
Infected PC - Win32.Bobic? - SAV will not launch


12 replies to this topic

#1 bullfrog65 (Members, 44 posts)

Posted 08 September 2011 - 11:41 PM

Referred to this forum from Broni
See this thread for prior attempts to restore PC and diagnose issue(s). http://www.bleepingcomputer.com/forums/topic417626.html/page__st__45__gopid__2401946#entry2401946

Many of the symptoms seem to have been caught - but Symantec still won't open to GUI and I can't check defs, run scan, etc. - not sure what else or where else the virus may be embedded.

Malwarebytes runs as do other tools that were previously not able to launch.
I do still get startup and shutdown error messages (see above thread for specific details, pls)

Thank you

The DDS Attach.txt file says don't attach to posting unless asked - the Preparation Guide says attach - not sure if or not - so I'm holding off until you say it's needed...

DDS file

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by JBM_1 at 21:00:19 on 2011-09-08
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1094 [GMT -4:00]
.
AV: Symantec AntiVirus Corporate Edition *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://headlines.verizon.com/headlines/portals/headlines.portal
uSearch Bar =
mSearch Bar = hxxp://srch-us7.hpwis.com/
uInternet Settings,ProxyServer = proxy.verizon.com:80
uInternet Settings,ProxyOverride = *.verizon.com;*.gte.com;*.bellatlantic.com
uCustomizeSearch =
uSearchAssistant =
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: PlusIEEventHelper Class: {551a852f-39a6-44a7-9c13-afbec9185a9d} - c:\program files\nuance\pdf professional 7\bin\PlusIEContextMenu.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - c:\program files\norton antivirus\NavShExt.dll
BHO: ZeonIEEventHelper Class: {da986d7d-ccaf-47b2-84fe-bfa1549bebf9} - c:\program files\nuance\pdf professional 7\bin\ZeonIEFavClient.dll
TB: hp toolkit: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\hp\explorebar\HPTOOLKT.DLL
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton antivirus\NavShExt.dll
TB: Nuance PDF: {e3286bf1-e654-42ff-b4a6-5e111731df6b} - c:\program files\nuance\pdf professional 7\bin\ZeonIEFavClient.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: hp toolkit: {8f4902b6-6c04-4ade-8052-aa58578a21bd} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\MSMSGS.EXE" /background
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ISUSPM] "c:\documents and settings\all users\application data\flexnet\connect\11\ISUSPM.exe" -scheduler
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [NAV CfgWiz] c:\progra~1\norton~1\Cfgwiz.exe /R
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [ccRegVfy] "c:\program files\common files\symantec shared\ccRegVfy.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [AutoTBar] c:\hp\bin\autotbar.exe
mRun: [EXSHOW95.EXE] EXSHOW95.EXE
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [strtas] lo71.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [vptray] c:\progra~1\symant~2\VPTray.exe
mRun: [Share-to-Web Namespace Daemon] c:\program files\hewlett-packard\hp share-to-web\hpgs2wnd.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [PivotSoftware] "c:\program files\portrait displays\pivot software\wpctrl.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [snpstd3] c:\windows\vsnpstd3.exe
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [PDFHook] c:\program files\nuance\pdf professional 7\pdfpro7hook.exe
mRun: [PDF7 Registry Controller] c:\program files\nuance\pdf professional 7\RegistryController.exe
mRun: [Nuance PDF Converter Professional 7-reminder] "c:\program files\nuance\pdf professional 7\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\nuance\pdf converter professional 7\ereg\Ereg.ini"
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe
mRun: [IndexSearch] c:\program files\scansoft\paperport\IndexSearch.exe
mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [SetDefPrt] c:\program files\brother\brmfl06b\BrStDvPt.exe
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
mRunServices: [strtas] lo71.exe
dRunOnce: [RunNarrator] Narrator.exe
mPolicies-explorer: <NO NAME> =
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append the content of the link to existing PDF file - c:\program files\nuance\pdf professional 7\bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML
IE: Append the content of the selected links to existing PDF file - c:\program files\nuance\pdf professional 7\bin\ZeonIEFavClient.dll/ZeonIEAppendSelLinks.HTML
IE: Append to existing PDF file - c:\program files\nuance\pdf professional 7\bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML
IE: Create PDF file - c:\program files\nuance\pdf professional 7\bin\ZeonIEFavClient.dll/ZeonIECapture.HTML
IE: Create PDF file from the content of the link - c:\program files\nuance\pdf professional 7\bin\ZeonIEFavClient.dll/ZeonIECapture.HTML
IE: Create PDF files from the selected links - c:\program files\nuance\pdf professional 7\bin\ZeonIEFavClient.dll/ZeonIECaptureSelLinks.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
IE: Locate Spot on Map by GPS - c:\program files\opanda\iexif 2.3\IExifMap.htm
IE: Open with Nuance PDF Converter 7.0 - c:\program files\nuance\pdf professional 7\cnvres_eng.dll /100
IE: Open with PDF Professional 7 - c:\program files\nuance\pdf professional 7\bin\PlusIEContextMenu.dll/PlusIEContextMenu.htm
IE: View Exif/GPS/IPTC with IExif - c:\program files\opanda\iexif 2.3\IExifCom.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: mswsock.dll
Trusted Zone: intuit.com
Trusted Zone: presidentialpcbanking.com\www
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: JavaConnect - hxxp://fhst02.verizon.com/sametime/javaconnect/JavaConnect.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: ST MRC ST31IF1 PMR-90722999000 - hxxp://fwst03.verizon.com/sametime/stmeetingroomclient/STMeetingRoomClient.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} - hxxps://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C} - hxxp://o.aolcdn.com/pictures/ap/Resources/2.0.8.98/cab/aolpPlugins.10.6.0.6.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www2.snapfish.com/SnapfishActivia.cab
DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - hxxp://software-dl.real.com/306ea15714c94464ae16/netzip/RdxIE601.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133240460625
DPF: {7261EE42-318E-490A-AE8F-77649DBA1ECA} - hxxp://ttst03.verizon.com/sametime/stmeetingroomclient/STJNILoader.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38095.83125
DPF: {CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.3.1/jinstall-131_02-win.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://sapevents.webex.com/client/v_mywebex-t20/event/ieatgpc.cab
TCP: DhcpNameServer = 192.168.1.1 71.252.0.12
TCP: Interfaces\{28A72E1A-85B6-491A-A852-EE1852E2AB0A} : DhcpNameServer = 192.168.1.1 71.252.0.12
Handler: junomsg - {C4D10830-379D-11d4-9B2D-00C04F1579A5} - c:\program files\juno5\bin\jmsgpph.dll
Handler: saphtmlp - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files\sap\frontend\controls\SAPHTMLP.DLL
Handler: sapr3 - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files\sap\frontend\controls\SAPHTMLP.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
============= SERVICES / DRIVERS ===============
.
R0 83234288;83234288;c:\windows\system32\drivers\83234288.sys [2011-9-7 133208]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-12-20 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-12-20 54968]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-12-21 186016]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-12-21 177824]
R2 DbgMsg;Debug Message;c:\windows\system32\drivers\DbgMsg.sys [2010-5-8 18240]
R2 marimba;marimba;c:\marimba\castanet tuner\Tuner.exe [2008-9-25 36953]
R2 navapsvc;Norton AntiVirus Auto Protect Service;c:\program files\norton antivirus\Navapsvc.exe [2002-11-15 116336]
R2 Norton PC Checkup Application Launcher;Norton PC Checkup Application Launcher;c:\program files\norton pc checkup\engine\2.0.1.247\SymcPCCULaunchSvc.exe [2009-12-29 123248]
R2 PCCUJobMgr;Common Client Job Manager Service;c:\program files\norton pc checkup\engine\2.0.1.247\ccSvcHst.exe [2009-12-29 126392]
R2 PDFProFiltSrv;PDFProFiltSrv;c:\program files\nuance\pdf professional 7\PDFProFiltSrv.exe [2010-10-16 134944]
R2 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-5-26 169200]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-1-11 24652]
R2 VZWinVnc5;VZ VNC Service 5;c:\windows\system32\winvnc5.exe [2008-12-8 942080]
R2 XCPSPWD;Xerox PrintingScout Status Watcher;c:\program files\xerox office printing\printingscout\XCPWDN.EXE [2007-9-23 90112]
R2 XCPSSDB;Xerox PrintingScout Status Database;c:\program files\xerox office printing\printingscout\XCSDBN.EXE [2007-9-23 135168]
R3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [2007-6-18 2944]
R3 brparimg;Brother Multi Function Parallel Image driver;c:\windows\system32\drivers\BrParImg.sys [2007-6-18 3168]
R3 BrParWdm;Brother WDM Parallel Driver;c:\windows\system32\drivers\BrParwdm.sys [2007-6-18 39552]
R3 BrSerWDM;Brother Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [2007-6-18 60416]
R3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\system32\drivers\BrUsbMdm.sys [2010-8-5 11008]
R3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\drivers\BrUsbScn.sys [2010-8-5 10368]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [2007-4-4 24521]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110903.002\naveng.sys [2011-9-3 86136]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110903.002\navex15.sys [2011-9-3 1576312]
RUnknown 1207006drv;1207006drv; [x]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\googleupdate.exe /svc --> c:\program files\google\update\GoogleUpdate.exe [?]
S2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-5-26 1764592]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2005-12-21 83616]
S3 ExtranetAccess;Contivity VPN Service;c:\program files\nortel networks\Extranet_serv.exe [2005-9-19 811008]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\googleupdate.exe /medsvc --> c:\program files\google\update\GoogleUpdate.exe [?]
S3 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [2005-9-19 155184]
S3 MosIrUsb;MosIrUsb.sys;c:\windows\system32\drivers\MosIrUsb.sys [2010-5-8 20736]
S3 PCDRDRV;Pcdr Helper Driver;\??\c:\progra~1\pc-doc~1\diagno~1\pcdrdrv.sys --> c:\progra~1\pc-doc~1\diagno~1\PCDRDRV.sys [?]
.
=============== Created Last 30 ================
.
2011-09-08 01:52:46 133208 ----a-w- c:\windows\system32\drivers\83234288.sys
2011-09-07 11:06:03 -------- d-----w- c:\documents and settings\jbm_1\application data\Malwarebytes
2011-09-07 11:05:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-09-07 11:05:49 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-09-07 11:05:44 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-07 11:05:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-07 00:50:57 -------- d--h--w- c:\windows\$hf_mig$
2011-09-05 14:03:04 -------- d-----w- c:\documents and settings\jbm_1\application data\SPE
.
==================== Find3M ====================
.
2011-09-08 02:41:37 439808 ----a-w- c:\windows\system32\searchindexer.exe
2011-09-07 00:10:28 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2011-09-05 08:47:57 942080 ----a-w- c:\windows\system32\winvnc5.exe
2011-09-05 08:47:07 159810 ----a-w- c:\windows\system32\nvsvc32.exe
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36:30 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36:30 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05:13 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll
.
============= FINISH: 21:03:08.01 ===============

GMER file

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-09-08 21:33:17
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\JBM_1\LOCALS~1\Temp\uxldapob.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\1207006drv.sys ZwAdjustPrivilegesToken [0xAF761690]
SSDT \SystemRoot\system32\DRIVERS\1207006drv.sys ZwClose [0xAF761F94]
SSDT \SystemRoot\system32\DRIVERS\1207006drv.sys ZwConnectPort [0xAF762DC8]
SSDT \SystemRoot\system32\DRIVERS\1207006drv.sys ZwCreateEvent [0xAF763312]
SSDT \SystemRoot\system32\DRIVERS\1207006drv.sys ZwCreateFile [0xAF762270]
SSDT \SystemRoot\system32\DRIVERS\1207006drv.sys ZwCreateKey [0xAF760500]
SSDT \SystemRoot\system32\DRIVERS\1207006drv.sys ZwCreateMutant [0xAF7631F8]
SSDT \SystemRoot\system32\DRIVERS\1207006drv.sys ZwCreateNamedPipeFile [0xAF76127E]
SSDT \SystemRoot\system32\DRIVERS\1207006drv.sys ZwCreatePort [0xAF7630CC]
SSDT \SystemRoot\system32\DRIVERS\1207006drv.sys ZwCreateSection [0xAF761426]
SSDT \SystemRoot\system32\DRIVERS\1207006drv.sys ZwCreateSemaphore [0xAF763432]
SSDT \SystemRoot\system32\DRIVERS\1207006drv.sys ZwCreateThread [0xAF761C1C]
SSDT \SystemRoot\system32\DRIVERS\1207006drv.sys ZwCreateWaitablePort [0xAF763162]
SSDT \SystemRoot\system32\DRIVERS\1207006drv.sys ZwDebugActiveProcess [0xAF764B1A]
SSDT \SystemRoot\system32\DRIVERS\1207006drv.sys ZwDeleteKey [0xAF760B0A]
SSDT \SystemRoot\system32\DRIVERS\1207006drv.sys ZwDeleteValueKey [0xAF760EBE]
SSDT \SystemRoot\system32\DRIVERS\1207006drv.sys ZwDeviceIoControlFile [0xAF7626F2]
SSDT \SystemRoot\system32\DRIVERS\1207006drv.sys ZwDuplicateObject [0xAF765D26]
SSDT \SystemRoot\system32\DRIVERS\1207006drv.sys ZwEnumerateKey [0xAF76100A]
SSDT \SystemRoot\system32\DRIVERS\1207006drv.sys ZwEnumerateValueKey [0xAF7610A2]
SSDT \SystemRoot\system32\DRIVERS\1207006drv.sys ZwFsControlFile [0xAF762500]
SSDT \SystemRoot\system32\DRIVERS\1207006drv.sys ZwLoadDriver [0xAF764C0C]
SSDT \SystemRoot\system32\DRIVERS\1207006drv.sys ZwLoadKey [0xAF7604DC]
SSDT \SystemRoot\system32\DRIVERS\1207006drv.sys ZwLoadKey2 [0xAF7604EE]
SSDT \SystemRoot\system32\DRIVERS\1207006drv.sys ZwMapViewOfSection [0xAF765374]
SSDT \SystemRoot\system32\DRIVERS\1207006drv.sys ZwNotifyChangeKey [0xAF7611CE]
SSDT \SystemRoot\system32\DRIVERS\1207006drv.sys ZwOpenEvent [0xAF7633A8]
SSDT \SystemRoot\system32\DRIVERS\1207006drv.sys ZwOpenFile [0xAF762016]
SSDT \SystemRoot\system32\DRIVERS\1207006drv.sys ZwOpenKey [0xAF7606C0]
SSDT \SystemRoot\system32\DRIVERS\1207006drv.sys ZwOpenMutant [0xAF763288]
SSDT \SystemRoot\system32\DRIVERS\1207006drv.sys ZwOpenProcess [0xAF7618CC]
SSDT \SystemRoot\system32\DRIVERS\1207006drv.sys ZwOpenSection [0xAF76510E]
SSDT \SystemRoot\system32\DRIVERS\1207006drv.sys ZwOpenSemaphore [0xAF7634C8]
SSDT \SystemRoot\system32\DRIVERS\1207006drv.sys ZwOpenThread [0xAF7617BE]
SSDT \SystemRoot\system32\DRIVERS\1207006drv.sys ZwQueryKey [0xAF76113A]
SSDT \SystemRoot\system32\DRIVERS\1207006drv.sys ZwQueryMultipleValueKey [0xAF760D72]
SSDT \SystemRoot\system32\DRIVERS\1207006drv.sys ZwQuerySection [0xAF7656AE]
SSDT \SystemRoot\system32\DRIVERS\1207006drv.sys ZwQueryValueKey [0xAF76099C]
SSDT \SystemRoot\system32\DRIVERS\1207006drv.sys ZwQueueApcThread [0xAF764FA0]
SSDT \SystemRoot\system32\DRIVERS\1207006drv.sys ZwRenameKey [0xAF760C2C]
SSDT \SystemRoot\system32\DRIVERS\1207006drv.sys ZwReplaceKey [0xAF75FF16]
SSDT \SystemRoot\system32\DRIVERS\1207006drv.sys ZwReplyPort [0xAF76382C]
SSDT \SystemRoot\system32\DRIVERS\1207006drv.sys ZwReplyWaitReceivePort [0xAF7636F2]
SSDT \SystemRoot\system32\DRIVERS\1207006drv.sys ZwRequestWaitReplyPort [0xAF7648B4]
SSDT \SystemRoot\system32\DRIVERS\1207006drv.sys ZwRestoreKey [0xAF76028E]
SSDT \SystemRoot\system32\DRIVERS\1207006drv.sys ZwResumeThread [0xAF765BC8]
SSDT \SystemRoot\system32\DRIVERS\1207006drv.sys ZwSaveKey [0xAF75FEAE]
SSDT \SystemRoot\system32\DRIVERS\1207006drv.sys ZwSecureConnectPort [0xAF762B0E]
SSDT \SystemRoot\system32\DRIVERS\1207006drv.sys ZwSetContextThread [0xAF761E38]
SSDT \SystemRoot\system32\DRIVERS\1207006drv.sys ZwSetInformationToken [0xAF764154]
SSDT \SystemRoot\system32\DRIVERS\1207006drv.sys ZwSetSecurityObject [0xAF764DAA]
SSDT \SystemRoot\system32\DRIVERS\1207006drv.sys ZwSetSystemInformation [0xAF7657FE]
SSDT \SystemRoot\system32\DRIVERS\1207006drv.sys ZwSetValueKey [0xAF760816]
SSDT \SystemRoot\system32\DRIVERS\1207006drv.sys ZwSuspendProcess [0xAF7658F0]
SSDT \SystemRoot\system32\DRIVERS\1207006drv.sys ZwSuspendThread [0xAF765A2A]
SSDT \SystemRoot\system32\DRIVERS\1207006drv.sys ZwSystemDebugControl [0xAF764A3E]
SSDT \SystemRoot\system32\DRIVERS\1207006drv.sys ZwTerminateProcess [0xAF761A68]
SSDT \SystemRoot\system32\DRIVERS\1207006drv.sys ZwTerminateThread [0xAF7619C8]
SSDT \SystemRoot\system32\DRIVERS\1207006drv.sys ZwUnmapViewOfSection [0xAF765552]
SSDT \SystemRoot\system32\DRIVERS\1207006drv.sys ZwWriteVirtualMemory [0xAF761B52]

INT 0x2D \??\C:\WINDOWS\System32\Drivers\DbgMsg.sys (Driver for Compuware Driver Monitor application/Compuware Corporation - NuMega Lab) B225AC90

Code \SystemRoot\system32\DRIVERS\1207006drv.sys FsRtlCheckLockForReadAccess
Code \SystemRoot\system32\DRIVERS\1207006drv.sys IoIsOperationSynchronous

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution + 1FA 804E4A54 12 Bytes [0C, 4C, 76, AF, DC, 04, 76, ...] {OR AL, 0x4c; JBE 0xffffffffffffffb3; FADD QWORD [ESI+ESI*2]; SCASD ; OUT DX, AL ; ADD AL, 0x76; SCASD }
.text ntoskrnl.exe!ZwYieldExecution + 376 804E4BD0 16 Bytes [2C, 0C, 76, AF, 16, FF, 75, ...]
.text ntoskrnl.exe!ZwYieldExecution + 46A 804E4CC4 12 Bytes [F0, 58, 76, AF, 2A, 5A, 76, ...]
.text ntoskrnl.exe!IoIsOperationSynchronous 804EAFCE 5 Bytes JMP AF7543AC \SystemRoot\system32\DRIVERS\1207006drv.sys
.text ntoskrnl.exe!FsRtlCheckLockForReadAccess 804F45B3 5 Bytes JMP AF753FD0 \SystemRoot\system32\DRIVERS\1207006drv.sys
.text C:\WINDOWS\System32\DRIVERS\nv4_mini.sys section is writeable [0xB94C3360, 0x24BB1D, 0xE8000020]
? system32\DRIVERS\1207006drv.sys The system cannot find the path specified. !
? C:\DOCUME~1\JBM_1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Google\Chrome\Application\chrome.exe[408] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[408] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[408] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[408] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[408] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[408] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[408] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[408] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[408] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[408] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90EC1A
.text C:\Program Files\Google\Chrome\Application\chrome.exe[408] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[408] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[408] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[408] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[408] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[408] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[408] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[408] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90EC8B
.text C:\Program Files\Google\Chrome\Application\chrome.exe[408] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[408] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[408] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[408] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90EDB9
.text C:\Program Files\Google\Chrome\Application\chrome.exe[408] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[408] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[408] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[408] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[408] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[408] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[408] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[408] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
.text C:\WINDOWS\system32\SearchIndexer.exe[2140] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
? C:\DOCUME~1\JBM_1\LOCALS~1\Temp\4880663\1207006.exe[2748] C:\WINDOWS\system32\ntdll.dll time/date stamp mismatch;
? C:\DOCUME~1\JBM_1\LOCALS~1\Temp\4880663\1207006.exe[2748] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
.text C:\DOCUME~1\JBM_1\LOCALS~1\Temp\4880663\1207006.exe[2748] USER32.dll!AlignRects 7E412A78 4 Bytes [70, 11, 34, 6C] {JO 0x13; XOR AL, 0x6c}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3216] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3216] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3216] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3216] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3216] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3216] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3216] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3216] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3216] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3216] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90EC1A
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3216] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3216] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3216] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3216] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3216] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3216] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3216] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3216] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90EC8B
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3216] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3216] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3216] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3216] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90EDB9
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3216] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3216] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3216] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3216] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3216] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3216] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3216] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3216] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
.text C:\program files\real\realplayer\update\realsched.exe[3740] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

Edited by bullfrog65, 08 September 2011 - 11:46 PM.




#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,600 posts
  • Gender:Male
  • Local time:09:11 PM

Posted 13 September 2011 - 11:45 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/418156 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 bullfrog65

bullfrog65
  • Topic Starter

  • Members
  • 44 posts
  • Local time:08:11 PM

Posted 14 September 2011 - 12:41 PM

Yes, I still need help.
PC still infected in some form or fashion.
I am out of town, but should be able to remote access the machine, but not until later this evening. Very, very little activity has occurred, I would expect the DDS and GMER files to be current - but will re-run tonight - my only change was to install TeamViewer to allow me to remote to the PC while I was working out of town.
The machine came pre-installed and I do not have the original Windows CD. I do have a very old Restore CD.
I do have a spare licensed copy of Windows XP Pro, but it's not the original Media Center edition for this machine.

The symptoms were documented in the linked thread Broni helped me with.
Right now I can't get Symantec AV (Corp Edition) to open (though I did get a 'your virus definitions are out of date' message this past Sunday (11th)). Because of the virus, my machine is locked out from the corporate network as something is unable to register, but that never stopped LiveUpdate from working - that only requires internet access, not access to my corporate network.
IE is currently not redirecting, Malwarebytes appears to be running and was this past weekend catching items (one or two) that popped up.

Thanks!

#4 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:08:11 PM

Posted 14 September 2011 - 04:28 PM

IMPORTANT NOTE: One or more of the identified infections is a backdoor Trojan. Backdoor Trojans, Botnets, and IRCBots are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is then sent back to the hacker. Read Danger: Remote Access Trojans.

You should disconnect the computer from the Internet and from any networked computers until it is cleaned. If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay, paypal and any online activities which require a username and password. You should consider them to be compromised and change passwords from a clean computer, not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified immediately of the possible security breach. Failure to notify your financial institution and local law enforcement can result in refusal to reimburse funds lost due to fraud or similar criminal activity. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again.

Although the infection has been identified and may be removed, your machine has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be successfully cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

> Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:
> Reimaging the system
> Restoring the entire system using a full system backup from before the backdoor infection
> Reformatting and reinstalling the system

Backdoors and What They Mean to You

This is what Jesper M. Johansson at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?

> The only way to clean a compromised system is to flatten and rebuild. That's right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).


Because your computer was compromised please read:


After reading this, if you wish to proceed further, let me know.

"Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#5 bullfrog65

bullfrog65
  • Topic Starter

  • Members
  • 44 posts
  • Local time:08:11 PM

Posted 14 September 2011 - 05:28 PM

Fireman -

Can you educate me (I have a lot of reading to do, it would appear) about where / what you see in the log that says it's a backdoor trojan?
During my downtime I was watching a couple of threads that seemed similar -
http://www.bleepingcomputer.com/forums/topic417678.html
and
http://www.bleepingcomputer.com/forums/topic417897.html

that seemed to be very close/related - just based on my untrained observation about the original names identified/detected. Was the same trojan present on either?

I plan to look this over tonight and into tomorrow evening.
Since I don't store passwords on my computer (I did enter them and credit card info on line before my infection occurred) - I believe I had cleared my Internet browsing history fairly recently - would this information be in jeopardy?
Also - are my documents possibly corrupted? If I move them to a backup now - am I just potentially moving the infection (perhaps this is in the reading...)
and as another option - could I slave the infected drive (after we clear up what we can find) to another HD on a different PC and move over my files ?

Thank you

Edited by bullfrog65, 14 September 2011 - 05:29 PM.


#6 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:08:11 PM

Posted 14 September 2011 - 06:27 PM

Hello,

> Can you educate me (I have a lot of reading to do, it would appear) about where / what you see in the log that says it's a backdoor trojan?
> During my downtime I was watching a couple of threads that seemed similar -
> http://www.bleepingcomputer.com/forums/topic417678.html
> and
> http://www.bleepingcomputer.com/forums/topic417897.html
>
> that seemed to be very close/related - just based on my untrained observation about the original names identified/detected. Was the same trojan present on either?

Those both have similar symptoms but very different infections than the one you have.
mRunServices: [strtas] lo71.exe
This is what led me to what is happening.
http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/W32~Rbot-BHU/detailed-analysis.aspx

> Since I don't store passwords on my computer (I did enter them and credit card info on line before my infection occurred) - I believe I had cleared my Internet browsing history fairly recently - would this information be in jeopardy?

It depends if the infection was there already, but just not showing any signs.

> Also - are my documents possibly corrupted? If I move them to a backup now - am I just potentially moving the infection (perhaps this is in the reading...)
> and as another option - could I slave the infected drive (after we clear up what we can find) to another HD on a different PC and move over my files?


Regarding backup...

You can back up all your important documents, personal data files, photos to a CD or DVD drive, not a flash drive or external hard drive as they may become compromised in the process. The safest practice is not to backup any executable files (*.exe), screensavers (*.scr), autorun (.ini) or script files (.php, .asp, .htm, .html, .xml) because they may be infected by malware. Avoid backing up compressed files (.zip, .cab, .rar) that have executables inside them as some types of malware can penetrate compressed files and infect the .exe files within them. Other types of malware may even disguise themselves by hiding a file extension or adding to the existing extension as shown here, so be sure you look closely at the full file name. If you cannot see the file extension, you may need to reconfigure Windows to show file name extensions. Then make sure you scan the backed up data with your anti-virus prior to copying it back to your hard drive.

If your CD/DVD drive is unusable, another word of caution if you are considering backing up to an external USB hard drive as your only alternative. External drives are more susceptible to infection and can become compromised in the process of backing up data. I'm not saying you should not try using such devices, but I want to make you aware of all your options and associated risks so you can make an informed decision if it's worth that risk.

Note:
Again, do not back up any data with the following file extensions: .exe, .scr, .ini, .htm, .html, .php, .asp, .xml, .zip, .rar, .cab as they may be infected.

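Turning the backup advice above into a check, as an added example that is not from this thread or from any tool it mentions: it sorts an inventory of paths into back up / skip / review using the post's extension list, and flags hidden double extensions and padded names, which the post warns about. The sample file list and the set of "data" extensions are constructed for the example.

```python
"""Triage a file inventory before backing it up from a suspected-infected PC.

Added example, not part of the original thread. Files with an extension from
the post's exclusion list are skipped; names that hide a second extension or
carry padding are sent for manual review; plain data files are backed up.
"""
from __future__ import annotations

import ntpath  # handles Windows paths regardless of the host OS
from dataclasses import dataclass

# Extensions the post says not to back up (executables, scripts, archives).
EXCLUDED_EXTENSIONS = {
    ".exe", ".scr", ".ini", ".htm", ".html", ".php", ".asp", ".xml",
    ".zip", ".rar", ".cab",
}

# Constructed set of extensions treated as plain data for this example.
DATA_EXTENSIONS = {".doc", ".xls", ".jpg", ".mp3", ".itc", ".pdf", ".txt"}


@dataclass(frozen=True)
class Verdict:
    path: str
    action: str   # "backup", "skip", or "review"
    reason: str


def split_all_extensions(name: str) -> list[str]:
    """Every dotted suffix of a file name, lowercased: 'a.jpg.exe' -> ['.jpg', '.exe']."""
    parts = name.lower().split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def triage(path: str) -> Verdict:
    """Decide whether one file should be copied to the backup media."""
    name = ntpath.basename(path)
    exts = split_all_extensions(name)
    final = exts[-1] if exts else ""

    # Trailing whitespace or runs of spaces push the real extension out of
    # view in Explorer ("photo.jpg            .exe"); inspect the full name.
    if name != name.strip() or "  " in name:
        return Verdict(path, "review", "padding in file name; inspect full name")
    # A data-looking extension followed by anything else is a disguise attempt.
    if len(exts) >= 2 and exts[-2] in DATA_EXTENSIONS:
        return Verdict(path, "review", "double extension " + "".join(exts[-2:]))
    if final in EXCLUDED_EXTENSIONS:
        return Verdict(path, "skip", "excluded extension " + final)
    if final in DATA_EXTENSIONS:
        return Verdict(path, "backup", "data file")
    return Verdict(path, "review", "unknown extension; scan before copying")


def plan_backup(paths: list[str]) -> dict[str, list[str]]:
    """Group an inventory into backup / skip / review buckets."""
    buckets: dict[str, list[str]] = {"backup": [], "skip": [], "review": []}
    for p in paths:
        buckets[triage(p).action].append(p)
    return buckets


# Constructed sample inventory in the shape of a Documents and Settings tree.
SAMPLE_INVENTORY = [
    r"C:\Documents and Settings\JBM_1\My Documents\budget.xls",
    r"C:\Documents and Settings\JBM_1\My Music\iTunes\song.mp3",
    r"C:\Documents and Settings\JBM_1\My Pictures\holiday.jpg.exe",
    r"C:\Documents and Settings\JBM_1\Desktop\setup.exe",
    r"C:\Documents and Settings\JBM_1\My Documents\photos.zip",
    r"C:\Documents and Settings\JBM_1\My Documents\readme.txt ",
]

if __name__ == "__main__":
    for path in SAMPLE_INVENTORY:
        v = triage(path)
        print(f"{v.action:7} {v.reason:45} {v.path}")
```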


#7 bullfrog65

bullfrog65
  • Topic Starter

  • Members
  • 44 posts
  • Local time:08:11 PM

Posted 15 September 2011 - 10:07 PM

Ok - I'm sufficiently scared to want to re-image/format

This is what I think I need to do
1. Inventory all my data files
2. Inventory all my programs
3. Back up all data files
4. Export favorites from IE to file (is this safe?)
5. Since I use only yahoo mail - no address book to back up

I have an original Recovery Disk for the PC - many years old.
I don't have the XP service packs on CD - that I can locate
This PC has been a workhorse - and served me long and well (and was working just fine - got it refurbished in 2004 (!)) so I have a lot of clutter that's built up on it - much I may not want to reinstall and others I don't think I have the CDs for any longer.

Do you have any suggestions for tools to do any of the above? Considering I'm no longer internet connected via that PC (it however was connected during the time from when the log with Broni started until this evening when I got home from out of town - over 10 days - but Malwarebytes has been running for the last week).

Without looking yet - are the XP (Media Center) service packs still available - and I presume I'd have to download them to an alternate PC, burn them to CDs and then install them.

Lots of questions - I'm game, but in need of a game plan to make sure I don't miss any steps.
I've also got a slew of music files. The PC can burn DVDs so I'm guessing(!) that I might be able to use that media to back up the data related files -
Did a quick properties on the Documents and Settings folder - 15.2 GB - 52K+ files and I think there are some others that are potentially outside of that folder directory.

Would using Recovery from CD (vs the D drive partition?) be better?
Would the drive need to be formatted before trying the Recovery CD?
I do have a copy of Kill Disk I used on another hard drive a year ago that I could run on the infected PC.

Would it be better to attempt to remove the trojan, then back up the data files, then do the re-image/re-installation to try to minimize the risk of an infected data file?

What do I do with the thumb drive I used to move over some of the tools that I had to load onto the infected PC to try to cure it?
Is there a way to 're-image' that flash drive?

FWIW - I have Verizon FiOS and the service comes with an Actiontec Router that I think has some firewall and security protection embedded - so I'm not sure if that might have prevented traffic out - or captured / registered traffic that I could assess if packets were sent to a known site related to the trojan.
Thanks

As I'm waiting on a response I've started the backup process (manual and time consuming) as part of the itunes folders - I've run into a series of .ITC files - are these needed/ok to backup?
Are .zips without any of the other extensions included in them - zipped files of images, documents, etc - safe to backup? Backed up those zips.....

So far made 4 coasters and 1 seemingly good dvd, working on #2 - think I have 2 more to go.....

Edited by bullfrog65, 16 September 2011 - 09:25 PM.


#8 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:08:11 PM

Posted 16 September 2011 - 11:11 PM

Hello,

Don't back up any Zip files without first scanning them, then rescan them before you load them on the reformatted PC. I would recover from a disk rather than the D drive, as the drive could also be infected.


Slipstreaming Windows XP To Create a Bootable Windows XP CD or DVD



#9 bullfrog65

bullfrog65
  • Topic Starter

  • Members
  • 44 posts
  • Local time:08:11 PM

Posted 17 September 2011 - 09:39 AM

Still creating backup DVDs - slow DVD burner - takes over 2 hours and the process of weeding out junk and the extensions above adds to it....

I had a few other questions above - and I posted this http://www.bleepingcomputer.com/forums/topic419314.html regarding Media Center v XP Pro.

I tried to find others that had a similar infection / virus to see how they made out - and only found (perhaps bad searching) a few with 'lo71' - including this - http://www.bleepingcomputer.com/forums/topic236286.html/page__p__1321099__hl__lo71__fromsearch__1#entry1321099. It didn't seem to have the same issue/concern - again trying to understand my situation vs prior scenarios. Is an lo71 infection uncommon?

If backing up is taking this long, rebuilding is going to be more painful in having to get all the software pieces again and service packs, some of which I may not have access to anymore.

Not doubting the advice to format and re-install - just looking at options / alternatives

Thanks again

#10 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:08:11 PM

Posted 17 September 2011 - 10:46 PM

> I had a few other questions above - and I posted this http://www.bleepingcomputer.com/forums/topic419314.html regarding Media Center v XP Pro.

I agree with Broni on using Windows XP Pro so that you can slipstream.

> I tried to find others that had a similar infection / virus to see how they made out - and only found (perhaps bad searching) a few with 'lo71' - including this - http://www.bleepingcomputer.com/forums/topic236286.html/page__p__1321099__hl__lo71__fromsearch__1#entry1321099. It didn't seem to have the same issue/concern - again trying to understand my situation vs prior scenarios. Is an lo71 infection uncommon?

They were also given a backdoor and reformat warning if you look in post #4 of that topic. They just chose not to reformat/reinstall. This infection is not seen very much. At least I haven't seen it very much.

> If backing up is taking this long, rebuilding is going to be more painful in having to get all the software pieces again and service packs, some of which I may not have access to anymore.

Unfortunately this is one of the downsides to having a computer for a long time that has been real good up to this point. If you were to search my name you will not see me giving too many backdoor warnings to reinstall. This is just one of the nastier infections. Personally, if it had been me, I would have chosen the same as you: to reformat and re-install.



#11 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:08:11 PM

Posted 19 September 2011 - 08:46 PM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 3-5 days the topic will need to be closed.

Thanks for understanding :)

With Regards,
fireman4it



#12 bullfrog65

bullfrog65
  • Topic Starter

  • Members
  • 44 posts
  • Local time:08:11 PM

Posted 20 September 2011 - 08:47 AM

Fireman

Yes, still here. I'd been trading messages over in the Operating system forums - http://www.bleepingcomputer.com/forums/topic419314.html to prep for the re-install.
I think I'm back in business....
I created the XP Pro Slipstream
I backed up the data files only (music, docs, xls, etc)
I 'killed' the hard drive.
I installed the XP Pro slipstream (SP3)
I updated (Microsoft Update) all the fixes, etc for XP
Installed Norton 360 and also pulled down Malwarebytes (and ran a scan).
I re-installed Office, Visio, Projects and got all the fixes/patches for these as well.
IE8 was automatically downloaded and installed.
Reinstalled drivers for my printers, monitor and some other tools.

I still have a stack of s/w to install and don't plan on putting the data files back on until I get a backup drive and ghost/backup the clean install to preserve a backup so I could roll back should any of the data files prove to be infected. If there is a forum / thread for creating such a backup and what tools to use, perhaps a link could be provided.

Much appreciated.

Thanks

#13 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:08:11 PM

Posted 20 September 2011 - 04:09 PM

I would post here about your backup questions.


Since you have decided to reformat/reinstall I will now close this topic. If you need this topic reopened for Malware reasons, send me or a Moderator a PM.

Edited by fireman4it, 20 September 2011 - 04:11 PM.





