Can NOT receive WAN requests--LAN is OK

Re: Can NOT receive WAN requests--LAN is OK

Post by a1sound » June 2nd, 2011, 5:34 pm

Hi Askey127,

I'm not so sure the server is out of the woods yet. I just ran another DDS scan and found a "ROOTKIT" entry.

If it can't be fixed, how can I cold start the drives and be sure to wipe it out?

Here is the latest scan...


.
DDS (Ver_11-05-19.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by buzz at 14:16:52 on 2011-06-02
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1442 [GMT -7:00]
.
AV: Outpost Security Suite *Disabled/Updated* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}
AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Outpost Security Suite *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\D4\D4.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\D-Link\D-Link USB VoIP Adapter\DLinkMonitor.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\GEEK SQUAD UPS\pppeuser.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\RhinoSoft.com\Serv-U\Serv-U-Tray.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DU Super Controler\DUSuperControler.exe
C:\Program Files\DU Super Controler\DUSuperControler.exe
C:\Program Files\DU Meter\DUMeter.exe
D:\Lists\Animal-List\SVList-Animal-List.exe
D:\Lists\UNJO\SVList-UNJO.exe
D:\Lists\WhiteGold-List\SVList-WhiteGold-List.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
svchost.exe
C:\Program Files\D4\D4.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\hMailServer\Bin\hMailServer.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\GEEK SQUAD UPS\ppped.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe
C:\Program Files\D-Link\D-Link USB VoIP Adapter\VServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\D-Link\D-Link USB VoIP Adapter\DPH-50U Utility.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
D:\_downloads\2011\110602\dds.scr
C:\WINDOWS\system32\WSCRIPT.exe
.
============== Pseudo HJT Report ===============
.
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [PowerPanel Personal Edition User Interaction] "c:\program files\geek squad ups\pppeuser.exe"
uRun: [SandboxieControl] "c:\program files\sandboxie\SbieCtrl.exe"
uRun: [ServUTrayIcon] c:\program files\rhinosoft.com\serv-u\Serv-U-Tray.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [Dimension4] c:\program files\d4\D4.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [DiskeeperSystray] "c:\program files\diskeeper corporation\diskeeper\DkIcon.exe"
mRun: [DLinkMonitor.exe] c:\program files\d-link\d-link usb voip adapter\DLinkMonitor.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [OutpostMonitor] "c:\progra~1\agnitum\outpos~1\op_mon.exe" /tray /noservice
mRun: [OutpostFeedBack] "c:\program files\agnitum\outpost security suite free\feedback.exe" /dump:os_startup
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstall ... AA4ADYARwA"&"inst=NwA3AC0ANgAzADgANQA1ADUAMQA5ADMALQBGAEwAKwA5AC0AWABPADkAKwAxAC0AWABPADMANgArADEA"&"prod=90"&"ver=9.0.901
StartupFolder: c:\docume~1\buzz\startm~1\programs\startup\d4exe~1.lnk - c:\program files\d4\D4.exe
StartupFolder: c:\docume~1\buzz\startm~1\programs\startup\dumeter.lnk - c:\program files\du meter\DUMeter.exe
StartupFolder: c:\docume~1\buzz\startm~1\programs\startup\svlist~2.lnk - d:\lists\animal-list\SVList-Animal-List.exe
StartupFolder: c:\docume~1\buzz\startm~1\programs\startup\svlist~3.lnk - d:\lists\unjo\SVList-UNJO.exe
StartupFolder: c:\docume~1\buzz\startm~1\programs\startup\svlist~1.lnk - d:\lists\whitegold-list\SVList-WhiteGold-List.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoexec.lnk - c:\autoexec.bat
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dusupe~1.lnk - c:\program files\du super controler\DUSuperControler.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\buzz\application data\mozilla\firefox\profiles\bpgjtaxx.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
.
============= SERVICES / DRIVERS ===============
.
R0 TLRecAgent;TLRecAgent;c:\windows\system32\drivers\TLRecAgent.sys [2007-1-2 37208]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-5-30 11608]
R1 SandBox;SandBox;c:\windows\system32\drivers\SandBox.sys [2011-5-31 710824]
R2 acssrv;Agnitum Client Security Service;c:\progra~1\agnitum\outpos~1\acs.exe [2011-5-31 2072592]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-5-30 136360]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-5-30 269480]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-5-30 61960]
R2 hMailServer;hMailServer;c:\program files\hmailserver\bin\hmailserver.exe runasservice --> c:\program files\hmailserver\bin\hMailServer.exe RunAsService [?]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-6-2 366640]
R2 TeamViewer5;TeamViewer 5;c:\program files\teamviewer\version5\TeamViewer_Service.exe [2010-3-18 172328]
R2 VService;VService;c:\program files\d-link\d-link usb voip adapter\VServ.exe [2007-1-2 105208]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [2011-5-31 34280]
R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [2011-5-31 267624]
R3 HomeQOS;HomeQOS Miniport;c:\windows\system32\drivers\homeqos.sys [2004-1-20 36096]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-6-2 22712]
R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2009-5-28 108032]
R3 slusbvip;SL3800 USB Driver;c:\windows\system32\drivers\slusbvip.sys [2007-1-2 591832]
R3 SLVAD_simple;D-Link Virtual Audio Device;c:\windows\system32\drivers\slvad.sys [2007-1-2 85656]
S3 ASWFilt;ASWFilt;c:\windows\system32\filt\ASWFilt.dll [2011-5-31 72352]
S3 VBEngNT;VBEngNT;c:\windows\system32\drivers\VBEngNT.sys [2011-5-31 242040]
S3 VBFilt;VBFilt;c:\windows\system32\filt\VBFilt.dll [2011-5-31 36288]
.
=============== File Associations ===============
.
txtfile=c:\pfiles\editpad\EditPad.exe "%1"
.
=============== Created Last 30 ================
.
2011-06-02 17:56:02 -------- d-----w- c:\documents and settings\buzz\application data\Malwarebytes
2011-06-02 17:55:53 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-02 17:55:51 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-06-02 17:55:47 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-02 17:55:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-31 18:26:31 -------- d-sha-r- C:\cmdcons
2011-05-31 18:25:14 98816 ----a-w- c:\windows\sed.exe
2011-05-31 18:25:14 518144 ----a-w- c:\windows\SWREG.exe
2011-05-31 18:25:14 256512 ----a-w- c:\windows\PEV.exe
2011-05-31 18:25:14 208896 ----a-w- c:\windows\MBR.exe
2011-05-31 07:33:59 1025824 ----a-w- c:\windows\system32\drivers\vbcorent.sys
2011-05-31 07:21:59 710824 ----a-w- c:\windows\system32\drivers\SandBox.sys
2011-05-31 07:21:59 242040 ----a-w- c:\windows\system32\drivers\VBEngNT.sys
2011-05-31 07:21:48 267624 ----a-w- c:\windows\system32\drivers\afwcore.sys
2011-05-31 07:21:17 34280 ----a-w- c:\windows\system32\drivers\afw.sys
2011-05-31 07:21:07 -------- d-----w- c:\windows\system32\Filt
2011-05-31 07:21:07 -------- d-----w- c:\documents and settings\buzz\application data\Agnitum
2011-05-31 07:21:06 -------- d-----w- c:\program files\Agnitum
2011-05-31 07:20:14 -------- d-----w- c:\documents and settings\all users\application data\Agnitum
2011-05-30 22:32:21 -------- d-----w- c:\windows\system32\NtmsData
2011-05-30 22:31:20 -------- d-----w- c:\documents and settings\buzz\application data\Avira
2011-05-30 22:26:39 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-05-30 22:26:39 -------- d-----w- c:\program files\Avira
2011-05-30 22:26:39 -------- d-----w- c:\documents and settings\all users\application data\Avira
2011-05-30 21:36:10 -------- d-----w- C:\$AVG
2011-05-27 10:35:00 -------- d-----w- c:\documents and settings\all users\application data\avg9
2011-05-27 09:50:43 -------- d-----w- c:\documents and settings\buzz\application data\GlarySoft
2011-05-27 09:50:42 -------- d-----w- c:\program files\Absolute Uninstaller
2011-05-27 07:12:51 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-05-27 07:12:51 -------- d-----w- c:\windows\system32\wbem\Repository
2011-05-27 05:41:16 -------- d-----w- c:\program files\Trend Micro
2011-05-24 03:18:42 -------- d-----w- c:\documents and settings\all users\application data\Common Files
2011-05-24 03:17:33 -------- d-----w- c:\documents and settings\all users\application data\AVG10
2011-05-24 03:17:10 -------- d-----w- c:\program files\AVG
2011-05-24 03:03:30 -------- d-----w- c:\documents and settings\all users\application data\MFAData
.
==================== Find3M ====================
.
2011-05-26 09:29:24 298016 ----a-w- c:\windows\system32\drivers\yk51x86.sys
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: SAMSUNG_SP2504C rev.VT100-33 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-12
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A708AB8]
3 CLASSPNP[0xBA108FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000071[0x8A7249E8]
5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Ide\IdeDeviceP2T0L0-7[0x8A6A4940]
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
user != kernel MBR !!!
.
============= FINISH: 14:17:29.49 ===============


Let me know what you'd do next, OK? I found the network drivers for this motherboard and reinstalled them. Still bad news.

I see that there are others on this forum with the same rootkit listing. There must be a way to dump this sucker!

Cheers,
Buzz.
a1sound
Regular Member
 
Posts: 39
Joined: April 18th, 2007, 10:19 pm
Location: Mojave CA
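The ROOTKIT section of the scan above reports that the MBR read through the normal (user) path differs from the one read at kernel level ("user != kernel MBR"). As an added illustration, not code from the thread or from the DDS/GMER tool, the Python below models that comparison on a constructed pair of 512-byte sectors and reports which region of the MBR disagrees; all sector contents and the function names are assumptions made for this example.

```python
# Added example (not from the thread): models the check behind the DDS/GMER
# "user != kernel MBR" verdict. The detector reads sector 0 through the normal
# path and again through the lowest-level disk driver, then compares the two.
# A bootkit that hooks disk I/O hands the clean sector to the first path only.
# All sector contents below are constructed sample data, not the poster's MBR.
import struct

SECTOR = 512
PTABLE_OFFSET = 446   # 4 x 16-byte partition entries start here
SIG_OFFSET = 510      # 0x55AA boot signature

def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed MBR: given boot code, one active type-0x07 partition, 0x55AA."""
    code = boot_code.ljust(PTABLE_OFFSET, b"\x00")[:PTABLE_OFFSET]
    # status, CHS start, type, CHS end, LBA start, sector count (sample values)
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 63, 0x1DE0EFF1)
    table = entry + b"\x00" * (16 * 3)
    return code + table + b"\x55\xaa"

def compare_mbr(user_view: bytes, kernel_view: bytes) -> dict:
    """Compare the two reads region by region and return the detector-style verdict."""
    if len(user_view) != SECTOR or len(kernel_view) != SECTOR:
        raise ValueError("an MBR is exactly one 512-byte sector")
    regions = {
        "boot_code": (0, PTABLE_OFFSET),
        "partition_table": (PTABLE_OFFSET, SIG_OFFSET),
        "signature": (SIG_OFFSET, SECTOR),
    }
    differing = [name for name, (lo, hi) in regions.items()
                 if user_view[lo:hi] != kernel_view[lo:hi]]
    return {
        "user_signature_ok": user_view[SIG_OFFSET:] == b"\x55\xaa",
        "kernel_signature_ok": kernel_view[SIG_OFFSET:] == b"\x55\xaa",
        "partition_table_match": "partition_table" not in differing,
        "differing_regions": differing,
        "verdict": "user != kernel MBR" if differing else "user == kernel MBR",
    }

def demo() -> dict:
    # XOR AX,AX; MOV SS,AX; MOV SP,0x7C00; STI: the opening of a stock MBR
    clean = build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb")
    # Constructed tampered sector: same partition table and signature, different
    # boot code, i.e. the disk still boots but runs code that is not the original.
    tampered = build_sample_mbr(b"\xeb\xfe" + b"\x90" * 6)
    # The user path is shown the clean copy; the kernel path sees what is on disk.
    return compare_mbr(user_view=clean, kernel_view=tampered)

if __name__ == "__main__":
    print(demo())
```
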

Re: Can NOT receive WAN requests--LAN is OK

Post by askey127 » June 2nd, 2011, 6:58 pm

The ONLY way to remove the bootkit is the way I showed.
Please review what I instructed, and do it again if you wish.

There are no other remedies.
askey127
Admin/Teacher
 
Posts: 13903
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Can NOT receive WAN requests--LAN is OK

Post by a1sound » June 3rd, 2011, 12:31 am

Hi askey127,

Sorry--I didn't see that you had answered my last post. Oh, well...

Cheers,
Buzz.

Re: Can NOT receive WAN requests--LAN is OK

Post by askey127 » June 3rd, 2011, 6:58 pm

As this issue will need to be resolved by removing and re-installing all partitions, and reformatting the drive, this thread is closed.
