Daughters School PC Infected with C:\ Recycler



Post by ajwalkman on 10th November 2009, 4:59 pm

Originally found a variety of Trojans and malware with Malwarebytes, then saw hidden folders in the Recycle Bin and worked to remove them through DOS commands. Then rescanned with Malwarebytes and then with ComboFix.
So below are three logs,
1. original Malwarebytes,
2. Malwarebytes after attempting to manually delete C:\Recycler
3. ComboFix Log

Thanks in advance for all your support.



1.
Malwarebytes' Anti-Malware 1.41
Database version: 3123
Windows 5.1.2600 Service Pack 2

11/8/2009 1:46:17 PM
mbam-log-2009-11-08 (13-46-17).txt

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 211667
Time elapsed: 5 hour(s), 29 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 11
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 2
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\iehelper.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\batmeter16.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b6d223f6-c185-49a2-ba7e-a03e84744702} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b6d223f6-c185-49a2-ba7e-a03e84744702} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b6d223f6-c185-49a2-ba7e-a03e84744702} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\main.bho (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{8e3c68cd-f500-4a2a-8cb9-132bb38c3573} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{986a8ac1-ab4d-4f41-9068-4b01c0197867} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\main.bho.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\AvScan (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{5d3bf8d2-d5e5-47c5-aca2-71debc975867} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dclbjcwr (Trojan.FakeAlert.N) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dclbjcwr (Trojan.FakeAlert.N) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\MyWaySA (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWaySA\SrchAsDe (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\iehelper.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Program Files\Shared\lib.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP259\A0290120.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP259\A0291120.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\Shared\_lib.dll (Adware.Deepdive) -> Quarantined and deleted successfully.
C:\Program Files\Shared\_lib.sig (Adware.Deepdive) -> Quarantined and deleted successfully.
C:\Program Files\Shared\lib.sig (Adware.Deepdive) -> Quarantined and deleted successfully.
C:\WINDOWS\batmeter16.dll (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Admin_2\Local Settings\Application Data\qjqfgn\lkadsysguard.exe (Trojan.FakeAlert.N) -> Quarantined and deleted successfully.


2.
Malwarebytes' Anti-Malware 1.41
Database version: 3123
Windows 5.1.2600 Service Pack 2

11/10/2009 9:25:10 AM
mbam-log-2009-11-10 (09-25-10).txt

Scan type: Quick Scan
Objects scanned: 134253
Time elapsed: 4 hour(s), 30 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

3.
ComboFix 09-11-09.01 - Admin_2 11/10/2009 10:23.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.503.262 [GMT -5:00]
Running from: c:\documents and settings\Admin_2\Desktop\Combo-Fix.exe
AV: Trend Micro Internet Security *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Shared
c:\windows\system32\bszip.dll

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((( Files Created from 2009-10-10 to 2009-11-10 )))))))))))))))))))))))))))))))
.

2009-11-08 12:59 . 2009-11-08 12:59 -------- d-----w- c:\documents and settings\Admin_2\Application Data\Malwarebytes
2009-11-08 12:58 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-08 12:58 . 2009-11-08 12:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-08 12:58 . 2009-11-08 12:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-08 12:58 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-08 01:58 . 2009-11-08 01:58 -------- d-----w- c:\documents and settings\Admin_2\Local Settings\Application Data\Mozilla
2009-11-07 13:37 . 2009-11-08 18:46 -------- d-----w- c:\documents and settings\Admin_2\Local Settings\Application Data\qjqfgn

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-10 15:03 . 2006-04-01 03:09 65120 ----a-w- c:\documents and settings\Admin_2\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-10 14:28 . 2005-11-16 19:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-11-10 04:51 . 2005-11-16 19:40 -------- d-----w- c:\program files\Common Files\AOL
2009-11-10 04:43 . 2005-11-16 19:40 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2009-11-10 04:35 . 2007-01-23 23:48 -------- d-----w- c:\program files\LimeWire
2009-11-10 04:33 . 2005-11-16 19:31 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-09 13:02 . 2006-08-30 17:38 -------- d-----w- c:\documents and settings\Admin_2\Application Data\StumbleUpon
2009-09-20 22:02 . 2006-02-28 01:59 -------- d-----w- c:\program files\Google
2009-09-11 14:33 . 2004-08-19 21:49 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 20:45 . 2004-08-19 21:49 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2004-08-19 21:49 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2004-08-19 21:49 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2004-08-19 21:49 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-26 08:16 . 2004-08-19 21:50 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-21 03:29 . 2009-08-21 03:29 6944624 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\aaw2008_upd.exe
2007-07-26 19:32 . 2007-08-29 01:35 66408 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2007-07-26 19:32 . 2007-08-29 01:35 54112 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2007-07-26 19:32 . 2007-08-29 01:35 34688 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2007-07-26 19:32 . 2007-08-29 01:35 46456 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2007-07-26 19:32 . 2007-08-29 01:35 171880 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-13 68856]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2008-10-01 497008]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-04-28 53248]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-10 385024]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-06-06 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-06-06 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-06-06 118784]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-04-01 995528]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-07-27 221184]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2008-10-01 497008]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-11-16 24576]
WD Backup Monitor.lnk - c:\program files\My Book\WD Backup\uBBMonitor.exe [2008-4-29 98304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 22:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [9/30/2008 10:56 PM 49680]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [9/30/2008 10:42 PM 36368]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [9/30/2008 10:42 PM 334352]
S2 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [9/30/2008 10:57 PM 497008]
S2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [9/30/2008 10:57 PM 677128]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr
*Deregistered* - PROCEXP113
.
Contents of the 'Scheduled Tasks' folder

2009-09-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:57]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-us\local\search.html
IE: StumbleUpon: &Blog This - StumbleUponIEBar.dll/blogimage
Trusted Zone: stumbleupon.com
FF - ProfilePath - c:\documents and settings\Admin_2\Application Data\Mozilla\Firefox\Profiles\s5hyjku6.default\
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.
- - - - ORPHANS REMOVED - - - -

AddRemove-ShockwaveFlash - c:\windows\system32\Macromed\Flash\FlashUtil9c.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-11-10 10:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1520)
c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
Completion time: 2009-11-10 10:42
ComboFix-quarantined-files.txt 2009-11-10 15:42

Pre-Run: 27,243,409,408 bytes free
Post-Run: 28,788,449,280 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - 1DB9087658D9D3125A2504C3496E41D6

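The Malwarebytes logs above use a fixed line format: a section header such as `Files Infected:`, then one line per detection of the form `<item> (<detection name>) -> <action>`. The script below is an added example, not code from the thread or from Malwarebytes, that parses that format and pulls out what a responder reads first: the malware families involved, the items left as "Delete on reboot" (still on disk, and in the case of the memory modules still loaded, until the machine is restarted), the Run-key autostarts used for persistence, and whether the Security Center notifications were switched off. The excerpt it parses is constructed from entry lines of the first log posted above; the same parser runs unchanged on a full mbam-log-*.txt.

```python
"""Summarise a Malwarebytes' Anti-Malware 1.x scan log.

Added example (not code from the thread or from Malwarebytes). The excerpt
below is constructed from entry lines of the first log posted above; it keeps
the real log's line format so the parser works on a full mbam-log-*.txt too.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\\WINDOWS\\system32\\iehelper.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\\WINDOWS\\batmeter16.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\{b6d223f6-c185-49a2-ba7e-a03e84744702} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\\SOFTWARE\\AvScan (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\dclbjcwr (Trojan.FakeAlert.N) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\dclbjcwr (Trojan.FakeAlert.N) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Security Center\\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\\WINDOWS\\system32\\iehelper.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\\Documents and Settings\\Admin_2\\Local Settings\\Application Data\\qjqfgn\\lkadsysguard.exe (Trojan.FakeAlert.N) -> Quarantined and deleted successfully.
"""

SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")
# "<item> (<detection name>) -> <action>"; the item may itself contain spaces and
# parentheses, so the detection name is constrained to the dotted names MBAM uses.
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[A-Za-z][\w.]*)\) -> (?P<action>.+)$")
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)


def parse_mbam_log(text):
    """Return one dict per detection: section, item, threat, action."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m and section:
            findings.append({"section": section, **m.groupdict()})
    return findings


def summarise(findings):
    """Group the detections the way a responder reads them."""
    # Drop the variant letter: Trojan.Vundo.H and Trojan.Vundo count as one family.
    families = Counter(".".join(f["threat"].split(".")[:2]) for f in findings)
    return {
        "families": dict(families),
        # Still on disk (and, for memory modules, still loaded) until the machine is restarted.
        "pending_reboot": sorted({f["item"].lower() for f in findings
                                  if f["action"].startswith("Delete on reboot")}),
        # Autostart persistence the malware used.
        "autostart": sorted(f["item"] for f in findings if RUN_KEY_RE.search(f["item"])),
        # Security Center notifications switched off so the user saw no AV/firewall warning.
        "security_center_tampered": any(f["threat"] == "Disabled.SecurityCenter" for f in findings),
        "loaded_in_memory": sorted(f["item"] for f in findings
                                   if f["section"].startswith("Memory Modules")),
    }


if __name__ == "__main__":
    report = summarise(parse_mbam_log(SAMPLE_LOG))
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the full first log this reports four families (Vundo, FakeAlert, BHO and the MyWebSearch/Deepdive adware) plus the Security Center tampering, and two DLLs pending reboot; the second log, taken after the manual Recycler clean-up but before a restart, is empty because the quick scan found nothing new, not because the "Delete on reboot" items were already gone.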

Re: Daughters School PC Infected with C:\ Recycler

Post by Belahzur on 10th November 2009, 5:22 pm

Click Start > Run, copy/paste the following text into the Run box and click OK:

ComboFix /u



This will also reset your restore points.

How is the machine running now?





Re: Daughters School PC Infected with C:\ Recycler

Post by ajwalkman on 10th November 2009, 6:45 pm

Thanks for the reply. I was afraid to reboot to see.
I ran ComboFix /u and ComboFix uninstalled.

OK to reboot now?
1. Since Malwarebytes could not see it and I seemed to be able to delete the C:\Recycler hidden files through DOS, how will I know if it is clean?
2. Is there a way to know if the memory stick I used to get Malwarebytes to the infected machine is infected?


Thanks again
Alan


Re: Daughters School PC Infected with C:\ Recycler

Post by Belahzur on 10th November 2009, 7:53 pm

Hello.
Does the Recycler folder have the Recycle Bin image? If so, that's legit; you can leave that alone. It's meant to be a hidden folder.

As for the memory stick, we can tell if it's infected using some of our other tools, but I don't think it is; this infection isn't an autorun worm.




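The two questions in the last exchange, whether a hidden C:\RECYCLER is the legitimate one and whether a memory stick carries an autorun infection, can both be checked from the folder structure rather than by eye. On Windows XP the Recycle Bin is a hidden+system folder named RECYCLER with one subfolder per user, named after that user's SID; each subfolder holds a desktop.ini carrying the Recycle Bin shell-folder CLSID (which is what makes Explorer draw the bin icon Belahzur refers to), an INFO2 index, and deleted files renamed to D<drive letter><n>.<ext>. An executable sitting under RECYCLER with its own name, or a subfolder that is not a SID or has no such desktop.ini, is worth a look. An autorun worm, for its part, needs an autorun.inf at the drive root whose open=, shellexecute= or shell\...\command= line points at a file on the stick. The script below is an added example, not from the thread or from any of the tools named in it; it builds a constructed directory tree in a temp directory so it runs anywhere, and the SIDs, the file name update.exe and the autorun.inf contents in build_demo() are made up for the demonstration. It checks structure only; it cannot see the hidden/system attributes that ComboFix and catchme inspect on a live system.

```python
"""Audit an XP-style RECYCLER folder and a removable drive root for autorun.inf.

Added example, not from the thread or any vendor tool. It builds a constructed
directory tree in a temp dir so it runs anywhere; the SIDs, file names and the
autorun.inf contents in build_demo() are made up for the demonstration.
"""
import os
import re
import tempfile

# Per-user bins are named after the owning account's SID (well-known or domain/local SIDs).
SID_RE = re.compile(r"^S-1-5-(18|19|20|21(-\d+){4})$")
# desktop.ini in each per-user bin carries the Recycle Bin shell folder CLSID;
# this is what makes Explorer draw the bin icon on the folder.
RECYCLE_BIN_CLSID = "{645FF040-5081-101B-9F08-00AA002F954E}"
# XP renames deleted files to D<drive letter><index>.<ext>, e.g. Dc1.doc.
RENAMED_RE = re.compile(r"^D[A-Za-z]\d+(\.[^.]*)?$")
EXEC_EXT = {".exe", ".dll", ".sys", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs"}


def audit_recycler(recycler):
    """Return a list of human-readable findings for one RECYCLER folder."""
    findings = []
    for name in sorted(os.listdir(recycler)):
        path = os.path.join(recycler, name)
        if not os.path.isdir(path):
            findings.append(f"loose file at RECYCLER root: {name}")
            continue
        if not SID_RE.match(name):
            findings.append(f"{name}: subfolder not named after a SID")
        ini = os.path.join(path, "desktop.ini")
        has_clsid = False
        if os.path.isfile(ini):
            with open(ini, errors="replace") as fh:
                has_clsid = RECYCLE_BIN_CLSID.lower() in fh.read().lower()
        if not has_clsid:
            findings.append(f"{name}: no Recycle Bin desktop.ini (Explorer will not show the bin icon)")
        for fname in sorted(os.listdir(path)):
            ext = os.path.splitext(fname)[1].lower()
            # A deleted executable would have been renamed to Dc<n>.exe; one keeping
            # its real name was put there by something other than the Recycle Bin.
            if ext in EXEC_EXT and not RENAMED_RE.match(fname):
                findings.append(f"{name}: executable keeping its own name: {fname}")
    return findings


def audit_autorun(drive_root):
    """Report what an autorun.inf at the drive root would launch."""
    inf = os.path.join(drive_root, "autorun.inf")
    if not os.path.isfile(inf):
        return []
    findings, section = [], None
    with open(inf, errors="replace") as fh:
        for raw in fh:
            line = raw.strip()
            if line.startswith("[") and line.endswith("]"):
                section = line[1:-1].lower()
                continue
            if section != "autorun" or "=" not in line:
                continue
            key, _, value = line.partition("=")
            key, value = key.strip().lower(), value.strip()
            launches = key in ("open", "shellexecute") or (
                key.startswith("shell\\") and key.endswith("\\command"))
            if not launches:
                continue
            target = value.split()[0] if value else ""
            note = f"autorun.inf {key}={value}"
            if "recycler" in target.lower():
                note += " (launches from RECYCLER)"
            rel = os.path.join(drive_root, *target.replace("\\", "/").split("/"))
            if target and ":" not in target and "%" not in target and not os.path.exists(rel):
                note += " (target missing)"
            findings.append(note)
    return findings


def build_demo(root):
    """Constructed tree: a legitimate per-user bin, a planted one, a malformed one, and an autorun.inf."""
    recycler = os.path.join(root, "RECYCLER")
    legit = os.path.join(recycler, "S-1-5-21-1111111111-2222222222-3333333333-1005")
    planted = os.path.join(recycler, "S-1-5-21-1234567890-1234567890-1234567890-1000")
    malformed = os.path.join(recycler, "S-1-5-21-1000")
    for d in (legit, planted, malformed):
        os.makedirs(d)
    with open(os.path.join(legit, "desktop.ini"), "w") as fh:
        fh.write(f"[.ShellClassInfo]\nCLSID={RECYCLE_BIN_CLSID}\n")
    for fname in ("INFO2", "Dc1.doc"):
        open(os.path.join(legit, fname), "w").close()
    open(os.path.join(planted, "update.exe"), "w").close()   # made-up file name
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write("[autorun]\n"
                 "open=RECYCLER\\S-1-5-21-1234567890-1234567890-1234567890-1000\\update.exe\n"
                 "icon=%SystemRoot%\\system32\\SHELL32.dll,4\n"
                 "action=Open folder to view files\n"
                 "shell\\open\\command=RECYCLER\\S-1-5-21-1234567890-1234567890-1234567890-1000\\update.exe\n")
    return recycler


def run_demo():
    """Build the constructed tree and audit it; returns {'recycler': [...], 'autorun': [...]}."""
    with tempfile.TemporaryDirectory() as root:
        recycler = build_demo(root)
        return {"recycler": audit_recycler(recycler), "autorun": audit_autorun(root)}


if __name__ == "__main__":
    for kind, notes in run_demo().items():
        print(kind)
        for n in notes:
            print("  -", n)
```

A clean result from audit_recycler() only says the Recycle Bin folder is what it claims to be. The ComboFix log earlier in the thread shows the real foothold on this machine was elsewhere (an infected c:\windows\system32\DRIVERS\atapi.sys), which no folder check would find; that is why the helper's question about the bin icon settles only the RECYCLER part of the question.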
