Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Forum 103 told me I have a very persistent rootkit


  • This topic is locked This topic is locked
26 replies to this topic

#1 patent987

patent987

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:08:40 AM

Posted 20 November 2009 - 09:45 AM

Referred from here: http://www.bleepingcomputer.com/forums/t/271895/i-think-i-am-infected/ ~ OB

A few weeks ago, my norton antivirus auto detected a threat. I ran a full scan and deleted the threat. However, every few days something new would be detected. The names of these various risks included: Downloader, Suspicious.Vundo, Trojan.Vundo, Packed.Generic.214, Bloodhound.Exploit.193, and Trojan Horse. After reading a few of the threads in this forum, I downloaded SUPERAntiSpyware and Malwarebytes' Anti-Malware. Occasionally these products would detect some threats also and I would delete them as they were found. I am at the point now where none of these products detect anything wrong, but I think that there is something wrong. Google searches sometimes will get redirected to strange places, and popups will sometimes appear if my Internet Explorer is open (without having touched anything). I tried to do some full scans in Safe Mode, but I can no longer enter safe mode. When I try to do so, I just get an apology for a failure to start and a select list for startup options. Only Normal Startup will work. I downloaded RootRepeal and ran a scan with all the options checked and this is the report:

ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/11/16 15:13
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF76AC000 Size: 49152 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 031 Function Name: NtConnectPort
Status: Hooked by "" at address 0x8601ea28

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\Program Files\Symantec\SYMEVENT.SYS" at address 0xa6956dc0

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\Program Files\Symantec\SYMEVENT.SYS" at address 0xa6957020

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xa315b0b0

==EOF==


The moderator in Forum 103 told me to run Win32kDiag.exe and generate a report. This was that report:

Running from: C:\Documents and Settings\Charlie.Vivian\Desktop\Win32kDiag.exe
Log file at : C:\Documents and Settings\Charlie.Vivian\Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...

Cannot access: C:\WINDOWS\Prefetch\layout.ini
[1] 2009-11-12 12:19:56 352390 C:\WINDOWS\Prefetch\layout.ini ()

Finished!


The moderator in Forum 103 also asked me to type this into the cmd window:

DIR /a/s %windir%\scecli.dll %windir%\netlogon.dll %windir%\eventlog.dll >Log.txt & START notepad Log.txt

The report it generated was:

Volume in drive C has no label.
Volume Serial Number is C0C8-9961

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 06:00 AM 180,224 scecli.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 06:00 AM 407,040 netlogon.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 06:00 AM 55,808 eventlog.dll
3 File(s) 643,072 bytes

Directory of C:\WINDOWS\ERDNT\cache

04/13/2008 07:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\ERDNT\cache

04/13/2008 07:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\ERDNT\cache

04/13/2008 07:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 07:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 07:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 07:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\system32

04/13/2008 07:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\system32

04/13/2008 07:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\system32

04/13/2008 07:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Total Files Listed:
12 File(s) 2,576,896 bytes
0 Dir(s) 69,467,242,496 bytes free


This was when the moderator from forum 103 told me run a DDS log and to post it in this forum.

DDS log:

DDS (Ver_09-10-26.01) - NTFSx86
Run by Charlie.Vivian at 9:17:05.95 on Fri 11/20/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.997.315 [GMT -5:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Charlie.Vivian\Desktop\dds.scr

============== Pseudo HJT Report ===============

mWindow Title = Technical Computer Solutions, Inc.
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1187065190250
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187032443476
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: {1DEC3269-BA8B-4624-8965-C2B854555186} = 192.168.10.10
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-10-12 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-10-12 74480]
R2 osaio;osaio;c:\windows\system32\drivers\osaio.sys [2007-8-13 6784]
R2 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2005-11-15 169200]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-28 102448]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-10-12 7408]

