Zentom System Guard - corrupted DLLs

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by happycat, Oct 19, 2011.

  1. happycat

    happycat Private E-2

    Hi, I am coming to you guys for help after this nasty little malware program has corrupted some DLLs (I believe to be true) and the user is unable to use programs such as Outlook, as it cannot find the Exchange server.


    Background Info:

    User downloaded Zentom System Guard, which I removed successfully with Malwarebytes in safe mode, full scan. Everything seems to be fine, but the user is unable to use Outlook.

    When I try using command nslookup in command prompt, I am greeted with ordinal not found 1108 in wsock32.dll


    User is on Windows XP 64-bit (god help us) so I cannot run ComboFix :(


    I have done the following:

    - Malwarebytes Full System Scan, Safe Mode. Nothing found at this point.
    - Sophos Anti-Rootkit. No problems.
    - Tweaking.com Fixes, no fix.
    - SuperAntiSpyware full scan, now no problems detected on this scan.
    - TDSS Killer
    - sfc /scannow runs successfully, but immediately closes after the scan


    I'm at a loss here. Everything else seems to work fine, including browsers, just some odd error with WSOCK32.DLL and related system32 DLLs. I cannot reformat this computer, not an option at this point...



    Thanks for the help!
     
  2. happycat

    happycat Private E-2

    Attached are the logs from OTL, hopefully they help!

    Thanks
     

    Attached Files:

  3. thisisu

    thisisu Malware Consultant

    Hi and welcome to Major Geeks, happycat!

    Most likely caused by the ZeroAccess rootkit that is attached to the newer versions of Zentom Guard.

    This can also be seen in your OTL log.
    I need you to go through the following: READ & RUN ME FIRST Malware Removal Guide

    Attach the following of what you have already completed:
    • log from SAS
    • log from MBAM
    • log from TDSSKiller

    You need to try to run MGtools.exe which is described in the above link.

    I also want you to complete the following AFTER you have gone through the READ & RUN ME FIRST.

    Please download MBRCheck by GeeksToGo to your desktop.
    See the download links under this icon http://forums.majorgeeks.com/chaslang/images/MGDownloadLoc.gif
    • Double click MBRCheck.exe to run (Vista and Win7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (How to attach items to your post)

    Please download OTL by Old Timer to your desktop.
    • See the download links under this icon: http://forums.majorgeeks.com/chaslang/images/MGDownloadLoc.gif
    • Double-click OTL.exe to run (Vista and Win7 right click and select Run as administrator)
    • When the window appears, underneath Output at the top-right, make sure Standard Output is selected.
    • Select Scan All Users.
    • In the Processes box, choose All.
    • In the Services box, choose All.
    • Check the boxes beside LOP Check and Purity Check.
    • Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
      Code:
      netsvcs
      %systemdrive%\*.exe
      /md5start
      afd.sys
      atapi.sys
      csrss.exe
      explorer.exe
      ipnat.sys
      ipsec.sys
      regedit.exe
      services.exe
      svchost.exe
      tcpip.sys
      userinit.exe
      winlogon.exe
      /md5stop
      %systemroot%\*. /mp /s
      %windir%\assembly\GAC\*.ini
      %windir%\assembly\GAC_MSIL\*.ini
      %windir%\assembly\gac_32\*.ini
      %windir%\assembly\gac_64\*.ini
      %windir%\assembly\temp\*.ini
      %windir%\assembly\tmp\u /s
      %allusersprofile%\application data\*.exe
      hklm\software\microsoft\windows\currentversion\run|exe /rs
      hklm\software\microsoft\windows\currentversion\runonce|exe /rs
      
    • Now click the Run Scan button.
    • When the scan is complete, Notepad will open with the results of the OTL scan.
    • Close Notepad.
    • There will be two log files on your desktop entitled OTL.txt and Extras.txt.
    • Attach both OTL.txt and Extras.txt to your next message. (How to attach items to your post)
     
  4. happycat

    happycat Private E-2

    Thank you for the help, I will get back to you with this information tomorrow when I have access to the computer at work
     
  5. happycat

    happycat Private E-2

    Here is what I have so far...

    attached is:

    MBAM Log from cleaning the files up
    TDSS Log from fresh scan
    MBRCheck log from fresh scan
     

    Attached Files:

  6. happycat

    happycat Private E-2

    Attached is the new OTL.txt ... it didn't open up an Extras text file or save it where the OTL.txt was
     

    Attached Files:

    • OTL.Txt
  7. thisisu

    thisisu Malware Consultant

    Great, was MGtools.exe able to run? You did not mention nor attach MGlogs.zip
     
  8. happycat

    happycat Private E-2

    Ahh yes, it was able to run. Lot of "file not found" at the beginning but it successfully made the .zip


    thanks
     

    Attached Files:

  9. thisisu

    thisisu Malware Consultant

    Is I:\ an external drive? I kind of doubt the MBR is actually infected as it has never been the case with these types of infections.

    Were all the above domains intended to be trusted?

    MGtools.exe is supposed to be run from the root of C:\ (this is explained in the READ and RUN ME.)

    This computer is infected with a Max++/Sirefef/ZeroAccess rootkit. Let's get started...

    From Add/Remove Programs (via Control Panel), please uninstall the below:
    • Java(TM) 6 Update 27 <-- outdated
    • AVG Free 9.0 <-- outdated. Is this functioning? The rootkit will typically kill any Anti-Virus software. If it's still working, you can leave it alone.

    Please download Disable/Remove Windows Messenger by Doug Knox to your desktop.

    Now we need to make use of OTL by Old Timer.
    • Double-click OTL.exe to run (Vista and Win7 right-click and select Run as administrator)
    • When OTL opens, copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
      Code:
      :processes
      killallprocesses
      :otl
      O4 - HKU\S-1-5-21-2241476937-3934452380-2540491706-1257..\Run: [AdobeBridge]  File not found
      O4 - HKU\.DEFAULT..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe File not found
      O4 - HKU\S-1-5-18..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe File not found
      O4 - HKU\S-1-5-19..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe File not found
      O4 - HKU\S-1-5-20..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe File not found
      O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
      O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
      O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab (Java Plug-in 1.6.0_27)
      O16 - DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab (Java Plug-in 1.6.0_27)
      O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab (Java Plug-in 1.6.0_27)
      O20:64bit: - AppInit_DLLs: (DAinit.dll) -  File not found
      O33 - MountPoints2\{6ac2f243-14c4-11de-84cf-806e6f6e6963}\Shell - "" = AutoRun
      O33 - MountPoints2\{6ac2f243-14c4-11de-84cf-806e6f6e6963}\Shell\AutoRun - "" = Auto&Play
      O33 - MountPoints2\{6ac2f243-14c4-11de-84cf-806e6f6e6963}\Shell\AutoRun\command - "" = D:\SETUP.EXE -- [2006/03/29 08:00:00 | 001,314,816 | R--- | M] (Microsoft Corporation)
      O33 - MountPoints2\{ad30350a-e41a-11de-84f9-0023ae6b9bb9}\Shell - "" = AutoRun
      O33 - MountPoints2\{ad30350a-e41a-11de-84f9-0023ae6b9bb9}\Shell\AutoRun - "" = Auto&Play
      O33 - MountPoints2\{ad30350a-e41a-11de-84f9-0023ae6b9bb9}\Shell\AutoRun\command - "" = I:\LaunchU3.exe -a
      O33 - MountPoints2\{ca0b4d30-c7cc-11de-ae2f-0023ae6b9bb9}\Shell - "" = AutoRun
      O33 - MountPoints2\{ca0b4d30-c7cc-11de-ae2f-0023ae6b9bb9}\Shell\AutoRun - "" = Auto&Play
      O33 - MountPoints2\{ca0b4d30-c7cc-11de-ae2f-0023ae6b9bb9}\Shell\AutoRun\command - "" = E:\iStudio.exe
      [2011/10/13 15:47:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\wmcgee\Application Data\DriverCure
      [2011/10/13 15:47:05 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ParetoLogic
      [2011/10/13 15:47:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\ParetoLogic
      [2011/10/19 14:02:25 | 000,000,313 | ---- | M] () -- C:\temp593.bat
      [2011/10/12 13:58:33 | 000,008,073 | ---- | M] () -- C:\WINDOWS\lsrslt.ini
      [2011/10/19 14:10:42 | 000,004,096 | -HS- | M] () -- C:\WINDOWS\assembly\gac_32\Desktop.ini
      [2011/10/19 14:10:42 | 000,005,120 | -HS- | M] () -- C:\WINDOWS\assembly\gac_64\Desktop.ini
      [C:\WINDOWS\system64] -> \systemroot\system32 -> Mount Point
      @Alternate Data Stream - 60 bytes -> C:\Documents and Settings\wmcgee\My Documents\My eBooks:AFP_AfpInfo
      @Alternate Data Stream - 170 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C5760A8B
      :services
      :files
      c:\WINDOWS\dbgfileedit.exe /D
      c:\WINDOWS\SysWOW64\bootactionntfs.exe /D
      c:\WINDOWS\system32\bootactionntfs.exe /D
      c:\documents and settings\wmcgee\local settings\Temp\*.tmp /S 
      dir "C:\Documents and Settings\wmcgee\My Documents\New Folder (2)\" /c
      dir "C:\Documents and Settings\LocalService\" /c
      dir "C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\STARTUP\" /c
      dir "C:\DOCUMENTS AND SETTINGS\wmcgee\START MENU\PROGRAMS\STARTUP\" /c
      dir "c:\documents and settings\wmcgee\application data\" /c
      dir "c:\documents and settings\wmcgee\local settings\Temp\" /c
      xcopy %temp%\smtmp\1 "%allusersprofile%\start menu" /s /i /h /y /c
      xcopy %temp%\smtmp\2 "%userprofile%\application data\microsoft\internet explorer\quick launch" /s /i /h /y /c
      xcopy %temp%\smtmp\3 "%appdata%\roaming\microsoft\internet explorer\quick launch\user pinned\taskbar" /s /i /h /y /c
      xcopy %temp%\smtmp\4 "%allusersprofile%\desktop" /s /i /h /y /c
      :reg
      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
      "AppInit_DLLs"=""
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
      "*bootactionntfs.exe"=-
      "*dbgfileedit.exe"=-
      "bootactionntfs.exe"=-
      "dbgfileedit.exe"=-
      :commands
      [purity]
      [emptytemp]
      [emptyflash]
      [resethosts]
      
    • Now click the Run Fix button.
    • OTL may ask to reboot the machine. Please do so if asked.
    • Click the OK button.
    • When complete, Notepad will open.
    • Close Notepad.
    • A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    • Attach this log to your next message. (How to attach items to your post)

    Now install the current version of Sun Java from: Sun Java Runtime Environment

    Retry the Tweaking.com - Windows Repair utility with these actions:
    • Reset Registry Permissions
    • Reset File Permissions
    • Register System Files
    • Repair WMI
    • Remove Policies Set By Infections

    Reboot afterwards

    Please download Win32kDiag to the root of your C:\ drive. It must be saved here or the below will not work!
    • Now press and hold the Windows key on your keyboard, then press the letter r on your keyboard.
    • This opens the Run dialog box.
    • Then copy the below bold text and paste it into the Open: text-field and press ENTER.
      C:\win32kdiag.exe -f -r
    • When it's finished, there will be a log called Win32kDiag.txt on your desktop.
    • Attach this log to your next message. (How to attach items to your post)

    Now run C:\MGtools\GetLogs.bat by double-clicking it (Vista and Win7 right-click and select Run as Administrator)
    Then attach C:\MGlogs.zip to your next message. (How to attach items to your post)
    Notes:
    • This will automatically update all the logs inside MGlogs.zip
    • Make sure you click Accept on the License Agreement from Trend Micro HiJackThis - v2.0.4 twice if prompted.

    LET ME KNOW HOW THE PC IS RUNNING AFTER YOU HAVE COMPLETED THESE STEPS
     
    Last edited: Oct 20, 2011
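As an added illustration, not part of this thread and not code from OTL or its author: a small Python triage script that parses OTL-style log lines like the ones in the fix script above and flags the artefacts that script removes (a hidden+system Desktop.ini under assembly\gac_32 or gac_64, the C:\WINDOWS\system64 mount point, a hex-named alternate data stream on a TEMP file, and a non-empty AppInit_DLLs entry). The sample lines are constructed from this post with two benign control lines added, and the indicator names are my own.

```python
import re

# Constructed sample: lines copied from the OTL fix script in this post, plus two
# benign control lines (an AFP metadata stream and an ordinary directory entry).
SAMPLE_LOG = r"""
O20:64bit: - AppInit_DLLs: (DAinit.dll) -  File not found
[2011/10/19 14:10:42 | 000,004,096 | -HS- | M] () -- C:\WINDOWS\assembly\gac_32\Desktop.ini
[2011/10/19 14:10:42 | 000,005,120 | -HS- | M] () -- C:\WINDOWS\assembly\gac_64\Desktop.ini
[C:\WINDOWS\system64] -> \systemroot\system32 -> Mount Point
@Alternate Data Stream - 170 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C5760A8B
@Alternate Data Stream - 60 bytes -> C:\Documents and Settings\wmcgee\My Documents\My eBooks:AFP_AfpInfo
[2011/10/13 15:47:05 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ParetoLogic
"""

# OTL file entry: [date | size | attrs | flag] (company) -- path   (company part is absent for folders)
FILE_RE = re.compile(r"^\[[^|\]]*\|[^|\]]*\|\s*([-A-Z]{4})\s*\|[^\]]*\]\s*(?:\([^)]*\)\s*)?--\s*(.+)$")
# OTL reparse-point entry: [link] -> target -> Mount Point
MOUNT_RE = re.compile(r"^\[(.+?)\]\s*->\s*(.+?)\s*->\s*Mount Point$")
# OTL alternate data stream entry: @Alternate Data Stream - N bytes -> path:stream
ADS_RE = re.compile(r"^@Alternate Data Stream - (\d+) bytes -> (.+):([^:\\]+)$")
APPINIT_RE = re.compile(r"AppInit_DLLs:\s*\(([^)]*)\)")
GAC_RE = re.compile(r"\\assembly\\gac_(32|64)\\desktop\.ini$", re.IGNORECASE)


def triage(text):
    """Return (indicator, artefact) pairs for lines matching the artefacts the
    fix script above removes. Indicator names are my own, not OTL's."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = FILE_RE.match(line)
        if m:
            attrs, path = m.groups()
            # Hidden+System Desktop.ini in the GAC folders is one of the files the
            # fix script deletes; an ordinary directory entry is not flagged.
            if "H" in attrs and "S" in attrs and GAC_RE.search(path):
                findings.append(("gac_desktop_ini", path))
            continue
        m = MOUNT_RE.match(line)
        if m and m.group(1).rsplit("\\", 1)[-1].lower() == "system64":
            # A system64 directory that is really a reparse point onto system32.
            findings.append(("system64_junction", m.group(1)))
            continue
        m = ADS_RE.match(line)
        if m and re.fullmatch(r"[0-9A-Fa-f]{8,}", m.group(3)):
            # Hex-named stream hung off a TEMP file; metadata streams such as
            # AFP_AfpInfo are left alone.
            findings.append(("hex_named_ads", f"{m.group(2)}:{m.group(3)}"))
            continue
        m = APPINIT_RE.search(line)
        if m and m.group(1).strip():
            findings.append(("appinit_dll", m.group(1).strip()))
    return findings
```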
  10. happycat

    happycat Private E-2

    Hi,

    I'm about to start the steps you have listed, just wanted to say that the I: drive is indeed an external that he uses.

    - The trusted domains, I have no idea what those links are for personally

    - Do I need to re-run MGTools from the C: drive?

    - Gonna start with the windows messenger thing, and move down from there. Thanks again!
     
  11. thisisu

    thisisu Malware Consultant

    No, just follow the steps, eventually I describe how I want you to get updated MGlogs.zip.
     
  12. happycat

    happycat Private E-2

    Gone through all the steps, attached are all the associated logs

    Still have the problem with Ordinal 1108 cannot be found when running 'nslookup'

    Same error occurred when running MGTools at the DNS check
     

    Attached Files:

  13. thisisu

    thisisu Malware Consultant

    These logs look good. This rootkit can do a lot of damage to the OS which is what probably has happened to this PC. Actual malware is mostly gone though.

    Can you go into this folder: c:\documents and settings\wmcgee\local settings\Temp

    Locate the following .bat and .reg files:
    • 10/19/2011 14:02 4,222 temp138.reg
    • 10/19/2011 14:02 515 temp1a.bat
    • 10/19/2011 14:02 2,897 temp278.bat
    • 10/19/2011 14:02 204 temp399.bat
    • 10/19/2011 14:02 185 temp660.bat
    • 10/19/2011 14:02 7,136 temp698.bat
    • 10/19/2011 14:02 181 temp705.bat
    • 10/19/2011 13:50 190 temp885.bat
    • 10/19/2011 14:02 3,044 temp995.bat

    Can you .zip all of these up and attach them to your next post?

    While you are in that same folder, delete the below:
    • 11223344556677889900112233445566 <-- file
    • d960b647-fb61-11e0-9c79-0023ae6b9bb9 <-- folder (probably related to SAS)

    You can also delete the below:
    • C:\Documents and Settings\wmcgee\My Documents\New Folder (2) <-- folder (it's empty)
    • C:\Documents and Settings\wmcgee\Application Data\ParetoLogic

    Let me know if you had any trouble deleting these files/folders.

    Now download LSP-Fix by Counterexploitation to your desktop.
    See the download links under this icon: http://forums.majorgeeks.com/chaslang/images/MGDownloadLoc.gif
    • Extract its contents into its own folder entitled "lspfix" on your desktop.
    • Double-click LSPFix.exe to run.
    • I do NOT want you to attempt to remove anything from here. Just let me know if lspFix detects any problems. A screenshot is preferred.

    Download Junction by Mark Russinovich to your desktop.
    • Extract junction.exe to your desktop.
    • Now press and hold the Windows key on your keyboard, then press the letter r on your keyboard.
    • This opens the Run dialog box.
    • Then copy the below bold text and paste it into the Open: text-field and press ENTER.
      cmd /c %userprofile%\desktop\junction -s c:\ >%userprofile%\desktop\junction.txt
    • When it's finished, there will be a log called junction.txt on your desktop.
    • Attach this log to your next message. (How to attach items to your post)

    Did you run SUPERAntiSpyware? You haven't attached a log yet. Please attach it to your next post (Complete scan).
     
  14. happycat

    happycat Private E-2

    thanks! I'll try these new steps out tomorrow at work
     
  15. happycat

    happycat Private E-2

    Sorry I did not get to these new steps yet! I will try today or tomorrow
     
