I went into safe mode; still it boots up. It has bogus system files Iass.exe, Crss.exe, etc., but in a different folder written in the registry. However, in safe mode I can go into regedit and task manager. I disable the process but it keeps coming back again. I delete the registry entry; it still keeps coming. I even went into the Windows console manager and used the command line to delete, but access is denied. I tried to change the ACL of some visible files, after which they can be deleted in the console manager. But the major files are still completely hidden and I cannot change the ACL. I created a batch file to use the cacls command to give full access, but since CMD is disabled, it runs for 0.000001 sec and then cmd shuts down. HELP. Please view the ComboFix report.
Report as follows:
ComboFix 10-03-01.01 - Administrator 03/02/2010 11:19:23.2.1 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.510.218 [GMT 8:00]
Running from: c:\documents and settings\projc2\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\autorun.inf
.
---- Previous Run -------
.
C:\autorun.inf
c:\windows\Downloaded Program Files\Install.inf
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_MYWEBSEARCHSERVICE
((((((((((((((((((((((((( Files Created from 2010-02-02 to 2010-03-02 )))))))))))))))))))))))))))))))
.
2010-03-02 03:28 . 2010-03-02 03:28 1032704 ----a-w- c:\windows\MGY.exe
2010-03-01 08:43 . 2010-02-03 06:00 8005 ----a-w- c:\windows\kill.vbs
2010-03-01 08:43 . 2010-02-03 06:00 8005 ----a-w- C:\kill.vbs
2010-03-01 08:07 . 2010-03-01 08:07 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-02-26 03:33 . 2010-02-26 03:33 -------- d-----w- c:\documents and settings\projc2\Application Data\Malwarebytes
2010-02-26 03:33 . 2010-01-07 08:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-26 03:33 . 2010-01-07 08:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-26 03:32 . 2010-02-26 03:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-26 03:32 . 2010-02-26 03:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-26 02:46 . 2009-11-12 18:45 16417245 --sha-r- c:\windows\system32\mgy.exe
2010-02-26 02:46 . 2009-11-12 18:45 16417245 --sha-r- C:\mgy.exe
2010-02-26 02:46 . 2010-03-02 03:28 -------- d-sh--r- c:\windows\system32\{271287-000021-100287-705016}
2010-02-25 00:16 . 2010-02-25 00:17 -------- d-----w- c:\documents and settings\projc2\Local Settings\Application Data\Temp
2010-02-08 06:16 . 2010-02-08 06:16 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-02-06 06:11 . 2010-02-06 06:11 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-02-02 04:56 . 2010-02-02 04:56 -------- d-----w- c:\program files\Common Files\Java
2010-02-01 00:13 . 2010-02-05 00:10 -------- d-----w- c:\documents and settings\projc2\Application Data\PPlive
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-02 03:29 . 2008-04-28 03:46 -------- d-----w- c:\program files\Symantec AntiVirus
2010-03-02 02:50 . 2009-12-02 06:20 -------- d-----w- c:\documents and settings\All Users\Application Data\PPLive
2010-03-02 02:15 . 2009-06-18 11:16 -------- d-----w- c:\program files\PPStream
2010-03-02 00:11 . 2009-06-18 11:17 -------- d-----w- c:\documents and settings\projc2\Application Data\PPStream
2010-02-26 03:34 . 2010-02-26 03:34 5115823 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-02-26 00:02 . 2009-06-21 04:32 1287 ----a-w- c:\windows\system32\cid_store.dat
2010-02-22 00:35 . 2009-10-19 12:10 -------- d-----w- c:\program files\GVOD
2010-02-17 02:39 . 2009-11-22 05:01 -------- d-----w- c:\program files\QvodPlayer
2010-02-15 01:10 . 2009-06-21 04:32 -------- d-sh--w- c:\documents and settings\All Users\Application Data\thunder_vod_cache
2010-02-13 01:45 . 2010-02-13 01:45 1647984 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd309803.vdb\NAVEX32A.DLL
2010-02-13 01:45 . 2010-02-13 01:45 1324720 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd309803.vdb\NAVEX15.SYS
2010-02-13 01:45 . 2010-02-13 01:45 177520 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd309803.vdb\NAVENG32.DLL
2010-02-13 01:45 . 2010-02-13 01:45 84912 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd309803.vdb\NAVENG.SYS
2010-02-13 01:45 . 2010-02-13 01:45 102448 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd309803.vdb\ERASER.SYS
2010-02-13 01:45 . 2010-02-13 01:45 371248 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd309803.vdb\EECTRL.SYS
2010-02-13 01:45 . 2010-02-13 01:45 259440 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd309803.vdb\ECMSVR32.DLL
2010-02-13 01:45 . 2010-02-13 01:45 2747440 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd309803.vdb\CCERASER.DLL
2010-02-11 04:21 . 2009-10-19 12:13 -------- d-sh--w- c:\documents and settings\All Users\Application Data\GVODCache
2010-02-06 06:10 . 2008-06-12 01:51 -------- d-----w- c:\program files\Google
2010-02-02 04:57 . 2010-02-02 04:57 503808 ----a-w- c:\documents and settings\projc2\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4e0c0c67-n\msvcp71.dll
2010-02-02 04:57 . 2010-02-02 04:57 348160 ----a-w- c:\documents and settings\projc2\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4e0c0c67-n\msvcr71.dll
2010-02-02 04:56 . 2010-02-02 04:56 499712 ----a-w- c:\documents and settings\projc2\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4e0c0c67-n\jmc.dll
2010-02-02 04:56 . 2010-02-02 04:56 61440 ----a-w- c:\documents and settings\projc2\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-66e26215-n\decora-sse.dll
2010-02-02 04:56 . 2010-02-02 04:56 12800 ----a-w- c:\documents and settings\projc2\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-66e26215-n\decora-d3d.dll
2010-02-02 04:54 . 2009-01-13 02:59 -------- d-----w- c:\program files\Java
2010-01-21 00:08 . 2009-11-06 03:15 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-19 10:32 . 2009-06-21 04:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Thunder Network
2010-01-13 00:07 . 2009-12-02 06:20 -------- d-----w- c:\program files\PPLiveVA
2010-01-13 00:07 . 2009-12-02 06:20 -------- d-----w- c:\documents and settings\All Users\Application Data\PPLiveVA
2010-01-13 00:07 . 2009-12-02 06:16 -------- d-----w- c:\program files\PPLive
2010-01-13 00:07 . 2010-01-13 00:06 -------- d-----w- c:\program files\Common Files\PPLiveNetwork
2010-01-12 00:12 . 2009-12-02 06:21 -------- d-----w- c:\documents and settings\projc2\Application Data\PPLiveVA
2010-01-12 00:12 . 2010-01-12 00:12 6005448 ----a-w- c:\documents and settings\projc2\Application Data\PPLiveVA\PPVAUpdate\PPVAUpdate.exe
2010-01-09 07:41 . 2010-01-08 04:23 152576 ----a-w- c:\documents and settings\projc2\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-01-09 07:40 . 2009-12-03 00:10 79488 ----a-w- c:\documents and settings\projc2\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-06 05:11 . 2010-01-19 10:39 390960 ----a-w- c:\documents and settings\All Users\Application Data\Thunder Network\Thunder_A30B0AF7-D81B-464e-B4E4-4B6DF996FB46_\Components\DownloadLibDll\md_p_1.0.20\xldcagent.dll
2010-01-05 08:57 . 2009-12-02 06:20 2403376 ----a-w- c:\documents and settings\All Users\Application Data\PPLive\update\PPLiveLiteSetup2.exe
2009-12-31 16:14 . 2004-08-04 12:00 352640 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-22 05:42 . 2004-08-04 12:00 662016 ----a-w- c:\windows\system32\wininet.dll
2009-12-22 05:42 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-12-17 09:14 . 2009-01-13 02:59 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-16 12:58 . 2008-04-28 02:59 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:35 . 2004-08-04 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 18:55 . 2004-08-04 12:00 2180352 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:19 . 2004-08-03 22:59 2057728 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 14:41 . 2004-08-04 12:00 453760 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-12-02 09:33 . 2010-01-15 04:07 137008 ----a-w- c:\documents and settings\All Users\Application Data\Thunder Network\Thunder_A30B0AF7-D81B-464e-B4E4-4B6DF996FB46_\Components\DownloadLibDll\md_p_1.0.17\xl_mole.dll
2009-11-12 18:45 . 2010-02-26 02:46 16417245 --sha-r- c:\windows\system32\mgy.exe
2009-11-12 18:45 . 2010-03-01 11:11 16417245 --sh--r- c:\windows\system32\{271287-000021-100287-705016}\csrss.exe
2009-11-12 18:45 . 2010-02-26 02:46 16417245 --sha-r- c:\windows\system32\{271287-000021-100287-705016}\smss.exe
.
------- Sigcheck -------
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 . 43333B1B7E6AE2D4367C7F0B366A85A6 . 360320 . . [5.1.2600.3394] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[-] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\tcpip.sys
[7] 2007-10-30 . 90CAFF4B094573449A0872A0F919B178 . 360064 . . [5.1.2600.3244] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
[7] 2007-10-30 . 64798ECFA43D78C7178375FCDD16D8C8 . 360832 . . [5.1.2600.3244] . . c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB941644$\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-19 68856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-05 94208]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-05 77824]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-05 114688]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-07 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 66680]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2004-03-12 124128]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"Msmsgs"="c:\windows\system32\{271287-000021-100287-705016}\csrss.exe" [2009-11-12 16417245]
"mgy"="c:\windows\system32\mgy.exe" [2009-11-12 16417245]
c:\documents and settings\projc2\Start Menu\Programs\Startup\
PPS.lnk - c:\program files\PPStream\PPStream.exe [2009-11-27 2540424]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoHelp"= 0 (0x0)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoFind"= 1 (0x1)
"NoFolderOptions"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"System"="c:\windows\system32\{271287-000021-100287-705016}\smss.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mgy]
2009-11-12 18:45 16417245 --sha-r- c:\windows\system32\mgy.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Msmsgs]
2009-11-12 18:45 16417245 --sh--r- c:\windows\system32\{271287-000021-100287-705016}\csrss.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\PPStream\\PPStream.exe"=
"c:\\Program Files\\PPStream\\PPSAP.exe"=
"c:\\Program Files\\PPStream\\update\\ppstreamsetup-update090811.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Thunder Network\\Thunder\\Program\\Thunder.exe"=
"c:\\Program Files\\GVOD\\GVODS.exe"=
"c:\\Program Files\\PPLive\\PPLive.exe"=
"c:\\Program Files\\PPLiveVA\\PPLiveVA.exe"=
"c:\\Program Files\\PPLive\\PPVA\\PPLiveVA_U.exe"=
"c:\\Program Files\\PPLive\\PPVA\\FlvPick.exe"=
"c:\\Program Files\\PPLive\\PPVA\\PPLiveVA.exe"=
"c:\\Program Files\\PPLive\\PPVA\\crashreporter.exe"=
"c:\\Program Files\\PPLive\\PPVA\\PPVADownload.exe"=
"c:\\Program Files\\PPLive\\PPVA\\DownloadProgress.exe"=
"c:\\Program Files\\Common Files\\PPLiveNetwork\\PPAP.exe"=
"c:\\Program Files\\QvodPlayer\\QvodTerminal.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/6/2010 2:10 PM 135664]
S2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/12/2004 3:18 PM 169192]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 s816bus;Sony Ericsson Device 816 driver (WDM);c:\windows\system32\drivers\s816bus.sys [6/19/2007 7:51 AM 81832]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL mgy.exe
\Shell\Explore\command - C:\mgy.exe
\Shell\Open\command - C:\mgy.exe
.
Contents of the 'Scheduled Tasks' folder
2010-03-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-06 06:10]
2010-03-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-06 06:10]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.yahoo.com
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {EF0D1A14-1033-41A2-A589-240C01EDC078} - hxxp://dl.pplive.com/PluginSetup.cab
.
- - - - ORPHANS REMOVED - - - -
BHO-{db9d7a78-a76c-4bf2-97c6-258925ee1542} - (no file)
AddRemove-Burn4Free - c:\documents and settings\projc2\Desktop\Viet Songs\Burn4Free\uninstall.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-02 11:31
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(1816)
c:\windows\system32\browselc.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Microsoft Office\OFFICE11\msohev.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\system32\igfxpph.dll
c:\windows\system32\hccutils.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\windows\regedit.exe
.
**************************************************************************
.
Completion time: 2010-03-02 11:40:09 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-02 03:40
Pre-Run: 17,937,801,216 bytes free
Post-Run: 17,901,518,848 bytes free
- - End Of File - - 4FDEA6CDC5946DA66E03C824FDC97ECC