
Malware Removal Log


  • This topic is locked
1 reply to this topic

#1 Guest_Ryan Ziegler_*

  • Guests

Posted 11 October 2011 - 12:47 PM

Hello all,

I have a problem on a friend's computer. I am usually pretty good at "rooting out" malware and recovering -- pun intended -- but unfortunately this one is beyond me. I was able to get AVAST installed on the machine and run a scan, but it crashed out when it got to what I believe is a rootkit. Although the malware blocked Avast eventually, Avast was able to schedule a scan on reboot... this scan successfully discovered and deleted the first two of the following three discoveries:

Min32:MalOB-EM [Cryp]
Java:Agent-KN[Expl]
Win32:Sirefef-O[Rtk]

I think Sirefef-O is the big problem; even on the reboot scan the computer crashed when deleting the infected Sirefef-O file. I also think it is hidden/buried in the RECYCLER part of the C: drive.

The network and several services are disabled on the computer with the problem in both safemode with networking, and normal mode.

Malwarebytes, Avast, and HijackThis all run and were blocked upon discovery of the malware. I am no longer able to run, rename, copy, or delete these anti-malware files or the folders in which they reside. Even as Administrator, I do not have permission: "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."


I have run Defogger, dds.scr, and GMER as Administrator in safemode with networking... the log files are posted below.

Thank you for any assistance you can provide on this issue.


DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
Run by Administrator at 10:03:58 on 2011-10-11
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
FW: Norton Internet Worm Protection *Disabled*
.
============== Running Processes ===============
.
.
============== Pseudo HJT Report ===============
.
uStart Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4070102
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4070102
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\avast\aswWebRepIE.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\avast\aswWebRepIE.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [avast] "c:\avast\avastUI.exe" /nogui
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: mswsock.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{7A0847E7-6300-4BA1-908C-63E590D72A98} : DhcpNameServer = 24.94.163.100 24.94.163.101
TCP: Interfaces\{98E45DD7-1690-4978-9012-A2EB0451B265} : DhcpNameServer = 65.24.7.10 65.24.7.11
TCP: Interfaces\{CBD80DE0-23F9-494C-A2BA-8099A3B8A905} : DhcpNameServer = 192.168.1.1
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath -
.
============= SERVICES / DRIVERS ===============
.
.
=============== Created Last 30 ================
.
2011-10-11 14:17:29 -------- d-sh--w- C:\found.000
2011-10-10 22:31:32 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2011-10-10 22:31:32 57600 ----a-w- c:\windows\system32\dllcache\redbook.sys
2011-10-10 16:27:30 442200 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-10-10 16:26:27 41184 ----a-w- c:\windows\avastSS.scr
2011-10-10 16:25:51 -------- d-----w- c:\documents and settings\all users\application data\AVAST Software
2011-10-10 16:25:51 -------- d-----w- C:\AVAST
2011-10-06 14:36:23 243072 ----a-w- C:\Psinfo.exe
2011-10-06 14:36:23 234536 ----a-w- C:\psexec.exe
2011-10-06 14:36:23 207664 ----a-w- C:\psshutdown.exe
2011-10-06 14:36:23 187184 ----a-w- C:\pssuspend.exe
2011-10-06 14:36:23 187184 ----a-w- C:\pskill.exe
2011-10-06 14:36:23 187184 ----a-w- C:\psgetsid.exe
2011-10-06 14:36:23 125744 ----a-w- C:\pslist.exe
2011-10-06 14:36:23 113456 ----a-w- C:\psloglist.exe
2011-10-06 14:36:23 107560 ----a-w- C:\psservice.exe
2011-10-06 14:36:23 105264 ----a-w- C:\pspasswd.exe
2011-10-06 14:36:23 105264 ----a-w- C:\psloggedon.exe
2011-10-06 14:36:23 105264 ----a-w- C:\psfile.exe
2011-10-05 22:41:57 -------- d-sh--w- c:\documents and settings\administrator\PrivacIE
2011-09-21 15:16:08 476904 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2011-09-19 16:13:20 7152464 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{4d42ab71-dc21-434d-a1b2-8fc1f799ddbc}\mpengine.dll
.
==================== Find3M ====================
.
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
.
============= FINISH: 10:04:56.60 ===============


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-10-11 12:42:48
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD800JD-75MSA3 rev.10.01E04
Running: v.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pxtdqpow.sys


---- Kernel code sections - GMER 1.0.15 ----

? C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Tcp aswRdr.SYS (avast! TDI RDR Driver/AVAST Software)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Files - GMER 1.0.15 ----

ADS C:\RECYCLER\S-1-5-21-1546796425-2998649175-3168545596-500\Dc1.DELETE:244571244.exe 784 bytes executable
File C:\WINDOWS\$NtUninstallKB11520$\4050396051 0 bytes
File C:\WINDOWS\$NtUninstallKB11520$\4050396051\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB11520$\4050396051\bckfg.tmp 840 bytes
File C:\WINDOWS\$NtUninstallKB11520$\4050396051\cfg.ini 359 bytes
File C:\WINDOWS\$NtUninstallKB11520$\4050396051\Desktop.ini 4608 bytes
File C:\WINDOWS\$NtUninstallKB11520$\4050396051\keywords 0 bytes
File C:\WINDOWS\$NtUninstallKB11520$\4050396051\kwrd.dll 208896 bytes
File C:\WINDOWS\$NtUninstallKB11520$\4050396051\L 0 bytes
File C:\WINDOWS\$NtUninstallKB11520$\4050396051\L\pdmzmplg 57600 bytes
File C:\WINDOWS\$NtUninstallKB11520$\4050396051\lsflt7.ver 5176 bytes
File C:\WINDOWS\$NtUninstallKB11520$\4050396051\U 0 bytes
File C:\WINDOWS\$NtUninstallKB11520$\4050396051\U\00000001.@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB11520$\4050396051\U\00000002.@ 209920 bytes
File C:\WINDOWS\$NtUninstallKB11520$\4050396051\U\80000000.@ 2560 bytes
File C:\WINDOWS\$NtUninstallKB11520$\4050396051\U\80000032.@ 71168 bytes
File C:\WINDOWS\$NtUninstallKB11520$\4097445599 0 bytes
ADS C:\WINDOWS\2468572401:244571244.exe 784 bytes executable <-- ROOTKIT !!!
ADS C:\WINDOWS\2468572401.txt:244571244.exe 784 bytes executable

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\2468572401:244571244.exe [MANUAL] f16c2393 <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----


Thank you, Thank you, Thank you!

Attached Files
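The GMER log above is what makes this thread useful to a defender: the "Files" section lists alternate data streams (ADS) whose stream name is an executable, and the "Services" section shows a service whose image path points into one of those streams. The following parser is an added example, not part of the original post or of GMER itself; it reads GMER-style "Files" and "Services" lines, flags ADS entries that carry executable content, flags services loaded from a stream, and carries through GMER's own "<-- ROOTKIT" markers. The sample log is constructed from the paths posted above, and the regexes are assumptions about the line format shown, not GMER's documented grammar.

```python
import re
from dataclasses import dataclass

# Constructed excerpt in the shape of the GMER "Files" and "Services" sections.
# The paths are copied from the log posted above; everything else is sample data.
SAMPLE_GMER_LOG = r"""
---- Files - GMER 1.0.15 ----

ADS C:\RECYCLER\S-1-5-21-1546796425-2998649175-3168545596-500\Dc1.DELETE:244571244.exe 784 bytes executable
File C:\WINDOWS\$NtUninstallKB11520$\4050396051\kwrd.dll 208896 bytes
File C:\WINDOWS\$NtUninstallKB11520$\4050396051\U\80000032.@ 71168 bytes
ADS C:\WINDOWS\2468572401:244571244.exe 784 bytes executable <-- ROOTKIT !!!
ADS C:\WINDOWS\2468572401.txt:244571244.exe 784 bytes executable

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\2468572401:244571244.exe [MANUAL] f16c2393 <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----
"""


@dataclass
class Finding:
    kind: str    # "ads-executable", "ads", "service-in-stream" or "gmer-rootkit-marker"
    path: str
    detail: str


# Assumed line shapes, taken from the log above:
#   "ADS <path> <size> bytes <flags...>"   /   "File <path> <size> bytes"
#   "Service <image path> [<start type>] <id> <marker...>"
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")
FILE_RE = re.compile(r"^(ADS|File)\s+(?P<path>.+?)\s+(?P<size>\d+)\s+bytes(?P<rest>.*)$")
SVC_RE = re.compile(r"^Service\s+(?P<path>.+?)\s+\[(?P<start>[A-Z]+)\]\s+(?P<id>\S+)(?P<rest>.*)$")


def stream_name(path):
    """Return the ADS stream name if the path addresses an alternate data stream, else None.

    The drive-letter colon is skipped so that C:\\WINDOWS\\foo is not mistaken for a stream.
    """
    m = DRIVE_RE.match(path)
    tail = path[m.end():] if m else path
    if ":" not in tail:
        return None
    return tail.rsplit(":", 1)[1]


def analyze_gmer(text):
    """Walk GMER 'Files'/'Services' lines and return the entries a responder should look at."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("----"):
            continue                      # blank line or section header
        m = FILE_RE.match(line)
        if m:
            kind, path, rest = m.group(1), m.group("path"), m.group("rest")
            if "ROOTKIT" in rest:
                findings.append(Finding("gmer-rootkit-marker", path, "GMER itself flagged this entry"))
            stream = stream_name(path)
            if kind == "ADS" and stream is not None:
                if "executable" in rest or stream.lower().endswith(".exe"):
                    findings.append(Finding("ads-executable", path,
                                            f"executable hidden in stream '{stream}' ({m.group('size')} bytes)"))
                else:
                    findings.append(Finding("ads", path, f"alternate data stream '{stream}'"))
            continue
        m = SVC_RE.match(line)
        if m:
            path, rest = m.group("path"), m.group("rest")
            if "ROOTKIT" in rest:
                findings.append(Finding("gmer-rootkit-marker", path, "GMER itself flagged this service"))
            if stream_name(path) is not None:
                findings.append(Finding("service-in-stream", path,
                                        f"service image lives in an ADS, start type {m.group('start')}"))
    return findings


def count_by_kind(findings):
    """Summarise findings as {kind: count} for a quick triage overview."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in analyze_gmer(SAMPLE_GMER_LOG):
        print(f"[{f.kind}] {f.path}: {f.detail}")
```

On the sample above this reports three executable streams, one service loaded from a stream and two entries GMER marked itself; a normal XP system should produce no "ads-executable" or "service-in-stream" findings at all, so any hit in those two classes is worth a closer look before attempting removal.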




#2 boopme

  • Global Moderator
  • 73,569 posts

Posted 12 October 2011 - 01:23 PM

Has working AII topic here they requested to stay in.

http://www.bleepingcomputer.com/forums/topic423180.html/page__gopid__2438671#entry2438671