This was performed on a live (not Virtual) machine.
Important to note that this particular machine came with two different FakeAVs: XP Antispyware 2012 and System Check which I've covered earlier here.
__________________________________________________________________________________
RogueKiller |
¤¤¤ Bad processes: 4 ¤¤¤
[WINDOW : System Check] aG6mmkUgRr179B.exe -- C:\Documents and Settings\All Users\Application Data\aG6mmkUgRr179B.exe -> KILLED [TermProc]
[SUSP PATH] arpwrmsg.exe -- C:\WINDOWS\ARPWRMSG.EXE -> KILLED [TermProc]
[SUSP PATH] UIWWFDnoJEOaR.exe -- C:\Documents and Settings\All Users\Application Data\UIWWFDnoJEOaR.exe -> KILLED [TermProc]
[SUSP PATH] qkm.exe -- C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\qkm.exe -> KILLED [TermProc]
¤¤¤ Registry Entries: 11 ¤¤¤
[SUSP PATH] HKCU\[...]\Run : ae46da13 (C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\qkm.exe) -> FOUND
[SUSP PATH] HKLM\[...]\Run : UIWWFDnoJEOaR.exe (C:\Documents and Settings\All Users\Application Data\UIWWFDnoJEOaR.exe) -> FOUND
[SUSP PATH] HKLM\[...]\Run : wvgmkfnxrI.exe (C:\Documents and Settings\All Users\Application Data\wvgmkfnxrI.exe) -> FOUND
[SUSP PATH] HKUS\S-1-5-21-2216767945-41830626-3922640483-1007[...]\Run : ae46da13 (C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\qkm.exe) -> FOUND
[SUSP PATH] Memeo AutoBackup Launcher.lnk : C:\Documents and Settings\HP_Administrator\Application Data\Microsoft\Installer\{6BCEB97B-F315-455D-BC2D-565A1A6781E8}\NewShortcut4_51A847D327C24F7797772AF2A4E486ED.exe -> FOUND
[HJPOL] HKLM\[...]\System : DisableTaskMgr (1) -> FOUND
[HJPOL] HKCU\[...]\Explorer : NoDesktop (1) -> FOUND
[WallPP] HKCU\[...]\Desktop : Wallpaper () -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowMyComputer (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowSearch (0) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[WINDOW : System Check] aG6mmkUgRr179B.exe -- C:\Documents and Settings\All Users\Application Data\aG6mmkUgRr179B.exe -> KILLED [TermProc]
[SUSP PATH] arpwrmsg.exe -- C:\WINDOWS\ARPWRMSG.EXE -> KILLED [TermProc]
[SUSP PATH] UIWWFDnoJEOaR.exe -- C:\Documents and Settings\All Users\Application Data\UIWWFDnoJEOaR.exe -> KILLED [TermProc]
[SUSP PATH] qkm.exe -- C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\qkm.exe -> KILLED [TermProc]
¤¤¤ Registry Entries: 11 ¤¤¤
[SUSP PATH] HKCU\[...]\Run : ae46da13 (C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\qkm.exe) -> FOUND
[SUSP PATH] HKLM\[...]\Run : UIWWFDnoJEOaR.exe (C:\Documents and Settings\All Users\Application Data\UIWWFDnoJEOaR.exe) -> FOUND
[SUSP PATH] HKLM\[...]\Run : wvgmkfnxrI.exe (C:\Documents and Settings\All Users\Application Data\wvgmkfnxrI.exe) -> FOUND
[SUSP PATH] HKUS\S-1-5-21-2216767945-41830626-3922640483-1007[...]\Run : ae46da13 (C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\qkm.exe) -> FOUND
[SUSP PATH] Memeo AutoBackup Launcher.lnk : C:\Documents and Settings\HP_Administrator\Application Data\Microsoft\Installer\{6BCEB97B-F315-455D-BC2D-565A1A6781E8}\NewShortcut4_51A847D327C24F7797772AF2A4E486ED.exe -> FOUND
[HJPOL] HKLM\[...]\System : DisableTaskMgr (1) -> FOUND
[HJPOL] HKCU\[...]\Explorer : NoDesktop (1) -> FOUND
[WallPP] HKCU\[...]\Desktop : Wallpaper () -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowMyComputer (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowSearch (0) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
¤¤¤ Infection : Rogue.FakeHDD|Root.MBR|ZeroAccess ¤¤¤
[ZeroAccess] (LOCKED) windir\NtUpdateKBxxxx present!
[ZeroAccess] (LOCKED) windir\NtUpdateKBxxxx present!
