
Cause for alarm?


7 replies to this topic

#1 Anyhoozle


Posted 19 December 2012 - 09:19 AM

Ok, so I'm using one of my older machines while I prepare to clean up my infected main PC. It turns out that my older machine had some infections on it as well. I was running XP SP3 with all the latest updates. I ran just about every scanner/cleaner known to man and got it cleaned as best as I could. Just to be on the safe side, I did a one pass zero write to the entire drive. After partitioning and formatting, I did a clean install from my XP SP2 disc. I haven't updated anything yet other than Internet Explorer until I get some clarification on a few issues. I'm only using this computer to visit this site. Anyway, after the clean install I ran a few tools. Pretty much everything comes back clean except I get a ZeroAccess detection from McAfee RootKit Remover:

Malware Found --> ZeroAccess trojan detected!!!

--> Registry key: HKEY_CLASSES_ROOT\CLSID\{f3130cdb-aa52-4c3a-ab32-85ffc23af9c1}\InprocServer32 ( fixed )

--> Malicious file: C:\WINDOWS\system32\wbem\wbemess.dll ( will be deleted after restart )

--> Registry key: HKEY_CLASSES_ROOT\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32 ( fixed )

--> Malicious file: C:\WINDOWS\system32\wbem\fastprox.dll ( will be deleted after restart )

ZeroAccess trojan was cleaned successfully!

Before McAfee deleted the files, I copied them and uploaded them to VirusTotal. They come back clean! Is this a false positive or something I should be worried about? I do know that when this machine was initially infected one of the scanners I used reported a Sirefef detection. I figured that wiping the drive would have taken care of anything hidden. I noticed that after McAfee performs its cleaning, the WMI interface loses functionality and I have to do a rebuild. One more thing of note. Kaspersky Virus Removal Tool reports some interesting things that I'm not sure how to interpret:

Suspicious objects

C:\WINDOWS\system32\DRIVERS\7080732drv.sys - Suspicion for Rootkit Kernel-mode hook
\SystemRoot\system32\DRIVERS\7080732drv.sys - Suspicion for Rootkit Kernel-mode hook

--------------------------------------------------------------------------------

Main script of analysis
Windows version: Microsoft Windows XP, Build=2600, SP="Service Pack 2"
System Restore: enabled
1.1 Searching for user-mode API hooks
Analysis: kernel32.dll, export table found in section .text
IAT modification detected: CreateProcessA - 00B80010<>7C802367
IAT modification detected: GetModuleFileNameA - 00B80080<>7C80B357
IAT modification detected: FreeLibrary - 00B800F0<>7C80AA66
IAT modification detected: GetModuleFileNameW - 00B80160<>7C80B25D
IAT modification detected: CreateProcessW - 00B801D0<>7C802332
IAT modification detected: LoadLibraryW - 00B802B0<>7C80ACD3
IAT modification detected: LoadLibraryA - 00B80320<>7C801D77
IAT modification detected: GetProcAddress - 00B80390<>7C80AC28
Analysis: ntdll.dll, export table found in section .text
Analysis: user32.dll, export table found in section .text
Analysis: advapi32.dll, export table found in section .text
Analysis: ws2_32.dll, export table found in section .text
Analysis: wininet.dll, export table found in section .text
Analysis: rasapi32.dll, export table found in section .text
Analysis: urlmon.dll, export table found in section .text
Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
Driver loaded successfully
SDT found (RVA=082B80)
Kernel ntoskrnl.exe found in memory at address 804D7000
SDT = 80559B80
KiST = 804E2D20 (284)
Function NtAdjustPrivilegesToken (0B) intercepted (80598539->F6BBB690), hook C:\WINDOWS\system32\DRIVERS\7080732drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtClose (19) intercepted (805675D9->F6BBBF94), hook C:\WINDOWS\system32\DRIVERS\7080732drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtConnectPort (1F) intercepted (80598C34->F6BBCDC8), hook C:\WINDOWS\system32\DRIVERS\7080732drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateEvent (23) intercepted (8056B553->F6BBD312), hook C:\WINDOWS\system32\DRIVERS\7080732drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateFile (25) intercepted (8057164C->F6BBC270), hook C:\WINDOWS\system32\DRIVERS\7080732drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateKey (29) intercepted (8056F063->F6BBA500), hook C:\WINDOWS\system32\DRIVERS\7080732drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateMutant (2B) intercepted (80578E73->F6BBD1F8), hook C:\WINDOWS\system32\DRIVERS\7080732drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateNamedPipeFile (2C) intercepted (80580F0D->F6BBB27E), hook C:\WINDOWS\system32\DRIVERS\7080732drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreatePort (2E) intercepted (80592699->F6BBD0CC), hook C:\WINDOWS\system32\DRIVERS\7080732drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateSection (32) intercepted (80564B1B->F6BBB426), hook C:\WINDOWS\system32\DRIVERS\7080732drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateSemaphore (33) intercepted (805750D8->F6BBD432), hook C:\WINDOWS\system32\DRIVERS\7080732drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateThread (35) intercepted (8057F262->F6BBBC1C), hook C:\WINDOWS\system32\DRIVERS\7080732drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateWaitablePort (38) intercepted (805A4F96->F6BBD162), hook C:\WINDOWS\system32\DRIVERS\7080732drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtDebugActiveProcess (39) intercepted (8065960C->F6BBEB1A), hook C:\WINDOWS\system32\DRIVERS\7080732drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtDeleteKey (3F) intercepted (8059D6BD->F6BBAB0A), hook C:\WINDOWS\system32\DRIVERS\7080732drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtDeleteValueKey (41) intercepted (80597430->F6BBAEBE), hook C:\WINDOWS\system32\DRIVERS\7080732drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtDeviceIoControlFile (42) intercepted (8057FBD0->F6BBC6F2), hook C:\WINDOWS\system32\DRIVERS\7080732drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtDuplicateObject (44) intercepted (805743BE->F6BBFD26), hook C:\WINDOWS\system32\DRIVERS\7080732drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtEnumerateKey (47) intercepted (8056F76A->F6BBB00A), hook C:\WINDOWS\system32\DRIVERS\7080732drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtEnumerateValueKey (49) intercepted (805801FE->F6BBB0A2), hook C:\WINDOWS\system32\DRIVERS\7080732drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtFsControlFile (54) intercepted (8057DA0D->F6BBC500), hook C:\WINDOWS\system32\DRIVERS\7080732drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtLoadDriver (61) intercepted (805A6B26->F6BBEC0C), hook C:\WINDOWS\system32\DRIVERS\7080732drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtLoadKey (62) intercepted (805B0F28->F6BBA4DC), hook C:\WINDOWS\system32\DRIVERS\7080732drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtLoadKey2 (63) intercepted (805B0D76->F6BBA4EE), hook C:\WINDOWS\system32\DRIVERS\7080732drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtMapViewOfSection (6C) intercepted (80573C04->F6BBF374), hook C:\WINDOWS\system32\DRIVERS\7080732drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtNotifyChangeKey (6F) intercepted (805829DD->F6BBB1CE), hook C:\WINDOWS\system32\DRIVERS\7080732drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenEvent (72) intercepted (80580306->F6BBD3A8), hook C:\WINDOWS\system32\DRIVERS\7080732drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenFile (74) intercepted (805715E7->F6BBC016), hook C:\WINDOWS\system32\DRIVERS\7080732drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenKey (77) intercepted (805684D5->F6BBA6C0), hook C:\WINDOWS\system32\DRIVERS\7080732drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenMutant (78) intercepted (80578F21->F6BBD288), hook C:\WINDOWS\system32\DRIVERS\7080732drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenProcess (7A) intercepted (8057459E->F6BBB8CC), hook C:\WINDOWS\system32\DRIVERS\7080732drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenSection (7D) intercepted (805766CC->F6BBF10E), hook C:\WINDOWS\system32\DRIVERS\7080732drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenSemaphore (7E) intercepted (805A3C97->F6BBD4C8), hook C:\WINDOWS\system32\DRIVERS\7080732drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenThread (80) intercepted (80597C0A->F6BBB7BE), hook C:\WINDOWS\system32\DRIVERS\7080732drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtQueryKey (A0) intercepted (8056F473->F6BBB13A), hook C:\WINDOWS\system32\DRIVERS\7080732drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtQueryMultipleValueKey (A1) intercepted (8064CF58->F6BBAD72), hook C:\WINDOWS\system32\DRIVERS\7080732drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtQuerySection (A7) intercepted (8057B825->F6BBF6AE), hook C:\WINDOWS\system32\DRIVERS\7080732drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtQueryValueKey (B1) intercepted (8056B9A8->F6BBA99C), hook C:\WINDOWS\system32\DRIVERS\7080732drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtQueueApcThread (B4) intercepted (80580A00->F6BBEFA0), hook C:\WINDOWS\system32\DRIVERS\7080732drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtRenameKey (C0) intercepted (8064D39F->F6BBAC2C), hook C:\WINDOWS\system32\DRIVERS\7080732drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtReplaceKey (C1) intercepted (8064D892->F6BB9F16), hook C:\WINDOWS\system32\DRIVERS\7080732drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtReplyPort (C2) intercepted (8057D0F1->F6BBD82C), hook C:\WINDOWS\system32\DRIVERS\7080732drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtReplyWaitReceivePort (C3) intercepted (8056A6FD->F6BBD6F2), hook C:\WINDOWS\system32\DRIVERS\7080732drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtRequestWaitReplyPort (C8) intercepted (8057860F->F6BBE8B4), hook C:\WINDOWS\system32\DRIVERS\7080732drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtRestoreKey (CC) intercepted (8064C3B0->F6BBA28E), hook C:\WINDOWS\system32\DRIVERS\7080732drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtResumeThread (CE) intercepted (8057F8D5->F6BBFBC8), hook C:\WINDOWS\system32\DRIVERS\7080732drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSaveKey (CF) intercepted (8064C457->F6BB9EAE), hook C:\WINDOWS\system32\DRIVERS\7080732drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSecureConnectPort (D2) intercepted (80585D7D->F6BBCB0E), hook C:\WINDOWS\system32\DRIVERS\7080732drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSetContextThread (D5) intercepted (8062C85B->F6BBBE38), hook C:\WINDOWS\system32\DRIVERS\7080732drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSetInformationToken (E6) intercepted (805AA8A1->F6BBE154), hook C:\WINDOWS\system32\DRIVERS\7080732drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSetSecurityObject (ED) intercepted (8059DB78->F6BBEDAA), hook C:\WINDOWS\system32\DRIVERS\7080732drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSetSystemInformation (F0) intercepted (805A5110->F6BBF7FE), hook C:\WINDOWS\system32\DRIVERS\7080732drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSetValueKey (F7) intercepted (80575527->F6BBA816), hook C:\WINDOWS\system32\DRIVERS\7080732drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSuspendProcess (FD) intercepted (8062E431->F6BBF8F0), hook C:\WINDOWS\system32\DRIVERS\7080732drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSuspendThread (FE) intercepted (805DC61B->F6BBFA2A), hook C:\WINDOWS\system32\DRIVERS\7080732drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSystemDebugControl (FF) intercepted (8064872D->F6BBEA3E), hook C:\WINDOWS\system32\DRIVERS\7080732drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtTerminateProcess (101) intercepted (8058AE1E->F6BBBA68), hook C:\WINDOWS\system32\DRIVERS\7080732drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtTerminateThread (102) intercepted (8057E97C->F6BBB9C8), hook C:\WINDOWS\system32\DRIVERS\7080732drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtUnmapViewOfSection (10B) intercepted (80573789->F6BBF552), hook C:\WINDOWS\system32\DRIVERS\7080732drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtWriteVirtualMemory (115) intercepted (8057C123->F6BBBB52), hook C:\WINDOWS\system32\DRIVERS\7080732drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function FsRtlCheckLockForReadAccess (804FDAF1) - machine code modification Method of JmpTo. jmp F6BADFD0 \SystemRoot\system32\DRIVERS\7080732drv.sys, driver recognized as trusted
>>> Function restored successfully !
Function IoIsOperationSynchronous (804E8EBA) - machine code modification Method of JmpTo. jmp F6BAE3AC \SystemRoot\system32\DRIVERS\7080732drv.sys, driver recognized as trusted
>>> Function restored successfully !
Functions checked: 284, intercepted: 60, restored: 62
1.3 Checking IDT and SYSENTER
Analysis for CPU 1
CmpCallCallBacks = 00139933
Disable callback OK
Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
Checking not performed: extended monitoring driver (AVZPM) is not installed
1.5 Checking of IRP handlers
Driver loaded successfully
Checking - complete
>> Services: potentially dangerous service allowed: TermService (Terminal Services)
>> Services: potentially dangerous service allowed: SSDPSRV (SSDP Discovery Service)
>> Services: potentially dangerous service allowed: Schedule (Task Scheduler)
>> Services: potentially dangerous service allowed: mnmsrvc (NetMeeting Remote Desktop Sharing)
>> Services: potentially dangerous service allowed: RDSessMgr (Remote Desktop Help Session Manager)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Security: sending Remote Assistant queries is enabled
>> Disable HDD autorun
>> Disable autorun from network drives
>> Disable CD/DVD autorun
>> Disable removable media autorun
>> Windows Explorer - show extensions of known file types
System Analysis in progress
System Analysis - complete

Is this also any cause for alarm or is it just the Kaspersky driver doing its checks and catching itself? Remember, this is on a fresh install. Any clarifications would be appreciated. Once I can confirm I'm in the clear I will proceed with updating the OS and then begin work on my other machine. Thanks.

Anyhoozle
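The kernel-mode section of the Kaspersky report quoted above can be triaged mechanically: group every intercepted function by the module that owns the hook and check whether the report itself tags that module as trusted. The script below is an added example, not code from this thread or from any Kaspersky tool; its sample log is a constructed excerpt of the lines quoted in the post, and the summary field names are my own.

```python
"""Triage helper for the '1.2 Searching for kernel-mode API hooks' section
of an AVZ-style report such as the Kaspersky Virus Removal Tool output above.
Added example; not code from the thread or from Kaspersky."""
import re
from collections import Counter
from dataclasses import dataclass

# SSDT entry, e.g.
# Function NtClose (19) intercepted (805675D9->F6BBBF94), hook C:\...\x.sys, driver recognized as trusted
SSDT_RE = re.compile(
    r"^Function (?P<name>\w+) \((?P<index>[0-9A-Fa-f]+)\) intercepted "
    r"\((?P<orig>[0-9A-Fa-f]+)->(?P<hook>[0-9A-Fa-f]+)\), hook (?P<module>[^,\s]+)"
    r"(?P<trusted>, driver recognized as trusted)?\s*$"
)
# Inline patch of an exported kernel routine, e.g.
# Function IoIsOperationSynchronous (804E8EBA) - machine code modification Method of JmpTo. jmp F6BAE3AC \SystemRoot\...\x.sys, driver recognized as trusted
JMPTO_RE = re.compile(
    r"^Function (?P<name>\w+) \((?P<orig>[0-9A-Fa-f]+)\) - machine code modification "
    r"Method of JmpTo\. jmp (?P<hook>[0-9A-Fa-f]+) (?P<module>[^,\s]+)"
    r"(?P<trusted>, driver recognized as trusted)?\s*$"
)
TALLY_RE = re.compile(r"^Functions checked: (\d+), intercepted: (\d+), restored: (\d+)")

# Constructed excerpt of the report quoted in the post: two of the sixty SSDT
# entries, both JmpTo patches, and a tally line adjusted to this excerpt.
SAMPLE_LOG = r"""1.2 Searching for kernel-mode API hooks
Driver loaded successfully
Function NtAdjustPrivilegesToken (0B) intercepted (80598539->F6BBB690), hook C:\WINDOWS\system32\DRIVERS\7080732drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtWriteVirtualMemory (115) intercepted (8057C123->F6BBBB52), hook C:\WINDOWS\system32\DRIVERS\7080732drv.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function FsRtlCheckLockForReadAccess (804FDAF1) - machine code modification Method of JmpTo. jmp F6BADFD0 \SystemRoot\system32\DRIVERS\7080732drv.sys, driver recognized as trusted
>>> Function restored successfully !
Function IoIsOperationSynchronous (804E8EBA) - machine code modification Method of JmpTo. jmp F6BAE3AC \SystemRoot\system32\DRIVERS\7080732drv.sys, driver recognized as trusted
>>> Function restored successfully !
Functions checked: 284, intercepted: 2, restored: 4
"""


@dataclass
class Hook:
    name: str
    kind: str       # "ssdt" (service table entry) or "jmpto" (inline patch)
    orig: int       # original kernel address
    hook: int       # address the call was redirected to
    module: str     # path of the module owning the hook, as printed
    trusted: bool   # the tool itself marked the module as trusted
    restored: bool = False
    blocked: bool = False


def parse_hooks(text):
    """Return (hooks, tally) where tally is (checked, intercepted, restored)."""
    hooks, tally = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m, kind = SSDT_RE.match(line), "ssdt"
        if m is None:
            m, kind = JMPTO_RE.match(line), "jmpto"
        if m is not None:
            hooks.append(Hook(name=m["name"], kind=kind,
                              orig=int(m["orig"], 16), hook=int(m["hook"], 16),
                              module=m["module"], trusted=m["trusted"] is not None))
        elif line.startswith(">>> Function restored") and hooks:
            hooks[-1].restored = True
        elif line.startswith(">>> Hook code blocked") and hooks:
            hooks[-1].blocked = True
        else:
            t = TALLY_RE.match(line)
            if t:
                tally = tuple(int(x) for x in t.groups())
    return hooks, tally


def summarize(hooks, tally):
    """Group hooks by owning module and sanity-check the tool's own tally."""
    n_ssdt = sum(1 for h in hooks if h.kind == "ssdt")
    n_restored = sum(1 for h in hooks if h.restored)
    by_module = Counter(h.module.replace("\\", "/").rsplit("/", 1)[-1] for h in hooks)
    untrusted = sorted(h.name for h in hooks if not h.trusted)
    # The post's full report says "intercepted: 60, restored: 62": the first
    # number counts only SSDT entries, the second also counts the two JmpTo
    # patches, so the figures are consistent rather than a sign of extra hooks.
    tally_ok = tally is not None and tally[1] == n_ssdt and tally[2] == n_restored
    return {
        "ssdt_hooks": n_ssdt,
        "jmpto_patches": len(hooks) - n_ssdt,
        "restored": n_restored,
        "modules": dict(by_module),
        "untrusted": untrusted,
        # Every hook owned by one module that the scanner tagged trusted is the
        # pattern in the post; several modules or an untrusted one deserves a
        # closer look.
        "single_trusted_module": len(by_module) == 1 and not untrusted,
        "tally_consistent": tally_ok,
    }


if __name__ == "__main__":
    found, counts = parse_hooks(SAMPLE_LOG)
    for key, value in summarize(found, counts).items():
        print(f"{key}: {value}")
```

Run it against the full "Main script of analysis" block to get the module breakdown for the whole report instead of the excerpt.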



#2 Broni


Posted 19 December 2012 - 09:07 PM

Download Malwarebytes Anti-Rootkit from HERE
  • Unzip downloaded file.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • DO NOT click on the Cleanup button. Simply exit the program.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log-xxxxx.txt and system-log.txt

My Website


My help doesn't cost a penny, but if you'd like to consider a donation, click p22001735.gif


 


#3 Anyhoozle


Posted 19 December 2012 - 09:20 PM

Should I post the logs here or should I start a new thread in the appropriate forum? Thanks!

Anyhoozle

#4 Broni


Posted 19 December 2012 - 09:22 PM

Post logs here.



 


#5 Anyhoozle


Posted 19 December 2012 - 10:02 PM

Malwarebytes Anti-Rootkit 1.01.0.1011
www.malwarebytes.org

Database version: v2012.12.20.01

Windows XP Service Pack 2 x86 NTFS
Internet Explorer 8.0.6001.18702
Kevin :: MAXIMUM-LENSE [administrator]

12/19/2012 9:46:22 PM
mbar-log-2012-12-19 (21-46-22).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 23483
Time elapsed: 5 minute(s), 49 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.01.0.1011

© Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 2 x86

Account is Administrative

Internet Explorer version: 8.0.6001.18702

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 1.994000 GHz
Memory total: 535834624, free: 329883648

------------ Kernel report ------------
12/19/2012 21:35:01
------------ Loaded modules -----------
\WINDOWS\system32\ntoskrnl.exe
\WINDOWS\system32\hal.dll
\WINDOWS\system32\KDCOM.DLL
\WINDOWS\system32\BOOTVID.dll
ACPI.sys
\WINDOWS\system32\DRIVERS\WMILIB.SYS
pci.sys
isapnp.sys
intelide.sys
\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
MountMgr.sys
ftdisk.sys
PartMgr.sys
VolSnap.sys
atapi.sys
disk.sys
\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
fltMgr.sys
sr.sys
MpFilter.sys
KSecDD.sys
Ntfs.sys
NDIS.sys
Mup.sys
agp440.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\DRIVERS\AN983.sys
\SystemRoot\system32\DRIVERS\fdc.sys
\SystemRoot\system32\DRIVERS\serial.sys
\SystemRoot\system32\DRIVERS\serenum.sys
\SystemRoot\system32\DRIVERS\parport.sys
\SystemRoot\system32\DRIVERS\imapi.sys
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\system32\DRIVERS\redbook.sys
\SystemRoot\system32\DRIVERS\ks.sys
\SystemRoot\system32\DRIVERS\usbuhci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\audstub.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\DRIVERS\psched.sys
\SystemRoot\system32\DRIVERS\msgpc.sys
\SystemRoot\system32\DRIVERS\ptilink.sys
\SystemRoot\system32\DRIVERS\raspti.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\update.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\System32\Drivers\Fs_Rec.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\Drivers\mnmdd.SYS
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\rasacd.sys
\SystemRoot\system32\DRIVERS\ipsec.sys
\SystemRoot\system32\DRIVERS\tcpip.sys
\SystemRoot\system32\DRIVERS\netbt.sys
\SystemRoot\System32\drivers\afd.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\System32\Drivers\Fips.SYS
\SystemRoot\system32\DRIVERS\ipnat.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\System32\Drivers\Cdfs.SYS
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\mouhid.sys
\SystemRoot\system32\DRIVERS\kbdhid.sys
\SystemRoot\System32\Drivers\dump_atapi.sys
\SystemRoot\System32\Drivers\dump_WMILIB.SYS
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\watchdog.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\System32\drivers\dxg.sys
\SystemRoot\System32\drivers\dxgthk.sys
\SystemRoot\System32\framebuf.dll
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\DRIVERS\mrxdav.sys
\SystemRoot\System32\Drivers\ParVdm.SYS
\SystemRoot\system32\DRIVERS\srv.sys
\SystemRoot\System32\Drivers\HTTP.sys
\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys
\??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys
\WINDOWS\system32\ntdll.dll
----------- End -----------
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff81fa8ab8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-3\
Lower Device Object: 0xffffffff81faf030
Lower Device Driver Name: \Driver\atapi\
Driver name found: atapi
DriverEntry returned 0x0
Function returned 0x0
Downloaded database version: v2012.12.20.01
=======================================


---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.01.0.1011

© Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 2 x86

Account is Administrative

Internet Explorer version: 8.0.6001.18702

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 1.994000 GHz
Memory total: 535834624, free: 245153792

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.01.0.1011

© Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 2 x86

Account is Administrative

Internet Explorer version: 8.0.6001.18702

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 1.994000 GHz
Memory total: 535834624, free: 254803968

------------ Kernel report ------------
12/19/2012 21:40:16
------------ Loaded modules -----------
\WINDOWS\system32\ntoskrnl.exe
\WINDOWS\system32\hal.dll
\WINDOWS\system32\KDCOM.DLL
\WINDOWS\system32\BOOTVID.dll
ACPI.sys
\WINDOWS\system32\DRIVERS\WMILIB.SYS
pci.sys
isapnp.sys
intelide.sys
\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
MountMgr.sys
ftdisk.sys
PartMgr.sys
VolSnap.sys
atapi.sys
disk.sys
\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
fltMgr.sys
sr.sys
MpFilter.sys
KSecDD.sys
Ntfs.sys
NDIS.sys
Mup.sys
agp440.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\DRIVERS\AN983.sys
\SystemRoot\system32\DRIVERS\fdc.sys
\SystemRoot\system32\DRIVERS\serial.sys
\SystemRoot\system32\DRIVERS\serenum.sys
\SystemRoot\system32\DRIVERS\parport.sys
\SystemRoot\system32\DRIVERS\imapi.sys
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\system32\DRIVERS\redbook.sys
\SystemRoot\system32\DRIVERS\ks.sys
\SystemRoot\system32\DRIVERS\usbuhci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\audstub.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\DRIVERS\psched.sys
\SystemRoot\system32\DRIVERS\msgpc.sys
\SystemRoot\system32\DRIVERS\ptilink.sys
\SystemRoot\system32\DRIVERS\raspti.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\update.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\System32\Drivers\Fs_Rec.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\Drivers\mnmdd.SYS
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\rasacd.sys
\SystemRoot\system32\DRIVERS\ipsec.sys
\SystemRoot\system32\DRIVERS\tcpip.sys
\SystemRoot\system32\DRIVERS\netbt.sys
\SystemRoot\System32\drivers\afd.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\System32\Drivers\Fips.SYS
\SystemRoot\system32\DRIVERS\ipnat.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\System32\Drivers\Cdfs.SYS
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\mouhid.sys
\SystemRoot\system32\DRIVERS\kbdhid.sys
\SystemRoot\System32\Drivers\dump_atapi.sys
\SystemRoot\System32\Drivers\dump_WMILIB.SYS
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\watchdog.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\System32\drivers\dxg.sys
\SystemRoot\System32\drivers\dxgthk.sys
\SystemRoot\System32\framebuf.dll
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\DRIVERS\mrxdav.sys
\SystemRoot\System32\Drivers\ParVdm.SYS
\SystemRoot\system32\DRIVERS\srv.sys
\SystemRoot\System32\Drivers\HTTP.sys
\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys
\??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys
\WINDOWS\system32\ntdll.dll
----------- End -----------
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff81fa8ab8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-3\
Lower Device Object: 0xffffffff81faf030
Lower Device Driver Name: \Driver\atapi\
Driver name found: atapi
DriverEntry returned 0x0
Function returned 0x0
Initializing...
Done!
<<<2>>>
Device number: 0, partition: 1
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff81fa8ab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff81fca900, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff81fa8ab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff81faf030, DeviceName: \Device\Ide\IdeDeviceP0T0L0-3\, DriverName: \Driver\atapi\
------------ End ----------
Upper DeviceData: 0xffffffffe1a9e130, 0xffffffff81fa8ab8, 0xffffffff81cc1040
Lower DeviceData: 0xffffffffe1a254e0, 0xffffffff81faf030, 0xffffffff81c27858
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning directory: C:\WINDOWS\system32\drivers...
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 50CF7810

Partition information:

Partition 0 type is Primary (0x7)
Partition is ACTIVE.
Partition starts at LBA: 63 Numsec = 156280257
Partition file system is NTFS
Partition is bootable

Partition 1 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Disk Size: 80026361856 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-62-156281488-156301488)...
Done!
Performing system, memory and registry scan...
Done!
Scan finished
=======================================

#6 Broni


Posted 19 December 2012 - 10:05 PM

Nothing malicious there.
You should be good to go.



 


#7 Anyhoozle


Posted 20 December 2012 - 09:33 AM

Excellent, that's what I wanted to hear. Now I'll proceed with updating the OS with all the security updates and put on a decent anti-virus/malware solution. We only plan on using this machine for web browsing until I get our main computer cleaned up. Do you have any ideas or an explanation of my initial findings with McAfee Rootkit Remover and Kaspersky on the clean install? I'm assuming the McAfee detection is just a false positive and I will pass that information along in their forums. The Kaspersky report is another story. Were you able to decipher the report and understand the kernel-mode hooks it was detecting? Am I wrong to think that the RANDOM#drv.sys was part of the virus removal tool itself? A simple and short explanation is all I'm looking for. Thanks for your help.

Anyhoozle

#8 Broni


Posted 20 December 2012 - 05:38 PM

I don't see anything in the Kaspersky report you should worry about.




 




