TechSpot

Websites redirected, can't run Windows Update, can't install Malwarebytes

Inactive
By weety
Oct 3, 2012
  1. weety

    weety TS Rookie Topic Starter Posts: 60

    ESET scan now finished -- no threats found.
  2. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

  3. weety

    weety TS Rookie Topic Starter Posts: 60

    I followed the steps and ran the repair overnight... but all the problems still seem to remain.
  4. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Let me see a scan from this tool, and also let me know if it helps...

    RogueKiller Scan

    • Download RogueKiller and save it on your desktop.
    • Quit all programs
    • Start RogueKiller.exe.
    • Wait until Prescan has finished ...
    • Click on Scan
    [​IMG]

    • Wait for the end of the scan.
    • The report has been created on the desktop.
    • Click on the Delete button.
    [​IMG]

    • The report has been created on the desktop.
    • Next click on the ShortcutsFix

      [​IMG]
    • The report has been created on the desktop.
    Please post:

    All RKreport.txt text files located on your desktop.
  5. weety

    weety TS Rookie Topic Starter Posts: 60

    RogueKiller V8.1.1 [10/03/2012] by Tigzy
    mail: tigzyRK<at>gmail<dot>com
    Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Website: http://tigzy.geekstogo.com/roguekiller.php
    Blog: http://tigzyrk.blogspot.com

    Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
    Started in : Normal mode
    User : hmc05 [Admin rights]
    Mode : Scan -- Date : 10/11/2012 10:19:20

    ¤¤¤ Bad processes : 0 ¤¤¤

    ¤¤¤ Registry Entries : 2 ¤¤¤
    [HJ] HKLM\[...]\Security Center : FirewallDisableNotify (1) -> FOUND
    [HJ] HKLM\[...]\Security Center : UpdatesDisableNotify (1) -> FOUND

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver : [LOADED] ¤¤¤
    SSDT[31] : NtConnectPort @ 0x805A45D8 -> HOOKED (Unknown @ 0x8A103C80)
    SSDT[206] : NtResumeThread @ 0x805D4A18 -> HOOKED (Unknown @ 0x8A0CB910)
    IRP[IRP_MJ_CREATE] : Unknown -> HOOKED ([MAJOR] atapi.sys @ 0xB9E09B40)
    IRP[IRP_MJ_CLOSE] : Unknown -> HOOKED ([MAJOR] atapi.sys @ 0xB9E09B40)
    IRP[IRP_MJ_DEVICE_CONTROL] : Unknown -> HOOKED ([MAJOR] atapi.sys @ 0xB9E09B40)
    IRP[IRP_MJ_INTERNAL_DEVICE_CONTROL] : Unknown -> HOOKED ([MAJOR] atapi.sys @ 0xB9E09B40)
    IRP[IRP_MJ_POWER] : Unknown -> HOOKED ([MAJOR] atapi.sys @ 0xB9E09B40)
    IRP[IRP_MJ_SYSTEM_CONTROL] : Unknown -> HOOKED ([MAJOR] atapi.sys @ 0xB9E09B40)
    IRP[IRP_MJ_PNP] : Unknown -> HOOKED ([MAJOR] atapi.sys @ 0xB9E09B40)
    IRP[DriverStartIo] : Unknown -> HOOKED ([MAJOR] atapi.sys @ 0xB9E07864)

    ¤¤¤ HOSTS File: ¤¤¤
    --> C:\WINNT\system32\drivers\etc\hosts

    127.0.0.1 localhost


    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: WDC WD2500AAJS-60M0A0 +++++
    --- User ---
    [MBR] 2b43a5f16e59551b19a2a7ead171c7e1
    [BSP] 1c79d55edf5a9913ab060845cb2c75e5 : Windows XP MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 238464 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    Finished : << RKreport[1].txt >>
    RKreport[1].txt
  6. weety

    weety TS Rookie Topic Starter Posts: 60

    RogueKiller V8.1.1 [10/03/2012] by Tigzy
    mail: tigzyRK<at>gmail<dot>com
    Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Website: http://tigzy.geekstogo.com/roguekiller.php
    Blog: http://tigzyrk.blogspot.com
    Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
    Started in : Normal mode
    User : hmc05 [Admin rights]
    Mode : Remove -- Date : 10/11/2012 10:19:43
    ¤¤¤ Bad processes : 0 ¤¤¤
    ¤¤¤ Registry Entries : 2 ¤¤¤
    [HJ] HKLM\[...]\Security Center : FirewallDisableNotify (1) -> REPLACED (0)
    [HJ] HKLM\[...]\Security Center : UpdatesDisableNotify (1) -> REPLACED (0)
    ¤¤¤ Particular Files / Folders: ¤¤¤
    ¤¤¤ Driver : [LOADED] ¤¤¤
    SSDT[31] : NtConnectPort @ 0x805A45D8 -> HOOKED (Unknown @ 0x8A103C80)
    SSDT[206] : NtResumeThread @ 0x805D4A18 -> HOOKED (Unknown @ 0x8A0CB910)
    IRP[IRP_MJ_CREATE] : Unknown -> HOOKED ([MAJOR] atapi.sys @ 0xB9E09B40)
    IRP[IRP_MJ_CLOSE] : Unknown -> HOOKED ([MAJOR] atapi.sys @ 0xB9E09B40)
    IRP[IRP_MJ_DEVICE_CONTROL] : Unknown -> HOOKED ([MAJOR] atapi.sys @ 0xB9E09B40)
    IRP[IRP_MJ_INTERNAL_DEVICE_CONTROL] : Unknown -> HOOKED ([MAJOR] atapi.sys @ 0xB9E09B40)
    IRP[IRP_MJ_POWER] : Unknown -> HOOKED ([MAJOR] atapi.sys @ 0xB9E09B40)
    IRP[IRP_MJ_SYSTEM_CONTROL] : Unknown -> HOOKED ([MAJOR] atapi.sys @ 0xB9E09B40)
    IRP[IRP_MJ_PNP] : Unknown -> HOOKED ([MAJOR] atapi.sys @ 0xB9E09B40)
    IRP[DriverStartIo] : Unknown -> HOOKED ([MAJOR] atapi.sys @ 0xB9E07864)
    ¤¤¤ HOSTS File: ¤¤¤
    --> C:\WINNT\system32\drivers\etc\hosts
    127.0.0.1 localhost
    ¤¤¤ MBR Check: ¤¤¤
    +++++ PhysicalDrive0: WDC WD2500AAJS-60M0A0 +++++
    --- User ---
    [MBR] 2b43a5f16e59551b19a2a7ead171c7e1
    [BSP] 1c79d55edf5a9913ab060845cb2c75e5 : Windows XP MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 238464 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!
    Finished : << RKreport[2].txt >>
    RKreport[1].txt ; RKreport[2].txt
  7. weety

    weety TS Rookie Topic Starter Posts: 60

    RogueKiller V8.1.1 [10/03/2012] by Tigzy
    mail: tigzyRK<at>gmail<dot>com
    Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Website: http://tigzy.geekstogo.com/roguekiller.php
    Blog: http://tigzyrk.blogspot.com
    Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
    Started in : Normal mode
    User : hmc05 [Admin rights]
    Mode : Shortcuts HJfix -- Date : 10/11/2012 10:32:43
    ¤¤¤ Bad processes : 0 ¤¤¤
    ¤¤¤ Driver : [LOADED] ¤¤¤
    ¤¤¤ File attributes restored: ¤¤¤
    Desktop: Success 0 / Fail 0
    Quick launch: Success 0 / Fail 0
    Programs: Success 1 / Fail 0
    Start menu: Success 0 / Fail 0
    User folder: Success 11 / Fail 0
    My documents: Success 13 / Fail 13
    My favorites: Success 0 / Fail 0
    My pictures: Success 0 / Fail 0
    My music: Success 0 / Fail 0
    My videos: Success 0 / Fail 0
    Local drives: Success 35 / Fail 0
    Backup: [NOT FOUND]
    Drives:
    [C:] \Device\HarddiskVolume1 -- 0x3 --> Restored
    [D:] \Device\CdRom0 -- 0x5 --> Skipped
    [H:] \Device\WinDfs\H:000000000002db57 -- 0x4 --> Skipped
    [L:] \Device\LanmanRedirector\;L:000000000002db57\icnfs-ee.cc.ic.ac.uk\hmc05 -- 0x4 --> Skipped
    [V:] \Device\LanmanRedirector\;V:000000000002db57\skynet.ee.ic.ac.uk\udrc -- 0x4 --> Skipped
    [W:] \Device\LanmanRedirector\;W:000000000002db57\skynet.ee.ic.ac.uk\shared -- 0x4 --> Skipped
    [Y:] \Device\LanmanRedirector\;Y:000000000002db57\skynet.ee.ic.ac.uk\hcomminweb -- 0x4 --> Skipped
    [Z:] \Device\LanmanRedirector\;Z:000000000002db57\skynet.ee.ic.ac.uk\hcommin -- 0x4 --> Skipped
    Finished : << RKreport[3].txt >>
    RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt
  8. weety

    weety TS Rookie Topic Starter Posts: 60

    Websites still being blocked... but I just noticed that the Windows Update icon has popped up in the system tray asking to reboot. (Haven't seen that in a while... will see if there are any changes after reboot).

    EDIT: Windows Update failed... but I seem to remember this happening a while ago, so it may be a separate problem. The failed update was: Security Update for Windows XP (KB2724197).
  9. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
    • Make sure the following options are checked:
      • Internet Services
      • Windows Firewall
      • System Restore
      • Security Center
      • Windows Update
      • Windows Defender
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please copy and paste the log to your reply.

    Check Partitions

    Please download Listparts
    Run the tool,
    check the "list BCD" box
    click "Scan" and post the log (Result.txt) it makes.
  10. weety

    weety TS Rookie Topic Starter Posts: 60

    Farbar Service Scanner Version: 07-10-2012
    Ran by hmc05 (administrator) on 11-10-2012 at 15:48:46
    Running from "C:\Documents and Settings\hmc05\Desktop"
    Microsoft Windows XP Professional Service Pack 3 (X86)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Yahoo IP is accessible.
    Yahoo.com is accessible.


    Windows Firewall:
    =============

    Firewall Disabled Policy:
    ==================


    System Restore:
    ============

    System Restore Disabled Policy:
    ========================


    Security Center:
    ============
    wscsvc Service is not running. Checking service configuration:
    The start type of wscsvc service is set to Disabled. The default start type is Auto.
    The ImagePath of wscsvc service is OK.
    The ServiceDll of wscsvc service is OK.


    Windows Update:
    ============

    Windows Autoupdate Disabled Policy:
    ============================


    File Check:
    ========
    C:\WINNT\system32\dhcpcsvc.dll => MD5 is legit
    C:\WINNT\system32\Drivers\afd.sys => MD5 is legit
    C:\WINNT\system32\Drivers\netbt.sys => MD5 is legit
    C:\WINNT\system32\Drivers\tcpip.sys => MD5 is legit
    C:\WINNT\system32\Drivers\ipsec.sys => MD5 is legit
    C:\WINNT\system32\dnsrslvr.dll => MD5 is legit
    C:\WINNT\system32\ipnathlp.dll => MD5 is legit
    C:\WINNT\system32\netman.dll => MD5 is legit
    C:\WINNT\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\WINNT\system32\srsvc.dll => MD5 is legit
    C:\WINNT\system32\Drivers\sr.sys => MD5 is legit
    C:\WINNT\system32\wscsvc.dll => MD5 is legit
    C:\WINNT\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\WINNT\system32\wuauserv.dll => MD5 is legit
    C:\WINNT\system32\qmgr.dll => MD5 is legit
    C:\WINNT\system32\es.dll => MD5 is legit
    C:\WINNT\system32\cryptsvc.dll => MD5 is legit
    C:\WINNT\system32\svchost.exe => MD5 is legit
    C:\WINNT\system32\rpcss.dll => MD5 is legit
    C:\WINNT\system32\services.exe => MD5 is legit

    Extra List:
    =======
    Gpc(6) IPSec(4) NetBT(5) PSched(7) SYMTDI(8) Tcpip(3)
    0x080000000400000001000000020000000300000008000000050000000600000007000000
    IpSec Tag value is correct.

    **** End of log ****
  11. weety

    weety TS Rookie Topic Starter Posts: 60

    ListParts by Farbar Version: 02-10-2012
    Ran by hmc05 (administrator) on 11-10-2012 at 15:50:48
    Windows XP (X86)
    Running From: C:\Documents and Settings\hmc05\Desktop
    Language: 0409
    ************************************************************

    ========================= Memory info ======================

    Percentage of memory in use: 27%
    Total physical RAM: 3017.17 MB
    Available physical RAM: 2184.25 MB
    Total Pagefile: 4902.21 MB
    Available Pagefile: 4246.68 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 1999.68 MB

    ======================= Partitions =========================

    1 Drive c: (EE-HMC05) (Fixed) (Total:232.88 GB) (Free:186.71 GB) NTFS ==>[Drive with boot components (Windows XP)]
    2 Drive d: (XP32PSP3_US) (CDROM) (Total:0.6 GB) (Free:0 GB) CDFS
    3 Drive h: (hmc05) (Network) (Total:8 GB) (Free:6.93 GB) NTFS
    4 Drive l: (hmc05) (Network) (Total:0.38 GB) (Free:0.19 GB) NTFS
    5 Drive v: (New Volume) (Network) (Total:90.45 GB) (Free:27.99 GB) NTFS
    6 Drive w: (New Volume) (Network) (Total:90.45 GB) (Free:27.99 GB) NTFS
    7 Drive y: (New Volume) (Network) (Total:90.45 GB) (Free:27.99 GB) NTFS
    8 Drive z: (New Volume) (Network) (Total:90.45 GB) (Free:27.99 GB) NTFS

    Disk ### Status Size Free Dyn Gpt
    -------- ---------- ------- ------- --- ---
    Disk 0 Online 233 GB 0 B

    Partitions of Disk 0:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 233 GB 32 KB
    ======================================================================================================

    Disk: 0
    Partition 1
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 C EE-HMC05 NTFS Partition 233 GB Healthy System (partition with boot components)
    ======================================================================================================

    ****** End Of Log ******
     
  12. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Do these look familiar?

    5 Drive v: (New Volume) (Network) (Total:90.45 GB) (Free:27.99 GB) NTFS
    6 Drive w: (New Volume) (Network) (Total:90.45 GB) (Free:27.99 GB) NTFS
    7 Drive y: (New Volume) (Network) (Total:90.45 GB) (Free:27.99 GB) NTFS
    8 Drive z: (New Volume) (Network) (Total:90.45 GB) (Free:27.99 GB) NTFS

    They're all network drives, is this computer on a business or educational network?


    Go to Start > Run, type in cmd and hit OK.

    Copy and paste this phrase in to the Command Prompt line:

    cmd /c (ipconfig /all&nslookup google.com&ping -n 2 google.com&route print) >log.txt&log.txt


    If you have troubles pasting it, right click on the Command Prompt window and click Paste. Then, hit Enter.

    Post the log that launches.
  13. weety

    weety TS Rookie Topic Starter Posts: 60

    Yes, those drives are familiar (they're on a server at work, but I can happily unmap them, as I hardly ever use them).

    I'm not at the infected computer now, but will post the log as soon as possible. Thanks again!
  14. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Okay. Will wait for log. :)
  15. weety

    weety TS Rookie Topic Starter Posts: 60

    The log file which popped up at the end was empty.


    In case it's helpful, here's a copy of the command window:

    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.

    H:\>cmd /c (ipconfig /all&nslookup google.com&ping -n 2 google.com&route print)
    >log.txt&log.txt
    Server: dns0.ic.ac.uk
    Address: 155.198.142.7

    Non-authoritative answer:
    Name: google.com
    Addresses: 173.194.41.72, 173.194.41.73, 173.194.41.78, 173.194.41.64
    173.194.41.65, 173.194.41.66, 173.194.41.67, 173.194.41.68, 173.194.41
    .69
    173.194.41.70, 173.194.41.71


    Pinging google.com [173.194.41.136] with 32 bytes of data:

    Reply from 173.194.41.136: bytes=32 time=3ms TTL=53
    Reply from 173.194.41.136: bytes=32 time=3ms TTL=53

    Ping statistics for 173.194.41.136:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 3ms, Maximum = 3ms, Average = 3ms

    Manipulates network routing tables.

    ROUTE [-f] [-p] [command [destination]
    [MASK netmask] [gateway] [METRIC metric] [IF interface]

    -f Clears the routing tables of all gateway entries. If this is
    used in conjunction with one of the commands, the tables are
    cleared prior to running the command.
    -p When used with the ADD command, makes a route persistent across
    boots of the system. By default, routes are not preserved
    when the system is restarted. Ignored for all other commands,
    which always affect the appropriate persistent routes. This
    option is not supported in Windows 95.
    command One of these:
    PRINT Prints a route
    ADD Adds a route
    DELETE Deletes a route
    CHANGE Modifies an existing route
    destination Specifies the host.
    MASK Specifies that the next parameter is the 'netmask' value.
    netmask Specifies a subnet mask value for this route entry.
    If not specified, it defaults to 255.255.255.255.
    gateway Specifies gateway.
    interface the interface number for the specified route.
    METRIC specifies the metric, ie. cost for the destination.

    All symbolic names used for destination are looked up in the network database
    file NETWORKS. The symbolic names for gateway are looked up in the host name
    database file HOSTS.

    If the command is PRINT or DELETE. Destination or gateway can be a wildcard,
    (wildcard is specified as a star '*'), or the gateway argument may be omitted.

    If Dest contains a * or ?, it is treated as a shell pattern, and only
    matching destination routes are printed. The '*' matches any string,
    and '?' matches any one char. Examples: 157.*.1, 157.*, 127.*, *224*.
    Diagnostic Notes:
    Invalid MASK generates an error, that is when (DEST & MASK) != DEST.
    Example> route ADD 157.0.0.0 MASK 155.0.0.0 157.55.80.1 IF 1
    The route addition failed: The specified mask parameter is invalid.
    (Destination & Mask) != Destination.

    Examples:

    > route PRINT
    > route ADD 157.0.0.0 MASK 255.0.0.0 157.55.80.1 METRIC 3 IF 2
    destination^ ^mask ^gateway metric^ ^
    Interface^
    If IF is not given, it tries to find the best interface for a given
    gateway.
    > route PRINT
    > route PRINT 157* .... Only prints those matching 157*
    > route CHANGE 157.0.0.0 MASK 255.0.0.0 157.55.80.5 METRIC 2 IF 2

    CHANGE is used to modify gateway and/or metric only.
    > route PRINT
    > route DELETE 157.0.0.0
    > route PRINT

    H:\>
  16. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Please download the latest version of Kaspersky GetSystemInfo (GSI) from Kaspersky and save it to your Desktop.

    Note: please close all other applications running on your system.

    Double click GetSystemInfo.exe to open it. It will display an agreement. Click on I Agree to continue.

    Click the Settings button.[​IMG]

    [​IMG]

    Set the slider to Maximum.

    [​IMG]

    IMPORTANT! Then, click Customize - choose Driver / Ports tab and uncheck Scan Ports.


    [​IMG]

    On the General tab, make sure all of the boxes are checked.


    [​IMG]

    On the Misc tab, make sure all the checkboxes are checked.

    Then, click OK on the windows that you launched.


    [​IMG]
    Click Create Report to run it.

    [​IMG]
    It will begin scanning.

    It will create a zip folder called GetSystemInfo_XXXXXXXXXXXXXX.zip on your Desktop.

    It should automatically upload it to http://www.getsysteminfo.com. If it does not, then please submit it manually by going to the site and doing the upload process.

    It will redirect to a page, where it will provide a sharing URL for specialists. Copy and paste the url of the GSI Parser report in your next reply.
  17. weety

    weety TS Rookie Topic Starter Posts: 60

  18. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Please download 7-Zip and install it. If you already have it, no need to reinstall.

    Then, download RootkitUnhooker and save the setup to your Desktop.

    • Right-click on the RootkitUnhooker setup and mouse-over 7-Zip then click Extract to "RKU***"
    • Once that is done, enter the folder, and double-click on the setup file. Navigate through setup and finish.
    • Once that is done, you will see another folder that was created inside the RKU folder. Enter that folder, and double-click on the randomly named file. (It will be alpha-numeric and have an EXE extension on it.)
    • It will initialize itself and load the scanner. It will also install its driver. Please wait for the interface to begin.
    • Once inside the interface, do not fix anything. Click on the Report tab.
    • Next, click on the Scan button and a popup will show. Make sure all are checked, then click on OK. It will begin scanning. When it gets to the Files tab, it will ask you what drives to scan. Just select C:\ and hit OK.
    • It will finish in about 5 minutes or a little longer depending on how badly infected the system is, or if your security software is enabled.
    • When finished, it will show the report in the Report tab. Please copy all of it, and post it in your next reply. Depending on how large the log is, you may have to use two or three posts to get all the information in.
  19. weety

    weety TS Rookie Topic Starter Posts: 60

    The link for RootkitUnhooker is broken... looking for alternatives......
  20. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

  21. weety

    weety TS Rookie Topic Starter Posts: 60

    Thanks for that! The scan is now finally starting (after 2 hours of checking the directory list of C:\). Looks like this one will have to run overnight and I'll post the log tomorrow.

    Thanks again!
  22. weety

    weety TS Rookie Topic Starter Posts: 60

    >SSDT State
    NtConnectPort
    Actual Address 0x89B24820
    Hooked by: Unknown module filename

    NtCreateKey
    Actual Address 0xB9EB50E0
    Hooked by: spxp.sys

    NtEnumerateKey
    Actual Address 0xB9ECDDA4
    Hooked by: spxp.sys

    NtEnumerateValueKey
    Actual Address 0xB9ECE132
    Hooked by: spxp.sys

    NtOpenKey
    Actual Address 0xB9EB50C0
    Hooked by: spxp.sys

    NtQueryKey
    Actual Address 0xB9ECE20A
    Hooked by: spxp.sys

    NtQueryValueKey
    Actual Address 0xB9ECE08A
    Hooked by: spxp.sys

    NtResumeThread
    Actual Address 0x8A339108
    Hooked by: Unknown module filename

    NtSetValueKey
    Actual Address 0xB9ECE29C
    Hooked by: spxp.sys

    >Shadow
    >Processes
    >Drivers
    >Stealth
    >Files
    Suspect File: C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSS1B7CC.log Status: Hidden
    Suspect File: C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\7DC76035.TMP Status: Hidden
    Suspect File: C:\WINNT\system32\CCM\ServiceData\Messaging\EndpointQueues\CertificateMaintenanceEndpoint\000000BC.msg Status: Hidden
    Suspect File: C:\WINNT\system32\CCM\ServiceData\Messaging\EndpointQueues\CertificateMaintenanceEndpoint\000000BC.que Status: Hidden
    Suspect File: C:\WINNT\system32\CCM\ServiceData\Messaging\EndpointQueues\ProxyMaintenanceEndpoint\000000AH.msg Status: Hidden
    Suspect File: C:\WINNT\system32\CCM\ServiceData\Messaging\EndpointQueues\ProxyMaintenanceEndpoint\000000AH.que Status: Hidden
    >Hooks
    [3548]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x01001268 hook handler located in [shimeng.dll]
    [820]searchindexer.exe-->kernel32.dll-->WriteFile, Type: Inline - RelativeJump at address 0x7C810E27 hook handler located in [mssrch.dll]
    [820]searchindexer.exe-->kernel32.dll-->WriteFile, Type: Inline - SEH at address 0x7C810E2C hook handler located in [unknown_code_page]
    [820]searchindexer.exe-->kernel32.dll-->WriteFile, Type: Inline - SEH at address 0x7C810E2D hook handler located in [unknown_code_page]
    !!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)
  23. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    There are only so many scans we can do, and no malware so far has evaded this well.

    Have you contacted the network administrator about this? Has anyone else been experiencing similar symptoms, or is it just your machine?

    I don't know if you said before or not, but what browsers does this affect? All? The only other option I can see fit is to reset or reinstall what browsers are causing issue...
  24. weety

    weety TS Rookie Topic Starter Posts: 60

    No one else is having these problems. I run two computers side-by-side and only one has issues.

    It was affecting Chrome with respect to blocked websites. I had a very outdated version of Internet Explorer, which just seemed to crash all the time. I have uninstalled both and reinstalled Chrome. The problem remains. (And I still can't install Malwarebytes).

    So the rootkit activity from the last scan was a false positive?
  25. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Yes it was... whenever that tool detects any of the things that it did, it puts that at the end of the log. Security tools or antivirus software commonly create similar driver settings, which can show up on rootkit scanners.

    Sadly, none of the tools caught this, but I did as I ran back through ALL of the logs above. What I found were fake SQL injections, CcmFramework.

    Please run OTL
    • Under the Custom Scans/Fixes box at the bottom, copy and paste in the following:

    • Then click the Run Fix button at the top.
    • Note: The fix for OTL automatically hides your Desktop and Start menu so the fix can be completed. Do not be alerted, as this is normal.
    • Please do not exit the program. It might take a while to fix, but allow it to run. If it asks to reboot the computer, allow it to reboot. If the program freezes, and the computer fails to reboot - let me know.
      Lastly, post the contents of the log. (Located at C:\_OTL\Moved Files)
    Once again, let me know how it works out...If it doesn't work out, open OTL, press Quick Scan and post new log, please.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.