BleepingComputer.com: Malware - Rootkit Zero Access?

Jump to content

Forum Guidelines

Posted Image Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help


Posted Image Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.


Posted Image DO NOT RUN ComboFix unless requested to.


Posted Image Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.


Posted Image When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.


Posted Image Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.
Page 1 of 1
  • You cannot start a new topic
  • This topic is locked

Malware - Rootkit Zero Access? Assitance required

#1 User is offline   doucas 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 1
  • Joined: 21-June 10

Posted 08 January 2012 - 06:02 PM

Hello,

My windows profile is completely corrupted. At this time, I am able to logon; however, the start menu and my documents contain no shortcuts/data. I managed to use Hirens Boot CD to backup my important data. HIrens was able to pickup the data in my documents...

I managed to run COmbo-Fix/Malwarebytes in safe-mode, however, the issue remains.

Here is the latest Combo Fix Report:

ComboFix 12-01-07.03 - Alexandra 01/08/2012 16:08:11.1.2 - x86
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.2940.2430 [GMT -5:00]
Running from: E:\Apps to Install\Virus_2011\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
* Resident AV is active



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\ProgramData\~LWDqIwZLBDpgEi
C:\ProgramData\~LWDqIwZLBDpgEir
C:\ProgramData\BgIjsbGlNfxPqP.exe
C:\ProgramData\LWDqIwZLBDpgEi
C:\ProgramData\LWDqIwZLBDpgEi.exe
C:\Users\Public\Documents\~WRL0001.tmp
C:\Users\Public\Documents\~WRL0002.tmp
C:\Users\Public\Documents\~WRL0003.tmp
C:\windows\$NtUninstallKB53058$
C:\windows\$NtUninstallKB53058$\3176821272\@
C:\windows\$NtUninstallKB53058$\3176821272\cfg.ini
C:\windows\$NtUninstallKB53058$\3176821272\Desktop.ini
C:\windows\$NtUninstallKB53058$\3176821272\L\xadqgnnk
C:\windows\$NtUninstallKB53058$\968303983
C:\windows\system32\Thumbs.db

Infected copy of C:\windows\system32\drivers\afd.sys was found and disinfected
Restored copy from - The cat found it :)

((((((((((((((((((((((((( Files Created from 2011-12-08 to 2012-01-08 )))))))))))))))))))))))))))))))


2012-01-08 18:59:04 . 2012-01-08 18:59:36 -------- d-----w- C:\Users\Duke
2012-01-06 15:05:48 . 2011-11-21 10:47:38 6823496 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{11E30992-233E-481A-9158-0C66ABC3BF06}\mpengine.dll
2011-12-14 01:38:40 . 2011-10-15 05:48:52 534528 ----a-w- C:\windows\system32\EncDec.dll
2011-12-14 01:38:21 . 2011-10-26 04:25:28 38912 ----a-w- C:\windows\system32\csrsrv.dll
2011-12-14 01:38:15 . 2011-10-26 04:42:38 3901808 ----a-w- C:\windows\system32\ntoskrnl.exe
2011-12-14 01:38:14 . 2011-10-26 04:42:37 3957104 ----a-w- C:\windows\system32\ntkrnlpa.exe
.


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 13:14:36 206112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\windows\system32\igfxtray.exe" [2009-09-02 22:41:42 141848]
"HotKeysCmds"="C:\windows\system32\hkcmd.exe" [2009-09-02 22:41:30 174104]
"Persistence"="C:\windows\system32\igfxpers.exe" [2009-09-02 22:41:38 151064]
"RtHDVCpl"="C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-07-29 05:12:56 7625248]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2009-07-21 01:46:40 1545512]
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2008-09-25 23:49:00 195080]
"TPwrMain"="C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE" [2009-08-05 22:18:08 476512]
"TWebCamera"="C:\Program Files\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" [2009-08-11 19:37:50 2446648]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2010-02-16 02:10:13 949376]
"BlackBerryAutoUpdate"="C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-08-31 19:25:16 623960]
"UpdateReminder"="C:\Program Files\Eset\UpdateReminder.exe" [2011-07-18 18:38:21 462848]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 16:44:34 31072]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2009-07-08 16:31:24 236016]
"Malwarebytes Anti-Malware (reboot)"="C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 19:39:32 1090952]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\00TCrdMain]
2009-08-05 22:04:54 738616 ----a-w- C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-28 00:10:28 35696 ----a-w- C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2008-08-14 15:58:34 611712 ----a-w- C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 16:44:34 31072 ----a-w- C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HSON]
2009-03-09 23:51:46 55160 ----a-w- C:\Program Files\TOSHIBA\TBS\HSON.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2010-04-29 19:39:32 1090952 ----a-w- C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmartFaceVWatcher]
2009-07-29 16:19:44 163840 ----a-w- C:\Program Files\TOSHIBA\SmartFaceV\SmartFaceVWatcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
2009-07-28 22:00:10 460088 ----a-w- C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Teco]
2009-08-12 00:09:38 1324384 ----a-w- C:\Program Files\TOSHIBA\TECO\TEco.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ToshibaServiceStation]
2009-08-17 18:48:46 1294136 ----a-w- C:\Program Files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TosNC]
2009-08-06 21:06:58 466792 ----a-w- C:\Program Files\TOSHIBA\BulletinBoard\TosNcCore.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TosReelTimeMonitor]
2009-08-06 23:02:02 29528 ----a-w- C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TosSENotify]
2009-08-04 02:17:06 611672 ----a-w- C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TosWaitSrv]
2009-08-07 01:05:42 611672 ----a-w- C:\Program Files\TOSHIBA\TPHM\TosWaitSrv.exe

