Malware Remnant Blocking Symform Online Backup Software


  • This topic is locked
36 replies to this topic

#16 fireman4it (Malware Response Team)

Posted 28 September 2011 - 09:41 AM

Hello,

Let's look for a replacement for that file.

Please download SystemLook from jpshortstuff and save it to your Desktop

Download Mirror #1

Download Mirror #2

  • Double-click the SystemLook and copy/paste the following into the box
    :filefind
    *ftdisk*
  • Hit the Look button. Let it finish the scan
  • A log will then pop-up to your Desktop.. Post the content of the log here in your next reply

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!



#17 fireman4it (Malware Response Team)

Posted 01 October 2011 - 08:56 AM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 3-5 days the topic will need to be closed.

Thanks for understanding :)

With Regards,
fireman4it


#18 Lebowitz IT Services (Topic Starter)

Posted 02 October 2011 - 01:33 AM

My apologies for the delay - I was away for a couple of days.

I've attached the log. If I read it correctly, a previous anti-malware program (most likely Kaspersky Internet Security, since that's what the customer was using until it expired recently) detected a problem with ftdisk.sys and attempted to restore a good copy, but apparently was not successful, and a compressed copy of the original is available in C:\WINDOWS\I386.

- Mark Lebowitz


#19 fireman4it (Malware Response Team)

Posted 02 October 2011 - 01:32 PM

Hello,

Let's see if we can replace that bad file.


1.
Go to Start>>All Programs>>Accessories>>Command Prompt
Now type the following just as you see it.

EXPAND C:\WINDOWS\I386\FTDISK.sy_ C:\FTDISK.sys

You should start to see something similar to this

Expanding c:\windows\i386\FTDISK.sy_ to c:\FTDISK.sys.
c:\windows\i386\FTDISK.sy_: 60791 bytes expanded to 125056 bytes, 92% increase.

It may not be exactly that, but something similar.


IF you see that then proceed to the next step. If not then stop here.

2.
  • Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below code box to the clipboard by highlighting it and then pressing Ctrl+C.
    Files to move:
    C:\ftdisk.sys | C:\WINDOWS\system32\drivers\ftdisk.sys
  • In the avenger window, click the Paste Script from Clipboard button.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
  • Please post this log, along with a new HijackThis log in your next reply.


3.
Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

4.
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.


Things to include in your next reply:
Did everything go ok?
How is the machine running now?
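A check worth running once the Avenger reboot has finished, added here as an example and not part of the post above or of Avenger, SystemLook or Windows itself: it confirms that the ftdisk.sys now under system32\drivers is byte-for-byte the copy expanded from the I386 cache, prints its version resource and Authenticode status, and asks driverquery which image the kernel actually loaded. It assumes PowerShell 2.0 is installed on the XP machine and that step 1 was followed as written, leaving the expanded copy at C:\FTDISK.sys (both paths are the ones used in the thread).

```powershell
# Added example, not part of the thread or of Avenger/SystemLook. Compares the
# driver now installed with the copy expanded from the I386 cache, shows its
# version resource and Authenticode status, and asks driverquery which image
# the kernel loaded. Paths are the ones used in the thread; the location of
# the expanded copy assumes step 1 was followed as written.
$Installed = Join-Path $env:SystemRoot 'system32\drivers\ftdisk.sys'
$Expanded  = 'C:\FTDISK.sys'

function Get-Sha256Hex([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { $hash = $sha.ComputeHash($stream) } finally { $stream.Close() }
    ($hash | ForEach-Object { $_.ToString('x2') }) -join ''
}

foreach ($p in $Installed, $Expanded) {
    if (-not (Test-Path $p)) { throw "Missing file: $p" }
}

$hInstalled = Get-Sha256Hex $Installed
$hExpanded  = Get-Sha256Hex $Expanded
"Installed SHA-256 : $hInstalled"
"I386 copy SHA-256 : $hExpanded"
if ($hInstalled -ne $hExpanded) {
    Write-Warning 'Installed ftdisk.sys differs from the I386 copy: either the move did not happen or something rewrote the file after the reboot.'
}

# Version resource and signature. XP ships its drivers catalog-signed rather
# than with an embedded signature, so NotSigned here is not on its own proof
# of tampering; the hash comparison above is the stronger check.
$vi = (Get-Item $Installed).VersionInfo
"FileVersion : $($vi.FileVersion)   Company: $($vi.CompanyName)"
$sig = Get-AuthenticodeSignature -FilePath $Installed
"Signature   : $($sig.Status)"
if ($sig.SignerCertificate) { "Signer      : $($sig.SignerCertificate.Subject)" }

# Which ftdisk image did the kernel actually load, and is it running?
driverquery /v /fo csv | ConvertFrom-Csv |
    Where-Object { $_.'Module Name' -eq 'ftdisk' } |
    Format-List 'Module Name', 'State', 'Path'
```

A hash mismatch after Avenger reported success means either the move never happened or something rewrote the file again on boot, which is the more interesting case. One caveat before concluding anything: if the machine has taken a service pack or hotfix that updated ftdisk.sys since it was built, the I386 copy is the older build and a mismatch is expected, so compare the FileVersion lines first.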


#20 Lebowitz IT Services (Topic Starter)

Posted 03 October 2011 - 06:32 AM

Avenger.exe appears to have successfully replaced the infected ftdisk.sys with a clean copy, but the Symform software still reports that its requests are being redirected to 127.0.0.1:6522. Everything else seems to run fine.

I have attached the requested avenger.txt and hijackthis.log files. I left the computer running aswMBR and GMER scans, but apparently it crashed and rebooted while running them, and since it takes a good 3 hours to get a full scan with either one, I probably won't be able to attach those logs until very early tomorrow morning.

- Mark


#21 fireman4it (Malware Response Team)

Posted 03 October 2011 - 03:53 PM

We need to run a CFScript.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

File::

Folder::

Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"=-
"ProxyServer"=-

Driver::


Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


#22 Lebowitz IT Services (Topic Starter)

Posted 05 October 2011 - 01:21 AM

Thanks for your patience. I have to do all my work on this computer very late at night - more accurately, very early in the morning - because my customer uses it throughout most of the day. My first attempt to run ComboFix with the CFScript stopped short when ComboFix cut off the Internet connection and then, apparently, failed to restore it. Either that, or it hung the computer. I stopped trying to get back in when it had been offline for about an hour and a half. Presumably, the customer's staff rebooted it in the morning.

I was able to run ComboFix to completion tonight, and have attached the log file.

- Mark Lebowitz


#23 fireman4it (Malware Response Team)

Posted 05 October 2011 - 04:21 PM

Hello,


How is the machine running?


Please copy the contents of the code box below, open notepad and paste it there. On the top toolbar in notepad select file, then save as. In the box that opens type in remservice.bat for the file name. Right below that click the down arrow in the line for "save as" and select all files. Save this to your desktop and close notepad.

@echo off
rem Stop, then delete, the three services identified in the ComboFix log.
rem A service name containing a space must be quoted, otherwise sc.exe takes
rem only the first word as the service name and the command fails.
sc stop {E15B9ACA-3C89-4F42-808ABF14F35F7CD4}
sc stop oslncmhr
sc stop "Lavasoft Kernexplorer"
sc delete {E15B9ACA-3C89-4F42-808ABF14F35F7CD4}
sc delete oslncmhr
sc delete "Lavasoft Kernexplorer"
rem Remove this script from the desktop once it has run.
del remservice.bat
EXIT
Locate the remservice icon on your desktop and double click it. A box will pop up briefly on your screen and disappear, this is normal.

NOTICE: This file was written specifically for this user, for use on that particular machine.
Running this on another machine may cause damage to your operating system


#24 Lebowitz IT Services (Topic Starter)

Posted 06 October 2011 - 02:39 AM

I created and ran the remservice.bat script as directed. It clobbered Lavasoft Ad-Aware Internet Security Free until I rebooted. Hopefully, the other services it was supposed to remove didn't come back.

Other than that, the problem still persists: the Symform software still abends with a report that its requests are being redirected to 127.0.0.1:6522.

Thanks!

- Mark Lebowitz

#25 fireman4it (Malware Response Team)

Posted 06 October 2011 - 04:29 PM

Hello,

It has to be on their end; either their servers or routers have been infected. You may also want to uninstall and reinstall the Symform software and see if that helps.




The only other thing I can think of is to reset the MBR.

Earlier on ComboFix installed the Recovery Console. We're going to use that now.

Reboot your machine and when the Boot Menu flashes up - select "Microsoft Windows Recovery Console"
(you need to be very fast with the arrow key as you only have a couple of seconds before it defaults to the windows XP bootup)


When you get to the above screen, take note of the number that references your operating system.

If it's '1' like the picture above, type 1 and press Enter

Next type FIXMBR


If it asks if you're sure you want to write a new MBR, answer 'Y'

Then type EXIT to reboot the machine.

With that done, please post back and let me know how things are now.

1.
Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

2.
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.


3.
Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size.
  • List Minidump Files
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using "Reset FF Proxy Settings" option Firefox should be closed.


Things to include in your next reply:
aswMBR log
Gmer log
Results.txt
Still redirecting?
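The CFScript in post #21 and the MiniToolBox checklist in this post are aimed at the same question: what turns a connection to Symform into a connection to 127.0.0.1:6522. The script below is an added example, not from the thread and not part of ComboFix, MiniToolBox or Symform, that gathers those answers in one place. It reads the WinINET proxy values from both HKCU and HKLM (the CFScript deletes ProxyServer and ProxyOverride under HKCU only, and leaves ProxyEnable and any AutoConfigURL alone), shows the separate WinHTTP proxy, prints the non-comment hosts entries and the Winsock provider catalog, and names the process that owns the listener on the port. The port number is the one quoted in the Symform error; everything else is generic. It assumes PowerShell 2.0 on XP and an elevated prompt.

```powershell
# Added example, not from the thread or from ComboFix/MiniToolBox: list the
# places that can redirect an application's HTTP traffic to a local port and
# name the process listening there. $SuspectPort is taken from the Symform
# error quoted in the thread. Assumes PowerShell 2.0 and an elevated prompt.
$SuspectPort = 6522

# 1. WinINET (IE) proxy settings. Programs built on WinINET, and .NET code that
#    relies on the default system proxy, inherit these. The CFScript deleted
#    ProxyServer/ProxyOverride under HKCU only; ProxyEnable, AutoConfigURL (a
#    PAC file can redirect with no ProxyServer set) and the HKLM copy remain.
$keys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
foreach ($k in $keys) {
    if (-not (Test-Path $k)) { continue }
    $v = Get-ItemProperty -Path $k
    $k
    "  ProxyEnable   = $($v.ProxyEnable)"
    "  ProxyServer   = $($v.ProxyServer)"
    "  ProxyOverride = $($v.ProxyOverride)"
    "  AutoConfigURL = $($v.AutoConfigURL)"
}
# Policy switch: ProxySettingsPerUser=0 makes the HKLM values win over HKCU.
$pol = Get-ItemProperty 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings' -ErrorAction SilentlyContinue
"ProxySettingsPerUser = $($pol.ProxySettingsPerUser)"

# 2. WinHTTP proxy, separate from the IE setting and used by services. Vista
#    and later expose it through netsh; XP uses proxycfg.exe.
if (Get-Command proxycfg.exe -ErrorAction SilentlyContinue) { proxycfg.exe } else { netsh winhttp show proxy }

# 3. hosts file: print every line that is not blank or a comment.
Get-Content "$env:SystemRoot\System32\drivers\etc\hosts" |
    Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' }

# 4. Winsock catalog. A layered service provider is loaded into every process
#    that uses Winsock and can rewrite the destination before the packet
#    leaves, which keeps the proxy settings looking clean. Provider paths
#    outside the Windows directory deserve a look.
netsh winsock show catalog | Select-String 'Provider Path'

# 5. Who owns the listener? Parse netstat -ano for a LISTENING socket on the
#    port and resolve the PID to an image path and command line through WMI.
$owners = netstat -ano | ForEach-Object {
    if ($_ -match "^\s*TCP\s+\S+:$SuspectPort\s+\S+\s+LISTENING\s+(\d+)\s*$") { [int]$Matches[1] }
} | Sort-Object -Unique
if (-not $owners) { "Nothing is listening on TCP port $SuspectPort right now." }
foreach ($procId in $owners) {
    $proc = Get-WmiObject Win32_Process -Filter "ProcessId = $procId"
    "PID $procId  $($proc.Name)"
    "  image   : $($proc.ExecutablePath)"
    "  cmdline : $($proc.CommandLine)"
}
```

If the proxy values are all clean and the redirect persists, the useful signals are the last two sections: a listener on the port owned by an unknown image, or a Winsock provider path that is not a Windows DLL, points at in-process interception rather than a proxy setting, and that is exactly the case a registry-only CFScript cannot fix. If nothing is listening at the moment the application fails, the listener may be started on demand; re-run section 5 while Symform is retrying.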


#26 Lebowitz IT Services (Topic Starter)

Posted 06 October 2011 - 09:32 PM

I'll try uninstalling and reinstalling the Symform software - I can do that remotely.

I can't use the Recovery Console remotely, so if reinstalling the Symform software doesn't fix the problem, I won't be able to try the rest until I can get to the customer's office and work directly on the computer.

One question: The computer is a Compaq Presario model with a hidden recovery partition. HP and Compaq computers often have non-standard MBRs, and use proprietary boot code to direct bootup to the recovery partition or Windows partition depending on whether or not the System Recovery hotkey was pressed. Will FIXMBR be safe to use in that case? If not, can I use the proprietary MBRInst.exe to rebuild the MBR?

- Mark Lebowitz

#27 fireman4it (Malware Response Team)

Posted 06 October 2011 - 10:06 PM

Hello,


Fixmbr will only put a standard XP MBR code back on. We normally don't see any problems with HP or Compaq. It is usually Dell's that give us fits. If you would rather back up the MBR first we can do that also. Just let me know.

Edited by fireman4it, 06 October 2011 - 10:06 PM.


#28 Lebowitz IT Services (Topic Starter)

Posted 06 October 2011 - 10:22 PM

I think it makes sense to be cautious and back up the MBR before running FIXMBR. Got a favorite tool for doing this? If not, my toolkit includes an Active @Boot CD.

- Mark Lebowitz

#29 Lebowitz IT Services (Topic Starter)

Posted 07 October 2011 - 01:15 AM

I just logged in, uninstalled the Symform service and looked through the Registry to ensure that no entries were left behind, then reinstalled it. It still gives the same error. So I guess the next step will be for me to go downtown, visit the client and try rewriting the MBR as you suggest. This won't take place until next week sometime, so please keep this thread open until I reply with the results.

Thanks again,

- Mark Lebowitz

#30 fireman4it (Malware Response Team)

Posted 07 October 2011 - 11:09 PM

You will need a blank USB flash drive for this.

Download NTBR_USB.exe and save it to your desktop on your clean computer. Plug in the USB you want to use and double-click NTBR_USB.exe to run it.
Verify that the drive letter shown is the same as assigned by Windows, then click OK.
Once the image is written to the device, you will be prompted to reboot ~ do not reboot and instead remove the device.
Insert the bootable device in the infected computer and start it, then use the appropriate F key to access the boot menu where you can choose to boot from USB. (same as how it booted with xPud)
You should be presented with a boot screen - select usb and press Enter to boot to the device.
After a warning screen there is a keyboard language options screen - press Enter to leave it at EN-US.
You should now be at the Tool options screen.

First, let's back up your current MBR.

Type 1 and hit Enter to start MBRWORK
At Choose Option: type c and hit Enter ( C) Capture Sectors )
At Enter File Name: type mbr.bin and hit Enter
At LBA: 0 Leave at 0 and hit Enter
At Number of Sectors: 1 Leave at 1 and hit Enter
The screen will show:
Processing ...
Save completed - Press Enter
Hit Enter then at Choose Option: type e and hit Enter to exit MBRWORK

Now, we copy it to your USB drive:

Type 5 and hit Enter to go to an X:\> prompt
Type copy mbr.bin c:\ and hit Enter
You should see mbr.bin => c:\mbr.bin and return to the X:\> prompt
Type menu and hit Enter.



Next, let's replace your MBR:

At the menu type 1 to select MBRWORK then hit Enter

This screen will show the hard drive configuration.

Type 5 to Install standard MBR code then hit Enter
Type 1 to select Standard then hit Enter
Type Y then hit Enter to confirm
Type E then hit Enter to exit
Back at the menu, type 6 to Quit.
Press Ctrl+Alt+Del to restart the machine.
Pull out the USB drive at this point.

Did it properly boot into Windows?
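The concern raised in post #26 (will rewriting the MBR break a Compaq recovery partition?) comes down to which bytes of sector 0 get replaced. The script below is an added example, not part of the thread and not part of MBRWORK or the Recovery Console, that decodes the mbr.bin written by the "Capture Sectors" step above: it checks the 0x55AA boot signature, reports the NT disk signature, hashes the 440 bytes of boot code and lists the four partition table entries with their type codes. FIXMBR rewrites the boot code and does not touch the partition table, so a hidden recovery partition survives the rewrite while any vendor hotkey logic that lived in the boot code does not. Run the script on the backup before the rewrite and on a fresh capture afterwards and compare the two listings. The file path and the short table of type names are assumptions; the table covers a few common codes and is not exhaustive.

```powershell
# Added example, not part of the thread or of MBRWORK: decode a 512-byte
# sector-0 dump such as the mbr.bin written by MBRWORK's "Capture Sectors".
# $Path is an assumption; point it at the copy you saved.
param([string]$Path = 'C:\mbr.bin')

function Get-HexString([byte[]]$Bytes) {
    ($Bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Read-Mbr([string]$File) {
    $b = [System.IO.File]::ReadAllBytes($File)
    if ($b.Length -lt 512) { throw "$File is $($b.Length) bytes; expected one 512-byte sector" }

    # Layout: 0-439 boot code, 440-443 NT disk signature, 444-445 padding,
    # 446-509 four 16-byte partition entries, 510-511 boot signature 0x55AA.
    $entries = @()
    for ($i = 0; $i -lt 4; $i++) {
        $o = 446 + 16 * $i
        $entries += New-Object PSObject -Property @{
            Index    = $i
            Bootable = ($b[$o] -eq 0x80)
            Type     = ('0x{0:X2}' -f $b[$o + 4])
            StartLBA = [BitConverter]::ToUInt32($b, $o + 8)
            Sectors  = [BitConverter]::ToUInt32($b, $o + 12)
        }
    }
    New-Object PSObject -Property @{
        BootSignatureOK = ($b[510] -eq 0x55 -and $b[511] -eq 0xAA)
        DiskSignature   = ('0x{0:X8}' -f [BitConverter]::ToUInt32($b, 440))
        BootCodeSha1    = Get-HexString ([System.Security.Cryptography.SHA1]::Create().ComputeHash([byte[]]($b[0..439])))
        Partitions      = $entries
    }
}

# A few common partition type codes, used only for labelling (assumption, not exhaustive).
$TypeNames = @{
    '0x00' = 'empty'; '0x07' = 'NTFS/HPFS'; '0x0B' = 'FAT32'; '0x0C' = 'FAT32 (LBA)'
    '0x12' = 'Compaq diagnostics/recovery'; '0x1C' = 'hidden FAT32 (LBA)'
    '0x27' = 'hidden NTFS (Windows RE)'
}

$mbr = Read-Mbr $Path
"Boot signature 0x55AA present    : $($mbr.BootSignatureOK)"
"NT disk signature (bytes 440-443): $($mbr.DiskSignature)"
"Boot code SHA-1 (bytes 0-439)    : $($mbr.BootCodeSha1)"
foreach ($p in $mbr.Partitions) {
    $name = $TypeNames[$p.Type]; if (-not $name) { $name = 'unknown' }
    '#{0} boot={1,-5} type={2} {3,-28} start={4,10} sectors={5,10} (~{6:N1} GB)' -f `
        $p.Index, $p.Bootable, $p.Type, $name, $p.StartLBA, $p.Sectors, ($p.Sectors * 512 / 1GB)
}
```

Between the before and after captures, the boot code hash is the line you expect to change and the partition entries are the lines you expect to stay identical. Compare the disk signature as well: XP maps drive letters through HKLM\SYSTEM\MountedDevices using that 4-byte value, so if a tool zeroes or regenerates it you want to know before the machine reboots, not after the letters have moved.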




