
Rootkitted


This topic is locked
6 replies to this topic

#1 Clowntoon


Posted 06 May 2010 - 11:27 AM

This is the one that worries me:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll intelide.sys
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf763bf28
\Driver\ACPI -> ACPI.sys @ 0xf75aecb8
\Driver\atapi -> atapi.sys @ 0xf74a87b4
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056c1d6
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056c1d6
user & kernel MBR OK

DDS (Ver_10-03-17.01) - NTFSx86
Run by MAIN at 15:10:33.18 on Thu 05/06/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.987 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\Program Files\VMware\VMware Player\vmware-authd.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\VMware\VMware Player\hqtray.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\OpenOffice.org1.1.4\program\soffice.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\UDir\TMVirus\dds.com

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Settings,ProxyOverride = <local>
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
TB: PDFCreator Toolbar: {31cf9ebe-5755-4a1d-ac25-2834d952d9b4} - c:\program files\pdfcreator toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [AdaptecDirectCD] "c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [VMware hqtray] "c:\program files\vmware\vmware player\hqtray.exe"
mRun: [IntelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
mRun: [Logitech Hardware Abstraction Layer] "c:\program files\common files\logitech\khalshared\KHALMNPR.EXE"
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\main\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org1.1.4\program\quickstart.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Links.txt
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\start3~1.lnk - c:\program files\3dconnexion\3dconnexion 3dxware\3dxsrv.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\startw~1.lnk - c:\windows\downlo~1\mywebex\419\mwmPad.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {F5AD6CC5-776C-4DBB-B38F-F5404A3582F3} - {F5AD6CC5-776C-4DBB-B38F-F5404A3582F3} - c:\windows\downlo~1\mywebex\419\mwmie.dll
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {3141534D-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/2/D/E/2DEBCF8D-AB67-4EFB-A96D-9F297F4129DD/scdec.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1237691893375
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1237691871781
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://mwmus.webex.com/client/v_mywebex-mwm/mywebex/ieatgpc.cab
DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} - hxxp://10.10.200.23/XUpload.ocx
Notify: AtiExtEvent - Ati2evxx.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

============= SERVICES / DRIVERS ===============

R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2009-3-20 3712]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2007-8-30 87936]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\main\locals~1\temp\sas_selfextract\sasdifsv.sys --> c:\docume~1\main\locals~1\temp\sas_selfextract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\main\locals~1\temp\sas_selfextract\saskutil.sys --> c:\docume~1\main\locals~1\temp\sas_selfextract\SASKUTIL.sys [?]
S3 ATIXPGAA;ATIXPGAA;c:\dell\drivers\r101342\ATIXPGAA.SYS [2007-8-30 12032]
S3 rkhdrv40;Rootkit Unhooker Driver; [x]
S3 SASENUM;SASENUM;\??\c:\docume~1\main\locals~1\temp\sas_selfextract\sasenum.sys --> c:\docume~1\main\locals~1\temp\sas_selfextract\SASENUM.SYS [?]
S4 AI;AI;c:\docume~1\main\locals~1\temp\ai.exe --> c:\docume~1\main\locals~1\temp\AI.exe [?]
S4 brfgxw;brfgxw; [x]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2008-7-10 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [2008-7-10 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2008-7-10 369688]

============== File Associations ===============

.scr=AutoCADScriptFile

=============== Created Last 30 ================

2010-05-06 10:15:46 0 d-s---w- C:\FixboCom32146F
2010-05-06 08:41:48 47 ----a-w- c:\windows\wininit.ini
2010-05-05 20:37:04 0 d-----w- C:\FixboCom
2010-05-04 21:09:45 0 d-----w- c:\documents and settings\main\DoctorWeb
2010-05-02 16:54:27 0 d-sha-r- C:\cmdcons
2010-05-02 16:50:00 98816 ----a-w- c:\windows\sed.exe
2010-05-02 16:50:00 161792 ----a-w- c:\windows\SWREG.exe
2010-05-02 01:39:40 0 ----a-w- c:\documents and settings\main\defogger_reenable
2010-05-01 15:28:35 0 d-----w- c:\docume~1\main\applic~1\SUPERAntiSpyware.com
2010-05-01 15:28:35 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-05-01 15:25:15 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-04-30 15:26:39 8 ----a-w- c:\documents and settings\main\pol-ntuser.vir
2010-04-30 15:15:52 0 d--h--w- c:\windows\system32\GroupPolicy
2010-04-29 02:43:43 0 d-----w- c:\program files\TrendMicro
2010-04-12 12:46:47 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys

==================== Find3M ====================

2010-04-29 20:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 20:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-24 15:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2008-03-07 03:58:43 14290 ----a-w- c:\program files\settings.dat
2008-07-07 04:40:10 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008070620080707\index.dat

============= FINISH: 15:11:08.15 ===============

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-04 11:13:15
Windows 5.1.2600 Service Pack 3
Running: isp3vtt9(remgr).exe; Driver: C:\DOCUME~1\MAIN\LOCALS~1\Temp\pxtdapog.sys


---- Kernel code sections - GMER 1.0.15 ----

? Combo-Fix.sys The system cannot find the file specified. !
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xBA1CC380, 0x22091D, 0xE8000020]
? C:\DOCUME~1\MAIN\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !
? C:\Combo-Fix\catchme.sys The system cannot find the path specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 VMkbd.sys (VMware keyboard filter driver (32-bit)/VMware, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 VMkbd.sys (VMware keyboard filter driver (32-bit)/VMware, Inc.)

Device \Driver\usbhub \Device\00000091 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbhub \Device\00000093 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbhub \Device\00000095 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbhub \Device\00000097 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbuhci \Device\USBFDO-0 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbuhci \Device\USBFDO-1 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbuhci \Device\USBFDO-2 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbuhci \Device\USBFDO-3 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbehci \Device\USBFDO-4 hcmon.sys (VMware USB monitor/VMware, Inc.)

---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) PRAGMAvstiwuycye <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0010c67ed041
Reg HKLM\SYSTEM\CurrentControlSet\Services\PRAGMAvstiwuycye
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0010c67ed041 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\PRAGMAvstiwuycye (not active ControlSet)

---- EOF - GMER 1.0.15 ----
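An added triage helper, not part of the thread and not GMER or DDS code, that pulls out the lines an analyst would act on from logs shaped like the ones above: GMER hidden services, writeable kernel code sections, and DDS service entries that either have no image file or load from a temp folder. The sample log is constructed from the line shapes posted in this thread.

```python
import re
from typing import Dict, List

# Constructed sample in the DDS "SERVICES / DRIVERS" and GMER line formats seen in
# this thread; a real triage would read the saved log file instead.
SAMPLE_LOG = r"""
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\main\locals~1\temp\sas_selfextract\sasdifsv.sys --> c:\docume~1\main\locals~1\temp\sas_selfextract\SASDIFSV.SYS [?]
S4 AI;AI;c:\docume~1\main\locals~1\temp\ai.exe --> c:\docume~1\main\locals~1\temp\AI.exe [?]
S4 brfgxw;brfgxw; [x]
Service (*** hidden *** ) PRAGMAvstiwuycye <-- ROOTKIT !!!
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xBA1CC380, 0x22091D, 0xE8000020]
"""

# DDS service line: "<start type> <name>;<display name>;<image path> [<date size> | ? | x]"
DDS_SERVICE = re.compile(r"^([RS][0-4])\s+([^;]+);([^;]*);(.*)$")
# GMER marks a service that exists in the registry but is hidden from normal
# service enumeration; this is the line the scan above shows for PRAGMAvstiwuycye.
GMER_HIDDEN = re.compile(r"^Service \(\*\*\* hidden \*\*\* \)\s+(\S+)")
# GMER reports a loaded kernel module whose .text section is writeable.
GMER_WRITEABLE = re.compile(r"^\.text\s+(\S+)\s+section is writeable")


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious line, in log order, with the reason."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := GMER_HIDDEN.match(line):
            findings.append({"name": m.group(1), "reason": "hidden service"})
            continue
        if m := GMER_WRITEABLE.match(line):
            findings.append({"name": m.group(1), "reason": "writeable kernel code section"})
            continue
        m = DDS_SERVICE.match(line)
        if not m:
            continue
        name, tail = m.group(2), m.group(4).strip()
        if tail == "[x]":
            # Registered service whose image DDS could not find on disk.
            findings.append({"name": name, "reason": "service with no image file"})
        elif "\\temp\\" in tail.lower():
            # Drivers or services running from a user's temp folder; portable
            # scanners (the SAS* drivers here) do this legitimately, so this is
            # a lead to check, not a verdict.
            findings.append({"name": name, "reason": "image runs from a temp folder"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['reason']:32} {f['name']}")
```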


#2 Noviciate

  • Malware Response Team

Posted 06 May 2010 - 02:15 PM

Good evening.

Download Sec-Info.zip from here and save it to your Desktop. You will need to extract the file.

Right click on the zipped folder and from the menu that appears, click on Extract All...
In the 'Extraction Wizard' window that opens, click on Next> and in the next window that appears, click on Next> again.
In the final window, click on Finish


You should now see a folder with a .vbs file in it. Double click Sec-info.vbs to run it and a text file called Sec-Info.txt should be created in the same folder - either that or you'll get an error message.
Please copy and paste the contents of the text file into your next reply and then you can delete both of the folders and their contents.

So long, and thanks for all the fish.

#3 Clowntoon

  • Topic Starter

Posted 06 May 2010 - 05:46 PM

I see the vbs file is trying to use Windows Management Instrumentation to look at anti-virus and firewall products installed. The script produced an empty text file. The machine is running Windows Defender and the Windows XP firewall. It also has Malwarebytes on it. It seems like there is some install of ComboFix that wouldn't uninstall, also. There is a folder in the root of C: that has an icon that looks a little like the My Computer icon and having a name like the name of the ComboFix file I saved to followed by a hex string. Don't know what's going on with that. Thanks in advance for your offer of help. This thing is driving me nuts and I'm about ready to see if I can lay hands on a disk sector editing program so I can do a brute force restoration of the master boot record. I'll try to respond a little quicker as we go along. If I had confidence the computer store (CompUSA, MicroCenter, Best Buy, etc.) could fix it, I'd probably just run it over there. Do you have any experience in that realm?

Edited by Clowntoon, 06 May 2010 - 05:49 PM.


#4 Noviciate

  • Malware Response Team

Posted 07 May 2010 - 02:09 PM

Good evening.

Unfortunately Windows Defender isn't an anti-virus program and this, along with an adequate firewall, which the SP2 one isn't, is the minimum protection your PC needs. How long has the system been without an anti-virus program?

So long, and thanks for all the fish.

#5 Clowntoon

  • Topic Starter

Posted 07 May 2010 - 02:35 PM

I believe this machine is running XP Pro SP3. It may have had AVG on it at one time, but I disabled that quite a while back. It may have been a year or more without anti-virus software running. I prefer the approach of avoiding infection in the first place. We run Symantec at the office and there have been a large number of rogue anti-malware infections there lately. So I really don't see that much difference between having AV or not having it. If I thought one existed that was actually effective, I would have it.

#6 Noviciate

  • Malware Response Team

Posted 07 May 2010 - 07:59 PM

The firewall you have came originally with SP2 and as far as I'm aware hasn't been upgraded since then.

While I agree with the philosophy of avoiding infections rather than hoping that resident security blocks them, and also accept that such security isn't perfect, it does offer a degree of protection that you are unwise to dismiss. Given the increased likelihood, through having no resident AV, that malware has corrupted and/or replaced legitimate files and lowered security settings, making infection more likely in the future, my best advice is to back up any important files and then reformat and reinstall.

So long, and thanks for all the fish.

#7 Noviciate

  • Malware Response Team

Posted 19 May 2010 - 02:13 PM

As this issue has been resolved, or thereabouts, this topic is now closed.

So long, and thanks for all the fish.
