Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

System Tool


  • This topic is locked This topic is locked
2 replies to this topic

#1 roboandkate

roboandkate

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:06:41 AM

Posted 01 March 2011 - 02:53 PM

Hi, a couple of days ago we were infected with the System Tool virus, I have had a couple of goes at getting rid of it but have been unable to do so. I have also had problems with downloading Rkill, having disabled McAfee through stopping the services when downloading it does not appear to save, I am running XP Professional and have McAfee.


DDS (Ver_10-12-12.02) - NTFSx86
Run by Administrator at 19:19:35.62 on 01/03/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1278.779 [GMT 0:00]

AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\WINDOWS\system32\mfevtps.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr
C:\WINDOWS\system32\taskmgr.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.co.uk/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.tiscali.co.uk/broadband
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110226193709.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
{555d4d79-4bd2-4094-a395-cfc534424a05}
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://91.143.176.52/activex/AMC.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://remote.cornwall.gov.uk/dana-cached/sc/JuniperSetupClient.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\5raamkrg.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: network.proxy.type - 0
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\Ext
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: New Tab Homepage: {66E978CD-981F-47DF-AC42-E3CF417C1467} - %profile%\extensions\{66E978CD-981F-47DF-AC42-E3CF417C1467}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-1-20 386840]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-12-30 84072]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-12-30 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-12-30 271480]
R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-12-30 271480]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-12-30 171168]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-12-30 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2010-12-30 141792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-12-30 55840]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-1-20 152960]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-1-20 52104]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-12-30 313288]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-12-30 88544]
R3 RTL8187B;TG123g USB Wireless Adapter;c:\windows\system32\drivers\RTL8187B.sys [2010-1-4 264576]
S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys --> c:\windows\system32\drivers\is3srv.sys [?]
S0 szkg5;szkg5;c:\windows\system32\drivers\szkg.sys --> c:\windows\system32\drivers\szkg.sys [?]
S0 szkgfs;szkgfs;c:\windows\system32\drivers\szkgfs.sys --> c:\windows\system32\drivers\szkgfs.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-16 136176]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-12-30 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-12-30 84264]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-1-20 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-1-20 40552]

=============== Created Last 30 ================

2011-02-28 21:35:49 -------- d-----w- c:\docume~1\alluse~1\applic~1\STOPzilla!
2011-02-27 20:10:24 -------- d-----w- c:\docume~1\alluse~1\applic~1\bNoLcHf06308
2011-02-26 22:40:56 -------- d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2011-02-26 22:40:41 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-26 22:40:40 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-02-26 22:40:37 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-26 22:40:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-02-26 21:53:20 -------- d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2011-02-26 19:33:50 -------- d-----w- c:\docume~1\admini~1\applic~1\McAfee
2011-02-26 19:21:29 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-02-26 19:21:29 -------- d-----w- c:\windows\system32\wbem\Repository
2011-02-26 18:52:11 -------- d-----w- c:\docume~1\alluse~1\applic~1\mIfOdPo06300
2011-02-23 15:20:50 -------- d-----w- C:\Picasa Backup
2011-02-08 19:14:51 -------- d-----w- c:\windows\system32\NtmsData

==================== Find3M ====================

2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59:20 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59:19 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59:19 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-12-20 17:26:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55:26 385024 ------w- c:\windows\system32\html.iec
2010-12-12 16:51:05 1409 ------w- c:\windows\system32\tmpC770B.FOT
2010-12-12 16:51:05 1409 ------w- c:\windows\system32\tmp3F80B.FOT
2010-12-12 16:51:04 1409 ------w- c:\windows\system32\tmpDB40B.FOT
2010-12-12 16:51:04 1409 ------w- c:\windows\system32\tmp5160B.FOT
2010-12-12 16:51:03 1409 ------w- c:\windows\system32\tmpCAFFA.FOT
2010-12-12 16:50:53 1409 ------w- c:\windows\system32\tmp17ADA.FOT
2010-12-12 16:50:50 1409 ------w- c:\windows\system32\tmpB6ECA.FOT
2010-12-09 15:15:09 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30:22 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:38:47 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07:05 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-12-02 03:35:18 4280320 ----a-w- c:\windows\system32\GPhotos.scr

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST340014A rev.8.16 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A44F735]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a455990]; MOV EAX, [0x8a455a0c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x8A4D4AB8]
3 CLASSPNP[0xF7637FD7] -> nt!IofCallDriver[0x804E37D5] -> [0x8A420558]
\Driver\atapi[0x8A4D4288] -> IRP_MJ_CREATE -> 0x8A44F735
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskST340014A_______________________________8.16____#4a354c5835354a38202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A44F57B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 19:22:42.84 ===============



thanks

Attached Files



BC AdBot (Login to Remove)

 


#2 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:06:41 AM

Posted 01 March 2011 - 03:39 PM

Good evening. :)

Take a trip to this webpage for download links and instructions for running Combofix by sUBs.*

  • Please be aware that this tool may require the PC to be rebooted so close any programs you have open before you start.
  • When CF has finished, it will produce a log - C:\ComboFix.txt - copy and paste it into your next reply.
  • Let me know how the PC is behaving.
* There are two points to note from the instructions page:

1) The Recovery Console.

It is recommended that you install this as, in certain circumstances, it may be the difference between a successful repair and a reformat. If you are uncertain as to whether or not you already have the Recovery Console installed, simply run CF and it will prompt you if it does not detect it.
CF will complete some, but not all, of it's removal tasks without the installation of the Console so, should you choose not to allow the installation, you may not get the results you hoped for.

2) Disabling your Anti-Virus.

CF has been the victim of false-positive detections on occasion and a resident AV may incorrectly identify and delete part of the tool which won't do it much good. If you don't disable your AV, you may not get the results you hoped for either.

So long, and thanks for all the fish.

 

 


#3 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:06:41 AM

Posted 05 March 2011 - 07:00 PM

As there has been no response for five days this thread is now closed.

So long, and thanks for all the fish.

 

 





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users