Rootkit Identified by AVG11 that won't heal during reboot


This topic is locked
113 replies to this topic

#1 InnerGold (Members)

Posted 22 August 2011 - 11:36 PM

Hello, and thank you in advance for helping me with this.

This computer is infected with something in the rootkit that keeps activating each time I go online, eventually causing a countdown shutdown with the error message: "DCOM Server Process Launcher service terminated unexpectedly".
It may be caused by the cryptic32 virus, as that was one of the names that got cleared in one of the scans, as well as Win32.TDSS.reg and numerous other trojans.

I have run Spybot, Malwarebytes, and AVG11 numerous times and all come up infected & healed or cleaned, except the AVG rootkit scan, which AVG attempts to clean and asks for a reboot, but it does not get rid of it: a repeat scan shows it still there after a reboot. So I get a clean system until I go back online again. I also found a randomly named .exe file in the Start folder, which I deleted. All temp files in IE and Firefox have been cleared.

I followed all the directions in the Preparation Guide and hope there is some direction you can give me, please.

Running WinXP SP3 32-bit

Thanks

Here is the DDS File
.
DDS (Ver_2011-06-23.01) - FAT32x86
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Run by User at 20:45:59 on 2011-08-22
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.435 [GMT -8:00]
.
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\Program Files\AVG\AVG10\AVGCHSVX.EXE
C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\system32\spoolsv.exe
SVCHOST.EXE
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Acer\Empowering Technology\admServ.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
SVCHOST.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG10\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\AVG\AVG10\AVGRSX.EXE
C:\Program Files\AVG\AVG10\avgcsrvx.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {724D43A0-0D85-11D4-9908-00400523E39A} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
IE: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: microsoft.com\www.update
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} - hxxp://asp.mathxl.com/wizmodules/testgen/installers/TestGenXInstall.cab
DPF: {48DF87EE-F2DE-11D8-BE7F-302050C10801} - hxxp://www.flyword.com/loaderword_win.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1307580785406
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://dl8-cdn-09.sun.com/s/ESD7/JSCDL/jdk/6u13-b03/jinstall-6u13-windows-i586-jc.cab?e=1239661805905&h=ac1effac9045cdff405c7f085b5dc48f/&filename=jinstall-6u13-windows-i586-jc.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {95D88B35-A521-472B-A182-BB1A98356421} - hxxp://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} - hxxp://asp.mathxl.com/books/_Players/MathPlayer.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Notify: igfxcui - igfxdev.dll
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 80.79.117.219 www.google.com
Hosts: 80.79.117.220 search.yahoo.com
Hosts: 80.79.117.220 www.bing.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\user\application data\mozilla\firefox\profiles\hegi4tiw.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\avg\avg10\firefox4\components\avgssff4.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: AVG Safe Search: {1E73965B-8B48-48be-9C8D-68B920ABC1C4} - c:\program files\avg\avg10\Firefox4
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-2-22 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-1-19 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-1-7 248656]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-3-1 34896]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-2-10 297168]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-4-18 7398752]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]
R2 AWService;AdminWorks Agent X6;c:\acer\empowering technology\admServ.exe [2005-10-24 1314816]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-12-4 24652]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-3-30 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-2-10 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-2-10 27216]
S0 hqhtnfee;hqhtnfee;c:\windows\system32\drivers\fwwxmjfz.sys --> c:\windows\system32\drivers\fwwxmjfz.sys [?]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S1 f619f902;f619f902;c:\windows\system32\drivers\f619f902.sys --> c:\windows\system32\drivers\f619f902.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-8-4 136176]
S2 srv884;srv884;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 36352]
S2 srvF80;srvF80;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 36352]
S2 srvFAC;srvFAC;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 36352]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-8-4 136176]
.
=============== Created Last 30 ================
.
2011-08-22 04:41:44 -------- d-sh--w- C:\FOUND.003
2011-08-18 14:00:09 890368 ----a-w- c:\documents and settings\all users\application data\A67D.tmp
2011-08-17 22:05:36 -------- d-sh--w- C:\FOUND.002
2011-08-16 21:02:26 -------- d-sh--w- C:\FOUND.001
.
==================== Find3M ====================
.
2011-07-07 03:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-07 03:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-08 02:06:12 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
=================== ROOTKIT ====================
.
Windows 5.1.2600 Disk: TOSHIBA_MK1234GAX rev.AC001A -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86B454C0]<<
_asm { MOV EAX, [ESP+0x4]; MOV ECX, [0x86b4c8a4]; PUSH ESI; MOV ESI, [ESP+0xc]; PUSH EDI; MOV EDI, [ESI+0x60]; CMP EAX, [0x86b4c730]; JNZ 0x1f; MOV [ESP+0xc], ECX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A0] -> \Device\Harddisk0\DR0[0x86F51AB8]
3 CLASSPNP[0xF759F05B] -> ntkrnlpa!IofCallDriver[0x804EF1A0] -> \Device\000000b5[0x86F54258]
5 ACPI[0xF7395620] -> ntkrnlpa!IofCallDriver[0x804EF1A0] -> [0x86F43940]
\Driver\atapi[0x86F49A28] -> IRP_MJ_CREATE -> 0x86B454C0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV DI, 0x5; XOR AX, AX; MOV DL, 0x80; INT 0x13; JAE 0x2d; DEC DI; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x86B452E0
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 20:46:49.68 ===============

Attached are Attach.txt, Ark.txt and the log from Malwarebytes' last scan.

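The DDS log in this post already carries the indicators the rest of the thread turns on: three S0/S1 drivers with random names and no file on disk (hqhtnfee -> fwwxmjfz.sys, Lbd, f619f902), three srvXXX services hosted inside svchost.exe -k netsvcs, Hosts entries sending www.google.com, search.yahoo.com and www.bing.com to 80.79.117.x, and a DriverStartIo hook on \Driver\atapi that the MBR detector labels a possible TDL3 infection. The script below is an added example (not code from this thread, from BleepingComputer, or from the DDS/GMER tools) that pulls those out of a pasted DDS log mechanically. Its name heuristics and severity labels are its own assumptions; SAMPLE_LOG is a constructed subset of the lines from the log above.

```python
"""DDS log triage for the indicators visible in the thread's logs.
Added example, not code from the thread or from the DDS/GMER tools. Flags
randomly named or file-less drivers and svchost-hosted services, Hosts-file
redirects to non-loopback addresses, and hooks or warnings in the ROOTKIT
section. The name heuristics and severities are this script's assumptions."""
from __future__ import annotations
import re
from dataclasses import dataclass

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);[^;]*;(.+)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
HOOK_RE = re.compile(r"^(\\Driver\\\S+)\s+(\S+)\s+->\s+(0x[0-9A-Fa-f]+)")
HEX_SUFFIX = re.compile(r"^[a-z]{0,4}[0-9a-f]{3,}$", re.I)  # srv884, f619f902
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxz]{5,}")    # hqhtnfee
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample: a subset of lines copied from the first DDS log above.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 80.79.117.219 www.google.com
============= SERVICES / DRIVERS ===============
.
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-1-19 32592]
S0 hqhtnfee;hqhtnfee;c:\windows\system32\drivers\fwwxmjfz.sys --> c:\windows\system32\drivers\fwwxmjfz.sys [?]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S1 f619f902;f619f902;c:\windows\system32\drivers\f619f902.sys --> c:\windows\system32\drivers\f619f902.sys [?]
S2 srv884;srv884;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 36352]
=================== ROOTKIT ====================
\Driver\atapi DriverStartIo -> 0x86B452E0
Warning: possible TDL3 rootkit infection !
============= FINISH: 20:46:49.68 ===============
"""

@dataclass
class Finding:
    severity: str  # "high", "medium" or "info"
    subject: str   # service name, hostname or hooked driver object
    reason: str

def split_sections(log: str) -> dict[str, list[str]]:
    # Map each '=== NAME ===' header (upper-cased) to its non-empty body lines.
    sections: dict[str, list[str]] = {}
    current = "HEADER"
    for line in (l.rstrip() for l in log.splitlines()):
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1).upper()
            sections.setdefault(current, [])
        elif line and line != ".":
            sections.setdefault(current, []).append(line)
    return sections

def looks_random(name: str) -> bool:
    """Generated-looking name: short prefix plus hex digits, or a 5+ consonant run."""
    return bool(HEX_SUFFIX.match(name)) or (name.islower() and bool(CONSONANT_RUN.search(name)))

def triage_services(lines: list[str]) -> list[Finding]:
    out: list[Finding] = []
    for m in filter(None, map(SERVICE_RE.match, lines)):
        start, name, path_part = m.group(1), m.group(2).strip(), m.group(3)
        first_path = path_part.split(" --> ")[0].split(" [")[0].strip()
        image = first_path.split("\\")[-1].split(" ")[0].lower()   # e.g. fwwxmjfz.sys
        reasons = []
        if looks_random(name):
            reasons.append("random-looking service name")
            if image == "svchost.exe":   # hides among real services in a shared host
                reasons.append("hosted inside svchost.exe " + first_path.partition(".exe ")[2])
        if image.endswith(".sys") and image[:-4] != name.lower() and looks_random(image[:-4]):
            reasons.append("driver file %s does not match the service name" % image)
        if path_part.rstrip().endswith("[?]"):   # DDS could not stat the image file
            reasons.append("%s-start entry whose image file is missing on disk" % start)
        if reasons:
            out.append(Finding("high" if looks_random(name) else "medium", name, "; ".join(reasons)))
    return out

def triage_hosts_and_hooks(hjt: list[str], rootkit: list[str]) -> list[Finding]:
    out: list[Finding] = []
    for line in hjt:
        m = HOSTS_RE.match(line)
        if m and m.group(1) in LOOPBACK:
            out.append(Finding("info", m.group(2), "Hosts entry blocks the host"))
        elif m:
            out.append(Finding("high", m.group(2), "Hosts redirects the host to %s" % m.group(1)))
    for line in rootkit:
        m = HOOK_RE.match(line)
        if m:
            out.append(Finding("high", m.group(1), "%s hooked at %s" % (m.group(2), m.group(3))))
        elif line.startswith("Warning:"):
            out.append(Finding("high", "detector warning", line[8:].strip()))
    return out

def triage(log: str) -> list[Finding]:
    s = split_sections(log)
    findings = triage_services(s.get("SERVICES / DRIVERS", []))
    findings += triage_hosts_and_hooks(s.get("PSEUDO HJT REPORT", []), s.get("ROOTKIT", []))
    return sorted(findings, key=lambda f: ("high", "medium", "info").index(f.severity))

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("[%-6s] %-18s %s" % (f.severity, f.subject, f.reason))
```

On the sample it reports hqhtnfee, f619f902, srv884, www.google.com and the atapi hook as high, Lbd as medium (missing file only) and the loopback spywareinfo entry as info. Two things the heuristics cannot decide by themselves: a [?] entry can also be an orphan left behind by an uninstalled product, so confirm on disk before treating it as malicious; and a hook owned by no listed module, as in the "called modules ... >>UNKNOWN<<" trace above, is exactly the finding that calls for an offline look from rescue media, because a kernel-resident rootkit can lie to every scanner that runs on top of it.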

#2 Blind Faith (Malware Response Team)

Posted 27 August 2011 - 02:06 PM

Hello and welcome to BleepingComputer! :)

I am Blind Faith and I will be helping you out with your problem. Firstly, you should know that we are working with specific tools which are intended to identify the possible threats present on your system, so I will analyze the results they produce.

As a start we need to have some more up-to-date logs than the ones you have already provided. The current state of the files on your system might have changed, so we need to get a clear look at that first. DO NOT make any changes to the system except the ones I tell you to, as that may produce more damage than help.

If you encounter a delay of over 2 days from me, please don't hesitate to private message me.
Please check your topic periodically and subscribe to the topic so that you can receive notifications regarding my replies.

Please generate another DDS log and post it in your next reply along with other changes that may have occurred since you last posted.

Thank you very much for your patience.




Regards,

Elle
Can you hear it? It's all around!

Tomar ki manè acchè?
Yadi thakè, tahalè
Ki kshama kartè paro?
(Do you remember? If you do, then can you forgive?)

If I haven't replied in 48 hours, please feel free to send me a PM.

#3 InnerGold (Topic Starter)

Posted 28 August 2011 - 10:08 PM

Thank you Elle,

I had almost given up hope. I was gone over the weekend but am now back and can work on this machine. While I was waiting I downloaded the AVG Rescue disk and ran it while in safe mode from a bootable flash drive. That cleaned up some things but not all. I have done full system scans with AVG 11 Free, Malwarebytes and Spybot but still keep getting reinfected. The only thing that won't clean up is the rootkit with the AVG scan. I also tried the ESET online scan but the system would crash before getting done.

So here are the current dds.log and dds.attach
.
DDS (Ver_2011-06-23.01) - FAT32x86
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Run by User at 19:56:51 on 2011-08-28
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.482 [GMT -8:00]
.
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\Program Files\AVG\AVG10\avgchsvx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Acer\Empowering Technology\admServ.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {724D43A0-0D85-11D4-9908-00400523E39A} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
IE: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: microsoft.com\www.update
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} - hxxp://asp.mathxl.com/wizmodules/testgen/installers/TestGenXInstall.cab
DPF: {48DF87EE-F2DE-11D8-BE7F-302050C10801} - hxxp://www.flyword.com/loaderword_win.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1307580785406
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://dl8-cdn-09.sun.com/s/ESD7/JSCDL/jdk/6u13-b03/jinstall-6u13-windows-i586-jc.cab?e=1239661805905&h=ac1effac9045cdff405c7f085b5dc48f/&filename=jinstall-6u13-windows-i586-jc.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {95D88B35-A521-472B-A182-BB1A98356421} - hxxp://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} - hxxp://asp.mathxl.com/books/_Players/MathPlayer.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\user\application data\mozilla\firefox\profiles\hegi4tiw.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\avg\avg10\firefox4\components\avgssff4.dll
FF - component: c:\program files\avg\avg10\firefox4\components\avgssff5.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: AVG Safe Search: {1E73965B-8B48-48be-9C8D-68B920ABC1C4} - c:\program files\avg\avg10\Firefox4
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-2-22 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-1-19 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-1-7 248656]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-3-1 34896]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-2-10 297168]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-4-18 7398752]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]
R2 AWService;AdminWorks Agent X6;c:\acer\empowering technology\admServ.exe [2005-10-24 1314816]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-12-4 24652]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-3-30 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-2-10 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-2-10 27216]
S0 hqhtnfee;hqhtnfee;c:\windows\system32\drivers\fwwxmjfz.sys --> c:\windows\system32\drivers\fwwxmjfz.sys [?]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S1 f619f902;f619f902;c:\windows\system32\drivers\f619f902.sys --> c:\windows\system32\drivers\f619f902.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-8-4 136176]
S2 srv884;srv884;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 36352]
S2 srvF80;srvF80;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 36352]
S2 srvFAC;srvFAC;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 36352]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-8-4 136176]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-4-13 41272]
.
=============== Created Last 30 ================
.
2011-08-25 06:31:57 -------- d-----w- c:\program files\ESET
2011-08-22 04:41:44 -------- d-sh--w- C:\FOUND.003
2011-08-17 22:05:36 -------- d-sh--w- C:\FOUND.002
2011-08-16 21:02:26 -------- d-sh--w- C:\FOUND.001
.
==================== Find3M ====================
.
2011-07-07 03:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-07 03:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-08 02:06:12 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: TOSHIBA_MK1234GAX rev.AC001A -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86B654C0]<<
_asm { MOV EAX, [ESP+0x4]; MOV ECX, [0x86b6c8a4]; PUSH ESI; MOV ESI, [ESP+0xc]; PUSH EDI; MOV EDI, [ESI+0x60]; CMP EAX, [0x86b6c730]; JNZ 0x1f; MOV [ESP+0xc], ECX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A0] -> \Device\Harddisk0\DR0[0x86F11AB8]
3 CLASSPNP[0xF75AF05B] -> ntkrnlpa!IofCallDriver[0x804EF1A0] -> \Device\000000b5[0x86EDF510]
5 ACPI[0xF7395620] -> ntkrnlpa!IofCallDriver[0x804EF1A0] -> [0x86F44D98]
\Driver\atapi[0x86BC63E8] -> IRP_MJ_CREATE -> 0x86B654C0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV DI, 0x5; XOR AX, AX; MOV DL, 0x80; INT 0x13; JAE 0x2d; DEC DI; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x86B652E0
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 19:57:58.57 ===============


Thank you again for any help.

#4 Blind Faith (Malware Response Team)

Posted 30 August 2011 - 05:50 PM

Hi there :),

We will begin with ComboFix.exe. Please visit this webpage for download links and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.





Elle

#5 InnerGold (Topic Starter)

Posted 30 August 2011 - 10:24 PM

OK, I disabled AVG and Windows Firewall. The machine was offline but needed to install the Recovery Console. I went back online and it downloaded from Microsoft and installed. ComboFix then started scans and ran lots of them. It froze and reported that Winlogin (or logon) was infected and there was no replacement found and it would have to go deeper or further or something like that. I said OK. It then went through some more stuff and rebooted. I entered the password at the logon screen. Windows XP started to boot up and an error came up saying Windows Explorer encountered a problem and needs to close, and did I want to report/send to Microsoft. I said no. Then another error came up saying the system was going to shut down by NT Authority in 30 seconds, DCOM server process launched. It shut down and rebooted. I re-entered the password and Windows again started to boot up. This time it just went to the "will shut down by NT Authority" error message again. It counted down 30 seconds and now is hanging on the background image of the desktop with no icons. It did not finish, so no log to post yet.

Note: When I went to check to make sure Spybot TeaTimer was not running in "Advanced Mode" in "System Startup", I noticed that there were two start items checked:
crypt32.exe
cryt32.dll or something like that.

I didn't uncheck them but think I should have :)

So now what?? If I don't hear back from you tonight I want to at least shut this down and take it offline. Maybe AVG has started back up since 15 minutes has clicked by...

Please help and try not to make me wait two days if at all possible. Thanks soooo much :)

#6 InnerGold (Topic Starter)

Posted 31 August 2011 - 07:28 PM

I turned the computer back on today and it starts up OK, asks for the logon password, which I put in, then says Windows Explorer has encountered a problem and needs to shut down. It hangs on the desktop image with no icons. A CTRL-ALT-DEL brings up Task Manager. No applications are running.
Here are the services that are running:

avgcsrvx.exe
AVGRSX.EXE
taskmgr.exe
alg.exe
CALMAIN.exe
LSSrvc.exe
JQS.EXE
SVCHOST.EXE Local service
wscnfty.exe
SVCHOST.EXE Network service
SVCHOST.EXE Local service
RegSrvc.exe
S24EMon.exe
EvtEng.exe
SVCHOST.EXE System
SVCHOST.EXE NETWORK SERVICE
SVCHOST.EXE System
LSASS.EXE
SERVICES.EXE
WINLOGON.EXE
CSRSS.EXE
AVGIDSAgent.exe
AVGCHSVX.EXE
SMSS.EXE
AVGNSX.EXE
ViewpointService.exe
SVCHOST.EXE System
admServ.exe
AVGWDSVC.EXE
SVCHOST.EXE Local Service
SPOOLSVC.EXE
System
System Idle Process


While I have been typing this up, this list was updated and now this is also running:
WUAUCLT.EXE, and then it stopped running.

Any ideas??

#7 Blind Faith (Malware Response Team)

Posted 01 September 2011 - 06:14 PM

Hi there,

Sorry for the delay, I'll analyze your problem and come back with a solution later today.





Elle

#8 InnerGold (Topic Starter)

Posted 01 September 2011 - 11:07 PM

OK thank you

#9 InnerGold (Topic Starter)

Posted 02 September 2011 - 08:35 AM

Is there anyone else who can help me? This is taking too long. I guess I will try another forum if I can't get a response except every 2-5 days. I just don't have the money to take this to someone. Obviously ComboFix found a problem/infection with winlogon. Was I supposed to disable the password before running things? Nothing in the instructions said that. Should I boot in safe mode and try Malwarebytes and Spybot again, and then ComboFix? ComboFix has fixed my machine before but I don't know about rootkit infections.

CAN ANYONE HELP ME OR NOT?

Thank you in advance. I have been patient.

#10 InnerGold (Topic Starter)

Posted 03 September 2011 - 11:59 AM

I can get to Task Manager to run whatever needs to be run, even though this computer now hangs at the desktop background image with no icons available.

So what I want to do is start in safe mode and try running something (anything).

Maybe RKill first, then see if I can run the ESET scanner online. The problem is that I keep getting the shutdown message: "Windows Explorer encountered a problem and needs to close" and did I want to report/send to Microsoft. I said no. Then another error came up saying the system was going to shut down by NT Authority in 30 seconds, DCOM server process launched.

URG

#11 InnerGold (Topic Starter)

Posted 03 September 2011 - 12:02 PM

I know you all say to do nothing else and post nowhere else to solve the problem, but don't you think that is a bit unfair, to leave a person hanging?

Should I restart with the Recovery Console?
Safe mode?
Get the big hammer out?
Buy a new computer? LOL

Whatever with you all

Posted 01 September 2011 - 03:14 PM
Hi there,
Sorry for the delay, I'll analyze your problem and come back with a solution later today.

ELLE????????????

#12 Farbar (Security Developer, The Netherlands)

Posted 03 September 2011 - 04:23 PM

Hello InnerGold,

First of all, sincere apologies for the way it has gone up to now. I agree with every word of yours, and it is not fair. From now on I'm going to assist you without any delays other than those caused by the time difference, because we are in different time zones.

The infection is known to us, and with a little opening we will take care of it.

Please bring up Task Manager with CTRL+ALT+DEL. Then under the File menu click "New Task...".
Type in explorer and click OK.
Do you get your desktop?

If not please do the following:

Start in Safe Mode Using the F8 key:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode (not safe mode with networking) menu item.
  • Press the Enter key.
  • Log in to your usual account.

Please let me know if one of those steps gets us to where we can run some tools.

#13 InnerGold

Posted 03 September 2011 - 05:01 PM

Thank you for your help


--Please bring up Task Manager with CTRL+ALT+DEL. Then under the File menu click "New Task...".
Type in explorer and click OK.
Do you get your desktop?

--- No -- gets an error message --- "Windows Explorer has encountered a problem and needs to close. We are sorry for the inconvenience." I don't send the report.


I restarted and pressed F8 ---- now I am entering Safe Mode....I turn off the wireless adapter and take the machine offline....I enter the password and get the same error. I don't send the report.

I try again---- bring up Task Manager with C+A+D and browse to the desktop. Run Rkill. Try to run explorer again but same error.

I have access to some tools on the desktop -- GMER, Defogger, Rkill, Malwarebytes, Spybot, AVG, or ComboFix....but I bet I have to end the AVG process before I can run ComboFix. The list of running processes is listed above. :) Same 33 processes...

any ideas?

#14 Farbar

Posted 03 September 2011 - 05:17 PM

Thanks for the feedback.

We are not going to run ComboFix once more at this time.

We are going to run another tool without starting Explorer.

Please download TDSSKiller.zip and extract it.
  • Copy TDSSKiller.exe to a USB drive.
  • Insert the USB drive into the infected computer.
  • Bring up Task Manager. First find out the drive letter of your USB drive by typing C:\ in the run box and clicking OK.
  • Then type e:\tdsskiller.exe into the run box and click OK (replace e with the drive letter of your USB drive).
  • When TDSSKiller opens click Start scan.
  • When it is finished the utility outputs a list of detected objects with a description.
    The utility automatically selects an action (Cure or Delete) for malicious objects.
    The utility prompts the user to select an action to apply to suspicious objects (Skip, by default). Leave the options as they are and click Continue.
  • Let it reboot if needed and tell me if the tool needed a reboot.
  • Click on Report and post the contents of the text file that will open.
  • Also tell me how the computer starts up after applying the tool.

    Note: By default, the utility writes the log to the root folder of the system disk (usually the disk with the installed operating system, C:\). The log has a name like: TDSSKiller.Version_Date_Time_log.txt.


#15 InnerGold

Posted 03 September 2011 - 05:36 PM

Ok Thank you again for the help

Scan showed infection
Rootkit.boot.Pihar.a

\Device\Harddisk0\DR0 (Rootkit.boot.Pihar.a) - will be cured after reboot
\Device\Harddisk0\DR0 - ok

I rebooted; it wanted to run scandisk but I exited that.
Same boot up as before...enter password, sound comes up, load settings etc, then the same error message that
"Windows Explorer has encountered a problem and needs to close. We are sorry for the inconvenience." I don't send the report.

Hangs at the same place.
I try again---- bring up Task Manager with C+A+D and run TDSSKiller again.... infection not found.

progress :

now what?
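The TDSSKiller report above flags the object on \Device\Harddisk0\DR0, the raw disk device, rather than on a file, which is how a bootkit living in the first sector of the disk shows up. The script below is an added example and is not part of this thread, of TDSSKiller, or of any of the tools named above: it parses a 512-byte Master Boot Record, checks the 55AA signature and partition table for sanity, and compares the boot code bytes (0..439) against a SHA-256 baseline recorded while the machine was known clean. The sample sectors, the partition layout, the stand-in boot code bytes and the baseline hash are all constructed inline so it runs offline; the only real-world input is read_mbr(), which opens the standard Windows raw device path and needs Administrator rights.

```python
"""Added example (not from the thread): parse and sanity-check a 512-byte
Master Boot Record and compare its boot code to a known-good baseline.
TDSSKiller reported Rootkit.boot.Pihar.a on \\Device\\Harddisk0\\DR0, i.e. on
the raw disk rather than in a file, which is what an MBR-resident bootkit
looks like; this check works on those raw sector bytes. All sample sectors,
the baseline hash and the partition layout below are constructed."""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440      # bytes 0..439 hold the boot code
DISK_SIG_OFF = 440       # 4-byte NT disk signature, then 2 reserved bytes
PART_TABLE_OFF = 446     # four 16-byte partition entries
BOOT_SIG_OFF = 510       # 0x55 0xAA marks a bootable sector
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
PART_FMT = "<B3xB3xII"


def parse_partitions(mbr):
    """Return the four primary partition entries as dicts."""
    parts = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            PART_FMT, mbr, PART_TABLE_OFF + 16 * i)
        parts.append({"index": i, "status": status, "active": status == 0x80,
                      "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return parts


def check_mbr(mbr, baseline_code_sha256):
    """Return a list of findings; an empty list means the sector matches the baseline."""
    findings = []
    if len(mbr) != MBR_SIZE:
        return ["sector is %d bytes, expected %d" % (len(mbr), MBR_SIZE)]
    if mbr[BOOT_SIG_OFF:] != b"\x55\xAA":
        findings.append("missing 55AA boot signature")
    code_hash = hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()
    if code_hash != baseline_code_sha256:
        findings.append("boot code differs from baseline (sha256 %s...)" % code_hash[:16])
    parts = parse_partitions(mbr)
    active = [p for p in parts if p["active"]]
    if len(active) != 1:
        findings.append("%d active partitions, expected exactly 1" % len(active))
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            findings.append("partition %d has invalid status byte 0x%02x"
                            % (p["index"], p["status"]))
        if p["type"] != 0 and p["sectors"] == 0:
            findings.append("partition %d has type 0x%02x but zero length"
                            % (p["index"], p["type"]))
    return findings


def read_mbr(path=r"\\.\PhysicalDrive0"):
    """Read sector 0 of a raw disk. Needs Administrator on Windows; use /dev/sda on Linux."""
    with open(path, "rb") as f:
        return f.read(MBR_SIZE)


def build_mbr(boot_code, partitions):
    """Build a 512-byte MBR from boot code and (status, type, lba_start, sectors) tuples.
    Used only to construct test data here."""
    assert len(boot_code) <= BOOT_CODE_LEN
    sector = bytearray(MBR_SIZE)
    sector[:len(boot_code)] = boot_code
    sector[DISK_SIG_OFF:DISK_SIG_OFF + 4] = b"\x12\x34\x56\x78"  # constructed disk signature
    for i, (status, ptype, lba_start, sectors) in enumerate(partitions):
        struct.pack_into(PART_FMT, sector, PART_TABLE_OFF + 16 * i,
                         status, ptype, lba_start, sectors)
    sector[BOOT_SIG_OFF:] = b"\x55\xAA"
    return bytes(sector)


# Constructed stand-in for a clean loader: xor ax,ax / mov ss,ax / mov sp,0x7C00, then zero padding.
CLEAN_BOOT_CODE = b"\x33\xC0\x8E\xD0\xBC\x00\x7C"
# Constructed stand-in for a hijacked sector: a far jump away from the normal loader,
# with the partition table left untouched so the disk still looks normal to the OS.
TAMPERED_BOOT_CODE = b"\xEA\x00\x7C\x00\x00"
# One active NTFS partition starting at sector 63 (constructed, XP-style layout).
LAYOUT = [(0x80, 0x07, 63, 41943040)]

CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, LAYOUT)
TAMPERED_MBR = build_mbr(TAMPERED_BOOT_CODE, LAYOUT)
# Baseline taken from the clean sector; in practice record this while the machine is known clean.
BASELINE_SHA256 = hashlib.sha256(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest()

if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, check_mbr(sector, BASELINE_SHA256) or "OK")
```

One caveat worth keeping in mind: a rootkit that filters disk I/O can hand a clean copy of sector 0 to anything reading it on the running system, which is one reason TDSSKiller applies its cure at reboot. An "OK" from read_mbr() on the infected machine is therefore weaker evidence than the same check run against the disk from clean boot media.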
