[jaydee77ca]

Hi,

I'm hoping someone can help me. I noticed odd behaviour with my PC a day or so ago. First it started freezing, then Windows Defender couldn't update, then Malwarebytes Anti-malware and Spybot S&D wouldn't run, then I couldn't access the internet. I managed to boot into safe mode, run some online scans from Trend Micro and Kaspersky, clean some stuff up, and then I managed to get Malwarebytes Anti-malware to run which found and removed more stuff, namely a trojan:dnschanger. Now Malwarebytes Anti-malware doesn't find anything but I'm still having problems. The computer still freezes and Spybot S&D still won't run. I ran RootAlyzer and RootRepeal and they've identified a driver and some files hidden from Win32. How can I remove these files and the driver? Would someone be able to help me get back to normal? Much thanks!

Here is the log from RootAlyzer:

:: RootAlyzer Results
File:"Hidden file","C:\WINDOWS\system32\ESQULijvfmysudmhuxxqgwhtbbsemvduaeddo.dll"
File:"Hidden file","C:\WINDOWS\system32\ESQULvtogviqwwgiaxeibmjnwbtyvblwhluic.dll"
File:"Hidden file","C:\WINDOWS\system32\ESQULzcounter"
File:"No admin in ACL","C:\WINDOWS\{00000005-00000000-00000007-00001102-00000008-10211102}.CDF"
File:"Invisible to Win32","C:\WINDOWS\system32\ESQULijvfmysudmhuxxqgwhtbbsemvduaeddo.dll"
File:"Invisible to Win32","C:\WINDOWS\system32\ESQULvtogviqwwgiaxeibmjnwbtyvblwhluic.dll"
File:"Invisible to Win32","C:\WINDOWS\system32\ESQULzcounter"
File:"Invisible to Win32","C:\WINDOWS\system32\drivers\ESQULoqkqcemwasjmlqahydcgqxywwvhtxpbx.sys"
File:"No admin in ACL","C:\WINDOWS\system32\Defaults\MX0008_10211102{1B2D3721-11d6-5795-D000-869CD73B8EB7}.rdf"
File:"No admin in ACL","C:\WINDOWS\system32\Defaults\MX0008_10211102{48FCFB81-480E-11d7-9C86-00D0B78E3BD7}.rdf"
File:"No admin in ACL","C:\WINDOWS\system32\Defaults\MX0008_10211102{59639116-11D1-D955-A000-9D9D737F8EC9}.rdf"
File:"No admin in ACL","C:\WINDOWS\system32\Defaults\MX0008_10211102{8C0F8B81-11D1-DE1A-4544-24B700005453}.rdf"
File:"No admin in ACL","C:\WINDOWS\system32\Defaults\MX0008_10211102{9D74D2A0-11D1-DAE5-A000-9D9D737F8EC9}.rdf"
File:"No admin in ACL","C:\WINDOWS\system32\Defaults\MX0008_10211102{B591EC40-11D1-DBC3-A000-9D9D737F8EC9}.rdf"
File:"No admin in ACL","C:\Documents and Settings\All Users\Application Data\Idea Spectrum\Realtime Landscaping Architect 2\code.dat"

RootRepeal also finds the following hidden driver:

Name: ESQULoqkqcemwasjmlqahydcgqxywwvhtxpbx.sys
Image Path: C:\WINDOWS\system32\drivers\ESQULoqkqcemwasjmlqahydcgqxywwvhtxpbx.sys
Address: 0xBA29C000 Size: 192512 File Visible: - Signed: -
Status: Hidden from the Windows API!

NOTE: I can't seem to scan for hidden files in RootRepeal because it gives a bunch of access errors. I'm guessing this might be because I'm running in safe mode?

[Advertisements]

hi

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

• If you are using Firefox, make sure that your download settings are as follows:
  
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".
• During the download, rename Combofix to Combo-Fix as follows:
  
  
  
  
  
  
• It is important you rename Combofix during the download, but not after.
• Please do not rename Combofix to other names, but only to the one indicated.
• Close any open browsers.
• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  

  -----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    

    -----------------------------------------------------------

  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

  -----------------------------------------------------------

• Double click on combo-Fix.exe & follow the prompts.
• When finished, it will produce a report for you.
• Please post the "C:\Combo-Fix.txt" for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

[Rorschach112]

hi

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

• If you are using Firefox, make sure that your download settings are as follows:
  
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".
• During the download, rename Combofix to Combo-Fix as follows:
  
  
  
  
  
  
• It is important you rename Combofix during the download, but not after.
• Please do not rename Combofix to other names, but only to the one indicated.
• Close any open browsers.
• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  

  -----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    

    -----------------------------------------------------------

  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

  -----------------------------------------------------------

• Double click on combo-Fix.exe & follow the prompts.
• When finished, it will produce a report for you.
• Please post the "C:\Combo-Fix.txt" for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

[jaydee77ca]

Hi Rorschach,

Quick question: can I run Combo-Fix.exe in Safe Mode or do I have to be in Normal mode?

