
More Malware help requested [Moved]


14 replies to this topic

#1 jake_bleeping

  • Members
  • 18 posts

Posted 11 July 2009 - 07:35 AM

Hello-

I am in desperate need of help. I have ESET NOD32 and it alerted me that it cannot clean this file from the operating memory:

Win32/rootkit.Agent.ODG trojan

I have tried scanning with the anti-virus both in normal and safe mode. I have tried ad-aware, Malwarebytes, and Norman Malware cleaner. None worked. All in safe mode with the antivirus off and the system restore off. Nothing. I am afraid of sensitive information being compromised.

Combofix seems to be the only one that works but comes with many disclaimers of causing more harm, hard to use, expert use only etc. I am hesitant and apprehensive about doing this myself. More importantly, I want to know that if I back up my files on an external hard drive, will the trojan migrate also....

I would like a "helper" to walk me through this process so I don't have to uninstall everything and reinstall XP Home and reset all my preferences...

Help!!!



#2 Orange Blossom

    OBleepin Investigator

  • Moderator
  • 36,807 posts
  • Location:Bloomington, IN

Posted 11 July 2009 - 11:54 AM

As no logs have been posted, I am shifting this topic from the specialized HiJack This forum to the Am I Infected forum.

==>PLEASE DO NOT NOW POST LOGS<== unless a log is specifically requested.

To everyone reading this topic: Please note that ComboFix is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert." It is NOT for private use. Please read Combofix's Disclaimer. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Running ComboFix by yourself is like performing open heart surgery on yourself--the scalpel and other surgical tools that is ComboFix is meant to be wielded by a highly trained surgeon only in emergencies or dire circumstances. When the surgeon is through s/he leaves the room. So ComboFix should be removed from a system once it has accomplished its job, unlike an AV that is there to protect you from future infections.

. . . CF does make some alterations to your system if you run it. Even if you had no malware removed and run the uninstall command, some things may be different now on your system. I can tell you that one thing is that all your restore points will be flushed out and a new one created. There is a good reason to do that when you have a severe infection--but if you aren't infected you might need those restore points.

Read and abide by the disclaimer people. It's there for a reason. Stick to running and protecting yourself with a good AV and firewall and an anti-malware scanner or two. If you feel you need a second opinion, try running online scans. If you feel you might need surgery, come here to BC and ask for help--that is what we're here for.


From: http://www.bleepingcomputer.com/forums/ind...t&p=1159014

@ jake_bleeping

and the system restore off.


Please turn system restore back on before doing anything else. Disabling System Restore as the first step when attempting to clean a system or when scanning for malware is not advisable. Unfortunately, some anti-virus vendors still recommend doing this before attempting malware removal and many folks follow that advice. This is really not a good practice when dealing with infected computer systems. Turning System Restore off and then turning it back on has some risk associated with it since that feature does not always work as intended. Further, there is always a possibility of something going wrong during the malware removal process and you end up with more problems. If an incident renders your system problematic or unbootable, you can use System Restore to return it to a previous working state. Without a restore point to fall back on, you are left with a limited means of restoring your system to a usable condition. Disabling this feature could mean having to perform a repair install (or reformat in worst case scenarios) if you're unable to fix any problems which System Restore may be able to correct. Although System Restore is not always 100% guaranteed to work all the time, it at least gives you another option before resorting to more drastic measures.

"System Restore and malware removal - what is best practice?"
"Should I purge all my restore point BEFORE removing infection?"

I have tried . . . Malwarebytes. . . in safe mode


Malwarebytes is designed to be at full power when malware is running, so safe mode is not necessary when using it. In fact, it loses some effectiveness for detection & removal when used in safe mode because the program includes a special driver which does not work in safe mode. Further, scanning in safe mode prevents some types of malware from running, so it may be missed during the detection process. For optimal removal, normal mode is recommended so it does not limit the abilities of MBAM. Doing a safe mode scan should only be done when a regular mode scan fails.

Please run MBAM again, but this time in Normal Mode. Please be sure to update the program before running it. Please post that log in your reply.

I want to know that if I back up my files on an external hard drive, will the trojan migrate also....


That depends on the types of files in question and the type of infection(s) you have. Another more knowledgeable than I can provide you with more information on that.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 jake_bleeping

  • Topic Starter
  • Members
  • 18 posts

Posted 11 July 2009 - 03:50 PM

I may be repeating this, but the interface takes some getting used to. I ran a quick scan, updated and in normal mode. Here is the log:

Malwarebytes' Anti-Malware 1.38
Database version: 2411
Windows 5.1.2600 Service Pack 3

7/11/2009 4:47:44 PM
mbam-log-2009-07-11 (16-47-44).txt

Scan type: Quick Scan
Objects scanned: 100452
Time elapsed: 7 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


I guess you'll want a full scan at 4 + hours.

Anyway, thanks. I have a feeling I will have to reformat. Even my NOD32 from ESET is ignoring my requests for help.

#4 jake_bleeping

  • Topic Starter
  • Members
  • 18 posts

Posted 11 July 2009 - 05:05 PM

I do appreciate your help by the way.

This is the full scan log :

Malwarebytes' Anti-Malware 1.38
Database version: 2411
Windows 5.1.2600 Service Pack 3

7/11/2009 6:01:01 PM
mbam-log-2009-07-11 (18-01-01).txt

Scan type: Full Scan (C:\|)
Objects scanned: 243970
Time elapsed: 1 hour(s), 6 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

************************************************************************

same result.

Help?

#5 garmanma

    Computer Masochist

  • Staff Emeritus
  • 27,809 posts
  • Location:Cleveland, Ohio

Posted 12 July 2009 - 07:15 PM

Please run ATF and SAS


ATF
Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

------------------------------------

SAS, may take a long time to scan
Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
-------------------------------

Follow that up with Dr. Web CureIt


Please download Dr.Web CureIt, the free version & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
  • When complete, click Select All, then choose Cure > Move incurable.
    (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • Now put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
  • Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)

Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#6 jake_bleeping

  • Topic Starter
  • Members
  • 18 posts

Posted 15 July 2009 - 07:16 AM

Sorry for the delay. I hope you didn't ignore my request. So far so good. I think it did the trick, as it deleted the file in question. This is the object name that ESET NOD32 gave that it couldn't delete: \\?\globalroot\system32\hjgruivkaqtchf.dll


Logs as requested :


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/13/2009 at 11:56 PM

Application Version : 4.26.1006

Core Rules Database Version : 3989
Trace Rules Database Version: 1929

Scan type : Complete Scan
Total Scan Time : 12:48:36

Memory items scanned : 240
Memory threats detected : 0
Registry items scanned : 5740
Registry threats detected : 0
File items scanned : 140141
File threats detected : 57

Adware.Tracking Cookie
.revsci.net [ C:\Documents and Settings\jake\Application Data\Mozilla\Firefox\Profiles\zr4hlk71.default\cookies.txt ]
.revsci.net [ C:\Documents and Settings\jake\Application Data\Mozilla\Firefox\Profiles\zr4hlk71.default\cookies.txt ]
.revsci.net [ C:\Documents and Settings\jake\Application Data\Mozilla\Firefox\Profiles\zr4hlk71.default\cookies.txt ]
.revsci.net [ C:\Documents and Settings\jake\Application Data\Mozilla\Firefox\Profiles\zr4hlk71.default\cookies.txt ]
.revsci.net [ C:\Documents and Settings\jake\Application Data\Mozilla\Firefox\Profiles\zr4hlk71.default\cookies.txt ]
.revsci.net [ C:\Documents and Settings\jake\Application Data\Mozilla\Firefox\Profiles\zr4hlk71.default\cookies.txt ]
.revsci.net [ C:\Documents and Settings\jake\Application Data\Mozilla\Firefox\Profiles\zr4hlk71.default\cookies.txt ]
.revsci.net [ C:\Documents and Settings\jake\Application Data\Mozilla\Firefox\Profiles\zr4hlk71.default\cookies.txt ]
.revsci.net [ C:\Documents and Settings\jake\Application Data\Mozilla\Firefox\Profiles\zr4hlk71.default\cookies.txt ]
.revsci.net [ C:\Documents and Settings\jake\Application Data\Mozilla\Firefox\Profiles\zr4hlk71.default\cookies.txt ]
.revsci.net [ C:\Documents and Settings\jake\Application Data\Mozilla\Firefox\Profiles\zr4hlk71.default\cookies.txt ]
.revsci.net [ C:\Documents and Settings\jake\Application Data\Mozilla\Firefox\Profiles\zr4hlk71.default\cookies.txt ]
.media6degrees.com [ C:\Documents and Settings\jake\Application Data\Mozilla\Firefox\Profiles\zr4hlk71.default\cookies.txt ]
.media6degrees.com [ C:\Documents and Settings\jake\Application Data\Mozilla\Firefox\Profiles\zr4hlk71.default\cookies.txt ]
.chitika.net [ C:\Documents and Settings\jake\Application Data\Mozilla\Firefox\Profiles\zr4hlk71.default\cookies.txt ]
ads.advertalis.com [ C:\Documents and Settings\jake\Application Data\Mozilla\Firefox\Profiles\zr4hlk71.default\cookies.txt ]
.at.atwola.com [ C:\Documents and Settings\jake\Application Data\Mozilla\Firefox\Profiles\zr4hlk71.default\cookies.txt ]
.at.atwola.com [ C:\Documents and Settings\jake\Application Data\Mozilla\Firefox\Profiles\zr4hlk71.default\cookies.txt ]
.at.atwola.com [ C:\Documents and Settings\jake\Application Data\Mozilla\Firefox\Profiles\zr4hlk71.default\cookies.txt ]
.collective-media.net [ C:\Documents and Settings\jake\Application Data\Mozilla\Firefox\Profiles\zr4hlk71.default\cookies.txt ]
.trafficregenerator.com [ C:\Documents and Settings\jake\Application Data\Mozilla\Firefox\Profiles\zr4hlk71.default\cookies.txt ]
.trafficregenerator.com [ C:\Documents and Settings\jake\Application Data\Mozilla\Firefox\Profiles\zr4hlk71.default\cookies.txt ]
.list.ru [ C:\Documents and Settings\jake\Application Data\Mozilla\Firefox\Profiles\zr4hlk71.default\cookies.txt ]
.tns-counter.ru [ C:\Documents and Settings\jake\Application Data\Mozilla\Firefox\Profiles\zr4hlk71.default\cookies.txt ]
.findingsingles.net [ C:\Documents and Settings\jake\Application Data\Mozilla\Firefox\Profiles\zr4hlk71.default\cookies.txt ]
.findingsingles.net [ C:\Documents and Settings\jake\Application Data\Mozilla\Firefox\Profiles\zr4hlk71.default\cookies.txt ]
.toseeka.com [ C:\Documents and Settings\jake\Application Data\Mozilla\Firefox\Profiles\zr4hlk71.default\cookies.txt ]
xml.trafficengine.net [ C:\Documents and Settings\jake\Application Data\Mozilla\Firefox\Profiles\zr4hlk71.default\cookies.txt ]
.a1.interclick.com [ C:\Documents and Settings\jake\Application Data\Mozilla\Firefox\Profiles\zr4hlk71.default\cookies.txt ]
.interclick.com [ C:\Documents and Settings\jake\Application Data\Mozilla\Firefox\Profiles\zr4hlk71.default\cookies.txt ]
.a1.interclick.com [ C:\Documents and Settings\jake\Application Data\Mozilla\Firefox\Profiles\zr4hlk71.default\cookies.txt ]
.a1.interclick.com [ C:\Documents and Settings\jake\Application Data\Mozilla\Firefox\Profiles\zr4hlk71.default\cookies.txt ]
.a1.interclick.com [ C:\Documents and Settings\jake\Application Data\Mozilla\Firefox\Profiles\zr4hlk71.default\cookies.txt ]
.a1.interclick.com [ C:\Documents and Settings\jake\Application Data\Mozilla\Firefox\Profiles\zr4hlk71.default\cookies.txt ]
.a1.interclick.com [ C:\Documents and Settings\jake\Application Data\Mozilla\Firefox\Profiles\zr4hlk71.default\cookies.txt ]
.a1.interclick.com [ C:\Documents and Settings\jake\Application Data\Mozilla\Firefox\Profiles\zr4hlk71.default\cookies.txt ]
.a1.interclick.com [ C:\Documents and Settings\jake\Application Data\Mozilla\Firefox\Profiles\zr4hlk71.default\cookies.txt ]
.a1.interclick.com [ C:\Documents and Settings\jake\Application Data\Mozilla\Firefox\Profiles\zr4hlk71.default\cookies.txt ]
.a1.interclick.com [ C:\Documents and Settings\jake\Application Data\Mozilla\Firefox\Profiles\zr4hlk71.default\cookies.txt ]
.interclick.com [ C:\Documents and Settings\jake\Application Data\Mozilla\Firefox\Profiles\zr4hlk71.default\cookies.txt ]
.a1.interclick.com [ C:\Documents and Settings\jake\Application Data\Mozilla\Firefox\Profiles\zr4hlk71.default\cookies.txt ]
.eyewonder.com [ C:\Documents and Settings\jake\Application Data\Mozilla\Firefox\Profiles\zr4hlk71.default\cookies.txt ]
.xiti.com [ C:\Documents and Settings\jake\Application Data\Mozilla\Firefox\Profiles\zr4hlk71.default\cookies.txt ]
.sex.healthguru.com [ C:\Documents and Settings\jake\Application Data\Mozilla\Firefox\Profiles\zr4hlk71.default\cookies.txt ]
.sex.healthguru.com [ C:\Documents and Settings\jake\Application Data\Mozilla\Firefox\Profiles\zr4hlk71.default\cookies.txt ]
.content.yieldmanager.com [ C:\Documents and Settings\jake\Application Data\Mozilla\Firefox\Profiles\zr4hlk71.default\cookies.txt ]
.burstnet.com [ C:\Documents and Settings\jake\Application Data\Mozilla\Firefox\Profiles\zr4hlk71.default\cookies.txt ]
.burstnet.com [ C:\Documents and Settings\jake\Application Data\Mozilla\Firefox\Profiles\zr4hlk71.default\cookies.txt ]
www.burstnet.com [ C:\Documents and Settings\jake\Application Data\Mozilla\Firefox\Profiles\zr4hlk71.default\cookies.txt ]
.burstbeacon.com [ C:\Documents and Settings\jake\Application Data\Mozilla\Firefox\Profiles\zr4hlk71.default\cookies.txt ]
www.burstbeacon.com [ C:\Documents and Settings\jake\Application Data\Mozilla\Firefox\Profiles\zr4hlk71.default\cookies.txt ]
.imrworldwide.com [ C:\Documents and Settings\jake\Application Data\Mozilla\Firefox\Profiles\zr4hlk71.default\cookies.txt ]
.imrworldwide.com [ C:\Documents and Settings\jake\Application Data\Mozilla\Firefox\Profiles\zr4hlk71.default\cookies.txt ]
.adultadworld.com [ C:\Documents and Settings\jake\Application Data\Mozilla\Firefox\Profiles\zr4hlk71.default\cookies.txt ]
.adultadworld.com [ C:\Documents and Settings\jake\Application Data\Mozilla\Firefox\Profiles\zr4hlk71.default\cookies.txt ]
.adultadworld.com [ C:\Documents and Settings\jake\Application Data\Mozilla\Firefox\Profiles\zr4hlk71.default\cookies.txt ]
.adultadworld.com [ C:\Documents and Settings\jake\Application Data\Mozilla\Firefox\Profiles\zr4hlk71.default\cookies.txt ]


**************************************************************************************************************************


Dr Web log:

hjgruivkaqtchf.dll;C:\WINDOWS\system32;BackDoor.Tdss.265;Deleted.;


That is the file!!!!!

I backed up all of my data on an external hard drive, including application data and program folder files that contain preferences, so that when and if I had to reload Windows XP, I had something left. I want to know if this virus migrated to my backup. If so, what do I do? Do I scan the external hard drive the same way as the local disk? AntiSpyware and then Dr.Web? From normal mode or from safe mode?


Thanks again-

#7 garmanma

    Computer Masochist

  • Staff Emeritus
  • 27,809 posts
  • Location:Cleveland, Ohio

Posted 15 July 2009 - 05:31 PM

I'm not so sure Dr.Web got rid of the rootkit.

Go HERE and download RootRepeal.zip to your Desktop.
Tutorial with images, if needed >> L@@K.
Unzip that (7-Zip tool if needed) and then click RootRepeal.exe to open the scanner.
Next click on the Report tab, now click on Scan. A Window will open asking what to include in the scan. Check all of the below and then click OK.

Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services


Now you'll be asked which drive to scan. Check C: and click OK again and the scan will start. Please be patient as the scan runs. When the scan has finished, click on Save Report.
Name the log RootRepeal.txt and save it to your Documents folder (it should automatically save it there).
Please copy and paste that into your next reply.
Mark
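The RootRepeal report that the scan above produces lists drivers hidden from the Windows API, files invisible to it, SSDT entries hooked by an unknown owner, and hidden modules mapped into running processes. The following is an added example, not part of this thread or of RootRepeal, that pulls those indicators out of a saved RootRepeal.txt so they can be read at a glance. SAMPLE_REPORT is a constructed, trimmed excerpt modeled on the report format posted later in this thread (the hjgrui* names are the ones visible there); the "kernel rootkit indicators present" verdict rule (a hidden driver plus SSDT hooks) and the shared-prefix heuristic are the editor's own assumptions, not anything RootRepeal itself outputs.

```python
"""Triage a RootRepeal report: pull out the indicators an analyst acts on.
Added example for this thread, not RootRepeal's own code. SAMPLE_REPORT is a
constructed, trimmed excerpt modeled on the log format posted in the thread."""
import re
from collections import Counter, defaultdict

SAMPLE_REPORT = r"""
Drivers
-------------------
Name: hjgruiuhfrarow.sys
Image Path: C:\WINDOWS\system32\drivers\hjgruiuhfrarow.sys
Address: 0xB6E30000 Size: 163840 File Visible: - Signed: -
Status: Hidden from the Windows API!

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\hjgruivkaqtchf.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\hjgruirrtauafjyk.tmp
Status: Invisible to the Windows API!

SSDT
-------------------
#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x8a651a60

Stealth Objects
-------------------
Object: Hidden Module [Name: hjgruirrtauafjyk.tmpll]
Process: winlogon.exe (PID: 900) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: hjgruirrtauafjyk.tmpll]
Process: ekrn.exe (PID: 564) Address: 0x10000000 Address: 32768
"""

HIDDEN = re.compile(r"(hidden from|invisible to) the windows api", re.I)

def parse_report(text):
    """Map heading -> list of records. A heading is the line above a dashed
    rule; records are blank-line separated blocks of 'Key: value' lines."""
    lines = [l.strip() for l in text.splitlines()]
    sections, current, record = {}, None, {}
    for i, line in enumerate(lines):
        if line.startswith("---"):
            current, record = lines[i - 1], {}
            sections[current] = []
        elif current is None or (i + 1 < len(lines) and lines[i + 1].startswith("---")):
            continue  # preamble, or a heading line (handled at its rule)
        elif not line:
            if record:
                sections[current].append(record)
            record = {}
        else:
            key, sep, value = line.partition(": ")  # first 'Key: ' only
            if sep:
                record[key] = value
    if record and current:
        sections[current].append(record)
    return sections

def triage(sections):
    """Kernel-rootkit indicators: hidden driver/files, SSDT hooks, injected DLLs."""
    out = {"hidden_drivers": [], "hidden_files": [], "ssdt_hooks": [],
           "hidden_modules": defaultdict(set)}
    for rec in sections.get("Drivers", []):
        if HIDDEN.search(rec.get("Status", "")):
            out["hidden_drivers"].append(rec["Image Path"])
    for rec in sections.get("Hidden/Locked Files", []):
        if HIDDEN.search(rec.get("Status", "")):  # 'Locked' (e.g. hiberfil) is normal
            out["hidden_files"].append(rec["Path"])
    for rec in sections.get("SSDT", []):
        fn = re.search(r"Function Name: (\w+)", rec.get("#", ""))
        by = re.search(r'Hooked by "([^"]*)"', rec.get("Status", ""))
        if fn and by:
            out["ssdt_hooks"].append((fn.group(1), by.group(1)))
    for rec in sections.get("Stealth Objects", []):
        mod = re.search(r"Hidden Module \[Name: ([^\]]+)\]", rec.get("Object", ""))
        proc = re.match(r"(\S+) \(PID: (\d+)\)", rec.get("Process", ""))
        if mod and proc:
            out["hidden_modules"][mod.group(1)].add((proc.group(1), int(proc.group(2))))
    return out

def shared_prefix(names, min_len=5):
    """Longest prefix (>= min_len chars) shared by the most names. Heuristic:
    dropped components of one rootkit family often share a random prefix."""
    counts = Counter()
    for name in {n.lower() for n in names}:
        for k in range(min_len, len(name) + 1):
            counts[name[:k]] += 1
    if not counts or max(counts.values()) < 2:
        return None
    best = max(counts.values())
    return max((p for p, c in counts.items() if c == best), key=len)

def summarize(text):
    """Parsed report -> dict of indicators plus an assumed verdict rule."""
    f = triage(parse_report(text))
    names = [p.rsplit("\\", 1)[-1] for p in f["hidden_drivers"] + f["hidden_files"]]
    names += list(f["hidden_modules"])
    f["injected_processes"] = {m: sorted(p) for m, p in f.pop("hidden_modules").items()}
    f["family_prefix"] = shared_prefix(names)
    f["verdict"] = ("kernel rootkit indicators present"  # editor's rule, not RootRepeal's
                    if f["hidden_drivers"] and f["ssdt_hooks"] else "no rootkit indicators")
    return f
```

Run against the full log posted later in this thread, the same code reports one hidden driver, several invisible files sharing the hjgrui prefix, six SSDT hooks by an unknown owner on process and thread open/suspend/terminate calls, and a hidden module mapped into practically every user-mode process, including winlogon.exe and ekrn.exe (ESET's own service). That pattern is consistent with hjgruivkaqtchf.dll turning up again after Dr.Web reported deleting it: removing one user-mode component does nothing while the hidden driver is still loaded, which is why the helper asks for a rootkit-aware scan rather than another signature scanner.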

#8 jake_bleeping

  • Topic Starter
  • Members
  • 18 posts

Posted 16 July 2009 - 09:27 AM

You're right. I still have whatever I have.

I will try what you suggested.

Why is it that I have to use 5 or 6 different programs?

I'll keep you posted.

And I still don't know what to do with my backed up data....

I am not a happy camper.

#9 jake_bleeping

  • Topic Starter
  • Members
  • 18 posts

Posted 16 July 2009 - 09:45 AM

As requested the log report.

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/07/16 10:30
Program Version: Version 1.3.2.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB6B9B000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA5EA000 Size: 8192 File Visible: No Signed: -
Status: -

Name: hjgruiuhfrarow.sys
Image Path: C:\WINDOWS\system32\drivers\hjgruiuhfrarow.sys
Address: 0xB6E30000 Size: 163840 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB29D4000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\hjgruiasdotwtf.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\hjgruiifuqxggi.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\hjgruinwpxvuki.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\hjgruivkaqtchf.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\hjgruipfqcqiyiyv.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\hjgruirrtauafjyk.tmp
Status: Invisible to the Windows API!

Path: c:\program files\dell network assistant\data\alert.dat
Status: Size mismatch (API: 61330, Raw: 61226)

Path: C:\WINDOWS\system32\drivers\hjgruiuhfrarow.sys
Status: Invisible to the Windows API!

SSDT
-------------------
#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x8a651a60

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0x8a651e80

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x8a652460

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x8a652280

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x8a651c90

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x8a6520b0

Stealth Objects
-------------------
Object: Hidden Module [Name: hjgruirrtauafjyk.tmpll]
Process: winlogon.exe (PID: 900) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: hjgruirrtauafjyk.tmpll]
Process: services.exe (PID: 948) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: hjgruirrtauafjyk.tmpll]
Process: lsass.exe (PID: 960) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: hjgruiifuqxggi.dll]
Process: svchost.exe (PID: 1196) Address: 0x008d0000 Address: 53248

Object: Hidden Module [Name: hjgruivkaqtchf.dll]
Process: svchost.exe (PID: 1196) Address: 0x00ca0000 Address: 32768

Object: Hidden Module [Name: hjgruirrtauafjyk.tmpll]
Process: svchost.exe (PID: 1196) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: hjgruirrtauafjyk.tmpll]
Process: svchost.exe (PID: 1280) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: hjgruirrtauafjyk.tmpll]
Process: svchost.exe (PID: 1328) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: hjgruirrtauafjyk.tmpll]
Process: svchost.exe (PID: 1368) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: hjgruirrtauafjyk.tmpll]
Process: svchost.exe (PID: 1572) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: hjgruirrtauafjyk.tmpll]
Process: svchost.exe (PID: 1672) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: hjgruirrtauafjyk.tmpll]
Process: Explorer.EXE (PID: 1720) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: hjgruirrtauafjyk.tmpll]
Process: WLTRYSVC.EXE (PID: 1952) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: hjgruirrtauafjyk.tmpll]
Process: bcmwltry.exe (PID: 1972) Address: 0x00cf0000 Address: 32768

Object: Hidden Module [Name: hjgruirrtauafjyk.tmpll]
Process: spoolsv.exe (PID: 172) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: hjgruirrtauafjyk.tmpll]
Process: svchost.exe (PID: 324) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: hjgruirrtauafjyk.tmpll]
Process: AppleMobileDeviceService.exe (PID: 360) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: hjgruirrtauafjyk.tmpll]
Process: mDNSResponder.exe (PID: 384) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: hjgruirrtauafjyk.tmpll]
Process: svchost.exe (PID: 416) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: hjgruirrtauafjyk.tmpll]
Process: ekrn.exe (PID: 564) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: hjgruirrtauafjyk.tmpll]
Process: hnm_svc.exe (PID: 628) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: hjgruirrtauafjyk.tmpll]
Process: jqs.exe (PID: 652) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: hjgruirrtauafjyk.tmpll]
Process: nvsvc32.exe (PID: 692) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: hjgruirrtauafjyk.tmpll]
Process: sprtsvc.exe (PID: 792) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: hjgruirrtauafjyk.tmpll]
Process: svchost.exe (PID: 832) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: hjgruirrtauafjyk.tmpll]
Process: alg.exe (PID: 4084) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: hjgruirrtauafjyk.tmpll]
Process: wmiprvse.exe (PID: 556) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: hjgruirrtauafjyk.tmpll]
Process: SynTPEnh.exe (PID: 2324) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: hjgruirrtauafjyk.tmpll]
Process: rundll32.exe (PID: 2448) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: hjgruirrtauafjyk.tmpll]
Process: RunDLL32.exe (PID: 2524) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: hjgruirrtauafjyk.tmpll]
Process: jusched.exe (PID: 2548) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: hjgruirrtauafjyk.tmpll]
Process: WLTRAY.exe (PID: 2700) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: hjgruirrtauafjyk.tmpll]
Process: stsystra.exe (PID: 2740) Address: 0x00980000 Address: 32768

Object: Hidden Module [Name: hjgruirrtauafjyk.tmpll]
Process: KADxMain.exe (PID: 2748) Address: 0x00980000 Address: 32768

Object: Hidden Module [Name: hjgruirrtauafjyk.tmpll]
Process: issch.exe (PID: 2784) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: hjgruirrtauafjyk.tmpll]
Process: DrgToDsc.exe (PID: 2804) Address: 0x003d0000 Address: 32768

Object: Hidden Module [Name: hjgruirrtauafjyk.tmpll]
Process: PCMService.exe (PID: 3204) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: hjgruirrtauafjyk.tmpll]
Process: Acrotray.exe (PID: 3248) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: hjgruirrtauafjyk.tmpll]
Process: lxbtbmgr.exe (PID: 3360) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: hjgruirrtauafjyk.tmpll]
Process: sprtcmd.exe (PID: 4040) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: hjgruirrtauafjyk.tmpll]
Process: iTunesHelper.exe (PID: 1248) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: hjgruirrtauafjyk.tmpll]
Process: lxbtbmon.exe (PID: 2132) Address: 0x003c0000 Address: 32768

Object: Hidden Module [Name: hjgruirrtauafjyk.tmpll]
Process: egui.exe (PID: 3804) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: hjgruirrtauafjyk.tmpll]
Process: rundll32.exe (PID: 2220) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: hjgruirrtauafjyk.tmpll]
Process: ctfmon.exe (PID: 2320) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: hjgruirrtauafjyk.tmpll]
Process: ezi_hnm2.exe (PID: 3520) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: hjgruirrtauafjyk.tmpll]
Process: DLG.exe (PID: 3552) Address: 0x009d0000 Address: 32768

Object: Hidden Module [Name: hjgruirrtauafjyk.tmpll]
Process: iPodService.exe (PID: 1616) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: hjgruirrtauafjyk.tmpll]
Process: ServiceLayer.exe (PID: 3448) Address: 0x003f0000 Address: 32768

Object: Hidden Module [Name: hjgruirrtauafjyk.tmpll]
Process: svchost.exe (PID: 2932) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: hjgruirrtauafjyk.tmpll]
Process: NclUSBSrv.exe (PID: 3068) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: hjgruirrtauafjyk.tmpll]
Process: firefox.exe (PID: 3076) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: hjgruirrtauafjyk.tmpll]
Process: NclRSSrv.exe (PID: 3268) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: hjgruirrtauafjyk.tmpll]
Process: NclMSBTSrv.exe (PID: 3576) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: hjgruirrtauafjyk.tmpll]
Process: wuauclt.exe (PID: 2536) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: hjgruirrtauafjyk.tmpll]
Process: DllHost.exe (PID: 3800) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: hjgruivkaqtchf.dll]
Process: RootRepeal.exe (PID: 2212) Address: 0x10000000 Address: 32768

Object: Hidden Code [ETHREAD: 0x8a65da00]
Process: System Address: 0x8a650790 Address: 1000

Hidden Services
-------------------
Service Name: hjgruipvwfebif
Image Path: C:\WINDOWS\system32\drivers\hjgruiuhfrarow.sys

==EOF==




At least tell me what is going on and why this cannot be deleted. Thanks.

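To read a report like the one above at a glance, here is an added example (my own code, not RootRepeal's and not part of this thread) that parses RootRepeal's text format and reduces it to the points a responder would note: one module name hidden inside many processes, that module loaded at a second base address in a few of them, a hidden kernel thread, and a hidden service whose driver shares the same six-letter name prefix as the modules. The input is a constructed excerpt of the posted log (four of the roughly forty module entries); the parser also accepts the "Image PathC:\..." form with no separator that RootRepeal printed in the report above.

```python
import re
from collections import defaultdict

# Constructed excerpt in the shape of the RootRepeal report posted in the thread.
SAMPLE_LOG = r"""
Object: Hidden Module [Name: hjgruirrtauafjyk.tmpll]
Process: spoolsv.exe (PID: 172) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: hjgruirrtauafjyk.tmpll]
Process: svchost.exe (PID: 324) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: hjgruirrtauafjyk.tmpll]
Process: stsystra.exe (PID: 2740) Address: 0x00980000 Address: 32768

Object: Hidden Module [Name: hjgruivkaqtchf.dll]
Process: RootRepeal.exe (PID: 2212) Address: 0x10000000 Address: 32768

Object: Hidden Code [ETHREAD: 0x8a65da00]
Process: System Address: 0x8a650790 Address: 1000

Hidden Services
-------------------
Service Name: hjgruipvwfebif
Image Path: C:\WINDOWS\system32\drivers\hjgruiuhfrarow.sys

==EOF==
"""

MODULE_RE = re.compile(r"Object: Hidden Module \[Name: (?P<name>[^\]]+)\]")
CODE_RE = re.compile(r"Object: Hidden Code \[ETHREAD: (?P<ethread>0x[0-9a-fA-F]+)\]")
PROC_RE = re.compile(r"Process: (?P<proc>\S+) \(PID: (?P<pid>\d+)\) "
                     r"Address: (?P<base>0x[0-9a-fA-F]+) Address: (?P<size>\d+)")
SVC_RE = re.compile(r"Service Name: (?P<svc>\S+)")
# RootRepeal may print "Image PathC:\..." with no separator; tolerate both forms.
PATH_RE = re.compile(r"Image Path:?\s*(?P<path>[A-Za-z]:\\.*\S)")


def parse_rootrepeal(text):
    """Return (modules, hidden_threads, services).

    modules: {module name: [(process, pid, base address, size), ...]}
    hidden_threads: [ETHREAD address, ...]   services: [(name, driver path), ...]
    """
    modules, hidden_threads, services = defaultdict(list), [], []
    pending_module = pending_service = None
    for line in text.splitlines():
        if m := MODULE_RE.search(line):
            pending_module = m.group("name")          # "Process:" line follows
        elif m := CODE_RE.search(line):
            hidden_threads.append(int(m.group("ethread"), 16))
        elif (m := PROC_RE.search(line)) and pending_module:
            modules[pending_module].append((m.group("proc"), int(m.group("pid")),
                                            int(m.group("base"), 16), int(m.group("size"))))
            pending_module = None
        elif m := SVC_RE.search(line):
            pending_service = m.group("svc")          # "Image Path" line follows
        elif (m := PATH_RE.search(line)) and pending_service:
            services.append((pending_service, m.group("path")))
            pending_service = None
    return dict(modules), hidden_threads, services


def common_prefix(names):
    """Longest prefix shared by every name; empty if fewer than two names."""
    names = list(names)
    if len(names) < 2:
        return ""
    first, rest = names[0], names[1:]
    n = 0
    while n < len(first) and all(len(s) > n and s[n] == first[n] for s in rest):
        n += 1
    return first[:n]


def triage(modules, hidden_threads, services, min_processes=3):
    """Reduce the parsed report to the observations that matter for cleanup."""
    findings = []
    for name, hits in modules.items():
        procs = {p for p, _, _, _ in hits}
        bases = {b for _, _, b, _ in hits}
        if len(procs) >= min_processes:
            findings.append(f"{name} is hidden inside {len(procs)} processes: "
                            "system-wide injection, not one bad program")
        if len(bases) > 1:
            findings.append(f"{name} loads at {len(bases)} different base addresses, "
                            "so the address alone is not a usable indicator")
    if hidden_threads:
        findings.append(f"{len(hidden_threads)} hidden kernel thread(s): a kernel-mode component is running")
    for svc, path in services:
        findings.append(f"hidden service {svc} is backed by driver {path}")
    names = list(modules) + [s for s, _ in services] + [p.rsplit("\\", 1)[-1] for _, p in services]
    prefix = common_prefix(names)
    if len(prefix) >= 4:
        findings.append(f"all names share the prefix '{prefix}': modules, service and driver are one infection")
    return findings


if __name__ == "__main__":
    mods, threads, svcs = parse_rootrepeal(SAMPLE_LOG)
    for finding in triage(mods, threads, svcs):
        print("-", finding)
```

Run it against the full log saved from RootRepeal and the process count becomes the real one; the point of the prefix check is that the driver named under "Hidden Services" is the thing to remove first, because everything else in the list carries the same family name and is loaded by it.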
#10 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  •  
  • Location:Cleveland, Ohio
  • Local time:02:07 PM

Posted 16 July 2009 - 06:26 PM

At least tell me what is going on and why this cannot be deleted. Thanks.


You have a severe rootkit infection.
Not all scan tools will work with specific infections; that is why we use more than one. When we finally figure out how to delete them, the malware writers are right back out there trying to make it so we can't.
We are going to finish with this last scan and see if it works before I have you submit a HJT log.


Run RootRepeal one more time.
In the RootRepeal window, use your mouse and highlight C:\WINDOWS\system32\drivers\hjgruiuhfrarow.sys
Next, right mouse click on it and select the *wipe file* option only, then immediately reboot the computer!
When done rebooting, run another MBAM scan.
Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#11 jake_bleeping

jake_bleeping
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:02:07 PM

Posted 17 July 2009 - 08:34 AM

I've run another Malwarebytes full scan, but it seems to be frozen at the "show log" stage. I cannot click any tab or any buttons.

The only button I guess that works is "remove selected", which includes the following list of malware:


Trojan.TDSS
Trojan.TDSS
Trojan.Agent

All files related to the original object I wiped from RootRepeal.

What do I do next? Do I "Remove Selected"?

I want to thank you for your time and knowledge, but I have a few questions that are important.

1. I am concerned about what this rootkit does and what its purpose is. What has been compromised, etc.? Is there a way to find out what information has been stolen, if any?

I have changed all passwords but maybe too late?

2. How will I know it is gone, and how can I determine where I got it from? Obviously, to avoid this virus in the first place.

3. Finally, should I go through the same steps to remove the rootkit from my backed-up data (SUPERAntiSpyware, Dr.Web CureIt, RootRepeal, and then Malwarebytes)? This can go on forever if I don't clean all my data. I do not know where the rootkit came from, so it might be in my email, photos, program preferences, etc., which I have backed up.

Edited by jake_bleeping, 17 July 2009 - 05:45 PM.


#12 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  •  
  • Location:Cleveland, Ohio
  • Local time:02:07 PM

Posted 17 July 2009 - 06:13 PM

What do I do next? Do I "Remove Selected"?

Yes

Is there a way to find out what information has been stolen, if any?

Not that I know of, but you more than likely did not have anything compromised.
You would have known by now.

I have changed all passwords but maybe too late?

Changing passwords is the right thing to do.

For your backup drive:


Then download Panda USB and AutoRun Vaccine and save it to your desktop.
alternate download link 1
alternate download link 2
  • Extract (unzip) the file to your desktop and a folder named USBVaccine will be created.
  • Open that folder and double-click on USBVaccine.exe to start the program.
  • Click Run.
  • Click the button to Vaccinate computer.
  • Insert your USB drive.
  • When the name of the drive appears in the dialog box, click the button to Vaccinate USB drive(s).
  • Exit the program when done
Note: Computer Vaccination will prevent any AutoRun file from running, regardless of whether the removable device is infected or not. USB Vaccination disables the autorun file so it cannot be read, modified or replaced by malicious code. The Panda Research Blog advises that once USB drives have been vaccinated, they cannot be reversed except with a format. If you do this, be sure to back up your data files first or they will be lost during the formatting process.


To scan it with MBAM, you must do the full scan.
Mark
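The vaccine described above leaves the drive with an autorun.inf that Windows cannot read or replace, which only matters because of what an attacker-supplied autorun.inf can do. To show that, here is an added example (my own code, not from the page and not Panda's) that parses an autorun.inf, lists everything it would launch when the drive is inserted or double-clicked in My Computer, and classifies a drive root as having no autorun.inf, an unreadable one (what a vaccinated or otherwise locked drive looks like to a scanner), or a parsed list of findings. Both .inf texts are constructed for the example and RECYCLER\driver.exe is a made-up path.

```python
import os

# Constructed autorun.inf in the style of a removable-drive worm (not taken from the page).
SUSPICIOUS_INF = """\
[autorun]
; a comment line that the parser must skip
open=RECYCLER\\driver.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
shell\\open\\command=RECYCLER\\driver.exe
shell\\explore\\command=RECYCLER\\driver.exe e
useautoplay=1
"""

# Constructed benign autorun.inf: sets an icon and label, launches nothing.
BENIGN_INF = """\
[autorun]
icon=setup.exe,0
label=Install Disc
"""

LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun(text):
    """Return {key: value} for the [autorun] section (keys lowercased); other sections ignored."""
    entries, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries):
    """Every (key, command) pair that runs something on insert, autoplay or double-click."""
    return [(k, v) for k, v in entries.items()
            if k in LAUNCH_KEYS or (k.startswith("shell\\") and k.endswith("\\command"))]


def assess_autorun(text):
    """Human-readable findings for one autorun.inf; empty list means nothing is launched."""
    entries = parse_autorun(text)
    targets = launch_targets(entries)
    findings = [f"{key} runs: {cmd}" for key, cmd in targets]
    if targets and "open folder" in entries.get("action", "").lower():
        findings.append("action= mimics the normal Explorer prompt so the user picks the malicious entry")
    if "shell\\open\\command" in entries:
        findings.append("shell\\open\\command hijacks double-click on the drive in My Computer")
    return findings


def check_drive_root(root):
    """'none' if no autorun.inf, 'unreadable' if it cannot be opened (vaccinated/locked),
    otherwise the list of findings from assess_autorun."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.lexists(path):
        return "none"
    try:
        with open(path, "r", errors="replace") as fh:
            return assess_autorun(fh.read())
    except OSError:          # directory in place of the file, or access denied
        return "unreadable"


if __name__ == "__main__":
    for label, text in (("suspicious", SUSPICIOUS_INF), ("benign", BENIGN_INF)):
        print(label, "->", assess_autorun(text) or "launches nothing")
```

On a real machine you would call check_drive_root on each removable drive letter; an "unreadable" result on a drive you vaccinated is expected, while a list of findings on a drive you have not vaccinated is the thing to look at before opening it.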

#13 jake_bleeping

jake_bleeping
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:02:07 PM

Posted 18 July 2009 - 09:26 AM

Thanks-

Does this mean I'm worm free? I've launched Firefox and closed it, and did a scan with ESET NOD32, and it didn't find the rootkit. No threats detected. If indeed I am worm free, you have made me very happy. I wonder what it was doing. One thing I did notice was that it would redirect Google links, turn off my Windows XP firewall, and alter the search window so that I couldn't search the C drive, as well as duplicating the optical drive letter in 'My Computer'. I wonder if it is what caused Windows not to recognize the partition on the external hard disk. That's my next problem. It reads only 150 GB when it's 500. I had to back up on a new drive.

As for the external disk: I understand I need to load Panda, but do I have to scan my external hard drive (500 GB LaCie, with separate power source) with the others you recommended I use for the local disk (in order: Malwarebytes, ATF, SUPERAntiSpyware, Dr.Web CureIt, RootRepeal, and then Malwarebytes again), or do I just use Panda as you instruct? When you say USB drive, you mean both a memory stick and an external hard drive, yes? You begin with "then" in your instructions, so I feel like I'm missing a step.

Would a better antivirus (is Kaspersky better than ESET?) and a better firewall help in avoiding this in the future? NOD32 updates regularly, and now I will run either Malwarebytes or Ad-Aware once every week. Is there a free download for a firewall that is better than Windows Firewall and one that does not slow the internet connection?

I apologize for all the questions. It seems to be what I do. Again, you've been a tremendous help, thanks.

#14 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  •  
  • Location:Cleveland, Ohio
  • Local time:02:07 PM

Posted 18 July 2009 - 05:57 PM

I should have edited out "Then".
Scanning any USB device is just an added precaution.
---------------------------
Have a look in our Freeware replacement sub-forum for AV and firewall alternatives
http://www.bleepingcomputer.com/forums/topic3616.html

Please....

Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok"
  • Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" Tab.
  • Click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.

-------------------------------

Tips to protect yourself against malware and reduce the potential for re-infection:
• "Simple and easy ways to keep your computer safe".
• "How did I get infected?, With steps so it does not happen again!".
• "Hardening Windows Security - Part 1 & Part 2".
• "IE Recommended Minimal Security Settings" - "How to Secure Your Web Browser".

• Avoid gaming sites, underground web pages, pirated software, crack sites, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smorgasbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.

Edited by garmanma, 18 July 2009 - 05:59 PM.

Mark

#15 jake_bleeping

jake_bleeping
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:02:07 PM

Posted 24 July 2009 - 09:17 AM

Thank you for your help. I apologize for not posting sooner but I am extremely busy. I will run the scan on the external drives and post here to complete this entry.

If all goes well, I will be virus free.

Thanks again.



