Combo-Fix.sys rootkit.agent found by malwarebytes

Posted 23 November 2009 - 05:39 PM

I noticed that every time I opened a web page with Flash Player on, my CPU was going crazy.
It was running at 90-95%.
I thought it might be the fact that I was using Google Chrome.
I had AVG Free as anti-virus, but my partner changed broadband provider and with the package came McAfee. I don't use these types of anti-virus, but I thought as it was free I would give it a go. The problems started soon after. I remembered reading on this website some time ago that NOD32 was a good anti-virus, so I uninstalled McAfee and got a month's trial of NOD32. That picked up 2 viruses. Things were OK for a couple of days after that, but then things have really started slowing down. I use Chrome, don't know if that has anything to do with it.
If someone could help I would be grateful.

DDS (Ver_09-11-23.01) - NTFSx86
Run by geasy at 22:00:16.78 on 23/11/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.106 [GMT 0:00]

AV: ESET NOD32 Antivirus 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\DNA\btdna.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\O2\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Documents and Settings\geasy\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://uk.search.yahoo.com/search?fr=mcafee&p=%s
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
mRun: [O2] "c:\program files\o2\bin\sprtcmd.exe" /P O2
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
dRun: [ctfmon.exe] c:\windows\system32\CTFMON.EXE
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {33564D57-9980-0010-8000-00AA00389B71}

============= SERVICES / DRIVERS ===============

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-9-11 108792]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2009-9-11 96408]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2009-9-11 735960]
R2 sprtsvc_O2;SupportSoft Sprocket Service (O2);c:\program files\o2\bin\sprtsvc.exe [2009-3-4 202016]

=============== Created Last 30 ================

2009-11-23 21:16:50 0 d-----w- c:\program files\SystemRequirementsLab
2009-11-23 10:55:43 0 d--h--w- c:\windows\PIF
2009-11-21 14:24:50 0 d-----w- c:\windows\pss
2009-11-21 08:33:01 0 d-----w- c:\program files\PowerISO
2009-11-15 14:44:38 0 d-----w- c:\program files\iPod
2009-11-15 14:43:54 0 d-----w- c:\program files\iTunes
2009-11-15 13:38:03 0 d-----w- c:\program files\AskBarDis
2009-11-15 13:37:15 1221512 ----a-w- c:\windows\system32\zpeng25.dll
2009-11-15 13:37:12 350192 ----a-w- c:\windows\system32\vsconfig.xml
2009-11-15 13:31:46 0 d-----w- c:\program files\Zone Labs
2009-11-09 03:21:18 59388 ----a-w- c:\windows\system32\drivers\scdemu.sys

==================== Find3M ====================

2009-11-15 13:37:33 4212 -c-ha-w- c:\windows\system32\zllictbl.dat
2009-09-25 05:56:36 662016 ----a-w- c:\windows\system32\wininet.dll
2009-09-25 05:56:32 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-09-11 14:33:52 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 20:45:26 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-26 08:16:37 247326 ----a-w- c:\windows\system32\strmdll.dll

============= FINISH: 22:01:07.40 ===============

I posted this in Am I Infected, but when no one replied to it I did some more research and this is what I came up with.
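The Pseudo HJT section of the DDS log above is what a helper reads first: BHO and toolbar registrations, the Run keys for each hive, and IE extras. The entries ending in "No File" are COM registrations whose DLL is gone (typically a leftover of an uninstall or of an earlier removal), and the u/m/d prefix on the Run lines tells you which hive the autostart lives in. The following parser is an added example written for this thread, not a tool from the original post or from BleepingComputer; it works over a constructed sample copied from the log above (the Java BHO name lightly simplified), lists orphaned registrations, and buckets each autostart by where its image lives. The u/m/d to HKCU/HKLM/HKU\.DEFAULT mapping and the default XP path layout are assumptions stated in the comments.

```python
import re

# Constructed sample: the Pseudo HJT lines from the DDS log in the first post.
SAMPLE_HJT = r"""
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://uk.search.yahoo.com/search?fr=mcafee&p=%s
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
dRun: [ctfmon.exe] c:\windows\system32\CTFMON.EXE
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {33564D57-9980-0010-8000-00AA00389B71}
"""

CLSID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
# BHO / toolbar lines: optional friendly name, CLSID, then the DLL path or "No File".
COM_RE = re.compile(r"^(?P<kind>BHO|TB): (?:(?P<name>.*?): )?(?P<clsid>" + CLSID + r") - (?P<path>.*)$")
# Run-key lines: the prefix letter is the hive (assumed: u = current user, m = machine, d = default user).
RUN_RE = re.compile(r"^(?P<hive>[umd])(?P<kind>Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# IE extra buttons/menu items and Downloaded Program Files (ActiveX) entries.
IE_RE = re.compile(r"^(?P<kind>IE|DPF): (?P<clsid>" + CLSID + r")(?: - (?P<path>.*))?$")

HIVES = {"u": "HKCU", "m": "HKLM", "d": "HKU\\.DEFAULT"}


def executable_from_command(cmd):
    """Strip arguments from a Run-key command line, honouring a quoted image path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def classify_location(path):
    """Coarse bucket for where an autostart image lives (assumes the default XP layout on C:)."""
    p = path.lower().replace("%systemroot%", r"c:\windows").replace("%windir%", r"c:\windows")
    if p.startswith(r"c:\windows"):
        return "windows"
    if p.startswith(r"c:\program files"):
        return "program_files"
    return "other"


def parse_hjt(text):
    """Turn Pseudo HJT report lines into dicts; unrecognised lines are kept as 'setting' entries."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = COM_RE.match(line)
        if m:
            entries.append({"kind": m["kind"], "name": m["name"] or "",
                            "clsid": m["clsid"].lower(), "path": m["path"]})
            continue
        m = RUN_RE.match(line)
        if m:
            exe = executable_from_command(m["cmd"])
            entries.append({"kind": m["kind"], "hive": HIVES[m["hive"]], "name": m["name"],
                            "path": exe, "location": classify_location(exe)})
            continue
        m = IE_RE.match(line)
        if m:
            entries.append({"kind": m["kind"], "clsid": m["clsid"].lower(), "path": m["path"] or ""})
            continue
        entries.append({"kind": "setting", "raw": line})
    return entries


def orphaned_entries(entries):
    """COM registrations whose file is gone: leftovers of an uninstall or a removed infection."""
    return [e for e in entries if e["kind"] in ("BHO", "TB") and e["path"] == "No File"]


def autostart_entries(entries):
    """Everything that runs at logon, with the hive it comes from."""
    return [e for e in entries if e["kind"] in ("Run", "RunOnce")]


def report(text):
    """Human-readable summary: orphans first, then autostarts with their location bucket."""
    entries = parse_hjt(text)
    lines = [f"orphan {e['kind']} {e['clsid']} -> registration points at a missing file"
             for e in orphaned_entries(entries)]
    lines += [f"{e['hive']}\\...\\{e['kind']} [{e['name']}] {e['path']} ({e['location']})"
              for e in autostart_entries(entries)]
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_HJT)))
```

Entries bucketed as "other" (an image under a user profile or a temp folder) are the ones worth looking at first; here every autostart lives under Program Files or Windows, and the two orphans match the BHO and toolbar CLSIDs a CFScript would later clean up.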

Posted 29 November 2009 - 08:38 AM

Hello, and welcome to the Bleeping Computer Malware Removal Forum

I will be working on your malware issues; this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a DDS log, please do so again, as your situation may have changed.

We need to see some information about what is happening in your machine. Please perform the following scan:
• Double click on the DDS icon, allow it to run.
• A small box will open, with an explanation about the tool. No input is needed, the scan is running.
• Notepad will open with the results.
• Follow the instructions that pop up for posting the results.
• Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

• Main Mirror
• Zipped Mirror
This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
• Disconnect from the Internet and close all running programs.
• Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
• Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
• Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

• GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
• Now click the Scan button. If you see a rootkit warning window, click OK.
• When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
• Click the Copy button and paste the results into your next reply.
• Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

Please be patient and I'd be grateful if you would note the following
• The cleaning process is not instant. DDS logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
• The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
• Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

• A detailed description of your problems
• A new DDS log
• GMER log

Please give me some time to review your logs and take the steps necessary with you to get your machine back in working order clean and free of malware.

Thanks and again sorry for the delay
regards, Elise

Posted 30 November 2009 - 05:52 PM

Here are the logs you asked me to post.

Posted 01 December 2009 - 04:04 AM

Hello geasy,

P2P WARNING
Going over your logs I noticed that you have BitTorrent installed.
• Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
• They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
• Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
• The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
It is pretty much certain that if you continue to use P2P programs, you will get infected again.
I would recommend that you uninstall BitTorrent and DNA, however that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.

COMBOFIX
---------------
ForoSpyware
• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
• Double click on Combofix.exe and follow the prompts.
• As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

• Combofix.txt

regards, Elise

Posted 01 December 2009 - 04:09 PM

Hi again. I did the ComboFix scan, although I disabled NOD32 the way it said in the link you posted, but when I came to run ComboFix a warning popped up and I couldn't stop the scan. I hope this has not interfered with the scan. (NOD32 did say it was disabled but ComboFix said it was still running.)

I use BitTorrent to send my brother MP3 and WAV files, as we both make computer music and send samples and info to one another. I tried sending them through Hotmail but it seemed to take forever, so this is the fastest way we have found. I know my daughter has downloaded at least one P2P file. I've told her the dangers of doing this and that not everything you download from the net is what it says it is. When she comes home from college I shall have words, but as far as I know she does not use it anymore (I hope).

If you think I should delete it then I shall take your advice, as you are a lot more knowledgeable than I am in these matters.

Once again thank you ever so much for taking your time to help me out.

Posted 01 December 2009 - 04:26 PM

Hello geasy,

Please be aware that you can infect your brother also if he downloads your torrents! At the moment I don't see any active malware, but it's always a risk factor, so you might want to ask him to do some malware scans, just to be on the safe side.

Let's see if we can get your Flash cookies cleaned up. Let me know how your Flash problem is afterwards.

• Double click from your desktop

• Check "Everything but Adobe Site Settings"

• Mouse click "Make it so!"

• Now go to the Adobe Flash Player Settings Manager

• In the "Website Storage Settings" choose the "Delete All Sites" tab then "Confirm"

• Next in the "Global Storage Settings" uncheck "Allow third-party Flash content to store on your computer"

• Finally in the "Global Privacy Settings" choose "Always Deny" then "Confirm"

• You have now successfully deleted cookies stored and changed the Flash Players default settings to prevent access in the future.
CF-SCRIPT
We need to execute a CF-script.
• Close any open browsers.
• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
• Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:
registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"=-

folder::
c:\program files\AskBarDis
Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

• Combofix.txt

regards, Elise
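The CFScript above uses two ComboFix directives: a registry:: block written in .reg syntax, where [-KEY] deletes a key and "Name"=- deletes a value under the most recently named key, and a folder:: block listing directories to remove. Because a script like this is dragged onto ComboFix and executed without a confirmation step, it is worth reading back what it will actually do before running it. The dry-run checker below is an added example for this thread, not part of ComboFix or of the helper's instructions; it parses a constructed copy of the script above into a list of intended actions, flags anything it cannot read, and refuses to list a whole-hive or drive-root deletion. It deliberately does not expand ComboFix's "~" path abbreviation (the exact expansion is not given on this page), it only flags it, and directives other than registry:: and folder:: are reported as unhandled rather than guessed at.

```python
import re

# Constructed sample: the CFScript posted above, with HKEY_LOCAL_MACHINE\~ left exactly as written.
SAMPLE_CFSCRIPT = r"""
registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"=-

folder::
c:\program files\AskBarDis
"""

SECTION_RE = re.compile(r"^(?P<name>[A-Za-z]+)::$")          # e.g. registry:: / folder::
KEY_RE = re.compile(r"^\[(?P<delete>-)?(?P<key>[^\]]+)\]$")    # [KEY] selects, [-KEY] deletes
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=(?P<data>.*)$')     # "Name"=- deletes a value
ROOT_KEYS = ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_USERS", "HKEY_CLASSES_ROOT")


def parse_cfscript(text):
    """Return (actions, problems): what the script asks for, and anything the checker would not pass."""
    actions, problems = [], []
    section, current_key = None, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, current_key = m["name"].lower(), None
            if section not in ("registry", "folder"):
                problems.append(f"line {lineno}: directive '{section}::' not handled by this checker")
            continue
        if section == "registry":
            m = KEY_RE.match(line)
            if m:
                current_key = m["key"]
                root = current_key.split("\\", 1)[0].upper()
                if root not in ROOT_KEYS:
                    problems.append(f"line {lineno}: unknown hive in {current_key}")
                if "\\~\\" in current_key:
                    problems.append(f"line {lineno}: '~' is a ComboFix path abbreviation, kept verbatim")
                if m["delete"]:
                    if "\\" not in current_key:
                        problems.append(f"line {lineno}: refuses to delete a whole hive ({current_key})")
                    else:
                        actions.append(("delete_key", current_key))
                continue
            m = VALUE_RE.match(line)
            if m and current_key:
                if m["data"] == "-":
                    actions.append(("delete_value", current_key, m["name"]))
                else:
                    actions.append(("set_value", current_key, m["name"], m["data"]))
                continue
            problems.append(f"line {lineno}: unparsed registry line: {line}")
        elif section == "folder":
            if re.fullmatch(r"[a-zA-Z]:\\?", line):
                problems.append(f"line {lineno}: refuses to delete drive root {line}")
            else:
                actions.append(("delete_folder", line))
        else:
            problems.append(f"line {lineno}: text before any directive: {line}")
    return actions, problems


def describe(text):
    """One line per intended action, followed by the problems, for reading back before running."""
    actions, problems = parse_cfscript(text)
    out = [" ".join(a) for a in actions]
    out += ["PROBLEM: " + p for p in problems]
    return out


if __name__ == "__main__":
    print("\n".join(describe(SAMPLE_CFSCRIPT)))
```

For the script above the read-back is one key deletion, one value deletion under the IE Toolbar key and one folder removal, plus a note about the "~" abbreviation; the two CLSIDs being removed are the orphaned BHO and toolbar registrations that a DDS report shows as "No File".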

Posted 01 December 2009 - 06:34 PM

I went to a MySpace page, as that's where I first noticed the problem. It didn't load the Flash Player at all, so I went to YouTube and put on a random video. When I checked Task Manager it said Google Chrome was using 65% CPU. If you right-click on the blue bar at the top of the page when using Chrome it gives you a task manager just for Chrome. That said that the plug-in Flash Player was using 60% CPU. I don't understand it, as it never used so much before. I can only have one web page open at a time, and if I want to run a program like iTunes I have to start it before I go to work in the morning and if I'm lucky it will be ready when I get home.

Thank you for all your help.

Posted 02 December 2009 - 08:41 AM

Please try to re-install Adobe Flashplayer and see if that changes anything.

Also, your logs show you are still running BitTorrent, please do not use it until we are done here.

regards, Elise

Posted 05 December 2009 - 08:59 AM

Hi, sorry I haven't been in contact for a while but I've been away working.

I've reinstalled Flash Player but still nothing. I'm not using BitTorrent to receive any files, but I have a few bits I still need to send to finish a track we have been working on for a couple of months; as soon as I have sent them all I will be deleting it. The reason I didn't reformat my PC was because I am so close to finishing it. My brother has a better sound system than I do, so he EQs everything for me, so I've asked him to put it on CD and send it back through the post instead of BitTorrent.

Sorry to be a pain.

Posted 05 December 2009 - 10:01 AM

the reason i didnt reformat my pc was because i am so close to finishing it,

Does this mean you are planning to do a reformat in the near future?

Sorry, short post, I am real busy and will get back to this ASAP

regards, Elise

Posted 06 December 2009 - 02:06 PM

Not if I can help it, so much work will be lost.

I was thinking about it as a last option. I can normally iron out these little problems but this has got me.

If nothing can be done here then it's time to dust off the XP disc, and spend the whole of Christmas trying to put everything back in order.

I really am grateful for you taking your own time to help me.

Posted 06 December 2009 - 03:41 PM

Hello geasy,

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

TFC
--------
(TFC only cleans temp folders. It will not clean URL history, prefetch, or cookies).
Close any open windows.
• Double click the TFC icon to run the program
• TFC will close all open programs itself in order to run,
• Click the Start button to begin the process.
• Allow TFC to run uninterrupted.
• The program should not take long to finish its job.
Once it's finished it should automatically reboot your machine; if it doesn't, manually reboot to ensure a complete clean.

It's normal after running TFC cleaner that the PC will be slower to boot the first time.

TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.

SUPERANTISPYWARE
-----------------------------
• Double-click SUPERAntiSpyware.exe and use the default settings for installation.
• An icon will be created on your desktop. Double-click that icon to launch the program.
• If it will not start, go to Start > All Programs > SUPERAntiSpyware and click on Alternate Start.
• In the Main Menu, click the Preferences... button.
• Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
• Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
• Close browsers before scanning.
• Terminate memory threats before quarantining.
• Click the "Close" button to leave the control center screen and exit the program.
• Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
• Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
• On the left, make sure you check C:\Fixed Drive.
• On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
• After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
• Make sure everything has a checkmark next to it and click "Next".
• A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
• If asked if you want to reboot, click "Yes" and reboot normally.
• To retrieve the removal information after reboot, launch SUPERAntispyware again.
• Click Preferences, then click the Statistics/Logs tab.
• Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
• If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
• Click Close to exit the program.
• SUPERAntiSpyware scan log

regards, Elise

Posted 09 December 2009 - 03:57 PM

Hello, are you still there?

regards, Elise

Posted 14 December 2009 - 03:45 PM

Due to lack of feedback, this topic is now closed.

If you are the original topic starter and you need this topic to be re-opened, please send me a PM.

Everyone else, please start a new topic.

regards, Elise

