Rootkit Suspicious.Mystic

Hi, a friend has picked this virus up on their computer, explorer has disappeared, so the computer is basically unusable. They are using Win XP Home with SP3. They have Norton 360 v4 installed. That is what is telling me Suspicious.Mystic is on the computer. They have no Xp disc and a lot of files, so formatting and reinstalling is not an option.
Previous to Norton they had AVG installed. I doubt they would have had any firewall software apart from windows own.
Basically whilst they had AVG on they picked up a Security Tool virus that kept doing a fake file scan everytime windows booted up, they managed to get rid of that and removed AVG then I installed Norton once Norton completed it did a reboot and when XP booted up again Explorer was gone and Norton flashed up warning saying it had found Suspicious.Mystic.
I'm limited in knowing what is on the computer because all I have is the desktop Background and the cursor I have been able to access and browse files through Task Manager but not much else.
From browsing on the internet I have looked through processes and the Registry and there doesn't to be any Suspicious.Mystic files, but I'm sure they are there.
Any help getting rid of this would be greatly appreciated.


DDS (Ver_10-11-10.01) - NTFSx86
Run by Maureen at 19:21:13.84 on 17/11/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1271.837 [GMT 0:00]

AV: Norton 360 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Norton 360\Engine\4.1.0.32\ccSvcHst.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Norton 360\Engine\4.1.0.32\ccSvcHst.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\regedit.exe
E:\Mark\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://aol.co.uk/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\4.1.0.32\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\4.1.0.32\IPSBHO.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\4.1.0.32\coIEPlg.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [ActivFilter] c:\program files\activ software\activdriver\ActivFilter.exe
mRun: [ActivControl] c:\program files\activ software\activdriver\ActivControl2.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [sniffer] c:\windows\temp\_ex-08.exe
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=OQBBAFYARgBSAEUARQAtAFYATgBKADMAMgAtAEcAMwBMAEEAQQ"&"inst=NwA3AC0ANAA1ADkANAAzADkAOQA4ADUALQBUAEI"&"prod=90"&"ver=9.0.864
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\maureen\startm~1\programs\startup\pictur~1.lnk - c:\program files\sony\sony picture utility\pmbcore\SPUVolumeWatcher.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0401000.020\SymDS.sys [2010-11-15 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0401000.020\SymEFA.sys [2010-11-15 172592]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.1.0.32\definitions\bashdefs\20100211.001\BHDrvx86.sys [2010-11-15 536112]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0401000.020\cchpx86.sys [2010-11-15 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0401000.020\Ironx86.sys [2010-11-15 116784]
R2 N360;Norton 360;c:\program files\norton 360\engine\4.1.0.32\ccSvcHst.exe [2010-11-15 126392]
R3 ActivHIDSerMini;Promethean Serial Board Driver;c:\windows\system32\drivers\activhidsermini.sys [2006-10-4 40064]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-11-15 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.1.0.32\definitions\ipsdefs\20091105.001\IDSxpx86.sys [2010-11-15 329592]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.1.0.32\definitions\virusdefs\20101115.002\naveng.sys [2010-11-15 86064]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.1.0.32\definitions\virusdefs\20101115.002\navex15.sys [2010-11-15 1371184]
R3 prmvmouse;Promethean HID Mouse Service;c:\windows\system32\drivers\activmouse.sys [2006-10-4 5632]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-11-3 136176]
S3 NPF;WinPcap Packet Driver (NPF);c:\windows\system32\drivers\npf.sys [2010-11-9 50704]
S4 iteraid;iteraid; [x]
S4 Si3112r;Si3112r; [x]
S4 viasraid;viasraid; [x]

