I have malware of some description on a laptop. The only utilities I can run are Defogger and GMER Rootkit Scanner. All the rest recommended here for scan results and removal produce errors, basically stating that the executable is corrupt or missing files, or "an unknown error occurred" when launching. Specifically, for Malwarebytes it fails to install rules.ref and then, if I ignore that, zlib.dll and more. Renaming executables makes no difference.

I have attached the GMER One.log to this post.

Would really appreciate some suggestions for resolution steps.

Thanks in advance.

Also I should mention that the malware breaks the Event Log service and internet access. I've managed to restore these with "netsh winsock reset", but IE shows a table with "Access denied to system because of URL Filter Configuration"; however, I'm not sure where this filter is being applied and by what. I have disabled McAfee Security Centre as it detects nothing, but the DAT files are a couple of months old.

You forgot the GMER log. Please don't attach it, please copy/paste it. We don't like to open attachments from infected computers.

I've been able to update McAfee through removing a mystery IE proxy setting but it detects nothing on a quick scan. Running a full scan but it's found nothing yet.

Here's the GMER log.

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit quick scan 2010-11-24 15:39:44
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 ST916082 rev.3.AD
Running: hki72fod.exe; Driver: C:\Users\SA\AppData\Local\Temp\kglcipog.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0x8F48179E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0x8F481738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0x8F48174C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x8F4817DC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0x8F48181F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0x8F481710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0x8F481724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0x8F4817B2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0x8F481847]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0x8F481833]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0x8F48178A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0x8F481776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0x8F48180B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x8F4817F2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0x8F4817C8]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateUserProcess [0x8F481762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----
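Reading the GMER output above: every hooked system call (the `Code` lines) and every attached filter device is owned by mfehidk.sys or Mpfp.sys, both of which GMER itself labels as McAfee drivers, and hooking those routines is what McAfee's host intrusion prevention and firewall components normally do. The scan therefore contains no hook that GMER could not attribute to a named vendor. The following Python script is an added example, not part of the thread or of GMER, that parses these two GMER line formats and groups them by owning driver so that any unattributed hook stands out. The sample log is constructed from a few of the posted lines plus one made-up `badexample.sys` line to show the flagged case.

```python
"""Group GMER 'Code' (hook) and 'AttachedDevice' lines by owning driver.

Added example for the thread above; not GMER's own code. It only parses the
two line formats visible in the posted log.
"""
import re
from collections import defaultdict

# Constructed sample: the McAfee lines are copied from the posted GMER log; the
# badexample.sys line is made up to show how a hook with no vendor string is flagged.
SAMPLE_GMER_LOG = r"""
---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0x8F48179E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0x8F481710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\badexample.sys ZwTerminateProcess [0x8F4A0000]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----
"""

# "Code <driver path> (<description>/<vendor>) <hooked routine> [<address>]"
# The description and the address are both optional in GMER output.
CODE_RE = re.compile(
    r"^Code\s+(?P<path>\S+)"
    r"(?:\s+\((?P<desc>[^)]*)\))?"
    r"\s+(?P<func>\w+)"
    r"(?:\s+\[(?P<addr>0x[0-9A-Fa-f]+)\])?\s*$"
)
# "AttachedDevice <target driver object> <device> <filter driver file> (<description>/<vendor>)"
DEVICE_RE = re.compile(
    r"^AttachedDevice\s+(?P<target>\S+)\s+(?P<device>\S+)\s+(?P<driver>\S+)"
    r"(?:\s+\((?P<desc>[^)]*)\))?\s*$"
)


def _basename(path):
    """Driver file name, lower-cased, so \\SystemRoot\\...\\X.sys and X.sys group together."""
    return path.rsplit("\\", 1)[-1].lower()


def _vendor(desc):
    """GMER writes 'Description/Vendor'; return the vendor part or None."""
    if not desc:
        return None
    return desc.rsplit("/", 1)[-1].strip()


def parse_gmer(text):
    """Return {driver_file: {'vendor': str|None, 'hooks': [(routine, addr)], 'devices': [device]}}."""
    drivers = defaultdict(lambda: {"vendor": None, "hooks": [], "devices": []})
    for line in text.splitlines():
        m = CODE_RE.match(line)
        if m:
            d = drivers[_basename(m["path"])]
            d["vendor"] = d["vendor"] or _vendor(m["desc"])
            d["hooks"].append((m["func"], m["addr"]))
            continue
        m = DEVICE_RE.match(line)
        if m:
            d = drivers[_basename(m["driver"])]
            d["vendor"] = d["vendor"] or _vendor(m["desc"])
            d["devices"].append(m["device"])
    return dict(drivers)


def unattributed_drivers(summary):
    """Drivers that hook or filter something but carry no vendor string: review these first."""
    return sorted(name for name, d in summary.items() if d["vendor"] is None)


if __name__ == "__main__":
    summary = parse_gmer(SAMPLE_GMER_LOG)
    for name, d in sorted(summary.items()):
        print(f"{name:16} vendor={d['vendor']!r:40} hooks={len(d['hooks'])} devices={d['devices']}")
    print("unattributed:", unattributed_drivers(summary))
```

Running it on the full posted log gives a single hooking driver, mfehidk.sys, with a McAfee vendor string, and no unattributed entries; in the constructed sample only badexample.sys is flagged. A vendor string is not proof of legitimacy on its own (it comes from the file's version resource), so the next check on a flagged driver would be its digital signature and its on-disk location.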

Since you cannot run any of the needed utilities you probably are going to have to do most of these using a flash drive to take them to the infected computer and then running the programs offline. Do you have a flash drive?

Using a flash drive and another computer, do the following:
These are instructions given on the MBA-M General Help Forum
http://forums.malwarebytes.org/index.php?showtopic=10138
You need to DISCONNECT the affected computer from the internet.
You will need to download required files to the flash drive. Take it to the infected computer and run them.

MBA-M removal utility: http://www.malwarebytes.org/mbam-clean.exe

Download the randomized renamed mbam.exe version from http://malwarebytes.org/mbam-download-exe-random.php
In some cases you will need to rename the random-named mbam.exe to explorer.exe.
Since you will have the computer offline you also won't be able to do the regular update, so go here and download the manual update file:
http://malwarebytes.gt500.org/

After you have all those files on the flash drive then go to the infected computer and transfer those files and follow steps below.
# Uninstall Malwarebytes' Anti-Malware using Add/Remove programs in the control panel.
# Restart your computer (very important).
# Download and run this utility. mbam-clean.exe
# It will ask to restart your computer (please allow it to).
# After the computer restarts, Temporarily disable your Anti-Virus and install the latest version of Malwarebytes' Anti-Malware that you brought on the flash drive and update it using the manual update files also from the flash drive.

Next run a Full Scan with MBA-M. Have it remove everything found. Reboot the computer, save the log to the flash drive and post back here with the MBA-M log.

Thanks for your help. I am running Malwarebytes now and it's found one infection so far (5mins scanning).

Malwarebytes would still not install but it was only on the rules.ref this time for some reason. Went ahead and ignored then copied rules.ref from my other laptop but Malwarebytes errored on start-up. Rerunning the DB installer on the infected machine worked as I guess it found the rules.ref I had copied. Anyway Malwarebytes started after this. Hope this is clear.

Will post as soon as the scan finishes...

Here's the MBA-M log but looks like the DB wasn't up-to-date after all, so re-running as have updated from net now.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5184

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18975

11/25/2010 5:20:10 PM
mbam-log-2010-11-25 (17-20-10).txt

Scan type: Full scan (C:\|D:\|F:\|)
Objects scanned: 460130
Time elapsed: 4 hour(s), 16 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\MediaHoldings (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\apto6ko (Worm.KoobFace) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cpqoko6 (Worm.KoobFace) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{c14e6230-757d-4246-81ce-b34e2940c722} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\tapisrvs (Worm.KoobFace) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DH456JBJ\win_protection_update[1].exe (Rogue.ControlCenter) -> No action taken.
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DH456JBJ\win_protection_update[2].exe (Rogue.ControlCenter) -> No action taken.
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DH456JBJ\win_protection_update[3].exe (Rogue.ControlCenter) -> No action taken.
C:\Windows\System32\rar.exe (Trojan.Backdoor) -> No action taken.
C:\Windows\bk23567.dat (KoobFace.Trace) -> No action taken.
C:\Windows\fdgg34353edfgdfdf (KoobFace.Trace) -> No action taken.
C:\Windows\ligh (Koobface.Trace) -> No action taken.
C:\Temp\explorer.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.

Actually the database wasn't that far off. But running again is a good idea because... you didn't have the program do any cleaning. Look at the log for all items found: -> No action taken.
Be absolutely certain you follow this part of the instructions:
* Be sure that everything is checked, and click Remove Selected if malware is found.
* When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can be retrieved by opening up MBAM and clicking on the Logs Tab at the top of the program.

Reboot the computer; this is VERY important, as many infections cannot be fully cleaned by MBA-M until very early in the boot process, when the infected files have not had a chance to activate. So you must always click that Remove Selected button and then reboot right then. Otherwise the tool won't be able to do its full removal.

AFTER the computer reboots, open MBA-M again and go to the Logs Tab. It would be the bottom one you want; open it up and copy/paste it back here.
Then do the following:

Please Run the ESET Online Scanner

http://www.eset.com/onlinescan/scanner.php?i_agree=14
* You will need to allow an ActiveX control to be installed, or you may use Firefox if you have the IE Tab add-on.
* You will need to temporarily Disable your current Anti-virus program.
* Be sure the option to Remove found threats is checked and the option to Scan unwanted applications is Checked.
* When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt.

Come back and post that log too.
Judy
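The point Judy makes about `-> No action taken` can be checked mechanically rather than by reading a 4-hour scan log by eye. The script below is an added example (not from the thread and not Malwarebytes' own code) that parses the MBAM 1.46 log format shown above, reports which detections were left in place, and labels each item by the kind of location it was found in: a Services key (something started at boot), a SvcHost service-group value (code hosted inside an svchost.exe process), a ShellExecuteHooks entry (a COM object the shell loads when programs are launched), a browser-cache download, and so on. The sample log is constructed from lines in the first MBAM log posted above plus one made-up item with a `Quarantined and deleted successfully` status; the category names are this example's own, not Malwarebytes terminology.

```python
"""Triage a Malwarebytes' Anti-Malware (1.x) log: what was found, where, and was it removed?

Added example for the thread above; not Malwarebytes code. Entry lines have the form
    <item> (<threat name>) -> <status>.
"""
import re
from collections import Counter

# Constructed sample: entries copied from the first MBAM log in the thread, plus one
# made-up item (Example.Constructed) to show a detection that was actually removed.
SAMPLE_MBAM_LOG = r"""
Registry Keys Infected: 2
Registry Values Infected: 2
Files Infected: 3

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\MediaHoldings (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\apto6ko (Worm.KoobFace) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{c14e6230-757d-4246-81ce-b34e2940c722} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\tapisrvs (Worm.KoobFace) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DH456JBJ\win_protection_update[1].exe (Rogue.ControlCenter) -> No action taken.
C:\Windows\System32\rar.exe (Trojan.Backdoor) -> No action taken.
C:\Temp\constructed_example.tmp (Example.Constructed) -> Quarantined and deleted successfully.
"""

# Section headers are "<Something> Infected:" with nothing after the colon;
# the summary block at the top has a count after the colon and is skipped.
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<status>.+?)\.?\s*$")

# Location labels, checked in order (first match wins). Names are this example's own.
MECHANISMS = [
    ("\\services\\", "service"),                     # HKLM\SYSTEM\...\Services\<name>: driver/service started at boot
    ("\\svchost\\", "svchost service group"),        # HKLM\...\Windows NT\CurrentVersion\SvcHost: group run by svchost.exe
    ("\\shellexecutehooks\\", "shell execute hook"),  # COM object loaded by the shell when programs are launched
    ("\\currentversion\\run", "run key"),            # Run / RunOnce autostart values
    ("temporary internet files", "browser cache"),   # downloaded payload, not a persistence point
    ("\\windows\\", "windows directory"),            # dropped file under C:\Windows
]


def classify(item):
    """Map a registry path or file path to one of the MECHANISMS labels, or 'other'."""
    low = item.lower()
    for needle, label in MECHANISMS:
        if needle in low:
            return label
    return "other"


def parse_mbam(text):
    """Return a list of {'section', 'item', 'threat', 'status', 'mechanism'} dicts."""
    entries, section = [], None
    for line in text.splitlines():
        h = SECTION_RE.match(line)
        if h:
            section = h["section"]
            continue
        m = ENTRY_RE.match(line)
        if m and section:
            entries.append({
                "section": section,
                "item": m["item"],
                "threat": m["threat"],
                "status": m["status"],
                "mechanism": classify(m["item"]),
            })
    return entries


def pending(entries):
    """Detections the user did not let MBAM remove (the '-> No action taken' case)."""
    return [e for e in entries if e["status"].lower().startswith("no action taken")]


def by_mechanism(entries):
    """How many detections sit in each kind of location."""
    return Counter(e["mechanism"] for e in entries)


if __name__ == "__main__":
    found = parse_mbam(SAMPLE_MBAM_LOG)
    left = pending(found)
    print(f"{len(found)} detections, {len(left)} NOT removed")
    for e in left:
        print(f"  [{e['mechanism']:22}] {e['threat']:28} {e['item']}")
    print("by location:", dict(by_mechanism(found)))
```

On the real first log every one of the eight files and five registry items comes back as pending, which is exactly why a second scan with Remove Selected and a reboot was needed. The location labels also show why the reboot matters: a Services key and a SvcHost group entry are loaded before the user's desktop appears, so their files are in use when a scan runs from the logged-on session.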

log before choosing to remove the offending files and try keys. Now I'm familiar with the sequence of the log creation I'll send the post removal script once the second scan finishes.

Thanks for your diligence. :)

That happens to a lot of people the first time they use it. Once they get the hang of it, no problem. This tool is top of the line, be sure to keep it and use it for Quick Scan at least once a week, be sure to update first. If Quick Scan finds something then of course remove, reboot, update again and run the full scan. Quick Scan doesn't scan as deeply as the normal scan so this is why a second run with full scan is recommended if something is found.

After these scans complete then also do a system scan with HiJackThis version 2.0.4 and save the log. Post that log here too.

http://free.antivirus.com/hijackthis/

Here's the latest log. Have discovered the executables I was trying to run, although downloaded from the vendor sites, had somehow become corrupt. Not sure if it was the trojan but don't see evidence of Koobface doing this. Seems to be sorted and downloading new copies of the exes.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5189

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18975

11/25/2010 9:01:10 PM
mbam-log-2010-11-25 (21-01-10).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 460272
Time elapsed: 3 hour(s), 26 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Many thanks for your help.

Are all problems corrected?

Yes, everything is working now. Thanks.
