Page 1 of 3 (results 1 to 10 of 27)

Thread: This is a fun one...

  1. #1
    Junior Member
    Join Date
    Jul 2008
    Location
    ga
    Posts
    22

    Default This is a fun one...

    I have had a lot of fun tonight trying to fix my PC. My fiancé was on thesuperficialdotcom website and was prompted to scan the PC by a scamprog, etc. and closed it; well, something managed to download b/c it completely locked me down on my PC once I tried to get on. I couldn't open taskman, regedit, msconfig, I can't even open a Folder Options window to re-enable view of hidden files/folders (which normally I can always see). I can't run HijackThis, it says I don't have access as I am not the administrator, which I am, and I can't run Spybot either... I fixed 2 of the issues. To get Task Manager to work I did both of these:
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f
    and
    REG add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f

    I then closed out some weird programs (something with antivirus system pro) and sysguard... I was then able to delete the folders from ProgFiles and a few from sys32. I then fixed the registry issue by doing this so I could access it:
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f

    I went to HKLM\Soft\Micro\Win\CurVer\Run and deleted some of the weird startup processes that I had just killed via Taskman. I did the same under HKCU.

    I still get redirected to weird sites though when browsing and I am still getting popups, but at least it isn't naked people like it was earlier... I think it has something to do with the HOST stuff but I can't get HijackThis to work to be sure. I tried renaming it, downloading the exe (3 times); each time it opens, runs, and disappears, no log file to be seen anywhere. I was able to get to my temp to check there by typing in the location (I can't see my "hidden files/folders" currently) and there wasn't a log in there either. Once it shuts the prog down, I have no access to it: "You may not have the appropriate permissions to access the item" it says upon trying to reopen it.

    I need help guys. I need to be able to run these programs, I need to be able to see Folder Options, I need to submit my eCore assignment for school and I can't b/c I keep getting redirected to sites that aren't the same links I am clicking on...

    Please let me know what I should do.
    Thanks in advance!
    Ashley

    I tried doing a bit of research myself. I can't get rsit.exe to do anything other than a quick flicker of the black DOS screen. No EULA or anything. Also, no matter how many times I delete a few of the malicious startup entries in the registry, once I click off the folder and go back, they are there again. C:/Win/Sys32/zevububu.dll and C:/Win/ecigihaj.dll and C:/Win/Sys32/calc.dll I know these are contributing to the issues but I can't delete them under HKLM..Run or HKCU...run. Also, every time I boot in safe mode I get the blue screen of death. Something is blocking me from running in safe mode and that is a first for me.

    Any ideas are appreciated on what I can do...

    Thanks again,
    ashe

    PS: I will update this if I get anything resolved.

  2. #2
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Hello ashe

    Welcome to Safer Networking.

    Please read Before You Post
    While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

    First thing I am going to ask you to do is not to make any more changes to your system.


    Please download RootRepeal from one of these locations and save it to your desktop
    Here
    Here
    Here
    • Open on your desktop.
    • Click the tab.
    • Click the button.
    • Check just these boxes:
    • Push Ok
    • Check the box for your main system drive (usually C:), and press Ok.
    • Allow RootRepeal to run a scan of your system. This may take some time.
    • Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your post.
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  3. #3
    Junior Member
    Join Date
    Jul 2008
    Location
    ga
    Posts
    22

    Default RootRepeal must be blocked as well...

    I downloaded RootRepeal, opened it, and all I got was the quick flash of the cmd prompt and then nothing. I tried to rename it as well and it did the same thing. Any other ideas?

    Other things I tried before I got your post was to change the startup stuff in msconfig; it wouldn't let me as it says I don't have access. I tried to delete them in the registry, HKLM/.../Run, but once I click off and then go back they are there again. So it must be some permissions thing as well.

    I also tried booting in safe mode 3 times to see if I could kill it that way but each time I got the blue screen of death and had to do a hard boot... Odd.

    Any other help y'all can provide is appreciated!
    Thanks,
    Ashley

  4. #4
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Hi Ashley,

    Let's try GMER; if it works, post the log. If it does not, then run this program.

    Download GMER Rootkit Scanner from here or here.
    • Extract the contents of the zipped file to desktop.
    • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
    • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

    • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
      • Sections
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All (don't miss this one)
    • Then click the Scan button & wait for it to finish.
    • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
    • Save it where you can easily find it, such as your desktop, and post it in your next reply.

    **Caution**
    Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

    Download and run Win32kDiag:
    1. Download Win32kDiag from any of the following locations and save it to your Desktop.
    2. Double-click Win32kDiag.exe to run Win32kDiag and let it finish.
    3. When it states "Finished! Press any key to exit...", press any key on your keyboard to close the program.
    4. Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as a reply to this topic.

  5. #5
    Junior Member
    Join Date
    Jul 2008
    Location
    ga
    Posts
    22

    Default Grrrrrrrr!

    This is ridiculous! So I tried the first program. Was able to save the zip to my desktop. However now my zip program is nowhere to be found?? So I try to download WinZip. (Which I had at one point in time) Can't run the install... That black cmd box pops up for a second and then goes away. I tried it again... same thing. Which leads me to believe something is preventing me from installing any programs on my PC. How, I don't know... But it is. Is there anything in the registry that could have been modified? That I can go in and change? I already ran those 2 commands to give me access to regedit and taskman, and changed the Hiddenfiles value to 1 from 0 so I could view those as well... So I would be willing to manually change something in the registry if anyone knows where I should look to see what is preventing me from installing programs.

    So then I tried the second suggestion. The first link let me download the program. I go to run it and I get a box that says:
    C:\[FileLocation on desktop]
    The NTVDM CPU has encountered an illegal instruction.
    CS:0d0 IP:0111 OP:63 72 69 70 74 Choose 'Close' to terminate the application.
    Then my choices are Close and Ignore... and Ignore closes it as well.

    The other 2 links didn't work either. They pulled up a bunch of binary? data on a web page.

    Any other suggestions? I am beyond lost, and I have never been one to format a PC for a virus as I have always gotten it fixed until now... Format is not really an option either. I used to use Radmin and PCAnywhere at my last job and would not have an issue with someone dialing in to my PC if anyone is willing... I don't know if I still have Radmin on my box though and I don't think I would be able to install it at this point. But in any case, if anyone knows of a way I would be willing.

    Thanks in advance for any suggestions!
    Ashley

  6. #6
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    You can try running those programs in Safemode.

    To Enter Safemode
    • Go to Start> Shut off your Computer> Restart
    • As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
      this will bring up a menu.
    • Use the Up and Down Arrow Keys to scroll up to Safemode
    • Then press the Enter Key on your Keyboard

    Tutorial if you need it: How to boot into Safemode


    You have done so much fiddling with the registry, not sure what you have done. I think at this point doing a system repair would be an option and then we can check for viruses when you're done.

  7. #7
    Junior Member
    Join Date
    Jul 2008
    Location
    ga
    Posts
    22

    Default Getting better!

    OK, so why I did this I don't know but I'm glad I did. (Typically I hate anti-virus progs like AVG or Norton as they are resource hogs) but... as a last ditch effort I created a new user, test with admin rights. Upon first logon, I went to my install folder and found an old install file for avg from like 2 years ago. I installed it and obviously it forced me to update. Upon update it auto downloaded the new versions install file and ran that. After installation I ran the update... and rebooted. After logging in again it was popping up virus warnings left and right. SHeur2.BMZG and Win32/Cryptor were the repeat offenders.

    It found and fixed all the .dll issues thank god so I am now able to run some fix programs. I was able to run RootRepeal and Win32kDiag although the latter didn't provide much info in the txt file on the desktop. Below are the logs... I redownloaded GMER and WinZip; WinZip is working and associating properly but GMER is giving an invalid archive error.

    So, I still can't run HijackThis, nor can I delete the old icons off the desktop (Access denied). I would love to be able to run this as I use HJ all the time. Another biggy is that I still can't boot in safe mode. After all this I tried and I am still getting the blue screen so something has messed with safe mode settings as well. Something is still screwy with my permissions as well. A small issue--no Folder Options under Tools... not super important, but I think it has something to do with not being able to run some programs. When AVG was running after reboot I got several popups stating things couldn't be loaded.

    A few that might have caused the permissions issues:
    rundll32.exe Bad Image
    The app or DLL C:\Doc*\Networ*\ntuser.dll is not a valid win image.

    The rest of these are error loading...access denied.
    C:\Win*\kbcstwz1.dll
    C:\Win*\Doc\Network*\ntuser.dll %1 not a valid Win32 app.
    C:\Win*\Sys32\calc.dll
    C:\Win*\ecigihaj.dll
    C:\Win*\Sys32\jeberuhe.dll

    Any other ideas? I remember a long time ago, (the last time Rod broke the PC) I had to get some help and did something with ComboFix and/or DDS? I think? Anyhow, I won't do anything else until I hear from someone on here. I promise. Logs below, sorry for the delay.

    ROOTREPEAL (c) AD, 2007-2009
    ==================================================
    Scan Start Time: 2009/10/26 03:53
    Program Version: Version 1.3.5.0
    Windows Version: Windows XP SP2
    ==================================================

    Drivers
    -------------------
    Name: dump_iaStor.sys
    Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
    Address: 0x9EB1B000 Size: 749568 File Visible: No Signed: -
    Status: -

    Name: rootrepeal.sys
    Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
    Address: 0x9DF14000 Size: 49152 File Visible: No Signed: -
    Status: -

    Name: win32k.sys:1
    Image Path: C:\WINDOWS\win32k.sys:1
    Address: 0x9F085000 Size: 20480 File Visible: No Signed: -
    Status: -

    Name: win32k.sys:2
    Image Path: C:\WINDOWS\win32k.sys:2
    Address: 0xA56AD000 Size: 61440 File Visible: No Signed: -
    Status: -

    SSDT
    -------------------
    #: 011 Function Name: NtAdjustPrivilegesToken
    Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa86651da

    #: 025 Function Name: NtClose
    Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa86657ae

    #: 031 Function Name: NtConnectPort
    Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa86671ea

    #: 037 Function Name: NtCreateFile
    Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8666b9c

    #: 041 Function Name: NtCreateKey
    Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8664950

    #: 052 Function Name: NtCreateSymbolicLinkObject
    Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8668b7c

    #: 053 Function Name: NtCreateThread
    Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa86655ae

    #: 063 Function Name: NtDeleteKey
    Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8664d92

    #: 065 Function Name: NtDeleteValueKey
    Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8664f92

    #: 066 Function Name: NtDeviceIoControlFile
    Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8666eac

    #: 068 Function Name: NtDuplicateObject
    Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8669084

    #: 071 Function Name: NtEnumerateKey
    Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa86650a8

    #: 073 Function Name: NtEnumerateValueKey
    Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8665110

    #: 084 Function Name: NtFsControlFile
    Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8666d5e

    #: 097 Function Name: NtLoadDriver
    Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8668620

    #: 116 Function Name: NtOpenFile
    Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa86669f8

    #: 119 Function Name: NtOpenKey
    Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8664ab2

    #: 122 Function Name: NtOpenProcess
    Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa86653b2

    #: 125 Function Name: NtOpenSection
    Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8668ba6

    #: 128 Function Name: NtOpenThread
    Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa86652fe

    #: 160 Function Name: NtQueryKey
    Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8665178

    #: 161 Function Name: NtQueryMultipleValueKey
    Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8664e7c

    #: 177 Function Name: NtQueryValueKey
    Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8664c5a

    #: 180 Function Name: NtQueueApcThread
    Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8668888

    #: 193 Function Name: NtReplaceKey
    Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa86645d2

    #: 200 Function Name: NtRequestWaitReplyPort
    Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8667a74

    #: 204 Function Name: NtRestoreKey
    Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8664734

    #: 206 Function Name: NtResumeThread
    Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8668f56

    #: 207 Function Name: NtSaveKey
    Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa86643d0

    #: 210 Function Name: NtSecureConnectPort
    Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa866708c

    #: 213 Function Name: NtSetContextThread
    Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa86656ac

    #: 237 Function Name: NtSetSecurityObject
    Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa866871a

    #: 240 Function Name: NtSetSystemInformation
    Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8668bd0

    #: 247 Function Name: NtSetValueKey
    Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8664b08

    #: 253 Function Name: NtSuspendProcess
    Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8668cb4

    #: 254 Function Name: NtSuspendThread
    Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8668de0

    #: 255 Function Name: NtSystemDebugControl
    Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa866854c

    #: 257 Function Name: NtTerminateProcess
    Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa866547e

    #: 277 Function Name: NtWriteVirtualMemory
    Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa86654f0

    ==EOF==


    Running from: C:\Documents and Settings\ashe\Desktop\Win32kDiag.exe

    Log file at : C:\Documents and Settings\ashe\Desktop\Win32kDiag.txt

    WARNING: Could not get backup privileges!

    Searching 'C:\WINDOWS'...


    This is all the log had on the Win32 prog... I waited until it said Finished hit any key so do I do it again for good measure? I dunno. Again, I will just wait to see what you say. Thanks for your help so far!! ~ ashe

  8. #8
    Junior Member
    Join Date
    Jul 2008
    Location
    ga
    Posts
    22

    Default Sorry!

    I just saw your previous post. I didn't see it while I was typing mine obviously. I will say that I cannot boot in safe mode. I get the blue screen of death every time. I have not done anything with the registry that I haven't done before and the few things I have done I have told you about. But as far as a restore goes, I also can't do that. I tried that before contacting y'all and that is something else this virus disabled. It says it has been turned off for group policy and to contact my administrator. The only group on my PC is administrator and I haven't dealt with any user groups in a long time, plus that was on NT servers (LOOOOONG time ago). Also I am running XP Home and I may be wrong in saying this, but I don't have group policies on here as far as I know...

    Thanks again!
    ashe

  9. #9
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Good Morning Ashley,

    RootRepeal ran just fine and gave us all the info we needed: you're infected with the Max++ rootkit that's preventing you from running any security scans.

    Name: win32k.sys:1
    Image Path: C:\WINDOWS\win32k.sys:1
    Address: 0x9F085000 Size: 20480 File Visible: No Signed: -
    Status: -

    Name: win32k.sys:2
    Image Path: C:\WINDOWS\win32k.sys:2
    Address: 0xA56AD000 Size: 61440 File Visible: No Signed: -


    Make sure Win32kdiag.exe is still on your desktop

    Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

    "%userprofile%\desktop\win32kdiag.exe" -f -r
    Last edited by ken545; 2009-10-26 at 09:39.
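The two entries the analyst singles out above are driver images whose path ends in `win32k.sys:1` and `win32k.sys:2`: the trailing `:1` / `:2` is an NTFS alternate data stream attached to the real win32k.sys, which is why the file is reported as not visible on disk. The script below is an added example, not part of this thread, of RootRepeal, or of any Safer Networking tool. It parses the `Drivers` and `SSDT` sections of the report layout posted in this thread, flags any driver loaded from an alternate data stream, and counts SSDT hooks per hooking module so that a large number of hooks from one known security driver (here klif.sys) is easy to tell apart from an unknown hooker. The embedded report is a constructed sample in the same layout, with only a few of the thread's entries.

```python
"""Triage a RootRepeal report: ADS-backed drivers and SSDT hooks per module.

Added example; not part of the forum thread or of RootRepeal. The embedded
report is a constructed sample in the same layout as the one posted above.
"""
import re
from collections import Counter

# Constructed sample in the RootRepeal 1.3.5.0 layout (a few entries only).
SAMPLE_REPORT = r"""
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/10/26 03:53
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0x9EB1B000 Size: 749568 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0x9DF14000 Size: 49152 File Visible: No Signed: -
Status: -

Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0x9F085000 Size: 20480 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa8666b9c

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xa866547e

==EOF==
"""

# One driver entry: four lines, the third carrying address/size/visibility.
DRIVER_RE = re.compile(
    r"Name: (?P<name>.+)\nImage Path: (?P<path>.+)\n"
    r"Address: (?P<addr>0x[0-9A-Fa-f]+) Size: (?P<size>\d+) "
    r"File Visible: (?P<visible>\w+) Signed: (?P<signed>\S+)"
)
# One SSDT entry: index + function name, then the hooking module and address.
HOOK_RE = re.compile(
    r"#: (?P<index>\d+) Function Name: (?P<func>\w+)\n"
    r'Status: Hooked by "(?P<module>[^"]+)" at address (?P<addr>0x[0-9A-Fa-f]+)'
)


def split_sections(text):
    """Return {title: body} for each 'Title' line underlined with dashes."""
    parts = re.split(r"\n(\w[\w/ ]*)\n-{5,}\n", text)
    return {t.strip(): b for t, b in zip(parts[1::2], parts[2::2])}


def parse_report(text):
    """Parse the Drivers and SSDT sections into lists of dicts."""
    sections = split_sections(text)
    drivers = [m.groupdict() for m in DRIVER_RE.finditer(sections.get("Drivers", ""))]
    hooks = [m.groupdict() for m in HOOK_RE.finditer(sections.get("SSDT", ""))]
    for d in drivers:
        d["size"] = int(d["size"])
        d["visible"] = d["visible"].lower() == "yes"
    for h in hooks:
        h["index"] = int(h["index"])
    return {"drivers": drivers, "ssdt": hooks}


def is_ads_path(path):
    """True when the last path component names an NTFS alternate data stream
    (file.ext:stream). The drive-letter colon in 'C:' does not count."""
    last = path.replace("/", "\\").rsplit("\\", 1)[-1]
    if last == path and re.match(r"^[A-Za-z]:", last):
        last = last[2:]  # drive-relative path such as C:foo.sys
    return ":" in last


def suspicious_drivers(report):
    """Map driver name -> reasons it deserves a look. An ADS image path is the
    strong signal; 'File Visible: No' alone is weak, because crash-dump
    (dump_*) copies and the scanner's own driver are normally reported that
    way, so those names are excluded from the weak check."""
    expected_invisible = ("dump_", "rootrepeal.sys")
    flagged = {}
    for d in report["drivers"]:
        reasons = []
        if is_ads_path(d["path"]):
            reasons.append("alternate data stream")
        if not d["visible"] and not d["name"].lower().startswith(expected_invisible):
            reasons.append("file not visible")
        if reasons:
            flagged[d["name"]] = reasons
    return flagged


def hooks_by_module(report):
    """Count SSDT hooks per hooking module (file name only, lower-cased)."""
    return Counter(h["module"].rsplit("\\", 1)[-1].lower() for h in report["ssdt"])


def triage(text):
    """Parse a report and return the summary a first-pass review needs."""
    report = parse_report(text)
    return {
        "driver_count": len(report["drivers"]),
        "flagged": suspicious_drivers(report),
        "hooks": hooks_by_module(report),
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_REPORT)
    print(f"{summary['driver_count']} drivers listed")
    for name, reasons in summary["flagged"].items():
        print(f"  LOOK AT: {name} ({', '.join(reasons)})")
    for module, count in summary["hooks"].most_common():
        print(f"  {count} SSDT hook(s) by {module}")
```

Run it as-is to see the sample triaged, or pass the contents of a saved RootRepeal.txt to `triage()`. The ADS check is the part that matters for this thread: a legitimate kernel driver is never loaded from a `file:stream` path, so that single condition would have flagged both win32k.sys entries without any knowledge of the specific rootkit family. The per-module hook count is context rather than a verdict: dozens of SSDT hooks from one security product's filter driver are normal, and GMER's own caution above about false positives applies here too.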

  10. #10
    Junior Member
    Join Date
    Jul 2008
    Location
    ga
    Posts
    22

    Default Weird

    Win32kDiag.exe is clearly visible on my desktop... But when I paste that into Start-Run I get an error:

    Windows cannot find '*"C:\Documents and Settings\ashe\desktop\win32kdiag.exe"'. Make sure you typed the name correctly, and then try again.


    It is definitely there so I don't know what the deal with this is...

    Thanks again!
    I'm glad you know what I am infected with!
    ashe
