Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Malware/Rootkit infection associated with Stat.tmp

  • This topic is locked This topic is locked
3 replies to this topic

#1 stephen14


  • Members
  • 2 posts
  • Local time:01:05 PM

Posted 29 October 2009 - 07:26 AM

Hi there, would be very grateful for any assistance you could offer.

I think a malware downloader hi-jacked my system last week. Rendering certain programs inoperable. hxxp://www.prevx.com/filenames/X626953142161594042-X1/STAT.TMP.html

I thought the problem had been dealt with but I'm now having problems with browser redirection.
Spybot found some issues relating to Win32Agent, but this hasn't solved the problem.

I'm not technically minded, but I've tryed to follow the instructions from this sites preparation guide.

When trying to run RootRepeal an error message says "invalid PE image found" when I continue with the scan, The PC would reboot. I've just tried again and will add the ark.txt file.

I'm posting the DDS reports:

DDS (Ver_09-10-26.01) - NTFSx86
Run by user at 11:30:58.09 on 29/10/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_01
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.542 [GMT 0:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\user\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.virginmedia.com/
uInternet Settings,ProxyServer =
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://uk.search.yahoo.com/search?fr=mcafee&p=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [type32] "c:\program files\microsoft intellitype pro\type32.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583}
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683}
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
IE: {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - {A1EDC4A1-940F-48E0-8DFD-E38F1D501021}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\l758mibs.default\
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\google\update\\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPMGWRAP.DLL
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 is-VCHVLdrv;is-VCHVLdrv;c:\windows\system32\drivers\76651156.sys [2009-8-24 148496]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-8-5 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-8-5 74480]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-9-6 92296]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-8-5 7408]
S2 gupdate1c9c29646dfb51e;Google Update Service (gupdate1c9c29646dfb51e);c:\program files\google\update\GoogleUpdate.exe [2009-4-21 133104]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [2009-7-10 11904]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\47.tmp --> c:\windows\system32\47.tmp [?]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]
S3 s115mgmt;Sony Ericsson Device 115 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s115mgmt.sys [2007-4-23 100488]

=============== Created Last 30 ================

2009-10-21 11:36:02 60416 ----a-w- c:\windows\ALCFDRTM.EXE
2009-10-20 13:50:04 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-20 13:49:59 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-20 13:49:58 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-20 09:18:27 0 d-----w- c:\program files\common files\ChessBase
2009-10-18 23:04:39 0 d-s---w- C:\ComboFix

==================== Find3M ====================

2009-10-29 11:15:49 477501472 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-10-29 00:59:07 5595368 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-09-16 09:22:48 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 09:22:48 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 09:22:48 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 09:22:48 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 09:22:14 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08:21 916480 ------w- c:\windows\system32\wininet.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-06 18:23:46 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-06 18:23:46 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-05 09:01:48 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 19:44:46 2189184 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20:08 2066048 ------w- c:\windows\system32\ntkrnlpa.exe

============= FINISH: 11:33:54.25 ===============

ROOTREPEAL AD, 2007-2009
Scan Start Time: 2009/10/29 15:37
Program Version: Version
Windows Version: Windows XP SP3

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xAFA4E000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\windows\temp\mcmsc_dusthwtpfdgbcea
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\mcafee_zahnqqapdrgnkge
Status: Allocation size mismatch (API: 4096, Raw: 0)

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xb08280b0


Appreciate any time you give to this, thanks!

Attached Files

Edited by Orange Blossom, 29 October 2009 - 08:39 PM.
Deactivate link. ~ OB

BC AdBot (Login to Remove)


#2 Blade81


    Bleepin' Rocker

  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland
  • Local time:04:05 PM

Posted 04 November 2009 - 12:58 PM


Please visit this webpage for download links, and instructions for running ComboFix tool:


Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
    Remember to re-enable them afterwards.

  • Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

New dds log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.

#3 stephen14

  • Topic Starter

  • Members
  • 2 posts
  • Local time:01:05 PM

Posted 05 November 2009 - 06:11 AM

Hi thanks for getting back to me.

I ended up having to re-install windows. When Combofix went to reboot after identifying a rootkit, Windows crashed - the driver Windows\system32\NTABUS.sys was missing or corrupt. I have a partitioned hard drive so I didn't lose too much.

I wasn't able to get back online till recently, or I would have posted that there was a resolution.

Please close the topic. I'll start a new post should I need to. Thanks


#4 Blade81


    Bleepin' Rocker

  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland
  • Local time:04:05 PM

Posted 05 November 2009 - 08:33 AM

Ok. Thanks for letting us know.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users