
"SubSystem error", TR/Dropper.Gen2 found


This topic is locked.

#1 Trent09

  • Members
  • 1 posts

Posted 20 February 2012 - 12:50 PM

Windows XP SP2 is installed on F: [C: is an old Windows install that is not actually used]; IE is not updated but is never used (Chrome and Firefox instead).
No relevant symptoms apart from a somewhat longer boot time and a few BSODs over the last few days that reported a "SubSystem error".
Yesterday Avira's guard signalled these:

F:\WINDOWS\system32\67028033.exe
[DETECTION] Contains the detection pattern of the worm WORM/Renocide.499712
F:\WINDOWS\system32\58886638.exe
[DETECTION] Is the Trojan horse TR/Dropper.Gen2
F:\WINDOWS\system32\cftm.exe
[DETECTION] Is the Trojan horse TR/Dropper.Gen2
F:\Documents and Settings\Administrator\Dati applicazioni\Sokoz\xuoqug.exe
[DETECTION] Is the Trojan horse TR/Spy.ZBot.dkce
C:\Documents and Settings\Administrator\Impostazioni locali\Temporary Internet Files\Content.IE5\4JWF2DY3\exe[2]
[DETECTION] Is the Trojan horse TR/Dropper.Gen
C:\Documents and Settings\Administrator\Impostazioni locali\Temporary Internet Files\Content.IE5\SR0NEVYH\x[1].htm
[DETECTION] Contains the detection pattern of the JavaScript virus JS/Agent.bpz
C:\WINDOWS\system32\drivers\afd.sys
[DETECTION] Is the Trojan horse TR/Patched.Gen
C:\WINDOWS\Temp\9wS7e3aA9.sys
[DETECTION] Contains the detection pattern of the rootkit RKIT/TDss.suu

All of those were quarantined/cleaned. Without rebooting, I followed a few of your topics and did the following:

DDS: the download link hasn't worked for me since yesterday.
Trend Micro online scanner: nothing reported.

ESET online scanner gave me this:

C:\Documents and Settings\Administrator\Documenti\Downloads\SoftonicDownloader82646.exe a variant of Win32/SoftonicDownloader.A application cleaned by deleting - quarantined
C:\Documents and Settings\Administrator\Impostazioni locali\Temp\nps4D3.tmp probably a variant of Win32/Agent.NWYHLVE trojan cleaned by deleting - quarantined
C:\Documents and Settings\Administrator\Impostazioni locali\Temporary Internet Files\Content.IE5\4JWF2DY3\exe[1] Win32/Olmarik.ACK trojan deleted - quarantined
F:\Programmi\Call of Duty 4 - Modern Warfare\#readme#\rzr-cod4-keygen.exe Win32/Keygen.DK application cleaned by deleting - quarantined

HijackThis (fresh copy) was saying:

O4 - HKCU\..\Run: [{DCA9F9A5-0CB7-169C-7613-443F5E0D1010}] "F:\Documents and Settings\Administrator\Dati applicazioni\Sokoz\xuoqug.exe"

ComboFix erased:

C:\khq
f:\documents and settings\Administrator\Dati applicazioni\Sokoz\xuoqug.exe
F:\khq
f:\windows\system32\AutoRun.inf
f:\windows\system32\cc32100mt.dll

Avenger said nothing special.

MBAM:

F:\System Volume Information\_restore{5528834F-5644-4925-A326-A833FAF057CF}\RP277\A0063232.exe (Trojan.Zbot.CBCGen) -> No action taken.
F:\System Volume Information\_restore{5528834F-5644-4925-A326-A833FAF057CF}\RP278\A0063315.exe (Trojan.Agent.CK) -> No action taken.



Today's GMER log is attached. I ran ESET again and got:

F:\Qoobox\Quarantine\F\WINDOWS\system32\AutoRun.inf.vir INF/Autorun.C.Gen virus deleted - quarantined
F:\System Volume Information\_restore{5528834F-5644-4925-A326-A833FAF057CF}\RP278\A0063614.inf INF/Autorun.C.Gen virus deleted - quarantined


HiJackThis, fresh copy again:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 17.56.12, on 20/02/2012
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Programmi\Avira\AntiVir Desktop\sched.exe
F:\WINDOWS\Explorer.EXE
F:\Programmi\Avira\AntiVir Desktop\avguard.exe
F:\WINDOWS\system32\svchost.exe
F:\Programmi\Avira\AntiVir Desktop\avgnt.exe
F:\Programmi\Avira\AntiVir Desktop\avshadow.exe
F:\WINDOWS\system32\wscntfy.exe
F:\WINDOWS\system32\notepad.exe
F:\Trend Micro\HiJackThis\HiJackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - F:\Programmi\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - F:\Programmi\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [avgnt] "F:\Programmi\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O14 - IERESET.INF: START_PAGE_URL=http://www.google.it/
O17 - HKLM\System\CCS\Services\Tcpip\..\{1C8FACEA-F4B2-4296-ACDE-904208D3FD7A}: NameServer = 193.70.152.15,193.70.152.25
O17 - HKLM\System\CS1\Services\Tcpip\..\{1C8FACEA-F4B2-4296-ACDE-904208D3FD7A}: NameServer = 193.70.152.15,193.70.152.25
O17 - HKLM\System\CS2\Services\Tcpip\..\{1C8FACEA-F4B2-4296-ACDE-904208D3FD7A}: NameServer = 193.70.152.15,193.70.152.25
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - F:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - F:\WINDOWS\system32\browseui.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - F:\Programmi\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - F:\Programmi\Avira\AntiVir Desktop\avguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Programmi\File comuni\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - F:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia - F:\Programmi\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 4035 bytes


So far it seems to be running well and I can't see anything wrong in the logs. What do you need to confirm it's now clean? DDS: I'm still not able to download it.

Thank you very much.

Attached file: gmer.txt (37.72KB)
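As an added example (my own code, not part of the original post and not a feature of HijackThis), here is a small Python triage pass over the O4 and O17 lines of logs like the ones above. It flags the two traits that make the `Sokoz\xuoqug.exe` entry stand out in the first log (a bare GUID as the Run-key name and an autostart living under a per-user data folder, the classic ZBot layout), and it checks O17 NameServer values against a list of resolvers the operator expects. The 193.70.152.x resolvers in the log are not judged here: the script only reports that they are public addresses not on the supplied list, so confirm them against the ISP's published DNS servers before touching them. The sample lines are excerpted from the post's logs; the heuristics, the folder list and the `expected_dns` parameter are my assumptions.

```python
import ipaddress
import re

# Lines excerpted from the HijackThis logs in the post above; the first O4 line
# is the ZBot autostart that the earlier (pre-ComboFix) log reported.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKCU\..\Run: [{DCA9F9A5-0CB7-169C-7613-443F5E0D1010}] "F:\Documents and Settings\Administrator\Dati applicazioni\Sokoz\xuoqug.exe"
O4 - HKLM\..\Run: [avgnt] "F:\Programmi\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O17 - HKLM\System\CCS\Services\Tcpip\..\{1C8FACEA-F4B2-4296-ACDE-904208D3FD7A}: NameServer = 193.70.152.15,193.70.152.25
"""

O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d.,]+)$")
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
FIRST_PATH_RE = re.compile(r'([A-Za-z]:\\[^",]+)')

# Per-user data and temp folders (English plus the Italian names seen in this
# log). An autostart pointing here is a heuristic hit only (assumption:
# legitimate XP-era autostarts rarely live in these folders).
USER_DATA_DIRS = ("application data", "dati applicazioni",
                  "local settings", "impostazioni locali", "temp")


def first_path(cmd):
    """Return the first drive-letter path in an O4 command line, or None."""
    m = FIRST_PATH_RE.search(cmd)
    return m.group(1) if m else None


def o4_reasons(name, cmd):
    """Reasons an O4 autostart deserves a second look (empty list = nothing)."""
    reasons = []
    if GUID_RE.match(name):
        reasons.append("Run-key name is a bare GUID")
    target = first_path(cmd)
    if target and any("\\%s\\" % d in target.lower() for d in USER_DATA_DIRS):
        reasons.append("autostart target is under a per-user data/temp folder: " + target)
    return reasons


def o17_reasons(servers, expected_dns):
    """Report NameServer entries that are public and not on the expected list."""
    reasons = []
    for s in servers:
        try:
            ip = ipaddress.ip_address(s)
        except ValueError:
            reasons.append("unparseable NameServer value: " + s)
            continue
        if ip.is_private or ip.is_loopback or s in expected_dns:
            continue
        reasons.append("public resolver not on the expected list: " + s)
    return reasons


def triage(log_text, expected_dns=()):
    """Return [(log line, [reasons])] for every O4/O17 line worth a second look."""
    expected = set(expected_dns)
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            reasons = o4_reasons(m.group("name"), m.group("cmd"))
        else:
            m = O17_RE.match(line)
            reasons = o17_reasons(m.group("servers").split(","), expected) if m else []
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("    ->", r)
```

Run against the sample, the ZBot O4 line is reported with both reasons and the O17 line with its two resolvers; passing `expected_dns={"193.70.152.15", "193.70.152.25"}` silences the O17 report once those addresses have been verified as the ISP's. The avgnt and NvCplDaemon entries produce nothing, which is the point: the heuristics are meant to shrink a log to the few lines a helper needs to read, not to deliver a verdict.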



#2 nasdaq

  • Malware Response Team
  • 40,190 posts
  • Gender: Male
  • Location: Montreal, QC. Canada

Posted 25 February 2012 - 11:01 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Disable the CD emulators.

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed, or until this computer is clean.
===

Please download TDSSKiller.zip

Double-click on TDSSKiller.exe to run the application.
  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure, click on Continue
  • If a suspicious file is detected, the default action will be Skip, click on Continue
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) to your desktop. Double-click aswMBR.exe to run it.

  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please post the contents of that log in your next reply.
There will also be a file on your desktop named MBR.dat. Right-click that file and select Send To > Compressed (zipped) folder. Please attach that zipped file in your next reply.

===

Please post the logs for my review.
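The MBR.dat that aswMBR leaves on the desktop is the raw first sector of the disk. The families named in the first post (RKIT/TDss and Win32/Olmarik are both detection names for the TDL4 bootkit) take over the boot process by replacing the MBR bootstrap code while leaving the partition table intact, which is why the helper asks for that sector rather than just a scan log. As an added example (my own code, not aswMBR's or TDSSKiller's), the following Python parses a 512-byte MBR dump, hashes only the 440-byte bootstrap area (the per-disk NT signature at 0x1B8 and the partition table are excluded, so a baseline taken from a clean machine with the same Windows version can be compared; that the code area is identical across such installs is an assumption), and runs the partition-table sanity checks a responder would otherwise eyeball. The sample sectors are constructed in code, not taken from the poster's disk; the "clean" bootstrap bytes are a short stand-in rather than a real XP boot sector, and the known-good hash is assumed to come from a trusted reference.

```python
import hashlib
import struct

# Offsets inside a classic (non-GPT) 512-byte MBR.
BOOTSTRAP_LEN = 0x1B8     # bytes 0..0x1B7: bootstrap code (440 bytes)
DISK_SIG_OFF = 0x1B8      # 4-byte NT disk signature, unique per machine
PART_TABLE_OFF = 0x1BE    # four 16-byte partition entries
BOOT_SIG_OFF = 0x1FE      # 0x55 0xAA
PART_FMT = "<B3sB3sII"    # status, CHS start, type, CHS end, LBA start, sector count

# Constructed sample data (assumption, not a dump of the poster's disk). The
# "clean" bootstrap is a short stand-in, not real boot code.
CLEAN_BOOTSTRAP = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 16
TAMPERED_BOOTSTRAP = b"\xEB\x1C\x90" + b"\x00" * 20          # different code, same length
SAMPLE_PARTS = [(0x80, 0x07, 63, 41929587),                  # active NTFS partition
                (0x00, 0x07, 41929650, 114307200)]           # second NTFS partition


def build_sample_mbr(bootstrap, partitions, disk_sig=b"\x12\x34\x56\x78"):
    """Assemble a 512-byte MBR from its parts (used to build test sectors)."""
    sector = bytearray(512)
    sector[:len(bootstrap)] = bootstrap
    sector[DISK_SIG_OFF:DISK_SIG_OFF + 4] = disk_sig
    for i, (status, ptype, lba_start, count) in enumerate(partitions):
        # CHS fields are left zeroed; modern loaders use the LBA fields.
        struct.pack_into(PART_FMT, sector, PART_TABLE_OFF + 16 * i,
                         status, b"\0\0\0", ptype, b"\0\0\0", lba_start, count)
    sector[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] = b"\x55\xAA"
    return bytes(sector)


def parse_mbr(sector):
    """Split an MBR sector into bootstrap hash, disk signature and partition entries."""
    if len(sector) != 512:
        raise ValueError("expected a 512-byte sector, got %d bytes" % len(sector))
    if sector[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba_start, count = struct.unpack_from(
            PART_FMT, sector, PART_TABLE_OFF + 16 * i)
        if ptype == 0:          # empty slot
            continue
        parts.append({"index": i, "status": status, "type": ptype,
                      "lba_start": lba_start, "sectors": count})
    return {
        # Hash only the code area: the disk signature and table vary per machine.
        "bootstrap_sha256": hashlib.sha256(sector[:BOOTSTRAP_LEN]).hexdigest(),
        "disk_signature": sector[DISK_SIG_OFF:DISK_SIG_OFF + 4].hex(),
        "partitions": parts,
    }


def mbr_findings(sector, known_good_bootstrap_sha256):
    """Observations a responder would act on; an empty list means nothing stood out."""
    info = parse_mbr(sector)
    findings = []
    if info["bootstrap_sha256"] != known_good_bootstrap_sha256:
        findings.append("bootstrap code differs from the known-good baseline")
    active = [p for p in info["partitions"] if p["status"] == 0x80]
    if len(active) != 1:
        findings.append("expected exactly one active partition, found %d" % len(active))
    for p in info["partitions"]:
        if p["status"] not in (0x00, 0x80):
            findings.append("partition %d has invalid status byte 0x%02X" % (p["index"], p["status"]))
        if p["lba_start"] == 0 or p["sectors"] == 0:
            findings.append("partition %d has a zero start or length" % p["index"])
    ordered = sorted(info["partitions"], key=lambda p: p["lba_start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            findings.append("partitions %d and %d overlap" % (a["index"], b["index"]))
    return findings


if __name__ == "__main__":
    clean = build_sample_mbr(CLEAN_BOOTSTRAP, SAMPLE_PARTS)
    baseline = parse_mbr(clean)["bootstrap_sha256"]     # in practice: from a trusted reference
    print("clean sector:", mbr_findings(clean, baseline))
    tampered = build_sample_mbr(TAMPERED_BOOTSTRAP, SAMPLE_PARTS)
    print("tampered sector:", mbr_findings(tampered, baseline))
```

To use it on a real dump, read MBR.dat with `open(path, "rb").read()` and pass it to `mbr_findings` with a baseline hash you computed the same way from a machine you trust. A bootstrap mismatch on its own is not proof of a bootkit (OEM recovery tools and some boot managers write their own code there), but combined with the TDss/Olmarik detections in the first post it is exactly the evidence the MBR-cleaning step in TDSSKiller exists for.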

#3 nasdaq

  • Malware Response Team
  • 40,190 posts
  • Gender: Male
  • Location: Montreal, QC. Canada

Posted 02 March 2012 - 09:17 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.



