Clever Little Rootkit Infection


This topic is locked. 12 replies to this topic.

#1 wave-mechanic (Members, 6 posts)

Posted 04 January 2010 - 04:27 PM

So there I was, running WinXP SP3 w/all updates, XP firewall ON, and NAV 2005 w/all updates ON... and moments after a single ill-advised visit to a shareware site (I swear I don't remember clicking anything) NAV suddenly flagged an infection (but of course couldn't do anything about it) and IE8 began displaying bogus security alerts.

Ah, heck...

So I looked around, and taskmgr had a single instance of Iexplore.exe (w/o an IE window, of course) which regenerated itself when killed. Other unfamiliar processes were present. I killed them and deleted their executables and dll's (including, curiously, a "test.reg" file which claimed to make IE the default browser) which had appeared in /Win/Sys32 and /D&S/User/Local Settings, as well as a start key which appeared in the /SW/MS/Windows/CV/RUN path of HKEY_USERS/.DEFAULT using UnHooker and ProcExp liberally as needed.

The Iexplore.exe file in /PF/Internet Explorer reappeared whenever deleted using UnHooker. By quickly killing the Iexplore process, deleting the file, and replacing it with a copy of the (much smaller) IE6 executable from DLLCache I was able to run IE6 w/o issue. I also confirmed that the HOSTS file appeared unchanged.

I rebooted on a different disk: GMER ran there w/no problems found, and a full virus scan on all disks found no problem.

I rebooted back into the original disk and reinstalled IE8, and all PC functions now appear OK. Boot and shutdown is OK, regedt32.exe runs OK, there are no visible issues with registry RUN keys and no unknown processes appear in taskmgr or procexp, and there's no misbehavior by IE8 or any other programs.

BUT:

The PC reboots shortly after starting the GMER devices scan (all other GMER scans run OK) and RootRepeal stops after displaying the message "DeviceIoControl Error! Error Code = 0xc000009a Could not read system registry! Please contact the author!"

Ah yes... are we having fun yet?

To this post I've attached "attach.txt" from DDS, the RootRepeal log "ark.txt", and the RootRepeal error message "error.txt". Help me, Obi-Wan Kenobi - you're my only hope...

Here's the DDS LOG:

DDS (Ver_09-12-01.01) - NTFSx86
Run by PB at 15:20:49.67 on Mon 01/04/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
AV: Norton AntiVirus 2005 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Worm Protection *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

============== Running Processes ===============


============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - c:\program files\norton antivirus\NavShExt.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton antivirus\NavShExt.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Symantec NetDriver Monitor] c:\progra~1\symnet~1\SNDMon.exe /Consumer
mRun: [NeroFilterCheck] ;c:\windows\system32\NeroCheck.exe
mRun: [Acrobat Assistant 7.0] ;"c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
mRun: [PVR Agent] ;c:\program files\msi\tv@anywhere plus\tvr\Scheduled.exe
mRun: [dvd43] c:\program files\dvd43\dvd43_tray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] ;"c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\myirc.lnk - c:\program files\myhd\MyIRC.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - d:\old program files\aim95\AIM.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} - hxxp://forms.real.com/real/player/download.html?f=windows/mrkt/rhapx/RhapsodyPlayerEngine_Inst_Win.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1119891989406
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://yourconferencing.webex.com/client/T26L10NSP49EP8/webex/ieatgpc.cab
DPF: {E19F9331-3110-11d4-991C-005004D3B3DB} - hxxp://java.sun.com/products/plugin/1.3.0_02/jinstall-130_02-win.cab
TCP: {3ED9ECA5-774D-413E-84A1-7BBE91F62788} = 216.254.95.2,216.231.41.2,216.231.41.2
Notify: AtiExtEvent - Ati2evxx.dll
Notify: PCANotify - PCANotify.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\pb\applic~1\mozilla\firefox\profiles\opxlm17i.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\pb\application data\mozilla\plugins\npPxPlay.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\photosynth\npPhotosynthMozilla.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2010-01-03 06:09:25 2126 ----a-w- c:\windows\system32\wpa.dbl
2010-01-01 02:04:13 0 d-----w- c:\program files\common files\DivX Shared

==================== Find3M ====================

2009-11-14 00:47:32 90112 ----a-w- c:\windows\system32\dpl100.dll
2009-11-14 00:47:28 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-11-14 00:47:28 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2009-11-14 00:47:28 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-11-14 00:47:28 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2009-11-14 00:47:28 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2009-11-14 00:47:28 696320 ----a-w- c:\windows\system32\DivX.dll
2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-11 09:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2005-09-15 14:38:46 56 --sh--r- c:\windows\system32\CFBB133D4D.sys
2006-02-06 19:01:05 56 --sh--r- c:\windows\system32\DBC934D07C.sys
2007-01-02 14:38:49 2098 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-09-25 09:07:11 16384 --sha-w- c:\windows\temp\cookies\index.dat
2009-09-25 09:07:11 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2009-09-25 09:07:11 16384 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 15:21:02.48 ===============
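An added example, not part of the original post and not DDS's own code: a small Python parser for the file-listing lines in the DDS "Created Last 30" and "Find3M" sections above, with a triage pass that flags what a helper would look at first. The sample lines embedded in it are copied from the log above. The attribute-field layout (d = directory, s = system, h = hidden, a = archive, r/w = read-only/writable) is inferred from the sample, so treat it as an assumption, and the flags it raises are review prompts, not verdicts (farbar found no bad entry in this log). Hidden+system files are the ones Explorer hides by default, which is why DDS lists them separately, and a .sys shorter than the 64-byte MZ header cannot be a loadable driver image whatever else it is.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Tuple

# Constructed sample: lines copied from the DDS log above. A normal
# triple-quoted string, so each "\\" is one backslash in the data.
SAMPLE = """\
2010-01-03 06:09:25 2126 ----a-w- c:\\windows\\system32\\wpa.dbl
2010-01-01 02:04:13 0 d-----w- c:\\program files\\common files\\DivX Shared
2009-10-29 07:45:38 916480 ----a-w- c:\\windows\\system32\\wininet.dll
2005-09-15 14:38:46 56 --sh--r- c:\\windows\\system32\\CFBB133D4D.sys
2006-02-06 19:01:05 56 --sh--r- c:\\windows\\system32\\DBC934D07C.sys
2007-01-02 14:38:49 2098 --sha-w- c:\\windows\\system32\\KGyGaAvL.sys
2009-09-25 09:07:11 16384 --sha-w- c:\\windows\\temp\\cookies\\index.dat
"""

# "<date> <time> <size> <8-char attribute field> <path>"
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\d+) (\S{8}) (.+)$")

# The smallest thing a PE file can begin with is the 64-byte MZ header.
MIN_PE_SIZE = 64


@dataclass
class Entry:
    mtime: datetime
    size: int
    attrs: str   # e.g. "--sh--r-"; layout inferred from the sample (assumption)
    path: str    # lower-cased so matching is case-insensitive

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")

    @property
    def hidden_system(self) -> bool:
        return "h" in self.attrs and "s" in self.attrs


def parse_dds_files(text: str) -> List[Entry]:
    """Parse DDS file-listing lines; lines that do not fit the shape are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(
                datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
                int(m.group(2)), m.group(3), m.group(4).lower()))
    return entries


def triage(entries: List[Entry]) -> List[Tuple[str, List[str]]]:
    """Return (path, reasons) for files a reviewer should look at first."""
    flagged = []
    for e in entries:
        if e.is_dir:
            continue
        reasons = []
        if e.hidden_system and "\\windows\\system32\\" in e.path:
            reasons.append("hidden+system file in system32")
        if e.path.endswith(".sys") and e.size < MIN_PE_SIZE:
            reasons.append(f".sys of {e.size} bytes cannot be a driver image")
        if reasons:
            flagged.append((e.path, reasons))
    return flagged


if __name__ == "__main__":
    for path, reasons in triage(parse_dds_files(SAMPLE)):
        print(path, "->", "; ".join(reasons))
```

Run against the full log, the same rules would also surface the three index.dat files only if you drop the system32 restriction; that restriction is deliberate, because hidden+system in a browser cache directory is the normal state for those files.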


#2 Farbar (Security Developer, 21,730 posts, The Netherlands)

Posted 05 January 2010 - 08:20 PM

Hi wave-mechanic,

Welcome to BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

I don't see any bad entry. But the DDS log unusually has some missing sections. I would like to go along with you and see what is causing it and what is crashing GMER.
  • You have the latest version of Java (Java 6 Update 17) and it is good. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please uninstall the following:

    J2SE Runtime Environment 5.0 Update 2
    J2SE Runtime Environment 5.0 Update 4
    J2SE Runtime Environment 5.0 Update 6
    Java 2 Runtime Environment Standard Edition v1.3.0_02
    Java™ 6 Update 5


    You may uninstall them, one by one and then reboot once at the end.

  • Let's see if the system made a minidump file at the time that you ran GMER. It might tell us what is causing the crash.

    Go to start > Run copy/paste the following line in the run box and click OK.

    cmd /c dir /a /od /s c:\mini*.dmp > log.txt 2>&1 &start log.txt

    A command window opens. Wait until a text file (log.txt) opens. Please post its content in your reply.

  • I would like to check for a particular kind of rootkit. Please download MBR.EXE by GMER. Save the file in your Root directory (C:\).

    Go to Start -> Run, copy and paste the following lines one by one in the run box and click OK after each line.

    cmd /c c:\mbr.exe -t
    c:\mbr.log


    A log file (c:\mbr.log) will open. Post the contents of it to your reply.


#3 wave-mechanic (Topic Starter, Members, 6 posts)

Posted 06 January 2010 - 08:36 AM

Hi farbar -

Thanks for your kind offer of assistance. I agree to refrain from making any changes to my system during our troubleshooting process, and I've turned off Automatic Updates in the Windows Update control panel applet.

I've taken the steps you recommended as follows:

Step 1:
J2SE Runtime Environment 5.0 Update 2 - uninstalled cleanly
J2SE Runtime Environment 5.0 Update 4 - uninstalled cleanly
J2SE Runtime Environment 5.0 Update 6 - uninstalled cleanly
Java™ 6 Update 5 - uninstalled cleanly
Java 2 Runtime Environment Standard Edition v1.3.0_02 - uninstalled and flagged the following for manual removal:

"Unable to delete folder 'C:\Program Files\JavaSoft\JRE\1.3.0_02\lib\ext'.
Unable to delete folder 'C:\Program Files\JavaSoft\JRE\1.3.0_02\lib'.
Unable to delete folder 'C:\Program Files\JavaSoft\JRE\1.3.0_02'.
Unable to delete folder 'C:\Program Files\JavaSoft\JRE'.
Unable to delete folder 'C:\Program Files\JavaSoft'.
Unable to delete all subkeys under 'HKEY_CLASSES_ROOT\.jar'.
Unable to delete all subkeys under 'HKEY_CLASSES_ROOT\jarfile'."

I rebooted after the uninstalls without issue.

Step 2:
The directory scan (below) found what looks like an old legacy dump file. I should note that the forced reboot in the GMER devices scan occurs instantaneously, with no BSOD, as if the hardware reset button had been pushed.

Volume in drive C is WD7200120GB
Volume Serial Number is E027-E4AC

Directory of c:\WINDOWS\Minidump

05/26/2005 05:50 AM 90,112 Mini052605-01.dmp
1 File(s) 90,112 bytes

Total Files Listed:
1 File(s) 90,112 bytes
0 Dir(s) 27,876,347,904 bytes free

Step 3:
I downloaded mbr.exe to my c:\ root directory without issue, but when I used start>run to enter "cmd /c c:\mbr.exe -t" and again to enter "c:\mbr.log", I received an error message after entering the second command:

"Windows cannot find 'c:\mbr.log'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search."

I opened explorer and confirmed that there was no file named mbr.log in the c:\ directory, and got the same results on two retries using start>run.

I then used start>run>cmd to open a DOS box, executed "cd \" to go to the root directory, and executed "c:\mbr.exe -t" manually, and this resulted in the creation of the file c:\mbr.log. Here are its contents:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll dvd43llh.sys atapi.sys viaidexp.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK

I await further instructions... and thanks again for the help, farbar!

#4 Farbar (Security Developer, 21,730 posts, The Netherlands)

Posted 06 January 2010 - 09:44 AM

Well done and thanks for the detailed feedback.

We have essentially covered everything. Just to see if we can run GMER once more.
  • Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
    • The application window will appear
    • Click the Disable button to disable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger will now ask to reboot the machine - click OK
    IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

    Do not re-enable these drivers until otherwise instructed.

  • We'll try GMER again, this time with the following settings.
    • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
    • Click on this link to see a list of programs that should be disabled.
    • Disconnect from the Internet and close all running programs.
    • Double click GMER.exe. If asked to allow the gmer.sys driver to load, please consent.
    • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
    • In the right panel, you will see several boxes that have been checked. Make sure the following are unchecked:
    • Sections
    • IAT/EAT
    • Devices
    • Files
    • Drives/Partition other than C:\ drive (C:\ drive should remain checked)
    • Show All (this one also should be unchecked)
  • Then click the Scan button & wait for it to begin. (Please be patient as it can take some time to complete).
  • When the scan is finished, you will see the scan button appears again. Click Save to save the scan results to your Desktop.
  • Save the file as gmer.log and copy/paste the contents in your next reply.


#5 wave-mechanic (Topic Starter, Members, 6 posts)

Posted 06 January 2010 - 10:10 AM

Hi farbar -

I downloaded DeFogger to my desktop and ran it. It displayed the window with text and the "Disable" and "Re-enable" buttons. I clicked the "Disable" button and after 15-20 seconds it displayed the window with text and the "OK" button. I clicked the "OK" button and that window disappeared. The first window remained open. No subsequent windows were displayed. I did not get a window asking me to reboot the machine.

A file "defogger_disable.log" was created on my desktop. Here are its contents:

defogger_disable by jpshortstuff (28.11.09.2)
Log created at 10:00 on 06/01/2010 (PB)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...


-=E.O.F=-

I have not taken any further action at this time, so the original DeFogger window with text and the "Disable" and "Re-enable" buttons remains open. Next steps, please?

#6 Farbar (Security Developer, 21,730 posts, The Netherlands)

Posted 06 January 2010 - 10:22 AM

Very well, when you get OK it is done. Please close the first window and proceed to the GMER part.

#7 Farbar (Security Developer, 21,730 posts, The Netherlands)

Posted 06 January 2010 - 10:40 AM

Sorry my post was postponed due to maintenance of the site.

Very well, when you get OK it is done. Please close the first window and proceed to the GMER part.

#8 wave-mechanic (Topic Starter, Members, 6 posts)

Posted 06 January 2010 - 10:42 AM

Hi farbar -

Very good: I closed the DeFogger window, performed a manual reboot, disconnected my internet connection, halted NAV AutoProtect, and ran GMER.

It gave no alerts on startup. I unchecked the boxes you indicated, which left the following boxes checked:

System, Modules, Processes, Threads, Libraries, Services and Registry.

The scan completed without issue. Here are the contents of the logfile it generated:

GMER 1.0.15.15077 [5nzhhp07.exe] - http://www.gmer.net
Rootkit scan 2010-01-06 10:34:11
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT 8714BB50 ZwConnectPort
SSDT 87015E90 ZwOpenProcess
SSDT 87015C68 ZwOpenThread

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0x2E 0xE8 0xE1 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x46 0x47 0x15 0xB0 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0x25 0xDA 0xEC 0x7E ...
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x86 0x8C 0x21 0x01 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xF5 0x1D 0x4D 0x73 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xDF 0x20 0x58 0x62 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0xFB 0xA7 0x78 0xE6 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x83 0x6C 0x56 0x8B ...
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0xF6 0x0F 0x4E 0x58 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0xB1 0xCD 0x45 0x5A ...
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0x2A 0xB7 0xCC 0xB5 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0xFA 0xEA 0x66 0x7F ...

---- EOF - GMER 1.0.15 ----

I subsequently restarted NAV AutoProtect and reconnected my internet connection to send this reply, and await further instructions.
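An added example, not part of the thread and not GMER's own code: a Python parser for the GMER log format shown in the post above, turning the System (SSDT) and Registry sections into structures a triage script can query and diff between runs. The sample log embedded in it is an abridged copy of the one above (the three SSDT lines and two of the twelve CLSID blocks). One caveat the log itself imposes: GMER prints the address each hooked SSDT entry now points at, but not the module that owns that address, so whether the ZwOpenProcess/ZwOpenThread/ZwConnectPort hooks belong to a security product's self-protection or to something else cannot be decided from these lines alone; farbar judged the log clean, and the parser only makes the entries easy to list. The `split_reg_line` helper assumes a key path never contains '@' (the first '@' is taken as the key/value separator), which holds for this log.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: abridged copy of the GMER log posted above.
SAMPLE_LOG = r"""GMER 1.0.15.15077 [5nzhhp07.exe] - http://www.gmer.net
Rootkit scan 2010-01-06 10:34:11
Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.15 ----

SSDT 8714BB50 ZwConnectPort
SSDT 87015E90 ZwOpenProcess
SSDT 87015C68 ZwOpenThread

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0x2E 0xE8 0xE1 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x46 0x47 0x15 0xB0 ...

---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (\S+) - GMER [\d.]+ ----$")
SSDT_RE = re.compile(r"^SSDT\s+([0-9A-Fa-f]{8})\s+(\w+)\s*$")
CLSID_RE = re.compile(r"\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\")
HEX32_RE = re.compile(r"^[0-9A-Fa-f]{32}$")


def split_reg_line(rest: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Split "<key>@<value name> <data>" as GMER prints it.

    A bare key line has no '@'. An empty value name is the key's (Default)
    value. Assumption: key paths never contain '@' themselves.
    """
    key, sep, tail = rest.partition("@")
    if not sep:
        return rest, None, None
    name, _, data = tail.partition(" ")
    return key, name, data


def parse_gmer(text: str) -> Dict[str, object]:
    """Return {'ssdt': [(address, function), ...],
               'registry': {key: {value_name: data}}}."""
    report: Dict[str, object] = {"ssdt": [], "registry": {}}
    ssdt: List[Tuple[int, str]] = report["ssdt"]          # type: ignore[assignment]
    registry: Dict[str, Dict[str, str]] = report["registry"]  # type: ignore[assignment]
    section = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section == "System":
            m = SSDT_RE.match(line)
            if m:
                ssdt.append((int(m.group(1), 16), m.group(2)))
        elif section == "Registry" and line.startswith("Reg "):
            key, name, data = split_reg_line(line[4:])
            values = registry.setdefault(key, {})
            if name is not None:
                values[name] = data or ""
    return report


def hooked_functions(report) -> List[str]:
    """Names of the SSDT entries GMER reported as redirected, sorted."""
    return sorted(func for _, func in report["ssdt"])


def opaque_clsids(report) -> List[str]:
    """CLSIDs whose InprocServer32 key carries a value named by 32 hex digits
    holding raw bytes: opaque data that deserves a manual look."""
    found = []
    for key, values in report["registry"].items():
        if not key.lower().endswith("\\inprocserver32"):
            continue
        m = CLSID_RE.search(key)
        if m and any(HEX32_RE.match(n) and d.startswith("0x")
                     for n, d in values.items()):
            found.append(m.group(1))
    return sorted(found)


if __name__ == "__main__":
    rep = parse_gmer(SAMPLE_LOG)
    print("SSDT hooks:", ", ".join(hooked_functions(rep)))
    print("CLSIDs with opaque InprocServer32 values:", opaque_clsids(rep))
```

Saving the parsed result from a known-clean baseline and diffing `hooked_functions` and `opaque_clsids` against a later scan is the practical use: a new hooked service or a new CLSID with raw-byte data is a change to explain, while an unchanged set is what farbar's "it looks good" rests on.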

#9 Farbar (Security Developer, 21,730 posts, The Netherlands)

Posted 06 January 2010 - 10:51 AM

It looks good. Seems you have done a fine job removing the rogue software. It also had no rootkit component. :(

I don't think DeFogger found anything to disable, but to be sure run it again and this time click Re-enable. No need for a reboot. You may then remove DeFogger from your desktop.

First Set a New Restore Point then Remove the Old Restore Points to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

To set a new restore point:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
To remove the old restore points:
  • Go to Start > Run then type: Cleanmgr in the box and click "OK".
  • You get a window to select the drive to clean, the default is already set to (C:) drive. Click OK.
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
  • Click OK and Yes.
Happy Surfing wave-mechanic. :(

#10 wave-mechanic (Topic Starter, Members, 6 posts)

Posted 06 January 2010 - 12:25 PM

Hi farbar -

Thanks for your encouraging reply. I ran DeFogger and clicked the "Re-engage" button, and got the confirmation screen. I created a new restore point, and used cleanmgr to remove all old restore points. I then performed a reboot and confirmed that as before, all PC functions appear OK. Boot and shutdown is OK, regedt32.exe runs OK, there are no visible issues with registry RUN keys and no unknown processes appear in taskmgr or procexp, and there's no misbehavior by IE8 or any other programs.

BUT:

Nothing has changed in the behavior which I noted in my initial post. The PC still reboots shortly after starting the GMER devices scan and RootRepeal still displays the message "DeviceIoControl Error! Error Code = 0xc000009a Could not read system registry! Please contact the author!" I tried running a GMER device scan with NAV AutoProtect disengaged, but still get a reboot.

I greatly appreciate all the help you've given so far, but I am concerned that these errors are resulting from some cause that remains unidentified. Are there any other steps you could recommend that would help us understand why these reboots are taking place, and why RootRepeal is throwing the DeviceIoControl error?

Thanks!

#11 Farbar (Security Developer, 21,730 posts, The Netherlands)

Posted 06 January 2010 - 12:43 PM

You are most welcome wave-mechanic. :(

You should not be worried at all about those errors. They are known to us and the developers and there is nothing to do about them. Bear in mind that those scanners try to reach the non-authorized sections of the system and that can't always be accomplished. Many clean systems crash when running the Devices section of GMER, and the RootRepeal error we see every day. What matters is that we made sure the system is clean. Putting the logs of those scanners together with the MBR.exe log, we have covered pretty much everything.

#12 wave-mechanic (Topic Starter, Members, 6 posts)

Posted 06 January 2010 - 12:53 PM

Hi farbar -

Thank you for confirming that the "DeviceIoControl Error! Error Code = 0xc000009a Could not read system registry! Please contact the author!" RootRepeal error and the PC reboot in GMER devices scan are known issues with RootRepeal and GMER themselves, and not due to some unidentified cause on my machine.

I consider this matter resolved.

Again, my sincere thanks go out to you and the BC HijackThis forum. All the good work being done here, and your efforts in particular, are outstanding examples of the original spirit of the Internet community. They are very much appreciated!

Best regards and happy hunting,
wave-mechanic

#13 Farbar (Security Developer, 21,730 posts, The Netherlands)

Posted 06 January 2010 - 12:58 PM

You are most welcome wave-mechanic and thanks for your kind words. :(

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.



