
Hacker controlling my PC, unknown virus, rootkit [Solved]


This topic is locked

#16 trampas (Topic Starter, Member, 99 posts)

Hi semp

I have a list of about 9 suspicious activities. Out of these maybe a couple will not be relevant but the others probably are. Most of them date from before 3 Feb which is when I posted my concerns on here.

The worst activities occur when the PC is connected to the internet (see original post) but one more point is perhaps relevant. The hacker is currently involved in trying to control the PC and may also be reading this forum. It would not be hard to search for my PC name and find this thread. But it would not be in the hacker's interest to prove his presence to you, though obviously he has done so to me. Otherwise I wouldn't be posting.

I'm a bit surprised that I have had so much difficulty in running GMER. Its completion rate is very poor, maybe 1 in 10. I ran it once and it was killed outright by 'something' on my desktop before it could do anything. That doesn't sound like a problem with GMER. And changing its name has made a difference as well. That's very suspicious. (To confirm: all of the comments about GMER come from after I uninstalled ThreatFire).

From your question I'm thinking that there's a limit to how much more you can help. I guess some rootkits are virtually undetectable, apart from their activities. :(

In terms of unhooking the rootkit I had hoped that something else was available as a tool. IceSword highlights that the ZoneAlarm file vsdatant.sys as suspicious - I tend to ignore this. However it reports a further 12 suspicious instances of an 'unknown' KModule in the SSDT test.

The rootkit on my PC is hiding a virus but that rootkit/virus combo may not be designed to propagate across the internet so I don't necessarily think that the rootkit will become widely known. For this reason alone it might not be detectable by any virus signature. After all, how many PCs can a hacker take a personal interest in? That seems to be the case here and I guess that's rare. I can discuss further on a private conversation.

trampas

Edited by trampas, 17 February 2012 - 03:52 PM.


#17 sempai (Trusted Helper, Malware Removal, 785 posts)

From your question I'm thinking that there's a limit to how much more you can help.

It's simply because nothing yet is showing in your logs and I cannot remove what I cannot see. This is why if you think that this system is compromised then you cannot trust this system anymore and you must wipe everything and start from scratch again.

Let's run Combofix, I don't expect it to find anything but it might reveal something.


Download Combofix (by Subs) from any of the links below, make sure that you save it to your desktop.

Link 1
Link 2

  • It's important to temporarily disable your anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. See HERE
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

*It's strongly recommended to have this pre-installed on your machine before doing any malware removal.
*The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
*This allows us to more easily help you should your computer have a problem after an attempted removal of malware.

  • If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures. If you did not have it installed, you will see the prompt below. Choose YES.

Posted Image


  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Important notes:

  • Leave your computer alone while ComboFix is running.
  • ComboFix will restart your computer if malware is found; allow it to do so.
  • ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  • Please do not mouseclick ComboFix's window while it's running because it may cause it to stall.
  • ComboFix SHOULD NOT be used unless requested by a forum helper. See HERE.



#18 sempai (Trusted Helper, Malware Removal, 785 posts)

Also, please run a scan with Rootkit Unhooker.


Please download Rootkit Unhooker from one of the following links and save it to your desktop.
Link 1 (.exe file)
Link 2 (zipped file)
Link 3 (.rar file)

In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracting ZIP and RAR compressed files. If you don't have an extraction program, you can download, install and use the free 7-zip utility.

  • Double-click on RKUnhookerLE.exe to start the program.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • Click the Report tab, then click Scan.
  • Check Drivers, Stealth, and uncheck the rest.
  • Click OK.
  • Wait until it's finished and then go to File > Save Report.
  • Save the report to your Desktop.
  • Copy and paste the contents of the report into your next reply.
-- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".

#19 trampas (Topic Starter, Member, 99 posts)

Hi semp

Thanks for the 2 latest applications to run. RootkitUnhooker detected nothing for Drivers and Stealth. The report was very brief.

Here is the report for ComboFix :

trampas


ComboFix 12-02-17.02 - Owner 19/02/2012 7:04.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.276 [GMT 10:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: Avira Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\WindowsUpdate.log . . . . Failed to delete
.
.
((((((((((((((((((((((((( Files Created from 2012-01-18 to 2012-02-18 )))))))))))))))))))))))))))))))
.
.
2012-02-18 00:44 . 2012-02-18 00:32 136504 ----a-w- c:\windows\system32\drivers\strings.exe
2012-02-03 22:21 . 2012-02-03 22:21 -------- d-----w- c:\program files\eSupport.com
2012-02-03 09:34 . 2012-02-03 09:34 -------- d--h--w- c:\windows\PIF
2012-02-03 09:01 . 2012-02-03 10:42 -------- d-----w- c:\program files\RkUnhooker
2012-02-01 20:23 . 2012-02-01 20:23 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2012-02-01 19:48 . 2012-02-01 19:48 -------- d-----w- c:\documents and settings\Administrator
2012-01-30 04:37 . 2012-01-30 23:42 -------- d-----w- c:\documents and settings\Unpriv\Local Settings\Application Data\Google
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-16 22:56 . 2011-11-02 07:20 137416 ----a-w- c:\windows\system32\drivers\avipbb.sys
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2011-03-06 . 1B4E3AF654F96D1689F9186F2BD26407 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\system32\\NVMCTRAY.DLL" [2003-04-02 49152]
"Mobile Partner"="c:\program files\3 MobileBroadband\3 MobileBroadband.exe" [2011-11-02 110592]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TCASUTIEXE"="TCAUDIAG.exe -on" [X]
"NvCplDaemon"="c:\windows\system32\\NVCpl.dll" [2003-04-02 4616192]
"nwiz"="nwiz.exe" [2003-04-02 323584]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-04-04 774144]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2011-03-17 1043968]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-10-05 258512]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
.
R0 viaraid;viaraid;c:\windows\system32\drivers\viaraid.sys [3/6/2011 1:51 PM 73856]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [11/2/2011 5:20 PM 36000]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/2/2011 5:20 PM 86224]
R2 tcaicchg;tcaicchg;c:\windows\system32\TCAICCHG.SYS [6/7/2000 4:08 AM 21233]
R2 TCAITDI;TCAITDI Protocol;c:\windows\system32\drivers\TCAITDI.SYS [9/4/2001 9:22 PM 19534]
S0 NVDual;NVDual;c:\windows\system32\DRIVERS\nvDual.sys --> c:\windows\system32\DRIVERS\nvDual.sys [?]
S3 65300698;65300698; [x]
S3 AXHSXR;AXHSXR;c:\docume~1\Owner\LOCALS~1\Temp\AXHSXR.exe --> c:\docume~1\Owner\LOCALS~1\Temp\AXHSXR.exe [?]
S3 rkhdrv40;Rootkit Unhooker Driver; [x]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-19 07:12
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\TCAUDIAG.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
.
**************************************************************************
.
Completion time: 2012-02-19 07:14:15 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-18 21:14
.
Pre-Run: 56,793,047,040 bytes free
Post-Run: 57,259,573,248 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 6F73608C206BF58016FCF6C6392C0B88
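The service/driver section of the ComboFix log above (the R0/R1/S3 lines) is the part a helper reads first, because it is where an unexpected driver would show up. What follows is an added example, not ComboFix's own code and not anything posted in the thread: a small Python triage script that parses those lines and flags entries worth a second look. The field layout (`STATE name;display;image_path [meta]`, with `[x]` for a missing image file and `[?]` for one ComboFix could not verify) is inferred from the log above and is an assumption. The flags are review prompts, not verdicts: the thread itself shows Rootkit Unhooker's own leftover driver as an `[x]` entry, and some scanners register short-lived drivers under random names.

```python
"""Triage the service/driver section of a ComboFix log (added example).

Line layout assumed from the log posted in the thread:
    STATE name;display;image_path [meta]
where [meta] is a date/size, [x] when the image file is missing, or [?]
when ComboFix could not verify the file. Not ComboFix code.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the service lines from the log above.
SAMPLE_LOG = r"""
R0 viaraid;viaraid;c:\windows\system32\drivers\viaraid.sys [3/6/2011 1:51 PM 73856]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [11/2/2011 5:20 PM 36000]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/2/2011 5:20 PM 86224]
S0 NVDual;NVDual;c:\windows\system32\DRIVERS\nvDual.sys --> c:\windows\system32\DRIVERS\nvDual.sys [?]
S3 65300698;65300698; [x]
S3 AXHSXR;AXHSXR;c:\docume~1\Owner\LOCALS~1\Temp\AXHSXR.exe --> c:\docume~1\Owner\LOCALS~1\Temp\AXHSXR.exe [?]
S3 rkhdrv40;Rootkit Unhooker Driver; [x]
"""

ENTRY_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]*);(?P<display>[^;]*);(?P<rest>.*)$")
META_RE = re.compile(r"^(?P<path>.*?)\s*\[(?P<meta>[^\]]*)\]$")
# Image paths under a Temp directory (the 8.3 form "LOCALS~1\Temp" included).
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)


@dataclass
class ServiceEntry:
    state: str        # R = running, S = stopped; the digit is the start type
    name: str
    display: str
    image_path: str   # empty when ComboFix printed no path
    status: str       # "ok", "missing" ([x]) or "unverified" ([?])
    flags: list = field(default_factory=list)


def _flags_for(entry: ServiceEntry) -> list:
    """Review prompts, not verdicts: legitimate tools trip some of these too."""
    flags = []
    if entry.status == "missing":
        flags.append("missing_file")
    if entry.status == "unverified":
        flags.append("unverified")
    if entry.name.isdigit():
        flags.append("numeric_name")   # random numeric service names deserve a look
    if TEMP_RE.search(entry.image_path):
        flags.append("temp_path")      # drivers and services should not live in Temp
    return flags


def parse_services(log_text: str) -> list:
    """Parse every service/driver line in the text into a ServiceEntry."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest").strip()
        meta_match = META_RE.match(rest)
        if meta_match:
            path, meta = meta_match.group("path"), meta_match.group("meta")
        else:
            path, meta = rest, ""
        status = {"x": "missing", "?": "unverified"}.get(meta, "ok")
        if " --> " in path:    # ComboFix echoes "registered --> resolved" paths
            path = path.split(" --> ", 1)[0]
        entry = ServiceEntry(m.group("state"), m.group("name"),
                             m.group("display"), path.strip(), status)
        entry.flags = _flags_for(entry)
        entries.append(entry)
    return entries


def triage(log_text: str) -> list:
    """Return only the entries that carry at least one flag."""
    return [e for e in parse_services(log_text) if e.flags]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.state} {e.name:<12} {e.status:<10} {', '.join(e.flags):<26} {e.image_path}")
```

On a real machine the text would come from C:\ComboFix.txt rather than the embedded sample; run as a script it prints the four flagged entries from the log above, and the `viaraid`/`avkmgr`/Avira lines pass without comment.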

#20 trampas (Topic Starter, Member, 99 posts)

...a little more info...
ComboFix requested to install or update the Windows recovery console, so I opened up an internet connection for that.

Whilst the connection was open I had requests from the firewall to make a decision on whether to permit these requests :

NirCmd.3XE accesses
first time to : 127.0.0.? (I didn't record it in full)
second time to: 127.0.0.1:Port 135

pev.3XE requested access to 10.176.66.71:DNS

This may be normal but I thought it best to mention. :)

During the run ComboFix said it was deleting the Windows\WindowsUpdate.log file and then it rebooted. The current file with that name was generated today and is 2KB in size.

trampas

Edited by trampas, 18 February 2012 - 03:54 PM.


#21 sempai (Trusted Helper, Malware Removal, 785 posts)

Combofix uses those applications. Where is the resulting log of Rootkit Unhooker?

#22 trampas (Topic Starter, Member, 99 posts)

Hi semp

Unless I'm mistaken, this is the Rootkit Unhooker log :
">Drivers
>Stealth
Nothing detected :("

Meanwhile, the attached log file was created by ComboFix:

trampas

2012-02-18 21:11:27 . 2012-02-18 21:11:27 53,402 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\_WindowsUpdate_.log.zip
2012-02-18 21:08:12 . 2012-02-18 21:08:12 7,050 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2012-02-18 20:55:52 . 2012-02-18 21:11:27 947 ----a-w- C:\Qoobox\Quarantine\catchme.log
2011-11-01 08:54:14 . 2012-02-18 21:10:11 328,585 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\WindowsUpdate.log.vir

#23 sempai (Trusted Helper, Malware Removal, 785 posts)

Can you please post the entire contents of Rootkit Unhooker log.

Please go to http://virscan.org/
  • Navigate the following file path into the "Suspicious files to scan" box on the top of the page:

    c:\windows\system32\sfcfiles.dll

  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.


#24 trampas (Topic Starter, Member, 99 posts)

Hi semp

I will go in search of the rootkit unhooker log file. This application creates a working directory so maybe it's in there.

I'll get that file scanned.

trampas

#25 trampas (Topic Starter, Member, 99 posts)

Hi Semp

The original instructions explain how to get the RKU log file. Oops. Attached :)

Here is the scan of sfcfiles.dll

trampas

Scanner results : Scanners did not find malware!
Time : 2012/02/21 07:58:43 (EST)

File Name : sfcfiles.dll
File Size : 1614848 byte
File Type : PE32 executable for MS Windows (DLL) (console) Intel 80386 3
MD5 : 1b4e3af654f96d1689f9186f2bd26407
SHA1 : 3a635368d5001045ec557a360c52b6db67a43256

Note: This file has been scanned before. Therefore, this file's scan result will not be stored in the database.

a-squared 5.1.0.4 20120220220421 2012-02-20
-
0.361
AhnLab V3 2012.02.20.01 2012.02.20 2012-02-20
-
1.926
AntiVir 8.2.8.44 7.11.21.199 2012-01-27
-
0.187
Antiy 2.0.18 2.0.18. 0002-18-00
-
0.331
Arcavir 2011 201202170436 2012-02-17
-
3.813
Authentium 5.1.1 201202201039 2012-02-20
-
1.457
AVAST! 4.7.4 120220-1 2012-02-20
-
0.419
AVG 10.0.1405 2090/4821 2012-02-20
-
0.240
BitDefender 7.90123.7515050 7.41074 2012-02-20
-
3.827
ClamAV 0.97.3 14486 2012-02-21
-
0.361
Comodo 5.1 11560 2012-02-20
-
2.248
CP Secure 1.3.0.5 2012.02.21 2012-02-21
-
0.680
Dr.Web 7.0.0.11250 2012.02.20 2012-02-20
-
11.929
F-Prot 4.6.2.117 20120220 2012-02-20
-
0.876
F-Secure 7.02.73807 2012.02.07.03 2012-02-07
-
2.129
Fortinet 4.3.388 15.230 2012-02-20
-
0.252
GData 22.3930 20120221 2012-02-21
-
5.631
Ikarus T3.1.32.20.0 2012.02.20.80527 2012-02-20
-
4.847
JiangMin 13.0.900 2012.02.20 2012-02-20
-
2.374
Kaspersky 5.5.10 2012.02.20 2012-02-20
-
0.276
KingSoft 2009.2.5.15 2012.2.20.18 2012-02-20
-
0.977
McAfee 5400.1158 6626 2012-02-20
-
9.932
Microsoft 1.8101 2012.02.20 2012-02-20
-
3.629
NOD32 3.0.21 6841 2012-01-30
-
0.166
nProtect 20120220.01 11464755 2012-02-20
-
1.545
Panda 9.05.01 2012.02.20 2012-02-20
-
4.073
Quick Heal 11.00 2012.02.20 2012-02-20
-
1.974
Rising 20.0 23.98.00.03 2012-02-20
-
2.905
Sophos 3.28.1 4.74 2012-02-21
-
5.125
Sunbelt 3.9.2527.2 11570 2012-02-20
-
1.172
Symantec 1.3.0.24 20120219.016 2012-02-19
-
0.161
The Hacker 6.7.0.1 v00403 2012-02-19
-
0.721
Trend Micro 9.500-1005 8.790.05 2012-02-20
-
0.237
VBA32 3.12.16.4 20120220.1041 2012-02-20
-
3.243
ViRobot 20120220 2012.02.20 2012-02-20
-
0.425
VirusBuster 5.4.1.7 14.1.227.0/7905365 2012-02-20
-
0.240
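The virscan.org report above pairs with the Sigcheck line ComboFix printed for the same file: both give MD5 1b4e3af654f96d1689f9186f2bd26407 and size 1614848 for sfcfiles.dll, which is what tells the helper that the file uploaded is the file ComboFix examined. The following is an added example, not from the thread and not ComboFix or virscan code: a Python script that parses both report formats (taken from the posts above; the bracketed `[-]` marker is carried through without assuming more than ComboFix's own note that unsigned files aren't necessarily malware) and reconciles name, size and MD5, optionally against hashes computed locally with hashlib. Two caveats a reader of this thread should keep in mind: the renamed uploads later in the thread (viaraid.act, TCAICCHG.act) would fail the name check but not the hash check, and agreement between two user-mode readers shows they saw the same bytes, not that the bytes a kernel rootkit lets user mode see are the bytes on disk.

```python
"""Reconcile a file hash between a ComboFix Sigcheck line and a virscan.org
report (added example; formats taken from the posts in the thread, not the
tools' own code)."""
import hashlib
import ntpath   # splits Windows paths correctly even when run on Linux/macOS
import re

# Constructed from the thread's reports (hashes exactly as posted).
COMBOFIX_SIGCHECK = (
    r"[-] 2011-03-06 . 1B4E3AF654F96D1689F9186F2BD26407 . 1614848 . . "
    r"[5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll"
)
VIRSCAN_HEADER = """\
Scanner results : Scanners did not find malware!
File Name : sfcfiles.dll
File Size : 1614848 byte
MD5 : 1b4e3af654f96d1689f9186f2bd26407
SHA1 : 3a635368d5001045ec557a360c52b6db67a43256
"""

SIGCHECK_RE = re.compile(
    r"^\[(?P<marker>[^\]]*)\]\s+(?P<date>\S+)\s+\.\s+(?P<md5>[0-9a-f]{32})\s+\.\s+"
    r"(?P<size>\d+)\s+.*?(?P<path>[a-z]:\\.*)$",
    re.IGNORECASE,
)
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z0-9 ]+?)\s*:\s*(?P<value>.*)$")


def parse_sigcheck(line: str) -> dict:
    """Fields of one ComboFix Sigcheck line; the marker is kept, not interpreted."""
    m = SIGCHECK_RE.match(line.strip())
    if not m:
        raise ValueError("not a ComboFix Sigcheck line")
    return {
        "marker": m.group("marker"),
        "md5": m.group("md5").lower(),
        "size": int(m.group("size")),
        "path": m.group("path"),
    }


def parse_virscan(text: str) -> dict:
    """Key/value header of a virscan.org report ('File Size : 1614848 byte' etc.)."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m.group("key").lower()] = m.group("value").strip()
    return {
        "name": fields.get("file name", ""),
        "size": int(fields.get("file size", "0 byte").split()[0]),
        "md5": fields.get("md5", "").lower(),
        "sha1": fields.get("sha1", "").lower(),
        "clean": "did not find" in fields.get("scanner results", "").lower(),
    }


def hash_bytes(data: bytes) -> tuple:
    """(md5, sha1) hex digests of in-memory bytes."""
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()


def hash_file(path: str) -> tuple:
    """(md5, sha1) of a local file, streamed so large files need little memory."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def reconcile(sigcheck_line: str, virscan_text: str, local_hashes: tuple = None) -> dict:
    """Compare the two reports and, when given, a locally computed (md5, sha1)."""
    cf, vs = parse_sigcheck(sigcheck_line), parse_virscan(virscan_text)
    result = {
        "md5_match": cf["md5"] == vs["md5"],
        "size_match": cf["size"] == vs["size"],
        # A renamed upload (viraid.act, TCAICCHG.act) fails this but not the hash checks.
        "name_match": ntpath.basename(cf["path"]).lower() == vs["name"].lower(),
        "scanner_clean": vs["clean"],
    }
    if local_hashes is not None:
        result["local_md5_match"] = local_hashes[0] == cf["md5"]
        result["local_sha1_match"] = local_hashes[1] == vs["sha1"]
    return result


if __name__ == "__main__":
    for key, value in reconcile(COMBOFIX_SIGCHECK, VIRSCAN_HEADER).items():
        print(f"{key:<14} {value}")
```

To add the local data point on the machine itself, pass `hash_file(r"c:\windows\system32\sfcfiles.dll")` as the third argument; a mismatch there, with the two reports agreeing, is the interesting case, since it means the bytes the scanners saw are not the bytes now being read from disk.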


#26 trampas (Topic Starter, Member, 99 posts)

Let's try attaching the log again ...

#27 trampas (Topic Starter, Member, 99 posts)

...with scripts turned on...

#28 trampas (Topic Starter, Member, 99 posts)

this time :)

Attached Files



#29 sempai (Trusted Helper, Malware Removal, 785 posts)

Please go to http://virscan.org/
  • Navigate the following file path into the "Suspicious files to scan" box on the top of the page:

    c:\windows\system32\drivers\viaraid.sys [3/6/2011 1:51 PM 73856]
    c:\windows\system32\TCAICCHG.SYS

  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.


#30 trampas (Topic Starter, Member, 99 posts)

In both cases the result was 0/36.

Scanner results : Scanners did not find malware!
Time : 2012/02/23 08:42:07 (EST)
File Name : TCAICCHG.act
File Size : 21233 byte
File Type : PE32 executable for MS Windows (native) Intel 80386 32-bit
MD5 : f57be20500b7413bbe242393e067755e
SHA1 : 56cbb9fb7e6b5ae99ea2af6dafcdc4b4716a7ea3

Scanner results : Scanners did not find malware!
Time : 2012/02/23 08:59:03 (EST)
File Name : viaraid.act
File Size : 73856 byte
File Type : PE32 executable for MS Windows (native) Intel 80386 32-bit
MD5 : 533ec6163444aded26b48ae53fb3b5ff
SHA1 : 27380a171f870f3c304c4899923fb5aef6408f65

Edited by trampas, 22 February 2012 - 05:58 PM.






