Thread: ctv*****.exe cryptographed malware. Need Help Pls!

  1. #1
    Junior Member Damn_VCT-exe
    Join Date
    Oct 2009
    Location
    Lisbon, PT
    Posts
    11

    ctv*****.exe cryptographed malware. Need Help Pls!

    Hello tech people
    Since a week ago my PC with OS Win XP Pro SP3 has been slowing down, and web browsing with Firefox 3.5 / Opera 9 is showing a performance decrease. Two days ago I discovered in Task Manager (image follows) the constant presence of various ctv*****.exe, always replicating with five random digits. Even after deleting them in the C:\Documents and Settings\[user]\Local Settings\temp\ folder, the ctv files remain. Antivirus Avast 4.x and SpyBot, even running in Safe Mode, didn't detect these files, so they could not fix the problem.
    HijackThis log file follows:


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:06:16, on 20-10-2009
    Platform: Windows XP SP3, v.5857 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\UnsignedThemesSvc.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\oodag.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\ALCXMNTR.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\DOCUME~1\BFERRY~1\LOCALS~1\Temp\ctv16991.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
    O4 - HKLM\..\Run: [OODefragTray] C:\WINDOWS\system32\oodtray.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [OutpostMonitor] C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe /tray /noservice
    O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - S-1-5-18 Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE (User 'SYSTEM')
    O4 - .DEFAULT Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE (User 'Default user')
    O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1255038252750
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1255716346265
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O23 - Service: Agnitum Client Security Service (acssrv) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
    O23 - Service: Unsigned Themes (UnsignedThemes) - The Within Network, LLC - C:\WINDOWS\UnsignedThemesSvc.exe
    O24 - Desktop Component 0: (no name) - (no file)

    GMER log file as follows:

    GMER 1.0.15.15163 - http://www.gmer.net
    Rootkit scan 2009-10-19 19:25:55
    Windows 5.1.2600 Service Pack 3, v.5857
    Running: 33y9tx84.exe; Driver: C:\DOCUME~1\BFERRY~1\LOCALS~1\Temp\kxldapob.sys


    ---- System - GMER 1.0.15 ----

    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwAssignProcessToJobObject [0xB031CA60]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xB022C6B8]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwConnectPort [0xB031E920]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwCreateFile [0xB02FDF60]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xB022C574]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwCreateProcess [0xB03152B0]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwCreateProcessEx [0xB0315BB0]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwCreateSection [0xB02FCD10]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwCreateSymbolicLinkObject [0xB0308E40]
    SSDT B9F5878C ZwCreateThread
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwDebugActiveProcess [0xB0321F30]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwDeleteFile [0xB0307B20]
    SSDT B9F5879B ZwDeleteKey
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xB022CA52]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xB022C14C]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwLoadDriver [0xB0312BB0]
    SSDT B9F587AA ZwLoadKey
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwMakeTemporaryObject [0xB03086B0]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwOpenFile [0xB0300C10]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xB022C64E]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xB022C08C]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwOpenSection [0xB02FD580]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xB022C0F0]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwProtectVirtualMemory [0xB031DDA0]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwQueryDirectoryFile [0xB03028A0]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwQueryKey [0xB030C750]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xB022C76E]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwQueueApcThread [0xB031BED0]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwRenameKey [0xB0310590]
    SSDT B9F587B4 ZwReplaceKey
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwRequestPort [0xB0320A50]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwRequestWaitReplyPort [0xB0320D70]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xB022C72E]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSaveKey [0xB030EC80]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSaveKeyEx [0xB030F4D0]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSecureConnectPort [0xB031F480]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSetContextThread [0xB031B440]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSetInformationDebugObject [0xB0322520]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSetInformationFile [0xB0303BF0]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSetSystemInformation [0xB03121C0]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xB022C8AE]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSuspendProcess [0xB031A190]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSuspendThread [0xB031AAC0]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSystemDebugControl [0xB0321770]
    SSDT B9F58787 ZwTerminateProcess
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwTerminateThread [0xB0319620]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwUnloadDriver [0xB0313530]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwWriteVirtualMemory [0xB031D2B0]

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntoskrnl.exe!_abnormal_termination + C8 804E2724 4 Bytes JMP A040D75A
    .text ntoskrnl.exe!_abnormal_termination + 394 804E29F0 1 Byte [80]
    .text ntoskrnl.exe!_abnormal_termination + 440 804E2A9C 12 Bytes [90, A1, 31, B0, C0, AA, 31, ...] {NOP ; MOV EAX, [0xaac0b031]; XOR [EAX-0x4fcde890], ESI}

    ---- User code sections - GMER 1.0.15 ----

    .text C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe[184] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes JMP 00522570 C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe (Agnitum Outpost Service/Agnitum Ltd.)
    .text C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe[2180] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0059EB4C C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe (Outpost User Interface/Agnitum Ltd.)
    .text C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe[2180] kernel32.dll!LoadResource 7C80A055 5 Bytes JMP 0059E828 C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe (Outpost User Interface/Agnitum Ltd.)
    .text C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe[2180] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes JMP 0059EA88 C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe (Outpost User Interface/Agnitum Ltd.)
    .text C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe[2180] USER32.dll!EnableWindow 7E41BE69 5 Bytes JMP 0116944C C:\PROGRA~1\Agnitum\OUTPOS~1\op_cmn.dll (Outpost Common Controls Library/Agnitum Ltd.)
    .text C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe[2180] USER32.dll!SetWindowsHookExW 7E42DFFE 5 Bytes JMP 0059EB20 C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe (Outpost User Interface/Agnitum Ltd.)
    .text C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe[2180] USER32.dll!SetWindowsHookExA 7E431221 5 Bytes JMP 0059EAF4 C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe (Outpost User Interface/Agnitum Ltd.)

    ---- Kernel IAT/EAT - GMER 1.0.15 ----

    IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [B9880906] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
    IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [B9880906] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [B9880906] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
    IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [B9880906] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
    IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [B9880906] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
    IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisOpenAdapter] [B9880906] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
    IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [B9880906] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
    IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!NtSetInformationFile] [B0312190] \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.)
    IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!IoCreateFile] [B02FF130] \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.)

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\WINDOWS\system32\services.exe[872] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003A0002
    IAT C:\WINDOWS\system32\services.exe[872] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003A0000

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

    Device \Driver\Tcpip \Device\Ip afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)

    AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

    Device \Driver\Tcpip \Device\Tcp afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)

    AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs@start 4
    Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs@type 1
    Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs@group file system
    Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs@imagepath \systemroot\system32\drivers\gasfkywafaqhou.sys
    Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\main (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\main@aid 20188
    Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\main@sid 0
    Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\main@cmddelay 14400
    Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\main\delete (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\main\injector (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\main\injector@* gasfkywsp8.dll
    Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\main\injector@svchost.exe gasfkyconu.dll
    Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\main\tasks (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\modules (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkywafaqhou.sys
    Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\modules@gasfkycmd.dll \systemroot\system32\gasfkyltouorpl.dll
    Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\modules@gasfkylog.dat \systemroot\system32\gasfkytylswgqd.dat
    Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\modules@gasfkywsp.dll \systemroot\system32\gasfkykejfuuwk.dll
    Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\modules@gasfky.dat \systemroot\system32\gasfkyofyaacup.dat
    Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\modules@gasfkywsp8.dll \systemroot\system32\gasfkysjmutwvp.dll
    Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\modules@gasfkycony.dll \systemroot\system32\gasfkyofdwqnqe.dll
    Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\modules@gasfkyconu.dll \systemroot\system32\gasfkythoptnkp.dll
    Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs@start 4
    Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs@type 1
    Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs@group file system
    Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs@imagepath \systemroot\system32\drivers\gasfkywafaqhou.sys
    Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\main (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\main@aid 20188
    Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\main@sid 0
    Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\main@cmddelay 14400
    Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\main\delete (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\main\injector (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\main\injector@* gasfkywsp8.dll
    Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\main\injector@svchost.exe gasfkyconu.dll
    Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\main\tasks (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\modules (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkywafaqhou.sys
    Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\modules@gasfkycmd.dll \systemroot\system32\gasfkyltouorpl.dll
    Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\modules@gasfkylog.dat \systemroot\system32\gasfkytylswgqd.dat
    Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\modules@gasfkywsp.dll \systemroot\system32\gasfkykejfuuwk.dll
    Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\modules@gasfky.dat \systemroot\system32\gasfkyofyaacup.dat
    Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\modules@gasfkywsp8.dll \systemroot\system32\gasfkysjmutwvp.dll
    Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\modules@gasfkycony.dll \systemroot\system32\gasfkyofdwqnqe.dll
    Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\modules@gasfkyconu.dll \systemroot\system32\gasfkythoptnkp.dll
    Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System
    Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG11.00.00.01WORKSTATION 88AC12D0D1B72D6A66F421C03202A9A37A23F63DCB493BC00933435

    --
    End of file - 6871 bytes

    Would appreciate kind help ASAP
    Last edited by tashi; 2009-10-20 at 05:54. Reason: Broke lines to prevent page sprawl, Forum FAQ-produce only a HJT log ;-)

  2. #2
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Hi,

    Download DDS and save it to your desktop from here or here or here.
    Disable any script blocker, and then double click dds.scr to run the tool.
    • When done, DDS will open two (2) logs:
      1. DDS.txt
      2. Attach.txt
    • Save both reports to your desktop. Post them back to your topic.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  3. #3
    Junior Member Damn_VCT-exe
    Join Date
    Oct 2009
    Location
    Lisbon, PT
    Posts
    11

    DDS.com log files attached.
    Thanks for your help
    SSDT B9F587AA ZwLoadKey
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwMakeTemporaryObject [0xB03086B0]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwOpenFile [0xB0300C10]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xB022C64E]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xB022C08C]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwOpenSection [0xB02FD580]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xB022C0F0]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwProtectVirtualMemory [0xB031DDA0]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwQueryDirectoryFile [0xB03028A0]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwQueryKey [0xB030C750]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xB022C76E]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwQueueApcThread [0xB031BED0]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwRenameKey [0xB0310590]
    SSDT B9F587B4 ZwReplaceKey
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwRequestPort [0xB0320A50]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwRequestWaitReplyPort [0xB0320D70]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xB022C72E]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSaveKey [0xB030EC80]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSaveKeyEx [0xB030F4D0]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSecureConnectPort [0xB031F480]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSetContextThread [0xB031B440]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSetInformationDebugObject [0xB0322520]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSetInformationFile [0xB0303BF0]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSetSystemInformation [0xB03121C0]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xB022C8AE]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSuspendProcess [0xB031A190]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSuspendThread [0xB031AAC0]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSystemDebugControl [0xB0321770]
    SSDT B9F58787 ZwTerminateProcess
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwTerminateThread [0xB0319620]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwUnloadDriver [0xB0313530]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwWriteVirtualMemory [0xB031D2B0]

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntoskrnl.exe!_abnormal_termination + C8 804E2724 4 Bytes JMP A040D75A
    .text ntoskrnl.exe!_abnormal_termination + 394 804E29F0 1 Byte [80]
    .text ntoskrnl.exe!_abnormal_termination + 440 804E2A9C 12 Bytes [90, A1, 31, B0, C0, AA, 31, ...] {NOP ; MOV EAX, [0xaac0b031]; XOR [EAX-0x4fcde890], ESI}

    ---- User code sections - GMER 1.0.15 ----

    .text C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe[184] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes JMP 00522570 C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe (Agnitum Outpost Service/Agnitum Ltd.)
    .text C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe[2180] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0059EB4C C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe (Outpost User Interface/Agnitum Ltd.)
    .text C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe[2180] kernel32.dll!LoadResource 7C80A055 5 Bytes JMP 0059E828 C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe (Outpost User Interface/Agnitum Ltd.)
    .text C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe[2180] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes JMP 0059EA88 C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe (Outpost User Interface/Agnitum Ltd.)
    .text C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe[2180] USER32.dll!EnableWindow 7E41BE69 5 Bytes JMP 0116944C C:\PROGRA~1\Agnitum\OUTPOS~1\op_cmn.dll (Outpost Common Controls Library/Agnitum Ltd.)
    .text C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe[2180] USER32.dll!SetWindowsHookExW 7E42DFFE 5 Bytes JMP 0059EB20 C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe (Outpost User Interface/Agnitum Ltd.)
    .text C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe[2180] USER32.dll!SetWindowsHookExA 7E431221 5 Bytes JMP 0059EAF4 C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe (Outpost User Interface/Agnitum Ltd.)

    ---- Kernel IAT/EAT - GMER 1.0.15 ----

    IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [B9880906] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
    IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [B9880906] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [B9880906] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
    IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [B9880906] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
    IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [B9880906] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
    IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisOpenAdapter] [B9880906] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
    IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [B9880906] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
    IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!NtSetInformationFile] [B0312190] \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.)
    IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!IoCreateFile] [B02FF130] \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.)

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\WINDOWS\system32\services.exe[872] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003A0002
    IAT C:\WINDOWS\system32\services.exe[872] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003A0000

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

    Device \Driver\Tcpip \Device\Ip afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)

    AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

    Device \Driver\Tcpip \Device\Tcp afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)

    AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs@start 4
    Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs@type 1
    Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs@group file system
    Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs@imagepath \systemroot\system32\drivers\gasfkywafaqhou.sys
    Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\main (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\main@aid 20188
    Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\main@sid 0
    Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\main@cmddelay 14400
    Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\main\delete (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\main\injector (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\main\injector@* gasfkywsp8.dll
    Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\main\injector@svchost.exe gasfkyconu.dll
    Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\main\tasks (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\modules (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkywafaqhou.sys
    Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\modules@gasfkycmd.dll \systemroot\system32\gasfkyltouorpl.dll
    Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\modules@gasfkylog.dat \systemroot\system32\gasfkytylswgqd.dat
    Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\modules@gasfkywsp.dll \systemroot\system32\gasfkykejfuuwk.dll
    Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\modules@gasfky.dat \systemroot\system32\gasfkyofyaacup.dat
    Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\modules@gasfkywsp8.dll \systemroot\system32\gasfkysjmutwvp.dll
    Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\modules@gasfkycony.dll \systemroot\system32\gasfkyofdwqnqe.dll
    Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\modules@gasfkyconu.dll \systemroot\system32\gasfkythoptnkp.dll
    Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs@start 4
    Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs@type 1
    Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs@group file system
    Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs@imagepath \systemroot\system32\drivers\gasfkywafaqhou.sys
    Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\main (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\main@aid 20188
    Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\main@sid 0
    Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\main@cmddelay 14400
    Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\main\delete (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\main\injector (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\main\injector@* gasfkywsp8.dll
    Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\main\injector@svchost.exe gasfkyconu.dll
    Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\main\tasks (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\modules (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkywafaqhou.sys
    Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\modules@gasfkycmd.dll \systemroot\system32\gasfkyltouorpl.dll
    Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\modules@gasfkylog.dat \systemroot\system32\gasfkytylswgqd.dat
    Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\modules@gasfkywsp.dll \systemroot\system32\gasfkykejfuuwk.dll
    Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\modules@gasfky.dat \systemroot\system32\gasfkyofyaacup.dat
    Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\modules@gasfkywsp8.dll \systemroot\system32\gasfkysjmutwvp.dll
    Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\modules@gasfkycony.dll \systemroot\system32\gasfkyofdwqnqe.dll
    Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\modules@gasfkyconu.dll \systemroot\system32\gasfkythoptnkp.dll
    Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System
    Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG11.00.00.01WORKSTATION 88AC12D0D1B72D6A66F421C03202A9A37A23F63DCB493BC00933435



    --
    End of file - 6871 bytes



    Would appreciate kind help ASAP
    Damn_VCT

  4. #4
    Blade81 (Security Expert: Emeritus; Finland; joined Oct 2006; 25,288 posts)

    Hi again


    IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

    µTorrent


    I'd like you to read this thread.

    Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).


    You seem to have run ComboFix there (not recommended without trained helper's supervision!). Post contents of c:\combofix.txt log, please.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  5. #5
    Damn_VCT-exe (Junior Member; Lisbon, PT; joined Oct 2009; 11 posts)

    Hi again

    Combofix log file zipped and attached
    Thanks


    Quote Originally Posted by Blade81
    Hi again


    IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

    µTorrent


    I'd like you to read this thread.

    Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).


    You seem to have run ComboFix there (not recommended without trained helper's supervision!). Post contents of c:\combofix.txt log, please.
    Damn_VCT

  6. #6
    Blade81 (Security Expert: Emeritus; Finland; joined Oct 2006; 25,288 posts)

    Hi,

    Open MBAM and update its definitions. Then run a full scan with it. Post back the report.

  7. #7
    Damn_VCT-exe (Junior Member; Lisbon, PT; joined Oct 2009; 11 posts)

    MBAM log attached. Trojans deleted and quarantined, although I have already done this and the files are always replicating randomly.
    Thanks

    Quote Originally Posted by Blade81
    Hi,

    Open MBAM and update its definitions. Then run a full scan with it. Post back the report.
    Damn_VCT
