
Malware Infection/ Moved


21 replies to this topic

#1 RedPenumbra

  • Members
  • 32 posts

Posted 08 March 2009 - 07:03 PM

I've recently been infected with some type of malware. It has disabled almost every Administrator Tool including Run, Registry Editor, Command Prompt, Device Manager, Task Manager, etc. I've run Malwarebytes in quick and full, and although it says it has removed the infections, nothing is actually fixed except that I can now use the Run command again (which is then re-disabled the next time I reboot). I've tried to run MbAM in Safe Mode, but the computer blue screens every time I attempt to enter Safe Mode. I can't run DDS since Command Prompt is disabled, and I can't for the life of me re-enable it. HijackThis simply closes when I try to install it. C:\WINDOWS\system32\drivers\etc\hosts was infected, not allowing me to access several antivirus sites (including this one), but I just deleted all of the extra information in there, and it hasn't been re-copied yet. AVG has been disabled, and it closes down whenever I attempt to re-enable it. There is a folder located in C:\ titled "NIS2008", and I believe it is a result of the malware, since I don't recall seeing it before, and I have never used Norton Internet Security. Most of the infections that MbAM found were in my Temp folder, and had names such as 11.exe, 32.exe, etc., and it says the company of those files is UTool. They are either recreated or not deleted in the first place. The blue screens had names of BAD_POOL_HEADER and BAD_POOL_CALLER. Another one had a problem with krfvjmua.sys. Sorry for this very large list of problems, but I tried to note anything that might help you to identify/fix the problem. I'm running a Kaspersky online scan right now, and I'll also post that up as soon as it finishes. Thanks for any help I can get.

The following are two MbAM logs (a quick scan and a full scan, respectively).

--
Malwarebytes' Anti-Malware 1.34
Database version: 1827
Windows 5.1.2600 Service Pack 3

3/8/2009 5:44:59 PM
mbam-log-2009-03-08 (17-44-59).txt

Scan type: Quick Scan
Objects scanned: 57153
Time elapsed: 4 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 6
Folders Infected: 1
Files Infected: 14

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\12cfg914-k641-26sf-n32p (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun (Hijack.Run) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\System\DisableCMD (Hijack.CMDPrompt) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\RECYCLER\S-1-5-21-0243336031-4052116379-881863308-0851 (Backdoor.Bot) -> Quarantined and deleted successfully.

Files Infected:
C:\RECYCLER\S-1-5-21-0243336031-4052116379-881863308-0851\vse432.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Anonymous\Local Settings\Temp\11.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Anonymous\Local Settings\Temp\15.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Anonymous\Local Settings\Temp\32.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Anonymous\Local Settings\Temp\35.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Anonymous\Local Settings\Temp\44.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Anonymous\Local Settings\Temp\48.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Anonymous\Local Settings\Temp\81.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Anonymous\Local Settings\Temp\83.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Anonymous\Local Settings\Temporary Internet Files\Content.IE5\K9MFW5YJ\serv[1].jpg (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Anonymous\Local Settings\Temporary Internet Files\Content.IE5\K9MFW5YJ\x[2] (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Anonymous\Local Settings\Temporary Internet Files\Content.IE5\WDYV4TYZ\x[2] (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Anonymous\Local Settings\Temporary Internet Files\Content.IE5\WDYV4TYZ\iisconf[1].jpg (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-0243336031-4052116379-881863308-0851\Desktop.ini (Backdoor.Bot) -> Quarantined and deleted successfully.
--


--
Malwarebytes' Anti-Malware 1.34
Database version: 1827
Windows 5.1.2600 Service Pack 3

3/8/2009 7:09:26 PM
mbam-log-2009-03-08 (19-09-26).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 101083
Time elapsed: 17 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 5
Folders Infected: 1
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\12cfg914-k641-26sf-n32p (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun (Hijack.Run) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\System\DisableCMD (Hijack.CMDPrompt) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\RECYCLER\S-1-5-21-0243336031-4052116379-881863308-0851 (Backdoor.Bot) -> Quarantined and deleted successfully.

Files Infected:
C:\RECYCLER\S-1-5-21-0243336031-4052116379-881863308-0851\vse432.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Anonymous\Local Settings\Temp\27.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Anonymous\Local Settings\Temp\76.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Anonymous\Local Settings\Temporary Internet Files\Content.IE5\WDYV4TYZ\wk[2] (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{ED008A3C-6CF5-4395-8B7E-E1C7A9A2BAF1}\RP35\A0017577.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{ED008A3C-6CF5-4395-8B7E-E1C7A9A2BAF1}\RP35\A0023577.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-0243336031-4052116379-881863308-0851\Desktop.ini (Backdoor.Bot) -> Quarantined and deleted successfully.
--

EDIT: The Kaspersky scan finally completed. Here is the log:

--
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, March 9, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, March 09, 2009 00:57:06
Records in database: 1881392
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 42029
Threat name: 10
Infected objects: 25
Suspicious objects: 0
Duration of the scan: 01:21:42


File name / Threat name / Threats count
C:\Documents and Settings\Anonymous\Local Settings\Temp\06.exe Infected: Backdoor.Win32.Small.hpz 1
C:\Documents and Settings\Anonymous\Local Settings\Temp\08.exe Infected: Backdoor.Win32.VB.hvf 1
C:\Documents and Settings\Anonymous\Local Settings\Temp\17.exe Infected: Trojan.Win32.Small.buy 1
C:\Documents and Settings\Anonymous\Local Settings\Temp\45.exe Infected: Backdoor.Win32.Small.hpz 1
C:\Documents and Settings\Anonymous\Local Settings\Temp\51.exe Infected: Trojan-Dropper.Win32.Agent.aioo 1
C:\Documents and Settings\Anonymous\Local Settings\Temp\60.exe Infected: Trojan.Win32.Agent.btlf 1
C:\Documents and Settings\Anonymous\Local Settings\Temp\61.exe Infected: Backdoor.Win32.Small.hpz 1
C:\Documents and Settings\Anonymous\Local Settings\Temp\63.exe Infected: Backdoor.Win32.Small.hpz 1
C:\Documents and Settings\Anonymous\Local Settings\Temp\71.exe Infected: Trojan.Win32.Agent.btlf 1
C:\Documents and Settings\Anonymous\Local Settings\Temp\75.exe Infected: Backdoor.Win32.Small.hqa 1
C:\Documents and Settings\Anonymous\Local Settings\Temp\77.exe Infected: Trojan.Win32.Small.buy 1
C:\Documents and Settings\Anonymous\Local Settings\Temp\82.exe Infected: Backdoor.Win32.Agent.aelg 1
C:\Documents and Settings\Anonymous\Local Settings\Temporary Internet Files\Content.IE5\4L678XAZ\x[1] Infected: Trojan-Dropper.Win32.Agent.aioo 1
C:\Documents and Settings\Anonymous\Local Settings\Temporary Internet Files\Content.IE5\4L678XAZ\x[2] Infected: Trojan.Win32.Agent.btlf 1
C:\Documents and Settings\Anonymous\Local Settings\Temporary Internet Files\Content.IE5\K9MFW5YJ\1x[1].jpg Infected: Backdoor.Win32.Small.hqa 1
C:\Documents and Settings\Anonymous\Local Settings\Temporary Internet Files\Content.IE5\K9MFW5YJ\2[1].exe Infected: Backdoor.Win32.Agent.aelg 1
C:\Documents and Settings\Anonymous\Local Settings\Temporary Internet Files\Content.IE5\K9MFW5YJ\wk[2] Infected: Trojan.Win32.Small.buy 1
C:\Documents and Settings\Anonymous\Local Settings\Temporary Internet Files\Content.IE5\K9MFW5YJ\z[2] Infected: Backdoor.Win32.Small.hpz 1
C:\Documents and Settings\Anonymous\Local Settings\Temporary Internet Files\Content.IE5\WDYV4TYZ\1[2].exe Infected: Trojan.Win32.Agent.btqp 1
C:\Documents and Settings\Anonymous\Local Settings\Temporary Internet Files\Content.IE5\WDYV4TYZ\wk[1] Infected: Backdoor.Win32.Small.hpz 1
C:\Documents and Settings\Anonymous\muykfkq.exe Infected: Trojan.Win32.Small.buw 1
C:\RECYCLER\S-1-5-21-0243336031-4052116379-881863308-0851\vse432.exe Infected: Trojan.Win32.Small.buy 1
C:\RECYCLER\S-1-5-21-3497612302-3102775374-3015387129-1005\Dc1.exe Infected: Backdoor.Win32.Small.hpz 1
C:\RECYCLER\S-1-5-21-3497612302-3102775374-3015387129-1005\Dc5.exe Infected: Backdoor.Win32.Small.hpz 1
C:\WINDOWS\system32\symdbgsvc.exe Infected: Trojan.Win32.Qhost.klg 1

The selected area was scanned.

Edited by RedPenumbra, 08 March 2009 - 11:10 PM.



#2 Orange Blossom

  • Moderator
  • 37,012 posts

Posted 08 March 2009 - 11:11 PM

Hello RedPenumbra,

As the logs above are MBAM logs, I am shifting this topic from the specialized HijackThis forum to the Am I Infected forum.

PLEASE DO NOT NOW POST OTHER LOGS unless a log is specifically requested.

Please tell us what your operating system is: Windows XP, Vista, etc.

Orange Blossom :thumbsup:

#3 RedPenumbra

  • Topic Starter

  • Members
  • 32 posts

Posted 08 March 2009 - 11:17 PM

Doh, sorry about that. I'm running Windows XP Home Edition Service Pack 3.

Thanks for the help.

#4 DaChew

  • Members
  • 10,317 posts

Posted 08 March 2009 - 11:20 PM

Let's give MBAM some help with those temp files.

I would like you to update MBAM and run ATF-Cleaner, then immediately run MBAM (quick scan).

Reboot, then run MBAM again without ATF-Cleaner.

Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use the Firefox browser, click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use the Opera browser, click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".
Chewy

#5 RedPenumbra

  • Topic Starter

  • Members
  • 32 posts

Posted 08 March 2009 - 11:47 PM

Malwarebytes' Anti-Malware 1.34
Database version: 1828
Windows 5.1.2600 Service Pack 3

3/9/2009 12:29:15 AM
mbam-log-2009-03-09 (00-29-15).txt

Scan type: Quick Scan
Objects scanned: 42890
Time elapsed: 3 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 5
Folders Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\12cfg914-k641-26sf-n32p (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun (Hijack.Run) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\System\DisableCMD (Hijack.CMDPrompt) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\RECYCLER\S-1-5-21-0243336031-4052116379-881863308-0851 (Backdoor.Bot) -> Quarantined and deleted successfully.

Files Infected:
C:\RECYCLER\S-1-5-21-0243336031-4052116379-881863308-0851\vse432.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-0243336031-4052116379-881863308-0851\Desktop.ini (Backdoor.Bot) -> Quarantined and deleted successfully.
--


--
Malwarebytes' Anti-Malware 1.34
Database version: 1828
Windows 5.1.2600 Service Pack 3

3/9/2009 12:41:00 AM
mbam-log-2009-03-09 (00-41-00).txt

Scan type: Quick Scan
Objects scanned: 57364
Time elapsed: 3 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 5
Folders Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\12cfg914-k641-26sf-n32p (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun (Hijack.Run) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\System\DisableCMD (Hijack.CMDPrompt) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\RECYCLER\S-1-5-21-0243336031-4052116379-881863308-0851 (Backdoor.Bot) -> Quarantined and deleted successfully.

Files Infected:
C:\RECYCLER\S-1-5-21-0243336031-4052116379-881863308-0851\Desktop.ini (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-0243336031-4052116379-881863308-0851\vse432.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
--

On a side note, the system blue screened near the end of both shutdowns. Also, the ##.exe files are back in the Temp folder. Thanks again for all of your help.

EDIT: And I'll get the occasional "##.exe has encountered a problem and needs to close."

Edited by RedPenumbra, 08 March 2009 - 11:50 PM.
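
The pattern in the logs above (the same Run value and the same policy restrictions reported "Quarantined and deleted successfully" on every scan, then found again on the next one) is easier to see programmatically. The following is an added example, not code from the thread or from Malwarebytes: a small Python parser for this MBAM log format that diffs scans, lists the policy lockdowns (DisableRegistryTools, NoRun and friends), and counts the numbered Temp\##.exe droppers. The two embedded logs are constructed, trimmed copies of the posted ones.

```python
import re
from collections import Counter

# Two abbreviated Malwarebytes logs in the format posted in this thread. They
# are constructed samples for this example, trimmed from the posted logs so the
# script runs offline; they add no findings of their own.
LOG_A = r"""Malwarebytes' Anti-Malware 1.34
3/8/2009 5:44:59 PM
mbam-log-2009-03-08 (17-44-59).txt
Scan type: Quick Scan
Files Infected: 2

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\12cfg914-k641-26sf-n32p (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun (Hijack.Run) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Anonymous\Local Settings\Temp\11.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Anonymous\Local Settings\Temp\15.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
"""

LOG_B = r"""Malwarebytes' Anti-Malware 1.34
3/9/2009 12:41:00 AM
mbam-log-2009-03-09 (00-41-00).txt

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\12cfg914-k641-26sf-n32p (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun (Hijack.Run) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\RECYCLER\S-1-5-21-0243336031-4052116379-881863308-0851\vse432.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
"""

SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")        # detail header: nothing after ':'
ENTRY_RE = re.compile(r"^(.+?) \(([^()]+)\) -> (.+)$")      # object (Detection) -> action
BADGOOD_RE = re.compile(r"Bad: \((\d+)\) Good: \((\d+)\)")  # registry data item values
TEMP_EXE_RE = re.compile(r"\\Temp\\\d+\.exe$", re.IGNORECASE)  # the '##.exe' droppers

def parse_mbam_log(text):
    """Return {'scanned': <date line>, 'sections': {header: [entry, ...]}}."""
    log = {"scanned": None, "sections": {}}
    section = None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if log["scanned"] is None and re.match(r"^\d+/\d+/\d{4} ", line):
            log["scanned"] = line
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            log["sections"].setdefault(section, [])
            continue
        m = ENTRY_RE.match(line) if section else None
        if not m:
            continue  # banner, summary counts ('Files Infected: 2'), '(No malicious ...)'
        entry = {"object": m.group(1), "detection": m.group(2), "action": m.group(3)}
        bg = BADGOOD_RE.search(entry["action"])
        if bg:
            entry["bad"], entry["good"] = bg.group(1), bg.group(2)
        log["sections"][section].append(entry)
    return log

def recurring_items(logs, section="Registry Data Items Infected"):
    """(object, detection) pairs present in every log. Each scan reports them
    removed, yet the next scan finds them again: a still-running component is
    re-applying them, which matches 'Run works until the next reboot' above."""
    seen = Counter()
    for log in logs:
        seen.update({(e["object"], e["detection"])
                     for e in log["sections"].get(section, [])})
    return sorted(k for k, n in seen.items() if n == len(logs))

def lockdown_policies(log):
    """Policy values flipped to a restricting setting (Bad != Good), by value name."""
    return [(e["object"].rsplit("\\", 1)[-1], e["bad"])
            for e in log["sections"].get("Registry Data Items Infected", [])
            if "bad" in e and e["bad"] != e["good"] and "\\Policies\\" in e["object"]]

def numbered_temp_droppers(log):
    """Files named like Temp\\NN.exe, the '##.exe' pattern described in the thread."""
    return [e["object"] for e in log["sections"].get("Files Infected", [])
            if TEMP_EXE_RE.search(e["object"])]

if __name__ == "__main__":
    logs = [parse_mbam_log(LOG_A), parse_mbam_log(LOG_B)]
    for log in logs:
        print(log["scanned"], "lockdowns:", lockdown_policies(log),
              "temp droppers:", len(numbered_temp_droppers(log)))
    print("re-applied between scans:", recurring_items(logs))
```

Feed it every log from a thread like this one and the items that survive every "deleted successfully" are the ones to chase (the process or driver that writes them), rather than the policy values themselves.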


#6 DaChew


  • Members
  • 10,317 posts

Posted 09 March 2009 - 01:31 AM

See if you can get Dr.Web CureIt to run in normal mode.


Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download DrWeb-CureIt and save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
  • When complete, click Select All, then choose Cure > Move incurable.
    (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • Now put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
  • Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)

Edited by DaChew, 09 March 2009 - 01:31 AM.

Chewy

#7 RedPenumbra

  • Topic Starter

  • Members
  • 32 posts

Posted 09 March 2009 - 05:09 PM

Sorry for the long wait. I fell asleep last night at the computer.

Anyway, I managed to run DrWeb-CureIt in normal mode, but now the internet doesn't seem to work on that computer. It doesn't even attempt to connect through wireless or wired.

On a good note, though, AVG is working now. Computer Management is also working, which means I should be able to get back all of my other administrator tools. I don't get a blue screen anymore at shutdown. And finally, I can install HijackThis (which I haven't done yet; still waiting on you to deem it necessary.)

Here is a shortened version of the DrWeb log, since it is on the other computer and I don't have the means to transfer it to this one:

muykfkq.exe; documents and settings\anonymous; deleted
krfvjmua.sys; system32\drivers; deleted
ndisis.sys; system32\drivers; deleted
symdbgsvc.exe; system32; deleted
63.exe, 76.exe, and 81.exe; Local Settings\Temp; deleted
wk[1]; Local Settings\Temporary Internet Files\Content.IE5\C703U2Z7; deleted
symdbgsvc.exe; system32; deleted
A0017607.exe; D:\System Volume Information\_restore{ED008A3C-6CF5-4395-8B7E-E1C7A9A2BAF1}\RP35

Just say the word if you need me to write the types of infections of each of those, and thanks again!

#8 DaChew


  • Members
  • 10,317 posts

Posted 09 March 2009 - 06:41 PM

Use a USB flash/jump/pen drive.

On the clean computer:

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

Would you rescan with MBAM and post the new log?
Chewy

#9 RedPenumbra

  • Topic Starter

  • Members
  • 32 posts

Posted 09 March 2009 - 10:15 PM

I need to get a flash drive to continue with your next step. And I hate to be a bother, but is there any quick way to get my internet back up tonight? I'm leaving for Florida tomorrow morning, and I won't be back until Friday. I was looking forward to taking the infected laptop with me to access internet in the hotel.

Device manager says this for my network adapters: "Windows cannot start this hardware device because its configuration information (in the registry) is incomplete or damaged. (Code 19)"

Again, sorry to be a bother, and don't worry if you can't get back to me tonight or if there's nothing that can be done further without a flash drive. I'm sure I can survive 4 days without the internet. :thumbsup:

EDIT: Oh, and I can access regedit now, since I'm guessing the problem resides in the registry.

Edited by RedPenumbra, 09 March 2009 - 10:16 PM.


#10 DaChew


  • Members
  • 10,317 posts

Posted 09 March 2009 - 10:36 PM

Please download gmer.zip and save to your desktop.
  • Extract (unzip) the file to its own folder such as C:\Gmer. (Click here for information on how to do this if not sure.)
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • You may be prompted to scan immediately if GMER detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as gmer.log and copy/paste the contents in your next reply.
  • Exit GMER and re-enable all active protection when done.

Chewy

#11 RedPenumbra

  • Topic Starter

  • Members
  • 32 posts

Posted 09 March 2009 - 11:33 PM

Phew, I was able to get my internet working again by uninstalling and reinstalling the drivers for my network adapter. Anyway, MbAM didn't find anything, and here is the gmer log:

--
GMER 1.0.15.14878 - http://www.gmer.net
Rootkit scan 2009-03-10 00:28:02
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT spvl.sys ZwCreateKey [0xB9EA80E0]
SSDT spvl.sys ZwEnumerateKey [0xB9EC6CA2]
SSDT spvl.sys ZwEnumerateValueKey [0xB9EC7030]
SSDT spvl.sys ZwOpenKey [0xB9EA80C0]
SSDT spvl.sys ZwQueryKey [0xB9EC7108]
SSDT spvl.sys ZwQueryValueKey [0xB9EC6F88]
SSDT spvl.sys ZwSetValueKey [0xB9EC719A]

INT 0x62 ? 89DD5BF8
INT 0x63 ? 89A91BF8
INT 0x73 ? 89A91BF8
INT 0x82 ? 89DD5BF8
INT 0xA4 ? 89A91BF8
INT 0xB4 ? 89A91BF8

---- Kernel code sections - GMER 1.0.15 ----

? ocvuv.sys The system cannot find the file specified. !
? spvl.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload B96238AC 5 Bytes JMP 89A911D8
.text ad8u6yvz.SYS B95AD386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
.text ad8u6yvz.SYS B95AD3AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text ad8u6yvz.SYS B95AD3C4 3 Bytes [00, 70, 02] {ADD [EAX+0x2], DH}
.text ad8u6yvz.SYS B95AD3C9 1 Byte [2E]
.text ad8u6yvz.SYS B95AD3CB 9 Bytes [00, 00, 5C, 02, 00, 00, 00, ...] {ADD [EAX], AL; POP ESP; ADD AL, [EAX]; ADD [EAX], AL; ADD [EAX], AL}
.text ...

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9EA9040] spvl.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B9EA913C] spvl.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B9EA90BE] spvl.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B9EA97FC] spvl.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B9EA96D2] spvl.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [B9EB9048] spvl.sys
IAT \SystemRoot\System32\Drivers\ad8u6yvz.SYS[HAL.dll!KfAcquireSpinLock] 4B8BDF8B
IAT \SystemRoot\System32\Drivers\ad8u6yvz.SYS[HAL.dll!READ_PORT_UCHAR] 8D3F0304
IAT \SystemRoot\System32\Drivers\ad8u6yvz.SYS[HAL.dll!KeGetCurrentIrql] CB033043
IAT \SystemRoot\System32\Drivers\ad8u6yvz.SYS[HAL.dll!KfRaiseIrql] 0673C13B
IAT \SystemRoot\System32\Drivers\ad8u6yvz.SYS[HAL.dll!KfLowerIrql] C13B0003
IAT \SystemRoot\System32\Drivers\ad8u6yvz.SYS[HAL.dll!HalGetInterruptVector] 8366FA72
IAT \SystemRoot\System32\Drivers\ad8u6yvz.SYS[HAL.dll!HalTranslateBusAddress] 75000E7B
IAT \SystemRoot\System32\Drivers\ad8u6yvz.SYS[HAL.dll!KeStallExecutionProcessor] 0B7D80E3
IAT \SystemRoot\System32\Drivers\ad8u6yvz.SYS[HAL.dll!KfReleaseSpinLock] 307B8D00
IAT \SystemRoot\System32\Drivers\ad8u6yvz.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 00AA840F
IAT \SystemRoot\System32\Drivers\ad8u6yvz.SYS[HAL.dll!READ_PORT_USHORT] 83660000
IAT \SystemRoot\System32\Drivers\ad8u6yvz.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 6A000E7A
IAT \SystemRoot\System32\Drivers\ad8u6yvz.SYS[HAL.dll!WRITE_PORT_UCHAR] C6647400
IAT \SystemRoot\System32\Drivers\ad8u6yvz.SYS[WMILIB.SYS!WmiSystemControl] 4F8B0200
IAT \SystemRoot\System32\Drivers\ad8u6yvz.SYS[WMILIB.SYS!WmiCompleteRequest] 968D5140

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 89DD41F8

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Ip ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)

Device \Driver\usbuhci \Device\USBPDO-0 89A8D1F8
Device \Driver\usbehci \Device\USBPDO-1 89A471F8
Device \Driver\usbuhci \Device\USBPDO-2 89A8D1F8
Device \Driver\usbuhci \Device\USBPDO-3 89A8D1F8
Device \Driver\usbuhci \Device\USBPDO-4 89A8D1F8

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)

Device \Driver\Ftdisk \Device\HarddiskVolume1 89E451F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 89E451F8
Device \Driver\Cdrom \Device\CdRom0 89B79500
Device \Driver\Ftdisk \Device\HarddiskVolume3 89E451F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 899D3500
Device \Driver\PCI_PNP0768 \Device\0000004b spvl.sys
Device \Driver\NetBT \Device\NetbiosSmb 899D3500
Device \Driver\NetBT \Device\NetBT_Tcpip_{202174A3-F3AB-4CB9-B903-4CBC927E4761} 899D3500

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)

Device \Driver\usbuhci \Device\USBFDO-0 89A8D1F8
Device \Driver\usbuhci \Device\USBFDO-1 89A8D1F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 89AA9500
Device \Driver\usbuhci \Device\USBFDO-2 89A8D1F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 89AA9500
Device \Driver\usbuhci \Device\USBFDO-3 89A8D1F8
Device \Driver\usbehci \Device\USBFDO-4 89A471F8
Device \Driver\sptd \Device\935729518 spvl.sys
Device \Driver\Ftdisk \Device\FtControl 89E451F8
Device \Driver\ad8u6yvz \Device\Scsi\ad8u6yvz1Port2Path0Target0Lun0 89B5B500
Device \Driver\ad8u6yvz \Device\Scsi\ad8u6yvz1 89B5B500
Device \FileSystem\Fastfat \Fat 89B74500
Device \FileSystem\Fastfat \Fat A7A21297

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs 89B98500

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 D:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x2D 0xA2 0xE8 0xCF ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xD7 0x68 0x7B 0x56 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xD4 0xB4 0xA2 0x4E ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 D:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x2D 0xA2 0xE8 0xCF ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xD7 0x68 0x7B 0x56 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xD4 0xB4 0xA2 0x4E ...

---- EOF - GMER 1.0.15 ----

EDIT: And as I don't have a flash drive, is it still necessary for me to run Flash Disinfector?

Edited by RedPenumbra, 09 March 2009 - 11:35 PM.


#12 DaChew
Visiting Alien
  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 10 March 2009 - 07:22 AM

Let me get someone to look at that log.

Jump drives are so economical today, I can't imagine not having one.

I am still finding remnants of that durn Daemon Tools on my system; I installed it as part of my troubleshooting of CD/DVD burning issues on a couple of other forums.
Chewy

No. Try not. Do... or do not. There is no try.

#13 RedPenumbra (Topic Starter)
  • Members
  • 32 posts

Posted 19 March 2009 - 10:35 PM

You ever get someone to look at those logs?

#14 DaChew
Visiting Alien
  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 19 March 2009 - 10:51 PM

Would you update MBAM and run a fresh scan?

How was Florida?

The Keys are nice this time of year.
Chewy

No. Try not. Do... or do not. There is no try.

#15 RedPenumbra (Topic Starter)
  • Members
  • 32 posts

Posted 19 March 2009 - 11:03 PM

Florida was heavenly. Kinda nice to get away from it all and just laze around at the beach. :thumbsup:

Halfway through the MbAM scan, when it started to scan the Temp folder, AVG popped up and went nuts over the ##.exe files. I just went ahead and clicked ignore for now.

--
Malwarebytes' Anti-Malware 1.34
Database version: 1875
Windows 5.1.2600 Service Pack 3

3/19/2009 11:59:07 PM
mbam-log-2009-03-19 (23-59-07).txt

Scan type: Quick Scan
Objects scanned: 59516
Time elapsed: 4 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Anonymous\Local Settings\Temporary Internet Files\Content.IE5\07FA1D96\x[1].jpg (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Anonymous\Local Settings\Temp\22.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

EDIT: And I can give you what AVG automatically detected if you need it.

Edited by RedPenumbra, 19 March 2009 - 11:09 PM.
