Slow start-up and crashing system...



Heya.. A few days ago, Jan 21st to be exact, my PC was infected by a rootkit (at least that's what Avast said). Ever since then, my system has been crashing and at times even just turning itself off as if the power had been cut. Starting up takes almost 5 mins, and this even when I put the computer into hibernate. I ran GMER and these are the results:

 

GMER 1.0.14.14536 - http://www.gmer.net

Rootkit scan 2009-01-24 22:44:09

Windows 5.1.2600 Service Pack 3

 

 

---- System - GMER 1.0.14 ----

 

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xF351C576]

SSDT \SystemRoot\System32\drivers\b071f4f9.sys ZwCreateEvent [0xF874D815] <-- ROOTKIT !!!

SSDT \SystemRoot\System32\drivers\b071f4f9.sys ZwCreateKey [0xF874B905] <-- ROOTKIT !!!

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xF351C910]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xF351C00A]

SSDT \SystemRoot\System32\drivers\b071f4f9.sys ZwOpenKey [0xF874B9B9] <-- ROOTKIT !!!

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xF351BF4A]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xF351BFAE]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xF351C62C]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xF351C5EC]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xF351C76C]

 

---- Kernel code sections - GMER 1.0.14 ----

 

? System32\drivers\b071f4f9.sys The system cannot find the file specified. !

 

---- User IAT/EAT - GMER 1.0.14 ----

 

IAT C:\WINDOWS\system32\services.exe[1248] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00390002

IAT C:\WINDOWS\system32\services.exe[1248] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00390000

 

---- Devices - GMER 1.0.14 ----

 

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

 

Device \FileSystem\Fastfat \FatCdrom b071f4f9.sys

Device \Driver\Tcpip \Device\Ip 81521626

 

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

AttachedDevice \Driver\Tcpip \Device\Ip b071f4f9.sys

 

Device \Driver\aswTdi \Device\AswUdpFilter b071f4f9.sys

Device \Driver\Tcpip \Device\Tcp 81521626

 

AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

AttachedDevice \Driver\Tcpip \Device\Tcp b071f4f9.sys

 

Device \Driver\aswTdi \Device\ASWTDI b071f4f9.sys

Device \Driver\aswTdi \Device\AswTcpFilter b071f4f9.sys

Device \Driver\Tcpip \Device\Udp 81521626

 

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

AttachedDevice \Driver\Tcpip \Device\Udp b071f4f9.sys

 

Device \Driver\Tcpip \Device\RawIp 81521626

 

AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

AttachedDevice \Driver\Tcpip \Device\RawIp b071f4f9.sys

 

Device \Driver\Tcpip \Device\IPMULTICAST 81521626

Device \FileSystem\Fastfat \Fat b071f4f9.sys

 

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

 

---- Threads - GMER 1.0.14 ----

 

Thread 4:728 81519FEB

Thread 4:732 81519FEB

Thread 4:736 81519FEB

Thread 4:740 81519FEB

Thread 4:744 81519FEB

Thread 4:748 81519FEB

Thread 4:752 81519FEB

Thread 4:756 81519FEB

Thread 4:760 81519FEB

Thread 4:764 81519FEB

Thread 4:768 81519FEB

Thread 4:772 81519FEB

Thread 4:776 81519FEB

Thread 4:780 81519FEB

Thread 4:784 81519FEB

Thread 4:788 81519FEB

Thread 4:792 81519FEB

Thread 4:796 81519FEB

Thread 4:800 81519FEB

Thread 4:804 81519FEB

Thread 4:808 81519FEB

Thread 4:812 81519FEB

Thread 4:816 81519FEB

Thread 4:820 81519FEB

Thread 4:824 81519FEB

Thread 4:828 81519FEB

Thread 4:832 81519FEB

Thread 4:836 81519FEB

Thread 4:840 81519FEB

Thread 4:844 81519FEB

Thread 4:848 81519FEB

Thread 4:852 81519FEB

Thread 4:856 81519FEB

Thread 4:860 81519FEB

Thread 4:864 81519FEB

Thread 4:868 81519FEB

Thread 4:872 81519FEB

Thread 4:876 81519FEB

Thread 4:880 81519FEB

Thread 4:884 81519FEB

Thread 4:888 81519FEB

Thread 4:892 81519FEB

Thread 4:896 81519FEB

Thread 4:900 81519FEB

Thread 4:904 81519FEB

Thread 4:908 81519FEB

Thread 4:912 81519FEB

Thread 4:916 81519FEB

Thread 4:920 81519FEB

Thread 4:924 81519FEB

Thread 4:928 81519FEB

Thread 4:932 81519FEB

Thread 4:936 81519FEB

Thread 4:940 81519FEB

Thread 4:944 81519FEB

Thread 4:948 81519FEB

 

---- Services - GMER 1.0.14 ----

 

Service System32\drivers\b071f4f9.sys (*** hidden *** ) [sYSTEM] b071f4f9 <-- ROOTKIT !!!

 

---- Registry - GMER 1.0.14 ----

 

Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected] \SystemRoot\System32\drivers\b071f4f9.sys

Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected] 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected] 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected] 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00037a1252a3

Reg HKLM\SYSTEM\ControlSet003\Services\[email protected] \SystemRoot\System32\drivers\b071f4f9.sys

Reg HKLM\SYSTEM\ControlSet003\Services\[email protected] 1

Reg HKLM\SYSTEM\ControlSet003\Services\[email protected] 1

Reg HKLM\SYSTEM\ControlSet003\Services\[email protected] 1

Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\00037a1252a3

 

---- EOF - GMER 1.0.14 ----

 

This particular file keeps popping up as a rootkit infection (\SystemRoot\System32\drivers\b071f4f9.sys), but it can't seem to be deleted. It just keeps returning and returning. I'm at my wits' end here. Please help, guys. It would be greatly appreciated.

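The GMER log above mixes legitimate hooks (the avast! drivers, which GMER labels with a vendor description) with hooks from an image that has no description, is registered as a hidden service, and whose file cannot be found on disk. As an added example (not part of the thread, and not GMER's own code), the Python script below parses those record types and flags a driver on exactly those indicators; the sample log is a constructed excerpt modelled on the one posted.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the GMER log posted above (not the full log).
SAMPLE_LOG = r"""
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xF351C576]
SSDT \SystemRoot\System32\drivers\b071f4f9.sys ZwCreateEvent [0xF874D815] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\drivers\b071f4f9.sys ZwOpenKey [0xF874B9B9] <-- ROOTKIT !!!
? System32\drivers\b071f4f9.sys The system cannot find the file specified. !
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp b071f4f9.sys
Service System32\drivers\b071f4f9.sys (*** hidden *** ) [sYSTEM] b071f4f9 <-- ROOTKIT !!!
"""

# One regex per GMER record type; a "(description/vendor)" may follow the image path.
VENDOR = r"(?:\s+\((?P<vendor>[^)]*)\))?"
SSDT_RE = re.compile(r"^SSDT\s+(?P<image>\S+)" + VENDOR + r"\s+(?P<func>Zw\w+)\s+\[0x[0-9A-Fa-f]+\]")
ATTACHED_RE = re.compile(r"^AttachedDevice\s+\S+\s+(?P<device>\S+)\s+(?P<image>\S+)" + VENDOR)
SERVICE_RE = re.compile(r"^Service\s+(?P<image>\S+)\s+\((?P<flags>[^)]*)\)")
MISSING_RE = re.compile(r"^\?\s+(?P<image>\S+)\s+The system cannot find the file specified")

def _base(path):
    return path.rsplit("\\", 1)[-1].lower()  # image file name, case-folded

def parse_gmer(text):
    """Group GMER findings by driver image name."""
    drivers = defaultdict(lambda: {"vendor": None, "ssdt": [], "devices": [], "hidden_service": False, "missing_on_disk": False})
    for line in text.splitlines():
        if m := SSDT_RE.match(line):                 # kernel service table hook
            d = drivers[_base(m["image"])]
            d["ssdt"].append(m["func"])
            d["vendor"] = d["vendor"] or m["vendor"]
        elif m := ATTACHED_RE.match(line):           # filter attached to a device stack
            d = drivers[_base(m["image"])]
            d["devices"].append(m["device"])
            d["vendor"] = d["vendor"] or m["vendor"]
        elif m := SERVICE_RE.match(line):            # service entry, possibly hidden from the API
            drivers[_base(m["image"])]["hidden_service"] |= "hidden" in m["flags"]
        elif m := MISSING_RE.match(line):            # loaded code whose file is not visible on disk
            drivers[_base(m["image"])]["missing_on_disk"] = True
    return dict(drivers)

def triage(drivers):
    """Return {image: [reasons]} for drivers that deserve a closer look."""
    findings = {}
    for name, d in drivers.items():
        checks = [  # "no vendor" means GMER printed no description for this image
            (d["ssdt"] and not d["vendor"], "hooks SSDT entries %s with no vendor description" % ", ".join(d["ssdt"])),
            (d["devices"] and not d["vendor"], "filters %s with no vendor description" % ", ".join(d["devices"])),
            (d["hidden_service"], "registered as a hidden service"),
            (d["missing_on_disk"], "loaded in the kernel but its file cannot be found on disk"),
        ]
        if reasons := [why for hit, why in checks if hit]:
            findings[name] = reasons
    return findings
```

Run `triage(parse_gmer(SAMPLE_LOG))` and only b071f4f9.sys comes back, with all four reasons; the avast! drivers hook the same tables but carry a vendor description and are left alone.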

OK, so here are the results from the Sophos scan.

 

Area: Windows registry

Description: Hidden registry value

Location: \HKEY_USERS\S-1-5-21-1454471165-484061587-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\TrayNotify\PastIconsStream

Removable: No

Notes: (type 3, length 1045732) "\x14 \x05 \x01 \x01 \xc0\x03 \x14 IL \x06\xc0\x03\xc1\x03\x04 \x10 \x10 \xff\xff\xff\xff! \xff\xff\xff\xff\xff\xff\xff\xffBM6 6 ( \x10 \x10<" ... "\x80\x07 \xc0\x07 "

 

I also ran the AVG and the Rootkit Hook Analyzer, but nothing came up. Once the scans were all done, I restarted the comp. I ran Sophos again and this time, surprisingly, my system came up clean. Anyway, it still remains slow during start-ups, restarts and so on. Any ideas what's wrong?

Edited by JeanneD

Sounds like you may have some other "Malware". Let's download Malwarebytes.

Use Malwarebytes this way:

1. Double-click mbam-setup.exe and follow the prompts to install the program.

2. At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

3. If an update is found, it will download and install the latest version.

4. Once the program has loaded, select Perform full scan, then click Scan.

5. When the scan is complete, click OK, then Show Results to view the results.

6. Be sure that everything is checked, and click Remove Selected.

 

Also get SUPERAntiSpyware. Install it, update it, and run a complete full scan.

 

Post back with the logfiles and let us know what you find. ;)

 

 

:geezer:


If you have a rootkit, IMHO... format your hard drive and do a clean install, because the PC has been compromised and you'll never really know if it's clean or not.


Thanks caintry_boy and Joe C for replying.

 

OK, so before I decide to do a reformat (if it's really needed), I'll try caintry_boy's suggestions first. I'll post back ASAP. Thanks again, guys! =)

 

PS - How do you reformat your hard drive? I've always been sending it to the 'experts' so far. I'm willing to learn how to do it myself, though. It's so much more cost-effective ;)

Edited by JeanneD

OK, so I ran the tests, and boy, are the results shocking! I didn't know my system was that badly infected. Phew! :blink:

 

Malwarebytes' Anti-Malware 1.33

Database version: 1702

Windows 5.1.2600 Service Pack 3

 

1/29/2009 5:07:29 AM

mbam-log-2009-01-29 (05-07-29).txt

 

Scan type: Full Scan (C:\|D:\|G:\|)

Objects scanned: 121054

Time elapsed: 1 hour(s), 13 minute(s), 8 second(s)

 

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 6

Registry Values Infected: 3

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 3

 

Memory Processes Infected:

(No malicious items detected)

 

Memory Modules Infected:

C:\WINDOWS\system32\crypts.dll (Trojan.Agent) -> Delete on reboot.

 

Registry Keys Infected:

HKEY_CLASSES_ROOT\bhonew.bho (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\bhonew.bho.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{7d76d0eb-ae56-4df4-affc-20aff4344ac6} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7d76d0eb-ae56-4df4-affc-20aff4344ac6} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7d76d0eb-ae56-4df4-affc-20aff4344ac6} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt (Trojan.Agent) -> Quarantined and deleted successfully.

 

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\12cfg914-k641-26sf-n31p (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\13cfg914-k641-26sf-n33p (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\12zfg94-f641-2sf-k31p-5n1er6h6l2 (Trojan.Agent) -> Quarantined and deleted successfully.

 

Registry Data Items Infected:

(No malicious items detected)

 

Folders Infected:

(No malicious items detected)

 

Files Infected:

G:\System Volume Information\_restore{E3976F7E-85A7-481A-A761-2FCFB7A2654E}\RP120\A0042145.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\fmark2.dat (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\crypts.dll (Trojan.Agent) -> Delete on reboot.

 

And here's the second one, for spyware:

 

SUPERAntiSpyware Scan Log

http://www.superantispyware.com

 

Generated 01/29/2009 at 02:24 AM

 

Application Version : 4.25.1012

 

Core Rules Database Version : 3733

Trace Rules Database Version: 1702

 

Scan type : Complete Scan

Total Scan Time : 01:04:30

 

Memory items scanned : 633

Memory threats detected : 1

Registry items scanned : 6535

Registry threats detected : 16

File items scanned : 19371

File threats detected : 3

 

Trojan.Unclassified/Crypts

C:\WINDOWS\SYSTEM32\CRYPTS.DLL

C:\WINDOWS\SYSTEM32\CRYPTS.DLL

Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\crypt

 

Adware.Vundo Variant

HKLM\Software\Classes\CLSID\{7D76D0EB-AE56-4DF4-AFFC-20AFF4344AC6}

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{37566535-A634-5164-5467-5A56453BD4FA}

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7D76D0EB-AE56-4DF4-AFFC-20AFF4344AC6}

HKU\S-1-5-21-1454471165-484061587-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{37566535-A634-5164-5467-5A56453BD4FA}

HKU\S-1-5-21-1454471165-484061587-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7D76D0EB-AE56-4DF4-AFFC-20AFF4344AC6}

HKCR\CLSID\{7D76D0EB-AE56-4DF4-AFFC-20AFF4344AC6}

HKCR\CLSID\{7D76D0EB-AE56-4DF4-AFFC-20AFF4344AC6}\ProgID

HKCR\CLSID\{7D76D0EB-AE56-4DF4-AFFC-20AFF4344AC6}\Programmable

HKCR\CLSID\{7D76D0EB-AE56-4DF4-AFFC-20AFF4344AC6}\VersionIndependentProgID

 

Rootkit.Dopper/ETH

HKLM\System\ControlSet001\Services\ethcitwe

C:\WINDOWS\SYSTEM32\DRIVERS\ETHCITWE.SYS

HKLM\System\ControlSet001\Enum\Root\LEGACY_ethcitwe

HKLM\System\ControlSet003\Services\ethcitwe

HKLM\System\ControlSet003\Enum\Root\LEGACY_ethcitwe

HKLM\System\CurrentControlSet\Services\ethcitwe

HKLM\System\CurrentControlSet\Enum\Root\LEGACY_ethcitwe

 

Adware.Tracking Cookie

C:\Documents and Settings\USER\Cookies\[email protected][2].txt

 

I followed everything you suggested and had the files deleted. Are they really gone, though? Please advise. =) Shall I run the tests again just to make sure my system is clean?

PS - Can I delete the AVG Rootkit Scanner & Rootkit Hook Analyzer? I have Sophos already...

Edited by JeanneD

Wow JeanneD, lots of *baddies* there!!

Go to Start/Control Panel/Add or Remove Programs and uninstall AVG Rootkit Scanner & Rootkit Hook Analyzer.

While in Control Panel go to System/System Restore tab and turn off System Restore, then run the scans again. After they finish, restart the PC, then go back and turn System Restore back on.

 

If it seems OK, you're probably good to go. If not, download HiJackThis, install it to its own folder and run it. Select *Scan and save logfile*, copy the logfile and post it here: http://forums.pcpitstop.com/index.php?showforum=25

Don't tell HJT to fix anything until you receive word from a trusted advisor.

Please include the logs of Malwarebytes and SUPERAntiSpyware also.

 

Let us know how you make out. ;)

 

:geezer:

Edited by caintry_boy

Alleluia!! The scans came up clean, caintry_boy! It seems OK now... Oh, the joy!!

 

Here are the logs:

 

SUPERAntiSpyware Scan Log

http://www.superantispyware.com

 

Generated 01/29/2009 at 10:39 AM

 

Application Version : 4.25.1012

 

Core Rules Database Version : 3733

Trace Rules Database Version: 1702

 

Scan type : Complete Scan

Total Scan Time : 01:14:42

 

Memory items scanned : 522

Memory threats detected : 0

Registry items scanned : 6521

Registry threats detected : 0

File items scanned : 16595

File threats detected : 0

 

Malwarebytes' Anti-Malware 1.33

Database version: 1702

Windows 5.1.2600 Service Pack 3

 

1/29/2009 10:29:00 AM

mbam-log-2009-01-29 (10-29-00).txt

 

Scan type: Full Scan (C:\|D:\|G:\|)

Objects scanned: 115126

Time elapsed: 1 hour(s), 5 minute(s), 45 second(s)

 

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

 

Memory Processes Infected:

(No malicious items detected)

 

Memory Modules Infected:

(No malicious items detected)

 

Registry Keys Infected:

(No malicious items detected)

 

Registry Values Infected:

(No malicious items detected)

 

Registry Data Items Infected:

(No malicious items detected)

 

Folders Infected:

(No malicious items detected)

 

Files Infected:

(No malicious items detected)

 

OK, so now that we're done with this, I've got just one more thing to ask. Since I already have Avast and Ad-Aware running on my comp, should I delete them? Because now I have Sophos, Malwarebytes and SUPERAntiSpyware... I think that's a bit too many anti-malware solutions, isn't it?

 

Please advise as to which one to keep and which to delete. Thank you so much for all the guidance you've given me, caintry_boy, Joe C & law993. I really appreciate it! =)

Edited by JeanneD

:rocks:

 

JeanneD, I'd keep them all and add these two with the others.

SpywareGuard runs in the background. Update it once and forget it, it just runs and keeps *nasties* away. I run it on all my comps.....

 

SpywareBlaster also runs in the background. You will want to check for updates every week or two. I also run it on all my comps to keep *nasties* away.

 

Keep your Avast updated; it's a good antivirus, which I also run. Sophos and Malwarebytes you can keep and run periodically (every month or so, or when you think you may have a problem). Keep SUPERAntiSpyware and update it weekly and scan with it weekly; it may only find "tracking cookies", but it also finds other things sometimes. It's also one that runs on all my PCs.

 

Luck to ya', and keep up *the good fight against Malware*!!!

 

 

:geezer:

Edited by caintry_boy

Caintry is a great adviser.

 

Super & MBAM are manual scanners, doing nothing until you update and run them. They are thought to be better than Ad-Aware now. Blaster & Guard do not cause any problems in the background. One more active antispyware might be good: Spybot (TeaTimer & Immunize)?????


Thanks again, guys! Really, really appreciate all the help and advice you've given. Caintry, I can't even begin to thank you. *Cheers* and keep up the good work with PC Pitstop forums!

 

JeanneD

Edited by JeanneD