Possible Multiple Rootkit/Malware on my system


11 replies to this topic

#1 ed37


Posted 14 December 2009 - 09:02 PM

Hello!

I am a complete new fish at all these weird Malware / Rootkit problems, so firstly I turned to the chaps at GMER, who directed me to your website since I ran their program and couldn't interpret the results: but I definitely have one or more problems with my system:

GMER said that this file was infected: C:\WINDOWS\system32\drivers\atapi.sys. So I am supposed to use "Recovery Console" to replace the file. I managed to download the file to my system, but haven't tried to use it as I don't know what I am doing.

Then AVG every 2 minutes (or less) comes up with a threat detection whenever I am connected to the internet. I just move it to the virus vault, but it looks like it copies itself with a different 4 letter .tmp designation every time:

C:\WINDOWS\Temp\okxg.tmp\svchost.exe

I would attach the screen grab image, but I can't seem to upload screenshots in this section. (Please excuse me if I am blind!)

If I leave it for an hour or more, then AVG flashes up a 'multiple threat detection' and the code is the same except for the 4 letter code before the .tmp, like so:

C:\WINDOWS\Temp\vvvg.tmp\svchost.exe
C:\WINDOWS\Temp\xrgm.tmp\svchost.exe
C:\WINDOWS\Temp\punl.tmp\svchost.exe
C:\WINDOWS\Temp\yyky.tmp\svchost.exe

If left longer, I can have hundreds of these found by AVG.

Also, I run AVG every day and it finds and removes the following worms, but every day AVG keeps finding them and removing them over and over again:

"C:\WINDOWS\system32\csrss.exe (936):\memory_00270000";"Trojan horse Vundo.IY";"Moved to Virus Vault"
"C:\WINDOWS\system32\csrss.exe (936)";"Trojan horse Vundo.IY";"Reboot is required to finish the action"

The only thing that changes are the numbers in the brackets:

"C:\WINDOWS\system32\csrss.exe (944):\memory_00270000";"Trojan horse Vundo.IY";"Moved to Virus Vault"
"C:\WINDOWS\system32\csrss.exe (944)";"Trojan horse Vundo.IY";"Reboot is required to finish the action"

I have the DDS.txt, Attach.txt and ark.txt all available if required.

I hope someone can help...!

I use daily QUAD Registry Cleaner and Malwarebytes Anti-Malware and the latest version of Ad-Aware. None of these have helped with my problem. They remove some problems, but not these ones...

Edited by ed37, 14 December 2009 - 09:13 PM.
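The pattern described in this post (the same dropped svchost.exe re-created under a random four-letter .tmp folder, and the same csrss.exe detection under changing process ids) is easy to spot if the detection paths are normalised before counting. The following is an added illustration, not code from the thread or from any of the tools mentioned; the log lines are constructed in the AVG "path";"threat";"action" style seen above, and the `<rand4>`, `<pid>` and `<addr>` placeholders are this example's own convention.

```python
"""Collapse re-dropped AV detections into recurring indicators (added example)."""
import re
from collections import Counter

# Random 4-letter temp folder, e.g. C:\WINDOWS\Temp\okxg.tmp\svchost.exe
TMP_DIR = re.compile(r"(\\Temp\\)[a-z]{4}(\.tmp\\)", re.IGNORECASE)
# Process id in brackets, e.g. csrss.exe (936), and the memory-region suffix
PID = re.compile(r" \(\d+\)")
MEM = re.compile(r":\\memory_[0-9a-f]+", re.IGNORECASE)


def normalise(path):
    """Replace the parts of a detection path that change on every re-drop."""
    path = TMP_DIR.sub(r"\1<rand4>\2", path)
    path = PID.sub(" (<pid>)", path)
    path = MEM.sub(r":\\memory_<addr>", path)
    return path


def parse_line(line):
    """Return (path, threat, action) from an AVG-style ';'-separated line or a bare path."""
    parts = [p.strip().strip('"') for p in line.split(";")]
    if len(parts) == 1:
        return parts[0], "", ""
    return parts[0], parts[1], parts[2] if len(parts) > 2 else ""


def recurring(lines, threshold=2):
    """Count detections per normalised path; keep those seen at least `threshold` times."""
    counts = Counter()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        path, _, _ = parse_line(line)
        counts[normalise(path)] += 1
    return {p: n for p, n in counts.items() if n >= threshold}


# Constructed sample log in the style of the AVG entries quoted in the post.
SAMPLE_LOG = r"""
C:\WINDOWS\Temp\okxg.tmp\svchost.exe
C:\WINDOWS\Temp\vvvg.tmp\svchost.exe
C:\WINDOWS\Temp\xrgm.tmp\svchost.exe
C:\WINDOWS\Temp\punl.tmp\svchost.exe
"C:\WINDOWS\system32\csrss.exe (936):\memory_00270000";"Trojan horse Vundo.IY";"Moved to Virus Vault"
"C:\WINDOWS\system32\csrss.exe (936)";"Trojan horse Vundo.IY";"Reboot is required to finish the action"
"C:\WINDOWS\system32\csrss.exe (944):\memory_00270000";"Trojan horse Vundo.IY";"Moved to Virus Vault"
"C:\WINDOWS\system32\csrss.exe (944)";"Trojan horse Vundo.IY";"Reboot is required to finish the action"
C:\WINDOWS\system32\drivers\synsenddrv.sys
"""

if __name__ == "__main__":
    for path, n in sorted(recurring(SAMPLE_LOG.splitlines()).items()):
        print(f"{n:3d}x {path}")
```

A path that keeps recurring after quarantine points at a live component (here the rootkit driver) re-dropping it, which is why the helpers below move on to rootkit-capable scanners rather than relying on the on-access AV alone.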


#2 Computer Pro


Posted 14 December 2009 - 09:08 PM

Hello and welcome to Bleeping Computer.

Please subscribe to your topic so that you will be notified as soon as I post a reply, instead of you having to check the topic all of the time. This will allow you to get an email notification when I reply.

To subscribe, go to your topic, and at the top right hand corner by your first post, click the Options button and then click Track this topic. Then bullet the immediate notification bubble. Finally, press submit.



Please download the free version of Dr. Web CureIt and save it to your desktop. DO NOT perform a scan yet.

Scan with Dr. Web Cureit as follows:
• Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
• Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
• The Express scan will automatically begin.
(This is a short scan of files currently running in memory, boot sectors, and targeted folders).
• If prompted to download the Full version Free Trial, ignore and click the X to close the window.
• If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
• When complete, click Select All, then choose Cure > Move incurable.
(This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
• Now put a check next to Complete scan to scan all local disks and removable media.
• In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
• Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
• When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
• Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
• In the top menu, click file and choose save report list.
• Save the DrWeb.csv report to your desktop.
• Exit Dr.Web Cureit when done.
• Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
• After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)
Computer Pro

#3 ed37


Posted 27 December 2009 - 09:53 AM

Hello!

Many thanks for your input. I did try to subscribe to this topic, but it kept coming back with an error and I only noticed a reply to my topic 10 days after you posted it! (sorry about that!)

Anyway, I downloaded Dr. Web and ran it as per your instructions. It found a lot of problems. I ended up having to run it twice as for some reason there were several issues that didn't go away the first time around, hence the two reports that I have published below.

AVG finds just one problem now every 10 minutes or so...the error reads like this:

C:\WINDOWS\system32\drivers\synsenddrv.sys

This may also have something to do with my letter 'R' not working unless I tap hard several times?


Here are the reports that Dr. Web published:

Process in memory: C:\Program Files\Common Files\LightScribe\LSSrvc.exe:116;;BackDoor.Tdss.565;Eradicated.;
atapi.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.1365;Cured.;
puybjufl.sys;C:\WINDOWS\system32\drivers;Trojan.NtRootKit.1652;Deleted.;
popcaploader.dll;c:\windows\downloaded program files;Program.PopcapLoader;Incurable.Moved.;
blank.exe;C:\Documents and Settings\Eddie Simón\Application Data;Adware.BargainBuddy;Incurable.Moved.;
qt.exe\unvised_2.bin;C:\Program Files\Online Services\AOL\comps\qt\qt.exe;Tool.Reboot;;
qt.exe;C:\Program Files\Online Services\AOL\comps\qt;Archive contains infected objects;Moved.;
ScreenGrab.exe;C:\Program Files\ScreenGrab;Trojan.AdSubscribe.126;Deleted.;
A0175215.exe\unvised_2.bin;C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP1402\A0175215.exe;Tool.Reboot;;
A0175215.exe;C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP1402;Archive contains infected objects;Moved.;
A0175216.exe;C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP1402;Trojan.AdSubscribe.126;Deleted.;
iTunes.msi/stream004\unvised_2.bin;C:\WINDOWS\Downloaded Installations\{EA6652A6-343E-4645-AF84-0BACF426C950}\iTunes.msi/stream004;Tool.Reboot;;
stream004;C:\WINDOWS\Downloaded Installations\{EA6652A6-343E-4645-AF84-0BACF426C950};Archive contains infected objects;;
iTunes.msi;C:\WINDOWS\Downloaded Installations\{EA6652A6-343E-4645-AF84-0BACF426C950};Archive contains infected objects;Moved.;

and the second report I did:

A0175234.msi/stream004\unvised_2.bin;C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP1402\A0175234.msi/stream004;Tool.Reboot;;
stream004;C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP1402;Archive contains infected objects;;
A0175234.msi;C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP1402;Archive contains infected objects;Moved.;
A0175235.exe;C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP1402;Adware.BargainBuddy;Incurable.Moved.;

I look forward to hearing your next reply!

Many thanks for your help!!

#4 Computer Pro


Posted 27 December 2009 - 07:41 PM

Now Malwarebytes:

Let's take a look with Malwarebytes.

Please download Malwarebytes' Anti-Malware from here:
Malwarebytes
Please rename the file BEFORE downloading to zztoy.exe instead of mbam-setup.exe

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

Double Click zztoy.exe to install the application.
* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Full Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & paste the entire MBAM report (even if it does not find anything) in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


If Malwarebytes won't install or run

Some types of malware will disable MBAM and other security tools. If MBAM will not install, try renaming it. Right-click on the mbam-setup.exe file and change the .exe extension to .bat, .com, .pif, or .scr and then double-click on it to run.

If after installation, MBAM will not run, open the Malwarebytes' Anti-Malware folder in Program Files, right-click on mbam.exe and change the .exe as noted above. Then double-click on it to run.
Computer Pro

#5 ed37


Posted 29 December 2009 - 12:40 AM

Many thanks again for your quick reply and efforts!

Okay, followed your instructions and here is the report from Malwarebytes' Anti-malware log:

Malwarebytes' Anti-Malware 1.42
Database version: 3447
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/29/2009 1:16:11 AM
mbam-log-2009-12-29 (01-16-11).txt

Scan type: Full Scan (C:\|F:\|)
Objects scanned: 252084
Time elapsed: 1 hour(s), 48 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\QUAD Registry Cleaner v2 (Adware.QUADRegClean) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\synsend (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\xksbpuljachx.sys (Rootkit.Rustock) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\gjkdjdxu.dat (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Drivers\str.sys (Rootkit.Agent) -> Delete on reboot.

I rebooted as instructed...

Things are definitely looking up...!

I do have this annoying problem with the letter 'R' of all things now...aside from that, I will wait until morning to see if AVG found any threats...

My Quad Registry cleaner will not launch also...

These are the only two side effects I have noticed thus far...

I look forward to your next....

Edited by ed37, 29 December 2009 - 12:47 AM.


#6 Computer Pro


Posted 29 December 2009 - 03:26 PM

Malwarebytes got rid of a piece of the Quad Registry Cleaner program because it is Adware.

Also I do not recommend the use of registry cleaners because if it accidentally deletes one single wrong key, your PC could be unbootable.

Please try a couple of searches and see how things are.

Edited by Computer Pro, 29 December 2009 - 03:27 PM.

Computer Pro

#7 ed37


Posted 01 January 2010 - 02:45 PM

Thanks again for your efforts. Between these two programs, they seem to have fixed all the problems, except for the letter 'R' issue.

In my attempts to resolve this issue, I have managed to do something not good with my sound. But I think I will have to post this under a new topic, unless by some sort of miracle I can fix it...


Anyway, I remain a firm supporter of this website and I wish you a Happy New Year! Thanks again!

#8 Computer Pro


Posted 02 January 2010 - 03:20 PM

The letter R issue may be related to your keyboard. Have you tried another keyboard?

And if everything is good then:

Create a new Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
• Go to Start > Programs > Accessories > System Tools and click "System Restore".
• Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
• Then use Disk Cleanup to remove all but the most recently created Restore Point.
• Go to Start > Run and type: Cleanmgr
• Click "Ok"
• Disk Cleanup will scan your files for several minutes, then open.
• Click the "More Options" Tab.
• Click the "Clean up" button under System Restore.
• Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
• Click Yes, then click Ok.
• Click Yes again when prompted with "Are you sure you want to perform these actions?"
• Disk Cleanup will remove the files and close automatically.
Computer Pro

#9 ed37


Posted 03 January 2010 - 04:17 PM

Thanks again for your input.

Firstly, I have managed to sort out my sound, phew!

I have followed your latest input; my computer boots up faster than ever and it's as responsive as it was when it was new, but the letter 'R' still manages to get past me...

I have tried to clean the keyboard, I don't think that's the problem, I have tried to re-install the keyboard driver, but I can only seem to find the driver for the quick launch keys...but I understand that may help...

Is there any program out there to test individual keys?

Many thanks again for your time...also, I found many useful applications on this forum that are genuinely excellent!

#10 Computer Pro


Posted 03 January 2010 - 06:17 PM

Another idea may be to try a new keyboard.

To test individual keys, just try typing in a Word document, or a Notepad document. I would suggest to try each key about 3 times. Like eee, ttt, rrr. This could tell you if your R is possibly messed up.

Edited by Computer Pro, 03 January 2010 - 06:17 PM.

Computer Pro

#11 ed37


Posted 04 January 2010 - 10:12 PM

Okay, I tested the keys as described, it looks like the letter 'r' works only when I hit it hard or if I use the same pressure as I do the other keys, then I'd have to hit it anywhere between 3-8 times to get it to work.

The only reason I thought it may be program related, is because it worked just fine up until the point I removed all the viruses and malware and whatever else was causing a problem...it just seemed a coincidence that when the system was clean, then the letter stopped working...

I don't think laptop keyboards (at least, not mine, certainly) have drivers. There is no driver on the 'drivers' disk or one in the keyboard tab in the control panel.

I'd imagine an external keyboard would work fine, but then it kind of defeats the point of having a laptop, don't you think?

If there is anything else you can think of, I'd be most appreciative!

#12 Computer Pro


Posted 08 January 2010 - 07:57 AM

I would check the brand that makes your laptop's website and look for drivers for your model. The letter R key must have something wrong with it.
Computer Pro
