
ojwmmc Rootkit Infection = Safe Mode or BSOD


  • This topic is locked
2 replies to this topic

#1 omnimage

omnimage

  • Members
  • 2 posts

Posted 19 October 2010 - 01:22 AM

Computer continuously crashes with BSOD error as early as user log in screen, unless operating in Safe Mode.
(Note: Safe mode occasionally crashes with the same error/same filename)

Blue Screen Of Death with the following technical information:

driver_irql_not_less_or_equal
*** Stop: ojwmmc.sys - address F754ECCB base at F754a000, datestamp 4c906e35
_____________

I initially did a search for ojwmmc and found it in the driver directory and also in various registry entries:

ojwmmc.sys 0xf754a000 (File Type Unknown) C:\windows\system32\drivers

Example Registry Paths:
my computer\hkey_local_machine\system\controlset001\Services\ojwmmc (Cannot open ojwmmc: error while opening key)
my computer\hkey_local_machine\system\controlset001\enum\root\legacy_ojwmmc\00 00 (Service, REG_SZ, ojwmmc)

No virus/malware/rootkit remover has been able to resolve this problem yet, but I was redirected here from another section of the forum for expert analysis.

Following the instructions on the preparation page and scanning, GMER came up with a rootkit infection alert - so here are my DDS and GMER logs as requested.

Thank you very much for the help!


_______________________________________


DDS (Ver_10-10-10.03) - NTFSx86 NETWORK
Run by DarkLight at 17:20:56.73 on Mon 10/18/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.580 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
"C:\WINDOWS\System32\svchost.exe"
"C:\WINDOWS\System32\svchost.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\DarkLight\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=em250&r=0xph04103325l04c4wu95r44k26243
uDefault_Page_URL = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=em250&r=0xph04103325l04c4wu95r44k26243
mDefault_Page_URL = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=em250&r=0xph04103325l04c4wu95r44k26243
mStart Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=em250&r=0xph04103325l04c4wu95r44k26243
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:6092
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [PLFSetL] c:\windows\PLFSetL.exe
mRun: [snp2uvc] rundll32.exe c:\windows\system32\csnp2uvc.dll,ResetCIDS
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [LManager] c:\program files\launch manager\LManager.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [AzMixerSel] c:\program files\realtek\audio\drivers\AzMixerSel.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
uPolicies-explorer: NoInstrumentation = 1 (0x1)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} -
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
Notify: WBSrv - c:\program files\windowblinds\wbsrv.dll
AppInit_DLLs: wbsys.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: {EC654325-1273-C2A9-2B7C-45D29BCE68FB} - No File
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File
LSA: Notification Packages = scecli

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\darkli~1\applic~1\mozilla\firefox\profiles\lqlny6f4.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.bkmks.com/bookmarks
FF - component: c:\documents and settings\darklight\application data\mozilla\firefox\profiles\lqlny6f4.default\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}\platform\winnt_x86-msvc\components\WeaveCrypto.dll
FF - component: c:\documents and settings\darklight\application data\mozilla\firefox\profiles\lqlny6f4.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc_fireftp.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {E7A930CD-2A1D-4ABC-B1E1-93F053F819C1} - c:\documents and settings\darklight\local settings\application data\{E7A930CD-2A1D-4ABC-B1E1-93F053F819C1}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

============= SERVICES / DRIVERS ===============

R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [2009-11-6 38912]
S2 ASTSRV;Nalpeiron Licensing Service;c:\windows\system32\ASTSRV.EXE [2010-4-22 57344]
S2 CronService;Cron Service for Prey;c:\prey\platform\windows\cronsvc.exe [2010-8-30 16384]
S2 DsiWMIService;Dritek WMI Service;c:\program files\launch manager\dsiwmis.exe [2009-11-6 107016]
S2 gupdate1cadce5ed965c9a;Google Update Service (gupdate1cadce5ed965c9a);c:\program files\google\update\GoogleUpdate.exe [2010-4-15 133104]
S2 Updater Service;Updater Service;c:\program files\emachines\emachines updater\UpdaterService.exe [2009-11-6 240160]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-11-6 1684736]
S3 CtPmFilt;CtPmFilt;c:\windows\system32\drivers\CtPmFilt.sys [2010-7-6 18176]
S3 DRVIO;DRVIO;\??\c:\progra~1\walker\drvinst\bin\drvio.sys --> c:\progra~1\walker\drvinst\bin\drvio.sys [?]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2009-11-6 162816]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\drivers\rts516xir.sys --> c:\windows\system32\drivers\Rts516xIR.sys [?]
S3 StixKB;Stix Virtual Keybord Driver;c:\windows\system32\drivers\stixkb.sys --> c:\windows\system32\drivers\StixKB.sys [?]
S3 teamviewervpn;TeamViewer VPN Adapter;c:\windows\system32\drivers\teamviewervpn.sys [2010-3-11 25088]

============== File Associations ===============

regfile\shell\edit\command=%SystemRoot%\system32\NOTEPAD.EXE %1
.reg=

=============== Created Last 30 ================

2010-10-18 17:54:02 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-18 17:54:00 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-18 17:54:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-18 03:56:07 -------- d-----w- c:\documents and settings\darklight\DoctorWeb
2010-10-17 06:59:46 172032 ----a-w- c:\windows\system32\igfxres.dll
2010-10-17 04:22:25 -------- d-----w- c:\program files\Add Remove Pro
2010-10-15 00:37:18 -------- d-----w- C:\eDrivers_Backup
2010-10-15 00:36:02 -------- d-----w- c:\program files\walker
2010-10-04 00:08:38 -------- d-----w- c:\windows\system32\CatRoot2
2010-09-24 21:06:03 -------- d-----w- c:\docume~1\darkli~1\applic~1\ChemTable Software
2010-09-23 04:02:56 -------- d-----w- c:\docume~1\darkli~1\locals~1\applic~1\JeS_Consultancy
2010-09-22 05:11:36 -------- d-----w- c:\windows\Downloaded Installations
2010-09-22 03:10:41 -------- d-----w- C:\Prey
2010-09-19 23:36:14 -------- d-----w- c:\docume~1\darkli~1\applic~1\SideSlide

==================== Find3M ====================

2010-09-17 18:11:07 0 ----a-w- c:\windows\Lvikisunogewus.bin
2010-09-16 20:31:30 2838 ----a-w- c:\windows\odelovol.dll
2010-09-16 19:51:47 2838 ----a-w- c:\windows\ovaqayoq.dll
2010-09-14 03:25:47 103744 ----a-w- c:\windows\system32\mscomm32.ocx
2010-09-14 03:25:44 140488 ----a-w- c:\windows\system32\comdlg32.ocx
2010-09-14 03:25:18 487424 ----a-w- c:\windows\system32\msvcp70.dll
2010-09-14 03:25:18 344064 ----a-w- c:\windows\system32\msvcr70.dll
2010-09-10 08:47:56 5243208 ----a-w- c:\docume~1\darkli~1\applic~1\AvsP.exe
2010-09-10 08:47:33 4284535 ----a-w- c:\docume~1\darkli~1\applic~1\ffdshow.exe
2010-09-10 08:47:15 642685 ----a-w- c:\docume~1\darkli~1\applic~1\xvid.exe
2010-09-10 08:47:12 2169915 ----a-w- c:\docume~1\darkli~1\applic~1\Imgburn.exe
2010-09-10 08:47:03 4182178 ----a-w- c:\docume~1\darkli~1\applic~1\Avisynth.exe
2010-09-09 22:39:14 2826240 ----a-w- c:\windows\system32\GPhotos.scr
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-14 03:43:08 1311335 ----a-w- c:\windows\system32\aquarium.scr
2010-08-04 05:34:05 2560 ----a-w- c:\windows\_MSRSTRT.EXE
2010-07-22 15:49:15 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57:20 5120 ----a-w- c:\windows\system32\xpsp4res.dll

============= FINISH: 17:21:52.00 ===============


eMachines Netbook em250 - Intel Atom, CPU N270@1.60ghz, 1gb RAM
Windows XP Home Edition 2002 with SP3 (also, .net framework 3.5 sp1)
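The DDS log above is long, and the entries an analyst actually looks at first are the ones the tool itself could not account for. The script below is an added example written for this page; it is not code from the thread or from the DDS tool. It assumes only the layout visible in the posted log (`=== NAME ===` section headers, `STATE name;display;path [date size]` service lines, and `YYYY-MM-DD HH:MM:SS size attrs path` file lines) and uses a handful of lines copied from that log as constructed sample input. It parses those sections into records and produces two review lists: drivers whose file DDS marked with `[?]` (it could not read the file's date and size), and files that sit directly in the Windows directory rather than in a subdirectory, which is a place regular installers rarely write to. Both are triage queues for a human, not verdicts.

```python
"""Triage helper for the DDS log format shown in the thread above.

Added example, not part of the original post and not code from the DDS tool.
Assumes the DDS layout seen in the posted log (an assumption, see lead-in).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: lines copied from the log posted above, nothing added.
SAMPLE_LOG = r"""
============= SERVICES / DRIVERS ===============

R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [2009-11-6 38912]
S3 DRVIO;DRVIO;\??\c:\progra~1\walker\drvinst\bin\drvio.sys --> c:\progra~1\walker\drvinst\bin\drvio.sys [?]
S3 StixKB;Stix Virtual Keybord Driver;c:\windows\system32\drivers\stixkb.sys --> c:\windows\system32\drivers\StixKB.sys [?]

==================== Find3M ====================

2010-09-17 18:11:07 0 ----a-w- c:\windows\Lvikisunogewus.bin
2010-09-16 20:31:30 2838 ----a-w- c:\windows\odelovol.dll
2010-09-14 03:25:47 103744 ----a-w- c:\windows\system32\mscomm32.ocx
2010-08-04 05:34:05 2560 ----a-w- c:\windows\_MSRSTRT.EXE
2010-07-22 15:49:15 590848 ----a-w- c:\windows\system32\rpcrt4.dll

============= FINISH: 17:21:52.00 ===============
"""

HEADER_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+)$")
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\S+)\s+(\S+)\s+(.+)$")
# A file sitting directly in the Windows directory, not in any subdirectory.
WINROOT_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+$", re.IGNORECASE)


@dataclass
class FileEntry:
    timestamp: str
    size: Optional[int]   # None for directory entries (DDS prints "--------")
    attrs: str            # e.g. "----a-w-" for files, "d-----w-" for directories
    path: str


@dataclass
class ServiceEntry:
    state: str            # R = running, S = stopped; digit = start type
    name: str
    display: str
    path: str
    file_missing: bool    # DDS appends "[?]" when it could not read the file's date/size


def parse_dds(text: str) -> Dict[str, List[str]]:
    """Split a DDS log into sections keyed by the header text between the '=' runs."""
    sections: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line.strip():
            sections[current].append(line)
    return sections


def parse_file_entries(lines: List[str]) -> List[FileEntry]:
    """Parse 'Created Last 30' / 'Find3M' lines into FileEntry records."""
    out = []
    for line in lines:
        m = FILE_RE.match(line)
        if m:
            ts, size, attrs, path = m.groups()
            out.append(FileEntry(ts, int(size) if size.isdigit() else None, attrs, path.strip()))
    return out


def parse_services(lines: List[str]) -> List[ServiceEntry]:
    """Parse 'SERVICES / DRIVERS' lines; resolve the '-->' form to the path DDS looked for."""
    out = []
    for line in lines:
        m = SERVICE_RE.match(line)
        if not m:
            continue
        state, name, display, rest = m.groups()
        missing = rest.rstrip().endswith("[?]")
        if "-->" in rest:
            rest = rest.split("-->", 1)[1]
        path = rest.rsplit(" [", 1)[0].strip()
        out.append(ServiceEntry(state, name, display, path, missing))
    return out


def triage(text: str) -> Dict[str, List[str]]:
    """Return the two review lists described in the lead-in."""
    sections = parse_dds(text)
    files: List[FileEntry] = []
    for name in ("Created Last 30", "Find3M"):
        files += parse_file_entries(sections.get(name, []))
    services = parse_services(sections.get("SERVICES / DRIVERS", []))
    root_files = [f.path for f in files
                  if f.attrs.startswith("-") and WINROOT_RE.match(f.path)]  # skip directories
    missing = [s.name for s in services if s.file_missing]
    return {"windows_root_files": root_files, "drivers_missing_on_disk": missing}


if __name__ == "__main__":
    for key, items in triage(SAMPLE_LOG).items():
        print(key)
        for item in items:
            print("   ", item)
```

Run against the full log in the post, the Windows-root list would also surface `ovaqayoq.dll`, and the missing-file list would add `Rts516xIR`. Neither list says anything about intent: a vendor driver whose file was removed by an uninstaller lands in the second list just as a rootkit component would, so each entry still needs the file itself (or its absence) checked before anything is concluded.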



#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 27 October 2010 - 06:56 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
m0le is a proud member of UNITE

#3 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 01 November 2010 - 08:37 PM

This topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE
