Rootkit


This topic is locked
5 replies to this topic

#1 North Florida IT

Posted 23 June 2010 - 03:22 PM

I know this forum states to not run ComboFix until told - however I use ComboFix to remove viruses for my clients and am aware of the consequences. It just seems to be a quick fix for most simple viruses - I don't need someone to tell me the ins and outs of why I shouldn't - I just need help on this one virus. I ran ComboFix and the log is attached. This client of mine has had repetitive viruses, while my other clients hardly call me on virus issues anymore. The first time I worked on his system it was infected with a very nasty rootkit that took complete control over his computer. We decided to format since he didn't have much data anyway. For a while he had no issues - a simple SysGuard virus was found on his system a couple of months ago that I removed. Now he has another virus that seems to be a rootkit again.

We originally had him using AVG Free for a while. I showed him the LinkScanner feature and showed him how to avoid harmful websites. However, since this issue, I decided to run ComboFix, which seemed to resolve the issue. I removed AVG and then installed ESET NOD32, which I hear is pretty good. After ComboFix and this software being installed, it found 6 trojan infections, which were quarantined. After this, it kept notifying me of a blocked connection every time I searched something on Google; the addresses were:

213.163.89.106:80
78.47.248.117:80

I noticed a specific script you guys use after the first ComboFix is run. If you can, please help me at this point to fix his system. I have remote access and will be awaiting an answer soon. Thanks!

- Steve

#2 North Florida IT


Posted 23 June 2010 - 04:49 PM

This is strange because I already removed this before - I removed AVG and Ad-Aware and installed ESET NOD32. It was picking up on some viruses and continual threats from these IPs:

213.163.89.106:80
78.47.248.117:80

However, when I called my client today to remote in, he said the icon for the software was missing. I tried working with him to find the program file but it too was missing. I got him to get his IP and I remoted in using Windows RDP. I noticed ESET NOD32 wasn't installed anymore - but strangely AVG and Ad-Aware were. It looks like the client ran a restore point without my consent - but I'm not sure. I'd have to ask. These attachments are the current state of the machine. Please help ASAP. Thanks!

- Steve

DDS.txt:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 16:37:18.35 on Wed 06/23/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1263.694 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1257308934500
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1257343368734
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-11-2 64160]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-11-4 54752]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1029456]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys --> c:\windows\system32\drivers\avgldx86.sys [?]
S1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys --> c:\windows\system32\drivers\avgmfx86.sys [?]
S1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys --> c:\windows\system32\drivers\avgtdix.sys [?]
S2 avg9emc;AVG Free E-mail Scanner;"c:\program files\avg\avg9\avgemc.exe" --> c:\program files\avg\avg9\avgemc.exe [?]
S2 avg9wd;AVG Free WatchDog;"c:\program files\avg\avg9\avgwdsvc.exe" --> c:\program files\avg\avg9\avgwdsvc.exe [?]
S2 gupdate1ca5bf69784ca28;Google Update Service (gupdate1ca5bf69784ca28);c:\program files\google\update\GoogleUpdate.exe [2009-11-2 133104]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]

=============== Created Last 30 ================

2010-06-23 19:01:19 54 ----a-w- c:\windows\system32\rp_stats.dat
2010-06-23 19:01:19 39 ----a-w- c:\windows\system32\rp_rules.dat
2010-06-23 18:59:45 0 d-----w- c:\windows\system32\wbem\Repository
2010-06-23 18:59:02 0 d-----w- c:\program files\Lavasoft
2010-06-23 18:58:59 0 d--h--w- c:\docume~1\alluse~1\applic~1\{EF63305C-BAD7-4144-9208-D65528260864}
2010-06-22 20:44:34 0 d-----w- c:\program files\TeamViewer
2010-06-22 20:26:04 0 d-----w- C:\ComboFix(2)
2010-06-22 19:31:25 0 d-----w- c:\program files\ESET
2010-06-22 18:00:55 0 d-sh--w- c:\documents and settings\administrator\PrivacIE
2010-06-22 18:00:48 0 d-sh--w- c:\documents and settings\administrator\IETldCache
2010-06-20 18:55:19 15688 ----a-w- c:\windows\system32\lsdelete.exe
2010-06-17 15:51:01 45056 ----a-w- c:\windows\system32\7267Y0B5.dll
2010-06-17 14:03:38 112 ----a-w- c:\docume~1\alluse~1\applic~1\io2guibM.dat

==================== Find3M ====================

2010-04-26 19:58:12 256512 ----a-w- c:\windows\PEV.exe

============= FINISH: 16:38:32.35 ===============

Edited by Orange Blossom, 23 June 2010 - 08:39 PM.
For the sake of continuity and completeness, topics merged. ~ OB
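As an added example that is not part of this thread or of any tool it mentions: a short Python script that parses the "Created Last 30" section of a DDS log like the one above and lists recently created files under system32 whose names look randomly generated (the 8-character alphanumeric pattern of 7267Y0B5.dll). The sample lines are copied from the log above; the name heuristic, the extension list and the 30-day window are assumptions for the example, and a hit is only a candidate for a closer look, not a verdict.

```python
import re
from datetime import datetime, timedelta

# One entry in the DDS "Created Last 30" section:
# "<date> <time> <size> <attributes> <path>"
ENTRY_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(\S+)\s+(.+)$")

# Assumed heuristic: 8 letters/digits with at least one digit, e.g. 7267Y0B5.dll.
# "lsdelete.exe" is also 8 characters but has no digit, so it is not matched.
RANDOM_NAME_RE = re.compile(r"^(?=.*\d)[A-Z0-9]{8}\.(dll|sys|exe)$", re.I)

# Sample lines copied from the DDS log in the post above.
SAMPLE = """\
2010-06-23 19:01:19 54 ----a-w- c:\\windows\\system32\\rp_stats.dat
2010-06-22 19:31:25 0 d-----w- c:\\program files\\ESET
2010-06-20 18:55:19 15688 ----a-w- c:\\windows\\system32\\lsdelete.exe
2010-06-17 15:51:01 45056 ----a-w- c:\\windows\\system32\\7267Y0B5.dll
2010-06-17 14:03:38 112 ----a-w- c:\\docume~1\\alluse~1\\applic~1\\io2guibM.dat
"""


def parse_entries(text):
    """Return a list of dicts for every well-formed DDS entry in text."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # section headers, blank lines, anything unexpected
        ts, size, attrs, path = m.groups()
        entries.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                        "size": int(size), "attrs": attrs, "path": path})
    return entries


def find_suspicious(text, log_time_str, days=30):
    """Paths of files under system32 with random-looking names created
    within `days` before the log's run time (assumed window)."""
    cutoff = datetime.strptime(log_time_str, "%Y-%m-%d %H:%M:%S") - timedelta(days=days)
    hits = []
    for e in parse_entries(text):
        if e["attrs"].startswith("d"):      # directory entries are skipped
            continue
        name = e["path"].rsplit("\\", 1)[-1]
        in_sys32 = "\\windows\\system32\\" in e["path"].lower()
        if in_sys32 and RANDOM_NAME_RE.match(name) and e["time"] >= cutoff:
            hits.append(e["path"])
    return hits


if __name__ == "__main__":
    print(find_suspicious(SAMPLE, "2010-06-23 16:37:18"))
```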


#3 North Florida IT


Posted 24 June 2010 - 01:19 PM

Thanks for merging the two - I started the new one because my client ran System Restore without notifying me and it caused it to go back to the original state. I'm going to install ESET and run a scan; after the scan I'll repost the attachments. Please get back to me ASAP on this - this is time sensitive - I know you guys are busy. I'd do it myself but there is no public database with the info you guys know - I assume because of security reasons. Please get to this soon. Thanks!

#4 North Florida IT


Posted 24 June 2010 - 03:47 PM

I found a similar issue from this post:

http://www.bleepingcomputer.com/forums/lof...hp/t317939.html

I ran TDLfix.exe on perc2hib.sys - this resolved the IE issue with the software trying to connect.

I ran TDLFix.exe mbr - here are the results:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys PCIIDE.SYS PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK

- I will run TDLFix del, and run ComboFix /Uninstall

I hope all malware has been removed - but please check over the attached files.

Should I run TDLFix.exe on atapi.sys? It was found as a suspicious file on my first run of GMER - it didn't show on the next run. I'll attach that file as soon as it is finished. Please try to get to this post soon. Thanks!

- Steve

#5 North Florida IT


Posted 24 June 2010 - 10:37 PM

This is resolved as far as I am concerned - if I have further issues I will post again. You guys take way too long to get to posts - but I assume you do this on your own time for free... so yeah.... Thanks anyway,

- Steve

#6 Budapest


Posted 27 June 2010 - 04:51 PM

As this issue appears to be resolved I am closing the topic. Please send me (or any other Moderator) a Personal Message (PM) if you would like the topic re-opened.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw
