
rootkit.pakes rootkit.agent..., too many to list!!!


  • This topic is locked
6 replies to this topic

#1 whatttup_G

  • Members

Posted 13 February 2009 - 05:33 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:17:21 AM, on 2/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
C:\Program Files\TechSmith\SnagIt 8\TSCHelp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: SnagIt 8.lnk = C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1234044720640
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 5573 bytes


yep, here it is.. thanks!!
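The HijackThis log above follows a fixed line format (a section code such as R0, O4 or O23, then " - ", then the entry body), which makes it straightforward to parse for triage. The following is an added example, not part of the original post and not HijackThis code; SAMPLE_LOG is a constructed excerpt modelled on the log above. Besides splitting the log into running processes and sectioned entries, it applies one check a responder typically makes on O4 autoruns: commands with no directory component (so the file is resolved through the search path rather than from a fixed location) and startup shortcuts whose target HijackThis could not resolve ("= ?") are listed for confirmation on disk. Being listed is not a verdict: the log above carries a fully qualified entry for the same Logitech KHALMNPR.EXE one line before the bare one, and the check only tells you which files to confirm.

```python
"""Parse a HijackThis 2.0.2 log into structured entries and flag autoruns worth
confirming. Added example, not HijackThis code; SAMPLE_LOG is a constructed
excerpt modelled on the log in the post above."""
import re
from collections import Counter

SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:17:21 AM, on 2/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\nvsvc32.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - Global Startup: Logitech SetPoint.lnk = ?
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5573 bytes
"""

# Every entry line is "<code> - <body>"; the body layout depends on the section.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.+)$")
O4_RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] ?(?P<command>.*)$")
O4_STARTUP_RE = re.compile(r"^(?P<folder>(?:\w+ )?Startup): (?P<name>.+?) = (?P<target>.*)$")
O2_RE = re.compile(r"^BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
O23_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<company>.+?) - (?P<path>.+)$")
DETAIL_RE = {"O2": (O2_RE,), "O4": (O4_RUN_RE, O4_STARTUP_RE), "O23": (O23_RE,)}


def parse_hjt(text):
    """Return {'processes': [...], 'entries': [{'code', 'raw', ...parsed fields}]}."""
    processes, entries, in_procs = [], [], False
    for line in text.splitlines():
        line = line.rstrip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:                      # the process list runs until the first blank line
            if line:
                processes.append(line)
            else:
                in_procs = False
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        entry = {"code": m.group("code"), "raw": line}
        for rx in DETAIL_RE.get(entry["code"], ()):
            d = rx.match(m.group("body"))
            if d:
                entry.update(d.groupdict())
                break
        entries.append(entry)
    return {"processes": processes, "entries": entries}


def first_token(command):
    """The program part of an autorun command, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def flag_unqualified_autoruns(entries):
    """O4 entries whose program has no directory component, or whose .lnk target is unresolved."""
    flagged = []
    for e in entries:
        if e["code"] != "O4":
            continue
        if "command" in e:
            if "\\" not in first_token(e["command"]):
                flagged.append((e["name"], e["command"]))
        elif e.get("target") == "?":
            flagged.append((e["name"], "?"))
    return flagged


def section_counts(entries):
    """How many entries each HijackThis section contributed."""
    return Counter(e["code"] for e in entries)


if __name__ == "__main__":
    report = parse_hjt(SAMPLE_LOG)
    print(len(report["processes"]), "processes;", dict(section_counts(report["entries"])))
    for name, cmd in flag_unqualified_autoruns(report["entries"]):
        print("confirm on disk:", name, "->", cmd)
```

The regexes are deliberately strict about the separators HijackThis prints (" - ", ": [", " = ") so that a malformed or hand-edited line falls through as a raw entry instead of being silently mis-parsed.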



#2 whatttup_G

  • Topic Starter
  • Members

Posted 16 February 2009 - 12:38 PM

hi all... saw the 5 day thread and judging by the number of posts today, i would probably still be in line tomorrow, so at the risk of offending i will pass on my request for help if nobody gets to me in the next 12 hrs or so

i have to get my system back up, so if fdisk is my only option i will need to start down that path... again, not meaning to be indignant, i am just in need of moving forward with repairs so if someone does have time, thank you... if not, thank you as well

#3 whatttup_G

  • Topic Starter
  • Members

Posted 16 February 2009 - 07:42 PM

welp, 5pm approaches here and i'm now armed with a bootable xpsp3 disk so i may just jump ship on this... if so, is there any interest in posting some of the tricks and tips i've gathered up across the web, including this site??

is a ton of info that others will not have to learn the hard way, but i'll leave it to the admins of this bbs to decide if they need helpers... i'd guess not since you guys have your stuff so together, but let me know.. i've learned so much here i do not mind contributing back in the least

thanks

#4 whatttup_G

  • Topic Starter
  • Members

Posted 17 February 2009 - 01:24 PM

well my call for help didn't come.. i tried to install over top just to try, so i put xpsp3 back on last night and the minute i reattached the NICs on my system, vundo and friends came out of the woodwork trying to overrun my system again... it saw the internet and went nuts

too bad i flipped the modem off and i had sysinternals process manager running waiting for this... the display was Fourth of July-like as this basket of junk went into hyperdrive trying to spawn itself all over my drive... this thing is either nested deep within the dll's of the system32 folder, or maybe it starts in the controlset001..002..005 folders, hard to tell from what i saw, but it began to sprinkle the most random collection of crap i have ever seen... i believe part of its trickery is that it turns itself into something that a windows install will not question, so it must have a signature, or filesize or something that lets an install skip over it leaving it in place... not a big surprise, but disappointing from a msoft standpoint, those guys are supposed to be experts in this field.. or one would think..

anyways i had tmp files going nuts, i had new executables like w.exe and 37.exe, i had bogus dlls that launch, rename, move and delete before you could even browse to them to kill them... it was very nearly an entertaining experience... and then there was fdisk

so it's been 5 days, i now know others cannot post in my thread so if you are reading this and think what i have is what you have, PM me if you wish and i will share info... i will not usurp the help offered here, so if you are looking for that i will not comply... these guys appear to be slammed right now, so they are busy... i know a couple ppl that got hit with this, so it makes sense the help here is overwhelmed... anyhow i'm going to make my 5 day post, still looking for expertise here

thanks to all

#5 whatttup_G

  • Topic Starter
  • Members

Posted 18 February 2009 - 06:26 PM

looks to me like the executables hacked the ad aware installation i had on my PC and in thinking i was cleaning and scanning, i was double clicking myself into rootkit hell

it's amateur hacking at best here, so make of it what you will, but i found a free hex viewer and dropped some of the quarantined files i saved on it and lo and behold looky looky what's in the code

<bh:1d><bh:06><bh:03>U
<bh:04><bh:0b><bh:13><bh:16>VeriSign Trust Network1;09
<bh:06><bh:03>U<bh:04><bh:0b><bh:13>2Terms of use at hXXps://www.verisign.com/rpa ©041.0,
<bh:06><bh:03>U<bh:04><bh:03><bh:13>%VeriSign Class 3 Code Signing 2004 CA0
<bh:1e><bh:17>081010000000Z
<bh:17>111011235959Z0
<bh:81><bh:c6>1<bh:0b>0
<bh:09><bh:06><bh:03>U
<bh:04><bh:06><bh:13><bh:02>SE1
<bh:1a>0<bh:18><bh:06><bh:03>U
<bh:04><bh:08><bh:13><bh:11>Vaestra Goetaland1
<bh:13>0<bh:11><bh:06><bh:03>U
<bh:04><bh:07><bh:13>Gothenburg1
<bh:14>0<bh:12><bh:06><bh:03>U
<bh:04><bh:14><bh:0b>Lavasoft AB1>0\
<<bh:06><bh:03>U
<bh:04><bh:0b><bh:13>5Digital ID Class 3 - Microsoft Software Validation v21
<bh:1a>0<bh:18><bh:06><bh:03>U
<bh:04><bh:0b><bh:14><bh:11>Security Division1
<bh:14>0<bh:12><bh:06><bh:03>U
<bh:04><bh:03><bh:14><bh:0b>Lavasoft AB0
<bh:81><bh:9f>0
<bh:06><bh:09>*
<bh:00>RtlCreateHeap
<bh:00>T
<bh:01>NtTerminateProcess
<bh:00><bh:00>@
<bh:02>RtlFreeHeap
<bh:00>v
<bh:02>RtlInitUnicodeString
<bh:00><bh:00><bh:fc><bh:01>RtlDestroyHeap
<bh:00><bh:00><bh:93><bh:00>NtDisplayString
<bh:00><bh:98><bh:03>ZwClose
<bh:00><bh:bb><bh:03>ZwDelayExecution
<bh:00><bh:00><bh:f2><bh:04>memcpy
<bh:00><bh:00><bh:13><bh:05>wcscat
<bh:00><bh:00>9<bh:04>ZwReadFile
<bh:00><bh:00><bh:18><bh:05>wcslen
<bh:00><bh:00>c<bh:04>ZwSetInformationFile
<bh:00><bh:00><bh:f4><bh:04>memset
<bh:00><bh:00><bh:8e><bh:01>RtlAllocateHeap
<bh:00><bh:be><bh:03>ZwDeleteFile
<bh:00><bh:00><bh:f4><bh:03>ZwOpenFile
<bh:00><bh:00><bh:18><bh:04>ZwQueryInformationFile
<bh:00><bh:00><bh:16><bh:05>wcscpy
<bh:00><bh:00><bh:00><bh:01>NtQuerySystemTime
<bh:00><bh:bd><bh:04>_snwprintf
<bh:00><bh:00><bh:00><bh:05>strlen
<bh:00><bh:00><bh:fe><bh:04>strcpy
<bh:00><bh:00>E
<bh:03>RtlUnicodeStringToAnsiString
<bh:00><bh:00><bh:a4><bh:03>ZwCreateFile
<bh:00><bh:00>6<bh:03>RtlTimeToTimeFields
<bh:00><bh:96><bh:04>ZwWriteFile
<bh:00><bh:fb><bh:04>strcat
<bh:00><bh:00>ntdll.dll
<bh:00><bh:00><bh:00>RSDSLU_
<bh:8f><bh:bd><bh:08><bh:fb>L
<bh:a5><bh:04><bh:09><bh:93><bh:da>
<bh:c3><bh:9d><bh:1f><bh:03><bh:00><bh:00><bh:00>f:\\dev_new\\new_aaw_gen3\\Bin\\Release\\32\\lsdelete.pdb



check the verisign stuff.. lol, like they'd sign this crap
the microsoft validation for lavasoft... suspicious isn't it
string.. heap.. memcopy.. unicode to ansi... this must be where the virus writes back to the hdd
finally some write file stuff, and a phantom f: drive which must have written the cracked adaware back to its home

yeah, this is just one chunk of one file, so the bottom line as i see it, adaware is a liability not an asset.. and thinking back, the stuff sort of hit the fan one night after i left adaware scanning my box overnight... only to find nothing wrong... yeah, that's the night surprise = 0

hope this is helpful to someone, nobody here has had the time to help me yet so i've set out alone..
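The bytes the post reads by eye are two well-known structures, and decoding them properly is the check a responder makes before drawing conclusions. A sequence 06 03 55 04 xx followed by a string is the DER encoding of an X.509 name attribute (2.5.4.6 = C, 2.5.4.8 = ST, 2.5.4.7 = L, 2.5.4.10 = O, 2.5.4.11 = OU, 2.5.4.3 = CN), so the VeriSign and Lavasoft text is the issuer and subject of an Authenticode code-signing certificate embedded in the file; the values after the 0x17 tags are UTCTime validity dates; and "RSDS" followed by a path is the CodeView debug record that links a binary to the PDB it was built with. The following is an added example, not the poster's, Lavasoft's or VeriSign's code. SAMPLE_NAME is constructed with a small DER encoder to mirror the attribute types and order seen in the dump (its length header comes out as 81 c6, the same two bytes that appear in the dump), and SAMPLE_RSDS uses a placeholder GUID with the PDB path printed at the end of the dump. A signer name inside a file proves nothing on its own; whether the signature actually verifies for that exact file is a separate check (for example with Sysinternals sigcheck or signtool verify), and a PDB path is normal in both legitimate and malicious builds.

```python
"""Decode the two structures visible in the hex dump above (added example, not
Lavasoft's, VeriSign's or the poster's code): the DER-encoded X.509 Name of a
code-signing certificate, and a CodeView 'RSDS' debug record carrying a PDB path."""
import uuid
from datetime import datetime

# --- DER (ASN.1) helpers ---------------------------------------------------
OID_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L",
             "2.5.4.8": "ST", "2.5.4.10": "O", "2.5.4.11": "OU"}
# Directory string tags and how to decode their bytes.
STRING_TAGS = {0x0C: "utf-8", 0x13: "ascii", 0x14: "latin-1", 0x16: "ascii", 0x1E: "utf-16-be"}


def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the TLV at buf[pos]; handles long-form lengths."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content):
    """Decode base-128 OID content bytes, e.g. 55 04 0B -> '2.5.4.11'."""
    parts, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(value)
            value = 0
    return ".".join(map(str, parts))


def decode_name(der_name):
    """X.509 Name ::= SEQUENCE OF SET OF SEQUENCE {OID, value} -> list of (attr, value)."""
    tag, content, _ = read_tlv(der_name, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    rdns, pos = [], 0
    while pos < len(content):
        _set_tag, set_content, pos = read_tlv(content, pos)
        spos = 0
        while spos < len(set_content):
            _seq_tag, seq_content, spos = read_tlv(set_content, spos)
            _oid_tag, oid_bytes, p = read_tlv(seq_content, 0)
            val_tag, val_bytes, _ = read_tlv(seq_content, p)
            oid = decode_oid(oid_bytes)
            value = val_bytes.decode(STRING_TAGS.get(val_tag, "latin-1"))
            rdns.append((OID_NAMES.get(oid, oid), value))
    return rdns


def name_to_string(rdns):
    return ", ".join(f"{k}={v}" for k, v in rdns)


def decode_utctime(text):
    """ASN.1 UTCTime (tag 0x17) as printed in the dump, e.g. '081010000000Z'."""
    return datetime.strptime(text, "%y%m%d%H%M%SZ")


# --- CodeView RSDS record --------------------------------------------------
def parse_rsds(blob):
    """'RSDS' + 16-byte GUID + uint32 age + NUL-terminated PDB path; None if absent."""
    idx = blob.find(b"RSDS")
    if idx < 0:
        return None
    guid = uuid.UUID(bytes_le=blob[idx + 4:idx + 20])   # GUID is stored in Windows little-endian layout
    age = int.from_bytes(blob[idx + 20:idx + 24], "little")
    end = blob.index(b"\x00", idx + 24)
    return {"guid": str(guid), "age": age,
            "pdb_path": blob[idx + 24:end].decode("ascii", "replace")}


# --- constructed sample input (modelled on the dump, not the real file bytes) ---
def der(tag, content):
    """Minimal DER encoder used only to build the sample."""
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def attr(oid, string_tag, text):
    return der(0x31, der(0x30, der(0x06, oid) + der(string_tag, text.encode("latin-1"))))


SAMPLE_NAME = der(0x30,
    attr(b"\x55\x04\x06", 0x13, "SE")                   # C, PrintableString
    + attr(b"\x55\x04\x08", 0x13, "Vaestra Goetaland")  # ST
    + attr(b"\x55\x04\x07", 0x13, "Gothenburg")         # L
    + attr(b"\x55\x04\x0A", 0x14, "Lavasoft AB")        # O, TeletexString (tag 0x14 in the dump)
    + attr(b"\x55\x04\x0B", 0x13, "Digital ID Class 3 - Microsoft Software Validation v2")
    + attr(b"\x55\x04\x0B", 0x14, "Security Division")  # OU
    + attr(b"\x55\x04\x03", 0x14, "Lavasoft AB"))       # CN

# Placeholder GUID bytes; the path is the one printed at the end of the dump.
SAMPLE_RSDS = (b"\x00\x00RSDS" + bytes(range(16)) + (3).to_bytes(4, "little")
               + b"f:\\dev_new\\new_aaw_gen3\\Bin\\Release\\32\\lsdelete.pdb\x00junk")

if __name__ == "__main__":
    print(name_to_string(decode_name(SAMPLE_NAME)))
    print(decode_utctime("081010000000Z"), "->", decode_utctime("111011235959Z"))
    print(parse_rsds(SAMPLE_RSDS))
```

Run stand-alone it prints the subject as C=SE, ST=..., CN=Lavasoft AB, the validity window as two datetimes, and the RSDS GUID, age and PDB path. In a real investigation you would feed the bytes of the PE's security directory and debug directory to these functions instead of the constructed samples, and then verify the signature itself rather than stopping at the decoded names.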

#6 PropagandaPanda

  • Malware Response Team

Posted 20 February 2009 - 04:26 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

Disable Realtime Protection
Antimalware programs can interfere with ComboFix and other tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

Download and Run ComboFix
Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.
    [image]

  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
    [image]
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER.zip to your desktop from any of the links below:
LINK1, LINK2
  • Right click on GMER.zip and select "Extract All".
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click GMER.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.
In your next reply include:
-the ComboFix log
-the GMER scan log

Please also tell me of any changes you have made to your computer since you started your topic.

With Regards,
The Panda

#7 PropagandaPanda

  • Malware Response Team

Posted 07 March 2009 - 04:34 PM

Hello.

There had been no reply from the topic starter in 5 days. Due to inactivity, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda



