Jump to content

4DW4R3 problems...


Recommended Posts

I had the search engine redirect problem recently. I ran Malwarebytes, which found a couple of item, which I told to clean, and it needed to reboot. When it reboot, I ran MWB again, and this time it gave a BSOD after about 8 seconds. Now whenever I log in with my primary login, it flashes the desktop icons, then they disappear, come back, and disappear again several times. Dr Watson gives an error, and at this point all I can do is a restart via Windows Task Manager.

Loging in under my alternate login doesn't lock up , but it doesn't seem like explorer ever really loads (no desktop items, no toolbar, etc, just black background. I can ctrl-alt-del and get to Task Manager and I can run programs from there. I had to run HJT and GMER that way. Logs are attached. Any ideas? Thanks in advance...

HJT log...

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:34:31 AM, on 3/4/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16981)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\taskmgr.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\cmd.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - Default URLSearchHook is missing

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-21-602162358-2077806209-1177238915-1008\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: 55963676-2F5E-4BAF-AC28-CF26AA587566 - vpnweb.cab

O16 - DPF: {A1662FB6-39BE-41BB-ACDC-0448FB1B5817} (Photo Upload Plugin Class) - http://images3.pnimedia.com/ProductAssets/...veX_Control.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ml.com

O17 - HKLM\Software\..\Telephony: DomainName = ml.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ml.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ml.com

O20 - Winlogon Notify: NotLog - C:\WINDOWS\SYSTEM32\SGLogEx.dll

O20 - Winlogon Notify: SGLogNotification - C:\WINDOWS\

O21 - SSODL: SnsShell - {A38300ED-853B-462b-A69F-DF0BB36B496A} - C:\Program Files\S.N.Safe&Software\Safe'n'Sec\snsshex.dll (file missing)

--

End of file - 3814 bytes

gmer log

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-03-04 09:57:21

Windows 5.1.2600 Service Pack 3

Running: 1jx9hrgq.exe; Driver: C:\WINDOWS\TEMP\axlcruod.sys

---- System - GMER 1.0.15 ----

Code 9C0B9EB5 ZwCallbackReturn

Code 9C0B9979 ZwEnumerateKey

Code 9C0B996F ZwSaveKey

Code 9C0B9974 ZwSaveKeyEx

Code 9C0B9BD2 IofCompleteRequest

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip mvstdi5x.sys (Anti-Virus Mini-Firewall Driver/McAfee Inc.)

AttachedDevice \Driver\Tcpip \Device\Tcp mvstdi5x.sys (Anti-Virus Mini-Firewall Driver/McAfee Inc.)

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 SGEFLT.SYS (PnP Disk Filter Driver/Utimaco Safeware AG)

AttachedDevice \Driver\Tcpip \Device\Udp mvstdi5x.sys (Anti-Virus Mini-Firewall Driver/McAfee Inc.)

AttachedDevice \Driver\Tcpip \Device\RawIp mvstdi5x.sys (Anti-Virus Mini-Firewall Driver/McAfee Inc.)

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs B84D5400

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Roxio)

Device -> \Driver\iastor \Device\Harddisk0\DR0 8A3E3CA1

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\4DW4R3SmYCAPhfkI.sys (*** hidden *** ) [sYSTEM] 4DW4R3 <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3

Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3@start 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3@type 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3@group file system

Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3@imagepath \systemroot\system32\drivers\4DW4R3SmYCAPhfkI.sys

Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3\connections

Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3\connections@5bf3bc6c

Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3\injector

Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3\injector@* 4DW4R3c

Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3\modules

Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3\modules@4DW4R3 \\?\globalroot\systemroot\system32\drivers\4DW4R3SmYCAPhfkI.sys

Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3\modules@4DW4R3c \\?\globalroot\systemroot\system32\4DW4R3utIGLBKOOL.dll

Reg HKLM\SYSTEM\ControlSet002\Services\4DW4R3 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\4DW4R3@start 1

Reg HKLM\SYSTEM\ControlSet002\Services\4DW4R3@type 1

Reg HKLM\SYSTEM\ControlSet002\Services\4DW4R3@group file system

Reg HKLM\SYSTEM\ControlSet002\Services\4DW4R3@imagepath \systemroot\system32\drivers\4DW4R3SmYCAPhfkI.sys

Reg HKLM\SYSTEM\ControlSet002\Services\4DW4R3\connections (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\4DW4R3\connections@5bf3bc6c

Reg HKLM\SYSTEM\ControlSet002\Services\4DW4R3\injector (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\4DW4R3\injector@* 4DW4R3c

Reg HKLM\SYSTEM\ControlSet002\Services\4DW4R3\modules (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\4DW4R3\modules@4DW4R3 \\?\globalroot\systemroot\system32\drivers\4DW4R3SmYCAPhfkI.sys

Reg HKLM\SYSTEM\ControlSet002\Services\4DW4R3\modules@4DW4R3c \\?\globalroot\systemroot\system32\4DW4R3utIGLBKOOL.dll

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs AMINIT.dll

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior;

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\iastor.sys suspicious modification

---- EOF - GMER 1.0.15 ----

Link to post
Share on other sites

Hello Guy Buttersnaps

Welcome to Malwarebytes.

=====================

Looking at your system now, one or more of the identified infections is a backdoor Trojan.

If this computer is ever used for on-line banking, I suggest you do the following immediately:

1. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

2. From a clean computer, change ALL your on-line passwords for email, for banks, financial accounts, PayPal, eBay, on-line companies, any on-line forums or groups you belong to.

Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

========================

First temporarily disable any antivirus program or any real time shields that are present:

If you do not know how then you can refer to this link:

http://www.bleepingcomputer.com/forums/topic114351.html

================

Then Download Combofix from any of the links below. You must rename it before saving it. Rename it to kahdah then save it to your desktop.

Link 1

Link 2

--------------------------------------------------------------------

Double click on kahdah.exe & follow the prompts.

  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt

============================

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

Link to post
Share on other sites

1. Open notepad and copy/paste the text in the codebox below into it:

http://forums.malwarebytes.org/index.php?showtopic=42259&st=0entry210909

Driver::
4DW4R3

Collect::
C:\WINDOWS\system32\drivers\4DW4R3SmYCAPhfkI.sys

Save this as CFScript.txt

CFScriptB-4.gif

Refering to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

  • Ensure you are connected to the internet and click OK on the message box.
  • A browser will open.
  • Simply follow the instructions to copy/paste/send the requested file.

===========

Note::

If Combofix fails to upload anything please do the following:

Go to Start > My Computer > C:\

Then Navigate to C:\Qoobox\Quarantine\[4]-Submit_Date_Time.zip

Click Here to upload the submit.zip please.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.