
Rootkit Problem?


This topic is locked
82 replies to this topic

#1 steedross

  • Members
  • 91 posts
  • Local time:04:10 PM

Posted 08 October 2009 - 01:30 AM

Please keep your posts to one topic. Do not add any more posts to this topic. It will delay a response to your post.



Love, love, love this website.

My problem seemed to be Malware at first - during searches I get redirected to the "generic" website thing or "Internet Explorer cannot display the website" message thing. I can usually get to the website I want by going back a couple of times, researching for the subject again, closing the "generic" website window and/or the "cannot display" window when they appear, and the website will eventually come up.

I ran the Anti-Malware from BC (which I try to update and run periodically). There were a couple things, I have the logs if you need them, but I followed the instructions to get rid of the infected stuff. However, I'm still having the redirecting cannot display problem - but this only occurs when searching, not on websites I go to on my favorites or in history.

Anyway, after looking at the Rootkit post, I'm wondering if this may be the prob. Somewhere in my not-too-distant memory (say last two-three months maybe), I'm remembering an Anti-Spy Protector 2009 type window pop up, but I can't pin details - sorry - except the memory of trying to close the darn thing as fast as I could. I don't get shut out of the Malware program though.

Thanks for looking. I appreciate all your help and this website!!

Oh - I just thought of something.
I did have a blue screen problem earlier in the week. The message indicated that I had a driver that was causing the system to crash - sorry, I didn't note the exact message. But the message noted that it could either be hardware or software related. Before I got into a MS fix detailed on the blue screen (uninstalling, etc), and since my DS recently put a new game (Spore, Galactic Adventure) on the computer that was overburdening our memory, I cleaned out and backed up old files. I haven't received another blue screen.


DDS (Ver_09-09-29.01) - NTFSx86
Run by Dad and Mom at 0:36:50.28 on Thu 10/08/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.87 [GMT -5:00]


============== Running Processes ===============


============== Pseudo HJT Report ===============

uStart Page = hxxp://www.att.net/
uWindow Title = Windows Internet Explorer provided by Yahoo!
uDefault_Page_URL = hxxp://www.yahoo.com
uSearch Bar = hxxp://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE
mDefault_Page_URL = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Yahoo! IE Suggest: {5a263cf7-56a6-4d68-a8cf-345be45bc911} - c:\program files\yahoo!\searchsuggest\YSearchSuggest.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {BDEADE7F-C265-11D0-BCED-00A0C90AB50F} - No File
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [MimBoot] c:\progra~1\musicm~1\musicm~3\mimboot.exe
mRun: [2Wire Wireless Manager] "c:\program files\2wire wireless manager\2Wire.exe" -a
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [Turbine Download Manager Tray Icon] "c:\program files\turbine\turbine download manager\TurbineDownloadManagerIcon.exe"
mRun: [VBTUCopy] c:\program files\vbtucopy\VBTUCopy.exe /a /f
mRun: [LexStart] lexstart.exe
mRun: [PrinTray] c:\windows\system32\spool\drivers\w32x86\2\printray.exe
mRun: [xkstartup] RunDll32 insxk50c.dll,SetUsbPrinterPort
mRun: [SHPC32] shpc32.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: musicmatch.com\online
DPF: {2EDF75C0-5ABD-49f9-BAB6-220476A32034} - hxxp://ea-src-cdn.systemrequirementslab.com/curi/bin/sysreqlab_srlx.cab
DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - hxxp://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1242485911218
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxdev.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-10-03 17:13 <DIR> --d----- C:\Temp
2009-10-03 17:08 <DIR> --d----- c:\program files\Sony
2009-09-25 17:28 <DIR> --d----- c:\docume~1\dadand~1\applic~1\Sony Online Entertainment
2009-09-18 17:53 <DIR> --d----- c:\program files\Sony Online Entertainment
2009-09-12 01:45 246,272 a------- c:\windows\system32\lfj2k13n.dll
2009-09-12 01:45 90,112 a------- c:\windows\system32\lfjbg13n.dll
2009-09-12 01:45 189,976 a------- c:\windows\system32\mfimgvwr.ocx
2009-09-12 01:45 <DIR> --d----- c:\program files\MFInstall
2009-09-11 12:48 32 a------- c:\windows\CD_Start.INI
2009-09-09 03:18 153,088 -------- c:\windows\system32\dllcache\triedit.dll

==================== Find3M ====================

2009-10-07 20:59 12,174 a------- c:\docume~1\dadand~1\applic~1\wklnhst.dat
2009-10-07 20:19 69,600 a------- c:\docume~1\dadand~1\applic~1\GDIPFONTCACHEV1.DAT
2009-10-07 13:59 38 a------- c:\documents and settings\dad and mom\jagex_runescape_preferences.dat
2009-10-07 13:49 45 a------- c:\documents and settings\dad and mom\jagex_runescape_preferences2.dat
2009-09-10 14:54 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 14:53 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-04 17:44 515,416 a------- c:\windows\system32\XAudio2_5.dll
2009-09-04 17:44 238,936 a------- c:\windows\system32\xactengine3_5.dll
2009-09-04 17:44 69,464 a------- c:\windows\system32\XAPOFX1_3.dll
2009-09-04 17:29 453,456 a------- c:\windows\system32\d3dx10_42.dll
2009-09-04 17:29 235,344 a------- c:\windows\system32\d3dx11_42.dll
2009-09-04 17:29 5,501,792 a------- c:\windows\system32\d3dcsx_42.dll
2009-09-04 17:29 1,974,616 a------- c:\windows\system32\D3DCompiler_42.dll
2009-09-04 17:29 1,892,184 a------- c:\windows\system32\D3DX9_42.dll
2009-08-30 16:18 25,765,672 a------- C:\runeland.zip
2009-08-26 12:09 63,488 a------- c:\windows\xobglu16.dll
2009-08-26 12:09 23,552 a------- c:\windows\xobglu32.dll
2009-08-13 10:16 512,000 -------- c:\windows\system32\dllcache\jscript.dll
2009-08-05 04:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 04:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-22 17:18 107,888 a------- c:\windows\system32\CmdLineExt.dll
2009-07-19 08:33 3,597,824 -------- c:\windows\system32\dllcache\mshtml.dll
2009-07-19 08:32 6,067,200 -------- c:\windows\system32\dllcache\ieframe.dll
2009-07-17 14:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-17 14:01 58,880 -------- c:\windows\system32\dllcache\atl.dll
2009-07-13 10:08 286,720 a------- c:\windows\system32\wmpdxm.dll
2009-07-13 10:08 286,720 a------- c:\windows\system32\dllcache\wmpdxm.dll
2009-07-13 10:08 5,537,792 a------- c:\windows\system32\dllcache\wmp.dll
2009-07-10 08:27 1,315,328 -------- c:\windows\system32\dllcache\msoe.dll
2009-01-03 11:56 56 ---shr-- c:\windows\system32\F13BA36F45.sys
2009-01-03 11:56 3,766 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-03-03 21:21 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009030320090304\index.dat

============= FINISH: 0:40:48.60 ===============

Attached Files


Edited by garmanma, 08 October 2009 - 08:57 PM.
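The "Created Last 30" and "Find3M" sections of the DDS log above list a timestamp, a size, an 8-character attribute string and a path per file. The script below is an added triage helper, not part of this thread and not how the helpers here analysed the log: it parses those lines and flags entries worth a closer look. The sample lines are copied from the log, and both heuristics (hidden+system files dropped directly into system32, and IE history under the SYSTEM account's profile) are this example's own assumptions, intended to prioritise review rather than to decide what is malicious.

```python
import re
from typing import List, Tuple

# Constructed sample: a few lines copied from the DDS "Created Last 30"/"Find3M" sections above.
SAMPLE_LOG = """\
2009-10-03 17:13 <DIR> --d----- C:\\Temp
2009-09-12 01:45 246,272 a------- c:\\windows\\system32\\lfj2k13n.dll
2009-09-10 14:54 38,224 a------- c:\\windows\\system32\\drivers\\mbamswissarmy.sys
2009-01-03 11:56 56 ---shr-- c:\\windows\\system32\\F13BA36F45.sys
2009-01-03 11:56 3,766 a--sh--- c:\\windows\\system32\\KGyGaAvL.sys
2009-03-03 21:21 32,768 a--sh--- c:\\windows\\system32\\config\\systemprofile\\local settings\\history\\history.ie5\\mshist012009030320090304\\index.dat
"""

# One DDS file line: timestamp, size or <DIR>, eight attribute characters, path.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+"
    r"(?P<attrs>[a-z-]{8})\s+"
    r"(?P<path>.+?)\s*$"
)

def parse_dds_entries(text: str) -> List[dict]:
    """Turn DDS file lines into dicts; section headers and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        attrs = set(m.group("attrs").replace("-", ""))          # e.g. {'a', 's', 'h'}
        size = None if m.group("size") == "<DIR>" else int(m.group("size").replace(",", ""))
        entries.append({"ts": m.group("ts"), "size": size, "attrs": attrs,
                        "path": m.group("path").lower()})
    return entries

def flag_suspicious(entries: List[dict]) -> List[Tuple[str, str]]:
    """Return (path, reason) pairs for entries an analyst should look at first (heuristics assumed here)."""
    findings = []
    for e in entries:
        p = e["path"]
        if "d" in e["attrs"]:
            continue                                            # directories are not rated
        in_system32 = "\\windows\\system32\\" in p
        under_sysprofile = "\\config\\systemprofile\\" in p
        # Heuristic 1: hidden+system files sitting directly in system32 (not dllcache/drivers).
        # Droppers hide this way, but some copy-protection license files do too: verify, do not delete blindly.
        if (in_system32 and {"s", "h"} <= e["attrs"] and not under_sysprofile
                and "\\dllcache\\" not in p and "\\drivers\\" not in p):
            findings.append((p, "hidden+system file in system32"))
        # Heuristic 2: IE history under the SYSTEM profile means something running as SYSTEM used WinInet.
        if under_sysprofile and "history" in p and p.endswith("index.dat"):
            findings.append((p, "browser history under SYSTEM profile"))
    return findings

if __name__ == "__main__":
    for path, reason in flag_suspicious(parse_dds_entries(SAMPLE_LOG)):
        print(f"{reason:40} {path}")
```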



#2 Farbar

    Just Curious

  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:10 AM

Posted 09 October 2009 - 04:04 AM

Hi steedross,

Welcome to the BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.

Open your Malwarebytes' Anti-Malware.
  • First update it, to do that under the Update tab press "Check for Updates".
  • Under Scanner tab select "Perform Quick Scan", then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the MBAM log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


#3 steedross

Posted 09 October 2009 - 08:04 AM

Farbar -

Let me catch you up from my posts that were deleted.

I sent my reports to BC at 1:30ish Thursday am; it was later that day when the Security Tool hit us. We had done nothing except surf the web.

When Security Tool took over I tried to run Malware, but couldn't. I even did the renaming the file/ext thing and this didn't work. So the long and short of it is, I can't run Malware, and there are some fairly recent logs on it from earlier in the week.

I can try to run it again while I await your reply, but I'm pretty sure I can't.

steedross

#4 steedross

Posted 09 October 2009 - 08:36 AM

Farbar:

I found my notes from yesterday. When I reboot I get the following message:
Error loading c:\windows\system32\busezidi.dll

The only file in my malware folder is: mbamext.dll

Eventually my computer will go to a blue screen that indicates it is shutting down and the problem is in this file:
SPCMDCOM.SYS

Just so I'm clear. The logs you received yesterday at 1:30am were before Security Tool started its tricks.

I'm not going to try to run Malware right now - I'll just wait for your reply.

steedross

#5 Farbar

Posted 09 October 2009 - 08:47 AM

So we have to start from the beginning. There are possibly multiple (rootkit) infections on the system, and if you have enough patience and can avoid using the computer between the fixes we can find them and remove them. Some of those rootkits are older but some of them are more recent and require special treatment.

Let's see if we can get some logs. Please inform me of any kind of error you get.
  • Please download exeHelper to your desktop.
    Double-click on exeHelper.com to run the fix.
    A black window should pop up, press any key to close once the fix is completed.
    Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)
    Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

  • Download and run Win32kDiag:
  • Double-click Win32kDiag.exe to run Win32kDiag and let it finish.
  • When it states "Finished! Press any key to exit...", press any key on your keyboard to close the program.
  • Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as a reply to this topic.


#6 steedross

Posted 09 October 2009 - 09:35 AM

F - It won't let me run either program. It grabs them and "corrupts" the file, saying they are infected with the Lsas.Blaster.Keyloger worm.

#7 Farbar

Posted 09 October 2009 - 09:44 AM

If you go to Start > Run and type cmd, what do you get if you press Enter?

Edited by farbar, 09 October 2009 - 09:44 AM.


#8 steedross

Posted 09 October 2009 - 09:46 AM

Black screen comes up, goes away, SC gives message that cdm.exe is infected with worm Lsas.Blaster.Keyloger

#9 Farbar

Posted 09 October 2009 - 09:49 AM

Okay, instead type command and press Enter. Tell me if the command window stays.

#10 steedross

Posted 09 October 2009 - 09:58 AM

No sir :(

#11 Farbar

Posted 09 October 2009 - 10:09 AM

Can you run any programs like Internet Explorer, Firefox, Word perfect, Excel or any other program?

#12 steedross

Posted 09 October 2009 - 10:19 AM

Only Internet Explorer - at least I think so, since that's what I use to go online.

#13 Farbar

Posted 09 October 2009 - 11:01 AM

Please follow the instructions line by line and tell me if there is any error. If the program didn't run, try other programs I named on the computer and tell me which one runs.
  • Please set your system to show all files:
    • Click Start, open Computer, select the Tools menu and click Folder Options.
    • Select the View Tab. Under the Hidden files and folders heading, check Show hidden files and folders.
    • Uncheck: Hide file extensions for known file types
    • Uncheck: Hide protected operating system files (recommended) option.
    • Click Yes to confirm.
  • Please download OTL by OldTimer.
    • Name it iexplore.exe before saving it and Save it to your desktop.
    • Right-click on the iexplore.exe (the renamed OTL) on your desktop and select properties.
    • If there is a button "unblock" click on it, then press Apply and OK.
    • Double click to open it.
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Under driver select "all".
    • Click Run Scan button.
    • Two reports will open, copy and paste them to your reply:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
Press Unblock then Apply and OK.


#14 steedross

Posted 09 October 2009 - 11:28 AM

Ok - it ran great; however, the reports did not open - they are in the desktop folder. I'm leery to open them as Notepad also won't work. I'm afraid if I open them, they will be hijacked and rewritten on. Should I attach the unopened files to a message?

#15 Farbar

Posted 09 October 2009 - 11:43 AM

Great. :(

Yes please attach them.



