S&D, HJT, TrendMicro AV, RootkitBuster all abort and then are blocked from re-running

JeffeVerde

New member

Windows XP SP3. Has TrendMicro anti-virus, but was unprotected for a week when subscription expired and wasn't immediately renewed.

=After renewing TM and attempting to run a scan, it repeatedly hung at the same point, scanning "HKLM\....507a01" (full path is too long to display in the app's window and is truncated).

=I found BRAVIAX.EXE in the \WINDOWS and \SYSTEM32 folders and deleted it (no effect). I also found a file on the desktop called CATCHME.TXT. It appeared to be a log file and had a single entry showing USER32.DLL being copied from \SYSTEM32 to \SYSTEM32\DLLCACHE.

=Installed and ran HiJackThis - it shut down while scanning HKLM... - leaving no log. After HJT aborts, it can't be re-run (no error - just won't open), or copied/renamed/moved (error message - access violation). The file can be deleted.

=Installed and ran TrendMicro's Rootkit Buster. It shut down while scanning HKLM... - leaving no log. After abort, file can't be copied/renamed/moved. Once it's aborted, attempting to re-run in normal mode causes it to update its driver and request a reboot - reboot and rerun, and same thing happens. Trying to re-run in safe mode, it generates an error about the TMCOMM service being unavailable.

=Installed and ran Search&Destroy. Started scan - it ran for a second, then SD shut down and couldn't be re-opened. Launched SD via the .SCR file - same behavior - launched, then shut down on start of scan, and now can't launch via the .SCR either.

So what next? This bug seems to recognize anything hunting it and shuts it down. I've tried renaming the HJT, RKB and S&D .exe's, but same behavior - they start to scan, shut down, and then can't be launched again.
 
Hi,

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized, if not you'll find it in c:\rsit folder)

Download GMER here by clicking the download exe button and then saving it to your desktop:
  • Double-click .exe that you downloaded
  • Click rootkit-tab and then scan.
  • Don't check the Show All box while scanning is in progress!
  • When scanning is ready, click Copy.
  • This copies the log to the clipboard.
  • Post log in your reply.
 
RSIT results

RSIT could not be run successfully. On clicking "Continue" at the disclaimer screen, a progress bar window opens, and immediately an error message opens-
------------------------------------------
AutoIt Error
Line -1:
Error: Variable used without being declared
------------------------------------------

Tried it both with HJT already installed, and with HJT completely removed and internet access up. Keep in mind that one of the behaviors of this bug is that it blocks HJT from running a complete scan, and once a scan has been aborted, that specific install of HJT cannot be launched again (a clean copy in a new location or with a different name will run - but with the same results - first scan aborts and can't relaunch after that).
 
GMER results

GMER did run successfully. Here's the log-

------------------------------------------------------

GMER 1.0.15.15011 [4rnpkv2m.exe] - http://www.gmer.net
Rootkit scan 2009-08-05 13:11:13
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT 85329C40 ZwCreateKey
SSDT 85329140 ZwCreateProcess
SSDT 85329400 ZwCreateProcessEx
SSDT 8532AAA0 ZwCreateThread
SSDT 8532A1C0 ZwDeleteKey
SSDT 8532A480 ZwDeleteValueKey
SSDT 8532AC40 ZwLoadDriver
SSDT 853296C0 ZwOpenProcess
SSDT 85329F00 ZwSetValueKey
SSDT 85329980 ZwTerminateProcess
SSDT 8532A900 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntkrnlpa.exe!ObReferenceObjectByHandle + 4BF 805B1001 7 Bytes JMP 86DA67E0
? win32k.sys:1 The system cannot find the file specified. !
? win32k.sys:2 The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe[352] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DDC \\?\globalroot\Device\__max++>\6D051C22.x86.dll
.text C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe[352] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DF8 \\?\globalroot\Device\__max++>\6D051C22.x86.dll
.text C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe[352] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672DB0 \\?\globalroot\Device\__max++>\6D051C22.x86.dll
.text C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe[620] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DDC \\?\globalroot\Device\__max++>\6D051C22.x86.dll
.text C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe[620] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DF8 \\?\globalroot\Device\__max++>\6D051C22.x86.dll
.text C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe[620] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672DB0 \\?\globalroot\Device\__max++>\6D051C22.x86.dll
.text C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe[944] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DDC \\?\globalroot\Device\__max++>\6D051C22.x86.dll
.text C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe[944] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DF8 \\?\globalroot\Device\__max++>\6D051C22.x86.dll
.text C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe[944] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672DB0 \\?\globalroot\Device\__max++>\6D051C22.x86.dll
.text C:\WINDOWS\eHome\ehSched.exe[1208] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672DB0 \\?\globalroot\Device\__max++>\6D051C22.x86.dll
.text C:\WINDOWS\eHome\ehSched.exe[1208] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DDC \\?\globalroot\Device\__max++>\6D051C22.x86.dll
.text C:\WINDOWS\eHome\ehSched.exe[1208] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DF8 \\?\globalroot\Device\__max++>\6D051C22.x86.dll
.text C:\Program Files\Skype\Plugin Manager\skypePM.exe[1692] user32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672DB0 \\?\globalroot\Device\__max++>\6D051C22.x86.dll
.text C:\Program Files\Skype\Plugin Manager\skypePM.exe[1692] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DDC \\?\globalroot\Device\__max++>\6D051C22.x86.dll
.text C:\Program Files\Skype\Plugin Manager\skypePM.exe[1692] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DF8 \\?\globalroot\Device\__max++>\6D051C22.x86.dll
.text C:\WINDOWS\System32\svchost.exe[1696] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672DB0 \\?\globalroot\Device\__max++>\6D051C22.x86.dll
.text C:\WINDOWS\System32\svchost.exe[1696] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DDC \\?\globalroot\Device\__max++>\6D051C22.x86.dll
.text C:\WINDOWS\System32\svchost.exe[1696] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DF8 \\?\globalroot\Device\__max++>\6D051C22.x86.dll
.text C:\Program Files\Skype\Phone\Skype.exe[2724] user32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672DB0 \\?\globalroot\Device\__max++>\6D051C22.x86.dll
.text C:\Program Files\Skype\Phone\Skype.exe[2724] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DDC \\?\globalroot\Device\__max++>\6D051C22.x86.dll
.text C:\Program Files\Skype\Phone\Skype.exe[2724] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DF8 \\?\globalroot\Device\__max++>\6D051C22.x86.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2948] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 100010AB C:\WINDOWS\system32\xwreg32.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2948] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DDC \\?\globalroot\Device\__max++>\6D051C22.x86.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2948] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DF8 \\?\globalroot\Device\__max++>\6D051C22.x86.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2948] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672DB0 \\?\globalroot\Device\__max++>\6D051C22.x86.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3104] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 100010AB C:\WINDOWS\system32\xwreg32.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3104] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DDC \\?\globalroot\Device\__max++>\6D051C22.x86.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3104] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DF8 \\?\globalroot\Device\__max++>\6D051C22.x86.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3104] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672DB0 \\?\globalroot\Device\__max++>\6D051C22.x86.dll

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe[352] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672AAE] \\?\globalroot\Device\__max++>\6D051C22.x86.dll
IAT C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe[352] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A38] \\?\globalroot\Device\__max++>\6D051C22.x86.dll
IAT C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe[620] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672AAE] \\?\globalroot\Device\__max++>\6D051C22.x86.dll
IAT C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe[620] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A38] \\?\globalroot\Device\__max++>\6D051C22.x86.dll
IAT C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe[944] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672AAE] \\?\globalroot\Device\__max++>\6D051C22.x86.dll
IAT C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe[944] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A38] \\?\globalroot\Device\__max++>\6D051C22.x86.dll
IAT C:\WINDOWS\eHome\ehSched.exe[1208] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672AAE] \\?\globalroot\Device\__max++>\6D051C22.x86.dll
IAT C:\WINDOWS\eHome\ehSched.exe[1208] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A38] \\?\globalroot\Device\__max++>\6D051C22.x86.dll
IAT C:\Program Files\Skype\Plugin Manager\skypePM.exe[1692] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672AAE] \\?\globalroot\Device\__max++>\6D051C22.x86.dll
IAT C:\Program Files\Skype\Plugin Manager\skypePM.exe[1692] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A38] \\?\globalroot\Device\__max++>\6D051C22.x86.dll
IAT C:\WINDOWS\System32\svchost.exe[1696] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672AAE] \\?\globalroot\Device\__max++>\6D051C22.x86.dll
IAT C:\WINDOWS\System32\svchost.exe[1696] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A38] \\?\globalroot\Device\__max++>\6D051C22.x86.dll
IAT C:\Program Files\Skype\Phone\Skype.exe[2724] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672AAE] \\?\globalroot\Device\__max++>\6D051C22.x86.dll
IAT C:\Program Files\Skype\Phone\Skype.exe[2724] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A38] \\?\globalroot\Device\__max++>\6D051C22.x86.dll
IAT C:\Program Files\Internet Explorer\iexplore.exe[2948] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672AAE] \\?\globalroot\Device\__max++>\6D051C22.x86.dll
IAT C:\Program Files\Internet Explorer\iexplore.exe[2948] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A38] \\?\globalroot\Device\__max++>\6D051C22.x86.dll
IAT C:\Program Files\Internet Explorer\iexplore.exe[3104] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672AAE] \\?\globalroot\Device\__max++>\6D051C22.x86.dll
IAT C:\Program Files\Internet Explorer\iexplore.exe[3104] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A38] \\?\globalroot\Device\__max++>\6D051C22.x86.dll

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\Device\__max++>\6D051C22.x86.dll (*** hidden *** ) @ C:\Program Files\PostgreSQL\8.3\bin\postgres.exe [284] 0x35670000
Library \\?\globalroot\Device\__max++>\6D051C22.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [340] 0x35670000
Library \\?\globalroot\Device\__max++>\6D051C22.x86.dll (*** hidden *** ) @ C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe [352] 0x35670000
Library \\?\globalroot\Device\__max++>\6D051C22.x86.dll (*** hidden *** ) @ C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe [512] 0x35670000
Library \\?\globalroot\Device\__max++>\6D051C22.x86.dll (*** hidden *** ) @ C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe [620] 0x35670000
Library \\?\globalroot\Device\__max++>\6D051C22.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [820] 0x35670000
Library \\?\globalroot\Device\__max++>\6D051C22.x86.dll (*** hidden *** ) @ C:\Program Files\Trend Micro\Internet Security\TmPfw.exe [920] 0x35670000
Library \\?\globalroot\Device\__max++>\6D051C22.x86.dll (*** hidden *** ) @ C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe [944] 0x35670000
Library \\?\globalroot\Device\__max++>\6D051C22.x86.dll (*** hidden *** ) @ C:\Program Files\Trend Micro\BM\TMBMSRV.exe [1044] 0x35670000
Library \\?\globalroot\Device\__max++>\6D051C22.x86.dll (*** hidden *** ) @ C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [1056] 0x35670000
Library \\?\globalroot\Device\__max++>\6D051C22.x86.dll (*** hidden *** ) @ C:\Program Files\Bonjour\mDNSResponder.exe [1124] 0x35670000
Library \\?\globalroot\Device\__max++>\6D051C22.x86.dll (*** hidden *** ) @ C:\Program Files\Trend Micro\Internet Security\TmProxy.exe [1168] 0x35670000
Library \\?\globalroot\Device\__max++>\6D051C22.x86.dll (*** hidden *** ) @ C:\WINDOWS\eHome\ehSched.exe [1208] 0x35670000
Library \\?\globalroot\Device\__max++>\6D051C22.x86.dll (*** hidden *** ) @ C:\Program Files\Java\jre6\bin\jqs.exe [1260] 0x35670000
Library \\?\globalroot\Device\__max++>\6D051C22.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1656] 0x35670000
Library \\?\globalroot\Device\__max++>\6D051C22.x86.dll (*** hidden *** ) @ C:\Program Files\Skype\Plugin Manager\skypePM.exe [1692] 0x35670000
Library \\?\globalroot\Device\__max++>\6D051C22.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1696] 0x35670000
Library \\?\globalroot\Device\__max++>\6D051C22.x86.dll (*** hidden *** ) @ C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe [1872] 0x35670000
Library \\?\globalroot\Device\__max++>\6D051C22.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1960] 0x35670000
Library \\?\globalroot\Device\__max++>\6D051C22.x86.dll (*** hidden *** ) @ C:\Program Files\PostgreSQL\8.3\bin\postgres.exe [2448] 0x35670000
Library \\?\globalroot\Device\__max++>\6D051C22.x86.dll (*** hidden *** ) @ C:\Program Files\Skype\Phone\Skype.exe [2724] 0x35670000
Library \\?\globalroot\Device\__max++>\6D051C22.x86.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\iexplore.exe [2948] 0x35670000
Library \\?\globalroot\Device\__max++>\6D051C22.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\alg.exe [2984] 0x35670000
Library \\?\globalroot\Device\__max++>\6D051C22.x86.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\iexplore.exe [3104] 0x35670000
Library \\?\globalroot\Device\__max++>\6D051C22.x86.dll (*** hidden *** ) @ C:\Program Files\PostgreSQL\8.3\bin\postgres.exe [3376] 0x35670000
Library \\?\globalroot\Device\__max++>\6D051C22.x86.dll (*** hidden *** ) @ C:\Program Files\PostgreSQL\8.3\bin\postgres.exe [3440] 0x35670000
Library \\?\globalroot\Device\__max++>\6D051C22.x86.dll (*** hidden *** ) @ C:\Program Files\PostgreSQL\8.3\bin\postgres.exe [3520] 0x35670000
Library \\?\globalroot\Device\__max++>\6D051C22.x86.dll (*** hidden *** ) @ C:\Program Files\PostgreSQL\8.3\bin\postgres.exe [3580] 0x35670000

---- Files - GMER 1.0.15 ----

ADS C:\System Volume Information\_restore{348DB8EC-73A3-48FB-ADE8-4BD3BBE539B1}\RP192\A0062823.sys:1 8192 bytes executable
ADS C:\System Volume Information\_restore{348DB8EC-73A3-48FB-ADE8-4BD3BBE539B1}\RP192\A0063810.sys:1 8192 bytes executable
ADS C:\System Volume Information\_restore{348DB8EC-73A3-48FB-ADE8-4BD3BBE539B1}\RP192\A0063868.sys:1 8192 bytes executable
ADS C:\System Volume Information\_restore{348DB8EC-73A3-48FB-ADE8-4BD3BBE539B1}\RP193\A0063902.sys:1 8192 bytes executable
ADS C:\System Volume Information\_restore{348DB8EC-73A3-48FB-ADE8-4BD3BBE539B1}\RP193\A0064021.sys:1 8192 bytes executable
ADS C:\System Volume Information\_restore{348DB8EC-73A3-48FB-ADE8-4BD3BBE539B1}\RP194\A0064279.sys:1 8192 bytes executable
ADS C:\System Volume Information\_restore{348DB8EC-73A3-48FB-ADE8-4BD3BBE539B1}\RP194\A0065388.sys:1 8192 bytes executable
ADS C:\System Volume Information\_restore{348DB8EC-73A3-48FB-ADE8-4BD3BBE539B1}\RP194\A0064448.sys:1 8192 bytes executable
ADS C:\System Volume Information\_restore{348DB8EC-73A3-48FB-ADE8-4BD3BBE539B1}\RP194\A0065376.sys:1 8192 bytes executable
ADS C:\System Volume Information\_restore{348DB8EC-73A3-48FB-ADE8-4BD3BBE539B1}\RP194\A0065384.sys:1 8192 bytes executable
ADS C:\System Volume Information\_restore{348DB8EC-73A3-48FB-ADE8-4BD3BBE539B1}\RP194\A0066388.sys:1 8192 bytes executable
ADS C:\System Volume Information\_restore{348DB8EC-73A3-48FB-ADE8-4BD3BBE539B1}\RP194\A0067388.sys:1 8192 bytes executable
ADS C:\System Volume Information\_restore{348DB8EC-73A3-48FB-ADE8-4BD3BBE539B1}\RP194\A0067392.sys:1 8192 bytes executable
ADS C:\System Volume Information\_restore{348DB8EC-73A3-48FB-ADE8-4BD3BBE539B1}\RP195\A0069392.sys:1 8192 bytes executable
ADS C:\System Volume Information\_restore{348DB8EC-73A3-48FB-ADE8-4BD3BBE539B1}\RP195\A0069400.sys:1 8192 bytes executable
ADS C:\System Volume Information\_restore{348DB8EC-73A3-48FB-ADE8-4BD3BBE539B1}\RP195\A0069418.sys:1 8192 bytes executable
ADS C:\System Volume Information\_restore{348DB8EC-73A3-48FB-ADE8-4BD3BBE539B1}\RP195\A0069447.sys:1 8192 bytes executable
ADS C:\System Volume Information\_restore{348DB8EC-73A3-48FB-ADE8-4BD3BBE539B1}\RP195\A0069458.sys:1 8192 bytes executable
ADS C:\System Volume Information\_restore{348DB8EC-73A3-48FB-ADE8-4BD3BBE539B1}\RP195\A0070458.sys:1 8192 bytes executable
ADS C:\System Volume Information\_restore{348DB8EC-73A3-48FB-ADE8-4BD3BBE539B1}\RP195\A0068392.sys:1 8192 bytes executable
ADS C:\System Volume Information\_restore{348DB8EC-73A3-48FB-ADE8-4BD3BBE539B1}\RP195\A0070542.sys:1 8192 bytes executable
ADS C:\System Volume Information\_restore{348DB8EC-73A3-48FB-ADE8-4BD3BBE539B1}\RP195\A0070552.sys:1 8192 bytes executable
ADS C:\System Volume Information\_restore{348DB8EC-73A3-48FB-ADE8-4BD3BBE539B1}\RP195\A0070566.sys:1 8192 bytes executable
ADS C:\System Volume Information\_restore{348DB8EC-73A3-48FB-ADE8-4BD3BBE539B1}\RP195\A0070571.sys:1 8192 bytes executable
ADS C:\System Volume Information\_restore{348DB8EC-73A3-48FB-ADE8-4BD3BBE539B1}\RP195\A0070583.sys:1 8192 bytes executable
ADS C:\System Volume Information\_restore{348DB8EC-73A3-48FB-ADE8-4BD3BBE539B1}\RP195\A0070589.sys:1 8192 bytes executable

---- EOF - GMER 1.0.15 ----
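Triage logic for a GMER log of the shape posted above, added here as an example (it is not GMER's code and not part of the thread): it walks the log section by section and flags hooks whose target module sits at a raw \\?\globalroot\Device\ path instead of on a drive letter, along with any module GMER marks as hidden. The sample excerpt is constructed from a few lines in the shape of the log above, and the severity labels are this example's own convention.

```python
"""Triage a GMER rootkit-scan log (added example, not GMER's or the thread's code).

Walks the log section by section, extracts SSDT hooks, kernel code patches,
user-mode inline and IAT hooks, loaded modules and alternate data streams, and
flags hook targets that live at a raw device path instead of on a drive letter.
Severity labels are this example's own convention."""
import re
from collections import Counter

# Constructed excerpt in the shape of the thread's GMER output (not a full log).
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----
SSDT 85329C40 ZwCreateKey
SSDT 85329140 ZwCreateProcess
SSDT 85329980 ZwTerminateProcess
---- Kernel code sections - GMER 1.0.15 ----
PAGE ntkrnlpa.exe!ObReferenceObjectByHandle + 4BF 805B1001 7 Bytes JMP 86DA67E0
---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe[620] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DDC \\?\globalroot\Device\__max++>\6D051C22.x86.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2948] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 100010AB C:\WINDOWS\system32\xwreg32.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2948] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672DB0 \\?\globalroot\Device\__max++>\6D051C22.x86.dll
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe[620] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672AAE] \\?\globalroot\Device\__max++>\6D051C22.x86.dll
---- Processes - GMER 1.0.15 ----
Library \\?\globalroot\Device\__max++>\6D051C22.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [340] 0x35670000
Library \\?\globalroot\Device\__max++>\6D051C22.x86.dll (*** hidden *** ) @ C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe [620] 0x35670000
---- Files - GMER 1.0.15 ----
ADS C:\System Volume Information\_restore{348DB8EC-73A3-48FB-ADE8-4BD3BBE539B1}\RP192\A0062823.sys:1 8192 bytes executable
---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (.+?) - GMER")
SSDT_RE = re.compile(r"^SSDT\s+([0-9A-F]{8})\s+(\w+)$")
KERNEL_RE = re.compile(r"^(?:PAGE|INIT|\.text)\s+(\S+!\S+(?:\s\+\s[0-9A-F]+)?)\s+[0-9A-F]{8}\s+\d+ Bytes\s+(?:JMP|CALL)\s+[0-9A-F]{8}")
# Capture groups for both hook forms: (process, pid, symbol, target module).
USER_RE = re.compile(r"^\.text\s+(.+?)\[(\d+)\]\s+(\S+(?:\s\+\s[0-9A-F]+)?)\s+[0-9A-F]{8}\s+\d+ Bytes\s+(?:JMP|CALL)\s+[0-9A-F]{8}\s+(.*)$")
IAT_RE = re.compile(r"^IAT\s+(.+?)\[(\d+)\]\s+@\s+\S+\s+\[(\S+)\]\s+\[[0-9A-F]{8}\]\s+(.*)$")
LIBRARY_RE = re.compile(r"^Library\s+(\S+)\s+\((.*?)\)\s+@\s+(.+?)\s+\[(\d+)\]\s+0x[0-9A-F]+$")
ADS_RE = re.compile(r"^ADS\s+(.+?:\d+)\s+(\d+) bytes executable$")

DEVICE_PREFIXES = ("\\\\?\\globalroot\\device\\", "\\device\\")


def is_device_path(path):
    """True for a module backed by a raw device object rather than a file on a
    drive letter; AV and input drivers hook too, but they point at real DLLs."""
    return path.lower().startswith(DEVICE_PREFIXES)


def _hook(kind):
    def build(m):
        target = m.group(4)
        return {"kind": kind, "process": m.group(1), "pid": int(m.group(2)), "symbol": m.group(3),
                "target": target, "severity": "high" if is_device_path(target) else "review"}
    return build


# Section name -> (line pattern, finding builder); lines in other sections are ignored.
RULES = {
    "System": (SSDT_RE, lambda m: {"kind": "ssdt_hook", "symbol": m.group(2), "handler": m.group(1), "severity": "review"}),
    "Kernel code sections": (KERNEL_RE, lambda m: {"kind": "kernel_patch", "symbol": m.group(1), "severity": "high"}),
    "User code sections": (USER_RE, _hook("user_hook")),
    "User IAT/EAT": (IAT_RE, _hook("iat_hook")),
    "Processes": (LIBRARY_RE, lambda m: {"kind": "module", "module": m.group(1), "hidden": "hidden" in m.group(2),
                                         "process": m.group(3), "pid": int(m.group(4)),
                                         "severity": "high" if "hidden" in m.group(2) else "info"}),
    "Files": (ADS_RE, lambda m: {"kind": "ads_executable", "path": m.group(1), "size": int(m.group(2)), "severity": "review"}),
}


def parse_gmer(text):
    """Return one finding dict per recognised log line, routed by section header."""
    section, findings = None, []
    for line in (raw.strip() for raw in text.splitlines()):
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        rule = RULES.get(section)
        if rule:
            m = rule[0].match(line)
            if m:
                findings.append(rule[1](m))
    return findings


def summarize(findings):
    """Roll the findings up into what an analyst reads first."""
    hooks = [f for f in findings if f["kind"] in ("user_hook", "iat_hook")]
    modules = [f for f in findings if f["kind"] == "module"]
    return {
        "counts": dict(Counter(f["kind"] for f in findings)),
        "high_severity": sum(f["severity"] == "high" for f in findings),
        "device_path_modules": sorted({f["target"] for f in hooks if is_device_path(f["target"])}
                                      | {f["module"] for f in modules if is_device_path(f["module"])}),
        "hosts_of_hidden_modules": sorted({f["process"] for f in modules if f["hidden"]}),
        "hooked_processes": sorted({f["process"] for f in hooks}),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_gmer(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

The point of the device-path check is that the GMER log's user-mode hooks are not suspicious merely because they are hooks (the Trend Micro TDI driver attached to Tcpip is a hook too); what stands out is a target module with no filesystem path that GMER also lists as hidden in two dozen processes, and a single summary makes that visible without reading every line.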
 
Hi,

Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop. Post them back to your topic.
 
Dead in the water

I figured out how the virus is disabling HJT, etc. after they're run once -- it changes the file access security. I can "revive" an app by re-enabling its access rights.

So - running GMER again, it kept aborting before completing its scan. Monitoring GMER as it ran, the last folder I saw scanned was in C:\Windows\$hf_mig$\... Browsing that folder, along with the 100-odd KB##### folders, there was a folder with a long hex name, like {28f123d......}. Trying to open that folder, I got the same access error I'd get after the virus "disabled" any of the scanner/hunter apps I've been trying to use. So I opened the folder's properties and granted full rights to admin.

As soon as I hit "apply", the system shut down. On reboot, I got my wallpaper, but no desktop. Ctrl-Alt-Del brought up TaskManager, and I attempted to launch Explorer, but I got the same access error I've been getting after the virus disables the HJT --- and now I can't even bring up TaskMgr.

Any suggestions? Or is it time to FDISK?
 
Maybe not quite dead yet

I can still launch SafeMode-CommandPrompt. Is there a way to set access rights from the command prompt?
 
Figured it out -- was able to use CACLS to re-enable explorer.exe and taskmgr.exe, and at least I'm back to where we were. I'll get the DDS log up in a minute. But that \win\$hf_mig$\{1234...} folder certainly seems suspect.
 
I went back to look at the folders in $hf_mig$, and I can browse all the subfolders except the one with the long hex name. As soon as I click on it explorer shuts down (which I can now recover from by resetting the rights in cmd). Whatever that folder is, the virus is guarding it. The folder name is {29f8ddc1-9487-49b8-b27e-3e0c3c1298ff}
 
Thanks for the logs.

Why have you run ComboFix there? I can't recall giving you any instructions related to it. Post contents of c:\ComboFix.txt file, please.
 
Sorry about that -- my daughter's boyfriend tried to "help" yesterday while I was at work -- I've told them hands-off till we're done.

I can't find combofix.txt - or .exe for that matter. I assume he deleted the files after he was done.
 
Then we can do nothing else but run it again.


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

  1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
    Remember to re-enable them afterwards.

  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds.txt log.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
 
ComboFix log

ComboFix 09-08-07.09 - Owner 08/08/2009 2:03:21.4.1 - NTFSx86
Running from: C:\CFIx\ComboFix.exe
Command switches used :: C:\CFIx\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
AV: Trend Micro Internet Security Pro *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
* Created a new restore point
.
/wow section - STAGE 32A
Access is denied.

/wow section - STAGE 48
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.

/wow section - STAGE 50
Access is denied.
 
new DDS log

DDS (Ver_09-07-30.01) - NTFSx86 MINIMAL
Run by Administrator at 19:41:30.15 on Thu 08/06/2009
Internet Explorer: 7.0.5730.13
AV: Trend Micro Internet Security Pro *On-access scanning enabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============


============== Pseudo HJT Report ===============

uStart Page = about:blank
mStart Page = about:blank
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Trend Micro Toolbar: {ccac5586-44d7-4c43-b64a-f042461a97d2} - c:\program files\trend micro\trendsecure\tisprotoolbar\TSToolbar.dll
uRunOnce: [SPRTRA] iexplore https://www.tmremote.com/sdcxuser/r...-1b4c-4555-b847-8bbbfcf253ff&mode=2&op=reboot
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
dRun: [OE] c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {10F055B8-F443-4adf-948A-EC551E9DBCE4} - c:\documents and settings\owner.your-25a3bd3417\start menu\programs\ultimatebet\UltimateBet.lnk
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://www.tmremote.com/sdccommon/download/tgctlcm.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} - hxxp://zone.msn.com/bingame/zpagames/GAME_UNO1.cab60096.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} - hxxp://support.gateway.com/support/serialharvest/gwCID.CAB
DPF: {A4110378-789B-455F-AE86-3A1BFC402853} - hxxp://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A}
DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} - hxxp://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab64162.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - c:\program files\trend micro\trendsecure\tisprotoolbar\TSToolbar.dll
Notify: igfxcui - igfxdev.dll
Notify: WRNotifier - WRLogonNTF.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-08-06 14:37 <DIR> --ds---- C:\test
2009-08-06 14:37 389,120 a------- c:\windows\system32\CF18593.exe
2009-08-06 12:49 389,120 a------- c:\windows\system32\CF30086.exe
2009-08-06 12:43 <DIR> --d----- C:\RootkitBuster2.52.0.1013
2009-08-06 12:42 0 a------- C:\settings.dat
2009-08-06 12:42 1,055,676 a------- C:\RootkitBuster2.52.0.1013.zip
2009-08-06 12:33 <DIR> --d----- C:\Autoruns
2009-08-06 12:33 576,280 a------- C:\Autoruns.zip
2009-08-06 12:20 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-08-06 12:15 <DIR> --d----- c:\windows\system32\Service
2009-08-06 12:06 219,648 a------- c:\windows\PEV.exe
2009-08-06 12:06 161,792 a------- c:\windows\SWREG.exe
2009-08-06 12:06 98,816 a------- c:\windows\sed.exe
2009-08-06 12:04 <DIR> --d----- c:\docume~1\admini~1\applic~1\SupportSoft
2009-08-06 11:07 <DIR> --d----- c:\program files\tmRemoteProdPID
2009-08-06 11:07 <DIR> --d----- c:\program files\common files\supportsoft
2009-08-05 11:52 <DIR> --d----- C:\Pesticide
2009-08-03 17:49 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-08-03 17:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-08-02 00:50 578,560 ac------ c:\windows\system32\dllcache\user32.dll
2009-08-02 00:49 <DIR> --d----- c:\windows\ERUNT
2009-08-02 00:35 <DIR> --d----- C:\SDfix
2009-08-01 15:28 153,104 a------- c:\windows\system32\tmcomm.sys
2009-08-01 15:28 50,192 a------- c:\windows\system32\tmevtmgr.sys
2009-08-01 15:28 50,192 a------- c:\windows\system32\tmactmon.sys
2009-08-01 11:59 <DIR> --d----- c:\windows\LocalSSL
2009-08-01 11:48 46,456 a----r-- c:\windows\system32\exitwx.exe
2009-07-31 08:50 17,446 a------- c:\docume~1\alluse~1\applic~1\ukeginyzal.sys
2009-07-31 08:50 15,603 a------- c:\docume~1\alluse~1\applic~1\relu.com
2009-07-31 08:50 13,422 a------- c:\program files\common files\zojytamy.vbs
2009-07-31 08:50 13,415 a------- c:\program files\common files\lodydob.bin
2009-07-31 08:49 <DIR> --d----- c:\program files\HomeAntivirus2010
2009-07-24 23:51 <DIR> --d----- c:\program files\Hero Editor
2009-07-24 23:51 249,856 -------- c:\windows\Setup1.exe
2009-07-24 23:51 73,216 a------- c:\windows\ST6UNST.EXE
2009-07-24 21:55 <DIR> --d----- c:\program files\Shared
2009-07-20 10:41 <DIR> --d----- c:\program files\DoylesRoom
2009-07-13 12:16 21,840 a------t c:\windows\system32\SIntfNT.dll
2009-07-13 12:16 17,212 a------t c:\windows\system32\SIntf32.dll
2009-07-13 12:16 12,067 a------t c:\windows\system32\SIntf16.dll
2009-07-13 11:55 35,715 a------- c:\windows\DIIUnin.dat
2009-07-13 11:55 94,208 a------- c:\windows\DIIUnin.exe
2009-07-13 11:55 2,829 a------- c:\windows\DIIUnin.pif
2009-07-13 11:43 <DIR> --d----- c:\program files\Diablo II
2009-07-13 10:26 <DIR> --d----- c:\program files\Poker Pal Pro Edition
2009-07-11 14:55 139,264 a------- c:\windows\system32\igfxres.dll
2009-07-10 09:04 126,976 a------- c:\windows\W3DemoUnin.exe
2009-07-10 09:04 12,692 a------- c:\windows\W3DemoUnin.dat
2009-07-10 09:04 2,829 a------- c:\windows\W3DemoUnin.pif
2009-07-10 09:04 <DIR> --d----- c:\program files\Warcraft III Demo
2009-07-08 11:28 <DIR> --d----- c:\program files\Gateway

==================== Find3M ====================

2009-07-05 17:29 102,400 a------- c:\windows\DIIDUnin.exe
2009-07-05 17:29 19,143 a------- c:\windows\DIIDUnin.dat
2009-07-05 17:29 2,829 a------- c:\windows\DIIDUnin.pif
2009-06-29 09:12 827,392 a------- c:\windows\system32\wininet.dll
2009-06-29 09:12 78,336 a------- c:\windows\system32\ieencode.dll
2009-06-29 09:12 17,408 -------- c:\windows\system32\corpol.dll
2009-06-16 07:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 07:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-03 12:09 1,291,264 a------- c:\windows\system32\quartz.dll

============= FINISH: 19:41:44.43 ===============
 
ComboFix - SafeMode

ComboFix 09-08-07.09 - Administrator 08/08/2009 9:18:58.6.1 - NTFSx86 MINIMAL
Running from: C:\CFIx\ComboFix.exe
Command switches used :: C:\CFIx\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
AV: Trend Micro Internet Security Pro *On-access scanning enabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
* Created a new restore point
.
/wow section - STAGE 32A
Access is denied.

/wow section - STAGE 48
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.

/wow section - STAGE 50
Access is denied.
 
Watching the screen as ComboFix runs, when it first starts I see "access denied" twice, and then at the end of the scan, after the line about "the system will restart don't restart manually", I again see "access denied" three more times.
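As an added example (not code from this thread, nor from ComboFix or RSIT), here is a small Python triage script for the "Files Created" listing posted above. It parses the `date time size attrs path` format as inferred from that log, groups files by creation minute, and flags any minute in which several files landed in data-only folders and at least one of them is executable code. The folder list and extension list are assumptions chosen for this example, not ComboFix rules; the sample lines are copied from the log.

```python
"""Triage helper for the 'Files Created' part of a ComboFix/RSIT log.

Added example, not code from the thread or from ComboFix.  The listing
format (date, time, size or <DIR>, attribute flags, path) is inferred
from the log posted above; the sample lines below are copied from it.
"""
import re
from collections import defaultdict

# One listing line, e.g. "2009-07-31 08:50 17,446 a------- c:\...\ukeginyzal.sys"
LINE_RE = re.compile(
    r"^(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>[a-z-]{8}) (?P<path>.+)$"
)

# Data-only folders where freshly dropped executable code is a red flag.
# Assumption for this example (taken from the paths in the posted log).
DATA_DIRS = (
    r"c:\docume~1\alluse~1\applic~1",
    r"c:\program files\common files",
)
# Extensions Windows will execute or load as code (assumption, not exhaustive).
CODE_EXTS = (".exe", ".dll", ".sys", ".com", ".scr", ".vbs", ".bat", ".pif")

# Sample input copied from the log above: three same-minute clusters,
# only one of which is in data folders.
SAMPLE = r"""
2009-08-06 12:06 219,648 a------- c:\windows\PEV.exe
2009-08-06 12:06 161,792 a------- c:\windows\SWREG.exe
2009-08-06 12:06 98,816 a------- c:\windows\sed.exe
2009-08-01 15:28 153,104 a------- c:\windows\system32\tmcomm.sys
2009-08-01 15:28 50,192 a------- c:\windows\system32\tmevtmgr.sys
2009-08-01 15:28 50,192 a------- c:\windows\system32\tmactmon.sys
2009-07-31 08:50 17,446 a------- c:\docume~1\alluse~1\applic~1\ukeginyzal.sys
2009-07-31 08:50 15,603 a------- c:\docume~1\alluse~1\applic~1\relu.com
2009-07-31 08:50 13,422 a------- c:\program files\common files\zojytamy.vbs
2009-07-31 08:50 13,415 a------- c:\program files\common files\lodydob.bin
2009-07-31 08:49 <DIR> --d----- c:\program files\HomeAntivirus2010
"""


def parse_line(line):
    """Parse one listing line; return None for headers, blanks, etc."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    is_dir = m["size"] == "<DIR>"
    return {
        "stamp": m["stamp"],  # "YYYY-MM-DD HH:MM", sorts chronologically as text
        "size": None if is_dir else int(m["size"].replace(",", "")),
        "attrs": m["attrs"],
        "path": m["path"],
        "is_dir": is_dir,
    }


def parse_listing(text):
    """Parse a whole listing, skipping lines that are not entries."""
    return [e for e in map(parse_line, text.splitlines()) if e]


def clusters_by_minute(entries, min_files=3):
    """Files (not directories) grouped by creation minute, keeping only
    minutes with at least `min_files` entries.  A dropper usually writes
    all of its components within the same minute."""
    groups = defaultdict(list)
    for e in entries:
        if not e["is_dir"]:
            groups[e["stamp"]].append(e)
    return {k: v for k, v in groups.items() if len(v) >= min_files}


def in_data_dir(entry):
    return entry["path"].lower().startswith(DATA_DIRS)


def is_code(entry):
    return entry["path"].lower().endswith(CODE_EXTS)


def suspicious_clusters(entries, min_files=3):
    """Clusters whose members all sit in data-only folders and include at
    least one executable-type file.  Returns {stamp: [paths]}.  Driver
    installs into system32 and tools copied into c:\\windows fall out
    because those folders are not in DATA_DIRS."""
    return {
        stamp: [e["path"] for e in files]
        for stamp, files in clusters_by_minute(entries, min_files).items()
        if all(map(in_data_dir, files)) and any(map(is_code, files))
    }


if __name__ == "__main__":
    for stamp, paths in sorted(suspicious_clusters(parse_listing(SAMPLE)).items()):
        print(f"{stamp}: {len(paths)} files dropped into data folders")
        for p in paths:
            print("   ", p)
```

Run against the sample, only the 2009-07-31 08:50 burst is reported; the Trend Micro drivers (15:28, system32) and the ComboFix helper tools (12:06, c:\windows) are same-minute clusters too, which is why the folder check matters more than the timing alone.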
 
Hi,

Try running ComboFix in Safe Mode with Command Prompt. Here are the steps to follow (print/save these, since you won't be able to access them while in safe mode):
Press F8 before Windows' loading screen and select the Safe Mode with Command Prompt option.
Then type the following commands (I assume you have ComboFix.exe in the C:\CFIx folder):
  • cd\CFIx
  • ComboFix.exe

When ComboFix reboots, select Safe Mode with Command Prompt again so that ComboFix will finish there.
 
Here's ComboFix run from Safe Mode with Command Prompt. Watching it run, I'm still seeing two "Access denied" when it first opens, and three more after the "rebooting system" message.

=====================================
ComboFix 09-08-07.09 - Administrator 08/08/2009 20:30:30.7.1 - NTFSx86 MINIMAL
Running from: C:\CFIx\ComboFix.exe
AV: Trend Micro Internet Security Pro *On-access scanning enabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
/wow section - STAGE 32A
Access is denied.

/wow section - STAGE 48
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.
Access is denied.

/wow section - STAGE 50
Access is denied.
 