CBL still infected


Hello and thanks for any help you give.

I ran the Root program and saw a lot of the ones you said with the weird letters. You mentioned there would be only one SYS file, but I had several and don't know what to do.

I am clearing up my disk and then will send you a c n p copy of the Root program.


Hi froglover and Welcome to the Malwarebytes' forum.

Please post the RootRepeal log. There are legitimate SYS files that may appear in the scan report that are mixed in with the rootkit driver.

In addition, please do the following and post ARK.txt after completing the instructions.

Please download ATF Cleaner by Atribune

  • Close Internet Explorer and any other open browsers
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

If you use Firefox browser

  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Reboot

Next, download this Antirootkit Program to a folder that you create such as C:\ARK, by choosing the "Download EXE" button on the webpage.

Disable the active protection component of your antivirus by following the directions that apply here:

http://www.bleepingcomputer.com/forums/topic114351.html

Next, please perform a rootkit scan:

  • Double-click the randomly named EXE located in the C:\ARK folder that you just downloaded to run the program.
  • When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.
  • When the scan is finished (a few seconds), click the Rootkit/Malware tab, and then select the Scan button.
  • Leave your system completely idle while this longer scan is in progress.
  • When the scan is done, save the scan log to the Windows clipboard
  • Open Notepad or a similar text editor
  • Paste the clipboard contents into a text file by clicking Edit | Paste or Ctrl+V
  • Exit the Program
  • Save the Scan log as ARK.txt and post it in your next reply. If the log is very long, attach it please.

Please post ARK.txt

Are you able to run MBAM?


I got down to the "ARK" scan and it said there was damage because of the anti-rootkit program. Something like GMER? It was scanning then quit.


I forgot to attach the message, sorry for the dbl post.

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-03 15:25:18
Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.15 ----

Code 897B0610 ZwEnumerateKey
Code 89A52E58 ZwFlushInstructionCache
Code 897B0966 IofCallDriver
Code 89778BB6 IofCompleteRequest

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 89DC61F8
Device \FileSystem\Fastfat \Fat 893D6478
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip sbtis.sys (Sunbelt TDI Inspection System/Sunbelt Software)
AttachedDevice \Driver\Tcpip \Device\Tcp sbtis.sys (Sunbelt TDI Inspection System/Sunbelt Software)
AttachedDevice \Driver\Tcpip \Device\Udp sbtis.sys (Sunbelt TDI Inspection System/Sunbelt Software)
AttachedDevice \Driver\Tcpip \Device\RawIp sbtis.sys (Sunbelt TDI Inspection System/Sunbelt Software)
Device \Driver\NDIS \Device\Ndis [89CD5984] NDIS.sys[.reloc]

---- Processes - GMER 1.0.15 ----

Process C:\Documents and Settings\Owner\Application Data\Google\epvhe1116163.exe (*** hidden *** ) 1220

---- EOF - GMER 1.0.15 ----

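A small triage script for reports in this GMER layout, added here as an example (it is not part of the thread and not GMER's own code): it splits the report into its sections, pulls out the patched kernel routines, the hidden processes and the attached filter drivers, and turns them into review prompts. The report embedded in it is a constructed copy of the lines above, so the script runs offline.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the layout of the GMER 1.0.15 report posted above
# (embedded here so the script runs offline).
SAMPLE_GMER_LOG = r"""GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-03 15:25:18
---- System - GMER 1.0.15 ----
Code 897B0610 ZwEnumerateKey
Code 89A52E58 ZwFlushInstructionCache
Code 897B0966 IofCallDriver
Code 89778BB6 IofCompleteRequest
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs 89DC61F8
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp sbtis.sys (Sunbelt TDI Inspection System/Sunbelt Software)
---- Processes - GMER 1.0.15 ----
Process C:\Documents and Settings\Owner\Application Data\Google\epvhe1116163.exe (*** hidden *** ) 1220
---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (\w+) - GMER")                      # "---- System - GMER 1.0.15 ----"
CODE_RE = re.compile(r"^Code\s+([0-9A-F]{8})\s+(\S+)$")              # "Code <addr> <kernel routine>"
PROC_RE = re.compile(r"^Process\s+(.+?)\s+\(\*\*\* hidden \*\*\* \)\s+(\d+)$")
ATTACHED_RE = re.compile(r"^AttachedDevice\s+(\S+)\s+(\S+)\s+(\S+)\s*(?:\((.*)\))?$")

@dataclass
class Triage:
    code_hooks: list = field(default_factory=list)        # (address, hooked kernel routine)
    hidden_processes: list = field(default_factory=list)  # (image path, pid)
    attached_devices: list = field(default_factory=list)  # (target, device, filter driver, publisher or None)

def parse_gmer(text):
    """Walk the report section by section and collect the entries that matter for triage."""
    t, section = Triage(), None
    for line in (l.strip() for l in text.splitlines()):
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
        elif section == "System" and (m := CODE_RE.match(line)):
            t.code_hooks.append((m.group(1), m.group(2)))
        elif section == "Processes" and (m := PROC_RE.match(line)):
            t.hidden_processes.append((m.group(1), int(m.group(2))))
        elif section == "Devices" and (m := ATTACHED_RE.match(line)):
            t.attached_devices.append(m.groups())
    return t

def findings(t):
    """Analyst-facing findings; each one is a prompt for review, not a verdict."""
    out = [f"kernel routine {fn} hooked in memory at 0x{addr}" for addr, fn in t.code_hooks]
    for path, pid in t.hidden_processes:
        where = "user profile" if "\\Application Data\\" in path else "outside the user profile"
        out.append(f"hidden process pid {pid}: {path} (runs from {where})")
    for _target, _device, driver, publisher in t.attached_devices:
        if publisher is None:  # GMER printed no (description/vendor) for this filter
            out.append(f"filter driver {driver} attached with no publisher information")
    return out
```

Run `findings(parse_gmer(SAMPLE_GMER_LOG))` to get the list; on the sample it reports the four hooked kernel routines and the hidden process launched from the user's Application Data folder.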

Hi froglover,

You didn't post the RootRepeal log showing the SYS files, and the ARK scan was aborted, if I am understanding you correctly.

There is a hidden malicious file that the ARK found and I know MBAM can remove it.

You didn't answer my question about whether MBAM can run or not, but I am assuming it can't or you wouldn't be following the CBL rootkit driver removal procedure.

Let's do this:

Download DDS and save it to your desktop from here


Disable any antivirus script blocking programs you may have installed (such as Norton script blocking), and then double-click dds.scr to run the tool.

  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop
  • Please copy and paste DDS.txt into your next reply
  • Attach the file called attach.txt to your reply

Please download Combofix from one of these locations:

HERE or HERE

I want you to rename Combofix.exe as you download it to a name of your choice such as froggie.exe

Notes:

  • It is very important that you save the newly renamed EXE file to your desktop.
  • You must rename Combofix.exe as you download it and not after it is on your computer.

You may have to modify your browser settings if you use Firefox, so you can rename Combofix.exe as you download it. To do that:

  • For Firefox:
    • Open Firefox and click Tools -> Options -> Main
    • Under the downloads section check the button that says "Always ask me where to save files".
    • Click OK
  • For Internet Explorer:
    • When downloading, choose to save, not open the file
    • When prompted - save the file to your desktop, and rename it anything with an .exe extension on the end.

---

Here is a tutorial that describes how to download, install and run Combofix more thoroughly. Please review it and follow the prompts to install Recovery Console - if you have not done that already (Vista users do not need to install Recovery Console):

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Very Important! Temporarily disable your antivirus and antimalware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix and even remove onboard components so it is rendered ineffective:

http://www.bleepingcomputer.com/forums/topic114351.html

Also, disable your firewall!

You can enable the Windows firewall in the interim, until the scan is complete.

Note: The above tutorial does not tell you to rename Combofix as I have instructed you to do in the above instructions, so make sure you complete the renaming step before launching Combofix.

Running Combofix

In the event you already have Combofix, please delete it as this is a new version.

  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

1. Double click on the renamed combofix.exe (froggie.exe) & follow the prompts.

2. When finished, it will produce a logfile located at C:\ComboFix.txt

3. Post the contents of that log in your next reply with a new hijackthis log.

Note: Do not mouse-click Combofix's window while it is running. That may cause your system to stall/hang.

Once the Combofix log is generated, you may re-enable your active protection.

Please post ARK.txt, C:\ComboFix.txt and a new HJT log in your next reply.

To sum it up, I need:

1. DDS.txt & posted in your reply - and Attach.txt attached

2. C:\Combofix.txt


I am about to cry. I can't get the D.D.S to work. I get the black box up and it tells me how it's not permanent. But... with all these stupid bad image error messages I can't get anything to run.

Should I uninstall the MBAM and try over? I am at my wits' end here.

Again, thank you for all your help.

Karen


Please copy and paste all logs in your reply, unless instructed to do otherwise.

When you attach a log, I have to download your log to my PC - open it in my text editor and then copy/paste it for you. I do not want to do that. Unless a log is excessively long, and I instruct you to do so - please copy and paste it.

Unfortunately, HijackThis barely scratches the surface when it comes to malware detection.

Before you attempt to run Combofix, you should have Vipre disabled, which I am assuming is your AV, since I see Sunbelt in your HJT log.

To do that:

Click Start -> Run and type in: cmd, then hit Enter

A DOS command window will launch -- inside that box, copy and paste in the following:

sc stop SBAMSvc

Then hit enter and close the box.

To restart the Vipre service after running tools:

Click Start -> Run and type in: cmd, then hit Enter

A DOS command window will launch -- inside that box, copy and paste in the following:

sc start SBAMSvc

Then hit enter and close the command window.

If CMD won't run:

Make sure you can view hidden files:

Go to Start -> Control Panel -> Folder Options -> View

Under Hidden files and folders,

  • Check Show hidden files and folders.
  • Uncheck Hide file extensions for known file types.
  • Uncheck Hide Protected Operating System Files

Navigate to:

C:\WINDOWS\system32\cmd.exe

Right-click cmd.exe and select copy.

Then paste cmd.exe onto your desktop and rename it frog.exe.

Ignore system warning about renaming files!

Now, you should be able to open a command window by launching (double-clicking) frog.exe on your desktop

Are you sure there is no log at C:\Combofix.txt?

When you first open the ARK program, it does a very quick scan (a few seconds), before you even press the scan button. This will often capture most rootkit entries without you having to do a complete system scan. Can you copy/paste that report?

I'll be back with some alternate instructions for running Combofix if you cannot find the log. I'm on my other computer now which doesn't have the info I need.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:47:33 PM, on 6/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe
C:\Program Files\Systweak\Advanced System Protector\ASP.exe
J:\New Games D\iWin Games\iWinTrusted.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Common Files\AntiVirus\SBAMSvc.exe
C:\Program Files\BigFix\BigFix.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\PROGRA~1\AVANQU~1\Fix-It\mxtask2.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.myway.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [sunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Mixersel] C:\Program Files\Realtek\InstallShield\mixersel.exe
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [sBRegRebootCleaner] C:\Program Files\Common Files\AntiVirus\SBRC.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Advanced System Protector] "C:\Program Files\Systweak\Advanced System Protector\ASP.exe" /autorun
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Owner\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\RunOnce: [ypagerps1] cmd.exe /C del "C:\Program Files\Yahoo!\Messenger\ypagerps1.DLL"
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Enchanted Katya - Mystery of the Lost Wizard\Images\stg_drm.ocx
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/cdl/launcher/PogoWebLa...erInstaller.CAB
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Annabel\Images\armhelper.ocx
O23 - Service: Fix-It Task Manager - Avanquest North America, Inc. - C:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe
O23 - Service: iWinTrusted - iWin Inc. - J:\New Games D\iWin Games\iWinTrusted.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Fix-It (SBAMSvc) - Sunbelt Software - C:\Program Files\Common Files\AntiVirus\SBAMSvc.exe

--
End of file - 6775 bytes

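As an added example (not part of the thread and not HijackThis's own code), a triage pass over the O2 and O4 lines of a log in this layout: it flags BHO entries with no backing file, Run entries registered twice, autoruns launched from a user-writable profile directory, and RunOnce commands that delete files. The embedded sample is a constructed subset of the log above, and every flag is a prompt for review rather than a verdict (the cdloader and ypagerps1 entries above sit in MagicJack and Yahoo! Messenger paths, for instance).

```python
import re
from collections import Counter

# Constructed sample: a subset of lines in the layout of the HijackThis v2.0.2
# log posted above (embedded here so the script runs offline).
SAMPLE_HJT_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Owner\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKCU\..\RunOnce: [ypagerps1] cmd.exe /C del "C:\Program Files\Yahoo!\Messenger\ypagerps1.DLL"
O23 - Service: Fix-It (SBAMSvc) - Sunbelt Software - C:\Program Files\Common Files\AntiVirus\SBAMSvc.exe
"""

BHO_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")        # name - {CLSID} - file
RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]+)\] (.*)$")  # hive, Run/RunOnce, [name], command
PROFILE_DIRS = ("\\documents and settings\\", "\\application data\\", "\\temp\\")

def target_of(command):
    """The executable a Run command launches: the quoted path if quoted, else the first word."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split(" ", 1)[0]

def triage_hjt(text):
    """Return (flag, detail) pairs for the O2/O4 entries worth a second look."""
    issues, seen = [], Counter()
    for line in text.splitlines():
        m = BHO_RE.match(line)
        if m:
            if m.group(3) == "(no file)":          # CLSID registered, DLL gone: orphan entry
                issues.append(("orphan_bho", m.group(2)))
            continue
        m = RUN_RE.match(line)
        if not m:
            continue
        hive, key, name, cmd = m.groups()
        seen[(hive, key, name)] += 1
        if seen[(hive, key, name)] == 2:           # same value listed twice under one key
            issues.append(("duplicate_run", name))
        tgt = target_of(cmd)
        if any(d in tgt.lower() for d in PROFILE_DIRS):   # autorun from a user-writable folder
            issues.append(("autorun_from_user_profile", tgt))
        if tgt.lower().startswith("cmd.exe") and " del " in cmd.lower():
            issues.append(("runonce_deletes_file", name))
    return issues
```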

Please see my last reply first!

Only if you cannot find the Combofix log at C:\Combofix.txt, then do the following:

It is important that you follow the next set of instructions precisely.

Open Notepad by hitting Start -> run, typing notepad into the Open: box, and then clicking OK.

On the Notepad menu, choose "Format" and make sure that Word Wrap is unchecked (disabled).

Copy/paste the text in the code box below into Notepad.

KillAll::

Save this to your desktop as CFScript.txt by selecting File -> Save as.

CFScriptB-4.gif

Very Important: Disable ALL security program active protection components at this time including any and all antispyware and antivirus monitor/guards you have running!!

Also, disable any task(s) scheduled to run automatically upon reboot, such as chkdsk or any scanners. Then re-enable after you get the new Combofix report.

Referring to the picture above, drag CFScript.txt into ComboFix.exe

This will cause ComboFix to run again.

Please post back the log that opens when it finishes.

If you still did not get a log, then run Combofix the same way but in safe mode:

To boot into Safe Mode for Windows XP:

1. Restart the computer

2. Watch the screen while it is black. After the BIOS memory check is done, start tapping the F8 key. If done right, the Windows Advanced Options Menu will appear.

3. Select Safe Mode from the menu. Starting Windows in Safe Mode may take several minutes.


Root Admin

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.

