Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

FakeAlert and Dropper removed, now cannot get IP


  • This topic is locked This topic is locked
28 replies to this topic

#1 sideshowblah

sideshowblah

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:07:41 PM

Posted 06 January 2012 - 10:36 AM

Hi,

I have a Windows XP laptop that was infected with a version of the FakeAlert and a Trojan.Dropper according to MalwareBytes. These infections seem to be completely removed according to Malwarebytes, TrendMicro's Housecall and Mcafee anyway. But after MalwareBytes removed the Trojan.Dropper the laptop will no longer get an IP or allow me to assign one to the adapter(s). Also, if I run ipconfig I get an "Internal error occurred: The request is not supported." Attempting a PING of LocalHost returns a "Unable to contact IP driver, error code 2,"
I can manually put an IP into the NIC properties but that does not seem to change anything as far as the errors. I have tried to reset tcp/ip with NETSH and reset WinSock, I even tried to install a USB NIC but nothing seems to get me past the underlying problem. I assume something was broken during the infection removal as the laptop could get to the Internet to run Housecall just the other day. Anyone had to fight this before, and have some ideas? thanks

BC AdBot (Login to Remove)

 


#2 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:12:41 AM

Posted 07 January 2012 - 04:22 PM

Good evening. :)

Please follow steps six, seven and eight here and then post accordingly into this thread.

So long, and thanks for all the fish.

 

 


#3 sideshowblah

sideshowblah
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:07:41 PM

Posted 09 January 2012 - 09:11 AM

Hi,

Thanks for the help.

I went thru the 3 steps, but did have a problem running the GMER tool. After extracting it and trying to start it up, I got a popup saying

LoadDriver("C:\DOCUME~1\Janet\LOCALS~1\Temp\uxlyapog.sys") error 0xC000010E: Cannot create a stable subkey under a volatile parent key.

After clicking OK, it continued into the tool, but with limited selections along the right side. It only allowed selection of Services, Registry, Files, C:\, and ADS. But I ran it and attached the file anyway.

Here is the DDS.txt file:
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Janet at 8:33:55 on 2012-01-09
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3033.2451 [GMT -5:00]
.
AV: Total Protection Service *Enabled/Outdated* {8C354827-2F54-4E28-90DC-AD391E77808C}
FW: Total Protection Service *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
c:\drivers\audio\r211990\stacsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\WINDOWS\system32\AESTFltr.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\McAfee\Managed VirusScan\DesktopUI\XTray.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\DellTPad\Apntex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
svchost.exe
C:\Program Files\Microsoft\BingBar\SeaPort.EXE
C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
C:\WINDOWS\system32\DRIVERS\o2flash.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.wral.com/
uSearch Page = hxxp://www.live.com
uURLSearchHooks: D-Link Toolbar Search Class: {e917fc61-7f80-4f1f-a882-cdffffbe4c8d} - c:\program files\d-link toolbar\dlinktb.dll
mURLSearchHooks: D-Link Toolbar Search Class: {e917fc61-7f80-4f1f-a882-cdffffbe4c8d} - c:\program files\d-link toolbar\dlinktb.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\managed virusscan\vscan\ScriptSn.20100421202858.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7018.1622\swg.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll"
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: D-Link Toolbar Loader: {f01858c7-2a68-4d93-9e22-502eae3917c2} - c:\program files\d-link toolbar\dlinktb.dll
TB: D-Link Toolbar: {61874dfa-9adf-44e5-8e61-f3913707e7d7} - c:\program files\d-link toolbar\dlinktb.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [MVS Splash] "c:\program files\mcafee\managed virusscan\desktopui\XTray.exe" /LOGON
mRun: [McAfee Managed Services Tray] "c:\program files\mcafee\managed virusscan\agent\StartMyagtTry.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: //about.htm/
Trusted Zone: //Exclude.htm/
Trusted Zone: //FWEvent.htm/
Trusted Zone: //LanguageSelection.htm/
Trusted Zone: //Message.htm/
Trusted Zone: //MyAgttryCmd.htm/
Trusted Zone: //MyAgttryNag.htm/
Trusted Zone: //MyNotification.htm/
Trusted Zone: //NOCLessUpdate.htm/
Trusted Zone: //quarantine.htm/
Trusted Zone: //ScanNow.htm/
Trusted Zone: //strings.vbs/
Trusted Zone: //Template.htm/
Trusted Zone: //Update.htm/
Trusted Zone: //VirFound.htm/
Trusted Zone: mcafee.com\*
Trusted Zone: mcafeeasap.com\betavscan
Trusted Zone: mcafeeasap.com\vs
Trusted Zone: mcafeeasap.com\www
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1245179467171
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
TCP: DhcpNameServer = 66.192.86.7 208.67.222.222
TCP: Interfaces\{832DA7A6-2847-4A07-B3F2-F5F9306A0E67} : DhcpNameServer = 66.192.86.7 208.67.222.222
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2009\HelpAsyncPluggableProtocol.dll
Handler: myrm - {4D034FC3-013F-4b95-B544-44D49ABE3E76} - c:\program files\mcafee\managed virusscan\agent\MyRmProt5.0.0.768.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Notify: igfxcui - igfxdev.dll
Notify: NecUsb3Sevice - USB3Nw32.dll
Notify: USB3Nw32 - USB3Nw32.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
============= SERVICES / DRIVERS ===============
.
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-6-6 214664]
R2 BBUpdate;BBUpdate;c:\program files\microsoft\bingbar\SeaPort.EXE [2011-10-13 249648]
R2 EngineServer;EngineServer;c:\program files\mcafee\managed virusscan\vscan\EngineServer.exe [2009-6-6 14144]
R2 McShield;McShield;c:\progra~1\mcafee\manage~1\vscan\McShield.exe [2009-6-6 144704]
R2 myAgtSvc;McAfee Virus and Spyware Protection Service;c:\program files\mcafee\managed virusscan\agent\myAgtSvc.exe [2010-4-21 282824]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2009-6-6 112512]
R3 MfeAVFK;McAfee Inc. MfeAVFK;c:\windows\system32\drivers\mfeavfk.sys [2009-6-6 79816]
R3 MfeBOPK;McAfee Inc. MfeBOPK;c:\windows\system32\drivers\mfebopk.sys [2009-6-6 35272]
R3 O2MDGRDR;O2MDGRDR;c:\windows\system32\drivers\o2mdg.sys [2009-6-6 51616]
R3 O2SDGRDR;O2SDGRDR;c:\windows\system32\drivers\o2sdg.sys [2009-6-6 41760]
S2 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-10-21 196176]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-9-21 136176]
S2 NecUsb;USB Service;c:\windows\system32\svchost.exe -k NecUsbSevice [2008-4-25 14336]
S2 WLNdis50;Wireless Lan NDIS Protocol I/O Control;c:\windows\system32\drivers\wlndis50.sys --> c:\windows\system32\drivers\wlndis50.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-9-21 136176]
S3 MfeRKDK;McAfee Inc. MfeRKDK;c:\windows\system32\drivers\mferkdk.sys [2009-6-6 34248]
S3 MOSUMAC;USB-Ethernet Driver;c:\windows\system32\drivers\MOSUMAC.SYS [2012-1-5 40448]
S3 RTL8192su;%RTL8192su.DeviceDesc.DispName%;c:\windows\system32\drivers\rtl8192su.sys --> c:\windows\system32\drivers\RTL8192su.sys [?]
.
=============== Created Last 30 ================
.
2012-01-05 21:51:07 75264 -c--a-w- c:\windows\system32\dllcache\ipsec.sys
2012-01-05 21:51:07 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2012-01-05 21:19:44 40448 ----a-w- c:\windows\system32\drivers\MOSUMAC.SYS
2012-01-05 21:19:44 237568 ----a-w- c:\windows\system32\MacUnInstall.exe
2012-01-05 21:19:44 -------- d-----w- c:\program files\UsbMac
2011-12-30 19:41:41 200976 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-12-29 16:56:12 37888 ----a-w- c:\windows\system32\USB3Nw32.dll
2011-12-29 15:16:11 -------- d-----w- c:\documents and settings\janet\application data\Malwarebytes
2011-12-29 15:15:52 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-12-29 15:15:47 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-29 15:15:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-29 14:55:04 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-12-29 14:55:04 -------- d-----w- c:\windows\system32\wbem\Repository
2011-12-12 14:55:24 -------- d-----w- c:\documents and settings\all users\application data\Vivitar Experience Image Manager
2011-12-12 14:55:19 -------- d-----w- c:\documents and settings\janet\local settings\application data\Vivitar Experience Image Manager
2011-12-12 14:54:29 -------- d-----w- c:\program files\ffdshow
2011-12-12 14:53:50 -------- d-----w- c:\program files\Vivitar Experience Image Manager
.
==================== Find3M ====================
.
2011-11-23 13:29:56 1868544 ----a-w- c:\windows\system32\win32k.sys
2011-11-04 19:20:51 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23:59 385024 ---h--w- c:\windows\system32\html.iec
2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31:48 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-18 11:13:22 186880 ----a-w- c:\windows\system32\encdec.dll
.
============= FINISH: 8:40:19.37 ===============

