
Rootkit Infection/Leftovers



So last week, I managed to pick up what I would eventually find to be a rootkit. Initial scans with MBAM and Housecall turned up nothing, so I began to research the symptoms (high CPU/network use while idle/minimal startup programs). I was unable to boot from either the AVG Rescue Disc or KAV Rescue Disc, or a thumb drive version of KAV Rescue Disc. I came across various forum threads with similar problems and several tools (Combofix, GMER, dds, Defogger, RKUnhooker, mbr, RSIT, aswMBR) all of which I've downloaded and run at various points and saved logfiles. I then found Kaspersky TDSSKiller, which found part of the problem but still left 2 suspicious items. Something still seems to be amiss. I now turn to those with vastly more experience than myself, which I probably should have done from the start. Any help would be greatly appreciated.

Please find the attached MBAM and DDS logs. Due to family obligations, I will be away from the infected machine from Sunday April 15 through Tuesday April 17, returning on Wednesday April 18.

Thanks again!

Malwarebytes Anti-Malware 1.61.0.1400

www.malwarebytes.org

Database version: v2012.04.13.04

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

Administrator :: RETAIL007 [administrator]

4/13/2012 10:40:42 AM

mbam-log-2012-04-13 (10-40-42).txt

Scan type: Full scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 257535

Time elapsed: 46 minute(s), 8 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by Administrator at 12:03:16 on 2012-04-13

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.323 [GMT -4:00]

.

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\userinit.exe

C:\WINDOWS\Explorer.EXE

svchost.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\Program Files\Trend Micro\RUBotted\RUBotSrv.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\imapi.exe

.

============== Pseudo HJT Report ===============

.

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [Trend Micro RUBotted V2.0 Beta] c:\program files\trend micro\rubotted\RUBottedGUI.exe

DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

TCP: DhcpNameServer = 24.178.162.3 97.81.22.195 192.168.1.1

TCP: Interfaces\{E4E65FFB-9453-48EE-85F1-C72FD9C9604C} : DhcpNameServer = 24.178.162.3 97.81.22.195 192.168.1.1

Notify: igfxcui - igfxsrvc.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\nhguzac0.default\

.

============= SERVICES / DRIVERS ===============

.

R2 RUBotSrv;Trend Micro RUBotted Service;c:\program files\trend micro\rubotted\RUBotSrv.exe [2012-4-11 439632]

R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-9-1 136176]

S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\common files\symantec shared\eengine\eraserutilrebootdrv.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [?]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-9-1 136176]

S3 SQLAgent$UPSWSDBSERVER;SQLAgent$UPSWSDBSERVER;c:\ups\wstd\mssql$upswsdbserver\binn\sqlagent.exe -i upswsdbserver --> c:\ups\wstd\mssql$upswsdbserver\binn\sqlagent.EXE -i UPSWSDBSERVER [?]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

S4 MSSQL$UPSWSDBSERVER;MSSQL$UPSWSDBSERVER;c:\ups\wstd\mssql$upswsdbserver\binn\sqlservr.exe -supswsdbserver --> c:\ups\wstd\mssql$upswsdbserver\binn\sqlservr.exe -sUPSWSDBSERVER [?]

S4 SimpleHelpSimpleGatewayService;SimpleHelp SimpleGateway Service;c:\program files\simplehelpservice\SimpleService.exe [2011-8-20 98712]

.

=============== Created Last 30 ================

.

2012-04-13 14:37:23 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-04-13 14:37:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-04-12 16:48:30 -------- d-----w- C:\TDSSKiller_Quarantine

2012-04-12 14:42:41 -------- d-----w- c:\documents and settings\administrator\local settings\application data\CutePDF Writer

2012-04-11 17:44:12 -------- d-----w- c:\documents and settings\all users\application data\Trend Micro

2012-04-11 17:44:07 200976 ----a-w- c:\windows\system32\drivers\tmcomm.sys

2012-04-11 17:43:04 -------- d-----w- c:\program files\WinPcap

2012-04-07 20:39:42 -------- d-sha-r- C:\cmdcons

2012-04-07 20:38:34 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Temp

2012-04-07 20:38:34 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Adobe

2012-04-07 20:32:23 208896 ----a-w- c:\windows\MBR.exe

2012-04-07 20:32:22 98816 ----a-w- c:\windows\sed.exe

2012-04-07 20:32:22 518144 ----a-w- c:\windows\SWREG.exe

2012-04-07 20:32:22 256000 ----a-w- c:\windows\PEV.exe

2012-04-07 19:46:18 -------- d-sh--w- c:\documents and settings\administrator\PrivacIE

2012-04-07 19:45:42 -------- d-sh--w- c:\documents and settings\administrator\IECompatCache

2012-04-07 19:39:09 -------- d-----w- C:\found.003

2012-04-07 18:56:26 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Google

2012-04-07 18:19:23 -------- d-----w- c:\documents and settings\administrator\application data\Malwarebytes

2012-04-07 18:04:36 388096 ----a-r- c:\documents and settings\administrator\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe

2012-04-07 17:55:26 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Mozilla

2012-04-07 17:54:01 -------- d-sh--w- c:\documents and settings\administrator\IETldCache

2012-04-07 16:37:02 -------- d-----w- c:\windows\system32\wbem\repository\FS

2012-04-07 16:37:02 -------- d-----w- c:\windows\system32\wbem\Repository

.

==================== Find3M ====================

.

2012-02-20 15:09:06 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-02-03 09:22:18 1860096 ----a-w- c:\windows\system32\win32k.sys

.

============= FINISH: 12:04:48.51 ===============

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-08-26.01)

.

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume1

Install Date: 5/22/2007 10:57:31 AM

System Uptime: 4/13/2012 12:02:18 PM (0 hours ago)

.

Motherboard: Dell Computer Corp. | | 0C2425

Processor: Intel® Pentium® 4 CPU 2.80GHz | Microprocessor | 2790/533mhz

.

==== Disk Partitions =========================

.

A: is Removable

C: is FIXED (NTFS) - 74 GiB total, 54.619 GiB free.

D: is CDROM ()

.

==== Disabled Device Manager Items =============

.

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}

Description: Multimedia Audio Controller

Device ID: PCI\VEN_8086&DEV_24C5&SUBSYS_01601028&REV_01\3&172E68DD&0&FD

Manufacturer:

Name: Multimedia Audio Controller

PNP Device ID: PCI\VEN_8086&DEV_24C5&SUBSYS_01601028&REV_01\3&172E68DD&0&FD

Service:

.

==== System Restore Points ===================

.

RP1678: 1/15/2012 5:15:10 AM - System Checkpoint

RP1679: 1/16/2012 6:14:58 AM - System Checkpoint

RP1680: 1/17/2012 6:38:19 AM - System Checkpoint

RP1681: 1/18/2012 7:38:18 AM - System Checkpoint

RP1682: 1/19/2012 8:38:17 AM - System Checkpoint

RP1683: 1/20/2012 9:14:53 AM - System Checkpoint

RP1684: 1/21/2012 9:38:06 AM - System Checkpoint

RP1685: 1/22/2012 10:38:06 AM - System Checkpoint

RP1686: 1/23/2012 1:08:20 PM - System Checkpoint

RP1687: 1/24/2012 1:13:31 PM - System Checkpoint

RP1688: 1/25/2012 2:13:31 PM - System Checkpoint

RP1689: 1/26/2012 4:16:50 PM - System Checkpoint

RP1690: 1/27/2012 5:21:29 PM - System Checkpoint

RP1691: 1/28/2012 6:04:59 PM - System Checkpoint

RP1692: 1/29/2012 7:05:07 PM - System Checkpoint

RP1693: 1/30/2012 7:45:53 PM - System Checkpoint

RP1694: 1/31/2012 3:00:16 AM - Software Distribution Service 3.0

RP1695: 2/2/2012 12:29:12 PM - System Checkpoint

RP1696: 2/3/2012 1:01:00 PM - System Checkpoint

RP1697: 2/4/2012 1:21:52 PM - System Checkpoint

RP1698: 2/5/2012 1:38:21 PM - System Checkpoint

RP1699: 2/6/2012 2:36:18 PM - System Checkpoint

RP1700: 2/7/2012 3:13:49 PM - System Checkpoint

RP1701: 2/8/2012 4:21:29 PM - System Checkpoint

RP1702: 2/9/2012 5:11:56 PM - System Checkpoint

RP1703: 2/10/2012 6:13:46 PM - System Checkpoint

RP1704: 2/11/2012 6:33:40 PM - System Checkpoint

RP1705: 2/12/2012 7:15:39 PM - System Checkpoint

RP1706: 2/13/2012 8:14:09 PM - System Checkpoint

RP1707: 2/14/2012 9:14:07 PM - System Checkpoint

RP1708: 2/15/2012 10:14:05 PM - System Checkpoint

RP1709: 2/16/2012 3:53:47 PM - Software Distribution Service 3.0

RP1710: 2/17/2012 5:06:34 PM - System Checkpoint

RP1711: 2/18/2012 5:15:41 PM - System Checkpoint

RP1712: 2/19/2012 5:47:44 PM - System Checkpoint

RP1713: 2/20/2012 6:06:41 PM - System Checkpoint

RP1714: 2/21/2012 6:55:20 PM - System Checkpoint

RP1715: 2/22/2012 7:55:20 PM - System Checkpoint

RP1716: 2/23/2012 7:59:24 PM - System Checkpoint

RP1717: 2/24/2012 8:59:25 PM - System Checkpoint

RP1718: 2/25/2012 9:24:30 PM - System Checkpoint

RP1719: 2/26/2012 10:24:33 PM - System Checkpoint

RP1720: 2/27/2012 11:13:15 PM - System Checkpoint

RP1721: 2/29/2012 12:13:12 AM - System Checkpoint

RP1722: 3/1/2012 12:15:11 AM - System Checkpoint

RP1723: 3/2/2012 1:11:04 AM - System Checkpoint

RP1724: 3/2/2012 11:15:50 AM - Removed Adobe Reader 8.1.3

RP1725: 3/3/2012 12:23:11 PM - System Checkpoint

RP1726: 3/4/2012 12:24:14 PM - System Checkpoint

RP1727: 3/5/2012 12:56:28 PM - System Checkpoint

RP1728: 3/6/2012 1:10:44 PM - System Checkpoint

RP1729: 3/7/2012 2:10:43 PM - System Checkpoint

RP1730: 3/8/2012 4:52:23 PM - System Checkpoint

RP1731: 3/9/2012 5:59:56 PM - System Checkpoint

RP1732: 3/10/2012 6:06:18 PM - System Checkpoint

RP1733: 3/11/2012 7:06:29 PM - System Checkpoint

RP1734: 3/12/2012 7:55:55 PM - System Checkpoint

RP1735: 3/13/2012 8:55:55 PM - System Checkpoint

RP1736: 3/14/2012 3:00:20 AM - Software Distribution Service 3.0

RP1737: 3/15/2012 12:28:42 PM - System Checkpoint

RP1738: 3/16/2012 12:46:03 PM - System Checkpoint

RP1739: 3/17/2012 1:32:13 PM - System Checkpoint

RP1740: 3/18/2012 3:25:17 PM - System Checkpoint

RP1741: 3/19/2012 3:59:14 PM - System Checkpoint

RP1742: 3/20/2012 4:48:48 PM - System Checkpoint

RP1743: 3/21/2012 5:48:47 PM - System Checkpoint

RP1744: 3/22/2012 5:59:04 PM - System Checkpoint

