Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Possible Rootkit Infection


  • Please log in to reply
3 replies to this topic

#1 PapaJohn57

PapaJohn57

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:02:34 PM

Posted 15 October 2009 - 10:24 PM

Computer infected 9/4 and struggling to fix it ever since. Whatever it is it wiped out the eventslog and blocked everything from running. IE, firefox,Norton, Malwarebytes, Combofix etc wouldn't open. System Restore didn't work, etc. After reading many forums and threads and trying many things the machine is better but I'm not sure if it's clean. I have two computers so I am working on the infected machine without internet, AV software or firewalls turned on and I want to make sure it's clean before connecting again. Please check out the logs and let me know if I still have issues or what I should do.

The DDS LOG is below and I also have logs from ComboFix, Malwarebytes, HijackThis and Win32Diag if you want to see any of them.


DDS (Ver_09-10-13.01) - NTFSx86
Run by Shawn at 22:13:01.85 on Thu 10/15/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.649 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Bradford Networks\Client Security Agent\bncsaui.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bradford Networks\Client Security Agent\bndaemon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\dell\E-center\gtb2.exe
C:\Documents and Settings\Shawn\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: StumbleUpon Launcher: {145b29f4-a56b-4b90-bbac-45784ebebbb7} - c:\program files\stumbleupon\StumbleUponIEBar.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: StumbleUpon Toolbar: {5093eb4c-3e93-40ab-9266-b607ba87bdc8} - c:\program files\stumbleupon\StumbleUponIEBar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uRun: [ModemOnHold] c:\program files\netwaiting\netWaiting.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [ShowLOMControl] 1 (0x1)
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ECenter] "c:\dell\e-center\gtb.exe"
mRun: [Corel Photo Downloader] c:\program files\corel\corel photo album 6\MediaDetect.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [bncsaui.exe] %ProgramFiles%\Bradford Networks\Client Security Agent\bncsaui.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\udaterui.exe" /StartedFromRunKey
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\mw\mbam.exe" /runcleanupscript
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1170249388109
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R2 BNPagent;Client Security Agent Service;c:\program files\bradford networks\client security agent\bndaemon.exe [2007-6-21 2653576]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-10-7 24652]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-8-31 29744]
S3 StumbleUponUpdateService;StumbleUponUpdateService;c:\program files\stumbleupon\StumbleUponUpdateService.exe [2009-6-3 120168]

=============== Created Last 30 ================

2009-10-14 02:57 <DIR> a-dshr-- C:\cmdcons
2009-10-14 02:55 236,544 a------- c:\windows\PEV.exe
2009-10-14 02:55 161,792 a------- c:\windows\SWREG.exe
2009-10-14 02:55 98,816 a------- c:\windows\sed.exe
2009-10-13 20:02 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-13 20:02 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-10-13 20:02 <DIR> --d----- C:\mw
2009-10-13 19:56 4,045,528 a------- C:\mw-setup2.exe
2009-10-13 19:55 3,337,810 a----r-- C:\cf2.exe
2009-10-08 07:47 <DIR> --d----- C:\ComboFix
2009-10-07 23:51 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-10-07 23:07 <DIR> --d----- c:\program files\VS Revo Group
2009-10-05 13:38 <DIR> --dsh--- c:\documents and settings\shawn\PrivacIE
2009-10-05 13:30 <DIR> --dsh--- c:\documents and settings\shawn\IETldCache
2009-10-05 13:10 <DIR> -cd-h--- c:\windows\ie8
2009-10-04 18:14 <DIR> --d----- c:\docume~1\shawn\applic~1\Malwarebytes
2009-10-04 18:14 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-10-04 17:50 <DIR> --d----- c:\program files\CCleaner
2009-10-04 17:47 <DIR> --d----- c:\program files\Yahoo!
2009-10-04 03:34 <DIR> --d----- c:\program files\Mozilla Firefox(3)
2009-10-04 03:18 <DIR> --d----- c:\docume~1\shawn\applic~1\Uniblue
2009-10-04 00:23 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Norton
2009-10-04 00:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller
2009-09-27 21:16 <DIR> --d----- c:\docume~1\shawn\applic~1\Mozilla(2)
2009-09-27 21:15 <DIR> --d----- c:\program files\Mozilla Firefox(2)

==================== Find3M ====================

2009-10-04 20:23 4,704 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-10-04 00:27 26,600 a----r-- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-10-04 00:26 107,368 a----r-- c:\windows\system32\GEARAspi.dll
2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 05:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
2009-01-16 13:00 19,333,112 a------- c:\program files\DivXInstaller.exe
2008-08-07 23:07 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008080720080808\index.dat

============= FINISH: 22:13:12.48 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,714 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:01:34 PM

Posted 26 October 2009 - 07:29 AM

Looks clean. Have you been able to run AV scans on it, or are you still having trouble doing so?

#3 PapaJohn57

PapaJohn57
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:02:34 PM

Posted 26 October 2009 - 09:52 PM

Thanks for your help thus far. After running ComboFix and HijackThis, MalwareBytes etc. While in safe mode I was able to install Spybot, AdAware and lastly Norton 360 and run full scans that took hours each. Now the issue I have is that shortly after a normal startup the computer bluescreens with a bad_pool_header error. Not sure what to do now other than uninstall all the software i've added recently. With AdAware, ComboFix, HijackThis, Malwarebytes AM, Norton 360, leftover Mcafee files, Spybot, SpywareBlaster and SpywareGuard, and the normal windows security stuff I'm afraid things are tripping over each other. Obvious overkill, I know. Should I use something like Revo Uninstaller, also installed, to uninstall everything and just addback Norton 360. I have seen posts on the web stating that Norton 360 may be the issue or the memory may have gone bad.

#4 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,714 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:01:34 PM

Posted 27 October 2009 - 10:37 AM

Yeah its possible. From what I just researched, there does not appear to be a single answer as to how to resolve those bluescreens other than uninstall software. My suggestion would be to go into safe mode and uninstall some of the programs. Particular combofix, adaware, malwarebytes and norton 360. Then add them back one at a time.

To uninstall combofix you would use the following steps:


Let's uninstall ComboFix

Please navigate to, and delete the following:
  • Click on : Start >> Run...
  • Type: Combofix /u and hit Enter





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users