
svchost.exe - Application error


  • This topic is locked
43 replies to this topic

#1 KBR1

KBR1

  • Members
  • 37 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Orlando, FL
  • Local time:01:02 PM

Posted 11 May 2012 - 08:14 PM

This all started when my roommate was searching the "fun" internet sites on my laptop, he told me later that he's having internet bombardment issues. :whistle: REALLY???

Here we go:
Toshiba A105 Satellite Laptop, Win XP MCE SP3, 2gb RAM

After running Combofix (see the inserted text file below), upon bootup the following was observed:
1. Svchost.exe - Application Error, The instruction at 0X00635F94 referenced memory at 0X00C60000. The memory could not be "written".
This window constantly shows up 15 times before logon screen, then another 14 times after logon to desktop.
Any time you try to run, look at, go anywhere, this message pops up.
Choice of: OK to terminate, CANCEL to debug, neither did anything but show error window again, again, and again, etc...
2. Cannot copy or paste AT ALL with mouse or keyboard shortcuts, won't allow it,
have to use CMD window and DOS commands to copy files from one location to another, i.e. flashdrive to c:\ directory
3. There is NO internet access whatsoever, the LAN card has been REMOVED from network connections window, is available within device manager tho.
4. Cannot run ANY anti-malware (Malwarebytes) or Anti-spyware programs (Super Anti-Spyware), totally disabled.
5. Cannot access ANY restore points, apparently they have been hidden from view, even in DOS mode.
6. ALL files, folders, desktop icons, ALL shortcuts are missing from view (hidden).

When Combofix runs, following is displayed:
You are infected with Rootkit.ZeroAccess! It has inserted itself into the tcp/ip stack.
This is a particularly DIFFICULT infection. <_< (No Way!)
If for any reason that you're unable to connect to the internet after running Combofix, reboot once and see if that fixes it.
If it's not fixed, run Combofix one more time.
Have run multiple times, keeps stating same issue.

When finished running, text file states that "explorer.exe" is still INFECTED!

Programs I've ran or tried to run:
1. Combofix: see above info, text file below.
2. Malwarebytes: not a chance, won't even run, changed extensions and renamed, comes back with "Run-time error 372",
Failed to load control "vbalgrid" from vbalsgrid6.ocx. Your version of vbalsgrid6.ocx may be outdated.
Make sure you are using the version of the control that was provided with the application.
Tried downloading NEWEST from server on GOOD machine, saved with UPDATED rules.ref, still no joy, same as above.
3. Super Anti-Spyware: runs but svchost.exe error occurs and won't do anything until you select OK or CANCEL, which upon EVERY scan you have to click this box.
4. OTL: won't even load, gives error: Exception EReadError in module OTL.exe at 00016A68. Error reading DiskPartitionInfo1.Active
5. Unhide: ran to unhide the hidden attribute, worked great, now I can at least see my files again. Yoorah!
6. Rkill: didn't find anything!
7. TDSSkiller: also didn't find anything!!
8. RootkitRemover: Error loading service...hmmm wonder why that is??? NO internet access maybe! waste of time!
9. AND so many more other virus detection programs that require internet access to update...more waste of time!!
10. Researched svchost.exe error, kept informing me that it was a windows update issue,
so I've downloaded and tried to run following with no avail:
WindowsUpdateAgent20-x86.exe, fix_svchost.bat, WindowsXP-KB927891-v3-x86-ENU.exe

ANY SOLUTIONS???
PLEASE PLEASE HELP!




COMBOFIX TEXT FILE:

ComboFix 12-05-11.03 - KBR-LT 05/11/2012 15:25:43.5.2 - x86
Running from: D:\CFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\explorer.exe . . . is infected!!
.
.
((((((((((((((((((((((((( Files Created from 2012-04-11 to 2012-05-11 )))))))))))))))))))))))))))))))
.
.
2012-05-11 10:21 . 2012-05-11 18:00 -------- dc----w- C:\ComboFix
2012-05-11 09:58 . 2012-05-11 09:58 -------- dc----w- C:\TDSSKiller_Quarantine
2012-05-11 09:23 . 2012-05-11 09:27 -------- d-----w- c:\program files\stinger
2012-05-11 08:05 . 2012-05-11 08:05 -------- d-----w- c:\program files\Unlocker
2012-05-11 08:04 . 2012-05-11 08:04 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2012-05-11 08:04 . 2012-05-11 08:04 -------- d-----w- c:\documents and settings\KBR-LT.KBR-LAPTOP\Application Data\TestApp
2012-05-10 23:13 . 2012-05-10 22:11 6139760 -c--a-w- C:\WindowsUpdateAgent30-x86.exe
2012-05-10 23:12 . 2012-05-10 22:00 4490712 -c--a-w- C:\WindowsUpdateAgent20-x86.exe
2012-05-10 23:10 . 2012-05-10 22:08 3038 -c--a-w- C:\fix_svchost.bat
2012-05-10 23:09 . 2012-05-10 22:03 1266056 -c--a-w- C:\WindowsXP-KB927891-v3-x86-ENU.exe
2012-05-09 00:51 . 2012-05-09 00:51 -------- d-s---w- c:\documents and settings\Administrator\IETldCache
2012-05-08 22:39 . 2012-05-08 22:39 -------- d-----w- c:\documents and settings\KBR-LT.KBR-LAPTOP\Local Settings\Application Data\Logitech® Webcam Software
2012-05-08 11:33 . 2012-05-08 11:33 -------- dc----w- C:\ae654300162b6ea263bc39c2226cd7
2012-05-08 11:33 . 2012-05-08 11:33 -------- dc----w- C:\d245725511a7a7a3cae184
2012-05-08 07:36 . 2012-05-08 07:36 -------- d-----w- c:\documents and settings\Ray\Local Settings\Application Data\PCHealth
2012-05-08 06:19 . 2012-05-08 06:19 -------- d-s---w- c:\windows\system32\config\systemprofile\IETldCache
2012-05-08 06:19 . 2012-05-08 06:19 -------- d-s---w- c:\windows\system32\config\systemprofile\PrivacIE
2012-05-08 06:04 . 2012-05-08 06:04 -------- dc----w- C:\24316880ace3eb1a92ec0401d4
2012-05-08 06:04 . 2012-05-08 06:05 -------- dc----w- C:\6d94e5c9c5c10331a01ba4089927
2012-05-08 03:16 . 2012-05-08 03:16 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Yahoo!
2012-05-03 18:39 . 2012-05-03 18:39 -------- d-----w- c:\documents and settings\Ray\Local Settings\Application Data\Logitech® Webcam Software
2012-05-03 18:30 . 2012-05-03 18:30 -------- d-----w- c:\documents and settings\Ray\Application Data\Leadertech
2012-05-03 18:30 . 2012-05-03 18:30 53248 ----a-r- c:\documents and settings\Ray\Application Data\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe
2012-05-03 18:29 . 2012-05-03 18:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Logitech
2012-05-03 18:29 . 2012-05-03 18:29 -------- d-----w- c:\program files\Common Files\LWS
2012-05-03 18:28 . 2012-05-03 18:32 -------- d-----w- c:\program files\Common Files\LogiShrd
2012-05-03 18:28 . 2012-05-03 18:28 -------- d-----w- c:\documents and settings\All Users\Application Data\LogiShrd
2012-05-03 18:28 . 2012-05-03 18:30 -------- d-----w- c:\program files\Logitech
2012-05-03 18:05 . 2008-04-14 00:12 20992 ----a-w- c:\windows\system32\dshowext.ax
2012-05-03 06:58 . 2012-05-03 06:58 -------- d-----w- c:\documents and settings\Ray\Application Data\Windows Search
2012-04-26 02:03 . 2012-04-26 02:03 -------- d-----w- c:\documents and settings\KBR-LT.KBR-LAPTOP\Local Settings\Application Data\PCHealth
2012-04-20 04:06 . 2012-04-20 04:06 -------- d-----w- c:\documents and settings\Ray\Local Settings\Application Data\visi_coupon
2012-04-20 04:06 . 2012-04-20 04:07 -------- d-----w- c:\documents and settings\Ray\Application Data\Yahoo!
2012-04-20 04:06 . 2012-04-20 04:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2012-04-20 04:06 . 2012-05-08 07:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2012-04-20 04:03 . 2012-04-20 04:06 -------- d-----w- c:\program files\Yahoo!
2012-04-17 18:44 . 2012-04-26 02:10 -------- d-----w- c:\documents and settings\KBR-LT.KBR-LAPTOP\Local Settings\Application Data\AskToolbar
2012-04-12 03:34 . 2012-05-05 02:26 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-11 18:07 . 2009-12-18 17:54 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-05-05 02:26 . 2012-03-20 00:15 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-04 19:56 . 2009-12-18 17:53 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-01 11:01 . 2006-02-15 14:04 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 11:01 . 2006-02-15 14:02 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-03-01 11:01 . 2006-02-15 14:02 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-02-29 14:10 . 2006-02-15 14:04 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10 . 2006-02-15 14:02 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 12:17 . 2006-02-15 14:02 385024 ----a-w- c:\windows\system32\html.iec
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
Cryptography Services Error !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2005-12-22 04:42 40448 ----a-w- c:\windows\system32\psqlpwd.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HOTSYNCSHORTCUTNAME.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HOTSYNCSHORTCUTNAME.lnk
backup=c:\windows\pss\HOTSYNCSHORTCUTNAME.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^RAMASST.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\RAMASST.lnk
backup=c:\windows\pss\RAMASST.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^KBR-LT.KBR-LAPTOP^Start Menu^Programs^Startup^MEMonitor.lnk]
path=c:\documents and settings\KBR-LT.KBR-LAPTOP\Start Menu\Programs\Startup\MEMonitor.lnk
backup=c:\windows\pss\MEMonitor.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2012-01-04 03:51 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
2005-10-15 14:29 88203 -c--a-w- c:\windows\agrsmmsg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
2006-09-14 20:09 157592 -c--a-w- c:\program files\DAEMON Tools\daemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-05 21:56 64512 -c--a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2005-11-28 05:52 77824 -c--a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2005-11-28 05:55 118784 -c--a-w- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
2005-11-28 05:55 98304 -c--a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
2005-11-28 18:41 602182 -c--a-w- c:\program files\Intel\Wireless\Bin\iFrmewrk.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelZeroConfig]
2005-12-05 19:37 667718 -c--a-w- c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-06-16 11:03 221184 -c--a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-06-16 11:03 81920 -c--a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSQLLauncher]
2005-12-22 04:29 30208 ----a-w- c:\program files\Protector Suite QL\launcher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-19 03:16 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-02-22 09:25 144784 ----a-w- c:\program files\Java\jre1.6.0_05\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
2005-12-16 08:34 82009 -c--a-w- c:\program files\Synaptics\SynTP\SynTPLpr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TDispVol]
2005-03-11 23:03 73728 -c--a-w- c:\windows\system32\TDispVol.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\THotkey]
2006-01-05 22:02 352256 -c--a-w- c:\program files\TOSHIBA\TOSHIBA Applet\THotkey.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2008-06-05 17:26 185896 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AOL ACS"=2 (0x2)
"McShield"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\FlexiSIGN-PRO 7\\Program\\App.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\FlexiSIGN-PRO 7\\Program\\App2.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.3.5.12340-x86-Win-enUS-BKGND-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10192-to-3.3.0.10958-enUS-downloader.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\BM_Win\\bmw32.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
.
R2 713xTVCard;SAA7134 TV Card;c:\windows\system32\DRIVERS\SAA713x.sys [2005-03-15 277504]
R2 WDMTVTuner;Universal WDM TV Tuner;c:\windows\system32\drivers\WDMTuner.sys [2005-03-30 23680]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-05 257696]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-05-11 40776]
R3 MFE_RR;MFE_RR;c:\docume~1\ADMINI~1\LOCALS~1\Temp\mfe_rr.sys [x]
R3 MSSQL$NR2007;SQL Server (NR2007);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2007-02-10 29178224]
R3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\DRIVERS\netaapl.sys [2010-04-20 18432]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-05-14 7408]
R4 NeatReceipts Database Controller;NeatReceipts Database Controller;c:\program files\Common Files\NeatReceipts\DB Controller\NeatReceiptsDBController.exe [2007-08-29 230760]
R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2006-10-04 611064]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-05-14 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-12-18 74480]
S2 FdRedir;FdRedir;c:\program files\Common Files\Protector Suite QL\Drivers\FdRedir.sys [2005-12-22 13568]
S2 FileDisk2;FileDisk Protector Kernel Driver;c:\program files\Common Files\Protector Suite QL\Drivers\filedisk.sys [2005-12-22 33024]
S2 smihlp;SMI helper driver;c:\program files\Protector Suite QL\smihlp.sys [2005-12-22 3456]
S2 UMVPFSrv;UMVPFSrv;c:\program files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [2012-01-18 450848]
.
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
U3sHlpDr
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-08 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-12 02:26]
.
2012-04-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:34]
.
2012-05-08 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2012-01-03 22:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
TCP: DhcpNameServer = 192.168.2.1 65.32.5.111 65.32.5.112
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-11 15:51
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,12,ff,f7,1a,6a,40,9c,44,9a,8e,66,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,12,ff,f7,1a,6a,40,9c,44,9a,8e,66,\
.
[HKEY_USERS\S-1-5-21-341582202-1946585158-816934597-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(440)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\windows\system32\biologon.dll
c:\program files\Protector Suite QL\homepass.dll
c:\program files\Protector Suite QL\bio.dll
c:\program files\Protector Suite QL\remote.dll
c:\program files\Protector Suite QL\crypto.dll
.
- - - - - - - > 'lsass.exe'(500)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homefus2.dll
.
Completion time: 2012-05-11 15:55:25
ComboFix-quarantined-files.txt 2012-05-11 19:55
ComboFix2.txt 2012-05-11 18:00
.
Pre-Run: 39,099,912,192 bytes free
Post-Run: 39,094,157,312 bytes free
.
- - End Of File - - 7BBFA2C5D1A4A8A8FB8257C2674D8B6D
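The ComboFix log above is what the thread's helpers read by eye. As an added illustration (not part of the post, and not a ComboFix or BleepingComputer tool), the following Python script shows how a responder could triage such a log automatically: it parses the REGEDIT4-style "Reg Loading Points" section into registry keys and values and flags the items a reader would pick out by hand, namely the "is infected" line, the Sigcheck "Cryptography Services Error", the Security Center AntiVirusOverride / FirewallOverride / DisableMonitoring values set to 1 (which silence Security Center's missing-protection warnings), and the services listed under the msconfig services key. The SAMPLE_LOG excerpt is constructed from lines of the log above; the function names are my own.

```python
"""Triage helper for ComboFix-style logs (added example, not a ComboFix tool)."""
import re
from typing import Dict, List

# Constructed excerpt: the lines are copied from the ComboFix log in the post above.
SAMPLE_LOG = r"""
c:\windows\explorer.exe . . . is infected!!
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
Cryptography Services Error !!
.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AOL ACS"=2 (0x2)
"McShield"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
"""

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]\s*$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<raw>.*)$')
DEFAULT_RE = re.compile(r'^@=(?P<raw>.*)$')

SECURITY_CENTER = r"hkey_local_machine\software\microsoft\security center"
MSCONFIG_SERVICES = r"hkey_local_machine\software\microsoft\shared tools\msconfig\services"


def decode_value(raw: str) -> object:
    """dword:XXXXXXXX becomes an int, a quoted string loses its quotes,
    anything else (e.g. '2 (0x2)') is kept verbatim."""
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    return raw


def parse_reg_values(log_text: str) -> Dict[str, Dict[str, object]]:
    """Collect {registry_key: {value_name: value}} from the REGEDIT4-style lines.
    Lines outside a [key] block (log chatter, '.' separators) are ignored."""
    reg: Dict[str, Dict[str, object]] = {}
    current = None
    for line in log_text.splitlines():
        line = line.rstrip()
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            reg.setdefault(current, {})
            continue
        if current is None:
            continue
        m = VALUE_RE.match(line) or DEFAULT_RE.match(line)
        if m:
            name = m.groupdict().get("name") or "@"
            reg[current][name] = decode_value(m.group("raw"))
    return reg


def triage(log_text: str) -> List[str]:
    """Return the findings a reader would pull out of the log by hand."""
    findings: List[str] = []
    for line in log_text.splitlines():
        if " is infected" in line:
            findings.append("ComboFix reports an infected file: " + line.split(" . . . ")[0].strip())
        if line.strip().startswith("Cryptography Services Error"):
            findings.append("Sigcheck could not verify signatures (Cryptography Services Error)")
    for key, values in parse_reg_values(log_text).items():
        lk = key.lower()
        if lk == SECURITY_CENTER:
            for name in ("AntiVirusOverride", "FirewallOverride"):
                if values.get(name) == 1:
                    findings.append(f"Security Center {name}=1: missing-protection warning suppressed")
        elif lk.startswith(SECURITY_CENTER + "\\monitoring\\") and values.get("DisableMonitoring") == 1:
            findings.append("Security Center monitoring disabled for " + key.split("\\")[-1])
        elif lk == MSCONFIG_SERVICES and values:
            findings.append("Services disabled through msconfig: " + ", ".join(sorted(values)))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print("-", finding)
```

Run against a saved ComboFix.txt by reading the file into `triage()`; the hex continuation lines under "LOCKED REGISTRY KEYS" are deliberately ignored, since they carry no value worth flagging here.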


#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:06:02 PM

Posted 13 May 2012 - 04:30 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
m0le is a proud member of UNITE

#3 KBR1

KBR1
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Orlando, FL
  • Local time:01:02 PM

Posted 13 May 2012 - 07:08 PM

Hi Mole, I'm here awaiting your instructions, thanks so much for the help.

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:06:02 PM

Posted 14 May 2012 - 07:07 PM

ZeroAccess is nasty, isn't it?

Firstly, you should not be running Combofix without expert help. Period.

However, your machine is fairly damaged at this stage so we need to tread carefully.

It sounds like you can still run tools through the flashdrive and we can also access the machine by booting the PC with a Linux operating system so we have some options.

First, let's try the Linux method - you need another machine and a flashdrive

Download http://unetbootin.sourceforge.net/unetbootin-xpud-windows-latest.exe & http://noahdfear.net/downloads/bootable/xPUD/xpud-0.9.2.iso to the desktop of your clean computer
  • Insert your USB drive
  • Press Start > My Computer > right click your USB drive > choose Format > Quick format
  • Double click the unetbootin-xpud-windows-387.exe that you just downloaded
  • Press Run then OK
  • Select the DiskImage option then click the browse button located on the right side of the textbox field.
  • Browse to and select the xpud-0.9.2.iso file you downloaded
  • Verify the correct drive letter is selected for your USB device then click OK
  • It will install a little bootable OS on your USB device
  • Once the files have been written to the device you will be prompted to reboot ~ do not reboot and instead just Exit the UNetbootin interface
  • After it has completed do not choose to reboot the clean computer simply close the installer
  • Next download dumpit to your USB
  • Remove the USB and insert it in the sick computer
  • Boot the Sick computer
  • Press F12 and choose to boot from the USB
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • Click on sdb1 (sdb1 represents the USB drive).
  • Double click on the dumpit file.
  • A black window will pop-up and it will dump and zip the MBR to your USB drive.
  • Press Enter to exit the black window.
  • Click on HOME tab and choose Power Off to turn off xPUD.
  • Remove the USB drive and insert it back on your working computer.
  • Locate the mbr.zip file in your USB drive and attach it when you reply.


#5 KBR1

KBR1
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Orlando, FL
  • Local time:01:02 PM

Posted 14 May 2012 - 08:02 PM

m0le,
followed your directions, got all the way to sdb1, but there were no files in that directory.
first time dumpit ran, it opened in notepad, saved as .txt file.
thought that might be wrong, so I removed the .txt extension, tried again, but same problem as above.
Kendall

#6 KBR1

KBR1
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Orlando, FL
  • Local time:01:02 PM

Posted 14 May 2012 - 08:26 PM

m0le, what are your hours at the computer desk (helping)?
I want to make sure I'm here during that time,
my time is Eastern Date Time.
Thanks,
Kendall

#7 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:06:02 PM

Posted 15 May 2012 - 06:07 PM

I don't have times as such. I am usually online between 10pm-1am GMT weekdays, weekends are more difficult to predict.

first time dumpit ran, it opened in notepad, saved as .txt file.


This is correct. You need to attach this text file (it can't be opened and read in the usual way) to your next post.

#8 KBR1

KBR1
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Orlando, FL
  • Local time:01:02 PM

Posted 15 May 2012 - 06:18 PM

m0le,
1. when i "ran" dumpit on GOOD computer (win7 home 64-bit), it ran then opened notepad, which I saved as dumpit.txt
2. followed instructions, got to sdb1, even showed there were NO files within that directory.
3. went under FIND command, looked for 'dumpit', still no joy.
4. "ran" dumpit again, but this time REMOVED the .txt, which is now saved as "dumpit"
5. again got to sdb1, still NO files within directory!

not sure why that is.
Kendall

#9 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:06:02 PM

Posted 15 May 2012 - 06:33 PM

Sometimes it just doesn't work and I'm not sure why that is. It is worth unplugging the USB while in xPUD and then plugging it back in. It can sometimes then recognise the USB device.

If that fails then we will set xPUD to install and run using a CD

#10 KBR1

KBR1
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Orlando, FL
  • Local time:01:02 PM

Posted 15 May 2012 - 06:54 PM

when I removed USB drive, window in right corner (flips between following)
/mnt/sg2 Unmounted
/mnt/host3 Unmounted
/mnt/sdb Unmounted
/mnt/4:0:0:0 Unmounted
/mnt/8:16 Unmounted
/mnt/host4 Unmounted
/mnt/I-4 Unmounted


still didn't find USB drive
Kendall

#11 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:06:02 PM

Posted 15 May 2012 - 07:25 PM

Try this please. You will also need a USB drive but we are going to boot xPUD using a CD

Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and upon finished will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Next download dumpit to your USB
  • Remove the USB & CD and insert it in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • Click on sdb1 (sdb1 represents the USB drive).
  • Double click on the dumpit file.
  • A black window will pop-up and it will dump and zip the MBR to your USB drive.
  • Press Enter to exit the black window.
  • Click on HOME tab and choose Power Off to turn off xPUD.
  • Remove the USB drive and insert it back on your working computer.
  • Locate the mbr.zip file in your USB drive and attach it when you reply.


#12 KBR1

KBR1
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Orlando, FL
  • Local time:01:02 PM

Posted 16 May 2012 - 02:20 AM

m0le,
everything worked as per the instructions...until the black window, which just flashes, nothing more, nothing less, never unzipped anything.
flashes too quick for me to see what it's doing!

tried 3 different flashdrives.

can't copy file for you, let's try something else.
Kendall

#13 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:06:02 PM

Posted 16 May 2012 - 05:59 PM

Trying something else then.

Booting from Ubuntu Live from a USB Device

--------------

  • Please remove any existing information from your USB device
  • Download Ubuntu Live to your USB device (or if necessary do so from a working computer). This is a large file so allow it some time to download
  • With the USB device inserted into the infected computer restart your computer
  • If your computer does not automatically boot from the USB device please see here
  • Once the Ubuntu desktop is loaded please select English and then Try Ubuntu

  • Type terminal in the search box
  • Click on the first Terminal icon that is displayed - this will open a command prompt window
  • Type the following line and press Enter

    sudo dd if=/dev/sda of=mbr.txt bs=512 count=1

  • Open Firefox and connect to this topic
  • To access the Home folder click the third icon from the top in the left panel (Home Folder). You will see some folders there, as well as the mbr.txt file you just created
  • Copy and paste the mbr.txt file located in Home Folder and post in your next reply
  • Remove the USB device from your computer
  • Restart your computer into Windows

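The dd command in the post above copies the first 512-byte sector of /dev/sda, the Master Boot Record, so that a helper can compare its boot code against a clean one. The following Python script is an added example, not m0le's tool and not part of the thread: it parses such a 512-byte mbr.txt, verifies the 0x55AA boot signature, decodes the four partition-table entries, hashes the 440 bytes of boot code so they can be compared against a known-good copy, and reports the inconsistencies a responder would look for. It goes slightly beyond the post by checking the partition table as well as the boot code. The sample sector is constructed in build_sample_mbr() (it is not the attachment from this thread) and the function and field names are my own.

```python
"""Parse and sanity-check a 512-byte MBR dump such as the mbr.txt produced by
`dd if=/dev/sda of=mbr.txt bs=512 count=1` (added example, not a tool from the thread)."""
import hashlib
import struct
import sys
from typing import Dict, List, Optional

MBR_SIZE = 512
BOOT_CODE_SIZE = 440          # boot code occupies bytes 0..439
DISK_SIG_OFFSET = 440         # 4-byte disk signature follows the boot code
PT_OFFSET = 446               # four 16-byte partition entries start here
ENTRY_FMT = "<B3sB3sII"       # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of a valid MBR


def build_sample_mbr() -> bytes:
    """Constructed sample sector (not the attachment from this thread): a few
    bytes of boot code padded with NOPs, one active NTFS partition at LBA 63."""
    boot_code = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * (BOOT_CODE_SIZE - 7)
    disk_sig = struct.pack("<I", 0x12345678)
    reserved = b"\x00\x00"
    entry0 = struct.pack(ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 2097152)
    empty = b"\x00" * 16 * 3
    return boot_code + disk_sig + reserved + entry0 + empty + BOOT_SIGNATURE


def parse_mbr(sector: bytes) -> Dict[str, object]:
    """Decode the fixed-layout fields of one MBR sector."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    partitions: List[Dict[str, object]] = []
    for i in range(4):
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack_from(
            ENTRY_FMT, sector, PT_OFFSET + i * 16)
        if ptype == 0 and lba == 0 and count == 0:
            continue  # unused slot
        partitions.append({"index": i, "status": status, "bootable": status == 0x80,
                           "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "valid_signature": sector[MBR_SIZE - 2:] == BOOT_SIGNATURE,
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFFSET)[0],
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_SIZE]).hexdigest(),
        "partitions": partitions,
    }


def check_mbr(parsed: Dict[str, object], known_good_hash: Optional[str] = None) -> List[str]:
    """Return human-readable warnings; an empty list means nothing looked off."""
    warnings: List[str] = []
    if not parsed["valid_signature"]:
        warnings.append("missing 0x55AA boot signature")
    parts = parsed["partitions"]
    bootable = [p for p in parts if p["bootable"]]
    if len(bootable) != 1:
        warnings.append(f"{len(bootable)} bootable partitions (expected exactly 1)")
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            warnings.append(f"entry {p['index']}: invalid status byte 0x{p['status']:02x}")
        if p["sectors"] == 0:
            warnings.append(f"entry {p['index']}: zero-length partition")
    if known_good_hash and parsed["boot_code_sha256"] != known_good_hash:
        warnings.append("boot code differs from the known-good baseline")
    return warnings


def main(argv: List[str]) -> int:
    # With a path argument the file is read; otherwise the constructed sample is used.
    data = open(argv[1], "rb").read() if len(argv) > 1 else build_sample_mbr()
    parsed = parse_mbr(data)
    print(f"boot signature ok: {parsed['valid_signature']}")
    print(f"disk signature: 0x{parsed['disk_signature']:08x}")
    print(f"boot code sha256: {parsed['boot_code_sha256']}")
    for p in parsed["partitions"]:
        flag = "*" if p["bootable"] else " "
        print(f"{flag} #{p['index']} type=0x{p['type']:02x} start={p['lba_start']} sectors={p['sectors']}")
    for w in check_mbr(parsed):
        print("WARNING:", w)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The boot-code hash is only meaningful against a baseline, for instance the hash of the same 440 bytes taken from a known-clean disk with the same boot loader; a missing signature or more than one bootable entry, on the other hand, is suspicious on its own.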

#14 KBR1

KBR1
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Orlando, FL
  • Local time:01:02 PM

Posted 16 May 2012 - 09:51 PM

m0le,
thanks for the info, got it working this time around, able to attach "mbr.txt" file.

Problems encountered:
first, the usb drive ISO didn't work, came up with error loading...crap!

1. used your previous BurnCDCC to burn "ubuntu-12.04-desktop-i386.iso" to CD, worked great!
2. changed boot to run from CD on infected computer as prior posting.

when the program ubuntu loaded:
1. selected "Dash Home", typed "terminal" into search bar at top, ran terminal
2. typed in: sudo dd if=/dev/sda of=mbr.txt bs=512 count=1,

guessing that you ONLY wanted the first 512 bytes of information?

3. which created "mbr.txt" into "home folder"
4. "Home Folder" was located from third down on left side-bar, no need to open firefox to connect.

Ubuntu is a real simple, clean OS, thanks for that link, kinda reminds me of Mac's OS...
Really appreciate your effort in getting this file created, hope it tells you more than it does me!
Looks like gobbledygook...haha

Kendall

Attached Files

  • mbr.txt (512 bytes, 2 downloads)


#15 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:06:02 PM

Posted 17 May 2012 - 06:08 PM

That MBR looks fine so we're still looking for the right variant.

I would like you to run this tool for me - fixTDSS

Download it to your desktop and start the program

Follow the prompts and OK any security prompts

When it is complete it will say the infection was cleared or no infection was found - let me know what it says



