[In Progress] rootkit infection

  • 1 Replies
  • 1314 Views
*

Offline bikerTA

  • Bronze Member
  • 1
[In Progress] rootkit infection
« on: February 08, 2009, 03:18:40 AM »
I have a problem with a rootkit infection 2u.com
Yesterday I did what is suggested here:

http://www.myantispyware.com/2008/05/26/how-to-remove-trojans-that-uses-autoruninf-file/

But prevx CSI still notify infection:

[BP] c:\1utbfd.bat   [PX5: 59B911A0A36E2E16ABFB0112C0A1CB00ED3045AA]   Malware Group: Cloaked Malware
[BP] c:\windows\system32\olhrwef.exe   [PX5: 59B911A0A36E2E16ABFB0112C0A1CB00ED3045AA]   Malware Group: Cloaked Malware
c:\windows\setup1.exe   [PX5: 27A43109118C466091CA0060B347BF005C52D1D5]   Malware Group: Adware
c:\windows\readreg.exe   [PX5: 2E847C8E0010F4D8B00A02F5B9AAF500CB35442B]   Malware Group: Malicious Software

How can I fix the problem, please ?

This my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9.50.17, on 08/02/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Lavasoft\Ad-Aware\AAWService.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Programmi\File comuni\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\anvshell.exe
C:\Programmi\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Programmi\Lavasoft\Ad-Aware\AAWTray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\FinePixViewer\QuickDCF.exe
C:\Programmi\Sun\StarOffice 8\program\soffice.exe
C:\Programmi\Sun\StarOffice 8\program\soffice.BIN
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe
C:\Programmi\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [liveNote] livenote.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Programmi\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Programmi\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Programmi\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: StarOffice 8.lnk = C:\Programmi\Sun\StarOffice 8\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Programmi\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Tasto di scelta rapida per l'avvio di AutoCAD.lnk = C:\Programmi\File comuni\Autodesk Shared\acstart16.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1234010937691
O16 - DPF: {8EC18CE2-D7B4-11D2-88C8-006008A717FD} (NCSView Class) - http://ww3.atlanteitaliano.it/ecwplugins/ncs.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Programmi\File comuni\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Programmi\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: ASUS Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Programmi\File comuni\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 5981 bytes
« Last Edit: February 08, 2009, 10:59:06 AM by Maurice Naggar »

*

Offline Maurice Naggar

  • Malware Removal Staff
  • Gold Member
  • 1205
Re: rootkit infection
« Reply #1 on: February 08, 2009, 10:56:16 AM »
Hello and welcome to SpywareHammer.
Turn off Ad-Aware Ad-Watch, and keep it disabled while we attempt to clean this system.
Right click on the Ad-Watch icon in the system tray if present.
At the bottom of the screen there will be two checkable items called "Active" and "Automatic".
Active: This will turn Ad-Watch On\Off without closing it
Automatic: Suspicious activity will be blocked automatically
Uncheck both of those boxes.

I need for you to do some basics and get me some reports.

You may want to print the rest of these instructions for offline reference.

1. Please download ATF Cleaner by Atribune, saving it to your desktop: http://www.atribune.org/ccount/click.php?id=1
(Mirror site: http://www.majorgeeks.com/ATF_Cleaner_d4949.html)
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

  • If you use Firefox browser (and some Mozilla-based browsers):
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
    • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser:
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
    • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    • Click Exit on the Main menu to close the program.



    2. Enable Show Hidden Files and Folders

    If using Windows XP:

    • Close all programs so that you are at your desktop.
    • Double-click on the My Computer icon.
    • Select the Tools menu and click Folder Options.
    • After the new window appears select the View tab.
    • Put a checkmark in the checkbox labeled Display the contents of system folders.
    • Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
    • Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
    • Remove the checkmark from the checkbox labeled Hide protected operating system files.
    • Press the Apply button and then the OK button and exit My Computer.
    • Now your computer is configured to show all hidden files.



    3. Download the Malicious Software Removal Tool to your desktop, then run it.




    4. Download OTListIt by OldTimer to your desktop: http://oldtimer.geekstogo.com/OTListIt2.exe

    • Close all open windows on the Task Bar.  Click the icon (for Vista, right click the icon and Run as Administrator) to start the program.
    • In the lower right corner of the Top Panel, checkmark "LOP Check" and checkmark "Purity Check".
    • Now click Run Scan at Top left and let the program run uninterrupted.  It will take about 4 minutes.
    • It will produce two logs for you, one will pop up called OTListIt.txt, the other will be saved on your desktop and called Extras.txt.
    • Exit Notepad.  Remember where you've saved these 2 files as we will need both of them shortly!
    • Exit OTListIt2 by clicking the X at top right.



    5. Download Security Check by screen317 and save it to your Desktop: http://screen317.spywareinfoforum.org/SecurityCheck.zip
    • Unzip SecurityCheck.zip and a folder named Security Check should appear.
    • Open the Security Check folder and double-click Security Check.bat
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; close Notepad.  We will need this log, too, so remember where you've saved it!
    If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access the Internet, allow it to do so.

    Reply with copies of OTListIt.txt
    Extras.txt
    checkup.txt


    These will help to me to see details on this system, and the malware that is onboard. This is only a starter. We'll follow later with removal steps. So please reply soonest.
    ~Maurice Naggar
    MS-MVP (October 2002 - September 2010)