
rootkit zeroaccess


This topic is locked. 2 replies to this topic.

#1 jesssica

  • Members
  • 1 posts

Posted 12 March 2012 - 09:31 AM

Logs are below. Note: the infected machine has had the rootkit inserted into the TCP/IP stack, rendering the machine so it cannot access the internet.
If any other information is needed, I probably have it. I've been working on this problem for nearly 3 days now with only a little bit of progress. Progress as in the Windows Firewall service is running again (it wasn't before... ICS error) and the 'repair' feature for the network will now run (before, it wouldn't clear the NetBT due to an error). However, it's still not all good, as the machine *still* will not load a web page. It's connected to the network, sending and receiving packets, but that's about it.

Any help would be greatly appreciated!

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by office at 10:21:23 on 2012-03-12
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2013.1549 [GMT -4:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Realtek\Diagnostics Utility\8169Diag.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
.
============== Pseudo HJT Report ===============
.
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
BHO: Lexmark Printable Web: {d2c5e510-be6d-42cc-9f61-e4f939078474} - c:\program files\lexmark printable web\bho.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [8169Diag] c:\program files\realtek\diagnostics utility\8169Diag.exe /hw
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://redikersupport.webex.com/client/T26L/support/ieatgpc.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 10.0.0.1
TCP: Interfaces\{7549A17C-F3F5-484F-90C6-FEA0F135540E} : DhcpNameServer = 10.0.0.1
TCP: Interfaces\{A49D7C64-257C-4D56-BEC5-8A79ABF18FD3} : DhcpNameServer = 208.67.220.220 208.67.222.222
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Authentication Packages = msv1_0 nwprovau
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\office\application data\mozilla\firefox\profiles\2cz43ju4.default\
FF - prefs.js: browser.startup.homepage - yahoo.com
FF - plugin: c:\program files\google\update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: c:\program files\microsoft silverlight\2.0.31005.0\npctrlui.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
.
============= SERVICES / DRIVERS ===============
.
R2 LANPkt;Realtek LANPkt Protocol Driver;c:\windows\system32\drivers\LANPkt.sys [2009-3-11 8960]
R3 Diag69xp;Diag69xp;c:\windows\system32\drivers\diag69xp.sys [2009-3-11 11264]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2009-3-11 110080]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-5-16 136176]
S2 lxeb_device;lxeb_device;c:\windows\system32\lxebcoms.exe -service --> c:\windows\system32\lxebcoms.exe -service [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-5-16 136176]
S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [2009-3-11 16640]
.
=============== Created Last 30 ================
.
2012-03-12 01:15:04 52480 -c--a-w- c:\windows\system32\dllcache\i8042prt.sys
2012-03-12 01:15:04 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2012-03-12 01:15:04 162816 -c--a-w- c:\windows\system32\dllcache\netbt.sys
2012-03-12 01:15:04 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-03-12 01:15:03 138112 -c--a-w- c:\windows\system32\dllcache\afd.sys
2012-03-12 01:15:03 138112 ----a-w- c:\windows\system32\drivers\afd.sys
2012-03-11 23:27:28 98816 ----a-w- c:\windows\sed.exe
2012-03-11 23:27:28 518144 ----a-w- c:\windows\SWREG.exe
2012-03-11 23:27:28 256000 ----a-w- c:\windows\PEV.exe
2012-03-11 23:27:28 208896 ----a-w- c:\windows\MBR.exe
2012-03-11 20:49:25 53248 ----a-w- c:\windows\system32\CSVer.dll
2012-03-11 20:48:07 80416 ----a-w- c:\windows\system32\RtNicProp32.dll
2012-03-11 20:48:07 100896 ----a-w- c:\windows\system32\RTNUninst32.dll
2012-03-11 19:55:58 -------- d-----w- c:\windows\system32\appmgmt
2012-03-11 18:28:10 -------- d-----w- C:\TDSSKiller_Quarantine
2012-03-10 18:42:17 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2012-03-10 18:42:15 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2012-03-10 18:42:15 18944 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
2012-03-10 18:42:13 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe
2012-03-10 18:42:11 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe
2012-03-10 18:42:02 99865 -c--a-w- c:\windows\system32\dllcache\xlog.exe
2012-03-10 18:40:58 794399 -c--a-w- c:\windows\system32\dllcache\usr1806v.sys
2012-03-10 18:39:58 138528 -c--a-w- c:\windows\system32\dllcache\tgiulnt5.sys
2012-03-10 18:38:59 8704 -c--a-w- c:\windows\system32\dllcache\snmptrap.exe
2012-03-10 18:37:59 6912 -c--a-w- c:\windows\system32\dllcache\seaddsmc.sys
2012-03-10 18:36:59 41472 -c--a-w- c:\windows\system32\dllcache\qvusd.dll
2012-03-10 18:35:58 28032 -c--a-w- c:\windows\system32\dllcache\ovcd.sys
2012-03-10 18:34:59 229439 -c--a-w- c:\windows\system32\dllcache\multibox.dll
2012-03-10 18:33:59 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2012-03-10 18:32:58 8192 -c--a-w- c:\windows\system32\dllcache\httpmb51.dll
2012-03-10 18:31:59 7680 -c--a-w- c:\windows\system32\dllcache\ftpctrs2.dll
2012-03-10 18:30:59 8320 -c--a-w- c:\windows\system32\dllcache\dlttape.sys
2012-03-10 18:29:59 9728 -c--a-w- c:\windows\system32\dllcache\brserif.dll
2012-03-10 18:08:02 -------- d-----w- c:\windows\pss
2012-03-10 18:04:33 -------- d-----w- c:\program files\XP TCPIP Repair
2012-03-10 17:37:59 205072 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2012-03-10 16:46:14 62976 -c--a-w- c:\windows\system32\dllcache\cdrom.sys
2012-03-10 16:46:14 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2012-03-10 16:46:14 57600 -c--a-w- c:\windows\system32\dllcache\redbook.sys
2012-03-10 16:46:14 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2012-03-10 16:26:51 64512 ----a-w- c:\windows\system32\drivers\serial.sys
2012-03-10 14:26:11 -------- d-----w- c:\documents and settings\office\application data\Malwarebytes
2012-03-10 14:26:06 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-03-10 14:26:05 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-10 14:26:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-03-08 20:04:04 64512 -c--a-w- c:\windows\system32\dllcache\serial.sys
2012-03-08 19:51:48 -------- d-----w- C:\spoolerlogs
2012-03-07 20:02:47 -------- d-----w- c:\program files\AVAST Software
2012-03-07 19:56:57 -------- d-----w- c:\documents and settings\all users\application data\AVAST Software
2012-03-07 16:56:17 -------- d-----w- c:\program files\Windows Media Connect 2
2012-03-07 16:52:05 -------- d-----w- C:\f11e417dbb02f3cfb870
2012-03-07 16:51:59 -------- d-----w- c:\documents and settings\office\local settings\application data\PCHealth
2012-03-07 16:51:50 -------- d-----w- c:\windows\system32\LogFiles
2012-03-07 16:51:25 -------- d-----w- C:\f5c11577e5c7c2ee4ab9c7e6494c
2012-02-29 18:59:08 -------- d-sh--w- c:\documents and settings\office\local settings\application data\41e57ff5
2012-02-15 12:19:23 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-02-15 12:19:23 3072 ------w- c:\windows\system32\iacenc.dll
.
==================== Find3M ====================
.
2012-01-12 16:54:47 1869056 ----a-w- c:\windows\system32\win32k.sys
2011-12-17 19:46:36 916992 ----a-w- c:\windows\system32\wininet.dll
2011-12-17 19:46:36 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-12-17 19:46:36 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-12-16 12:22:58 385024 ----a-w- c:\windows\system32\html.iec
.
============= FINISH: 10:22:06.01 ===============

Edited by jesssica, 12 March 2012 - 10:30 AM.
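Added example, not part of the original post or of the DDS tool: a Python parser for the "Created Last 30" / "Find3M" entries of a DDS log such as the one above, with two review heuristics a responder applies while reading such a log (hidden+system directories under a user profile, recently changed kernel drivers). The attribute-flag positions are assumed from the entries shown above; the sample lines are copied from this log.

```python
import re
from dataclasses import dataclass

# One DDS file entry: "<date> <time> <size or dashes> <attr flags> <path>".
# Flag meaning is assumed from the entries on the page: a leading 'd' marks a
# directory, 's' the system attribute and 'h' the hidden attribute.
ENTRY_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<size>\d+|-+)\s+(?P<attrs>[-a-z]{8})\s+(?P<path>\S.*)$"
)

@dataclass
class Entry:
    date: str
    time: str
    size: int      # DDS prints dashes for directories; stored as 0
    attrs: str
    path: str

def parse_dds_entries(text: str) -> list[Entry]:
    """Extract the file entries of a DDS 'Created Last 30' / 'Find3M' section."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:  # section headers, '.' separators and prose do not match
            size = int(m["size"]) if m["size"].isdigit() else 0
            entries.append(Entry(m["date"], m["time"], size, m["attrs"], m["path"]))
    return entries

def triage(entries: list[Entry]) -> list[str]:
    """Review heuristics a responder applies while reading the log (not verdicts)."""
    findings = []
    for e in entries:
        p = e.path.lower()
        hidden_sys_dir = e.attrs.startswith("d") and "s" in e.attrs and "h" in e.attrs
        if hidden_sys_dir and "documents and settings" in p:
            findings.append(f"{e.path}: hidden+system directory inside a user profile")
        elif p.endswith(".sys") and "\\drivers\\" in p:
            findings.append(f"{e.path}: kernel driver changed on {e.date}")
    return findings

# Sample input: four lines copied from the DDS log above, plus its header line.
SAMPLE = r"""=============== Created Last 30 ================
2012-03-12 01:15:04 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-03-11 19:55:58 -------- d-----w- c:\windows\system32\appmgmt
2012-02-29 18:59:08 -------- d-sh--w- c:\documents and settings\office\local settings\application data\41e57ff5
2012-02-15 12:19:23 3072 ------w- c:\windows\system32\iacenc.dll
"""
```

Run `triage(parse_dds_entries(SAMPLE))` to get the two flagged entries; a flag only means the entry deserves a closer look, not that it is malicious.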



#2 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 12 March 2012 - 03:49 PM

Good evening. :)

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure "Include All Files" option remains checked.
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

So long, and thanks for all the fish.


#3 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 17 March 2012 - 04:13 PM

As there has been no response for five days this thread is now closed.

So long, and thanks for all the fish.
