
Possible rootkit.0access infection


  • This topic is locked
65 replies to this topic

#1 ba5852

    Member

  • Members
  • 81 posts

Posted 14 January 2012 - 01:15 PM

I removed Norton Antivirus Corporate Edition (old version) and installed Norton Internet Security (new version). When I tried to run a scan, NIS started but then suddenly stopped at the beginning of the scan and disappeared. The NIS icon also disappeared from the taskbar. After that, subsequent attempts to run NIS resulted in the same error message as below.

Ran Malwarebytes in chameleon mode and found 11 files labeled as Rootkit.0access. Malwarebytes stated that it successfully quarantined and deleted all 11 files. Ran Malwarebytes again and found no other infected files.

When I try to run Malwarebytes, superantispyware or Norton Internet Security I get the following message:

"Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."

Therefore, I am unable to run any antivirus or antimalware software at this point. I would appreciate any help you might be able to render.

#2 guestolo

    Site Donator

  • Admin
  • 16,247 posts

Posted 14 January 2012 - 01:47 PM

Download DDS and save it to your desktop from here
Right-click dds.scr and choose "Run as Admin" if running Vista or Windows 7; double-click dds.scr if running another OS.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt

Save both reports to your desktop. Post them back to this topic.

Do you want to post your own logs from FRST?
Follow the instructions posted Click Here
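An added triage helper, not from either poster and not a DDS feature: it classifies lines of a DDS "Running Processes" section, the kind posted in reply #3, and flags images that execute from a `\\.\globalroot\Device\...` path as well as copies of system-only binaries such as svchost.exe that sit outside `%SystemRoot%\system32`. The sample lines are constructed; the Temp-folder entry and the user name are hypothetical.

```python
import re

# Constructed sample of a DDS "Running Processes" section (not the thread's full log).
SAMPLE_PROCESSES = r"""
"\\.\globalroot\Device\svchost.exe\svchost.exe"
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\user\Local Settings\Temp\svchost.exe
""".strip().splitlines()

# Binaries that legitimately live only under %SystemRoot%\system32 on Windows XP.
SYSTEM_ONLY = {"svchost.exe", "svchost", "spoolsv.exe", "lsass.exe", "services.exe"}


def classify(line: str) -> tuple:
    """Return (verdict, reason) for one running-process line from a DDS log."""
    image = line.strip().strip('"')
    # Drop service-host arguments such as "-k netsvcs" to isolate the image path.
    image = image.split(" -k ")[0].strip('"')
    low = image.lower()
    name = low.rsplit("\\", 1)[-1]
    if "\\globalroot\\" in low or "\\device\\" in low:
        return ("suspicious", "executes from a device/globalroot path, not a normal file path")
    if "\\" not in low:
        return ("unresolved", "no full path shown; verify the image manually")
    if name in SYSTEM_ONLY and not re.match(r"^[a-z]:\\windows\\system32\\", low):
        return ("suspicious", f"{name} outside %SystemRoot%\\system32")
    return ("ok", "regular file path")


def triage(lines):
    """Classify every non-empty line; returns a list of (line, verdict, reason)."""
    return [(l, *classify(l)) for l in lines if l.strip()]


if __name__ == "__main__":
    for line, verdict, reason in triage(SAMPLE_PROCESSES):
        print(f"{verdict:10} {line}  ({reason})")
```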


#3 ba5852

    Member

  • Members
  • 81 posts

Posted 14 January 2012 - 01:54 PM

dds.txt

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Bruce at 13:04:57 on 2012-01-14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.414 [GMT -5:00]
.
AV: Norton Security Suite *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *Enabled*
.
============== Running Processes ===============
.
"\\.\globalroot\Device\svchost.exe\svchost.exe"
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Maxtor\Sync\SyncServices.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\ULI5289\ALi5289.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\A4Tech\Mouse\Amoumain.exe
C:\Program Files\Common Files\AOL\1228527480\ee\AOLSoftware.exe
C:\Program Files\Maxtor\ManagerApp\msssort.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\PrintKey2000\Printkey2000.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
uURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
mRun: [ALi5289] "c:\program files\uli5289\ALi5289.exe"
mRun: [SoundMan] "SOUNDMAN.EXE"
mRun: [NvCplDaemon] "RUNDLL32.EXE" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] "nwiz.exe" /install
mRun: [NvMediaCenter] "RUNDLL32.EXE" c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NeroCheck] "c:\windows\system32\NeroCheck.exe"
mRun: [EasyTuneV] "c:\program files\gigabyte\et5\GUI.exe"
mRun: [WheelMouse] Amoumain.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [OCAudioIni] "c:\program files\one-click audio converter\OCAudioIni.exe"
mRun: [HostManager] "c:\program files\common files\aol\1228527480\ee\AOLSoftware.exe"
mRun: [mssSort] "c:\program files\maxtor\managerapp\msssort.exe"
mRun: [mxomssmenu] "c:\program files\maxtor\onetouch status\maxmenumgr.exe"
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [<NO NAME>]
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\printk~1.lnk - c:\program files\printkey2000\Printkey2000.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: mswsock.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1151899614577
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{4C667E55-A13A-427B-9BB2-9028CB4ACB7E} : DhcpNameServer = 192.168.0.1
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\bruce\application data\mozilla\firefox\profiles\9o218xc0.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
.
============= SERVICES / DRIVERS ===============
.
R0 m5289;m5289;c:\windows\system32\drivers\m5289.sys [2006-7-2 51840]
R0 uliagpkx;ULi AGP Bus Filter Driver;c:\windows\system32\drivers\AGPKX.SYS [2006-7-2 45056]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 Maxtor Sync Services;Maxtor Service;c:\program files\maxtor\sync\SyncServices.exe [2008-4-1 161120]
R2 NAVAPEL;NAVAPEL;c:\program files\symantec_client_security\symantec antivirus\Navapel.sys [2002-6-19 29184]
R2 StarWindService;StarWind iSCSI Service;c:\program files\alcohol soft\alcohol 120\starwind\StarWindService.exe [2005-4-1 217600]
R3 Amps2prt;A4Tech PS/2 Port Mouse Filter Driver;c:\windows\system32\drivers\Amps2prt.sys [2006-7-3 10195]
R3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [2012-1-13 24064]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-1-14 40776]
R3 vaxscsi;vaxscsi;c:\windows\system32\drivers\vaxscsi.sys [2006-8-6 223128]
S2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;"c:\program files\webroot\security\current\plugins\antimalware\aei.exe" --> c:\program files\webroot\security\current\plugins\antimalware\AEI.exe [?]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-1-13 106104]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\lavasoft\ad-aware\kernexplorer.sys --> c:\program files\lavasoft\ad-aware\KernExplorer.sys [?]
S3 NAVAP;NAVAP;c:\program files\symantec_client_security\symantec antivirus\Navap.sys [2002-6-19 218112]
S3 Norton AntiVirus Server;Symantec AntiVirus Client;c:\program files\symantec_client_security\symantec antivirus\Rtvscan.exe [2002-7-30 573440]
.
=============== Created Last 30 ================
.
2012-01-14 14:46:48 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-01-14 04:42:26 24064 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2012-01-13 21:49:18 -------- d-----w- c:\documents and settings\bruce\application data\Tific
2012-01-13 20:40:25 -------- d-----w- c:\windows\Internet Logs
2012-01-13 20:37:04 -------- d-----w- c:\documents and settings\all users\application data\NortonInstaller
2012-01-13 20:34:36 -------- d-----w- c:\documents and settings\all users\application data\Norton
2012-01-13 20:13:03 -------- d-----w- c:\documents and settings\all users\application data\IsolatedStorage
2012-01-13 20:13:00 -------- d-----w- c:\documents and settings\bruce\local settings\application data\ID Vault
2012-01-13 20:11:18 -------- d-----w- c:\documents and settings\bruce\application data\ID Vault
2012-01-13 20:09:11 -------- d-----w- c:\program files\Constant Guard Protection Suite
2012-01-13 20:06:04 -------- d-----w- c:\windows\system32\XPSViewer
2012-01-13 20:05:34 27648 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
2012-01-13 20:05:12 14048 ------w- c:\windows\system32\spmsg2.dll
2012-01-13 20:01:32 -------- d-----w- c:\documents and settings\all users\application data\White Sky, Inc
.
==================== Find3M ====================
.
2012-01-13 22:27:36 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
2012-01-13 22:27:36 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-12-10 20:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe >>UNKNOWN [0x86F99BF8]<<
_asm { MOV EAX, 0x86f99b18; XCHG [ESP], EAX; PUSH EAX; PUSH 0x86fa0c94; RET ; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; }
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk1\DR1[0x86F66AB8]
\Driver\Disk[0x86F68940] -> IRP_MJ_CREATE -> 0x86F99BF8
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH