
I have one rootkit. IRP hook \Driver\atapi DriverStartIo


This topic is locked
37 replies to this topic

#1 Sam Gunn


Posted 19 January 2014 - 08:41 PM

I have one rootkit. It is called IRP hook \Driver\atapi DriverStartIo. I can hear music playing, a commercial playing, or sometimes news playing. Sometimes there are no webpages open when the sound is playing. When I end the largest svchost.exe process, the sound stops. I also sometimes lose sound. I have the volume control panel up, and I use it to adjust the sound. It also slows down loading websites, but after I end the process for the largest svchost, it speeds up.

 

Information about my computer.

Microsoft XP
Media Center Edition
Version 2002
Service Pack 3.

Dell Inspiron 1501

The only scan I have done is AVG.




#2 fireman4it

Malware Response Team

Posted 22 January 2014 - 11:56 AM

Hello Sam Gunn,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • In the upper right hand corner of the topic you will see a button called Follow This Topic. I suggest you click it and select Immediate E-Mail notification and click on Follow This Topic. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

  • Finally, please reply using the Post button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • [image: RcAuto1.gif]
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    [image: whatnext.png]
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 Sam Gunn


Posted 23 January 2014 - 10:50 PM

Hey fireman4it, I saw your message tonight. I didn't see it in my email. Tonight I clicked Follow This Topic. I downloaded ComboFix and ran it, but when it got to deleting folders, it stopped. It was more than 90 minutes later, so I decided to stop it and restart the computer. I will try to do it in the morning or afternoon. I did copy and paste what it had up there into my email and then saved it. Do you want me to post that here? I didn't click on it when it was running. I did move the mouse when the computer went into sleep mode.

 

I wanted to see how it was doing, so I moved the mouse.

 

Yesterday, I downloaded the update to the Second Life viewer.  You said something about downloads.



#4 fireman4it

Malware Response Team

Posted 24 January 2014 - 10:37 AM

Please post the log it gave before running Combofix again.



#5 Sam Gunn


Posted 24 January 2014 - 11:47 AM

Ok. Here it is.

 

 


Scanning for infected files . . .
This typically doesn't take more than 10 minutes
However, scan times for badly infected machines may easily double
 
Completed Stage_1
Completed Stage_2
Completed Stage_3
Completed Stage_4
Completed Stage_5
Completed Stage_6
Completed Stage_6A
Completed Stage_7
Completed Stage_8
Completed Stage_9
Completed Stage_10
Completed Stage_11
Completed Stage_12
Completed Stage_13
Completed Stage_14
Completed Stage_15
Completed Stage_16
Completed Stage_17
Completed Stage_18
Completed Stage_19
Completed Stage_19B
Completed Stage_20
Completed Stage_21
Completed Stage_22
Completed Stage_23
Completed Stage_24
Completed Stage_25
Completed Stage_26
Completed Stage_27
Completed Stage_28
Completed Stage_29
Completed Stage_30
Completed Stage_31
Completed Stage_32
Completed Stage_32A
Completed Stage_33
Completed Stage_34
Completed Stage_35
Completed Stage_36
Completed Stage_37
Completed Stage_38
Completed Stage_39
Completed Stage_40
Completed Stage_41
Completed Stage_42
Completed Stage_43
Completed Stage_44
Completed Stage_45
Completed Stage_46
Completed Stage_47
Completed Stage_48
Completed Stage_49
Completed Stage_50
 

Deleting Files:
 
C:\Documents and Settings\All Users\Application Data\Microsoft\MSOFFICE\TEMP\doc~1.dat
C:\Documents and Settings\All Users\Application Data\TEMP\AVG\avgmfapx.exe
C:\Documents and Settings\All Users\Application Data\TEMP\AVG\avgmfarx.dll
C:\Documents and Settings\All Users\Application Data\TEMP\AVG\avgntdumpx.exe
C:\Documents and Settings\All Users\Application Data\TEMP\AVG\avgrunasx.exe
C:\Documents and Settings\All Users\Application Data\TEMP\AVG\htmlayout.dll
C:\Documents and Settings\All Users\Application Data\TEMP\AVG\incavi.avm
C:\Documents and Settings\All Users\Application Data\TEMP\AVG\license_cz.htm
C:\Documents and Settings\All Users\Application Data\TEMP\AVG\license_da.htm
C:\Documents and Settings\All Users\Application Data\TEMP\AVG\license_es.htm
C:\Documents and Settings\All Users\Application Data\TEMP\AVG\license_fr.htm
C:\Documents and Settings\All Users\Application Data\TEMP\AVG\license_ge.htm
C:\Documents and Settings\All Users\Application Data\TEMP\AVG\license_hu.htm
C:\Documents and Settings\All Users\Application Data\TEMP\AVG\license_id.htm
C:\Documents and Settings\All Users\Application Data\TEMP\AVG\license_in.htm
C:\Documents and Settings\All Users\Application Data\TEMP\AVG\license_it.htm
C:\Documents and Settings\All Users\Application Data\TEMP\AVG\license_jp.htm
C:\Documents and Settings\All Users\Application Data\TEMP\AVG\license_ko.htm
C:\Documents and Settings\All Users\Application Data\TEMP\AVG\license_ms.htm
C:\Documents and Settings\All Users\Application Data\TEMP\AVG\license_nl.htm
C:\Documents and Settings\All Users\Application Data\TEMP\AVG\license_pb.htm
C:\Documents and Settings\All Users\Application Data\TEMP\AVG\license_pl.htm
C:\Documents and Settings\All Users\Application Data\TEMP\AVG\license_pt.htm
C:\Documents and Settings\All Users\Application Data\TEMP\AVG\license_ru.htm
C:\Documents and Settings\All Users\Application Data\TEMP\AVG\license_sc.htm
C:\Documents and Settings\All Users\Application Data\TEMP\AVG\license_sk.htm
C:\Documents and Settings\All Users\Application Data\TEMP\AVG\license_sp.htm
C:\Documents and Settings\All Users\Application Data\TEMP\AVG\license_tr.htm
C:\Documents and Settings\All Users\Application Data\TEMP\AVG\license_us.htm
C:\Documents and Settings\All Users\Application Data\TEMP\AVG\license_zh.htm
C:\Documents and Settings\All Users\Application Data\TEMP\AVG\license_zt.htm
C:\Documents and Settings\All Users\Application Data\TEMP\AVG\mfaconf.txt
C:\Documents and Settings\All Users\Application Data\TEMP\AVG\mfacz.lns
C:\Documents and Settings\All Users\Application Data\TEMP\AVG\mfada.lns
C:\Documents and Settings\All Users\Application Data\TEMP\AVG\mfaes.lns
C:\Documents and Settings\All Users\Application Data\TEMP\AVG\mfafr.lns
C:\Documents and Settings\All Users\Application Data\TEMP\AVG\mfage.lns
C:\Documents and Settings\All Users\Application Data\TEMP\AVG\mfahu.lns
C:\Documents and Settings\All Users\Application Data\TEMP\AVG\mfaid.lns
C:\Documents and Settings\All Users\Application Data\TEMP\AVG\mfain.lns
C:\Documents and Settings\All Users\Application Data\TEMP\AVG\mfait.lns
C:\Documents and Settings\All Users\Application Data\TEMP\AVG\mfajp.lns
C:\Documents and Settings\All Users\Application Data\TEMP\AVG\mfako.lns
C:\Documents and Settings\All Users\Application Data\TEMP\AVG\mfams.lns
C:\Documents and Settings\All Users\Application Data\TEMP\AVG\mfanl.lns
C:\Documents and Settings\All Users\Application Data\TEMP\AVG\mfapb.lns
C:\Documents and Settings\All Users\Application Data\TEMP\AVG\mfapl.lns
C:\Documents and Settings\All Users\Application Data\TEMP\AVG\mfapt.lns
C:\Documents and Settings\All Users\Application Data\TEMP\AVG\mfaru.lns
C:\Documents and Settings\All Users\Application Data\TEMP\AVG\mfasc.lns
C:\Documents and Settings\All Users\Application Data\TEMP\AVG\mfask.lns
C:\Documents and Settings\All Users\Application Data\TEMP\AVG\mfasp.lns
C:\Documents and Settings\All Users\Application Data\TEMP\AVG\mfatr.lns
C:\Documents and Settings\All Users\Application Data\TEMP\AVG\mfaus.lns
C:\Documents and Settings\All Users\Application Data\TEMP\AVG\mfavera.txt
C:\Documents and Settings\All Users\Application Data\TEMP\AVG\mfaverx.txt
C:\Documents and Settings\All Users\Application Data\TEMP\AVG\mfazh.lns
C:\Documents and Settings\All Users\Application Data\TEMP\AVG\mfazt.lns
C:\Documents and Settings\All Users\Application Data\TEMP\AVG\setup.exe
C:\Documents and Settings\All Users\Application Data\TEMP\AVG\setup.ini
C:\Documents and Settings\BESSIE HICKAM\My Documents\zeogvvlbdv.tmp
C:\Documents and Settings\BESSIE HICKAM\zeogvvlbdv.tmp
C:\WINDOWS\EventSystem.log
C:\WINDOWS\system32\Cache\075884af680ff6dc.fb
C:\WINDOWS\system32\Cache\227113dfa1ca894d.fb
C:\WINDOWS\system32\Cache\23d2505300890490.fb
C:\WINDOWS\system32\Cache\49fbbc5a8678d502.fb
C:\WINDOWS\system32\Cache\5c54eb1a1655b076.fb
C:\WINDOWS\system32\Cache\613e8ce7ab7106af.fb
C:\WINDOWS\system32\Cache\633a76311867bd11.fb
C:\WINDOWS\system32\Cache\691f14230153a9e1.fb
C:\WINDOWS\system32\Cache\6cb409d7ac73d9f1.fb
C:\WINDOWS\system32\Cache\7614bd6cfa99e546.fb
C:\WINDOWS\system32\Cache\77664b6ccc36be9f.fb
C:\WINDOWS\system32\Cache\7e7a64d65b345bc4.fb
C:\WINDOWS\system32\Cache\881b3593316772f0.fb
C:\WINDOWS\system32\Cache\98657d0579ae1930.fb
C:\WINDOWS\system32\Cache\b63439c2f5be3405.fb
C:\WINDOWS\system32\Cache\bf7df7947970829f.fb
C:\WINDOWS\system32\Cache\c2c2d8179c364119.fb
C:\WINDOWS\system32\Cache\c32f4c3bbe1880bb.fb
C:\WINDOWS\system32\Cache\d5c0f4e7bbe35bf3.fb
C:\WINDOWS\system32\Cache\d946e66075f88663.fb
C:\WINDOWS\system32\Cache\d9ca663388d21ec0.fb
C:\WINDOWS\system32\Cache\f2cda51fd108941f.fb
C:\WINDOWS\system32\Cache\f34d8db84131d925.fb
C:\WINDOWS\system32\windrv.sys
C:\WINDOWS\wininit.ini
 
Deleting Folders:
 
C:\Documents and Settings\All Users\Application Data\TEMP
C:\WINDOWS\system32\Cache


#6 fireman4it

Malware Response Team

Posted 25 January 2014 - 01:26 PM

Go ahead and run Combofix again and post its log.




#7 Sam Gunn


Posted 25 January 2014 - 07:18 PM

Ok, I ran the scan again. I thought it wasn't going to work. But it did. Here is the report.

Attached Files



#8 fireman4it

Malware Response Team

Posted 25 January 2014 - 10:42 PM

1.

We need to run a CFScript.

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

File::
c:\windows\system32\SETFC.tmp

Driver::
djtarbxf

Save this as CFScript.txt, in the same location as ComboFix.exe


[image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

 

 

2.

Download AdwCleaner

  • Double click on AdwCleaner.exe to run the tool.
    ***Note: Windows Vista and Windows 7 users:
    Right click on adwCleaner.exe and select
    "Run as administrator"
  • Click the Scan button.
  • A logfile will automatically open after the scan has finished.
  • Please post the content of that logfile in your next reply.
  • Or you can find the logfile at C:\AdwCleaner[R1].txt.

 

 

Things to include in your next reply::

Combofix.txt

AdwCleaner log

How is your machine running now?


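A small reader for the CFScript format used in the reply above, added here as an example; it is not part of the thread and not ComboFix's own code. It splits the script into its "Name::" sections and then lists things a helper should eyeball before dragging the file onto ComboFix.exe, since a File:: line that names the wrong file under the Windows directory is executed without further questions. The only section types it knows are File:: and Driver::, the two used in this reply; the checks themselves (absolute drive path, a warning for anything under \windows\, a bare service name in Driver::) are my own assumptions about sane input, not rules taken from ComboFix.

```python
import re
from typing import Dict, List

# Constructed sample: the four-line CFScript from reply #8 of this thread.
SAMPLE_CFSCRIPT = """\
File::
c:\\windows\\system32\\SETFC.tmp

Driver::
djtarbxf
"""

# Section types that actually appear in this thread. Anything else is
# reported as "not checked" rather than silently accepted.
KNOWN_SECTIONS = {"File", "Driver"}

_HEADER = re.compile(r"^([A-Za-z]+)::$")        # e.g. "File::", "Driver::"
_DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")       # e.g. "c:\..."
_SERVICE_NAME = re.compile(r"^[A-Za-z0-9_-]+$")  # bare service name, no path


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Split a CFScript into {section_name: [entries]} in order of appearance."""
    sections: Dict[str, List[str]] = {}
    current = None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue  # blank lines only separate sections
        header = _HEADER.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(
                f"line {lineno}: entry {line!r} appears before any 'Name::' header")
        sections[current].append(line)
    return sections


def review_cfscript(sections: Dict[str, List[str]]) -> List[str]:
    """Return findings a helper should read before running the script."""
    findings: List[str] = []
    for name, entries in sections.items():
        if name not in KNOWN_SECTIONS:
            findings.append(f"{name}:: is not checked by this reviewer; verify it by hand")
        if not entries:
            findings.append(f"{name}:: section is empty")
    for path in sections.get("File", []):
        if not _DRIVE_PATH.match(path):
            findings.append(f"File:: entry is not an absolute drive path: {path}")
        elif "\\windows\\" in path.lower():
            # Deleting the wrong file under the Windows directory can leave the
            # machine unbootable, so every such entry gets a second look.
            findings.append(
                f"File:: entry lives under the Windows directory, double-check it: {path}")
    for svc in sections.get("Driver", []):
        if not _SERVICE_NAME.match(svc):
            findings.append(f"Driver:: expects a bare service name, not a path or file: {svc}")
    return findings


if __name__ == "__main__":
    parsed = parse_cfscript(SAMPLE_CFSCRIPT)
    for section, entries in parsed.items():
        print(f"{section}:: {entries}")
    for finding in review_cfscript(parsed):
        print("!", finding)
```

Run against the sample, the parser yields one File:: entry and one Driver:: entry, and the reviewer's only finding is the Windows-directory warning for SETFC.tmp; a Driver:: line holding a full path instead of a service name, or a section header the reviewer does not know, each produce their own finding.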


#9 Sam Gunn


Posted 26 January 2014 - 05:36 PM

I'm not sure if I did this right. Here are the reports.

Attached Files



#10 fireman4it

Malware Response Team

Posted 26 January 2014 - 05:43 PM

1.

  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Clean.
  • Confirm each time with Ok.
  • You will be prompted to restart your computer. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

 

 

Can you still hear the ads?




#11 Sam Gunn


Posted 27 January 2014 - 05:27 PM

I don't hear any ads. But I have the Task Manager up, and there are 8 svchost.exe on there. One has 171,000 of memory usage and is using 32 CPU, but sometimes less than that. Not sure if it is supposed to be that high. When I heard the ads, it would be high; then I would click End Process, and I wouldn't hear the ads for a few minutes or more. It is the number four svchost.exe from the top.

Attached Files



#12 fireman4it

Malware Response Team

Posted 27 January 2014 - 05:40 PM

Please read the directions carefully.

 

  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Clean.
  • Confirm each time with Ok.
  • You will be prompted to restart your computer. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.


Edited by fireman4it, 27 January 2014 - 05:41 PM.



#13 Sam Gunn


Posted 28 January 2014 - 03:56 PM

Ok, I did the scan again, and I closed everything. I also turned off AVG. This report is not very long. So not sure if I did everything right. When I double clicked, the option to clean was not there. So I did a scan first. Then I clicked clean.

Attached Files



#14 fireman4it

Malware Response Team

Posted 01 February 2014 - 08:50 AM

How is the machine running now?




#15 Sam Gunn


Posted 01 February 2014 - 09:32 AM

I can still hear the sound, and it is about the same. There are longer periods without the sound. Should we run HijackThis or another program? I'm not going to run anything until you tell me.





