Solved

Unable to Remove Rootkit in MBR

Posted on 2008-09-29
Last Modified: 2013-12-06
Hi,

I've been trying to remove a stubborn infection in the MBR on a PC. The OS is Windows XP Home, SP2. I've tried running Gmer and mbr.exe with no success. The mbr log is as follows:

Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
malicious code @ sector 0x4c50135 size 0x1fd !
copy of MBR has been found in sector 62 !

I've tried the following in both normal mode and safe modes, where possible:

- run Eset Smart Security and Malwarebytes scans and nothing detected
- fixmbr in recovery console
- Combofix
- SDFix
- NOD32 DOS scan

ComboFix log:

ComboFix 08-09-28.03 - Lynette 2008-09-30 10:42:33.2 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.75 [GMT 10:00]
Running from: C:\Documents and Settings\Lynette\Desktop\ComboFix\ComboFix.exe
 * Created a new restore point

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\dcstds3.dll

.
(((((((((((((((((((((((((   Files Created from 2008-08-28 to 2008-09-30  )))))))))))))))))))))))))))))))
.

2008-09-30 09:20 . 2008-09-30 09:20      <DIR>      d--------      C:\Program Files\ESET
2008-09-30 09:04 . 2008-09-30 08:35      66,048      --a------      C:\mbr.exe
2008-09-30 08:35 . 2008-09-30 10:17      250      --a------      C:\WINDOWS\gmer.ini
2008-09-29 21:47 . 2008-09-30 09:08      <DIR>      d--------      C:\Program Files\TDS3
2008-09-29 20:39 . 2008-09-30 10:42      <DIR>      d--------      C:\WINDOWS\system32\NtmsData
2008-09-29 20:20 . 2008-09-29 20:22      5,251,072      --a------      C:\WINDOWS\sectest.db
2008-09-29 19:49 . 2008-09-29 19:49      <DIR>      d--------      C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-09-29 19:49 . 2008-09-29 19:49      <DIR>      d--------      C:\Documents and Settings\Administrator
2008-09-29 19:21 . 2008-09-30 09:27      <DIR>      d--------      C:\Program Files\SUPERAntiSpyware
2008-09-29 19:21 . 2008-09-29 19:21      <DIR>      d--------      C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-09-29 18:09 . 2008-09-29 18:09      <DIR>      d--------      C:\Program Files\PrevxCSI
2008-09-29 18:09 . 2008-09-30 09:22      <DIR>      d--------      C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-09-29 18:09 . 2008-09-29 18:09      17,408      --a------      C:\WINDOWS\system32\drivers\pxark.sys
2008-09-29 17:02 . 2008-09-29 17:02      <DIR>      d--------      C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-29 15:57 . 2006-05-25 15:52      162,304      --a------      C:\WINDOWS\system32\ztvunrar36.dll
2008-09-29 15:57 . 2003-02-02 20:06      153,088      --a------      C:\WINDOWS\system32\UNRAR3.dll
2008-09-29 15:57 . 2005-08-26 01:50      77,312      --a------      C:\WINDOWS\system32\ztvunace26.dll
2008-09-29 15:57 . 2002-03-06 01:00      75,264      --a------      C:\WINDOWS\system32\unacev2.dll
2008-09-29 15:57 . 2006-06-19 13:01      69,632      --a------      C:\WINDOWS\system32\ztvcabinet.dll
2008-09-29 15:56 . 2008-09-30 09:14      <DIR>      d--------      C:\Program Files\Trojan Remover
2008-09-29 15:26 . 2008-09-29 15:26      <DIR>      d--------      C:\Documents and Settings\Lynette\Application Data\ESET
2008-09-29 15:01 . 2008-09-29 15:01      <DIR>      d--------      C:\WINDOWS\ERUNT
2008-09-29 14:59 . 2008-09-29 14:59      2,740      --a------      C:\WINDOWS\system32\tmp.reg
2008-09-29 14:58 . 2007-09-06 00:22      289,144      --a------      C:\WINDOWS\system32\VCCLSID.exe
2008-09-29 14:58 . 2006-04-27 17:49      288,417      --a------      C:\WINDOWS\system32\SrchSTS.exe
2008-09-29 14:58 . 2008-09-08 23:38      88,576      --a------      C:\WINDOWS\system32\AntiXPVSTFix.exe
2008-09-29 14:58 . 2008-09-02 16:51      86,528      --a------      C:\WINDOWS\system32\VACFix.exe
2008-09-29 14:58 . 2008-05-18 21:40      82,944      --a------      C:\WINDOWS\system32\IEDFix.exe
2008-09-29 14:58 . 2008-08-28 22:36      82,432      --a------      C:\WINDOWS\system32\IEDFix.C.exe
2008-09-29 14:58 . 2008-08-18 12:19      82,432      --a------      C:\WINDOWS\system32\404Fix.exe
2008-09-29 14:58 . 2003-06-05 21:13      53,248      --a------      C:\WINDOWS\system32\Process.exe
2008-09-29 14:58 . 2004-07-31 18:50      51,200      --a------      C:\WINDOWS\system32\dumphive.exe
2008-09-29 14:58 . 2007-10-04 00:36      25,600      --a------      C:\WINDOWS\system32\WS2Fix.exe.vir
2008-09-29 14:17 . 2008-09-29 14:17      <DIR>      d--------      C:\Documents and Settings\All Users\Application Data\ESET
2008-09-29 11:38 . 2008-09-29 11:38      <DIR>      d--------      C:\Documents and Settings\Lynette\Application Data\Malwarebytes
2008-09-29 11:37 . 2008-09-29 11:38      <DIR>      d--------      C:\Program Files\Malwarebytes' Anti-Malware
2008-09-29 11:37 . 2008-09-29 11:37      <DIR>      d--------      C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-29 11:37 . 2008-09-10 00:04      38,528      --a------      C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-29 11:37 . 2008-09-10 00:03      17,200      --a------      C:\WINDOWS\system32\drivers\mbam.sys

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-29 02:15      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-17 03:08      ---------      d-----w      C:\Documents and Settings\Lynette\Application Data\MSN6
2008-09-02 02:34      ---------      d-----w      C:\Documents and Settings\Lynette\Application Data\U3
2008-08-22 23:26      ---------      d-----w      C:\Documents and Settings\Lynette\Application Data\AdobeUM
2008-07-18 12:10      94,920      ----a-w      C:\WINDOWS\system32\cdm.dll
2008-07-18 12:10      53,448      ----a-w      C:\WINDOWS\system32\wuauclt.exe
2008-07-18 12:10      45,768      ----a-w      C:\WINDOWS\system32\wups2.dll
2008-07-18 12:10      36,552      ----a-w      C:\WINDOWS\system32\wups.dll
2008-07-18 12:09      563,912      ----a-w      C:\WINDOWS\system32\wuapi.dll
2008-07-18 12:09      325,832      ----a-w      C:\WINDOWS\system32\wucltui.dll
2008-07-18 12:09      205,000      ----a-w      C:\WINDOWS\system32\wuweb.dll
2008-07-18 12:09      1,811,656      ----a-w      C:\WINDOWS\system32\wuaueng.dll
2008-07-18 12:07      270,880      ----a-w      C:\WINDOWS\system32\mucltui.dll
2008-07-18 12:07      210,976      ----a-w      C:\WINDOWS\system32\muweb.dll
2008-07-07 20:32      253,952      ----a-w      C:\WINDOWS\system32\es.dll
2008-06-24 16:23      74,240      ----a-w      C:\WINDOWS\system32\mscms.dll
2008-06-23 16:57      826,368      ----a-w      C:\WINDOWS\system32\wininet.dll
2008-06-20 17:41      245,248      ----a-w      C:\WINDOWS\system32\mswsock.dll
2006-12-11 01:56      21,408      ----a-w      C:\Documents and Settings\Lynette\Application Data\GDIPFONTCACHEV1.DAT
.

(((((((((((((((((((((((((((((   snapshot@2008-09-29_19.00.54.07   )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-09-29 23:44:43      884,736      ----a-w      C:\WINDOWS\gmer.dll
+ 2008-09-29 23:44:37      811,008      ----a-w      C:\WINDOWS\gmer.exe
+ 2007-03-06 01:22:39      213,216      -c----w      C:\WINDOWS\ie7updates\KB938127-v2-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:47      371,424      -c----w      C:\WINDOWS\ie7updates\KB938127-v2-IE7\spuninst\updspapi.dll
+ 2007-07-12 23:31:54      765,952      -c----w      C:\WINDOWS\ie7updates\KB938127-v2-IE7\vgx.dll
+ 2008-09-29 11:29:41      10,134      ----a-r      C:\WINDOWS\Installer\{FBF09842-EB7F-4BC2-BD32-DDE2572B2195}\callmsi.exe
+ 2008-09-29 11:29:41      140,544      ----a-r      C:\WINDOWS\Installer\{FBF09842-EB7F-4BC2-BD32-DDE2572B2195}\egui.exe
- 2007-08-13 08:54:10      765,952      -c--a-w      C:\WINDOWS\system32\dllcache\VGX.dll
+ 2008-05-27 17:23:58      765,952      -c--a-w      C:\WINDOWS\system32\dllcache\vgx.dll
+ 2008-06-30 22:56:22      39,944      ----a-w      C:\WINDOWS\system32\drivers\eamon.sys
+ 2008-06-30 23:04:34      71,688      ----a-w      C:\WINDOWS\system32\drivers\epfw.sys
+ 2008-06-30 23:04:38      54,280      ----a-w      C:\WINDOWS\system32\drivers\epfwtdi.sys
+ 2008-09-29 23:44:43      85,969      ----a-w      C:\WINDOWS\system32\drivers\gmer.sys
- 2008-09-29 03:49:22      125,320      ----a-w      C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-09-29 10:38:54      125,320      ----a-w      C:\WINDOWS\system32\FNTCACHE.DAT
+ 2003-06-11 08:05:07      32,768      ----a-w      C:\WINDOWS\system32\tds3shl.dll
+ 1999-01-12 05:19:12      195,584      ----a-w      C:\WINDOWS\system32\xvoice.dll
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-06-27 1449984]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 278528]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-05-03 155648]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-10-29 4620288]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2004-10-29 86016]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" [2006-10-12 49263]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2006-06-15 229376]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 185896]
"OpwareSE4"="C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 75304]
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2008-07-01 1447168]
"SoundMan"="SOUNDMAN.EXE" [2004-07-01 C:\WINDOWS\SOUNDMAN.EXE]
"nwiz"="nwiz.exe" [2004-10-29 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-28 443968]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 29696]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2006-06-07 180224]
KODAK Software Updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 16423]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R0 pxark;pxark;C:\WINDOWS\system32\drivers\pxark.sys [2008-09-29 17408]
R2 CSIScanner;CSIScanner;C:\Program Files\PrevxCSI\prevxcsi.exe [2008-09-29 618040]
S3 KLSIENET;Driver for USB Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\usb101et.sys [2004-08-03 32384]
S3 STAC97NA;SigmaTel 3D Environmental Audio;C:\WINDOWS\system32\drivers\stac97na.sys [2002-09-20 296179]
S3 STAC97NH;STAC97NH;C:\WINDOWS\system32\drivers\stac97nh.sys [2002-09-20 231983]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{09af1e79-0b42-11dc-8bda-000129fd70fc}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
.
------- Supplementary Scan -------
.
R1 -: HKCU-Internet Settings,ProxyOverride = *.local
O18 -: Handler: ms-its51 - {F6F1E82D-DE4D-11D2-875C-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\itss51.dll

O16 -: DirectAnimation Java Classes - file://C:\WINDOWS\Java\classes\dajava.cab
C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-30 10:46:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-09-30 10:55:39
ComboFix-quarantined-files.txt  2008-09-30 00:55:14
ComboFix2.txt  2008-09-29 09:01:48

Pre-Run: 4,947,554,304 bytes free
Post-Run: 5,022,281,728 bytes free

169      --- E O F ---      2008-09-29 17:02:51

-------------------------------------------------------------------------------------------------------------------------
Is there any way to kill this thing without performing a clean reinstall?

Regards

Chiarne
Question by:Chiarne
13 Comments
 
LVL 4

Expert Comment

by:smittyboom
ID: 22602458
Download and run this: http://www.simplysup.com
Also use HiJackThis and post the logfile in a reply.
Make sure Windows is up to date except for service pack 3.

Author Comment

by:Chiarne
ID: 22602561
Hi smittyboom,

The Trojan Remover scan came up empty.  HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:22:28, on 30/09/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\UnHackMe\hackmon.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
E:\Spyware\Trojan Remover\TrojanRemover_setup_v6.7.2.exe
C:\DOCUME~1\Lynette\LOCALS~1\Temp\is-J1S87.tmp\TrojanRemover_setup_v6.7.2.tmp
C:\Program Files\Trojan Remover\trupd.exe
E:\Spyware\Hijack This and CW Shredder\HiJackThis_v.2.0.2.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 203.161.127.141 www.dcsresearch.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: ImageShack Toolbar - {6932D140-ABC4-4073-A44C-D4A541665E35} - C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [UnHackMe Monitor] C:\Program Files\UnHackMe\hackmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://renee090.spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1164140555102
O16 - DPF: {6932D140-ABC4-4073-A44C-D4A541665E35} (ImageShack Toolbar) - http://toolbar.imageshack.us/toolbar/ImageShackToolbar.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BE9D8CA0-ED6D-4FFA-A5BF-75681788D335}: Domain = nsw.bigpond.net.au
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EHttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 8484 bytes

Regards

Chiarne
LVL 4

Expert Comment

by:smittyboom
ID: 22605117
It looks surprisingly clean.

You may want to remove this line. I went to this website and it doesn't look like you should have this.
O1 - Hosts: 203.161.127.141 www.dcsresearch.com

I would also try this:
http://onecare.live.com/site/en-us/default.htm

LVL 4

Expert Comment

by:smittyboom
ID: 22605547
www.dcsresearch.com is a search engine.
You can look at the google search if you desire.
http://www.google.com/search?hl=en&q=www.dcsresearch.com&aq=f&oq=
LVL 38

Expert Comment

by:younghv
ID: 22605639
smittyboom,
From what I know (too damned little), that line is harmless - and based on what the Asker has already run (and posted) the problem is going to be much deeper than an HJT fix.

I am more concerned about your recommendation (Make sure Windows is up to date except for service pack 3.) that you made and wonder why you would tell someone not to load SP3?
LVL 4

Expert Comment

by:smittyboom
ID: 22605791
If you would like to handle this problem then I will leave this question alone.
You are right, it is a harmless line, so there is no problem with deleting it. The reason that I stated the SP3 comment is because I do not know anything else about the user's system, and if I was to make the comment of adding SP3 and the user has an AMD processor or SP3 caused any other issues (they are all over this website as well as every other technical website) then I will not be held responsible. I am not going to tell the user to put SP3 on this machine and then explain to the user why it is caught in an endless reboot or goes to a BSOD. The comments I made will have no adverse effects on the PC and that was my intention. If you would like to suggest the SP3 then feel free to.
LVL 38

Expert Comment

by:younghv
ID: 22606957
smittyboom,
I think you misunderstood my question.
I learn a lot more on this site (from other Experts) than I teach every day.
You've only been posting in earnest for a couple of weeks, but Experts 'cross-post' all the time around here - trying to learn from each other.

My personal attitude toward SP's is to never be in the first wave of those who install it, but I've been running it regularly for the past couple of months and haven't found any conflicts/problems yet.

(Also - you should never feel 'run-off' from a question on EE. This site is all about collaboration and all of us helping each other.)
LVL 4

Expert Comment

by:smittyboom
ID: 22607584
Copy MBR.exe to C:\Windows folder
Click Start>Run
Type in mbr.exe -f
LVL 47

Accepted Solution

by:rpggamergirl (earned 500 total points)
ID: 22610122

Chiarne,

>>> malicious code @ sector 0x4c50135 size 0x1fd ! <<<

The above line in Gmer's log doesn't mean the MBR rootkit is still active; somehow that line lingers even after running fixmbr, which removed the MBR rootkit, so that line is just a remnant.
Is that line the reason that you think you still have the MBR rootkit?
If the system has an MBR rootkit, then running the FIXMBR command in the Recovery Console, which you already did, would've removed it.


The Gmer log can look like this below:
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
MBR rootkit code detected !
malicious code @ sector 0x1d1c06c0 size 0x1a8 !
copy of MBR has been found in sector 62 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.



Below is also a Gmer log from one of my threads BEFORE 'fixmbr' (it shows a line indicating that a rootkit was detected):

---- Disk sectors - GMER 1.0.14 ----
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior; MBR rootkit code detected <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 01: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 02: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 03: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 04: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 05: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 06: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 07: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 60: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 61: rootkit-like behavior; malicious code @ sector 0x950e4c1 size 0x1fd
Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior; copy of MBR
---- EOF - GMER 1.0.14 ----

-------------------------------------------------------------------------------------------------------------------------

And BELOW is the Gmer log AFTER 'fixmbr' (the rootkit-flagged lines are no longer there, even though the harmless 'malicious code at sector' line is still present; the MBR rootkit is gone):

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-07-16 13:44:48
Windows 5.1.2600 Service Pack 2

---- Disk sectors - GMER 1.0.14 ----
Disk \Device\Harddisk0\DR0 sector 61: malicious code @ sector 0x950e4c1 size 0x1fd
Disk \Device\Harddisk0\DR0 sector 62: copy of MBR
---- Devices - GMER 1.0.14 ----
AttachedDevice \Driver\Tcpip \Device\Ip mvstdi5x.sys (Anti-Virus Mini-Firewall Driver/Network Associates, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mvstdi5x.sys (Anti-Virus Mini-Firewall Driver/Network Associates, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mvstdi5x.sys (Anti-Virus Mini-Firewall Driver/Network Associates, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mvstdi5x.sys (Anti-Virus Mini-Firewall Driver/Network Associates, Inc.)
---- EOF - GMER 1.0.14 ----



So, in my opinion, as long as you don't see this line in any of Gmer's logs --> MBR rootkit code detected ! or any 'rootkit-like behavior' lines,
then all is well; the MBR rootkit is removed by running fixmbr, which I assume you've already done.
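An added example (not GMER's, mbr.exe's or any poster's code) that applies the rule rpggamergirl gives above as a small triage script: only "MBR rootkit code detected" / "MBR rootkit infection detected" / "rootkit-like behavior" lines count as a live infection, while a lone "malicious code @ sector ... size ..." line (with or without the "copy of MBR" line) is treated as a post-fixmbr remnant. The first two sample logs are reconstructed from the logs quoted in this thread; the clean log is constructed.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Phrases GMER / mbr.exe print only while rootkit code is actually present in
# the boot sectors. A bare "malicious code @ sector" line is not one of them.
ACTIVE_MARKERS = (
    "mbr rootkit code detected",
    "mbr rootkit infection detected",
    "rootkit-like behavior",
)
MALICIOUS_RE = re.compile(
    r"malicious code @ sector (0x[0-9a-f]+) size (0x[0-9a-f]+)", re.IGNORECASE)
SECTOR_RE = re.compile(r"sector (\d+)", re.IGNORECASE)


@dataclass
class MbrTriage:
    verdict: str = "clean"            # "active", "remnant" or "clean"
    active_lines: List[str] = field(default_factory=list)
    remnants: List[Tuple[int, int]] = field(default_factory=list)  # (sector, size)
    mbr_copy_sector: Optional[int] = None
    mbr_ok: bool = False              # "user & kernel MBR OK" was reported


def triage_gmer_log(text: str) -> MbrTriage:
    """Apply the thread's rule: active only if a rootkit marker line is present."""
    t = MbrTriage()
    for raw in text.splitlines():
        line = raw.strip()
        low = line.lower()
        if "user & kernel mbr ok" in low:
            t.mbr_ok = True
        if any(marker in low for marker in ACTIVE_MARKERS):
            t.active_lines.append(line)
        m = MALICIOUS_RE.search(line)
        if m:  # stale code location, kept for the record but not a verdict by itself
            t.remnants.append((int(m.group(1), 16), int(m.group(2), 16)))
        if "copy of mbr" in low:
            s = SECTOR_RE.search(line)
            if s:
                t.mbr_copy_sector = int(s.group(1))
    if t.active_lines:
        t.verdict = "active"
    elif t.remnants:
        t.verdict = "remnant"
    return t


def explain(t: MbrTriage) -> str:
    """One-line verdict suitable for a ticket note."""
    if t.verdict == "active":
        return (f"ACTIVE: {len(t.active_lines)} rootkit marker line(s); "
                "run fixmbr / mbr.exe -f and rescan")
    if t.verdict == "remnant":
        sec, size = t.remnants[0]
        return (f"REMNANT ONLY: stale code at sector {sec:#x} ({size} bytes), "
                f"MBR copy at sector {t.mbr_copy_sector}; no active rootkit markers")
    return "CLEAN: no MBR rootkit indicators"


# Sample input reconstructed from the asker's mbr.exe log in this thread.
ASKER_LOG = """\
Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
malicious code @ sector 0x4c50135 size 0x1fd !
copy of MBR has been found in sector 62 !
"""

# Sample input reconstructed from the "BEFORE fixmbr" GMER log quoted above.
BEFORE_FIXMBR_LOG = r"""
---- Disk sectors - GMER 1.0.14 ----
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior; MBR rootkit code detected <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 01: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 61: rootkit-like behavior; malicious code @ sector 0x950e4c1 size 0x1fd
Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior; copy of MBR
---- EOF - GMER 1.0.14 ----
"""

# Constructed sample of a log with no findings at all.
CLEAN_LOG = """\
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
"""

if __name__ == "__main__":
    for name, log in (("asker", ASKER_LOG), ("before", BEFORE_FIXMBR_LOG), ("clean", CLEAN_LOG)):
        print(f"{name}: {explain(triage_gmer_log(log))}")
```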

Author Comment

by:Chiarne
ID: 22610638
Hi rpggamergirl,

Since my last posting I have run ESET Mebroot Remover and it has not detected any infection.  This confirms your statement that the MBR rootkit is gone.

This was my first close encounter with a rootkit infection and probably not my last. The line "malicious code at sector..." in the GMER report raised a few flags of concern. Being a newbie at this I jumped to the conclusion that the infection was not totally cleaned and/or still active. Since this is a customer's computer I needed confirmation that the infection was no longer active.

Thanks for your detailed answer.  Problem solved.

Regards

Chiarne



LVL 47

Expert Comment

by:rpggamergirl
ID: 22620471
>>> The line "malicious code at sector..." in the GMER report raised a few flags of concern. <<<
That's understandable. It's only natural for anyone to be concerned when they see that line in Gmer's log.

If you still have that PC, you might like to uninstall ComboFix.
Go to Start > Run and copy and paste next command in the field:

ComboFix /u

The procedure will delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:\_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Set a new, clean Restore Point.
Thanks!
