PDA

View Full Version : [DDS Log] Need help; possible rootkit.


iPlasma
2011-06-03, 21:00
So my friend gave me her computer, complaining of malware, and asked me to fix it for her. It's not looking good, and I need some help cleaning this mess up.

The problems:
Browser Hijacking: Search results are redirected on IE and Chrome when you click on them.
Malware phone-home: Avast frequently blocks traffic trying to connect to malicious sites.
DoS (maybe): This may or may not be a malware related issue, but Windows Update is no longer able to connect to Microsoft's servers.

Notes:
I'm pretty sure the infection started through the p2p client "Frostwire." The client has since been uninstalled.
I replaced Microsoft Security Essentials with Avast! Anti-virus. A full system scan found nothing, but a boot scan with High hueristics sensitivity found PUPs called Relevant Knowledge, which I removed. The scan also found some exploits in Java, which seems to have been patched by uninstalling Java and reinstalling the newest version.
I downloaded, updated, and ran Spybot S&D. Spybot did not detect any issues. I also ran Spybot's immunization tool.

Now, down to the nitty gritty:

.
DDS (Ver_2011-06-03.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by Molly at 13:08:29 on 2011-06-03
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.2815.1327 [GMT -4:00]
.
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Epson Software\Event Manager\EEventManager.exe
C:\Program Files\Cisco\Cisco NAC Agent\NACAgentUI.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50ST7.EXE
C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50RP7.EXE
C:\Program Files\System Control Manager\MSIService.exe
C:\Program Files\Cisco\Cisco NAC Agent\NACAgent.exe
C:\Program Files\Microsoft\BingBar\SeaPort.EXE
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://www.msi.com
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll"
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [EPSON NX125 NX127 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatigga.exe /fu "c:\windows\temp\E_S4BAF.tmp" /EF "HKCU"
uRun: [EPSON NX125 NX127 Series (Copy 1)] c:\windows\system32\spool\drivers\w32x86\3\e_fatigga.exe /fu "c:\windows\temp\E_S5081.tmp" /EF "HKCU"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [EEventManager] "c:\program files\epson software\event manager\EEventManager.exe"
mRun: [NACAgentUI] c:\program files\cisco\cisco nac agent\NACAgentUI.exe
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: %SYSTEMROOT%\system32\nvLsp.dll
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {4D2D3A17-9B46-483C-A5F4-1DC471080009} - hxxps://cas.immaculata.edu/auth/taweb.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 68.87.75.198 68.87.64.150
TCP: Interfaces\{F78807E0-AC3F-4021-AF75-AE131CC4147C} : DhcpNameServer = 68.87.75.198 68.87.64.150
TCP: Interfaces\{F78807E0-AC3F-4021-AF75-AE131CC4147C}\0556163686350727573656D27657563747 : DhcpNameServer = 192.168.33.1 68.87.64.150 68.87.75.198
TCP: Interfaces\{F78807E0-AC3F-4021-AF75-AE131CC4147C}\2656C6B696E6534376 : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{F78807E0-AC3F-4021-AF75-AE131CC4147C}\5446469656026556464656270227F657475627 : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{F78807E0-AC3F-4021-AF75-AE131CC4147C}\75962756C6563737 : DhcpNameServer = 68.87.75.198 68.87.64.150
TCP: Interfaces\{F78807E0-AC3F-4021-AF75-AE131CC4147C}\84F66666D616E6E45647 : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{F78807E0-AC3F-4021-AF75-AE131CC4147C}\D416279616D6 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{F78807E0-AC3F-4021-AF75-AE131CC4147C}\E4544574541425 : DhcpNameServer = 68.87.75.198 68.87.64.150 68.82.0.6
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-6-2 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-6-2 307928]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-6-2 19544]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-6-2 53592]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-6-2 42184]
R2 EPSON_EB_RPCV4_04;EPSON V5 Service4(04);c:\program files\common files\epson\epw!3 ssrp\E_S50ST7.EXE [2010-8-25 153600]
R2 EPSON_PM_RPCV4_04;EPSON V3 Service4(04);c:\program files\common files\epson\epw!3 ssrp\E_S50RP7.EXE [2010-8-25 121856]
R2 Micro Star SCM;Micro Star SCM;c:\program files\system control manager\MSIService.exe [2009-9-10 160768]
R2 NACAgent;Cisco NAC Agent;c:\program files\cisco\cisco nac agent\NACAgent.exe [2011-1-6 1104608]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2011-6-3 1153368]
R3 ArcSoftKsUFilter;ArcSoft Magic-I Visual Effect;c:\windows\system32\drivers\ArcSoftKsUFilter.sys [2009-9-10 17920]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2009-9-10 64032]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-2 135664]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-2-28 183560]
S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2011-5-16 39272]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-9-23 1493352]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-2 135664]
S3 netr28;Ralink 802.11n Extensible Wireless Driver;c:\windows\system32\drivers\netr28.sys [2009-8-19 616960]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2009-9-10 166912]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-6-10 139776]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-3-7 1343400]
.
=============== Created Last 30 ================
.
2011-06-03 16:49:49 388096 ----a-r- c:\users\molly\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-06-03 16:49:49 -------- d-----w- c:\program files\Trend Micro
2011-06-03 14:03:28 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-06-03 13:53:50 6962000 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{6375083e-5d39-4cb5-9bd0-0ed2893f002b}\mpengine.dll
2011-06-03 02:18:02 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-06-03 02:18:01 53592 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-06-03 02:17:57 40112 ----a-w- c:\windows\avastSS.scr
2011-06-03 02:17:50 -------- d-----w- c:\programdata\AVAST Software
2011-06-03 02:17:50 -------- d-----w- c:\program files\AVAST Software
2011-05-30 19:34:20 0 ---ha-w- c:\users\molly\appdata\local\BITDB6.tmp
2011-05-20 04:15:07 -------- d-----w- c:\users\molly\appdata\roaming\Malwarebytes
2011-05-20 04:14:08 -------- d-----w- c:\programdata\Malwarebytes
2011-05-20 04:14:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-20 01:46:41 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-05-20 01:46:41 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-05-20 01:28:09 -------- d-----w- c:\programdata\Alwil Software
2011-05-20 01:19:38 -------- d-----w- c:\program files\Defraggler
2011-05-20 01:19:11 -------- d-----w- c:\program files\CCleaner
2011-05-19 17:13:46 -------- d-----w- c:\windows\pss
2011-05-19 01:55:29 240008 ----a-w- c:\windows\system32\drivers\netio.sys
2011-05-19 01:19:21 -------- d-----w- c:\users\molly\appdata\roaming\Webroot
2011-05-18 13:44:48 -------- d-----w- c:\users\molly\FrostWire
2011-05-17 00:20:47 -------- d-----w- c:\windows\en
2011-05-17 00:20:21 39272 ----a-w- c:\windows\system32\drivers\fssfltr.sys
2011-05-17 00:17:30 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2011-05-17 00:17:30 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2011-05-17 00:17:30 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2011-05-11 15:17:37 -------- d-----w- c:\programdata\AVG Security Toolbar
.
==================== Find3M ====================
.
2011-04-06 20:20:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 20:20:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
2011-03-12 11:31:58 442880 ----a-w- c:\windows\system32\XpsPrint.dll
2011-03-11 05:44:09 146304 ----a-w- c:\windows\system32\drivers\storport.sys
2011-03-11 05:44:01 143744 ----a-w- c:\windows\system32\drivers\nvstor.sys
2011-03-11 05:44:01 1210240 ----a-w- c:\windows\system32\drivers\ntfs.sys
2011-03-11 05:44:01 117120 ----a-w- c:\windows\system32\drivers\nvraid.sys
2011-03-11 05:43:55 332160 ----a-w- c:\windows\system32\drivers\iaStorV.sys
2011-03-11 05:43:46 80256 ----a-w- c:\windows\system32\drivers\amdsata.sys
2011-03-11 05:43:46 22400 ----a-w- c:\windows\system32\drivers\amdxata.sys
2011-03-11 05:40:24 1164288 ----a-w- c:\windows\system32\mfc42u.dll
2011-03-11 05:40:24 1137664 ----a-w- c:\windows\system32\mfc42.dll
2011-03-11 05:39:35 1686016 ----a-w- c:\windows\system32\esent.dll
2011-03-11 05:37:34 74240 ----a-w- c:\windows\system32\fsutil.exe
2011-03-08 05:38:13 740864 ----a-w- c:\windows\system32\inetcomm.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.1.7600 Disk: TOSHIBA_ rev.FG00 -> Harddisk0\DR0 ->
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll >>UNKNOWN [0x866B64D0]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x866bc7f0]; MOV EAX, [0x866bc86c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x82E53448] -> \Device\Harddisk0\DR0[0x86698030]
3 CLASSPNP[0x8360459E] -> ntkrnlpa!IofCallDriver[0x82E53448] -> [0x86102978]
5 ACPI[0x836413B2] -> ntkrnlpa!IofCallDriver[0x82E53448] -> \00000065[0x865BD998]
\Driver\nvstor32[0x86698C30] -> IRP_MJ_CREATE -> 0x866B64D0
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
detected disk devices:
\Device\00000065 -> \??\SCSI#Disk&Ven_TOSHIBA&Prod_MK2555GSX#4&1d82ffab&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 13:14:07.00 ===============
Blade81
2011-06-12, 13:15
Hi,

If help still needed post fresh dds logs, please.
Blade81
2011-06-18, 12:00
Due to inactivity, this thread will now be closed.

Note:If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh DDS log and a link to your previous thread. Please do not add any logs that might have been requested in the closed topic, you would be starting fresh.

If it has been less than three days since your last response and you need the thread re-opened, please send me or other MOD a private message (pm). A valid, working link to the closed topic is required.