Removed "Smart HDD" virus from computer, im afraid something is still there


This topic is locked
9 replies to this topic

#1 capibara


  • Members
  • 7 posts
  • OFFLINE
  • Local time:06:15 AM

Posted 12 November 2012 - 01:14 PM

Hi, a few weeks ago my sister's computer got owned by one of those nasty "Smart HDD" malware programs.
Smart HDD is malicious software that will display fake alerts, claiming that several hard drive errors were detected on your computer.
It did all sorts of bad stuff to the computer: hiding files, installing proxies and all sorts of shenanigans.
In a normal situation I would have wiped the HD and reinstalled from scratch, but my sister has a long list of software she uses and customizations; it would have taken a LOT of time to bring it back to the original state.
Of course no backup was present.
So I tried my luck and attempted to remove the malware, following this procedure:
http://malwaretips.com/blogs/uninstall-smart-hdd/
At first it looked like the computer was clean and working OK, all data back, files unhidden, but something was still there, because after a while her internet stopped working. I did a quick check and noticed that the DNS IP numbers were missing. I ran a few checks with Malwarebytes but found nothing.
I manually typed the DNS IP numbers back in, but after a few days, SAME PROBLEM.
So my guess is that some rootkit trojan or something was left behind on the system (Windows XP), but despite my efforts I couldn't find anything.
This is when I made a mistake: I ran ComboFix without following the correct procedure suggested here.
Now I found this forum and the topic with the rules and how to perform the correct procedure, so I ran DDS and GMER. I hope I didn't mess it up too much by running ComboFix beforehand.
So I wonder whether there is still some malware running; I hope this can help to figure it out... thanks!
Here is the DDS log; attach.txt and atk.txt are attached.

DDS (Ver_2012-11-07.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_35
Run by TIZIANA at 22:56:08 on 2012-11-11
Microsoft Windows XP Professional 5.1.2600.3.1252.39.1040.18.1980.1409 [GMT 1:00]
.
AV: Avira Desktop *Enabled/Updated* {00000000-0715-0000-08F2-12003094807C}
AV: Avira Desktop *Enabled/Updated* {00000000-0000-0000-0000-000000000000}
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Avira Desktop *Enabled/Updated* {00000000-9FF8-FF14-1E00-010000000000}
.
============== Running Processes ================
.
C:\Programmi\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Programmi\File comuni\Acronis\Schedule2\schedul2.exe
C:\Programmi\Google\Update\1.3.21.123\GoogleCrashHandler.exe
C:\Programmi\Java\jre6\bin\jqs.exe
C:\Programmi\Intel\AMT\LMS.exe
C:\Programmi\File comuni\Intel\Privacy Icon\UNS\UNS.exe
C:\Programmi\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Programmi\File comuni\Intel\Privacy Icon\PrivacyIconClient.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Programmi\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Programmi\Acronis\TrueImageEchoWorkstation\TrueImageMonitor.exe
C:\Programmi\Acronis\TrueImageEchoWorkstation\TimounterMonitor.exe
C:\Programmi\File comuni\Acronis\Schedule2\schedhlp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Programmi\File comuni\Java\Java Update\jusched.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Programmi\Logitech\SetPointP\SetPoint.exe
C:\Programmi\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Programmi\Analog Devices\Core\smax4pnp.exe
C:\Programmi\Athena\IDProtect Client\Utils\IDProtect Monitor.exe
C:\Programmi\AVAST Software\Avast\avastUI.exe
C:\Programmi\Google\Google Talk\googletalk.exe
C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\File comuni\LogiShrd\KHAL3\KHALMNPR.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uProxyOverride = <local>
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\programmi\file comuni\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\programmi\java\jre6\bin\ssv.dll
BHO: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\programmi\avast software\avast\aswWebRepIE.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\programmi\google\googletoolbarnotifier\5.7.7529.1424\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\programmi\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\programmi\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\programmi\google\google toolbar\GoogleToolbar_32.dll
TB: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\programmi\avast software\avast\aswWebRepIE.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\google toolbar\GoogleToolbar_32.dll
uRun: [googletalk] "c:\programmi\google\google talk\googletalk.exe" /autostart
uRun: [swg] "c:\programmi\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IAAnotif] c:\programmi\intel\intel matrix storage manager\iaanotif.exe
mRun: [picon] "c:\programmi\file comuni\intel\privacy icon\PrivacyIconClient.exe" -startup
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [StatusClient] c:\programmi\hewlett-packard\toolbox2.0\apache tomcat 4.0\webapps\toolbox\statusclient\StatusClient.exe /auto
mRun: [TomcatStartup] c:\programmi\hewlett-packard\toolbox2.0\hpbpsttp.exe
mRun: [bit4id csp store register (M)] "RUNDLL32.EXE" "c:\windows\system32\bit4upki-store.dll",RegisterMyPhysicalStore
mRun: [TrueImageMonitor.exe] c:\programmi\acronis\trueimageechoworkstation\TrueImageMonitor.exe
mRun: [AcronisTimounterMonitor] c:\programmi\acronis\trueimageechoworkstation\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\programmi\file comuni\acronis\schedule2\schedhlp.exe"
mRun: [Adobe Reader Speed Launcher] "c:\programmi\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\programmi\file comuni\adobe\arm\1.0\AdobeARM.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SunJavaUpdateSched] "c:\programmi\file comuni\java\java update\jusched.exe"
mRun: [EvtMgr6] c:\programmi\logitech\setpointp\SetPoint.exe /launchGaming
mRun: [SoundMAXPnP] c:\programmi\analog devices\core\smax4pnp.exe
mRun: [IDProtect Monitor] "c:\programmi\athena\idprotect client\utils\IDProtect Monitor.exe"
mRun: [avast] "c:\programmi\avast software\avast\avastUI.exe" /nogui
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\menuav~1\progra~1\esecuz~1\logite~1.lnk - c:\programmi\logitech\setpoint\SetPoint.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: E&sporta in Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\programmi\messenger\msmsgs.exe
Trusted Zone: serverteamsys
DPF: {469E2B4F-BEE2-4A0F-98FA-D07ACAFAFCEA} - hxxps://mutssl.cnce.it/CESO/denunce/dll/XMLFileTRansfer.CAB
DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} - hxxp://support.euro.dell.com/systemprofiler/SysProExe.CAB
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1336168058421
DPF: {6F6FDB9E-5072-498C-BCB0-2B7F00C49EE7} - hxxp://support.euro.dell.com/systemprofiler/DellSystemLite.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
DPF: {93B08541-9F6B-4697-9F9A-7058F1E33785} - hxxp://77.238.2.187/inquiero/mod/setup/ntractivex1182.cab
DPF: {CAFEEFAC-0013-0001-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-1_3_1_13-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_14-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
DPF: {E6ACF817-0A85-4EBE-9F0A-096C6488CFEA} - hxxp://213.217.135.145/inquiero/mod/setup/ntractivex118_24.cab
TCP: Interfaces\{82B5A04D-4091-4285-AC0A-8FECE46280F4} : NameServer = 192.168.0.101
Notify: igfxcui - igfxdev.dll
Notify: LBTWlgn - c:\programmi\file comuni\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 relog_ap
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\tiziana\dati applicazioni\mozilla\firefox\profiles\s449pu9w.default\
FF - prefs.js: browser.startup.homepage - about:home
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\programmi\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\programmi\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\programmi\google\google updater\2.4.2432.1652\npCIDetect14.dll
FF - plugin: c:\programmi\google\update\1.3.21.123\npGoogleUpdate3.dll
FF - plugin: c:\programmi\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_4_402_287.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
FF - ExtSQL: 2012-09-12 11:16; {CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA}; c:\programmi\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA}
.
---- FIREFOX POLICIES ----
FF - user.js: -
FF - user.js: security.enable_tls - false
FF - user.js: network.http.accept-encoding -
FF - user.js: secnetwork.http.accept-encodingurity.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [2008-12-13 24064]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2012-8-24 738504]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2012-8-24 361032]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2012-8-24 21256]
R2 avast! Antivirus;avast! Antivirus;c:\programmi\avast software\avast\AvastSvc.exe [2012-8-24 44808]
R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [2012-5-20 12184]
R2 UNS;Intel® Active Management Technology User Notification Service;c:\programmi\file comuni\intel\privacy icon\uns\UNS.exe [2008-12-12 2054680]
R3 ACSET;ACS USB Smart Card Reader;c:\windows\system32\drivers\acr30up.sys [2009-2-7 31616]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [2008-12-13 144480]
S0 cerc6;cerc6; [x]
S2 gupdate1ca1b351fdff7ce;Servizio di Google Update (gupdate1ca1b351fdff7ce);c:\programmi\google\update\GoogleUpdate.exe [2009-8-12 133104]
.
=============== Created Last 30 ================
.
2012-11-11 21:55:38 -------- d-----w- C:\JOB
2012-11-11 21:52:19 -------- d-----w- c:\programmi\VS Revo Group
2012-11-11 20:32:37 98816 ----a-w- c:\windows\sed.exe
2012-11-11 20:32:37 256000 ----a-w- c:\windows\PEV.exe
2012-11-11 20:32:37 208896 ----a-w- c:\windows\MBR.exe
2012-11-11 20:32:33 -------- d-s---w- C:\ComboFix
.
==================== Find3M ====================
.
2012-10-30 22:51:58 738504 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-10-30 22:51:07 41224 ----a-w- c:\windows\avastSS.scr
2012-10-09 14:53:26 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-10-09 14:53:26 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-28 18:24:56 477168 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-08-28 18:24:53 473072 ----a-w- c:\windows\system32\deployJava1.dll
2012-08-28 16:39:23 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-08-28 15:05:06 916992 ----a-w- c:\windows\system32\wininet.dll
2012-08-28 15:05:04 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-08-28 15:05:04 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-08-28 12:07:15 385024 ----a-w- c:\windows\system32\html.iec
2012-08-24 13:53:53 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-08-23 06:27:05 2152448 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-08-23 06:27:04 2031104 ----a-w- c:\windows\system32\ntkrnlpa.exe
.
============= FINISH: 22.56.43,96 ===============
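As an added illustration (not part of the original post and not DDS's own code), the Python below runs a small triage pass over constructed lines modelled on the DDS report above. It flags the three things a reviewer would look at first in this log: DPF (ActiveX CAB) entries whose download host is a bare IP address, the TCP NameServer entry (or its absence, which is the poster's recurring DNS symptom), and Firefox user.js entries that force security.* preferences to false. The sample text, the finding names and the private-versus-public split are the example's own assumptions.

```python
import ipaddress
import re

# Constructed sample: a handful of lines modelled on the "Pseudo HJT Report"
# and "FIREFOX POLICIES" sections of the DDS log above, not the full log.
SAMPLE_DDS = """\
uStart Page = hxxp://www.google.com/
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
DPF: {93B08541-9F6B-4697-9F9A-7058F1E33785} - hxxp://77.238.2.187/inquiero/mod/setup/ntractivex1182.cab
TCP: Interfaces\\{82B5A04D-4091-4285-AC0A-8FECE46280F4} : NameServer = 192.168.0.101
FF - user.js: security.enable_tls - false
FF - user.js: network.http.accept-encoding -
FF - user.js: security.warn_submit_insecure - false
FF - user.js: browser.startup.homepage - about:home
"""

# DDS writes "hxxp" instead of "http" so that forum software does not linkify URLs.
DPF_RE = re.compile(r"^DPF: \{[0-9A-Fa-f-]+\} - hxxps?://([^/\s:]+)")
TCP_RE = re.compile(r"^TCP: Interfaces\\\{[^}]+\} : NameServer = (.+)$")
FF_RE = re.compile(r"^FF - user\.js: (\S+) -\s*(.*)$")


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def triage(dds_text):
    """Return (kind, detail) findings for the DDS lines this example understands."""
    findings = []
    saw_nameserver = False
    for raw in dds_text.splitlines():
        line = raw.strip()
        m = DPF_RE.match(line)
        if m:
            host = m.group(1)
            # Vendor ActiveX CABs (Java, Windows Update, Dell) come from hostnames;
            # a CAB pulled from a bare IP literal deserves a closer look.
            if _is_ip(host):
                findings.append(("activex_from_ip", host))
            continue
        m = TCP_RE.match(line)
        if m:
            saw_nameserver = True
            for ns in re.split(r"[,\s]+", m.group(1).strip()):
                if not _is_ip(ns):
                    findings.append(("nameserver_garbage", ns))
                elif ipaddress.ip_address(ns).is_private:
                    findings.append(("nameserver_private", ns))   # home router, expected
                else:
                    findings.append(("nameserver_public", ns))    # compare with the ISP's
            continue
        m = FF_RE.match(line)
        if m:
            pref, value = m.group(1), m.group(2).strip()
            # user.js is re-applied at every Firefox start, so a security.* pref
            # forced to false here survives any about:config fix the user makes.
            if pref.startswith("security.") and value == "false":
                findings.append(("firefox_security_pref_off", pref))
    if not saw_nameserver:
        # The thread's symptom: the DNS entries keep disappearing.
        findings.append(("nameserver_missing", ""))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_DDS):
        print(f"{kind}: {detail}")
```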


#2 capibara

  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:06:15 AM

Posted 12 November 2012 - 01:18 PM

I forgot this: she used to have Microsoft Security Essentials on the computer, then changed to Avira and now to Avast. Both Microsoft Security Essentials and Avira are uninstalled, but for some reason ComboFix warned me to disable Avira even though it's not even present on the computer anymore.

#3 nasdaq


  • Malware Response Team
  • 39,523 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:15 AM

Posted 13 November 2012 - 10:51 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

I did see your note about ComboFix reporting old virus programs. Ignore it for now.

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Close any open browsers, and all other programs working. Make sure you save your file if working on a document.
  • Do not install any other programs until this is fixed.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall.

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
===

Third-party programs, if not up to date, can be the cause of infiltration and infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Rn].txt (n is a number).

Please post the logs and let me know if the problem persists.

#4 capibara

  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:06:15 AM

Posted 14 November 2012 - 03:05 PM

Hi, thanks a lot for the help.
For sure there is still a rootkit running on this computer; in the last few days Avast Antivirus found and deleted two files recognized as "Win32:Rootkit-gen [Rtk]".
One was found on November 8th and one today, November 14th.
Microsoft's malware software also detected this "Trojan:DOS/Aleuron.E" and reported it as "partially removed".

Despite all the scans I did with Avast or Malwarebytes, after some days some of this malware crap still keeps showing up.
The DNS IP number was also wiped out again today.

I attach the 3 logs requested (ComboFix, Security Check and AdwCleaner).

Thanks again for the help.

Results of screen317's Security Check version 0.99.54
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Avira Desktop
avast! Antivirus
Microsoft Security Essentials
Avira Desktop
Antivirus up to date! (On Access scanning disabled!)
`````````Anti-malware/Other Utilities Check:`````````
CCleaner
Java™ 6 Update 35
Java™ 6 Update 7
Java 2 Runtime Environment Standard Edition v1.3.1_13
Java version out of Date!
Adobe Flash Player 11.4.402.287
Adobe Reader 9 Adobe Reader out of Date!
Mozilla Firefox 15.0.1 Firefox out of Date!
Google Chrome 20.0.1132.57
Google Chrome 21.0.1180.89
Google Chrome 22.0.1229.79
Google Chrome 22.0.1229.92
Google Chrome 22.0.1229.94
Google Chrome 23.0.1271.64
````````Process Check: objlist.exe by Laurent````````
AVAST Software Avast AvastSvc.exe
AVAST Software Avast avastUI.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 11% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````

# AdwCleaner v2.007 - Logfile creato il 14/11/2012 alle 21:00:33
# Aggiornamento 06/11/2012 by Xplode
# Sistema Operativo : Microsoft Windows XP Service Pack 3 (32 bits)
# Utente : TIZIANA - DELLOPTIPLEX
# Modalità Avvio : Modalità Normale
# Eseguito da : C:\_SOFTWARE_INSTALLATI\adwcleaner.exe
# Opzioni [Cerca]


***** [Servizi] *****


***** [File / Cartelle] *****

Cartella Trovato : C:\Documents and Settings\All Users\Dati applicazioni\Ask

***** [Registro] *****

Chiave Trovata : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{79A765E1-C399-405B-85AF-466F52E918B0}
Chiave Trovata : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-6E41-4FD3-8538-502F5495E5FC}

***** [Browser Internet] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registro Pulito.

*************************

AdwCleaner[R1].txt - [863 octets] - [14/11/2012 21:00:33]

########## EOF - C:\AdwCleaner[R1].txt - [922 octets] ##########


Edited by nasdaq, 15 November 2012 - 08:29 AM.


#5 nasdaq


  • Malware Response Team
  • 39,523 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:15 AM

Posted 15 November 2012 - 08:38 AM

Remove the AdWare, PUP (Potentially Unwanted Program) installed on your computer.

  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Everything that was found will be deleted.
  • Follow the prompts to reboot the computer. A text file will open after the restart.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).

===

Secure your system by updating 3rd party programs.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

Check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

If present, remove the old version(s) of Java using the Add/Remove Programs applet.


Java™ 6 Update 35
Java™ 6 Update 7
Java 2 Runtime Environment Standard Edition v1.3.1_13


===

Critical vulnerabilities have been identified in Adobe Flash Player v11.3.300.264 and earlier versions... being exploited in the wild in active targeted attacks...

Get the latest Flash Player

On the top of the page you will be given an opportunity to download the version for your operating system.
Make sure you select appropriate version.

You will also have an option to install the Free! McAfee Security Scan Plus. Un-check the box if you are NOT using McAfee's virus protection software.

For the users of Internet Explorer download version 11.
Flash Player 11 (64 bit)
Flash Player 11 (32 bit)
===

Get the latest version of the Adobe Reader.
http://get.adobe.com/reader/
Before you download, I suggest you uncheck the box on the top right "Yes, install McAfee Security Scan Plus - optional"; this is not required if you are not a McAfee subscriber. While the installation is in progress you can also deny the installation of any other programs that may be suggested.

When installed, remove your old version of the Reader using the Add/Remove Programs applet, if present.
===

Please download RogueKiller© by Tigzy from one of the links below and save it to your desktop.

Link 1 Bleepingcomputer
Link 2 RogueKiller (par Tigzy)

Quit all running programs.

For Windows XP, double-click to start.
For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.
When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.
===

p.s.

For sure there is still a rootkit running in this computer, in the last few days Avast Antivirus found and deleted two files recognized as "Win32:Rootkit-gen [Rtk]".
One found November the 8th and one today, November the 14th.
Microsoft malware software also detected this "Trojan:DOS/Aleuron.E" and reported it as "partially removed".


If by any chance the files removed or found are in Quarantine or in System Restore, they are inactive.
Let me know, if you can, where these files are located.

#6 capibara

  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:06:15 AM

Posted 15 November 2012 - 04:06 PM

OK, I guess we found the culprit. Let me start by posting the report from RogueKiller, which signals this Root.MBR blinking warning on Physical Drive 1 (I have 2 drives in this PC, drive 0 with the system and drive 1 used for backup).

RogueKiller suggests fixing the MBR; there is a drop-down window where I can select the drive (only drive 1 is selectable) and another drop-down where I select the operating system between XP, 7 and Vista; of course I select XP.
Should I proceed with this fix, or is there any other step I'd better follow? The data is all backed up.
Not to mention drive 1 only contains the backup data (which I also copied to another computer), so even if I lose it it's not a big deal.

I also followed all the other tasks suggested; I'm going to attach the AdwCleaner log to this post.

Regarding the "Win32:Rootkit-gen [Rtk]" found by the antivirus on two different occasions: in both cases it wasn't quarantined or in System Restore; both were in two different folders on the C drive (I'm going to attach the screenshot for one of the two files found by Avast). Anyway, I think the Root.MBR malware found by RogueKiller is the definitive culprit.


This is the RogueKiller log:

By the way, I think the registry key marked as BLACKLIST (bit4upki-store.dll) is legit; bit4upki is a card reader installed on the computer.

RogueKiller V8.2.3 [11/07/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website: http://tigzy.geekstogo.com/roguekiller.php
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : TIZIANA [Admin rights]
Mode : Scan -- Date : 11/15/2012 21:49:50

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 2 ¤¤¤
[RUN][BLACKLIST DLL] HKLM\[...]\Run : bit4id csp store register (M) ("RUNDLL32.EXE" "C:\WINDOWS\system32\bit4upki-store.dll",RegisterMyPhysicalStore) -> FOUND
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ Infection : Root.MBR ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost
127.0.0.1 OPTYAMT.WORKGROUP # LMS GENERATED LINE


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD3200AAKS-75L9A0 +++++
--- User ---
[MBR] 64c52388deda39576292a9f5148de75d
[BSP] 06343c633686c4b733b4eca33a9c52c4 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 305242 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: WDC WD3200AAKS-75L9A0 +++++
--- User ---
[MBR] c788cccfdf2b106ce305439b1844604a
[BSP] 033ffa1ca83dab871a2b4ea67c17eafd : Windows XP MBR Code [possible maxSST in 0!]
Partition table:
0 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 625121280 | Size: 7 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 305234 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1]_S_11152012_02d2149.txt >>
RKreport[1]_S_11152012_02d2149.txt


Edited by capibara, 15 November 2012 - 04:07 PM.
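The RogueKiller "MBR Check" above flags PhysicalDrive1 because its partition table holds a tiny, active, hidden-type (0x17) NTFS partition at sector 625121280, placed behind the real volume that starts at sector 63. As an added example (not RogueKiller's code and not from the thread), the Python below builds a constructed 512-byte MBR with that layout, parses the four partition entries, and applies the same kind of layout checks; the disk size, the "Mo = MiB" conversion and the 64 MiB "small partition" threshold are assumptions.

```python
import struct

SECTOR = 512
# Partition type IDs for "hidden" volumes; 0x17 is hidden NTFS/HPFS, the type
# RogueKiller printed for partition 0 of PhysicalDrive1.
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}
SMALL_LIMIT = 64 * 1024 * 1024          # assumed: anything below this is "tiny"
DISK_SECTORS = 625142448                # assumed sector count of the 320 GB drive


def build_mbr(entries, boot_code=b"\x00" * 446):
    """Constructed helper: 512-byte MBR from (status, type, lba, sectors) tuples."""
    table = b""
    for status, ptype, lba, count in entries:
        # CHS fields are left zero; every modern tool reads the LBA fields.
        table += struct.pack("<B3sB3sII", status, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    table += b"\x00" * (16 * (4 - len(entries)))
    return boot_code + table + b"\x55\xAA"


def parse_mbr(mbr):
    """Return the non-empty entries of the partition table at offset 446."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xAA":
        raise ValueError("not an MBR: wrong length or missing 0x55AA signature")
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i:462 + 16 * i]
        status, _, ptype, _, lba, count = struct.unpack("<B3sB3sII", entry)
        if ptype != 0:
            parts.append({"index": i, "active": status == 0x80,
                          "type": ptype, "lba": lba, "sectors": count})
    return parts


def check_partitions(parts, disk_sectors=DISK_SECTORS):
    """Layout checks in the spirit of RogueKiller's MBR Check: (kind, index) findings."""
    findings = []
    by_offset = sorted(parts, key=lambda p: p["lba"])
    for p in parts:
        if p["type"] in HIDDEN_TYPES:
            findings.append(("hidden_type", p["index"]))
        if p["lba"] + p["sectors"] > disk_sectors:
            findings.append(("past_end_of_disk", p["index"]))
        # A tiny bootable volume tucked in behind the real partition is where an
        # MBR bootkit keeps its own boot code and payload, out of the file system's view.
        if p["active"] and p is not by_offset[0] and p["sectors"] * SECTOR <= SMALL_LIMIT:
            findings.append(("small_active_tail_partition", p["index"]))
    for a, b in zip(by_offset, by_offset[1:]):
        if a["lba"] + a["sectors"] > b["lba"]:
            findings.append(("overlap", (a["index"], b["index"])))
    return findings


# Constructed MBRs. Offsets 625121280 and 63 and the sizes come from the
# RogueKiller report above, assuming its "Mo" means MiB (2048 sectors each).
SUSPECT_MBR = build_mbr([
    (0x80, 0x17, 625121280, 7 * 2048),       # hidden NTFS, 7 MiB, active, at the disk's tail
    (0x00, 0x07, 63, 305234 * 2048),         # the real data volume
])
CLEAN_MBR = build_mbr([(0x80, 0x07, 63, 305242 * 2048)])   # PhysicalDrive0's layout


if __name__ == "__main__":
    for name, mbr in (("PhysicalDrive0", CLEAN_MBR), ("PhysicalDrive1", SUSPECT_MBR)):
        print(name, check_partitions(parse_mbr(mbr)) or "OK")
```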


#7 capibara

  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:06:15 AM

Posted 15 November 2012 - 05:02 PM

Well, I could not resist fixing it and I tried the FIX MBR in RogueKiller. It said fixed, but then I restarted RogueKiller, launched the Scan and it found the rootkit again, so I physically took the second drive (the one infected by the rootkit) out of the computer, relaunched RogueKiller and it doesn't find the rootkit anymore.

Waiting for some input about getting rid of this rootkit from the hard disk I took out; I guess re-partitioning and formatting isn't enough?

Thanks again for the great help you gave me; by the look of it the PC should be clean now, fingers crossed.

#8 nasdaq


  • Malware Response Team
  • 39,523 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:15 AM

Posted 16 November 2012 - 10:47 AM

Let's try this.

Make sure that your infected HD is installed.

Please download TDSSKiller.zip

>>> Double-click on TDSSKiller.exe to run the application.
  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure, click on Continue
  • If a suspicious file is detected, the default action will be Skip, click on Continue
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) to your desktop. Double-click aswMBR.exe to run it.

  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please post the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.

===

Please post the logs for my review.

#9 capibara

  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:06:15 AM

Posted 16 November 2012 - 04:42 PM

OK, I managed to get rid of the rootkit, but I had to do it using some kind of brute force, meaning that I deleted the partitions on the hard disk, repartitioned and formatted from scratch.

Before doing that, TDSSKiller found the rootkit (Rootkit.Boot.SST.b) but it couldn't delete it, even though I selected "Cure" and then rebooted;
after rebooting I launched TDSSKiller again and the rootkit was still there (I repeated this operation twice to be sure).

So at this point I just deleted the two partitions on the hard disk, created a new one, formatted it, launched TDSSKiller again and the rootkit was gone.

This hard disk was in a RAID 0 system before (mirrored); I think that's why it had two partitions and maybe that's why I had so much trouble getting rid of the rootkit despite my attempts with different tools.

I attach the TDSSKiller log, but keep in mind that I put the hard disk into a different computer (some old computer I use for testing) because I didn't want to compromise the original one, which at this point is completely clean (at least it seems so).

There are two logs, one from before I re-partitioned the hard disk and one from after.
In the first log (18.47) I had in the computer the operating system HD (clean), the HD with the rootkit and one USB flash drive.
In the second log (20.03) I had the operating system HD (clean), the HD with the rootkit and another hard disk that I used to back up some data.

Thanks again for your help.


Edited by capibara, 16 November 2012 - 04:43 PM.


#10 nasdaq


  • Malware Response Team
  • 39,523 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:15 AM

Posted 17 November 2012 - 08:02 AM

It was unfortunate that you had to remove the partition.
Under normal circumstances the TDSSKiller tool would remove this infection. Maybe it was because of the RAID...

http://support.kaspersky.com/viruses/solutions?print=true&qid=208280748

However, searching Google for the string Rootkit.Boot.SST.b proved that it's not an easy infection to deal with.

We may be dealing with a new version of this infection.

You did good.
===

If all is well:

Time for some housekeeping

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bold text into the Run box and click OK:

ComboFix /Uninstall
===

To remove AdwCleaner:

Please double click on AdwCleaner.exe to run the tool.
Click on Uninstall.
Confirm with Yes.

Delete the other tools we used.

Surf Safely, and Think Prevention!
===
