possible w32/bagz, unk. rootkit reg entries

Discussion in 'Malware Help (A Specialist Will Reply)' started by Jersymaters, Jun 10, 2008.

Thread Status:
Not open for further replies.
  1. Jersymaters

    Jersymaters Private E-2

    I have been having a little bit of trouble. I used UBCD4win boot cd to try and scan offline, testing. SAS found 8 registry entries, Rootkit.Unknown - usbhubb. SAS quarantined them so I guess they were deleted, being a boot cd.
    After rebooting my computer I had a strange character entry in HJT.
    I tried Icesword, nothing important highlighted, except for Advanced scan, lots of inline hooks. I can't interpret it though.
    I tried Driver detect, file scan showed ndisrd.sys Locked to the windows API!.
    Google-ndisrd.sys, in conjunction with syslogin.exe is W32.Bagz. So I Start/search for syslogin.exe, my search doesn't work. Doesn't even alert the dog.
    Also my OA firewall is down and I can't re-enable it. The icon is in the tray but when I right-click it, nothing. I had to disable it for combofix.

    I included the SAS offline scan results, the combofix log is too big to post in one upload.
    There may be other symptoms I'm just forgetting about at the moment.
     

    Attached Files:

  2. Jersymaters

    Jersymaters Private E-2

    Part 1 and 2 combofix.
    I will post the other logs after the storm passes.
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    I'm having a problem understanding exactly what you are doing. You must not boot another PC or the UBCD4win CD to run the scans in the READ & RUN ME. You have to boot the operating system on the PC having the problem and run the scans on that PC. So please clearly explain if you are booting the PC with the problem and running the scans on it or if you are booting a CD and running from it.

    Where is the requested log from Malwarebytes Anti-Malware?

    Also please do not make up your own names for programs and please run them how we ask you to run them. We did not ask you to name ComboFix as konalite.exe and you did not run it using the command line option with killall. You must have the ComboFix.exe file renamed and on the Desktop of the PC having the problem and I do not see it there. Also your ComboFix log was too large to post because you have run it multiple times and the snapshot is making the file huge. We do not want you to run it multiple times. Please do the below to uninstall ComboFix and clean this up so logs are not so large.

    • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required.
    • "%userprofile%\Desktop\konalite" /u
      • Notes: The space between the konalite" and the /u, it must be there.
      • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    • Delete any of the below if they still remain:
      • C:\cf
      • C:\ComboFix.txt
      • C:\konalite
    Now continue on with the below and make sure that you are running Windows from the problem PC.

    Now download and save this new version of ComboFix to your Desktop. combofix.exe

    Do not run it yet and don't worry about renaming it. Just leave it as combofix.exe!


    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O16 - DPF: Xß -

    After clicking Fix, exit HJT.


    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.


    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  4. Jersymaters

    Jersymaters Private E-2

    I must have been excited and not thinking clearly to convey my issues. I apologize.

    I ran UBCD4Win first, before you guys were a thought. No other PC is involved. UBCD4Win is a version of BartPE. Like WinPE.
    I was using this to learn more about alternate scanning methods for malware detection. The 6/6 SAS scan was while boot cd was active, HDD inactive.
    Having been professionally cleaned (wipe and reinstall) of a subvirt type infection, February, I wanted to learn alternate techniques.
    On May 6, Norman malware cleaner found W32/horst inside Explorer.exe and two OA drivers(W32/trojan.csqn) to be infected. It cured Explorer but not OA drivers, thought maybe false positive OA drivers.

    I could not find it. It was getting past my bedtime. The next day I ran Malwarebytes again, checked the log tab, all files visible. Check with Start/search not visible, crazy. They are apparently being saved in application data, and is not visible to search. I have XP Pro.


    And what if cf.exe is added to some malwares list? I then make 1 extra step of difficulty for malware. Sorry if this is an issue.

    Was having trouble accessing your website the day of the storm. I didn't copy the command down so was kinda up shoots creek. Philadelphia lost a 6 inch underground electric supply cable due to the heat, before the storm.


    (I am running on Limited User Account. If there are things that must be run as administrator, please say so.)

    Combofix(konalite) would not run completely. Would close due to some error, I thought related to Online Armor. I disabled Firewall and Program protection of OA. It ran twice with same error. After disabling OA, I ran it a third time.
    Was unsure what to do about errors.
    Now I can not re-enable OA firewall and prog protection. I have tried it from both the Admin account and the Limited account, no luck.

    Note: C:\WINDOWS\system32\Drivers\uzk0mtq0.sys *This belongs to AVZ 4.29 AVZGuard module.
    C:\WINDOWS\system32\drivers\kxrmsghookdrv.sys *This belongs to KXray, an Anti-rootkit tool from YPT Pro site.

    I have been away most of the day today.
    I will reacquire the Mbam logs, my computer rebooted while away due to a win update. (Logs are in the Admin account, who woulda thunk)

    I will follow your directions on the morrow. Thanks for your assistance.

    Jersy
     

    Attached Files:

  5. Jersymaters

    Jersymaters Private E-2

    I can't uninstall combofix/konalite with the method you gave.
    "%userprofile%\Desktop\konalite" /u
    As Limited, I get "installation failed"
    I have installed it as Limited user with run as...Administrator. Is there a way to do this with run as... administrator?

    I have not downloaded the new combofix yet. Was trying to uninstall the old 1 first.

    I did FIX the HJT you specified, but that is as far as I would go until combofix issue is resolved.

    I can't access, uninstall Online Armor, which I disabled to allow combofix to run.
    I currently don't have a good firewall.

    I have a picture of the Spybot S&D download updates issue, see below.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    As stated in the READ & RUN ME procedures
    So give this account admin privileges while you are trying to clean it. It will make things easier. Then run the procedures as requested.

    Sometimes with Spybot, you need to connect to a different download server and try again. Also it would be best to do this after making the account an admin account. You can also install updates manually from here: Spybot Search and Destroy Update
     
  7. Jersymaters

    Jersymaters Private E-2

    Changing the account to admin seems to have worked.
    Followed the procedures and have attached the logs.
    OA is still the same. Not working, but running.
    I have received a "successfully added to the registry" message.

    Note: Typo: YPT Pro should read YTK Pro, sorry for any confusion.
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not tell me how things are working now besides Online Armor. For OA, I suggest that you uninstall it, reboot (do not skip), and then reinstall.

    Your logs are clean.
     
  9. Jersymaters

    Jersymaters Private E-2

    Well, I guess performance has improved a little.
    Also less quirkiness. I just can't tell if stuff is calling out when it shouldn't.

    My AV detected bifrost, registry wget entries, and KaZaA registry entries after all of the procedures, just before posting this.
    As for the bifrost, it detected two of them before the combofix session, but just one after. Not sure if it was a remainder or a reinfection, like reboot.

    OA is running, so I can't uninstall it. I'm guessing that there are start up entries and/or services running preventing it from being uninstalled. I'll surf around and see what I dig up. I just didn't want to all out surf until the thumbs up.

    [offtopic]
    Would sc query be helpful in determining the presence of a rootkit or malware item?
    Example:
    sc query type= driver group= ""
    and
    sc queryex group= ""
    [/offtopic]

    End Report :)
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I need to see a log that shows exactly what it is finding and where.

    You would think that their uninstall routine would be smart enough to know to do this itself. See if you can just exit/shutdown the firewall and then uninstall it.

    No! We use root kit scanners to look for rootkits. You can see some tools here: Alternative Scans
     
  11. Jersymaters

    Jersymaters Private E-2

    As far as OA, I had to go into safe mode to uninstall. There must have been some clash between combofix and OA. I'll check out their forums for these clashes.

    My AV doesn't produce log files, at least not that I can find. I have included cropped desk images. The first image contains 3 entries, the bottom one (highlighted) is from after the completion of all of the procedures.
    Labeled: bifrost.png

    The second image is of the Quarantine list so you can see it's order and dates of discovery.
    Labeled: quarantine14.png

    Something has been calling out on connect to internet. It changes ports and programs that call out. This behavior has occurred before the cleaning. It has only been noticeable since installing OA, though it may have happened even before that.
    The ports involved are 53; 67; and 1900; 53 may be OA.
    The programs calling out vary from services to each installed program.
    This activity occurs after physically plugging in cable and before browser loads its default web page. I'm using Netscape 7.2

    I tried to disable TCP/IP Netbios in admintools/services.msc. Disabling it prevents me from connecting to the internet. Also, it is password protected title=NT Authority/ Local service. I don't recall setting a password for this or know how to set a password for this. I poked around inside gpedit once.

    [offtopic]
    I found out tonight that sc query enumerates the results and that hxrdefender can bypass enumeration. So I guess that is why specialty tools are important.
    Thanks for your input.
    [/offtopic]

    Your help has been excellent so far, even though I bungled up the cleansing process somewhat.
     

    Attached Files:
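The post above notes that `sc query` only reports what the Service Control Manager enumerates, so a rootkit that hides its service is missed. Rootkit scanners work around this by comparing several views of the same data. The script below is an added example (not code from the thread or from any of the tools mentioned): it parses the real `sc query type= driver state= all` output format and diffs it against a second, constructed view of driver service names (as they would be read from HKLM\SYSTEM\CurrentControlSet\Services). The sample output and the registry list are constructed; the "usbhubb" name reused from the first post is only a placeholder for a hidden entry.

```python
"""Cross-view check of Windows driver services (added example).

`sc query type= driver state= all` prints one record per service in the
format parsed below.  A second view of the same set, taken from the
Services registry key, is compared against it; names present in one view
but not the other are the discrepancies a rootkit scanner would flag.
"""
import re

# Constructed sample of `sc query type= driver state= all` output.
SC_QUERY_OUTPUT = """
SERVICE_NAME: ndisrd
DISPLAY_NAME: ndisrd
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

SERVICE_NAME: kxrmsghookdrv
DISPLAY_NAME: KXray message hook driver
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1077  (0x435)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
"""

# Constructed second view: driver service names as they would be listed
# under HKLM\SYSTEM\CurrentControlSet\Services.  "usbhubb" stands in for
# an entry that the SCM enumeration does not show.
REGISTRY_DRIVER_SERVICES = {"ndisrd", "kxrmsghookdrv", "usbhubb"}


def parse_sc_query(text):
    """Parse `sc query` output into {name: {"display", "type", "state"}}."""
    services = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"^SERVICE_NAME:\s*(\S+)", line)
        if m:                       # start of a new service record
            current = m.group(1)
            services[current] = {}
            continue
        if current is None:         # text before the first record
            continue
        m = re.match(r"^DISPLAY_NAME:\s*(.*)$", line)
        if m:
            services[current]["display"] = m.group(1).strip()
            continue
        # TYPE / STATE lines: "TYPE : 1  KERNEL_DRIVER", "STATE : 4  RUNNING"
        m = re.match(r"^\s+(TYPE|STATE)\s+:\s+\d+\s+(\S+)", line)
        if m:
            services[current][m.group(1).lower()] = m.group(2)
    return services


def cross_view_diff(sc_view, registry_names):
    """Names in the registry view but not enumerated by the SCM, and vice versa."""
    sc_names = set(sc_view)
    return {
        "hidden_from_scm": sorted(registry_names - sc_names),
        "missing_from_registry": sorted(sc_names - registry_names),
    }


if __name__ == "__main__":
    print(cross_view_diff(parse_sc_query(SC_QUERY_OUTPUT), REGISTRY_DRIVER_SERVICES))
```

A discrepancy is a lead, not a verdict: a legitimate driver that was just removed can also appear in only one view, so anything flagged still needs to be checked by a dedicated rootkit scanner.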

  12. Jersymaters

    Jersymaters Private E-2

    How is my computer acting, strange.
    I have successfully uninstalled and installed my OA.
    Now I tried to download regrun from technet. I had been redirected. Eventually downloaded it.
    Now, tried to DL superscan4 from foundstone. I get redirected to main page. I tried manually typing dl address, redirected. Same thing with Scanline, redirected.
    So I first disabled realtime protection of the AV, attempted the dl's, redirected.
    Enabled rtAV, now disabled OA by shutdown and close.
    Attempt dl, redirected still.
    When I tried to reenable OA it will not start. I receive an error message.

    C:\Program files\ Tall Emu\Online Armor\oaui.exe
    Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.

    I installed it as SuperAdmin and cannot enable it with same run as...credentials. After installing OA I reenabled Limited account.

    I don't know if this behavior is maliciousness or clashes of competing softwares.
    It is most definitely not cool regardless.

    What is desktop icon refreshing indicative of?
    It does this at irregular times and usually related to program accesses.

    Just more brainstorming.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I cannot help you with any of this as none of this are things we are asking you to do nor would we want you to. If you are going to install things on your own then you are on your own. Sorry but that's the way it is. We need you to do only what we request and nothing else.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    For your problem with Bifrost, I suggest that you disable Spybot's Teatimer as originally requested in the READ & RUN ME. Then reboot. After reboot, run a scan with your Sunbelt AV and see if it can fix what it is finding. If not, I suggest you do two things:
    1. Try safe boot mode to fix it.
    2. complain to Sunbelt. Ask them why they cannot remove what they are reporting.
    I also suggest that you look for and delete the below folder if it exists:

    C:\Program\bifrost
     
  15. Jersymaters

    Jersymaters Private E-2

    I am reporting to you redirected web sites.
    What does it matter what the content entails.
    I can't even get to the software. I am redirected away from the download.
    Bells and whistles should be saying redirection.
    Can this be malware behaviour?
    I guess if the tools listed here don't show an infection it must not occur.
    You are obviously overlooking the meat in the sandwich, but I don't know why.
    2. OA gets disabled after I disable it, could this be malware related?
    It would be in the malwares advantage to disable OA. If not while running then wait for a user to shut it down, then lock it in a box.
    It could also be a software conflict.

    Have you found a Rustock.C infection yet? Have you cleaned any video type rootkits? Have you cleaned anything that might have a non standard loading point? MBR, Reassigned blocks, cmos or any other firmware? What if malware is loaded ahead of everything?
    Which of the tools listed on your forum will discover any issues in non standard loading points or inactive malware?

    My Subvirt infection was only visible with VM discovery tools, like Scoopydoo.
    All other tools came up empty. Which of the tools on your forum would discover this?

    Are you really a malware expert, or are you a forum only tools expert?
    I am sure you have a Knoppix/Slax/Backtrac cd in your desk for emergencies.
    :p

    I've been following your pages of tools, Panda on demand scanner, quick remove, doesn't run, it just hangs for hours. 8 to be exact, until I shut it down.

    Yeah, prevention of tools from running what might clean malware is probably just software conflicts. And if the tool can't clean the malware, malware wouldn't prevent it from running.

    Regrun, by the way, is a microsoft product. I guess you would have something against Malicious Removal Tool as well.

    You sound a little perturbed, and it is a little unpleasant. You are very busy, so I am trying to discover ways so I don't have to bother with you anymore.
    :cry
    I guess if you think this is dragging out too long, and you think I am chasing shadows, you are cutting it short, which is more about your attitude than me.
    :cry

    There is no bifrost folder so I don't know where this was coming from. Current scans show no bifrost.
    I have disabled teatimer. I don't know how to uninstall it. I tried the method suggested in your links, as it was already installed before I knew you existed, and that would not disable it. I went to the Spybot site and they said to rename teatimer. That will prevent it from starting up.
    But I guess this is not good enough for your all seeing eye.
    rolleyes

    If you are really busy, you may need a break sometimes.
    I suggest not touching a computer for an entire day. See how that goes.
    If you have anxieties about leaving your computer alone, you might be too attached.

    Might have to call for help.:major:-D

    As long as you do the best that you can and I listen the best that I can, it will all be alright.:cool
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Since you obviously want to do everything on your own and feel that you know more than everyone else. You are quite welcome to continue on your own. This thread is closed.

    By the way, RegRun has nothing to do with Microsoft. But since you know everything I'm really surprised that you don't know that. See http://www.greatis.com/security/
     
    Last edited: Jun 16, 2008