Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Likely rootkit infection (per garmanma)

  • This topic is locked This topic is locked
2 replies to this topic

#1 MrSly


  • Members
  • 32 posts
  • Local time:05:02 PM

Posted 29 November 2009 - 01:07 AM

Good evening,

My computer has been playing random sound bytes and redirecting my browser all over the place, even when I'm not using IE. I can just boot the computer and hear sounds within 30 seconds or so, usually. I'm using XP SP3 + IE7.

Thank you for your time.

Here is the RootRepeal log I was asked to include, followed by the HJT log:

ROOTREPEAL © AD, 2007-2009
Scan Start Time: 2009/11/27 18:53
Program Version: Version
Windows Version: Windows XP SP3

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xABE06000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
Path: c:\documents and settings\all users\application data\symantec\liveupdate\log.liveupdate
Status: Allocation size mismatch (API: 851968, Raw: 585728)

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\20080213.036\EraserUtilDrv10741.sys
Status: Locked to the Windows API!

Path: c:\documents and settings\all users\application data\symantec\liveupdate\downloads\1239049317jtun_nco2718.zip.seg1.zip
Status: Size mismatch (API: 1757184, Raw: 1492992)

Path: C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\LuRegManifests\Static\Updt16
Status: Locked to the Windows API!

#: 012 Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x8a867ad0

#: 013 Function Name: NtAlertThread
Status: Hooked by "<unknown>" at address 0x8a8bcc00

#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x8a85aba0

#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x8a882568

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xb01c1eb0

#: 043 Function Name: NtCreateMutant
Status: Hooked by "<unknown>" at address 0x8a89f370

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x8a877a10

#: 057 Function Name: NtDebugActiveProcess
Status: Hooked by "<unknown>" at address 0x8a819878

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xb01c2130

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xb01c2690

#: 083 Function Name: NtFreeVirtualMemory
Status: Hooked by "<unknown>" at address 0x8a9277b0

#: 089 Function Name: NtImpersonateAnonymousToken
Status: Hooked by "<unknown>" at address 0x8a89f440

#: 091 Function Name: NtImpersonateThread
Status: Hooked by "<unknown>" at address 0x8a867a10

#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "<unknown>" at address 0x8a9276d0

#: 114 Function Name: NtOpenEvent
Status: Hooked by "<unknown>" at address 0x8a8296d8

#: 123 Function Name: NtOpenProcessToken
Status: Hooked by "<unknown>" at address 0x8a877998

#: 125 Function Name: NtOpenSection
Status: Hooked by "<unknown>" at address 0x8a829558

#: 129 Function Name: NtOpenThreadToken
Status: Hooked by "<unknown>" at address 0x8a86ee30

#: 206 Function Name: NtResumeThread
Status: Hooked by "<unknown>" at address 0x8a8803e0

#: 213 Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x8a857978

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x8a86ef00

#: 229 Function Name: NtSetInformationThread
Status: Hooked by "<unknown>" at address 0x8a8578a8

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xb01c28e0

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x8a829618

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x8a8bccc8

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x8a809998

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x8a8bcd88

#: 267 Function Name: NtUnmapViewOfSection
Status: Hooked by "<unknown>" at address 0x8a86efd0

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x8a85aad0



DDS (Ver_09-11-29.01) - NTFSx86
Run by Sherri at 23:56:01.60 on Sat 11/28/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2815.2159 [GMT -6:00]

AV: Norton 360 *On-access scanning enabled* (Updated) {A5F1BC7C-EA33-4247-961C-0217208396C4}
FW: Norton 360 *enabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Rubber Ducky\RubberDucky.exe
C:\Program Files\GPSoftware\Directory Opus\dopusrt.exe
C:\Program Files\POP Peeper\POPPeeper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Palm\Hotsync.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Sherri\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.bnsfinancial.com/fam/Sherri.htm
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.6\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.6\CoIEPlg.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MimarSinan Rubber Ducky] "c:\program files\rubber ducky\RubberDucky.exe"
uRun: [Directory Opus Desktop Dblclk] "c:\program files\gpsoftware\directory opus\dopusrt.exe" /dblclk
uRun: [POP Peeper] "c:\program files\pop peeper\POPPeeper.exe" -min
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [StartCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [zBrowser Launcher] c:\program files\logitech\itouch\iTouch.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton 360\osCheck.exe"
dRunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32
dRunOnce: [IE7-11] rundll32 advpack.dll,LaunchINFSection NR_IE7en.inf,AfterUserStart
StartupFolder: c:\docume~1\sherri\startm~1\programs\startup\automa~1.lnk - c:\troopmaster software\automailer\AutoMailer.exe
StartupFolder: c:\docume~1\sherri\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palm\Hotsync.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1238780007687
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1238779998343
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: cozi - {5356518D-FE9C-4E08-9C1F-1E872ECD367F} - c:\program files\cozi express\CoziProtocolHandler.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: pxod13 - pxod13.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-8-31 64160]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1028432]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]
R2 Poweroff;Poweroff;c:\windows\system32\poweroff.exe [2009-9-30 172032]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-11-27 102448]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20091127.022\NAVENG.SYS [2009-11-27 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20091127.022\NAVEX15.SYS [2009-11-27 1323568]
R3 Symantec Core LC;Symantec Core LC;c:\progra~1\common~1\symant~1\ccpd-lc\symlcsvc.exe [2009-11-27 1245064]

=============== Created Last 30 ================

2009-11-27 23:32:31 0 d-----w- c:\program files\Norton 360
2009-11-27 23:31:25 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-11-27 23:31:25 60800 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-11-27 23:31:25 123952 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-11-27 23:31:25 10563 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-11-27 23:31:17 0 d-----w- c:\program files\Symantec
2009-11-27 15:28:46 0 d-----w- c:\docume~1\sherri\applic~1\Malwarebytes
2009-11-27 15:28:41 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-27 15:28:39 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-27 15:28:39 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-27 15:28:39 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-26 18:51:36 5136 ----a-w- c:\windows\system32\pxod13.dll
2009-11-24 02:24:11 0 d-----w- c:\docume~1\alluse~1\applic~1\PBGsavesDirectory
2009-11-23 21:39:19 0 d-----w- c:\program files\Snood
2009-11-23 21:17:15 0 d-----w- c:\program files\ReflexiveArcade
2009-11-23 21:16:34 0 d-----w- c:\program files\The Princess Bride Game

==================== Find3M ====================

2009-11-29 05:42:32 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-09-12 19:48:01 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-03-30 21:26:10 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009033020090331\index.dat

============= FINISH: 23:57:01.84 ===============

Attached Files

BC AdBot (Login to Remove)


#2 MrSly

  • Topic Starter

  • Members
  • 32 posts
  • Local time:05:02 PM

Posted 08 December 2009 - 12:39 PM

Nevermind, I think I got it myself. You can close this topic.

#3 garmanma


    Computer Masochist

  • Staff Emeritus
  • 27,809 posts
  • Location:Cleveland, Ohio
  • Local time:07:02 PM

Posted 08 December 2009 - 06:30 PM

Topic closed per member's request
Posted Image
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users