
Persistent infection not detected by Malwarebytes Pro, ZoneAlarm Pro or TDSSKiller.



Please help ... I have an infected PC that causes emails being sent to be blocked by my ISP's Exploit Blocking software.

Initially I scanned my PC with Malwarebytes Pro and found two back door trojans. These were removed and the problem persisted despite a clean bill of health from Malwarebytes Pro. I ran TDSSKiller and found two differently named 'trojans'? and removed them with TDSSKiller. All went well for a month or two and then yesterday my ISP started rejecting my sent emails again because of their SpamHaus Exploit Blocking software. Scans by Malwarebytes Pro, ZoneAlarm Pro and TDSSKiller detect nothing.

The PC that I am presently using to write this is clean, and I have no problems sending emails with it.

I have executed dds.com as directed on the infected PC. Please find attached the resulting dds.txt, attach.txt and attach.zip as requested.

I appreciate any help that I might get.

dds.txt

attach.txt

Attach.zip


Welcome to the forum.

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller to your desktop.

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

MrC

------->Your topic will be closed if you haven't replied within 3 days!<--------

(If I don't respond within 48 hours, please send me a PM)


Please create a new system restore point before running Malwarebytes Anti-Rootkit if you can.

MBAR tutorial

Download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt

To attach a log if needed:

Bottom right corner of this page.


New window that comes up.


~~~~~~~~~~~~~~~~~~~~~~~

If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:

Internet access

Windows Update

Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the 'fixdamage' tool included with Malwarebytes Anti-Rootkit and reboot.

Verify that your system is now functioning normally.

MrC


Hello MrCharlie.

I carried out your instructions. From what I can judge, the anti-rootkit software MBAR found no threats. Please see attachments.

I then hooked my 'infected' PC back online. I am now writing this message with it. I then tried sending test emails as previously done. My ISP sent them this time without any Exploit Blocking error messages from Spamhaus.org software. Test emails sent to myself went through my ISP servers and were received back - no problem.

All I have done to this 'supposedly infected' PC is to carry out the scans using RogueKiller and MBAR. Is it possible that this rootkit is ultra smart and lies low for a while when it senses scans? Or is my ISP's Spamhaus Exploit Blocking Software intermittently problematic in manifesting false positives??

Thanks again for your clearly written and easy to follow instructions as well as your patience with my lack of knowledge in this regard.

mbar-log-2012-12-20 (09-18-35).txt

system-log.txt


That scan was clean...let's see if this one finds anything >>>>>>

Please read the directions carefully so you don't end up deleting something that is good!!

Please note that TDSSKiller can be run in safe mode if needed.

Here's a video that explains how to run it if needed:

Please download the latest version of TDSSKiller from here and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
    Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here. There may be 3 logs > so post or attach all of them.
  • Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

Here's a summary of what to do if you would like to print it out:

If a suspicious object is detected, the default action will be Skip, click on Continue

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

~~~~~~~~~~~~~~~~~~~~

You can attach the logs if they're too long:

Bottom right corner of this page.


New window that comes up.


MrC


Hello MrCharlie.

I carried out your instructions. This time, with the extensions enabled, TDSSKiller found 19 threats.

Please find attached the 'before' and 'after' Cure Reports. Now this previously infected PC is running much, much faster. This result is mighty encouraging. I await your next post, advising me of what next (if anything) needs to be done.

Thanks again for this very much appreciated help.

TDSSKiller.2.8.15.0_21.12.2012_15.56.57_log.txt

TDSSKiller.2.8.15.0_21.12.2012_16.16.33_log.txt


(2) Hello again, Mr. Charlie

Errata: My silly mistake !!! When I clicked 'Continue' after leaving the 19 options set to 'Skip', I assumed this would cure the infections. The second 'after' report attached in my above post was generated by TDSSKiller with the extensions unselected by default - unbeknownst to me at the time. The first attachment (TDSSKiller....56.57.txt), of course, was generated with all extensions selected as per your instructions. Another scan with extensions enabled revealed all 19 'infections' still there. The PC speed increase must have been due to my overactive imagination.

When selecting the options, I was presented with three alternatives; they are: (1) SKIP, (2) COPY TO QUARANTINE and (3) DELETE. See attached 'screen grab' image file of the options presented by TDSSKiller. I left all 19 set to the default option, SKIP. In the absence of a CURE option, which option should I have selected?

post-122650-0-39603700-1356073338.jpg


Hello MrCharlie.

Thanks for your help.

From the results of the previous tests, can I assume that my PC is not infected and the previous email Exploit Blocking by my ISP's Spamhaus software was a false positive, since rectified by Bigpond.com my ISP? Or to be sure, do you think I should resort to the blunderbuss/barn door approach of reformatting my hard drive and then performing an XP operating system reinstall?


I would like to run one more scan for malware:

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and to run ComboFix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC


Hello MrCharlie

I carried out your instructions. A dialog box appeared notifying me that the Recovery Console was 'either not installed or was out of date'. All went well with the scan, with no further error messages being received. After the scan my PC rebooted without a problem.

Here attached is the Log.txt file generated by ComboFix.

log.txt


Can you find this file and upload it to VirusTotal for a free scan? Let me know the results (just copy back the URL):

c:\windows\system32\drivers\cxkpo.sys

http://www.virustotal.com/

~~~~~~~~~~~~~~~~~~~~~~~~

Please download AdwCleaner from here and save it on your Desktop.

  1. Right-click on adwcleaner.exe and select Run As Administrator (for XP just double click) to launch the application.
  2. Now click on the Search tab.
  3. Please post the contents of the log-file created in your next post.

Note: The log can also be located at C:\ >> AdwCleaner[XX].txt >> XX <-- denotes the number of times the application has been run, so in this case it should be something like R1.

Please look over what was found; we're going to delete it all in the next step....if there's something you may want to keep...please let me know and I'll explain why it shouldn't be on your system.

MrC


Hello MrCharlie.

After enabling the 'showing all hidden files' I was unable to find the system file named 'cxkpo.sys'.

However, after the first scan with ComboFix, I installed the Recovery Software from my XP operating system Dell Installation Disk. I then re-ran ComboFix. It executed this time without a hiccup. Attached is the second ComboFix Log file that was generated after the second ComboFix execution. The error message from ComboFix presented on the first run mentioned not deleting certain files because of the unavailability of the Recovery Software. Could ComboFix have deleted cxkpo.sys after this second run??

After running ComboFix twice as mentioned above, I then downloaded and executed AdwCleaner.exe. The AdwCleaner report file is in the second attached file. I never use Firefox, so deleting all Firefox related files is not a problem. I do not want to keep any other files either. However, I am running ZoneAlarm Security Suite as my antivirus, firewall and malware protection software. I see a couple of references to ZoneAlarm in this report. Will removing these files/folders cripple ZoneAlarm? I guess I could easily reinstall ZoneAlarm Suite if this happens. All my software has been purchased and not pirated. So reinstalling anything affected shouldn't present much of a drama.

Thanks muchly for all the help you are giving me.

log.txt

AdwCleanerR1.txt


Hello Mr Charlie.

After both physically searching in the system sub folder specified by you, with hidden files exposed, and using the XP search function, I can find no file called 'cxkpo.sys'. Being very careful not to change anything, I resorted to using the Registry Editor. A search of the registry turned up several references to a file named 'cxkpo.sys'. Yet my software package Registry Expert, during a registry scan, did not find a single registry reference to a missing file named 'cxkpo.sys'. Attached is a severely edited image of my registry image grabs, cut and pasted to show the path and the main references to this file 'cxkpo.sys'. I hope this is of some help to you in chasing this elusive demon.

post-122650-0-88012100-1356337355.gif

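As an added example, not code from this thread or from any of the tools it mentions: a read-only PowerShell triage script that does what MrC asked for above and what the poster then did by hand. It checks whether the driver file is present on disk (hidden and system files included), computes its SHA-256 so the hash can be looked up on VirusTotal, and lists every service key under HKLM\SYSTEM\CurrentControlSet\Services that loads a driver of that name. The file path and driver name are the ones quoted in the thread; everything else (variable names, output format) is assumed. It changes nothing on the system, so it is safe to run before deciding on a CFScript, and it should be run from an elevated PowerShell prompt on the affected machine.

```powershell
# Added example (not from the thread): read-only triage of a suspected
# driver file. Path and name are the ones MrC asked about; nothing is deleted.
$DriverName = 'cxkpo'
$DriverPath = Join-Path $env:SystemRoot 'system32\drivers\cxkpo.sys'

# 1. Is the file on disk? -Force makes Get-Item return hidden/system files too.
$file = Get-Item -LiteralPath $DriverPath -Force -ErrorAction SilentlyContinue
if ($file) {
    Write-Output ("File present: {0}  size={1}  attributes={2}  modified={3}" -f `
        $file.FullName, $file.Length, $file.Attributes, $file.LastWriteTime)

    # 2. SHA-256 through .NET so this also works on older PowerShell versions
    #    (the Get-FileHash cmdlet only exists in PowerShell 4 and later).
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($file.FullName)
    try {
        $hash = ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally {
        $stream.Close()
    }
    Write-Output "SHA-256: $hash  (search this hash at https://www.virustotal.com/)"
} else {
    # A file that the registry still references but that is absent from disk may
    # already have been removed, or may be hidden from the file system by a rootkit.
    Write-Output "File not found on disk: $DriverPath"
}

# 3. Registry: service entries that would load this driver. Start values:
#    0 = boot, 1 = system, 2 = automatic, 3 = manual, 4 = disabled.
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue | ForEach-Object {
    $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    $image = [string]$props.ImagePath
    # Match either a service key named after the driver or any ImagePath ending in <name>.sys
    if ($_.PSChildName -eq $DriverName -or $image -like "*\$DriverName.sys") {
        Write-Output ("Service key: {0}  ImagePath={1}  Start={2}  Type={3}" -f `
            $_.PSChildName, $image, $props.Start, $props.Type)
    }
}
```

If the script reports a service key with Start=0 or Start=1 but no file on disk, that is the situation described in the thread: a boot-start driver entry whose binary is missing or hidden. That combination is exactly what the CFScript posted later in the thread (Driver:: and File:: sections naming cxkpo) is meant to clean up, and the hash, when the file is present, gives VirusTotal something to look up without having to move the file anywhere.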

ZoneAlarm Security Toolbar is what's going to be removed, your ZoneAlarm will be OK:

http://www.systemloo...tbZon2_dll.html

~~~~~~~~~~~~~~~~~~~

Lots of adware found....let's clear it out.....

  1. Please re-run AdwCleaner
  2. Click on Delete button.
  3. Confirm each time with OK if asked.
  4. Your computer will be rebooted automatically. A text file will open after the restart. Please post the content of that logfile in your reply.

Note: You can find the logfile at C:\AdwCleaner[sn].txt as well - n is the order number.

~~~~~~~~~~~~~~~~~~

Using ComboFix......

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

4. If ComboFix wants to update.....please allow it to.

Driver::
cxkpo

File::
c:\windows\system32\drivers\cxkpo.sys

ClearJavaCache::

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScript.gif

Referring to the picture above, drag CFScript into ComboFix.exe

CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.

After reboot, (in case it asks to reboot)......

Please provide the contents of the ComboFix log (C:\ComboFix.txt) in your next reply.

MrC


Mr Charlie.

When browsing with Opera and I disconnect my Thomson ST536 V6 DSL input from the phone land line filter, I get a Cross Networking Error message from Opera. See attached image file below. I did a search on the URL seen in the message. I am wondering if all my packets are being routed through a hijacker using this URL (68.232.44.251). Has my router been hijacked as well as my other problems?

Further, while trying to process the attached image file RouterDisconnect.jpg seen below, with Corel Paint software, ZoneAlarm flashed up a frightening warning to my desktop. Please see below.

post-122650-0-16692500-1356427727.jpg

post-122650-0-83284500-1356427928.jpg


Hello Mr Charlie.

I will definitely reset my router and set up a password to prevent re-infection.

Corel Photo Paint is a part of my Corel Draw 11 software package. It looks like this bloody thing is trying to ride on the back of legit programs in its attempt to reinfect my system. At this stage I'm thinking that it might be best to reformat the hard drive and start afresh. What do you think? It's a pain to lose so many files. I'm reluctant to transfer them to my clean PC for fear of infecting that too. I've been transferring files via a pen drive which I scan each time I do this prior to copying files to my uninfected PC.


If you want to reinstall that's up to you.

Have you tried reinstalling Corel Draw 11 software package?

If you want, you can run these scans:

Norton Power Eraser: (take notice of what it finds, all may not be bad)

http://security.syma...m/nbrt/npe.aspx

and.....

Please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

http://www.eset.eu/online-scanner

Tick the box next to YES, I accept the Terms of Use.

Click Start

When asked, allow the ActiveX control to install

Click Start

Make sure that the options Remove found threats and Scan unwanted applications are unchecked

Click Advanced settings and select the following:

  • Scan potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth technology

Click Start

Wait for the scan to finish

Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt

Copy and paste that log as a reply to this topic

MrC


Mr Charlie.

I am grateful for all the help you have given me. I appreciate the time that you must have spent poring over all those report files searching for these malevolent creations of damaged minds trying to inflict pain on their fellow time travelers. You are a very generous and compassionate person in trying to alleviate the suffering of human beings whose PCs have been hacked.

Thanks again and have a very fruitful new year in 2013.


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
