
Rootkitted or virus ? remote machine, exe files de-associating at reboot


20 replies to this topic

#1 ZPrime (Members, 11 posts; Cleveland, OH)

Posted 09 June 2011 - 04:30 PM

Background - I'm an experienced (10+ years in the field) IT engineer at a company with 50-some remote locations. Most of the remote locations are "wild wild west" when it comes to security - we have a company license for NOD32 but there are times that computers get missed, and the users are the opposite of computer savvy so they always manage to get new infections on machines. (Yes, it's not right, but unfortunately I don't have the manpower or resources to do everything the way it should be done. :() I'm normally able to clean machines given my background, but this one has me stumped so I'm turning to the masters of (anti-)malware. :)

Machine is running Windows XP Pro, SP3.
After a reboot, the machine won't run .exe files, coming up with the "Windows needs you to choose a program to run this file" dialog. If I run "assoc .exe" at a command prompt (have to use command.com as cmd.exe doesn't work), it is properly associated with "exefile", but running "ftype exefile" gives the "There is no handler for this file type" error (I'm paraphrasing because I don't have it directly in front of me right now).

If I put in the correct argument for ftype (ftype exefile="%1" %*) I can get exe files to work again, but a reboot of the system finds them broken once more.

System does not currently have any A/V software installed - I will put on NOD32 once I have it clean but I didn't want to complicate things further.

Tricky part - the machine is remote to me. I have two different pieces of remote control software installed, our preferred corporate system (Bomgar), and I've also temporarily installed TeamViewer free because I have seen some spyware/rootkit tools disable my Bomgar system. This makes rebooting into safemode somewhat complicated - I should be able to do it with TeamViewer, but I don't believe that Bomgar will let me get into safe mode (or at least I know I've had problems with it in the past).

I have tried SuperAntiSpyware and MBAM and while SAS recognizes the exefile problem, it doesn't get anything else. MBAM sees nothing other than cookies. I can obviously post logs of this when requested.

If anyone would like to take a stab at this I am all ears. The machine is around 400 miles from me so I don't want to drive out there. :)

Here is the DDS output, this was run in safe mode:
.
DDS (Ver_2011-06-03.01) - NTFSx86 NETWORK
Internet Explorer: 8.0.6001.18702
Run by Administrator at 19:24:59 on 2011-06-09
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.999.747 [GMT -4:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe
C:\Program Files\TeamViewer\Version6\TeamViewer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
c:\program files\teamviewer\version6\TeamViewer_Desktop.exe
C:\Program Files\TeamViewer\Version6\tv_w32.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://news.yahoo.com/
uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
mURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Yahooo Search Protection: {25bc7718-0bfa-40ea-b381-4b2d9732d686} - c:\program files\yahoo!\search protection\ysp.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn2\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {71576546-354D-41C9-AAE8-31F2EC22BF0D} - No File
uRun: [SmileboxTray] "c:\documents and settings\administrator\application data\smilebox\SmileboxTray.exe"
uRun: [YSearchProtection] c:\program files\yahoo!\search protection\YspService.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SDMSSplash] "c:\program files\hp_sdms\sdmssplash\launcher.exe" "launchdir=c:\program files\hp_sdms\SDMSSplash"
mRun: [SetRefresh] c:\program files\compaq\setrefresh\SetRefresh.exe
mRun: [LayoutM] KLayMgr.exe
mRun: [Recguard] c:\windows\sminst\Recguard.exe
mRun: [Reminder] c:\windows\creator\Remind_XP.exe
mRun: [Scheduler] c:\windows\sminst\Scheduler.exe
mRun: [LXBSCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXBStime.dll,_RunDLLEntry@16
mRun: [BYRUA_AGENT] c:\documents and settings\all users\application data\lgmobileax\byr_client\VZWUAAgent.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\eventr~1.lnk - c:\program files\broderbund\printmaster\pmremind.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {C52439A0-2693-4E40-B141-9F9AD5257241} - hxxps://ediagnostics.lexmark.com/serval.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 208.67.222.222 208.67.220.220
TCP: Interfaces\{B931E3D8-E972-489D-B829-61D349641DAC} : DhcpNameServer = 208.67.222.222 208.67.220.220
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
============= SERVICES / DRIVERS ===============
.
R2 TeamViewer6;TeamViewer 6;c:\program files\teamviewer\version6\TeamViewer_Service.exe [2011-6-1 2337144]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2008-10-26 36608]
S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-10-12 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-10-12 74480]
S2 bomgar-ps-1307647906-1307648000;Bomgar Jump Client [1307647906-1307648000];c:\documents and settings\all users\application data\bomgar-scc-4df11fa2\bomgar-scc.exe [2011-6-9 809920]
S2 bomgar-scc-1307647906;Bomgar Support Customer Client [1307647906];c:\documents and settings\all users\application data\bomgar-scc-4df11fa2\bomgar-scc.exe [2011-6-9 809920]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-12 135664]
S3 Andbus;LGE Android Platform Composite USB Device;c:\windows\system32\drivers\lgandbus.sys --> c:\windows\system32\drivers\lgandbus.sys [?]
S3 AndDiag;LGE Android Platform USB Serial Port;c:\windows\system32\drivers\lganddiag.sys --> c:\windows\system32\drivers\lganddiag.sys [?]
S3 AndGps;LGE Android Platform USB GPS NMEA Port;c:\windows\system32\drivers\lgandgps.sys --> c:\windows\system32\drivers\lgandgps.sys [?]
S3 ANDModem;LGE Android Platform USB Modem;c:\windows\system32\drivers\lgandmodem.sys --> c:\windows\system32\drivers\lgandmodem.sys [?]
S3 androidusb;ADB Interface Driver;c:\windows\system32\drivers\lgandadb.sys --> c:\windows\system32\drivers\lgandadb.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-3-12 135664]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-6-9 39984]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-10-12 7408]
.
=============== Created Last 30 ================
.
2011-06-09 20:28:30	--------	d-----w-	c:\documents and settings\administrator\application data\Malwarebytes
2011-06-09 20:28:26	39984	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-09 20:28:26	--------	d-----w-	c:\documents and settings\all users\application data\Malwarebytes
2011-06-09 20:28:23	22712	----a-w-	c:\windows\system32\drivers\mbam.sys
2011-06-09 20:28:23	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2011-06-09 20:10:03	--------	d-sha-r-	C:\cmdcons
2011-06-09 20:07:55	98816	----a-w-	c:\windows\sed.exe
2011-06-09 20:07:55	518144	----a-w-	c:\windows\SWREG.exe
2011-06-09 20:07:55	256512	----a-w-	c:\windows\PEV.exe
2011-06-09 20:07:55	208896	----a-w-	c:\windows\MBR.exe
2011-06-09 20:04:27	--------	d-----w-	c:\program files\TeamViewer
2011-06-09 20:03:23	--------	d-----w-	c:\documents and settings\administrator\application data\TeamViewer
2011-06-09 19:31:46	--------	d-----w-	c:\documents and settings\all users\application data\bomgar-scc-4DF11FA2
2011-05-22 18:00:24	--------	d-sh--w-	c:\documents and settings\administrator\IECompatCache
.
==================== Find3M  ====================
.
.
============= FINISH: 19:25:07.68 ===============

Edited by boopme, 09 June 2011 - 07:20 PM.
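The first post isolates the symptom to two registry facts: `assoc .exe` still returns `exefile`, but `ftype exefile` has lost its open command until `ftype exefile="%1" %*` is re-entered, and the loss comes back after every reboot. The script below is an added example written for this thread, not something ZPrime or the helpers ran and not part of any tool they name. It reads the same two values the `assoc`/`ftype` commands touch, compares them against the expected values from the post (`.exe` -> `exefile`, open command `"%1" %*`), and reports any difference; with `-Repair` it writes the expected values back. It also looks at the per-user `HKCU\Software\Classes` copies of those keys, which the thread does not mention but which take precedence over the machine-wide ones when HKCR is assembled. It assumes PowerShell 2.0 or later and an administrative session; on an XP box that only has `command.com` usable, the thread's own `assoc` and `ftype` commands do the equivalent by hand.

```powershell
<#
 Added example (not from the thread or any tool in it): audit, and with -Repair
 restore, the .exe file association that keeps breaking in the first post.
 Expected values are the ones that post uses:
     assoc .exe=exefile      ftype exefile="%1" %*
 Assumes PowerShell 2.0+ and an elevated/administrator session.
#>
param([switch]$Repair)

# Machine-wide keys behind HKCR\.exe and HKCR\exefile\shell\open\command.
$Expected = @{
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe'                       = 'exefile'
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command' = '"%1" %*'
}

# Per-user Classes keys override the machine-wide ones when HKCR is built, so a
# value here breaks .exe for that user even when HKLM looks correct. Not mentioned
# in the thread; checked because it is the other place the association can live.
$UserOverrides = @(
    'Registry::HKEY_CURRENT_USER\Software\Classes\.exe',
    'Registry::HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command'
)

function Get-DefaultValue([string]$KeyPath) {
    # Returns the key's (Default) value, or $null if the key or value is absent.
    $key = Get-Item -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    if ($null -eq $key) { return $null }
    return $key.GetValue('')    # '' names the (Default) value
}

$findings = @()
foreach ($path in $Expected.Keys) {
    $actual = Get-DefaultValue $path
    if ($actual -ne $Expected[$path]) {
        $findings += New-Object PSObject -Property @{
            Key = $path; Expected = $Expected[$path]; Actual = $actual
        }
    }
}
foreach ($path in $UserOverrides) {
    $actual = Get-DefaultValue $path
    if ($null -ne $actual) {
        $findings += New-Object PSObject -Property @{
            Key = $path; Expected = '<absent>'; Actual = $actual
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Host '.exe association is intact.'
    return
}

Write-Host 'Deviations from the expected .exe association:'
$findings | Format-Table Key, Expected, Actual -AutoSize

if ($Repair) {
    foreach ($path in $Expected.Keys) {
        # Recreate the key if it was deleted, then rewrite its (Default) value.
        if (-not (Test-Path -LiteralPath $path)) { New-Item -Path $path -Force | Out-Null }
        Set-ItemProperty -LiteralPath $path -Name '(default)' -Value $Expected[$path]
    }
    foreach ($path in $UserOverrides) {
        # A per-user override of .exe has no legitimate use; remove it.
        if (Test-Path -LiteralPath $path) { Remove-Item -LiteralPath $path -Recurse -Force }
    }
    Write-Host 'Values restored. Reboot and run this script again without -Repair:'
    Write-Host 'if the same deviation is back, something at startup is rewriting it.'
}
```

Running it once before and once after a reboot turns the thread's "fix it, reboot, it is broken again" loop into a recorded before/after diff, which is the evidence needed to decide whether a startup item is re-applying the change or whether, as ZPrime later wonders, the registry simply was not being flushed at shutdown.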



#2 ZPrime (Topic Starter)

Posted 10 June 2011 - 11:01 AM

I did try running mbr.exe from GMER as well, since whatever it is was persisting between reboots and in safe mode.

Log from that is here:
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST380815AS rev.3.CHF -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK


#3 teacup61 (Bleepin' Texan!; Malware Response Team, 17,075 posts; Wills Point, Texas)

Posted 10 June 2011 - 03:04 PM

Hello ZPrime ,


Well, I agree Team Viewer is much simpler to work with. :thumbup2: Now my question for you is, if I ask you to run something that will require a disconnect, will there be someone on the other end to reconnect or talk to on the phone if you use Team Viewer? One other thing....might be a bit tougher to deal with, without you there, depending on the problem. Some of the newer infections are better dealt with outside the OS environment and we don't have that option here, if I read right.

tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#4 ZPrime (Topic Starter)

Posted 10 June 2011 - 03:08 PM

teacup -
I can normally get someone to assist me with a reconnect if necessary, but I actually have the full version of TeamViewer installed on the remote end, which means it loads up as a service (and even seems to load up in safe mode w/networking) so I have been able to reboot the machine and reconnect to it without issue. If you're suggesting ComboFix, which I know disconnects the network, it should be OK as long as it runs to completion and re-enables the network at the end, as the machine will reconnect and I'll be able to get control again.

Working outside the OS environment will be impossible though. If it comes down to that, I will make them ship it back to me and I will simply reformat the thing, I have already wasted 8 very precious hours of my time on it. :thumbdown:

#5 teacup61 (Malware Response Team)

Posted 10 June 2011 - 03:19 PM

I understand about the waste....I've spent days with folks, since this is the way I work most of the time. It's not fun, nor is it pretty.

Yes, with everything else you've already done, I think ComboFix would be the next logical step. I'll still give you the spiel on the download: :wink:


This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. I do see there is no AV, so you shouldn't have anything much to disable.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

If you have trouble running it the first time, then rename ComboFix.exe to Prime.com and try again. I suggest the .com extension since you say .exe is giving you trouble. :thumbup2:

Thanks,
tea

#6 ZPrime (Topic Starter)

Posted 10 June 2011 - 04:17 PM

I was able to run the .exe without renaming or trickery by starting command.com from Run dialog and launching that way. I :heart: command prompts. ;) The EXE files themselves are fine, it's just that Explorer is repeatedly losing the file association for them...

Combofix log is as follows:

ComboFix 11-06-10.08 - Administrator 06/10/2011  16:59:44.3.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.999.532 [GMT -4:00]
Running from: c:\docume~1\ADMINI~1\DESKTOP\ComboFix.exe
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\progra~1\Internet Explorer\iexplore.exe
.
.
(((((((((((((((((((((((((   Files Created from 2011-05-10 to 2011-06-10  )))))))))))))))))))))))))))))))
.
.
2011-06-10 18:33 . 2011-06-10 18:33	--------	d-----w-	c:\documents and settings\Saber   <<<<<<<<<<  I tried adding a second user profile to see if the issue was only affecting the original "Administrator" account  -- ZPrime
2011-06-10 15:48 . 2009-10-22 17:54	37392	----a-w-	c:\windows\system32\drivers\70900642.sys
2011-06-10 15:48 . 2009-10-10 03:31	315408	----a-w-	c:\windows\system32\drivers\7090064.sys
2011-06-10 15:48 . 2009-09-25 21:59	128016	----a-w-	c:\windows\system32\drivers\70900641.sys
2011-06-10 15:20 . 2011-06-10 15:20	--------	d-----w-	c:\program files\ESET
2011-06-09 20:28 . 2011-06-09 20:28	--------	d-----w-	c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-06-09 20:28 . 2011-06-09 20:28	--------	d-----w-	c:\docume~1\ADMINI~1\APPLIC~1\Malwarebytes
2011-06-09 20:28 . 2011-06-09 20:28	--------	d-----w-	c:\docume~1\ALLUSE~1\Application Data\Malwarebytes
2011-06-09 20:28 . 2011-05-29 13:11	39984	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-09 20:28 . 2011-06-09 23:01	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2011-06-09 20:28 . 2011-05-29 13:11	22712	----a-w-	c:\windows\system32\drivers\mbam.sys
2011-06-09 20:04 . 2011-06-09 20:04	--------	d-----w-	c:\program files\TeamViewer
2011-06-09 20:03 . 2011-06-09 20:03	--------	d-----w-	c:\documents and settings\Administrator\Application Data\TeamViewer
2011-06-09 20:03 . 2011-06-09 20:03	--------	d-----w-	c:\docume~1\ADMINI~1\APPLIC~1\TeamViewer
2011-06-09 19:31 . 2011-06-10 21:04	--------	d-----w-	c:\docume~1\ALLUSE~1\Application Data\bomgar-scc-4DF11FA2
2011-06-01 19:47 . 2011-06-01 19:47	--------	d-----w-	c:\windows\system32\config\systemprofile\Local Settings\Application Data\Google
2011-05-27 13:42 . 2011-05-27 13:42	--------	d-----w-	c:\program files\NOS
2011-05-27 13:42 . 2011-05-27 13:42	--------	d-----w-	c:\docume~1\ALLUSE~1\Application Data\NOS
2011-05-22 18:00 . 2011-05-22 18:00	--------	d-sh--w-	c:\documents and settings\Administrator\IECompatCache
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-07-21 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-07-21 86016]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-07-21 81920]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-04 16250880]
"SDMSSplash"="c:\program files\HP_SDMS\SDMSSplash\launcher.exe" [2006-03-10 86016]
"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 525824]
"LayoutM"="KLayMgr.exe" [2004-08-17 45056]
"Recguard"="c:\windows\Sminst\Recguard.exe" [2006-05-12 1138688]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2006-03-31 761856]
"Scheduler"="c:\windows\SMINST\Scheduler.exe" [2006-04-24 888832]
"LXBSCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXBStime.dll" [2004-03-17 65536]
"BYRUA_AGENT"="c:\documents and settings\All Users\Application Data\LGMOBILEAX\BYR_Client\VZWUAAgent.exe" [2011-05-19 388184]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
setup_9.0.0.722_10.06.2011_17-03.lnk - c:\documents and settings\Saber\Desktop\Virus Removal Tool\setup_9.0.0.722_10.06.2011_17-03\startup.exe [N/A]  <<<<<<<  Kaspersky AV removal tool, also tried this :)
.
c:\docume~1\ADMINI~1\Start Menu\Programs\Startup\
setup_9.0.0.722_10.06.2011_17-03.lnk - c:\documents and settings\Saber\Desktop\Virus Removal Tool\setup_9.0.0.722_10.06.2011_17-03\startup.exe [N/A]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Event Reminder.lnk - c:\program files\Broderbund\PrintMaster\pmremind.exe [2009-10-28 331776]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21	548352	----a-w-	c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SMINST\\Scheduler.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
R0 70900642;70900642 Boot Guard Driver;c:\windows\system32\drivers\70900642.sys [6/10/2011 11:48 AM 37392]
R1 70900641;70900641;c:\windows\system32\drivers\70900641.sys [6/10/2011 11:48 AM 128016]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [10/12/2009 9:24 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/12/2009 9:24 PM 74480]
R1 setup_9.0.0.722_10.06.2011_17-03drv;setup_9.0.0.722_10.06.2011_17-03drv;c:\windows\system32\drivers\7090064.sys [6/10/2011 11:48 AM 315408]
R2 bomgar-ps-1307647906-1307648000;Bomgar Jump Client [1307647906-1307648000];c:\documents and settings\All Users\Application Data\bomgar-scc-4DF11FA2\bomgar-scc.exe [6/9/2011 3:31 PM 809920]
R2 TeamViewer6;TeamViewer 6;c:\program files\TeamViewer\Version6\TeamViewer_Service.exe [6/1/2011 8:44 AM 2337144]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [10/26/2008 2:39 AM 36608]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/12/2010 9:17 AM 135664]
S3 Andbus;LGE Android Platform Composite USB Device;c:\windows\system32\DRIVERS\lgandbus.sys --> c:\windows\system32\DRIVERS\lgandbus.sys [?]
S3 AndDiag;LGE Android Platform USB Serial Port;c:\windows\system32\DRIVERS\lganddiag.sys --> c:\windows\system32\DRIVERS\lganddiag.sys [?]
S3 AndGps;LGE Android Platform USB GPS NMEA Port;c:\windows\system32\DRIVERS\lgandgps.sys --> c:\windows\system32\DRIVERS\lgandgps.sys [?]
S3 ANDModem;LGE Android Platform USB Modem;c:\windows\system32\DRIVERS\lgandmodem.sys --> c:\windows\system32\DRIVERS\lgandmodem.sys [?]
S3 androidusb;ADB Interface Driver;c:\windows\system32\Drivers\lgandadb.sys --> c:\windows\system32\Drivers\lgandadb.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [3/12/2010 9:17 AM 135664]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [6/9/2011 4:28 PM 39984]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 8:49 AM 227232]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [10/12/2009 9:24 PM 7408]
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-12 13:17]
.
2011-06-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-12 13:17]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.hp.com
TCP: DhcpNameServer = 208.67.222.222 208.67.220.220
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-10 17:04
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  LXBSCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXBStime.dll,_RunDLLEntry@16??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????? 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
@DACL=(02 0000)
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
@DACL=(02 0000)
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
@DACL=(02 0000)
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
@DACL=(02 0000)
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Security Center\Monitoring\McAfeeFirewall]
@DACL=(02 0000)
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Security Center\Monitoring\PandaAntiVirus]
@DACL=(02 0000)
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Security Center\Monitoring\PandaFirewall]
@DACL=(02 0000)
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Security Center\Monitoring\SophosAntiVirus]
@DACL=(02 0000)
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
@DACL=(02 0000)
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Security Center\Monitoring\SymantecFirewall]
@DACL=(02 0000)
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Security Center\Monitoring\TinyFirewall]
@DACL=(02 0000)
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Security Center\Monitoring\TrendAntiVirus]
@DACL=(02 0000)
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Security Center\Monitoring\TrendFirewall]
@DACL=(02 0000)
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
@DACL=(02 0000)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(688)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(3692)
c:\windows\system32\WININET.dll
c:\program files\TeamViewer\Version6\tv_w32.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\windows\RTHDCPL.EXE
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\TeamViewer\Version6\TeamViewer.exe
c:\program files\teamviewer\version6\TeamViewer_Desktop.exe
c:\program files\TeamViewer\Version6\tv_w32.exe
.
**************************************************************************
.
Completion time: 2011-06-10  17:06:39 - machine was rebooted
ComboFix-quarantined-files.txt  2011-06-10 21:06
.
Pre-Run: 57,695,133,696 bytes free
Post-Run: 57,687,019,520 bytes free
.
- - End Of File - - 3863C976D1694D6531775070FAE74C58

EXE files do seem to be functioning again now, but I haven't restarted the computer a second time to verify if the fix "held." I will wait to do that until I get a confirmation from you that it is OK to try.

Edited by ZPrime, 10 June 2011 - 04:20 PM.


#7 teacup61 (Malware Response Team)

Posted 10 June 2011 - 04:21 PM

Go ahead and try it....may as well know now so I can know what to do next. :thumbup2:

#8 ZPrime (Topic Starter)

Posted 10 June 2011 - 04:27 PM

Just as I feared, after a reboot, same problem is back. Double-click any .exe and here's the result (obviously the title bar changes to match, I was using a copy of process explorer I had dumped on the desktop):
[screenshot not preserved]

I was thinking of trying a "sfc /scannow" next, but MBAM and SAS don't see any viruses in c:\Windows so I don't know how much, if at all, it would help. (The system does have a c:\i386 folder with the install source so that is an option.)

Edited by ZPrime, 10 June 2011 - 04:35 PM.


#9 teacup61 (Malware Response Team)

Posted 10 June 2011 - 04:39 PM

Okie dokie then.....try using this on it, by Doug Knox. Just the .exe one, and let me know if it sticks after a reboot. :) http://www.dougknox.com/xp/file_assoc.htm

#10 ZPrime (Topic Starter)

Posted 10 June 2011 - 04:55 PM

I've actually tried that one in the past already, but I just ran it again now and restarted again.

The EXEs work again immediately after running the fix, but after the reboot they are broken again. :killcomp:

There is a special circle of hell reserved for the people who write these virii/trojans, I swear... :angry:

#11 teacup61 (Malware Response Team)

Posted 10 June 2011 - 04:56 PM

Oy...okay....what else have you tried so I don't duplicate again? :thumbup2:

#12 ZPrime (Topic Starter)

Posted 10 June 2011 - 05:10 PM

The Microsoft removal kit (MSERT), ESET Online Scanner, Kaspersky Virus Removal Tool, TDSSKiller (even though I saw no signs of it from MBAM; TDSSKiller didn't find anything anyway) and aswMBR for the heck of it (even though GMER didn't see anything in the MBR). That's about the entire toolkit that I've ever had to use on any machine in the past.

What baffles me is that I see absolutely no other signs of infection beyond the EXE problem. No tools come up with anything at all. The system runs fine, once I fix the EXEs after bootup I can load any website I want and I haven't seen any blocked downloads or any other odd behavior... although I suppose that could mean it is just a VERY good rootkit. <_<

I did just re-run SuperAntiSpyware (the full installed version instead of the self-contained .com file) and it turned up a trace of "Trojan.Agent/Gen-Nullo[Short]", but it was sitting in System Volume Information (i.e. System Restore); no other instances of it were found other than the old Sys Restore copy. I'm not even sure if a disappearing .exe association is a symptom of that Trojan. :) I just rebooted after that run-through of SAS and EXEs seem to be working. :blink: :blink: :blink: :huh: :huh:

I have no idea where that Nullo trojan could've even gotten launched/started from, since MBAM and other apps weren't seeing any hooks to it...

The only other thing I can think of that was done differently here -- in the past when rebooting the machine I'd been using TeamViewer's reboot menu command. This time I allowed SAS to perform the reboot, which makes me wonder if possibly the registry wasn't being saved correctly during the reboot when it was initiated by TeamViewer. (This would only make sense if TeamViewer is somehow performing a non-standard reboot call, but anything is possible and I'm just grasping for an explanation!) In other words, it's possible the system has been clean the entire time, but all of my fixes to the registry weren't staying because the reboots I was issuing via TeamViewer weren't allowing the registry to be fully written before the shutdown.... :wacko:

I have restarted it 3x now and EXEs still work though! The only odd part now is that Internet Explorer isn't working, although I do remember seeing something in one of the logs about iexplore.exe getting quarantined. Thankfully it is much easier to fix that than to reinstall the entire OS.

Edited by ZPrime, 10 June 2011 - 05:49 PM.
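The symptom described in this thread (assoc .exe still says exefile, but ftype exefile has no handler, and the fix does not survive a reboot) comes down to a handful of registry values. The script below is an added example for checking those values against the Windows defaults before and after a reboot, so you can tell whether a repair actually persisted; it is not from the thread, from Doug Knox's fix, or from any of the tools mentioned. It assumes PowerShell 2.0 or later is installed and that powershell.exe itself can be launched at the time you run it (i.e. run it while the association is working). The known-good values it compares against are the stock ones: HKCR\.exe defaults to "exefile", and HKCR\exefile\shell\open\command defaults to "%1" %*. It also flags per-user copies under HKCU\Software\Classes, which take precedence over the machine-wide keys and are a common place for an association to be hijacked from.

```powershell
# Added example, not code from the thread or from any tool named in it.
# Audits the .exe association chain against the Windows defaults and reports
# every deviation. -Restore writes the defaults back and removes per-user
# overrides; only use it once you are satisfied the machine is clean.
function Test-ExeAssociation {
    param([switch]$Restore)

    # Registry provider only maps HKLM: and HKCU: by default; map HKCR: too.
    if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
    }

    # Stock values on XP/Vista/7: these are what assoc/ftype read.
    $expected = @(
        @{ Path = 'HKCR:\.exe';                       Value = 'exefile' },
        @{ Path = 'HKCR:\exefile\shell\open\command'; Value = '"%1" %*' }
    )
    # Per-user keys that normally do not exist; if present they shadow HKLM.
    $overrides = @(
        'HKCU:\Software\Classes\.exe',
        'HKCU:\Software\Classes\exefile'
    )

    $findings = @()
    foreach ($e in $expected) {
        $actual = $null
        if (Test-Path $e.Path) {
            # '(default)' is how the provider exposes a key's unnamed value.
            $actual = (Get-ItemProperty -Path $e.Path -ErrorAction SilentlyContinue).'(default)'
        }
        if ($actual -ne $e.Value) {
            $findings += "MISMATCH $($e.Path) (default) = '$actual'; expected '$($e.Value)'"
            if ($Restore) {
                if (-not (Test-Path $e.Path)) { New-Item -Path $e.Path -Force | Out-Null }
                Set-ItemProperty -Path $e.Path -Name '(default)' -Value $e.Value
            }
        }
    }
    foreach ($o in $overrides) {
        if (Test-Path $o) {
            $cmd = $null
            $cmdKey = Join-Path $o 'shell\open\command'
            if (Test-Path $cmdKey) { $cmd = (Get-ItemProperty -Path $cmdKey).'(default)' }
            $findings += "OVERRIDE present: $o (shadows HKLM; command = '$cmd')"
            if ($Restore) { Remove-Item -Path $o -Recurse -Force }
        }
    }

    if ($findings.Count -eq 0) { Write-Output 'OK: .exe association matches the defaults' }
    else { $findings | ForEach-Object { Write-Output $_ } }
    return $findings
}

# Typical use: run once, reboot, run again. If the second run reports a
# MISMATCH or OVERRIDE that the first did not, something re-wrote the keys
# during shutdown or startup (or the registry hive was never flushed).
Test-ExeAssociation
```

A persistent mismatch after a reboot points at an active process or startup item re-breaking the association, whereas values that are correct before the reboot and wrong afterwards, with nothing else found, is consistent with the hive not being written out before shutdown, which is the scenario ZPrime raises above. Running the audit both before and after the restart is what separates the two.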


#13 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:01:00 AM

Posted 10 June 2011 - 05:46 PM

Well, they won't come up with anything either. Hang on just a sec....Be right back

#14 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:01:00 AM

Posted 10 June 2011 - 05:53 PM

Oh cool! I had to do a doubletake when I saw you'd edited your post. Well then, it may not be what I thought it might be. Let me know if it holds. If it does, then great! If not, I know where I'm going from here. :)

#15 ZPrime

ZPrime
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Gender:Male
  • Location:Cleveland, OH
  • Local time:02:00 AM

Posted 10 June 2011 - 06:01 PM

It is definitely holding across reboots now (4x in total thus far), the only problem is that iexplore.exe was removed by ComboFix and I'm not sure why. The only hunch I have is since I was running ComboFix from command.com, the paths were all truncated (i.e. it found it as c:\progra~1\intern~1\iexplore.exe) and I'm guessing that's why it was quarantined.

I know where the quarantine for ComboFix is, so I'm going to upload the file to VirusTotal and check it; if it looks good I am planning on putting it back and everything should be OK. Thankfully the machine already has Google Chrome on it so I'm not browser-less. I just installed NOD32 4.2.71.2 from our corporate license so hopefully it will help keep this user clean in the future. :thumbup2:
