
Pirhap.b rootkit changed to Alureon.b rootkit


  • This topic is locked
6 replies to this topic

#1 sh4rkbyt3


Posted 10 September 2012 - 12:01 PM

Found some issues with browser redirects which may now be solved but had several instances. Extremely slow computer at first so used CCleaner and then followed up with SuperAntiSpyware. That found 4 instances of Trojan.Agent/Gen-DocFake and 1092 pieces of spyware. Removed but still acting slow and very hesitant. Used TDSS Killer and located rootkit Pihar.b which it said it removed. Restarted and ran Combofix which found a lot of things and removed them also. Then followed up by installing Avast and using their boot time scan tool which then located rootkit Alureon.b.

The system still appears to be having issues and Spybot is sending me fake browser notices from my Google Search engine about certain URLs.

Below is my DDS.txt log and I'll zip and attach the Attach file for you below that.


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by Owner at 12:42:53 on 2012-09-10
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3003.1528 [GMT -4:00]
.
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
AV: Microsoft Security Essentials *Enabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Spybot - Search and Destroy *Enabled/Updated* {1EAF1D03-5480-F3B2-EB14-11F0F5EE2699}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe
C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k SDRSVC
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Defraggler\Defraggler.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy 2\SDHelper.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Microsoft Live Search Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0541.0\msneshellx.dll
TB: Microsoft Live Search Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0541.0\msneshellx.dll
TB: MySecurityVault Toolbar: {d3117279-e115-4c9b-a8fe-d2983653ec51} - c:\program files\whitecanyon\mysecurityvault\WCVaultToolbar.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [Spybot-S&D Cleaning] "c:\program files\spybot - search & destroy 2\SDCleaner.exe" /autoclean
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [SDTray] "c:\program files\spybot - search & destroy 2\SDTray.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRunOnce: [NCInstallQueue] rundll32 netman.dll,ProcessQueue
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: MasterCook: Select Image - c:\program files\mastercook 9\web\MCIEContext.hta
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy 2\SDHelper.dll
IE: {E6EF5071-7647-4E85-9785-87B6CF5CB561} - {C92041C1-6D22-4069-BA0E-66246AA752B0} - c:\windows\system32\shdocvw.dll
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.3.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{BD73CB15-912E-42D5-9F18-640BF2EB8506} : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{BD73CB15-912E-42D5-9F18-640BF2EB8506}\5535154353 : DhcpNameServer = 192.168.1.1 71.242.0.12
TCP: Interfaces\{BD73CB15-912E-42D5-9F18-640BF2EB8506}\8686F6E6F62737 : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{BD73CB15-912E-42D5-9F18-640BF2EB8506}\C4160747F607 : DhcpNameServer = 192.168.1.1
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\qbdata\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\owner\appdata\roaming\mozilla\firefox\profiles\ahuiospi.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - hxxp://aolsearch.aol.com/aol/search?invocationType=client_searchbox&query=
FF - component: c:\users\owner\appdata\roaming\mozilla\firefox\profiles\ahuiospi.default\extensions\{7affbfae-c4e2-4915-8c0f-00fa3ec610a1}\components\MailUtil.dll
FF - component: c:\users\owner\appdata\roaming\mozilla\firefox\profiles\ahuiospi.default\extensions\{fa1cfe8c-66b4-4469-b360-b60c79d70c28}\components\MailUtil.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\program files\wildtangent games\app\browserintegration\registered\2\NP_wtapp.dll
FF - plugin: c:\users\owner\appdata\roaming\move networks\plugins\npqmp071505000011.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: avast! WebRep: wrc@avast.com - c:\program files\avast software\avast\webrep\FF
FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\users\owner\appdata\roaming\Move Networks
FF - Ext: WebMail Notifier: {37fa1426-b82d-11db-8314-0800200c9a66} - %profile%\extensions\{37fa1426-b82d-11db-8314-0800200c9a66}
FF - Ext: AOL Mail Toolbar: {fa1cfe8c-66b4-4469-b360-b60c79d70c28} - %profile%\extensions\{fa1cfe8c-66b4-4469-b360-b60c79d70c28}
FF - Ext: AOL Toolbar: {7affbfae-c4e2-4915-8c0f-00fa3ec610a1} - %profile%\extensions\{7affbfae-c4e2-4915-8c0f-00fa3ec610a1}
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-3-20 171064]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2012-9-10 729752]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2012-9-10 355632]
R1 MpKsl584d4cec;MpKsl584d4cec;c:\programdata\microsoft\microsoft antimalware\definition updates\{db74baa8-915b-42a2-939b-1620a5ef6a96}\MpKsl584d4cec.sys [2012-9-10 29904]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2012-7-11 116608]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-1-3 63928]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2012-9-10 21256]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2012-9-10 58680]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2012-9-10 44808]
R2 MSSQL$WFP_MSDE;SQL Server (WFP_MSDE);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2010-12-10 29293408]
R2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\spybot - search & destroy 2\SDFSSvc.exe [2012-9-7 1074720]
R2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\spybot - search & destroy 2\SDUpdSvc.exe [2012-9-7 1358360]
R2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files\spybot - search & destroy 2\SDWSCSvc.exe [2012-9-7 166528]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-6-29 112128]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2010-10-5 166912]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-3-1 139776]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-13 14336]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2008-10-23 193840]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2012-3-20 74112]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2012-3-26 214952]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-3-26 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-9-24 1343400]
S4 GamesAppService;GamesAppService;c:\program files\wildtangent games\app\GamesAppService.exe [2010-10-12 206072]
S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-11-27 136176]
S4 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-11-27 136176]
S4 Recovery Service for Windows;Recovery Service for Windows;c:\program files\sminst\BLService.exe [2008-10-23 365952]
.
=============== Created Last 30 ================
.
2012-09-10 16:19:15 29904 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{db74baa8-915b-42a2-939b-1620a5ef6a96}\MpKsl584d4cec.sys
2012-09-10 13:05:53 44784 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
2012-09-10 13:05:50 729752 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-09-10 13:05:48 58680 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2012-09-10 13:04:36 41224 ----a-w- c:\windows\avastSS.scr
2012-09-10 13:04:16 -------- d-----w- c:\programdata\AVAST Software
2012-09-10 13:04:16 -------- d-----w- c:\program files\AVAST Software
2012-09-10 12:20:26 7022536 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{db74baa8-915b-42a2-939b-1620a5ef6a96}\mpengine.dll
2012-09-10 12:16:42 100864 ----a-w- C:\uxldapow.sys
2012-09-09 06:11:04 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-09-09 06:11:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-09-09 05:46:20 -------- d-sh--w- C:\$RECYCLE.BIN
2012-09-09 05:46:18 -------- d-----w- c:\users\owner\appdata\local\temp
2012-09-09 02:51:26 388096 ----a-r- c:\users\owner\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2012-09-09 02:51:25 -------- d-----w- c:\program files\Trend Micro
2012-09-09 02:25:20 7022536 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2012-09-07 18:56:44 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2012-09-07 18:56:25 15224 ----a-w- c:\windows\system32\sdnclean.exe
2012-09-07 18:56:14 -------- d-----w- c:\program files\Spybot - Search & Destroy 2
2012-09-07 11:17:39 -------- d-----w- c:\users\owner\appdata\roaming\SUPERAntiSpyware.com
2012-09-07 11:17:28 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-09-07 11:17:28 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-09-07 10:49:13 -------- d-----w- c:\program files\Defraggler
2012-09-07 07:16:07 5120 ----a-w- c:\windows\system32\wmi.dll
2012-09-07 07:16:07 19824 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-09-07 07:16:07 172544 ----a-w- c:\windows\system32\wintrust.dll
2012-09-07 07:16:07 159232 ----a-w- c:\windows\system32\imagehlp.dll
2012-09-07 05:52:25 400896 ----a-w- c:\windows\system32\srcore.dll
2012-09-07 05:44:57 442880 ----a-w- c:\windows\system32\ntshrui.dll
2012-09-07 05:44:16 826880 ----a-w- c:\windows\system32\rdpcore.dll
2012-09-07 05:44:15 24576 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2012-09-07 05:39:30 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-09-07 05:39:18 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-09-07 05:39:03 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-09-07 05:39:03 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-09-07 05:19:06 713784 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{62479223-609e-462b-b34b-797f98bd636c}\gapaengine.dll
2012-09-07 05:17:40 98816 ----a-w- c:\windows\sed.exe
2012-09-07 05:17:40 518144 ----a-w- c:\windows\SWREG.exe
2012-09-07 05:17:40 256000 ----a-w- c:\windows\PEV.exe
2012-09-07 05:17:40 208896 ----a-w- c:\windows\MBR.exe
2012-09-07 05:04:02 -------- d-----w- C:\TDSSKiller_Quarantine
2012-09-07 03:55:19 -------- d-----w- c:\program files\VS Revo Group
.
==================== Find3M ====================
.
2012-07-18 17:47:53 2345984 ----a-w- c:\windows\system32\win32k.sys
2012-07-04 21:14:34 41984 ----a-w- c:\windows\system32\browcli.dll
2012-07-04 21:14:34 102912 ----a-w- c:\windows\system32\browser.dll
2012-06-29 00:16:58 1800704 ----a-w- c:\windows\system32\jscript9.dll
2012-06-29 00:09:01 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-06-29 00:08:59 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-06-29 00:04:43 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-06-29 00:00:45 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-05-17 21:42:17 3993600 ----a-w- c:\program files\GUT2AD7.tmp
.
============= FINISH: 12:44:52.96 ===============