+++++ PhysicalDrive0: +++++
--- User ---
[MBR] bf2ee68d3eb0a197c05e0152bcdefae2
[BSP] 05e3161cf4ce79602881f99911e8893d : MBR Code unknown
Partition table:
0 - [ACTIVE] NTFS [VISIBLE] Offset (sectors): 63 | Size: 290566 Mo
1 - [XXXXXX] FAT32 [VISIBLE] Offset (sectors): 567528255 | Size: 9491 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] 004c402e0306e2f8ba947eacd4148327
[BSP] 33db9831113af5b866680bf417fa5a5d : PiHar MBR Code!
Partition table:
0 - [ACTIVE] NTFS [VISIBLE] Offset (sectors): 63 | Size: 290566 Mo
1 - [XXXXXX] FAT32 [VISIBLE] Offset (sectors): 567528255 | Size: 9491 Mo
+++++ PhysicalDrive1: +++++
--- User ---
[MBR] 8da38b9ec667eb12484664792003e81b
[BSP] 9c39957118038b3040b5edd3b3224b1e : Windows 7 MBR Code
Partition table:
0 - [ACTIVE] NTFS [VISIBLE] Offset (sectors): 2048 | Size: 8034 Mo
User = LL1 ... OK!
Error reading LL2 MBR!
__________________________________________________________________________________
TDSSKiller |
Backup copy found, using it..
C:\WINDOWS\system32\DRIVERS\netbt.sys - will be cured on reboot
\Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - will be cured on reboot
\Device\Harddisk0\DR0 - ok
\Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - User select action: Cure
\Device\Harddisk0\DR0\TDLFS - deleted
\Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Delete
Two different rootkits here!
__________________________________________________________________________________
SAS |
Disabled.TaskManager
HKU\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM#DISABLETASKMGR
HKU\S-1-5-18\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM#DISABLETASKMGR
Trace.Known Threat Sources
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Local Settings\Temporary Internet Files\Content.IE5\55420F1N\7922f78e7b923_2176335[1].flv [ cache:wista ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Local Settings\Temporary Internet Files\Content.IE5\6Y3T1ZD7\fc548d3114a0c_2176313[1].flv [ cache:wista ]
Adware.IWinGames
HKU\S-1-5-21-2216767945-41830626-3922640483-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8CA5ED52-F3FB-4414-A105-2E3491156990}
Trojan.Agent/Gen-FakeAlert[Local]
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\AG6MMKUGRR179B.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\UIWWFDNOJEOAR.EXE
C:\DOCUMENTS AND SETTINGS\HP_ADMINISTRATOR\DESKTOP\SYSTEM CHECK.LNK
C:\DOCUMENTS AND SETTINGS\HP_ADMINISTRATOR\START MENU\PROGRAMS\SYSTEM CHECK\SYSTEM CHECK.LNK
C:\DOCUMENTS AND SETTINGS\HP_ADMINISTRATOR\START MENU\PROGRAMS\SYSTEM CHECK\UNINSTALL SYSTEM CHECK.LNK
C:\WINDOWS\Prefetch\AG6MMKUGRR179B.EXE-3A625C98.pf
C:\WINDOWS\Prefetch\UIWWFDNOJEOAR.EXE-0493FF7A.pf
Trojan.Agent/Gen-FakeAnitSpy
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\WVGMKFNXRI.EXE
C:\DOCUMENTS AND SETTINGS\HP_ADMINISTRATOR\DESKTOP\RK_QUARANTINE\WVGMKFNXRI.EXE.VIR
C:\WINDOWS\Prefetch\WVGMKFNXRI.EXE-1D475FEC.pf
Trojan.Agent/Gen-BOPE
C:\DOCUMENTS AND SETTINGS\HP_ADMINISTRATOR\DESKTOP\RK_QUARANTINE\AG6MMKUGRR179B.EXE.VIR
C:\DOCUMENTS AND SETTINGS\HP_ADMINISTRATOR\DESKTOP\RK_QUARANTINE\UIWWFDNOJEOAR.EXE.VIR
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\APPLICATION DATA\SUN\JAVA\DEPLOYMENT\CACHE\6.0\9\7CE9E4C9-58FB998C
Trojan.Agent/Gen-MSFraud
C:\DOCUMENTS AND SETTINGS\HP_ADMINISTRATOR\DESKTOP\RK_QUARANTINE\QKM.EXE.VIR
C:\DOCUMENTS AND SETTINGS\HP_ADMINISTRATOR\LOCAL SETTINGS\APPLICATION DATA\HIUEKWE.EXE
C:\DOCUMENTS AND SETTINGS\HP_ADMINISTRATOR\LOCAL SETTINGS\APPLICATION DATA\QKM.EXE
Trojan.Agent/Gen-FraudLoad
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\LOCAL SETTINGS\APPLICATION DATA\VVQRPXQA.EXE
C:\WINDOWS\Prefetch\VVQRPXQA.EXE-35F084AC.pf
HKU\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM#DISABLETASKMGR
HKU\S-1-5-18\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM#DISABLETASKMGR
Trace.Known Threat Sources
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Local Settings\Temporary Internet Files\Content.IE5\55420F1N\7922f78e7b923_2176335[1].flv [ cache:wista ]
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Local Settings\Temporary Internet Files\Content.IE5\6Y3T1ZD7\fc548d3114a0c_2176313[1].flv [ cache:wista ]
Adware.IWinGames
HKU\S-1-5-21-2216767945-41830626-3922640483-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8CA5ED52-F3FB-4414-A105-2E3491156990}
Trojan.Agent/Gen-FakeAlert[Local]
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\AG6MMKUGRR179B.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\UIWWFDNOJEOAR.EXE
C:\DOCUMENTS AND SETTINGS\HP_ADMINISTRATOR\DESKTOP\SYSTEM CHECK.LNK
C:\DOCUMENTS AND SETTINGS\HP_ADMINISTRATOR\START MENU\PROGRAMS\SYSTEM CHECK\SYSTEM CHECK.LNK
C:\DOCUMENTS AND SETTINGS\HP_ADMINISTRATOR\START MENU\PROGRAMS\SYSTEM CHECK\UNINSTALL SYSTEM CHECK.LNK
C:\WINDOWS\Prefetch\AG6MMKUGRR179B.EXE-3A625C98.pf
C:\WINDOWS\Prefetch\UIWWFDNOJEOAR.EXE-0493FF7A.pf
Trojan.Agent/Gen-FakeAnitSpy
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\WVGMKFNXRI.EXE
C:\DOCUMENTS AND SETTINGS\HP_ADMINISTRATOR\DESKTOP\RK_QUARANTINE\WVGMKFNXRI.EXE.VIR
C:\WINDOWS\Prefetch\WVGMKFNXRI.EXE-1D475FEC.pf
Trojan.Agent/Gen-BOPE
C:\DOCUMENTS AND SETTINGS\HP_ADMINISTRATOR\DESKTOP\RK_QUARANTINE\AG6MMKUGRR179B.EXE.VIR
C:\DOCUMENTS AND SETTINGS\HP_ADMINISTRATOR\DESKTOP\RK_QUARANTINE\UIWWFDNOJEOAR.EXE.VIR
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\APPLICATION DATA\SUN\JAVA\DEPLOYMENT\CACHE\6.0\9\7CE9E4C9-58FB998C
Trojan.Agent/Gen-MSFraud
C:\DOCUMENTS AND SETTINGS\HP_ADMINISTRATOR\DESKTOP\RK_QUARANTINE\QKM.EXE.VIR
C:\DOCUMENTS AND SETTINGS\HP_ADMINISTRATOR\LOCAL SETTINGS\APPLICATION DATA\HIUEKWE.EXE
C:\DOCUMENTS AND SETTINGS\HP_ADMINISTRATOR\LOCAL SETTINGS\APPLICATION DATA\QKM.EXE
Trojan.Agent/Gen-FraudLoad
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\LOCAL SETTINGS\APPLICATION DATA\VVQRPXQA.EXE
C:\WINDOWS\Prefetch\VVQRPXQA.EXE-35F084AC.pf
Notes: Read the Trace.Known Threat Sources section. May indicate where the infection came from (flash player exploit).
__________________________________________________________________________________
CF |
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\All Users\Application Data\~aG6mmkUgRr179B
c:\documents and settings\All Users\Application Data\~aG6mmkUgRr179Br
c:\documents and settings\All Users\Application Data\aG6mmkUgRr179B
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\HP_Administrator\Application Data\HPSU_48BitScanUpdate.log
c:\documents and settings\HP_Administrator\Start Menu\Programs\System Check
c:\documents and settings\HP_Administrator\WINDOWS
c:\documents and settings\QBDataServiceUser17\WINDOWS
c:\windows\$NtUninstallKB49832$
c:\windows\$NtUninstallKB49832$\123586037\@
c:\windows\$NtUninstallKB49832$\123586037\bckfg.tmp
c:\windows\$NtUninstallKB49832$\123586037\cfg.ini
c:\windows\$NtUninstallKB49832$\123586037\Desktop.ini
c:\windows\$NtUninstallKB49832$\123586037\keywords
c:\windows\$NtUninstallKB49832$\123586037\kwrd.dll
c:\windows\$NtUninstallKB49832$\123586037\L\aqaeidou
c:\windows\$NtUninstallKB49832$\123586037\lsflt7.ver
c:\windows\$NtUninstallKB49832$\123586037\U\00000001.@
c:\windows\$NtUninstallKB49832$\123586037\U\00000002.@
c:\windows\$NtUninstallKB49832$\123586037\U\00000004.@
c:\windows\$NtUninstallKB49832$\123586037\U\80000000.@
c:\windows\$NtUninstallKB49832$\123586037\U\80000004.@
c:\windows\$NtUninstallKB49832$\123586037\U\80000032.@
c:\windows\$NtUninstallKB49832$\4256935209
c:\windows\bcm225.tmp
c:\windows\bcm226.tmp
c:\windows\bcm227.tmp
c:\windows\bcm228.tmp
c:\windows\HPCPCUninstaller-6.3.2.116-9972322.exe
c:\windows\kb913800.exe
c:\windows\system32\config\systemprofile\WINDOWS
c:\windows\system32\drivers\etc\hosts.ics
D:\Autorun.inf
.
c:\windows\system32\drivers\intelppm.sys . . . is missing!!
.
.
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\All Users\Application Data\~aG6mmkUgRr179B
c:\documents and settings\All Users\Application Data\~aG6mmkUgRr179Br
c:\documents and settings\All Users\Application Data\aG6mmkUgRr179B
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\HP_Administrator\Application Data\HPSU_48BitScanUpdate.log
c:\documents and settings\HP_Administrator\Start Menu\Programs\System Check
c:\documents and settings\HP_Administrator\WINDOWS
c:\documents and settings\QBDataServiceUser17\WINDOWS
c:\windows\$NtUninstallKB49832$
c:\windows\$NtUninstallKB49832$\123586037\@
c:\windows\$NtUninstallKB49832$\123586037\bckfg.tmp
c:\windows\$NtUninstallKB49832$\123586037\cfg.ini
c:\windows\$NtUninstallKB49832$\123586037\Desktop.ini
c:\windows\$NtUninstallKB49832$\123586037\keywords
c:\windows\$NtUninstallKB49832$\123586037\kwrd.dll
c:\windows\$NtUninstallKB49832$\123586037\L\aqaeidou
c:\windows\$NtUninstallKB49832$\123586037\lsflt7.ver
c:\windows\$NtUninstallKB49832$\123586037\U\00000001.@
c:\windows\$NtUninstallKB49832$\123586037\U\00000002.@
c:\windows\$NtUninstallKB49832$\123586037\U\00000004.@
c:\windows\$NtUninstallKB49832$\123586037\U\80000000.@
c:\windows\$NtUninstallKB49832$\123586037\U\80000004.@
c:\windows\$NtUninstallKB49832$\123586037\U\80000032.@
c:\windows\$NtUninstallKB49832$\4256935209
c:\windows\bcm225.tmp
c:\windows\bcm226.tmp
c:\windows\bcm227.tmp
c:\windows\bcm228.tmp
c:\windows\HPCPCUninstaller-6.3.2.116-9972322.exe
c:\windows\kb913800.exe
c:\windows\system32\config\systemprofile\WINDOWS
c:\windows\system32\drivers\etc\hosts.ics
D:\Autorun.inf
.
c:\windows\system32\drivers\intelppm.sys . . . is missing!!
Found a legit copy using SystemLook.
__________________________________________________________________________________
TST |
Thisisu's Scanning Tool (TST) is a program I am working on for finding traces of malware. It's in the very early stages of development but I thought I'd give it some practice to see how it performs ;)
----a-w- 2012-01-18 03:00:00 C:\Documents and Settings\HP_Administrator\Application Data\1c464a42
----a-w- 2012-01-18 03:00:00 C:\Documents and Settings\HP_Administrator\templates\31dd8447
----a-w- 2012-01-18 03:00:00 C:\Documents and Settings\All Users\Application data\48013ce3
----a-w- 2012-01-18 03:00:00 C:\Documents and Settings\HP_Administrator\local settings\application data\930ef073
----a-w- 2012-01-18 03:00:00 C:\Documents and Settings\HP_Administrator\templates\31dd8447
----a-w- 2012-01-18 03:00:00 C:\Documents and Settings\All Users\Application data\48013ce3
----a-w- 2012-01-18 03:00:00 C:\Documents and Settings\HP_Administrator\local settings\application data\930ef073
__________________________________________________________________________________
Misc Notes:
No residual OS damage.
No hidden partition.
___________________________________________________________________________________