Rootkit suspected, AV stopped, IE infected



#1 TY2D2

  • Members
  • 18 posts

Posted 20 October 2009 - 08:17 PM

I have been battling this virus, malware or whatever it is for days nonstop now. It started with something called Antivirus2010 that I think I got from turning off the popup blocker on a movie website. Initially the first detected problem was the fake virus software starting with the PC. I googled and removed most of it, I thought; it stopped starting and causing problems, but it remains in the msconfig startup tab [permanently unchecked, but not findable in regedit]. Then a few hours later I found out things were getting disabled: regedit was disabled, and Task Manager was as well, as was System Restore. I googled some more, and have enabled those as of this date, but System Restore has no restore points except one for today. And I had to use an alternate registry editor to enable regedit and Task Manager.

Now the problem is my AV program eTrust is partially disabled, the Realtime monitor will not start. I tried to start it in the AV program itself and it won't, it sort of freezes the program. So I went into services and tried that way, that gave an error telling me it failed to start.

So I am at a brick wall; I cannot fix anything else. There are more things in the msconfig startup tab I don't recognize, pretty sure they are viruses or malware type stuff; I have managed to get them unchecked permanently after some Safe Mode back and forth stuff for a few hours... So for the most part the computer is running, but it isn't safe yet since the AV won't run correctly. I also tried running Malwarebytes; it automatically closes down 5 seconds into the scan process. So I have assumed I have a smart little bugger that is automatically cutting off all AV software.

Most of what I have done I have found from forums like these [this one included], so I have come back here and gone through the preparation guide sticky already.

Here's the DDS log, and the other two are attached.


*****DDS.txt******


DDS (Ver_09-10-13.01) - NTFSx86
Run by Barbara at 17:29:56.04 on Tue 10/20/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.383.123 [GMT -7:00]

AV: eTrust ITM *On-access scanning disabled* (Outdated) {33EA71EA-56CF-40B5-A06B-BD3A27397C33}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
C:\Program Files\CA\eTrustITM\InoRpc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Barbara\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Barbara\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Barbara\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Barbara\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uPolicies-explorer: NoSMHelp = 01000000
uPolicies-explorer: NoLogoff = 01000000
uPolicies-explorer: NoSMMyDocs = 01000000
uPolicies-explorer: NoSMMyPictures = 01000000
uPolicies-explorer: NoNetworkConnections = 01000000
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_07\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://go.divx.com/plugin/DivXBrowserPlugin.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1145408682875
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

S2 spupdsvc;Windows Service Pack Installer update service;c:\windows\system32\spupdsvc.exe [2005-9-1 26144]
S3 xlink;XLink Driver (xlink.sys);c:\windows\system32\drivers\xlink.sys [2006-6-30 19677]
S4 getPlusHelper;getPlus® Helper;c:\windows\system32\svchost.exe -k getPlusHelper [2004-8-4 14336]

=============== Created Last 30 ================

2009-10-20 15:54 13,646 a------- c:\windows\system32\wpa.bak
2009-10-20 15:38 <DIR> a-dshr-- C:\cmdcons
2009-10-20 15:36 236,544 a------- c:\windows\PEV.exe
2009-10-20 15:36 161,792 a------- c:\windows\SWREG.exe
2009-10-20 15:36 98,816 a------- c:\windows\sed.exe
2009-10-20 15:13 <DIR> --d----- c:\program files\BYTESWAREMAL
2009-10-12 23:45 <DIR> --d-h--- c:\windows\system32\GroupPolicy
2009-10-12 22:06 <DIR> --d-h--- c:\windows\PIF
2009-10-11 19:33 11,482 a------- c:\windows\anumyzosy.dat
2009-10-11 19:33 14,122 a------- c:\windows\lomylaze.lib
2009-10-11 17:44 0 a----r-- c:\windows\win32k.sys
2009-10-08 16:49 <DIR> --d----- c:\windows\system32\wbem\Repository

==================== Find3M ====================

2009-10-05 12:35 1,744 a------- c:\windows\system32\d3d9caps.dat
2009-10-04 20:20 1,632 a------- c:\windows\system32\d3d8caps.dat
2009-09-10 14:54 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 14:53 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-08-06 19:23 274,288 a------- c:\windows\system32\mucltui.dll
2009-08-06 19:23 215,920 a------- c:\windows\system32\muweb.dll
2009-08-05 02:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-19 14:57 15,159 a------- c:\docume~1\barbara\applic~1\tajovajo.com
2009-07-19 14:57 10,061 a------- c:\program files\common files\eqivowi.db
2009-07-18 18:49 15,053 a------- c:\docume~1\barbara\applic~1\uvejybujoq.exe
2009-07-18 18:49 12,954 a------- c:\docume~1\alluse~1\applic~1\equlohydy.com
2009-07-18 18:49 11,821 a------- c:\program files\common files\lytil.dl
2009-01-20 04:40 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009012020090121\index.dat

============= FINISH: 17:31:11.87 ===============

Thanks for any help. This isn't my computer, but I am the only one who can fix it; no one else is computer savvy. Please, if you are going to help, give slightly simplified instructions; I am only 17, not a tech server coordinator dude with 50 clients or a warehouse full of server equipment and years of experience. Thanks again!


-Tyler
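As an added illustration (not code from this thread, from DDS, or from any of the tools named in it), here is a small Python pass over entries in the shape of the DDS log above. It flags the points a helper reads the log for: the AV reporting on-access scanning disabled, Explorer lockdown policies, a core system binary sitting outside system32 at zero bytes, and several files landing in different directories in the same minute. The sample lines are constructed to match the log's format.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of lines in the shape of the DDS log posted above.
DDS_SAMPLE = """\
AV: eTrust ITM *On-access scanning disabled* (Outdated) {33EA71EA-56CF-40B5-A06B-BD3A27397C33}
uPolicies-explorer: NoLogoff = 01000000
uPolicies-explorer: NoNetworkConnections = 01000000
2009-10-11 19:33 11,482 a------- c:\\windows\\anumyzosy.dat
2009-10-11 19:33 14,122 a------- c:\\windows\\lomylaze.lib
2009-10-11 17:44 0 a----r-- c:\\windows\\win32k.sys
2009-08-06 19:23 274,288 a------- c:\\windows\\system32\\mucltui.dll
2009-07-18 18:49 15,053 a------- c:\\docume~1\\barbara\\applic~1\\uvejybujoq.exe
2009-07-18 18:49 12,954 a------- c:\\docume~1\\alluse~1\\applic~1\\equlohydy.com
2009-07-18 18:49 11,821 a------- c:\\program files\\common files\\lytil.dl
"""

FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+([\d,]+)\s+\S+\s+(.+)$")
POLICY_RE = re.compile(r"^uPolicies-explorer:\s*(\w+)\s*=\s*01000000$")
# Core binaries that belong under system32; a copy elsewhere (or an empty one) is a red flag.
SYSTEM32_ONLY = {"win32k.sys"}

def find_issues(text):
    """Return {issue_kind: [details]} for the defender-relevant oddities in a DDS log."""
    issues = defaultdict(list)
    by_minute = defaultdict(set)          # creation minute -> parent directories seen
    for line in text.splitlines():
        if line.startswith("AV:") and "disabled" in line.lower():
            issues["av_realtime_off"].append(line)
            continue
        m = POLICY_RE.match(line)
        if m:                              # Explorer UI lockdown policy switched on
            issues["explorer_policy"].append(m.group(1))
            continue
        m = FILE_RE.match(line)
        if not m:                          # <DIR> rows and section headers are skipped
            continue
        minute, size, path = m.group(1), int(m.group(2).replace(",", "")), m.group(3).lower()
        parent, _, name = path.rpartition("\\")
        if name in SYSTEM32_ONLY and (size == 0 or not parent.endswith("\\system32")):
            issues["misplaced_system_file"].append(path)
        by_minute[minute].add(parent)
    # Several files written to different directories within one minute is a dropper pattern.
    for minute, dirs in by_minute.items():
        if len(dirs) >= 2:
            issues["same_minute_drop"].append(minute)
    return dict(issues)
```

The heuristics are deliberately narrow so that the legitimate tool files written together into c:\windows (same minute, same directory) are not reported.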



#2 kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 31 October 2009 - 06:18 AM

Hello TY2D2

Welcome to BleepingComputer :(
==========================
  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.
===========
Download This file. Note its name and save it to your root folder, such as C:\.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.



