
Zentom infection, scans won't run


  • This topic is locked
2 replies to this topic

#1 BC045

  • Members
  • 1 posts

Posted 19 September 2011 - 09:26 PM

Started getting the usual signs of an infection - browser redirects, fake system warnings, etc. Ran MBAM immediately, got through a few seconds of a search and it closed without any message. I tried reopening it, but got the "Windows cannot open the specified device, path, or file. You may not have the appropriate permissions to access the item." message. Attempting to rename mbam.exe gives me the "Cannot rename MBAM: access is denied" message. At this point, Zentom's window keeps popping up telling me to purchase their software. cmd prompt, task manager, and regedit all open for a few seconds and then close before I can do anything. Downloaded process explorer, same situation as MBAM (works once for a few seconds, then terminates and won't reopen and cannot be renamed). I moved a renamed copy of mbam.exe from another computer and it opened fine, stayed open until I started a scan, closed, and could not be reopened or renamed. Downloaded SuperAntiSpyware at the suggestion of another thread. It stays open until I start a scan, and then after a few seconds closes. Unlike MBAM, however, it can be reopened just fine. DDS terminated after a few seconds. GMER seems a bit unusual - it starts a rootkit scan upon opening, which completed with this log:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2011-09-19 20:05:28
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD1001FALS-40K1B0 rev.07.00K07
Running: gmer.exe; Driver: C:\DOCUME~1\B\LOCALS~1\Temp\uwtdrpoc.sys


---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 malicious Win32:MBRoot code @ sector 1953523715
Disk \Device\Harddisk0\DR0 PE file @ sector 1953523737

---- EOF - GMER 1.0.15 ----

Following the "Preparation Guide for...Requesting Help", I started a new scan with IAT/EAT unchecked and it started picking up a bunch of things, but then closed mid-scan. After doing this a few times, I stopped the scan before it closed and saved the log:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-09-19 20:09:13
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\B\LOCALS~1\Temp\uwtdrpoc.sys


---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!IoAllocateIrp + C 804EAFC9 7 Bytes CALL 8A60EC95
.text ipsec.sys!k_izygskfOGQHDbou_bv_v B5DF1000 110 Bytes [B5, FF, B5, 04, FF, FF, FF, ...]
.text ipsec.sys!k_izygskfOGQHDbou_bv_v B5DF106F 105 Bytes [FF, DF, B5, 68, 1A, 12, DF, ...]
.text ipsec.sys!k_izygskfOGQHDbou_bv_v B5DF10D9 115 Bytes [00, 5C, 00, 52, 00, 65, 00, ...]
.text ipsec.sys!k_izygskfOGQHDbou_bv_v B5DF114D 27 Bytes [00, 45, 00, 6E, 00, 61, 00, ...]
.text ipsec.sys!k_izygskfOGQHDbou_bv_v B5DF1169 23 Bytes [00, 53, 00, 41, 00, 49, 00, ...]
.text ...
.text ipsec.sys!YH_MP_DIph_x_OVTIKOS + 42 B5DF11F7 34 Bytes [00, 00, 00, 4E, 00, 6F, 00, ...]
.text ipsec.sys!YH_MP_DIph_x_OVTIKOS + 65 B5DF121A 1 Byte [45]
.text ipsec.sys!YH_MP_DIph_x_OVTIKOS + 65 B5DF121A 71 Bytes [45, 00, 6E, 00, 61, 00, 62, ...]
.text ipsec.sys!YH_MP_DIph_x_OVTIKOS + AD B5DF1262 9 Bytes [75, 00, 6C, 00, 74, 00, 46, ...]
.text ipsec.sys!YH_MP_DIph_x_OVTIKOS + B7 B5DF126C 183 Bytes [72, 00, 77, 00, 61, 00, 72, ...]
.text ...
.text ipsec.sys!YegyuBJPB_dvKY_K_BXM_JJ__S_DNY_HMG_c_gk_QPpib + 34 B5DF139C 269 Bytes [EC, 81, EC, 90, 00, 00, 00, ...]
.text ipsec.sys!YegyuBJPB_dvKY_K_BXM_JJ__S_DNY_HMG_c_gk_QPpib + 142 B5DF14AA 157 Bytes [88, F3, A5, 33, FF, 8D, 45, ...]
.text ipsec.sys!WLU_GRFC_ejrg_qpf_ + 23 B5DF1548 554 Bytes [72, 00, 72, 00, 65, 00, 6E, ...]
.text ipsec.sys!KBIRROny__sTQ_HYM_xg_l_txCIKFKv + 9D B5DF1773 117 Bytes [00, 74, 00, 43, 00, 6F, 00, ...]
.text ipsec.sys!KBIRROny__sTQ_HYM_xg_l_txCIKFKv + 113 B5DF17E9 168 Bytes CALL B5DF0E2F \SystemRoot\system32\DRIVERS\ipsec.sys (IPSec Driver/Microsoft Corporation)
.text ipsec.sys!KBIRROny__sTQ_HYM_xg_l_txCIKFKv + 1BC B5DF1892 38 Bytes [56, FF, 15, F0, F9, DF, B5, ...]
.text ipsec.sys!HESD_BCENbgq_pi_zkabkuwahki__mllcra_cHEddgmex_ptoeS + 1F B5DF18B9 56 Bytes [C0, 5E, C3, 53, 33, D2, 33, ...]
.text ipsec.sys!HESD_BCENbgq_pi_zkabkuwahki__mllcra_cHEddgmex_ptoeS + 58 B5DF18F2 85 Bytes [D6, 00, 00, 00, 85, C0, 0F, ...]
.text ipsec.sys!HESD_BCENbgq_pi_zkabkuwahki__mllcra_cHEddgmex_ptoeS + AE B5DF1948 16 Bytes [1C, 16, 88, 1C, 0E, 41, 88, ...]
.text ipsec.sys!HESD_BCENbgq_pi_zkabkuwahki__mllcra_cHEddgmex_ptoeS + BF B5DF1959 167 Bytes [33, F8, 81, E1, FF, 00, 00, ...]
.text ipsec.sys!HESD_BCENbgq_pi_zkabkuwahki__mllcra_cHEddgmex_ptoeS + 167 B5DF1A01 138 Bytes [08, 5B, 88, 50, 01, C2, 0C, ...]
.text ipsec.sys!ccAWMI_vfU_TYN____Fon__jnJMO__jndmnz__T_U + 39 B5DF1A8C 245 Bytes JMP B5DF15FE \SystemRoot\system32\DRIVERS\ipsec.sys (IPSec Driver/Microsoft Corporation)
.text ipsec.sys!ccAWMI_vfU_TYN____Fon__jnJMO__jndmnz__T_U + 12F B5DF1B82 45 Bytes [00, 00, 81, EB, 22, 00, 12, ...]
.text ipsec.sys!ccAWMI_vfU_TYN____Fon__jnJMO__jndmnz__T_U + 15D B5DF1BB0 52 Bytes JMP B5DF08A1 \SystemRoot\system32\DRIVERS\ipsec.sys (IPSec Driver/Microsoft Corporation)
.text ipsec.sys!ccAWMI_vfU_TYN____Fon__jnJMO__jndmnz__T_U + 192 B5DF1BE5 44 Bytes JMP B5DF1CA6 \SystemRoot\system32\DRIVERS\ipsec.sys (IPSec Driver/Microsoft Corporation)
.text ipsec.sys!p_wnrjvlnir_QjedW_CRG_IY_DQuwq__ + 3 B5DF1C12 99 Bytes [FF, FF, 8B, 07, 85, C0, 0F, ...]
.text ipsec.sys!p_wnrjvlnir_QjedW_CRG_IY_DQuwq__ + 67 B5DF1C76 83 Bytes [75, FC, EB, 2F, 6A, 28, 58, ...]
.text ipsec.sys!p_wnrjvlnir_QjedW_CRG_IY_DQuwq__ + BB B5DF1CCA 114 Bytes CALL B5DF89DD \SystemRoot\system32\DRIVERS\ipsec.sys (IPSec Driver/Microsoft Corporation)
.text ipsec.sys!p_wnrjvlnir_QjedW_CRG_IY_DQuwq__ + 12E B5DF1D3D 366 Bytes CALL B5DFC544 \SystemRoot\system32\DRIVERS\ipsec.sys (IPSec Driver/Microsoft Corporation)
.text ipsec.sys!ROKAHPJpu_e_rC_G___hJVKXN_FAg_MYIIMzhza_ + E3 B5DF1EAC 44 Bytes [FF, FF, 83, BD, 00, FF, FF, ...]
.text ipsec.sys!ROKAHPJpu_e_rC_G___hJVKXN_FAg_MYIIMzhza_ + 110 B5DF1ED9 187 Bytes [FF, 45, 00, 6E, 00, 61, 00, ...]
.text ipsec.sys!UAVjjqqveq_a_wgj_qctpdxbz_m_vw_ccQqiyWA_NSxqzpqH + E B5DF1F95 113 Bytes [45, 84, 83, 78, 04, 03, 74, ...]
.text ipsec.sys!UAVjjqqveq_a_wgj_qctpdxbz_m_vw_ccQqiyWA_NSxqzpqH + 80 B5DF2007 108 Bytes [B5, FF, 15, 3C, FF, DF, B5, ...]
.text ipsec.sys!UAVjjqqveq_a_wgj_qctpdxbz_m_vw_ccQqiyWA_NSxqzpqH + ED B5DF2074 548 Bytes [AB, AB, 33, FF, F6, 03, 20, ...]
.text ipsec.sys!IQJTQAM_K_K_DJA_FB + 156 B5DF2299 135 Bytes [68, 4F, 75, F0, 32, C0, E9, ...]
.text ipsec.sys!wmivgjiJANiO__KLvuwTBYM_gjctbwr__vycf_p_vrl___vcyxWAY + 2B B5DF2321 20 Bytes [6C, F9, DF, B5, 8B, 47, 28, ...]
.text ipsec.sys!wmivgjiJANiO__KLvuwTBYM_gjctbwr__vycf_p_vrl___vcyxWAY + 40 B5DF2336 154 Bytes [45, EC, 7C, 3E, 7F, 31, 8B, ...]
.text ipsec.sys!wmivgjiJANiO__KLvuwTBYM_gjctbwr__vycf_p_vrl___vcyxWAY + DB B5DF23D1 68 Bytes [56, 8B, 75, 08, FF, 46, 0C, ...]
.text ipsec.sys!wmivgjiJANiO__KLvuwTBYM_gjctbwr__vycf_p_vrl___vcyxWAY + 120 B5DF2416 524 Bytes [FF, FF, FF, 00, 53, 8B, 5D, ...]
.text ipsec.sys!vxSQhiuODWQNRMOG_Tbsf_ap__yxnTWU_KJIY_AXLP_ij + 172 B5DF2623 208 Bytes [FF, FF, FF, 76, 08, 50, FF, ...]
.text ipsec.sys!vxSQhiuODWQNRMOG_Tbsf_ap__yxnTWU_KJIY_AXLP_ij + 243 B5DF26F4 85 Bytes [83, E0, 04, 89, 7D, F4, 89, ...]
.text ipsec.sys!vxSQhiuODWQNRMOG_Tbsf_ap__yxnTWU_KJIY_AXLP_ij + 299 B5DF274A 3 Bytes [C6, 45, D0]
.text ipsec.sys!vxSQhiuODWQNRMOG_Tbsf_ap__yxnTWU_KJIY_AXLP_ij + 29D B5DF274E 29 Bytes [74, 04, C6, 45, D0, 00, 8D, ...]
.text ipsec.sys!vxSQhiuODWQNRMOG_Tbsf_ap__yxnTWU_KJIY_AXLP_ij + 2BC B5DF276D 295 Bytes [C1, E0, 04, 05, 30, FB, DF, ...]
.text ...
.text ipsec.sys!i_girvtZllk_F_BOM_ctc_bqwcibr_vrtv + 35 B5DF32C4 509 Bytes [4D, FC, 8D, 44, 41, 02, 89, ...]
.text ipsec.sys!UEFMkspm_fVTUunvwsMZPCziwzkT_G_FX_ + 76 B5DF34C2 612 Bytes [FF, FF, 50, 6A, 02, EB, 1E, ...]
.text ipsec.sys!RH____K__zZT__CSa_g_njc_pTZ__EUHSafyOPTUZfkhs_BVll__ + 12C B5DF3727 168 Bytes [5F, 5E, 5B, 5D, C2, 10, 00, ...]
.text ipsec.sys!r__uvepHU_NB__Wbzu_ex__H_GWHKI_C + 1D B5DF37D0 906 Bytes [4D, 08, 89, 4D, 08, 75, 08, ...]
.text ipsec.sys!KVZLbZEJFYOBPMW_fq_s_v_qvzr__zfs__zAG_PUMTSELPO_X_WR_H + 1F4 B5DF3B5C 21 Bytes [33, C0, 89, 41, 10, 8B, 0D, ...]
.text ipsec.sys!KVZLbZEJFYOBPMW_fq_s_v_qvzr__zfs__zAG_PUMTSELPO_X_WR_H + 20A B5DF3B72 18 Bytes [DF, B5, 0F, 95, C1, 89, 48, ...] {FBSTP TBYTE [EBP-0x763e6af1]; DEC EAX; OR AL, 0x83; ADD EAX, 0xb5dfff14; AND AL, 0x80; JGE 0x26}
.text ipsec.sys!KVZLbZEJFYOBPMW_fq_s_v_qvzr__zfs__zAG_PUMTSELPO_X_WR_H + 21D B5DF3B85 80 Bytes [74, 1A, A1, 14, FF, DF, B5, ...]
.text ipsec.sys!KVZLbZEJFYOBPMW_fq_s_v_qvzr__zfs__zAG_PUMTSELPO_X_WR_H + 26E B5DF3BD6 14 Bytes [EC, 51, 51, 83, 65, FC, 00, ...]
.text ipsec.sys!KVZLbZEJFYOBPMW_fq_s_v_qvzr__zfs__zAG_PUMTSELPO_X_WR_H + 27D B5DF3BE5 63 Bytes [F6, 06, 20, 74, 22, F6, 05, ...]
.text ...
.text ipsec.sys!k_izygskfOGQHDbou_bv_v + 90 B5DF484B 100 Bytes [45, 08, 89, 45, E0, 8B, 45, ...]
.text ipsec.sys!k_izygskfOGQHDbou_bv_v + F5 B5DF48B0 57 Bytes [0E, 83, FA, 01, 75, 0F, 83, ...]
.text ipsec.sys!k_izygskfOGQHDbou_bv_v + 12F B5DF48EA 172 Bytes [45, D8, 8B, 45, EC, 8B, 00, ...]
.text ipsec.sys!k_izygskfOGQHDbou_bv_v + 1DD B5DF4998 86 Bytes [33, D2, 8B, C6, F7, F1, 8D, ...]
.text C:\WINDOWS\system32\DRIVERS\ipsec.sys section is writeable [0xB5DF1000, 0x3A84, 0xE8000020]
? C:\WINDOWS\system32\DRIVERS\ipsec.sys suspicious PE modification

---- EOF - GMER 1.0.15 ----

ComboFix started and closed like the others. All scans were run in and out of Safe Mode (with networking) and with and without running rkill beforehand, though I'm not sure rkill was working, as it only saved a log the first time it ran:

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 09/19/2011 at 19:42:14.
Operating System: Microsoft Windows XP
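Added example (not part of this thread, not from the poster, and not GMER's own code): a small Python triage script that reads the line formats GMER prints in the logs quoted above (disk-sector hits, CALL/JMP patches in kernel code, writeable code sections, suspicious PE modification) and turns them into a list of findings with a severity label. The sample log inside the script is constructed from the line formats above; the severity scale and category names are the script's own choice, not GMER's.

```python
"""Triage helper for GMER rootkit-scan logs.

Added example, not part of the thread above and not GMER's own code. It
reads the line formats GMER prints (as seen in the log quoted above) and
turns them into a short list of findings a helper can act on. Severity
labels and category names are this script's own choice, not GMER's.
"""
import re
import sys
from dataclasses import dataclass

# Constructed sample: a handful of lines in the formats quoted above.
SAMPLE_LOG = r"""
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2011-09-19 20:05:28
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD1001FALS-40K1B0 rev.07.00K07

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 malicious Win32:MBRoot code @ sector 1953523715
Disk \Device\Harddisk0\DR0 PE file @ sector 1953523737

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!IoAllocateIrp + C 804EAFC9 7 Bytes CALL 8A60EC95
.text ipsec.sys!p_wnrjvlnir_QjedW_CRG_IY_DQuwq__ + BB B5DF1CCA 114 Bytes CALL B5DF89DD \SystemRoot\system32\DRIVERS\ipsec.sys (IPSec Driver/Microsoft Corporation)
.text C:\WINDOWS\system32\DRIVERS\ipsec.sys section is writeable [0xB5DF1000, 0x3A84, 0xE8000020]
? C:\WINDOWS\system32\DRIVERS\ipsec.sys suspicious PE modification

---- EOF - GMER 1.0.15 ----
"""


@dataclass
class Finding:
    severity: str   # "high" or "medium" (this script's own scale)
    category: str   # disk-sector | kernel-hook | writeable-section | pe-modified
    subject: str    # the device, symbol or file the line is about
    detail: str


SECTION_RE = re.compile(r"^---- (.+?) - GMER")
DISK_RE = re.compile(r"^Disk (\S+) (.+?) @ sector (\d+)$")
HOOK_RE = re.compile(
    r"^\.text (\S+) \+ ([0-9A-Fa-f]+) ([0-9A-Fa-f]{8}) (\d+) Bytes "
    r"(CALL|JMP) ([0-9A-Fa-f]{8})\s*(.*)$")
WRITEABLE_RE = re.compile(
    r"^\.text (\S+) section is writeable \[(0x[0-9A-Fa-f]+), (0x[0-9A-Fa-f]+), (0x[0-9A-Fa-f]+)\]$")
PE_MOD_RE = re.compile(r"^\? (\S+) suspicious PE modification$")


def parse_gmer_log(text):
    """Return the list of Findings in a GMER log, in the order they appear."""
    findings = []
    section = "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = DISK_RE.match(line)
        if m:
            device, what, sector = m.groups()
            # GMER only prints sector-level hits it could not attribute to a
            # normal structure; the word "malicious" in the text is its verdict.
            severity = "high" if "malicious" in what.lower() else "medium"
            findings.append(Finding(severity, "disk-sector", device,
                                    f"{what} at sector {int(sector)} ({section})"))
            continue
        m = HOOK_RE.match(line)
        if m:
            symbol, _off, addr, size, kind, target, owner = m.groups()
            if owner:
                # Transfer lands inside a named, loaded module: expected code,
                # not a hook by itself. A patched driver is flagged by the
                # writeable-section / PE-modification lines instead.
                continue
            findings.append(Finding("high", "kernel-hook", symbol,
                                    f"{size}-byte {kind} patched at {addr} to unattributed address {target}"))
            continue
        m = WRITEABLE_RE.match(line)
        if m:
            path, base, size, flags = m.groups()
            findings.append(Finding("high", "writeable-section", path,
                                    f"code section at {base} size {size} has characteristics {flags}"))
            continue
        m = PE_MOD_RE.match(line)
        if m:
            findings.append(Finding("high", "pe-modified", m.group(1),
                                    "GMER reports the on-disk image was modified"))
    return findings


def summarize(findings):
    """Count findings per category and give the worst severity seen."""
    counts = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    if any(f.severity == "high" for f in findings):
        worst = "high"
    elif findings:
        worst = "medium"
    else:
        worst = "none"
    return {"counts": counts, "worst": worst}


if __name__ == "__main__":
    # Usage: python gmer_triage.py [gmer.log]; with no argument the sample is used.
    if len(sys.argv) > 1:
        text = open(sys.argv[1], encoding="utf-8", errors="replace").read()
    else:
        text = SAMPLE_LOG
    found = parse_gmer_log(text)
    for f in found:
        print(f"[{f.severity:6}] {f.category:17} {f.subject}: {f.detail}")
    print(summarize(found))
```

On the sample, the script reports the two disk-sector hits, the CALL in ntoskrnl.exe that lands at an address GMER could not attribute to any module, and the writeable plus modified ipsec.sys image, while skipping the CALL whose target sits inside ipsec.sys itself. That separation matters when reading a log like the one above: a transfer into an unnamed region of kernel memory and an on-disk driver image that no longer matches its expected layout are the two findings that make the MBR hit credible, whereas hundreds of byte dumps inside one driver add volume but not new information.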

#2 HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,660 posts
  • Gender:Male

Posted 24 September 2011 - 09:30 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/419662 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,660 posts
  • Gender:Male

Posted 29 September 2011 - 09:35 PM

Hello again!

I haven't heard from you in 5 days. Therefore, I am going to assume that you no longer need our help, and close this topic.

If you do still need help, please send a Private Message to any Moderator within the next five days. Be sure to include a link to your topic in your Private Message.

Thank you for using Bleeping Computer, and have a great day!
