
Kernel-Rootkit infection


  • This topic is locked
2 replies to this topic

#1 Bleky

Bleky

  • Members
  • 185 posts
  • Gender:Male
  • Location:Somewhere on internet

Posted 04 August 2014 - 03:54 PM

It all started with a few strange processes. I ran RogueKiller and it found a kernel-rootkit.

If needed I will post the RK log. ;)

 

DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 11.0.9600.17207  BrowserJavaVersion: 10.55.2
Run by USER at 22:43:47 on 2014-08-04
Microsoft Windows 7 Ultimate   6.1.7601.1.1250.385.1033.18.3574.1480 [GMT 2:00]
.
AV: Avira Desktop *Disabled/Updated* {4D041356-F94D-285F-8768-AAE50FA36859}
SP: Avira Desktop *Disabled/Updated* {F665F2B2-DF77-27D1-BDD8-9197742422E4}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Program Files\HitmanPro.Alert\hmpalert.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\ActivIdentity\ac.sharedstore.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\ActivIdentity\ActivClient\acevents.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe
C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Windows\system32\IoctlSvc.exe
C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\TeamViewer\Version9\TeamViewer.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\TeamViewer\Version9\tv_w32.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\ItSecMng.exe
C:\Program Files\ActivIdentity\ActivClient\acevents.exe
C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\ActivIdentity\ActivClient\acsagent.exe
C:\Users\USER\AppData\Local\Skillbrains\lightshot\5.1.2.5\Lightshot.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Windows\system32\sppsvc.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\Avira\AntiVir Desktop\update.exe
C:\Program Files\Avira\AntiVir Desktop\updrgui.exe
C:\Program Files\Avira\AntiVir Desktop\update.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Java\jre7\bin\java.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k bthsvcs
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.hr/
uURLSearchHooks: UrlSearchHook Class: {00000000-6E41-4FD3-8538-502F5495E5FC} - 
BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: SteadyVideoBHO Class: {6C680BAE-655C-4E3D-8FC4-E6A520C3D928} - c:\program files\amd\steadyvideo\SteadyVideo.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
uRun: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [LightShot] c:\users\user\appdata\local\skillbrains\lightshot\Lightshot.exe Flags: uninsdeletevalue
uRun: [Facebook Update] "c:\users\user\appdata\local\facebook\update\FacebookUpdate.exe" /c /nocrashserver
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [ITSecMng] c:\program files\toshiba\bluetooth toshiba stack\ItSecMng.exe /START
mRun: [acevents] "c:\program files\actividentity\activclient\acevents.exe"
mRun: [accrdsub] "c:\program files\actividentity\activclient\accrdsub.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\activc~1.lnk - c:\program files\actividentity\activclient\acsagent.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
LSP: c:\program files\avira\antivir desktop\avsda.dll
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{9887B342-0491-449B-A360-B3AC871E5DE3} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{9887B342-0491-449B-A360-B3AC871E5DE3}\16462626D20727F646 : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{9887B342-0491-449B-A360-B3AC871E5DE3}\350756564645F6573686442363645403 : DHCPNameServer = 192.168.5.1
Filter: video/mp4 - {20C75730-7C25-476B-95DC-C65810F9E489} - c:\program files\amd\steadyvideo\VideoMIMEFilter.dll
Filter: video/x-flv - {20C75730-7C25-476B-95DC-C65810F9E489} - c:\program files\amd\steadyvideo\VideoMIMEFilter.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\36.0.1985.125\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\user\appdata\roaming\mozilla\firefox\profiles\fmruwdpp.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - plugin: c:\program files\google\update\1.3.24.7\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\dtplugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\users\user\appdata\local\facebook\video\skype\npFacebookVideoCalling.dll
FF - plugin: c:\users\user\appdata\locallow\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_13_0_0_214.dll
.
============= SERVICES / DRIVERS ===============
.
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2013-6-6 37352]
R1 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [2014-2-18 74456]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2013-6-6 97648]
R2 hmpalert;HitmanPro.Alert Support Driver;c:\windows\system32\drivers\hmpalert.sys [2014-4-3 75640]
R3 amdhub30;AMD USB 3.0 Hub Driver;c:\windows\system32\drivers\amdhub30.sys [2012-1-4 82560]
R3 amdxhc;AMD USB 3.0 Host Controller Driver;c:\windows\system32\drivers\amdxhc.sys [2012-1-4 173184]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-11-4 23256]
R3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys [2014-3-26 51928]
S3 AKSIM;ActivKey Sim;c:\windows\system32\drivers\aksim.sys [2013-6-24 26496]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2011-4-12 62464]
S3 hitmanpro37;HitmanPro 3.7 Support Driver;c:\windows\system32\drivers\hitmanpro37.sys [2014-1-28 30976]
.
=============== Created Last 30 ================
.
2014-08-03 08:41:51 29160 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2014-08-03 08:41:48 -------- d-----w- c:\programdata\RogueKiller
2014-08-01 11:13:42 2425856 ----a-w- c:\windows\system32\wucltux.dll
2014-08-01 11:13:08 92672 ----a-w- c:\windows\system32\wudriver.dll
2014-08-01 11:12:45 179656 ----a-w- c:\windows\system32\wuwebv.dll
2014-08-01 11:12:44 33792 ----a-w- c:\windows\system32\wuapp.exe
2014-07-22 13:25:53 -------- d-----w- c:\users\user\appdata\local\Diagnostics
2014-07-21 08:20:05 -------- d-----w- c:\users\user\appdata\local\Apple Computer
2014-07-21 08:19:22 26840 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2014-07-21 08:16:29 -------- d-----w- c:\program files\iPod
2014-07-21 08:16:27 -------- d-----w- c:\programdata\188F1432-103A-4ffb-80F1-36B633C5C9E1
2014-07-21 08:16:27 -------- d-----w- c:\program files\iTunes
2014-07-21 08:12:36 -------- d-----w- c:\users\user\appdata\local\Apple
2014-07-21 08:10:07 -------- d-----w- c:\program files\Bonjour
2014-07-09 11:18:55 1068032 ----a-w- c:\windows\system32\mshtmlmedia.dll
2014-07-09 11:18:54 62464 ----a-w- c:\windows\system32\MshtmlDac.dll
2014-07-09 11:18:53 752640 ----a-w- c:\program files\common files\microsoft shared\vgx\VGX.dll
2014-07-09 11:18:52 592896 ----a-w- c:\windows\system32\jscript9diag.dll
2014-07-09 11:18:49 455168 ----a-w- c:\windows\system32\vbscript.dll
2014-07-09 11:18:48 4254720 ----a-w- c:\windows\system32\jscript9.dll
2014-07-09 11:18:08 509440 ----a-w- c:\windows\system32\qedit.dll
.
==================== Find3M  ====================
.
2014-08-04 20:38:50 107736 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-07-26 12:13:31 35848 ----a-w- c:\windows\system32\drivers\avnetflt.sys
2014-07-08 17:33:02 71344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-07-08 17:33:02 699056 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-06-30 01:40:16 404480 ----a-w- c:\windows\system32\aepdu.dll
2014-06-30 01:36:00 302592 ----a-w- c:\windows\system32\aeinv.dll
2014-06-24 09:58:27 97648 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2014-06-18 23:56:37 2724864 ----a-w- c:\windows\system32\mshtml.tlb
2014-06-18 23:56:03 4096 ----a-w- c:\windows\system32\ieetwcollectorres.dll
2014-06-18 23:37:23 61952 ----a-w- c:\windows\system32\iesetup.dll
2014-06-18 23:36:35 51200 ----a-w- c:\windows\system32\ieetwproxystub.dll
2014-06-18 23:23:27 112128 ----a-w- c:\windows\system32\ieUnatt.exe
2014-06-18 23:23:24 108032 ----a-w- c:\windows\system32\ieetwcollector.exe
2014-06-18 23:16:33 646144 ----a-w- c:\windows\system32\MsSpellCheckingFacility.exe
2014-06-18 23:06:10 32256 ----a-w- c:\windows\system32\JavaScriptCollectionAgent.dll
2014-06-18 22:45:59 1964544 ----a-w- c:\windows\system32\inetcpl.cpl
2014-06-18 22:13:59 1791488 ----a-w- c:\windows\system32\wininet.dll
2014-06-18 01:51:32 646144 ----a-w- c:\windows\system32\osk.exe
2014-06-18 00:52:00 2350080 ----a-w- c:\windows\system32\win32k.sys
2014-06-10 19:50:24 6112864 ----a-w- c:\windows\system32\usbaaplrc.dll
2014-06-10 19:50:24 45056 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2014-06-05 14:26:50 1059840 ----a-w- c:\windows\system32\lsasrv.dll
2014-05-30 07:52:51 172032 ----a-w- c:\windows\system32\wdigest.dll
2014-05-30 07:52:49 65536 ----a-w- c:\windows\system32\TSpkg.dll
2014-05-30 07:52:45 247808 ----a-w- c:\windows\system32\schannel.dll
2014-05-30 07:52:41 220160 ----a-w- c:\windows\system32\ncrypt.dll
2014-05-30 07:52:40 259584 ----a-w- c:\windows\system32\msv1_0.dll
2014-05-30 07:52:36 550912 ----a-w- c:\windows\system32\kerberos.dll
2014-05-30 07:52:30 17408 ----a-w- c:\windows\system32\credssp.dll
2014-05-30 06:36:07 338944 ----a-w- c:\windows\system32\drivers\afd.sys
2014-05-16 13:25:48 204064 ----a-w- c:\windows\system32\drivers\VBoxDrv.sys
2014-05-16 13:24:56 116512 ----a-w- c:\windows\system32\drivers\VBoxNetAdp.sys
2014-05-16 13:24:54 104736 ----a-w- c:\windows\system32\drivers\VBoxUSBMon.sys
2014-05-16 13:24:48 174880 ------w- c:\windows\system32\VBoxNetFltNobj.dll
2014-05-12 05:26:08 51928 ----a-w- c:\windows\system32\drivers\mwac.sys
2014-05-12 05:25:58 74456 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-05-12 05:25:54 23256 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-05-08 09:06:54 2742784 ----a-w- c:\windows\system32\rdpcorets.dll
2014-05-08 09:06:54 13824 ----a-w- c:\windows\system32\RdpGroupPolicyExtension.dll
.
============= FINISH: 22:47:46,25 ===============
#2 Bleky

Bleky
  • Topic Starter

  • Members
  • 185 posts
  • Gender:Male
  • Location:Somewhere on internet

Posted 04 August 2014 - 03:56 PM

Sorry for the double post.



#3 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 04 August 2014 - 04:39 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!