
combofix and Malwarebytes failed to run


  • This topic is locked
4 replies to this topic

#1 barmaglot

barmaglot

  • Members
  • 4 posts
  • OFFLINE
  • Local time:09:01 AM

Posted 04 June 2009 - 07:37 PM

I have 2 problems, but I think they are connected somehow:
1. Links at google.com are redirected to 2 porn sites (only 2, zumvideo.net and uniporn.ru).
2. ComboFix and Malwarebytes fail to start without any error in the event log and don't raise an error level on the command line.

I am running Windows XP Professional SP3 x32 English with a few updates. I am using Symantec Antivirus 10.0.0.359, which is up-to-date, and Windows Firewall (but it was disabled until now).

How it started:
1. I noticed the presence of a user named pywl$ on my computer; I deleted it. After a while this user appeared again, and I deleted it one more time. I haven't seen that user since then.
2. Yesterday (04.06.2009) I searched for something in Google; then Symantec Antivirus showed a pop-up saying that it had deleted 4 viruses: Hacktool.Rootkit, Backdoor.Trojan, Backdoor.Tidserv, W32.Tidserv.G (in Symantec terminology). Removal of one of these required a reboot of my machine.
3. After the reboot, links at google.com and windowsupdate.microsoft.com were redirected to the porn sites mentioned above (both in Firefox and Internet Explorer 7). The virus had set an incorrect DNS address in the properties of my network connection; I removed it and restored the previous settings.
4. Then I ran a full scan of my system drive. Symantec found SecurityRisk.ProxyDNS and cleaned it successfully.
5. Windows System File Protection showed a message that %systemroot%\system32\drivers\beep.sys had been replaced by a file with an incorrect version. I inserted the disk and the system restored the file.
Then I noticed a few things at once:
- there are autorun.inf files on all of my drives with a command to run the file S-6-0-2....com (sorry, I don't remember the full name)
- there is a file S-6-0-2....com (the name looks like a Security Identifier, SID) in the Recycler or Recycled folder on all of my drives
- System Restore is enabled although it had been disabled
- a few errors in the event log that some services with strange names failed to start (service display names: MS Mediab Control mCenter, MS Mediaw Control nCenter, webclicents, SheColle Authorization server)
- there are strange files in %systemroot%\system32; some of them are binaries of the services mentioned above, some are binaries of services which are running but also have strange names (e.g. catsd.dll); the last modification time of all of these files is 04.06.2009
I disabled System Restore and removed all Recycler/Recycled/System Volume Information folders from all drives along with the autorun.inf files. I didn't find any info about any of the strange services and removed them too.
6. Then I found that %systemroot%\system32\drivers\pcidump.sys, without any description or version, had also been created on 04.06.2009 and that there is a key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCIDUMP. I removed pcidump.sys and the key.
7. Then I ran RootkitRevealer and found HKLM\Software\gxvxc, HKLM\System\ControlSet002\Services\gxvxcserv.sys (main control set) and HKLM\System\ControlSet004\Services\gxvxcserv.sys (backup control set), which are hidden from the Windows API. I don't have any idea what to do with them.

Please excuse my erroneous English.

DDS attachment attached.
DDS log:

DDS (Ver_09-05-14.01) - NTFSx86
Run by triton at 2:26:25,90 on 05.06.2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1251.7.1033.18.2047.1510 [GMT 4:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SAV\VPTray.exe
C:\Program Files\A4Tech\Mouse\Amoumain.exe
C:\Program Files\SDF Lab Design Team\VistaDriveIcon\DrvIcon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\OpenVPN\bin\openvpn-gui.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
C:\Program Files\VMware\VMware Workstation\hqtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\SDF Lab Design Team\Lclock\LClock.exe
C:\Program Files\SDF Lab Design Team\YzToolbar\YzToolBar.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\SAV\DefWatch.exe
C:\WINDOWS\system32\CBA\pds.exe
C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\SAV\Rtvscan.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\ams_ii\hndlrsvc.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\ams_ii\iao.exe
C:\WINDOWS\system32\cba\xfr.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\triton\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://info.starlink.ru/
uSearch Page = hxxp://google.icq.com
uSearch Bar = hxxp://google.icq.com/search/search_frame.php
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [AlcoholAutomount] "c:\program files\alcohol soft\alcohol 120\axcmd.exe" /automount
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [LClock] c:\program files\lclock\LClock.exe
uRun: [Vista Sidebar] c:\program files\vista sidebar\sidebar.exe
uRun: [ViStart] c:\program files\vistart\ViStart.exe
uRun: [ViOrb] c:\program files\viorb\ViOrb.exe
uRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\Wcescomm.exe"
uRun: [DAEMON Tools Lite] c:\program files\daemon tools lite\daemon.exe -autorun
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\sav\VPTray.exe
mRun: [WheelMouse] c:\program files\a4tech\mouse\Amoumain.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [DrvIcon] c:\program files\sdf lab design team\vistadriveicon\DrvIcon.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [openvpn-gui] c:\program files\openvpn\bin\openvpn-gui.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [ICQ Lite] "c:\program files\icqlite\ICQLite.exe" -minimize
mRun: [vmware-tray] c:\program files\vmware\vmware workstation\vmware-tray.exe
mRun: [VMware hqtray] "c:\program files\vmware\vmware workstation\hqtray.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\triton\startm~1\programs\startup\lclock.lnk - c:\program files\sdf lab design team\lclock\LClock.exe
StartupFolder: c:\docume~1\triton\startm~1\programs\startup\vistad~1.lnk - c:\program files\sdf lab design team\vistadriveicon\DrvIcon.exe
StartupFolder: c:\docume~1\triton\startm~1\programs\startup\yztool~1.lnk - c:\program files\sdf lab design team\yztoolbar\YzToolBar.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {6224f700-cba3-4071-b251-47cb894244cd} - c:\progra~1\icq\ICQ.exe
IE: {B863453A-26C3-4e1f-A54D-A2CD196348E9} - c:\program files\icqlite\ICQLite.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1244069108533
TCP: NameServer = 85.255.112.61,85.255.112.172
TCP: {23C8707F-A631-4AAC-9724-A4BFF6C2D7D1} = 85.255.112.61,85.255.112.172
TCP: {29C6E45E-C3ED-4114-9252-89CCCBE153FB} = 85.255.112.172
TCP: {DB1A06CE-C023-4BBD-8C76-D7FE819AE268} = 85.255.112.61,85.255.112.172
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\triton\applic~1\mozilla\firefox\profiles\sso9cnd8.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\videolan\npvlc.dll

============= SERVICES / DRIVERS ===============

R0 pe3aqfgb;Tension Environment Driver (pe3aqfgb);c:\windows\system32\drivers\pe3aqfgb.sys [2008-3-17 68720]
R0 pf2aqfgb;Tension File System Driver (pf2aqfgb);c:\windows\system32\drivers\pf2aqfgb.sys [2008-3-17 83568]
R0 ps7aqfgb;Tension Synchronization Driver (ps7aqfgb);c:\windows\system32\drivers\ps7aqfgb.sys [2008-8-12 67704]
R0 sfdrv02;FrontLine Environment Driver (v2);c:\windows\system32\drivers\sfdrv02.sys [2006-9-11 67960]
R0 sfsync05;FrontLine Synchronization Driver (v5);c:\windows\system32\drivers\sfsync05.sys [2006-8-11 59776]
R1 appdrv01;Application Driver (01);c:\windows\system32\drivers\appdrv01.sys [2008-10-29 2911848]
R1 SAVRT;SAVRT;c:\program files\sav\savrt.sys [2005-2-4 324232]
R1 SAVRTPEL;SAVRTPEL;c:\program files\sav\Savrtpel.sys [2005-2-4 53896]
R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};c:\program files\cyberlink\powerdvd\000.fcl [2008-10-11 13560]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-4-8 185968]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-4-8 161392]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\sav\Rtvscan.exe [2005-4-17 1706176]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\atl01_xp.sys [2007-12-22 38656]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2008-7-5 93696]
R3 FStarForce;FStarForce;c:\windows\system32\drivers\FStarForce.sys [2008-10-25 9216]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090604.002\naveng.sys [2009-6-4 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090604.002\navex15.sys [2009-6-4 876144]
R3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\drivers\tap0801.sys [2006-10-1 26624]
S2 appdrvrem01;Application Driver Auto Removal Service (01);c:\windows\system32\appdrvrem01.exe svc --> c:\windows\system32\appdrvrem01.exe svc [?]
S2 pr2aqfgb;Tension Drivers Auto Removal (pr2aqfgb);c:\windows\system32\pr2aqfgb.exe svc --> c:\windows\system32\pr2aqfgb.exe svc [?]
S2 sfrem02;FrontLine Drivers Auto Removal (v2);c:\windows\system32\sfrem02.exe svc --> c:\windows\system32\sfrem02.exe svc [?]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2005-4-8 83568]
S3 Video3D;ASUS Video3D Service;c:\windows\system32\drivers\video3d32.sys --> c:\windows\system32\drivers\Video3D32.sys [?]

=============== Created Last 30 ================

2009-06-05 02:13 <DIR> --d----- c:\windows\system32\NtmsData
2009-06-05 02:06 <DIR> --d----- c:\program files\DAEMON Tools Lite
2009-06-04 22:19 0 a------- c:\windows\system32\ativvaxx.cap
2009-06-04 03:15 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-06-04 02:56 <DIR> --d----- c:\windows\system32\PreInstall
2009-06-04 02:47 23,576 a------- c:\windows\system32\wuapi.dll.mui
2009-06-04 02:01 4,224 a------- c:\windows\system32\drivers\beep.sys
2009-06-04 01:35 37,359 ---sh--- c:\windows\system32\woss.exe
2009-05-27 10:55 <DIR> --d----- c:\program files\ReflexiveArcade
2009-05-08 00:54 49,152 a------- C:\FindBytesSeq.exe

==================== Find3M ====================

2008-07-05 21:56 22,328 a------- c:\docume~1\triton\applic~1\PnkBstrK.sys
2008-03-29 00:23 1 a------- c:\documents and settings\triton\SI.bin
2007-12-22 19:59 457 a------- c:\program files\INSTALL.LOG

============= FINISH: 2:26:31,53 ===============

#2 barmaglot

barmaglot
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:09:01 AM

Posted 07 June 2009 - 05:29 PM

Additional info: the keys hidden from the Windows API are visible in regedit now; I don't know how/why they became visible. The HKLM\System\ControlSet002\Services\gxvxcserv.sys key is empty, but HKLM\Software\gxvxc contains interesting info:
[HKEY_LOCAL_MACHINE\SOFTWARE\gxvxc]

[HKEY_LOCAL_MACHINE\SOFTWARE\gxvxc\disallowed]
"avp.exe"=hex(0):
"klif.sys"=hex(0):
"mrt.exe"=hex(0):
"spybotsd.exe"=hex(0):
"sasdifsv.sys"=hex(0):
"saskutil.sys"=hex(0):
"sasenum.sys"=hex(0):
"superantispyware.exe"=hex(0):
"szkg.sys"=hex(0):
"szserver.exe"=hex(0):
"mbam.exe"=hex(0):
"mbamswissarmy.sys"=hex(0):
"pctssvc.sys"=hex(0):
"pctcore.sys"=hex(0):
"mchinjdrv.sys"=hex(0):
"avgfwdx.sys"=hex(0):
"avgldx86.sys"=hex(0):
"avgmfx86.sys"=hex(0):
"avgrkx86.sys"=hex(0):
"avgtdix.sys"=hex(0):
"hijackthis.exe"=hex(0):
"combofix.exe"=hex(0):

I downloaded the new version of RootkitRevealer by Sysinternals and ran it again. Among other files and keys it found %systemroot%\system32\drivers\gxvxccoirqrdbbmludjnkxymqlviubrpntsewq.sys; Symantec Antivirus recognized this as Backdoor.Tidserv and deleted the file right away.
Now I have gxvxckbwukgbivdnkftvjvtiwhdudomyhbqhe.dll and gxvxcxmynqhkymyqpxjrwwasfuoqbhtkiwsdd.dll files with 04.06.2009 as the last modification date (I didn't see these files earlier) and a gxvxccount file in the %systemroot%\system32 folder.

It seems I found the solution on your forum at the moment I was going to post the message: http://www.bleepingcomputer.com/forums/lof...hp/t229827.html. The issue is resolved now. Anyway, thanks for your forum :thumbup2:.
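The first two posts contain three machine-checkable indicators: the DNS servers in the TCP: lines of the DDS log (public addresses the user never configured), SERVICES/DRIVERS entries that DDS marked with [?] because it could not read the file, and a registry key whose value names are the binaries of security tools, which is consistent with ComboFix and Malwarebytes refusing to start. The script below is an added triage helper, not part of this thread and not a BleepingComputer or DDS tool; it parses DDS-style lines and a regedit .reg export and reports those indicators. The sample DDS lines and .reg text are constructed (modelled on what barmaglot posted), and the HKLM\SOFTWARE\ExampleApp key is made up as a benign control case.

```python
import ipaddress
import re

# Security-tool binary names, taken from the "disallowed" list posted above.
# A registry key listing several of them is a plausible process kill-list.
SECURITY_TOOLS = {
    "avp.exe", "klif.sys", "mrt.exe", "spybotsd.exe", "sasdifsv.sys",
    "saskutil.sys", "sasenum.sys", "superantispyware.exe", "szkg.sys",
    "szserver.exe", "mbam.exe", "mbamswissarmy.sys", "pctssvc.sys",
    "pctcore.sys", "mchinjdrv.sys", "avgfwdx.sys", "avgldx86.sys",
    "avgmfx86.sys", "avgrkx86.sys", "avgtdix.sys", "hijackthis.exe",
    "combofix.exe",
}

# Constructed sample DDS lines (TCP: and SERVICES/DRIVERS sections); not a real log.
SAMPLE_DDS = """\
TCP: NameServer = 85.255.112.61,85.255.112.172
TCP: {23C8707F-A631-4AAC-9724-A4BFF6C2D7D1} = 85.255.112.61,85.255.112.172
TCP: {29C6E45E-C3ED-4114-9252-89CCCBE153FB} = 192.168.1.1
R1 SAVRT;SAVRT;c:\\program files\\sav\\savrt.sys [2005-2-4 324232]
S2 pr2aqfgb;Tension Drivers Auto Removal (pr2aqfgb);c:\\windows\\system32\\pr2aqfgb.exe svc --> c:\\windows\\system32\\pr2aqfgb.exe svc [?]
R3 tap0801;TAP-Win32 Adapter V8;c:\\windows\\system32\\drivers\\tap0801.sys [2006-10-1 26624]
"""

# Constructed .reg export: the gxvxc key from post #2 plus a made-up benign key.
SAMPLE_REG = """\
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\gxvxc\\disallowed]
"avp.exe"=hex(0):
"mbam.exe"=hex(0):
"combofix.exe"=hex(0):
"hijackthis.exe"=hex(0):

[HKEY_LOCAL_MACHINE\\SOFTWARE\\ExampleApp\\Settings]
"mbam.exe"=hex(0):
"""

TCP_LINE = re.compile(r"^TCP: .* = ([\d.,]+)$", re.MULTILINE)
SVC_LINE = re.compile(r"^[RS]\d+ ([^;]+);[^;]*;(.*) \[\?\]$")
REG_KEY = re.compile(r"^\[(.+)\]$")
REG_VALUE = re.compile(r'^"([^"]+)"=')


def rogue_dns_servers(dds_text, trusted=()):
    """DNS servers from TCP: lines that are neither private (RFC 1918 etc.)
    nor in the caller's trusted list, sorted by address."""
    trusted_ips = {ipaddress.ip_address(t) for t in trusted}
    found = set()
    for match in TCP_LINE.finditer(dds_text):
        for addr in match.group(1).split(","):
            ip = ipaddress.ip_address(addr)
            if not ip.is_private and ip not in trusted_ips:
                found.add(ip)
    return [str(ip) for ip in sorted(found)]


def unverifiable_services(dds_text):
    """(service name, image path) for entries DDS marked [?]: the file could not
    be read. Some are leftovers of uninstalled software, others are missing or
    hidden binaries, so each needs a manual look rather than automatic removal."""
    result = []
    for line in dds_text.splitlines():
        match = SVC_LINE.match(line)
        if match:
            path = match.group(2).split("-->")[-1].strip()
            result.append((match.group(1), path))
    return result


def tool_blocklists(reg_text, min_hits=3):
    """Map registry key -> security-tool names among its value names, keeping
    only keys that list at least min_hits tools."""
    hits = {}
    current_key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = REG_KEY.match(line)
        if key:
            current_key = key.group(1)
            continue
        value = REG_VALUE.match(line)
        if value and current_key and value.group(1).lower() in SECURITY_TOOLS:
            hits.setdefault(current_key, []).append(value.group(1).lower())
    return {k: v for k, v in hits.items() if len(v) >= min_hits}


def triage(dds_text, reg_text, trusted=()):
    """Bundle the three checks into one report dict."""
    return {
        "rogue_dns": rogue_dns_servers(dds_text, trusted),
        "unverifiable_services": unverifiable_services(dds_text),
        "tool_blocklists": tool_blocklists(reg_text),
    }


if __name__ == "__main__":
    for section, findings in triage(SAMPLE_DDS, SAMPLE_REG).items():
        print(f"{section}: {findings}")
```

Pass the resolvers your ISP or router actually hands out in `trusted` so they are not reported; anything else that is public and unexpected deserves the same treatment the original poster gave the 85.255.112.x entries. The [?] check is deliberately a review list, not a verdict: in this thread the auto-removal services for copy-protection drivers are harmless leftovers.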

#3 Net_Surfer

Net_Surfer

  • Banned
  • 2,154 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:01 PM

Posted 15 June 2009 - 03:57 AM

Hello and :thumbup2: to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.


Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

-----------------------------------------------------------

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Kind regards
Net_Surfer

:)

#4 barmaglot

barmaglot
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:09:01 AM

Posted 16 June 2009 - 05:27 AM

Hello, Net_Surfer.
Thanks for your reply.
As I wrote in my previous post, I found the topic with the same problem on your forum. My AV managed to detect and delete the virus. It seems that my PC is clear now; malware removal tools are able to run and Google links are not redirected anymore.

#5 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,801 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:01:01 AM

Posted 16 June 2009 - 05:11 PM

Hello,

Thank you for posting back. I'm glad that your computer issues seem to be resolved. Please note, however, that following disinfection instructions written for one computer on a different computer can cause serious problems, just as someone receiving surgery that was prescribed for someone else. Also, just because symptoms are gone doesn't mean the infection is.

Since this issue seems to be resolved, this thread will now be closed.

In case you experience any problems with the computer, please start a new topic.

Happy computing,

Orange Blossom :thumbup2: