
BDA-sjensen

Everything posted by BDA-sjensen

Greetings,

I have a system that is defying all my attempts thus far to root out whatever is infecting it. I think it's some form of rootkit that has thus far eluded all of my meager attempts at squashing, so I am hopeful that one of the gurus here can help me get rid of it. The symptoms are: Internet Explorer sometimes will run and sometimes it won't, Google searches are being redirected to other sites, "run DLL as an app" errors occur when trying to access the Add/Remove Programs applet in Control Panel, permissions issues when logged in as the user who uses this system, etc. Any help you can offer to help me on this is greatly appreciated!!

Thanks,
~Shawn

Log files are as follows:

--------------------
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5089

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

11/10/2010 11:26:59 AM
mbam-log-2010-11-10 (11-26-59).txt

Scan type: Quick scan
Objects scanned: 228870
Time elapsed: 11 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

--------------------
DDS (Ver_10-11-09.01) - NTFSx86
Run by Administrator at 11:38:00.95 on Wed 11/10/2010
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2936 [GMT -8:00]

AV: Trend Micro Client/Server Security Agent Antivirus *On-access scanning enabled* (Updated) {D8F5D366-C13B-4A59-A3F4-DBD63BFD099B}
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: Trend Micro Personal Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============

C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\Client Server Security Agent\TmPfw.exe
C:\Program Files\Trend Micro\Client Server Security Agent\tmproxy.exe
C:\Program Files\Trend Micro\Client Server Security Agent\CNTAoSMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\TrayIcon.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe
C:\Program Files\Trojan Remover\Trjscan.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Avanquest\PowerDesk\PDHookServer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Capio Utility Manager\CapioUtilityMgr.exe
C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
C:\Documents and Settings\Administrator\Desktop\Virus Removal Tool\setup_9.0.0.722_05.11.2010_04-09\setup_9.0.0.722_05.11.2010_04-09.exe
C:\Program Files\Trend Micro\Client Server Security Agent\TSC.EXE
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Capio Utility Manager\Programs\C_Cmdr.exe
C:\Documents and Settings\Administrator\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [PDHookServer] c:\program files\avanquest\powerdesk\PDHookServer.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [DisplayTrayIcon] c:\windows\system32\TrayIcon.exe
mRun: [intelliType] "c:\program files\microsoft hardware\keyboard\type32.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [synchronization Manager] "c:\windows\system32\mobsync.exe" /logon
mRun: [TrueImageMonitor.exe] "c:\program files\acronis\trueimageworkstation\TrueImageMonitor.exe"
mRun: [RoxioDragToDisc] "c:\program files\roxio\easy media creator 7\drag to disc\DrgToDsc.exe"
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\client server security agent\pccntmon.exe" -HideWindow
mRun: [bVRPLiveUpdate] "c:\program files\avanquest update\engine\setup.exe" -s /patch,/reboot,/srcupdatec:\docume~1\alluse~1\applic~1\avanqu~1\powerd~1\liveup~1\LISTOF~1.DAT
mRun: [TrojanScanner] c:\program files\trojan remover\Trjscan.exe /boot
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [RTHDCPL] RTHDCPL.EXE
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\setup_~1.lnk - c:\documents and settings\administrator\desktop\virus removal tool\setup_9.0.0.722_05.11.2010_04-09\startup.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\capiou~1.lnk - c:\program files\capio utility manager\CapioUtilityMgr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mediac~1.lnk - c:\program files\arcsoft\media card companion\MCC Monitor.exe
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0000000A-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/8/B/E/8BE028EC-F134-4AA0-84AB-64F76D6B9842/wmsp9dmo.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {31564D57-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmvax.cab
DPF: {32564D57-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv8ax.cab
DPF: {3334504D-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/mpeg4ax.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1288393779586
DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} - file:///C:/Program%20Files/ACAD2000/AcDcToday.ocx
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} - file:///C:/Program%20Files/ACAD2000/InstBanr.ocx
DPF: {C6637286-300D-11D4-AE0A-0010830243BD} - file:///C:/Program%20Files/ACAD2000/InstFred.ocx
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {F281A59C-7B65-11D3-8617-0010830243BD} - file:///C:/Program%20Files/ACAD2000/AcPreview.ocx
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SEH: Capio H1: {36ded058-d4ad-11d5-92d9-00a0cc63447c} - c:\program files\capio utility manager\programs\H1.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\94qwus5t.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

============= SERVICES / DRIVERS ===============

=============== File Associations ===============

.scr=AutoCADScriptFile

=============== Created Last 30 ================

==================== Find3M ====================

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD1600AAJS-00WAA0 rev.58.01D58 -> Harddisk0\DR0 -> \Device\Ide\IdePort2 P2T0L0-10

