Question

Unable to Remove Rootkit in MBR

Asked by: Chiarne

Hi,

I've been trying to remove a stubborn infection in the MBR on a PC. The OS is Windows XP Home, SP2. I've tried running Gmer and mbr.exe with no success. The mbr log is as follows:

Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
malicious code @ sector 0x4c50135 size 0x1fd !
copy of MBR has been found in sector 62 !

I've tried the following in both normal mode and safe modes, where possible:

- run Eset Smart Security and Malwarebytes scans and nothing detected
- fixmbr in recovery console
- Combofix
- SDFix
- NOD32 DOS scan

ComboFix log:

ComboFix 08-09-28.03 - Lynette 2008-09-30 10:42:33.2 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.75 [GMT 10:00]
Running from: C:\Documents and Settings\Lynette\Desktop\ComboFix\ComboFix.exe
 * Created a new restore point

WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\dcstds3.dll

.
(((((((((((((((((((((((((   Files Created from 2008-08-28 to 2008-09-30  )))))))))))))))))))))))))))))))
.

2008-09-30 09:20 . 2008-09-30 09:20      <DIR>      d--------      C:\Program Files\ESET
2008-09-30 09:04 . 2008-09-30 08:35      66,048      --a------      C:\mbr.exe
2008-09-30 08:35 . 2008-09-30 10:17      250      --a------      C:\WINDOWS\gmer.ini
2008-09-29 21:47 . 2008-09-30 09:08      <DIR>      d--------      C:\Program Files\TDS3
2008-09-29 20:39 . 2008-09-30 10:42      <DIR>      d--------      C:\WINDOWS\system32\NtmsData
2008-09-29 20:20 . 2008-09-29 20:22      5,251,072      --a------      C:\WINDOWS\sectest.db
2008-09-29 19:49 . 2008-09-29 19:49      <DIR>      d--------      C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-09-29 19:49 . 2008-09-29 19:49      <DIR>      d--------      C:\Documents and Settings\Administrator
2008-09-29 19:21 . 2008-09-30 09:27      <DIR>      d--------      C:\Program Files\SUPERAntiSpyware
2008-09-29 19:21 . 2008-09-29 19:21      <DIR>      d--------      C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-09-29 18:09 . 2008-09-29 18:09      <DIR>      d--------      C:\Program Files\PrevxCSI
2008-09-29 18:09 . 2008-09-30 09:22      <DIR>      d--------      C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-09-29 18:09 . 2008-09-29 18:09      17,408      --a------      C:\WINDOWS\system32\drivers\pxark.sys
2008-09-29 17:02 . 2008-09-29 17:02      <DIR>      d--------      C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-29 15:57 . 2006-05-25 15:52      162,304      --a------      C:\WINDOWS\system32\ztvunrar36.dll
2008-09-29 15:57 . 2003-02-02 20:06      153,088      --a------      C:\WINDOWS\system32\UNRAR3.dll
2008-09-29 15:57 . 2005-08-26 01:50      77,312      --a------      C:\WINDOWS\system32\ztvunace26.dll
2008-09-29 15:57 . 2002-03-06 01:00      75,264      --a------      C:\WINDOWS\system32\unacev2.dll
2008-09-29 15:57 . 2006-06-19 13:01      69,632      --a------      C:\WINDOWS\system32\ztvcabinet.dll
2008-09-29 15:56 . 2008-09-30 09:14      <DIR>      d--------      C:\Program Files\Trojan Remover
2008-09-29 15:26 . 2008-09-29 15:26      <DIR>      d--------      C:\Documents and Settings\Lynette\Application Data\ESET
2008-09-29 15:01 . 2008-09-29 15:01      <DIR>      d--------      C:\WINDOWS\ERUNT
2008-09-29 14:59 . 2008-09-29 14:59      2,740      --a------      C:\WINDOWS\system32\tmp.reg
2008-09-29 14:58 . 2007-09-06 00:22      289,144      --a------      C:\WINDOWS\system32\VCCLSID.exe
2008-09-29 14:58 . 2006-04-27 17:49      288,417      --a------      C:\WINDOWS\system32\SrchSTS.exe
2008-09-29 14:58 . 2008-09-08 23:38      88,576      --a------      C:\WINDOWS\system32\AntiXPVSTFix.exe
2008-09-29 14:58 . 2008-09-02 16:51      86,528      --a------      C:\WINDOWS\system32\VACFix.exe
2008-09-29 14:58 . 2008-05-18 21:40      82,944      --a------      C:\WINDOWS\system32\IEDFix.exe
2008-09-29 14:58 . 2008-08-28 22:36      82,432      --a------      C:\WINDOWS\system32\IEDFix.C.exe
2008-09-29 14:58 . 2008-08-18 12:19      82,432      --a------      C:\WINDOWS\system32\404Fix.exe
2008-09-29 14:58 . 2003-06-05 21:13      53,248      --a------      C:\WINDOWS\system32\Process.exe
2008-09-29 14:58 . 2004-07-31 18:50      51,200      --a------      C:\WINDOWS\system32\dumphive.exe
2008-09-29 14:58 . 2007-10-04 00:36      25,600      --a------      C:\WINDOWS\system32\WS2Fix.exe.vir
2008-09-29 14:17 . 2008-09-29 14:17      <DIR>      d--------      C:\Documents and Settings\All Users\Application Data\ESET
2008-09-29 11:38 . 2008-09-29 11:38      <DIR>      d--------      C:\Documents and Settings\Lynette\Application Data\Malwarebytes
2008-09-29 11:37 . 2008-09-29 11:38      <DIR>      d--------      C:\Program Files\Malwarebytes' Anti-Malware
2008-09-29 11:37 . 2008-09-29 11:37      <DIR>      d--------      C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-29 11:37 . 2008-09-10 00:04      38,528      --a------      C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-29 11:37 . 2008-09-10 00:03      17,200      --a------      C:\WINDOWS\system32\drivers\mbam.sys

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-29 02:15      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-17 03:08      ---------      d-----w      C:\Documents and Settings\Lynette\Application Data\MSN6
2008-09-02 02:34      ---------      d-----w      C:\Documents and Settings\Lynette\Application Data\U3
2008-08-22 23:26      ---------      d-----w      C:\Documents and Settings\Lynette\Application Data\AdobeUM
2008-07-18 12:10      94,920      ----a-w      C:\WINDOWS\system32\cdm.dll
2008-07-18 12:10      53,448      ----a-w      C:\WINDOWS\system32\wuauclt.exe
2008-07-18 12:10      45,768      ----a-w      C:\WINDOWS\system32\wups2.dll
2008-07-18 12:10      36,552      ----a-w      C:\WINDOWS\system32\wups.dll
2008-07-18 12:09      563,912      ----a-w      C:\WINDOWS\system32\wuapi.dll
2008-07-18 12:09      325,832      ----a-w      C:\WINDOWS\system32\wucltui.dll
2008-07-18 12:09      205,000      ----a-w      C:\WINDOWS\system32\wuweb.dll
2008-07-18 12:09      1,811,656      ----a-w      C:\WINDOWS\system32\wuaueng.dll
2008-07-18 12:07      270,880      ----a-w      C:\WINDOWS\system32\mucltui.dll
2008-07-18 12:07      210,976      ----a-w      C:\WINDOWS\system32\muweb.dll
2008-07-07 20:32      253,952      ----a-w      C:\WINDOWS\system32\es.dll
2008-06-24 16:23      74,240      ----a-w      C:\WINDOWS\system32\mscms.dll
2008-06-23 16:57      826,368      ----a-w      C:\WINDOWS\system32\wininet.dll
2008-06-20 17:41      245,248      ----a-w      C:\WINDOWS\system32\mswsock.dll
2006-12-11 01:56      21,408      ----a-w      C:\Documents and Settings\Lynette\Application Data\GDIPFONTCACHEV1.DAT
.

(((((((((((((((((((((((((((((   snapshot@2008-09-29_19.00.54.07   )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-09-29 23:44:43      884,736      ----a-w      C:\WINDOWS\gmer.dll
+ 2008-09-29 23:44:37      811,008      ----a-w      C:\WINDOWS\gmer.exe
+ 2007-03-06 01:22:39      213,216      -c----w      C:\WINDOWS\ie7updates\KB938127-v2-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:47      371,424      -c----w      C:\WINDOWS\ie7updates\KB938127-v2-IE7\spuninst\updspapi.dll
+ 2007-07-12 23:31:54      765,952      -c----w      C:\WINDOWS\ie7updates\KB938127-v2-IE7\vgx.dll
+ 2008-09-29 11:29:41      10,134      ----a-r      C:\WINDOWS\Installer\{FBF09842-EB7F-4BC2-BD32-DDE2572B2195}\callmsi.exe
+ 2008-09-29 11:29:41      140,544      ----a-r      C:\WINDOWS\Installer\{FBF09842-EB7F-4BC2-BD32-DDE2572B2195}\egui.exe
- 2007-08-13 08:54:10      765,952      -c--a-w      C:\WINDOWS\system32\dllcache\VGX.dll
+ 2008-05-27 17:23:58      765,952      -c--a-w      C:\WINDOWS\system32\dllcache\vgx.dll
+ 2008-06-30 22:56:22      39,944      ----a-w      C:\WINDOWS\system32\drivers\eamon.sys
+ 2008-06-30 23:04:34      71,688      ----a-w      C:\WINDOWS\system32\drivers\epfw.sys
+ 2008-06-30 23:04:38      54,280      ----a-w      C:\WINDOWS\system32\drivers\epfwtdi.sys
+ 2008-09-29 23:44:43      85,969      ----a-w      C:\WINDOWS\system32\drivers\gmer.sys
- 2008-09-29 03:49:22      125,320      ----a-w      C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-09-29 10:38:54      125,320      ----a-w      C:\WINDOWS\system32\FNTCACHE.DAT
+ 2003-06-11 08:05:07      32,768      ----a-w      C:\WINDOWS\system32\tds3shl.dll
+ 1999-01-12 05:19:12      195,584      ----a-w      C:\WINDOWS\system32\xvoice.dll
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-06-27 1449984]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 278528]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-05-03 155648]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-10-29 4620288]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2004-10-29 86016]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" [2006-10-12 49263]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2006-06-15 229376]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 185896]
"OpwareSE4"="C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 75304]
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2008-07-01 1447168]
"SoundMan"="SOUNDMAN.EXE" [2004-07-01 C:\WINDOWS\SOUNDMAN.EXE]
"nwiz"="nwiz.exe" [2004-10-29 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-28 443968]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 29696]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2006-06-07 180224]
KODAK Software Updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 16423]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R0 pxark;pxark;C:\WINDOWS\system32\drivers\pxark.sys [2008-09-29 17408]
R2 CSIScanner;CSIScanner;C:\Program Files\PrevxCSI\prevxcsi.exe [2008-09-29 618040]
S3 KLSIENET;Driver for USB Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\usb101et.sys [2004-08-03 32384]
S3 STAC97NA;SigmaTel 3D Environmental Audio;C:\WINDOWS\system32\drivers\stac97na.sys [2002-09-20 296179]
S3 STAC97NH;STAC97NH;C:\WINDOWS\system32\drivers\stac97nh.sys [2002-09-20 231983]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{09af1e79-0b42-11dc-8bda-000129fd70fc}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
.
------- Supplementary Scan -------
.
R1 -: HKCU-Internet Settings,ProxyOverride = *.local
O18 -: Handler: ms-its51 - {F6F1E82D-DE4D-11D2-875C-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\itss51.dll

O16 -: DirectAnimation Java Classes - file://C:\WINDOWS\Java\classes\dajava.cab
C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-30 10:46:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-09-30 10:55:39
ComboFix-quarantined-files.txt  2008-09-30 00:55:14
ComboFix2.txt  2008-09-29 09:01:48

Pre-Run: 4,947,554,304 bytes free
Post-Run: 5,022,281,728 bytes free

169      --- E O F ---      2008-09-29 17:02:51

-------------------------------------------------------------------------------------------------------------------------
Is there any way to kill this thing without performing a clean reinstall?

Regards

Chiarne

Asked on: 2008-09-29 at 18:11:52 (ID 23773439)
Topics: HijackThis Software, Anti-Virus, Anti-Virus Applications
Participating Experts: 3
Points: 500
Comments: 13



Answers

 

by: smittyboom, posted on 2008-09-29 at 20:01:12 (ID: 22602458)

Download and run this: http://www.simplysup.com
Also use HiJackThis and post the logfile in a reply.
Make sure Windows is up to date except for service pack 3.

 

by: Chiarne, posted on 2008-09-29 at 20:30:44 (ID: 22602561)

Hi smittyboom,

The Trojan Remover scan came up empty.  HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:22:28, on 30/09/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\UnHackMe\hackmon.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
E:\Spyware\Trojan Remover\TrojanRemover_setup_v6.7.2.exe
C:\DOCUME~1\Lynette\LOCALS~1\Temp\is-J1S87.tmp\TrojanRemover_setup_v6.7.2.tmp
C:\Program Files\Trojan Remover\trupd.exe
E:\Spyware\Hijack This and CW Shredder\HiJackThis_v.2.0.2.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 203.161.127.141 www.dcsresearch.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: ImageShack Toolbar - {6932D140-ABC4-4073-A44C-D4A541665E35} - C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [UnHackMe Monitor] C:\Program Files\UnHackMe\hackmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://renee090.spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1164140555102
O16 - DPF: {6932D140-ABC4-4073-A44C-D4A541665E35} (ImageShack Toolbar) - http://toolbar.imageshack.us/toolbar/ImageShackToolbar.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BE9D8CA0-ED6D-4FFA-A5BF-75681788D335}: Domain = nsw.bigpond.net.au
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EHttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 8484 bytes

Regards

Chiarne

 

by: smittyboom, posted on 2008-09-30 at 06:27:30 (ID: 22605117)

It looks surprisingly clean.

You may want to remove this line. I went to this website and it doesn't look like you should have this.
O1 - Hosts: 203.161.127.141 www.dcsresearch.com

I would also try this:
http://onecare.live.com/site/en-us/default.htm

 

by: smittyboom, posted on 2008-09-30 at 07:14:51 (ID: 22605547)

www.dcsresearch.com is a search engine.
You can look at the google search if you desire.
http://www.google.com/search?hl=en&q=www.dcsresearch.com&aq=f&oq=

 

by: younghv, posted on 2008-09-30 at 07:25:21 (ID: 22605639)

smittyboom,
From what I know (too damned little), that line is harmless - and based on what the Asker has already run (and posted) the problem is going to be much deeper than an HJT fix.

I am more concerned about your recommendation (Make sure Windows is up to date except for service pack 3.) that you made and wonder why you would tell someone not to load SP3?

 

by: smittyboom, posted on 2008-09-30 at 07:39:41 (ID: 22605791)

If you would like to handle this problem then I will leave this question alone.
You are right, it is a harmless line, so there is no problem with deleting it. The reason that I stated the SP3 comment is because I do not know anything else about the user's system, and if I was to make the comment of adding SP3 and the user has an AMD processor or SP3 caused any other issues (they are all over this website as well as every other technical website) then I will not be held responsible. I am not going to tell the user to put SP3 on this machine and then explain to the user why it is caught in an endless reboot or goes to a BSOD. The comments I made will have no adverse effects on the PC and that was my intention. If you would like to suggest SP3 then feel free to.

 

by: younghv  Posted on 2008-09-30 at 09:26:32  ID: 22606957

smittyboom,
I think you misunderstood my question.
I learn a lot more on this site (from other Experts) than I teach every day.
You've only been posting in earnest for a couple of weeks, but Experts 'cross-post' all the time around here - trying to learn from each other.

My personal attitude toward SP's is to never be in the first wave of those who install it, but I've been running it regularly for the past couple of months and haven't found any conflicts/problems yet.

(Also - you should never feel 'run-off' from a question on EE. This site is all about collaboration and all of us helping each other.)

 

by: smittyboom  Posted on 2008-09-30 at 10:31:59  ID: 22607584

Copy MBR.exe to C:\Windows folder
Click Start>Run
Type in mbr.exe -f

 

by: rpggamergirl  Posted on 2008-09-30 at 15:49:12  ID: 22610122


Chiarne,

>>> malicious code @ sector 0x4c50135 size 0x1fd ! <<< 

The above line in Gmer's log doesn't mean the MBR rootkit is still active; somehow that line lingers even after running fixmbr, which removed
the MBR rootkit, so that line is just a remnant.
Is that line the reason that you think you still have the MBR rootkit?
If the system has the MBR rootkit then running the FIXMBR command in the Recovery Console, which you already did, would've removed it.


The Gmer log can look like this below:
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
MBR rootkit code detected !
malicious code @ sector 0x1d1c06c0 size 0x1a8 !
copy of MBR has been found in sector 62 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.



Below is also a Gmer log in one of my threads BEFORE 'fixmbr' (it shows a line that rootkit is detected)

---- Disk sectors - GMER 1.0.14 ----
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior; MBR rootkit code detected <--
ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 01: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 02: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 03: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 04: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 05: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 06: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 07: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 60: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 61: rootkit-like behavior; malicious code @ sector 0x950e4c1 size 0x1fd
Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior; copy of MBR
---- EOF - GMER 1.0.14 ----


-------------------------------------------------------------------------------------------------------------------------

And BELOW is the Gmer log AFTER 'fixmbr' (the rootkit-flagged lines are no longer there, even though the harmless "malicious code at sector" line is still
present, but the MBR rootkit is gone).

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-07-16 13:44:48
Windows 5.1.2600 Service Pack 2

---- Disk sectors - GMER 1.0.14 ----
Disk \Device\Harddisk0\DR0 sector 61: malicious code @ sector 0x950e4c1 size 0x1fd
Disk \Device\Harddisk0\DR0 sector 62: copy of MBR
---- Devices - GMER 1.0.14 ----
AttachedDevice \Driver\Tcpip \Device\Ip mvstdi5x.sys (Anti-Virus Mini-Firewall Driver/Network Associates, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mvstdi5x.sys (Anti-Virus Mini-Firewall Driver/Network Associates, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mvstdi5x.sys (Anti-Virus Mini-Firewall Driver/Network Associates, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mvstdi5x.sys (Anti-Virus Mini-Firewall Driver/Network Associates, Inc.)
---- EOF - GMER 1.0.14 ----



So, in my opinion, as long as you don't see this line in any Gmer log --> MBR rootkit code detected ! or any 'rootkit-like behavior' lines,
then all is well; the MBR rootkit is removed by running fixmbr, which I assume you've already done.

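The rule rpggamergirl applies above (a "MBR rootkit code detected" or "rootkit-like behavior" line means an active infection; a lone "malicious code @ sector" / "copy of MBR" line after fixmbr is only a remnant) can be turned into a small log triage check. The following is an added example, not code from the thread or from GMER; the sample logs are constructed from the excerpts quoted in this thread.

```python
import re

# Lines that GMER / mbr.exe print only while the rootkit hooks are actually present
ACTIVE_MARKERS = (
    "MBR rootkit code detected",
    "MBR rootkit infection detected",
    "rootkit-like behavior",
)
# The remnant line: hex sector number and hex size of the hidden code blob
REMNANT_RE = re.compile(r"malicious code @ sector 0x([0-9a-fA-F]+) size 0x([0-9a-fA-F]+)")
COPY_RE = re.compile(r"copy of MBR")


def classify_mbr_log(log: str) -> dict:
    """Classify a GMER / mbr.exe log as 'active', 'remnant' or 'clean'.

    'active'  : at least one ACTIVE_MARKERS line is present (rootkit still installed)
    'remnant' : only 'malicious code @ sector' / 'copy of MBR' lines remain (post-fixmbr leftover)
    'clean'   : none of the above
    """
    lines = log.splitlines()
    active_lines = [ln.strip() for ln in lines if any(m in ln for m in ACTIVE_MARKERS)]
    remnants = []
    for ln in lines:
        m = REMNANT_RE.search(ln)
        if m:
            # keep the numbers so the report shows where the leftover blob sits on disk
            remnants.append({"sector": int(m.group(1), 16), "size": int(m.group(2), 16)})
    has_copy = any(COPY_RE.search(ln) for ln in lines)
    if active_lines:
        status = "active"
    elif remnants or has_copy:
        status = "remnant"
    else:
        status = "clean"
    return {"status": status, "active_lines": active_lines, "remnants": remnants, "mbr_copy": has_copy}


# Constructed sample 1: the asker's mbr.exe output (no active marker, remnant lines only)
ASKER_LOG = """device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
malicious code @ sector 0x4c50135 size 0x1fd !
copy of MBR has been found in sector 62 !
"""

# Constructed sample 2: the pre-fixmbr GMER excerpt quoted above (active infection)
INFECTED_LOG = """---- Disk sectors - GMER 1.0.14 ----
Disk \\Device\\Harddisk0\\DR0 sector 00: rootkit-like behavior; MBR rootkit code detected <--
Disk \\Device\\Harddisk0\\DR0 sector 62: rootkit-like behavior; copy of MBR
"""

if __name__ == "__main__":
    for name, log in (("asker", ASKER_LOG), ("infected", INFECTED_LOG)):
        print(name, classify_mbr_log(log))
```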
 

by: Chiarne  Posted on 2008-09-30 at 17:21:22  ID: 22610638

Hi rpggamergirl,

Since my last posting I have run ESET Mebroot Remover and it has not detected any infection.  This confirms your statement that the MBR rootkit is gone.

This was my first close encounter with a rootkit infection and probably not my last. The line "malicious code at sector..." in the GMER report raised a few flags of concern. Being a newbie at this I jumped to the conclusion that the infection was not totally cleaned and/or still active. Since this is a customer's computer I needed confirmation that the infection was no longer active.

Thanks for your detailed answer.  Problem solved.

Regards

Chiarne



 

by: rpggamergirl  Posted on 2008-10-01 at 17:58:56  ID: 22620471

>>> The line "malicious code at sector..." in the GMER report raised a few flags of concern. <<<

That's understandable. It's only natural for anyone to be concerned when they see that line in Gmer's log.

If you still have that pc, you might like to uninstall combofix.
Go to Start > Run and copy and paste next command in the field:

ComboFix /u

The procedure will delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Set a new, clean Restore Point.

Thanks!
