Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Rootkit Virus


  • This topic is locked This topic is locked
12 replies to this topic

#1 Howie11

Howie11

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:05:26 AM

Posted 18 November 2010 - 08:59 PM

I believe I have a rootkit virus problem. I have followed the instructions in the post titled "Preparation Guide For Use BEfore Using Malware Removal Tools and Requesting Help".

I am running Windows XP SP3.

As indicated in a previous post, there are several symptoms I see:

(1) When running Internet Explorer and I open a new tab, multiple new Internet Explorer windows open automatically, one after another.
(2) After the machine has been on for about 5 minutes, I get an error message that says "Generic Host Process fort Win32 Services".
(3) After the machine has been on for about 5 minutes, I get the "Exclaimation" sound about once every 20 seconds.
(4) When I run MS Outlook, usually the border colors are some shade of blue. At some point, they turn to a shade of beige.

Also note: I have an issue where my machine locks up at random times. This issue predates the other issues by two months. It also happens at random times; some times the machine runs overnight without locking up, while other times it locks up during the boot-up process. I suspect this is a hardware issue, and is unrelated to the rootkit issue. However, in the interests of completeness, I included this information anyway.

Thanks!
Howie


--- DDS.TXT: ---


DDS (Ver_10-11-10.01) - NTFSx86
Run by Howie at 19:45:05.51 on Thu 11/18/2010
Internet Explorer: 8.0.6001.18702

============== Running Processes ===============

C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\UnHackMe\hackmon.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Documents and Settings\Howie\Desktop\dds.scr
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.jewishworldreview.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [EPSON Stylus CX7400 Series] c:\windows\system32\spool\drivers\w32x86\3\e_faticda.exe /fu "c:\windows\temp\E_S112.tmp" /EF "HKCU"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Wisdom-soft AutoScreenRecorder 3.1 Free] 0
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [UnHackMe Monitor] c:\program files\unhackme\hackmon.exe
mRun: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [UpdatePDRShortCut] "c:\program files\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\7.0"
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://g2v.visteon.com/dana-cached/setup/JuniperSetupSP1.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab

============= SERVICES / DRIVERS ===============

R? gupdate;Google Update Service (gupdate)
R? MBAMSwissArmy;MBAMSwissArmy
R? Partizan;Partizan
R? prxu;prxu
R? RegGuard;RegGuard
S? tmcfw;Trend Micro Common Firewall Service
S? tmevtmgr;tmevtmgr
S? TmPfw;Trend Micro Personal Firewall
S? tmpreflt;tmpreflt
S? TmProxy;Trend Micro Proxy Service

=============== Created Last 30 ================

2010-11-14 23:48:54 24416 ----a-w- c:\windows\system32\drivers\regguard.sys
2010-11-14 14:22:05 37600 ----a-w- c:\windows\system32\Partizan.exe
2010-11-14 14:22:05 35816 ----a-w- c:\windows\system32\drivers\Partizan.sys
2010-11-14 14:22:00 2 --shatr- c:\windows\winstart.bat
2010-11-14 14:21:51 12808 ----a-w- c:\windows\system32\drivers\UnHackMeDrv.sys
2010-11-14 14:21:45 -------- d-----w- c:\program files\UnHackMe
2010-11-14 14:20:44 388096 ----a-r- c:\docume~1\howie\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2010-11-14 14:07:42 -------- d-----w- c:\windows\system32\wbem\repository\FS
2010-11-14 14:07:42 -------- d-----w- c:\windows\system32\wbem\Repository
2010-11-14 14:07:08 -------- d-----w- C:\VundoFix Backups
2010-11-14 13:34:49 4530 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2010-11-13 14:42:01 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-11-13 14:42:01 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

==================== Find3M ====================

2010-09-18 16:23:26 974848 ------w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-22 03:48:54 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-08-22 03:48:54 348160 ----a-w- c:\windows\system32\msvcr71.dll

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: HDT722516DLA380 rev.V43OA96A -> Harddisk0\DR0 -> \Device\Ide\IdePort2 P2T0L0-e

