
security system 2009 still causing problems?


24 replies to this topic

#1 doivberg
  • Members
  • 23 posts

Posted 03 August 2009 - 06:35 AM

I believe something is still wrong with my computer. A couple of days ago, I got infected with Security System 2009 and all the junk that comes along with it. I ran Malwarebytes Anti-Malware in safe mode, and most of it seems cleaned up. However, to be sure, I also ran an older version of DrWeb CureIt (which I had used to fix a previous problem a few months ago).
DrWeb CureIt runs the quick scan fine, but when I run the complete scan with 'heuristic analysis' unchecked, I eventually get the Blue Screen of Death :thumbsup:
Anyway, restarting the computer, it looks normal at first. My Norton antivirus says everything is fine. But when I tried to download the LATEST DrWeb CureIt, the download was much slower than usual.
Then I re-ran Malwarebytes Anti-Malware... although it finishes and says there are no viruses, it somehow affects my Norton Antivirus, saying "SONAR Advanced Protection failed to load", and turns this off.
I can't imagine what is wrong. Everything looks normal, except for:

1) the slow download (I don't dare to go online again on that computer)
2) the blue screen when I run DrWeb CureIt
3) Norton Advanced Protection getting screwed up when I run Malwarebytes Anti-Malware.

Any suggestion is appreciated.


#2 boopme
    To Insanity and Beyond
  • Global Moderator
  • 72,214 posts
  • Gender:Male
  • Location:NJ USA

Posted 03 August 2009 - 10:45 AM

OK, let's take another look. Disable Norton and SpyBot (if needed) for these.

Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates, and when done
click the Scanner tab, select Quick scan and scan.
After the scan, click Remove Selected, post the new scan log and reboot into normal mode.


We need to check for rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop:
  • Extract RootRepeal.exe from the zip archive.
  • Open RootRepeal.exe on your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check all six boxes.
  • Push Ok.
  • Check the box for your main system drive (usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 doivberg

Posted 03 August 2009 - 04:00 PM

When I click on RootRepeal, a RootRepeal window opens saying: "could not read the boot sector. try adjusting the disk access level in the options dialog." After clicking OK a few times, I get to the RootRepeal window with the regular Report/Scan tabs. Should I adjust something before I run Scan?

#4 doivberg

Posted 03 August 2009 - 04:31 PM

OK, I re-ran an updated MBAM quick scan, and again got no infections reported.
I ran RootRepeal and got the following report:
ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/03 17:13
Program Version: Version 1.3.3.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAA43A000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B5C000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA8B0C000 Size: 49152 File Visible: No Signed: -
Status: -

Name: SYMEFA.SYS
Image Path: SYMEFA.SYS
Address: 0xF74C8000 Size: 323584 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: Volume C:\
Status: MBR Rootkit Detected!

Path: Volume C:\, Sector 1
Status: Sector mismatch

Path: Volume C:\, Sector 2
Status: Sector mismatch

Path: Volume C:\, Sector 4
Status: Sector mismatch

Path: Volume C:\, Sector 5
Status: Sector mismatch

Path: Volume C:\, Sector 6
Status: Sector mismatch

Path: Volume C:\, Sector 11
Status: Sector mismatch

Path: Volume C:\, Sector 12
Status: Sector mismatch

Path: Volume C:\, Sector 16
Status: Sector mismatch

Path: Volume C:\, Sector 18
Status: Sector mismatch

Path: Volume C:\, Sector 19
Status: Sector mismatch

Path: Volume C:\, Sector 20
Status: Sector mismatch

Path: Volume C:\, Sector 21
Status: Sector mismatch

Path: Volume C:\, Sector 22
Status: Sector mismatch

Path: Volume C:\, Sector 23
Status: Sector mismatch

Path: Volume C:\, Sector 25
Status: Sector mismatch

Path: Volume C:\, Sector 26
Status: Sector mismatch

Path: Volume C:\, Sector 27
Status: Sector mismatch

Path: Volume C:\, Sector 28
Status: Sector mismatch

Path: Volume C:\, Sector 29
Status: Sector mismatch

Path: Volume C:\, Sector 30
Status: Sector mismatch

Path: Volume C:\, Sector 31
Status: Sector mismatch

Path: Volume C:\, Sector 32
Status: Sector mismatch

Path: Volume C:\, Sector 33
Status: Sector mismatch

Path: Volume C:\, Sector 35
Status: Sector mismatch

Path: Volume C:\, Sector 36
Status: Sector mismatch

Path: Volume C:\, Sector 37
Status: Sector mismatch

Path: Volume C:\, Sector 38
Status: Sector mismatch

Path: Volume C:\, Sector 39
Status: Sector mismatch

Path: Volume C:\, Sector 40
Status: Sector mismatch

Path: Volume C:\, Sector 41
Status: Sector mismatch

Path: Volume C:\, Sector 43
Status: Sector mismatch

Path: Volume C:\, Sector 44
Status: Sector mismatch

Path: Volume C:\, Sector 45
Status: Sector mismatch

Path: Volume C:\, Sector 47
Status: Sector mismatch

Path: Volume C:\, Sector 48
Status: Sector mismatch

Path: Volume C:\, Sector 49
Status: Sector mismatch

Path: Volume C:\, Sector 50
Status: Sector mismatch

Path: Volume C:\, Sector 53
Status: Sector mismatch

Path: Volume C:\, Sector 54
Status: Sector mismatch

Path: Volume C:\, Sector 55
Status: Sector mismatch

Path: Volume C:\, Sector 56
Status: Sector mismatch

Path: Volume C:\, Sector 57
Status: Sector mismatch

Path: Volume C:\, Sector 58
Status: Sector mismatch

Path: Volume C:\, Sector 60
Status: Sector mismatch

Path: Volume C:\, Sector 61
Status: Sector mismatch

Path: Volume C:\, Sector 62
Status: Sector mismatch

Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\vsfocejpyfnpxr.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\vsfocemmiwrtui.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\vsfoceulhbagrj.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\vsfocelkibqhxd.sys
Status: Invisible to the Windows API!

Path: c:\program files\microsoft sql server\mssql.1\mssql\log\log_314.trc
Status: Allocation size mismatch (API: 4096, Raw: 0)

Stealth Objects
-------------------
Object: Hidden Module [Name: vsfocejpyfnpxr.dll]
Process: services.exe (PID: 1332) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfocejpyfnpxr.dll]
Process: lsass.exe (PID: 1344) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfoceulhbagrj.dll]
Process: svchost.exe (PID: 1524) Address: 0x006d0000 Size: 49152

Object: Hidden Module [Name: vsfocejpyfnpxr.dll]
Process: svchost.exe (PID: 1524) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfocejpyfnpxr.dll]
Process: svchost.exe (PID: 1612) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfocejpyfnpxr.dll]
Process: svchost.exe (PID: 1656) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfocejpyfnpxr.dll]
Process: EvtEng.exe (PID: 1796) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfocejpyfnpxr.dll]
Process: S24EvMon.exe (PID: 1960) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfocejpyfnpxr.dll]
Process: Explorer.EXE (PID: 2020) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfocejpyfnpxr.dll]
Process: svchost.exe (PID: 2040) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfocejpyfnpxr.dll]
Process: svchost.exe (PID: 408) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfocejpyfnpxr.dll]
Process: spoolsv.exe (PID: 812) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfocejpyfnpxr.dll]
Process: CFSvcs.exe (PID: 976) Address: 0x00930000 Size: 28672

Object: Hidden Module [Name: vsfocejpyfnpxr.dll]
Process: DVDRAMSV.exe (PID: 1008) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfocejpyfnpxr.dll]
Process: sqlservr.exe (PID: 1064) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfocejpyfnpxr.dll]
Process: ccSvcHst.exe (PID: 1108) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfocejpyfnpxr.dll]
Process: RegSrvc.exe (PID: 1196) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfocejpyfnpxr.dll]
Process: sqlbrowser.exe (PID: 1536) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfocejpyfnpxr.dll]
Process: sqlwriter.exe (PID: 1828) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfocejpyfnpxr.dll]
Process: svchost.exe (PID: 1844) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfocejpyfnpxr.dll]
Process: TAPPSRV.exe (PID: 176) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfocejpyfnpxr.dll]
Process: ccSvcHst.exe (PID: 2404) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfocejpyfnpxr.dll]
Process: alg.exe (PID: 2472) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfocejpyfnpxr.dll]
Process: AGRSMMSG.exe (PID: 2660) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfocejpyfnpxr.dll]
Process: RTHDCPL.EXE (PID: 2668) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfocejpyfnpxr.dll]
Process: DLACTRLW.EXE (PID: 2688) Address: 0x00920000 Size: 28672

Object: Hidden Module [Name: vsfocejpyfnpxr.dll]
Process: SmoothView.exe (PID: 2704) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfocejpyfnpxr.dll]
Process: TvsTray.exe (PID: 2720) Address: 0x003d0000 Size: 28672

Object: Hidden Module [Name: vsfocejpyfnpxr.dll]
Process: thotkey.exe (PID: 2728) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfocejpyfnpxr.dll]
Process: TFncKy.exe (PID: 2832) Address: 0x00950000 Size: 28672

Object: Hidden Module [Name: vsfocejpyfnpxr.dll]
Process: TDispVol.exe (PID: 2872) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfocejpyfnpxr.dll]
Process: Ltmoh.exe (PID: 2996) Address: 0x003e0000 Size: 28672

Object: Hidden Module [Name: vsfocejpyfnpxr.dll]
Process: SynTPEnh.exe (PID: 3024) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfocejpyfnpxr.dll]
Process: ZCfgSvc.exe (PID: 3048) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfocejpyfnpxr.dll]
Process: ifrmewrk.exe (PID: 3080) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfocejpyfnpxr.dll]
Process: igfxtray.exe (PID: 3104) Address: 0x003e0000 Size: 28672

Object: Hidden Module [Name: vsfocejpyfnpxr.dll]
Process: hkcmd.exe (PID: 3140) Address: 0x003a0000 Size: 28672

Object: Hidden Module [Name: vsfocejpyfnpxr.dll]
Process: igfxpers.exe (PID: 3180) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfocejpyfnpxr.dll]
Process: Toshiba.exe (PID: 3280) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfocejpyfnpxr.dll]
Process: iTunesHelper.exe (PID: 3332) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfocejpyfnpxr.dll]
Process: CFSServ.exe (PID: 3464) Address: 0x01280000 Size: 28672

Object: Hidden Module [Name: vsfocejpyfnpxr.dll]
Process: TPSBattM.exe (PID: 3500) Address: 0x00950000 Size: 28672

Object: Hidden Module [Name: vsfocejpyfnpxr.dll]
Process: NDSTray.exe (PID: 3508) Address: 0x010e0000 Size: 28672

Object: Hidden Module [Name: vsfocejpyfnpxr.dll]
Process: toscdspd.exe (PID: 3568) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfocejpyfnpxr.dll]
Process: ctfmon.exe (PID: 3588) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfocejpyfnpxr.dll]
Process: MsnMsgr.Exe (PID: 3640) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfocejpyfnpxr.dll]
Process: iPodService.exe (PID: 3828) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfocejpyfnpxr.dll]
Process: NkbMonitor.exe (PID: 3928) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfocejpyfnpxr.dll]
Process: RAMASST.exe (PID: 3940) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfocejpyfnpxr.dll]
Process: ONENOTEM.EXE (PID: 204) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfocejpyfnpxr.dll]
Process: Dot1XCfg.exe (PID: 1228) Address: 0x00a10000 Size: 28672

Object: Hidden Module [Name: vsfocejpyfnpxr.dll]
Process: svchost.exe (PID: 2924) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: vsfocejpyfnpxr.dll]
Process: RootRepeal.exe (PID: 3340) Address: 0x10000000 Size: 28672

Hidden Services
-------------------
Service Name: vsfoceqltqsnky
Image Path: C:\WINDOWS\system32\drivers\vsfocelkibqhxd.sys

==EOF==

What should I do next? Thanks.

#5 boopme

Posted 03 August 2009 - 07:05 PM

Now the next step...

Rerun RootRepeal. After the scan completes, go to the Files tab and find these files:

C:\WINDOWS\system32\drivers\vsfocelkibqhxd.sys
C:\WINDOWS\system32\vsfoceulhbagrj.dll
C:\WINDOWS\system32\vsfocejpyfnpxr.dll

Then use your mouse to highlight each one in the RootRepeal window.
Next, right-click on it and select the *wipe file* option only.
Then immediately reboot the computer.

Rerun MBAM like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates, and when done
click the Scanner tab, select Quick scan and scan.
After the scan, click Remove Selected, post the new scan log and reboot into normal mode.

How is it running now?

#6 doivberg

Posted 03 August 2009 - 09:41 PM

OK, it does appear to be running better. But how can I be sure everything is clean?
Once again, MBAM shows no infections. Also, Norton no longer gives me the Advanced Protection error, so that seems fixed. I also tried downloading the latest DrWeb CureIt, and it is faster than before, although I'm not sure it is as fast as it should be.
I re-ran RootRepeal and got this new report:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/03 21:04
Program Version: Version 1.3.3.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAA461000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B4C000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA9038000 Size: 49152 File Visible: No Signed: -
Status: -

Name: SYMEFA.SYS
Image Path: SYMEFA.SYS
Address: 0xF74C8000 Size: 323584 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\program files\microsoft sql server\mssql.1\mssql\log\log_316.trc
Status: Allocation size mismatch (API: 4096, Raw: 0)

SSDT
-------------------
#: 012 Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x86e112a8

#: 013 Function Name: NtAlertThread
Status: Hooked by "<unknown>" at address 0x86f594b8

#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x86ecf300

#: 019 Function Name: NtAssignProcessToJobObject
Status: Hooked by "<unknown>" at address 0x86d30b98

#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x86ccd748

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xaa731040

#: 043 Function Name: NtCreateMutant
Status: Hooked by "<unknown>" at address 0x86bce568

#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "<unknown>" at address 0x86ccb3c0

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x86d0b6f8

#: 057 Function Name: NtDebugActiveProcess
Status: Hooked by "<unknown>" at address 0x86b79ed0

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xaa7312c0

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xaa731820

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "<unknown>" at address 0x86ecf978

#: 083 Function Name: NtFreeVirtualMemory
Status: Hooked by "<unknown>" at address 0x86e6d978

#: 089 Function Name: NtImpersonateAnonymousToken
Status: Hooked by "<unknown>" at address 0x86d2c418

#: 091 Function Name: NtImpersonateThread
Status: Hooked by "<unknown>" at address 0x86e111e8

#: 097 Function Name: NtLoadDriver
Status: Hooked by "<unknown>" at address 0x86c630a8

#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "<unknown>" at address 0x86c2dee8

#: 114 Function Name: NtOpenEvent
Status: Hooked by "<unknown>" at address 0x86c426e8

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x86e759b8

#: 123 Function Name: NtOpenProcessToken
Status: Hooked by "<unknown>" at address 0x86ecf3d0

#: 125 Function Name: NtOpenSection
Status: Hooked by "<unknown>" at address 0x86ccfa20

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0x86e75928

#: 137 Function Name: NtProtectVirtualMemory
Status: Hooked by "<unknown>" at address 0x86e7e978

#: 206 Function Name: NtResumeThread
Status: Hooked by "<unknown>" at address 0x86e3d388

#: 213 Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x86eb84c0

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x86e6ed88

#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "<unknown>" at address 0x86b79f90

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xaa731a70

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x86c42628

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x86f609c0

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x86e752f8

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x86eb8400

#: 267 Function Name: NtUnmapViewOfSection
Status: Hooked by "<unknown>" at address 0x86ecc918

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x86e72b38

Hidden Services
-------------------
Service Name: vsfoceqltqsnky
Image Path: C:\WINDOWS\system32\drivers\vsfocelkibqhxd.sys

Shadow SSDT
-------------------
#: 307 Function Name: NtUserAttachThreadInput
Status: Hooked by "<unknown>" at address 0x86c8be50

#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "<unknown>" at address 0x86bed050

#: 414 Function Name: NtUserGetKeyboardState
Status: Hooked by "<unknown>" at address 0x86c99050

#: 416 Function Name: NtUserGetKeyState
Status: Hooked by "<unknown>" at address 0x86bf1050

#: 428 Function Name: NtUserGetRawInputData
Status: Hooked by "<unknown>" at address 0x85538218

#: 460 Function Name: NtUserMessageCall
Status: Hooked by "<unknown>" at address 0x8553f218

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "<unknown>" at address 0x86cca410

#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "<unknown>" at address 0x86b51a28

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "<unknown>" at address 0x855402d0

#: 552 Function Name: NtUserSetWinEventHook
Status: Hooked by "<unknown>" at address 0x8553d6c8

==EOF==

Based on this RootRepeal report, is there anything further I should do? Or any way I can be sure everything is clean? Thanks.
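The two RootRepeal reports in posts #4 and #6 are long, and what the helper reads out of them (the MBR rootkit flag, files invisible to the Windows API, one hidden module injected into dozens of processes, a hidden service pointing at the hidden driver, SSDT hooks attributed to a known security driver versus "<unknown>") can be condensed mechanically. The Python below is an added example, not code from the thread or from RootRepeal; it parses a constructed report in the same layout (file, module and service names are made up) into exactly those indicators.

```python
"""Triage a RootRepeal report like the ones posted above: MBR/sector findings, files
invisible to the Windows API, hidden modules and the processes they are injected into,
SSDT/Shadow SSDT hooks grouped by hooking module, and hidden services.  Added example,
not part of the thread or of RootRepeal; SAMPLE_REPORT is constructed with made-up names."""
import re
from collections import Counter, defaultdict

SAMPLE_REPORT = r"""ROOTREPEAL (c) AD, 2007-2009
Hidden/Locked Files
-------------------
Path: Volume C:\
Status: MBR Rootkit Detected!

Path: Volume C:\, Sector 1
Status: Sector mismatch

Path: C:\WINDOWS\system32\abcdefghijklmn.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\abcdefopqrstuv.sys
Status: Invisible to the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: abcdefghijklmn.dll]
Process: services.exe (PID: 1332) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: abcdefghijklmn.dll]
Process: svchost.exe (PID: 1524) Address: 0x10000000 Size: 28672

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xaa731040

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x86e759b8

Hidden Services
-------------------
Service Name: abcdefwxyzabcd
Image Path: C:\WINDOWS\system32\drivers\abcdefopqrstuv.sys
==EOF==
"""

# Several "Label: value" fields can share a line, so a line is split on any label at line
# start or after whitespace; "[Name:" in "Hidden Module [Name: x]" is left for triage().
KEYS = ("Image Path", "Function Name", "Service Name", "File Visible", "Signed",
        "Name", "Address", "Size", "Status", "Path", "Object", "Process", "#")
FIELD_RE = re.compile(r"(?:^|(?<=\s))(" + "|".join(map(re.escape, KEYS)) + r"): ")


def parse_report(text):
    """Return {section title: [record, ...]}; each record is a dict of fields."""
    sections = defaultdict(list)
    lines = [ln.rstrip() for ln in text.splitlines()]
    current, record = None, {}
    for i, line in enumerate(lines):
        if not line or line == "==EOF==":                  # record separator; EOF flushes the last
            if current and record:
                sections[current].append(record)
            record = {}
        elif i + 1 < len(lines) and lines[i + 1].startswith("----"):
            current = line                                  # a section title precedes its underline
        elif current and not line.startswith("----"):
            parts = FIELD_RE.split(line)                    # ['', key, value, key, value, ...]
            record.update(zip(parts[1::2], (v.strip() for v in parts[2::2])))
    return dict(sections)


def triage(sections):
    """Condense a parsed report into the indicators a helper acts on."""
    by_status = defaultdict(list)                           # file status -> paths
    for rec in sections.get("Hidden/Locked Files", []):
        by_status[rec.get("Status")].append(rec.get("Path"))
    injected = defaultdict(set)                             # hidden module -> host processes
    for rec in sections.get("Stealth Objects", []):
        m = re.search(r"Hidden Module \[Name: (.+?)\]", rec.get("Object", ""))
        if m:
            injected[m.group(1)].add(rec.get("Process", "").split(" (PID")[0])
    hooks = Counter()                                       # hooking module -> hooked calls
    for sec in ("SSDT", "Shadow SSDT"):
        for rec in sections.get(sec, []):
            m = re.match(r'Hooked by "(.+?)"', rec.get("Status", ""))
            if m:
                hooks[m.group(1)] += 1
    return {
        "mbr_rootkit": bool(by_status["MBR Rootkit Detected!"]),
        "sector_mismatches": len(by_status["Sector mismatch"]),
        "invisible_files": sorted(by_status["Invisible to the Windows API!"]),
        "injected_modules": {k: sorted(v) for k, v in injected.items()},
        "hooks_by_module": dict(hooks),
        "hidden_services": [(r["Service Name"], r["Image Path"])
                            for r in sections.get("Hidden Services", [])],
    }


if __name__ == "__main__":
    print(triage(parse_report(SAMPLE_REPORT)))
```

Run against the real reports above, the same code would show one module hidden inside every listed process, the hidden service resolving to the invisible driver, and which SSDT hooks belong to the Norton driver rather than to "<unknown>".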

#7 boopme

Posted 04 August 2009 - 09:00 AM

Hi, yes, I want to recheck that first rootkit.
Staff-only tool.
Please download mbr.exe and save it to the root directory, usually C:\ <- (Important!).
  • Go to Start > Run and type: cmd.exe
  • press Ok.
  • At the command prompt type: c:\mbr.exe >>"C:\mbr.log"
  • press Enter.
  • The process is automatic...a black DOS window will open and quickly disappear. This is normal.
  • A log file named mbr.log will be created and saved to the root of the system drive (usually C:\).
  • Copy and paste the results of the mbr.log in your next reply.
If you have a problem using the command prompt, you can just double-click on mbr.exe to run the tool.

#8 doivberg

Posted 04 August 2009 - 04:52 PM

This was what the log file reported:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
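The mbr.exe log above shows the cross-view idea behind MBR rootkit detection: read sector 0 once through the normal user-mode path and once from the kernel, below any filter a bootkit may have installed, and report "user & kernel MBR OK" only when the two agree. The Python below is an added example, not Gmer's code or the thread's; both 512-byte sectors are constructed in memory (build_mbr, compare_views and the sample partition layout are all assumptions made here), so it demonstrates the comparison rather than the disk access.

```python
"""Cross-view MBR check in the spirit of the mbr.exe log above, which reads the MBR
once from user mode and once from kernel mode and reports 'user & kernel MBR OK' only
when the two agree.  Added example, not part of the thread or of Gmer's tool: both
512-byte sectors are constructed here; a real tool would obtain the two views from the
disk rather than from build_mbr()."""
import struct

SECTOR = 512
BOOT_CODE_LEN = 440            # bootstrap code; disk id and padding follow up to offset 446
PART_TABLE_OFF = 446           # four 16-byte partition entries
SIGNATURE = b"\x55\xaa"
ENTRY_FMT = "<B3sB3sII"        # status, CHS start, type, CHS end, LBA start, sector count


def build_mbr(boot_code, partitions):
    """Assemble an MBR from bootstrap bytes and (status, type, lba_start, sectors) tuples."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(struct.pack(ENTRY_FMT, status, b"\0\0\0", ptype, b"\0\0\0", lba, count)
                     for status, ptype, lba, count in partitions)
    return code + b"\x00" * (PART_TABLE_OFF - BOOT_CODE_LEN) + table.ljust(64, b"\x00") + SIGNATURE


def parse_partitions(mbr):
    """Return the populated partition entries as dicts (type 0 marks an empty slot)."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        if ptype:
            entries.append({"bootable": status == 0x80, "type": ptype,
                            "lba_start": lba, "sectors": count})
    return entries


def compare_views(user_view, kernel_view):
    """Return a list of findings; an empty list is the 'user & kernel MBR OK' case.

    A bootkit that filters disk reads hands user-mode callers a clean-looking sector
    while the real one, seen from below the filter, carries its loader.
    """
    findings = []
    for name, view in (("user", user_view), ("kernel", kernel_view)):
        if len(view) != SECTOR or view[-2:] != SIGNATURE:
            findings.append(f"{name}: MBR read failed or has no 0x55AA signature")
    if findings:
        return findings
    if user_view[:BOOT_CODE_LEN] != kernel_view[:BOOT_CODE_LEN]:
        findings.append("bootstrap code differs between user and kernel view")
    if parse_partitions(user_view) != parse_partitions(kernel_view):
        findings.append("partition table differs between user and kernel view")
    return findings


# Constructed sample: one NTFS-type partition starting at LBA 63, so sectors 1-62 sit in
# the unpartitioned gap a bootkit can use (the 'Sector mismatch' lines in the RootRepeal log).
PARTITIONS = [(0x80, 0x07, 63, 488_000)]
CLEAN_MBR = build_mbr(b"CONSTRUCTED-CLEAN-BOOTSTRAP", PARTITIONS)
INFECTED_MBR = build_mbr(b"CONSTRUCTED-TAMPERED-BOOTSTRAP", PARTITIONS)


def report(user_view, kernel_view):
    """Format the findings the way the mbr.exe log does."""
    findings = compare_views(user_view, kernel_view)
    return "user & kernel MBR OK" if not findings else "\n".join(findings)


if __name__ == "__main__":
    print(report(CLEAN_MBR, CLEAN_MBR))          # clean disk: both views agree
    print(report(CLEAN_MBR, INFECTED_MBR))       # filtered read: the views disagree
```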

#9 boopme

Posted 04 August 2009 - 07:06 PM

OK, the MBR rootkit is dead. We have opened the others for cleaning.

Next run MBAM (MalwareBytes):

NOTE: Before saving MBAM, please rename it to zztoy.exe, then save it to your desktop.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

#10 doivberg

Posted 04 August 2009 - 07:49 PM

OK, I hope I didn't screw up the process. Before getting your reply, I tried running a complete scan of DrWeb CureIt in safe mode, to see if I would get the blue screen again. It found some malware. Below is the report list:

acssetup.exe/data026\data009;C:\CONNECT\fscommand\AOL\comps\acs\acssetup.exe/data026;Trojan.PWS.GoldSpy.origin;;
data026;C:\CONNECT\fscommand\AOL\comps\acs;Archive contains infected objects;;
acssetup.exe;C:\CONNECT\fscommand\AOL\comps\acs;Archive contains infected objects;Moved.;
tbsetup.exe\data009;C:\CONNECT\fscommand\AOL\comps\tb\tbsetup.exe;Trojan.PWS.GoldSpy.origin;;
tbsetup.exe;C:\CONNECT\fscommand\AOL\comps\tb;Archive contains infected objects;Moved.;

Anyway, after seeing your message, I stopped the CureIt scan halfway, and followed your instructions for MBAM in normal mode. It found no infections, I guess because CureIt got rid of them before. Below is the log file:

Malwarebytes' Anti-Malware 1.40
Database version: 2561
Windows 5.1.2600 Service Pack 3

8/4/2009 8:43:21 PM
mbam-log-2009-08-04 (20-43-21).txt

Scan type: Quick Scan
Objects scanned: 107473
Time elapsed: 11 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Does this mean I am OK now? Sorry for getting ahead of myself with DrWeb CureIt.

#11 boopme

Posted 04 August 2009 - 08:35 PM

Well, it's OK, I guess, as we would have run it soon. So how is the compy running now? It appears to be clean.

#12 doivberg

Posted 04 August 2009 - 08:52 PM

Well, it does appear to be clean as you said (although it's been a bit harder to tell than usual). All I can say is that Norton doesn't give problems, and when I try to download the latest DrWeb CureIt, which I am using for download speed reference, it now downloads at a normal rate. I guess the last thing to try will be to run the complete DrWeb CureIt and see if I get the blue screen. Assuming that I don't, thanks so much for your help! I was afraid I would have to trash the computer. :thumbsup: I'll let you know after I run CureIt if I get a blue screen.

#13 boopme

Posted 04 August 2009 - 08:56 PM

Sure, run that and post the log. If we still find things, or there is anything else, we can still post an HJT log in that forum and check. We haven't quit, just need to know.

#14 doivberg

Posted 05 August 2009 - 10:33 PM

OK, I finished a complete scan with CureIt, and it still found some stuff. Here is the log:

A0008637.exe/data026\data009;C:\System Volume Information\_restore{EA10BEA4-2D2C-494D-9EF3-5EC8A5B65143}\RP86\A0008637.exe/data026;Trojan.PWS.GoldSpy.origin;;
data026;C:\System Volume Information\_restore{EA10BEA4-2D2C-494D-9EF3-5EC8A5B65143}\RP86;Archive contains infected objects;;
A0008637.exe;C:\System Volume Information\_restore{EA10BEA4-2D2C-494D-9EF3-5EC8A5B65143}\RP86;Archive contains infected objects;Moved.;
A0008638.exe\data009;C:\System Volume Information\_restore{EA10BEA4-2D2C-494D-9EF3-5EC8A5B65143}\RP86\A0008638.exe;Trojan.PWS.GoldSpy.origin;;
A0008638.exe;C:\System Volume Information\_restore{EA10BEA4-2D2C-494D-9EF3-5EC8A5B65143}\RP86;Archive contains infected objects;Moved.;
AOL_Eng.exe/CONNECT/fscommand/AOL/comps/acs/acssetup.exe/data026\data009;C:\TOSHIBA\AOL\AOL_Eng.exe/CONNECT/fscommand/AOL/comps/acs/acssetup.exe/data026;Trojan.PWS.GoldSpy.origin;;
data026;C:\TOSHIBA\AOL;Archive contains infected objects;;
CONNECT/fscommand/AOL/comps/acs/acssetup.exe;C:\TOSHIBA\AOL;Archive contains infected objects;;
AOL_Eng.exe/CONNECT/fscommand/AOL/comps/tb/tbsetup.exe\data009;C:\TOSHIBA\AOL\AOL_Eng.exe/CONNECT/fscommand/AOL/comps/tb/tbsetup.exe;Trojan.PWS.GoldSpy.origin;;
CONNECT/fscommand/AOL/comps/tb/tbsetup.exe;C:\TOSHIBA\AOL;Archive contains infected objects;;
AOL_Eng.exe;C:\TOSHIBA\AOL;Archive contains infected objects;Moved.;

I Googled this Trojan.PWS.GoldSpy.origin and it looks pretty scary :thumbsup: What should I do now? (Do I need to worry about online banking stuff?) By the way, I used a CureIt I downloaded 2 days ago, so it may not have been the latest one at the time I ran the scan.

#15 boopme

Posted 05 August 2009 - 11:02 PM

Actually, we look pretty good here. You have some things in System Restore (DrWeb log); we'll get them in a moment.
The Trojan attempts to steal information from E-Gold accounts and from Internet Explorer sessions with E-Gold URLs. So if you use those, be concerned.

Rerun MBAM (MalwareBytes) one more time like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates, and when done
click the Scanner tab, select Quick scan and scan.
After the scan, click Remove Selected, post the new scan log and reboot into normal mode.