
UNKNOWN ROOTKIT -- ROOTREPEAL RESISTANT


  • This topic is locked
20 replies to this topic

#1 pjvex86

pjvex86

  • Members
  • 41 posts
  • OFFLINE
  • Local time:09:19 PM

Posted 05 July 2009 - 07:26 PM

Attached to this post is a zipped version of attach.txt.

Below is the DDS LOG:


DDS (Ver_09-06-26.01) - NTFSx86
Run by Administrator at 19:09:27.14 on Sun 07/05/2009
Internet Explorer: 7.0.6000.16386 BrowserJavaVersion: 1.6.0_14
Microsoft® Windows Vista™ Ultimate 6.0.6000.0.1252.1.1033.18.2813.1967 [GMT 5.5:30]

AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
SP: Spybot - Search and Destroy *enabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: Kaspersky Internet Security *disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_e7ea6efc\STacSV.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_e7ea6efc\aestsrv.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\IDT\WDM\sttray.exe
c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe
C:\Program Files\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\rundll32.exe
C:\Users\Administrator\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2010\ievkbd.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [TSMAgent] "c:\program files\hewlett-packard\touchsmart\media\TSMAgent.exe"
mRun: [CLMLServer for HP TouchSmart] "c:\program files\hewlett-packard\touchsmart\media\kernel\clml\CLMLSvc.exe"
mRun: [SpybotSnD] "c:\program files\spybot - search & destroy\SpybotSD.exe" /autofix
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2010\avp.exe"
mPolicies-system: ConsentPromptBehaviorAdmin = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorUser = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableVirtualization = 0 (0x0)
dPolicies-explorer: NoSMHelp = 1 (0x1)
IE: &NeoTrace It! - c:\progra~1\neotra~1\NTXcontext.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office11\EXCEL.EXE/3000
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office11\REFIEBAR.DLL
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd.dll,c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll,c:\progra~1\kasper~1\kasper~1\kloehk.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\admini~1\appdata\roaming\mozilla\firefox\profiles\nuwe88qb.default\
FF - component: c:\program files\mozilla firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-12-15 33808]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\drivers\klim6.sys [2009-5-15 21008]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\driverstore\filerepository\stwrt.inf_e7ea6efc\AEstSrv.exe [2009-7-4 77824]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-5-16 19472]
R3 usbfilter;AMD USB Filter Driver;c:\windows\system32\drivers\usbfilter.sys [2009-7-4 22072]
S0 OemBiosDevice;Royalty OEM Bios Extension;c:\windows\system32\drivers\royal.sys [2009-7-3 240128]
S3 CSNPD51;CSNPD51 NDIS Protocol Driver;c:\windows\system32\drivers\CSNPD51.sys [2009-7-5 27800] [<<<<---- NOTE: This is a driver or a wrapper used by Colasoft Capsa]
S3 CSNPD51a64;CSNPD51a64 NDIS Protocol Driver;c:\windows\system32\drivers\CSNPD51a64.sys [2009-7-5 42520] [<<<<---- NOTE: This is a driver or a wrapper used by Colasoft Capsa]
S3 gg;gg;c:\windows\system32\drivers\gg.sys [2009-7-5 33280]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-7 34064]

=============== Created Last 30 ================

2009-07-05 16:05 376 a------- c:\windows\ODBC.INI
2009-07-05 16:05 <DIR> --d----- c:\program files\Microsoft ActiveSync
2009-07-05 16:05 <DIR> --d----- c:\windows\PCHEALTH
2009-07-05 16:04 410,984 a------- c:\windows\system32\deploytk.dll
2009-07-05 14:59 33,280 a------- c:\windows\system32\drivers\gg.sys
2009-07-05 14:58 458,240 a------- C:\abc.exe [NOTE: THIS FILE IS ACTUALLY ROOTREPEAL, I RENAMED IT BEFORE RUNNING]
2009-07-05 14:19 <DIR> --d----- C:\!KillBox
2009-07-05 10:18 <DIR> --d----- c:\users\admini~1\appdata\roaming\X-NetStat
2009-07-05 10:18 <DIR> --d----- c:\program files\X-NetStat Professional
2009-07-05 07:14 3,045,704 a------- C:\porncleaner.exe [NOTE THIS FILE IS ACTUALLY COMBOFIX, I RENAMED IT BEFORE RUNNING]
2009-07-05 06:15 <DIR> --d----- c:\program files\NeoTracePro
2009-07-05 06:06 604,140 a--sh--- c:\windows\system32\drivers\ISwift3.dat
2009-07-05 06:03 105,395 a------- c:\windows\system32\drivers\klin.dat
2009-07-05 06:03 94,643 a------- c:\windows\system32\drivers\klick.dat
2009-07-05 06:02 <DIR> --d----- c:\programdata\Kaspersky Lab
2009-07-05 06:02 <DIR> --d----- c:\program files\Kaspersky Lab
2009-07-05 06:02 <DIR> --d----- c:\progra~2\Kaspersky Lab
2009-07-05 06:01 <DIR> --d----- c:\programdata\Kaspersky Lab Setup Files
2009-07-05 06:01 <DIR> --d----- c:\progra~2\Kaspersky Lab Setup Files
2009-07-05 04:58 <DIR> --d----- c:\users\admini~1\appdata\roaming\Colasoft Capsa
2009-07-05 04:58 <DIR> --d----- c:\program files\common files\Software FX Shared
2009-07-05 04:58 <DIR> --d----- c:\program files\common files\Colasoft Shared
2009-07-05 04:33 <DIR> --d----- c:\windows\Downloaded Installations
2009-07-05 04:14 110,136 a------- c:\windows\system32\drivers\ataport.sys
2009-07-05 04:14 45,112 a------- c:\windows\system32\drivers\pciidex.sys
2009-07-05 04:14 28,216 a------- c:\windows\system32\drivers\msahci.sys
2009-07-05 04:14 21,560 a------- c:\windows\system32\drivers\atapi.sys
2009-07-05 04:14 15,928 a------- c:\windows\system32\drivers\pciide.sys
2009-07-05 04:14 <DIR> --d----- c:\program files\Malware Avenger
2009-07-05 04:14 619,008 a------- c:\windows\system32\drivers\dxgkrnl.sys
2009-07-05 04:14 36,864 a------- c:\windows\system32\cdd.dll
2009-07-05 04:13 319,488 a------- c:\windows\system32\imapi2.dll
2009-07-05 04:12 224,824 a------- c:\windows\system32\clfs.sys
2009-07-05 04:11 0 a--shr-- c:\windows\system32\drivers\103C_HP_cNB_Pavilion dv4 Notebook PC_Y5335KV_0U_QCND8520TXJ_EU_4A_I30FB_SCompal_V01.9A_F.45_T090420_WV1-0_L409_M2814_J320_7AMD_8F31_92.10_#090705_N10EC8136;14E44315_(NB200UA#ABA)_XMOBILE_CN10_Z_21_G10029612.MRK
2009-07-05 04:09 <DIR> --d----- c:\programdata\Google
2009-07-05 02:40 <DIR> --d----- c:\programdata\Spybot - Search & Destroy
2009-07-05 02:40 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-07-05 02:40 <DIR> --d----- c:\progra~2\Spybot - Search & Destroy
2009-07-05 02:33 <DIR> --d----- c:\users\admini~1\appdata\roaming\Malwarebytes
2009-07-05 02:33 <DIR> --d----- c:\programdata\Malwarebytes
2009-07-05 02:33 <DIR> --d----- c:\progra~2\Malwarebytes
2009-07-04 19:56 <DIR> --d----- c:\program files\WinPcap
2009-07-04 19:56 <DIR> --d----- c:\program files\Nmap
2009-07-04 19:55 <DIR> --d----- c:\program files\Metasploit
2009-07-04 19:07 <DIR> --d----- c:\program files\Nsasoft
2009-07-04 18:37 <DIR> --d----- c:\programdata\Hewlett-Packard
2009-07-04 18:35 <DIR> --d----- c:\programdata\CyberLink
2009-07-04 18:35 1,233,920 a------- c:\windows\system32\msxml4.dll
2009-07-04 18:35 82,432 a------- c:\windows\system32\msxml4r.dll
2009-07-04 18:35 44,544 a------- c:\windows\system32\msxml4a.dll
2009-07-04 18:35 <DIR> --d----- c:\program files\HP
2009-07-04 18:35 1,060,864 -------- c:\windows\system32\MFC71.dll
2009-07-04 18:35 89,088 -------- c:\windows\system32\atl71.dll
2009-07-04 18:34 <DIR> --d----- c:\programdata\Temp
2009-07-04 18:11 22,072 a------- c:\windows\system32\drivers\usbfilter.sys
2009-07-04 18:11 <DIR> --d----- c:\program files\AMD
2009-07-04 18:11 885,782 a------- c:\windows\system32\oem6.inf
2009-07-04 18:11 <DIR> --d----- c:\windows\system32\no-NO
2009-07-04 18:10 91,376 a------- c:\windows\system32\bcmwlcoi.dll
2009-07-04 18:10 6,656 a------- c:\windows\system32\bcmwlrc.dll
2009-07-04 18:10 3,858,432 a------- c:\windows\system32\bcmihvsrv.dll
2009-07-04 18:10 3,538,944 a------- c:\windows\system32\bcmihvui.dll
2009-07-04 18:10 1,880,056 a------- c:\windows\system32\drivers\BCMWL6.SYS
2009-07-04 18:10 <DIR> --d----- c:\program files\Broadcom
2009-07-04 18:09 873,310 a------- c:\windows\system32\oem5.inf
2009-07-04 00:47 <DIR> --d----- c:\program files\IDT
2009-07-04 00:47 376,832 a------- c:\windows\system32\aestecap.dll
2009-07-04 00:47 133,632 a------- c:\windows\system32\aestacap.dll
2009-07-04 00:47 53,248 a------- c:\windows\system32\aestaren.dll
2009-07-04 00:47 532,480 a------- c:\windows\system32\idtmini1.exe
2009-07-04 00:47 73,728 a------- c:\windows\system32\AESTCom.dll
2009-07-04 00:47 15,222 a------- c:\windows\system32\nbspkrs.ico
2009-07-04 00:47 3,774 a------- c:\windows\system32\bltinmic.ico
2009-07-04 00:47 3,774 a------- c:\windows\system32\2hps.ico
2009-07-04 00:47 10,641,500 a------- c:\windows\system32\idtcpl.cpl
2009-07-04 00:47 2,875,392 a------- c:\windows\system32\stlang.dll
2009-07-04 00:47 446,556 a------- c:\windows\sttray.exe
2009-07-04 00:47 <DIR> --d----- c:\windows\system32\SRSLabs
2009-07-04 00:46 168,960 a------- c:\windows\system32\staco.dll
2009-07-04 00:46 671,744 a------- c:\windows\system32\stapo.dll
2009-07-04 00:46 427,008 a------- c:\windows\system32\stapi32.dll
2009-07-04 00:46 404,480 a------- c:\windows\system32\stcplx.dll
2009-07-04 00:46 389,120 a------- c:\windows\system32\drivers\stwrt.sys
2009-07-04 00:44 <DIR> --d----- c:\program files\VideoLAN
2009-07-04 00:14 <DIR> --d----- c:\programdata\ATI
2009-07-04 00:14 0 a------- c:\windows\ativpsrm.bin
2009-07-04 00:09 <DIR> --d----- c:\program files\ATI
2009-07-04 00:09 <DIR> --d----- c:\program files\ATI Technologies
2009-07-04 00:09 <DIR> --dsh--- c:\windows\Installer
2009-07-03 23:34 24,832 a------- c:\windows\system32\drivers\CSTDI50.sys
2009-07-03 23:32 <DIR> --d----- c:\users\admini~1\appdata\roaming\Colasoft Packet Builder
2009-07-03 22:32 1,047,552 a------- c:\windows\system32\mfc71u.dll
2009-07-03 22:32 499,712 a------- c:\windows\system32\msvcp71.dll
2009-07-03 22:32 348,160 a------- c:\windows\system32\msvcr71.dll
2009-07-03 22:32 <DIR> --d----- c:\program files\Colasoft Capsa 6.9 EE
2009-07-03 22:29 <DIR> --d----- c:\windows\WinRAR
2009-07-03 22:25 <DIR> --d----- c:\program files\uTorrent
2009-07-03 22:25 <DIR> --d----- c:\users\admini~1\appdata\roaming\uTorrent
2009-07-03 21:59 118,784 a------- c:\windows\system32\drivers\Rtlh86.sys
2009-07-03 21:59 <DIR> --d----- c:\program files\Realtek
2009-07-03 21:59 <DIR> --d----- C:\swsetup
2009-07-03 21:41 <DIR> --d----- c:\windows\Panther
2009-07-03 21:41 438,840 a--shr-- C:\bootmgr
2009-07-03 21:41 <DIR> --dsh--- C:\Boot
2009-07-03 20:50 240,128 a------- c:\windows\system32\drivers\royal.sys
2009-07-03 20:50 <DIR> --d----- c:\users\Administrator
2009-07-03 20:42 239,025,313 a------- c:\windows\DUMP5b0a.tmp
2009-07-03 20:42 195,402,593 a------- c:\windows\DUMP41df.tmp

==================== Find3M ====================

2009-07-05 06:03 86,016 a------- c:\windows\inf\infstrng.dat
2009-07-05 06:03 86,016 a------- c:\windows\inf\infstor.dat
2009-07-05 06:03 51,200 a------- c:\windows\inf\infpub.dat
2009-07-05 04:21 665,600 a------- c:\windows\inf\drvindex.dat
2009-07-05 04:15 163,384 a------- c:\windows\system32\halmacpi.dll
2009-07-05 04:15 137,272 a------- c:\windows\system32\halacpi.dll
2009-05-25 05:21 219,664 a------- c:\windows\system32\klogon.dll
2009-05-25 05:18 27,507 a------- c:\windows\system32\drivers\klopp.dat
2009-05-24 15:30 128,016 a------- c:\windows\system32\drivers\kl1.sys
2009-05-16 20:59 19,472 a------- c:\windows\system32\drivers\klmouflt.sys
2009-05-15 18:50 21,008 a------- c:\windows\system32\drivers\klim6.sys
2006-11-02 18:19 174 a--sh--- c:\program files\desktop.ini

============= FINISH: 19:09:52.07 ===============

Attached Files


Edited by pjvex86, 05 July 2009 - 07:42 PM.



#2 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,211 posts
  • ONLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:11:19 PM

Posted 05 July 2009 - 08:41 PM

Hi, pjvex86 :thumbup2:

Welcome.

Download This file. Note its name and save it to your root folder, such as C:\.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
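The Results.log that this procedure produces has the same layout as the GMER output pasted later in this thread: a "System" section with bare code addresses, "Kernel code sections" entries whose `JMP` targets may or may not be attributed to a driver, and user-mode IAT entries. As an added example, not part of any post here and not GMER's own code, the following Python script parses lines of that shape and separates hooks whose target GMER could map to a named module from hooks that land in unattributed memory. The sample log lines are constructed, the regular expressions encode my reading of the GMER text format (the trailing `module (description/vendor)` attribution in particular is an assumption), and the severity heuristic is mine rather than anything the tool or the helper states.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample lines modeled on GMER 1.0.15 output; the paths, PIDs and
# addresses are placeholders, not the log posted in this thread.
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----

Code 86A00518 ZwEnumerateKey

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCompleteRequest 81C3BFE2 5 Bytes JMP 86A123D3
PAGE ntkrnlpa.exe!ZwEnumerateKey 81E09BA2 5 Bytes JMP 86A0051C
.text ntkrnlpa.exe!ZwOpenKey 81DB10A0 5 Bytes JMP 8F4A2BC0 \SystemRoot\system32\drivers\example_av.sys (Example AV Filter/Example Corp)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Example\app.exe[1788] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Example\helper.dll (Example Helper/Example Corp)
IAT C:\Program Files\Example\app.exe[1788] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [0A1B2C3D]
"""

# Optional trailing "<owner module> (<description>/<vendor>)" that GMER appends
# when a hook target lies inside a loaded module (format assumed from observed logs).
_OWNER = r"(?:\s+(?P<owner>\S.*?))?(?:\s+\((?P<desc>[^)]*)\))?\s*$"

CODE_RE = re.compile(r"^Code\s+(?P<target>[0-9A-Fa-f]{8})\s+(?P<func>\S+)\s*$")
KERNEL_RE = re.compile(
    r"^(?P<section>\S+)\s+(?P<module>[^!\s]+)!(?P<func>\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<nbytes>\d+)\s+Bytes\s+"
    r"(?P<kind>JMP|CALL)\s+(?P<target>[0-9A-Fa-f]{8})" + _OWNER
)
IAT_RE = re.compile(
    r"^IAT\s+(?P<process>.+?\[\d+\])\s+@\s+(?P<library>.+?)\s+"
    r"\[(?P<symbol>[^\]]+)\]\s+\[(?P<target>[0-9A-Fa-f]{8})\]" + _OWNER
)


@dataclass
class Finding:
    kind: str             # "kernel-code", "kernel-inline" or "user-iat"
    location: str         # what was hooked
    target: str           # hex address the hook redirects to
    owner: Optional[str]  # module GMER attributed the target to, if any
    severity: str         # "high" or "info"
    reason: str


def _rate(owner: Optional[str], desc: Optional[str]):
    """Heuristic (my own, not GMER's): a hook target GMER could not map to any
    loaded module is code living in anonymous memory and deserves a closer
    look; an attributed target still needs a check that the owning module is
    expected on this host."""
    if owner is None:
        return "high", "target not attributed to any loaded module"
    vendor = desc.rsplit("/", 1)[-1] if desc else "unknown vendor"
    return "info", f"target inside {owner} ({vendor}); confirm this module is expected"


def parse_gmer(text: str) -> List[Finding]:
    """Turn GMER log text into Finding records; unknown lines are skipped."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("----"):
            continue
        m = CODE_RE.match(line)
        if m:
            findings.append(Finding("kernel-code", m["func"], m["target"], None, "high",
                                    f"kernel entry for {m['func']} points to code outside any module"))
            continue
        m = IAT_RE.match(line)
        if m:
            sev, why = _rate(m["owner"], m["desc"])
            findings.append(Finding("user-iat", f"{m['symbol']} in {m['process']}",
                                    m["target"], m["owner"], sev, why))
            continue
        m = KERNEL_RE.match(line)
        if m:
            sev, why = _rate(m["owner"], m["desc"])
            findings.append(Finding("kernel-inline", f"{m['module']}!{m['func']}",
                                    m["target"], m["owner"], sev, why))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity, e.g. {'high': 4, 'info': 2} for SAMPLE_LOG."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    results = parse_gmer(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:4}] {f.kind:13} {f.location} -> {f.target}: {f.reason}")
    print(summarize(results))
```

To use it on a real scan, call `parse_gmer(open("Results.log", encoding="utf-8", errors="replace").read())`. The split it makes is the one an analyst makes by eye: a hook whose target sits in a named module with a vendor string (an anti-virus filter driver, a diagnostics helper) is usually legitimate software that should be confirmed and then set aside, whereas a `JMP` into memory that belongs to no module at all is the pattern the helper is asking to see in the log. Attribution is only a first filter, not proof either way, which is why the instructions above ask for the full log rather than a yes/no answer.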


#3 pjvex86

pjvex86
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  • Local time:09:19 PM

Posted 06 July 2009 - 04:19 AM

Thank you very much J.. I like your avatar. Very cool.

I will follow your instructions immediately...

One question though, since I am a "teach a man to fish" kinda guy, and since I have learned so much about too many topics to count already in my battle with this bug, I would really appreciate it if you might add a little narrative as to what you are exactly doing. To wit: what you have gleaned from the DDS diagnostic (if anything...and btw, that's quite a little clever masquerade of a diagnostic app), any insights or speculations you might have and why, and perhaps what it is I am actually doing next (and why). I assume this isn't top secret stuff, and I am not asking for source code.... I just want to gain some knowledge. Knowledge is power after all. :thumbup2:

Oh and I am also asking because I tried to apply for your malware removal training program, but appears "all slots are full".

Paul

Edited by pjvex86, 06 July 2009 - 04:37 AM.


#4 pjvex86

pjvex86
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  • Local time:09:19 PM

Posted 06 July 2009 - 07:52 AM

OK. Good news and bad news... But the good news hopefully will ultimately lead to solving this problem.

First, I might have caused some confusion, but I do not think it will prove to be too significant. My original post in the "Am I infected?" forum explains everything... essentially, I have an infected laptop and my dad's laptop, which he loaned to me, became infected from my laptop/my actions (what I did to infect it, to spread the rootkit to it, was boot it with a linux LIVE CD. The CD in question was downloaded and burned on my infected laptop. I mistakenly thought since it was a Live CD, that its self-contained operating system would not be writing to the boot-sector of his hard-drive, or anything like that....I thought as long as I cleared the RAM by completely powering off before booting I wouldn't spread any infection that might be on the Linux CD to his laptop. Well, apparently I was wrong as his laptop soon showed several of the same tell-tale signs that mine does.

Now the upside to this--as explained in my original post--is that my dad's laptop had a Trend Micro AV/Firewall app installed BEFORE I accidentally infected it, and on one of its scans, it found some key component of the rootkit, and now his laptop is constantly showing the SKYNET error (as detailed in my first post). My laptop, on the other hand, is so thoroughly infected, if I did not have the knowledge I do (given that I have a bit of a hacker/pen-tester mindset), I would never have noticed nor cared that my laptop suddenly showed 4 new IPv6 addresses in the routing table, nor that I could clearly see I was no longer a stand-alone workstation but part of an Active Domain, etc.

On my dad's laptop, this rootkit was effectively "injured" making it much more vulnerable. I have kept the laptop off the internet to the best of my ability. "To the best of my ability" means it is 8 feet from any ethernet connection, and the wireless button is "off" and glowing amber. However, I know that a) the color of the wireless button does not necessarily mean it has no wireless capability, and b) this bug (as stated earlier) uses connectionless and low-to-no configuration protocols to communicate (IPv6, UDP, 6to4, SSDP, UDP or ICMP over HTTP... the list is endless), so all bets are off. But by not connecting it directly to an ethernet cable, I know I am doing the smartest thing to keep it in the best "injured" state possible.

OK, first, the DDS results I posted above were actually from my laptop. Just to be clear... My laptop is not showing the SKYNET error. However, I did run DDS on my dad's laptop (the laptop showing the SKYNET error every 2 seconds). Further, I have now run the GMER diagnostic scanning utility on both laptops. My dad's laptop reported clearly several infected files. Mine, unfortunately, did not (see below). Whatever is infecting my machine is really embedded and concealed quite well. However--and this is my guess as to why the internet connection is dangerous -- my laptop has been online almost continuously (I am typing from it as we speak), with only a crippled/thoroughly hooked Kaspersky firewall/AV application running on it.

What I am hoping is that we can take what we learn from these diagnostics on the rootkit (since it is "injured" and therefore for some reason unable to hide itself to the same degree as the rootkit that spawned it and is infesting my laptop), and apply this knowledge in some way to my laptop since we are dealing with essentially the same rootkit (though I realize it may be altered in name and/or location).

So... here is the good news. The GMER results from my dad's laptop:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-06 04:19:45
Windows 6.0.6001 Service Pack 1


---- System - GMER 1.0.15 ----

Code 86A00518 ZwEnumerateKey
Code 869D12C0 ZwFlushInstructionCache
Code 86A1633D IofCallDriver
Code 86A123CE IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCompleteRequest 81C3BFE2 5 Bytes JMP 86A123D3
.text ntkrnlpa.exe!IofCallDriver 81CBDF6F 5 Bytes JMP 86A16342
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 81DB430B 5 Bytes JMP 869D12C4
PAGE ntkrnlpa.exe!ZwEnumerateKey 81E09BA2 5 Bytes JMP 86A0051C

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1788] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1788] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1788] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1788] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1788] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1788] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1788] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1788] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1788] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1788] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1788] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1788] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1788] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1788] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1788] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1788] @ C:\Windows\system32\RPCRT4.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1788] @ C:\Windows\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1788] @ C:\Windows\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1788] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1788] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1788] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1788] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1788] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1788] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1788] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1788] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1788] @ C:\Windows\system32\WS2_32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1788] @ C:\Windows\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1788] @ C:\Windows\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1788] @ C:\Windows\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1788] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1788] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1788] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1788] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1788] @ C:\Windows\system32\USERENV.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1788] @ C:\Windows\system32\USERENV.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1788] @ C:\Windows\system32\Secur32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1788] @ C:\Windows\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1788] @ C:\Windows\system32\Secur32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1788] @ C:\Windows\system32\psapi.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\aol\1240639607\ee\aolsoftware.exe[3412] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\aol\1240639607\ee\aolsoftware.exe[3412] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\aol\1240639607\ee\aolsoftware.exe[3412] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\aol\1240639607\ee\aolsoftware.exe[3412] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\aol\1240639607\ee\aolsoftware.exe[3412] @ C:\Windows\system32\RPCRT4.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\aol\1240639607\ee\aolsoftware.exe[3412] @ C:\Windows\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\aol\1240639607\ee\aolsoftware.exe[3412] @ C:\Windows\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\aol\1240639607\ee\aolsoftware.exe[3412] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\aol\1240639607\ee\aolsoftware.exe[3412] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\aol\1240639607\ee\aolsoftware.exe[3412] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\aol\1240639607\ee\aolsoftware.exe[3412] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\aol\1240639607\ee\aolsoftware.exe[3412] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\aol\1240639607\ee\aolsoftware.exe[3412] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\aol\1240639607\ee\aolsoftware.exe[3412] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\aol\1240639607\ee\aolsoftware.exe[3412] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\aol\1240639607\ee\aolsoftware.exe[3412] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\aol\1240639607\ee\aolsoftware.exe[3412] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\aol\1240639607\ee\aolsoftware.exe[3412] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\aol\1240639607\ee\aolsoftware.exe[3412] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\aol\1240639607\ee\aolsoftware.exe[3412] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\aol\1240639607\ee\aolsoftware.exe[3412] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\aol\1240639607\ee\aolsoftware.exe[3412] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\aol\1240639607\ee\aolsoftware.exe[3412] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\aol\1240639607\ee\aolsoftware.exe[3412] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\aol\1240639607\ee\aolsoftware.exe[3412] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\aol\1240639607\ee\aolsoftware.exe[3412] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\aol\1240639607\ee\aolsoftware.exe[3412] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\aol\1240639607\ee\aolsoftware.exe[3412] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\aol\1240639607\ee\aolsoftware.exe[3412] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\aol\1240639607\ee\aolsoftware.exe[3412] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\aol\1240639607\ee\aolsoftware.exe[3412] @ C:\Windows\system32\Secur32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\aol\1240639607\ee\aolsoftware.exe[3412] @ C:\Windows\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\aol\1240639607\ee\aolsoftware.exe[3412] @ C:\Windows\system32\Secur32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\aol\1240639607\ee\aolsoftware.exe[3412] @ C:\Windows\system32\USERENV.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\aol\1240639607\ee\aolsoftware.exe[3412] @ C:\Windows\system32\USERENV.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\tdx \Device\Udp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Services - GMER 1.0.15 ----

Service C:\Windows\system32\drivers\SKYNETvrhsrvrh.sys (*** hidden [SYSTEM] SKYNETictqdsdi <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETictqdsdi
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETictqdsdi@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETictqdsdi@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETictqdsdi@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETictqdsdi@imagepath \systemroot\system32\drivers\SKYNETvrhsrvrh.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETictqdsdi\main
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETictqdsdi\main@aid 10056
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETictqdsdi\main@sid 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETictqdsdi\main@cmddelay 14400
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETictqdsdi\main\delete
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETictqdsdi\main\injector
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETictqdsdi\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETictqdsdi\main\tasks
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETictqdsdi\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETictqdsdi\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETvrhsrvrh.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETictqdsdi\modules@SKYNETcmd.dll \systemroot\system32\SKYNETpoiunrxq.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETictqdsdi\modules@SKYNETlog.dat \systemroot\system32\SKYNETxecbiywp.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETictqdsdi\modules@SKYNETwsp.dll \systemroot\system32\SKYNETowmuvcnp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETictqdsdi\modules@SKYNET.dat \systemroot\system32\SKYNETsntsjooq.dat
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETictqdsdi
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETictqdsdi@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETictqdsdi@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETictqdsdi@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETictqdsdi@imagepath \systemroot\system32\drivers\SKYNETvrhsrvrh.sys
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETictqdsdi\main
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETictqdsdi\main@aid 10056
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETictqdsdi\main@sid 0
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETictqdsdi\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETictqdsdi\main\delete
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETictqdsdi\main\injector
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETictqdsdi\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETictqdsdi\main\tasks
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETictqdsdi\modules
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETictqdsdi\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETvrhsrvrh.sys
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETictqdsdi\modules@SKYNETcmd.dll \systemroot\system32\SKYNETpoiunrxq.dll
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETictqdsdi\modules@SKYNETlog.dat \systemroot\system32\SKYNETxecbiywp.dat
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETictqdsdi\modules@SKYNETwsp.dll \systemroot\system32\SKYNETowmuvcnp.dll
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETictqdsdi\modules@SKYNET.dat \systemroot\system32\SKYNETsntsjooq.dat

---- Files - GMER 1.0.15 ----

File C:\Program Files\Trend Micro\Internet Security\Quarantine\SKYNETdabqvpntoo.tmp 19082 bytes
File C:\Program Files\Trend Micro\Internet Security\Quarantine\SKYNETowmuvcnp.dll 19086 bytes
File C:\Program Files\Trend Micro\Internet Security\Quarantine\SKYNETowmuvcnp_b50.VIR 19086 bytes
File C:\Program Files\Trend Micro\Internet Security\Quarantine\SKYNETowmuvcnp_c08.VI0 19086 bytes
File C:\Program Files\Trend Micro\Internet Security\Quarantine\SKYNETowmuvcnp_c08.VIR 19086 bytes
File C:\Program Files\Trend Micro\Internet Security\Quarantine\SKYNETowmuvcnp_c1c.VI0 19086 bytes
File C:\Program Files\Trend Micro\Internet Security\Quarantine\SKYNETowmuvcnp_c1c.VIR 19086 bytes
File C:\Program Files\Trend Micro\Internet Security\Quarantine\SKYNETtquisbyili.tmp 19082 bytes
File C:\Users\Administrator\AppData\Local\Temp\SKYNET000 0 bytes
File C:\Windows\System32\drivers\SKYNETvrhsrvrh.sys 69632 bytes executable <-- ROOTKIT !!!
File C:\Windows\System32\SKYNETowmuvcnp.dll 18944 bytes
File C:\Windows\System32\SKYNETpoiunrxq.dll 43520 bytes executable
File C:\Windows\System32\SKYNETsntsjooq.dat 93 bytes
File C:\Windows\System32\SKYNETxecbiywp.dat 193048 bytes

---- EOF - GMER 1.0.15 ----


I guess I should read a bit more about NTFS, because I do not understand where exactly these files are hidden. I thought Index.dat-type files were about as hidden as you could get.

OK, time-out... I am going to interrupt here for a second.... THIS IS REALLY STRANGE. I just pasted the above file, and had tried to straighten out the formatting a bit. As you will note, there are two instances where it states ROOTKIT!!, and in the first instance, it also lists a second SKYNET file. I highlighted these two lines in red for your convenience.

This output is from a text file I saved from the GMER results. It is on a flash drive plugged into my computer. I saved the GMER file on this flash drive when I ran the scan on my dad's laptop. Upon first plugging the flash drive into my laptop (after removing it from my dad's laptop), I went to it immediately, opened up said text file, and copied and pasted the output. The output is virtually the same as the above text, save for a little formatting I have done, as stated.

Now after this minor formatting I did on the above text, I wanted to check something on the source .txt file on the flash drive just to make absolutely sure I did not alter it substantively in any way. What is incredible is when I opened that SAME text file, at first glance, it looks identical to the above output. Now however, the word "rootkit" is nowhere to be found, and in the first red line above where it lists the second infected file, this information is not in the output file any longer. It has only been 2 minutes since I originally opened the file and copied the text. In the interim while I was typing, the system hung for about a minute.... I wasn't sure why. But I unplugged the ethernet, because usually this bug is accessing something from the net or there is some communication going on (you should see my Colasoft Capsa file which I ran overnight on my laptop... it must have had 4 magic "wake" packets sent to it during the course of 6 hours while the laptop was in "hibernation"). That is creepy. This rootkit is creepy.

But, I think you will see that we now have files and other information which GMER has found that indicate the presence of a rootkit, at least we can say that with confidence as it relates to my dad's laptop. So, I guess I need to know what files to kill or what exactly I should do next as it relates to that machine. [I wouldn't dare second guess you or anyone at this point as to what to do next.]

Now, onto MY thoroughly possessed laptop..

Here is the output from GMER.....

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-06 05:59:04
Windows 6.0.6000


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

The attached device mentioned in the lonely line above, I believe, is a WD 500GB MyBook back-up drive which I have had since about the time of this problem, and also which I have been recently working on to recover from a failure. I do not know if this failure is related to the rootkit or not, but I do know that there were at one time hidden files on it as well (found a few months ago). [In fact, I think this rootkit uses every device and application to its advantage. I just remembered some additional info regarding the mysterious missing GMER output text above.... When I plugged the drive into my laptop, I opened the file quickly and copied it, quicker than my Kaspersky AV even had a chance to scan it. Once the file was open the Kaspersky dialog box offering to scan the drive was up, and I considered waiting, but figured my laptop is already completely f*cked anyway, so I grabbed the data and closed the file. After the scan, coincidentally, the data in the file has now apparently been altered. I don't know obviously if it was a hooked Kaspersky app that changed the file or it was something else....but it just seems so nefarious to me that mere code could do all of this..... but I know it can.


OK... so that's where we are. Again, I appreciate your help and your patience. For a fairly intelligent, above-average computer skilled quasi-alpha male, this rootkit and my inability to eradicate it-- alone or even with previous help from others--over the past 6 months has taken quite a toll on my disposition generally and more. In essence, you are not merely helping me restore the health to my PC, but you are very much helping me restore confidence in my environment and in myself. Further, a certain amount of sanity is definitely returning as well...

It has not been a pleasant experience when for six months straight you have had to reinstall your operating system on an average of two (2) times per week-- never actually having a workspace that is yours....constantly fearing that the perpetrators of the bug on your system may be watching you through your own webcam..... listening to you, to your VoIP phone calls, or to the conversations around the laptop when it is running (or maybe when it is just "sleeping"). I hope you do not think I am over-paranoid (because I am not, trust me), but I have a piece of electrician's tape over the built-in webcam on my laptop. I know what can be done (I have read about it and discussed it, but never partook in it), and I do not want it done to me.

Thank you again -- very, VERY much,

Paul

Edited by pjvex86, 06 July 2009 - 07:53 AM.
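A note between the posts: a GMER log like the one above can be triaged mechanically instead of by eye. The script below is an added example, my own code rather than GMER's or anything posted in this thread. It feeds a constructed subset of the log lines above through a small parser, collects the entries GMER itself tagged with "<-- ROOTKIT !!!", groups the user-mode IAT hooks by the module that installed them (here a named AOL diagnostics DLL hooking LoadLibrary*/SetUnhandledExceptionFilter inside AOL's own processes, which is something to note and verify rather than the rootkit itself), and cross-checks the hidden service's registry "modules" values against the Files section so the on-disk artifacts to quarantine or submit are listed once. It assumes SystemRoot is C:\Windows when expanding the \systemroot prefix; that assumption is marked in the code.

```python
"""Triage helper for GMER 1.0.15 text logs (added example, not GMER's code).
Parses the entry types visible in the thread's log (IAT, Service, Reg, File),
records GMER's "<-- ROOTKIT !!!" verdicts, groups IAT hooks by hooking module,
and matches a hidden service's 'modules' registry values to files on disk."""
import re
from collections import defaultdict

ROOTKIT_MARK = "<-- ROOTKIT !!!"

# Constructed sample: a subset of the log lines from the post, in GMER's format.
SAMPLE_LOG = r"""
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1788] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[1788] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\aol\1240639607\ee\aolsoftware.exe[3412] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
---- Services - GMER 1.0.15 ----
Service C:\Windows\system32\drivers\SKYNETvrhsrvrh.sys (*** hidden [SYSTEM] SKYNETictqdsdi <-- ROOTKIT !!!
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETictqdsdi
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETictqdsdi\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETvrhsrvrh.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETictqdsdi\modules@SKYNETcmd.dll \systemroot\system32\SKYNETpoiunrxq.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETictqdsdi\modules@SKYNETlog.dat \systemroot\system32\SKYNETxecbiywp.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETictqdsdi\modules@SKYNETwsp.dll \systemroot\system32\SKYNETowmuvcnp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETictqdsdi\modules@SKYNET.dat \systemroot\system32\SKYNETsntsjooq.dat
---- Files - GMER 1.0.15 ----
File C:\Users\Administrator\AppData\Local\Temp\SKYNET000 0 bytes
File C:\Windows\System32\drivers\SKYNETvrhsrvrh.sys 69632 bytes executable <-- ROOTKIT !!!
File C:\Windows\System32\SKYNETowmuvcnp.dll 18944 bytes
File C:\Windows\System32\SKYNETpoiunrxq.dll 43520 bytes executable
File C:\Windows\System32\SKYNETsntsjooq.dat 93 bytes
File C:\Windows\System32\SKYNETxecbiywp.dat 193048 bytes
---- EOF - GMER 1.0.15 ----
"""

IAT_RE = re.compile(r"^IAT (?P<process>.+?)\[(?P<pid>\d+)\] @ (?P<dll>\S+) "
                    r"\[(?P<import>[^\]]+)\] \[(?P<addr>[0-9A-Fa-f]+)\] "
                    r"(?P<hooker>.+?) \((?P<vendor>[^)]*)\)$")
REG_RE = re.compile(r"^Reg (?P<key>\S+)(?: (?P<data>.+))?$")
FILE_RE = re.compile(r"^File (?P<path>.+?) (?P<size>\d+) bytes(?P<exe> executable)?$")


def normalize(path, system_root=r"C:\Windows"):
    """Lower-case (NTFS is case-insensitive) and expand the systemroot prefix.
    Assumption: SystemRoot is C:\\Windows, as on the laptop in the thread."""
    p = path.lower()
    if p.startswith("\\systemroot"):
        p = system_root.lower() + p[len("\\systemroot"):]
    return p


def parse_gmer(text):
    report = {"iat": [], "services": [], "registry": [], "files": [], "flagged": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("----"):      # blank line or section banner
            continue
        if line.endswith(ROOTKIT_MARK):              # GMER's own verdict marker
            line = line[:-len(ROOTKIT_MARK)].rstrip()
            report["flagged"].append(line)
        kind, _, rest = line.partition(" ")
        if kind == "IAT" and (m := IAT_RE.match(line)):
            report["iat"].append(m.groupdict())
        elif kind == "Service":                      # "Service <image> (... hidden ...) <name>"
            image, _, tail = rest.partition(" ")
            report["services"].append({"image": image, "hidden": "hidden" in tail,
                                       "name": tail.split()[-1] if tail.split() else ""})
        elif kind == "Reg" and (m := REG_RE.match(line)):
            report["registry"].append(m.groupdict())
        elif kind == "File" and (m := FILE_RE.match(line)):
            d = m.groupdict()
            d["size"], d["exe"] = int(d["size"]), bool(d["exe"])
            report["files"].append(d)
    return report


def iat_summary(report):
    """Group user-mode IAT hooks by the module that installed them."""
    hooks = defaultdict(lambda: {"vendor": "", "processes": set(), "imports": set()})
    for h in report["iat"]:
        e = hooks[h["hooker"].lower()]
        e["vendor"] = h["vendor"]
        e["processes"].add(h["process"].lower())
        e["imports"].add(h["import"])
    return {k: {"vendor": v["vendor"], "process_count": len(v["processes"]),
                "imports": sorted(v["imports"])} for k, v in hooks.items()}


def hidden_service_artifacts(report):
    """Paths a hidden service's 'modules' values point at, and which exist on disk."""
    on_disk = {normalize(f["path"]) for f in report["files"]}
    out = {}
    for svc in report["services"]:
        if not svc["hidden"]:
            continue
        prefix = "\\services\\" + svc["name"].lower() + "\\modules@"
        paths = {normalize(r["data"]) for r in report["registry"]
                 if r["data"] and prefix in r["key"].lower()}
        out[svc["name"]] = {"image": normalize(svc["image"]),
                            "module_paths": sorted(paths),
                            "present_on_disk": sorted(paths & on_disk)}
    return out


if __name__ == "__main__":
    rep = parse_gmer(SAMPLE_LOG)
    print("flagged by GMER:", *rep["flagged"], sep="\n  ")
    for mod, info in iat_summary(rep).items():
        print(f"hooker {mod} ({info['vendor']}): {info['process_count']} process(es), imports {info['imports']}")
    for name, info in hidden_service_artifacts(rep).items():
        print(f"hidden service {name}: {len(info['present_on_disk'])}/{len(info['module_paths'])} module paths found on disk")
```

Run it against a real GMER .txt by reading the file into parse_gmer instead of SAMPLE_LOG. Saving a copy of the log's hashes at the same time is worthwhile given what the post above describes: if the same file later reads differently, a stored hash settles whether it changed.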


#5 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,211 posts
  • ONLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:11:19 PM

Posted 06 July 2009 - 09:58 AM

Let's work on your dad's laptop first. After we finish this one we will take care of yours. My instructions will be directed only at your dad's laptop until such time as it is cleared.

Please read and follow all these instructions very carefully.

Please download ComboFix from Here or Here to your Desktop. The computer must be hooked to the internet for this to work.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:

  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" .
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**


Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#6 pjvex86

pjvex86
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  • Local time:09:19 PM

Posted 06 July 2009 - 12:51 PM

A bit of a problem...

First my dad's laptop now -- can't say when this started -- is unable to connect to the internet. It only gets local service. I cannot ping the gateway.

I tried a variety of things.. (changed some configurations in the adapter which I know have worked before on my laptop, flushed DNS, released and renewed my IP address, etc.) but could not get on.

Ultimately, I downloaded the file on my laptop (properly renaming it per your instructions) and then copied it to a flash drive and took it to my dad's laptop. I ran it several times. Recall that every two seconds I am clicking OK to the same error warning me that the "SKYNETxxxxxxx.dll does not exist". First 3 times it ran, I got to a point where it said the same message as before when I ran the original Combofix (i.e., Rootkit detected, write down this file name, allow Combofix to reboot....). Upon reboot however, combofix is no longer running. I then tried to run the application two (2) more times, and in each of these instances, it just would hang at "Attempting to recreate a new System Restore Point".

Should I try running it in safe mode? Does the application need the internet when I start running it? Or did you just say that because I needed to download the file to begin with?

Thanks,
Paul

#7 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,211 posts
  • ONLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:11:19 PM

Posted 06 July 2009 - 06:57 PM

Hi, pjvex86 :thumbup2:

Combofix has security safeguards to avoid being downloaded from unauthorized sites, thus transferring the program using a flash drive won't do.

Please download the enclosed folder. Save and extract its contents to the desktop. Once extracted, you can transfer the Root_Fix folder to your father's laptop. Once done, open the folder and click on the RunMe.bat file. The MSDOS window will be displayed and the computer will restart. That is normal. Upon Restart, re-attempt to download Combofix to this laptop and run it as instructed above.

Edited by JSntgRvr, 06 July 2009 - 07:01 PM.



#8 pjvex86

pjvex86
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  • Local time:09:19 PM

Posted 07 July 2009 - 09:07 AM

Man, you guys are busier than a free clinic in Vancouver!

I am sending this from my PDA. Regarding my laptop, I decided to wipe an old hard drive and reinstall from the factory disks... I know now what is and isn't this rootkit. But right now I cannot access the internet as it is installing the OS.

Regarding my dad's laptop... I think originally there was a problem with the Trend Micro app. I finally went into msconfig and disabled it, HPadvisor, and AOL from startup. I even for good measure reinstalled the ethernet adapter driver. The batch program runs--apparently successfully, however at the end, it appears explorer has been shut down, but it won't restart. So I am just looking at desktop wallpaper. When I either do a hard power off or restart explorer.exe from the task manager and then do a restart, I come back to Windows, however, no internet access. My routing table shows three IPv6 link-local addresses, and also my loopback, in both IPv4 and IPv6, and my IPv4 address is also link-local (169.xxx.xxx.xxx). I re-ran GMER just to make sure that the bug had not renamed itself since your batch program is tailored to it (thank you very much btw), but it looks like all the registry keys and processes are still the same name, so the keys and files referenced in your batch program are still correct.

So, I think we are still stuck... incidentally, I re-ran both versions of combo-fix for lack of alternatives, and each one goes through the same process consistently... they report the same rootkit name as in my first post, reboot on their own, but then after the desktop comes up, combofix never restarts. I triple-checked all other start-up apps, but honestly cannot see anything that would interfere with it other than what I disabled. It just won't continue running after it reboots.

Thank you for everything!! Let me know what options we have....

Paul

Edited by pjvex86, 07 July 2009 - 09:14 AM.


#10 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,211 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:11:19 PM

Posted 07 July 2009 - 11:55 AM

Hi, pjvex86 :thumbup2:

In order to restore your communication, you may need to reset the router to Factory Settings. This can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router. Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds). If you don’t know the router's default password, you can look it up HERE

I don't understand the GMER report. If you scanned and the file entries were still there, either the batch file failed to remove the nasty, or they were re-created. Let's use another tool to remove these if present.

1. Please download The Avenger by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Begin copying here:
Files to delete:
C:\Users\Administrator\AppData\Local\Temp\SKYNET000
C:\Windows\System32\drivers\SKYNETvrhsrvrh.sys
C:\Windows\System32\SKYNETowmuvcnp.dll
C:\Windows\System32\SKYNETpoiunrxq.dll
C:\Windows\System32\SKYNETsntsjooq.dat
C:\Windows\System32\SKYNETxecbiywp.dat

Drivers to delete:
SKYNETictqdsdi

Registry keys to delete:
HKLM\SOFTWARE\SKYNETictqdsdi

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh Hijackthis log .

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#11 pjvex86

pjvex86
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  •  
  • Local time:09:19 PM

Posted 08 July 2009 - 11:05 AM


Please IGNORE this post and read the next one. Thank you.

Thank you. I followed your instructions.

First, I just wanted to make you aware that I am connected to an ethernet 100b-T cable running straight to a modem with an external IP. No router. As risky as I know this is, it really isn't an issue when you are already loaded with trojans because once you get one (3 months ago), most commercial software you try to install after that is compromised by pre-existing global hooks, so any function calls made by the software are meaningless in protecting your system..... As you undoubtedly know...

Secondly, I might not have been clear, with my Dad's laptop... I could not get online with it to download the modified combofix utility. The batch program ran, and it looked as though it was successful (it stated "command successfully completed" in the cmdline window when I ran the batch program, but thereafter, it did not reboot). I re-ran GMER, and since it showed all of the same keys, obviously it was still infected, but also I was just pointing out that your batch program was still attempting to delete valid filenames, i.e. they had not changed.

So back to our story....

I tried avenger like you suggested. Partial success. But I have a feeling partial success with a rootkit is probably very little success. Following is the log from Avenger....

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: could not delete file "C:\Users\Administrator\AppData\Local\Temp\SKYNET000"
Deletion of file "C:\Users\Administrator\AppData\Local\Temp\SKYNET000" failed!
Status: 0xc0000156


Error: could not delete file "C:\Windows\System32\drivers\SKYNETvrhsrvrh.sys"
Deletion of file "C:\Windows\System32\drivers\SKYNETvrhsrvrh.sys" failed!
Status: 0xc0000156


Error: could not delete file "C:\Windows\System32\SKYNETowmuvcnp.dll"
Deletion of file "C:\Windows\System32\SKYNETowmuvcnp.dll" failed!
Status: 0xc0000156


Error: could not delete file "C:\Windows\System32\SKYNETpoiunrxq.dll"
Deletion of file "C:\Windows\System32\SKYNETpoiunrxq.dll" failed!
Status: 0xc0000156


Error: could not delete file "C:\Windows\System32\SKYNETsntsjooq.dat"
Deletion of file "C:\Windows\System32\SKYNETsntsjooq.dat" failed!
Status: 0xc0000156


Error: could not delete file "C:\Windows\System32\SKYNETxecbiywp.dat"
Deletion of file "C:\Windows\System32\SKYNETxecbiywp.dat" failed!
Status: 0xc0000156

Driver "SKYNETictqdsdi" deleted successfully.

Error: registry key "HKLM\SOFTWARE\SKYNETictqdsdi" not found!
Deletion of registry key "HKLM\SOFTWARE\SKYNETictqdsdi" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.



Next I ran DDS. Here is the output from that.....


DDS (Ver_09-06-26.01) - NTFSx86
Run by Administrator at 18:31:24.44 on Tue 07/07/2009
Internet Explorer: 8.0.6001.18702
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.1.1033.18.1978.1276 [GMT -7:00]

AV: Trend Micro Internet Security *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Windows\system32\crypserv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\SMINST\BLService.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Users\Administrator\Desktop\bbfd99eo.exe
C:\Windows\System32\wsqmcons.exe
C:\Users\ADMINI~1\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
mURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: AOL Toolbar Loader: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol toolbar\aoltb.dll
BHO: Microsoft Live Search Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0541.0\msneshellx.dll
TB: Microsoft Live Search Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0541.0\msneshellx.dll
TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol toolbar\aoltb.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [UpdateLBPShortCut] "c:\program files\cyberlink\labelprint\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\labelprint" updatewithcreateonce "software\cyberlink\labelprint\2.5"
mRun: [UpdatePSTShortCut] "c:\program files\cyberlink\dvd suite\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\dvd suite" updatewithcreateonce "software\cyberlink\PowerStarter"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [UpdateP2GoShortCut] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0"
mRun: [UpdatePDIRShortCut] "c:\program files\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\7.0"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
dRun: [OE] c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\progra~1\java\jre16~1.0_0\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
Notify: igfxcui - igfxdev.dll

============= SERVICES / DRIVERS ===============

R1 tmlwf;Trend Micro NDIS 6.0 Filter Driver;c:\windows\system32\drivers\tmlwf.sys [2008-7-29 145424]
R2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\sminst\BLService.exe [2008-10-22 365952]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2008-7-29 50192]
R2 TmPfw;Trend Micro Personal Firewall;c:\program files\trend micro\internet security\TmPfw.exe [2009-4-29 497008]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2009-4-29 36368]
R2 TmProxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2009-4-29 677128]
R2 tmwfp;Trend Micro WFP Callout Driver;c:\windows\system32\drivers\tmwfp.sys [2008-7-29 256528]
R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2008-10-22 193840]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-6-29 112128]
S2 Norton Internet Security;Norton Internet Security;"c:\program files\norton internet security\engine\16.0.0.125\ccsvchst.exe" /s "norton internet security" /m "c:\program files\norton internet security\engine\16.0.0.125\dimaster.dll" /prefetch:1 --> c:\program files\norton internet security\engine\16.0.0.125\ccSvcHst.exe [?]

=============== Created Last 30 ================

2009-07-07 06:28 <DIR> --ds---- C:\Combo-Fix
2009-07-07 06:28 318,976 a------- c:\windows\system32\CF10786.exe
2009-07-07 06:12 318,976 a------- c:\windows\system32\CF7566.exe
2009-07-07 06:06 318,976 a------- c:\windows\system32\CF6377.exe
2009-07-07 04:58 161,792 a------- c:\windows\SWREG.exe
2009-07-07 04:58 155,136 a------- c:\windows\PEV.exe
2009-07-07 04:58 98,816 a------- c:\windows\sed.exe
2009-07-07 04:58 318,976 a------- c:\windows\system32\CF25854.exe
2009-07-07 04:31 318,976 a------- c:\windows\system32\CF20610.exe
2009-07-07 04:10 318,976 a------- c:\windows\system32\CF16413.exe
2009-07-07 04:04 318,976 a------- c:\windows\system32\CF15061.exe
2009-07-06 11:28 318,976 a------- c:\windows\system32\CF16665.exe
2009-07-06 10:37 318,976 a------- c:\windows\system32\CF6787.exe
2009-07-06 10:18 203,925,516 a------- c:\windows\MEMORY.DMP
2009-07-06 09:58 318,976 a------- c:\windows\system32\CF31822.exe
2009-07-06 09:45 318,976 a------- c:\windows\system32\CF29314.exe
2009-07-06 09:35 318,976 a------- c:\windows\system32\CF27391.exe
2009-07-06 09:27 318,976 a------- c:\windows\system32\CF25702.exe
2009-07-05 12:31 <DIR> --d----- C:\!KillBox
2009-07-05 11:20 318,976 a------- c:\windows\system32\CF27560.exe
2009-07-05 05:47 318,976 a------- c:\windows\system32\CF25518.exe
2009-07-05 05:33 <DIR> --d----- C:\32788R22FWJFW.4.tmp
2009-07-05 05:32 <DIR> --d----- C:\32788R22FWJFW.3.tmp
2009-07-05 03:45 318,976 a------- c:\windows\system32\CF3286.exe
2009-07-05 03:39 <DIR> --d----- C:\32788R22FWJFW.2.tmp
2009-07-05 03:39 <DIR> --d----- C:\32788R22FWJFW.1.tmp
2009-07-05 03:38 <DIR> --d----- C:\32788R22FWJFW.0.tmp
2009-07-05 03:33 318,976 a------- c:\windows\system32\CF1774.exe
2009-07-04 09:53 344 a------- c:\windows\wininit.ini
2009-07-04 08:53 <DIR> --d----- c:\programdata\Spybot - Search & Destroy
2009-07-04 08:53 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-07-04 08:53 <DIR> --d----- c:\progra~2\Spybot - Search & Destroy
2009-07-04 08:52 <DIR> --d----- c:\users\admini~1\appdata\roaming\Malwarebytes
2009-07-04 08:52 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-04 08:52 <DIR> --d----- c:\programdata\Malwarebytes
2009-07-04 08:52 <DIR> --d----- c:\progra~2\Malwarebytes
2009-07-04 08:52 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-04 08:52 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-04 08:07 <DIR> --d----- c:\users\admini~1\appdata\roaming\PolyView
2009-07-04 07:55 <DIR> --d----- c:\program files\Polybytes
2009-07-03 08:55 <DIR> --d----- c:\program files\Colasoft Capsa 6.9 EE
2009-07-03 08:51 <DIR> --d----- c:\windows\WinRAR
2009-07-02 02:47 <DIR> --d----- c:\program files\R-Studio
2009-07-02 00:49 71 a------- c:\windows\Crypkey.ini
2009-07-02 00:49 27,648 a----r-- c:\windows\Setup_ck.exe
2009-07-02 00:49 165,888 a------- c:\windows\Ckconfig.exe
2009-07-02 00:49 69,632 a------- c:\windows\system32\Crypserv.exe
2009-07-02 00:49 31,846 a------- c:\windows\system32\Ckldrv.sys
2009-07-02 00:49 18,432 a------- c:\windows\Setup_ck.dll
2009-07-02 00:49 11,776 a------- c:\windows\Ckrfresh.exe
2009-06-24 06:49 10,752 a------- c:\windows\DCEBoot.exe
2009-06-19 06:23 <DIR> --d----- c:\program files\VideoLAN
2009-06-13 14:56 <DIR> --d----- c:\users\Administrator

==================== Find3M ====================

2009-07-07 06:24 86,016 a------- c:\windows\inf\infstrng.dat
2009-07-07 06:24 51,200 a------- c:\windows\inf\infpub.dat
2009-07-07 06:05 86,016 a------- c:\windows\inf\infstor.dat
2009-04-24 22:25 54,832 a------- c:\windows\system32\AOLParconLink.exe
2008-10-22 22:54 665,600 a------- c:\windows\inf\drvindex.dat
2008-01-20 19:57 174 a--sh--- c:\program files\desktop.ini
2006-11-02 05:39 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 05:39 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 05:39 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 05:39 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 18:35:37.57 ===============



And though nothing struck me as immediately problematic, I didn't like the way the system felt. And further, I still could not get online. The repeating error that the system was giving me earlier has stopped (I imagine due to avenger deleting that file).

I know you said that I needed to download the modified Combo-Fix (as renamed), but I ran the version that I downloaded on my laptop anyway. I got the same results. That is...I still cannot get Combo-Fix to continue scanning after the system restarts.

I am stumped.... But at least the annoying error has stopped.

Paul

Edited by pjvex86, 08 July 2009 - 04:16 PM.
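The script in post #10 and the avenger.txt in post #11 are the two halves of one removal attempt, and reading them side by side is what tells you how far it got. What follows is an added example for this thread, not code from the thread's participants and not part of The Avenger: it parses the three section headers of the script ("Files to delete:", "Drivers to delete:", "Registry keys to delete:") and the "deleted successfully" / "failed!" / "Status:" lines of the log, then sorts every scripted target into deleted, absent, failed or unreported. The sample script and log lines are copied from the two posts above (the log is abridged to two of the six file entries so the "unreported" bucket has something in it). The only NTSTATUS value the code names is 0xc0000034, which the log itself labels STATUS_OBJECT_NAME_NOT_FOUND; the 0xc0000156 failures are reported as-is without being interpreted.

```python
import re
from collections import OrderedDict

# Script from post #10 and matching avenger.txt lines from post #11 (copied
# from the thread; abridged to two of the six file entries).
SAMPLE_SCRIPT = r"""
Files to delete:
C:\Users\Administrator\AppData\Local\Temp\SKYNET000
C:\Windows\System32\drivers\SKYNETvrhsrvrh.sys
C:\Windows\System32\SKYNETowmuvcnp.dll
C:\Windows\System32\SKYNETpoiunrxq.dll
C:\Windows\System32\SKYNETsntsjooq.dat
C:\Windows\System32\SKYNETxecbiywp.dat

Drivers to delete:
SKYNETictqdsdi

Registry keys to delete:
HKLM\SOFTWARE\SKYNETictqdsdi
"""

SAMPLE_LOG = r"""
Error: could not delete file "C:\Users\Administrator\AppData\Local\Temp\SKYNET000"
Deletion of file "C:\Users\Administrator\AppData\Local\Temp\SKYNET000" failed!
Status: 0xc0000156

Error: could not delete file "C:\Windows\System32\drivers\SKYNETvrhsrvrh.sys"
Deletion of file "C:\Windows\System32\drivers\SKYNETvrhsrvrh.sys" failed!
Status: 0xc0000156

Driver "SKYNETictqdsdi" deleted successfully.

Error: registry key "HKLM\SOFTWARE\SKYNETictqdsdi" not found!
Deletion of registry key "HKLM\SOFTWARE\SKYNETictqdsdi" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
"""

SECTION_RE = re.compile(r"^(files|drivers|registry keys) to delete:$", re.I)
OK_RE = re.compile(r'^(file|driver|registry key) "(.+)" deleted successfully\.$', re.I)
FAIL_RE = re.compile(r'^deletion of (file|driver|registry key) "(.+)" failed!$', re.I)
STATUS_RE = re.compile(r"^status:\s*(0x[0-9a-f]{8})", re.I)
STATUS_OBJECT_NAME_NOT_FOUND = "0xc0000034"  # the one code the log names itself
KIND_BY_SECTION = {"files": "file", "drivers": "driver", "registry keys": "registry key"}


def parse_script(text):
    """Map each target in an Avenger script (lower-cased) to its kind."""
    targets = OrderedDict()
    kind = None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            kind = KIND_BY_SECTION[m.group(1).lower()]
            continue
        if kind is None:
            raise ValueError("target listed before any section header: %r" % line)
        targets[line.lower()] = kind
    return targets


def parse_log(text):
    """Map each target named in avenger.txt to ('deleted', None) or ('failed', status)."""
    results = OrderedDict()
    pending = None  # failed target whose 'Status:' line has not been seen yet
    for line in (l.strip() for l in text.splitlines()):
        m = OK_RE.match(line)
        if m:
            results[m.group(2).lower()] = ("deleted", None)
            pending = None
            continue
        m = FAIL_RE.match(line)
        if m:
            pending = m.group(2).lower()
            results[pending] = ("failed", None)
            continue
        m = STATUS_RE.match(line)
        if m and pending is not None:
            results[pending] = ("failed", m.group(1).lower())
            pending = None
    return results


def reconcile(script_text, log_text):
    """Sort every scripted target into deleted / absent / failed / unreported."""
    targets = parse_script(script_text)
    results = parse_log(log_text)
    report = {"deleted": [], "absent": [], "failed": {}, "unreported": []}
    for target, kind in targets.items():
        outcome = results.get(target)
        if outcome is None:
            report["unreported"].append(target)
        elif outcome[0] == "deleted":
            report["deleted"].append(target)
        elif outcome[1] == STATUS_OBJECT_NAME_NOT_FOUND:
            report["absent"].append(target)        # nothing there to delete
        else:
            report["failed"][target] = outcome[1]  # present, but not removable
    # The situation in post #11: the driver entry went away but the files
    # listed with it are still on disk, so the removal is not complete.
    driver_gone = any(targets[t] == "driver" for t in report["deleted"])
    files_left = any(targets[t] == "file" for t in report["failed"])
    report["partial_removal"] = driver_gone and files_left
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(reconcile(SAMPLE_SCRIPT, SAMPLE_LOG), indent=2))
```

Targets are compared case-insensitively because NTFS paths and service names are; the "absent" bucket is kept separate from "failed" because a key that was never there (0xc0000034) and a file that is there but cannot be touched call for different next steps.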


#12 pjvex86

pjvex86
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  •  
  • Local time:09:19 PM

Posted 08 July 2009 - 04:15 PM

Hello....

We have run out of time unfortunately with my Dad's laptop. He needed it to go out of town and took it back. I told him it was still infected, but he didn't seem to care (although he doesn't know how nasty this thing is). But I couldn't dissuade him.

So, if you do not mind, I would still like to do a once over on my laptop. I mentioned to you that I had wiped an old 2.5" drive and then replaced my current drive and reformatted it with HP factory disks -- Vista Home Premium 64bit.

Now I have done this before several times, however I always thought there was something amiss and I was still infected somehow (do not know if it was the eprom (though I doubt it), or I used a CD afterwards to boot into or what), but I never felt I was clean.

Right now, it is no different. I have installed the OS from the HP disks and kept anything contaminated (well I did scan and decontaminate a flash drive using a computer at Kinkos (and even looked at the boot sector with Win-Hex), and it looked good (I know what my boot sector/MBR should look like at this point). And also, I am running a Norton firewall which seems to be doing what I tell it to do, but what I do not like is when I run a particular hardware info program, an option to look at the 2nd microprocessor in the dual core laptop is grayed out. In addition, I am paying for 7Mbit/s internet access, yet I am only downloading at 49K/s or something ridiculously slow like that. Also....other signs of infection are the IPv6 addresses in my routing table. I spoke to my ISP and they said they have no IPv6 capability. And when I try to break down the addresses, they seem to all go to link-local mDNS addresses, which could be good or could be part of a method to access my machine. I am not sure.

I would have included in this post outputs from the various diagnostics we have run on my dad's laptop (or even my own when I had a 32-bit OS installed), but now I am running Vista 64 bit and none of them seem to work.

Is there a GMER, a DDS or a Combo-Fix I can run on a 64 bit machine?

Thank you.... and thank you very much for your help on my Dad's laptop... We still made progress and I wish I could have talked him into letting me fix it completely, but he was insistent on taking it.

Paul
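Posts #9 and #12 both describe the same picture: a 169.x IPv4 address alongside several fe80:: IPv6 entries in the routing table. Two facts help when reading that: 169.254.0.0/16 is the APIPA range that Windows assigns itself on an adapter that obtained no DHCP lease, and fe80::/10 link-local addresses are configured on every interface by default because Vista ships with IPv6 enabled, whether or not the ISP offers IPv6. The following is an added example, not from anyone in this thread: it parses an ipconfig-style listing, classifies every address with Python's ipaddress module, and reports per adapter whether a usable IPv4 lease is present. The sample listing is constructed in the shape Windows prints, with invented addresses chosen to mirror the posts; it was not taken from either laptop.

```python
import ipaddress
import re
from collections import OrderedDict

# Constructed ipconfig output (not from the thread): one adapter stuck on
# APIPA, one with a real lease, and an ISATAP tunnel adapter.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:
   Link-local IPv6 Address . . . . . : fe80::1c2a:3b4c:5d6e:7f80%10
   Autoconfiguration IPv4 Address. . : 169.254.83.117
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . :

Wireless LAN adapter Wireless Network Connection:
   Link-local IPv6 Address . . . . . : fe80::a1b2:c3d4:e5f6:708%12
   IPv4 Address. . . . . . . . . . . : 192.168.1.23
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1

Tunnel adapter Local Area Connection* 6:
   Link-local IPv6 Address . . . . . : fe80::5efe:169.254.83.117%14
"""

ADAPTER_RE = re.compile(r"^(\S.*):\s*$")
ADDR_RE = re.compile(r"^\s+(?P<label>[A-Za-z0-9 \-]+?)[ .]*:\s*(?P<addr>\S+)\s*$")


def classify(addr):
    """Label one address; accepts a string (a %zone suffix is allowed) or an object."""
    if isinstance(addr, str):
        addr = ipaddress.ip_address(addr.split("%", 1)[0])
    if addr.is_loopback:
        return "loopback"
    if addr.is_link_local:   # 169.254.0.0/16 (APIPA) or fe80::/10
        return "link-local"
    if addr.is_private:
        return "private"
    return "global"


def parse_ipconfig(text):
    """Group the address lines of an ipconfig dump by adapter."""
    adapters = OrderedDict()
    current = None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = m.group(1)
            adapters[current] = []
            continue
        m = ADDR_RE.match(line)
        if not m or current is None or "address" not in m.group("label").lower():
            continue  # skips Subnet Mask, Default Gateway and blank values
        try:
            addr = ipaddress.ip_address(m.group("addr").split("%", 1)[0])
        except ValueError:
            continue
        adapters[current].append((addr, classify(addr)))
    return adapters


def assess(adapters):
    """Per adapter: is there an IPv4 address that is not the APIPA fallback?"""
    verdict = {}
    for name, entries in adapters.items():
        v4 = [a for a, _ in entries if a.version == 4]
        if any(not a.is_link_local for a in v4):
            verdict[name] = "ipv4 lease present"
        elif v4:
            verdict[name] = "apipa only: no DHCP lease on this adapter"
        else:
            verdict[name] = "no ipv4 address"
    return verdict


if __name__ == "__main__":
    adapters = parse_ipconfig(SAMPLE_IPCONFIG)
    for name, entries in adapters.items():
        print(name)
        for addr, cls in entries:
            print("   %-40s %s" % (addr, cls))
    print(assess(adapters))
```

The assessment only says whether an adapter holds a lease; it says nothing about why a lease is missing, which is exactly the question the thread leaves open. The point of running it is to separate "the stack is in its default state with no DHCP answer" from anything that would need a different explanation.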

#13 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,211 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:11:19 PM

Posted 08 July 2009 - 05:35 PM

Download OTL.exe by Oldtimer to your Desktop. It should have 64bit capabilities.
  • Close any open browsers.
  • Double-click on OTL.exe to start the program.
  • Leave all settings as they appear as default.
  • Now click the Run Scan button on the toolbar.
  • The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Save that notepad file
Post the contents of that Notepad document in your next reply.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#14 pjvex86

pjvex86
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  •  
  • Local time:09:19 PM

Posted 11 July 2009 - 12:41 PM

OK.... I had some trouble getting this running. It froze a couple of times. And then, I had to wipe and reinstall all over again. This is what happened....

First. I enabled the built-in Administrator user and created a password for it. I then logged in with it, and for what I thought would be better security --although this may have been foolish--I then deleted my original user (a member of the Administrators group). After setting up my desktop and installing Gbs of applications, I rebooted. When I typed in my username and password at the login screen, it said "This Account has been disabled. Please see your system Administrator". I was furious. Then I hit "switch user", to see if perhaps there was a guest account I could re-enable using some third party software, but the guest account was gone. However, to my surprise what I did find was a user called Other User, with a blank space for the username, and Password, also with a blank space for the password. I have never seen this, and I think it is evidence of some foul play.

Regarding OTL scan output. You were right. It is A LOT of data. In fact, this BB would not let me post it in one post, nor even two or three posts without it coming back with an error that my post was too long. Therefore, I have zipped it and attached it. Best I could do!! Sorry.


Please let me know what you think. And thank you very much once again.

Paul

PS: In addition, there was also another output file from OTL called "Extras.txt". Just in case, I zipped it, and also attached it to this post.

Attached Files



#15 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,211 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:11:19 PM

Posted 12 July 2009 - 11:56 AM

Hi, pjvex86 :thumbup2:

I have reviewed the reports and see no malware problems. You are using, however, uTorrent.

Many peer-to-peer networks are under constant attack by people with a variety of motives.

Examples include:
  • poisoning attacks (e.g. providing files whose contents are different than the description)
  • denial of service attacks (attacks that may make the network run very slowly or break completely)
  • defection attacks (users or software that make use of the network without contributing resources to it)
  • insertion of viruses to carried data (e.g. downloaded or carried files may be infected with viruses or other malware)
  • malware in the peer-to-peer network software itself (e.g. distributed software may contain spyware)
  • filtering (network operators may attempt to prevent peer-to-peer network data from being carried)
  • identity attacks (e.g. tracking down the users of the network and harassing or legally attacking them)
  • spamming (e.g. sending unsolicited information across the network- not necessarily as a denial of service attack)
I would recommend you stay away from these decentralized networks as they are the source of most of the malware.

How is the computer doing otherwise?

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!




