Malware Defense Bug

This topic is locked. 2 replies to this topic.

#1 pipfx
Members, 11 posts, Location: London

Posted 18 December 2009 - 06:46 PM

A donation will be given to the authorised technician that attempts to help me. Thank you in advance.

Malware Defense program is a virus; my Norton IS 2009 noticed it and other attacks simultaneously attacking and seemed to resolve the problem; one Trojan horse had to be resolved by restarting the PC. I uninstalled Malware Defense (I did not install it myself) using Add/Remove Programs in the Control Panel. It has totally disabled my Spybot Search & Destroy, Norton Internet Security, and ability to connect to the internet. Update: I cannot connect to the internet because the Internet Gateway icon in XP is no longer there.

Norton had to restart my PC to fully resolve the trojan horse, but upon restart it has not been the same.

I ran the DDS logs; however, I was unable to run RootRepeal.exe, all I got was error messages.


I think this is the end of my PC (Windows XP). Whenever I try and do anything I get an error message:

The application or DLL globalroot/systemroot/system32/H8SRTqoehtpjbak.dll is not a valid windows image please check this against your installation diskette.

My gosh, I think this is the end.

DDS.txt file

DDS (Ver_09-12-01.01) - NTFSx86
Run by Philip at 22:32:24.07 on 18/12/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.2047.1582 [GMT 0:00]

AV: Norton Internet Security *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:WINDOWSsystem32svchost -k DcomLaunch
svchost.exe
C:WINDOWSSystem32svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:WINDOWSsystem32spoolsv.exe
svchost.exe
svchost.exe
C:PROGRA~1IomegaSystem32ActivityDisk.exe
C:WINDOWSExplorer.EXE
C:WINDOWSsystem32nvsvc32.exe
C:WINDOWSsystem32slserv.exe
C:WINDOWSSystem32svchost.exe -k imgsvc
C:Program FilesCommon FilesSymantec SharedCCPD-LCsymlcsvc.exe
C:Program FilesIomegaDriveIconsImgIcon.exe
C:WINDOWSsystem32RUNDLL32.EXE
C:WINDOWSsystem32rundll32.exe
C:Program FilesSoftware602Print2PDFPrint2PDF.exe
C:Program FilesIomegaAutoDiskAD2KClient.exe
C:WINDOWSsystem32ctfmon.exe
C:DOCUME~1PhilipLOCALS~1Temprichtx64.exe
C:Program FilesSonySony Picture UtilityVolumeWatcherSPUVolumeWatcher.exe
C:WINDOWSsystem32wuauclt.exe
C:Documents and SettingsPhilipDesktopdds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://startpage.com/
uSearch Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=hxxp://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
uInternet Settings,ProxyOverride = 127.0.0.1;<local>
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:program filesadobeacrobat 7.0activexAcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:program filesskypetoolbarsinternet explorerSkypeIEPlugin.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:program filesnorton internet securityengine16.5.0.135coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:program filesnorton internet securityengine16.5.0.135IPSBHO.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:program filesjavajre1.5.0_09binssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
TB: Wanadoo: {8b68564d-53fd-4293-b80c-993a9f3988ee} - c:progra~1wanadoowsbarWSBar.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:program filesnorton internet securityengine16.5.0.135coIEPlg.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Iomega Active Disk] c:program filesiomegaautodiskAD2KClient.exe
uRun: [ctfmon.exe] c:windowssystem32ctfmon.exe
uRun: [richtx64.exe] c:docume~1philiplocals~1temprichtx64.exe
mRun: [Iomega Startup Options] c:program filesiomegacommonImgStart.exe
mRun: [Iomega Drive Icons] c:program filesiomegadriveiconsImgIcon.exe
mRun: [KernelFaultCheck] %systemroot%system32dumprep 0 -k
mRun: [NvCplDaemon] RUNDLL32.EXE c:windowssystem32NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:windowssystem32NvMcTray.dll,NvTaskbarInit
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [QuickTime Task] "c:program filesquicktimeqttask.exe" -atboottime
mRun: [Print2PDF Print Monitor] "c:program filessoftware602print2pdfPrint2PDF.exe" /server
dRun: [Symantec NetDriver Warning] c:progra~1symnet~1SNDWarn.exe
StartupFolder: c:docume~1philipstartm~1programsstartupcyber-~1.lnk - c:program filessonysony picture utilityvolumewatcherSPUVolumeWatcher.exe
StartupFolder: c:docume~1alluse~1startm~1programsstartupmicros~1.lnk - c:program filesmicrosoft officeofficeOSA9.EXE
IE: Search with Wanadoo - c:progra~1wanadoowsbarWSBar.dll/VSearch.htm
IE: {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - c:program filespartygamingpartycasinoRunCasino.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%Network Diagnosticxpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:program filesmessengermsmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBC} - c:program filesjavajre1.5.0_09binssv.dll
IE: {5B7027AD-AA6D-40df-8F56-9560F277D2A5} - {E4ABF418-CB30-470C-BFF7-674AC0FC564F} - c:program filessoftware602print2pdfPrint602.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:program filesskypetoolbarsinternet explorerSkypeIEPlugin.dll
Trusted Zone: loot.comwww
DPF: Microsoft XML Parser for Java - file://c:windowsjavaclassesxmldso.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {05317530-B882-449D-9421-18D94FA3ED34} - hxxp://www.sis.com/ocis/OSInfo.cab
DPF: {16095503-786F-4097-AED6-5D567A26D760} - hxxp://www.sis.com/ocis/SiSAutodetectNT.cab
DPF: {161A7465-FEEE-4B40-8A85-ED752B93F73E} - file://E:IntraLaunch.CAB
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab
DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} - hxxp://musicstore.connect.com/XSL/mb_us/html/activexplayer/SMALStreaming.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1124887568136
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {CAFEEFAC-0014-0002-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} - hxxp://entimg.msn.com/client/msnmusax3503.cab
DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} - hxxp://by113fd.bay113.hotmail.msn.com/activex/HMAtchmt.ocx
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:program fileshphpcoretechcomphpuiprot.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:progra~1common~1skypeSKYPE4~1.DLL
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:program filesnorton internet securityengine16.5.0.135CoIEPlg.dll
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

Merged posts. ~ OB

I have also found trojan software in my processes and have located it, but I am unable to manually delete it:

richtx64.exe

In the location

C:\Documents and Settings\Philip\Local Settings\Temp

Also there was another program named Installer.exe with the Windows Security Centre icon, but this is Malware Defense's fake program. I was able to send it to my recycle bin.

Update: I was able to send both richtx64.exe and installer.exe to the recycle bin.

Still has not helped my PC.

2nd Update: OK, I got Malwarebytes to scan my PC but could not update due to internet connection issues.

I had to rename the program and install it to another program. Malware Defense was stopping it from opening. Even when I tried to click on the install icon I had to change the name of it to something else before I could open it.

Malware Defense seems to know what programs may try and remove it.

Still, it found 10 corrupt files and registries and removed them, but my PC still has the same issues.

Would buying a new hard drive and buying a windows XP disc completely solve my problems? Is it possible for my hardware to be affected by this bug?

3rd Update: it's getting a little better, but still infected.

I ran AVAST 4.8 and installed it; it found many H8SRT******.sys and H8SRT*****.dll files.

It was unable to delete any of them; however, for the first time I knew their location.

All in the windows/system32/drivers folder or windows/system32 folder; when I went into the folders I could not see them, as they were invisible.

However, I opened Notepad, wrote inside the word "nothing", saved the file as "H8SRTqoehtpjbak.dll" and pasted it inside the system32 folder, and now I no longer get the error pop-up on start-up or whenever I click on an icon:

"The application or DLL globalroot/systemroot/system32/H8SRTqoehtpjbak.dll is not a valid windows image please check this against your installation diskette", as said in my first post.

My Internet Explorer plugins were all damaged. Internet is working, so far; it wasn't before. I was able to update the Malwarebytes software.

Also, my Norton AntiVirus can open up again; it was attacked and damaged.

Still I have not got rid of the rootkit, and still probably have to restore my XP by buying the disc.

I'm going to try and run all the malware removal tools tomorrow, especially RootRepeal.exe if I can.

Update 4: Still unable to run RootRepeal.exe even when I rename it; I get an error that drivers could not load.
My Norton Antivirus had to be uninstalled as it was infected and could not perform any type of scan. Plus it kept on displaying that the latest update was *** seconds ago... which must have been a hack.

I cannot delete hidden files H8SRThovbrnoxjx.sys in C:\system32\drivers and ..\system32 folder.

The rootkit is still there and I cannot access it.
I'm now scanning with SuperAntiSpyware Free Edition.

Is there a MANUAL way I can delete this since I'm unable to run RootRepeal?

Edited by boopme, 21 December 2009 - 09:42 PM.
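As an added defender-side example (not from the thread, the DDS tool or any of the posters), the script below runs a few of the red flags visible in the log above as rules over constructed sample lines modelled on it: an executable launched from a Temp folder, orphaned IE extension entries, a HOSTS redirect of a security site, and the randomised H8SRT* file names. The rule names, the sample lines and the restored backslashes are my own assumptions.

```python
import re

# Constructed sample modelled on the DDS log quoted in the thread; the
# backslashes the forum stripped from the paths are restored here.
SAMPLE_DDS = """\
C:\\WINDOWS\\system32\\svchost.exe -k netsvcs
C:\\DOCUME~1\\Philip\\LOCALS~1\\Temp\\richtx64.exe
uRun: [ctfmon.exe] c:\\windows\\system32\\ctfmon.exe
uRun: [richtx64.exe] c:\\docume~1\\philip\\locals~1\\temp\\richtx64.exe
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 127.0.0.1 localhost
R0 H8SRTd;H8SRTd;c:\\windows\\system32\\drivers\\H8SRThovbrnoxjx.sys
"""

# (rule name, pattern, what a hit means for the helper reading the log)
RULES = [
    ("run-from-temp",
     re.compile(r"\\temp\\[^\\\s]+\.(?:exe|dll|scr)\b", re.I),
     "executable launched from a user Temp folder, like richtx64.exe"),
    ("orphan-ie-entry",
     re.compile(r"^(?:BHO|TB|EB): .*- No File$", re.I),
     "IE extension still registered but its file is gone"),
    ("hosts-hijack",
     re.compile(r"^Hosts: 127\.0\.0\.1 (?!localhost$)\S+", re.I),
     "HOSTS entry sinkholes a real site (here a security forum)"),
    ("h8srt-name",
     re.compile(r"\bH8SRT\w+\.(?:sys|dll)\b", re.I),
     "randomised H8SRT* driver/DLL name the poster kept seeing"),
]


def triage_dds(text):
    """Return a list of (rule, line, why) for every log line that trips a rule."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        for name, pattern, why in RULES:
            if pattern.search(line):
                findings.append((name, line, why))
    return findings


if __name__ == "__main__":
    for name, line, why in triage_dds(SAMPLE_DDS):
        print(f"[{name}] {line}  <- {why}")
```

Clean lines such as the svchost entry or the localhost HOSTS line produce no finding, so the output is only the handful of entries worth asking the poster about.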


#2 etavares
Bleepin' Remover, Malware Response Team, 15,514 posts

Posted 31 December 2009 - 10:47 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Also, please subscribe to this topic, so you are notified when someone replies. Please continue to check manually on occasion, as every now and then the email may be caught by your spam filter.
To enable topic notifications you should do the following:
  • Click on the My Controls link at the top of the page to enter your control panel.
  • Scroll down to the Options category in the left hand side menu bar and click on the Email Settings link.
  • Put a checkmark in the checkbox labeled Enable 'Email Notification' by default?.
  • Set the If ticked, choose default type: menu option to Immediate Email Notification to have an email sent immediately when someone replies.
Information on A/V control HERE


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
#3 SpySentinel
Members, 2,090 posts, Location: The United States

Posted 05 January 2010 - 10:26 PM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact me or another staff member.

Everyone else please start a new topic.
Unified Network of Instructors and Trained Eliminators