RP1745: 3/23/2012 6:01:36 PM - System Checkpoint

RP1746: 3/24/2012 6:18:38 PM - System Checkpoint

RP1747: 3/25/2012 7:06:45 PM - System Checkpoint

RP1748: 3/26/2012 7:30:29 PM - System Checkpoint

RP1749: 3/27/2012 8:30:29 PM - System Checkpoint

RP1750: 3/28/2012 9:30:29 PM - System Checkpoint

RP1751: 3/29/2012 9:35:41 PM - System Checkpoint

RP1752: 3/30/2012 9:58:07 PM - System Checkpoint

RP1753: 3/31/2012 9:58:48 PM - System Checkpoint

RP1754: 4/1/2012 10:58:54 PM - System Checkpoint

RP1755: 4/2/2012 11:28:10 PM - System Checkpoint

RP1756: 4/3/2012 11:29:05 PM - System Checkpoint

RP1757: 4/4/2012 11:33:14 PM - System Checkpoint

RP1758: 4/6/2012 12:15:04 AM - System Checkpoint

RP1759: 4/7/2012 1:15:03 AM - System Checkpoint

RP1760: 4/7/2012 12:36:11 PM - Restore Operation

RP1761: 4/7/2012 2:04:31 PM - Installed HiJackThis

RP1762: 4/12/2012 12:59:49 PM - ComboFix created restore point

RP1763: 4/13/2012 3:00:34 AM - Software Distribution Service 3.0

.

==== Installed Programs ======================

.

Adobe Flash Player 11 ActiveX

Adobe Reader X (10.1.2)

Broadcom 440x 10/100 Integrated Controller

CCC

Conexant D850 56K V.9x DFVc Modem

Critical Update for Windows Media Player 11 (KB959772)

CutePDF Writer 2.8

FormsComponent

FOSS

GIMP 2.6.11

Google Chrome

Google Update Helper

HiJackThis

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows Internet Explorer 7 (KB947864)

Hotfix for Windows Media Format 11 SDK (KB929399)

Hotfix for Windows Media Player 11 (KB939683)

Hotfix for Windows XP (KB2158563)

Hotfix for Windows XP (KB2443685)

Hotfix for Windows XP (KB2570791)

Hotfix for Windows XP (KB2633952)

Hotfix for Windows XP (KB942288-v3)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB954550-v5)

Hotfix for Windows XP (KB958655-v2)

Hotfix for Windows XP (KB961118)

Hotfix for Windows XP (KB970653-v3)

Hotfix for Windows XP (KB976098-v2)

Hotfix for Windows XP (KB979306)

Hotfix for Windows XP (KB981793)

ICCHelp

Intel® Extreme Graphics Driver

Java™ 6 Update 13

KONICA MINOLTA magicolor 2400W

Malwarebytes Anti-Malware version 1.61.0.1400

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft .NET Framework 4 Client Profile

Microsoft .NET Framework 4 Extended

Microsoft .NET Framework 4 Multi-Targeting Pack

Microsoft Application Error Reporting

Microsoft Compression Client Pack 1.0 for Windows XP

Microsoft Help Viewer 1.0

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft National Language Support Downlevel APIs

Microsoft Office Professional Edition 2003

Microsoft Outlook Personal Folders Backup

Microsoft SQL Server 2008 Management Objects

Microsoft SQL Server Compact 3.5 SP2 ENU

Microsoft SQL Server Desktop Engine (UPSWSDBSERVER)

Microsoft User-Mode Driver Framework Feature Pack 1.0

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729

Microsoft Windows SDK for Visual Studio 2008 Headers and Libraries

Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for .NET Framework - enu

Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for Win32

Mozilla Firefox 9.0.1 (x86 en-US)

MSIChecker

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

NA1Messenger

NRF

PDFZilla V1.2.9

PolicyManager

Reconciler

ReportServer

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)

Security Update for Microsoft .NET Framework 4 Extended (KB2416472)