Attached Files



#4 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:12:41 AM

Posted 09 January 2012 - 03:29 PM

Good evening. :)

Download TDSSKiller.zip from Kaspersky from here and save it to your Desktop.

  • You will then need to extract the file(s) from the zipped folder.
  • To do this: Right-click on the zipped folder and from the menu that appears, click on Extract All...
    In the Extraction Wizard window that opens, click on Next> and in the next window that appears, click on Next> again.
    In the final window, click on Finish

  • Please close all open programs as this may result in a reboot being necessary.
  • Double click TDSSKiller.exe to begin.
  • Click Change parameters and check the two boxes under Additional Options.
  • Click Start scan and allow the tool to do just that.
  • One the scan has completed, if the tool has identified anything allow it to carry out it's default action(s) - you'll need to click Continue where appropriate.
  • Finally, if it prompts you to reboot your machine, please click Reboot Now and ensure that your machine does so.
  • If the scan finds nothing, please click the Report button and let me have a copy of the text file that opens.
  • If you reboot your machine, the log, which i'd like to see, will be located at the root of you hard drive as C:\TDSSKiller.Version_Date_Time_log.txt.
    Please check that you get the one with the right date and time. :)

So long, and thanks for all the fish.

 

 


#5 sideshowblah

sideshowblah
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:07:41 PM

Posted 09 January 2012 - 04:08 PM

Thanks for the utility. TDSSKiller does not start on this PC. I tried it on another PC and it started OK, but it does nothing on the infected/damaged PC. Nothing gets logged in teh EventVwer and nothing is showing in the process list that looks like it is this tool.

#6 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:12:41 AM

Posted 09 January 2012 - 04:31 PM

Download aswMBR.exe from here and save it to your Desktop.

  • Double click the tool to run it.
  • When prompted "Would you like to download latest Avast! virus definitions?" click Yes - you may need to allow access through your firewall.
  • Click the Scan button to, well, start the scan - obvious really!
  • Once the scan reports "Scan finished successfully" click Save log.
  • On my system it offers to save it to the Desktop, which may or may not be it's default behaviour, but it's as handy a place as any.
  • You'll also see a file called MBR.dat appear as well - this is a backup that it created, just in case it's needed. Keep it handy for now.

I'd like the contents of aswMBR.txt in your next reply, if you'd be so kind.

So long, and thanks for all the fish.

 

 


#7 sideshowblah

sideshowblah
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:07:41 PM

Posted 09 January 2012 - 04:56 PM

Is there a way to manually upgrade the definitions as this computer cannot get to the Internet?

#8 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:12:41 AM

Posted 10 January 2012 - 03:13 PM

Good evening. :)

When prompted, click NO - although it reduces the tools usefulness somewhat, it should still do a good job.

So long, and thanks for all the fish.

 

 


#9 sideshowblah

sideshowblah
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:07:41 PM

Posted 10 January 2012 - 03:55 PM

Here is the log.

aswMBR version 0.9.9.1297 Copyright© 2011 AVAST Software
Run date: 2012-01-10 07:56:23
-----------------------------
07:56:23.437 OS Version: Windows 5.1.2600 Service Pack 3
07:56:23.437 Number of processors: 2 586 0x170A
07:56:23.437 ComputerName: DBTOA000 UserName: Janet
07:56:24.937 Initialze error 0 - driver not loaded
07:57:30.718 Service scanning
07:57:39.281 Modules scanning
07:57:39.281 Disk 0 trace - called modules:
07:57:39.281
07:57:39.281 Scan finished successfully
07:58:00.671 The log file has been saved successfully to "C:\Documents and Settings\Janet\Desktop\aswMBR.txt"

#10 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:12:41 AM

Posted 10 January 2012 - 04:16 PM

Good evening. :)

Take a trip to this webpage for download links and instructions for running Combofix by sUBs: http://www.bleepingcomputer.com/combofix/how-to-use-combofix *

  • When prompted to save Combofix, change the filename BEFORE saving it - any name will do, as long as it has .exe at the end.
  • Please be aware that this tool may require the PC to be rebooted so close any programs you have open before you start.
  • When CF has finished, it will produce a log - C:\ComboFix.txt - copy and paste
  • Let me know how the PC is behaving.
* There are two points to note from the instructions page:

1) The Recovery Console.

It is recommended that you install this as, in certain circumstances, it may be the difference between a successful repair and a reformat. If you are uncertain as to whether or not you already have the Recovery Console installed, simply run CF and it will prompt you if it does not detect it.
CF will complete some, but not all, of it's removal tasks without the installation of the Console, so you are free to choose whether you want to complete this step, but it is in your interests to do so.

2) Disabling your Anti-Virus.

CF has been the victim of false-positive detections on occasion and a resident AV may incorrectly identify and delete part of the tool which won't do it much good. If you don't disable your AV, you may not get the results you hoped for!

So long, and thanks for all the fish.

 

 


#11 sideshowblah

sideshowblah
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:07:41 PM

Posted 11 January 2012 - 10:20 AM

I got CombFix running on the computer and below is the log. During the scan it told me that it found a Rootkit and it would be difficult to remove, but I did not catch the name. After a reboot it seems to have rerun and then I got about 50 popups telling me that "Windows cannot find 'NIRKMD.'" Once after each stage. The NIC still cannot get an IP via DHCP tho. Looking at that now.

ComboFix 12-01-10.02 - Janet 01/11/2012 9:22.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3033.2277 [GMT -5:00]
Running from: c:\documents and settings\Janet\Desktop\ComFix.exe
AV: Total Protection Service *Disabled/Outdated* {8C354827-2F54-4E28-90DC-AD391E77808C}
FW: Total Protection Service *Disabled* {259FBE35-46BE-45F3-8F2F-4DB67BBBC614}
* Resident AV is active
.
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((( Files Created from 2011-12-11 to 2012-01-11 )))))))))))))))))))))))))))))))
.
.
2012-01-11 13:09 . 2012-01-11 14:13 -------- d-----w- C:\ComboFix
2012-01-05 21:51 . 2008-04-14 12:00 75264 -c--a-w- c:\windows\system32\dllcache\ipsec.sys
2012-01-05 21:51 . 2008-04-14 12:00 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2012-01-05 21:19 . 2012-01-05 21:19 -------- d-----w- c:\program files\UsbMac
2012-01-05 21:19 . 2010-02-10 16:29 40448 ----a-w- c:\windows\system32\drivers\MOSUMAC.SYS
2012-01-05 21:19 . 2010-02-10 16:29 237568 ----a-w- c:\windows\system32\MacUnInstall.exe
2011-12-30 19:41 . 2011-06-21 04:09 200976 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-12-30 12:34 . 2011-12-30 12:34 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2011-12-29 16:56 . 2011-12-30 14:41 -------- d-sh--w- c:\documents and settings\NetworkService\UserData
2011-12-29 15:16 . 2011-12-29 15:16 -------- d-----w- c:\documents and settings\Janet\Application Data\Malwarebytes
2011-12-29 15:15 . 2011-12-29 15:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-12-29 15:15 . 2011-12-29 15:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-29 15:15 . 2011-12-10 20:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-29 14:55 . 2011-12-29 14:55 -------- d-----w- c:\windows\system32\wbem\Repository
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-23 13:29 . 2008-04-25 16:16 1868544 ----a-w- c:\windows\system32\win32k.sys
2011-11-04 19:20 . 2008-04-25 16:16 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2008-04-25 16:16 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2008-04-25 16:16 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2008-04-25 16:16 385024 ---h--w- c:\windows\system32\html.iec
2011-11-01 16:07 . 2008-04-25 16:16 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2008-04-25 16:16 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-18 11:13 . 2008-04-25 16:16 186880 ----a-w- c:\windows\system32\encdec.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-01-10_22.53.36 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-01-11 14:10 . 2012-01-11 14:10 16384 c:\windows\Temp\Perflib_Perfdata_778.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2009-03-31 217088]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-02-22 483420]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2009-02-22 729088]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-01-18 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-01-18 178712]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-01-18 150040]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-06 136600]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-12-12 2220032]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"MVS Splash"="c:\program files\McAfee\Managed VirusScan\DesktopUI\XTray.exe" [2010-04-05 476480]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-02-05 128232]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2008-11-18 623880]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-23 101136]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [N/A]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [N/A]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-3-12 984352]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\McAfee\\Managed VirusScan\\Agent\\myAgtSvc.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2009\\QBDBMgrN.exe"=
.
R2 BBUpdate;BBUpdate;c:\program files\Microsoft\BingBar\SeaPort.EXE [10/13/2011 5:21 PM 249648]
R2 EngineServer;EngineServer;c:\program files\McAfee\Managed VirusScan\VScan\EngineServer.exe [6/6/2009 11:10 AM 14144]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [6/6/2009 1:58 PM 112512]
R3 O2MDGRDR;O2MDGRDR;c:\windows\system32\drivers\o2mdg.sys [6/6/2009 1:58 PM 51616]
R3 O2SDGRDR;O2SDGRDR;c:\windows\system32\drivers\o2sdg.sys [6/6/2009 1:58 PM 41760]
S2 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [10/21/2011 3:23 PM 196176]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/21/2011 4:10 PM 136176]
S2 NecUsb;USB Service;c:\windows\System32\svchost.exe -k NecUsbSevice [4/25/2008 11:16 AM 14336]
S2 WLNdis50;Wireless Lan NDIS Protocol I/O Control;c:\windows\system32\DRIVERS\wlndis50.sys --> c:\windows\system32\DRIVERS\wlndis50.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [9/21/2011 4:10 PM 136176]
S3 MOSUMAC;USB-Ethernet Driver;c:\windows\system32\drivers\MOSUMAC.SYS [1/5/2012 4:19 PM 40448]
S3 RTL8192su;%RTL8192su.DeviceDesc.DispName%;c:\windows\system32\DRIVERS\RTL8192su.sys --> c:\windows\system32\DRIVERS\RTL8192su.sys [?]
S4 myAgtSvc;McAfee Virus and Spyware Protection Service;c:\program files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe [4/21/2010 7:27 PM 282824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
NecUsbSevice REG_MULTI_SZ NecUsb
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-09-21 21:10]
.
2012-01-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-09-21 21:10]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.wral.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: //about.htm/
Trusted Zone: //Exclude.htm/
Trusted Zone: //FWEvent.htm/
Trusted Zone: //LanguageSelection.htm/
Trusted Zone: //Message.htm/
Trusted Zone: //MyAgttryCmd.htm/
Trusted Zone: //MyAgttryNag.htm/
Trusted Zone: //MyNotification.htm/
Trusted Zone: //NOCLessUpdate.htm/
Trusted Zone: //quarantine.htm/
Trusted Zone: //ScanNow.htm/
Trusted Zone: //strings.vbs/
Trusted Zone: //Template.htm/
Trusted Zone: //Update.htm/
Trusted Zone: //VirFound.htm/
Trusted Zone: mcafee.com\*
Trusted Zone: mcafeeasap.com\betavscan
Trusted Zone: mcafeeasap.com\vs
Trusted Zone: mcafeeasap.com\www
TCP: DhcpNameServer = 66.192.86.7 208.67.222.222
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-11 09:58
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(564)
c:\windows\System32\BCMLogon.dll
.
- - - - - - - > 'explorer.exe'(1708)
c:\windows\system32\WININET.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2012-01-11 10:13:39
ComboFix-quarantined-files.txt 2012-01-11 15:13
ComboFix2.txt 2012-01-11 14:04
ComboFix3.txt 2012-01-10 23:09
.
Pre-Run: 142,301,024,256 bytes free
Post-Run: 142,286,475,264 bytes free
.
- - End Of File - - CA5824F40CE6F9F82ED900B364C2F2B4

