<- persistent redirect rootkit makes me feel like this


  • This topic is locked
21 replies to this topic

#1 gooby

  • Members
  • 13 posts

Posted 09 April 2010 - 04:55 PM

I have a rootkit virus that makes search result links redirect and occasionally creates a popup. I tried Spybot, Malwarebytes, Hitman Pro, Kaspersky, and specific rootkit removal programs but none of them were successful. I'm clueless at this point and would greatly appreciate some help.

When I run TDSSKiller, it finds a kernel memory rootkit, but TDSSKiller is unable to cure it on reboot. I tried to delete this tmp file, but it gets recreated with a different name as tsk#.tmp

Attached File  tdsskiller.GIF   12.65KB   10 downloads

Edit: Posts merged ~BP

Attached Files


Edited by Budapest, 11 April 2010 - 06:40 PM.



#2 extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 12 April 2010 - 09:03 PM

Hi,

My name is Extremeboy (or EB for short), and I will be helping you with your log. I apologize for the delay.

If you still require assistance, we would like to see the current condition of your system, so please post a new set of DDS logs as well as a GMER log and a description of any remaining problems or symptoms you may still have.

If for any reason you did not post a DDS log or GMER log, please refer to this page, steps #6, #7 and #8, for further instructions on downloading and running DDS & GMER. If you have any problems when running the tools or are unable to produce a report for any reason, just let me know in your next reply.


For your next reply I would like to see:
-The DDS logs
---DDS.txt and Attach logs
-GMER log
-Description of any remaining problems you may still have.


With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.


#3 gooby

  • Topic Starter
  • Members
  • 13 posts

Posted 13 April 2010 - 05:30 PM

Hi EB. Thanks for the help. I still can't get rid of the rootkit. It redirects links, opens popups, installs malware like XP Security Center, and XP has trouble booting. Avast or Malwarebytes seems like it's preventing the malware from installing.

Attached Files


Edited by gooby, 13 April 2010 - 05:31 PM.


#4 extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 13 April 2010 - 06:15 PM

Hello.

I see a few things we need to do here.

One of the infections you have here is the TDL3 rootkit; more information here: http://rootbiez.blogspot.com/2009/11/rootk...s-lets-put.html

If you wish to continue with removing this, let's begin...

We'll start with ComboFix, as it can deal with this infection you have; if not, we'll try something else.

Download and Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

Download Combofix from any of the links below, and save it to your desktop.
Link 1
Link 2

Please refer to this page for full instructions on how to run ComboFix.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click ComboFix.exe to start the program. Agree to the prompts.
  • When ComboFix is finished, a log report (C:\ComboFix.txt) will open. Post back with it.
Leave your computer alone while ComboFix is running.

ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do not mouse-click ComboFix's window while it's running because it may cause it to stall.


#5 gooby

  • Topic Starter
  • Members
  • 13 posts

Posted 13 April 2010 - 07:27 PM

Here's the log. I don't think it removed the rootkit, because I'm still getting redirects and popups.

Attached File  log.txt   19.23KB   8 downloads

Edited by gooby, 13 April 2010 - 07:28 PM.


#6 extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 14 April 2010 - 07:57 PM

Yes, it wasn't removed. Let's try dealing with this manually.

Download and Run SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it. (If you are using Vista, please right-click and select Run as administrator.)
  • A blank window shall open with the title "SystemLook v1.0-by Jpshortstuff".
  • Copy and Paste the content of the following codebox into the main textfield under "File":
    CODE
    :filefind
    atapi.sys
  • Please Confirm everything is copied and Pasted as I have provided above
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan.
  • Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
2nd Note: The scan may take a while from several seconds to a minute or more depending on the number of files you have and how fast your computer can perform the task


Let's try TDSSKiller against this variant as it has been successful in most cases with this variant of TDSS. If not, we'll try something else.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK. (If Vista, click on the Vista Orb and copy and paste the following into the Search field. (make sure you include the quotation marks) Then press Ctrl+Shift+Enter.)


    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • It may ask you to reboot the computer to complete the process. Allow it to do so.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.

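
Editor's added example (not part of the thread, and not SystemLook's code): the SystemLook :filefind step above lists every copy of atapi.sys on the volume so the live driver under system32\drivers can be compared against the cached copies Windows keeps. The Python below does that comparison: it hashes every copy found under a root, takes the largest group of identical copies as the reference, and reports the rest, distinguishing "same size, different content" (what a driver patched in place looks like) from a plain size mismatch. The directory layout and the driver bytes in build_demo_tree() are constructed for the demo and stand in for real files.

```python
"""Hash and compare every copy of a driver under a directory tree.
Added example for this thread; not SystemLook's code. The directory layout
and driver bytes in build_demo_tree() are constructed for the demo."""
import hashlib
import os
import tempfile
from collections import defaultdict
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class DriverCopy:
    path: str
    size: int
    sha256: str


def find_copies(root: str, filename: str) -> List[DriverCopy]:
    """Walk `root` and hash every file whose name matches, case-insensitively
    (NTFS is case-insensitive; GMER and ComboFix print the same path in
    mixed case)."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == filename.lower():
                path = Path(dirpath) / name
                data = path.read_bytes()
                found.append(DriverCopy(str(path), len(data),
                                        hashlib.sha256(data).hexdigest()))
    return sorted(found, key=lambda c: c.path.lower())


def odd_ones_out(copies: List[DriverCopy]) -> List[Tuple[DriverCopy, str]]:
    """Group copies by hash and treat the largest group as the reference
    (dllcache and ServicePackFiles normally agree with each other). Every
    copy outside that group comes back with a reason. 'Same size, different
    content' is what an in-place patched driver looks like: a size change
    would stand out in any directory listing, a patched byte range does not."""
    by_hash: Dict[str, List[DriverCopy]] = defaultdict(list)
    for copy in copies:
        by_hash[copy.sha256].append(copy)
    if len(by_hash) < 2:
        return []                           # all copies identical: nothing to flag
    reference = max(by_hash.values(), key=len)
    ref_size = reference[0].size
    suspects = []
    for group in by_hash.values():
        if group is reference:
            continue
        for copy in group:
            reason = ("same size, different content" if copy.size == ref_size
                      else "different size")
            suspects.append((copy, reason))
    return suspects


def build_demo_tree() -> str:
    """Constructed stand-in for a Windows volume: the live driver has one
    byte patched, the two cached copies are pristine. Not real driver bytes."""
    root = tempfile.mkdtemp(prefix="atapi_demo_")
    clean = bytes(range(256)) * 4                       # 1024 bytes of 'driver'
    patched = clean[:700] + b"\xCC" + clean[701:]       # same length, one byte differs
    layout = {
        r"WINDOWS\system32\drivers\atapi.sys": patched,
        r"WINDOWS\system32\dllcache\atapi.sys": clean,
        r"WINDOWS\ServicePackFiles\i386\atapi.sys": clean,
    }
    for rel, data in layout.items():
        target = Path(root, *rel.split("\\"))
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return root


def run_demo() -> List[Tuple[DriverCopy, str]]:
    """Build the demo tree and return the copies that disagree with the rest."""
    return odd_ones_out(find_copies(build_demo_tree(), "ATAPI.SYS"))


if __name__ == "__main__":
    for copy, reason in run_demo():
        print(f"{copy.path}: {reason} (sha256 {copy.sha256[:16]}...)")
```

The check only means something when run from a clean boot or against the volume mounted under another OS: while the rootkit is active, a read of the infected driver can be answered with clean bytes, which is the reason extremeboy gives in the next reply for the reinstall not working.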

#7 gooby

  • Topic Starter
  • Members
  • 13 posts

Posted 16 April 2010 - 12:35 AM

Still no luck. I even tried reinstalling my IDE drivers and atapi.sys.

Attached Files


Edited by gooby, 16 April 2010 - 12:35 AM.


#8 extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 16 April 2010 - 03:49 PM

Hello.

That won't work since this infection is active. Let's try this; I suspect a second driver is causing some trouble here.

Run GMER with the following instructions... Make sure Show All is UNCHECKED

Download and Run GMER

We will use GMER to scan for rootkits.
  • Please download GMER from one of the following locations, and save it to your desktop:
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop. Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)

  • Close any and all open programs, as this process may crash your computer.
  • When you have done this, close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program. Right-click and select Run As Administrator... if you are using Vista
  • Allow the gmer.sys driver to load if asked.

    If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system... Click NO.
  • In the right panel, you will see several boxes that have been checked. Please UNCHECK the following:
    • Registry
    • Files
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show all (Don't miss this one!)
  • Click on Scan and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Save... and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.

If GMER doesn't work in Normal Mode try running it in Safe Mode

Note: Do Not run any program while GMER is running
*Note*: Rootkit scans often produce false positives. Do NOT take any actions on "<--- ROOTKIT" entries

#9 gooby

  • Topic Starter
  • Members
  • 13 posts

Posted 30 April 2010 - 09:07 PM

Sorry, I went on vacation and forgot about this. I still have the redirects.

QUOTE
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-30 22:03:19
Windows 5.1.2600 Service Pack 3
Running: t7dkj1ih.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pxlorpow.sys


---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\DRIVERS\intelppm.sys entry point in ".rsrc" section [0xF797B494]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[1232] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B5000C
.text C:\WINDOWS\Explorer.EXE[1232] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B6000A
.text C:\WINDOWS\Explorer.EXE[1232] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BC000A
.text C:\WINDOWS\System32\svchost.exe[884] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0090000C
.text C:\WINDOWS\System32\svchost.exe[884] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 3 Bytes JMP 0091000A
.text C:\WINDOWS\System32\svchost.exe[884] ntdll.dll!NtProtectVirtualMemory + 4 7C90D6F2 1 Byte [84]
.text C:\WINDOWS\System32\svchost.exe[884] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0092000A
.text C:\WINDOWS\system32\wuauclt.exe[368] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0090000C
.text C:\WINDOWS\system32\wuauclt.exe[368] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 3 Bytes JMP 0091000A
.text C:\WINDOWS\system32\wuauclt.exe[368] ntdll.dll!NtProtectVirtualMemory + 4 7C90D6F2 1 Byte [84]
.text C:\WINDOWS\system32\wuauclt.exe[368] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0092000A

---- Devices - GMER 1.0.15 ----

Device -> \Driver\atapi \Device\Harddisk0\DR0 87231AC8

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
File C:\WINDOWS\system32\DRIVERS\intelppm.sys suspicious modification

---- EOF - GMER 1.0.15 ----

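Editor's added example (not part of the thread, and not GMER's tooling): three kinds of entry in the log above carry the finding, and a responder reads them together: the JMPs written over ntdll exports in the user code section, the driver whose entry point GMER places in its .rsrc section, and the two files flagged as "suspicious modification". The Python below parses a constructed sample condensed from that log, collects each kind, and cross-references the entry-point anomaly with the modified-file list, so the driver that shows up in both (intelppm.sys here) is reported separately. The set of sections treated as legitimate for an entry point (CODE_SECTIONS) is an assumption of the triage rule, not something GMER reports.

```python
"""Triage a GMER log: inline hooks, drivers whose entry point sits in a
non-code section, files GMER reports as modified, and the overlap between
them. Added example for this thread, not GMER's own tooling; the sample log
is constructed, condensed from the log format posted above."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

SAMPLE_GMER_LOG = r"""GMER 1.0.15.15281 - http://www.gmer.net
---- Kernel code sections - GMER 1.0.15 ----
.rsrc C:\WINDOWS\system32\DRIVERS\intelppm.sys entry point in ".rsrc" section [0xF797B494]
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\Explorer.EXE[1232] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B5000C
.text C:\WINDOWS\System32\svchost.exe[884] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 3 Bytes JMP 0091000A
.text C:\WINDOWS\System32\svchost.exe[884] ntdll.dll!NtProtectVirtualMemory + 4 7C90D6F2 1 Byte [84]
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
File C:\WINDOWS\system32\DRIVERS\intelppm.sys suspicious modification
---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER [\d.]+ ----$")
HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+(?P<module>[^!\s]+)!(?P<func>\S+)"
    r"\s+(?P<addr>[0-9A-Fa-f]+)\s+\d+\s+Bytes?\s+JMP\s+(?P<target>[0-9A-Fa-f]+)\s*$")
ENTRY_RE = re.compile(
    r'^\.?(?P<section>\w+)\s+(?P<path>\S+)\s+entry point in "\.?(?P=section)" section')
FILE_RE = re.compile(r"^File\s+(?P<path>.+?)\s+suspicious modification\s*$")
# Sections an entry point legitimately lives in (assumption behind the triage
# rule). .rsrc holds resources and has no business being executed.
CODE_SECTIONS = {"text", "INIT", "PAGE"}


@dataclass(frozen=True)
class InlineHook:
    image: str      # hooked process
    pid: int
    symbol: str     # module!function whose prologue was overwritten
    address: int    # where the JMP was written
    target: int     # where it lands


def split_sections(text: str) -> Dict[str, List[str]]:
    """Bucket non-empty lines under the '---- name - GMER x.y ----' headers."""
    sections: Dict[str, List[str]] = defaultdict(list)
    current = "header"
    for line in text.splitlines():
        header = SECTION_RE.match(line)
        if header:
            current = header["name"]
        elif line.strip():
            sections[current].append(line)
    return dict(sections)


def find_inline_hooks(text: str) -> List[InlineHook]:
    """JMPs written over exported function prologues in user-mode processes."""
    hooks = []
    for line in split_sections(text).get("User code sections", []):
        m = HOOK_RE.match(line)
        if m:
            hooks.append(InlineHook(m["image"], int(m["pid"]), f'{m["module"]}!{m["func"]}',
                                    int(m["addr"], 16), int(m["target"], 16)))
    return hooks


def find_entry_point_anomalies(text: str) -> List[Tuple[str, str]]:
    """Drivers whose entry point GMER places in a section that is not code."""
    found = []
    for line in split_sections(text).get("Kernel code sections", []):
        m = ENTRY_RE.match(line)
        if m and m["section"] not in CODE_SECTIONS:
            found.append((m["path"], m["section"]))
    return found


def find_modified_files(text: str) -> List[str]:
    lines = split_sections(text).get("Files", [])
    return [m["path"] for m in map(FILE_RE.match, lines) if m]


def triage(text: str) -> Dict[str, object]:
    hooks = find_inline_hooks(text)
    anomalies = find_entry_point_anomalies(text)
    modified = find_modified_files(text)
    modified_lc = {p.lower() for p in modified}
    hooked: Dict[str, set] = defaultdict(set)
    for h in hooks:
        hooked[h.symbol].add(f"{h.image}[{h.pid}]")
    return {
        "hooked_symbols": {sym: sorted(procs) for sym, procs in hooked.items()},
        "entry_point_anomalies": [p for p, _ in anomalies],
        "modified_files": modified,
        # entry point moved AND on-disk bytes changed: the strongest single
        # signal this log format offers for a patched driver
        "corroborated_drivers": [p for p, _ in anomalies if p.lower() in modified_lc],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_GMER_LOG).items():
        print(f"{key}: {value}")
```

The warning in the GMER instructions above applies to hooked_symbols: on-access scanners instrument processes with the same kind of inline hook, so that list is something to check against the security products installed, while corroborated_drivers is the entry to act on.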

#10 extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 01 May 2010 - 08:20 PM

Hello.

Yes, seems to be the new TDL3 rootkit that's causing that. Let's deal with it. More information here: http://rootbiez.blogspot.com/2009/11/rootk...s-lets-put.html

If you wish to continue, let's start off with Combofix and continue from there.

Download and Run Combofix

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page on instructions on doing so.

Please include the C:\ComboFix.txt in your next reply for further review.


#11 gooby

  • Topic Starter
  • Members
  • 13 posts

Posted 02 May 2010 - 07:41 AM

Combofix may have been successful this time around. I did a few quick searches and so far no redirects.

ComboFix 10-05-01.04 - Jan-Vincent 05/02/2010 7:49.4.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.762 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\WindowsUpdate

Infected copy of c:\windows\system32\drivers\intelppm.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-04-02 to 2010-05-02 )))))))))))))))))))))))))))))))
.

2010-05-01 06:39 . 2010-05-01 06:39 -------- d-----w- c:\program files\iPod
2010-05-01 06:38 . 2010-05-01 06:40 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-05-01 06:16 . 2010-05-01 06:16 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2010-04-30 03:43 . 2010-04-30 03:46 -------- d-----w- c:\documents and settings\Administrator\Application Data\GrabPro
2010-04-30 03:43 . 2010-04-30 03:43 -------- d-----w- C:\downloads
2010-04-25 16:09 . 2010-04-25 16:09 144160 ----a-w- c:\documents and settings\Administrator\Application Data\Move Networks\uninstall.exe
2010-04-25 16:08 . 2010-04-25 20:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\Move Networks
2010-04-25 02:22 . 2010-04-25 02:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-04-12 15:04 . 2010-04-13 23:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-04-12 15:04 . 2010-04-12 15:04 -------- d-----w- c:\program files\Alwil Software
2010-04-12 14:41 . 2010-04-12 14:41 53088 ----a-w- c:\windows\system32\drivers\pxrts.sys
2010-04-12 14:41 . 2010-04-12 14:41 30280 ----a-w- c:\windows\system32\drivers\pxscan.sys
2010-04-12 14:41 . 2010-04-12 14:41 24368 ----a-w- c:\windows\system32\drivers\pxkbf.sys
2010-04-12 14:18 . 2010-04-12 14:18 152576 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-04-12 14:18 . 2010-04-12 14:18 79488 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-04-10 01:41 . 2010-04-12 14:40 -------- d-----w- c:\windows\system32\NtmsData
2010-04-09 18:15 . 2010-04-09 18:15 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-04-09 15:27 . 2009-10-22 17:54 37392 ----a-w- c:\windows\system32\drivers\36051342.sys
2010-04-09 15:27 . 2009-10-10 03:31 315408 ----a-w- c:\windows\system32\drivers\3605134.sys
2010-04-09 15:27 . 2009-09-25 21:59 128016 ----a-w- c:\windows\system32\drivers\36051341.sys
2010-04-09 05:59 . 2010-04-09 06:37 50176 ----a-w- c:\windows\system32\drivers\rk_remover.sys
2010-04-09 05:17 . 2010-04-10 14:27 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory
2010-04-08 23:06 . 2010-04-12 04:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-08 23:06 . 2010-04-08 23:08 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-08 19:26 . 2010-04-08 19:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-04-08 19:21 . 2010-04-08 19:23 132 ----a-w- c:\windows\system32\rezumatenoi.dat
2010-04-08 19:13 . 2010-04-08 19:13 4 ----a-w- c:\windows\system32\aspdict-en.dat
2010-04-08 19:13 . 2010-04-08 19:13 16 ----a-w- c:\windows\system32\asdict.dat
2010-04-08 18:58 . 2010-04-09 19:00 -------- d-----w- c:\program files\BitDefender
2010-04-08 18:56 . 2010-04-09 18:59 -------- d-----w- c:\program files\Common Files\BitDefender
2010-04-08 18:52 . 2010-04-08 18:52 -------- d-----w- c:\windows\system32\URTTEMP
2010-04-08 17:20 . 2010-04-08 17:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 17:20 . 2010-04-08 17:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-04-08 04:42 . 2010-05-01 22:50 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-08 04:42 . 2010-04-08 04:42 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-04-08 02:25 . 2010-04-12 04:31 -------- d-----w- c:\program files\Spyware Doctor
2010-04-07 23:23 . 2010-04-07 23:23 52224 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-07 23:23 . 2010-04-07 23:23 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-07 23:21 . 2010-04-08 01:00 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-07 23:21 . 2010-04-07 23:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-04-07 14:16 . 2010-04-07 14:16 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-07 14:16 . 2010-04-27 17:58 664 ----a-w- c:\windows\system32\d3d9caps.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-02 03:58 . 2009-11-29 05:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\Orbit
2010-05-02 02:48 . 2010-01-01 23:57 -------- d-----w- c:\program files\Warcraft III
2010-05-01 06:40 . 2009-11-24 22:35 -------- d-----w- c:\program files\iTunes
2010-05-01 06:38 . 2009-11-24 22:33 -------- d-----w- c:\program files\Common Files\Apple
2010-05-01 06:34 . 2009-11-24 22:34 -------- d-----w- c:\program files\QuickTime
2010-05-01 06:28 . 2009-11-24 22:35 -------- d-----w- c:\program files\Bonjour
2010-05-01 01:45 . 2010-02-02 00:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-30 23:51 . 2010-03-16 07:49 -------- d-----w- c:\documents and settings\Administrator\Application Data\ApexDC++
2010-04-30 22:04 . 2010-04-01 04:30 6153352 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-04-30 15:46 . 2009-11-24 04:03 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
2010-04-29 21:41 . 2010-04-13 14:28 96512 ----a-w- c:\windows\system32\drivers\tsk32.tmp
2010-04-29 19:39 . 2010-02-02 00:50 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2010-02-02 00:50 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-25 16:08 . 2009-12-10 19:26 4187512 ----a-w- c:\documents and settings\Administrator\Application Data\Move Networks\plugins\npqmp071505000011.dll
2010-04-24 13:37 . 2009-11-24 04:04 -------- d-----w- c:\program files\uTorrent
2010-04-15 17:54 . 2009-11-27 03:06 -------- d-----w- c:\program files\JDownloader
2010-04-12 20:12 . 2010-04-12 20:12 96512 ----a-w- c:\windows\system32\drivers\tsk7.tmp
2010-04-12 15:30 . 2010-04-12 15:30 96512 ----a-w- c:\windows\system32\drivers\tsk13.tmp
2010-04-12 15:03 . 2010-04-12 15:03 96512 ----a-w- c:\windows\system32\drivers\tskB.tmp
2010-04-12 14:56 . 2008-04-13 23:10 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-04-12 14:20 . 2009-11-27 03:05 -------- d-----w- c:\program files\Java
2010-04-12 04:10 . 2010-02-05 03:26 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-12 03:05 . 2009-11-29 05:17 -------- d-----w- c:\program files\Orbitdownloader
2010-04-10 03:08 . 2009-11-24 22:43 20568 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-01 05:15 . 2010-04-01 05:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Blumentals
2010-04-01 05:15 . 2010-04-01 05:14 -------- d-----w- c:\program files\Easy GIF Animator
2010-04-01 04:46 . 2010-04-01 04:46 -------- d-----w- c:\program files\CCleaner
2010-03-18 02:36 . 2010-03-18 02:36 -------- d-----w- c:\documents and settings\Administrator\Application Data\GARMIN
2010-03-17 15:45 . 2010-03-17 15:45 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-03-16 07:49 . 2010-03-16 07:48 -------- d-----w- c:\program files\ApexDC++
2010-03-16 07:48 . 2010-01-26 03:36 -------- d-----w- c:\documents and settings\Administrator\Application Data\DC++
2010-03-11 03:31 . 2010-01-02 00:00 77907 ----a-w- c:\windows\War3Unin.dat
2010-03-10 17:25 . 2010-03-10 17:25 -------- d-----w- c:\program files\Real Alternative
2010-03-10 15:29 . 2009-12-20 23:44 -------- d-----w- c:\program files\AllToAVI
2010-03-10 06:15 . 2008-04-14 04:42 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-03 22:45 . 2010-03-03 22:45 -------- d-----w- c:\documents and settings\All Users\Application Data\nView_Profiles
2010-03-03 13:58 . 2010-03-03 13:58 -------- d-----w- c:\program files\SystemRequirementsLab
2010-03-03 13:58 . 2010-03-03 13:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\SystemRequirementsLab
2010-03-03 13:57 . 2010-03-03 13:57 290816 ----a-w- c:\documents and settings\Administrator\Application Data\SystemRequirementsLab\SRLProxy_nvd_4.dll
2010-03-03 13:57 . 2010-03-03 13:57 290816 ----a-w- c:\documents and settings\Administrator\Application Data\SystemRequirementsLab\SRLProxy_nvd_3.dll
2010-03-03 13:57 . 2010-03-03 13:57 290816 ----a-w- c:\documents and settings\Administrator\Application Data\SystemRequirementsLab\SRLProxy_nvd_2.dll
2010-03-03 13:57 . 2010-03-03 13:57 290816 ----a-w- c:\documents and settings\Administrator\Application Data\SystemRequirementsLab\SRLProxy_nvd_1.dll
2010-02-27 21:17 . 2009-11-24 01:02 22720 ----a-w- c:\windows\system32\emptyregdb.dat
2010-02-25 06:24 . 2008-04-14 04:42 916480 ------w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2008-04-13 23:47 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-17 13:10 . 2008-04-13 23:57 2189952 ------w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2008-04-14 00:01 2066816 ------w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2008-04-14 04:41 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2008-04-13 23:30 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-04-14_00.08.06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-05-02 11:48 . 2010-05-02 11:48 16384 c:\windows\Temp\Perflib_Perfdata_65c.dat
+ 2010-05-01 06:28 . 2010-04-16 12:33 41472 c:\windows\system32\DRVSTORE\usbaapl_E0F497D6C8B1C59AEB6422181BF0AFABD8356D47\usbaapl.sys
+ 2010-05-01 06:26 . 2010-05-01 06:26 791552 c:\windows\Installer\f998de.msi
+ 2010-05-01 06:40 . 2010-05-01 06:40 372736 c:\windows\Installer\{5ECB3A3C-980B-4D12-9724-25DCB07A1F47}\iTunesIco.exe
+ 2010-05-01 06:28 . 2010-04-16 12:33 3003680 c:\windows\system32\DRVSTORE\usbaapl_E0F497D6C8B1C59AEB6422181BF0AFABD8356D47\usbaaplrc.dll
+ 2010-05-01 06:40 . 2010-05-01 06:40 4795392 c:\windows\Installer\f9a849.msi
+ 2010-05-01 06:34 . 2010-05-01 06:34 9472000 c:\windows\Installer\f9a0ac.msi
+ 2010-05-01 06:29 . 2010-05-01 06:29 3168768 c:\windows\Installer\f9992c.msi
+ 2010-05-01 06:28 . 2010-05-01 06:28 1984000 c:\windows\Installer\f998f1.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-04-01 5562368]
"Malwarebytes Anti-Malware (rootkit-scan)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2010-04-27 5937984]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
SetPointII.lnk - c:\program files\Logitech\SetPoint II\SetpointII.exe [2009-7-21 323584]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\ApexDC++\\ApexDC.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver 8\\Dreamweaver.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 36051342;36051342 Boot Guard Driver;c:\windows\system32\drivers\36051342.sys [4/9/2010 11:27 AM 37392]
R0 rk_remover-boot;rk_remover-boot;c:\windows\system32\drivers\rk_remover.sys [4/9/2010 1:59 AM 50176]
R1 36051341;36051341;c:\windows\system32\drivers\36051341.sys [4/9/2010 11:27 AM 128016]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [11/24/2009 12:25 AM 10384]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2/1/2010 8:50 PM 304464]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2/1/2010 8:50 PM 20952]
S0 rosndcv;rosndcv;c:\windows\system32\drivers\oqhn.sys --> c:\windows\system32\drivers\oqhn.sys [?]
S0 skvggjw;skvggjw;c:\windows\system32\drivers\jnvnf.sys --> c:\windows\system32\drivers\jnvnf.sys [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
TCP: {A6CA7E6D-8E52-4152-B9C2-031C410B1152} = 192.168.0.1
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\e0p1jhpu.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\Orbitdownloader\addons\OneClickYouTubeDownloader\components\GrabXpcom.dll
FF - plugin: c:\documents and settings\Administrator\Application Data\Move Networks\plugins\npqmp071505000011.dll
FF - plugin: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\e0p1jhpu.default\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}\plugins\npGarmin.dll
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\Veetle\VLCBroadcast\npvbp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-02 07:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\SetID\Internal]
@Denied: (A 2) (LocalSystem)
"DATA"="<settings expireTime=\"0\" productStatus=\"1\" obSize=\"0\" InstallTS=\"2145870353\" isSubsc=\"0\" version=\"12.0.1\" timeDiff=\"1\" oldDevice=\"\" authStatus_ts=\"0\" />"
"Device"="yM29zbvPzMnLvrm+x8fPzce+zro="

[HKEY_USERS\S-1-5-21-117609710-515967899-1644491937-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1f,05,f4,3c,79,67,eb,43,ba,ab,be,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1f,05,f4,3c,79,67,eb,43,ba,ab,be,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1f,05,f4,3c,79,67,eb,43,ba,ab,be,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1f,05,f4,3c,79,67,eb,43,ba,ab,be,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1f,05,f4,3c,79,67,eb,43,ba,ab,be,\
.
Completion time: 2010-05-02 08:00:00
ComboFix-quarantined-files.txt 2010-05-02 11:59
ComboFix2.txt 2010-04-14 00:16

Pre-Run: 14,400,991,232 bytes free
Post-Run: 14,442,258,432 bytes free

- - End Of File - - 4A50245E16222CA893302AA9AFF639E2

Edited by extremeboy, 02 May 2010 - 01:44 PM.


#12 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:30 PM

Posted 02 May 2010 - 01:48 PM

Hello.

Yes, it seems CF dealt with it successfully.

Just some leftover things to deal with.


Download and run Malwarebytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

Download and Run OTM
  1. Please download OTM by OldTimer and save it to your desktop.
  2. Double-click the icon on your desktop. If you are running on Vista, right-click on the file and choose Run As Administrator.
  3. Paste the following code under the area. Do not include the word "Code".
    CODE
    :services
    rosndcv
    skvggjw
    :files
    c:\windows\system32\drivers\jnvnf.sys
    c:\windows\system32\drivers\oqhn.sys
    :Commands
    [CREATERESTOREPOINT]
    [resethosts]
    [emptytemp]
  4. Click the large button.
  5. If OTM requires a reboot, please allow it to do so.
  6. Copy/Paste the contents under the line here in your next reply.
Note: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#13 gooby

gooby
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:12:30 PM

Posted 02 May 2010 - 10:15 PM

Hi again,

Here are the results for MB and OTM:

QUOTE
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4060

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/2/2010 11:14:05 PM
mbam-log-2010-05-02 (23-14-05).txt

Scan type: Quick scan
Objects scanned: 112493
Time elapsed: 7 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


QUOTE
All processes killed
========== SERVICES/DRIVERS ==========
Service rosndcv stopped successfully!
Service rosndcv deleted successfully!
Service skvggjw stopped successfully!
Service skvggjw deleted successfully!
========== FILES ==========
File/Folder c:\windows\system32\drivers\jnvnf.sys not found.
File/Folder c:\windows\system32\drivers\oqhn.sys not found.
========== COMMANDS ==========
Restore point Set: OTM Restore Point (0)
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 750916 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 63634271 bytes
->Flash cache emptied: 11823 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 344131 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 5938 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Java cache emptied: 3227 bytes
->Flash cache emptied: 16306 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 4804088 bytes
%systemroot%\System32 .tmp files removed: 2891281 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 386048 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 70.00 mb


OTM by OldTimer - Version 3.1.11.0 log created on 05022010_230122

Files moved on Reboot...

Registry entries deleted on Reboot...

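Reading the two logs above side by side is the actual check on this step: the services named in the OTM script were stopped and deleted, while both driver files came back "not found", consistent with an earlier tool having already removed them. The following is an added Python example, not part of this thread or of OTM itself: it parses a script written in OTM's :services / :files / :Commands syntax together with the result log OTM produced, and gives a verdict for every service and file the script asked about. The embedded script and log text are constructed copies of the ones posted above so the example runs offline.

```python
"""Cross-check an OTM (OldTimer's OTMoveIt) script against the log it produced.

Added example, not code from the thread or from OTM. The script syntax
(:services / :files / :Commands) and the log phrasing ("Service X deleted
successfully!", "File/Folder Y not found.") follow the posts above; the text
below is a constructed copy embedded so the example runs stand-alone.
"""
import re

# Constructed sample: the OTM script the helper posted.
OTM_SCRIPT = """\
:services
rosndcv
skvggjw
:files
c:\\windows\\system32\\drivers\\jnvnf.sys
c:\\windows\\system32\\drivers\\oqhn.sys
:Commands
[CREATERESTOREPOINT]
[resethosts]
[emptytemp]
"""

# Constructed sample: the relevant lines of the OTM log posted in reply.
OTM_LOG = """\
All processes killed
========== SERVICES/DRIVERS ==========
Service rosndcv stopped successfully!
Service rosndcv deleted successfully!
Service skvggjw stopped successfully!
Service skvggjw deleted successfully!
========== FILES ==========
File/Folder c:\\windows\\system32\\drivers\\jnvnf.sys not found.
File/Folder c:\\windows\\system32\\drivers\\oqhn.sys not found.
========== COMMANDS ==========
Restore point Set: OTM Restore Point (0)
C:\\WINDOWS\\System32\\drivers\\etc\\Hosts moved successfully.
HOSTS file reset successfully
"""


def parse_script(text):
    """Split an OTM script into its sections: {'services': [...], 'files': [...], ...}."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):           # section header such as ":files"
            current = line[1:].lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


SERVICE_RE = re.compile(r"^Service (\S+) (stopped|deleted) successfully!$")
FILE_RE = re.compile(r"^File/Folder (.+?) (moved successfully|not found)\.$")


def parse_log(text):
    """Collect the outcomes OTM reported, keyed by lower-cased service name or path."""
    outcomes = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = SERVICE_RE.match(line) or FILE_RE.match(line)
        if m:
            outcomes.setdefault(m.group(1).lower(), set()).add(m.group(2))
    return outcomes


def cross_check(script_text, log_text):
    """Give one verdict per service/file the script requested, based on the log."""
    script = parse_script(script_text)
    outcomes = parse_log(log_text)
    report = {}
    for svc in script.get("services", []):
        got = outcomes.get(svc.lower(), set())
        if "deleted" in got:
            report[svc] = "deleted"
        elif "stopped" in got:
            report[svc] = "stopped only"    # service entry still registered
        else:
            report[svc] = "no result"       # log says nothing about it
    for path in script.get("files", []):
        got = outcomes.get(path.lower(), set())
        if "moved successfully" in got:
            report[path] = "moved"
        elif "not found" in got:
            report[path] = "already gone"   # nothing left for OTM to move
        else:
            report[path] = "no result"
    return report


if __name__ == "__main__":
    for item, verdict in cross_check(OTM_SCRIPT, OTM_LOG).items():
        print(f"{verdict:13} {item}")
```

Any item that comes back as "stopped only" or "no result" is the one to look at again before declaring the clean-up complete; in the logs posted here every requested item is either deleted or already gone.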

#14 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:30 PM

Posted 03 May 2010 - 09:23 PM

Looking good. Let's get an online scan performed.
Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Open the Kaspersky WebScanner page.
  • Click on the button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the button, if you made any changes.
  • Now under the Scan section on the left:
    Select My Computer
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis if needed.

#15 gooby

gooby
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:12:30 PM

Posted 04 May 2010 - 03:27 PM

QUOTE
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, May 4, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, May 04, 2010 12:41:34
Records in database: 4046283
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\

Scan statistics:
Objects scanned: 103695
Threats found: 1
Infected objects found: 1
Suspicious objects found: 0
Scan duration: 02:15:40


File name / Threat / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\intelppm.sys.vir Infected: Rootkit.Win32.TDSS.ap 1

Selected area has been scanned.