Uber persistent router infection


5 replies to this topic

#1 Frustrated Updater (Members, 10 posts)

Posted 18 February 2013 - 03:57 PM

Hi,

 

I've been battling a monstrous malware infection for the better part of the past two months. It all started when Windows Update suddenly stopped working (error code 8024402F) and I noticed that specific downloads such as antivirus software installers, Adobe Reader etc. would fail. I then cleaned up my system and tried a bunch of malware removal procedures (http://www.bleepingcomputer.com/forums/t/479803/malware-prevents-windows-and-other-security-updates/) but nothing seemed to work.

 

I then began to suspect my router had been infected and tried connecting to the Internet via a 3G data stick. This worked fine and I was able to get Windows Updates and security software installers. I then went and formatted my computer, reinstalled Windows 7, and got a brand new router. I set everything up today and suddenly the problem reappeared. Windows Updates and specific downloads don't work via the wired connection but work just fine with the 3G data stick. I am completely baffled by this as I haven't loaded anything onto the computer after formatting it and have no idea how the router became infected within seconds. Could this be a BIOS virus? I have run Malwarebytes and TDSSKiller and both scans came out fine. I would really appreciate any help as I have no idea what to do. Thanks!

 

DDS Log

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 8.0.7600.16385
Run by Sangeet Kendra at 13:51:58 on 2013-02-19
Microsoft Windows 7 Professional   6.1.7600.0.1252.91.1033.18.4011.2575 [GMT 5.5:30]
.
AV: Microsoft Security Essentials *Enabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}
SP: Microsoft Security Essentials *Enabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\ProgramData\DatacardService\HWDeviceService64.exe
C:\Windows\system32\IProsetMonitor.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\ProgramData\DatacardService\DCSHelper.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\taskhost.exe
c:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
mWinlogon: Userinit = userinit.exe
mRun: [NUSB3MON] "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
TCP: Interfaces\{12EFA11C-5AD7-4E0C-8C96-3DF4688767CF} : DHCPNameServer = 192.168.1.1
SSODL: WebCheck - <orphaned>
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
x64-Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2012-8-30 228768]
R2 HWDeviceService64.exe;HWDeviceService64.exe;C:\ProgramData\DatacardService\HWDeviceService64.exe -/service --> C:\ProgramData\DatacardService\HWDeviceService64.exe -/service [?]
R2 Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service;C:\Windows\System32\IPROSetMonitor.exe [2013-2-15 133800]
R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2013-2-18 398184]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2013-2-18 682344]
R2 NisDrv;Microsoft Network Inspection System;C:\Windows\System32\drivers\NisDrvWFP.sys [2012-8-30 128456]
R3 huawei_enumerator;huawei_enumerator;C:\Windows\System32\drivers\ew_jubusenum.sys [2013-2-16 86016]
R3 IntcDAud;Intel® Display Audio;C:\Windows\System32\drivers\IntcDAud.sys [2013-2-15 317440]
R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2013-2-18 24176]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2012-9-12 368896]
R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;C:\Windows\System32\drivers\nusb3hub.sys [2011-2-10 83080]
R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;C:\Windows\System32\drivers\nusb3xhc.sys [2011-2-10 184968]
S3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;C:\Windows\System32\drivers\ew_hwusbdev.sys [2013-2-16 117248]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-14 27136]
.
=============== Created Last 30 ================
.
2013-02-19 08:14:11 76232 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{A61E0CBC-4F7D-42C4-9959-7150FEDF4057}\offreg.dll
2013-02-19 06:59:44 972264 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{B65EBF8D-17F5-4846-9684-F6B921FC3311}\gapaengine.dll
2013-02-19 06:59:41 9161176 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{A61E0CBC-4F7D-42C4-9959-7150FEDF4057}\mpengine.dll
2013-02-19 06:37:07 -------- d-----w- C:\Program Files (x86)\Microsoft Security Client
2013-02-19 06:37:01 -------- d-----w- C:\Program Files\Microsoft Security Client
2013-02-19 06:36:55 374664 ----a-w- C:\Windows\System32\drivers\netio.sys
2013-02-19 06:36:55 1898376 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2013-02-18 15:02:36 -------- d-----w- C:\Users\Sangeet Kendra\AppData\Roaming\Malwarebytes
2013-02-18 15:02:30 24176 ----a-w- C:\Windows\System32\drivers\mbam.sys
2013-02-18 15:02:30 -------- d-----w- C:\ProgramData\Malwarebytes
2013-02-18 15:02:30 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-02-18 15:02:20 -------- d-----w- C:\Users\Sangeet Kendra\AppData\Local\Programs
2013-02-16 06:04:37 -------- d-----w- C:\Windows\Panther
2013-02-15 18:38:22 98816 ----a-w- C:\Windows\System32\drivers\ew_jucdcacm.sys
2013-02-15 18:38:22 86016 ----a-w- C:\Windows\System32\drivers\ew_jubusenum.sys
2013-02-15 18:38:22 69632 ----a-w- C:\Windows\System32\drivers\ew_jucdcecm.sys
2013-02-15 18:38:22 421376 ----a-w- C:\Windows\System32\drivers\ewusbwwan.sys
2013-02-15 18:38:22 32768 ----a-w- C:\Windows\System32\drivers\ewdcsc.sys
2013-02-15 18:38:22 28672 ----a-w- C:\Windows\System32\drivers\ew_juextctrl.sys
2013-02-15 18:38:22 221312 ----a-w- C:\Windows\System32\drivers\ewusbmdm.sys
2013-02-15 18:38:22 22016 ----a-w- C:\Windows\System32\drivers\ew_hwupgrade.sys
2013-02-15 18:38:22 212992 ----a-w- C:\Windows\System32\drivers\ew_juwwanecm.sys
2013-02-15 18:38:22 13952 ----a-w- C:\Windows\System32\drivers\ew_usbenumfilter.sys
2013-02-15 18:38:22 117248 ----a-w- C:\Windows\System32\drivers\ew_hwusbdev.sys
2013-02-15 18:38:22 1001472 ----a-w- C:\Windows\System32\drivers\mod7700.sys
2013-02-15 18:33:13 1490656 ----a-w- C:\Windows\System32\WdfCoInstaller01007.dll
2013-02-15 18:33:13 1490656 ----a-w- C:\Windows\System32\drivers\WdfCoInstaller01007.dll
2013-02-15 18:33:04 -------- d-----w- C:\Program Files (x86)\Tata Photon+
2013-02-15 18:32:41 -------- d-----w- C:\ProgramData\DatacardService
2013-02-15 18:17:54 9161176 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{B63BA38D-A5E7-4D56-B3D5-CBAD18DB9502}\mpengine.dll
2013-02-15 18:17:53 273840 ------w- C:\Windows\System32\MpSigStub.exe
2013-02-15 18:01:21 2622464 ----a-w- C:\Windows\System32\wucltux.dll
2013-02-15 18:01:18 99840 ----a-w- C:\Windows\System32\wudriver.dll
2013-02-15 18:01:13 36864 ----a-w- C:\Windows\System32\wuapp.exe
2013-02-15 18:01:13 186752 ----a-w- C:\Windows\System32\wuwebv.dll
2013-02-15 17:41:14 133800 ----a-w- C:\Windows\System32\IPROSetMonitor.exe
2013-02-15 17:40:59 314568 ----a-r- C:\Windows\System32\PROUnstl.exe
2013-02-15 17:40:14 68264 ----a-w- C:\Windows\System32\e1cmsg.dll
2013-02-15 17:40:14 36472 ----a-w- C:\Windows\System32\NicCo36.dll
2013-02-15 17:40:14 313520 ----a-w- C:\Windows\System32\drivers\e1c62x64.sys
2013-02-15 17:40:13 91840 ----a-w- C:\Windows\System32\NicInstC.dll
2013-02-15 17:39:32 -------- d-----w- C:\Program Files (x86)\Renesas Electronics
2013-02-15 17:36:07 -------- d-----w- C:\Windows\SysWow64\RTCOM
2013-02-15 17:36:07 -------- d-----w- C:\Program Files\Realtek
2013-02-15 17:33:06 53248 ----a-r- C:\Windows\SysWow64\CSVer.dll
2013-02-15 17:32:55 -------- d-----w- C:\Intel
2013-02-15 17:29:43 -------- d-----w- C:\Program Files (x86)\MSXML 4.0
2013-02-15 17:29:41 -------- d-sh--w- C:\Windows\Installer
2013-02-15 17:29:35 -------- d-----w- C:\TempEI4
2013-02-15 17:25:59 -------- d-----w- C:\Users\Sangeet Kendra\AppData\Local\Diagnostics
.
==================== Find3M  ====================
.
.
============= FINISH: 13:52:07.99 ===============
Edited by Frustrated Updater, 19 February 2013 - 04:46 AM.


#2 Guest_White Warrior_* (Guest)

Posted 20 February 2013 - 06:23 PM

Hi  Frustrated Updater

I will be handling your log to help you get cleaned up. Please give me some time to look it over and I will get back to you as soon as possible.

White Warrior
 



#3 Guest_White Warrior_* (Guest)

Posted 21 February 2013 - 09:58 AM


Hi Frustrated Updater.

First of all,

  • Download Security Check by screen317 from here or  here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Now, let's reset your router back to its factory default settings. If it is infected, then this will clean it.

How to Reset a Router back to the Factory Default Settings, go here

Then, please reconfigure it back to your preferred settings. Below is the list of default usernames and passwords, should you not know them.
here
here

How to Secure Your Wireless Router.
here
Note: Make sure to change the default password so the router can't be hacked.

Now, go to Windows Update. Has this fixed the problem?

Next, on the modem, what lights are on and are they constant or flickering?

Finally, right-click Computer, click Properties, then at the top left-hand side click Device Manager. Are there any symbols in front of Network adapters, such as an orange exclamation mark? Please click the Network adapters arrow and tell me what is written there.

Please post the security check log, and answers to my questions, thank you.

White Warrior.
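A factory reset, as suggested in the reply above, clears whatever state the router holds, but it does not by itself show whether the router was the cause. The symptom pattern in the first post (updates and security downloads fail only on the path that, per the DDS log's `DHCPNameServer = 192.168.1.1` line, uses the router as its DNS server, and work over the 3G stick) is the pattern a router that answers DNS queries for those hosts differently produces, so a check a practitioner can run before and after the reset is to ask the router's resolver and an independent resolver for the same update hostnames and compare the answers. The script below is an added example, not code from the thread, from DDS or from BleepingComputer. It assumes the router address from the DDS log, a reference resolver whose address is a TEST-NET placeholder to be replaced with one you trust, and a hostname list that is itself an assumption (`update.microsoft.com` is a real Microsoft host). It uses only the Python standard library and speaks DNS directly over UDP so that each query goes to exactly the server named, not through the operating system's resolver.

```python
"""Ask two DNS resolvers for the same hostnames and flag disagreements.

Added example (not from the BleepingComputer thread, DDS or Malwarebytes).
Assumptions are marked in the constants below.
"""
import ipaddress
import random
import socket
import struct

ROUTER_DNS = "192.168.1.1"        # from the DDS log: DHCPNameServer = 192.168.1.1 (the router)
REFERENCE_DNS = "203.0.113.53"    # placeholder (TEST-NET-3); replace with a resolver you trust
ASSUMED_HOSTS = ["update.microsoft.com", "download.windowsupdate.com"]  # assumed host list


def build_query(name, txid):
    """Build a single-question DNS query (type A, class IN) with recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def _skip_name(data, off):
    """Return the offset just past the (possibly compressed) name starting at off."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # a compression pointer is two bytes and ends the name
            return off + 2
        off += 1 + length


def parse_a_answers(data, txid):
    """Return (rcode, sorted IPv4 addresses) from the answer section of a response."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch: stray or forged reply")
    off = 12
    for _ in range(qdcount):
        off = _skip_name(data, off) + 4          # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return flags & 0x0F, sorted(addrs)


def resolve_a(name, server, timeout=3.0):
    """Query one resolver directly over UDP, bypassing the OS resolver configuration."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_answers(data, txid)


def compare_answers(router_answers, reference_answers):
    """Flag hosts whose router answer looks wrong relative to the reference resolver.

    Both arguments map hostname -> (rcode, [addresses]). Findings in order of
    strength: a non-public address for a public host, a different rcode
    (for example NXDOMAIN from one resolver only), or address sets with no overlap.
    """
    findings = []
    for host, (r_rcode, r_addrs) in router_answers.items():
        f_rcode, f_addrs = reference_answers.get(host, (None, []))
        bogus = [a for a in r_addrs if not ipaddress.ip_address(a).is_global]
        if bogus:
            findings.append((host, "non-public address from router resolver: %s" % bogus))
        elif r_rcode != f_rcode:
            findings.append((host, "rcode %s from router vs %s from reference" % (r_rcode, f_rcode)))
        elif not set(r_addrs) & set(f_addrs):
            findings.append((host, "no common address: %s vs %s" % (r_addrs, f_addrs)))
    return findings


if __name__ == "__main__":
    router = {h: resolve_a(h, ROUTER_DNS) for h in ASSUMED_HOSTS}
    reference = {h: resolve_a(h, REFERENCE_DNS) for h in ASSUMED_HOSTS}
    for host, why in compare_answers(router, reference) or [("all hosts", "answers agree")]:
        print(host, "-", why)
```

Run it once on the wired connection before the reset and once after; if the findings disappear after the reset, the router was the component at fault. Read the findings with the caveat that update hosts sit behind content-delivery networks, so two resolvers legitimately returning different public addresses for the same name is weak evidence on its own; a private or otherwise non-public address, or an NXDOMAIN or SERVFAIL that only the router's resolver returns, is the kind of disagreement that actually explains the symptom.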
 



#4 Guest_White Warrior_* (Guest)

Posted 24 February 2013 - 10:19 PM

Hi Frustrated Updater

It has been three days since I posted a reply to you. Do you still want my help?
Please post a reply telling me what you want to do from now.
Thank you.

White Warrior



#5 Guest_White Warrior_* (Guest)

Posted 02 March 2013 - 08:54 AM

Due to the passage of time without a reply, I am closing this topic.

 

White Warrior
 



#6 Elise, Bleepin' Blonde (Malware Study Hall Admin, 61,257 posts, Location: Romania)

Posted 02 March 2013 - 09:29 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Malware analyst @ Emsisoft