Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Kernel Rootkit Suspicious File On WinXP SP2


  • This topic is locked This topic is locked
2 replies to this topic

#1 Metasploit

Metasploit

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:08:41 AM

Posted 16 September 2012 - 11:06 AM

Hi I am New User in this forum ,and Want To Share a Problem that I found with my WinXP SP2 OS that I suspicious had some kernel rootkit file but because I am not expert so I try to find the answer through this great forum:)
test The suspicious start when I check the verify signature with autorun from microsoft there had several system32/driver/ file that not verified but it said from adobe and microsoft ,this sign is one of the malware habits on OS so I share with the log file that I scan with dds and gmer in this post to share some experience and find the result for this issue,the file that i suspicious is termsrv.dll , tcpip.sys , mswsock.dll and a couple other file that look like from adobe but not verified when I test with autorun verify signature
DDS Report
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.2180
Run by Digitallabs at 23:03:36 on 2012-09-16
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.455 [GMT 8:00]
.
AV: COMODO Antivirus *Disabled/Updated* {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
FW: COMODO Firewall *Disabled*
.
============== Running Processes ===============
.
D:\Program Files\Common Files\Comodo\launcher_service.exe
D:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
D:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
D:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\Comodo\tvnserver.exe
D:\Program Files\AVG Secure Search\vprot.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\WINDOWS\system32\hkcmd.exe
D:\WINDOWS\system32\igfxpers.exe
D:\Program Files\Synaptics\SynTP\SynTPEnh.exe
D:\Program Files\McAfee Security Scan\3.0.207\SSScheduler.exe
D:\Program Files\Nitro PDF\Professional 7\NitroPDFDriverService2.exe
D:\WINDOWS\system32\tcpsvcs.exe
D:\Program Files\Common Files\Comodo\tvnserver.exe
D:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\12.2.0\ToolbarUpdater.exe
D:\Program Files\COMODO\GeekBuddy\unit_manager.exe
D:\Program Files\OpenOffice.org 3\program\soffice.exe
D:\Program Files\OpenOffice.org 3\program\soffice.bin
D:\Program Files\COMODO\GeekBuddy\unit.exe
D:\WINDOWS\explorer.exe
D:\WINDOWS\system32\notepad.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Mozilla Firefox\plugin-container.exe
D:\Program Files\COMODO\COMODO Internet Security\cfp.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = https://isearch.avg.com/?cid={89623353-19CC-4B25-8D7C-9C6E34ECF3DF}&mid=bbc98c0ccffe4110977e25226ee229db-b2959be072fd9dad2dde575d4c92ca7b7668c711&lang=en&ds=hk011&pr=sa&d=2012-08-31%2018:28:12&v=12.2.0.5&sap=hp
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - d:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - d:\program files\avg secure search\12.2.0.5\AVG Secure Search_toolbar.dll
TB: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - d:\program files\avg secure search\12.2.0.5\AVG Secure Search_toolbar.dll
mRun: [COMODO Internet Security] "d:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [tvncontrol] "d:\program files\common files\comodo\tvnserver.exe" -controlservice -slave
mRun: [vProt] "d:\program files\avg secure search\vprot.exe"
mRun: [ROC_roc_ssl_v12] "d:\program files\avg secure search\ROC_roc_ssl_v12.exe" / /PROMPT /CMPID=roc_ssl_v12
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [IgfxTray] d:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] d:\windows\system32\hkcmd.exe
