
Probable Trojan. Others unsure./ Reopened



#1 seaspine


Posted 03 March 2009 - 12:09 PM

Here's definitely one:
AvFlt File not found: C:\Windows\system32\drivers\av5flt.sys

Probably (.sys extension instead of .dll):
NwlnkFltIPX Traffic Filter Driver File not found: system32\DRIVERS\nwlnkflt.sys
NwlnkFwdIPX Traffic Forwarder Driver File not found: system32\DRIVERS\nwlnkfwd.sys
IpInIpIP in IP Tunnel Driver File not found: system32\DRIVERS\ipinip.sys
SDDMI2 File not found: C:\Windows\system32\DDMI2.sys

These were listed as a Microsoft application online, not an HP .dll

Net Driver HPZ12Dot4Net Module (Not verified) Hewlett-Packard c:\windows\system32\hpzinw12.dll

Pml Driver HPZ12PmlDrv Module (Not verified) Hewlett-Packard c:\windows\system32\hpzipm12.dll


Any advice would be appreciated. I would have sent the entire list but it seems I can't open an .arn file in Vista.
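A check that automates what this first post did by hand, added here as an example and not code from the thread or from BleepingComputer: it walks the driver entries under HKLM\SYSTEM\CurrentControlSet\Services, resolves each ImagePath in the forms the startup database shows (bare system32\DRIVERS\... paths, \SystemRoot\ and \??\ prefixes), and reports entries whose file is missing or whose Authenticode signature does not verify. The function and variable names are mine, and it assumes an elevated Windows PowerShell prompt.

```powershell
# Added example, not from the thread. Lists registered kernel/file-system drivers
# whose ImagePath points at a missing file or a binary whose signature does not verify.
# Run from an elevated Windows PowerShell prompt.
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$systemRoot  = $env:SystemRoot
$driverTypes = 1, 2   # SERVICE_KERNEL_DRIVER = 1, SERVICE_FILE_SYSTEM_DRIVER = 2

function Resolve-DriverImagePath {
    # Turns an ImagePath value as stored in the registry into a full filesystem path.
    param([string]$ImagePath)
    if (-not $ImagePath) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim('"'))
    $p = $p -replace '^\\\?\?\\', ''                     # \??\C:\...            -> C:\...
    $p = $p -replace '^\\?SystemRoot\\', "$systemRoot\"  # \SystemRoot\system32\ -> C:\Windows\system32\
    if ($p -notmatch '^[A-Za-z]:\\') {
        # A bare 'system32\DRIVERS\x.sys' is relative to %SystemRoot%
        $p = Join-Path $systemRoot $p
    }
    return $p
}

function Get-DriverSignatureReport {
    foreach ($key in Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if ($driverTypes -notcontains $props.Type) { continue }   # skip ordinary services
        $path = Resolve-DriverImagePath $props.ImagePath
        if (-not $path) { continue }                              # configuration-only keys
        $signer = ''
        if (Test-Path -LiteralPath $path) {
            # Older Windows PowerShell checks embedded signatures only, so catalog-signed
            # inbox drivers can show as NotSigned here: treat that as "verify further".
            $sig    = Get-AuthenticodeSignature -FilePath $path
            $status = [string]$sig.Status
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        } else {
            $status = 'FileMissing'   # the "File not found" case from the startup database
        }
        New-Object PSObject -Property @{
            Service   = $key.PSChildName
            Start     = $props.Start   # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
            Status    = $status
            Signer    = $signer
            ImagePath = $path
        }
    }
}

# Enabled drivers (Start 0-2) that are missing or unverified deserve the closest look;
# a FileMissing entry with Start 3 or 4 is usually a leftover registration.
Get-DriverSignatureReport |
    Where-Object { $_.Status -ne 'Valid' } |
    Sort-Object Start, Service |
    Format-Table Service, Start, Status, Signer, ImagePath -AutoSize
```

A missing file behind a manual or disabled driver entry is often what remains of an uninstalled component rather than an infection, which is how the thread later treats the NwLnk entries.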


#2 boopme


Posted 05 March 2009 - 04:06 PM

Hello. I am moving this from Windows Startup Programs Database to Am I Infected for scans.



Run MBAM:
Please download Malwarebytes Anti-Malware (v1.32) and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

#3 seaspine


Posted 06 March 2009 - 04:45 AM

I'm going to be quick here. This is just an update. Malwarebytes was unsuccessful. I would post it but I had to do a clean install last night and I lost most everything. It locked me out of my partition and proceeded to trash my computer. I'll give you more details on this tomorrow if I can compile it all. It mutated to a rootkit - I'll call it the Rastabama rootkit - selectively hid some of my e-mail, and passed me over to a fake Panda webpage. It should be gone now with a reformat. Tomorrow I'll post a followup. Seems nothing detected it, even GMER, Kaspersky, One Care, Panda, and F-Secure. I tried to run Trend Micro but it shut it down. Then I got locked out of my partition.
More tomorrow.

#4 seaspine


Posted 06 March 2009 - 06:41 PM

I just ran Malwarebytes. It identified RogueInstaller and removed it. Looks like I got reinfected after my clean reformat and install. Since both of my home computers are infected, I found out this one came in courtesy of Windows Update. My other computer is not attached to this one in any way and only downloaded Windows Update. On that computer, Webroot picked up "virtumonde" but I doubt that was it. No typical file or drivers characteristic of virtumonde are installed. I did locate these rogue files:
APPFCONT.DAT.bck
APPFCONT.DAT
APPFLT.cfg
APPFLT.cfg.bck
dsaflt.cfg.bck
idsflt
Imhosts.sam
NetAdapt.cfg
NetAr.wlt
NetLoc.wlt
pfdnnt.act
WnmFlt
dxgkml.sys

I haven't done anything with them. It corrupted the Panda file PAVRPT.DAT so the antivirus doesn't work.

Here's the MBAM log:
Malwarebytes' Anti-Malware 1.34
Database version: 1825
Windows 6.0.6000

3/6/2009 5:09:22 PM
mbam-log-2009-03-06 (17-09-17).txt

Scan type: Quick Scan
Objects scanned: 58611
Time elapsed: 4 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\setup.exe (Rogue.Installer) -> No action taken. ?. I Selected Removed. Will run again

#5 rigel


Posted 06 March 2009 - 08:06 PM

If you formatted and reinstalled, your computer should have been safe. Secondary partitions may be a source, but I would have to ask. You may end up having to repartition the drive and then format/reinstall. Let's see what we have.

Please download ATF Cleaner by Atribune & save it to your desktop.
alternate download link DO NOT use yet.

Please download and install SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • Under the "Configuration and Preferences", click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure the "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp", ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#6 Orange Blossom


Posted 07 March 2009 - 01:49 AM

Hello seaspine,

Is this the same computer that you posted about here: http://www.bleepingcomputer.com/forums/topic207339.html ?

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#7 seaspine


Posted 07 March 2009 - 02:38 AM

It wasn't, because I couldn't access the web. Now I can. The rogue files are still there even though MBAM ran and identified the Rogue installer. Personally I can't find any remnant of the rogue where MBAM identified it. I ran MBAM again in safe mode and it didn't find anything this time so it probably was removed. I checked the registry and there is no evidence of those files there despite being present in the sys32\drivers\etc folder. Any reason not to manually delete them? I'm going to go ahead and do the SuperAntiSpyware and ATF as you said and will report back tomorrow.
Thank you for your help

#8 rigel


Posted 07 March 2009 - 09:17 PM

:thumbsup:



#9 seaspine


Posted 08 March 2009 - 04:26 AM

Interesting event today. BOTH my home computers have the same rogue files, overactive svchost.exe and dwm.exe, with a huge memory leak. Seems "virtumond" showed up again on the other computer. I called Microsoft about the files and any other suggestions they might have and... we discovered the cause of the infection. Identified as Win32/Vundo and it arrived courtesy of the Panda Antivirus 2009 download to BOTH computers. Microsoft Security id's the files as belonging to Panda. Thank you Panda. However, after uninstalling Panda (actually quite easy), and manually deleting the rogue files/registry, the memory leak quit and it looks like it settled down, for now. I did run but didn't fix anything with Rootkit Revealer. Despite disabling all unnecessary processes, antivirus, unhooking from the net and standing 10 feet away, the log showed 292,000+ issues. I'm not about to post it. F-Secure didn't find anything and neither did AVG Rootkit Finder. I still get pop-ups from Webroot saying that svchost is trying to delete TCPIP so I'm going to keep a close eye. So far NO scan has ever really identified it (Kaspersky, Avast, Panda, Windows Live One Care, Malwarebytes, SuperSpySweeper). The only way was to look in the system32 driver folder and there were the files.
Right now I'm doing the cleanup and will post in two days to let you know if this puppy is going to fly.

#10 tg1911


Posted 08 March 2009 - 06:12 AM

seaspine,

I see you have an open HJT log posted in the HijackThis Logs and Malware Removal forum.
You shouldn't make any changes to your system, while your HJT log is posted, as that could change the results of the posted log, making it difficult to properly clean your system.

At this point, the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

I'm closing this topic until you are cleared by the HJT Team.
If, after your log has been cleaned, you still need help, please PM a Moderator and we will re-open this topic.

If you have any questions, don't hesitate to send me a PM.

#11 Orange Blossom


Posted 08 March 2009 - 10:40 AM

Topic reopened as the HJT topic is for a different computer.

@ seaspine

To avoid confusion, please discuss only the one computer in this thread, not the one in the HJT forum. If the two computers are connected together, I strongly urge you to disconnect them as one can infect the other until both computers are clean.

Panda's definition files - these are the files used by the program to check for baddies on your system - frequently get flagged by other security programs because they neglect to properly sign and encrypt them. This is one reason why I no longer use the Panda Online scanner for a double check.

Have you run the SuperAntiSpyware scan as rigel suggested? If so, please post the log.

Orange Blossom :thumbsup:

#12 seaspine


Posted 08 March 2009 - 01:40 PM

Actually the post was regarding this computer. I resolved the other one with Microsoft. I couldn't use this one to access the Internet so I used the other computer to post that reply. Therefore, your advice has always been regarding this computer and is well appreciated.
Now, regarding this computer that the post originated from. Yes, I ran SuperAntiSpyware. Removed 33 cookies, nothing else so I didn't keep the log. My computer flagged ssetup.exe as spyware in the AppData/Low belonging to SuperAntiSpyware so I uninstalled it and removed the file so as to not confuse the issue any further.
Regarding Panda. My computer symptoms cleared significantly after I uninstalled it. The DDS logs showed those sys32 files I mentioned came in with the Panda Antivirus Pro 2009 download (10 minutes). Panda's virus definition files have a .sig extension.
Current issue. Svchost.exe repeatedly wants to delete TCPIP and Netbt. Memory usage on task manager over 90K. Current antivirus is back to Webroot. Since Microsoft Security identified the offender as probable Win32/vundo on my other computer (not at issue here) with the same markers I am inclined to believe them. I am concerned I have a rootkit. Please advise. AVG AntiRootkit free and F-Secure Blacklight were both negative last night.

#13 seaspine


Posted 08 March 2009 - 01:50 PM

Sorry to post again but I left out the files that were associated with the Panda Antivirus Pro 2009. As far as I am able to tell so far the NwLnkFlt and NwLinkFwd are probably legit but am awaiting confirmation. The files in the sys32\drivers folder that were associated with the Panda download (ref: DDS log) were:
APPFCONT.DAT
APPFCONT.dat.bck
APPFLT.CFG
APPFLT.CFG.bck
dsaflt.cfg.bck
These files disappeared with uninstall of Panda Antivirus Pro 2009.
I hope this cleared up a significant deletion above. Sorry.

#14 Orange Blossom


Posted 08 March 2009 - 01:51 PM

Thanks for clarifying that seaspine. Your previous answer to my question about that indicated that the two topics were concerning different computers.

As tg1911 indicated, you cannot have two topics on the same issue as this can create massive confusion. I'm going to give you a choice here: Continue receiving assistance here and DELETING the HiJack This topic OR reclosing this topic and await assistance in the HiJack this forum. If you choose the latter, I will edit the HJT topic to include a link to this thread so your helper can see what's been done since you posted.

Edited to add: Please let me know your choice via PM. In the meantime, I shall reclose this topic.

Orange Blossom :thumbsup:

Edited by Orange Blossom, 08 March 2009 - 02:00 PM.


#15 Orange Blossom


Posted 09 March 2009 - 08:18 PM

Topic reopened and HiJack This log topic deleted. ~ OB

@ seaspine,

Please post the SuperAntiSpyware log that rigel requested in post #5. Make sure to follow all the steps in that post.

Orange Blossom :thumbsup:

Edited by Orange Blossom, 09 March 2009 - 08:21 PM.

