
some sort of a rootkit

  • This topic is locked
4 replies to this topic

#1 lankanbg


  • Members
  • 2 posts
  • Local time:02:10 AM

Posted 26 October 2009 - 10:23 PM

Hi Guys,
It looks like I got some sort of a rootkit. See RootRepeal log below. Thanks in advance for your help!!

ROOTREPEAL © AD, 2007-2009
Scan Start Time: 2009/10/26 22:48
Program Version: Version
Windows Version: Windows XP SP2

Name: dump_iaStor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0xA9F75000 Size: 778240 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA88BB000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\program files\iss\proventia desktop\log002.tcp
Status: Size mismatch (API: 414447, Raw: 409998)

Path: D:\Profiles\y17454\Local Settings\Apps\2.0\BT7BCXNV.C9M\Y467P3JH.MBV\manifests\clickonce_bootstrap.exe.cdf-ms
Status: Locked to the Windows API!

Path: D:\Profiles\y17454\Local Settings\Apps\2.0\BT7BCXNV.C9M\Y467P3JH.MBV\manifests\clickonce_bootstrap.exe.manifest
Status: Locked to the Windows API!

#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x898a6158

#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\system32\drivers\isskboep.sys" at address 0xa9131c05

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\drivers\RapDrv.sys" at address 0xa9a31ea8

#: 047 Function Name: NtCreateProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\isskboep.sys" at address 0xa9131c0c

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "C:\WINDOWS\system32\drivers\isskboep.sys" at address 0xa9131c13

#: 057 Function Name: NtDebugActiveProcess
Status: Hooked by "C:\WINDOWS\System32\drivers\RapDrv.sys" at address 0xa9a3184a

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\Program Files\Symantec\SYMEVENT.SYS" at address 0xaa4becc0

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\System32\drivers\RapDrv.sys" at address 0xa9a31ff2

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\drivers\RapDrv.sys" at address 0xa9a3185c

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "<unknown>" at address 0x89bd3280

#: 206 Function Name: NtResumeThread
Status: Hooked by "<unknown>" at address 0x898c9830

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\Program Files\Symantec\SYMEVENT.SYS" at address 0xaa4bef20

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\System32\drivers\RapDrv.sys" at address 0xa9a316ec

Stealth Objects
Object: Hidden Handle [Index: 4, Type: UnknownType]
Process: svchost.exe (PID: 1780) Address: 0xe8586020 Size: -

Object: Hidden Handle [Index: 2052, Type: UnknownType]
Process: svchost.exe (PID: 1780) Address: 0xe142a020 Size: -

Object: Hidden Handle [Index: 4100, Type: UnknownType]
Process: svchost.exe (PID: 1780) Address: 0xe14ae7c8 Size: -


Unfortunately, Win32kDiag does not give much (log below).
Running from: D:\Profiles\y17454\desktop\Win32kDiag.exe

Log file at : D:\Profiles\y17454\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...
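
Added example, not part of the original post and not code from RootRepeal or the forum helpers: one way to triage the SSDT entries of a RootRepeal log like the one above, grouping hooks by the driver file the scanner names and separating the ones it reports as `<unknown>`. The function names (`parse_log`, `containing_driver`, `triage`) are hypothetical, and the sample input is constructed from the lines of this log.

```python
import re
from collections import defaultdict
from ntpath import basename  # Windows path rules regardless of host OS

# Constructed input: driver and hook entries copied from the RootRepeal log
# in the post above (blank lines, Image Path and bare Status lines dropped).
SAMPLE_LOG = r'''
Name: dump_iaStor.sys
Address: 0xA9F75000 Size: 778240 File Visible: No Signed: -
Name: rootrepeal.sys
Address: 0xA88BB000 Size: 49152 File Visible: No Signed: -
#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x898a6158
#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\system32\drivers\isskboep.sys" at address 0xa9131c05
#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\drivers\RapDrv.sys" at address 0xa9a31ea8
#: 047 Function Name: NtCreateProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\isskboep.sys" at address 0xa9131c0c
#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "C:\WINDOWS\system32\drivers\isskboep.sys" at address 0xa9131c13
#: 057 Function Name: NtDebugActiveProcess
Status: Hooked by "C:\WINDOWS\System32\drivers\RapDrv.sys" at address 0xa9a3184a
#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\Program Files\Symantec\SYMEVENT.SYS" at address 0xaa4becc0
#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\System32\drivers\RapDrv.sys" at address 0xa9a31ff2
#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\drivers\RapDrv.sys" at address 0xa9a3185c
#: 177 Function Name: NtQueryValueKey
Status: Hooked by "<unknown>" at address 0x89bd3280
#: 206 Function Name: NtResumeThread
Status: Hooked by "<unknown>" at address 0x898c9830
#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\Program Files\Symantec\SYMEVENT.SYS" at address 0xaa4bef20
#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\System32\drivers\RapDrv.sys" at address 0xa9a316ec
'''

DRIVER_RE = re.compile(
    r"^Name: (\S+)\s+(?:Image Path: .*\s+)?Address: (0x[0-9A-Fa-f]+) Size: (\d+)",
    re.MULTILINE)
HOOK_RE = re.compile(
    r'^#: \d+ Function Name: (\w+)\s+'
    r'Status: Hooked by "([^"]+)" at address (0x[0-9A-Fa-f]+)', re.MULTILINE)

def parse_log(text):
    """Return (drivers, hooks) parsed from RootRepeal text output."""
    drivers = [(name, int(base, 16), int(size))
               for name, base, size in DRIVER_RE.findall(text)]
    hooks = [{"function": fn, "owner": owner, "target": int(addr, 16)}
             for fn, owner, addr in HOOK_RE.findall(text)]
    return drivers, hooks

def containing_driver(addr, drivers):
    """Name of the listed driver whose image range covers addr, else None."""
    for name, base, size in drivers:
        if base <= addr < base + size:
            return name
    return None

def triage(text):
    """Split hooks into those the scanner tied to a driver file and the rest."""
    drivers, hooks = parse_log(text)
    by_owner, unattributed = defaultdict(list), []
    for hook in hooks:
        if hook["owner"] == "<unknown>":
            # No owning module reported: is the target inside a listed driver?
            hook["inside"] = containing_driver(hook["target"], drivers)
            unattributed.append(hook)
        else:  # fold case so System32/system32 spellings group together
            by_owner[basename(hook["owner"]).lower()].append(hook["function"])
    return dict(by_owner), unattributed

if __name__ == "__main__":
    owners, unknown = triage(SAMPLE_LOG)
    for owner, funcs in sorted(owners.items()):
        print(f"{owner}: {', '.join(funcs)}")
    print("no owning module:", [(h["function"], hex(h["target"]), h["inside"]) for h in unknown])
```

An owner of `<unknown>` only means the scanner could not map the hook target to a driver file; those entries are the ones to examine first, and the grouping does not by itself say whether a named driver is legitimate.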




#2 thcbytes


  • Malware Response Team
  • 14,790 posts
  • Gender:Male
  • Local time:01:10 AM

Posted 02 November 2009 - 03:20 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!


#3 lankanbg

  • Topic Starter

  • Members
  • 2 posts
  • Local time:02:10 AM

Posted 06 November 2009 - 09:28 AM

Thanks for getting back to me. Sorry, I didn't respond sooner - thought I would get an email when a reply is posted. I have Symantec Antivirus and autoprotect is disabled and I have no control of it. So I am sure I still have the problem.

Results of DDS:

DDS (Ver_09-10-26.01) - NTFSx86
Run by y17454 at 9:23:25.38 on Fri 11/06/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2039.1166 [GMT -5:00]

AV: ISS Proventia *On-access scanning enabled* (Outdated) {5B16F554-69DD-430B-BCFA-5E6935C4BB28}
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: ISS Proventia *enabled* {C5E5F6F7-B4AE-413B-A527-81298AA970D9}

============== Running Processes ===============

C:\WINDOWS\System32\svchost.exe -k Cognizance
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Panasonic\VideoCamSuite\VideoCamSuiteAutoStart.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
c:\Program Files\Hewlett-Packard\IAM\bin\asghost.exe
C:\Program Files\ISS\Proventia Desktop\blackd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\ISS\Proventia Desktop\RapApp.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\SupportSoft_Amer_Motorola\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\SupportSoft_Amer_Motorola\bin\tgsrvc.exe
C:\Program Files\ISS\Proventia Desktop\vpatch.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\RSA Security\RSA SecurID Software Token\SecurID.exe
D:\Profiles\y17454\Application Data\Juniper Networks\Setup Client\JuniperSetupClient.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.mot.com/
uInternet Connection Wizard,ShellNext = hxxp://my.mot.com/
uInternet Settings,ProxyOverride = *.mot.com;*.gi.com; access.motorola.com; 10.32.*.*;<local>
uInternet Settings,ProxyServer = wwwgate0.mot.com:1080
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
BHO: Credential Manager for HP ProtectTools: {df21f1db-80c6-11d3-9483-b03d0ec10000} - c:\program files\hewlett-packard\iam\bin\ItIEAddIn.dll
uRun: [Communicator] "c:\program files\microsoft office communicator\Communicator.exe" /background
uRun: [Google Update] "d:\profiles\y17454\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [CSCAdvantage] "c:\program files\help desk\CSCAdv.exe" /s
mRun: [SupportSoft_Amer_Motorola] "c:\program files\supportsoft_amer_motorola\bin\sprtcmd.exe" /P SupportSoft_Amer_Motorola
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SoundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray
mRun: [AccelerometerSysTrayApplet] c:\windows\system32\AccelerometerSt.exe
mRun: [PTHOSTTR] c:\program files\hewlett-packard\hp protecttools security manager\PTHOSTTR.EXE /Start
mRun: [CognizanceTS] rundll32.exe c:\progra~1\hewlet~1\iam\bin\ASTSVCC.dll,RegisterModule
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.6.0_02\bin\jusched.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRun: [Communicator] "c:\program files\microsoft office communicator\Communicator.exe"
StartupFolder: d:\profiles\y17454\startm~1\programs\startup\google~1.lnk - d:\profiles\y17454\local settings\application data\google\google talk, labs edition\GoogleTalkLabsEdition.exe
StartupFolder: d:\profiles\alluse~1\startm~1\programs\startup\autoru~1.lnk - c:\program files\panasonic\videocamsuite\VideoCamSuiteAutoStart.exe
StartupFolder: d:\profiles\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
uPolicies-explorer: GreyMSIAds = 1 (0x1)
uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)
uPolicies-explorer: NoSMBalloonTip = 1 (0x1)
mPolicies-system: LogonType = 0 (0x0)
dPolicies-explorer: NoWindowsUpdate = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
Handler: intu-qt2008 - {05E53CE9-66C8-4a9e-A99F-FDB7A8E7B596} - c:\program files\quicktax 2008\ic2008pp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: OneCard - c:\program files\hewlett-packard\iam\bin\ASWLNPkg.dll
AppInit_DLLs: APSHook.dll
LSA: Notification Packages = scecli ASWLNPkg
mASetup: {0EEB34F6-991D-4a1b-8EEB-772DA0EADB22} - "c:\program files\microsoft office communicator\MotIM-default.EXE" /s
mASetup: {BAFC1927-A731-4c34-829B-47EE05ADD199} - "c:\windows\regedit.exe" /s "c:\windows\mot-wmp9.reg"
mASetup: {C10BF3A1-3FEC-4a94-AAAF-9D6A4B522F63} - "c:\program files\winzip\wzusr90.exe" /NOICON /NOTRAY
mASetup: >{Z99999999-999-9999-9999-MOT-2K3} - c:\windows\2k3_USR.EXE

================= FIREFOX ===================

FF - ProfilePath - d:\profiles\y17454\applic~1\mozilla\firefox\profiles\me47475j.default\
FF - plugin: d:\profiles\y17454\local settings\application data\google\update\\npGoogleOneClick8.dll

============= SERVICES / DRIVERS ===============

R0 a320raid;a320raid;c:\windows\system32\drivers\a320raid.sys [2008-4-26 251842]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-12-22 28544]
R1 SASDIFSV;SASDIFSV;d:\profiles\y17454\locals~1\temp\sas_selfextract\SASDIFSV.SYS [2009-9-4 9968]
R1 SASKUTIL;SASKUTIL;d:\profiles\y17454\locals~1\temp\sas_selfextract\SASKUTIL.sys [2009-9-4 74480]
R2 ASBroker;Logon Session Broker;c:\windows\system32\svchost.exe -k Cognizance [2008-4-26 14336]
R2 ASChannel;Local Communication Channel;c:\windows\system32\svchost.exe -k Cognizance [2008-4-26 14336]
R2 BlackICE;BlackICE;c:\program files\iss\proventia desktop\blackd.exe [2008-10-23 2093322]
R2 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-8-3 115952]
R2 sprtsvc_supportsoft_amer_motorola;SupportSoft Sprocket Service (supportsoft_amer_motorola);c:\program files\supportsoft_amer_motorola\bin\sprtsvc.exe [2006-7-12 196608]
R2 tgsrvc_supportsoft_amer_motorola;SupportSoft Repair Service (supportsoft_amer_motorola);c:\program files\supportsoft_amer_motorola\bin\tgsrvc.exe [2006-7-12 139264]
R2 VPatch;ISS Buffer Overflow Exploit Prevention;c:\program files\iss\proventia desktop\Vpatch.exe [2008-10-23 405770]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [2008-10-23 9049]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-30 102448]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2008-4-26 41216]
R3 MakoNT;MakoNT;c:\windows\system32\drivers\isskboep.sys [2008-10-23 80512]
R3 rap;rap;c:\windows\system32\drivers\RapDrv.sys [2008-10-23 50163]
R3 rismc32;RICOH Smart Card Reader;c:\windows\system32\drivers\rismc32.sys [2008-10-23 47616]
R4 black;black;c:\windows\system32\drivers\Blackcat.sys [2008-10-23 205938]
S2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [2008-10-23 115008]
S3 ExtranetAccess;Contivity VPN Service;c:\program files\motorola mvp\Extranet_serv.exe [2008-10-23 626688]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2009-1-12 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2009-1-12 8320]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2009-1-12 42112]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2009-1-12 23680]
S3 SASENUM;SASENUM;\??\d:\profiles\y17454\locals~1\temp\sas_selfextract\sasenum.sys --> d:\profiles\y17454\locals~1\temp\sas_selfextract\SASENUM.SYS [?]

=============== Created Last 30 ================

2009-11-05 22:26:28 0 d-----w- C:\My Music
2009-11-05 22:26:19 0 d-----w- c:\program files\AudioConverter Studio
2009-11-04 04:46:56 0 d--h--w- c:\windows\PIF
2009-11-01 16:43:00 0 d-----w- c:\windows\usb-audio.deNumarkNS7
2009-11-01 16:42:34 59264 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys
2009-11-01 16:42:34 59264 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys
2009-11-01 16:33:17 0 d-----w- c:\windows\Downloaded Installations
2009-10-26 23:04:21 0 d-----w- d:\profiles\y17454\applic~1\SUPERAntiSpyware.com
2009-10-26 23:04:21 0 d-----w- d:\profiles\alluse~1\applic~1\SUPERAntiSpyware.com
2009-10-26 22:58:33 55808 ----a-w- c:\windows\eventlog.dll

==================== Find3M ====================

2009-09-10 18:54:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 18:53:50 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

============= FINISH: 9:23:59.39 ===============


Edited by lankanbg, 06 November 2009 - 09:30 AM.

#4 thcbytes


  • Malware Response Team
  • 14,790 posts
  • Gender:Male
  • Local time:01:10 AM

Posted 06 November 2009 - 10:11 AM

Hi and welcome to the HijackThis Logs and Virus/Trojan/Spyware/Malware Removal forum,

I am thcbytes and I am here to help you!

I ask that you refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Please perform all steps in the order received and do not proceed if you need clarification.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please be courteous and appreciative for the assistance provided!


I do not recommend that you have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove either ISS or Symantec.


:( P2P Warning :(

Your log indicates that you have uTorrent installed.

Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.

- They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.

- Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.

- The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.

Note: It is pretty much certain that if you continue to use P2P programs, then you will get infected again.
I would recommend that you uninstall uTorrent, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel>> Add / Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.


"Unfortunately, Win32kDiag does not give much (log below)."

It's short because you do not have that particular rootkit!


"It looks like I got some sort of a rootkit. See RootRepeal log below."

What are the symptoms that lead you to believe you are infected? You are infected, by the way. I just want to know what problems you're specifically experiencing.


RKill by Grinler

Link #1
Link #2
Link #3
Link #4

  • Download Link #1.
  • Save it to your Desktop.
  • Double click the RKill desktop icon.
    If you are using Vista please right click and run as Admin!
  • A black screen will briefly flash, indicating a successful run.
  • If this does not occur please delete that application and download Link #2.
  • Continue process until the tool runs.
  • If the tool does not run from any of the links tell me about it.

Download and Run ComboFix (by sUBs)

You must rename it before saving it.


Please download ComboFix from one of these locations:

Link 1
Link 2

Save thcbytes.exe to your Desktop <-- Important!!!
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.

  • Double click on thcbytes.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


Again I would like to remind you to make no further changes to your computer unless I direct you to do so. Your computer fix will be based on the current condition of your computer! Any changes might delay my ability to help you.


With your next post please provide:

* Which AV did you uninstall?
* Answer to question about problems
* Combofix.txt

Kind regards,


#5 thcbytes


  • Malware Response Team
  • 14,790 posts
  • Gender:Male
  • Local time:01:10 AM

Posted 14 November 2009 - 01:59 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic

