Rootkit problem - I think - not sure



#1 MartinV (Members)

Posted 04 May 2010 - 09:58 AM

I posted over in the "Am I Infected - What Do I Do?" forum with the title "What am I infected with?". I was told to generate some logs and post them here.

Here are the issues that I identified in the other forum that need to be addressed:

1. A couple of minutes after a fresh boot-up, there is a period of all-consuming disk activity for about 5 minutes. The disk activity light is on solidly and no program can be started. Then, after this occurs, one of the svchost processes consumes 50% of the CPU time - constantly - it never changes. And, this all happens even if I boot into Safe Mode.

2. I'm getting redirected to advertising sites. This is happening in FF as well as IE. I installed AdBlocker in FF. That seems to have helped but it still occasionally pops open another tab and loads some advertising stuff.

3. I cannot do a Windows Update. When I try to do this, I get a message (in the browser) that it can't find the update web site. I've even tried manually keying in the update site URL (in both IE and FF) but it still can't find the site (it says there is no connection to the internet).

4. One more symptom that I hadn't noticed until later is that the CPU usage on the infected machine runs at a steady 50%.


---------------------------------------------------------------------------------------------------------------

DDS (Ver_10-03-17.01) - NTFSx86
Run by Martin at 5:42:24.15 on Tue 05/04/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1884.1540 [GMT -7:00]

AV: Digital Protection *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\WINDOWS\Explorer.EXE
C:\Apache\bin\ApacheMonitor.exe
C:\Documents and Settings\Martin\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mDefault_Page_URL = hxxp://lenovo.live.com
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
StartupFolder: c:\docume~1\martin\startm~1\programs\startup\mailwa~1.lnk - c:\mailwasher\MailWasher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\monito~1.lnk - c:\apache\bin\ApacheMonitor.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: intuit.com\ttlc
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {51A1CDAB-573D-45A4-B69F-B44791DFF60A} - hxxp://dot.pima.gov/gis/pictometry/viewer/ver30b/PictImageCtrl30.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - hxxp://198.182.65.154/activex/AxisCamControl.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\martin\applic~1\mozilla\firefox\profiles\seygeta9.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-4-27 61440]
R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\common files\intel\privacy icon\uns\UNS.exe [2009-4-14 2054680]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [2009-4-14 144992]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2008-8-17 37184]
S0 kyfnntnt;kyfnntnt;c:\windows\system32\drivers\kyfnntnt.sys [2010-4-26 0]
S2 SessionLauncher;SessionLauncher;c:\docume~1\admini~1\locals~1\temp\dx9\sessionlauncher.exe --> c:\docume~1\admini~1\locals~1\temp\dx9\SessionLauncher.exe [?]
S3 Apache2.2;Apache2.2;c:\apache\bin\httpd.exe [2009-8-6 24645]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-8-21 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-8-21 8320]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2007-6-18 23680]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxMediaDB10.exe [2008-4-25 1120752]

=============== Created Last 30 ================

2010-05-04 12:38:00 0 ----a-w- c:\documents and settings\martin\defogger_reenable
2010-04-30 14:26:36 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-04-30 14:26:12 0 d-----w- c:\program files\SUPERAntiSpyware
2010-04-30 14:26:12 0 d-----w- c:\docume~1\martin\applic~1\SUPERAntiSpyware.com
2010-04-30 14:25:20 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-04-30 04:16:45 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-29 21:40:17 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 21:40:16 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-29 21:40:16 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-29 16:26:31 0 d-----w- c:\program files\Trend Micro
2010-04-29 14:41:47 0 d-----w- c:\program files\CCleaner
2010-04-29 14:25:15 0 d-----w- c:\windows\SxsCaPendDel
2010-04-29 12:43:21 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-04-29 12:43:21 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-04-29 02:39:45 0 d-----w- c:\program files\SpywareBlaster
2010-04-29 01:45:08 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-04-28 01:52:50 0 d-----w- c:\windows\pss
2010-04-27 22:46:59 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-27 22:46:58 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-27 19:45:14 0 d-----w- c:\docume~1\martin\applic~1\Malwarebytes
2010-04-27 19:44:56 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-04-27 19:43:50 5918800 ----a-w- C:\mbam-setup.exe
2010-04-27 19:15:19 335 ----a-w- C:\FixExe.reg
2010-04-27 03:31:53 0 ----a-w- c:\windows\system32\drivers\kyfnntnt.sys
2010-04-27 03:31:16 0 d-----w- c:\docume~1\martin\applic~1\A17E80F4E3F132CB1CEF99523EAA71E2

==================== Find3M ====================

2010-05-03 16:54:45 324120 ----a-w- c:\windows\system32\drivers\iaStor.sys
2010-03-11 12:38:54 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38:51 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-16 14:08:49 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25:04 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll
2009-04-14 15:01:17 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2009-04-27 22:35:03 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009042720090428\index.dat
2009-04-27 22:35:04 16384 --sha-w- c:\windows\temp\cookies\index.dat
2009-04-27 22:35:04 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2009-04-27 22:35:04 16384 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 5:43:26.01 ===============

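The DDS "SERVICES / DRIVERS" section above is the part a malware responder reads first: the start type (the digit after R/S), where the image lives, and whether DDS could even stat the file. As an added example, not part of the original post and not code from the DDS tool, here is a small Python triage script that parses lines in that shape and flags the properties a responder would check by hand: a zero-byte image, an image DDS could not resolve (`[?]`), an image running out of a temp directory, and a boot- or system-start driver created within the last 30 days of the scan. The sample lines are copied from the log above; the 30-day window, the reason strings and the function names are my own assumptions.

```python
import re
from datetime import date, timedelta

# Constructed sample in the shape of the DDS "SERVICES / DRIVERS" section.
# The lines are copied from the log posted above (raw string, so the
# backslashes are literal).
SAMPLE_LOG = r"""
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-4-27 61440]
S0 kyfnntnt;kyfnntnt;c:\windows\system32\drivers\kyfnntnt.sys [2010-4-26 0]
S2 SessionLauncher;SessionLauncher;c:\docume~1\admini~1\locals~1\temp\dx9\sessionlauncher.exe --> c:\docume~1\admini~1\locals~1\temp\dx9\SessionLauncher.exe [?]
S3 Apache2.2;Apache2.2;c:\apache\bin\httpd.exe [2009-8-6 24645]
""".strip()

# Date stamped on the log header above ("Tue 05/04/2010"); used as "now".
RUN_DATE = date(2010, 5, 4)

# One DDS entry: <R|S><start> <name>;<display name>;<image path> [<created> <size>]
# R = running, S = stopped. The start digit is the SCM "Start" value:
# 0 boot, 1 system, 2 auto, 3 manual, 4 disabled.
ENTRY_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4])\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<info>[^\]]*)\]\s*$"
)

EARLY_START = {0, 1}   # loaded before most of the OS, and before any user-mode AV
RECENT_DAYS = 30       # assumed window; tune to when the symptoms began


def parse_entry(line):
    """Return a dict for one SERVICES/DRIVERS line, or None if it does not match."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["start"] = int(e["start"])
    # "a --> b" means DDS expanded a short (8.3) path; keep the expanded form.
    e["path"] = e["path"].split("-->")[-1].strip()
    if e["info"] == "?":
        e["created"], e["size"] = None, None   # DDS could not stat the file
    else:
        ymd, size = e["info"].split()
        y, mo, d = (int(x) for x in ymd.split("-"))
        e["created"], e["size"] = date(y, mo, d), int(size)
    return e


def triage(log_text, run_date):
    """Map entry name -> list of reasons it deserves a closer look (leads, not verdicts)."""
    findings = {}
    for line in log_text.splitlines():
        e = parse_entry(line)
        if e is None:
            continue
        reasons = []
        if e["size"] == 0:
            reasons.append("zero-byte image file")
        if e["size"] is None:
            reasons.append("image file unresolved ([?])")
        if "\\temp\\" in e["path"].lower():
            reasons.append("image runs from a temp directory")
        if (e["start"] in EARLY_START and e["created"] is not None
                and run_date - e["created"] <= timedelta(days=RECENT_DAYS)):
            reasons.append(
                "boot/system-start driver created in the last %d days" % RECENT_DAYS)
        if reasons:
            findings[e["name"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LOG, RUN_DATE).items():
        print(name)
        for r in reasons:
            print("   -", r)
```

Run against the sample, the script flags kyfnntnt (zero-byte, boot-start, eight days old), SessionLauncher (unresolved image under a temp directory) and also SASKUTIL, a SUPERAntiSpyware driver installed a week before the scan. That last hit is the caveat: the recency rule cannot tell a fresh security product from a fresh implant, so every lead still needs the file's publisher signature, hash and install history checked before anything is removed.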

#2 Noviciate (Malware Response Team)

Posted 04 May 2010 - 02:33 PM

Good evening.

Your PC shows no active anti-virus or firewall security programs - how long has the system been without these?

So long, and thanks for all the fish.

#3 MartinV (Topic Starter)

Posted 05 May 2010 - 06:36 AM

It has never had an anti-virus program or firewall program running on it.

Does this have any bearing on whether or not I get some assistance on resolving the problems?



#4 Noviciate (Malware Response Team)

Posted 05 May 2010 - 02:03 PM

Good evening.

Unfortunately it has a great bearing on matters. There is only so much that can be achieved with the tools available, and the potential for damage that having no security creates exceeds that.
It is possible that legitimate files have been replaced and/or corrupted and security settings lowered to make reinfection more likely in the future, and this makes the best course of action a reformat and reinstall. The time that a reinstall would take is considerably less than you could spend trying unsuccessfully to resolve the PC's issues, so it seems wisest to me to go with the guaranteed cure.
While I can supply you with links to free software to secure your PC afterwards, they cannot be guaranteed to clean up and repair any damage that has already been caused, and so starting afresh is the easiest, quickest and most certain option.

As it is your machine you are free to disregard this advice, but based on my experience it is the best advice that I can offer.

So long, and thanks for all the fish.
