
Rootkit infection trojan:dos/alureon.a and trojan:dos/alureon.dx


86 replies to this topic

#1 gabstercol

gabstercol

  • Members
  • 192 posts
  • Gender:Female

Posted 22 July 2011 - 12:41 PM

I came from the security forum, sent by boopme. We found a rootkit infection and he said I had a virus-like driver modification. It started as a rootkit infection from a link. It showed the trojan dos alureon.a and .dx. Then found many trojan droppers. I have not been able to use Google to search since the hit because I am being forced into redirects. We have been working on it for a few days now and then boopme said to come to you. He told me, rather than use GMER, to use RKunhooker, and he asked me to post that log here. We already did a TDSS and a rkill and the rootkit still has it hooked up in a mess.

Here is the DDS log followed by the RKunhooker log. I attached the attach.txt also. Thanks for your help with this.
Gabstercol.



DDS (Ver_11-05-19.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Gabi at 6:50:03 on 2011-07-22
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2560 [GMT -10:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\program files\real\realplayer\update\realsched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Gabi\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Gabi\Desktop\dds.scr
C:\WINDOWS\system32\WSCRIPT.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all

users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program

files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Google Update] "c:\documents and settings\gabi\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimagehome\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} -

hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} -

hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1293658675125
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop

search\MSNLNamespaceMgr.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft

office\office12\GrooveShellExtensions.dll
.
============= SERVICES / DRIVERS ===============
.
R0 tdrpman228;Acronis Try&Decide and Restore Points filter (build 228);c:\windows\system32\drivers\tdrpm228.sys [2009-12-17 902592]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-6 135664]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-12-17 1684736]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-6 135664]
S4 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe

[2008-8-14 284016]
S4 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-9-25 189736]
S4 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\mpfilter.sys --> c:\windows\system32\drivers\MpFilter.sys [?]
S4 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-13 14336]
.
=============== File Associations ===============
.
.txt=
.
=============== Created Last 30 ================
.
2011-07-19 10:32:43 -------- d-----w- c:\program files\ESET
2011-07-18 09:39:02 89088 ----a-w- C:\mbr.exe
2011-07-18 01:13:57 -------- d-----w- c:\windows\system32\XPSViewer
2011-07-17 12:53:21 -------- d-----w- c:\windows\system32\MpEngineStore
2011-07-17 10:56:17 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-07-17 10:56:17 -------- d-----w- c:\windows\system32\wbem\Repository
2011-07-17 10:55:28 -------- d-----w- c:\documents and settings\gabi\local settings\application

data\{07DB3D1E-647E-4F6D-9265-D399519624A7}
2011-07-17 09:46:25 -------- d-----w- c:\documents and settings\gabi\local settings\application

data\{07DB3D1E-647E-4F6D-9265-D399519624A7}(2)
2011-07-08 16:38:06 -------- d-----w- c:\windows\SxsCaPendDel
.
==================== Find3M ====================
.
2011-07-17 10:21:42 0 ----a-w- c:\windows\Pmubutagesag.bin
2011-06-21 20:38:56 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-17 00:37:37 72080 ----a-w- c:\documents and settings\gabi\g2mdlhlpx.exe
2011-06-02 14:07:35 1867904 ----a-w- c:\windows\system32\win32k.sys
2011-05-29 19:11:30 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 19:11:20 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-02 15:30:48 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:23:45 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:47:42 457856 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-26 11:07:50 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-04-26 11:07:50 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-04-25 16:09:34 919552 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:09:34 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 16:09:34 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-04-25 11:36:45 385024 ----a-w- c:\windows\system32\html.iec
.
============= FINISH: 6:50:08.95 ===============

Here is the RK unhooker log.


.
DDS (Ver_11-05-19.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Gabi at 6:50:03 on 2011-07-22
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2560 [GMT -10:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\program files\real\realplayer\update\realsched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Gabi\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Gabi\Desktop\dds.scr
C:\WINDOWS\system32\WSCRIPT.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all

users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program

files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Google Update] "c:\documents and settings\gabi\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimagehome\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} -

hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} -

hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1293658675125
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop

search\MSNLNamespaceMgr.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft

office\office12\GrooveShellExtensions.dll
.
============= SERVICES / DRIVERS ===============
.
R0 tdrpman228;Acronis Try&Decide and Restore Points filter (build 228);c:\windows\system32\drivers\tdrpm228.sys [2009-12-17 902592]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-6 135664]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-12-17 1684736]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-6 135664]
S4 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe

[2008-8-14 284016]
S4 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-9-25 189736]
S4 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\mpfilter.sys --> c:\windows\system32\drivers\MpFilter.sys [?]
S4 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-13 14336]
.
=============== File Associations ===============
.
.txt=
.
=============== Created Last 30 ================
.
2011-07-19 10:32:43 -------- d-----w- c:\program files\ESET
2011-07-18 09:39:02 89088 ----a-w- C:\mbr.exe
2011-07-18 01:13:57 -------- d-----w- c:\windows\system32\XPSViewer
2011-07-17 12:53:21 -------- d-----w- c:\windows\system32\MpEngineStore
2011-07-17 10:56:17 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-07-17 10:56:17 -------- d-----w- c:\windows\system32\wbem\Repository
2011-07-17 10:55:28 -------- d-----w- c:\documents and settings\gabi\local settings\application

data\{07DB3D1E-647E-4F6D-9265-D399519624A7}
2011-07-17 09:46:25 -------- d-----w- c:\documents and settings\gabi\local settings\application

data\{07DB3D1E-647E-4F6D-9265-D399519624A7}(2)
2011-07-08 16:38:06 -------- d-----w- c:\windows\SxsCaPendDel
.
==================== Find3M ====================
.
2011-07-17 10:21:42 0 ----a-w- c:\windows\Pmubutagesag.bin
2011-06-21 20:38:56 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-17 00:37:37 72080 ----a-w- c:\documents and settings\gabi\g2mdlhlpx.exe
2011-06-02 14:07:35 1867904 ----a-w- c:\windows\system32\win32k.sys
2011-05-29 19:11:30 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 19:11:20 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-02 15:30:48 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:23:45 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:47:42 457856 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-26 11:07:50 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-04-26 11:07:50 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-04-25 16:09:34 919552 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:09:34 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 16:09:34 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-04-25 11:36:45 385024 ----a-w- c:\windows\system32\html.iec
.
============= FINISH: 6:50:08.95 ===============
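The DDS output above is what a responder actually works from, and a few line types in it are the first things to check: a toolbar or BHO registration whose file is gone ("- No File"), a driver entry DDS could not read from disk ("[?]"), a zero-byte file with a random-looking name sitting directly under the Windows directory (c:\windows\Pmubutagesag.bin in the Find3M section), and the DHCP-assigned DNS servers, since forced browser redirects can come from changed DNS settings. The following triage script is an added example for this thread; it is not a tool from the thread, from DDS, or from BleepingComputer. It assumes only the section layout DDS uses (a title between runs of "=" and "." separators), and the sample log embedded in it is a constructed excerpt modelled on lines from the thread.

```python
"""Triage helper for a DDS log pasted into a malware-removal thread.

Added example, not a tool from this thread, from DDS or from BleepingComputer.
It parses the section layout DDS uses (a title between runs of '=' and '.'
separators) and flags the entries a responder checks first: registrations whose
file is gone, drivers whose file DDS could not find on disk ("[?]"), and
zero-byte files dropped directly under the Windows directory. The sample log
below is a constructed excerpt modelled on lines from the thread.
"""
import re

# Constructed sample: a cut-down DDS log in the same format as the thread's logs.
SAMPLE_DDS = r"""
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\Documents and Settings\Gabi\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
LSP: mswsock.dll
TCP: DhcpNameServer = 72.235.80.12 72.235.80.4
TCP: Interfaces\{A2D3B01B-1F33-4FE0-B85D-AD835BAADFAB} : DhcpNameServer = 72.235.80.12 72.235.80.4
.
============= SERVICES / DRIVERS ===============
.
R0 tdrpman228;Acronis filter;c:\windows\system32\drivers\tdrpm228.sys [2009-12-17 902592]
S4 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\mpfilter.sys --> c:\windows\system32\drivers\MpFilter.sys [?]
.
==================== Find3M ====================
.
2011-07-17 10:21:42 0 ----a-w- c:\windows\Pmubutagesag.bin
2011-06-02 14:07:35 1867904 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 6:50:08.95 ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# "<date> <time> <size or dashes> <attrs> <path>", the layout of Find3M / Created Last 30
FILE_LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\d+|-+) (\S+) (.+)$")
DNS_RE = re.compile(r"DhcpNameServer = (.+)$")


def parse_sections(text):
    """Map each DDS section title to its entry lines, with '.' separators dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line and line != ".":
            sections[current].append(line)
    return sections


def dns_servers(text):
    """Return the DHCP-assigned DNS servers DDS recorded, in order, without duplicates.
    The responder compares these with the ISP's servers; redirects are one symptom
    of DNS settings that have been changed on the host."""
    seen = []
    for line in parse_sections(text).get("Pseudo HJT Report", []):
        m = DNS_RE.search(line)
        if m:
            for server in m.group(1).split():
                if server not in seen:
                    seen.append(server)
    return seen


def triage(text):
    """Return (tag, line) pairs for the entries worth a second look."""
    findings = []
    sections = parse_sections(text)
    for line in sections.get("Pseudo HJT Report", []):
        if line.endswith("- No File"):           # registration whose file is gone
            findings.append(("orphaned-entry", line))
    for line in sections.get("SERVICES / DRIVERS", []):
        if line.endswith("[?]"):                 # DDS could not read the driver file
            findings.append(("driver-file-missing", line))
    for section in ("Created Last 30", "Find3M"):
        for line in sections.get(section, []):
            m = FILE_LINE_RE.match(line)
            if not m:
                continue
            size, path = m.group(3), m.group(5).lower()
            # a zero-byte file directly under c:\windows (not in a subfolder) is unusual
            if size == "0" and path.startswith("c:\\windows\\") and path.count("\\") == 2:
                findings.append(("zero-byte-in-windows", line))
    return findings


if __name__ == "__main__":
    for tag, line in triage(SAMPLE_DDS):
        print(f"{tag:22} {line}")
    print("DNS:", ", ".join(dns_servers(SAMPLE_DDS)))
```

Run against the sample it flags the orphaned toolbar entry, the MpFilter driver line and the zero-byte .bin file, and lists the two DNS servers once each. The checks deliberately stay on the facts DDS itself records (a missing file, an unreadable driver, a zero size, a path depth); deciding whether a flagged file is malicious is still the responder's call, which is why the script returns the original lines rather than a verdict.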



#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,604 posts
  • Gender:Male

Posted 02 August 2011 - 10:20 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you!

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

First, I need to know if you still need help! To tell me this, please click on http://www.bleepingcomputer.com/logreply/410704 and follow the instructions there. If you no longer need help, this is all you need to do. If you do need help please continue below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 04 August 2011 - 06:36 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having, as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool until instructed to do so!


Click on the Watch Topic button, select Immediate Notification and click on Proceed; this will help you get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

Edited by gringo_pr, 04 August 2011 - 06:37 PM.

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#4 gabstercol

gabstercol
  • Topic Starter

  • Members
  • 192 posts
  • Gender:Female

Posted 04 August 2011 - 06:56 PM

Hi Gringo and thank you for finally coming to my rescue.
I have been waiting a long time and had a rootkit attach itself to my computer, and it seems like it has a device working in some hidden virtual space, because every time I start my computer and the internet hooks up it seems like it has all these things starting up. I set a sound to that concept so I hear all these things starting, and it never did that before. Please be aware that many things may be different in the computer now, since these logs are old, from 10 days ago. They told me not to do anything till someone helps me, but because it has been 10 days and my computer was failing I had to keep removing the infection on the surface. I have run a scan using HouseCall by Trend Micro, and that program has gotten so much better than it used to be; it found 32 trojans that night and since then the computer has been running much better. But it still has a lot of stuff starting up when the internet starts that does not sound right. That part has not gone away from the initial hit. But the reason I ran HouseCall was because it was not getting me on the internet. That would mean I can't reach you guys, so I ran SUPERAntiSpyware but never let them finish, and I ran Hitman Pro and it found stuff, and then HouseCall was the winner from those 3 and it helped it stay alive in the last week. So if you are using these old logs of 10 days ago and you want fresh logs of GMER and DDS, which I ran last night again, then you can ask me for those. I love Combofix, but you may be going right to that fix based on the logs you saw from the 22nd of July, and that was a long time ago. I couldn't just do nothing or I wouldn't have had a computer to work with today.

So my question to you is: do you need fresh logs of GMER and DDS or any other program? I have them all downloaded and I can update you so you can help me most effectively.

Thank you. Gabstercol

#5 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 04 August 2011 - 07:06 PM

Go ahead and send me those reports.


gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#6 gabstercol

gabstercol
  • Topic Starter

  • Members
  • 192 posts
  • Gender:Female

Posted 05 August 2011 - 11:47 AM

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Gabi at 5:54:08 on 2011-08-05
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2276 [GMT -10:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\program files\real\realplayer\update\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all

users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimagehome\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} -

hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} -

hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1293658675125
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
TCP: DhcpNameServer = 72.235.80.12 72.235.80.4
TCP: Interfaces\{A2D3B01B-1F33-4FE0-B85D-AD835BAADFAB} : DhcpNameServer = 72.235.80.12 72.235.80.4
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop

search\MSNLNamespaceMgr.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft

office\office12\GrooveShellExtensions.dll
.
============= SERVICES / DRIVERS ===============
.
R0 tdrpman228;Acronis Try&Decide and Restore Points filter (build 228);c:\windows\system32\drivers\tdrpm228.sys [2009-12-17 902592]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-6 135664]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-12-17 1684736]
S3 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-12-18 189736]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-6 135664]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [2011-7-28 21064]
S4 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-14 284016]
S4 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\mpfilter.sys --> c:\windows\system32\drivers\MpFilter.sys [?]
S4 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-13 14336]
.
=============== File Associations ===============
.
.txt=
.
=============== Created Last 30 ================
.
2011-08-03 11:58:15 -------- d-----w- c:\program files\CCleaner
2011-07-31 18:01:00 1404208 ----a-w- C:\tdsskiller.exe
2011-07-31 17:48:46 22032 ----a-w- c:\windows\DCEBoot.exe
2011-07-31 11:22:28 200464 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-07-31 01:27:40 -------- d-----w- c:\program files\Carbonite
2011-07-29 16:51:54 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2011-07-28 17:10:18 21064 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-07-28 17:10:18 -------- d-----w- c:\program files\Hitman Pro 3.5
2011-07-28 17:09:18 -------- d-----w- c:\documents and settings\all users\application data\Hitman Pro
2011-07-18 09:39:02 77312 ----a-w- C:\mbr.exe
2011-07-18 01:13:57 -------- d-----w- c:\windows\system32\XPSViewer
2011-07-17 12:53:21 -------- d-----w- c:\windows\system32\MpEngineStore
2011-07-17 10:56:17 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-07-17 10:56:17 -------- d-----w- c:\windows\system32\wbem\Repository
2011-07-17 10:55:28 -------- d-----w- c:\documents and settings\gabi\local settings\application data\{07DB3D1E-647E-4F6D-9265-D399519624A7}
2011-07-17 09:46:25 -------- d-----w- c:\documents and settings\gabi\local settings\application data\{07DB3D1E-647E-4F6D-9265-D399519624A7}(2)
2011-07-08 16:38:06 -------- d-----w- c:\windows\SxsCaPendDel
.
==================== Find3M ====================
.
2011-07-17 10:21:42 0 ----a-w- c:\windows\Pmubutagesag.bin
2011-06-21 20:38:56 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-17 00:37:37 72080 ----a-w- c:\documents and settings\gabi\g2mdlhlpx.exe
2011-06-02 14:07:35 1867904 ----a-w- c:\windows\system32\win32k.sys
2011-05-29 19:11:30 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 19:11:20 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
.
============= FINISH: 5:54:28.89 ===============

GMER LOG


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-08-03 08:52:22
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 Hitachi_HDT721010SLA360 rev.ST6OA31B
Running: gmer.exe; Driver: C:\DOCUME~1\Gabi\LOCALS~1\Temp\axdiraod.sys


---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB4E2E380, 0x550AF5, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\program files\real\realplayer\update\realsched.exe[288] kernel32.dll!SetUnhandledExceptionFilter 7C844935 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs tdrpm228.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 tdrpm228.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 tdrpm228.sys (Acronis Try&Decide Volume Filter Driver/Acronis)

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\$NtUninstallKB7107$\3613864667 0 bytes
File C:\WINDOWS\$NtUninstallKB7107$\752273642 0 bytes
File C:\WINDOWS\$NtUninstallKB7107$\752273642\click.tlb 2144 bytes
File C:\WINDOWS\$NtUninstallKB7107$\752273642\L 0 bytes
File C:\WINDOWS\$NtUninstallKB7107$\752273642\L\zniogszn 34688 bytes
File C:\WINDOWS\$NtUninstallKB7107$\752273642\loader.tlb 2540 bytes
File C:\WINDOWS\$NtUninstallKB7107$\752273642\U 0 bytes
File C:\WINDOWS\$NtUninstallKB7107$\752273642\U\@00000001 42512 bytes
File C:\WINDOWS\$NtUninstallKB7107$\752273642\U\@000000c0 2560 bytes
File C:\WINDOWS\$NtUninstallKB7107$\752273642\U\@000000cb 2048 bytes
File C:\WINDOWS\$NtUninstallKB7107$\752273642\U\@000000cf 1536 bytes
File C:\WINDOWS\$NtUninstallKB7107$\752273642\U\@80000000 24576 bytes
File C:\WINDOWS\$NtUninstallKB7107$\752273642\U\@800000c0 33280 bytes
File C:\WINDOWS\$NtUninstallKB7107$\752273642\U\@800000cb 27648 bytes
File C:\WINDOWS\$NtUninstallKB7107$\752273642\U\@800000cf 27648 bytes
File C:\WINDOWS\$NtUninstallKB7107$\752273642\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6} 2048 bytes

---- EOF - GMER 1.0.15 ----


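The DDS timeline and the GMER "Files" section above are the raw material a helper works from, and a few of the entries stand out on their own: a zero-byte file dropped straight into c:\windows on the day the poster says the machine was hit, and a cluster of files under a folder named like a Windows hotfix uninstall directory but with an implausibly short KB number and '@'-prefixed names. The script below is an added example for this thread, not part of DDS, GMER or any other tool mentioned here. It parses the two log formats and applies those checks so they can be run over a full log rather than eyeballed. The sample lines are copied from the logs posted above; the heuristics (minimum KB digit count, '@'-prefixed names, zero-byte files in the Windows directory, the one-day window after the hit date) are assumptions, not GMER or DDS rules.

```python
"""
Triage helper for DDS and GMER log excerpts (added example for this thread;
not part of DDS, GMER or any tool mentioned in it). The sample lines are
copied from the logs posted above; the heuristics are the example author's
assumptions, not rules published by either tool.
"""
import re
from datetime import date, datetime, timedelta

# Day the poster says the machine was hit (stated in the thread as 7-17-11).
HIT_DATE = date(2011, 7, 17)

# Constructed sample input: lines taken verbatim from the DDS output above.
DDS_SAMPLE = r"""
2011-07-31 18:01:00 1404208 ----a-w- C:\tdsskiller.exe
2011-07-18 09:39:02 77312 ----a-w- C:\mbr.exe
2011-07-17 12:53:21 -------- d-----w- c:\windows\system32\MpEngineStore
2011-07-17 10:21:42 0 ----a-w- c:\windows\Pmubutagesag.bin
2011-06-02 14:07:35 1867904 ----a-w- c:\windows\system32\win32k.sys
"""

# Constructed sample input: lines taken verbatim from the GMER "Files" section above.
GMER_SAMPLE = r"""
---- Files - GMER 1.0.15 ----

File C:\WINDOWS\$NtUninstallKB7107$\752273642\click.tlb 2144 bytes
File C:\WINDOWS\$NtUninstallKB7107$\752273642\L\zniogszn 34688 bytes
File C:\WINDOWS\$NtUninstallKB7107$\752273642\U\@00000001 42512 bytes
File C:\WINDOWS\$NtUninstallKB7107$\752273642\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6} 2048 bytes

---- EOF - GMER 1.0.15 ----
"""

# DDS timeline line: <date> <time> <size, or -------- for a directory> <attrs> <path>
DDS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\S+) (\S+) (.+)$")
# GMER file line: File <path> <size> bytes
GMER_FILE_RE = re.compile(r"^File (.+) (\d+) bytes$")
# Windows hotfix uninstall folders are named $NtUninstallKB<digits>$
KB_DIR_RE = re.compile(r"\$NtUninstallKB(\d+)\$", re.IGNORECASE)


def dds_entries(text):
    """Parse DDS 'Created Last 30' / 'Find3M' lines into dicts."""
    entries = []
    for line in text.splitlines():
        m = DDS_RE.match(line.strip())
        if not m:
            continue
        size = None if m.group(3) == "--------" else int(m.group(3))
        entries.append({
            "date": datetime.strptime(m.group(1), "%Y-%m-%d").date(),
            "size": size,
            "attrs": m.group(4),
            "path": m.group(5),
        })
    return entries


def dds_entries_in_window(text, hit_date, days_after=1):
    """Entries created from hit_date up to days_after days later, inclusive."""
    end = hit_date + timedelta(days=days_after)
    return [e for e in dds_entries(text) if hit_date <= e["date"] <= end]


def zero_byte_files_in_windows_dir(text):
    """Zero-byte files sitting directly in the Windows directory (assumed heuristic)."""
    hits = []
    for e in dds_entries(text):
        parent = e["path"].rpartition("\\")[0]
        if e["size"] == 0 and parent.lower().endswith("\\windows"):
            hits.append(e["path"])
    return hits


def gmer_file_entries(text):
    """Parse the GMER '---- Files ----' section into (path, size) tuples."""
    entries = []
    for line in text.splitlines():
        m = GMER_FILE_RE.match(line.strip())
        if m:
            entries.append((m.group(1), int(m.group(2))))
    return entries


def flag_gmer_entries(text, min_kb_digits=6):
    """Return (path, [reasons]) for GMER file entries that look out of place."""
    flagged = []
    for path, _size in gmer_file_entries(text):
        reasons = []
        kb = KB_DIR_RE.search(path)
        # Assumed heuristic: genuine hotfix folders carry a six-digit or longer KB number.
        if kb and len(kb.group(1)) < min_kb_digits:
            reasons.append("hotfix uninstall folder with a short KB number")
        name = path.rpartition("\\")[2]
        if name.startswith("@"):
            reasons.append("'@'-prefixed file name")
        if kb and name.lower().endswith(".tlb"):
            reasons.append(".tlb stored inside a hotfix uninstall folder")
        if reasons:
            flagged.append((path, reasons))
    return flagged


if __name__ == "__main__":
    for e in dds_entries_in_window(DDS_SAMPLE, HIT_DATE):
        print("DDS  ", e["date"], e["size"], e["path"])
    for p in zero_byte_files_in_windows_dir(DDS_SAMPLE):
        print("DDS0 ", p)
    for p, why in flag_gmer_entries(GMER_SAMPLE):
        print("GMER ", p, "->", "; ".join(why))
```

Run it as-is to see the sample hits, or paste a full DDS or GMER log into the two sample strings; the parsers ignore every line that is not a timeline or File entry, so the rest of the log can stay in place. The checks are deliberately narrow: a short KB number or an '@'-prefixed name is a reason to look closer at a path, not proof of anything, and a helper would still confirm each hit against the rest of the log.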
#7 gringo_pr
    Bleepin Gringo
  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:11 PM

Posted 05 August 2011 - 01:04 PM

Hello



Not seeing much in there, but I still would like you to run combofix at this time.



gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#8 gabstercol
  • Topic Starter
  • Members
  • 192 posts
  • Gender:Female
  • Local time:04:11 PM

Posted 05 August 2011 - 07:03 PM

You got it. I will do that now. Thank you. I want to run it also because, from what I read, this trojan does not leave a whole lot of evidence that it is in the computer, and because I know that now, and because I hear all these hidden devices starting up behind the scenes and can't seem to find or identify them, I am as interested in getting combofix to run and clean up what we can't see.

One question about combofix and the Windows Recovery Console.

I did combofix on this computer before, so it did install the recovery console. However, I think it may have gotten corrupted, since it came up in a previous effort with Bleeping Computer where it didn't seem to work. Will it give me the ability to repair the corrupted one when we run combofix this time? I want to make sure that the recovery console will be working correctly and that it doesn't just see it installed and rely on it. I want to know that it will install over it and replace the old with the new, just to be on the safe side.

Please advise on that. Then, am I following the instructions that you gave me in your first message to me a couple of days ago for the combofix install? I will run it this weekend based on your instructions.

thanks.

#9 gringo_pr
    Bleepin Gringo
  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:11 PM

Posted 05 August 2011 - 07:26 PM

Hello

Remove this folder: C:\cmdcons

Then run combofix and it will install it again.


gringo

#10 gabstercol
  • Topic Starter
  • Members
  • 192 posts
  • Gender:Female
  • Local time:04:11 PM

Posted 05 August 2011 - 08:46 PM

Okay, I tried. It said access is denied.

Do I need to get it out in safe mode? It is a hidden and read-only system file.

thanks.

#11 gringo_pr
    Bleepin Gringo
  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:11 PM

Posted 05 August 2011 - 09:11 PM

It should not give you problems, but try it in safe mode and let me know what happens.


gringo

#12 gringo_pr
    Bleepin Gringo
  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:11 PM

Posted 08 August 2011 - 12:12 AM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • Do you still need help with this?
  • Do you need more time?
  • Are you having problems following my instructions?
  • If after 48 hrs you have not replied to this thread, then it will have to be closed!

Gringo

#13 gabstercol
  • Topic Starter
  • Members
  • 192 posts
  • Gender:Female
  • Local time:04:11 PM

Posted 08 August 2011 - 03:21 AM

Hi there,

I could not delete the file cmdcons. I tried it in safe mode a few different times and it would not do it. I did screen captures of everything I did in safe mode. When it said the file was busy, I captured the file that was busy. I opened the cmdcons folder and it was hidden and read-only. I could change the read-only but not the hidden aspect of it. I was logged in as the administrator.

Because I couldn't delete the cmdcons file, I did not run the program combofix yet. But I did spend some time reviewing things while in safe mode. I pay a lot of attention to my computer, so it is not unusual that I would review things while it wouldn't let me remove it. I think there were some things that are worth mentioning to you so you can help me resolve this. While under this current attack of this trojan, I noticed through scans that we ran that there was a file called netbios.sys that had been forged. I found a file called BIOSINFO.INF in the cmdcons folder. When I would right-click on it, it was thinking that I was changing it, even though I just looked at it, and it was throwing up an alert box that said my changes will not be saved and access is denied. It wasn't even checked as to the read-only or hidden attributes and it was denying me. There was also a file in there called migrate.inf that looked strange too. When I got hit, the one file that was showing as trojan-infected was the netbios.sys file.

So then I pulled the event viewer information and exported and saved the log files, because it was filtering them and would not hold the changes I was making to the filter logging activities. Interesting to note that the system events were started right from the day that I was hit by the trojan, which was 7-17-11. The security logging is only from 8-2-11 to 8-7-11 and there are tons of successful audits of logons in just 1 week's time. That is scary. Then the applications event viewer goes back to 2-4-11. You can review the applications events on 7-17-11 and see exactly how it entered my system and what it did and where it went. I have saved the logs while in safe mode and they really give a vivid picture of how this got in and infiltrated the system. I'm really good at troubleshooting, but that is where my expertise ends. And I am very happy to have your help in resolving it. I am only good at pointing you perhaps in the right direction from what I have noticed that is not well. I believe this trojan could be operating in a different memory space perhaps, or a partition. That is just a wild guess, because my computer is working pretty well considering I have a network infiltration. The administrator, while in safe mode, had a shortcut in C:\documents and settings\administrator\favorites\links that said suggested sites. It was created on 7-17-11, the same day the trojan hit. After viewing the security logs and seeing how many logons are successful daily, and they are not all mine I am sure, and after seeing that the system events started from the same day the trojan hit, I know this is very much hidden and not being revealed by normal means. I think it may be helpful for you to review the system events and the applications events in the log that I saved. You will see also that there is an assembly called side by side which keeps erroring out in the system event viewer.
And when I did a scan with housecall the other day it showed 32 trojans, and the first was in an assembly called GAC MSIL. Please let me know which logs would be helpful, because the current logs are not really showing signs anymore.

I am concerned that this trojan has all my private information running in a separate partition. I only exported the event logs for fear that it would eliminate the evidence of all this intrusion, and because it would not let me delete the cmdcons file. When you told me the other day that you don't see much going on but you still want to run combofix, I do also, but today it seemed like this trojan may have gotten himself well hidden. I will send you any of the logs you want. In the event viewer there are entries showing an avapi device that I haven't seen before either. And I'm thinking this trojan has the cmdcons file taken as a hostage. Yikes.

Please advise me what to do next. I am waiting to run combofix since you said to delete that file first and it would make a new one, but that failed. I very much appreciate your help. Gabstercol.

#14 gabstercol
  • Topic Starter
  • Members
  • 192 posts
  • Gender:Female
  • Local time:04:11 PM

Posted 08 August 2011 - 05:06 PM

Hi Gringo,
Here are the settings that I found under the Startup and Recovery options of the System options in the Control Panel. I clicked the Edit tab and this is what came up as far as those options are concerned. Since they have the cmdcons file in them, that may be important for you to see.

[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect


Also, while in the system info I clicked on Device Manager and clicked to show hidden devices. There were two of them that had yellow exclamation points on them under the non-Plug and Play drivers. I know there never were any of those with an exclamation point previously. One of them is a ParPort driver device and it was showing stopped but automatic under the driver details. I clicked disable only on the driver tab, but not on the general tab. It showed it was not present. Then the other one was one that had shown up in the logs through this trojan issue. It is the one called adfs. It also showed stopped but automatic, so I clicked disable under the driver tab since it also said it is not present. I did not change the general tab, so it still showed it as "use this device (enabled)". I did not want to make any drastic changes in case it would leave my system with a problem. There was also a device in there from Hitman Pro and I disabled that one too, because I uninstalled that program after I used it.

Please advise me what to do next.

Thank you.
Gabstercol.

#15 gabstercol
  • Topic Starter
  • Members
  • 192 posts
  • Gender:Female
  • Local time:04:11 PM

Posted 08 August 2011 - 05:13 PM

I thought you only closed the topics after 5 days. I didn't know it would be a bump issue, so please do not close any of this while we are working on this computer. :o I waited so patiently for a long time to get to you and would hate to think that I would get closed due to a weekend or something. I am a substantial time difference away from you, so please be patient with me. I am very aware that you don't want it to sit around for days, but it was only 2 days, and it was only because I had trouble doing what you had asked me to do. I also use my computer all day every day and can only do the tasks when it is nighttime. Thank you. I'm waiting for your next response to move forward on this.
:wink:



