
Infected with Rootkit from Windows Vista Repair virus

1 reply to this topic

#1 MaddScientist98

  • Members
  • 1 posts

Posted 13 July 2011 - 03:36 PM

HP Pavilion DV6500 Laptop
Vista Home Premium SP2
AMD Turion 64 X2 1.9 GHz
2.00 GB RAM
32-bit OS

This laptop has been infected with Windows Vista Repair virus and a rootkit virus at least. I believe I was able to remove the Vista Repair virus with Combofix and Malwarebytes but am pretty sure the rootkit is still buried deep. I am very computer savvy but have never had experience removing a rootkit and have always heard the best way is to reinstall the OS. I would like to try to get around that if possible. Thanks in advance for your time and help.

DDS:


.
DDS (Ver_2011-06-23.01) - NTFSx86 NETWORK
Internet Explorer: 9.0.8112.16421
Run by junior at 13:51:17 on 2011-07-13
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1982.1465 [GMT -4:00]
.
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\Explorer.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
uURLSearchHooks: URLSearchHook Class: {37d2cdbf-2af4-44aa-8113-bd0d2da3c2b8} - c:\program files\netzero\SearchEnh1.dll
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Pop-up Blocker: {52706ef7-d7a2-49ad-a615-e903858cf284} - c:\program files\netzero\qsacc\X1IEBHO.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: ZeroBar: {f0f8ecbe-d460-4b34-b007-56a92e8f84a7} - c:\program files\netzero\Toolbar.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &AIM Toolbar Search - c:\programdata\aim toolbar\ietoolbar\resources\en-us\local\search.html
IE: Display All Images with Full Quality - "c:\program files\netzero\qsacc\appres.dll/228"
IE: Display Image with Full Quality - "c:\program files\netzero\qsacc\appres.dll/227"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
Trusted Zone: netzero.com
Trusted Zone: netzero.net
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
TCP: DhcpNameServer = 10.24.128.75 10.32.128.75 10.1.128.78
TCP: Interfaces\{3C4C231C-BD71-4AC7-A165-5023550969D3} : DhcpNameServer = 10.24.128.75 10.32.128.75 10.1.128.78
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
.
============= SERVICES / DRIVERS ===============
.
S1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
S2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-9-24 21504]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-7-23 24652]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2011-4-19 54632]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-4-28 704872]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-10-24 43392]
S3 netr28u;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\drivers\netr28u.sys [2007-8-15 552448]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 54144]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2010-11-11 206360]
.
=============== File Associations ===============
.
vbefile\shell\open2\command="%SystemRoot%\System32\CScript.exe" "%1" %*
vbsfile\shell\open2\command="%SystemRoot%\System32\CScript.exe" "%1" %*
jsefile\shell\open2\command=c:\windows\system32\CScript.exe "%1" %*
.
=============== Created Last 30 ================
.
2011-07-13 15:13:31 -------- d-----w- c:\users\junior\appdata\local\temp
2011-07-13 15:13:01 -------- d-sh--w- C:\$RECYCLE.BIN
2011-07-13 15:05:28 -------- d-----w- C:\anything27911a
2011-07-13 13:30:34 -------- d--h--w- c:\windows\PIF
2011-07-13 13:18:09 -------- d-----w- C:\anything20042a
2011-07-13 13:05:19 -------- d-----w- C:\anything
2011-07-13 02:05:43 -------- d-----w- C:\ComboFix
2011-06-29 19:53:32 7074640 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{f2e8b709-6bf7-49b9-9aac-6cdf2ed1f077}\mpengine.dll
2011-06-29 14:34:32 276992 ----a-w- c:\windows\system32\schannel.dll
2011-06-19 07:03:02 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-06-19 07:03:02 141104 ----a-w- c:\program files\internet explorer\sqmapi.dll
2011-06-19 07:03:00 1797632 ----a-w- c:\windows\system32\jscript9.dll
2011-06-18 15:22:57 75264 ----a-w- c:\windows\system32\drivers\dfsc.sys
2011-06-18 15:22:54 273408 ----a-w- c:\windows\system32\drivers\afd.sys
2011-06-18 15:22:52 146432 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-06-18 15:22:52 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-06-18 15:22:49 563712 ----a-w- c:\windows\system32\oleaut32.dll
2011-06-18 15:22:45 739328 ----a-w- c:\windows\system32\inetcomm.dll
2011-06-18 15:22:40 79872 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-06-18 15:22:40 214016 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-06-18 15:22:40 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-06-15 14:43:34 -------- d-----w- c:\windows\pss
.
==================== Find3M ====================
.
2011-06-26 06:45:56 256000 ----a-w- c:\windows\PEV.exe
2011-05-29 13:11:30 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 13:11:20 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-06 18:58:00 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
2011-05-06 18:58:00 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll
2011-05-06 18:58:00 302592 ----a-w- c:\windows\system32\mfmp4src.dll
2011-05-06 18:58:00 2873344 ----a-w- c:\windows\system32\mf.dll
2011-05-06 18:58:00 261632 ----a-w- c:\windows\system32\mfreadwrite.dll
2011-04-19 14:32:24 472808 ----a-w- c:\windows\system32\deployJava1.dll
.
============= FINISH: 13:52:53.33 ===============




GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-07-13 15:00:53
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4 Hitachi_HTS541616J9SA00 rev.SB4OC7BP
Running: gmer.exe; Driver: C:\Users\junior\AppData\Local\Temp\ufdiqpod.sys


---- Kernel code sections - GMER 1.0.15 ----

? C:\Users\junior\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)

---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) [MANUAL] 983205519 <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\983205519@Start 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\983205519@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\983205519@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\983205519@DisplayName Virtual Bus for Microsoft ACPI-Compliant System
Reg HKLM\SYSTEM\ControlSet003\Services\983205519@Start 3
Reg HKLM\SYSTEM\ControlSet003\Services\983205519@Type 1
Reg HKLM\SYSTEM\ControlSet003\Services\983205519@ErrorControl 1
Reg HKLM\SYSTEM\ControlSet003\Services\983205519@DisplayName Virtual Bus for Microsoft ACPI-Compliant System

---- EOF - GMER 1.0.15 ----
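The GMER output above is what the responder reads: a service whose name is hidden from the normal service APIs, plus the raw registry values GMER recovered for it. The helper below is an added example (not from this thread, not GMER's own code) that parses those two sections into a triage record, mapping the Type and Start DWORDs to their standard Windows meanings (Type 1 is a kernel driver, Start 3 is manual/demand start) and noting which control sets carry the key and whether an ImagePath was listed. The sample text is a constructed excerpt of the log above.

```python
import re

# Constructed excerpt modelled on the GMER Services/Registry sections in this thread.
GMER_SAMPLE = """\
---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) [MANUAL] 983205519 <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\\SYSTEM\\CurrentControlSet\\Services\\983205519@Start 3
Reg HKLM\\SYSTEM\\CurrentControlSet\\Services\\983205519@Type 1
Reg HKLM\\SYSTEM\\CurrentControlSet\\Services\\983205519@ErrorControl 1
Reg HKLM\\SYSTEM\\CurrentControlSet\\Services\\983205519@DisplayName Virtual Bus for Microsoft ACPI-Compliant System
Reg HKLM\\SYSTEM\\ControlSet003\\Services\\983205519@Start 3
Reg HKLM\\SYSTEM\\ControlSet003\\Services\\983205519@Type 1
"""

# GMER line shapes: "Service (*** hidden *** ) [MANUAL] <name> ..." and "Reg <key>@<value> <data>"
HIDDEN_SVC = re.compile(r"^Service \(\*\*\* hidden \*\*\* \) \[(\w+)\] (\S+)")
REG_VALUE = re.compile(r"^Reg HK\w+\\SYSTEM\\(\w+)\\Services\\([^@\\]+)@(\w+) (.*)$")

# Standard meanings of the Type and Start DWORDs under a Services\<name> key.
SERVICE_TYPE = {"1": "kernel driver", "2": "file system driver", "16": "own process", "32": "shared process"}
START_TYPE = {"0": "boot", "1": "system", "2": "auto", "3": "manual", "4": "disabled"}

def parse_gmer(text):
    """Map service name -> {"hidden": bool, "values": {control_set: {value_name: data}}}."""
    services = {}
    for line in text.splitlines():
        m = HIDDEN_SVC.match(line)
        if m:
            services.setdefault(m.group(2), {"hidden": False, "values": {}})["hidden"] = True
            continue
        m = REG_VALUE.match(line)
        if m:
            ctlset, name, value_name, data = m.groups()
            svc = services.setdefault(name, {"hidden": False, "values": {}})
            svc["values"].setdefault(ctlset, {})[value_name] = data
    return services

def triage(services):
    """One record per hidden service, decoded so a responder can see what GMER found."""
    findings = []
    for name, svc in services.items():
        if not svc["hidden"]:
            continue
        vals = svc["values"].get("CurrentControlSet", {})
        findings.append({
            "service": name,
            "type": SERVICE_TYPE.get(vals.get("Type"), "unknown"),
            "start": START_TYPE.get(vals.get("Start"), "unknown"),
            "display_name": vals.get("DisplayName", ""),
            "image_path_listed": "ImagePath" in vals,
            "control_sets": sorted(svc["values"]),
        })
    return findings
```

Running `triage(parse_gmer(GMER_SAMPLE))` yields one record: a hidden, manually started kernel driver with a display name that imitates a Microsoft ACPI component and no ImagePath in the log, which is the combination the responder treats as a rootkit indicator.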



#2 shelf life

  • Malware Response Team
  • 2,688 posts

Posted 24 July 2011 - 08:04 AM

Hi MaddScientist98,

removing a rootkit and have always heard the best way is to reinstall the OS

Reinstall after a reformat.

My rootkit disclaimer:

You have a rootkit on your machine. They hide malicious files and components from traditional antivirus/antimalware software. Rootkits bury themselves deep in the operating system. Special software is needed to detect and remove them. Even if symptoms are gone and logs are clean, it's still not a 100% guarantee that your machine is clean once a rootkit has been detected and removed. You should consider a complete reformat/reinstall of Windows as an option.

The best source for information on how to do this would be the computer manufacturer's website.


Your post is a few days old. If you still need help, simply reply back.

How Can I Reduce My Risk to Malware?




