
Possible root kit installing viruses


This topic is locked
82 replies to this topic

#16 nasdaq
  • Malware Response Team
  • 40,182 posts
  • Location: Montreal, QC. Canada

Posted 21 March 2012 - 09:43 AM

ComboFix still won't run. Its behaviour has not changed. I downloaded it again, right clicking and just typing gibberish for the file name when I save it from BleepingComputer.com. Even though it says the folder is not located where it's expected to be, the folder is created, but it seems to be some sort of copy of my computer, which can result in an infinite loop of entering my computer, going to c:\, going to the combofix folder, which acts like my computer.

You can even right click and manage this folder. I'm not sure if this is normal behaviour for ComboFix.


It's not.

Delete your current copy of ComboFix.

Download a fresh copy as per the following instructions. DO NOT RUN IT just now.

Download ComboFix from any of the links below but rename it to Wrinkled.exe before saving it to your desktop. <- Important.

Link 1
Link 2
==================================

  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on the renamed ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall.
====

Follow the following instructions to disable AVG completely.
http://forums.avg.com/ww-en/avg-forums?sec=thread&act=show&id=94159

===

When completed run the ComboFix.exe (Wrinkled.exe)

Can you now run it to completion and post a log?


#17 WrinkledCheese
  • Topic Starter
  • Members
  • 59 posts

Posted 21 March 2012 - 10:39 AM

I will follow your instructions to the letter, I just want to make it known that every time I try to run ComboFix, or any anti-malware tool for that matter, I download a new copy: I google ComboFix or go straight to ComboFix.org; select the first link - combofix.org; click the download link; go to the bleepingcomputer.com link; right click the 10 minute download link and click save as; pretend I can type at 3,000 words a minute for a second. I.e. the last one I downloaded was named 'a12dh4j4.exe'. Before that it was 'cf.exe' and before that it was '3b1j7rzd.exe'.

I will report back shortly with the requested logs.

Edited by WrinkledCheese, 21 March 2012 - 10:41 AM.


#18 WrinkledCheese
  • Topic Starter
  • Members
  • 59 posts

Posted 21 March 2012 - 11:43 AM

I performed every step you mentioned that I was able to. I also explored the odd behaviour.

I created a video and posted it on YouTube unlisted: Use either of these links to view the video.
Shorthand link:
http://youtu.be/0rlfCAGadGs

Regular link:


#19 nasdaq
  • Malware Response Team
  • 40,182 posts
  • Location: Montreal, QC. Canada

Posted 22 March 2012 - 07:43 AM

Let's start over. I suspect that you have some remnant entries referencing ComboFix.


The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bold text into the Run box and click OK:

ComboFix /Uninstall

Delete all the folders that combofix may have created.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2


If your operating system is 64 bit download this tool:
SystemLook_x64.exe
  • Double-click SystemLook.exe to run it.
  • Copy and paste the content of the following bold text into the main textfield:


    :filefind
    ComboFix.*
    cf.exe
    3b1j7rzd.exe
    a12dh4j4.exe
    Wrinkled.exe

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Post the log for my review.

This search may take some time. Let it finish.

#20 WrinkledCheese
  • Topic Starter
  • Members
  • 59 posts

Posted 22 March 2012 - 09:00 AM

Unfortunately these aren't the only names of the ComboFix file I've used. Although if any are present it should give us an idea where to find the rest of them as I'm unsure of all the names since, like I said before, I only pretended I had a typing speed of 1,000,000 words a minute and they've been deleted.

Is it possible to remove the period from the ComboFix.* since there were some copies named 'ComboFix(1).exe' and 'ComboFix(2).exe' early in the process before I posted here when I was unable to get anywhere?

[EDIT]

combofix /uninstall does not work. Behaves the same as when just double clicking the icon. I did a search in the registry for other instances of ComboFix and I found thcbytes.exe as well as thcbytes2.exe.

Edited by WrinkledCheese, 22 March 2012 - 09:13 AM.


#21 WrinkledCheese
  • Topic Starter
  • Members
  • 59 posts

Posted 22 March 2012 - 09:23 AM

I've attached the logs. I ran it twice: once with a copy and paste as requested and once with my edits. I made edits because there were other possible ComboFix file names I added. The scans took ~10 seconds.

The edits I ran looked like:

    :filefind
    ComboFix*
    cf.exe
    3b1j7rzd.exe
    a12dh4j4.exe
    Wrinkled.exe
    thcbytes.exe
    thcbytes2.exe


#22 WrinkledCheese
  • Topic Starter
  • Members
  • 59 posts

Posted 22 March 2012 - 10:12 AM

Well, I broke the rules. I did something without being asked to. I ran ComboFix - Wrinkled.exe - and just as the ComboFix window says:

Output folder: 32788R22WJFW

I pressed ctrl+c then ctrl+v as fast as I could and I believe I was able to copy all the files that were extracted before the odd behaviour starts. I renamed the folder to _32788R22WJFW_ then I posted this.

I suspect that whatever I'm infected with is renaming the folder when one of these programs is executed. If I remember correctly, the last program that manages to run is one of these two files:
swsc.3XE
swxcacls.3XE

I'm pretty sure it's swxcacls.3XE. Ever since I started getting the 'Inform sUBs' message posted above, it's not sticking there anymore. I'm hoping there is a way to manually perform the ComboFix scan using a command line option instead of relying on the program's automated procedure. There is probably good reason that ComboFix has been disabled from running in this way.

Here is a list of files.
03/22/2012 11:25 AM <DIR> EN-US
file removed for security reasons.
nasdaq.

Edited by nasdaq, 24 March 2012 - 08:01 AM.


#23 nasdaq
  • Malware Response Team
  • 40,182 posts
  • Location: Montreal, QC. Canada

Posted 23 March 2012 - 07:37 AM

Delete these files in bold.

C:\Documents and Settings\Administrator\Desktop\ComboFix.exe -r----- 4417295 bytes [11:10 01/01/2003] [18:54 23/02/2012] 1D44BDDBB06AFDB3EFBA0EFBAF4DA587
C:\Documents and Settings\Administrator\My Documents\Downloads\ComboFix.exe --a---- 4417295 bytes [18:54 23/02/2012] [18:54 23/02/2012] 1D44BDDBB06AFDB3EFBA0EFBAF4DA587
C:\Documents and Settings\Staff\Desktop\combofix.PNG --a---- 23697 bytes [18:27 20/03/2012] [18:27 20/03/2012] 33F63D5BC0DAD764AB94DF0E986809C5
C:\Documents and Settings\Staff\My Documents\Downloads\ComboFix.exe -r----- 4427148 bytes [14:58 06/03/2012] [14:58 06/03/2012] 8238460F024D8C3BDFF981BD53DCDAFF
C:\Documents and Settings\Staff\Recent\combofix.PNG.lnk --a---- 483 bytes [18:27 20/03/2012] [18:27 20/03/2012]

Just keep Wrinkled.exe and run it.

Let me know what happens. I may have to refer this to the owner of the tool.
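Added example, not part of this thread and not SystemLook's own code: a small Python parser for the :filefind result lines quoted in the post above. It groups the entries by file name and reports names that show up with more than one distinct MD5, which is exactly the situation in this log (two ComboFix.exe copies with one hash, a third with another). The sample input is the five lines from the post; the line layout is assumed from them.

```python
import re
from collections import defaultdict

# Sample input: the :filefind result lines quoted in the post above, copied verbatim.
SYSTEMLOOK_OUTPUT = r"""
C:\Documents and Settings\Administrator\Desktop\ComboFix.exe -r----- 4417295 bytes [11:10 01/01/2003] [18:54 23/02/2012] 1D44BDDBB06AFDB3EFBA0EFBAF4DA587
C:\Documents and Settings\Administrator\My Documents\Downloads\ComboFix.exe --a---- 4417295 bytes [18:54 23/02/2012] [18:54 23/02/2012] 1D44BDDBB06AFDB3EFBA0EFBAF4DA587
C:\Documents and Settings\Staff\Desktop\combofix.PNG --a---- 23697 bytes [18:27 20/03/2012] [18:27 20/03/2012] 33F63D5BC0DAD764AB94DF0E986809C5
C:\Documents and Settings\Staff\My Documents\Downloads\ComboFix.exe -r----- 4427148 bytes [14:58 06/03/2012] [14:58 06/03/2012] 8238460F024D8C3BDFF981BD53DCDAFF
C:\Documents and Settings\Staff\Recent\combofix.PNG.lnk --a---- 483 bytes [18:27 20/03/2012] [18:27 20/03/2012]
"""

# Assumed line layout (taken from the lines above): path, 7 attribute flags, size,
# [created] [modified], and an optional 32-hex MD5 (absent for the .lnk entry).
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<attrs>[-a-z]{7}) (?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\]"
    r"(?: (?P<md5>[0-9A-Fa-f]{32}))?$"
)


def parse_filefind(text):
    """Parse :filefind output into dicts; size becomes int, md5 upper-case or None."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank lines and anything that is not a result line
        rec = m.groupdict()
        rec["size"] = int(rec["size"])
        rec["md5"] = rec["md5"].upper() if rec["md5"] else None
        records.append(rec)
    return records


def hashes_by_name(records):
    """Map lower-cased base name -> set of MD5s seen for it (entries without a hash are ignored)."""
    seen = defaultdict(set)
    for rec in records:
        if rec["md5"]:
            seen[rec["path"].rsplit("\\", 1)[-1].lower()].add(rec["md5"])
    return dict(seen)


def inconsistent_names(records):
    """Base names that occur with more than one distinct MD5, i.e. copies that are not the same binary."""
    return sorted(n for n, hs in hashes_by_name(records).items() if len(hs) > 1)
```

Run over the log above, inconsistent_names() returns ['combofix.exe'], since the Staff Downloads copy differs in both size and hash from the two Administrator copies.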

#24 WrinkledCheese
  • Topic Starter
  • Members
  • 59 posts

Posted 23 March 2012 - 08:57 AM

I deleted all of those files. I had forgotten I had logged into Administrator to try ComboFix before I posted my thread.

The behaviour has not changed at all.

#25 nasdaq
  • Malware Response Team
  • 40,182 posts
  • Location: Montreal, QC. Canada

Posted 23 March 2012 - 09:40 AM

I'm investigating this issue with the owner.

Stay with me.

#26 WrinkledCheese
  • Topic Starter
  • Members
  • 59 posts

Posted 23 March 2012 - 10:04 AM

I will intently stay tuned to this thread. I'm setting up forwarding emails from bleeping computer to my cell phone.

#27 nasdaq
  • Malware Response Team
  • 40,182 posts
  • Location: Montreal, QC. Canada

Posted 25 March 2012 - 10:47 AM

I'm still waiting as are others for some feedback.

Can you boot to safe mode and run ComboFix?

What Virus protection and firewall do you presently have on this computer?

#28 WrinkledCheese
  • Topic Starter
  • Members
  • 59 posts

Posted 25 March 2012 - 11:51 AM

I went out last night so it will be tonight or tomorrow before I can get a chance to try safe mode with ComboFix, but I think I did it before, I'm just not sure. For firewall, Windows Firewall is disabled. Just relying on the router firewall. I haven't tried enabling the Windows Firewall.

#29 WrinkledCheese
  • Topic Starter
  • Members
  • 59 posts

Posted 26 March 2012 - 08:00 AM

I checked ComboFix from safe mode and it has the same behaviour as in regular mode.

#30 nasdaq
  • Malware Response Team
  • 40,182 posts
  • Location: Montreal, QC. Canada

Posted 26 March 2012 - 01:37 PM

  • Download OTL to your Desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Under the Custom Scan box paste this in

    %SYSTEMDRIVE%\*.exe
    %systemroot%\system32\drivers\*.sys /90
    %systemroot%\*. /mp /s
    c:\$recycle.bin\*.* /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    explorer.exe
    svchost.exe
    userinit.exe
    qmgr.dll
    proquota.exe
    kernel32.dll
    ndis.sys
    autochk.exe
    spoolsv.exe
    xmlprov.dll
    ntmssvc.dll
    mswsock.dll
    Beep.SYS
    ntfs.sys
    termsrv.dll
    sfcfiles.dll
    st3shark.sys
    ahcix86.sys
    srsvc.dll
    /md5stop
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.




