Infected with Rootkit.win32.Zaccess.e


This topic is locked
40 replies to this topic

#1 efrost

Posted 10 October 2011 - 08:44 AM

So I ran TDSSKiller, and this is the virus that it says I'm infected with. I try to cure, but it keeps coming back. When I look at my processes running in the Task Manager, I see 3468633093:4206872817.exe which I assume is the virus. I can't seem to end the process. After TDSSKiller says it cured the infection and requires a reboot, it comes right back. I ran Gmer, and it just closes and doesn't allow the app to finish, then the executable file isn't usable anymore, so I assume the virus is killing things. My Stopzilla antivirus is disabled; it killed Malwarebytes and others.
Please help. Thanks! Below are the files requested.

#2 Noviciate (Malware Response Team)

Posted 10 October 2011 - 03:11 PM

Good evening. :)

There should be a file called DDS.txt created when you run DDS, as well as Attach.txt which you've posted. Can you copy and paste the contents of that into your next reply.

So long, and thanks for all the fish.

#3 efrost (Topic Starter)

Posted 10 October 2011 - 03:16 PM

Apparently the virus now killed IE and won't let me use that, so I'm forced to use Firefox. When I try to load IE, I get "Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item".
Below is the DDS file information:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Elvin Frost at 9:34:55 on 2011-10-10
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3325.2797 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\3468633093:4208672817.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\WINDOWS\explorer.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://my.myway.com/
uSearch Page =
uSearch Bar =
mStart Page = hxxp://www.bigseekpro.com/tempcleaner/{70325A49-F3D4-4BCC-8C12-03FC941A635C}
uInternet Settings,ProxyOverride = *.local
mSearchAssistant =
uWinlogon: Shell=c:\documents and settings\elvin frost\local settings\application data\0524bfce\X
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {00000000-0000-0000-0000-000000000000} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office11\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/Dcode/ActiveX/MSDcode.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} - hxxps://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
DPF: {49232000-16E4-426C-A231-62846947304B} - hxxps://wimpro.cce.hp.com/ChatEntry/downloads/sysinfo.cab
DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1230910998250
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {88D969C0-F192-11D4-A65F-0040963251E5} - hxxps://wimpro.cce.hp.com/ChatEntry/downloads/msxml4.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {A7846ED2-9DE6-4E8A-B116-A8ACEBFA7DB1} - hxxp://rms2.invokesolutions.com/events/bin/6.2.0.1452/MILive.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D8AA889B-2C65-47C3-8C16-3DCD4EF76A47}
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
TCP: Interfaces\{DCD87B9E-B834-455B-9D90-C5813BCB29B4} : NameServer = 167.206.245.19,167.206.245.83
TCP: Interfaces\{E2F7C7C3-E15A-400B-A379-9535DF759A23} : DhcpNameServer = 167.206.245.19 167.206.245.83
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\windows\system32\Skype4COM.dll
Notify: igfxcui - igfxdev.dll
Notify: LMIinit - LMIinit.dll
Notify: TPSvc - TPSvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\elvin frost\application data\mozilla\firefox\profiles\76gvmtni.default\
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://my.myway.com/index.jsp?speedbarconfigchanged
FF - prefs.js: keyword.URL - hxxp://search.avg.com/?d=4d53ee91&i=23&tp=ab&nt=1&q=
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: DivX Plus Web Player HTML5 &lt;video&gt;: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\divx\divx plus web player\firefox\html5video
FF - Ext: DivX HiQ: {6904342A-8307-11DF-A508-4AE2DFD72085} - c:\program files\divx\divx plus web player\firefox\wpa
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
.
============= SERVICES / DRIVERS ===============
.
R0 szkg5;szkg5;c:\windows\system32\drivers\SZKG.sys [2009-12-7 61328]
R0 szkgfs;szkgfs;c:\windows\system32\drivers\SZKGFS.sys [2011-8-16 59080]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-9-29 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-8-11 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-1-1 47640]
R3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [2011-9-22 23624]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2010-4-30 57248]
S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys [2009-12-7 61328]
S2 AirPrint;AirPrint;c:\program files\airprint\airprint.exe -s --> c:\program files\airprint\Airprint.exe -s [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S3 xcpip;TCP/IP Protocol Driver;c:\windows\system32\drivers\xcpip.sys --> c:\windows\system32\drivers\xcpip.sys [?]
S3 xpsec;IPSEC driver;c:\windows\system32\drivers\xpsec.sys --> c:\windows\system32\drivers\xpsec.sys [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
=============== Created Last 30 ================
.
2011-10-10 12:49:48 -------- d-----w- C:\TDSSKiller_Quarantine
2011-10-08 23:05:58 -------- d-----w- c:\windows\system32\wbem\Logs
2011-10-07 22:07:12 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-10-07 22:02:43 -------- d-sh--w- c:\documents and settings\elvin frost\local settings\application data\0524bfce
2011-09-22 18:15:24 -------- d-----w- c:\windows\Internet Logs
2011-09-22 16:31:52 -------- d-----w- c:\documents and settings\elvin frost\application data\Toolbar4
2011-09-22 16:31:34 -------- d-----w- c:\program files\Temp File Cleaner
2011-09-22 16:30:10 -------- d-----w- c:\program files\CCleaner
2011-09-22 15:54:20 23624 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-09-22 15:54:06 -------- d-----w- c:\documents and settings\all users\application data\Hitman Pro
2011-09-22 15:26:11 -------- d-----w- c:\program files\STOPzilla!
2011-09-22 15:26:11 -------- d-----w- c:\program files\common files\iS3
2011-09-22 15:26:10 -------- d-----w- c:\documents and settings\all users\application data\STOPzilla!
2011-09-22 12:57:37 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-22 12:57:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-22 00:15:44 -------- d-----w- c:\documents and settings\elvin frost\application data\SUPERAntiSpyware.com
2011-09-22 00:15:29 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-09-22 00:11:06 -------- d--h--w- c:\windows\system32\GroupPolicy
2011-09-19 22:16:14 132560 ----a-r- c:\windows\system32\IS3HTUI5.dll
2011-09-19 22:16:12 546256 ----a-r- c:\windows\system32\SZComp5.dll
2011-09-19 22:16:12 22992 ----a-r- c:\windows\system32\SZIO5.dll
2011-09-19 22:16:10 480720 ----a-r- c:\windows\system32\SZBase5.dll
2011-09-19 22:16:10 28624 ----a-r- c:\windows\system32\IS3XDat5.dll
2011-09-19 22:16:08 398800 ----a-r- c:\windows\system32\IS3DBA5.dll
2011-09-19 22:16:06 99792 ----a-r- c:\windows\system32\IS3Svc5.dll
2011-09-19 22:16:06 67024 ----a-r- c:\windows\system32\IS3Hks5.dll
2011-09-19 22:16:04 99792 ----a-r- c:\windows\system32\IS3Inet5.dll
2011-09-19 22:16:04 390608 ----a-r- c:\windows\system32\IS3UI5.dll
2011-09-19 22:16:04 230864 ----a-r- c:\windows\system32\IS3Win325.dll
2011-09-19 22:16:02 738768 ----a-r- c:\windows\system32\IS3Base5.dll
.
==================== Find3M ====================
.
2011-10-10 13:08:45 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2011-10-10 12:37:31 44544 ----a-w- c:\windows\system32\drivers\fips.sys
2011-10-07 18:20:54 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2011-10-07 18:20:54 52096 -c--a-w- c:\windows\system32\spool\prtprocs\w32x86\LMIproc.dll
2011-10-07 18:20:53 87424 ----a-w- c:\windows\system32\LMIinit.dll
2011-10-07 18:20:53 30592 -c--a-w- c:\windows\system32\LMIport.dll
2011-10-03 23:47:25 404640 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-08-16 21:48:30 59080 ----a-r- c:\windows\system32\drivers\SZKGFS.sys
2011-07-18 13:55:43 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll.000.bak
2011-07-18 13:55:42 87424 ----a-w- c:\windows\system32\LMIinit.dll.000.bak
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD3200AAKS-00B3A0 rev.01.03A01 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-1f
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A6364A0]<<
_asm { MOV EAX, [ESP+0x4]; MOV ECX, [EAX+0x28]; PUSH EBP; MOV EBP, [ECX+0x4]; PUSH ESI; MOV ESI, [ESP+0x10]; PUSH EDI; MOV EDI, [ESI+0x60]; MOV AL, [EDI]; CMP AL, 0x16; JNZ 0x36; PUSH ESI; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8B2A2AB8]
3 CLASSPNP[0xB81B8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A674330]
\Driver\00000923[0x8A7169E0] -> IRP_MJ_CREATE -> 0x8A6364A0
kernel: MBR read successfully
_asm { ADD [BX+SI], AL; ADD [BX+SI], AL; ADD [BX+SI], AL; ADD [BX+SI], AL; ADD [BX+SI], AL; ADD [BX+SI], AL; ADD [BX+SI], AL; ADD [BX+SI], AL; ADD [BX+SI], AL; ADD [BX+SI], AL; ADD [BX+SI], AL; ADD [BX+SI], AL; ADD [BX+SI], AL; ADD [BX+SI], AL; ADD [BX+SI], AL; ADD [BX+SI], AL; ADD [BX+SI], AL; ADD [BX+SI], AL; ADD [BX+SI], AL; ADD [BX+SI], AL; }
user != kernel MBR !!!
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
.
============= FINISH: 9:35:27.37 ===============
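
The DDS log above already carries the traits a responder looks for. As an added example that is not part of this thread, here is a small Python triage script that walks a DDS-format log and flags them: a process whose image path contains an NTFS alternate data stream (the numeric 3468633093:4208672817.exe), a Winlogon Shell value that is not explorer.exe, a hidden+system folder created under the user profile, and Gmer's user/kernel MBR mismatch. The embedded log excerpt is constructed from the posted log, and the check names are my own.

```python
"""Triage checks for a DDS log showing the ZeroAccess traits discussed in this thread."""
import re
from typing import List, Tuple

# Constructed excerpt in DDS log format, modelled on the log posted above (not the full log).
SAMPLE_DDS_LOG = r"""
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\3468633093:4208672817.exe
C:\WINDOWS\system32\spoolsv.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://my.myway.com/
uWinlogon: Shell=c:\documents and settings\elvin frost\local settings\application data\0524bfce\X
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
.
=============== Created Last 30 ================
.
2011-10-10 12:49:48 -------- d-----w- C:\TDSSKiller_Quarantine
2011-10-07 22:02:43 -------- d-sh--w- c:\documents and settings\elvin frost\local settings\application data\0524bfce
2011-09-22 00:11:06 -------- d--h--w- c:\windows\system32\GroupPolicy
.
=================== ROOTKIT ====================
.
user: MBR read successfully
kernel: MBR read successfully
user != kernel MBR !!!
Warning: possible TDL4 rootkit infection !
.
"""

SECTION_RE = re.compile(r'^=+\s*(.+?)\s*=+$')
# A process path whose last component contains a colon: the image runs out of an NTFS
# alternate data stream (file "3468633093", stream "4208672817.exe" in the log above).
ADS_PROCESS_RE = re.compile(r'^[a-z]:\\(?:[^\\:]+\\)*[^\\:]+:[^\\\s]+(?:\s|$)', re.I)
SHELL_RE = re.compile(r'^[um]Winlogon:\s*Shell=(.+)$', re.I)
# "<date> <time> <size or dashes> <attributes> <path>" as DDS prints it under Created Last 30.
CREATED_RE = re.compile(r'^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\s+\S+\s+(\S+)\s+(.+)$')

Finding = Tuple[str, str]  # (check name, offending log line)


def is_default_shell(value: str) -> bool:
    """True when the Winlogon Shell value is the stock explorer.exe (with or without a path)."""
    shell = value.strip().strip('"').lower()
    return shell == "explorer.exe" or shell.endswith("\\explorer.exe")


def is_hidden_profile_dir(attrs: str, path: str) -> bool:
    """Hidden+system directory created under a user profile, like the 0524bfce folder above."""
    return (attrs.startswith("d") and "s" in attrs and "h" in attrs
            and "documents and settings" in path.lower())


def check_dds_log(text: str) -> List[Finding]:
    """Walk the DDS sections and collect indicators of ZeroAccess-style persistence."""
    findings: List[Finding] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1).lower()
            continue
        if section == "running processes" and ADS_PROCESS_RE.match(line):
            findings.append(("ads-process", line))
        elif section == "pseudo hjt report":
            m = SHELL_RE.match(line)
            if m and not is_default_shell(m.group(1)):
                findings.append(("winlogon-shell", line))
        elif section == "created last 30":
            m = CREATED_RE.match(line)
            if m and is_hidden_profile_dir(m.group(1), m.group(2)):
                findings.append(("hidden-profile-dir", line))
        elif section == "rootkit" and "user != kernel MBR" in line:
            findings.append(("mbr-mismatch", line))
    return findings


if __name__ == "__main__":
    for name, line in check_dds_log(SAMPLE_DDS_LOG):
        print(f"[{name}] {line}")
```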

#4 Noviciate (Malware Response Team)

Posted 10 October 2011 - 04:59 PM

Please download DummyCreator.zip by Farbar from here and save it to your Desktop - you will then need to unzip it.

Right click on the zipped folder and from the menu that appears, click on Extract All...
In the "Extraction Wizard" window that opens, click on Next> and in the next window that appears, click on Next> again.
In the final window, click on Finish.


  • Double click DummyCreator.exe to run the tool.
  • Copy and paste the following into the edit box:

    • C:\WINDOWS\3468633093
  • Click the Create button.
  • Make sure you have a copy of Result.txt that should appear once the tool has completed.
  • Important: Restart the computer and then let me have a copy of Result.txt in your next reply.

So long, and thanks for all the fish.

#5 efrost (Topic Starter)

Posted 10 October 2011 - 05:07 PM

Done.

DummyCreator by Farbar
Ran by Elvin Frost (administrator) on 10-10-2011 at 18:02:21
**************************************************************

C:\WINDOWS\3468633093 [10-10-2011 18:02:21]

== End of log ==

#6 Noviciate (Malware Response Team)

Posted 11 October 2011 - 02:42 PM

Good evening. :)

Download Junction.zip by Mark Russinovich from here and save it to your Desktop - you'll need to unzip this one as well.

  • Copy and paste the file junction.exe into the Windows directory (C:\Windows).
  • Go to Start > Run..., copy the following into the textbox and click OK:

    • cmd /c junction -s c:\ >log.txt&log.txt& del log.txt
  • A Command Window will open and the tool will start scanning.
  • When it's done, a text file called log.txt will appear - I'd like a copy of that in your next reply.

So long, and thanks for all the fish.

#7 efrost (Topic Starter)

Posted 11 October 2011 - 02:59 PM

Here you go:

Junction v1.06 - Windows junction creator and reparse point viewer
Copyright © 2000-2010 Mark Russinovich
Sysinternals - www.sysinternals.com


Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.
Failed to open \\?\c:\\Documents and Settings\Administrator\Local Settings\temp\{DDFFC74E-0130-45E7-AC15-3AD49749F8B1}\en-us: Access is denied.
Failed to open \\?\c:\\Documents and Settings\Elvin Frost\My Documents\Downloads\HitmanPro35.exe: Access is denied.
Failed to open \\?\c:\\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe: Access is denied.
Failed to open \\?\c:\\Program Files\Internet Explorer\iexplore.exe: Access is denied.
Failed to open \\?\c:\\Program Files\SUPERAntiSpyware\7fe221e8-5e86-4e7b-a371-ff3ab278a87d.com: Access is denied.
Failed to open \\?\c:\\Test\tdsskiller\5l501w76.exe: Access is denied.
Failed to open \\?\c:\\Test\tdsskiller\odp54hsd.exe: Access is denied.
Failed to open \\?\c:\\Test\tdsskiller\rootkit virus remove gmer.exe: Access is denied.
Failed to open \\?\c:\\WINDOWS\$NtUninstallKB17685$: Access is denied.

\\?\c:\\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790

Failed to open \\?\c:\\WINDOWS\assembly\GAC_MSIL\Desktop.ini: Access is denied.

\\?\c:\\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e
Substitute Name: C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e

\\?\c:\\WINDOWS\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_4.0.0.0_x-ww_29b51492
Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_4.0.0.0_x-ww_29b51492

\\?\c:\\WINDOWS\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Workflow.Compiler\v4.0_4.0.0.0__31bf3856ad364e35: JUNCTION
Print Name : C:\WINDOWS\WinSxS\MSIL_Microsoft.Workflow.Compiler_31bf3856ad364e35_4.0.0.0_x-ww_97359ba5
Substitute Name: C:\WINDOWS\WinSxS\MSIL_Microsoft.Workflow.Compiler_31bf3856ad364e35_4.0.0.0_x-ww_97359ba5

Failed to open \\?\c:\\WINDOWS\Registration\CRMLog: Access is denied.
Failed to open \\?\c:\\WINDOWS\system32\MRT.exe: Access is denied.

#8 Noviciate (Malware Response Team)

Posted 11 October 2011 - 04:48 PM

Please download GrantPerms.zip by Farbar from here and save it to your Desktop - you will then need to unzip it.

  • Run GrantPerms.exe and copy the following into the textbox:

    • \\?\c:\\Documents and Settings\Administrator\Local Settings\temp\{DDFFC74E-0130-45E7-AC15-3AD49749F8B1}\en-us
      \\?\c:\\Documents and Settings\Elvin Frost\My Documents\Downloads\HitmanPro35.exe
      \\?\c:\\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
      \\?\c:\\Program Files\Internet Explorer\iexplore.exe
      \\?\c:\\Program Files\SUPERAntiSpyware\7fe221e8-5e86-4e7b-a371-ff3ab278a87d.com
      \\?\c:\\Test\tdsskiller\5l501w76.exe
      \\?\c:\\Test\tdsskiller\odp54hsd.exe
      \\?\c:\\Test\tdsskiller\rootkit virus remove gmer.exe
      \\?\c:\\WINDOWS\$NtUninstallKB17685$
      \\?\c:\\WINDOWS\assembly\GAC_MSIL\Desktop.ini
      \\?\c:\\WINDOWS\Registration\CRMLog
      \\?\c:\\WINDOWS\system32\MRT.exe
  • Click Unlock and when you are given the message "Unlock operation completed", click OK.
  • Click List Permissions to create a log of the actions - a copy will be saved as Perms.txt into the folder that GrantPerms.exe was run from.
  • I'd like you to copy and paste the contents of this textfile into your next reply.

So long, and thanks for all the fish.

#9 efrost (Topic Starter)

Posted 11 October 2011 - 05:06 PM

Followed the directions, put those files in the text box and hit Unlock. Then the box disappeared and never came back. It showed up for a sec in the system tray, but then disappeared. It doesn't show up in Task Manager as running and won't let me run it again.
Now what?

#10 Noviciate (Malware Response Team)

Posted 11 October 2011 - 05:28 PM

Run DDS again and let me have the log that it produces.

So long, and thanks for all the fish.

#11 efrost (Topic Starter)

Posted 11 October 2011 - 06:47 PM

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Elvin Frost at 19:46:20 on 2011-10-11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3325.2571 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AutoHotkey\AutoHotkey.exe
C:\WINDOWS\system32\mstsc.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://my.myway.com/
uSearch Page =
uSearch Bar =
mStart Page = hxxp://www.bigseekpro.com/tempcleaner/{70325A49-F3D4-4BCC-8C12-03FC941A635C}
uInternet Settings,ProxyOverride = *.local
mSearchAssistant =
uWinlogon: Shell=c:\documents and settings\elvin frost\local settings\application data\0524bfce\X
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {00000000-0000-0000-0000-000000000000} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office11\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/Dcode/ActiveX/MSDcode.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} - hxxps://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
DPF: {49232000-16E4-426C-A231-62846947304B} - hxxps://wimpro.cce.hp.com/ChatEntry/downloads/sysinfo.cab
DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1230910998250
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {88D969C0-F192-11D4-A65F-0040963251E5} - hxxps://wimpro.cce.hp.com/ChatEntry/downloads/msxml4.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {A7846ED2-9DE6-4E8A-B116-A8ACEBFA7DB1} - hxxp://rms2.invokesolutions.com/events/bin/6.2.0.1452/MILive.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D8AA889B-2C65-47C3-8C16-3DCD4EF76A47}
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
TCP: Interfaces\{DCD87B9E-B834-455B-9D90-C5813BCB29B4} : NameServer = 167.206.245.19,167.206.245.83
TCP: Interfaces\{E2F7C7C3-E15A-400B-A379-9535DF759A23} : DhcpNameServer = 167.206.245.19 167.206.245.83
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\windows\system32\Skype4COM.dll
Notify: igfxcui - igfxdev.dll
Notify: LMIinit - LMIinit.dll
Notify: TPSvc - TPSvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\elvin frost\application data\mozilla\firefox\profiles\76gvmtni.default\
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://my.myway.com/index.jsp?speedbarconfigchanged
FF - prefs.js: keyword.URL - hxxp://search.avg.com/?d=4d53ee91&i=23&tp=ab&nt=1&q=
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: DivX Plus Web Player HTML5 &lt;video&gt;: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\divx\divx plus web player\firefox\html5video
FF - Ext: DivX HiQ: {6904342A-8307-11DF-A508-4AE2DFD72085} - c:\program files\divx\divx plus web player\firefox\wpa
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
.
============= SERVICES / DRIVERS ===============
.
R0 szkg5;szkg5;c:\windows\system32\drivers\SZKG.sys [2009-12-7 61328]
R0 szkgfs;szkgfs;c:\windows\system32\drivers\SZKGFS.sys [2011-8-16 59080]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-9-29 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-8-11 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-1-1 47640]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2010-4-30 57248]
S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys [2009-12-7 61328]
S2 AirPrint;AirPrint;c:\program files\airprint\airprint.exe -s --> c:\program files\airprint\Airprint.exe -s [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [2011-9-22 23624]
S3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S3 xcpip;TCP/IP Protocol Driver;c:\windows\system32\drivers\xcpip.sys --> c:\windows\system32\drivers\xcpip.sys [?]
S3 xpsec;IPSEC driver;c:\windows\system32\drivers\xpsec.sys --> c:\windows\system32\drivers\xpsec.sys [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
=============== Created Last 30 ================
.
2011-10-10 22:04:34 -------- d--h--w- C:\BJPrinter
2011-10-10 22:02:21 -------- d-----w- c:\windows\3468633093
2011-10-10 14:58:27 87608 ----a-w- c:\documents and settings\elvin frost\application data\inst.exe
2011-10-08 23:05:58 -------- d-----w- c:\windows\system32\wbem\Logs
2011-10-07 22:07:12 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-10-07 22:02:43 -------- d-sh--w- c:\documents and settings\elvin frost\local settings\application data\0524bfce
2011-09-22 18:15:24 -------- d-----w- c:\windows\Internet Logs
2011-09-22 16:31:52 -------- d-----w- c:\documents and settings\elvin frost\application data\Toolbar4
2011-09-22 16:31:34 -------- d-----w- c:\program files\Temp File Cleaner
2011-09-22 16:30:10 -------- d-----w- c:\program files\CCleaner
2011-09-22 15:54:20 23624 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-09-22 15:54:06 -------- d-----w- c:\documents and settings\all users\application data\Hitman Pro
2011-09-22 15:26:11 -------- d-----w- c:\program files\STOPzilla!
2011-09-22 15:26:11 -------- d-----w- c:\program files\common files\iS3
2011-09-22 15:26:10 -------- d-----w- c:\documents and settings\all users\application data\STOPzilla!
2011-09-22 12:57:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-22 00:15:44 -------- d-----w- c:\documents and settings\elvin frost\application data\SUPERAntiSpyware.com
2011-09-22 00:15:29 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-09-22 00:11:06 -------- d--h--w- c:\windows\system32\GroupPolicy
2011-09-19 22:16:14 132560 ----a-r- c:\windows\system32\IS3HTUI5.dll
2011-09-19 22:16:12 546256 ----a-r- c:\windows\system32\SZComp5.dll
2011-09-19 22:16:12 22992 ----a-r- c:\windows\system32\SZIO5.dll
2011-09-19 22:16:10 480720 ----a-r- c:\windows\system32\SZBase5.dll
2011-09-19 22:16:10 28624 ----a-r- c:\windows\system32\IS3XDat5.dll
2011-09-19 22:16:08 398800 ----a-r- c:\windows\system32\IS3DBA5.dll
2011-09-19 22:16:06 99792 ----a-r- c:\windows\system32\IS3Svc5.dll
2011-09-19 22:16:06 67024 ----a-r- c:\windows\system32\IS3Hks5.dll
2011-09-19 22:16:04 99792 ----a-r- c:\windows\system32\IS3Inet5.dll
2011-09-19 22:16:04 390608 ----a-r- c:\windows\system32\IS3UI5.dll
2011-09-19 22:16:04 230864 ----a-r- c:\windows\system32\IS3Win325.dll
2011-09-19 22:16:02 738768 ----a-r- c:\windows\system32\IS3Base5.dll
.
==================== Find3M ====================
.
2011-10-10 14:58:27 47360 ----a-w- c:\documents and settings\elvin frost\application data\pcouffin.sys
2011-10-10 14:58:21 87608 ----a-w- c:\documents and settings\elvin frost\application data\ezpinst.exe
2011-10-10 13:08:45 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2011-10-10 12:37:31 44544 ----a-w- c:\windows\system32\drivers\fips.sys
2011-10-07 18:20:54 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll.000.bak
2011-10-07 18:20:54 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2011-10-07 18:20:54 52096 -c--a-w- c:\windows\system32\spool\prtprocs\w32x86\LMIproc.dll
2011-10-07 18:20:53 87424 ----a-w- c:\windows\system32\LMIinit.dll.000.bak
2011-10-07 18:20:53 87424 ----a-w- c:\windows\system32\LMIinit.dll
2011-10-07 18:20:53 30592 -c--a-w- c:\windows\system32\LMIport.dll
2011-10-03 23:47:25 404640 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-08-16 21:48:30 59080 ----a-r- c:\windows\system32\drivers\SZKGFS.sys
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD3200AAKS-00B3A0 rev.01.03A01 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-1f
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A8AE4A0]<<
_asm { MOV EAX, [ESP+0x4]; MOV ECX, [EAX+0x28]; PUSH EBP; MOV EBP, [ECX+0x4]; PUSH ESI; MOV ESI, [ESP+0x10]; PUSH EDI; MOV EDI, [ESI+0x60]; MOV AL, [EDI]; CMP AL, 0x16; JNZ 0x36; PUSH ESI; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8B3332B0]
3 CLASSPNP[0xB81B8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A8E25E8]
\Driver\00000843[0x8AFC2608] -> IRP_MJ_CREATE -> 0x8A8AE4A0
kernel: MBR read successfully
_asm { ADD [BX+SI], AL; ADD [BX+SI], AL; ADD [BX+SI], AL; ADD [BX+SI], AL; ADD [BX+SI], AL; ADD [BX+SI], AL; ADD [BX+SI], AL; ADD [BX+SI], AL; ADD [BX+SI], AL; ADD [BX+SI], AL; ADD [BX+SI], AL; ADD [BX+SI], AL; ADD [BX+SI], AL; ADD [BX+SI], AL; ADD [BX+SI], AL; ADD [BX+SI], AL; ADD [BX+SI], AL; ADD [BX+SI], AL; ADD [BX+SI], AL; ADD [BX+SI], AL; }
user != kernel MBR !!!
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
.
============= FINISH: 19:46:30.81 ===============

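The "user != kernel MBR" verdict above comes from a cross-view check: the detector reads sector 0 once through the normal user-mode path and once by sending the request directly down the disk stack, and flags any difference, because a clean system returns the same bytes both ways. The disk trace shows why the two views can disagree here: an unnamed hook (`\Driver\00000843 -> IRP_MJ_CREATE -> 0x8A8AE4A0`) sits between CLASSPNP and the disk driver, and the run of `ADD [BX+SI], AL` printed after `kernel: MBR read successfully` is simply the 16-bit disassembly of 0x00 bytes, so the kernel-side read came back zeroed for at least the bytes shown. The Python below is an added example of that comparison, not part of the original post and not Gmer's code. It parses a 512-byte MBR, diffs two views of it by region, and classifies the mismatch. The sample MBR bytes, the partition layout and the disk signature are constructed for the example; the boot-code prefixes are only loosely modelled on a standard Windows MBR and a bootkit-style replacement.

```python
"""Cross-view MBR comparison (added example, not from the forum post or Gmer).

A bootkit that hooks the disk stack can answer a user-mode read of sector 0
with a clean MBR while the sector the firmware actually boots is something
else.  Reading the same sector via two paths and diffing the results is the
detection; where the bytes differ tells you roughly what was tampered with.
"""
import struct

MBR_SIZE = 512
DISK_SIG_OFF = 0x1B8        # 4-byte NT disk signature, then 2 reserved bytes
PART_TABLE_OFF = 446        # four 16-byte partition entries
SIG_OFF = 510               # 0x55 0xAA boot signature
BOOT_SIG = b"\x55\xaa"
# status, CHS start, type, CHS end, LBA start, sector count (all little-endian)
PART_ENTRY = struct.Struct("<B3sB3sII")


def parse_mbr(sector):
    """Split a 512-byte MBR into boot code, disk signature and partition table."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly %d bytes, got %d" % (MBR_SIZE, len(sector)))
    partitions = []
    for i in range(4):
        status, _chs0, ptype, _chs1, lba, count = PART_ENTRY.unpack_from(
            sector, PART_TABLE_OFF + 16 * i)
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "lba_start": lba, "sectors": count})
    return {
        "boot_code": sector[:DISK_SIG_OFF],
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": partitions,
        "valid_signature": sector[SIG_OFF:SIG_OFF + 2] == BOOT_SIG,
    }


def region(offset):
    """Name the MBR region an offset falls in, for reporting differences."""
    if offset < DISK_SIG_OFF:
        return "boot code"
    if offset < PART_TABLE_OFF:
        return "disk signature"
    if offset < SIG_OFF:
        return "partition table"
    return "boot signature"


def compare_views(user_view, kernel_view):
    """Diff the user-mode and kernel-path reads of sector 0 and classify the result."""
    if len(user_view) != MBR_SIZE or len(kernel_view) != MBR_SIZE:
        raise ValueError("both views must be %d bytes" % MBR_SIZE)
    diffs = [i for i in range(MBR_SIZE) if user_view[i] != kernel_view[i]]
    regions = sorted({region(i) for i in diffs})
    kernel_zeroed = not any(kernel_view)   # 0x00 0x00 disassembles as ADD [BX+SI], AL
    if not diffs:
        verdict = "user == kernel MBR: no cross-view discrepancy"
    elif kernel_zeroed:
        verdict = "user != kernel MBR: kernel path returned an all-zero sector (disk stack hooked)"
    elif regions == ["boot code"]:
        verdict = "user != kernel MBR: boot code differs, partition table intact (bootkit-style replacement)"
    else:
        verdict = "user != kernel MBR: differences in " + ", ".join(regions)
    return {"match": not diffs, "diff_count": len(diffs), "regions": regions,
            "kernel_zeroed": kernel_zeroed, "verdict": verdict}


def constructed_clean_mbr():
    """Constructed sample, not a real disk image: one bootable NTFS partition."""
    code = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C])  # xor ax,ax / mov ss,ax / mov sp,7C00h
    code = code.ljust(DISK_SIG_OFF, b"\x90")                   # pad with NOPs to the signature
    code += struct.pack("<I", 0xDEADBEEF) + b"\x00\x00"        # disk signature + reserved
    entry = PART_ENTRY.pack(0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 625137282)
    return code + entry + b"\x00" * 48 + BOOT_SIG


def constructed_bootkit_kernel_view(clean):
    """Constructed: same partition table, boot code swapped out (TDL4-style)."""
    fake = bytes([0x31, 0xFF, 0xBE, 0x00, 0x7C]).ljust(DISK_SIG_OFF, b"\x90")  # xor di,di / mov si,7C00h
    return fake + clean[DISK_SIG_OFF:]


if __name__ == "__main__":
    clean = constructed_clean_mbr()
    print(parse_mbr(clean)["partitions"][0])
    for label, kview in [("clean disk", clean),
                         ("zeroed kernel read", b"\x00" * MBR_SIZE),
                         ("swapped boot code", constructed_bootkit_kernel_view(clean))]:
        print("%-20s %s" % (label, compare_views(clean, kview)["verdict"]))
```

On a real machine the two inputs would be the sector returned by a plain read of `\\.\PhysicalDrive0` and the sector obtained below any filter drivers; the comparison itself is the same. The classification is only a hint about what was tampered with, and the fix Gmer offers (`mbr.exe -f`) rewrites the boot code while leaving the partition table alone, which is why a verdict that names only "boot code" is the case that tool is designed for.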
#12 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:04:34 AM

Posted 12 October 2011 - 03:17 PM

Take a trip to this webpage for download links and instructions for running Combofix by sUBs: http://www.bleepingcomputer.com/combofix/how-to-use-combofix *

  • When prompted to save Combofix, change the filename BEFORE saving it - any name will do, as long as it has .exe at the end.
  • Please be aware that this tool may require the PC to be rebooted so close any programs you have open before you start.
  • When CF has finished, it will produce a log - C:\ComboFix.txt - copy and paste
  • Let me know how the PC is behaving.
* There are two points to note from the instructions page:

1) The Recovery Console.

It is recommended that you install this as, in certain circumstances, it may be the difference between a successful repair and a reformat. If you are uncertain as to whether or not you already have the Recovery Console installed, simply run CF and it will prompt you if it does not detect it.
CF will complete some, but not all, of its removal tasks without the installation of the Console, so you are free to choose whether you want to complete this step, but it is in your interests to do so.

2) Disabling your Anti-Virus.

CF has been the victim of false-positive detections on occasion and a resident AV may incorrectly identify and delete part of the tool which won't do it much good. If you don't disable your AV, you may not get the results you hoped for!

So long, and thanks for all the fish.


#13 efrost

efrost
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:12:34 AM

Posted 12 October 2011 - 08:41 PM

So I downloaded Combofix, changed the name and ran it. It came up with a warning that I should disable Microsoft Security Essentials, but I deleted that a while ago, and ran Microsoft's uninstall for it, so I don't have it on the computer. I checked processes running in task manager, and didn't see it there either. So I said ok, and it started scanning. Came up with a dialog box indicating that it had to reboot, which it did. When it came back, Stopzilla loaded (for the first time in a while), which I stopped. CF came up with a scanning dialog again, and then just disappeared and never came back. It never asked about the recovery console.
I ran Stopzilla and it found a couple of viruses which I told it to clean, and it did a reboot. Oddly enough, since running combofix the first time, without getting a log, I don't see the program file of just numbers running in task manager anymore. Does this mean that it is gone from the computer? Should I run combofix again? or another program?
Stopzilla is still showing spywares called Google Redirector, Cognac and InternetSecuritySuite.
let me know what I should do next please..
thanks for all your help!

#14 efrost

efrost
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:12:34 AM

Posted 13 October 2011 - 06:33 AM

Stopzilla is saying there's 2 counts of Rootkit.win32.Sirefef and Vundo A7

#15 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:04:34 AM

Posted 13 October 2011 - 02:41 PM

Good evening. :)

Will you start by checking that the log wasn't saved as C:\ComboFix.txt. If you don't find it, run ComboFix again and see if you get a log this time.

So long, and thanks for all the fish.
