ComboFix finds Bootkit TDL4, infected?


  • This topic is locked
19 replies to this topic

#1 jonas914

jonas914

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:05:38 PM

Posted 18 April 2011 - 06:04 PM

So, I've got a training room with 9 XP machines, half of them can't open taskmanager or regedit. I've checked the obvious user rights and group policy settings.
As a shot in the dark, I just ran Combofix. It said it found a few files and "Bootkit - TDL4" and disinfected it. Here are the files that it found from ComboFix:

2011-04-18 18:49:25 . 2011-04-18 18:49:25 814 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-PreSonus 1394 Audio Driver V2.27.0 (EASERA GATEWAY) Setup.reg.dat
2011-04-18 18:47:11 . 2011-04-18 18:47:11 8,801 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2011-04-18 18:28:41 . 2011-04-18 18:41:22 121 ----a-w- C:\Qoobox\Quarantine\catchme.log
2010-12-22 21:26:32 . 2010-12-22 21:26:32 1 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\idmf.dat.vir
2010-12-22 21:26:32 . 2010-12-22 21:26:32 1 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\fdscd.dat.vir
2010-11-10 22:44:39 . 2011-03-04 19:45:33 225,836 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\lkdsd.dat.vir
2010-05-19 21:32:45 . 2010-11-17 23:29:09 45,056 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\loml.gif.vir
2009-06-29 16:52:56 . 2009-06-29 16:52:56 2,443,571 ----a-w- C:\Qoobox\Quarantine\C\PROGRA~1\RENKUS~1\RHAON\COT144.exe.vir
2007-02-22 17:42:45 . 2009-11-14 19:28:09 120 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\winsusrx.dll.vir
2007-02-22 17:42:45 . 2010-11-17 22:45:14 264 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\winsusrm.dll.vir

So, it didn't fix the problem of opening taskmanager or regedit though. So I tried the fixes mentioned here:
http://www.dougknox.com/security/scripts_desc/regtools.htm
http://windowsxp.mvps.org/Taskmanager_error.htm

And it was fixed momentarily until I logged off or rebooted, then I was back to no regedit or taskmanager.

So, I just ran the DDS tool and GMER and am posting my logs here.
Also, as a test, I ran ComboFix on a machine that DIDN'T have the regedit/taskmanager problem and it too still found some files and Bootkit-TDL4.

So here are my logs. Any help would be appreciated!! Thank you!!!!!!

Jonas
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by EaseUser at 12:21:18.56 on Mon 04/18/2011
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.654 [GMT -7:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\RH_PreSonus\1394AudioDriver_EASERA_GATEWAY\EASERA_Gateway.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\EaseUser\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.renkus-heinz.com/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {2C5EB892-1B87-449E-A13F-7BC1112C99EB} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [RoxioEngineUtility] "c:\program files\common files\roxio shared\system\EngUtil.exe"
mRun: [EASERA 1.1] c:\program files\sda\easera 1.0\easera100\InitCrypKey.exe
mRun: [vptray] c:\progra~1\symant~1\symant~1\vptray.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\reader 8.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~2.lnk - c:\program files\adobe\reader 8.0\reader\AdobeCollabSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\easera~1.lnk - c:\program files\rh_presonus\1394audiodriver_easera_gateway\EASERA_Gateway.exe
uPolicies-system: DisableTaskMgr = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1172101521109
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
mASetup: {E7F780A5-FC7C-45C5-882E-256832665E0A} - rundll32 rxten.dll,laspi
.
============= SERVICES / DRIVERS ===============
.
R2 NAVAPEL;NAVAPEL;c:\program files\symantec_client_security\symantec antivirus\Navapel.sys [2002-6-19 29184]
R2 Norton AntiVirus Server;Symantec AntiVirus Client;c:\program files\symantec_client_security\symantec antivirus\Rtvscan.exe [2002-7-30 573440]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-1-26 50704]
R3 NAVAP;NAVAP;c:\program files\symantec_client_security\symantec antivirus\Navap.sys [2002-6-19 218112]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20071114.020\NAVENG.sys [2007-11-15 81232]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20071114.020\NAVEX15.sys [2007-11-15 865904]
S3 SDA_1394;SDA_1394;c:\windows\system32\drivers\SDA_1394.sys [2007-2-22 113664]
S3 SDA_avs;SDA_avs;c:\windows\system32\drivers\SDA_avs.sys [2007-2-22 28672]
.
=============== Created Last 30 ================
.
2011-04-18 18:59:14 -------- d--h--w- c:\windows\system32\GroupPolicy
2011-04-18 18:31:52 984064 ----a-w- c:\windows\system32\OLD2.tmp
2011-04-18 18:28:50 98816 ----a-w- c:\windows\sed.exe
2011-04-18 18:28:50 89088 ----a-w- c:\windows\MBR.exe
2011-04-18 18:28:50 256512 ----a-w- c:\windows\PEV.exe
2011-04-18 18:28:50 161792 ----a-w- c:\windows\SWREG.exe
.
==================== Find3M ====================
.
2011-01-26 00:47:10 125760 ----a-w- c:\windows\system32\W32N55.dll
.
============= FINISH: 12:21:55.01 ===============


#2 jonas914

jonas914
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:05:38 PM

Posted 18 April 2011 - 06:38 PM

Also, to add... Most of these computers have not been updated (Windows updates) for well over a year. They were supposed to be left alone, but have been used by different groups in the meantime.

I have started to run Windows Updates on most of the machines (there are a lot of them) except the one I posted the logs from. I won't touch that machine until I get a useful response hopefully from someone here.

Edited by jonas914, 18 April 2011 - 08:05 PM.


#3 jonas914

jonas914
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:05:38 PM

Posted 19 April 2011 - 12:23 PM

Hello? Anybody?

So, now, on the other machines that I've been doing Windows Updates on... the first two machines failed the SP3 update. That's highly suspicious. Is there anybody out there?

EDIT: Please be patient. There are over 340 unanswered topics in this forum at present and the current average wait time to receive help is 9 days. ~Budapest

Edited by Budapest, 19 April 2011 - 05:20 PM.


#4 rigacci

rigacci

    Fiorentino


  • Members
  • 2,604 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:38 PM

Posted 29 April 2011 - 07:22 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Thanks.

DR

#5 jonas914

jonas914
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:05:38 PM

Posted 02 May 2011 - 11:43 PM

DR,
The machine in question has not been touched since I sent the logs. It is still on and waiting. I have been too busy with other things to attempt any other solutions. So, please use the posted logs for diagnosis and suggestions.
I will be able to check or perform any other tests tomorrow.
Thank you.

#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,696 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:02:38 AM

Posted 05 May 2011 - 02:08 PM

Hi jonas914,

Apologies for the delay. I will be assisting you with this issue.

Close any open browsers.

Open notepad (start > All Programs > Accessories > Notepad) and copy/paste the text in the code box below into it:

File::
c:\windows\system32\rxten.dll
c:\windows\system32\OLD2.tmp

DDS::
BHO: {2C5EB892-1B87-449E-A13F-7BC1112C99EB} - No File
uPolicies-system: DisableTaskMgr = 1 (0x1)
mASetup: {E7F780A5-FC7C-45C5-882E-256832665E0A} - rundll32 rxten.dll,laspi


Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you ( "C:\ComboFix.txt"). Please copy and paste the log to your reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Edited by farbar, 05 May 2011 - 02:10 PM.
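For readers following the thread: the CFScript above removes a per-user policy value (`DisableTaskMgr`) and an Active Setup component whose StubPath runs `rundll32 rxten.dll,laspi`. Active Setup Installed Components are executed at user logon, which is consistent with a manual registry fix surviving only until the next logoff. As an added example (not part of the thread, of ComboFix or of DDS), the Python script below audits those two locations on a Windows host: it lists every Active Setup StubPath that invokes a DLL or program outside a small expected set, and reports any DisableTaskMgr/DisableRegistryTools policy that is set. The expected-stub allowlist and the sample entries are assumptions constructed for illustration; on a real machine run it as an administrator.

```python
import re
import sys
from typing import List, Optional, Tuple

# Well-known registry locations audited here.
POLICY_KEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\System"
POLICY_VALUES = ("DisableTaskMgr", "DisableRegistryTools")
ACTIVE_SETUP_KEY = r"Software\Microsoft\Active Setup\Installed Components"

# Stub programs/DLLs that Windows itself commonly registers under Active Setup.
# This allowlist is an assumption for the example, not an authoritative list.
EXPECTED_STUBS = {"ie4uinit.exe", "advpack.dll", "shell32.dll", "regsvr32.exe", "msiexec.exe"}

# rundll32 [path\]name.dll,Export ...
_RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^\s,"]+)"?\s*,\s*(\S+)', re.IGNORECASE)


def classify_stub(stub_path: str) -> Optional[str]:
    """Return a reason if a StubPath looks suspicious, else None."""
    m = _RUNDLL_RE.search(stub_path)
    if m:
        dll, export = m.group(1), m.group(2)
        if dll.rsplit("\\", 1)[-1].lower() not in EXPECTED_STUBS:
            return f"rundll32 loads non-standard DLL {dll!r} (export {export!r})"
        return None
    s = stub_path.strip()
    if not s:
        return "empty StubPath"
    if s.startswith('"') and s.find('"', 1) > 0:      # quoted program path
        first = s[1:s.find('"', 1)]
    else:
        first = s.split()[0]
    if first.rsplit("\\", 1)[-1].lower() not in EXPECTED_STUBS:
        return f"unexpected stub program {first!r}"
    return None


def audit(active_setup: List[Tuple[str, str]],
          policies: List[Tuple[str, str, int]]) -> List[Tuple[str, str, str]]:
    """active_setup: (guid, StubPath) pairs; policies: (hive, name, value) triples.
    Returns (kind, where, reason) findings."""
    findings = []
    for guid, stub in active_setup:
        reason = classify_stub(stub)
        if reason:
            findings.append(("ActiveSetup", guid, reason))
    for hive, name, value in policies:
        if name in POLICY_VALUES and value:
            findings.append(("Policy", f"{hive}\\{POLICY_KEY}\\{name}", f"set to {value}"))
    return findings


def read_live_registry():
    """Collect the audited entries from the live registry (Windows only)."""
    import winreg
    active_setup = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, ACTIVE_SETUP_KEY) as key:
        i = 0
        while True:
            try:
                guid = winreg.EnumKey(key, i)
            except OSError:
                break
            i += 1
            try:
                with winreg.OpenKey(key, guid) as sub:
                    active_setup.append((guid, winreg.QueryValueEx(sub, "StubPath")[0]))
            except OSError:
                pass  # component without a StubPath value
    policies = []
    for hive_name, hive in (("HKCU", winreg.HKEY_CURRENT_USER), ("HKLM", winreg.HKEY_LOCAL_MACHINE)):
        try:
            with winreg.OpenKey(hive, POLICY_KEY) as key:
                for name in POLICY_VALUES:
                    try:
                        policies.append((hive_name, name, winreg.QueryValueEx(key, name)[0]))
                    except OSError:
                        pass
        except OSError:
            pass  # policy key absent on this hive
    return active_setup, policies


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("run on Windows to audit the live registry")
    for kind, where, reason in audit(*read_live_registry()):
        print(f"[{kind}] {where}: {reason}")
```

Anything reported under ActiveSetup should be checked on disk (the DLL's location, timestamp and signature) before it is removed; on 64-bit hosts the Wow6432Node copy of the Active Setup key would need the same treatment.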


#7 jonas914

jonas914
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:05:38 PM

Posted 06 May 2011 - 11:57 PM

I'll have to wait now. I'm travelling for the next week and a half and will do it when I get back. Sorry.

#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,696 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:02:38 AM

Posted 07 May 2011 - 04:17 AM

Take your time and thanks for letting me know.

#9 jonas914

jonas914
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:05:38 PM

Posted 27 May 2011 - 05:17 PM

ComboFix 11-05-27.01 - EaseUser 05/27/2011 15:22:01.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.697 [GMT -7:00]
Running from: c:\documents and settings\EaseUser\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\EaseUser\Desktop\CFScript.txt
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
FILE ::
"c:\windows\system32\OLD2.tmp"
"c:\windows\system32\rxten.dll"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\OLD2.tmp
c:\windows\system32\rxten.dll
.
.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
((((((((((((((((((((((((( Files Created from 2011-04-27 to 2011-05-27 )))))))))))))))))))))))))))))))
.
.
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-01-11 577536]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-02 65536]
"EASERA 1.1"="c:\program files\SDA\EASERA 1.0\EASERA100\InitCrypKey.exe" [2005-11-29 20480]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [2002-07-30 77824]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]
EASERA GATEWAY Control Panel.lnk - c:\program files\RH_PreSonus\1394AudioDriver_EASERA_GATEWAY\EASERA_Gateway.exe [2007-2-22 921600]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Renkus-Heinz\\RHAON\\RHAON.exe"=
.
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [1/26/2010 7:09 PM 50704]
S3 SDA_1394;SDA_1394;c:\windows\system32\drivers\SDA_1394.sys [2/22/2007 11:50 AM 113664]
S3 SDA_avs;SDA_avs;c:\windows\system32\drivers\SDA_avs.sys [2/22/2007 11:50 AM 28672]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.renkus-heinz.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 10.1.1.21 10.1.1.20
.
- - - - ORPHANS REMOVED - - - -
.
HKLM_ActiveSetup-{E7F780A5-FC7C-45C5-882E-256832665E0A} - rxten.dll
.
.
.
**************************************************************************
.
disk not found C:\
.
please note that you need administrator rights to perform deep scan
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(684)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2011-05-27 15:29:12
ComboFix-quarantined-files.txt 2011-05-27 22:29
ComboFix2.txt 2011-04-18 18:49
.
Pre-Run: 25,953,443,840 bytes free
Post-Run: 25,946,382,336 bytes free
.
- - End Of File - - 66793C8C7C5F7EB278A1BB269D73EA17

#10 jonas914

jonas914
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:05:38 PM

Posted 27 May 2011 - 05:47 PM

FWIW, I ran ComboFix again, and got the same "has detected rootkit activity" and says Bootkit TDL4 was found and disinfected.

I need to get a couple of these PC's ready for a trade show, so I'm going to just do the HD Wipe fix and spend all day reinstalling every update known to man.
But I'd like to see if you can help me fix the rest of the machines, or at least help figure out what the heck is in here.

Also, FYI, this PC that I just posted the log from (after just running ComboFix), now CAN open task manager and regedit.

#11 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,696 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:02:38 AM

Posted 28 May 2011 - 03:55 AM

Let's hold on to this computer and you can apply the same approach to other computers.

I think the initial infection is taken care of and ComboFix is showing a false positive. But to make absolutely sure we will run a couple of highly reliable programs:

  • Please download TDSSKiller.zip and and extract it.
    • Run TDSSKiller.exe.
    • Click Start scan.
    • When it is finished the utility outputs a list of detected objects with description.
      The utility automatically selects an action (Cure or Delete) for malicious objects.
      The utility prompts the user to select an action to apply to suspicious objects (Skip, by default). Leave the options as they are and click Continue
    • Let reboot if needed and tell me if the tool needed a reboot.
    • Click on Report and post the contents of the text file that will open.

      Note: By default, the utility outputs the log into the system disk (it is usually the disk with the installed operating system, C:\) root folder. The log has a name like: TDSSKiller.Version_Date_Time_log.txt.
  • Please download MBRCheck by clicking here and save it to your desktop.
    • Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt).
    • A window will open on your desktop.
    • If an unknown bootcode is found you will have further options available to you, at this time press N then press Enter twice.
    • If nothing unusual is found just press Enter.
    • A .txt file named MBRCheck_mm.dd.yy_hh.mm.txt should appear on your desktop.
    • Please post the contents of that file in your next reply.


#12 jonas914

jonas914
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:05:38 PM

Posted 02 June 2011 - 03:59 PM

TDS Killer - Nothing found:

2011/06/02 14:13:36.0515 2428 TDSS rootkit removing tool 2.5.3.0 May 25 2011 07:09:24
2011/06/02 14:13:36.0890 2428 ================================================================================
2011/06/02 14:13:36.0890 2428 SystemInfo:
2011/06/02 14:13:36.0890 2428
2011/06/02 14:13:36.0890 2428 OS Version: 5.1.2600 ServicePack: 2.0
2011/06/02 14:13:36.0890 2428 Product type: Workstation
2011/06/02 14:13:36.0890 2428 ComputerName: EASECLASS7
2011/06/02 14:13:36.0890 2428 UserName: EaseUser
2011/06/02 14:13:36.0890 2428 Windows directory: C:\WINDOWS
2011/06/02 14:13:36.0890 2428 System windows directory: C:\WINDOWS
2011/06/02 14:13:36.0890 2428 Processor architecture: Intel x86
2011/06/02 14:13:36.0890 2428 Number of processors: 1
2011/06/02 14:13:36.0890 2428 Page size: 0x1000
2011/06/02 14:13:36.0890 2428 Boot type: Normal boot
2011/06/02 14:13:36.0890 2428 ================================================================================
2011/06/02 14:13:38.0046 2428 Initialize success
2011/06/02 14:13:47.0109 3964 ================================================================================
2011/06/02 14:13:47.0109 3964 Scan started
2011/06/02 14:13:47.0109 3964 Mode: Manual;
2011/06/02 14:13:47.0109 3964 ================================================================================
2011/06/02 14:13:49.0000 3964 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
2011/06/02 14:13:49.0250 3964 ================================================================================
2011/06/02 14:13:49.0250 3964 Scan finished
2011/06/02 14:13:49.0250 3964 ================================================================================
2011/06/02 14:13:49.0281 3676 Detected object count: 0
2011/06/02 14:13:49.0281 3676 Actual detected object count: 0

MBRCheck - Nothing found

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 2 (build 2600)
Logical Drives Mask: 0x0200000d

Kernel Drivers (total 129):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806EC000 \WINDOWS\system32\hal.dll
0xF7D63000 \WINDOWS\system32\KDCOM.DLL
0xF7C73000 \WINDOWS\system32\BOOTVID.dll
0xF7814000 ACPI.sys
0xF7D65000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF7803000 pci.sys
0xF7863000 isapnp.sys
0xF7E2B000 pciide.sys
0xF7AE3000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF7D67000 intelide.sys
0xF7873000 MountMgr.sys
0xF77E4000 ftdisk.sys
0xF7D69000 dmload.sys
0xF77BE000 dmio.sys
0xF7AEB000 PartMgr.sys
0xF7883000 VolSnap.sys
0xF77A6000 atapi.sys
0xF7893000 disk.sys
0xF78A3000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF7786000 fltMgr.sys
0xF7774000 sr.sys
0xF775D000 KSecDD.sys
0xF76D0000 Ntfs.sys
0xF76A3000 NDIS.sys
0xF78B3000 ohci1394.sys
0xF78C3000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xF7688000 Mup.sys
0xF78D3000 agp440.sys
0xF79B3000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xF79C3000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF693E000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
0xF692A000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF7BA3000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF6907000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF7BAB000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF68E0000 \SystemRoot\system32\DRIVERS\e100b325.sys
0xF79D3000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF7BB3000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF7BBB000 \SystemRoot\system32\DRIVERS\fdc.sys
0xF68CC000 \SystemRoot\system32\DRIVERS\parport.sys
0xF79E3000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF68BB000 \SystemRoot\System32\Drivers\Cdr4_xp.SYS
0xF79F3000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF7A03000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF6898000 \SystemRoot\system32\DRIVERS\ks.sys
0xF7BC3000 \SystemRoot\System32\Drivers\Cdralw2k.SYS
0xF64ED000 \SystemRoot\system32\drivers\ALCXWDM.SYS
0xF64C9000 \SystemRoot\system32\drivers\portcls.sys
0xF7A13000 \SystemRoot\system32\drivers\drmk.sys
0xF7E81000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF7A23000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF7D13000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF64B2000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF7A33000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF7A43000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF7BCB000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF64A1000 \SystemRoot\system32\DRIVERS\psched.sys
0xF7A53000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF7BD3000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF7BDB000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF63D0000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF7A63000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF7BE3000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF7D83000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF639C000 \SystemRoot\system32\DRIVERS\update.sys
0xF7D2F000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF7A73000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF7AB3000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF7D85000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF7BEB000 \SystemRoot\system32\DRIVERS\flpydisk.sys
0xF7D87000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7EFE000 \SystemRoot\System32\Drivers\Null.SYS
0xF7D89000 \SystemRoot\System32\Drivers\Beep.SYS
0xF7BFB000 \SystemRoot\System32\drivers\vga.sys
0xF7D8B000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7D8D000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF7C03000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF7C0B000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF6DBE000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xBA7A5000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xBA74D000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xBA725000 \SystemRoot\system32\DRIVERS\netbt.sys
0xBA703000 \SystemRoot\System32\drivers\afd.sys
0xF7AD3000 \SystemRoot\system32\DRIVERS\netbios.sys
0xBA6D8000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xF7C13000 \SystemRoot\system32\ckldrv.sys
0xBA669000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF7913000 \SystemRoot\System32\Drivers\Fips.SYS
0xBA648000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xF7923000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xF7933000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xF7953000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xF7CFB000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xF7963000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xF7C23000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xF7CFF000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xBA568000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF7D93000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF638C000 \SystemRoot\System32\drivers\Dxapi.sys
0xF7C2B000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7F43000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\ati2dvag.dll
0xBF060000 \SystemRoot\System32\ati2cqag.dll
0xBF0E6000 \SystemRoot\System32\atikvmag.dll
0xBF146000 \SystemRoot\System32\atiok3x2.dll
0xBF185000 \SystemRoot\System32\ati3duag.dll
0xBF494000 \SystemRoot\System32\ativvaxx.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xB845C000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xB8193000 \SystemRoot\system32\drivers\wdmaud.sys
0xB8280000 \SystemRoot\system32\drivers\sysaudio.sys
0xB8078000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xF7DC9000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xB8005000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xB7FF4000 \??\C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\NAVAPEL.SYS
0xB7FA2000 \SystemRoot\system32\DRIVERS\srv.sys
0xB8123000 \SystemRoot\system32\drivers\npf.sys
0xF7B6B000 \??\C:\DOCUME~1\EaseUser\LOCALS~1\Temp\catchme.sys
0xB7CC1000 \??\C:\Program Files\Symantec\SYMEVENT.SYS
0xB7C5C000 \??\C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\NAVAP.sys
0xB7B8A000 \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20071114.020\NAVEX15.sys
0xB7B77000 \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20071114.020\NAVENG.sys
0xF7D81000 \??\C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
0xB7A1E000 \SystemRoot\System32\Drivers\HTTP.sys
0xB78C9000 \SystemRoot\system32\drivers\42809671.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 27):
0 System Idle Process
4 System
588 C:\WINDOWS\system32\smss.exe
652 csrss.exe
684 C:\WINDOWS\system32\winlogon.exe
736 C:\WINDOWS\system32\services.exe
748 C:\WINDOWS\system32\lsass.exe
904 C:\WINDOWS\system32\ati2evxx.exe
916 C:\WINDOWS\system32\svchost.exe
1016 svchost.exe
1108 C:\WINDOWS\system32\svchost.exe
1156 svchost.exe
1272 svchost.exe
1300 C:\WINDOWS\system32\ati2evxx.exe
1616 C:\WINDOWS\system32\spoolsv.exe
1988 C:\WINDOWS\system32\Crypserv.exe
2004 C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
280 C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
616 C:\WINDOWS\system32\MsPMSPSv.exe
1556 alg.exe
312 C:\WINDOWS\system32\wscntfy.exe
1924 C:\WINDOWS\explorer.exe
2588 C:\Program Files\Internet Explorer\iexplore.exe
2620 C:\WINDOWS\system32\ctfmon.exe
2412 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
3588 C:\Documents and Settings\EaseUser\Desktop\tdsskiller\TDSSKiller.exe
3264 C:\Documents and Settings\EaseUser\Desktop\MBRCheck.exe

\\.\C: --> error 1

PhysicalDrive0 Model Number: WDCWD400BB-00HEA0, Rev: 13.03G13

Size Device Name MBR Status
--------------------------------------------
37 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!
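The TDSSKiller and MBRCheck output above both report a hash for sector 0 of PhysicalDrive0 (TDSSKiller prints the offset 0x1B8 next to it, which is where the 440-byte boot code ends and the NT disk signature begins). As an added example, not part of the thread or of either tool, the Python script below performs the same kind of check: it reads the first sector, verifies the 0x55AA signature and the partition table, hashes the boot code and compares it against hashes captured from a trusted reference machine. Caveat: TDL4 hooks the disk miniport driver to hide its modified MBR from reads made inside the infected OS, so a clean result from a running system is only meaningful once it has been confirmed from offline boot media. The `build_sample_mbr` helper produces constructed test data, and the known-good hash set is an assumption you populate yourself.

```python
import hashlib
import struct
from typing import Dict, Iterable, List, Tuple

SECTOR = 512
BOOTCODE_LEN = 0x1B8      # boot code occupies bytes 0..0x1B7 (440 bytes)
DISK_SIG_OFF = 0x1B8      # 4-byte NT disk signature, then 2 reserved bytes
PART_TABLE_OFF = 0x1BE    # four 16-byte partition entries
BOOT_SIG_OFF = 0x1FE      # 0x55 0xAA


def parse_partition_entry(raw: bytes) -> Dict:
    """Decode one 16-byte MBR partition entry (little-endian fields)."""
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack("<B3sB3sII", raw)
    return {"bootable": status == 0x80, "type": ptype, "lba_start": lba_start, "sectors": sectors}


def inspect_mbr(sector: bytes, known_good_sha1: Iterable[str] = ()) -> Dict:
    """Sanity-check sector 0 and hash its boot code.

    known_good_sha1: SHA-1 hex digests of boot code captured from trusted
    reference machines; an empty set disables the allowlist comparison.
    """
    if len(sector) != SECTOR:
        raise ValueError("expected exactly one 512-byte sector")
    issues: List[str] = []
    if sector[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] != b"\x55\xaa":
        issues.append("boot signature 0x55AA missing")
    entries = [parse_partition_entry(sector[PART_TABLE_OFF + 16 * i:PART_TABLE_OFF + 16 * (i + 1)])
               for i in range(4)]
    used = [e for e in entries if e["type"] != 0]
    active = [e for e in used if e["bootable"]]
    if len(active) != 1:
        issues.append(f"{len(active)} active partitions, expected 1")
    for e in used:
        if e["sectors"] == 0 or e["lba_start"] == 0:
            issues.append(f"partition type 0x{e['type']:02x} has an invalid extent")
    digest = hashlib.sha1(sector[:BOOTCODE_LEN]).hexdigest().upper()
    known = {h.upper() for h in known_good_sha1}
    if known and digest not in known:
        issues.append("boot code SHA-1 is not in the known-good set")
    disk_sig = struct.unpack("<I", sector[DISK_SIG_OFF:DISK_SIG_OFF + 4])[0]
    return {"bootcode_sha1": digest, "disk_signature": disk_sig,
            "partitions": used, "issues": issues, "clean": not issues}


def read_sector0(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read the first sector of a raw disk (administrator rights on Windows;
    use a device such as /dev/sda when checking from a Linux live CD)."""
    with open(device, "rb", buffering=0) as f:
        return f.read(SECTOR)


def build_sample_mbr(bootcode: bytes, partitions: Iterable[Tuple[bool, int, int, int]]) -> bytes:
    """Construct a test MBR (constructed sample data, not read from a real disk).

    partitions: (bootable, type, lba_start, sectors) for up to four entries.
    """
    sector = bytearray(SECTOR)
    code = bootcode[:BOOTCODE_LEN]
    sector[:len(code)] = code
    struct.pack_into("<I", sector, DISK_SIG_OFF, 0xDEADBEEF)   # arbitrary signature
    for i, (bootable, ptype, lba_start, sectors) in enumerate(partitions):
        struct.pack_into("<B3sB3sII", sector, PART_TABLE_OFF + 16 * i,
                         0x80 if bootable else 0x00, b"\x00\x00\x00",
                         ptype, b"\x00\x00\x00", lba_start, sectors)
    sector[BOOT_SIG_OFF:] = b"\x55\xaa"
    return bytes(sector)


if __name__ == "__main__":
    # Known-good boot code hashes are passed on the command line, e.g. captured
    # earlier from a freshly installed machine of the same build.
    import sys
    for key, value in inspect_mbr(read_sector0(), sys.argv[1:]).items():
        print(f"{key}: {value}")
```

Run it once from inside Windows and once from offline media against the same disk; if the two boot-code hashes differ, the in-OS read is being filtered and the disk should be treated as infected regardless of what in-OS scanners report.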

#13 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,696 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:02:38 AM

Posted 02 June 2011 - 04:07 PM

The logs are consistent on the fact that there is no MBR infection. How is the computer running?

#14 jonas914

jonas914
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:05:38 PM

Posted 02 June 2011 - 04:07 PM

I'm assuming your reply will be that it all looks fine at this point (since it appears to me that it is).

So, my next question in anticipation to that answer, what should I do with all the other machines? I've got 5 more that were like this one that I haven't touched since we started. Should I run the same CFScript file on those?
Or was it just the latest CF that appeared to have fixed it?

#15 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,696 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:02:38 AM

Posted 02 June 2011 - 04:13 PM

I'm not sure what was there before. But at this point there is no MBR infection on this computer and we didn't do anything to fix an MBR infection. ComboFix sees an MBR infection and reports fixing it, and it appears again on the log. I'm sure this is a false positive that is probably evoked by a security program on that system.

Now the question is what to do with other computers. To answer that I need to know how this system is running and whether other systems have any issues at the moment.
