Infected with XP Defender 2013


  • This topic is locked
9 replies to this topic

#1 luv2bike2nv

luv2bike2nv

  • Members
  • 56 posts

Posted 02 October 2012 - 10:14 AM

The computer is infected with XP Defender 2013.
I followed the instructions on Bleepingcomputer.com to remove the virus; however, I cannot run rkill and Malwarebytes as the user. It won't let me do anything as that user. No error messages come up to tell you why it won't run.

I ran the logs and scans as myself (network administrator) in Safe Mode. The system is Windows XP SP3, up to date on MS updates; Trend Micro is the antivirus software and it is up to date as well.

I performed all the steps in the preparation:
  • data backed up
  • computer is not slow
  • enabled topic reply
  • firewall is set through group policy on the network
  • ran Defogger to disable CD emulation
  • downloaded and ran DDS (copied and pasted the DDS.txt file and attached the Attach.txt file)
  • downloaded and ran GMER (attached the ARK.txt file). When GMER finished, a message came up saying "WARNING!! GMER has found system modifications caused by Rootkit Activity." I just clicked OK.

Thank you in advance for your assistance.
Robin

DDS Text File:
.
DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 8.0.6001.18702
Run by robinadmin at 13:25:32 on 2012-10-01
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2014.1536 [GMT -7:00]
.
AV: Trend Micro OfficeScan Antivirus *Enabled/Updated* {70108737-FBC6-43AC-B794-8948DF14E969}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3070829
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3070829
mSearchAssistant = hxxp://www.google.com/ie
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7529.1424\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [PopUpKiller] c:\program files\popup killer\popupkiller.EXE
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\officescan client\pccntmon.exe" -HideWindow
mRun: [EPA_EZ_GPO_Tool] c:\windows\system32\EZ_GPO_Tool.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
uPolicies-explorer: DisallowRun = 1 (0x1)
uPolicies-disallowrun: 1 = bckgzm.exe
uPolicies-disallowrun: 2 = chkrzm.exe
uPolicies-disallowrun: 3 = freecell.exe
uPolicies-disallowrun: 4 = hrtzzm.exe
uPolicies-disallowrun: 5 = mshearts.exe
uPolicies-disallowrun: 6 = pinball.exe
uPolicies-disallowrun: 7 = Rvsezm.exe
uPolicies-disallowrun: 8 = shvlzm.exe
uPolicies-disallowrun: 9 = sol.exe
uPolicies-disallowrun: 10 = spider.exe
uPolicies-disallowrun: 11 = winmine.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: patch.alvaka.net
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1189024224262
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 10.31.40.10 10.31.40.11
TCP: Interfaces\{7C182F1A-87F1-4983-B4AE-0CF85A28195C} : DhcpNameServer = 10.31.40.10 10.31.40.11
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll c:\progra~1\google\google~1\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
.
============= SERVICES / DRIVERS ===============
.
R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [2007-8-29 3456]
R1 EPS;EPS;c:\windows\system32\drivers\eps.sys [2011-7-23 127856]
S2 EPA_GPO_PMService;Energy Star™ EZ GPO Power Management Configuration Tool;c:\windows\system32\PMService.exe [2009-6-17 94208]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-4 135664]
S2 LEMSS Agent;LEMSS Agent;c:\program files\lumension\lemssagent\LMAgent.exe [2010-11-29 260424]
S2 TmFilter;Trend Micro Filter;c:\program files\trend micro\officescan client\tmxpflt.sys [2008-11-26 262416]
S2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\officescan client\tmpreflt.sys [2008-11-26 36624]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-3-29 250568]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-8-29 30192]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-4 135664]
S3 Patch Agent;Patch Agent;c:\program files\lumension\patch agent\GravitixService.exe [2011-7-21 95584]
S3 TmProxy;OfficeScan NT Proxy Service;c:\program files\trend micro\officescan client\TmProxy.exe [2007-4-27 575064]
.
=============== Created Last 30 ================
.
2012-10-01 19:44:25 -------- d-----w- C:\Malwarebytes
2012-10-01 19:25:46 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-10-01 19:25:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-10-01 19:10:35 -------- d-----w- c:\documents and settings\robinadmin\application data\Malwarebytes
2012-10-01 18:59:13 -------- d-sh--w- c:\documents and settings\robinadmin\PrivacIE
2012-10-01 18:59:07 -------- d-sh--w- c:\documents and settings\robinadmin\IETldCache
2012-09-26 13:48:12 102400 ----a-w- c:\windows\RegBootClean.exe
2012-09-25 06:55:28 6980552 ----a-w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\{fc4c36cc-4d16-44cd-8897-6e8d4831f272}\mpengine.dll
.
==================== Find3M ====================
.
2012-08-28 15:14:53 916992 ----a-w- c:\windows\system32\wininet.dll
2012-08-28 15:14:53 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-08-28 15:14:52 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-08-28 12:07:15 385024 ----a-w- c:\windows\system32\html.iec
2012-08-22 13:44:43 73416 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-08-22 13:44:43 696520 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-06 13:58:51 78336 ----a-w- c:\windows\system32\browser.dll
2012-07-04 14:05:18 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
.
============= FINISH: 13:26:37.43 ===============
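
A triage parser for the DDS log format posted above, added here as an example (it is not DDS code and not something the poster ran). It assumes the section banners and the `uRun:`/`mRun:`/`uPolicies-disallowrun:` line layouts seen in the log; `SAMPLE_LOG` is a constructed excerpt modelled on that log.

```python
# Added example: splits a DDS log into its '====== Title ======' sections and
# pulls out the items a responder checks first (running processes, autostart
# entries, the Explorer DisallowRun policy, services).  SAMPLE_LOG is constructed.
import re

SAMPLE_LOG = """\
============== Running Processes ===============
.
C:\\WINDOWS\\system32\\svchost -k DcomLaunch
C:\\WINDOWS\\Explorer.EXE
.
============== Pseudo HJT Report ===============
uRun: [ctfmon.exe] c:\\windows\\system32\\ctfmon.exe
mRun: [OfficeScanNT Monitor] "c:\\program files\\trend micro\\officescan client\\pccntmon.exe" -HideWindow
uPolicies-explorer: DisallowRun = 1 (0x1)
uPolicies-disallowrun: 1 = sol.exe
uPolicies-disallowrun: 2 = winmine.exe
.
============= SERVICES / DRIVERS ===============
R0 atiide;atiide;c:\\windows\\system32\\drivers\\atiide.sys [2007-8-29 3456]
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
AUTOSTART_RE = re.compile(r"^([umd]Run(?:Once)?|StartupFolder): (?:\[(.*?)\] )?(.*)$")
DISALLOW_RE = re.compile(r"^uPolicies-disallowrun: \d+ = (.+)$")


def split_sections(text):
    """Map each '=== Title ===' banner to its non-empty lines ('.' spacers dropped)."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current and line.strip() not in ("", "."):
            sections[current].append(line.rstrip())
    return sections


def triage(text):
    """Return processes, autostart entries, run policy and services from a DDS log."""
    secs = split_sections(text)
    hjt = secs.get("Pseudo HJT Report", [])
    autostart = [(m.group(1), m.group(2) or "", m.group(3))
                 for m in map(AUTOSTART_RE.match, hjt) if m]
    return {
        "processes": secs.get("Running Processes", []),
        "autostart": autostart,  # (hive/kind, entry name, command line)
        # DisallowRun = 1 means Explorer enforces the per-user executable blocklist
        # listed below it; an unexpected name there explains a tool that "won't run".
        "disallow_run_enabled": any("DisallowRun = 1" in line for line in hjt),
        "disallowed_exes": [m.group(1) for m in map(DISALLOW_RE.match, hjt) if m],
        "services": secs.get("SERVICES / DRIVERS", []),
    }
```

Run `triage(open("DDS.txt").read())` on a saved log to get the same dictionary for a real machine.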


#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 02 October 2012 - 07:23 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
m0le is a proud member of UNITE

#3 luv2bike2nv

luv2bike2nv
  • Topic Starter

  • Members
  • 56 posts

Posted 02 October 2012 - 07:32 PM

Yes, I am here and waiting for instructions.
Thanks, m0le

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 03 October 2012 - 05:02 PM

The rootkit further protects rogue rubbish like XP Defender. The guides don't provide help with that unfortunate complication.

Am I right that you are locked out of normal mode completely? Can you run aswMBR (in Safe Mode if necessary)?

Please download aswMBR (511KB) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

m0le is a proud member of UNITE

#5 luv2bike2nv

luv2bike2nv
  • Topic Starter

  • Members
  • 56 posts

Posted 03 October 2012 - 05:47 PM

I can get into normal mode as the user; however, I cannot run any programs as the user. I also cannot run any programs in Safe Mode as the infected user.
I can run programs as myself (administrator). I ran aswMBR as myself in normal mode; below you will find the text.

aswMBR.txt file

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-10-03 16:23:04
-----------------------------
16:23:04.469 OS Version: Windows 5.1.2600 Service Pack 3
16:23:04.469 Number of processors: 2 586 0x605
16:23:04.469 ComputerName: NTLCAR-WS23 UserName: robinadmin
16:23:18.194 Initialize success
16:32:02.891 AVAST engine defs: 12100302
16:32:24.720 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-3
16:32:24.720 Disk 0 Vendor: WDC_WD1600AAJS-75PSA0 05.06H05 Size: 152587MB BusType: 3
16:32:24.751 Disk 0 MBR read successfully
16:32:24.751 Disk 0 MBR scan
16:32:24.813 Disk 0 Windows XP default MBR code
16:32:24.813 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 39 MB offset 63
16:32:24.844 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 152539 MB offset 80325
16:32:24.844 Disk 0 scanning sectors +312480315
16:32:24.952 Disk 0 scanning C:\WINDOWS\system32\drivers
16:32:53.764 Service scanning
16:33:20.677 Modules scanning
16:33:30.425 Disk 0 trace - called modules:
16:33:30.441 ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll atiide.sys PCIIDEX.SYS
16:33:30.441 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a52bab8]
16:33:30.441 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-3[0x8a4ead98]
16:33:30.889 AVAST engine scan C:\WINDOWS
16:34:04.607 AVAST engine scan C:\WINDOWS\system32
16:38:41.697 AVAST engine scan C:\WINDOWS\system32\drivers
16:39:10.172 AVAST engine scan C:\Documents and Settings\robinadmin
16:39:50.647 AVAST engine scan C:\Documents and Settings\All Users
16:41:35.813 Scan finished successfully
16:42:52.220 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\robinadmin\Desktop\MBR.dat"
16:42:52.220 The log file has been saved successfully to "C:\Documents and Settings\robinadmin\Desktop\aswMBR.txt"

Edited by luv2bike2nv, 03 October 2012 - 06:44 PM.


#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 03 October 2012 - 06:27 PM

Yes, please run aswMBR :thumbup2:
m0le is a proud member of UNITE

#7 luv2bike2nv

luv2bike2nv
  • Topic Starter

  • Members
  • 56 posts

Posted 04 October 2012 - 08:39 AM

Please see the post above with the aswMBR text file. :thumbup2:

#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 04 October 2012 - 06:22 PM

Please run TDSSKiller next.

  • Download TDSSKiller and save it to your Desktop.

  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.

  • Go to Start > Run (or hold down your Windows key and press R) and copy and paste the following into the text field (make sure you include the quote marks), then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l report.txt

  • Now click Start Scan.
  • If malicious objects are found, ensure Cure is selected, then click Continue > Reboot now.
  • Click Close
  • Finally press Report and copy and paste the contents into your next reply. If you've rebooted then the log will be found at C:\

m0le is a proud member of UNITE

#9 luv2bike2nv

luv2bike2nv
  • Topic Starter

  • Members
  • 56 posts

Posted 05 October 2012 - 05:59 PM

You can close this ticket out.
I ran TDSSKiller as myself (administrator) because I could not run it as the infected user.
The scan took less than 5 minutes and there were no infected files.
Management said to go ahead and partition and format the hard drive after backing up all relevant files.
I am in the process of re-imaging the system. Thank you for your assistance.
Robin

#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 06 October 2012 - 06:31 PM

Thanks for letting me know :thumbup2:

-----------------------------------------------

This topic has been closed.

If you're the topic starter and need this topic reopened, please contact me via PM with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE