
possible rootkit


  • This topic is locked
2 replies to this topic

#1 LadyButterfly

LadyButterfly

  • Members
  • 2 posts
  • OFFLINE

Posted 20 June 2010 - 05:43 PM

I have problems in my PC: I can't update my anti-virus, new folders are popping up in my HD, I can't use any spyware program (every attempt is followed by an error message), and I can't even play any game I used to. So I formatted and reinstalled the system; again problems. I got a message at boot saying "no NTLDR detected", then I just copied the NTDETECT and NTLDR files from another HD, and the system booted up, but my main drive is no longer C:, now it is D:! I don't know what's happening. I ran ComboFix and it detected MBR rootkit hooks. So I now have no idea how to fix the MBR or how to get rid of this rootkit infection. The forums say don't post the ComboFix log until asked to do so, but I have it ready if anyone wants a look.

Thanks in advance
LB

DDS (Ver_10-03-17.01) - NTFSx86
Run by Edna at 17:08:32,71 on dom 20/06/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.55.1046.18.1022.727 [GMT -3:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

D:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
D:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\wscntfy.exe
D:\Arquivos de programas\Mozilla Firefox\firefox.exe
D:\Documents and Settings\Edna\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - d:\arquivos de programas\avg\avg9\toolbar\IEToolbar.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - d:\arquivos de programas\avg\avg9\avgssie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - d:\arquivos de programas\avg\avg9\toolbar\IEToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - d:\arquivos de programas\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - d:\arquivos de programas\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - d:\arquivos de programas\avg\avg9\toolbar\IEToolbar.dll
mRun: [NvCplDaemon] "RUNDLL32.EXE" d:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] "nwiz.exe" /install
mRun: [NvMediaCenter] "RUNDLL32.EXE" d:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SoundMan] "SOUNDMAN.EXE"
mRun: [DAEMON Tools-1033] "d:\arquivos de programas\d-tools\daemon.exe" -lang 1033
mRun: [AVG9_TRAY] d:\arquiv~1\avg\avg9\avgtray.exe
dRun: [CTFMON.EXE] d:\windows\system32\CTFMON.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - d:\arquivos de programas\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
TCP: {677EB4D4-7C86-4A65-B3CD-71368B8D34C0} = 208.67.222.222,208.67.220.220
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - d:\arquivos de programas\avg\avg9\toolbar\IEToolbar.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - d:\arquivos de programas\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - d:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - d:\docume~1\edna\dadosd~1\mozilla\firefox\profiles\olpvufpc.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1750559&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://pt-BR.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:pt-BR:official
FF - component: d:\arquivos de programas\avg\avg9\firefox\components\avgssff.dll
FF - component: d:\arquivos de programas\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: d:\arquivos de programas\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: d:\arquivos de programas\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: d:\arquivos de programas\avg\avg9\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: d:\arquivos de programas\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: d:\arquivos de programas\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: d:\arquivos de programas\k-lite codec pack\real\browser\plugins\nprpjplug.dll

---- FIREFOX POLICIES ----
d:\arquivos de programas\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
d:\arquivos de programas\mozilla firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");

============= SERVICES / DRIVERS ===============

R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;d:\windows\system32\drivers\avgmfx86.sys [2010-6-20 29512]
R1 AvgTdiX;AVG Free Network Redirector;d:\windows\system32\drivers\avgtdix.sys [2010-6-20 242896]
R3 slnt;Kaiomy KM8139D 10/100Mbps PCI Fast Ethernet Adapter;d:\windows\system32\drivers\slnt.sys [2010-6-16 17972]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;d:\windows\system32\drivers\avgldx86.sys [2010-6-20 216200]
S2 avg9emc;AVG Free E-mail Scanner;d:\arquivos de programas\avg\avg9\avgemc.exe [2010-6-20 916760]
S2 avg9wd;AVG Free WatchDog;d:\arquivos de programas\avg\avg9\avgwdsvc.exe [2010-6-20 308064]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;d:\arquivos de programas\avg\avg9\toolbar\ToolbarBroker.exe [2010-6-20 430152]
S4 d347bus;d347bus;d:\windows\system32\drivers\d347bus.sys [2010-6-18 155136]
S4 d347prt;d347prt;d:\windows\system32\drivers\d347prt.sys [2010-6-18 5248]

