Nasty infestation. No Anti Virus will run. (Inactive)

_nicademas

New member
Hello!

I usually can take care of these myself, but this one is wicked. It lets me run any anti-virus software for a few moments then shuts them down and changes the permissions, whereby I cannot access them thereafter. I can't run HiJackThis, or anything else. Same scenario in Safe Mode. Running Win XP.

I was able to run GMER for a while, and it detected something, but ultimately failed when checking the Windows directory. Attached is what it was able to gather before it failed. Please help... desperate here.

Thanks!

GMER 1.0.15.15011 [9gnv3ms9.exe] - http://www.gmer.net
Rootkit scan 2009-08-06 21:52:49
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\drivers\aba3d60a.sys ZwCreateEvent [0xF76517AD]
SSDT \SystemRoot\System32\drivers\aba3d60a.sys ZwCreateKey [0xF764F885]
SSDT spoz.sys ZwEnumerateKey [0xF72A5CA2]
SSDT spoz.sys ZwEnumerateValueKey [0xF72A6030]
SSDT \SystemRoot\System32\drivers\aba3d60a.sys ZwOpenKey [0xF764F945]
SSDT spoz.sys ZwQueryKey [0xF72A6108]
SSDT spoz.sys ZwQueryValueKey [0xF72A5F88]
SSDT spoz.sys ZwSetValueKey [0xF72A619A]

INT 0x62 ? 89D97BF8
INT 0x63 ? 89B04BF8
INT 0x63 ? 89B04BF8
INT 0x63 ? 89B04BF8
INT 0x63 ? 89B04BF8
INT 0x82 ? 89D97BF8

---- Kernel code sections - GMER 1.0.15 ----

? spoz.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload F69758AC 5 Bytes JMP 89B041D8
? C:\WINDOWS\System32\drivers\aba3d60a.sys The system cannot find the file specified.
? win32k.sys:1 The system cannot find the file specified. !
? win32k.sys:2 The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.exe[180] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DDC \\?\globalroot\Device\__max++>\C740D2E4.x86.dll
.text C:\WINDOWS\Explorer.exe[180] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DF8 \\?\globalroot\Device\__max++>\C740D2E4.x86.dll
.text C:\WINDOWS\Explorer.exe[180] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672DB0 \\?\globalroot\Device\__max++>\C740D2E4.x86.dll
.text C:\Program Files\iTunes\iTunesHelper.exe[944] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672DB0 \\?\globalroot\Device\__max++>\C740D2E4.x86.dll
.text C:\Program Files\iTunes\iTunesHelper.exe[944] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DDC \\?\globalroot\Device\__max++>\C740D2E4.x86.dll
.text C:\Program Files\iTunes\iTunesHelper.exe[944] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DF8 \\?\globalroot\Device\__max++>\C740D2E4.x86.dll
.text C:\WINDOWS\System32\svchost.exe[1148] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672DB0 \\?\globalroot\Device\__max++>\C740D2E4.x86.dll
.text C:\WINDOWS\System32\svchost.exe[1148] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DDC \\?\globalroot\Device\__max++>\C740D2E4.x86.dll
.text C:\WINDOWS\System32\svchost.exe[1148] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DF8 \\?\globalroot\Device\__max++>\C740D2E4.x86.dll
.text C:\WINDOWS\system32\svchost.exe[1916] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672DB0 \\?\globalroot\Device\__max++>\C740D2E4.x86.dll
.text C:\WINDOWS\system32\svchost.exe[1916] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DDC \\?\globalroot\Device\__max++>\C740D2E4.x86.dll
.text C:\WINDOWS\system32\svchost.exe[1916] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DF8 \\?\globalroot\Device\__max++>\C740D2E4.x86.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[1944] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DDC \\?\globalroot\Device\__max++>\C740D2E4.x86.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[1944] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DF8 \\?\globalroot\Device\__max++>\C740D2E4.x86.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[1944] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672DB0 \\?\globalroot\Device\__max++>\C740D2E4.x86.dll

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F7288040] spoz.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F728813C] spoz.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F72880BE] spoz.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F72887FC] spoz.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F72886D2] spoz.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F7298048] spoz.sys

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\Explorer.exe[180] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672AAE] \\?\globalroot\Device\__max++>\C740D2E4.x86.dll
IAT C:\WINDOWS\Explorer.exe[180] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A38] \\?\globalroot\Device\__max++>\C740D2E4.x86.dll
IAT C:\Program Files\iTunes\iTunesHelper.exe[944] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672AAE] \\?\globalroot\Device\__max++>\C740D2E4.x86.dll
IAT C:\Program Files\iTunes\iTunesHelper.exe[944] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A38] \\?\globalroot\Device\__max++>\C740D2E4.x86.dll
IAT C:\WINDOWS\System32\svchost.exe[1148] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672AAE] \\?\globalroot\Device\__max++>\C740D2E4.x86.dll
IAT C:\WINDOWS\System32\svchost.exe[1148] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A38] \\?\globalroot\Device\__max++>\C740D2E4.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[1916] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672AAE] \\?\globalroot\Device\__max++>\C740D2E4.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[1916] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A38] \\?\globalroot\Device\__max++>\C740D2E4.x86.dll
IAT C:\Program Files\Mozilla Firefox\firefox.exe[1944] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672AAE] \\?\globalroot\Device\__max++>\C740D2E4.x86.dll
IAT C:\Program Files\Mozilla Firefox\firefox.exe[1944] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A38] \\?\globalroot\Device\__max++>\C740D2E4.x86.dll

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aba3d60a.sys
Device \FileSystem\Ntfs \Ntfs 89D961F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{CE2F6F90-17FF-4283-ACEC-64F3D76821CF} 898FA500
Device \Driver\Tcpip \Device\Ip aba3d60a.sys

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Company)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Company)

Device \Driver\usbohci \Device\USBPDO-0 89B9B1F8
Device \Driver\usbohci \Device\USBPDO-1 89B9B1F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 89D2B1F8
Device \Driver\dmio \Device\DmControl\DmConfig 89D2B1F8
Device \Driver\dmio \Device\DmControl\DmPnP 89D2B1F8
Device \Driver\dmio \Device\DmControl\DmInfo 89D2B1F8
Device \Driver\usbehci \Device\USBPDO-2 89AF81F8
Device \Driver\Tcpip \Device\Tcp aba3d60a.sys
Device \Driver\Ftdisk \Device\HarddiskVolume1 89D981F8
Device \Driver\Cdrom \Device\CdRom0 89AF41F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 898FA500
Device \Driver\NetBT \Device\NetbiosSmb 898FA500
Device \Driver\Tcpip \Device\Udp aba3d60a.sys
Device \Driver\Tcpip \Device\RawIp aba3d60a.sys
Device \Driver\usbohci \Device\USBFDO-0 89B9B1F8
Device \Driver\usbohci \Device\USBFDO-1 89B9B1F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 898F3500
Device \Driver\usbehci \Device\USBFDO-2 89AF81F8
Device \Driver\Tcpip \Device\IPMULTICAST aba3d60a.sys
Device \FileSystem\MRxSmb \Device\LanmanRedirector 898F3500
Device \Driver\Ftdisk \Device\FtControl 89D981F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{287FE9F3-6724-4EFB-9965-F900D8BC2F37} 898FA500
Device \FileSystem\Cdfs \Cdfs 899A5500
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\Device\__max++>\C740D2E4.x86.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.exe [180] 0x35670000
Library \\?\globalroot\Device\__max++>\C740D2E4.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\services.exe [812] 0x35670000
Library \\?\globalroot\Device\__max++>\C740D2E4.x86.dll (*** hidden *** ) @ C:\Program Files\iTunes\iTunesHelper.exe [944] 0x35670000
Library \\?\globalroot\Device\__max++>\C740D2E4.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1088] 0x35670000
Library \\?\globalroot\Device\__max++>\C740D2E4.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1148] 0x35670000
Library \\?\globalroot\Device\__max++>\C740D2E4.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1252] 0x35670000
Library \\?\globalroot\Device\__max++>\C740D2E4.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1332] 0x35670000
Library \\?\globalroot\Device\__max++>\C740D2E4.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [1608] 0x35670000
Library \\?\globalroot\Device\__max++>\C740D2E4.x86.dll (*** hidden *** ) @ C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [1652] 0x35670000
Library \\?\globalroot\Device\__max++>\C740D2E4.x86.dll (*** hidden *** ) @ C:\Program Files\Bonjour\mDNSResponder.exe [1680] 0x35670000
Library \\?\globalroot\Device\__max++>\C740D2E4.x86.dll (*** hidden *** ) @ C:\pmta\gmsmux\wrapper.exe [1868] 0x35670000
Library \\?\globalroot\Device\__max++>\C740D2E4.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1916] 0x35670000
Library \\?\globalroot\Device\__max++>\C740D2E4.x86.dll (*** hidden *** ) @ C:\Program Files\Mozilla Firefox\firefox.exe [1944] 0x35670000
Library \\?\globalroot\Device\__max++>\C740D2E4.x86.dll (*** hidden *** ) @ C:\Program Files\Java\jre6\bin\jqs.exe [1960] 0x35670000
Library \\?\globalroot\Device\__max++>\C740D2E4.x86.dll (*** hidden *** ) @ C:\pmta\jre\bin\java.exe [1976] 0x35670000
Library \\?\globalroot\Device\__max++>\C740D2E4.x86.dll (*** hidden *** ) @ C:\pmta\bin\pmtad.exe [2068] 0x35670000
Library \\?\globalroot\Device\__max++>\C740D2E4.x86.dll (*** hidden *** ) @ c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe [2096] 0x35670000
Library \\?\globalroot\Device\__max++>\C740D2E4.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [4056] 0x35670000

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\System32\drivers\aba3d60a.sys (*** hidden *** ) [SYSTEM] aba3d60a <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\aba3d60a@ImagePath \SystemRoot\System32\drivers\aba3d60a.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\aba3d60a@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\aba3d60a@Start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\aba3d60a@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\aba3d60a@F96ZK6nPB MmF1Y3Rpb25ydS51cw==
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xF9 0x70 0xCD 0xED ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x6C 0xAD 0xF3 0xB1 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x00 0xFF 0xF7 0x0B ...
Reg HKLM\SYSTEM\ControlSet003\Services\aba3d60a@ImagePath \SystemRoot\System32\drivers\aba3d60a.sys
Reg HKLM\SYSTEM\ControlSet003\Services\aba3d60a@Type 1
Reg HKLM\SYSTEM\ControlSet003\Services\aba3d60a@Start 1
Reg HKLM\SYSTEM\ControlSet003\Services\aba3d60a@ErrorControl 1
Reg HKLM\SYSTEM\ControlSet003\Services\aba3d60a@F96ZK6nPB MmF1Y3Rpb25ydS51cw==
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xF9 0x70 0xCD 0xED ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x6C 0xAD 0xF3 0xB1 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x00 0xFF 0xF7 0x0B ...
Reg HKLM\SOFTWARE\Classes\CLSID\{68dfd01c-5335-451f-9db8-dcde4b93fef7}@Model 121
Reg HKLM\SOFTWARE\Classes\CLSID\{68dfd01c-5335-451f-9db8-dcde4b93fef7}@Therad 26
Reg HKLM\SOFTWARE\Classes\CLSID\{68dfd01c-5335-451f-9db8-dcde4b93fef7}@MData 0x30 0x61 0x3C 0x66 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}@scansk 0x3F 0x3E 0xD0 0x15 ...

---- Files - GMER 1.0.15 ----

ADS C:\System Volume Information\_restore{05FF69C1-A6C1-40DB-877E-B8276DC71785}\RP195\A0027083.sys:1 8192 bytes executable
ADS C:\System Volume Information\_restore{05FF69C1-A6C1-40DB-877E-B8276DC71785}\RP195\A0027088.sys:1 8192 bytes executable
ADS C:\System Volume Information\_restore{05FF69C1-A6C1-40DB-877E-B8276DC71785}\RP195\A0027187.sys:1 8192 bytes executable
ADS C:\System Volume Information\_restore{05FF69C1-A6C1-40DB-877E-B8276DC71785}\RP195\A0027301.sys:1 8192 bytes executable
ADS C:\System Volume Information\_restore{05FF69C1-A6C1-40DB-877E-B8276DC71785}\RP196\A0027372.sys:1 8192 bytes executable
ADS C:\System Volume Information\_restore{05FF69C1-A6C1-40DB-877E-B8276DC71785}\RP197\A0027381.sys:1 8192 bytes executable
ADS C:\System Volume Information\_restore{05FF69C1-A6C1-40DB-877E-B8276DC71785}\RP197\A0027388.sys:1 8192 bytes executable
ADS C:\System Volume Information\_restore{05FF69C1-A6C1-40DB-877E-B8276DC71785}\RP197\A0027401.sys:1 8192 bytes executable
ADS C:\System Volume Information\_restore{05FF69C1-A6C1-40DB-877E-B8276DC71785}\RP197\A0027412.sys:1 8192 bytes executable
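A small triage script for logs in this GMER layout, added here as an example (it is not GMER's code and not from the original post); it runs on a constructed sample in the same layout with invented driver, device and DLL names rather than on the log above:

```python
"""Triage a GMER rootkit-scan log in the layout shown in the post above.

Added example, not GMER's code and not from the original post. It collects
SSDT hooks per hooking module, loaded kernel modules with no file on disk,
hidden services and DLLs, user-mode hooks into a \\?\globalroot device path,
and registry values holding base64 text. SAMPLE_LOG below is constructed.
"""
import base64
import re
from collections import defaultdict

SSDT_RE = re.compile(r"^SSDT\s+(?P<module>\S+)\s+(?P<func>Zw\w+)\s+\[0x[0-9A-Fa-f]+\]")
MISSING_RE = re.compile(r"^\?\s+(?P<module>\S+)\s+The system cannot find the file specified\.")
HIDDEN_LIB_RE = re.compile(r"^Library\s+(?P<dll>\S+)\s+\(\*\*\* hidden \*\*\* \)\s+@\s+(?P<proc>.+?)\s+\[(?P<pid>\d+)\]")
HIDDEN_SVC_RE = re.compile(r"^Service\s+(?P<path>\S+)\s+\(\*\*\* hidden \*\*\* \)")
# .text / IAT hooks inside a user process whose target is a \\?\globalroot\... path
USER_HOOK_RE = re.compile(r"^(?:\.text|IAT)\s+(?P<proc>.+?\.exe)\[(?P<pid>\d+)\].*?(?P<target>\\\\\?\\globalroot\\\S+)$")
REG_RE = re.compile(r"^Reg\s+(?P<key>\S+?)@(?P<value>\S+)\s+(?P<data>.+)$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]{12,}={0,2}$")


def looks_base64(data):
    """True when registry data is well-formed base64 decoding to printable ASCII."""
    if not B64_RE.match(data) or len(data) % 4:
        return False
    try:
        return base64.b64decode(data, validate=True).decode("ascii").isprintable()
    except (ValueError, UnicodeDecodeError):
        return False


def triage(log_text):
    """Walk a GMER log and collect the indicators worth reporting back."""
    found = {
        "ssdt_hooks": defaultdict(list),      # hooking module -> [Zw* functions]
        "missing_modules": [],                 # loaded code with no file on disk
        "hidden_services": [],                 # services GMER marks *** hidden ***
        "hidden_libraries": defaultdict(set),  # hidden DLL -> {host processes}
        "user_hooks": defaultdict(set),        # hook target -> {"proc[pid]"}
        "base64_registry_values": [],          # (key, value name, decoded text)
    }
    for line in (raw.strip() for raw in log_text.splitlines()):
        if m := SSDT_RE.match(line):
            found["ssdt_hooks"][m["module"]].append(m["func"])
        elif m := MISSING_RE.match(line):
            found["missing_modules"].append(m["module"])
        elif m := HIDDEN_LIB_RE.match(line):
            found["hidden_libraries"][m["dll"]].add(m["proc"])
        elif m := HIDDEN_SVC_RE.match(line):
            found["hidden_services"].append(m["path"])
        elif m := USER_HOOK_RE.match(line):
            found["user_hooks"][m["target"]].add(f"{m['proc']}[{m['pid']}]")
        elif (m := REG_RE.match(line)) and looks_base64(m["data"]):
            decoded = base64.b64decode(m["data"]).decode("ascii")
            found["base64_registry_values"].append((m["key"], m["value"], decoded))
    return found


def summary(found):
    """Render the findings as the short list a helper would post back."""
    out = [f"SSDT hooks by {mod}: {', '.join(funcs)}" for mod, funcs in sorted(found["ssdt_hooks"].items())]
    out += [f"Loaded module with no file on disk: {mod}" for mod in found["missing_modules"]]
    out += [f"Hidden service: {path}" for path in found["hidden_services"]]
    out += [f"Hidden DLL {dll} in {len(procs)} process(es)" for dll, procs in sorted(found["hidden_libraries"].items())]
    out += [f"User-mode hooks into {t} from {len(p)} process(es)" for t, p in sorted(found["user_hooks"].items())]
    out += [f"Base64 registry data at {k}@{v}: {d!r}" for k, v, d in found["base64_registry_values"]]
    return out


# Constructed sample in GMER's layout; driver, device and DLL names are invented.
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----
SSDT \SystemRoot\System32\drivers\zz0example.sys ZwCreateEvent [0xF7650000]
SSDT \SystemRoot\System32\drivers\zz0example.sys ZwOpenKey [0xF7650100]
SSDT othervendor.sys ZwEnumerateKey [0xF72A0000]
---- Kernel code sections - GMER 1.0.15 ----
? C:\WINDOWS\System32\drivers\zz0example.sys The system cannot find the file specified.
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\Explorer.exe[180] GDI32.dll!GetHFONT + 51 77F10000 7 Bytes CALL 35670100 \\?\globalroot\Device\constructed_dev\EXAMPLE1.x86.dll
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\Program Files\Example\app.exe[944] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35670200] \\?\globalroot\Device\constructed_dev\EXAMPLE1.x86.dll
---- Processes - GMER 1.0.15 ----
Library \\?\globalroot\Device\constructed_dev\EXAMPLE1.x86.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.exe [180] 0x35670000
Library \\?\globalroot\Device\constructed_dev\EXAMPLE1.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\services.exe [812] 0x35670000
---- Services - GMER 1.0.15 ----
Service C:\WINDOWS\System32\drivers\zz0example.sys (*** hidden *** ) [SYSTEM] zz0example <-- ROOTKIT !!!
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\zz0example@ImagePath \SystemRoot\System32\drivers\zz0example.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\zz0example@Start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\zz0example@Qx7Ab2 ZXhhbXBsZS5pbnZhbGlk
"""

if __name__ == "__main__":
    for entry in summary(triage(SAMPLE_LOG)):
        print(entry)
```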
 
Please note that all instructions given are customised for this computer only;
the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.


Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
  1. Please Read All Instructions Carefully
  2. If you don't understand something, stop and ask! Don't keep going on.
  3. Please do not run any other tools or scans whilst I am helping you
  4. Failure to reply within 5 days will result in the topic being closed.
  5. Please continue to respond until I give you the "All Clear"
    (Just because you can't see a problem doesn't mean it isn't there)
If you can do those few things, everything should go smoothly.


Some of the logs I request will be quite large; you may need to split them over a couple of replies.

Please Note, your security programs may give warnings for some of the tools I will ask you to use.
Be assured, any links I give are safe.

----------------------------------------------------------------------------------------



Download and Run ComboFix


Download Combofix from the link below. Save it to your desktop.

> Link Removed <

(I have renamed the file)


STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.


Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


Click the Windows 'Start' button > Select 'Run' - then copy/paste the following text into the run box & click OK.

"%userprofile%\desktop\CleanMe.exe" /killall

When finished, it shall produce a log for you. Post that log in your next reply.
 
Thank you very much for the assistance.

I did as you asked. ComboFix runs, I can see the status bar for it, and it appears to complete, but then everything just stops. No log is produced. It really seems just like the other programs I have tried to run, where this infestation just shuts them down.

No other viral software was running.

I do see an mdm.exe running that looks suspicious. I stop it in Task Manager, though, then run this program and it is still killed. Just to let you know, these programs are being stopped by this infection while in Safe Mode as well. It appears to be well attached to the system. Last night while observing this, I noticed explorer.exe grab some CPU usage every time an anti-virus program was shut down.

I tried renaming HiJackThis too, and no help.
Don't know if this helps, but thought I'd send it out there.
 
Ok, we need some info before we can kill this nasty.


SysProt Antirootkit

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

http://sites.google.com/site/sysprotantirootkit/

Unzip it into a folder on your desktop.
  • Double click Sysprot.exe to start the program.
  • Click on the Log tab.
  • In the Write to log box select all items.
  • Click on the Create Log button on the bottom right.
  • After a few seconds a new window should appear.
  • Select Scan Root Drive. Click on the Start button.
  • When it is complete a new window will appear to indicate that the scan is finished.
  • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.
 
Thanks for the quick response. I am stoked that something actually ran. Here are the results:

SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

Process:
Name: [System Idle Process]
PID: 0
Hidden: No
Window Visible: No

Name: System
PID: 4
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\smss.exe
PID: 676
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\csrss.exe
PID: 736
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\winlogon.exe
PID: 936
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\services.exe
PID: 980
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\lsass.exe
PID: 992
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\ati2evxx.exe
PID: 1148
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1160
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1256
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1304
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1468
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1520
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\spoolsv.exe
PID: 1780
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1880
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PID: 1964
Hidden: No
Window Visible: No

Name: C:\Program Files\Bonjour\mDNSResponder.exe
PID: 1976
Hidden: No
Window Visible: No

Name: C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
PID: 2012
Hidden: No
Window Visible: No
 
Use Windows explorer to open this folder
C:\Documents and Settings\All Users\Application Data

You may need to unhide files and folders (see below).

Look for a folder that has all numbers in its name, e.g. 12365489.
If you find one, DRAG the entire folder to your desktop
Reboot the machine and then try Combofix again



Show All Files And Folders
Now you need to show all files and folders
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck Hide file extensions for known file types
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
 
Thank you for the follow-up.

I found two folders with all numbers in that directory and did as you said, moving both to the desktop, restarted, and then ran CleanMe.exe again. Like before, it ran, appeared to complete, hourglasses and the whole nine, and then it just stopped - producing no log.
 
Katana...

Just an added notice: I looked at the properties of the folders that you mentioned herein and they were added on the same date that I had attempted to remove some a.exe, b.exe, and msa.exe issues. I removed those apps and associated registry keys, as I could find them.

I'm starting to believe they are somehow associated now. I also recently had a bout with Windows Antivirus Pro that I believed Windows Defender had resolved.

Thanks again!
 
Yes, they are probably all related.

Please try the following

Click start > run then copy/paste the following into the run window

cacls C:\windows\system32\cmd.exe /G emh:F

Press enter.

A cmd window should come up asking you if you are sure, type 'y' then hit enter.

After that, delete your copy of combofix, re-download a new one and try to run it again.
 
Hello again.

When I enter

cacls C:\windows\system32\cmd.exe /G emh:F

into the Run box and hit Enter, the Command prompt comes up but is closed almost immediately to where I only see it briefly and can't even see what it says on the prompt.
 
That's fine, it should only take a second.
If we are lucky, that should allow Combofix to run now.
 
Hi.

I'm telling you that it shut down the command box before I could verify to commit the command. It didn't run, it didn't generate any log, it is still doing the same thing.
 
I'm sorry if I am not being clear.

I did as you said, and it didn't allow me to verify the command. When the command prompt opened, it then shut quickly without me being able to type 'y' or even see anything.

Now, I re-ran the combofix, which you renamed cleanme.exe, and it did the same thing as it has been doing.

Let me know if you need more info.

Thanks!!
 
Your logs show that you have at least two rootkits and at least one other infection... they all prevent removal tools from running.

This may take several tries, so please be patient.

Please try the following.

Click start > run then copy/paste the following into the run window

cacls C:\windows\system32\cmd.exe /G Owner:F

Press enter.

A cmd window should come up asking you if you are sure, type 'y' then hit enter.

Try to run ComboFix again.


Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If requested, please reboot.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
 
Thanks for the follow-up!!

I tried what you said many, many times and neither ComboFix nor MalwareBytes will run. The cacls command didn't seem to make any difference whatsoever. ComboFix has the task bar look like it completes... then there are some hourglasses, then it dies.

MalwareBytes will install and update, but very shortly after starting to run, it dies as well with the permissions changing to say "windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." When I attempt to change the permissions, there is no security/permissions tab.
 
Katana...

Here is some more info that may be of use.

When ComboFix attempts to run, watching Task Manager, it appears to die while n.pif is running or immediately after it runs.

While I am in safe mode, this issue persists. I have seen it kill programs while I am in safe and trying to scan (previously did this). When windows launches, a winword.exe process runs - I'm almost sure that shouldn't be happening.

Here are the only processes running in safe when this still happens:
taskmgr.exe
svchost.exe
explorer.exe
svchost.exe
svchost.exe
svchost.exe
lsass.exe
services.exe
winlogon.exe
csrss.exe
smss.exe
system
system idle process

It appears to be attached to these processes.
What other info can I provide to assist you with the next steps?

Thanks again!!!!
 
I've not abandoned you, I'm doing some research.
Did you try the second Cacls instruction I posted? It was different from the first.

You don't happen to know where you got this infection, do you?

Please try the following


Download and Run RSIT
  • Please download Random's System Information Tool by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open:
    • log.txt will be opened maximized.
    • info.txt will be opened minimized.
  • Please post the contents of both log.txt and info.txt.
    (They can also be found in the C:\RSIT folder.)
 
Hi Katana. Thanks for being persistent.

No, I don't know from where it reared. I got some stuff off Ares a little while back for my cousin's wedding and it very well may have shown up from there. I don't keep it open and use it rarely.

I did run the other cacls command, many times before trying ComboFix & mbam, and had the same symptoms. At least when I ran the last command, the cmd prompt did open and ask me y/n.

Ok, I ran the RSIT and it got a little ways then was killed. Same scenario... permission denied now. It did save a little bit in the log file, which I am attaching below. As a side note, the two .jobs under windows/tasks are associated with a.exe and b.exe, I know that for sure. I found it in the event log associating those keys with those programs.

Just an opinion here, this infection is very efficient. My system is showing no signs of an issue. Running very fast. But when anything runs that appears to search certain areas or look like a Malware scanning program, it is nailed to the wall. Never seen anything work this well and not show any adverse symptoms at the system level.

Here is the log that was captured:


Logfile of random's system information tool 1.06 (written by random/random)
Run by Owner at 2009-08-08 11:18:53
Microsoft Windows XP Professional Service Pack 3
System drive C: has 8 GB (8%) free of 95 GB
Total RAM: 1918 MB (77% free)


======Scheduled tasks folder======

C:\WINDOWS\tasks\WGASetup.job
C:\WINDOWS\tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job
C:\WINDOWS\tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}]
IDMIEHlprObj Class - C:\Program Files\Internet Download Manager\IDMIECC.dll [2008-12-23 161200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-11-03 54248]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{500bca15-57a7-4eaf-8143-8c619470b13d}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
Java(tm) Plug-In SSV Helper - C:\Program Files\Java\jre6\bin\ssv.dll [2008-12-22 320920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2008-12-22 34816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2008-12-22 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f54af7de-6038-4026-8433-cc30e3f17212}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"=C:\Program Files\Synaptics\SynTP\SynTPLpr.exe [2005-02-02 102492]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2005-02-02 692316]
"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [2005-04-11 339968]
"Cpqset"=C:\Program Files\HPQ\Default Settings\cpqset.exe [2005-02-17 233534]
"eabconfg.cpl"=C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe [2004-12-03 290816]
"hpWirelessAssistant"=C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe [2005-04-01 794624]
"HP Software Update"=C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe [2005-02-17 49152]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ares"=C:\Program Files\Ares\Ares.exe [2008-12-16 887808]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
BTTray.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2005-04-11 46080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"= []

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\pevsystemstart]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\windefend]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\pevsystemstart]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\procexp90.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\windefend]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Ares\Ares.exe"="C:\Program Files\Ares\Ares.exe:*:Enabled:Ares p2p for windows"
"C:\Program Files\Microsoft Visual Studio\Common\Tools\VS-Ent98\Vanalyzr\VARPC.EXE"="C:\Program Files\Microsoft Visual Studio\Common\Tools\VS-Ent98\Vanalyzr\VARPC.EXE:*:Enabled:Microsoft (R) Visual Studio VSA RPC Event Creator"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\Java\jre6\launch4j-tmp\JDownloader.exe"="C:\Program Files\Java\jre6\launch4j-tmp\JDownloader.exe:*:Enabled:Java(TM) Platform SE binary"
"C:\WINDOWS\system32\java.exe"="C:\WINDOWS\system32\java.exe:*:Enabled:Java(TM) Platform SE binary"
"C:\WINDOWS\system32\ftp.exe"="C:\WINDOWS\system32\ftp.exe:*:Enabled:File Transfer Program"
"D:\setup\HPZNUI01.EXE"="D:\setup\HPZNUI01.EXE:*:Enabled:hpznui01.exe"
"D:\setup\HPONICIFS01.EXE"="D:\setup\HPONICIFS01.EXE:*:Enabled:hponicifs01.exe"
"C:\Program Files\Hp\Digital Imaging\bin\hpofxm08.exe"="C:\Program Files\Hp\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\Program Files\Hp\Digital Imaging\bin\hposfx08.exe"="C:\Program Files\Hp\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\Program Files\Hp\Digital Imaging\bin\hposid01.exe"="C:\Program Files\Hp\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe"
"C:\Program Files\Hp\Digital Imaging\bin\hpqkygrp.exe"="C:\Program Files\Hp\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\Program Files\Hp\Digital Imaging\bin\hpzwiz01.exe"="C:\Program Files\Hp\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\Program Files\Hp\Digital Imaging\bin\hpoews01.exe"="C:\Program Files\Hp\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\Program Files\Microsoft SQL Server\90\Shared\SqlSAC.exe"="C:\Program Files\Microsoft SQL Server\90\Shared\SqlSAC.exe:*:Enabled:SQL Server Surface Area Configuration"
"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\devenv.exe"="C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\devenv.exe:*:Enabled:Microsoft Visual Studio 2005"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{65a12071-04f5-11de-9d93-0014a51fe469}]
shell\AutoRun\command - F:\wd_windows_tools\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d7430667-d3ac-11dd-9d87-0014a51fe469}]
shell\AutoRun\command - E:\wd_windows_tools\WDSetup.exe


======List of files/folders created in the last 1 months======

2009-08-08 11:18:54 ----D---- C:\Program Files\trend micro
2009-08-08 11:18:53 ----D---- C:\rsit
2009-08-08 09:14:36 ----D---- C:\32788R22FWJFW
2009-08-08 08:52:05 ----D---- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2009-08-08 08:51:59 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-08-07 20:00:23 ----A---- C:\WINDOWS\ntbtlog.txt
2009-08-07 18:41:58 ----A---- C:\WINDOWS\system32\PerfStringBackup.TMP
2009-08-07 18:18:49 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-08-07 17:49:36 ----D---- C:\WINDOWS\CSC
2009-08-07 17:31:42 ----D---- C:\Program Files\Windows Defender
2009-08-07 15:33:22 ----D---- C:\32788R22FWJFW(2)
2009-08-07 11:32
 
One more thing I should note for your info moving forward.

When this started happening, I recall Acrobat trying to open something and getting some notices - when I had not opened any pdf or Acrobat files. Also saw something in Re to Flash. Not sure what it was, but I was not using anything at the time that required the Flash Player.
 
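The firewall sections of the log above list XP's per-profile application exceptions as `"path"="path:scope:state:name"`. The following triage helper is an added example, not part of this thread or of RSIT; it parses that value format and separates Windows' own resource-named entries from third-party ones, using a constructed sample in the same layout.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout of the RSIT firewall sections (not the full log).
SAMPLE = r'''
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Ares\Ares.exe"="C:\Program Files\Ares\Ares.exe:*:Enabled:Ares p2p for windows"
"C:\WINDOWS\system32\ftp.exe"="C:\WINDOWS\system32\ftp.exe:*:Enabled:File Transfer Program"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:LocalSubNet:Disabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
'''

@dataclass
class FirewallException:
    profile: str   # standardprofile or domainprofile
    path: str
    scope: str     # '*' = any remote address, otherwise an address/subnet list
    enabled: bool
    name: str      # display name; '@dll,-id' is a Windows resource string

LINE_RE = re.compile(r'^"(?P<key>[^"]+)"="(?P<val>.*)"$')
PROFILE_RE = re.compile(r'firewallpolicy\\(?P<profile>\w+)\\authorizedapplications', re.I)

def parse_firewall_exceptions(text):
    """Return one FirewallException per authorizedapplications entry in the log text."""
    entries, profile = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('['):                      # section header: pick up the profile
            m = PROFILE_RE.search(line)
            profile = m.group('profile').lower() if m else None
            continue
        m = LINE_RE.match(line)
        if not m or profile is None:
            continue
        key, val = m.group('key'), m.group('val')
        # The value repeats the path, then ':scope:state:display name'.
        rest = val[len(key):] if val.lower().startswith(key.lower()) else val
        parts = rest.split(':', 3)
        if len(parts) != 4:
            continue
        _, scope, state, name = parts
        entries.append(FirewallException(profile, key, scope, state.lower() == 'enabled', name))
    return entries

def third_party_exceptions(entries):
    """Enabled exceptions that are not Windows' own %windir% resource-named entries."""
    return [e for e in entries
            if e.enabled and not (e.path.lower().startswith('%windir%') and e.name.startswith('@'))]
```

Run the third-party list against the full log to see which non-Windows programs (here a P2P client and the built-in FTP client) have been granted inbound exceptions.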
It certainly is efficient, annoyingly so!!
You don't have an install disc, do you?
It may be easier if we can install the recovery console.

You posted a list of files that were running; let's see if we can get Combofix to run by renaming it as one of those.


Click start > run then copy/paste the following into the run window

cacls C:\windows\system32\cmd.exe /G Owner:F

Press enter.

A cmd window should come up asking you if you are sure, type 'y' then hit enter.

Download Combofix from the link below. Save it to your desktop.

Link 1

  • You must download it to and run it from your Desktop
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
  • Double click the file & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply
  • Re-enable all the programs that were disabled during the running of ComboFix.
 