
Infected and stumped


RWILCO


This is the worst infection that I have seen.

The only scanner I was able to run was TDSSKiller, which found Rootkit.Win32.TDSS.TDL2 (SKYNETrdojundq)

Further scanning with TDSSKiller finds nothing.

Every other scan or tool I try is cancelled after a few seconds. I am presented with "Windows Cannot Access Specified Drive....." after trying to run the scan again.

The last straw for me was inserting a USB stick into the machine that contained RootKitUnhooker and OTL.exe... as soon as the drive was recognized I lost access to explorer.exe (taskbar etc.)

I just would like to know what the heck is on here as I've already moved this machine out of service.

Help and thank you.



I ran ATF_Cleaner.

When I try to run Combofix, the splash screen for Combofix is displayed and then disappears.

I see n.pif try to run in the processes list, but is terminated.

The AV on this machine may be running, but I can't terminate it without my desktop/taskbar. ( I see a few svchost.exe running.)

I believe this is running AVG in the background that I can't get to.

When I try to run explorer.exe I get "Windows cannot access the specified device..."

I appreciate you helping with this.


Delete the combofix you have now. Don't just rename what you have now.

Download Combofix from any of the links below but rename it to iexplore.exe before saving it to your desktop.

Download the tools needed to a flash drive or other USB device, and transfer them to the infected computer.

Note:

If combofix (iexplore.exe) won't run from the desktop, try running it from the USB device.

Link 1

Link 2 If using this link, Right Click and select Save As.

* IMPORTANT !!! Save iexplore.exe to your Desktop

Double click on iexplore.exe (the renamed ComboFix.exe) & follow the prompts.

Be sure to download any updates.

  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs
  • Double click on ComboFix.exe & follow the prompts.
    Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
    Note: If you have SP3, use the SP2 package.
    If Vista or Windows 7, skip the Recovery Console part
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

RC1.png

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.

Please do not attach the scan results from Combofix. Use copy/paste.

Also please describe how your computer behaves at the moment.


If you have taskmanager try this:

Open taskmanager (Ctrl/Alt/Del keys)> at the top left, click File> New Task> copy paste this in or type it in:

c:\windows\explorer.exe

That should show the desktop

Also you could try System Restore

Open taskmanager (Ctrl/Alt/Del keys)> at the top left, click File> New Task> copy paste this in or type it in:

c:\windows\system32\restore

double click on: rstrui.exe

run it and find a date the pc worked.

Restart PC


Yeah, like I stated earlier... When I try to run c:\windows\explorer.exe I get "Windows cannot access the specified device..."

System Restore was able to get my desktop and taskbar back.

I am still unable to run iexplorer.exe (ComboFix). I see Antivirus 2010 listed in the add/remove programs.

Was attempting to disable AV to allow ComboFix to work.


I tried to reboot in normal mode to uninstall my AV and my desktop was removed again. Then the same when I try to run c:\windows\explorer.exe I get " Windows cannot access the specified device....

I booted back into safe mode and ran the system restore again to correct this.

Looks like I won't be able to get to uninstall the programs.

I know Antivirus 2010 is fake.

Not sure where to go from here.

I appreciate your help.


Open Taskmanager (Ctrl/Alt/Del) and end the process for the file AV.EXE if listed.

Can you open Notepad?

Click: Start > All Programs> Accessories

Open Notepad, click on Format and uncheck Word Wrap.

1. launch Notepad (Start>All Programs>Accessories), and copy/paste all the Quoted REGEDIT below to it. Don't forget to include REGEDIT4.

Save in: Desktop

File Name: fixme.reg

Save as Type: All files

Click: Save

REGEDIT4

[-HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command]

[-HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command]

[-HKEY_CLASSES_ROOT\.exe\shell\open\command]

[HKEY_CLASSES_ROOT\.exe]

@="exefile"

"Content Type"="application/x-msdownload"

[-HKEY_CLASSES_ROOT\secfile]

2. Save this text as fixme.reg. Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop.

3. Double-click on fixme.reg. When it asks you to merge the information to the registry click Yes.

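The fixme.reg above works because of how the shell resolves an .exe double-click: the per-user HKEY_CURRENT_USER\Software\Classes hive is consulted before the machine-wide HKEY_CLASSES_ROOT, so a rogue that writes a command under the per-user .exe key (or redirects .exe to its own "secfile" ProgID) intercepts every program launch, including the cleanup tools. The following is an added example, not code from the thread: it parses that REGEDIT4 file, applies it to an in-memory model of the registry, and shows the resolved open command before and after. The hijacked state is constructed to match the keys the fix deletes; the path C:\evil\av.exe is hypothetical.

```python
import re

# Added example, not from the thread. The fix text is the REGEDIT4 file
# posted above, reproduced so the example runs stand-alone.
REG_FIX = r"""REGEDIT4

[-HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command]

[-HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command]

[-HKEY_CLASSES_ROOT\.exe\shell\open\command]

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[-HKEY_CLASSES_ROOT\secfile]
"""

KEY_RE = re.compile(r"\[(-?)(.+)\]")
VALUE_RE = re.compile(r'(@|"([^"]*)")=(?:"([^"]*)"|dword:([0-9a-fA-F]{8}))')


def parse_reg(text):
    """Parse REGEDIT4 text into a list of {key, delete, values} entries."""
    if not text.lstrip().startswith("REGEDIT4"):
        raise ValueError("not a REGEDIT4 file")
    entries, current = [], None
    for raw in text.splitlines()[1:]:
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.fullmatch(line)
        if m:
            current = {"key": m.group(2), "delete": m.group(1) == "-", "values": {}}
            entries.append(current)
            continue
        m = VALUE_RE.fullmatch(line)
        if m and current is not None and not current["delete"]:
            name = "" if m.group(1) == "@" else m.group(2)  # "" is the (Default) value
            value = m.group(3) if m.group(3) is not None else int(m.group(4), 16)
            current["values"][name] = value
    return entries


def put(registry, key, name, value):
    registry.setdefault(key.lower(), {})[name] = value


def apply_reg(registry, entries):
    """Apply entries to a {key: {name: value}} model. [-key] removes the key and all subkeys."""
    for e in entries:
        key = e["key"].lower()
        if e["delete"]:
            for k in [k for k in registry if k == key or k.startswith(key + "\\")]:
                del registry[k]
        else:
            registry.setdefault(key, {}).update(e["values"])
    return registry


def lookup(registry, relpath):
    """Merged view as the shell sees HKCR: per-user Classes shadows the machine hive."""
    for root in (r"HKEY_CURRENT_USER\Software\Classes", "HKEY_CLASSES_ROOT"):
        vals = registry.get((root + "\\" + relpath).lower())
        if vals is not None:
            return vals
    return None


def resolve_exe_command(registry):
    """Return the command line the shell would run for an .exe double-click."""
    direct = lookup(registry, r".exe\shell\open\command")  # verb placed directly on the extension key
    if direct and "" in direct:
        return direct[""]
    progid = (lookup(registry, ".exe") or {}).get("", "exefile")
    return (lookup(registry, progid + r"\shell\open\command") or {}).get("")


def hijacked_registry():
    """Constructed state: stock defaults plus a per-user hijack shaped like the keys
    the fix deletes. The rogue path C:\\evil\\av.exe is hypothetical."""
    reg = {}
    put(reg, r"HKEY_CLASSES_ROOT\.exe", "", "secfile")  # ProgID redirected by the rogue
    put(reg, r"HKEY_CLASSES_ROOT\.exe", "Content Type", "application/x-msdownload")
    put(reg, r"HKEY_CLASSES_ROOT\exefile\shell\open\command", "", '"%1" %*')
    rogue = '"C:\\evil\\av.exe" /START "%1" %*'
    put(reg, r"HKEY_CLASSES_ROOT\secfile\shell\open\command", "", rogue)
    put(reg, r"HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command", "", rogue)
    put(reg, r"HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command", "", rogue)
    return reg


if __name__ == "__main__":
    reg = hijacked_registry()
    print("before:", resolve_exe_command(reg))
    apply_reg(reg, parse_reg(REG_FIX))
    print("after: ", resolve_exe_command(reg))
```

One caveat a practitioner would check: the fix deletes subkeys under the per-user .exe key but never resets the (Default) value of HKEY_CURRENT_USER\Software\Classes\.exe itself, so if a rogue also pointed that value at its own ProgID, the model above returns no command at all after the merge and the key has to be cleared by hand.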

I am able to get access to my desktop by running this command:

cacls "c:\windows\explorer.exe" /G Everyone:F

I've tried to go through the Antivirus 2010 removal instructions, but RKILL does not find any processes other than itself. (http://www.bleepingcomputer.com/virus-removal/remove-antivirus-2010)

I've removed all of my AV products but I still show Antivirus 2010 and svchost.exe listed in my processes list.

Windows Defender is still installed.

I reran TDSSKiller and removed the SkyNet instance. (It was restored after the system restore(s).)

Malwarebytes closes after a second or two.

ComboFix (iexplorer.exe) still will not run.

I've started from scratch with your steps... running ATF_Cleaner, Then trying ComboFix, but it is cancelled.

I've tried random combinations of:

ATF_Cleaner

RKILL

HiJack This (Closes after a few seconds)

MalwareBytes (Closes after a few seconds)

TDSSKiller (None Found)

Rootkit Unhooker LE ( Error loading/opening driver )

OTL.exe

etc...

I must be missing something here.

I do appreciate your help with this.


Can you get a DDS scan?

Please download DDS by sUBs from one of the following links and save it to your desktop.

  • Disable any script blocking protection (How to Disable your Security Programs)
  • Double click DDS icon to run the tool (may take up to 3 minutes to run)
  • When done, DDS.txt will open.
  • After a few moments, attach.txt will open in a second window.
  • Save both reports to your desktop.

---------------------------------------------------

  • Post the contents of the DDS.txt report in your next reply
  • Attach the Attach.txt report to your post by scrolling down to the Attachments area and then clicking Browse. Browse to where you saved the file, and click Open and then click UPLOAD.


Sweet!

DDS (Ver_10-11-10.01) - NTFSx86 NETWORK

Run by Administrator at 10:40:19.82 on Fri 11/19/2010

Internet Explorer: 6.0.2900.2180

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2558.2317 [GMT -6:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\system32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\explorer.exe

F:\dds.scr

============== Pseudo HJT Report ===============

BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 8\SnagItBHO.dll

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 8\SnagItIEAddin.dll

TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll

TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File

TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /installquiet

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\snagit~1.lnk - c:\program files\techsmith\snagit 8\SnagIt32.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe

mPolicies-explorer: NoWelcomeScreen = 1 (0x1)

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1205528169187

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {FF1CD9A3-00CD-45C1-8182-4EEC229A182D} - hxxps://www.plaxo.com/activex/plx_upldr-2k-xp.cab

Notify: igfxcui - igfxsrvc.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File

============= SERVICES / DRIVERS ===============

R3 mvb35316;mvb35316;c:\windows\system32\drivers\mvb35316.sys [2003-7-16 12800]

S1 mferkdk;VSCore mferkdk;\??\c:\program files\mcafee\virusscan enterprise\mferkdk.sys --> c:\program files\mcafee\virusscan enterprise\mferkdk.sys [?]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-7-10 136176]

S2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2008-3-14 104000]

S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

=============== Created Last 30 ================

2010-11-19 15:45:02 -------- d-----w- C:\32788R22FWJFW.0.tmp

2010-11-19 15:43:20 -------- d-----w- C:\liter

2010-11-19 15:10:59 155648 ----a-w- c:\windows\system32\igfxres.dll

2010-11-19 00:10:03 -------- d-----w- c:\windows\system32\wbem\repository\FS

2010-11-19 00:10:03 -------- d-----w- c:\windows\system32\wbem\Repository

2010-11-18 23:48:44 -------- d-----w- C:\32788R22FWJFW(3)

2010-11-18 23:16:27 -------- d-----w- C:\32788R22FWJFW(2)

2010-11-17 23:55:59 150392 ----a-w- c:\windows\junction.exe

2010-11-17 23:32:36 -------- d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro

==================== Find3M ====================

2010-09-23 22:02:20 574 ----a-w- C:\cleanup.bat

2010-09-23 22:02:20 135168 ----a-w- C:\zip.exe

============= FINISH: 10:40:54.15 ===============

Attach.txt


This is the guy we're after.

c:\windows\system32\drivers\mvb35316.sys

First make sure System Restore is active.

click Start > All Programs > Accessories > System Tools > System restore

Removing this infection can kill internet access as well as system startup.

Do you have your Windows OS CD/DVD?

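How does a helper pick mvb35316.sys out of that DDS log in one glance? The SERVICES / DRIVERS lines carry the tells: the service name, its display name and the file stem are all the same meaningless, digit-heavy token, it lives in system32\drivers, and it is running (R3) on a box with no product that would own it. The script below is an added example, not DDS's own logic, that turns those tells into a scored heuristic over the log lines posted above (copied from the thread, not constructed) and also lists the "No File" entries, which are stale registry references rather than evidence of malware by themselves. The weights are hand-picked for this example.

```python
import re

# Added example. The sample is a subset of the DDS log posted in the thread.
DDS_SAMPLE = r"""
============== Pseudo HJT Report ===============
BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 8\SnagItBHO.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File
============= SERVICES / DRIVERS ===============
R3 mvb35316;mvb35316;c:\windows\system32\drivers\mvb35316.sys [2003-7-16 12800]
S1 mferkdk;VSCore mferkdk;\??\c:\program files\mcafee\virusscan enterprise\mferkdk.sys --> c:\program files\mcafee\virusscan enterprise\mferkdk.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-7-10 136176]
S2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2008-3-14 104000]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
"""

# DDS service line: "<state> <name>;<display name>;<path> [<date> <size>]" or "... [?]" when the file is missing
SERVICE_RE = re.compile(r"^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<desc>[^;]*);(?P<rest>.*)$")

# Heuristic weights, hand-tuned for this example; not a published scoring scheme.
WEIGHTS = {
    "display name is just the service name": 2,
    "digit-heavy file name": 2,
    "kernel driver in system32\\drivers": 1,
    "currently running": 1,
    "file not present on disk (stale entry)": 1,
}


def parse_services(log):
    """Extract the SERVICES / DRIVERS rows into dicts."""
    rows = []
    for line in log.splitlines():
        m = SERVICE_RE.match(line)
        if not m:
            continue
        rest = m["rest"]
        path = rest.rsplit(" [", 1)[0]       # strip the trailing "[date size]" or "[?]"
        if " --> " in path:                   # DDS prints "registry path --> resolved path"
            path = path.split(" --> ", 1)[1]
        rows.append({"state": m["state"], "name": m["name"], "desc": m["desc"],
                     "path": path, "missing": rest.endswith("[?]")})
    return rows


def digit_ratio(s):
    return sum(ch.isdigit() for ch in s) / max(len(s), 1)


def score_service(row):
    """Return (score, reasons) for one service/driver row."""
    stem = row["path"].rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    reasons = []
    if row["name"].lower() == row["desc"].lower():
        reasons.append("display name is just the service name")
    if digit_ratio(stem) >= 0.4:
        reasons.append("digit-heavy file name")
    if "\\drivers\\" in row["path"].lower():
        reasons.append("kernel driver in system32\\drivers")
    if row["state"].startswith("R"):
        reasons.append("currently running")
    if row["missing"]:
        reasons.append("file not present on disk (stale entry)")
    return sum(WEIGHTS[r] for r in reasons), reasons


def triage(log, threshold=3):
    """Rows scoring at or above threshold, highest first: (name, path, score, reasons)."""
    findings = []
    for row in parse_services(log):
        score, reasons = score_service(row)
        if score >= threshold:
            findings.append((row["name"], row["path"], score, reasons))
    return sorted(findings, key=lambda f: -f[2])


def orphaned_entries(log):
    """Registry references whose file is gone ("No File"): clutter, not malware by itself."""
    return [line for line in log.splitlines() if line.rstrip().endswith("- No File")]


if __name__ == "__main__":
    for name, path, score, reasons in triage(DDS_SAMPLE):
        print(f"{score:>2}  {name}  {path}\n    " + "; ".join(reasons))
    print(f"{len(orphaned_entries(DDS_SAMPLE))} orphaned entries")
```

A hit from this kind of scoring is a lead, not a verdict: the next step is to hash the file, check its signature and look it up before touching it, which is exactly what the helper does by asking about System Restore and the OS media first.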

If you lose your desktop again, try this:

Please download this file and Save it to your Desktop.

Open Taskmanager (Alt/Ctrl/Del) > New Task(Run...) and copy/paste the following bolded text into the Create New Task box and click OK:

"%userprofile%\desktop\Inherit.exe" "c:\Windows\explorer.exe"

Now see if explorer.exe will work.


Try this:

Open taskmanager and end the process for: mvb35316 if listed

Next:

click Start > Run > type in CMD (tap enter)

At the command prompt, note the spaces, type in: ren c:\windows\system32\drivers\mvb35316.sys mvb3516.old (tap enter)

note the spaces, type in: del c:\windows\system32\drivers\mvb3516.old (tap enter)

Type in Exit (tap enter)

Let me know if that works without any errors


This topic is now closed to further replies.