=============== Created Last 30 ================

2010-06-20 20:03:58 52 ----a-w- d:\documents and settings\edna\defogger_reenable
2010-06-20 19:38:11 0 d-sha-r- D:\cmdcons
2010-06-20 19:30:56 98816 ----a-w- d:\windows\sed.exe
2010-06-20 19:30:56 77312 ----a-w- d:\windows\MBR.exe
2010-06-20 19:30:56 256512 ----a-w- d:\windows\PEV.exe
2010-06-20 19:30:56 161792 ----a-w- d:\windows\SWREG.exe
2010-06-20 16:42:25 0 d-----w- D:\$AVG
2010-06-20 16:21:12 12464 ----a-w- d:\windows\system32\avgrsstx.dll
2010-06-20 16:21:09 242896 ----a-w- d:\windows\system32\drivers\avgtdix.sys
2010-06-20 16:21:03 216200 ----a-w- d:\windows\system32\drivers\avgldx86.sys
2010-06-20 16:21:00 0 d-----w- d:\windows\system32\drivers\Avg
2010-06-20 16:20:59 0 d-----w- d:\docume~1\alluse~1\dadosd~1\AVG Security Toolbar
2010-06-20 16:20:48 0 d-----w- d:\arquivos de programas\AVG
2010-06-20 05:23:36 0 d-sh--w- d:\documents and settings\edna\IECompatCache
2010-06-20 05:02:07 73728 ----a-w- d:\windows\system32\javacpl.cpl
2010-06-20 02:36:43 0 d-----w- d:\docume~1\edna\dadosd~1\Malwarebytes
2010-06-20 02:36:37 38224 ----a-w- d:\windows\system32\drivers\mbamswissarmy.sys
2010-06-20 02:36:36 20952 ----a-w- d:\windows\system32\drivers\mbam.sys
2010-06-20 02:36:36 0 d-----w- d:\docume~1\alluse~1\dadosd~1\Malwarebytes
2010-06-20 02:36:36 0 d-----w- d:\arquivos de programas\Malwarebytes' Anti-Malware
2010-06-20 01:53:12 0 d-----w- d:\arquivos de programas\arquivos comuns\mssoap
2010-06-19 02:31:57 0 d-----w- d:\docume~1\edna\dadosd~1\BitTorrent
2010-06-19 02:31:51 0 d-----w- d:\arquivos de programas\BitTorrent
2010-06-18 21:20:19 0 d-----w- d:\arquivos de programas\Microsoft Games
2010-06-18 20:58:41 5248 ----a-w- d:\windows\system32\drivers\d347prt.sys
2010-06-18 20:58:41 155136 ----a-w- d:\windows\system32\drivers\d347bus.sys
2010-06-18 20:58:38 0 d-----w- d:\arquivos de programas\D-Tools
2010-06-18 20:58:17 0 d-----w- d:\windows\Downloaded Installations
2010-06-18 14:55:45 0 d-----w- d:\arquivos de programas\Marcos Velasco Security
2010-06-18 14:35:00 0 d-----w- d:\docume~1\edna\dadosd~1\Uniblue
2010-06-18 02:38:09 0 d-----w- d:\arquivos de programas\arquivos comuns\DirectX
2010-06-16 13:13:40 251696 ------w- D:\NTLDR
2010-06-16 12:12:56 0 d-----w- d:\arquivos de programas\BS_Player
2010-06-16 12:12:51 0 d-----w- d:\docume~1\edna\dadosd~1\BSplayer Pro
2010-06-16 12:12:51 0 d-----w- d:\docume~1\edna\dadosd~1\BSplayer
2010-06-16 12:12:50 0 d-----w- d:\arquivos de programas\Webteh
2010-06-16 12:08:04 0 d-----w- d:\arquivos de programas\K-Lite Codec Pack
2010-06-16 12:01:55 0 d-----w- d:\arquivos de programas\VideoLAN
2010-06-16 10:42:53 0 d-----w- d:\docume~1\edna\dadosd~1\VitySoft
2010-06-16 08:30:42 411368 ----a-w- d:\windows\system32\deployJava1.dll
