Solved BSDs, PC Beeps, and Phishing Creeps!

Status
Not open for further replies.

jdematt

Good Morning Fellow Techs,
Well, my computer has had a rough run the past few weeks, and it's about time I called in some help. Here's the 411:
Problems started with the computer failing to boot due to a missing SYSTEM file. I launched Hiren's Boot CD to run Mini-XP and replaced it with a backup, which at least got me back into XP. Now, the PC locks up often, throwing a sustained system beep from the motherboard. Also, I believe there's some rootkit infection due to search engine redirects and phishing attempts (false bank login pages). I had run avast antivirus and removed several entries when the problems began, but this didn't solve the problem.

Additionally, I couldn't run GMER as it would throw a BSD and crash upon launch, even with all of my firewall and antivirus software disabled. However, I have attached all other log files. Here's my system info:

HP Elite 7000 MT
Windows XP Pro SP3
3 Gigs of RAM
Intel i5 CPU running @ 2.7 GHz

Let me know what you guys come up with!
 

Attachments:
  • mbam-log-2010-06-08 (15-25-18).txt
  • hijackthis.log
  • DDS.txt
  • Attach.txt
Your Hosts file has been hijacked. There are also extensive Relevant Knowledge files that are infected. If you downloaded that program, please uninstall it.

I'd like you to run Combofix while I finish checking the logs. Also, please give GMER another try in either one of these ways:
1. Take 'Devices' off and see if it will run.
2. Or try running the scan in Safe Mode.

Please download ComboFix from Here and save to your Desktop.

  [1]. Do NOT rename Combofix unless instructed.
  [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  [3]. Close any open browsers.
  [4]. Double click combofix.exe & follow the prompts to run.
  NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
  [5]. If Combofix asks you to install Recovery Console, please allow it.
  [6]. If Combofix asks you to update the program, always allow.
  NOTE: Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  [7]. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs when you're done with Combofix.

Run Eset NOD32 Online AntiVirus Scanner HERE
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
Leave the logs in your next reply. I'll be preparing some script to be used after I see the Combofix report.

Please do not use any other cleaning programs or scans while I'm helping you unless I direct you to. Do not use a Registry Cleaner or make changes in the Registry.

I recommend uninstalling uTorrent. If you choose not to, please do not use it while I am helping you.
 
I'm checking the logs now and wanted to bring your attention to something I found:
The IP 56.43.234.1 belongs to United States Postal Service.
Hosts: 56.43.234.1 inwarez.com
Hosts: 56.43.234.1 www.inwarez.com
Hosts: 56.43.234.1 inwarez.net
Hosts: 56.43.234.1 www.inwarez.net
Hosts: 56.43.234.1 inwarez.org
Hosts: 56.43.234.1 www.inwarez.org
Hosts: 56.43.234.1 93.174.93.193>> This IP belongs to a site in the Netherlands:
netname: NL-ECATEL
descr: ECATEL LTD
descr: Dedicated servers
descr: http://www.ecatel.net/
country: NL


Checking on inwarez shows the "Website InWarez.org for SALE!"
The Domain appears to have been:
Warez-Host.com is the place for cheap and reliable offshore Web Hosting services including Offshore Web Hosting with Shared and Reseller Hosting,

Since you mentioned this:
search engine redirects and phishing attempts (false bank login pages).
IF you are an employee of the USPS, I would advise you to immediately contact the USPS IT.

I'm still checking the logs you left and will be able to see more if you have run the scans I asked for. But if this is connected in any way to the USPS, this needs to be brought to their cyber crimes department.

I'd like you to do the following: Please print directions for reference:

You will need to do a DNS Flush, then reset your router.
Start> Run> type cmd> enter> at the C prompt type ipconfig /flushdns (note space before the /)

Exit the Command prompt when finished and shut the system down.

  [1]. Shut down your computer, and any other computer connected to your router.
  [2]. On the back of the router, there should be a small hole or button labelled RESET. Using a bent paper clip or similar item, hold that in continuously for twenty seconds.
  [3]. Unplug the router. Wait sixty seconds.
  [4]. Now, holding the reset button again, plug it back in. Continue holding the reset button for twenty seconds. Unplug the router again.
  [5]. With the router unplugged, start your computer. Run MBAM again.
  [6]. Connect to the router again. Then turn the router back on.
  [7]. When it stabilizes, reboot your workstation and try to access the internet. If you have any issues, access the Router configuration page and re-enter your authentication information.
  [8]. Reboot the system and test the internet. You may have to reconfigure the router settings based on your setup.
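The helper's Hosts-file finding above (a block of domain names all pinned to one remote address) is the mechanism behind search redirects and fake login pages. The script below is an added example, not code from the thread: it parses a hosts file and groups every name mapped to an address outside loopback and the RFC 1918 LAN ranges, so a hijack like the one quoted stands out. SAMPLE_HOSTS is constructed; it reuses the inwarez/56.43.234.1 lines from the thread and adds made-up entries (www.mybank.example, the TEST-NET address 203.0.113.9, fileserver.lan). HOSTS_PATH is the standard Windows location.

```python
"""Audit a Windows hosts file for hijacked name-to-address mappings.

Added example, not part of the original thread. SAMPLE_HOSTS is constructed:
it copies the redirect pattern quoted from the Combofix report (the inwarez
names pinned to 56.43.234.1) and adds made-up entries; www.mybank.example and
203.0.113.9 (a TEST-NET address) are placeholders.
"""
import ipaddress
from collections import defaultdict

HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"   # default location on Windows

# Ranges a hosts file may legitimately point names at without a remote party
# being involved: loopback plus the RFC 1918 LAN ranges.
LOCAL_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("127.0.0.0/8", "::1/128", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
56.43.234.1     inwarez.com
56.43.234.1     www.inwarez.com
56.43.234.1     inwarez.net  www.inwarez.net   # several names on one line
203.0.113.9     www.mybank.example             # constructed: bank name sent elsewhere
192.168.1.50    fileserver.lan                 # constructed: ordinary LAN entry
"""


def parse_hosts(text):
    """Return [(ip, hostname), ...] for every name the file maps."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments and whitespace
        parts = line.split()
        if len(parts) < 2:
            continue                             # blank line or address with no names
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue                             # malformed address field
        for name in parts[1:]:
            entries.append((parts[0], name.lower()))
    return entries


def is_local(ip):
    """True if the address is loopback or in an RFC 1918 range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETWORKS)


def suspicious_entries(entries):
    """Group the names that resolve to any non-local address, keyed by address.

    Loopback and LAN mappings are normal. A name pinned to a remote address is
    the mechanism behind the redirects and fake login pages described in the
    thread, so every such mapping is returned for review.
    """
    by_ip = defaultdict(list)
    for ip, name in entries:
        if not is_local(ip):
            by_ip[ip].append(name)
    return dict(by_ip)


def audit_hosts_file(path=HOSTS_PATH):
    """Read the live hosts file and return its suspicious entries."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return suspicious_entries(parse_hosts(fh.read()))


if __name__ == "__main__":
    for ip, names in suspicious_entries(parse_hosts(SAMPLE_HOSTS)).items():
        print(f"{ip} <- {', '.join(names)}")
```

Run it against the sample and the two remote addresses are reported with the names attached to them; `audit_hosts_file()` does the same against the real file. A clean Windows hosts file has nothing but loopback entries, so anything this reports is worth identifying before the flushdns/router steps above are repeated.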
 
No, I don't work for USPS. I'm still running GMER (it's been about 4 hours!), and then I will run combofix and post logs upon completion. Thanks for the help in advance :)
 
That makes two of us! Here is the GMER log, running combofix after a reboot.
 

Attachments:
  • gmer.log
You need to remove this now:
Name: RelevantKnowledge
Description: Add or Remove Programs entry for Marketscore.RelevantKnowledge. RelevantKnowledge is a MarketScore variant that monitors browsing habits and sends unsolicited advertisements. RelevantKnowledge is bundled in many freeware utilities. The related rlvknlg.exe file is a backdoor proxy component.


Go to Start> Run> type in cmd> on the Command screen, copy and paste the following:
%WinDir%\rlvknlg.exe -bootremove -uninst:RelevantKnowledge

Enter. When finished, reboot.
This spyware is starting on boot. You can't do any cleaning while it does. After running the uninstall, check Add/Remove Programs. If it's still there, uninstall.
Then use Windows Explorer: Windows key + E: click on My Computer> double click Local Drive (C)> Programs> look for Relevant Knowledge or Marketscore. If the folder is found, do a right click> Delete.

If you get any error message doing this, boot into safe Mode to do it:

Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

Then Please go ahead with Combofix and the Eset scan. GMER is clear.
 
Here is the combofix log. I'm going to run the Eset scan now. Relevant Knowledge was not found on this computer; I did a deep scan of the hard drive in all locations to confirm (unless it changed the executable's name).
 

Attachments:
  • log.txt
Oh, I also thought it might be helpful for you to know that I cannot use Internet Explorer at all; it hangs on startup and I must end the task within a few seconds or the whole PC shuts down with it!
 
Okay, right off let's try and pin down the problem with IE: Look at the time when it hangs on the computer clock. Then see if there is an Error that corresponds to that time in the Event Viewer: the Events are time coded. If you have to force it to get a time check, do it:

Check Applications first> look for something similar to this:
Source: Application Hang
Event ID:1002
Category:(101)
Hanging application IEXPLORE.EXE,version 6.0.2900.2180,hang module ???? hungapp,version 0.0.0.0,
hang address,0x00000000


Start> Run> type in eventvwr

Do this on each of the System and the Applications logs:
[1]. Click to open the log>
[2]. Look for the Error>
[3]. Right click on the Error> Properties>
[4]. Click on Copy button, top right, below the down arrow >
[5]. Paste here (Ctrl V)
NOTES:
  • You can ignore Warnings and Information Events.
  • If you have a recurring Error with same ID#, same Source and same Description, only one copy is needed.
  • You don't need to include the lines of code in the box below the Description, if any.
  • Please do not copy the entire Event log.

If there isn't anything this obvious, check the System log also for corresponding time.
=======================================
I see at least 5 active antivirus programs running. Please run the following:

Security Check

Download Security Check and save it to your Desktop.
  • Double-click SecurityCheck.exe to run.
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post this log in your next reply.
 
Eset scan got up to 47%, showing 12 infections then the computer froze. However, now I can use internet explorer.... WEIRD.
I did find this around the time of the crash however:

Event Type: Error
Event Source: Application Error
Event Category: None
Event ID: 1000
Date: 6/10/2010
Time: 9:43:48 AM
User: N/A
Computer: JIM
Description:
Faulting application iexplore.exe, version 8.0.6001.18702, faulting module unknown, version 0.0.0.0, fault address 0x01ec8264.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 69 65 78 ure iex
0018: 70 6c 6f 72 65 2e 65 78 plore.ex
0020: 65 20 38 2e 30 2e 36 30 e 8.0.60
0028: 30 31 2e 31 38 37 30 32 01.18702
0030: 20 69 6e 20 75 6e 6b 6e in unkn
0038: 6f 77 6e 20 30 2e 30 2e own 0.0.
0040: 30 2e 30 20 61 74 20 6f 0.0 at o
0048: 66 66 73 65 74 20 30 31 ffset 01
0050: 65 63 38 32 36 34 0d 0a ec8264..

Security Check Log:

Results of screen317's Security Check version 0.99.4
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Enabled!
avast! Pro Antivirus
ESET Online Scanner v3
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Java DB 10.5.3.0
Java(TM) 6 Update 20
Java(TM) SE Development Kit 6 Update 18
Adobe Flash Player 10.0.42.34
Mozilla Firefox (3.5.9) Firefox Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Malwarebytes' Anti-Malware mbamservice.exe
Alwil Software Avast5 AvastSvc.exe
````````````````````````````````
DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

``````````End of Log````````````
 
Are you aware that in addition to the multiple AV programs, you are also running the F-Secure BlackLight Beta Engine Driver in the background?

Clearly this is not the average home computer of members who seek help. In addition to the IP for the USPS and inwarez, I have also found:
IP 99.52.142.169>> ZEBRA IMAGING INC,Private Address, Plano, TX.
IP 255.255.255.255>> sub-net mask
IP 172.16.101.1>> Private


Plus there are multiple directories on the C drive containing 'mystery' names such as:
C:\ccJobMgr.dat 6/2/2010
C:\SWSETUP 6/10/2010
C:\found.000
C:\987629bfefd58cb45b
C:\GOTSent24b7>> beta version of GOTSent
C:\windows-fix 5/26/2010
C:\NeroAACCodec


And other downloads with 'mystery' names such as:
Mystery program or process names:
c:\program files\Charles 2/19/2010
c:\program files\MarkAny (5/25/2010)


I do realize you have or had malware, but these don't appear to be malware.
What's going on please?
 
Please print the instructions below for this program. You will not have access to the directions once you have started.

Please download HelpAsst mebroot fix.exe by noahdefrea and save to your desktop
  • Close out all other open programs and windows.
  • Double-click on it to run the tool and follow any prompts.
  • If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer.
  • Upon restarting, please wait about 5 minutes, go to > Run..., and in the Open dialog box, type: helpasst -mbrt
    Make sure you leave a space between helpasst and -mbrt.
  • Click OK or press Enter.
  • HelpAsst fix will create and open a log when done.
  • Copy and paste the contents of that log into your next reply.
In the event the tool does not detect an mbr infection and completes, do this:
  • Go to > Run> in the Open dialog box type: mbr -f
  • Click OK or press Enter.
  • Now, please do the Start > Run > mbr -f command a second time.
  • Shut down the computer (do not restart, but shut it down). Wait about five minutes, then start it back up.
  • After restart go to > Run> in the Open dialog box, type: helpasst -mbrt
    Make sure you leave a space between helpasst and -mbrt.
  • Click OK or press Enter.
  • HelpAsst fix will create and open a log when done.
  • Copy and paste the contents of that log into your next reply.

-- Important note to Dell users: Fixing the mbr may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a few known fixes for this, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not allow the tool to execute mbr -f nor execute the command manually. You will either need to restore your computer to a factory state or allow your computer to remain having an infected mbr (the latter not recommended).
Source: BleepingComputer
=============================
Unfortunately, that Event doesn't give us any useful info.

Guess I'm going to have to find another security program scanner!
It missed:
c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
c:\documents and settings\Administrator\Local Settings\Application Data\Threat Expert

6/2,6/3/2010
c:\program files\1261582753
c:\program files\Norton Internet Security
c:\documents and settings\All Users\Application Data\NortonInstaller
c:\program files\NortonInstaller
c:\windows\system32\drivers\NIS(2)
c:\documents and settings\All Users\Application Data\Norton

5/25/2010
c:\documents and settings\All Users\Application Data\PC Suite
c:\documents and settings\Administrator\Application Data\PC Suite
F-Secure BlackLight Beta Engine Driver

Question also:
Trusted Zone: autotask.com
Trusted Zone: autotask.net

Did you put these in the Trusted Zone?
 
> Clearly this is not the average home computer of members who seek help. In addition to the IP for the USPS and inwarez, I have also found:
> IP 99.52.142.169>> ZEBRA IMAGING INC, Private Address, Plano, TX.
> IP 255.255.255.255>> sub-net mask
> IP 172.16.101.1>> Private

Where did you find this?

> Plus there are multiple directories on the C drive containing 'mystery' names such as:
> C:\ccJobMgr.dat 6/2/2010
> C:\SWSETUP 6/10/2010
> C:\found.000
> C:\987629bfefd58cb45b
> C:\GOTSent24b7>> beta version of GOTSent
> C:\windows-fix 5/26/2010
> C:\NeroAACCodec

These were created by me, except for the found.000 and ccJobmgr.dat.

> And other downloads with 'mystery' names such as:
> Mystery program or process names:
> c:\program files\Charles 2/19/2010
> c:\program files\MarkAny (5/25/2010)

I uninstalled Charles because I also had no idea WTF it was; MarkAny I will have to look into.
 
HelpAsst found and fixed potential rootkits. Here's the log file.
 

Attachments:
  • HelpAsst.log
Sorry- don't know why you got so far down on the page!

About the c:\ entries I asked about. As you probably know, they are Directories. I have to be able to identify the contents in order to determine if they can be allowed to remain or should be removed. If you recognize the title and set them up, that's fine- just be sure you know what files are in them. Malware can hide all over!

Are you asking where I found the information about the IP? Combofix report, Reply #8.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\persistentroutes]
"99.52.142.169,255.255.255.255,172.16.101.1,1"=""


What is the status now regarding the original malware problems?
Please rescan with Combofix to see if any entries remain that need to be moved.
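The registry line quoted in the post above is one persistent static route, and its four comma-separated fields are what the helper read as an IP, a "sub-net mask" and a private address. The script below is an added example, not code from the thread: it decodes value names in the format Windows writes for `route -p add` entries (destination, netmask, gateway, metric) and labels each as a default, network or host route, flagging a host route to a public address since that pins every packet for one remote machine to a chosen gateway and is worth identifying on a home PC. The first sample value is the one quoted from the Combofix report; the other two are constructed.

```python
r"""Decode the persistent static routes Windows keeps in the registry.

Added example, not from the thread. Windows stores each `route -p add` entry
as a value name of the form "destination,netmask,gateway,metric" under
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\PersistentRoutes;
the first sample below is the value quoted from the thread's Combofix
report, the other two are constructed for comparison.
"""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

SAMPLE_VALUE_NAMES = [
    "99.52.142.169,255.255.255.255,172.16.101.1,1",   # from the thread
    "10.0.0.0,255.0.0.0,192.168.1.1,10",              # constructed: route to a LAN range
    "0.0.0.0,0.0.0.0,192.168.1.1,1",                  # constructed: persistent default route
]


def parse_persistent_route(value_name):
    """Split one registry value name into its four route fields."""
    dest, mask, gateway, metric = (f.strip() for f in value_name.split(","))
    network = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
    return {
        "destination": dest,
        "netmask": mask,
        "gateway": gateway,
        "metric": int(metric),
        "prefixlen": network.prefixlen,   # 255.255.255.255 -> 32, 0.0.0.0 -> 0
    }


def is_private(ip):
    """True if the address is in an RFC 1918 range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def classify_route(route):
    """Label the route and say whether it deserves a closer look.

    A /32 ("host") route to a public address is unusual on a home PC: it
    forces every packet for that single host through the named gateway and
    is the kind of entry to identify rather than assume.
    """
    if route["prefixlen"] == 0:
        kind = "default"
    elif route["prefixlen"] == 32:
        kind = "host"
    else:
        kind = "network"
    review = kind == "host" and not is_private(route["destination"])
    return kind, review


def audit_persistent_routes(value_names):
    """Parse and classify each value name; returns a list of result dicts."""
    results = []
    for name in value_names:
        route = parse_persistent_route(name)
        route["kind"], route["review"] = classify_route(route)
        results.append(route)
    return results


if __name__ == "__main__":
    # On a live machine the value names come from:
    #   reg query HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\PersistentRoutes
    # and the same routes are listed under "Persistent Routes" in `route print`.
    for r in audit_persistent_routes(SAMPLE_VALUE_NAMES):
        flag = "REVIEW" if r["review"] else "ok"
        print(f"{r['kind']:8} {r['destination']}/{r['prefixlen']} via {r['gateway']} "
              f"metric {r['metric']}  {flag}")
```

For the quoted value this reports a host route (/32) to 99.52.142.169 through the private gateway 172.16.101.1 with metric 1, which matches the helper's reading of the three addresses; the two constructed values show what an ordinary LAN route and a persistent default route look like by contrast.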
 
After listening to your advice, in addition to deleting those C: entries that were unnecessary, my pc seems to be back to normal finally. I really appreciate all of your help Bobeye!! You've been a huge aid in solving this problem :)
 