rootkit problems - Help very much appreciated


dazza6561


Hello there.

I'm having problems implementing the instructions for creating the logs for you support guys, but I suppose I need to explain the full problem. Hopefully I will be able to keep it relatively short and simple to follow, though I sometimes ramble on.

The first sign I noticed was around two months ago. When I opened Task Manager I could see multiple entries on the Processes tab for Internet Explorer, even though IE had closed down. So I watched it from start up, and when I opened up the internet, 3 or 4 processes would open for IE at the same time. Clicking on "End process" only worked on some of them.

Then I started getting the Blue Screen Of Death. The frequency of the BSOD increased over a couple of weeks until it got to the stage where it was happening within minutes of starting up. So I took it to the PC shop and he charged me £25 for "fixing" it.

As soon as I got home the BSOD was still happening. So I followed loads of other instructions for checking these problems, such as cleaning the drivers out and using memtest to check the RAM. I also got rid of IE and installed Chrome. Task Manager shows the same thing. As soon as Chrome is started, 4 chrome.exe processes come into Task Manager.

Then I noticed that in the scan options of AVG you can conduct a scan for rootkits, so that's what I did. It turned up some results and could not delete them, so that's when I looked into using Malwarebytes. I could download and install it, but it won't run. I followed some instructions on this forum for shutting down a driver called TDSS.sys in the Device Manager, but when I clicked "Show hidden devices" it was not listed. There were two listed that had yellow icons on stating they were turned off or broken.

So then I got to wanting to create these logs for you guys. I ran fogger, then restarted. Then I ran dds but it would not complete. As it's running I can see DDS in the process list in Task Manager. Also some .DAT processes keep popping up from time to time and I guess these are dds related. It gets to around the 75% complete mark and just stops. At that point MBR.DAT is in the process list. I am unable to shut down dds so have to restart.

So I can't get dds working and I can't get Malwarebytes working.

I did a rescan with AVG and the rootkits no longer showed up.

Also, while AVG was doing the last rootkit scan (and while writing this post), a window popped up saying AVG had blocked some kind of exploit called BOOBFACTORTHUMBLOGGER.INFO/?site=28. It also said it was an exploit Blackhole exploit kit (type 2055).

Any help would be very much appreciated.

Thanks, Darren

PS: as I said, no logs to upload, but a couple of screenshots of some of the above activity.

I promise to be checking here very often for any responses so I can reply asap. Thanks again.


Hello dazza6561! Welcome to Malwarebytes Forums!

My name is Georgi and I will be helping you with your computer problems.

Before we begin, please note the following:

  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms do not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.

IMPORTANT NOTE: One or more of the identified infections is related to the rootkit Whistler. Rootkits, backdoor Trojans, Botnets, and IRCBots are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. Rootkits are used by Trojans to conceal their presence (hide from view) in order to prevent detection of an attacker's software and make removal more difficult. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is sent back to the hacker. To learn more about these types of infections, you can refer to:

If your computer was used for online banking, has credit card information or other sensitive data on it, you should stay disconnected from the Internet until your system is fully cleaned. All passwords should be changed immediately, including those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised and change each password using a clean computer, not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:

Although the infection has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired so you can never be sure that you have completely removed a rootkit. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove rootkits cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. If you decide to continue please do this:

Please download the latest version of TDSSKiller from here and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application.
  • Click the Start Scan button.
  • If a suspicious object is detected, the default action will be Skip; click on Continue.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.
  • A report will be created in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Regards,

Georgi


Hello Darren,

We need to uninstall AVG because it will conflict with our tools.

You can reinstall it at the end of the cleaning process.

Click "start" on the taskbar and then click on the "Control Panel" icon.

Please double-click the "Add or Remove Programs" icon.

A list of programs installed will be "populated" this may take a bit of time.

If they exist, uninstall the following by clicking on the following entries and selecting "remove":

AVG

Additional instructions can be found here if needed.

Next please download AVG Remover and save it to your desktop.

Run it to remove all leftovers from AVG. After this, please restart your computer.

Please download ComboFix from the link below:

Combofix

Save it to your Desktop <-- Important!!!

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.
  • Double click it & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message asking whether to continue. Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Regards,

Georgi


Ok. I'm running ComboFix but it seems to be hanging. It's been going for around half an hour now.

I un-installed AVG and ran the AVG remover tool too.

The ComboFix scan says it should take around 10 mins but could easily double for badly infected machines. I will leave it a bit longer. I'll do a screenshot too.

Thanks


Hi Georgi

I have run ComboFix a second time but it still seems to be stuck, and just now, during the scan, my desktop has disappeared but the autoscan window is still there. It has been going for 40 mins solid now. Is this too long?

Task Manager showed ComboFix using a few different processes and it seems to be stuck on one called rmbr.3xe, with the autoscan window just hanging.

Thanks.

Darren


Ok, I shut it down. It was running for 50 mins the second time and just seemed to be hanging all that time. The ComboFix programme would not end so I had to turn off the PC at the main switch.

So I can't seem to get ComboFix to work for me. It did download the recovery console thing and then I said to continue scanning, but nothing else happened. The recovery console option is now showing up when the PC starts, so it is installed.

Thanks Georgi.

Darren


Hi Darren, :)

Please don't do more than I ask you to.

Don't run ComboFix again unless instructed.

Doing so can severely cripple or render your computer unusable. Please refrain from doing so.

Keep calm, removing malware isn't a quick process.

Please delete your copy of Combofix and download a fresh one from the link above.

Save it to your Desktop.

Click on your START button and choose Run. Then copy/paste the entire content of the following quotebox (Including the "" marks and the Symbols) into the run box.

"%userprofile%\desktop\ComboFix.exe" /nombr

Click OK and this will start ComboFix.

When finished, it will produce a log. Please post the log in your next reply.

Regards,

Georgi


Hi Darren,

Please download aswMBR.exe to your desktop.

  • Double-click the aswMBR.exe icon to run it.
  • The program will offer to download the latest antivirus definitions from Avast servers. Click YES to agree.
  • When it's done, in the AV Scan drop-down options choose C:\
  • Click the Scan button to start the scan.
  • On completion of the scan, click the Save log button, save it to your desktop and post it in your next reply.

Note - do NOT attempt any Fix or FixMBR yet.

Regards,

Georgi


Hi Darren,

Run Scan with Malwarebytes

I see you have Malwarebytes' Anti-Malware installed on your computer.

Please start the application by double-clicking on its icon.

Once the program has loaded go to the UPDATE tab and check for updates.

When the update is complete, select the Scanner tab

Select Perform quick scan, then click Scan.

When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click Remove Selected.

When completed, a log will open in Notepad.

Please save it to a convenient location and post the results in your next reply.

Please download Rootkit Unhooker from one of the following links and save it to your desktop.

Link 1 (.exe file)
Link 2 (zipped file)
Link 3 (.rar file)

In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracting ZIP and RAR compressed files. If you don't have an extraction program, you can download, install and use the free 7-Zip utility.

  • Double-click on RKUnhookerLE.exe to start the program.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • Click the Report tab, then click Scan.
  • Check Drivers, Stealth, and uncheck the rest.
  • Click OK.
  • Wait until it's finished and then go to File > Save Report.
  • Save the report to your Desktop.
  • Copy and paste the contents of the report into your next reply.

-- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".

We need to run an OTL Custom Scan

  1. Please download OTL from the link below:
  2. Save it to your desktop.
  3. Double-click on the OTL icon on your desktop.
  4. OTL should now start. Change the following settings:
     - Click on the Scan All Users checkbox given at the top.
     - Under File Scans, change File age to 90.
     - On the upper right be sure Use Company-Name WhiteList, Skip Microsoft Files and Use No-Company-Name-Whitelist are checked.
     - Check the boxes beside LOP Check and Purity Check.
  5. Copy and paste the following code into the Custom Scans/Fixes textbox.

    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    %SYSTEMDRIVE%\*.*
    %USERPROFILE%\*.*
    %USERPROFILE%\Application Data\*.*
    %USERPROFILE%\Local Settings\Application Data\*.*
    %AllUsersProfile%\*.*
    %AllUsersProfile%\Application Data\*.*
    %USERPROFILE%\My Documents\*.*
    %CommonProgramFiles%\*.*
    %PROGRAMFILES%\*.*
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /90
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\*. /mp /s
    /md5start
    hlp.dat
    iexplore.exe
    /md5stop

  6. Push the Run Scan button.
  7. Two reports will open; copy and paste them in a reply here:

  • OTL.txt <-- Will be opened
  • Extra.txt <-- Will be minimized

Regards,

Georgi


Hello Georgi.

I said in my first post that Malwarebytes was unable to run, which was why I couldn't give you the log file from it. I have un-installed it and re-installed it but it still would not start.

RootKit Unhooker and OTL both worked though. Here are the logs.

Thanks.

Darren

RootKit Report

RkU Version: 3.8.389.593, Type LE (SR2)

==============================================

OS Name: Windows XP

Version 5.1.2600 (Service Pack 3)

Number of processors #2

==============================================

>Drivers

==============================================

0xF5F5D000 H:\WINDOWS\system32\DRIVERS\nv4_mini.sys 12546048 bytes (NVIDIA Corporation, NVIDIA Windows XP Miniport Driver, Version 280.26 )

0xBD012000 H:\WINDOWS\System32\nv4_disp.dll 4214784 bytes (NVIDIA Corporation, NVIDIA Windows XP Display driver, Version 280.26 )

0x804D7000 H:\WINDOWS\system32\ntkrnlpa.exe 2154496 bytes (Microsoft Corporation, NT Kernel & System)

0x804D7000 PnpManager 2154496 bytes

0x804D7000 RAW 2154496 bytes

0x804D7000 WMIxWDM 2154496 bytes

0xBF800000 Win32k 1859584 bytes

0xBF800000 H:\WINDOWS\System32\win32k.sys 1859584 bytes (Microsoft Corporation, Multi-User Win32 Driver)

0xF2EB7000 H:\WINDOWS\system32\drivers\sthda.sys 1015808 bytes (SigmaTel, Inc., NDRC)

0xF2D3F000 H:\WINDOWS\System32\Drivers\sonypvf2.SYS 622592 bytes (Sony Corporation, File System Driver)

0xF730C000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)

0xF2B10000 H:\WINDOWS\System32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)

0xF2CAF000 H:\WINDOWS\System32\Drivers\sonypvt2.SYS 425984 bytes (Sony Corporation, File System Driver)

0xF5DC9000 H:\WINDOWS\System32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)

0xF2C43000 H:\WINDOWS\System32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)

0xB79D8000 H:\WINDOWS\System32\DRIVERS\srv.sys 360448 bytes (Microsoft Corporation, Server driver)

0xBD417000 H:\WINDOWS\System32\ATMFD.DLL 290816 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)

0xB7AF8000 H:\WINDOWS\system32\DRIVERS\atksgt.sys 274432 bytes

0xB740B000 H:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)

0xB782B000 H:\WINDOWS\system32\DRIVERS\ctoss2k.sys 204800 bytes (Creative Technology Ltd., Creative OS Services Driver (WDM))

0xF5E27000 H:\WINDOWS\System32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)

0xF7463000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)

0xF5EA2000 H:\WINDOWS\system32\DRIVERS\hcwPP2.sys 188416 bytes (Hauppauge Computer Works, Inc., WinTV PVR PCI II (v2) WDM Video Capture)

0xF5EF4000 H:\WINDOWS\system32\DRIVERS\e1e5132.sys 184320 bytes (Intel Corporation, Intel® PRO/1000 Adapter NDIS 5.1 deserialized driver)

0xF72DF000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)

0xB7110000 H:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)

0xF2B80000 H:\WINDOWS\System32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)

0xB785D000 H:\WINDOWS\system32\drivers\ctusfsyn.sys 163840 bytes (Creative Technology Ltd., Creative SoundFont Synthesizer (32-bit))

0xF5F21000 H:\WINDOWS\system32\DRIVERS\HDAudBus.sys 163840 bytes (Windows ® Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)

0xF2C1B000 H:\WINDOWS\System32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)

0xB7804000 H:\WINDOWS\system32\DRIVERS\ctsfm2k.sys 159744 bytes (Creative Technology Ltd, SoundFont® Manager (WDM))

0xF740D000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)

0xF2BCD000 H:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)

0xF33C5000 H:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))

0xF5ED0000 H:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)

0xF5E7F000 H:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)

0xF2BAB000 H:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)

0x806E5000 ACPI_HAL 134400 bytes

0x806E5000 H:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)

0xF73D5000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)

0xF7433000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)

0xF33E9000 H:\WINDOWS\system32\drivers\nvhda32.sys 114688 bytes (NVIDIA Corporation, NVIDIA HDMI Audio Driver)

0xF72A0000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)

0xF73F5000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)

0xF2ABC000 H:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes

0xF73AC000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)

0xF5E68000 H:\WINDOWS\System32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))

0xB799B000 H:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)

0xF2AFC000 H:\WINDOWS\system32\DRIVERS\ctxusbm.sys 81920 bytes (Citrix Systems, Inc., Citrix USB Filter Driver)

0xF5F49000 H:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)

0xF2C9C000 H:\WINDOWS\System32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)

0xF72CC000 sfvfs02.sys 77824 bytes (Protection Technology, StarForce Protection VFS Driver)

0xF7399000 WudfPf.sys 77824 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Platform Driver)

0xBD000000 H:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)

0xF72BA000 sfdrv01.sys 73728 bytes (Protection Technology, StarForce Protection Environment Driver)

0xF73C3000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)

0xF7452000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)

0xF5E57000 H:\WINDOWS\System32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)

0xF7712000 H:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)

0xF77F2000 H:\WINDOWS\System32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)

0xF7662000 H:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)

0xF7802000 H:\WINDOWS\System32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)

0xB7B8B000 H:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)

0xF7672000 H:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)

0xF75D2000 H:\WINDOWS\System32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)

0xF75F2000 H:\WINDOWS\System32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)

0xF75B2000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)

0xF7612000 H:\WINDOWS\System32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)

0xF76F2000 H:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)

0xF77E2000 H:\WINDOWS\System32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)

0xF75A2000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)

0xF7602000 H:\WINDOWS\System32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)

0xF7592000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)

0xF7642000 H:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)

0xF7632000 H:\WINDOWS\System32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)

0xF2E07000 H:\WINDOWS\System32\Drivers\BlackBox.SYS 36864 bytes (RKU Driver)

0xF75C2000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)

0xF7722000 H:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)

0xF77D2000 H:\WINDOWS\System32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)

0xF7732000 H:\WINDOWS\system32\DRIVERS\KMWDFILTER.sys 36864 bytes (Windows ® Codename Longhorn DDK provider, KMWDFilter Driver from UASSOFT.COM)

0xF7622000 H:\WINDOWS\System32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)

0xF76C2000 H:\WINDOWS\System32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)

0xF76B2000 H:\WINDOWS\System32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)

0xF7992000 H:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)

0xF7832000 sfhlp02.sys 32768 bytes (Protection Technology, StarForce Protection Helper Driver)

0xF7932000 H:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)

0xF797A000 H:\WINDOWS\System32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)

0xF7812000 H:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)

0xF799A000 H:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 28672 bytes (Microsoft Corporation, USB Mass Storage Class Driver)

0xF7952000 H:\WINDOWS\System32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)

0xF795A000 H:\WINDOWS\System32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)

0xF792A000 H:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)

0xF7982000 H:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)

0xF78CA000 H:\WINDOWS\system32\DRIVERS\lirsgt.sys 20480 bytes

0xF798A000 H:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)

0xF781A000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)

0xF7942000 H:\WINDOWS\System32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)

0xF7822000 PxHelp20.sys 20480 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)

0xF794A000 H:\WINDOWS\System32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)

0xF782A000 sonypvl2.sys 20480 bytes (Sony Corporation, FS Filter Driver)

0xF793A000 H:\WINDOWS\System32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)

0xF785A000 H:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)

0xF7260000 H:\WINDOWS\System32\DRIVERS\kbdhid.sys 16384 bytes (Microsoft Corporation, HID Mouse Filter Driver)

0xF6B6C000 H:\WINDOWS\System32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)

0xB7D63000 H:\WINDOWS\System32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)

0xF79A2000 H:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)

0xF2D2F000 H:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)

0xF5545000 H:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)

0xF725C000 H:\WINDOWS\System32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)

0xF71FF000 H:\WINDOWS\System32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)

0xF7230000 H:\WINDOWS\System32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)

0xF720B000 H:\WINDOWS\System32\drivers\ws2ifsl.sys 12288 bytes (Microsoft Corporation, Winsock2 IFS Layer)

0xF7AD8000 H:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)

0xF7A96000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)

0xF7AFE000 H:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes

0xF7AD6000 H:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)

0xF7A92000 H:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)

0xF7B56000 H:\WINDOWS\System32\Drivers\MASPINT.SYS 8192 bytes (MicroStaff Co.,Ltd., Aspi32 Driver)

0xF7ADA000 H:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)

0xF7ADC000 H:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)

0xF7ACA000 H:\WINDOWS\System32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)

0xF7AD0000 H:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)

0xF7A94000 H:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)

0xF7CD9000 H:\WINDOWS\System32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)

0xF7CD6000 H:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)

0xF7C30000 H:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)

0xF7B5A000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)

==============================================

>Stealth

==============================================

Nothing detected :(

OTL.Txt

Extras.Txt
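The driver listing above is in Rootkit Unhooker's report format: a load address, a path (or a bare module alias), an image size, and, when the file carries version information, a parenthesised vendor and description. As an added illustration that is not part of this thread and is not code from the Rootkit Unhooker project, here is a small Python triage script that parses that format, groups the aliases the tool prints for one load address (the kernel image appears as ntkrnlpa.exe, PnpManager, RAW and WMIxWDM at the same address), and lists the file-backed drivers that RkU could not attribute to any vendor. The sample report is a constructed subset of the lines posted above; the line pattern, the comma split of the vendor block, and the decision to treat dump_* entries as the benign crash-dump copies Windows XP keeps of its boot storage drivers are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One driver line in a Rootkit Unhooker (RkU) report looks like:
#   0xF5F5D000 H:\WINDOWS\system32\DRIVERS\nv4_mini.sys 12546048 bytes (NVIDIA Corporation, NVIDIA Windows XP Miniport Driver, Version 280.26 )
# Modules without embedded version information are printed with no
# parenthesised block, so that group is optional. The pattern is an
# assumption made for this example, not a specification from the RkU project.
LINE_RE = re.compile(
    r"^0x(?P<base>[0-9A-Fa-f]{8})\s+"      # load address
    r"(?P<path>.+?)\s+"                   # full path, or a bare module name/alias
    r"(?P<size>\d+) bytes"                # image size
    r"(?:\s+\((?P<info>.*)\))?\s*$"       # optional "(vendor, description)"
)

# Constructed sample: a subset of the report posted in the thread above.
SAMPLE_REPORT = r"""RkU Version: 3.8.389.593, Type LE (SR2)
==============================================
>Drivers
==============================================
0x804D7000 H:\WINDOWS\system32\ntkrnlpa.exe 2154496 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2154496 bytes
0x804D7000 RAW 2154496 bytes
0xB7AF8000 H:\WINDOWS\system32\DRIVERS\atksgt.sys 274432 bytes
0xF2ABC000 H:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xF78CA000 H:\WINDOWS\system32\DRIVERS\lirsgt.sys 20480 bytes
0xF740D000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0xF2E07000 H:\WINDOWS\System32\Drivers\BlackBox.SYS 36864 bytes (RKU Driver)
==============================================
>Stealth
==============================================
Nothing detected :(
"""


@dataclass
class DriverEntry:
    base: int                   # load address
    path: str                   # full path, or a bare alias for kernel modules
    size: int                   # image size in bytes
    vendor: Optional[str]       # first field of the parenthesised block, if any
    description: Optional[str]  # remainder of that block, if any


def parse_report(text: str) -> List[DriverEntry]:
    """Parse the >Drivers section of an RkU report into DriverEntry records."""
    entries: List[DriverEntry] = []
    in_drivers = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(">"):              # section header: >Drivers, >Stealth, ...
            in_drivers = (line == ">Drivers")
            continue
        if not in_drivers or not line or line.startswith("="):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue                          # unrecognised line: skip rather than guess
        vendor = description = None
        info = m.group("info")
        if info:
            # Heuristic split on the first comma, so "Microsoft Corp., Veritas Software, ..."
            # yields vendor "Microsoft Corp." and the rest as the description.
            head, _, tail = info.partition(",")
            vendor = head.strip()
            description = tail.strip() or None
        entries.append(DriverEntry(int(m.group("base"), 16), m.group("path"),
                                   int(m.group("size")), vendor, description))
    return entries


def aliases_by_base(entries: List[DriverEntry]) -> Dict[str, List[str]]:
    """Group entries that share a load address; RkU prints one line per alias of a module."""
    groups: Dict[int, List[str]] = {}
    for e in entries:
        groups.setdefault(e.base, []).append(e.path)
    return {f"0x{base:08X}": paths for base, paths in groups.items() if len(paths) > 1}


# Assumption for this example: dump_* images are the copies Windows XP keeps of the
# boot storage drivers for writing crash dumps; they carry no version resource.
BENIGN_UNTAGGED_PREFIXES = ("dump_",)


def unattributed_files(entries: List[DriverEntry]) -> List[str]:
    """File-backed drivers RkU could not attribute to a vendor (a triage list, not a verdict)."""
    names: List[str] = []
    for e in entries:
        if e.vendor is not None or "\\" not in e.path:
            continue                          # attributed, or a bare kernel alias such as RAW
        name = e.path.rsplit("\\", 1)[-1]
        if name.lower().startswith(BENIGN_UNTAGGED_PREFIXES):
            continue
        names.append(name)
    return names


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    print(f"{len(found)} driver entries parsed")
    for base, paths in aliases_by_base(found).items():
        print(f"{base}: {', '.join(paths)}")
    print("Unattributed file-backed drivers:", ", ".join(unattributed_files(found)))
```

A driver without embedded vendor information is a reason to look the file up (vendor site, hash lookup, file properties) rather than a verdict: plenty of legitimately installed third-party drivers ship without a version resource, and RkU's own BlackBox.SYS is attributed only as "RKU Driver". The alias grouping matters in the other direction: four lines at 0x804D7000 are one kernel image, not four kernels, so a reader should not count them as separate suspicious modules.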


Hi Darren,

I said in my first post that Malwarebytes was unable to run, which was why I couldn't give you the log file from it. I have un-installed it and re-installed it but it still would not start.

I saw that. However I wanted to give it a try as we cured the MBR infection.

Let's do a few more investigations.

We need to run an OTL Fix

  1. Please reopen OTL on your desktop.
  2. Copy and paste the following code into the Custom Scans/Fixes textbox. Do not include the word "Code".

    :OTL
    O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O3 - HKU\S-1-5-21-1275210071-436374069-839522115-1003\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    @Alternate Data Stream - 55920 bytes -> H:\Documents and Settings\All Users\Desktop:$SS_DESCRIPTOR_MVPUV9PFSVXJKX69UK1CWPP0DTVNYKM1UVXPJCEPP4DMJ3K1XYE7LRJEM53EPPJCFLPXB564BPLBB5N14D0B8F0LFUTVLJVMVFVV14TE
    :commands
    [reboot]


  3. Push the Run Fix button.
  4. OTL may ask to reboot the machine. Please do so if asked.
  5. Click OK.
  6. A report will open. Copy and Paste that report in your next reply.
  7. If a report is not shown please navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present.
  8. Copy/paste the content of the log back here in your next post.

Double click aswMBR.exe to start the tool. At this time, select No when prompted to download the Avast database.

  • Click Scan
  • Upon completion of the scan, click Save log and save it to your desktop, and post that log in your next reply for review. Note - do NOT attempt any Fix or FixMBR yet.
  • You will also notice another file created on the desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) file. Attach that zipped file in your next reply as well.

Please delete your copy of TDSSKiller and download the latest version from here and save it to your Desktop.

  • Doubleclick on TDSSKiller.exe to run the application.
  • Click the Start Scan button.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download GMER from one of the following locations and save it to your desktop:

  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

-- If you encounter any problems, try running GMER in safe mode.

-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.

I said in my first post that Malwarebytes was unable to run, which was why I couldn't give you the log file from it. I have un-installed it and re-installed it but it still would not start.

Did you get any error messages? Also, did you try the latest version?

We need to scan the system with this special tool.

  • Please download Junction.zip and save it.
  • Unzip it and put junction.exe in the Windows directory (C:\Windows).
  • Go to Start => Run... => Copy and paste the following command in the run box and click OK:
    cmd /c junction -s c:\ >log.txt&log.txt& del log.txt
    A command window opens starting to scan the system. Wait until a log file opens. Copy and paste or attach the content of it.

Regards,

Georgi


Hello Georgi. Sorry for the delay. The scanning took an extremely long time yesterday and had one or two problems.

First, I did the OTL fix and it seemed to run ok. Log attached.

aswMBR.exe took a very long time and eventually failed so no log for that.

TDSSKiller seemed to work ok, log attached.

GMER took a very long time (7-8hrs) mainly because of all my game files. It failed so I ended up running it in safe mode with the devices checkbox unchecked. Log attached. Gmer showed up some files that I had problems with in the past. The problem is because they have very long file/path names which exceed the character limit, so I don't think those files are malicious.

I could not get the Junction thing to work. Possibly because my hard drive is called H: and not C:. I did change the C: to an H: in your command text, but it still did not run properly; a CMD box did open up but nothing happened.

Thanks very much Georgi.

Darren

otl2.log

TDSSKiller.2.6.2.0_28.09.2011_18.01.06_log.txt

gmerlog.log


Sorry Georgi, I forgot to say about Malwarebytes. I downloaded it from these forums. It installs no problem but it fails to run. There is no error message, just nothing at all. Nothing appears in the task manager either. I did an un-install and re-install but still the same.

Thanks again friend


Hello Darren,

I would like to take a look at your MBR before we continue.

Please go to this site and download MBRFix.exe.

Scroll down to locate mbrfix.exe, and in the lower right corner of the tool info, you'll see the Download link. Save it directly to the H:\ drive and extract all files there.

Next, click Start => Run and copy/paste the following into the Run box and click OK:

cmd /c MbrFix /drive 0 savembr H:\darrenmbr

You should now see the darrenmbr on your H:\ drive.

Please zip that file and attach in your next reply.

About the Malwarebytes issue please do this:

Click "start" on the taskbar and then click on the "Control Panel" icon.

Please doubleclick the "Add or Remove Programs" icon

A list of installed programs will be "populated"; this may take a bit of time.

If they exist, uninstall the following by clicking on the following entries and selecting "remove":

Windows Defender

Malwarebytes' Anti-Malware

Additional instructions can be found here if needed.

Next please:

Download the MBAM Cleanup Utility from here.

Double-click on mbam-clean.exe to start the utility.

When the cleanup routine has finished, it will ask to reboot your computer. Please allow it to do so; this is very important.

After the computer restarts, please download Malwarebytes Anti-Malware 1.51.2.1300 Final and save it to your desktop.

Install it and see if it will start now.

Keep me posted about the results.

Regards,

Georgi

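One way to look at a saved MBR dump such as darrenmbr before attaching it, as an added example that is not part of this thread and not the MbrFix tool: a small Python parser that decodes the four partition entries, checks the 55AA boot signature and hashes the boot-code area so the dump can be compared against a later one. The sample MBR it builds is constructed for illustration, not Darren's actual dump.

```python
import hashlib
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
PART_ENTRY_FMT = "<B3xB3xII"

def parse_mbr(data: bytes) -> dict:
    """Decode a raw 512-byte MBR image into boot code digest, disk signature and partition table."""
    if len(data) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(data)}")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            PART_ENTRY_FMT, data, PART_TABLE_OFFSET + 16 * i)
        if ptype == 0:  # empty slot
            continue
        partitions.append({"index": i, "active": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(data[:440]).hexdigest(),
        "boot_code_all_zero": not any(data[:440]),
        "disk_signature": struct.unpack_from("<I", data, 440)[0],
        "valid_signature": data[510:512] == b"\x55\xAA",
        "partitions": partitions,
    }

def sanity_check(mbr: dict) -> list:
    """Structural findings worth a second look; an empty list means nothing odd was seen."""
    findings = []
    if not mbr["valid_signature"]:
        findings.append("boot signature 55AA missing")
    if mbr["boot_code_all_zero"]:
        findings.append("boot code area is all zeros")
    active = [p for p in mbr["partitions"] if p["active"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected exactly 1)")
    for p in mbr["partitions"]:
        if p["lba_start"] == 0 or p["sectors"] == 0:
            findings.append(f"partition {p['index']} has a zero start or length")
    return findings

def build_sample_mbr() -> bytes:
    """Constructed sample (not a real dump): XP-style boot-code prologue, one active NTFS partition."""
    boot_code = b"\x33\xC0\x8E\xD0\xBC\x00\x7C".ljust(440, b"\x00")
    entry = struct.pack(PART_ENTRY_FMT, 0x80, 0x07, 63, 2_000_000)
    return boot_code + struct.pack("<I", 0xDEADBEEF) + b"\x00\x00" + entry + b"\x00" * 48 + b"\x55\xAA"
```

To run it on a real dump, call `sanity_check(parse_mbr(open(r"H:\darrenmbr", "rb").read()))`; the hash lets you tell whether the boot code changed between two saves.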

Hello Georgi.

No success there I'm afraid. I downloaded the mbrfix and then pasted the code in as you said but nothing happened and no darrenmbr file appeared.

I removed malwarebytes and re-installed but the same thing happens, nothing. It's as though something has told the registry never to run malwarebytes or something. It installs no problem and asks to update, but when I agree, it's as though I closed the programme. If I then doubleclick its icon, nothing happens. Same if I choose it from the start-all programmes menu. Nothing happens at all.

Thanks for sticking with it this long.

Darren


Hello Darren,

Did you uninstall Windows Defender as I described in my previous post?

Please navigate to C:\Qoobox and attach the "Add-Remove programs.txt" in your next reply.

Do you use dual boot system?

Please download BootCheck.exe to your desktop.

  • Double click BootCheck.exe to run the check
  • When complete, a Notepad window will open with a report
  • Please copy and paste the contents of this report in your next reply

Next please

Click Start => Run and type in cmd to open the command window.

A black window will appear on the screen where you must enter the commands.

Type in the following and press Enter:

MbrFix /drive 0 savembr H:\darrenmbr

There should be darrenmbr on the H:\ drive. Zip it up and attach it in your next reply.

Regards,

Georgi


Hello Georgi.

Yes, I uninstalled windows defender.

Qoobox and Bootcheck logs attached.

I clicked start - Run and then typed cmd. I typed your command into the box and it said -- MbrFix is not recognised as an internal or external command.

I'm not sure what a "dual boot system" is, so if I am using one it is used by default, though I have not seen any reference anywhere to a dual boot system.

Thanks very much.

Darren

Add-Remove Programs.txt

bootcheck.txt


Hi Darren,

MbrFix is not recognised as an internal or external command

Where did you extract the MBRFIX archive?

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :filefind
    mbrfix.exe


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

Please note - all text entries are case sensitive (spacing is extremely important in typing the command or you'll get that message).

Regards,

Georgi