2010-06-16 08:06:53 0 d-----w- d:\docume~1\alluse~1\dadosd~1\Blizzard
2010-06-16 06:57:30 0 d-----w- d:\docume~1\alluse~1\dadosd~1\Alwil Software
2010-06-16 06:41:11 164 ----a-w- d:\windows\install.dat
2010-06-16 06:31:57 0 d-----w- d:\docume~1\alluse~1\dadosd~1\avg9
2010-06-16 06:07:20 0 d-----w- D:\backupsu
2010-06-16 06:03:25 17972 ----a-r- d:\windows\system32\drivers\slnt.sys
2010-06-16 06:01:58 7552 -c--a-w- d:\windows\system32\dllcache\mskssrv.sys
2010-06-16 06:00:45 180224 ----a-w- d:\windows\system32\nvudisp.exe
2010-06-16 06:00:45 16356 ----a-w- d:\windows\system32\nvdisp.nvu
2010-06-16 06:00:45 0 d-----w- d:\windows\nview
2010-06-16 05:57:09 0 d-----w- d:\windows\NV952964.TMP
2010-06-16 05:51:26 17505 ----a-r- D:\DBI.EXE
2010-06-16 05:47:44 0 d-----w- d:\windows\pss
2010-06-15 21:20:43 0 d-----w- d:\arquivos de programas\arquivos comuns\InstallShield
2010-06-15 21:09:56 0 d-----w- d:\arquivos de programas\Windows Media Connect 2
2010-06-15 21:08:48 0 d-sh--w- d:\documents and settings\all users\DRM
2010-06-15 21:08:30 0 d--h--w- d:\arquivos de programas\WindowsUpdate
2010-06-15 21:08:27 0 d-----w- d:\arquivos de programas\Servišos on-line
2010-06-15 21:07:58 0 d-----w- d:\arquivos de programas\arquivos comuns\Servišos
2010-06-15 21:06:15 0 d-----w- d:\arquivos de programas\Messenger
2010-06-15 21:06:10 0 d-----w- d:\arquivos de programas\MSN Gaming Zone
2010-06-15 21:05:46 0 d-----w- d:\arquivos de programas\Windows NT
2010-06-15 17:59:19 0 d-----w- d:\arquivos de programas\arquivos comuns\ODBC
2010-06-15 17:59:06 0 d-----w- d:\arquivos de programas\arquivos comuns\SpeechEngines
2010-06-15 17:57:58 0 d--h--w- d:\documents and settings\all users\Modelos
2010-06-15 17:57:58 0 d-----w- d:\documents and settings\all users\Favoritos
2010-06-15 17:57:58 0 d-----r- d:\documents and settings\all users\Menu Iniciar
2010-06-15 17:57:58 0 d-----r- d:\documents and settings\all users\Documentos
2010-06-15 17:55:44 0 d--h--r- d:\documents and settings\all users\Dados de aplicativos

==================== Find3M ====================

2010-06-16 16:51:27 48628 ----a-w- d:\windows\system32\perfc016.dat
2010-06-16 16:51:27 344380 ----a-w- d:\windows\system32\perfh016.dat
2010-06-15 21:06:46 21844 ----a-w- d:\windows\system32\emptyregdb.dat

============= FINISH: 17:08:45,48 ===============

#2 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  • Gender:Male

Posted 26 June 2010 - 06:35 AM

Do you still desire help? If so, please clearly describe what you have done so far and the current problems you're experiencing.
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#3 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  • Gender:Male

Posted 30 June 2010 - 06:24 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic
