Pc issues
Comments
Sorry - I didn't catch what TDSSkiller said it was. And can't seem to find a log?
HijackThis is working, but again, I can't work out how to post a log - I seem to have downloaded the micro version, if that makes a difference.
What kind of additional realtime protection would you recommend?
The TDSSkiller log will be on the start of Drive C. It'll be long, so use http://pastebin.com
In Hijackthis, when you press 'save log' down the bottom right it'll output it to notepad.
I meant that either Prevx or Panda would offer additional realtime protection. Both are relatively light, but all the same I'm only suggesting to have one or the other on for a week or 2. Alternatively, you could activate the Malwarebytes 14 day trial.
Dr Web is a long one
I never trust one program to do everything.
Dr Web took six hours - so glad I went to bed!
It found the following only: GTDownIN_119.ocx;C:\WINDOWS\system32;Adware.Gdown;Incurable.Deleted.;
The TDSSkiller paste thing is here - but I think this is the relevant part?
- 2011/07/09 22:39:36.0937 1868 MBR (0x1B8) (5ce25de9144b78b29414399fd0a79af9) \Device\Harddisk0\DR0
- 2011/07/09 22:39:36.0953 1868 \Device\Harddisk0\DR0 - detected Rootkit.Win32.TDSS.tdl4 (0)
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:14:39, on 10/07/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\Program Files\CleanMem\Mini_Monitor.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Belkin\F5D9050\Belkinwcui.exe
C:\Program Files\Intel\IntelDH\CCU\CCU_Engine.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\rsvp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [CCUTRAYICON] C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [F5D9050] C:\Program Files\Belkin\F5D9050\Belkinwcui.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CleanMem Mini Monitor] C:\Program Files\CleanMem\Mini_Monitor.exe /startup
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [HitmanPro35] "C:\Program Files\Hitman Pro 3.5\HitmanPro35.exe" /scan:boot
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Belkin Wireless Client Utility.lnk = C:\Program Files\Belkin\F5D9050\Belkinwcui.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1152532298703
O20 - AppInit_DLLs: WIKI.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - LSI Corporation - C:\Program Files\LSI SoftModem\agrsmsvc.exe
O23 - Service: Intel(R) Alert Service (AlertService) - Intel Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel(R) Quick Resume technology (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) Software Services Manager (ISSM) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel(R) Viiv(TM) Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
O23 - Service: Intel(R) Application Tracker (MCLServiceATL) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel(R) Remoting Service (Remote UI Service) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
--
End of file - 7164 bytes
Yes that was the relevant part
Thanks.
Might be worth re-running aswMBR and confirming that you have the normal MBR code now. Don't install the definitions when it asks.
Not sure what Wiki.dll is, even after a bit of searching. Usually when asked to upload it to www.virustotal.com, the file itself seems to be missing. See if you can buck the trend and upload it!
and also TICK and FIX it in Hijackthis:
O20 - AppInit_DLLs: WIKI.DLL
If you haven't already, I'd uninstall Java. If you do need it, then reinstall with a new version.
Lastly, it would be worth running Combofix before giving the all clear. It'll want you to disable all security (e.g. turn the Avast shields off for an hour, close Malwarebytes, etc). Afterwards it'll generate a log - if it doesn't come up in notepad, then it'll be on Drive C as Combofix.txt http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Good - well I've deleted Java, and ticked and fixed the wiki.dll bit. Afraid I can't work out how to upload it to virustotal.com, maybe I can't now I've deleted it?
aswMBR is running now, and I'll do the Combofix after that - assume I should close internet pages whilst that's running to be OK?
Thanks again for being helpful and patient!
You can try a search for wiki.dll, probably in the c:\windows\system folder. When you do virustotal.com, just browse to that folder. It might have been wiped by tdsskiller perhaps. When you FIXED it in Hijackthis, it just stops it loading with user32.dll, but won't wipe the file itself.
With aswMBR, I meant for you to skip the long & unnecessary Avast file scan, as the MBR check part of it should only be a few seconds. Originally aswMBR was just a tool to check for a few kinds of rootkits - and would quickly scan the MBR, as well as a few drivers. Then they added the Avast virus scanner to it as well, which can take upwards of an hour to complete - no point if you already have Avast. You can cancel the Avast scan, and use this instead I suppose http://ad13.geekstogo.com/MBRCheck.exe or re-download aswMBR and just say No to the definitions.
Combofix will shut down browsers etc; the main thing is that the security programs need to be manually shut down. You'll see what I mean.
Ah - I see. Still doing it wrong.

Well the full aswmbr scan came back with this - which looks clear to me??
aswMBR version 0.9.7.705 Copyright(c) 2011 AVAST Software
Run date: 2011-07-10 16:43:38
16:43:38.953 OS Version: Windows 5.1.2600 Service Pack 3
16:43:38.953 Number of processors: 2 586 0x604
16:43:38.953 ComputerName: YOUR-21DD98D09D UserName: User
16:43:40.828 Initialize success
16:43:42.062 AVAST engine defs: 11071000
16:43:43.796 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
16:43:43.796 Disk 0 Vendor: Intel___ 1.0. Size: 476945MB BusType: 3
16:43:43.812 Disk 0 MBR read successfully
16:43:43.812 Disk 0 MBR scan
16:43:43.828 Disk 0 unknown MBR code
16:43:43.828 Disk 0 scanning sectors +976768065
16:43:43.843 Disk 0 scanning C:\WINDOWS\system32\drivers
16:44:04.234 Service scanning
16:44:05.234 Disk 0 trace - called modules:
16:44:05.234
16:44:06.953 AVAST engine scan C:\WINDOWS
17:20:40.578 AVAST engine scan C:\Documents and Settings\User
17:26:56.140 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\User\My Documents\MBR.dat"
17:26:56.296 The log file has been saved successfully to "C:\Documents and Settings\User\My Documents\aswMBR2.txt"
but the GeeksToGo MBR check has found "a non-standard or infected MBR".
Options are:
1 dump MBR of a physical disk to file
2 restore the MBR of a physical disk with a standard boot code
3 exit
I'm guessing it's not cleared up after all?
With either of the tools, do 'FixMBR' or restore standard code, then run both of them again to see if it has stuck - it should say "Default Windows XP code" or the like. When it finally does with both, run TDSSkiller again and make sure it's clear.
Then run Combofix.
MBR infections are annoying to deal with inside Windows. The problem is that the infected MBR is only part of it, and it'll just pop back on. If the rootkit is loaded, you never know if the MBR the tools are reading is the real one - or a deception.
An alternative is to get in with a Windows recovery disk or XP setup disk, and run 'FIXMBR' from the recovery console, then replace some of the usual suspects that rootkits replace such as volsnap.sys, atapi.sys, etc., then run an antivirus rescue CD (e.g. https://forums.moneysavingexpert.com/discussion/comment/41653210#Comment_41653210). I've had 3 hours sleep due to my wife being unwell overnight, so I don't have the concentration to walk you through that sorry.
Another (better) way would be to either stick the hard drive in an external case, and scan it from a clean computer with multiple programs and fix the MBR from there. A similar way would be to use a Linux LiveCD, and share Drive C over a network, map the network drive from a clean computer and do the various scans.
My preferred method is using bootable versions of Windows that run from a CD, saves messing around with all the out-of-date anti-rootkit programs, and fix things quickly from there.
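A small parser for the MBR.dat that aswMBR saves, added here as an illustration of the checks this post describes (it is not part of the thread or of any tool named in it): it hashes the boot code, lists the partition table, counts the sectors after the last partition (the slack space where TDL4 keeps its hidden store, which is why the aswMBR log scans sectors beyond the partitions), and compares two reads of the same MBR, the hypothetical "read inside Windows" versus "read offline" comparison that shows whether a loaded rootkit is filtering what the tools see. The sample MBR, its partition end and the disk size (taken from the 476945MB line in the aswMBR log) are constructed values.

```python
import hashlib
import struct

SECTOR = 512
DISK_SECTORS = 476_945 * 2048  # constructed from the aswMBR "Size: 476945MB" line: 976,783,360 sectors

def build_sample_mbr() -> bytes:
    """Constructed 512-byte MBR: stub boot code, one NTFS partition from LBA 63, valid 55AA signature."""
    code = b"\xfa\x33\xc0\x8e\xd0".ljust(440, b"\x00")          # bytes 0-439: boot code
    disk_id = b"\x12\x34\x56\x78\x00\x00"                        # bytes 440-445: disk signature + pad
    entry = bytes([0x80, 1, 1, 0, 0x07, 0xFE, 0xFF, 0xFF])      # active flag, CHS start, type 0x07, CHS end
    entry += struct.pack("<II", 63, 976_768_002)                 # LBA start, sector count (constructed)
    return code + disk_id + entry + b"\x00" * 48 + b"\x55\xaa"

def parse_mbr(mbr: bytes) -> dict:
    """Split an MBR into a boot-code hash, the used partition entries and the signature check."""
    if len(mbr) != SECTOR:
        raise ValueError("an MBR is exactly one 512-byte sector")
    parts = []
    for i in range(4):
        e = mbr[446 + 16 * i: 462 + 16 * i]
        start, count = struct.unpack("<II", e[8:16])
        if e[4] != 0:                                             # partition type 0 = unused slot
            parts.append({"active": e[0] == 0x80, "type": e[4], "start": start, "sectors": count})
    return {
        "code_sha256": hashlib.sha256(mbr[:440]).hexdigest(),
        "partitions": parts,
        "signature_ok": mbr[510:512] == b"\x55\xaa",
    }

def trailing_unallocated(mbr: bytes, disk_sectors: int) -> int:
    """Sectors after the last partition; TDL4 keeps its hidden file system in this slack space."""
    last_end = max((p["start"] + p["sectors"] for p in parse_mbr(mbr)["partitions"]), default=0)
    return max(disk_sectors - last_end, 0)

def reads_agree(inside_windows: bytes, offline: bytes) -> bool:
    """Compare boot code and partition table from two reads; a mismatch means one view is filtered."""
    return (inside_windows[:440] == offline[:440]
            and inside_windows[446:510] == offline[446:510])

if __name__ == "__main__":
    mbr = build_sample_mbr()
    info = parse_mbr(mbr)
    print("boot code sha256:", info["code_sha256"][:16], "... signature ok:", info["signature_ok"])
    print("partitions:", info["partitions"])
    print("unallocated trailing sectors:", trailing_unallocated(mbr, DISK_SECTORS))
```

To use it on a real dump, read the 512 bytes of MBR.dat in place of build_sample_mbr() and compare the code hash against a dump taken from the same disk while booted from clean media.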
Please don't apologise - you've been more than helpful and useful, and I'm really grateful - I'm sorry to have taken up so much of your time! Sorry to hear about your wife, and very much hope she improves.
I will keep running these until they look clear, and do the combofix, plus add the extra protection for a bit as you suggest. My housemate will be back in a few days, and hopefully he will be able to have a look for me
Thanks again!