unknown trojan/worm/botnet rootkit/bootkit? long post


  • This topic is locked
27 replies to this topic

#1 quirkly

quirkly

  • Members
  • 15 posts
  • OFFLINE
  • Local time:01:05 PM

Posted 21 January 2009 - 06:06 PM

Hi,
FIRST-- I have uploaded txt files of logs but I am concerned about infecting others. Take care if you open these, just txt, _not zipped_ as I know that has been a problem in the past.

Thanks to all who read and may try to help. I apologize right off if I have included too much information in this post. However, I have lots of history with this problem and no real help. I have been infected since at least August (many computers) with some unknown trojan/worm/botnet rootkit/bootkit? No AV scans have revealed anything substantive. Early on, I got a few positives; one computer showed evidence of a vlob variant, due to audio/video symptoms, not scans. I have tried lots of pro help, but could not get anyone to deal with the boot sector/MBR problem. Tried to work with Sophos, Dell, etc. Since little or nothing was seen in the logs, I got no help. Sophos will not start now. I am posting the DDS data as per instructions. You will see that I have many malware detectors and inspectors installed. I have attempted to uninstall them when they did not work or showed nothing. However, they do not uninstall.

These logs are from my daughter's new Vista laptop. It was infected when a Sophos tech suggested I put the CD-R (finalized) I made with the AV tools back into it to make sure I actually wrote the files to the CD, when my other infected laptop would not read the CD. I argued but finally gave in, sadly, and promptly infected this computer.

Did lots and lots of clean installs. Not effective in light of the boot sector/MBR issue. Not sure how to deal with this problem. I got mixed info from many pros (spent big bucks, no resolution, no refunds either). Have lots of infected data that is difficult to know how to manage. No idea how to clean some of the more important financial stuff, now all on external drives.

Malware hangs on Windows Installer, .NET Frameworks, all audio and graphics drivers, uninstallers, updaters, and especially on the wireless drivers and mouse. Cursor moves around on its own. I believe that the original code/file is hidden from scanning due to the mouse clicks, hence it never shows up in scans. Computer turns off and on by itself. Would hook up to wireless if it had the chance, but I no longer have any wireless network at home. Malware did write to a commercial software CD for an external wireless antenna, since I subsequently infected another computer with that disk. Seems to control the ability to access the CD drive.
Thank you very much for your interest



DDS (Ver_09-01-18.01) - NTFSx86
Run by Kirie at 11:34:11.69 on Wed 01/21/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.1.1033.18.2037.933 [GMT -8:00]

AV: Sophos Anti-Virus *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\bcmwltry.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Adobe\Updater6\Adobe_Updater.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Kirsten\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Sophos Web Content Scanner: {39ea7695-b3f2-4c44-a4bc-297ada8fd235} - c:\program files\sophos\sophos anti-virus\SophosBHO.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [UnHackMe Monitor] c:\program files\unhackme\hackmon.exe
uRun: [Advanced Uninstaller PRO Installation Monitor] "c:\program files\innovative solutions\advanced uninstaller pro - version 9\monitor.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\audibl~1.lnk - c:\program files\audible\bin\AudibleDownloadHelper.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\autoup~1.lnk - c:\program files\sophos\autoupdate\ALMon.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\program files\dell\quickset\quickset.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\kirie\appdata\roaming\mozilla\firefox\profiles\n2xgas6b.default\

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-22 55024]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-22 7408]
S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2009-1-8 34760]

=============== Created Last 30 ================

2009-01-20 17:00 <DIR> --d----- c:\program files\Lavalys
2009-01-20 16:06 <DIR> --d----- c:\programdata\SUPERAntiSpyware.com
2009-01-20 16:06 <DIR> --d----- c:\progra~2\SUPERAntiSpyware.com
2009-01-20 16:06 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-01-20 16:06 <DIR> --d----- c:\users\kirie\appdata\roaming\SUPERAntiSpyware.com
2009-01-20 16:05 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-01-20 12:49 <DIR> --d----- c:\program files\Disk Investigator
2009-01-16 21:21 23,932 a------- C:\adsspyB run as admin
2009-01-16 21:14 <DIR> --d----- C:\Lop SD
2009-01-16 13:09 <DIR> --d----- C:\Snort
2009-01-14 09:13 288,768 a------- c:\windows\system32\drivers\srv.sys
2009-01-14 02:36 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-14 02:36 <DIR> --d----- c:\users\kirie\appdata\roaming\Malwarebytes
2009-01-14 02:36 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 02:36 <DIR> --d----- c:\programdata\Malwarebytes
2009-01-14 02:36 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-14 02:36 <DIR> --d----- c:\progra~2\Malwarebytes
2009-01-14 02:24 250 a------- c:\windows\gmer.ini
2009-01-14 02:18 <DIR> --d----- C:\New Folder
2009-01-12 12:02 26,808 a------- c:\windows\system32\drivers\pxark.sys
2009-01-12 12:02 <DIR> --d----- c:\programdata\PrevxCSI
2009-01-12 12:02 <DIR> --d----- c:\progra~2\PrevxCSI
2009-01-09 21:22 <DIR> --d----- c:\program files\Audible
2009-01-09 19:42 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-01-09 19:42 15,464 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-01-09 19:41 <DIR> --d----- c:\program files\iPod
2009-01-09 19:41 <DIR> --d----- c:\programdata\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-09 19:41 <DIR> --d----- c:\progra~2\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-09 19:41 <DIR> --d----- c:\program files\iTunes
2009-01-09 19:41 <DIR> --d----- c:\program files\Bonjour
2009-01-09 19:40 <DIR> --d----- c:\programdata\Apple
2009-01-09 19:18 <DIR> --d----- c:\program files\VS Revo Group
2009-01-09 19:02 <DIR> --d----- c:\programdata\Innovative Solutions
2009-01-09 19:02 <DIR> --d----- c:\progra~2\Innovative Solutions
2009-01-09 19:01 42,496 a------- c:\windows\system32\AdvUninstCPL.cpl
2009-01-09 19:01 <DIR> --d----- c:\program files\Innovative Solutions
2009-01-09 16:14 <DIR> --d----- c:\programdata\Apple Computer
2009-01-09 16:05 299,520 a------- c:\windows\uninst.exe
2009-01-08 14:33 <DIR> --d----- c:\windows\RestoreSafeDeleted
2009-01-08 12:05 2 a--shrot c:\windows\winstart.bat
2009-01-08 12:05 34,760 a------- c:\windows\system32\drivers\Partizan.sys
2009-01-08 12:05 32,480 a------- c:\windows\system32\Partizan.exe
2009-01-08 12:05 12,752 a------- c:\windows\system32\drivers\UnHackMeDrv.sys
2009-01-08 12:05 <DIR> --d----- c:\program files\UnHackMe
2009-01-06 00:31 <DIR> --d----- c:\program files\PCCheckupOnline
2009-01-06 00:26 <DIR> --d----- c:\windows\system32\Dell
2009-01-05 16:27 70,656 a------- c:\windows\system32\drivers\KERNEL.del
2009-01-01 13:18 <DIR> --d----- c:\programdata\Adobe
2009-01-01 12:22 2,048 a------- c:\windows\system32\tzres.dll
2008-12-31 17:50 296,960 a------- c:\windows\system32\gdi32.dll
2008-12-31 17:50 28,672 a------- c:\windows\system32\Apphlpdm.dll
2008-12-31 17:50 4,240,384 a------- c:\windows\system32\GameUXLegacyGDFs.dll
2008-12-31 17:49 2,927,104 a------- c:\windows\explorer.exe
2008-12-31 17:49 827,392 a------- c:\windows\system32\wininet.dll
2008-12-31 17:49 2,868,736 a------- c:\windows\system32\mf.dll
2008-12-31 17:49 996,352 a------- c:\windows\system32\WMNetMgr.dll
2008-12-31 17:49 94,720 a------- c:\windows\system32\logagent.exe
2008-12-22 15:56 4,117,846 a------- C:\unhackme500.exe

==================== Find3M ====================

2009-01-09 22:42 86,016 a------- c:\windows\inf\infstor.dat
2009-01-09 22:42 51,200 a------- c:\windows\inf\infpub.dat
2009-01-09 22:42 86,016 a------- c:\windows\inf\infstrng.dat
2008-10-31 19:44 52,736 a------- c:\windows\apppatch\iebrshim.dll
2008-10-31 19:44 2,154,496 a------- c:\windows\apppatch\AcGenral.dll
2008-10-31 19:44 541,696 a------- c:\windows\apppatch\AcLayers.dll
2008-10-31 19:44 460,288 a------- c:\windows\apppatch\AcSpecfc.dll
2008-10-31 19:44 173,056 a------- c:\windows\apppatch\AcXtrnal.dll
2008-10-22 12:44 665,600 a------- c:\windows\inf\drvindex.dat
2008-01-20 18:57 174 a--sh--- c:\program files\desktop.ini
2006-11-02 04:39 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 04:39 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 04:39 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 04:39 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 01:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 01:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 01:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 01:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 11:34:23.04 ===============


Also just used Disk Investigator, which stated that the boot manager was missing or compressed. Since this is a Vista computer, it should not boot. However it does, since I am posting from it now. Txt included here:
000000000180 0180 . . A d i s k r e a d e r ..A disk read er
000000000190 0190 r o r o c c u r r e d . . . B ror occurred...B
0000000001A0 01A0 O O T M G R i s m i s s i n OOTMGR is missin
0000000001B0 01B0 g . . . B O O T M G R i s c g...BOOTMGR is c
0000000001C0 01C0 o m p r e s s e d . . . P r e s ompressed...Pres
0000000001D0 01D0 s C t r l + A l t + D e l t s Ctrl+Alt+Del t
0000000001E0 01E0 o r e s t a r t . . . . . . . o restart.......
0000000001F0 01F0 . . . . . . . . . . . . . . U . ..............U.
000000000200 0200 . . B . O . O . T . M . G . R . ..B.O.O.T.M.G.R.
000000000210 0210 . . $ . I . 3 . 0 . . . . . . 0 ..$.I.3.0......0
000000000220 0220 . . . . . . . . . . . . . . . . ................
000000000230 0230 . . . . . . . . . . . . . . . . ................



I also have SysInspector data if that is possible to post. Many suspicious or unknown items are indicated which are most likely related to the infestation. Rootkit detectors rarely run in their entirety, but the RootRepeal log of hidden modules is included below. I also have uploaded the Everest report on the computer, since many of the apparently installed drivers/devices were not, to my knowledge, my installation. I also have the UnHackMe RegRun report, which I have not included due to my worry of sending too long a post and too much information. Probably does provide additional information to the knowledgeable.


ROOTREPEAL © AD, 2007-2008
==================================================
Scan Time: 2009/01/20 15:51
Program Version: Version 1.2.3.0
Windows Version: Windows Vista SP1
==================================================

Stealth Objects
-------------------
Object: Hidden Module [Name: fltMgr.sys]
Process: svchost.exe (PID: 956) Address: 0x00200000 Size: 200704

Object: Hidden Module [Name: winlogon.exe]
Process: svchost.exe (PID: 956) Address: 0x002a0000 Size: 323584

Object: Hidden Module [Name: winlogon.exe]
Process: svchost.exe (PID: 956) Address: 0x00490000 Size: 323584

Object: Hidden Module [Name: PSHED.DLL]
Process: svchost.exe (PID: 956) Address: 0x4a980000 Size: 65536

Object: Hidden Module [Name: http.sys]
Process: svchost.exe (PID: 956) Address: 0x02250000 Size: 434176

Object: Hidden Module [Name: ci.dll]
Process: svchost.exe (PID: 956) Address: 0x32f10000 Size: 913408

Object: Hidden Module [Name: tquery.dll]
Process: svchost.exe (PID: 956) Address: 0x72390000 Size: 1589248

Object: Hidden Module [Name: diagperf.dll]
Process: svchost.exe (PID: 956) Address: 0x716a0000 Size: 1089536

Object: Hidden Module [Name: qmgr.dll]
Process: svchost.exe (PID: 956) Address: 0x6ca90000 Size: 1826816

Object: Hidden Module [Name: wuaueng.dll]
Process: svchost.exe (PID: 956) Address: 0x6c4b0000 Size: 1814528

Object: Hidden Module [Name: tbssvc.dll]
Process: svchost.exe (PID: 956) Address: 0x6e060000 Size: 61440

Object: Hidden Module [Name: WinMgmtR.dll]
Process: svchost.exe (PID: 956) Address: 0x72110000 Size: 8192

Object: Hidden Module [Name: schedsvc.dll]
Process: svchost.exe (PID: 956) Address: 0x736d0000 Size: 606208

Object: Hidden Module [Name: dps.dll]
Process: svchost.exe (PID: 956) Address: 0x731c0000 Size: 139264

Object: Hidden Module [Name: gpsvc.dll]
Process: svchost.exe (PID: 956) Address: 0x746e0000 Size: 577536

Object: Hidden Module [Name: WUDFPlatform.dll]
Process: svchost.exe (PID: 956) Address: 0x74650000 Size: 192512

Object: Hidden Module [Name: emdmgmt.dll]
Process: svchost.exe (PID: 956) Address: 0x74810000 Size: 577536

Object: Hidden Module [Name: adtschema.dll]
Process: svchost.exe (PID: 956) Address: 0x74770000 Size: 606208

Object: Hidden Module [Name: wlansvc.dll]
Process: svchost.exe (PID: 956) Address: 0x748a0000 Size: 528384

Object: Hidden Module [Name: profsvc.dll]
Process: svchost.exe (PID: 956) Address: 0x74a70000 Size: 163840

Object: Hidden Module [Name: wevtapi.dll]
Process: svchost.exe (PID: 956) Address: 0x75c80000 Size: 258048

Object: Hidden Module [Name: bcmwlrmt.dll]
Process: bcmwltry.exe (PID: 1460) Address: 0x01c70000 Size: 77824

Object: Hidden Module [Name: msvcm80.dll]
Process: bcmwltry.exe (PID: 1460) Address: 0x03d40000 Size: 507904

Object: Hidden Module [Name: WLTRAY.EXE]
Process: bcmwltry.exe (PID: 1460) Address: 0x05ad0000 Size: 3821568

Object: Hidden Module [Name: imageres.dll]
Process: Explorer.EXE (PID: 2428) Address: 0x6b0a0000 Size: 15822848

Object: Hidden Module [Name: msvcm80.dll]
Process: WLTRAY.EXE (PID: 2676) Address: 0x04460000 Size: 507904

Object: Hidden Module [Name: bcmwlrmt.dll]
Process: WLTRAY.EXE (PID: 2676) Address: 0x04440000 Size: 77824

Object: Hidden Code [ETHREAD: 0x844467b0]
Process: System Address: 0x88a6b7e8 Size: -

Object: Hidden Code [ETHREAD: 0x8446cd78]
Process: System Address: 0x902fea50 Size: -

Object: Hidden Code [ETHREAD: 0x8446cad0]
Process: System Address: 0x8a3e96b8 Size: -
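The Disk Investigator dump in the post above shows only the text column of the volume boot record, not the raw bytes. As an added example (not part of quirkly's post, nor code from Disk Investigator or any other tool named in this thread), the following Python reads that kind of dump back into the strings it carries, and then shows the checks an examiner applies to a raw 512-byte NTFS volume boot record: the OEM ID at offset 3, the bytes-per-sector value in the BPB, and the 0x55AA signature at offset 0x1FE. The strings "A disk read error occurred", "BOOTMGR is missing", "BOOTMGR is compressed" and "Press Ctrl+Alt+Del to restart" are the error messages the NTFS boot code stores so it can display them when loading fails, so a dump of any healthy Vista NTFS boot record shows them; what distinguishes an intact sector from a damaged one is the signature and OEM ID, which is what `parse_vbr` reports. The sector it parses is constructed inside the code for demonstration and is not an image of the poster's disk.

```python
import re
import struct

# Disk Investigator-style dump lines copied from the post above: offset, short offset,
# a spaced character column, and a 16-character text column at the end of each line.
DUMP_LINES = [
    "000000000180 0180 . . A d i s k r e a d e r ..A disk read er",
    "000000000190 0190 r o r o c c u r r e d . . . B ror occurred...B",
    "0000000001A0 01A0 O O T M G R i s m i s s i n OOTMGR is missin",
    "0000000001B0 01B0 g . . . B O O T M G R i s c g...BOOTMGR is c",
    "0000000001C0 01C0 o m p r e s s e d . . . P r e s ompressed...Pres",
    "0000000001D0 01D0 s C t r l + A l t + D e l t s Ctrl+Alt+Del t",
    "0000000001E0 01E0 o r e s t a r t . . . . . . . o restart.......",
    "0000000001F0 01F0 . . . . . . . . . . . . . . U . ..............U.",
    "000000000200 0200 . . B . O . O . T . M . G . R . ..B.O.O.T.M.G.R.",
    "000000000210 0210 . . $ . I . 3 . 0 . . . . . . 0 ..$.I.3.0......0",
]

NTFS_OEM_ID = b"NTFS    "        # 8 bytes at offset 3 of an NTFS volume boot record
BOOT_SIGNATURE = b"\x55\xAA"     # last two bytes (0x1FE-0x1FF) of a valid boot sector


def text_column(line):
    """Return the trailing 16-character text column of one dump line."""
    return line.rstrip("\r\n")[-16:]


def messages_from_dump(lines):
    """Recover the readable strings from a dump that shows only the text column.

    The tool prints every non-printable byte as '.', so '.' is used as the separator
    here; this is a heuristic (a literal '.' inside a message would split it)."""
    joined = "".join(text_column(line) for line in lines)
    return [piece for piece in joined.split(".") if len(piece) >= 4]


def build_sample_vbr(messages, signature=BOOT_SIGNATURE):
    """Construct a 512-byte NTFS-style boot sector for demonstration.

    Synthetic sector built here, not an image of any real disk: it carries only the
    fields the checks below look at (jump, OEM ID, two BPB values, the message table
    at 0x180 and the trailing signature)."""
    sector = bytearray(512)
    sector[0:3] = b"\xEB\x52\x90"              # x86 jump over the BPB
    sector[3:11] = NTFS_OEM_ID
    struct.pack_into("<H", sector, 11, 512)    # bytes per sector
    sector[13] = 8                             # sectors per cluster
    table = b"\x00".join(messages) + b"\x00"   # NUL-separated message strings
    sector[0x180:0x180 + len(table)] = table
    sector[0x1FE:0x200] = signature
    return bytes(sector)


def parse_vbr(sector):
    """Sanity-check a raw 512-byte boot sector and pull out its message strings."""
    if len(sector) != 512:
        raise ValueError("expected exactly one 512-byte sector")
    bytes_per_sector, = struct.unpack_from("<H", sector, 11)
    strings = re.findall(rb"[ -~]{4,}", sector[0x180:0x1FE])
    return {
        "oem_id": sector[3:11],
        "is_ntfs": sector[3:11] == NTFS_OEM_ID,
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sector[13],
        "signature_ok": sector[0x1FE:0x200] == BOOT_SIGNATURE,
        "messages": [s.decode("ascii") for s in strings],
    }


if __name__ == "__main__":
    recovered = messages_from_dump(DUMP_LINES)
    print("strings in the dump:", recovered)
    encoded = [m.encode("ascii") for m in recovered]
    intact = parse_vbr(build_sample_vbr(encoded))
    damaged = parse_vbr(build_sample_vbr(encoded, signature=b"\x00\x00"))
    # Both sectors carry the same messages; only the signature check tells them apart.
    print("intact :", intact["is_ntfs"], intact["signature_ok"], intact["messages"])
    print("damaged:", damaged["is_ntfs"], damaged["signature_ok"], damaged["messages"])
```

Run it as a script to see the two sectors side by side. The UTF-16 "B.O.O.T.M.G.R." at 0x200 in the dump is the file name the boot code looks for on the volume; the heuristic splitter drops it because each character comes out as a one-letter piece.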
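The DDS logs in this thread are plain text with a fixed layout: "====== Section ======" headers, one process per line under Running Processes, "Created Last 30" records as date, time, size or <DIR>, an attribute-flag column and a path, and service lines as state;name;display;path [date size]. As an added example (not DDS's own code, nor anything from the poster or the helper), here is a small Python parser for those sections together with the first triage questions a log reviewer asks: how many copies of each image are running, which kernel drivers (.sys files) were written in the last 30 days, and which new files carry hidden or system attribute flags. The excerpt it parses is constructed from lines of the log above; the meaning of the attribute letters ('d', 's', 'h') is inferred from the entries in that log, and the R/S state prefix on service lines is kept as DDS prints it.

```python
import re
from collections import Counter

# Excerpt constructed from the DDS log posted above (a handful of lines per section),
# kept in the exact line formats DDS uses so the parsers below can run against it.
SAMPLE_DDS = r"""
DDS (Ver_09-01-18.01) - NTFSx86
Run by Kirie at 11:34:11.69 on Wed 01/21/2009

AV: Sophos Anti-Virus *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE
C:\Users\Kirsten\Desktop\dds.scr

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-12-22 8944]
S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2009-1-8 34760]

=============== Created Last 30 ================

2009-01-14 09:13 288,768 a------- c:\windows\system32\drivers\srv.sys
2009-01-12 12:02 26,808 a------- c:\windows\system32\drivers\pxark.sys
2009-01-08 12:05 2 a--shrot c:\windows\winstart.bat
2009-01-08 12:05 <DIR> --d----- c:\program files\UnHackMe

============= FINISH: 11:34:23.04 ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
IMAGE_RE = re.compile(r"^(.+?\.(?:exe|scr|com|pif))(?:\s|$)", re.IGNORECASE)
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) (<DIR>|[\d,]+) (\S+) (.+)$")
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.+?) \[(\S+) (\d+)\]$")


def split_sections(text):
    """Group the log's lines under the '====== Name ======' header that precedes them."""
    sections = {"header": []}
    current = "header"
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        else:
            sections[current].append(line)
    return sections


def process_counts(lines):
    """How many instances of each image are running (path only, arguments dropped)."""
    counts = Counter()
    for line in lines:
        m = IMAGE_RE.match(line)
        if m:
            counts[m.group(1).lower()] += 1
    return counts


def parse_created(lines):
    """Parse 'Created Last 30' records: date, time, size or <DIR>, attribute flags, path."""
    records = []
    for line in lines:
        m = CREATED_RE.match(line)
        if not m:
            continue
        date, time, size, attrs, path = m.groups()
        records.append({
            "date": date,
            "time": time,
            "is_dir": size == "<DIR>",
            "size": None if size == "<DIR>" else int(size.replace(",", "")),
            "attrs": attrs,  # flag column as DDS prints it: 'd' directory, 's' system, 'h' hidden
            "path": path,
        })
    return records


def parse_services(lines):
    """Parse 'SERVICES / DRIVERS' records: state prefix, name, display name, path, date, size."""
    records = []
    for line in lines:
        m = SERVICE_RE.match(line)
        if m:
            state, name, display, path, date, size = m.groups()
            records.append({"state": state, "name": name, "display": display,
                            "path": path, "date": date, "size": int(size)})
    return records


def new_kernel_drivers(created):
    """Recently created .sys files: the records to review first when a rootkit is suspected."""
    return [r for r in created if not r["is_dir"] and r["path"].lower().endswith(".sys")]


def hidden_or_system_files(created):
    """Records whose attribute column marks them hidden ('h') or system ('s')."""
    return [r for r in created if "h" in r["attrs"] or "s" in r["attrs"]]


if __name__ == "__main__":
    sections = split_sections(SAMPLE_DDS)
    print("process counts:", process_counts(sections["Running Processes"]).most_common(3))
    created = parse_created(sections["Created Last 30"])
    print("new drivers:", [r["path"] for r in new_kernel_drivers(created)])
    print("hidden/system:", [r["path"] for r in hidden_or_system_files(created)])
    print("services:", parse_services(sections["SERVICES / DRIVERS"]))
```

To use it on a full log, replace `SAMPLE_DDS` with the file contents; the section names are taken from the headers verbatim, so the same keys ("Running Processes", "Created Last 30", "SERVICES / DRIVERS", "Find3M") apply.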


#2 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:05 PM

Posted 30 January 2009 - 02:04 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you with your log.

I apologize for the delay in response. We get overwhelmed with logs at times, but we are trying our best to keep up. If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following so I can have a look at the current condition of your machine.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.

Download and Run DDS
If you already have a copy of DDS, there is no need to download a new one.

Download DDS by sUBs from any of the links below:
DDS.com, DDS.scr, DDS.pif

Double click its icon to run it. If you are using Windows Vista, right click it and select "Run as Administrator".
When the scan is finished, two logs will open.
Post DDS.txt directly into your reply. Attach Attach.txt.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER.zip to your desktop from any of the links below:
LINK1, LINK2
  • Right click on GMER.zip and select "Extract All".
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click GMER.exe. If you are using Windows Vista, right click the icon and select "Run as Administrator". Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.
Please tell me what changes have been made to the computer since your topic was started. Also give me an update on any symptoms.

With Regards,
The Panda

#3 quirkly

quirkly
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:01:05 PM

Posted 31 January 2009 - 07:54 PM

Dear PP
Thank you for your help.

Changes include the fact that I discovered that the admin account had its permissions changed, so I changed the user account to an admin account and disabled the UAC, and made the user account into an admin account. This was an attempt to be able to run some of the programs to determine more about the infection.
I have many infected machines, which are not being used, nor are they networked. This computer is the only one that goes on the internet, since it is already infected. I think this is some sort of bootkit for a botnet. I only email from an account on server online, no email client is used on this machine so I do not know if it would produce spam, but probably.

The biggest change was that the Kirsten account (former user account turned admin, as noted above) has been moved to C:\Windows\system32\config\systemprofile\. There exists another Kirsten account in C:\Users\Kirsten, which I was logged into at first in normal mode. Then the safe mode login went to the desktop of the system32 Kirsten. Now in normal mode, I am sent to the system32 desktop.

DDS logs follow. GMER will not run. I renamed it on download and had spent a lot of time removing all the GMER files previously used, but to no avail. As far as I can tell the diagnostic programs are listed as run once in the registry, so I can never run them again. I discovered many, many exe files in the sys32 folder that the computer is currently using to redo itself, and many hidden files. I will attach these lists also. Other than system changes and redirected and filtered URLs, the most annoying symptom is the skipping cursor, which moves the typing spot. Oh, I also am unable to really uninstall programs. I tried to get rid of Groove but it was not possible, despite the uninstaller I use. I think the computer must just be putting it back from some other partition. I have disabled system restore but that is likely not real.

I have done many clean installs with an immediate return of symptoms, as shown by the skipping cursor and nonfunctional AV. Additionally I had pros do clean installs, reset CMOS, and flash the BIOS. However nothing was done to the MBR or boot sectors; no success. This pattern has held true for two Vistas and an XP laptop, all of which followed the above pattern. I would be happy to wipe them out and start over, but that did not help. I do have infected data, so it would be nice to find whatever this is so I can clean the data. I have had this infection since maybe March of last year, but it finally became a serious issue in August. I have not had a clean computer since. Let me know what you think is the best course. I am happy to do whatever. I just need it gone.

DDS (Ver_09-01-19.01) - NTFSx86
Run by SYSTEM at 15:52:45.57 on Sat 01/31/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.1.1033.18.2037.1329 [GMT -8:00]

AV: Sophos Anti-Virus *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\servicing\TrustedInstaller.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Windows\system32\config\systemprofile\Desktop\ONCE AGAIN.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uURLSearchHooks: AurelloSoft Toolbar: {b45e3a8a-d5e7-4a27-98d0-7f3882673998} - c:\program files\aurellosoft\tbAure.dll
mURLSearchHooks: AurelloSoft Toolbar: {b45e3a8a-d5e7-4a27-98d0-7f3882673998} - c:\program files\aurellosoft\tbAure.dll
BHO: AurelloSoft Toolbar: {b45e3a8a-d5e7-4a27-98d0-7f3882673998} - c:\program files\aurellosoft\tbAure.dll
TB: AurelloSoft Toolbar: {b45e3a8a-d5e7-4a27-98d0-7f3882673998} - c:\program files\aurellosoft\tbAure.dll
uRun: [ccleaner] "c:\program files\ccleaner\CCleaner.exe" /AUTO
uRun: [Advanced Uninstaller PRO Installation Monitor] "c:\program files\innovative solutions\advanced uninstaller pro - version 9\Monitor.exe"
uRun: [FileBoss_1] "c:\program files\fileboss v2\FileBoss.exe"
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\audibl~1.lnk - c:\program files\audible\bin\AudibleDownloadHelper.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\autoup~1.lnk - c:\program files\sophos\autoupdate\ALMon.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\program files\dell\quickset\quickset.exe
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://pccheckup.dellfix.com/sdccommon/download/tgctlcm.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/F/D/9/FD9E437D-5BC8-4264-A093-DFA2C39D197E/LegitCheckControl.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
Notify: igfxcui - igfxdev.dll
SEH: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - No File

================= FIREFOX ===================

FF - ProfilePath - c:\windows\system32\config\system~1\appdata\roaming\mozilla\firefox\profiles\1x1iebew.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com

============= SERVICES / DRIVERS ===============

S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2009-1-24 9728]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2009-1-24 3072]
S3 rspMMFS;rspMMFS;c:\windows\system32\drivers\rspmmfs.sys [2009-1-31 18480]
S3 rspSanity;rspSanity;c:\windows\system32\drivers\rspSanity32.sys [2009-1-24 23992]

=============== Created Last 30 ================

2009-01-31 15:45 185,344 a------- C:\thatfile.dll
2009-01-31 13:06 18,480 a------- c:\windows\system32\drivers\rspmmfs.sys
2009-01-31 13:06 <DIR> --d----- c:\program files\MultiMon
2009-01-31 03:36 <DIR> a-d----- c:\programdata\TEMP
2009-01-31 03:35 <DIR> --d----- c:\windows\system32\config\system~1\appdata\roaming\FileBoss
2009-01-31 03:35 <DIR> --d----- c:\program files\FileBoss V2
2009-01-31 03:29 <DIR> --d----- C:\WinDirStat
2009-01-31 02:48 <DIR> --d----- C:\PScanner Backup
2009-01-31 02:37 <DIR> --d----- c:\program files\Conduit
2009-01-31 02:37 <DIR> --d----- c:\program files\AurelloSoft
2009-01-31 02:32 <DIR> --d----- c:\windows\USERS
2009-01-30 14:38 <DIR> --d----- c:\program files\WinDirStat
2009-01-28 17:38 98 a------- C:\index.ini
2009-01-28 17:36 <DIR> --d----- c:\program files\a-squared HiJackFree
2009-01-27 20:47 <DIR> --d----- c:\windows\system32\config\system~1\appdata\roaming\DiskRegistry
2009-01-27 17:29 <DIR> --d-h--- c:\windows\PIF
2009-01-27 08:53 <DIR> --d----- c:\program files\CCleaner
2009-01-26 13:36 <DIR> --d----- c:\program files\ASAP Utilities
2009-01-25 11:07 <DIR> --d----- c:\program files\common files\Hewlett-Packard
2009-01-25 11:07 <DIR> --d----- c:\program files\common files\HP
2009-01-25 10:54 675,840 a------- c:\windows\system32\hpowiav1.dll
2009-01-25 10:54 573,440 a------- c:\windows\system32\hpotscl1.dll
2009-01-25 10:54 303,104 a------- c:\windows\system32\hpovst01.dll
2009-01-25 10:53 258,048 a------- c:\windows\system32\hpzids01.dll
2009-01-25 10:53 <DIR> --d----- c:\program files\HP
2009-01-25 10:51 148,991 a------- c:\windows\hpoins19.dat
2009-01-25 10:50 <DIR> a-d----- c:\programdata\HP
2009-01-24 19:05 <DIR> --d----- c:\program files\InternetCleanPC
2009-01-24 18:58 <DIR> --d----- c:\program files\EASEUS
2009-01-24 18:41 23,992 a------- c:\windows\system32\drivers\rspSanity32.sys
2009-01-24 18:14 <DIR> --d----- c:\program files\Disk and Registry Alert Trial
2009-01-24 17:17 <DIR> --d----- c:\program files\HackCleaner
2009-01-22 15:40 15,616 a------- c:\windows\system32\drivers\Dbgv.sys
2009-01-22 15:00 <DIR> --d----- c:\windows\system32\logs
2009-01-22 14:59 10,871,290,180 a------- c:\windows\Procmon.pmb
2009-01-16 21:21 23,932 a------- C:\adsspyB run as admin
2009-01-16 13:09 <DIR> --d----- C:\Snort
2009-01-14 09:13 288,768 a------- c:\windows\system32\drivers\srv.sys
2009-01-12 12:02 26,808 a------- c:\windows\system32\drivers\pxark.sys
2009-01-09 21:22 <DIR> --d----- c:\program files\Audible
2009-01-09 19:42 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-01-09 19:42 15,464 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-01-09 19:41 <DIR> --d----- c:\program files\iPod
2009-01-09 19:41 <DIR> a-d----- c:\programdata\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-09 19:41 <DIR> a-d----- c:\progra~2\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-09 19:41 <DIR> --d----- c:\program files\iTunes
2009-01-09 19:40 <DIR> a-d----- c:\programdata\Apple
2009-01-09 16:14 <DIR> a-d----- c:\programdata\Apple Computer
2009-01-09 16:05 299,520 a------- c:\windows\uninst.exe
2009-01-08 14:33 <DIR> --d----- c:\windows\RestoreSafeDeleted
2009-01-06 00:31 <DIR> --d----- c:\program files\PCCheckupOnline
2009-01-06 00:26 <DIR> --d----- c:\windows\system32\Dell
2009-01-05 16:27 70,656 a------- c:\windows\system32\drivers\KERNEL.del

==================== Find3M ====================

2009-01-31 14:30 573,440 a------- C:\thatfile.exe
2009-01-25 10:54 86,016 a------- c:\windows\inf\infstrng.dat
2009-01-25 10:54 86,016 a------- c:\windows\inf\infstor.dat
2009-01-25 10:54 51,200 a------- c:\windows\inf\infpub.dat
2009-01-08 11:57 4,117,846 a------- C:\unhackme500.exe
2008-11-27 08:51 225,280 a------- c:\windows\system32\BootMan.exe
2008-11-26 15:58 472,064 a------- c:\windows\system32\NTFSFormat.dll
2008-11-26 15:55 65,536 a------- c:\windows\system32\FatCopy.dll
2008-11-26 15:54 17,920 a------- c:\windows\system32\SectorCopy.dll
2008-11-26 15:54 139,776 a------- c:\windows\system32\NTFSCopy.dll
2008-11-26 15:52 86,016 a------- c:\windows\system32\ResizeNTFS.dll
2008-11-26 15:51 61,952 a------- c:\windows\system32\FatResizeMove.dll
2008-11-26 15:51 45,568 a------- c:\windows\system32\FileSystemCheck.dll
2008-11-26 15:51 93,184 a------- c:\windows\system32\Partition.dll
2008-11-26 15:50 180,736 a------- c:\windows\system32\DeviceManager.dll
2008-11-26 15:49 22,016 a------- c:\windows\system32\FatFormat.dll
2008-11-26 15:49 86,528 a------- c:\windows\system32\NTFSLib.dll
2008-11-26 15:49 31,744 a------- c:\windows\system32\FatLib.dll
2008-11-26 15:48 10,752 a------- c:\windows\system32\DeviceAdapter.dll
2008-11-26 15:48 6,656 a------- c:\windows\system32\CallbackOperator.dll
2008-11-26 15:48 68,096 a------- c:\windows\system32\Device.dll
2008-11-26 15:48 21,504 a------- c:\windows\system32\Fixup.dll
2008-11-26 15:48 14,848 a------- c:\windows\system32\FileSystemAnalyser.dll
2008-11-26 15:48 24,576 a------- c:\windows\system32\NTFSFileSystemAnalyser.dll
2008-11-26 15:47 25,088 a------- c:\windows\system32\FATFileSystemAnalyser.dll
2008-11-25 17:18 86,408 a------- c:\windows\system32\setupempdrv03.exe
2008-11-25 17:18 9,728 a------- c:\windows\system32\epmntdrv.sys
2008-11-25 17:18 3,072 a------- c:\windows\system32\EuGdiDrv.sys
2008-11-25 17:18 14,848 a------- c:\windows\system32\EuEpmGdi.dll
2008-10-22 12:44 665,600 a------- c:\windows\inf\drvindex.dat
2006-11-02 04:39 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 04:39 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 04:39 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 04:39 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 01:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 01:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 01:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 01:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 15:52:56.65 ===============

There was inadequate space for the hidden files list or the very large file for all the contents of the sys32 folder. Many new exes, enough to essentially create a new operating system. When one pro reformatted the drive on this computer he said there were many partitions, which I did not make. There is an exe in the sys32 entitled diskpart, so likely it is partitioning the drive on its own.

Thanks for any suggestions. I very much appreciate your time and kindness.
Quirkly

#4 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:05 PM

Posted 31 January 2009 - 08:45 PM

Hello.

Nothing much showing in the logs. Let's see what we can find.

Download and run MalwareBytes Anti-Malware
If you already have MBAM installed, simply update and run a quick scan.

Please download Malwarebytes Anti-Malware setup and save it to your desktop.
alternate download link 1
alternate download link 2

Refer to the steps given here on installing MalwareBytes, running the scan, and saving the log file (not on using File Assassin).
  • If you have trouble updating, try the other mirror download site.
  • Should the computer in question not be able to update using the normal method, download the update file from here, using another machine if needed. Simply double-click the file to install the updates.
  • If MalwareBytes asks to reboot to remove certain items, do so right away.
Please include the scan logfile in your next reply.

Try to run GMER again after. If it doesn't work still, try Avira Antirootkit.

Please navigate to the download page of Avira AntiRootkit and click on Download to save it to your Desktop.
  • You should now find a file called: antivir_rootkit.zip on your Desktop. Right click it and select Extract All. Delete the .zip file after extraction.
  • You should now have a folder with Setup.exe and some other files within it on your Desktop.
  • Double-click Setup.exe, then Next.
  • Highlight the radio button to accept the license agreement and then click Next.
  • Then click Next and Install to finalise the installation process.
  • Click Finish (you may now also delete the folder with the extracted files from the zip archive).
You have successfully installed Avira AntiRootkit.
  • Please now navigate to Start > All Programs > Avira RootKit Detection. Then select Avira RootKit Detection
  • Click OK when a message window pops up
  • Click Start scan and let it run. Be patient until the scan finishes.
  • Click View report and copy the entire contents into your next reply.
Do not choose to rename any items found yet. There may be false positives.

With Regards,
The Panda

#5 quirkly

quirkly
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:01:05 PM

Posted 01 February 2009 - 01:51 AM

Dear PP
Thanks for your prompt reply. MBAM found some adware from a recent rootkit search tool that I thought was from a good link. Log attached. I deleted that malware. Nothing from Avira.

Got gmer to run, to some extent. There should be settings and log tabs, and the first time I ran it, there were, but not this time. So the scan is only partial but those logs are attached.

online file for a-squared analysis
http://analyze.hijackfree.com/analyze/?id=...17-01d8fb37b7a9
for what it is worth.

I have some other logs also. SysInspector identifies an "unknown" within process, services, etc. but nothing has ever been able to find the original or continuing infection, although it is linked to the "unknown" shown by sysinspector.

Thank you.
Quirks

#6 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:05 PM

Posted 01 February 2009 - 12:12 PM

Hello.

GMER did not run correctly for some reason. Please try running Avira AntiRootkit.

Also include a fresh DDS log please.

You had mentioned a MBR issue. Let's look into that too.

Download and Run MBR
  • Please download MBR.exe to your desktop.
  • Double click the file to run it.
  • You will see a black command prompt window open then close. A file named mbr.txt will appear on your desktop. Open it and copy its contents into your next reply.
With Regards,
The Panda

#7 quirkly

quirkly
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:01:05 PM

Posted 01 February 2009 - 02:51 PM

Hi,
I did run the Avira previously. I think I noted that nothing was found. Sorry if I forgot to mention that.
I will run the others as you suggest and get back to you.
Thanks
Quirks

#8 quirkly

quirkly
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:01:05 PM

Posted 01 February 2009 - 03:30 PM

DDS (Ver_09-02-01.01) - NTFSx86
Run by SYSTEM at 12:14:34.74 on Sun 02/01/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.1.1033.18.2037.1036 [GMT -8:00]

AV: Sophos Anti-Virus *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\taskeng.exe
C:\Windows\system32\config\systemprofile\Desktop\dds.com
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uURLSearchHooks: AurelloSoft Toolbar: {b45e3a8a-d5e7-4a27-98d0-7f3882673998} - c:\program files\aurellosoft\tbAure.dll
mURLSearchHooks: AurelloSoft Toolbar: {b45e3a8a-d5e7-4a27-98d0-7f3882673998} - c:\program files\aurellosoft\tbAure.dll
BHO: AurelloSoft Toolbar: {b45e3a8a-d5e7-4a27-98d0-7f3882673998} - c:\program files\aurellosoft\tbAure.dll
TB: AurelloSoft Toolbar: {b45e3a8a-d5e7-4a27-98d0-7f3882673998} - c:\program files\aurellosoft\tbAure.dll
uRun: [ccleaner] "c:\program files\ccleaner\CCleaner.exe" /AUTO
uRun: [Advanced Uninstaller PRO Installation Monitor] "c:\program files\innovative solutions\advanced uninstaller pro - version 9\Monitor.exe"
uRun: [FileBoss_1] "c:\program files\fileboss v2\FileBoss.exe"
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\audibl~1.lnk - c:\program files\audible\bin\AudibleDownloadHelper.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\autoup~1.lnk - c:\program files\sophos\autoupdate\ALMon.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\program files\dell\quickset\quickset.exe
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://pccheckup.dellfix.com/sdccommon/download/tgctlcm.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/F/D/9/FD9E437D-5BC8-4264-A093-DFA2C39D197E/LegitCheckControl.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
Notify: igfxcui - igfxdev.dll
SEH: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - No File

================= FIREFOX ===================

FF - ProfilePath - c:\windows\system32\config\system~1\appdata\roaming\mozilla\firefox\profiles\1x1iebew.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com

============= SERVICES / DRIVERS ===============

S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2009-1-24 9728]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2009-1-24 3072]
S3 rspMMFS;rspMMFS;c:\windows\system32\drivers\rspmmfs.sys [2009-1-31 18480]
S3 rspSanity;rspSanity;c:\windows\system32\drivers\rspSanity32.sys [2009-1-24 23992]

=============== Created Last 30 ================

2009-02-01 10:32 164,927 a------- c:\windows\PScanner.tmp
2009-02-01 10:04 <DIR> --d----- C:\pscanner
2009-01-31 21:32 250 a------- c:\windows\gmer.ini
2009-01-31 19:52 <DIR> --d----- c:\program files\Avira GmbH
2009-01-31 19:51 <DIR> --d----- C:\antivir_rootkit
2009-01-31 18:41 <DIR> --d----- c:\windows\system32\config\system~1\appdata\roaming\Malwarebytes
2009-01-31 18:41 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-31 18:41 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-31 18:41 <DIR> --d----- c:\programdata\Malwarebytes
2009-01-31 18:41 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-31 18:41 <DIR> --d----- c:\progra~2\Malwarebytes
2009-01-31 13:06 18,480 a------- c:\windows\system32\drivers\rspmmfs.sys
2009-01-31 13:06 <DIR> --d----- c:\program files\MultiMon
2009-01-31 03:36 <DIR> a-d----- c:\programdata\TEMP
2009-01-31 03:35 <DIR> --d----- c:\windows\system32\config\system~1\appdata\roaming\FileBoss
2009-01-31 03:35 <DIR> --d----- c:\program files\FileBoss V2
2009-01-31 03:29 <DIR> --d----- C:\WinDirStat
2009-01-31 02:48 <DIR> --d----- C:\PScanner Backup
2009-01-31 02:37 <DIR> --d----- c:\program files\Conduit
2009-01-31 02:37 <DIR> --d----- c:\program files\AurelloSoft
2009-01-31 02:32 <DIR> --d----- c:\windows\USERS
2009-01-30 14:38 <DIR> --d----- c:\program files\WinDirStat
2009-01-28 17:38 98 a------- C:\index.ini
2009-01-28 17:36 <DIR> --d----- c:\program files\a-squared HiJackFree
2009-01-27 20:47 <DIR> --d----- c:\windows\system32\config\system~1\appdata\roaming\DiskRegistry
2009-01-27 17:29 <DIR> --d-h--- c:\windows\PIF
2009-01-27 08:53 <DIR> --d----- c:\program files\CCleaner
2009-01-26 13:36 <DIR> --d----- c:\program files\ASAP Utilities
2009-01-25 11:07 <DIR> --d----- c:\program files\common files\Hewlett-Packard
2009-01-25 11:07 <DIR> --d----- c:\program files\common files\HP
2009-01-25 10:54 675,840 a------- c:\windows\system32\hpowiav1.dll
2009-01-25 10:54 573,440 a------- c:\windows\system32\hpotscl1.dll
2009-01-25 10:54 303,104 a------- c:\windows\system32\hpovst01.dll
2009-01-25 10:53 258,048 a------- c:\windows\system32\hpzids01.dll
2009-01-25 10:53 <DIR> --d----- c:\program files\HP
2009-01-25 10:51 148,991 a------- c:\windows\hpoins19.dat
2009-01-25 10:50 <DIR> a-d----- c:\programdata\HP
2009-01-24 19:05 <DIR> --d----- c:\program files\InternetCleanPC
2009-01-24 18:58 <DIR> --d----- c:\program files\EASEUS
2009-01-24 18:41 23,992 a------- c:\windows\system32\drivers\rspSanity32.sys
2009-01-24 18:14 <DIR> --d----- c:\program files\Disk and Registry Alert Trial
2009-01-24 17:17 <DIR> --d----- c:\program files\HackCleaner
2009-01-22 15:40 15,616 a------- c:\windows\system32\drivers\Dbgv.sys
2009-01-22 15:00 <DIR> --d----- c:\windows\system32\logs
2009-01-22 14:59 10,871,290,180 a------- c:\windows\Procmon.pmb
2009-01-16 21:21 23,932 a------- C:\adsspyB run as admin
2009-01-16 13:09 <DIR> --d----- C:\Snort
2009-01-14 09:13 288,768 a------- c:\windows\system32\drivers\srv.sys
2009-01-12 12:02 26,808 a------- c:\windows\system32\drivers\pxark.sys
2009-01-09 21:22 <DIR> --d----- c:\program files\Audible
2009-01-09 19:42 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-01-09 19:42 15,464 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-01-09 19:41 <DIR> --d----- c:\program files\iPod
2009-01-09 19:41 <DIR> a-d----- c:\programdata\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-09 19:41 <DIR> a-d----- c:\progra~2\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-09 19:41 <DIR> --d----- c:\program files\iTunes
2009-01-09 19:40 <DIR> a-d----- c:\programdata\Apple
2009-01-09 16:14 <DIR> a-d----- c:\programdata\Apple Computer
2009-01-09 16:05 299,520 a------- c:\windows\uninst.exe
2009-01-08 14:33 <DIR> --d----- c:\windows\RestoreSafeDeleted
2009-01-06 00:31 <DIR> --d----- c:\program files\PCCheckupOnline
2009-01-06 00:26 <DIR> --d----- c:\windows\system32\Dell
2009-01-05 16:27 70,656 a------- c:\windows\system32\drivers\KERNEL.del

==================== Find3M ====================

2009-01-31 21:31 811,008 a------- C:\gmer.exe
2009-01-31 14:30 573,440 a------- C:\thatfile.exe
2009-01-25 10:54 86,016 a------- c:\windows\inf\infstrng.dat
2009-01-25 10:54 86,016 a------- c:\windows\inf\infstor.dat
2009-01-25 10:54 51,200 a------- c:\windows\inf\infpub.dat
2009-01-08 11:57 4,117,846 a------- C:\unhackme500.exe
2008-11-27 08:51 225,280 a------- c:\windows\system32\BootMan.exe
2008-11-26 15:58 472,064 a------- c:\windows\system32\NTFSFormat.dll
2008-11-26 15:55 65,536 a------- c:\windows\system32\FatCopy.dll
2008-11-26 15:54 17,920 a------- c:\windows\system32\SectorCopy.dll
2008-11-26 15:54 139,776 a------- c:\windows\system32\NTFSCopy.dll
2008-11-26 15:52 86,016 a------- c:\windows\system32\ResizeNTFS.dll
2008-11-26 15:51 61,952 a------- c:\windows\system32\FatResizeMove.dll
2008-11-26 15:51 45,568 a------- c:\windows\system32\FileSystemCheck.dll
2008-11-26 15:51 93,184 a------- c:\windows\system32\Partition.dll
2008-11-26 15:50 180,736 a------- c:\windows\system32\DeviceManager.dll
2008-11-26 15:49 22,016 a------- c:\windows\system32\FatFormat.dll
2008-11-26 15:49 86,528 a------- c:\windows\system32\NTFSLib.dll
2008-11-26 15:49 31,744 a------- c:\windows\system32\FatLib.dll
2008-11-26 15:48 10,752 a------- c:\windows\system32\DeviceAdapter.dll
2008-11-26 15:48 6,656 a------- c:\windows\system32\CallbackOperator.dll
2008-11-26 15:48 68,096 a------- c:\windows\system32\Device.dll
2008-11-26 15:48 21,504 a------- c:\windows\system32\Fixup.dll
2008-11-26 15:48 14,848 a------- c:\windows\system32\FileSystemAnalyser.dll
2008-11-26 15:48 24,576 a------- c:\windows\system32\NTFSFileSystemAnalyser.dll
2008-11-26 15:47 25,088 a------- c:\windows\system32\FATFileSystemAnalyser.dll
2008-11-25 17:18 86,408 a------- c:\windows\system32\setupempdrv03.exe
2008-11-25 17:18 9,728 a------- c:\windows\system32\epmntdrv.sys
2008-11-25 17:18 3,072 a------- c:\windows\system32\EuGdiDrv.sys
2008-11-25 17:18 14,848 a------- c:\windows\system32\EuEpmGdi.dll
2008-10-22 12:44 665,600 a------- c:\windows\inf\drvindex.dat
2006-11-02 04:39 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 04:39 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 04:39 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 04:39 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 01:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 01:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 01:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 01:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 12:14:45.16 ===============

MBR flashes on but does not produce a log. Nothing on the desktop, nothing from search. I have had this problem with DOS programs.
The autoexec.bat file only says: REM Dummy file for NTVDM


autoexec.nt says:
REM AUTOEXEC.BAT is not used to initialize the MS-DOS environment.
REM AUTOEXEC.NT is used to initialize the MS-DOS environment unless a
REM different startup file is specified in an application's PIF.

REM Install CD ROM extensions
lh = %SystemRoot%\system32\mscdexnt.exe

REM Install network redirector (load before dosx.exe)
lh %SystemRoot%\system32\redir

REM Install DPMI support
lh %SystemRoot%\system32\dosx

REM The following line enables Sound Blaster 2.0 support on NTVDM.
REM The command for setting the BLASTER environment is as follows:
REM SET BLASTER=A220 I5 D1 P330
REM where:
REM A specifies the sound blaster's base I/O port
REM I specifies the interrupt request line
REM D specifies the 8-bit DMA channel
REM P specifies the MPU-401 base I/O port
REM T specifies the type of sound blaster card
REM 1 - Sound Blaster 1.5
REM 2 - Sound Blaster Pro I
REM 3 - Sound Blaster 2.0
REM 4 - Sound Blaster Pro II
REM 6 - SOund Blaster 16/AWE 32/32/64
REM
REM The default value is A220 I5 D1 T3 and P330. If any of the switches is
REM left unspecified, the default value will be used. (NOTE, since all the
REM ports are virtualized, the information provided here does not have to
REM match the real hardware setting.) NTVDM supports Sound Blaster 2.0 only.
REM The T switch must be set to 3, if specified.
SET BLASTER=A220 I5 D1 P330 T3

REM To disable the sound blaster 2.0 support on NTVDM, specify an invalid
REM SB base I/O port address. For example:
REM SET BLASTER=A0


Thanks, I await your instructions.
Quirks

#9 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:05 PM

Posted 01 February 2009 - 03:37 PM

Hello.

Please try opening MBR by right clicking it and selecting Run As Administrator.

With Regards,
The Panda

#10 quirkly

quirkly
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:01:05 PM

Posted 01 February 2009 - 04:24 PM

Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK


I moved it to the root directory C:\ and then it ran. That was how I got gmer to run as well as it did.

If there is nothing in the MBR or boot sector, why would the infection return after no exposure to data or the internet?

Clean installs were done by a pro with the HD out of the machine.

Thanks
Quirks
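
The "user & kernel MBR OK" line above means the detector read the first sector twice, once through the ordinary file API and once directly from its own kernel driver, and the two copies agreed. As an added illustration that is not part of this thread or of the GMER tool, the Python script below parses a 512-byte MBR image (partition table and boot signature), hashes the bootstrap code, and reports any way two captures of the same sector differ; the sample MBR bytes are constructed for the example.

```python
import hashlib
import struct

# MBR layout: 446 bytes of bootstrap code, four 16-byte partition entries,
# and the 0x55AA boot signature in the last two bytes of the 512-byte sector.
MBR_SIZE = 512
BOOTSTRAP_SIZE = 446
PARTITION_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"

# A small subset of partition type IDs, enough to label the sample.
PARTITION_TYPES = {
    0x07: "NTFS/exFAT",
    0x0C: "FAT32 (LBA)",
    0x27: "Windows recovery",
    0xEE: "GPT protective",
}


def parse_mbr(sector: bytes) -> dict:
    """Parse one 512-byte MBR image into signature check, bootstrap hash and partitions."""
    if len(sector) != MBR_SIZE:
        raise ValueError("an MBR image must be exactly %d bytes" % MBR_SIZE)
    partitions = []
    for index in range(4):
        offset = BOOTSTRAP_SIZE + index * PARTITION_ENTRY_SIZE
        # Entry layout: status, CHS start (3 bytes, skipped), type,
        # CHS end (3 bytes, skipped), LBA start, sector count.
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, offset)
        if ptype == 0 and lba_start == 0 and sectors == 0:
            continue  # unused slot
        partitions.append({
            "index": index,
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, "unknown (0x%02x)" % ptype),
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "bootstrap_sha256": hashlib.sha256(sector[:BOOTSTRAP_SIZE]).hexdigest(),
        "partitions": partitions,
    }


def compare_views(user_view: bytes, kernel_view: bytes) -> list:
    """Return the ways two captures of the same sector disagree.

    An empty list is the equivalent of the detector's 'user & kernel MBR OK':
    the user-mode read and the kernel-mode read show the same sector.
    """
    user, kernel = parse_mbr(user_view), parse_mbr(kernel_view)
    findings = []
    if user["bootstrap_sha256"] != kernel["bootstrap_sha256"]:
        findings.append("bootstrap code differs between user and kernel view")
    if user["partitions"] != kernel["partitions"]:
        findings.append("partition table differs between user and kernel view")
    if user["signature_ok"] != kernel["signature_ok"]:
        findings.append("boot signature differs between user and kernel view")
    return findings


def build_sample_mbr(entries, bootstrap_fill=0x90) -> bytes:
    """Build a constructed MBR image for the example; not taken from any real disk."""
    sector = bytearray(MBR_SIZE)
    sector[:BOOTSTRAP_SIZE] = bytes([bootstrap_fill]) * BOOTSTRAP_SIZE
    for index, (status, ptype, lba_start, sectors) in enumerate(entries):
        offset = BOOTSTRAP_SIZE + index * PARTITION_ENTRY_SIZE
        struct.pack_into("<B3xB3xII", sector, offset, status, ptype, lba_start, sectors)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed sample: a bootable NTFS system partition followed by a data partition.
CLEAN_LAYOUT = [(0x80, 0x07, 2048, 204800), (0x00, 0x07, 206848, 2000000)]
USER_VIEW = build_sample_mbr(CLEAN_LAYOUT)
# Same partition table, but the kernel-side read shows different bootstrap code.
PATCHED_BOOTSTRAP_VIEW = build_sample_mbr(CLEAN_LAYOUT, bootstrap_fill=0xCC)
# Same bootstrap, but the kernel-side read shows a third partition the user never made.
EXTRA_PARTITION_VIEW = build_sample_mbr(CLEAN_LAYOUT + [(0x00, 0x27, 2206848, 40960)])

if __name__ == "__main__":
    for part in parse_mbr(USER_VIEW)["partitions"]:
        print("partition %(index)d: %(type_name)s start=%(lba_start)d "
              "sectors=%(sectors)d bootable=%(bootable)s" % part)
    print("identical views:", compare_views(USER_VIEW, USER_VIEW) or "user & kernel MBR OK")
    print("patched bootstrap:", compare_views(USER_VIEW, PATCHED_BOOTSTRAP_VIEW))
    print("extra partition:", compare_views(USER_VIEW, EXTRA_PARTITION_VIEW))
```

On a real machine the two inputs would be the sector as read through the file API and as read by a driver; a tool that only checks the partition table would miss the patched-bootstrap case, which is why the detector compares the whole sector.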

#11 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:05 PM

Posted 01 February 2009 - 04:47 PM

Hello.

Were there any portable drives connected to the computer?

The Panda

#12 quirkly

quirkly
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:01:05 PM

Posted 01 February 2009 - 05:05 PM

No, no peripherals. I, and finally several pros, have done clean installs on several computers, XP and Vista, that were infected. I can see why the Vista clean installs were more problematic due to disc structure, but the XP was straightforward. I could not get the Vistas to reformat the disc. The program pretended to, but a reformat takes more than 3 seconds. I finally got Dell to agree that was true. I wonder if the computer never really booted from CD. Subsequently I tried to use "Reimage", but I could never get it to boot off the Reimage ISO, either. The BIOS appears to be controlled.

I have several infected computers. I keep hoping that eventually someone will understand what this thing is.

Any ideas?
Quirks

#13 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:05 PM

Posted 01 February 2009 - 05:32 PM

Hello.

I'm still not sure that an infection is present at the moment.

Let's check something out.

Submit File Sample
  • Open to the Submission Channel.
  • Under Link to topic where this file was requested, input:
    http://www.bleepingcomputer.com/forums/t/197087/unknown-trojanwormbotnet-rootkitbootkit-loong-post/
  • Under Browse to the file you want to submit, input:
    C:\thatfile.exe
  • Under the comments section, say that Panda asked for the submission.

Please post back when that is submitted.

With Regards,
The Panda

#14 quirkly

quirkly
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:01:05 PM

Posted 01 February 2009 - 06:49 PM

Yeah,
"thatfile.exe" is a renamed gmer. There are a few files that seem problematic. I can review and I will send you some ideas. The problem is that the ones that look bad, or are reported as bad by some tool, are locked and I cannot get at them to submit them. When I do it in safe mode or finally manage to get it zipped and passworded, then the file is not infected. It seems that I can see something (infection?) move around. Icons appear and disappear as I am trying to get something to submit.

Yes, I realize that an infection is hard to understand since it does not show up in any usual manner. However, based on behavior: the cursor, moving files, changing permissions, the appearance of many many exe files in the sys32 folder, downloading webpages and images in the background which are put up to deny access to various sites, the inability to do online scans, and such, there is something wrong. It also moves from an infected computer to a clean computer, producing symptoms in the newly infected computer that are the same as in the first computer.

Gmer shows many many red folders and files in the registry. However, I cannot get them to export. Do the red files and folders indicate problems?

Do you still want me to submit the renamed gmer file? Maybe it was altered in some way, but I changed the name.

Thanks
Quirkly

#15 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:05 PM

Posted 01 February 2009 - 07:40 PM

Hello.

No, there is no need to submit GMER.

Please give me some specifics. Which files were flagged? What were they flagged as? What sites were being denied?

With Regards,
The Panda
