TechSpot

BSDs, PC Beeps, and Phishing Creeps!

By jdematt
Jun 10, 2010
  1. Good Morning Fellow Techs,
    Well, my computer has had a rough run the past few weeks, and it's about time I called in some help. Here's the 411:
    Problems started with computer failing to boot due to missing SYSTEM file. I launched Hiren's Boot CD to run Mini-xp and replaced it with a backup, which at least got me back into XP. Now, the PC locks up often, throwing a sustained system beep from the motherboard. Also, I believe there's some rootkit infection due to search engine redirects and phishing attempts (false bank login pages). I had run avast antivirus and removed several entries when the problems began, but this didn't solve the problem.

    Additionally, I couldn't run GMER as it would throw a BSD and crash upon launch, even with all of my firewall and antivirus software disabled. However, I have attached all other log files. Here's my system info:

    HP Elite 7000 MT
    Windows XP Pro SP3
    3 Gigs of RAM
    Intel i5 CPU running @ 2.7ghz

    Let me know what you guys come up with!
     


  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Your Host files have been hijacked. There are also extensive Relevant Knowledge files that are infected. If you downloaded that program, please uninstall it.

    I'd like you to run Combofix while I finish checking the logs. Also, please give GMER another try either one of these ways:
    1. Take 'Devices' off and see if it will run.
    2. Or try running the scan in Safe Mode.

    Please download ComboFix from Here and save to your Desktop.

    [1]. Do NOT rename Combofix unless instructed.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Close any open browsers.
    [4]. Double click combofix.exe & follow the prompts to run.
    NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
    [5]. If Combofix asks you to install Recovery Console, please allow it.
    [6]. If Combofix asks you to update the program, always allow.
    Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    [7]. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs when you're done with Combofix.

    Run Eset NOD32 Online AntiVirus Scanner HERE
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    Leave the logs in your next reply. I'll be preparing some script to be used after I see the Combofix report.

    Please do not use any other cleaning programs or scans while I'm helping you unless I direct you to. Do not use a Registry Cleaner or make changes in the Registry.

    I recommend uninstalling uTorrent. If you choose not to, please do not use it while I am helping you.
     
  3. Bobbye


    I'm checking the logs now and wanted to bring your attention to something I found:
    The IP 56.43.234.1 belongs to United States Postal Service.
    Hosts: 56.43.234.1 inwarez.com
    Hosts: 56.43.234.1 www.inwarez.com
    Hosts: 56.43.234.1 inwarez.net
    Hosts: 56.43.234.1 www.inwarez.net
    Hosts: 56.43.234.1 inwarez.org
    Hosts: 56.43.234.1 www.inwarez.org
    Hosts: 56.43.234.1 93.174.93.193>> This IP belongs to a site in the Netherlands:
    netname: NL-ECATEL
    descr: ECATEL LTD
    descr: Dedicated servers
    descr: http://www.ecatel.net/
    country: NL


    Checking on inwarez shows the "Website InWarez.org for SALE!"
    The Domain appears to have been:
    Since you mentioned this:
    If you are an employee of the USPS, I would advise you to immediately contact the USPS IT.

    I'm still checking the logs you left and will be able to see more if you have run the scans I asked for. But if this is connected in any way to the USPS, this needs to be brought to their cyber crimes department.

    I'd like you to do the following: Please print directions for reference:

    You will need to do a DNS Flush, then reset your router.
    Start> Run> type cmd> enter> at the C prompt type ipconfig /flushdns (note space before the /)

    Exit the Command prompt when finished and shut the system down.

    [1]. Shut down your computer, and any other computer connected to your router.
    [2]. On the back of the router, there should be a small hole or button labelled RESET. Using a bent paper clip or similar item, hold that in continuously for twenty seconds.
    [3]. Unplug the router. Wait sixty seconds.
    [4]. Now holding again the reset button, plug it back in. Continue holding the reset button for twenty seconds. Unplug the router again.
    [5]. With the router unplugged, start your computer. Run MBAM again.
    [6]. Connect to the router again. Then turn the router back on.
    [7]. When it stabilizes, reboot your workstation and try to access the internet. If you have any issues, access the Router configuration page and re-enter your authentication information.
    [8]. Reboot the system and test the internet. You may have to reconfigure the router settings based on your setup.
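
An added example, not part of the original post: a small Python audit of a hosts file that flags the kind of mappings quoted above (names pointed at a non-loopback address, and a "name" field that is itself an IP literal). The sample file is constructed from the entries in the post, and the function names are illustrative.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: a default entry plus mappings quoted in the post above.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
56.43.234.1     inwarez.com
56.43.234.1     www.inwarez.com   # trailing comment
56.43.234.1     inwarez.net
56.43.234.1     93.174.93.193
not-an-ip       example.test
"""

def parse_hosts(text):
    """Yield (line_no, address, names) per mapping line; comments and blanks are skipped."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].split()
        if len(body) >= 2:
            yield line_no, body[0], body[1:]

def is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def audit_hosts(text):
    """Return findings as (line_no, reason, address, name) tuples."""
    findings = []
    for line_no, addr, names in parse_hosts(text):
        if not is_ip(addr):
            findings.append((line_no, "malformed-address", addr, " ".join(names)))
            continue
        ip = ipaddress.ip_address(addr)
        for name in names:
            if is_ip(name):
                findings.append((line_no, "name-is-ip-literal", addr, name))
            elif not (ip.is_loopback or ip.is_unspecified):
                # Loopback/0.0.0.0 entries are blocklist-style; anything else redirects traffic.
                findings.append((line_no, "redirect-to-remote-address", addr, name))
    return findings

def redirect_targets(findings):
    """Group redirected names by the address they were pointed at."""
    grouped = defaultdict(list)
    for _, reason, addr, name in findings:
        if reason == "redirect-to-remote-address":
            grouped[addr].append(name)
    return dict(grouped)

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

On a live XP system the file to read is %WinDir%\system32\drivers\etc\hosts.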
     
  4. jdematt

    jdematt TS Rookie Topic Starter

    No, I don't work for USPS. I'm still running GMER (it's been about 4 hours!), and then I will run combofix and post logs upon completion. Thanks for the help in advance :)
     
  5. Bobbye


    Curious! I have to wonder what the USPS IP is doing on your system as host.
     
  6. jdematt


    That makes two of us! Here is the GMER log, running combofix after a reboot.
     


  7. Bobbye


    You need to remove this now:
    Name: RelevantKnowledge
    Description: Add or Remove Programs entry for Marketscore.RelevantKnowledge. RelevantKnowledge is a MarketScore variant that monitors browsing habits and sends unsolicited advertisements. RelevantKnowledge is bundled in many freeware utilities. The related rlvknlg.exe file is a backdoor proxy component.


    Go to Start> Run> type in cmd> on the Command screen, copy and paste the following:
    %WinDir%\rlvknlg.exe -bootremove -uninst:RelevantKnowledge

    Enter. When finished, reboot.
    This spyware is starting on boot. You can't do any cleaning while it does. After running the uninstall, check Add/Remove Programs. If it's still there, uninstall.
    Then use Windows Explorer: windows key + E: click on My Computer> double click Local Drive (C)> Programs> look for Relevant Knowledge or Marketscore. If folder is found, do a right click> Delete.

    If you get any error message doing this, boot into Safe Mode to do it:

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    Then please go ahead with Combofix and the Eset scan. GMER is clear.
     
  8. jdematt


    Here is the combofix log. I'm going to run Eset scan now. Relevant knowledge was not found on this computer, I did a deep scan of the hard drive in all locations to confirm (unless it changed the executable's name).
     

  9. jdematt


    Oh, I also thought it might be helpful for you to know that I cannot use Internet Explorer at all, it hangs on startup and I must end the task within a few seconds or the whole pc shuts down with it!
     
  10. Bobbye


    Okay, right off let's try and pin down the problem with IE: Look at the time when it hangs on the computer clock. Then see if there is an Error that corresponds to that time in the Event Viewer: The Events are time coded. If you have to force it to get a time check, do it:

    Check Applications first> look for something similar to this:
    Source: Application Hang
    Event ID:1002
    Category:(101)
    Hanging application IEXPLORE.EXE,version 6.0.2900.2180,hang module ???? hungapp,version 0.0.0.0,
    hang address,0x00000000


    Start> Run> type in eventvwr

    Do this on each of the System and the Applications logs:
    [1]. Click to open the log>
    [2]. Look for the Error>
    [3]. Right click on the Error> Properties>
    [4]. Click on Copy button, top right, below the down arrow >
    [5]. Paste here (Ctrl V)
    [6]. NOTES
    • You can ignore Warnings and Information Events.
    • If you have a recurring Error with same ID#, same Source and same Description, only one copy is needed.
    • You don't need to include the lines of code in the box below the Description, if any.
    • Please do not copy the entire Event log.

    If there isn't anything this obvious, check the System log also for corresponding time.
    =======================================
    I see at least 5 active antivirus programs running. Please run the following:

    Security Check

    Download Security Check and save it to your Desktop.
    • Double-click SecurityCheck.exe to run.
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post this log in your next reply.
     
  11. jdematt


    Eset scan got up to 47%, showing 12 infections then the computer froze. However, now I can use internet explorer.... WEIRD.
    I did find this around the time of the crash however:

    Event Type: Error
    Event Source: Application Error
    Event Category: None
    Event ID: 1000
    Date: 6/10/2010
    Time: 9:43:48 AM
    User: N/A
    Computer: JIM
    Description:
    Faulting application iexplore.exe, version 8.0.6001.18702, faulting module unknown, version 0.0.0.0, fault address 0x01ec8264.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    Security Check Log:

    Results of screen317's Security Check version 0.99.4
    Windows XP Service Pack 3
    Internet Explorer 8
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Security Center service is not running! This report may not be accurate!
    Windows Firewall Enabled!
    avast! Pro Antivirus
    ESET Online Scanner v3
    Antivirus up to date!
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Malwarebytes' Anti-Malware
    Java DB 10.5.3.0
    Java(TM) 6 Update 20
    Java(TM) SE Development Kit 6 Update 18
    Adobe Flash Player 10.0.42.34
    Mozilla Firefox (3.5.9) Firefox Out of Date!
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    Malwarebytes' Anti-Malware mbamservice.exe
    Alwil Software Avast5 AvastSvc.exe
    ````````````````````````````````
    DNS Vulnerability Check:

    GREAT! (Not vulnerable to DNS cache poisoning)

    ``````````End of Log````````````
     
  12. Bobbye


    Are you aware that in addition to the multiple AV programs, you are also running the F-Secure BlackLight Beta Engine Driver in the background?

    Clearly this is not the average home computer of members who seek help. In addition to the IP for the USPS and inwarez, I have also found:
    IP 99.52.142.169>> ZEBRA IMAGING INC,Private Address, Plano, TX.
    IP 255.255.255.255>> sub-net mask
    IP 172.16.101.1>> Private


    Plus there are multiple directories on the C drive containing 'mystery' names such as:
    C:\ccJobMgr.dat 6/2/2010
    C:\SWSETUP 6/10/2010
    C:\found.000
    C:\987629bfefd58cb45b
    C:\GOTSent24b7>> beta version of GOTSent
    C:\windows-fix 5/26/2010
    C:\NeroAACCodec


    And other downloads with 'mystery' names such as:
    Mystery program or process names:
    c:\program files\Charles 2/19/2010
    c:\program files\MarkAny (5/25/2010)


    I do realize you have or had malware, but these don't appear to be malware.
    What's going on please?
     
  13. Bobbye


    Please print the instructions below for this program. You will not have access to the directions once you have started.

    Please download HelpAsst mebroot fix.exe by noahdefrea and save to your desktop
    • Close out all other open programs and windows.
    • Double-click on it to run the tool and follow any prompts.
    • If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer.
    • Upon restarting, please wait about 5 minutes, go to > Run..., and in the Open dialog box, type: helpasst -mbrt
      Make sure you leave a space between helpasst and -mbrt.
    • Click OK or press Enter.
    • HelpAsst fix will create and open a log when done.
    • Copy and paste the contents of that log into your next reply.
    In the event the tool does not detect an mbr infection and completes, do this:
    • Go to > Run> in the Open dialog box type: mbr -f
    • Click OK or press Enter.
    • Now, please do the Start > Run > mbr -f command a second time.
    • Shut down the computer (do not restart, but shut it down). Wait about five minutes, then start it back up.
    • After restart go to > Run> in the Open dialog box, type: helpasst -mbrt
      Make sure you leave a space between helpasst and -mbrt.
    • Click OK or press Enter.
    • HelpAsst fix will create and open a log when done.
    • Copy and paste the contents of that log into your next reply.

    -- Important note to Dell users: Fixing the mbr may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a few known fixes for this, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not allow the tool to execute mbr -f nor execute the command manually. You will either need to restore your computer to a factory state or allow your computer to remain having an infected mbr (the latter not recommended).
    Source: BleepingComputer
    =============================
    Unfortunately, that Event doesn't give us any useful info.

    Guess I'm going to have to find another security program scanner!
    It missed:
    c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
    c:\documents and settings\Administrator\Local Settings\Application Data\Threat Expert

    6/2,6/3/2010
    c:\program files\1261582753
    c:\program files\Norton Internet Security
    c:\documents and settings\All Users\Application Data\NortonInstaller
    c:\program files\NortonInstaller
    c:\windows\system32\drivers\NIS(2)
    c:\documents and settings\All Users\Application Data\Norton

    5/25/2010
    c:\documents and settings\All Users\Application Data\PC Suite
    c:\documents and settings\Administrator\Application Data\PC Suite
    F-Secure BlackLight Beta Engine Driver

    Question also:
    Trusted Zone: autotask.com
    Trusted Zone: autotask.net

    Did you put these in the Trusted Zone?
     
  14. jdematt


    Yes, the autotask entries I did enter. I'll let you know what happens after your next suggested test!
     
  15. jdematt


    Where did you find this?
    These were created by me, except for the found.000 and ccJobmgr.dat

    I uninstalled charles because I also had no idea WTF it was, MarkAny I will have to look into.
     
  16. jdematt


    HelpAsst found and fixed potential rootkits. Here's the log file.
     


  17. Bobbye


    Sorry- don't know why you got so far down on the page!

    About the c:\ entries I asked about. As you probably know, they are Directories. I have to be able to identify the contents in order to determine if they can be allowed to remain or should be removed. If you recognize the title and set them up, that's fine- just be sure you know what files are in them. Malware can hide all over!

    Are you asking where I found the information about the IP? Combofix report, Reply #8.
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\persistentroutes]
    "99.52.142.169,255.255.255.255,172.16.101.1,1"=""


    What is the status now regarding the original malware problems?
    Please rescan with Combofix to see if any entries remain that need to be moved.
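
An added example, not part of the original post: decoding the PersistentRoutes value name quoted above. Windows stores each persistent route as a value named destination,netmask,gateway,metric; the function names and note labels here are illustrative.

```python
import ipaddress

# Value name exactly as quoted from the ComboFix report in the post above.
SAMPLE_VALUE = "99.52.142.169,255.255.255.255,172.16.101.1,1"

def parse_persistent_route(value_name):
    """Split a PersistentRoutes value name into destination network, gateway and metric."""
    dest, mask, gateway, metric = [part.strip() for part in value_name.split(",")]
    # ip_network accepts "address/netmask"; strict=True rejects host bits outside the mask.
    network = ipaddress.ip_network(f"{dest}/{mask}", strict=True)
    return {
        "network": network,
        "gateway": ipaddress.ip_address(gateway),
        "metric": int(metric),
    }

def describe_route(value_name):
    """Return short review notes for one persistent route, or a parse error note."""
    try:
        route = parse_persistent_route(value_name)
    except ValueError as exc:  # wrong field count, bad address, bad metric
        return [f"unparseable: {exc}"]
    notes = []
    network, gateway = route["network"], route["gateway"]
    if network.prefixlen == network.max_prefixlen:
        notes.append("host-route")          # a single destination address
    if not network.is_private:
        notes.append("public-destination")  # traffic to an Internet address
    if gateway.is_private:
        notes.append("private-gateway")     # next hop is on an RFC 1918 network
    return notes

if __name__ == "__main__":
    print(parse_persistent_route(SAMPLE_VALUE))
    print(describe_route(SAMPLE_VALUE))
```

A host route to a public address through a private gateway is what a VPN client or a manually added `route -p` entry typically leaves behind, so the notes are prompts for review, not verdicts.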
     
  18. jdematt


    After listening to your advice, in addition to deleting those C: entries that were unnecessary, my pc seems to be back to normal finally. I really appreciate all of your help Bobbye!! You've been a huge aid in solving this problem :)
     
  19. Bobbye


    You should finish up. But I will close the thread as requested.
     
Topic Status:
Not open for further replies.