Security Update for Microsoft .NET Framework 4 Extended (KB2487367)

Security Update for Microsoft .NET Framework 4 Extended (KB2656351)

Security Update for Microsoft Windows (KB2564958)

Security Update for Windows Internet Explorer 7 (KB929969)

Security Update for Windows Internet Explorer 7 (KB931768)

Security Update for Windows Internet Explorer 7 (KB933566)

Security Update for Windows Internet Explorer 7 (KB937143)

Security Update for Windows Internet Explorer 7 (KB938127)

Security Update for Windows Internet Explorer 7 (KB939653)

Security Update for Windows Internet Explorer 7 (KB942615)

Security Update for Windows Internet Explorer 7 (KB944533)

Security Update for Windows Internet Explorer 7 (KB950759)

Security Update for Windows Internet Explorer 7 (KB953838)

Security Update for Windows Internet Explorer 7 (KB956390)

Security Update for Windows Internet Explorer 7 (KB958215)

Security Update for Windows Internet Explorer 7 (KB960714)

Security Update for Windows Internet Explorer 7 (KB961260)

Security Update for Windows Internet Explorer 7 (KB963027)

Security Update for Windows Internet Explorer 7 (KB969897)

Security Update for Windows Internet Explorer 8 (KB2183461)

Security Update for Windows Internet Explorer 8 (KB2360131)

Security Update for Windows Internet Explorer 8 (KB2416400)

Security Update for Windows Internet Explorer 8 (KB2482017)

Security Update for Windows Internet Explorer 8 (KB2497640)

Security Update for Windows Internet Explorer 8 (KB2510531)

Security Update for Windows Internet Explorer 8 (KB2530548)

Security Update for Windows Internet Explorer 8 (KB2544521)

Security Update for Windows Internet Explorer 8 (KB2559049)

Security Update for Windows Internet Explorer 8 (KB2586448)

Security Update for Windows Internet Explorer 8 (KB2618444)

Security Update for Windows Internet Explorer 8 (KB2647516)

Security Update for Windows Internet Explorer 8 (KB969897)

Security Update for Windows Internet Explorer 8 (KB971961)

Security Update for Windows Internet Explorer 8 (KB972260)

Security Update for Windows Internet Explorer 8 (KB974455)

Security Update for Windows Internet Explorer 8 (KB976325)

Security Update for Windows Internet Explorer 8 (KB978207)

Security Update for Windows Internet Explorer 8 (KB981332)

Security Update for Windows Internet Explorer 8 (KB982381)

Security Update for Windows Media Player (KB2378111)

Security Update for Windows Media Player (KB911564)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player (KB954155)

Security Update for Windows Media Player (KB968816)

Security Update for Windows Media Player (KB973540)

Security Update for Windows Media Player (KB975558)

Security Update for Windows Media Player (KB978695)

Security Update for Windows Media Player 11 (KB936782)

Security Update for Windows Media Player 11 (KB954154)

Security Update for Windows Media Player 6.4 (KB925398)

Security Update for Windows XP (KB2079403)

Security Update for Windows XP (KB2115168)

Security Update for Windows XP (KB2121546)

Security Update for Windows XP (KB2160329)

Security Update for Windows XP (KB2229593)

Security Update for Windows XP (KB2259922)

Security Update for Windows XP (KB2279986)

Security Update for Windows XP (KB2286198)

Security Update for Windows XP (KB2296011)

Security Update for Windows XP (KB2296199)

Security Update for Windows XP (KB2347290)

Security Update for Windows XP (KB2360937)

Security Update for Windows XP (KB2387149)

Security Update for Windows XP (KB2393802)

Security Update for Windows XP (KB2412687)

Security Update for Windows XP (KB2419632)

Security Update for Windows XP (KB2423089)

Security Update for Windows XP (KB2436673)

Security Update for Windows XP (KB2440591)

Security Update for Windows XP (KB2443105)

Security Update for Windows XP (KB2476490)