#12 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:12:41 AM

Posted 11 January 2012 - 03:18 PM

Good evening. :)

Do you have access to a flashdrive of at least 138 Mb that you can wipe clean for a little tool to play with?

So long, and thanks for all the fish.

 

 


#13 sideshowblah

sideshowblah
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:07:41 PM

Posted 11 January 2012 - 04:14 PM

yes. that is how I am transferring the data to/from the infected computer now.

#14 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:12:41 AM

Posted 11 January 2012 - 04:22 PM

Please read through all the instructions BEFORE you begin and ask any questions that you may have first. Be aware that an active infection may interfere with the first part of this procedure. If it doesn't go according to instructions, you may have to use a different PC to write the software to the flash drive.

  • Download both this file and this file and save them to your Desktop.
  • Insert your USB flash drive into your PC.
  • Click Start > My Computer, right click your flash drive's icon and select Format > Quick format - this will wipe the contents of the flash drive, so make sure there is nothing of value on there!
  • Double click unetbootin-xpud-windows-version number.exe that you just downloaded and OK any Security Warning that Windows may offer.
  • Select the Diskimage radio button and then click the browse button (the one with three dots on) located on the right side of the textbox field.
  • Browse to, and select, the xpud-0.9.2.iso file you downloaded above by double clicking it.
  • Verify the correct drive letter is selected for your USB device at the bottom and then click OK.
  • The program will install a little bootable OS onto your flash drive.
  • Once the files have been written to the drive you will be prompted to reboot - this isn't necessary, so just click Exit.
  • Finally, for this part at least, download the following file: dumpit and save it to the flashdrive you've just played with.

The next part is somewhat tricky as it differs on different machines. If you are lucky, then the following will work - if it doesn't, let me know and we'll go for a different angle.
  • If it isn't already there, insert the flash drive into the sick PC and then reboot it.
  • You need to select the OS that is on the stick rather than let Windows take charge, so press F12 and choose to boot from the USB drive before Windows starts loading.
  • Follow the prompts and eventually a Welcome to xPUD screen will appear.
  • Click the File icon on the left.
  • Open the mnt folder by clicking it, just as you do in Windows.
  • You are going to identify the folder that represents to your flash drive.
  • sda1, sda2 etc... will usually be your hard drive(s); sdb1 is likely to be your flash drive.
  • Double click on the flash drive folder, locate the dumpit file you downloaded previously and double click it.
  • A black Terminal window should open and the text therein should contain the legend: Press Enter to exit: - please do so.
  • Click the Home icon on the left and Power off the machine
  • Remove the USB drive and insert back in your working computer and locate the folder mbr.zip that it should now contain.
  • Please attach this folder in your next reply, you will need to put it in a compressed/zipped folder, or let me know if you had any problems.

So long, and thanks for all the fish.

 

 


#15 sideshowblah

sideshowblah
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:07:41 PM

Posted 11 January 2012 - 04:48 PM

the computer will boot from teh USB device but I cannot seem to find it once it is running. I can see /mnt/sda1, /mnt/sda2, and /mnt/sda3 and no others. BTW, there are 3 partitions on the internal hard drive.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users