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A840446]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a846504]; MOV EAX, [0x8a846580]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF196] -> \Device\Harddisk0\DR0[0x8A860AB8]
3 CLASSPNP[0xB80E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF196] -> \Device\00000080[0x8A85E9E8]
5 ACPI[0xB7F7F620] -> ntkrnlpa!IofCallDriver[0x804EF196] -> [0x8A86D940]
\Driver\atapi[0x8A7CEB10] -> IRP_MJ_CREATE -> 0x8A840446
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x137; MOV BP, 0x62a; ROR BYTE [bP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IdeDeviceP2T0L0-10 -> \??\IDE#DiskWDC_WD1600AAJS-00WAA0___________________58.01D58#5&32772958&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A840292
user != kernel MBR !!!
sectors 312579693 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

============= FINISH: 11:41:33.83 ===============

--------------------
DDS (Ver_10-11-09.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 11/8/2010 12:09:26 PM
System Uptime: 11/10/2010 11:32:40 AM (0 hours ago)

Motherboard: Gigabyte Technology Co., Ltd. | | P35-DS3L
Processor: Intel® Core2 Quad CPU Q6700 @ 2.66GHz | Socket 775 | 2666/266mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 149 GiB total, 98.243 GiB free.
I: is NetworkDisk (NTFS) - 68 GiB total, 10.448 GiB free.
O: is NetworkDisk (NTFS) - 342 GiB total, 64.621 GiB free.
P: is NetworkDisk (NTFS) - 342 GiB total, 64.621 GiB free.
R: is NetworkDisk (NTFS) - 342 GiB total, 64.621 GiB free.
T: is NetworkDisk (NTFS) - 342 GiB total, 64.621 GiB free.
W: is NetworkDisk (NTFS) - 699 GiB total, 427.395 GiB free.
Z: is CDROM (CDFS)

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 11/8/2010 6:13:43 PM - System Checkpoint
RP2: 11/9/2010 10:27:28 AM - Installed Windows NLSDownlevelMapping.
RP3: 11/9/2010 10:27:52 AM - Installed Windows IDNMitigationAPIs.
RP4: 11/9/2010 10:29:09 AM - Installed Windows Internet Explorer 7.
RP5: 11/9/2010 11:44:07 AM - Installed Windows Internet Explorer 8.
RP6: 11/10/2010 10:01:02 AM - Installed SUPERAntiSpyware Free Edition

==== Installed Programs ======================

==== Event Viewer Messages From Past Week ========

==== End Of File ===========================

--------------------
GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-11-10 12:48:23
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort2 WDC_WD1600AAJS-00WAA0 rev.58.01D58
Running: ecqulwys.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\fftyqpob.sys

---- System - GMER 1.0.15 ----

SSDT 899B8DC0 ZwCreateKey
SSDT 899B82C0 ZwCreateProcess
SSDT 899B8580 ZwCreateProcessEx
SSDT 899B9A80 ZwCreateSection
SSDT 899B9F60 ZwCreateThread
SSDT 899B9340 ZwDeleteKey
SSDT 899B9600 ZwDeleteValueKey
SSDT 899BA100 ZwLoadDriver
SSDT 899B8840 ZwOpenProcess
SSDT 899B9C20 ZwOpenSection
SSDT 899B9080 ZwSetValueKey
SSDT 899B8B00 ZwTerminateProcess
SSDT 899B9DC0 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\DRIVERS\nv4_mini.sys section is writeable [0xB689C3A0, 0x5CC259, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1748] ntdll.dll!NtProtectVirtualMemory 7C90D6D0 5 Bytes JMP 00DB000A
.text C:\WINDOWS\System32\svchost.exe[1748] ntdll.dll!NtWriteVirtualMemory 7C90DF90 5 Bytes JMP 00DC000A
.text C:\WINDOWS\System32\svchost.exe[1748] ntdll.dll!KiUserExceptionDispatcher 7C90E45C 5 Bytes JMP 00DA000C
.text C:\WINDOWS\System32\svchost.exe[1748] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00E4000A
.text C:\WINDOWS\Explorer.EXE[2824] ntdll.dll!NtProtectVirtualMemory 7C90D6D0 5 Bytes JMP 00D8000A
.text C:\WINDOWS\Explorer.EXE[2824] ntdll.dll!NtWriteVirtualMemory 7C90DF90 5 Bytes JMP 00D9000A
.text C:\WINDOWS\Explorer.EXE[2824] ntdll.dll!KiUserExceptionDispatcher 7C90E45C 5 Bytes JMP 00D7000C

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
AttachedDevice TmPreFlt.sys (Pre-Filter For XP/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
Device rdpdr.sys (Microsoft RDP Device redirector/Microsoft Corporation)
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8A848292
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T0L0-3 8A848292
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8A848292
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 8A848292
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 8A848292
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort4 8A848292
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort5 8A848292
AttachedDevice \Driver\Tcpip \Device\Udp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device Cdfs.SYS (CD-ROM File System Driver/Microsoft Corporation)
Device \Device\Ide\IdeDeviceP2T0L0-10 -> \??\IDE#DiskWDC_WD1600AAJS-00WAA0___________________58.01D58#5&32772958&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@RequireSignedAppInit_DLLs 1

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00 (MBR): rootkit-like behavior; TDL4 <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 32: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 33: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sectors 312579439 (+255): rootkit-like behavior;

---- EOF - GMER 1.0.15 ----