that were running, none of which seemed to be AVG related. Once again I said no to letting ComboFix run.


Re: trojan generic13.atph

Post by Origin on Mon Jun 22, 2009 1:49 am

We are going to have to uninstall AVG:


Please download Revo Uninstall from here: [You must be registered and logged in to see this link.]

  1. Download and run the setup file for Revo Uninstaller.
  2. Once setup, run Revo Uninstaller.
  3. Select the following item for removal by clicking on it once.

    AVG8

  4. Then hit the "Uninstall" button at the top.
  5. Close Revo Uninstaller.


Now try running ComboFix.


While my help is always free, please consider donating to keep this site alive.

Origin
Master
Posts : 2685
Joined : 2009-05-05
Gender : Male
OS : Windows Xp Sp3

Re: trojan generic13.atph

Post by jonk on Mon Jun 22, 2009 2:37 am

I was able to uninstall AVG. I downloaded ComboFix again, renamed it during download and started Combo-Fix. I then get a pop-up that says I cannot rename ComboFix as Combo-Fix; please use another name, preferably made of alphanumeric characters. I tried the same thing in safe mode with the same result.


Re: trojan generic13.atph

Post by Origin on Mon Jun 22, 2009 2:41 am

Ok delete that file of ComboFix and download it again without renaming it, see if that works.




Re: trojan generic13.atph

Post by jonk on Mon Jun 22, 2009 3:00 am

I double-click on ComboFix but it doesn't seem to do anything.


Re: trojan generic13.atph

Post by Origin on Mon Jun 22, 2009 2:57 pm

Does a blue window pop up, or does ComboFix not start at all?




Re: trojan generic13.atph

Post by jonk on Mon Jun 22, 2009 4:41 pm

I am not at my computer right now but I am pretty sure it just did nothing - no pop up.


Re: trojan generic13.atph

Post by Origin on Mon Jun 22, 2009 4:45 pm

Ok do the following when you are on your computer:


  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run.
  • When complete, two logs will open. Save both of the reports to your Desktop.
  • Copy and paste DDS.txt back here; I don't need to see attach.txt.




Re: trojan generic13.atph

Post by jonk on Tue Jun 23, 2009 1:12 am

I tried to run this but my machine thought it was an autocad script so it produced a notepad document full of nonsense symbols.


Re: trojan generic13.atph

Post by Origin on Tue Jun 23, 2009 3:49 pm

Ok I see,


Download the GMER rootkit scan from here: [You must be registered and logged in to see this link.]

  1. Unzip it and start GMER.
  2. Click the >>> tab and then click the Scan button.
  3. Once done, click the Copy button.
  4. This will copy the results to your clipboard.
  5. Paste the results in your next reply.
Note:
If you're having problems with running GMER.exe, try it in safe mode. This tool works in safe mode.
You can also try renaming it since some malware blocks GMER.




Re: trojan generic13.atph

Post by jonk on Wed Jun 24, 2009 2:25 am

GMER worked and found a rootkit. The results follow. I have two quick questions. First, if I connect my external hard drive to my computer and copy all of my important documents to it, can the external hard drive become infected? Second, if I reinstall XP, will that remove the virus? (I assume so, but I have never been infected to this degree.) Thanks.

Need to break this into two pieces.

GMER 1.0.15.14972 - [You must be registered and logged in to see this link.]
Rootkit scan 2009-06-23 22:19:54
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

Code 87BC7C30 ZwEnumerateKey
Code 87C2BC58 ZwFlushInstructionCache
Code 87BC8CAE IofCallDriver
Code 87C17E1E IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!IofCallDriver 804E13A7 5 Bytes JMP 87BC8CB3
.text ntoskrnl.exe!IofCompleteRequest 804E17BD 5 Bytes JMP 87C17E23
PAGE ntoskrnl.exe!ZwEnumerateKey 80578E14 5 Bytes JMP 87BC7C34
PAGE ntoskrnl.exe!ZwFlushInstructionCache 80587BFB 5 Bytes JMP 87C2BC5C

---- User code sections - GMER 1.0.15 ----

.text C:\Documents and Settings\Administrator\Desktop\b6nhi.exe[636] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 009E000A
.text C:\Documents and Settings\Administrator\Desktop\b6nhi.exe[636] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 009F000A
.text C:\WINDOWS\Explorer.EXE[800] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00C0000A
.text C:\WINDOWS\Explorer.EXE[800] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00C1000A
.text C:\WINDOWS\system32\winlogon.exe[904] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0068000A
.text C:\WINDOWS\system32\winlogon.exe[904] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0069000A
.text C:\WINDOWS\system32\services.exe[952] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0064000A
.text C:\WINDOWS\system32\services.exe[952] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0065000A
.text C:\WINDOWS\system32\lsass.exe[964] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0071000A
.text C:\WINDOWS\system32\lsass.exe[964] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0075000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[1128] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00A0000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[1128] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00A1000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[1128] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 408BF341 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[1128] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 40A5178F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[1128] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 40A51710 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[1128] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 40A51754 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[1128] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 40A5169C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[1128] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 40A516D6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[1128] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 40A517CA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[1128] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 408E16B6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[1128] WININET.dll!HttpAddRequestHeadersA 7805FB4D 5 Bytes JMP 00DE000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[1128] WININET.dll!HttpAddRequestHeadersW 780CD14D 5 Bytes JMP 00EC000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[1128] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 00EDF9F0 \\?\globalroot\systemroot\system32\UACaharaniiqttftbg.dll
.text C:\Program Files\Internet Explorer\Iexplore.exe[1128] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00EE0A60 \\?\globalroot\systemroot\system32\UACaharaniiqttftbg.dll
.text C:\Program Files\Internet Explorer\Iexplore.exe[1128] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00EE08A0 \\?\globalroot\systemroot\system32\UACaharaniiqttftbg.dll
.text C:\Program Files\Internet Explorer\Iexplore.exe[1128] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00EE0780 \\?\globalroot\systemroot\system32\UACaharaniiqttftbg.dll
.text C:\Program Files\Internet Explorer\Iexplore.exe[1128] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 00EDFDA0 \\?\globalroot\systemroot\system32\UACaharaniiqttftbg.dll
.text C:\Program Files\Internet Explorer\Iexplore.exe[1128] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00EDFFD0 \\?\globalroot\systemroot\system32\UACaharaniiqttftbg.dll
.text C:\WINDOWS\system32\ctfmon.exe[1580] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0098000A
.text C:\WINDOWS\system32\ctfmon.exe[1580] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0099000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[1804] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00AB000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[1804] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00AC000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[1804] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 00E9F9F0 \\?\globalroot\systemroot\system32\UACaharaniiqttftbg.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[1804] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00EA0A60 \\?\globalroot\systemroot\system32\UACaharaniiqttftbg.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[1804] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00EA08A0 \\?\globalroot\systemroot\system32\UACaharaniiqttftbg.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[1804] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00EA0780 \\?\globalroot\systemroot\system32\UACaharaniiqttftbg.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[1804] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 00E9FDA0 \\?\globalroot\systemroot\system32\UACaharaniiqttftbg.dll


Re: trojan generic13.atph

Post by jonk on Wed Jun 24, 2009 2:28 am

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 mouclass.sys (Mouse Class Driver/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \FileSystem\Fastfat \Fat B8FA0D20
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\UACjobrqoxadmxrqkg.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1116] 0x02D00000
Library \\?\globalroot\systemroot\system32\UACaharaniiqttftbg.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\Iexplore.exe [1128] 0x00ED0000
Library \\?\globalroot\systemroot\system32\UACaharaniiqttftbg.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1252] 0x00A00000
Library \\?\globalroot\systemroot\system32\UACaharaniiqttftbg.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1360] 0x00A00000
Library \\?\globalroot\systemroot\system32\UACaharaniiqttftbg.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1428] 0x00A00000
Library \\?\globalroot\systemroot\system32\UACaharaniiqttftbg.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1512] 0x00A00000
Library \\?\globalroot\systemroot\system32\UACaharaniiqttftbg.dll (*** hidden *** ) @ C:\Program Files\Mozilla Firefox\firefox.exe [1804] 0x00E90000

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\SKYNETxeaxcwbr.sys (*** hidden *** ) [SYSTEM] SKYNETlluycnln <-- ROOTKIT !!!
Service C:\WINDOWS\system32\drivers\UACkndjklvmyqxrmuj.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETlluycnln@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETlluycnln@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETlluycnln@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETlluycnln@imagepath \systemroot\system32\drivers\SKYNETxeaxcwbr.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETlluycnln\main
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETlluycnln\main@aid 10002
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETlluycnln\main@sid 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETlluycnln\main@cmddelay 7200
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETlluycnln\main\delete
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETlluycnln\main\injector
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETlluycnln\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETlluycnln\main\tasks
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETlluycnln\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETlluycnln\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETxeaxcwbr.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETlluycnln\modules@SKYNETcmd.dll \systemroot\system32\SKYNETdqdaufod.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETlluycnln\modules@SKYNETlog.dat \systemroot\system32\SKYNETnlgubfdc.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETlluycnln\modules@SKYNETwsp.dll \systemroot\system32\SKYNETfnhdnvdi.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETlluycnln\modules@SKYNET.dat \systemroot\system32\SKYNETbusqjavu.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACkndjklvmyqxrmuj.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACkndjklvmyqxrmuj.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACdemvkbebpjejboa.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACitqrqjowqpskbto.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uaclog


Re: trojan generic13.atph

Post by jonk on Wed Jun 24, 2009 2:28 am

Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacmask \\?\globalroot\systemroot\system32\UACymnpqltqswylnwo.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACemftilkohsdliyg.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacmal \\?\globalroot\systemroot\system32\UACariyvgcrfmsrgsx.db
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacrem \\?\globalroot\systemroot\system32\UACjobrqoxadmxrqkg.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACaharaniiqttftbg.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACproc \\?\globalroot\systemroot\system32\UACqfhxsvvalghvmos.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacurls \\?\globalroot\systemroot\system32\UACtrqujdrebgeayuy.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacerrors \\?\globalroot\systemroot\system32\UACstwtuwunvhlfmep.log
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETlluycnln@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETlluycnln@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETlluycnln@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETlluycnln@imagepath \systemroot\system32\drivers\SKYNETxeaxcwbr.sys
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETlluycnln\main
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETlluycnln\main@aid 10002
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETlluycnln\main@sid 0
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETlluycnln\main@cmddelay 7200
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETlluycnln\main\delete
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETlluycnln\main\injector
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETlluycnln\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETlluycnln\main\tasks
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETlluycnln\modules
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETlluycnln\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETxeaxcwbr.sys
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETlluycnln\modules@SKYNETcmd.dll \systemroot\system32\SKYNETdqdaufod.dll
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETlluycnln\modules@SKYNETlog.dat \systemroot\system32\SKYNETnlgubfdc.dat
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETlluycnln\modules@SKYNETwsp.dll \systemroot\system32\SKYNETfnhdnvdi.dll
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETlluycnln\modules@SKYNET.dat \systemroot\system32\SKYNETbusqjavu.dat
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACkndjklvmyqxrmuj.sys
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACkndjklvmyqxrmuj.sys
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACdemvkbebpjejboa.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACitqrqjowqpskbto.dat
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uaclog \\?\globalroot\systemroot\system32\UACyrdlugicwpktkmo.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacmask \\?\globalroot\systemroot\system32\UACymnpqltqswylnwo.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACemftilkohsdliyg.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacmal \\?\globalroot\systemroot\system32\UACariyvgcrfmsrgsx.db
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacrem \\?\globalroot\systemroot\system32\UACjobrqoxadmxrqkg.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACaharaniiqttftbg.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACproc \\?\globalroot\systemroot\system32\UACqfhxsvvalghvmos.log
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacurls \\?\globalroot\systemroot\system32\UACtrqujdrebgeayuy.log
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacerrors \\?\globalroot\systemroot\system32\UACstwtuwunvhlfmep.log
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETlluycnln@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETlluycnln@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETlluycnln@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETlluycnln@imagepath \systemroot\system32\drivers\SKYNETxeaxcwbr.sys
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETlluycnln\main
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETlluycnln\main@aid


Re: trojan generic13.atph

Post by jonk on Wed Jun 24, 2009 2:29 am

Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETlluycnln\main@sid 0
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETlluycnln\main@cmddelay 7200
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETlluycnln\main\delete
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETlluycnln\main\injector
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETlluycnln\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETlluycnln\main\tasks
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETlluycnln\modules
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETlluycnln\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETxeaxcwbr.sys
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETlluycnln\modules@SKYNETcmd.dll \systemroot\system32\SKYNETdqdaufod.dll
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETlluycnln\modules@SKYNETlog.dat \systemroot\system32\SKYNETnlgubfdc.dat
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETlluycnln\modules@SKYNETwsp.dll \systemroot\system32\SKYNETfnhdnvdi.dll
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETlluycnln\modules@SKYNET.dat \systemroot\system32\SKYNETbusqjavu.dat
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACkndjklvmyqxrmuj.sys
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACkndjklvmyqxrmuj.sys
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACdemvkbebpjejboa.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACitqrqjowqpskbto.dat
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uaclog \\?\globalroot\systemroot\system32\UACyrdlugicwpktkmo.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacmask \\?\globalroot\systemroot\system32\UACymnpqltqswylnwo.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACemftilkohsdliyg.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacmal \\?\globalroot\systemroot\system32\UACariyvgcrfmsrgsx.db
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacrem \\?\globalroot\systemroot\system32\UACjobrqoxadmxrqkg.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACaharaniiqttftbg.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@UACproc \\?\globalroot\systemroot\system32\UACqfhxsvvalghvmos.log
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacurls \\?\globalroot\systemroot\system32\UACtrqujdrebgeayuy.log
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacerrors \\?\globalroot\systemroot\system32\UACstwtuwunvhlfmep.log
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\jon & lisa\Local Settings\Temp\UAC2bb5.tmp 343040 bytes executable
File C:\Program Files\Wolfram Research\Mathematica\6.0\Documentation\English\System\ReferencePages\Characters\UAcute.nb 6603 bytes
File C:\Program Files\Lenovo\System Update\UACSdk.exe 91448 bytes executable
File C:\WINDOWS\Temp\UACafd7.tmp 66560 bytes
File C:\WINDOWS\Temp\UACb223.tmp 36864 bytes
File C:\WINDOWS\system32\drivers\UACkndjklvmyqxrmuj.sys 51712 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\UACaharaniiqttftbg.dll 66560 bytes
File C:\WINDOWS\system32\UACariyvgcrfmsrgsx.db 1110399 bytes
File C:\WINDOWS\system32\UACdemvkbebpjejboa.dll 23552 bytes executable
File C:\WINDOWS\system32\UACemftilkohsdliyg.dll 19456 bytes executable
File C:\WINDOWS\system32\uacinit.dll 5871 bytes
File C:\WINDOWS\system32\UACitqrqjowqpskbto.dat 224 bytes
File C:\WINDOWS\system32\UACjobrqoxadmxrqkg.dll 30208 bytes executable
File C:\WINDOWS\system32\UACkjkkxndqcqhdaky.dat 224 bytes
File C:\WINDOWS\system32\UACqfhxsvvalghvmos.log 140725 bytes
File C:\WINDOWS\system32\uactmp.db 3976714 bytes
File C:\WINDOWS\system32\UACymnpqltqswylnwo.dll 17408 bytes executable
File C:\WINDOWS\system32\UACyrdlugicwpktkmo.dll 19968 bytes executable

---- EOF - GMER 1.0.15 ----

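For triaging a GMER log like the one posted above, here is an added example in Python; it is not code from the thread, from GMER, or from the helpers in this topic. It parses the `.text` hook lines, the hidden `Library` and `Service` lines, the `Reg` lines and the `File` lines, maps GMER's kernel-style `\\?\globalroot\systemroot\...` and `\systemroot\...` paths to their on-disk form (assuming `C:\WINDOWS` is the system root, as on this machine), and then reports, for each service GMER flagged as a rootkit, which files its registry `imagepath` and `modules` entries reference and whether GMER's file scan actually listed them, plus which user-mode API hooks jump into a hidden module. The sample log is a constructed, trimmed excerpt modelled on the lines in this thread (one referenced DLL is deliberately left out of the `File` section to show the "referenced but not seen on disk" case), so its output is illustrative, not a complete picture of this machine.

```python
"""Triage helper for GMER 1.0.15 text logs (added example; not from the thread or from GMER)."""
import re
from pprint import pprint

# Assumption: %SystemRoot% of the scanned host. GMER prints kernel-style paths
# (\\?\globalroot\systemroot\..., \systemroot\...) that must be mapped back to
# the Win32 path before they can be compared with GMER's own "File" lines.
WINDIR = r"C:\WINDOWS"
GLOBALROOT = r"\\?\globalroot\systemroot"
SYSTEMROOT = r"\systemroot"

HOOK_RE = re.compile(r"^\.text (?P<proc>.+?)\[(?P<pid>\d+)\] (?P<api>\S+) [0-9A-Fa-f]+ "
                     r"\d+ Bytes JMP [0-9A-Fa-f]+ (?P<target>\S+)$")
LIB_RE = re.compile(r"^Library (?P<path>\S+) \(\*\*\* hidden \*\*\* \) @ (?P<proc>.+?) \[(?P<pid>\d+)\]")
SVC_RE = re.compile(r"^Service (?P<path>\S+) \(\*\*\* hidden \*\*\* \) \[SYSTEM\] (?P<name>\S+) <-- ROOTKIT")
REG_RE = re.compile(r"^Reg (?P<key>.+?)@(?P<value>\S+)(?: (?P<data>.+))?$")
FILE_RE = re.compile(r"^File (?P<path>.+?) (?P<size>\d+) bytes(?P<rest>.*)$")
SVC_KEY_RE = re.compile(r"\\Services\\([^\\]+)", re.IGNORECASE)

# Constructed sample: a trimmed excerpt modelled on the GMER output in this thread.
SAMPLE_LOG = r"""
.text C:\Program Files\Mozilla Firefox\firefox.exe[1804] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00EA08A0 \\?\globalroot\systemroot\system32\UACaharaniiqttftbg.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[1804] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00EA0780 \\?\globalroot\systemroot\system32\UACaharaniiqttftbg.dll
Library \\?\globalroot\systemroot\system32\UACaharaniiqttftbg.dll (*** hidden *** ) @ C:\Program Files\Mozilla Firefox\firefox.exe [1804] 0x00E90000
Service C:\WINDOWS\system32\drivers\UACkndjklvmyqxrmuj.sys (*** hidden *** ) [SYSTEM] UACd.sys <-- ROOTKIT !!!
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACkndjklvmyqxrmuj.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACaharaniiqttftbg.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uaclog \\?\globalroot\systemroot\system32\UACyrdlugicwpktkmo.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs
File C:\Program Files\Lenovo\System Update\UACSdk.exe 91448 bytes executable
File C:\WINDOWS\system32\drivers\UACkndjklvmyqxrmuj.sys 51712 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\UACaharaniiqttftbg.dll 66560 bytes
"""


def normalize(path):
    """Map a kernel-style path from the log to the Win32 path on disk."""
    for prefix in (GLOBALROOT, SYSTEMROOT):
        if path.lower().startswith(prefix.lower()):
            return WINDIR + path[len(prefix):]
    return path


def parse_gmer(text):
    """Split the log into the record types the triage needs; unknown lines are ignored."""
    out = {"hooks": [], "hidden_libs": set(), "rootkit_services": {}, "reg": [], "files": {}}
    for line in text.splitlines():
        line = line.rstrip()
        if m := HOOK_RE.match(line):
            out["hooks"].append(m.groupdict())
        elif m := LIB_RE.match(line):
            out["hidden_libs"].add(m["path"].lower())
        elif m := SVC_RE.match(line):
            out["rootkit_services"][m["name"]] = m["path"]
        elif m := REG_RE.match(line):
            out["reg"].append((m["key"], m["value"], m["data"]))
        elif m := FILE_RE.match(line):
            out["files"][m["path"].lower()] = int(m["size"])  # keyed case-insensitively
    return out


def triage(text):
    """Correlate each rootkit-flagged service with the files its registry entries
    reference, and list API hooks whose target lies inside a hidden module."""
    p = parse_gmer(text)
    report = {"services": {}, "hooks_into_hidden_modules": []}
    for svc, driver in p["rootkit_services"].items():
        referenced = {}
        for key, value, data in p["reg"]:
            owner = SVC_KEY_RE.search(key)
            # Keep only path-valued entries (imagepath, modules\*) under this service's key.
            if owner and owner.group(1).lower() == svc.lower() and data and "\\" in data:
                referenced[value] = normalize(data)
        report["services"][svc] = {
            "driver": driver,
            "referenced_files": referenced,
            "seen_on_disk": sorted(f for f in referenced.values() if f.lower() in p["files"]),
            "not_seen_on_disk": sorted(f for f in referenced.values() if f.lower() not in p["files"]),
        }
    for h in p["hooks"]:
        if h["target"].lower() in p["hidden_libs"]:
            report["hooks_into_hidden_modules"].append(
                (h["proc"], int(h["pid"]), h["api"], normalize(h["target"])))
    return report


if __name__ == "__main__":
    pprint(triage(SAMPLE_LOG))
```

The point of the cross-reference is that a hidden service's `modules` values are the authoritative list of what the rootkit installed, while GMER's `File` section only shows what its own scan saw; anything referenced but not seen is worth checking by hand or from offline media before declaring the machine clean. The `UACSdk.exe` line in the sample is there to show that a name prefix alone (`UAC*`) is not a reliable indicator; the registry linkage is.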

Re: trojan generic13.atph

Post by Belahzur on Wed Jun 24, 2009 2:13 pm

Hello.

1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.].

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C)


Drivers to disable:
UACd.sys
SKYNETlluycnln

Drivers to delete:
UACd.sys
SKYNETlluycnln

Files to delete:
C:\WINDOWS\system32\drivers\SKYNETxeaxcwbr.sys
C:\WINDOWS\system32\drivers\UACkndjklvmyqxrmuj.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur (Administrator)
Posts: 34916
Joined: 2008-08-03
Gender: Male
OS: XP SP3 Media Centre

Re: trojan generic13.atph

Post by jonk on Thu Jun 25, 2009 1:05 am

avenger ran successfully
Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Disablement of driver "UACd.sys" failed!
Status: 0xc0000001 (STATUS_UNSUCCESSFUL)

Driver "SKYNETlluycnln" disabled successfully.
Driver "UACd.sys" deleted successfully.
Driver "SKYNETlluycnln" deleted successfully.
File "C:\WINDOWS\system32\drivers\SKYNETxeaxcwbr.sys" deleted successfully.
File "C:\WINDOWS\system32\drivers\UACkndjklvmyqxrmuj.sys" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


Re: trojan generic13.atph

Post by Belahzur on Thu Jun 25, 2009 9:31 am

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


Re: trojan generic13.atph

Post by jonk on Thu Jun 25, 2009 11:54 am

Malwarebytes' Anti-Malware 1.38
Database version: 2333
Windows 5.1.2600 Service Pack 3

6/25/2009 7:46:43 AM
mbam-log-2009-06-25 (07-46-43).txt

Scan type: Quick Scan
Objects scanned: 97738
Time elapsed: 2 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 30

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Manson (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\system32\SKYNETdqdaufod.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SKYNETfnhdnvdi.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACaharaniiqttftbg.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACemftilkohsdliyg.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACjobrqoxadmxrqkg.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACymnpqltqswylnwo.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACyrdlugicwpktkmo.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETdriwqqhxri.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETitcofmegpy.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETiutfrntpfh.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETjwivfuycbq.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETksmntssprq.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNEToqojeqnfpy.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETorentipmba.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETqouofxxplb.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETqprvbrnsok.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETqxdnfyfucr.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETriyqxtcxxt.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETthqocvcdcy.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETufqhpftiob.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETvbxwvfhhiv.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETvnyyyfibap.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETwopcjqpxmd.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETxetenxbprp.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\program files\Manson\liser.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\program files\Manson\liser.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\tj.vbs (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACdemvkbebpjejboa.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\drivers\UACkndjklvmyqxrmuj.sys (Trojan.Agent) -> Quarantined and deleted successfully.


Re: trojan generic13.atph

Post by Belahzur on Thu Jun 25, 2009 12:42 pm


  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run.
  • When complete, two logs will open. Save both of the reports to your Desktop.
  • Copy and paste DDS.txt back here; I don't need to see attach.txt.


Re: trojan generic13.atph

Post by jonk on Thu Jun 25, 2009 11:30 pm

ran it but it only produced a bunch of nonsense symbols


Re: trojan generic13.atph

Post by Belahzur on Fri Jun 26, 2009 12:16 am

Try Combofix again, even if it says AVG is active.


Re: trojan generic13.atph

Post by jonk on Sat Jun 27, 2009 1:54 pm

ComboFix 09-06-25.01 - jon & lisa 06/25/2009 20:51.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3050.2566 [GMT -4:00]
Running from: c:\documents and settings\jon & lisa\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\SKYNETnlgubfdc.dat
c:\windows\system32\UACitqrqjowqpskbto.dat
c:\windows\system32\UACkjkkxndqcqhdaky.dat
c:\windows\system32\uactmp.db

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-05-26 to 2009-06-26 )))))))))))))))))))))))))))))))
.

2009-06-25 11:41 . 2009-06-17 15:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-25 11:41 . 2009-06-25 11:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-25 11:41 . 2009-06-17 15:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-22 02:12 . 2009-06-22 02:12 -------- d-----w- c:\program files\VS Revo Group
2009-06-21 23:19 . 2009-06-21 23:20 -------- d-s---w- C:\Combo-Fix
2009-06-20 15:46 . 2009-06-20 15:46 -------- d-----w- c:\windows\system32\scripting
2009-06-20 15:46 . 2009-06-20 15:46 -------- d-----w- c:\windows\system32\en
2009-06-20 15:46 . 2009-06-20 15:46 -------- d-----w- c:\windows\system32\bits
2009-06-20 15:46 . 2009-06-20 15:46 -------- d-----w- c:\windows\l2schemas
2009-06-20 15:45 . 2009-06-20 15:45 -------- d-----w- c:\windows\ServicePackFiles
2009-06-20 15:40 . 2008-04-14 00:12 33792 ------w- c:\windows\system32\mmcperf.exe
2009-06-20 14:49 . 2009-06-20 14:49 -------- d-----w- c:\program files\Sun
2009-06-20 14:34 . 2009-06-20 14:34 -------- d-----w- c:\windows\system32\LogFiles
2009-06-17 01:08 . 2009-06-17 01:08 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-06-14 22:02 . 2009-06-14 22:02 -------- d-----w- c:\documents and settings\jon & lisa\Local Settings\Application Data\McNeel

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-22 02:17 . 2008-12-10 11:52 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-06-20 15:48 . 2006-04-30 07:12 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-06-20 14:49 . 2009-05-01 21:08 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-20 14:49 . 2008-12-05 07:17 -------- d-----w- c:\program files\Java
2009-06-17 03:23 . 2008-12-09 19:20 -------- d-----w- c:\program files\Windows Live Toolbar
2009-06-16 03:24 . 2009-05-01 21:09 -------- d-----w- c:\documents and settings\jon & lisa\Application Data\LimeWire
2009-06-06 19:05 . 2008-12-11 15:46 -------- d-----w- c:\program files\Wolfram Research
2009-06-01 15:49 . 2009-01-19 19:59 -------- d-----w- c:\program files\Flickr Uploadr
2009-05-16 14:52 . 2008-12-11 19:46 -------- d-----w- c:\program files\Common Files\McNeel Shared
2009-05-16 14:51 . 2009-05-16 14:51 -------- d-----w- c:\program files\Common Files\InstallShield Shared
2009-05-16 14:51 . 2009-05-16 14:51 -------- d-----w- c:\program files\ASGvis
2009-05-16 14:51 . 2008-12-05 07:02 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-09 04:19 . 2009-05-09 04:19 -------- d-----w- c:\program files\Microsoft Silverlight
2009-05-09 04:14 . 2009-05-09 04:14 -------- d-----w- c:\program files\Netflix
2009-05-07 15:32 . 2006-04-30 06:55 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-02 19:43 . 2008-12-16 00:05 -------- d-----w- c:\documents and settings\jon & lisa\Application Data\Move Networks
2009-05-02 13:26 . 2009-05-02 13:26 -------- d-----w- c:\documents and settings\jon & lisa\Application Data\Malwarebytes
2009-05-02 13:26 . 2009-05-02 13:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-01 21:07 . 2009-05-01 21:07 152576 ------w- c:\documents and settings\jon & lisa\Application Data\Sun\Java\jre1.6.0_11\lzma.dll
2009-04-29 04:56 . 2006-04-30 06:56 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2006-04-30 06:55 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-21 00:08 . 2008-12-05 07:14 123864 ------w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-17 12:26 . 2006-04-30 06:55 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2006-04-30 06:55 585216 ----a-w- c:\windows\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TPFNF7"="c:\program files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2008-07-30 60192]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2008-03-24 68464]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-05-15 487424]
"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2008-08-31 165208]
"LPMailChecker"="c:\progra~1\THINKV~1\PrdCtr\LPMLCHK.exe" [2008-08-31 124248]
"RoxioDragToDisc"="c:\program files\Lenovo\Drag-to-Disc\DrgToDsc.exe" [2007-03-13 1116920]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2008-09-18 331776]
"cssauth"="c:\program files\Lenovo\Client Security Solution\cssauth.exe" [2008-06-14 3073336]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-14 169984]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-20 148888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"TpShocks"="TpShocks.exe" - c:\windows\system32\TpShocks.exe [2008-06-07 181536]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 07:37 34344 ----a-w- c:\program files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2008-08-08 10:14 28672 ----a-w- c:\program files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
2008-09-27 06:17 32768 ----a-w- c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli ACGina

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SysmonLog"=3 (0x3)
"SwPrv"=3 (0x3)
"Schedule"=2 (0x2)
"SCardSvr"=3 (0x3)
"SamSs"=2 (0x2)
"RSVP"=3 (0x3)
"RoxMediaDB10"=3 (0x3)
"RemoteRegistry"=2 (0x2)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"ProtectedStorage"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"NtmsSvc"=3 (0x3)
"NtLmSsp"=3 (0x3)
"Netlogon"=3 (0x3)
"MSIServer"=3 (0x3)
"mnmsrvc"=3 (0x3)
"mi-raysat_3dsMax2009_32"=2 (0x2)
"IviRegMgr"=2 (0x2)
"iPod Service"=3 (0x3)
"InstallShield Licensing Service"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"CryptSvc"=3 (0x3)
"btwdins"=2 (0x2)
"Browser"=2 (0x2)
"Bonjour Service"=2 (0x2)
"BITS"=3 (0x3)
"BcmSqlStartupSvc"=2 (0x2)
"avg8wd"=2 (0x2)
"Autodesk Network Licensing Service"=3 (0x3)
"Autodesk Licensing Service"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"aspnet_state"=3 (0x3)
"AppMgmt"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"ALG"=3 (0x3)
"AcSvc"=2 (0x2)
"AcPrfMgrSvc"=2 (0x2)
"aawservice"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 2009\\3dsmax.exe"=
"c:\\Program Files\\Wolfram Research\\Mathematica\\6.0\\Mathematica.exe"=
"c:\\Program Files\\Wolfram Research\\Mathematica\\6.0\\MathKernel.exe"=
"c:\\Program Files\\Wolfram Research\\Mathematica\\6.0\\math.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 Shockprf;Shockprf;c:\windows\system32\drivers\ApsX86.sys [5/14/2008 8:21 PM 114728]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [5/14/2008 8:21 PM 19496]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [12/5/2008 3:24 AM 4442]
R1 tvtumon;tvtumon;c:\windows\system32\drivers\tvtumon.sys [5/9/2008 9:50 AM 46144]
R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.exe [12/5/2008 3:24 AM 94208]
R2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe [5/14/2008 8:25 PM 520192]
R2 TVT_UpdateMonitor;TVT Windows Update Monitor;c:\program files\Lenovo\Rescue and Recovery\UpdateMonitor.exe [5/9/2008 9:50 AM 253952]
R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [12/5/2008 2:45 AM 243856]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2/22/2008 7:54 PM 37312]
S2 spupdsvc;Windows Service Pack Installer update service;c:\windows\system32\spupdsvc.exe [4/30/2006 3:28 AM 26488]
S4 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe [1/11/2008 9:50 PM 30312]
S4 mi-raysat_3dsMax2009_32;mental ray 3.6 Satellite for Autodesk 3ds Max 2009 32-bit 32-bit;c:\program files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe [3/10/2008 1:04 AM 65536]
S4 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [4/25/2008 12:15 PM 1120752]
S4 SessionLauncher;SessionLauncher;c:\docume~1\ADMINI~1\LOCALS~1\Temp\DX9\SessionLauncher.exe --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\DX9\SessionLauncher.exe [?]
.
Contents of the 'Scheduled Tasks' folder

2009-06-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-06-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1939128119-3152334995-3733480193-1008.job
- c:\documents and settings\jon & lisa\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-10 06:18]

2009-06-26 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2008-12-05 16:46]
.
.


Re: trojan generic13.atph

Post by jonk on Sat Jun 27, 2009 1:54 pm

------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie.htm
IE: {{F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - c:\program files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-06-25 20:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1120)
c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\Lenovo\HOTKEY\tphklock.dll

- - - - - - - > 'lsass.exe'(1180)
c:\program files\ThinkPad\ConnectUtilities\ACGina.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACON.dll
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgr.dll
c:\program files\ThinkPad\ConnectUtilities\AcCryptHlpr.dll
c:\program files\ThinkPad\ConnectUtilities\ACTurinSupport.dll
c:\program files\ThinkPad\ConnectUtilities\AcSmBiosHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcAdaptersInfo.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\program files\Intel\WiFi\bin\S24EvMon.exe
c:\program files\Lenovo\HOTKEY\TPONSCR.exe
c:\program files\Lenovo\ZOOM\TpScrex.exe
c:\windows\system32\rundll32.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\program files\ThinkPad\ConnectUtilities\AcFnF5.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\windows\system32\TPHDEXLG.exe
c:\program files\Lenovo\Client Security Solution\tvttcsd.exe
c:\program files\Lenovo\Rescue and Recovery\rrservice.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Lenovo\System Update\SUService.exe
c:\windows\system32\wscntfy.exe
c:\program files\ThinkPad\ConnectUtilities\AcFnF5.exe
.
**************************************************************************
.
Completion time: 2009-06-26 20:58 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-26 00:58

Pre-Run: 84,515,647,488 bytes free
Post-Run: 84,663,103,488 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

258 --- E O F --- 2009-06-20 22:42


Re: trojan generic13.atph

Post by Belahzur on Sat Jun 27, 2009 5:36 pm

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u

This will also reset your restore points.

How is the machine running now?


Please PM me if I fail to respond within 24hrs.



Re: trojan generic13.atph

Post by jonk on Tue Jun 30, 2009 1:54 pm

Seems like everything is back to normal. Ran Malwarebytes and it found NO problems! Great Job!

Re: trojan generic13.atph

Post by cyraxx on Fri Jul 10, 2009 1:57 am

It seems like I'm having the same problems as the OP. Is it safe for me to follow all of the steps advised to him, or should I make a new topic with my own logs, etc? Thanks.


Re: trojan generic13.atph

Post by Belahzur on Fri Jul 10, 2009 12:29 pm

Make your own topic please.





Re: trojan generic13.atph

Post by cyraxx on Fri Jul 10, 2009 12:35 pm

Thank you for the reply. I am at work right now, but when I get home I will definitely make my own topic.
