can you help me with a rootkit issue

January 20, 2011 at 16:47:23
Specs: Windows XP media center edition
I ran ComboFix to get rid of a Google redirect rootkit issue, but the problem still exists. Now what?


#1
January 20, 2011 at 20:19:05
Show us the log.

#2
January 21, 2011 at 04:33:02
ComboFix 11-01-19.04 - Lisa K 01/20/2011 16:11:23.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.502.264 [GMT -5:00]
Running from: c:\documents and settings\Lisa K\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2010-12-20 to 2011-01-20 )))))))))))))))))))))))))))))))
.

2011-01-20 21:01 . 2011-01-20 21:02 -------- d-----w- C:\32788R22FWJFW
2011-01-06 16:04 . 2011-01-06 16:04 -------- d-----w- c:\documents and settings\Lisa K\Tracing
2011-01-06 16:03 . 2010-10-25 13:50 82696 ----a-w- c:\windows\system32\lmdimon8.dll
2011-01-06 16:03 . 2010-10-25 13:50 82184 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\lmdippr8.dll
2011-01-06 16:03 . 2011-01-06 16:03 -------- d-----w- c:\program files\DIFX
2011-01-06 16:02 . 2011-01-06 16:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Applications

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-20 23:09 . 2010-12-19 18:50 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 23:08 . 2010-12-19 18:50 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-01-16 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-15 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-15 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-15 114688]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-03-08 169472]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-09 8192]
"Corel Photo Downloader"="c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe" [2005-08-31 106496]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-11 198160]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-10-08 47904]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SWHelper"="c:\windows\system32\Macromed\Shockwave 10\PostUpdate.exe" [2010-12-04 53248]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2006-3-8 156784]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-3-8 24576]
dlbcserv.lnk - c:\program files\Dell Photo Printer 720\dlbcserv.exe [2006-9-18 315392]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2007-10-18 479232]
Picture Package Menu.lnk - c:\program files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe [2006-4-5 151552]
Picture Package VCD Maker.lnk - c:\program files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe [2006-4-5 106496]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=

S2 gupdate1ca32d1dc69f405;Google Update Service (gupdate1ca32d1dc69f405);c:\program files\Google\Update\GoogleUpdate.exe [9/11/2009 6:20 AM 133104]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 7:49 AM 227232]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/16/2005 5:18 AM 14336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2011-01-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-07-25 16:34]

2011-01-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-11 11:19]

2011-01-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-11 11:19]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.vetds.com/
uInternet Settings,ProxyServer = http=127.0.0.1:59274
uInternet Settings,ProxyOverride = <local>
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
DPF: {00140000-B1BA-11CE-ABC6-F5B2E79D9E3F} - hxxp://www.chathamncrod.org/controls/LTOCX14N.cab
DPF: {9841D1AE-9C0B-11D3-9452-00105A098C21} - hxxp://www.chathamncrod.org/controls/prntpro2.CAB
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-20 16:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Maxtor_6L160M0 rev.BACE1G10 -> Harddisk0\DR0 -> \Device\Ide\IdePort1 P1T0L0-e

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x82325735]<<
c:\docume~1\LISAK~1\LOCALS~1\Temp\catchme.sys
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8232b990]; MOV EAX, [0x8232ba0c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A0] -> \Device\Harddisk0\DR0[0x82361030]
3 CLASSPNP[0xF84B605B] -> ntkrnlpa!IofCallDriver[0x804EF1A0] -> [0x823CA8B8]
\Driver\atapi[0x823602D8] -> IRP_MJ_CREATE -> 0x82325735
kernel: MBR read successfully
_asm { MOV AX, 0x0; MOV SS, AX; MOV SP, 0x7c00; MOV DS, AX; CLD ; MOV CX, 0x80; MOV SI, SP; MOV DI, 0x600; MOV ES, AX; REP MOVSD ; JMP FAR 0x0:0x62d; }
detected disk devices:
\Device\Ide\IdeDeviceP1T0L0-e -> \??\IDE#DiskMaxtor_6L160M0__________________________BACE1G10#334c42415730473220202020334c424157304732#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8232557B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(652)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(712)
c:\windows\system32\WININET.dll
.
Completion time: 2011-01-20 16:26:09
ComboFix-quarantined-files.txt 2011-01-20 21:26
ComboFix2.txt 2011-01-20 20:41

Pre-Run: 134,321,991,680 bytes free
Post-Run: 134,310,711,296 bytes free

- - End Of File - - D4C2B626AB2359DF24DDC85A00289E49


#3
January 21, 2011 at 05:04:50
Ok, run this.

How to remove the TDSS, TDL3, or Alureon rootkit using TDSSKiller
http://www.bleepingcomputer.com/vir...
http://support.kaspersky.com/faq/?q...


#4
January 21, 2011 at 06:31:13
Ran TDSSKiller; it found a rootkit infection and deleted it. I rebooted and immediately ran Malwarebytes (per the recommendations). The Google search issue seems to be resolved... any way to know for sure???

PS: thanks so much. I have been messing with this stupid desktop for 3 days; I should have come here to begin with. You have been awesome!



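What in the log posted in #2 points at TDL3, and one way to answer the "any way to know for sure" question in #4, as an added example that is not part of this thread, of ComboFix, of Gmer or of TDSSKiller. Three things in that log are the tell-tales: the Supplementary Scan shows Internet Explorer's proxy set to `http=127.0.0.1:59274`, i.e. browser traffic forced through a process on the local machine, which is consistent with the search redirects; the Gmer disk trace shows atapi's IRP_MJ_CREATE dispatch and its DriverStartIo pointing at addresses that no loaded module accounts for (`>>UNKNOWN [0x82325735]<<`, `\Driver\atapi DriverStartIo -> 0x8232557B`); and the detector says so outright. The Python below parses those line formats, reports each indicator, and treats a re-run log with none of them as clean, so the check after TDSSKiller is to run ComboFix (or Gmer) again and feed the new log to it. Both excerpts in the code are constructed: the infected one is lifted from the posted log, the clean one is a hypothetical post-cleanup run, and the script name in the usage comment is made up. Two caveats: if the new log still shows `ProxyServer = http=127.0.0.1:...`, clear it under Tools > Internet Options > Connections > LAN settings, and "no indicators" means the scan found nothing, not that nothing is there.

```python
"""Flag the TDL3/TDSS indicators that ComboFix prints in its Supplementary
Scan and its embedded Gmer MBR/driver trace.  Added example for this
thread; it is not part of ComboFix, Gmer or TDSSKiller.  The two excerpts
are constructed: INFECTED_LOG is lifted from the log posted in #2, CLEAN_LOG
is a hypothetical re-run after cleanup (the line formats are ComboFix's)."""
import re
import sys

LOOPBACK = {"127.0.0.1", "localhost", "::1"}

# Constructed excerpt of the posted log: the indicator-bearing lines only.
INFECTED_LOG = r"""
uStart Page = hxxp://www.vetds.com/
uInternet Settings,ProxyServer = http=127.0.0.1:59274
uInternet Settings,ProxyOverride = <local>
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x82325735]<<
\Driver\atapi[0x823602D8] -> IRP_MJ_CREATE -> 0x82325735
detected hooks:
\Driver\atapi DriverStartIo -> 0x8232557B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
"""

# Constructed (hypothetical) excerpt of the same sections after cleanup.
CLEAN_LOG = r"""
uStart Page = hxxp://www.vetds.com/
uInternet Settings,ProxyOverride = <local>
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys
user & kernel MBR OK
"""

# IE proxy line from the Supplementary Scan, e.g. "http=127.0.0.1:59274".
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(?P<value>.+?)\s*$", re.M)
# Gmer's marker for code in kernel memory that no loaded module accounts for.
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(?P<addr>0x[0-9A-Fa-f]+)\]<<")
# Disk-trace line: which address a driver's IRP dispatch entry points at.
DISPATCH_RE = re.compile(
    r"^\\Driver\\(?P<drv>\w+)\[0x[0-9A-Fa-f]+\] -> (?P<irp>IRP_MJ_\w+) -> (?P<addr>0x[0-9A-Fa-f]+)$",
    re.M)
# "detected hooks:" entries, e.g. "\Driver\atapi DriverStartIo -> 0x8232557B".
HOOK_RE = re.compile(r"^\\Driver\\(?P<drv>\w+) (?P<field>\w+) -> (?P<addr>0x[0-9A-Fa-f]+)$", re.M)
# The detector's own verdict line.
VERDICT_RE = re.compile(r"^Warning: possible (?P<name>\w+) rootkit infection", re.M)


def proxy_hosts(value):
    """Hosts named in an IE ProxyServer value ("host:port" or "scheme=host:port;...")."""
    hosts = []
    for part in value.split(";"):
        part = part.strip()
        if "=" in part:                      # per-protocol form: http=host:port
            part = part.split("=", 1)[1]
        host = part.rsplit(":", 1)[0] if ":" in part else part
        hosts.append(host.strip("[]").lower())
    return hosts


def find_indicators(log_text):
    """Return (kind, detail) pairs for every TDL3-style indicator in a ComboFix log."""
    found = []
    # 1. Browser traffic forced through a proxy on the local machine.
    for m in PROXY_RE.finditer(log_text):
        if any(h in LOOPBACK for h in proxy_hosts(m.group("value"))):
            found.append(("loopback-proxy", m.group("value")))
    # 2. Kernel code that is not backed by any loaded driver image.
    unknown = {m.group("addr").lower() for m in UNKNOWN_RE.finditer(log_text)}
    for addr in sorted(unknown):
        found.append(("unknown-kernel-module", addr))
    # 3. A driver's IRP dispatch entry redirected into that unbacked code.
    for m in DISPATCH_RE.finditer(log_text):
        if m.group("addr").lower() in unknown:
            found.append(("dispatch-into-unknown",
                          f"{m.group('drv')} {m.group('irp')} -> {m.group('addr')}"))
    # 4. Any hook Gmer lists explicitly (for TDL3 this is atapi DriverStartIo).
    for m in HOOK_RE.finditer(log_text):
        found.append(("driver-hook",
                      f"{m.group('drv')} {m.group('field')} -> {m.group('addr')}"))
    # 5. The detector's own verdict.
    for m in VERDICT_RE.finditer(log_text):
        found.append(("detector-verdict", m.group("name")))
    return found


def is_clean(log_text):
    """True when none of the indicators above appear (absence of evidence only)."""
    return not find_indicators(log_text)


if __name__ == "__main__":
    # Usage: python check_combofix_log.py ComboFix.txt  (no argument: built-in sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = INFECTED_LOG
    hits = find_indicators(text)
    for kind, detail in hits:
        print(f"{kind:24} {detail}")
    print("clean" if not hits else f"{len(hits)} indicator(s) found")
    sys.exit(1 if hits else 0)
```

Save the whole re-run ComboFix log to a file and pass its path as the first argument; the exit status is non-zero when any indicator is present, so the same script can gate an automated re-check. The hook and dispatch checks only see what Gmer's trace prints, so they are a confirmation of the cleanup the thread describes, not a general rootkit detector.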
#5
January 21, 2011 at 14:47:35
"Google search issue seems to be resolved...any way to know for sure???"
Good news, Colter.

System Restore will probably still have the infection, so you need to clear it.
How Do I Disable & Re-Enable a System Restore After a Virus Infection?
http://windowxptutortips.blogspot.c...
http://www.ehow.com/how_6012864_do-...
http://service1.symantec.com/SUPPOR...
http://service1.symantec.com/SUPPOR...

Keep Malwarebytes (MBAM). With the free version you have to manually update it every time before you run it; once a week should be enough, unless the comp screams at you, telling you that you have a problem.

SUPERAntiSpyware (free version, same procedures as MBAM)
http://www.softpedia.com/get/Intern...
http://www.softpedia.com/progScreen...
http://www.superantispyware.com/ind...

SpywareBlaster
http://www.softpedia.com/get/Intern...
http://www.softpedia.com/progScreen...
http://www.javacoolsoftware.com/spy...
FAQ
http://www.javacoolsoftware.com/spy...

To get infected, your defenses were not good enough. Google using keywords that include > XP media center edition preventative security <, refining if necessary to suit your comp. Everything you need is free.


#6
January 21, 2011 at 16:14:37
Forgot: run these.

ATF Cleaner
http://www.softpedia.com/get/Securi...
http://www.softpedia.com/progScreen...
http://www.atribune.org/
http://www.atribune.org/index.php?o...
Forum
http://www.atribune.org/forums/
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
This will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first, or use CCleaner. http://img830.imageshack.us/i/cclea...

TFC
http://oldtimer.geekstogo.com/TFC.exe
http://www.itxassociates.com/OT-Too...
Please download TFC - Temporary File Cleaner by Old Timer, saving it to your desktop.
* Open the file and close any other windows.
* It will close all programs itself when run, make sure to let it run uninterrupted.
* Click the Start button to begin the process. The program should not take long to finish its job.
* Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