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A5B2446]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a5b8504]; MOV EAX, [0x8a5b8580]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A5C2AB8]
3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000067[0x8A5C99E8]
5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A55E940]
\Driver\atapi[0x8A601BD8] -> IRP_MJ_CREATE -> 0x8A5B2446
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x137; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IdeDeviceP2T0L0-e -> \??\IDE#DiskHDT722516DLA380_________________________V43OA96A#5&30502222&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A5B2292
user != kernel MBR !!!
sectors 321672958 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

============= FINISH: 19:51:34.64 ===============



--- GMER.LOG ---

< Note: GMER would not run. It started fine, but each time before it finished it would stop executing. I believe the process would eventually go into a "Not Responding" state. Note that it stopped at different points each time. >

Attached Files



BC AdBot (Login to Remove)

 


#2 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:01:26 PM

Posted 27 November 2010 - 09:20 PM

Hello and welcome to Bleeping Computer :welcome:

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic an do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log




Elle
Can you hear it?It's all around!

Tomar ki manè acchè?
Yadi thakè, tahalè
Ki kshama kartè paro
?



If I haven't replied in 48 hours, please feel free to send me a PM.



Posted Image

#3 Howie11

Howie11
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:05:26 AM

Posted 01 December 2010 - 10:34 PM

As requested, here are some new log files from DDS. (Note: When I ran DDS, Trend Micro was still running, and I was not disconnected from the Internet.)


DDS (Ver_10-11-10.01) - NTFSx86
Run by Howie at 22:24:03.26 on Wed 12/01/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1570 [GMT -5:00]

AV: Trend Micro Internet Security *On-access scanning enabled* (Outdated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\UnHackMe\hackmon.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Howie\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.jewishworldreview.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [EPSON Stylus CX7400 Series] c:\windows\system32\spool\drivers\w32x86\3\e_faticda.exe /fu "c:\windows\temp\E_S112.tmp" /EF "HKCU"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Wisdom-soft AutoScreenRecorder 3.1 Free] 0
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [UnHackMe Monitor] c:\program files\unhackme\hackmon.exe
mRun: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [UpdatePDRShortCut] "c:\program files\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\7.0"
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
dRun: [qkwaswfo] c:\windows\temp\lathutfwi\ofiddsatsbl.exe
StartupFolder: c:\docume~1\howie\startm~1\programs\startup\pictur~1.lnk - c:\program files\sony\sony picture utility\pmbcore\SPUVolumeWatcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\utilit~1.lnk - c:\windows\system32\sistray.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://g2v.visteon.com/dana-cached/setup/JuniperSetupSP1.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab

============= SERVICES / DRIVERS ===============

R2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-6 135664]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2010-7-25 36432]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2010-7-25 339984]
S0 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2010-11-14 35816]
S0 prxu;prxu;c:\windows\system32\drivers\lgqfmirr.sys --> c:\windows\system32\drivers\lgqfmirr.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-8-12 38224]
S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [2010-11-14 24416]
S3 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2010-7-25 51792]
S3 TmPfw;Trend Micro Personal Firewall;c:\program files\trend micro\internet security\TmPfw.exe [2010-7-25 497008]
S3 TmProxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2010-7-25 689416]

=============== Created Last 30 ================

2010-11-14 23:48:54 24416 ----a-w- c:\windows\system32\drivers\regguard.sys
2010-11-14 14:22:05 37600 ----a-w- c:\windows\system32\Partizan.exe
2010-11-14 14:22:05 35816 ----a-w- c:\windows\system32\drivers\Partizan.sys
2010-11-14 14:22:00 2 --shatr- c:\windows\winstart.bat
2010-11-14 14:21:51 12808 ----a-w- c:\windows\system32\drivers\UnHackMeDrv.sys
2010-11-14 14:21:45 -------- d-----w- c:\program files\UnHackMe
2010-11-14 14:20:44 388096 ----a-r- c:\docume~1\howie\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2010-11-14 14:07:42 -------- d-----w- c:\windows\system32\wbem\repository\FS
2010-11-14 14:07:42 -------- d-----w- c:\windows\system32\wbem\Repository
2010-11-14 14:07:08 -------- d-----w- C:\VundoFix Backups
2010-11-14 13:34:49 4530 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2010-11-13 14:42:01 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-11-13 14:42:01 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

==================== Find3M ====================

2010-09-18 16:23:26 974848 ------w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl

============= FINISH: 22:29:26.67 ===============

Attached Files



#4 Howie11

Howie11
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:05:26 AM

Posted 04 December 2010 - 01:11 PM

Well, now the problem has gotten worse. Today I was running the machine (in Safe mode with networking), and IE locked up, so I rebooted. During the boot process, it went straight to the "Blue Screen of Death". I rebooted several times, in Safe mode and not in Safe Mode, and the same thing happens: It always goes to the Blue Screen of Death during the boot process.