The reason I ask is that it seems I can only be in Normal mode for about a minute or so before my system freezes. I'm not sure if/how that will affect Combo-Fix if it does freeze while it's running. Safe mode appears to be ok as I've been booting in to it frequently since this happened and it hasn't frozen yet.

Thanks!

Edited by jaydee77ca, 16 July 2009 - 07:12 AM.

[Rorschach112]

try it in normal mode, if you cant get it working there try safe mode

[jaydee77ca]

Hi Rorschach,

I have to apologize. I also posted to other forums (Safer Networking and Sysinternals). It's since been pointed out to me that I shouldn't have done that. I am very sorry for any trouble it's caused. I have requested that the other forums close their threads and I'll only follow this one. I'll run ComboFix as soon as I get home tonight and post the results.

Thank you very much for your help!

[Rorschach112]

ok, make sure you tell them you are being helped here

[jaydee77ca]

Hi Rorschach,

I can't get ComboFix to run. I was trying to follow the instructions to install the Windows Recovery Console manually but it runs for a bit, opens a DOS window, and then I get a blue screen of death with the following error:

An attempt was made to write to read-only memory.

STOP: 0x000000BE (0x004E1161, 0xf78D2CCC, 0x0000000B)

This happens in both normal mode and safe mode. I've tried a couple of times.

I rebooted and now in Windows Explorer I see a Combo-Fix folder off of my C drive that looks like the My Computer icon and when I open the folder it contains the stuff that My Computer contains. If I go down to C:\Combo-Fix and open it again then I see the contents of My Computer again. It just keeps going on forever, but the path in the Address bar just shows one level. Very strange.

I've also noticed that my Google searches are getting redirected now. That wasn't happening before. Perhaps whatever I've got is spreading?

Initially ComboFix told me that Shaw Secure (based on F-Secure I believe) was still running even though it wasn't. I uninstalled Shaw Secure and then ComboFix didn't give that message anymore. I think I've disabled everything else (Malwarebytes, Windows Defender, Spyware Blaster). Also, I don't think they run in Safe Mode (at least I can't see any processes for them.

What should I try next?

Thanks.

Also, I forgot to mention before that I ran RootRepeal and it found some MBR Rootkit stuff in the File scan. I've attached the log. I don't know if it helps.

Attached Files

•  rootrepeal_filescan.txt   10.35KB   147 downloads

Edited by jaydee77ca, 16 July 2009 - 06:03 PM.

[jaydee77ca]

Hi again,

Just to update, I tried running the recovery console by booting from the Windows XP CD however that doesn't work either. After I press "R" to run the Recovery Console the screen changes to black and hangs. Normally it should ask which installation I want to log in to, but that prompt never appears. I let it sit there for quite some time but nothing happens. I think the CD might be pre-SP2, I don't know if that matters. I read online somewhere that it shouldn't. *shrug*

Thanks

[jaydee77ca]

Hi,

Another update. I have been trying to get the Windows Recovery Console to install/run thinking that might fix the issues with ComboFix. I finally got the RC to install by integrating SP2 and SP3 to my XP install media using Microsoft's instructions. Now the Recovery Console shows up as an option when I boot but it still won't run. When I press "R" it just goes to a black screen with a blinking cursor and sits there. No prompt comes up and the computer isn't doing anything. I tried booting into the Recovery Console from both Normal mode and Safe mode and neither works. I'm not sure how to get it to run.

Since I managed to get the Recovery Console to install I thought I'd try ComboFix again but it still doesn't work. It runs for a little bit, then a blue DOS window pops up and says something like "Preparing to run" and then I get the blue screen error I mentioned earlier. When I boot up again I have another C:\Combo-Fix folder that shows the contents of My Computer recursively as I mentioned before. Interestingly, when I do a "dir" of the C:\Combo-Fix directory in a command prompt window it shows the ComboFix files and folders. It's only when viewing through Windows Explorer that it shows the My Computer contents recursively.

