Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Google redirects and possible rootkit infection


  • This topic is locked This topic is locked
7 replies to this topic

#1 car15

car15

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:09:09 AM

Posted 03 January 2011 - 05:36 PM

Hello,

I have been trying to help a friend solve what appear to be malware issues with her PC. I have run MBAM several times, which has found and removed some malware (logs available). The PC has the free version of Avira as well as Spybot S&D; both found a few other things and removed them.

The persisting issues are Google search redirects and new browser instances opening (I have a HJT log ready to post if requested to do so) and the JIT debugger (Visual Studio 2008 installed) keeps popping up asking to debug one of the svchost processes.

My DDS and GMER files are below/attached. I'd appreciate some help getting the last of the bad stuff off this machine.

Thanks in advance.


DDS.txt:


DDS (Ver_10-11-27.01) - NTFSx86
Run by Debbie at 16:01:09.68 on Mon 01/03/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3317.2442 [GMT -6:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\D-Link\DWA-125 revA\ANIWConnService.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Fighters\SPAMfighter\sfus.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Fighters\FighterSuiteService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\D-Link\DWA-125 revA\AirGCFG.exe
C:\Program Files\D-Link\DWA-125 revA\WZCSLDR2.exe
C:\Program Files\Fighters\SPAMfighter\sfagent.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\PROGRA~1\MICROS~3\Office12\OUTLOOK.EXE
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Debbie\Desktop\DDS.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.nytimes.com/
uURLSearchHooks: H - No File
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No File
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [EPSON Stylus CX6000 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatibia.exe /fu "c:\windows\temp\E_S9A.tmp" /EF "HKLM"
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [D-Link D-Link DWA-125] c:\program files\d-link\dwa-125 reva\AirGCFG.exe
mRun: [WZCSLDR2] c:\program files\d-link\dwa-125 reva\WZCSLDR2.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [sfagent] c:\program files\fighters\spamfighter\sfagent.exe
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~2.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: intuit.com\ttlc
DPF: {03A89EFD-E023-A200-A22D-45F77558EB4C} - hxxps://content10.ilinc.com/download/AXCltInstall.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {25F3E50D-0714-11D7-9AFF-0060085AA461} - hxxps://epr.medkinetics.com/WebTWAIN2.CAB
DPF: {381A579F-C095-433D-8AEF-96CED6EC227F} - hxxps://epr.medkinetics.com/Blocks/cab/OWAssist.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {DB1B4C3B-8690-43B2-9045-91EDA7A12580} - hxxp://clientconfig.medkinetics.com/ewebeditpro4/ewebeditpro4.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E7DA7F8D-27AB-4EE9-8FC0-3FEC9ECFE758} - hxxps://epr.medkinetics.com/DynamicWebTWAIN.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Notification Packages = scecli pagp32.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\debbie\applic~1\mozilla\firefox\profiles\gx6ksv13.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.nytimes.com/
FF - plugin: c:\program files\emusic download manager\plugin\npemusic.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\veetle\vlcbroadcast\npvbp.dll
FF - HiddenExtension: XULRunner: {6A33C746-5D02-4183-A53F-D49692440C39} - c:\documents and settings\rick\local settings\application data\{6A33C746-5D02-4183-A53F-D49692440C39}
FF - HiddenExtension: XULRunner: {DFB20992-43D7-4543-89E6-16AA38527C13} - c:\documents and settings\debbie\local settings\application data\{DFB20992-43D7-4543-89E6-16AA38527C13}
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Extension: XULRunner: {6A33C746-5D02-4183-A53F-D49692440C39} - c:\documents and settings\rick\local settings\application data\{6A33C746-5D02-4183-A53F-D49692440C39}
FF - Extension: XULRunner: {DFB20992-43D7-4543-89E6-16AA38527C13} - c:\documents and settings\debbie\local settings\application data\{DFB20992-43D7-4543-89E6-16AA38527C13}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\docume~1\debbie\applic~1\mozilla\firefox\profiles\gx6ksv13.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-1-30 11608]
R1 RCFOX;SonicWALL IPsec Driver;c:\windows\system32\drivers\RCFOX.SYS [2009-12-14 101528]
R2 ANPD;ANPD Service;c:\windows\system32\ANPD.SYS [2010-7-4 29411]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-1-30 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-1-30 267944]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-1-30 61960]
R2 D_Link_DWA-125_WPS;D_Link_DWA-125_WPS Service;c:\program files\d-link\dwa-125 reva\ANIWConnService.exe [2010-7-4 40960]
R2 SPAMfighter Update Service;SPAMfighter Update Service;c:\program files\fighters\spamfighter\sfus.exe [2010-10-21 189064]
R2 Suite Service;Suite Service;c:\program files\fighters\FighterSuiteService.exe [2010-10-21 1130120]
R3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\drivers\rcvpn.sys [2009-12-14 24876]
S2 D_Link_DWA-125;D_Link_DWA-125 Service;c:\program files\d-link\dwa-125 reva\ANIWZCSdS.exe [2010-7-4 126976]
S3 MsDepSvc;Web Deployment Agent Service;c:\program files\iis\microsoft web deploy\MsDepSvc.exe [2009-9-9 55176]
S3 rt2870;D-Link dnetr28u USB Extensible Wireless LAN Card Driver;c:\windows\system32\drivers\Drt2870.sys [2010-7-4 779136]
S3 SynasUSB;SynasUSB;c:\windows\system32\drivers\synasusb.sys --> c:\windows\system32\drivers\SynasUSB.sys [?]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2009-3-31 47128]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [2009-3-30 239336]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2009-3-30 366936]

=============== Created Last 30 ================

2010-12-30 22:00:02 14336 ----a-w- c:\windows\system32\dllcache\tsprof.exe
2010-12-30 22:00:02 11520 ----a-w- c:\windows\system32\dllcache\twotrack.sys
2010-12-30 21:58:58 103936 ----a-w- c:\windows\system32\dllcache\sx.sys
2010-12-30 21:57:58 25034 ----a-w- c:\windows\system32\dllcache\smcpwr2n.sys
2010-12-30 21:56:59 36480 ----a-w- c:\windows\system32\dllcache\sfmanm.sys
2010-12-30 21:55:58 20992 ----a-w- c:\windows\system32\dllcache\rtl8139.sys
2010-12-30 21:54:59 121344 ----a-w- c:\windows\system32\dllcache\phvfwext.dll
2010-12-30 21:53:58 43689 ----a-w- c:\windows\system32\dllcache\otceth5.sys
2010-12-30 21:52:58 7168 ----a-w- c:\windows\system32\dllcache\mxport.dll
2010-12-30 21:51:59 58368 ----a-w- c:\windows\system32\dllcache\m3091dc.dll
2010-12-30 21:50:58 13056 ----a-w- c:\windows\system32\dllcache\inport.sys
2010-12-30 21:49:59 289887 ----a-w- c:\windows\system32\dllcache\hsf_fall.sys
2010-12-30 21:48:59 444416 ----a-w- c:\windows\system32\dllcache\fpcibase.sys
2010-12-30 21:47:59 69194 ----a-w- c:\windows\system32\dllcache\el656cd5.sys
2010-12-30 21:46:59 72832 ----a-w- c:\windows\system32\dllcache\cwbwdm.sys
2010-12-30 21:45:59 26880 ----a-w- c:\windows\system32\dllcache\atirtsnd.sys
2010-12-25 23:15:43 159744 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin7.dll
2010-12-15 21:42:03 -------- d-----w- c:\docume~1\debbie\applic~1\Avira
2010-12-14 20:39:10 -------- d-----w- c:\docume~1\alluse~1\applic~1\hBlKh06309
2010-12-11 02:53:56 -------- d-----w- c:\windows\system32\NtmsData

==================== Find3M ====================

2010-11-29 23:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 23:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26:58 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec
2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:27:10 1862272 ----a-w- c:\windows\system32\win32k.sys

