need help with rootkit


  • This topic is locked
34 replies to this topic

#1 ac1dt3st

  • Members
  • 21 posts

Posted 24 September 2009 - 04:09 PM

looks like i have a rootkit; near as i can tell it arrived courtesy of my JRE. looking online, i found an identical post/issue under the name "Packed.monder". symptoms are the same: search results in IE and Firefox are hijacked to random adware sites.

i have run Spybot S&D, RootAlyzer, HijackThis, JavaRa, GMER and RootRepeal. i did exhaustive registry and file scans. Spybot, RootAlyzer and HijackThis found nothing. i'd be happy to post the full logs and results here, or you can trust me that following are the only interesting bits:

GMER reports:

---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\Device\Ide\IdePort3\pctqppfd\pctqppfd\tdlwsp.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [948] 0x10000000

and RootRepeal reports:

Stealth Objects
-------------------
Object: Hidden Module [Name: tdlcmd.dll]
Process: svchost.exe (PID: 1024) Address: 0x10000000 Size: 28672

i need some help getting rid of this. the caveat is, system policy may prevent me from booting in safe mode. any help getting rid of this with haste would be greatly appreciated!


#2 JSntgRvr

    Master Surgeon General
  • Malware Response Team
  • 11,761 posts
  • Location:Puerto Rico

Posted 24 September 2009 - 04:29 PM

Hi, ac1dt3st :(

Welcome.

Please read and follow all these instructions very carefully.

Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).
Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

=====================================================================


Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • If you receive a message that Combofix has detected the presence of rootkit activity and needs to reboot, kindly write down on paper the list of files present in the message before continuing, and post it in your next reply.
  • Install the Recovery Console upon request.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 ac1dt3st


Posted 24 September 2009 - 04:48 PM

JSntgRvr,

thanks for your prompt reply! i am carefully following your instructions. here is the first step, the info from GooredFix.txt

... ... ...

GooredFix by jpshortstuff (24.09.09.1)
Log created at 16:45 on 24/09/2009 (acid)
Firefox version 3.0.14 (en-US)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} [19:33 22/09/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [08:12 16/07/2009]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [19:33 22/09/2009]

-=E.O.F=

#4 ac1dt3st


Posted 24 September 2009 - 04:57 PM

here is the log from MBAM. rebooting now.

... ... ...

Malwarebytes' Anti-Malware 1.41
Database version: 2856
Windows 5.1.2600 Service Pack 3

9/24/2009 4:55:59 PM
mbam-log-2009-09-24 (16-55-59).txt

Scan type: Quick Scan
Objects scanned: 112411
Time elapsed: 3 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\Device\Ide\IdePort3\uqfvbjor\uqfvbjor\tdlwsp.dll (Rootkit.TDSS) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\Device\Ide\IdePort3\uqfvbjor\uqfvbjor\tdlwsp.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sens32.dll.bak (Rootkit.TDSS) -> Quarantined and deleted successfully.

#5 ac1dt3st


Posted 24 September 2009 - 05:43 PM

ComboFix run is complete. unfortunately, it could not download the recovery console, so i'm not sure if that affected the outcome. it was probably blocked by the network. i can probably figure out how to add the proxy server to my environment settings, if necessary, to let ComboFix get out. that is, if our work is not yet done. i'll post the log, and now i'm going to reboot and see where we're at. see you on the other side. ;)

... ... ...

ComboFix 09-09-23.02 - acid 09/24/2009 17:17.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2362 [GMT -5:00]
Running from: c:\documents and settings\acid\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\Installer\a4201.msi

----- BITS: Possible infected sites -----

hxxp://itwsus01.<mydomain>.com <-- obscured for my protection... ;)
.
((((((((((((((((((((((((( Files Created from 2009-08-24 to 2009-09-24 )))))))))))))))))))))))))))))))
.

2009-09-24 21:49 . 2009-09-24 21:49 -------- d-----w- c:\documents and settings\acid\Application Data\Malwarebytes
2009-09-24 21:49 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-24 21:49 . 2009-09-24 21:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-24 21:49 . 2009-09-24 21:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-24 21:49 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-22 19:53 . 2007-04-05 17:16 626688 ----a-w- c:\windows\system32\msvcr80.dll
2009-09-22 19:33 . 2009-09-22 19:33 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-22 15:31 . 2009-09-22 15:31 -------- d-----w- c:\program files\Trend Micro
2009-09-22 15:26 . 2009-09-22 15:54 -------- d-----w- c:\temp\SSD
2009-09-22 15:11 . 2009-09-22 15:11 -------- d-----w- c:\documents and settings\acid\Local Settings\Application Data\Yahoo!
2009-09-21 22:16 . 2009-09-21 22:17 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-21 20:00 . 2009-09-22 20:21 -------- d-----w- c:\temp\BI design
2009-09-21 19:10 . 2009-09-22 20:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-21 18:53 . 2009-09-21 18:53 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-09-18 20:27 . 2009-09-18 20:27 -------- d-----w- c:\program files\Adobe Media Player
2009-09-18 20:19 . 2009-09-18 20:19 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-09-18 08:00 . 2009-09-18 08:00 -------- d-----w- c:\windows\ie8updates
2009-09-17 14:36 . 2009-09-17 14:36 -------- d-sh--w- c:\documents and settings\acid\IECompatCache
2009-09-17 14:36 . 2009-09-17 14:36 -------- d-sh--w- c:\documents and settings\acid\PrivacIE
2009-09-17 14:31 . 2009-09-17 14:31 -------- d-sh--w- c:\documents and settings\acid\IETldCache
2009-09-17 08:11 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-09-17 08:11 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-09-17 08:11 . 2009-08-07 08:48 100352 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-09-17 08:09 . 2009-09-17 08:09 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-09-17 08:02 . 2009-09-17 08:03 -------- dc-h--w- c:\windows\ie8
2009-09-17 00:49 . 2009-09-18 15:38 -------- d-----w- c:\temp\PORTOID01
2009-09-16 21:21 . 2009-09-17 19:18 -------- d-----w- c:\temp\screenshots
2009-09-16 16:42 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-09-14 18:10 . 2009-09-21 16:48 -------- d-----w- c:\temp\production LDAP users
2009-09-11 20:22 . 2009-09-11 20:23 -------- d-----w- c:\temp\RDA
2009-09-11 15:25 . 2009-09-11 15:25 -------- d-----w- C:\share

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-24 22:04 . 2008-08-20 14:49 -------- d-----w- c:\program files\Symantec AntiVirus
2009-09-24 22:03 . 2009-09-21 19:43 4904 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2009-09-24 21:22 . 2009-01-08 15:47 -------- d-----w- c:\documents and settings\acid\Application Data\.purple
2009-09-23 13:34 . 2009-01-06 18:56 72160 ----a-w- c:\documents and settings\acid\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-22 21:19 . 2008-08-20 14:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-09-22 21:17 . 2008-08-20 15:10 -------- d-----w- c:\program files\Microsoft Works
2009-09-22 21:17 . 2008-08-20 15:10 -------- d-----w- c:\program files\MSBuild
2009-09-22 21:12 . 2008-08-20 15:08 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2009-09-22 20:16 . 2009-01-06 19:39 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-09-22 19:33 . 2008-08-18 21:20 -------- d-----w- c:\program files\Java
2009-09-22 18:10 . 2008-08-21 18:57 118784 ----a-w- c:\windows\SeaMonkeyUninstall.exe
2009-09-22 18:10 . 2008-08-21 18:57 8749 ----a-w- c:\windows\mozver.dat
2009-09-22 18:09 . 2008-08-21 18:57 118784 ----a-w- c:\windows\GREUninstall.exe
2009-09-18 20:28 . 2008-08-18 21:15 -------- d-----w- c:\program files\Common Files\Adobe
2009-09-18 19:27 . 2009-01-22 19:34 -------- d-----w- c:\documents and settings\acid\Application Data\SQL Developer
2009-09-14 19:22 . 2009-01-08 15:49 -------- d-----w- c:\documents and settings\acid\Application Data\gtk-2.0
2009-08-21 16:38 . 2009-08-21 16:38 -------- d-----w- c:\program files\Xvid
2009-08-17 20:01 . 2009-08-17 20:01 -------- d-----w- c:\program files\Microsoft Visual Studio .NET
2009-08-14 19:49 . 2009-08-14 19:49 -------- d-----w- c:\documents and settings\acid\Application Data\WOLips
2009-08-07 00:24 . 2008-08-18 20:34 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-07 00:24 . 2008-08-18 20:34 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-07 00:24 . 2008-08-18 20:46 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-07 00:24 . 2008-08-18 20:34 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-07 00:24 . 2008-08-18 20:16 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-07 00:24 . 2008-08-18 20:17 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-07 00:23 . 2008-08-18 20:34 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-07 00:23 . 2008-08-18 20:16 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2008-08-18 20:17 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-29 04:37 . 2001-08-23 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-07-29 04:37 . 2001-08-23 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-07-17 19:01 . 2008-08-18 20:17 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 04:43 . 2008-08-18 20:34 286208 ------w- c:\windows\system32\wmpdxm.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-20 52896]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-28 125168]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2007-07-23 77824]
"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-19 45632]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-22 149280]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-06-13 16871936]

c:\documents and settings\acid\Start Menu\Programs\Startup\
Shortcut to pageant.exe.lnk - c:\program files\PuTTY\pageant.exe [2008-8-21 135168]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=

R2 I3UpdateSvc;I3 Update Service;c:\program files\Interactive Intelligence\I3UpdateSvcU.exe [8/20/2008 10:18 AM 184320]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/27/2006 8:33 PM 116464]
R2 TIRmtSvc;Track-It! Workstation Manager;c:\windows\TIREMOTE\TIRemoteService.exe [8/21/2008 10:30 PM 213504]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/27/2009 6:31 PM 102448]
S3 OracleServiceXE;OracleServiceXE;c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE XE --> c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE XE [?]
S3 OracleXETNSListener;OracleXETNSListener;c:\oraclexe\app\oracle\product\10.2.0\server\BIN\TNSLSNR.EXE [2/2/2006 12:49 AM 204800]
S4 OracleJobSchedulerXE;OracleJobSchedulerXE;c:\oraclexe\app\oracle\product\10.2.0\server\Bin\extjob.exe XE --> c:\oraclexe\app\oracle\product\10.2.0\server\Bin\extjob.exe XE [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-24 c:\windows\Tasks\User_Feed_Synchronization-{B69E725B-8B4F-49B9-8466-B434E8012CC4}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = sleestak:3128
uInternet Settings,ProxyOverride = <local>;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\acid\Application Data\Mozilla\Firefox\Profiles\ruhgolwj.default\
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\documents and settings\acid\Local Settings\Application Data\Yahoo!\BrowserPlus\2.4.17\Plugins\npybrowserplus_2.4.17.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nphclx.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

AddRemove-HijackThis - c:\program files\Trend Micro\HijackThis\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-24 17:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(744)
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'lsass.exe'(804)
c:\windows\system32\WININET.dll
c:\program files\Bonjour\mdnsNSP.dll
.
Completion time: 2009-09-24 17:36
ComboFix-quarantined-files.txt 2009-09-24 22:36

Pre-Run: 222,697,013,248 bytes free
Post-Run: 222,722,273,280 bytes free

164 --- E O F --- 2009-09-18 08:00

#6 ac1dt3st


Posted 24 September 2009 - 05:51 PM

crap! the problem persists after a reboot. this thing is tenacious!!!

next steps? try to run ComboFix with proxy settings in the ENV to let it download the recovery module...?

or something else?

#7 JSntgRvr


Posted 24 September 2009 - 06:03 PM

Hi, ac1dt3st :(

Please download MBR.EXE by GMER. Save the file in your Root directory, C:\, then bring your computer to a Command prompt.

Go to Start -> Run, type CMD and click OK. At the prompt type the following and press Enter after each command:

cd C:\
MBR.EXE -t


The program will check the Master Boot Record and will produce a report. Post the contents of that report in your next reply.

Type Exit at the Command prompt and press Enter to return back to Windows.



#8 ac1dt3st


Posted 24 September 2009 - 07:25 PM

i will do that first thing tomorrow when at my other system.

important note: if it helps, i can provide access to a defanged copy of what i believe to be the delivery mechanism, in the name of science and keeping one step ahead of these bastards.

i'm not going to post it here. if you'd like information and a location for the neutralized exploit, please private message me (if that's supported by these forums) or send me an email.

#9 ac1dt3st


Posted 24 September 2009 - 07:41 PM

scratch that. did a remote desktop and ran the MBR.EXE. looks like there's a nasty in there.

... ... ...

C:\>MBR.EXE -t
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys >>UNKNOWN [0x8A4FAC1B]<<
kernel: MBR read successfully
user & kernel MBR OK
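Two pieces of evidence in this thread carry the diagnosis: the modules loaded from a \\?\globalroot\Device\... path that GMER, RootRepeal and Malwarebytes reported in posts #1 and #4, and the >>UNKNOWN [0x8A4FAC1B]<< entry in the MBR.EXE call chain directly above. The script below is an added example, not code from the thread or from GMER; it parses those four log formats into a list of findings and applies a rule-based verdict. The sample log is constructed from the lines pasted in this thread, and the tdl*.dll name match is an assumption taken from the two names seen here, not a published signature.

```python
"""Triage of anti-rootkit tool output for TDSS/TDL3-style indicators.

Parses the text formats seen in this thread (GMER "Library ..." lines,
RootRepeal "Hidden Module" stealth objects, Malwarebytes "(Rootkit.TDSS)"
hits and the MBR.EXE "called modules:" chain) and reduces them to a short
list of findings plus a heuristic verdict.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# A module loaded from \\?\globalroot\Device\... lives in storage that is only
# reachable through a device object, never through a drive letter: the TDL3
# hidden file system pattern.
GLOBALROOT_RE = re.compile(r"\\\\\?\\globalroot\\Device\\[^\s()]+", re.IGNORECASE)
# Assumption: naming heuristic derived from the two names in this thread.
TDL_MODULE_RE = re.compile(r"\b(tdl\w*\.dll)\b", re.IGNORECASE)
HIDDEN_MODULE_RE = re.compile(r"Object:\s*Hidden Module \[Name:\s*([^\]]+)\]")
PROCESS_RE = re.compile(r"Process:\s*(\S+)\s*\(PID:\s*(\d+)\)\s*Address:\s*(0x[0-9A-Fa-f]+)")
# MBR.EXE prints >>UNKNOWN [addr]<< for code in the disk I/O chain that it
# cannot attribute to any loaded driver, i.e. a hook.
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")


@dataclass(frozen=True)
class Finding:
    source: str       # tool whose output produced the line
    indicator: str    # machine-friendly tag used by verdict()
    detail: str       # evidence, taken from the log line
    module: str = ""  # module file name, when the line names one


def _module_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def triage(text: str) -> list[Finding]:
    """Return the TDSS-relevant findings in one or more pasted tool logs."""
    findings: list[Finding] = []
    lines = [ln.strip() for ln in text.splitlines()]
    for i, line in enumerate(lines):
        if (m := HIDDEN_MODULE_RE.search(line)):
            name = m.group(1).strip()
            detail = f"hidden module {name}"
            # RootRepeal prints the owning process on the following line.
            if i + 1 < len(lines) and (p := PROCESS_RE.search(lines[i + 1])):
                detail += f" in {p.group(1)} (PID {p.group(2)}) at {p.group(3)}"
            findings.append(Finding("rootrepeal", "hidden_module", detail, name))
        elif (m := GLOBALROOT_RE.search(line)):
            path = m.group(0)
            source = "mbam" if "->" in line else "gmer"  # MBAM lines carry "-> action"
            findings.append(Finding(source, "globalroot_module", path, _module_name(path)))
        elif line.lower().startswith("called modules:"):
            chain = line.split(":", 1)[1]
            known = UNKNOWN_RE.sub(" ", chain).split()
            for addr in UNKNOWN_RE.findall(chain):
                last = known[-1] if known else "?"
                findings.append(Finding("mbr.exe", "disk_stack_hook",
                                        f"unattributed code at {addr}; last known driver in chain: {last}"))
        elif line == "user & kernel MBR OK":
            findings.append(Finding("mbr.exe", "mbr_sectors_intact", line))
    return findings


def tdl_module_names(findings: list[Finding]) -> set[str]:
    """Module names matching the tdl*.dll naming seen in the thread (heuristic)."""
    return {f.module.lower() for f in findings if f.module and TDL_MODULE_RE.fullmatch(f.module)}


def verdict(findings: list[Finding]) -> str:
    """Rule-based reading of the findings; a heuristic, not a signature."""
    tags = {f.indicator for f in findings}
    hidden = "globalroot_module" in tags or "hidden_module" in tags
    if "disk_stack_hook" in tags and hidden:
        msg = ("TDL3/TDSS-style kernel rootkit: hidden storage behind a device path, "
               "DLLs injected into user-mode processes, and a hook in the disk I/O chain.")
        if "mbr_sectors_intact" in tags:
            msg += " The MBR sectors read clean, so the hook sits in the driver path, not the boot sector."
        return msg
    if hidden:
        return "Hidden/globalroot modules found but no disk-chain hook reported; rerun MBR.EXE -t."
    if "disk_stack_hook" in tags:
        return "Unattributed hook in the disk I/O chain; check for hidden modules with GMER/RootRepeal."
    return "No TDSS-style indicators in the supplied output."


# Constructed sample: the lines pasted in this thread, concatenated.
SAMPLE_LOG = r"""
---- Processes - GMER 1.0.15 ----
Library \\?\globalroot\Device\Ide\IdePort3\pctqppfd\pctqppfd\tdlwsp.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [948] 0x10000000

Stealth Objects
Object: Hidden Module [Name: tdlcmd.dll]
Process: svchost.exe (PID: 1024) Address: 0x10000000 Size: 28672

Memory Modules Infected:
\\?\globalroot\Device\Ide\IdePort3\uqfvbjor\uqfvbjor\tdlwsp.dll (Rootkit.TDSS) -> Delete on reboot.

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys >>UNKNOWN [0x8A4FAC1B]<<
kernel: MBR read successfully
user & kernel MBR OK
"""

# Constructed clean output for comparison.
CLEAN_LOG = "called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys\nuser & kernel MBR OK\n"

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f.source}] {f.indicator}: {f.detail}")
    print("tdl modules:", sorted(tdl_module_names(found)))
    print(verdict(found))
    print(verdict(triage(CLEAN_LOG)))
```

The point the script makes explicit is why "user & kernel MBR OK" and a >>UNKNOWN<< entry are not a contradiction: MBR.EXE walks the I/O path from the kernel down to the disk and names each module it can attribute; an address it cannot map to a loaded driver is printed as UNKNOWN. A hook on the storage driver therefore shows up in the chain even though the boot sector itself reads clean, which is consistent with the hidden globalroot modules the other three tools reported.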

#10 JSntgRvr


Posted 24 September 2009 - 09:21 PM

Hi, ac1dt3st :(

Go to Start -> Run, type CMD and click OK. At the prompt type the following and press Enter after each command:

cd C:\
MBR.EXE -f


The program will attempt to fix the Master Boot Record and will produce a report. Post the contents of that report in your next reply.

Type Exit at the Command prompt and press Enter to return back to Windows.



#11 JSntgRvr


Posted 24 September 2009 - 09:31 PM

Hi, ac1dt3st :(

Let me add this. Since we are dealing with the MBR, the Recovery Console should be installed prior to the above fix.

You can use Combofix to install the Recovery Console.

Go to Microsoft's website => http://support.microsoft.com/kb/310994

Scroll down to Step 1, and select the download that's appropriate for your Operating System. Download the file & save it as it's originally named.

Note: If you have SP3, use the SP2 package.


---------------------------------------------------------------------

Transfer all files you just downloaded, to the desktop of the infected computer.

--------------------------------------------------------------------


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Drag the setup package onto ComboFix.exe and drop it.

  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.




  • At the next prompt, click 'Yes' to run the full ComboFix scan.

  • When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix(2).txt in your next reply.

Edited by JSntgRvr, 24 September 2009 - 09:33 PM.



#12 ac1dt3st


Posted 24 September 2009 - 10:20 PM

thanks, JSntgRvr.

i will try this first thing in the a.m.; i will need to be local to the system to do that, of course.

also, f.y.i., i received a private message from LonnyRJones, and by request i have just uploaded the presumed exploit under the name: neutralized.tar

i provided a full explanation and instructions to LonnyRJones and with the upload itself. please let me know if there are any questions. i think i was pretty clear...

#13 ac1dt3st


Posted 24 September 2009 - 10:23 PM

oh, to clarify... so i should:

1. download the Recovery Console
2. drag the Recovery Console onto ComboFix to initiate a full scan
3. run MBR.EXE -f when the ComboFix work is done

is this correct?

#14 JSntgRvr


Posted 24 September 2009 - 10:38 PM

> oh, to clarify... so i should:
>
> 1. download the Recovery Console
> 2. drag the Recovery Console onto ComboFix to initiate a full scan
> 3. run MBR.EXE -f when the ComboFix work is done
>
> is this correct?

Yes. Install the Recovery Console first, then run MBR.EXE -f



#15 ac1dt3st


Posted 25 September 2009 - 09:49 AM

o.k., i want to be absolutely clear on this. you wrote that i need to install the Recovery Console. the link you provided:

http://support.microsoft.com/kb/310994

leads to a page that says: How to obtain Windows XP Setup disks for a floppy boot installation

i followed the link for Service Pack 2, and it says: Windows XP Professional with Service Pack 2 Utility: Setup Disks for Floppy Boot Install

i don't want to mess this up, so i want to confirm that "Setup Disks for Floppy Boot Install" is the same as "Recovery Console".

i have downloaded the file; once i get your confirmation i will run immediately.



