Vundo, Win32.Olmarik, Keylogger, unknown rootkit infections


  • This topic is locked
2 replies to this topic

#1 Fungus02 (Members, 2 posts)

Posted 16 January 2010 - 03:45 AM

I'm at my wits' end on this... I got a laptop from a friend and it's infected with a couple of rootkits, and various other things.

I've already cleaned most of it out with Spybot Search and Destroy, Nod32, and MalwareBytes.

I am left with a keylogger/trojan and 2 rootkits that I know of... as per topic title. I could really use some assistance cleaning this up as it has an OEM version of XP Media Center and no reinstall disc or partition.

Logs as follows...

Thank you in advance kind people =]

DDS (Ver_09-12-01.01) - NTFSx86
Run by Brian Jones at 0:26:10.18 on Sat 01/16/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.475 [GMT -8:00]

AV: ESET NOD32 Antivirus 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TDispVol.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\dla\DLACTRLW.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Brian Jones\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
mRun: [TFncKy] TFncKy.exe
mRun: [TDispVol] TDispVol.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [THotkey] c:\program files\toshiba\toshiba applet\thotkey.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [LtMoh] c:\program files\ltmoh\Ltmoh.exe
mRun: [NDSTray.exe] NDSTray.exe
mRun: [Tvs] c:\program files\toshiba\tvs\TvsTray.exe
mRun: [TPSMain] TPSMain.exe
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe" -H
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [dla] c:\windows\system32\dla\DLACTRLW.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1263615430468
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1263615747421
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\brianj~1\applic~1\mozilla\firefox\profiles\x2kan2ub.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\program files\windows media player\divx content uploader\npUpload.dll
FF - plugin: c:\program files\windows media player\divx player\npDivxPlayerPlugin.dll
FF - plugin: c:\program files\windows media player\divx web player\npdivx32.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-9-29 108792]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2009-9-29 96408]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2009-9-29 735960]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]

=============== Created Last 30 ================

2010-01-16 07:20:02 0 d-sha-r- C:\cmdcons
2010-01-16 07:11:25 98816 ----a-w- c:\windows\sed.exe
2010-01-16 07:11:25 77312 ----a-w- c:\windows\MBR.exe
2010-01-16 07:11:25 261632 ----a-w- c:\windows\PEV.exe
2010-01-16 07:11:25 161792 ----a-w- c:\windows\SWREG.exe
2010-01-16 04:20:13 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
2010-01-16 04:10:43 0 d-----w- c:\windows\system32\Adobe
2010-01-16 03:48:23 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-01-16 03:48:23 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-16 02:36:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-01-16 02:36:21 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-01-16 02:36:21 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-01-16 02:36:20 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-01-16 02:36:20 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-01-16 02:36:19 11069952 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-01-16 02:36:13 0 d-----w- c:\windows\ie8updates
2010-01-16 02:35:57 92160 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-01-16 02:33:46 0 dc-h--w- c:\windows\ie8
2010-01-16 01:21:27 2560 ------w- c:\windows\system32\xpsp4res.dll
2010-01-16 01:21:25 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2010-01-16 01:19:34 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-16 01:11:43 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2010-01-16 01:11:42 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2010-01-16 01:11:41 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2010-01-16 01:11:41 110592 -c----w- c:\windows\system32\dllcache\services.exe
2010-01-16 01:11:40 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2010-01-16 01:11:39 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2010-01-16 01:11:38 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2010-01-16 01:11:37 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2010-01-16 01:11:00 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2010-01-16 01:10:06 128512 -c----w- c:\windows\system32\dllcache\dhtmled.ocx
2010-01-16 00:52:08 0 d-----w- C:\VundoFix Backups
2010-01-16 00:13:06 0 d-----w- c:\program files\ESET
2010-01-16 00:12:09 0 d-----w- c:\program files\TrendMicro
2010-01-15 23:50:39 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-01-15 23:50:39 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-01-15 23:11:25 0 d-----w- c:\program files\Unlocker
2010-01-15 22:28:37 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-01-15 22:28:16 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys

==================== Find3M ====================

2010-01-08 00:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-08 00:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-29 07:45:38 916480 ------w- c:\windows\system32\wininet.dll
2009-10-29 03:54:17 26792 -c--a-w- c:\docume~1\brianj~1\applic~1\wklnhst.dat
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2007-03-14 00:55:49 113060248 ----a-w- c:\program files\Flash8-en.exe

============= FINISH: 0:27:02.50 ===============

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/01/16 00:31
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA9B89000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7BE6000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA88AC000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\documents and settings\brian jones\local settings\application data\mozilla\firefox\profiles\x2kan2ub.default\cache\_cache_001_
Status: Size mismatch (API: 257392, Raw: 238414)

Path: c:\documents and settings\brian jones\local settings\application data\mozilla\firefox\profiles\x2kan2ub.default\cache\_cache_002_
Status: Size mismatch (API: 181303, Raw: 161850)

Path: c:\documents and settings\brian jones\local settings\application data\mozilla\firefox\profiles\x2kan2ub.default\cache\_cache_003_
Status: Size mismatch (API: 512067, Raw: 504167)

Path: C:\Documents and Settings\Brian Jones\Local Settings\Application Data\Mozilla\Firefox\Profiles\x2kan2ub.default\Cache\3F8CB62Fd01
Status: Visible to the Windows API, but not on disk.

SSDT
-------------------
#: 019 Function Name: NtAssignProcessToJobObject
Status: Hooked by "<unknown>" at address 0x85d488a0

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x85d47cb0

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0x85d480d0

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x85d486d0

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x85d484f0

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x85d47ee0

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x85d48310

Stealth Objects
-------------------
Object: Hidden Code [ETHREAD: 0x85b18be8]
Process: System Address: 0x85d46930 Size: 1000

==EOF==

Attached File: Attach.zip (3.57KB)



#2 Fungus02 (Topic Starter; Members, 2 posts)

Posted 19 January 2010 - 03:25 AM

This topic can be closed; I managed to replace atapi.sys and http.sys with good copies from a fresh install. I also realized catchme.sys was the gmer driver.


#3 Elise (Malware Study Hall Admin, 61,247 posts)

Posted 22 January 2010 - 08:52 AM

Topic closed at user's request.

regards, Elise

