Page 1 of 4 1234 LastLast
Results 1 to 10 of 39

Thread: Nasty infestation. No Anti Virus will run. (Inactive)

  1. #1
    Junior Member
    Join Date
    Aug 2009
    Posts
    28

    Default Nasty infestation. No Anti Virus will run. (Inactive)

    Hello!

    I usually can take care of these myself, but this one is wicked. It lets me run any anti-virus software for a few moments then shuts them down and changes the permissions, whereby I cannot access them thereafter. I can't run HiJackThis, or anything else. Same scenario in Safe Mode. Running Win XP.

    I was able to run GMER for awhile, and it detected something, but ultimately failed when checking the Windows directory. Attached is what it was able to gather before it failed. Please help..desperate here.

    Thanks!

    GMER 1.0.15.15011 [9gnv3ms9.exe] - http://www.gmer.net
    Rootkit scan 2009-08-06 21:52:49
    Windows 5.1.2600 Service Pack 3


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\System32\drivers\aba3d60a.sys ZwCreateEvent [0xF76517AD]
    SSDT \SystemRoot\System32\drivers\aba3d60a.sys ZwCreateKey [0xF764F885]
    SSDT spoz.sys ZwEnumerateKey [0xF72A5CA2]
    SSDT spoz.sys ZwEnumerateValueKey [0xF72A6030]
    SSDT \SystemRoot\System32\drivers\aba3d60a.sys ZwOpenKey [0xF764F945]
    SSDT spoz.sys ZwQueryKey [0xF72A6108]
    SSDT spoz.sys ZwQueryValueKey [0xF72A5F88]
    SSDT spoz.sys ZwSetValueKey [0xF72A619A]

    INT 0x62 ? 89D97BF8
    INT 0x63 ? 89B04BF8
    INT 0x63 ? 89B04BF8
    INT 0x63 ? 89B04BF8
    INT 0x63 ? 89B04BF8
    INT 0x82 ? 89D97BF8

    ---- Kernel code sections - GMER 1.0.15 ----

    ? spoz.sys The system cannot find the file specified. !
    .text USBPORT.SYS!DllUnload F69758AC 5 Bytes JMP 89B041D8
    ? C:\WINDOWS\System32\drivers\aba3d60a.sys The system cannot find the file specified.
    ? win32k.sys:1 The system cannot find the file specified. !
    ? win32k.sys:2 The system cannot find the file specified. !

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\Explorer.exe[180] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DDC \\?\globalroot\Device\__max++>\C740D2E4.x86.dll
    .text C:\WINDOWS\Explorer.exe[180] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DF8 \\?\globalroot\Device\__max++>\C740D2E4.x86.dll
    .text C:\WINDOWS\Explorer.exe[180] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672DB0 \\?\globalroot\Device\__max++>\C740D2E4.x86.dll
    .text C:\Program Files\iTunes\iTunesHelper.exe[944] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672DB0 \\?\globalroot\Device\__max++>\C740D2E4.x86.dll
    .text C:\Program Files\iTunes\iTunesHelper.exe[944] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DDC \\?\globalroot\Device\__max++>\C740D2E4.x86.dll
    .text C:\Program Files\iTunes\iTunesHelper.exe[944] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DF8 \\?\globalroot\Device\__max++>\C740D2E4.x86.dll
    .text C:\WINDOWS\System32\svchost.exe[1148] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672DB0 \\?\globalroot\Device\__max++>\C740D2E4.x86.dll
    .text C:\WINDOWS\System32\svchost.exe[1148] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DDC \\?\globalroot\Device\__max++>\C740D2E4.x86.dll
    .text C:\WINDOWS\System32\svchost.exe[1148] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DF8 \\?\globalroot\Device\__max++>\C740D2E4.x86.dll
    .text C:\WINDOWS\system32\svchost.exe[1916] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672DB0 \\?\globalroot\Device\__max++>\C740D2E4.x86.dll
    .text C:\WINDOWS\system32\svchost.exe[1916] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DDC \\?\globalroot\Device\__max++>\C740D2E4.x86.dll
    .text C:\WINDOWS\system32\svchost.exe[1916] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DF8 \\?\globalroot\Device\__max++>\C740D2E4.x86.dll
    .text C:\Program Files\Mozilla Firefox\firefox.exe[1944] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DDC \\?\globalroot\Device\__max++>\C740D2E4.x86.dll
    .text C:\Program Files\Mozilla Firefox\firefox.exe[1944] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DF8 \\?\globalroot\Device\__max++>\C740D2E4.x86.dll
    .text C:\Program Files\Mozilla Firefox\firefox.exe[1944] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672DB0 \\?\globalroot\Device\__max++>\C740D2E4.x86.dll

    ---- Kernel IAT/EAT - GMER 1.0.15 ----

    IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F7288040] spoz.sys
    IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F728813C] spoz.sys
    IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F72880BE] spoz.sys
    IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F72887FC] spoz.sys
    IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F72886D2] spoz.sys
    IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F7298048] spoz.sys

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\WINDOWS\Explorer.exe[180] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672AAE] \\?\globalroot\Device\__max++>\C740D2E4.x86.dll
    IAT C:\WINDOWS\Explorer.exe[180] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A38] \\?\globalroot\Device\__max++>\C740D2E4.x86.dll
    IAT C:\Program Files\iTunes\iTunesHelper.exe[944] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672AAE] \\?\globalroot\Device\__max++>\C740D2E4.x86.dll
    IAT C:\Program Files\iTunes\iTunesHelper.exe[944] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A38] \\?\globalroot\Device\__max++>\C740D2E4.x86.dll
    IAT C:\WINDOWS\System32\svchost.exe[1148] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672AAE] \\?\globalroot\Device\__max++>\C740D2E4.x86.dll
    IAT C:\WINDOWS\System32\svchost.exe[1148] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A38] \\?\globalroot\Device\__max++>\C740D2E4.x86.dll
    IAT C:\WINDOWS\system32\svchost.exe[1916] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672AAE] \\?\globalroot\Device\__max++>\C740D2E4.x86.dll
    IAT C:\WINDOWS\system32\svchost.exe[1916] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A38] \\?\globalroot\Device\__max++>\C740D2E4.x86.dll
    IAT C:\Program Files\Mozilla Firefox\firefox.exe[1944] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672AAE] \\?\globalroot\Device\__max++>\C740D2E4.x86.dll
    IAT C:\Program Files\Mozilla Firefox\firefox.exe[1944] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A38] \\?\globalroot\Device\__max++>\C740D2E4.x86.dll

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs aba3d60a.sys
    Device \FileSystem\Ntfs \Ntfs 89D961F8
    Device \Driver\NetBT \Device\NetBT_Tcpip_{CE2F6F90-17FF-4283-ACEC-64F3D76821CF} 898FA500
    Device \Driver\Tcpip \Device\Ip aba3d60a.sys

    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Company)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Company)

    Device \Driver\usbohci \Device\USBPDO-0 89B9B1F8
    Device \Driver\usbohci \Device\USBPDO-1 89B9B1F8
    Device \Driver\dmio \Device\DmControl\DmIoDaemon 89D2B1F8
    Device \Driver\dmio \Device\DmControl\DmConfig 89D2B1F8
    Device \Driver\dmio \Device\DmControl\DmPnP 89D2B1F8
    Device \Driver\dmio \Device\DmControl\DmInfo 89D2B1F8
    Device \Driver\usbehci \Device\USBPDO-2 89AF81F8
    Device \Driver\Tcpip \Device\Tcp aba3d60a.sys
    Device \Driver\Ftdisk \Device\HarddiskVolume1 89D981F8
    Device \Driver\Cdrom \Device\CdRom0 89AF41F8
    Device \Driver\NetBT \Device\NetBt_Wins_Export 898FA500
    Device \Driver\NetBT \Device\NetbiosSmb 898FA500
    Device \Driver\Tcpip \Device\Udp aba3d60a.sys
    Device \Driver\Tcpip \Device\RawIp aba3d60a.sys
    Device \Driver\usbohci \Device\USBFDO-0 89B9B1F8
    Device \Driver\usbohci \Device\USBFDO-1 89B9B1F8
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 898F3500
    Device \Driver\usbehci \Device\USBFDO-2 89AF81F8
    Device \Driver\Tcpip \Device\IPMULTICAST aba3d60a.sys
    Device \FileSystem\MRxSmb \Device\LanmanRedirector 898F3500
    Device \Driver\Ftdisk \Device\FtControl 89D981F8
    Device \Driver\NetBT \Device\NetBT_Tcpip_{287FE9F3-6724-4EFB-9965-F900D8BC2F37} 898FA500
    Device \FileSystem\Cdfs \Cdfs 899A5500
    ---- Processes - GMER 1.0.15 ----

    Library \\?\globalroot\Device\__max++>\C740D2E4.x86.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.exe [180] 0x35670000
    Library \\?\globalroot\Device\__max++>\C740D2E4.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\services.exe [812] 0x35670000
    Library \\?\globalroot\Device\__max++>\C740D2E4.x86.dll (*** hidden *** ) @ C:\Program Files\iTunes\iTunesHelper.exe [944] 0x35670000
    Library \\?\globalroot\Device\__max++>\C740D2E4.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1088] 0x35670000
    Library \\?\globalroot\Device\__max++>\C740D2E4.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1148] 0x35670000
    Library \\?\globalroot\Device\__max++>\C740D2E4.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1252] 0x35670000
    Library \\?\globalroot\Device\__max++>\C740D2E4.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1332] 0x35670000
    Library \\?\globalroot\Device\__max++>\C740D2E4.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [1608] 0x35670000
    Library \\?\globalroot\Device\__max++>\C740D2E4.x86.dll (*** hidden *** ) @ C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [1652] 0x35670000
    Library \\?\globalroot\Device\__max++>\C740D2E4.x86.dll (*** hidden *** ) @ C:\Program Files\Bonjour\mDNSResponder.exe [1680] 0x35670000
    Library \\?\globalroot\Device\__max++>\C740D2E4.x86.dll (*** hidden *** ) @ C:\pmta\gmsmux\wrapper.exe [1868] 0x35670000
    Library \\?\globalroot\Device\__max++>\C740D2E4.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1916] 0x35670000
    Library \\?\globalroot\Device\__max++>\C740D2E4.x86.dll (*** hidden *** ) @ C:\Program Files\Mozilla Firefox\firefox.exe [1944] 0x35670000
    Library \\?\globalroot\Device\__max++>\C740D2E4.x86.dll (*** hidden *** ) @ C:\Program Files\Java\jre6\bin\jqs.exe [1960] 0x35670000
    Library \\?\globalroot\Device\__max++>\C740D2E4.x86.dll (*** hidden *** ) @ C:\pmta\jre\bin\java.exe [1976] 0x35670000
    Library \\?\globalroot\Device\__max++>\C740D2E4.x86.dll (*** hidden *** ) @ C:\pmta\bin\pmtad.exe [2068] 0x35670000
    Library \\?\globalroot\Device\__max++>\C740D2E4.x86.dll (*** hidden *** ) @ c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe [2096] 0x35670000
    Library \\?\globalroot\Device\__max++>\C740D2E4.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [4056] 0x35670000

    ---- Services - GMER 1.0.15 ----

    Service C:\WINDOWS\System32\drivers\aba3d60a.sys (*** hidden *** ) [SYSTEM] aba3d60a <-- ROOTKIT !!!

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\Services\aba3d60a@ImagePath \SystemRoot\System32\drivers\aba3d60a.sys
    Reg HKLM\SYSTEM\CurrentControlSet\Services\aba3d60a@Type 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\aba3d60a@Start 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\aba3d60a@ErrorControl 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\aba3d60a@F96ZK6nPB MmF1Y3Rpb25ydS51cw==
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xF9 0x70 0xCD 0xED ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x6C 0xAD 0xF3 0xB1 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x00 0xFF 0xF7 0x0B ...
    Reg HKLM\SYSTEM\ControlSet003\Services\aba3d60a@ImagePath \SystemRoot\System32\drivers\aba3d60a.sys
    Reg HKLM\SYSTEM\ControlSet003\Services\aba3d60a@Type 1
    Reg HKLM\SYSTEM\ControlSet003\Services\aba3d60a@Start 1
    Reg HKLM\SYSTEM\ControlSet003\Services\aba3d60a@ErrorControl 1
    Reg HKLM\SYSTEM\ControlSet003\Services\aba3d60a@F96ZK6nPB MmF1Y3Rpb25ydS51cw==
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xF9 0x70 0xCD 0xED ...
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x6C 0xAD 0xF3 0xB1 ...
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x00 0xFF 0xF7 0x0B ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{68dfd01c-5335-451f-9db8-dcde4b93fef7}@Model 121
    Reg HKLM\SOFTWARE\Classes\CLSID\{68dfd01c-5335-451f-9db8-dcde4b93fef7}@Therad 26
    Reg HKLM\SOFTWARE\Classes\CLSID\{68dfd01c-5335-451f-9db8-dcde4b93fef7}@MData 0x30 0x61 0x3C 0x66 ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}@scansk 0x3F 0x3E 0xD0 0x15 ...

    ---- Files - GMER 1.0.15 ----

    ADS C:\System Volume Information\_restore{05FF69C1-A6C1-40DB-877E-B8276DC71785}\RP195\A0027083.sys:1 8192 bytes executable
    ADS C:\System Volume Information\_restore{05FF69C1-A6C1-40DB-877E-B8276DC71785}\RP195\A0027088.sys:1 8192 bytes executable
    ADS C:\System Volume Information\_restore{05FF69C1-A6C1-40DB-877E-B8276DC71785}\RP195\A0027187.sys:1 8192 bytes executable
    ADS C:\System Volume Information\_restore{05FF69C1-A6C1-40DB-877E-B8276DC71785}\RP195\A0027301.sys:1 8192 bytes executable
    ADS C:\System Volume Information\_restore{05FF69C1-A6C1-40DB-877E-B8276DC71785}\RP196\A0027372.sys:1 8192 bytes executable
    ADS C:\System Volume Information\_restore{05FF69C1-A6C1-40DB-877E-B8276DC71785}\RP197\A0027381.sys:1 8192 bytes executable
    ADS C:\System Volume Information\_restore{05FF69C1-A6C1-40DB-877E-B8276DC71785}\RP197\A0027388.sys:1 8192 bytes executable
    ADS C:\System Volume Information\_restore{05FF69C1-A6C1-40DB-877E-B8276DC71785}\RP197\A0027401.sys:1 8192 bytes executable
    ADS C:\System Volume Information\_restore{05FF69C1-A6C1-40DB-877E-B8276DC71785}\RP197\A0027412.sys:1 8192 bytes executable

  2. #2
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Manchester UK
    Posts
    3,425

    Default

    Please note that all instructions given are customised for this computer only,
    the tools used may cause damage if used on a computer with different infections.

    If you think you have similar problems, please post a log in the HJT forum and wait for help.


    Hello and welcome to the forums

    My name is Katana and I will be helping you to remove any infection(s) that you may have.

    Please observe these rules while we work:
    1. Please Read All Instructions Carefully
    2. If you don't understand something, stop and ask! Don't keep going on.
    3. Please do not run any other tools or scans whilst I am helping you
    4. Failure to reply within 5 days will result in the topic being closed.
    5. Please continue to respond until I give you the "All Clear"
      (Just because you can't see a problem doesn't mean it isn't there)

    If you can do those few things, everything should go smoothly

    Some of the logs I request will be quite large, You may need to split them over a couple of replies.

    Please Note, your security programs may give warnings for some of the tools I will ask you to use.
    Be assured, any links I give are safe

    ----------------------------------------------------------------------------------------



    Download and Run ComboFix


    Download Combofix from the link below. Save it to your desktop.

    > Link Removed <

    (I have renamed the file)


    STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.


    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

    Click the Windows 'Start' button > Select 'Run' - then copy/paste the following bolded text into the run box & click OK.

    "%userprofile%\desktop\CleanMe.exe" /killall

    When finished, it shall produce a log for you. Post that log in your next reply.
    Last edited by katana; 2009-08-08 at 14:08.
    Microsoft MVP Consumer Security 2009 -2010
    If we have helped, please consider a donation
    THESE INSTRUCTIONS ARE FOR THIS USER ONLY

  3. #3
    Junior Member
    Join Date
    Aug 2009
    Posts
    28

    Default

    Thank you very much for the assistance.

    I did as you asked. ComboFix runs, I can see the status bar for it, and it appears to complete, but then everything just stops. No log is produced. It really seems just the other programs I have tried to run, where this infestation just shuts them down.

    No other viral software was running.

    I do see an mdm.exe running that looks suspicious. I stop it in task mgr though then run this program and it still is killed. Just to let you know, these programs are being stopped by this infection while in Safe Mode as well. It appears to be well attached to the system. Last night while observing this, I noticed the explorer.exe grab some cpu usage every time an anti-virus program was shut down.

    I tried renaming HiJackThis too, and no help.
    Don't know if this helps, but thought I'd send it out there.

  4. #4
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Manchester UK
    Posts
    3,425

    Default

    Ok, we need some info before we can kill this nasty.


    SysProt Antirootkit

    Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

    http://sites.google.com/site/sysprotantirootkit/

    Unzip it into a folder on your desktop.
    • Double click Sysprot.exe to start the program.
    • Click on the Log tab.
    • In the Write to log box select all items.
    • Click on the Create Log button on the bottom right.
    • After a few seconds a new window should appear.
    • Select Scan Root Drive. Click on the Start button.
    • When it is complete a new window will appear to indicate that the scan is finished.
    • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.
    Microsoft MVP Consumer Security 2009 -2010
    If we have helped, please consider a donation
    THESE INSTRUCTIONS ARE FOR THIS USER ONLY

  5. #5
    Junior Member
    Join Date
    Aug 2009
    Posts
    28

    Default

    Thanks for the quick response. I am stoked that something actually ran. Here are the results:

    SysProt AntiRootkit v1.0.1.0
    by swatkat

    ******************************************************************************************
    ******************************************************************************************

    Process:
    Name: [System Idle Process]
    PID: 0
    Hidden: No
    Window Visible: No

    Name: System
    PID: 4
    Hidden: No
    Window Visible: No

    Name: C:\WINDOWS\system32\smss.exe
    PID: 676
    Hidden: No
    Window Visible: No

    Name: C:\WINDOWS\system32\csrss.exe
    PID: 736
    Hidden: No
    Window Visible: No

    Name: C:\WINDOWS\system32\winlogon.exe
    PID: 936
    Hidden: No
    Window Visible: No

    Name: C:\WINDOWS\system32\services.exe
    PID: 980
    Hidden: No
    Window Visible: No

    Name: C:\WINDOWS\system32\lsass.exe
    PID: 992
    Hidden: No
    Window Visible: No

    Name: C:\WINDOWS\system32\ati2evxx.exe
    PID: 1148
    Hidden: No
    Window Visible: No

    Name: C:\WINDOWS\system32\svchost.exe
    PID: 1160
    Hidden: No
    Window Visible: No

    Name: C:\WINDOWS\system32\svchost.exe
    PID: 1256
    Hidden: No
    Window Visible: No

    Name: C:\WINDOWS\system32\svchost.exe
    PID: 1304
    Hidden: No
    Window Visible: No

    Name: C:\WINDOWS\system32\svchost.exe
    PID: 1468
    Hidden: No
    Window Visible: No

    Name: C:\WINDOWS\system32\svchost.exe
    PID: 1520
    Hidden: No
    Window Visible: No

    Name: C:\WINDOWS\system32\spoolsv.exe
    PID: 1780
    Hidden: No
    Window Visible: No

    Name: C:\WINDOWS\system32\svchost.exe
    PID: 1880
    Hidden: No
    Window Visible: No

    Name: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    PID: 1964
    Hidden: No
    Window Visible: No

    Name: C:\Program Files\Bonjour\mDNSResponder.exe
    PID: 1976
    Hidden: No
    Window Visible: No

    Name: C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    PID: 2012
    Hidden: No
    Window Visible: No
    Last edited by katana; 2009-08-08 at 18:42. Reason: Removed useless info to shorten log

  6. #6
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Manchester UK
    Posts
    3,425

    Default

    Use Windows explorer to open this folder
    C:\Documents and Settings\All Users\Application Data

    You may need to unhide files and folders ( see below )

    Look for a folder that has all numbers in its name eg 12365489
    If you find one, DRAG the entire folder to your desktop
    Reboot the machine and then try Combofix again



    Show All Files And Folders
    Now you need to show all files and folders
    • Click Start.
    • Open My Computer.
    • Select the Tools menu and click Folder Options.
    • Select the View Tab.
    • Under the Hidden files and folders heading select Show hidden files and folders.
    • Uncheck Hide file extensions for known file types
    • Uncheck the Hide protected operating system files (recommended) option.
    • Click Yes to confirm.
    • Click OK.
    Microsoft MVP Consumer Security 2009 -2010
    If we have helped, please consider a donation
    THESE INSTRUCTIONS ARE FOR THIS USER ONLY

  7. #7
    Junior Member
    Join Date
    Aug 2009
    Posts
    28

    Default

    Thank you for the follow-up.

    I found two folders with all numbers in that diretory and did as you said, moving both to desktop, restarted, and then ran the CleanMe.exe again. Like before, it ran, appeared to complete, hour glasses and the whole nine, and then it just stopped - producing no log.

  8. #8
    Junior Member
    Join Date
    Aug 2009
    Posts
    28

    Default

    Katana...

    Just an added notice, I looked at the properties of the folders that you mentioned herein and they were added on the same date that I had and attempted to remove some a.exe, b.exe, and msa.exe issues. I removed those apps and associated registry keys, as I could find them.

    I'm starting to believe they are somehow associated now. I also recently had a bout with Windows Antivirus Pro that I believed Windows Defender had resolved.

    Thanks again!

  9. #9
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Manchester UK
    Posts
    3,425

    Default

    Yes, they are probably all related.

    Please try the following

    Click start > run then copy/paste the following into the run window

    cacls C:\windows\system32\cmd.exe /G emh:F

    Press enter.

    A cmd window should come up asking you if you are sure, type 'y' then hit enter.

    After that, delete your copy of combofix, re-download a new one and try to run it again.
    Last edited by katana; 2009-08-07 at 23:07.
    Microsoft MVP Consumer Security 2009 -2010
    If we have helped, please consider a donation
    THESE INSTRUCTIONS ARE FOR THIS USER ONLY

  10. #10
    Junior Member
    Join Date
    Aug 2009
    Posts
    28

    Default

    Hello again.

    When I enter

    cacls C:\windows\system32\cmd.exe /G emh:F

    into the Run box and hit Enter, the Command prompt comes up but is closed almost immediately to where I only see it briefly and can't even see what it says on the prompt.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •