
MBR ROOTKIT?


12 replies to this topic

#1 Hooligan_Mick

Hooligan_Mick

  • Members
  • 26 posts
  • OFFLINE
  • Local time:06:07 AM

Posted 02 May 2012 - 10:42 AM

In the process of doing a company-wide clean-up of many known Trojan infections. I am a professional and use ComboFix last, after Symantec and various other products. I have seen other posts regarding MBR, and when I found it on a fellow IT computer, I thought it best to get some advice. Below is the log.


ComboFix 12-05-02.02 - clint 05/02/2012 9:23.1.4 - x86
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.1930.1223 [GMT -6:00]
Running from: c:\users\clint\Desktop\ComboFix.exe
AV: Norton Internet Security *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton Internet Security *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton Internet Security *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Thumbs.db
.
.
((((((((((((((((((((((((( Files Created from 2012-04-02 to 2012-05-02 )))))))))))))))))))))))))))))))
.
.
2012-05-02 14:11 . 2012-05-02 15:28 -------- d-----w- c:\windows\system32\drivers\NIS\1207010.003
2012-04-27 16:44 . 2012-04-30 14:13 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2012-04-27 16:44 . 2012-04-27 16:52 -------- d-----w- c:\program files\Common Files\Symantec Shared
2012-04-17 15:07 . 2012-04-17 15:07 -------- d-----w- c:\users\clint\AppData\Local\Diagnostics
2012-04-05 13:18 . 2012-04-05 13:18 -------- d-----w- C:\Firefox
2012-04-04 13:33 . 2012-04-04 13:33 -------- d-----w- c:\program files\Common Files\Java
2012-04-04 13:32 . 2012-04-04 13:32 -------- d-----w- c:\program files\Java
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-04 13:32 . 2012-02-03 21:25 472808 ----a-w- c:\windows\system32\deployJava1.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2012-01-03 1514152]
.
[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2012-01-03 22:31 1514152 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2012-01-03 1514152]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-10-13 19550344]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-01-11 143384]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-01-11 176664]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-01-11 177176]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RtkNGUI.exe" [2011-06-14 6044264]
"IMSS"="c:\program files\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe" [2011-01-17 112152]
"PDF Complete"="c:\program files\PDF Complete\pdfsty.exe" [2010-10-22 895512]
"File Sanitizer"="c:\program files\Hewlett-Packard\File Sanitizer\CoreShredder.exe" [2011-05-09 12277248]
"MfeEpePcMonitor"="c:\program files\Hewlett-Packard\Drive Encryption\EpePcMonitor.exe" [2011-06-20 200704]
"hpsysdrv"="c:\program files\hewlett-packard\HP odometer\hpsysdrv.exe" [2008-11-20 62768]
"ApnUpdater"="c:\program files\Ask.com\Updater\Updater.exe" [2012-01-03 1391272]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DeviceNP]
2011-05-09 22:43 75320 ----a-w- c:\windows\System32\DeviceNP.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ DPPassFilter scecli
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [2011-03-02 183560]
R3 DAMDrv;DAMDrv;c:\windows\system32\DRIVERS\DAMDrv.sys [2011-05-09 51512]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-20 62464]
R3 FLCDLOCK;HP ProtectTools Device Locking / Auditing;c:\windows\system32\flcdlock.exe [2011-05-09 464440]
R3 IFCoEMP;IFCoEMP;c:\windows\system32\drivers\ifM52x32.sys [2010-08-13 264464]
R3 IFCoEVB;IFCoEVB;c:\windows\system32\drivers\ifP52X32.sys [2010-08-13 57616]
R3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [2010-02-26 132480]
R3 pmxdrv;pmxdrv;c:\windows\system32\drivers\pmxdrv.sys [2011-08-20 816792]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-12-06 1343400]
S0 MfeEpeOpal;MfeEpeOpal; [x]
S0 MfeEpePc;MfeEpePc; [x]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1207010.003\SYMDS.SYS [2011-01-27 340088]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1207010.003\SYMEFA.SYS [2011-03-15 744568]
S1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.0.0.128\Definitions\BASHDefs\20120413.001\BHDrvx86.sys [2012-04-13 821880]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.0.0.128\Definitions\IPSDefs\20120501.001\IDSvix86.sys [2012-04-28 368248]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1207010.003\Ironx86.SYS [2011-01-27 136312]
S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\NIS\1207010.003\SYMNETS.SYS [2011-04-21 299640]
S2 HP Support Assistant Service;HP Support Assistant Service;c:\program files\Hewlett-Packard\HP Support Framework\hpsa_service.exe [2011-06-21 85560]
S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-05-21 103992]
S2 HPFSService;File Sanitizer for HP ProtectTools;c:\program files\Hewlett-Packard\File Sanitizer\HPFSService.exe [2011-05-09 320512]
S2 Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service;c:\windows\system32\IProsetMonitor.exe [2010-09-22 110752]
S2 jhi_service;Intel® Identity Protection Technology Host Interface Service;c:\program files\Intel\Services\IPT\jhi_service.exe [2011-02-24 212944]
S2 McAfee Endpoint Encryption Agent;McAfee Endpoint Encryption Agent;c:\program files\Hewlett-Packard\Drive Encryption\EEAgent\MfeEpeHost.exe [2011-06-20 1318912]
S2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\18.7.1.3\ccSvcHst.exe [2011-04-17 130008]
S2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [2010-10-22 1121304]
S2 regi;regi;c:\windows\system32\drivers\regi.sys [2010-11-16 13880]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-01-17 2656280]
S2 XobniService;XobniService;c:\program files\Xobni\XobniService.exe [2011-05-02 62184]
S3 e1cexpress;Intel® PRO/1000 PCI Express Network Connection Driver C;c:\windows\system32\DRIVERS\e1c6232.sys [2010-12-21 238760]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-04-27 106104]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-10-15 269824]
S3 MEI;Intel® Management Engine Interface;c:\windows\system32\drivers\HECI.sys [2010-10-20 41088]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
GPSvcGroup REG_MULTI_SZ GPSvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-06 c:\windows\Tasks\HPCeeScheduleForCLINT-SLC120611$.job
- c:\program files\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14 05:15]
.
2012-04-30 c:\windows\Tasks\HPCeeScheduleForclint.job
- c:\program files\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14 05:15]
.
.
------- Supplementary Scan -------
.
TCP: DhcpNameServer = 205.171.3.65 205.171.2.65
TCP: Interfaces\{C0518A41-F651-485E-BDC1-CED790EB256A}: NameServer = 205.171.3.65,205.171.2.65
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-{CA43FE4F-9FF2-4AD7-88F0-CC3BAC17B226} - c:\program files\InstallShield Installation Information\{CA43FE4F-9FF2-4AD7-88F0-CC3BAC17B226}\setup.exe
.
.
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.1.7601
.
CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR
kernel: MBR read successfully
user != kernel MBR !!!
copy of MBR has been found in sector 2 !
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\18.7.1.3\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\18.7.1.3\diMaster.dll\" /prefetch:1"
--
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\pdfcDispatcher]
"ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(616)
c:\windows\system32\DPFPApi.DLL
.
- - - - - - - > 'Explorer.exe'(6044)
c:\program files\Norton Internet Security\Engine\18.7.1.3\ccL100U.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DpHostW.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\Microsoft\BingBar\SeaPort.EXE
c:\windows\system32\WUDFHost.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\windows\system32\taskhost.exe
c:\program files\Intel\Intel® Management Engine Components\LMS\LMS.exe
c:\windows\system32\sppsvc.exe
c:\windows\system32\conhost.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Intel\Intel® Management Engine Components\IMSS\PrivacyIconClient.exe
c:\windows\system32\PrintIsolationHost.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2012-05-02 09:33:11 - machine was rebooted
ComboFix-quarantined-files.txt 2012-05-02 15:33
.
Pre-Run: 459,017,764,864 bytes free
Post-Run: 458,590,445,568 bytes free
.
- - End Of File - - FDFA212B042560D1D540FBE8AD453AFD


PLEASE ADVISE!



#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,767 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:07 AM

Posted 06 May 2012 - 10:07 AM

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) to your desktop. Double click the aswMBR.exe to run it.

  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please post the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.

Note: You may be asked if you want to download Avast Free Antivirus. I suggest you deny this download unless you do not have any Antivirus protection on the computer.
===

Third-party programs, if not up to date, can be an open door for an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please post the logs for my review.

#3 Hooligan_Mick

Hooligan_Mick
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:06:07 AM

Posted 10 May 2012 - 09:24 AM

HERE ARE THE RESULTS FOR aswMBR:


aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-05-10 08:16:19
-----------------------------
08:16:19.190 OS Version: Windows 6.1.7601 Service Pack 1
08:16:19.190 Number of processors: 4 586 0x2A07
08:16:19.190 ComputerName: CLINT-SLC120611 UserName: david
08:16:24.869 Initialize success
08:16:43.117 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
08:16:43.117 Disk 0 Vendor: Size: 0MB BusType: 0
08:16:43.132 Disk 0 MBR read successfully
08:16:43.132 Disk 0 MBR scan
08:16:43.148 Disk 0 Windows 7 default MBR code
08:16:43.148 Disk 0 MBR hidden
08:16:43.148 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
08:16:43.148 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 468676 MB offset 206848
08:16:43.195 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 8162 MB offset 960055296
08:16:43.226 Disk 0 scanning C:\Windows\system32\drivers
08:16:49.747 Service scanning
08:17:05.097 Modules scanning
08:17:14.364 Disk 0 trace - called modules:
08:17:14.379 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll iaStor.sys
08:17:14.878 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8722d030]
08:17:14.878 3 CLASSPNP.SYS[833b059e] -> nt!IofCallDriver -> [0x85765908]
08:17:14.878 5 ACPI.sys[886a43d4] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x85768028]
08:17:14.894 Scan finished successfully
08:20:44.121 Disk 0 MBR has been saved successfully to "C:\Users\david\Desktop\MBR.dat"
08:20:44.137 The log file has been saved successfully to "C:\Users\david\Desktop\aswMBR.txt"


Here are the results for CHECKUP


Results of screen317's Security Check version 0.99.32
Windows 7 Service Pack 1 x86 (UAC is enabled)
Internet Explorer 9
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
Norton Internet Security
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Java™ 6 Update 31
````````````````````````````````
Process Check:
objlist.exe by Laurent

Norton ccSvcHst.exe
``````````End of Log````````````
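What the two scanner outputs above are checking, as an added example (Python written for this thread, not the code of ComboFix, Gmer or aswMBR): the Gmer block in post #1 compares the MBR as read through the user-mode file API with the copy read at kernel level, and reports a relocated original in sector 2; the aswMBR block in post #3 parses the partition table out of the same 512-byte sector. The layout below is constructed to match the aswMBR log (three NTFS partitions at offsets 2048, 206848 and 960055296); the boot-code bytes and the small disk image are placeholders, and `demo()` is a name chosen here.

```python
"""Added example: MBR structure checks modelled on the Gmer and aswMBR output
in this thread. All sample data is constructed; nothing here is the tools' code."""
import struct
from dataclasses import dataclass
from typing import List

SECTOR = 512
BOOT_CODE_LEN = 446          # bytes 0..445 hold the bootstrap code
TABLE_OFF = 446              # four 16-byte partition entries follow
SIG_OFF = 510                # 0x55 0xAA boot signature closes the sector


@dataclass
class Partition:
    bootable: bool           # status byte 0x80 = active, as "80 (A)" in the aswMBR log
    type_id: int             # 0x07 = HPFS/NTFS
    lba_start: int           # first sector ("offset" in the aswMBR log)
    sector_count: int

    @property
    def size_mb(self) -> int:
        return self.sector_count * SECTOR // (1024 * 1024)


def parse_mbr(mbr: bytes) -> List[Partition]:
    """Return the non-empty partition entries; raise on a malformed sector."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly one 512-byte sector")
    if mbr[SIG_OFF:SIG_OFF + 2] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        entry = mbr[TABLE_OFF + 16 * i:TABLE_OFF + 16 * (i + 1)]
        status, _chs_first, ptype, _chs_last, lba, count = struct.unpack("<B3sB3sII", entry)
        if ptype == 0:
            continue         # empty slot
        parts.append(Partition(status == 0x80, ptype, lba, count))
    return parts


def build_mbr(boot_code: bytes, parts: List[Partition]) -> bytes:
    """Assemble a 512-byte MBR from bootstrap bytes and up to four entries (test-data builder)."""
    if len(boot_code) > BOOT_CODE_LEN or len(parts) > 4:
        raise ValueError("boot code too long or too many partitions")
    table = b"".join(
        struct.pack("<B3sB3sII", 0x80 if p.bootable else 0x00, b"\0\0\0",
                    p.type_id, b"\0\0\0", p.lba_start, p.sector_count)
        for p in parts
    ).ljust(64, b"\0")
    return boot_code.ljust(BOOT_CODE_LEN, b"\0") + table + b"\x55\xaa"


def compare_views(user_view: bytes, kernel_view: bytes) -> List[str]:
    """Gmer-style check ("user != kernel MBR"): the sector read via the Win32 file API
    and the sector read at the disk-driver level must be identical. Returns the
    regions that differ; an empty list means the two views agree."""
    regions = [("boot code", 0, BOOT_CODE_LEN),
               ("partition table", TABLE_OFF, SIG_OFF),
               ("signature", SIG_OFF, SECTOR)]
    return [name for name, lo, hi in regions if user_view[lo:hi] != kernel_view[lo:hi]]


def find_mbr_copies(disk: bytes, reference_mbr: bytes) -> List[int]:
    """Gmer-style check ("copy of MBR has been found in sector N"): list every sector
    other than 0 whose content equals the reference MBR, which is how a displaced
    original MBR shows up when sector 0 has been replaced."""
    return [n for n in range(1, len(disk) // SECTOR)
            if disk[n * SECTOR:(n + 1) * SECTOR] == reference_mbr]


# Constructed layout matching the aswMBR log above (sizes given in MB there, 2048 sectors per MB).
LAYOUT = [
    Partition(True, 0x07, 2048, 100 * 2048),          # 100 MB system partition
    Partition(False, 0x07, 206848, 468676 * 2048),    # 468676 MB Windows partition
    Partition(False, 0x07, 960055296, 8162 * 2048),   # 8162 MB recovery partition
]


def demo() -> dict:
    clean_mbr = build_mbr(b"CONSTRUCTED BOOT CODE A", LAYOUT)   # placeholder bootstrap bytes
    # Healthy disk: the user-mode and kernel-mode reads return the same sector.
    healthy = compare_views(clean_mbr, clean_mbr)
    # Constructed 8-sector image: sector 0 carries different boot code, the original
    # MBR sits in sector 2, everything else is zero.
    image = (build_mbr(b"CONSTRUCTED BOOT CODE B", LAYOUT)
             + b"\0" * SECTOR + clean_mbr + b"\0" * SECTOR * 5)
    return {
        "partitions": parse_mbr(clean_mbr),
        "healthy_diff": healthy,
        "tampered_diff": compare_views(clean_mbr, image[:SECTOR]),
        "copies": find_mbr_copies(image, clean_mbr),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The partition table survives unchanged in the constructed tampered sector, which is why only the boot-code region is reported; this mirrors the thread, where aswMBR still lists the three partitions normally while the Gmer comparison flags the mismatch and the copy in sector 2.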

#4 nasdaq

nasdaq

  • Malware Response Team
  • 38,767 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:07 AM

Posted 10 May 2012 - 09:55 AM

The logs are clean.

Any issues pending?

#5 Hooligan_Mick

Hooligan_Mick
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:06:07 AM

Posted 10 May 2012 - 10:22 AM

ComboFix still shows root kit detected in MBR. Identical to the first log posted.

#6 nasdaq

nasdaq

  • Malware Response Team
  • 38,767 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:07 AM

Posted 10 May 2012 - 10:30 AM

Run aswMBR and tell me what options are available to you.

Fix or FixMBR

#7 Hooligan_Mick

Hooligan_Mick
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:06:07 AM

Posted 10 May 2012 - 10:37 AM

Fix MBR

#8 nasdaq

nasdaq

  • Malware Response Team
  • 38,767 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:07 AM

Posted 10 May 2012 - 10:58 AM

In my first instruction to run aswMBR I requested that you post the MBR.DAT file.

There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.

Please post it. It's a backup of your MBR. We will have a copy on our system should anything go wrong.

When posted you can run the aswMbr tool and press the FixMBR button.

Run the aswMBR normally and post a new log for my review.

#9 Hooligan_Mick

Hooligan_Mick
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:06:07 AM

Posted 10 May 2012 - 11:16 AM

I apologize for misreading the instructions. This is one of the admin machines so I won't be able to run the FixMBR until tomorrow but I am attaching the MBR.dat zipped.

#10 nasdaq

nasdaq

  • Malware Response Team
  • 38,767 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:07 AM

Posted 10 May 2012 - 01:12 PM

You did well. I did not ask you to run the fix in my first message. I just wanted to know if one of the options was available.

I do not see the MBR.dat file as an attachment.


#11 Hooligan_Mick

Hooligan_Mick
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:06:07 AM

Posted 10 May 2012 - 01:34 PM

My apologies. Second try.

Attached Files

  • Attached File  mbr.zip   570bytes   1 downloads


#12 nasdaq

nasdaq

  • Malware Response Team
  • 38,767 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:07 AM

Posted 16 May 2012 - 08:03 AM

Are you still with me?

#13 Hooligan_Mick

Hooligan_Mick
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:06:07 AM

Posted 16 May 2012 - 08:53 AM

Yes, I'm so sorry for the delay. It is hard to steal this admin's computer away. I will run Fix MBR shortly and advise.



