
I was pointed for a Bootkit rootkit problem


This topic is locked
2 replies to this topic

#1 mattmcw

  • Members
  • 7 posts

Posted 15 July 2010 - 01:16 PM

My original topic is here:

http://www.bleepingcomputer.com/forums/ind...p;#entry1843079

I was told not to do a GMER scan (because it wouldn't show my problem), and to use the dds.scr file to create a report for you.




DDS (Ver_10-03-17.01) - NTFSx86
Run by Chris at 14:22:07.59 on Thu 07/15/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1242 [GMT -4:00]

AV: Norton AntiVirus *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe 4
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe
C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kyocera Mita\Address Book\AddrBook.exe
C:\Program Files\Kyocera Mita\DB Assistant\NsParCom.exe
C:\Program Files\NETGEAR\WG111v2\WG111v2.exe
C:\Program Files\Kyocera Mita\FileUtility\NsCatCom.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
svchost.exe 4
C:\Documents and Settings\Chris\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Chris\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Chris\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Documents and Settings\Chris\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Chris\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Chris\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Chris\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Chris\Desktop\dds.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6070216
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\16.8.0.41\IPSBHO.DLL
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
EB: {182EC0BE-5110-49C8-A062-BEB1D02A220B} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe
StartupFolder: c:\docume~1\chris\startm~1\programs\startup\setup_~1.lnk - c:\documents and settings\chris\desktop\virus removal tool\setup_9.0.0.722_15.07.2010_17-59\startup.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\addres~1.lnk - c:\program files\kyocera mita\address book\AddrBook.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dbassi~1.lnk - c:\program files\kyocera mita\db assistant\NsParCom.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111v2\WG111v2.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\scanne~1.lnk - c:\program files\kyocera mita\fileutility\NsCatCom.exe
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 23480322;23480322 Boot Guard Driver;c:\windows\system32\drivers\23480322.sys [2010-7-15 37392]
R0 61849612;61849612 Boot Guard Driver;c:\windows\system32\drivers\61849612.sys [2010-7-15 37392]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1008000.029\SymEFA.sys [2010-2-3 310320]
R1 23480321;23480321;c:\windows\system32\drivers\23480321.sys [2010-7-15 128016]
R1 61849611;61849611;c:\windows\system32\drivers\61849611.sys [2010-7-15 128016]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nav\1008000.029\BHDrvx86.sys [2010-2-3 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nav\1008000.029\cchpx86.sys [2010-2-3 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20100714.003\IDSXpx86.sys [2010-7-15 331640]
R1 setup_9.0.0.722_15.07.2010_17-59drv;setup_9.0.0.722_15.07.2010_17-59drv;c:\windows\system32\drivers\2348032.sys [2010-7-15 315408]
R2 ASFIPmon;Broadcom ASF IP Monitor;c:\program files\broadcom\asfipmon\AsfIpMon.exe [2006-3-17 65536]
R2 Norton AntiVirus;Norton AntiVirus;c:\program files\norton antivirus\engine\16.8.0.41\ccSvcHst.exe [2010-2-3 117640]
R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2009-6-2 1373480]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-7-15 102448]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100715.003\NAVENG.SYS [2010-7-15 85424]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100715.003\NAVEX15.SYS [2010-7-15 1362608]
R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [2006-3-27 167808]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-10-28 133104]

============== File Associations ===============

.scr=AutoCADLTScriptFile

=============== Created Last 30 ================

2010-07-15 18:07:45 525824 ----a-w- C:\dds.scr
2010-07-15 17:55:48 0 ----a-w- c:\documents and settings\chris\defogger_reenable
2010-07-15 17:53:56 37392 ----a-w- c:\windows\system32\drivers\23480322.sys
2010-07-15 17:53:56 315408 ----a-w- c:\windows\system32\drivers\2348032.sys
2010-07-15 17:53:56 128016 ----a-w- c:\windows\system32\drivers\23480321.sys
2010-07-15 15:51:00 37392 ----a-w- c:\windows\system32\drivers\61849612.sys
2010-07-15 15:51:00 128016 ----a-w- c:\windows\system32\drivers\61849611.sys
2010-07-15 15:39:10 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-15 15:03:50 0 d-----w- c:\program files\TrendMicro
2010-07-14 19:59:32 98816 ----a-w- c:\windows\sed.exe
2010-07-14 19:59:32 77312 ----a-w- c:\windows\MBR.exe
2010-07-14 19:59:32 256512 ----a-w- c:\windows\PEV.exe
2010-07-14 19:59:32 161792 ----a-w- c:\windows\SWREG.exe
2010-07-14 19:59:13 0 d-s---w- C:\ComboFix
2010-07-14 15:44:47 0 d-----w- c:\docume~1\chris\applic~1\Malwarebytes
2010-07-14 15:44:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-14 15:44:39 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-07-14 15:44:38 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-14 15:44:38 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-13 15:33:20 64512 ----a-w- c:\windows\system32\drivers\SERIAL.SYS
2010-07-13 13:29:35 0 d-----w- c:\windows\system32\MpEngineStore
2010-07-08 13:08:47 0 d-----w- c:\windows\system32\windows media
2010-07-08 13:08:30 0 d-----w- c:\windows\RegisteredPackages
2010-07-08 13:08:29 0 d--h--w- c:\windows\msdownld.tmp
2010-07-08 13:08:18 0 d-----w- c:\program files\Windows Media Components
2010-06-30 18:45:14 0 d-----w- c:\windows\system32\drivers\NSS
2010-06-30 18:45:14 0 d-----w- c:\program files\Norton Security Scan
2010-06-30 15:45:16 0 d-----w- c:\windows\system32\Adobe
2010-06-23 12:40:52 0 d-----w- c:\docume~1\alluse~1\applic~1\Blizzard Entertainment

==================== Find3M ====================

2010-07-15 15:36:29 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-05-05 13:30:57 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-05-02 05:22:50 1851264 ------w- c:\windows\system32\dllcache\win32k.sys
2010-04-25 20:53:58 323624 ----a-w- c:\windows\system32\wiaaut.dll
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-20 05:30:08 285696 ------w- c:\windows\system32\dllcache\atmfd.dll

============= FINISH: 14:22:45.95 ===============



Edited by mattmcw, 15 July 2010 - 01:24 PM.
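An added triage example for the DDS sections in this post (my own code, not part of DDS, of the post, or of BleepingComputer's cleaning procedure). It parses the `SERVICES / DRIVERS` and `Created Last 30` / `Find3M` line formats, flags boot-start (R0/R1) drivers whose file appeared within the last week or that carry a digit-only file name, flags core drivers such as atapi.sys that changed recently, and groups files written in the same second so you can see which drivers arrived together with something already registered as a service. The sample lines are copied from the report above; the `CORE_DRIVERS` watch-list, the seven-day window and the report-time anchor are assumptions of the example. The output is a list for a human to check, not a verdict: the report does not say what the digit-named `Boot Guard Driver` entries are, and the grouping only shows that they were written in the same second as the file registered under the `setup_9.0.0.722_15.07.2010_17-59drv` service.

```python
"""Triage helpers for the SERVICES / DRIVERS and Created Last 30 / Find3M
sections of a DDS report. Added example for this thread; not DDS code and not
from the original post. Sample lines below are copied from the report above."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# "<start> <name>;<description>;<path> [<yyyy-m-d> <size>]"
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.+?)"
    r"\s+\[(?P<date>\d{4}-\d{1,2}-\d{1,2})\s+(?P<size>\d+)\]\s*$"
)
# "<yyyy-mm-dd hh:mm:ss> <size> <attrs> <path>"
FILE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<size>\d+)\s+"
    r"(?P<attrs>\S+)\s+(?P<path>.+?)\s*$"
)
# Assumed watch-list of drivers that should only change with OS patches (example's choice).
CORE_DRIVERS = {"atapi.sys", "ntfs.sys", "disk.sys", "ndis.sys", "tcpip.sys", "kbdclass.sys"}

# Constructed sample: a subset of the lines from the DDS report in this post.
SAMPLE_SERVICES = r"""
R0 23480322;23480322 Boot Guard Driver;c:\windows\system32\drivers\23480322.sys [2010-7-15 37392]
R0 61849612;61849612 Boot Guard Driver;c:\windows\system32\drivers\61849612.sys [2010-7-15 37392]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1008000.029\SymEFA.sys [2010-2-3 310320]
R1 23480321;23480321;c:\windows\system32\drivers\23480321.sys [2010-7-15 128016]
R1 61849611;61849611;c:\windows\system32\drivers\61849611.sys [2010-7-15 128016]
R1 setup_9.0.0.722_15.07.2010_17-59drv;setup_9.0.0.722_15.07.2010_17-59drv;c:\windows\system32\drivers\2348032.sys [2010-7-15 315408]
R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [2006-3-27 167808]
"""
SAMPLE_FILES = r"""
2010-07-15 17:53:56 37392 ----a-w- c:\windows\system32\drivers\23480322.sys
2010-07-15 17:53:56 315408 ----a-w- c:\windows\system32\drivers\2348032.sys
2010-07-15 17:53:56 128016 ----a-w- c:\windows\system32\drivers\23480321.sys
2010-07-15 15:51:00 37392 ----a-w- c:\windows\system32\drivers\61849612.sys
2010-07-15 15:51:00 128016 ----a-w- c:\windows\system32\drivers\61849611.sys
2010-07-14 15:44:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-15 15:36:29 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
"""
# End of the report's day (header says 14:22 local, GMT -4). A day-granular anchor
# keeps the window check independent of which zone DDS prints file times in.
REPORT_TIME = datetime(2010, 7, 15, 23, 59, 59)


def _basename(path):
    return path.rsplit("\\", 1)[-1]


def _parse(text, regex):
    return [m.groupdict() for m in map(regex.match, (l.strip() for l in text.splitlines())) if m]


def parse_services(text):
    """Parse SERVICES / DRIVERS lines; paths are lower-cased for matching."""
    return [dict(d, size=int(d["size"]), path=d["path"].lower()) for d in _parse(text, SERVICE_RE)]


def parse_files(text):
    """Parse Created Last 30 / Find3M lines; the timestamp becomes a datetime."""
    return [dict(d, size=int(d["size"]), path=d["path"].lower(),
                 ts=datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S"))
            for d in _parse(text, FILE_RE)]


def triage(services, files, report_time, window_days=7):
    """Return a sorted list of (reason, path) findings worth a human look."""
    cutoff = report_time - timedelta(days=window_days)
    by_path = {f["path"]: f for f in files}
    findings = set()
    for s in services:
        if s["start"] not in ("R0", "R1"):      # boot- and system-start drivers only
            continue
        f = by_path.get(s["path"])
        if f and f["ts"] >= cutoff:
            findings.add(("boot-start driver created in window", s["path"]))
        if re.fullmatch(r"\d+\.sys", _basename(s["path"])):
            findings.add(("boot-start driver with digit-only name", s["path"]))
    for f in files:
        if _basename(f["path"]) in CORE_DRIVERS and f["ts"] >= cutoff:
            findings.add(("core driver modified in window", f["path"]))
    return sorted(findings)


def dropped_with(services, files):
    """Map each registered driver file to the names of the other services whose files
    were written in the same second: a cheap way to attribute drivers to one installer."""
    by_second = defaultdict(list)
    for f in files:
        by_second[f["ts"]].append(f["path"])
    name_of = {s["path"]: s["name"] for s in services}
    result = {}
    for paths in by_second.values():
        for p in paths:
            if p in name_of:
                result[p] = {name_of[q] for q in paths if q != p and q in name_of}
    return result


def run_sample():
    services = parse_services(SAMPLE_SERVICES)
    files = parse_files(SAMPLE_FILES)
    return triage(services, files, REPORT_TIME), dropped_with(services, files)


if __name__ == "__main__":
    findings, groups = run_sample()
    for reason, path in findings:
        print(f"{reason}: {path}")
    for path, names in sorted(groups.items()):
        if names:
            print(f"{path} written together with services: {', '.join(sorted(names))}")
```

Run against the sample it reports eleven findings and two same-second groups. The grouping is the part to read first: a driver that was dropped in the same second as a file belonging to a tool the user installed that afternoon needs a different response than one with no explanation. For atapi.sys the report's own data suggests the next step, which is comparing the file against the copy in dllcache and a known-good hash before deciding anything.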



#2 mattmcw

  • Topic Starter
  • Members
  • 7 posts

Posted 16 July 2010 - 10:44 AM

Please ignore this message.

After seeing how many others were on this website with the same thing, I decided to reformat.

Sorry I couldn't explore this more with you.

#3 Budapest

    Bleepin' Cynic

  • Moderator
  • 23,573 posts
  • Gender:Male

Posted 16 July 2010 - 10:14 PM

Topic closed.

The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw



