
Baffled-How do I remove this?


This topic is locked
7 replies to this topic

#1 tripnbili

  • Members
  • 7 posts

Posted 07 June 2009 - 12:50 PM

Ok, here's the deal. I contracted some type of virus. When I would Google something and click on a result, I would be redirected. Also, this bug caused my internal DVD-RW drive to not be recognized. I have a Sony VAIO VGN-NR110E, running Vista Home Premium.

Originally, the bug would not allow me to run Malwarebytes, or properly install any trustworthy anti-virus programs. Through some research, I was finally able to get Malwarebytes to run by changing some file names and extensions. It removed something like 6 files which were infected. I even ran it in safe mode and normal mode.

Whatever this thing is, it's still there. I am still redirected from Google and other search engines. My DVD-RW drive is not recognized. I am unable to burn any data from the hard drive (and that's fine with me).

What should I do? I am considering re-formatting the hard drive, but will that take care of it? What do I need to do this? I've never done it before. I have included the log from Malwarebytes too, in case it helps. Thank you so much.

***************************************************************************************************************

Malwarebytes' Anti-Malware 1.37
Database version: 2241
Windows 6.0.6001 Service Pack 1

6/6/2009 16:24:20
mbam-log-2009-06-06 (16-24-20).txt

Scan type: Full Scan (C:\|)
Objects scanned: 218546
Time elapsed: 42 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.76,85.255.112.176 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c9eaf00d-0970-4370-aa7a-9a64373d0148}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.76,85.255.112.176 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.76,85.255.112.176 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{c9eaf00d-0970-4370-aa7a-9a64373d0148}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.76,85.255.112.176 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.76,85.255.112.176 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{c9eaf00d-0970-4370-aa7a-9a64373d0148}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.76,85.255.112.176 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\Owner\favorites\Free Porn pictures and movies galleries.url (Rogue.Link) -> Quarantined and deleted successfully.
c:\Users\Owner\AppData\Local\Temp\[isoHunt] Malwarebytes' Anti-Malware 1.32[MULTI][serial].torrent (Dont.Steal.Our.Software) -> Quarantined and deleted successfully.
c:\RECYCLER\S-3-9-66-100024386-100011667-100031832-8430.com (Trojan.Agent) -> Quarantined and deleted successfully.


#2 tripnbili

  • Topic Starter
  • Members
  • 7 posts

Posted 07 June 2009 - 04:10 PM

Ok, more info if needed:

I just bought this laptop from a friend, and any data on it is useless to me. I'm willing to re-format. I ran GMER and here is the log:


GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-07 03:24:04
Windows 6.0.6001 Service Pack 1


---- System - GMER 1.0.15 ----

Code 85B79518 ZwEnumerateKey
Code 85B6E340 ZwFlushInstructionCache
Code 85AF4395 IofCallDriver
Code 85B9E30E IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCompleteRequest 82085FE2 5 Bytes JMP 85B9E313
.text ntkrnlpa.exe!IofCallDriver 82107F6F 5 Bytes JMP 85AF439A
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 821FE30B 5 Bytes JMP 85B6E344
PAGE ntkrnlpa.exe!ZwEnumerateKey 82253BA2 5 Bytes JMP 85B7951C
? system32\DRIVERS\CDAVFS.sys The system cannot find the path specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\gxvxcyesjmhetjtnbiwligswumwrpxbmsivag.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [888] 0x10000000

---- Services - GMER 1.0.15 ----

Service C:\Windows\system32\drivers\gxvxcnvtstoeixwsrxmimciqjrmtakqpefsyv.sys (*** hidden *** ) [SYSTEM] gxvxcserv.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys@imagepath \systemroot\system32\drivers\gxvxcnvtstoeixwsrxmimciqjrmtakqpefsyv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys\modules@gxvxcserv \\?\globalroot\systemroot\system32\drivers\gxvxcnvtstoeixwsrxmimciqjrmtakqpefsyv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys\modules@gxvxcl \\?\globalroot\systemroot\system32\gxvxcyesjmhetjtnbiwligswumwrpxbmsivag.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys\modules@gxvxcclk \\?\globalroot\systemroot\system32\gxvxcilvbqoscmpnqnoxrboksudhscrarwycp.dll
Reg HKLM\SYSTEM\ControlSet003\Services\gxvxcserv.sys
Reg HKLM\SYSTEM\ControlSet003\Services\gxvxcserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\gxvxcserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\gxvxcserv.sys@imagepath \systemroot\system32\drivers\gxvxcnvtstoeixwsrxmimciqjrmtakqpefsyv.sys
Reg HKLM\SYSTEM\ControlSet003\Services\gxvxcserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\gxvxcserv.sys\modules
Reg HKLM\SYSTEM\ControlSet003\Services\gxvxcserv.sys\modules@gxvxcserv \\?\globalroot\systemroot\system32\drivers\gxvxcnvtstoeixwsrxmimciqjrmtakqpefsyv.sys
Reg HKLM\SYSTEM\ControlSet003\Services\gxvxcserv.sys\modules@gxvxcl \\?\globalroot\systemroot\system32\gxvxcyesjmhetjtnbiwligswumwrpxbmsivag.dll
Reg HKLM\SYSTEM\ControlSet003\Services\gxvxcserv.sys\modules@gxvxcclk \\?\globalroot\systemroot\system32\gxvxcilvbqoscmpnqnoxrboksudhscrarwycp.dll

---- Files - GMER 1.0.15 ----

File C:\Windows\System32\drivers\gxvxcnvtstoeixwsrxmimciqjrmtakqpefsyv.sys 48128 bytes executable <-- ROOTKIT !!!
File C:\Windows\System32\gxvxccount 4 bytes
File C:\Windows\System32\gxvxcilvbqoscmpnqnoxrboksudhscrarwycp.dll 27649 bytes executable
File C:\Windows\System32\gxvxcyesjmhetjtnbiwligswumwrpxbmsivag.dll 22529 bytes executable

---- EOF - GMER 1.0.15 ----

#3 tripnbili

  • Topic Starter
  • Members
  • 7 posts

Posted 07 June 2009 - 07:57 PM

I tried SUPERAntiSpyware as well. The log is below. Even in safe mode, this bug is trying to prevent any virus removal program from functioning. Every tool I have used, I have had to rename the installation file and the main executable file. This is really pissing me off.

SOMEONE PLEASE HELP!


****************************************************************************

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/07/2009 at 06:54 AM

Application Version : 4.26.1004

Core Rules Database Version : 3910
Trace Rules Database Version: 1854

Scan type : Complete Scan
Total Scan Time : 01:13:38

Memory items scanned : 282
Memory threats detected : 0
Registry items scanned : 8236
Registry threats detected : 1
File items scanned : 124702
File threats detected : 8

Adware.ShopAtHomeSelect
HKU\S-1-5-21-1518616603-2995173145-76309287-1002\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E8DAAA30-6CAA-4B58-9603-8E54238219E2}

Adware.Tracking Cookie
C:\Users\joey\AppData\Roaming\Microsoft\Windows\Cookies\Low\joey@2o7[1].txt
C:\Users\joey\AppData\Roaming\Microsoft\Windows\Cookies\Low\joey@atdmt[1].txt
C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Cookies\Low\owner@2o7[1].txt
C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Cookies\Low\owner@admarketplace[1].txt
C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Cookies\Low\owner@ads.bleepingcomputer[2].txt
C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Cookies\Low\owner@atdmt[2].txt
C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Cookies\Low\owner@bridge1.admarketplace[1].txt
C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Cookies\Low\owner@theclickcheck[2].txt

#4 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,035 posts
  • Gender:Male
  • Location:NJ USA

Posted 07 June 2009 - 09:06 PM

Hello. This is a serious rootkit bringing in a lot of backdoor malware. So I will say this first.

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.



If you want to try cleaning ...
ROOTREPEAL

Next, please install RootRepeal.

Go HERE and download RootRepeal.zip to your Desktop.
Tutorial with images, if needed >> L@@K.
Unzip that (7-zip tool if needed) and then click RootRepeal.exe to open the scanner.
Next click on the Report tab, now click on Scan. A Window will open asking what to include in the scan. Check all of the below and then click OK.

Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services


Now you'll be asked which drive to scan. Check C: and click OK again and the scan will start. Please be patient as the scan runs. When the scan has finished, click on Save Report.
Name the log RootRepeal.txt and save it to your Documents folder (it should automatically save it there).
Please copy and paste that into your next reply.

#5 tripnbili

  • Topic Starter
  • Members
  • 7 posts

Posted 07 June 2009 - 09:41 PM

Tried RootRepeal. The bug won't allow it to run. The log is below. I tried renaming the executable and then running it. The result said the driver couldn't be found.



ROOTREPEAL CRASH REPORT
-------------------------
Exception Code: 0xc0000094
Exception Address: 0x004f3399

#6 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,035 posts
  • Gender:Male
  • Location:NJ USA

Posted 07 June 2009 - 10:14 PM

Quoting tripnbili: "I just bought this laptop from a friend, and any data on it is useless to me. I'm willing to re-format."

Not an unwise decision to make. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. Wiping your drive, reformatting, and performing a clean install of the OS or doing a factory restore removes everything and is the safest action but I cannot make that decision for you.

Reformatting a hard disk deletes all data. If you decide to reformat, you can back up all your important documents, data files and photos. The safest practice is not to back up any autorun.ini or .exe files because they may be infected. Some types of malware may disguise themselves by adding and hiding their extension after the existing extension of files, so be sure you take a close look at the full name. After reformatting, as a precaution, make sure you scan these files with your anti-virus prior to copying them back to your hard drive.

The best procedure is a low level format. This completely wipes the drive. Then reinstall the OS.
Use the free version of Active@ KillDisk.
Or Darik's Boot And Nuke.

The best sources of information on this are:
Reformatting Windows XP
Michael Stevens Tech

Of course also feel free to ask anything on this in the XP forum. They'd be glad to help.
==============================
2 guidelines/rules when backing up

1) Back up all your important data files, pictures, music, work etc... and save them onto an external hard drive. These files usually include .doc, .txt, .mp3, .jpg etc...
2) Do not back up any executable files or any Windows files. These include .exe's, .scr, .com, .pif etc... as they may contain traces of malware. Also, .html or .htm files that are webpages should be avoided.
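The two backup rules in the post above and the earlier warning about hidden double extensions, turned into a pre-reformat file filter. This is an added example, not the moderator's or any tool's own code: the extension lists are the ones the post names; the whitespace-padding check, the `classify_for_backup`/`plan_backup` names and the sample file listing are my assumptions.

```python
import ntpath
import re
from typing import Dict, List, Tuple

# From the post: data types normally safe to carry over.
SAFE_EXTENSIONS = {".doc", ".txt", ".mp3", ".jpg"}
# From the post: executables and web pages that must stay behind.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".html", ".htm"}

def split_extensions(filename: str) -> List[str]:
    """Every extension in the name, lowercased: 'a.jpg.exe' -> ['.jpg', '.exe']."""
    # Explorer hides known extensions by default, so 'a.jpg.exe' displays as
    # 'a.jpg'; reading the whole chain is what 'look at the full name' means.
    base = ntpath.basename(filename)  # ntpath: Windows paths split on any host
    return ["." + p.strip().lower() for p in base.split(".")[1:]]

def classify_for_backup(filename: str) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'keep', 'skip' or 'review'."""
    base = ntpath.basename(filename)
    exts = split_extensions(filename)
    if not exts:
        return "review", "no extension"
    # Assumed extra check (not in the post): whitespace before the final dot
    # pushes the real extension out of a narrow Explorer column.
    if re.search(r"\s\.[^.]*$", base):
        return "skip", "whitespace padding hides the real extension"
    real_ext = exts[-1]  # the extension Windows actually acts on
    if real_ext in BLOCKED_EXTENSIONS:
        if len(exts) > 1:
            return "skip", f"double extension: shown as {exts[-2]}, really {real_ext}"
        return "skip", f"executable or web file ({real_ext})"
    hidden = [e for e in exts[:-1] if e in BLOCKED_EXTENSIONS]
    if hidden:
        return "review", f"possible renamed program (earlier extension {hidden[0]})"
    if real_ext in SAFE_EXTENSIONS:
        return "keep", f"data file ({real_ext})"
    return "review", f"unlisted extension ({real_ext})"

def plan_backup(filenames: List[str]) -> Dict[str, List[str]]:
    """Group a candidate listing by verdict so the 'skip' set is visible at a glance."""
    plan: Dict[str, List[str]] = {"keep": [], "skip": [], "review": []}
    for name in filenames:
        plan[classify_for_backup(name)[0]].append(name)
    return plan

if __name__ == "__main__":
    # Constructed sample listing, not taken from the thread.
    sample = [r"C:\Users\Owner\Documents\thesis.doc",
              r"C:\Users\Owner\Pictures\holiday.jpg.exe",
              r"C:\Users\Owner\Desktop\photo.jpg      .scr",
              r"C:\Users\Owner\Downloads\invoice.exe.txt",
              r"C:\Users\Owner\Documents\budget.xlsx"]
    for verdict, names in plan_backup(sample).items():
        print(verdict, names)
```

Anything in the "review" bucket is worth opening the file properties for rather than guessing from the icon, which is exactly the check the post asks for.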

#7 tripnbili

  • Topic Starter
  • Members
  • 7 posts

Posted 07 June 2009 - 10:28 PM

I am seriously considering the reformat. You referenced XP, however I'm using Vista. I backed up all my drivers to a flash drive the other day, and am afraid to use it, as it may contain the bug, therefore transferring it to my system again after the reformat. I will reformat; quick and easy question though. Do I need anything other than a clean version of my Vista OS? Drivers etc?

#8 Orange Blossom

    OBleepin Investigator

  • Moderator
  • 36,911 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 08 June 2009 - 03:33 AM

Hello,

I see that you have posted a log here: http://www.bleepingcomputer.com/forums/topic232350.html. I'm not sure why you decided to do that when you were going to reformat. Nonetheless, now that you have a log posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. It may be a couple weeks before you get a response. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond. Please be patient.

It may take a while to get a response, but your log will be reviewed and answered as soon as possible.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup: