RootKey 4DW4R3 Need help to Get Rid of it


41 replies to this topic

#1 interomike

Posted 27 February 2010 - 08:38 PM

Hi there
Looks like I've managed to acquire a bad pesky rootkey
C:\WINDOWS\system32\drivers\4DW4R3wISKnqGWQj.sys (*** hidden *** )

I was also able to find a trojan called sdra64.exe that was hiding in my registry at
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
C:\Windows\System32\Userinit.exe,C:\Windows\System32\sdra64.exe

I can't run mbam because it crashes to kernel32.dll and can't boot to safe mode.

Here is my dss log file

Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.950.886.1033.18.1527.803 [GMT -8:00]

AV: Trend Micro Internet Security Pro *On-access scanning enabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ASUS\ASUS Live Update\ALU.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Wireless Console 2\wcourier.exe
C:\Program Files\ASUS\Splendid\ACMON.exe
C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\ASScrPro.exe
C:\WINDOWS\system32\ACEngSvr.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
svchost.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\acovcnt.exe
C:\WINDOWS\system32\DrvMon.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\WINDOWS\System32\svchost.exe -k Akamai
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\ProToolbarUpdate.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\N5NRNVQK\dds[1].scr
C:\WINDOWS\system32\conime.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com.tw/
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: TSToolbarBHO: {43c6d902-a1c5-45c9-91f6-fd9e90337e18} - c:\program files\trend micro\trendsecure\tisprotoolbar\TSToolbar.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Trend Micro Toolbar: {ccac5586-44d7-4c43-b64a-f042461a97d2} - c:\program files\trend micro\trendsecure\tisprotoolbar\TSToolbar.dll
TB: Yahoo!奇摩捷徑列: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [OE] c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [DrvMon.exe] c:\windows\system32\DrvMon.exe
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messenger\YahooMessenger.exe" -quiet
mRun: [HControl] c:\windows\atk0100\HControl.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [ASUS Live Update] c:\program files\asus\asus live update\ALU.exe
mRun: [SMSERIAL] sm56hlpr.exe
mRun: [Wireless Console 2] c:\program files\wireless console 2\wcourier.exe
mRun: [ACMON] c:\program files\asus\splendid\ACMON.exe
mRun: [ABLKSR] c:\windows\ablksr\ABLKSR.exe
mRun: [RemoteControl] "c:\program files\asustek\asusdvd\PDVDServ.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [Power_Gear] c:\program files\asus\power4 gear\BatteryLife.exe 1
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ASUS Screen Saver Protector] c:\windows\ASScrPro.exe
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [HitmanPro35] "c:\program files\hitman pro 3.5\HitmanPro35[1].exe" /scan:boot
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [OE] c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng1.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
uPolicies-explorer: NoViewOnDrive = 0 (0x0)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
Handler: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - c:\program files\trend micro\trendsecure\tisprotoolbar\TSToolbar.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-11-23 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-11-23 66632]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2006-9-18 14336]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 Security Activity Dashboard Service;Security Activity Dashboard Service;c:\program files\trend micro\trendsecure\securityactivitydashboard\tmarsvc.exe [2009-12-30 181584]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-12-30 50192]
R2 TmPfw;Trend Micro Personal Firewall;c:\program files\trend micro\internet security\TmPfw.exe [2009-12-30 497008]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2009-3-11 36368]
R2 TmProxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2009-12-30 677128]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-11-23 12872]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2009-3-11 335376]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [2010-2-25 15944]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-12-30 38224]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]

=============== Created Last 30 ================

2010-02-27 13:21:21 0 d-----w- c:\docume~1\alluse~1\applic~1\fssg
2010-02-27 12:36:11 0 d-----w- c:\docume~1\alluse~1\applic~1\f-secure
2010-02-26 07:34:35 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-02-26 07:34:34 0 d-----w- c:\program files\Hitman Pro 3.5
2010-02-21 11:35:43 69120 ------w- c:\windows\system32\dllcache\iecompat.dll
2010-02-21 11:35:33 594432 ------w- c:\windows\system32\dllcache\msfeeds.dll
2010-02-21 11:35:33 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-02-21 11:35:32 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2010-02-21 11:35:32 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2010-02-21 11:35:31 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2010-02-21 11:35:27 11070464 ------w- c:\windows\system32\dllcache\ieframe.dll
2010-02-15 01:59:24 726528 ----a-w- c:\windows\system32\dllcache\jscript.dll
2010-02-12 03:59:14 0 d-----w- c:\program files\common files\Akamai
2010-02-09 03:40:47 0 d-----w- c:\docume~1\user\applic~1\AnvSoft
2010-02-09 03:40:41 0 d-----w- c:\program files\AnvSoft
2010-02-02 11:00:50 83376 ----a-w- c:\temp\npijjiautoinstallpluginff.dll
2010-02-02 11:00:35 0 d-----w- c:\program files\ijji
2010-02-01 06:20:23 0 d-----w- c:\program files\Yahoo!
2010-01-31 02:24:33 12160 ----a-w- c:\windows\system32\dllcache\mouhid.sys
2010-01-29 04:35:50 0 d-----w- c:\program files\common files\INCA Shared
2010-01-29 03:56:09 0 d-----w- c:\docume~1\alluse~1\applic~1\AVS4YOU
2010-01-29 03:56:00 0 d-----w- c:\docume~1\user\applic~1\AVS4YOU
2010-01-29 03:54:45 0 d-----w- c:\program files\common files\AVSMedia
2010-01-29 03:54:06 0 d-----w- c:\program files\AVS4YOU

==================== Find3M ====================

2010-02-28 00:01:20 45056 ----a-w- c:\windows\system32\acovcnt.exe
2010-02-27 23:23:58 90112 ----a-w- c:\windows\DUMP4b03.tmp
2010-02-27 22:41:44 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-02-27 11:53:52 28160 ----a-w- c:\windows\system32\4DW4R3dTeXcxTERC.dll
2010-02-27 10:04:26 90112 ----a-w- c:\windows\DUMP4cd7.tmp
2010-02-26 19:51:42 46592 ----a-w- c:\windows\system32\drivers\4DW4R3ELgcxlEFoB.sys
2010-02-21 11:24:40 77824 ----a-w- c:\windows\system32\kdfapi.dll
2010-02-21 11:24:40 53248 ----a-w- c:\windows\system32\Kdfhok.dll
2010-02-21 11:24:40 387288 ----a-w- c:\windows\system32\kdfmgr.exe
2010-02-21 11:24:40 192512 ----a-w- c:\windows\system32\kdfvmgr.exe
2010-01-29 00:56:04 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-02 07:50:52 475872 ----a-w- c:\windows\system32\kdfinj.dll
2009-12-31 16:50:04 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-31 16:50:04 353792 ------w- c:\windows\system32\dllcache\srv.sys
2009-12-22 05:21:02 1509888 ------w- c:\windows\system32\dllcache\shdocvw.dll
2009-12-21 19:14:06 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-21 19:14:06 916480 ------w- c:\windows\system32\dllcache\wininet.dll
2009-12-21 19:14:06 1208832 ------w- c:\windows\system32\dllcache\urlmon.dll
2009-12-21 19:14:04 5942784 ------w- c:\windows\system32\dllcache\mshtml.dll
2009-12-21 19:14:04 25600 ------w- c:\windows\system32\dllcache\jsproxy.dll
2009-12-21 19:14:04 206848 ------w- c:\windows\system32\dllcache\occache.dll
2009-12-21 19:14:04 184320 ------w- c:\windows\system32\dllcache\iepeers.dll
2009-12-21 19:14:02 387584 ------w- c:\windows\system32\dllcache\iedkcs32.dll
2009-12-21 13:19:18 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-12-16 18:43:28 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-16 18:43:28 343040 ------w- c:\windows\system32\dllcache\mspaint.exe
2009-12-14 07:08:24 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-14 07:08:24 33280 ------w- c:\windows\system32\dllcache\csrsrv.dll
2009-12-08 19:27:52 2189184 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-12-08 19:26:16 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 19:26:16 2145280 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-12-08 18:43:52 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-08 18:43:52 2023936 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-12-08 18:43:50 2066048 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-12-08 09:23:28 474112 ------w- c:\windows\system32\dllcache\shlwapi.dll
2009-12-04 18:22:22 455424 ------w- c:\windows\system32\dllcache\mrxsmb.sys

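Two things in the opening post are worth checking mechanically in any DDS log: the Winlogon Userinit value (Windows runs every comma-separated entry at logon, so a second executable appended after userinit.exe, as with sdra64.exe here, is a persistence point) and file names that follow the 4DW4R3 plus random-string pattern quoted above. The following is an added example of such a triage script, written for this page and not part of the original thread or of DDS; it assumes a default Windows XP install path for userinit.exe, and the 4DW4R3 pattern is taken only from the names quoted in this thread, not from any general rootkit signature. The sample log is constructed from lines in this thread, with the Userinit value the poster reported in place of the clean one DDS printed.

```python
import re

# Assumption: default Windows XP install, so this is the only legitimate Userinit entry.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

# Naming pattern taken from the file names quoted in this thread (4DW4R3 plus a random
# string); it is specific to this infection, not a general rootkit signature.
RANDOM_NAME = re.compile(r"4DW4R3[A-Za-z0-9]+\.(?:sys|dll|dat)", re.IGNORECASE)

# DDS prints the Userinit value as 'mWinlogon: Userinit=<value>' in its Pseudo HJT report.
USERINIT_LINE = re.compile(r"^\s*[um]Winlogon:\s*Userinit=(.*)$")


def audit_userinit(value):
    """Return every entry in a Winlogon Userinit value other than the expected userinit.exe.

    Winlogon runs each comma-separated entry at logon, which is why appending a second
    executable to this value is a common persistence trick. A trailing comma is normal,
    so empty entries are skipped."""
    suspicious = []
    for entry in value.split(","):
        entry = entry.strip()
        if entry and entry.lower() != EXPECTED_USERINIT:
            suspicious.append(entry)
    return suspicious


def triage_dds(text):
    """Scan DDS log text and return (finding_type, detail) tuples in log order."""
    findings = []
    for line in text.splitlines():
        m = USERINIT_LINE.match(line)
        if m:
            for entry in audit_userinit(m.group(1)):
                findings.append(("userinit_extra_entry", entry))
        for name in RANDOM_NAME.findall(line):
            findings.append(("random_named_file", name))
    return findings


# Constructed sample: log lines from this thread, with the Userinit value the poster
# reported substituted for the clean one DDS printed.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.yahoo.com.tw/
mWinlogon: Userinit=C:\Windows\System32\Userinit.exe,C:\Windows\System32\sdra64.exe
==================== Find3M ====================
2010-02-28 00:01:20 45056 ----a-w- c:\windows\system32\acovcnt.exe
2010-02-27 11:53:52 28160 ----a-w- c:\windows\system32\4DW4R3dTeXcxTERC.dll
2010-02-26 19:51:42 46592 ----a-w- c:\windows\system32\drivers\4DW4R3ELgcxlEFoB.sys
"""

if __name__ == "__main__":
    for kind, detail in triage_dds(SAMPLE_DDS):
        print(f"{kind}: {detail}")
```

Run against the constructed sample this reports the extra sdra64.exe Userinit entry and the two 4DW4R3-named files; acovcnt.exe is not flagged because nothing in its name matches, which is exactly why a name-based check is only a first pass and the helper's file-collection step above still matters.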

#2 Blade (Site Admin)

Posted 03 March 2010 - 08:51 PM

Hello, and welcome to the Malware Removal forum! My online alias is Blade Zephon, or Blade for short, and I will be assisting you with your malware issues!

If you have since resolved the original problem you were having, we would appreciate you letting us know.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Before we begin cleaning your machine, I'd like to lay out some guidelines for us to follow while we are working together.
  • I will be assisting you with your malware issues. This may or may not resolve other problems you are having with your computer. If you are still having problems after your machine has been determined clean, I will be glad to direct you to the proper forum for assistance.
  • Even if things appear better, that does not mean we are finished. Please continue to follow my instructions until I give you the all clean. Absence of symptoms does not mean that all the malware has been removed. If a piece of the infection is left, it can regenerate and reinfect your machine.
  • Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • I ask that you please refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. If you act independently it will cause changes to your system that I will not be aware of, which will make the process of cleaning the machine a much slower and more difficult process. Additionally, some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you are unsure or confused about any instructions I give you, you should ask me to clarify before doing anything. Additionally, if you run into any problems while carrying out instructions, you should STOP and reply back here explaining what happened.
  • After 5 days if a topic is not replied to we assume it has been abandoned and it is closed. If you need additional time, that is perfectly alright; you just need to let us know beforehand.
***************************************************

Please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

***************************************************

Please download gmer.zip and save to your desktop.
  • Extract (unzip) the file to its own folder such as C:\Gmer. (Click here for information on how to do this if not sure.)
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • You may be prompted to scan immediately if GMER detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as gmer.log and copy/paste the contents in your next reply.
  • Exit GMER and re-enable all active protection when done.
~Blade

In your next reply, please include the following:
DDS.txt
Attach.txt
GMER.log


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#3 interomike (Topic Starter)

Posted 04 March 2010 - 03:01 AM

Hi Blade thanks for your help,

I have attached the three files as requested.

Attached Files



#4 Blade (Site Admin)

Posted 08 March 2010 - 01:17 PM

Hello interomike

My apologies for the delay in reply; I have had some issues that had to be addressed.

Download Combofix from any of the links below but rename it to renamed.exe before saving it to your desktop.


Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • VERY IMPORTANT: Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix. Click on this link to see a list of programs that should be disabled. NOTE: This list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask.
  • Double click on renamed.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


~Blade


In your next reply, please include the following:
ComboFix log



#5 interomike (Topic Starter)

Posted 09 March 2010 - 12:51 AM

Hi there
Thanks again for your help in pointing me down the right path.
I have attached the log.txt file from Combo fix as instructed.


Thank you.

Attached Files

  • Attached File  log.txt   21.18KB   9 downloads


#6 Blade (Site Admin)

Posted 11 March 2010 - 04:51 AM

1. Open notepad and copy/paste the text in the codebox below into it:

CODE
http://www.bleepingcomputer.com/forums/t/299065/rootkey-4dw4r3-need-help-to-get-rid-of-it/

Collect::
c:\windows\system32\4DW4R3KCpeFrpXqo.dll
c:\windows\system32\4DW4R3jrIBnScfxH.dll
c:\windows\system32\4DW4R3dyeEXCfeNj.dll
c:\windows\system32\4DW4R3bMrVeYfpxS.dll
c:\windows\system32\drivers\4DW4R3xXexvYwVei.sys
c:\windows\system32\acovcnt.exe
c:\windows\system32\4DW4R3c.dll
c:\windows\system32\drivers\4DW4R3NCjucXOkMr.sys
c:\windows\system32\4DW4R3RupSnPupWB.dll
c:\windows\system32\4DW4R3pQYItqWfTt.dll
c:\windows\system32\4DW4R3mewbsnvpWB.dll
c:\windows\system32\4DW4R3eFHpiMtsEq.dll
c:\windows\system32\4DW4R3cCQBcINVOt.dll
c:\windows\system32\drivers\4DW4R3wSIqeClbun.sys
c:\windows\system32\4DW4R3uyVSuxctQr.dll
c:\windows\system32\drivers\4DW4R3VvHrCTpoUe.sys
c:\windows\system32\drivers\4DW4R3vtvXinDejv.sys
c:\windows\system32\4DW4R3sv.dat

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=-

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=-

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=-


Driver::
A08BAD5A
B87C3AAD


Save this as CFScript.txt, in the same location as ComboFix.exe

2. Close any open browsers.

3. VERY IMPORTANT: Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix. Click on this link to see a list of programs that should be disabled. NOTE: This list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask.



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

~Blade


In your next reply, please include the following:
ComboFix Log
How is the computer running now?

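Added example, written for this page and not ComboFix's own code or anything from the thread: a parser for the CFScript format used in post #6. Sections start at a `Name::` line; the `Registry::` body uses .reg syntax, where a bracketed key line is followed by `"Name"=data` lines and data of `-` means delete the value. Reading the script that way shows what it asks for: collect the listed 4DW4R3 files for analysis, delete the `DisableMonitoring` values under Security Center's Monitoring keys (which, when set, tell Security Center not to monitor that product) and the `EnableFirewall` override, and act on the two driver IDs. The sample input is the script as posted above.

```python
import re

SECTION_HEADER = re.compile(r"^([A-Za-z]+)::$")
REG_KEY = re.compile(r"^\[(.+)\]$")
REG_VALUE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_cfscript(text):
    """Parse CFScript text into {'preamble': [...], '<Section>': [...]}.

    Everything before the first 'Name::' header (here the thread URL) is kept under
    'preamble'. Registry:: entries become dicts with key, name, action and data; the
    .reg convention '"Name"=-' is reported as a delete_value action. Other sections
    keep their lines as plain strings."""
    sections = {"preamble": []}
    current = "preamble"
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_HEADER.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
            key = None
            continue
        if current == "Registry":
            k = REG_KEY.match(line)
            if k:
                key = k.group(1)
                continue
            v = REG_VALUE.match(line)
            if v and key is not None:
                name, data = v.groups()
                sections[current].append({
                    "key": key,
                    "name": name,
                    "action": "delete_value" if data == "-" else "set_value",
                    "data": None if data == "-" else data,
                })
                continue
        sections[current].append(line)
    return sections


def summarize(sections):
    """Count what the script asks ComboFix to do, by section."""
    registry = sections.get("Registry", [])
    return {
        "files_to_collect": len(sections.get("Collect", [])),
        "registry_values_deleted": sum(1 for e in registry if e["action"] == "delete_value"),
        "drivers_referenced": len(sections.get("Driver", [])),
    }


# Sample input: the CFScript posted in this thread.
SAMPLE_CFSCRIPT = r"""
http://www.bleepingcomputer.com/forums/t/299065/rootkey-4dw4r3-need-help-to-get-rid-of-it/

Collect::
c:\windows\system32\4DW4R3KCpeFrpXqo.dll
c:\windows\system32\4DW4R3jrIBnScfxH.dll
c:\windows\system32\4DW4R3dyeEXCfeNj.dll
c:\windows\system32\4DW4R3bMrVeYfpxS.dll
c:\windows\system32\drivers\4DW4R3xXexvYwVei.sys
c:\windows\system32\acovcnt.exe
c:\windows\system32\4DW4R3c.dll
c:\windows\system32\drivers\4DW4R3NCjucXOkMr.sys
c:\windows\system32\4DW4R3RupSnPupWB.dll
c:\windows\system32\4DW4R3pQYItqWfTt.dll
c:\windows\system32\4DW4R3mewbsnvpWB.dll
c:\windows\system32\4DW4R3eFHpiMtsEq.dll
c:\windows\system32\4DW4R3cCQBcINVOt.dll
c:\windows\system32\drivers\4DW4R3wSIqeClbun.sys
c:\windows\system32\4DW4R3uyVSuxctQr.dll
c:\windows\system32\drivers\4DW4R3VvHrCTpoUe.sys
c:\windows\system32\drivers\4DW4R3vtvXinDejv.sys
c:\windows\system32\4DW4R3sv.dat

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=-

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=-

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=-

Driver::
A08BAD5A
B87C3AAD
"""

if __name__ == "__main__":
    print(summarize(parse_cfscript(SAMPLE_CFSCRIPT)))
```

Reviewing a script this way before dragging it onto ComboFix is a reasonable habit: it makes plain that the registry section only removes values (nothing is set) and that the 18 collected files are exactly the random-named 4DW4R3 set plus acovcnt.exe from the Find3M listing.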


#7 interomike (Topic Starter)

Posted 13 March 2010 - 04:06 AM

Hi there,
Ok attached is the log file from ComboFix
My system is still infected with a rootkey called Gen-4DWR3 and my browser occasionally gets redirected.

Attached Files



#8 myrti (Malware Study Hall Admin)

Posted 15 March 2010 - 06:47 PM

Hi,

Blade is currently on holidays and I will cover for him. Please post a fresh log from OTL:
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. In the custom scan box paste the following:
    CODE
    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    /md5stop
    %systemroot%\*. /mp /s
  6. Push the button.
  7. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened

regards myrti

Edited by myrti, 15 March 2010 - 06:58 PM.

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#9 interomike (Topic Starter)

Posted 16 March 2010 - 09:56 AM

myrti
Thanks for the follow up
When I try to run the scan/script my system reboots itself. Should we rename the script, as I did with combofix below?

Thanks
Michael

#10 myrti (Malware Study Hall Admin)

Posted 17 March 2010 - 05:08 AM

Hi,

do you see a blue screen flash when your PC reboots? Please download and run the following tool: http://noahdfear.net/downloads/maxlook.exe

It should open a log, please post it in your next reply.

regards myrti



#11 interomike (Topic Starter)

Posted 19 March 2010 - 03:24 AM

myrti,

I tried to run maxlook but that too triggers the system reboot. Yes it is the blue screen flash. Is there some way of tricking the rootkey and dlls into not detecting the scans? I will see if I can boot into safe mode, so far I have not been able to.

Thank you for your help.

#12 myrti (Malware Study Hall Admin)

Posted 20 March 2010 - 08:07 AM

Hi,

Please disable automatic restart:
  • Right-click My Computer, and then click Properties.
  • Click the Advanced tab.
  • Under Startup and Recovery, click Settings to open the Startup and Recovery dialog box.
  • Uncheck the Automatically restart check box, and click OK the necessary number of times.
  • Restart your computer for the settings to take effect.
Let me know which error message you get next time your PC crashes.

Maxlook.exe should create a log in C:\looklog.txt, could you please provide the content of that file if it's there.

regards myrti



#13 interomike (Topic Starter)

Posted 21 March 2010 - 05:07 AM

Hi there, I made the changes to startup so it does not reboot; however, when running the script the system goes to a bluescreen before the script can write a log file.


Michael

#14 myrti (Malware Study Hall Admin)

Posted 21 March 2010 - 06:02 AM

Hi,

what does the bluescreen say?


regards myrti



#15 interomike (Topic Starter)

Posted 22 March 2010 - 01:02 AM

Hi there
The blue screen displays the following message

"A problem has been detected and windows has been shut down to prevent damage to your computer.

***stop: 0x00000023(0x000E0100) 0xA7AB8A74, 0xA7AB8770, 0xBAA49A3E

Beginning dump of physical memory

That is the guts of the message



