Netbook - Network Redirects & Security Crashing


This topic is locked
7 replies to this topic

#1 Delsana

Posted 25 March 2010 - 11:34 AM

A friends computer has been having several problems and while I've made considerable progress with a full compilation security suite of freeware and other such things, it seems I've hit a wall in this struggle as while it no longer is always redirecting or preventing security downloads the computer still won't allow Ad-aware to come up, is much slower than it should be, and isn't revealing any other infections or virus's via 'Malwarebytes, Spybot, Spy Sweeper, SuperANTISpyware, or AVG'; however, if I go online at any point that issue changes as all of a sudden numerous new issues are there, despite the fact it thinks its clean for a time.

#2 boopme (Global Moderator)

Posted 25 March 2010 - 01:45 PM

Hello. We need to check for rootkits with RootRepeal:
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all seven boxes: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.


#3 Delsana (Topic Starter)

Posted 26 March 2010 - 10:53 AM

On my own I removed quite a bit more but instead of crashing now, Ad-aware simply scans and then suddenly ends with a clean slate and I know for a fact that the computer has more than 50,000 files to scan, especially on full-scan.

I haven't put it back online yet because I'm positive there's more.

Here are the results from the scan:

ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2010/03/25 23:19
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA4352000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7AC7000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF6407000 Size: 49152 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x865cc208

#: 041 Function Name: NtCreateKey
Status: Hooked by "PCTCore.sys" at address 0xf73bde64

#: 047 Function Name: NtCreateProcess
Status: Hooked by "PCTCore.sys" at address 0xf739deee

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "PCTCore.sys" at address 0xf739e0e0

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x865a1440

#: 063 Function Name: NtDeleteKey
Status: Hooked by "PCTCore.sys" at address 0xf73be652

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "PCTCore.sys" at address 0xf73be906

#: 119 Function Name: NtOpenKey
Status: Hooked by "PCTCore.sys" at address 0xf73bcb64

#: 180 Function Name: NtQueueApcThread
Status: Hooked by "<unknown>" at address 0x865cc280

#: 186 Function Name: NtReadVirtualMemory
Status: Hooked by "<unknown>" at address 0x865c0338

#: 192 Function Name: NtRenameKey
Status: Hooked by "PCTCore.sys" at address 0xf73bed72

#: 213 Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x865e7418

#: 226 Function Name: NtSetInformationKey
Status: Hooked by "<unknown>" at address 0x865a6c00

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x865e18a8

#: 229 Function Name: NtSetInformationThread
Status: Hooked by "<unknown>" at address 0x8659f1e8

#: 247 Function Name: NtSetValueKey
Status: Hooked by "PCTCore.sys" at address 0xf73be124

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x8658b020

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x865a2e90

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "PCTCore.sys" at address 0xf739db5c

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x865c45b8

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x865c03b0

Stealth Objects
-------------------
Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE]
Process: System Address: 0x85b71210 Size: 1010

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x85e38290 Size: 3440

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CLOSE]
Process: System Address: 0x85e4c318 Size: 1534

Object: Hidden Code [Driver: Tcpip, IRP_MJ_READ]
Process: System Address: 0x85e51440 Size: 1841

Object: Hidden Code [Driver: Tcpip, IRP_MJ_WRITE]
Process: System Address: 0x85e37828 Size: 2011

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x85a26ea0 Size: 353

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x861425d8 Size: 2600

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_EA]
Process: System Address: 0x85c1f350 Size: 915

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_EA]
Process: System Address: 0x85a11898 Size: 1898

Object: Hidden Code [Driver: Tcpip, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x85e49a08 Size: 473

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x85a32438 Size: 513

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x85e5c768 Size: 819

Object: Hidden Code [Driver: Tcpip, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x85a31ab0 Size: 429

Object: Hidden Code [Driver: Tcpip, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x85a25a38 Size: 843

Object: Hidden Code [Driver: Tcpip, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x85e5a360 Size: 3233

Object: Hidden Code [Driver: Tcpip, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x85e38438 Size: 3016

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SHUTDOWN]
Process: System Address: 0x85e53890 Size: 1761

Object: Hidden Code [Driver: Tcpip, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x85e37470 Size: 2963

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CLEANUP]
Process: System Address: 0x85e627e8 Size: 2072

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x85e4a188 Size: 3704

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x85e56808 Size: 2041

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_SECURITY]
Process: System Address: 0x85a31398 Size: 2245

Object: Hidden Code [Driver: Tcpip, IRP_MJ_POWER]
Process: System Address: 0x85a1bbc8 Size: 455

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x85a1bb50 Size: 575

Object: Hidden Code [Driver: Tcpip, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x85a1bad8 Size: 695

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x85a1ba60 Size: 815

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_QUOTA]
Process: System Address: 0x85a1b9e8 Size: 935

Object: Hidden Code [Driver: Tcpip, IRP_MJ_PNP]
Process: System Address: 0x85a1b970 Size: 1055

Shadow SSDT
-------------------
#: 307 Function Name: NtUserAttachThreadInput
Status: Hooked by "<unknown>" at address 0x858dd560

#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "<unknown>" at address 0x85981588

#: 414 Function Name: NtUserGetKeyboardState
Status: Hooked by "<unknown>" at address 0x85e6f020

#: 416 Function Name: NtUserGetKeyState
Status: Hooked by "<unknown>" at address 0x864ad0f8

#: 460 Function Name: NtUserMessageCall
Status: Hooked by "<unknown>" at address 0x861345a8

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "<unknown>" at address 0x858e4458

#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "<unknown>" at address 0x859daae8

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "<unknown>" at address 0x86459da8

#: 552 Function Name: NtUserSetWinEventHook
Status: Hooked by "<unknown>" at address 0x862b9fa8

==EOF==

----

Edit:

Spyware Doctor believes I have Malware.Pilleuz, some privacy center infection, a generic trojan, and some application tracking cookies and whatnot.

Edited by Delsana, 26 March 2010 - 11:11 AM.
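The RootRepeal report above is read by hand in this thread; what a helper actually looks for is which hooks are attributed to a named driver (here PCTCore.sys, consistent with the Spyware Doctor install the poster mentions), which have no owner at all, which Shadow SSDT entries touch keyboard state, and which driver dispatch tables have been patched (every Tcpip IRP_MJ_* entry in this log). The following parser and triage summary is an added example, not code from the thread or from the RootRepeal project; the sample report it runs on is constructed in RootRepeal's text layout from a subset of the entries posted above, and the list of keyboard-related functions is a heuristic of this example, not a RootRepeal classification.

```python
"""Triage of a RootRepeal text report: which kernel hooks have no owning driver,
which dispatch tables are patched, and which hooked functions read keyboard state.
Added example (not from the thread); SAMPLE_REPORT is constructed in RootRepeal's
report format from a subset of the entries in the posted log."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a trimmed report in the same layout as the thread's log.
SAMPLE_REPORT = """\
ROOTREPEAL AD, 2007-2009
==================================================
SSDT
-------------------
#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x865cc208

#: 041 Function Name: NtCreateKey
Status: Hooked by "PCTCore.sys" at address 0xf73bde64

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x865c03b0

Stealth Objects
-------------------
Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE]
Process: System Address: 0x85b71210 Size: 1010

Object: Hidden Code [Driver: Tcpip, IRP_MJ_WRITE]
Process: System Address: 0x85e37828 Size: 2011

Shadow SSDT
-------------------
#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "<unknown>" at address 0x85981588

==EOF==
"""


@dataclass
class Hook:
    table: str      # "SSDT" or "Shadow SSDT"
    index: int
    function: str
    owner: str      # module RootRepeal attributed the hook to, or "<unknown>"
    address: int


@dataclass
class StealthObject:
    driver: str     # driver whose dispatch entry was redirected
    irp: str        # IRP_MJ_* major function
    address: int
    size: int


SECTION_RE = re.compile(r'^(SSDT|Shadow SSDT|Stealth Objects|Drivers|Processes|Hidden/Locked Files)$')
HOOK_RE = re.compile(r'^#:\s*(\d+)\s+Function Name:\s*(\S+)')
STATUS_RE = re.compile(r'Hooked by "([^"]+)" at address (0x[0-9a-fA-F]+)')
OBJECT_RE = re.compile(r'^Object: Hidden Code \[Driver: ([^,\]]+),\s*(\w+)\]')
PROCESS_RE = re.compile(r'Address:\s*(0x[0-9a-fA-F]+)\s+Size:\s*(\d+)')

# Heuristic of this example: Shadow SSDT entries that return keyboard state, the
# functions a defender associates with keystroke interception.
KEYBOARD_FUNCS = {"NtUserGetAsyncKeyState", "NtUserGetKeyState", "NtUserGetKeyboardState"}


def parse_report(text):
    """Return (hooks, stealth_objects) from a RootRepeal report. Each record spans
    two lines, so the first line is held in `pending` until its partner arrives."""
    hooks, objects = [], []
    section, pending = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if SECTION_RE.match(line):
            section, pending = line, None
            continue
        if section in ("SSDT", "Shadow SSDT"):
            m = HOOK_RE.match(line)
            if m:
                pending = (int(m.group(1)), m.group(2))
                continue
            m = STATUS_RE.search(line)
            if m and pending:
                hooks.append(Hook(section, pending[0], pending[1], m.group(1), int(m.group(2), 16)))
                pending = None
        elif section == "Stealth Objects":
            m = OBJECT_RE.match(line)
            if m:
                pending = (m.group(1), m.group(2))
                continue
            m = PROCESS_RE.search(line)
            if m and pending:
                objects.append(StealthObject(pending[0], pending[1], int(m.group(1), 16), int(m.group(2))))
                pending = None
    return hooks, objects


def triage(hooks, objects):
    """Summarise the findings the way a helper reads the log: hooks owned by a named
    driver are expected from a security product; hooks with no owner and patched
    network-driver dispatch entries are what needs explaining."""
    owners = Counter(h.owner for h in hooks)
    unknown = sorted(h.function for h in hooks if h.owner == "<unknown>")
    keyboard = sorted(h.function for h in hooks
                      if h.table == "Shadow SSDT" and h.function in KEYBOARD_FUNCS)
    patched = Counter(o.driver for o in objects)
    return {
        "hooks_by_owner": dict(owners),
        "unattributed_hooks": unknown,
        "keyboard_state_hooks": keyboard,
        "patched_dispatch_tables": dict(patched),
    }


if __name__ == "__main__":
    found_hooks, found_objects = parse_report(SAMPLE_REPORT)
    for key, value in triage(found_hooks, found_objects).items():
        print(f"{key}: {value}")
```

Run against the full log in the post, the summary separates the nine PCTCore.sys hooks from the twenty-one unattributed ones and reports all twenty-eight Tcpip dispatch entries as patched, which is the shape of result that makes a helper ask for deeper (DDS/GMER) logs rather than another antivirus scan.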


#4 boopme (Global Moderator)

Posted 26 March 2010 - 11:37 AM

Let's see one more MBAM scan please.

Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates; when done,
click the Scanner tab, select FULL scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

#5 Delsana (Topic Starter)

Posted 26 March 2010 - 12:12 PM

After I restarted the computer gave me an immense amount of memory errors with some app-tray that I hadn't seen before, but no idea what that's about at the moment.

Here you go:

Malwarebytes' Anti-Malware 1.44
Database version: 3910
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/26/2010 1:02:33 AM
mbam-log-2010-03-26 (01-02-26).txt

Scan type: Full Scan (C:\|)
Objects scanned: 179981
Time elapsed: 18 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent.Gen) -> Data: c:\windows\system32\userinit.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent.Gen) -> Data: system32\userinit.exe -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#6 boopme (Global Moderator)

Posted 26 March 2010 - 02:08 PM

Hello, I think we need a deeper look to find these issues.
Please go here:
Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic as instructed in step 9. Not in this topic.
If Gmer won't run, skip it and move on.
Let me know if that went well.

#7 Delsana (Topic Starter)

Posted 27 March 2010 - 12:25 AM

No it went pretty poorly, none of those really detected anything apart from an error log that showed that Ad-aware was dying randomly.

#8 Orange Blossom (Moderator)

Posted 27 March 2010 - 08:28 PM

Hello,

They weren't supposed to do anything. These logs will help our malware removal team diagnose the problems with the computer, and I am happy to see that you were successful in creating them.

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/305183/infected-with-unknown-non-detected-entity/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by an MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom