
System Check Trojan

Discussion in 'Virus and Malware Removal' started by Heavywood, Mar 21, 2012.

  1. Heavywood Newcomer, in training Posts: 29

    Had this Trojan pop up the other day after running Malwarebytes. Fortunately I was able to find this site. Thanks for all help in advance.

    Ran Avast first off. Ran Malware bytes again:

    Malwarebytes Anti-Malware 1.60.1.1000
    www.malwarebytes.org

    Database version: v2012.03.19.05

    Windows XP Service Pack 3 x86 NTFS (Safe Mode/Networking)
    Internet Explorer 8.0.6001.18702
    Robert Moulton :: GAMER [administrator]

    3/20/2012 5:12:34 PM
    mbam-log-2012-03-20 (17-12-34).txt

    Scan type: Full scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 489890
    Time elapsed: 1 hour(s), 39 minute(s), 31 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 3
    C:\Documents and Settings\Robert Moulton\Desktop\setup_av_free.exe (PUP.BundleInstaller.OI) -> No action taken.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP112\A0031656.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP112\A0031657.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    (end)
  2. Heavywood Newcomer, in training Posts: 29

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2012-03-21 18:22:59
    Windows 5.1.2600 Service Pack 3
    Running: 4qi37m06.exe; Driver: C:\DOCUME~1\ROBERT~1\LOCALS~1\Temp\kxtdqpow.sys


    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x38 0x8F 0xBA 0x91 ...
    Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
    Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x38 0x8F 0xBA 0x91 ...

    ---- EOF - GMER 1.0.15 ----
  3. Heavywood Newcomer, in training Posts: 29

    I tried running the DDS Script in safe mode, but got a blue screen about a Driver IRQL not less or equal. I'm unsure if that is related or not, but that pops up every time I'm in standard Windows mode.
  4. Broni Malware Annihilator Posts: 39,312   +175

    Welcome aboard

    Please, observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    =================================================================

    Any particular reason why you try to run all scans from safe mode?

    Your MBAM log says "No action taken".
    Re-run it, fix ALL issues and post new log.
  5. Heavywood Newcomer, in training Posts: 29

    I didn't have the program delete the one file because I recognized it as the program I used to download Avast anti virus.

    I'm running all these in safe mode because normal Windows mode is crashing on me after 10-15 minutes with the same error I get when running DDS script.

    I'll run the scan again though and post up results. I suspect whatever I removed is back because my search engine results are being hijacked again.
  6. Broni Malware Annihilator Posts: 39,312   +175

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start scan.
    On completion of the scan click "Save log", save it to your desktop and post in your next reply.

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

    ================================================================

    Download Bootkit Remover to your desktop.

    • Unzip downloaded file to your Desktop.
    • Double-click on boot_cleaner.exe to run the program (Vista/7 users, right click on boot_cleaner.exe and click Run As Administrator).
    • It will show a Black screen with some data on it.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.
     
  7. Heavywood Newcomer, in training Posts: 29

    I've downloaded both tools, but I'm unable to get aswMBR to open. I've double clicked, hit enter, and tried right clicking and opening. Should I still run the Bootkit program?
  8. Heavywood Newcomer, in training Posts: 29

    I ran the bootkit program, I didn't see what harm it would do. Results:

    Bootkit Remover
    (c) 2009 Esage Lab
    www.esagelab.com

    Program version: 1.2.0.1
    OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`02f10c00

    Size Device Name MBR Status
    --------------------------------------------
    298 GB \\.\PhysicalDrive0 Controlled by rootkit!

    Boot code on some of your physical disks is hidden by a rootkit.
    To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>
    To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]


    Done;
    Press any key to quit...
  9. Broni Malware Annihilator Posts: 39,312   +175

    Download TDSSKiller and save it to your desktop.
    • Extract (unzip) its contents to your desktop.
    • Open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
  10. Heavywood Newcomer, in training Posts: 29

    I've downloaded that program as well, and it won't run either. My system acts like it is trying to open it, but nothing ends up opening.

    I tried in safe mode and normal mode. I've actually been in normal mode for 20 minutes with no crash, though it is pretty slow going.
  11. Broni Malware Annihilator Posts: 39,312   +175

    You may not be patient enough but let's check something else....

    Please download and run ListParts by Farbar (for 32-bit system) to your desktop.

    Please download and run ListParts64 by Farbar (for 64-bit system) to your desktop.

    Click on Scan button.

    Scan result will open in Notepad.
    Post it in your next reply.
  12. Heavywood Newcomer, in training Posts: 29

    I've run the 32 bit program. Windows told me the 64 bit isn't compatible.

    ListParts by Farbar Version: 12-03-2012 03
    Ran by Robert Moulton (administrator) on 22-03-2012 at 20:17:37
    Windows XP (X86)
    Running From: C:\Documents and Settings\Robert Moulton\Desktop
    Language: 0409
    ************************************************************

    ========================= Memory info ======================

    Percentage of memory in use: 50%
    Total physical RAM: 1022.09 MB
    Available physical RAM: 510.09 MB
    Total Pagefile: 2457.77 MB
    Available Pagefile: 1743.21 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 1991.14 MB

    ======================= Partitions =========================

    1 Drive c: () (Fixed) (Total:293.4 GB) (Free:19.02 GB) NTFS ==>[Drive with boot components (Windows XP)]
    3 Drive e: (ROMETWBI) (CDROM) (Total:0.64 GB) (Free:0 GB) CDFS

    Disk ### Status Size Free Dyn Gpt
    -------- ---------- ------- ------- --- ---
    Disk 0 Online 298 GB 0 B

    Partitions of Disk 0:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 OEM 47 MB 32 KB
    Partition 2 Primary 293 GB 47 MB
    Partition 3 Unknown 4754 MB 293 GB
    Partition 4 Unknown 2544 KB 298 GB
    ======================================================================================================

    Disk: 0
    Partition 1
    Type : DE
    Hidden: Yes
    Active: No

    There is no volume associated with this partition.
    ======================================================================================================

    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 3 C NTFS Partition 293 GB Healthy Boot
    ======================================================================================================

    Disk: 0
    Partition 3
    Type : DB
    Hidden: Yes
    Active: No

    There is no volume associated with this partition.
    ======================================================================================================

    Disk: 0
    Partition 4
    Type : 17 (Suspicious Type)
    Hidden: Yes
    Active: Yes

    There is no volume associated with this partition.
    ======================================================================================================

    ****** End Of Log ******
  13. Broni Malware Annihilator Posts: 39,312   +175

    It looks like we have a rootkited partition there.

    WARNING!
    Proceed with extreme caution!
    Deleting the wrong partition will result in your computer being unusable.
    If you have any doubts, ask.


    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Download GETxPUD.exe to the desktop of your clean computer

    • Double click on GETxPUD.exe
    • A new folder will appear on the desktop.
    • Open the GETxPUD folder and click on the get&burn.bat
    • The program will download xpud_0.9.2.iso, and upon finished will open BurnCDCC ready to burn the image.
    • Insert blank CD into your CD drive.
    • Click on Start and follow the prompts to burn the image to a CD.
    • Boot bad computer from the CD
    • Click Menu then Terminal Emulator
    • Type parted /dev/sda set 2 boot on
    • Press Enter
    • Type parted /dev/sda rm 4
    • Press Enter
    • Remove xPUD CD, reboot, run aswMBR and post the log
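The reasoning behind post 13 is visible in the ListParts log from post 12: partition 4 is hidden, has no volume Windows can see, yet carries the active (bootable) flag, while the NTFS partition that actually holds Windows (partition 2, volume C, "Boot") is not active. That is the signature of a bootkit that has parked its loader in a hidden partition and pointed the MBR boot flag at it, which is why the fix moves the boot flag back to partition 2 before removing partition 4. The script below is an added example, not a tool from the thread or from Farbar; it parses the per-partition blocks of a ListParts log (the sample is constructed from the log quoted above, with the separator lines shortened) and flags this pattern. The partition type names are a small reference table I added; the field names and parsing regex are my own assumptions about the log layout, based only on the text above.

```python
import re

# Constructed sample: the per-partition blocks of the ListParts log quoted in
# post 12, with the long "====" separator lines shortened.
SAMPLE_LOG = """\
Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No

There is no volume associated with this partition.
==========

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 C NTFS Partition 293 GB Healthy Boot
==========

Disk: 0
Partition 3
Type : DB
Hidden: Yes
Active: No

There is no volume associated with this partition.
==========

Disk: 0
Partition 4
Type : 17 (Suspicious Type)
Hidden: Yes
Active: Yes

There is no volume associated with this partition.
==========
"""

# Well-known MBR partition type IDs, used only to label the report (not complete).
KNOWN_TYPES = {
    0x07: "NTFS/HPFS/exFAT",
    0x17: "hidden NTFS/HPFS",
    0xDB: "CP/M / Concurrent DOS (also used by Dell recovery)",
    0xDE: "Dell utility",
}

# One ListParts partition block: header fields, then either a volume table or
# the "no volume" sentence, terminated by a line of '=' characters.
BLOCK_RE = re.compile(
    r"Disk:\s*(?P<disk>\d+)\s*\n"
    r"Partition\s+(?P<num>\d+)\s*\n"
    r"Type\s*:\s*(?P<type>[0-9A-Fa-f]{2})\b[^\n]*\n"
    r"Hidden:\s*(?P<hidden>Yes|No)\s*\n"
    r"Active:\s*(?P<active>Yes|No)\s*\n"
    r"(?P<rest>.*?)(?=\n=+|\Z)",
    re.DOTALL,
)


def parse_listparts(text):
    """Return one dict per partition block found in a ListParts log."""
    parts = []
    for m in BLOCK_RE.finditer(text):
        rest = m.group("rest")
        parts.append({
            "disk": int(m.group("disk")),
            "number": int(m.group("num")),
            "type": int(m.group("type"), 16),
            "hidden": m.group("hidden") == "Yes",
            "active": m.group("active") == "Yes",
            "has_volume": "There is no volume" not in rest,
            # A volume row whose Info column ends in "Boot" holds the running OS.
            "is_boot": re.search(r"Volume\s+\d+.*\bBoot\s*$", rest, re.M) is not None,
        })
    return parts


def find_suspicious(parts):
    """Partitions that are flagged active (the MBR boot code will load them)
    but are hidden and have no volume the OS can see or scan."""
    return [p["number"] for p in parts
            if p["active"] and p["hidden"] and not p["has_volume"]]


def boot_volume_partition(parts):
    """Number of the partition whose volume Windows reports as Boot, or None."""
    for p in parts:
        if p["is_boot"]:
            return p["number"]
    return None


def report(text):
    parts = parse_listparts(text)
    lines = []
    for p in parts:
        label = KNOWN_TYPES.get(p["type"], "unknown")
        lines.append(f"disk {p['disk']} partition {p['number']}: type 0x{p['type']:02X} ({label}), "
                     f"hidden={p['hidden']}, active={p['active']}, volume={p['has_volume']}")
    for n in find_suspicious(parts):
        lines.append(f"SUSPICIOUS: partition {n} is hidden, has no volume, and holds the boot flag")
    os_part = boot_volume_partition(parts)
    if os_part is not None and not parts[os_part - 1]["active"]:
        lines.append(f"NOTE: the OS volume is on partition {os_part}, which is NOT marked active")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

On the sample this reports partition 4 as suspicious and notes that the OS volume on partition 2 lacks the active flag, which matches the two parted commands in the post above (set the boot flag on 2, then remove 4). The check is deliberately narrow: a hidden OEM or recovery partition that is not active (partitions 1 and 3 here) is normal on a vendor-built machine and is not flagged.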
  14. Heavywood Newcomer, in training Posts: 29

    When you say clean computer, does that mean I have to do this on a different computer? I only have this rootkit-ed computer.
  15. Broni Malware Annihilator Posts: 39,312   +175

    Go on and use this computer.
  16. Heavywood Newcomer, in training Posts: 29

    Ok, wish me luck!
  17. Heavywood Newcomer, in training Posts: 29

    Burned the iso to a DVD, booted from the disc, selected English and got an error,

    Cannot display this video mode
    Optimum resolution 1280x1024 60Hz

    Any way to change the resolution? I don't see anything on my monitor settings to change it.
  18. Broni Malware Annihilator Posts: 39,312   +175

    I'm not familiar with this error.
    Possibly bad download, or bad burn.
    I'd also suggest CD-R not DVD.
  19. Heavywood Newcomer, in training Posts: 29

    I think it is a monitor problem. It showed up where the monitor settings box appears, and had the same text. I'll dig out my user guide to check on switching the settings.
  20. Broni Malware Annihilator Posts: 39,312   +175

    OK............