Virus help

Krilus

Looking for help with a nasty infestation that I just can't seem to get a handle on.

My process after booting into safe mode:
1) Rkill
2) HMP
3) MBAM
4) TDSSKiller
5) JRT
6) ComboFix
7) RogueKiller


Here are the results from RogueKiller:



RogueKiller V9.2.8.0 [Jul 11 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Safe mode with network support
User : msmattieu@hotmail.ca [Admin rights]
Mode : Remove -- Date : 08/26/2014 10:13:31

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 0 ¤¤¤

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ HOSTS File : 0 ¤¤¤

¤¤¤ Antirootkit : 125 (Driver: NOT LOADED [0xc000035f]) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST3250310AS ATA Device +++++
--- User ---
[MBR] e2b4eb461d3fc23c487c0af864a15619
[BSP] cbe1a3892920c024e3e7b9efc684338e : HP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 227198 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 465302880 | Size: 11273 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: JetFlash Transcend 16GB USB Device +++++
--- User ---
[MBR] 345dbaa7ac01d596f06271b6778e3671
[BSP] 33a07a59d299ab4ea9f4ab0156f9d86f : Windows XP MBR Code
Partition table:
0 - [XXXXXX] FAT32-LBA (0xc) [VISIBLE] Offset (sectors): 48 | Size: 15479 MB
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )


============================================
RKreport_DEL_08262014_064030.log - RKreport_SCN_08262014_063806.log - RKreport_SCN_08262014_064332.log - RKreport_SCN_08262014_100928.log
RKreport_DEL_08262014_101033.log - RKreport_SCN_08262014_101308.log
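One way to triage the Antirootkit section of a RogueKiller log like the one above is to collapse the [EAT:Addr] lines into distinct (process, export module, resolved DLL) groups, so that 125 near-identical lines read as a handful of patterns a reviewer can judge. This is an added example, not part of the thread or of RogueKiller; the sample lines are constructed in the log's format (the last one deliberately resolves to a non-system path so the check has something to flag), and the trusted-directory prefix list is a simple heuristic of my own.

```python
import re
from collections import Counter

# One RogueKiller "Antirootkit" EAT entry looks like:
#   [EAT:Addr] (explorer.exe) WINTRUST.dll - AddGadgetMessageHandler : C:\Windows\system32\DUser.dll @ 0x7478152c
EAT_RE = re.compile(
    r"^\[EAT:Addr\]\s+\((?P<process>[^)]+)\)\s+(?P<module>\S+)\s+-\s+"
    r"(?P<export>\S+)\s+:\s+(?P<target>.+?)\s+@\s+(?P<addr>0x[0-9a-fA-F]+)$"
)

# Directories where a resolved export is normally expected to live. This is my own
# simple triage heuristic, not anything RogueKiller itself applies.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed sample in the log's format (not the OP's real lines); the last entry
# deliberately resolves to a non-system path so the heuristic has something to flag.
SAMPLE_LOG = r"""
¤¤¤ Antirootkit : 4 (Driver: NOT LOADED [0xc000035f]) ¤¤¤
[EAT:Addr] (explorer.exe) WINTRUST.dll - AddGadgetMessageHandler : C:\Windows\system32\DUser.dll @ 0x7478152c
[EAT:Addr] (explorer.exe) WINTRUST.dll - AttachWndProcA : C:\Windows\system32\DUser.dll @ 0x7478c80a
[EAT:Addr] (explorer.exe) davclnt.dll - AdviseHook : C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll @ 0x6fc2af09
[EAT:Addr] (explorer.exe) ws2_32.dll - connect : C:\Users\Public\nethelper.dll @ 0x10001000
"""

def parse_eat_lines(text):
    """Return one dict per [EAT:Addr] line; every other log line is ignored."""
    entries = []
    for line in text.splitlines():
        m = EAT_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries

def summarize(entries):
    """Collapse entries into (process, export module, resolved DLL) groups, largest first."""
    counts = Counter((e["process"], e["module"], e["target"]) for e in entries)
    rows = []
    for (proc, mod, target), n in sorted(counts.items(), key=lambda kv: -kv[1]):
        rows.append({
            "process": proc,
            "module": mod,
            "target": target,
            "count": n,
            # True when the DLL the export resolves to lives outside the trusted directories
            "outside_trusted_dirs": not target.lower().startswith(TRUSTED_PREFIXES),
        })
    return rows

if __name__ == "__main__":
    for r in summarize(parse_eat_lines(SAMPLE_LOG)):
        mark = "CHECK" if r["outside_trusted_dirs"] else "ok   "
        print(f"{mark} {r['count']:4d}  {r['process']}  {r['module']} -> {r['target']}")
```

Run against a real RKreport file (pass its contents to parse_eat_lines) to see whether the "125" collapses to a couple of system-DLL groups or hides an entry that resolves somewhere unexpected.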
 
Try to be more forthcoming in your description of how it's actually behaving so you can get more help. If you suspect a rootkit, you might want to run MBAR. Seems to work where TDSS Killer doesn't.

There are a ton more AVs out there for you to find and use. Look in these forums.
 
Have you tried looking at it with Process Explorer to see what's out of place or doesn't look right?
A lot of times it is much faster to suspend a process and see what the effect is than sitting around waiting for scans to complete.
 
What makes you think the machine is still infected? What happens when you boot normally?
+1. Geez, posts logs of misc. scanners with nothing extraordinary showing (versus posting just errors/diagnostic lines) and expects us to guess what the issue is with no symptoms mentioned at all :rolleyes:
 
First, give us some symptoms. Second, download and run FRST and post the logs. Both of them. I will take a look and let you know what I think. Run the scan in regular windows, not safe mode.
 
Hey all,

Apologies for the delay in responding to the thread, and thank you all for your help.

1) I'll take markverhyden's advice and add this as my first step.

2) The main symptom left was that google.com would not resolve, plus it would not let me into any security sites such as Bleeping Computer. The internet itself was acting wonky and Windows Update wouldn't work.

3) I posted that log as it was my last step and everything was going well; I assumed it wouldn't make a lot of sense to post logs from previous steps.

4) I did use Process Explorer and found some out-of-place processes; however, I could not kill the process, and I forget offhand which one it was.

After a lot of personal frustration, I emailed the client, explained the situation, and explained that if she wanted, I could back up her data, reformat and reinstall Windows, and then restore everything back, and so I did that this morning.

Apologies if I have wasted anyone's time, but time itself was becoming an issue as the client needed the computer back, and so I took the easy route out.

Normally I do prefer to remove the problem instead of reinstalling Windows; it just became my best option at this point.

Cheers o7
 
This is a little late as a response, but I wanted to point out a flaw for the readers.
The OP said he started in safe mode; it is best to try not to run scans in safe mode, since they may miss processes that have been bypassed. Instead, start in safe mode and put a few Rkill chameleons on the desktop, reboot in normal mode, then use those to gain better control, then run your scans. Alternately, use safe mode and msconfig to start in diagnostic mode, reboot, and run the scans.

I welcome any comments on my method.


BTW: I also dumped TDSSKiller in favor of MBAR.
 