
Infected with a recurring Fake Antivirus Alert XP Home


  • This topic is locked
2 replies to this topic

#1 TheTinker

TheTinker

  • Members
  • 3 posts
  • OFFLINE
  • Local time:07:45 PM

Posted 16 February 2011 - 03:30 PM

Rewrites the Hosts file, adding additional entries.

MBR rebuilt with no change.

DDS & Ark Logs below.

DDS Log:


DDS (Ver_10-12-12.02) - NTFSx86
Run by Chris Zarate at 5:34:05.31 on Wed 02/16/2011
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.894.298 [GMT -8:00]

AV: Norton 360 *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *Enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
C:\Program Files\Norton 360\Engine\4.3.0.5\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
C:\Program Files\Norton Safe Web Lite\Engine\1.0.1.8\ccSvcHst.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Norton 360\Engine\4.3.0.5\ccSvcHst.exe
C:\Documents and Settings\Chris Zarate\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.aol.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=laptop
mDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: H - No File
mWinlogon: Userinit=userinit.exe
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\4.3.0.5\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\4.3.0.5\IPSBHO.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar3.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\4.3.0.5\coIEPlg.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: ShopAtHome Toolbar: {98279c38-de4b-4bcf-93c9-8ec26069d6f4} - c:\program files\selectrebates\toolbar\ShopAtHomeToolbar.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [HostManager] c:\program files\common files\aol\1195252894\ee\AOLSoftware.exe
dRunOnce: [VF0415Inst] RunDll32.exe c:\windows\system32\V0415Pin.dll,RunDLL32EP 515
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_05\bin\npjpi150_05.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1297488423500
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Filter: text/html - {ed11e09b-2886-45df-9364-58ac147e706d} -
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
LSA: Notification Packages = scecli

============= SERVICES / DRIVERS ===============

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0403000.005\symds.sys [2010-10-26 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0403000.005\symefa.sys [2010-10-26 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\bashdefs\20110114.001\BHDrvx86.sys [2011-1-21 691248]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0403000.005\cchpx86.sys [2010-10-26 501888]
R1 SASDIFSV;SASDIFSV;c:\docume~1\chrisz~1\locals~1\temp\sas_selfextract\SASDIFSV.SYS [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\docume~1\chrisz~1\locals~1\temp\sas_selfextract\SASKUTIL.SYS [2010-5-10 67656]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0403000.005\ironx86.sys [2010-10-26 116784]
R2 N360;Norton 360;c:\program files\norton 360\engine\4.3.0.5\ccsvchst.exe [2010-10-26 126392]
R2 NSL;Norton Safe Web Lite;c:\program files\norton safe web lite\engine\1.0.1.8\ccSvcHst.exe [2010-7-4 126904]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-10-25 102448]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2005-8-22 231424]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\ipsdefs\20110215.001\IDSXpx86.sys [2011-2-15 341944]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\virusdefs\20110215.038\NAVENG.SYS [2011-2-16 86008]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\virusdefs\20110215.038\NAVEX15.SYS [2011-2-16 1360760]
R3 RLDesignVirtualAudioCableWdm;Live! Cam Virtual;c:\windows\system32\drivers\livecamv.sys [2008-12-25 31616]
S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [2008-12-25 135616]
S3 V0415Afx;Creative Camera VF0415 Audio Effects Driver;c:\windows\system32\drivers\V0415Afx.sys [2008-12-25 160768]
S3 V0415Vid;Creative Live! Cam Video IM Ultra Driver;c:\windows\system32\drivers\V0415Vid.sys [2008-12-25 282464]

=============== Created Last 30 ================

2011-02-16 06:50:40 116224 ----a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2011-02-16 06:50:36 23040 ----a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2011-02-16 06:50:31 17408 ----a-w- c:\windows\system32\dllcache\xrxscnui.dll
2011-02-16 06:50:27 27648 ----a-w- c:\windows\system32\dllcache\xrxftplt.exe
2011-02-16 06:50:22 4608 ----a-w- c:\windows\system32\dllcache\xrxflnch.exe
2011-02-16 06:50:12 99865 ----a-w- c:\windows\system32\dllcache\xlog.exe
2011-02-16 06:50:04 16970 ----a-w- c:\windows\system32\dllcache\xem336n5.sys
2011-02-16 06:50:03 19455 ----a-w- c:\windows\system32\dllcache\wvchntxx.sys
2011-02-16 06:49:56 12063 ----a-w- c:\windows\system32\dllcache\wsiintxx.sys
2011-02-16 06:49:24 154624 ----a-w- c:\windows\system32\dllcache\wlluc48.sys
2011-02-16 06:49:20 34890 ----a-w- c:\windows\system32\dllcache\wlandrv2.sys
2011-02-16 06:49:07 771581 ----a-w- c:\windows\system32\dllcache\winacisa.sys
2011-02-16 06:47:58 604253 ----a-w- c:\windows\system32\dllcache\vmodem.sys
2011-02-16 06:46:59 32384 ----a-w- c:\windows\system32\dllcache\usb101et.sys
2011-02-16 06:45:59 14336 ----a-w- c:\windows\system32\dllcache\tsprof.exe
2011-02-16 06:44:58 28232 ----a-w- c:\windows\system32\dllcache\tos4mo.sys
2011-02-16 06:43:59 30688 ----a-w- c:\windows\system32\dllcache\sym_u3.sys
2011-02-16 06:42:58 99328 ----a-w- c:\windows\system32\dllcache\srusd.dll
2011-02-16 06:41:57 236544 ----a-w- c:\windows\system32\dllcache\smi2smir.exe
2011-02-16 06:40:58 238592 ----a-w- c:\windows\system32\dllcache\sisgrv.dll
2011-02-16 06:39:58 17664 ----a-w- c:\windows\system32\dllcache\sermouse.sys
2011-02-16 06:38:59 179264 ----a-w- c:\windows\system32\dllcache\s3sav3d.dll
2011-02-16 06:37:59 79104 ----a-w- c:\windows\system32\dllcache\rocket.sys
2011-02-16 06:36:58 33152 ----a-w- c:\windows\system32\dllcache\ql10wnt.sys
2011-02-16 06:35:59 19840 ----a-w- c:\windows\system32\dllcache\philtune.sys
2011-02-16 06:34:49 41984 ----a-w- c:\windows\system32\dllcache\ovui2rc.dll
2011-02-16 06:33:58 54528 ----a-w- c:\windows\system32\dllcache\opl3sax.sys
2011-02-16 06:33:43 4274816 ----a-w- c:\windows\system32\dllcache\nv4_disp.dll
2011-02-16 06:33:43 1897408 ----a-w- c:\windows\system32\dllcache\nv4_mini.sys
2011-02-16 06:33:39 198144 ----a-w- c:\windows\system32\dllcache\nv3.sys
2011-02-16 06:33:36 123776 ----a-w- c:\windows\system32\dllcache\nv3.dll
2011-02-16 06:33:29 180360 ----a-w- c:\windows\system32\dllcache\ntmtlfax.sys
2011-02-16 06:33:06 51552 ----a-w- c:\windows\system32\dllcache\ntgrip.sys
2011-02-16 06:33:06 38912 ----a-w- c:\windows\system32\dllcache\EXCH_ntfsdrv.dll
2011-02-16 06:32:58 9344 ----a-w- c:\windows\system32\dllcache\ntapm.sys
2011-02-16 06:32:55 7552 ----a-w- c:\windows\system32\dllcache\nsmmc.sys
2011-02-16 06:32:53 28672 ----a-w- c:\windows\system32\dllcache\nscirda.sys
2011-02-16 06:32:38 87040 ----a-w- c:\windows\system32\dllcache\nm6wdm.sys
2011-02-16 06:32:34 126080 ----a-w- c:\windows\system32\dllcache\nm5a2wdm.sys
2011-02-16 06:32:23 32840 ----a-w- c:\windows\system32\dllcache\ngrpci.sys
2011-02-16 06:32:20 132695 ----a-w- c:\windows\system32\dllcache\netwlan5.sys
2011-02-16 06:31:59 65278 ----a-w- c:\windows\system32\dllcache\netflx3.sys
2011-02-16 06:31:48 39264 ----a-w- c:\windows\system32\dllcache\neo20xx.sys
2011-02-16 06:31:45 60480 ----a-w- c:\windows\system32\dllcache\neo20xx.dll
2011-02-16 06:31:41 15872 ----a-w- c:\windows\system32\dllcache\ne2000.sys
2011-02-16 06:31:24 91488 ----a-w- c:\windows\system32\dllcache\n9i3disp.dll
2011-02-16 06:31:21 27936 ----a-w- c:\windows\system32\dllcache\n9i3d.sys
2011-02-16 06:31:18 33088 ----a-w- c:\windows\system32\dllcache\n9i128v2.sys
2011-02-16 06:31:14 59104 ----a-w- c:\windows\system32\dllcache\n9i128v2.dll
2011-02-16 06:31:11 13664 ----a-w- c:\windows\system32\dllcache\n9i128.sys
2011-02-16 06:31:07 35392 ----a-w- c:\windows\system32\dllcache\n9i128.dll
2011-02-16 06:31:04 128000 ----a-w- c:\windows\system32\dllcache\n100325.sys
2011-02-16 06:31:00 52255 ----a-w- c:\windows\system32\dllcache\n1000nt5.sys
2011-02-16 06:29:30 49024 ----a-w- c:\windows\system32\dllcache\mstape.sys
2011-02-16 06:29:12 12416 ----a-w- c:\windows\system32\dllcache\msriffwv.sys
2011-02-16 06:28:35 2944 ----a-w- c:\windows\system32\dllcache\msmpu401.sys
2011-02-16 06:28:29 40960 ----a-w- c:\windows\system32\dllcache\msiregmv.exe
2011-02-16 06:28:29 22016 ----a-w- c:\windows\system32\dllcache\msircomm.sys
2011-02-16 06:28:28 98304 ----a-w- c:\windows\system32\dllcache\msir3jp.dll
2011-02-16 06:27:48 35200 ----a-w- c:\windows\system32\dllcache\msgame.sys
2011-02-16 06:27:38 6016 ----a-w- c:\windows\system32\dllcache\msfsio.sys
2011-02-16 06:27:37 51328 ----a-w- c:\windows\system32\dllcache\msdv.sys
2011-02-16 06:26:53 17280 ----a-w- c:\windows\system32\dllcache\mraid35x.sys
2011-02-16 06:26:41 15360 ----a-w- c:\windows\system32\dllcache\mpe.sys
2011-02-16 06:26:26 12160 ----a-w- c:\windows\system32\dllcache\mouhid.sys
2011-02-16 06:26:19 16128 ----a-w- c:\windows\system32\dllcache\modemcsa.sys
2011-02-16 06:24:53 797500 ----a-w- c:\windows\system32\dllcache\ltsmt.sys
2011-02-16 06:23:57 45568 ----a-w- c:\windows\system32\dllcache\kdsui.dll
2011-02-16 06:22:59 45632 ----a-w- c:\windows\system32\dllcache\ip5515.sys
2011-02-16 06:21:55 100992 ----a-w- c:\windows\system32\dllcache\icam5usb.sys
2011-02-16 06:20:55 13463552 ----a-w- c:\windows\system32\dllcache\hwxjpn.dll
2011-02-16 06:19:57 13312 ----a-w- c:\windows\system32\dllcache\hpsjmcro.dll
2011-02-16 06:18:51 907456 ----a-w- c:\windows\system32\dllcache\hcf_msft.sys
2011-02-16 06:17:59 71680 ----a-w- c:\windows\system32\dllcache\fnfilter.dll
2011-02-16 06:16:58 37120 ----a-w- c:\windows\system32\dllcache\es1370mp.sys
2011-02-16 06:15:58 334208 ----a-w- c:\windows\system32\dllcache\ds1wdm.sys
2011-02-16 06:14:58 29531 ----a-w- c:\windows\system32\dllcache\dgapci.sys
2011-02-16 06:13:59 216064 ----a-w- c:\windows\system32\dllcache\cpscan.dll
2011-02-16 06:12:59 314752 ----a-w- c:\windows\system32\dllcache\camdro21.sys
2011-02-16 06:11:59 87552 ----a-w- c:\windows\system32\dllcache\avmcoxp.dll
2011-02-16 06:10:59 19456 ----a-w- c:\windows\system32\dllcache\agt0412.dll
2011-02-16 06:09:51 32827 ----a-w- c:\windows\system32\dllcache\tcptest.exe
2011-02-14 22:11:50 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
2011-02-13 16:17:10 -------- d-----w- c:\docume~1\chrisz~1\applic~1\SUPERAntiSpyware.com
2011-02-13 16:17:10 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2011-02-12 18:53:42 -------- d-----w- c:\windows\system32\CatRoot_bak
2011-02-12 11:47:39 -------- d-----w- C:\VBARESCUE
2011-02-11 02:43:07 -------- d-----w- c:\windows\system32\scripting
2011-02-11 02:43:05 -------- d-----w- c:\windows\l2schemas
2011-02-11 02:43:00 -------- d-----w- c:\windows\system32\en
2011-02-11 02:43:00 -------- d-----w- c:\windows\system32\bits
2011-02-11 02:31:18 -------- d-----w- c:\windows\network diagnostic
2011-02-11 02:14:45 263552 ----a-w- c:\windows\system32\drivers\http.sys
2011-02-11 02:14:45 263552 ----a-w- c:\windows\system32\dllcache\http.sys
2011-02-11 02:14:44 128896 ----a-w- c:\windows\system32\drivers\fltmgr.sys
2011-02-11 02:14:44 128896 ----a-w- c:\windows\system32\dllcache\fltmgr.sys
2011-02-11 02:14:34 272128 ----a-w- c:\windows\system32\dllcache\bthport.sys
2011-02-11 02:14:34 272128 ------w- c:\windows\system32\drivers\bthport.sys
2011-02-11 02:14:32 75776 ----a-w- c:\windows\system32\strmfilt.dll
2011-02-11 02:14:32 75776 ----a-w- c:\windows\system32\dllcache\strmfilt.dll
2011-02-11 02:13:35 2143744 ----a-w- c:\windows\system32\dllcache\ntkrnlmp.exe
2011-02-11 02:13:34 2021888 ----a-w- c:\windows\system32\dllcache\ntkrpamp.exe
2011-02-11 02:13:32 215552 ----a-w- c:\windows\system32\dllcache\wordpad.exe
2011-02-11 02:13:32 215552 ----a-w- c:\program files\windows nt\accessories\wordpad.exe
2011-02-11 02:11:59 27648 ----a-w- c:\windows\system32\dllcache\jgpl400.dll
2011-02-11 02:11:59 163840 ----a-w- c:\windows\system32\dllcache\jgdw400.dll
2011-02-11 02:09:59 57472 ----a-w- c:\windows\system32\drivers\redbook.sys
2011-02-11 02:08:57 -------- d-----w- c:\windows\EHome
2011-02-11 01:41:32 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-02-11 01:41:32 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2011-02-10 20:27:20 -------- d-----w- C:\bd_logs

==================== Find3M ====================

2010-12-26 05:10:27 1409 ----a-w- c:\windows\QTFont.for

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST980829A rev.3.05 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x85348555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8534e7b0]; MOV EAX, [0x8534e82c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EE136] -> \Device\Harddisk0\DR0[0x853A8820]
3 CLASSPNP[0xF757305B] -> ntkrnlpa!IofCallDriver[0x804EE136] -> \Device\00000079[0x8533A9E8]
5 ACPI[0xF73E9620] -> ntkrnlpa!IofCallDriver[0x804EE136] -> [0x85356940]
\Driver\atapi[0x85384730] -> IRP_MJ_CREATE -> 0x85348555
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV SI, 0x7be; MOV CL, 0x4; CMP [SI], CH; JL 0x2d; JNZ 0x3b; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskST980829A_______________________________3.05____#5&2ce473f4&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8534839B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 5:36:13.81 ===============

Ark Log:

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-02-16 06:05:15
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdePort0 ST980829A rev.3.05
Running: gmer.exe; Driver: C:\DOCUME~1\CHRISZ~1\LOCALS~1\Temp\kxtdqpod.sys


---- System - GMER 1.0.15 ----

SSDT 851108E0 ZwAlertResumeThread
SSDT 850BB3A0 ZwAlertThread
SSDT 84501958 ZwAllocateVirtualMemory
SSDT 84F65878 ZwAssignProcessToJobObject
SSDT 8518B008 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xB4B1B210]
SSDT 8513A980 ZwCreateMutant
SSDT 84F7A008 ZwCreateSymbolicLinkObject
SSDT 852F83F8 ZwCreateThread
SSDT 851C2C98 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xB4B1B490]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xB4B1B9F0]
SSDT 850B4F30 ZwDuplicateObject
SSDT 84FC6098 ZwFreeVirtualMemory
SSDT 85244070 ZwImpersonateAnonymousToken
SSDT 84D7B0C0 ZwImpersonateThread
SSDT 85215478 ZwLoadDriver
SSDT 844FF070 ZwMapViewOfSection
SSDT 850EE070 ZwOpenEvent
SSDT 8508AD08 ZwOpenProcess
SSDT 84D07070 ZwOpenProcessToken
SSDT 8515C0C0 ZwOpenSection
SSDT 85124CC0 ZwOpenThread
SSDT 8507A0D8 ZwProtectVirtualMemory
SSDT 85113B88 ZwResumeThread
SSDT 85082548 ZwSetContextThread
SSDT 84F6C0A8 ZwSetInformationProcess
SSDT 84D47070 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xB4B1BC40]
SSDT 84D5E0C0 ZwSuspendProcess
SSDT 84F463B8 ZwSuspendThread
SSDT 84D2F070 ZwTerminateProcess
SSDT 850FF5F0 ZwTerminateThread
SSDT 852F0800 ZwUnmapViewOfSection
SSDT 84FC6128 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

? SYMDS.SYS The system cannot find the file specified. !
? SYMEFA.SYS The system cannot find the file specified. !
? C:\DOCUME~1\CHRISZ~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1092] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A4000A
.text C:\WINDOWS\System32\svchost.exe[1092] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00A5000A
.text C:\WINDOWS\System32\svchost.exe[1092] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A3000C
.text C:\WINDOWS\System32\svchost.exe[1092] USER32.dll!GetCursorPos 7E41BD76 5 Bytes JMP 0080000A
.text C:\WINDOWS\System32\svchost.exe[1092] USER32.dll!WindowFromPoint 7E41BD8E 5 Bytes JMP 00BA000A
.text C:\WINDOWS\System32\svchost.exe[1092] USER32.dll!GetForegroundWindow 7E41BE4B 5 Bytes JMP 0121000A
.text C:\WINDOWS\System32\svchost.exe[1092] ole32.dll!CoCreateInstance 774FFAC3 5 Bytes JMP 00CA000A
.text C:\WINDOWS\Explorer.EXE[2004] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B8000A
.text C:\WINDOWS\Explorer.EXE[2004] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00B9000A
.text C:\WINDOWS\Explorer.EXE[2004] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B2000C

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Development Company, L.P.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Development Company, L.P.)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8534839B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8534839B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-e 8534839B

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)

AttachedDevice fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskST980829A_______________________________3.05____#5&2ce473f4&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;

---- EOF - GMER 1.0.15 ----

#2 TheTinker

TheTinker
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:07:45 PM

Posted 17 February 2011 - 12:36 AM

Please cancel this request; I had a little time, looked over the logs, and ran TDSSKiller to remove the rootkit, followed by MalwareBytes, and the system's back to normal.

Thanks,

TheTinker

#3 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:45 PM

Posted 17 February 2011 - 04:39 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw
