Seriously sneaky rootkit infection. Hooks in win32k.sys, ntdll.dll, wow64cpu.dll


6 replies to this topic

#1 Onirwai

  • Members
  • 14 posts

Posted 23 September 2013 - 04:52 PM

Hello there!

 

I am posting this from an infected machine as I have no more 100% un-compromised ones.

 

I had Windows 7 x64 (not up to date with patches) and AVG Free, Windows Firewall on but not really configured with care - henceforth referred to as Desktop. I ran some shady software and although in its packed form it was detected as virus-free, when I fired it up AVG detected an executable "sniffer_gpu.exe" as infected. It didn't know with what, and it prompted me to restart. Since that restart, it's been infected and it has infected all other computers in the house. Even those that only connected to the net without any previously infected machines running at the same time! So from the outside somehow?!

 

My Internet goes like this: The ISP assigns a dynamic IP, you connect through PPPoE. It goes into an old wired router that's always on and then by cables to all the PCs in the house: The Desktop, 2 laptops + 1 netbook occasionally.

 

Initial symptoms on Desktop: 

  • Antivirus log of the infection event gone. No scans ever revealed anything.
  • Wireshark revealed suspicious traffic. Initially the capture lit up like a Christmas tree, then it mellowed. The IPs turn out to be mostly home users, from around the globe: Russia (I know, stereotype), Ecuador, Italy, some proxies.
    93-39-6-42.ip73.fastwebnet.it, 40.48.11.37.dynamic.jazztel.es, host-2-60-220-94.pppoe.omsknet.ru, 37-146-226-142.broadband.corbina.ru, 163.242.205.77.rev.sfr.net, nsf02-1-78-215-232-190.fbx.proxad.net
    The connections were mostly UDP, and the ports and details sounded even more worrisome: SEBEK: Kernel Data Capture, ndmp, peerwire, x2edisc, inst-descovery, dec-mbadmin, murray, sqlexec-ssl, pptp, bsquare-voip
  • Lost some data, all the files on the desktop (minus the folder structure). I've been able to Recuva the ones I know of since.
  • Can't run Rootkit Unhooker LE 3.8. It did work on a different machine, then that one got infected badly too.

Anyway, as I tried to investigate I moved the ethernet cable to a netbook and it got infected too. Same dubious traffic showed up in Wireshark, and the antivirus was gone completely.

 

Long story short, probably all of the computers got infected.

 

Then a sysadmin guy helped me out. I sent him the PC and system drive (a 60GB OCZ SSD) and after saving some stuff to a USB stick he formatted and installed Windows 7 again, plus put on a paid version of Kaspersky Internet Security 2013.

 

Cut to today, 2 days later, and it's obviously compromised again. Here are the symptoms

  • Kaspersky starts in Protection paused mode. Really now?! That's mighty helpful, expensive AV solution! A possible cause for the re-infection is that I had to connect compromised drives to scan & rescue data. Thinking they will either be clean/unable to infect me/easily detectable as dodgy by Kaspersky. N
  • GMER and OSHI Unhooker find stuff. Rootkit Unhooker crashes. Will post logs when asked to. win32k.sys, ntdll.dll, wow64cpu.dll and a lot of running programs are found with hooks.
  • Various quirks and slow-downs. Wireshark now hangs on startup and shows no dubious traffic. I even suspected tampering of an AVG Rescue CD .rar file (that I downloaded), as it took super-long to open the .rar file the first time. 2 other rescue disks haven't worked but it might not be the infection's fault, IDK.

 

I am prepared to format the system drive and reinstall everything (since I've already done that once), but I must understand some more about this malware. How do I reconnect to the possibly compromised hard drives to copy the data? How do I know I'm not copying the malware too, or infecting my machine as soon as I boot up with an infected HDD attached?

 

Here's a small part of the GMER log file. I will post more on request. ---------------------------

 

GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-09-23 22:56:26
Windows 6.1.7600  x64 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP4T0L0-8 OCZ_VERTEX-PLUS rev.3.55 55,90GB
Running: eptm1ivh.exe; Driver: C:\Users\user1\AppData\Local\Temp\kwdiypog.sys
 
 
---- User code sections - GMER 2.1 ----
 
.text     C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avp.exe[1512] C:\Windows\SysWOW64\ntdll.dll!NtQueryValueKey                                                                               000000007758fa48 5 bytes JMP 0000000173c9176e
.text     C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avp.exe[1512] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                                                                        000000007758ffd8 5 bytes JMP 0000000173c91d67
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!RtlSecondsSince1970ToTime + 451                                                                                   00000000773911d3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 5                                                                                                   00000000773911e5 8 bytes {JMP 0xd}
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 422                                                                                                 0000000077391386 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159                                                                                        000000007739142f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 492                                                                                        000000007739157c 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126                                                                                                000000007739190e 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 727                                                                                                0000000077391b67 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 204                                                                                               0000000077391c3c 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373                                                                                  0000000077391dc5 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 721                                                                                  0000000077391f21 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31                                                                                                      0000000077391f4f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!_ui64toa + 76                                                                                                     0000000077391fcc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 81                                                                                                    0000000077392025 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelf + 7                                                                                            0000000077392037 8 bytes {JMP 0xb}
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 572                                                                                        000000007739227c 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 711                                                                                        0000000077392307 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!RtlSubtreePredecessor + 49                                                                                        0000000077392561 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!RtlSubtreePredecessor + 563                                                                                       0000000077392763 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!RtlInstallFunctionTableCallback + 318                                                                             00000000773928ae 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!RtlActivateActivationContext + 67                                                                                 0000000077392903 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!RtlDeactivateActivationContext + 256                                                                              0000000077392a10 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseCleanupGroupMembers + 239                                                                                0000000077392b0f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseCleanupGroup + 119                                                                                       0000000077392b97 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseCleanupGroup + 371                                                                                       0000000077392c93 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!RtlIsGenericTableEmptyAvl + 16                                                                                    0000000077392cb0 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableAvl + 18                                                                                  0000000077392cd2 8 bytes {JMP 0x10}
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 79                                                                   0000000077392d2f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 176                                                                  0000000077392d90 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text     ...

 

--------------------------------

 

EDIT 02:24 24.09.2013: When running in SafeMode there seems to be no more suspicious traffic and no more detections by GMER and OSHI Unhooker.

 

I await your suggestions.

Thanks very much!  :cowboy:


Edited by Onirwai, 23 September 2013 - 06:27 PM.
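Added example (not code from the thread or from GMER): a small Python triage script for GMER "User code sections" lines like the ones in the excerpt above. It groups the reported hooks per process and separates absolute JMP redirections, whose targets are what a responder dumps and attributes first, from short relative jumps and raw byte patches; the sample lines are constructed in the excerpt's layout and the 16 MiB "far jump" threshold is an assumed heuristic.

```python
"""Triage helper for GMER 'User code sections' output (added example).

Parses hook lines of the form
  .text  <process>[<pid>] <module>!<export>[ + <offset>]  <address> <n> bytes <detail>
and groups them per process by hook kind.
"""
import re
from typing import Dict, List, Optional

LINE_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?\.exe)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>\S+?\.dll)!(?P<func>\S+?)(?:\s\+\s(?P<off>\d+))?\s+"
    r"(?P<addr>[0-9A-Fa-f]{16})\s+(?P<size>\d+)\s+bytes\s+(?P<detail>.*)$"
)
ABS_JMP_RE = re.compile(r"^JMP\s+([0-9A-Fa-f]{8,16})$")     # e.g. "JMP 0000000173c9176e"
SHORT_JMP_RE = re.compile(r"^\{JMP\s+0x([0-9A-Fa-f]+)\}$")  # e.g. "{JMP 0xd}"

# Assumed heuristic: a JMP landing more than 16 MiB away from the patched code
# cannot be a hotpatch inside the same DLL image, so treat it as a redirection
# into foreign code (an injected DLL or allocated memory) that needs attribution.
FAR_THRESHOLD = 0x1000000


def parse_line(line: str) -> Optional[dict]:
    """Return a hook record for one GMER user-code line, or None for other lines."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    h = m.groupdict()
    h["pid"] = int(h["pid"])
    h["off"] = int(h["off"] or 0)
    h["addr"] = int(h["addr"], 16)
    h["size"] = int(h["size"])
    h["proc_name"] = h["proc"].rsplit("\\", 1)[-1]
    detail = h["detail"].strip()
    abs_jmp = ABS_JMP_RE.match(detail)
    if abs_jmp:
        h["kind"] = "jmp"                     # absolute jump to a reported target
        h["target"] = int(abs_jmp.group(1), 16)
        h["far"] = abs(h["target"] - h["addr"]) > FAR_THRESHOLD
    elif SHORT_JMP_RE.match(detail):
        h["kind"] = "short_jmp"               # relative jump inside the function
        h["target"] = None
        h["far"] = False
    else:
        h["kind"] = "bytes"                   # GMER only listed the overwritten bytes
        h["target"] = None
        h["far"] = False
    return h


def summarize(log_text: str) -> Dict[str, dict]:
    """Count hooks per process (key 'name[pid]') by kind and collect far-JMP targets."""
    report: Dict[str, dict] = {}
    for line in log_text.splitlines():
        h = parse_line(line)
        if h is None:
            continue
        key = f"{h['proc_name']}[{h['pid']}]"
        entry = report.setdefault(key, {"hooks": 0, "jmp_far": 0, "jmp_near": 0,
                                        "short_jmp": 0, "bytes": 0, "redirects": []})
        entry["hooks"] += 1
        if h["kind"] == "jmp":
            if h["far"]:
                entry["jmp_far"] += 1
                symbol = h["module"].rsplit("\\", 1)[-1] + "!" + h["func"]
                entry["redirects"].append((symbol, h["target"]))
            else:
                entry["jmp_near"] += 1
        else:
            entry[h["kind"]] += 1
    return report


def redirect_targets(log_text: str) -> List[str]:
    """Unique far-JMP targets as hex strings: the addresses to dump and attribute first."""
    targets = {f"{t:016x}" for e in summarize(log_text).values() for _, t in e["redirects"]}
    return sorted(targets)


# Constructed sample in the same layout as the GMER excerpt in the thread.
SAMPLE_LOG = r"""GMER 2.1.19163 - http://www.gmer.net
---- User code sections - GMER 2.1 ----
.text     C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avp.exe[1512] C:\Windows\SysWOW64\ntdll.dll!NtQueryValueKey          000000007758fa48 5 bytes JMP 0000000173c9176e
.text     C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avp.exe[1512] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory   000000007758ffd8 5 bytes JMP 0000000173c91d67
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 5       00000000773911e5 8 bytes {JMP 0xd}
.text     C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3192] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126    000000007739190e 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
"""

if __name__ == "__main__":
    for proc, entry in summarize(SAMPLE_LOG).items():
        print(proc, {k: v for k, v in entry.items() if k != "redirects"})
        for symbol, target in entry["redirects"]:
            print(f"   {symbol} -> {target:016x}  (attribute this target to a module)")
```

A hook line is a lead, not a verdict: security suites place their own user-mode hooks in other processes, so each flagged target still has to be attributed to a module before it is called malicious.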



#2 TB-Psychotic

  • Malware Response Team
  • 6,349 posts

Posted 24 September 2013 - 04:58 AM

Hi there,
my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, Stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

Scan with DDS

Download DDS and save it to your desktop from here, here or here.

Disable any script blocker, and then double click dds.scr to run the tool.

When done, DDS will open two (2) logs

DDS.txt: save to your desktop then post its contents in your topic
Attach.txt: save to your desktop then attach it to your next reply


Scan with Malwarebytes Anti-Rootkit

Please download Malwarebytes Anti-Rootkit from here Malwarebytes : Malwarebytes Anti-Rootkit and save it to your desktop.

Be sure to print out and follow the instructions provided on that same page.

Caution: This is a beta version so please be sure to read the disclaimer and back up any important data before using.
 

  • Double click the mbar.zip file to open it, then 'Extract all files'.
  • Double click the mbar folder to open it, then double click mbar.exe to start the tool.

Check for Updates, then Scan your system for malware

If malware is found, do NOT press the Cleanup button yet. Click EXIT.

I'd like to see the log first so I can see what it sees. You'll find the log in that mbar folder as MBAR-log-[date and time]***.txt . Please attach that to your next reply.


Also: Please attach the gmer log to your reply.


Edited by TB-Psychotic, 24 September 2013 - 04:58 AM.

Proud Member of UNITE & TB

#3 Onirwai

  • Topic Starter
  • Members
  • 14 posts

Posted 24 September 2013 - 07:45 AM

I didn't know where I should post and I also got a reply on "Am I infected?"

 

http://www.bleepingcomputer.com/forums/t/508755/seriously-sneaky-rootkit-cant-tell-what-it-is-what-to-do-please-help/

 

Which should I follow?



#4 TB-Psychotic

  • Malware Response Team
  • 6,349 posts

Posted 24 September 2013 - 08:17 AM

Answer the other guy - I'll close this topic for now. If it becomes necessary, send me a PM and I'll reopen it.


Proud Member of UNITE & TB

#5 TB-Psychotic

  • Malware Response Team
  • 6,349 posts

Posted 26 September 2013 - 06:40 AM

This topic has been re-opened at the request of the person who originally posted.
Proud Member of UNITE & TB


#7 Onirwai

  • Topic Starter
  • Members
  • 14 posts

Posted 26 September 2013 - 01:46 PM

Hi! I'm back. Rootkit from hell. I now suppose it's one of those rootkits that lives on its own partition.
 
I'm in SafeMode now because I was writing this message and it BSOD'd on me because of attempted "system modifications".
 
 
Problem signature:
  Problem Event Name: BlueScreen
  OS Version: 6.1.7600.2.0.0.256.1
  Locale ID: 1048
 
Additional information about the problem:
  BCCode: 109
  BCP1: A3A039D89E68B615
  BCP2: B3B7465EF0E6F323
  BCP3: FFFFF880024685C0
  BCP4: 0000000000000002
  OS Version: 6_1_7600
  Service Pack: 0_0
  Product: 256_1
 
 
It had hooks into everything I was running, and since I was online... it probably downloaded more malware to keep me from fixing anything. After this I tried the BitDefender TDL4 Removal Tool and it doesn't let it start. The desktop icons very dramatically flash and the tool fails.
 
Anyway, here are the logs. The malware may have evolved another step since then though! (with the BSOD and all).
 
DDS.scr-----------------------------------------------------------------------------------------------
 
DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer: 8.0.7600.16385
Run by user1 at 20:56:54 on 2013-09-26
Microsoft Windows 7 Ultimate   6.1.7600.0.1252.1.1033.18.7912.6151 [GMT 3:00]
.
AV: Kaspersky Internet Security *Enabled/Updated* {179979E8-273D-D14E-0543-2861940E4886}
SP: Kaspersky Internet Security *Enabled/Updated* {ACF8980C-0107-DEC0-3FF3-1313EF89023B}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Kaspersky Internet Security *Enabled* {2FA2F8CD-6D52-D016-2E1C-81546ADD0FFD}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avp.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files (x86)\HTC Home\Clock.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avpui.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
mStart Page = about:blank
BHO: Content Blocker Plugin: {5564CC73-EFA7-4CBF-918A-5CF7FBBFFF4F} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\IEExt\ContentBlocker\ie_content_blocker_plugin.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO: Virtual Keyboard Plugin: {73455575-E40C-433C-9784-C78DC7761455} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\IEExt\VirtualKeyboard\ie_virtual_keyboard_plugin.dll
BHO: Safe Money Plugin: {9E6D0D23-3D72-4A94-AE1F-2D167624E3D9} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\IEExt\OnlineBanking\online_banking_bho.dll
BHO: URL Advisor Plugin: {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\IEExt\UrlAdvisor\klwtbbho.dll
uRun: [Clock Widget (HTC Home)] "C:\Program Files (x86)\HTC Home\Clock.exe"
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveTypeAutoRun = dword:60
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: Add to Anti-Banner - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: {0C4CC089-D306-440D-9772-464E226F6539} - {0BA14598-4178-4CE5-B1F1-B5C6408A3F2E} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\IEExt\VirtualKeyboard\ie_virtual_keyboard_plugin.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\IEExt\UrlAdvisor\klwtbbho.dll
TCP: NameServer = 192.168.2.1
TCP: Interfaces\{03707782-98A6-48FA-97BC-23519FD9DBA0} : DHCPNameServer = 192.168.2.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\29.0.1547.76\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-mStart Page = about:blank
x64-BHO: Content Blocker Plugin: {5564CC73-EFA7-4CBF-918A-5CF7FBBFFF4F} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\x64\IEExt\ContentBlocker\ie_content_blocker_plugin.dll
x64-BHO: Virtual Keyboard Plugin: {73455575-E40C-433C-9784-C78DC7761455} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\x64\IEExt\VirtualKeyboard\ie_virtual_keyboard_plugin.dll
x64-BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
x64-BHO: Safe Money Plugin: {9E6D0D23-3D72-4A94-AE1F-2D167624E3D9} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\x64\IEExt\OnlineBanking\online_banking_bho.dll
x64-BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
x64-BHO: URL Advisor Plugin: {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\x64\IEExt\UrlAdvisor\klwtbbho.dll
x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-IE: {0C4CC089-D306-440D-9772-464E226F6539} - {0BA14598-4178-4CE5-B1F1-B5C6408A3F2E} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\x64\IEExt\VirtualKeyboard\ie_virtual_keyboard_plugin.dll
x64-IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\x64\IEExt\UrlAdvisor\klwtbbho.dll
x64-Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\user1\AppData\Roaming\Mozilla\Firefox\Profiles\dfw567l4.default\
FF - prefs.js: browser.startup.homepage - google.ro
FF - ExtSQL: 2013-09-19 22:57; anti_banner@kaspersky.com; C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\FFExt\anti_banner@kaspersky.com
FF - ExtSQL: 2013-09-19 23:07; url_advisor@kaspersky.com; C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\FFExt\url_advisor@kaspersky.com
FF - ExtSQL: 2013-09-19 23:07; virtual_keyboard@kaspersky.com; C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\FFExt\virtual_keyboard@kaspersky.com
FF - ExtSQL: 2013-09-19 23:07; content_blocker@kaspersky.com; C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\FFExt\content_blocker@kaspersky.com
FF - ExtSQL: 2013-09-19 23:07; online_banking@kaspersky.com; C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\FFExt\online_banking@kaspersky.com
.
============= SERVICES / DRIVERS ===============
.
R0 asahci64;asahci64;C:\Windows\System32\drivers\asahci64.sys [2010-11-19 34400]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;C:\Windows\System32\drivers\klim6.sys [2013-6-10 30304]
R1 klpd;klpd;C:\Windows\System32\drivers\klpd.sys [2013-4-12 15456]
R1 kltdi;kltdi;C:\Windows\System32\drivers\kltdi.sys [2013-5-14 55904]
R1 kneps;kneps;C:\Windows\System32\drivers\kneps.sys [2013-6-6 178784]
R2 AVP;Kaspersky Anti-Virus Service;C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avp.exe [2013-6-17 214512]
R3 asmthub3;ASMedia USB3 Hub Service;C:\Windows\System32\drivers\asmthub3.sys [2010-12-29 122856]
R3 asmtxhci;ASMEDIA XHCI Service;C:\Windows\System32\drivers\asmtxhci.sys [2010-12-29 370152]
R3 IntcDAud;Intel® Display Audio;C:\Windows\System32\drivers\IntcDAud.sys [2011-12-6 331264]
R3 klkbdflt;Kaspersky Lab KLKBDFLT;C:\Windows\System32\drivers\klkbdflt.sys [2013-5-5 29280]
R3 klmouflt;Kaspersky Lab KLMOUFLT;C:\Windows\System32\drivers\klmouflt.sys [2013-5-5 29280]
R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;C:\Windows\System32\drivers\L1C62x64.sys [2010-8-24 76912]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2013-9-25 418376]
S2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2013-9-25 701512]
S3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2013-9-25 25928]
.
=============== Created Last 30 ================
.
2013-09-26 17:49:55 -------- d-----w- C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2013-09-26 17:27:38 -------- d-----w- C:\FRST
2013-09-25 15:33:12 -------- d-sh--w- C:\$RECYCLE.BIN
2013-09-25 15:20:29 -------- d-----w- C:\Users\user1\AppData\Roaming\Malwarebytes
2013-09-25 15:20:23 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys
2013-09-25 15:20:23 -------- d-----w- C:\ProgramData\Malwarebytes
2013-09-25 15:20:23 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-09-25 15:20:10 -------- d-----w- C:\Users\user1\AppData\Local\Programs
2013-09-25 15:10:59 35712 ----a-w- C:\Windows\SysWow64\drivers\cp2LMmIa.sys
2013-09-25 15:10:03 -------- d-----w- C:\Program Files (x86)\145636
2013-09-25 15:00:04 35712 ----a-w- C:\Windows\SysWow64\drivers\1Gqu018q.sys
2013-09-24 12:58:49 -------- d-----w- C:\Program Files (x86)\ESET
2013-09-24 12:52:13 -------- d-----w- C:\AdwCleaner
2013-09-24 12:47:55 9694160 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{F5F0BB2F-7D77-4696-9AD6-30237BC4CFD9}\mpengine.dll
2013-09-24 12:47:55 278800 ------w- C:\Windows\System32\MpSigStub.exe
2013-09-24 12:24:22 -------- d-----w- C:\Infection
2013-09-24 12:24:16 -------- d-----w- C:\WiresharkPortable
2013-09-23 23:28:28 -------- d-----w- C:\Users\user1\AppData\Local\ElevatedDiagnostics
2013-09-23 22:24:58 98816 ----a-w- C:\Windows\sed.exe
2013-09-23 22:24:58 256000 ----a-w- C:\Windows\PEV.exe
2013-09-23 22:24:58 208896 ----a-w- C:\Windows\MBR.exe
2013-09-23 22:21:44 35712 ----a-w- C:\Windows\SysWow64\drivers\6fdckbaw.sys
2013-09-23 14:09:57 -------- d-----w- C:\Windows\System32\log
2013-09-22 12:45:40 -------- d-----w- C:\Program Files (x86)\HTC Home
2013-09-22 11:52:48 -------- d-----w- C:\Windows\pss
2013-09-22 11:39:57 -------- d-----w- C:\LaptopBackup
2013-09-22 10:53:00 -------- d-----w- C:\Program Files (x86)\WinPcap
2013-09-22 09:48:59 -------- d-----w- C:\Users\user1\AppData\Local\Google
2013-09-21 19:41:47 -------- d-----w- C:\Windows\System32\appmgmt
2013-09-20 06:09:31 -------- d-----w- C:\Windows\Panther
2013-09-20 03:51:18 -------- d-----w- C:\Users\user1\AppData\Local\Macromedia
2013-09-19 20:52:12 -------- d-----w- C:\Windows\PCHEALTH
2013-09-19 20:50:54 -------- d-----w- C:\Program Files (x86)\Microsoft Visual Studio 8
2013-09-19 20:50:25 -------- d-----w- C:\Users\user1\AppData\Local\Microsoft Help
2013-09-19 20:44:01 -------- d-----w- C:\Users\user1\AppData\Local\Mozilla
2013-09-19 20:42:14 972712 ----a-w- C:\Windows\System32\deployJava1.dll
2013-09-19 20:42:14 1093032 ----a-w- C:\Windows\System32\npDeployJava1.dll
2013-09-19 20:42:13 108968 ----a-w- C:\Windows\System32\WindowsAccessBridge-64.dll
2013-09-19 20:41:13 -------- d-----w- C:\Program Files (x86)\VideoLAN
2013-09-19 20:40:03 696832 ----a-w- C:\Windows\System32\xvidcore.dll
2013-09-19 20:40:03 645632 ----a-w- C:\Windows\SysWow64\xvidcore.dll
2013-09-19 20:40:03 255488 ----a-w- C:\Windows\System32\xvidvfw.dll
2013-09-19 20:40:03 240640 ----a-w- C:\Windows\SysWow64\xvidvfw.dll
2013-09-19 20:40:03 173568 ----a-w- C:\Windows\System32\xvid.ax
2013-09-19 20:40:03 153088 ----a-w- C:\Windows\SysWow64\xvid.ax
2013-09-19 20:40:03 -------- d-----w- C:\Program Files (x86)\Xvid
2013-09-19 20:39:32 -------- d-----w- C:\Program Files (x86)\ffdshow
2013-09-19 20:36:31 -------- d-----w- C:\Program Files\CCleaner
2013-09-19 20:36:05 965120 ----a-w- C:\Windows\SysWow64\ac3filter.acm
2013-09-19 20:36:05 1202688 ----a-w- C:\Windows\System32\ac3filter64.acm
2013-09-19 20:36:05 -------- d-----w- C:\Program Files (x86)\AC3Filter
2013-09-19 20:23:28 20992 ----a-w- C:\Windows\System32\OpenCL.dll
2013-09-19 20:23:28 120832 ----a-w- C:\Windows\System32\IntelOpenCL64.dll
2013-09-19 20:23:26 86016 ----a-w- C:\Windows\SysWow64\IntelOpenCL32.dll
2013-09-19 20:23:26 17920 ----a-w- C:\Windows\SysWow64\OpenCL.dll
2013-09-19 20:23:23 -------- d-----w- C:\Program Files\Common Files\Intel
2013-09-19 20:23:23 -------- d-----w- C:\Program Files (x86)\Common Files\Intel
2013-09-19 19:58:08 110176 ----a-w- C:\Windows\System32\klfphc.dll
2013-09-19 19:58:00 -------- d-----w- C:\Windows\ELAMBKUP
2013-09-19 19:52:44 -------- d-----w- C:\Windows\SysWow64\RTCOM
2013-09-19 19:49:42 -------- d-----w- C:\Program Files (x86)\ASM106xSATA
2013-09-19 19:49:35 -------- d-sh--w- C:\Windows\Installer
2013-09-19 19:48:47 -------- d-----w- C:\Windows\SysWow64\Atheros_L1e
2013-09-19 19:46:25 53248 ----a-w- C:\Windows\SysWow64\CSVer.dll
2013-09-19 19:39:52 -------- d-----w- C:\LeeroyBackupSSD
2013-09-19 19:15:39 -------- d-----w- C:\Recovery
.
==================== Find3M  ====================
.
.
============= FINISH: 20:57:05,02 ===============
 
---------------------------------------------------------------------------------------------
 
Malwarebytes Anti-Rootkit mbar-log-2013-09-26 (20-49-57) ------------------------------------
 
Malwarebytes Anti-Rootkit BETA 1.07.0.1005
www.malwarebytes.org
 
Database version: v2013.09.26.06
 
Windows 7 x64 NTFS
Internet Explorer 8.0.7600.16385
user1 :: AFLOWERPOT [administrator]
 
26.09.2013 20:49:57
mbar-log-2013-09-26 (20-49-57).txt
 
Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled: 
Objects scanned: 211692
Time elapsed: 5 minute(s), 
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 0
(No malicious items detected)
 
Physical Sectors Detected: 0
(No malicious items detected)
 
(end)
 
However, system-log.txt shows that I have 4 partitions. I shouldn't have 4 partitions, I should have 1.
 
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xfffffa8007231060
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IdeDeviceP1T0L0-1\
Lower Device Object: 0xfffffa8006f89060
Lower Device Driver Name: \Driver\atapi\
<<<2>>>
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xfffffa8007231060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa8007231b90, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa8007231060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa8006f8f580, DeviceName: Unknown, DriverName: \Driver\ACPI\
DevicePointer: 0xfffffa8006f89060, DeviceName: \Device\Ide\IdeDeviceP1T0L0-1\, DriverName: \Driver\atapi\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 968867B6
 
Partition information:
 
    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 2048  Numsec = 204800
    Partition file system is NTFS
    Partition is bootable
 
    Partition 1 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 206848  Numsec = 117020672
 
    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
Disk Size: 60022480896 bytes
Sector size: 512 bytes
 
Scanning physical sectors of unpartitioned space on drive 0 (1-2047-117211408-117231408)...
Done!
Scan finished
=======================================
 
 
 
Alright. So it's pretty complicated to remove it, huh? Until I get rid of booting from this rootkit-controlled hard drive I see no way of fixing it.
 
I tried scanning other infected PCs in the house with a BitDefender Rescue CD, but since it only sees the OTHER partitions, not the super-secret infected ones, it finds nothing.
 
Thank you for your help, I apologise for the slowness, it's dragging me down.
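The partition listing above is what a reader of an anti-rootkit log needs to interpret correctly, so here is an added example (written for this page; it is not code from the poster or from Malwarebytes) that parses a classic MBR partition table. A legacy MBR always carries exactly four 16-byte slots, so a tool that prints "Partition 0" through "Partition 3" is showing the fixed table layout; slots with type 0x00 and zero length are unused. The 512-byte sector is constructed inline from the values printed in the post's system-log.txt (disk signature, two NTFS entries, two empty entries), and the gap finder reports the sector ranges no partition covers, which is the "unpartitioned space" an anti-rootkit scanner inspects sector by sector because boot-sector malware can keep data there. Gap bounds are half-open here; the mbar log prints its own bounds in its own convention, so the numbers are not expected to match digit for digit.

```python
"""Parse a legacy MBR partition table and list unpartitioned sector ranges.

Added example for this thread, not code from the poster or from mbar.
The sample MBR is constructed from the values in the post's system-log.txt.
"""
import struct

SECTOR = 512
DISKSIG_OFFSET = 440   # 4-byte disk signature (Windows "Disk Signature")
PT_OFFSET = 446        # four 16-byte partition entries start here
ENTRY_LEN = 16
ENTRY_FMT = "<B3sB3sII"  # boot flag, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr() -> bytes:
    """Constructed sector matching the post's listing (CHS fields left zero)."""
    mbr = bytearray(SECTOR)
    struct.pack_into("<I", mbr, DISKSIG_OFFSET, 0x968867B6)
    entries = [
        # (boot flag, type, start LBA, sector count)
        (0x80, 0x07, 2048, 204800),       # slot 0: NTFS, active/bootable
        (0x00, 0x07, 206848, 117020672),  # slot 1: NTFS, the C: volume
        (0x00, 0x00, 0, 0),               # slot 2: empty
        (0x00, 0x00, 0, 0),               # slot 3: empty
    ]
    for i, (boot, ptype, lba, count) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, mbr, PT_OFFSET + i * ENTRY_LEN,
                         boot, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    mbr[510], mbr[511] = 0x55, 0xAA   # MBR boot signature, printed as "55AA" in the log
    return bytes(mbr)


def parse_mbr(sector: bytes) -> dict:
    """Decode the disk signature and all four partition slots."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != b"\x55\xAA":
        raise ValueError("missing 55AA boot signature")
    disk_sig = struct.unpack_from("<I", sector, DISKSIG_OFFSET)[0]
    partitions = []
    for slot in range(4):
        boot, _, ptype, _, lba, count = struct.unpack_from(
            ENTRY_FMT, sector, PT_OFFSET + slot * ENTRY_LEN)
        partitions.append({
            "slot": slot,
            "active": boot == 0x80,
            "type": ptype,
            "start_lba": lba,
            "num_sectors": count,
            # an unused slot has type 0x00 and no extent; it is not a hidden partition
            "empty": ptype == 0x00 and count == 0,
        })
    return {"disk_signature": f"{disk_sig:08X}", "partitions": partitions}


def find_gaps(parsed: dict, disk_sectors: int) -> list:
    """Half-open (start, end) sector ranges covered by no partition.

    Sector 0 (the MBR itself) is excluded; everything else not inside a
    used slot is what an anti-rootkit scanner treats as unpartitioned space.
    """
    used = sorted((p["start_lba"], p["start_lba"] + p["num_sectors"])
                  for p in parsed["partitions"] if not p["empty"])
    gaps, cursor = [], 1
    for start, end in used:
        if start > cursor:
            gaps.append((cursor, start))
        cursor = max(cursor, end)
    if cursor < disk_sectors:
        gaps.append((cursor, disk_sectors))
    return gaps


if __name__ == "__main__":
    table = parse_mbr(build_sample_mbr())
    print("Disk Signature:", table["disk_signature"])
    for p in table["partitions"]:
        state = "Empty" if p["empty"] else f"type 0x{p['type']:X}"
        print(f"  Partition {p['slot']}: {state}, active={p['active']}, "
              f"LBA {p['start_lba']}, Numsec {p['num_sectors']}")
    print("Unpartitioned ranges:", find_gaps(table, 60022480896 // 512))
```

Running it reproduces the log's picture: two used slots, two empty ones, and unpartitioned space before the first partition and after the last. Reading the same table from a live disk (for example by reading the first 512 bytes of the raw disk device with administrative rights) and comparing it against the partition layout the installer created is the check worth doing; an extra typed entry, overlapping extents, or a changed disk signature is what would justify concern, not the presence of four slots.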

 
