
Infected; MBAM Being Deleted


No, it doesn't get that far.

What does the XP repair install do?


I suspected that there was something wrong with the Dr.Web LiveCD because it was acting inconsistently, so I burned another copy on another machine and was able to get further with it. Not all options seem to work, but I ran a scan and it found one potential trojan, which I told it to delete. Unfortunately, I failed to note the name of it, but it didn't include the string "vundo".

But this doesn't change the blue screen symptoms. I'm not sure what else I can do with the LiveCD. Most of its options don't seem relevant. Do you have suggestions on what to do next?

I'm going to look around for more information on combofix, what it does, and how to undo it. Let me know if you have anything to suggest in this regard.


I've put in a call for help. So hang in there for now on this.


A couple of questions, and I'm still getting info on this.

Did you run MalwareBytes right before running combofix?

Also, when was the last update done on MBAM? As best as you can remember; I know you cannot access it, but do you know the day?


More questions ent...

Do you have another PC that you could remove this hard drive and slave it to? If so would you be comfortable doing that?


I couldn't run Anti-Malware because the trojan was deleting mbam.exe. I would uninstall and reinstall AM and mbam.exe would vanish within seconds. I even tried a few times to quickly copy-and-paste mbam.exe to a different place or filename before it disappeared but I didn't succeed.

I really don't have a clue about how old the Anti-Malware installation was prior to the infection. It might have been pretty old.

Regarding moving the drive, you're talking about installing the infected drive as a secondary drive on another computer? I could do that. Presumably there's not much chance of the other computer catching the infection?

I couldn't run Anti-Malware because the trojan was deleting mbam.exe. I would uninstall and reinstall AM and mbam.exe would vanish within seconds. I even tried a few times to quickly copy-and-paste mbam.exe to a different place or filename before it disappeared but I didn't succeed.

Okay understood.

I really don't have a clue about how old the Anti-Malware installation was prior to the infection. It might have been pretty old.

Also, okay.

Regarding moving the drive, you're talking about installing the infected drive as a secondary drive on another computer? I could do that. Presumably there's not much chance of the other computer catching the infection?

We can go 2 ways, either slaving the drive or using a boot CD, whichever you are more comfortable with. I think as long as you have good protection on the PC you are slaving the drive to, then we should be okay. We would mainly just be copying files from the good PC to the infected drive.

The theory is that the Malware has infected your low level hard drive drivers. The developer of combofix, sUBs, is looking in here to help guide me through trying to get you back up and running. So just let us know which way you want to go.


I'm less comfortable with moving the hard drive only because if the other computer should become infected, then communicating with you would become very difficult.

By boot CD, you mean the Dr.Web LiveCD or something similar?

One caveat, the CD burner on my other, healthy computer is malfunctioning. I have to drive to work if I want to burn anything (or replace the drive).

(Would another option be to install a new drive in the infected computer, install Windows on it, and then plug the infected drive back in as a secondary drive? It seems like this might be a lot more trouble, but it would be another way of ensuring that my other computer doesn't get infected. It's just a thought -- I'm not sure if I have any SATA drives lying around.)

I'm less comfortable with moving the hard drive only because if the other computer should become infected, then communicating with you would become very difficult.

Understood

By boot CD, you mean the Dr.Web LiveCD or something similar?

Something like it. Like a UBCD for Windows or similar.

One caveat, the CD burner on my other, healthy computer is malfunctioning. I have to drive to work if I want to burn anything (or replace the drive).

Bummer

(Would another option be to install a new drive in the infected computer, install Windows on it, and then plug the infected drive back in as a secondary drive? It seems like this might be a lot more trouble, but it would be another way of ensuring that my other computer doesn't get infected. It's just a thought -- I'm not sure if I have any SATA drives lying around.)

That would be even more work than just re-installing Windows and being done with it.

I guess the way to go would be the boot disk. Let me scrounge up a link to some instructions.


Hi ent,

Haven't given up... just waiting on an approval for a file restore from the recovery console. Want to make sure we do the right thing.


Those instructions for the Dell site must be obsolete. None of them make sense. I couldn't even find a search option.

But I did enter my service tag number and it showed me some SATA files that I can download for my particular system (which is a model E520, by the way). They are:

R158600.EXE Serial ATA: Intel Matrix Storage Manager, v.7.5.0.1017, A12 (19 MB)

R158601.EXE Serial ATA: Intel Matrix Storage Manager, v.7.5.0.1017, A08 (327 KB)

I downloaded the latter, but I can't tell if it is a self-extracting zip file, a simple executable, or if it might try to install the driver on the (wrong) computer if I run it.

By the way, I discovered how to access my Windows drives from a command line using the Dr.Web LiveCD. I also discovered that I can transfer files from my other computer to the sick one via a thumb drive. The thumb drive shows up under Dr.Web.

So if you still think we're on the right track, let me know if I should run this executable.


Okay, you're pretty close here. You won't be able to, and shouldn't need to, run the installer. Hopefully it is just one file that was infected.

The second download you mentioned, R158601.EXE, contains the file we need: iastor.sys.

Run the .exe from Dell and extract the files on your good PC. Then copy over iastor.sys to the infected PC. Use whatever way is easiest for you. The DrWeb CD is fine if it will allow you to access your USB ports.

You need to copy it to the c:\windows\system32\drivers directory.

Reboot and hopefully things come to life. :crossing fingers:


I'm happy to report that extracting and installing the iastor.sys driver made my computer bootable again!

Almost as soon as I rebooted, I started getting malware intrusions. In particular, a fake malware program called Personal Guard 2009 kept popping up. I could delete all of its files and kill the process, but it would come back. I was able to stop this cycle by copying a random .exe file into the Personal Guard directory and renaming it to personalguard.exe. This kept it from running.

Then I tried reinstalling MBAM and got the same symptoms as before -- an mbam.exe file that would disappear within seconds of its creation. To combat this, I tried going to the Windows command line and quickly running a copy command to copy mbam.exe to another file name, while MBAM was in the process of installing. I was thinking that I might be able to run MBAM via this other executable. Not sure why, but the copying alone seemed to stop mbam.exe from being deleted, so then I was able to run a scan.

On a quick scan, MBAM found 43 infected objects!

Memory Processes Infected:

C:\Documents and Settings\All Users\Microsoft AData\setup.exe (Rogue.Installer) -> Unloaded process successfully.

Memory Modules Infected:

c:\WINDOWS\system32\zayezeru.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\Documents and Settings\All Users\Microsoft AData\sysnet.dll (Rogue.Installer) -> Delete on reboot.

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{df8ba2ed-e102-44d6-89d9-cebb037d8dd6} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe (Rogue.Installer) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{81ccb0cf-1404-4b92-aaf2-090ba3b6d4d5} (Rogue.Installer) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\personal guard 2009 (Rogue.PersonalGuard2009) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Personal Guard 2009 (Rogue.PersonalGuard2009) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\surezadil (Trojan.Vundo.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{df8ba2ed-e102-44d6-89d9-cebb037d8dd6} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\heramineh (Trojan.Vundo.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\sysnet (Rogue.Installer) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\personalguard (Rogue.PersonalGuard2009) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dofobobadu (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe logon.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.

Folders Infected:

C:\Program Files\Personal Guard 2009 (Rogue.PersonalGuard2009) -> Quarantined and deleted successfully.

C:\Program Files\Personal Guard 2009\q (Rogue.PersonalGuard2009) -> Quarantined and deleted successfully.

C:\Documents and Settings\Bill Entwistle\Start Menu\Programs\Personal Guard 2009 (Rogue.PersonalGuard2009) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Microsoft AData (Rogue.SmartProtector) -> Quarantined and deleted successfully.

Files Infected:

c:\WINDOWS\system32\zayezeru.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\Documents and Settings\All Users\Microsoft AData\setup.exe (Rogue.Installer) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Microsoft AData\sysnet.dll (Rogue.Installer) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\logon.exe (Worm.Emold) -> Delete on reboot.

C:\WINDOWS\Temp\7E9.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\Documents and Settings\Bill Entwistle\Local Settings\temp\trt.exe (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\Documents and Settings\Bill Entwistle\Local Settings\temp\trt57.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Program Files\Personal Guard 2009\config.scf (Rogue.PersonalGuard2009) -> Quarantined and deleted successfully.

C:\Program Files\Personal Guard 2009\mmbase.sdb (Rogue.PersonalGuard2009) -> Quarantined and deleted successfully.

C:\Program Files\Personal Guard 2009\personalguard.exe (Rogue.PersonalGuard2009) -> Quarantined and deleted successfully.

C:\Program Files\Personal Guard 2009\q.sdb (Rogue.PersonalGuard2009) -> Quarantined and deleted successfully.

C:\Program Files\Personal Guard 2009\queue.sdb (Rogue.PersonalGuard2009) -> Quarantined and deleted successfully.

C:\Program Files\Personal Guard 2009\uninstalls.exe (Rogue.PersonalGuard2009) -> Quarantined and deleted successfully.

C:\Program Files\Personal Guard 2009\vvbase.sdb (Rogue.PersonalGuard2009) -> Quarantined and deleted successfully.

C:\Documents and Settings\Bill Entwistle\Start Menu\Programs\Personal Guard 2009\Personal Guard 2009.lnk (Rogue.PersonalGuard2009) -> Quarantined and deleted successfully.

C:\Documents and Settings\Bill Entwistle\Start Menu\Programs\Personal Guard 2009\Uninstall.lnk (Rogue.PersonalGuard2009) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Microsoft AData\t.sid (Rogue.SmartProtector) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\diwunawo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\certSystem.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

C:\WINDOWS\Microsoftdef.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

C:\WINDOWS\regred.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

C:\WINDOWS\securits.com (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

C:\WINDOWS\spoov.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

C:\WINDOWS\usExplorer.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

I removed these, rebooted and re-quick-scanned and it found 2 infected objects:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dofobobadu (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

I removed them, rebooted and they came back. I removed them and ran a full scan and it found 5 items:

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP337\A0025338.exe (Rogue.Installer) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP337\A0025341.exe (Rogue.Installer) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP337\A0025346.exe (Rogue.Installer) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\AE1PGLU0\load-full[1].exe (Rogue.Installer) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\spool\prtprocs\w32x86\7E7.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.

I removed them, rebooted and re-full-scanned and it only found the 2 objects -- the other 5 did not come back.

I also noticed that something is hijacking the Windows Update feature. Every couple of minutes or so, it disables the automatic update feature. So I can't say for sure whether or not I am up to date with the Windows security updates. I might be -- I was able to circumvent this by running services.msi, waiting for the status to flip to Disabled, then quickly re-enabling it and running the next step of the update process.

I tried booting to safe mode to run the updates, but I still get the blue screen of death when I do.

By the way, somewhere in the middle of all this, I also updated and ran Windows Defender and it found and removed:

Trojan:Win32/Vundo.LP

I rebooted and ran it again, and it did not seem to come back.

So, in summary, I still have these three known symptoms:

* the two infected objects that keep coming back

* the disabling of the Windows update process

* the inability to run in safe mode.

Thanks.


Nice work!!! :) Some really nasty stuff you picked up there...

Obviously still more work to do. But since we got it running I'd like to do some scans before we make any changes.

Download DDS and save it to your desktop from here or here or here.

Disable any script blocker, and then double click dds.scr to run the tool.

  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop. Post them back to your topic.

~~~~~~~~~~~~~~~~~~~

Download This file. Note its name and save it to your root folder, such as C:\.

  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.


Hello ent,

A favor to ask please...

Did you rename the old iastor.sys when you copied the new one over, or did you just copy over it? If you renamed it could you please upload the renamed file to the following link:

http://www.bleepingcomputer.com/submit-malware.php?channel=4

Also, could you upload the following file to the same place.

C:\Qoobox\Quarantine\C\Windows\System32\Drivers\iastor.sys.vir

Thank you.


I did save a copy and I have uploaded the requested files to Bleeping Computer.

By the way, this morning (before you left your reply), I ran Spybot to see what it would turn up and it found and deleted several objects. I'm just mentioning it in case it might provide some more diagnostic info. Anyway, Spybot turned up several infections. I couldn't find a log file to paste in here, but they included references to:

Microsoft.WindowsSecurityCenter.FirewallBypass

Microsoft.WindowsSecurityCenter_disabled

Virtumonde.sdn

Virtumonde.atr

Virtumonde.dll

After rebooting, some of the Virtumonde objects came back. But it seems to have fixed the automatic disabling of Windows updates. I successfully did a Windows update, although I'm not really confident that I can trust that it worked.

I will take your next steps. It might take a while because I have this crushing deadline at work and if I don't get it done today, heads will roll. I probably won't be able to do anything before late tonight or tomorrow.

I did save a copy and I have uploaded the requested files to Bleeping Computer.

Thank you, we appreciate it.

I will take your next steps. It might take a while because I have this crushing deadline at work and if I don't get it done today, heads will roll. I probably won't be able to do anything before late tonight or tomorrow.

No problem, whenever you can get to it. We don't want to see any heads rolling around... :)


Here is the DDS.txt and Attach.txt as a zip file (per DDS's instructions). I assume that you want me to continue with the rest of the steps.

DDS (Ver_09-10-26.01) - NTFSx86

Run by Bill Entwistle at 19:13:59.23 on Wed 11/18/2009

Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_11

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.140 [GMT -6:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe

C:\Program Files\Dell\Media Experience\DMXLauncher.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe

svchost.exe

C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\PROGRA~1\RCrawler\RCrawler.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe

C:\Program Files\Dell Support\DSAgnt.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe

C:\Program Files\CapsUnlock\CapsUnlock.exe

C:\Program Files\FlashTray Pro\FlashTray.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Java\jre6\bin\jucheck.exe

C:\WINDOWS\system32\taskmgr.exe

C:\Program Files\Windows Media Player\wmplayer.exe

C:\WINDOWS\system32\SNDVOL32.EXE

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\Bill Entwistle\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

mDefault_Search_URL = hxxp://www.google.com/ie

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = 127.0.0.1

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL

BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: {826e7566-fc8a-4294-a7f9-3025321aa7d8} - beyofaji.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll

BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll

BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

uRunOnce: [spybotDeletingB2949] command.com /c del "c:\windows\system32\jibikupa.dll_old"

uRunOnce: [spybotDeletingD613] cmd.exe /c del "c:\windows\system32\jibikupa.dll_old"

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [sigmatelSysTrayApp] stsystra.exe

mRun: [iAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe

mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe

mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE

mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [Corel Photo Downloader] c:\program files\corel\corel snapfire plus\Corel Photo Downloader.exe

mRun: [Motive SmartBridge] c:\progra~1\sbclig~1\smartb~1\MotiveSB.exe

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [Registry Crawler] c:\progra~1\rcrawler\RCrawler.exe -TRAYONLY

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide

mRun: [surezadil] Rundll32.exe "c:\windows\system32\jibikupa.dll",a

mRunOnce: [spybot - Search & Destroy] "c:\program files\spybot - search & destroy\SpybotSD.exe" /autocheck

mRunOnce: [spybotDeletingA4277] command.com /c del "c:\windows\system32\jibikupa.dll_old"

mRunOnce: [spybotDeletingC3045] cmd.exe /c del "c:\windows\system32\jibikupa.dll_old"

StartupFolder: c:\docume~1\billen~1\startm~1\programs\startup\alarm.lnk - c:\program files\alarm\Alarm.exe

StartupFolder: c:\docume~1\billen~1\startm~1\programs\startup\capsun~1.lnk - c:\program files\capsunlock\CapsUnlock.exe

StartupFolder: c:\docume~1\billen~1\startm~1\programs\startup\flasht~1.lnk - c:\program files\flashtray pro\FlashTray.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\microt~1.lnk - c:\program files\microtek\scanwizard 5\ScannerFinder.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

Trusted Zone: internet

Trusted Zone: netflix.com\www

Trusted Zone: pandora.com

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1177138576847

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1177467272937

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6}

Notify: igfxcui - igfxdev.dll

Notify: NavLogon - c:\windows\system32\NavLogon.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SSODL: pirovebob - {04d7d960-4f27-46d5-93ed-16ca2147be51} - c:\windows\system32\dorugeba.dll

SSODL: toyufibod - {57bc0a5c-54d7-4a9a-9c1d-a46094d906a6} - c:\windows\system32\jibikupa.dll

STS: gahurihor: {04d7d960-4f27-46d5-93ed-16ca2147be51} - c:\windows\system32\dorugeba.dll

STS: jugezatag: {57bc0a5c-54d7-4a9a-9c1d-a46094d906a6} - c:\windows\system32\jibikupa.dll

SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\program files\eudora\EuShlExt.dll

SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

LSA: Notification Packages = scecli diwunawo.dll

mASetup: {621FCD24-4498-4324-A81E-07D331376EDF} - c:\program files\pixiepack codec pack\InstallerHelper.exe

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\billen~1\applic~1\mozilla\firefox\profiles\6xnqpoll.default\

FF - prefs.js: browser.startup.homepage - about:blank

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2008-7-30 161064]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-9-4 102448]

R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-11-14 38224]

S2 0258161238559076mcinstcleanup;0258161238559076mcinstcleanup; [x]

S2 0327391238561196mcinstcleanup;0327391238561196mcinstcleanup; [x]

S3 LW;LW;c:\docume~1\billen~1\locals~1\temp\lw.exe --> c:\docume~1\billen~1\locals~1\temp\LW.exe [?]

S3 notecable;NoteCable Driver (WDM);c:\windows\system32\drivers\notcable.sys --> c:\windows\system32\drivers\notcable.sys [?]

S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-9-27 116464]

=============== Created Last 30 ================

2009-11-15 05:38:43 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-11-15 05:38:40 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-11-14 23:10:57 304920 ------w- c:\windows\system32\drivers\iastor.sys

2009-11-08 23:54:32 98816 ----a-w- c:\windows\sed.exe

2009-11-08 23:54:32 77312 ----a-w- c:\windows\MBR.exe

2009-11-08 23:54:32 267264 ----a-w- c:\windows\PEV.exe

2009-11-08 23:54:32 161792 ----a-w- c:\windows\SWREG.exe

2009-11-08 23:54:08 0 d-s---w- C:\ComboFix

2009-11-08 14:48:18 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================

2009-11-03 02:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe

2009-10-19 23:53:44 3070976 ------w- c:\windows\system32\dllcache\mshtml.dll

2009-09-25 05:37:11 667136 ----a-w- c:\windows\system32\wininet.dll

2009-09-25 05:37:11 667136 ------w- c:\windows\system32\dllcache\wininet.dll

2009-09-25 05:37:11 627712 ------w- c:\windows\system32\dllcache\urlmon.dll

2009-09-25 05:37:10 1509888 ------w- c:\windows\system32\dllcache\shdocvw.dll

2009-09-25 05:37:09 81920 ----a-w- c:\windows\system32\ieencode.dll

2009-09-25 05:37:09 81920 ------w- c:\windows\system32\dllcache\ieencode.dll

2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll

2009-09-11 14:18:39 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll

2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll

2009-09-04 21:03:36 58880 ------w- c:\windows\system32\dllcache\msasn1.dll

2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll

2009-08-26 08:00:21 247326 ------w- c:\windows\system32\dllcache\strmdll.dll

2008-11-28 08:08:22 88 --sh--r- c:\windows\system32\3EEC6A8C6D.sys

2008-11-27 07:59:36 88 --sh--r- c:\windows\system32\736179D2E2.sys

2008-11-28 08:08:24 5174 --sh--w- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 19:15:17.95 ===============

Attach.zip


I'm not sure if I ran it right, but here's my GMER log.

GMER 1.0.15.15227 - http://www.gmer.net

Rootkit scan 2009-11-18 21:23:34

Windows 5.1.2600 Service Pack 3

Running: 11lrt2zh.exe; Driver: C:\DOCUME~1\BILLEN~1\LOCALS~1\Temp\uftdipoc.sys

---- System - GMER 1.0.15 ----

SSDT 860F8380 ZwConnectPort

SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xA6F83350]

SSDT 862B5A90 ZwQueryValueKey

SSDT 861960B8 ZwResumeThread

SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xA6F83580]

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)

AttachedDevice SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device Cdfs.SYS (CD-ROM File System Driver/Microsoft Corporation)

Device DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- Processes - GMER 1.0.15 ----

Library c:\windows\system32\jibikupa.dll (*** hidden *** ) @ C:\PROGRA~1\RCrawler\RCrawler.exe [264] 0x10000000

Library c:\windows\system32\jibikupa.dll (*** hidden *** ) @ C:\Program Files\Common Files\Symantec Shared\ccApp.exe [300] 0x10000000

Library c:\windows\system32\jibikupa.dll (*** hidden *** ) @ C:\Program Files\Dell Support\DSAgnt.exe [492] 0x10000000

Library c:\windows\system32\jibikupa.dll (*** hidden *** ) @ C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [516] 0x009A0000

Library c:\windows\system32\jibikupa.dll (*** hidden *** ) @ C:\Program Files\Messenger\msmsgs.exe [604] 0x10000000

Library c:\windows\system32\jibikupa.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [848] 0x00AF0000

Library c:\windows\system32\jibikupa.dll (*** hidden *** ) @ C:\WINDOWS\system32\hkcmd.exe [1256] 0x00EB0000

Library c:\windows\system32\jibikupa.dll (*** hidden *** ) @ C:\WINDOWS\system32\igfxpers.exe [1312] 0x00F60000

Library c:\windows\system32\jibikupa.dll (*** hidden *** ) @ C:\WINDOWS\stsystra.exe [1384] 0x014F0000

Library c:\windows\system32\jibikupa.dll (*** hidden *** ) @ C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe [1416] 0x010E0000

Library c:\windows\system32\jibikupa.dll (*** hidden *** ) @ C:\Program Files\Dell\Media Experience\DMXLauncher.exe [1444] 0x10000000

Library c:\windows\system32\jibikupa.dll (*** hidden *** ) @ C:\WINDOWS\System32\DLA\DLACTRLW.EXE [1500] 0x00940000

Library c:\windows\system32\jibikupa.dll (*** hidden *** ) @ C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe [1912] 0x00FB0000

Library c:\windows\system32\jibikupa.dll (*** hidden *** ) @ C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe [1944] 0x02410000

Library c:\windows\system32\jibikupa.dll (*** hidden *** ) @ C:\Program Files\iTunes\iTunesHelper.exe [1984] 0x00D50000

Library c:\windows\system32\jibikupa.dll (*** hidden *** ) @ C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe [2044] 0x00AA0000

Library c:\windows\system32\jibikupa.dll (*** hidden *** ) @ C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe [2344] 0x009E0000

Library c:\windows\system32\jibikupa.dll (*** hidden *** ) @ C:\Program Files\CapsUnlock\CapsUnlock.exe [2448] 0x00880000

Library c:\windows\system32\jibikupa.dll (*** hidden *** ) @ C:\Program Files\FlashTray Pro\FlashTray.exe [2604] 0x10000000

Library c:\windows\system32\jibikupa.dll (*** hidden *** ) @ C:\Program Files\Java\jre6\bin\jucheck.exe [2868] 0x00A70000

Library c:\windows\system32\jibikupa.dll (*** hidden *** ) @ C:\WINDOWS\system32\wscntfy.exe [3256] 0x10000000

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1

---- EOF - GMER 1.0.15 ----

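The GMER log above is the thread's most telling artifact: one library marked `*** hidden ***` is mapped into nearly every user process, and the Registry section reports a `LoadAppInit_DLLs` value of 1. The following Python script is an added example, not part of the thread and not GMER's own tooling: it parses the `Processes` and `Registry` sections of a GMER text log, groups hidden libraries by path, and flags any hidden DLL present in three or more processes, alongside the AppInit setting. The embedded log is a constructed, trimmed sample in the shape of the log posted above; the section and line formats assumed by the regular expressions are those visible in that log.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the GMER log posted in the thread (trimmed
# to a few lines; file and process names are the ones that appear in that log).
SAMPLE_LOG = r"""
GMER 1.0.15.15227 - http://www.gmer.net
Rootkit scan 2009-11-18 21:23:34

---- Processes - GMER 1.0.15 ----

Library c:\windows\system32\jibikupa.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [848] 0x00AF0000
Library c:\windows\system32\jibikupa.dll (*** hidden *** ) @ C:\Program Files\Messenger\msmsgs.exe [604] 0x10000000
Library c:\windows\system32\jibikupa.dll (*** hidden *** ) @ C:\WINDOWS\system32\wscntfy.exe [3256] 0x10000000
Library c:\windows\system32\jibikupa.dll (*** hidden *** ) @ C:\Program Files\iTunes\iTunesHelper.exe [1984] 0x00D50000

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1

---- EOF - GMER 1.0.15 ----
"""

# Section headers look like "---- Processes - GMER 1.0.15 ----".
SECTION_RE = re.compile(r"^---- (?P<name>\w+)")
# "Library <dll> (<flags>) @ <process> [<pid>] <base>"; the flags group is optional.
LIBRARY_RE = re.compile(
    r"^Library (?P<dll>.+?)(?: \((?P<flags>[^)]*)\))? @ (?P<proc>.+) \[(?P<pid>\d+)\] (?P<base>0x[0-9A-Fa-f]+)$"
)
# "Reg <key path>@<value name> [<data>]"; the key path may contain spaces but no '@'.
REG_RE = re.compile(r"^Reg (?P<key>.+?)@(?P<name>\S+)(?: (?P<data>.*))?$")


def parse_gmer(text):
    """Return (libraries, registry) from a GMER text log.

    libraries: list of dicts with dll, hidden, proc, pid, base (from the Processes section)
    registry:  dict mapping value name -> data string (from the Registry section)
    """
    section = None
    libraries = []
    registry = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        if section == "Processes":
            m = LIBRARY_RE.match(line)
            if m:
                flags = (m.group("flags") or "").strip()
                libraries.append({
                    "dll": m.group("dll").lower(),
                    "hidden": "hidden" in flags,
                    "proc": m.group("proc"),
                    "pid": int(m.group("pid")),
                    "base": int(m.group("base"), 16),
                })
        elif section == "Registry":
            m = REG_RE.match(line)
            if m:
                registry[m.group("name")] = (m.group("data") or "").strip()
    return libraries, registry


def hidden_dll_findings(libraries, min_processes=3):
    """Map each hidden DLL to the sorted PIDs it is mapped into, keeping only
    DLLs present in at least min_processes processes (system-wide injection)."""
    by_dll = defaultdict(set)
    for lib in libraries:
        if lib["hidden"]:
            by_dll[lib["dll"]].add(lib["pid"])
    return {dll: sorted(pids) for dll, pids in by_dll.items() if len(pids) >= min_processes}


def appinit_enabled(registry):
    """True when LoadAppInit_DLLs is 1. On Vista and later this value gates AppInit_DLLs
    loading; it is a cross-check to correlate with the AppInit_DLLs value, not a verdict."""
    return registry.get("LoadAppInit_DLLs", "") == "1"


def triage(text):
    """Summarise the two indicators a responder would pull out of the log."""
    libraries, registry = parse_gmer(text)
    return {
        "hidden_dlls": hidden_dll_findings(libraries),
        "load_appinit_dlls": appinit_enabled(registry),
    }


if __name__ == "__main__":
    for dll, pids in triage(SAMPLE_LOG)["hidden_dlls"].items():
        print(f"hidden DLL {dll} mapped into {len(pids)} processes: {pids}")
    print("LoadAppInit_DLLs = 1:", triage(SAMPLE_LOG)["load_appinit_dlls"])
```

The "hidden" marker is the strong signal here; the load address by itself is not (0x10000000 is simply the default preferred base for many DLLs, as the log shows for legitimate processes too). Grouping by DLL rather than by process is what turns twenty similar lines into one finding: a single hidden module in every interactive process points at a system-wide injection mechanism, which is the kind of thing an AppInit_DLLs check is meant to corroborate.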

You're still heavily infected here. :)

MBAM was able to get part of it, but not all. This is where combofix does its best work. Would you object to running combofix again? Delete the version you have now if you haven't already done so and download a fresh copy. I'm not exactly sure what happened the first time you ran cf but iastor.sys was definitely infected at the time. Being such a low level driver it can be difficult to remove without having any issues. I don't think it's infected at this point (no guarantees but...) so I think we're in better shape to make a run at it with combofix. Worst case? We now know how to get it running again. But I don't think that's going to happen this time.

Let me know.


I've had an interesting development. Let me know what you think.

I've been trying lots of things and running some scans. I had been avoiding rebooting because this is when malware seems to reinstall itself. I realized that the malware had done a good job of deactivating all of my virus protection. I was able to turn Symantec back on and it immediately detected and stopped a real-time intrusion from something, I think it was a Virtumonde trojan. I did a scan with Spybot and I think it found nothing, so I decided I would risk rebooting.

I've never seen this before, but when it started up, Spybot started running before the desktop displayed. On a blank background, it ran a full scan. I don't recall seeing any results, but when it finished booting, I found that I could enable all of my malware protection (Symantec, Spybot, Malwarebytes, Windows Defender). I updated all of them to their latest versions. My Windows security seems to be up to date, as well.

I can now run a full scan with all four products and none of them turn up anything. Also, all of the telltale signs of being hijacked seem to be gone (odd blinking of the task manager display, a window that blinks open and closed on boot, an error message about failure to load a driver on boot, etc.). They're gone and the system seems to be operating OK.

So I am a little hesitant to re-run combofix. Would it make sense to go back to square one and generate a HijackThis log? Or re-run some of these other less intrusive diagnostics, maybe the live CD?


Okay great. Let's get another scan with DDS and post the logs.
