
Possibly rootkit infection - deep hidden


  • This topic is locked
9 replies to this topic

#1 t4bzz

t4bzz

  • Members
  • 8 posts
  • OFFLINE
  • Local time:01:44 PM

Posted 24 September 2012 - 03:07 PM

Here's my original topic, and here are the logs of:

DDS
.
DDS (Ver_2011-08-26.01) - NTFSx86 
Internet Explorer: 8.0.6001.18702
Run by T4bzZ at 20:25:51 on 2012-09-24
Microsoft Windows XP Professional  5.1.2600.3.1250.48.1045.18.2047.1432 [GMT 2:00]
.
AV: AVG Anti-Virus Free Edition 2013 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Immunet 3.0 *Enabled/Updated* {F1220F1F-7E2E-48CD-846D-B98C6F85CD37}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG2013\avgrsx.exe
C:\Program Files\AVG\AVG2013\avgcsrvx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG2013\avgidsagent.exe
C:\Program Files\AVG\AVG2013\avgwdsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Secunia\PSI\sua.exe
C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\12.2.6\ToolbarUpdater.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AVG\AVG2013\avgnsx.exe
C:\Program Files\AVG\AVG2013\avgemcx.exe
F:\PROGRAMY\Logitech SetPoint\SetPointP\SetPoint.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\AVG\AVG2013\avgui.exe
C:\Program Files\AVG Secure Search\vprot.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Documents and Settings\T4bzZ\Local Settings\Apps\F.lux\flux.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Documents and Settings\T4bzZ\Dane aplikacji\Dropbox\bin\Dropbox.exe
.
============== Pseudo HJT Report ===============
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = 46.4.126.109:3128
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\12.2.5.34\AVG Secure Search_toolbar.dll
TB: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\12.2.5.34\AVG Secure Search_toolbar.dll
{e7df6bff-55a5-4eb7-a673-4ed3e9456d39}
uRun: [F.lux] "c:\documents and settings\t4bzz\local settings\apps\f.lux\flux.exe" /noshow
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [<NO NAME>] 
mRun: [EvtMgr6] f:\programy\logitech setpoint\setpointp\SetPoint.exe /launchGaming
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [AVG_UI] "c:\program files\avg\avg2013\avgui.exe" /TRAYONLY
mRun: [vProt] "c:\program files\avg secure search\vprot.exe"
mRun: [ROC_ROC_NT] "c:\program files\avg secure search\ROC_ROC_NT.exe" / /PROMPT /CMPID=ROC_NT
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\t4bzz\menust~1\programy\autost~1\dropbox.lnk - c:\documents and settings\t4bzz\dane aplikacji\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\alluse~1\menust~1\programy\autost~1\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
uPolicies-explorer: NoPublishingWizard = 1 (0x1)
uPolicies-explorer: NoWebServices = 1 (0x1)
uPolicies-explorer: NoOnlinePrintsWizard = 1 (0x1)
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
uPolicies-explorer: NoAutoUpdate = 1 (0x1)
IE: Download all links by FlashGet3 - f:\programy\flashget 3\bho\fdgetallurl.htm
IE: Download by FlashGet3 - f:\programy\flashget 3\bho\fdgeturl.htm
IE: E&ksportuj do programu Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1340315307125
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1340315299968
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
TCP: DhcpNameServer = 89.231.1.206 217.172.224.160
TCP: Interfaces\{DBD4A23F-A249-4ECF-9BE0-6EB67D64EBBE} : NameServer = 8.26.56.26,156.154.70.22
TCP: Interfaces\{DBD4A23F-A249-4ECF-9BE0-6EB67D64EBBE} : DhcpNameServer = 89.231.1.206 217.172.224.160
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\12.2.6\ViProtocol.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
AppInit_DLLs:      
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\t4bzz\dane aplikacji\mozilla\firefox\profiles\dbnmg6pd.default\
FF - prefs.js: keyword.URL - hxxps://isearch.avg.com/search?cid=%7B356ef775-07b6-4d1c-9ec9-5e33893e4b1c%7D&mid=21cdd29428ea47d09fb2d1530b8df0c9-7013a10460e7a8493b5d4368629841d68bc3a41e&ds=AVG&v=12.2.5.34&lang=pl&pr=fr&d=2012-09-15%2017%3A43%3A36&sap=ku&q=
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\t4bzz\ustawienia lokalne\dane aplikacji\google\update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: c:\program files\common files\avg secure search\sitesafetyinstaller\12.2.6\npsitesafety.dll
FF - plugin: c:\program files\google\update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: c:\program files\nokia\nokia suite\npNokiaSuiteEnabler.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_4_402_265.dll
FF - plugin: f:\programy\adobe reader x\reader\air\nppdf32.dll
FF - plugin: f:\programy\adobe reader x\reader\browser\nppdf32.dll
FF - plugin: f:\programy\mozilla firefox\plugins\npVividasPlayer.dll
FF - plugin: f:\programy\vlc\npvlc.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2012-8-9 51936]
R0 Avglogx;AVG Logging Driver;c:\windows\system32\drivers\avglogx.sys [2012-8-9 178656]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2012-8-10 35168]
R1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [2012-8-13 176096]
R1 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [2012-8-10 19808]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2012-8-9 151648]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2012-8-10 89440]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2012-8-10 164704]
R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [2012-9-15 27496]
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [2012-1-8 187736]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [2012-1-7 94040]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2013\avgidsagent.exe [2012-8-20 5751928]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2013\avgwdsvc.exe [2012-8-20 184304]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\secunia\psi\sua.exe [2012-7-25 681056]
R2 vToolbarUpdater12.2.6;vToolbarUpdater12.2.6;c:\program files\common files\avg secure search\vtoolbarupdater\12.2.6\ToolbarUpdater.exe [2012-9-15 722528]
R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [2011-12-19 104280]
R3 VBoxNetFlt;VirtualBox Bridged Networking Service;c:\windows\system32\drivers\VBoxNetFlt.sys [2012-9-13 115544]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2011-11-24 1691480]
S3 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2012-7-25 1326176]
.
=============== Created Last 30 ================
.
2012-09-20 17:38:46	--------	d-----w-	c:\documents and settings\t4bzz\ustawienia lokalne\dane aplikacji\Help
2012-09-19 11:07:08	--------	d-----w-	c:\program files\Oracle
2012-09-15 15:45:29	--------	d-----w-	c:\documents and settings\t4bzz\dane aplikacji\AVG2013
2012-09-15 15:43:48	--------	d-----w-	c:\documents and settings\t4bzz\ustawienia lokalne\dane aplikacji\AVG Secure Search
2012-09-15 15:43:48	--------	d-----w-	c:\documents and settings\t4bzz\dane aplikacji\TuneUp Software
2012-09-15 15:43:44	--------	d-----w-	c:\documents and settings\all users\dane aplikacji\AVG Secure Search
2012-09-15 15:43:37	--------	d-----w-	c:\documents and settings\t4bzz\dane aplikacji\AVG Secure Search
2012-09-15 15:43:35	27496	----a-w-	c:\windows\system32\drivers\avgtpx86.sys
2012-09-15 15:43:33	--------	d-----w-	c:\program files\common files\AVG Secure Search
2012-09-15 15:43:32	--------	d-----w-	c:\program files\AVG Secure Search
2012-09-15 15:42:18	--------	d-----w-	c:\documents and settings\all users\dane aplikacji\AVG2013
2012-09-15 15:42:18	--------	d-----w-	C:\$AVG
2012-09-15 15:41:53	--------	d-----w-	c:\program files\AVG
2012-09-15 15:41:11	--------	d-----w-	c:\documents and settings\t4bzz\ustawienia lokalne\dane aplikacji\MFAData
2012-09-15 15:41:11	--------	d-----w-	c:\documents and settings\t4bzz\ustawienia lokalne\dane aplikacji\Avg2013
2012-09-15 09:37:39	0	----atw-	c:\windows\004202_.tmp
2012-09-14 21:54:43	9728	------w-	c:\windows\system32\rwnh.dll
2012-09-14 21:54:43	10752	------w-	c:\windows\system32\smtpapi.dll
2012-09-14 11:23:51	41224	----a-w-	c:\windows\avastSS.scr
2012-09-14 11:23:34	--------	d-----w-	c:\program files\AVAST Software
2012-09-14 11:23:34	--------	d-----w-	c:\documents and settings\all users\dane aplikacji\AVAST Software
2012-09-13 06:30:08	115544	----a-w-	c:\windows\system32\drivers\VBoxNetFlt.sys
2012-09-13 06:30:06	174424	----a-w-	c:\windows\system32\VBoxNetFltNobj.dll
2012-09-12 13:10:01	--------	d-----w-	c:\documents and settings\t4bzz\dane aplikacji\Dev-Cpp
2012-09-12 12:04:16	--------	d-----w-	c:\documents and settings\t4bzz\dane aplikacji\codeblocks
2012-09-09 16:56:07	--------	d-----w-	c:\documents and settings\t4bzz\ustawienia lokalne\dane aplikacji\Thunderbird
2012-09-05 10:20:16	640000	----a-w-	c:\windows\system32\drivers\i386\DBGHELP.DLL
2012-09-05 10:20:15	847872	----a-w-	c:\windows\system32\drivers\i386\DBGENG.DLL
2012-09-05 10:20:10	60416	----a-w-	c:\windows\system32\drivers\i386\CABINET.DLL
2012-09-05 10:20:09	4952	----a-w-	c:\windows\system32\drivers\i386\BOOTFONT.BIN
2012-09-05 10:20:09	1024	----a-w-	c:\windows\system32\drivers\i386\BOOTFIX.BIN
2012-09-05 10:20:08	602112	----a-w-	c:\windows\system32\drivers\i386\AUTOFMT.EXE
2012-09-05 10:20:07	610304	----a-w-	c:\windows\system32\drivers\i386\AUTOCHK.EXE
2012-09-05 10:20:01	--------	d-----w-	c:\windows\system32\drivers\I386
2012-09-05 10:03:10	--------	d-----w-	c:\windows\setup.pss
2012-09-04 21:36:42	--------	d-----w-	c:\documents and settings\all users\dane aplikacji\AVG2012
2012-09-04 21:31:56	--------	d-----w-	c:\documents and settings\all users\dane aplikacji\MFAData
2012-09-04 21:31:56	--------	d-----w-	c:\documents and settings\all users\dane aplikacji\Common Files
2012-09-04 21:11:51	--------	d-----w-	c:\documents and settings\all users\dane aplikacji\Panda Security
2012-09-03 14:39:30	--------	d-----w-	c:\program files\VideoLAN
2012-09-03 14:35:23	--------	d-----w-	c:\program files\Wireshark
2012-09-03 14:30:42	--------	d-----w-	c:\program files\MySQL
2012-09-03 14:30:38	--------	d-----w-	c:\documents and settings\all users\dane aplikacji\MySQL
2012-09-03 11:17:14	--------	d-----w-	c:\documents and settings\t4bzz\ustawienia lokalne\dane aplikacji\Secunia PSI
2012-09-03 11:16:54	--------	d-----w-	c:\program files\Secunia
2012-09-01 11:35:15	883008	----a-w-	c:\windows\system32\nvgenco32.dll
2012-09-01 11:35:15	1000768	----a-w-	c:\windows\system32\nvdispco32.dll
2012-08-28 17:51:18	304712	----a-w-	c:\windows\system32\drivers\Trufos.sys
2012-08-28 16:59:44	--------	d-----w-	c:\documents and settings\t4bzz\ustawienia lokalne\dane aplikacji\NokiaAccount
2012-08-28 16:50:35	--------	d-----w-	c:\program files\common files\Nokia
2012-08-28 16:44:40	19072	----a-w-	c:\windows\system32\drivers\pccsmcfd.sys
2012-08-28 16:44:28	--------	d-----w-	c:\program files\PC Connectivity Solution
2012-08-28 16:44:01	8192	----a-w-	c:\windows\system32\drivers\usbser_lowerfltj.sys
2012-08-28 16:44:00	8192	----a-w-	c:\windows\system32\drivers\usbser_lowerflt.sys
2012-08-28 16:43:58	23168	----a-w-	c:\windows\system32\drivers\ccdcmbo.sys
2012-08-28 16:43:57	18176	----a-w-	c:\windows\system32\drivers\ccdcmb.sys
2012-08-28 16:43:57	1461992	----a-w-	c:\windows\system32\wdfcoinstaller01009.dll
2012-08-28 16:35:25	5632	----a-w-	c:\windows\system32\ptpusb.dll
2012-08-28 16:35:24	159232	----a-w-	c:\windows\system32\ptpusd.dll
2012-08-28 16:35:23	15104	-c--a-w-	c:\windows\system32\dllcache\usbscan.sys
2012-08-28 16:35:23	15104	----a-w-	c:\windows\system32\drivers\usbscan.sys
.
==================== Find3M  ====================
.
2012-09-17 16:58:56	51936	----a-w-	c:\windows\system32\drivers\avgidshx.sys
2012-09-15 09:37:38	0	----atw-	c:\windows\system32\spdwnwxp.exe
2012-09-14 21:51:28	1074876	----a-w-	c:\windows\system32\nvdrsdb0.bin
2012-09-14 21:51:28	1	----a-w-	c:\windows\system32\nvdrssel.bin
2012-09-14 21:51:26	1074876	----a-w-	c:\windows\system32\nvdrsdb1.bin
2012-09-13 06:30:56	187736	----a-w-	c:\windows\system32\drivers\VBoxDrv.sys
2012-09-13 06:30:22	104280	----a-w-	c:\windows\system32\drivers\VBoxNetAdp.sys
2012-09-13 06:30:08	94040	----a-w-	c:\windows\system32\drivers\VBoxUSBMon.sys
2012-09-12 09:47:22	164704	----a-w-	c:\windows\system32\drivers\avgtdix.sys
2012-09-12 09:47:04	151648	----a-w-	c:\windows\system32\drivers\avgldx86.sys
2012-09-07 15:04:46	22856	----a-w-	c:\windows\system32\drivers\mbam.sys
2012-09-03 11:22:13	696520	----a-w-	c:\windows\system32\FlashPlayerApp.exe
2012-09-03 11:22:11	73416	----a-w-	c:\windows\system32\FlashPlayerCPLApp.cpl
2012-08-28 15:18:53	916992	----a-w-	c:\windows\system32\wininet.dll
2012-08-28 15:18:44	43520	------w-	c:\windows\system32\licmgr10.dll
2012-08-28 15:18:44	1469440	------w-	c:\windows\system32\inetcpl.cpl
2012-08-28 12:07:32	385024	------w-	c:\windows\system32\html.iec
2012-08-13 14:40:54	176096	----a-w-	c:\windows\system32\drivers\avgidsdriverx.sys
2012-08-10 02:52:28	19808	----a-w-	c:\windows\system32\drivers\avgidsshimx.sys
2012-08-10 02:52:18	35168	----a-w-	c:\windows\system32\drivers\avgrkx86.sys
2012-08-09 11:56:44	178656	----a-w-	c:\windows\system32\drivers\avglogx.sys
2012-08-02 14:14:20	58273	----a-w-	c:\windows\cscmondump.bin
2012-07-16 19:54:31	76696	----a-w-	c:\windows\system32\drivers\pxrts.sys
2012-07-16 19:54:31	32008	----a-w-	c:\windows\system32\drivers\pxscan.sys
2012-07-16 19:54:30	26096	----a-w-	c:\windows\system32\drivers\pxkbf.sys
2012-07-06 13:58:56	78336	----a-w-	c:\windows\system32\browser.dll
2012-07-05 10:43:08	14664	----a-w-	c:\windows\stinger.sys
2012-07-05 10:42:43	159608	----a-w-	c:\windows\system32\mfevtps.exe.bd3a.deleteme
2012-07-04 14:05:19	139784	----a-w-	c:\windows\system32\drivers\rdpwd.sys
2012-07-03 18:22:38	1866368	----a-w-	c:\windows\system32\win32k.sys
2012-06-27 12:09:08	35672	----a-w-	c:\windows\system32\drivers\klim5.sys
.
============= FINISH: 20:27:02,68 ===============

and GMER
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-09-24 21:53:37
Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 SAMSUNG_HD321KJ rev.CP100-10
Running: ix7krsgb.exe; Driver: C:\DOCUME~1\T4bzZ\USTAWI~1\Temp\ugrdrpob.sys


---- System - GMER 1.0.15 ----

SSDT            \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. )  ZwNotifyChangeKey [0xB487E118]
SSDT            \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. )  ZwNotifyChangeMultipleKeys [0xB487E1E8]
SSDT            \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. )  ZwOpenProcess [0xB487DD4A]
SSDT            \??\C:\WINDOWS\system32\drivers\avgtpx86.sys (AVG Technologies)                                                              ZwQueryValueKey [0xB8711258]
SSDT            \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. )  ZwSuspendProcess [0xB487DF38]
SSDT            \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. )  ZwSuspendThread [0xB487DFCE]
SSDT            \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. )  ZwTerminateProcess [0xB487DE00]
SSDT            \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. )  ZwTerminateThread [0xB487DE9C]
SSDT            \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. )  ZwWriteVirtualMemory [0xB487E06A]

---- Kernel code sections - GMER 1.0.15 ----

.text           C:\WINDOWS\system32\DRIVERS\nv4_mini.sys                                                                                     section is writeable [0xB72FA3C0, 0x9B091A, 0xE8000020]
?               C:\DOCUME~1\T4bzZ\USTAWI~1\Temp\mbr.sys                                                                                      Nie można odnaleźć określonego pliku. !

---- User code sections - GMER 1.0.15 ----

.text           F:\PROGRAMY\Mozilla Firefox\firefox.exe[2212] ntdll.dll!LdrLoadDll                                                           7C91632D 5 Bytes  JMP 01210C00 F:\PROGRAMY\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text           F:\PROGRAMY\Mozilla Firefox\firefox.exe[2212] kernel32.dll!lstrlenW + 43                                                     7C809AEC 7 Bytes  JMP 01447B4C F:\PROGRAMY\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text           F:\PROGRAMY\Mozilla Firefox\firefox.exe[2212] kernel32.dll!MapViewOfFileEx + 6A                                              7C80B9A0 7 Bytes  JMP 01447B29 F:\PROGRAMY\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text           F:\PROGRAMY\Mozilla Firefox\firefox.exe[2212] kernel32.dll!ValidateLocale + B130                                             7C844958 7 Bytes  JMP 01213FAC F:\PROGRAMY\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text           F:\PROGRAMY\Mozilla Firefox\firefox.exe[2212] USER32.dll!GetWindowInfo                                                       7E37C49C 5 Bytes  JMP 0136B77F F:\PROGRAMY\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text           F:\PROGRAMY\Mozilla Firefox\firefox.exe[2212] GDI32.dll!SetDIBitsToDevice + 20A                                              77F19E14 7 Bytes  JMP 01447AAA F:\PROGRAMY\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- Devices - GMER 1.0.15 ----

AttachedDevice  \Driver\Tcpip \Device\Ip                                                                                                     avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice  \Driver\Tcpip \Device\Tcp                                                                                                    avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice  \Driver\Tcpip \Device\Udp                                                                                                    avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice  \Driver\Tcpip \Device\RawIp                                                                                                  avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice  \FileSystem\Fastfat \Fat                                                                                                     fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

and I attached the second log from the DDS scan.

I've been suspecting (for almost 3 months) that I could have a hardware rootkit which has hidden itself well.
Earlier, I made a BIOS ROM dump, scanned it with a few AVs and uploaded it to VirusTotal, which also didn't find anything.
Now I must find a way to make a dump of the HDD and graphics card firmware, under Windows or Linux, to scan them for malware.

Attached Files
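The DDS "Pseudo HJT Report" above is the part of the log a helper reads first, because it lists the settings malware most often changes (proxy, Winlogon, Run keys, DNS, AppInit_DLLs). As an added example, not part of the original post and not code from the DDS tool, here is a small triage script that reads lines in that format and reports the entries a helper would ask the poster to confirm. The sample lines are copied from the log above; the review rules themselves are this example's own assumptions and produce "confirm this" items, not malware verdicts.

```python
"""Triage of a DDS 'Pseudo HJT Report' for entries worth a second look.

Added example, not part of the original post and not DDS code. The sample
lines are copied from the DDS log in the post above (proxy, DNS, Run and
Winlogon entries); the review rules are this example's own assumptions.
"""
import re

# Default Userinit value on 32-bit Windows XP; anything appended to it is a
# classic persistence location, so any deviation is reported for review.
USERINIT_DEFAULT = r"c:\windows\system32\userinit.exe"

# Constructed sample: lines in the format DDS prints, taken from the log above.
SAMPLE_DDS = r"""
uInternet Settings,ProxyServer = 46.4.126.109:3128
mWinlogon: Userinit=c:\windows\system32\userinit.exe
uRun: [F.lux] "c:\documents and settings\t4bzz\local settings\apps\f.lux\flux.exe" /noshow
uRun: [<NO NAME>]
mRun: [AVG_UI] "c:\program files\avg\avg2013\avgui.exe" /TRAYONLY
TCP: DhcpNameServer = 89.231.1.206 217.172.224.160
TCP: Interfaces\{DBD4A23F-A249-4ECF-9BE0-6EB67D64EBBE} : NameServer = 8.26.56.26,156.154.70.22
AppInit_DLLs:
"""


def triage_dds(text):
    """Return a list of (category, detail) findings for one DDS report.

    Nothing here is a malware verdict: each finding is a setting that a
    helper would normally ask the user to confirm as intentional.
    """
    findings = []
    dhcp_dns, static_dns = set(), set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        # u/m/d prefix = current-user / machine / default-user hive.
        m = re.match(r"[umd]Internet Settings,ProxyServer\s*=\s*(\S+)", line)
        if m:
            findings.append(("proxy", f"proxy server configured: {m.group(1)}"))
            continue
        m = re.match(r"[umd]Winlogon:\s*Userinit=(.*)", line)
        if m:
            value = m.group(1).strip().rstrip(",").lower()
            if value != USERINIT_DEFAULT:
                findings.append(("userinit", f"non-default Userinit: {value}"))
            continue
        m = re.match(r"[umd]Run:\s*\[(.*?)\]\s*(.*)", line)
        if m:
            name, command = m.group(1), m.group(2).strip()
            if name == "<NO NAME>" or not command:
                findings.append(("autorun", f"Run entry without a name or command: {line}"))
            continue
        m = re.match(r"TCP:.*?(Dhcp)?NameServer\s*=\s*(.*)", line)
        if m:
            servers = set(re.split(r"[\s,]+", m.group(2).strip()))
            (dhcp_dns if m.group(1) else static_dns).update(servers)
            continue
        m = re.match(r"AppInit_DLLs:\s*(.*)", line)
        if m and m.group(1).strip():
            findings.append(("appinit", f"AppInit_DLLs is populated: {m.group(1).strip()}"))
    # A static resolver that is not the DHCP-assigned one may be a deliberate
    # choice (public DNS) or a silent redirection; either way, confirm it.
    extra = static_dns - dhcp_dns
    if extra:
        findings.append(("dns", f"static DNS differs from DHCP-assigned: {sorted(extra)}"))
    return findings


if __name__ == "__main__":
    for category, detail in triage_dds(SAMPLE_DDS):
        print(f"[{category}] {detail}")
```

On the sample above this reports the user-level proxy server, the `uRun: [<NO NAME>]` entry and the static DNS servers that differ from the DHCP-assigned ones; all three are things to confirm with the machine's owner before deciding anything, since a proxy and custom DNS are equally often set on purpose.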



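The GMER section of the post lists SSDT hooks, and the usual question when reading it is whether every hook belongs to a product the user knowingly installed (here all of them point at AVG drivers with a vendor string). As an added example, not part of the original post and not GMER code, the script below parses SSDT lines in GMER's format, groups the hooked services by owning module, and lists hooks whose module has no version information or an unexpected vendor. Three sample lines are taken from the log above with the column padding condensed; the fourth is constructed to show what an unattributed hook looks like, and the vendor allowlist is this example's own assumption.

```python
"""Attribute GMER SSDT hooks to the module that installed them.

Added example, not part of the original post and not GMER code. Three sample
lines are taken from the GMER log above with the column padding condensed;
the fourth line is constructed to show an unattributed hook. The vendor
allowlist is this example's own assumption.
"""
import re
from collections import defaultdict

SSDT_RE = re.compile(
    r"^SSDT\s+"
    r"(?P<module>.+?\.(?:sys|dll|exe))\s+"      # kernel module that owns the hook
    r"(?:\((?P<desc>[^)]*)\)\s+)?"               # optional 'description/vendor'
    r"(?P<func>\w+)\s+"                          # hooked system service
    r"\[(?P<addr>0x[0-9A-Fa-f]+)\]"              # address the table entry now holds
)

# Assumption: vendors of products the user knowingly installed (AVG here).
KNOWN_SECURITY_VENDORS = ("AVG Technologies",)

# Sample lines: first three from the log above, last one constructed.
SAMPLE_GMER = r"""
SSDT  \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. )  ZwNotifyChangeKey [0xB487E118]
SSDT  \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. )  ZwOpenProcess [0xB487DD4A]
SSDT  \??\C:\WINDOWS\system32\drivers\avgtpx86.sys (AVG Technologies)  ZwQueryValueKey [0xB8711258]
SSDT  \??\C:\WINDOWS\system32\drivers\example_unsigned.sys  ZwCreateFile [0xB8000000]
"""


def parse_ssdt_hooks(text):
    """Return one dict per SSDT line: module, vendor (or None), func, addr."""
    hooks = []
    for line in text.splitlines():
        m = SSDT_RE.match(line.strip())
        if not m:
            continue
        desc = m.group("desc")
        # GMER prints 'file description/company'; keep the company part.
        vendor = desc.rsplit("/", 1)[-1].strip() if desc else None
        hooks.append({
            "module": m.group("module"),
            "vendor": vendor,
            "func": m.group("func"),
            "addr": int(m.group("addr"), 16),
        })
    return hooks


def hooks_by_module(hooks):
    """Group hooked service names by the file name of the owning module."""
    grouped = defaultdict(list)
    for h in hooks:
        grouped[h["module"].rsplit("\\", 1)[-1].lower()].append(h["func"])
    return dict(grouped)


def unattributed_hooks(hooks, vendors=KNOWN_SECURITY_VENDORS):
    """Hooks whose module carries no version info or an unexpected vendor."""
    return [
        h for h in hooks
        if h["vendor"] is None or not any(h["vendor"].startswith(v) for v in vendors)
    ]


if __name__ == "__main__":
    hooks = parse_ssdt_hooks(SAMPLE_GMER)
    for module, funcs in hooks_by_module(hooks).items():
        print(f"{module}: {', '.join(funcs)}")
    for h in unattributed_hooks(hooks):
        print(f"review: {h['func']} hooked by {h['module']} (no known vendor)")
```

A vendor string in GMER's output comes from the file's version resource, which is informational rather than proof of origin; the grouping is a way to see at a glance which product accounts for which hooks, and the unattributed list is where a helper would start checking file hashes and signatures.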


#2 thisisu

thisisu

  • Malware Response Team
  • 2,525 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:05:44 AM

Posted 28 September 2012 - 05:07 PM

Hello t4bzz :)

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Important!! When you save the mbam-setup file, rename it to something random (such as 123abc.exe) before beginning the download.
Malwarebytes may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet and double-click on the renamed file to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you cannot update Malwarebytes or use the Internet to download any files to the infected computer, manually update the database by following the instructions in FAQ Section A: 4. Issues.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When the scan is complete, click OK, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes when done.
Note: If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.

-- Some types of malware will target Malwarebytes and other security tools to keep them from running properly. If that's the case, use Malwarebytes Chameleon and follow the onscreen instructions. The Chameleon folder can be accessed by opening the program folder for Malwarebytes Anti-Malware (normally C:\Program Files\Malwarebytes' Anti-Malware or C:\Program Files (x86)\Malwarebytes' Anti-Malware).

__

Please download OTL.

  • Save it to your desktop.
  • Double click the OTL icon on your desktop.
  • Check the "Scan All Users" checkbox.
  • Check the "Standard Output".
  • Change the setting of "Drivers" and "Services" to "All"
  • Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
    activex
    netsvcs
    /md5start
    ugrdrpob.sys
    /md5stop
    %windir%\system32\drivers\*.sys /lockedfiles
    
  • Now click the Run Scan button.
  • Two reports will be created:
    • OTL.txt <-- Will be opened
    • Extras.txt <-- Will be minimized
  • Paste the contents of OTL.txt here for me to review but attach Extras.txt
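The `/md5start ... /md5stop` block in the OTL script above prints the MD5 of a named file (here the GMER driver), and `/lockedfiles` lists drivers the tool could not open; both are ways of checking whether what is on disk is what you expect. As an added example, not code from the original post or from OTL, the script below applies the same idea to a whole driver directory: hash every `*.sys` file, keep the result as a baseline, and later report which drivers appeared, disappeared or changed. The demo runs against a temporary directory of constructed files; SHA-256 is the default here, with MD5 available only because that is what OTL prints.

```python
"""Hash a driver directory and diff it against an earlier baseline.

Added example, not code from the original post or from OTL. OTL's
'/md5start ... /md5stop' block prints the MD5 of named files; this does the
same for every *.sys in a directory and reports what changed since a saved
snapshot. The demo builds a temporary directory with constructed files.
"""
import hashlib
import io
import tempfile
from pathlib import Path


def hash_stream(stream, algo="sha256"):
    """Hash a binary stream in chunks so large drivers are not read whole."""
    h = hashlib.new(algo)
    for chunk in iter(lambda: stream.read(1 << 16), b""):
        h.update(chunk)
    return h.hexdigest()


def hash_bytes(data, algo="sha256"):
    """Convenience wrapper for in-memory data (used for known test vectors)."""
    return hash_stream(io.BytesIO(data), algo)


def hash_file(path, algo="sha256"):
    with open(path, "rb") as f:
        return hash_stream(f, algo)


def hash_drivers(directory, pattern="*.sys", algo="sha256"):
    """Map lower-cased file name -> digest for every driver in a directory."""
    return {
        p.name.lower(): hash_file(p, algo)
        for p in Path(directory).glob(pattern)
        if p.is_file()
    }


def compare_to_baseline(current, baseline):
    """Report drivers that appeared, disappeared or changed since the baseline."""
    cur, base = set(current), set(baseline)
    return {
        "new": sorted(cur - base),
        "missing": sorted(base - cur),
        "changed": sorted(n for n in cur & base if current[n] != baseline[n]),
    }


def demo():
    """Snapshot a constructed driver folder, alter it, and diff the two."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "alpha.sys").write_bytes(b"constructed driver alpha v1")
        (root / "beta.sys").write_bytes(b"constructed driver beta v1")
        baseline = hash_drivers(root)
        (root / "beta.sys").write_bytes(b"constructed driver beta v2")  # modified in place
        (root / "gamma.sys").write_bytes(b"constructed driver gamma")   # newly added
        (root / "alpha.sys").unlink()                                   # removed
        return compare_to_baseline(hash_drivers(root), baseline)


if __name__ == "__main__":
    print(demo())
```

The caveat a helper keeps in mind: a baseline is only as trustworthy as the moment it was taken, and on a live system a kernel-mode rootkit can lie to user-mode file reads, which is why tools like OTL also report locked files and GMER looks at the kernel directly instead of trusting the file system view.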


#3 t4bzz

t4bzz
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:01:44 PM

Posted 29 September 2012 - 11:28 AM

MBAM found nothing.

Here's the OTL.txt content, but I didn't get the Extras.txt log though.

"Pulpit" means desktop.

#4 thisisu

thisisu

  • Malware Response Team
  • 2,525 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:05:44 AM

Posted 29 September 2012 - 11:35 PM

Fix items using OTL

  • Double-click OTL.exe to run.
  • Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
  • Download the following file to your desktop:
  • Then drag OTLfix.txt into the Custom Scans/Fixes text-field.
  • You should see a bunch of text transferred over into the text-field.
  • Now click the Run Fix button.
  • The fix will need a reboot. Please allow the computer to boot into Normal Mode.
  • Click the OK button (upon reboot).
  • When OTL is finished, Notepad will open. Close Notepad.
  • A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
  • Attach this log to your next message.

__

Please download RogueKiller to your desktop.
  • Now rename RogueKiller.exe to winlogon.exe
  • Double-click winlogon.exe to run. Right-click winlogon.exe and select "Run as administrator"
  • When it opens, press the Scan button
  • When the scan is finished, press the Delete button.
  • Attach the latest numbered RKreport.txt from your desktop to your next post.

__

Let me know what problems remain after you have completed these steps.

#5 t4bzz

t4bzz
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:01:44 PM

Posted 30 September 2012 - 06:05 AM

No problems yet.

Attached Files



#6 thisisu

thisisu

  • Malware Response Team
  • 2,525 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:05:44 AM

Posted 30 September 2012 - 11:55 AM

These latest logs look good.

No problems yet.

Test out the computer for a bit to make sure you aren't experiencing any problems.
Report back to me when you are ready; whether you still have problems or if all problems have been resolved and you are ready for final cleanup steps.

#7 t4bzz

t4bzz
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:01:44 PM

Posted 30 September 2012 - 12:06 PM

I'm ready.

#8 thisisu

thisisu

  • Malware Response Team
  • 2,525 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:05:44 AM

Posted 30 September 2012 - 12:07 PM

If you are not experiencing any other malware related issues, it is time to do our final steps:

  • Any programs we had you download and/or install can be removed at this time.
  • If we had you download and run ComboFix, here is how to uninstall it:
    • Press and hold the Windows key and then press the letter R on your keyboard.
    • This opens the Run dialog box.
    • Copy and paste the below text inside the text-field:
    • "%userprofile%\desktop\ComboFix" /uninstall
    • Now press ENTER
    • ComboFix will extract its files one last time and you should receive a notification that ComboFix has been uninstalled shortly after.
  • You can re-enable your Disk Emulation software at this time via DeFogger.
  • If we had you create or download a registry patch or "fix" script, these can be deleted at this time.
  • You can delete the C:\JRT folder at this time.
  • Please run OTL.
    • Click the Clean Up button.
    • Follow the prompts.
    • This will remove OTL, and will require a reboot.

Remove the old restore points and create a new restore point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Setting a new restore point AFTER cleaning your system will enable your computer to "roll-back" to a clean working state if needed.
  • Go to Start => Right-click "Computer" and select "Properties".
  • In the left pane select "System Protection".
  • Press "Configure".
  • Select "Delete". Then press "Continue", close, and "OK".
  • Select your drive (drive C) and press "Create".
  • Fill in a name for the restore point and press "Create".
  • When finished, press "Close".
Recommendation:
  • I recommend installing this small application for safe surfing: Javacools© SpywareBlaster
  • SpywareBlaster will add a large list of programs and sites into your Internet Explorer and Firefox settings and that will protect you from running and downloading known malicious programs.
  • Download and install it.
  • Update it manually by clicking on Updates in the left pane and then Check for Updates.
  • Then enable all the protections by clicking on Protection Status on the left pane. Then click on Enable All Protection.
  • The free version doesn't have an automatic update. Update it once every two or three weeks and enable all protection again.
Be safe :)

#9 t4bzz

t4bzz
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:01:44 PM

Posted 30 September 2012 - 12:21 PM

Thanks.

#10 thisisu

thisisu

  • Malware Response Team
  • 2,525 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:05:44 AM

Posted 30 September 2012 - 01:03 PM

You're welcome :)

__

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a Private Message and I will reopen it for you.

If you should have a new issue, please start a new topic.

Everyone else should start a new topic.



