Malware Remnant Blocking Symform Online Backup Software


36 replies to this topic

#1 Lebowitz IT Services

Posted 16 September 2011 - 04:51 AM

I have encountered a particularly vexing problem. I'm working on a computer that was infected by malware at some point in time. The malware was removed, but apparently some crumbs remain, and one or more of those crumbs appears to be redirecting certain kinds of network requests to a localhost port, 127.0.0.1:6522. Because of this, I have been unable to get Symform Online Backup running on this computer. The relevant error message from its installation log is:

2011-09-16 08:44:16,093Z [7] FATAL SyncHost - Symform Node Synchronization Service is unable to retrieve node information from cloud control.
2011-09-16 08:44:16,093Z [7] ERROR SyncService - Caught Exception during service start:
Symform.Core.Rest.RestfulException: Unable to connect to the remote server ---> System.Net.WebException: Unable to connect to the remote server ---> System.Net.Sockets.SocketException: No connection could be made because the target machine actively refused it 127.0.0.1:6522
at System.Net.Sockets.Socket.EndConnect(IAsyncResult asyncResult)
at System.Net.ServicePoint.ConnectSocketInternal(Boolean connectFailure, Socket s4, Socket s6, Socket& socket, IPAddress& address,

Incidentally, Symform uses Microsoft .NET v3.5 SP1, which I uninstalled and reinstalled in hopes that maybe the infected file was part of the .NET package.

I looked on various sites, including this one, and found evidence that malware that included a rootkit and redirection had been present and incompletely removed. I got rid of the Registry crumbs that I found, but the problem still persists. At this point, Ad-Aware Internet Security and MalwareBytes both report the computer is clean, and the computer shows none of the usual signs of a malware infection - no pop-ups, performance is about what you'd expect given its age and configuration, and Microsoft updates work fine.

However, in addition to the redirection indicated by the error message above, I do get occasional complaints from Windows that the Windows Firewall is not running. (Ad-Aware Internet Security Free does not include a firewall; it relies on the Windows Firewall.) However, whenever I look in Control Panel, Windows Firewall IS running. The message saying the firewall is down is not constant and being hidden; it comes occasionally, sticks around for a few minutes and then goes away, apparently as Windows Firewall reasserts itself. But it seems to me that some rogue process knocks it down periodically, causing the message. Just an educated guess on my part.

No other error messages appear, and no other software has problems running on this computer.

I'd be grateful for any assistance in finding and eliminating the rogue process or infected file.

- Mark Lebowitz, Lebowitz IT Services LLC

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Compaq_Administrator at 4:00:30 on 2011-09-16
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.354 [GMT -5:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Cobian Backup 10\cbVSCService.exe
C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe
C:\Program Files\DISC\DiscUpdateMgr.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Cobian Backup 10\cbInterface.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Symform\Node Service\symformupdater.exe
C:\Program Files\Symform\Node Service\symformconfig.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: hpWebHelper Class: {aaae832a-5fff-4661-9c8f-369692d1dcb9} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\WebHelper.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [SetDefPrt] c:\program files\brother\brmfl04a\BrStDvPt.exe
mRun: [ControlCenter2.0] c:\program files\brother\controlcenter2\brctrcen.exe /autorun
mRun: [PPort11reminder] "c:\program files\scansoft\paperport\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\scansoft\paperport\11\config\ereg\Ereg.ini"
mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [IndexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe"
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [DMAScheduler] c:\program files\sonic\digitalmedia plus\digitalmedia archive\DMAScheduler.exe
mRun: [DiscUpdateManager] c:\program files\disc\DiscUpdateMgr.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Cobian Backup 10 Interface] "c:\program files\cobian backup 10\cbInterface.exe" -service
mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} - hxxps://remote.suitemates.net/Remote/msrdp.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
TCP: DhcpNameServer = 68.255.214.134
TCP: Interfaces\{7A67F190-7257-4F17-B30E-F45F9C0E4205} : DhcpNameServer = 68.255.214.134
TCP: Interfaces\{892900FC-9814-4488-99C0-81491C1EE93D} : DhcpNameServer = 16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243
Notify: AtiExtEvent - Ati2evxx.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
IFEO: ehshell.exe - "c:\program files\logmein\x86\LogMeInSystray.exe" -MceShellRedirect
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-9-6 64512]
R1 oxmep;OXPCI support driver;c:\windows\system32\drivers\oxmep.sys [2006-6-21 4224]
R1 oxmf;OXPCI Bus enumerator;c:\windows\system32\drivers\oxmf.sys [2006-6-21 16384]
R1 oxser;OX16C95x Serial port driver;c:\windows\system32\drivers\oxser.sys [2006-6-21 50944]
R2 cbVSCService;Cobian Backup 10 Volume Shadow Copy service;c:\program files\cobian backup 10\cbVSCService.exe [2011-9-6 67584]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-8-18 2151640]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2011-7-6 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2011-1-11 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2011-9-6 47640]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 symformcontrib;Symform Contribution Service;c:\program files\symform\node service\symformcontrib.exe [2011-9-12 13312]
R2 symformupdater;Symform Software Updater Service;c:\program files\symform\node service\symformupdater.exe [2011-9-12 18432]
R3 Oxmfuf;Filter driver for OX16PCI95x ports;c:\windows\system32\drivers\oxmfuf.sys [2006-6-21 4992]
S0 oslncmhr;oslncmhr; [x]
S2 CobianBackup10;Cobian Backup Boletus;c:\program files\cobian backup 10\cbService.exe [2011-9-6 1125376]
S2 symformsync;Symform Synchronization Service;c:\program files\symform\node service\symformsync.exe [2011-9-12 13824]
S3 {E15B9ACA-3C89-4F42-808ABF14F35F7CD4};{E15B9ACA-3C89-4F42-808ABF14F35F7CD4};\??\c:\windows\temp\915.tmp --> c:\windows\temp\915.tmp [?]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2011-8-18 15232]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-9 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
=============== Created Last 30 ================
.
2011-09-16 07:46:12 -------- d-----w- c:\windows\system32\winrm
2011-09-16 07:46:12 -------- d-----w- c:\windows\system32\GroupPolicy
2011-09-16 07:46:03 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$
2011-09-16 07:45:17 -------- d-----w- c:\program files\Windows Media Connect 2
2011-09-16 01:38:39 388096 ----a-r- c:\documents and settings\compaq_administrator\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-09-16 01:38:38 -------- d-----w- c:\program files\Trend Micro
2011-09-16 01:11:11 -------- d-----w- c:\documents and settings\compaq_administrator\local settings\application data\ApplicationHistory
2011-09-16 00:47:15 -------- d-sha-r- C:\cmdcons
2011-09-16 00:43:50 98816 ----a-w- c:\windows\sed.exe
2011-09-16 00:43:50 518144 ----a-w- c:\windows\SWREG.exe
2011-09-16 00:43:50 256000 ----a-w- c:\windows\PEV.exe
2011-09-16 00:43:50 208896 ----a-w- c:\windows\MBR.exe
2011-09-16 00:43:39 -------- d-----w- C:\ComboFix
2011-09-15 21:30:41 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-15 21:30:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-07 07:07:53 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-09-07 01:13:20 -------- d-----w- c:\documents and settings\compaq_administrator\local settings\application data\LogMeIn
2011-09-07 01:13:17 53632 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\LMIproc.dll
2011-09-07 01:13:16 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2011-09-07 01:13:16 47640 ----a-w- c:\windows\system32\drivers\LMIRfsDriver.sys
2011-09-07 01:13:16 29568 ----a-w- c:\windows\system32\LMIport.dll
2011-09-07 01:13:09 87424 ----a-w- c:\windows\system32\LMIinit.dll
2011-09-07 01:13:05 -------- d-----w- c:\documents and settings\all users\application data\LogMeIn
2011-09-07 01:12:53 -------- d-----w- c:\program files\LogMeIn
2011-09-07 00:07:26 -------- d-----w- c:\program files\RegSeeker
2011-09-06 21:22:35 -------- d-----w- c:\program files\Symform
2011-09-06 20:55:23 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-09-06 20:53:31 -------- d-----w- c:\documents and settings\compaq_administrator\local settings\application data\Safe mirror
2011-09-06 20:47:43 -------- d-----w- c:\program files\Cobian Backup 10
2011-09-06 20:45:09 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-09-06 20:44:57 -------- d-----w- c:\program files\Lavasoft
2011-09-03 10:17:37 599040 ------w- c:\windows\system32\dllcache\crypt32.dll
.
==================== Find3M ====================
.
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-07-15 13:29:31 456320 ------w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02:00 10496 ------w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10:36 139656 ------w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36:30 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36:30 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05:13 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll
2010-08-14 17:19:15 60 ----a-w- c:\program files\sh4.dat.vir
2010-08-14 17:19:15 1 ----a-w- c:\program files\sh3.dat.vir
2010-08-13 22:31:03 36 ----a-w- c:\program files\skynet.dat.vir
.
============= FINISH: 4:02:00.18 ===============

GMER is still running, and looks like it could be going for several more hours yet. The hour is already ridiculously late, so I will follow up this post with the GMER log file when it's ready.


#2 Lebowitz IT Services (Topic Starter)

Posted 19 September 2011 - 10:51 AM

I was finally able to run GMER on the computer, and have attached the log to this reply. I look forward to hearing from a malware removal expert soon.

Removed business info. ~ OB

Attached file: ark.txt (6.62 KB)

Edited by Orange Blossom, 22 September 2011 - 11:00 AM.


#3 HelpBot (Bleepin' Binary Bot)

Posted 21 September 2011 - 04:55 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/419197 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#4 Lebowitz IT Services (Topic Starter)

Posted 21 September 2011 - 11:57 AM

Thanks for the reply, even if it was just from a "silly little program"!

The problem is that my customer's Symform online backup software is unable to communicate with Symform's server, because its requests are being redirected to 127.0.0.1:6522. I'm sure that other programs that use .NET calls to make multiple point-to-point connections would also fail to work, but they use no other such programs, and I'd need in-depth programming knowledge of what .NET functions the Symform software calls in order to even begin to find another such program to test with. The exact text of the error log appears in my original post.

The computer exhibits no other noticeable signs of a malware problem, but the remnants I found manually in the Registry make it fairly obvious that someone removed malware from the computer at some point in time. The most vexing part of this is that the place where many rootkits set redirection, the Proxy Server settings in Internet Options, are not set for any active account. (I did find Proxy Server settings in HKU\.DEFAULT, and I removed them, but the only thing these settings should be used for anyway would be a template when a new user account is set up.) In any case, whatever malware process is supposed to handle requests sent to 127.0.0.1:6522 was apparently eliminated when the malware was removed.

Steps I've tried so far include:
  • I installed the latest version of Ad-Aware Internet Security Free, since the customer's license for his previous malware program, Kaspersky Internet Security, had lapsed. It reports no problems.
  • I installed, updated and ran MalwareBytes Anti-Malware's free scanner, opting for a full scan. It found no problems, not even questionable cookies.
  • I looked up information about rootkits that redirect Internet requests to 127.0.0.1:6522, and tried following removal instructions for them. These included:
  • I ran rKill, which proved difficult because it tended to terminate almost immediately after I invoked it. That's usually a sign that a malware process is running, but when I finally got it to run, it found nothing.
  • I ran TDSSKiller, which found nothing.
  • I manually searched the Registry for "proxy", "127.0.0.1:6522" and just "6522", and removed anything that looked suspicious. I didn't find much to remove, and everything I did find was in harmless places, like the aforementioned .DEFAULT key of the HKU hive.
  • In complete desperation, I tried ComboFix. It found and removed a very short list of things that I missed (all Registry settings, if I remember correctly). I'll include the log if I can find it.

GMER takes quite awhile to run on this computer, so I'll have to log in remotely and run it after the customer closes up shop for the night. I'll attach its log and the others requested afterwards.

The computer runs Windows XP Media Center Edition 2005, 32-bit. It did not come with Windows installation CDs, but as far as I know, its recovery partition is intact.

Many thanks in advance for your assistance.

Removed business info. ~ OB

Edited by Orange Blossom, 22 September 2011 - 11:03 AM.
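The symptom in the first post (a .NET client whose connections land on 127.0.0.1:6522 while Internet Explorer and Windows Update work) and the manual registry search described in post #4 both come down to one question: where is a proxy still configured? The script below is an added diagnostic, not advice from the thread or code from Symform. It is read-only and enumerates the places Windows and .NET take proxy settings from, including the REG_BINARY per-connection blob that a plain-text registry search for "6522" cannot match and the .NET defaultProxy element that affects managed applications only. It assumes PowerShell 2.0 or later on the affected machine, run as Administrator; the Symform path is taken from the DDS log in post #1.

```powershell
# Added diagnostic for the localhost redirect discussed in the thread; not from the thread
# or from Symform. Assumes PowerShell 2.0+ on the affected machine, run as Administrator.
$Needle   = '127.0.0.1:6522'             # the address:port reported in the Symform log
$Pattern  = [regex]::Escape($Needle)
$Findings = New-Object System.Collections.ArrayList

function Add-Finding([string]$Where, [string]$Value) {
    # Record a location whose value mentions the needle; nulls and non-matches are ignored.
    if ($Value -and ($Value -match $Pattern)) {
        [void]$Findings.Add((New-Object PSObject -Property @{ Location = $Where; Value = $Value }))
    }
}

# 1. WinINet (Internet Options) proxy for every loaded user hive, including HKU\.DEFAULT.
#    ProxyServer and AutoConfigURL are strings, but the per-connection settings live in a
#    binary blob, so decode it to ASCII before searching; a string search of the registry
#    never looks inside it.
foreach ($hive in Get-ChildItem 'Registry::HKEY_USERS') {
    $inet = "Registry::$($hive.Name)\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
    if (-not (Test-Path $inet)) { continue }
    $p = Get-ItemProperty -Path $inet -ErrorAction SilentlyContinue
    Add-Finding "$inet\ProxyServer"   $p.ProxyServer
    Add-Finding "$inet\AutoConfigURL" $p.AutoConfigURL
    $conn = Get-ItemProperty -Path "$inet\Connections" -ErrorAction SilentlyContinue
    foreach ($name in 'DefaultConnectionSettings', 'SavedLegacySettings') {
        $blob = $conn.$name
        if ($blob) {
            Add-Finding "$inet\Connections\$name (binary)" ([Text.Encoding]::ASCII.GetString($blob))
        }
    }
}

# 2. WinHTTP proxy, which services use instead of the per-user IE settings.
#    Windows XP ships proxycfg.exe; Vista and later use the netsh winhttp context.
if (Get-Command proxycfg.exe -ErrorAction SilentlyContinue) {
    Add-Finding 'proxycfg.exe (WinHTTP)' ((& proxycfg.exe) -join ' ')
} else {
    Add-Finding 'netsh winhttp show proxy' ((& netsh winhttp show proxy) -join ' ')
}

# 3. .NET reads <system.net><defaultProxy> from machine.config and from the application's
#    own .exe.config. A proxy placed there affects managed code only, which fits a machine
#    where the browser works but a .NET service is redirected.
$configs  = @()
$configs += Get-ChildItem -Path (Join-Path $env:windir 'Microsoft.NET') -Recurse `
                -Filter 'machine.config' -ErrorAction SilentlyContinue
$configs += Get-ChildItem -Path 'C:\Program Files\Symform' -Recurse `
                -Filter '*.config' -ErrorAction SilentlyContinue
foreach ($cfg in $configs) {
    # Any line mentioning the needle, with its line number.
    foreach ($m in (Select-String -Path $cfg.FullName -Pattern $Pattern -ErrorAction SilentlyContinue)) {
        Add-Finding "$($cfg.FullName):$($m.LineNumber)" $m.Line
    }
    # Report a defaultProxy element even if it does not name the needle, since any override
    # here changes how managed applications connect.
    $text = (Get-Content -Path $cfg.FullName -ErrorAction SilentlyContinue) -join "`n"
    try { $xml = [xml]$text } catch { continue }
    $dp = $xml.configuration.'system.net'.defaultProxy
    if ($dp -ne $null) {
        Write-Host "defaultProxy element in $($cfg.FullName): $($dp.OuterXml)"
    }
}

if ($Findings.Count -eq 0) {
    Write-Host "No proxy setting referencing $Needle found in the locations checked."
} else {
    $Findings | Format-Table -AutoSize -Wrap
}
```

Locations that come up empty here rule out the common proxy stores, which narrows the remaining search to kernel-level or LSP-level redirection that the rootkit scanners in this thread are meant to cover.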


#5 fireman4it (Bleepin' Fireman, Malware Response Team)

Posted 22 September 2011 - 04:38 PM

Hello Lebowitz IT Services,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • In the upper right hand corner of the topic you will see a button called Watch Topic. I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

  • Finally, please reply using the ADD REPLY button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.


1.
Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

2.
Please post the contents of the Combofix log (C:\ComboFix.txt).


Things to include in your next reply:
AswMbr log
Combofix.txt

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#6 Lebowitz IT Services (Topic Starter)

Posted 22 September 2011 - 10:26 PM

I'll do these steps after the customer closes for business. One question: You asked for a ComboFix.txt log, but you didn't actually say to run ComboFix. Do you mean for me to include the ComboFix log that was created when I ran ComboFix earlier, or do you want me to run ComboFix again?

Mark

Removed business information. ~ OB

Edited by Orange Blossom, 23 September 2011 - 04:34 PM.


#7 Lebowitz IT Services (Topic Starter)

Posted 23 September 2011 - 02:31 AM

I ran aswMBR.exe, and have attached the logs requested.

- Mark


#8 Lebowitz IT Services (Topic Starter)

Posted 23 September 2011 - 07:10 AM

And here are the latest log files from DDS and GMER.

- Mark Lebowitz


#9 fireman4it (Bleepin' Fireman, Malware Response Team)

Posted 23 September 2011 - 02:47 PM

Hello,

Let's see if we can cure this problem.


1.
Re-Run aswMBR

  • Click Scan
  • On completion of the scan, click the FIXMBR or FIX button
  • There is a slight pause after clicking the 'Fix' button.
  • Wait for the tool to report 'Infection fixed successfully', now reboot the machine.
  • Rebooting the machine prematurely, before seeing this line will result in an incomplete fix.

    Note: After the 'Infection fixed successfully' message appears, the machine may become unresponsive. You may have to do a hard boot of your machine. That may be a side effect from the fix. All will be well after the reboot.
  • Save the log as before and post in your next reply.


2.
Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not an option, Skip instead, do not choose Delete unless instructed.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.


Things to include in your next reply:
aswMBR.exe log
TDSSKiller log
How is your machine running now?



#10 Lebowitz IT Services (Topic Starter)

Posted 23 September 2011 - 04:31 PM

My next chance to work on the computer will be Sunday morning around midnight. I should have an update Sunday morning.

- Mark

#11 Lebowitz IT Services (Topic Starter)

Posted 26 September 2011 - 06:07 AM

Well... I think we're getting somewhere.

On the one hand, the system seemed to reboot a LOT faster after aswMBR.exe fixed the master boot record.

On the other hand, the Symform software still won't run, and still reports that its network requests are being redirected to 127.0.0.1:6522.

I attached both the aswMBR and TDSSKiller logs.

What do I do next?

Thanks!

- Mark Lebowitz


#12 fireman4it (Bleepin' Fireman, Malware Response Team)

Posted 26 September 2011 - 11:47 AM

Hello,


I see "skipped" in the TDSS log. Please re-run TDSSKiller and this time choose Fix, Quarantine or Delete, whichever action it gives you. Then post that log.



#13 Lebowitz IT Services (Topic Starter)

Posted 27 September 2011 - 04:02 AM

Done, but no change. My Symform client still reports that it's being redirected to 127.0.0.1:6522. Log attached.

Ran TDSSKiller one more time, just to confirm that it thinks the system is clean. It found nothing this time.

- Mark


#14 fireman4it (Bleepin' Fireman, Malware Response Team)

Posted 27 September 2011 - 12:00 PM

Hello,

Go ahead and run aswMBR again and post its log. Don't choose the fix option if it is available. I want to see it just as is.


Also try this and see if it helps.

  • Go to Start -> Control Panel -> Network and Internet Connection ->Network Connections.
  • Right-click your default connection, usually Local Area Connection or Dial-up Connection (if you are using dial-up), and left-click on the Properties option.
  • Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says "Obtain DNS servers automatically".
  • Click OK twice.
  • Go to Start -> Run...
  • In the Open: field type cmd and click OK or hit Enter.
    This will open a Command Prompt.
  • At the DOS prompt screen, type in ipconfig /flushdns and then press Enter (notice the space between "ipconfig" and "/flushdns").
  • Exit the Command Prompt.
  • Reboot your PC and try to open any website.

Edited by fireman4it, 27 September 2011 - 12:02 PM.



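The reset steps in the post above, as an added PowerShell example written for this page (it is not from the thread, from fireman4it, or from Symform), with the checks a practitioner would run around them. Besides putting DNS back on DHCP and flushing the resolver cache, it records the DNS servers in use before the change, lists the non-comment hosts entries, and reads the WinINET proxy values: a .NET client such as the Symform service uses the system proxy settings unless the application overrides them, and a service reads the hive of the account it runs as, so the LocalSystem hive (HKU\S-1-5-18) is read alongside HKCU. Whether that is the mechanism in this thread is not established; it is simply a place a localhost:port redirect can come from. The adapter name, the indicator string and the test URL are assumptions; run it from an elevated prompt.

```powershell
# Added example (editor's, not from the thread): capture the settings that can
# send a Windows client's DNS or HTTP traffic somewhere unexpected, then apply
# the reset steps from the post above. Run from an elevated PowerShell prompt.
# Assumptions (not in the thread): adapter name, indicator string, test URL.
$Adapter   = 'Local Area Connection'   # name as shown in Network Connections
$Indicator = '127.0.0.1:6522'          # endpoint the Symform log complains about
$TestUrl   = 'http://www.bleepingcomputer.com/'

# 1. DNS servers currently configured on the adapter, captured before changing
#    anything so a rogue server (if any) is on record.
Write-Output "DNS configuration before reset:"
netsh interface ip show dns name="$Adapter"

# 2. hosts file: every non-comment, non-blank line gets listed for review.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content $hostsPath |
  Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' } |
  ForEach-Object { Write-Output "hosts entry: $_" }

# 3. WinINET proxy settings for the logged-on user (HKCU) and for LocalSystem
#    (HKU\S-1-5-18), the account most services run as.
$proxyKeys = @(
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings',
  'Registry::HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
)
foreach ($key in $proxyKeys) {
  if (Test-Path $key) {
    $p = Get-ItemProperty -Path $key
    Write-Output ("{0}`n  ProxyEnable={1} ProxyServer={2} AutoConfigURL={3}" -f
      $key, $p.ProxyEnable, $p.ProxyServer, $p.AutoConfigURL)
    if ("$($p.ProxyServer)" -like "*$Indicator*") {
      Write-Warning "ProxyServer under $key points at $Indicator"
    }
  }
}

# 4. The reset itself: DNS back to DHCP on the adapter, then flush the cache.
netsh interface ip set dns name="$Adapter" source=dhcp
ipconfig /flushdns

# 5. Does a request succeed when the system proxy is bypassed? Setting Proxy to
#    $null tells .NET to connect directly, so a success here with a failure in
#    the normal client points at proxy settings rather than DNS.
$req = [System.Net.WebRequest]::Create($TestUrl)
$req.Proxy  = $null
$req.Method = 'HEAD'
try {
  $resp = $req.GetResponse()
  Write-Output "Direct request OK: $($resp.StatusCode)"
  $resp.Close()
} catch {
  Write-Warning "Direct request failed: $($_.Exception.Message)"
}
```

The last step is the discriminating one: if the direct request works while the normal client still lands on 127.0.0.1:6522, the redirect is happening in the proxy layer rather than in name resolution, and the hosts file and DNS servers can be set aside.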
#15 Lebowitz IT Services (Topic Starter)

Posted 28 September 2011 - 02:22 AM

As I type this, the aswMBR.exe scan is in progress, and I can already see that the infected ftdisk.sys is back. Apparently, we missed something. I'll attach the log when it's ready.

The TCP/IP protocol was already set to obtain DNS addresses automatically, and I double-checked the Advanced and Alternate settings to make sure the default tab settings weren't being overridden. I also tried turning off LMHOSTS lookup, but I have already confirmed that this computer has no LMHOSTS file, only a HOSTS file, and it's clean.

However, I did a text search of all files on the hard disk for anything containing 127.0.0.1:6522. One file came up, named TmuDump.txt, located in C:\old-win-temp\TiPreAU\iaulog\. The contents didn't look harmful - it reads like a log file - but I've attached it just in case. Maybe it'll help identify what we're dealing with.

Thanks again!

- Mark

UPDATE: 6:15am, 9/28 - I have uploaded the latest aswMBR log file.


Edited by Lebowitz IT Services, 28 September 2011 - 06:12 AM.

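The whole-disk text search described in the post above, as an added PowerShell example written for this page (not from the thread or from Mark). It goes beyond a plain file search in two ways a practitioner would want: files the scanner cannot open are collected and listed instead of being silently skipped, and the same literal is searched in the registry and the Winsock catalog, where proxy settings, service parameters and layered service providers live and where a file search never looks. The indicator string and the search roots are assumptions; run it from an elevated prompt so protected directories are readable.

```powershell
# Added example (editor's, not from the thread): hunt for a literal indicator
# such as "127.0.0.1:6522" in files, the registry and the Winsock catalog.
# Assumptions (not in the thread): the indicator, the roots, the size cap.
$Indicator = '127.0.0.1:6522'
$Roots     = @('C:\')     # add other drives as needed
$MaxSize   = 200MB        # skip huge files (pagefile, VM images) in a first pass

# 1. Files. -Force includes hidden and system files; -ErrorVariable keeps the
#    access-denied records so unreadable paths can be reviewed, not forgotten.
$unreadable = @()
$fileHits = Get-ChildItem -Path $Roots -Recurse -Force `
              -ErrorAction SilentlyContinue -ErrorVariable +unreadable |
  Where-Object { -not $_.PSIsContainer -and $_.Length -gt 0 -and $_.Length -lt $MaxSize } |
  Select-String -SimpleMatch -Pattern $Indicator -List `
                -ErrorAction SilentlyContinue -ErrorVariable +unreadable |
  ForEach-Object { $_.Path }

Write-Output "Files containing ${Indicator}:"
$fileHits | ForEach-Object { Write-Output "  $_" }

Write-Output "`nPaths the scan could not read ($($unreadable.Count)), first 50:"
$unreadable | Select-Object -First 50 | ForEach-Object { Write-Output "  $($_.TargetObject)" }

# 2. Registry. reg.exe /f matches key names, value names and data; /s recurses.
#    Internet Settings\ProxyServer and service ImagePath/Parameters live here
#    and are invisible to a file search.
foreach ($hive in 'HKLM', 'HKU') {
  Write-Output "`n--- reg query $hive /s /f $Indicator ---"
  reg query $hive /s /f "$Indicator" 2>&1 | Where-Object { $_ -match '\S' }
}

# 3. Winsock catalog. A layered service provider sees every socket call made
#    on the box and can rewrite destinations; list providers so an unfamiliar
#    description or provider path stands out for a follow-up lookup.
Write-Output "`n--- Winsock catalog providers ---"
netsh winsock show catalog | Select-String -Pattern 'Description|Provider Path'
```

One hit in a log file under an old temp directory, as in the post above, is consistent with a program having merely observed the endpoint; what this search adds is the chance to find the same string where it is being set rather than where it was logged.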



