
Infected With win32k.sys Rootkit & Possibly Other Leftover Infection Traces


This topic is locked
34 replies to this topic

#1 Wannabetechnerd
  • Members, 23 posts
  • Location: Georgia, USA

Posted 11 April 2010 - 04:38 PM

Hello, I believe I'm infected with the subject rootkit/virus/etc and possibly others. I have received blue memory dump screens several times after first trying to run gmer until I changed the name. I've been receiving pop-ups that I never used to get, and when I checked my event viewer, under windows security it's showing a lot of system integrity and other audit failures, suspicious logon events with processes by Advapi to services.exe, and security state changes.

I have already reviewed and done some of the stuff in this thread: http://www.bleepingcomputer.com/forums/t/87058/slow-computerbrowser-check-here-first;-it-may-not-be-malware/ because at first it was running noticeably slow.

Please see examples:

- Anonymous logons to the account domain NT Authority through NtLmSsp

- Audit policy changes to many of my c:/windows/system32 files (.dll's, .exe's, and others) and registry through a process named C:\Windows\servicing\TrustedInstaller.exe with a New Security Descriptor listed as: S:ARAI(AU;FA;KA;;;WD) OR S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD). I searched this security descriptor on the internet and it seems foreign in nature.

- Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error. File Name: \Device\HarddiskVolume2\Users\Konita\AppData\Local\Temp\fwryqkoc.sys

- Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error. File Name: \Device\HarddiskVolume2\Windows\System32\drivers\mcstrm.sys

- Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error. File Name: \Device\HarddiskVolume2\Windows\System32\drivers\tcpip.sys

- Special privileges assigned to new logon.

Subject:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7

Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege


- An account was successfully logged on (why would I log on as a guest to my own computer?).

Subject:
Security ID: KONITA-LAPTOP\Konita
Account Name: Konita
Account Domain: KONITA-LAPTOP
Logon ID: 0x256570

Logon Type: 3

New Logon:
Security ID: KONITA-LAPTOP\Guest
Account Name: Guest
Account Domain: KONITA-LAPTOP
Logon ID: 0x30bfce
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0xad0
Process Name: C:\Windows\explorer.exe

Network Information:
Workstation Name: KONITA-LAPTOP
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

- A logon was attempted using explicit credentials.

Subject:
Security ID: SYSTEM
Account Name: KONITA-LAPTOP$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}

Account Whose Credentials Were Used:
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon GUID: {00000000-0000-0000-0000-000000000000}

Target Server:
Target Server Name: localhost
Additional Information: localhost

Process Information:
Process ID: 0x300
Process Name: C:\Windows\System32\services.exe

Network Information:
Network Address: -
Port: -

This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.


These are just to name a few. Am I being paranoid? It just seems as if someone has hacked my computer and now has access to change my security policies, startup services and processes, etc. and has been logging on without me even knowing it.

Anyway, I have run Norton Internet Security, Malwarebytes, disk checks and cleans several times. I am not sure what I need to do at this point. I have followed the instructions for the scans your website requests, and they are posted and attached. I am prepared to do a disk wipe if needed. Please help!

Thanks.



--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------



DDS (Ver_10-03-17.01) - NTFSx86
Run by Konita at 15:13:20.08 on Sun 04/11/2010
Internet Explorer: 7.0.6002.18005 BrowserJavaVersion: 1.6.0_17
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2037.935 [GMT -4:00]

AV: Norton Internet Security *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
SP: Windows Defender *disabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Norton Internet Security *enabled* (Updated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Windows\system32\TODDSrv.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\igfxsrvc.exe
C:\PROGRA~1\Webshots\Webshots.scr
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Program Files\Brother\Brmfcmon\BrMfimon.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Users\Konita\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.excite.com/
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uWinlogon: Shell=explorer.exe,c:\users\konita\appdata\roaming\ufxw.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {1e8a6170-7264-4d0f-beae-d42a53123c75} - c:\program files\common files\symantec shared\coshared\browser\1.5\NppBho.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Show Norton Toolbar: {90222687-f593-4738-b738-fbee9c7b26df} - c:\program files\common files\symantec shared\coshared\browser\1.5\UIBHO.dll
TB: ZeroBar: {f0f8ecbe-d460-4b34-b007-56a92e8f84a7} - c:\program files\netzero\Toolbar.dll
TB: {724D43A0-0D85-11D4-9908-00400523E39A} - No File
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [HWSetup] c:\program files\toshiba\utilities\HWSetup.exe hwSetUP
mRun: [SVPWUTIL] c:\program files\toshiba\utilities\SVPWUTIL.exe SVPwUTIL
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"
mRun: [IndexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe"
mRun: [PPort11reminder] "c:\program files\scansoft\paperport\ereg\ereg.exe" -r "c:\programdata\scansoft\paperport\11\config\ereg\Ereg.ini
mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
StartupFolder: c:\users\konita\appdata\roaming\micros~1\windows\startm~1\programs\startup\webshots.lnk - c:\program files\webshots\Launcher.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
Trusted Zone: excite.com\www
Trusted Zone: turbotax.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\konita\appdata\roaming\mozilla\firefox\profiles\szogmew9.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.excite.com/
FF - plugin: c:\program files\mozilla firefox\plugins\nppopcaploader.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\symantec\defini~1\symcdata\idsdefs\20100402.001\IDSvix86.sys [2010-4-5 286768]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-9-5 102448]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-3-26 20824]
S1 c2scsi;c2scsi;c:\windows\system32\drivers\C2SCSI.SYS [2007-8-18 252152]

=============== Created Last 30 ================

2010-04-11 19:12:48 0 ----a-w- c:\users\konita\defogger_reenable
2010-04-07 22:11:46 0 d-----w- c:\programdata\NortonInstaller
2010-04-04 14:21:17 834048 ----a-w- c:\windows\system32\wininet.dll
2010-04-04 14:21:11 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-04-04 04:26:44 0 d--h--w- c:\users\konita\InstallAnywhere
2010-04-03 02:34:33 0 d-----r- C:\Sandbox
2010-04-03 02:34:05 2112 ----a-w- c:\windows\Sandboxie.ini
2010-04-03 02:32:57 0 d-----w- c:\program files\Sandboxie
2010-03-26 21:46:20 0 d-----w- c:\users\konita\appdata\roaming\Malwarebytes
2010-03-26 21:46:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-26 21:46:12 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-26 21:46:12 0 d-----w- c:\programdata\Malwarebytes
2010-03-26 21:46:12 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-23 02:54:41 0 d-----w- c:\program files\Windows Portable Devices
2010-03-23 02:54:13 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2010-03-23 02:52:59 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2010-03-22 21:41:47 92672 ----a-w- c:\windows\system32\UIAnimation.dll
2010-03-22 21:41:46 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
2010-03-22 21:41:45 3023360 ----a-w- c:\windows\system32\UIRibbon.dll
2010-03-22 21:41:03 369664 ----a-w- c:\windows\system32\WMPhoto.dll
2010-03-22 21:41:03 258048 ----a-w- c:\windows\system32\winspool.drv
2010-03-22 21:41:00 634880 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2010-03-22 21:41:00 37888 ----a-w- c:\windows\system32\cdd.dll
2010-03-22 21:39:59 2626 ----a-w- c:\windows\system32\wbem\BthMtpEnum.mof
2010-03-22 21:37:56 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2010-03-22 21:37:54 234496 ----a-w- c:\windows\system32\oleacc.dll
2010-03-22 21:37:53 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2010-03-22 02:56:22 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-03-22 02:56:22 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-03-22 02:56:21 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-03-22 02:44:35 0 d-----w- c:\program files\Ace Utilities
2010-03-21 21:49:42 0 d-----w- c:\windows\system32\eu-ES
2010-03-21 21:49:42 0 d-----w- c:\windows\system32\ca-ES
2010-03-21 21:49:40 0 d-----w- c:\windows\system32\vi-VN
2010-03-21 21:16:34 0 d-----w- c:\windows\system32\EventProviders
2010-03-21 19:46:15 0 d-----w- c:\program files\TomTom International B.V

==================== Find3M ====================

2010-04-06 13:03:28 51200 ----a-w- c:\windows\inf\infpub.dat
2010-04-06 13:03:27 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-04-02 21:54:30 143360 ----a-w- c:\windows\inf\infstor.dat
2010-03-23 02:54:31 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-03-21 21:30:36 37665 ----a-w- c:\windows\fonts\GlobalUserInterface.CompositeFont
2010-02-20 23:06:41 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:05:14 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 20:53:34 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-01-30 00:09:12 56 ---ha-w- c:\programdata\ezsidmv.dat
2010-01-25 12:00:35 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-01-25 12:00:35 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-01-25 12:00:35 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-01-25 12:00:22 471552 ----a-w- c:\windows\system32\secproc.dll
2010-01-25 11:58:52 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-01-25 08:21:20 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-01-25 08:21:20 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-25 08:21:18 518144 ----a-w- c:\windows\system32\RMActivate.exe
2010-01-25 08:21:18 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-01-23 09:26:13 2048 ----a-w- c:\windows\system32\tzres.dll
2010-01-17 20:38:27 87608 ----a-w- c:\users\konita\appdata\roaming\inst.exe
2010-01-17 20:38:27 47360 ----a-w- c:\users\konita\appdata\roaming\pcouffin.sys
2008-07-07 02:44:41 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2004-07-30 16:56:22 90112 ----a-w- c:\program files\common files\PCSBclean.exe
2004-07-26 22:30:14 291840 ----a-w- c:\program files\common files\PCSBoff.exe

============= FINISH: 15:15:45.75 ===============





Laptop 1: Toshiba Satellite A505-S6993, 16" HD TruBrite® Edge-to-Edge Widescreen Display, Intel Core 2 Duo P7450 2.13GHz, 6GB, 564GB (500GB HDD + 64GB SSD), Blu-ray Drive, NVIDIA GeForce GT 230M, HDMI, 802.11n, Bluetooth, Webcam, Windows 7 Home Premium x64

Laptop 2: Toshiba Satellite A135-S4427 15.4" TFT, 1.73GHz Core Duo T2250, 2GB DDR2, 160GB (5400 RPM) Serial-ATA, Double-layer DVD±RW, Integrated Intel GMA 950, WLAN 802.11a/b/g v92 modem, 10/100 Ethernet LAN, Windows Vista Home Premium X86
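As an added example (not part of the original post, and not one of the forum's tools), the Python below does two things with the artifacts quoted in the post. First, it decodes the two SDDL strings from the audit-settings events into their component parts: the "S:" prefix marks the SACL (auditing) part of a security descriptor, "AU" is a SYSTEM_AUDIT ACE, and "WD" in the trustee field is Everyone, so these entries describe what gets audited, not what anyone is permitted to do. Second, it scans lines in the DDS "Pseudo HJT Report" format for the patterns a malware-response helper checks first, in particular a Winlogon Shell value that loads anything besides explorer.exe (the report above shows exactly that, with an executable under the user's roaming AppData). The mnemonic tables are the subset of SDDL needed for these strings, the severity labels are this example's own choice, and the sample report is constructed by copying lines from the log above.

```python
"""Added triage helpers for the artifacts quoted in the post above.

1. decode_sddl()  - expand a SACL-only SDDL string such as
                    "S:ARAI(AU;FA;KA;;;WD)" into readable fields.
2. triage_hjt()   - scan DDS "Pseudo HJT Report" lines for the
                    persistence patterns a responder checks first.
Severity labels and the sample report are this example's own choices.
"""
import re

# SDDL mnemonics: only the subset needed for audit ACEs on registry/file
# objects. Note the token overlap: "FA" is FAILED_ACCESS as an ACE flag but
# FILE_ALL_ACCESS as a right, and "WD" is WRITE_DAC as a right but Everyone
# as a trustee, so each field is looked up in its own table.
SD_FLAGS = {"P": "PROTECTED", "AR": "SACL_AUTO_INHERIT_REQ", "AI": "SACL_AUTO_INHERITED"}
ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED", "AU": "SYSTEM_AUDIT"}
ACE_FLAGS = {"SA": "SUCCESSFUL_ACCESS", "FA": "FAILED_ACCESS", "OI": "OBJECT_INHERIT",
             "CI": "CONTAINER_INHERIT", "NP": "NO_PROPAGATE", "IO": "INHERIT_ONLY",
             "ID": "INHERITED"}
RIGHTS = {"GA": "GENERIC_ALL", "KA": "KEY_ALL_ACCESS", "FA": "FILE_ALL_ACCESS",
          "DC": "DELETE_CHILD", "LC": "LIST_CHILDREN", "RP": "READ_PROPERTY",
          "CR": "CONTROL_ACCESS", "SD": "DELETE", "WD": "WRITE_DAC", "WO": "WRITE_OWNER"}
TRUSTEES = {"WD": "Everyone", "SY": "SYSTEM", "BA": "Administrators",
            "AU": "Authenticated Users"}


def _pairs(field):
    """Split a run of two-letter SDDL mnemonics ("SAFA" -> ["SA", "FA"])."""
    return [field[i:i + 2] for i in range(0, len(field), 2)]


def decode_sddl(sddl):
    """Return {"sacl_flags": [...], "aces": [...]} for a SACL-only SDDL string."""
    m = re.fullmatch(r"S:([A-Z]*)((?:\([^)]*\))+)", sddl)
    if not m:
        raise ValueError("not a SACL-only SDDL string: %r" % sddl)
    flags, ace_text = m.groups()
    out = {"sacl_flags": [SD_FLAGS[t] for t in re.findall(r"AR|AI|P", flags)],
           "aces": []}
    for ace in re.findall(r"\(([^)]*)\)", ace_text):
        ace_type, ace_flags, rights, _obj, _inh_obj, sid = ace.split(";")
        # Rights may also be a hex mask ("0x1f01ff"); keep that form verbatim.
        rights_list = [rights] if rights.startswith("0x") else \
                      [RIGHTS.get(t, t) for t in _pairs(rights)]
        out["aces"].append({
            "type": ACE_TYPES.get(ace_type, ace_type),
            "flags": [ACE_FLAGS.get(t, t) for t in _pairs(ace_flags)],
            "rights": rights_list,
            "trustee": TRUSTEES.get(sid, sid),   # well-known alias or raw S-1-... SID
        })
    return out


# Constructed sample: lines copied from the DDS "Pseudo HJT Report" above.
SAMPLE_HJT = r"""
uWinlogon: Shell=explorer.exe,c:\users\konita\appdata\roaming\ufxw.exe
TB: ZeroBar: {f0f8ecbe-d460-4b34-b007-56a92e8f84a7} - c:\program files\netzero\Toolbar.dll
TB: {724D43A0-0D85-11D4-9908-00400523E39A} - No File
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
Trusted Zone: excite.com\www
"""

PROFILE_PATH = re.compile(r"\\(appdata|temp)\\", re.IGNORECASE)
RUN_KEY = re.compile(r"[umd]Run(Once)?")


def triage_hjt(report):
    """Return [(severity, message), ...] for the red flags in a pseudo-HJT report."""
    findings = []
    for line in report.splitlines():
        key, sep, value = line.strip().partition(": ")
        if not sep:
            continue
        if key in ("uWinlogon", "mWinlogon") and value.lower().startswith("shell="):
            # The Shell value should be exactly explorer.exe; any extra
            # comma-separated executable is started at every logon.
            extra = [p.strip() for p in value[len("shell="):].split(",")
                     if p.strip().lower() != "explorer.exe"]
            if extra:
                findings.append(("HIGH", "Winlogon Shell also loads: " + ", ".join(extra)))
        elif RUN_KEY.fullmatch(key) and PROFILE_PATH.search(value):
            findings.append(("MEDIUM", "autorun from a user-profile path: " + value))
        elif key in ("BHO", "TB") and value.endswith("No File"):
            findings.append(("LOW", "orphaned browser add-on: " + value))
        elif key == "Trusted Zone":
            findings.append(("INFO", "IE Trusted Zone entry: " + value))
    return findings


if __name__ == "__main__":
    for s in ("S:ARAI(AU;FA;KA;;;WD)", "S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)"):
        print(s, "->", decode_sddl(s))
    for severity, msg in triage_hjt(SAMPLE_HJT):
        print(severity, msg)
```

Run as-is to see the two SACL strings expanded and the report lines ranked. The first SACL audits failed KEY_ALL_ACCESS attempts by Everyone; the second audits both successful and failed attempts at the write-type rights (delete, set value, create subkey, change DACL or owner) by Everyone. The triage function is deliberately rule-based and only looks at the line kinds shown; a real report has many more entry types, and a hit such as the Winlogon Shell line is a lead for the helper to confirm, not a verdict.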



#2 m0le
  • Malware Response Team, 34,527 posts
  • Location: London, UK

Posted 15 April 2010 - 06:00 AM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 Wannabetechnerd (Topic Starter)

Posted 15 April 2010 - 07:44 AM

Yes......I am here!!!!!! Thank you for responding. Please tell me what I need to do.

#4 m0le

Posted 15 April 2010 - 08:57 AM

Please save this file to your desktop. Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK.

"%userprofile%\desktop\win32kdiag.exe" -f -r

When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.





#5 Wannabetechnerd (Topic Starter)

Posted 15 April 2010 - 09:35 AM

I am at work right now, so I don't have my laptop with me. I will run the scan as soon as possible when I get home from work today and will post the log from Win32kdiag.exe immediately if that's okay.

I would also like to ask if winlogon.exe (sp?) through the user32 process is valid. When I searched on the web, it only seems to be associated with Windows XP, which I'm not running on my laptop. Now I have within the past month updated to Vista SP2, so I don't know if that has something to do with it or not. I have a very small home network using a router that connects my laptop to my wireless printer and to my old Dell desktop computer that DOES have Windows XP, but I don't even use that computer....probably haven't turned it on in a year! Possible network hack???

You can tell that I "Wannabeatechnerd", but I am seriously NOT!! I could be waaaayyyy off base.

Thanks.

#6 m0le

Posted 15 April 2010 - 04:41 PM

QUOTE
I would also like to ask if winlogon.exe (sp?) through the user32 process is valid.


sp? Service provider? Service pack? Stored procedure? Sorry, lost me there.

Yes, winlogon.exe is part of the dll for user32.




#7 Wannabetechnerd (Topic Starter)

Posted 15 April 2010 - 05:05 PM

Sorry...the sp? meant spelling. I wasn't sure if I had the exact file names spelled correctly. Anyway, my win32kdiag log is below:

Running from: C:\Users\Konita\Desktop\win32kdiag.exe
Log file at : C:\Users\Konita\Desktop\Win32kDiag.txt

Removing all found mount points.
Attempting to reset file permissions.
WARNING: Could not get backup privileges!

Searching 'C:\Windows'...

Cannot access: C:\Windows\System32\drivers\etc\Hosts.bak
Attempting to restore permissions of : C:\Windows\System32\drivers\etc\Hosts.bak
Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl
Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl
Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl
Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl
Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl
Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl
Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl
Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl

Finished!



#8 m0le

Posted 15 April 2010 - 05:22 PM

There's nothing there for the Max++ rootkit.

Can you run MBAM?

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.


Then

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
NOTE: If no malware is found there will be no option to export the text file as no log will be produced. Let me know if this is the case.
Thanks

#9 Wannabetechnerd (Topic Starter)

Posted 15 April 2010 - 05:42 PM

Okay....working on it now.

#10 Wannabetechnerd

Posted 16 April 2010 - 07:29 AM

Okay...here are the logs from Malwarebytes and Eset:

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3993

Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005

4/15/2010 8:15:40 PM
mbam-log-2010-04-15 (20-15-40).txt

Scan type: Full scan (C:\|)
Objects scanned: 227273
Time elapsed: 1 hour(s), 29 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

---------------------------------------------------------------------------------------------------------------------------------------------


C:\Users\Konita\AppData\Local\etuyadomipu.dll a variant of Win32/Cimag.CA trojan cleaned by deleting - quarantined
C:\Users\Konita\AppData\Local\Microsoft\Windows Mail\imap.aol.com (1)\Spam\21FE55DD-01BB5415.eml Win32/Oficla.FO trojan contained infected files


#11 Wannabetechnerd

Posted 16 April 2010 - 10:49 AM

Also just noticed that every time I log in to my computer, my User Account Control is turned off. Then I change it back to on... then I restart, log in, and look again... UAC has been turned off... and I have many, many system integrity audit failures that say:

Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.18063_none_b2e033a8669434a1\tcpip.sys

#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:09:17 AM

Posted 16 April 2010 - 12:16 PM

You may have corrupt critical system files. Let's see if we can fix that.
  1. Select
  2. Select All Programs
  3. Select Accessories
  4. Right click Command Prompt and choose Run as administrator
  • If you have the User Account Control (UAC) enabled you will be asked for authorization prior to the command prompt opening.
  • You may simply need to press the Continue button if you are the administrator or insert the administrator password.
  • Type in sfc /scannow in the command window and press enter.
  • Note the space between the c and the /
  • If any files require replacing SFC will replace them. You may be asked to insert your Vista DVD for this process to continue. This can be done with a borrowed DVD if you don't have one.
  • Be patient because the scan may take some time.
  • Allow the scan to run and when completed, reboot the system.


#13 Wannabetechnerd

Posted 16 April 2010 - 01:34 PM

Okay, here are the results from the last scan you had me run:


Microsoft Windows [Version 6.0.6002]
Copyright © 2006 Microsoft Corporation. All rights reserved.

C:\Windows\system32>sfc /scannow

Beginning system scan. This process will take some time.

Beginning verification phase of system scan.
Verification 100% complete.
Windows Resource Protection found corrupt files but was unable to fix some of them.
Details are included in the CBS.Log windir\Logs\CBS\CBS.log. For example
C:\Windows\Logs\CBS\CBS.log

C:\Windows\system32>sfc /scannow


Then it saved a CBS log that I retrieved, but it's like 50 MB!!!!! It didn't even ask me if I wanted to fix or replace anything. It just did what it did, and that was the result above. If you know where in that big CBS log file are the details regarding the ones not able to be fixed, please let me know. Maybe, I can find that section, and copy and paste here.

Thanks.

#14 m0le

Posted 16 April 2010 - 01:48 PM

There are no actual sections as such; you need to look for anything where there is a corrupt file, an attempted repair, or a file being copied from another location.

Some help from Microsoft here

It should be fairly clear which lines are a problem. Please copy and paste those lines in to your reply.



#15 Wannabetechnerd

Posted 16 April 2010 - 02:37 PM

Okay. Here is what I found for today's scan (I hope this is right):

(I know you didn't ask for this, but this seemed strange to me)

2010-04-16 09:16:43, Info CSI 00000006@2010/4/16:13:16:43.422 CSI Transaction @0x5f381c0 initialized for deployment engine {d16d444c-56d8-11d5-882d-0080c847b195} with flags 00000002 and client id [26]"TI5.30072166:4259795437:1/"

2010-04-16 09:16:43, Info CSI 00000007@2010/4/16:13:16:43.430 CSI Transaction @0x5f381c0 destroyed

I'm still trying to figure out what's what with the scan details, but I can tell you now....it's going to be a whole lot to copy. If I'm able to save it as a text file, please let me know and I'll just attach it.