=============== Created Last 30 ================

2010-11-15 21:15:48 488383 -c--a-w- c:\windows\system32\dllcache\hsf_v124.sys
2010-11-15 21:14:58 126976 -c--a-w- c:\windows\system32\dllcache\hpgt34tk.dll
2010-11-15 21:13:52 92160 -c--a-w- c:\windows\system32\dllcache\fuusd.dll
2010-11-15 21:12:53 45568 -c--a-w- c:\windows\system32\dllcache\esunib.dll
2010-11-15 21:11:59 69194 -c--a-w- c:\windows\system32\dllcache\el656cd5.sys
2010-11-15 21:10:59 103044 -c--a-w- c:\windows\system32\dllcache\digidxb.sys
2010-11-15 21:09:59 10240 -c--a-w- c:\windows\system32\dllcache\compbatt.sys
2010-11-15 21:05:59 13824 -c--a-w- c:\windows\system32\dllcache\bulltlp3.sys
2010-11-15 21:04:50 6272 -c--a-w- c:\windows\system32\dllcache\apmbatt.sys
2010-11-15 21:04:49 36224 -c--a-w- c:\windows\system32\dllcache\an983.sys
2010-11-15 21:04:49 12032 -c--a-w- c:\windows\system32\dllcache\amsint.sys
2010-11-15 21:04:48 16969 -c--a-w- c:\windows\system32\dllcache\amb8002.sys
2010-11-15 21:04:47 5248 -c--a-w- c:\windows\system32\dllcache\aliide.sys
2010-11-15 21:04:47 27678 -c--a-w- c:\windows\system32\dllcache\ali5261.sys
2010-11-15 21:04:47 26624 -c--a-w- c:\windows\system32\dllcache\alifir.sys
2010-11-15 21:04:46 56960 -c--a-w- c:\windows\system32\dllcache\aic78xx.sys
2010-11-15 21:04:45 55168 -c--a-w- c:\windows\system32\dllcache\aic78u2.sys
2010-11-15 21:04:45 12800 -c--a-w- c:\windows\system32\dllcache\aha154x.sys
2010-11-15 21:01:04 46112 -c--a-w- c:\windows\system32\dllcache\adptsf50.sys
2010-11-15 21:01:04 101888 -c--a-w- c:\windows\system32\dllcache\adpu160m.sys
2010-11-15 21:01:03 747392 -c--a-w- c:\windows\system32\dllcache\adm8830.sys
2010-11-15 21:01:03 10880 -c--a-w- c:\windows\system32\dllcache\admjoy.sys
2010-11-15 21:01:02 584448 -c--a-w- c:\windows\system32\dllcache\adm8810.sys
2010-11-15 21:01:02 553984 -c--a-w- c:\windows\system32\dllcache\adm8820.sys
2010-11-15 21:01:01 7424 -c--a-w- c:\windows\system32\dllcache\adicvls.sys
2010-11-15 21:01:01 20160 -c--a-w- c:\windows\system32\dllcache\adm8511.sys
2010-11-15 19:59:53 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-11-12 13:33:18 -------- d-----w- c:\docume~1\alluse~1\applic~1\Norton
2010-11-09 21:12:26 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
2010-11-09 20:49:19 50704 ----a-w- c:\windows\system32\drivers\npf.sys
2010-11-09 20:49:19 281104 ----a-w- c:\windows\system32\wpcap.dll
2010-11-09 20:49:19 100880 ----a-w- c:\windows\system32\Packet.dll
2010-11-07 20:29:52 26600 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-11-07 20:29:52 107368 ----a-r- c:\windows\system32\GEARAspi.dll
2010-11-07 20:29:05 -------- d-----w- c:\program files\iPod
2010-11-07 20:29:02 -------- d-----w- c:\program files\iTunes
2010-11-07 20:29:02 -------- d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-11-07 20:28:05 -------- d-----w- c:\docume~1\maureen\locals~1\applic~1\Apple
2010-11-07 20:27:26 -------- d-----w- c:\program files\Bonjour
2010-11-07 20:26:48 -------- d-----w- c:\docume~1\maureen\locals~1\applic~1\Apple Computer
2010-11-03 17:00:00 -------- d-----w- c:\docume~1\maureen\locals~1\applic~1\Google
2010-10-29 19:10:03 -------- d-----w- c:\program files\common files\Activ Software
2010-10-29 19:10:00 -------- d-----w- c:\program files\Activ Software
2010-10-29 19:10:00 -------- d-----w- c:\docume~1\alluse~1\applic~1\Activ Software

==================== Find3M ====================

2010-09-18 11:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-08 11:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 11:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll

============= FINISH: 19:22:16.76 ===============

hi,

Sorry for the delay, no shortage of posters. If you still need help post back.

hi, I do still need help if someone could lend a hand that would be awesome. I can totally understand you guys being swamped.

ok We will get two downloads to start with. the first is combofix. It requires that you read through a guide first. Read the guide then apply the directions on your own machine.

Guide to using Combofix

After combofix you can run Malwarebytes:

Please download the free version of Malwarebytes to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.

Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, select Perform FULL SCAN, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click *Remove Selected.*

*A restart of your computer may be required to remove some items. If prompted please restart your computer to complete the fix.*

When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Post the log in your reply.

Hi, here are the 2 logs.

Haven't forgotten, will have more time tomorrow, to post

To help show all files you can do this:

FOr XP: on the desktop double click my computer,at the top click on> tools>folder options>view> then select "show hidden files and folders", then UNcheck "hide protected operating system files " also UNcheck "hide extensions for known file types" click apply to all folders, apply then ok

Look here: c:\windows\ServicePackFiles\i386\explorer.exe
See if you can find explorer.exe
If so drag/drop a copy into the C:\WINDOWS directory and reboot the computer.

Brilliant! found that and rebooted, desktop appears to be back to normal. Is that me fixed or are there any final steps?

Ok good. You can do this: See if you can find winlogon.exe in the system32 directory:

c:\windows\system32\winlogon.exe

Go here and browse for the file then upload it using the send button. It will be checked by a dozen or so scanners. You should see nothing listed under the result column. May take several visits, the site can get busy at time

Hi, sorry about delay. Uploaded file to site and it had 3 entries, it was not clear. Wasn't sure how else to save the result so I copied it into a word file, which I have attached.
Thanks.

hi,
We will use combofix to replace two winlogon.exe that failed the sig check, replacing them with a good copy.

as a precaution, before using combofix:
Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before using combofix.

Click Start, then Run and type Notepad and click OK.
Copy/paste the text in the code box below into notepad:

FCopy::
c:\windows\ServicePackFiles\i386\winlogon.exe | c:\windows\system32\winlogon.exe
c:\windows\ServicePackFiles\i386\winlogon.exe | c:\windows\system32\dllcache\winlogon.exe

Name the Notepad file CFScript.txt and Save it to your desktop.
now locate the file you just saved and the combofix icon, both on your desktop
using your mouse drag the CFScript right on top of the combofix icon and release, combofix will run and produce a new log
please post the new combofix log.

Thanks, here is the new combofix log

hi,

Sorry for the delay. Looks good. If all is ok on your end we can finish it up.

Yeah, everything seems fine. Thanks so much for your help.

Your welcome. You can remove combofix like this:

start>run and type in combofix /uninstall
click ok or enter
note the space after the x and before the /

note that the free version of Malwarebytes must be updated manually and a scan started manually.

You can make a new restore point, the how and the why:

One of the features of Windows XP,Vista and Windows7 is the System Restore option, however if malware infects a computer it is possible that the malware could be backed up in the System Restore archive. Therefore, clearing the restore points is a good idea after malware is removed and your computer appears to be functioning ok.

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(winXP)

1. Turn off System Restore. (deletes old possibly infected restore point)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.(creates a new restore points on a clean system)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK, then reboot

And last some tips to help you remain malware free:

10 Tips for Prevention and Avoidance of Malware:
There is no reason why your computer can not stay malware free.

No software can think for you. Help yourself. In no special order:

1) It is essential to keep your operating system (Windows) browser (IE, FireFox, Chrome, Opera) and other software up to date to "patch" vulnerabilities that could be exploited. Visit Windows Update frequently or use the Windows auto-update feature. Staying updated is also essential for other web based applications like Java, Adobe Flash/Reader, iTunes etc. More and more third party applications are being targeted. Not sure if you are using the latest version of software? Check their version status and get the updates here.

2) Know what you are installing to your computer. Alot of software can come bundled with unwanted add-ons, like adware, toolbars and malware. More and more legitimate software is installing useless toolbars if not unchecked first. Do not install any files from ads, popups or random links. Do not fall for fake warnings about virus and trojans being found on your computer and you are then prompted to install software to remedy this. See also the signs that you may have malware on your computer.

3) Install and keep updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless. If either of these frequently find malware then its time to *review your computer habits*.

4) Refrain from clicking on links or attachments via E-Mail, IM, IRC, Chat Rooms, Blogs or Social Networking Sites, no matter how tempting or legitimate the message may seem. See also E-mail phishing Tricks.

5) Do not click on ads/pop ups or offers from websites requesting that you need to install software to your computer--*for any reason*. Use the Alt+F4 keys to close the window.

6) Don't click on offers to "scan" your computer. Install ActiveX Objects with care. Do you trust the website to install components?

7) Consider the use of limited (non-privileged) accounts for everyday use, rather than administrator accounts. Limited accounts can help prevent *malware from installing and lessen its potential impact.* This is exactly what user account control (UAC) in Windows Vista and Windows 7 attempts to address.

8) Install and understand the *limitations* of a software firewall.

9) A tool for automatically hardening and securing Internet Explorer 8.0. Requires site registration for downloading. Changes some of the default settings of IE 8.0, Read the FAQ's. Or see a slide show Here and do it yourself. How to harden FireFox. for safer surfing.

10) Warez, cracks etc are very popular for carrying malware payloads. If you look for these you will encounter malware. If you download/install files via p2p networks you will encounter malware. Can you really trust the source of the file?


More info/tips with pictures in links below.

Happy Safe Surfing.