Zlob, Skynet, and IE connect issue

Posted 01 September 2009 - 05:26 PM

Hi, thanks in advance for any help. My brother recently asked for my help in fixing his computer, one that is used by his whole family. From what I've gathered, the computer has been running for about a year with no firewall after some sort of malware disabled ZoneAlarm. I've got ZoneAlarm firewall back up and running, and I've also run AVG, which located and "healed" all but 11 of 28 infected "objects" it found in the scan. The remaining objects identified by AVG are labeled as being part of "Trojan.Zlob". The only remaining symptom is a popup from Internet Explorer which reads "The Web page you requested is not available offline. To view this page, click Connect." and gives the options "Connect" and "Stay Offline". This window pops up once every minute or so; I've been X-ing out of it. I'm convinced that there is other activity, though, such as several "SKYNET" entries in the RootRepeal scan (which I can post if you'd like to see it).

I don't have much experience removing malware, I've always focused on prevention. Please help me diagnose and remove these problems.

The contents of DDS.txt are as follows:

DDS (Ver_09-07-30.01) - NTFSx86
Run by Compaq_Administrator at 17:32:10.84 on Tue 09/01/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1982.1102 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\ehome\RMSvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Tablet.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\PreSonus\1394AudioDriver_FIREBox\FIREBOX Control.exe
C:\Program Files\Zone Labs 09\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DISC\DISCover.exe
C:\Program Files\DISC\DiscUpdMgr.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe

============== Pseudo HJT Report ===============

uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
uSearch Bar = hxxp://safesearch.cyberdefender.com/smallsearch.html
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: hpWebHelper Class: {aaae832a-5fff-4661-9c8f-369692d1dcb9} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\WebHelper.dll
BHO: ZoneAlarm Spy Blocker BHO: {f0d4b231-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\zonealarmsb\bar\1.bin\SPYBLOCK.DLL
TB: ZoneAlarm Spy Blocker: {f0d4b239-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\zonealarmsb\bar\1.bin\SPYBLOCK.DLL
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE
mRun: [nwiz] nwiz.exe /install
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [FIREBOX] c:\program files\presonus\1394audiodriver_firebox\FIREBOX Control.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs 09\zonealarm\zlclient.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
dRunOnce: [RunNarrator] Narrator.exe
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - f:\program files\aim95\aim.exe
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
Trusted Zone: trymedia.com
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\compaq~1\applic~1\mozilla\firefox\profiles\1av7oqve.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - google.com
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\documents and settings\compaq_administrator\application data\move networks\plugins\npqmp071504000001.dll
FF - plugin: c:\documents and settings\compaq_administrator\application data\mozilla\firefox\profiles\1av7oqve.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\documents and settings\compaq_administrator\desktop\byond 4.0 beta\bin\npbyond.dll
FF - plugin: c:\documents and settings\compaq_administrator\desktop\jacob\byond 4.0 beta\bin\npbyond.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbyond.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPZoneSB.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-8-31 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-8-31 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-8-31 108552]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-8-13 353672]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-8-31 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-8-31 297752]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\McrdSvc.exe [2005-10-20 96256]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S3 ps_1394;ps_1394;c:\windows\system32\drivers\ps_1394.sys [2009-4-6 97152]
S3 ps_avs;ps_avs;c:\windows\system32\drivers\ps_avs.sys [2009-4-6 24576]
S3 RDID1003;EDIROL UM-2;c:\windows\system32\drivers\Rdwm1003.sys [2009-5-26 66530]
S3 SynasUSB;SynasUSB;c:\windows\system32\drivers\synasUSB.sys [2009-4-6 18432]

=============== Created Last 30 ================

2009-09-01 17:22 <DIR> --d----- C:\HJT
2009-08-31 22:49 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-08-31 22:33 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-08-31 22:33 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-08-31 22:33 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-08-31 22:33 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2009-08-31 22:32 <DIR> --d----- c:\program files\AVG
2009-08-31 22:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-08-13 23:02 <DIR> --d----- c:\program files\AskBarDis
2009-08-13 23:02 1,221,512 a------- c:\windows\system32\zpeng25.dll
2009-08-13 23:01 <DIR> --d----- c:\program files\Zone Labs 09
2009-08-13 21:51 <DIR> --d----- c:\windows\system32\pixel_movement
2009-08-12 03:30 36,864 a------- c:\windows\system32\net.net
2009-08-12 03:01 <DIR> --d----- c:\windows\ServicePackFiles

==================== Find3M ====================

2009-09-01 17:30 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-09-01 13:52 15,265 a------- c:\windows\system32\tablet.dat
2009-08-05 05:11 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 05:11 204,800 a------- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-18 12:00 1,509,888 a------- c:\windows\system32\dllcache\shdocvw.dll
2009-07-18 12:00 3,069,440 a------- c:\windows\system32\dllcache\mshtml.dll
2009-07-17 14:55 58,880 a------- c:\windows\system32\dllcache\atl.dll
2009-07-17 14:55 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 10:08 286,720 a------- c:\windows\system32\wmpdxm.dll
2009-07-13 10:08 286,720 a------- c:\windows\system32\dllcache\wmpdxm.dll
2009-07-13 10:08 5,537,792 a------- c:\windows\system32\dllcache\wmp.dll
2009-07-10 09:42 1,315,328 a------- c:\windows\system32\dllcache\msoe.dll
2009-06-25 14:36 661,504 a------- c:\windows\system32\mqqm.dll
2009-06-23 19:49 26,362 a------- c:\docume~1\compaq~1\applic~1\wklnhst.dat
2009-06-22 07:49 117,248 a------- c:\windows\system32\mqtgsvc.exe
2009-06-22 07:49 117,248 a------- c:\windows\system32\dllcache\mqtgsvc.exe
2009-06-22 07:49 19,968 a------- c:\windows\system32\mqbkup.exe
2009-06-22 07:49 19,968 a------- c:\windows\system32\dllcache\mqbkup.exe
2009-06-22 07:49 4,608 a------- c:\windows\system32\mqsvc.exe
2009-06-22 07:49 4,608 a------- c:\windows\system32\dllcache\mqsvc.exe
2009-06-22 07:48 91,776 a------- c:\windows\system32\dllcache\mqac.sys
2009-06-22 07:40 18,432 a------- c:\windows\system32\dllcache\iedw.exe
2009-06-16 10:55 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:55 119,808 a------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 10:55 82,432 a------- c:\windows\system32\fontsub.dll
2009-06-16 10:55 82,432 a------- c:\windows\system32\dllcache\fontsub.dll
2009-06-12 07:50 80,896 a------- c:\windows\system32\tlntsess.exe
2009-06-12 07:50 80,896 a------- c:\windows\system32\dllcache\tlntsess.exe
2009-06-12 07:50 76,288 a------- c:\windows\system32\telnet.exe
2009-06-12 07:50 76,288 a------- c:\windows\system32\dllcache\telnet.exe
2009-06-10 10:21 84,992 a------- c:\windows\system32\dllcache\avifil32.dll
2009-06-10 10:21 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 02:32 132,096 a------- c:\windows\system32\wkssvc.dll
2009-06-10 02:32 132,096 a------- c:\windows\system32\dllcache\wkssvc.dll
2009-06-05 03:42 655,872 a------- c:\windows\system32\mstscax.dll
2009-06-05 03:42 655,872 a------- c:\windows\system32\dllcache\mstscax.dll
2009-05-18 23:03 13,195 a------- c:\documents and settings\compaq_administrator\ZGUICFGW.DAT
2009-01-23 16:21 82 a------- c:\docume~1\alluse~1\applic~1\SUMQU0C1-FE20-APII-YE7M-BEDSDWMY5R6A.dat
2007-03-23 04:28 40 a------- c:\documents and settings\compaq_administrator\language.dat
2007-02-19 15:46 251 a------- c:\program files\wt3d.ini

============= FINISH: 17:33:55.95 ===============

Posted 17 September 2009 - 07:57 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine.  Please perform the following scan:
• Double click on the DDS icon, allow it to run.
• A small box will open, with an explanation about the tool.  No input is needed, the scan is running.
• Notepad will open with the results.
• Follow the instructions that pop up for posting the results.
• Close the program window, and delete the program from your desktop.
Please note:  You may have to disable any script protection running if the scan fails to run.  After downloading the tool, disconnect from the internet and disable all antivirus protection.  Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

Posted 18 September 2009 - 12:31 PM

Thanks for responding. The condition of this computer has gone downhill, and it is now in the same boat as one of the other PCs in the house (mentioned here: http://www.bleepingcomputer.com/forums/t/255213/infected-advanced-virusremover-2009-computer-2/ ). "Windows Police Pro" opens as soon as the desktop loads, and most of the administrative tools are disabled. Almost all programs are disabled, too, including notepad (which would be needed to get the results from DDS). I can run the scan in safe mode, I don't know if that would give you the results you need, though.

Posted 20 September 2009 - 05:25 PM

Hi a9642,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
• Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

• Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

• Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

----------------------------------------------

The SKYNET files are part of the TDSS rootkit family and we need to act quickly to stop it disabling your PC.

Please save this file to your desktop. Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK.

"%userprofile%\desktop\win32kdiag.exe" -f -r

When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

Then

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
• Double click on Combo-Fix.exe & follow the prompts.
• As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Thanks

Posted 20 September 2009 - 08:21 PM

Thanks for the response. You won't have to worry about me being absent.

I don't know if you saw the second post in this thread, but the situation with that computer has changed. "Windows Police Pro" is now active, and opens window after window to the exclusion of much else. I can't run most programs, even notepad. When I try to run a program, a window pops up with the title "Error" and the only text in it is the path to the exe I tried to run. Executing a file via the run command or the command line has the same result. I was able to get Win32kdiag.exe to run via the command line (with the arguments you specified), but it encountered errors. Here's the result:

Running from: C:\Documents and Settings\Old Noah\desktop\win32kdiag.exe
Log file at : C:\Documents and Settings\Old Noah\Desktop\Win32kDiag.txt
Removing all found mount points.
Attempting to reset file permissions.
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...

Finished!

I did not run ComboFix, because I didn't know if step one needed to be completed first. I can attempt to run ComboFix, or I can run win32kdiag after booting in safe mode.

Because I can't access the internet from the infected computer, I'm running files from it to another, uninfected computer, via a jump drive. Are there any precautions I should be taking to make sure that my uninfected computer remains uninfected?

Posted 21 September 2009 - 04:08 AM

any precautions I should be taking to make sure that my uninfected computer remains uninfected?

You should disable autorun on any USB device as instructed here. It won't stop everything but it will dramatically drop your chances of picking up malware through the jump drive.

The Win32kDiag ran fine and came up clean so now we need to work on the rootkit we have already identified.

Next please attempt to run Combofix. It could have been run but I like that you asked first

If it fails then try again but first boot into safe mode.

Instructions (if you need them):

This can be done tapping the F8 key as soon as you start your computer
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option without networking support.

Thanks
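Disabling autorun is the right precaution for carrying files off an infected machine on a jump drive, and the check below makes it concrete. This is an added example, not part of the thread or of Bleeping Computer's guide, written in Python rather than as the GUI steps the guide gives. It does two things: it parses an autorun.inf the way the Windows shell reads it and reports which entries would launch an executable when the stick is inserted or opened, and it evaluates the two Explorer policy values that decide whether XP honours autorun.inf on removable media (NoDriveTypeAutoRun, which must cover every drive-type bit, and HonorAutorunSetting, which Microsoft's autorun update KB967715 sets to 1 so that the mask is actually respected). The registry path and value names are the documented Windows ones; the sample autorun.inf text, the policy dictionaries used in the test, and the 0x91 fallback assumed for an absent NoDriveTypeAutoRun value are constructed for this example.

```python
"""Added example (not from the thread): check a USB stick's autorun.inf and
the Explorer policy values that decide whether Windows XP honours it.
The sample autorun.inf below is constructed for this example."""
import sys

# HKLM subkey holding the autorun policy values (documented Windows location).
EXPLORER_POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
ALL_DRIVE_TYPES = 0xFF   # NoDriveTypeAutoRun bitmask that disables every drive type
XP_DEFAULT_MASK = 0x91   # assumed XP default used when the value is absent

# Constructed sample, modelled on the worm-dropped autorun.inf files of the period.
SAMPLE_AUTORUN_INF = """\
; constructed sample autorun.inf
[AutoRun]
icon=%SystemRoot%\\system32\\SHELL32.dll,4
label=My Photos
open=RECYCLER\\setup.exe
shell\\open\\command=RECYCLER\\setup.exe
shell\\explore\\command=RECYCLER\\setup.exe
"""


def _launches_code(key):
    """True for autorun.inf keys whose value is a command the shell will run."""
    return key in ("open", "shellexecute") or (
        key.startswith("shell\\") and key.endswith("\\command"))


def parse_autorun(inf_text):
    """Return {key: command} for every [autorun] entry that launches code.

    Section and key names are matched case-insensitively, as the shell does;
    comment lines and lines before the first section header are ignored.
    """
    launches = {}
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if _launches_code(key):
            launches[key] = value.strip()
    return launches


def autorun_is_disabled(policy_values):
    """policy_values maps value names under EXPLORER_POLICY_KEY to their data.

    Both conditions must hold on XP: NoDriveTypeAutoRun disables every drive
    type (0xFF) and HonorAutorunSetting is 1, which the Microsoft autorun
    update (KB967715) sets so that NoDriveTypeAutoRun is actually respected.
    """
    mask = policy_values.get("NoDriveTypeAutoRun", XP_DEFAULT_MASK)
    honour = policy_values.get("HonorAutorunSetting", 0)
    return (mask & ALL_DRIVE_TYPES) == ALL_DRIVE_TYPES and honour == 1


def read_explorer_policy():
    """Read the live policy values on Windows; returns {} on other platforms."""
    if sys.platform != "win32":
        return {}
    import winreg
    values = {}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, EXPLORER_POLICY_KEY) as key:
            index = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, index)
                except OSError:          # no more values under the key
                    break
                values[name] = data
                index += 1
    except OSError:                      # key absent: nothing has been hardened
        pass
    return values


if __name__ == "__main__":
    for key, cmd in parse_autorun(SAMPLE_AUTORUN_INF).items():
        print("autorun.inf would run: %-22s -> %s" % (key, cmd))
    policy = read_explorer_policy() or {"NoDriveTypeAutoRun": 0xFF, "HonorAutorunSetting": 1}
    print("autorun disabled for all drive types:", autorun_is_disabled(policy))
```

Run it on the clean machine before the stick is ever opened there; with `read_explorer_policy()` it reports the live values, and on any other platform it falls back to the constructed sample. Note that the mask alone is not enough on an unpatched XP box: without HonorAutorunSetting the shell ignores NoDriveTypeAutoRun for removable media, which is why the check requires both.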

Posted 21 September 2009 - 08:51 PM

Thanks for the info about disabling autorun.

I ran Combo-Fix.exe on the infected computer via the command line. When it first started it output this message : "CSscript error: Loading your personal settings failed. (Access Denied)". That may not be exactly what it said, I wasn't able to write it all down before ComboFix continued. When it was done it displayed a dialogue with the following files listed, and told me to write them down:

C:\WINDOWS\system32\drivers\SKYNETyipupdkj.sys
C:\WINDOWS\system32\SKYNETmtiuvwuo.dll
C:\WINDOWS\system32\SKYNETbedixmir.dat
C:\WINDOWS\system32\SKYNETjnrwyodx.dll [note: pilot error, that could be jnrwgodx]
C:\WINDOWS\system32\SKYNETgfaajdmm.dat
C:\WINDOWS\system32\SKYNETbwucrddl.dll
C:\WINDOWS\system32\drivers\UACgvwodwxeqg.sys
C:\WINDOWS\system32\UACvgrnhjvetp.dll
C:\WINDOWS\system32\UACjnltullsrm.dll
C:\WINDOWS\system32\UACkxqgvihsdl.dat
C:\WINDOWS\system32\UACytkaacjuik.db
C:\WINDOWS\system32\UACnbnvtpulmm.dll
C:\WINDOWS\system32\UAChcnfpqkjid.dll

After the computer rebooted there was no new .txt file on the desktop (which I was expecting). I immediately thought that ComboFix was probably supposed to automatically run after the reboot, so I ran it again. It then started the process again, but this time displayed "Stage 1 complete" and started counting up those stages to somewhere around 50, I think. It then output information saying that it was deleting all sorts of temporary files and, finally, the directories for Advanced Virus Remover and Windows Police Pro. It then rebooted, and I ran Combo-Fix.exe again, this time it opened notepad and displayed the attached document. I realized as I was preparing to post this that I should not have run ComboFix again without asking first. It was a brain fart, I guess; the result of doing computer repair while watching TV :/

I'm ready for the next step, or back-step as the case may be.
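The thirteen paths ComboFix reported share one shape: a fixed prefix (SKYNET or UAC) followed by a run of random lowercase letters (eight after SKYNET, ten after UAC), dropped into system32 or system32\drivers with a .sys, .dll, .dat or .db extension. The following is an added example, not part of the thread and not ComboFix's or RootRepeal's logic: a small Python scanner that walks those two directories and flags names matching that shape, grouped by prefix. The regular expression (including the 8 to 12 letter range) is an assumption generalising from the list above; the directory tree it scans is constructed in a temp directory from the listed names plus a few names from the DDS log and one made-up near miss that must not be flagged.

```python
"""Added example (not from the thread or from ComboFix): flag files in
system32 and system32\\drivers whose names follow the SKYNET*/UAC* shape
ComboFix listed. The directory tree built below is constructed."""
import os
import re
import tempfile

# Prefixes taken from the names in the ComboFix dialog; extend as needed.
SUSPECT_PREFIXES = ("SKYNET", "UAC")
# In the listing, SKYNET names carry 8 random lowercase letters and UAC names
# carry 10; the 8-12 range is an assumption that covers both with some slack.
SUSPECT_NAME = re.compile(
    r"^(?P<prefix>%s)(?P<rand>[a-z]{8,12})\.(?P<ext>sys|dll|dat|db)$"
    % "|".join(SUSPECT_PREFIXES))
# Where the listed files lived, relative to the Windows directory.
SYSTEM_DIRS = ("system32", os.path.join("system32", "drivers"))

# The 13 paths ComboFix reported in the thread, relative to the Windows directory.
LISTED_BY_COMBOFIX = [
    r"system32\drivers\SKYNETyipupdkj.sys", r"system32\SKYNETmtiuvwuo.dll",
    r"system32\SKYNETbedixmir.dat", r"system32\SKYNETjnrwyodx.dll",
    r"system32\SKYNETgfaajdmm.dat", r"system32\SKYNETbwucrddl.dll",
    r"system32\drivers\UACgvwodwxeqg.sys", r"system32\UACvgrnhjvetp.dll",
    r"system32\UACjnltullsrm.dll", r"system32\UACkxqgvihsdl.dat",
    r"system32\UACytkaacjuik.db", r"system32\UACnbnvtpulmm.dll",
    r"system32\UAChcnfpqkjid.dll",
]
# Neighbours the rule must leave alone: three names from the DDS log and one
# constructed near miss (right prefix and letter count, wrong extension).
NOT_FLAGGED = [r"system32\drivers\avgldx86.sys", r"system32\vsdatant.sys",
               r"system32\net.net", r"system32\UACsettings.txt"]


def build_sample_tree():
    """Create a throwaway Windows-like tree (constructed) and return its root."""
    root = tempfile.mkdtemp(prefix="windows_")
    for rel in LISTED_BY_COMBOFIX + NOT_FLAGGED:
        path = os.path.join(root, *rel.split("\\"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"\0" * 16)   # contents are irrelevant to a name-based rule
    return root


def find_suspect_files(windows_dir):
    """Return full paths under SYSTEM_DIRS whose names match SUSPECT_NAME."""
    hits = []
    for rel in SYSTEM_DIRS:
        directory = os.path.join(windows_dir, rel)
        if not os.path.isdir(directory):
            continue
        for name in sorted(os.listdir(directory)):
            if SUSPECT_NAME.match(name):
                hits.append(os.path.join(directory, name))
    return hits


def suspect_basenames(windows_dir):
    """Sorted file names (without directories) that the rule flagged."""
    return sorted(os.path.basename(p) for p in find_suspect_files(windows_dir))


def family_counts(windows_dir):
    """Hits per prefix, e.g. {'SKYNET': 6, 'UAC': 7} for the constructed tree."""
    counts = {}
    for name in suspect_basenames(windows_dir):
        prefix = SUSPECT_NAME.match(name).group("prefix")
        counts[prefix] = counts.get(prefix, 0) + 1
    return counts


if __name__ == "__main__":
    root = build_sample_tree()
    for path in find_suspect_files(root):
        print("suspect:", os.path.relpath(path, root))
    print("per family:", family_counts(root))
```

Two caveats for anyone reusing this on a real box. A kernel-mode rootkit of this kind hides its own files from ordinary directory listings while its driver is loaded, so a listing-based scan like this one is only meaningful from a clean boot or an offline mount of the disk, which is why RootRepeal and ComboFix, not Explorer, turned these names up. And the prefix is the part that changes between variants (the thread shows two on one machine), so the prefix list, not the letter-count regex, is what you maintain.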

Posted 22 September 2009 - 03:28 PM

Hi a9642,

You have to be careful when running Combofix - even with assistance, you must do exactly as I say otherwise you could destroy your PC whilst watching the TV

The log looks okay though.

Both rootkits have been removed so how's the computer running?

Next step is to delete the keylogger file

Use Windows Explorer to find and delete this file:

c:\windows\system32\cdfvie.dll

As an example:
Double click the My Computer icon on your Desktop. Or click on the Windows KEY + E.
Double click on Local Disc (C:\)
Double click on the Windows folder,
Right click on badfile.dll and then from the menu that appears, click on Delete

• Make sure you are connected to the Internet.
• Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
• When the installation begins, follow the prompts and do not make any changes to default settings.
• When installation has finished, make sure you leave both of these checked:
• Update Malwarebytes' Anti-Malware
• Launch Malwarebytes' Anti-Malware
• Then click Finish.
• MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
• On the Scanner tab:
• Make sure the "Perform Full Scan" option is selected.
• Then click on the Scan button.
• If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
• The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
• When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
• Click OK to close the message box and continue with the removal process.
• Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
• Make sure that everything is checked, and click Remove Selected.
• When removal is completed, a log report will open in Notepad.
• The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
• Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

Thanks, we're nearly there

Posted 22 September 2009 - 07:14 PM

> so how's the computer running?

Better, but not smoothly. I haven't run it enough to tell you exactly what symptoms are gone (I don't do anything on that computer except what we talk about here), but it seems I can access programs again: I was able to open Paint so as to get the attached screen shot. I still seem to be untrusted on that computer, even though the accounts I'm using are administrator accounts. Whenever I change something, like Folder Options -> Show Hidden Files and Folders, there's no error or alert, but the change doesn't go through.

I deleted the cdfvie.dll file and ran mbam-setup.exe. The setup's progress bar filled completely, but then returned the error dialogue seen in the attached screen shot. I aborted the install, rebooted, and tried again, but got the same result, so I aborted, turned off the computer, and am posting here. Just my layman's opinion, but I believe anything that edits the registry has been locked out by Group Policy. I don't know if that's a symptom of another active malware, or if it's the legacy of one of the rootkits that were removed.

Posted 22 September 2009 - 07:25 PM

The rootkit's legacy is what we're dealing with. This next tool is Junction and will tell me what permissions have been altered.
Junction.zip

• Unzip it and place Junction.exe in the Windows directory (C:\Windows).
• Go to Start => Run... => Copy and paste the following command in the Run box and click OK:
cmd /c junction -s c:\ >log.txt&log.txt& del log.txt

A command window opens starting to scan the system. Wait until a log file opens. Copy and paste the log in your next reply

Posted 22 September 2009 - 09:53 PM

Nothing new to report. Attached you'll find the junction log file.

Posted 23 September 2009 - 07:23 PM

but I believe anything that edits the registry has been locked out by Group Policy

MBAM is often stopped by malware but there may be an easier way to do this.

Delete the mbam-setup.exe file.

• Make sure you are connected to the Internet.
• Double-click on mole.scr to install the application.
• When the installation begins, follow the prompts and do not make any changes to default settings.
• When installation has finished, make sure you leave both of these checked:
• Update Malwarebytes' Anti-Malware
• Launch Malwarebytes' Anti-Malware
• Then click Finish.
• MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.

Posted 23 September 2009 - 08:44 PM

I tried to save the file as mole.scr, but it started saving as mole.scr.exe.
Next I selected "Saved as type: All files" from Firefox's save file dialogue, but it started saving as mole.scr.exe again.
I can access "Tools > Folder Options > View > Hide extensions for known file types", but like all other settings, changes don't take effect at all.
I also downloaded the file as mole.scr from another computer, transferred it by Flash drive, and ran it from the desktop of this computer, the result was the same as the last message I posted.

This is the first time I've been able to get any programs running on this computer (I'm now posting from the computer in question), and the first time I've been able to run Firefox. When it opened I noticed the AVG toolbar. I then checked the task manager, and there are several processes running with "avg" at the start of the image name:
avgcsrvx.exe
avgemc.exe
avgnsx.exe
avgrsx.exe
avgwdsvc.exe

I don't see AVG running in the system tray, and the system tray customization window (to un-hide it if it were set to be hidden while running) does not show AVG anywhere. Should I uninstall AVG to make sure it's not running?

Posted 24 September 2009 - 06:23 AM

Yes, uninstall AVG. You can always install it again after the fix. If that doesn't fix it I can find you the AVG uninstaller.

I should have made myself more clear regarding the MBAM instructions.

Posted 26 September 2009 - 02:31 AM

I uninstalled AVG and then tried your directions again. The result is the same as last time. :/

Should I try and continue the scan / removal, or maybe try manually adding that registry change?

