
Malware, Rootkits -> Non-bootable XP


#1 rlevy1234

Posted 14 July 2011 - 06:55 PM

Not sure how to fix this -- any ideas?

OS: Windows XP Pro.

So far I have:
1. found / cleaned issues w/ Malwarebytes' Anti-Malware
Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 7057

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/9/2011 8:53:20 AM
mbam-log-2011-07-09 (08-53-20).txt

Scan type: Flash scan
Objects scanned: 80500
Time elapsed: 1 minute(s), 23 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
c:\documents and settings\Bob Levy\application data\microsoft\conhost.exe (Spyware.Passwords.XGen) -> 2464 -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost (Spyware.Passwords.XGen) -> Value: conhost -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Load (Trojan.Agent) -> Bad: (C:\DOCUME~1\BOBLEV~1\LOCALS~1\Temp\csrss.exe) Good: () -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\Bob Levy\application data\microsoft\conhost.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\documents and settings\Bob Levy\local settings\temp\0.5802119755359254.exe (Exploit.Drop.2) -> Quarantined and deleted successfully.
c:\documents and settings\Bob Levy\local settings\temp\csrss.exe (Trojan.Agent) -> Delete on reboot.

and

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 7057

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

7/9/2011 9:12:15 AM
mbam-log-2011-07-09 (09-12-15).txt

Scan type: Quick scan
Objects scanned: 181636
Time elapsed: 6 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell.Gen) -> Value: Shell -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\Bob Levy\local settings\temp\2.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Bob Levy\local settings\temp\csrss.exe (Trojan.Agent) -> Quarantined and deleted successfully.

and then

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 7082

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

7/11/2011 6:40:53 PM
mbam-log-2011-07-11 (18-40-53).txt

Scan type: Quick scan
Objects scanned: 182163
Time elapsed: 6 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\Bob Levy\application data\dwm.exe (Trojan.Agent) -> Quarantined and deleted successfully.

2. Realizing that was a fairly deep infection, ran Sophos Anti-Rootkit, found multiple issues and attempted clean (and replacing any critical Windows\System32 etc items that clean process deleted w/ files from another WinXP Pro machine w/ identical SP level)

Sophos Anti-Rootkit Version 1.5.4  (c) 2009 Sophos Plc
Started logging on 7/12/2011 at 19:09:01 PM
User "Bob Levy" on computer "RAVEN"
Windows version 5.1 SP 3.0 Service Pack 3 build 2600 SM=0x100 PT=0x1 Win32
Info:	Starting process scan.
Info:	Starting registry scan.
Info:	Starting disk scan of C: (NTFS).
Hidden:	file C:\WINDOWS\system32\debug.exe
Hidden:	file C:\WINDOWS\system32\edlin.exe
Hidden:	file C:\WINDOWS\system32\exe2bin.exe
Hidden:	file C:\WINDOWS\system32\fastopen.exe
Hidden:	file C:\WINDOWS\system32\mem.exe
Hidden:	file C:\WINDOWS\system32\nlsfunc.exe
Hidden:	file C:\WINDOWS\system32\share.exe
Hidden:	file C:\WINDOWS\system32\edit.com
Hidden:	file C:\Program Files\WinRAR\Dos.SFX
Hidden:	file C:\WINDOWS\system32\aksllmtp.exe
Hidden:	file C:\Documents and Settings\Bob Levy\My Documents\IT & PC\util\UUDECODE.EXE
Hidden:	file C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll
Hidden:	file C:\System Volume Information\_restore{3552B976-010F-4FCE-BE3B-4F7B54E27149}\RP134\A0034475.exe
Hidden:	file C:\System Volume Information\_restore{3552B976-010F-4FCE-BE3B-4F7B54E27149}\RP134\A0034476.exe
Hidden:	file C:\System Volume Information\_restore{3552B976-010F-4FCE-BE3B-4F7B54E27149}\RP134\A0034477.exe
Hidden:	file C:\System Volume Information\_restore{3552B976-010F-4FCE-BE3B-4F7B54E27149}\RP134\A0034478.exe
Hidden:	file C:\System Volume Information\_restore{3552B976-010F-4FCE-BE3B-4F7B54E27149}\RP134\A0034479.exe
Hidden:	file C:\System Volume Information\_restore{3552B976-010F-4FCE-BE3B-4F7B54E27149}\RP134\A0034482.exe
Hidden:	file C:\System Volume Information\_restore{3552B976-010F-4FCE-BE3B-4F7B54E27149}\RP134\A0034483.exe
Hidden:	file C:\System Volume Information\_restore{3552B976-010F-4FCE-BE3B-4F7B54E27149}\RP134\A0034484.exe
Hidden:	file C:\System Volume Information\_restore{3552B976-010F-4FCE-BE3B-4F7B54E27149}\RP134\A0034486.exe
Hidden:	file C:\System Volume Information\_restore{3552B976-010F-4FCE-BE3B-4F7B54E27149}\RP134\A0034487.exe
Hidden:	file C:\System Volume Information\_restore{3552B976-010F-4FCE-BE3B-4F7B54E27149}\RP134\A0034488.exe
Hidden:	file C:\System Volume Information\_restore{3552B976-010F-4FCE-BE3B-4F7B54E27149}\RP134\A0034489.exe
Hidden:	file C:\System Volume Information\_restore{3552B976-010F-4FCE-BE3B-4F7B54E27149}\RP134\A0034490.exe
Hidden:	file C:\System Volume Information\_restore{3552B976-010F-4FCE-BE3B-4F7B54E27149}\RP134\A0034491.exe
Hidden:	file C:\System Volume Information\_restore{3552B976-010F-4FCE-BE3B-4F7B54E27149}\RP134\A0034492.com
Hidden:	file C:\WINDOWS\system32\Setup\aladdin\hasphl\hasplms.exe
Hidden:	file C:\WINDOWS\system32\hasplms.exe
Hidden:	file C:\WINDOWS\assembly\GAC_MSIL\Janus.Windows.Common.v3\3.5.0.0__21d5517571b185bf\Janus.Windows.Common.v3.dll
Hidden:	file C:\WINDOWS\assembly\GAC_MSIL\Janus.Windows.ExplorerBar.v3\3.5.0.0__21d5517571b185bf\Janus.Windows.ExplorerBar.v3.dll
Hidden:	file C:\WINDOWS\Installer\{B51995BA-BAB8-43E0-A84A-2717BBBED29E}\controlPanelIcon.exe
Hidden:	file C:\WINDOWS\Installer\{75B61CF0-B8A8-46E2-8709-C4A79898AC1D}\controlPanelIcon_1.exe
Hidden:	file C:\WINDOWS\Installer\{FB29B583-945C-4094-BB4B-3A405574C560}\_6FEFF9B68218417F98F549.exe
Hidden:	file C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\Microsoft.VisualBasic.Activities.Compiler.dll
Hidden:	file C:\WINDOWS\Installer\{B547CB8D-549A-436E-97B5-E79F911B11E2}\controlPanelIcon.exe
Hidden:	file C:\WINDOWS\Installer\{71AB39F9-EC91-41EC-8A73-67FFEAA4CBF5}\_6FEFF9B68218417F98F549.exe
Hidden:	file C:\WINDOWS\Installer\{71AB39F9-EC91-41EC-8A73-67FFEAA4CBF5}\_21F3885A18D238E15AAE81.exe
Hidden:	file C:\WINDOWS\Installer\{71AB39F9-EC91-41EC-8A73-67FFEAA4CBF5}\_2BF77238F2CC1D08D7D9A1.exe
Hidden:	file C:\System Volume Information\_restore{3552B976-010F-4FCE-BE3B-4F7B54E27149}\RP134\A0034449.exe
Hidden:	file C:\System Volume Information\_restore{3552B976-010F-4FCE-BE3B-4F7B54E27149}\RP134\A0034450.exe
Hidden:	file C:\System Volume Information\_restore{3552B976-010F-4FCE-BE3B-4F7B54E27149}\RP134\A0034452.exe
Hidden:	file C:\System Volume Information\_restore{3552B976-010F-4FCE-BE3B-4F7B54E27149}\RP134\A0034453.exe
Hidden:	file C:\System Volume Information\_restore{3552B976-010F-4FCE-BE3B-4F7B54E27149}\RP134\A0034454.exe
Hidden:	file C:\System Volume Information\_restore{3552B976-010F-4FCE-BE3B-4F7B54E27149}\RP134\A0034455.exe
Hidden:	file C:\System Volume Information\_restore{3552B976-010F-4FCE-BE3B-4F7B54E27149}\RP134\A0034456.exe
Hidden:	file C:\System Volume Information\_restore{3552B976-010F-4FCE-BE3B-4F7B54E27149}\RP134\A0034457.exe
Hidden:	file C:\System Volume Information\_restore{3552B976-010F-4FCE-BE3B-4F7B54E27149}\RP134\A0034463.exe
Hidden:	file C:\System Volume Information\_restore{3552B976-010F-4FCE-BE3B-4F7B54E27149}\RP134\A0034461.exe
Hidden:	file C:\System Volume Information\_restore{3552B976-010F-4FCE-BE3B-4F7B54E27149}\RP134\A0034561.exe
Hidden:	file C:\System Volume Information\_restore{3552B976-010F-4FCE-BE3B-4F7B54E27149}\RP134\A0034574.exe
Hidden:	file C:\System Volume Information\_restore{3552B976-010F-4FCE-BE3B-4F7B54E27149}\RP134\A0034575.exe
Hidden:	file C:\System Volume Information\_restore{3552B976-010F-4FCE-BE3B-4F7B54E27149}\RP134\A0034576.exe
Hidden:	file C:\System Volume Information\_restore{3552B976-010F-4FCE-BE3B-4F7B54E27149}\RP134\A0034577.exe
Hidden:	file C:\System Volume Information\_restore{3552B976-010F-4FCE-BE3B-4F7B54E27149}\RP134\A0034583.dll
Hidden:	file C:\System Volume Information\_restore{3552B976-010F-4FCE-BE3B-4F7B54E27149}\RP134\A0034584.dll
Hidden:	file C:\System Volume Information\_restore{3552B976-010F-4FCE-BE3B-4F7B54E27149}\RP134\A0034585.dll
Hidden:	file C:\System Volume Information\_restore{3552B976-010F-4FCE-BE3B-4F7B54E27149}\RP134\A0034586.dll
Hidden:	file C:\System Volume Information\_restore{3552B976-010F-4FCE-BE3B-4F7B54E27149}\RP134\A0034588.exe
Hidden:	file C:\System Volume Information\_restore{3552B976-010F-4FCE-BE3B-4F7B54E27149}\RP134\A0034589.exe
Hidden:	file C:\System Volume Information\_restore{3552B976-010F-4FCE-BE3B-4F7B54E27149}\RP134\A0034591.exe
Hidden:	file C:\System Volume Information\_restore{3552B976-010F-4FCE-BE3B-4F7B54E27149}\RP134\A0034611.exe
Hidden:	file C:\System Volume Information\_restore{3552B976-010F-4FCE-BE3B-4F7B54E27149}\RP134\A0034612.exe
Hidden:	file C:\System Volume Information\_restore{3552B976-010F-4FCE-BE3B-4F7B54E27149}\RP134\A0034613.exe
Hidden:	file C:\System Volume Information\_restore{3552B976-010F-4FCE-BE3B-4F7B54E27149}\RP134\A0034614.exe
Hidden:	file C:\System Volume Information\_restore{3552B976-010F-4FCE-BE3B-4F7B54E27149}\RP134\A0034617.EXE
Hidden:	file C:\System Volume Information\_restore{3552B976-010F-4FCE-BE3B-4F7B54E27149}\RP134\A0034618.EXE
Hidden:	file C:\System Volume Information\_restore{3552B976-010F-4FCE-BE3B-4F7B54E27149}\RP134\A0034619.EXE
Hidden:	file C:\System Volume Information\_restore{3552B976-010F-4FCE-BE3B-4F7B54E27149}\RP134\A0034620.EXE
Hidden:	file C:\System Volume Information\_restore{3552B976-010F-4FCE-BE3B-4F7B54E27149}\RP134\A0034621.EXE
Hidden:	file C:\System Volume Information\_restore{3552B976-010F-4FCE-BE3B-4F7B54E27149}\RP134\A0034622.EXE
Hidden:	file C:\System Volume Information\_restore{3552B976-010F-4FCE-BE3B-4F7B54E27149}\RP134\A0034623.EXE
Hidden:	file C:\System Volume Information\_restore{3552B976-010F-4FCE-BE3B-4F7B54E27149}\RP134\A0034624.EXE
Hidden:	file C:\System Volume Information\_restore{3552B976-010F-4FCE-BE3B-4F7B54E27149}\RP134\A0034625.EXE
Hidden:	file C:\System Volume Information\_restore{3552B976-010F-4FCE-BE3B-4F7B54E27149}\RP134\A0034626.EXE
Hidden:	file C:\System Volume Information\_restore{3552B976-010F-4FCE-BE3B-4F7B54E27149}\RP134\A0034627.EXE
Hidden:	file C:\System Volume Information\_restore{3552B976-010F-4FCE-BE3B-4F7B54E27149}\RP134\A0034630.EXE
Hidden:	file C:\System Volume Information\_restore{3552B976-010F-4FCE-BE3B-4F7B54E27149}\RP134\A0034633.EXE
Hidden:	file C:\System Volume Information\_restore{3552B976-010F-4FCE-BE3B-4F7B54E27149}\RP134\A0034634.EXE
Stopped logging on 7/12/2011 at 22:49:38 PM

While the system would boot correctly before all of this, it now shows BSOD on regular WinXP boot (infinite reboot loop) [screenshot], or hangs on safe mode boot attempt [screenshot].

Had turned off System Restore for the cleanup process. Machine passes hardware tests via CD-based boot. Have another machine from which I can interact with the drive if needed. Windows Recovery install fails as the machine uses a Raid0 array (Windows Recovery prompts that it does not see a drive, odd since I do not recall problems with the original install process). Do have a utilities boot disk for the machine (works well, and hardware tests pass) as well as another machine from which I can interact with the drive as needed.

Any ideas what I may do to a. finish cleaning the malware / rootkits, and b. get the machine bootable again?

Thanks,
Bob

Edited by rlevy1234, 14 July 2011 - 06:59 PM.
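As an added example (not from the poster and not Malwarebytes' own code), a small parser for the MBAM 1.51 log format pasted above: it turns each finding into a record, singles out the autostart registry locations the logs show (Run, Winlogon\Shell, Windows\Load) and anything still marked "Delete on reboot", which is what you want to confirm before treating a cleanup as finished. The sample log is constructed from lines in the post.

```python
import re
from collections import Counter

# Constructed sample in the MBAM 1.51 log format; entries copied from the post above.
SAMPLE_LOG = r"""
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell.Gen) -> Value: Shell -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost (Spyware.Passwords.XGen) -> Value: conhost -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Load (Trojan.Agent) -> Bad: (C:\DOCUME~1\BOBLEV~1\LOCALS~1\Temp\csrss.exe) Good: () -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\Bob Levy\local settings\temp\csrss.exe (Trojan.Agent) -> Delete on reboot.
"""

SECTION_RE = re.compile(r"^(Memory Processes|Memory Modules|Registry Keys|Registry Values|Registry Data Items|Folders|Files) Infected:$")
# Every finding reads: target (Detection.Name) -> [section-specific middle ->] action.
ITEM_RE = re.compile(r"^(?P<target>.+?) \((?P<detection>[^()]+)\) -> (?P<rest>.+)$")
BAD_RE = re.compile(r"Bad: \((?P<bad>.*?)\) Good:")
# Autostart locations that appear in the post's logs; a hit means the malware had persistence.
AUTOSTART_MARKERS = ("\\currentversion\\run\\", "\\winlogon\\shell", "\\currentversion\\windows\\load")

def parse_mbam_log(text):
    # Returns one dict per finding: section, target, detection, action, bad (data-item payload).
    findings, section = [], None
    for line in text.splitlines():
        line = line.strip()
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group(1)
            continue
        item = ITEM_RE.match(line) if section else None
        if not item:
            continue  # blanks, header lines, "(No malicious items detected)"
        rest = item.group("rest")
        bad = BAD_RE.search(rest)
        findings.append({"section": section, "target": item.group("target"),
                         "detection": item.group("detection"),
                         "action": rest.rsplit("-> ", 1)[-1].rstrip("."),
                         "bad": bad.group("bad") if bad else None})
    return findings

def summarize(findings):
    # Counts per section plus the two lists worth re-checking before calling the machine clean.
    persistence = [f for f in findings if f["section"].startswith("Registry")
                   and any(m in f["target"].lower() for m in AUTOSTART_MARKERS)]
    pending = [f for f in findings if "reboot" in f["action"].lower()]
    return {"by_section": dict(Counter(f["section"] for f in findings)),
            "persistence": persistence, "pending": pending}
```

On the post's logs this flags three autostart entries and one file that MBAM could only schedule for deletion at the next reboot, which on a machine that no longer boots is worth verifying from the other PC.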

#2 Elise

Posted 22 July 2011 - 11:50 AM

Hello, and sorry for the delay.

Try this please. You will need a USB drive.

  • Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and when finished will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Next download driver.sh to your USB drive
  • Remove the USB & CD and insert them in the sick computer
  • Boot the sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2... usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Confirm that you see driver.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh
  • Press Enter
  • After it has finished a report will be located on your USB drive named report.txt
  • Remove the USB drive and insert it back in your working computer and navigate to report.txt

Please note - all text entries are case sensitive
Copy and paste the report.txt for my review

regards, Elise