Security Update for Windows XP (KB2476687)

Security Update for Windows XP (KB2478960)

Security Update for Windows XP (KB2478971)

Security Update for Windows XP (KB2479628)

Security Update for Windows XP (KB2479943)

Security Update for Windows XP (KB2481109)

Security Update for Windows XP (KB2483185)

Security Update for Windows XP (KB2485376)

Security Update for Windows XP (KB2485663)

Security Update for Windows XP (KB2503658)

Security Update for Windows XP (KB2503665)

Security Update for Windows XP (KB2506212)

Security Update for Windows XP (KB2506223)

Security Update for Windows XP (KB2507618)

Security Update for Windows XP (KB2507938)

Security Update for Windows XP (KB2508272)

Security Update for Windows XP (KB2508429)

Security Update for Windows XP (KB2509553)

Security Update for Windows XP (KB2511455)

Security Update for Windows XP (KB2524375)

Security Update for Windows XP (KB2535512)

Security Update for Windows XP (KB2536276-v2)

Security Update for Windows XP (KB2536276)

Security Update for Windows XP (KB2544893-v2)

Security Update for Windows XP (KB2544893)

Security Update for Windows XP (KB2555917)

Security Update for Windows XP (KB2562937)

Security Update for Windows XP (KB2566454)

Security Update for Windows XP (KB2567053)

Security Update for Windows XP (KB2567680)

Security Update for Windows XP (KB2570222)

Security Update for Windows XP (KB2570947)

Security Update for Windows XP (KB2584146)

Security Update for Windows XP (KB2585542)

Security Update for Windows XP (KB2592799)

Security Update for Windows XP (KB2598479)

Security Update for Windows XP (KB2603381)

Security Update for Windows XP (KB2618451)

Security Update for Windows XP (KB2619339)

Security Update for Windows XP (KB2620712)

Security Update for Windows XP (KB2621440)

Security Update for Windows XP (KB2624667)

Security Update for Windows XP (KB2631813)

Security Update for Windows XP (KB2633171)

Security Update for Windows XP (KB2639417)

Security Update for Windows XP (KB2641653)

Security Update for Windows XP (KB2646524)

Security Update for Windows XP (KB2647518)

Security Update for Windows XP (KB2660465)

Security Update for Windows XP (KB2661637)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB923789)

Security Update for Windows XP (KB938464-v2)

Security Update for Windows XP (KB938464)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950760)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951376)

Security Update for Windows XP (KB951698)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB953839)

Security Update for Windows XP (KB954211)

Security Update for Windows XP (KB954459)

Security Update for Windows XP (KB954600)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956391)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956744)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956841)

Security Update for Windows XP (KB956844)

Security Update for Windows XP (KB957095)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958687)

Security Update for Windows XP (KB958690)

Security Update for Windows XP (KB958869)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960715)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB960859)

Security Update for Windows XP (KB961371)

Security Update for Windows XP (KB961373)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB968537)

Security Update for Windows XP (KB969059)

Security Update for Windows XP (KB969898)

Security Update for Windows XP (KB969947)

Security Update for Windows XP (KB970238)

Security Update for Windows XP (KB970430)

Security Update for Windows XP (KB971468)

Security Update for Windows XP (KB971486)

Security Update for Windows XP (KB971557)

Security Update for Windows XP (KB971633)

Security Update for Windows XP (KB971657)

Security Update for Windows XP (KB972270)

Security Update for Windows XP (KB973346)

Security Update for Windows XP (KB973354)

Security Update for Windows XP (KB973507)

Security Update for Windows XP (KB973525)

Security Update for Windows XP (KB973869)

Security Update for Windows XP (KB973904)

Security Update for Windows XP (KB974112)

Security Update for Windows XP (KB974318)

Security Update for Windows XP (KB974392)

Security Update for Windows XP (KB974571)

Security Update for Windows XP (KB975025)

Security Update for Windows XP (KB975467)

