
Suspected rootkit - XP cannot shut down system, only reboots


2 replies to this topic

#1 I.hate.doze


Posted 16 August 2010 - 02:52 PM

Hi folks - Like many who have gone before me, I am here seeking help trying to sort out a very ill doze box. Any help would be appreciated.

At issue -

1) System will load up to 100% CPU usage and become completely unresponsive.
2) XP cannot shut the system "off"; the system reboots instead.
3) Mouse tends to require "waking up" from time to time.
4) Other weirdness that can't be pinpointed with 100% certainty.

Any help would be appreciated.

BTW, I should also mention that I ran TDSSKiller a couple of days ago, which found and removed a rootkit. Unfortunately I can't remember the name of the variant nor the names of the affected files, one of which it had flagged as a definite for removal, which was removed, and a driver file that it listed as suspect, which I left in place. Hopefully I haven't left myself stranded.

DDS.txt -


DDS (Ver_10-03-17.01) - NTFSx86
Run by Drew at 13:36:18.83 on Mon 08/16/2010
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.490 [GMT -4:00]

AV: Norton AntiVirus *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Worm Protection *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Canon\BJCard\Bjmcmng.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Canon\BJPV\TVMon.exe
C:\Program Files\Canon\BJCard\BJLaunch.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Norton SystemWorks\Norton CleanSweep\CsinsmNT.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Drew\Desktop\dds.pif

============== Pseudo HJT Report ===============

uURLSearchHooks: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\tbFre0.dll
BHO: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\tbFre0.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: WsftpBrowserHelper Class: {601ed020-fb6c-11d3-87d8-0050da59922b} - c:\program files\ws_ftp pro\wsbho2k0.dll
BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - c:\program files\norton systemworks\norton antivirus\NavShExt.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton systemworks\norton antivirus\NavShExt.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\tbFre0.dll
uRun: [Norton SystemWorks] "c:\program files\norton systemworks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Symantec NetDriver Monitor] c:\progra~1\symnet~1\SNDMon.exe /Consumer
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [BJPD HID Control] c:\program files\canon\bjpv\TVMon.exe
mRun: [BJLaunchEXE] c:\program files\canon\bjcard\BJLaunch.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\cleans~1.lnk - c:\program files\norton systemworks\norton cleansweep\CsinsmNT.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\symant~1.lnk - c:\program files\microsoft office\office\1033\OLFSNT40.EXE
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
uPolicies-explorer: NoResolveTrack = 1 (0x1)
uPolicies-explorer: NoSMMyPictures = 1 (0x1)
dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
dPolicies-explorer: NoResolveTrack = 1 (0x1)
dPolicies-explorer: NoSMMyPictures = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: winqto32 - winqto32.dll
AppInit_DLLs: apitrap.dll

============= SERVICES / DRIVERS ===============

R1 SAVRTPEL;SAVRTPEL;c:\program files\norton systemworks\norton antivirus\SAVRTPEL.SYS [2004-7-23 50312]
R2 BCMNTIO;BCMNTIO;c:\progra~1\checkit\diagno~1\BCMNTIO.sys [2010-1-19 3744]
R2 MAPMEM;MAPMEM;c:\progra~1\checkit\diagno~1\MAPMEM.sys [2010-1-19 3904]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-17 11032]
R3 GETND5BV;VIA Networking Velocity-Family Giga-bit Ethernet Adapter Driver;c:\windows\system32\drivers\getnd5bv.sys [2010-1-19 46080]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100811.002\NAVENG.Sys [2010-8-12 85424]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100811.002\NavEx15.Sys [2010-8-12 1362608]
R3 QDFSDRV;QDFSDRV;c:\windows\system32\drivers\qdfsdrv.sys [2004-8-31 13792]
R3 SAVRT;SAVRT;c:\program files\norton systemworks\norton antivirus\SAVRT.SYS [2004-7-23 338056]

=============== Created Last 30 ================

2010-08-16 16:46:12 0 d-----w- c:\program files\MSXML 4.0
2010-08-14 21:36:10 40 ---ha-w- c:\windows\system32\ivireg.ivr
2010-08-14 21:32:02 88 --sh--r- c:\docume~1\alluse~1\applic~1\A3AFC482B5.sys
2010-08-14 21:32:02 3350 --sha-w- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2010-08-14 21:31:33 10368 ----a-w- c:\windows\system32\drivers\iviaspi.sys
2010-08-14 21:30:26 0 d-----w- c:\program files\common files\xing shared
2010-08-14 21:30:17 0 d-----w- c:\program files\common files\Real
2010-08-14 21:29:20 0 d-----w- c:\docume~1\alluse~1\applic~1\Corel
2010-08-14 21:29:06 0 d-----w- c:\program files\InterVideo
2010-08-14 21:29:05 0 d-----w- c:\program files\common files\Protexis
2010-08-14 21:29:05 0 d-----w- c:\program files\common files\InterVideo
2010-08-14 21:28:47 0 d-----w- c:\program files\Corel
2010-08-14 21:27:49 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll
2010-08-12 19:38:48 49152 ----a-w- c:\windows\system32\FTPStubInstUtils.dll
2010-08-12 19:38:46 0 d-----w- c:\program files\WS_FTP Pro
2010-08-12 19:18:22 81920 ----a-w- c:\windows\system32\winqto32.dll
2010-08-12 19:17:20 81920 ----a-w- c:\windows\system32\wintxl32.dll
2010-08-04 08:39:21 664 ----a-w- c:\windows\system32\d3d9caps.dat

==================== Find3M ====================

2010-08-13 19:32:31 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:10:44 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-06-24 12:10:44 667136 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27:11 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\msxml3.dll
1999-04-26 17:58:06 70144 ----a-w- c:\program files\common files\IRAMDMTR.DLL
1999-04-26 17:58:06 48640 ----a-w- c:\program files\common files\IRALPTTR.DLL
1999-04-26 17:58:06 31744 ----a-w- c:\program files\common files\IRAWEBTR.DLL
1999-04-26 17:58:06 186368 ----a-w- c:\program files\common files\IRAREG.DLL
1999-04-26 17:58:06 17920 ----a-w- c:\program files\common files\IRASRIAL.DLL
1999-04-26 17:58:04 99840 ----a-w- c:\program files\common files\IRAABOUT.DLL

============= FINISH: 13:36:53.30 ===============

Attach.txt - uploaded.

Ark.txt - (GMER.log - this took a long time and a couple of tries to acquire)

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-08-16 15:18:43
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Drew\LOCALS~1\Temp\pweyqpog.sys


---- System - GMER 1.0.15 ----

SSDT 84856CC0 ZwConnectPort
SSDT 846B62B8 ZwOpenProcess
SSDT 844F0BF0 ZwOpenThread

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF642E360, 0x32DEFD, 0xE8000020]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \FileSystem\Ntfs \Ntfs qdfsdrv.sys (Norton Filter Driver/Symantec Corporation)
AttachedDevice \FileSystem\Ntfs \Ntfs ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

---- EOF - GMER 1.0.15 ----

Again, any help would be appreciated.

Thanks in advance.

Edited by I.hate.doze, 16 August 2010 - 09:10 PM.
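An added triage example for logs like the one above (not part of the original post, and not a DDS, GMER or BleepingComputer tool): the script reads a DDS.txt, pulls the autostart lines from the Pseudo HJT Report and the files under Created Last 30, and flags any autostart whose target file was created shortly before the scan, plus anything registered as a Winlogon Notify package or in AppInit_DLLs, since those two locations load a DLL into winlogon.exe (as SYSTEM) and into every process that maps user32.dll. The embedded excerpt is copied from the log posted above; the 7-day window, the 300-second same-size sibling check and the finding format are assumptions of the example, and a hit only means the file deserves a look, not that it is malicious.

```python
"""Triage helper for a DDS.txt log: cross-reference autostart entries in the
"Pseudo HJT Report" against the "Created Last 30" file list.

Added example for this thread, not part of the original post or of DDS itself.
The heuristics only say "look at this file"; they do not decide it is malware.
"""
import re
from datetime import datetime

# Constructed excerpt: a handful of lines copied from the DDS log posted above.
DDS_EXCERPT = r"""
DDS (Ver_10-03-17.01) - NTFSx86
Run by Drew at 13:36:18.83 on Mon 08/16/2010
============== Pseudo HJT Report ===============
BHO: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\tbFre0.dll
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
Notify: winqto32 - winqto32.dll
AppInit_DLLs: apitrap.dll
=============== Created Last 30 ================
2010-08-16 16:46:12 0 d-----w- c:\program files\MSXML 4.0
2010-08-12 19:38:48 49152 ----a-w- c:\windows\system32\FTPStubInstUtils.dll
2010-08-12 19:18:22 81920 ----a-w- c:\windows\system32\winqto32.dll
2010-08-12 19:17:20 81920 ----a-w- c:\windows\system32\wintxl32.dll
==================== Find3M ====================
"""

LINE_HEADER = re.compile(r"^Run by .* at \d{2}:\d{2}:\d{2}\.\d+ on \w+ (\d{2}/\d{2}/\d{4})")
LINE_CREATED = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(\S{8})\s+(.+?)\s*$")
FILE_REF = re.compile(r"\S+?\.(?:dll|exe|sys)\b", re.IGNORECASE)

# Winlogon Notify packages load into winlogon.exe (SYSTEM) and AppInit_DLLs load
# into every process that maps user32.dll, so any entry there gets reviewed.
ALWAYS_REVIEW = ("Notify:", "AppInit_DLLs:")
AUTOSTART = ALWAYS_REVIEW + ("BHO:", "TB:", "uURLSearchHooks:", "uRun:", "mRun:",
                             "dRunOnce:", "StartupFolder:")


def basename(path):
    """Last path component, lower-cased, surrounding quotes stripped."""
    return re.split(r"[\\/]", path.strip('"')).pop().lower()


def parse_dds(text):
    """Return (scan_date, {basename: (created, size, path)}, [autostart lines])."""
    scan_date, created, autostarts = None, {}, []
    for line in text.splitlines():
        m = LINE_HEADER.match(line)
        if m:
            scan_date = datetime.strptime(m.group(1), "%m/%d/%Y").date()
            continue
        m = LINE_CREATED.match(line)
        if m:
            if m.group(3)[0] != "d":   # attribute string 'd-----w-' marks a directory
                when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
                created[basename(m.group(4))] = (when, int(m.group(2)), m.group(4))
            continue
        if line.startswith(AUTOSTART):
            autostarts.append(line)
    return scan_date, created, autostarts


def triage(text, window_days=7, sibling_seconds=300):
    """List autostart entries worth a second look, plus files dropped next to them.

    Ages are compared by calendar day against the scan date in the DDS header;
    window_days and sibling_seconds are assumed thresholds, not DDS settings.
    """
    scan_date, created, autostarts = parse_dds(text)
    findings = []
    for entry in autostarts:
        for ref in FILE_REF.findall(entry):
            name, reasons = basename(ref), []
            hit = created.get(name)
            if entry.startswith(ALWAYS_REVIEW):
                reasons.append("high-value autostart location")
            if hit and scan_date:
                age = (scan_date - hit[0].date()).days
                if age <= window_days:
                    reasons.append("file created %d day(s) before the scan" % age)
            if reasons:
                findings.append({"entry": entry, "file": name, "reasons": reasons,
                                 "path": hit[2] if hit else "(not in Created list)"})
    # Second pass: a file of identical size written within minutes of a flagged
    # one is often part of the same drop even when nothing references it yet.
    reported = {f["file"] for f in findings}
    for name in [f["file"] for f in findings if f["file"] in created]:
        when, size, _ = created[name]
        for other, (owhen, osize, opath) in created.items():
            if other in reported or osize != size or abs((owhen - when).total_seconds()) > sibling_seconds:
                continue
            reported.add(other)
            findings.append({"entry": "(no autostart entry)", "file": other, "path": opath,
                             "reasons": ["same size as %s, created within %ds of it" % (name, sibling_seconds)]})
    return findings


if __name__ == "__main__":
    for f in triage(DDS_EXCERPT):
        print("%-24s %s\n    %s" % (f["file"], "; ".join(f["reasons"]), f["entry"]))
```

On the excerpt it reports three items: winqto32.dll (a Winlogon Notify entry whose DLL was created four days before the scan), apitrap.dll (an AppInit_DLLs entry that does not appear in the Created Last 30 list, so the script can say nothing about its age), and wintxl32.dll, which has the same 81920-byte size as winqto32.dll and was written about a minute before it. The toolbar BHO and the Symantec mRun entry are not flagged because their files are neither recent nor in a high-value location. The output is a list of files to pull and examine, which is the kind of shortlist a helper in this thread would ask to have uploaded.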


#2 I.hate.doze


Posted 17 August 2010 - 10:14 AM

This one can be closed. I've managed to clean it up on my own.

#3 Budapest

  • Moderator

Posted 17 August 2010 - 04:24 PM

As this issue appears to be resolved I am closing the topic. Please send me (or any other Moderator) a Personal Message (PM) if you would like the topic re-opened.