
PC Anti-spyware 2010 infection



#1
sspeed

sspeed

    Member

  • Member
  • 18 posts
TFC - Successful

Malwarebytes' Anti-Malware - runs for a minute, then the process is killed and security is taken away from the executable. This also happens to Trend Micro HouseCall, HijackThis, Ad-Aware, Spybot S&D, and Symantec.

RootRepeal - locks hard

OTL - Gets shut down within a minute of running it.

Somehow PC Anti-Spyware got on my machine. It changed DNS entries, removed me from the Administrator group, installed other spyware, took away folder options and hid files, took away access to the registry, seems to have attached to lsass.exe, login.exe, services.exe. Continually changed registry entries under Run until I took away access to my temp folder under my Profile. It also kept running braviax.exe and b.exe...

It no longer reinstalls itself or populates the registry, but I can't run any type of spyware/anti-virus program, it simply shuts them down and then takes away permission.

I was able to get one decent log from GMER by renaming the executable, however that does not work for the anti-virus programs. The hidden dll seems to change names frequently and it can't be unloaded with regsvr32.

GMER 1.0.15.15077 [melissa.exe] - http://www.gmer.net
Rootkit scan 2009-08-24 22:24:03
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT 86096B08 ZwConnectPort
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xED2D6DC0]
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xED2D7020]

---- Kernel code sections - GMER 1.0.15 ----

? win32k.sys:1 The system cannot find the file specified. !
? win32k.sys:2 The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\LogMeIn\x86\LogMeIn.exe[1324] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\D23AB2CA.x86.dll
.text C:\Program Files\LogMeIn\x86\LogMeIn.exe[1324] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\D23AB2CA.x86.dll
.text C:\Program Files\LogMeIn\x86\LogMeIn.exe[1324] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\D23AB2CA.x86.dll
.text C:\WINDOWS\Explorer.EXE[3284] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\D23AB2CA.x86.dll
.text C:\WINDOWS\Explorer.EXE[3284] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\D23AB2CA.x86.dll
.text C:\WINDOWS\Explorer.EXE[3284] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\D23AB2CA.x86.dll

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\LogMeIn\x86\LogMeIn.exe[1324] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\D23AB2CA.x86.dll
IAT C:\Program Files\LogMeIn\x86\LogMeIn.exe[1324] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\D23AB2CA.x86.dll
IAT C:\WINDOWS\Explorer.EXE[3284] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\D23AB2CA.x86.dll
IAT C:\WINDOWS\Explorer.EXE[3284] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\D23AB2CA.x86.dll

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\Device\__max++>\D23AB2CA.x86.dll (*** hidden *** ) @ C:\Program Files\Bonjour\mDNSResponder.exe [304] 0x35670000
Library \\?\globalroot\Device\__max++>\D23AB2CA.x86.dll (*** hidden *** ) @ C:\Program Files\Executive Software\Diskeeper\DkService.exe [444] 0x35670000
Library \\?\globalroot\Device\__max++>\D23AB2CA.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [732] 0x35670000
Library \\?\globalroot\Device\__max++>\D23AB2CA.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1044] 0x35670000
Library \\?\globalroot\Device\__max++>\D23AB2CA.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1140] 0x35670000
Library \\?\globalroot\Device\__max++>\D23AB2CA.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1212] 0x35670000
Library \\?\globalroot\Device\__max++>\D23AB2CA.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1276] 0x35670000
Library \\?\globalroot\Device\__max++>\D23AB2CA.x86.dll (*** hidden *** ) @ C:\Program Files\LogMeIn\x86\LogMeIn.exe [1324] 0x35670000
Library \\?\globalroot\Device\__max++>\D23AB2CA.x86.dll (*** hidden *** ) @ C:\Program Files\Symantec AntiVirus\Rtvscan.exe [1576] 0x35670000
Library \\?\globalroot\Device\__max++>\D23AB2CA.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [2032] 0x35670000
Library \\?\globalroot\Device\__max++>\D23AB2CA.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\alg.exe [2224] 0x35670000
Library \\?\globalroot\Device\__max++>\D23AB2CA.x86.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [3284] 0x35670000
Library \\?\globalroot\Device\__max++>\D23AB2CA.x86.dll (*** hidden *** ) @ C:\Program Files\Common Files\Symantec Shared\ccApp.exe [3656] 0x35670000
Library \\?\globalroot\Device\__max++>\D23AB2CA.x86.dll (*** hidden *** ) @ C:\PROGRA~1\SYMANT~1\VPTray.exe [3664] 0x35670000
Library \\?\globalroot\Device\__max++>\D23AB2CA.x86.dll (*** hidden *** ) @ C:\Program Files\LogMeIn\x86\LogMeInSystray.exe [3692] 0x35670000

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000272c4276e
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000272c4276e@0007e09fc77a 0x10 0x19 0x82 0xB1 ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\000272c4276e (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\000272c4276e@0007e09fc77a 0x10 0x19 0x82 0xB1 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Classes\CLSID\{18D6E519-4C27-E4AD-074C5D1F171B40FB}\{8D7A772B-93EE-6905-4C751BA1B544AFC9}\{7029C73E-0020-BA9C-F3FADF03D99AF0E6}
Reg HKLM\SOFTWARE\Classes\CLSID\{18D6E519-4C27-E4AD-074C5D1F171B40FB}\{8D7A772B-93EE-6905-4C751BA1B544AFC9}\{7029C73E-0020-BA9C-F3FADF03D99AF0E6}@XOGCPEUPGZA3BTOUPKIJ6FJXTE1 0x01 0x00 0x01 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{44CECEEC-F47D-9002-D416-624F05A5775D}\InprocServer@ ole2disp.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{44CECEEC-F47D-9002-D416-624F05A5775D}\InprocServer32@ oleaut32.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{44CECEEC-F47D-9002-D416-624F05A5775D}\InprocServer32@ThreadingModel Both
Reg HKLM\SOFTWARE\Classes\CLSID\{44CECEEC-F47D-9002-D416-624F05A5775D}\InprocServer32@InprocServer32 ,(GnBmGFa=nZ7]6MJA+rGIANT_AntiSpyware_Files>M5KDYSUnf(HA*L[xeX)y?=ouZR)rmr9,WgJMaGmi0SAVMain>M5KDYSUnf(HA*L[xeX)y?Z~kh3YoA$AuPrr=9NVP+>M5KDYSUnf(HA*L[xeX)y?B0JbNJ^1@9GyZx5Y[jne>M5KDYSUnf(HA*L[xeX)y?4LbmQhlx~@{QYCY]4.0H>M5KDYSUnf(HA*L[xeX)y?
Reg HKLM\SOFTWARE\Classes\CLSID\{6B3E8B2C-F9E4-BE0E-6899-812928D55F1B}\AutoConvertTo@ {00020906-0000-0000-C000-000000000046}
Reg HKLM\SOFTWARE\Classes\CLSID\{6B3E8B2C-F9E4-BE0E-6899-812928D55F1B}\Ole1Class@ WordDocument
Reg HKLM\SOFTWARE\Classes\CLSID\{6B3E8B2C-F9E4-BE0E-6899-812928D55F1B}\ProgID@ WordDocument
Reg HKLM\SOFTWARE\Classes\CLSID\{BFF999F3-9FC2-E2A7-1D90-EF423684D808}\InprocServer32@ %SystemRoot%\System32\msoeacct.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{BFF999F3-9FC2-E2A7-1D90-EF423684D808}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{D891502B-DC36-B293-121D9D2985957827}\{239EA7E9-C7D1-EF13-CC952A60F4AD7A0B}\{9E7939D5-CFE3-7B10-257B198232E2E5B7}
Reg HKLM\SOFTWARE\Classes\CLSID\{D891502B-DC36-B293-121D9D2985957827}\{239EA7E9-C7D1-EF13-CC952A60F4AD7A0B}\{9E7939D5-CFE3-7B10-257B198232E2E5B7}@SE4K5INHHR1EDZYY15BVZC6TKG1 0x01 0x00 0x01 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{EDCF6AC6-CDE0-1F6D-043771A983FAB740}\{0B884C8F-0AAB-F925-A63B97C7F3A43931}\{965D33BD-6599-2D1D-7E8A152D666CAEE5}
Reg HKLM\SOFTWARE\Classes\CLSID\{EDCF6AC6-CDE0-1F6D-043771A983FAB740}\{0B884C8F-0AAB-F925-A63B97C7F3A43931}\{965D33BD-6599-2D1D-7E8A152D666CAEE5}@SE4K5INHHR1EDZYY15BVZC6TKG1 0x01 0x00 0x01 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{F2F43379-985D-E7AE-2F5BD6B18999A07F}\{64C9A7C2-676E-3AEC-13AF6B278F65FD89}\{7B815B3C-162E-096A-EBEBEFD33B1AE416}
Reg HKLM\SOFTWARE\Classes\CLSID\{F2F43379-985D-E7AE-2F5BD6B18999A07F}\{64C9A7C2-676E-3AEC-13AF6B278F65FD89}\{7B815B3C-162E-096A-EBEBEFD33B1AE416}@XOGCPEUPGZA3BTOUPKIJ6FJXTE1 0x01 0x00 0x01 0x00 ...
  • 0



#2
sspeed

sspeed

    Member

  • Topic Starter
  • Member
  • 18 posts
And:

Tuesday, August 25, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, August 25, 2009 05:40:10
Records in database: 2685560


Scan settings
scan using the following database extended
Scan archives yes
Scan e-mail databases yes

Scan area My Computer
A:\
C:\
D:\
X:\
Z:\

Scan statistics
Objects scanned 141274
Threats found 10
Infected objects found 16
Suspicious objects found 0
Scan duration 07:03:23

File name Threat Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01E00000.VBN Infected: Backdoor.Win32.UltimateDefender.igv 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C880000.VBN Infected: Trojan-Downloader.Win32.Agent.clvx 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0EE00000.VBN Infected: not-a-virus:AdWare.Win32.Aureate.a 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0EE00002.VBN Infected: not-a-virus:AdWare.Win32.Aureate.a 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0EE00004.VBN Infected: not-a-virus:AdWare.Win32.Aureate.a 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0EE00006.VBN Infected: not-a-virus:AdWare.Win32.Aureate.a 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0EE00008.VBN Infected: not-a-virus:AdWare.Win32.Aureate.a 1

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0EE0000A.VBN Infected: not-a-virus:AdWare.Win32.Aureate.a 1

C:\Documents and Settings\scott\Desktop\work hard drive\copy\scripts\scripts.zip Infected: not-a-virus:RiskTool.Win32.PsKill.k 1

C:\Documents and Settings\scott\Desktop\work hard drive\copy\scripts\Siebel\pskill.exe Infected: not-a-virus:RiskTool.Win32.PsKill.k 1

C:\Program Files\AWS\WeatherBug\WeatherBugInstall.exe Infected: not-a-virus:AdWare.Win32.MyWay.j 1

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\HWFOEXXC\error87[1].pdf Infected: Exploit.Win32.Pidief.bjx 1

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\LKHHAT9O\bbsuper1[1].htm Infected: Trojan-Downloader.Win32.Small.amed 1

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\W0A3Q2ZK\atdhuv[1].htm Infected: Trojan-Downloader.Win32.Small.amcm 1

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\W0A3Q2ZK\livwja[1].htm Infected: Packed.Win32.TDSS.y 1

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\W0A3Q2ZK\nkkllpu[1].htm Infected: Trojan.Win32.Crot.v 1

Selected area has been scanned.
  • 0

#3
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Hello sspeed

Welcome to G2Go. :)
=====================
Please save this file to your desktop. Double-click on it to run a scan. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.
  • 0

#4
sspeed

sspeed

    Member

  • Topic Starter
  • Member
  • 18 posts
Thanks kahdah! This is as far as I got before, wouldn't you guess it, something killed it....

Log file is located at: C:\Documents and Settings\larry\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7D6.tmp\ZAP7D6.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7FD.tmp\ZAP7FD.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP829.tmp\ZAP829.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\FLASHKSK.INI

[1] 2009-08-24 06:22:23 22 C:\WINDOWS\FLASHKSK.INI ()



Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Cbz\Cbz

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Lib\Lib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Wave\Wave

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\inf\oem64.inf

[1] 2009-07-03 08:49:08 3250 C:\WINDOWS\inf\oem64.inf ()



Cannot access: C:\WINDOWS\inf\oem64.PNF

[1] 2009-08-23 17:34:55 8216 C:\WINDOWS\inf\oem64.PNF ()



Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\90A2CC5A3D9ECE9429D33078B4DBC4C2\1.20.0\1.20.0

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\mui\mui

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\ErrorRep\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\ErrorRep\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\ErrorRep\UserDumps\UserDumps

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\PCHealth\HelpCtr\Binaries\helpsvc.exe

[1] 2008-04-13 18:12:21 744448 C:\WINDOWS\PCHealth\HelpCtr\Binaries\helpsvc.exe ()

[1] 2008-04-13 18:12:21 744448 C:\WINDOWS\ServicePackFiles\i386\helpsvc.exe (Microsoft Corporation)



Found mount point : C:\WINDOWS\PCHealth\HelpCtr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\System_OEM\System_OEM

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\Temp\Temp

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\PEV.exe

[1] 2009-08-23 03:09:13 229376 C:\WINDOWS\PEV.exe ()



Found mount point : C:\WINDOWS\Profiles\All Users\Adobe\Webbuy\Webbuy

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\setup.pss\setup.pss

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\07a96de176867bc25b7dc839d22b07e2\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\0dd0244816ffb4b094c1caba4c3b1178\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\4f47c78d92d1e7d8afd6488622d909fd\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\555558d2c7916b118ad5baef62b18136\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\6913c676e5d33978934caa46c49fdc75\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\b7f0b2892b21211a5630518d058f48d9\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\cadf7c8240793a561791dc3bd3e91a5e\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\d48a3b967ba5709df048e8f2a49cf8a6\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system\hpsysdrv.DAT

[1] 2009-08-24 06:22:16 178 C:\WINDOWS\system\hpsysdrv.DAT ()



Found mount point : C:\WINDOWS\system32\1037\1037

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1041\1041

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1042\1042

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1054\1054

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\2052\2052

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\appmgmt\MACHINE\MACHINE

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-4176020971-612729734-1821085249-1003\S-1-5-21-4176020971-612729734-1821085249-1003

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\CatRoot\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\TempDir\TempDir

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\TempDir\TempDir

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\CBA\CBA

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\CF20187.exe

[1] 2009-08-23 23:04:27 389120 C:\WINDOWS\system32\CF20187.exe ()



Cannot access: C:\WINDOWS\system32\CF21830.exe

[1] 2009-08-23 23:12:49 389120 C:\WINDOWS\system32\CF21830.exe ()



Cannot access: C:\WINDOWS\system32\CF6152.exe

[1] 2009-08-23 21:52:49 389120 C:\WINDOWS\system32\CF6152.exe ()



Cannot access: C:\WINDOWS\system32\CF6299.exe

[1] 2009-08-23 21:53:34 389120 C:\WINDOWS\system32\CF6299.exe ()



Cannot access: C:\WINDOWS\system32\CF6413.exe

[1] 2009-08-23 21:54:09 389120 C:\WINDOWS\system32\CF6413.exe ()



Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\8.0\Collab\Collab

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\8.0\Preferences\Preferences

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Flash Player\AssetCache\7K3EDAB8\7K3EDAB8

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Identities\{42B61E98-3EA4-4171-9489-6DE0F49472BA}\{42B61E98-3EA4-4171-9489-6DE0F49472BA}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\InterTrust\ReceiptRepository\ReceiptRepository

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\Credentials

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\MMC\MMC

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\SampleView\SampleView

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Adobe\Color\ACECache6.lst

[1] 2009-08-23 16:01:10 43811 C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Adobe\Color\ACECache6.lst ()



Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\Custom Buttons\Enterprise\Enterprise

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\FastSearch\dictionaries\.google.com\257410557684771
  • 0

#5
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Yes, you have a nasty rootkit installed.
Before proceeding, it can be killed, but I want to warn you of the dangers associated with this type of infection:

One or more of the identified infections is a backdoor trojan or rootkit.

This can allow hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Please read this for more information:
How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
==================
Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.
"%userprofile%\desktop\win32kdiag.exe" -f -r
  • 0

#7
sspeed

sspeed

    Member

  • Topic Starter
  • Member
  • 18 posts
It might be a lost cause... tonight the virus took away permissions on Explorer.exe. At first I could do Ctrl-Alt-Del, go to Task Manager, do New Task, browse, and give myself permission back, but now that doesn't even work. I connected to it from a remote computer on a different subnet so it couldn't get on the internet. I can see the C: drive, but if I try to give permissions back it blue screens on me.

I think I got this due to an old .net installation that was on the computer. Even though I had several newer frameworks installed, the old one was still there.

I also ran Malwarebytes' Anti-Malware on the drive from another machine connected remotely, but it didn't find much just looking at the drive.

Any ideas before I call it a lost cause and reinstall Windows?
  • 0

#8
sspeed

sspeed

    Member

  • Topic Starter
  • Member
  • 18 posts
Since I can't get on the machine anymore from the console, I tried putting the win32kdiag command you gave me into the Run portion of the Registry, but it doesn't appear to have run; at least I don't see a log.

But I did find this little tidbit that may help others, this is one reason why I couldn't run anti-virus.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\ESQUL]

[HKEY_LOCAL_MACHINE\SOFTWARE\ESQUL\disallowed]
"avp.exe"=hex(0):
"klif.sys"=hex(0):
"mrt.exe"=hex(0):
"spybotsd.exe"=hex(0):
"sasdifsv.sys"=hex(0):
"saskutil.sys"=hex(0):
"sasenum.sys"=hex(0):
"superantispyware.exe"=hex(0):
"szkg.sys"=hex(0):
"szserver.exe"=hex(0):
"mbam.exe"=hex(0):
"mbamswissarmy.sys"=hex(0):
"pctssvc.sys"=hex(0):
"pctcore.sys"=hex(0):
"mchinjdrv.sys"=hex(0):
"avgfwdx.sys"=hex(0):
"avgldx86.sys"=hex(0):
"avgmfx86.sys"=hex(0):
"avgrkx86.sys"=hex(0):
"avgtdix.sys"=hex(0):
  • 0

#9
sspeed

sspeed

    Member

  • Topic Starter
  • Member
  • 18 posts
So an update... I brought up an XP VM and painfully ran Sysinternals Filemon to see what files and dlls are called when New Task in Task Manager is run (see prior thread). I restored them by hand remotely on the infected machine and then ran Explorer on a New Task. Win32kdiag then ran from the registry entry I had put in and removed pages and pages of mount points, for which I didn't get a log.

At that point I installed Avast anti-virus and SuperAntiSpyware. Avast stayed up long enough to say "THREAT ESQUL****" and then get disabled. SuperAntiSpyware is running now and so far has found Trojan.Unclassified/BraviaX and Rogue.PCAntiSpyware2010. I hope it can clean those and I'll be done with this piece of crap virus.
  • 0

#10
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Try to follow only my instructions please; doing otherwise can undo what we have done.
Running the program I asked you to from the registry will not work correctly.
Please delete the win32kdiag.exe from your desktop and download and run it again just like this please:
Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.
"%userprofile%\desktop\win32kdiag.exe" -f -r
I need to see that log.
  • 0



#11
sspeed

sspeed

    Member

  • Topic Starter
  • Member
  • 18 posts
Sorry, it's only coming back with this now...

Log file is located at: C:\Documents and Settings\larry\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2008-04-13 18:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 18:11:53 62464 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-13 18:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

Finished!
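What makes the log above actionable is the comparison it invites: the live `system32\eventlog.dll` is 62464 bytes and carries no company string, while the Service Pack reference copy in `ServicePackFiles\i386` is 56320 bytes and signed off to Microsoft Corporation, and Win32kDiag could not even read the live file. The Python script below is an added example (not part of the thread and not Win32kDiag's own code) that parses this log format and performs exactly that comparison: it groups entries by file name, treats the `ServicePackFiles` copy as the reference, and flags a live copy that differs in size, lacks a company string, or was reported as "Cannot access". The sample log is constructed to mirror the one posted; the meaning of the bracketed `[1]`/`[2]` marker is not documented on the page, so it is carried through unchanged.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample modelled on the Win32kDiag output posted in the thread
# (same file names, sizes and company strings).
SAMPLE_LOG = """\
Log file is located at: C:\\Documents and Settings\\larry\\Desktop\\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\\WINDOWS'...

Cannot access: C:\\WINDOWS\\system32\\eventlog.dll

[1] 2008-04-13 18:11:53 56320 C:\\WINDOWS\\ServicePackFiles\\i386\\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 18:11:53 62464 C:\\WINDOWS\\system32\\eventlog.dll ()

[2] 2008-04-13 18:11:53 56320 C:\\WINDOWS\\system32\\logevent.dll (Microsoft Corporation)

Finished!
"""

# "[n] <date> <time> <size> <path> (<company>)"; the bracketed number is kept as-is.
FILE_LINE = re.compile(
    r"^\[(\d+)\] (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\d+) (.+) \((.*)\)$"
)
CANNOT_ACCESS = re.compile(r"^Cannot access: (.+)$")


def parse_win32kdiag(text):
    """Return {'files': [entry, ...], 'inaccessible': {lowercased paths}}."""
    files, inaccessible = [], set()
    for line in text.splitlines():
        line = line.strip()
        m = FILE_LINE.match(line)
        if m:
            files.append({
                "marker": int(m.group(1)),
                "timestamp": m.group(2),
                "size": int(m.group(3)),
                "path": m.group(4),
                "company": m.group(5).strip(),
            })
            continue
        m = CANNOT_ACCESS.match(line)
        if m:
            inaccessible.add(m.group(1).lower())
    return {"files": files, "inaccessible": inaccessible}


def find_suspicious(parsed):
    """Compare each live copy of a file with its ServicePackFiles reference copy.

    A live copy is flagged when it has no company string, when its size differs
    from every reference copy of the same name, or when Win32kDiag could not
    read it. Returns [(path, [reasons])].
    """
    by_name = defaultdict(list)
    for entry in parsed["files"]:
        by_name[PureWindowsPath(entry["path"]).name.lower()].append(entry)

    findings = []
    for entries in by_name.values():
        refs = [e for e in entries if "\\servicepackfiles\\" in e["path"].lower()]
        for entry in entries:
            if entry in refs:
                continue
            reasons = []
            if not entry["company"]:
                reasons.append("no company/version string")
            if refs and all(r["size"] != entry["size"] for r in refs):
                reasons.append(
                    f"size {entry['size']} differs from ServicePackFiles copy ({refs[0]['size']})"
                )
            if entry["path"].lower() in parsed["inaccessible"]:
                reasons.append("reported as 'Cannot access'")
            if reasons:
                findings.append((entry["path"], reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in find_suspicious(parse_win32kdiag(SAMPLE_LOG)):
        print(path)
        for reason in reasons:
            print("   -", reason)
```

On the sample this reports only `C:\WINDOWS\system32\eventlog.dll`, for all three reasons; `logevent.dll` has no reference copy in the log and keeps its company string, so it is left alone. The same size-and-origin comparison is what the helper's next step (moving the `ServicePackFiles\i386` copy over the live file) relies on.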

#12 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Great, that is what we needed to see.

1. Please download The Avenger2 by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to move:
C:\WINDOWS\ServicePackFiles\i386\eventlog.dll | C:\WINDOWS\system32\eventlog.dll

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. (In cases where the code to execute contains "Drivers to Delete" or "Drivers to Disable", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.
===================Combofix=================
Then Download Combofix from any of the links below. You must rename it before saving it. Rename it to kahdah then save it to your desktop.
Link 1
Link 2
--------------------------------------------------------------------
Temporarily disable any antivirus program or any real time shields that are present:
If you do not know how then you can refer to this link:
http://www.bleepingc...opic114351.html

Double click on kahdah.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt


#13 sspeed (Member, Topic Starter, 18 posts)
Here is Avenger

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "C:\WINDOWS\ServicePackFiles\i386\eventlog.dll|C:\WINDOWS\system32\eventlog.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.

#14 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Great, now proceed with Combofix and post that log when you are done.

#15 sspeed (Member, Topic Starter, 18 posts)
Thanks kahdah, I ran it and had to go to work, so I'll probably post the log later tonight... Does ComboFix clear it out?