[Active] Persistent Win32:Rootkit-gen (Rtk)

bir_25 · #31 (**permalink**) 03-07-2009, 07:06 PM

Cfix log
_______________________________________________
ComboFix 09-06-29.04 - Administrator 07/03/2009 22:40.9 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.126.15 [GMT 5.5:30]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090526-0] *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
* Created a new restore point

FILE ::
"C:\FOUND.000"
"C:\FOUND.001"
"C:\FOUND.049"
"C:\FOUND.050"
"C:\FOUND.051"
"c:\windows\system32\drivers\lhllpn.sys"
"c:\windows\system32\windrvNT.sys"
"c:\windows\system32\WinFLdrv.sys"
"c:\windows\system32\WinFLsrv.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\windrvNT.sys
c:\windows\system32\WinFLdrv.sys
c:\windows\system32\WinFLsrv.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ABP470N5
-------\Service_abp470n5
-------\Legacy_windrvNT
-------\Legacy_WinFLdrv
-------\Service_windrvNT
-------\Service_WinFLdrv

((((((((((((((((((((((((( Files Created from 2009-06-03 to 2009-07-03 )))))))))))))))))))))))))))))))
.

2009-07-02 10:50 . 1996-08-19 13:43 41472 ----a-w- c:\windows\system32\RashProp.dll
2009-07-02 10:50 . 1996-08-19 13:43 132096 ----a-w- c:\windows\system32\RashIcon.dll
2009-07-02 10:50 . 1995-06-01 01:41 28672 ----a-w- c:\windows\system32\AWEMan32.dll
2009-07-01 20:13 . 2009-07-01 20:13 -------- d-sh--w- C:\FOUND.001
2009-07-01 12:52 . 2009-07-01 12:52 -------- d-sh--w- C:\FOUND.000
2009-06-30 19:11 . 2009-06-30 19:11 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-06-30 18:37 . 2009-06-30 18:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\Uniblue
2009-06-30 17:10 . 2009-06-30 17:14 109 --sha-w- c:\windows\system32\2016862369.dat
2009-06-30 12:06 . 2009-06-30 12:06 180224 ----a-w- c:\windows\system32\WinVd32.sys
2009-06-30 12:06 . 2009-06-30 12:06 -------- d-----w- c:\program files\Folder Lock 6
2009-06-29 17:29 . 2009-06-29 17:29 -------- d-sh--w- C:\FOUND.051
2009-06-29 15:43 . 2009-06-29 15:43 -------- d-sh--w- C:\FOUND.050
2009-06-29 14:56 . 2009-06-29 14:56 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-29 14:56 . 2009-06-29 14:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-29 07:57 . 2009-06-29 07:57 -------- d-sh--w- C:\FOUND.049
2009-06-27 09:13 . 2009-06-27 09:13 3631375 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-26 16:33 . 2009-06-26 16:33 -------- d--h--w- c:\windows\$hf_mig$
2009-06-08 14:41 . 2009-06-08 14:41 -------- d-----w- c:\program files\Mario Forever Toolbar
2009-06-04 10:35 . 2009-06-04 10:35 -------- d-----w- c:\program files\Winamp
2009-06-04 10:35 . 2009-06-04 10:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\Winamp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2009-06-30 11:55 . 2008-01-28 09:57 2154 ----a-w- C:\sccfg.sys
2009-06-28 07:50 . 2008-01-09 15:32 499712 ----a-w- c:\windows\system32\igfxtray.exe
2009-06-25 05:55 . 2008-05-16 10:32 60 ----a-w- c:\windows\wpd99.drv
2009-06-17 05:57 . 2009-05-27 16:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 05:57 . 2009-05-27 16:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-30 14:58 . 2009-05-28 06:44 29584 ----a-w- c:\windows\system32\drivers\regguard.sys
2009-05-29 19:01 . 2009-05-29 19:01 -------- d-----w- c:\documents and settings\All Users\Application Data\98348586
2009-05-29 19:01 . 2009-05-29 19:01 -------- d-----w- c:\documents and settings\All Users\Application Data\18338594
2009-05-28 06:41 . 2009-05-28 06:41 -------- d-----w- c:\program files\Greatis
2009-05-27 19:07 . 2009-05-27 19:06 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-27 19:06 . 2009-05-27 19:06 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-05-27 19:06 . 2009-05-27 19:06 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-05-27 18:21 . 2009-05-27 18:21 -------- d--h--w- c:\documents and settings\All Users\Application Data\{81D4BDA8-1F33-4633-B176-8A7E942ABDE1}
2009-05-27 16:36 . 2009-05-27 16:36 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-05-27 16:36 . 2009-05-27 16:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-05-27 16:36 . 2009-05-27 16:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-25 18:06 . 2009-05-25 18:06 -------- d-----w- c:\program files\Trend Micro
2009-05-18 16:58 . 2008-01-09 15:40 37952 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-12 14:36 . 2009-05-12 14:36 -------- d-----w- c:\program files\PublicSoft
2009-05-12 08:43 . 2009-05-12 08:43 -------- d-----w- c:\documents and settings\Administrator\Application Data\Fast Torrent
2009-05-08 08:49 . 2009-05-08 08:49 -------- d-----w- c:\program files\WinDjView
2009-05-07 15:46 . 2009-05-07 15:45 162816 ----a-w- c:\windows\system32\fmod.dll
2009-05-07 15:20 . 2009-05-07 15:20 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
2009-05-07 15:11 . 2009-05-07 15:11 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
.

