
This is annoying


2 replies to this topic

#1 dogman888


Posted 03 March 2010 - 01:11 PM

I have used every malware tool known to man, until I read about ComboFix here. So I ran it. The log is below, with a reference to an MBR rootkit being found. What do I do next? I ran it twice; the first time it removed RegGenie, which is not indicated below.

ComboFix 10-03-03.02 - User Name 03/03/2010 12:26:10.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1288 [GMT -5:00]
Running from: c:\documents and settings\User Name\My Documents\Downloads\ComboFix.exe
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.

((((((((((((((((((((((((( Files Created from 2010-02-03 to 2010-03-03 )))))))))))))))))))))))))))))))
.

2010-02-22 18:57 . 2010-02-22 18:57 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-02-22 18:57 . 2010-02-22 18:57 95024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\SBREDrv.sys
2010-02-22 18:57 . 2010-02-22 18:57 598368 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\EmailScanner.dll
2010-02-22 18:57 . 2010-02-22 18:57 566608 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\sbap.dll
2010-02-22 18:57 . 2010-02-22 18:57 221408 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\VipreBridge.dll
2010-02-22 18:57 . 2010-02-22 18:57 1230160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBTE.dll
2010-02-22 18:57 . 2010-02-22 18:57 247120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBRE.dll
2010-02-22 18:57 . 2010-02-22 18:57 17480 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\EmailScannerBridge.dll
2010-02-22 18:54 . 2010-02-22 18:54 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-02-22 18:54 . 2010-02-04 15:53 2954656 -c--a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-02-18 15:48 . 2008-04-14 00:12 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-03 16:33 . 2008-04-04 20:52 -------- d-----w- c:\documents and settings\User Name\Application Data\OpenOffice.org2
2010-02-26 14:17 . 2008-04-04 20:52 1 ----a-w- c:\documents and settings\User Name\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2010-02-22 18:55 . 2008-03-27 20:15 -------- d-----w- c:\program files\Google
2010-02-22 18:54 . 2010-01-04 14:51 -------- d-----w- c:\program files\Lavasoft
2010-02-17 21:31 . 2009-08-05 13:56 162048 ----a-w- c:\windows\system32\drivers\WpsHelper.sys
2010-02-10 22:20 . 2009-12-31 18:40 -------- d-----w- c:\program files\Windows Desktop Search
2010-02-04 15:53 . 2010-01-04 15:06 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-02-04 15:10 . 2010-01-20 15:06 3803208 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2010-01-29 14:54 . 2010-01-29 14:54 -------- d-----w- c:\program files\Trustwave
2010-01-27 09:08 . 2010-01-04 15:48 8 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Savapibridge.dll
2010-01-24 08:13 . 2010-01-24 08:13 503808 ----a-w- c:\documents and settings\User Name\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1326fc51-n\msvcp71.dll
2010-01-24 08:13 . 2010-01-24 08:13 499712 ----a-w- c:\documents and settings\User Name\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1326fc51-n\jmc.dll
2010-01-24 08:13 . 2010-01-24 08:13 348160 ----a-w- c:\documents and settings\User Name\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1326fc51-n\msvcr71.dll
2010-01-24 08:13 . 2010-01-24 08:13 61440 ----a-w- c:\documents and settings\User Name\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-52f4e3f3-n\decora-sse.dll
2010-01-24 08:13 . 2010-01-24 08:13 12800 ----a-w- c:\documents and settings\User Name\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-52f4e3f3-n\decora-d3d.dll
2010-01-20 18:21 . 2010-01-20 18:21 61440 ----a-w- c:\documents and settings\User Name\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\759e98ee-5ab495d9-n\decora-sse.dll
2010-01-20 18:21 . 2010-01-20 18:21 503808 ----a-w- c:\documents and settings\User Name\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\759e98ee-5ab495d9-n\msvcp71.dll
2010-01-20 18:21 . 2010-01-20 18:21 499712 ----a-w- c:\documents and settings\User Name\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\759e98ee-5ab495d9-n\jmc.dll
2010-01-20 18:21 . 2010-01-20 18:21 348160 ----a-w- c:\documents and settings\User Name\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\759e98ee-5ab495d9-n\msvcr71.dll
2010-01-20 18:21 . 2010-01-20 18:21 12800 ----a-w- c:\documents and settings\User Name\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\759e98ee-5ab495d9-n\decora-d3d.dll
2010-01-20 18:21 . 2010-01-20 18:21 -------- d-----w- c:\program files\Common Files\Java
2010-01-20 18:21 . 2010-01-20 18:21 20480 ----a-w- c:\documents and settings\User Name\Application Data\Sun\Java\Deployment\SystemCache\6.0\45\4f710eed-7a4e6d00-n\gluegen-rt.dll
2010-01-20 18:20 . 2010-01-05 20:54 -------- d-----w- c:\program files\Java
2010-01-20 15:38 . 2008-12-18 19:35 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-12 20:20 . 2010-01-12 20:20 -------- d-----w- c:\program files\Trend Micro
2010-01-07 22:26 . 2010-01-06 15:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-07 22:26 . 2010-01-07 22:26 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-07 21:07 . 2010-01-06 15:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2010-01-06 15:48 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-06 15:48 . 2010-01-06 15:48 -------- d-----w- c:\documents and settings\User Name\Application Data\Malwarebytes
2010-01-06 15:48 . 2010-01-06 15:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-05 20:54 . 2010-01-05 20:45 152576 ----a-w- c:\documents and settings\User Name\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-01-05 20:53 . 2009-11-10 13:34 79488 ----a-w- c:\documents and settings\User Name\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-05 20:08 . 2010-01-05 14:56 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-01-05 14:56 . 2010-01-05 14:56 1956528 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
2010-01-04 15:06 . 2010-01-04 14:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-01-04 14:01 . 2010-01-04 14:01 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2010-01-04 14:01 . 2010-01-04 14:01 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2010-01-04 13:57 . 2010-01-04 13:57 -------- d-----w- c:\documents and settings\User Name\Application Data\Windows Search
2009-12-31 18:13 . 2009-12-30 17:00 60800 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-12-31 18:13 . 2009-12-30 17:00 123952 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-12-31 17:44 . 2008-03-27 20:16 49456 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-31 16:50 . 2004-08-11 23:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2004-08-11 23:00 916480 ------w- c:\windows\system32\wininet.dll
2009-12-17 22:14 . 2009-03-16 18:53 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-16 18:43 . 2004-08-11 23:11 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2004-08-11 23:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:26 . 2004-08-11 23:00 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2004-08-04 04:59 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 18:22 . 2004-08-11 23:00 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-03-03_16.05.10 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-03-03 16:32 . 2010-03-03 16:32 16384 c:\windows\Temp\Perflib_Perfdata_94c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-03-27 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-01 7618560]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-07-27 178712]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-09-12 1015808]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 124200]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-01-18 17920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"nwiz"="nwiz.exe" [2008-09-18 1657376]
"eFax 4.3"="c:\program files\eFax Messenger 4.3\J2GDllCmd.exe" [2007-03-06 116224]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-08-05 115560]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-06-01 86016]

c:\documents and settings\User Name\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-1-21 393216]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
TrustKeeper Agent Status.lnk - c:\windows\Installer\{1961F1D2-A639-49DB-9909-22153B7F4A26}\Icon9B6790CD.exe [2010-1-29 43520]
VPN Client.lnk - c:\windows\Installer\{4C271126-C295-4828-A901-5910AE0C258B}\Icon3E5562ED7.ico [2009-3-12 6144]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax 4.3.lnk]
backup=c:\windows\pss\eFax 4.3.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gupdate"=2 (0x2)
"GoogleDesktopManager"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"=
"%windir%\Network Diagnostic\xpnetdiag.exe"=
"c:\Program Files\UltraVNC\winvnc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:Remote Desktop
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3246:TCP"= 3246:TCP:Services

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/4/2010 10:06 AM 64288]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [6/20/2007 2:30 PM 79168]
R2 DLPortIO;DLPortIO;c:\windows\system32\drivers\DLPortIO.sys [8/22/2008 1:19 PM 3584]
R2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [3/12/2009 3:23 PM 6016]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [1/18/2010 9:21 AM 102448]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/13/2010 9:34 AM 135664]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 10:52 AM 1229232]
S2 tkagent;TrustKeeper Agent;c:\program files\Trustwave\Agent\tkagent.exe [11/13/2008 5:38 PM 145408]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [8/5/2009 8:56 AM 23888]
S3 DASyncService;HD-DASyncService;c:\program files\ScriptLogic\HDAuthority\DASyncService.exe [7/13/2009 4:29 PM 19968]
S3 HDAuditService;HDAsset;c:\program files\ScriptLogic\HDAuthority\HDAuditService.exe [7/13/2009 4:29 PM 26624]
.
Contents of the 'Scheduled Tasks' folder

2010-03-03 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 18:57]

2010-03-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-13 14:34]

2010-03-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-13 14:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
TCP: {F5B89188-953F-4B9B-B374-A5F16236BCE2} = 64.238.96.12,66.180.96.12
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-03 12:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x89125210]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba0ecf28
\Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8
\Driver\iaStor -> 0x89125210
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Broadcom NetXtreme 57xx Gigabit Controller -> SendCompleteHandler -> 0x88b4d690
PacketIndicateHandler -> NDIS.sys @ 0xb9d65a21
SendHandler -> NDIS.sys @ 0xb9d4387b
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x094FE9BD
malicious code @ sector 0x094FE9C0 !
PE file found in sector at 0x094FE9D6 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2160)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-03-03 12:34:42
ComboFix-quarantined-files.txt 2010-03-03 17:34
ComboFix2.txt 2010-03-03 16:06

Pre-Run: 55,489,064,960 bytes free
Post-Run: 55,437,746,176 bytes free

- - End Of File - - E26D920600D48A0D29668915DA23E0BA


Any Suggestions?

OOPS... Guess I broke the rules by running ComboFix without permission. Well, it's too late now, so I apologize; let's move on.

Edited by Pandy, 03 March 2010 - 01:25 PM.
Merged and edited and moved from AII. Code box removed for ease of viewing. ~Pandy



#2 dogman888


Posted 03 March 2010 - 05:06 PM

This issue has been resolved.

#3 Elise


Posted 05 March 2010 - 08:08 AM

Since this issue seems to be resolved, this topic will now be closed.

regards, Elise

