
rootkit activity


  • This topic is locked
6 replies to this topic

#1 wetherills

  • Members
  • 14 posts

Posted 26 April 2011 - 09:55 AM

Background information is here: http://www.bleepingcomputer.com/forums/topic393751.html. I am following these instructions: http://www.bleepingcomputer.com/forums/topic34773.html

DDS.txt
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Simon at 14:43:25.46 on 26/04/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.3579.2785 [GMT 1:00]
.
AV: Kaspersky Anti-Virus *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2011\avp.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2011\avp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Simon\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky anti-virus 2011\ievkbd.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky anti-virus 2011\klwtbbho.dll
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [NUSB3MON] "c:\program files\nec electronics\usb 3.0 host controller driver\application\nusb3mon.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 2011\avp.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky anti-virus 2011\klwtbbho.dll
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky anti-virus 2011\klwtbbho.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1303808645468
Notify: klogon - c:\windows\system32\klogon.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\simon\applic~1\mozilla\firefox\profiles\5lv158kg.default\
FF - prefs.js: browser.startup.homepage - www.ebay.co.uk
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
.
============= SERVICES / DRIVERS ===============
.
R0 KL1;kl1;c:\windows\system32\drivers\kl1.sys [2010-6-9 132184]
R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [2010-6-9 11352]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2011-4-26 475736]
R2 AVP;Kaspersky Anti-Virus Service;c:\program files\kaspersky lab\kaspersky anti-virus 2011\avp.exe [2010-11-2 365336]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2010-5-7 32856]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-11-2 19472]
R3 nusb3hub;NEC Electronics USB 3.0 Hub Driver;c:\windows\system32\drivers\nusb3hub.sys [2009-9-25 56576]
R3 nusb3xhc;NEC Electronics USB 3.0 Host Controller Driver;c:\windows\system32\drivers\nusb3xhc.sys [2009-9-25 138240]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2011-4-26 58600]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2011-4-26 1684736]
.
=============== Created Last 30 ================
.
2011-04-26 12:28:21 -------- d-----w- c:\docume~1\simon\applic~1\Malwarebytes
2011-04-26 12:26:57 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-26 12:26:56 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-04-26 12:26:53 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-26 12:26:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-26 11:08:46 -------- d-sh--w- c:\documents and settings\simon\PrivacIE
2011-04-26 11:06:19 -------- d-sh--w- c:\documents and settings\simon\IETldCache
2011-04-26 11:00:04 7680 -c----w- c:\windows\system32\dllcache\iecompat.dll
2011-04-26 10:59:54 -------- d-----w- c:\windows\ie8updates
2011-04-26 10:59:49 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2011-04-26 10:59:49 602112 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2011-04-26 10:59:49 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2011-04-26 10:59:49 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2011-04-26 10:59:49 1991680 -c----w- c:\windows\system32\dllcache\iertutil.dll
2011-04-26 10:59:49 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2011-04-26 10:59:49 11080704 -c----w- c:\windows\system32\dllcache\ieframe.dll
2011-04-26 10:58:54 -------- dc-h--w- c:\windows\ie8
2011-04-26 10:53:32 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2011-04-26 10:53:21 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2011-04-26 10:53:01 978944 -c----w- c:\windows\system32\dllcache\mfc42.dll
2011-04-26 10:53:01 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2011-04-26 10:52:32 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2011-04-26 10:24:19 -------- d-----w- c:\windows\system32\scripting
2011-04-26 10:24:19 -------- d-----w- c:\windows\system32\en
2011-04-26 10:24:19 -------- d-----w- c:\windows\system32\bits
2011-04-26 10:24:19 -------- d-----w- c:\windows\l2schemas
2011-04-26 10:21:49 -------- d-----w- c:\windows\network diagnostic
2011-04-26 10:02:01 150200 ----a-w- c:\program files\mozilla firefox\extensions\linkfilter@kaspersky.ru\components\kavlinkfilter.dll
2011-04-26 09:30:28 -------- d-----w- c:\windows\ServicePackFiles
2011-04-26 09:23:16 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2011-04-26 09:22:08 293376 ------w- c:\windows\system32\browserchoice.exe
2011-04-26 09:21:24 455936 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2011-04-26 09:21:10 357888 -c----w- c:\windows\system32\dllcache\srv.sys
2011-04-26 09:20:39 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2011-04-26 09:20:39 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2011-04-26 09:20:33 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2011-04-26 09:16:25 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2011-04-26 09:15:52 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2011-04-26 09:15:51 272128 ------w- c:\windows\system32\drivers\bthport.sys
2011-04-26 09:15:48 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2011-04-26 09:07:27 -------- d-----w- c:\docume~1\simon\locals~1\applic~1\Temp
2011-04-26 09:07:27 -------- d-----w- c:\docume~1\simon\locals~1\applic~1\Adobe
2011-04-26 09:07:22 -------- d-----w- c:\windows\system32\PreInstall
2011-04-26 09:07:21 -------- d--h--w- c:\windows\$hf_mig$
2011-04-26 09:04:52 21728 ----a-w- c:\windows\system32\wucltui.dll.mui
2011-04-26 09:04:52 17632 ----a-w- c:\windows\system32\wuaueng.dll.mui
2011-04-26 09:04:52 15072 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2011-04-26 09:04:52 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
2011-04-26 09:04:52 -------- d-----w- c:\windows\system32\SoftwareDistribution
2011-04-26 08:47:43 -------- d-----w- C:\blcorp
2011-04-26 03:33:14 -------- d--h--w- c:\windows\PIF
2011-04-26 03:16:51 -------- d-----w- c:\program files\common files\Steam
2011-04-26 03:16:50 -------- d-----w- c:\program files\Steam
2011-04-26 03:12:42 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll
2011-04-26 03:12:42 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2011-04-26 03:12:38 -------- d-----w- c:\windows\Logs
2011-04-26 03:12:31 819200 ----a-w- c:\program files\windows media player\wmsetsdk.exe
2011-04-26 03:12:31 47616 ----a-w- c:\program files\windows media player\msoobci.dll
2011-04-26 03:12:31 -------- d-----w- c:\program files\Winamp Detect
2011-04-26 03:12:18 -------- d-----w- c:\windows\RegisteredPackages
2011-04-26 03:09:36 -------- d-----w- c:\program files\VideoLAN
2011-04-26 02:54:06 -------- d-sha-r- C:\cmdcons
2011-04-26 02:53:20 98816 ----a-w- c:\windows\sed.exe
2011-04-26 02:53:20 89088 ----a-w- c:\windows\MBR.exe
2011-04-26 02:53:20 256512 ----a-w- c:\windows\PEV.exe
2011-04-26 02:53:20 161792 ----a-w- c:\windows\SWREG.exe
2011-04-26 02:36:36 97859 ----a-w- c:\windows\system32\drivers\klick.dat
2011-04-26 02:36:36 115267 ----a-w- c:\windows\system32\drivers\klin.dat
2011-04-26 02:36:09 -------- d-----w- c:\program files\Kaspersky Lab
2011-04-26 02:36:09 -------- d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab
2011-04-26 02:33:05 -------- d-----w- c:\windows\SxsCaPendDel
2011-04-26 02:31:36 -------- d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2011-04-26 02:25:52 -------- d-sh--w- c:\documents and settings\simon\UserData
2011-04-26 02:24:56 -------- d-----w- c:\windows\pss
2011-04-26 02:20:44 58600 ----a-w- c:\windows\system32\drivers\nvhda32.sys
2011-04-26 02:20:44 26216 ----a-w- c:\windows\system32\nvhdap32.dll
2011-04-26 02:20:44 227944 ----a-w- c:\windows\system32\nvcohda.dll
2011-04-26 02:20:39 -------- d-----w- C:\NVIDIA
2011-04-26 02:18:58 -------- d-----w- c:\docume~1\alluse~1\applic~1\NVIDIA Corporation
2011-04-26 02:18:55 228632 ----a-w- c:\windows\system32\nvdrsdb0.bin
2011-04-26 02:18:54 228632 ----a-w- c:\windows\system32\nvdrsdb1.bin
2011-04-26 02:18:54 1 ----a-w- c:\windows\system32\nvdrssel.bin
2011-04-26 02:18:39 -------- d-----w- c:\program files\NVIDIA Corporation
2011-04-26 02:10:13 -------- d-----w- c:\windows\system32\Lang
2011-04-26 02:10:11 52864 ----a-w- c:\windows\system32\drivers\dmusic.sys
2011-04-26 02:10:06 56576 ----a-w- c:\windows\system32\drivers\swmidi.sys
2011-04-26 02:10:05 142592 ----a-w- c:\windows\system32\drivers\aec.sys
2011-04-26 02:10:04 6272 ----a-w- c:\windows\system32\drivers\splitter.sys
2011-04-26 02:08:22 73728 ----a-r- c:\windows\system32\RtNicProp32.dll
2011-04-26 02:08:22 143360 ----a-r- c:\windows\system32\drivers\Rtenicxp.sys
2011-04-26 02:08:18 -------- d-----w- c:\program files\NEC Electronics
2011-04-26 02:06:36 83072 ----a-w- c:\windows\system32\drivers\wdmaud.sys
2011-04-26 02:03:52 26144 ----a-w- c:\windows\system32\spupdsvc.exe
.
==================== Find3M ====================
.
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 19:44:14 59888 ------w- c:\windows\system32\pxwma.dll
2011-03-04 19:44:14 133616 ------w- c:\windows\system32\pxafs.dll
2011-03-04 19:44:12 126448 ------w- c:\windows\system32\pxinsi64.exe
2011-03-04 19:44:12 123888 ------w- c:\windows\system32\pxcpyi64.exe
2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06:29 43520 ------w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06:29 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41:59 385024 ------w- c:\windows\system32\html.iec
2011-02-17 13:51:57 81920 ------w- c:\windows\system32\ieencode.dll
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33:55 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33:55 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
.
============= FINISH: 14:43:34.64 ===============


I also have the ComboFix log, which I can attach if required, but I won't attach it at this stage unless asked. Thanks.

I also ran a scan using RootRepeal and have attached the log. A previous scan using this tool flagged up a handful of hidden/locked HTML files with a status of "Visible to the Windows API, but not on disk". These HTML files were web pages I had saved on my previous PC and copied onto this one; they may have been files previously infected with a trojan dropper but disinfected by Kaspersky and scanned clean. They have since been deleted anyway. I would appreciate it if someone could have a look at the log and let me know what they think. TDSSKiller and Sophos rootkit removal were both run and found nothing, and Kaspersky Anti-Virus has completed full deep scans and has detected nothing.

EDIT: Posts merged ~Budapest

Attached Files


Edited by Budapest, 28 April 2011 - 06:08 PM.




#2 m0le

  • Malware Response Team
  • 34,527 posts
  • Location:London, UK

Posted 03 May 2011 - 07:50 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days, I will bump the topic, and if you do not reply by the following day after that, I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 wetherills

  • Topic Starter
  • Members
  • 14 posts

Posted 04 May 2011 - 06:12 AM

Since the above, I wiped the disc with Paragon's disc wipe and installed Windows 7, so I should be clean now. I did a lot of reading on rootkits whilst I was waiting for a reply, and whilst I wasn't convinced I had one, I decided it would be best to start afresh. Is there anything I can / should run to check there is nothing lingering in BIOS etc.? Thanks for your reply, m0le.

#4 m0le

  • Malware Response Team
  • 34,527 posts
  • Location:London, UK

Posted 04 May 2011 - 05:56 PM

If you have reformatted and reinstalled, then the only malware known to survive is TDL4, which overwrites the Master Boot Record. We can check that with MBRCheck.

Please download MBRCheck to your desktop.

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log when you reply.
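How an MBR check of the kind described in the post above actually works, as an added example. This is illustrative Python written for this page; it is not MBRCheck's code, nor anything m0le or the poster ran. It reads one 512-byte sector, confirms the 0x55AA boot signature, decodes the four partition entries, hashes the 440 bytes of boot code so it can be compared with a baseline recorded from a known-clean install, and measures how much of the disk is left unallocated after the last partition, since TDL4 keeps its components in hidden space at the end of the drive. The two sample MBRs, the stand-in boot code bytes, the 2,000,000-sector disk size and the 16 MiB "suspicious tail" threshold are all constructed assumptions, not data from this thread or from any real infection; `read_sector0` only shows how to obtain the real sector (administrator rights required).

```python
"""Parse a 512-byte MBR and report what an MBR rootkit hunt cares about.

Added example, not MBRCheck's code. Real sector 0 comes from
open(r"\\.\PhysicalDrive0", "rb") as an administrator on Windows,
or /dev/sda on Linux; the samples below are constructed test data.
"""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440        # bytes 0-439: boot code (what a baseline hash covers)
DISK_SIG_OFF = 440         # 4-byte NT disk signature
PART_TABLE_OFF = 446       # four 16-byte partition entries, then 0x55AA at 510
PART_ENTRY_LEN = 16
PART_FMT = "<B3xB3xII"     # status, CHS start (skipped), type, CHS end (skipped), LBA start, count
TAIL_SECTORS_SUSPICIOUS = 32768   # heuristic assumption: >16 MiB unallocated after last partition


def parse_mbr(mbr: bytes) -> dict:
    """Validate the boot signature and decode the partition table."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, lba_count = struct.unpack_from(
            PART_FMT, mbr, PART_TABLE_OFF + i * PART_ENTRY_LEN)
        if ptype == 0:                      # empty slot
            continue
        partitions.append({"index": i, "active": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "lba_count": lba_count})
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", mbr, DISK_SIG_OFF)[0],
        "partitions": partitions,
    }


def assess(mbr: bytes, disk_sectors: int, baseline_sha256: str = "") -> list:
    """Return human-readable findings; an empty list means nothing looked off."""
    info = parse_mbr(mbr)
    findings = []
    if baseline_sha256 and info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code does not match the recorded clean baseline")
    active = [p for p in info["partitions"] if p["active"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected exactly 1)")
    if info["partitions"]:
        end = max(p["lba_start"] + p["lba_count"] for p in info["partitions"])
        tail = disk_sectors - end           # sectors nobody owns at the end of the disk
        if tail > TAIL_SECTORS_SUSPICIOUS:
            findings.append(f"{tail} unallocated sectors after the last partition; inspect them")
    return findings


def build_mbr(boot_code: bytes, partitions, disk_sig: int = 0x1234ABCD) -> bytes:
    """Assemble a synthetic MBR (constructed test data, not a real disk image)."""
    assert len(boot_code) <= BOOT_CODE_LEN
    buf = bytearray(SECTOR)
    buf[:len(boot_code)] = boot_code
    struct.pack_into("<I", buf, DISK_SIG_OFF, disk_sig)
    for i, (active, ptype, start, count) in enumerate(partitions):
        struct.pack_into(PART_FMT, buf, PART_TABLE_OFF + i * PART_ENTRY_LEN,
                         0x80 if active else 0x00, ptype, start, count)
    buf[510:512] = b"\x55\xaa"
    return bytes(buf)


DISK_SECTORS = 2_000_000   # assumed disk size (~1 GB) for the samples
# Constructed "clean" disk: stand-in boot code, one active NTFS (0x07) partition, 1 MiB tail.
CLEAN_MBR = build_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c", [(True, 0x07, 2048, 1_995_904)])
BASELINE = parse_mbr(CLEAN_MBR)["boot_code_sha256"]   # would be recorded on a clean install
# Constructed "tampered" disk: different boot code, partition shrunk so ~48 MiB is unallocated.
TAMPERED_MBR = build_mbr(b"\xeb\x58\x90\xfa", [(True, 0x07, 2048, 1_900_000)])


def read_sector0(path: str) -> bytes:
    """Read the real MBR from a raw device (needs administrator/root)."""
    with open(path, "rb") as f:
        return f.read(SECTOR)


if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, assess(sample, DISK_SECTORS, BASELINE) or ["no findings"])
```

The baseline approach matters: a tool that only checks the 0x55AA signature and the partition table will pass an infected MBR, because a bootkit keeps both intact and replaces only the boot code. Record the boot-code hash from a fresh install (or compare it with the hash from an identical machine) and re-check it after any suspicious event; the unallocated-tail check is a heuristic and a large tail is a reason to image and inspect those sectors, not proof of infection.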

#5 wetherills

  • Topic Starter
  • Members
  • 14 posts

Posted 04 May 2011 - 06:07 PM

Log attached, thanks m0le.

Attached Files



#6 m0le

  • Malware Response Team
  • 34,527 posts
  • Location:London, UK

Posted 04 May 2011 - 06:33 PM

That log is absolutely fine. If you're not having any symptoms now then you are home free! :)

#7 m0le

  • Malware Response Team
  • 34,527 posts
  • Location:London, UK

Posted 09 May 2011 - 07:36 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



