Nasty Infection, Help Needed


This topic is locked
2 replies to this topic

#1 niccador (Members, 3 posts)

Posted 08 August 2010 - 08:00 PM

First lesson learned here: never let the kids use anything but their own computer. Heh.

My wife's laptop (XP Pro, x86) has suddenly turned up with some manner of nasty virus. I suspect some kind of rootkit, but I don't know. It's definitely not something I've encountered before, and has proven difficult to diagnose, much less remove. Whatever it is slipped past Spybot's resident protection (TeaTimer), and the up-to-date AntiVir on my wife's system. (I've been meaning to change her over to Avast...)


We've got the following symptoms:

-- Unable to access websites for Spybot, Malwarebytes, and other security sites (unable to resolve host, but found nothing in hosts files)
-- Certain (random? A specific example would be almost anything from blog.trendmicro.com) search result links pertaining to malware information and removal are redirected to dead-end ad pages, if not blocked entirely as above.
-- Spybot, Malwarebytes, HijackThis, ComboFix applications WILL NOT RUN, even in Safe Mode. (Those are all I've tried before realizing this was out of my league.)
-- Computer seems to randomly shut down, instantly, as though you'd yanked the battery. Assuming this pertains to the infection, as it has never happened before, and has conveniently occurred twice while trying to look up info on the possible infection.

...and that's all I've got right now. Naturally, I'd like to avoid simply wiping the drive, but I've already accepted the possibility, if it comes to it.
Any help is greatly appreciated.

EDIT:
After some further reading, I tried renaming the exe file for ComboFix, and was able to run the program successfully. It's still running right now, so I'll post the log as soon as I'm able. I will note, however, at least one hiccup in the process: it was not able to install the Recovery Console. It gave an error "Boot partition could not be properly configured" or some such.

This is the ComboFix log...
Despite the deletions taken by ComboFix, the system remains clearly affected.


Edited by Budapest, 08 August 2010 - 09:53 PM.
Posts merged ~BP
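An added triage check for the first symptom in the post above (vendor sites fail to resolve while the hosts file looks clean). This is example code, not from the poster or from any tool named in the thread; the vendor hostname list and the control host are assumptions, and the resolver is injectable so the logic can be exercised offline.

```python
"""Triage the 'security sites won't resolve, hosts file is clean' symptom.

Each watched hostname is resolved through the system resolver (the same path the
browser uses: hosts file, DNS client, any LSP or proxy in between) and compared
against a control host that should always resolve. A failure that hits only the
vendor names while the control resolves is the selective blocking the poster saw.
"""
import socket
from typing import Callable, Dict, List, Optional

# Constructed watch-list (assumption): sites the poster could not reach, plus a
# control host that is not security-related and should always resolve.
SECURITY_HOSTS = [
    "www.safer-networking.org",   # Spybot
    "www.malwarebytes.org",
    "blog.trendmicro.com",
    "www.bleepingcomputer.com",
]
CONTROL_HOSTS = ["www.example.com"]

Resolver = Callable[[str], Optional[str]]


def system_resolve(host: str) -> Optional[str]:
    """Resolve via the OS resolver; None means 'unable to resolve host'."""
    try:
        return socket.gethostbyname(host)
    except socket.gaierror:
        return None


def hosts_file_entries(text: str) -> Dict[str, str]:
    """Parse hosts-file text into {hostname: ip}, ignoring comments and blanks."""
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        for name in parts[1:]:
            entries[name.lower()] = parts[0]
    return entries


def classify(hosts: List[str], controls: List[str], resolve: Resolver,
             hosts_text: str = "") -> Dict[str, str]:
    """Label each host: 'ok', 'hosts-file-override' (any vendor entry in the hosts
    file is suspect), 'blocked' (fails while a control resolves: selective blocking),
    or 'no-network' (controls fail too, so the failure is not selective)."""
    controls_ok = any(resolve(c) for c in controls)
    overrides = hosts_file_entries(hosts_text)
    verdicts: Dict[str, str] = {}
    for h in hosts:
        if h.lower() in overrides:
            verdicts[h] = "hosts-file-override"
        elif resolve(h):
            verdicts[h] = "ok"
        else:
            verdicts[h] = "blocked" if controls_ok else "no-network"
    return verdicts


if __name__ == "__main__":
    for host, verdict in classify(SECURITY_HOSTS, CONTROL_HOSTS, system_resolve).items():
        print(f"{verdict:20} {host}")
```

A 'blocked' verdict with a clean hosts file points at the resolver path itself (DNS client, LSP, or a local proxy) rather than at the hosts file.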

#2 niccador (Topic Starter, Members, 3 posts)

Posted 10 August 2010 - 11:30 AM

(Sorry mods, can no longer edit, replying is only option.)

The problem seems to be resolved for now.
After finding that Combofix could run with a name change, I opted to try the same with the actual GMER app. Though the scanning built into Combofix turned up nothing, using GMER directly identified an installed rootkit service and associated files, and we were able to remove them.

There still appear to be some odd lingering effects we're still sorting out, but nothing that seems to affect overall functionality, so we're calling this resolved for now. Any further cleaning house would likely result in a complete wipe anyway.

This topic can be closed or deleted at the mods' leisure.

A Big THANK YOU to BleepingComputer and its community!
Even though this was resolved before anyone could properly respond to it, the site and community are an invaluable wealth of information without which I could not have resolved this. I'm definitely keeping an eye on things here.

#3 Budapest (Bleepin' Cynic, Moderator, 23,579 posts)

Posted 10 August 2010 - 04:29 PM

Topic closed. Please send a PM to a Moderator if you would like the topic reopened.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw
