.Exe's Keep closing Rootkit Virus Problem Directed to Post Here


This topic is locked
2 replies to this topic

#1 Nicm15

  • Members
  • 3 posts

Posted 26 September 2011 - 08:23 PM

All of us were discussing our issues in this thread. http://www.bleepingcomputer.com/forums/topic420572.html <== Tangled topic with several posters. ~ OB

Essentially referred from here: http://www.bleepingcomputer.com/forums/topic420624.html much fuller description of computer issues and no other members' computer issues tangled up in topic. ~ OB

Basically, all of our .exe files keep closing, and when we try to access them again we're told we don't have permission. This virus/rootkit appears to shut down any .exe process; it even shut down GMER when I tried to run it. We were told to post separate topics here with the requested detailed information, so I am following through with that request. I hope this helps. Thanks guys!!


DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 8.0.6001.18702
Run by Marie at 20:44:56 on 2011-09-26
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.510.250 [GMT -4:00]
.
AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
svchost.exe
C:\WINDOWS\3159867378:222341187.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.aol.com/
uDefault_Page_URL = hxxp://www.dell4me.com/myway
uSearch Bar = hxxp://bfc.myway.com/search/de_srchlft.html
uURLSearchHooks: H - No File
BHO: {0038b3b8-746c-4227-9e29-9b8f91ff1f5b} - c:\windows\system32\atkctrs32.dll
BHO: {00468b5f-9dcc-44ae-9a62-6e748112ca92} - c:\windows\system32\atkctrs32.dll
BHO: {00716770-746c-4227-9e29-9b8f91ff1f5b} - c:\windows\system32\atkctrs32.dll
BHO: {008d16bf-9dcc-44ae-9a62-6e748112ca92} - c:\windows\system32\atkctrs32.dll
BHO: {00e2cee0-746c-4227-9e29-9b8f91ff1f5b} - c:\windows\system32\atkctrs32.dll
BHO: {011a2d7f-9dcc-44ae-9a62-6e748112ca92} - c:\windows\system32\atkctrs32.dll
BHO: {01c59dc0-746c-4227-9e29-9b8f91ff1f5b} - c:\windows\system32\atkctrs32.dll
BHO: {02345afe-9dcc-44ae-9a62-6e748112ca92} - c:\windows\system32\atkctrs32.dll
BHO: {038b3b81-746c-4227-9e29-9b8f91ff1f5b} - c:\windows\system32\atkctrs32.dll
BHO: {0468b5fd-9dcc-44ae-9a62-6e748112ca92} - c:\windows\system32\atkctrs32.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [DXDllRegExe] dxdllreg.exe
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
LSP: mswsock.dll
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1313004083921
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{A1E4FCFE-2389-49F4-B38E-5CBF643E74EB} : DhcpNameServer = 192.168.1.1
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: temsvw32 - temsvw32.dll
Notify: termfsvses - temsvw32.dll
AppInit_DLLs: c:\windows\system32\ndisapi32.dll
.
============= SERVICES / DRIVERS ===============
.
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-8-25 243152]
S0 rodvp;rodvp;c:\windows\system32\drivers\mjvynrld.sys --> c:\windows\system32\drivers\mjvynrld.sys [?]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-8-25 216400]
S1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-8-25 29712]
S1 mmkmquho;mmkmquho;\??\c:\windows\system32\drivers\mmkmquho.sys --> c:\windows\system32\drivers\mmkmquho.sys [?]
S1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
S1 MpKsl07321602;MpKsl07321602;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{afcd3c70-6bcc-4957-923c-b614df01af6b}\mpksl07321602.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{afcd3c70-6bcc-4957-923c-b614df01af6b}\MpKsl07321602.sys [?]
S1 MpKsl31e3a574;MpKsl31e3a574;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{302c5a86-9c1b-4ab3-a0d9-2dc0b601424d}\mpksl31e3a574.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{302c5a86-9c1b-4ab3-a0d9-2dc0b601424d}\MpKsl31e3a574.sys [?]
S1 MpKsl45232b09;MpKsl45232b09;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{3306831f-7758-4459-9702-0a06a86e2528}\mpksl45232b09.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{3306831f-7758-4459-9702-0a06a86e2528}\MpKsl45232b09.sys [?]
S1 MpKsl73f9d00c;MpKsl73f9d00c;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{0a681894-58b3-46b9-b9ee-7f76feb8e1ff}\mpksl73f9d00c.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{0a681894-58b3-46b9-b9ee-7f76feb8e1ff}\MpKsl73f9d00c.sys [?]
S1 MpKsl7cf9df7f;MpKsl7cf9df7f;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{c3af5ac2-ca43-4c3f-9843-ce66bd184d01}\mpksl7cf9df7f.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{c3af5ac2-ca43-4c3f-9843-ce66bd184d01}\MpKsl7cf9df7f.sys [?]
S1 MpKsl930239d5;MpKsl930239d5;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{7c58abe1-2788-4d3c-8c49-1aed86f64072}\mpksl930239d5.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{7c58abe1-2788-4d3c-8c49-1aed86f64072}\MpKsl930239d5.sys [?]
S1 MpKsld5593547;MpKsld5593547;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{acbf76cf-a2f4-4a7b-b80d-bb4c91a4004d}\mpksld5593547.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{acbf76cf-a2f4-4a7b-b80d-bb4c91a4004d}\MpKsld5593547.sys [?]
S1 MpKslde4baedd;MpKslde4baedd;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{cd946171-6561-4f71-9c65-d1a973820f09}\mpkslde4baedd.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{cd946171-6561-4f71-9c65-d1a973820f09}\MpKslde4baedd.sys [?]
S1 MpKsle942f9bf;MpKsle942f9bf;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{7c58abe1-2788-4d3c-8c49-1aed86f64072}\mpksle942f9bf.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{7c58abe1-2788-4d3c-8c49-1aed86f64072}\MpKsle942f9bf.sys [?]
S1 MpKslf4f9407c;MpKslf4f9407c;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{acbf76cf-a2f4-4a7b-b80d-bb4c91a4004d}\mpkslf4f9407c.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{acbf76cf-a2f4-4a7b-b80d-bb4c91a4004d}\MpKslf4f9407c.sys [?]
S2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-7-16 921952]
S2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-16 308136]
S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S2 SwPrv32;MS Software Shadow Copy Provider ;c:\windows\system32\mprddm32.exe --> c:\windows\system32\mprddm32.exe [?]
S2 TermServices;Remote Desktop Services;c:\windows\system32\svchost.exe -k termfsc [2004-8-19 14336]
.
=============== Created Last 30 ================
.
2011-09-26 21:45:42 -------- d-----w- c:\documents and settings\all users\application data\RegCure
2011-09-26 18:24:18 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-09-26 18:24:13 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-26 18:21:56 94896 ----a-w- c:\windows\system32\drivers\23122013.sys
2011-09-25 20:11:59 -------- d-----w- c:\documents and settings\all users\application data\PC Tools
2011-09-25 19:08:24 -------- d-----w- c:\documents and settings\marie\local settings\application data\PCHealth
2011-09-25 18:20:20 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{d5c6e345-2fd0-48f3-a1a6-42b9b1b3eb37}\offreg.dll
2011-09-25 18:20:08 7269712 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{d5c6e345-2fd0-48f3-a1a6-42b9b1b3eb37}\mpengine.dll
.
==================== Find3M ====================
.
2011-09-25 21:45:42 56 --sh--r- c:\windows\system32\178C41440C.sys
2011-09-25 21:45:42 1682 --sha-w- c:\windows\system32\KGyGaAvL.sys
2011-09-06 20:01:08 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-24 06:13:04 0 ----a-w- c:\documents and settings\all users\application data\xwed.exe
2011-07-24 06:13:04 0 ----a-w- c:\documents and settings\all users\application data\mgoh.exe
2011-07-24 06:13:03 0 ----a-w- c:\documents and settings\all users\application data\nabk.exe
2011-07-24 06:13:03 0 ----a-w- c:\documents and settings\all users\application data\blkp.exe
2011-07-03 21:40:32 0 ---ha-w- c:\documents and settings\marie\zritbmwyhp.tmp
.
============= FINISH: 20:45:13.45 ===============

Edited by Orange Blossom, 27 September 2011 - 12:34 PM.
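The DDS log above carries several indicators a malware-response helper would pick out by eye before asking for fresh logs: a running process whose path has a second colon after the drive letter (the syntax Windows uses for an NTFS alternate data stream, `file:stream`), ten Browser Helper Objects with no display name that all resolve to the same DLL, a Winlogon Notify DLL registered under two different keys, an AppInit_DLLs entry, services with random-looking names whose files DDS could not read (`[?]`), and zero-byte `.exe` files dropped into All Users\Application Data. The script below is an added example, not part of the original post and not part of the DDS tool; it encodes those observations as triage heuristics and runs them over a constructed excerpt modelled on the posted log. The section names follow the posted DDS format; the threshold of three CLSIDs per DLL, the "lowercase name used as its own display name" test, and the allow-list that exempts Microsoft Security Essentials' transient `MpKsl*.sys` definition-update drivers from the missing-file rule are assumptions made for the example.

```python
"""Heuristic triage of a DDS log (added example; thresholds and allow-list are assumptions)."""
from __future__ import annotations

import re
from collections import defaultdict
from typing import NamedTuple


class Finding(NamedTuple):
    section: str
    rule: str
    line: str


SECTION_RE = re.compile(r"^=+\s*(?P<name>.*?)\s*=+$")
# "BHO: <name>: {clsid} - <dll>"; the display name is optional and absent on the odd entries.
BHO_RE = re.compile(r"^BHO:\s*(?:(?P<name>[^{]+?):\s*)?\{(?P<clsid>[0-9a-fA-F-]{36})\}\s*-\s*(?P<path>.+)$")
NOTIFY_RE = re.compile(r"^Notify:\s*(?P<key>\S+)\s*-\s*(?P<dll>\S+)$")
# "S0 name;display;path [date size]"  or  "... --> path [?]" when DDS cannot read the file.
SERVICE_RE = re.compile(r"^[RS]\d\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
# "2011-07-24 06:13:04 0 ----a-w- c:\...\xwed.exe"; the size column is "--------" for directories.
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+(?P<size>\d+|-+)\s+\S+\s+(?P<path>.+)$")
# A second colon after the drive letter is NTFS alternate-data-stream syntax (file:stream).
ADS_RE = re.compile(r"^[A-Za-z]:\\.*:[^\\]+$")

# Assumption: Microsoft Security Essentials keeps short-lived MpKsl*.sys drivers in its
# definition-update folder, so "[?]" on those is expected and must not be flagged.
MISSING_FILE_ALLOW = ("\\microsoft antimalware\\definition updates\\",)
SHARED_BHO_THRESHOLD = 3  # assumption: one DLL behind three or more CLSIDs deserves a look


def triage(text: str) -> list[Finding]:
    """Return every line that trips one of the heuristics, tagged with its DDS section."""
    findings: list[Finding] = []
    section = ""
    bho_by_dll: dict[str, list[str]] = defaultdict(list)
    notify_by_dll: dict[str, list[str]] = defaultdict(list)

    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if (m := SECTION_RE.match(line)):
            section = m.group("name")
        elif section.startswith("Running Processes"):
            # Drop svchost's "-k group" argument before testing the path for a stream name.
            if ADS_RE.match(line.split(" -k ")[0]):
                findings.append(Finding(section, "process path uses alternate-data-stream syntax", line))
        elif section.startswith("Pseudo HJT"):
            if (m := BHO_RE.match(line)):
                bho_by_dll[m.group("path").lower()].append(line)
                if m.group("name") is None:
                    findings.append(Finding(section, "BHO registered without a display name", line))
            elif (m := NOTIFY_RE.match(line)):
                notify_by_dll[m.group("dll").lower()].append(line)
            elif line.startswith("AppInit_DLLs:"):
                findings.append(Finding(section, "AppInit_DLLs loads a DLL into every process that uses user32; verify it", line))
        elif section.startswith("SERVICES"):
            if (m := SERVICE_RE.match(line)):
                rest = m.group("rest").lower()
                if rest.endswith("[?]") and not any(a in rest for a in MISSING_FILE_ALLOW):
                    findings.append(Finding(section, "service/driver file missing or unreadable", line))
                if m.group("name") == m.group("display") and m.group("name").islower():
                    findings.append(Finding(section, "service uses a random-looking name as its own display name", line))
        elif section.startswith(("Created Last", "Find3M")):
            m = FILE_RE.match(line)
            if m and m.group("size") == "0" and m.group("path").lower().endswith(".exe"):
                findings.append(Finding(section, "zero-byte .exe", line))

    # Cross-line rules: one DLL behind many CLSIDs, one Notify DLL behind several keys.
    for dll, lines in bho_by_dll.items():
        if len(lines) >= SHARED_BHO_THRESHOLD:
            findings.append(Finding("Pseudo HJT Report", f"{len(lines)} BHO CLSIDs point at the same DLL {dll}", lines[0]))
    for dll, lines in notify_by_dll.items():
        if len(lines) > 1:
            findings.append(Finding("Pseudo HJT Report", f"Winlogon Notify DLL {dll} registered under {len(lines)} keys", lines[0]))
    return findings


# Constructed excerpt modelled on the posted log, trimmed to the lines the rules care about.
SAMPLE_DDS = r"""
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\WINDOWS\3159867378:222341187.exe
============== Pseudo HJT Report ===============
BHO: {0038b3b8-746c-4227-9e29-9b8f91ff1f5b} - c:\windows\system32\atkctrs32.dll
BHO: {00468b5f-9dcc-44ae-9a62-6e748112ca92} - c:\windows\system32\atkctrs32.dll
BHO: {00716770-746c-4227-9e29-9b8f91ff1f5b} - c:\windows\system32\atkctrs32.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: temsvw32 - temsvw32.dll
Notify: termfsvses - temsvw32.dll
AppInit_DLLs: c:\windows\system32\ndisapi32.dll
============= SERVICES / DRIVERS ===============
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-8-25 243152]
S0 rodvp;rodvp;c:\windows\system32\drivers\mjvynrld.sys --> c:\windows\system32\drivers\mjvynrld.sys [?]
S1 MpKsl07321602;MpKsl07321602;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{afcd3c70-6bcc-4957-923c-b614df01af6b}\mpksl07321602.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{afcd3c70-6bcc-4957-923c-b614df01af6b}\MpKsl07321602.sys [?]
S2 SwPrv32;MS Software Shadow Copy Provider ;c:\windows\system32\mprddm32.exe --> c:\windows\system32\mprddm32.exe [?]
==================== Find3M ====================
2011-09-06 20:01:08 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-24 06:13:04 0 ----a-w- c:\documents and settings\all users\application data\xwed.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f.section}] {f.rule}\n    {f.line}")
```

Run the file as-is to see the hits against the embedded excerpt, or call `triage(open("DDS.txt", encoding="utf-8", errors="replace").read())` on a saved log. Treat the output as leads, not verdicts: `[?]` is what DDS prints whenever it cannot read a file's date and size, which is why the allow-list is needed for the MpKsl drivers, and a look-alike service such as SwPrv32 starting mprddm32.exe can only be judged by comparing it against a known-clean XP install, which this script does not attempt.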


#2 Blind Faith

  • Malware Response Team
  • 4,101 posts

Posted 30 September 2011 - 12:57 PM

Hello and welcome to BleepingComputer! :)



I am Blind Faith and I will be helping you out with your problem. Firstly, you should know that we work with specific tools designed to identify the possible threats present on your system, so I will analyze the results they produce.


As a start, we need some more up-to-date logs than the ones you have already provided. The current state of the files on your system might have changed, so we need to get a clear look at that first. DO NOT make any changes to the system except the ones I tell you to, as that may produce more damage than help.

If you encounter a delay of over 2 days from me, please don't hesitate to private message me.
Do not forget to check your topic periodically and subscribe to the topic so that you can receive notifications regarding my replies.



Please generate another DDS log (download it from here if you haven't already) and post it in your next reply, along with any other changes that may have occurred since you last posted.
Also download and run GMER from this link: GMER download link.



Thank you very much for your patience.




Regards,

Elle

#3 Elise

  • Malware Study Hall Admin
  • 61,243 posts

Posted 17 November 2011 - 02:17 AM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

regards, Elise

