
Combofix shows rootkit



#1 clubkookoo (Members, 3 posts)

Posted 19 October 2010 - 07:03 PM

I have a computer and it had a rootkit virus, but ComboFix seemed to get rid of it. I removed a bunch of programs, ran chkdsk /r, ran Trend Micro antivirus, HijackThis (to clean up the registry), Malwarebytes and Sophos Anti-Rootkit. However, I have run ComboFix after every one of these and it still reboots with "rootkit activity". I know your forum says not to run ComboFix unless you say so, but this recommendation was from another source.

I also keep getting memory errors in wmiprvse.exe, where it says:
Application popup: wmiprvse.exe - Application Error : The instruction at "0x7c911119" referenced memory at "0x0008b456". The memory could not be "written".

The computer is a Dell Latitude X1, WinXP Pro SP3. FYI, I have just added back the Trend Micro and Check Point clients. I had uninstalled them for the previous testing.

Attached are attach.txt and ark.txt.

Below is dds.txt:


DDS (Ver_10-10-10.03) - NTFSx86
Run by lshishino-cruz at 16:36:46.11 on Tue 10/19/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.52 [GMT -7:00]

AV: Trend Micro Client/Server Security Agent Antivirus *On-access scanning enabled* (Updated) {CE1A21FA-A397-4911-99FE-EA4638F4B467}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\SoftwareDistribution\Download\Install\NDP20SP2-KB983583-x86.exe
c:\b3d7f115bd09bf9e77e07b0b\HotFixInstaller.exe
C:\WINDOWS\system32\msiexec.exe
c:\WINDOWS\system32\MsiExec.exe
c:\WINDOWS\system32\MsiExec.exe
c:\WINDOWS\system32\wbem\mofcomp.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe
C:\Program Files\Trend Micro\Client Server Security Agent\CNTAoSMgr.exe
C:\Program Files\Trend Micro\Client Server Security Agent\TmProxy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Windows Live\Mail\wlmail.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\temp\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: TmIEPlugInBHO Class: {1ca1377b-dc1d-4a52-9585-6e06050fac53} - c:\program files\trend micro\client server security agent\bho\1006\TmIEPlg.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\client server security agent\pccntmon.exe" -HideWindow
mRun: [OE] "c:\program files\trend micro\client server security agent\tmas_oe\TMAS_OEMon.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {5B7027AD-AA6D-40df-8F56-9560F277D2A5} - {0f420c1e-9ed6-4da5-8b91-eddde887a1dc} - c:\windows\system32\Print602.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {A156A7A7-14A2-4282-B487-8E25AB68D608} - {E2AC7314-3101-4d2b-B4AB-AD381381717F} - c:\windows\system32\Print602.dll
IE: {F242786D-E1AE-49e7-BD01-E1ABCA405241} - {861B46DD-E551-4dab-A464-208F44F7ABEA} - c:\windows\system32\Print602.dll
Trusted Zone: microsoft.com
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188410928589
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1188410886592
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - c:\program files\trend micro\client server security agent\bho\1006\TmIEPlg.dll
Notify: ckpNotify - ckpNotify.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 10.1.10.5 svdb
Hosts: 10.1.10.20 svmail1
Hosts: 10.1.10.20 svmail1.hrssimi.usa
Hosts: 192.168.50.2 sjmail
Hosts: 210.158.223.43 ag50.agate.net

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\lshish~1\applic~1\mozilla\firefox\profiles\q83wgyyp.default\
FF - prefs.js: browser.startup.homepage - hxxp://co117w.col117.mail.live.com/mail/InboxLight.aspx?FolderID=00000000-0000-0000-0000-000000000005&InboxSortAscending=False&InboxSortBy=Date&n=965746037|https://www.quixtar.com/login/default.aspx
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

============= SERVICES / DRIVERS ===============

R1 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [2009-12-15 2245624]
R2 CP_OMDRV;Check Point Office Mode Module;c:\windows\system32\drivers\omdrv.sys [2009-12-15 47504]
R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\client server security agent\tmxpflt.sys [2009-12-4 230928]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\client server security agent\tmpreflt.sys [2009-12-4 36368]
R2 VNASC;Check Point Virtual Network Adapter - SecureClient;c:\windows\system32\drivers\vnasc.sys [2009-12-15 126680]
R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [2009-12-15 684280]
S3 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2010-10-19 50704]

=============== Created Last 30 ================

2010-10-19 23:35:32 544768 ----a-w- c:\temp\dds.scr
2010-10-19 20:37:43 59920 ----a-w- c:\windows\system32\drivers\tmactmon.sys
2010-10-19 20:37:43 50704 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys
2010-10-19 20:37:43 163408 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-10-19 19:53:41 -------- d-----w- C:\b3d7f115bd09bf9e77e07b0b
2010-10-19 19:35:52 8534336 ----a-w- c:\temp\Firefox Setup 3.6.10.exe
2010-10-18 20:27:48 -------- d-----w- c:\program files\Trend Micro
2010-10-18 18:16:04 264856 ----a-w- c:\temp\hotspot shield\DM-76.exe
2010-10-18 18:09:58 -------- d-----w- c:\docume~1\lshish~1\applic~1\Malwarebytes
2010-10-18 18:09:43 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-18 18:09:41 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-18 18:09:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-18 18:09:41 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-10-18 18:08:41 6153376 ----a-w- c:\temp\mbam-setup-1.46.exe
2010-10-18 18:05:06 1409 ----a-w- c:\windows\QTFont.for
2010-10-14 22:16:01 1376832 ----a-w- c:\temp\sar_15_sfx.exe
2010-10-14 17:36:56 -------- d-----w- c:\program files\Sophos
2010-10-13 22:56:13 -------- d-----w- c:\windows\system32\drivers\temp
2010-10-13 22:51:30 14808 ----a-w- c:\program files\mozilla firefox\plugin-container.exe
2010-10-13 22:51:28 718296 ----a-w- c:\program files\mozilla firefox\mozcpp19.dll
2010-10-13 17:47:50 -------- d-sha-r- C:\cmdcons
2010-10-13 17:24:28 77312 ----a-w- c:\windows\MBR.exe
2010-10-13 17:24:28 256512 ----a-w- c:\windows\PEV.exe
2010-10-13 17:24:27 98816 ----a-w- c:\windows\sed.exe
2010-10-13 17:24:27 161792 ----a-w- c:\windows\SWREG.exe
2010-10-12 20:06:58 -------- d-----w- c:\windows\system32\winrm
2010-10-12 20:06:58 -------- d-----w- c:\windows\system32\GroupPolicy
2010-10-12 19:56:52 954368 ------w- c:\windows\system32\dllcache\mfc40.dll
2010-10-12 19:56:52 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-12 19:56:51 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
2010-10-12 19:52:29 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
2010-10-12 19:04:43 147282329 ----a-w- c:\temp\client-ver6-sp2.exe
2010-10-02 16:09:01 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-09-23 01:10:52 103864 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2010-09-23 01:10:52 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll

==================== Find3M ====================

2010-09-18 19:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-15 11:50:37 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-26 06:14:52 41 ----a-w- C:\H.CMD

============= FINISH: 16:38:57.38 ===============
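The DDS log above is the sort of artifact a helper has to triage by hand. As an added example (not part of the original post, and not a BleepingComputer or DDS tool), the Python below parses an excerpt of that log into its banner-delimited sections and applies three review heuristics: hosts-file entries that point a name at a public address, .sys files created within a week of the scan, and running processes whose image path sits outside the Windows and Program Files trees. The section names, the "Run by ... on" date line and the dated-file line layout are taken from the log as pasted; the seven-day window and the choice of trusted directories are assumptions, and everything the script flags is a prompt to verify, not a verdict.

```python
import ipaddress
import re
from datetime import date, timedelta

# Excerpt of the DDS log posted above, trimmed to the lines this script reads.
DDS_LOG = r"""
DDS (Ver_10-10-10.03) - NTFSx86
Run by lshishino-cruz at 16:36:46.11 on Tue 10/19/2010

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\b3d7f115bd09bf9e77e07b0b\HotFixInstaller.exe
C:\temp\dds.scr

============== Pseudo HJT Report ===============

Hosts: 10.1.10.5 svdb
Hosts: 192.168.50.2 sjmail
Hosts: 210.158.223.43 ag50.agate.net

=============== Created Last 30 ================

2010-10-19 20:37:43 59920 ----a-w- c:\windows\system32\drivers\tmactmon.sys
2010-10-18 18:09:41 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-13 17:24:28 77312 ----a-w- c:\windows\MBR.exe

==================== Find3M ====================

2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
"""
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
RUN_DATE_RE = re.compile(r"^Run by .* on \w{3} (\d{1,2})/(\d{1,2})/(\d{4})$", re.M)
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} (?:\d+|-+) \S+ (.+)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)$")
# Assumption: image paths outside these trees get a closer look (tune per environment).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def split_sections(text):
    """Group log lines under the '==== Name ====' banner that precedes them."""
    sections, current = {}, "HEADER"
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1)
        elif line.strip():
            sections.setdefault(current, []).append(line.rstrip())
    return sections

def parse_run_date(text):
    """Scan date from the 'Run by <user> at <time> on <dow> MM/DD/YYYY' line."""
    m = RUN_DATE_RE.search(text)
    if not m:
        raise ValueError("no 'Run by ... on' line in log")
    month, day, year = (int(x) for x in m.groups())
    return date(year, month, day)

def public_hosts_overrides(lines):
    """Hosts entries mapping a name to a non-private, non-loopback address; they override DNS."""
    hits = []
    for m in filter(None, map(HOSTS_RE.match, lines)):
        ip, name = m.groups()
        addr = ipaddress.ip_address(ip)  # garbage here raises, which is itself a finding
        if not (addr.is_private or addr.is_loopback):
            hits.append((ip, name))
    return hits

def dated_files(sections):
    """(created, path) pairs from the 'Created Last 30' and 'Find3M' sections."""
    return [(date.fromisoformat(m.group(1)), m.group(2))
            for name in ("Created Last 30", "Find3M")
            for m in filter(None, map(FILE_RE.match, sections.get(name, [])))]

def recent_kernel_drivers(entries, run_date, days=7):
    """.sys files created within `days` of the scan; expected after installing security tools."""
    cutoff = run_date - timedelta(days=days)
    return [path for created, path in entries
            if path.lower().endswith(".sys") and created >= cutoff]

def processes_outside_trusted_roots(lines):
    """Running processes outside TRUSTED_ROOTS; path-less lines (bare 'svchost.exe') are skipped."""
    odd = []
    for line in lines:
        exe = line.split(" -")[0]  # drop arguments such as '-k DcomLaunch'
        if ":\\" in exe and not exe.lower().startswith(TRUSTED_ROOTS):
            odd.append(exe)
    return odd

def triage(text):
    """Run every heuristic over one DDS log; hits are prompts to verify, not verdicts."""
    sections = split_sections(text)
    run_date = parse_run_date(text)
    return {
        "run_date": run_date,
        "hosts_public": public_hosts_overrides(sections.get("Pseudo HJT Report", [])),
        "recent_drivers": recent_kernel_drivers(dated_files(sections), run_date),
        "odd_process_paths": processes_outside_trusted_roots(sections.get("Running Processes", [])),
    }
```

On this excerpt `triage(DDS_LOG)` returns the ag50.agate.net hosts entry, the two drivers dated the day of and the day before the scan, and the two processes running from a root-level directory and c:\temp. The drivers line up with the Trend Micro and Malwarebytes installs the poster describes, and c:\temp\dds.scr is DDS itself; the hosts entry and the hex-named directory are the ones the machine's owner would need to account for.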


#2 kahdah (Security Colleague, 11,138 posts)

Posted 29 October 2010 - 07:16 AM

Hello clubkookoo

Welcome to BleepingComputer :)
==========================
Running ComboFix is not a good idea unless instructed to do so by a trained helper. I know you know this, but it still holds true.
If the machine were to become unbootable from it, you would then need help to recover it.
Not a good idea.

Please post me the ComboFix log.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.