A couple of other things (that you probably already know about ), I noticed that RootRepeal gives some options when right-clicking on the ESQU*.sys driver file in the Drivers listing (Wipe, Force Delete, Neutralize) but I'm not sure what those do. Also, I found an app called MBR Fix that says it can modify/repair the Master Boot Record. Maybe that's an option if the Recovery Console won't work? It has to be run within Windows though so I guess that doesn't help if the system gets really messed up and won't boot.

Not sure what to do next...

Thanks!

[Rorschach112]

hi

Open the Start > run box
type cmd hit the ok button.

At the DOS promt type mbr.exe -f (make sure you have a space before the -f)

hit the enter key.

Type exit at the prompt and hit the enter key.

Restart the computer normally.



Then try Combofix again

[jaydee77ca]

Hi Rorschach,

So I ran mbr.exe -f and it said everything was ok:

C:\>mbr.exe -f
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

I ran Combo-Fix.exe again and got the BSOD error about writing to read only memory again.

I have another recursive directory at C:\Combo-Fix too (I renamed the previous ones to Combo-Fix2, Combo-Fix3, etc. as I didn't want to delete them).

The Windows Recovery Console is also still exhibiting the same behaviour.

RootAlyzer and RootRepeal are still showing the same "ESQUL*" files hidden from Win32. Also RootRepeal gives an error about "Could not read the Boot sector" when I start it up and/or try to do a Files scan. It also says the following at startup:

22:30:40: Warning - could not read Windows kernel using raw-disk reading!
22:30:40: Could not find module file on disk!
22:30:41: Could not find module file on disk!
22:30:41: Could not find module file on disk!

I couldn't find any kind of log from Combo-Fix.

[Rorschach112]

hi

Download TFC to your desktop

• Open the file and close any other windows.
• It will close all programs itself when run, make sure to let it run uninterrupted.
• Click the Start button to begin the process. The program should not take long to finish its job
• Once its finished it should reboot your machine, if not, do this yourself to ensure a complete clean

Please download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.






Go to Kaspersky website and perform an online antivirus scan.

• Read through the requirements and privacy statement and click on Accept button.
• It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
• When the downloads have finished, click on Settings.
• Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
  • Spyware, Adware, Dialers, and other potentially dangerous programs
    Archives
    Mail databases
• Click on My Computer under Scan.
• Once the scan is complete, it will display the results. Click on View Scan Report.
• You will see a list of infected items there. Click on Save Report As....
• Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

[jaydee77ca]

Hi Rorschach,

Below are the results of the scans. Note that the MBAM log says No Action Taken but the file is in the MBAM Quarantine tab. Also, I did have RAdmin installed at one point for remote administration, but not any longer. The files that are showing up are likely the old install files. I don't need them anymore. Finally, I've noticed that I'm now getting popup ads from "http://pop.doubleclick.net" in addition to the redirection of links from Google search results. :/

Thanks!

-----

Malwarebytes' Anti-Malware 1.39
Database version: 2468
Windows 5.1.2600 Service Pack 3

7/21/2009 9:39:42 AM
mbam-log-2009-07-21 (09-39-36).txt

Scan type: Quick Scan
Objects scanned: 98443
Time elapsed: 3 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\CoreAVC.ax (Backdoor.Bot) -> No action taken.


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Wednesday, July 22, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Wednesday, July 22, 2009 02:46:01
Records in database: 2509757
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan statistics:
Files scanned: 366819
Threat name: 3
Infected objects: 17
Suspicious objects: 0
Duration of the scan: 14:24:21


File name / Threat name / Threats count
D:\Apps\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.g 1
F:\Installs\mirc635.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.g 1
F:\M120A2_VOL2\Apps\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 1
F:\M120A2_VOL2\Apps\mIRC2\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 1
F:\M120A2_VOL2\Installs\mIRC\mirc616.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 1
F:\M120A2_VOL2\Installs\RAdmin\RADMIN22.EXE Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 3
F:\M120A2_VOL2\Installs\RAdmin\radmin22.zip Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 3
F:\Users\JL\My Documents\TravelDrive\Installs\RAdmin\RADMIN22.EXE Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 3
F:\Users\JL\My Documents\TravelDrive\Installs\RAdmin\radmin22.zip Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 3

The selected area was scanned.

Edited by jaydee77ca, 22 July 2009 - 04:13 PM.

[Rorschach112]

hi

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOKIT" entries unless advised by a trained Security Analyst

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

• Click NO
• In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is Unchecked.
• Now click the Scan button.
  Once the scan is complete, you may receive another notice about rootkit activity.
• Click OK.
• GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
• Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.

[jaydee77ca]

Here you go:

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-22 18:48:34
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT sptd.sys ZwCreateKey [0xF74EF0D0]
SSDT sptd.sys ZwEnumerateKey [0xF74F4E2C]
SSDT sptd.sys ZwEnumerateValueKey [0xF74F51BA]
SSDT sptd.sys ZwOpenKey [0xF74EF0B0]
SSDT sptd.sys ZwQueryKey [0xF74F5292]
SSDT sptd.sys ZwQueryValueKey [0xF74F5112]
SSDT sptd.sys ZwSetValueKey [0xF74F5324]

Code 8A420720 ZwFlushInstructionCache
Code 8A36F6E6 IofCallDriver
Code 8A5E9EE6 IofCompleteRequest
Code 8A42172D ZwSaveKey
Code 8A42272D ZwSaveKeyEx

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!IofCallDriver 804E13A7 5 Bytes JMP 8A36F6EB
.text ntoskrnl.exe!IofCompleteRequest 804E17BD 5 Bytes JMP 8A5E9EEB
.text ntoskrnl.exe!ZwSaveKey 804E42AE 5 Bytes JMP 8A421732
.text ntoskrnl.exe!ZwSaveKeyEx 804E42C2 5 Bytes JMP 8A422732
PAGE ntoskrnl.exe!ZwFlushInstructionCache 80587BFB 5 Bytes JMP 8A420724
? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
.text USBPORT.SYS!DllUnload BA6C88AC 5 Bytes JMP 8A6531C8
? System32\Drivers\ayq1bg9w.SYS The system cannot find the path specified. !

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!IoConnectInterrupt] [F7505886] sptd.sys
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F7505832] sptd.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F7527892] sptd.sys
IAT atapi.sys[ntoskrnl.exe!IoConnectInterrupt] [F7505886] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F74EFAD4] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F74EFC1A] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F74EFB9C] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F74F0748] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F74F061E] sptd.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8A7531E8
Device \FileSystem\Fastfat \FatCdrom 89D821E8
Device \Driver\usbohci \Device\USBPDO-0 8A6D37A0
Device \Driver\usbehci \Device\USBPDO-1 8A6547A0
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A7551E8
Device \Driver\dmio \Device\DmControl\DmConfig 8A7551E8
Device \Driver\dmio \Device\DmControl\DmPnP 8A7551E8
Device \Driver\dmio \Device\DmControl\DmInfo 8A7551E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{B78E9A1D-FE91-479E-91D7-CF828E6CEF43} 89D931E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 8A7C61E8
Device \Driver\PCI_NTPNP5534 \Device\00000064 sptd.sys
Device \Driver\PCI_NTPNP5534 \Device\00000064 sptd.sys
Device \Driver\Ftdisk \Device\HarddiskVolume2 8A7C61E8
Device \Driver\Ftdisk \Device\HarddiskVolume3 8A7C61E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{F09A914E-FDD7-4126-A375-1EEC91EF7F6C} 89D931E8
Device \Driver\NetBT \Device\NetBt_Wins_Export 89D931E8
Device \Driver\nvata \Device\00000084 8A7541E8
Device \Driver\nvata \Device\00000085 8A7541E8
Device \Driver\NetBT \Device\NetbiosSmb 89D931E8
Device \Driver\nvata \Device\00000088 8A7541E8
Device \Driver\usbohci \Device\USBFDO-0 8A6D37A0
Device \Driver\nvata \Device\NvAta0 8A7541E8
Device \Driver\usbehci \Device\USBFDO-1 8A6547A0
Device \Driver\nvata \Device\NvAta1 8A7541E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 89D911E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 89D911E8
Device \Driver\nvata \Device\NvAta2 8A7541E8
Device \Driver\Ftdisk \Device\FtControl 8A7C61E8
Device \Driver\ayq1bg9w \Device\Scsi\ayq1bg9w1 8A5E51E8
Device \Driver\ayq1bg9w \Device\Scsi\ayq1bg9w1Port3Path0Target0Lun0 8A5E51E8
Device \FileSystem\Fastfat \Fat 89D821E8
Device \FileSystem\Cdfs \Cdfs 89D841E8

---- EOF - GMER 1.0.15 ----