
Infected with unknown rootkit


  • This topic is locked
12 replies to this topic

#1 zedhed

  • Members
  • 12 posts

Posted 05 February 2010 - 04:14 PM

This began over a month ago. I have been unable to clean-install Windows XP from an original (non-OEM) CD (SP3 slipstreamed) without being infected before the installation is finished. Have tried many times, with only one hard disk (system disk) installed and no 'net connection to reinfect me.

I built the system last Summer: Gigabyte GA-MA770-UD3 motherboard with AMD Phenom X3, 4GB G.Skill DDR2-1066 RAM. No overclocking - all stock settings. I have used Acronis Disk Director to wipe the disk prior to installing Xp. Soon after this all started I noticed a message in the POST screen:
"Intel Integrator Toolkit has modified this BIOS" as well as a new line (I think): "CPUID:00100F42 PatchID:0086"

I have since re-flashed the BIOS multiple times from the original F5 up to F8, and only the CPUID line remains in the POST screen.

Other indications: Terminal Server service and others seem to be replicated in the ROOT context. If I disable the normal Terminal Server service, I still see Termdd running in the Handles window of Process Explorer in many processes. During the month I have been repeatedly installing XP, there have been many different indications that others are connected as clients to my computer, e.g. when logged in (always locally - no server) as an administrator, I lost permission to view my Program Files folder; or when I install any security software (Comodo firewall, Avast or Avira antivirus) the .exe files are often deleted, that sort of thing. Even my Netgear router has been tampered with, e.g. the IP address/mask and DNS addresses might be deleted or the password changed. This is a small home network using a Netgear WPN824v3 wireless router into a Thomson ST536v6 DSL modem. I use a 63 ASCII char wireless access code (WPA-TKIP) and a very strong password. I have two wireless devices (wife's Dell laptop from work and a ROKU TV box) and my desktop PC is wired in. DHCP reserves only two addresses, both assigned to my wireless MAC addresses, so I don't think wireless is available to neighbors or war drivers. My wife's laptop was also infected a couple of weeks after my troubles started. The machine would not boot and the IT dept at her workplace installed an XP image which has survived for about 3 weeks now.

Right now I am working barebones - I have very few services running, and I find that when DCOM, WMI, MSDTC and COM+ are running that my CPU runs constantly between 10% and 15%, and the drive pulses constantly. Seems very much like a Managed Services application to me, as in nAble's nCentral product, if you know what that is.

I have worked with malware problems for many years as a corporate network admin and as a consultant to home users - just basic cleaning/quarantine and installing firewall and AV setups to keep my customer's machines clean. But I have never seen anything like this. I do suspect the dropper is in firmware, but I'll let you control the troubleshooting process. Tell me what to do and I won't do anything you don't tell me to do. (BTW, I'm the one who disabled SFC, just this morning. Was planning to delete aaclient.dll but thought better of it and started this thread instead.)

Thanks for any help you can offer! I'm at my wit's end.

zed


DDS (Ver_09-12-01.01) - NTFSx86
Run by Zed at 14:38:06.01 on Fri 02/05/2010
Internet Explorer: 6.0.2900.5512

============== Running Processes ===============


============== Pseudo HJT Report ===============

uStart Page = hxxp://www.michaelbade.com/
mWinlogon: SFCDisable=-99 (0xffffff9d)
uRun: [com.codeode.privacymantra] "c:\program files\privacy mantra 2.06\privacymantra.exe" -minimized
uRun: [SetDefaultMIDI] MIDIDef.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [SmcService] c:\progra~1\sygate\spf\smc.exe -startgui
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
TCP: {A8792FF2-91AA-4765-A4B9-4BC10E3DBB5D} = 10.231.158.187,4.2.2.3
Notify: AutorunsDisabled - wlnotify.dll
IFEO: AutorunsDisabled - ntsd -d

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\zed\applic~1\mozilla\firefox\profiles\j11tepl6.default\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============


============== File Associations ===============

regfile="regedit.exe" "%1"

=============== Created Last 30 ================

2010-02-03 23:20:22 0 d-----w- C:\SDFix
2010-02-03 12:58:29 0 d-----w- c:\program files\WS_FTP
2010-02-03 05:41:13 0 d-----w- c:\windows\system32\LogFiles
2010-02-02 22:03:12 56400 ----a-w- c:\windows\system32\drivers\Teefer.sys
2010-02-02 22:03:12 18515 ----a-w- c:\windows\system32\drivers\wpsdrvnt.sys
2010-02-02 22:03:12 11914 ----a-w- c:\windows\system32\drivers\wg3n.sys
2010-02-02 22:03:11 83096 ----a-w- c:\windows\system32\SSSensor.dll
2010-02-02 22:03:10 0 d-----w- c:\program files\Sygate
2010-02-02 22:02:37 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-02-02 22:02:03 0 d-----w- c:\program files\Microsoft Bootvis
2010-02-02 21:54:07 0 d-----w- c:\program files\WinPcap
2010-02-02 21:53:59 939224 ----a-w- c:\windows\system32\Flash.ocx
2010-02-02 21:53:57 0 d-----w- c:\program files\Net Tools
2010-02-02 21:50:54 0 d-----w- c:\docume~1\zed\applic~1\WinPatrol
2010-02-02 21:50:49 0 d-----w- c:\program files\BillP Studios
2010-02-02 19:34:56 1706800 ------w- c:\windows\system32\gdiplus.dll
2010-02-02 19:26:00 4958588 ----a-w- c:\windows\{00000004-00000000-00000000-00001102-00000008-42011102}.CDF
2010-02-02 19:21:21 64 ----a-w- c:\windows\system32\BMXStateBkp-{00000004-00000000-00000000-00001102-00000008-42011102}.rfx
2010-02-02 19:21:21 64 ----a-w- c:\windows\system32\BMXState-{00000004-00000000-00000000-00001102-00000008-42011102}.rfx
2010-02-02 19:21:21 1224 ----a-w- c:\windows\system32\BMXCtrlState-{00000004-00000000-00000000-00001102-00000008-42011102}.rfx
2010-02-02 19:21:21 1224 ----a-w- c:\windows\system32\BMXBkpCtrlState-{00000004-00000000-00000000-00001102-00000008-42011102}.rfx
2010-02-02 19:20:51 0 d-----w- c:\docume~1\zed\applic~1\EmuPatchMixDSP
2010-02-02 19:17:52 86016 ----a-w- c:\windows\system32\cttele.dll
2010-02-02 19:17:48 11564 ----a-w- c:\windows\system32\DVCState-{00000004-00000000-00000000-00001102-00000008-42011102}.rfx
2010-02-02 19:16:19 0 d-----w- c:\windows\system32\ReinstallBackups
2010-02-02 19:16:01 2560 ----a-w- c:\windows\CTXFIRES.DLL
2010-02-02 16:17:48 1294336 ----a-w- c:\windows\system32\vorbis.acm
2010-02-02 16:17:32 0 d-----w- c:\program files\FLStudio4
2010-02-02 16:13:21 0 d-----w- c:\program files\Free Easy Burner
2010-02-02 16:08:34 0 d-----w- c:\program files\Privacy Mantra 2.06
2010-02-02 16:08:07 0 d-----w- c:\program files\CCleaner
2010-02-02 15:44:29 0 d-----w- c:\docume~1\zed\applic~1\PDF reDirect
2010-02-02 15:44:25 0 d-----w- c:\program files\PDF reDirect
2010-02-02 15:43:56 0 d-----w- c:\program files\Foxit Software
2010-02-01 20:28:51 0 ----a-w- C:\Documents
2010-02-01 19:57:09 35840 ----a-w- c:\windows\bintext.exe
2010-02-01 19:48:48 0 d-----w- c:\program files\common files\Creative Professional
2010-02-01 08:15:37 0 d-----w- c:\docume~1\zed\applic~1\REAPER
2010-01-31 22:49:59 90112 ----a-w- c:\windows\Updreg.xex2
2010-01-31 22:37:13 27958 ----a-w- c:\windows\system32\SpoonUninstall-dBpowerAMP Music Converter.bmp
2010-01-31 22:37:13 17871 ----a-w- c:\windows\system32\SpoonUninstall-dBpowerAMP Music Converter.dat
2010-01-31 22:37:13 167936 ----a-w- c:\windows\system32\SpoonUninstall.exe
2010-01-31 22:37:13 0 d-----w- c:\program files\Illustrate
2010-01-31 22:35:43 0 d-----w- c:\program files\REAPER
2010-01-31 22:33:29 0 d-----w- c:\program files\MediaPlayerClassic
2010-01-31 22:02:17 7078 ----a-w- c:\windows\system32\E-DSP.ICO
2010-01-31 22:02:17 2102 ----a-w- c:\windows\system32\E-DSP.BMP
2010-01-31 22:02:16 53248 ----a-w- c:\windows\system32\CTDPROXY.DLL
2010-01-31 20:16:26 13646 ----a-w- c:\windows\system32\wpa.bak
2010-01-31 20:13:39 0 d-s---w- c:\documents and settings\zed\UserData
2010-01-31 19:58:05 186824 ----a-w- c:\windows\system32\nvapps.xml
2010-01-31 19:57:35 446464 ----a-w- c:\windows\system32\nvudisp.exe
2010-01-31 19:57:35 446464 ----a-r- c:\windows\system32\nvuninst.exe
2010-01-31 19:57:35 18070 ----a-w- c:\windows\system32\nvdisp.nvu
2010-01-19 21:57:16 6400 -c--a-w- c:\windows\system32\dllcache\enum1394.sys
2010-01-19 21:57:16 6400 ----a-w- c:\windows\system32\drivers\enum1394.sys
2010-01-19 21:57:16 61696 -c--a-w- c:\windows\system32\dllcache\ohci1394.sys
2010-01-19 21:57:16 61696 ----a-w- c:\windows\system32\drivers\ohci1394.sys
2010-01-19 21:57:16 53376 -c--a-w- c:\windows\system32\dllcache\1394bus.sys
2010-01-19 21:57:16 53376 ----a-w- c:\windows\system32\drivers\1394bus.sys
2010-01-16 04:48:22 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-14 18:45:20 0 d-----w- c:\program files\REAPER_OLD
2010-01-13 13:16:24 19037484 ----a-w- c:\documents and settings\zed\File.CSV
2010-01-12 22:46:22 0 d-----w- c:\docume~1\zed\applic~1\Wireshark
2010-01-12 12:39:08 18070 ----a-w- c:\windows\system32\atidisp.atu
2010-01-12 07:05:14 82 ----a-w- c:\windows\system32\-1
2010-01-11 06:05:37 212480 ----a-w- c:\windows\system32\Pcdlib32.dll
2010-01-11 06:05:20 0 d-----w- c:\program files\ACDSee32
2010-01-11 04:10:12 0 d-----w- c:\windows\system32\SoftwareDistribution
2010-01-10 23:21:33 0 d-----w- C:\Download
2010-01-10 21:08:39 0 d-----w- c:\program files\Safer Networking
2010-01-10 20:53:14 499712 ----a-w- c:\windows\system32\MSVCP71.dll
2010-01-10 20:53:14 348160 ----a-w- c:\windows\system32\MSVCR71.dll
2010-01-10 20:53:14 1060864 ----a-w- c:\windows\system32\MFC71.dll
2010-01-10 20:50:11 26368 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
2010-01-10 20:17:01 0 d-----w- c:\documents and settings\zed\BNC
2010-01-09 05:48:27 0 d-----w- c:\program files\Creative
2010-01-09 05:47:59 7552 -c--a-w- c:\windows\system32\dllcache\mskssrv.sys
2010-01-09 05:46:45 0 d-----w- c:\windows\system32\Data
2010-01-09 05:46:31 0 d-----w- c:\program files\Creative Professional
2010-01-09 05:43:08 0 d-----w- c:\windows\nview
2010-01-09 05:10:52 327168 ----a-w- c:\windows\IsUninst.exe
2010-01-09 04:58:13 9728 ----a-r- c:\windows\system32\RtNicProp32.dll
2010-01-09 04:58:13 111360 ----a-r- c:\windows\system32\drivers\Rtenicxp.sys
2010-01-09 04:58:04 0 d-----w- c:\windows\OPTIONS
2010-01-09 04:58:04 0 d-----w- c:\program files\Realtek
2010-01-09 04:53:14 16608 ----a-w- c:\windows\gdrv.ysy
2010-01-09 04:53:14 16608 ----a-w- c:\windows\gdrv.sys
2010-01-09 03:22:35 0 d-sh--w- c:\documents and settings\all users\DRM
2010-01-09 03:22:20 0 d--h--w- c:\program files\WindowsUpdate
2010-01-09 03:21:48 0 d-----w- c:\program files\common files\MSSoap
2010-01-09 03:20:18 0 d-----w- c:\program files\MSN Gaming Zone
2010-01-09 03:19:46 0 d-----w- c:\program files\Windows NT
2010-01-08 22:13:40 0 d-----w- c:\program files\common files\ODBC
2010-01-08 22:13:37 0 d-----w- c:\program files\common files\SpeechEngines
2010-01-08 22:13:17 0 d-----r- c:\documents and settings\all users\Documents

==================== Find3M ====================

2010-02-02 19:16:17 409600 ----a-w- c:\windows\system32\wrap_oal.dll
2010-02-02 19:16:17 114688 ----a-w- c:\windows\system32\OpenAL32.dll
2010-01-09 03:20:49 21640 ----a-w- c:\windows\system32\emptyregdb.dat

============= FINISH: 14:38:11.71 ===============


#2 m0le

  • Malware Response Team
  • 34,527 posts

Posted 12 February 2010 - 07:49 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 zedhed

  • Topic Starter
  • Members
  • 12 posts

Posted 12 February 2010 - 10:15 PM

Thanks Mole, I'm here.

Yeah, there are a lot of changes since my post. My browser quit working right after I posted, my firewall seemed to be feeding clients behind its back, etc. At this point I'm using a UBCD4WIN CD with no drives plugged in when online. A lot of my data (mainly sys drive backups) has been deleted so I've been in the process of making fresh backups and undeleting. I'll stop and let you have it from here.

Thank you for your help.

zed

#4 m0le

  • Malware Response Team
  • 34,527 posts

Posted 13 February 2010 - 05:49 AM

Hi zedhed,

This sounds like the MBR rootkit.

Please run SystemScan

Please download SystemScan and save it to your desktop.
  • Be aware that the file name will be randomly generated (i.e. sys95769.exe) to deceive malware which may attempt to disable it.
  • If any installed security tools (anti-virus) detects the file as malware or suspicious while downloading or attempting to run, ignore the alert and allow the download.
  • Double-click on sys*****.exe to start the tool.
  • A read before proceeding disclaimer will appear.
  • Uncheck <- Unflag the checkbox to disable updates! next to the version number at the top.
  • After reading, check the box I have read and agree. Please let me...proceed!, then click the Proceed button.
  • When SystemScan opens, click the "Unselect all" button.
  • Important: Under "Make your choice and than click...", check the boxes next to:
    • PC accounts
  • Everything else should be unchecked.
  • Click "Scan Now".
  • Another warning box will appear. Please follow the instructions and click Ok.
  • Please be patient while the scan is in progress.
  • Systemscan will scan your computer and create a folder named suspectfile on the Desktop to save its report.
  • When the scan is complete, Notepad will automatically open a log file named report.txt with the results.
  • Copy and paste the contents of report.txt in your next reply.

m0le is a proud member of UNITE

#5 zedhed

  • Topic Starter
  • Members
  • 12 posts

Posted 14 February 2010 - 08:12 AM

Hi M0le,

Here's the report. See my note at bottom.

Thanks,
Zed

SystemScan - www.suspectfile.com - ver. 3.6.7 (code: holifay & bReAkdOWn)

Running on: Windows XP PROFESSIONAL Edition, Service Pack 3 (2600.5.1)
System directory: C:\WINDOWS
SystemScan file: C:\Documents and Settings\Zed\Desktop\sys17754.exe
Running in: User mode
Date: 2/14/2010
Time: 7:18:30 AM

Output limited to:
-PC accounts

===================== ACCOUNTS ON THIS PC =====================


Users on this computer:
Is Admin? | Username
------------------
Yes | Administrator
| Guest (Disabled)
| HelpAssistant (Disabled)
| Online
| SUPPORT_388945a0 (Disabled)
Yes | Zed

### users folders

06/02/2010 12:34:32 (DIR) 0 byte 8 days old -- All Users
09/02/2010 00:54:42 (DIR) 0 byte 5 days old -- NetworkService
09/02/2010 00:54:42 (DIR) 0 byte 5 days old -- LocalService
09/02/2010 00:54:42 (DIR) 0 byte 5 days old -- Default User
11/02/2010 03:11:25 (DIR) 0 byte 3 days old -- Zed
11/02/2010 10:41:23 (DIR) 0 byte 3 days old -- Online

### startup files in users folders

C:\documents and settings\All Users\Start Menu\Programs\Startup\desktop.ini
C:\documents and settings\Default User\Start Menu\Programs\Startup\desktop.ini
C:\documents and settings\Online\Start Menu\Programs\Startup\desktop.ini
C:\documents and settings\Zed\Start Menu\Programs\Startup\desktop.ini
C:\documents and settings\Zed\Start Menu\Programs\Startup\nfg.bat

==========================================
Scan completed in 0 minutes
End of report


~~~~~~~~~~~~~~~~~~~~~-----CREDITS-----~~~~~~~~~~~~~~~~~~~~~
SystemScan uses some freeware tools that remain property of their authors:

* SteelWerX Registry Console Tool, Who Am I (Bobby Flekman: www.xs4all.nl/~fstaal01) --> "Registry scan", "PC accounts "
* dumphive (Markus Stephany)--> "Registry scan"
* Listdlls (M.Russinovich, B.Cogswell: www.sysinternals.com) --> "Loaded modules"
* Catchme & MBR Rootkit detector (gmer: www.gmer.net) --> "Hidden objects", "Alternate Data Streams" & "Master Boot Record"
---> NOTE: SystemScan integrates "The Avenger" from Swandog46 (http://swandog46.geekstogo.com) to allow you to remove malwares found in this log

Thanks to all of them for their hard work


CONCERNING NFG.BAT

M0le: Assuming it couldn't hurt, I have been deleting the admin and hidden volume shares with this batch file on startup. I use this machine primarily for multitrack recording, thus the many volumes. I have four disks online: two internal, one USB and one firewire.

My primary goal is to be able to fresh-install XP from a slipstreamed SP3 CD without the rootkit riding along. I have tried writing all zeros on the target disk and verifying that even the first sector (mbr) is all zeros (except for the two bytes that identify the disk) before starting the XP installation, but I think the dropper is installed before the installation is done - maybe BIOS related? See this: http://blogs.zdnet.com/security/?p=2962


zed

nfg.bat:


@echo off
c:
cd \windows\system32
net share c$ /delete >nul
net share f$ /delete >nul
net share g$ /delete >nul
net share h$ /delete >nul
net share i$ /delete >nul
net share j$ /delete >nul
net share k$ /delete >nul
net share l$ /delete >nul
net share p$ /delete >nul
net share s$ /delete >nul
net share admin$ /delete >nul
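
A version of the same share cleanup that enumerates whatever shares actually exist instead of hard-coding drive letters, and that also stops the Server service from recreating the administrative shares at the next boot. This is an added example written for this thread, not zedhed's nfg.bat; it assumes an XP-era workstation where net share, findstr and reg add are available, and it relies on the documented LanmanServer AutoShareWks registry value.

```batch
@echo off
rem Added example (not zedhed's nfg.bat): remove the admin shares that exist
rem right now, then stop Windows from recreating them at the next boot.
rem Assumes an XP-era workstation with net share, findstr and reg add.
setlocal

rem 1. Enumerate the current shares instead of hard-coding drive letters.
rem    "net share" prints one share per line with the name first; the admin
rem    shares are the ones whose name ends in "$" (C$, F$, ADMIN$ ...).
rem    IPC$ cannot be removed, so it is skipped explicitly.
for /f "tokens=1" %%S in ('net share ^| findstr /r /c:"^[A-Za-z0-9]*\$ "') do (
    if /i not "%%S"=="IPC$" (
        echo Removing share %%S
        net share %%S /delete >nul 2>&1
    )
)

rem 2. Tell the Server service not to recreate the administrative shares on
rem    reboot. AutoShareWks applies to workstation SKUs such as XP Professional;
rem    AutoShareServer is the equivalent value on server SKUs.
reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareWks /t REG_DWORD /d 0 /f >nul

rem 3. Show what is still shared so the result can be checked at a glance.
echo Remaining shares:
net share
endlocal
```

Because the registry value is honoured by the Server service at startup, the enumeration loop is only needed for the current session; after a reboot only IPC$ should remain in the "Remaining shares" listing.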

#6 m0le

  • Malware Response Team
  • 34,527 posts

Posted 14 February 2010 - 11:04 AM

Nothing there.

You are fine to continue to delete admin and hidden volume shares. We just need to check for other tell-tale signs of the MBR rootkit so please just run this short program so I can check the registry entries.

Download Profiles by noahdfear

Double click the file and copy and paste the resulting log into your next reply.


Next please run this next program so we can eliminate another foe.

Please save this file to your desktop. Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK.

"%userprofile%\desktop\win32kdiag.exe" -f -r

When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

Edited by m0le, 14 February 2010 - 11:09 AM.
forgot to answer question...

m0le is a proud member of UNITE

#7 zedhed

  • Topic Starter
  • Members
  • 12 posts

Posted 14 February 2010 - 04:02 PM

M0le:
Here are the files you requested. Again, see note at bottom.

Thanks,
Zed

Profiles:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
DefaultUserProfile REG_SZ Default User
AllUsersProfile REG_SZ All Users

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
ProfileImagePath REG_EXPAND_SZ %systemroot%\system32\config\systemprofile

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\LocalService

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\NetworkService

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-329068152-920026266-682003330-1003
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\Zed

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-329068152-920026266-682003330-1004
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\Online

SystemRoot REG_SZ C:\WINDOWS


Next File:

Running from: C:\Documents and Settings\Zed\desktop\win32kdiag.exe

Log file at : C:\Documents and Settings\Zed\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...


Finished!


M0le:
I might be walking you into a trap here. The information in these reports is probably tainted by my own attempts to fight this thing over the last few weeks. After a dozen attempts to install a malware-free version of XP on a couple of different disk drives, I gave that up and started trying to defend the existing installation - simply because I needed to get back to my audio work. Mainly, I have been trying to stop clients on the Internet from connecting to servers on my PC that are well hidden (from me, anyway).

As an example, I suspect the reason Win32kDiag can't get backup privileges is because I implemented a local security policy that prevents anyone from getting that privilege. I had seen Volume Shadow Copy running in the lower pane of Process Explorer when I had all VSS services disabled. Many other disabled services e.g. Terminal Services, Remote Registry etc are also running, though I have them disabled in the Services console.

So, because this version of Windows has been tampered with (but for now I can use it for my work), would it make sense for me to put a fresh copy of XP on a different drive so you have known quantities to work with? For one thing, it would confirm that I really am infected before Windows is even finished installing, which my experience tells me is impossible! I could use my original non-OEM CD, pre SP1, that I bought in 2002 or thereabouts (for 300 bucks!) and run the same programs you have specified so far (if you like) for my next post. I also have a SP3 slipstreamed copy that I created with the aforementioned CD last Spring - long before this problem began in mid November. I will do the installation however you say.

I do hope this doesn't scare you off. I'm no expert - you are - but I have been working with basic home Internet security (cleaning infections and installing firewalls and antivirus programs as a consultant to home users) for many years and this problem astounds me. I have spent months trying to figure this out to no avail. My only other option is to start replacing hardware components which I cannot afford to do at this point (currently unemployed). But you call the shots, not me. Mine haven't worked at all.


zed

#8 m0le

  • Malware Response Team
  • 34,527 posts

Posted 14 February 2010 - 07:10 PM

zedhed, don't worry about it. The backup privileges are never given on Win32diag.

So far, there's no sign of anything malicious and the system looks stable. However, I've only scratched the surface by looking for the nastier rootkits which would shut down and, in some cases, disable the search.

The symptoms you are describing are not leading me to any obvious place at the moment so I would like to take a look with Combofix. Anything Combofix can find will help the search but I believe the scan will not find anything with a severe threat label. I hope that is the case.

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

m0le is a proud member of UNITE

#9 zedhed

  • Topic Starter
  • Members
  • 12 posts

Posted 15 February 2010 - 04:28 PM

Here it is M0le. Got an error message: IPConfig.exe couldn't locate wtsapi32.dll, and that's because I deleted it from system32. It's still in dllcache, though, so if you want me to put it back and rerun, let me know.

ComboFix 10-02-12.01 - Zed 02/15/2010 16:12:03.2.3 - x86
Running from: c:\documents and settings\Zed\Desktop\ComFix.exe
.

((((((((((((((((((((((((( Files Created from 2010-01-15 to 2010-02-15 )))))))))))))))))))))))))))))))
.

2010-02-12 03:37 . 2010-02-12 03:41 -------- d--h--w- c:\windows\system32\GroupPolicy
2010-02-12 02:34 . 2010-02-12 02:34 -------- d-----w- c:\program files\gdb332
2010-02-12 02:25 . 2010-02-12 02:25 -------- d-----w- c:\program files\Restoration
2010-02-11 13:52 . 2010-02-15 15:01 -------- d-----w- c:\program files\Unlocker
2010-02-11 13:10 . 2010-02-11 13:12 -------- d-----w- c:\program files\RegScrubXP
2010-02-10 13:41 . 2010-02-11 03:10 -------- d-----w- C:\EMU Concert
2010-02-10 13:08 . 2010-02-10 14:05 -------- d-----w- c:\program files\MP3 Tag Editor
2010-02-10 13:04 . 2010-02-10 13:04 2181 ----a-w- c:\windows\system32\SpoonUninstall-dBpowerAMP WMA V9 Codec.dat
2010-02-10 13:03 . 2010-02-10 13:03 2154 ----a-w- c:\windows\system32\SpoonUninstall-dBpowerAMP Ogg Vorbis Codec.dat
2010-02-10 03:50 . 2010-02-10 03:50 4212 ---h--w- c:\windows\system32\zllictbl.dat
2010-02-10 03:49 . 2010-02-10 12:20 -------- d-----w- c:\windows\Internet Logs
2010-02-09 20:34 . 2010-02-09 20:36 -------- d-----w- c:\windows\SxsCaPendDel
2010-02-09 14:58 . 2003-06-06 13:42 229376 ----a-w- c:\windows\procexp.exe
2010-02-09 06:36 . 2010-02-09 06:36 -------- d-----w- c:\documents and settings\Zed\Application Data\Malwarebytes
2010-02-09 06:36 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-09 06:36 . 2010-02-09 06:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-09 06:36 . 2010-02-09 06:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-09 06:36 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-07 20:05 . 2008-04-14 05:10 43904 -c--a-w- c:\windows\system32\dllcache\sbp2port.sys
2010-02-07 20:05 . 2008-04-14 05:10 43904 ----a-w- c:\windows\system32\drivers\sbp2port.sys
2010-02-07 02:21 . 2010-02-07 02:21 -------- d-----w- c:\program files\FLStudio4
2010-02-07 00:35 . 2010-02-07 00:35 24944 ----a-w- c:\windows\system32\drivers\GVTDrv.sys
2010-02-06 17:34 . 2010-02-06 17:34 -------- d-----w- c:\windows\Cookies
2010-02-06 17:34 . 2010-02-06 17:34 -------- d-----w- c:\windows\Recent
2010-02-06 15:09 . 2010-02-06 15:09 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield
2010-02-06 15:00 . 2010-02-06 15:09 -------- d-----w- c:\program files\GIGABYTE
2010-02-06 14:21 . 2010-02-06 14:21 -------- d-----w- c:\program files\ATI Technologies
2010-02-06 01:20 . 2010-02-06 01:20 -------- d-----w- c:\documents and settings\Zed\Local Settings\Application Data\Help
2010-02-03 12:58 . 2010-02-03 12:58 -------- d-----w- c:\program files\WS_FTP
2010-02-03 05:41 . 2010-02-03 05:41 -------- d-----w- c:\windows\system32\LogFiles
2010-02-02 22:03 . 2004-06-05 03:02 56400 ----a-w- c:\windows\system32\drivers\Teefer.sys
2010-02-02 22:03 . 2004-06-05 02:58 11914 ----a-w- c:\windows\system32\drivers\wg3n.sys
2010-02-02 22:03 . 2004-06-05 03:18 83096 ----a-w- c:\windows\system32\SSSensor.dll
2010-02-02 22:02 . 2010-02-03 06:10 -------- d-----w- c:\program files\Microsoft Bootvis
2010-02-02 21:56 . 2010-01-31 19:19 12016860 ----a-w- c:\documents and settings\Default User\SysinternalsSuite.zip
2010-02-02 21:54 . 2004-02-17 05:00 434252 ----a-w- c:\windows\system32\MSVCRTD.DLL
2010-02-02 21:50 . 2010-02-02 21:50 -------- d-----w- c:\documents and settings\Zed\Application Data\WinPatrol
2010-02-02 21:50 . 2010-01-09 03:23 0 ----a-w- c:\documents and settings\Zed\Application Data\WinPatrol\Config.sys
2010-02-02 21:50 . 2010-01-09 03:23 0 ----a-w- c:\documents and settings\Zed\Application Data\WinPatrol\Autoexec.bat
2010-02-02 21:50 . 2010-02-02 21:50 -------- d-----w- c:\program files\BillP Studios
2010-02-02 19:34 . 2003-08-18 17:33 1706800 ------w- c:\windows\system32\gdiplus.dll
2010-02-02 19:20 . 2010-02-02 19:36 -------- d-----w- c:\documents and settings\Zed\Application Data\EmuPatchMixDSP
2010-02-02 19:17 . 2006-11-14 20:28 86016 ----a-w- c:\windows\system32\cttele.dll
2010-02-02 19:16 . 2008-03-20 20:35 2560 ----a-w- c:\windows\CTXFIRES.DLL
2010-02-02 16:17 . 2010-02-09 05:47 -------- d-----w- c:\program files\FLStudio4_OLD
2010-02-02 16:08 . 2010-02-02 16:08 -------- d-----w- c:\program files\Privacy Mantra 2.06
2010-02-02 15:44 . 2010-02-05 19:31 -------- d-----w- c:\documents and settings\Zed\Application Data\PDF reDirect
2010-02-02 15:44 . 2010-02-02 15:44 -------- d-----w- c:\program files\PDF reDirect
2010-02-02 15:43 . 2010-02-02 15:43 -------- d-----w- c:\program files\Foxit Software
2010-02-01 19:57 . 2000-11-13 00:28 35840 ----a-w- c:\windows\bintext.exe
2010-02-01 19:48 . 2010-02-01 19:48 -------- d-----w- c:\program files\Common Files\Creative Professional
2010-02-01 08:15 . 2010-02-06 01:46 -------- d-----w- c:\documents and settings\Zed\Application Data\REAPER
2010-01-31 22:37 . 2010-02-10 13:04 167936 ----a-w- c:\windows\system32\SpoonUninstall.exe
2010-01-31 22:37 . 2010-01-31 22:37 17871 ----a-w- c:\windows\system32\SpoonUninstall-dBpowerAMP Music Converter.dat
2010-01-31 22:37 . 2010-01-31 22:37 -------- d-----w- c:\program files\Illustrate
2010-01-31 22:35 . 2010-02-06 00:35 -------- d-----w- c:\program files\REAPER
2010-01-31 22:33 . 2010-01-31 22:33 -------- d-----w- c:\program files\MediaPlayerClassic
2010-01-31 22:02 . 2008-03-20 20:22 53248 ----a-w- c:\windows\system32\CTDPROXY.DLL
2010-01-31 21:13 . 2010-01-31 21:13 -------- d-----w- c:\documents and settings\All Users\Application Data\nView_Profiles
2010-01-31 19:57 . 2008-05-16 18:31 446464 ----a-w- c:\windows\system32\nvudisp.exe
2010-01-31 19:57 . 2008-05-16 18:31 446464 ----a-r- c:\windows\system32\nvuninst.exe
2010-01-19 21:57 . 2008-04-14 05:16 61696 -c--a-w- c:\windows\system32\dllcache\ohci1394.sys
2010-01-19 21:57 . 2008-04-14 05:16 61696 ----a-w- c:\windows\system32\drivers\ohci1394.sys
2010-01-19 21:57 . 2008-04-14 05:16 53376 -c--a-w- c:\windows\system32\dllcache\1394bus.sys
2010-01-19 21:57 . 2008-04-14 05:16 53376 ----a-w- c:\windows\system32\drivers\1394bus.sys
2010-01-19 21:57 . 2001-08-17 18:46 6400 -c--a-w- c:\windows\system32\dllcache\enum1394.sys
2010-01-19 21:57 . 2001-08-17 18:46 6400 ----a-w- c:\windows\system32\drivers\enum1394.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-12 09:57 . 2010-01-09 04:56 -------- d-----w- c:\program files\Common Files\InstallShield
2010-02-07 00:35 . 2010-01-09 04:53 16608 ----a-w- c:\windows\gdrv.sys
2010-02-06 15:09 . 2010-01-09 04:56 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-05 15:21 . 2010-02-02 16:13 -------- d-----w- c:\program files\Free Easy Burner
2010-02-02 19:34 . 2010-01-09 05:46 -------- d-----w- c:\program files\Creative Professional
2010-02-02 19:16 . 2010-01-09 05:48 409600 ----a-w- c:\windows\system32\wrap_oal.dll
2010-02-02 19:16 . 2010-01-09 05:48 114688 ----a-w- c:\windows\system32\OpenAL32.dll
2010-01-31 22:03 . 2010-01-09 05:47 -------- d-----w- c:\documents and settings\Zed\Application Data\Creative
2010-01-19 21:45 . 2010-01-14 18:45 -------- d-----w- c:\program files\REAPER_OLD
2010-01-16 04:48 . 2010-01-16 04:48 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-11 05:58 . 2010-01-11 00:54 -------- d-----w- c:\documents and settings\Online\Application Data\EmuPatchMixDSP
2010-01-10 23:28 . 2010-01-10 23:28 0 ----a-w- c:\windows\nsreg.dat
2010-01-10 21:08 . 2010-01-10 21:08 -------- d-----w- c:\program files\Safer Networking
2010-01-10 20:14 . 2010-01-10 20:14 12328 ----a-w- c:\documents and settings\Zed\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-09 05:48 . 2010-01-09 05:48 -------- d-----w- c:\program files\Creative
2010-01-09 05:06 . 2010-01-09 05:06 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-09 04:58 . 2010-01-09 04:58 -------- d-----w- c:\program files\Realtek
2010-01-09 04:57 . 2010-01-09 04:57 -------- d-----w- c:\documents and settings\Zed\Application Data\InstallShield
2010-01-09 04:07 . 2010-01-09 03:22 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-01-09 03:23 . 2010-01-09 03:23 -------- d-----w- c:\program files\microsoft frontpage
2010-01-09 03:20 . 2010-01-09 03:20 21640 ----a-w- c:\windows\system32\emptyregdb.dat
.

((((((((((((((((((((((((((((( SnapShot@2010-02-09_05.53.17 )))))))))))))))))))))))))))))))))))))))))
.
+ 2001-08-23 12:00 . 2010-02-09 20:34 51260 c:\windows\system32\perfc009.dat
+ 2010-02-09 15:03 . 2001-09-11 03:04 98304 c:\windows\msagent\Filemon.exe
+ 2010-02-09 15:03 . 2001-09-04 20:30 58024 c:\windows\msagent\filem.sys
+ 2001-08-23 12:00 . 2010-02-09 20:34 336916 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"com.codeode.privacymantra"="c:\program files\Privacy Mantra 2.06\privacymantra.exe" [2009-03-28 958464]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTHelper"="CTHELPER.EXE" [2008-03-20 23040]
"CTxfiHlp"="CTXFIHLP.EXE" [2008-03-20 23552]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2009-10-10 320832]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]

c:\documents and settings\Zed\Start Menu\Programs\Startup\
nfg.bat [2010-2-9 335]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AutorunsDisabled]
2008-04-14 09:42 92672 ----a-w- c:\windows\system32\wlnotify.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=

R3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.SYS [2008-03-20 98328]
R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\System32\drivers\CT20XUT.SYS [2008-03-20 171032]
R3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.SYS [2008-03-20 171032]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\System32\drivers\CTAUDFX.SYS [2008-03-20 528920]
R3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.SYS [2008-03-20 528920]
R3 CTEAPSFX.SYS;CTEAPSFX.SYS;c:\windows\System32\drivers\CTEAPSFX.SYS [2008-03-20 163352]
R3 CTEAPSFX;CTEAPSFX;c:\windows\system32\drivers\CTEAPSFX.SYS [2008-03-20 163352]
R3 CTEDSPFX.SYS;CTEDSPFX.SYS;c:\windows\System32\drivers\CTEDSPFX.SYS [2008-03-20 259096]
R3 CTEDSPFX;CTEDSPFX;c:\windows\system32\drivers\CTEDSPFX.SYS [2008-03-20 259096]
R3 CTEDSPIO;CTEDSPIO;c:\windows\system32\drivers\CTEDSPIO.SYS [2008-03-20 134168]
R3 CTEDSPSY;CTEDSPSY;c:\windows\system32\drivers\CTEDSPSY.SYS [2008-03-20 309784]
R3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\System32\drivers\CTERFXFX.SYS [2008-03-20 99352]
R3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.SYS [2008-03-20 99352]
R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\System32\drivers\CTEXFIFX.SYS [2008-03-20 1324056]
R3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.SYS [2008-03-20 1324056]
R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\System32\drivers\CTHWIUT.SYS [2008-03-20 72728]
R3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.SYS [2008-03-20 72728]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\System32\drivers\CTSBLFX.SYS [2008-03-20 534040]
R3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.SYS [2008-03-20 534040]
R3 smcdburner;smcdburner;c:\windows\system32\drivers\smcdburner.sys [x]
S3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\System32\drivers\COMMONFX.SYS [2008-03-20 98328]
S3 CTEDSPIO.SYS;CTEDSPIO.SYS;c:\windows\System32\drivers\CTEDSPIO.SYS [2008-03-20 134168]
S3 CTEDSPSY.SYS;CTEDSPSY.SYS;c:\windows\System32\drivers\CTEDSPSY.SYS [2008-03-20 309784]

.
.
------- Supplementary Scan -------
.
uLocal Page = hxxp://forum.cockos.com/forumdisplay.php?f=20
uStart Page = hxxp://www.michaelbade.com/
mStart Page = hxxp://forum.cockos.com/forumdisplay.php?f=20
TCP: {A8792FF2-91AA-4765-A4B9-4BC10E3DBB5D} = 10.231.158.187,4.2.2.3
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
Completion time: 2010-02-15 16:14:53
ComboFix-quarantined-files.txt 2010-02-15 21:13

Pre-Run: 39,781,134,336 bytes free
Post-Run: 39,750,643,712 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
[spybotsd]
timeout.old=30

- - End Of File - - B3B09F3ECC2AAFD669C937F3BADEB254
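The "Files Created" and "Find3M" sections of a ComboFix log like the one above can be triaged mechanically before anyone reads them line by line. The Python below is an added example written for this thread, not part of ComboFix or of either poster's tooling; the line layout it parses (created time, last-written time, size, attribute letters, path) is inferred from the log itself, and since the meaning of each attribute column is not documented here it only tests for the presence of the "d" and "h" letters. The sample lines are copied from the log above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One entry of the 'Files Created' and 'Find3M' sections, as laid out in the
# log above: <created> . <last-written> <size|--------> <attrs> <path>.
# The layout is inferred from the log itself; the '+'-prefixed SnapShot
# lines have a different shape and simply fail to match.
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(\d+|-{8})\s+([\w-]{8})\s+(.+)$"
)
WIN_ROOT = "c:\\windows\\"
EXEC_EXT = (".exe", ".sys", ".dll", ".bat", ".cmd", ".scr")


@dataclass
class Entry:
    created: str
    written: str
    size: Optional[int]  # None for directories ('--------' in the log)
    attrs: str           # e.g. ----a-w- or d--h--w-; column meanings are
    path: str            # not documented here, so only letters are tested


def parse(text: str) -> List[Entry]:
    """Banners, '.' separators and blank lines do not match and are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            created, written, size, attrs, path = m.groups()
            entries.append(Entry(created, written,
                                 None if size.startswith("-") else int(size),
                                 attrs, path.lower()))
    return entries


def flag(e: Entry) -> Optional[str]:
    """Reason to look closer at an entry, or None. A hit is a lead, not a
    verdict: every hit in SAMPLE is a tool or driver the poster installed."""
    if "d" in e.attrs or not e.path.startswith(WIN_ROOT):
        return None
    rest = e.path[len(WIN_ROOT):]
    if "\\" not in rest and rest.endswith(EXEC_EXT):
        return "executable directly in c:\\windows"
    if "h" in e.attrs:
        return "hidden file under c:\\windows"
    return None


def triage(text: str) -> Dict[str, str]:
    """Map each flagged path (lower-cased) to the reason it was flagged."""
    return {e.path: r for e in parse(text) if (r := flag(e))}


# Lines copied from the ComboFix log posted above, banner included.
SAMPLE = r"""((((((((((((((((((((((((( Files Created from 2010-01-15 to 2010-02-15 )))))))))))))))))))))))))))))))
2010-02-12 03:37 . 2010-02-12 03:41 -------- d--h--w- c:\windows\system32\GroupPolicy
2010-02-10 03:50 . 2010-02-10 03:50 4212 ---h--w- c:\windows\system32\zllictbl.dat
2010-02-09 14:58 . 2003-06-06 13:42 229376 ----a-w- c:\windows\procexp.exe
2010-02-09 06:36 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-02 19:16 . 2008-03-20 20:35 2560 ----a-w- c:\windows\CTXFIRES.DLL
2010-02-01 19:57 . 2000-11-13 00:28 35840 ----a-w- c:\windows\bintext.exe
2010-02-10 13:04 . 2010-02-10 13:04 2181 ----a-w- c:\windows\system32\SpoonUninstall-dBpowerAMP WMA V9 Codec.dat
"""
```

Every path it flags in the sample is a tool or driver zedhed installed himself, which is the point: the heuristics only produce leads to verify by hand, while ComboFix's own empty "hidden files:" section is the stronger evidence about a rootkit.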


#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:03:41 PM

Posted 15 February 2010 - 07:14 PM

Combofix confirms it. There is nothing malicious on the PC; one of the programs we have run would have found the type of malware that you suspect is infecting your machine.

We can run some further scans to search for remnants which might give us a clue but looking at the logs and reading your previous accounts it doesn't seem likely that we will find anything. It can't hurt though.

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.


Following that please visit ESET to use their online scanner

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
Thanks
m0le is a proud member of UNITE

#11 zedhed

zedhed
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:10:41 AM

Posted 18 February 2010 - 06:48 PM

Hi M0le,

Sorry for the delay. Here are the scan results you asked for.


Malwarebytes' Anti-Malware 1.44
Database version: 3753
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

2/17/2010 8:14:54 PM
mbam-log-2010-02-17 (20-14-22).txt

Scan type: Full Scan (C:\|)
Objects scanned: 153319
Time elapsed: 9 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{8A26A0EE-78E7-4487-81B2-4A0A76A3D768}\RP22\A0019956.exe (PUP.KeyLogger) -> No action taken.


From ESET:

C:\Documents and Settings\Zed\Desktop\M0le\Programs\sys17754.exe probably a variant of Win32/Genetik trojan deleted - quarantined

(sys17754.exe is just SystemScan renamed - I'm guessing a false positive. It is in a folder on my desktop called M0le.)

The type of malware that I suspect is infecting my machine is something along the lines of FU Rootkit or hxdef which hooks every process (except Services in the case of Hacker Defender) and specializes in hiding the few renamed files that it needs to keep running, as well as hiding running processes and registry entries. And once the kernel is hooked anything I might do - even a simple dir or netstat command - is no longer trustworthy. The anti-malware scanners use the same hooking techniques that are used by the rootkits, so if the rootkit gets there first, the scanners won't see it.

I do appreciate your time and help. I doubt if there is a way to "detect" what this is. All I really need to do is format/reload a clean copy of Windows.

When I do a new install, I generally start (offline) by disabling all services that aren't necessary for either audio work or simple web browsing/email. So then, running with the barest minimum - maybe 6 or 7 services - I'll get online to update, and find that automatic updates (both AU and BITS services running) cannot download the initial programs. I have also tried leaving services alone and connecting with all default services enabled - same result. If I look at processes at this point using Process Explorer, every process begins with the handle:

Keyed Event: \KernelObjects\CritSecOutOfMemoryEvent

followed by clear evidence that many of the services that I just disabled are nevertheless running, specifically the remote control oriented ones. But the only evidence is in the Handles (lower pane) area of Process Explorer. Eventually Windows is disabled to the point that I am unable to use the network, or access the registry or some specific folders like Program Files or My Documents (or some such thing - different each time) and must try once again with another installation. I have done this more than a dozen times since early December. I can't really afford to just throw money at the problem; replacing the motherboard or network router/firewall MAY fix the problem but it's still guesswork. Whatever it is, it simply won't go away and I'm unable to use my computer. And I must admit, it's beginning to get on my nerves just a bit.

Zed

#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:03:41 PM

Posted 21 February 2010 - 11:57 AM

I have discussed this with a colleague who agrees with me that there is nothing malicious on the PC which leaves this thread dangling a bit. Sorry for the wait but I needed to check.

The last logs showed system restore to have malware showing so there was something here at one time. You have already ID'd the renamed SystemScan.

So, there is nothing dangerous left on the PC.

I would suggest you try a non-malware forum at Bleeping Computer to continue to try and fix the problems you are experiencing. Make sure you link to this topic so they are able to see what we have already done to make sure the PC is malware-free.

Good luck,

m0le


m0le is a proud member of UNITE

#13 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:03:41 PM

Posted 25 February 2010 - 07:40 PM

Since this issue appears to be resolved ... this topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE
