Infected with Rootkit - PRAGMAd.sys? Paladin Antivirus?


This topic is locked. 30 replies to this topic.

#1 JPag (Members, 14 posts)

Posted 11 April 2010 - 09:49 PM

Hello,

Over the past couple of days, I've been trying to clean up an infection, and I believe it's beyond my limited abilities.

I initially tried MBAM, Avast, SuperAS, etc. - while each of these found results, the ad popups and slow response times kept returning. I tried searching for some of the file names, and I couldn't find much information on the infection, beyond a few very recent threads that seemed relatively similar.

It seems like I'm infected with a rootkit, but I'm not entirely positive on how to safely remove it, so I figured the best thing to do was to ask for help here.

I have noted that all the rootkit scans I've run keep pointing to a hidden "pragmad.sys" result, but Google didn't return anything on it that seemed helpful.

Below is the DDS log, and attached are the Attach.txt and ark.txt files, as well as a HijackThis log. I'll monitor the topic closely. Thanks!

-Joe



DDS (Ver_10-03-17.01) - NTFSx86
Run by Craig at 21:59:32.08 on Sun 04/11/2010
Internet Explorer: 8.0.6001.18904 BrowserJavaVersion: 1.6.0_16
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2549.1662 [GMT -4:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
c:\windows\system32\svchost.exe -k dcomlaunch
c:\windows\system32\svchost.exe -k rpcss
c:\windows\system32\svchost.exe -k secsvcs
c:\windows\system32\svchost.exe -k localservicenetworkrestricted
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted
c:\windows\system32\svchost.exe -k netsvcs
c:\windows\system32\svchost.exe -k gpsvcgroup
C:\Windows\system32\SLsvc.exe
c:\windows\system32\svchost.exe -k localservice
c:\windows\system32\svchost.exe -k networkservice
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\Craig\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart
uInternet Settings,ProxyOverride = *.local
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File
BHO: {AE7CD045-E861-484f-8273-0445EE161910} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - No File
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\TOSCDSPD.exe
uRun: [SandboxieControl] "c:\program files\sandboxie\SbieCtrl.exe"
mRun: [HWSetup] c:\program files\toshiba\utilities\HWSetup.exe hwSetUP
mRun: [SVPWUTIL] c:\program files\toshiba\utilities\SVPWUTIL.exe SVPwUTIL
mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
mRun: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF
IE: Convert Link Target to Adobe PDF
IE: Convert to Adobe PDF
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
LSP: c:\windows\system32\hummingbird\connectivity\8.00\socks\\hclsock5.dll
Trusted Zone: adobe.com\get
DPF: {2EDF75C0-5ABD-49f9-BAB6-220476A32034}
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967}
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499}
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93}
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C228AEDD-FC47-11D3-AF87-D128A9381404}
DPF: {CAFEEFAC-0014-0002-0002-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\craig\appdata\roaming\mozilla\firefox\profiles\kit8fe3b.default\
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-4-9 162640]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-5-26 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-26 66632]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-4-9 19024]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-4-9 51792]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-9 40384]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-9 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-9 40384]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2008-11-17 3668480]
R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2010-2-3 115432]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2009-5-15 21504]
S3 GE;GE;c:\users\craig\appdata\local\temp\GE.exe [2010-4-11 523136]
S3 HVZL;HVZL;c:\users\craig\appdata\local\temp\HVZL.exe [2010-4-11 539520]
S3 MRVW147;Marvell TOPDOG ™ 802.11bgn Driver for Vista Native WIFI (CB8x/EC8x);c:\windows\system32\drivers\MRVW147.sys [2007-6-23 451072]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2004-10-29 32000]
S3 OMVUBQX;OMVUBQX;c:\users\craig\appdata\local\temp\OMVUBQX.exe [2010-4-11 580480]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-26 12872]

=============== Created Last 30 ================

2010-04-12 00:40:43 0 d-----w- c:\program files\TrendMicro
2010-04-11 23:12:52 0 ----a-w- c:\windows\system32\XMRTML
2010-04-10 21:15:45 212872479 ----a-w- c:\windows\MEMORY.DMP
2010-04-10 19:52:01 0 d-----w- c:\users\craig\DoctorWeb
2010-04-09 20:45:22 51792 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-04-09 20:44:27 0 d-----w- c:\programdata\Alwil Software
2010-04-09 19:44:12 65536 ----a-w- c:\windows\ocsetup_cbs_install_MicrosoftWindowsPowerShell.dpx
2010-04-09 19:44:12 3276800 ----a-w- c:\windows\ocsetup_install_MicrosoftWindowsPowerShell.etl
2010-04-09 19:44:12 196608 ----a-w- c:\windows\ocsetup_cbs_install_MicrosoftWindowsPowerShell.perf
2010-04-09 19:44:07 0 d-----w- c:\program files\Microsoft ATS
2010-04-08 22:27:55 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-04-08 22:27:53 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-04-08 22:27:53 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-04-08 22:27:05 2048 ----a-w- c:\windows\system32\tzres.dll
2010-04-08 22:23:57 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-04-08 22:23:57 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-04-08 22:23:56 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-04-02 14:13:16 0 d-----r- C:\Sandbox
2010-04-02 14:12:44 1476 ----a-w- c:\windows\Sandboxie.ini
2010-04-02 14:12:27 0 d-----w- c:\program files\Sandboxie
2010-04-01 18:46:47 0 d-----w- c:\program files\D2
2010-03-29 19:52:28 11264 ----a-w- c:\windows\system32\SPORDER.DLL
2010-03-27 18:23:17 0 d-----w- c:\program files\Hummingbird
2010-03-27 18:19:41 0 d-----w- c:\users\craig\yf
2010-03-27 17:50:32 0 d-----w- c:\program files\HTTP-Tunnel
2010-03-27 17:43:47 0 d-----w- c:\windows\system32\Hummingbird
2010-03-27 17:43:27 0 d-----w- c:\program files\Hummingbird Electronic Media
2010-03-27 17:28:57 0 d-----w- c:\users\craig\appdata\roaming\ProxyCap
2010-03-27 17:22:29 64460 ----a-w- c:\users\craig\.ems.cfg
2010-03-27 17:21:31 0 d-----w- c:\program files\Your Freedom
2010-03-22 14:38:06 0 d-----w- c:\users\craig\appdata\roaming\.minecraft

==================== Find3M ====================

2010-04-05 12:35:47 88024 ----a-w- c:\users\craig\appdata\roaming\GDIPFONTCACHEV1.DAT
2010-04-02 14:10:36 38907 ----a-w- c:\windows\DIIUnin.dat
2010-03-30 04:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 04:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-24 14:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-23 06:39:13 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33:45 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 06:33:45 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 04:55:36 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-01-26 23:42:39 21840 ----a-w- c:\windows\system32\SIntfNT.dll
2010-01-26 23:42:39 17212 ----a-w- c:\windows\system32\SIntf32.dll
2010-01-26 23:42:39 12067 ----a-w- c:\windows\system32\SIntf16.dll
2010-01-26 23:36:32 94208 ----a-w- c:\windows\DIIUnin.exe
2010-01-26 23:36:32 2829 ----a-w- c:\windows\DIIUnin.pif
2010-01-25 12:00:35 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-01-25 12:00:35 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-01-25 12:00:35 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-01-25 12:00:22 471552 ----a-w- c:\windows\system32\secproc.dll
2010-01-25 11:58:52 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-01-25 08:21:20 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-01-25 08:21:20 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-25 08:21:18 518144 ----a-w- c:\windows\system32\RMActivate.exe
2010-01-25 08:21:18 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-01-13 15:14:46 86016 ----a-w- c:\windows\inf\infstor.dat
2010-01-13 15:14:46 51200 ----a-w- c:\windows\inf\infpub.dat
2010-01-13 15:14:46 143360 ----a-w- c:\windows\inf\infstrng.dat
2009-12-06 23:38:12 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-05-16 06:42:05 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-11-16 04:48:19 245760 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-06-11 04:40:10 16384 --sha-w- c:\windows\system32\%appdata%\microsoft\windows\ietldcache\index.dat
2009-06-10 19:38:57 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009061020090611\index.dat
2009-06-17 16:31:10 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009061720090618\index.dat
2009-09-17 11:31:35 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009091720090918\index.dat

============= FINISH: 22:01:55.04 ===============
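As an added example (not part of the original post, and not code from the DDS tool), here is a small Python triage script that parses the SERVICES / DRIVERS and policy lines of a DDS log like the one above and flags the entries a responder would look at first: services whose binary runs from a user temp directory, services whose name is just a few capital letters with no real display name, and policy values (EnableLUA = 0, DisableTaskMgr = 1) that weaken the user's control of the machine. The sample lines are copied from the log in this post; the heuristics are general ones, and a hit is a reason to investigate, not proof that an entry is malicious.

```python
import re

# One service/driver line of a DDS log:
#   <start> <service name>;<display name>;<image path> [<date> <size>]
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.*?)"
    r"(?:\s+\[(?P<date>[\d-]+)\s+(?P<size>\d+)\])?\s*$"
)
# One policy line, e.g.  mPolicies-system: EnableLUA = 0 (0x0)
POLICY_RE = re.compile(r"^[a-z]Policies-(?P<scope>\w+): (?P<name>\w+) = (?P<value>\d+)")

# Policy settings that weaken the user's ability to inspect or control the box.
WEAK_POLICIES = {"DisableTaskMgr": "1", "EnableLUA": "0"}

# Lines copied from the DDS log posted above.
SAMPLE_SERVICES = r"""
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-4-9 162640]
R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2010-2-3 115432]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2009-5-15 21504]
S3 GE;GE;c:\users\craig\appdata\local\temp\GE.exe [2010-4-11 523136]
S3 HVZL;HVZL;c:\users\craig\appdata\local\temp\HVZL.exe [2010-4-11 539520]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2004-10-29 32000]
S3 OMVUBQX;OMVUBQX;c:\users\craig\appdata\local\temp\OMVUBQX.exe [2010-4-11 580480]
"""
SAMPLE_POLICIES = r"""
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
dPolicies-system: DisableTaskMgr = 1 (0x1)
"""

def parse_services(text):
    """Return one dict per service/driver line; other lines are ignored."""
    out = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            out.append(m.groupdict())
    return out

def triage_services(text):
    """Flag services worth a closer look, with the reason for each hit."""
    findings = []
    for svc in parse_services(text):
        path = svc["path"].lower()
        reasons = []
        if "\\temp\\" in path or "\\tmp\\" in path:
            reasons.append("binary runs from a temp directory")
        if (svc["name"] == svc["display"]
                and re.fullmatch(r"[A-Z]{2,8}", svc["name"])
                and not path.startswith(("c:\\windows\\", "c:\\program files"))):
            reasons.append("all-caps name, no display name, outside Windows/Program Files")
        if reasons:
            findings.append({"name": svc["name"], "start": svc["start"],
                             "path": svc["path"], "reasons": reasons})
    return findings

def triage_policies(text):
    """Return (name, value) for policy lines that match a known weak setting."""
    hits = []
    for line in text.splitlines():
        m = POLICY_RE.match(line)
        if m and WEAK_POLICIES.get(m["name"]) == m["value"]:
            hits.append((m["name"], m["value"]))
    return hits

if __name__ == "__main__":
    for f in triage_services(SAMPLE_SERVICES):
        print(f"{f['start']} {f['name']:<10} {f['path']}\n    " + "; ".join(f["reasons"]))
    for name, value in triage_policies(SAMPLE_POLICIES):
        print(f"policy {name} = {value}")
```

Run against the full log rather than the excerpt by passing the whole file's text; the regexes ignore every line that is not a service or policy entry.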



#2 JSntgRvr (Master Surgeon General, Malware Response Team, 11,165 posts, Puerto Rico)

Posted 11 April 2010 - 10:02 PM

Hi, JPag

Welcome.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  1. If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  2. During the download, rename Combofix to Combo-Fix as follows:





  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    -----------------------------------------------------------
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      -----------------------------------------------------------
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    -----------------------------------------------------------
    • Copy the entire contents of the Quote Box below to Notepad.
    • Name the file as CFScript.txt
    • Change the Save as Type to All Files
    • and Save it on the desktop
    QUOTE
    Rootkit::
    C:\Windows\PRAGMArqpbnrxcge\PRAGMAd.sys
    C:\Windows\system32\drivers\PRAGMArubitojwqc.sys

    Folder::
    C:\Windows\PRAGMArqpbnrxcge

    Driver::
    PRAGMAd.sys




    Once saved, referring to the picture above, drag CFScript.txt into Combo-Fix.exe.
  7. Install the Recovery Console if prompted.
  8. When finished, it will produce a report for you.
  9. Please post the "C:\Combo-Fix.txt" .
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**


Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.

No request for help through private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 JPag (Topic Starter)

Posted 11 April 2010 - 11:19 PM

Hello,

Sorry for the delay in response; I've been unable to access my laptop, and my sister just got back with hers.

I followed your instructions, but I seem to have encountered a problem: after combofix restarted the computer and began its scan, I stepped away. I later returned to find my laptop in the process of a startup repair; I noted in the error log it found the root cause to be a corrupt atapi.svs file. What should I do here?

#4 JSntgRvr (Malware Response Team)

Posted 11 April 2010 - 11:39 PM

Are you able to boot?



#5 JPag (Topic Starter)

Posted 11 April 2010 - 11:48 PM

No, it keeps getting that same failure. I can access system recovery options, I figured I'd ask before I do anything though.

#6 JSntgRvr (Malware Response Team)

Posted 12 April 2010 - 12:27 AM

The file paths in Vista are quite long. We will need to replace the atapi.sys in order to boot.

For an advanced user, it will be easy to do through MS-DOS. If you are up to it, this is the process.

First, you must verify that you can access the Vista Recovery Environment.
To do so, restart your computer and begin tapping the F8 key to enable the Advanced Start menu.
If the option 'Repair your computer' is available, select it.

If not available, you will need to insert your Vista installation dvd and restart, then press any key when prompted to boot from the cd.
At the Install Windows screen, select Repair your computer. (image below)





Select the Command prompt. Type the following commands at the x:\sources> prompt (or x:\windows\system32>), then hit Enter.

x: <--- the red x represents your operating system drive letter, as shown in the image above. Replace the x by the letter shown above.
cd x:\
Dir atapi.sys /s


The computer will perform a scan and display all instances of the atapi.sys. With this information on screen type the following:

cd windows\system32\drivers
ren atapi.sys atapi.sys.vir
Copy x:\Path of one of the atapi.sys locations, other than the drivers folder\atapi.sys
Exit


If you are not up to the challenge, then we will need to resolve this issue from an external environment.

This is what you have to do:

Two programs to download

First

Download ISOBurner. Click Here for ISOBurner Instructions. Install the program, and follow the next set of steps.

Second
  • Download OTLPE.iso and burn to a CD using ISO Burner. NOTE: This file is 276.7MB in size so it may take some time to download.
  • When downloaded double click and this will then open ISOBurner to burn the file to CD
  • Boot the Non working computer using the boot CD you just created.
  • In order to do so, the computer must be set to boot from the CD first
    Note : For information click here
  • Your system should now display a REATOGO-X-PE desktop.
  • Double-click on the OTLPE icon.
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start. Change the following settings
    • Change Drivers to All
    • Change Standard Registry to All
    • Under the Custom Scan box paste this in

      /md5start
      eventlog.dll
      scecli.dll
      netlogon.dll
      cngaudit.dll
      sceclt.dll
      ntelogon.dll
      logevent.dll
      iaStor.sys
      nvstor.sys
      atapi.sys
      IdeChnDr.sys
      viasraid.sys
      AGP440.sys
      vaxscsi.sys
      nvatabus.sys
      viamraid.sys
      nvata.sys
      nvgts.sys
      iastorv.sys
      ViPrt.sys
      eNetHook.dll
      ahcix86.sys
      KR10N.sys
      nvstor32.sys
      ahcix86s.sys
      nvrd32.sys
      userinit.exe
      explorer.exe
      ntoskrnl.exe
      /md5stop
      %SYSTEMDRIVE%\*.*
      %systemroot%\*. /mp /s
      %systemroot%\System32\config\*.sav
  • Press Run Scan to start the scan.
  • When finished, the file will be saved in drive C:\OTL.txt
  • Copy this file to your USB drive.
  • Please post the contents of the C:\OTL.txt file in your reply.


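The `dir atapi.sys /s` step in the reply above is really a question of which of the copies on disk can be trusted, and the OTLPE `/md5start` list checks the same thing by hashing the boot-critical drivers. As an added example (not code from the thread, ComboFix or OTL), the Python below does that from an external environment: it walks a mounted system drive for every copy of a driver, hashes them, and reports when the live copy in system32\drivers disagrees with the copies kept in winsxs and the driver store; `restore_driver` then performs the same rename-and-copy the reply describes. The directory tree it builds is a constructed sample. Two caveats apply: an attacker who patches every copy defeats a consensus check, so compare against a hash from a known-clean machine when you can, and a matching file hash says nothing about the registry, which in this thread turned out to be where the problem was.

```python
import hashlib
import os
import shutil
import tempfile
from collections import Counter

def md5_of(path):
    """MD5 of a file, read in chunks (what OTL's /md5start reports)."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def find_copies(root, filename):
    """Every file named `filename` below `root`, like `dir <file> /s`."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            if f.lower() == filename.lower():
                hits.append(os.path.normpath(os.path.join(dirpath, f)))
    return sorted(hits)

def compare_driver(root, filename, active_dir="windows/system32/drivers"):
    """Hash every copy and say whether the live one disagrees with the rest."""
    active = os.path.normpath(os.path.join(root, active_dir, filename))
    hashes = {p: md5_of(p) for p in find_copies(root, filename)}
    if active not in hashes:
        raise FileNotFoundError(f"no live copy at {active}")
    others = [h for p, h in hashes.items() if p != active]
    reference = Counter(others).most_common(1)[0][0] if others else None
    return {
        "active": active,
        "active_md5": hashes[active],
        "reference_md5": reference,          # majority hash of the other copies
        "mismatch": reference is not None and hashes[active] != reference,
        "all": hashes,
    }

def restore_driver(report, suffix=".vir"):
    """`ren atapi.sys atapi.sys.vir` followed by `copy <reference> atapi.sys`."""
    active = report["active"]
    reference = next(p for p, h in report["all"].items()
                     if p != active and h == report["reference_md5"])
    os.rename(active, active + suffix)      # keep the suspect file for analysis
    shutil.copy2(reference, active)
    return md5_of(active)

def build_sample_tree(base):
    """Constructed sample: the live driver differs from two reference copies."""
    clean = b"MZ sample clean atapi.sys contents"
    dirty = b"MZ sample patched atapi.sys contents"
    layout = {
        "windows/system32/drivers/atapi.sys": dirty,
        "windows/winsxs/x86_atapi_sample/atapi.sys": clean,
        "windows/system32/driverstore/filerepository/mshdc.inf_sample/atapi.sys": clean,
    }
    for rel, data in layout.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)

def run_demo():
    """Build the sample tree, detect the mismatch, restore, and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        before = compare_driver(tmp, "atapi.sys")
        restored_md5 = restore_driver(before)
        after = compare_driver(tmp, "atapi.sys")
        vir_kept = os.path.exists(before["active"] + ".vir")
    return before, restored_md5, after, vir_kept

if __name__ == "__main__":
    before, restored_md5, after, vir_kept = run_demo()
    for path, digest in before["all"].items():
        tag = "  <-- live copy" if path == before["active"] else ""
        print(f"{digest}  {path}{tag}")
    print("mismatch before:", before["mismatch"], " after:", after["mismatch"])
```

On a real mounted drive, call `compare_driver("/mnt/sick", "atapi.sys")` (or the drive letter from the recovery environment) and inspect `report["all"]` before restoring anything; keeping the renamed `.vir` copy preserves the evidence for later analysis.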

#7 JSntgRvr (Malware Response Team)

Posted 12 April 2010 - 12:34 AM

Failed to tell you that you need a flash drive in order to transfer information from a working computer to a sick computer and back. All instructions will need to be saved in the flash drive in order to have access to it in the external environment.



#8 JPag (Topic Starter)

Posted 12 April 2010 - 12:49 AM

I followed the first set of instructions, as I'd have to fish around the house for a flash drive; if it's necessary I should be able to find one though.

It said that the atapi.sys file was copied successfully, but it's still not booting up. I exited, hit restart, and was prompted by startup repair for a scan as the computer wasn't able to start. It's still reporting the culprit as the atapi.svs file being corrupted.

EDIT: I think I see what the issue is. On this command:

QUOTE
ren atapi.sys atapi.sys.vir


Should that be atapi.svs? It's definitely reporting a .svs file in the startup recovery failure log.

EDIT2: Nope, seems like that's not the case; despite the reporting of a corrupt ".svs" filetype in the startup error log, cmd is reporting that atapi.svs doesn't exist in the drivers directory.

Edited by JPag, 12 April 2010 - 12:59 AM.


#9 JSntgRvr (Malware Response Team)

Posted 12 April 2010 - 01:03 AM

The problem is in the registry. See if you can perform a System Restore to a date prior to the onset of the infection.



#10 JSntgRvr (Malware Response Team)

Posted 12 April 2010 - 01:10 AM

The atapi.svs is a bad file. The registry however was modified by the infection to point to this file. System Restore should correct this.



#11 JPag (Topic Starter)

Posted 12 April 2010 - 01:14 AM

It seems as if the infection's hit my system restore function as well; it's reporting that no restore points have been created. Shouldn't there at least be one point from combofix? I thought that had created a system restore point as part of its pre-scan process.

#12 JSntgRvr (Malware Response Team)

Posted 12 April 2010 - 01:49 AM

Go back to the Command prompt. Type Regedit and press Enter. The Registry Editor will be displayed. Click on the HKEY_LOCAL_MACHINE to highlight it. Select File from the Menu, then Load Hive. Browse to the C:\Windows\System32\Config folder. Select the System hive and click on Open. Name the key Test.

Expand the HKEY_LOCAL_MACHINE, then the Test key. Click on the Select key to highlight it. On the right pane, look at the value for Default. Under the Test key you will see keys such as Controlset001, Controlset002, Controlset003... etc.

If the value for default is 0X00000001, then you are going to work on the Controlset001, if 0X00000002, then Controlset002, and so forth. So expand the corresponding Controlset key, then services. Click on the atapi key. On the right pane right click the Imagepath and select modify. Only change the extension of atapi from .svs to .sys and click OK. If you make a mistake just click on cancel and try again.

Go back to the Test key and click on it to highlight it. Select File from the menu, then Unload Hive.

Close the editor and restart the computer.





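The ControlSet selection and the ImagePath check in the reply above can also be done mechanically, which matters when you do not yet know which service was redirected. As an added example (not from the thread), the Python below parses the text that `reg query HKLM\Test /s` prints after the offline SYSTEM hive has been loaded under HKLM\Test, resolves Select\Default to the active ControlSetNNN, and flags every kernel driver in that control set whose ImagePath does not end in .sys or points into a temp directory; for each hit it emits the `reg add` line that rewrites the value, which is the command-line equivalent of the regedit Modify step. The registry dump is a constructed sample modelled on the case in this thread (atapi.svs in ControlSet001); the hive alias, key names and value layout are assumptions about that setup.

```python
import ntpath
import re

HIVE_ROOT = r"HKEY_LOCAL_MACHINE\Test"   # where the offline SYSTEM hive was loaded

# Constructed sample of `reg query HKLM\Test /s` output, modelled on this thread.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\Test\Select
    Current    REG_DWORD    0x1
    Default    REG_DWORD    0x1
    Failed    REG_DWORD    0x0
    LastKnownGood    REG_DWORD    0x2

HKEY_LOCAL_MACHINE\Test\ControlSet001\Services\atapi
    Type    REG_DWORD    0x1
    Start    REG_DWORD    0x0
    ErrorControl    REG_DWORD    0x3
    ImagePath    REG_EXPAND_SZ    system32\drivers\atapi.svs
    Group    REG_SZ    SCSI miniport

HKEY_LOCAL_MACHINE\Test\ControlSet001\Services\aswSP
    Type    REG_DWORD    0x1
    Start    REG_DWORD    0x1
    ImagePath    REG_EXPAND_SZ    \SystemRoot\system32\drivers\aswSP.sys

HKEY_LOCAL_MACHINE\Test\ControlSet002\Services\atapi
    Type    REG_DWORD    0x1
    Start    REG_DWORD    0x0
    ImagePath    REG_EXPAND_SZ    system32\drivers\atapi.sys
"""

VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s*(.*)$")

def parse_reg_query(text):
    """{key path: {value name: (type, data)}} from `reg query /s` output."""
    keys, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():            # a key header line
            current = line.strip()
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, vtype, data = m.groups()
            keys[current][name] = (vtype, data.strip())
    return keys

def current_control_set(keys, hive_root=HIVE_ROOT):
    """Select\\Default says which ControlSetNNN the next boot will use."""
    default = keys[hive_root + r"\Select"]["Default"][1]
    return f"ControlSet{int(default, 16):03d}"

def audit_kernel_drivers(keys, hive_root=HIVE_ROOT, control_set=None):
    """Kernel drivers in the active control set with a suspicious ImagePath."""
    control_set = control_set or current_control_set(keys, hive_root)
    prefix = f"{hive_root}\\{control_set}\\Services\\"
    findings = []
    for key, values in keys.items():
        if not key.lower().startswith(prefix.lower()) or "\\" in key[len(prefix):]:
            continue                          # not a service key, or a sub-key
        service_type = int(values.get("Type", ("", "0x0"))[1], 16)
        if service_type not in (0x1, 0x2):    # SERVICE_KERNEL_DRIVER, SERVICE_FILE_SYSTEM_DRIVER
            continue
        vtype, image = values.get("ImagePath", ("REG_EXPAND_SZ", ""))
        if not image:
            continue                          # drivers may rely on the default path
        reasons = []
        if ntpath.splitext(image)[1].lower() != ".sys":
            reasons.append("extension is not .sys")
        if "\\temp\\" in image.lower():
            reasons.append("path points into a temp directory")
        if reasons:
            findings.append({"service": key[len(prefix):], "key": key,
                             "image_path": image, "type": vtype, "reasons": reasons})
    return findings

def fix_command(finding):
    """The `reg add` that rewrites ImagePath with a .sys extension
    (the command-line form of the regedit Modify step)."""
    fixed = ntpath.splitext(finding["image_path"])[0] + ".sys"
    return (f'reg add "{finding["key"]}" /v ImagePath /t {finding["type"]} '
            f'/d "{fixed}" /f')

if __name__ == "__main__":
    keys = parse_reg_query(SAMPLE_REG_QUERY)
    print("active control set:", current_control_set(keys))
    for f in audit_kernel_drivers(keys):
        print(f"{f['service']}: {f['image_path']}  ({'; '.join(f['reasons'])})")
        print("   ", fix_command(f))
```

Review each emitted `reg add` before running it in the recovery command prompt, and unload the hive afterwards (`reg unload HKLM\Test`) so the change is written back to the offline SYSTEM file; the same audit run against the LastKnownGood control set shows whether a clean ImagePath survives there.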

#13 JPag (Topic Starter)

Posted 12 April 2010 - 08:55 AM

I followed the above instructions, which allowed the computer to boot. I left the wireless off and booted it into safe mode, and ran a SuperAS scan, which came up clean.

I just started a Dr. Web CureIt scan, which has unfortunately turned up a hit for backdoor.tdss.565. The scan's still running, and unless otherwise directed I'll begin a complete scan after the quick scan finishes.

If there's anything else I can do that might expedite the process, I'd like to try that instead; the last Dr. Web scan I ran took 21 hours to complete (although that was following advice to disable heuristics, I'm not sure how much time that added to the process).

I'll be in class for the next hour or so, I'll be able to check back shortly after that.

EDIT: I noted that Dr. Web advertised itself as being updated "several times a day" - I'd note that if that is the case, I'm currently running a slightly outdated version, I believe it was downloaded approximately twelve to sixteen hours ago. I don't think that'll be too relevant, but I figured it might be worth mentioning; at present I can't get an updated copy, but if it's necessary I should be able to.

Edited by JPag, 12 April 2010 - 08:58 AM.


#14 JSntgRvr (Malware Response Team)

Posted 12 April 2010 - 11:15 AM

Turn Off your security and run Combo-fix. Post its report.



#15 JPag (Topic Starter)

Posted 12 April 2010 - 11:39 AM

QUOTE(JSntgRvr @ Apr 12 2010, 12:15 PM)
Turn Off your security and run Combo-fix. Post its report.


Got a bluescreen while conducting the scan, I believe around step 32 or so.

I was running it while in safe mode, if that's relevant.

I'll try again, and let you know if it happens again.

EDIT:
It seems to have successfully run; it went through to 50 steps, closed explorer, and deleted several files. It's currently stuck at the "shutting down" screen; it's been there for about five-ten minutes or so, should I just leave it alone, or should I force a shutdown?

EDIT2:
I ended up just forcing a shut-down, which seems to have worked. I rebooted back into safe mode, and eventually it spat out a log report.

EDIT3: Dr.Web is still picking up a memory process called "BackDoor.Tdss.565."

Attached File: log.txt (20.96KB, 12 downloads)

Edited by JPag, 12 April 2010 - 01:03 PM.