Security Update for Windows XP (KB975560)

Security Update for Windows XP (KB975561)

Security Update for Windows XP (KB975562)

Security Update for Windows XP (KB975713)

Security Update for Windows XP (KB977165)

Security Update for Windows XP (KB977816)

Security Update for Windows XP (KB977914)

Security Update for Windows XP (KB978037)

Security Update for Windows XP (KB978251)

Security Update for Windows XP (KB978262)

Security Update for Windows XP (KB978338)

Security Update for Windows XP (KB978542)

Security Update for Windows XP (KB978601)

Security Update for Windows XP (KB978706)

Security Update for Windows XP (KB979309)

Security Update for Windows XP (KB979482)

Security Update for Windows XP (KB979559)

Security Update for Windows XP (KB979683)

Security Update for Windows XP (KB979687)

Security Update for Windows XP (KB980195)

Security Update for Windows XP (KB980218)

Security Update for Windows XP (KB980232)

Security Update for Windows XP (KB980436)

Security Update for Windows XP (KB981322)

Security Update for Windows XP (KB981852)

Security Update for Windows XP (KB981957)

Security Update for Windows XP (KB981997)

Security Update for Windows XP (KB982132)

Security Update for Windows XP (KB982214)

Security Update for Windows XP (KB982665)

Security Update for Windows XP (KB982802)

SQL Server System CLR Types

SupportUtility

System

Trend Micro RUBotted 2.0 Beta

UnifiedPrinting

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Microsoft .NET Framework 4 Client Profile (KB2473228)

Update for Windows Internet Explorer 8 (KB971930)

Update for Windows Internet Explorer 8 (KB976662)

Update for Windows Internet Explorer 8 (KB976749)

Update for Windows Internet Explorer 8 (KB980182)

Update for Windows XP (KB2141007)

Update for Windows XP (KB2345886)

Update for Windows XP (KB2467659)

Update for Windows XP (KB2541763)

Update for Windows XP (KB2607712)

Update for Windows XP (KB2616676)

Update for Windows XP (KB2641690)

Update for Windows XP (KB951072-v2)

Update for Windows XP (KB951978)

Update for Windows XP (KB955759)

Update for Windows XP (KB955839)

Update for Windows XP (KB967715)

Update for Windows XP (KB968389)

Update for Windows XP (KB971029)

Update for Windows XP (KB971737)

Update for Windows XP (KB973687)

Update for Windows XP (KB973815)

UPS WorldShip

UPSDB

UPSICC

UPSlinkHTTP

UPSVCMM

WebFldrs XP

WebHelp

Windows Genuine Advantage Notifications (KB905474)

Windows Genuine Advantage Validation Tool (KB892130)

Windows Internet Explorer 7

Windows Internet Explorer 8

Windows Media Format 11 runtime

Windows Media Player 11

Windows XP Service Pack 3

WinPcap 4.1.1

WinUtilities 10.32 Free Edition

WorldShip

.

==== Event Viewer Messages From Past Week ========

.

4/9/2012 10:26:51 AM, error: Service Control Manager [7034] - The Terminal Services service terminated unexpectedly. It has done this 1 time(s).

4/9/2012 10:26:51 AM, error: Service Control Manager [7031] - The DCOM Server Process Launcher service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.

4/9/2012 10:10:49 AM, error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume C:.

4/13/2012 10:24:51 AM, error: System Error [1003] - Error code 000000f4, parameter1 00000003, parameter2 82edc7b8, parameter3 82edc92c, parameter4 805fb1d6.

4/12/2012 2:20:02 PM, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.

4/12/2012 10:22:10 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service MDM with arguments "" in order to run the server: {0C0A3666-30C9-11D0-8F20-00805F2CD064}

4/12/2012 10:03:59 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

4/12/2012 10:03:23 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service MDM with arguments "" in order to run the server: {943B6A75-BB5E-41A7-A6D3-A1A5E892B33B}

4/11/2012 3:34:05 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm

4/11/2012 2:54:37 PM, error: PlugPlayManager [11] - The device Root\LEGACY_SYMTDI\0000 disappeared from the system without first being prepared for removal.

4/11/2012 2:54:37 PM, error: PlugPlayManager [11] - The device Root\LEGACY_ERASERUTILREBOOTDRV\0000 disappeared from the system without first being prepared for removal.

4/11/2012 2:30:19 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Trend Micro RUBotted Service service to connect.

4/11/2012 2:30:19 PM, error: Service Control Manager [7000] - The Trend Micro RUBotted Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

4/11/2012 2:29:03 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000243' while processing the file 'SrtETmp' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.

4/11/2012 12:55:22 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

4/11/2012 12:54:48 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD eeCtrl Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SRTSP SRTSPX SYMTDI Tcpip WS2IFSL

4/11/2012 12:54:48 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.

4/11/2012 12:54:48 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.

4/11/2012 12:54:48 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

4/11/2012 12:54:48 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.

4/11/2012 12:21:52 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: SYMTDI

.

==== End Of File ===========================

Merged 2nd post into this ~ Moderator

Just realized I left out the rootkit that TDSSKiller found - it was Rootkit.Boot.Pihar.b. aswMBR is finding infected files but the option to "Fix" is greyed out, with only "FixMBR", "Save Log", and "Exit" being available. Also, RKUnhooker is detecting rootkit activity again :mellow:

Edited by Maurice Naggar
Merged 2 posts

Hello jss2811,

A rootkit or bootkit is an extremely serious infection. Please confirm for me that this is your system, and that it is not a business computer.

Advise me if you have the Windows operating system CD and if you have a very recent backup of this system from before the infection.

Disconnect this system from any network and from the internet.

This system may well have serious backdoor trojans, spyware, and likely, a rootkit.

This is a point where you need to decide about whether to make a clean start.

Rootkits or trojans may well allow hackers to remotely control your computer, steal critical system information, and download and execute files.

You are strongly advised to do the following immediately.

1. Call your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and ask them to put a watch on your accounts or change all your account numbers.

2. From a clean computer, change ALL your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups.

3. Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information. These trojans leave a backdoor open on the system that can allow a hacker total and complete access to your computer (remote access trojan). Hackers can operate your computer just as if they were sitting in front of it. Hackers can watch everything you are doing on the computer, play tricks, do screenshots, log passwords, start and stop programs.

* Take any other steps you think appropriate for an attempted identity theft.

You should also understand that once a system has been compromised by a Trojan backdoor, it can never really be trusted again unless you completely reformat the hard drives and reinstall Windows fresh. While we usually can successfully remove malware like this, we cannot guarantee that it is totally gone, and that your system is completely safe to use for future financial information and/or transactions. I would recommend that you do a full reformat and reinstall of Windows rather than clean the system.

I suggest that you backup important files and reinstall everything from scratch. There are so many changes that could have been done if that backdoor was used.

Here is some additional information: What Is A Backdoor Trojan? http://www.geekstogo.com/2007/10/03/what-is-a-backdoor-trojan

Danger: Remote Access Trojans http://www.microsoft.com/technet/security/alerts/info/virusrat.mspx

Consumers – Identity Theft http://www.ftc.gov/bcp/edu/microsites/idtheft/consumers/index.html

When should I re-format? How should I reinstall? http://www.dslreports.com/faq/10063

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? http://www.dslreports.com/faq/10451

Rootkits: The Obscure Hacker Attack http://www.microsoft.com/technet/community/columns/sectip/st1005.mspx

Help: I Got Hacked. Now What Do I Do? http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx

Help: I Got Hacked. Now What Do I Do? Part II http://www.microsoft.com/technet/community/columns/secmgmt/sm0704.mspx

Microsoft Says Recovery from Malware Becoming Impossible http://www.eweek.com/article2/0,1895,1945808,00.asp
