Unknown Malware/Virus Infection


  • This topic is locked
47 replies to this topic

#31 hilus

  • Topic Starter
  • Members
  • 69 posts
  • Gender:Male
  • Location:Portsmouth, NH

Posted 19 May 2011 - 10:25 AM

Hi,

So Malwarebytes is scanning right now, but I had the same problem with RKill. I could not download it. So I changed the extension to .zip and successfully downloaded it, then changed the file extension back to .exe, but when I double clicked to execute I received the same message that I do not have permission. So I used another computer and a thumb drive to download it, and when I plugged the thumb drive in I executed RKill from the thumb drive and it worked. Am I dealing with a corrupted Windows at this point? If that's the case I'll probably need to do a wipe. Damn!


#32 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 19 May 2011 - 10:39 AM

You have an infection which is a new variant that our tools aren't finding at the moment. We'll find a way to kill it. If MBAM finds nothing, then see if you can run the following:

Keep using RKill to disable whatever process is causing the issue.

Scan With RootKitUnHooker

  • Please Download Rootkit Unhooker and save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (tick) Drivers and Stealth.
  • Uncheck the rest, then click OK.
  • When prompted to Select Disks for Scan, make sure C:\ is checked and click OK
  • Wait till the scanner has finished and then click File > Save Report.
  • Save the report somewhere where you can find it. Click Close.
  • Copy the entire contents of the report and paste it in your next reply.

Note: you may get the following warning; just click OK and continue.

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#33 hilus

  • Topic Starter
  • Members
  • 69 posts
  • Gender:Male
  • Location:Portsmouth, NH

Posted 19 May 2011 - 11:50 AM

Hi

Well, wouldn't you know, Malwarebytes found more. Here is the log file. Also Avira just popped up telling me there are 5 virus/unwanted files but access was denied. I'm restarting the system as instructed by Malwarebytes. Where does this C:/Qoobox file keep coming from? Please note I have a network storage attached; could I be getting reinfected by that? It's one of those Seagate wireless drives with automatic backup. I also included the Avira log....



Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6617

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

5/19/2011 12:31:44 PM
mbam-log-2011-05-19 (12-31-44).txt

Scan type: Full scan (C:\|)
Objects scanned: 234110
Time elapsed: 1 hour(s), 12 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Qoobox\quarantine\C\documents and settings\John\application data\cleanhlc.dll.vir (Trojan.FakeMS) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\documents and settings\John\application data\cleanhlc.exe.vir (Trojan.FakeMS) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\pdozab.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\sermap.dll.vir (Trojan.Hiloti) -> Quarantined and deleted successfully.


_____________________________________________________________________________________________________________________________




Avira AntiVir Personal
Report file date: Thursday, May 19, 2011 12:35

Scanning for 2746449 virus strains and unwanted programs.

The program is running as an unrestricted full version.
Online services are available:

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : FAMILY

Version information:
BUILD.DAT : 10.0.0.648 31823 Bytes 4/1/2011 18:36:00
AVSCAN.EXE : 10.0.4.2 442024 Bytes 4/1/2011 21:07:43
AVSCAN.DLL : 10.0.3.0 46440 Bytes 4/1/2011 21:07:57
LUKE.DLL : 10.0.3.2 104296 Bytes 4/1/2011 21:07:53
LUKERES.DLL : 10.0.0.1 12648 Bytes 2/11/2010 04:40:49
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 14:05:36
VBASE001.VDF : 7.11.0.0 13342208 Bytes 12/14/2010 20:15:47
VBASE002.VDF : 7.11.3.0 1950720 Bytes 2/9/2011 20:15:47
VBASE003.VDF : 7.11.5.225 1980416 Bytes 4/7/2011 14:22:32
VBASE004.VDF : 7.11.5.226 2048 Bytes 4/7/2011 14:22:32
VBASE005.VDF : 7.11.5.227 2048 Bytes 4/7/2011 14:22:32
VBASE006.VDF : 7.11.5.228 2048 Bytes 4/7/2011 14:22:33
VBASE007.VDF : 7.11.5.229 2048 Bytes 4/7/2011 14:22:33
VBASE008.VDF : 7.11.5.230 2048 Bytes 4/7/2011 14:22:33
VBASE009.VDF : 7.11.5.231 2048 Bytes 4/7/2011 14:22:33
VBASE010.VDF : 7.11.5.232 2048 Bytes 4/7/2011 14:22:33
VBASE011.VDF : 7.11.5.233 2048 Bytes 4/7/2011 14:22:33
VBASE012.VDF : 7.11.5.234 2048 Bytes 4/7/2011 14:22:33
VBASE013.VDF : 7.11.6.28 158208 Bytes 4/11/2011 14:22:35
VBASE014.VDF : 7.11.6.74 116224 Bytes 4/13/2011 14:22:36
VBASE015.VDF : 7.11.6.113 137728 Bytes 4/14/2011 14:22:37
VBASE016.VDF : 7.11.6.150 146944 Bytes 4/18/2011 14:22:39
VBASE017.VDF : 7.11.6.192 138240 Bytes 4/20/2011 14:22:40
VBASE018.VDF : 7.11.6.237 156160 Bytes 4/22/2011 14:22:41
VBASE019.VDF : 7.11.7.45 427520 Bytes 4/27/2011 14:22:45
VBASE020.VDF : 7.11.7.64 192000 Bytes 4/28/2011 14:22:47
VBASE021.VDF : 7.11.7.97 182272 Bytes 5/2/2011 14:22:48
VBASE022.VDF : 7.11.7.127 467968 Bytes 5/4/2011 14:22:52
VBASE023.VDF : 7.11.7.183 185856 Bytes 5/9/2011 14:22:54
VBASE024.VDF : 7.11.7.218 133120 Bytes 5/11/2011 14:22:55
VBASE025.VDF : 7.11.7.234 139776 Bytes 5/11/2011 14:22:56
VBASE026.VDF : 7.11.8.16 147456 Bytes 5/13/2011 14:22:58
VBASE027.VDF : 7.11.8.46 169472 Bytes 5/17/2011 14:22:59
VBASE028.VDF : 7.11.8.47 2048 Bytes 5/17/2011 14:22:59
VBASE029.VDF : 7.11.8.48 2048 Bytes 5/17/2011 14:23:00
VBASE030.VDF : 7.11.8.49 2048 Bytes 5/17/2011 14:23:00
VBASE031.VDF : 7.11.8.67 53248 Bytes 5/19/2011 14:23:00
Engineversion : 8.2.4.236
AEVDF.DLL : 8.1.2.1 106868 Bytes 3/28/2011 20:15:27
AESCRIPT.DLL : 8.1.3.63 1601915 Bytes 5/19/2011 14:23:25
AESCN.DLL : 8.1.7.2 127349 Bytes 3/28/2011 20:15:27
AESBX.DLL : 8.1.3.2 254324 Bytes 3/28/2011 20:15:26
AERDL.DLL : 8.1.9.9 639347 Bytes 3/25/2011 16:21:38
AEPACK.DLL : 8.2.6.8 557430 Bytes 5/19/2011 14:23:22
AEOFFICE.DLL : 8.1.1.22 205178 Bytes 5/19/2011 14:23:19
AEHEUR.DLL : 8.1.2.118 3469687 Bytes 5/19/2011 14:23:18
AEHELP.DLL : 8.1.16.1 246134 Bytes 3/28/2011 20:15:20
AEGEN.DLL : 8.1.5.5 401780 Bytes 5/19/2011 14:23:05
AEEMU.DLL : 8.1.3.0 393589 Bytes 3/28/2011 20:15:19
AECORE.DLL : 8.1.20.4 196983 Bytes 5/19/2011 14:23:03
AEBB.DLL : 8.1.1.0 53618 Bytes 3/28/2011 20:15:19
AVWINLL.DLL : 10.0.0.0 19304 Bytes 3/28/2011 20:15:31
AVPREF.DLL : 10.0.0.0 44904 Bytes 4/1/2011 21:07:42
AVREP.DLL : 10.0.0.10 174120 Bytes 5/19/2011 14:23:26
AVREG.DLL : 10.0.3.2 53096 Bytes 4/1/2011 21:07:42
AVSCPLR.DLL : 10.0.4.2 84840 Bytes 4/1/2011 21:07:43
AVARKT.DLL : 10.0.22.6 231784 Bytes 4/1/2011 21:07:38
AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 4/1/2011 21:07:41
SQLITE3.DLL : 3.6.19.0 355688 Bytes 6/17/2010 19:27:22
AVSMTP.DLL : 10.0.0.17 63848 Bytes 3/28/2011 20:15:30
NETNT.DLL : 10.0.0.0 11624 Bytes 3/28/2011 20:15:39
RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 4/1/2011 21:07:58
RCTEXT.DLL : 10.0.58.0 97128 Bytes 3/28/2011 20:15:52

Configuration settings for the scan:
Jobname.............................: avguard_async_scan
Configuration file..................: C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\AVGUARD_4e10d46d\guard_slideup.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: quarantine
Scan master boot sector.............: on
Scan boot sector....................: off
Process scan........................: on
Scan registry.......................: off
Search for rootkits.................: off
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: high
Deviating risk categories...........: +APPL,+GAME,+JOKE,+PCK,+PFS,+SPR,

Start of the scan: Thursday, May 19, 2011 12:35

The scan of running processes will be started
Scan process 'NOTEPAD.EXE' - '1' Module(s) have been scanned
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'NOTEPAD.EXE' - '1' Module(s) have been scanned
Scan process 'mbam.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'HipServAgent.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'MemeoUpdater.exe' - '1' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
Scan process 'InstantBackup.exe' - '1' Module(s) have been scanned
Scan process 'iPodService.exe' - '1' Module(s) have been scanned
Scan process 'WG111v3.exe' - '1' Module(s) have been scanned
Scan process 'MemeoDashboard.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'SeagateDashboardService.exe' - '1' Module(s) have been scanned
Scan process 'locator.exe' - '1' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
Scan process 'MemeoBackgroundService.exe' - '1' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'avshadow.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned

Starting the file scan:

Begin scan in 'C:\Qoobox\Quarantine\C\Documents and Settings\John\Application Data\cleanhlc.dll.vir'
Search path C:\Qoobox\Quarantine\C\Documents and Settings\John\Application Data\cleanhlc.dll.vir could not be opened!
System error [2]: The system cannot find the file specified.
Begin scan in 'C:\Qoobox\Quarantine\C\Documents and Settings\John\Application Data\cleanhlc.exe.vir'
Search path C:\Qoobox\Quarantine\C\Documents and Settings\John\Application Data\cleanhlc.exe.vir could not be opened!
System error [2]: The system cannot find the file specified.
Begin scan in 'C:\Qoobox\Quarantine\C\WINDOWS\Pdozab.exe.vir'
Search path C:\Qoobox\Quarantine\C\WINDOWS\Pdozab.exe.vir could not be opened!
System error [2]: The system cannot find the file specified.
Begin scan in 'C:\Qoobox\Quarantine\C\WINDOWS\sermap.dll.vir'
Search path C:\Qoobox\Quarantine\C\WINDOWS\sermap.dll.vir could not be opened!
System error [2]: The system cannot find the file specified.
Begin scan in 'C:\Qoobox\Quarantine\C\WINDOWS\system32\AdbUpdater.exe.vir'
C:\Qoobox\Quarantine\C\WINDOWS\system32\AdbUpdater.exe.vir
[DETECTION] Is the TR/Azuhee.A Trojan

Beginning disinfection:
C:\Qoobox\Quarantine\C\WINDOWS\system32\AdbUpdater.exe.vir
[DETECTION] Is the TR/Azuhee.A Trojan
[NOTE] The file was moved to the quarantine directory under the name '4c39ec26.qua'.


End of the scan: Thursday, May 19, 2011 12:41
Used time: 00:02 Minute(s)

The scan has been done completely.

0 Scanned directories
37 Files were scanned
1 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
1 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
36 Files not concerned
0 Archives were scanned
0 Warnings
1 Notes


The scan results will be transferred to the Guard.

#34 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 19 May 2011 - 12:24 PM

Hi

Qoobox is ComboFix's quarantine, so we don't really have to worry about files located there.

It's the permission issue that is still a concern.

Please do the following:

Download this > inherit

Drag each of the exe files that you are unable to run into Inherit.exe.

Then wait for it to say "OK".

Please let me know if you are able to run them now.

Please run the following:

Download TFC to your desktop
Mirror
  • Close any open windows.
  • Double click the TFC icon to run the program.
  • TFC will close all open programs itself in order to run.
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job.
  • Once it's finished it should automatically reboot your machine; if it doesn't, manually reboot to ensure a complete clean.
It's normal after running TFC cleaner that the PC will be slower to boot the first time.

You could try running the ESET scanner on the attached storage files to see if anything there is infected, as something definitely reinfected you.


Please run DDS and GMER once again to see if anything else shows up.



#35 hilus

  • Topic Starter
  • Members
  • 69 posts
  • Gender:Male
  • Location:Portsmouth, NH

Posted 19 May 2011 - 12:26 PM

Hi

I was just sitting here and I decided to do a little snooping around, because after my last post I still cannot run any .exe files or download anything. I still have to execute from my thumb drive. So I was looking in Administrative Tools > Local Security Policies > Local Policies > User Rights Assignments and I found in many of the policies an entry I don't recognize: "S-1-5-21-1220945662-343818398-1801674531-1004". I also noticed that many of my security options are different, and I have no software restriction policies even though I remember having them in place when I built this computer. Not sure if that helps....

John....
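The unfamiliar SID hilus found under User Rights Assignments can be inventoried from a secedit export instead of clicked through policy by policy. The Python script below is an added example, not part of the thread: it parses the [Privilege Rights] section of a `secedit /export /cfg` file (the embedded INF is constructed, carrying the SID from this post with sample rights that are assumptions for the demonstration) and flags every principal that is not a well-known SID, most urgently on rights such as SeDebugPrivilege.

```python
import re

# Constructed excerpt in the format written by
#   secedit /export /cfg secpol.inf /areas USER_RIGHTS
# The S-1-5-21-...-1004 principal is the SID hilus reported; the rights it
# holds here are sample values for the demonstration, not taken from his PC.
SAMPLE_INF = """[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,*S-1-5-21-1220945662-343818398-1801674531-1004
SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-1220945662-343818398-1801674531-1004
SeTcbPrivilege =
SeLoadDriverPrivilege = *S-1-5-32-544,*S-1-5-32-551
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Rights that give an ordinary account kernel- or SYSTEM-level reach; an
# unexplained principal on one of these is the first thing to chase.
HIGH_IMPACT = {
    "SeDebugPrivilege", "SeTcbPrivilege", "SeLoadDriverPrivilege",
    "SeTakeOwnershipPrivilege", "SeBackupPrivilege", "SeRestorePrivilege",
    "SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege",
}

# Well-known and built-in SIDs that are expected in a default policy.
WELL_KNOWN = {
    "S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users",
    "S-1-5-18": "SYSTEM", "S-1-5-19": "LOCAL SERVICE",
    "S-1-5-20": "NETWORK SERVICE", "S-1-5-32-544": "Administrators",
    "S-1-5-32-545": "Users", "S-1-5-32-551": "Backup Operators",
}

# S-1-5-21-<three sub-authorities>-<RID>: a machine or domain account.
ACCOUNT_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")


def parse_privilege_rights(text):
    """Return {right: [principal, ...]} from the [Privilege Rights] section.

    Values are comma-separated; SIDs carry a leading '*', resolvable names
    may appear bare, and an empty value means nobody holds the right."""
    rights, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line == "[Privilege Rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        rights[name.strip()] = [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
    return rights


def describe(principal):
    """Human-readable note for a principal, without touching the live SAM."""
    if principal in WELL_KNOWN:
        return WELL_KNOWN[principal]
    m = ACCOUNT_RE.match(principal)
    if m:
        rid = int(m.group(1))
        if rid == 500:
            return "built-in Administrator"
        if rid == 501:
            return "built-in Guest"
        # RIDs from 1000 up are handed out to accounts created after install;
        # resolve to a name on the machine itself (e.g. wmic useraccount).
        return f"account RID {rid}, created after install; resolve on the host"
    return "unrecognised principal"


def audit(rights):
    """List (severity, right, principal, note) for every non-well-known holder."""
    findings = []
    for right, principals in rights.items():
        for p in principals:
            if p in WELL_KNOWN:
                continue
            severity = "high" if right in HIGH_IMPACT else "review"
            findings.append((severity, right, p, describe(p)))
    return sorted(findings, key=lambda f: (f[0] != "high", f[1]))


if __name__ == "__main__":
    for severity, right, principal, note in audit(parse_privilege_rights(SAMPLE_INF)):
        print(f"[{severity:6}] {right}: {principal} ({note})")
```

On the affected machine the same functions would be run over the file produced by `secedit /export /cfg secpol.inf /areas USER_RIGHTS`, and a RID-1004 account holding SeDebugPrivilege is exactly the kind of entry to explain before trusting the box again.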

#36 hilus

  • Topic Starter
  • Members
  • 69 posts
  • Gender:Male
  • Location:Portsmouth, NH

Posted 19 May 2011 - 12:27 PM

I still can't download anything. I tried downloading with IE and it said I don't have permission... I'm going to disconnect the network storage and see what happens.

Edited by hilus, 19 May 2011 - 12:31 PM.


#37 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 19 May 2011 - 12:29 PM

Do you recall when that first started, that you were unable to download anything? What happens when you try to download?



#38 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 19 May 2011 - 12:31 PM

Can you please run the RKU from the USB (post #32) and try the Inherit program for the exe files?



#39 hilus

  • Topic Starter
  • Members
  • 69 posts
  • Gender:Male
  • Location:Portsmouth, NH

Posted 19 May 2011 - 02:36 PM

Hi

OK, that Inherit app did the trick. It let me run RKU and TFC. RKU seems to have found something. This thing is tenacious... Hey, if I haven't said it in a while, thank you for all your help...

John...


RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #1
==============================================
>Drivers
==============================================
0xB975F000 C:\WINDOWS\System32\DRIVERS\nv4_mini.sys 6135808 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Miniport Driver, Version 178.13 )
0xBF012000 C:\WINDOWS\System32\nv4_disp.dll 6057984 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Display driver, Version 178.13 )
0xB932E000 C:\WINDOWS\system32\drivers\ALCXWDM.SYS 4026368 bytes (Realtek Semiconductor Corp., Realtek AC'97 Audio Driver (WDM))
0x804D7000 C:\WINDOWS\system32\ntoskrnl.exe 2189056 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2189056 bytes
0x804D7000 RAW 2189056 bytes
0x804D7000 WMIxWDM 2189056 bytes
0xBF800000 Win32k 1847296 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1847296 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xF7B52000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xB6C53000 C:\WINDOWS\System32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xB8F44000 C:\WINDOWS\System32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xB6D86000 C:\WINDOWS\System32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xB8FF2000 C:\WINDOWS\System32\DRIVERS\rdpdr.sys 200704 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xF75A8000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xF740C000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xB6CEB000 C:\WINDOWS\System32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xB6D5E000 C:\WINDOWS\System32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xB6C2D000 C:\WINDOWS\system32\DRIVERS\avipbb.sys 155648 bytes (Avira GmbH, Avira Driver for Security Enhancement)
0xF74B2000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0xB6D16000 C:\WINDOWS\System32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xAB13D000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 147456 bytes (Microsoft Corporation, Fast FAT File System Driver)
0xB92F6000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xB9705000 C:\WINDOWS\System32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xB9728000 C:\WINDOWS\System32\DRIVERS\USBPORT.SYS 143360 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xB6D3C000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x806EE000 ACPI_HAL 131968 bytes
0x806EE000 C:\WINDOWS\system32\hal.dll 131968 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF7462000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xF74D8000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xF787D000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xF749A000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xB6B4D000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xF7482000 C:\WINDOWS\system32\DRIVERS\SCSIPORT.SYS 98304 bytes (Microsoft Corporation, SCSI Port Driver)
0xF7439000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xB92DF000 C:\WINDOWS\System32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xAC427000 C:\WINDOWS\system32\DRIVERS\avgntflt.sys 86016 bytes (Avira GmbH, Avira Minifilter Driver)
0xABEC2000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xB974B000 C:\WINDOWS\System32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xB6DDF000 C:\WINDOWS\System32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xF7450000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xF7597000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xB92CE000 C:\WINDOWS\System32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xF7537000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xBA2AC000 C:\WINDOWS\System32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xBA28C000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xBA29C000 C:\WINDOWS\System32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xAC137000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xF76B7000 C:\WINDOWS\System32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xBA738000 C:\WINDOWS\system32\DRIVERS\AmdPPM.sys 53248 bytes (Advanced Micro Devices, AMD Processor Driver)
0xF7637000 C:\WINDOWS\System32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xBA27C000 C:\WINDOWS\System32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xF7617000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xF7687000 C:\WINDOWS\System32\Drivers\pcouffin.sys 49152 bytes (VSO Software, low level access layer for CD/DVD/BD devices)
0xBA25C000 C:\WINDOWS\System32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xF7587000 C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys 49152 bytes (-, SASKUTIL.SYS)
0xF7567000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xBA2BC000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xF7607000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xBA26C000 C:\WINDOWS\System32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xF7657000 viaagp.sys 45056 bytes (Microsoft Corporation, VIA NT AGP Filter)
0xAC504000 C:\WINDOWS\system32\DRIVERS\EAPPkt.sys 40960 bytes (Realtek, Realtek EAPPkt Protocol Driver)
0xF75F7000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xF76A7000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xF7697000 C:\WINDOWS\System32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xBA2CC000 C:\WINDOWS\System32\DRIVERS\AN983.sys 36864 bytes (ADMtek Incorporated., ADMtek AN983/AN985/ADM951X NDIS5 Driver)
0xF7627000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xF7527000 C:\WINDOWS\System32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xBA24C000 C:\WINDOWS\System32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xF76D7000 C:\WINDOWS\System32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xABE6F000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xF7647000 PxHelp20.sys 36864 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0xF7577000 C:\WINDOWS\System32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xF77A7000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xF77CF000 C:\WINDOWS\System32\DRIVERS\usbccgp.sys 32768 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0xF773F000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xF778F000 C:\WINDOWS\System32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xF7707000 C:\WINDOWS\System32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xF776F000 C:\WINDOWS\system32\DRIVERS\RimSerial.sys 28672 bytes (Research in Motion Ltd, RIM Virtual Serial Driver)
0xF77B7000 C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS 28672 bytes (-, SASDIFSV)
0xF771F000 ultra.sys 28672 bytes (Promise Technology, Inc., Promise Ultra Series Driver for WindowsXP)
0xF77C7000 C:\WINDOWS\system32\DRIVERS\usbprint.sys 28672 bytes (Microsoft Corporation, USB Printer driver)
0xB8FDA000 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 28672 bytes (Microsoft Corporation, USB Mass Storage Class Driver)
0xF7727000 viaagp1.sys 28672 bytes (VIA Technologies, Inc., VIA NT AGP Filter)
0xF7747000 C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
0xF7777000 C:\WINDOWS\System32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xF777F000 C:\WINDOWS\System32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xF7717000 pavboot.sys 24576 bytes (Panda Security, S.L., Panda Boot Driver)
0xF77AF000 C:\WINDOWS\system32\DRIVERS\ssmdrv.sys 24576 bytes (Avira GmbH, AVIRA SnapShot Driver)
0xF7797000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xB8FE2000 C:\WINDOWS\system32\DRIVERS\AegisP.sys 20480 bytes (Meetinghouse Data Communications, IEEE 802.1X Protocol Driver)
0xF779F000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF770F000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF775F000 C:\WINDOWS\System32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF7767000 C:\WINDOWS\System32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xF7757000 C:\WINDOWS\System32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xF781F000 C:\WINDOWS\System32\DRIVERS\usbohci.sys 20480 bytes (Microsoft Corporation, OHCI USB Miniport Driver)
0xF774F000 C:\WINDOWS\System32\DRIVERS\usbuhci.sys 20480 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xF77EF000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xF793F000 C:\WINDOWS\System32\DRIVERS\kbdhid.sys 16384 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xBA730000 C:\WINDOWS\System32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xF7897000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xB9D5D000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xBA7F0000 C:\WINDOWS\System32\DRIVERS\gameenum.sys 12288 bytes (Microsoft Corporation, Game Port Enumerator)
0xF7937000 C:\WINDOWS\System32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xF7943000 C:\WINDOWS\System32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xBA7EC000 C:\WINDOWS\System32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xB9D55000 C:\WINDOWS\System32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xF79B9000 C:\Program Files\Avira\AntiVir Desktop\avgio.sys 8192 bytes (Avira GmbH, Avira AntiVir Support for Minifilter)
0xF79B1000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xF798D000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
0xF79C5000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xF79AF000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF7987000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xF79B3000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xF79B5000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF79A9000 C:\WINDOWS\System32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF79AD000 C:\WINDOWS\System32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF798B000 viaide.sys 8192 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
0xF7989000 C:\WINDOWS\System32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xF7A89000 C:\WINDOWS\System32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xBA313000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xF7A88000 C:\WINDOWS\system32\drivers\msmpu401.sys 4096 bytes (Microsoft Corporation, MPU401 Adapter Driver)
0xF7AB3000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
==============================================
>Stealth
==============================================
0x054D0000 Hidden Image-->System.Data.dll [ EPROCESS 0x8A73BA98 ] PID: 1048, 2961408 bytes
0x05520000 Hidden Image-->DevComponents.DotNetBar2.dll [ EPROCESS 0x8A681990 ] PID: 1808, 3305472 bytes
0x03800000 Hidden Image-->Interop.ProfMan.dll [ EPROCESS 0x8A73BA98 ] PID: 1048, 36864 bytes
0x04E00000 Hidden Image-->Interop.eWebControl.dll [ EPROCESS 0x8A73BA98 ] PID: 1048, 36864 bytes
0x00F40000 Hidden Image-->System.Management.dll [ EPROCESS 0x8A866580 ] PID: 1444, 380928 bytes
0x04BD0000 Hidden Image-->Memeo.Dashboard.SeagatePreferencesPlugin.dll [ EPROCESS 0x8A681990 ] PID: 1808, 45056 bytes
0x04560000 Hidden Image-->Memeo.Dashboard.AddComputersPlugin.dll [ EPROCESS 0x8A681990 ] PID: 1808, 45056 bytes
0x04870000 Hidden Image-->Memeo.Dashboard.FolderViewPlugin.dll [ EPROCESS 0x8A681990 ] PID: 1808, 45056 bytes
0x04890000 Hidden Image-->Memeo.Dashboard.LoadContentPlugin.dll [ EPROCESS 0x8A681990 ] PID: 1808, 53248 bytes
0x04600000 Hidden Image-->Memeo.Dashboard.AddUserPlugin.dll [ EPROCESS 0x8A681990 ] PID: 1808, 61440 bytes


!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)
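As an added example (not part of the posted log or of any tool in this thread), a small Python parser for the report format shown above: it reads the driver list and the ">Stealth" section, groups hidden images by PID for triage, and flags drivers the report lists without a full path (as with viaide.sys above), which are worth a second look. The sample input is constructed from a few lines in the same format.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the posted report: a driver list
# followed by the ">Stealth" section. Not the thread's full log.
SAMPLE_LOG = r"""
0xF7987000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xF798B000 viaide.sys 8192 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
0xF7AB3000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
==============================================
>Stealth
==============================================
0x054D0000 Hidden Image-->System.Data.dll [ EPROCESS 0x8A73BA98 ] PID: 1048, 2961408 bytes
0x05520000 Hidden Image-->DevComponents.DotNetBar2.dll [ EPROCESS 0x8A681990 ] PID: 1808, 3305472 bytes
0x03800000 Hidden Image-->Interop.ProfMan.dll [ EPROCESS 0x8A73BA98 ] PID: 1048, 36864 bytes
"""

# "0xBASE path size bytes (vendor, description)"
DRIVER_RE = re.compile(r"^0x([0-9A-Fa-f]+)\s+(\S+)\s+(\d+) bytes \((.*)\)$")
# "0xBASE Hidden Image-->name [ EPROCESS 0x... ] PID: n, size bytes"
HIDDEN_RE = re.compile(
    r"^0x([0-9A-Fa-f]+) Hidden Image-->(\S+) \[ EPROCESS 0x([0-9A-Fa-f]+) \] PID: (\d+), (\d+) bytes$"
)

def parse_report(text):
    """Split a report into (drivers, hidden_images); unrecognised lines are ignored."""
    drivers, hidden = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = HIDDEN_RE.match(line)
        if m:
            hidden.append({"base": int(m.group(1), 16), "image": m.group(2),
                           "eprocess": int(m.group(3), 16), "pid": int(m.group(4)),
                           "size": int(m.group(5))})
            continue
        m = DRIVER_RE.match(line)
        if m:
            drivers.append({"base": int(m.group(1), 16), "path": m.group(2),
                            "size": int(m.group(3)), "info": m.group(4)})
    return drivers, hidden

def pathless_drivers(drivers):
    """Drivers listed by bare file name only (no directory), e.g. viaide.sys."""
    return [d["path"] for d in drivers if "\\" not in d["path"]]

def hidden_by_pid(hidden):
    """Map each PID to the hidden image names reported inside it."""
    grouped = defaultdict(list)
    for h in hidden:
        grouped[h["pid"]].append(h["image"])
    return dict(grouped)

if __name__ == "__main__":
    drv, hid = parse_report(SAMPLE_LOG)
    print("pathless drivers:", pathless_drivers(drv))
    print("hidden images by PID:", hidden_by_pid(hid))
```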

#40 hilus

hilus
  • Topic Starter

  • Members
  • 69 posts
  • OFFLINE
  • Gender:Male
  • Location:Portsmouth, NH
  • Local time:09:26 PM

Posted 19 May 2011 - 02:39 PM

do you recall when that first started, that you were unable to download anything? What happens when you try to download?




Sometime today after we ran ESET, I think. You had me run ESET and it cleaned up a bunch of stuff. Then that's when it started.

#41 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:09:26 PM

Posted 19 May 2011 - 02:40 PM

Interesting,

OK, let's give this a try:

Earlier on ComboFix installed the Recovery Console. We're going to use that now.
  • Reboot your machine and when the Boot Menu flashes up - select "Microsoft Windows Recovery Console"
    (you need to be very fast with the arrow key as you only have a couple of seconds before it defaults to the windows XP bootup)


  • When you get to the above screen, take note of the number that references your operating system.
  • If it's '1' like the picture above, type 1 and press Enter
  • It will then prompt you for the Administrator's password. If there is no password, simply press enter.
    Otherwise type in the password and then press enter.


  • Next type FIXMBR


  • If it asks if you're sure you want to write a new MBR, answer 'Y'
  • Then type EXIT to reboot the machine.


Now let me know how the computer is behaving.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#42 hilus

hilus
  • Topic Starter

  • Members
  • 69 posts
  • OFFLINE
  • Gender:Male
  • Location:Portsmouth, NH
  • Local time:09:26 PM

Posted 19 May 2011 - 11:09 PM

Hi

Sorry it took so long, I had to go to work. I just completed your last post and nothing changed. Don't know what else to do....

#43 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:09:26 PM

Posted 20 May 2011 - 06:05 AM

Please describe in as much detail as possible the outstanding issues and what happens when you try and download, so I can look into it further.


Please post a fresh set of diagnostic logs so I can take another look:

DDS and GMER

(the first diagnostic logs you posted)


Use inherit if they won't run initially.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#44 hilus

hilus
  • Topic Starter

  • Members
  • 69 posts
  • OFFLINE
  •  
  • Location:Portsmouth, NH
  • Local time:09:26 PM

Posted 20 May 2011 - 09:51 AM

Hi

I'm at a loss as to what happened, this is the worst infection ever. So right now the main issues are as follows. The browsers (IE and Firefox) redirect. It's not as bad as it was but it's still going on.

As for downloads, regardless of where I try to save a download, it's unsuccessful. Specifically, when I start a download, pick the location and start the download, it stops abruptly. IE tells me I don't have permission and never does anything. Firefox starts and stops abruptly. In the download window there is a small circle arrow; if I click on it, the download restarts and I can see the file appear at its destination. However, when the download is completed the file disappears and I don't know where it goes.


Finally, as it stands right now I am unable to run most .exe applications that I was able to download several days ago. When I click on an app I get the "I don't have permission" message that pops up. Oddly, if I download from another computer onto a thumb drive and run it from there, it works.

I just had a thought: when I used the Microsoft website to "FIX" IE, I was still infected. Is it possible that the internet security settings were set to such a high threshold that nothing will run if I try to download and then run it? I'm going to look at my settings when I get home and I will let you know. I will also try to get GMER and DDS logs for you....


Thanks for all your help.....

#45 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:09:26 PM

Posted 20 May 2011 - 09:57 AM

Hi, yes, check the security settings, that could definitely explain that particular issue.

The redirects may also be a result of a router hijack as there doesn't appear to be any rootkit left, we should try resetting the router as well.


Reset your Router:

  • This can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router.
  • Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds).
  • If you don't know the router's default password, you can look it up HERE.
  • You also need to reconfigure any security settings you had in place prior to the reset.
  • You may also need to consult with your Internet service provider to find out which DNS servers your network should be using.

NEXT

  • Go to Start > Run > type: cmd
  • Press OK or Hit Enter.
  • At the command prompt, type or copy/paste: ipconfig /flushdns (note the space between ..g /f, it needs to be there)
  • Hit Enter.
  • You will get a confirmation that the flush was successful.
  • Close the command box.


Let me know if that makes a difference as well.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015

