Rootkit: hidden boot sector


Rootkit: hidden boot sector

Post by AdkWoody on Wed 11 May 2011, 2:59 pm

Hello all. I have a friend's computer that I'm working on, trying to remove this pesky thing. File name is MBR:\\.\PHYSICALDRIVE0 and the rootkit name is Rootkit: hidden boot sector. Avast has picked it up every time and says it has deleted it every time. I have even done a boot scan; it caught it, said it got rid of it, I did another scan after start up and it said nothing found. Not a half hour later, Avast says it found the rootkit again. There is no restore point to go from since my friend never created one and earlier today was the most recent. Malwarebytes comes up clean, and housecall.trendmicro.com comes up clean. There is no boot disk or Windows disk to load to wipe it clean. I do have the application DVD and the drivers and utilities DVD. Is there anything I can do to fix this with what I have?

AdkWoody
Rookie Surfer

Posts : 69
Joined : 2010-08-17
Operating System : Windows 7 Home Premium 64-Bit
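What the avast label in the post refers to, as an added example that is not code from the thread, from avast or from ComboFix: MBR:\\.\PHYSICALDRIVE0 is the first 512-byte sector of the disk, and a boot-sector rootkit survives a "deletion" by rewriting that sector, so the practical check is to read it and compare its bootstrap code with a known-good copy rather than trusting what a scanner reports after the fact. The script below parses the sector (440 bytes of bootstrap code, the disk signature, four partition entries, the 0x55AA marker), validates its structure and compares the bootstrap bytes with a baseline hash. The baseline, the sample sectors and the disk signature value are constructed for the demo, and read_mbr, check_mbr and build_sample_mbr are my names, not anything from the tools discussed.

```python
r"""Parse a 512-byte MBR and compare it with a known-good baseline.

Added example (not from the thread, avast or ComboFix). An AV label of the
form MBR:\\.\PHYSICALDRIVE0 points at the first sector of the disk: 440 bytes
of bootstrap code, a 4-byte disk signature, four 16-byte partition entries and
the 0x55AA marker. A boot-sector rootkit replaces the bootstrap code so that it
runs before Windows, which is why a scanner can report it removed and then
find it again after the next reboot. The baseline hash and sample sectors
below are constructed for the demo; in practice the baseline comes from a
known-clean image of the same machine.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440           # bytes 0..439: bootstrap code (the part we hash)
DISK_SIG_OFF = 440            # 4-byte disk signature, then 2 reserved bytes
PART_TABLE_OFF = 446          # four 16-byte partition entries
MBR_SIGNATURE = b"\x55\xaa"   # bytes 510..511


def read_mbr(device_path: str) -> bytes:
    # Windows: \\.\PhysicalDrive0 from an elevated prompt; Linux: /dev/sda as root.
    # A plain disk image file works the same way.
    with open(device_path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def parse_partitions(mbr: bytes) -> list:
    """Decode the four partition entries (status, type, start LBA, sector count)."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status(1) CHS-start(3, skipped) type(1) CHS-end(3, skipped) LBA(4) count(4)
        status, ptype, lba_start, lba_count = struct.unpack_from("<B3xB3xII", mbr, off)
        parts.append({"index": i, "status": status, "type": ptype,
                      "lba_start": lba_start, "lba_count": lba_count})
    return parts


def check_mbr(mbr: bytes, baseline_sha256: str) -> dict:
    """Structural checks plus a comparison of the bootstrap code with the baseline."""
    findings = []
    if len(mbr) != SECTOR_SIZE:
        return {"findings": [f"unexpected sector length {len(mbr)}"], "partitions": []}
    if mbr[510:512] != MBR_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    code_hash = hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()
    if code_hash != baseline_sha256:
        findings.append("bootstrap code differs from baseline")
    parts = [p for p in parse_partitions(mbr) if p["type"] != 0]
    if sum(1 for p in parts if p["status"] == 0x80) > 1:
        findings.append("more than one partition marked active")
    if any(p["status"] not in (0x00, 0x80) for p in parts):
        findings.append("invalid partition status byte")
    disk_sig = struct.unpack_from("<I", mbr, DISK_SIG_OFF)[0]
    return {"code_sha256": code_hash, "disk_signature": disk_sig,
            "partitions": parts, "findings": findings}


# --- constructed sample data (not a real boot sector) ------------------------
CLEAN_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c".ljust(BOOT_CODE_LEN, b"\x90")
CLEAN_BASELINE = hashlib.sha256(CLEAN_BOOT_CODE).hexdigest()
# Same sector, but the first instruction replaced by a jump elsewhere.
TAMPERED_BOOT_CODE = b"\xe9\x00\x01" + CLEAN_BOOT_CODE[3:]


def build_sample_mbr(boot_code: bytes, disk_sig: int = 0x1234ABCD) -> bytes:
    """Assemble a sector with one active NTFS-type partition starting at LBA 2048."""
    entry = struct.pack("<B3sB3sII", 0x80, bytes(3), 0x07, bytes(3), 2048, 204800)
    sector = boot_code + struct.pack("<IH", disk_sig, 0) + entry + bytes(48) + MBR_SIGNATURE
    assert len(sector) == SECTOR_SIZE
    return sector


if __name__ == "__main__":
    for label, code in (("clean", CLEAN_BOOT_CODE), ("tampered", TAMPERED_BOOT_CODE)):
        result = check_mbr(build_sample_mbr(code), CLEAN_BASELINE)
        print(label, result["findings"] or "no findings")
```

Reading the sector from the drive while it is attached to a second machine (the poster later mentions having a desktop with Ubuntu available) gives a more trustworthy result than reading it on the suspect system, because a rootkit that hooks disk I/O can return a clean-looking sector to anything running on top of it.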

Re: Rootkit: hidden boot sector

Post by AdkWoody on Wed 11 May 2011, 3:02 pm

The computer is a Dell Inspiron laptop running Windows 7 64bit


Re: Rootkit: hidden boot sector

Post by Crush on Wed 11 May 2011, 4:29 pm

Hi,


Please download ComboFix from BleepingComputer.com

Alternate link: GeeksToGo.com

Rename ComboFix.exe to commy.exe before you save it to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here.
  • Click Start > Run, then copy/paste the following command into the Run box and click OK: "%userprofile%\desktop\commy.exe" /stepdel
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.


Crush
Tech Officer

Posts : 3889
Joined : 2010-01-28

Re: Rootkit: hidden boot sector

Post by AdkWoody on Thu 12 May 2011, 3:05 am

ComboFix 11-05-10.02 - Christine 05/11/2011 11:49:59.1.2 - x64
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.2008.926 [GMT -4:00]
Running from: c:\users\Christine\Downloads\commy.exe
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\Microsoft\Network\Downloader\qmgr0.dat
c:\programdata\Microsoft\Network\Downloader\qmgr1.dat
.
----- BITS: Possible infected sites -----
.
[You must be registered and logged in to see this link.]
.
((((((((((((((((((((((((( Files Created from 2011-04-11 to 2011-05-11 )))))))))))))))))))))))))))))))
.
.
2011-05-11 15:57 . 2011-05-11 15:57 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-05-11 15:19 . 2010-05-26 14:39 6144 ------w- c:\windows\system32\B5B8.tmp
2011-05-11 15:18 . 2010-05-26 14:39 6144 ------w- c:\windows\system32\2C9B.tmp
2011-05-11 14:11 . 2010-05-26 14:39 6144 ------w- c:\windows\system32\82D6.tmp
2011-05-11 14:10 . 2010-05-26 14:39 6144 ------w- c:\windows\system32\11AC.tmp
2011-05-11 14:10 . 2011-05-11 14:10 -------- d-----w- c:\program files (x86)\Sophos
2011-05-11 05:03 . 2010-09-06 09:26 189520 ----a-w- c:\windows\SysWow64\drivers\tmcomm.sys
2011-05-11 01:22 . 2010-12-20 22:09 38224 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
2011-05-11 01:22 . 2011-05-11 01:22 -------- d-----w- c:\programdata\Malwarebytes
2011-05-11 01:21 . 2011-05-11 01:22 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2011-05-11 01:21 . 2010-12-20 22:08 24152 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-11 00:41 . 2011-05-11 00:41 -------- d-----w- c:\programdata\CyberLink
2011-05-11 00:40 . 2001-09-05 08:18 225280 ----a-w- c:\program files (x86)\Common Files\InstallShield\IScript\iscript.dll
2011-05-11 00:40 . 2001-09-05 08:18 77824 ----a-w- c:\program files (x86)\Common Files\InstallShield\Engine\6\Intel 32\ctor.dll
2011-05-11 00:40 . 2001-09-05 08:14 176128 ----a-w- c:\program files (x86)\Common Files\InstallShield\Engine\6\Intel 32\iuser.dll
2011-05-11 00:40 . 2001-09-05 08:13 32768 ----a-w- c:\program files (x86)\Common Files\InstallShield\Engine\6\Intel 32\objectps.dll
2011-05-11 00:15 . 2011-05-11 00:15 -------- d-----w- c:\program files (x86)\Google
2011-05-11 00:15 . 2011-04-18 17:18 287064 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-05-11 00:15 . 2011-04-18 17:13 22360 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-05-11 00:15 . 2011-04-18 17:13 31064 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-05-11 00:15 . 2011-04-18 17:17 600920 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-05-11 00:15 . 2011-04-18 17:16 53592 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-05-11 00:15 . 2011-04-18 17:25 253888 ----a-w- c:\windows\system32\aswBoot.exe
2011-05-11 00:15 . 2011-04-18 17:13 64344 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-05-11 00:14 . 2011-04-18 17:25 40112 ----a-w- c:\windows\avastSS.scr
2011-05-11 00:14 . 2011-04-18 17:25 199304 ----a-w- c:\windows\SysWow64\aswBoot.exe
2011-05-11 00:14 . 2011-05-11 00:14 -------- d-----w- c:\programdata\AVAST Software
2011-05-11 00:14 . 2011-05-11 00:14 -------- d-----w- c:\program files\AVAST Software
2011-05-11 00:12 . 2011-04-18 13:15 8802128 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{D1E45A3C-A590-48A6-8D46-591CD26E4604}\mpengine.dll
2011-05-11 00:12 . 2011-02-02 22:11 270720 ------w- c:\windows\system32\MpSigStub.exe
2011-05-10 21:30 . 2011-05-10 23:37 -------- d-----w- c:\users\Christine
2011-05-10 21:17 . 2011-05-11 01:40 -------- d-----w- C:\Emergency
2011-05-10 20:54 . 2011-05-10 21:17 -------- d-----w- c:\windows\SMINST
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Dell DataSafe Online"="c:\program files (x86)\Dell DataSafe Online\DataSafeOnline.exe" [2010-02-09 1807680]
"Desktop Disc Tool"="c:\program files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [2009-10-15 498160]
"DellSupportCenter"="c:\program files (x86)\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-04-18 3460784]
"PDVDDXSrv"="c:\program files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-06-25 140520]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\program files (x86)\Dell DataSafe Local Backup\Components\scheduler\Launcher.exe" [2011-01-13 165184]
.
c:\users\Christine\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-12-15 1324384]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-12-15 1324384]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-11 136176]
R3 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;c:\program files (x86)\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe [2009-09-18 169312]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-11 136176]
R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\B5B8.tmp [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_7f58c91b65c73836\AESTSr64.exe [2009-03-02 89600]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [x]
S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2009-06-09 155648]
S2 SftService;SoftThinks Agent Service;c:\program files (x86)\Dell DataSafe Local Backup\sftservice.EXE [2011-01-13 705856]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-11 00:15]
.
2011-05-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-11 00:15]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-04-18 17:25 134384 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2010-04-06 384296]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2010-02-25 487424]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-02-21 165912]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-02-21 387608]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-02-21 365592]
"Broadcom Wireless Manager UI"="c:\program files\Dell\Dell Wireless WLAN Card\WLTRAY.exe" [2009-07-17 4968960]
"QuickSet"="c:\program files\Dell\QuickSet\QuickSet.exe" [2009-07-02 3180624]
"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-05 186904]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
SafeBoot-mcmscsvc
SafeBoot-MCODS
Toolbar-Locked - (no file)
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\B5B8.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10d.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10d.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-05-11 12:02:00
ComboFix-quarantined-files.txt 2011-05-11 16:01
.
Pre-Run: 186,958,000,128 bytes free
Post-Run: 186,942,464,000 bytes free
.
- - End Of File - - 0C8677023DC144E98CA2B4177EE84D5A


Re: Rootkit: hidden boot sector

Post by AdkWoody on Thu 12 May 2011, 3:09 am

Thank you for the help. Please let me know if what you need is here. If not, I will restart the computer and do it again. One of the programs I tried to use to get rid of it before I posted here may still have it in their "grasp"? It found like 6 or so infected files but said it can't remove them without destroying the computer. The program is called Sophos Anti-Rootkit. Not sure if this helps you any. Thanks again.


Re: Rootkit: hidden boot sector

Post by Crush on Thu 12 May 2011, 5:32 am

Just these to deal with now:

Re-running ComboFix to remove infections:

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    File::
    c:\windows\system32\B5B8.tmp
    c:\windows\system32\2C9B.tmp
    c:\windows\system32\82D6.tmp
    c:\windows\system32\11AC.tmp

    Registry::
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MEMSWEEP2]
  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.

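Before writing a CFScript like the one above, a helper reads the log for two things by eye; the script below (an added example, not code from the thread, from ComboFix or from Sophos) does the same mechanically over lines copied from the first log posted in this thread. It flags services whose image is a .tmp file under system32 (here MEMSWEEP2 loading B5B8.tmp, which the log's own registry section lists as that service's ImagePath) and, for each such .tmp, lists the directories created within a two-minute window. In this log 11AC.tmp and 82D6.tmp were created in the same minute as the Sophos directory, and all four .tmp files carry the same original timestamp, which is worth correlating with the anti-rootkit tool the poster says they ran before those files are deleted. The two-minute window and the function names are my choices.

```python
r"""Triage the 'Files Created' and service lines of a ComboFix log.

Added example; not code from the thread, from ComboFix or from Sophos.
Two checks: (1) services whose driver image is a .tmp file under system32,
and (2) for each such .tmp, the directories created within a short window,
so a dropped driver can be tied to whatever installed it instead of being
deleted blind. Sample lines are copied from the log posted in this thread.
"""
import re
from datetime import datetime, timedelta

# "<created> . <modified> <size> <attrs> <path>" lines of the Files Created section
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\S+) (?P<attrs>\S+) (?P<path>.+)$"
)
# "R3 name;display;image [info]" service/driver lines
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d) (?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<image>.*?)\s*\[(?P<info>[^\]]*)\]$"
)
TS_FORMAT = "%Y-%m-%d %H:%M"

# Lines copied from the ComboFix log posted above.
SAMPLE_LOG = r"""
2011-05-11 15:57 . 2011-05-11 15:57 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-05-11 15:19 . 2010-05-26 14:39 6144 ------w- c:\windows\system32\B5B8.tmp
2011-05-11 15:18 . 2010-05-26 14:39 6144 ------w- c:\windows\system32\2C9B.tmp
2011-05-11 14:11 . 2010-05-26 14:39 6144 ------w- c:\windows\system32\82D6.tmp
2011-05-11 14:10 . 2010-05-26 14:39 6144 ------w- c:\windows\system32\11AC.tmp
2011-05-11 14:10 . 2011-05-11 14:10 -------- d-----w- c:\program files (x86)\Sophos
2011-05-11 01:22 . 2011-05-11 01:22 -------- d-----w- c:\programdata\Malwarebytes
2011-05-11 01:21 . 2010-12-20 22:08 24152 ----a-w- c:\windows\system32\drivers\mbam.sys
R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\B5B8.tmp [x]
S1 aswSnx;aswSnx; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [x]
"""


def parse_log(text: str):
    """Split log text into file-creation records and service records."""
    files, services = [], []
    for line in text.strip().splitlines():
        m = FILE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["created"] = datetime.strptime(rec["created"], TS_FORMAT)
            rec["is_dir"] = rec["attrs"].startswith("d")
            files.append(rec)
            continue
        m = SERVICE_RE.match(line)
        if m:
            services.append(m.groupdict())
    return files, services


def _is_system32_tmp(path: str) -> bool:
    p = path.lower()
    return p.endswith(".tmp") and "\\windows\\system32\\" in p


def tmp_backed_services(services):
    """Services or drivers whose image is a .tmp file under system32."""
    return [s for s in services if _is_system32_tmp(s["image"])]


def suspicious_tmp_files(files, window=timedelta(minutes=2)):
    """system32 .tmp files, each with the directories created within +/- window."""
    out = []
    for f in files:
        if not _is_system32_tmp(f["path"]):
            continue
        neighbours = sorted(
            g["path"] for g in files
            if g is not f and g["is_dir"] and abs(g["created"] - f["created"]) <= window
        )
        out.append({"path": f["path"], "created": f["created"],
                    "size": int(f["size"]), "neighbours": neighbours})
    return out


def triage(text: str) -> dict:
    files, services = parse_log(text)
    return {"tmp_services": tmp_backed_services(services),
            "tmp_files": suspicious_tmp_files(files)}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for s in result["tmp_services"]:
        print(f"service {s['name']} loads {s['image']}")
    for f in result["tmp_files"]:
        print(f"{f['path']} created {f['created']:%Y-%m-%d %H:%M}; "
              f"directories created nearby: {f['neighbours'] or 'none'}")
```

Run against the full log, the same two functions also surface the avast entries whose image path is empty ([x]); those are expected for a freshly installed AV and are not flagged here because the rule is deliberately narrow: only a loadable image that is a .tmp under system32.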

Re: Rootkit: hidden boot sector

Post by AdkWoody on Thu 12 May 2011, 8:37 am

It won't let me. Every time I drop the file into Commy, it starts up and about 1 minute later I get a blue screen saying Windows is under attack, then the whole computer restarts.


Re: Rootkit: hidden boot sector

Post by Crush on Thu 12 May 2011, 3:50 pm

Try in Safe Mode


Re: Rootkit: hidden boot sector

Post by AdkWoody on Fri 13 May 2011, 8:35 am

Ok. I have done it in safe mode but now it wants to submit malware files for further analysis and is asking me to ensure I'm connected to the internet before clicking on OK. In safe mode, I have no internet. What do I do here? I am going to assume that I can copy and paste the log in a note and then it will save for when I get back into normal boot?.... I do also have a desktop computer that I can hook the hard drive to if it's easier for you... as long as you walk me through accessing the hard drive from it. That computer has Vista 32 bit or Ubuntu 10.10 64 bit.


Re: Rootkit: hidden boot sector

Post by AdkWoody on Fri 13 May 2011, 11:14 am

ComboFix 11-05-10.02 - Christine 05/12/2011 17:21:05.4.2 - x64 MINIMAL
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.2008.1216 [GMT -4:00]
Running from: c:\users\Christine\Desktop\commy.exe
Command switches used :: c:\users\Christine\Desktop\CFScript - Shortcut.lnk
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2011-04-12 to 2011-05-12 )))))))))))))))))))))))))))))))
.
.
2011-05-12 21:26 . 2011-05-12 21:26 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-05-12 07:02 . 2011-05-12 07:02 -------- d-----w- c:\program files (x86)\Microsoft.NET
2011-05-11 15:19 . 2010-05-26 14:39 6144 ----a-w- c:\windows\system32\B5B8.tmp
2011-05-11 15:18 . 2010-05-26 14:39 6144 ----a-w- c:\windows\system32\2C9B.tmp
2011-05-11 14:11 . 2010-05-26 14:39 6144 ----a-w- c:\windows\system32\82D6.tmp
2011-05-11 14:10 . 2010-05-26 14:39 6144 ----a-w- c:\windows\system32\11AC.tmp
2011-05-11 14:10 . 2011-05-11 14:10 -------- d-----w- c:\program files (x86)\Sophos
2011-05-11 05:03 . 2010-09-06 09:26 189520 ----a-w- c:\windows\SysWow64\drivers\tmcomm.sys
2011-05-11 01:22 . 2010-12-20 22:09 38224 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
2011-05-11 01:22 . 2011-05-11 01:22 -------- d-----w- c:\programdata\Malwarebytes
2011-05-11 01:21 . 2011-05-11 01:22 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2011-05-11 01:21 . 2010-12-20 22:08 24152 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-11 00:41 . 2011-05-11 00:41 -------- d-----w- c:\programdata\CyberLink
2011-05-11 00:40 . 2001-09-05 08:18 225280 ----a-w- c:\program files (x86)\Common Files\InstallShield\IScript\iscript.dll
2011-05-11 00:40 . 2001-09-05 08:18 77824 ----a-w- c:\program files (x86)\Common Files\InstallShield\Engine\6\Intel 32\ctor.dll
2011-05-11 00:40 . 2001-09-05 08:14 176128 ----a-w- c:\program files (x86)\Common Files\InstallShield\Engine\6\Intel 32\iuser.dll
2011-05-11 00:40 . 2001-09-05 08:13 32768 ----a-w- c:\program files (x86)\Common Files\InstallShield\Engine\6\Intel 32\objectps.dll
2011-05-11 00:15 . 2011-05-11 00:15 -------- d-----w- c:\program files (x86)\Google
2011-05-11 00:15 . 2011-04-18 17:18 287064 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-05-11 00:15 . 2011-04-18 17:13 22360 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-05-11 00:15 . 2011-04-18 17:13 31064 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-05-11 00:15 . 2011-04-18 17:17 600920 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-05-11 00:15 . 2011-04-18 17:16 53592 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-05-11 00:15 . 2011-04-18 17:25 253888 ----a-w- c:\windows\system32\aswBoot.exe
2011-05-11 00:15 . 2011-04-18 17:13 64344 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-05-11 00:14 . 2011-04-18 17:25 40112 ----a-w- c:\windows\avastSS.scr
2011-05-11 00:14 . 2011-04-18 17:25 199304 ----a-w- c:\windows\SysWow64\aswBoot.exe
2011-05-11 00:14 . 2011-05-11 00:14 -------- d-----w- c:\programdata\AVAST Software
2011-05-11 00:14 . 2011-05-11 00:14 -------- d-----w- c:\program files\AVAST Software
2011-05-11 00:12 . 2011-04-18 13:15 8802128 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{D1E45A3C-A590-48A6-8D46-591CD26E4604}\mpengine.dll
2011-05-11 00:12 . 2011-02-02 22:11 270720 ------w- c:\windows\system32\MpSigStub.exe
2011-05-10 21:30 . 2011-05-12 21:00 -------- d-----w- c:\users\Christine
2011-05-10 21:17 . 2011-05-11 01:40 -------- d-----w- C:\Emergency
2011-05-10 20:54 . 2011-05-10 21:17 -------- d-----w- c:\windows\SMINST
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
- 2009-07-14 04:54 . 2011-05-11 15:04 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2011-05-12 21:03 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 04:54 . 2011-05-11 15:04 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2011-05-12 21:03 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2011-05-11 15:04 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2011-05-12 21:03 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-05-11 13:30 . 2011-05-12 20:55 98176 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2010-07-10 01:37 . 2011-05-12 07:24 32376 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2011-05-12 21:03 30944 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2011-05-12 21:59 . 2011-05-12 20:55 67584 c:\windows\system32\LogFiles\Srt\bootstat.dat
- 2011-05-10 21:26 . 2011-05-11 15:01 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-05-10 21:26 . 2011-05-12 21:13 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-05-10 21:26 . 2011-05-12 21:13 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2011-05-10 21:26 . 2011-05-11 15:01 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2011-05-11 15:01 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2011-05-12 21:13 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:46 . 2011-05-12 21:04 78512 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
- 2011-05-10 22:13 . 2011-05-11 15:04 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-05-10 22:13 . 2011-05-12 21:08 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-05-10 22:13 . 2011-05-11 15:04 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-05-10 22:13 . 2011-05-12 21:08 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-05-10 23:51 . 2011-05-12 21:03 5152 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1338394851-2888564178-1302984018-1000_UserData.bin
+ 2011-05-11 18:15 . 2011-05-11 18:15 8192 c:\windows\system32\Microsoft\Protect\Recovery\Recovery.dat
+ 2011-05-12 21:13 . 2011-05-12 21:13 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2011-05-11 15:01 . 2011-05-11 15:01 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2011-05-11 15:01 . 2011-05-11 15:01 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-05-12 21:13 . 2011-05-12 21:13 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-07-14 02:36 . 2011-05-12 21:20 615122 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2011-05-12 21:20 103496 c:\windows\system32\perfc009.dat
+ 2009-07-14 05:38 . 2011-05-12 21:59 262144 c:\windows\system32\config\systemprofile\ntuser.dat
- 2009-07-14 05:38 . 2010-07-10 02:59 262144 c:\windows\system32\config\systemprofile\ntuser.dat
- 2009-07-14 04:45 . 2011-05-11 00:52 3802522 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
+ 2009-07-14 04:45 . 2011-05-12 21:03 3802522 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
- 2009-07-14 02:34 . 2011-05-11 15:15 10223616 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
+ 2009-07-14 02:34 . 2011-05-11 23:57 10223616 c:\windows\system32\SMI\Store\Machine\schema.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"dellsupportcenter"="c:\program files (x86)\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]
"Launcher"="c:\program files (x86)\Dell DataSafe Local Backup\Components\scheduler\Launcher.exe" [2011-01-13 165184]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-12-15 1324384]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R1 aswSnx;aswSnx; [x]
R1 aswSP;aswSP; [x]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_7f58c91b65c73836\AESTSr64.exe [2009-03-02 89600]
R2 aswFsBlk;aswFsBlk; [x]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [x]
R2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2009-06-09 155648]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-11 136176]
R2 SftService;SoftThinks Agent Service;c:\program files (x86)\Dell DataSafe Local Backup\sftservice.EXE [2011-01-13 705856]
R3 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;c:\program files (x86)\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe [2009-09-18 169312]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-11 136176]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-11 00:15]
.
2011-05-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-11 00:15]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-04-18 17:25 134384 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2010-04-06 384296]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2010-02-25 487424]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-02-21 165912]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-02-21 387608]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-02-21 365592]
"Broadcom Wireless Manager UI"="c:\program files\Dell\Dell Wireless WLAN Card\WLTRAY.exe" [2009-07-17 4968960]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Wow6432Node-HKLM-RunOnce- - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10d.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10d.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-05-12 17:28:44
ComboFix-quarantined-files.txt 2011-05-12 21:28
ComboFix2.txt 2011-05-11 16:02
.
Pre-Run: 186,741,207,040 bytes free
Post-Run: 186,299,559,936 bytes free
.
- - End Of File - - 2B4134E82019319CAE62101FD6C36CF7


Re: Rootkit: hidden boot sector

Post by AdkWoody on Fri 13 May 2011, 11:16 am

Here's the report without sending it to the internet. It said it saved the file to send at a later time. I don't know how to find it or if it's even needed. Let me know.


Re: Rootkit: hidden boot sector

Post by Crush on Fri 13 May 2011, 12:15 pm

Hi,

You created a shortcut to the txt file, so it didn't execute correctly. Please be sure you save it as cfscript.txt.


Re: Rootkit: hidden boot sector

Post by AdkWoody on Fri 13 May 2011, 1:26 pm

I'm not sure how to save it to the desktop so I can drop it into ComboFix without creating a shortcut. I did save it as CFScript.txt in Notepad, but only the main icon saying "Notepad" is visible on the desktop. How do I get it to the drag and drop as described above?


Re: Rootkit: hidden boot sector

Post by Crush on Fri 13 May 2011, 4:18 pm

How are you saving the file? File > Save As? That will allow you to specify the location for the txt file.


Re: Rootkit: hidden boot sector

Post by AdkWoody on Sat 14 May 2011, 5:45 am

ComboFix 11-05-10.02 - Christine 05/13/2011 14:15:42.5.2 - x64 NETWORK
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.2008.1565 [GMT -4:00]
Running from: c:\users\Christine\Desktop\commy.exe
Command switches used :: c:\users\Christine\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
FILE ::
"c:\windows\system32\11AC.tmp"
"c:\windows\system32\2C9B.tmp"
"c:\windows\system32\82D6.tmp"
"c:\windows\system32\B5B8.tmp"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\11AC.tmp
c:\windows\system32\2C9B.tmp
c:\windows\system32\82D6.tmp
c:\windows\system32\B5B8.tmp
.
.
((((((((((((((((((((((((( Files Created from 2011-04-13 to 2011-05-13 )))))))))))))))))))))))))))))))
.
.
2011-05-13 18:22 . 2011-05-13 18:22 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-05-13 07:07 . 2011-05-13 07:07 -------- d-----w- c:\windows\SysWow64\Wat
2011-05-13 07:07 . 2011-05-13 07:07 -------- d-----w- c:\windows\system32\Wat
2011-05-12 07:02 . 2011-05-12 07:02 -------- d-----w- c:\program files (x86)\Microsoft.NET
2011-05-11 14:10 . 2011-05-11 14:10 -------- d-----w- c:\program files (x86)\Sophos
2011-05-11 05:03 . 2010-09-06 09:26 189520 ----a-w- c:\windows\SysWow64\drivers\tmcomm.sys
2011-05-11 01:22 . 2010-12-20 22:09 38224 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
2011-05-11 01:22 . 2011-05-11 01:22 -------- d-----w- c:\programdata\Malwarebytes
2011-05-11 01:21 . 2011-05-11 01:22 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2011-05-11 01:21 . 2010-12-20 22:08 24152 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-11 00:41 . 2011-05-11 00:41 -------- d-----w- c:\programdata\CyberLink
2011-05-11 00:40 . 2001-09-05 08:18 225280 ----a-w- c:\program files (x86)\Common Files\InstallShield\IScript\iscript.dll
2011-05-11 00:40 . 2001-09-05 08:18 77824 ----a-w- c:\program files (x86)\Common Files\InstallShield\Engine\6\Intel 32\ctor.dll
2011-05-11 00:40 . 2001-09-05 08:14 176128 ----a-w- c:\program files (x86)\Common Files\InstallShield\Engine\6\Intel 32\iuser.dll
2011-05-11 00:40 . 2001-09-05 08:13 32768 ----a-w- c:\program files (x86)\Common Files\InstallShield\Engine\6\Intel 32\objectps.dll
2011-05-11 00:15 . 2011-05-11 00:15 -------- d-----w- c:\program files (x86)\Google
2011-05-11 00:15 . 2011-04-18 17:18 287064 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-05-11 00:15 . 2011-04-18 17:13 22360 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-05-11 00:15 . 2011-04-18 17:13 31064 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-05-11 00:15 . 2011-04-18 17:17 600920 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-05-11 00:15 . 2011-04-18 17:16 53592 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-05-11 00:15 . 2011-04-18 17:25 253888 ----a-w- c:\windows\system32\aswBoot.exe
2011-05-11 00:15 . 2011-04-18 17:13 64344 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-05-11 00:14 . 2011-04-18 17:25 40112 ----a-w- c:\windows\avastSS.scr
2011-05-11 00:14 . 2011-04-18 17:25 199304 ----a-w- c:\windows\SysWow64\aswBoot.exe
2011-05-11 00:14 . 2011-05-11 00:14 -------- d-----w- c:\programdata\AVAST Software
2011-05-11 00:14 . 2011-05-11 00:14 -------- d-----w- c:\program files\AVAST Software
2011-05-11 00:12 . 2011-04-18 13:15 8802128 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{D1E45A3C-A590-48A6-8D46-591CD26E4604}\mpengine.dll
2011-05-11 00:12 . 2011-02-02 22:11 270720 ------w- c:\windows\system32\MpSigStub.exe
2011-05-10 21:30 . 2011-05-12 21:00 -------- d-----w- c:\users\Christine
2011-05-10 21:17 . 2011-05-11 01:40 -------- d-----w- C:\Emergency
2011-05-10 20:54 . 2011-05-10 21:17 -------- d-----w- c:\windows\SMINST
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-10 01:37 . 2011-05-13 00:12 32566 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2011-05-13 07:05 30984 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2011-05-12 21:59 . 2011-05-12 20:55 67584 c:\windows\system32\LogFiles\Srt\bootstat.dat
- 2011-05-10 21:26 . 2011-05-11 15:01 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-05-10 21:26 . 2011-05-13 18:03 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-05-10 21:26 . 2011-05-11 15:01 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2011-05-10 21:26 . 2011-05-13 18:03 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2011-05-11 15:01 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2011-05-13 18:03 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:46 . 2011-05-13 09:09 12368 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
- 2011-05-10 22:13 . 2011-05-11 15:04 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-05-10 22:13 . 2011-05-13 09:00 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-05-10 22:13 . 2011-05-11 15:04 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-05-10 22:13 . 2011-05-13 09:00 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-05-10 23:51 . 2011-05-13 07:05 5442 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1338394851-2888564178-1302984018-1000_UserData.bin
+ 2011-05-11 18:15 . 2011-05-11 18:15 8192 c:\windows\system32\Microsoft\Protect\Recovery\Recovery.dat
- 2011-05-11 15:01 . 2011-05-11 15:01 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-05-13 18:23 . 2011-05-13 18:23 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-05-13 18:23 . 2011-05-13 18:23 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2011-05-11 15:01 . 2011-05-11 15:01 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-05-11 13:30 . 2011-05-13 18:01 118214 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2011-05-13 07:07 . 2011-05-13 07:07 152888 c:\windows\system32\Wat\WatWeb.dll
+ 2011-05-13 07:07 . 2011-05-13 07:07 249656 c:\windows\system32\Wat\WatUX.exe
+ 2011-05-13 07:07 . 2011-05-13 07:07 138664 c:\windows\system32\Wat\npWatWeb.dll
+ 2009-07-14 02:36 . 2011-05-13 18:08 615122 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2011-05-13 18:08 103496 c:\windows\system32\perfc009.dat
+ 2009-07-14 05:38 . 2011-05-12 21:59 262144 c:\windows\system32\config\systemprofile\ntuser.dat
- 2009-07-14 05:38 . 2010-07-10 02:59 262144 c:\windows\system32\config\systemprofile\ntuser.dat
+ 2011-05-13 07:07 . 2011-05-13 07:07 1255736 c:\windows\system32\Wat\WatAdminSvc.exe
+ 2009-07-14 04:45 . 2011-05-13 09:08 3802522 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
- 2009-07-14 04:45 . 2011-05-11 00:52 3802522 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
- 2009-07-14 02:34 . 2011-05-11 15:15 10223616 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
+ 2009-07-14 02:34 . 2011-05-13 08:01 10223616 c:\windows\system32\SMI\Store\Machine\schema.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"dellsupportcenter"="c:\program files (x86)\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]
"Launcher"="c:\program files (x86)\Dell DataSafe Local Backup\Components\scheduler\Launcher.exe" [2011-01-13 165184]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-12-15 1324384]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R1 aswSnx;aswSnx; [x]
R1 aswSP;aswSP; [x]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_7f58c91b65c73836\AESTSr64.exe [2009-03-02 89600]
R2 aswFsBlk;aswFsBlk; [x]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [x]
R2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2009-06-09 155648]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-11 136176]
R2 SftService;SoftThinks Agent Service;c:\program files (x86)\Dell DataSafe Local Backup\sftservice.EXE [2011-01-13 705856]
R3 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;c:\program files (x86)\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe [2009-09-18 169312]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-11 136176]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-11 00:15]
.
2011-05-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-11 00:15]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-04-18 17:25 134384 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2010-04-06 384296]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2010-02-25 487424]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-02-21 165912]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-02-21 387608]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-02-21 365592]
"Broadcom Wireless Manager UI"="c:\program files\Dell\Dell Wireless WLAN Card\WLTRAY.exe" [2009-07-17 4968960]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Wow6432Node-HKLM-RunOnce- - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10d.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10d.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-05-13 14:32:54 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-13 18:32
ComboFix2.txt 2011-05-12 21:28
ComboFix3.txt 2011-05-11 16:02
.
Pre-Run: 184,488,480,768 bytes free
Post-Run: 184,414,531,584 bytes free
.
- - End Of File - - 4C2D99F4A65D6A85A2349635F9ED8F17


Re: Rootkit: hidden boot sector

Post by AdkWoody on Sat 14 May 2011, 5:48 am

I hope I did it right this time! If not, let me know what to do. It did restart while in the middle of it, but ComboFix came right back up and said it was creating the boot log. Not sure if it was intentional on the part of the program, or the rootkit trying to protect itself again.


Re: Rootkit: hidden boot sector

Post by Crush on Sat 14 May 2011, 5:53 am

Yes. Looks good. How are things running?


Re: Rootkit: hidden boot sector

Post by AdkWoody on Sat 14 May 2011, 6:17 am

About 5 min after I booted back up into normal mode, the rootkit came up again in the grasp of Avast... even though Avast was shut off permanently through this process and I hadn't turned it back on yet. Same thing. I just shut the computer down to await further instructions.


Re: Rootkit: hidden boot sector

Post by Crush on Sat 14 May 2011, 6:50 am


  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • Click the Report button and copy/paste the contents of it into your next reply.
Note: It will also create a log in the C:\ directory.

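The steps above run a vendor tool and trust its verdict, and the thread keeps coming back to one question: is the MBR actually clean? The Python below is an added example, not code from this thread and not part of TDSSKiller, ComboFix or Avast. It decodes a 512-byte MBR, lists the primary partitions, and reports the signals an MBR-bootkit investigation cares about: a missing 0x55AA signature, overlapping or out-of-range partitions, a large unallocated run after the last partition (a common hiding place for a bootkit's original MBR and payload), and boot code whose SHA-256 differs from a known-good reference. Everything it runs on is constructed: the sample disk layout, the placeholder boot-code stub and the "known good" hash (computed from that stub, so it is not a real Windows 7 MBR hash). `read_mbr` reads sector 0 of `\\.\PhysicalDrive0` and needs an administrator prompt; the disk size in sectors is the caller's responsibility (byte size from Disk Management or `wmic diskdrive get size`, divided by 512), and `max_tail_sectors` is a tunable threshold, not a fixed rule.

```python
"""MBR sanity checks: decode the partition table, flag unallocated tail
sectors and compare the boot code against a known-good hash. Added example,
standard library only; the sample MBR below is constructed, not a real one."""
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Optional

SECTOR = 512
CODE_LEN = 440          # boot code: bytes 0..439
DISK_SIG_OFF = 0x1B8    # 4-byte NT disk signature
PART_TABLE_OFF = 0x1BE  # four 16-byte partition entries
BOOT_SIG_OFF = 0x1FE    # 0x55 0xAA

@dataclass
class Partition:
    index: int        # slot 0..3 in the table
    bootable: bool    # status byte == 0x80
    ptype: int        # type byte, e.g. 0x07 for NTFS
    lba_start: int
    sectors: int

    @property
    def lba_end(self) -> int:          # first sector after the partition
        return self.lba_start + self.sectors

def parse_partitions(mbr: bytes) -> List[Partition]:
    """Decode the non-empty entries of the primary partition table."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        lba_start, sectors = struct.unpack_from("<II", mbr, off + 8)
        if mbr[off + 4] == 0 and sectors == 0:
            continue                                  # empty slot
        parts.append(Partition(i, mbr[off] == 0x80, mbr[off + 4], lba_start, sectors))
    return parts

def boot_code_sha256(mbr: bytes) -> str:
    """Hash the code area only; disk signature and table differ per machine."""
    return hashlib.sha256(mbr[:CODE_LEN]).hexdigest()

def check_mbr(mbr: bytes, disk_sectors: int, known_good_sha256: Optional[str] = None,
              max_tail_sectors: int = 2048) -> List[str]:
    """Return findings as strings; an empty list means nothing looked off."""
    if len(mbr) != SECTOR:
        return [f"MBR is {len(mbr)} bytes, expected {SECTOR}"]
    findings = []
    if mbr[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] != b"\x55\xAA":
        findings.append("boot signature 0x55AA missing")
    parts = sorted(parse_partitions(mbr), key=lambda p: p.lba_start)
    active = sum(p.bootable for p in parts)
    if active != 1:
        findings.append(f"{active} partitions flagged bootable, expected 1")
    prev_end = 0
    for p in parts:
        if p.lba_start < prev_end:
            findings.append(f"partition {p.index} overlaps the previous one")
        if p.lba_end > disk_sectors:
            findings.append(f"partition {p.index} runs past end of disk")
        prev_end = max(prev_end, p.lba_end)
    tail = disk_sectors - prev_end
    if tail > max_tail_sectors:       # bootkits commonly keep their files in this gap
        findings.append(f"{tail} unallocated sectors after last partition")
    if known_good_sha256 and boot_code_sha256(mbr) != known_good_sha256:
        findings.append("boot code hash does not match the known-good reference")
    return findings

def build_mbr(boot_code: bytes, partitions: List[Partition], disk_sig: int = 0x1234ABCD) -> bytes:
    """Assemble a 512-byte MBR; used here only to construct sample input."""
    mbr = bytearray(SECTOR)
    mbr[:len(boot_code)] = boot_code                  # caller keeps this <= CODE_LEN
    struct.pack_into("<I", mbr, DISK_SIG_OFF, disk_sig)
    for p in partitions:
        off = PART_TABLE_OFF + 16 * p.index
        mbr[off] = 0x80 if p.bootable else 0x00
        mbr[off + 4] = p.ptype                        # CHS fields stay zero; LBA is what matters
        struct.pack_into("<II", mbr, off + 8, p.lba_start, p.sectors)
    mbr[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] = b"\x55\xAA"
    return bytes(mbr)

def read_mbr(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Sector 0 of a raw disk; needs administrator on Windows (root for /dev/sda)."""
    with open(device, "rb", buffering=0) as f:
        return f.read(SECTOR)

# Constructed sample: a 500 GB disk with a Windows 7 style layout.
DISK_SECTORS = 976_773_168                                   # 500,107,862,016 / 512
STUB_CODE = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 32   # placeholder, not real MBR code
CLEAN_MBR = build_mbr(STUB_CODE, [
    Partition(0, True, 0x07, 2_048, 204_800),                # 100 MB system partition
    Partition(1, False, 0x07, 206_848, DISK_SECTORS - 206_848 - 1_024),
])
GOOD_HASH = boot_code_sha256(CLEAN_MBR)                      # reference taken from the clean sample

# Same disk after tampering: boot code replaced, last partition shrunk to leave 4 MB unallocated.
TAMPERED_MBR = build_mbr(b"\xEB\xFE" + b"\x00" * 40, [
    Partition(0, True, 0x07, 2_048, 204_800),
    Partition(1, False, 0x07, 206_848, DISK_SECTORS - 206_848 - 8_192),
])
```

Run `check_mbr(read_mbr(), disk_sectors, reference_hash)` with a hash taken from an identical clean install to get the same list of findings for a real disk. One caveat matters more than the code: a kernel-mode MBR rootkit can hook the disk driver and hand a clean copy of sector 0 to anything that reads it from inside the running system, which fits the pattern in this thread of a boot-time scan seeing what a normal scan does not. A clean result read from the suspect system is therefore weak evidence; read the sector again from clean boot media (a WinPE or Linux live image) before trusting it. An unallocated tail is a lead to inspect with a hex viewer, not proof on its own, and the threshold should be tuned to the disk's geometry.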

Re: Rootkit: hidden boot sector

Post by AdkWoody on Mon 16 May 2011, 2:47 am

2011/05/15 11:44:56.0118 1900 TDSS rootkit removing tool 2.5.1.0 May 13 2011 13:20:29
2011/05/15 11:44:56.0149 1900 ================================================================================
2011/05/15 11:44:56.0149 1900 SystemInfo:
2011/05/15 11:44:56.0149 1900
2011/05/15 11:44:56.0149 1900 OS Version: 6.1.7600 ServicePack: 0.0
2011/05/15 11:44:56.0149 1900 Product type: Workstation
2011/05/15 11:44:56.0149 1900 ComputerName: CHRISTINE-PC
2011/05/15 11:44:56.0149 1900 UserName: Christine
2011/05/15 11:44:56.0149 1900 Windows directory: C:\Windows
2011/05/15 11:44:56.0149 1900 System windows directory: C:\Windows
2011/05/15 11:44:56.0149 1900 Running under WOW64
2011/05/15 11:44:56.0149 1900 Processor architecture: Intel x64
2011/05/15 11:44:56.0149 1900 Number of processors: 2
2011/05/15 11:44:56.0149 1900 Page size: 0x1000
2011/05/15 11:44:56.0149 1900 Boot type: Normal boot
2011/05/15 11:44:56.0149 1900 ================================================================================
2011/05/15 11:44:56.0445 1900 Initialize success


Re: Rootkit: hidden boot sector

Post by AdkWoody on Mon 16 May 2011, 2:52 am

Sorry it took so long. The computer says it had 68 Windows updates that it was configuring on reboot. It was stuck on update 1 forever! I turned off the updates for now. Please let me know if there is anything else I should do. I will run a full scan with Avast again to see what it pulls up and let you know. Thanks for all your help, Crush. GeekPolice is a life saver for me!


Re: Rootkit: hidden boot sector

Post by Crush on Mon 16 May 2011, 6:44 am



Re: Rootkit: hidden boot sector

Post by AdkWoody on Mon 16 May 2011, 11:23 am

Avast picked up a TON more than before when I had it set for high sensitivity and checked all packers. I simply hit repair then apply, since I couldn't copy and paste that log report and couldn't go to any other window without closing that one first. Once the computer reset, I seemed to have more control over the computer and it seems as though it's back to normal. I then changed all the settings for the full system scan back to normal and that came back clean. I just finished the full round of Windows updates... 73 including the optional security ones. Now I am running another full system scan with the settings back to high and all packers to see what happens. I will let you know if that came back clean, or if it found anything.


Re: Rootkit: hidden boot sector

Post by AdkWoody on Mon 16 May 2011, 1:05 pm

This is what came up on the Avast full system scan with high sensitivity and all packers checked.

File Names Status

C:\...|>_TUProj.dat Error: Archive is password protected
C:\...|>DataSave_Green.ico Error: Archive is password protected
C:\...|>IRIMG1.BMP Error: Archive is password protected
C:\...|>IRIMG1.JPG Error: Archive is password protected
C:\...|>DataSafe_Green.ico Error: Archive is password protected
C:\...|>diff_000001.dif Error: Archive is password protected
C:\...|>diff_000002.dif Error: Archive is password protected
C:\...|>diff_000003.dif Error: Archive is password protected
C:\...|>diff_000004.dif Error: Archive is password protected
C:\...|>diff_000005.dif Error: Archive is password protected
C:\...|>diff_000006.dif Error: Archive is password protected
C:\...|>diff_000007.dif Error: Archive is password protected

I couldn't copy and paste, so I had to enter this manually. Under the Status of each one it says "Error: Archive is password protect..". Because I couldn't see it, I just filled in the blanks. Before I clicked on the report it said the scan couldn't check all files.


Re: Rootkit: hidden boot sector

Post by Crush on Tue 17 May 2011, 4:14 am

Those are nothing to worry about. The high sensitivity will produce false positives. The important thing is, is it still picking up the rootkit in the MBR?


