I was able to successfully run an MBAM scan in Safe Mode with Networking, while in every logon profile, which did detect a number of infections and cleaned them. However, when logging into Windows normally, the above process reappears and MBAM stops scanning and becomes disabled. The same happens with HiJack This. GMER installs but will not launch or scan, as errors pop up saying various system files are in use. Here are two of the errors that occurred with GMER:
.
LoadDriver( "C:\DOCUME~1\Casey\LOCALS~1\Temp\pgpdafod.sys" ) error 0xC0000001: Cannot create a stable subkey under a volatile parent key.
.
C:\WINDOWS\system32\config\system: The process cannot access the file because it is being used by another process.
.
The only successful scan I've made in normal logon is DDS, which is below. I've also attached the attach.zip file from DDS. I have also run DeFogger with CD emulation currently disabled, and the log for that is at the bottom of this post. Thanks to this forum, I've managed to repair many rootkit infections, but this one eludes me. Please help.
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Casey at 11:53:44 on 2011-10-03
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.265 [GMT -4:00]
.
AV: Norton AntiVirus *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\2007516154:96229256.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [EPSON Stylus C80 Series] c:\windows\system32\spool\drivers\w32x86\3\E_S10IC2.EXE /P23 "EPSON Stylus C80 Series" /O6 "USB001" /M "Stylus C80"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10w_ActiveX.exe -update activex
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\epsons~1.lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
uPolicies-explorer: NoSetActiveDesktop =
uPolicies-system: DisableTaskMgr =
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: mswsock.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1198959242963
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
TCP: DhcpNameServer = 167.206.245.129 167.206.245.130
TCP: Interfaces\{EB2FDEA7-DE37-46CC-A115-C93C5C1461D7} : DhcpNameServer = 167.206.245.129 167.206.245.130
Notify: GoToAssist - c:\program files\citrix\gotoassist\615\G2AWinLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
Hosts: 95.64.61.137 www.google.com
Hosts: 95.64.61.138 www.bing.com
.
============= SERVICES / DRIVERS ===============
.
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [2011-9-2 23624]
.
=============== Created Last 30 ================
.
2011-10-03 01:33:40 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-03 00:43:54 -------- d-sh--w- c:\documents and settings\casey\IECompatCache
2011-10-03 00:17:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-02 23:15:03 -------- d-sh--w- c:\documents and settings\casey\PrivacIE
2011-10-02 19:10:55 -------- d-----w- c:\program files\ESET
2011-10-02 18:59:32 -------- d-----w- c:\windows\pss
2011-09-10 21:15:30 -------- d-----w- c:\documents and settings\all users.windows\application data\Trymedia
2011-09-10 21:15:25 -------- d-----w- c:\program files\Elf Bowling - Bocce Style!
2011-09-06 16:25:45 -------- d-----w- c:\program files\NortonInstaller
2011-09-06 16:25:45 -------- d-----w- c:\documents and settings\all users.windows\application data\NortonInstaller
2011-09-06 16:24:26 -------- d-----w- c:\documents and settings\all users.windows\application data\Norton
2011-09-06 15:53:17 21376 ----a-w- c:\windows\system32\drivers\3db8dd44562e7967.sys
.
==================== Find3M ====================
.
2011-09-03 00:28:33 43408 --sha-w- c:\windows\system32\c_73280.nl_
2011-09-03 00:28:22 23624 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-09-02 20:17:49 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-02 19:10:30 0 ----a-w- c:\documents and settings\all users.windows\application data\gueg.exe
2011-09-02 19:10:30 0 ----a-w- c:\documents and settings\all users.windows\application data\glha.exe
2011-09-02 19:10:30 0 ----a-w- c:\documents and settings\all users.windows\application data\bacl.exe
2011-09-02 19:10:30 0 ----a-w- c:\documents and settings\all users.windows\application data\alal.exe
.
============= FINISH: 11:55:23.13 ===============
defogger_disable by jpshortstuff (23.02.10.1)
Log created at 11:53 on 03/10/2011 (Casey)
Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.
Checking for services/drivers...
Unable to read 3db8dd44562e7967.sys
Unable to read tsbvcap.sys
Unable to read tunmp.sys
Unable to read uagp35.sys
Unable to read udfs.sys
Unable to read update.sys
Unable to read usb8023.sys
Unable to read usb8023x.sys
Unable to read usbcamd.sys
Unable to read usbcamd2.sys
Unable to read usbccgp.sys
Unable to read usbd.sys
Unable to read usbehci.sys
Unable to read usbhub.sys
Unable to read usbintel.sys
Unable to read usbport.sys
Unable to read usbprint.sys
Unable to read usbscan.sys
Unable to read usbstor.sys
Unable to read usbuhci.sys
Unable to read usbvideo.sys
Unable to read vdmindvd.sys
Unable to read vga.sys
Unable to read viaagp.sys
Unable to read videoprt.sys
Unable to read volsnap.sys
Unable to read wacompen.sys
Unable to read wadv01nt.sys
Unable to read wadv02nt.sys
Unable to read wadv05nt.sys
Unable to read wadv07nt.sys
Unable to read wadv08nt.sys
Unable to read wadv09nt.sys
Unable to read wadv11nt.sys
Unable to read wanarp.sys
Unable to read watv01nt.sys
Unable to read watv02nt.sys
Unable to read watv04nt.sys
Unable to read watv06nt.sys
Unable to read watv10nt.sys
Unable to read wch7xxnt.sys
Unable to read wdmaud.sys
Unable to read wmilib.sys
Unable to read wpdusb.sys
Unable to read ws2ifsl.sys
Unable to read wsiintxx.sys
Unable to read WudfPf.sys
Unable to read WudfRd.sys
Unable to read wvchntxx.sys
-=E.O.F=-