mRun: [Persistence] d:\windows\system32\igfxpers.exe
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
StartupFolder: d:\docume~1\digita~1\startm~1\programs\startup\openof~1.lnk - d:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - d:\program files\mcafee security scan\3.0.207\SSScheduler.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\startg~1.lnk - d:\program files\comodo\geekbuddy\launcher.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - d:\program files\winzip\WZQKPICK32.EXE
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - d:\program files\messenger\msmsgs.exe
TCP: Interfaces\{C0DE5832-91CA-4203-93DA-800FE34EC986} : DhcpNameServer = 192.168.1.1 192.168.1.1
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - d:\program files\common files\avg secure search\viprotocolinstaller\12.2.0\ViProtocol.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: d:\windows\system32\guard32.dll
SecurityProviders: msapsspc.dll, digest.dll, msnsspc.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - d:\documents and settings\digitallabs\application data\mozilla\firefox\profiles\4oyld4q3.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxps://isearch.avg.com?cid=%7Bfd94d9d7-afbc-4bad-9e21-3e77435f0f08%7D&mid=bbc98c0ccffe4110977e25226ee229db-b2959be072fd9dad2dde575d4c92ca7b7668c711&ds=hk011&v=12.2.0.5&lang=en&pr=sa&d=2012-08-31%2018%3A28%3A12&sap=hp
FF - prefs.js: keyword.URL - hxxps://isearch.avg.com/search?cid={89623353-19CC-4B25-8D7C-9C6E34ECF3DF}&mid=bbc98c0ccffe4110977e25226ee229db-b2959be072fd9dad2dde575d4c92ca7b7668c711&lang=en&ds=hk011&pr=sa&d=2012-08-31 18:28:12&v=12.2.0.5&sap=ku&q=
FF - plugin: d:\program files\common files\avg secure search\sitesafetyinstaller\12.2.0\npsitesafety.dll
FF - plugin: d:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: d:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: d:\program files\nitro pdf\professional 7\npdf.dll
FF - plugin: d:\program files\nitro pdf\professional 7\npnitroie.dll
FF - plugin: d:\program files\nitro pdf\professional 7\npnitromozilla.dll
FF - plugin: d:\program files\nitro pdf\professional 7\NPShellExtension.dll
FF - plugin: d:\windows\system32\macromed\flash\NPSWF32_11_4_402_265.dll
.
============= SERVICES / DRIVERS ===============
.
R1 avgtp;avgtp;d:\windows\system32\drivers\avgtpx86.sys [2012-8-31 27496]
R1 CFRMD;CFRMD;d:\windows\system32\drivers\CFRMD.sys [2012-8-3 36112]
R1 cmderd;COMODO Internet Security Eradication Driver;d:\windows\system32\drivers\cmderd.sys [2012-3-11 18056]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;d:\windows\system32\drivers\cmdGuard.sys [2012-3-11 494968]
R1 cmdHlp;COMODO Internet Security Helper Driver;d:\windows\system32\drivers\cmdhlp.sys [2012-3-11 31704]
R2 CLPSLauncher;COMODO LPS Launcher;d:\program files\common files\comodo\launcher_service.exe [2012-8-23 70352]
R2 cmdAgent;COMODO Internet Security Helper Service;d:\program files\comodo\comodo internet security\cmdagent.exe [2012-3-11 1983232]
R2 Iprip;RIP Listener;d:\windows\system32\svchost.exe -k netsvcs [2004-9-1 14336]
R2 NitroDriverReadSpool2;NitroPDFDriverCreatorReadSpool2;d:\program files\nitro pdf\professional 7\NitroPDFDriverService2.exe [2012-8-28 184840]
R2 tvnserver;TightVNC Server;d:\program files\common files\comodo\tvnserver.exe [2012-1-27 828944]
R2 vToolbarUpdater12.2.0;vToolbarUpdater12.2.0;d:\program files\common files\avg secure search\vtoolbarupdater\12.2.0\ToolbarUpdater.exe [2012-8-31 927840]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;d:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;d:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-8-26 250568]
S3 McComponentHostService;McAfee Security Scan Component Host Service;d:\program files\mcafee security scan\3.0.207\McCHSvc.exe [2011-6-18 237008]
S3 MozillaMaintenance;Mozilla Maintenance Service;d:\program files\mozilla maintenance service\maintenanceservice.exe [2012-8-26 113120]
S3 USB_BusEnum_H;EVDO Telecom USB Bus Enumerator h;d:\windows\system32\drivers\usb_busenum_h.sys --> d:\windows\system32\drivers\USB_BusEnum_H.sys [?]
S3 USB_ETS_H;EVDO Rev A Service USB port h;d:\windows\system32\drivers\usb_ets_h.sys --> d:\windows\system32\drivers\USB_ETS_H.sys [?]
S3 USB_WinMux_H;EVDO Telecom USB MUX Serial Port h;d:\windows\system32\drivers\usb_winmux_h.sys --> d:\windows\system32\drivers\USB_WinMux_H.sys [?]
S3 UsbModemDriver;EVDO Rev A USB Modem h;d:\windows\system32\drivers\usb_modem_h.sys --> d:\windows\system32\drivers\USB_MODEM_H.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;d:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 nlsX86cc;Nalpeiron Licensing Service;d:\windows\system32\NLSSRV32.EXE [2012-8-28 69640]
.
=============== Created Last 30 ================
.
2012-09-16 13:43:53 98816 ----a-w- d:\windows\sed.exe
2012-09-16 13:43:53 518144 ----a-w- d:\windows\SWREG.exe
2012-09-16 13:43:53 256000 ----a-w- d:\windows\PEV.exe
2012-09-16 13:43:53 208896 ----a-w- d:\windows\MBR.exe
2012-09-16 07:01:45 -------- d-----w- d:\documents and settings\digitallabs\local settings\application data\Help
2012-09-09 13:25:40 -------- d-----w- d:\documents and settings\digitallabs\application data\TechSmith
2012-09-09 13:24:59 -------- d-----w- d:\documents and settings\digitallabs\local settings\application data\TechSmith
2012-09-09 13:10:56 -------- d-----w- d:\program files\common files\TechSmith Shared
2012-09-02 04:36:14 27144 ----a-w- d:\windows\system32\nitrolocalmon2.dll
2012-09-02 04:36:14 18440 ----a-w- d:\windows\system32\nitrolocalui2.dll
2012-09-02 04:35:19 -------- d-----w- d:\program files\common files\Nitro PDF
2012-09-02 04:33:45 -------- d-----w- d:\documents and settings\digitallabs\application data\Downloaded Installations
2012-09-02 03:44:56 -------- d-----w- d:\program files\Mobipocket.com
2012-09-02 03:44:56 -------- d-----w- d:\program files\common files\Mobipocket Shared
2012-09-02 01:21:48 -------- d-----w- d:\documents and settings\digitallabs\application data\PrimoPDF
2012-09-02 01:19:19 180624 ----a-w- d:\windows\system32\Primomonnt.dll
2012-09-02 01:19:09 -------- d-----w- d:\program files\Nitro PDF
2012-09-01 14:28:15 -------- d-----w- d:\documents and settings\digitallabs\application data\UBot Studio
2012-08-31 11:30:44 -------- d-----w- d:\documents and settings\digitallabs\application data\WinZip
2012-08-31 10:29:23 -------- d-----w- d:\documents and settings\digitallabs\local settings\application data\WinZip
2012-08-31 10:28:46 -------- d-----w- d:\documents and settings\all users\AVG Secure Search
2012-08-31 10:28:44 -------- d-----w- d:\documents and settings\digitallabs\local settings\application data\AVG Secure Search
2012-08-31 10:28:38 -------- d-----w- d:\documents and settings\all users\application data\AVG Secure Search
2012-08-31 10:28:13 -------- d-----w- d:\documents and settings\digitallabs\application data\AVG Secure Search
2012-08-31 10:28:06 27496 ----a-w- d:\windows\system32\drivers\avgtpx86.sys
2012-08-31 10:27:57 -------- d-----w- d:\program files\common files\AVG Secure Search
2012-08-31 10:27:53 -------- d-----w- d:\program files\AVG Secure Search
2012-08-29 16:10:18 -------- d-----w- d:\documents and settings\all users\application data\McAfee Security Scan
2012-08-29 16:09:59 -------- d-----w- d:\program files\McAfee Security Scan
2012-08-29 14:20:33 -------- d-----w- d:\program files\common files\Comodo
2012-08-28 10:44:06 69640 ----a-w- d:\windows\system32\NLSSRV32.EXE
2012-08-27 10:27:24 73728 ----a-w- d:\windows\system32\RtNicProp32.dll
2012-08-27 10:27:24 130432 ----a-w- d:\windows\system32\drivers\Rtnicxp.sys
2012-08-27 10:21:54 557056 ----a-w- d:\windows\system32\Netw2c32.dll
2012-08-27 10:21:54 2732032 ----a-w- d:\windows\system32\Netw2r32.dll
2012-08-27 10:21:54 2216064 ----a-w- d:\windows\system32\drivers\w29n51.sys
2012-08-27 10:21:19 -------- d-----w- d:\windows\system32\ReinstallBackups
2012-08-27 10:21:17 6400 ----a-w- d:\windows\system32\drivers\splitter.sys
2012-08-27 10:21:12 52864 ----a-w- d:\windows\system32\drivers\DMusic.sys
2012-08-27 10:20:43 4096 ----a-w- d:\windows\system32\ksuser.dll
2012-08-27 10:20:41 130048 ----a-w- d:\windows\system32\ksproxy.ax
2012-08-27 10:20:09 577536 ----a-w- d:\windows\SOUNDMAN.EXE
2012-08-27 10:20:09 147456 ----a-w- d:\windows\system32\RTLCPAPI.dll
2012-08-27 10:20:07 4122368 ----a-w- d:\windows\system32\drivers\ALCXWDM.SYS
2012-08-27 10:20:07 217088 ----a-w- d:\windows\Alcrmv.exe
2012-08-27 10:20:07 18804736 ----a-w- d:\windows\system32\ALSNDMGR.CPL
2012-08-27 10:20:07 10528768 ----a-w- d:\windows\system32\RTLCPL.EXE
2012-08-26 22:29:21 -------- d-----w- D:\VritualRoot
2012-08-26 22:25:01 -------- d-----w- d:\documents and settings\all users\application data\CPA_VA
2012-08-26 22:23:10 1474832 ----a-w- d:\windows\system32\drivers\sfi.dat
2012-08-26 22:13:32 -------- d-----w- d:\program files\COMODO
2012-08-26 22:13:31 1060864 ----a-w- d:\windows\system32\mfc71.dll
2012-08-26 22:13:30 348160 ----a-w- d:\windows\system32\msvcr71.dll
2012-08-26 15:16:57 73416 ----a-w- d:\windows\system32\FlashPlayerCPLApp.cpl
2012-08-26 15:16:57 696520 ----a-w- d:\windows\system32\FlashPlayerApp.exe
2012-08-26 12:40:56 -------- d-----w- d:\documents and settings\digitallabs\application data\EVDO_Haier
2012-08-26 12:36:16 -------- d-----w- d:\windows\pss
2012-08-26 12:27:20 -------- d-----w- d:\documents and settings\all users\application data\Comodo
2012-08-26 12:24:12 -------- d-----w- d:\documents and settings\digitallabs\local settings\application data\Mozilla
.
==================== Find3M ====================
.
2012-08-03 02:23:28 36112 ----a-w- d:\windows\system32\drivers\CFRMD.sys
2012-08-03 02:23:28 36112 ----a-w- d:\windows\inf\lps-ca\cfrmd.sys
.
============= FINISH: 23:04:20.74 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,967 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:41 AM

Posted 19 September 2012 - 10:26 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Your DDS log is clean.

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Close any open browsers, and all other programs working. Make sure you save your file if working on a document.
  • Do not install any other programs until this if fixed.[/b]
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some Rookit infection may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
===

Third party programs if not up to date can be the cause of infiltration an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please download AdwCleaner by Xplode onto your Desktop.

  • Please close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with OK.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile in your reply.
  • You can find the logfile at C:\AdwCleaner[Sn].txt as well - n is the order number.
===

Please post the logs and let me know if the problem persists.

#3 nasdaq

nasdaq

  • Malware Response Team
  • 39,967 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:41 AM

Posted 25 September 2012 - 09:34 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users