Network Problems And Extra Volume

The log is clean !

Hmm, thanks! Guess I will work to fix the windows network problem...and the weird disk volume. Appreciate your looking at my data!

jfs

Addendum after I thought about this. It is possible that my desktop problem came from running combofix in safe mode. Because when it cleared the desktop, the safe mode alert about running in safe mode came up. Usually you have to hit okay at that point and then windows loads the desktop. But the combofix instructions state you shouldn't do anything while combofix is doing its thing, so I didn't hit okay. And the desktop was black at the end, no icons, until I restarted.

Seems to me there might be an ambiguity in the combofix instructions. Not your fault, obviously.

So now, I have desktop icons or taskbar when in safe mode, but no icons or taskbar in normal mode. And I am not sure if this is due to the malware or due to combofix behavior when run in safe mode.

If you can help me get the icons and taskbar back in normal mode, I can run combofix again in normal mode and we can see if there are differences.

Thanks for the help!

Thank you Niels and Crysty2k5!

I will try that tonight. I do have control of the task mgr window.

I'm slowly chipping away at the malware's defenses that keep me from installing superantispyware. After I found the extra user in the registry (named S-1-5-21- with a long string of numbers following), I deleted that in the registry and restored my own rights I had lost. But from my quick look this morning I will have to drill down thru the disk volumes and folders to restore rights along the way. That's a project for tonight, as well as re-establishing the desktop and running combofix. BTW combofix did not restart my machine when I ran it in safe mode. Will run it in normal mode when I get the desktop back.

And with any luck I'll get superantispyware on the machine as well.

Here is combofix log from running it with windows in normal mode. The recovery console somehow got uninstalled, and so I had to run it again after reinstalling.

Combofix seems to run normally but hangs after it opens the log. To get the computer back, I have to open the task manager and do a restart off the menu, and it takes several minutes to get a desktop in normal mode...it used to take only a few seconds.

And thanks for the help!

ComboFix 08-06-04.1 - Julius 2008-06-06 6:20:55.3 - NTFSx86

Running from: E:\Documents and Settings\Julius\Desktop\ComboFix.exe

.

((((((((((((((((((((((((( Files Created from 2008-05-06 to 2008-06-06 )))))))))))))))))))))))))))))))

.

2008-06-03 17:30 . 2008-06-03 17:30 <DIR> d-------- E:\Program Files\Malwarebytes' Anti-Malware

2008-06-03 17:30 . 2008-06-03 17:30 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\Malwarebytes

2008-06-03 17:30 . 2008-06-03 17:30 <DIR> d-------- E:\Documents and Settings\Administrator\Application Data\Malwarebytes

2008-06-03 17:30 . 2008-05-30 01:06 34,296 --a------ E:\WINDOWS\system32\drivers\mbamcatchme.sys

2008-06-03 17:30 . 2008-05-30 01:06 15,864 --a------ E:\WINDOWS\system32\drivers\mbam.sys

2008-06-03 06:27 . 2008-06-03 06:27 <DIR> d---s---- E:\Documents and Settings\Administrator\UserData

2008-05-30 20:49 . 2008-05-30 20:49 <DIR> d-------- E:\Program Files\Spybot - Search & Destroy

2008-05-30 20:49 . 2008-05-30 21:11 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

2008-05-30 20:26 . 2008-05-30 20:26 <DIR> d-------- E:\Program Files\Windows Defender

2008-05-29 20:16 . 2008-05-29 20:16 <DIR> d-------- E:\Program Files\Lavasoft

2008-05-29 20:16 . 2008-05-29 20:17 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\Lavasoft

2008-05-29 20:10 . 2008-06-02 19:20 <DIR> d-------- E:\Program Files\Common Files\Wise Installation Wizard

2008-05-26 12:42 . 2008-05-26 12:42 <DIR> d--hs---- E:\WINDOWS\ftpcache

2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ E:\WINDOWS\system32\lsdelete.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-06-06 00:00 --------- d-----w E:\Documents and Settings\All Users\Application Data\SiteAdvisor

2008-05-28 23:57 --------- d-----w E:\Program Files\Mozilla Thunderbird

2008-05-25 13:03 --------- d-----w E:\Program Files\Java

2008-05-24 18:51 --------- d-----w E:\Program Files\SiteAdvisor

2008-05-10 16:38 --------- d-----w E:\Documents and Settings\Julius\Application Data\SiteAdvisor

2008-05-03 19:28 --------- d-----w E:\Documents and Settings\All Users\Application Data\Maxtor

2008-05-03 19:26 --------- d-----w E:\Program Files\Maxtor

2008-05-03 19:25 --------- d--h--w E:\Program Files\InstallShield Installation Information

2008-04-29 15:20 15,648 ----a-w E:\WINDOWS\system32\drivers\NSDriver.sys

2008-04-29 15:19 15,648 ----a-w E:\WINDOWS\system32\drivers\Awrtrd.sys

2008-04-29 15:19 12,960 ----a-w E:\WINDOWS\system32\drivers\Awrtpd.sys

2008-04-12 19:55 --------- d-----w E:\Documents and Settings\All Users\Application Data\Apple Computer

2008-04-11 00:02 --------- d-----w E:\Program Files\NetWaiting

2008-04-10 23:47 --------- d-----w E:\Program Files\Hayes

2008-03-27 08:12 151,583 ----a-w E:\WINDOWS\system32\msjint40.dll

2008-03-19 09:47 1,845,248 ----a-w E:\WINDOWS\system32\win32k.sys

.

((((((((((((((((((((((((((((( snapshot@2008-06-04_18.22.20.78 )))))))))))))))))))))))))))))))))))))))))

.

- 2008-06-04 22:08:45 2,048 --s-a-w E:\WINDOWS\bootstat.dat

+ 2008-06-06 09:55:38 2,048 --s-a-w E:\WINDOWS\bootstat.dat

+ 2008-06-06 09:55:43 16,384 ----atw E:\WINDOWS\TEMP\Perflib_Perfdata_770.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SpybotSD TeaTimer"="E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SigmatelSysTrayApp"="sttray.exe" []

"IntelAudioStudio"="E:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" [2006-08-02 18:17 9134080]

"DiskeeperSystray"="E:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-02-24 20:29 196709]

"farstone"="" []

"RestoreIT!"="E:\Program Files\FarStone\RestoreIT\RestoreIT_XP\VBPTASK.exe" [2005-04-30 01:09 122880]

"NvCplDaemon"="E:\WINDOWS\system32\NvCpl.dll" [2007-05-11 07:03 8429568]

"nwiz"="nwiz.exe" [2007-05-11 07:03 1626112 E:\WINDOWS\system32\nwiz.exe]

"NvMediaCenter"="E:\WINDOWS\system32\NvMcTray.dll" [2007-05-11 07:03 81920]

"ipTray.exe"="E:\Program Files\Intel\IDU\iptray.exe" [2006-11-24 13:26 2209792]

"SiteAdvisor"="E:\Program Files\SiteAdvisor\6261\SiteAdv.exe" [2007-12-04 17:03 36640]

"Adobe Reader Speed Launcher"="E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]

"BitDefender Antiphishing Helper"="E:\Program Files\BitDefender\BitDefender 2008\IEShow.exe" [2007-10-09 16:46 61440]

"BDAgent"="E:\Program Files\BitDefender\BitDefender 2008\bdagent.exe" [2008-02-22 19:33 360448]

"XboxStat"="e:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2007-09-26 19:05 734264]

"SunJavaUpdateSched"="E:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

"IntelliPoint"="E:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2006-11-21 21:09 842584]

"QuickTime Task"="E:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]

"iTunesHelper"="E:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]

"MaxtorOneTouch"="E:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe" [2006-03-27 15:04 712704]

"mxomssmenu"="E:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [2005-10-17 16:24 81920]

E:\Documents and Settings\All Users\Start Menu\Programs\Startup\

NaturalColorLoad.lnk - E:\Program Files\SEC\Natural Color\NaturalColorLoad.exe [2008-02-23 15:20:53 155715]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"msacm.dvacm"= E:\PROGRA~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm

"msacm.mpegacm"= mpegacm.acm

"msacm.ulmp3acm"= ulmp3acm.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"E:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"E:\\Program Files\\iTunes\\iTunes.exe"=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

bdx REG_MULTI_SZ scan

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]

\Shell\AutoRun\command - G:\setup.exe /autorun

\Shell\directx\command - G:\DirectX\dxsetup.exe

\Shell\setup\command - G:\setup.exe

*Newly Created Service* - CATCHME

.

Contents of the 'Scheduled Tasks' folder

"2008-06-06 09:58:42 E:\WINDOWS\Tasks\MP Scheduled Scan.job"

- E:\Program Files\Windows Defender\MpCmdRun.exe

.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-06-06 06:22:29

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2008-06-06 6:23:02

ComboFix-quarantined-files.txt 2008-06-06 10:22:58

ComboFix2.txt 2008-06-05 23:47:26

ComboFix3.txt 2008-06-04 22:22:33

Pre-Run: 239,047,184,384 bytes free

Post-Run: 239,035,551,744 bytes free

114 --- E O F --- 2008-05-15 18:51:11

Niels,

Thanks, I will try that (not at that computer at the moment). Is there any way to delete the unknown user from all the security tabs? It has embedded itself all over the place. I don't think it is controlling anything other than the superantivirus, but would like to clear it out anyway.

Also, should I be worried that the windows recovery console got somehow uninstalled? I reinstalled it and it seems stable now, but never saw that happen before.

jfs

Also I note that when I boot in normal mode. BitDefender launches but the neat little windows that show disk and network traffic do not open on the desktop.

And in normal mode, the machine is unbelievably slow. Used to boot to normal mode in <30 seconds, now take literally minutes, and if I put any mouse click or command in, it takes as much as a minute for the machine to respond.

So there are still things going on that need attention.

And thanks again for the help!

crysty2k5's EDIT: posts merged

Hi,

I am fast losing hope that I will be able to recover this machine. It is running slower and slower. The only thing I am able to do in normal mode is open the task manager. If I try to restart from task manager, explorer.exe hangs and I have to manually kill it. The performance tab shows virtually no CPU activity but the machine is not responding to anything right now. In the processes tab I can look at priority for each app, but when I try to set affinity I get an access denied error. This used to be a very fast machine (2ghz Core 2 Duo)

BD is disabled and I am unable to reenable it. Needless to say the machine is disconnected from the network and will remain so for now. Writing this on a different machine.

I was interested to learn that in normal mode, windoze adds a "disable" selection to applications that is not visible in safe mode. Why they would do it that way is beyond me. But anyway, on superantispyware the malware used this button to disable the installer. However the malware seems to have done the same thing to the installer, because it still will not install. The problem is that the machine is now essentially frozen and I can't get to msiexec.exe to check if it was disabled the same way.

I can try to download autoruns.zip, burn it to a CD and run it on the infected machine. I will have to do this from safe mode, because normal mode has become pretty much useless.

Is it a waste of time to run autoruns in safe mode? Any other ideas on getting enough control back that I can at least try?

If I do have to reinstall I wll lose some data, but not much. I back data up to an external hard drive that is turned off except when I am running backups so it is safe. I don't trust windoze to completely clean the drives. I'll wipe the drives clean using ultimate boot CD, one drive at a time with others disconnected so they can't reinfect each other. The main thing is that it is such a pain to reinstall everything.

And thanks again for all your help.

Hi Niels.

Diagnostic startup brought normal mode up very quickly. I will download the BD rescue disk and work to get my firewall back. Unfortunately I don't have a CD of the version of BD that I am running. A few months ago I had a massive crash due to hardware issues, and then I couldn't get BD to install properly from the CD, so the nice folks at BD authorized me to download the Internet Security 2008 version. But I never got a CD of it. Lesson learned.

Now when I try to install superantispyware I get a different error, which is that the installer service could not be accessed. I'm assuming that it should work in diagnostic mode, so I will attempt to re-register it.

Will get back to you with success or fail on BD rescue and superantispyware.

jfs

Hello jfs_1950,

Follow these instructions for how to re register windows installer. But I suppose that you know how to do that because you already mentioned it.

It could be that superantispyware installation needs a reboot. But because of the diagnostic startup the superantispyware service will not be started. To solve that press the windows button together with r now type services.msc press enter. Now search for services that have superantispyware in the name left click on them and choos start. Keep diagnostic support enabled as long as possible because it's going to be easier for superantispyware and other malware removal tools to remove infections. I advise that you also run a full (deep) scan of superantispyware also in safe mode and normal mode.

I will wait how it's going.

Best regards

Niels

Hi Niels, the problem with superantispyware isn't the service, because I have never been able to install it. The malware has kept me from doing that. But now, the installer itself doesn't want to respond. However the reboot suggestion is worth a try before I re-register it.

Thanks.

Hi Niels.

Well, I finally got superantispyware installed. Turns out that I did have to re-register the installer, but also had to turn it on using the windows diagnostic settings. I did that with BitDefender also, but cannot make changes to reactivate the firewall and the virus checker.

Tried the rescue disk, both my BD version 9 CD and a downloaded image from the link you sent. Both crash with an error that says that Linux cannot find the Knoppix file system. Sheesh.

Any ideas about how to fix that? In the meantime, I am running a deep scan with superantispyware.

Deep scan in safe mode and diagnostic mode revealed no problems. Also did a manual scan with bitdefender, nothing identified.

So looking for more ideas...thanks for helping me.

crysty2k5's EDIT: posts merged

Niels and crysty2k5, thanks for all the help.

Neither knoppix nodma nor failsafe helped with the bitdefender rescue disk. I did uninstall bitdefender though.

I got autoruns installed. I hadn't forgotten about it. Just hadn't run it yet. I ran it...and now I cannot connect to the internet to send the log!!!! Nor can I connect a USB flash drive to move it (reluctantly, since I don't know how safe it is) to another computer to send it!

I tried establishing a new network connection in safe mode with networking and also in diagnostic mode. No joy either way.

So any more ideas? Personally I'm getting closer to a complete reinstall if only because (1) then I'm done with the hassle, and (2) then I can trust the machine as much as I have ever trusted windoze and Bill Gates.

BTW windoze now is telling me that I have made significant hardware changes (which is complete BS, all problems are OS-related software) and I must re-activate in 3 days. Maybe this is the cause of no connectivity. Wouldn't surprise me.

Hey Bill Gates, how about coming to my house and fixing my computer??

Hello jfs_1950,

Personnally if I see that you now even got more problems it's better to restore a previous back-up.The infection might have caused some serious damage. Did Superantispyware detected something?

Or you can still try this put in the windows installation cd-rom. After that press the windows button together with r now type cmd press enter. Afterwards type this sfc /scannow and press enter.

Best regards,

Niels

Hi Niels.

Sorry about the outburst in my last post. But I feel like I'm playing whack-a-mole. In any event, tonight I will try the windows installation CD stuff.

To answer your question, no, superantispyware did not reveal anything. Presumably either the malware is something too new for it to recognize, or it got wiped out along the way but trashed the OS before it died.

Even if I restore from backup I'd like to get an autoruns log to you so we can see what is going on.

jfs

Hi Niels.

I ran SDFix and the log showed nothing unusual. I cannot upload the log because the network connections have disappeared from the infected machine. If I try to open the network connections icon, control panel freezes and I have to kill it in the task manager. Also I can no longer reach the device manager. Maybe that is why windoze thinks the hardware configuration is changed.

explorer.exe is no longer stable even in safe mode and I cannot shut down with the start button (an oxymoron, anyway) and must use task manager to restart.

If I could figure out how to send you the logs from SDFix and Autoruns I would, but the machine seems to have permanently isolated itself from the rest of the universe. I am mildly surprised it still accepts a connection to power.

I tried the windows installation disk scan (sdf /scannow) of the protected files. No improvement to the network connection or to to the device manager regardless of boot mode.

Between inability to fix the OS, and Bill Gates pestering me to reactivate which would put a 3 month timer on other major system changes, I can only conclude that it is time for an OS reinstall.

I will wipe the drives down to bare metal with Ultimate Boot CD, one at a time with the others disconnected, so they cannot reinfect each other.

Gonna be a long week as I reinstall everything. At least the vast majority of my data is backed up to an external hard drive which has been shut down through this entire adventure. The lesson to anyone else who reads this is: Back Up Your Data! (To a place where malware CANNOT find it)

I really appreciate both you and crysty2k5 working with me on this. Thanks so much.

jfs