
antivirus2008 infection [RESOLVED]


  • This topic is locked

#31
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
I have just uploaded the agent to my files here
If this version does not work let me know as I have a later version available
  • 0

#32
mscobra

    Member

  • Topic Starter
  • Member
  • PipPip
  • 71 posts
OK, I got your first one to download and ran it... What a mess... Attached is the malware log. I had so many viruses it wasn't funny. Shut down and restarted and everything seemed OK, except I can't turn on my Windows Firewall and I still can't get to Windows Update; it still goes to MSN.com. I tried to download your second one and run it and it said that there was no need to load it because it already existed.

Attached File  mbam_log_2008_11_08__11_52_50_6.txt   4.1KB   408 downloads

Do you think it's possible that the infected file could be in the BIOS System????
  • 0

#33
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Well, you had a whole slew of new infections there that were not present the other day. I believe that there is something deep-rooted, so I would like you to run Dr.Web CureIt, as that has the ability to detect MBR infections.

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.

  • 0

#34
mscobra

    Member

  • Topic Starter
  • Member
  • PipPip
  • 71 posts
Attached File  DrWeblog.txt   2.35KB   447 downloads

Couldn't get the CSV to upload... hope you can read this.

Found lots of viruses and either deleted or removed them... But still can't get to Windows Update...
  • 0

#35
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
OK, let's try a rootkit search, although this one is really well hidden, whatever it is.

Please download and unzip Icesword to its own folder on your desktop


If you get a lot of "red entries" in an IceSword log, don't panic.

Step 1 : Close all windows and run IceSword. Click the Processes tab and watch for processes displayed in red color. A red colored process in this list indicates that it's hidden. Write down the PathName of any processes in red color. Then click on LOG at the top left. It will prompt you to save the log, call this Processes and save it to your desktop.


Step 2 : Click the Win32 Services tab and look out for red colored entries in the services list. Write down the Module name of any services in red color, you will need to expand out the Module tab to see the full name. Then click on LOG. It will prompt you to save the log, call this Services and save it to your desktop.


Step 3 : Click the Startup tab and look out for red colored entries in the startup list. Write down the Path of any startup entries in red color. Then click on LOG. It will prompt you to save the log, call this Startup and save it to your desktop.


Step 4 : Click the SSDT tab and check for red colored entries. If there are any, write down the KModule name.


Step 5 : Click the Message Hooks tab and check for any entries that are underneath Type and labelled WH_KEYBOARD. Write down the Process Path of these entries if present.



Now post all of the data collected under the headings for :

Processes
Win32 Services
Startup
SSDT
Message Hooks

  • 0

#36
mscobra

    Member

  • Topic Starter
  • Member
  • PipPip
  • 71 posts
OK, I have all the info you requested, but I can't upload them... GTG says I am not permitted to upload this type of file. Now what?
  • 0

#37
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Either upload to Mediafire or copy to a text file
  • 0

#38
mscobra

    Member

  • Topic Starter
  • Member
  • PipPip
  • 71 posts
Process:

System Idle Process
System
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\alg.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Owner\Desktop\IceSword122en\IceSword122en\IceSword.exe
C:\Program Files\MSN Messenger\msnmsgr.exe


Started Service:

Service Name:ALG Display Name:Application Layer Gateway Service
Service Name:aswUpdSv Display Name:avast! iAVS4 Control Service
Service Name:AudioSrv Display Name:Windows Audio
Service Name:avast! Antivirus Display Name:avast! Antivirus
Service Name:avast! Mail Scanner Display Name:avast! Mail Scanner
Service Name:avast! Web Scanner Display Name:avast! Web Scanner
Service Name:BITS Display Name:Background Intelligent Transfer Service
Service Name:Browser Display Name:Computer Browser
Service Name:CryptSvc Display Name:Cryptographic Services
Service Name:DcomLaunch Display Name:DCOM Server Process Launcher
Service Name:Dhcp Display Name:DHCP Client
Service Name:Dnscache Display Name:DNS Client
Service Name:Eventlog Display Name:Event Log
Service Name:EventSystem Display Name:COM+ Event System
Service Name:FastUserSwitchingCompatibility Display Name:Fast User Switching Compatibility
Service Name:helpsvc Display Name:Help and Support
Service Name:HTTPFilter Display Name:HTTP SSL
Service Name:lanmanserver Display Name:Server
Service Name:lanmanworkstation Display Name:Workstation
Service Name:LexBceS Display Name:LexBce Server
Service Name:LmHosts Display Name:TCP/IP NetBIOS Helper
Service Name:Netman Display Name:Network Connections
Service Name:Nla Display Name:Network Location Awareness (NLA)
Service Name:PlugPlay Display Name:Plug and Play
Service Name:PolicyAgent Display Name:IPSEC Services
Service Name:ProtectedStorage Display Name:Protected Storage
Service Name:RasMan Display Name:Remote Access Connection Manager
Service Name:RpcSs Display Name:Remote Procedure Call (RPC)
Service Name:SamSs Display Name:Security Accounts Manager
Service Name:Schedule Display Name:Task Scheduler
Service Name:seclogon Display Name:Secondary Logon
Service Name:SENS Display Name:System Event Notification
Service Name:SharedAccess Display Name:Windows Firewall/Internet Connection Sharing (ICS)
Service Name:ShellHWDetection Display Name:Shell Hardware Detection
Service Name:SimpTcp Display Name:Simple TCP/IP Services
Service Name:Spooler Display Name:Print Spooler
Service Name:srservice Display Name:System Restore Service
Service Name:SSDPSRV Display Name:SSDP Discovery Service
Service Name:stisvc Display Name:Windows Image Acquisition (WIA)
Service Name:TapiSrv Display Name:Telephony
Service Name:TermService Display Name:Terminal Services
Service Name:Themes Display Name:Themes
Service Name:TrkWks Display Name:Distributed Link Tracking Client
Service Name:usnjsvc Display Name:Messenger Sharing Folders USN Journal Reader service
Service Name:W32Time Display Name:Windows Time
Service Name:WebClient Display Name:WebClient
Service Name:winmgmt Display Name:Windows Management Instrumentation
Service Name:wscsvc Display Name:Security Center
Service Name:wuauserv Display Name:Automatic Updates
Service Name:WZCSVC Display Name:Wireless Zero Configuration


Startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Dell AIO Printer A920
"C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
avast!
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Dell AIO Printer A920
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
ctfmon.exe
C:\WINDOWS\system32\ctfmon.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
msnmsgr
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
desktop.ini


C:\Documents and Settings\Owner\Start Menu\Programs\Startup
desktop.ini


C:\Documents and Settings\Owner\Start Menu\Programs\Startup
Ultimate Mail Manager Event Reminder.LNK
C:\Program Files\Common Files\Broderbund\UMM\Crdmind.exe (Remark: Shortcut to Event Reminder (CRDMIND.EXE))

SSDT
\systemroot\system32\drivers\aswSP.SYS - Ntclose
\systemroot\system32\drivers\aswSP.SYS -
\systemroot\system32\drivers\aswSP.SYS - Ntdeletevaluekey
\systemroot\system32\drivers\aswSP.SYS - NtduplicateObject
\systemroot\system32\drivers\aswSP.SYS - Ntopenkey
\systemroot\system32\drivers\aswSP.SYS - Ntopenprocess
\systemroot\system32\drivers\aswSP.SYS - Ntopenthread
\systemroot\system32\drivers\aswSP.SYS - Ntquaryvaluekey
\systemroot\system32\drivers\aswSP.SYS - Ntrestorekey
\systemroot\system32\drivers\aswSP.SYS - Nrsetvaluekey

Message Hooks

C:\windows\explorer.exe
C:\windows\system32\ctfmon.exe
C:\windows\explorer.exe
C:\windows\exployer.exe
C:\progra~1\alwils~\avast4\ashdisp.exe
C:\progra~1\alwils~\avast4\ashdisp.exe
C:\programfiles\msnmessenger\msnmsgr.exe
C:\programfiles\msnmessenger\msnmsgr.exe
C:\programfiles\msnmessenger\msnmsgr.exe
C:\programfiles\msnmessenger\msnmsgr.exe
C:\windows\explorer.exe
C:\windows\explorer.exe

Hope this is right!!!
  • 0
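The report above is the kind of listing Essexboy checks by eye in the next reply. As an added example that is not part of the thread, here is a small Python helper that parses IceSword-style Startup and SSDT sections and flags SSDT hooks from any driver other than avast's aswSP.SYS, plus autostart entries whose image lives outside the Windows or Program Files trees. The sample text is a constructed excerpt of the posted report; the "updater" Run entry is invented here to show what a flagged line looks like.

```python
# Constructed excerpt in the layout of the posted IceSword report; the "updater" Run entry is invented, not from the log.
REPORT = r"""Startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Dell AIO Printer A920
"C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
updater
C:\Documents and Settings\Owner\Local Settings\Temp\updater.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
desktop.ini

SSDT
\systemroot\system32\drivers\aswSP.SYS - Ntclose
\systemroot\system32\drivers\aswSP.SYS -
"""
HEADERS = ("Process:", "Started Service:", "Startup:", "SSDT", "Message Hooks")
TRUSTED_HOOK_MODULES = {"aswsp.sys"}  # avast! self-protection driver seen in the log
TRUSTED_ROOTS = ("c:\\windows", "c:\\program files", "c:\\progra~1")

def split_sections(text):
    """Map each IceSword section header to its lines (blank lines kept)."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line in HEADERS:
            current, sections[line] = line, []
        elif current is not None:
            sections[current].append(line)
    return sections

def parse_startup(lines):
    """Blank-line separated blocks: location, entry name, optional image path."""
    entries, block = [], []
    for line in lines + [""]:
        if line:
            block.append(line)
        elif block:
            entries.append((block[0], block[1], block[2].strip('"') if len(block) > 2 else None))
            block = []
    return entries

def triage(text):
    """Flag SSDT hooks from unknown drivers and autostarts outside system/program dirs."""
    s = split_sections(text)
    modules = [l.split(" -", 1)[0] for l in s.get("SSDT", []) if l]
    odd_ssdt = [m for m in modules if m.rsplit("\\", 1)[-1].lower() not in TRUSTED_HOOK_MODULES]
    startup = parse_startup(s.get("Startup:", []))
    odd_startup = [i for _, _, i in startup if i and not i.lower().startswith(TRUSTED_ROOTS)]
    return {"ssdt": len(modules), "odd_ssdt": odd_ssdt,
            "startup": len(startup), "odd_startup": odd_startup}
```

An empty "odd_ssdt" list matches Essexboy's reading that the hooks all belong to the avast driver; a flagged startup path is a lead to look at, not proof of infection.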

#39
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hmm that shows the square root of nothing in the rootkit department

I would like to re-run combofix again so I can compare files and drivers with the last run, but first I will uninstall the old version

Go to Start > Run - then type ComboFix /u

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
  • 0

#40
mscobra

    Member

  • Topic Starter
  • Member
  • PipPip
  • 71 posts
Attached File  log.txt   191.11KB   260 downloads

Well, there was a problem with the Recovery Console... I couldn't install it... Couldn't find an internet connection... I'm connected 24/7!!! Oh, another Windows application, there's the problem... I still can't get to any Windows applications... I see that this is part of the Windows installation CD; I'll try tonight when I get home to re-install it from the CD that I have and try again.

Edited by mscobra, 10 November 2008 - 08:11 AM.

  • 0

#41
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Could you bear with me for a bit as I need to do some more research
  • 0

#42
mscobra

    Member

  • Topic Starter
  • Member
  • PipPip
  • 71 posts
OK, I uninstalled Win SP2 and tried the Recovery Console. It's there now. I ran ComboFix and the attachment is with this... But I've encountered some problems: One - What is "SPOOLER SUB SYSTEM APP"? It pops up and says it needs to close... There are some weird things going on with my Print Shop and my husband can't even get to his email at MSN...
Attached File  log3.txt   338.89KB   158 downloads

I'm re-installing winxp sp2 to see if that clears up anything...
Waiting for reply and thanks for everything
  • 0

#43
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts

What is "SPOOLER SUB SYSTEM APP"? It pops up and say it needs to close

This is usually to do with your printer drivers. Have you recently added a printer or updated the drivers? More information here

All I can see is one file that is problematic, we are starting to run out of suggestions here. This is definitely a unique problem

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\tempbmm.iss

3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

  • 0

#44
mscobra

    Member

  • Topic Starter
  • Member
  • PipPip
  • 71 posts
the only thing I did with the printer was to have my laptop print to it, but no updated drivers or anything.

Here are the files that I ran..
Attached File  log5.txt   315.79KB   188 downloads
Attached File  hijackthis2.txt   3.74KB   138 downloads

hope this gives us some answers....
I appreciate all the help that you have given over the last couple of days, but if I can't get this problem fixed by this weekend, I'm afraid I am gonna have to format the Hard drive again to get me back, so I can at least use my Print Shop that is all screwed up now, and I need it for my Veterans Organization..

Awaiting your reply
  • 0

#45
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
To be honest that is where I am starting to go now as I can see no rhyme nor reason for this problem. All the analysis tools have drawn a blank along with the cleaning tools. You do not appear to have a rootkit or MBR virus, there are no known malware files or even non standard files that I can see. Everything appears legitimate, but that does not explain why the repair tools that should have cured the problem do not work. SFC checked out your files as good. I am sorry that I have been unable to cure this problem. This is the first time I have had to recommend a reformat.

There is a reformatting tutorial here
  • 0
