Mongoooos wrote:
I sent you a new HijackThis Log.
Mabidwe, Roytctm, soxpeca, tdydowkc, wsldoekd are the ones I can't interrupt manually. HijackThis won't fix them either. I can't remember the name of the rootkit cleaner (it's at the house), but following its execution SuperAS was able to ID these files.
I have re-run HijackThis and checked any processes that you ID'd before. Hgcheck went off the list. I sent it to Norton.
I have periodically shut down System Restore when told to in the instructions.
The files like "Mabidwe.exe" (Rootkit.Trojan) were detected by Malwarebytes, and it even corrected the bad registry data. Did Norton not pick up on this major malware??
Malwarebytes detections
Memory Processes Infected:
C:\WINDOWS\system32\afisicx.exe (Trojan.Agent) -> Unloaded process successfully.
C:\WINDOWS\system32\mabidwe.exe (Trojan.Agent) -> Unloaded process successfully.
C:\WINDOWS\system32\noytcyr.exe (Trojan.Agent) -> Unloaded process successfully.
C:\WINDOWS\system32\roytctm.exe (Trojan.Agent) -> Unloaded process successfully.
C:\WINDOWS\system32\soxpeca.exe (Trojan.Agent) -> Unloaded process successfully.
C:\WINDOWS\system32\tdydowkc.exe (Trojan.Agent) -> Unloaded process successfully.
C:\WINDOWS\system32\wsldoekd.exe (Trojan.Agent) -> Unloaded process successfully.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\afisicx (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\afisicx (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\afisicx (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mabidwe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\mabidwe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mabidwe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\noytcyr (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\noytcyr (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\noytcyr (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\roytctm (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\roytctm (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\roytctm (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\soxpeca (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\soxpeca (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\soxpeca (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tdydowkc (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\tdydowkc (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdydowkc (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wsldoekd (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\wsldoekd (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wsldoekd (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ODBCJET.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\Temp\1188.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\3548.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hguest.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hgcheck.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\afisicx.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mabidwe.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\noytcyr.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\roytctm.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\soxpeca.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdydowkc.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wsldoekd.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\comsa32.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drmgs.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
Malwarebytes also removed the file "hgcheck.exe".
I noticed this entry in the first HijackThis log of the day:
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ODBCJET.exe,
Is the file "C:\WINDOWS\system32\ODBCJET.exe" still on your hard drive??
Now your questions with HijackThis log #2 of the day.
The file "downer.exe" is a Backdoor.Trojan of some sort. Find the file "C:\WINDOWS\TEMP\IXP000.TMP\downer.exe" and do the same as earlier in this thread: submit it to Symantec and post the tracking number for JohnM, like earlier on.
The file(s) "Perfs.exe" is a rootkit/downloader that attempts to download more malware. Location: "C:\WINDOWS\system32\perfs.exe". Also submit to Symantec.
The service "O23 - Service: KingDuBa Driver (KingDuuBa) - Beijing Rising Information Technology Co., Ltd. - C:\WINDOWS\system32\DuBa.exe" is probably similar to the one earlier that Symantec has added to their defs ("\timeresu.exe – Tracking number: 10302503 --> Backdoor.Trojan"), so submit that file too: "C:\WINDOWS\system32\DuBa.exe".
Now with HijackThis you can tick (check) these entries.
O4 - HKLM\..\RunOnce: [wextract_cleanup0] rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\TEMP\IXP000.TMP\"
O23 - Service: disk manager service and creates macros (disk manager service) - Unknown owner - C:\WINDOWS\system\1sass.exe
O23 - Service: KingDuBa Driver (KingDuuBa) - Beijing Rising Information Technology Co., Ltd. - C:\WINDOWS\system32\DuBa.exe
O23 - Service: Network Connections Logs (Netlogs) - Unknown owner - C:\WINDOWS\system32\perfs.exe
O23 - Service: pms (Portable Media Serial) - Unknown owner - C:\WINDOWS\UPsutup.exe (file missing)
O23 - Service: me helou (tima or srerer) - Beijing Rising Information Technology Co., Ltd. - C:\WINDOWS\timeresu.exe
O23 - Service: winDuBa Driver (WinDuuBa) - Unknown owner - C:\WINDOWS\system32\IM.exe (file missing)
Now click "Fix Checked".
Next, by your SAS (SuperAntiSpyware) log, it detected "perfs.exe" and "1sass.exe". Did SAS delete them??
SAS entries
Trojan.Downloader-Gen
C:\WINDOWS\SYSTEM32\PERFS.EXE
C:\WINDOWS\SYSTEM32\PERFS.EXE
C:\WINDOWS\Prefetch\PERFS.EXE-394EC78D.pf
Trojan.1SASS
HKLM\System\ControlSet001\Services\disk manager service
C:\WINDOWS\SYSTEM\1SASS.EXE
HKLM\System\ControlSet001\Enum\Root\LEGACY_disk manager service
HKLM\System\ControlSet002\Services\disk manager service
HKLM\System\ControlSet002\Enum\Root\LEGACY_disk manager service
HKLM\System\CurrentControlSet\Services\disk manager service
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_disk manager service
C:\WINDOWS\Prefetch\1SASS.EXE-393C6FA6.pf
You may have to manually delete "DuBa.exe" after submitting, and "timeresu.exe", already submitted.
One other thing for JohnM or someone: this looks a bit odd as a running process, the "1.exe" on the end of
"C:\Program Files\Symantec AntiVirus\1.exe"
Is it legit?? Part of Norton??
OH, your HijackThis log shows you have Norton AntiVirus installed; what firewall are you using??
Quads
Message Edited by Quads on 02-10-2009 08:52 PM
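As an added example (not code from this thread or from Quads), a small Python check for the two kinds of HijackThis entry discussed above: it flags extra Winlogon Userinit entries such as the ODBCJET.exe one, and O23 service lines whose binary is missing, has an unknown owner, or sits in the Windows folder outside system32. It assumes the C:\WINDOWS layout seen in the quoted logs.

```python
import re

# Added example, not code from the thread. It re-checks what the reply above
# walks through: extra Winlogon Userinit entries (Malwarebytes' "Hijack.UserInit")
# and O23 service lines whose binary is missing, has no recorded owner, or lives
# in the Windows folder outside system32. Assumes the C:\WINDOWS (XP) layout.
EXPECTED_USERINIT = "c:\\windows\\system32\\userinit.exe"
F2_PREFIX = "F2 - REG:system.ini: UserInit="
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - "
    r"(?P<path>[A-Za-z]:\\.+?)(?P<missing> \(file missing\))?$"
)

def userinit_extras(value):
    """Return every comma-separated Userinit entry other than userinit.exe."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if e.lower() != EXPECTED_USERINIT]

def triage_o23(line):
    """Return the reasons an O23 line deserves a second look ([] = nothing odd)."""
    m = O23_RE.match(line)
    if not m:
        return []
    path = m.group("path").lower()
    reasons = []
    if m.group("missing"):
        reasons.append("file missing")
    if m.group("owner") == "Unknown owner":
        reasons.append("unknown owner")
    if path.startswith("c:\\windows\\") and not path.startswith("c:\\windows\\system32\\"):
        reasons.append("binary in Windows folder outside system32")
    return reasons

def triage_log(lines):
    """Map each suspicious F2/O23 log line to the reasons it was flagged."""
    findings = {}
    for line in lines:
        if line.startswith(F2_PREFIX):
            extras = userinit_extras(line[len(F2_PREFIX):])
            if extras:
                findings[line] = ["extra Userinit entry: " + e for e in extras]
        elif reasons := triage_o23(line):
            findings[line] = reasons
    return findings

# Sample input: two lines copied from the HijackThis log quoted in the thread.
SAMPLE_LOG = [
    r"F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ODBCJET.exe,",
    r"O23 - Service: pms (Portable Media Serial) - Unknown owner - C:\WINDOWS\UPsutup.exe (file missing)",
]
```

Run `triage_log(SAMPLE_LOG)` to get each flagged line mapped to its reasons; a service in Program Files with a named owner and a present binary comes back clean.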