=============== Created Last 30 ================

2009-11-13 20:16:10 73728 ----a-w- c:\windows\system32\javacpl.cpl
2009-11-13 20:14:14 0 d-----w- c:\windows\system32\appmgmt
2009-11-13 19:13:04 0 d-----w- C:\ComboFix
2009-11-13 15:10:10 3253 ----a-w- c:\windows\system32\wbem\Outlook_01ca6473648e9748.mof
2009-11-13 15:09:09 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-13 14:51:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-13 14:51:37 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-13 14:51:36 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-09 21:06:50 0 d-sh--w- c:\documents and settings\charlie.vivian\IECompatCache
2009-11-05 14:18:50 0 d-sh--w- c:\documents and settings\charlie.vivian\PrivacIE
2009-11-05 14:14:55 0 d-sh--w- c:\documents and settings\charlie.vivian\IETldCache
2009-11-05 14:12:06 92160 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-11-05 14:11:38 0 d-----w- c:\windows\ie8updates
2009-11-05 14:09:55 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-11-05 14:09:54 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-11-05 14:08:11 0 dc-h--w- c:\windows\ie8
2009-11-04 20:07:43 0 d-----w- c:\docume~1\charli~1.viv\applic~1\Malwarebytes
2009-11-04 20:07:38 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-04 19:06:59 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-11-04 19:06:43 0 d-----w- c:\program files\SUPERAntiSpyware
2009-11-04 19:06:42 0 d-----w- c:\docume~1\charli~1.viv\applic~1\SUPERAntiSpyware.com
2009-11-04 19:05:41 0 d-----w- c:\program files\common files\Wise Installation Wizard
2009-10-28 18:37:54 0 d-sha-r- C:\cmdcons
2009-10-28 18:36:26 98816 ----a-w- c:\windows\sed.exe
2009-10-28 18:36:26 77312 ----a-w- c:\windows\MBR.exe
2009-10-28 18:36:26 260608 ----a-w- c:\windows\PEV.exe
2009-10-28 18:36:26 161792 ----a-w- c:\windows\SWREG.exe
2009-10-28 13:42:26 0 d-----w- c:\windows\pss
2009-10-27 14:10:30 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

==================== Find3M ====================

2009-10-01 14:29:14 195440 ----a-w- c:\windows\system32\MpSigStub.exe
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08:21 916480 ------w- c:\windows\system32\wininet.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll

============= FINISH: 9:19:13.48 ===============


I also ran rootrepeal again to generate this log:

ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/11/20 09:24
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF771C000 Size: 49152 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 031 Function Name: NtConnectPort
Status: Hooked by "" at address 0x867ebb98

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\Program Files\Symantec\SYMEVENT.SYS" at address 0xa5a10dc0

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\Program Files\Symantec\SYMEVENT.SYS" at address 0xa5a11020

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xa17a30b0

==EOF==


Any help you can give me would be very apreciated!!!

Edited by Orange Blossom, 21 November 2009 - 08:13 PM.


BC AdBot (Login to Remove)

 


#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:01:40 PM

Posted 27 November 2009 - 08:13 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :(
Posted Image
m0le is a proud member of UNITE

#3 patent987

patent987
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:08:40 AM

Posted 30 November 2009 - 08:55 AM

I am here. Sorry for the delay. I was away for Thanksgiving. I am now back and readily available. Thanks.

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:01:40 PM

Posted 30 November 2009 - 04:58 PM

Hey patent987,

There's no rootkit showing on RootRepeal so we'll run a program to kill any malicious running and run Combofix to see if it can identify a modified file.

Download and Run RKill

Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

Link 1
Link 2
Link 3
  • Before we begin, you should disable your anti-malware softwares you have installed so they do not interfere RKill running as some anti-malware softwares detect RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply
Then

Please download ComboFix from one of these locations:* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Thanks :(
Posted Image
m0le is a proud member of UNITE

#5 patent987

patent987
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:08:40 AM

Posted 01 December 2009 - 09:38 AM

I did as you specified. ComboFix said it detected rootkit activity during the scan and that it needed to reboot. This was the log generated when the scan finished after the reboot.



ComboFix 09-11-30.05 - Charlie.Vivian 12/01/2009 9:25.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.997.569 [GMT -5:00]
Running from: c:\documents and settings\Charlie.Vivian\Desktop\comfix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\LOG.TXT

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :(
.
((((((((((((((((((((((((( Files Created from 2009-11-01 to 2009-12-01 )))))))))))))))))))))))))))))))
.

