Rootkit Malware, Blue screen of death & DDS logs


This topic is locked
60 replies to this topic

#1 WMichaelH (Members, 32 posts)

Posted 11 December 2011 - 02:30 PM

Hi,

I followed the instructions in "Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help Instructions for receiving help in cleaning your computer".

I successfully ran and saved two DDS files. Then, during the GMER process, my wife disconnected my laptop and closed it. GMER was interrupted prior to completion and saving the log. When I turned on the PC, it crashes during start up. It gives me the blue screen and advises me to seek additional help. I can only boot in safe mode now. In safe mode I tried running the GMER program, and it scanned fine for a couple of hours. It completed the scan and indicated it had found rootkit malware. However, the 640x480 resolution in safe mode will not allow the GMER interface to fully fit within the screen, hence I can not see or reach the save button to create the GMER log file. I tried tabbing to toggle between button commands, but that didn't work. I also tried Control-S and Alt-S, but those didn't work either. I tried rebooting the PC several more times in regular mode, but could not get past the blue screen. Please advise on how to proceed from safe mode.

Below is the DDS log:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_29
Run by Wassim Hajar at 18:18:31 on 2011-12-09
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.251 [GMT -8:00]
.
AV: Norton Internet Security *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://isearch.avg.com/?cid={97A0059B-CD33-44CA-8A6D-0DA55100DCC1}&mid=5c5524cc142247d1b1bfd159803636f6-6ce5ffc420200814d6df155cd569fdffce15292d&lang=en&ds=ins10&pr=&d=2011-12-08 20:41:30&v=8.0.0.34&sap=hp
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
uWindow Title = Windows Internet Explorer provided by MSN & Bing
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Norton Identity Protection: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\19.2.0.10\coIEPlg.dll
BHO: Norton Vulnerability Protection: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\19.2.0.10\ips\IPSBHO.DLL
BHO: AOL Toolbar Launcher: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol\aol toolbar 5.0\aoltb.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\8.0.0.34\AVG Secure Search_toolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7018.1622\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aol toolbar 5.0\aoltb.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\19.2.0.10\coIEPlg.dll
TB: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\8.0.0.34\AVG Secure Search_toolbar.dll
{e7df6bff-55a5-4eb7-a673-4ed3e9456d39}
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [LogitechSoftwareUpdate] "c:\program files\logitech\video\ManifestEngine.exe" boot
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [EPSON WorkForce 600(Network)] c:\windows\system32\spool\drivers\w32x86\3\e_fatieka.exe /fu "c:\windows\temp\E_S85.tmp" /EF "HKCU"
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Auto EPSON WorkForce 600(Network) on RIHAMZEIN] c:\windows\system32\spool\drivers\w32x86\3\e_fatieka.exe /fu "c:\windows\temp\E_S3A.tmp" /EF "HKCU"
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [IntelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
mRun: [AOLDialer] c:\program files\common files\aol\acs\AOLDial.exe
mRun: [HostManager] c:\program files\common files\aol\1171177749\ee\AOLSoftware.exe
mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE
mRun: [LogitechVideoRepair] c:\program files\logitech\video\ISStart.exe
mRun: [LogitechVideoTray] c:\program files\logitech\video\LogiTray.exe
mRun: [EEventManager] c:\progra~1\epsons~1\eventm~1\EEventManager.exe
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [Apoint] c:\program files\apoint\Apoint.exe
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-us\local\search.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\program files\yahoo!\messenger\YahooMessenger.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aol toolbar 5.0\aoltb.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
LSP: mswsock.dll
Trusted Zone: internet
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}
DPF: {62789780-B744-11D0-986B-00609731A21D} - hxxp://navigatela.lacity.org/download/mgaxctrl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1140572300147
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389}
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {F281A59C-7B65-11D3-8617-0010830243BD} - file://c:\program files\autocad lt 2002\AcPreview.ocx
TCP: Interfaces\{8C91146F-86D6-41E3-BE62-A1F505690E85} : DhcpNameServer = 192.168.0.1
Handler: jpip - {B92DD248-E3D5-4A92-B311-C9B841681455} - c:\program files\lizardtech\express view\expressview.dll
Handler: sidlet - {B92DD248-E3D5-4A92-B311-C9B841681455} - c:\program files\lizardtech\express view\expressview.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\8.0.1\ViProtocol.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\wassim hajar\application data\mozilla\firefox\profiles\xfc1m590.default\
FF - prefs.js: browser.search.selectedEngine - AOL Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en&source=iglk
FF - prefs.js: keyword.URL - hxxp://aolsearch.aol.com/aol/search?invocationType=client_searchbox&query=
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true);user_pref(yahoo.ytff.general.dontshowhpoffer, true
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1302000.00a\symds.sys [2011-12-8 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1302000.00a\symefa.sys [2011-12-8 897656]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_19.1.0.28\definitions\bashdefs\20111123.001\BHDrvx86.sys [2011-11-23 819320]
R1 ccSet_NIS;Norton Internet Security Settings Manager;c:\windows\system32\drivers\nis\1302000.00a\ccsetx86.sys [2011-12-8 132744]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1302000.00a\ironx86.sys [2011-12-8 149624]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\19.2.0.10\ccsvchst.exe [2011-12-8 138760]
R2 vToolbarUpdater;vToolbarUpdater;c:\program files\common files\avg secure search\vtoolbarupdater\8.0.1\ToolbarUpdater.exe [2011-12-8 246600]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-12-8 106104]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_19.1.0.28\definitions\ipsdefs\20111208.001\IDSXpx86.sys [2011-12-9 356280]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_19.1.0.28\definitions\virusdefs\20111209.003\NAVENG.SYS [2011-12-9 86136]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_19.1.0.28\definitions\virusdefs\20111209.003\NAVEX15.SYS [2011-12-9 1576312]
S2 gupdate1c98102bb0e0c2c;Google Update Service (gupdate1c98102bb0e0c2c);c:\program files\google\update\GoogleUpdate.exe [2009-1-27 133104]
S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S2 MCVSRte;MCVSRte; [x]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-1-27 133104]
.
=============== File Associations ===============
.
.scr=AutoCADLTScriptFile
.
=============== Created Last 30 ================
.
2011-12-10 01:43:57 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\{ac4149d1-8785-4c56-9ca9-76893646a74f}\offreg.dll
2011-12-09 15:55:08 -------- d-----w- c:\windows\pss
2011-12-09 15:13:40 2321288 ----a-w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\backup\mpengine.dll
2011-12-09 15:13:26 6823496 ----a-w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\{ac4149d1-8785-4c56-9ca9-76893646a74f}\mpengine.dll
2011-12-09 15:13:21 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-12-09 04:53:33 2 --shatr- c:\windows\winstart.bat
2011-12-09 04:53:12 -------- d-----w- c:\program files\UnHackMe
2011-12-09 04:41:31 -------- d-----w- c:\documents and settings\wassim hajar\application data\AVG Secure Search
2011-12-09 04:41:24 -------- d-----w- c:\program files\common files\AVG Secure Search
2011-12-09 04:41:23 -------- d-----w- c:\program files\AVG Secure Search
2011-12-09 04:41:17 -------- d--h--w- c:\documents and settings\all users\application data\Common Files
2011-12-08 23:04:13 -------- d-----w- c:\documents and settings\wassim hajar\local settings\application data\NPE
2011-12-08 20:55:31 -------- d-----w- c:\documents and settings\wassim hajar\application data\Curiolab
2011-12-08 20:36:31 -------- d-----w- c:\documents and settings\wassim hajar\application data\GetRightToGo
2011-12-08 19:36:25 344184 ----a-w- c:\windows\system32\drivers\nis\1302000.00a\symtdiv.sys
2011-12-08 19:36:24 387192 ----a-w- c:\windows\system32\drivers\nis\1302000.00a\symtdi.sys
2011-12-08 19:36:24 314488 ----a-w- c:\windows\system32\drivers\nis\1302000.00a\symnets.sys
2011-12-08 19:36:23 897656 ----a-w- c:\windows\system32\drivers\nis\1302000.00a\symefa.sys
2011-12-08 19:36:23 566904 ----a-w- c:\windows\system32\drivers\nis\1302000.00a\srtsp.sys
2011-12-08 19:36:23 340088 ----a-r- c:\windows\system32\drivers\nis\1302000.00a\symds.sys
2011-12-08 19:36:23 31864 ----a-w- c:\windows\system32\drivers\nis\1302000.00a\srtspx.sys
2011-12-08 19:36:22 149624 ----a-w- c:\windows\system32\drivers\nis\1302000.00a\ironx86.sys
2011-12-08 19:36:22 132744 ----a-w- c:\windows\system32\drivers\nis\1302000.00a\ccsetx86.sys
2011-12-08 19:35:01 -------- d-----w- c:\windows\system32\drivers\nis\1302000.00A
2011-12-08 18:20:04 -------- d-----w- c:\documents and settings\wassim hajar\application data\SPE
2011-12-08 15:12:00 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-12-08 15:12:00 127096 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-12-08 15:11:59 -------- d-----w- c:\program files\Symantec
2011-12-08 15:11:59 -------- d-----w- c:\program files\common files\Symantec Shared
2011-12-08 15:10:13 -------- d-----w- c:\windows\system32\drivers\NIS
2011-12-08 15:10:10 -------- d-----w- c:\program files\Norton Internet Security
2011-12-08 15:10:06 -------- d-----w- c:\documents and settings\all users\application data\Norton
2011-12-08 15:09:44 -------- d-----w- c:\program files\NortonInstaller
2011-12-08 15:09:44 -------- d-----w- c:\documents and settings\all users\application data\NortonInstaller
2011-12-07 11:51:33 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-12-07 11:51:33 -------- d-----w- c:\windows\system32\wbem\Repository
2011-12-06 14:56:10 130560 --sha-w- c:\windows\system32\E61E28C5-D31F-E265-6FFF-32B887196B77.avi
2011-12-06 14:56:10 130560 --sha-w- c:\documents and settings\all users\application data\E61E28C5-D31F-E265-6FFF-32B887196B77.avi
.
==================== Find3M ====================
.
2011-12-08 19:50:04 23624 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-10-15 23:24:26 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-03 13:06:03 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-10-03 10:37:52 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 18:41:20 611328 ------w- c:\windows\system32\uiautomationcore.dll
2011-09-26 18:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 18:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
.
============= FINISH: 18:20:14.67 ===============
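The entries that get targeted later in this thread (c:\windows\winstart.bat and the two GUID-named .avi files) stand out in the "Created Last 30" section by their attribute column: they are the only plain files carrying both the system and hidden flags. The script below is an added example, not part of the thread and not code from the DDS tool; it parses those log lines and applies two triage heuristics. The positional meaning of the eight-character attribute field (directory, system, hidden, archive, temporary, read-only/writable) is inferred from the entries in the log above and is an assumption, not documented DDS behaviour. The sample lines are copied from that log.

```python
"""Triage the 'Created Last 30' / 'Find3M' sections of a DDS log.

Added example; not part of the DDS tool or the original post. The column
layout of the attribute field (d, system, hidden, archive, temporary,
read-only/writable) is inferred from the entries in the log above and is an
assumption, not documented DDS behaviour.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# 2011-12-06 14:56:10 130560 --sha-w- c:\windows\system32\E61E28C5-....avi
# Directory entries carry '--------' in the size column and 'd' as first attr.
DDS_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[a-z-]{8}) (?P<path>.+?)\s*$"
)
# A bare GUID used as a file name, with or without braces.
GUID_STEM = re.compile(r"^\{?[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$", re.I)


@dataclass
class DdsEntry:
    date: str
    time: str
    size: Optional[int]   # None for directories
    attrs: str            # the raw 8-character attribute field
    path: str             # lower-cased, as DDS prints it

    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"

    @property
    def is_system(self) -> bool:   # assumed position of the 's' flag
        return self.attrs[2] == "s"

    @property
    def is_hidden(self) -> bool:   # assumed position of the 'h' flag
        return self.attrs[3] == "h"

    @property
    def basename(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


def parse_dds_entries(text: str) -> List[DdsEntry]:
    """Parse every file/directory line; skip headers and '.' separators."""
    entries = []
    for line in text.splitlines():
        m = DDS_LINE.match(line.strip())
        if not m:
            continue
        size = int(m["size"]) if m["size"].isdigit() else None
        entries.append(DdsEntry(m["date"], m["time"], size, m["attrs"], m["path"].lower()))
    return entries


def suspicious_entries(entries: List[DdsEntry]) -> List[Tuple[DdsEntry, List[str]]]:
    """Return (entry, reasons) for files worth a second look.

    Heuristic 1: a file (not a directory) with both system and hidden set,
    which ordinary user-level files rarely carry.
    Heuristic 2: a file whose name is a bare GUID, a naming pattern often
    used for dropped payloads.
    """
    flagged = []
    for e in entries:
        if e.is_dir:
            continue
        reasons = []
        if e.is_system and e.is_hidden:
            reasons.append("system+hidden file")
        if GUID_STEM.match(e.basename.rsplit(".", 1)[0]):
            reasons.append("GUID-named file")
        if reasons:
            flagged.append((e, reasons))
    return flagged


# Constructed sample: lines copied from the DDS log in the post above.
SAMPLE_LOG = """\
=============== Created Last 30 ================
.
2011-12-09 15:13:21 222080 ------w- c:\\windows\\system32\\MpSigStub.exe
2011-12-09 04:53:33 2 --shatr- c:\\windows\\winstart.bat
2011-12-09 04:53:12 -------- d-----w- c:\\program files\\UnHackMe
2011-12-09 04:41:17 -------- d--h--w- c:\\documents and settings\\all users\\application data\\Common Files
2011-12-06 14:56:10 130560 --sha-w- c:\\windows\\system32\\E61E28C5-D31F-E265-6FFF-32B887196B77.avi
2011-12-06 14:56:10 130560 --sha-w- c:\\documents and settings\\all users\\application data\\E61E28C5-D31F-E265-6FFF-32B887196B77.avi
.
==================== Find3M ====================
.
2011-12-08 19:50:04 23624 ----a-w- c:\\windows\\system32\\drivers\\hitmanpro35.sys
"""


def triage(text: str = SAMPLE_LOG) -> List[Tuple[str, List[str]]]:
    """Convenience wrapper: (path, reasons) for each flagged entry, in log order."""
    return [(e.path, r) for e, r in suspicious_entries(parse_dds_entries(text))]


if __name__ == "__main__":
    for path, reasons in triage():
        print(f"{', '.join(reasons):36} {path}")
```

Run against the sample it reports three entries: winstart.bat (system+hidden) and the two .avi files (system+hidden and GUID-named). The hidden-only Common Files directory and the normal driver and signature-stub files are not reported; the point of the attribute check is that two flags together are rare for legitimate files, whereas either alone is common.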


#2 etavares (Bleepin' Remover, Malware Response Team, 15,514 posts)

Posted 17 December 2011 - 07:16 AM

Welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Please also continue to work with me until I give you the all clear. Even if your computer appears to act better, you may still be infected.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

Once we start working together, please reply back within 3 days or this thread may be closed so we can help others who are waiting.

We need to create an OTL report,
  • Please download OTL from this link.
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in:

    netsvcs
    msconfig
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.sys /90
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\system32\*.exe /lockedfiles
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\*
    %USERPROFILE%\..|smtmp;true;true;true /FP
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    hklm\software\clients\startmenuinternet|command /rs
    hklm\software\clients\startmenuinternet|command /64 /rs
    CREATERESTOREPOINT
  • Click the Quick Scan button.
  • The scan should take a few minutes.
  • Please copy and paste both logs in your reply.

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Since you're having issues with GMER, please do NOT select "Devices" as shown in the instructions...that often allows it to run.

In your reply, please post both OTL logs and the GMER log.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.



#3 WMichaelH (Topic Starter)

Posted 17 December 2011 - 06:51 PM

Hi, and thank you for your reply and assistance!

I completed the OTL & GMER scans, and am attaching the logs here. My laptop is reporting rootkit malware activity on Norton antivirus. It repeatedly uses the ping command on its own, hijacks my Firefox and Internet Explorer, and redirects me to other pages. I ran the Norton Power Eraser tool and their malware removal tool. Neither was able to deal with the virus.

Please advise on the next step you would like me to perform.

Thanks

Attached File: Extras.Txt (43.38KB)

Edited by WMichaelH, 17 December 2011 - 06:52 PM.


#4 etavares (Malware Response Team)

Posted 18 December 2011 - 05:34 AM

Hello, WMichaelH.
Backdoor Warning
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you do decide to proceed, please continue with the fix below.
Viewpoint (foistware) Warning

I see that Viewpoint is installed. Viewpoint, Viewpoint Manager, Viewpoint Media Player are Viewpoint components which are installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). Viewpoint Manager is responsible for managing and updating Viewpoint Media Player's components. You can disable this using the Viewpoint Manager Control Panel found in the Windows Control Panel menu. By selecting Disable auto-updating for the Viewpoint Manager -- the player will no longer attempt to check for updates. Anything that is installed without your consent is suspect. Read what Viewpoint says and make your own decision.

To provide a satisfying consumer experience and to operate effectively, the Viewpoint Media Player periodically sends information to servers at Viewpoint. Each installation of the Viewpoint Media Player is identifiable to Viewpoint via a Customer Unique Identifier (CUID), an alphanumeric identifier embedded in the Viewpoint Media Player. The Viewpoint Media Player randomly generates the CUID during installation and uses it to indicate a unique installation of the product. A CUID is never connected to a user's name, email address, or other personal contact information. CUIDs are used for the sole purpose of filtering redundant information. Each of these information exchanges occurs anonymously.

Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This may change; read Viewpoint to Plunge Into Adware.

I recommend that you remove the Viewpoint products; however, decide for yourself. To uninstall the Viewpoint components (Viewpoint, Viewpoint Manager, Viewpoint Media Player):

  • Click Start, point to Settings, and then click Control Panel.
  • In Control Panel, double-click Add or Remove Programs.
  • In Add or Remove Programs, highlight >>Viewpoint component<< , click Remove.
  • Do the same for each Viewpoint component.
Trusted Zone Warning

Having trusted sites may not be a good idea. The reason why I say it's not a good idea is that the security settings for the Internet zone are not extremely high, and once you put a site in your trusted zone, basically almost anyone or anything, including hackers or other malicious software, has full access to that site, which can lead to hijacking that site and may even give access to your computer. Are you sure you trust a site to that degree?

It is recommended NOT to have ANY sites in your Trusted Zone unless the site requires it to function properly and you trust it very well. Other than that, it is not necessary for you to add any sites into the trusted zone. If you're not sure, and/or you do not need these in your trusted zone to facilitate access or you did not knowingly permit this access yourself, then please remove those sites from your trusted zone.

They can be accessed in Internet Explorer via Tools>>Internet Options>>Security>>Trusted Zone>>Sites. Remove if there are any there.

Step 1

Next, please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop as etavaresCF.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on etavaresCF.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message asking whether to continue. Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply, along with any symptoms that are present after it runs.

Note: After running Combofix, you may receive an error about "illegal operation on a registry key that has been marked for deletion." If you receive this error, please reboot and it should disappear.

etavares




#5 WMichaelH (Topic Starter)

Posted 18 December 2011 - 06:33 PM

The laptop is no longer able to connect to the internet. I tried resetting the wireless network, and also tried plugging it directly to the router. could not restore connectivity.

Due to the lack of connectivity, Combofix scanned without installing the Windows Recovery Console. During the scan it gave the message that the rootkit malware had inserted itself into the TCP/IP stack. IF there is another way to download the Windows Recovery Console and install it manually, please let me know.

I am ready to proceed to the next step.

Thank you

Attached file: ComboFix.txt (15.84 KB)

#6 WMichaelH (Topic Starter)

Posted 18 December 2011 - 06:44 PM

I also uninstalled Norton Internet Security 2012, in the process of attempting to get around the Windows Firewall that is not running properly.

#7 etavares (Bleepin' Remover, Malware Response Team)

Posted 18 December 2011 - 07:40 PM

Hello, WMichaelH.

OK, you'll have to transfer these via flash drive then.



Step 1

We need to scan the system with this special tool:

* Please download and save:

Junction.zip

* Unzip it and place Junction.exe in the Windows directory (C:\Windows).
* Go to Start => Run... => Copy and paste the following command in the Run box and click OK:

cmd /c junction -s c:\ >log.txt&log.txt& del log.txt

A command window opens starting to scan the system. Wait until a log file opens. Copy and paste the log in your next reply.



Step 2

You can see this tutorial to manually install the recovery console:
How to install and use the Windows XP Recovery Console



Step 3



1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open Notepad and copy/paste the text in the codebox below into Notepad:

REgistry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled"=0
file::
C:\Documents and Settings\NetworkService\Local Settings\Application Data\E61E28C5-D31F-E265-6FFF-32B887196B77.avi
C:\Documents and Settings\NetworkService\Application Data\E61E28C5-D31F-E265-6FFF-32B887196B77.avi
C:\Documents and Settings\All Users\Application Data\E61E28C5-D31F-E265-6FFF-32B887196B77.avi
C:\WINDOWS\winstart.bat
AtJob::

Save this as CFScript.txt, in the same location as ComboFix.exe


Drag CFScript.txt onto ComboFix.exe and drop it.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Note: After running Combofix, you may receive an error about "illegal operation on a registry key that has been marked for deletion." If you receive this error, please reboot and it should disappear.



Step 4

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

etavares


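The junction scan in post #7 lists every reparse point under C:\ and leaves it to the reader to spot the odd ones. As an added example (not part of this thread and not etavares's tool), the PowerShell below does the same enumeration on a current Windows host and flags junctions that sit outside the places Windows itself creates them, or whose target does not resolve. It assumes PowerShell 5.1 or later (for the -Attributes parameter and the LinkType/Target properties) and an elevated prompt; the list of expected locations is an assumption. The XP laptop in this thread would still need Junction.exe.

```powershell
# Added example, not from the thread. Assumes PowerShell 5.1+ and an elevated
# prompt; the list of expected locations below is an assumption.
function Get-ReparsePointReport {
    param(
        [string]$Root = 'C:\',
        # Where Windows itself creates junctions (profile compatibility links and
        # the "Documents and Settings" shim). Anything elsewhere gets flagged.
        [string[]]$ExpectedPrefixes = @(
            'C:\Users', 'C:\ProgramData', 'C:\Documents and Settings',
            'C:\Program Files', 'C:\Program Files (x86)')
    )
    Get-ChildItem -LiteralPath $Root -Recurse -Force -Attributes ReparsePoint -ErrorAction SilentlyContinue |
        ForEach-Object {
            $path   = $_.FullName
            $target = (@($_.Target) -join ';')      # string[] in 5.1, string in 7
            $resolvable = $false
            if ($target) {
                $resolvable = Test-Path -LiteralPath $target -ErrorAction SilentlyContinue
            }
            $expected = $false
            foreach ($prefix in $ExpectedPrefixes) {
                if ($path.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) {
                    $expected = $true
                    break
                }
            }
            [pscustomobject]@{
                Path       = $path
                LinkType   = $_.LinkType            # Junction, SymbolicLink, or empty for other reparse tags
                Target     = $target
                Resolvable = $resolvable
                Suspicious = (-not $expected) -or (-not $resolvable)
            }
        }
}

# Full listing to a log file (the equivalent of "junction -s c:\ >log.txt"),
# then only the flagged entries on screen.
$report = Get-ReparsePointReport -Root 'C:\'
$report | Format-Table -AutoSize | Out-File "$env:SystemDrive\reparse_log.txt" -Width 300
$report | Where-Object Suspicious | Format-Table Path, LinkType, Target, Resolvable -AutoSize
```

A reparse point whose Target is empty or points nowhere is worth opening in an elevated prompt by hand: redirecting a directory to an unreadable or non-existent target is a common way for malware to keep scanners and the user out of its files, which is why the helper asked for the full listing rather than a filtered one.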
 


#8 WMichaelH (Topic Starter)

Posted 18 December 2011 - 10:31 PM

Hi Etavares, the tutorial to manually install the recovery console (How to install and use the Windows XP Recovery Console) does not provide instructions on how to find and download the appropriate version of the Windows XP Recovery Console to a flash drive or burn it to a CD. The instructions install it on the computer you are downloading it to, and as you know my laptop does not have internet connectivity. My operating system CD is XP Media Center Edition 2005 with Update Rollup 2. When I tried to use my CD, it said it could not continue, because MY installed version (Build 2600.xpsp_sp3_gdr.101209-1647: Service Pack 3) is newer than the CD I am attempting to use. Additionally, when the Recovery Console attempts to do a dynamic update, it will not be able to connect to the internet to download the latest files.

What can I do to download the correct version of Windows XP Recovery Console on another computer, and transfer it to the infected laptop?

#9 etavares (Bleepin' Remover, Malware Response Team)

Posted 19 December 2011 - 06:26 AM

We can manually download it from Microsoft since the CD didn't work. Download the tools needed to a flash drive or other removable media, and transfer them to the infected computer.

With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.


Go to Microsoft's website => http://support.microsoft.com/kb/310994

Scroll down to Step 1, and select the download that's appropriate for your Operating System. Download the file & save it as it's originally named.

Note: If you have SP3, use the SP2 package.


---------------------------------------------------------------------

Transfer the file you just downloaded, to the desktop of the infected computer.

--------------------------------------------------------------------


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools



  • Drag the setup package onto ComboFix and drop it.

  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.




  • At the next prompt, click 'Yes' to run the full ComboFix scan.

  • When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt in your next reply.


 


#10 WMichaelH (Topic Starter)

Posted 19 December 2011 - 02:42 PM

Hi,

Sorry but I am stuck in the process of getting the Windows Recovery Console onto the infected laptop. If you would be kind enough to give me more specific instructions on how to get the files needed, and install them on the laptop, it would help me tremendously.

What I encountered in following the previous instructions is as follows:

As instructed I went to Microsoft's website @ http://support.microsoft.com/kb/310994, and downloaded the "Windows XP Home Edition with Service Pack 2 Utility: Setup Disks for Floppy Boot Install" as instructed, burned the file, a single self-extracting cabinet .exe file, onto a CD, and transferred it onto the desktop of the infected laptop. When I double-click on that file (Windows XP Home Edition with Service Pack 2 Utility: Setup Disks for Floppy Boot Install) it prompts asking what the name of the floppy drive is, so that it may copy the information onto 6 floppies. The laptop does not have a floppy drive, and I simply want to install the Recovery Console, but there is NO other option than inputting a floppy drive letter.

Awaiting your specific instructions regarding windows recovery console download / install.

Thank You,

#11 etavares (Bleepin' Remover, Malware Response Team)

Posted 19 December 2011 - 06:11 PM

Please follow the instructions in my previous post. There is no need to double-click on the .exe file; rather, copy it to your desktop and drag it onto ComboFix as shown in my previous post. Please let me know how that goes.


 


#12 WMichaelH (Topic Starter)

Posted 20 December 2011 - 02:03 AM

Thank you for the instructions. I was able to follow them and successfully install the Recovery Console, and complete all the scans.

I am attaching the logs for all three here. ComboFix has 2 logs, one from yesterday (combofix.txt) when it ran without being able to install the Recovery Console, and the other from today (combofix2.txt).

Thank You Again, I feel like I am making progress :)

Attached Files



#13 etavares (Bleepin' Remover, Malware Response Team)

Posted 20 December 2011 - 06:12 AM

Hello, WMichaelH.


Step 1



1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open Notepad and copy/paste the text in the codebox below into Notepad:

REgistry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled"=0
file::
C:\Documents and Settings\NetworkService\Local Settings\Application Data\E61E28C5-D31F-E265-6FFF-32B887196B77.avi
C:\Documents and Settings\NetworkService\Application Data\E61E28C5-D31F-E265-6FFF-32B887196B77.avi
C:\Documents and Settings\All Users\Application Data\E61E28C5-D31F-E265-6FFF-32B887196B77.avi
C:\WINDOWS\winstart.bat
AtJob::
MIA::
C:\windows\system32\drivers\ipsec.sys

Save this as CFScript.txt, in the same location as ComboFix.exe


Drag CFScript.txt onto ComboFix.exe and drop it.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Note: After running Combofix, you may receive an error about "illegal operation on a registry key that has been marked for deletion." If you receive this error, please reboot and it should disappear.



Step 2


Please run FSS again after that and post the log. A critical file is missing. If CF can't find a replacement in Step 1, do you have your Windows CD?

etavares


 


#14 WMichaelH (Topic Starter)

Posted 20 December 2011 - 11:51 AM

Hi,

I do have the windows xp media center edition 2005 reinstallation DVD that came with the laptop.
I ran ComboFix, and FSS again. Attached are the logs.

Thank You

Attached Files



#15 etavares (Bleepin' Remover, Malware Response Team)

Posted 21 December 2011 - 06:35 AM

Hello, WMichaelH.

OK, the file is back, now we need to restore the registry entries. After this, you should have internet access and we can continue cleaning it.



Step 1

  • Please open Notepad.
  • Copy and paste the text in the box below into Notepad.
    swreg acl "HKLM\SYSTEM\CurrentControlSet\Enum\Root" /g Everyone:F >log.txt 2>&1
    notepad log.txt
    rem This fix is custom made for this user's computer.
  • Select File-->Save As
  • Select File as Type: All Types (*.*)
  • Save it to your desktop as fixme.bat
  • Double-click fixme.bat on your desktop to run the fix.
  • A window will briefly pop up then close.
  • A log will open, please copy and paste it into your response.



Step 2


  • Next download XP.zip and save it to your desktop.
  • Double-click XP.zip to open it.
  • Copy ipsec.reg and legacy_ipsec.reg to your desktop.
  • From the desktop, double-click ipsec.reg. It will ask you if you want to merge it into the registry. Let it do so.
  • From the desktop, double-click legacy_ipsec.reg. It will ask you if you want to merge it into the registry. Let it do so.
  • Reboot




Step 3

  • Please open Notepad.
  • Copy and paste the text in the box below into Notepad.
    swreg acl "HKLM\SYSTEM\CurrentControlSet\Enum\Root" /p /g System:F >log.txt 2>&1
    notepad log.txt
    rem This fix is custom made for this user's computer.
  • Select File-->Save As
  • Select File as Type: All Types (*.*)
  • Save it to your desktop as fixme.bat
  • Double-click fixme.bat on your desktop to run the fix.
  • A window will briefly pop up then close.
  • A log will open, please copy and paste it into your response.



Step 4


Do you have internet access after the reboot? Please post another Farbar Service Scan log.

etavares

Edited by etavares, 21 December 2011 - 06:35 AM.
type in code tag


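Posts #13 and #15 do two things by hand: confirm that ipsec.sys and its service entries are back (via Farbar Service Scanner), and loosen the ACL on HKLM\SYSTEM\CurrentControlSet\Enum\Root to Everyone:F so the .reg merges succeed, then tighten it to System:F afterwards. The PowerShell below is an added example, not part of this thread and not one of the tools used in it. It assumes PowerShell 5.1 or later in an elevated session on a current Windows host; the service list is an assumption drawn from what Farbar Service Scanner reports, and the LEGACY_* enumerator keys only exist on XP through Windows 7. The ACL helpers save the original descriptor as SDDL before any change so it can be put back exactly rather than guessed at; because Enum\Root is SYSTEM-owned and denies write-DAC to Administrators, they need to run as SYSTEM (for example under psexec -s), which is also the level at which the swreg fix in post #15 operated.

```powershell
# Added example, not from the thread. Assumes PowerShell 5.1+ and an elevated
# session; service names are an assumption; LEGACY_* keys exist only on XP-7.

# 1. For each networking service: is the Services key present, does ImagePath
#    expand to a file that exists on disk, and is there a LEGACY_<NAME> key?
function Test-NetworkStackService {
    param(
        [string[]]$Names = @('Tcpip', 'Afd', 'NetBT', 'Dhcp', 'Dnscache', 'IPsec', 'PolicyAgent', 'bfe', 'MpsSvc')
    )
    foreach ($name in $Names) {
        $props  = Get-ItemProperty -LiteralPath "HKLM:\SYSTEM\CurrentControlSet\Services\$name" -ErrorAction SilentlyContinue
        $image  = $null
        $onDisk = $false
        if ($props -and $props.ImagePath) {
            # ImagePath forms seen in practice: \SystemRoot\System32\drivers\x.sys,
            # System32\drivers\x.sys, %SystemRoot%\system32\svchost.exe -k Group,
            # and "C:\quoted path\x.exe" args. Normalise to one absolute file path.
            $raw = [Environment]::ExpandEnvironmentVariables($props.ImagePath)
            $raw = $raw -replace '^\\\?\?\\', ''
            $raw = $raw -replace '^\\SystemRoot', $env:SystemRoot
            $raw = $raw -replace '^"([^"]+)".*$', '$1'
            $raw = ($raw -split ' -k ')[0].Trim()
            if ($raw -notmatch '^[A-Za-z]:\\') { $raw = Join-Path $env:SystemRoot ($raw -replace '^\\', '') }
            $image  = $raw
            $onDisk = Test-Path -LiteralPath $image
        }
        [pscustomobject]@{
            Service    = $name
            KeyPresent = [bool]$props
            Start      = $(if ($props) { $props.Start })
            ImagePath  = $image
            FileOnDisk = $onDisk
            LegacyKey  = Test-Path -LiteralPath "HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_$($name.ToUpper())"
        }
    }
}

# 2. Snapshot, widen, and restore the Enum\Root DACL. Run as SYSTEM: the key
#    is SYSTEM-owned and Administrators cannot change its DACL directly.
$EnumRoot = 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root'

function Save-RegistryAcl {
    param([string]$Path = $EnumRoot, [string]$OutFile = "$env:SystemDrive\enum_root.sddl")
    $sddl = (Get-Acl -LiteralPath $Path).Sddl
    Set-Content -LiteralPath $OutFile -Value $sddl
    $sddl
}

function Grant-RegistryFullControl {
    # Equivalent of the first fixme.bat (Everyone:F, inherited by subkeys).
    param([string]$Path = $EnumRoot, [string]$Identity = 'Everyone')
    $acl  = Get-Acl -LiteralPath $Path
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $Identity, 'FullControl', 'ContainerInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Restore-RegistryAcl {
    # Replaces the second fixme.bat: put back the saved DACL instead of a guessed one.
    param([string]$Path = $EnumRoot, [string]$InFile = "$env:SystemDrive\enum_root.sddl")
    $acl = Get-Acl -LiteralPath $Path
    # Only the DACL section is applied; owner and SACL are left as they are.
    $acl.SetSecurityDescriptorSddlForm((Get-Content -LiteralPath $InFile -Raw).Trim(), 'Access')
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Usage, in the order the thread performs the fix:
Test-NetworkStackService | Format-Table -AutoSize
Save-RegistryAcl                 # before any ACL change or .reg merge
Grant-RegistryFullControl        # first fixme.bat
# ... merge ipsec.reg and legacy_ipsec.reg, reboot ...
Restore-RegistryAcl              # instead of the second fixme.bat
Test-NetworkStackService | Where-Object { -not $_.KeyPresent -or -not $_.FileOnDisk } | Format-Table -AutoSize
```

The point of the SDDL round trip is that "System:F" is not what Enum\Root normally carries (Administrators and Users have read access too), so a hand-typed replacement leaves the key more restrictive than Windows installed it; restoring the saved descriptor avoids a second round of permission problems later.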
 