((((((((((((((((((((((((((((( SnapShot@2009-06-30_06.12.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-03 17:36 . 2009-07-03 17:36 16384 c:\windows\temp\Perflib_Perfdata_22c.dat
+ 2009-07-02 15:41 . 2009-07-02 15:41 89102 c:\windows\system32\Macromed\Flash\uninstall_activ eX.exe
- 2008-02-03 15:39 . 2009-01-03 15:54 89102 c:\windows\system32\Macromed\Flash\uninstall_activ eX.exe
- 2008-06-09 04:54 . 2008-06-09 18:55 32768 c:\windows\system32\config\systemprofile\Cookies\i ndex.dat
+ 2008-06-09 04:54 . 2009-06-30 17:15 32768 c:\windows\system32\config\systemprofile\Cookies\i ndex.dat
+ 2008-02-23 17:17 . 1999-11-10 06:35 163840 c:\windows\unvise32qt.exe
+ 2008-01-15 04:41 . 2008-01-15 04:41 437255 c:\windows\system32\mioengine.exe
+ 2009-02-03 02:07 . 2009-02-03 02:07 240544 c:\windows\system32\Macromed\Flash\FlashUtil10b.ex e
+ 2008-01-09 15:32 . 2002-09-08 18:35 192512 c:\windows\system32\hkcmd.exe
- 2008-06-09 04:54 . 2008-06-09 18:55 196608 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-06-09 04:54 . 2009-06-30 17:15 196608 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-06-09 04:54 . 2009-06-30 17:15 147456 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-06-09 04:54 . 2008-06-09 18:55 147456 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-02-02 12:37 . 2009-02-02 12:37 1988168 c:\windows\Downloaded Program Files\FP_AX_CAB_INSTALLER.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-06-28 499712]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2002-09-08 192512]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp. exe" [2009-02-05 81000]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2003-04-24 132608]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\cur rentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\run-]
"SUPERAntiSpyware"=c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UacDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"e:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\System32\\hkcmd.exe"= c:\\WINDOWS\\system32\\hkcmd.exe
"c:\\WINDOWS\\SOUNDMAN.EXE"=
"c:\\WINDOWS\\System32\\mmc.exe"=
"c:\\WINDOWS\\system32\\igfxtray.exe"=
"c:\\WINDOWS\\system32\\netsh.exe"=
"c:\\WINDOWS\\system32\\dwwin.exe"=
"e:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Trend Micro\\HijackThis\\HijackThise.exe"=
"e:\\Program Files\\Mario Forever\\Mario Forever.exe"=
"c:\\ComboFix\\NirCmd.cfexe"=
"c:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"=
"e:\\spybotsd162.exe"=
"c:\\Program Files\\Google\\Common\\Google Updater\\GoogleUpdaterService.exe"=
"c:\\Documents and Settings\\Administrator\\Desktop\\ComboFix.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\GloballyOpenPorts\List]
"53:UDP"= 53:UDP:Promo

R3 slnt;Silan SC92031 PCI Fast Ethernet Adapter;c:\windows\system32\drivers\slnt.sys [1/9/2008 9:10 PM 18004]
S3 PhSerUsb;PHILOG USB Serial Driver;c:\windows\system32\drivers\PhSerUsb.sys [3/30/2009 2:47 PM 48896]
S3 regguard;RegGuard;c:\windows\system32\drivers\regg uard.sys [5/28/2009 12:14 PM 29584]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ABP470N5
.
Contents of the 'Scheduled Tasks' folder

2009-07-03 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-01-31 16:14]
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{F552DDE6-2090-4bf4-B924-6141E87789A5} - (no file)

.
------- Supplementary Scan -------
.
uStart Page = nnnnnhxxp://www.orissalinks.com/archive
IE: Download all with Free Download Manager - file://e:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://e:\program files\Free Download Manager\dlselected.htm
Handler: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - c:\windows\wc98pp.dll
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\vyi0rjd6.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.in/search?hl=en&client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial&hs=Ehu&q=displacement+current+filety pe%3Aswf&btnG=Search&meta=
FF - component: e:\program files\Mozilla Firefox\components\xpinstal.dll
.

************************************************** ************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2009-07-03 23:05
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

************************************************** ************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\windows\system32\wdfmgr.exe
.
************************************************** ************************
.
Completion time: 2009-07-03 23:09 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-03 17:39
ComboFix2.txt 2009-07-03 05:35
ComboFix3.txt 2009-07-01 19:56
ComboFix4.txt 2009-07-01 08:20
ComboFix5.txt 2009-07-03 17:08

Pre-Run: 3,783,270,400 bytes free
Post-Run: 3,662,151,680 bytes free

204

--------------------------------------------------------------------------
HJT log
--------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11

48 PM, on 7/3/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dwwin.exe
C:\Program Files\Trend Micro\HijackThis\HijackThise.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\svchost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = nnnnnhttp://www.orissalinks.com/archive
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\s wg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Pol icies\System, DisableRegedit=1
O8 - Extra context menu item: Download all with Free Download Manager - file://E:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://E:\Program Files\Free Download Manager\dlselected.htm
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

--
End of file - 3083 bytes
------------------------------------------------------------------------------

bir_25 · #32 (**permalink**) 03-07-2009, 07:06 PM

I clicked OK. This was also shown to me in one of my earlier scans, where I okayed it outright. I think the malware's first victim is me since no definition of it exists with the latest updated Combofix as well as MABM!!

broni · #33 (**permalink**) 04-07-2009, 01:32 AM

You did fine in both cases

Thanks.

We're not done yet, but the computer looks much better.

Is your Avast working? From your latest HJT, I can see, it's only partially running, but it may be because, you disabled it for the run of Combofix.

Now, let's try Dr.Web again.

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Doubleclick the drweb-cureit.exe file and Allow to run the express scan
This will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click Yes to all if it asks if you want to cure/move the file.
When the scan has finished, in the menu, click File and choose Save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
Copy and paste that log in the next reply. You can use Notepad to open the DrWeb.cvs report.