
GMER reports rootkit activity


This topic is locked
3 replies to this topic

#1 Ralph5

  • Members
  • 2 posts

Posted 28 February 2010 - 07:14 AM

Hi, I am worried I might have a rootkit on my home laptop, because
  • I certainly have a rootkit on another laptop and I had shared USB drives between them.
  • The laptop feels pretty slow at startup and in general use.

So I did the following things:
  1. Remove any unused programs to make more space on C:\.
  2. Run a full scan with AVG, which did not report anything.
  3. Run a scan with GMER, which did report rootkit activity.

Two items were marked red in the GMER report. They were related to OpenOffice.org. I uninstalled OOO shortly before. Could this be some leftover? Or do I need to worry? Thanks a lot, Ralph.

Here is the DDS log:
CODE
DDS (Ver_09-12-01.01) - NTFSx86  
Run by hab at 19:38:10,48 on 28.02.2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional  5.1.2600.3.1252.49.1031.18.1271.558 [GMT 8:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)   {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Programme\Intel\Wireless\Bin\EvtEng.exe
C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
C:\Programme\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\basfipm.exe
C:\Programme\Gemeinsame Dateien\LightScribe\LSSrvc.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\Programme\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
c:\Programme\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Programme\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Programme\Dell\QuickSet\quickset.exe
C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe
C:\Programme\Synaptics\SynTP\SynTPLpr.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\Programme\D-Tools\daemon.exe
C:\WINDOWS\PixArt\PAC7302\Monitor.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Skype\Phone\Skype.exe
C:\Programme\Digital Line Detect\DLG.exe
C:\Programme\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Programme\AVG\AVG9\avgwdsvc.exe
C:\Programme\AVG\AVG9\avgnsx.exe
C:\Programme\AVG\AVG9\avgemc.exe
C:\Programme\AVG\AVG9\avgcsrvx.exe
C:\Programme\AVG\AVG9\avgchsvx.exe
C:\Programme\AVG\AVG9\avgrsx.exe
C:\Programme\AVG\AVG9\avgcsrvx.exe
C:\Programme\AVG\AVG9\avgtray.exe
C:\Programme\Mozilla Firefox\firefox.exe
d:\emacs-21.3\bin\emacs.exe
D:\Downloads\ngjxq1gr.exe
C:\PROGRA~1\MOZILL~2\THUNDE~1.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Dokumente und Einstellungen\hab\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uDefault_Page_URL = hxxp://www.euro.dell.com/countries/at/dea/gen/default.htm
uInternet Connection Wizard,ShellNext = hxxp://www.euro.dell.com/countries/at/dea/gen/default.htm
uInternet Settings,ProxyOverride = fritz.box
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\programme\avg\avg9\avgssie.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\programme\messenger\msmsgs.exe" /background
uRun: [updateMgr] "c:\programme\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
uRun: [Skype] "c:\programme\skype\phone\Skype.exe" /nosplash /minimized
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Dell QuickSet] c:\programme\dell\quickset\quickset.exe
mRun: [<NO NAME>]
mRun: [IntelWireless] c:\programme\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
mRun: [SynTPLpr] c:\programme\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\programme\synaptics\syntp\SynTPEnh.exe
mRun: [DAEMON Tools-1033] "c:\programme\d-tools\daemon.exe"  -lang 1033
mRun: [DXM6Patch_981116] c:\windows\p_981116.exe /Q:A
mRun: [ElbyCheckElbyCDFL] "c:\programme\elaborate bytes\clonecd\ElbyCheck.exe" /L ElbyCDFL
mRun: [NeroFilterCheck] c:\programme\gemeinsame dateien\ahead\lib\NeroCheck.exe
mRun: [PAC7302_Monitor] c:\windows\pixart\pac7302\Monitor.exe
mRun: [MSKDetectorExe] c:\programme\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [QuickTime Task] "c:\programme\quicktime\QTTask.exe" -atboottime
mRun: [CarboniteSetupLite] "c:\programme\carbonite\CarbonitePreinstaller.exe" /preinstalled /showonfirst /reshowat=900
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [Picasa Media Detector] c:\programme\picasa2\PicasaMediaDetector.exe
StartupFolder: c:\dokume~1\alluse~1\startm~1\progra~1\autost~1\adobeg~1.lnk - c:\programme\gemeinsame dateien\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\dokume~1\alluse~1\startm~1\progra~1\autost~1\digita~1.lnk - c:\programme\digital line detect\DLG.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Nach Microsoft &Excel exportieren - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\programme\messenger\msmsgs.exe
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\programme\gemeinsame dateien\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\programme\avg\avg9\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\gemein~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
Notify: IntelWireless - c:\programme\intel\wireless\bin\LgNotify.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\programme\gemeinsame dateien\lightscribe\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\dokume~1\hab\anwend~1\mozilla\firefox\profiles\029gokbv.default\
FF - prefs.js: browser.startup.homepage - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:de-DE:official
FF - component: c:\programme\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\program files\real\realplayer\netscape6\nppl3260.dll
FF - plugin: c:\program files\real\realplayer\netscape6\nprjplug.dll
FF - plugin: c:\program files\real\realplayer\netscape6\nprpjplug.dll
FF - plugin: c:\programme\google\picasa3\npPicasa3.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\programme\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [2005-7-3 155136]
R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [2005-7-3 5248]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-2-28 333192]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-2-28 28424]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-2-28 360584]
R2 avg9emc;AVG Free E-mail Scanner;c:\programme\avg\avg9\avgemc.exe [2010-2-28 906520]
R2 avg9wd;AVG Free WatchDog;c:\programme\avg\avg9\avgwdsvc.exe [2010-2-28 285392]
S2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe --> c:\progra~1\mcafee\viruss~1\mcshield.exe [?]
S3 AVMUNET;AVM FRITZ!Box;c:\windows\system32\drivers\avmunet.sys [2005-11-21 15104]
S3 maxidemo;Maxi_Vista_Demo_Driver;c:\windows\system32\drivers\maxidemo.sys --> c:\windows\system32\drivers\maxidemo.sys [?]
S3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe --> c:\progra~1\mcafee\viruss~1\mcsysmon.exe [?]
S3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]

=============== Created Last 30 ================


==================== Find3M  ====================

2010-02-27 10:50:47    99344    ----a-w-    c:\windows\system32\perfc007.dat
2010-02-27 10:50:47    498532    ----a-w-    c:\windows\system32\perfh007.dat
2010-01-19 16:52:45    63111    -c--a-w-    c:\windows\fonts\AdobeFnt.lst
2010-01-19 13:04:44    33512    ---ha-w-    c:\windows\system32\mlfcache.dat
2010-01-08 22:42:58    3366912    ----a-w-    c:\windows\system32\GPhotos.scr
2009-12-31 16:50:03    353792    ----a-w-    c:\windows\system32\drivers\srv.sys
2009-12-31 16:50:03    353792    ------w-    c:\windows\system32\dllcache\srv.sys
2009-12-21 19:05:02    916480    ----a-w-    c:\windows\system32\wininet.dll
2009-12-21 19:05:02    916480    ------w-    c:\windows\system32\dllcache\wininet.dll
2009-12-21 19:05:02    12800    ------w-    c:\windows\system32\dllcache\xpshims.dll
2009-12-21 19:05:01    1208832    ------w-    c:\windows\system32\dllcache\urlmon.dll
2009-12-21 19:05:00    5942784    ------w-    c:\windows\system32\dllcache\mshtml.dll
2009-12-21 19:05:00    206848    ------w-    c:\windows\system32\dllcache\occache.dll
2009-12-21 19:04:56    594432    ------w-    c:\windows\system32\dllcache\msfeeds.dll
2009-12-21 19:04:56    55296    ------w-    c:\windows\system32\dllcache\msfeedsbs.dll
2009-12-21 19:04:55    25600    ------w-    c:\windows\system32\dllcache\jsproxy.dll
2009-12-21 19:04:54    1985536    ------w-    c:\windows\system32\dllcache\iertutil.dll
2009-12-21 19:04:53    246272    ------w-    c:\windows\system32\dllcache\ieproxy.dll
2009-12-21 19:04:53    184320    ------w-    c:\windows\system32\dllcache\iepeers.dll
2009-12-21 19:04:52    11070464    ------w-    c:\windows\system32\dllcache\ieframe.dll
2009-12-21 19:04:49    387584    ------w-    c:\windows\system32\dllcache\iedkcs32.dll
2009-12-21 13:18:55    173056    ------w-    c:\windows\system32\dllcache\ie4uinit.exe
2009-12-17 07:40:01    346624    ----a-w-    c:\windows\system32\mspaint.exe
2009-12-17 07:40:01    346624    ------w-    c:\windows\system32\dllcache\mspaint.exe
2009-12-14 07:08:20    33280    ----a-w-    c:\windows\system32\csrsrv.dll
2009-12-14 07:08:20    33280    ------w-    c:\windows\system32\dllcache\csrsrv.dll
2009-12-09 10:06:03    2191488    ----a-w-    c:\windows\system32\ntoskrnl.exe
2009-12-09 10:06:03    2191488    ------w-    c:\windows\system32\dllcache\ntoskrnl.exe
2009-12-09 10:06:03    2068352    ----a-w-    c:\windows\system32\ntkrnlpa.exe
2009-12-09 10:06:03    2068352    ------w-    c:\windows\system32\dllcache\ntkrnlpa.exe
2009-12-09 10:05:52    2147840    ------w-    c:\windows\system32\dllcache\ntkrnlmp.exe
2009-12-09 10:05:51    2026496    ------w-    c:\windows\system32\dllcache\ntkrpamp.exe
2009-12-09 05:53:44    726528    ----a-w-    c:\windows\system32\dllcache\jscript.dll
2009-12-08 09:23:28    474624    ------w-    c:\windows\system32\dllcache\shlwapi.dll
2009-12-04 18:22:22    455424    ------w-    c:\windows\system32\dllcache\mrxsmb.sys
2005-07-25 19:45:30    421888    ----a-w-    c:\programme\putty.exe

============= FINISH: 19:39:23,60 ===============



And here is the GMER log:
CODE
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-28 19:24:31
Windows 5.1.2600 Service Pack 3
Running: ngjxq1gr.exe; Driver: C:\DOKUME~1\hab\LOKALE~1\Temp\pxtdipow.sys


---- System - GMER 1.0.15 ----

SSDT            d347bus.sys (PnP BIOS Extension/ )                                              ZwClose [0xF75BD818]
SSDT            d347bus.sys (PnP BIOS Extension/ )                                              ZwCreateKey [0xF75BD7D0]
SSDT            d347bus.sys (PnP BIOS Extension/ )                                              ZwEnumerateKey [0xF75B22A8]
SSDT            d347bus.sys (PnP BIOS Extension/ )                                              ZwEnumerateValueKey [0xF75BD910]
SSDT            d347bus.sys (PnP BIOS Extension/ )                                              ZwOpenKey [0xF75BD794]
SSDT            d347bus.sys (PnP BIOS Extension/ )                                              ZwQueryKey [0xF75B22C8]
SSDT            d347bus.sys (PnP BIOS Extension/ )                                              ZwQueryValueKey [0xF75BD866]

---- Devices - GMER 1.0.15 ----

Device          \FileSystem\Ntfs \Ntfs                                                          8A4BE3B8
Device          \FileSystem\Fastfat \FatCdrom                                                   8A1B01C8

AttachedDevice  \Driver\Tcpip \Device\Ip                                                        avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice  \Driver\Kbdclass \Device\KeyboardClass0                                         SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice  \Driver\Kbdclass \Device\KeyboardClass1                                         SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice  \Driver\Tcpip \Device\Tcp                                                       avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device          \FileSystem\Rdbss \Device\FsWrap                                                89837290
Device          \FileSystem\Srv \Device\LanmanServer                                            8A19B7A8

AttachedDevice  \Driver\Tcpip \Device\Udp                                                       avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice  \Driver\Tcpip \Device\RawIp                                                     avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device          \FileSystem\MRxSmb \Device\LanmanDatagramReceiver                               89834D38
Device          \FileSystem\MRxSmb \Device\LanmanRedirector                                     89834D38
Device          \FileSystem\Npfs \Device\NamedPipe                                              89836A58
Device          \FileSystem\Msfs \Device\Mailslot                                               898A3850
Device          \FileSystem\Fastfat \Fat                                                        8A1B01C8

AttachedDevice  \FileSystem\Fastfat \Fat                                                        fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device          \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer                              8A394380
Device          \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer                               8A394380
Device          \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer                                   8A394380
Device          \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer                                8A394380
Device          \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer                               8A394380
---- Processes - GMER 1.0.15 ----

Library         C:\Programme\OpenOffice.org (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [2356]  0x61310000                                                                
Library         C:\Programme\OpenOffice.org (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [2356]  0x60E20000                                                                

---- Registry - GMER 1.0.15 ----

Reg             HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40                        
Reg             HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40@khjeh                  0x20 0x02 0x00 0x00 ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf41                        
Reg             HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf41@khjeh                  0x20 0x02 0x00 0x00 ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf41@hj34z0                 0xBC 0x6B 0xA0 0xA5 ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf42                        
Reg             HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf42@khjeh                  0x20 0x02 0x00 0x00 ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf42@hj34z0                 0x8A 0xE3 0x1E 0xED ...

---- EOF - GMER 1.0.15 ----
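Added example (not from this thread or from the GMER/DDS tools): a small Python triage helper that parses the SSDT and hidden-library lines of a GMER log like the one above and cross-references each hooking module with the DDS "SERVICES / DRIVERS" section, so a hook from a driver that is a registered boot-start service (here d347bus.sys) is separated from a hook with no service entry. The sample log lines are constructed from the shape of the logs in this post, and the finding labels (ssdt_registered, ssdt_unknown, hidden_library) are this example's own.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample: a subset of lines in the shape of the GMER log posted above.
GMER_LOG = r"""
---- System - GMER 1.0.15 ----
SSDT            d347bus.sys (PnP BIOS Extension/ )      ZwClose [0xF75BD818]
SSDT            d347bus.sys (PnP BIOS Extension/ )      ZwCreateKey [0xF75BD7D0]
SSDT            d347bus.sys (PnP BIOS Extension/ )      ZwOpenKey [0xF75BD794]
---- Processes - GMER 1.0.15 ----
Library         C:\Programme\OpenOffice.org (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [2356]  0x61310000
"""
# Constructed sample in the shape of the DDS "SERVICES / DRIVERS" section posted above.
DDS_LOG = r"""
R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [2005-7-3 155136]
R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [2005-7-3 5248]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-2-28 333192]
"""

SSDT_RE = re.compile(r"^SSDT\s+(\S+)\s+\((.*?)\)\s+(Zw\w+)\s+\[(0x[0-9A-Fa-f]+)\]")
HIDDEN_RE = re.compile(r"^Library\s+(.+?)\s+\(\*\*\* hidden \*\*\* \)\s+@\s+(.+?)\s+\[(\d+)\]")
DRIVER_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(\S+)\s+\[")


def parse_gmer(text):
    """Return {hooking module: [(Zw function, hook address), ...]} and hidden libraries."""
    hooks, hidden = defaultdict(list), []
    for line in text.splitlines():
        m = SSDT_RE.match(line)
        if m:
            module, _desc, func, addr = m.groups()
            hooks[module.lower()].append((func, int(addr, 16)))
            continue
        m = HIDDEN_RE.match(line)
        if m:
            path, host, pid = m.groups()
            hidden.append((path, host, int(pid)))
    return dict(hooks), hidden


def parse_dds_drivers(text):
    """Map driver image basename -> (start type, service name) from the DDS driver list."""
    drivers = {}
    for line in text.splitlines():
        m = DRIVER_RE.match(line)
        if m:
            state, name, _display, path = m.groups()
            drivers[ntpath.basename(path).lower()] = (state, name)
    return drivers


def triage(gmer_text, dds_text):
    """Cross-reference: an SSDT hook from a driver that DDS lists as a registered service
    is accountable to an installed product; an unlisted hooker, and any hidden library,
    needs an on-disk check (does the path still exist?) before the report is dismissed."""
    hooks, hidden = parse_gmer(gmer_text)
    drivers = parse_dds_drivers(dds_text)
    findings = []
    for module, funcs in hooks.items():
        names = ", ".join(sorted(f for f, _ in funcs))
        if module in drivers:
            state, svc = drivers[module]
            findings.append(("ssdt_registered", module, f"{state} service '{svc}' hooks {names}"))
        else:
            findings.append(("ssdt_unknown", module, f"no DDS service entry; hooks {names}"))
    for path, host, pid in hidden:
        findings.append(("hidden_library", path, f"hidden in {host} [pid {pid}]"))
    return findings
```

Run `triage(GMER_LOG, DDS_LOG)` to get the two findings for the sample; feeding it the full logs from the post gives the same two classes of result, one per hooking driver and one per hidden library.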




#2 Shannon2012

  • Security Colleague
  • 3,657 posts

Posted 05 March 2010 - 02:16 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Shannon

#3 Ralph5

  • Topic Starter
  • Members
  • 2 posts

Posted 09 March 2010 - 08:32 AM

I have cleaned up further and now GMER does not report any problems anymore.
Sorry for wasting your time.

#4 thcbytes

  • Malware Response Team
  • 14,790 posts

Posted 09 March 2010 - 09:17 PM

Since this topic appears to be resolved, I will now close it.
If you need this topic re-opened please send me a PM.

Everyone else, please start a new topic.
