Abnow Rootkit and No Internet After Running ComboFix


  • This topic is locked
9 replies to this topic

#1 neilz

neilz

  • Members
  • 5 posts

Posted 10 March 2012 - 11:38 PM

I had that Google redirection ABNOW problem caused by a rootkit. I did a system restore and installed malware removers, but it didn't help. I found a topic here with a similar problem and ran ComboFix without your permission, and now my computer doesn't do anything. It showed quite a few errors (file corrupted, etc.). It doesn't connect to the internet anymore. It shows connected, but doesn't open any pages. Please guide me as to what I need to do... without internet, I might not be able to run any logs. Any help will be appreciated. Thanks.

#2 neilz

neilz
  • Topic Starter
  • Members
  • 5 posts

Posted 11 March 2012 - 11:40 AM

Hello.... I downloaded the programs onto a thumb drive and was able to run them on the infected computer. Here are the logs. Is it curable, or do I need to format my hard disk? Thanks.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Run by V at 11:30:10 on 2012-03-11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.537 [GMT 5.5:30]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\TouchFreeze\TouchFreeze.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
svchost.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - No File
BHO: CutePDF Form Filler Helper: {d41289f2-69c6-417b-897e-c653d677cbaf} - c:\program files\acro software\cutepdf filler evaluation\CPFillerCoE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [TouchFreeze] c:\program files\touchfreeze\TouchFreeze.exe
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [GoToMeeting] "c:\program files\citrix\gotomeeting\457\g2mstart.exe" "/Trigger RunAtLogon"
uRun: [Aim] "c:\program files\aim\aim.exe" /d locale=en-US
uRun: [PC Suite Tray] "c:\program files\nokia\nokia pc suite 7\PCSuite.exe" -onlytray
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [dcmsvc] c:\program files\dcmsvc\dcmsvc.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
StartupFolder: c:\docume~1\v\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\v\startm~1\programs\startup\warner~1.lnk - c:\program files\warner bros. digital copy manager\Warner Bros. Digital Copy Manager.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: dot.gov\sra
Trusted Zone: intuit.com\ttlc
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://akamaicdn.webex.com/client/WBXclient-T27L10NSP24-10113/webex/ieatgpc.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://sra.dot.gov/dana-cached/sc/JuniperSetupClient.cab
TCP: Interfaces\{0FB198A5-11F8-48FB-B18C-AF700F845BD5} : DhcpNameServer = 202.54.157.36 202.54.157.35
TCP: Interfaces\{657CBF8A-6D6F-4E6B-AFB6-CCCE4274F083} : NameServer = 59.185.3.10,59.185.3.12
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\v\application data\mozilla\firefox\profiles\l5i6i6e4.default\
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-3-10 652360]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-3-10 20464]
S3 ATICDSDr;ATICDSDr;\??\c:\docume~1\admini~1.v-4\locals~1\temp\aticdsdr.sys --> c:\docume~1\admini~1.v-4\locals~1\temp\ATICDSDr.sys [?]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys --> c:\windows\system32\drivers\ewusbdev.sys [?]
.
=============== Created Last 30 ================
.
2012-03-10 17:45:52 -------- d-sha-r- C:\cmdcons
2012-03-10 17:15:32 98816 ----a-w- c:\windows\sed.exe
2012-03-10 17:15:32 518144 ----a-w- c:\windows\SWREG.exe
2012-03-10 17:15:32 256000 ----a-w- c:\windows\PEV.exe
2012-03-10 17:15:32 208896 ----a-w- c:\windows\MBR.exe
2012-03-10 10:17:09 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-10 05:44:40 -------- d-----w- c:\program files\Anvisoft
2012-03-10 04:44:50 0 --sha-w- c:\windows\system32\dds_log_ad13.cmd
2012-03-09 09:47:36 81984 ----a-w- c:\windows\system32\bdod.bin
2012-03-08 17:20:25 -------- d-----w- c:\documents and settings\all users\application data\BitDefender
2012-03-08 17:02:59 -------- d-----w- c:\program files\common files\BitDefender
2012-03-07 13:41:43 -------- d-----w- c:\windows\system32\wbem\repository\FS
2012-03-07 13:41:43 -------- d-----w- c:\windows\system32\wbem\Repository
2012-03-07 10:05:06 -------- d-----w- c:\program files\common files\SpeedyPC Software
2012-03-07 10:05:05 -------- d-----w- c:\program files\SpeedyPC Software
2012-03-07 10:05:05 -------- d-----w- c:\documents and settings\all users\application data\SpeedyPC Software
2012-03-07 05:20:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-03-06 11:58:39 -------- d-sh--w- c:\documents and settings\v\local settings\application data\6808adb6
2012-02-26 05:11:03 83249512 ----a-w- c:\program files\common files\windows live\.cache\wlcF.tmp
2012-02-25 07:25:24 -------- d-----w- c:\documents and settings\v\application data\MSNInstaller
2012-02-18 14:38:19 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2012-02-18 14:38:19 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2012-02-16 04:17:41 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-02-16 04:17:41 3072 ------w- c:\windows\system32\iacenc.dll
.
==================== Find3M ====================
.
2012-01-12 16:53:24 1859968 ----a-w- c:\windows\system32\win32k.sys
2011-12-17 19:46:36 916992 ----a-w- c:\windows\system32\wininet.dll
2011-12-17 19:46:36 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-12-17 19:46:36 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-12-16 12:22:58 385024 ----a-w- c:\windows\system32\html.iec
.
============= FINISH: 11:31:19.73 ===============


Edited by Noviciate, 11 March 2012 - 03:06 PM.
DDS added from attachment
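The "Created Last 30" section of a DDS log lists recently created files and directories as date, time, size (dashes for directories), an attribute field and a path. As an added example, not part of this thread or of DDS itself, the following Python parses those lines and pulls out hidden+system entries under a user profile with opaque hex-style names, which is a triage heuristic for manual review only (the sample lines are copied from the log above; the attribute-letter meanings d/s/h/a are assumed from the DDS listing format):

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input: a few "Created Last 30" lines from the DDS log above.
SAMPLE_LOG = """\
2012-03-10 17:45:52 -------- d-sha-r- C:\\cmdcons
2012-03-10 17:15:32 98816 ----a-w- c:\\windows\\sed.exe
2012-03-10 04:44:50 0 --sha-w- c:\\windows\\system32\\dds_log_ad13.cmd
2012-03-07 05:20:39 -------- d-----w- c:\\program files\\Malwarebytes' Anti-Malware
2012-03-06 11:58:39 -------- d-sh--w- c:\\documents and settings\\v\\local settings\\application data\\6808adb6
2012-02-18 14:38:19 25856 -c--a-w- c:\\windows\\system32\\dllcache\\usbprint.sys
"""

# date time size-or-dashes 8-char-attributes path
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[a-z-]{8}) (?P<path>.+)$"
)

@dataclass
class Entry:
    timestamp: str
    size: Optional[int]   # None for directories (DDS prints dashes instead of a size)
    attrs: str            # raw attribute field, e.g. "d-sh--w-"
    path: str

    @property
    def is_dir(self) -> bool: return self.attrs[0] == "d"   # assumed: 'd' = directory
    @property
    def hidden(self) -> bool: return "h" in self.attrs      # assumed: 'h' = hidden
    @property
    def system(self) -> bool: return "s" in self.attrs      # assumed: 's' = system

def parse_created_last_30(text: str) -> List[Entry]:
    """Parse listing lines; section headers and '.' separators are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"].startswith("-") else int(m["size"])
        entries.append(Entry(f"{m['date']} {m['time']}", size, m["attrs"], m["path"]))
    return entries

HEX_NAME = re.compile(r"^[0-9a-f]{6,}$")

def review_candidates(entries: List[Entry]) -> List[str]:
    """Hidden+system entries under a user profile whose name is just hex digits.
    This is a review heuristic, not a verdict: a human still has to look."""
    out = []
    for e in entries:
        p = e.path.lower()
        name = p.rsplit("\\", 1)[-1]
        if e.hidden and e.system and "documents and settings" in p and HEX_NAME.match(name):
            out.append(e.path)
    return out
```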


#3 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 11 March 2012 - 03:17 PM

Good evening. :)

The main issue here is the lack of adequate security programs. Although one of your logs shows that you installed BitDefender Free Edition 2009 a couple of weeks ago, you uninstalled it the same day, and I don't know if you had anything running prior to that. This sort of thing leaves your PC open to a whole range of malware that you can come across online, and there is no way to know what exactly may have happened on your system (files patched, replaced, corrupted, etc.), so if this was my PC I would back up all important data and then reformat and reinstall, and it's what I recommend you do too.

The basic security requirements are one resident anti-virus program and one third-party firewall, and if you would like I can let you have some links to free examples of both. You also need to ensure that you regularly check that the rest of your software is up-to-date - both Adobe Reader and Java are older versions than they should be.

So long, and thanks for all the fish.


#4 neilz

neilz
  • Topic Starter
  • Members
  • 5 posts

Posted 11 March 2012 - 10:57 PM

First of all, thank you so much for your reply. Yes, I did install BitDefender and then also a couple of others after I got infected with ABNOW. Then one of the things said I needed to uninstall all the previous malware removers, or something, or uninstalled it. Even my new computer doesn't have any protection. It would be great if you can send me the links to free firewall and antivirus programs. Many thanks.

#5 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 12 March 2012 - 03:27 PM

Good evening. :)

Anti-virus programs.
AVG Free Edition: Available here.
avast! 4 Home Edition: Available here
AntiVir Personal Edition Classic : Available here
Microsoft Security Essentials: Available here

Firewalls.
Comodo Firewall Pro, available here.
Zone Alarm, available here.
Online Armor Free, available here.

Although there are other options available (Comodo, for example, also has an anti-virus program), I have used all the above at one time or another, so that is why I have posted them.

Remember that you should only have one active anti-virus program and one firewall installed at any one time - more than that can result in conflicts, and things don't work as they should.

If you have any questions, please ask and I'll do my best to answer.

So long, and thanks for all the fish.


#6 neilz

neilz
  • Topic Starter
  • Members
  • 5 posts

Posted 14 March 2012 - 11:55 PM

Thanks for the links. I did download one antivirus (AVG) and one firewall (ZA) on my new computer, which also didn't have any protection. However, since yesterday I have been getting this sudden blue screen with the following messages:

A problem has been detected and Windows has been shut down to prevent damage to your computer

IRQL_NOT_LESS_OR_EQUAL

If this is the first time you've seen this screen.....

check to make sure any new hardware or software......

Disable BIOS memory options such as caching or shadowing...


*** STOP: 0X0000000A, ......... 0XFFFFF80002ECFE95)

Is it the virus program that's doing this, or anything else? Please let me know if you would need logs for this machine too to diagnose the issue. This is my new computer, hardly used.

#7 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 15 March 2012 - 03:22 PM

Good evening. :)

Did you reformat and reinstall, or simply install the AV and firewall on the infected PC?

So long, and thanks for all the fish.


#8 neilz

neilz
  • Topic Starter
  • Members
  • 5 posts

Posted 16 March 2012 - 01:26 AM

Hello,

Thanks for your reply. I apologize for the confusion. I haven't done anything with my old infected PC as of yet. That is still pretty much dead. I installed the antivirus and firewall on my new laptop, which was also not protected, and I am facing issues with that now. It didn't have any malware or virus problem, but to be on the safer side I installed these programs on it to avoid future attacks. I am facing problems with this system now. If you would like, I can post the logs of this new system too.

Today I got the blue screen again on my new computer with a different message. It said:

Run a system diagnostic utility supplied by your hardware manufacturer. In particular, run a memory check, and check for faulty or mismatched memory. Try changing video adapters.

Disable or remove any newly installed hardware, drivers or software....

*** STOP: 0X000007F (0X......8, 0X0....8050033, 0X0....0406F8, 0XFFFFF88004D2FB57)

*** igdkmd64.sys -- address 0XFFFFF88004D2FB57 base at FFFFF88004C38000, datestamp 4dd88994)

Edited by neilz, 16 March 2012 - 06:45 AM.


#9 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 16 March 2012 - 03:50 PM

Good evening. :)

I'd say that one of the security programs you chose doesn't play nicely with your system. I'd hazard a guess that if you uninstall Zone Alarm the Blue Screens will cease. If this is the case, pick another and try again.

So long, and thanks for all the fish.


#10 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 21 March 2012 - 03:52 PM

As this issue appears to have been resolved, this thread is now closed.

So long, and thanks for all the fish.
