Infected with MBR rootkit/Mebroot/Sinowal?


  • This topic is locked
2 replies to this topic

#1 remnant48

Posted 22 October 2010 - 01:20 AM

I need help removing MBR Root Kit.

Combofix reports MBR rootkit/Mebroot/Sinowal, but doesn't remove it.

The computer can't run Windows Update and gets SVCHOST.exe - Application Error messages. SVCHOST uses tons of RAM and slows the PC to a crawl.

Below is the ComboFix log. I've tried HitmanPro35; it reports a rootkit but also can't get rid of it. I used MalwareBytes but it reports no problems. I've removed the drive, connected it to a USB adapter and scanned it as a removable drive, and there are no reports of problems from MalwareBytes. I'm totally stumped for the first time after having removed viruses from hundreds of computers.

Thanks in advance for any help you (who are you guys?) can provide.

P.S. not sure I'm following the rules or not...here's the log (oh and I haven't tried turning off System Restore yet):


ComboFix 10-10-20.04 - rgoedecke 10/21/2010 11:14:25.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.468 [GMT -7:00]
Running from: C:\ComboFix.exe
AV: ESET NOD32 Antivirus 4.2 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
* Resident AV is active

.

((((((((((((((((((((((((( Files Created from 2010-09-21 to 2010-10-21 )))))))))))))))))))))))))))))))
.

2010-10-21 17:26 . 2010-10-21 17:26 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-10-21 04:15 . 2009-02-09 12:10 714752 -c--a-w- c:\windows\system32\dllcache\ntdll.dll
2010-10-21 03:44 . 2010-10-21 03:46 -------- d-----w- c:\documents and settings\Administrator.ROGIER
2010-10-21 03:03 . 2010-10-21 03:03 -------- d--h--w- c:\windows\system32\GroupPolicy
2010-10-20 04:39 . 2010-10-18 16:41 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{013897A3-35C4-4C5F-B3A0-A09DD3A91938}\mpengine.dll
2010-10-20 04:36 . 2010-10-20 04:36 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-10-20 04:22 . 2010-10-20 04:59 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-10-20 04:22 . 2010-10-20 04:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-10-20 03:59 . 2010-10-20 03:59 -------- dc-h--w- c:\windows\ie8
2010-10-19 23:30 . 2010-10-19 23:30 -------- d-----w- c:\documents and settings\rgoedecke\Application Data\Malwarebytes
2010-10-19 23:30 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-19 23:30 . 2010-10-20 00:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-19 23:30 . 2010-10-19 23:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-10-19 23:30 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-19 21:02 . 2010-10-19 21:02 -------- d-----w- c:\program files\RealVNC
2010-10-19 20:52 . 2010-10-21 18:08 -------- d-----w- C:\kworking
2010-10-19 20:52 . 2010-10-19 21:02 -------- d-----w- C:\temp
2010-10-19 20:44 . 2010-02-26 00:17 135168 ----a-w- c:\windows\system32\KaseyaSP.dll
2010-10-19 20:44 . 2010-10-19 20:44 -------- d-----w- c:\program files\Kaseya
2010-10-19 20:44 . 2010-02-26 00:17 13824 ----a-w- c:\windows\system32\drivers\KAPFA.sys
2010-10-19 18:33 . 2010-10-19 18:33 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-10-15 15:56 . 2010-10-15 15:56 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2010-10-14 23:22 . 2010-09-18 06:53 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2010-10-14 23:22 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-14 23:22 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2010-10-14 22:10 . 2010-10-14 22:10 -------- d-----w- c:\program files\Carbonite
2010-10-12 20:40 . 2010-10-12 20:40 -------- d-----w- c:\program files\Garmin GPS Plugin
2010-09-27 20:17 . 2010-10-21 12:55 -------- d-----w- c:\documents and settings\rgoedecke\Application Data\Dropbox

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2008-10-21 20:13 741768 ----a-w- c:\program files\Ask.com\Supertoolbar\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\Supertoolbar\GenericAskToolbar.dll" [2008-10-21 741768]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\rgoedecke\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\rgoedecke\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\rgoedecke\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-09 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TypeRegChecker"="c:\program files\Sharp\Sharpdesk\TypeRegChecker.exe" [2005-11-06 57344]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-27 282624]
"SharpTray"="c:\program files\Sharp\Sharpdesk\SharpTray.exe" [2005-11-06 32768]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-26 16132608]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-06 137752]
"nwiz"="nwiz.exe" [2006-08-23 1617920]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-23 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-23 7630848]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
"KASHVNGSYS86885831773046"="c:\program files\Kaseya\VNGSYS86885831773046\KaUsrTsk.exe" [2010-02-26 319488]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]
"IndexTray"="c:\program files\Sharp\Sharpdesk\IndexTray.exe" [2005-11-06 106496]
"Indexer"="c:\program files\Sharp\Sharpdesk\Indexer.exe" [2005-11-06 184320]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-06 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-06 162328]
"FtpServer.exe"="c:\program files\Sharp\Sharpdesk\FtpServer.exe" [2005-11-06 688128]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2010-03-25 2145000]
"CTSVolFE.exe"="c:\program files\Creative\Mixer\CTSVolFE.exe" [2005-02-23 57344]
"CarboniteSetupLite"="c:\program files\Carbonite\CarbonitePreinstaller.exe" [2010-09-15 281744]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-09-15 1094224]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]

c:\documents and settings\rgoedecke\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\rgoedecke\Application Data\Dropbox\bin\Dropbox.exe [2010-2-25 21979992]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AutoCAD LT Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart16.exe [2004-2-25 10872]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-9-16 972064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2010-09-29 15:22 87424 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2008-10-15 04:38 623992 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2007-11-09 08:53 136472 ----a-w- c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
2007-11-09 08:55 884696 ----a-w- c:\program files\Acronis\TrueImageEchoWorkstation\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
2008-07-25 01:46 63048 ----a-w- c:\program files\LogMeIn\x86\LogMeInSystray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-08 18:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
2007-11-09 08:52 1274600 ----a-w- c:\program files\Acronis\TrueImageEchoWorkstation\TrueImageMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\CodeMeter\\Runtime\\bin\\CodeMeter.exe"=

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [3/24/2010 8:31 PM 114984]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2/20/2008 12:11 PM 95872]
R2 CodeMeter.exe;CodeMeter Runtime Server;c:\program files\CodeMeter\Runtime\bin\CodeMeter.exe [6/27/2008 3:30 AM 1221952]
R2 ekrn;ESET Service;c:\program files\Eset\ESET NOD32 Antivirus\ekrn.exe [3/24/2010 8:31 PM 810120]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [7/24/2008 6:46 PM 12856]
R3 KAPFA;KAPFA;c:\windows\system32\drivers\KAPFA.sys [10/19/2010 1:44 PM 13824]
R3 shwMirror;shwMirror;c:\windows\system32\drivers\shwMirror.sys [8/29/2006 5:17 PM 3584]
S2 gupdate1c9d40a51970454;Google Update Service (gupdate1c9d40a51970454);c:\program files\Google\Update\GoogleUpdate.exe [5/13/2009 1:35 PM 133104]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [12/8/2008 3:06 PM 20160]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [10/19/2010 9:22 PM 16968]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-04-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

2010-10-21 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-09 16:44]

2010-10-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-13 20:35]

2010-10-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-13 20:35]

2010-10-18 c:\windows\Tasks\Indexing Task - rgoedecke.job
- c:\program files\Sharp\Sharpdesk\IndexTask.exe [2005-11-06 04:33]

2010-10-21 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-26 04:40]

2010-10-19 c:\windows\Tasks\RMSmartUpdate.job
- c:\program files\Registry Mechanic\Update.exe [2010-08-20 15:46]

2010-10-21 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\Supertoolbar\UpdateTask.exe [2008-10-21 20:13]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = 192.168.111.*;127.0.0.*;*.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.1.0/GarminAxControl.CAB
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
.
.
------- File Associations -------
.
.scr=AutoCADLTScriptFile
.

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86177446]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf74cbf28
\Driver\ACPI -> ACPI.sys @ 0xf735ecb8
\Driver\atapi -> atapi.sys @ 0xf72f0852
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->NDIS: Broadcom 440x 10/100 Integrated Controller -> SendCompleteHandler -> NDIS.sys @ 0xf71cabb0
PacketIndicateHandler -> NDIS.sys @ 0xf71d7a21
SendHandler -> NDIS.sys @ 0xf71b587b
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@DACL=(02 0011)
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
@DACL=(02 0011)
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@DACL=(02 0011)
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@DACL=(02 0011)
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@DACL=(02 0011)
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@DACL=(02 0011)
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@DACL=(02 0011)
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(840)
c:\windows\system32\WININET.dll
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll

- - - - - - - > 'lsass.exe'(900)
c:\windows\system32\WININET.dll
c:\windows\system32\relog_ap.dll
.
Completion time: 2010-10-21 11:33:18
ComboFix-quarantined-files.txt 2010-10-21 18:33
ComboFix2.txt 2010-10-20 02:58

Pre-Run: 5,406,896,128 bytes free
Post-Run: 5,640,511,488 bytes free

- - End Of File - - E2415B349D6A0E4646FC9A8E9A7C556B

#2 remnant48

Posted 22 October 2010 - 10:11 AM

This fixed the rootkit that ComboFix and HitmanPro35 couldn’t (and MalwareBytes and MBRCheck.exe):
http://support.kaspersky.com/downloads/utils/tdsskiller.zip

#3 Budapest

  • Moderator
Posted 22 October 2010 - 03:25 PM

As this issue appears to be resolved I am closing the topic. Please send me (or any other Moderator) a Personal Message (PM) if you would like the topic re-opened.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw



