
Animalware (without the "t") Doctor infection--cleaned?


This topic is locked
2 replies to this topic

#1 HikingStick2

  • Members
  • 2 posts
  • Gender:Male
Posted 21 June 2010 - 10:32 PM

This machine locked up on me after writing my long-winded description, so the short and dirty one will need to suffice:

User got infected Thursday PM (per Symantec logs visible after malware cleaned), but did not see symptoms until logging on Friday morning--phony infection popups, warnings, etc. The infection disabled Symantec's proactive threat protection. Though it spotted infected files, the user never saw warnings. The program identified itself as "Animalware Doctor" (like "Antimalware Doctor", but without the "t").

The malware killed every process I tried to run to clean it, even after renaming tools and changing paths. Once it killed them, most of them would not run again (bad path error). A notable exception was RKILL.scr (and the copy named ieXplore.exe). I wrote a batch that launched multiple copies of RKILL (single runs would be killed or come up empty), and finally got it to kill some processes. I could not get Symantec Endpoint Protection to disable or uninstall (so as not to interfere with the anti-malware tools), because it reported that it had insufficient rights to modify one of its own folders--it would start the uninstall, error out, and roll back. I finally got one of the tools I was using to run by starting it while I was attempting to uninstall. It identified a possible rootkit and rebooted the machine. On reboot, there were numerous errors after logon about programs that could not load (because the files were gone). I ran RKILL again and it killed more processes, then ran Malwarebytes successfully. After a reboot, the next scan was clean.

This morning, the machine still had one error about a missing file at logon. Symantec started trying to install, but would roll back immediately (and repeatedly did this until cancelled). Numerous errors are showing up in the event logs, including RasMan references, and socket errors attempting to reach a domain. I'm thinking this machine is not clean after all. Since the primary user has online access to financial accounts, I don't want him using it until either I can be sure it is clean, or until after I reboot it. Are any rootkits currently able to poison firmware, so that the machine could be reinfected after a format and fresh install?

Your review and help are much appreciated.

FYI: the one folder "MAJR" was an alternate folder I created for Malwarebytes, to see if the different path would get past the malware (it did until the first run was killed).

# # #

DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 17:58:43.61 on Mon 06/21/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2532 [GMT -5:00]

FW: Symantec Endpoint Protection *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Application Updater\ApplicationUpdater.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\MSN\Toolbar\3.0.0983.0\msntask.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Administrator\Desktop\Defogger.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=4081120
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: pdfforge Toolbar: {b922d405-6d13-4a2b-ae89-08a030da4402} - c:\program files\pdfforge toolbar\ie\1.1.2\pdfforgeToolbarIE.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0983.0\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0983.0\msneshellx.dll
TB: pdfforge Toolbar: {b922d405-6d13-4a2b-ae89-08a030da4402} - c:\program files\pdfforge toolbar\ie\1.1.2\pdfforgeToolbarIE.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://nfp.webex.com/client/T26L10NSP49EP30/webex/ieatgpc.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\pa43uhfg.default\

============= SERVICES / DRIVERS ===============

R2 Application Updater;Application Updater;c:\program files\application updater\ApplicationUpdater.exe [2010-1-8 380928]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\broadcom\asfipmon\AsfIpMon.exe [2007-6-20 79168]
S2 USBDriver;USBDriver;c:\windows\system32\svchost.exe -k netsvcs [2008-4-25 14336]
S3 AZPE;AZPE;c:\docume~1\admini~1\locals~1\temp\azpe.exe --> c:\docume~1\admini~1\locals~1\temp\AZPE.exe [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1.tmp --> c:\windows\system32\1.tmp [?]
S3 NDISKIO;NDISKIO;\??\c:\docume~1\admini~1\locals~1\temp\00000cf1.nmc\nse\bin\ndiskio.sys --> c:\docume~1\admini~1\locals~1\temp\00000cf1.nmc\nse\bin\ndiskio.sys [?]
S3 nsak;nsak;\??\c:\docume~1\admini~1\locals~1\temp\00000cf1.nmc\nse\bin\nsak.sys --> c:\docume~1\admini~1\locals~1\temp\00000cf1.nmc\nse\bin\nsak.sys [?]

=============== Created Last 30 ================

2010-06-21 22:57:46 0 ----a-w- c:\documents and settings\administrator\defogger_reenable
2010-06-21 22:31:33 0 d-----w- c:\windows\system32\NtmsData
2010-06-21 18:03:45 28160 --sha-w- C:\Thumbs.db
2010-06-18 22:10:50 0 d-----w- C:\ComboFix
2010-06-18 20:42:37 407040 ----a-w- c:\windows\system32\netlogon.dll
2010-06-18 20:39:20 0 d-----w- C:\IPSDEF
2010-06-18 19:34:14 0 d-sha-r- C:\cmdcons
2010-06-18 19:31:31 98816 ----a-w- c:\windows\sed.exe
2010-06-18 19:31:31 77312 ----a-w- c:\windows\MBR.exe
2010-06-18 19:31:31 256512 ----a-w- c:\windows\PEV.exe
2010-06-18 19:31:31 161792 ----a-w- c:\windows\SWREG.exe
2010-06-18 18:21:41 5760 ------w- c:\windows\system32\27.tmp
2010-06-18 18:20:52 0 d--h--w- c:\windows\PIF
2010-06-18 18:11:10 5760 ------w- c:\windows\system32\6.tmp
2010-06-18 18:11:06 0 d-----w- c:\program files\Sophos
2010-06-18 18:09:05 0 d-----w- c:\program files\MAJR
2010-06-18 13:55:54 0 d-----w- c:\docume~1\admini~1\applic~1\Search Settings
2010-06-18 13:55:53 0 d-----w- c:\docume~1\admini~1\applic~1\pdfforge
2010-06-18 13:48:49 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-17 20:11:53 110592 --sha-r- c:\windows\system32\rsvpcnts5.dll
2010-06-17 19:52:22 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-06-17 19:52:22 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-06-17 19:52:21 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2010-06-17 19:52:21 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-06-16 18:37:40 719814 ----atw- C:\Trike Shop 6_16_10.pdf
2010-06-09 14:11:14 0 d-----w- c:\program files\pdfforge Toolbar
2010-06-09 14:11:14 0 d-----w- c:\program files\Application Updater
2010-06-09 14:10:53 116224 ----a-w- c:\windows\system32\pdfcmnnt.dll
2010-06-09 14:10:52 23552 ----a-w- c:\windows\system32\MSMPIDE.DLL
2010-06-09 14:10:51 0 d-----w- c:\program files\PDFCreator
2010-05-25 19:12:03 498899 ----a-w- C:\GSView.ps
2010-05-24 15:54:35 38605 ----a-w- C:\ap_aging_vnno_sum 5_24_10.pdf

==================== Find3M ====================

2010-04-29 20:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 20:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-08 18:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 18:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe

============= FINISH: 17:58:53.82 ===============
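The SERVICES / DRIVERS section of the DDS log above is where a reviewer usually starts: entries whose image lives under a user's temp directory, whose file DDS could not stat (`[?]`), or whose image is a bare `.tmp` are the ones to verify first, and an svchost-hosted entry has its real code in a ServiceDll that DDS does not print. The following script is an added example written for this thread, not a BleepingComputer tool or part of DDS: it parses lines in the DDS service format and attaches review flags. The sample input is constructed from the entries posted above plus the two benign `R2` lines; every flag is a prompt to check the file, not a verdict (a flagged driver can just as easily be a leftover from one of the scanning tools the poster ran).

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample input in the shape of the DDS "SERVICES / DRIVERS" section
# from the post above (not read from a live machine).
SAMPLE_SERVICES = r"""
R2 Application Updater;Application Updater;c:\program files\application updater\ApplicationUpdater.exe [2010-1-8 380928]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\broadcom\asfipmon\AsfIpMon.exe [2007-6-20 79168]
S2 USBDriver;USBDriver;c:\windows\system32\svchost.exe -k netsvcs [2008-4-25 14336]
S3 AZPE;AZPE;c:\docume~1\admini~1\locals~1\temp\azpe.exe --> c:\docume~1\admini~1\locals~1\temp\AZPE.exe [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1.tmp --> c:\windows\system32\1.tmp [?]
S3 NDISKIO;NDISKIO;\??\c:\docume~1\admini~1\locals~1\temp\00000cf1.nmc\nse\bin\ndiskio.sys --> c:\docume~1\admini~1\locals~1\temp\00000cf1.nmc\nse\bin\ndiskio.sys [?]
"""

# DDS line shape: "<state> <name>;<display name>;<image path> [<date> <size>]" or "[?]"
# when DDS could not stat the image file.
LINE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.*?)\s*\[(?P<stat>[^\]]*)\]\s*$"
)


@dataclass
class ServiceEntry:
    state: str
    name: str
    display: str
    image: str      # resolved image path (the part after "-->" when DDS prints one)
    raw_image: str  # image path exactly as DDS printed it
    stat: str       # "date size", or "?" when the file could not be read
    flags: List[str] = field(default_factory=list)


def parse_dds_services(text: str) -> List[ServiceEntry]:
    """Parse every line that matches the DDS service/driver format; skip the rest."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        raw = m.group("image").strip()
        resolved = raw.split("-->")[-1].strip()  # keep the path DDS resolved to
        entries.append(ServiceEntry(m.group("state"), m.group("name"),
                                    m.group("display"), resolved, raw, m.group("stat")))
    return entries


def triage(entry: ServiceEntry) -> List[str]:
    """Attach heuristic review flags. Each flag means 'verify this', not 'malicious'."""
    flags = []
    path = entry.image.lower()
    if entry.stat == "?":
        # DDS printed [?]: the image is not readable on disk at scan time.
        flags.append("file-missing-or-unreadable")
    if "\\temp\\" in path:
        # Services and drivers normally live under system32 or Program Files.
        flags.append("image-in-temp-dir")
    if path.endswith(".tmp"):
        flags.append("tmp-extension")
    if "svchost.exe" in path:
        # The service code is a ServiceDll that DDS does not show; look it up separately.
        flags.append("svchost-hosted-check-servicedll")
    entry.flags = flags
    return flags


def suspicious_services(text: str) -> List[ServiceEntry]:
    """Return only the entries that picked up at least one review flag."""
    return [e for e in parse_dds_services(text) if triage(e)]


if __name__ == "__main__":
    for e in suspicious_services(SAMPLE_SERVICES):
        print(f"{e.state} {e.name}: {', '.join(e.flags)}  ({e.image})")
```

Run against the constructed sample, the two `R2` program entries pass with no flags, while the four remaining entries each carry at least one flag; the `[?]` entries under `locals~1\temp` pick up two. Paste the SERVICES / DRIVERS block of any DDS log into `SAMPLE_SERVICES` to get the same review list for it.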

#2 HikingStick2

  • Topic Starter
  • Members
  • 2 posts
  • Gender:Male

Posted 25 June 2010 - 08:11 AM

I don't know if it's typical for posts to go four days without review (or download of the files). I know you guys see a ton of posts, but I can't hold off on this one any longer. I'm going to try to salvage some of the user's settings and then reformat and reinstall.

#3 Budapest

    Bleepin' Cynic

  • Moderator
  • 23,573 posts
  • Gender:Male

Posted 27 June 2010 - 04:51 PM

As this issue appears to be resolved I am closing the topic. Please send me (or any other Moderator) a Personal Message (PM) if you would like the topic re-opened.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw
