
Wife's computer will not connect to any ant-virus site
#1
Posted 01 August 2010 - 11:54 AM
#2
Posted 03 August 2010 - 12:31 AM

My name is JonTom.
- Malware Logs can sometimes take a lot of time to research and interpret.
- Please be patient while I try to assist with your problem. If at any time you do not understand what is required, please ask for further explanation.
- Please note that there is no "Quick Fix" to modern malware infections and we may need to use several different approaches to get your system clean.
- Read every reply you receive carefully and thoroughly before carrying out the instructions. You may also find it helpful to print out the instructions you receive, as in some instances you may have to disconnect your computer from the Internet.
- PLEASE NOTE: If you do not reply after 5 days your thread will be closed.
> So I copied the file log results to a word doc and transferred it to my thumb drive. I put it into my laptop, which I am on now and right clicked it and scanned with Malwarebytes Anti-malware tool and it found the Conficker Worm.

If Conficker was detected on the thumb drive I would advise against using it again.
Before we begin I would like to take a look at your system with some scans. We will start with your Wife's machine first, and then we can check your laptop once we have finished.
- Please perform the following scan
- Please download DDS from here and save it to your desktop.
- Disable any script blocking protection (How to Disable your Security Programs)
- Double click on the DDS icon to run the tool (may take up to 3 minutes to run).
- When done, DDS.txt will open.
- After a few moments, attach.txt will open in a second window.
- Save both reports to your desktop.
- Please post the contents of the DDS.txt and Attach.txt logs in your next reply.
- DeFogger
- Please download DeFogger to your desktop.
- Click on DeFogger to run the tool.
- The application window will appear.
- Click the Disable button to disable your CD Emulation drivers.
- Click Yes to continue.
- A 'Finished!' message will appear.
- Click OK.
- DeFogger will now ask to reboot the machine - click OK.
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.
Do not re-enable these drivers until otherwise instructed.
- Please scan your system with GMER
Download GMER Rootkit Scanner from here or here.
- Extract the contents of the zipped file to desktop.
- Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
- If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
- In the right panel, you will see several boxes that have been checked. Uncheck the following ...
- IAT/EAT
- Drives/Partition other than Systemdrive (typically C:\)
- Show All (don't miss this one)
- Then click the Scan button & wait for it to finish.
- Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
- Save it where you can easily find it, such as your desktop, and post it in your reply.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
Please post the DDS logs and the GMER log in your next reply. If you encounter any difficulties with the scans just come back and let me know
Member of UNITE
Proud Graduate of the WTT Classroom
#3
Posted 03 August 2010 - 08:54 AM
#4
Posted 03 August 2010 - 12:04 PM
> Can the downloads you instructed for me to save to the desktop be saved to a disc in case my wife's computer will not connect/allow download of these files?

Yes. If you have trouble downloading them using the infected system, you can use a clean machine to burn them to disk and transfer them to the infected machine.

> Can she still use the computer to send e-mails etc.?

It would be better not to use the net at all until the system is clean - we don't know what else may be present. My advice (for now) would be to only connect to the net to post replies/download the tools we need (if you are able to).

> What course of action should I take if a scan fails to start/finish/or is somehow interrupted?

If you have trouble getting any of the scans to complete, do not panic, just let me know and we will find a solution.

> I may not be able to get to it until Friday night or Saturday morning.

No problem. I will leave the thread open a good while to give you time to reply. Post when you can.

#5
Posted 03 August 2010 - 12:08 PM
#6
Posted 03 August 2010 - 10:02 PM
#7
Posted 03 August 2010 - 10:07 PM
#8
Posted 04 August 2010 - 12:33 AM
Thank you for the DDS logs.
> Do I continue with the GMER scan?

Yes please. There is no need to attach it, just paste it directly into your reply.

#9
Posted 04 August 2010 - 09:58 PM
Here is the GMER log:
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-08-04 20:53:43
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\uwtdqpoc.sys
---- Kernel code sections - GMER 1.0.15 ----
.rsrc C:\WINDOWS\system32\drivers\pciide.sys entry point in ".rsrc" section [0xF7BF8814]
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\System32\svchost.exe[968] ntdll.dll!NtProtectVirtualMemory 7C90D6D0 5 Bytes JMP 0092000A
.text C:\WINDOWS\System32\svchost.exe[968] ntdll.dll!NtWriteVirtualMemory 7C90DF90 5 Bytes JMP 0093000A
.text C:\WINDOWS\System32\svchost.exe[968] ntdll.dll!KiUserExceptionDispatcher 7C90E45C 5 Bytes JMP 0091000C
.text C:\WINDOWS\System32\svchost.exe[968] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 00DD000A
.text C:\WINDOWS\System32\svchost.exe[968] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00DB000A
.text C:\WINDOWS\System32\svchost.exe[968] NETAPI32.dll!NetpwPathCanonicalize 5B86A3A9 5 Bytes JMP 01DD9D64
.text C:\WINDOWS\Explorer.EXE[1296] ntdll.dll!NtProtectVirtualMemory 7C90D6D0 5 Bytes JMP 00B7000A
.text C:\WINDOWS\Explorer.EXE[1296] ntdll.dll!NtWriteVirtualMemory 7C90DF90 5 Bytes JMP 00BD000A
.text C:\WINDOWS\Explorer.EXE[1296] ntdll.dll!KiUserExceptionDispatcher 7C90E45C 5 Bytes JMP 00B6000C
.text C:\WINDOWS\system32\svchost.exe[1332] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes JMP 00A59DC4
.text C:\Program Files\Mozilla Firefox\firefox.exe[3336] ntdll.dll!NtProtectVirtualMemory 7C90D6D0 5 Bytes JMP 0132000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3336] ntdll.dll!NtWriteVirtualMemory 7C90DF90 5 Bytes JMP 0133000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3336] ntdll.dll!KiUserExceptionDispatcher 7C90E45C 5 Bytes JMP 0131000C
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3556] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 1044721D C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)
Device \FileSystem\Cdfs \Cdfs B1234400
Device -> \Driver\atapi \Device\Harddisk0\DR0 862ABEE4
---- Services - GMER 1.0.15 ----
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] etsphuhvj <-- ROOTKIT !!!
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] gagbecgy <-- ROOTKIT !!!
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\etsphuhvj@DisplayName Security Universal
Reg HKLM\SYSTEM\CurrentControlSet\Services\etsphuhvj@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\etsphuhvj@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\etsphuhvj@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\etsphuhvj@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\etsphuhvj@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\etsphuhvj@Description Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network.
Reg HKLM\SYSTEM\CurrentControlSet\Services\etsphuhvj\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\etsphuhvj\Parameters@ServiceDll C:\WINDOWS\system32\kqjulx.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\gagbecgy@DisplayName cjbdflyul
Reg HKLM\SYSTEM\CurrentControlSet\Services\gagbecgy@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\gagbecgy@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\gagbecgy@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\gagbecgy@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\gagbecgy@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\gagbecgy@Description Provides three management services: Catalog Database Service, which confirms the signatures of Windows files; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
Reg HKLM\SYSTEM\CurrentControlSet\Services\gagbecgy\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\gagbecgy\Parameters@ServiceDll C:\WINDOWS\system32\kqjulx.dll
Reg HKLM\SYSTEM\ControlSet002\Services\etsphuhvj@DisplayName Security Universal
Reg HKLM\SYSTEM\ControlSet002\Services\etsphuhvj@Type 32
Reg HKLM\SYSTEM\ControlSet002\Services\etsphuhvj@Start 2
Reg HKLM\SYSTEM\ControlSet002\Services\etsphuhvj@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\etsphuhvj@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet002\Services\etsphuhvj@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet002\Services\etsphuhvj@Description Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network.
Reg HKLM\SYSTEM\ControlSet002\Services\etsphuhvj\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\etsphuhvj\Parameters@ServiceDll C:\WINDOWS\system32\kqjulx.dll
Reg HKLM\SYSTEM\ControlSet002\Services\gagbecgy@DisplayName cjbdflyul
Reg HKLM\SYSTEM\ControlSet002\Services\gagbecgy@Type 32
Reg HKLM\SYSTEM\ControlSet002\Services\gagbecgy@Start 2
Reg HKLM\SYSTEM\ControlSet002\Services\gagbecgy@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\gagbecgy@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet002\Services\gagbecgy@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet002\Services\gagbecgy@Description Provides three management services: Catalog Database Service, which confirms the signatures of Windows files; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
Reg HKLM\SYSTEM\ControlSet002\Services\gagbecgy\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\gagbecgy\Parameters@ServiceDll C:\WINDOWS\system32\kqjulx.dll
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\system32\drivers\pciide.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
---- EOF - GMER 1.0.15 ----
I attached it as well cause I thought it got messed up copying it. Standing by for further instructions.
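The GMER log above shows the pattern worth recognising: two services that GMER could not see through the service control manager, both hosted by svchost.exe -k netsvcs, both loading the same ServiceDll (kqjulx.dll), and each carrying a Description copied word for word from a stock Windows service so that it looks legitimate in a casual glance at the registry. The Python script below is added here as an example; it is not part of GMER and not something the helper in this thread posted. It parses lines in the format GMER writes (the hidden-service lines, the Reg lines for the active ControlSet, and the user-mode inline-hook lines) and reports the services that deserve attention and the hooks whose JMP target GMER could not attribute to a loaded module. The sample log is constructed from the entries quoted above plus one benign Dhcp entry added to exercise the non-flagged path; the mapping of description strings to the stock services they belong to is from memory of a Windows XP install, not from the thread.

```python
"""Triage helper for GMER rootkit-scan logs (added example; not GMER's code)."""
import re
from collections import defaultdict

# Constructed sample input, modelled on the log quoted in the thread, plus a
# benign-looking Dhcp service added here so the non-flagged path is exercised.
SAMPLE_LOG = r"""
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\System32\svchost.exe[968] ntdll.dll!NtProtectVirtualMemory 7C90D6D0 5 Bytes JMP 0092000A
.text C:\WINDOWS\System32\svchost.exe[968] NETAPI32.dll!NetpwPathCanonicalize 5B86A3A9 5 Bytes JMP 01DD9D64
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3556] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 1044721D C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
---- Services - GMER 1.0.15 ----
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] etsphuhvj <-- ROOTKIT !!!
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] gagbecgy <-- ROOTKIT !!!
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\etsphuhvj@DisplayName Security Universal
Reg HKLM\SYSTEM\CurrentControlSet\Services\etsphuhvj@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\etsphuhvj@Description Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network.
Reg HKLM\SYSTEM\CurrentControlSet\Services\etsphuhvj\Parameters@ServiceDll C:\WINDOWS\system32\kqjulx.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\gagbecgy@DisplayName cjbdflyul
Reg HKLM\SYSTEM\CurrentControlSet\Services\gagbecgy@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\gagbecgy@Description Provides three management services: Catalog Database Service, which confirms the signatures of Windows files; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
Reg HKLM\SYSTEM\CurrentControlSet\Services\gagbecgy\Parameters@ServiceDll C:\WINDOWS\system32\kqjulx.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\Dhcp@DisplayName DHCP Client
Reg HKLM\SYSTEM\CurrentControlSet\Services\Dhcp@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\Dhcp@Description Manages network configuration by registering and updating IP addresses and DNS names.
Reg HKLM\SYSTEM\CurrentControlSet\Services\Dhcp\Parameters@ServiceDll %SystemRoot%\system32\dhcpcsvc.dll
"""

# Opening words of Description strings that belong to stock Windows XP services
# (reference data from memory of a stock install, not from the thread). A service
# carrying one of these under another name has borrowed it to blend in.
KNOWN_DESCRIPTION_PREFIXES = {
    "Provides network address translation, addressing, name resolution": "SharedAccess",
    "Provides three management services: Catalog Database Service": "CryptSvc",
    "Manages network configuration by registering and updating IP addresses": "Dhcp",
}

# Line shapes as GMER 1.0.15 writes them. Only the active ControlSet is parsed;
# the ControlSet00N copies in the log repeat the same values.
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<mod>\S+)!(?P<fn>\S+)\s+[0-9A-F]+\s+"
    r"\d+ Bytes JMP\s+(?P<target>[0-9A-F]+)(?:\s+(?P<owner>\S.*))?$")
HIDDEN_RE = re.compile(
    r"^Service\s+(?P<image>\S+)\s+\(\*\*\* hidden \*\*\* \)\s+\[(?P<start>\w+)\]\s+(?P<name>\S+)")
REG_RE = re.compile(
    r"^Reg\s+HKLM\\SYSTEM\\CurrentControlSet\\Services\\(?P<name>[^\\@\s]+)"
    r"(?:\\Parameters)?@(?P<value>\w+)\s+(?P<data>.*)$")


def parse_gmer_log(text):
    """Return (services, hooks): services maps a service name to its registry
    values plus a 'hidden' flag; hooks is a list of user-mode inline hooks."""
    services = defaultdict(dict)
    hooks = []
    for line in text.splitlines():
        m = HIDDEN_RE.match(line)
        if m:
            services[m.group("name")]["hidden"] = True
            continue
        m = REG_RE.match(line)
        if m:
            services[m.group("name")][m.group("value")] = m.group("data").strip()
            continue
        m = HOOK_RE.match(line)
        if m:
            hooks.append(m.groupdict())
    return dict(services), hooks


def triage_services(services):
    """Map service name -> sorted reasons it deserves a closer look."""
    dll_users = defaultdict(set)
    for name, vals in services.items():
        if "ServiceDll" in vals:
            dll_users[vals["ServiceDll"].lower()].add(name)
    findings = defaultdict(list)
    for name, vals in services.items():
        if vals.get("hidden"):
            findings[name].append("hidden from the service control manager")
        dll = vals.get("ServiceDll", "").lower()
        if dll and len(dll_users[dll]) > 1:
            others = ", ".join(sorted(dll_users[dll] - {name}))
            findings[name].append(f"ServiceDll {vals['ServiceDll']} is shared with {others}")
        desc = vals.get("Description", "")
        for prefix, owner in KNOWN_DESCRIPTION_PREFIXES.items():
            if desc.startswith(prefix) and owner.lower() != name.lower():
                findings[name].append(f"Description copied from the stock {owner} service")
    return {k: sorted(v) for k, v in findings.items()}


def unattributed_hooks(hooks):
    """Inline hooks whose JMP target GMER could not attribute to a loaded module,
    i.e. the jump lands in anonymous memory. Security products install attributed
    hooks all the time, so this is a triage list, not a verdict."""
    return sorted((h["proc"], int(h["pid"]), f"{h['mod']}!{h['fn']}")
                  for h in hooks if not h["owner"])


if __name__ == "__main__":
    svcs, hks = parse_gmer_log(SAMPLE_LOG)
    for svc, reasons in triage_services(svcs).items():
        print(svc)
        for reason in reasons:
            print("  -", reason)
    for proc, pid, fn in unattributed_hooks(hks):
        print(f"unattributed hook in {proc}[{pid}]: {fn}")
```

On the sample, the two hidden services are each reported for all three reasons and Dhcp is not reported at all; the two svchost.exe[968] hooks come out as unattributed while the plugin-container.exe hook, which GMER tied to xul.dll, does not. The shared-ServiceDll check is the most portable of the three, since it needs no reference data: two differently named services that load one DLL is rarely how legitimate software registers itself.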
#10
Posted 05 August 2010 - 01:19 AM
Thank you for the logs.
Your machine is heavily infected. It will take several rounds of treatment to fix.
It appears from your logs that you do not have a real time antivirus installed. It would be unwise to try and install a security application onto an infected machine, so for the time being please stay off net until you are clean (only connect to run scans/post replies).
Please work your way through the following steps:
- Please download SystemLook by JPShortstuff
- Please download SystemLook by JPShortstuff by clicking here or here and save the file (called SystemLook.exe) to your desktop.
- Double click SystemLook.exe to run the program.
- Copy the content of the following codebox into the main textfield:
:filefind
*pciide.sys*
- Click the Look button to start the scan.
- When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
- Note: The log can also be found on your Desktop entitled SystemLook.txt
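SystemLook's :filefind lists every copy of a file matching the pattern, which is how a driver that GMER reported as a "suspicious modification" gets compared with the copies Windows keeps elsewhere on the disk. The Python script below is added here as an example; it is not SystemLook and not part of the helper's instructions. It performs the same case-insensitive walk over a directory tree, hashes each hit, and then groups the copies by hash so that a copy disagreeing with the majority stands out. The directory layout under a temporary folder, the placeholder file contents, and the names filefind, odd_ones_out and demo are all constructed for the example.

```python
"""A :filefind-style search with hashing (added example; not SystemLook's code)."""
import fnmatch
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def filefind(root, pattern):
    """Walk `root` and return a record for every file whose name matches `pattern`
    (case-insensitive glob, like SystemLook's *pciide.sys*). Each record carries
    size, modification time and SHA-256 so copies can be compared."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fnmatch.fnmatch(fname.lower(), pattern.lower()):
                continue
            path = os.path.join(dirpath, fname)
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    digest.update(chunk)
            st = os.stat(path)
            hits.append({
                "path": path,
                "size": st.st_size,
                "mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
                "sha256": digest.hexdigest(),
            })
    return sorted(hits, key=lambda r: r["path"])


def odd_ones_out(hits):
    """Group the hits by hash. When the copies disagree, every copy outside the
    largest group is a suspect: a driver under system32\\drivers that no longer
    matches the copies in dllcache or ServicePackFiles is the usual shape of a
    'suspicious modification'. Returns [] when all copies agree (or there is
    only one); a tie is broken by keeping the first group seen."""
    by_hash = {}
    for rec in hits:
        by_hash.setdefault(rec["sha256"], []).append(rec["path"])
    if len(by_hash) < 2:
        return []
    majority = max(by_hash.values(), key=len)
    return sorted(p for group in by_hash.values() if group is not majority for p in group)


def demo():
    """Build a constructed stand-in for C:\\WINDOWS in a temp dir and run the search.
    File contents are placeholders, not real driver bytes."""
    root = tempfile.mkdtemp(prefix="filefind_demo_")
    pristine = b"MZ placeholder for the shipped pciide.sys (constructed)"
    patched = pristine + b" with an altered entry point (constructed)"
    layout = {
        os.path.join("system32", "drivers", "pciide.sys"): patched,
        os.path.join("system32", "dllcache", "pciide.sys"): pristine,
        os.path.join("ServicePackFiles", "i386", "pciide.sys"): pristine,
        os.path.join("system32", "drivers", "atapi.sys"): b"unrelated driver (constructed)",
    }
    for rel, data in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    hits = filefind(root, "*pciide.sys*")
    suspects = [os.path.relpath(p, root) for p in odd_ones_out(hits)]
    return {"hits": hits, "suspects": suspects}


if __name__ == "__main__":
    result = demo()
    for rec in result["hits"]:
        print(f"{rec['path']}  {rec['size']} bytes  {rec['mtime']}  {rec['sha256'][:16]}...")
    print("copies that disagree with the majority:", result["suspects"])
```

On the constructed tree the search finds three pciide.sys copies and reports the one under system32\drivers as the odd one out, because the dllcache and ServicePackFiles copies agree with each other. The majority rule is a heuristic for exactly this situation (one live driver against two cached originals); with only two copies it cannot say which is correct, and the hash should then be checked against a known-good copy from installation media.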
#11
Posted 05 August 2010 - 10:43 AM
#12
Posted 05 August 2010 - 12:21 PM
I am not exactly sure what you mean by:
"Copy the content of the following codebox into the main textfield:"
No problem

In the Codebox in my previous reply you will see the following text:
:filefind
*pciide.sys*
Place your cursor in front of the ":" and highlight all of the text by dragging your cursor across it so that it appears in a blue highlight box.
Once all of the text is highlighted, click on "Edit" and select "Copy".
Next, open the SystemLook program by double clicking on the SystemLook icon.
Place your cursor in the central text box (plain white box in the centre of the SystemLook program window), click on "Edit" and select "Paste".
The text you highlighted will be automatically pasted into the SystemLook text box.
Click on the "Look" button found beneath the text box.
SystemLook will do its job and produce a log.
Copy and Paste the contents of the log in your next reply.
If you run into any problems, just come back and let me know

#13
Posted 05 August 2010 - 12:53 PM
#14
Posted 05 August 2010 - 01:54 PM

#15
Posted 05 August 2010 - 10:50 PM