Malware Infection

R

RFAKNO

New member
I have an ACER Travelmate 2304 with Win XP SP3 installed. Three days ago I started getting a message that Windows defender couldn't run and I noticed Avira AVGuard had switched off. I ran Avira and it crashed out prior to finishing. I ran SpyBot which reported Win32.AVKillSvc.e. It attempted to fix the problem. I then ran MalwareBytes which also stopped before completion. Trying to run it again gives a message that I don't have the permissions to run it. Looking in Task Manager there is an unknown process 2627817058:2645646947.exe. I tried to stop it without success. This service is run from HKLM\System\CurrentControlSet\Services\624ea19c. I've tried deleting this entry and deleting the file c:\windows\02627817058 & rebooting without success. I've tried running DDS, in both Normal & Safe Windows and it crashes after the 52nd #.

Any help would be most appreciated.

Regards

Roy
 
Hello and welcome to Safer Networking.

I am currently assessing your situation and will be back with a fix for your problem as soon as possible.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this, click Thread Tools, then click Subscribe to this Thread. Under the Notification Type: title, make sure it is set to Instant notification by email, then click Add Subscription.

Please be patient with me during this time.

Meanwhile, please make a reply to this topic to acknowledge that you have read this and is still with me to tackle the problem until the end. If I do not get any response within 3 days, this topic will be closed.
 
Hi Jack&Jill,

Thanks for the response. I still have the problem!

The laptop has not been connected to the internet since the first sign of infection. DDS was transferred to the desktop via a CD. Does DDS require internet access to complete. If so, this could be the reason that it fails on the 52nd hash. I've tried both dds.com and dds.scr

I read somewhere on the forum that inherit.com would enable the me to run programs again. I've tried this but Avira and Malwarebytes still cease the scan before completion. By watching the progress it looks like it's scanning files in windows\system32\ when the scan window closes.

Spybot did run a scan to completion and reported a Win32.AVKillSvc.e virus in file c:\windows\temp\{E9C1E0AC-C9B2-4c85-94DE-9C1518918D02}. Searching the drive other copies were found in

1. c:\Documents and Settings\RoyK\LocalSettings\Temp (my usarname in Normal mode)

2. c:\Documents and Settings\Administrator\LocalSettings\Temp

3. c:\Documents and Settings\Admin\LocalSettings\Temp (account I set up to see if virus was user specific)

4. c:\Documents and Settings\LocalService\LocalSettings\Temp

5. c:\Documents and Settings\NetworkService\LocalSettings\Temp

All but the NetworkService path could be deleted in Windows Explorer. Before I contacted you I tried NTFS4DOS and manually deleted all the {E9C1... files as well as the c:\windows\02627817058 but on rebooting the files reappear.

Hope you can help me..

Thanks

Roy
 
Hello RFAKNO :),

Welcome to Safer Networking. I am Jack&Jill, and I will be helping you out.

Before we go further, there are a few things that I would like to make clear so that we are share the same understanding.
  • Please observe and follow these Forum Rules.
  • Any advice is for your computer only and is taken at your own risk. Fixes sometimes will cause unexpected results, but I will do my best to assist you.
  • Please read the instructions carefully and follow them closely, in the order they are presented to you.
  • If you have any doubts or problems during the fix, please stop and ask.
  • All the tools that I will ask you to download and use are safe. Please allow if prompted by any of your security softwares.
  • Do not use or run any malware cleaning tools without supervision as they may cause more harm if improperly used.
  • Refrain from installing any new programs except those that I request during the fix to prevent interference to my diagnosis of the problem.
  • Lack of malware symptoms does not mean your computer is clean. Stick to this topic until I give the All Clear.
  • If you do not reply within 3 days, this topic will be closed.
If you are agreeable to the above, then everything should go smoothly :) . We may begin.

--------------------

Scan with RogueKiller
  • Please download RogueKiller© by Tigzy from one of the links below and save it to your desktop.
    Link 1
    Link 2
  • Allow the download if prompted by your security software and please close all your programs.
  • Double click on RogueKiller.exe to run it. If it does not run, please try a few times.
  • A program window will open. Type 1 for Scan and press Enter when prompted.
  • Once finished, Notepad will open with a log called RKreport.txt, located at the desktop.
  • Please copy and paste the contents of that log in your next reply.

