Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Rootkit causing BSOD


  • This topic is locked This topic is locked
3 replies to this topic

#1 scootrz32

scootrz32

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:09:03 PM

Posted 06 December 2010 - 12:03 AM

I have what I believe appears to be a rootkit that keeps causing a BSOD. When I run GMER it tells me it has detected rootkit activity. I delete the file in the C:\windows\system32\drivers but it reappers and when windows crashes it references that file. Here are the DDS and Gmer Logs attached. The file it always references is radjssoj.sys. I have tried every tool under the sun anvir, trojan killer, malwarebytes, combofix. Nothing seems to help.

I cant get gmer to run to completion without a BSOD. I see it show up multiple times in GMER so I hope this is what is causing all my headaches.


Can anyone help before reformat?



Gmer Log:
GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-12-05 20:48:38
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD30 rev.03.0
Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1.MER\LOCALS~1\Temp\fxtdypoc.sys


---- Kernel code sections - GMER 1.0.15 ----

? C:\WINDOWS\system32\drivers\radjssoj.sys A device attached to the system is not functioning.
PAGE Ntfs.sys B7C84E55 4 Bytes CALL 8AE7AFE1
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB75A6360, 0x33445D, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[556] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8B3F5118
Device \Driver\Tcpip \Device\Ip 8A13B1E0
Device \Driver\Tcpip \Device\Tcp 8A13B1E0
Device \Driver\Tcpip \Device\Udp 8A13B1E0
Device \Driver\Tcpip \Device\RawIp 8A13B1E0
Device \Driver\Tcpip \Device\IPMULTICAST 8A13B1E0
Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Roxio)

---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) [BOOT] radjssoj <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\0002760d3bbd (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0002760d3bbd (not active ControlSet)
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0002760d3bbd
Reg HKLM\SYSTEM\CurrentControlSet\Services\radjssoj@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\radjssoj@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\radjssoj@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\radjssoj@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet004\Services\BTHPORT\Parameters\Keys\0002760d3bbd (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\radjssoj@Type 1
Reg HKLM\SYSTEM\ControlSet004\Services\radjssoj@Start 0
Reg HKLM\SYSTEM\ControlSet004\Services\radjssoj@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet004\Services\radjssoj@Group Boot Bus Extender
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000



DDS Log with Attached log.

DDS (Ver_10-11-27.01) - NTFSx86
Run by administrator at 20:49:00.35 on Sun 12/05/2010
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2523 [GMT -8:00]

AV: AVG Internet Security Network Edition *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Abacus\BillingPopup\AbacusBillingPopup.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kaseya\Agent\AgentMon.exe
C:\Program Files\Kaseya\Agent\KasAVSrv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\LTSVC\LTSVC.exe
C:\WINDOWS\LTSvc\LTSvcMon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Autodesk\3ds Max 2010\mentalray\satellite\raysat_3dsmax2010_32server.exe
C:\Program Files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\GridinSoft Trojan Killer\trojankiller.exe
C:\Program Files\Launchy\Launchy.exe
C:\WINDOWS\LTSvc\LTTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\administrator.MERIDIANINT\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.hp.com
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [GridinSoft Trojan Killer] "c:\program files\gridinsoft trojan killer\trojankiller.exe" 0
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Kaseya Agent Service Helper] "c:\program files\kaseya\agent\KaUsrTsk.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\launchy.lnk - c:\program files\launchy\Launchy.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\networ~1.lnk - c:\windows\ltsvc\LTTray.exe
uPolicies-explorer: NoWindowsUpdate = 1 (0x1)
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: britecity.com
Trusted Zone: britecity.com\lt
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1258496448025
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://planwelltechnologies.webex.com/client/T27L10NSP11EP5/webex/ieatgpc.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-12-29 52872]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-12-29 216400]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-12-29 29584]
R2 AbacusBillingPopup;Abacus Billing Popup;c:\program files\abacus\billingpopup\AbacusBillingPopup.exe [2009-3-3 1363968]
R2 KaseyaAgent;Kaseya Agent;c:\program files\kaseya\agent\AgentMon.exe [2008-8-12 610304]
R2 KaseyaAVService;Kaseya Security Service;c:\program files\kaseya\agent\KasAVSrv.exe [2009-12-29 221184]
R2 LTService;briteCARE;c:\windows\ltsvc\LTSVC.exe [2010-12-3 3076608]
R2 LTSvcMon;briteCARE CheckUp Util;c:\windows\ltsvc\LTSvcMon.exe [2010-12-3 88064]
R2 mi-raysat_3dsmax2010_32;mental ray 3.7 Satellite for Autodesk 3ds Max 2010 32-bit 32-bit;c:\program files\autodesk\3ds max 2010\mentalray\satellite\raysat_3dsmax2010_32server.exe [2009-3-12 86016]
R2 NVIDIA Performance Driver Service;NVIDIA Performance Driver Service;c:\program files\nvidia corporation\performance drivers\nvPDsvc.exe [2008-10-28 3575808]
R3 KAPFA;KAPFA;c:\windows\system32\drivers\KaPFA.sys [2008-8-12 20792]
S1 qvqokmkk;qvqokmkk;\??\c:\windows\system32\drivers\qvqokmkk.sys --> c:\windows\system32\drivers\qvqokmkk.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-8-9 135664]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 284016]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2009-7-29 15656]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2006-2-27 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-6-21 308136]
S4 iheeosj;iheeosj; [x]
S4 rniqhb;rniqhb; [x]
S4 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2009-7-29 2789672]
S4 XTJPDT;XTJPDT;c:\docume~1\admini~1.mer\locals~1\temp\xtjpdt.exe --> c:\docume~1\admini~1.mer\locals~1\temp\XTJPDT.exe [?]

=============== File Associations ===============

txtfile=c:\windows\notepad.exe %1
.scr=AutoCADScriptFile

=============== Created Last 30 ================

2010-12-03 20:11:17 -------- d-----w- c:\program files\GridinSoft Trojan Killer
2010-12-03 19:56:22 -------- d-----w- c:\windows\LTSvc
2010-12-03 19:48:35 -------- d-----w- c:\program files\AnVir Task Manager Free
2010-12-03 19:48:28 -------- d-----w- c:\docume~1\admini~1.mer\locals~1\applic~1\AnVir
2010-12-03 19:43:35 -------- d-----w- c:\program files\WhoLockMe
2010-12-03 19:35:40 3888 ----a-w- c:\windows\system32\drivers\NTHANDLE.SYS
2010-12-03 18:41:37 388096 ----a-r- c:\docume~1\admini~1.mer\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2010-12-03 18:41:36 -------- d-----w- c:\program files\Trend Micro
2010-12-03 18:12:58 -------- d-----w- c:\docume~1\admini~1.mer\applic~1\Windows Search
2010-12-03 18:08:48 -------- d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-12-03 18:08:46 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-12-03 17:40:39 -------- d-----w- c:\documents and settings\administrator.meridianint\DoctorWeb
2010-12-03 17:33:47 -------- d-----w- c:\docume~1\admini~1.mer\applic~1\Malwarebytes

==================== Find3M ====================

2010-12-03 18:54:25 118784 ----a-w- c:\windows\system32\chg.exe
2010-09-18 19:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-09 13:38:01 832512 ----a-w- c:\windows\system32\wininet.dll
2010-09-09 13:38:01 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-09 13:38:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-09-09 13:38:00 17408 ----a-w- c:\windows\system32\corpol.dll

============= FINISH: 20:55:09.70 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:07:03 AM

Posted 13 December 2010 - 01:26 PM

Hello and welcome to Bleeping Computer :welcome:

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic an do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log




Elle
Can you hear it?It's all around!

Tomar ki manè acchè?
Yadi thakè, tahalè
Ki kshama kartè paro
?



If I haven't replied in 48 hours, please feel free to send me a PM.



Posted Image

#3 scootrz32

scootrz32
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:09:03 PM

Posted 13 December 2010 - 01:30 PM

I believe I got it all cleaned up. I think it was a MBR infection. I booted to the XP CD re-wrote a new MBR. Then scanned and was able to remove everthing.

#4 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:03 PM

Posted 13 December 2010 - 04:57 PM

As this problem is resolved I will close this thread.
Proud member - Unified Network of Instructors and Trained Eliminators
Posted Image

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when your gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users