Hello All,
I got infected by a Trojan (Fake Antivirus Soft) when running as a Non-Admin user. The infection was restricted only to that user. I am still puzzled on how I got the infection. I know it had to be due to running Google Chrome (more on this later).
Before I proceed, I'll let you all know that I have never had a virus infection in my 12 years of PC usage (until yesterday). I run a tight ship at home, have the works installed (AVG AntiVirus, Ashampoo Free Firewall, use only FF or Google Chrome, never run as Admin user unless required, use Run As where needed).
Now to the events preceding ComboFix:
1. I got hit by a fake-antivirus Trojan (Antivirus Soft) when running as a Non-Admin user, which was strange because I didn't navigate to one of those sites prone to infection (was just checking mail etc., all safe activities). So I immediately logged off and logged on as the Admin user. Then I installed Malwarebytes and SUPERAntiSpyware. One of these proceeded to remove the Trojan/virus (asam.exe). Next I logged on as the normal user and, just to be sure, I uninstalled Google Chrome and voila - the Trojan had not been removed but reactivated. Now I was doubly sure it was Google Chrome (uninstaller) that was infected, which had reactivated this fake antivirus Trojan (asam.exe & another file sys??.exe).
2. Anyway, feeling very stupid but not too worried, I just ran System Restore, restored to a couple of days back, and the Trojan was gone.
3. Just to be safe, I installed Malwarebytes, Spybot SD, SUPERAntiSpyware one after the other - and ALL was safe with NO threats. I really should've stopped at this point but I didn't.
4. I read something about ComboFix being very effective at scanning and removing malware. I proceeded to download and install it without reading the docs and warnings (I know it's really dumb, but anyway).
5. On launching ComboFix, it asked to disable AVG and PC Tools Spyware Doctor (which I could disable). However, I couldn't disable AVG for some reason.
At this point, just to be safe, I clicked on the 'X' of the ComboFix message box with the warning (really hoping it would cancel and exit out of ComboFix), but it was too late and my PC restarted in a flash and was up and running with ComboFix. My antivirus and firewall had not been loaded on restart. Heck, even Explorer had not been loaded. It was just ComboFix running at that point. Now I thought I'd let ComboFix run its course, hoping that it would ONLY scan and NOT make changes to my system.
After ComboFix finished and the PC restarted, to my absolute WTF moment, I found that it had made massive changes to my system, including removing AVG Antivirus and a whole lot of other changes. Still hoping that a System Restore would undo the changes, I started System Restore only to find that there was NO restore point created by ComboFix. Now I have the ComboFix log file that I am attaching at the end of this post.
Observations:
1. ComboFix only said "Attempting to create restore point" (no success message).
2. ComboFix could not install or download the Recovery Console.
3. ComboFix finished all stages and generated the ComboFix.txt file.
Questions:
1. Apart from AVG, what other software has been removed?
2. What are the changes to the registry?
3. Can all the changes made by ComboFix be undone?
Sorry for the long post, but I want to give as much information as possible. Find attached the ComboFix log file:
------------------------------BEGIN -----------------------------------------
ComboFix 10-06-01.01 - Admin 06/02/2010 8:39.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.481 [GMT 10:00]
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2010-05-01 to 2010-06-01 )))))))))))))))))))))))))))))))
.
2010-06-01 22:11 . 2010-06-01 22:11 52224 ----a-w- c:\documents and settings\Admin\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-06-01 22:11 . 2010-06-01 22:11 63488 ----a-w- c:\documents and settings\Admin\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-06-01 22:11 . 2010-06-01 22:11 117760 ----a-w- c:\documents and settings\Admin\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-06-01 22:11 . 2010-06-01 22:11 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-06-01 22:10 . 2010-06-01 22:10 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-06-01 21:46 . 2009-10-30 01:11 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-06-01 21:45 . 2009-11-09 01:20 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-06-01 21:45 . 2009-10-06 06:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-06-01 21:45 . 2009-09-02 23:45 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-06-01 11:29 . 2009-10-27 15:36 1152444 ----a-w- c:\windows\UDB.zip
2010-06-01 11:29 . 2008-11-26 02:08 131 ----a-w- c:\windows\IDB.zip
2010-06-01 11:28 . 2010-06-01 12:55 -------- d-----w- c:\program files\Spyware Doctor(2)
2010-06-01 11:28 . 2010-06-01 12:55 -------- d-----w- c:\program files\Common Files\PC Tools(2)
2010-06-01 10:45 . 2010-06-01 22:30 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-06-01 09:50 . 2010-06-01 09:50 -------- d-----w- c:\documents and settings\Admin\Application Data\SUPERAntiSpyware.com
2010-06-01 09:41 . 2010-06-01 09:41 -------- d-----w- c:\documents and settings\Admin\Application Data\Malwarebytes
2010-06-01 09:41 . 2010-06-01 09:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-01 09:41 . 2010-06-01 12:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-24 21:42 . 2010-05-24 22:02 -------- d-----w- C:\ramachs6
2010-05-16 21:43 . 2010-05-16 21:43 -------- d-----w- c:\documents and settings\HOME\Application Data\SharePod
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-01 22:35 . 2010-06-01 21:45 -------- d-----w- c:\program files\Spyware Doctor
2010-06-01 22:29 . 2010-06-01 21:16 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-06-01 22:19 . 2010-06-01 21:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-06-01 22:15 . 2009-11-25 21:57 -------- d-----w- c:\program files\Google
2010-06-01 21:56 . 2010-06-01 21:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-06-01 21:47 . 2010-06-01 21:45 -------- d-----w- c:\program files\Common Files\PC Tools
2010-06-01 21:45 . 2010-06-01 21:45 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-06-01 21:45 . 2010-06-01 21:45 -------- d-----w- c:\documents and settings\Admin\Application Data\PC Tools
2010-06-01 19:42 . 2009-08-09 04:44 -------- d-----w- c:\program files\Opera
2010-06-01 19:41 . 2010-06-01 19:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware-CLEAN
2010-05-31 21:20 . 2009-10-09 14:17 -------- d-----w- c:\documents and settings\HOME\Application Data\Free Download Manager
2010-05-31 21:20 . 2009-11-21 21:17 664 ----a-w- c:\documents and settings\HOME\Local Settings\Application Data\d3d9caps.dat
2010-05-23 10:47 . 2009-10-06 00:24 -------- d-----w- c:\documents and settings\HOME\Application Data\vlc
2010-05-23 06:30 . 2009-10-11 04:56 -------- d-----w- c:\documents and settings\HOME\Application Data\dvdcss
2010-04-29 05:39 . 2010-06-01 19:41 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 05:39 . 2010-06-01 19:41 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-21 09:42 . 2009-12-04 12:21 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-19 04:59 . 2010-04-19 04:59 255472 ----a-w- c:\documents and settings\HOME\Application Data\Mozilla\plugins\npgoogletalk.dll
2010-04-03 07:40 . 2010-04-03 07:40 -------- d-----w- c:\program files\SystemRequirementsLab
2010-04-03 07:40 . 2010-04-03 07:40 84480 ----a-w- c:\documents and settings\Admin\Application Data\SystemRequirementsLab\srlproxy_intel_4.1.66.0A.dll
2010-04-03 07:40 . 2010-04-03 07:40 -------- d-----w- c:\documents and settings\Admin\Application Data\SystemRequirementsLab
2010-03-23 02:30 . 2010-03-23 02:30 50354 ----a-w- c:\documents and settings\HOME\Application Data\Facebook\uninstall.exe
2010-03-22 18:38 . 2010-03-22 18:38 3600384 ----a-w- c:\windows\system32\GPhotos.scr
2010-03-12 21:05 . 2010-03-12 21:05 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-12 21:05 . 2009-12-04 12:20 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-03-12 21:04 . 2009-12-04 12:20 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-10 06:15 . 2004-08-04 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-07 03:46 . 2010-03-07 02:04 512 ----a-w- C:\helena.bin
2010-03-07 01:53 . 2010-03-07 01:53 512 ----a-w- C:\MBR_HardDisk0.dat
2010-03-07 01:10 . 2009-08-09 04:09 20720 ----a-w- c:\documents and settings\Admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-06 05:30 . 2010-03-06 05:30 847040 ----a-w- c:\documents and settings\HOME\Application Data\Facebook\axfbootloader.dll
2010-03-06 05:30 . 2010-03-06 05:30 5582848 ----a-w- c:\documents and settings\HOME\Application Data\Facebook\npfbplugin_1_0_3.dll
2010-03-05 03:52 . 2009-10-05 06:41 20720 ----a-w- c:\documents and settings\HOME\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-05 03:46 . 2010-03-05 03:46 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 52\AxAutoMntSrv.exe" [2009-11-15 33120]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-06-01 39408]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShaPlus Bandwidth Meter"="c:\program files\ShaPlus Bandwidth Meter\ShaPlus Bandwidth Meter" [X]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"StormCodec_Helper"="c:\program files\Ringz Studio\Storm Codec\StormSet.exe" [2006-09-30 96984]
"ClipX"="c:\program files\ClipX\clipx.exe" [2008-07-28 199168]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-13 611712]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"Ashampoo FireWall"="c:\program files\Ashampoo\Ashampoo FireWall FREE\FireWall.exe" [2008-06-02 3251800]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2009-11-18 1243088]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2010-1-16 113664]
Microsoft Office.lnk - c:\tools\OFFICEXP.PRO\FILES\PFILES\MSOFFICE\OFFICE10\OSA.EXE [2009-8-9 83360]
WordWeb.lnk - c:\program files\WordWeb\wweb32.exe [2009-8-9 44384]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-12 21:05 12464 ----a-w- c:\windows\system32\avgrsstx.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\AVG\\AVG9FREE\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9FREE\\avgnsx.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5353:TCP"= 5353:TCP:Adobe CSI CS4
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [6/2/2010 7:45 AM 207792]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [12/4/2009 10:20 PM 216200]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [12/4/2009 10:21 PM 242896]
R1 ISODisk;ISODisk;c:\windows\system32\drivers\ISODisk.sys [3/5/2010 2:59 PM 9600]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/18/2010 4:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/11/2010 4:41 AM 67656]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9FREE\avgwdsvc.exe [3/13/2010 7:04 AM 308064]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [6/2/2010 7:45 AM 359624]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [3/5/2010 1:46 PM 691696]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [11/26/2009 7:57 AM 135664]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 9:58 AM 11336]
--- Other Services/Drivers In Memory ---
*Deregistered* - PCTSDInjDriver32
.
Contents of the 'Scheduled Tasks' folder
2009-12-28 c:\windows\Tasks\avgupd.job
- c:\program files\AVG\AVG9FREE\avgupd.exe [2009-12-04 21:41]
2010-06-01 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2010-01-05 21:41]
2010-06-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-25 21:57]
2010-06-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-25 21:57]
2010-05-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-854245398-1532298954-839522115-1005Core.job
- c:\documents and settings\HOME\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-07 20:28]
2010-06-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-854245398-1532298954-839522115-1005UA.job
- c:\documents and settings\HOME\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-07 20:28]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
LSP: c:\program files\Ashampoo\Ashampoo FireWall FREE\spi.dll
FF - ProfilePath - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\qwkklrli.default\
FF - plugin: c:\program files\Google\Google Updater\2.4.1970.7372\npCIDetect14.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-02 08:47
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ASFWHide]
"ImagePath"="\??\c:\docume~1\Admin\LOCALS~1\Temp\ASFWHide"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(688)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
c:\windows\system32\igfxdev.dll
- - - - - - - > 'lsass.exe'(744)
c:\program files\Ashampoo\Ashampoo FireWall FREE\spi.dll
.
Completion time: 2010-06-02 08:50:50
ComboFix-quarantined-files.txt 2010-06-01 22:50
Pre-Run: 1,825,443,840 bytes free
Post-Run: 1,870,458,880 bytes free
- - End Of File - - C8DCDBB808B9BD38AFC619DF730AE680
------------------------------END -----------------------------------------
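Added example (not part of the original post, and not ComboFix's own code): a small Python parser for the "Reg Loading Points", firewall-policy and service/driver sections of a ComboFix log in the format shown above, followed by a few review heuristics that answer the kind of "what is in this log" questions the post asks: Windows Firewall disabled for the standard profile, TCP/3389 in GloballyOpenPorts, autoruns with no recorded file date/size (shown as [X]), service images loaded from a user profile or Temp path, and drivers listed as *Deregistered*. SAMPLE_LOG is a constructed excerpt shortened from the log above; the heuristics only point at entries worth checking and are not a verdict on them (ASFWHide, for instance, is flagged purely because of its Temp path).

```python
"""Parse the autostart/firewall/driver sections of a ComboFix log and flag review items."""
import re
from dataclasses import dataclass, field
from typing import Optional

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<rest>.*)$')
QUOTED_PATH_RE = re.compile(r'^"(?P<path>[^"]*)"\s*\[(?P<meta>[^\]]*)\]\s*$')
# e.g.  R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [6/2/2010 7:45 AM 207792]
DRIVER_RE = re.compile(r"^(?P<state>[RS][0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)\s+\[(?P<meta>[^\]]*)\]$")
DEREG_RE = re.compile(r"^\*Deregistered\*\s+-\s+(?P<name>\S+)$")
PORT_RE = re.compile(r"^(?P<port>\d+):(?P<proto>TCP|UDP)\b")
# Path fragments that mean "image lives in a user profile or Temp directory".
PROFILE_MARKERS = ("\\temp\\", "\\locals~1\\", "\\local settings\\", "\\application data\\")


@dataclass
class ComboFixReport:
    autoruns: list = field(default_factory=list)         # (key, name, path, meta)
    services: list = field(default_factory=list)         # (state, name, path)
    service_images: dict = field(default_factory=dict)   # service name -> ImagePath
    open_ports: list = field(default_factory=list)       # (port, proto)
    firewall_enabled: Optional[bool] = None              # None if the value was not in the log
    deregistered: list = field(default_factory=list)


def parse_combofix(text: str) -> ComboFixReport:
    """Walk the log line by line, tracking the current [registry key] for value lines."""
    rep, key = ComboFixReport(), None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := KEY_RE.match(line)):
            key = m["key"]
        elif (m := DRIVER_RE.match(line)):
            rep.services.append((m["state"], m["name"], m["path"]))
        elif (m := DEREG_RE.match(line)):
            rep.deregistered.append(m["name"])
        elif key is not None and (m := VALUE_RE.match(line)):
            name, rest, lk = m["name"], m["rest"].strip(), key.lower()
            if lk.endswith("\\currentversion\\run") and (q := QUOTED_PATH_RE.match(rest)):
                rep.autoruns.append((key, name, q["path"], q["meta"]))
            elif lk.endswith("\\firewallpolicy\\standardprofile") and name == "EnableFirewall":
                rep.firewall_enabled = rest.split()[0] != "0"   # '0 (0x0)' -> disabled
            elif lk.endswith("\\globallyopenports\\list") and (p := PORT_RE.match(name)):
                rep.open_ports.append((int(p["port"]), p["proto"]))
            elif "\\services\\" in lk and name == "ImagePath":
                rep.service_images[key.rsplit("\\", 1)[-1]] = rest.strip('"')
    return rep


def review(rep: ComboFixReport) -> list:
    """Heuristic pointers for a human reviewer; none of these is a malware verdict."""
    out = []
    if rep.firewall_enabled is False:
        out.append("Windows Firewall is disabled for the standard profile (EnableFirewall=0)")
    for port, proto in rep.open_ports:
        if (port, proto) == (3389, "TCP"):
            out.append("TCP/3389 (Remote Desktop) is listed in GloballyOpenPorts")
    for _key, name, path, meta in rep.autoruns:
        if meta == "X":
            out.append(f"autorun '{name}' has no recorded file date/size ([X]); check {path}")
    for svc, image in rep.service_images.items():
        if any(t in image.lower() for t in PROFILE_MARKERS):
            out.append(f"service '{svc}' image is under a profile/Temp path: {image}")
    for _state, name, path in rep.services:
        if any(t in path.lower() for t in PROFILE_MARKERS):
            out.append(f"driver/service '{name}' runs from a profile/Temp path: {path}")
    for name in rep.deregistered:
        out.append(f"'{name}' appears under Other Services/Drivers In Memory as *Deregistered*")
    return out


# Constructed excerpt, shortened from the log in the post; same line formats as ComboFix emits.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShaPlus Bandwidth Meter"="c:\program files\ShaPlus Bandwidth Meter\ShaPlus Bandwidth Meter" [X]
"Ashampoo FireWall"="c:\program files\Ashampoo\Ashampoo FireWall FREE\FireWall.exe" [2008-06-02 3251800]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5353:TCP"= 5353:TCP:Adobe CSI CS4
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [6/2/2010 7:45 AM 207792]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [3/5/2010 1:46 PM 691696]
--- Other Services/Drivers In Memory ---
*Deregistered* - PCTSDInjDriver32
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ASFWHide]
"ImagePath"="\??\c:\docume~1\Admin\LOCALS~1\Temp\ASFWHide"
"""

if __name__ == "__main__":
    for finding in review(parse_combofix(SAMPLE_LOG)):
        print("-", finding)
```

Run it against a full ComboFix.txt with `parse_combofix(open("ComboFix.txt", encoding="utf-8", errors="replace").read())`; the "Files Created" and "Find3M" sections are ignored by design, since their lines do not match any of the patterns above.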