--------------------

Please download aswMBR and save it to your desktop. Click here.
  • Please disable your real time protection of any Antivirus, Antispyware or Antimalware programs temporarily. They will interfere and may cause unexpected results.
  • If you need help to disable your protection programs see here and here.
  • Double click the aswMBR.exe file to run it. If you are asked to download an antivirus software, please allow.
  • Click on the Scan button to start. The program will launch a scan.
  • When done, you will see Scan finished successfully. Please click on Save log and save the file to your desktop.
  • Please post the contents of the log in your next reply.

--------------------

Please post back:
1. the RogueKiller log
2. aswMBR log
 
Last edited:
Hi Jack&Jill,

Thanks again for your help.

Rogukiller ran successfully and the log is attached below. aswMBR downloaded Avast and started scanning. After about 17 seconds the scan window showed File: C:\Windows\system32\drivers\redbook.sys **INFECTED** win32:Alureon-AJI [Rtk]. About 0.5 seconds after this the scan window disappeared.

Regards

Roy

RogueKiller V6.1.0 [09/22/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-toile.com/discussion-193725-1-BRogueKillerD-Remontees.html

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: RoyK [Admin rights]
Mode: Scan -- Date : 09/23/2011 12:32:40

Bad processes: 3
[SUSP PATH] 2627817058:2645646947.exe -- c:\windows\2627817058:2645646947.exe -> KILLED [TermProc]
[SUSP PATH] vsnphv71.exe -- c:\windows\vsnphv71.exe -> KILLED [TermProc]
[RESIDUE] 2627817058:2645646947.exe -- c:\windows\2627817058:2645646947.exe -> KILLED [TermProc]

Registry Entries: 2
[SUSP PATH] HKLM\[...]\Run : SNPHV71 (C:\WINDOWS\vsnphv71.exe) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

Particular Files / Folders:

Driver: [LOADED]
SSDT[258] : NtTerminateThread @ 0x80577F1F -> HOOKED (\??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys @ 0xEE492E9E)
SSDT[257] : NtTerminateProcess @ 0x805839B9 -> HOOKED (\??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys @ 0xEE492E56)
SSDT[254] : NtSuspendThread @ 0x805E05AB -> HOOKED (\??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys @ 0xEE492F02)
SSDT[247] : NtSetValueKey @ 0x8057BC5B -> HOOKED (Unknown @ 0xF7C6B488)
SSDT[224] : NtSetInformationFile @ 0x8057C641 -> HOOKED (\??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys @ 0xEE493C40)
SSDT[213] : NtSetContextThread @ 0x8062E33F -> HOOKED (\??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys @ 0xEE492F66)
SSDT[204] : NtRestoreKey @ 0x8064FA19 -> HOOKED (Unknown @ 0xF7C6B497)
SSDT[193] : NtReplaceKey @ 0x8064FE82 -> HOOKED (Unknown @ 0xF7C6B49C)
SSDT[192] : NtRenameKey @ 0x8064F526 -> HOOKED (\??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys @ 0xEE4972F0)
SSDT[177] : NtQueryValueKey @ 0x8056A419 -> HOOKED (\??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys @ 0xEE497386)
SSDT[137] : NtProtectVirtualMemory @ 0x80574E58 -> HOOKED (\??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys @ 0xEE493428)
SSDT[128] : NtOpenThread @ 0x8059323B -> HOOKED (Unknown @ 0xF7C6B465)
SSDT[122] : NtOpenProcess @ 0x80574AA9 -> HOOKED (Unknown @ 0xF7C6B460)
SSDT[116] : NtOpenFile @ 0x8056F7FF -> HOOKED (\??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys @ 0xEE493B2C)
SSDT[98] : NtLoadKey @ 0x805AF5C3 -> HOOKED (Unknown @ 0xF7C6B492)
SSDT[65] : NtDeleteValueKey @ 0x80595C1A -> HOOKED (Unknown @ 0xF7C6B48D)
SSDT[63] : NtDeleteKey @ 0x80597FFA -> HOOKED (Unknown @ 0xF7C6B483)
SSDT[62] : NtDeleteFile @ 0x805D7A13 -> HOOKED (\??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys @ 0xEE493BD4)
SSDT[53] : NtCreateThread @ 0x80578803 -> HOOKED (Unknown @ 0xF7C6B474)
SSDT[41] : NtCreateKey @ 0x8057376F -> HOOKED (Unknown @ 0xF7C6B47E)
SSDT[37] : NtCreateFile @ 0x8056F864 -> HOOKED (\??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys @ 0xEE493A56)
SSDT[19] : NtAssignProcessToJobObject @ 0x805A2C27 -> HOOKED (\??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys @ 0xEE492FC0)
S_SSDT[483] : Unknown -> HOOKED (\??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys @ 0xEE493F74)
S_SSDT[477] : Unknown -> HOOKED (\??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys @ 0xEE4997E2)
S_SSDT[378] : Unknown -> HOOKED (\??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys @ 0xEE494000)
S_SSDT[298] : Unknown -> HOOKED (\??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys @ 0xEE49976A)
S_SSDT[292] : Unknown -> HOOKED (\??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys @ 0xEE499686)
S_SSDT[237] : Unknown -> HOOKED (\??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys @ 0xEE49972E)
S_SSDT[227] : Unknown -> HOOKED (\??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys @ 0xEE4996E0)
S_SSDT[191] : Unknown -> HOOKED (\??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys @ 0xEE499654)
S_SSDT[13] : Unknown -> HOOKED (\??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys @ 0xEE499606)
S_SSDT[7] : Unknown -> HOOKED (\??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys @ 0xEE4997A6)

HOSTS File:
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.0scan.com
127.0.0.1 0scan.com
127.0.0.1 www.1000gratisproben.com
127.0.0.1 1000gratisproben.com
127.0.0.1 www.1001namen.com
127.0.0.1 1001namen.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100888290cs.com
127.0.0.1 100sexlinks.com
127.0.0.1 www.100sexlinks.com
[...]


Finished : << RKreport[1].txt >>
RKreport[1].txt
 
Hello RFAKNO :),

I take it you have Spybot's Teatimer active.

We need to disable Spybot S&D's Teatimer real-time protection temporarily as it will interfere with the fix. Please minimize going online when your security softwares are disabled or not active.

First step:
  • Right click the Spybot icon that looks like a blue/white calendar with a padlock symbol in the System Tray (lower right corner where the clock is situated).
  • For version 1.6, the steps are similar to either one of the below.
  • If you have version 1.5, click once on Resident Protection, then right click the Spybot icon again and make sure Resident Protection is now unchecked (unticked). The Spybot icon should now be colorless.
  • If you have Version 1.4, click on Exit Spybot S&D Resident.
Second step, for either version:
  • Open Spybot S&D.
  • Click Mode, choose Advanced Mode.
  • Go to the bottom of the vertical panel on the left, click Tools.
  • Then, also in left panel, click on Resident that shows a red/white shield.
  • If your firewall raises a question, say OK.
  • In the Resident protection status frame, uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active.
  • OK any prompts.
  • Exit Spybot S&D and reboot your machine for the changes to take effect.
Remember to enable it after the fix.

--------------------

RogueKiller in action
  • Please rerun RogueKiller.
  • At the prompt,
    type 2 for Remove and press Enter.
  • Try a few times if it does not run.
  • Post back the new result.

--------------------

I want you to update MBAM and run a scan.
  • Open MBAM and click on the Update tab, then Check for Updates.
  • When completed, go to back to the Scanner tab and select Perform full scan. Click Scan.
  • Leave the default options as it is and click on Start Scan.
  • If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process.
  • When done, you will be prompted. Click OK, then click on Show Results.
  • Check (tick) all items except items in the C:\System Volume Information folder and click on Remove Selected.
  • After it has removed the items, a log in Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom most log is the latest.

If asked to restart the computer, please do so. Failure to reboot will prevent MBAM from removing all the malware. If you receive an (Error Loading) error on reboot, please reboot a second time . It is normal for this error to occur once and does not need to be reported unless it returns on future reboots.

--------------------

Please run aswMBR again.
  • Double click the aswMBR.exe file to run it. If you are asked to download an antivirus software, please allow.
  • Click on the Scan button to start. The program will launch a scan.
  • When done, you will see Scan finished successfully. Please click on Save log and save the file to your desktop.
  • Please post the contents of the log in your next reply.

--------------------

Please post back:
1. RogueKiller result
2. MBAM report
3. aswMBR log
 
Hi Jack&Jill,

Spybot Teatimer was/is not active, Avira has the closed umbrella in the system tray and I've checked MalwareBytes and Protection is disabled.

I've re-run RogueKiller with option 2 and the report is below.

MBAM updated but still failed to run a scan to completion.

MBAM protection was switched off again and I re-run aswMBR. It still reported the same infection in my earlier entry but this time got as far as starting to scan services before the window closed without completion.

RogueKiller V6.1.0 [09/22/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-toile.com/discussion-193725-1-BRogueKillerD-Remontees.html

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: RoyK [Admin rights]
Mode: Remove -- Date : 09/23/2011 17:13:04

Bad processes: 3
[SUSP PATH] 2627817058:2645646947.exe -- c:\windows\2627817058:2645646947.exe -> KILLED [TermProc]
[SUSP PATH] vsnphv71.exe -- c:\windows\vsnphv71.exe -> KILLED [TermProc]
[RESIDUE] 2627817058:2645646947.exe -- c:\windows\2627817058:2645646947.exe -> KILLED [TermProc]

Registry Entries: 2
[SUSP PATH] HKLM\[...]\Run : SNPHV71 (C:\WINDOWS\vsnphv71.exe) -> DELETED
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

Particular Files / Folders:

Driver: [LOADED]
SSDT[258] : NtTerminateThread @ 0x80577F1F -> HOOKED (\??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys @ 0xEE4E0E9E)
SSDT[257] : NtTerminateProcess @ 0x805839B9 -> HOOKED (\??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys @ 0xEE4E0E56)
SSDT[254] : NtSuspendThread @ 0x805E05AB -> HOOKED (\??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys @ 0xEE4E0F02)
SSDT[247] : NtSetValueKey @ 0x8057BC5B -> HOOKED (Unknown @ 0xF7CD83E8)
SSDT[224] : NtSetInformationFile @ 0x8057C641 -> HOOKED (\??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys @ 0xEE4E1C40)
SSDT[213] : NtSetContextThread @ 0x8062E33F -> HOOKED (\??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys @ 0xEE4E0F66)
SSDT[204] : NtRestoreKey @ 0x8064FA19 -> HOOKED (Unknown @ 0xF7CD83F7)
SSDT[193] : NtReplaceKey @ 0x8064FE82 -> HOOKED (Unknown @ 0xF7CD83FC)
SSDT[192] : NtRenameKey @ 0x8064F526 -> HOOKED (\??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys @ 0xEE4E52F0)
SSDT[177] : NtQueryValueKey @ 0x8056A419 -> HOOKED (\??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys @ 0xEE4E5386)
SSDT[137] : NtProtectVirtualMemory @ 0x80574E58 -> HOOKED (\??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys @ 0xEE4E1428)
SSDT[128] : NtOpenThread @ 0x8059323B -> HOOKED (Unknown @ 0xF7CD83C5)
SSDT[122] : NtOpenProcess @ 0x80574AA9 -> HOOKED (Unknown @ 0xF7CD83C0)
SSDT[116] : NtOpenFile @ 0x8056F7FF -> HOOKED (\??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys @ 0xEE4E1B2C)
SSDT[98] : NtLoadKey @ 0x805AF5C3 -> HOOKED (Unknown @ 0xF7CD83F2)
SSDT[65] : NtDeleteValueKey @ 0x80595C1A -> HOOKED (Unknown @ 0xF7CD83ED)
SSDT[63] : NtDeleteKey @ 0x80597FFA -> HOOKED (Unknown @ 0xF7CD83E3)
SSDT[62] : NtDeleteFile @ 0x805D7A13 -> HOOKED (\??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys @ 0xEE4E1BD4)
SSDT[53] : NtCreateThread @ 0x80578803 -> HOOKED (Unknown @ 0xF7CD83D4)
SSDT[41] : NtCreateKey @ 0x8057376F -> HOOKED (Unknown @ 0xF7CD83DE)
SSDT[37] : NtCreateFile @ 0x8056F864 -> HOOKED (\??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys @ 0xEE4E1A56)
SSDT[19] : NtAssignProcessToJobObject @ 0x805A2C27 -> HOOKED (\??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys @ 0xEE4E0FC0)
S_SSDT[483] : Unknown -> HOOKED (\??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys @ 0xEE4E1F74)
S_SSDT[477] : Unknown -> HOOKED (\??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys @ 0xEE4E77E2)
S_SSDT[378] : Unknown -> HOOKED (\??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys @ 0xEE4E2000)
S_SSDT[298] : Unknown -> HOOKED (\??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys @ 0xEE4E776A)
S_SSDT[292] : Unknown -> HOOKED (\??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys @ 0xEE4E7686)
S_SSDT[237] : Unknown -> HOOKED (\??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys @ 0xEE4E772E)
S_SSDT[227] : Unknown -> HOOKED (\??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys @ 0xEE4E76E0)
S_SSDT[191] : Unknown -> HOOKED (\??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys @ 0xEE4E7654)
S_SSDT[13] : Unknown -> HOOKED (\??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys @ 0xEE4E7606)
S_SSDT[7] : Unknown -> HOOKED (\??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys @ 0xEE4E77A6)

HOSTS File:
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.0scan.com
127.0.0.1 0scan.com
127.0.0.1 www.1000gratisproben.com
127.0.0.1 1000gratisproben.com
127.0.0.1 www.1001namen.com
127.0.0.1 1001namen.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100888290cs.com
127.0.0.1 100sexlinks.com
127.0.0.1 www.100sexlinks.com
[...]


Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt



Regards

Roy
 
Hello RFAKNO :),

Please download ComboFix from one of the links below and save it to your desktop.

Link 1
Link 2

Do not mouse click on ComboFix while it is running. That may cause it to stall. ComboFix is a powerful tool and must not be used without supervision.

Install Recovery Console and run ComboFix
  • Please disable your real time protection of any Antivirus, Antispyware or Antimalware programs temporarily when running ComboFix. They will interfere and may cause unexpected results.
  • If you need help to disable your protection programs see here and here.
  • Double click on ComboFix.exe and follow the prompts. Please run it in Normal Mode.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. You will be asked to install it if it is not present in your computer. Click Yes to proceed.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    Note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, click on Yes to continue scanning for malware.
  • When finished, a log will be produced as C:\ComboFix.txt. Please post this log in your next reply.
  • If you lose Internet connection after running ComboFix, right click on the network icon at the system tray and select Repair, or you can reboot the computer.
  • Enable back your security softwares as soon as you completed the ComboFix steps.

A detailed step by step tutorial to run ComboFix can be found here if you need help.

--------------------

Please post back:
1. ComboFix log
 
Hi Jack&Jill,

Thanks again for helping.

Downloaded Combofix to the desktop. It ran and I clicked on unblock for combofix. It backed up the registry, downloaded Recovery Console and installed it.

I clicked on Yes to continue the scan and after about 3 minutes a warning came up that it was infected with RootKitZeroAccess. I clicked on OK and the system hung. The combofix window and desktop were still visible but the system did not respond to either keyboard or mouse. I had to power down. Needless to say there was no log to post.

Regards

Roy
 
Hi Jack&Jill,

After my last post I noticed that the service 2627817058:2645646947.exe is no longer running. I tried running Combofix again but and now the window closes after file extraction and afterwards I noticed that a service sched.exe is consuming large amounts of CPU time.

I also tried to run aswMBR again with success... the log is below.

