
Infected with Rootkit: Zero Access from Security Tool 2011 [Also potentially Rootkit: Alureon]


14 replies to this topic

#1 cnote1988

cnote1988

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:01:12 PM

Posted 09 November 2011 - 05:44 AM

I originally received Security Tool 2011 from golf.com.au. It came through svchost.exe.

I found and deleted the .exe and System Restored to before the infection. In safe mode with networking (i.e. without firewall), iexplore.exe was starting by itself and before I picked up on this I believe I was infected with a series of trojans and other nasties. Many of these were picked up by Malwarebytes and SUPERAntiSpyware. I then used Avast! and it picked up a Win32:Cossta and the Alureon Rootkit. The Cossta trojan was cleaned. The rootkit has remained.

MBRCheck diagnosed the MBR Code as being non-normal or infected. Boot_remover identified the code as 'FAKED!'

After cleaning as much as I could with Avast! Boot scans, I attempted to use both MBRCheck and boot_remover to 'fix' the MBR. Neither were able to.

My next step was to download aswMBR.exe but it would not run. I then attempted to download GMER but the options were greyed out. I then downloaded TDSSKiller which detected 1 Rootkit which I 'cured' and 1 locked file which was 'skipped'. A log is provided below.

This allowed me to access aswMBR.exe which I ran, and posted the log below. After this I ran ComboFix (sorry!!) which said I had Rootkit: Zero Access. ComboFix rebooted and successfully went through all its 'stages'. The ComboFix log is provided below. Interestingly, I had uninstalled all my Anti-Virus software prior to running ComboFix, except for Malware Anti-bytes, but ComboFix reported that an instance of Avast! was running. I searched my program for 'Avast' and it picked up multiple empty folders. I clicked through regardless and ComboFix ran without error.

I then used aswMBR.exe to 'Fix' the MBR Code. It said the fix was successful, but after scanning again the problems it had identified remain. An aswMBR.exe log is provided below.

I then decided to make a post here, and made a DDS log. The DDS log is pasted below, and the DDS 'Attach' is provided.

When I tried to run GMER it 'stopped working'. I then attempted to run it again and I got the BSOD. I rebooted and tried to run it again and got the 'stopped working' error. A screenshot has been provided below.

NOTE: Everything in the above has occurred in SAFE MODE, except the ComboFix process which was run in SAFE MODE with networking.


This is the current state of events. I am posting this not on my infected computer because I am terrified of losing personal info and passwords if I use the net on it.

What I am after is how best to proceed. The logs (particularly aswMBR and ComboFix) show the nasties hanging around.

Thank you very much.

--

.
DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 8.0.6001.19088 BrowserJavaVersion: 1.6.0_23
Run by Chris at 20:03:09 on 2011-11-09
Microsoft® Windows Vista™ Business 6.0.6001.1.1252.61.1033.18.1978.1329 [GMT 10:00]
.
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
AV: Microsoft Security Essentials *Disabled/Outdated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Microsoft Security Essentials *Disabled/Outdated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\explorer.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [NetLimiter] c:\program files\netlimiter\NetLimiter.exe /s
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~1\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
LSP: c:\program files\netlimiter\nl_lsp.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 130.102.128.43 130.102.2.15 203.15.35.15
TCP: Interfaces\{09ECDA66-C534-4F16-AEEE-AE35E34CA08F} : DhcpNameServer = 203.21.112.40 203.21.113.40
TCP: Interfaces\{486EE369-2BF6-456C-B2C0-CA961BC1F1D6} : DhcpNameServer = 203.21.113.40 203.21.112.40
TCP: Interfaces\{5810A031-BBFC-49B1-BFC7-14C8149BC8E4} : DhcpNameServer = 202.124.65.22 202.124.65.18
TCP: Interfaces\{A5155108-A98D-48FE-9F45-CEDEB9F9A53E} : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{DC821841-4E75-4DC3-A06A-4C4278113E1F} : DhcpNameServer = 130.102.128.43 130.102.2.15 203.15.35.15
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\chris\appdata\roaming\mozilla\firefox\profiles\bt93i9c5.default\
FF - prefs.js: browser.startup.homepage - www.google.com.au
FF - prefs.js: network.proxy.type - 0
.
============= SERVICES / DRIVERS ===============
.
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y6032.sys [2009-2-27 224384]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2008-11-17 3668480]
R3 SFEP;Sony Firmware Extension Parser;c:\windows\system32\drivers\SFEP.sys [2009-2-27 9344]
R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [2009-2-27 14720]
S1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-11-2 366152]
S2 RtkAudioService;Realtek Audio Service;c:\windows\RTKAUDIOSERVICE.EXE [2009-2-27 98304]
S2 VAIO Power Management;VAIO Power Management;c:\program files\sony\vaio power management\SPMService.exe [2009-2-27 411488]
S2 VMCService;Vodafone Mobile Connect Service;c:\program files\vodafone\vodafone mobile connect\bin\VMCService.exe [2009-7-3 9216]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2009-2-27 28464]
S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [2010-3-1 112128]
S3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\drivers\ewusbfake.sys [2010-3-1 102912]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-11-2 22216]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-10-24 43392]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 54144]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2010-11-11 206360]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2008-1-21 16896]
S3 WSDScan;WSD Scan Support via UMB;c:\windows\system32\drivers\WSDScan.sys [2008-1-21 19968]
.
=============== Created Last 30 ================
.
2011-11-09 09:27:31 -------- d-sh--w- C:\$RECYCLE.BIN
2011-11-09 09:27:27 -------- d-----w- c:\users\chris\appdata\local\temp
2011-11-09 09:16:22 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{caf51567-1348-4149-af5f-b920474d2ec4}\offreg.dll
2011-11-09 09:16:17 56200 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{bac22f4c-e833-4cdc-9edc-3e42d5f2ebe3}\offreg.dll
2011-11-09 08:55:09 98816 ----a-w- c:\windows\sed.exe
2011-11-09 08:55:09 518144 ----a-w- c:\windows\SWREG.exe
2011-11-09 08:55:09 256000 ----a-w- c:\windows\PEV.exe
2011-11-09 08:55:09 208896 ----a-w- c:\windows\MBR.exe
2011-11-09 08:55:04 -------- d-----w- C:\ComboFix
2011-11-06 10:39:55 -------- d-----w- c:\programdata\AVAST Software
2011-11-04 04:15:04 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-11-04 04:15:04 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-11-04 00:56:50 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-11-03 05:25:50 6668624 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{caf51567-1348-4149-af5f-b920474d2ec4}\mpengine.dll
2011-11-02 11:18:56 -------- d-----w- c:\users\chris\appdata\roaming\Malwarebytes
2011-11-02 11:18:41 -------- d-----w- c:\programdata\Malwarebytes
2011-11-02 11:18:37 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-02 11:18:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-02 10:49:38 6668624 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{bac22f4c-e833-4cdc-9edc-3e42d5f2ebe3}\mpengine.dll
.
==================== Find3M ====================
.
2011-09-19 22:29:34 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
============= FINISH: 20:03:17.20 ===============



#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,666 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:12 PM

Posted 14 November 2011 - 05:45 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Step 1: In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/427038 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Step 2: If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 cnote1988


Posted 14 November 2011 - 07:22 AM

I have resisted the temptation of touching anything since I made the first post. All the info from that post is thus still accurate. However, for some reason I was able to successfully run GMER recently. The log is attached below.

I am running Vista Business, and have a 'Reinstallation DVD' (no original full install disc).

Thanks so much!!

The updated DDS log:

.
DDS (Ver_2011-08-26.01) - NTFSx86 MINIMAL
Internet Explorer: 8.0.6001.19088 BrowserJavaVersion: 1.6.0_23
Run by Chris at 21:23:31 on 2011-11-14
Microsoft® Windows Vista™ Business 6.0.6001.1.1252.61.1033.18.1978.1483 [GMT 10:00]
.
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
AV: Microsoft Security Essentials *Disabled/Outdated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Microsoft Security Essentials *Disabled/Outdated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\Explorer.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [NetLimiter] c:\program files\netlimiter\NetLimiter.exe /s
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~1\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
LSP: c:\program files\netlimiter\nl_lsp.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 130.102.128.43 130.102.2.15 203.15.35.15
TCP: Interfaces\{09ECDA66-C534-4F16-AEEE-AE35E34CA08F} : DhcpNameServer = 203.21.112.40 203.21.113.40
TCP: Interfaces\{486EE369-2BF6-456C-B2C0-CA961BC1F1D6} : DhcpNameServer = 203.21.113.40 203.21.112.40
TCP: Interfaces\{5810A031-BBFC-49B1-BFC7-14C8149BC8E4} : DhcpNameServer = 202.124.65.22 202.124.65.18
TCP: Interfaces\{A5155108-A98D-48FE-9F45-CEDEB9F9A53E} : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{DC821841-4E75-4DC3-A06A-4C4278113E1F} : DhcpNameServer = 130.102.128.43 130.102.2.15 203.15.35.15
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\chris\appdata\roaming\mozilla\firefox\profiles\bt93i9c5.default\
FF - prefs.js: browser.startup.homepage - www.google.com.au
FF - prefs.js: network.proxy.type - 0
.
============= SERVICES / DRIVERS ===============
.
R3 SFEP;Sony Firmware Extension Parser;c:\windows\system32\drivers\SFEP.sys [2009-2-27 9344]
R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [2009-2-27 14720]
S1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-11-2 366152]
S2 RtkAudioService;Realtek Audio Service;c:\windows\RTKAUDIOSERVICE.EXE [2009-2-27 98304]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2009-2-27 28464]
S3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y6032.sys [2009-2-27 224384]
S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [2010-3-1 112128]
S3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\drivers\ewusbfake.sys [2010-3-1 102912]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-11-2 22216]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-10-24 43392]
S3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2008-11-17 3668480]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 54144]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2010-11-11 206360]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2008-1-21 16896]
S3 WSDScan;WSD Scan Support via UMB;c:\windows\system32\drivers\WSDScan.sys [2008-1-21 19968]
S4 VAIO Power Management;VAIO Power Management;c:\program files\sony\vaio power management\SPMService.exe [2009-2-27 411488]
S4 VMCService;Vodafone Mobile Connect Service;c:\program files\vodafone\vodafone mobile connect\bin\VMCService.exe [2009-7-3 9216]
.
=============== Created Last 30 ================
.
2011-11-14 11:22:28 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{caf51567-1348-4149-af5f-b920474d2ec4}\offreg.dll
2011-11-14 11:22:25 56200 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{bac22f4c-e833-4cdc-9edc-3e42d5f2ebe3}\offreg.dll
2011-11-09 09:27:31 -------- d-sh--w- C:\$RECYCLE.BIN
2011-11-09 09:27:27 -------- d-----w- c:\users\chris\appdata\local\temp
2011-11-09 08:55:09 98816 ----a-w- c:\windows\sed.exe
2011-11-09 08:55:09 518144 ----a-w- c:\windows\SWREG.exe
2011-11-09 08:55:09 256000 ----a-w- c:\windows\PEV.exe
2011-11-09 08:55:09 208896 ----a-w- c:\windows\MBR.exe
2011-11-09 08:55:04 -------- d-----w- C:\ComboFix
2011-11-06 10:39:55 -------- d-----w- c:\programdata\AVAST Software
2011-11-04 04:15:04 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-11-04 04:15:04 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-11-04 00:56:50 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-11-03 05:25:50 6668624 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{caf51567-1348-4149-af5f-b920474d2ec4}\mpengine.dll
2011-11-02 11:18:56 -------- d-----w- c:\users\chris\appdata\roaming\Malwarebytes
2011-11-02 11:18:41 -------- d-----w- c:\programdata\Malwarebytes
2011-11-02 11:18:37 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-02 11:18:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-02 10:49:38 6668624 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{bac22f4c-e833-4cdc-9edc-3e42d5f2ebe3}\mpengine.dll
.
==================== Find3M ====================
.
2011-09-19 22:29:34 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
============= FINISH: 21:25:19.82 ===============

Attached file: ark.log (10.65KB)


#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,113 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:09:12 PM

Posted 14 November 2011 - 12:20 PM

Hello, at this point, what makes you think you still have the Alureon rootkit? As far as I can see TDSSkiller removed it.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft


#5 cnote1988


Posted 14 November 2011 - 05:08 PM

Hi. I wasn't sure what the infections aswMBR picked up are. I know that I have at least one rootkit still going (ZeroAccess), but couldn't say for sure that Alureon had been removed. If it has, that is great but obviously I'm trying to get rid of ZeroAccess now.

#6 Elise


Posted 15 November 2011 - 03:26 AM

Combofix got the ZeroAccess. What actual problems are you still having?

We need to scan the system with this special tool:

* Please download and save:

Junction.zip

* Unzip it and place Junction.exe in the Windows directory (C:\Windows).
* Go to Start => Run... => Copy and paste the following command in the Run box and click OK:

cmd /c junction -s c:\ >log.txt&log.txt& del log.txt

A command window opens starting to scan the system. Wait until a log file opens. Copy and paste the log in your next reply.

regards, Elise




#7 cnote1988


Posted 15 November 2011 - 05:29 AM

I ran the junction tool as requested, a cmd window popped up, but no log was produced after it was finished.


My problem is that aswMBR shows a rootkit infection in my computer:

'18:33:55.680 Service MpNWMon C:\Windows\system32\DRIVERS\MpNWMon.sys **LOCKED** 32
18:33:55.852 Service sptd C:\Windows\System32\Drivers\sptd.sys **LOCKED** 32
18:33:56.476 Modules scanning
18:34:09.143 Disk 0 trace - called modules:
18:34:09.158 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x850151e8]<<
18:34:09.158 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85ba83e8]
18:34:09.174 3 CLASSPNP.SYS[8899c745] -> nt!IofCallDriver -> [0x85a5b918]
18:34:09.174 5 acpi.sys[807b26a0] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x85a54398]
18:34:09.174 \Driver\atapi[0x85a52e70] -> IRP_MJ_CREATE -> 0x850151e8'

The GMER log also shows heaps of locked files and weird .SYS files:

C:\Windows\System32\Drivers\sptd.sys
System32\Drivers\ar7u1m17.SYS
C:\Users\Chris\AppData\Local\Temp\mbr.sys

#8 Elise


Posted 15 November 2011 - 06:12 AM

aswMBR does not show a rootkit, it merely detects your CD emulation software. Run the following tool, then rerun the scan.

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

regards, Elise


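As an added example (not code from the thread or from aswMBR's authors), the following Python triage applies the point Elise makes in #8 to the aswMBR excerpt cnote1988 posted in #7: it extracts the **LOCKED** services and the disk-trace hook, checks whether a known CD-emulation driver (sptd.sys) is loaded to account for the >>UNKNOWN<< module, and reports the trace as clean once that driver is gone. The log text is constructed from the posted lines, the post-DeFogger rescan is an assumed shape, and the driver list and verdict wording are my own.

```python
"""Triage of aswMBR output: is the >>UNKNOWN<< module in the disk trace
explained by a locked CD-emulation driver, or is it an unexplained hook?"""
import re

# Constructed sample modelled on the aswMBR excerpt posted in this thread.
SAMPLE_LOG = """\
18:33:55.680 Service MpNWMon C:\\Windows\\system32\\DRIVERS\\MpNWMon.sys **LOCKED** 32
18:33:55.852 Service sptd C:\\Windows\\System32\\Drivers\\sptd.sys **LOCKED** 32
18:33:56.476 Modules scanning
18:34:09.143 Disk 0 trace - called modules:
18:34:09.158 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x850151e8]<<
18:34:09.158 1 nt!IofCallDriver -> \\Device\\Harddisk0\\DR0[0x85ba83e8]
18:34:09.174 3 CLASSPNP.SYS[8899c745] -> nt!IofCallDriver -> [0x85a5b918]
18:34:09.174 5 acpi.sys[807b26a0] -> nt!IofCallDriver -> \\Device\\Ide\\IdeDeviceP0T0L0-0[0x85a54398]
18:34:09.174 \\Driver\\atapi[0x85a52e70] -> IRP_MJ_CREATE -> 0x850151e8
"""

# Constructed "after DeFogger" rescan: sptd no longer loaded, trace ends in
# a known module, no >>UNKNOWN<< entry. The shape is assumed, not captured.
RESCAN_LOG = """\
18:50:12.100 Service MpNWMon C:\\Windows\\system32\\DRIVERS\\MpNWMon.sys **LOCKED** 32
18:50:13.000 Modules scanning
18:50:20.000 Disk 0 trace - called modules:
18:50:20.010 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll atapi.sys
18:50:20.011 1 nt!IofCallDriver -> \\Device\\Harddisk0\\DR0[0x85ba83e8]
18:50:20.012 \\Driver\\atapi[0x85a52e70] -> IRP_MJ_CREATE -> 0x8a0c1f20
"""

# Drivers that legitimately sit in the disk stack. sptd.sys belongs to the
# CD-emulation software Elise refers to; extend as needed (assumed list).
CD_EMULATION_DRIVERS = {"sptd.sys"}

LOCKED_RE = re.compile(r"^\S+ Service (\S+) (\S+) \*\*LOCKED\*\* \d+$")
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9a-f]+)\]<<", re.IGNORECASE)
IRP_RE = re.compile(r"-> IRP_MJ_CREATE -> (0x[0-9a-f]+)$", re.IGNORECASE)


def parse_locked_services(text):
    """Map service name -> driver path for every line flagged **LOCKED**."""
    locked = {}
    for line in text.splitlines():
        m = LOCKED_RE.match(line.strip())
        if m:
            locked[m.group(1)] = m.group(2)
    return locked


def parse_disk_trace(text):
    """Return (unknown_module_addr, irp_create_target_addr); either may be None."""
    unknown = irp = None
    for line in text.splitlines():
        m = UNKNOWN_RE.search(line)
        if m:
            unknown = m.group(1).lower()
        m = IRP_RE.search(line.strip())
        if m:
            irp = m.group(1).lower()
    return unknown, irp


def triage(text):
    """Combine both parses into a verdict a helper could act on."""
    locked = parse_locked_services(text)
    unknown, irp = parse_disk_trace(text)
    emulation = sorted(
        name for name, path in locked.items()
        if path.rsplit("\\", 1)[-1].lower() in CD_EMULATION_DRIVERS
    )
    result = {
        "locked": locked,
        "unknown_module": unknown,
        "irp_create_target": irp,
        # atapi's IRP_MJ_CREATE handler pointing into the unknown module is
        # what makes this a disk-stack hook rather than a stray trace entry.
        "irp_redirected_to_unknown": unknown is not None and unknown == irp,
        "cd_emulation_locked": emulation,
    }
    if unknown is None:
        result["verdict"] = "clean: no unknown module in the disk trace"
    elif emulation:
        result["verdict"] = ("inconclusive: unknown hook with CD emulation driver(s) "
                             + ", ".join(emulation) + " loaded; disable them and rescan")
    else:
        result["verdict"] = ("suspicious: unknown disk-stack hook with no "
                             "CD emulation driver to explain it")
    return result


if __name__ == "__main__":
    for label, log in (("first scan", SAMPLE_LOG), ("rescan", RESCAN_LOG)):
        print(label, "->", triage(log)["verdict"])
```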


#9 cnote1988


Posted 15 November 2011 - 07:04 AM

Hey Elise, as it turns out the junction process actually did come up with a log. I've been unable to post it as it is 380 KB (and I can't attach it either). Is there a way to get this uploaded?

Edit: I'll try with defogger to see if that reduces the size of the log produced

Edit 2: After running defogger, it looks like it has produced an identical log (380KB). I've zipped it and attached it.

Attached file: log.zip (6.51KB)

Edited by cnote1988, 15 November 2011 - 07:24 AM.


#10 Elise


Posted 15 November 2011 - 07:33 AM

Junction's log indicates no problem.

And I meant, rerun aswMBR after Defogger, not junction. :)

regards, Elise




#11 cnote1988


Posted 15 November 2011 - 08:23 AM

Ah ok.

Here's the aswMBR log.

Does it matter that I'm doing all this in safe mode? Is there going to be stuff that's going to only start up in normal mode?


#12 Elise


Posted 15 November 2011 - 08:51 AM

For an MBR scan it really doesn't matter where you run it from; rootkits are active in both modes.

Do you have any problem left?

regards, Elise




#13 cnote1988


Posted 16 November 2011 - 06:38 AM

Hi Elise. Thanks so much for your help, it looks like I'm fine at the moment.

Just one last question: when I'm trying to use JavaRa to do a complete uninstall of Java, I get the following error messages:

There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-ABCDEFFDCBA}. The error returned was 124.
There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0001-ABCDEFFDCBA}. The error returned was 124.
There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0002-ABCDEFFDCBA}. The error returned was 124.
There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0003-ABCDEFFDCBA}. The error returned was 124.
There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0004-ABCDEFFDCBA}. The error returned was 124.
There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0005-ABCDEFFDCBA}. The error returned was 124.
There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0006-ABCDEFFDCBA}. The error returned was 124.
There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0007-ABCDEFFDCBA}. The error returned was 124.
There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0008-ABCDEFFDCBA}. The error returned was 124.
There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0009-ABCDEFFDCBA}. The error returned was 124.
There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0010-ABCDEFFDCBA}. The error returned was 124.
There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0011-ABCDEFFDCBA}. The error returned was 124.
There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0012-ABCDEFFDCBA}. The error returned was 124.
There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0013-ABCDEFFDCBA}. The error returned was 124.
There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0014-ABCDEFFDCBA}. The error returned was 124.
There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0015-ABCDEFFDCBA}. The error returned was 124.
There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0016-ABCDEFFDCBA}. The error returned was 124.
There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0017-ABCDEFFDCBA}. The error returned was 124.
There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0018-ABCDEFFDCBA}. The error returned was 124.
There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0019-ABCDEFFDCBA}. The error returned was 124.
There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0020-ABCDEFFDCBA}. The error returned was 124.
There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0021-ABCDEFFDCBA}. The error returned was 124.
There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0022-ABCDEFFDCBA}. The error returned was 124.

Is there any way I can get around this? I really want to completely clean Java off my computer so that I can re-install the latest version.

Thanks!!

#14 Elise


Posted 16 November 2011 - 07:15 AM

No need to remove that, it is related to a Java mozilla add-on. You can safely install the latest version this way.

regards, Elise




#15 Elise


Posted 22 November 2011 - 06:53 AM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

regards, Elise






