
maccsnet.tmp BSOD cyclic reboot - rootkit?


1 reply to this topic

#1 concise


Posted 17 October 2009 - 08:20 AM

System is running Windows XP Version 2002 SP2 build 2600.

While visiting an apparently dodgy website, Norton popped up a virus warning with the following (taken from the quarantine history while viewing in safe mode)...

Filename:maccsnet.tmp
Type: Downloader.Misleadapp
Action taken: Quarantined
Original location: c:\docume~1\djconc~1\locals~1\temp

Then the system booted, and I'm currently presented with a flash of a BSOD and then the system immediately reboots, and this cycle continues. A little slow-motion photography reveals little useful information from the BSOD...

STOP 0x0000007E (xc0000005,0x82c35367,0xf794bba4,0xF794B8A0)

To get safe mode to boot, I have to press ESC to prevent d347bus.sys from loading, otherwise the system restarts.

I downloaded and installed MBAM in safe mode. Running a quickscan resulted in the following.

Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 2 (Safe Mode)

17/10/2009 13:15:49
mbam-log-2009-10-17 (13-15-49).txt

Scan type: Quick Scan
Objects scanned: 112356
Time elapsed: 7 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\net.net (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\dj concise\Local Settings\Temp\prun.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\dj concise\Local Settings\Temp\incosnet.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\dj concise\Local Settings\Temp\xpre.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.


I removed the 5 offending entries.

I rebooted and the problem persisted.

I went back to safe mode and ran MBAM Quick scan again. The log is below, I removed the 3 offending entries.

Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 2 (Safe Mode)

17/10/2009 13:59:49
mbam-log-2009-10-17 (13-59-39).txt

Scan type: Quick Scan
Objects scanned: 112379
Time elapsed: 6 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\6.tmp (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\7.tmp (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\8.tmp (Trojan.Agent) -> No action taken.


A RootRepeal scan while running in safe mode reveals nothing other than rootrepeal.sys running.

A 3rd MBAM scan results in no malicious items being found.

A further reboot and the problem still persists.

Hope MBAM was the right tool to try off the bat.

TIA.
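The two MBAM logs quoted above follow a fixed layout (a header of "key: value" lines, then one "... Infected:" section per category, each line ending in the action MBAM took), and the second log records "No action taken" for the three system32 .tmp files. The script below is an added example, not part of this thread or of Malwarebytes, that parses that layout and lists detections the scanner did not quarantine; the sample log is constructed from lines in the thread.

```python
import re

# Constructed sample in the MBAM 1.41 log layout shown in the thread,
# abridged to a header and two detection sections.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 2 (Safe Mode)

Scan type: Quick Scan
Objects scanned: 112379
Time elapsed: 6 minute(s), 49 second(s)

Registry Keys Infected: 1
Files Infected: 3

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\6.tmp (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\7.tmp (Trojan.Agent) -> No action taken.
C:\Documents and Settings\dj concise\Local Settings\Temp\prun.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
"""

# "Files Infected:" opens a section; "Files Infected: 3" is a header count.
SECTION = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")
# "<item> (<family>) -> <action>."
DETECTION = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")

def parse_mbam_log(text):
    """Return (header dict, list of detection dicts) for one MBAM log."""
    header, detections, section = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SECTION.match(line)
        if m:
            section = m.group("name")
            continue
        if section is None:                      # still in the header
            if ": " in line:
                key, value = line.split(": ", 1)
                header[key] = value
            continue
        if line.startswith("("):                 # "(No malicious items detected)"
            continue
        m = DETECTION.match(line)
        if m:
            detections.append({"section": section, **m.groupdict()})
    return header, detections

def unresolved(detections):
    """Detections MBAM reported but did not quarantine or delete."""
    return [d for d in detections if not d["action"].startswith("Quarantined")]
```

Feeding a log whose "Files Infected" entries end in "No action taken" to unresolved() is a quick way to confirm whether a cleanup actually happened before rebooting.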


#2 concise


Posted 17 October 2009 - 11:48 AM

Update: Renaming d347bus.sys allows me to boot normally... this is the SCSI driver for daemon tools. Not sure why this is supposedly causing problems... it's not a new install, and has run without issue on every system upon which I have ever installed it.
