Guy Buttersnaps Posted March 4, 2010 ID:209546 Share Posted March 4, 2010 I had the search engine redirect problem recently. I ran Malwarebytes, which found a couple of item, which I told to clean, and it needed to reboot. When it reboot, I ran MWB again, and this time it gave a BSOD after about 8 seconds. Now whenever I log in with my primary login, it flashes the desktop icons, then they disappear, come back, and disappear again several times. Dr Watson gives an error, and at this point all I can do is a restart via Windows Task Manager. Loging in under my alternate login doesn't lock up , but it doesn't seem like explorer ever really loads (no desktop items, no toolbar, etc, just black background. I can ctrl-alt-del and get to Task Manager and I can run programs from there. I had to run HJT and GMER that way. Logs are attached. Any ideas? Thanks in advance...HJT log...Logfile of Trend Micro HijackThis v2.0.2Scan saved at 9:34:31 AM, on 3/4/2010Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16981)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\taskmgr.exeC:\WINDOWS\system32\ctfmon.exeC:\WINDOWS\system32\cmd.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = R3 - Default URLSearchHook is missingO2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dllO2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dllO2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dllO2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dllO3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dllO4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /autoO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKUS\S-1-5-21-602162358-2077806209-1177238915-1008\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLLO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: 55963676-2F5E-4BAF-AC28-CF26AA587566 - vpnweb.cabO16 - DPF: {A1662FB6-39BE-41BB-ACDC-0448FB1B5817} (Photo Upload Plugin Class) - http://images3.pnimedia.com/ProductAssets/...veX_Control.cabO17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ml.comO17 - HKLM\Software\..\Telephony: DomainName = ml.comO17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ml.comO17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ml.comO20 - Winlogon Notify: NotLog - C:\WINDOWS\SYSTEM32\SGLogEx.dllO20 - Winlogon Notify: SGLogNotification - C:\WINDOWS\O21 - SSODL: SnsShell - {A38300ED-853B-462b-A69F-DF0BB36B496A} - C:\Program Files\S.N.Safe&Software\Safe'n'Sec\snsshex.dll (file missing)--End of file - 3814 bytesgmer logGMER 1.0.15.15281 - http://www.gmer.netRootkit scan 2010-03-04 09:57:21Windows 5.1.2600 Service Pack 3Running: 1jx9hrgq.exe; Driver: C:\WINDOWS\TEMP\axlcruod.sys---- System - GMER 1.0.15 ----Code 9C0B9EB5 ZwCallbackReturnCode 9C0B9979 ZwEnumerateKeyCode 9C0B996F ZwSaveKeyCode 9C0B9974 ZwSaveKeyExCode 9C0B9BD2 IofCompleteRequest---- Devices - GMER 1.0.15 ----AttachedDevice \Driver\Tcpip \Device\Ip mvstdi5x.sys (Anti-Virus Mini-Firewall Driver/McAfee Inc.)AttachedDevice \Driver\Tcpip \Device\Tcp mvstdi5x.sys (Anti-Virus Mini-Firewall Driver/McAfee Inc.)AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 SGEFLT.SYS (PnP Disk Filter Driver/Utimaco Safeware AG)AttachedDevice \Driver\Tcpip \Device\Udp mvstdi5x.sys (Anti-Virus Mini-Firewall Driver/McAfee Inc.)AttachedDevice \Driver\Tcpip \Device\RawIp mvstdi5x.sys (Anti-Virus Mini-Firewall Driver/McAfee Inc.)AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)Device \FileSystem\Cdfs \Cdfs B84D5400Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Roxio)Device -> \Driver\iastor \Device\Harddisk0\DR0 8A3E3CA1---- Services - GMER 1.0.15 ----Service C:\WINDOWS\system32\drivers\4DW4R3SmYCAPhfkI.sys (*** hidden *** ) [sYSTEM] 4DW4R3 <-- ROOTKIT !!!---- Registry - GMER 1.0.15 ----Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3 Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3@start 1Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3@type 1Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3@group file systemReg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3@imagepath \systemroot\system32\drivers\4DW4R3SmYCAPhfkI.sysReg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3\connections Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3\connections@5bf3bc6c Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3\injector Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3\injector@* 4DW4R3cReg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3\modules Reg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3\modules@4DW4R3 \\?\globalroot\systemroot\system32\drivers\4DW4R3SmYCAPhfkI.sysReg HKLM\SYSTEM\CurrentControlSet\Services\4DW4R3\modules@4DW4R3c \\?\globalroot\systemroot\system32\4DW4R3utIGLBKOOL.dllReg HKLM\SYSTEM\ControlSet002\Services\4DW4R3 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\4DW4R3@start 1Reg HKLM\SYSTEM\ControlSet002\Services\4DW4R3@type 1Reg HKLM\SYSTEM\ControlSet002\Services\4DW4R3@group file systemReg HKLM\SYSTEM\ControlSet002\Services\4DW4R3@imagepath \systemroot\system32\drivers\4DW4R3SmYCAPhfkI.sysReg HKLM\SYSTEM\ControlSet002\Services\4DW4R3\connections (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\4DW4R3\connections@5bf3bc6c Reg HKLM\SYSTEM\ControlSet002\Services\4DW4R3\injector (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\4DW4R3\injector@* 4DW4R3cReg HKLM\SYSTEM\ControlSet002\Services\4DW4R3\modules (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\4DW4R3\modules@4DW4R3 \\?\globalroot\systemroot\system32\drivers\4DW4R3SmYCAPhfkI.sysReg HKLM\SYSTEM\ControlSet002\Services\4DW4R3\modules@4DW4R3c \\?\globalroot\systemroot\system32\4DW4R3utIGLBKOOL.dllReg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs AMINIT.dllReg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yesReg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000---- Disk sectors - GMER 1.0.15 ----Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior; ---- Files - GMER 1.0.15 ----File C:\WINDOWS\system32\drivers\iastor.sys suspicious modification---- EOF - GMER 1.0.15 ---- Link to post Share on other sites More sharing options...
kahdah Posted March 6, 2010 ID:210600 Share Posted March 6, 2010 Hello Guy ButtersnapsWelcome to Malwarebytes.=====================Looking at your system now, one or more of the identified infections is a backdoor Trojan.If this computer is ever used for on-line banking, I suggest you do the following immediately:1. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.2. From a clean computer, change ALL your on-line passwords for email, for banks, financial accounts, PayPal, eBay, on-line companies, any on-line forums or groups you belong to.Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.========================First temporarily disable any antivirus program or any real time shields that are present:If you do not know how then you can refer to this link:http://www.bleepingcomputer.com/forums/topic114351.html================Then Download Combofix from any of the links below. You must rename it before saving it. Rename it to kahdah then save it to your desktop.Link 1Link 2 --------------------------------------------------------------------Double click on kahdah.exe & follow the prompts. When finished, it will produce a report for you. Please post the C:\ComboFix.txt ============================We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool: http://www.bleepingcomputer.com/combofix/how-to-use-combofix* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Please include the C:\ComboFix.txt in your next reply for further review. Link to post Share on other sites More sharing options...
Guy Buttersnaps Posted March 7, 2010 Author ID:210909 Share Posted March 7, 2010 Combofix was run. Log attached.combofix.txt Link to post Share on other sites More sharing options...
kahdah Posted March 7, 2010 ID:210922 Share Posted March 7, 2010 1. Open notepad and copy/paste the text in the codebox below into it:http://forums.malwarebytes.org/index.php?showtopic=42259&st=0entry210909Driver::4DW4R3Collect::C:\WINDOWS\system32\drivers\4DW4R3SmYCAPhfkI.sysSave this as CFScript.txt Refering to the picture above, drag CFScript.txt into ComboFix.exeWhen finished, it shall produce a log for you. Post that log in your next reply.**Note** When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.Ensure you are connected to the internet and click OK on the message box. A browser will open. Simply follow the instructions to copy/paste/send the requested file.===========Note::If Combofix fails to upload anything please do the following:Go to Start > My Computer > C:\Then Navigate to C:\Qoobox\Quarantine\[4]-Submit_Date_Time.zipClick Here to upload the submit.zip please. Link to post Share on other sites More sharing options...
Guy Buttersnaps Posted March 9, 2010 Author ID:212053 Share Posted March 9, 2010 Got a BSOD multiple times after running the combofix script--may have been a problem with the disk encryption on the harddrive. Ended up doing a clean install of XP. Link to post Share on other sites More sharing options...
kahdah Posted March 9, 2010 ID:212116 Share Posted March 9, 2010 Ok thanks for letting me know. Link to post Share on other sites More sharing options...
Recommended Posts