Hijack log - Not Possible


This topic is locked
4 replies to this topic

#1 copystart

copystart

  • Members
  • 8 posts
  • OFFLINE
  • Local time:01:55 AM

Posted 26 March 2009 - 05:27 PM

I can't even get HijackThis to run on the computer. Every time I download it, the icon keeps flickering and then says that this is not a valid win32 application. It does the same thing for GMER and, although it doesn't make it a useless program, disables like half of its features somehow.

What do I do?

Edit: To add some extra info, it disabled my Avast and other anti-spyware applications and rendered them unusable. I am running GMER as we speak despite it erroring at the beginning because it can't do something with a .sys file / can't get a key from it. So far it says possible rootkit detected and two hidden processes and such.

Edit2: And something else... Avast never detected this thing coming in (and I keep it updated daily). The virus took effect after I rebooted the system today.

Edited by copystart, 26 March 2009 - 05:38 PM.


#2 copystart

copystart
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:01:55 AM

Posted 26 March 2009 - 06:12 PM

This is what GMER had to say (Note I do run MagicFolders and this log was truncated to just the first part about the rootkit):

GMER 1.0.15.14944 - http://www.gmer.net
Rootkit scan 2009-03-26 19:00:26
Windows 5.1.2600 Service Pack 2


---- Modules - GMER 1.0.15 ----

Module _________ BA7E8000-BA800000 (98304 bytes)

---- Processes - GMER 1.0.15 ----

Process hidden process (*** hidden *** ) 3508
Process hidden process (*** hidden *** ) 3656

---- Services - GMER 1.0.15 ----

Service C:\Documents and Settings\Kurt Scheuringer\Application Data\drivers\wfsintwq.sys (*** hidden *** ) [SYSTEM] srosa <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----


----------------------------------------------------------------------------------------------------------------------------------------------------------------------


GMER 1.0.15.14944 - http://www.gmer.net
Rootkit scan 2009-03-26 18:59:11
Windows 5.1.2600 Service Pack 2


---- Services - GMER 1.0.15 ----

Service C:\Documents and Settings\Kurt Scheuringer\Application Data\drivers\wfsintwq.sys (*** hidden *** ) [SYSTEM] srosa <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\MediumCache\{6c0bc760-5951-11d2-a41a-00104b75937c}-0-0@\\?\DISPLAY#NTativrv01#5&2bb82b4b&0&80000008&01&00#{6994ad05-93ef-11d0-a3cc-00a0c9223196}\{bc187864-4183-4dc5-9fe0-679a7a039975} 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\MediumCache\{6c0bc760-5951-11d2-a41a-00104b75937c}-0-0@\\?\DISPLAY#NTativrv01#5&2bb82b4b&0&80000008&01&00#{65e8773d-8f56-11d0-a3b9-00a0c9223196}\{bc187864-4183-4dc5-9fe0-679a7a039975} 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x29 0x78 0xA5 0x9C ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x6B 0x6A 0x01 0xC2 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xC2 0xA0 0x0B 0x63 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\srosa
Reg HKLM\SYSTEM\CurrentControlSet\Services\srosa@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\srosa@Start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\srosa@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\srosa@ImagePath \??\C:\Documents and Settings\Kurt Scheuringer\Application Data\drivers\wfsintwq.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\srosa@DisplayName srosa
Reg HKLM\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg40

#3 garmanma

garmanma

    Computer Masochist


  • Members
  • 27,809 posts
  • OFFLINE
  • Gender:Male
  • Location:Cleveland, Ohio
  • Local time:01:55 AM

Posted 26 March 2009 - 07:56 PM

This is not the proper forum for those logs

Did you try the DDS scan that is mentioned in the preparation guide?
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

If you cannot get DDS to run, try this:

If you cannot get DDS to work, please try this instead.

Please download RSIT by random/random and save it to your Desktop.
Note: You will need to run this tool while connected to the Internet so it can download HijackThis if it is not located on your system. If you get a warning from your firewall or other security programs regarding RSIT attempting to contact the Internet, please allow the connection.
  • Close all applications and windows so that you have nothing open and are at your Desktop.
  • Double-click on RSIT.exe to start the program.
  • If using Windows Vista, be sure to Run As Administrator.
  • Click Continue after reading the disclaimer screen.
  • Leave the drop down box set to default: "List/folders created or modified in the last 1 month (30 days)".
  • When the scan is complete, a text file named log.txt will automatically open in Notepad.
  • Save the log file to your desktop and copy/paste the contents into a new topic in the HijackThis Logs and Malware Removal forum, NOT here.
Important: Be sure to mention that you tried to follow the Prep Guide but were unable to get DDS to run.
If RSIT did not work, then reply back here.
Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#4 copystart

copystart
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:01:55 AM

Posted 26 March 2009 - 08:01 PM

Here is the DDS log:


DDS (Ver_09-03-16.01) - NTFSx86
Run by Kurt Scheuringer at 18:46:36.30 on Thu 03/26/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_02
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2047.1567 [GMT -4:00]

AV: avast! antivirus 4.8.1335 [VPS 090325-0] *On-access scanning enabled* (Updated)
FW: Trend Micro PC-cillin Internet Security (Firewall) *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
D:\mysql\bin\mysqld-nt.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Documents and Settings\Kurt Scheuringer\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.eq2players.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyServer = http=192.168.2.107:5190;https=192.168.2.107:5190
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: : {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: CPrintEnhancer Object: {ae84a6aa-a333-4b92-b276-c11e2212e4fe} - c:\program files\hp\smart web printing\SmartWebPrinting.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.4.2\gears.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [WhatPulse] c:\program files\whatpulse\WhatPulse.exe
uRun: [Google Update] "c:\documents and settings\kurt scheuringer\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [c:\program files\netmeter\netmeter.exe] c:\program files\netmeter\NetMeter.exe
mRun: [ASUS Probe] c:\program files\asus\probe\AsusProb.exe
mRun: [SBDrvDet] c:\program files\creative\sb drive det\SBDrvDet.exe /r
mRun: [RAMDef] c:\program files\ram def xt\ramdef.exe -tray
mRun: [CTSysVol] c:\program files\creative\sbaudigy2zs\surround mixer\CTSysVol.exe /r
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.4.2\gears.dll
Trusted Zone: aol.com\free
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
TCP: {9E10EB17-960F-40D9-8525-3400AAEB551E} = 192.168.2.1
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kurtsc~1\applic~1\mozilla\firefox\profiles\4q5o762m.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.eq2players.com
FF - component: c:\documents and settings\kurt scheuringer\application data\mozilla\firefox\profiles\4q5o762m.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc.dll
FF - component: c:\program files\google\google gears\firefox\components\gears.dll
FF - plugin: c:\documents and settings\kurt scheuringer\application data\mozilla\firefox\profiles\4q5o762m.default\extensions\{f8cc37c3-cbeb-4a00-8cbf-26a88693f0c5}\plugins\npagent.dll
FF - plugin: c:\documents and settings\kurt scheuringer\application data\mozilla\firefox\profiles\4q5o762m.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\documents and settings\kurt scheuringer\local settings\application data\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\download manager\npfpdlm.dll
FF - plugin: c:\program files\google\update\1.2.131.11\npGoogleOneClick5.dll
FF - plugin: c:\program files\google\update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\windows\microsoft.net\framework\v3.5\wpf\NPWPF.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-2-29 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-2-29 55024]
R1 sK9Ou0s;sK9Ou0s;c:\documents and settings\kurt scheuringer\application data\drivers\srosa2.sys [2009-3-26 7168]
S0 MFX;MFX; [x]
S0 XMS1563K;XMS1563K;c:\windows\system32\drivers\XMS1563K.SYS [2007-5-2 49580]
S1 aswSP;avast! Self Protection; [x]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswfsblk.sys --> c:\windows\system32\drivers\aswFsBlk.sys [?]
S2 gupdate1c8cbe63317895a;Google Update Service (gupdate1c8cbe63317895a);c:\program files\google\update\GoogleUpdate.exe [2008-7-16 133104]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2006-2-16 4096]
S3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\tm_cfw.sys --> c:\windows\system32\drivers\TM_CFW.sys [?]
S4 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2008-11-13 138680]
S4 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2008-11-13 254040]
S4 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2008-11-13 352920]
S4 TmPfw;Trend Micro Personal Firewall; [x]

============== File Associations ===============

regfile="regedit.exe" "%1"

=============== Created Last 30 ================

2009-03-26 18:31 <DIR> --d----- C:\HJ
2009-03-26 11:43 <DIR> --d-h--- c:\docume~1\kurtsc~1\applic~1\m
2009-03-26 10:50 <DIR> --dsh--- C:\Diskeeper
2009-03-26 09:37 <DIR> --d----- c:\program files\common files\Diskeeper Corporation
2009-03-26 09:37 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Diskeeper Corporation
2009-03-26 09:37 <DIR> --d----- c:\program files\Diskeeper Corporation
2009-03-26 09:34 <DIR> --d-h--- c:\docume~1\kurtsc~1\applic~1\drivers
2009-03-22 22:48 65,536 a------- c:\windows\IFinst27.exe
2009-03-16 23:18 <DIR> --d----- c:\program files\Yahoo!
2009-03-04 20:31 <DIR> --d----- c:\program files\MySQL

==================== Find3M ====================

2009-01-26 21:05 25,536 a------- c:\docume~1\kurtsc~1\applic~1\GDIPFONTCACHEV1.DAT
2008-04-22 13:25 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
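
The two logs in this thread (the GMER output in post #2 and the DDS output above) both point at the same thing a removal helper looks for first: entries GMER reports as hidden, and a kernel driver whose image file lives under a user profile (Documents and Settings\...\Application Data), where no legitimately installed driver sits. The script below is an added triage example written for this thread; it is not part of the original posts and is not code from GMER or DDS. The sample lines are copied from the logs above (a constructed subset), the regular expressions and the function names are the example's own assumptions, and the "service image in user profile" rule is a heuristic, not a vendor signature.

```python
"""Triage helper for the GMER / DDS excerpts posted in this thread (added example).

Two checks:
  1. lines GMER marks as *** hidden *** (processes, services, modules)
  2. services / drivers whose image path is under a user profile
     (Documents and Settings\\<user>\\Application Data), which is where the
     srosa driver in these logs lives and where a real driver never installs.
"""
import re

# Constructed sample: lines copied from the GMER log in post #2.
GMER_SAMPLE = r"""
Process hidden process (*** hidden *** ) 3508
Process hidden process (*** hidden *** ) 3656
Service C:\Documents and Settings\Kurt Scheuringer\Application Data\drivers\wfsintwq.sys (*** hidden *** ) [SYSTEM] srosa <-- ROOTKIT !!!
Reg HKLM\SYSTEM\CurrentControlSet\Services\srosa@Start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\srosa@ImagePath \??\C:\Documents and Settings\Kurt Scheuringer\Application Data\drivers\wfsintwq.sys
""".strip().splitlines()

# Constructed sample: lines copied from the DDS SERVICES / DRIVERS section in post #4.
DDS_SAMPLE = r"""
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-2-29 8944]
R1 sK9Ou0s;sK9Ou0s;c:\documents and settings\kurt scheuringer\application data\drivers\srosa2.sys [2009-3-26 7168]
S0 XMS1563K;XMS1563K;c:\windows\system32\drivers\XMS1563K.SYS [2007-5-2 49580]
""".strip().splitlines()

# Assumed heuristic: a path under a user profile's Application Data folder.
# Handles the optional \??\ NT prefix GMER prints and the 8.3 short names
# (docume~1, applic~1) that DDS uses elsewhere in its output.
PROFILE_PATH = re.compile(
    r"(?:\\\?\?\\)?[a-z]:\\(?:documents and settings|docume~1)\\[^\\]+\\"
    r"(?:application data|applic~1)\\",
    re.IGNORECASE,
)

# DDS driver line: "<state> <name>;<display name>;<image path> [<date> <size>]"
DDS_DRIVER = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);([^\[]+?)\s*(?:\[.*\])?$")

# GMER registry line for a service ImagePath value.
GMER_IMAGEPATH = re.compile(
    r"Reg\s+HKLM\\SYSTEM\\CurrentControlSet\\Services\\([^@\\]+)@ImagePath\s+(.*)"
)


def gmer_findings(lines):
    """Return (kind, detail) tuples for GMER lines that deserve attention."""
    findings = []
    for line in lines:
        if "*** hidden ***" in line:
            kind = line.split(None, 1)[0]  # Process / Service / Module ...
            findings.append((f"hidden-{kind.lower()}", line.strip()))
        m = GMER_IMAGEPATH.match(line)
        if m and PROFILE_PATH.search(m.group(2)):
            findings.append(("service-image-in-profile", f"{m.group(1)} -> {m.group(2).strip()}"))
    return findings


def dds_driver_findings(lines):
    """Flag DDS SERVICES / DRIVERS entries whose image file sits in a user profile."""
    findings = []
    for line in lines:
        m = DDS_DRIVER.match(line.strip())
        if not m:
            continue
        state, name, _display, image = m.groups()
        if PROFILE_PATH.search(image):
            findings.append(("driver-image-in-profile", f"{state} {name} -> {image.strip()}"))
    return findings


def triage(gmer_lines, dds_lines):
    """Combine both checks so one call covers both logs."""
    return gmer_findings(gmer_lines) + dds_driver_findings(dds_lines)


if __name__ == "__main__":
    for kind, detail in triage(GMER_SAMPLE, DDS_SAMPLE):
        print(f"{kind:26} {detail}")
```

On the thread's own lines the script reports the two hidden PIDs, the hidden srosa service, the srosa ImagePath under Application Data, and the sK9Ou0s driver loading srosa2.sys from the same folder. It only surfaces what the helper should look at; deciding what to do about it stays with the person working the log, as the moderator's reply says.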

#5 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,989 posts
  • ONLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:01:55 AM

Posted 26 March 2009 - 10:19 PM

This topic is a duplicate of the one posted here: http://www.bleepingcomputer.com/forums/t/214268/dds-log-rootkit-virus/. Posting more than one topic on the same issue is called double-posting and is not allowed on this forum because it can create massive confusion and in this case make the malware removal process more difficult and time consuming. In addition, we do not analyze these logs in the Am I Infected forum. Therefore, this topic shall be deleted.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

Please note: you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

This topic shall disappear in the next 24 hours or so.

Orange Blossom ~ forum moderator
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript



