
(*** hidden *** ) [AUTO] Winmgmt <-- ROOTKIT !!!



#1 Zen Seeker


Posted 16 May 2011 - 12:50 PM

Hello and thank you for the reply. Short explanation and links to first two posts below.

Step 1 - 6 : I don't currently apply as I'm at the point where I'm running from Live Linux and DaRT CDs. If an OS install is required I have XP, Vista, and Windows 7. As long as we can remove this bug it doesn't matter to me which I use as I can change it at a later date.

Step 7 : I can DL this application and try to run it but even the most current DaRT disk tends to have issues. Let me know if we can skip this step or if you want an OS installed.

Step 8 : I have DL and run the latest GMER from this site's link. It was the second post I added to my topic 3 or 4 days after my original message. I will re-paste the log from my old post here and attach the log later once I reload the HDD that has it. (Note: As it's run from a DaRT boot disk X: is the main drive with C: being either empty, only having my tools and logs, or not attached at all. D: is the CD/DVD drive I'm starting from.)

(First scan with HDD installed and booting from latest DaRT CD.)
GMER 1.0.15.15627 - http://www.gmer.net
Rootkit scan 2011-05-16 00:34:53
Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD800BEVS-75RST0 rev.04.01G04
Running: QXDX7CWT.EXE; Driver: X:\windows\TEMP\afroikoc.sys

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 8F482579 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 8F4A6F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\ACPI_HAL \Device\00000002 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Services - GMER 1.0.15 ----

Service X:\windows\system32\DRIVERS\usbhub.sys (*** hidden *** ) [MANUAL] usbhub <-- ROOTKIT !!!
Service X:\windows\system32\svchost.exe (*** hidden *** ) [AUTO] Winmgmt <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName@ComputerName MINWINPC
Reg HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB@CurrentConfig 0
Reg HKLM\SYSTEM\CurrentControlSet\services\usbhub@ImagePath \SystemRoot\system32\DRIVERS\usbhub.sys
Reg HKLM\SYSTEM\CurrentControlSet\services\Winmgmt@Start 2
Reg HKLM\SYSTEM\Setup@SetupType 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion@CurrentType Multiprocessor Checked
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion@SystemRoot X:\Windows
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit userinit.exe
---- EOF - GMER 1.0.15 ----

(Second scan after deleting the above service in first scan.)
GMER 1.0.15.15627 - http://www.gmer.net
Rootkit scan 2011-05-16 00:39:41
Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD800BEVS-75RST0 rev.04.01G04
Running: QXDX7CWT.EXE; Driver: X:\windows\TEMP\afroikoc.sys

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 8F482579 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 8F4A6F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
? X:\windows\system32\DRIVERS\usbhub.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

? X:\windows\system32\svchost.exe[504] X:\windows\system32\svchost.exe The system cannot find the file specified.
? X:\windows\system32\svchost.exe[568] X:\windows\system32\svchost.exe The system cannot find the file specified.
? X:\windows\System32\svchost.exe[648] X:\windows\System32\svchost.exe The system cannot find the file specified.

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\ACPI_HAL \Device\00000002 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Processes - GMER 1.0.15 ----

Library X:\windows\system32\svchost.exe (*** hidden *** ) @ X:\windows\system32\svchost.exe [504] 0x00FE0000
Library X:\windows\system32\svchost.exe (*** hidden *** ) @ X:\windows\system32\svchost.exe [568] 0x00FE0000
Library X:\windows\System32\svchost.exe (*** hidden *** ) @ X:\windows\System32\svchost.exe [648] 0x00FE0000

---- Services - GMER 1.0.15 ----

Service X:\windows\system32\svchost.exe (*** hidden *** ) [AUTO] Winmgmt <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName@ComputerName MINWINPC
Reg HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB@CurrentConfig 0
Reg HKLM\SYSTEM\CurrentControlSet\services\usbhub
Reg HKLM\SYSTEM\CurrentControlSet\services\usbhub@Start 3
Reg HKLM\SYSTEM\CurrentControlSet\services\usbhub@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\services\usbhub@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\services\usbhub@ImagePath \SystemRoot\system32\DRIVERS\usbhub.sys
Reg HKLM\SYSTEM\CurrentControlSet\services\usbhub@DisplayName Microsoft USB Standard Hub Driver
Reg HKLM\SYSTEM\CurrentControlSet\services\usbhub@Group Base
Reg HKLM\SYSTEM\CurrentControlSet\services\usbhub@DriverPackageId usb.inf_x86_neutral_e24d8d3fec6e4567
Reg HKLM\SYSTEM\CurrentControlSet\services\usbhub@BootFlags 4
Reg HKLM\SYSTEM\CurrentControlSet\services\Winmgmt
Reg HKLM\SYSTEM\CurrentControlSet\services\Winmgmt@DisplayName @%Systemroot%\system32\wbem\wmisvc.dll,-205
Reg HKLM\SYSTEM\CurrentControlSet\services\Winmgmt@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\services\Winmgmt@ImagePath %systemroot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\services\Winmgmt@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\services\Winmgmt@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\services\Winmgmt@Description @%Systemroot%\system32\wbem\wmisvc.dll,-204
Reg HKLM\SYSTEM\CurrentControlSet\services\Winmgmt@DependOnService RPCSS?
Reg HKLM\SYSTEM\CurrentControlSet\services\Winmgmt@ObjectName localSystem
Reg HKLM\SYSTEM\CurrentControlSet\services\Winmgmt@ServiceSidType 1
Reg HKLM\SYSTEM\CurrentControlSet\services\Winmgmt@FailureActions 0x80 0x51 0x01 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\Winmgmt\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\services\Winmgmt\Parameters@ServiceDllUnloadOnStop 1
Reg HKLM\SYSTEM\CurrentControlSet\services\Winmgmt\Parameters@ServiceMain ServiceMain
Reg HKLM\SYSTEM\CurrentControlSet\services\Winmgmt\Parameters@ServiceDll %SystemRoot%\system32\wbem\WMIsvc.dll
Reg HKLM\SYSTEM\Setup@SetupType 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion@CurrentType Multiprocessor Checked
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion@SystemRoot X:\Windows
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit userinit.exe
---- EOF - GMER 1.0.15 ----

As of January 2011 I bought a new ASUS laptop and noticed issues with it. I was unable to create the DR DVD set which was part of the install/setup process. After attaching the ASUS HDD via USB adapter I backed up the HDD and moved on. Shortly after I noticed that when I tried to disable unused services and devices I was getting issues. (Most services had to deal with remote access, peer-to-peer, multimedia connections, etc. This is/was to be a standalone system with just the RJ-45 connection.) After a reboot sometimes services would be re-enabled. My router was showing many ports being opened and either making remote connections or being dropped. Trying to install anti-virus software/tools via safe mode was denied. If I changed the registry to allow it other items would be blocked or closed part way through the install. Svchost, Rundll32, Dllhost all seem to be running and making connections. When I use Taskmgr and Resource Monitor to track things I see "unknown" and/or "-" running on occasion.

If I disable things from safe mode and lock down/harden the system I have on occasion been rebooted and/or stripped of admin rights. Trusted Installer seems to be abused and used.

KIS 2011 has allowed me to reach a stand-still but as the option to disable digital signatures is greyed out I can't stop the bug. KIS does pop up warnings that "unknown" is trying to run an untrusted or restricted item once I get this far. Again Svchost, Rundll32, and Dllhost seem to be used to work around my restrictions.

With the windows firewall on I see that even though a rule should restrict a service or process it is permitted. When KIS is used and locked down I get the same warning messages above.

At no time was the new system connected to the internet, local network, or other wireless device, until days later. I did find with GMER a Rootkit was attached to a sector of the HDD. I contacted ASUS and sent them my findings. Although ASUS refunded my money for that system my other systems have now acquired the same issues/infection and ASUS has refused assistance.

Until trying BCWipe this last week I was unable to find anything that would clean and remove the RAW hex values I found at 0x1B0. AA 55 still remains at the end of the last line.

Flashing the BIOS hasn't seemed to make a difference. Reinstalling a Windows OS starts things all over again at varying rates depending on the OS, condition of HDD, and network connection. One tool reported strange unknown and unauthorised settings/code in the PCI and ROM memory when scanning.

I'll attach the links to the original topic and look for your update later today. I'll apply whatever you want including OS to resolve this issue. I have been doing the lowest footprint of Win7 x64 usually as of late, but it takes time. I have NO trusted resource or equipment. Earlier attempts to resolve this just spread the problem.

Original Topic: http://www.bleepingcomputer.com/forums/topic396300.html/page__p__2239766__fromsearch__1#entry2239766


Thanks for the help.

Update: As I am running off a Linux live CD at the moment without a drive installed so I can surf I ran the pre-installed rkhunter. It had many warnings in the log, attached, as well as a noted file; "Warning: File '/tmp/3_nH2GGa.part' (score: 241) contains some suspicious content and should be checked."

Please be careful as I've attached the log as well as the noted file which has Windows code inside when viewed with VIM. (Not sure how or why that would be in the "/tmp" folder as this is Linux and I only have RAM for storage space...)

...seems I don't have rights to upload the suspect file.

Edited by memine, 17 May 2011 - 07:29 AM.
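The GMER logs above flag two services as hidden and print the registry values GMER found for them in the same file. The parser below pulls the Service lines out and pairs each hidden entry with its Reg values; it is an added example, not code from the post or from GMER, the function names are my own, and SAMPLE_LOG is a constructed excerpt of the first scan quoted above.

```python
"""Correlate the services a GMER log flags as hidden with the Reg entries the
same log prints. Added example; SAMPLE_LOG is a constructed excerpt of the
first scan in the post and the function names are assumptions of mine."""
import re
from collections import defaultdict

SAMPLE_LOG = r"""GMER 1.0.15.15627 - http://www.gmer.net
Rootkit scan 2011-05-16 00:34:53

---- Services - GMER 1.0.15 ----

Service X:\windows\system32\DRIVERS\usbhub.sys (*** hidden *** ) [MANUAL] usbhub <-- ROOTKIT !!!
Service X:\windows\system32\svchost.exe (*** hidden *** ) [AUTO] Winmgmt <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName@ComputerName MINWINPC
Reg HKLM\SYSTEM\CurrentControlSet\services\usbhub@ImagePath \SystemRoot\system32\DRIVERS\usbhub.sys
Reg HKLM\SYSTEM\CurrentControlSet\services\Winmgmt@Start 2
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion@SystemRoot X:\Windows
---- EOF - GMER 1.0.15 ----
"""

# "---- <Section> - GMER 1.0.15 ----" headers delimit the sections of the log.
SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER ")
# Shape of the Service lines shown in the post; other shapes are not handled.
SERVICE_RE = re.compile(
    r"^Service (?P<image>.+?) \((?P<flag>[^)]*)\) \[(?P<start>[A-Z]+)\] "
    r"(?P<name>\S+)(?P<rk> <-- ROOTKIT !!!)?$")
SERVICES_KEY = "hklm\\system\\currentcontrolset\\services\\"
COMPUTERNAME_KEY = "hklm\\system\\currentcontrolset\\control\\computername\\computername"
CURRENTVERSION_KEY = "hklm\\software\\microsoft\\windows nt\\currentversion"


def parse_reg(line):
    """Split 'Reg <key>[@<value> <data>]' into (key, value, data)."""
    body = line[len("Reg "):]
    if "@" not in body:
        return body, None, None
    key, _, rest = body.partition("@")
    value, _, data = rest.partition(" ")
    return key, value, data or None


def parse_gmer(text):
    """Return (context, services, registry): header values, one dict per
    Service line, and {key.lower(): {value_name: data}} for the Reg lines."""
    context, services, registry = {}, [], defaultdict(dict)
    section = "Header"
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        if not line.strip():
            continue
        if section == "Header" and line.startswith("Rootkit scan "):
            context["scan_time"] = line[len("Rootkit scan "):]
        elif section == "Services":
            m = SERVICE_RE.match(line)
            if m:
                services.append({
                    "name": m["name"], "image": m["image"], "start": m["start"],
                    "hidden": m["flag"].strip() == "*** hidden ***",
                    "flagged": m["rk"] is not None})
        elif section == "Registry" and line.startswith("Reg "):
            key, value, data = parse_reg(line)
            entry = registry[key.lower()]  # key-only lines still create the key
            if value is not None:
                entry[value] = data
    return context, services, registry


def hidden_service_report(text):
    """Pair every hidden service with the registry values GMER printed for it,
    plus the ComputerName/SystemRoot that show which Windows the scan ran in."""
    context, services, registry = parse_gmer(text)
    report = {
        "scan_time": context.get("scan_time"),
        "computer_name": registry.get(COMPUTERNAME_KEY, {}).get("ComputerName"),
        "system_root": registry.get(CURRENTVERSION_KEY, {}).get("SystemRoot"),
        "hidden": []}
    for svc in services:
        if not svc["hidden"]:
            continue
        reg = registry.get(SERVICES_KEY + svc["name"].lower(), {})
        report["hidden"].append({
            "name": svc["name"], "image": svc["image"], "start_mode": svc["start"],
            "reg_start": reg.get("Start"), "reg_image_path": reg.get("ImagePath"),
            "in_registry": bool(reg)})
    return report
```

The ComputerName and SystemRoot the parser recovers (MINWINPC, X:\Windows) confirm the scan was taken from the DaRT boot environment the poster describes rather than from an installed Windows, which is worth knowing before reading the hidden-service flags.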



#2 gringo_pr


Posted 20 May 2011 - 10:38 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.


We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.


In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:

  • Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger may ask you to reboot the machine, if it does - click OK
Do not re-enable these drivers until otherwise instructed.

Download DDS:

  • Please download DDS by sUBs from one of the links below and save it to your desktop:

    Download DDS and save it to your desktop

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.

    • Double-Click on dds.scr and a command window will appear. This is normal.
    • Shortly after two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply





Scan With RKUnHooker

  • Please Download Rootkit Unhooker Save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers, Stealth. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note: you may get this warning; it is OK, just ignore it.

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


"just click on Cancel, then Accept".


information and logs:

  • In your next post I need the following

  • .logs from DDS
  • log from RKUnHooker
  • let me know of any problems you may have had

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 Zen Seeker


Posted 22 May 2011 - 03:07 AM

Just saw the update. Thanks for the feedback.

As I noted in my earlier post I don't have an OS at the moment, I've been using DaRT and Linux live disks. The infection seems to be in the chipset and usually infects a USB/HDD at 0xB10 at boot or install of an OS. (The GMER program is run off an empty HDD booted from a DaRT or OEM Vista recovery disk.)

I'll load Windows 7 and grab the tools later today and apply as noted, unless I see an update stating otherwise.

Regards

#4 Zen Seeker


Posted 22 May 2011 - 05:07 PM

Please find attached Logs.zip which includes a RKU-Error-ScreenShot.rtf file.

Couldn't get RKU to run in normal or safe mode, with or without run-as.

Look forward to your reply.

Thanks and regards, enjoy your weekend!

(Used a zip because the rtf was too large.)

#5 gringo_pr


Posted 22 May 2011 - 05:20 PM

don't see the reports


gringo

#6 Zen Seeker


Posted 22 May 2011 - 05:25 PM

Trying to upload it. Won't display the upload button...just the browse. This happened in Windows the last time I wanted to post logs and I had to switch to a Linux distro. (I switched to the non-flash upload same thing...anything a fresh install of Windows 7 Home Basic needs to upload?)

I'll have it up in a few minutes and then post again.

Strange...saved a copy to the root of C: from windows. Now it's a 500MB file? This is the original from my user profile desktop.

Please let me know what you find.

Edited by memine, 22 May 2011 - 05:47 PM.


#7 gringo_pr


Posted 22 May 2011 - 06:03 PM

Hello

I Would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only); if this happens please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

#8 Zen Seeker


Posted 22 May 2011 - 10:35 PM

Please find attached requested logs:

System has only been created and used for this testing and nothing else. I've noted a few of the things I've noticed in the last email as well as the attached text file. Until I harden the system, update the firewall, and add anti virus things will run fine but with active services and open ports.

Although ComboFix ran it didn't record all the files/folders created between the test dates noted. I ran the tool again with strange results noted. Please let me know what you would like me to do next.

Regards

#9 gringo_pr


Posted 22 May 2011 - 10:42 PM

I would like to see a gmer scan now


gringo

#10 Zen Seeker


Posted 23 May 2011 - 10:04 AM

I downloaded the latest version of GMER and tried after midnight.

I'm no longer able to run proper scans. Only the last 3 boxes are checked at start, files, services, ADS I think, and the rest are greyed out. Same happens if I run the copy I have burned to disk a few weeks ago which was working fine without restriction.

Next I booted off a DaRT disk and was given an access denied message trying to launch the new version on the HDD. I was given an unsupported platform message when I tried to run the old version off my CD disk, and again when I copied it to the HDD in a new folder.

This is new and never happened in the past.

I have also found that I'm not able to boot into the default graphics mode of one of my linux boot disks. I now get a vesa error which is new.

I can always nuke the HDD and start again, if you wish, but the linux issue worries me as I remove all drives first and then boot from the CD only.

What would you like me to try next?

#11 gringo_pr


Posted 23 May 2011 - 01:33 PM

that is normal for a 64 bit system and I would still like to see the scan


gringo

#12 Zen Seeker


Posted 23 May 2011 - 06:31 PM

It wasn't normal for the last two weeks on X64, including the DaRT boot disk? I'll do it again and save the log this time, as-is. (My other system is x64 and still shows the other options checked rather than greyed out when I use the one saved to DVD.)

#13 gringo_pr


Posted 23 May 2011 - 06:54 PM

ok I will be waiting for it


gringo

#14 Zen Seeker


Posted 24 May 2011 - 09:45 AM

Sorry for the delay; Family issues popped up last night.

Please find attached 20110524-Logs.zip

It contains the following files:
New_GMER_scan.log - Empty, not even a header.
Screen_shots.rtf - My written comments and screen shots.
cmd.cfxxe.txt - Renamed cmd.cfxxe.mui file found in new folder off C:.
1-ComboFix.txt - Added as I'm not sure you received it last time.
ComboFix.txt - Added as I'm not sure you received it last time.


The following note is also in the attached "Screen_shots.rtf".

I ran ComboFix again but a popup said that the version I had expired.
I set the date back to May 22nd and ran again.
ComboFix started but once the blue command window opened it closed, and the ComboFix executable was gone/deleted.

Now the "32788R22FWJFW" folder is back, noted in earlier post, off the root with a subfolder "EN-US" and file "cmd.cfxxe.mui". (See attached file cmd.cfxxe.txt which I just renamed.)

This is a copy of the last few lines of the code in the noted file...characters and spacing are altered but the original will show it.



Let me know what you will need/like next. (Running out of upload space so I had to delete the last log zip file.)

#15 gringo_pr


Posted 24 May 2011 - 08:49 PM

The GMer scan is blank


The CFXXX files are from combofix


I would like to see a GMer scan



gringo
