Prevx alert


7 replies to this topic

#1 blondegeek

Posted 14 September 2009 - 04:44 PM

Hi there,

This morning I got the following alert message while checking email in Eudora. My computer is running slow as hell and nothing has been detected with Prevx, Malwarebytes or Bitdefender. I have not rebooted to see if it will help things speed up for fear of activating an exe file or something.

Any suggestions of how to proceed? I just had to re-install Windows a few months ago because of malware so I bought Prevx. It appears to be useless for prevention.

Thanks


Prevx Malware Monitor has detected new malware infections within your operation.

1 Critically Important System is infected

The malware is:

File Behavior

IS-9LT5I.EXE has been seen to perform the following behavior:

* Found on infected systems and resists interrogation by security products
* Uses low level functions to hide itself from the user and from system/security processes

IS-9LT5I.EXE has been the subject of the following behavior:

* Added as a Registry Key (RUNONCE) to auto start Programs on system start up
* Created as a process on disk

Country Of Origin

The filename IS-9LT5I.EXE was first seen on Aug 25 2009 in the following geographical regions of the Prevx community:

* POLAND on Aug 25 2009
* The UNITED STATES on Aug 25 2009

File Name Aliases

IS-9LT5I.EXE can also use the following file names:


Filesizes

This file has been seen with the following file size:

* 693,760 bytes

Vendor, Product and Version Information

A file with the name IS-9LT5I.EXE have been seen to have the following Vendor, Product and Version Information in the file header:

* ; Setup/Uninstall; 51.49.0.0
* ; Setup/Uninstall;

File Type

The filename IS-9LT5I.EXE refers to an executable program.



#2 rigel

Posted 14 September 2009 - 07:48 PM

Let's take a look with Root Repeal

Install RootRepeal

Click here - Official Rootrepeal Site, and download RootRepeal.zip. I recommend downloading to your desktop.
Fatdcuk at Malwarebytes posted a comprehensive tutorial - Self Help guide can be found here if needed: Malwarebytes Removal and Self Help Guides.
Click RootRepeal.exe to open the scanner.
Click the Report tab, now click on Scan. A Window will open asking what to include in the scan.
Check the following items:
Drivers
Processes
SSDT
Stealth Objects
Hidden Services

Click OK
Scan your C Drive (Or your current system drive) and click OK. The scan will begin. This may take a moment, so please be patient. When the scan completes, click Save Report.
Name the log RootRepeal.txt and save it to your Documents folder - (Default folder).
Paste the log into your next reply.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#3 blondegeek

Posted 14 September 2009 - 08:15 PM

Does it work in safe mode?

#4 blondegeek

Posted 14 September 2009 - 10:07 PM

I also moved the file ISRS-000.TMP from the windows directory and put it in another folder.


I ran it in safe mode because things were going slower than slow.

ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/09/14 18:18
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: 1394BUS.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\1394BUS.SYS
Address: 0xF7723000 Size: 53248 File Visible: - Signed: -
Status: -

Name: ACPI.sys
Image Path: ACPI.sys
Address: 0xF76B4000 Size: 187776 File Visible: - Signed: -
Status: -

Name: ACPI_HAL
Image Path: \Driver\ACPI_HAL
Address: 0x804D7000 Size: 2180480 File Visible: - Signed: -
Status: -

Name: atapi.sys
Image Path: atapi.sys
Address: 0xF7646000 Size: 95360 File Visible: - Signed: -
Status: -

Name: Beep.SYS
Image Path: C:\WINDOWS\System32\Drivers\Beep.SYS
Address: 0xF7C2B000 Size: 4224 File Visible: - Signed: -
Status: -

Name: BOOTVID.dll
Image Path: C:\WINDOWS\system32\BOOTVID.dll
Address: 0xF7B13000 Size: 12288 File Visible: - Signed: -
Status: -

Name: Cdfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Address: 0xF7873000 Size: 63744 File Visible: - Signed: -
Status: -

Name: cdrom.sys
Image Path: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Address: 0xF77E3000 Size: 62592 File Visible: - Signed: -
Status: -

Name: CLASSPNP.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Address: 0xF7773000 Size: 53248 File Visible: - Signed: -
Status: -

Name: disk.sys
Image Path: disk.sys
Address: 0xF7763000 Size: 36352 File Visible: - Signed: -
Status: -

Name: dmio.sys
Image Path: dmio.sys
Address: 0xF765E000 Size: 153344 File Visible: - Signed: -
Status: -

Name: dmload.sys
Image Path: dmload.sys
Address: 0xF7C07000 Size: 5888 File Visible: - Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF72FC000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7C3F000 Size: 8192 File Visible: No Signed: -
Status: -

Name: Dxapi.sys
Image Path: C:\WINDOWS\System32\drivers\Dxapi.sys
Address: 0xF7BB7000 Size: 12288 File Visible: - Signed: -
Status: -

Name: dxg.sys
Image Path: C:\WINDOWS\System32\drivers\dxg.sys
Address: 0xBF9C3000 Size: 73728 File Visible: - Signed: -
Status: -

Name: dxgthk.sys
Image Path: C:\WINDOWS\System32\drivers\dxgthk.sys
Address: 0xF7D17000 Size: 4096 File Visible: - Signed: -
Status: -

Name: Fastfat.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fastfat.SYS
Address: 0xF6D91000 Size: 143360 File Visible: - Signed: -
Status: -

Name: fltMgr.sys
Image Path: fltMgr.sys
Address: 0xF7626000 Size: 128896 File Visible: - Signed: -
Status: -

Name: framebuf.dll
Image Path: C:\WINDOWS\System32\framebuf.dll
Address: 0xBFF50000 Size: 12288 File Visible: - Signed: -
Status: -

Name: Fs_Rec.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Address: 0xF7C27000 Size: 7936 File Visible: - Signed: -
Status: -

Name: ftdisk.sys
Image Path: ftdisk.sys
Address: 0xF7684000 Size: 125056 File Visible: - Signed: -
Status: -

Name: GEARAspiWDM.sys
Image Path: C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
Address: 0xF7803000 Size: 40960 File Visible: - Signed: -
Status: -

Name: hal.dll
Image Path: C:\WINDOWS\system32\hal.dll
Address: 0x806EC000 Size: 131968 File Visible: - Signed: -
Status: -

Name: HDAudBus.sys
Image Path: C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
Address: 0xF749D000 Size: 151552 File Visible: - Signed: -
Status: -

Name: HIDCLASS.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS
Address: 0xF7853000 Size: 36864 File Visible: - Signed: -
Status: -

Name: HIDPARSE.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS
Address: 0xF7A63000 Size: 28672 File Visible: - Signed: -
Status: -

Name: hidusb.sys
Image Path: C:\WINDOWS\system32\DRIVERS\hidusb.sys
Address: 0xF7B93000 Size: 9600 File Visible: - Signed: -
Status: -

Name: i8042prt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\i8042prt.sys
Address: 0xF7813000 Size: 52736 File Visible: - Signed: -
Status: -

Name: imapi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\imapi.sys
Address: 0xF77D3000 Size: 41856 File Visible: - Signed: -
Status: -

Name: isapnp.sys
Image Path: isapnp.sys
Address: 0xF7703000 Size: 35840 File Visible: - Signed: -
Status: -

Name: kbdclass.sys
Image Path: C:\WINDOWS\system32\DRIVERS\kbdclass.sys
Address: 0xF7A03000 Size: 24576 File Visible: - Signed: -
Status: -

Name: KDCOM.DLL
Image Path: C:\WINDOWS\system32\KDCOM.DLL
Address: 0xF7C03000 Size: 8192 File Visible: - Signed: -
Status: -

Name: ks.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ks.sys
Address: 0xF74C2000 Size: 143360 File Visible: - Signed: -
Status: -

Name: KSecDD.sys
Image Path: KSecDD.sys
Address: 0xF75FD000 Size: 92032 File Visible: - Signed: -
Status: -

Name: LHidFlt2.Sys
Image Path: C:\WINDOWS\system32\DRIVERS\LHidFlt2.Sys
Address: 0xF7A73000 Size: 24320 File Visible: - Signed: -
Status: -

Name: LMouFlt2.Sys
Image Path: C:\WINDOWS\system32\DRIVERS\LMouFlt2.Sys
Address: 0xF7863000 Size: 63328 File Visible: - Signed: -
Status: -

Name: mouclass.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mouclass.sys
Address: 0xF7A4B000 Size: 23040 File Visible: - Signed: -
Status: -

Name: mouhid.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mouhid.sys
Address: 0xF7468000 Size: 12160 File Visible: - Signed: -
Status: -

Name: MountMgr.sys
Image Path: MountMgr.sys
Address: 0xF7733000 Size: 42240 File Visible: - Signed: -
Status: -

Name: Msfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Msfs.SYS
Address: 0xF7AFB000 Size: 19072 File Visible: - Signed: -
Status: -

Name: mssmbios.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mssmbios.sys
Address: 0xF7BBF000 Size: 15488 File Visible: - Signed: -
Status: -

Name: Mup.sys
Image Path: Mup.sys
Address: 0xF7528000 Size: 107904 File Visible: - Signed: -
Status: -

Name: MXOFX.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\MXOFX.SYS
Address: 0xF7AC3000 Size: 32512 File Visible: - Signed: -
Status: -

Name: NDIS.sys
Image Path: NDIS.sys
Address: 0xF7543000 Size: 182912 File Visible: - Signed: -
Status: -

Name: Npfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Npfs.SYS
Address: 0xF7B0B000 Size: 30848 File Visible: - Signed: -
Status: -

Name: Ntfs.sys
Image Path: Ntfs.sys
Address: 0xF7570000 Size: 574464 File Visible: - Signed: -
Status: -

Name: ntoskrnl.exe
Image Path: C:\WINDOWS\system32\ntoskrnl.exe
Address: 0x804D7000 Size: 2180480 File Visible: - Signed: -
Status: -

Name: Null.SYS
Image Path: C:\WINDOWS\System32\Drivers\Null.SYS
Address: 0xF7E16000 Size: 2944 File Visible: - Signed: -
Status: -

Name: ohci1394.sys
Image Path: ohci1394.sys
Address: 0xF7713000 Size: 61056 File Visible: - Signed: -
Status: -

Name: PartMgr.sys
Image Path: PartMgr.sys
Address: 0xF798B000 Size: 18688 File Visible: - Signed: -
Status: -

Name: pci.sys
Image Path: pci.sys
Address: 0xF76A3000 Size: 68224 File Visible: - Signed: -
Status: -

Name: pciide.sys
Image Path: pciide.sys
Address: 0xF7CCB000 Size: 3328 File Visible: - Signed: -
Status: -

Name: PCIIDEX.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Address: 0xF7983000 Size: 28672 File Visible: - Signed: -
Status: -

Name: PnpManager
Image Path: \Driver\PnpManager
Address: 0x804D7000 Size: 2180480 File Visible: - Signed: -
Status: -

Name: pxscan.sys
Image Path: pxscan.sys
Address: 0xF7743000 Size: 36864 File Visible: - Signed: -
Status: -

Name: pxsec.sys
Image Path: pxsec.sys
Address: 0xF7783000 Size: 40960 File Visible: - Signed: -
Status: -

Name: RAW
Image Path: \FileSystem\RAW
Address: 0x804D7000 Size: 2180480 File Visible: - Signed: -
Status: -

Name: rdpdr.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rdpdr.sys
Address: 0xF746C000 Size: 196864 File Visible: - Signed: -
Status: -

Name: redbook.sys
Image Path: C:\WINDOWS\system32\DRIVERS\redbook.sys
Address: 0xF77F3000 Size: 57472 File Visible: - Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF7953000 Size: 49152 File Visible: No Signed: -
Status: -

Name: sr.sys
Image Path: sr.sys
Address: 0xF7614000 Size: 73472 File Visible: - Signed: -
Status: -

Name: swenum.sys
Image Path: C:\WINDOWS\system32\DRIVERS\swenum.sys
Address: 0xF7C1D000 Size: 4352 File Visible: - Signed: -
Status: -

Name: termdd.sys
Image Path: C:\WINDOWS\system32\DRIVERS\termdd.sys
Address: 0xF7823000 Size: 40704 File Visible: - Signed: -
Status: -

Name: update.sys
Image Path: C:\WINDOWS\system32\DRIVERS\update.sys
Address: 0xF7410000 Size: 209408 File Visible: - Signed: -
Status: -

Name: USBD.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBD.SYS
Address: 0xF7C21000 Size: 8192 File Visible: - Signed: -
Status: -

Name: usbehci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Address: 0xF7AAB000 Size: 26624 File Visible: - Signed: -
Status: -

Name: usbhub.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbhub.sys
Address: 0xF7833000 Size: 57600 File Visible: - Signed: -
Status: -

Name: usbohci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbohci.sys
Address: 0xF7A7B000 Size: 17024 File Visible: - Signed: -
Status: -

Name: USBPORT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS
Address: 0xF74E5000 Size: 143360 File Visible: - Signed: -
Status: -

Name: vga.sys
Image Path: C:\WINDOWS\System32\drivers\vga.sys
Address: 0xF7ADB000 Size: 20992 File Visible: - Signed: -
Status: -

Name: VIDEOPRT.SYS
Image Path: C:\WINDOWS\System32\drivers\VIDEOPRT.SYS
Address: 0xF73FC000 Size: 81920 File Visible: - Signed: -
Status: -

Name: VolSnap.sys
Image Path: VolSnap.sys
Address: 0xF7753000 Size: 52352 File Visible: - Signed: -
Status: -

Name: watchdog.sys
Image Path: C:\WINDOWS\System32\watchdog.sys
Address: 0xF7A93000 Size: 20480 File Visible: - Signed: -
Status: -

Name: Win32k
Image Path: \Driver\Win32k
Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -
Status: -

Name: win32k.sys
Image Path: C:\WINDOWS\System32\win32k.sys
Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -
Status: -

Name: WMILIB.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\WMILIB.SYS
Address: 0xF7C05000 Size: 8192 File Visible: - Signed: -
Status: -

Name: WMIxWDM
Image Path: \Driver\WMIxWDM
Address: 0x804D7000 Size: 2180480 File Visible: - Signed: -
Status: -

Edited by blondegeek, 14 September 2009 - 10:07 PM.
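As an added example (not from this thread or from the RootRepeal project), a small Python parser for the Drivers section of a RootRepeal log in the layout pasted above, which pulls out the per-driver fields and lists the entries whose file the scanner could not see. The sample log is constructed, EXAMPLE-hidden.sys is an invented placeholder, and the allowlist of drivers that are expected to be reported as hidden is my assumption.

```python
import re

# Constructed sample in the layout of the RootRepeal "Drivers" section above.
# EXAMPLE-hidden.sys is an invented placeholder so the triage check fires.
SAMPLE_LOG = r"""
Drivers
-------------------
Name: atapi.sys
Image Path: atapi.sys
Address: 0xF7646000 Size: 95360 File Visible: - Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF72FC000 Size: 98304 File Visible: No Signed: -
Status: -

Name: EXAMPLE-hidden.sys
Image Path: C:\WINDOWS\system32\drivers\EXAMPLE-hidden.sys
Address: 0xF7990000 Size: 16384 File Visible: No Signed: -
Status: -
"""

FIELD_RE = re.compile(r"Address: (?P<address>0x[0-9A-Fa-f]+) Size: (?P<size>\d+) "
                      r"File Visible: (?P<visible>\S+) Signed: (?P<signed>\S+)")

# Entries RootRepeal routinely reports as "File Visible: No" on a clean XP box:
# crash-dump driver copies and the scanner's own driver (allowlist is my assumption).
EXPECTED_HIDDEN = {"dump_atapi.sys", "dump_wmilib.sys", "rootrepeal.sys"}

def parse_drivers(log: str) -> list[dict[str, str]]:
    """Return one dict per entry in the 'Drivers' section of a RootRepeal log."""
    entries, current, section, prev = [], {}, "", ""
    for raw in log.splitlines():
        line = raw.strip()
        if line and set(line) == {"-"}:  # a dashed rule names the section above it
            section = prev
            continue
        prev = line
        if section != "Drivers":
            continue
        if line.startswith("Name: "):
            current = {"name": line[len("Name: "):]}
            entries.append(current)
        elif line.startswith("Image Path: "):
            current["image_path"] = line[len("Image Path: "):]
        elif line.startswith("Address: ") and (m := FIELD_RE.match(line)):
            current.update(m.groupdict())
    return entries

def hidden_drivers(entries: list[dict[str, str]]) -> list[str]:
    """Drivers whose file the scanner could not see and that are not expected to be hidden."""
    return [e["name"] for e in entries
            if e.get("visible") == "No" and e["name"].lower() not in EXPECTED_HIDDEN]
```

Note that "File Visible: No" on the dump_*.sys copies and on rootrepeal.sys is routine in these logs, so that field alone is not evidence of a rootkit; the output is a list of entries to ask about, not a verdict.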


#5 blondegeek

Posted 14 September 2009 - 10:18 PM

My computer no longer works at all except in safe mode. It starts to load stuff but then freezes before all the programs load in.

I am in urgent need of knowing whether or not I will have to re-install windows.

Thank you

#6 rigel

Posted 15 September 2009 - 11:45 AM

The log shows you have one of the latest rootkit variants. If it were me, I would reformat and reload - especially if you are okay with doing it. Rootkits are information thieves. I would change all on-line passwords from a clean computer.

Let me know what you would like to do. If you choose to try and clean your computer, we need to send you over to the HJT forum. They are the only ones that can clean this infection.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#7 blondegeek

Posted 15 September 2009 - 04:46 PM

Thanks. I am going to reformat and reload. Prevx told me it was because I was only doing security updates in SP2 that it happened. They said I have to have SP3.

#8 blondegeek

Posted 15 September 2009 - 06:06 PM

Do I need to somehow scan all my data files once I get reloaded? I have at least 50+ passwords to change so I am going to be busy with that for a while. I am so bummed.

I am working from my laptop right now. I have all my desktop data regularly backed up on external drives. Do I need to worry about using those files on the laptop?

I am very concerned because this just happened to me 2 months ago. On top of that, Microsoft now thinks my XP is not genuine so today I ordered a new XP CD with SP3. I got my stuff used so I cannot prove anything to get help from Microsoft. Do you think Prevx is correct in saying that because I was only doing security updates with SP2 that it happened?

I really cannot have this happening over and over again. I was just downloading email into Eudora when I apparently got infected. I wasn't even at my computer or on the Internet; I had left the room. Prevx, Malwarebytes and Bitdefender were all running when this happened. I also have a router. How much more protection do I need??

