
possible rootkit infection not detected by malwarebytes



I have a system that is defying all my attempts thus far to root out whatever is infecting it. I think it's some form of rootkit that has thus far eluded all of my meager attempts at squashing so I am hopeful that one of the gurus here can help me get rid of it.

The symptoms are: Internet Explorer sometimes will run and sometimes it won't, Google searches are being redirected to other sites, "Run DLL as an app" errors occur when trying to access the Add/Remove Programs applet in Control Panel, permissions issues when logged in as the user who uses this system, etc.

Any help you can offer to help me on this is greatly appreciated!!



Log files are as follows:


Malwarebytes' Anti-Malware 1.46


Database version: 5089

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

11/10/2010 11:26:59 AM

mbam-log-2010-11-10 (11-26-59).txt

Scan type: Quick scan

Objects scanned: 228870

Time elapsed: 11 minute(s), 41 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


DDS (Ver_10-11-09.01) - NTFSx86

Run by Administrator at 11:38:00.95 on Wed 11/10/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2936 [GMT -8:00]

AV: Trend Micro Client/Server Security Agent Antivirus *On-access scanning enabled* (Updated) {D8F5D366-C13B-4A59-A3F4-DBD63BFD099B}

AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

FW: Trend Micro Personal Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============



C:\WINDOWS\system32\svchost -k DcomLaunch


C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup




C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe



C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe



C:\Program Files\Trend Micro\Client Server Security Agent\TmPfw.exe

C:\Program Files\Trend Micro\Client Server Security Agent\tmproxy.exe

C:\Program Files\Trend Micro\Client Server Security Agent\CNTAoSMgr.exe



C:\Program Files\Microsoft Hardware\Keyboard\type32.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe

C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe

C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe

C:\Program Files\Trojan Remover\Trjscan.exe




C:\Program Files\Avanquest\PowerDesk\PDHookServer.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

C:\Program Files\Capio Utility Manager\CapioUtilityMgr.exe

C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe

C:\Documents and Settings\Administrator\Desktop\Virus Removal Tool\setup_9.0.0.722_05.11.2010_04-09\setup_9.0.0.722_05.11.2010_04-09.exe

C:\Program Files\Trend Micro\Client Server Security Agent\TSC.EXE

C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe

C:\Program Files\Capio Utility Manager\Programs\C_Cmdr.exe

C:\Documents and Settings\Administrator\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [PDHookServer] c:\program files\avanquest\powerdesk\PDHookServer.exe

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

mRun: [DisplayTrayIcon] c:\windows\system32\TrayIcon.exe

mRun: [intelliType] "c:\program files\microsoft hardware\keyboard\type32.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [synchronization Manager] "c:\windows\system32\mobsync.exe" /logon

mRun: [TrueImageMonitor.exe] "c:\program files\acronis\trueimageworkstation\TrueImageMonitor.exe"

mRun: [RoxioDragToDisc] "c:\program files\roxio\easy media creator 7\drag to disc\DrgToDsc.exe"

mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\client server security agent\pccntmon.exe" -HideWindow

mRun: [bVRPLiveUpdate] "c:\program files\avanquest update\engine\setup.exe" -s /patch,/reboot,/srcupdatec:\docume~1\alluse~1\applic~1\avanqu~1\powerd~1\liveup~1\LISTOF~1.DAT

mRun: [TrojanScanner] c:\program files\trojan remover\Trjscan.exe /boot

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup


dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe

StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\setup_~1.lnk - c:\documents and settings\administrator\desktop\virus removal tool\setup_9.0.0.722_05.11.2010_04-09\startup.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\capiou~1.lnk - c:\program files\capio utility manager\CapioUtilityMgr.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mediac~1.lnk - c:\program files\arcsoft\media card companion\MCC Monitor.exe

mPolicies-explorer: NoWelcomeScreen = 1 (0x1)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {0000000A-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/8/B/E/8BE028EC-F134-4AA0-84AB-64F76D6B9842/wmsp9dmo.cab

DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/

DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {31564D57-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmvax.cab

DPF: {32564D57-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv8ax.cab

DPF: {3334504D-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/mpeg4ax.cab

DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv9dmo.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1288393779586

DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} - file:///C:/Program%20Files/ACAD2000/AcDcToday.ocx

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} - file:///C:/Program%20Files/ACAD2000/InstBanr.ocx

DPF: {C6637286-300D-11D4-AE0A-0010830243BD} - file:///C:/Program%20Files/ACAD2000/InstFred.ocx

DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {F281A59C-7B65-11D3-8617-0010830243BD} - file:///C:/Program%20Files/ACAD2000/AcPreview.ocx

Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

SEH: Capio H1: {36ded058-d4ad-11d5-92d9-00a0cc63447c} - c:\program files\capio utility manager\programs\H1.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\94qwus5t.default\

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}


c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

============= SERVICES / DRIVERS ===============

=============== File Associations ===============


=============== Created Last 30 ================

==================== Find3M ====================

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600 Disk: WDC_WD1600AAJS-00WAA0 rev.58.01D58 -> Harddisk0\DR0 -> \Device\Ide\IdePort2 P2T0L0-10

device: opened successfully

user: MBR read successfully

Disk trace:

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A840446]<<

_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a846504]; MOV EAX, [0x8a846580]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }

1 ntkrnlpa!IofCallDriver[0x804EF196] -> \Device\Harddisk0\DR0[0x8A860AB8]

3 CLASSPNP[0xB80E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF196] -> \Device\00000080[0x8A85E9E8]

5 ACPI[0xB7F7F620] -> ntkrnlpa!IofCallDriver[0x804EF196] -> [0x8A86D940]

\Driver\atapi[0x8A7CEB10] -> IRP_MJ_CREATE -> 0x8A840446

kernel: MBR read successfully

_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x137; MOV BP, 0x62a; ROR BYTE [bP+0x0], CL; INC BP; }

detected disk devices:

\Device\Ide\IdeDeviceP2T0L0-10 -> \??\IDE#DiskWDC_WD1600AAJS-00WAA0___________________58.01D58#5&32772958&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

detected hooks:

\Driver\atapi DriverStartIo -> 0x8A840292

user != kernel MBR !!!

sectors 312579693 (+255): user != kernel

Warning: possible TDL4 rootkit infection !

TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

============= FINISH: 11:41:33.83 ===============

DDS (Ver_10-11-09.01)

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume1

Install Date: 11/8/2010 12:09:26 PM

System Uptime: 11/10/2010 11:32:40 AM (0 hours ago)

Motherboard: Gigabyte Technology Co., Ltd. | | P35-DS3L

Processor: Intel® Core2 Quad CPU Q6700 @ 2.66GHz | Socket 775 | 2666/266mhz

==== Disk Partitions =========================

A: is Removable

C: is FIXED (NTFS) - 149 GiB total, 98.243 GiB free.

I: is NetworkDisk (NTFS) - 68 GiB total, 10.448 GiB free.

O: is NetworkDisk (NTFS) - 342 GiB total, 64.621 GiB free.

P: is NetworkDisk (NTFS) - 342 GiB total, 64.621 GiB free.

R: is NetworkDisk (NTFS) - 342 GiB total, 64.621 GiB free.

T: is NetworkDisk (NTFS) - 342 GiB total, 64.621 GiB free.

W: is NetworkDisk (NTFS) - 699 GiB total, 427.395 GiB free.


==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 11/8/2010 6:13:43 PM - System Checkpoint

RP2: 11/9/2010 10:27:28 AM - Installed Windows NLSDownlevelMapping.

RP3: 11/9/2010 10:27:52 AM - Installed Windows IDNMitigationAPIs.

RP4: 11/9/2010 10:29:09 AM - Installed Windows Internet Explorer 7.

RP5: 11/9/2010 11:44:07 AM - Installed Windows Internet Explorer 8.

RP6: 11/10/2010 10:01:02 AM - Installed SUPERAntiSpyware Free Edition

==== Installed Programs ======================

==== Event Viewer Messages From Past Week ========

==== End Of File ===========================

GMER - http://www.gmer.net

Rootkit scan 2010-11-10 12:48:23

Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort2 WDC_WD1600AAJS-00WAA0 rev.58.01D58

Running: ecqulwys.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\fftyqpob.sys

---- System - GMER 1.0.15 ----

SSDT 899B8DC0 ZwCreateKey

SSDT 899B82C0 ZwCreateProcess

SSDT 899B8580 ZwCreateProcessEx

SSDT 899B9A80 ZwCreateSection

SSDT 899B9F60 ZwCreateThread

SSDT 899B9340 ZwDeleteKey

SSDT 899B9600 ZwDeleteValueKey

SSDT 899BA100 ZwLoadDriver

SSDT 899B8840 ZwOpenProcess

SSDT 899B9C20 ZwOpenSection

SSDT 899B9080 ZwSetValueKey

SSDT 899B8B00 ZwTerminateProcess

SSDT 899B9DC0 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\DRIVERS\nv4_mini.sys section is writeable [0xB689C3A0, 0x5CC259, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1748] ntdll.dll!NtProtectVirtualMemory 7C90D6D0 5 Bytes JMP 00DB000A

.text C:\WINDOWS\System32\svchost.exe[1748] ntdll.dll!NtWriteVirtualMemory 7C90DF90 5 Bytes JMP 00DC000A

.text C:\WINDOWS\System32\svchost.exe[1748] ntdll.dll!KiUserExceptionDispatcher 7C90E45C 5 Bytes JMP 00DA000C

.text C:\WINDOWS\System32\svchost.exe[1748] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00E4000A

.text C:\WINDOWS\Explorer.EXE[2824] ntdll.dll!NtProtectVirtualMemory 7C90D6D0 5 Bytes JMP 00D8000A

.text C:\WINDOWS\Explorer.EXE[2824] ntdll.dll!NtWriteVirtualMemory 7C90DF90 5 Bytes JMP 00D9000A

.text C:\WINDOWS\Explorer.EXE[2824] ntdll.dll!KiUserExceptionDispatcher 7C90E45C 5 Bytes JMP 00D7000C

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)

AttachedDevice TmPreFlt.sys (Pre-Filter For XP/Trend Micro Inc.)

AttachedDevice \Driver\Tcpip \Device\Ip tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

AttachedDevice \Driver\Tcpip \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

Device rdpdr.sys (Microsoft RDP Device redirector/Microsoft Corporation)

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8A848292

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T0L0-3 8A848292

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8A848292

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 8A848292

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 8A848292

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort4 8A848292

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort5 8A848292

AttachedDevice \Driver\Tcpip \Device\Udp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

AttachedDevice \Driver\Tcpip \Device\RawIp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)

Device Cdfs.SYS (CD-ROM File System Driver/Microsoft Corporation)

Device \Device\Ide\IdeDeviceP2T0L0-10 -> \??\IDE#DiskWDC_WD1600AAJS-00WAA0___________________58.01D58#5&32772958&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@RequireSignedAppInit_DLLs 1

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00 (MBR): rootkit-like behavior; TDL4 <-- ROOTKIT !!!

Disk \Device\Harddisk0\DR0 sector 32: rootkit-like behavior;

Disk \Device\Harddisk0\DR0 sector 33: rootkit-like behavior;

Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;

Disk \Device\Harddisk0\DR0 sectors 312579439 (+255): rootkit-like behavior;

---- EOF - GMER 1.0.15 ----



Please don't attach the scan results, use Copy/Paste

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your PC inoperable and could require a full reinstall of your OS, losing all your programs and data.

Vista and Windows 7 users:

1. These tools MUST be run from the executable (.exe) every time you run them.

2. With Admin Rights (Right click, choose "Run as Administrator")

Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

Please download ATF Cleaner by Atribune.

Download - ATF Cleaner


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
