XP, SP3 - Infection prevents running AV programs and accessing AV sites


This topic is locked
27 replies to this topic

#1 zarf (Members, 19 posts)

Posted 16 December 2008 - 01:44 PM

Hello! I was referred here as a result of the problem described in this post:

http://www.bleepingcomputer.com/forums/t/187012/another-very-stubborn-xp-infection-any-ideas/

The main problem is that Google has been hijacked, but there are also other bad effects such as the firewall being inactive upon startup. Any AV program I have installed or have tried to install (see original post) will not run, not even in safe mode, nor can I access any AV websites, including this one. I am creating this post from another system. The DDS.txt from the infected system appears below and the DDS Attach.txt file from the infected system is also attached.

Attached file: Attach.zip (3.4KB)

Thanks so much in advance for any guidance you might be able to offer:


DDS (Version 1.1.0) - NTFSx86
Run by Bonnie at 13:05:54.59 on Tue 12/16/2008
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.251 [GMT -5:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\iPod Access for Windows\iPAHelper.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
"C:\WINDOWS\system32\drivers\svchost.exe"
C:\Program Files\Hewlett-Packard\AiO\hp officejet d series\Bin\hpoojd07.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\WINDOWS\system32\BRMFRSMG.EXE
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Bonnie\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = 127.0.0.1
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - c:\windows\downlo~1\vzbb.dll
BHO: {AE7CD045-E861-484f-8273-0445EE161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - c:\windows\downlo~1\vzbb.dll
TB: {4064EA35-578D-4073-A834-C96D82CBCF40} - c:\program files\save flash\SaveFlash.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: {4064EA35-578D-4073-A834-C96D82CBCF40} - c:\program files\save flash\SaveFlash.dll
uRun: [PxDotNetLoader] "c:\program files\fidelity investments\fidelity active trader\system\ATPStartupAssistant.exe"
uRun: [SVCHOST.EXE] c:\windows\system32\drivers\svchost.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [WorksFUD] c:\program files\microsoft works\wkfud.exe
mRun: [Microsoft Works Portfolio] c:\program files\microsoft works\WksSb.exe /AllUsers
mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: []
mRun: [Share-to-Web Namespace Daemon] c:\program files\hewlett-packard\hp share-to-web\hpgs2wnd.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [!AVG Anti-Spyware] "c:\program files\grisoft\avg anti-spyware 7.5\avgas.exe" /minimized
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop elements 5.0\apdproxy.exe"
mRun: [QuickTime Task] "c:\program files\quicktime alternative\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\bonnie\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-100000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpaiod~1.lnk - c:\program files\hewlett-packard\aio\hp officejet d series\bin\hpoojd07.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\common files\microsoft shared\works shared\wkcalrem.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: www.vectorvest.com
Handler: x-atng - {7e8717b0-d862-11d5-8c9e-00010304f989} - c:\program files\fidelity investments\fidelity active trader\system\atngprot.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {57B86673-276A-48B2-BAE7-C6DBB3020EB8} - c:\program files\grisoft\avg anti-spyware 7.5\shellexecutehook.dll

============= SERVICES / DRIVERS ===============

R0 PzWDM;PzWDM;c:\windows\system32\drivers\PzWDM.sys [2006-5-15 15172]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-4-14 111184]
R1 AVG Anti-Spyware Driver;AVG Anti-Spyware Driver;\??\c:\program files\grisoft\avg anti-spyware 7.5\guard.sys [2007-5-30 11000]
R1 AvgAsCln;AVG Anti-Spyware Clean Driver;c:\windows\system32\drivers\AvgAsCln.sys [2007-8-15 10872]
R1 Cinemsup;Cinemsup;c:\windows\system32\drivers\Cinemsup.sys [2003-12-19 6656]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-4-14 20560]
R2 avast! Antivirus;avast! Antivirus;"c:\program files\alwil software\avast4\ashServ.exe" [2006-4-17 155160]
R2 AVG Anti-Spyware Guard;AVG Anti-Spyware Guard;c:\program files\grisoft\avg anti-spyware 7.5\guard.exe [2007-5-30 312880]
R3 avast! Web Scanner;avast! Web Scanner;"c:\program files\alwil software\avast4\ashWebSv.exe" /service [2006-4-17 352920]
R3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\Brfilt.sys [2004-12-25 2944]
R3 brparimg;Brother Multi Function Parallel Image driver;c:\windows\system32\drivers\BrParImg.sys [2004-12-25 3168]
R3 BrParWdm;Brother WDM Parallel Driver;c:\windows\system32\drivers\BrParwdm.sys [2004-12-25 39552]
R3 BrSerWDM;Brother WDM Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [2004-12-25 60416]
R3 tbcspud;Santa Cruz Driver;c:\windows\system32\drivers\tbcspud.sys [2004-12-27 142336]
R3 tbcwdm;Santa Cruz WDM Driver;c:\windows\system32\drivers\tbcwdm.sys [2004-12-27 524288]
S3 avast! Mail Scanner;avast! Mail Scanner;"c:\program files\alwil software\avast4\ashMaiSv.exe" /service [2006-4-17 254040]
S3 PavSRK.sys;PavSRK.sys;\??\c:\windows\system32\PavSRK.sys []

=============== Created Last 30 ================

2008-12-16 09:01 --d----- c:\program files\Spybot - Search & Destroy
2008-12-16 09:01 --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2008-12-16 08:21 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-16 08:21 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-16 08:21 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-12-16 08:21 --d----- c:\program files\Malwarebytes' Anti-Malware
2008-12-15 18:19 --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2008-12-15 18:11 1,660,481 a------- C:\SmitfraudFix.exe
2008-12-14 22:10 49,152 a------- c:\windows\system32\drivers\svchost.exe
2008-12-05 15:20 --d----- C:\acetates
2008-12-02 16:09 87,608 a------- c:\docume~1\bonnie\applic~1\inst.exe
2008-12-02 16:09 217,127 a------- c:\windows\system32\drv43260.dll
2008-12-02 16:09 208,935 a------- c:\windows\system32\drv33260.dll
2008-12-02 16:09 176,165 a------- c:\windows\system32\drv23260.dll
2008-12-02 16:09 102,439 a------- c:\windows\system32\sipr3260.dll
2008-12-02 16:09 65,602 a------- c:\windows\system32\cook3260.dll
2008-12-02 16:09 1,184,984 a------- c:\windows\system32\wvc1dmod.dll
2008-12-02 16:09 626,688 a------- c:\windows\system32\vp7vfw.dll

==================== Find3M ====================

2008-12-02 16:09 47,360 a------- c:\windows\system32\drivers\pcouffin.sys
2008-12-02 16:09 47,360 a------- c:\docume~1\bonnie\applic~1\pcouffin.sys
2008-12-02 16:07 87,608 a------- c:\docume~1\bonnie\applic~1\ezpinst.exe
2008-11-18 20:35 1,730,790 a------- c:\docume~1\bonnie\applic~1\jasonpress1.zip
2008-10-24 06:21 455,296 a------- c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-15 20:00 666,112 a------- c:\windows\system32\wininet.dll
2008-10-03 05:02 247,326 a------- c:\windows\system32\strmdll.dll
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2006-04-24 07:35 180,249 a------- c:\docume~1\bonnie\applic~1\jasonpress.zip
2001-08-18 07:00 94,784 ---sh--- c:\windows\twain.dll
2008-04-13 19:12 50,688 ---sh--- c:\windows\twain_32.dll
2008-04-13 19:11 1,028,096 a--sh--- c:\windows\system32\mfc42.dll
2008-04-13 19:12 57,344 ---sh--- c:\windows\system32\msvcirt.dll
2008-04-13 19:12 413,696 a--sh--- c:\windows\system32\msvcp60.dll
2008-04-13 19:12 343,040 a--sh--- c:\windows\system32\msvcrt.dll
2008-04-13 19:12 551,936 ---sh--- c:\windows\system32\oleaut32.dll
2008-04-13 19:12 84,992 ---sh--- c:\windows\system32\olepro32.dll
2008-04-13 19:12 11,776 ---sh--- c:\windows\system32\regsvr32.exe

============= FINISH: 13:06:50.56 ===============
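An added example, not part of the original post or of the DDS tool: the log above lists svchost.exe both where it belongs (C:\WINDOWS\system32) and as "C:\WINDOWS\system32\drivers\svchost.exe", with a matching uRun value named SVCHOST.EXE. The script below parses DDS-style "Running Processes" and "Pseudo HJT Report" lines and flags a Windows core binary name that runs from, or is auto-started from, any directory other than the one the real binary lives in, plus any Run value that is itself named after a core binary. The expected-directory table and the sample lines (a subset copied from the log above) are constructed for this example.

```python
import ntpath
import re

# Assumption of this example: directory where the genuine copy of each
# Windows core binary lives on a 32-bit XP install (lower-cased for matching).
CORE_BINARIES = {
    "svchost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
    "spoolsv.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
}

# Constructed sample: a subset of the lines from the DDS log in post #1.
SAMPLE_DDS = [
    "============== Running Processes ===============",
    r"C:\WINDOWS\system32\svchost -k DcomLaunch",
    "svchost.exe",
    r"C:\WINDOWS\System32\svchost.exe -k netsvcs",
    r"C:\WINDOWS\Explorer.EXE",
    r'"C:\WINDOWS\system32\drivers\svchost.exe"',
    r"C:\Program Files\iPod\bin\iPodService.exe",
    "============== Pseudo HJT Report ===============",
    r"uRun: [SVCHOST.EXE] c:\windows\system32\drivers\svchost.exe",
    r"mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup",
    r"mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe",
]

# A command line as DDS prints it: optional quotes, a drive-letter path,
# optional " -switches". Paths may contain spaces, so match lazily.
_CMD_RE = re.compile(r'^"?([A-Za-z]:\\.*?)"?(?:\s+-.*|\s*)$')
_RUN_RE = re.compile(r'^([umd])Run(?:Once)?: \[([^\]]*)\] (.*)$')
_SECTION_RE = re.compile(r'^=+ (.+?) =+$')


def split_command(text):
    """Return (lowercased directory, lowercased file name) or None."""
    m = _CMD_RE.match(text.strip())
    if not m:
        return None  # bare name or RUNDLL32-style line: no resolvable path
    path = m.group(1).lower()
    directory, name = ntpath.dirname(path), ntpath.basename(path)
    if "." not in name:
        name += ".exe"  # DDS drops the extension on some process lines
    return directory, name


def check_path(directory, name):
    """Masquerade check: core binary name, but not in its home directory.
    DDS may print 8.3 short names (progra~1); those never equal the
    long-form expected directory, which is acceptable for this check."""
    expected = CORE_BINARIES.get(name)
    if expected is not None and directory != expected:
        return f"{name} running from {directory}, expected {expected}"
    return None


def scan_dds(lines):
    """Walk a DDS log and return a list of (section, kind, detail) findings."""
    findings = []
    section = None
    for line in lines:
        sec = _SECTION_RE.match(line)
        if sec:
            section = sec.group(1)
            continue
        if section == "Running Processes":
            parsed = split_command(line)
            if parsed:
                problem = check_path(*parsed)
                if problem:
                    findings.append((section, "process", problem))
        elif section == "Pseudo HJT Report":
            run = _RUN_RE.match(line)
            if not run:
                continue
            hive_flag, value_name, data = run.groups()
            # Windows never registers its own core processes under Run:
            # a Run value *named* svchost.exe is a red flag by itself.
            if value_name.lower() in CORE_BINARIES:
                findings.append((section, "run-name",
                                 f"{hive_flag}Run value named {value_name}"))
            parsed = split_command(data)
            if parsed:
                problem = check_path(*parsed)
                if problem:
                    findings.append((section, "run-path", problem))
    return findings


if __name__ == "__main__":
    for finding in scan_dds(SAMPLE_DDS):
        print(*finding, sep=" | ")
```

Run against the sample it reports three findings: the process from the drivers directory, the Run value named after svchost, and that Run value's path. Bare "svchost.exe" process lines (no path resolved by DDS) are ignored rather than flagged.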



#2 PropagandaPanda (Malware Response Team, 10,433 posts)

Posted 22 December 2008 - 10:08 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you with your log.

I apologize for the delay in response. We get overwhelmed with logs at times, but we are trying our best to keep up. If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following so I can have a look at the current condition of your machine.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the [image] button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer, including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Finally, please reply using the Add Reply button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
Download and Run ATFCleaner
Please download ATF Cleaner by Atribune. This program will clear out temporary files before we run OTScanIt. You will likely be logged out of the forum where you are receiving help.

This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
  • If you use any other browsers, select them appropriately from the top and empty all items.
Download and Run OTScanIt
Download OTScanIt by OldTimer to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program. If you are running on Vista then right-click the program and choose Run as Administrator.
  • Check the Scan all users box at the top left.
  • Click the Extras button under "Additional Scans".
  • Now click the Run Scan button on the toolbar.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Close Notepad (saving the change if necessary).
  • Use the Add Reply button in the forum and Attach the scan back here (do not copy/paste it as it will be too big to fit into the post). It will be located in the OTScanIt folder and named OTScanIt.txt.
Download and Run Scan with GMER
We will use GMER to scan for rootkits.
  • Download gmer.zip and save to your desktop.
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • Close all other running programs. There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click the >>>.
  • Click on Settings, then check the first five settings:
    • System Protection and Tracing
    • Processes
    • Save created processes to the log
    • Drivers
    • Save loaded drivers to the log
  • Click OK.
  • You will be prompted to restart your computer. Please do so.
After the reboot, run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for Show All.
  • Click on the Scan and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan. You will know that the scan is done when the Stop button turns back to Scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose New>Text document. Once the file is created, open it and right-click again and choose Paste. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in Safe Mode
Important! Please do not select the Show all checkbox during the scan.

In your next reply include:
-the OTScanIt log (attached)
-the GMER log (pasted directly into your reply)

Please also tell me of any changes you have made to your computer since your topic was started.

If you do not make a reply in 5 days, we will need to close your topic.

With Regards,
The Panda

Important Note to Other Users Reading this Topic: The instructions provided in this topic below this point are for the original topic starter only. Even if you have similar problems or log entries to those given here, please do not follow the directions, especially those involving specific tools and scripts. Doing so can result in serious damage to your computer. Instead, please start your own topic. Feel free to link to any relevant topics as needed.

#3 zarf (Topic Starter, Members, 19 posts)

Posted 23 December 2008 - 07:53 PM

Hi PP,

Thanks so much for your assistance. I followed your instructions exactly and was able to run ATFCleaner and OTScanIt on the infected system, but the system refused to let me run gmer.exe.

A characteristic of this virus I have noticed is that it disables my Windows firewall as part of the startup procedure and then will disable it again after some period of time after I have enabled it. Thus, I have the infected computer disconnected from any network and have been using this computer (a laptop running Vista) to download and transfer the files to the desktop of the infected computer via the use of CD-ROM.

I have attached a copy of the OTScanIt.txt file obtained from the infected computer. Hopefully, there will be some indication in there what might be preventing me from running gmer.exe.

Note that a characteristic of this virus so far has been to block me from running any AV-related programs or updates (SmitFraudFix, HiJackThis, SuperAntiSpyware, etc).

Perhaps the attached OTScanIt.txt will help you guide me to the next step. Thanks again.

Attached Files



#4 PropagandaPanda (Malware Response Team, 10,433 posts)

Posted 23 December 2008 - 07:57 PM

Hello.

These newer infections often prevent such tools from running. Please try to rename GMER.exe to GMER123.exe and run the scan.

There is very likely to be a rootkit at work here.

With Regards,
The Panda

#5 zarf (Topic Starter, Members, 19 posts)

Posted 23 December 2008 - 08:03 PM

Hi PP,

I renamed the file gmer.exe to gmer123.exe and it still won't run when double-clicked.

z

#6 PropagandaPanda (Malware Response Team, 10,433 posts)

Posted 23 December 2008 - 08:08 PM

Hello zarf.

Let's try ComboFix.

Install Recovery Console and Run ComboFix
Transfer the files needed to the infected computer. If ComboFix does not run, rename it to ComboFixCF.exe.

Download Combofix from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3

Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System.

  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Download the file and save it as it's originally named onto your desktop.
  • Close any open windows, including this one.
  • Drag the setup package onto ComboFix.exe and drop it.


  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
  • At the next prompt, click Yes to run the full ComboFix scan.

  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.

ComboFix will restart your computer if malware is found; allow it to do so.


Try running GMER after ComboFix finishes.

With Regards,
The Panda

#7 zarf (Topic Starter, Members, 19 posts)

Posted 23 December 2008 - 08:38 PM

Hi PP,

I downloaded ComboFix and also WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe, because the infected computer runs Windows XP Home Edition with SP3.

The infected computer does have a floppy drive, but its CD-ROM drive seems to read/write ok.

Should I transfer and run ComboFix first? Or should I transfer and run the WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe on the infected computer first to create setup floppies for use during the ComboFix run? I was unclear on the relation between Combofix and the .exe I downloaded from Microsoft.

Thanks,
z

#8 PropagandaPanda (Malware Response Team, 10,433 posts)

Posted 23 December 2008 - 08:47 PM

Hello.

Transfer both files at the same time to the infected computer. ComboFix uses the Microsoft setup file to install a Recovery Console on the computer itself.

With Regards,
The Panda

#9 zarf (Topic Starter, Members, 19 posts)

Posted 23 December 2008 - 09:06 PM

Hi PP,

ok, I transferred both those files onto the desktop of the infected computer, exited the AVG tray icon and inactivated the Avast AV.

However, when I dragged and dropped the WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe over the ComboFix.exe icon, as in the instructions, nothing happened (Combofix did not run).

This is really a stubborn one so far!

z

#10 PropagandaPanda (Malware Response Team, 10,433 posts)

Posted 23 December 2008 - 09:10 PM

Hello.

Had you tried to rename ComboFix? Give it ComboFixCF.exe.

Do the drag and drop again. If it still does not run, we can work without it.

EDIT please make sure Avast! is disabled before running ComboFix.
Disable Avast!'s realtime protection by right clicking on the tray icon beside your clock that looks like [image] and selecting Stop On-Access Protection.

In the settings:
[image]
(ignore the BSOD comment)

With Regards,
The Panda

Edited by PropagandaPanda, 23 December 2008 - 09:12 PM.


#11 zarf (Topic Starter, Members, 19 posts)

Posted 23 December 2008 - 09:14 PM

Hi PP,

Just renamed ComboFix.exe to ComboFixCF.exe as you suggested, did the drag and drop, and still nothing happens (no execution of program). Ready for the next step.

ps, thanks so much for your patience - you have the patience of a saint!

z

#12 zarf (Topic Starter, Members, 19 posts)

Posted 23 December 2008 - 09:15 PM

ps, I did previously stop Avast On-Access protection originally before doing drag and drop.

Edited by zarf, 23 December 2008 - 09:16 PM.


#13 PropagandaPanda (Malware Response Team, 10,433 posts)

Posted 23 December 2008 - 09:30 PM

Hello zarf.

Let's see if The Avenger will work. Please first save the script as a text file and transfer it. You will also need ERUNT setup and the Avenger itself. Unzip the Avenger.exe with the working computer first, if possible.

If you have not already, disconnect the infected computer from the Internet and any other network.

Install ERUNT
This tool will create a complete backup of your registry. After every reboot, a new backup is created to ensure we have a safety net after each step. Do not delete these backups until we are finished.
  • Please download erunt-setup.exe to your desktop.
  • Double click erunt-setup.exe. Follow the prompts and allow ERUNT to be installed with the settings at default. If you do not want a Desktop icon, feel free to uncheck that. When asked if you want to create an ERUNT entry in the startup folder, answer Yes. You can delete the installation file after use.
  • Erunt will open when the installation is finished. Check all items to be backed up in the default location and click OK.
You can find a complete guide to using the program here:
http://www.larshederer.homepage.t-online.de/erunt/erunt.txt

When we are finished with fixing your computer (I will make it clear when we are), you can uninstall ERUNT through Add/Remove Programs. The backups will be stored at C:\WINDOWS\erdnt, and will not be deleted when ERUNT is uninstalled.

Download The Avenger and Run Script
Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Right click and extract avenger.exe to your desktop
  • Start the Avenger by clicking on its icon on your desktop.
  • Copy all the text contained in the quote box below to your Clipboard by highlighting it, right clicking and selecting Copy:
    Drivers to disable:
    tdssserv.sys
    tdssserv
    
    Registry values to delete:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | SVCHOST.EXE
    
    Files to replace with dummy:
    %SystemRoot%\system32\drivers\svchost.exe
  • Click the [image] button to paste the script from the clipboard.
  • Click the Execute button
  • Answer Yes twice when prompted.
The process is completely automatic. Do not touch your computer until a log file opens.

The Avenger will do the following:
  • It will Restart your computer. (In cases where the code to execute contains "Drivers to Unload", the Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt (considering your operating drive is C:). Post back with it in your next reply.


After running the Avenger, try ComboFix again.

With Regards,
The Panda

#14 zarf (Topic Starter, Members, 19 posts)

Posted 23 December 2008 - 10:32 PM

Hi PP,

ok, transferred and ran ERUNT and then Avenger successfully, pasting in the code you provided.

System rebooted twice,

Avenger logfile appeared (I am typing this in - I'll explain why shortly):

Logfile of The Avenger Version 2.0, © by Swandog46
http:/swandog46.geekstogo.com

Platform: Windows XP

**********************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at c:\Avenger

**********************

Beginning to process script file:

Rootkit scan active.

Hidden driver "TDSSserv.sys" found!
Image path: \systemroot\system32\drivers\TDSSmqlt.sys
Start Type:: 4 (Disabled)

Rootkit scan completed.

Driver "tdssserv.sys" disabled successfully.

Error: could not open driver "tdssserv"
Disablement of driver "tdssserv" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\WINDOWS\system32\drivers\svchost.exe" replaced with dummy successfully.

Error: could not delete registry value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|SVCHOST.EXE"
Deletion of registry value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|SVCHOST.EXE" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Completed script processing.

****************************


Upon startup, apparently Avast also became active and generated an alert: "A Trojan Horse Was Found!"
File name: C:\WINDOWS\SYSTEM32\TDSSXFUM.DLL
Malware name: Win32:Fasec [Trj]
Malware type: Trojan Horse


I haven't taken any action on this alert window. The choices are:

Move/Rename...
Delete...
Move to chest

No action

I didn't dare click anything until I checked with you for the next thing to do. Thanks!

z
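An added example, not part of either post above or of The Avenger itself, to show where the two failures in the log come from. The Avenger looks up "Drivers to disable" entries by exact service name under HKLM\SYSTEM\CurrentControlSet\Services, so tdssserv.sys (which the rootkit scan reported as the hidden service "TDSSserv.sys") is found and disabled while the bare name tdssserv is not. For the Run value, the DDS log in post #1 reported the entry as uRun, and in DDS output a leading u means the current user's hive (HKCU) while m means HKLM; the script in post #13 targeted HKEY_LOCAL_MACHINE, which is consistent with the "object does not exist" result. The code below models the registry as a case-insensitive dictionary built from the values the thread shows, replays the two script sections against it, and derives the Avenger line for the hive DDS actually reported. The .DEFAULT mapping for the d prefix and the exact Start value Avenger writes are assumptions; the "Files to replace with dummy" section is not modelled.

```python
import re

# DDS prefix letter -> registry hive. u and m are the standard DDS
# convention; the .DEFAULT mapping for d is an assumption of this example.
HIVE_BY_DDS_PREFIX = {
    "u": "HKEY_CURRENT_USER",
    "m": "HKEY_LOCAL_MACHINE",
    "d": r"HKEY_USERS\.DEFAULT",
}
RUN_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
SERVICES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
SERVICE_DISABLED = 4  # Start value for a disabled service (assumed to be what Avenger writes)
NOT_FOUND = "0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)"


class FakeRegistry:
    """Dictionary stand-in for the registry; key and value names compare
    case-insensitively, as they do in Windows."""

    def __init__(self, keys):
        self._keys = {k.lower(): dict(v) for k, v in keys.items()}

    def values(self, key):
        return self._keys.get(key.lower())

    def set_value(self, key, name, data):
        self._keys[key.lower()][name] = data

    def delete_value(self, key, name):
        vals = self.values(key)
        if vals is None:
            return False
        for existing in list(vals):
            if existing.lower() == name.lower():
                del vals[existing]
                return True
        return False


def build_sample_registry():
    """Constructed from the DDS log (post #1) and the Avenger log (post #14)."""
    return FakeRegistry({
        HIVE_BY_DDS_PREFIX["u"] + "\\" + RUN_SUBKEY: {
            "SVCHOST.EXE": r"c:\windows\system32\drivers\svchost.exe"},
        HIVE_BY_DDS_PREFIX["m"] + "\\" + RUN_SUBKEY: {
            "avast!": r"c:\progra~1\alwils~1\avast4\ashDisp.exe"},
        SERVICES_KEY + r"\TDSSserv.sys": {
            "ImagePath": r"\systemroot\system32\drivers\TDSSmqlt.sys"},
    })


def avenger_line_for_dds_run(dds_line):
    """'uRun: [NAME] data' -> the 'Registry values to delete' line that
    targets the hive DDS reported, e.g. 'HKEY_CURRENT_USER\\...\\Run | NAME'."""
    m = re.match(r"^([umd])Run(Once)?: \[([^\]]*)\]", dds_line)
    if not m:
        raise ValueError("not a DDS Run line: " + dds_line)
    prefix, once, name = m.groups()
    key = HIVE_BY_DDS_PREFIX[prefix] + "\\" + RUN_SUBKEY + ("Once" if once else "")
    return f"{key} | {name}"


def run_avenger_script(script, registry):
    """Replay the 'Drivers to disable' and 'Registry values to delete'
    sections against the fake registry; returns Avenger-style log lines."""
    log, section = [], None
    for raw in script.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):
            section = line[:-1].lower()
            continue
        if section == "drivers to disable":
            key = SERVICES_KEY + "\\" + line  # exact service name, not image name
            if registry.values(key) is None:
                log.append(f'Disablement of driver "{line}" failed! Status: {NOT_FOUND}')
            else:
                registry.set_value(key, "Start", SERVICE_DISABLED)
                log.append(f'Driver "{line}" disabled successfully.')
        elif section == "registry values to delete":
            key, name = (part.strip() for part in line.split("|", 1))
            if registry.delete_value(key, name):
                log.append(f'Registry value "{key}|{name}" deleted successfully.')
            else:
                log.append(f'Deletion of registry value "{key}|{name}" failed! Status: {NOT_FOUND}')
        else:
            log.append(f'Section "{section}" not modelled; skipped "{line}".')
    return log


# The script as posted in post #13, without the file-replacement section.
SCRIPT_AS_POSTED = """\
Drivers to disable:
tdssserv.sys
tdssserv

Registry values to delete:
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run | SVCHOST.EXE
"""

if __name__ == "__main__":
    reg = build_sample_registry()
    for entry in run_avenger_script(SCRIPT_AS_POSTED, reg):
        print(entry)
    fixed = avenger_line_for_dds_run(
        r"uRun: [SVCHOST.EXE] c:\windows\system32\drivers\svchost.exe")
    print("Line for the hive DDS reported:", fixed)
    for entry in run_avenger_script("Registry values to delete:\n" + fixed, reg):
        print(entry)
```

Replaying the posted script reproduces the three outcomes in the log above (one driver disabled, one driver not found, one registry value not found); feeding the line derived from the uRun entry deletes the value.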

#15 PropagandaPanda (Malware Response Team, 10,433 posts)

Posted 23 December 2008 - 11:06 PM

Hello Zarf.

The rootkit driver that The Avenger disabled was hiding the items that Avast! found. If Avast! detects anything else, move it to the chest.

Please try running ComboFix and GMER again.

With Regards,
The Panda



