Seth Posted November 27, 2007

As I write this, I have a lappy in my shop that is undergoing disinfection. It was running Avast, which is soon to be removed. It would start in Safe Mode, but Normal Mode gave a brief BSOD and restarted. I slaved the drive and ran SAS. Check this out (note the rootkits and driver infection):

SUPERAntiSpyware Scan Log
https://www.superantispyware.com

Generated 11/27/2007 at 11:32 AM

Application Version : 3.9.1008

Core Rules Database Version : 3351
Trace Rules Database Version: 1350

Scan type : Complete Scan
Total Scan Time : 00:16:24

Memory items scanned : 437
Memory threats detected : 0
Registry items scanned : 4862
Registry threats detected : 0
File items scanned : 15204
File threats detected : 42

Trojan.IBM/Shell
D:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WEB FOLDERS\IBM00001.DLL
D:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WEB FOLDERS\IBM00002.DLL
D:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WEB FOLDERS\IBM00003.DLL

Trojan.Downloader-Gen/WinAble-Installer
D:\PROGRAM FILES\TEMPORARY\WININSTALL.EXE

Trojan.Net-Winable
D:\PROGRAM FILES\WINABLE\WINABLE.EXE

Rootkit.Rustock/Arp1349
D:\SYSTEM VOLUME INFORMATION\_RESTORE{60329CE7-09B1-413E-91ED-A884652D5989}\RP11\A0018295.SYS
D:\SYSTEM VOLUME INFORMATION\_RESTORE{60329CE7-09B1-413E-91ED-A884652D5989}\RP11\A0019299.SYS
D:\SYSTEM VOLUME INFORMATION\_RESTORE{60329CE7-09B1-413E-91ED-A884652D5989}\RP11\A0021295.SYS
D:\SYSTEM VOLUME INFORMATION\_RESTORE{60329CE7-09B1-413E-91ED-A884652D5989}\RP11\A0023285.SYS
D:\SYSTEM VOLUME INFORMATION\_RESTORE{60329CE7-09B1-413E-91ED-A884652D5989}\RP11\A0025285.SYS
D:\SYSTEM VOLUME INFORMATION\_RESTORE{60329CE7-09B1-413E-91ED-A884652D5989}\RP11\A0027285.SYS
D:\SYSTEM VOLUME INFORMATION\_RESTORE{60329CE7-09B1-413E-91ED-A884652D5989}\RP11\A0029285.SYS
D:\SYSTEM VOLUME INFORMATION\_RESTORE{60329CE7-09B1-413E-91ED-A884652D5989}\RP11\A0031285.SYS
D:\SYSTEM VOLUME INFORMATION\_RESTORE{60329CE7-09B1-413E-91ED-A884652D5989}\RP11\A0033285.SYS
D:\SYSTEM VOLUME INFORMATION\_RESTORE{60329CE7-09B1-413E-91ED-A884652D5989}\RP11\A0035285.SYS
D:\SYSTEM VOLUME INFORMATION\_RESTORE{60329CE7-09B1-413E-91ED-A884652D5989}\RP11\A0037285.SYS
D:\SYSTEM VOLUME INFORMATION\_RESTORE{60329CE7-09B1-413E-91ED-A884652D5989}\RP11\A0039285.SYS
D:\SYSTEM VOLUME INFORMATION\_RESTORE{60329CE7-09B1-413E-91ED-A884652D5989}\RP11\A0041285.SYS
D:\SYSTEM VOLUME INFORMATION\_RESTORE{60329CE7-09B1-413E-91ED-A884652D5989}\RP11\A0043285.SYS
D:\SYSTEM VOLUME INFORMATION\_RESTORE{60329CE7-09B1-413E-91ED-A884652D5989}\RP11\A0045285.SYS
D:\SYSTEM VOLUME INFORMATION\_RESTORE{60329CE7-09B1-413E-91ED-A884652D5989}\RP11\A0047285.SYS
D:\SYSTEM VOLUME INFORMATION\_RESTORE{60329CE7-09B1-413E-91ED-A884652D5989}\RP11\A0049285.SYS
D:\SYSTEM VOLUME INFORMATION\_RESTORE{60329CE7-09B1-413E-91ED-A884652D5989}\RP11\A0051285.SYS
D:\SYSTEM VOLUME INFORMATION\_RESTORE{60329CE7-09B1-413E-91ED-A884652D5989}\RP11\A0053285.SYS
D:\SYSTEM VOLUME INFORMATION\_RESTORE{60329CE7-09B1-413E-91ED-A884652D5989}\RP11\A0056294.SYS
D:\SYSTEM VOLUME INFORMATION\_RESTORE{60329CE7-09B1-413E-91ED-A884652D5989}\RP11\A0058298.SYS
D:\SYSTEM VOLUME INFORMATION\_RESTORE{60329CE7-09B1-413E-91ED-A884652D5989}\RP11\A0059298.SYS
D:\SYSTEM VOLUME INFORMATION\_RESTORE{60329CE7-09B1-413E-91ED-A884652D5989}\RP11\A0061298.SYS
D:\WINDOWS\SYSTEM32\DRIVERS\ASWTDI.SYS

Trojan.Downloader-Gen/MROFINU
D:\SYSTEM VOLUME INFORMATION\_RESTORE{60329CE7-09B1-413E-91ED-A884652D5989}\RP11\A0018304.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{60329CE7-09B1-413E-91ED-A884652D5989}\RP11\A0019301.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{60329CE7-09B1-413E-91ED-A884652D5989}\RP11\A0021298.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{60329CE7-09B1-413E-91ED-A884652D5989}\RP11\A0054291.EXE
D:\WINDOWS\MROFINU390.EXE.TMP

Trojan.Downloader-Gen/Installer
D:\WINDOWS\B122.EXE

Trojan.Downloader-Gen/MROFIN
D:\WINDOWS\MROFINU390.EXE

Trojan.Downloader-2JZ/Slow
D:\WINDOWS\SYSTEM32\DRIVERS\RUNTIME.SYS

Rootkit.RunTime2
D:\WINDOWS\SYSTEM32\DRIVERS\RUNTIME2.SYS

Trojan.XPDX-Rootkit
D:\WINDOWS\SYSTEM32\XPDX.SYS

Trojan.Net-StartDrv/DH
D:\WINDOWS\TEMP\STARTDRV.EXE

Trojan.Downloader-Gen/WSUSUPD
D:\WSUSUPD.EXE

Trace.Known Threat Sources
D:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\UN2DOT6B\17PHolmes[2].cmd

I just installed the drive back into the lappy and it boots up now. I'm currently running a new scan.

BTW, I disinfect anywhere from 6 to 10 computers a week using SAS. Of those, the majority are running Norton, AVG, or McAfee.

Proud SAS reseller.
fatdcuk Posted November 27, 2007

Hey Seth, IBM0000(1-3).DLL is a Sinowal trojan. It is a password logger. You will need to advise your client to change all PWs across the board, both on the computer and in general PC use, if they do anything data-sensitive from that machine.
Seth Posted November 27, 2007

> Hey Seth, IBM0000(1-3).DLL is a Sinowal trojan. It is a password logger. You will need to advise your client to change all PWs across the board, both on the computer and in general PC use, if they do anything data-sensitive from that machine.

Already done. Thanks for the reply, fatdcuk.
char971 Posted April 5, 2008

I downloaded the free version of SAS and found it to find more things than other software. However, I just recently found malware on my computer. The two files I know of are "mrofinu1001186.exe" and "17PHolmes1001186.exe". I did extensive research online and found this post, which specifically states that the "mrofinu*.exe" and the "17PHolmes*.exe" were found using SAS (as stated above). So I did a full scan with SAS and it did not detect either. Mind you, this scan took over 6 hours. I figured I had to buy the full version because I did a full scan and SAS still did NOT DETECT them!!!! Was this post just a trick to get people to purchase the software? The only other information I can find on these files is that there is no use trying to recover anything and I need to reformat my hard drive and reload WinXP. Please, any advice would be greatly appreciated.
fatdcuk Posted April 6, 2008

No tricks here, but hold the phone on the R&R, as there is no need. SAS Free has the identical detection and removal abilities of SAS Pro. They use the same scanning engine and the same target definitions ;)

Nowadays, when malware files are imported from their source, the MD5 checksum is altered regularly (in some cases on each unique download, in others daily or every couple of days), but the net result is a *new* file = new variant. This causes the age-old problem for MD5 scanners: when they don't know the new variant, they won't detect or remove it, despite the filename being a known offender, or at least a rehash of a known bad file name.

Next up, I would suggest contacting SAS support. They will have you run their diagnostic tool to lift these unknown variants and subsequently update their target definitions to detect and remove your variants: https://www.superantispyware.com/csrcreateticket.html

*Leave a link back to this topic in your support ticket so SAS HQ have background information.*

HTH :)
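The point fatdcuk makes above (a checksum-only definition misses a re-packed copy of a known offender even when the filename is the same) is easy to demonstrate. The following is an added example, not code from the original thread and not SUPERAntiSpyware's engine or definitions: the sample payload, the "known bad" hash set, and the filename patterns (modelled loosely on the mrofinu*.exe and 17PHolmes*.exe / .cmd names that appear in this thread) are all constructed here for illustration. It shows that appending a single byte produces a file whose MD5 is no longer in the definitions, while a filename-pattern check still flags it.

```python
"""
Added example (not from the original thread or from SUPERAntiSpyware):
why an exact-checksum blocklist misses a "new variant" of a known-bad
file, and how a filename pattern still catches it. Sample bytes, hash
list and patterns are constructed for illustration only.
"""
import hashlib
import re

# Hypothetical definitions: exact-match MD5 digests of files seen before.
# Populated by register_known_bad() from constructed sample content.
KNOWN_BAD_MD5 = set()

# Assumed filename patterns (case-insensitive), shaped like the names in
# the thread: mrofinu<digits>.exe[.tmp] and 17PHolmes<digits>[n].exe/.cmd.
SUSPICIOUS_NAME_PATTERNS = [
    re.compile(r"^mrofinu\d*\.exe(\.tmp)?$", re.IGNORECASE),
    re.compile(r"^17pholmes\d*(\[\d+\])?\.(exe|cmd)$", re.IGNORECASE),
]


def md5_hex(data: bytes) -> str:
    """Hex MD5 of a file's bytes, the key an MD5-based scanner matches on."""
    return hashlib.md5(data).hexdigest()


def register_known_bad(data: bytes) -> str:
    """Add one sample's checksum to the (constructed) definitions."""
    digest = md5_hex(data)
    KNOWN_BAD_MD5.add(digest)
    return digest


def hash_verdict(data: bytes) -> bool:
    """True only if this exact byte-for-byte file is in the definitions."""
    return md5_hex(data) in KNOWN_BAD_MD5


def name_verdict(filename: str) -> bool:
    """True if the basename matches a known-offender naming pattern."""
    return any(p.match(filename) for p in SUSPICIOUS_NAME_PATTERNS)


def repack(data: bytes, salt: bytes) -> bytes:
    """Simulate a per-download 'fresh' build: same payload, extra bytes."""
    return data + salt


def classify(filename: str, data: bytes) -> dict:
    """Run both checks so the two verdicts can be compared side by side."""
    return {
        "md5": md5_hex(data),
        "hash_hit": hash_verdict(data),
        "name_hit": name_verdict(filename),
    }


if __name__ == "__main__":
    # Constructed sample payload; not real malware.
    original = b"CONSTRUCTED SAMPLE PAYLOAD - not real malware\x00"
    register_known_bad(original)
    print("original :", classify("mrofinu390.exe", original))
    variant = repack(original, b"\x01")          # one byte differs
    print("variant  :", classify("mrofinu1001186.exe", variant))
    print("benign   :", classify("notepad.exe", b"unrelated content"))
```

A filename match alone is not a removal verdict (legitimate files can share a pattern), which is why the thread's advice is to submit the unknown variant so its checksum is added to the definitions; the name check is the tripwire that tells you a submission is needed.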
char971 Posted April 6, 2008

Thanks for the information. I did send a ticket. I just checked and did get the response to run the online tool to send the information. I'll repost once I have more info. Thanks!
infosponge Posted April 6, 2008

Hi char971, what I noticed is that your definitions 3351 (core) and 1351 (trace) are ancient. Current definitions are 3432 / 1424. You might also like to upgrade the program itself to version 4.01154, as the new one is significantly superior to V3.9. Hope this helps.
infosponge Posted April 6, 2008

Sorry char971, I meant to respond to Seth's post. Seth, I think you know what you're doing, so I suppose you have your reasons for running 3.9 and the old definitions. I would be interested in knowing what your strategy is.
infosponge Posted April 6, 2008

Seth, forget it! I see I was referencing an old post from last November. Sorry about that, REALLY! I wasn't paying attention; this is probably an SAS first!
char971 Posted April 7, 2008

I'm running the most recent core and trace, but I'm having a problem downloading the very newest version. It keeps hanging. However, I did another scan and it found them, said it removed them, rebooted, and they are back. Now I have two instances of 17PHolmes1001186.exe running. I'm running yet another scan.

I could live with it right now, but it has destroyed my printers. I cannot print anything. I have 3 printers (Brother MFC-7220, Epson CX-4600, HP Photosmart). I use the Brother EVERY DAY as this is my laser. I have deleted all my printers and drivers and tried to reinstall my Brother from CD, but it will not print. It was working fine up until 4/4 when I noticed the malware and tried to manually delete it. Any suggestions on my printer????

I found another web site that specifically stated that since this malware attacks all files, I have to reformat and reload Windows. I bought this laptop used and do not have ANY CDs, so I'd have to go out and buy WinXP. I don't have a current backup of my data files, and I prepare taxes. I have not finished printing my clients' tax files yet, and am running out of time. I don't want to print them to PDF and print them somewhere else as this might infect another computer. Also, after I read that post, I did a search for files that were modified/created on 4/5/08-4/5/08. I finally stopped the search after it found 15,000+ files.

I am desperately in need of advice. Can this malware be removed, or do I need to reformat my drive and lose all my data? Also, does anyone know the origin? Is it attached to an email attachment, to software? If so, what? My daughter (12) gets on my laptop every now and then, so I just want to see if this may have been the culprit of something she did, or myself. Thanks!
SUPERAntiSpy Posted April 7, 2008

Submit a support request here and we can run a custom diagnostic and find out what the problem is: https://www.superantispyware.com/support.html
char971 Posted April 8, 2008

Ok. I did the diagnostic 3 days ago (Saturday) and it says to wait 24 hours for a response. I have received NO response. I'm getting a little upset. I have tried several "removal" procedures, including downloading all kinds of software (CWShredder, Spybot, Ad-Aware, RogueRemover, AVG Anti-Spyware, AVG Anti-Virus Software, plus the full version of SAS), and now I can no longer log into my computer in regular mode, only Safe Mode. Can I post a "HijackThis" log and get some help? As stated, it's been 3 DAYS since I did the diagnostic and I have received NO response from tech support yet.
SUPERAntiSpy Posted April 8, 2008

> Ok. I did the diagnostic 3 days ago (Saturday) and it says to wait 24 hours for a response. I have received NO response. I'm getting a little upset. I have tried several "removal" procedures, including downloading all kinds of software (CWShredder, Spybot, Ad-Aware, RogueRemover, AVG Anti-Spyware, AVG Anti-Virus Software, plus the full version of SAS), and now I can no longer log into my computer in regular mode, only Safe Mode. Can I post a "HijackThis" log and get some help? As stated, it's been 3 DAYS since I did the diagnostic and I have received NO response from tech support yet.

You submitted your diagnostic SUNDAY at 6:25 AM (Pacific Standard Time). Our technicians analyzed the diagnostic yesterday and updated our definitions to remove the few traces you had left over from the Vundo infection. Your real-time protection was also turned OFF, and that's likely why you got infected in the first place.

Before you post statements like "It's been 3 DAYS", etc., make sure you have your facts straight. It's been under 48 hours; we analyzed your diagnostic within 24 hours of you submitting it.

Check for definition updates and re-scan your system.
char971 Posted August 4, 2008

Ok. I thought I got rid of 17PHolmes, etc., but it is now back. I think there were still traces that were dormant on my computer. My niece has been on it, and ever since she was "playing" with her MySpace, etc., etc., I started getting all kinds of pop-ups which I was not getting. Next thing you know, I do a Ctrl+Alt+Del to see what's running, and there they are! 17pholmes1001186.exe is back.

I tried running SAS, but when I reloaded everything on my computer, I apparently only have the free version again and need my license number. I sent a request for it last night and am awaiting a response. However, my email has changed. It USED to be char971@comcast.net, but I am switching to Verizon. In the meantime, I'm using a Yahoo account, which is outdoorgirl971@yahoo.com.

I need some help again to try to get this thing off my computer. I did what was said before, with no luck. Last time I couldn't get into Windows except for Safe Mode, and it appeared that after running all the anti-spyware and anti-virus programs that it was gone, so I just reloaded Windows. But my computer has never been right since. So I don't think it actually got rid of it the first time.

BIG PROBLEM I HAVE is that my laptop does not have any CD/DVD or floppy drives, only USB, so I CANNOT BOOT FROM a CD or floppy. I would love to reformat my hard drive and just start over, but I cannot boot from an external drive apparently. Even if I select in my BIOS to run from USB storage, it does not recognize it. HELP
Pandato Posted August 4, 2008

Please do not double post if you have already submitted a support request, as it doubles our work to respond to both. It sounds like this may be a re-infection if your niece has been on your machine. As it has been since April, the infection may have changed. Check that the version you are using is the latest and that the definitions are current. Provide that information in your support ticket, thanks.