Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Bitrix Security


  • This topic is locked This topic is locked
2 replies to this topic

#1 cheekcn

cheekcn

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:09:59 AM

Posted 11 October 2010 - 10:50 AM

I have been working on this computer for several days now; however, I still can't seem to get it clean. Malwarebytes returned no problems, but ComboFix complained of a rootkit. I've attached my combofix log. Please help if you can.


ComboFix 10-10-10.02 - ccheek 10/11/2010 8:27.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.619 [GMT -5:00]
Running from: c:\documents and settings\ccheek\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\bowmanr\GoToAssistDownloadHelper.exe
c:\documents and settings\ccheek\Application Data\Bitrix Security
c:\documents and settings\ccheek\Application Data\Bitrix Security\hwwkat9_shrd
c:\documents and settings\shipping\Application Data\Bitrix Security
c:\documents and settings\shipping\Application Data\Bitrix Security\fg.txt
c:\documents and settings\shipping\Application Data\Bitrix Security\hjzvk
c:\documents and settings\shipping\Application Data\Bitrix Security\hwwkat9_shrd
c:\documents and settings\shipping\Application Data\Bitrix Security\jje.txt
c:\documents and settings\shipping\Application Data\Bitrix Security\ljgh.txt
c:\documents and settings\shipping\Application Data\Bitrix Security\lop.txt
c:\documents and settings\shipping\Application Data\Bitrix Security\mxd1.txt
c:\documents and settings\shipping\Application Data\Bitrix Security\plk.txt
c:\documents and settings\shipping\Application Data\Bitrix Security\qnf.txt
c:\documents and settings\shipping\GoToAssistDownloadHelper.exe
D:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://advtis-fa2:8530
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FAD


((((((((((((((((((((((((( Files Created from 2010-09-11 to 2010-10-11 )))))))))))))))))))))))))))))))
.

2010-10-08 18:55 . 2010-10-08 18:55 -------- d-----w- c:\documents and settings\shipping\Local Settings\Application Data\Apple
2010-10-08 18:53 . 2010-10-08 18:53 -------- d-----w- c:\documents and settings\shipping\Application Data\Malwarebytes
2010-10-08 18:53 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-08 18:53 . 2010-10-08 18:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-10-08 18:53 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-08 18:53 . 2010-10-08 18:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-01 18:18 . 2010-10-01 18:57 118784 ----a-w- c:\windows\system32\chg.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-02-28 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-07-21 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-07-21 86016]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-07-21 81920]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-08 61952]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-04 16250880]
"PDF Complete"="c:\program files\PDF Complete\pdfsty.exe" [2007-08-07 331288]
"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 525824]
"Recguard"="c:\windows\Sminst\Recguard.exe" [2006-05-12 1138688]
"Scheduler"="c:\windows\SMINST\Scheduler.exe" [2006-07-10 872448]
"WinVNC"="c:\program files\UltraVNC\WinVNC.exe" [2006-06-18 712704]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2006-06-07 126976]
"StatusClient"="c:\program files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe" [2002-12-16 36864]
"TomcatStartup"="c:\program files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe" [2003-04-01 155648]
"OrderReminder"="c:\program files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe" [2008-01-31 98304]
"SBAMTray"="c:\program files\Sunbelt Software\SBEAgent\SBAMTray.exe" [2010-01-04 669008]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"= 1 (0x1)
"NoSMMyDocs"= 1 (0x1)
"NoStartMenuMyMusic"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PCA"=2 (0x2)
"iPod Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\Javasoft\\JRE\\1.3.1\\bin\\javaw.exe"=

R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [3/10/2010 7:47 PM 13360]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [10/13/2009 9:22 AM 95024]
R1 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [3/10/2010 7:19 PM 203056]
R2 AcronisAgent;Acronis Remote Agent;c:\program files\Common Files\Acronis\Agent\agent.exe [6/6/2006 11:18 PM 315392]
R2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [11/19/2007 4:55 AM 540184]
R2 SBAMSvc;VIPRE Enterprise Agent;c:\program files\Sunbelt Software\SBEAgent\SBAMSvc.exe [1/4/2010 6:02 PM 1012080]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [3/10/2010 7:47 PM 69936]
S3 Smcinst;Symantec Auto-upgrade Agent;c:\program files\Symantec AntiVirus\SmcLU\Setup\smcinst.exe --> c:\program files\Symantec AntiVirus\SmcLU\Setup\smcinst.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.advtis.com/
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {19529B56-E206-4F0B-B44E-97B5F4861E6A} - hxxp://192.168.1.245:8080/businessobjects/enterprise115/desktoplaunch/viewers/crystalreportviewers115/ActiveXControls/PrintControl.cab
DPF: {6F83F815-49D0-46BB-A81C-A9D18C33A0E7} - hxxp://192.168.1.225/cab/Dibos80.CAB
.
- - - - ORPHANS REMOVED - - - -

Notify-NavLogon - (no file)
ActiveSetup-{B0B9B83C-BBFC-49F5-93F4-BC388B073320} - c:\documents and settings\shipping\Application Data\Bitrix Security\hwwkat9.dll



Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8657AC56]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf75ccfc3
\Driver\ACPI -> ACPI.sys @ 0xf745fcb8
\Driver\atapi -> atapi.sys @ 0xf73f17b4
IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x80581684
\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x80581684
NDIS: Broadcom NetXtreme Gigabit Ethernet -> SendCompleteHandler -> NDIS.sys @ 0xf72eaba0
PacketIndicateHandler -> NDIS.sys @ 0xf72f7b21
SendHandler -> NDIS.sys @ 0xf72d587b
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pdfcDispatcher]
"ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(708)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(768)
c:\windows\system32\WININET.dll
c:\windows\system32\relog_ap.dll

- - - - - - - > 'explorer.exe'(4064)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Windows Media Player\WMPNetwk.exe
c:\windows\RTHDCPL.EXE
c:\program files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
.
**************************************************************************
.
Completion time: 2010-10-11 08:49:38 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-11 13:49

Pre-Run: 54,914,744,320 bytes free
Post-Run: 55,499,771,904 bytes free

- - End Of File - - 67BED4C7C7B6CB5D2ECBAD6063E3C6CA

Edited by boopme, 11 October 2010 - 03:33 PM.


BC AdBot (Login to Remove)

 


#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:02:59 PM

Posted 17 October 2010 - 01:52 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks thumbup2.gif
Posted Image
m0le is a proud member of UNITE

#3 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:02:59 PM

Posted 21 October 2010 - 06:31 PM

This topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
Posted Image
m0le is a proud member of UNITE




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users