
Being redirected to random sites, and not allowed to run anti spyware/malware programs


This topic is locked
25 replies to this topic

#1 sgalow


Posted 16 November 2009 - 08:59 PM

Been having all kinds of problems with this machine, including being redirected to random websites when clicking on google search results. The worst part is it's stopping various programs from running. For instance:

1) Spybot Search and Destroy - I install it, run the scan, and the scan dies immediately and the window disappears. I can no longer run the EXE, or completely uninstall it because the primary EXE is left and can't be deleted/run. If I install again to Spybot2 folder (can't do it to the original cause it can't overwrite the EXE), same thing.

2) SuperAntiSpyware - This program actually runs and lists a few things. I clicked to remove them. Tried to run it again but the primary EXE won't work and when uninstalled, won't remove the EXE. Reinstall to a SuperAntiSpyware2 folder, and it runs again, finds nothing, but the EXE is rendered useless again.

3) MalwareBytes - Same as #1 above. The program shuts down as soon as I start a scan, and the EXE is then useless. Can't run it, delete it, uninstall it, etc. Installing to another folder does the same thing.

4) Have Norton on the computer, and the realtime scanning is stuck at disabled. Try to click the "update" button, and updates come down, install, but still won't start or do anything.

5) Ran DDS.SCR from the desktop, and I see the DOS window pop up and immediately disappear and go away, so I was not able to get you a log.

6) Ran RootRepeal.exe. Went to the reports tab and hit scan... I see it scan the drivers, and then move onto the files. I see it get all the way into the windows folder, scan through, and the program disappears. If I try to double-click the EXE again, nothing happens. I am able to delete it, recopy it back onto the desktop and try again, but it shuts down as it finishes files again.

7) The folks who own this computer (I'm the technical person helping them and have the computer at my house now) do believe they had the Windows Antivirus Pro virus, and were able to remove it, but it seems that other stuff is left. They had an issue when I got to it where they didn't even have access to run EXE files or browse their computer, but someone else was able to get that working for them when they got the other virus off. Not sure if that matters, but whatever else is left seems bad or worse.

I'm at a loss because I haven't been able to get any program to run on this machine without it just shutting it down and doing nothing, and it always seems to render the programs I run useless somehow (most can't even be deleted or used)...

Any help would be greatly appreciated.

Sean

One note. I did try to rerun RootRepeal.exe and turn off "files" which was what was causing the program to shut down. That did finish, and I got the log which is attached. I hope this helps.

Thanks,
Sean

Merged posts. ~ OB

Attached Files

  • Attached File  ark.txt   14.09KB   6 downloads

Edited by Orange Blossom, 19 November 2009 - 09:44 PM.



#2 Elise

Bleepin' Blonde, Malware Study Hall Admin

Posted 24 November 2009 - 04:51 PM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------
Please be patient and I'd be grateful if you would note the following
  • The cleaning process is not instant. DDS logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new DDS log
  • GMER log


Please give me some time to review your logs and take the steps necessary with you to get your machine back in working order clean and free of malware.

Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft


#3 sgalow


Posted 24 November 2009 - 11:55 PM

Elise,

Thanks for the reply. I'll give the description of the problem again as requested, and below this will be the results of the 2 programs you asked me to run:

Been having all kinds of problems with this machine, including being redirected to random websites when clicking on google search results. The worst part is it's stopping various programs from running. For instance:

1) Spybot Search and Destroy - I install it, run the scan, and the scan dies immediately and the window disappears. I can no longer run the EXE, or completely uninstall it because the primary EXE is left and can't be deleted/run. If I install again to Spybot2 folder (can't do it to the original cause it can't overwrite the EXE), same thing.

2) SuperAntiSpyware - This program actually runs and lists a few things. I clicked to remove them. Tried to run it again but the primary EXE won't work and when uninstalled, won't remove the EXE. Reinstall to a SuperAntiSpyware2 folder, and it runs again, finds nothing, but the EXE is rendered useless again.

3) MalwareBytes - Same as #1 above. The program shuts down as soon as I start a scan, and the EXE is then useless. Can't run it, delete it, uninstall it, etc. Installing to another folder does the same thing.

4) Have Norton on the computer, and the realtime scanning is stuck at disabled. Try to click the "update" button, and updates come down, install, but still won't start or do anything.

5) Ran DDS.SCR from the desktop as requested, and I see the DOS window pop up, see 2 colons with what appears to be a status bar appear on the bottom, and then the program disappears completely and nothing else happens (no notepad document pops up or anything). I think I shut down my AV software and did everything correctly, but no go.

6) Ran RootRepeal.exe per the original instructions. Went to the reports tab and hit scan... I see it scan the drivers, and then move onto the files. I see it get all the way into the windows folder, scan through, and the program disappears. If I try to double-click the EXE again, nothing happens. I am able to delete it, recopy it back onto the desktop and try again, but it shuts down as it finishes files again. I was able to uncheck "files" inside of RootRepeal and then it finished. The log is attached to my original post.

7) The folks who own this computer (I'm the technical person helping them and have the computer at my house now) do believe they had the Windows Antivirus Pro virus, and were able to remove it, but it seems that other stuff is left. They had an issue when I got to it where they didn't even have access to run EXE files or browse their computer, but someone else was able to get that working for them when they got the other virus off. Not sure if that matters, but whatever else is left seems bad or worse.


You requested information on DDS and GMER. The results for DDS were the same as I typed in #5 above so see that. Just can't get a log.

GMER - Launched the EXE from the desktop. It did the mini-scan. I then hit the "scan" button and it was scanning and in the "drivers" folder in windows system32, and I got a blue-screen crash. The main error was "fwroapow.sys - an attempt was made to write to read-only memory" and then gave some memory addresses and said on the blue screen that it was shut down to avoid damage, blah blah.

****** I restarted the computer in safe mode and ran GMER again. It ran all the way through to scanning files. After a bit, the program shut down (similar to what happened with RootRepeal) and the EXE was unusable. I deleted it, put GMER there again, and unchecked "files" on the right (since that appears to be killing every program I run) so you can at least get a partial log. I've pasted it below.

GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-11-24 22:52:48
Windows 5.1.2600 Service Pack 3
Running: 5b6o6iun.exe; Driver: C:\DOCUME~1\Juli\LOCALS~1\Temp\fwroapow.sys


---- Kernel code sections - GMER 1.0.15 ----

? win32k.sys:1 The system cannot find the file specified. !
? win32k.sys:2 The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe[1040] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\63C5E676.x86.dll
.text C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe[1040] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\63C5E676.x86.dll
.text C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe[1040] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\63C5E676.x86.dll

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe[1040] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\63C5E676.x86.dll
IAT C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe[1040] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\63C5E676.x86.dll

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\Device\__max++>\63C5E676.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [576] 0x35670000
Library \\?\globalroot\Device\__max++>\63C5E676.x86.dll (*** hidden *** ) @ C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe [1040] 0x35670000

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\geyekrixqqvpwo@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrixqqvpwo@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrixqqvpwo@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrixqqvpwo@imagepath \systemroot\system32\drivers\geyekrwqknukju.sys
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrixqqvpwo\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrixqqvpwo\main@aid 10096
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrixqqvpwo\main@sid 0
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrixqqvpwo\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrixqqvpwo\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrixqqvpwo\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrixqqvpwo\main\injector@* geyekrwsp.dll
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrixqqvpwo\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrixqqvpwo\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrixqqvpwo\modules@geyekrrk.sys \systemroot\system32\drivers\geyekrwqknukju.sys
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrixqqvpwo\modules@geyekrcmd.dll \systemroot\system32\geyekrfniduter.dll
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrixqqvpwo\modules@geyekrlog.dat \systemroot\system32\geyekrxmeeqtmt.dat
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrixqqvpwo\modules@geyekrwsp.dll \systemroot\system32\geyekrtkpmpuov.dll
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrixqqvpwo\modules@geyekr.dat \systemroot\system32\geyekrborowdib.dat
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL@
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@NoChange 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS@
Reg HKLM\SOFTWARE\Classes\CLSID\{31E3FC97-DFA6-BD2D-E982-A7B9DBD87050}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{31E3FC97-DFA6-BD2D-E982-A7B9DBD87050}\InprocServer32@ C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{77F8D6E9-F0A7-8D50-B905-CAC75B2E221B}\InprocServer32@ C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\ITIRCL52.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{77F8D6E9-F0A7-8D50-B905-CAC75B2E221B}\InprocServer32@InprocServer32 *r=^Vn-}f(ZXfeAR6.jiTranslationHidden>BbxH8x=!g(3?!!!_GX=b?
Reg HKLM\SOFTWARE\Classes\CLSID\{77F8D6E9-F0A7-8D50-B905-CAC75B2E221B}\InprocServer32@ThreadingModel both
Reg HKLM\SOFTWARE\Classes\CLSID\{77F8D6E9-F0A7-8D50-B905-CAC75B2E221B}\ProgID@ ITIR.LocalDatabase.5.2

---- EOF - GMER 1.0.15 ----
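Added example, not part of this thread and not GMER's own code: a small Python triage script for a GMER log laid out like the one just posted. It pulls out the modules GMER marks hidden, the user-mode hooks whose target is that hidden module or any \\?\globalroot\Device\ path, and the files a service's registry entries point at, so the same three signals can be read off any log of this layout rather than only the one above. The line formats it matches are taken from the posted GMER 1.0.15 output and are an assumption for other versions.

```python
"""Triage a GMER 1.0.15 log for the indicator types shown in the thread above.
Line layouts are assumed from the posted log and may differ in other versions."""
import re
from dataclasses import dataclass, field

# Lines excerpted from the GMER log posted above (real lines, trimmed for length).
SAMPLE_LOG = r"""
---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe[1040] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\63C5E676.x86.dll
.text C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe[1040] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\63C5E676.x86.dll
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe[1040] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\63C5E676.x86.dll
IAT C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe[1040] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\63C5E676.x86.dll
---- Processes - GMER 1.0.15 ----
Library \\?\globalroot\Device\__max++>\63C5E676.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [576] 0x35670000
Library \\?\globalroot\Device\__max++>\63C5E676.x86.dll (*** hidden *** ) @ C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe [1040] 0x35670000
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrixqqvpwo@imagepath \systemroot\system32\drivers\geyekrwqknukju.sys
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrixqqvpwo\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrixqqvpwo\main\injector@* geyekrwsp.dll
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrixqqvpwo\modules@geyekrrk.sys \systemroot\system32\drivers\geyekrwqknukju.sys
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrixqqvpwo\modules@geyekrcmd.dll \systemroot\system32\geyekrfniduter.dll
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrixqqvpwo\modules@geyekrwsp.dll \systemroot\system32\geyekrtkpmpuov.dll
"""

# Inline hook: ".text <proc>[pid] <dll>!<func> + <off> <addr> N Bytes CALL/JMP <addr> <target>"
INLINE_HOOK = re.compile(
    r"^\.text\s+(?P<proc>.+?\.exe)\[(?P<pid>\d+)\]\s+(?P<sym>\S+!\S+)\s+\+\s*[0-9A-F]+"
    r"\s+[0-9A-F]+\s+\d+ Bytes\s+(?:CALL|JMP)\s+[0-9A-F]+\s+(?P<target>\S+)$", re.I)
# Import-table hook: "IAT <proc>[pid] @ <dll> [<imported symbol>] [<addr>] <target>"
IAT_HOOK = re.compile(
    r"^IAT\s+(?P<proc>.+?\.exe)\[(?P<pid>\d+)\]\s+@\s+\S+\s+\[(?P<sym>[^\]]+)\]"
    r"\s+\[[0-9A-F]+\]\s+(?P<target>\S+)$", re.I)
# Module normal enumeration does not see: "Library <module> (*** hidden *** ) @ <proc> [pid] <base>"
HIDDEN_LIB = re.compile(
    r"^Library\s+(?P<module>\S+)\s+\(\*\*\* hidden \*\*\* \)\s+@\s+(?P<proc>.+?\.exe)\s+\[(?P<pid>\d+)\]", re.I)
# Registry value under a service key: "Reg HKLM\SYSTEM\ControlSetNNN\Services\<svc>[\sub]@<value> <data>"
SERVICE_VALUE = re.compile(
    r"^Reg\s+HKLM\\SYSTEM\\(?:ControlSet\d+|CurrentControlSet)\\Services\\"
    r"(?P<svc>[^\\@\s]+)(?P<sub>(?:\\[^\\@\s]+)*)@(?P<name>\S*)\s*(?P<data>.*?)\s*$", re.I)
# Targets under this prefix are reached through a device object, not a mounted drive letter.
DEVICE_PREFIX = "\\\\?\\globalroot\\device\\"


@dataclass
class Triage:
    hidden_modules: dict = field(default_factory=dict)  # module -> [(process, pid), ...]
    hooks: list = field(default_factory=list)           # (process, pid, symbol, target module)
    services: dict = field(default_factory=dict)        # service -> {value key -> data}


def parse_gmer(text: str) -> Triage:
    """Walk the log line by line and collect the three indicator types."""
    t = Triage()
    for raw in text.splitlines():
        line = raw.strip()
        if m := HIDDEN_LIB.match(line):
            t.hidden_modules.setdefault(m["module"], []).append((m["proc"], int(m["pid"])))
        elif m := (INLINE_HOOK.match(line) or IAT_HOOK.match(line)):
            t.hooks.append((m["proc"], int(m["pid"]), m["sym"], m["target"]))
        elif m := SERVICE_VALUE.match(line):
            sub = m["sub"].lstrip("\\")  # '' when the value sits on the service key itself
            key = f"{sub}@{m['name']}" if sub else m["name"]
            t.services.setdefault(m["svc"], {})[key] = m["data"]
    return t


def hooks_into_hidden_code(t: Triage) -> list:
    """Hooks landing in a hidden module or a device-object path: code that no
    drive-letter path reaches, which is the file-hiding signature seen in this log."""
    return [h for h in t.hooks
            if h[3] in t.hidden_modules or h[3].lower().startswith(DEVICE_PREFIX)]


def service_files(t: Triage, svc: str) -> list:
    """On-disk files the service's registry entries point at: the imagepath driver
    plus each file under its 'modules' subkey, de-duplicated in log order."""
    files = [d for k, d in t.services.get(svc, {}).items()
             if k.lower() == "imagepath" or k.lower().startswith("modules@")]
    return list(dict.fromkeys(files))


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def report(t: Triage) -> list:
    """One finding per line, suitable for pasting into a reply."""
    lines = []
    for module, procs in t.hidden_modules.items():
        where = ", ".join(f"{_base(p)}[{pid}]" for p, pid in procs)
        lines.append(f"hidden module {module} mapped into {where}")
    for proc, pid, sym, target in hooks_into_hidden_code(t):
        lines.append(f"{_base(proc)}[{pid}]: {sym} redirected into {target}")
    for svc in t.services:
        lines.append(f"service {svc} loads: " + ", ".join(service_files(t, svc)))
    return lines


if __name__ == "__main__":
    print("\n".join(report(parse_gmer(SAMPLE_LOG))))
```

Run over the full log above, the service section lists geyekrtkpmpuov.dll among the files the service loads, which is one of the paths the ComboFix log later in this thread reports under Other Deletions.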

#4 Elise


Posted 25 November 2009 - 01:38 PM

Hello sgalow,

COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Bleepingcomputer
  • ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


----------------------------------
Please save this file to your desktop. Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.
"%userprofile%\desktop\win32kdiag.exe" -f -r


---------------------------------
We need to scan the system with this special tool:

* Please download and save:

Junction.zip

* Unzip it and place Junction.exe in the Windows directory (C:\Windows).
* Go to Start => Run... => Copy and paste the following command in the Run box and click OK:

cmd /c junction -s c:\ >log.txt&log.txt& del log.txt

A command window opens starting to scan the system. Wait until a log file opens. Copy and paste the log in your next reply.


In your next reply, please include the following:
  • Combofix.txt
  • Win32kDiag.txt
  • Junction log

regards, Elise




#5 sgalow


Posted 25 November 2009 - 08:48 PM

1) I was not able to run ComboFix. It kept saying it detected Symantec Endpoint Protection enabled. I read the post on this forum for how to disable it, and I followed the directions. When double-clicking on the icon in the system tray, it said all the items were "off". It said it could damage the computer, so I hit the "X" instead of "OK". Is there anything else I can do? It thinks it's active even when I disable it...

2) I ran the Win32kDiag as explained and have attached the file to this post.

3) I ran Junction and have pasted the comments below.

Junction v1.05 - Windows junction creator and reparse point viewer
Copyright © 2000-2007 Mark Russinovich
Systems Internals - http://www.sysinternals.com


Failed to open \\?\c:\\hiberfil.sys: The process cannot access the file because it is being used by another process.
Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.
Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_50e417e0-e461-474b-96e2-077b80325612: Access is denied.
Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\4a06506622f8d0aaad04594051d708e5_50e417e0-e461-474b-96e2-077b80325612: Access is denied.
Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\663b729bffec2a02702f50be0bd303d4_50e417e0-e461-474b-96e2-077b80325612: Access is denied.
Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\75e8b8b74dbdcbfc4a8928e254f24f6b_50e417e0-e461-474b-96e2-077b80325612: Access is denied.
Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\ac9682ca9437b8d184d5e3bde0f3828d_50e417e0-e461-474b-96e2-077b80325612: Access is denied.
Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\f1a86b8c5c781938cd55ecf77ca8f4e4_50e417e0-e461-474b-96e2-077b80325612: Access is denied.
Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp: Access is denied.
Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine: Access is denied.
Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp: Access is denied.
Failed to open \\?\c:\\Documents and Settings\Jami\My Documents\My Music\iTunes\iTunes Music: Access is denied.
Failed to open \\?\c:\\Program Files\Common Files\Symantec Shared\COH\COH32.exe: Access is denied.
Failed to open \\?\c:\\Program Files\Malwarebytes' Anti-Malware\mbam.exe: Access is denied.
Failed to open \\?\c:\\Program Files\Spybot - Search & Destroy\SpybotSD.exe: Access is denied.
Failed to open \\?\c:\\Program Files\Spybot - Search & Destroy2\SpybotSD.exe: Access is denied.
Failed to open \\?\c:\\Program Files\Spybot - Search & Destroy3\SpybotSD.exe: Access is denied.
Failed to open \\?\c:\\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe: Access is denied.
Failed to open \\?\c:\\Program Files\SUPERAntiSpyware2\SUPERAntiSpyware.exe: Access is denied.
Failed to open \\?\c:\\Program Files\Windows Defender\MsMpEng.exe: Access is denied.
Failed to open \\?\c:\\System Volume Information\MountPointManagerRemoteDatabase: Access is denied.

\\?\c:\\WINDOWS\ASSEMBLY\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790

\\?\c:\\WINDOWS\ASSEMBLY\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e
Substitute Name: C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e

Failed to open \\?\c:\\WINDOWS\SYSTEM32\eventlog.dll: The process cannot access the file because it is being used by another process.


#6 Elise


Posted 26 November 2009 - 03:29 AM

It kept saying it detected Symantec Endpoint Protection enabled. I read the post on this forum for how to disable it, and I followed the directions. When double-clicking on the icon in the system tray, it said all the items were "off". It said it could damage the computer, so I hit the "X" instead of "OK". Is there anything else I can do? It thinks it's active even when I disable it...

Symantec Endpoint warned you that turning it off could damage the computer? Just ignore that warning and click OK in order to turn it off.

After that run Combofix. For this infection, it's really necessary to run Combofix and AFTER that the win32kdiag fix. So please, after running Combofix, repeat the win32kdiag fix I instructed in my previous post.

regards, Elise




#7 sgalow


Posted 26 November 2009 - 09:59 AM

My apologies for not explaining better...

I right-clicked on Symantec in the system tray and said "disable". I then went in to make sure all of the items were showing as "off" and they were.

I ran ComboFix. It first said it detected Symantec Endpoint Protection running and I should shut it down before continuing (and had an OK button). I checked again, and I see the icon in my system tray, but I followed the directions and made sure I right-clicked and disabled (I have no idea if you can totally shut it down and make it go away). It appeared to be disabled.

I hit OK in ComboFix, and then I got another warning saying that it was still running, and I could continue at my own risk, and warned me that it could do damage and to only continue at my own risk...

Thanks,
Sean

#8 Elise


Posted 26 November 2009 - 10:33 AM

Okay :(

If you are sure Symantec is turned off, you can disregard that warning Combofix gives you and continue with the steps I gave you.

regards, Elise




#9 sgalow


Posted 26 November 2009 - 11:14 AM

Thanks for the quick response... Should I see a window on the screen or anything? I hit OK on the second message about Symantec, and the hard drive made noise for a few seconds and now it's just been sitting for a while... The computer is not currently on the internet so I don't know if that matters or not, but no windows are up and it appears to just be sitting there.

Sean

#10 Elise


Posted 26 November 2009 - 12:41 PM

You should see a blue window, so I think in your case something went wrong.

It's important to have a working internet connection in this case. If you are not able to connect, let me know and I will give you additional instructions.

regards, Elise




#11 sgalow


Posted 26 November 2009 - 09:36 PM

Got Combofix to run, and then ran Win32diag after. Both logs are below. Combofix is first.

ComboFix 09-11-25.03 - Juli 11/26/2009 19:42.1.2 - x86
Running from: c:\documents and settings\Juli\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Kortni.D7BPHH71\Favorites\Online Security Test.url
C:\p2hhr.bat
c:\windows\ppp3.dat
c:\windows\ppp4.dat
c:\windows\system32\AVR09.exe
c:\windows\system32\bennuar.old
c:\windows\system32\bincd32.dat
c:\windows\system32\bszip.dll
c:\windows\system32\geyekrpqodputv.dll
c:\windows\system32\geyekrtkpmpuov.dll
c:\windows\system32\htaftsfa.ini
c:\windows\system32\s.exe
c:\windows\system32\sysnet.dat
c:\windows\SYSTEM32\xbeeg.bak2
c:\windows\SYSTEM32\xbeeg.tmp

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\eventlog.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}


((((((((((((((((((((((((( Files Created from 2009-10-27 to 2009-11-27 )))))))))))))))))))))))))))))))
.

2009-11-26 01:36 . 2007-07-24 21:58 95616 ----a-w- c:\windows\junction.exe
2009-11-25 01:47 . 2006-05-24 19:36 110592 ----a-w- c:\documents and settings\Juli\Application Data\U3\temp\cleanup.exe
2009-11-17 02:06 . 2009-11-17 02:06 34816 ----a-w- c:\windows\system32\drivers\sean.sys
2009-11-17 02:06 . 2009-11-17 02:06 34816 ----a-w- c:\windows\system32\drivers\sean.bat.sys
2009-11-13 00:48 . 2009-11-13 00:48 -------- d-----w- c:\program files\SUPERAntiSpyware2
2009-11-13 00:33 . 2009-11-13 00:33 117760 ----a-w- c:\documents and settings\Juli\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-13 00:33 . 2009-11-13 00:33 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-11-13 00:32 . 2009-11-27 01:56 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-13 00:32 . 2009-11-13 00:32 -------- d-----w- c:\documents and settings\Juli\Application Data\SUPERAntiSpyware.com
2009-11-13 00:08 . 2009-11-13 00:10 -------- d-----w- c:\program files\Spybot - Search & Destroy3
2009-11-02 22:38 . 2009-11-03 02:47 -------- d-----w- c:\program files\AskBarDis
2009-11-01 04:41 . 2009-11-26 01:46 -------- d-----w- c:\documents and settings\Juli\Application Data\U3
2009-10-31 00:18 . 2009-10-31 00:18 -------- d-----w- c:\program files\Walgreens
2009-10-31 00:18 . 2009-10-31 00:18 -------- d-----w- c:\documents and settings\Juli\Application Data\Walgreens
2009-10-31 00:18 . 2009-10-31 00:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Walgreens
2009-10-28 23:04 . 2009-10-28 23:04 1962544 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
2009-10-28 23:04 . 2009-10-28 23:04 1886320 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\GoogleToolbarInstaller_en_signed.exe
2009-10-28 23:04 . 2009-10-29 00:39 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-13 00:48 . 2007-12-08 00:28 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-13 00:08 . 2009-09-07 19:17 -------- d-----w- c:\program files\Spybot - Search & Destroy2
2009-11-03 03:10 . 2009-09-07 18:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-03 02:27 . 2007-02-25 20:37 -------- d-----w- c:\program files\Google
2009-11-02 01:20 . 2007-03-03 00:33 -------- d-----w- c:\program files\Windows Defender
2009-10-31 00:19 . 2008-10-09 01:39 -------- d-----w- c:\documents and settings\Juli\Application Data\W Photo Studio
2009-10-30 20:09 . 2007-06-18 18:11 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-10-08 03:48 . 2009-10-08 03:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-10-08 03:48 . 2009-10-08 03:48 -------- d-----w- c:\documents and settings\Jami\Application Data\Office Genuine Advantage
2009-10-03 23:05 . 2009-10-03 23:05 -------- d-----w- c:\documents and settings\Jami\Application Data\Snapfish
2009-10-03 22:50 . 2009-10-03 22:50 -------- d-----w- c:\documents and settings\Kortni.D7BPHH71.000\Application Data\Snapfish
2009-10-03 21:43 . 2009-10-03 21:43 -------- d-----w- c:\documents and settings\Dad\Application Data\Snapfish
2009-10-03 19:24 . 2006-08-27 14:45 -------- d-----w- c:\documents and settings\Juli\Application Data\Snapfish
2009-10-02 01:38 . 2009-10-01 23:36 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-02 01:05 . 2009-09-19 18:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Spyware Terminator
2009-10-02 00:58 . 2009-10-02 00:58 -------- d-----w- c:\program files\MSSOAP
2009-10-02 00:58 . 2009-10-02 00:58 -------- d-----w- c:\program files\Webroot
2009-09-29 01:31 . 2005-06-14 21:05 -------- d-----w- c:\program files\Common Files\Adobe
2009-09-28 13:22 . 2009-09-23 00:42 46640 ----a-w- c:\windows\system32\msln.exe
2009-09-28 13:19 . 2005-06-05 05:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-09-28 13:19 . 2007-02-21 23:25 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-09-28 13:16 . 2005-06-05 05:45 -------- d-----w- c:\program files\Symantec
2009-09-28 13:16 . 2009-09-28 13:16 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-09-28 13:16 . 2009-09-28 13:16 60800 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-09-28 13:16 . 2009-09-28 13:16 123952 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-09-28 13:16 . 2009-09-28 13:16 10563 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-09-28 13:09 . 2007-02-21 23:25 -------- d-----w- c:\program files\Symantec AntiVirus
2009-09-23 01:03 . 2008-03-06 22:48 70048 ----a-w- c:\documents and settings\Kortni.D7BPHH71.000\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-22 02:26 . 2005-06-05 04:13 70048 -c--a-w- c:\documents and settings\Jami\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-20 19:21 . 2006-05-09 02:29 70048 -c--a-w- c:\documents and settings\Dad\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-19 18:22 . 2009-09-19 18:22 6144 ----a-w- c:\documents and settings\All Users\Application Data\Spyware Terminator\sp_rsdel.exe
2009-09-19 18:22 . 2009-09-19 18:22 5632 ----a-w- c:\documents and settings\All Users\Application Data\Spyware Terminator\fileobjinfo.sys
2009-09-19 18:22 . 2009-09-19 18:22 142592 ----a-w- c:\windows\system32\drivers\sp_rsdrv2.sys
2009-09-10 20:54 . 2009-09-07 18:35 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 20:53 . 2009-09-07 18:35 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-27 23:26 . 2009-08-27 23:08 18432 ----a-w- c:\program files\Common Files\Windsor Tourney 2009.xls
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-07-17 23:20 279944 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-07-17 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-07-17 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-09-29 151552]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]
"MMTray"="c:\progra~1\MUSICM~1\MUSICM~3\mm_tray.exe" [2005-10-06 110592]
"dlbxmon.exe"="c:\program files\Dell Photo AIO Printer 962\dlbxmon.exe" [2004-08-27 417792]
"HPHUPD05"="c:\program files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe" [2004-04-01 49152]
"HPHmon05"="c:\windows\system32\hphmon05.exe" [2004-05-04 491520]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2004-05-04 176128]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-10-06 8192]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-29 148888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-08-14 115560]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1997-7-10 111376]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1997-7-10 51984]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware2\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware2\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0?????$\0stera\0lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"aawservice"=2 (0x2)
"WRConsumerService"=2 (0x2)
"WebrootSpySweeperService"=2 (0x2)
"sp_rssrv"=2 (0x2)
"SNAC"=3 (0x3)
"Symantec AntiVirus"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SYSTEM32\\dlbxcoms.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [x]
R3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2008-07-30 23888]
R3 EraserUtilDrv10821;EraserUtilDrv10821;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10821.sys [x]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware2\SASENUM.SYS [2009-11-11 7408]
R3 sean.bat;sean.bat;c:\windows\system32\drivers\sean.bat.sys [2009-11-17 34816]
R3 sean;sean;c:\windows\system32\drivers\sean.sys [2009-11-17 34816]
S0 ssfs0bbc;ssfs0bbc;c:\windows\system32\DRIVERS\ssfs0bbc.sys [2009-04-21 29808]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware2\SASDIFSV.SYS [2009-11-11 9968]
S1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2009-09-19 142592]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-09-17 102448]

.
Contents of the 'Scheduled Tasks' folder

2009-11-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-11-06 c:\windows\Tasks\HP DArC Task 2004-05-12 09:44ewlett-Packard0C415CBA1D36E12EF1F94B5BB45ACEE2494FF64E402004-05-12 20:18N44S33143J3.job
- c:\program files\HP\hpcoretech\comp\hpdarc.exe [2004-05-12 20:18]

2009-11-26 c:\windows\Tasks\HP Usg Daily.job
- c:\program files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe [2004-04-01 04:35]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: musicmatch.com\online
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/mygarmin/m/GarminAxControl.CAB
DPF: {0C92900E-4D5A-4F04-ACC9-729E1767BBAE} - hxxp://woodmansdigitalphoto.lifepics.com/net/Uploader/LPUploader45.cab
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.facebook.com/controls/contactx.dll
DPF: {C7DEDA04-2FFF-4B81-AE66-0A0E0EF4AD2F} - hxxp://woodmansdigitalphoto.lifepics.com/net/Uploader/LPUploader57.cab
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
Notify-ljjhheb - ljjhheb.dll
Notify-NavLogon - (no file)
SafeBoot-Symantec Antvirus
AddRemove-Gamevance - c:\program files\Gamevance\gvun.exe
AddRemove-Pdf995 - c:\program files\pdf995\setup.exe uninstall
AddRemove-Win Antivirus Pro - c:\program files\Windows Antivirus Pro\AntiSpyware_Uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-26 20:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"NoChange"="1"
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(924)
c:\program files\SUPERAntiSpyware2\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\documents and settings\Juli\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

- - - - - - - > 'explorer.exe'(3560)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTsvcCDA.EXE
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\windows\system32\dlbxcoms.exe
c:\windows\system32\HPZipm12.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-11-26 20:23 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-27 02:23

Pre-Run: 75,997,581,312 bytes free
Post-Run: 77,669,412,864 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Current=5 Default=5 Failed=4 LastKnownGood=2 Sets=1,2,4,5
- - End Of File - - 51F3326831052D87F6F50409B1C274AF



Here is the win32kdiag log:
Running from: C:\Documents and Settings\Juli\desktop\win32kdiag.exe

Log file at : C:\Documents and Settings\Juli\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Finished!

#12 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,823 posts
  • Gender:Female
  • Location:Romania
  • Local time:03:58 AM

Posted 27 November 2009 - 05:35 AM

Can you also post the junction log? I know you did this already, but I need a log from Junction AFTER combofix and win32kdiag fix were run.

So please re-run Junction and post the log.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


Malware analyst @ Emsisoft


#13 sgalow

sgalow
  • Topic Starter

  • Members
  • 14 posts
  • Local time:07:58 PM

Posted 27 November 2009 - 10:37 AM

Elise,

The junction log is below. One thing. I left the computer plugged in last night, and didn't realize windows updates were turned on, and I believe Windows did install an update. My apologies. I know you don't want anything installed during this time, and I didn't realize that it would do that. I have disabled automatic updates on this machine. Please advise if there's anything I have to do as a result of windows installing something late last night when I was away from it. My apologies. Here's the log:


Junction v1.05 - Windows junction creator and reparse point viewer
Copyright © 2000-2007 Mark Russinovich
Systems Internals - http://www.sysinternals.com


Failed to open \\?\c:\\hiberfil.sys: The process cannot access the file because it is being used by another process.

Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.

Failed to open \\?\c:\\System Volume Information: Access is denied.

...
Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_50e417e0-e461-474b-96e2-077b80325612: Access is denied.

Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\4a06506622f8d0aaad04594051d708e5_50e417e0-e461-474b-96e2-077b80325612: Access is denied.

Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\663b729bffec2a02702f50be0bd303d4_50e417e0-e461-474b-96e2-077b80325612: Access is denied.

Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\75e8b8b74dbdcbfc4a8928e254f24f6b_50e417e0-e461-474b-96e2-077b80325612: Access is denied.

Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\ac9682ca9437b8d184d5e3bde0f3828d_50e417e0-e461-474b-96e2-077b80325612: Access is denied.

Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\f1a86b8c5c781938cd55ecf77ca8f4e4_50e417e0-e461-474b-96e2-077b80325612: Access is denied.

Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp: Access is denied.

...
Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine: Access is denied.



Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp: Access is denied.

...
Failed to open \\?\c:\\Documents and Settings\Jami\My Documents\My Music\iTunes\iTunes Music: Access is denied.

...
Failed to open \\?\c:\\Program Files\Common Files\Symantec Shared\COH\COH32.exe: Access is denied.

...
Failed to open \\?\c:\\Program Files\Malwarebytes' Anti-Malware\mbam.exe: Access is denied.

...
Failed to open \\?\c:\\Program Files\Spybot - Search & Destroy\SpybotSD.exe: Access is denied.

Failed to open \\?\c:\\Program Files\Spybot - Search & Destroy2\SpybotSD.exe: Access is denied.

Failed to open \\?\c:\\Program Files\Spybot - Search & Destroy3\SpybotSD.exe: Access is denied.

Failed to open \\?\c:\\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe: Access is denied.

Failed to open \\?\c:\\Program Files\SUPERAntiSpyware2\SUPERAntiSpyware.exe: Access is denied.

...
Failed to open \\?\c:\\Program Files\Windows Defender\MsMpEng.exe: Access is denied.

...No reparse points found.

#14 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,823 posts
  • Gender:Female
  • Location:Romania
  • Local time:03:58 AM

Posted 27 November 2009 - 12:16 PM

Hello sgalow,

We need to reset the permissions altered by the malware on a few files and folders.
  • Download this tool and save it to the desktop: http://download.bleepingcomputer.com/sUBs/...xes/Inherit.exe
  • Go to Start => Run => Copy and paste the first line of the following lines in the run box and click OK:
    "%userprofile%\desktop\inherit" "c:\Program Files\Windows Defender\MsMpEng.exe"
    "%userprofile%\desktop\inherit" "c:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"
    "%userprofile%\desktop\inherit" "c:\Program Files\Common Files\Symantec Shared\COH\COH32.exe"
    "%userprofile%\desktop\inherit" "c:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
    "%userprofile%\desktop\inherit" "c:\Program Files\Spybot - Search & Destroy2\SpybotSD.exe"
    "%userprofile%\desktop\inherit" "c:\Program Files\Spybot - Search & Destroy3\SpybotSD.exe"
    "%userprofile%\desktop\inherit" "c:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
    "%userprofile%\desktop\inherit" "c:\Program Files\SUPERAntiSpyware2\SUPERAntiSpyware.exe"
    "%userprofile%\desktop\inherit" "c:\Documents and Settings\Jami\My Documents\My Music\iTunes\iTunes Music"
  • If you get a security warning select Run.
  • You will get a "Finish" popup. Click OK.
Only continue AFTER completing the steps above, otherwise you will not be able to run MBAM!!

MALWAREBYTES ANTIMALWARE
-------------------------------------------
Please start MBAM and update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


In your next reply, please include the following:
  • MBAM log

Edited by elise025, 27 November 2009 - 12:17 PM.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


Malware analyst @ Emsisoft

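Worked example, added here and not part of the thread, Junction or Inherit.exe: a Python triage script for a Junction log in the format sgalow posted above. It separates the "Access is denied" entries a healthy XP box also produces (page file, System Volume Information, MachineKeys, AV quarantine) from denials on security-tool executables under Program Files, which is the symptom Elise's Inherit.exe step repairs, and emits the equivalent `icacls /reset` commands (assumption: on Windows Vista and later, where icacls is built in, resetting to the inherited ACL does what Inherit.exe does here). The sample log is constructed, not copied from the thread.

```python
"""Triage a Sysinternals Junction log for permission tampering.

Added example; not code from the thread, Junction or Inherit.exe.
Junction prints one "Failed to open" line per path it cannot read.  On a clean
XP box those are in-use system files, System Volume Information, the CryptoAPI
MachineKeys store and AV quarantine folders.  "Access is denied" on the main
executable of a security tool under Program Files is the symptom this thread
is about: the malware rewrote the file's DACL so the tool cannot even start.
"""
import re
from dataclasses import dataclass

# Junction writes paths as \\?\c:\\dir\file; capture the path and the reason text.
LINE_RE = re.compile(r"^Failed to open \\\\\?\\(?P<path>.+?): (?P<reason>.+)$")

# Path fragments (lower-case) that a healthy system also refuses to open.
EXPECTED_DENIED = (
    "hiberfil.sys", "pagefile.sys", "system volume information",
    r"\crypto\rsa\machinekeys", r"\quarantine", r"\srtetmp", r"\dr watson\user.dmp",
)


@dataclass
class Finding:
    path: str
    reason: str
    category: str  # "tampered", "expected" or "review"


def classify(path: str, reason: str) -> str:
    low = path.lower()
    if not reason.startswith("Access is denied"):
        return "expected"  # sharing violation on hiberfil.sys / pagefile.sys
    if any(marker in low for marker in EXPECTED_DENIED):
        return "expected"
    if low.startswith(r"c:\program files") and low.endswith(".exe"):
        return "tampered"  # an installed program the user cannot even open
    return "review"  # denied outside the known-benign locations: inspect by hand


def parse_junction_log(text: str) -> list:
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # banner, progress dots, "No reparse points found."
        path = m.group("path").replace("\\\\", "\\")  # c:\\x -> c:\x
        reason = m.group("reason")
        findings.append(Finding(path, reason, classify(path, reason)))
    return findings


def reset_commands(findings) -> list:
    """icacls /reset restores the inherited ACL (Windows Vista and later); assumed
    here to be the equivalent of the Inherit.exe step used in the thread."""
    return [f'icacls "{f.path}" /reset' for f in findings if f.category == "tampered"]


# Constructed sample in the format of the Junction log posted above.
SAMPLE_LOG = r"""
Junction v1.05 - Windows junction creator and reparse point viewer

Failed to open \\?\c:\\hiberfil.sys: The process cannot access the file because it is being used by another process.
Failed to open \\?\c:\\System Volume Information: Access is denied.
Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\keyid_constructed: Access is denied.
Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine: Access is denied.
...
Failed to open \\?\c:\\Documents and Settings\Jami\My Documents\My Music\iTunes\iTunes Music: Access is denied.
Failed to open \\?\c:\\Program Files\Malwarebytes' Anti-Malware\mbam.exe: Access is denied.
Failed to open \\?\c:\\Program Files\Spybot - Search & Destroy\SpybotSD.exe: Access is denied.
Failed to open \\?\c:\\Program Files\Windows Defender\MsMpEng.exe: Access is denied.
...No reparse points found.
"""

if __name__ == "__main__":
    found = parse_junction_log(SAMPLE_LOG)
    for f in found:
        print(f"{f.category:9} {f.path}")
    print("\n".join(reset_commands(found)))
```

The "review" bucket is deliberate: the iTunes Music folder in the thread was also denied, and only a human can decide whether such a path belongs in the reset list.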

#15 sgalow

sgalow
  • Topic Starter

  • Members
  • 14 posts
  • Local time:07:58 PM

Posted 27 November 2009 - 04:12 PM

As expected, your fix did allow me to run the scanner again. :(
Here's the MBAM log.

Malwarebytes' Anti-Malware 1.41
Database version: 3244
Windows 5.1.2600 Service Pack 3

11/27/2009 3:11:07 PM
mbam-log-2009-11-27 (15-11-07).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 294374
Time elapsed: 1 hour(s), 18 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1f158a1e-a687-4a11-9679-b3ac64b86a1c} (Adware.Seekmo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{914a8f99-38e4-47ec-b875-2b0653516030} (Adware.Seekmo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{e313f5dc-cfe7-4568-84a4-c76653547571} (Adware.Seekmo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\Kortni.D7BPHH71\Start Menu\Programs\VirusProtect 3.9 (Rogue.VirusProtect) -> Quarantined and deleted successfully.

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\AVR09.exe.vir (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\eventlog.dll.vir (Trojan.Sirefef) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kortni.D7BPHH71\Start Menu\Programs\VirusProtect 3.9\VirusProtect 3.9.lnk (Rogue.VirusProtect) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kortni.D7BPHH71\Application Data\Microsoft\Internet Explorer\Quick Launch\VirusProtect 3.9.lnk (Rogue.VirusProtect) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kortni.D7BPHH71\Start Menu\VirusProtect 3.9.lnk (Rogue.VirusProtect) -> Quarantined and deleted successfully.