The error message I get is as follows:

*** STOP: 0x0000007E (0x0000005, 0x8A32E4E7, 0xF78DE7EC, 0xF78DE4E8)

After I recorded these hex values, I rebotted the machine again and verified that the same values came up a second time.

When I try to boot in Safe mode, the driver the machine is apparently loading when it goes to the Blue Screen is:

...\System32\DRIVERS\gagp30ky.sys

I noticed that all the other drivers before it had the word "Driver" in lower case, while this one was in upper case. I'm not sure this is significant or not.

I suppose I have no choice at this point but to reformat my entire hard drive. Unfortunately, I do not have the install disks or key values for my instance of XP. (I may be able to borrow the XP install disks from a friend, but I'll still need the key.)

Questions:

(1) Is there any way to recover at this point other than to re-format and re-install the OS? (Perhaps I can borrow a boot disk from a friend and boot from that, and then fix the virus issue?)

(2) If I need to reformat the drive and re-install XP, before I do that, is there any way to recover my current key for the XP OS, or am I forced to buy a new verion and use the new key?

Thanks,
Howie

#5 Howie11

Howie11
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:05:26 AM

Posted 10 December 2010 - 09:37 PM

I have another thread on this forum that has not yet been answered. This may be my fault because I replied to my own thread when I found some additional information that I thought was important to the diagnosis/recovery. (I didn't realize this was what people meant by "bumping" your own thread.) I see now that my replies may make people think my issue is already being addressed by someone, even though I posted on Nov 18th and have not recieve any responses yet.

I created this new post to call attention to my previous post. Can someone please search for it, review what I've written, and help me? It is very difficult to sit and do nothing to try to remedy the situation myself when I've gone now for almost four weeks without the use of my computer.
(UGH!)

Thanks,
Howie

#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,817 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:01:26 PM

Posted 11 December 2010 - 02:43 AM

Hello and my apologies for the delay.

There still might be a way to resolve this problem, but first let me know if you have an XP CD at hand you can use (maybe you can borrow one from a friend/family member).

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#7 Howie11

Howie11
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:05:26 AM

Posted 11 December 2010 - 08:29 AM

I do not have my original XP disks. I also do not have my original XP key recorded anywhere (I've checked for paperwork and stickers inside and outside of the case, but it's not there.)

Fortunately, I followed the instructions your site provided, and was able to back up all my important data files before the situation degraded to it's current state. (I'm very glad those instructions reminded me to do that...I should have been doing it all along.) However, over the last 2-3 years I've purchased a lot of small utilities on-line (for video and audio editing), and was not able to back those up. Since it will be dificult to remember what I had and where I got them, it would be nice if I could avoid a full reformat of the drive (if possible). However, if it become necessary to reformat the entire drive, I'm sure I'll live.

I was able to borrow an XP SP1 upgrade disk from a friend. He said that this should work as a boot disk.
If I need a full XP install disk, I may be able to borrow one from work.

If we can get the machine to boot (from a boot disk), is there a way to retrieve the original XP key?

Thanks for the help - I really appreciate it.

Howie

#8 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,817 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:01:26 PM

Posted 11 December 2010 - 08:37 AM

Hi Howie, first of all, please try this.

Let's try to boot your computer using a Boot CD.

Please print this guide for future reference!

You will need a blank CD, your Windows XP install disc, a clean computer and a flash drive.

Please follow the steps below and let me know if you were successful. Please tell me what error messages you got and/or what steps you got hung up on.

1. Download the PE Builder to your desktop

http://www.nu2.nu/download.php?sFile=pebuilder3110a.exe
  • Double-Click on the PE Builder that you just downloaded to your desktop.
  • Follow all of the instructions/prompts that come up.
2. Insert your XP CD with SP1/SP2/SP3 into a CD Rom drive
  • Double-Click on PE Builder.exe located on your desktop.
  • Click NO to Search for Windows Installation Files
  • Make the following selections from the Main Screen that pops up:
    • Builder
    • Source:(path to Windows installation files)
    • Enter the path to the drive where your XP CD is located.
    • You can click on the "..." button on the right to navigate to the path as well.
  • Custom: (include files and folders from this directory)
    • No information is necessary, leave blank.
  • Output:
    • Keep the default
  • Media output
    • Choose Create ISO image
    • Do not choose Burn to CD/DVD
    • Download the RunScanner plugin and save it to your desktop

    http://www.paraglidernc.com/Files/RunScanner10025.cab

    Please note: You will be prompted for the folder that it shall be saved. By default it appears as runscanner10025. It should be modified to just runscanner <--- Important!!!


    • Press the Plugin button on the PE Builder interface
    • Press the Add button and navigate to the location of the RunScanner plugin to install
    • Please note: If you are using a Windows XP disc with sp2 then highlight RpsSS needs to launch DComLaunch and then press Enable
  • When your done press Close and the PE Builder interface will re-appear
3. Click on the "Build" button
  • You will see the Windows EULA message. Click on I Agree
  • You will now see the Build Screen. Let it run it's course
  • When the Build is finished you can click close, then exit
4. Burn your ISO file to CD==========

Next........

From your clean computer..

Please download OTLPE.zip and save it to a flash drive.
http://oldtimer.geekstogo.com/OTLPE.zip
http://www.itxassociates.com/OT-Tools/OTLPE.zip

Double click and unzip OTLPE.zip to its own folder on your flash drive. Name it OTLPE <-- Important!!

==========

Plug your flash drive into your sick computer now and do as instructed below..

==========

1. Restart Your sick Computer Using the PE Builder ISO CD That You Have Created
  • Insert the CD in to one of your CD/DVD drives.
  • Restart your computer.
    • The computer should choose to boot from the CD automatically. If it doesn't and you are asked if you want to boot from CD, then choose that option.
  • Once the desktop appears, you will receive a message asking: Do you want to start Network support?
    • Click on No
  • After it loads press the Go button in the lower left and do this....
    • Go
    • System
    • Display
    • Screen Resolution
    • 1024x768
    Next choose....
    • Go
    • Programs
    • A43 File Management Utility

==========

In A43File Management you should see your flash drive
Navigate to the OTLPE folder that you saved to your flash drive.

Open the OTLPE folder and double click Start.cmd.

  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTLPE should now start

    Change the following settings
    • Change Services, Drivers, Standard and Extra Registry to Use Safelist
    • Uncheck LOP and Purity check

    Please note: Stay with your computer during the course of the scan. If "Entry Point Errors" are encountered simply press "ok" and allow the program to continue. <-- Important!!
  • Push Posted Image
  • A report will open named "OTL.tx"t and another will be minimized to the system tray named "Extra.txt". Save both log's to your flash drive. Copy and Paste them in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#9 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,817 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:01:26 PM

Posted 17 December 2010 - 08:03 AM

Hi, are you still there?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#10 Howie11

Howie11
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:05:26 AM

Posted 18 December 2010 - 01:40 AM

Elise,

Yes, I'm still here. It took me a few days to get an XP install disk, but I have one now. I also have the components to make an Ultimate Boot CD for Windows, which I will attempt to make tomorrow. That way I'll be able to boot from something other than my hard drive. Finally, I also got a CD named Wintools ERD Commander. I'm not sure what capabilities that gives me, but the PC support guys at work swear by it.

Don't worry...even though I got all these "toys", I will be sure not to do anything on my infected PC until you tell me to.

I'll ping you when I have the boot disk made.

Thanks again for the help,
Howie

#11 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,817 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:01:26 PM

Posted 18 December 2010 - 08:45 AM

Hi, ERD commander is no longer free AFAIK. However, we should be able to at least diagnose the program using the steps above. :)

I will wait for the log.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#12 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,817 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:01:26 PM

Posted 30 December 2010 - 06:04 AM

Hi, are you still there?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#13 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,817 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:01:26 PM

Posted 08 January 2011 - 06:25 AM

Due to the lack of feedback, this topic is now closed.In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users