
TR/Rootkit.Gen Trojan & TR/Dldr.Murlo.dzg


6 replies to this topic

#1 jwh Bob


Posted 17 February 2010 - 08:17 PM

Hi there!

If I get the logs right, the trouble on this XP started on the afternoon of 15 FEB. It was protected by an up-to-date Avira AntiVir, but I guess with an outdated engine.

Avira put some trojans into quarantine, but there are still problems on the PC.

I made an unfruitful TrendMicro HouseCall scan and then installed the new version of AntiVir free, which managed to catch some but was unable to do anything with C:\WINDOWS\system32\drivers\kwvwlh.sys (TR/Rootkit.Gen Trojan) and also with C:\Programme\HP\Digital Imaging\bin\hpqEmlsz.exe, detected as TR/Dldr.Murlo.dzg Trojan.

After this Malwarebytes found c:\WINDOWS\system32\drivers\kwvwlh.sys (Rootkit.Agent) -> Delete on reboot,
but the delete on reboot didn't work - twice.

So now I'm stuck...

I did the DeFogger, DDS and GMER - details hereafter and attached. Unfortunately I see now that this computer speaks only German - if you want me to, I can try to translate, but I think you understand the problems shown...

Btw, I might only be back online Sunday evening to see your reply.

I do appreciate all your help.

Bob


DDS (Ver_09-12-01.01) - NTFSx86
Run by Monique at 1:04:55,82 on 18.02.2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.2.1252.49.1031.18.446.195 [GMT 1:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Avira\AntiVir Desktop\sched.exe
C:\Programme\Avira\AntiVir Desktop\avguard.exe
svchost.exe
C:\Programme\Java\jre6\bin\jusched.exe
C:\Programme\QuickTime\qttask.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\HP\HP Software Update\HPWuSchd2.exe
C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
C:\Programme\ATI Technologies\ATI.ACE\CLI.EXE
C:\Programme\Avira\AntiVir Desktop\avgnt.exe
C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\HP\Digital Imaging\bin\hpqtra08.exe
C:\Programme\Logitech\SetPoint\SetPoint.exe
C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMIndexStoreSvr.exe
C:\Programme\OpenOffice.org 2.1\program\soffice.exe
C:\Programme\OpenOffice.org 2.1\program\soffice.BIN
C:\Programme\Gemeinsame Dateien\Logitech\khalshared\KHALMNPR.EXE
C:\Programme\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Programme\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Programme\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Programme\ATI Technologies\ATI.ACE\cli.exe
C:\Programme\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Dokumente und Einstellungen\Monique\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uURLSearchHooks: H - No File
BHO: Adobe PDF Reader: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\programme\gemeinsame dateien\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\programme\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\programme\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\programme\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\programme\gemeinsame dateien\ahead\lib\NMBgMonitor.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\programme\messenger\msmsgs.exe" /background
uRun: [Skype] "c:\programme\skype\phone\Skype.exe" /nosplash /minimized
mRun: [ATICCC] "c:\programme\ati technologies\ati.ace\CLIStart.exe"
mRun: [SunJavaUpdateSched] "c:\programme\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\programme\quicktime\qttask.exe" -atboottime
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [SetIcon] \Program Files\SMSC\SetIcon.exe
mRun: [NWEReboot]
mRun: [HP Software Update] c:\programme\hp\hp software update\HPWuSchd2.exe
mRun: [NeroFilterCheck] c:\programme\gemeinsame dateien\ahead\lib\NeroCheck.exe
mRun: [RemoteControl] c:\programme\cyberlink\powerdvd\PDVDServ.exe
mRun: [Logitech Hardware Abstraction Layer] "c:\programme\gemeinsame dateien\logitech\khalshared\KHALMNPR.EXE"
mRun: [<NO NAME>]
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Adobe Reader Speed Launcher] "c:\programme\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [avgnt] "c:\programme\avira\antivir desktop\avgnt.exe" /min
StartupFolder: c:\dokume~1\monique\startm~1\progra~1\autost~1\openof~1.lnk - c:\programme\openoffice.org 2.1\program\quickstart.exe
StartupFolder: c:\dokume~1\alluse~1\startm~1\progra~1\autost~1\hpdigi~1.lnk - c:\programme\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\dokume~1\alluse~1\startm~1\progra~1\autost~1\logite~1.lnk - c:\programme\logitech\setpoint\SetPoint.exe
IE: {B863453A-26C3-4e1f-A54D-A2CD196348E9} - c:\programme\icqlite\ICQLite.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\programme\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\programme\skype\toolbars\internet explorer\SkypeIEPlugin.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\gemein~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\programme\avira\antivir desktop\avgio.sys [2010-2-17 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\programme\avira\antivir desktop\sched.exe [2010-2-17 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\programme\avira\antivir desktop\avguard.exe [2010-2-17 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-2-17 56816]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2006-12-22 3712]
S3 BS_DEF;BS_DEF;c:\windows\bs_def.sys [2010-2-15 13312]

=============== Created Last 30 ================

2010-02-18 00:03:15 0 ----a-w- c:\dokumente und einstellungen\monique\defogger_reenable
2010-02-17 22:15:31 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-02-17 22:15:15 0 d-----w- c:\programme\Panda Security
2010-02-17 21:41:06 0 d-----w- c:\dokume~1\monique\anwend~1\Malwarebytes
2010-02-17 21:40:59 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-17 21:40:55 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-17 21:40:55 0 d-----w- c:\programme\Malwarebytes' Anti-Malware
2010-02-17 21:40:55 0 d-----w- c:\dokume~1\alluse~1\anwend~1\Malwarebytes
2010-02-17 00:27:21 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-02-17 00:27:15 0 d-----w- c:\programme\Avira
2010-02-17 00:27:15 0 d-----w- c:\dokume~1\alluse~1\anwend~1\Avira
2010-02-15 15:38:10 792064 ----a-w- c:\windows\system32\drivers\kwvwlh.sys
2010-02-15 15:31:13 13312 ----a-w- c:\windows\bs_def.sys
2010-02-15 15:26:25 142464 -c--a-w- c:\windows\system32\dllcache\aec.sys
2010-02-15 15:26:25 142464 ----a-w- c:\windows\system32\drivers\aec.sys
2010-02-15 15:19:20 8192 -c--a-w- c:\windows\system32\dllcache\i2omgmt.sys
2010-02-15 15:19:20 8192 ----a-w- c:\windows\system32\drivers\i2omgmt.sys
2010-02-15 15:19:11 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-02-15 15:19:11 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-02-15 15:19:04 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2010-02-15 15:19:04 8192 ----a-w- c:\windows\system32\drivers\Changer.sys
2010-02-15 15:16:13 12 ----a-w- c:\dokume~1\monique\anwend~1\sgcpom.dat

==================== Find3M ====================

2009-12-31 16:14:12 352640 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-22 11:43:35 80108 ----a-w- c:\windows\system32\perfc007.dat
2009-12-22 11:43:35 448800 ----a-w- c:\windows\system32\perfh007.dat
2009-12-21 19:05:02 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-17 07:57:56 346624 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:35:34 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-09 10:23:48 2182656 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-09 10:23:48 2060032 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-11-27 17:33:39 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 17:33:39 1296896 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 16:37:27 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:37:27 85504 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:37:27 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:37:27 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:37:27 11264 ----a-w- c:\windows\system32\msrle32.dll

============= FINISH: 1:05:32,10 ===============


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-18 02:13:33
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOKUME~1\Monique\LOKALE~1\Temp\ufloqpog.sys


---- System - GMER 1.0.15 ----

SSDT F7D4B13E ZwCreateKey
SSDT F7D4B134 ZwCreateThread
SSDT F7D4B143 ZwDeleteKey
SSDT F7D4B14D ZwDeleteValueKey
SSDT F7D4B152 ZwLoadKey
SSDT F7D4B120 ZwOpenProcess
SSDT F7D4B125 ZwOpenThread
SSDT F7D4B15C ZwReplaceKey
SSDT F7D4B157 ZwRestoreKey
SSDT F7D4B148 ZwSetValueKey
SSDT F7D4B12F ZwTerminateProcess

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8439E590

---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) [BOOT] kwvwlh <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\kwvwlh@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\kwvwlh@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\kwvwlh@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\kwvwlh@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet002\Services\kwvwlh@Type 1
Reg HKLM\SYSTEM\ControlSet002\Services\kwvwlh@Start 0
Reg HKLM\SYSTEM\ControlSet002\Services\kwvwlh@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\kwvwlh@Group Boot Bus Extender

---- EOF - GMER 1.0.15 ----

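The GMER log above is the key evidence in this thread: a service that the normal service APIs do not list (GMER marks it "hidden"), registered with Start 0 in the "Boot Bus Extender" group, which means the boot loader loads the driver before any anti-malware product runs and explains why a "delete on reboot" never succeeded. The following is an added example, not code from the thread or from GMER, that parses such a log and cross-references each hidden service with its registry Start/Type/Group values. The sample log is a constructed excerpt modelled on the one posted above; the Start and Type value names are the standard Windows service constants.

```python
import re
from typing import Dict, List

# Constructed sample: an excerpt modelled on the GMER 1.0.15 log posted above
# (the service name and registry values are the ones from the post).
SAMPLE_GMER_LOG = r"""
---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) [BOOT] kwvwlh <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\kwvwlh@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\kwvwlh@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\kwvwlh@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\kwvwlh@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet002\Services\kwvwlh@Type 1
Reg HKLM\SYSTEM\ControlSet002\Services\kwvwlh@Start 0

---- EOF - GMER 1.0.15 ----
"""

# Matches: Service (*** hidden *** ) [BOOT] kwvwlh <-- ROOTKIT !!!
HIDDEN_RE = re.compile(r"^Service \(\*\*\* hidden \*\*\* \) \[(\w+)\] (\S+)")
# Matches: Reg HKLM\SYSTEM\<ControlSet>\Services\<name>@<Value> <data>
REG_RE = re.compile(r"^Reg HKLM\\SYSTEM\\(\w+)\\Services\\([^@\\]+)@(\w+)\s*(.*)$")

# Standard Windows service Start values. 0 means the boot loader loads the
# driver before any anti-malware product, so a "delete on reboot" loses the race.
START_NAMES = {"0": "BOOT_START", "1": "SYSTEM_START", "2": "AUTO_START",
               "3": "DEMAND_START", "4": "DISABLED"}
TYPE_NAMES = {"1": "KERNEL_DRIVER", "2": "FILE_SYSTEM_DRIVER",
              "16": "WIN32_OWN_PROCESS", "32": "WIN32_SHARE_PROCESS"}


def parse_hidden_services(text: str) -> Dict[str, str]:
    """Map hidden service name -> GMER's bracketed tag (e.g. BOOT)."""
    found: Dict[str, str] = {}
    for line in text.splitlines():
        m = HIDDEN_RE.match(line.strip())
        if m:
            found[m.group(2)] = m.group(1)
    return found


def parse_service_registry(text: str) -> Dict[str, Dict[str, Dict[str, str]]]:
    """Map service name -> control set -> {value name: data}."""
    services: Dict[str, Dict[str, Dict[str, str]]] = {}
    for line in text.splitlines():
        m = REG_RE.match(line.strip())
        if m:
            cset, name, value, data = m.groups()
            services.setdefault(name, {}).setdefault(cset, {})[value] = data
    return services


def triage(text: str) -> List[dict]:
    """Cross-reference each hidden service with its registry Start/Type/Group."""
    hidden = parse_hidden_services(text)
    registry = parse_service_registry(text)
    findings = []
    for name, tag in hidden.items():
        csets = registry.get(name, {})
        current = csets.get("CurrentControlSet", {})
        start = START_NAMES.get(current.get("Start", ""), "UNKNOWN")
        findings.append({
            "name": name,
            "gmer_tag": tag,
            "start": start,
            "type": TYPE_NAMES.get(current.get("Type", ""), "UNKNOWN"),
            "group": current.get("Group", ""),
            # A copy in ControlSet002 means a "Last Known Good" boot loads it too,
            # so the service key must be removed from every control set.
            "control_sets": sorted(csets),
            "persists_across_reboot": start == "BOOT_START",
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_GMER_LOG):
        print(finding)
```

Run against the thread's log, the one finding is kwvwlh: a hidden boot-start kernel driver present in both CurrentControlSet and ControlSet002, which is why the helper's script below disables and deletes the driver service itself rather than just the file.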

 


#2 fenzodahl512


Posted 19 February 2010 - 11:58 AM

Please download The Avenger by Swandog46 and unzip it to your Desktop


Please open The Avenger. Then, please copy/paste the script inside the codebox into the "Input script here:" box.

CODE
Begin copying here:
Drivers to disable:
kwvwlh

Drivers to delete:
kwvwlh

Files to delete:
c:\windows\system32\drivers\kwvwlh.sys


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
  • Now, click on Execute. Just say Yes at every prompt.

The Avenger will automatically do the following:
  • It will restart your computer. (In cases where the script to execute contains "Drivers to delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt.
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
Please copy/paste the content of c:\avenger.txt into your reply.


Then run GMER again and post the log here.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 jwh Bob


Posted 21 February 2010 - 12:11 PM

Hi Wan!

Thank you for taking care of my problem. Please find hereafter the avenger.txt as well as the new ark.txt.

I did GMER again with certain functions disabled, as shown on http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/



Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver "kwvwlh" disabled successfully.
Driver "kwvwlh" deleted successfully.
File "c:\windows\system32\drivers\kwvwlh.sys" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-21 17:02:54
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOKUME~1\Monique\LOKALE~1\Temp\ufloqpog.sys


---- System - GMER 1.0.15 ----

SSDT F7C9CFC6 ZwCreateKey
SSDT F7C9CFBC ZwCreateThread
SSDT F7C9CFCB ZwDeleteKey
SSDT F7C9CFD5 ZwDeleteValueKey
SSDT F7C9CFDA ZwLoadKey
SSDT F7C9CFA8 ZwOpenProcess
SSDT F7C9CFAD ZwOpenThread
SSDT F7C9CFE4 ZwReplaceKey
SSDT F7C9CFDF ZwRestoreKey
SSDT F7C9CFD0 ZwSetValueKey
SSDT F7C9CFB7 ZwTerminateProcess

---- EOF - GMER 1.0.15 ----
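Reply #2 gives the Avenger script (three sections: drivers to disable, drivers to delete, files to delete) and reply #3 posts the resulting avenger.txt together with a second GMER scan. What a responder wants to check at this point is that every scripted action has a matching "successfully" line in the log and that the follow-up GMER scan lists no hidden service. The following is an added example, not code from the thread or from The Avenger: it parses the script into actions, matches them against the log, and counts remaining hidden-service lines. The script and log text are constructed samples copied from the two replies; the result-line format (`Driver "name" deleted successfully.`) is taken from the posted log, and treating any other outcome word as unconfirmed is an assumption of this example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the script from reply #2, sections and entries as posted.
AVENGER_SCRIPT = r"""
Drivers to disable:
kwvwlh

Drivers to delete:
kwvwlh

Files to delete:
c:\windows\system32\drivers\kwvwlh.sys
"""

# Constructed sample: result lines modelled on the avenger.txt posted in reply #3.
AVENGER_LOG = r"""
Rootkit scan active.
No rootkits found!

Driver "kwvwlh" disabled successfully.
Driver "kwvwlh" deleted successfully.
File "c:\windows\system32\drivers\kwvwlh.sys" deleted successfully.

Completed script processing.
"""

# Script section header -> (kind, verb) as the log reports that action.
SECTIONS = {
    "Drivers to disable:": ("Driver", "disabled"),
    "Drivers to delete:": ("Driver", "deleted"),
    "Files to delete:": ("File", "deleted"),
}

# Matches: Driver "kwvwlh" deleted successfully.
RESULT_RE = re.compile(r'^(Driver|File) "(.+)" (disabled|deleted) (\w+)')


def parse_script(script: str) -> List[Tuple[str, str, str]]:
    """Return (kind, verb, target) for every action the script requests."""
    actions: List[Tuple[str, str, str]] = []
    current = None
    for raw in script.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            current = SECTIONS[line]
        elif current is not None:
            actions.append((current[0], current[1], line))
    return actions


def parse_log(log: str) -> Dict[Tuple[str, str, str], str]:
    """Map (kind, verb, lower-cased target) -> outcome word from the Avenger log."""
    results: Dict[Tuple[str, str, str], str] = {}
    for line in log.splitlines():
        m = RESULT_RE.match(line.strip())
        if m:
            kind, target, verb, outcome = m.groups()
            results[(kind, verb, target.lower())] = outcome
    return results


def verify(script: str, log: str) -> Dict[str, List[str]]:
    """Report which scripted actions the log confirms and which it does not."""
    results = parse_log(log)
    report: Dict[str, List[str]] = {"confirmed": [], "unconfirmed": []}
    for kind, verb, target in parse_script(script):
        label = f"{kind} {verb}: {target}"
        # Assumption: only the literal word "successfully" counts as done;
        # a missing line or any other outcome word needs a manual look.
        if results.get((kind, verb, target.lower())) == "successfully":
            report["confirmed"].append(label)
        else:
            report["unconfirmed"].append(label)
    return report


def hidden_services_remaining(gmer_log: str) -> int:
    """Count GMER hidden-service lines in the post-cleanup scan (0 is the goal)."""
    return sum(1 for line in gmer_log.splitlines() if "*** hidden ***" in line)


if __name__ == "__main__":
    print(verify(AVENGER_SCRIPT, AVENGER_LOG))
```

For the thread's own files all three actions are confirmed and the second GMER log, which contains only the SSDT lines, counts zero hidden services; a log that confirmed only the disable step would leave the two delete actions unconfirmed and tell the responder to look before declaring the machine clean.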


#4 fenzodahl512


Posted 22 February 2010 - 09:17 AM

Looks good.. Run Malwarebytes' and scan with your antivirus once again.. do you still get the "rootkit" warning?



#5 jwh Bob


Posted 22 February 2010 - 08:56 PM

Yeah, Wan, all works fine now!

Malwarebytes' Anti-Malware 1.44
Database version: 3776
Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

22.02.2010 20:16:25
mbam-log-2010-02-22 (20-16-25).txt

Scan type: Quick Scan
Objects scanned: 117215
Time elapsed: 18 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


I've done the missing Windows updates, installed Spybot and SpywareBlaster too, and applied StartupLite. I have set a new restore point and deleted the old ones. So I guess this computer works fine again, and I hope never to see it back here.

Thank you for your fast and efficient assistance.

Have a great day!

Bob


#6 fenzodahl512


Posted 23 February 2010 - 07:19 AM

Looks good to me.. Let's do some cleanup...


Please download OTC and save it to Desktop.
  • Make sure you have internet connection..
  • Double-click OTC
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes



Please read these excellent articles written by my friends:
Preventing Malware and Safe Computing by Rorschach112
What makes your machine slow? by Artellos


Also, please read these excellent articles by miekiemoes :
Help! My computer is slow!
How to prevent Malware


Read this great info about safe internet surfing..

http://www.pcpitstop.com/spycheck/safesurfing.asp
http://bluefive.pair.com/practice_safe_surfing.htm




Please reply to this thread once more and tell us about the computer's behaviour before we can close this thread.



Have a safe and happy computing day!


Regards
fenzodahl512



#7 jwh Bob


Posted 24 February 2010 - 05:17 AM


Did OTC too, all went OK.

Thank you for the documents - I'll pass them on and hope that at least some of the recommendations will be followed...

Besides this the PC now runs fine so I think you can close the topic.

Warmest thanks

Bob