2009-12-01 14:08 . 2009-11-10 22:48 1647984 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2ef802.vdb\NAVEX32A.DLL
2009-12-01 14:08 . 2009-11-10 22:48 84912 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2ef802.vdb\NAVENG.SYS
2009-12-01 14:08 . 2009-11-10 22:48 177520 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2ef802.vdb\NAVENG32.DLL
2009-12-01 14:08 . 2009-11-10 22:48 1323568 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2ef802.vdb\NAVEX15.SYS
2009-12-01 14:08 . 2009-08-18 01:15 102448 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2ef802.vdb\ERASER.SYS
2009-12-01 14:08 . 2009-11-28 09:00 259440 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2ef802.vdb\ECMSVR32.DLL
2009-12-01 14:08 . 2009-09-09 01:24 2747952 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2ef802.vdb\CCERASER.DLL
2009-12-01 14:08 . 2009-08-18 01:15 371248 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2ef802.vdb\EECTRL.SYS
2009-12-01 14:05 . 2009-11-10 22:48 1647984 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2efc04.vdb\NAVEX32A.DLL
2009-12-01 14:05 . 2009-11-10 22:48 84912 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2efc04.vdb\NAVENG.SYS
2009-12-01 14:05 . 2009-11-10 22:48 177520 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2efc04.vdb\NAVENG32.DLL
2009-12-01 14:05 . 2009-11-10 22:48 1323568 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2efc04.vdb\NAVEX15.SYS
2009-12-01 14:05 . 2009-08-18 01:15 102448 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2efc04.vdb\ERASER.SYS
2009-12-01 14:05 . 2009-11-30 09:00 259440 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2efc04.vdb\ECMSVR32.DLL
2009-12-01 14:05 . 2009-08-18 01:15 371248 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2efc04.vdb\EECTRL.SYS
2009-12-01 14:05 . 2009-09-09 01:24 2747952 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2efc04.vdb\CCERASER.DLL
2009-11-13 20:15 . 2009-11-13 20:15 -------- d-----w- c:\program files\Java
2009-11-13 19:13 . 2009-11-13 19:31 -------- d-----w- C:\ComboFix
2009-11-13 15:09 . 2009-11-13 20:15 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-13 14:51 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-13 14:51 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-13 14:51 . 2009-11-13 14:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-13 13:50 . 2009-11-13 13:50 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-11-09 21:06 . 2009-11-09 21:06 -------- d-sh--w- c:\documents and settings\Charlie.Vivian\IECompatCache
2009-11-05 16:17 . 2009-11-05 16:17 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-11-05 14:18 . 2009-11-05 14:18 -------- d-sh--w- c:\documents and settings\Charlie.Vivian\PrivacIE
2009-11-05 14:14 . 2009-11-05 14:14 -------- d-sh--w- c:\documents and settings\Charlie.Vivian\IETldCache
2009-11-05 14:12 . 2009-10-02 04:44 92160 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-11-05 14:11 . 2009-11-05 14:12 -------- d-----w- c:\windows\ie8updates
2009-11-05 14:09 . 2009-08-29 08:08 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-11-05 14:09 . 2009-08-29 08:08 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-11-05 14:08 . 2009-11-05 14:09 -------- dc-h--w- c:\windows\ie8
2009-11-04 20:07 . 2009-11-04 20:07 -------- d-----w- c:\documents and settings\Charlie.Vivian\Application Data\Malwarebytes
2009-11-04 20:07 . 2009-11-04 20:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-04 19:17 . 2009-11-04 19:17 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-04 19:16 . 2009-11-04 19:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-11-04 19:07 . 2009-11-16 18:26 117760 ----a-w- c:\documents and settings\Charlie.Vivian\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-04 19:06 . 2009-11-04 19:06 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-11-04 19:06 . 2009-11-04 19:06 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-04 19:06 . 2009-11-04 19:06 -------- d-----w- c:\documents and settings\Charlie.Vivian\Application Data\SUPERAntiSpyware.com
2009-11-04 19:05 . 2009-11-04 19:05 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-01 14:24 . 2007-08-14 06:31 -------- d-----w- c:\program files\Symantec AntiVirus
2009-11-09 21:07 . 2009-10-27 14:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-10-27 14:10 . 2009-10-27 14:10 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-10-01 14:29 . 2009-10-05 13:17 195440 ----a-w- c:\windows\system32\MpSigStub.exe
2009-09-11 14:18 . 2004-08-04 11:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2004-08-04 11:00 58880 ----a-w- c:\windows\system32\msasn1.dll
.

((((((((((((((((((((((((((((( SnapShot_2009-11-13_19.25.48 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-01-29 08:58 . 2009-10-28 15:07 46080 c:\windows\system32\tzchange.exe
- 2007-01-29 08:58 . 2009-07-14 11:03 46080 c:\windows\system32\tzchange.exe
+ 2004-08-04 11:00 . 2008-04-13 18:40 96512 c:\windows\system32\dllcache\atapi.sys
+ 2009-12-01 14:24 . 2009-12-01 14:24 16384 c:\windows\system32\config\systemprofile\Local Settings\temp\Perflib_Perfdata_208.dat
- 2007-08-14 02:43 . 2009-11-13 14:17 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-08-14 02:43 . 2009-12-01 13:59 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-11-13 13:50 . 2009-11-13 14:17 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2009-11-13 13:50 . 2009-12-01 13:59 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2009-11-04 19:14 . 2009-11-13 14:17 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-11-04 19:14 . 2009-12-01 13:59 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-11-30 22:41 . 2009-11-30 22:41 32768 c:\windows\Installer\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}\icon.exe
+ 2007-04-17 02:43 . 2009-08-07 00:23 215920 c:\windows\system32\muweb.dll
+ 2007-08-14 08:08 . 2009-08-07 00:23 274288 c:\windows\system32\mucltui.dll
- 2009-11-13 15:09 . 2009-11-13 15:08 149280 c:\windows\system32\javaws.exe
+ 2009-11-13 20:16 . 2009-11-13 20:15 149280 c:\windows\system32\javaws.exe
- 2009-11-13 15:09 . 2009-11-13 15:08 145184 c:\windows\system32\javaw.exe
+ 2009-11-13 20:16 . 2009-11-13 20:15 145184 c:\windows\system32\javaw.exe
+ 2009-11-13 20:16 . 2009-11-13 20:15 145184 c:\windows\system32\java.exe
- 2009-11-13 15:09 . 2009-11-13 15:08 145184 c:\windows\system32\java.exe
+ 2009-11-30 22:41 . 2009-11-30 22:41 429568 c:\windows\Installer\1e8bdc3.msi
+ 2009-07-21 05:03 . 2009-07-21 05:03 1348432 c:\windows\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9876.0_x-ww_a621d1d5\msxml4.dll
+ 2008-08-30 01:06 . 2009-07-31 15:05 1372672 c:\windows\system32\msxml6.dll
+ 2009-07-21 05:05 . 2009-07-21 05:05 1348432 c:\windows\system32\msxml4.dll
+ 2006-11-29 15:53 . 2009-07-31 04:35 1172480 c:\windows\system32\msxml3.dll
+ 2008-09-16 12:40 . 2009-07-31 15:05 1372672 c:\windows\system32\dllcache\msxml6.dll
+ 2006-11-29 15:53 . 2009-07-31 04:35 1172480 c:\windows\system32\dllcache\msxml3.dll
+ 2009-11-13 20:15 . 2009-11-13 20:15 1757696 c:\windows\Installer\189461.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-10-13 2000112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-15 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-15 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-15 138008]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-10-04 48752]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-11-15 85744]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-13 149280]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-06-15 16132608]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2007-8-13 106560]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"1082:TCP"= 1082:TCP:RDP-1082

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [10/12/2009 9:24 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/12/2009 9:24 PM 74480]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [11/15/2005 12:27 PM 169200]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/28/2009 8:03 AM 102448]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 5:19 PM 13592]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [10/12/2009 9:24 PM 7408]
.
.
------- Supplementary Scan -------
.
mWindow Title = Technical Computer Solutions, Inc.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {1DEC3269-BA8B-4624-8965-C2B854555186} = 192.168.10.10
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-01 09:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1220)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
.
Completion time: 2009-12-01 09:32
ComboFix-quarantined-files.txt 2009-12-01 14:32
ComboFix2.txt 2009-11-13 19:31
ComboFix3.txt 2009-11-02 20:26
ComboFix4.txt 2009-10-28 18:51

Pre-Run: 69,265,551,360 bytes free
Post-Run: 69,233,307,648 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 52149AB41FBE23098A2F0013BD46C410

#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:01:40 PM

Posted 01 December 2009 - 06:10 PM

That should probably be that. Just to check we'll run a few scans

Please download Posted Image Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.


Then

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
Let me know how the PC is running too. :(
Posted Image
m0le is a proud member of UNITE

#7 patent987

patent987
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:08:40 AM

Posted 02 December 2009 - 11:06 AM

While I was running MBAM my norton auto detect found and deleted something called a Trojan.ByteVerify. MBAM itself did not find any threats. I rebooted and then ran the ESET Scan. The ESET Scan found a threat called Win32/Olmarik.PV trojan although it is unclear to me whether it was deleted or just quarantined. The computer has seemed to run better since I ran Combofix as you instructed yesterday. I have not since seen funny popups or had google searches redirect to strange sites. I am also no longer prevented from entering safe mode. Here are the logs you requested. Thanks again for all the help you have been providing!

Malwarebytes' Anti-Malware 1.41
Database version: 3275
Windows 5.1.2600 Service Pack 3

12/2/2009 9:54:39 AM
mbam-log-2009-12-02 (09-54-39).txt

Scan type: Full Scan (C:\|)
Objects scanned: 158727
Time elapsed: 31 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir Win32/Olmarik.PV trojan cleaned by deleting - quarantined

#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:01:40 PM

Posted 02 December 2009 - 06:13 PM

That's a clean MBAM log and the trojan that ESET deleted was already in quarantine (as you rightly said) in a Combofix folder.

Your symptoms are gone and so...


You're clean. Good stuff! :(

Let's do some clearing up

Uninstall ComboFix

Remove Combofix now that we're done with it.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
    (For Vista/Windows 7 please click Start -> All Programs -> Accessories -> Run)
  • Now type in Comfix /Uninstall in the runbox and click OK. (Notice the space between "Comfix" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
This will uninstall Combofix and anything associated with it.


Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click Posted Image icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big Posted Image button.
  • You will get a prompt saying "Being Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
------------------------------------------------------------------------------------------------------------------------

Here's some advice on how you can keep your PC clean


Update your AntiVirus Software

It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the programs virus definitions.


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerability that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.


Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version. or the Pro version for a 15 day trial period.

Installing this or another recommended program will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis just as you would an antivirus software.


Finally, here's a treasure trove of antivirus, antimalware and antispyware resources


That's it patent987, happy surfing!

Cheers.

m0le
Posted Image
m0le is a proud member of UNITE

#9 patent987

patent987
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:08:40 AM

Posted 03 December 2009 - 09:55 AM

Thank you very much for all of your help. I have done as you have instructed and hopefully things will run smoothly from here on out!

#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:01:40 PM

Posted 03 December 2009 - 05:35 PM

The topic will stay open for five days if you need to come back. (you won't). PM me after that if you want to.

Cheers.

m0le
Posted Image
m0le is a proud member of UNITE

#11 patent987

patent987
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:08:40 AM

Posted 08 December 2009 - 12:14 PM

I was hijacked this morning out of the blue, my norton, task manager and probably other programs were disabled or would imediately close upon opening. However, during the chaos my Norton auto protect identified and deleted something called Trojan.ByteVerify. I was able to shut down the computer and restart in safe mode. I ran a quick scan with MBAM that found a lot of stuff. The log for that scan will be pasted in my next post (I am having trouble finding the log in normal mode now since I was loged on as adminstrator at the time). MBAM then prompted a restart to complete its changes. I then ran a full Norton anti-virus scan (aslo in safe mode) that found nothing and then I ran a full scan with MBAM (aslo in safe mode) that found nothing new. I rebooted in normal mode and noticed a strange icon on my desktop called AdbeRdrUpd817_all_incr. I did not double click or delete this icon. I then updated MBAM and did another quick scan. It found one threat which is currently quarantined and I have posted that log as the log below. Thanks for all your help so far.


Malwarebytes' Anti-Malware 1.42
Database version: 3322
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/8/2009 11:39:02 AM
mbam-log-2009-12-08 (11-39-02).txt

Scan type: Quick Scan
Objects scanned: 119500
Time elapsed: 4 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:01:40 PM

Posted 08 December 2009 - 12:35 PM

This is a different kind of rootkit than before. Do you know how this got in?

MBAM has noticed a registry change which some malware uses to gain control and to lock you out.


We need to ID this one first though.

Please save this file to your desktop. Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK.

"%userprofile%\desktop\win32kdiag.exe" -f -r

When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.


Then please run Gmer

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    Posted Image
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

Thanks, :(
Posted Image
m0le is a proud member of UNITE

#13 patent987

patent987
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:08:40 AM

Posted 08 December 2009 - 01:21 PM

I am not sure how I would have been infected. but I did notice a JAVA icon in my taskbar that appeared just before things went crazy. At the time I was on the website livescience.com. I don't visit any questionable websites and only use well known sites. The other MBAM log I was talking about followed by the Win32Diag log are below. I will do the GMER step next. Thanks again!

Malwarebytes' Anti-Malware 1.41
Database version: 3275
Windows 5.1.2600 Service Pack 3 (Safe Mode)

12/8/2009 10:12:23 AM
mbam-log-2009-12-08 (10-12-23).txt

Scan type: Quick Scan
Objects scanned: 119011
Time elapsed: 7 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 18

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\personal protector (Rogue.PersonalProtector) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{56451bb8-20a7-40a0-aeb9-7c733b5d391a} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\personalprotector (Rogue.PersonalProtector) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\InternetProvider (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\Charlie.Vivian\Start Menu\Programs\Personal Protector (Rogue.PersonalProtector) -> Quarantined and deleted successfully.
C:\Program Files\Personal Protector (Rogue.PersonalProtector) -> Quarantined and deleted successfully.
C:\Program Files\Personal Protector\q (Rogue.PersonalProtector) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Charlie.Vivian\Start Menu\Programs\Personal Protector\Personal Protector.lnk (Rogue.PersonalProtector) -> Quarantined and deleted successfully.
C:\Program Files\Personal Protector\base.wdb (Rogue.PersonalProtector) -> Quarantined and deleted successfully.
C:\Program Files\Personal Protector\baseadd.wdb (Rogue.PersonalProtector) -> Quarantined and deleted successfully.
C:\Program Files\Personal Protector\conf.wcf (Rogue.PersonalProtector) -> Quarantined and deleted successfully.
C:\Program Files\Personal Protector\personalprotector.exe (Rogue.PersonalProtector) -> Quarantined and deleted successfully.
C:\Program Files\Personal Protector\quarant.wdb (Rogue.PersonalProtector) -> Quarantined and deleted successfully.
C:\Program Files\Personal Protector\queue.wdb (Rogue.PersonalProtector) -> Quarantined and deleted successfully.
C:\Program Files\Personal Protector\un.exe (Rogue.PersonalProtector) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winscent.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\certofSystem.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Explorers.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Microsoftdefend.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\regp.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\secureit.com (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\spoos.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Charlie.Vivian\Desktop\Personal Protector.lnk (Rogue.PersonalProtector) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Microsoft PData\inetprovider.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Microsoft PData\track.wid (Trojan.FakeAlert) -> Quarantined and deleted successfully.


Running from: C:\Documents and Settings\Charlie.Vivian\desktop\win32kdiag.exe

Log file at : C:\Documents and Settings\Charlie.Vivian\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Cannot access: C:\WINDOWS\Prefetch\layout.ini

Attempting to restore permissions of : C:\WINDOWS\Prefetch\layout.ini



Finished!

#14 patent987

patent987
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:08:40 AM

Posted 08 December 2009 - 02:07 PM

I tried to run GMER in normal mode. The initial scan listed about 4 different things (i don't remember them), but I didn't receive any warning prompts. I then hit the scan button as directed and it started. After about 5 seconds the computer just completely turned off and restarted (it did not go through any type of shut down procedure). Windows gave some warning that it had recovered from some sort of a big error. I then rebooted into safe mode and tried to run GMER there. That seemed to work fine, but this time only one thing appeared in the list. I hit the scan button and it did a full scan. When I hit the save button at the end this is the log that was produced:

GMER 1.0.15.15273 - http://www.gmer.net
Rootkit scan 2009-12-08 13:57:25
Windows 5.1.2600 Service Pack 3
Running: 4qnytymr.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\axryikob.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----



Thank you again for the help you are providing!

#15 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:01:40 PM

Posted 08 December 2009 - 04:23 PM

You're welcome.

It is possible that you got this from a legitimate hacked site. This does show that your system may now be compromised. Please read this about backdoor/trojans:


One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.


If you are choosing to continue then we need to recheck for rootkits - Gmer's log seems very strange.

We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.

    First Location
    Second Location
    Third Location

  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all seven boxes: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.
Thanks :(
Posted Image
m0le is a proud member of UNITE




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users