Axis52401
asked on
How Can I remove this rootkit virus
My boss somehow managed to get a virus on the PC. It's a persistent one and even survived reloading Windows. I looked up the popup his AVG antivirus gives and there are some articles about rootkit viruses. I have tried AVG's scan, Malwarebytes, some sort of Sophos task killer and still cannot get rid of it. It's causing browser redirects etc. I even reloaded the PC and it somehow remained. Is there anything else I can do?
virus.doc.docx
ASKER
I'd tried the TDSSKiller app with no success
@Jason0923 ...as your post mentioned you reloaded Windows I infer it's safe to assume you would be willing to do it again? If so, this time I would recommend that you actually write 0's to the entire drive prior to reloading the OS. After that I would ensure that you're reloading Windows with a legitimate Microsoft disc or ISO image. If you want to be really careful you could disconnect network access to the infected machine until you have time to create a clean image after the reinstall. DBAN will help you nuke the entire drive. While deeper hardware level root kits do exist, and reside within hardware firmware and/or special areas of your CPU, it's highly unlikely you have this type of infection as the general purpose of these types of root kits is being covert and not openly announcing itself by browser redirects, etc.
After you've created a clean image you can always revert back to it should infection occur again.
Ok- I'll try again
:)
Boot into Safe mode, once inside run rKill.exe. Hopefully that will run with results of stopping processes. Then download and run TDSS Killer; be sure to click on the more parameters and select both boxes under additional options.
If you want to attempt the disinfection route (having no real guarantee the system is actually clean) I've had good results with GMER as well.
ASKER
I have the Windows OS CD that came with the laptop so yes, it's a legit copy. I used the format drive option before the reload; you don't think that is enough? It's not connected to the company network yet.
At the end of the day it's more probable that it's not a root kit but malware, and your boss is inadvertently downloading and running after the system has been cleaned/restored... likely through a link obtained via email. After you've restored I recommend you use OpenDNS for all your DNS resolution (and block outbound packets to all other DNS servers) and install Spybot S&D on his PC or similar program.
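One way to carry out the DNS lockdown suggested above on the rebuilt Windows 7 machine, as an added example that is not code from this thread: it points the client at the two OpenDNS resolvers (208.67.222.222 and 208.67.220.220) and uses Windows Firewall block rules written as IP ranges so that port 53 traffic to any other address is dropped. The adapter name "Local Area Connection" is an assumption; run it from an elevated PowerShell.

```powershell
# Added example (not from the thread). Forces all DNS resolution through OpenDNS on a
# Windows 7 host: static resolvers plus outbound firewall rules for everything else.
# Assumption: the adapter is named "Local Area Connection"; change it to match the PC.
$adapter   = 'Local Area Connection'
$primary   = '208.67.222.222'   # OpenDNS resolver 1
$secondary = '208.67.220.220'   # OpenDNS resolver 2

# 1. Replace whatever resolvers DHCP (or the malware) set with the two OpenDNS addresses.
netsh interface ip set dns $adapter static $primary
netsh interface ip add dns $adapter $secondary index=2

# 2. The rkill log showed the firewall forced off through the policy key; clear that
#    value and switch the firewall back on, otherwise the rules below never apply.
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile'
if (Test-Path $policy) {
    Remove-ItemProperty -Path $policy -Name EnableFirewall -ErrorAction SilentlyContinue
}
netsh advfirewall set allprofiles state on

# 3. Windows Firewall evaluates block rules before allow rules, so "allow OpenDNS, block
#    the rest" cannot be written as two rules. Instead the block rule lists every IPv4
#    range EXCEPT the two resolvers (IPv6 DNS is not covered here).
$notOpenDns = '1.0.0.0-208.67.220.219,208.67.220.221-208.67.222.221,208.67.222.223-223.255.255.255'
foreach ($proto in 'udp', 'tcp') {
    netsh advfirewall firewall add rule name="Block DNS except OpenDNS ($proto)" `
        dir=out action=block protocol=$proto remoteport=53 remoteip=$notOpenDns
}

# 4. Verify: the first lookup answers through OpenDNS and names the node that served it;
#    the second (a non-OpenDNS resolver, here Google's 8.8.8.8) must time out.
nslookup -type=txt which.opendns.com
nslookup example.com 8.8.8.8
```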
ASKER
Now it shows this Trojan Horse backdoor (screen shot)
virus.doc.docx
It depends if you only formatted one partition (and left another partition which may have contained malware and was executed later on) rather than using the install disc to delete all partitions first and then format the entire drive afterwards. I would also look at each program your boss wants to install after the fact... any installed by email links, etc. and scan with VirusTotal . It probably wouldn't hurt (technically) to only give him local Standard permissions rather than Administrator so you must be involved whenever he tries to install additional software, etc.
Jason-
Have you run Spybot and/or Malwarebytes?
If not try running rKill first and then the above programs.
Can you post that whole rKill log?
ASKER
The rkill log
Rkill 2.3.0 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2012 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html
Program started at: 08/22/2012 01:51:40 PM in x64 mode.
Windows Version: Windows 7 Service Pack 1
Checking for Windows services to stop.
* No malware services found to stop.
Checking for processes to terminate.
* No malware processes found to kill.
Possibly Patched Files.
* C:\Windows\system32\services.exe
Checking Registry for malware related settings.
* No issues found in the Registry.
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
Performing miscellaneous checks.
* Windows Firewall Disabled
[HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall" = dword:00000000
* Windows Firewall Disabled
[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = dword:00000000
* C:\Windows\assembly\GAC_32\Desktop.ini [ZA File]
* C:\Windows\assembly\GAC_64\Desktop.ini [ZA File]
Checking Windows Service Integrity:
* BFE (BFE) is not Running.
Startup Type set to: Manual
* Windows Firewall Authorization Driver (mpsdrv) is not Running.
Startup Type set to: Manual
* AppMgmt [Missing Service]
* BITS [Missing Service]
* CscService [Missing Service]
* iphlpsvc [Missing Service]
* MpsSvc [Missing Service]
* PeerDistSvc [Missing Service]
* UmRdpService [Missing Service]
* WinDefend [Missing Service]
* wscsvc [Missing Service]
* wuauserv [Missing Service]
* SharedAccess [Missing ImagePath]
* BFE => . [Incorrect ImagePath]
Searching for Missing Digital Signatures:
* C:\Windows\System32\services.exe [NoSig]
+-> C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe : 328,704 : 07/13/2009 08:39 PM : 24acb7e5be595468e3b9aa488b9b4fcb [Pos Repl]
I'm still new here at EE so I'm not sure if I can ask this- But can you post the log of Malwarebytes and Spybot when completed?
I think it might also be a good idea to run a HiJackthis report also.
But like x66 said- If you did a complete re-install and it came back, then someone probably re-downloaded on the computer. BUT- we can still get it off. :-)
ASKER
Malwarebytes
Malwarebytes Anti-Malware (Trial) 1.62.0.1300
www.malwarebytes.org
Database version: v2012.08.07.06
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
kombat :: KOMBAT-PC [administrator]
Protection: Enabled
8/7/2012 1:33:44 PM
mbam-log-2012-08-07 (13-33-44).txt
Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 314737
Time elapsed: 29 minute(s), 46 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 5
C:\Users\kombat\Downloads\7zip_installer_1650.exe (PUP.BundleOffers.IIQ) -> Quarantined and deleted successfully.
C:\Windows\Installer\{97b20d08-4db2-569a-2381-22ac965db0cb}\U\00000008.@ (Trojan.Dropper.BCMiner) -> Quarantined and deleted successfully.
C:\Windows\Installer\{97b20d08-4db2-569a-2381-22ac965db0cb}\U\000000cb.@ (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Windows\Installer\{97b20d08-4db2-569a-2381-22ac965db0cb}\U\80000032.@ (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Windows\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
(end)
ASKER
HijackThis
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:06:36 PM, on 8/22/2012
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16447)
Boot mode: Normal
Running processes:
C:\Users\kombat\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Dell\Dell KM632 Wireless Keyboard Caps Lock Indicator\LaunchOSDSrv.exe
C:\Program Files (x86)\Winamp\winampa.exe
C:\Program Files (x86)\AVG\AVG2012\avgtray.exe
C:\Program Files (x86)\AVG Secure Search\vprot.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_3_300_271.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.millhisersmith.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: AVG Do Not Track - {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} - C:\Program Files (x86)\AVG\AVG2012\avgdtiex.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG Secure Search\12.1.0.21\AVG Secure Search_toolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll
O3 - Toolbar: AVG Security Toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG Secure Search\12.1.0.21\AVG Secure Search_toolbar.dll
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Chicony_OSD] "C:\Program Files (x86)\Dell\Dell KM632 Wireless Keyboard Caps Lock Indicator\LaunchOSDSrv.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files (x86)\Winamp\winampa.exe"
O4 - HKLM\..\Run: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe"
O4 - HKLM\..\Run: [vProt] "C:\Program Files (x86)\AVG Secure Search\vprot.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Startup: Dropbox.lnk = kombat\AppData\Roaming\Dropbox\bin\Dropbox.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: AVG Do Not Track - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - C:\Program Files (x86)\AVG\AVG2012\avgdtiex.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {2AB1C516-D654-4D3A-B3D6-2185BBCEB409} (Cisco Systems WebVPN Relay Loader) - https://ssl.axisbu.com/+CSCOL+/relayp.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.6.2.cab
O16 - DPF: {C861B75F-EE32-4AA4-B610-281AF26A8D1C} - https://ssl.axisbu.com/+CSCOL+/cscopf.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com//activex/ractrl.cab?lmi=928
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgpp.dll
O18 - Protocol: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\12.1.5\ViProtocol.dll
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Andrea RT Filters Service (AERTFilters) - Andrea Electronics Corporation - C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: WebEx Service Host for Support Center (atashost) - Cisco WebEx LLC - C:\Windows\SysWOW64\atashost.exe
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files (x86)\AVG\AVG2012\avgidsagent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe
O23 - Service: BFE - Unknown owner - C:\Windows\.
O23 - Service: Intel® PROSet/Wireless WiMAX Red Bend Device Management Service (DMAgent) - Red Bend Ltd. - C:\Program Files\Intel\WiMAX\Bin\DMAgent.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: Wireless PAN DHCP Server (MyWiFiDHCPDNS) - Unknown owner - C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: ChiconyOSDService (OSDSvc) - Chicony - C:\Program Files (x86)\Dell\Dell KM632 Wireless Keyboard Caps Lock Indicator\OSDSrv.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel(R) Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: TeamViewer 7 (TeamViewer7) - TeamViewer GmbH - C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: vToolbarUpdater12.1.5 - Unknown owner - C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\12.1.5\ToolbarUpdater.exe
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: Intel® PROSet/Wireless WiMAX Service (WiMAXAppSrv) - Intel(R) Corporation - C:\Program Files\Intel\WiMAX\Bin\AppSrv.exe
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
--
End of file - 10939 bytes
Inside HiJackThis-
O23 - Service: BFE - Unknown owner - C:\Windows\.
Check that one for sure
If you don't know these URLs, check them. (If you don't use Cisco)
O16 - DPF: {2AB1C516-D654-4D3A-B3D6-2185BBCEB409} (Cisco Systems WebVPN Relay Loader) - https://ssl.axisbu.com/+CSCOL+/relayp.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.6.2.cab
O16 - DPF: {C861B75F-EE32-4AA4-B610-281AF26A8D1C} - https://ssl.axisbu.com/+CSCOL+/cscopf.cab
Are you still getting the AVG pop up warning?
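A read-only check for the indicators the rkill and HijackThis logs in this thread surfaced (firewall forced off through policy, core services deleted, BFE pointing at C:\Windows\., a possibly patched services.exe, the GAC Desktop.ini files), as an added example that is not code from the thread or from either tool. It compares the live services.exe with the WinSxS component copies the way rkill's "[Pos Repl]" line did, and assumes a Windows 7 x64 layout and an elevated 64-bit PowerShell.

```powershell
# Added example (not from the thread). Read-only triage for the indicators seen above.
# Assumes Windows 7 x64, run from an elevated 64-bit PowerShell (a 32-bit shell would be
# redirected to SysWOW64 and never see the real System32\services.exe).

function Get-Md5Hex([string]$Path) {
    # MD5 is used only because that is what rkill printed for the WinSxS copy.
    $md5 = [System.Security.Cryptography.MD5]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try { $bytes = $md5.ComputeHash($fs) } finally { $fs.Close() }
    return ([System.BitConverter]::ToString($bytes) -replace '-', '').ToLower()
}

function Get-RootkitIndicators {
    $findings = @()
    $root = $env:SystemRoot

    # 1. Firewall switched off through either of the two keys rkill listed.
    $fwKeys = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile',
        'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
    )
    foreach ($k in $fwKeys) {
        if (-not (Test-Path $k)) { continue }
        $v = (Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).EnableFirewall
        if ($v -eq 0) { $findings += "Firewall disabled: EnableFirewall=0 under $k" }
    }

    # 2. Services that rkill reported missing or broken. On a clean Windows 7 every one
    #    of these is hosted by svchost.exe, so anything else in ImagePath is suspect
    #    (the log showed BFE pointing at "." and SharedAccess with no ImagePath at all).
    $svchostHosted = 'AppMgmt', 'BFE', 'BITS', 'CscService', 'iphlpsvc', 'MpsSvc',
                     'PeerDistSvc', 'SharedAccess', 'UmRdpService', 'WinDefend',
                     'wscsvc', 'wuauserv'
    foreach ($name in $svchostHosted) {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        if (-not (Test-Path $key)) { $findings += "Service $name is missing"; continue }
        $img = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).ImagePath
        if (-not $img) { $findings += "Service $name has no ImagePath"; continue }
        if ($img -notmatch 'svchost\.exe') {
            $findings += "Service $name has unexpected ImagePath '$img'"
        }
    }

    # 3. Files rkill tagged "[ZA File]"; they do not exist on a clean install.
    foreach ($rel in 'assembly\GAC_32\Desktop.ini', 'assembly\GAC_64\Desktop.ini') {
        $p = Join-Path $root $rel
        if (Test-Path $p) { $findings += "Suspicious file present: $p" }
    }

    # 4. Is services.exe still the one Windows shipped? Catalog-signed system files show
    #    up as "NotSigned" to Get-AuthenticodeSignature on Windows 7, so instead compare
    #    the live binary's MD5 with the copies kept under WinSxS (what rkill did).
    $live = Join-Path $root 'System32\services.exe'
    $arch = if ([IntPtr]::Size -eq 8) { 'amd64_' } else { 'x86_' }
    $refs = @(Get-ChildItem (Join-Path $root 'winsxs') -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer -and $_.Name -like "$arch*servicecontroller*" } |
        ForEach-Object { Join-Path $_.FullName 'services.exe' } |
        Where-Object { Test-Path $_ })
    if ($refs.Count -eq 0) {
        $findings += 'No WinSxS copy of services.exe found; verify with sfc /verifyonly'
    } else {
        $liveHash = Get-Md5Hex $live
        $match = $refs | Where-Object { (Get-Md5Hex $_) -eq $liveHash }
        if (-not $match) {
            $findings += "services.exe ($liveHash) matches none of $($refs.Count) WinSxS copies"
        }
    }
    return $findings
}

$result = @(Get-RootkitIndicators)
if ($result.Count -eq 0) { 'No indicators found' } else { $result | ForEach-Object { "[!] $_" } }
```

Any finding here is a reason to keep the machine off the network and proceed with the clean-wipe-and-reimage advice given earlier in the thread rather than to trust a disinfection.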
ASKER
What should I do about
O23 - Service: BFE - Unknown owner - C:\Windows\
The SSL.axis....etc ones are from our office. I'm not familiar with the middle one
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.6.2.cab
Is it something I should remove, if so how?
When you do a scan on HiJackThis it pops up that log report, but click back on the actual program.
You will see almost the same data as the report, but there will be little boxes in front of each line. Just check that box.
**ONLY CHECK THE BOXES THAT YOU WANT STUFF REMOVED. CLICKING THE WRONG BOXES CAN HURT YOUR COMPUTER.**
Once you have the items you want removed checked, click the button at the bottom of the screen that says "Fix Checked"
About O16-DPF...etc......If you don't know what it is, I would get rid of it. I'm not excited about the folder, file or what it is.
ASKER
I followed that and rebooted and as soon as I opened the browser got this (screenshot attached) Trojan Horse patched_c.txt AVG error
virus.doc.docx
ASKER CERTIFIED SOLUTION
ASKER
The combo fix doesn't install. Like Malwarebytes it seems to run and then go away; there is no log I can find to attach.
When you double click ComboFix and start the process a window pops up and extracts all files, and then it should keep running in the background and eventually pop up with a blue screen and letters. I tell people once you start the process don't do anything to your computer for about 15-20 minutes; if it doesn't pop up the blue screen you have something stopping ComboFix from running.
Jason0923,
Advice above from Vic would do the trick and you may be able to run Combofix.
However if that fails then try to rename the Combofix.exe to iexplore.exe or explorer.com and try running it.
Once you are able to run it post the logs, which you could find in C:\
ASKER
ComboFix seemed to have worked. I reloaded Windows, ran ComboFix, went through the prompts and it's all working.
Root kits are a pain.
Did you format the drives when you re-installed windows?
Here is how I attack a root kit-
Boot into TDSS KILLER and delete or quarantine any win32.rootkit or TDSS.filesystem.
Boot into Windows in safe mode and run TDSS KILLER again to delete/cure anything that pops up. The reason I run in MiniXP first is to put it in quarantine so it can't run in the Windows environment. I just removed a rootkit yesterday that stopped TDSSKiller from running...it was fun.
Once completed, reboot back into safe mode and run Spybot+Malwarebytes at the same time (it's how I roll). Remove anything selected and reboot again.
If its still there- post back here- if not continue below.
Depending on which root kit you removed (please post), it may corrupt or drop a browser hijack/redirect or even damage your winsock/LSP. Let's hope it didn't do the dirty on the way out.