Hope this helps to narrow down the problem(s)

Again thanks

Roy

aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-09-24 20:59:32
-----------------------------
20:59:32.586 OS Version: Windows 5.1.2600 Service Pack 3
20:59:32.586 Number of processors: 1 586 0xD06
20:59:32.586 ComputerName: ROYK-LAPTOP UserName: RoyK
20:59:39.957 Initialize success
21:11:36.767 AVAST engine defs: 11092401
21:11:46.451 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
21:11:46.451 Disk 0 Vendor: IC25N060ATMR04-0 MO3OAD4A Size: 57231MB BusType: 3
21:11:48.484 Disk 0 MBR read successfully
21:11:48.484 Disk 0 MBR scan
21:11:48.614 Disk 0 Windows XP default MBR code
21:11:48.624 Disk 0 scanning sectors +117210240
21:11:49.015 Disk 0 scanning C:\WINDOWS\system32\drivers
21:12:07.111 File: C:\WINDOWS\system32\drivers\redbook.sys **INFECTED** Win32:Alureon-AJI [Rtk]
21:12:12.889 Service scanning
21:12:14.651 Modules scanning
21:12:23.925 Disk 0 trace - called modules:
21:12:23.945 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS BlackBox.sys tcpip.sys
21:12:23.945 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86f2bab8]
21:12:24.355 3 CLASSPNP.SYS[f76a3fd7] -> nt!IofCallDriver -> \Device\0000008f[0x86f429e8]
21:12:24.365 5 ACPI.sys[f75ea620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x86f41940]
21:12:24.786 AVAST engine scan C:\WINDOWS
21:12:41.801 File: C:\WINDOWS\V26278:2645646947.exe **INFECTED** Win32:Tiny-AMB [Rtk]
21:12:43.894 AVAST engine scan C:\WINDOWS\system32
21:16:08.828 File: C:\WINDOWS\system32\wuauclt.exe **INFECTED** Win32:Patched-WQ [Trj]
21:16:17.300 AVAST engine scan C:\WINDOWS\system32\drivers
21:16:34.675 File: C:\WINDOWS\system32\drivers\redbook.sys **INFECTED** Win32:Alureon-AJI [Rtk]
21:16:42.547 AVAST engine scan C:\Documents and Settings\RoyK
21:23:08.191 AVAST engine scan C:\Documents and Settings\All Users
21:25:04.529 Scan finished successfully
21:26:28.059 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\RoyK\Desktop\MBR.dat"
21:26:28.079 The log file has been saved successfully to "C:\Documents and Settings\RoyK\Desktop\aswMBR.txt"
 
Hello RFAKNO :),

Your computer has/had some serious infections with rootkit/backdoor capabilities.
Sorry for the bad news. Backdoors provide outsiders full access to your computer, enabling them to record key strokes, steal passwords, spread malwares, and even using it for other illegal activities.

If your computer has been used for important or sensitive data such as online banking, shopping or any other financial transactions, I strongly recommend you to do the following:
  • Disconnect from the Internet and any network immediately.
  • Inform your financial institutions that you may be a victim of identity theft and to put a watch on all your accounts or change them.
  • Change all your online passwords from a clean computer.
  • Take any other steps that you may think is necessary to prevent financial distress due to identity theft.

Due to the backdoor functionality, your computer is compromised and can no longer be fully trusted. Many experts in the security community believe that once tainted with this type of infections, the best course of action would be a reformat and reinstall of the OS. I too strongly recommend you to format your computer. We can still attempt to clean it if you wish, but due to the severity of the infections, I cannot guarantee it will be safe or clean afterwards. It is up to you to decide. Please let me know which course of action you wish to take.

Here are some read to help you decide:
How to respond to possible ID theft and Internet fraud
When should I reformat?

--------------------

If you like to proceed, please continue below.

Please delete the ComboFix copy that you have and download a new copy. Save it as RFAKNOcf.exe to the desktop, then try running it. If it does not work, please move it to C:\ and try running from there.

Try DDS again too and post back its logs.

--------------------

Please post back:
1. how do you want to proceed
2. if you want to continue, the ComboFix log
3. DDS logs (DDS.txt and Attach.txt)
 
Hi Jack&Jill,

Bad news indeed. The problem is it's a laptop with preinstalled software that I no longer (if ever) have the Windows CD. Consequently I would like to continue with the attempt to clean.

I've tried running Combofix as per your instructions but it always hangs the system about 2-3 minutes after the scan starts. Similarly DDS still hangs the system (with the same symptons as Combofix) at the 52nd #.

Regards

Roy
 
Hello RFAKNO :),

Please download SystemLook© by jpshortstuff from one of the links below and save it to your desktop.

Link 1 - 32-bit version
Link 2 - 32-bit version

  • Double click on SystemLook.exe to run it.
  • Copy and paste the following text into the main textfield:
    Code: 
    :filefind 
redbook.*
wuauclt.*
  • Click the Look button to start the scan. This might take a while.
  • When finished, a Notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found at on your desktop as SystemLook.txt.

--------------------

Run ComboFix via command line
  • Go to Start > Run.... Copy and paste the following text into the white box:
    Code: 
    RFAKNOcf.exe /nombr
  • Click OK.

ComboFix will now run a scan. If it still hangs, please let me know.

--------------------

Please post back:
1. SystemLook result
2. ComboFix log
 
Hi Jack&Jill,

Since my last post I've done some more research and found the hidden partition on the hard drive containing the original setup.

In view of your earlier recommendation I have decided to reformat.

One concern I have remaining is how the infection occurred. I'm very cautious about what I do and have always had Avira running. How did it get past Avira? Is Avira OK or should I adopt Avast or could you recommend another.

Your thoughts would be appreciated.

Thanks for your help.

Regards

Roy
 
Hello RFAKNO :),

A good decision. I would have done so myself.

One concern I have remaining is how the infection occurred. I'm very cautious about what I do and have always had Avira running. How did it get past Avira? Is Avira OK or should I adopt Avast or could you recommend another.
Click to expand...
Nowadays, malware is so advanced that any vulnerabilities will be exploited.

As for the details, please take a look at the articles after the security recommendations below. These recommendations will help you configure your computer after reformat to be in a better shape to stand against any infection attempts.

--------------------

Some tips to help you stay clean and safe:

1. Keep your Windows up to date. Enable Automatic Updates for Windows XP to always update the latest security patches from Microsoft, or you can download from the Microsoft website. Otherwise, your computer will be vulnerable to new exploits or malwares.

2. Update your Antivirus program regularly, it is a must for constant protection against viruses. If you do not have one, Microsoft Security Essentials and Avast are some great and free antivirus programs that you can try. For paid versions, Avast, ESET NOD32 and Kaspersky are some good options. Please keep only one AV installed.

3. Install Malwarebytes' Anti-Malware if you haven't and use it occasionally. It is a new and powerful anti-malware tool, totally free but for real-time protection you will have to pay a small one-time fee.

4. Install WinPatrol, a great protection program that helps you monitor for unwanted files or applications.

5. Use a hosts file to block the access of bad sites from your computer. Get yourself a MVPS Hosts for this purpose.

6. Install Web of Trust (WOT). WOT keeps you from dangerous websites with warnings and blockings.

7. Protect your computer from removable or USB drive infections with MCShield, an effective method to prevent malware from spreading.

8. Keep all your softwares updated. Visit Secunia Software Inspector to find out if any updates required.

9. Install a third party firewall if you do not have one for additional defense against internet dangers. Built-in Windows firewall can only keep nasties from breaking in, but unable to protect against any malwares from sending information out. Some recommended firewalls are Online Armor, Outpost and PC Tools. More information on firewalls. Please keep only one FW installed.

10. Also look up:
Computer Security - a short guide to staying safer online
PC Safety and Security - What Do I Need? By Glaswegian
How to prevent malware: By miekiemoes
So how did I get infected in the first place? By Tony Klein
Microsoft Online Safety

Stay safe.

Your donation helps in improving Spybot-S&D!
 
Hello RFAKNO :),

You are most welcome. I will keep this topic open for another day in case you have any questions.
 
You must log in or register to reply here.
Back
Top