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD6400AAKS-75A7B0 rev.01.03B01 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8AF64555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8af6a7b0]; MOV EAX, [0x8af6a82c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8AFC2AB8]
3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\0000006f[0x8AF75F18]
5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8AF74940]
\Driver\atapi[0x8AFC8270] -> IRP_MJ_CREATE -> 0x8AF64555
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskWDC_WD6400AAKS-75A7B0___________________01.03B01#5&163e592b&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8AF6439B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 16:03:24.35 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 rigacci

rigacci

    Fiorentino


  • Members
  • 2,604 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:09 AM

Posted 09 January 2011 - 09:29 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic an do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Thanks.

DR

#3 car15

car15
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:09:09 AM

Posted 09 January 2011 - 09:52 AM

Thanks for the reply. If new logs are a requirement for assistance I'll be happy to run them, though the machine has remained off since running the ones posted.

#4 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:09 AM

Posted 09 January 2011 - 11:56 AM

Hello, car15.
My name is etavares and I will be helping you with this log.

Here are some guidelines to ensure we are able to get your machine back under your control.

  • Please do not run any unsupervised scans, fixes, etc. We can work against each other and end up in a worse place.
  • Please subscribe to this topic if you have not already done so. Please check back just in case, as the email system can fail at times.
  • Just because your machine is running better does not mean it is completely cleaned. Please wait for the 'all clear' from me to say when we are done.
  • Please reply within 3 days to be fair to other people asking for help.
  • When in doubt, please stop and ask first. There's no harm in asking questions!



Step 1


You have a few infections on this machine we can take care of. One is a backdoor rootkit, so I need to provide this warning.

Backdoor Warning
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you do decide to proceed, please continue with the fix below.




Step 2



Next, please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop as etavaresCF.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on etavaresCF.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


Posted Image
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply, along with any symptoms that are present after it runs.

Note: After running Combofix, you may receive an error about "illegal operation on a registry key that has been marked for deletion." If you receive this error, please reboot and it should disappear.

etavares

Edited by etavares, 09 January 2011 - 11:56 AM.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 


#5 car15

car15
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:09:09 AM

Posted 12 January 2011 - 08:07 AM

Hi etavares, and thank you for the reply. We've decided to reformat this PC and reinstall the OS. MBAM is on my list of "must have" apps; this PC was running the free version of Avira. The owners were not proactive with checking the PC for "bad stuff" regularly. With that in mind, do you have any suggestions for antivirus/anti-malware solutions, both free and paid?

Edited by car15, 12 January 2011 - 08:08 AM.


#6 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:09 AM

Posted 12 January 2011 - 11:01 PM

Sure, Avast and Avira are both good free antiviruses. I don't use a paid antivirus as the free ones work very well. No antivirus is 100% effective. New viruses and versions of viruses come out every second. Most antiviruses are about 50% effective at detecting viruses < 2 weeks old. Most are 90+% effective at detecting viruses that are older...more time to figure out what/how they work. But, you can see that behavior has a big impact when a new virus is a basically a coin flip if it gets on your machine. You should only have one antivirus running in real time mode...having two or more will conflict with each other as they fight for access. That can cause false positives, system slow downs and or crashes/freezes. I use Avast myself.

In addition to the antivirus, one antispyware program is a good idea. MBAM or SuperAntiSpyware are my personal choices. I use MBAM myself.

Finally, a firewall is a great idea. The Windows XP firewall is only one way...stops unwanted intrusions from outside. That is a lot better than nothing. A firewall that stops outbound threats too (e.g. a virus calling home) can help, but you have to determine what should access the internet. So that is up to you.

Hope that helps. Let me know if you have any other questions.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 


#7 car15

car15
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:09:09 AM

Posted 14 January 2011 - 07:22 PM

Thank you etavares. The PC is going under the knife this weekend.

#8 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:09 AM

Posted 20 January 2011 - 08:07 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users