#2 CatByte


Posted 11 September 2012 - 06:10 PM

I see ComboFix has been run on this computer; can you please post the log(s) located at C:\ComboFix.txt

NEXT


Download Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there
  • Press Scan button.
  • FRST will let you know when the scan is complete and has written the FRST.txt to file, close out this message, then type the following into the search box:
    services.exe
  • Now press the search button
  • When the search is complete, search.txt will also be written to your USB
  • Type exit and reboot the computer normally
  • Please copy and paste both logs in your reply (FRST.txt and Search.txt)

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 sh4rkbyt3

sh4rkbyt3


Posted 13 September 2012 - 11:32 AM

Ok CatByte, I ran into a major problem, in that recovery mode someone (other than the owner) put a password on there with the user name ASPNET so I'm assuming someone else worked on it at some point and that's going to be untraceable according to the owner. The only solution I can think of from here would be to do a DBan wipe and fresh install? I'll wait for your response but I see little choice at this point.

#4 CatByte


Posted 13 September 2012 - 06:37 PM

There are other tools we can run, but the setup you are faced with may present issues in the future, so a complete reformat and re-install would be my choice.

But it's up to you; we can see if it will clean up without having to access the recovery environment at this point.

Edited by CatByte, 13 September 2012 - 06:37 PM.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 sh4rkbyt3

sh4rkbyt3


Posted 13 September 2012 - 07:19 PM

I'll do a reformat and fresh install. Having too many of these rootkits lately that take forever and a day to try and clean up.

I do however appreciate your help immensely. No use in trying to kill it only to find out it's still hiding, which I'm dealing with on another computer as well. Thank you for your help and you can close this case.

#6 CatByte


Posted 13 September 2012 - 07:49 PM

ok,

thanks for letting me know

good luck :)

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#7 CatByte


Posted 13 September 2012 - 07:50 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015