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 17:16:28 130384]
R3 McComponentHostService;McAfee Security Scan Component Host Service;C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 12:49:20 227232]
R3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;C:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 22:02:51 4231168]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\windows\system32\Drivers\RtsUStor.sys [2009-08-06 03:04:04 171520]
R3 RtsUIR;Realtek IR Driver;C:\windows\system32\DRIVERS\Rts516xIR.sys [x]
R3 TMachInfo;TMachInfo;C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2009-08-17 18:48:42 51512]
R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2009-08-04 02:16:32 111960]
R3 TPCHSrv;TPCH Service;C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe [2009-08-07 01:04:56 685424]
R3 WatAdminSvc;Windows Activation Technologies Service;C:\windows\system32\Wat\WatAdminSvc.exe [2010-05-07 16:37:55 1343400]
S1 nod32drv;nod32drv;C:\windows\system32\drivers\nod32drv.sys [2010-02-16 02:10:12 15424]
S1 vwififlt;Virtual WiFi Filter Driver;C:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 23:52:04 48128]
S2 cfWiMAXService;ConfigFree WiMAX Service;C:\Program Files\TOSHIBA\ConfigFree\CFIWmxSvcs.exe [2009-08-11 03:55:46 185712]
S2 ConfigFree Service;ConfigFree Service;C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe [2009-03-11 02:51:20 46448]
S2 RSELSVC;TOSHIBA Modem region select service;C:\Program Files\TOSHIBA\RSelect\RSelSvc.exe [2009-07-07 17:37:32 62832]
S2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;C:\Program Files\TOSHIBA\TECO\TecoService.exe [2009-08-12 00:09:54 185712]
S2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;C:\windows\system32\DRIVERS\TVALZFL.sys [2009-06-20 03:31:08 12920]
S3 FwLnk;FwLnk Driver;C:\windows\system32\DRIVERS\FwLnk.sys [2009-07-07 16:53:06 7680]
S3 PGEffect;Pangu effect driver;C:\windows\system32\DRIVERS\pgeffect.sys [2009-06-23 01:04:58 24064]
S3 RTL8167;Realtek 8167 NT Driver;C:\windows\system32\DRIVERS\Rt86win7.sys [2009-07-31 03:58:26 187392]
S3 rtl8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;C:\windows\system32\DRIVERS\rtl8192se.sys [2009-09-09 19:11:34 860160]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 23:52:10 14336]



------- Supplementary Scan -------

uStart Page = hxxp://yahoo.ca/
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSCA&bmod=TSCA
IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
LSP: C:\windows\system32\imon.dll
FF - ProfilePath -

- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
HKCU-Run-AdobeBridge - (no file)
HKCU-Run-swg - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
HKCU-Run-BgIjsbGlNfxPqP.exe - C:\ProgramData\BgIjsbGlNfxPqP.exe
MSConfigStartUp-swg - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
AddRemove-TOSHIBA Software Modem - C:\windows\agrsmdel



--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:00000020

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)

------------------------ Other Running Processes ------------------------

C:\Program Files\Eset\nod32krn.exe
C:\windows\system32\TODDSrv.exe
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
C:\windows\system32\taskhost.exe
C:\windows\system32\conhost.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\windows\system32\sppsvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\\?\C:\windows\system32\wbem\WMIADAP.EXE
C:\windows\system32\taskhost.exe

**************************************************************************

Completion time: 2012-01-08 16:24:56 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-08 21:24:56

Pre-Run: 239,170,408,448 bytes free
Post-Run: 239,178,547,200 bytes free

- - End Of File - - FA241DA8A0B9A7D433F149058DF4EE14

Attached File(s)


#2 User is offline   myrti 

  • bleepin' _temp_
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Instructor
  • Posts: 27,527
  • Joined: 25-January 08
  • Gender:Female
  • Location:At home

Posted 13 January 2012 - 03:05 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.
If you are unable to create a log because your computer cannot start up successfully please provide detailed information about the Windows version you are using: What we in particular need to know is version, edition and if it is a 32bit or a 64bit system. [/b]
If you are unsure about any of these caracteristics, just let us know and we'll help you figuring it out. Please also tell us if you have your Windows CD/DVD handy.


Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • In the custom scan box paste the following:
    msconfig
safebootminimal
activex
drivers32
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
wininit.exe
hlp.dat
/md5stop

  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt<--Will be minimized


In the upper right hand corner of the topic you will see a button called Watch Topic.I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti
If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM!

Posted Image
Please don't send help request via PM, unless I am already helping you. Use the forums!

I know not with what weapons World War III will be fought, but World War IV will be fought with sticks and stones. ~ Albert Einstein
Heroism on command, senseless violence, and all the loathsome nonsense that goes by the name of patriotism -- how passionately I hate them! ~ Albert Einstein

#3 User is offline   myrti 

  • bleepin' _temp_
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Instructor
  • Posts: 27,527
  • Joined: 25-January 08
  • Gender:Female
  • Location:At home

Posted 29 January 2012 - 09:07 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM!

Posted Image
Please don't send help request via PM, unless I am already helping you. Use the forums!

I know not with what weapons World War III will be fought, but World War IV will be fought with sticks and stones. ~ Albert Einstein
Heroism on command, senseless violence, and all the loathsome nonsense that goes by the name of patriotism -- how passionately I hate them! ~ Albert Einstein

Share this topic:


Page 1 of 1
  • You cannot start a new topic
  • This topic is locked

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users